/* * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /* * @test * @bug 8074064 * @summary OCSPResponse.SingleResponse objects do not parse singleExtensions * @modules java.base/sun.security.x509 * @run main/othervm sun.security.provider.certpath.OCSPSingleExtensions */ package sun.security.provider.certpath; import java.io.*; import java.util.*; import java.security.cert.*; import sun.security.x509.SerialNumber; /* * Tester note: * For this test, all input files should be co-located with the test source * code. All test input data should be in PEM format, and may be commented * with the '#' character at the beginning of any comment line. Most tests were * generated using the "openssl ocsp" utility in server mode and used the same * utility as a client to drive the responses. In rare cases * (ocsp-good-witharchcut.resp, etc.) the test input was manually modified * because openssl's ocsp could not generate data in that format (e.g. a * "good" response with singleExtensions in the SingleResponse structure.) * These tests were created to force the code to walk codepaths reached only * with invalid OCSP data or legal formats that are not easily generated using * the tools at hand. These hand-modified test cases will not verify. */ public class OCSPSingleExtensions { public static CertificateFactory CF; public static final File testDir = new File(System.getProperty("test.src", ".")); public static final Base64.Decoder B64D = Base64.getMimeDecoder(); public static void main(String [] args) throws Exception { // Get a CertificateFactory for various tests CF = CertificateFactory.getInstance("X509"); ByteArrayInputStream bais = new ByteArrayInputStream(readFile("int.crt").getBytes()); X509Certificate intCA = (X509Certificate)CF.generateCertificate(bais); System.out.println("Successfully instantiated CA cert \"" + intCA.getSubjectX500Principal() + "\""); CertId cid0x1500 = new CertId(intCA, new SerialNumber(0x1500)); boolean noFailures = true; OCSPResponse.SingleResponse sr = getSRByFilename("ocsp-good-nonext.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); if (sr.getRevocationTime() != null) { throw new RuntimeException("Oops. revocationTime is non-null " + sr.getRevocationTime()); } else if (sr.getRevocationReason() != null) { throw new RuntimeException("Oops. revocationReason is non-null " + sr.getRevocationReason()); } sr = getSRByFilename("ocsp-good-withnext.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-good-witharchcut.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-nocerts.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-nonext-noinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-rev-withnext-noinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-rev-nonext-withinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-withnext-withinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); try { sr = getSRByFilename("ocsp-rev-twonext.resp", cid0x1500); System.out.println("FAIL: Allowed two nextUpdate fields"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } try { sr = getSRByFilename("ocsp-rev-bad-sr-tag.resp", cid0x1500); System.out.println("FAIL: Allowed invalid singleResponse item"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } try { sr = getSRByFilename("ocsp-rev-sr-cont-reverse.resp", cid0x1500); System.out.println("FAIL: Allowed reversed " + "nextUpdate/singleExtensions"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } if (!noFailures) { throw new RuntimeException("One or more tests failed"); } } private static OCSPResponse.SingleResponse getSRByFilename(String fileName, CertId cid) throws IOException { byte[] respDER = B64D.decode(readFile(fileName)); OCSPResponse or = new OCSPResponse(respDER); OCSPResponse.SingleResponse sr = or.getSingleResponse(cid); return sr; } private static String readFile(String fileName) throws IOException { String filePath = testDir + "/" + fileName; StringBuilder sb = new StringBuilder(); try (FileReader fr = new FileReader(filePath); BufferedReader br = new BufferedReader(fr)) { String line; while ((line = br.readLine()) != null) { if (!line.trim().startsWith("#")) { sb.append(line).append("\n"); } } } System.out.println("Successfully read " + fileName); return sb.toString(); } private static boolean checkSingleExts(OCSPResponse.SingleResponse sr, int singleExtCount) { Map singleExts; try { singleExts = sr.getSingleExtensions(); } catch (NullPointerException npe) { System.out.println( "Warning: Sent null singleResponse into checkSingleExts"); return false; } for (String key : singleExts.keySet()) { System.out.println("singleExtension: " + singleExts.get(key)); } if (singleExts.size() != singleExtCount) { System.out.println("Single Extension count mismatch, " + "expected " + singleExtCount + ", got " + singleExts.size()); return false; } else { return true; } } }