1 /*
2 * Copyright (c) 2001, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /**
25 * @test
26 * @bug 4458951
27 * @summary Check that Sun's PKIX implementation of
28 * CertPathValidator.validate() and CertPathBuilder.build() throw an
29 * InvalidAlgorithmParameterException if any of the TrustAnchors specified
30 * contain nameConstraints
31 * @modules java.base/sun.security.util
32 */
33 import java.io.File;
34 import java.io.FileInputStream;
35 import java.io.IOException;
36
37 import java.security.InvalidAlgorithmParameterException;
38 import java.security.cert.CertificateFactory;
39 import java.security.cert.CertPath;
40 import java.security.cert.CertPathBuilder;
41 import java.security.cert.CertPathBuilderResult;
42 import java.security.cert.CertPathValidator;
43 import java.security.cert.CertPathValidatorResult;
44 import java.security.cert.PKIXParameters;
45 import java.security.cert.PKIXBuilderParameters;
46 import java.security.cert.TrustAnchor;
47 import java.security.cert.X509Certificate;
48 import java.security.cert.X509CertSelector;
49
50 import java.util.ArrayList;
51 import java.util.Collections;
52 import java.util.List;
53 import java.util.Set;
54
55 import sun.security.util.DerInputStream;
56
57 /**
58 * ValidateNC performs a validation and build of a certification path, using any
59 * name constraints provided in the trust anchor's certificate. Using
60 * Sun's provider, the validation and build should fail because name constraints
61 * on trust anchors are not supported.
62 *
63 * @author Steve Hanna
64 * @author Sean Mullan
65 */
66 public final class ValidateNC {
67
68 private static CertPath path;
69 private static PKIXParameters params;
70 private static Set anchors;
71
72 public static void main(String[] args) throws Exception {
73
74 String[] certs = { "sun2labs2.cer", "labs2isrg2.cer" };
75
76 createPath(certs);
77 try {
78 validate(path, params);
79 throw new Exception("CertPathValidator should have thrown an " +
80 "InvalidAlgorithmParameterException");
81 } catch (InvalidAlgorithmParameterException iape) {
82 // success!
83 }
84
85 try {
86 X509CertSelector sel = new X509CertSelector();
87 sel.setSubject("cn=sean");
88 PKIXBuilderParameters bparams =
89 new PKIXBuilderParameters(anchors, sel);
90 build(bparams);
91 throw new Exception("CertPathBuilder should have thrown an " +
92 "InvalidAlgorithmParameterException");
93 } catch (InvalidAlgorithmParameterException iape) {
94 // success!
95 }
96 }
97
98 public static void createPath(String[] certs) throws Exception {
99
100 X509Certificate anchorCert = getCertFromFile(certs[0]);
101 byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
102 if (nameConstraints != null) {
103 DerInputStream in = new DerInputStream(nameConstraints);
104 nameConstraints = in.getOctetString();
105 }
106 TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
107 List list = new ArrayList();
108 for (int i = 1; i < certs.length; i++) {
109 list.add(0, getCertFromFile(certs[i]));
110 }
111 CertificateFactory cf = CertificateFactory.getInstance("X509");
112 path = cf.generateCertPath(list);
113
114 anchors = Collections.singleton(anchor);
115 params = new PKIXParameters(anchors);
116 params.setRevocationEnabled(false);
117 }
118
119 /**
120 * Get a DER-encoded X.509 certificate from a file.
121 *
122 * @param certFilePath path to file containing DER-encoded certificate
123 * @return X509Certificate
124 * @throws IOException on error
125 */
126 public static X509Certificate getCertFromFile(String certFilePath)
127 throws IOException {
128 X509Certificate cert = null;
129 try {
130 File certFile = new File(System.getProperty("test.src", "."),
131 certFilePath);
132 FileInputStream certFileInputStream =
133 new FileInputStream(certFile);
134 CertificateFactory cf = CertificateFactory.getInstance("X509");
135 cert = (X509Certificate)
136 cf.generateCertificate(certFileInputStream);
137 } catch (Exception e) {
138 e.printStackTrace();
139 throw new IOException("Can't construct X509Certificate: " +
140 e.getMessage());
141 }
142 return cert;
143 }
144
145 /**
146 * Perform a PKIX validation.
147 *
148 * @param path CertPath to validate
149 * @param params PKIXParameters to use in validation
150 * @throws Exception on error
151 */
152 public static void validate(CertPath path, PKIXParameters params)
153 throws Exception {
154 CertPathValidator validator =
155 CertPathValidator.getInstance("PKIX", "SUN");
156 CertPathValidatorResult cpvr = validator.validate(path, params);
157 }
158
159 /**
160 * Perform a PKIX build.
161 *
162 * @param params PKIXBuilderParameters to use in the build
163 * @throws Exception on error
164 */
165 public static void build(PKIXBuilderParameters params)
166 throws Exception {
167 CertPathBuilder builder =
168 CertPathBuilder.getInstance("PKIX", "SUN");
169 CertPathBuilderResult cpbr = builder.build(params);
170 }
171 }