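/*
 * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 6996377
 * @summary shrink duplicate code in the constructor of PKIXValidator
 */

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.cert.TrustAnchor;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.security.auth.x500.X500Principal;
import java.util.Date;
import java.util.List;
import java.util.Arrays;
import java.util.ArrayList;
import java.util.Set;
import java.util.HashSet;
import java.util.Enumeration;
import java.util.Collection;
import sun.security.validator.Validator;
import sun.security.validator.PKIXValidator;

/**
 * Exercises both construction paths of the PKIX {@link Validator}: from a
 * collection of trusted certificates and from a caller-supplied
 * {@link PKIXBuilderParameters}. Each path is checked with valid input and
 * with the malformed inputs (null, null element, empty collection, null
 * variant) that the constructor is expected to reject.
 *
 * <p>All certificates are embedded as PEM text. They are public
 * certificates only; no private key material is stored in this file.
 */
public class ConstructorTest {

    // COMMON-OPTS: All certs created with the following common options:
    // -keystore <STORE> -storepass <PASS> -keypass <PASS> -keyalg rsa
    // -keysize 2048 -validity 720 -sigalg sha256withrsa

    // keytool <COMMON-OPTS> -alias root -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC3jCCAcagAwIBAgIEInKZgjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRS\n" +
        "b290MB4XDTE0MDUwODE4MjcwOFoXDTE2MDQyNzE4MjcwOFowDzENMAsGA1UEAxME\n" +
        "Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIzgMkrCZD7PuoFb\n" +
        "fmtAd2+Td6nA9sgBd8Z3NjQgP6nwyn79svaVV9XAVLTrLian72wV/1Kbq/6HUXQQ\n" +
        "AqyUAvobDwXeIAmE4+D7qcZxiEJgVNr2Ddv1bbS8Y0/Ta72qzjFiEPMO3Y2GP52C\n" +
        "ssKQpsdNttHfM9c73cKUspobc3p51k2lkynheshCSNOWxR/Rvsl/gcbEFg8vIEHV\n" +
        "oJPwKSrABc4sWiiXQj0yLVW+DKVEFuWNqqitcikQLZFpgOYv8P1SjhJFkcA9s0oN\n" +
        "sbvKO2VF141h161i0AFddTsGE85A3j42qEdwQ0cs9gyAoeU865TFvxCuhSqSgJ3a\n" +
        "Mdgn7ssCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n" +
        "HQYDVR0OBBYEFFQY2UJynMSoS7Tf/+DvNPp/ZxXfMA0GCSqGSIb3DQEBCwUAA4IB\n" +
        "AQAeXRQnEhxNl8lrcGY1U1LbIdrNMlGnc0JbgwiVYwRlE3+u4GvDae1VueXyY6nw\n" +
        "8m63H3Q/Do9/72aw2Q0FSwvDg+k5ssj+gXQ3Gyx8xsVPJEG0TizOSwnWiZtWu65w\n" +
        "14p5TB8P8wdPEs6sfE9oheiKhDRjBZHIfqMd4DaBiM9N9qHpSwTJc02BB2KnGwga\n" +
        "yiYNJbce7GFKn/exryj972n/Nl4xy1WdZrRwTBbV21/GINw+xdXn1+FD95EGqGlr\n" +
        "Sb4+G7U7Ydo+xFpVQnrqxZe98pI5W2bG7VSKvIzcPxfL5/tjwtNaqhiD7wIBNHVx\n" +
        "ZeJevm41O9qFQEdXNyVGpB+u\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias int -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String INTERMED =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC/jCCAeagAwIBAgIEDkzdijANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRS\n" +
        "b290MB4XDTE0MDUwODE4MjcyNFoXDTE2MDQyNzE4MjcyNFowDjEMMAoGA1UEAxMD\n" +
        "SW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwslILfgvXPxdRgu8\n" +
        "4SnrZJsSzb/XvYwYGAKTSvsDaI1nXypBbwDGz87+YPpZSJcExcS8I8GBKqN6kXIh\n" +
        "YvJ9yMGJX8wdwoMQpw2ZfJpzfw9Nqtlhv8/q5kPlaDghJ+nGNwy5lyYNOzDMVht0\n" +
        "1XQG65C+l7m52lDJ478tGRZEFkx0aTh2QUBI59iNji6r2Buyeiijhg4YBrvIlYLK\n" +
        "OAHxru4N/Y2Cq3ECUUvm7Lf8tM8yrINS8FLT+pmNcLj8AKkGW8cFFaiGPMyon0/m\n" +
        "4iJB7ZaeG+BGm9TvBv93cphAsM2tY+S+P/dLfI01ltucibPkSglmquUSA0xW9ilv\n" +
        "PEYWqQIDAQABo2MwYTAfBgNVHSMEGDAWgBRUGNlCcpzEqEu03//g7zT6f2cV3zAP\n" +
        "BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU1jeG+pzz\n" +
        "WnHa+0PfJNw9JTrZaoMwDQYJKoZIhvcNAQELBQADggEBABRshh0oJ8Dq87Tgcf3w\n" +
        "ERVZ/uDWKj76UXWQ3uvKMhnNxKN/vs1rCfhovkptn39CXndOb8m6UkvmMjDtJsiO\n" +
        "Oq/DiR6NngCy5yJ5hMuBsdQ2QVvdiqG4Sb+vOaQ2TNQNEHEWC7sB0ztImjxlqDtq\n" +
        "yvof5pd8pHeZJNyDo5cHw1cpoUI9GLz6CK5i0wUlBvsYERIX5aRqxqdtKgBefHFN\n" +
        "S2ChTRB16A5C1h+Lu79KnoeS33lZt1VeebIA7hvaHkqhGGpncutEYgT8QNFFpjM8\n" +
        "yFCjZG+ZuUD/s5hd/xHnPdJzR+RWVKMjjVCTpnni3+NHXo2fh0G8YFhdHQ2F/YFI\n" +
        "ig0=\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias user -ext ku:c=digitalSignature
    // -ext eku=clientAuth
    private static final String USER =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIDAjCCAeqgAwIBAgIEKgsK2DANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNJ\n" +
        "bnQwHhcNMTQwNTA4MTgyNzI3WhcNMTYwNDI3MTgyNzI3WjAPMQ0wCwYDVQQDEwRV\n" +
        "c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArBFLJZ1liQAEkEyJ\n" +
        "9vAiViRXtDDV+lc62DR4DBj1/Vsw9djVOxmwDKM0+jj83F4Qn9vulr+xp2aZzx4Y\n" +
        "GiJgbtoxPvZmwNv4MPCNX+fgl/+C0nFKOoSYfHb/tK0Jj6u8HOmQqkbSmGJd/yRL\n" +
        "qavapRvhS94tFhiNK7wwLAK9AZ+r7cTEBtUSqfaS7mY7tUsERcZs6z3+rmsuxWw6\n" +
        "/xnNTIVWjdUSbEnjZCdkfZ0cjFONotL6aKoa6YXzohzgA5c3SJZqscEaz4yPkMvl\n" +
        "7bGy7cn6xjfbb5V3oNqo1dtF3Jm8zp0q8Zgvc47l+DAoGIHSpDhPGX+qSWOTwRla\n" +
        "QT6NDwIDAQABo2cwZTAfBgNVHSMEGDAWgBTWN4b6nPNacdr7Q98k3D0lOtlqgzAT\n" +
        "BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFE/p\n" +
        "UEn8+capIj2+V+7GoxUhdVnWMA0GCSqGSIb3DQEBCwUAA4IBAQBkEyFJ/1CCMoU3\n" +
        "C1sYoq4Wt36z3e4Z2rMjfpFXcagqOQaq+hq+/eG8gDE50tOp30nZF7BxSv0RKnxa\n" +
        "KSkrKcupwgPJOZZWVR6ycV3xWm4QleLuDJh3NdK0o8vvIwLQP47fXURzEXTpGodl\n" +
        "+hGx7jcghsOKftBDCaleywam4jcZ5YPfp5Ayev0pK/Euf0kZgZAhRM33uJVVfEns\n" +
        "UotoGK7SL6hZMCrreVlXygof19p531Ps5xMqu0y2u2xztjVQJ+gPU5zcYbjByUl+\n" +
        "pY+wDPb8XU1EoLl7J5UyayXlk0c3KG/5f+CrVi2HtRfCcKLBf8/MH6OFIpX9O77p\n" +
        "Qq3r+W/l\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias red-ta-key -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String RED_ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC5jCCAc6gAwIBAgIEWK8vRTANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhS\n" +
        "ZWQgUm9vdDAeFw0xNDA1MDgxODI3MTNaFw0xNjA0MjcxODI3MTNaMBMxETAPBgNV\n" +
        "BAMTCFJlZCBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjpMy\n" +
        "Qh5yq4R3DrwsWaBZoCR+gda4a1PjGpjlQW/Au6R3hwUDAunkQIz/sX1CnLLJ7cks\n" +
        "4m6ba2wjYE3NbVP9D3HozLAv2ErB75/F3evRu5UvzkGLkamyHJBY0xEyFyOaD4MC\n" +
        "hhlo8dDEY++YL8Od+m4i56fYXQlTT94u20I+6hZxeIpJxFSHyouZg06jb+URibi0\n" +
        "e7I3JApWghgcDfgEXZWlCmB8IswYPdd+XWRFDNc4rSWueRP+SeQOFx9x1jM6+skP\n" +
        "DGLpuaChO7cqsUxYnsEx9zhdxQ+v4V3vOye/GigpRaO7WvgPB4g5sYhFlwZ/tp+A\n" +
        "KQebXExXCGOOQUoFEwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB\n" +
        "/wQEAwIBBjAdBgNVHQ4EFgQUYL8o0Ku7Irg33xzCgA4q1PFz6IQwDQYJKoZIhvcN\n" +
        "AQELBQADggEBAGSVpI7Qmb0oupBCs+tXlJ4/+TX6eBGcHydaT/2hlgEEdT7S7y6O\n" +
        "iMC8C8wlEKTLZ6MJSxjeFTIO62OkTjCsGtk+BHTaE81QL5rxjGFkvtuQrwck8gHg\n" +
        "fAb7daF9ZVLz6B8+cX047xZHx9ZGM/ID+GJg/3fk17WA2BhW1Xkzskby5AWpBDol\n" +
        "i6+zEod0uZhpHiWwVSfHlEA+rnkhW632oVaVNNDkeUhsCxrU0k7nlQx8bG5bmUso\n" +
        "1MaPP1kRKvcy0UGx6q3s8pcrKw0X1S66n7HV+WbQebg83U0MVE1r/J0Cfi0jMS/x\n" +
        "ZUVXs7rjCGFhwfiT/kybKD8adrGHSmLhKs0=\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias orange-ta-key -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String ORANGE_ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC7DCCAdSgAwIBAgIEQPSszTANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtP\n" +
        "cmFuZ2UgUm9vdDAeFw0xNDA1MDgxODI3MTRaFw0xNjA0MjcxODI3MTRaMBYxFDAS\n" +
        "BgNVBAMTC09yYW5nZSBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\n" +
        "AQEAknfh3lKWVQxl2w/eRSza6+0+zeTtMkQFCEFpGJsisDK5XOU1HcJMP4QUteWM\n" +
        "tg1SGO9bjpiKqJ7JVRnzOC3q6erBj2LmwpWW7p12tg6ENOQfsy6tRZLlQWMFGBkT\n" +
        "Tatsg9HwKpr6itvk2wERh18AcIqSjtN94kGTljP1qf9gMd31G5d/HyG6EwMZukJm\n" +
        "4/EFpzh3fVwr/EN1WzrYlsBOA+3Tru/k0p8wP6Bomrx1vAEUqRWSLWxsa7we76jL\n" +
        "H/kMkyWENyjd/A2c5CwscoG+KSx9cifYnSqrUAmpY88KKuZG2Y1+9ablUEwXW4Gh\n" +
        "RYLCGIgxp6NrtFG/eUcDBgtEwQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G\n" +
        "A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUPvRE9j3GPGcc3dNGrVrQoWDb9RMwDQYJ\n" +
        "KoZIhvcNAQELBQADggEBADjPTuHXMbXc2Kn+i+dnBiQCWcjzaox4KWV4MNO7vkvi\n" +
        "ADBk5/vVM+HTzwL+gZNwE96/agcOzwHZ8/Dz4aA3zzmAmQB4bt+pUa0iyGvX6+F5\n" +
        "IH1kd4kBnSBMc76fRcEJnebhrXFgTlps5VELMVcEOn3Q4nt+gVfXmPStTkFjM1/4\n" +
        "fQggsScLpE2TVkk3oS52NIzG/vyBIt3W0gX20hlQobA2vziJDx8xy/+qe5igyp5F\n" +
        "WScwSQE8qeuoDJYJRxpxZ7kq8NiHxfGPw5Hjn518zBz2VKJOsJYmckAMFIdS//kM\n" +
        "NUysH6gFksW/PHy75QkbtD4OFtb2zp01ERuf5OoJavs=\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias yellow-ta-key -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String YELLOW_ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC7DCCAdSgAwIBAgIEfLA7azANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtZ\n" +
        "ZWxsb3cgUm9vdDAeFw0xNDA1MDgxODI3MTZaFw0xNjA0MjcxODI3MTZaMBYxFDAS\n" +
        "BgNVBAMTC1llbGxvdyBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\n" +
        "AQEAgLMOpzIR8LyALox2AvItM42VjFDp1EyHU0faJZCpwVbQPJ2f+8Gr7XuTv1uZ\n" +
        "Ixe6JjcyGNHZG0NuFmMFbK2Y7cg3PdQBjcm+x68iSWzyEUuhytSKSLUt6i+xAg+9\n" +
        "h9UGXlBNarVjWq63tPt8HK/YHxt9Ber0iriF3SEUsgMOzRrLw1mw35SmgidRp19y\n" +
        "yNXlgQfylEAVtYD9IYhxTm/j9NL3rTgqXiKjvNAVjAUrD2I2nK5WQqO2hmQr9x/9\n" +
        "EqgIK03dw0ps7/XL+gpd+zwGZqDr9pbFnko4badiE4AJqPlm6u/Tdc0dSkLu/oXq\n" +
        "Ex4iqtM0TP5+oeDXGZv6EprzKQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G\n" +
        "A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUp0/g/PqT9jDVGKSsBh997Kg9KBIwDQYJ\n" +
        "KoZIhvcNAQELBQADggEBAG4vr5UkWUEA9qNU6wBNg5yySS6KhNVyBDMReyX6qsz6\n" +
        "yUIeGU/UC8LwdB+Tl3S+FZyUlsx+gwh1n0ei7eOV58cCeWmZ3sUWvLTwsY9iBNyt\n" +
        "HkItOCDO+JEjgo7OhEBlzYkD4MkwAjaYnT4tU41BSnlTR4+jK77f/b1oMVzDv2tL\n" +
        "+JAiem04TEoGO97uZ94l6gKwwGO35uejGEUPhFPLtxo+yR2QQqX0S8smG88pCQ82\n" +
        "6XscdvRTjSfkuI3LiqNORS0fGZ3ykxDCkDLZZ1mSg1h2/3xOUEbFQ0phhMrnr2Rl\n" +
        "mWNGYCam2jns4qmMnbzPIwQduvRkz1O1lusbLNFpcdY=\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias green-ta-key -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String GREEN_ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC6jCCAdKgAwIBAgIENWwt8TANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwpH\n" +
        "cmVlbiBSb290MB4XDTE0MDUwODE4MjcxOFoXDTE2MDQyNzE4MjcxOFowFTETMBEG\n" +
        "A1UEAxMKR3JlZW4gUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" +
        "AKHvh3FRJghpNtLqIk5UDSGkcA3rtEygRsFa51ucwNQ1x4SXOVnsNHZZW66RuKOn\n" +
        "6wjS8+xctNnMIy1XNXa2nlAswQVe75xX0jfGMB4w0MlaqLK9HrU479WrWmrBjz/P\n" +
        "vvHY8x1CIfTMjOtLO9yxbYQrXsEz6JKxAz6/+ErbkvUjBynezZdJNXgURVz5HmFx\n" +
        "e/SUbSALX+Kx+/+hXggaQdwlrpoDl/Nqm6S1iR5xtdZB1CEauIwFDSWOG1TjR1Hp\n" +
        "8OSGb0AhwwM5FzIxevwgKke6WHFKf5p4lcpiQZqmhgqyFbARUfUjYX3WzQTmrJ/q\n" +
        "87OMIJasvmkNEYkNbrSmI9kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\n" +
        "HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHG7s0KrfUsnl/3/UGYbCrdXTZtcMA0GCSqG\n" +
        "SIb3DQEBCwUAA4IBAQBUe18kbDHeqsxM17ahr30hvjdxMkYLkLcGoSOlSI8sFBu6\n" +
        "jG4JZvvFXw2ZqMQTLSALvsSZ9wkfS8tDCNEHRvCB6aqW4tjp9ddkfe+56WINzTv6\n" +
        "Ibqwg2JGsOzWttpUA5OPLfODbMqOYzT101toF3sKteX0yyiF/SfMTXR5Jv0uo/dp\n" +
        "sFeJtWFfhy/Q0jiEAz945BBoSHCIF7Fs4vcls7gNJxfap66W8lamjzFyMDsnlz+b\n" +
        "sSLWZmvwM+R/RfL1Q3LPCcZWLiP9WSAO4hUoju1E9WeWHHjlPwJJ/iRECL9cnHRt\n" +
        "Z7/kOlNLGxKvpEbY4xqH0zE07UWPCCBlemk/6jlO\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias blue-ta-key -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String BLUE_ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC6DCCAdCgAwIBAgIEX3XC9zANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwlC\n" +
        "bHVlIFJvb3QwHhcNMTQwNTA4MTgyNzIwWhcNMTYwNDI3MTgyNzIwWjAUMRIwEAYD\n" +
        "VQQDEwlCbHVlIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY\n" +
        "pc4r8mfgGGeiYlvHSrEIlp6djHS489P7eqoQRqmS5U/I0lLGNu7QZsY240a9a84S\n" +
        "2t6VpZID5juK8AF2v4psShsqgfj+RjVev8FJE/D5j8B4QZ+HmbLJIl80f+YOPaLG\n" +
        "HX1eNktLx3S2gkIKHVdn7q3o4DdXBO+YdaBA56lL4l+dWFtto65+5Sjy4yfyvWJz\n" +
        "MylXjP/wiC0T3C0NcQX3AIu2tjY2u9lrVbem2rIi0kPFIoYvstKiqXMc/sRf2CfO\n" +
        "it5k629HsbvdACVRZFxU3Lz25oP4HGz1kq1cpiIS+W3gQQmCKu9XqzpNRThG0SEL\n" +
        "jaH9E4pZDnZiRCr+Mxm1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P\n" +
        "AQH/BAQDAgEGMB0GA1UdDgQWBBS5ebHO4iamr3n0+KtxJYAitg9QcTANBgkqhkiG\n" +
        "9w0BAQsFAAOCAQEAGjh/UzERw+skEK4zM1zfL1RsZnUlFu7mTbOBGgccewHWC+MM\n" +
        "AQbLo0m4NTEbRoW6fFcAESgE61ZZBLkmhcjXBunNJq6O1hMDpppYA806eG6GcZmK\n" +
        "rLOZljxx4D1YC17vMEVsMF9XgIj5dLWceJjotZzNxe+miwXLEkxaGIMe/n2VtCoR\n" +
        "BSrGrAeCsFZ7G2NRWUxUEVJrhLnVZJDt6fHd43BCVnV191PyF5TuB08nijyCoJoS\n" +
        "/WJkYHxx3vUUfDE5E4UE+iY80BHnAPxiNKwO3XsWjeqbJ8PS+5AvShdG5QdFBhKe\n" +
        "/tJTZLs0UEubKdaWd5ZgsXP3913bJm/mBo+eJA==\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias indigo-ta-key -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String INDIGO_ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC7DCCAdSgAwIBAgIESdUmczANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtJ\n" +
        "bmRpZ28gUm9vdDAeFw0xNDA1MDgxODI3MjFaFw0xNjA0MjcxODI3MjFaMBYxFDAS\n" +
        "BgNVBAMTC0luZGlnbyBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\n" +
        "AQEA2opDa3wDxQrX6GjffbDGtXyvKw0/vhZTeus4cxdZIYF3CWkGbeurDIhPUKRO\n" +
        "Azact0SECJuMXVxkB5vQKBmHRByNh8ugFfzXWi7/rteXTNjLNKnzVr8plbMvzwM7\n" +
        "zjIgm0mTRbwv6gZmUbgfmO9FCB8zlV4hYbYbFTJn7GlVPpqZkZNNMTyJkOPxMzXD\n" +
        "yaToxyR0uY3cMv9pmks3GxU2XoGTFuqptbL9XFSpwrm5BRfWuJDP1t8moLHQZ5iu\n" +
        "tkCz6MVYcrhTlV/UY0PSGcmUvAu83sNBfIGjme0RIiERy02gLJnSZ/M9r1ukCUJE\n" +
        "Z6At+9TsNCYNPgW5vcjNLO63/wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G\n" +
        "A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU8eJ+kMmanqF+IcAQTjxSMv+VR7kwDQYJ\n" +
        "KoZIhvcNAQELBQADggEBAGRB4C5qYXXJJnEGzJZf8S974SaeLmEvHlmaQPOuCxME\n" +
        "tCeBoWQqD9qTDVy39izzjA4uE/fCMVCkyr1QL+588dtMI8jJfbzx+TxnlDWlJcMM\n" +
        "5J8EJPNEy7eR6qqpFncvjmbXzf16XfzL9qSXwHYCvpo25nEEH801y2njJE2gGzZT\n" +
        "raYRFuwzsZLiSV5TyO5MbRXiZLebDXfE/wXukor87pjGpx1/kevjH/g66OpaIBzu\n" +
        "IfLePEOekTKXHF1zL89uYHwpUVCzfhO5hNQlSsTCuBkBifSTYm4ixoATi/C2kqze\n" +
        "WHUK179u1+7v6xRONLQxe1JDftdlHHVg7DSeTY59euo=\n" +
        "-----END CERTIFICATE-----\n";

    // keytool <COMMON-OPTS> -alias violet-ta-key -ext bc:critical=ca:true
    // -ext ku:critical=keyCertSign,cRLSign
    private static final String VIOLET_ROOT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIC7DCCAdSgAwIBAgIEXwgmLDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtW\n" +
        "aW9sZXQgUm9vdDAeFw0xNDA1MDgxODI3MjNaFw0xNjA0MjcxODI3MjNaMBYxFDAS\n" +
        "BgNVBAMTC1Zpb2xldCBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\n" +
        "AQEAvElr11MoHUNfnx6nBy4NSXFFzA68g57ohTt+sspEn3wzuPErugMypReHLhtH\n" +
        "CTrs45T0KU8P4Gi5QHnsBs8yC3QCHNPugo2A4zP+ciTqp+1gRNxQ9wzKSzCoseJg\n" +
        "RMQflGFzuEe7gWwYfrsDfD1sJCubfBtBUFCSYf1ZSZbdEMrc3RPtC35Ge+3XRxFZ\n" +
        "KdzH8l7gQTtgAmRQmK+i4jwzSHV/Iu2yiRdhjqIZUezf3pYFfJlmfAY5ruQBKkc+\n" +
        "KRgdmKanpLbmAo/+3q6snt8V09CoQ+6Cz+P9P0yOxiiwr/6jg9WtHA3ujvtf3dGj\n" +
        "EeB8SmzXHFZErQIn+QbrJ3/izwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G\n" +
        "A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUlxlHI8JTrX86r4ezgDLICo6rApowDQYJ\n" +
        "KoZIhvcNAQELBQADggEBALnfWZx6LC9vDMI8vBH/vbyk2ZQtiQFRt3kbwKtlrw65\n" +
        "/bqeGXcQ1Lh9gDzp+uGYSfuDNvtJO6xmfny0W5j5WQVJxs+iWyoJfYxeG0kBZut+\n" +
        "hbxJPlehBwhveuznZbeTN3RXeBi8MSxnBD/WC1e2rnfnrxoLfYZ1BSUP8LaIzC32\n" +
        "vd6WCgnJRXputlGvnOoAT1WduWonhd7lCoqbtZksw7o0smuAn2mSnod8j948rzzt\n" +
        "uDQVao/3tCyoX4NSom2hWooPltk5FTdF9cZKfbaU5TPV+U30RN7/UWY/dCvL1fMq\n" +
        "1kvtJbkh+UMHvszHOxlgjk+3J76Wx0PFjNaIfbj2bmk=\n" +
        "-----END CERTIFICATE-----\n";

    // Every certificate that the tests install as trusted. ROOT is the only
    // one that issued INTERMED; the colour-named roots are unrelated anchors.
    public static final String[] rootArrayPEM = { RED_ROOT, ORANGE_ROOT,
        YELLOW_ROOT, GREEN_ROOT, BLUE_ROOT, INDIGO_ROOT, VIOLET_ROOT, ROOT };

    /**
     * Parses every entry of {@link #rootArrayPEM} into the trusted set and
     * runs both groups of constructor tests against it.
     *
     * @param args not used
     * @throws Exception if any test case fails or a certificate cannot be
     *         parsed
     */
    public static void main(String[] args) throws Exception {
        Set<X509Certificate> trustedCertSet = new HashSet<>();

        for (String pemCert : rootArrayPEM) {
            trustedCertSet.add(makeCertFromPEM(pemCert));
        }

        testCtorByCollection(trustedCertSet);

        testCtorByPKIXBuilderParams(trustedCertSet);
    }

    /**
     * Parses one PEM-encoded X.509 certificate.
     *
     * @param pemCert the certificate text, including its BEGIN/END lines
     * @return the parsed certificate
     * @throws CertificateException if the text cannot be parsed
     */
    public static X509Certificate makeCertFromPEM(String pemCert)
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // PEM is plain ASCII; naming the charset keeps the bytes independent
        // of the platform default encoding.
        ByteArrayInputStream is = new ByteArrayInputStream(
                pemCert.getBytes(StandardCharsets.US_ASCII));

        return ((X509Certificate)cf.generateCertificate(is));
    }

    /**
     * Validates {@code chain} with {@code v} and prints the subject and
     * issuer of every certificate in the chain the validator returns.
     *
     * @param v the validator under test
     * @param chain the certificate chain to validate
     * @param otherCerts additional certificates offered for path building
     * @throws Exception if validation fails
     */
    public static void showValidatedChain(Validator v, X509Certificate[] chain,
            Set<X509Certificate> otherCerts) throws Exception {
        for (X509Certificate cert : v.validate(chain, otherCerts)) {
            System.out.println("\tSubj: " + cert.getSubjectX500Principal() +
                    " Iss: " + cert.getIssuerX500Principal());
        }
    }

    /**
     * Wraps each certificate in a {@link TrustAnchor} with no name
     * constraints.
     *
     * @param certSet the certificates to trust
     * @return a new set holding one anchor per certificate
     * @throws Exception declared for callers; {@code TrustAnchor} itself
     *         rejects a null certificate with a NullPointerException
     */
    public static Set<TrustAnchor> makeTrustAnchorSet(
            Set<X509Certificate> certSet) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();

        for (X509Certificate cert : certSet) {
            anchors.add(new TrustAnchor(cert, null));
        }

        return anchors;
    }

    /**
     * Cases 1-6: builds a PKIX validator from a collection of trusted
     * certificates, first with valid input and then with inputs the
     * constructor must reject.
     *
     * <p>A rejection case signals failure by throwing {@link IOException}
     * from inside the {@code try}: it is a checked exception, so none of the
     * {@code catch} clauses for runtime exceptions can swallow it.
     *
     * @param certSet the trusted certificates; a null element is added and
     *        removed again during case 3
     * @throws Exception if a case does not behave as expected
     */
    public static void testCtorByCollection(Set<X509Certificate> certSet)
            throws Exception {
        Validator valOK;
        Validator valNoGood;
        X509Certificate[] chain = new X509Certificate[1];
        Set<X509Certificate> intermeds = new HashSet<>();

        // Case 1: Make a PKIXValidator with valid arguments
        // Expected result: Well-formed PKIXValidator
        System.out.println("Constructor test 1: Valid inputs");
        valOK = Validator.getInstance(Validator.TYPE_PKIX,
                Validator.VAR_GENERIC, certSet);

        // Convert our user cert from PEM format, then do the same for
        // its intermediate signer and add that as a helper for path building
        chain[0] = makeCertFromPEM(USER);
        intermeds.add(makeCertFromPEM(INTERMED));
        // NOTE(review): this relies on getParameters() handing back the
        // object the validator itself uses, so that the date set here
        // applies to the validate call below - confirm against PKIXValidator.
        PKIXBuilderParameters pbParams = ((PKIXValidator)valOK).getParameters();
        // The embedded certificates are valid from 2014-05-08 to 2016-04-27,
        // so validation is pinned to a fixed instant inside that window
        // rather than the current time.
        pbParams.setDate(new Date(1426399200000L)); // 2015-03-15 06:00:00 GMT

        // See if we can build a trusted path to a root to make sure
        // everything still works as expected.
        showValidatedChain(valOK, chain, intermeds);

        // Case 2: Make a PKIXValidator with null anchor list.
        // Expected result: throw NullPointerException
        System.out.println("Constructor test 2: null trustedCerts");
        try {
            valNoGood = Validator.getInstance(Validator.TYPE_PKIX,
                    Validator.VAR_GENERIC, (Collection<X509Certificate>)null);
            // Throw something non Runtime-related to indicate we shouldn't
            // have succeeded on construction.
            throw new IOException(
                    "Constructor did not throw NullPointerException");
        } catch (NullPointerException npe) {
            System.out.println("\tCaught Exception (" + npe.toString() +
                    ") [PASS])");
        }

        // Case 3: Try putting a null reference into a populated TA List
        // Expected result: throw NullPointerException
        System.out.println("Constructor test 3: null in trustedCerts list");
        try {
            certSet.add(null);
            valNoGood = Validator.getInstance(Validator.TYPE_PKIX,
                    Validator.VAR_GENERIC, certSet);
            // Throw something non Runtime-related to indicate we shouldn't
            // have succeeded on construction.
            throw new IOException(
                    "Constructor did not throw NullPointerException");
        } catch (NullPointerException npe) {
            System.out.println("\tCaught Exception (" + npe.toString() +
                    ") [PASS])");
        } finally {
            // Return the certSet list to its original state
            certSet.remove(null);
        }

        // Case 4: Provide an empty List as the X509Certificate collection
        // Expected result: throw RuntimeException
        System.out.println("Constructor test 4: empty trustedCerts list");
        try {
            valNoGood = Validator.getInstance(Validator.TYPE_PKIX,
                    Validator.VAR_GENERIC, new ArrayList<X509Certificate>());
            // Throw something non Runtime-related to indicate we shouldn't
            // have succeeded on construction.
            throw new IOException("Constructor did not throw RuntimeException");
        } catch (RuntimeException re) {
            System.out.println("\tCaught RuntimeException (" + re.toString() +
                    ") [PASS])");
        }

        // Case 5: Provide an invalid variant
        // Expected result: successful construction.
        // Note: subsequent calls to validate may throw CertificateException
        // if the submitted chain has a length > 1.
        System.out.println("Constructor test 5: Unsupported variant");
        valNoGood = Validator.getInstance(Validator.TYPE_PKIX,
                "BogusVariant", certSet);
        System.out.println("\tSuccessful construction [PASS]");

        // Case 6: Provide a null variant
        // Expected result: throw NullPointerException
        System.out.println("Constructor test 6: null variant");
        try {
            valNoGood = Validator.getInstance(Validator.TYPE_PKIX, null,
                    certSet);
            // Throw something non Runtime-related to indicate we shouldn't
            // have succeeded on construction.
            throw new IOException(
                    "Constructor did not throw NullPointerException");
        } catch (NullPointerException npe) {
            System.out.println("\tCaught RuntimeException (" + npe.toString() +
                    ") [PASS])");
        }
    }

    /**
     * Cases 7-8: builds a PKIX validator from a caller-supplied
     * {@link PKIXBuilderParameters}, first with valid parameters and then
     * with a null reference.
     *
     * @param certSet the certificates to install as trust anchors
     * @throws Exception if a case does not behave as expected
     */
    public static void testCtorByPKIXBuilderParams(Set<X509Certificate> certSet)
            throws Exception {
        Set<TrustAnchor> taSet = makeTrustAnchorSet(certSet);
        Validator valOK;
        Validator valNoGood;
        X509Certificate[] chain = new X509Certificate[1];
        Set<X509Certificate> intermeds = new HashSet<>();

        // Case 7: Make a PKIXValidator with valid arguments
        // Expected result: Well-formed PKIXValidator object
        System.out.println("Constructor test 7: Valid inputs");

        // Set up the PKIXBuilderParameters
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject("CN=User");
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(taSet, sel);
        // Revocation checking is switched off for this test chain; that is a
        // test-fixture choice, not a setting to carry into real validation.
        pbParams.setRevocationEnabled(false);
        // Fixed instant inside the embedded certificates' validity window
        // (2014-05-08 to 2016-04-27).
        pbParams.setDate(new Date(1426399200000L)); // 2015-03-15 06:00:00 GMT

        valOK = Validator.getInstance(Validator.TYPE_PKIX,
                Validator.VAR_GENERIC, pbParams);

        // Convert our user cert from PEM format, then do the same for
        // its intermediate signer and add that as a helper for path building
        chain[0] = makeCertFromPEM(USER);
        intermeds.add(makeCertFromPEM(INTERMED));

        showValidatedChain(valOK, chain, intermeds);

        // Case 8: Make a PKIXValidator but provide a null PKIXBuilderParameters
        // Expected result: throw NullPointerException
        System.out.println("Constructor test 8: null params");
        try {
            valNoGood = Validator.getInstance(Validator.TYPE_PKIX,
                    Validator.VAR_GENERIC, (PKIXBuilderParameters)null);
            // Throw something non Runtime-related to indicate we shouldn't
            // have succeeded on construction.
            throw new IOException(
                    "Constructor did not throw NullPointerException");
        } catch (NullPointerException npe) {
            System.out.println("\tCaught RuntimeException (" + npe.toString() +
                    ") [PASS])");
        }
    }
}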