/*
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
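 */

/*
 * @test
 * @bug 8076117
 * @summary EndEntityChecker should not process custom extensions
 *          after PKIX validation
 * @modules java.base/sun.security.validator
 */

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import sun.security.validator.KeyStores;
import sun.security.validator.Validator;

/**
 * Regression test for 8076117.
 *
 * <p>The end-entity (EE) certificate below carries a critical extension with
 * a private OID (1.2.3.4) that the JDK does not understand. The test checks
 * that:
 * <ol>
 *   <li>SimpleValidator rejects the chain (EndEntityChecker catches the
 *       unsupported critical extension);</li>
 *   <li>PKIXValidator rejects the chain when no PKIXCertPathChecker claims
 *       the extension;</li>
 *   <li>PKIXValidator accepts the chain when a custom checker resolves the
 *       extension, i.e. EndEntityChecker must not re-reject an extension
 *       that PKIX validation already handled.</li>
 * </ol>
 */
public class EndEntityExtensionCheck {

    /** OID of the custom critical extension present in the EE certificate. */
    private static final String CUSTOM_EXT_OID = "1.2.3.4";

    /**
     * Fixed validation date used for the PKIX tests. The EE certificate is
     * only valid from 2015-04-07 to 2015-07-06, so validating against "now"
     * would fail for the wrong reason (expiry) instead of exercising the
     * extension handling. 2015-05-01 lies inside both certificates' validity
     * periods. Built with java.time so the month is not an off-by-one index.
     */
    private static final Date VALIDATION_DATE = Date.from(
            LocalDate.of(2015, 5, 1).atStartOfDay(ZoneOffset.UTC).toInstant());

    /*
     * Owner: CN=TestCA
     * Issuer: CN=TestCA
     */
    private static final String CA =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n" +
        "VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n" +
        "oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n" +
        "nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n" +
        "eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n" +
        "8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n" +
        "L3Oxy6989/FhZlZWJlhqc1ungEQ=\n" +
        "-----END CERTIFICATE-----";

    /*
     * Owner: CN=TestEE
     * Issuer: CN=TestCA
     * Contains a custom critical extension with OID 1.2.3.4:
     *   #1: ObjectId: 1.2.3.4 Criticality=true
     *   0000: 00 00
     */
    private static final String EE =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n" +
        "VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n" +
        "01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n" +
        "tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n" +
        "hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n" +
        "7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n" +
        "mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n" +
        "3ZMpMAjITbuHHlFNUqZ7A9s=\n" +
        "-----END CERTIFICATE-----";

    /**
     * Runs the three validation scenarios described in the class comment.
     *
     * @param args ignored
     * @throws Exception if a chain validates when it must not, or fails to
     *         validate when it must
     */
    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = createChain();
        X509Certificate root = chain[chain.length - 1];

        /* Test 1: Test SimpleValidator
         * SimpleValidator doesn't check for unsupported critical
         * extensions in the end entity certificate, and leaves that up
         * to EndEntityChecker, which should catch such extensions.
         */
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setCertificateEntry("testca", root);

        Validator simple = Validator.getInstance(Validator.TYPE_SIMPLE,
                                                 Validator.VAR_TLS_CLIENT,
                                                 KeyStores.getTrustedCerts(ks));
        expectRejected(simple, chain, "SimpleValidator");

        /* Test 2: Test PKIXValidator without custom checker
         * PKIXValidator accepts PKIXParameters that can contain
         * custom PKIXCertPathCheckers, which would be run against
         * each cert in the chain, including EE certs.
         * Check that if PKIXValidator is not provided a custom
         * PKIXCertPathChecker for an unknown critical extension in
         * the EE cert, chain validation will fail.
         */
        Set<TrustAnchor> tas = new HashSet<>();
        tas.add(new TrustAnchor(root, null));

        Validator pkix = Validator.getInstance(Validator.TYPE_PKIX,
                                               Validator.VAR_TLS_CLIENT,
                                               pkixParams(tas, null));
        expectRejected(pkix, chain, "PKIXValidator without custom checker");

        /* Test 3: Test PKIXValidator with custom checker
         * Check that PKIXValidator will successfully validate a chain
         * containing an EE cert with a critical custom extension, given
         * a corresponding PKIXCertPathChecker for the extension.
         */
        Validator pkixWithChecker = Validator.getInstance(
                Validator.TYPE_PKIX,
                Validator.VAR_TLS_CLIENT,
                pkixParams(tas, new CustomChecker()));
        pkixWithChecker.validate(chain); // must validate successfully

        System.out.println("Tests passed.");
    }

    /**
     * Validates {@code chain} with {@code v} and requires a
     * {@link CertificateException}: the EE cert's unsupported critical
     * extension must be rejected. Any other outcome is a test failure.
     *
     * @param v           the validator under test
     * @param chain       EE-first certificate chain
     * @param description which scenario is being checked, for the failure
     *                    message
     * @throws Exception if validation unexpectedly succeeds
     */
    private static void expectRejected(Validator v, X509Certificate[] chain,
                                       String description) throws Exception {
        try {
            v.validate(chain);
        } catch (CertificateException expected) {
            // The EE cert has an unsupported critical extension that no
            // checker resolved, so this failure is expected.
            return;
        }
        throw new Exception(description +
                ": Chain should not have validated successfully.");
    }

    /**
     * Builds PKIX parameters with the fixed {@link #VALIDATION_DATE},
     * revocation checking disabled (no CRL/OCSP is available for the test
     * certs) and an optional custom path checker.
     *
     * @param anchors trust anchors for the chain
     * @param checker extra {@link PKIXCertPathChecker} to register, or
     *                {@code null} for none
     * @return the configured parameters
     * @throws InvalidAlgorithmParameterException if {@code anchors} is empty
     */
    private static PKIXBuilderParameters pkixParams(Set<TrustAnchor> anchors,
                                                    PKIXCertPathChecker checker)
            throws InvalidAlgorithmParameterException {
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, null);
        if (checker != null) {
            params.addCertPathChecker(checker);
        }
        params.setDate(VALIDATION_DATE);
        params.setRevocationEnabled(false);
        return params;
    }

    /**
     * Parses the two embedded PEM certificates.
     *
     * @return the chain in validation order: {@code [EE, CA]}
     * @throws Exception if either certificate fails to parse
     */
    public static X509Certificate[] createChain() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ee = parsePem(cf, EE);
        X509Certificate ca = parsePem(cf, CA);
        return new X509Certificate[] {ee, ca};
    }

    /**
     * Decodes one PEM-encoded X.509 certificate.
     *
     * @param cf  an X.509 certificate factory
     * @param pem the PEM text, including BEGIN/END lines
     * @return the parsed certificate
     * @throws CertificateException if the encoding is invalid
     */
    private static X509Certificate parsePem(CertificateFactory cf, String pem)
            throws CertificateException {
        // PEM is pure ASCII; name the charset so decoding never depends on
        // the platform default.
        byte[] pemBytes = pem.getBytes(StandardCharsets.US_ASCII);
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pemBytes));
    }

    /*
     * A custom PKIXCertPathChecker. Claims the critical extension with
     * OID 1.2.3.4 on certificates that do not assert the CA flag (i.e.
     * end entity certificates).
     *
     * Note that it does not inspect the extension's value: it only removes
     * the OID from the unresolved set, which is all this test needs. A
     * production checker must validate the extension contents before
     * resolving it, otherwise any value is silently accepted.
     */
    static class CustomChecker extends PKIXCertPathChecker {

        @Override
        public void init(boolean forward) throws CertPathValidatorException {
            // stateless checker: nothing to reset between validations
        }

        @Override
        public boolean isForwardCheckingSupported() {
            return false;
        }

        @Override
        public Set<String> getSupportedExtensions() {
            // Immutable: callers must not be able to alter what we claim.
            return Collections.singleton(CUSTOM_EXT_OID);
        }

        @Override
        public void check(Certificate cert,
                          Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate currCert = (X509Certificate) cert;
            // getBasicConstraints() == -1 means the cert does not assert
            // cA=true, so treat it as an end entity cert. Only then is the
            // extension resolved; on a CA cert it stays unresolved and the
            // PKIX validator rejects the chain.
            if (currCert.getBasicConstraints() == -1
                    && unresolvedCritExts != null
                    && !unresolvedCritExts.isEmpty()) {
                unresolvedCritExts.remove(CUSTOM_EXT_OID);
            }
        }

    }
}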