1 /*
   2  * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 /*
  25  * @test
  26  * @bug 8076117
  27  * @summary EndEntityChecker should not process custom extensions
  28  *          after PKIX validation
  29  * @modules java.base/sun.security.validator
  30  */
  31 
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import sun.security.validator.KeyStores;
import sun.security.validator.Validator;
  50 
  51 
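/**
 * Regression test for 8076117: a custom critical extension in the
 * end-entity certificate must be rejected unless a PKIXCertPathChecker
 * explicitly resolves it, and EndEntityChecker must not re-process it
 * after PKIX validation has already accepted it.
 *
 * Three scenarios are exercised against a two-cert chain (TestEE issued
 * by TestCA) whose EE cert carries the critical extension 1.2.3.4:
 *  1. SimpleValidator: expected to fail (EndEntityChecker catches it).
 *  2. PKIXValidator without a custom checker: expected to fail.
 *  3. PKIXValidator with CustomChecker: expected to succeed.
 */
public class EndEntityExtensionCheck {

    /** OID of the custom critical extension carried by the EE certificate below. */
    private static final String CUSTOM_EXT_OID = "1.2.3.4";

    /*
     * Owner: CN=TestCA
     * Issuer: CN=TestCA
     */
    private static final String CA =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n" +
        "VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n" +
        "oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n" +
        "nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n" +
        "eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n" +
        "8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n" +
        "L3Oxy6989/FhZlZWJlhqc1ungEQ=\n" +
        "-----END CERTIFICATE-----";

    /*
     * Owner: CN=TestEE
     * Issuer: CN=TestCA
     * Contains a custom critical extension with OID 1.2.3.4:
     *    #1: ObjectId: 1.2.3.4 Criticality=true
     *    0000: 00 00
     */
    private static final String EE =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n" +
        "VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n" +
        "01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n" +
        "tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n" +
        "hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n" +
        "7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n" +
        "mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n" +
        "3ZMpMAjITbuHHlFNUqZ7A9s=\n" +
        "-----END CERTIFICATE-----";

    /**
     * Validation date pinned for the PKIX tests so they do not depend on
     * the wall clock. The EE certificate's validity window (decoded from
     * the PEM above) is 2015-04-07 to 2015-07-06, so any date inside it
     * works. The previous code used {@code new Date(115, 5, 1)}, whose
     * month argument is zero-based, i.e. 2015-06-01 — the old
     * "2015-05-01" comment was wrong; the date itself is kept.
     */
    private static final Date VALIDATION_DATE =
        Date.from(LocalDate.of(2015, 6, 1).atStartOfDay(ZoneOffset.UTC).toInstant());

    /**
     * Runs the three validation scenarios.
     *
     * @param args unused
     * @throws Exception if any scenario behaves differently from what is expected
     */
    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = createChain();
        X509Certificate trustedCa = chain[chain.length - 1];

        /* Test 1: Test SimpleValidator
         *  SimpleValidator doesn't check for unsupported critical
         *  extensions in the end entity certificate, and leaves that up
         *  to EndEntityChecker, which should catch such extensions.
         */
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setCertificateEntry("testca", trustedCa);

        Validator simple = Validator.getInstance(Validator.TYPE_SIMPLE,
                                                 Validator.VAR_TLS_CLIENT,
                                                 KeyStores.getTrustedCerts(ks));
        // NOTE(review): no validation date is supplied here, so
        // SimpleValidator checks against the current time. The EE cert's
        // notAfter (2015-07-06) has passed, so the CertificateException
        // may now be raised for expiry rather than for the unsupported
        // critical extension; the printed reason makes this visible.
        // TODO confirm whether a validation date can be injected for this path.
        expectValidationFailure(simple, chain,
            "EE cert has an unsupported critical extension that is not " +
            "checked by SimpleValidator's extension checks");

        /* Test 2: Test PKIXValidator without custom checker
         * PKIXValidator accepts PKIXParameters that can contain
         * custom PKIXCertPathCheckers, which would be run against
         * each cert in the chain, including EE certs.
         * Check that if PKIXValidator is not provided a custom
         * PKIXCertPathChecker for an unknown critical extension in
         * the EE cert, chain validation will fail.
         */
        Set<TrustAnchor> tas = new HashSet<>();
        tas.add(new TrustAnchor(trustedCa, null));

        Validator pkix = Validator.getInstance(Validator.TYPE_PKIX,
                                               Validator.VAR_TLS_CLIENT,
                                               pkixParams(tas));
        expectValidationFailure(pkix, chain,
            "EE cert has an unsupported critical extension and " +
            "PKIXValidator was not provided any custom checker for it");

        /* Test 3: Test PKIXValidator with custom checker
         * Check that PKIXValidator will successfully validate a chain
         * containing an EE cert with a critical custom extension, given
         * a corresponding PKIXCertPathChecker for the extension.
         */
        PKIXBuilderParameters params = pkixParams(tas);
        params.addCertPathChecker(new CustomChecker());

        Validator pkixWithChecker = Validator.getInstance(Validator.TYPE_PKIX,
                                                          Validator.VAR_TLS_CLIENT,
                                                          params);
        pkixWithChecker.validate(chain); // This should validate successfully

        System.out.println("Tests passed.");
    }

    /**
     * Builds PKIX parameters pinned to {@link #VALIDATION_DATE} with
     * revocation checking disabled (the test certs carry no CRL/OCSP data).
     *
     * @param anchors trust anchors to validate against
     * @return fresh, mutable parameters the caller may add checkers to
     * @throws Exception if the parameters cannot be constructed
     */
    private static PKIXBuilderParameters pkixParams(Set<TrustAnchor> anchors)
            throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, null);
        params.setDate(VALIDATION_DATE);
        params.setRevocationEnabled(false);
        return params;
    }

    /**
     * Validates {@code chain} with {@code v} and fails the test unless a
     * {@link CertificateException} is thrown.
     *
     * @param v     the validator under test
     * @param chain certificate chain, EE first
     * @param why   why the failure is expected; printed with the actual
     *              exception so a failure for some other cause (e.g. an
     *              expired certificate, or an algorithm disallowed by
     *              {@code jdk.certpath.disabledAlgorithms}) can be told
     *              apart from the extension failure this test is about
     * @throws Exception if the chain validated successfully
     */
    private static void expectValidationFailure(Validator v,
                                                X509Certificate[] chain,
                                                String why) throws Exception {
        try {
            v.validate(chain);
        } catch (CertificateException expected) {
            System.out.println("Expected failure (" + why + "): " + expected);
            return;
        }
        throw new Exception("Chain should not have validated " +
                            "successfully.");
    }

    /**
     * Parses the embedded PEM certificates into a chain ordered EE first,
     * trust anchor (TestCA) last.
     *
     * @return a two-element chain {EE, CA}
     * @throws Exception if either certificate cannot be parsed
     */
    public static X509Certificate[] createChain() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return new X509Certificate[] { parsePem(cf, EE), parsePem(cf, CA) };
    }

    /**
     * Decodes one PEM-encoded certificate. PEM is ASCII, so the charset is
     * fixed rather than left to the platform default.
     *
     * @param cf  X.509 certificate factory
     * @param pem PEM text including the BEGIN/END markers
     * @return the parsed certificate
     * @throws CertificateException on parse failure
     */
    private static X509Certificate parsePem(CertificateFactory cf, String pem)
            throws CertificateException {
        return (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /*
     * A custom PKIXCertPathChecker. Looks for a critical extension
     * in an end entity certificate with the OID 1.2.3.4.
     *
     * Test fixture only: it "resolves" the extension by removing its OID
     * from the unresolved set without examining the extension value. A
     * real checker must validate the extension's contents before resolving
     * it; an unresolved critical extension is otherwise a hard failure,
     * which is exactly what Tests 1 and 2 rely on.
     */
    static class CustomChecker extends PKIXCertPathChecker {

        @Override
        public void init(boolean forward) throws CertPathValidatorException {
            // stateless: nothing to reset between cert paths
        }

        @Override
        public boolean isForwardCheckingSupported() {
            // reverse (trust anchor -> EE) checking only
            return false;
        }

        @Override
        public Set<String> getSupportedExtensions() {
            Set<String> exts = new HashSet<>();
            exts.add(CUSTOM_EXT_OID);
            return exts;
        }

        /**
         * Resolves the custom extension, but only on end-entity certs
         * (getBasicConstraints() == -1, i.e. not a CA). On a CA cert the
         * OID is left in the unresolved set, so the validator still rejects
         * the path.
         */
        @Override
        public void check(Certificate cert,
                          Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate currCert = (X509Certificate) cert;
            if (currCert.getBasicConstraints() == -1 && unresolvedCritExts != null) {
                // remove() on an empty collection is a no-op, so no
                // isEmpty() pre-check is needed
                unresolvedCritExts.remove(CUSTOM_EXT_OID);
            }
        }

    }
}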