
test/sun/security/lib/cacerts/VerifyCACerts.java

@  rev 13744 : 8233223: Add Amazon Root CA certificates
|  Reviewed-by: mullan
o  rev 13743 : 8232019: Add LuxTrust certificate updates to the existing root program
|  Reviewed-by: mullan
~


   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  *
  23  */
  24 
  25 /**
  26  * @test
  27  * @bug 8189131 8198240 8191844 8189949 8191031 8196141 8204923 8195774 8199779
  28  *      8209452 8209506 8210432 8195793 8216577 8222089 8222133 8222137 8222136
  29  *      8223499 8232019
  30  * @summary Check root CA entries in cacerts file
  31  */
  32 import java.io.File;
  33 import java.io.FileInputStream;
  34 import java.security.KeyStore;
  35 import java.security.MessageDigest;
  36 import java.security.cert.Certificate;
  37 import java.security.cert.CertificateExpiredException;
  38 import java.security.cert.CertificateNotYetValidException;
  39 import java.security.cert.X509Certificate;
  40 import java.util.Date;
  41 import java.util.Enumeration;
  42 import java.util.HashMap;
  43 import java.util.HashSet;
  44 import java.util.Map;
  45 
  46 public class VerifyCACerts {
  47 
  48     private static final String CACERTS
  49             = System.getProperty("java.home") + File.separator + "lib"
  50             + File.separator + "security" + File.separator + "cacerts";
  51 
  52     // The numbers of certs now.
  53     private static final int COUNT = 89;
  54 
  55     // map of cert alias to SHA-256 fingerprint
  56     @SuppressWarnings("serial")
  57     private static final Map<String, String> FINGERPRINT_MAP
  58             = new HashMap<String, String>() {
  59         {
  60             put("actalisauthenticationrootca [jdk]",
  61                     "55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66");
  62             put("buypassclass2ca [jdk]",
  63                     "9A:11:40:25:19:7C:5B:B9:5D:94:E6:3D:55:CD:43:79:08:47:B6:46:B2:3C:DF:11:AD:A4:A0:0E:FF:15:FB:48");
  64             put("buypassclass3ca [jdk]",
  65                     "ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D");
  66             put("camerfirmachambersca [jdk]",
  67                     "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0");
  68             put("camerfirmachambersignca [jdk]",
  69                     "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA");
  70             put("camerfirmachamberscommerceca [jdk]",
  71                     "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3");
  72             put("certumca [jdk]",
  73                     "D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24");


 218             put("ttelesecglobalrootclass2ca [jdk]",
 219                     "91:E2:F5:78:8D:58:10:EB:A7:BA:58:73:7D:E1:54:8A:8E:CA:CD:01:45:98:BC:0B:14:3E:04:1B:17:05:25:52");
 220             put("starfieldservicesrootg2ca [jdk]",
 221                     "56:8D:69:05:A2:C8:87:08:A4:B3:02:51:90:ED:CF:ED:B1:97:4A:60:6A:13:C6:E5:29:0F:CB:2A:E6:3E:DA:B5");
 222             put("globalsignca [jdk]",
 223                     "EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99");
 224             put("globalsignr3ca [jdk]",
 225                     "CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B");
 226             put("globalsigneccrootcar5 [jdk]",
 227                     "17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24");
 228             put("globalsigneccrootcar4 [jdk]",
 229                     "BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C");
 230             put("globalsignr2ca [jdk]",
 231                     "CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E");
 232             put("teliasonerarootcav1 [jdk]",
 233                     "DD:69:36:FE:21:F8:F0:77:C1:23:A1:A5:21:C1:22:24:F7:22:55:B7:3E:03:A7:26:06:93:E8:A2:4B:0F:A3:89");
 234             put("globalsignrootcar6 [jdk]",
 235                     "2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69");
 236             put("luxtrustglobalroot2ca [jdk]",
 237                     "54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5");








 238         }
 239     };
 240 
 241     // Exception list to 90 days expiry policy
 242     // No error will be reported if certificate in this list expires
 243     @SuppressWarnings("serial")
 244     private static final HashSet<String> EXPIRY_EXC_ENTRIES = new HashSet<String>() {
 245         {
 246             // Valid until: Tue Jul 09 14:40:36 EDT 2019
 247             add("utnuserfirstobjectca [jdk]");
 248         }
 249     };
 250 
 251     // Ninety days in milliseconds
 252     private static final long NINETY_DAYS = 7776000000L;
 253 
 254     private static boolean atLeastOneFailed = false;
 255 
 256     private static MessageDigest md;
 257 




   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  *
  23  */
  24 
  25 /**
  26  * @test
  27  * @bug 8189131 8198240 8191844 8189949 8191031 8196141 8204923 8195774 8199779
  28  *      8209452 8209506 8210432 8195793 8216577 8222089 8222133 8222137 8222136
  29  *      8223499 8232019 8233223
  30  * @summary Check root CA entries in cacerts file
  31  */
  32 import java.io.File;
  33 import java.io.FileInputStream;
  34 import java.security.KeyStore;
  35 import java.security.MessageDigest;
  36 import java.security.cert.Certificate;
  37 import java.security.cert.CertificateExpiredException;
  38 import java.security.cert.CertificateNotYetValidException;
  39 import java.security.cert.X509Certificate;
  40 import java.util.Date;
  41 import java.util.Enumeration;
  42 import java.util.HashMap;
  43 import java.util.HashSet;
  44 import java.util.Map;
  45 
  46 public class VerifyCACerts {
  47 
  48     private static final String CACERTS
  49             = System.getProperty("java.home") + File.separator + "lib"
  50             + File.separator + "security" + File.separator + "cacerts";
  51 
  52     // The numbers of certs now.
  53     private static final int COUNT = 93;
  54 
  55     // map of cert alias to SHA-256 fingerprint
  56     @SuppressWarnings("serial")
  57     private static final Map<String, String> FINGERPRINT_MAP
  58             = new HashMap<String, String>() {
  59         {
  60             put("actalisauthenticationrootca [jdk]",
  61                     "55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66");
  62             put("buypassclass2ca [jdk]",
  63                     "9A:11:40:25:19:7C:5B:B9:5D:94:E6:3D:55:CD:43:79:08:47:B6:46:B2:3C:DF:11:AD:A4:A0:0E:FF:15:FB:48");
  64             put("buypassclass3ca [jdk]",
  65                     "ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D");
  66             put("camerfirmachambersca [jdk]",
  67                     "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0");
  68             put("camerfirmachambersignca [jdk]",
  69                     "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA");
  70             put("camerfirmachamberscommerceca [jdk]",
  71                     "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3");
  72             put("certumca [jdk]",
  73                     "D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24");


 218             put("ttelesecglobalrootclass2ca [jdk]",
 219                     "91:E2:F5:78:8D:58:10:EB:A7:BA:58:73:7D:E1:54:8A:8E:CA:CD:01:45:98:BC:0B:14:3E:04:1B:17:05:25:52");
 220             put("starfieldservicesrootg2ca [jdk]",
 221                     "56:8D:69:05:A2:C8:87:08:A4:B3:02:51:90:ED:CF:ED:B1:97:4A:60:6A:13:C6:E5:29:0F:CB:2A:E6:3E:DA:B5");
 222             put("globalsignca [jdk]",
 223                     "EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99");
 224             put("globalsignr3ca [jdk]",
 225                     "CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B");
 226             put("globalsigneccrootcar5 [jdk]",
 227                     "17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24");
 228             put("globalsigneccrootcar4 [jdk]",
 229                     "BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C");
 230             put("globalsignr2ca [jdk]",
 231                     "CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E");
 232             put("teliasonerarootcav1 [jdk]",
 233                     "DD:69:36:FE:21:F8:F0:77:C1:23:A1:A5:21:C1:22:24:F7:22:55:B7:3E:03:A7:26:06:93:E8:A2:4B:0F:A3:89");
 234             put("globalsignrootcar6 [jdk]",
 235                     "2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69");
 236             put("luxtrustglobalroot2ca [jdk]",
 237                     "54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5");
 238             put("amazonrootca1 [jdk]",
 239                     "8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E");
 240             put("amazonrootca2 [jdk]",
 241                     "1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4");
 242             put("amazonrootca3 [jdk]",
 243                     "18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4");
 244             put("amazonrootca4 [jdk]",
 245                     "E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92");
 246         }
 247     };
 248 
 249     // Exception list to 90 days expiry policy
 250     // No error will be reported if certificate in this list expires
 251     @SuppressWarnings("serial")
 252     private static final HashSet<String> EXPIRY_EXC_ENTRIES = new HashSet<String>() {
 253         {
 254             // Valid until: Tue Jul 09 14:40:36 EDT 2019
 255             add("utnuserfirstobjectca [jdk]");
 256         }
 257     };
 258 
 259     // Ninety days in milliseconds
 260     private static final long NINETY_DAYS = 7776000000L;
 261 
 262     private static boolean atLeastOneFailed = false;
 263 
 264     private static MessageDigest md;
 265 
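Review bot: The four `amazonrootca1 [jdk]` to `amazonrootca4 [jdk]` SHA-256 fingerprints added at the end of `FINGERPRINT_MAP` carry no record of where the expected values came from, so the test can only show that the shipped `cacerts` file agrees with these literals, not that either matches what the CA publishes. If the values were computed from the same certificate files this change imports, a wrong or substituted root would still pass; they should be confirmed out of band against the CA's published fingerprints, with a comment above the entries saying so, e.g. `// SHA-256 fingerprints checked against the CA's published root repository`. The `COUNT` value going from 89 to 93 between the two panels is consistent with four additions, but its comment could say what is counted, e.g. `// Expected number of entries in cacerts; update on every add or remove` (presumably the keystore size, to be confirmed against the check that uses it). Only file lines 9–73 and 218 onward are shown on this page, so the rest of the map and the verification logic were not reviewed.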

