1 /*
2 * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 package sun.security.ssl;
25
26 import java.security.cert.*;
27 import java.util.*;
28 import java.nio.ByteBuffer;
29 import javax.net.ssl.SSLException;
30 import javax.security.auth.x500.X500Principal;
31 import sun.security.provider.certpath.ResponderId;
32 import sun.security.provider.certpath.OCSPNonceExtension;
33
34 /*
35 * Checks that the hash value for a certificate's issuer name is generated
36 * correctly. Requires any certificate that is not self-signed.
37 *
38 * NOTE: this test uses Sun private classes which are subject to change.
39 */
40 public class CertStatusReqItemV2Tests {
41
42 private static final boolean debug = false;
43
44 private static final byte[] DEF_CSRIV2_OCSP_MULTI_BYTES = {
45 2, 0, 4, 0, 0, 0, 0
46 };
47
48 private static final byte[] DEF_CSRIV2_OCSP_BYTES = {
49 1, 0, 4, 0, 0, 0, 0
50 };
51
52 // This is a CSRIV2 (ocsp_multi) that has a single
53 // responder ID and no extensions.
54 private static final byte[] CSRIV2_1RID = {
55 2, 0, 32, 0, 28, 0, 26, -95,
56 24, 48, 22, 49, 20, 48, 18, 6,
57 3, 85, 4, 3, 19, 11, 79, 67,
58 83, 80, 32, 83, 105, 103, 110, 101,
59 114, 0 , 0
60 };
61
62 // This is a CSRIV2 (ocsp_multi) that has a single
63 // responder ID and no extensions. The request_length
64 // field is too short in this case.
65 private static final byte[] CSRIV2_LENGTH_TOO_SHORT = {
66 2, 0, 27, 0, 28, 0, 26, -95,
67 24, 48, 22, 49, 20, 48, 18, 6,
68 3, 85, 4, 3, 19, 11, 79, 67,
69 83, 80, 32, 83, 105, 103, 110, 101,
70 114, 0 , 0
71 };
72
73 // This is a CSRIV2 (ocsp_multi) that has a single
74 // responder ID and no extensions. The request_length
75 // field is too long in this case.
76 private static final byte[] CSRIV2_LENGTH_TOO_LONG = {
77 2, 0, 54, 0, 28, 0, 26, -95,
78 24, 48, 22, 49, 20, 48, 18, 6,
79 3, 85, 4, 3, 19, 11, 79, 67,
80 83, 80, 32, 83, 105, 103, 110, 101,
81 114, 0 , 0
82 };
83
84 // A CSRIV2 (ocsp) with one Responder ID (byName: CN=OCSP Signer)
85 // and a nonce extension (32 bytes).
86 private static final byte[] CSRIV2_OCSP_1RID_1EXT = {
87 1, 0, 83, 0, 28, 0, 26, -95,
88 24, 48, 22, 49, 20, 48, 18, 6,
89 3, 85, 4, 3, 19, 11, 79, 67,
90 83, 80, 32, 83, 105, 103, 110, 101,
91 114, 0, 51, 48, 49, 48, 47, 6,
92 9, 43, 6, 1, 5, 5, 7, 48,
93 1, 2, 4, 34, 4, 32, -34, -83,
94 -66, -17, -34, -83, -66, -17, -34, -83,
95 -66, -17, -34, -83, -66, -17, -34, -83,
96 -66, -17, -34, -83, -66, -17, -34, -83,
97 -66, -17, -34, -83, -66, -17
98 };
99
100 public static void main(String[] args) throws Exception {
101 Map<String, TestCase> testList =
102 new LinkedHashMap<String, TestCase>() {{
103 put("CTOR (Default)", testCtorTypeStatReq);
104 put("CTOR (Byte array)", testCtorByteArray);
105 put("CTOR (invalid lengths)", testCtorInvalidLengths);
106 }};
107
108 TestUtils.runTests(testList);
109 }
110
111 public static final TestCase testCtorTypeStatReq = new TestCase() {
112 @Override
113 public Map.Entry<Boolean, String> runTest() {
114 Boolean pass = Boolean.FALSE;
115 String message = null;
116 try {
117 // Attempt to create CSRIv2 objects using null pointers
118 // for either parameter. In either case NPE should be thrown
119 CertStatusReqItemV2 csriNull;
120 try {
121 csriNull = new CertStatusReqItemV2(null,
122 new OCSPStatusRequest());
123 throw new RuntimeException("Did not catch expected NPE " +
124 "for null status_type parameter");
125 } catch (NullPointerException npe) { }
126
127 try {
128 csriNull = new CertStatusReqItemV2(StatusRequestType.OCSP,
129 null);
130 throw new RuntimeException("Did not catch expected NPE " +
131 "for null StatusRequest parameter");
132 } catch (NullPointerException npe) { }
133
134 // Create an "ocsp_multi" type request using a default
135 // (no Responder IDs, no Extensions) OCSPStatusRequest
136 CertStatusReqItemV2 csriMulti =
137 new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
138 new OCSPStatusRequest());
139 HandshakeOutStream hsout = new HandshakeOutStream(null);
140 csriMulti.send(hsout);
141 TestUtils.valueCheck(DEF_CSRIV2_OCSP_MULTI_BYTES,
142 hsout.toByteArray());
143 hsout.reset();
144
145 // Create an "ocsp" type request using a default
146 // (no Responder IDs, no Extensions) OCSPStatusRequest
147 CertStatusReqItemV2 csriSingle =
148 new CertStatusReqItemV2(StatusRequestType.OCSP,
149 new OCSPStatusRequest(new LinkedList<>(),
150 new LinkedList<>()));
151 csriSingle.send(hsout);
152 TestUtils.valueCheck(DEF_CSRIV2_OCSP_BYTES,
153 hsout.toByteArray());
154
155 // Create the CertStatusRequestItemV2 with a user-defined
156 // StatusRequestType value
157 CertStatusReqItemV2 csriNine =
158 new CertStatusReqItemV2(StatusRequestType.get(9),
159 new OCSPStatusRequest(null, null));
160 if (csriNine.getType().id != 9) {
161 throw new RuntimeException("Expected status_type = 9, " +
162 "got " + csriNine.getType().id);
163 } else {
164 StatusRequest sr = csriNine.getRequest();
165 if (!(sr instanceof OCSPStatusRequest)) {
166 throw new RuntimeException("Expected " +
167 "OCSPStatusRequest, got " +
168 sr.getClass().getName());
169 }
170 }
171
172 // Create the CertStatusRequestItemV2 with a StatusRequest
173 // that does not match the status_type argument.
174 // We expect IllegalArgumentException in this case.
175 try {
176 CertStatusReqItemV2 csriBadSR = new CertStatusReqItemV2(
177 StatusRequestType.OCSP_MULTI,
178 new BogusStatusRequest());
179 throw new RuntimeException("Constructor accepted a " +
180 "StatusRequest that is inconsistent with " +
181 "the status_type");
182 } catch (IllegalArgumentException iae) {
183 // The expected result...nothing to do here
184 }
185
186 pass = Boolean.TRUE;
187 } catch (Exception e) {
188 e.printStackTrace(System.out);
189 message = e.getClass().getName();
190 }
191
192 return new AbstractMap.SimpleEntry<>(pass, message);
193 }
194 };
195
196 // Test the constructor form that takes the data from a byte array
197 public static final TestCase testCtorByteArray = new TestCase() {
198 @Override
199 public Map.Entry<Boolean, String> runTest() {
200 Boolean pass = Boolean.FALSE;
201 String message = null;
202 try {
203 StatusRequestType sType;
204 StatusRequest sReq;
205 ResponderId checkRid =
206 new ResponderId(new X500Principal("CN=OCSP Signer"));
207 Extension checkExt = new OCSPNonceExtension(32);
208
209 CertStatusReqItemV2 csriv =
210 new CertStatusReqItemV2(CSRIV2_OCSP_1RID_1EXT);
211 sType = csriv.getType();
212 if (sType != StatusRequestType.OCSP) {
213 throw new RuntimeException("Unexpected StatusRequestType " +
214 sType.getClass().getName());
215 }
216
217 sReq = csriv.getRequest();
218 if (sReq instanceof OCSPStatusRequest) {
219 OCSPStatusRequest osr = (OCSPStatusRequest)sReq;
220 List<ResponderId> ridList = osr.getResponderIds();
221 List<Extension> extList = osr.getExtensions();
222
223 if (ridList.size() != 1 || !ridList.contains(checkRid)) {
224 throw new RuntimeException("Responder list mismatch");
225 } else if (extList.size() != 1 ||
226 !extList.get(0).getId().equals(checkExt.getId())) {
227 throw new RuntimeException("Extension list mismatch");
228 }
229 } else {
230 throw new RuntimeException("Expected OCSPStatusRequest " +
231 "from decoded bytes, got " +
232 sReq.getClass().getName());
233 }
234
235 // Create a CSRIV2 out of random data. A non-OCSP/OCSP_MULTI
236 // type will be forcibly set and the outer length field will
237 // be correct.
238 // The constructor should create a StatusRequestType object
239 // and an UnknownStatusRequest object consisting of the
240 // data segment.
241 byte[] junkData = new byte[48];
242 Random r = new Random(System.currentTimeMillis());
243 r.nextBytes(junkData);
244 junkData[0] = 7; // status_type = 7
245 junkData[1] = 0;
246 junkData[2] = 45; // request_length = 45
247 csriv = new CertStatusReqItemV2(junkData);
248
249 sType = csriv.getType();
250 sReq = csriv.getRequest();
251 if (sType.id != junkData[0]) {
252 throw new RuntimeException("StatusRequestType mismatch: " +
253 "expected 7, got " + sType.id);
254 }
255 if (sReq instanceof UnknownStatusRequest) {
256 // Verify the underlying StatusRequest bytes have been
257 // preserved correctly.
258 HandshakeOutStream hsout = new HandshakeOutStream(null);
259 sReq.send(hsout);
260 byte[] srDataOut = hsout.toByteArray();
261 TestUtils.valueCheck(srDataOut, junkData, 0, 3,
262 srDataOut.length);
263 } else {
264 throw new RuntimeException("StatusRequest mismatch: " +
265 "expected UnknownStatusRequest, got " +
266 sReq.getClass().getName());
267 }
268
269 // Test the parsing of the default OCSP/OCSP_MULTI extensions
270 // and make sure the underlying StatusRequestType and
271 // StatusRequest objects are correct.
272 csriv = new CertStatusReqItemV2(DEF_CSRIV2_OCSP_MULTI_BYTES);
273 sType = csriv.getType();
274 sReq = csriv.getRequest();
275 if (sType != StatusRequestType.OCSP_MULTI) {
276 throw new RuntimeException("StatusRequestType mismatch: " +
277 "expected OCSP_MULTI (2), got " + sType.id);
278 }
279 if (!(sReq instanceof OCSPStatusRequest)) {
280 throw new RuntimeException("StatusRequest mismatch: " +
281 "expected OCSPStatusRequest, got " +
282 sReq.getClass().getName());
283 }
284
285 csriv = new CertStatusReqItemV2(DEF_CSRIV2_OCSP_BYTES);
286 sType = csriv.getType();
287 sReq = csriv.getRequest();
288 if (sType != StatusRequestType.OCSP) {
289 throw new RuntimeException("StatusRequestType mismatch: " +
290 "expected OCSP (1), got " + sType.id);
291 }
292 if (!(sReq instanceof OCSPStatusRequest)) {
293 throw new RuntimeException("StatusRequest mismatch: " +
294 "expected OCSPStatusRequest, got " +
295 sReq.getClass().getName());
296 }
297
298 pass = Boolean.TRUE;
299 } catch (Exception e) {
300 e.printStackTrace(System.out);
301 message = e.getClass().getName();
302 }
303
304 return new AbstractMap.SimpleEntry<>(pass, message);
305 }
306 };
307
308 public static final TestCase testCtorInvalidLengths = new TestCase() {
309 @Override
310 public Map.Entry<Boolean, String> runTest() {
311 Boolean pass = Boolean.FALSE;
312 String message = null;
313 try {
314 try {
315 CertStatusReqItemV2 csriTooShort =
316 new CertStatusReqItemV2(CSRIV2_LENGTH_TOO_SHORT);
317 throw new RuntimeException("Expected exception not thrown");
318 } catch (SSLException ssle) { }
319
320 try {
321 CertStatusReqItemV2 csriTooLong =
322 new CertStatusReqItemV2(CSRIV2_LENGTH_TOO_LONG);
323 throw new RuntimeException("Expected exception not thrown");
324 } catch (SSLException ssle) { }
325
326 pass = Boolean.TRUE;
327 } catch (Exception e) {
328 e.printStackTrace(System.out);
329 message = e.getClass().getName();
330 }
331
332 return new AbstractMap.SimpleEntry<>(pass, message);
333 }
334 };
335
336 // Test the constructor form that takes the data from HandshakeInputStream
337 public static final TestCase testCtorInputStream = new TestCase() {
338 @Override
339 public Map.Entry<Boolean, String> runTest() {
340 Boolean pass = Boolean.FALSE;
341 String message = null;
342 try {
343 StatusRequestType sType;
344 StatusRequest sReq;
345 ResponderId checkRid =
346 new ResponderId(new X500Principal("CN=OCSP Signer"));
347 Extension checkExt = new OCSPNonceExtension(32);
348
349 HandshakeInStream hsis = new HandshakeInStream();
350 hsis.incomingRecord(ByteBuffer.wrap(CSRIV2_OCSP_1RID_1EXT));
351 CertStatusReqItemV2 csriv = new CertStatusReqItemV2(hsis);
352 sType = csriv.getType();
353 if (sType != StatusRequestType.OCSP) {
354 throw new RuntimeException("Unexpected StatusRequestType " +
355 sType.getClass().getName());
356 }
357
358 sReq = csriv.getRequest();
359 if (sReq instanceof OCSPStatusRequest) {
360 OCSPStatusRequest osr = (OCSPStatusRequest)sReq;
361 List<ResponderId> ridList = osr.getResponderIds();
362 List<Extension> extList = osr.getExtensions();
363
364 if (ridList.size() != 1 || !ridList.contains(checkRid)) {
365 throw new RuntimeException("Responder list mismatch");
366 } else if (extList.size() != 1 ||
367 !extList.get(0).getId().equals(checkExt.getId())) {
368 throw new RuntimeException("Extension list mismatch");
369 }
370 } else {
371 throw new RuntimeException("Expected OCSPStatusRequest " +
372 "from decoded bytes, got " +
373 sReq.getClass().getName());
374 }
375
376 // Create a CSRIV2 out of random data. A non-OCSP/OCSP_MULTI
377 // type will be forcibly set and the outer length field will
378 // be correct.
379 // The constructor should create a StatusRequestType object
380 // and an UnknownStatusRequest object consisting of the
381 // data segment.
382 byte[] junkData = new byte[48];
383 Random r = new Random(System.currentTimeMillis());
384 r.nextBytes(junkData);
385 junkData[0] = 7; // status_type = 7
386 junkData[1] = 0;
387 junkData[2] = 45; // request_length = 45
388 hsis = new HandshakeInStream();
389 hsis.incomingRecord(ByteBuffer.wrap(junkData));
390 csriv = new CertStatusReqItemV2(hsis);
391
392 sType = csriv.getType();
393 sReq = csriv.getRequest();
394 if (sType.id != junkData[0]) {
395 throw new RuntimeException("StatusRequestType mismatch: " +
396 "expected 7, got " + sType.id);
397 }
398 if (sReq instanceof UnknownStatusRequest) {
399 // Verify the underlying StatusRequest bytes have been
400 // preserved correctly.
401 HandshakeOutStream hsout = new HandshakeOutStream(null);
402 sReq.send(hsout);
403 byte[] srDataOut = hsout.toByteArray();
404 TestUtils.valueCheck(srDataOut, junkData, 0, 3,
405 srDataOut.length);
406 } else {
407 throw new RuntimeException("StatusRequest mismatch: " +
408 "expected UnknownStatusRequest, got " +
409 sReq.getClass().getName());
410 }
411
412 // Test the parsing of the default OCSP/OCSP_MULTI extensions
413 // and make sure the underlying StatusRequestType and
414 // StatusRequest objects are correct.
415 hsis = new HandshakeInStream();
416 hsis.incomingRecord(
417 ByteBuffer.wrap(DEF_CSRIV2_OCSP_MULTI_BYTES));
418 csriv = new CertStatusReqItemV2(hsis);
419 sType = csriv.getType();
420 sReq = csriv.getRequest();
421 if (sType != StatusRequestType.OCSP_MULTI) {
422 throw new RuntimeException("StatusRequestType mismatch: " +
423 "expected OCSP_MULTI (2), got " + sType.id);
424 }
425 if (!(sReq instanceof OCSPStatusRequest)) {
426 throw new RuntimeException("StatusRequest mismatch: " +
427 "expected OCSPStatusRequest, got " +
428 sReq.getClass().getName());
429 }
430
431 hsis = new HandshakeInStream();
432 hsis.incomingRecord(ByteBuffer.wrap(DEF_CSRIV2_OCSP_BYTES));
433 csriv = new CertStatusReqItemV2(hsis);
434 sType = csriv.getType();
435 sReq = csriv.getRequest();
436 if (sType != StatusRequestType.OCSP) {
437 throw new RuntimeException("StatusRequestType mismatch: " +
438 "expected OCSP (1), got " + sType.id);
439 }
440 if (!(sReq instanceof OCSPStatusRequest)) {
441 throw new RuntimeException("StatusRequest mismatch: " +
442 "expected OCSPStatusRequest, got " +
443 sReq.getClass().getName());
444 }
445
446 pass = Boolean.TRUE;
447 } catch (Exception e) {
448 e.printStackTrace(System.out);
449 message = e.getClass().getName();
450 }
451
452 return new AbstractMap.SimpleEntry<>(pass, message);
453 }
454 };
455 }