1 /*
2 * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /*
25 * @test
26 * @bug 6405536 6414980 8051972
27 * @summary Make sure that we can parse certificates using various named curves
28 * and verify their signatures
29 * @author Andreas Sterbenz
30 * @library ..
31 * @library ../../../../java/security/testlibrary
32 * @modules jdk.crypto.cryptoki
33 * @run main/othervm ReadCertificates
34 * @run main/othervm ReadCertificates sm policy
35 */
36
37 import java.io.File;
38 import java.io.FileInputStream;
39 import java.io.InputStream;
40 import java.security.InvalidKeyException;
41 import java.security.NoSuchAlgorithmException;
42 import java.security.NoSuchProviderException;
43 import java.security.Provider;
44 import java.security.PublicKey;
45 import java.security.SecureRandom;
46 import java.security.SignatureException;
47 import java.security.cert.CertificateException;
48 import java.security.cert.CertificateFactory;
49 import java.security.cert.X509Certificate;
50 import java.security.interfaces.ECPublicKey;
51 import java.security.spec.ECParameterSpec;
52 import java.util.ArrayList;
53 import java.util.Arrays;
54 import java.util.Collection;
55 import java.util.LinkedHashMap;
56 import java.util.List;
57 import java.util.Map;
58 import javax.security.auth.x500.X500Principal;
59
60 public class ReadCertificates extends PKCS11Test {
61
62 private static CertificateFactory factory;
63
64 private static SecureRandom random;
65
66 private static Collection<X509Certificate> readCertificates(File file) throws Exception {
67 System.out.println("Loading " + file.getName() + "...");
68 Collection<X509Certificate> certs;
69 try (InputStream in = new FileInputStream(file)) {
70 certs = (Collection<X509Certificate>)factory.generateCertificates(in);
71 }
72 return certs;
73 }
74
75 public static void main(String[] args) throws Exception {
76 main(new ReadCertificates(), args);
77 }
78
79 @Override
80 public void main(Provider p) throws Exception {
81 if (p.getService("Signature", "SHA1withECDSA") == null) {
82 System.out.println("Provider does not support ECDSA, skipping...");
83 return;
84 }
85
86 /*
87 * PKCS11Test.main will remove this provider if needed
88 */
89 Providers.setAt(p, 1);
90
91 random = new SecureRandom();
92 factory = CertificateFactory.getInstance("X.509");
93 try {
94 // clear certificate cache in from a previous run with a different
95 // provider (undocumented hack for the Sun provider)
96 factory.generateCertificate(null);
97 } catch (CertificateException e) {
98 // ignore
99 }
100 Map<X500Principal,X509Certificate> certs = new LinkedHashMap<>();
101
102 File dir = new File(BASE, "certs");
103 File closedDir = new File(CLOSED_BASE, "certs");
104 File[] files = concat(dir.listFiles(), closedDir.listFiles());
105 Arrays.sort(files);
106 for (File file : files) {
107 if (file.isFile() == false) {
108 continue;
109 }
110 Collection<X509Certificate> certList = readCertificates(file);
111 for (X509Certificate cert : certList) {
112 X509Certificate old = certs.put(cert.getSubjectX500Principal(), cert);
113 if (old != null) {
114 System.out.println("Duplicate subject:");
115 System.out.println("Old Certificate: " + old);
116 System.out.println("New Certificate: " + cert);
117 throw new Exception(file.getPath());
118 }
119 }
120 }
121 System.out.println("OK: " + certs.size() + " certificates.");
122
123 // Get supported curves
124 List<ECParameterSpec> supportedEC = getKnownCurves(p);
125
126 System.out.println("Test Certs:\n");
127 for (X509Certificate cert : certs.values()) {
128 X509Certificate issuer = certs.get(cert.getIssuerX500Principal());
129 System.out.print("Verifying " + cert.getSubjectX500Principal() +
130 "... ");
131 PublicKey key = issuer.getPublicKey();
132 // Check if curve is supported
133 if (issuer.getPublicKey() instanceof ECPublicKey) {
134 if (!checkSupport(supportedEC,
135 ((ECPublicKey)key).getParams())) {
136 System.out.println("Curve not found. Skipped.");
137 continue;
138 }
139 }
140
141 try {
142 cert.verify(key, p.getName());
143 System.out.println("Pass.");
144 } catch (NoSuchAlgorithmException e) {
145 System.out.println("Warning: " + e.getMessage() +
146 ". Trying another provider...");
147 cert.verify(key);
148 } catch (CertificateException | InvalidKeyException |
149 NoSuchProviderException | SignatureException e) {
150 System.out.println(e.getMessage());
151 if (key instanceof ECPublicKey) {
152 System.out.println("Failed.\n\tCurve: " +
153 ((ECPublicKey)key).getParams() +
154 "\n\tSignature Alg: " + cert.getSigAlgName());
155 } else {
156 System.out.println("Key: "+key.toString());
157 }
158
159 System.err.println("Verifying " + cert.getSubjectX500Principal());
160 e.printStackTrace();
161 }
162 }
163
164 // try some random invalid signatures to make sure we get the correct
165 // error
166 System.out.println("Checking incorrect signatures...");
167 List<X509Certificate> certList = new ArrayList<>(certs.values());
168 for (int i = 0; i < 20; i++) {
169 X509Certificate cert, signer;
170 do {
171 cert = getRandomCert(certList);
172 signer = getRandomCert(certList);
173 } while (cert.getIssuerX500Principal().equals(signer.getSubjectX500Principal()));
174 try {
175 PublicKey signerPublicKey = signer.getPublicKey();
176 cert.verify(signerPublicKey);
177 // Ignore false positives
178 if (cert.getPublicKey().equals(signerPublicKey)) {
179 System.out.println("OK: self-signed certificate detected");
180 } else {
181 throw new Exception("Verified invalid signature");
182 }
183 } catch (SignatureException | InvalidKeyException e) {
184 System.out.println("OK: " + e);
185 }
186 }
187
188 System.out.println("OK");
189 }
190
191 private static X509Certificate getRandomCert(List<X509Certificate> certs) {
192 int n = random.nextInt(certs.size());
193 return certs.get(n);
194 }
195
196 }