/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8046321
* @summary OCSP Stapling for TLS (ResponderId tests)
* @modules java.base/sun.security.provider.certpath
* java.base/sun.security.x509
*/
import java.io.*;
import java.security.cert.*;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.Map;
import java.util.List;
import java.util.ArrayList;
import javax.security.auth.x500.X500Principal;
import sun.security.x509.KeyIdentifier;
import sun.security.provider.certpath.ResponderId;
/*
* NOTE: this test uses Sun private classes which are subject to change.
*/
public class ResponderIdTests {
private static final boolean debug = true;
// Source certificate created with the following command:
// keytool -genkeypair -alias test1 -keyalg rsa -keysize 2048 \
// -validity 7300 -keystore test1.jks \
// -dname "CN=SelfSignedResponder, OU=Validation Services, O=FakeCompany"
private static final String RESP_CERT_1 =
"-----BEGIN CERTIFICATE-----\n" +
"MIIDQzCCAiugAwIBAgIEXTqCCjANBgkqhkiG9w0BAQsFADBSMRQwEgYDVQQKEwtG\n" +
"YWtlQ29tcGFueTEcMBoGA1UECxMTVmFsaWRhdGlvbiBTZXJ2aWNlczEcMBoGA1UE\n" +
"AxMTU2VsZlNpZ25lZFJlc3BvbmRlcjAeFw0xNDA4MTcwNDM2MzBaFw0zNDA4MTIw\n" +
"NDM2MzBaMFIxFDASBgNVBAoTC0Zha2VDb21wYW55MRwwGgYDVQQLExNWYWxpZGF0\n" +
"aW9uIFNlcnZpY2VzMRwwGgYDVQQDExNTZWxmU2lnbmVkUmVzcG9uZGVyMIIBIjAN\n" +
"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApt2Cmw2k9tviLxaxE8aWNuoosWKL\n" +
"h+K4mNcDGKSoiChsqRqeJEnOxijDZqyFwfkaXvpAduFqYjz+Lij2HumvAjHDTui6\n" +
"bGcbsndRDPjvVo1S7f1oWsg7oiA8Lzmjl452S7UNBsDX5Dt1e84Xxwi40B1J2y8D\n" +
"FRPfYRWRlC1Z4kzqkBBa7JhANS+W8KDstFZxL4AwWH/byNwB5dl2j04ohg/Ar54e\n" +
"mu08PIH3hmi0pAu5wn9ariA7UA5lFWRJzvgGXV5J+QVEFuvKmeJ/Q6tU5OBJGw98\n" +
"zjd7F5B0iE+rJHTNF1aGaQfIorz04onV2WjH2VZA18AaMwqlY2br1SBdTQIDAQAB\n" +
"oyEwHzAdBgNVHQ4EFgQUG09HasSTYaTIh/CxxV/rcJV1LvowDQYJKoZIhvcNAQEL\n" +
"BQADggEBAIcUomNpZxGkocIzzybLyeyC6vLF1k0/unuPAHZLDP3o2JTstPhLHOCg\n" +
"FYw1VG2i23pjwKK2x/o80tJAOmW6vowbAPnNmtNIYO3gB/ZGiKeORoGKBCRDNvFa\n" +
"6ZrWxwTzT3EpVwRe7ameES0uP8+S4q2P5LhwMIMw7vGHoOQJgkAh/NUiCli1qRnJ\n" +
"FYd6cHMJJK5gF2FqQ7tdbA26pS06bkIEvil2M5wyKKWOydOa/pr1LgMf9KxljJ8J\n" +
"XlAOO/mGZGkYmWnQaQuBIDyWunWYlhsyCXMa8AScgs0uUeQp19tO7R0f03q/JXoZ\n" +
"1At1gZiMS7SdQaRWP5q+FunAeFWjsFE=\n" +
"-----END CERTIFICATE-----";
private static final String RESP_CERT_1_SUBJ =
"CN=SelfSignedResponder, OU=Validation Services, O=FakeCompany";
private static X509Certificate cert = null;
// The expected DER-encoding for a byName ResponderId derived
// from RESP_CERT_1
private static final byte[] EXP_NAME_ID_BYTES = {
-95, 84, 48, 82, 49, 20, 48, 18,
6, 3, 85, 4, 10, 19, 11, 70,
97, 107, 101, 67, 111, 109, 112, 97,
110, 121, 49, 28, 48, 26, 6, 3,
85, 4, 11, 19, 19, 86, 97, 108,
105, 100, 97, 116, 105, 111, 110, 32,
83, 101, 114, 118, 105, 99, 101, 115,
49, 28, 48, 26, 6, 3, 85, 4,
3, 19, 19, 83, 101, 108, 102, 83,
105, 103, 110, 101, 100, 82, 101, 115,
112, 111, 110, 100, 101, 114
};
// The expected DER-encoding for a byKey ResponderId derived
// from RESP_CERT_1
private static final byte[] EXP_KEY_ID_BYTES = {
-94, 22, 4, 20, 27, 79, 71, 106,
-60, -109, 97, -92, -56, -121, -16, -79,
-59, 95, -21, 112, -107, 117, 46, -6
};
// The DER encoding of a byKey ResponderId, but using an
// incorrect explicit tagging (CONTEXT CONSTRUCTED 3)
private static final byte[] INV_EXPLICIT_TAG_KEY_ID = {
-93, 22, 4, 20, 27, 79, 71, 106,
-60, -109, 97, -92, -56, -121, -16, -79,
-59, 95, -21, 112, -107, 117, 46, -6
};
// These two ResponderId objects will have objects attached to them
// after the pos_CtorByName and pos_CtorByKeyId tests run. Those
// two tests should always be the first two that run.
public static ResponderId respByName;
public static ResponderId respByKeyId;
public static void main(String[] args) throws Exception {
List<TestCase> testList = new ArrayList<>();
testList.add(pos_CtorByName);
testList.add(pos_CtorByKeyId);
testList.add(pos_CtorByEncoding);
testList.add(neg_CtorByEncoding);
testList.add(pos_Equality);
testList.add(pos_GetEncoded);
testList.add(pos_GetRespName);
testList.add(pos_GetRespKeyId);
// Load the certificate object we can use for subsequent tests
CertificateFactory cf = CertificateFactory.getInstance("X.509");
cert = (X509Certificate)cf.generateCertificate(
new ByteArrayInputStream(RESP_CERT_1.getBytes()));
System.out.println("============ Tests ============");
int testNo = 0;
int numberFailed = 0;
Map.Entry<Boolean, String> result;
for (TestCase test : testList) {
System.out.println("Test " + ++testNo + ": " + test.getName());
result = test.runTest();
System.out.print("Result: " + (result.getKey() ? "PASS" : "FAIL"));
System.out.println(" " +
(result.getValue() != null ? result.getValue() : ""));
System.out.println("-------------------------------------------");
if (!result.getKey()) {
numberFailed++;
}
}
System.out.println("End Results: " + (testList.size() - numberFailed) +
" Passed" + ", " + numberFailed + " Failed.");
if (numberFailed > 0) {
throw new RuntimeException(
"One or more tests failed, see test output for details");
}
}
private static void dumpHexBytes(byte[] data) {
if (data != null) {
for (int i = 0; i < data.length; i++) {
if (i % 16 == 0 && i != 0) {
System.out.print("\n");
}
System.out.print(String.format("%02X ", data[i]));
}
System.out.print("\n");
}
}
public interface TestCase {
String getName();
Map.Entry<Boolean, String> runTest();
}
public static final TestCase pos_CtorByName = new TestCase() {
@Override
public String getName() {
return "CTOR Test (by-name)";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
respByName = new ResponderId(cert.getSubjectX500Principal());
pass = Boolean.TRUE;
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase pos_CtorByKeyId = new TestCase() {
@Override
public String getName() {
return "CTOR Test (by-keyID)";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
respByKeyId = new ResponderId(cert.getPublicKey());
pass = Boolean.TRUE;
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase pos_CtorByEncoding = new TestCase() {
@Override
public String getName() {
return "CTOR Test (encoded bytes)";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
ResponderId ridByNameBytes = new ResponderId(EXP_NAME_ID_BYTES);
ResponderId ridByKeyIdBytes = new ResponderId(EXP_KEY_ID_BYTES);
if (!ridByNameBytes.equals(respByName)) {
throw new RuntimeException(
"Equals failed: respNameFromBytes vs. respByName");
} else if (!ridByKeyIdBytes.equals(respByKeyId)) {
throw new RuntimeException(
"Equals failed: respKeyFromBytes vs. respByKeyId");
}
pass = Boolean.TRUE;
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase neg_CtorByEncoding = new TestCase() {
@Override
public String getName() {
return "CTOR Test (by encoding, unknown explicit tag)";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
ResponderId ridByKeyIdBytes =
new ResponderId(INV_EXPLICIT_TAG_KEY_ID);
throw new RuntimeException("Expected IOException not thrown");
} catch (IOException ioe) {
// Make sure it's the IOException we're looking for
if (ioe.getMessage().contains("Invalid ResponderId content")) {
pass = Boolean.TRUE;
} else {
ioe.printStackTrace(System.out);
message = ioe.getClass().getName();
}
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase pos_Equality = new TestCase() {
@Override
public String getName() {
return "Simple Equality Test";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
// byName ResponderId equality test
ResponderId compName =
new ResponderId(new X500Principal(RESP_CERT_1_SUBJ));
if (!respByName.equals(compName)) {
message = "ResponderId mismatch in byName comparison";
} else if (respByKeyId.equals(compName)) {
message = "Invalid ResponderId match in byKeyId comparison";
} else {
pass = Boolean.TRUE;
}
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase pos_GetEncoded = new TestCase() {
@Override
public String getName() {
return "Get Encoded Value";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
// Pull out byName and byKey encodings, they should match
// the expected values
if (!Arrays.equals(respByName.getEncoded(), EXP_NAME_ID_BYTES)) {
message = "ResponderId byName encoding did not " +
"match expected value";
} else if (!Arrays.equals(respByKeyId.getEncoded(), EXP_KEY_ID_BYTES)) {
message = "ResponderId byKeyId encoding did not " +
"match expected value";
} else {
pass = Boolean.TRUE;
}
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase pos_GetRespName = new TestCase() {
@Override
public String getName() {
return "Get Underlying Responder Name";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
// Test methods for pulling out the underlying
// X500Principal object
X500Principal testPrincipal =
new X500Principal(RESP_CERT_1_SUBJ);
if (!respByName.getResponderName().equals(testPrincipal)) {
message = "ResponderId Name did not match expected value";
} else if (respByKeyId.getResponderName() != null) {
message = "Non-null responder name returned from " +
"ResponderId constructed byKey";
} else {
pass = Boolean.TRUE;
}
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
public static final TestCase pos_GetRespKeyId = new TestCase() {
@Override
public String getName() {
return "Get Underlying Responder Key ID";
}
@Override
public Map.Entry<Boolean, String> runTest() {
Boolean pass = Boolean.FALSE;
String message = null;
try {
// Test methods for pulling out the underlying
// KeyIdentifier object. Note: There is a minute chance that
// an RSA public key, once hashed into a key ID might collide
// with the one extracted from the certificate used to create
// respByKeyId. This is so unlikely to happen it is considered
// virtually impossible.
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(2048);
KeyPair rsaKey = kpg.generateKeyPair();
KeyIdentifier testKeyId = new KeyIdentifier(rsaKey.getPublic());
if (respByKeyId.getKeyIdentifier().equals(testKeyId)) {
message = "Unexpected match in ResponderId Key ID";
} else if (respByName.getKeyIdentifier() != null) {
message = "Non-null key ID returned from " +
"ResponderId constructed byName";
} else {
pass = Boolean.TRUE;
}
} catch (Exception e) {
e.printStackTrace(System.out);
message = e.getClass().getName();
}
return new AbstractMap.SimpleEntry<>(pass, message);
}
};
}