| package org.bouncycastle.jce.provider.test; |
| |
| import org.bouncycastle.asn1.DEROctetString; |
| import org.bouncycastle.asn1.x509.GeneralName; |
| import org.bouncycastle.asn1.x509.GeneralSubtree; |
| import org.bouncycastle.jce.provider.PKIXNameConstraintValidator; |
| import org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException; |
| import org.bouncycastle.util.test.SimpleTest; |
| |
| /** |
| * Test class for {@link PKIXNameConstraintValidator}. |
| * <p> |
| * The field testXYZ is the name to test. |
| * <p> |
| * The field testXYZIsConstraint must be tested if it is permitted and excluded. |
| * <p> |
| * The field testXYZIsNotConstraint must be tested if it is not permitted and |
| * not excluded. |
| * <p> |
| * Furthermore there are tests for the intersection and union of test names. |
| * |
| */ |
| public class PKIXNameConstraintsTest |
| extends SimpleTest |
| { |
| |
| private final static String testEmail = "test@abc.test.com"; |
| |
| private final static String testEmailIsConstraint[] = |
| { "test@abc.test.com", "abc.test.com", ".test.com" }; |
| |
| private final static String testEmailIsNotConstraint[] = |
| { ".abc.test.com", "www.test.com", "test1@abc.test.com", "bc.test.com" }; |
| |
| private final static String email1[] = |
| { "test@test.com", "test@test.com", "test@test.com", "test@abc.test.com", |
| "test@test.com", "test@test.com", ".test.com", ".test.com", |
| ".test.com", ".test.com", "test.com", "abc.test.com", |
| "abc.test1.com", "test.com", "test.com", ".test.com" }; |
| |
| private final static String email2[] = |
| { "test@test.abc.com", "test@test.com", ".test.com", ".test.com", |
| "test.com", "test1.com", "test@test.com", ".test.com", |
| ".test1.com", "test.com", "test.com", ".test.com", ".test.com", |
| "test1.com", ".test.com", "abc.test.com" }; |
| |
| private final static String emailintersect[] = |
| { null, "test@test.com", null, "test@abc.test.com", "test@test.com", null, |
| null, ".test.com", null, null, "test.com", "abc.test.com", null, |
| null, null, "abc.test.com" }; |
| |
| private final static String emailunion[][] = |
| { |
| { "test@test.com", "test@test.abc.com" }, |
| { "test@test.com" }, |
| { "test@test.com", ".test.com" }, |
| { ".test.com" }, |
| { "test.com" }, |
| { "test@test.com", "test1.com" }, |
| { ".test.com", "test@test.com" }, |
| { ".test.com" }, |
| { ".test.com", ".test1.com" }, |
| { ".test.com", "test.com" }, |
| { "test.com" }, |
| { ".test.com" }, |
| { ".test.com", "abc.test1.com" }, |
| { "test1.com", "test.com" }, |
| { ".test.com", "test.com" }, |
| { ".test.com" } }; |
| |
| private final static String[] dn1 = |
| { "O=test org, OU=test org unit, CN=John Doe" }; |
| |
| private final static String[] dn2 = |
| { "O=test org, OU=test org unit" }; |
| |
| private final static String[][] dnUnion = |
| { |
| { "O=test org, OU=test org unit" } }; |
| |
| private final static String[] dnIntersection = |
| { "O=test org, OU=test org unit, CN=John Doe" }; |
| |
| private final static String testDN = "O=test org, OU=test org unit, CN=John Doe"; |
| |
| private final static String testDNIsConstraint[] = |
| { "O=test org, OU=test org unit", |
| "O=test org, OU=test org unit, CN=John Doe" }; |
| |
| private final static String testDNIsNotConstraint[] = |
| { "O=test org, OU=test org unit, CN=John Doe2", |
| "O=test org, OU=test org unit2", |
| "OU=test org unit, O=test org, CN=John Doe", |
| "O=test org, OU=test org unit, CN=John Doe, L=USA" }; |
| |
| private final static String testDNS = "abc.test.com"; |
| |
| private final static String testDNSIsConstraint[] = |
| { "test.com", "abc.test.com", "test.com" }; |
| |
| private final static String testDNSIsNotConstraint[] = |
| { "wwww.test.com", "ww.test.com", "www.test.com" }; |
| |
| private final static String dns1[] = |
| { "www.test.de", "www.test1.de", "www.test.de" }; |
| |
| private final static String dns2[] = |
| { "test.de", "www.test.de", "www.test.de" }; |
| |
| private final static String dnsintersect[] = |
| { "www.test.de", null, null }; |
| |
| private final static String dnsunion[][] = |
| { |
| { "test.de" }, |
| { "www.test1.de", "www.test.de" }, |
| { "www.test.de" } }; |
| |
| private final static String testURI = "http://karsten:password@abc.test.com:8080"; |
| |
| private final static String testURIIsConstraint[] = |
| { "abc.test.com", ".test.com" }; |
| |
| private final static String testURIIsNotConstraint[] = |
| { "xyz.test.com", ".abc.test.com" }; |
| |
| private final static String uri1[] = |
| { "www.test.de", ".test.de", "test1.de", ".test.de" }; |
| |
| private final static String uri2[] = |
| { "test.de", "www.test.de", "test1.de", ".test.de" }; |
| |
| private final static String uriintersect[] = |
| { null, "www.test.de", "test1.de", ".test.de" }; |
| |
| private final static String uriunion[][] = |
| { |
| { "www.test.de", "test.de" }, |
| { ".test.de" }, |
| { "test1.de" }, |
| { ".test.de" } }; |
| |
| private final static byte[] testIP = |
| |
| { (byte) 192, (byte) 168, 1, 2 }; |
| |
| private final static byte[][] testIPIsConstraint = |
| { |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0 }, |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 4 } }; |
| |
| private final static byte[][] testIPIsNotConstraint = |
| { |
| { (byte) 192, (byte) 168, 3, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 2 }, |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 3 } }; |
| |
| private final static byte[][] ip1 = |
| { |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFE, (byte) 0xFF }, |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0xFF }, |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0x00 } }; |
| |
| private final static byte[][] ip2 = |
| { |
| { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFC, 3 }, |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0xFF }, |
| { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0x00 } }; |
| |
| private final static byte[][] ipintersect = |
| { |
| { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFE, (byte) 0xFF }, |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0xFF }, null }; |
| |
| private final static byte[][][] ipunion = |
| { |
| { |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFE, (byte) 0xFF }, |
| { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFC, 3 } }, |
| { |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0xFF } }, |
| { |
| { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0x00 }, |
| { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, |
| (byte) 0xFF, (byte) 0x00 } } }; |
| |
| public String getName() |
| { |
| return "PKIXNameConstraintsTest"; |
| } |
| |
| public void performTest() throws Exception |
| { |
| testConstraints(GeneralName.rfc822Name, testEmail, |
| testEmailIsConstraint, testEmailIsNotConstraint, email1, email2, |
| emailunion, emailintersect); |
| testConstraints(GeneralName.dNSName, testDNS, testDNSIsConstraint, |
| testDNSIsNotConstraint, dns1, dns2, dnsunion, dnsintersect); |
| testConstraints(GeneralName.directoryName, testDN, testDNIsConstraint, |
| testDNIsNotConstraint, dn1, dn2, dnUnion, dnIntersection); |
| testConstraints(GeneralName.uniformResourceIdentifier, testURI, |
| testURIIsConstraint, testURIIsNotConstraint, uri1, uri2, uriunion, |
| uriintersect); |
| testConstraints(GeneralName.iPAddress, testIP, testIPIsConstraint, |
| testIPIsNotConstraint, ip1, ip2, ipunion, ipintersect); |
| } |
| |
| /** |
| * Tests string based GeneralNames for inclusion or exclusion. |
| * |
| * @param nameType The {@link GeneralName} type to test. |
| * @param testName The name to test. |
| * @param testNameIsConstraint The names where <code>testName</code> must |
| * be included and excluded. |
| * @param testNameIsNotConstraint The names where <code>testName</code> |
| * must not be excluded and included. |
| * @param testNames1 Operand 1 of test names to use for union and |
| * intersection testing. |
| * @param testNames2 Operand 2 of test names to use for union and |
| * intersection testing. |
| * @param testUnion The union results. |
| * @param testInterSection The intersection results. |
| * @throws Exception If an unexpected exception occurs. |
| */ |
| private void testConstraints( |
| int nameType, |
| String testName, |
| String[] testNameIsConstraint, |
| String[] testNameIsNotConstraint, |
| String[] testNames1, |
| String[] testNames2, |
| String[][] testUnion, |
| String[] testInterSection) throws Exception |
| { |
| for (int i = 0; i < testNameIsConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, testNameIsConstraint[i]))); |
| constraintValidator.checkPermitted(new GeneralName(nameType, testName)); |
| } |
| for (int i = 0; i < testNameIsNotConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, testNameIsNotConstraint[i]))); |
| try |
| { |
| constraintValidator.checkPermitted(new GeneralName(nameType, testName)); |
| fail("not permitted name allowed: " + nameType); |
| } |
| catch (PKIXNameConstraintValidatorException e) |
| { |
| // expected |
| } |
| } |
| for (int i = 0; i < testNameIsConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, testNameIsConstraint[i]))); |
| try |
| { |
| constraintValidator.checkExcluded(new GeneralName(nameType, testName)); |
| fail("excluded name missed: " + nameType); |
| } |
| catch (PKIXNameConstraintValidatorException e) |
| { |
| // expected |
| } |
| } |
| for (int i = 0; i < testNameIsNotConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, testNameIsNotConstraint[i]))); |
| constraintValidator.checkExcluded(new GeneralName(nameType, testName)); |
| } |
| for (int i = 0; i < testNames1.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, testNames1[i]))); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, testNames2[i]))); |
| PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator(); |
| for (int j = 0; j < testUnion[i].length; j++) |
| { |
| constraints2.addExcludedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, testUnion[i][j]))); |
| } |
| if (!constraints2.equals(constraintValidator)) |
| { |
| fail("union wrong: " + nameType); |
| } |
| constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, testNames1[i]))); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, testNames2[i]))); |
| constraints2 = new PKIXNameConstraintValidator(); |
| if (testInterSection[i] != null) |
| { |
| constraints2.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, testInterSection[i]))); |
| } |
| else |
| { |
| constraints2.intersectEmptyPermittedSubtree(nameType); |
| } |
| if (!constraints2.equals(constraintValidator)) |
| { |
| fail("intersection wrong: " + nameType); |
| } |
| } |
| } |
| |
| /** |
| * Tests byte array based GeneralNames for inclusion or exclusion. |
| * |
| * @param nameType The {@link GeneralName} type to test. |
| * @param testName The name to test. |
| * @param testNameIsConstraint The names where <code>testName</code> must |
| * be included and excluded. |
| * @param testNameIsNotConstraint The names where <code>testName</code> |
| * must not be excluded and included. |
| * @param testNames1 Operand 1 of test names to use for union and |
| * intersection testing. |
| * @param testNames2 Operand 2 of test names to use for union and |
| * intersection testing. |
| * @param testUnion The union results. |
| * @param testInterSection The intersection results. |
| * @throws Exception If an unexpected exception occurs. |
| */ |
| private void testConstraints( |
| int nameType, |
| byte[] testName, |
| byte[][] testNameIsConstraint, |
| byte[][] testNameIsNotConstraint, |
| byte[][] testNames1, |
| byte[][] testNames2, |
| byte[][][] testUnion, |
| byte[][] testInterSection) throws Exception |
| { |
| for (int i = 0; i < testNameIsConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, new DEROctetString( |
| testNameIsConstraint[i])))); |
| constraintValidator.checkPermitted(new GeneralName(nameType, |
| new DEROctetString(testName))); |
| } |
| for (int i = 0; i < testNameIsNotConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, new DEROctetString( |
| testNameIsNotConstraint[i])))); |
| try |
| { |
| constraintValidator.checkPermitted(new GeneralName(nameType, |
| new DEROctetString(testName))); |
| fail("not permitted name allowed: " + nameType); |
| } |
| catch (PKIXNameConstraintValidatorException e) |
| { |
| // expected |
| } |
| } |
| for (int i = 0; i < testNameIsConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, new DEROctetString(testNameIsConstraint[i])))); |
| try |
| { |
| constraintValidator.checkExcluded(new GeneralName(nameType, |
| new DEROctetString(testName))); |
| fail("excluded name missed: " + nameType); |
| } |
| catch (PKIXNameConstraintValidatorException e) |
| { |
| // expected |
| } |
| } |
| for (int i = 0; i < testNameIsNotConstraint.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, new DEROctetString(testNameIsNotConstraint[i])))); |
| constraintValidator.checkExcluded(new GeneralName(nameType, |
| new DEROctetString(testName))); |
| } |
| for (int i = 0; i < testNames1.length; i++) |
| { |
| PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, new DEROctetString(testNames1[i])))); |
| constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( |
| nameType, new DEROctetString(testNames2[i])))); |
| PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator(); |
| for (int j = 0; j < testUnion[i].length; j++) |
| { |
| constraints2.addExcludedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, new DEROctetString( |
| testUnion[i][j])))); |
| } |
| if (!constraints2.equals(constraintValidator)) |
| { |
| fail("union wrong: " + nameType); |
| } |
| constraintValidator = new PKIXNameConstraintValidator(); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, new DEROctetString(testNames1[i])))); |
| constraintValidator.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, new DEROctetString(testNames2[i])))); |
| constraints2 = new PKIXNameConstraintValidator(); |
| if (testInterSection[i] != null) |
| { |
| constraints2.intersectPermittedSubtree(new GeneralSubtree( |
| new GeneralName(nameType, new DEROctetString( |
| testInterSection[i])))); |
| } |
| else |
| { |
| constraints2.intersectEmptyPermittedSubtree(nameType); |
| } |
| |
| if (!constraints2.equals(constraintValidator)) |
| { |
| fail("intersection wrong: " + nameType); |
| } |
| } |
| } |
| |
| public static void main(String[] args) |
| { |
| runTest(new PKIXNameConstraintsTest()); |
| } |
| } |