bcpkix/src/main/java/org/bouncycastle/cert/test/CertPathLoopTest.java - platform/external/bouncycastle - Git at Google

 package org.bouncycastle.cert.test;

 import java.math.BigInteger;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.Security;
 import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathBuilderException;
 import java.security.cert.CertPathBuilderResult;
 import java.security.cert.CertStore;
 import java.security.cert.CertStoreParameters;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509CRL;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.GregorianCalendar;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;

 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.KeyUsage;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509CRLHolder;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v2CRLBuilder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.util.test.SimpleTest;


 /**
  * BC bug test case.
  */
 public class CertPathLoopTest
     extends SimpleTest
 {
     /**
      * List of trust anchors
      */
     private static Set<TrustAnchor> taSet;
     /**
      * List of certificates and CRLs
      */
     private static List<Object> otherList;

     /**
      * Asks the user about the configuration he want's to test
      *
      * @param caA
      * @param caB
      */
     private static void checkUseDistinctCAs(CA caA, CA caB)
     {
         //Standard configuration : everything in caA
         taSet = new HashSet<TrustAnchor>();
         taSet.add(caA.ta);
         otherList = new ArrayList<Object>();
         otherList.add(caA.acCertCrl);
         otherList.add(caA.crl);
         //User specified configuration : parts of caB

         taSet.add(caB.ta);
         otherList.add(caB.acCertCrl);
         otherList.add(caB.crl);
     }

     /**
      * Creates a collection cert store
      */
     static CertStore getStore(Collection col)
         throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
     {
         CertStoreParameters csp = new CollectionCertStoreParameters(col);
         return CertStore.getInstance("Collection", csp);
     }

     public String getName()
     {
         return "CertPath Loop Test";
     }

     public void performTest()
         throws Exception
     {
               //Add the provider
         Security.addProvider(new BouncyCastleProvider());
         //Generate two Cert authorities
         CA caA = new CA();
         CA caB = new CA();
         //Ask the user the conf he want's to test
         checkUseDistinctCAs(caA, caB);

         //Let's create a target cert under caA
         X509CertSelector target = new X509CertSelector();
         target.setCertificate(caA.makeNewCert());
         //create control parameters
         PKIXBuilderParameters params = new PKIXBuilderParameters(taSet, target);
         params.addCertStore(getStore(Collections.singleton(target.getCertificate())));
         params.addCertStore(getStore(otherList));
         //enable revocation check
         params.setRevocationEnabled(true);

         //Lets Build the path
         try
         {
             CertPathBuilderResult cpbr = CertPathBuilder.getInstance("PKIX", "BC").build(params);

             fail("invalid path build");
         }
         catch (CertPathBuilderException e)
         {
             if (!e.getCause().getMessage().equals("CertPath for CRL signer failed to validate."))
             {
                 fail("Exception thrown, but wrong one", e.getCause());
             }
         }
     }

     /**
      * Class simulating a certification authority
      */
     private static class CA
     {
         /**
          * key pair generator
          */
         final static KeyPairGenerator kpg;

         static
         {
             try
             {
                 kpg = KeyPairGenerator.getInstance("RSA");
                 //Key size doesn't matter, smaller == Faster
                 kpg.initialize(512);
             }
             catch (NoSuchAlgorithmException e)
             {
                 throw new RuntimeException(e);
             }
         }

         /**
          * KeyPair signing certificates
          */
         private KeyPair caCertKp;
         /**
          * KeyPair signing CRLs
          */
         private KeyPair caCrlKp;
         TrustAnchor ta;
         /**
          * Subject of this CA
          */
         X500Name acSubject;
         /**
          * Certificate signing certificates
          */
         X509Certificate acCertAc;
         /**
          * Certificate signing CRLs
          */
         X509Certificate acCertCrl;
         /**
          * the CRL
          */
         X509CRL crl;
         /**
          * Signers
          */
         private ContentSigner caCrlSigner, caCertSigner;
         /**
          * Serial number counter
          */
         private int counter = 1;

         /**
          * Constructor
          */
         public CA()
             throws Exception
         {
             //Init both keypairs
             caCertKp = kpg.generateKeyPair();
             caCrlKp = kpg.generateKeyPair();
             //subject
             acSubject = new X500Name("CN=AC_0");
             //validity
             GregorianCalendar gc = new GregorianCalendar();
             Date notBefore = gc.getTime();
             gc.add(GregorianCalendar.DAY_OF_YEAR, 1);
             Date notAfter = gc.getTime();
             //first signer
             caCertSigner = new JcaContentSignerBuilder("SHA1withRSA").build(caCertKp.getPrivate());
             //top level : issuer is self
             X500Name issuer = acSubject;
             //reserved for future use (another test case)
             ContentSigner thisAcSigner = caCertSigner;
             //reserved for future use (another test case)
             //First certificate: Certificate authority (BasicConstraints=true) but not CRLSigner
             X509CertificateHolder certH = new X509v3CertificateBuilder(
                 issuer, BigInteger.valueOf(counter++), notBefore, notAfter, acSubject, getPublicKeyInfo(caCertKp.getPublic()))
                 .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
                 .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign))
                 .build(thisAcSigner);
             //lets convert to X509Certificate
             acCertAc = convert(certH);
             //and build a trust Anchor
             ta = new TrustAnchor(acCertAc, null);

             //Second signer
             caCrlSigner = new JcaContentSignerBuilder("SHA1withRSA").build(caCrlKp.getPrivate());
             //second certificate: CRLSigner but not Certificate authority (BasicConstraints=false)
             certH = new X509v3CertificateBuilder(
                 issuer, BigInteger.valueOf(counter++), notBefore, notAfter, acSubject, getPublicKeyInfo(caCrlKp.getPublic()))
                 .addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
                 .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.cRLSign))
                 .build(thisAcSigner);
             //lets convert to X509Certificate
             acCertCrl = convert(certH);
             //And create the CRL
             X509CRLHolder crlH = new X509v2CRLBuilder(acSubject, notBefore).setNextUpdate(notAfter).build(caCrlSigner);
             //lets convert to X509CRL
             crl = convert(crlH);
         }

         /**
          * Creates a child certificate
          */
         public X509Certificate makeNewCert()
             throws Exception
         {
             //private key doesn't matter for the test
             PublicKey publicKey = kpg.generateKeyPair().getPublic();
             //Validity
             GregorianCalendar gc = new GregorianCalendar();
             Date notBefore = gc.getTime();
             gc.add(GregorianCalendar.DAY_OF_YEAR, 1);
             Date notAfter = gc.getTime();
             //serial
             BigInteger certSerial = BigInteger.valueOf(counter++);
             //Distinct name based on the serial
             X500Name subject = new X500Name("CN=EU_" + certSerial.toString());
             //End user certificate, not allowed to do anything
             X509CertificateHolder enUserCertH = new X509v3CertificateBuilder(
                 acSubject, certSerial, notBefore, notAfter, subject, getPublicKeyInfo(publicKey))
                 .addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
                 .addExtension(Extension.keyUsage, true, new KeyUsage(0))
                 .build(caCertSigner);

             //lets convert to X509Certificate
             return convert(enUserCertH);
         }


         /**
          * convert to X509Certificate
          */
         static X509Certificate convert(X509CertificateHolder h)
             throws Exception
         {
             return new JcaX509CertificateConverter().getCertificate(h);
         }

         /**
          * convert to X509CRL
          */
         static X509CRL convert(X509CRLHolder h)
             throws Exception
         {
             return new JcaX509CRLConverter().getCRL(h);
         }

         /**
          * convert to SubjectPublicKeyInfo
          */
         static SubjectPublicKeyInfo getPublicKeyInfo(PublicKey k)
             throws Exception
         {
             return SubjectPublicKeyInfo.getInstance(k.getEncoded());
         }
     }

     public static void main(String[] args)
     {
         runTest(new CertPathLoopTest());
     }
 }
	package org.bouncycastle.cert.test;

	import java.math.BigInteger;
	import java.security.InvalidAlgorithmParameterException;
	import java.security.KeyPair;
	import java.security.KeyPairGenerator;
	import java.security.NoSuchAlgorithmException;
	import java.security.PublicKey;
	import java.security.Security;
	import java.security.cert.CertPathBuilder;
	import java.security.cert.CertPathBuilderException;
	import java.security.cert.CertPathBuilderResult;
	import java.security.cert.CertStore;
	import java.security.cert.CertStoreParameters;
	import java.security.cert.CollectionCertStoreParameters;
	import java.security.cert.PKIXBuilderParameters;
	import java.security.cert.TrustAnchor;
	import java.security.cert.X509CRL;
	import java.security.cert.X509CertSelector;
	import java.security.cert.X509Certificate;
	import java.util.ArrayList;
	import java.util.Collection;
	import java.util.Collections;
	import java.util.Date;
	import java.util.GregorianCalendar;
	import java.util.HashSet;
	import java.util.List;
	import java.util.Set;

	import org.bouncycastle.asn1.x500.X500Name;
	import org.bouncycastle.asn1.x509.BasicConstraints;
	import org.bouncycastle.asn1.x509.Extension;
	import org.bouncycastle.asn1.x509.KeyUsage;
	import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
	import org.bouncycastle.cert.X509CRLHolder;
	import org.bouncycastle.cert.X509CertificateHolder;
	import org.bouncycastle.cert.X509v2CRLBuilder;
	import org.bouncycastle.cert.X509v3CertificateBuilder;
	import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
	import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
	import org.bouncycastle.jce.provider.BouncyCastleProvider;
	import org.bouncycastle.operator.ContentSigner;
	import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
	import org.bouncycastle.util.test.SimpleTest;


	/**
	* BC bug test case.
	*/
	public class CertPathLoopTest
	extends SimpleTest
	{
	/**
	* List of trust anchors
	*/
	private static Set<TrustAnchor> taSet;
	/**
	* List of certificates and CRLs
	*/
	private static List<Object> otherList;

	/**
	* Asks the user about the configuration he want's to test
	*
	* @param caA
	* @param caB
	*/
	private static void checkUseDistinctCAs(CA caA, CA caB)
	{
	//Standard configuration : everything in caA
	taSet = new HashSet<TrustAnchor>();
	taSet.add(caA.ta);
	otherList = new ArrayList<Object>();
	otherList.add(caA.acCertCrl);
	otherList.add(caA.crl);
	//User specified configuration : parts of caB

	taSet.add(caB.ta);
	otherList.add(caB.acCertCrl);
	otherList.add(caB.crl);
	}

	/**
	* Creates a collection cert store
	*/
	static CertStore getStore(Collection col)
	throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
	{
	CertStoreParameters csp = new CollectionCertStoreParameters(col);
	return CertStore.getInstance("Collection", csp);
	}

	public String getName()
	{
	return "CertPath Loop Test";
	}

	public void performTest()
	throws Exception
	{
	//Add the provider
	Security.addProvider(new BouncyCastleProvider());
	//Generate two Cert authorities
	CA caA = new CA();
	CA caB = new CA();
	//Ask the user the conf he want's to test
	checkUseDistinctCAs(caA, caB);

	//Let's create a target cert under caA
	X509CertSelector target = new X509CertSelector();
	target.setCertificate(caA.makeNewCert());
	//create control parameters
	PKIXBuilderParameters params = new PKIXBuilderParameters(taSet, target);
	params.addCertStore(getStore(Collections.singleton(target.getCertificate())));
	params.addCertStore(getStore(otherList));
	//enable revocation check
	params.setRevocationEnabled(true);

	//Lets Build the path
	try
	{
	CertPathBuilderResult cpbr = CertPathBuilder.getInstance("PKIX", "BC").build(params);

	fail("invalid path build");
	}
	catch (CertPathBuilderException e)
	{
	if (!e.getCause().getMessage().equals("CertPath for CRL signer failed to validate."))
	{
	fail("Exception thrown, but wrong one", e.getCause());
	}
	}
	}

	/**
	* Class simulating a certification authority
	*/
	private static class CA
	{
	/**
	* key pair generator
	*/
	final static KeyPairGenerator kpg;

	static
	{
	try
	{
	kpg = KeyPairGenerator.getInstance("RSA");
	//Key size doesn't matter, smaller == Faster
	kpg.initialize(512);
	}
	catch (NoSuchAlgorithmException e)
	{
	throw new RuntimeException(e);
	}
	}

	/**
	* KeyPair signing certificates
	*/
	private KeyPair caCertKp;
	/**
	* KeyPair signing CRLs
	*/
	private KeyPair caCrlKp;
	TrustAnchor ta;
	/**
	* Subject of this CA
	*/
	X500Name acSubject;
	/**
	* Certificate signing certificates
	*/
	X509Certificate acCertAc;
	/**
	* Certificate signing CRLs
	*/
	X509Certificate acCertCrl;
	/**
	* the CRL
	*/
	X509CRL crl;
	/**
	* Signers
	*/
	private ContentSigner caCrlSigner, caCertSigner;
	/**
	* Serial number counter
	*/
	private int counter = 1;

	/**
	* Constructor
	*/
	public CA()
	throws Exception
	{
	//Init both keypairs
	caCertKp = kpg.generateKeyPair();
	caCrlKp = kpg.generateKeyPair();
	//subject
	acSubject = new X500Name("CN=AC_0");
	//validity
	GregorianCalendar gc = new GregorianCalendar();
	Date notBefore = gc.getTime();
	gc.add(GregorianCalendar.DAY_OF_YEAR, 1);
	Date notAfter = gc.getTime();
	//first signer
	caCertSigner = new JcaContentSignerBuilder("SHA1withRSA").build(caCertKp.getPrivate());
	//top level : issuer is self
	X500Name issuer = acSubject;
	//reserved for future use (another test case)
	ContentSigner thisAcSigner = caCertSigner;
	//reserved for future use (another test case)
	//First certificate: Certificate authority (BasicConstraints=true) but not CRLSigner
	X509CertificateHolder certH = new X509v3CertificateBuilder(
	issuer, BigInteger.valueOf(counter++), notBefore, notAfter, acSubject, getPublicKeyInfo(caCertKp.getPublic()))
	.addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
	.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign))
	.build(thisAcSigner);
	//lets convert to X509Certificate
	acCertAc = convert(certH);
	//and build a trust Anchor
	ta = new TrustAnchor(acCertAc, null);

	//Second signer
	caCrlSigner = new JcaContentSignerBuilder("SHA1withRSA").build(caCrlKp.getPrivate());
	//second certificate: CRLSigner but not Certificate authority (BasicConstraints=false)
	certH = new X509v3CertificateBuilder(
	issuer, BigInteger.valueOf(counter++), notBefore, notAfter, acSubject, getPublicKeyInfo(caCrlKp.getPublic()))
	.addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
	.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.cRLSign))
	.build(thisAcSigner);
	//lets convert to X509Certificate
	acCertCrl = convert(certH);
	//And create the CRL
	X509CRLHolder crlH = new X509v2CRLBuilder(acSubject, notBefore).setNextUpdate(notAfter).build(caCrlSigner);
	//lets convert to X509CRL
	crl = convert(crlH);
	}

	/**
	* Creates a child certificate
	*/
	public X509Certificate makeNewCert()
	throws Exception
	{
	//private key doesn't matter for the test
	PublicKey publicKey = kpg.generateKeyPair().getPublic();
	//Validity
	GregorianCalendar gc = new GregorianCalendar();
	Date notBefore = gc.getTime();
	gc.add(GregorianCalendar.DAY_OF_YEAR, 1);
	Date notAfter = gc.getTime();
	//serial
	BigInteger certSerial = BigInteger.valueOf(counter++);
	//Distinct name based on the serial
	X500Name subject = new X500Name("CN=EU_" + certSerial.toString());
	//End user certificate, not allowed to do anything
	X509CertificateHolder enUserCertH = new X509v3CertificateBuilder(
	acSubject, certSerial, notBefore, notAfter, subject, getPublicKeyInfo(publicKey))
	.addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
	.addExtension(Extension.keyUsage, true, new KeyUsage(0))
	.build(caCertSigner);

	//lets convert to X509Certificate
	return convert(enUserCertH);
	}


	/**
	* convert to X509Certificate
	*/
	static X509Certificate convert(X509CertificateHolder h)
	throws Exception
	{
	return new JcaX509CertificateConverter().getCertificate(h);
	}

	/**
	* convert to X509CRL
	*/
	static X509CRL convert(X509CRLHolder h)
	throws Exception
	{
	return new JcaX509CRLConverter().getCRL(h);
	}

	/**
	* convert to SubjectPublicKeyInfo
	*/
	static SubjectPublicKeyInfo getPublicKeyInfo(PublicKey k)
	throws Exception
	{
	return SubjectPublicKeyInfo.getInstance(k.getEncoded());
	}
	}

	public static void main(String[] args)
	{
	runTest(new CertPathLoopTest());
	}
	}