test/jdk/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java - platform/libcore - Git at Google

 /*
  * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.
  *
  * This code is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * version 2 for more details (a copy is included in the LICENSE file that
  * accompanied this code).
  *
  * You should have received a copy of the GNU General Public License version
  * 2 along with this work; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  *
  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */

 /**
  * @test
  * @bug 8023362
  * @run main/othervm OcspUnauthorized
  * @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
  *          SOFT_FAIL option is set
  */

 import java.io.ByteArrayInputStream;
 import java.security.Security;
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.*;
 import java.security.cert.PKIXRevocationChecker.Option;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;

 public class OcspUnauthorized {

     private final static String OCSP_RESPONSE = "MAMKAQY=";

     private final static String EE_CERT =
         "MIICADCCAWmgAwIBAgIEOvxUmjANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJ1czE" +
         "MMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRsYWJzMB4XDTAxMDUxNDIwNDQyMVoXDTI4MD" +
         "kyOTIwNDQyMVowOTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEb" +
         "GFiczENMAsGA1UECxMEaXNyZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4MmP" +
         "GDriFJ+OhDlTuLpHzPy0nawDKyIYUJPZmU9M/pCAUbZewAOyAXGPYVU1og2ZiO9tWBi" +
         "ZBeJGoFHEkkhfeqSVb2PsRckiXvPZ3AiSVmdX0uD/a963abmhRMYB1gDO2+jBe3F/DU" +
         "pHwpyThchy8tYUMh7Gr7+m/8FwZbdbSpMCAwEAAaMkMCIwDwYDVR0PAQH/BAUDAwekA" +
         "DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAME3fmXvES0FVDXSD1iC" +
         "TJLf86kUy3H+uMG7h5pOQmcfF1o9PVWlNByVf4r2b4GRgftPQ3Ao0SAvq1aSkW7YpkN" +
         "pcartYqNk2E5brPajOC0v+Pkxf/g/pkRTT6Zp+9erGQF4Ta62q0iwOyc3FovSbh0Ph2" +
         "WidZRP4qUG5I6JmGkI";

     private final static String TRUST_ANCHOR =
         "MIICIzCCAYygAwIBAgIEOvxT7DANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJ1czE" +
         "MMAoGA1UEChMDc3VuMB4XDTAxMDUxNDIxMDQyOVoXDTI4MDkyOTIxMDQyOVowKjELMA" +
         "kGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEbGFiczCBnzANBgkqhkiG9" +
         "w0BAQEFAAOBjQAwgYkCgYEA0/16V87rhznCM0y7IqyGcfQBentG+PglA+1hiqCuQY/A" +
         "jFiDKr5N+LpcfU28P41E4M+DSDrMIEe4JchRcXeJY6aIVhpOveVV9mgtBaEKlsScrIJ" +
         "zmVqM07PG9JENg2FibECnB5TNUSfVbFKfvtAqaZ7Pc971oZVoIePBWnfKV9kCAwEAAa" +
         "NlMGMwPwYDVR0eAQH/BDUwM6AxMC+kKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1b" +
         "jENMAsGA1UECxMEbGFic4ABAzAPBgNVHQ8BAf8EBQMDB6QAMA8GA1UdEwEB/wQFMAMB" +
         "Af8wDQYJKoZIhvcNAQEEBQADgYEAfJ5HWd7K5PmX0+Vbsux4SYhoaejDwwgS43BRNa+" +
         "AmFq9LIZ+ZcjBMVte8Y3sJF+nz9+1qBaUhNhbaECCqsgmWSwvI+0kUzJXL89k9AdQ8m" +
         "AYf6CB6+kaZQBgrdSdqSGz3tCVa2MIK8wmb0ROM40oJ7vt3qSwgFi3UTltxkFfwQ0=";

     private static CertificateFactory cf;
     private static Base64.Decoder base64Decoder = Base64.getDecoder();

     public static void main(String[] args) throws Exception {
         // EE_CERT is signed with MD5withRSA
         Security.setProperty("jdk.certpath.disabledAlgorithms", "");
         cf = CertificateFactory.getInstance("X.509");
         X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
         X509Certificate eeCert = getX509Cert(EE_CERT);
         CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert));

         CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
         PKIXRevocationChecker prc =
             (PKIXRevocationChecker)cpv.getRevocationChecker();
         prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK));
         byte[] response = base64Decoder.decode(OCSP_RESPONSE);

         prc.setOcspResponses(Collections.singletonMap(eeCert, response));

         TrustAnchor ta = new TrustAnchor(taCert, null);
         PKIXParameters params = new PKIXParameters(Collections.singleton(ta));

         params.addCertPathChecker(prc);

         try {
             cpv.validate(cp, params);
             throw new Exception("FAILED: expected CertPathValidatorException");
         } catch (CertPathValidatorException cpve) {
             cpve.printStackTrace();
             if (cpve.getReason() != BasicReason.UNSPECIFIED &&
                 !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {
                 throw new Exception("FAILED: unexpected " +
                                     "CertPathValidatorException reason");
             }
         }
     }

     private static X509Certificate getX509Cert(String enc) throws Exception {
         byte[] bytes = base64Decoder.decode(enc);
         ByteArrayInputStream is = new ByteArrayInputStream(bytes);
         return (X509Certificate)cf.generateCertificate(is);
     }
 }
	/*
	* Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	/**
	* @test
	* @bug 8023362
	* @run main/othervm OcspUnauthorized
	* @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
	* SOFT_FAIL option is set
	*/

	import java.io.ByteArrayInputStream;
	import java.security.Security;
	import java.security.cert.CertPathValidatorException.BasicReason;
	import java.security.cert.*;
	import java.security.cert.PKIXRevocationChecker.Option;
	import java.util.Base64;
	import java.util.Collections;
	import java.util.EnumSet;

	public class OcspUnauthorized {

	private final static String OCSP_RESPONSE = "MAMKAQY=";

	private final static String EE_CERT =
	"MIICADCCAWmgAwIBAgIEOvxUmjANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJ1czE" +
	"MMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRsYWJzMB4XDTAxMDUxNDIwNDQyMVoXDTI4MD" +
	"kyOTIwNDQyMVowOTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEb" +
	"GFiczENMAsGA1UECxMEaXNyZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4MmP" +
	"GDriFJ+OhDlTuLpHzPy0nawDKyIYUJPZmU9M/pCAUbZewAOyAXGPYVU1og2ZiO9tWBi" +
	"ZBeJGoFHEkkhfeqSVb2PsRckiXvPZ3AiSVmdX0uD/a963abmhRMYB1gDO2+jBe3F/DU" +
	"pHwpyThchy8tYUMh7Gr7+m/8FwZbdbSpMCAwEAAaMkMCIwDwYDVR0PAQH/BAUDAwekA" +
	"DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAME3fmXvES0FVDXSD1iC" +
	"TJLf86kUy3H+uMG7h5pOQmcfF1o9PVWlNByVf4r2b4GRgftPQ3Ao0SAvq1aSkW7YpkN" +
	"pcartYqNk2E5brPajOC0v+Pkxf/g/pkRTT6Zp+9erGQF4Ta62q0iwOyc3FovSbh0Ph2" +
	"WidZRP4qUG5I6JmGkI";

	private final static String TRUST_ANCHOR =
	"MIICIzCCAYygAwIBAgIEOvxT7DANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJ1czE" +
	"MMAoGA1UEChMDc3VuMB4XDTAxMDUxNDIxMDQyOVoXDTI4MDkyOTIxMDQyOVowKjELMA" +
	"kGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEbGFiczCBnzANBgkqhkiG9" +
	"w0BAQEFAAOBjQAwgYkCgYEA0/16V87rhznCM0y7IqyGcfQBentG+PglA+1hiqCuQY/A" +
	"jFiDKr5N+LpcfU28P41E4M+DSDrMIEe4JchRcXeJY6aIVhpOveVV9mgtBaEKlsScrIJ" +
	"zmVqM07PG9JENg2FibECnB5TNUSfVbFKfvtAqaZ7Pc971oZVoIePBWnfKV9kCAwEAAa" +
	"NlMGMwPwYDVR0eAQH/BDUwM6AxMC+kKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1b" +
	"jENMAsGA1UECxMEbGFic4ABAzAPBgNVHQ8BAf8EBQMDB6QAMA8GA1UdEwEB/wQFMAMB" +
	"Af8wDQYJKoZIhvcNAQEEBQADgYEAfJ5HWd7K5PmX0+Vbsux4SYhoaejDwwgS43BRNa+" +
	"AmFq9LIZ+ZcjBMVte8Y3sJF+nz9+1qBaUhNhbaECCqsgmWSwvI+0kUzJXL89k9AdQ8m" +
	"AYf6CB6+kaZQBgrdSdqSGz3tCVa2MIK8wmb0ROM40oJ7vt3qSwgFi3UTltxkFfwQ0=";

	private static CertificateFactory cf;
	private static Base64.Decoder base64Decoder = Base64.getDecoder();

	public static void main(String[] args) throws Exception {
	// EE_CERT is signed with MD5withRSA
	Security.setProperty("jdk.certpath.disabledAlgorithms", "");
	cf = CertificateFactory.getInstance("X.509");
	X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
	X509Certificate eeCert = getX509Cert(EE_CERT);
	CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert));

	CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
	PKIXRevocationChecker prc =
	(PKIXRevocationChecker)cpv.getRevocationChecker();
	prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK));
	byte[] response = base64Decoder.decode(OCSP_RESPONSE);

	prc.setOcspResponses(Collections.singletonMap(eeCert, response));

	TrustAnchor ta = new TrustAnchor(taCert, null);
	PKIXParameters params = new PKIXParameters(Collections.singleton(ta));

	params.addCertPathChecker(prc);

	try {
	cpv.validate(cp, params);
	throw new Exception("FAILED: expected CertPathValidatorException");
	} catch (CertPathValidatorException cpve) {
	cpve.printStackTrace();
	if (cpve.getReason() != BasicReason.UNSPECIFIED &&
	!cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {
	throw new Exception("FAILED: unexpected " +
	"CertPathValidatorException reason");
	}
	}
	}

	private static X509Certificate getX509Cert(String enc) throws Exception {
	byte[] bytes = base64Decoder.decode(enc);
	ByteArrayInputStream is = new ByteArrayInputStream(bytes);
	return (X509Certificate)cf.generateCertificate(is);
	}
	}