Merge "Fix CertPathBuilderPKIX test"
diff --git a/luni/src/test/java/tests/targets/security/cert/CertPathBuilderTestPKIX.java b/luni/src/test/java/tests/targets/security/cert/CertPathBuilderTestPKIX.java
index dc49de0..af681dc 100644
--- a/luni/src/test/java/tests/targets/security/cert/CertPathBuilderTestPKIX.java
+++ b/luni/src/test/java/tests/targets/security/cert/CertPathBuilderTestPKIX.java
@@ -15,14 +15,13 @@
  */
 package tests.targets.security.cert;
 
-import java.io.ByteArrayInputStream;
 import java.security.KeyStore;
+import java.security.KeyStore.PrivateKeyEntry;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathParameters;
 import java.security.cert.CertStore;
 import java.security.cert.CertStoreParameters;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.X509CertSelector;
@@ -30,6 +29,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import javax.security.auth.x500.X500Principal;
+import libcore.java.security.TestKeyStore;
 import tests.security.CertPathBuilderTest;
 
 public class CertPathBuilderTestPKIX extends CertPathBuilderTest {
@@ -40,32 +40,26 @@
 
     @Override
     public CertPathParameters getCertPathParameters() throws Exception {
+        TestKeyStore clientAndCa = TestKeyStore.getClientCertificate();
+        PrivateKeyEntry pke = clientAndCa.getPrivateKey("RSA", "RSA");
+        X509Certificate clientCert = (X509Certificate) pke.getCertificate();
+
         KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-
         keyStore.load(null, null);
-
-        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
-
-        X509Certificate selfSignedcertificate =
-                (X509Certificate) certificateFactory.generateCertificate(
-                        new ByteArrayInputStream(selfSignedCert.getBytes()));
-
-        keyStore.setCertificateEntry("selfSignedCert", selfSignedcertificate);
+        keyStore.setCertificateEntry("rootCA", clientAndCa.getRootCertificate("RSA"));
 
         X509CertSelector targetConstraints = new X509CertSelector();
-        targetConstraints.setCertificate(selfSignedcertificate);
+        targetConstraints.setCertificate(clientCert);
 
         List<Certificate> certList = new ArrayList<Certificate>();
-        certList.add(selfSignedcertificate);
-        CertStoreParameters storeParams = new CollectionCertStoreParameters(
-                certList);
-
+        for (Certificate certificate : pke.getCertificateChain()) {
+            certList.add(certificate);
+        }
+        CertStoreParameters storeParams = new CollectionCertStoreParameters(certList);
 
         CertStore certStore = CertStore.getInstance("Collection", storeParams);
 
-
-        PKIXBuilderParameters parameters = new PKIXBuilderParameters(
-                keyStore, targetConstraints);
+        PKIXBuilderParameters parameters = new PKIXBuilderParameters(keyStore, targetConstraints);
         parameters.addCertStore(certStore);
         parameters.setRevocationEnabled(false);
         return parameters;
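Review bot: Nothing in the new setup says why the root CA goes into `keyStore` while the rest of the chain goes into the `CertStore`, and that split is what makes the test meaningful. Only `rootCA` is a trust anchor, so the builder has to find the intermediate in the collection store rather than trusting it outright. This assumes `pke.getCertificateChain()` carries the intermediate, which the path comment in `validateCertPath` suggests but this hunk does not show. I would add `// Trust only the root CA; intermediates must be discovered through the CertStore.` above the `setCertificateEntry` call. It would also help to note beside the unchanged `setRevocationEnabled(false)` that revocation checking is off, presumably because the fixture publishes no CRL or OCSP data. The method's closing brace falls outside the hunk.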
@@ -74,32 +68,19 @@
     @Override
     public void validateCertPath(CertPath path) {
         List<? extends Certificate> certificates = path.getCertificates();
-        Certificate certificate = certificates.get(0);
 
-        assertEquals("unexpected certificate type", "X.509", certificate
-                .getType());
+        // CertPath should not include the Trust Anchor, so the path should be:
+        // [[ end entity <- intermediate CA ]] <- root CA
+        assertEquals(2, certificates.size());
 
-        X509Certificate x509Certificate = (X509Certificate) certificate;
-        X500Principal subjectX500Principal = x509Certificate
-                .getSubjectX500Principal();
+        Certificate endEntityCert = certificates.get(0);
+        assertEquals("Certificate must be of X.509 type", "X.509", endEntityCert.getType());
 
-        X500Principal expectedPrincipal = new X500Principal("CN=Android CTS, "
-                + "OU=Android, O=Android, L=Android, ST=Android, C=AN");
+        X509Certificate endEntityX509Cert = (X509Certificate) endEntityCert;
+        X500Principal endEntityPrincipal = endEntityX509Cert.getSubjectX500Principal();
 
-        assertEquals("unexpected principal", expectedPrincipal,
-                subjectX500Principal);
+        X500Principal expectedPrincipal = new X500Principal("emailAddress=test@user");
+
+        assertEquals(expectedPrincipal, endEntityPrincipal);
     }
-
-    private String selfSignedCert = "-----BEGIN CERTIFICATE-----\n"
-    + "MIICSDCCAbECBEk2ZvswDQYJKoZIhvcNAQEEBQAwazELMAkGA1UEBhMCQU4xEDAOBgNVBAgTB0Fu\n"
-    + "ZHJvaWQxEDAOBgNVBAcTB0FuZHJvaWQxEDAOBgNVBAoTB0FuZHJvaWQxEDAOBgNVBAsTB0FuZHJv\n"
-    + "aWQxFDASBgNVBAMTC0FuZHJvaWQgQ1RTMB4XDTA4MTIwMzExMDExNVoXDTM2MDQyMDExMDExNVow\n"
-    + "azELMAkGA1UEBhMCQU4xEDAOBgNVBAgTB0FuZHJvaWQxEDAOBgNVBAcTB0FuZHJvaWQxEDAOBgNV\n"
-    + "BAoTB0FuZHJvaWQxEDAOBgNVBAsTB0FuZHJvaWQxFDASBgNVBAMTC0FuZHJvaWQgQ1RTMIGfMA0G\n"
-    + "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAMd+N1Bu2eiI4kukOLvFlpTSEHTGplN2vvw76T7jSZinx\n"
-    + "WcrtLe6qH1uPffbVNW4/BRn6OywbcynazEdqEUa09hWtHYmUsXpRPyGUBScNnyF751SGA2JIQUfg\n"
-    + "3gi3gT3h32Z64AIHnn5gsGDJkeWOHx6/uVOV7iqr7cwPdLp03QIDAQABMA0GCSqGSIb3DQEBBAUA\n"
-    + "A4GBAGG46Udsh6U7bSkJsyPPmSCCEkGr14L8F431UuaWbLvQVDtyPv8vtdJilyUTVnlWM6JNGV/q\n"
-    + "bgHuLbohkVXn9l68GtgQ7QDexHJE5hEDG/S7cYNi9GhrCfzAjEed13VMntZHZ0XQ4E7jBOmhcMAY\n"
-    + "DC9BBx1sVKoji17RP4R8CTf1\n" + "-----END CERTIFICATE-----";
 }
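Review bot: The second certificate in the path is never inspected. After `assertEquals(2, certificates.size())` only `certificates.get(0)` is checked, so a builder that returned the right end entity followed by an unrelated certificate would still pass. A chaining assertion closes that gap: `assertEquals(endEntityX509Cert.getIssuerX500Principal(), ((X509Certificate) certificates.get(1)).getSubjectX500Principal());`. The two new `assertEquals` calls for the size and the principal also dropped the failure messages the old code had, so restoring a message such as "unexpected principal" would make a failure easier to read. The literal `"emailAddress=test@user"` presumably mirrors a subject defined inside `TestKeyStore`; a short comment naming that source would help if the fixture ever changes.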