diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java deleted file mode 100644 index ba008c68cdc..00000000000 --- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java +++ /dev/null @@ -1,292 +0,0 @@ -/* - * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -import java.io.*; -import java.math.BigInteger; -import java.security.*; -import java.security.cert.*; -import java.time.*; -import java.util.*; -import javax.net.ssl.*; -import sun.security.validator.Validator; -import sun.security.validator.ValidatorException; - -import jdk.test.lib.security.SecurityUtils; - -/** - * @test - * @bug 8207258 8216280 - * @summary Check that TLS Server certificates chaining back to distrusted - * Symantec roots are invalid - * @library /test/lib - * @modules java.base/sun.security.validator - * @run main/othervm Distrust after policyOn invalid - * @run main/othervm Distrust after policyOff valid - * @run main/othervm Distrust before policyOn valid - * @run main/othervm Distrust before policyOff valid - */ - -public class Distrust { - - private static final String TEST_SRC = System.getProperty("test.src", "."); - private static CertificateFactory cf; - - // Each of the roots have a test certificate chain stored in a file - // named "-chain.pem". - private static String[] rootsToTest = new String[] { - "geotrustprimarycag2", "geotrustprimarycag3", - "geotrustuniversalca", "thawteprimaryrootca", "thawteprimaryrootcag2", - "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca", - "verisignclass3g5ca", "verisignuniversalrootca" }; - - // Each of the subCAs with a delayed distrust date have a test certificate - // chain stored in a file named "-chain.pem". - private static String[] subCAsToTest = new String[]{"appleistca8g1"}; - - // A date that is after the restrictions take affect - private static final Date APRIL_17_2019 = - Date.from(LocalDate.of(2019, 4, 17) - .atStartOfDay(ZoneOffset.UTC) - .toInstant()); - - // A date that is a second before the restrictions take affect - private static final Date BEFORE_APRIL_17_2019 = - Date.from(LocalDate.of(2019, 4, 17) - .atStartOfDay(ZoneOffset.UTC) - .minusSeconds(1) - .toInstant()); - - // A date that is after the subCA restrictions take affect - private static final Date JANUARY_1_2020 = - Date.from(LocalDate.of(2020, 1, 1) - .atStartOfDay(ZoneOffset.UTC) - .toInstant()); - - // A date that is a second before the subCA restrictions take affect - private static final Date BEFORE_JANUARY_1_2020 = - Date.from(LocalDate.of(2020, 1, 1) - .atStartOfDay(ZoneOffset.UTC) - .minusSeconds(1) - .toInstant()); - - public static void main(String[] args) throws Exception { - - cf = CertificateFactory.getInstance("X.509"); - - boolean before = args[0].equals("before"); - boolean policyOn = args[1].equals("policyOn"); - boolean isValid = args[2].equals("valid"); - - if (!policyOn) { - // disable policy (default is on) - Security.setProperty("jdk.security.caDistrustPolicies", ""); - } - - Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019; - - X509TrustManager pkixTM = getTMF("PKIX", null); - X509TrustManager sunX509TM = getTMF("SunX509", null); - for (String test : rootsToTest) { - System.err.println("Testing " + test); - X509Certificate[] chain = loadCertificateChain(test); - - testTM(sunX509TM, chain, notBefore, isValid); - testTM(pkixTM, chain, notBefore, isValid); - } - - // test chain if params are passed to TrustManager - System.err.println("Testing verisignuniversalrootca with params"); - testTM(getTMF("PKIX", getParams()), - loadCertificateChain("verisignuniversalrootca"), - notBefore, isValid); - - // test code-signing chain (should be valid as restrictions don't apply) - System.err.println("Testing verisignclass3g5ca code-signing chain"); - Validator v = Validator.getInstance(Validator.TYPE_PKIX, - Validator.VAR_CODE_SIGNING, - getParams()); - // set validation date so this will still pass when cert expires - v.setValidationDate(new Date(1544197375493l)); - v.validate(loadCertificateChain("verisignclass3g5ca-codesigning")); - - // test chains issued through subCAs - notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020; - for (String test : subCAsToTest) { - System.err.println("Testing " + test); - X509Certificate[] chain = loadCertificateChain(test); - - testTM(sunX509TM, chain, notBefore, isValid); - testTM(pkixTM, chain, notBefore, isValid); - } - } - - private static X509TrustManager getTMF(String type, - PKIXBuilderParameters params) throws Exception { - TrustManagerFactory tmf = TrustManagerFactory.getInstance(type); - if (params == null) { - tmf.init((KeyStore)null); - } else { - tmf.init(new CertPathTrustManagerParameters(params)); - } - TrustManager[] tms = tmf.getTrustManagers(); - for (TrustManager tm : tms) { - X509TrustManager xtm = (X509TrustManager)tm; - return xtm; - } - throw new Exception("No TrustManager for " + type); - } - - private static PKIXBuilderParameters getParams() throws Exception { - PKIXBuilderParameters pbp = - new PKIXBuilderParameters(SecurityUtils.getCacertsKeyStore(), - new X509CertSelector()); - pbp.setRevocationEnabled(false); - return pbp; - } - - private static void testTM(X509TrustManager xtm, X509Certificate[] chain, - Date notBefore, boolean valid) throws Exception { - // Check if TLS Server certificate (the first element of the chain) - // is issued after the specified notBefore date (should be rejected - // unless distrust property is false). To do this, we need to - // fake the notBefore date since none of the test certs are issued - // after then. - chain[0] = new DistrustedTLSServerCert(chain[0], notBefore); - - try { - xtm.checkServerTrusted(chain, "ECDHE_RSA"); - if (!valid) { - throw new Exception("chain should be invalid"); - } - } catch (CertificateException ce) { - // expired TLS certificates should not be treated as failure - if (expired(ce)) { - System.err.println("Test is N/A, chain is expired"); - return; - } - if (valid) { - throw new Exception("Unexpected exception, chain " + - "should be valid", ce); - } - if (ce instanceof ValidatorException) { - ValidatorException ve = (ValidatorException)ce; - if (ve.getErrorType() != ValidatorException.T_UNTRUSTED_CERT) { - ce.printStackTrace(System.err); - throw new Exception("Unexpected exception: " + ce); - } - } else { - throw new Exception("Unexpected exception: " + ce); - } - } - } - - // check if a cause of exception is an expired cert - private static boolean expired(CertificateException ce) { - if (ce instanceof CertificateExpiredException) { - return true; - } - Throwable t = ce.getCause(); - while (t != null) { - if (t instanceof CertificateExpiredException) { - return true; - } - t = t.getCause(); - } - return false; - } - - private static X509Certificate[] loadCertificateChain(String name) - throws Exception { - try (InputStream in = new FileInputStream(TEST_SRC + File.separator + - name + "-chain.pem")) { - Collection certs = - (Collection)cf.generateCertificates(in); - return certs.toArray(new X509Certificate[0]); - } - } - - private static class DistrustedTLSServerCert extends X509Certificate { - private final X509Certificate cert; - private final Date notBefore; - DistrustedTLSServerCert(X509Certificate cert, Date notBefore) { - this.cert = cert; - this.notBefore = notBefore; - } - public Set getCriticalExtensionOIDs() { - return cert.getCriticalExtensionOIDs(); - } - public byte[] getExtensionValue(String oid) { - return cert.getExtensionValue(oid); - } - public Set getNonCriticalExtensionOIDs() { - return cert.getNonCriticalExtensionOIDs(); - } - public boolean hasUnsupportedCriticalExtension() { - return cert.hasUnsupportedCriticalExtension(); - } - public void checkValidity() throws CertificateExpiredException, - CertificateNotYetValidException { - // always pass - } - public void checkValidity(Date date) throws CertificateExpiredException, - CertificateNotYetValidException { - // always pass - } - public int getVersion() { return cert.getVersion(); } - public BigInteger getSerialNumber() { return cert.getSerialNumber(); } - public Principal getIssuerDN() { return cert.getIssuerDN(); } - public Principal getSubjectDN() { return cert.getSubjectDN(); } - public Date getNotBefore() { return notBefore; } - public Date getNotAfter() { return cert.getNotAfter(); } - public byte[] getTBSCertificate() throws CertificateEncodingException { - return cert.getTBSCertificate(); - } - public byte[] getSignature() { return cert.getSignature(); } - public String getSigAlgName() { return cert.getSigAlgName(); } - public String getSigAlgOID() { return cert.getSigAlgOID(); } - public byte[] getSigAlgParams() { return cert.getSigAlgParams(); } - public boolean[] getIssuerUniqueID() { - return cert.getIssuerUniqueID(); - } - public boolean[] getSubjectUniqueID() { - return cert.getSubjectUniqueID(); - } - public boolean[] getKeyUsage() { return cert.getKeyUsage(); } - public int getBasicConstraints() { return cert.getBasicConstraints(); } - public byte[] getEncoded() throws CertificateEncodingException { - return cert.getEncoded(); - } - public void verify(PublicKey key) throws CertificateException, - InvalidKeyException, NoSuchAlgorithmException, - NoSuchProviderException, SignatureException { - cert.verify(key); - } - public void verify(PublicKey key, String sigProvider) throws - CertificateException, InvalidKeyException, NoSuchAlgorithmException, - NoSuchProviderException, SignatureException { - cert.verify(key, sigProvider); - } - public PublicKey getPublicKey() { return cert.getPublicKey(); } - public String toString() { return cert.toString(); } - } -} diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Distrust.java similarity index 54% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Distrust.java index 1c1fcee3609..18178f65ec1 100644 --- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java +++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Distrust.java @@ -25,7 +25,7 @@ import java.math.BigInteger; import java.security.*; import java.security.cert.*; -import java.time.*; +import java.time.ZonedDateTime; import java.util.*; import javax.net.ssl.*; import sun.security.validator.Validator; @@ -34,95 +34,80 @@ import jdk.test.lib.security.SecurityUtils; /** - * @test - * @bug 8337664 8341059 - * @summary Check that TLS Server certificates chaining back to distrusted - * Entrust roots are invalid - * @library /test/lib - * @modules java.base/sun.security.validator - * @run main/othervm Distrust after policyOn invalid - * @run main/othervm Distrust after policyOff valid - * @run main/othervm Distrust before policyOn valid - * @run main/othervm Distrust before policyOff valid + * Helper class that provides methods to facilitate testing of distrusted roots. */ - -public class Distrust { +public final class Distrust { private static final String TEST_SRC = System.getProperty("test.src", "."); private static CertificateFactory cf; - // Each of the roots have a test certificate chain stored in a file - // named "-chain.pem". - private static String[] rootsToTest = new String[] { - "entrustevca", "entrustrootcaec1", "entrustrootcag2", "entrustrootcag4", - "entrust2048ca", "affirmtrustcommercialca", "affirmtrustnetworkingca", - "affirmtrustpremiumca", "affirmtrustpremiumeccca" }; - - // A date that is after the restrictions take effect - private static final Date NOVEMBER_12_2024 = - Date.from(LocalDate.of(2024, 11, 12) - .atStartOfDay(ZoneOffset.UTC) - .toInstant()); - - // A date that is a second before the restrictions take effect - private static final Date BEFORE_NOVEMBER_12_2024 = - Date.from(LocalDate.of(2024, 11, 12) - .atStartOfDay(ZoneOffset.UTC) - .minusSeconds(1) - .toInstant()); - - public static void main(String[] args) throws Exception { + private final boolean before; + private final boolean policyOn; + private final boolean isValid; - cf = CertificateFactory.getInstance("X.509"); - - boolean before = args[0].equals("before"); - boolean policyOn = args[1].equals("policyOn"); - boolean isValid = args[2].equals("valid"); + public Distrust(String[] args) { + before = args[0].equals("before"); + policyOn = args[1].equals("policyOn"); + isValid = args[2].equals("valid"); if (!policyOn) { // disable policy (default is on) Security.setProperty("jdk.security.caDistrustPolicies", ""); } + } + + public Date getNotBefore(ZonedDateTime distrustDate) { + ZonedDateTime notBefore = before ? distrustDate.minusSeconds(1) : distrustDate; + return Date.from(notBefore.toInstant()); + } - Date notBefore = before ? BEFORE_NOVEMBER_12_2024 : NOVEMBER_12_2024; + public void testCodeSigningChain(String certPath, String name, Date validationDate) + throws Exception { + System.err.println("Testing " + name + " code-signing chain"); + Validator v = Validator.getInstance(Validator.TYPE_PKIX, + Validator.VAR_CODE_SIGNING, + getParams()); + // set validation date so this will still pass when cert expires + v.setValidationDate(validationDate); + v.validate(loadCertificateChain(certPath, name)); + } - X509TrustManager pkixTM = getTMF("PKIX", null); - X509TrustManager sunX509TM = getTMF("SunX509", null); - for (String test : rootsToTest) { + public void testCertificateChain(String certPath, Date notBefore, X509TrustManager[] tms, + String... tests) throws Exception { + for (String test : tests) { System.err.println("Testing " + test); - X509Certificate[] chain = loadCertificateChain(test); + X509Certificate[] chain = loadCertificateChain(certPath, test); - testTM(sunX509TM, chain, notBefore, isValid); - testTM(pkixTM, chain, notBefore, isValid); + for (X509TrustManager tm : tms) { + testTM(tm, chain, notBefore, isValid); + } } } - private static X509TrustManager getTMF(String type, - PKIXBuilderParameters params) throws Exception { + public X509TrustManager getTMF(String type, PKIXBuilderParameters params) throws Exception { TrustManagerFactory tmf = TrustManagerFactory.getInstance(type); if (params == null) { - tmf.init((KeyStore)null); + tmf.init((KeyStore) null); } else { tmf.init(new CertPathTrustManagerParameters(params)); } TrustManager[] tms = tmf.getTrustManagers(); for (TrustManager tm : tms) { - X509TrustManager xtm = (X509TrustManager)tm; - return xtm; + return (X509TrustManager) tm; } - throw new Exception("No TrustManager for " + type); + throw new RuntimeException("No TrustManager for " + type); } - private static PKIXBuilderParameters getParams() throws Exception { + public PKIXBuilderParameters getParams() throws Exception { PKIXBuilderParameters pbp = - new PKIXBuilderParameters(SecurityUtils.getCacertsKeyStore(), - new X509CertSelector()); + new PKIXBuilderParameters(SecurityUtils.getCacertsKeyStore(), + new X509CertSelector()); pbp.setRevocationEnabled(false); return pbp; } - private static void testTM(X509TrustManager xtm, X509Certificate[] chain, - Date notBefore, boolean valid) throws Exception { + public void testTM(X509TrustManager xtm, X509Certificate[] chain, + Date notBefore, boolean valid) { // Check if TLS Server certificate (the first element of the chain) // is issued after the specified notBefore date (should be rejected // unless distrust property is false). To do this, we need to @@ -130,67 +115,54 @@ private static void testTM(X509TrustManager xtm, X509Certificate[] chain, // after then. chain[0] = new DistrustedTLSServerCert(chain[0], notBefore); + // Wrap the intermediate and root CA certs in NonExpiringTLSServerCert + // so it will never throw a CertificateExpiredException + for (int i = 1; i < chain.length; i++) { + chain[i] = new NonExpiringTLSServerCert(chain[i]); + } + try { xtm.checkServerTrusted(chain, "ECDHE_RSA"); if (!valid) { - throw new Exception("chain should be invalid"); + throw new RuntimeException("chain should be invalid"); } } catch (CertificateException ce) { - // expired TLS certificates should not be treated as failure - if (expired(ce)) { - System.err.println("Test is N/A, chain is expired"); - return; - } if (valid) { - throw new Exception("Unexpected exception, chain " + - "should be valid", ce); + throw new RuntimeException("Unexpected exception, chain " + + "should be valid", ce); } if (ce instanceof ValidatorException) { - ValidatorException ve = (ValidatorException)ce; + ValidatorException ve = (ValidatorException) ce; if (ve.getErrorType() != ValidatorException.T_UNTRUSTED_CERT) { ce.printStackTrace(System.err); - throw new Exception("Unexpected exception: " + ce); + throw new RuntimeException("Unexpected exception: " + ce); } } else { - throw new Exception("Unexpected exception: " + ce); + throw new RuntimeException(ce); } } } - // check if a cause of exception is an expired cert - private static boolean expired(CertificateException ce) { - if (ce instanceof CertificateExpiredException) { - return true; - } - Throwable t = ce.getCause(); - while (t != null) { - if (t instanceof CertificateExpiredException) { - return true; - } - t = t.getCause(); - } - return false; - } - - private static X509Certificate[] loadCertificateChain(String name) + private X509Certificate[] loadCertificateChain(String certPath, String name) throws Exception { - try (InputStream in = new FileInputStream(TEST_SRC + File.separator + - name + "-chain.pem")) { + if (cf == null) { + cf = CertificateFactory.getInstance("X.509"); + } + try (InputStream in = new FileInputStream(TEST_SRC + File.separator + certPath + + File.separator + name + "-chain.pem")) { Collection certs = - (Collection)cf.generateCertificates(in); + (Collection) cf.generateCertificates(in); return certs.toArray(new X509Certificate[0]); } } - private static class DistrustedTLSServerCert extends X509Certificate { + private static class NonExpiringTLSServerCert extends X509Certificate { private final X509Certificate cert; - private final Date notBefore; - DistrustedTLSServerCert(X509Certificate cert, Date notBefore) { + NonExpiringTLSServerCert(X509Certificate cert) { this.cert = cert; - this.notBefore = notBefore; } public Set getCriticalExtensionOIDs() { - return cert.getCriticalExtensionOIDs(); + return cert.getCriticalExtensionOIDs(); } public byte[] getExtensionValue(String oid) { return cert.getExtensionValue(oid); @@ -201,19 +173,17 @@ public Set getNonCriticalExtensionOIDs() { public boolean hasUnsupportedCriticalExtension() { return cert.hasUnsupportedCriticalExtension(); } - public void checkValidity() throws CertificateExpiredException, - CertificateNotYetValidException { + public void checkValidity() { // always pass } - public void checkValidity(Date date) throws CertificateExpiredException, - CertificateNotYetValidException { + public void checkValidity(Date date) { // always pass } public int getVersion() { return cert.getVersion(); } public BigInteger getSerialNumber() { return cert.getSerialNumber(); } public Principal getIssuerDN() { return cert.getIssuerDN(); } public Principal getSubjectDN() { return cert.getSubjectDN(); } - public Date getNotBefore() { return notBefore; } + public Date getNotBefore() { return cert.getNotBefore(); } public Date getNotAfter() { return cert.getNotAfter(); } public byte[] getTBSCertificate() throws CertificateEncodingException { return cert.getTBSCertificate(); @@ -234,16 +204,25 @@ public byte[] getEncoded() throws CertificateEncodingException { return cert.getEncoded(); } public void verify(PublicKey key) throws CertificateException, - InvalidKeyException, NoSuchAlgorithmException, - NoSuchProviderException, SignatureException { + InvalidKeyException, NoSuchAlgorithmException, + NoSuchProviderException, SignatureException { cert.verify(key); } public void verify(PublicKey key, String sigProvider) throws - CertificateException, InvalidKeyException, NoSuchAlgorithmException, - NoSuchProviderException, SignatureException { + CertificateException, InvalidKeyException, NoSuchAlgorithmException, + NoSuchProviderException, SignatureException { cert.verify(key, sigProvider); } public PublicKey getPublicKey() { return cert.getPublicKey(); } public String toString() { return cert.toString(); } } + + private static class DistrustedTLSServerCert extends NonExpiringTLSServerCert { + private final Date notBefore; + DistrustedTLSServerCert(X509Certificate cert, Date notBefore) { + super(cert); + this.notBefore = notBefore; + } + public Date getNotBefore() { return notBefore; } + } } diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java new file mode 100644 index 00000000000..958e67ebd59 --- /dev/null +++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Entrust.java @@ -0,0 +1,68 @@ +/* + * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.File; +import java.time.*; +import java.util.*; +import javax.net.ssl.*; + +/** + * @test + * @bug 8337664 + * @summary Check that TLS Server certificates chaining back to distrusted + * Entrust roots are invalid + * @library /test/lib + * @modules java.base/sun.security.validator + * @run main/othervm Entrust after policyOn invalid + * @run main/othervm Entrust after policyOff valid + * @run main/othervm Entrust before policyOn valid + * @run main/othervm Entrust before policyOff valid + */ + +public class Entrust { + + private static final String certPath = "chains" + File.separator + "entrust"; + + // Each of the roots have a test certificate chain stored in a file + // named "-chain.pem". + private static String[] rootsToTest = new String[]{ + "entrustevca", "entrustrootcaec1", "entrustrootcag2", "entrustrootcag4", + "entrust2048ca", "affirmtrustcommercialca", "affirmtrustnetworkingca", + "affirmtrustpremiumca", "affirmtrustpremiumeccca"}; + + // Date when the restrictions take effect + private static final ZonedDateTime DISTRUST_DATE = + LocalDate.of(2024, 11, 12).atStartOfDay(ZoneOffset.UTC); + + public static void main(String[] args) throws Exception { + Distrust distrust = new Distrust(args); + + X509TrustManager[] tms = new X509TrustManager[]{ + distrust.getTMF("PKIX", null), + distrust.getTMF("SunX509", null) + }; + + Date notBefore = distrust.getNotBefore(DISTRUST_DATE); + distrust.testCertificateChain(certPath, notBefore, tms, rootsToTest); + } +} diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Symantec.java b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Symantec.java new file mode 100644 index 00000000000..4e099a8de8d --- /dev/null +++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/Symantec.java @@ -0,0 +1,95 @@ +/* + * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import javax.net.ssl.X509TrustManager; +import java.io.File; +import java.time.*; +import java.util.*; + + +/** + * @test + * @bug 8207258 8216280 + * @summary Check that TLS Server certificates chaining back to distrusted + * Symantec roots are invalid + * @library /test/lib + * @modules java.base/sun.security.validator + * @run main/othervm Symantec after policyOn invalid + * @run main/othervm Symantec after policyOff valid + * @run main/othervm Symantec before policyOn valid + * @run main/othervm Symantec before policyOff valid + */ + +public class Symantec { + + private static final String certPath = "chains" + File.separator + "symantec"; + + // Each of the roots have a test certificate chain stored in a file + // named "-chain.pem". + private static final String[] rootsToTest = new String[]{ + "geotrustprimarycag2", "geotrustprimarycag3", "geotrustuniversalca", + "thawteprimaryrootca", "thawteprimaryrootcag2", "thawteprimaryrootcag3", + "verisignclass3g3ca", "verisignclass3g4ca", "verisignclass3g5ca", + "verisignuniversalrootca" + }; + + // Each of the subCAs with a delayed distrust date have a test certificate + // chain stored in a file named "-chain.pem". + private static String[] subCAsToTest = new String[]{"appleistca8g1"}; + + // Date when the restrictions take effect + private static final ZonedDateTime ROOTS_DISTRUST_DATE = + LocalDate.of(2019, 4, 17).atStartOfDay(ZoneOffset.UTC); + + // Date when the subCA restrictions take effect + private static final ZonedDateTime SUBCA_DISTRUST_DATE = + LocalDate.of(2020, 1, 1).atStartOfDay(ZoneOffset.UTC); + + public static void main(String[] args) throws Exception { + Distrust distrust = new Distrust(args); + X509TrustManager[] tms = new X509TrustManager[]{ + distrust.getTMF("PKIX", null), + distrust.getTMF("SunX509", null) + }; + + // test chains issued through roots + Date notBefore = distrust.getNotBefore(ROOTS_DISTRUST_DATE); + distrust.testCertificateChain(certPath, notBefore, tms, rootsToTest); + + // test chain if params are passed to TrustManager + System.err.println("Testing verisignuniversalrootca with params"); + X509TrustManager[] tmsParams = new X509TrustManager[]{ + distrust.getTMF("PKIX", distrust.getParams()) + }; + distrust.testCertificateChain(certPath, notBefore, tmsParams, + "verisignuniversalrootca"); + + // test code-signing chain (should be valid as restrictions don't apply) + Date validationDate = new Date(1544197375493L); + distrust.testCodeSigningChain(certPath, "verisignclass3g5ca-codesigning", validationDate); + + // test chains issued through subCAs + notBefore = distrust.getNotBefore(SUBCA_DISTRUST_DATE); + distrust.testCertificateChain(certPath, notBefore, tms, subCAsToTest); + } +} diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustcommercialca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustcommercialca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustcommercialca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustcommercialca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustnetworkingca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustnetworkingca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustnetworkingca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustnetworkingca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustpremiumca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustpremiumca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustpremiumca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustpremiumca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustpremiumeccca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustpremiumeccca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/affirmtrustpremiumeccca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/affirmtrustpremiumeccca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrust2048ca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrust2048ca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrust2048ca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrust2048ca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustevca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustevca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustevca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustevca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustrootcaec1-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustrootcaec1-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustrootcaec1-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustrootcaec1-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustrootcag2-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustrootcag2-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustrootcag2-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustrootcag2-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustrootcag4-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustrootcag4-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/entrustrootcag4-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/entrust/entrustrootcag4-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca8g1-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/appleistca8g1-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca8g1-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/appleistca8g1-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/geotrustprimarycag2-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/geotrustprimarycag2-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/geotrustprimarycag2-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/geotrustprimarycag2-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/geotrustprimarycag3-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/geotrustprimarycag3-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/geotrustprimarycag3-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/geotrustprimarycag3-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/geotrustuniversalca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/geotrustuniversalca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/geotrustuniversalca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/geotrustuniversalca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/thawteprimaryrootca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/thawteprimaryrootca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/thawteprimaryrootca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/thawteprimaryrootca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/thawteprimaryrootcag2-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/thawteprimaryrootcag2-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/thawteprimaryrootcag2-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/thawteprimaryrootcag2-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/thawteprimaryrootcag3-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/thawteprimaryrootcag3-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/thawteprimaryrootcag3-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/thawteprimaryrootcag3-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g3ca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g3ca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g3ca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g3ca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g4ca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g4ca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g4ca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g4ca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g5ca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g5ca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g5ca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g5ca-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g5ca-codesigning-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g5ca-codesigning-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignclass3g5ca-codesigning-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignclass3g5ca-codesigning-chain.pem diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignuniversalrootca-chain.pem b/test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignuniversalrootca-chain.pem similarity index 100% rename from test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/verisignuniversalrootca-chain.pem rename to test/jdk/sun/security/ssl/X509TrustManagerImpl/distrust/chains/symantec/verisignuniversalrootca-chain.pem