34 files changed, 665 insertions, 370 deletions
diff --git a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java index 29682f2a..97ff8051 100644 --- a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java +++ b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java @@ -16,7 +16,7 @@ package org.conscrypt; -import static org.conscrypt.TestUtils.getProtocols; +import static org.conscrypt.TestUtils.getCommonProtocolSuites; import static org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertEquals; @@ -62,7 +62,7 @@ public final class ServerSocketBenchmark { final ChannelType channelType = config.channelType(); server = config.serverFactory().newServer( - channelType, config.messageSize(), getProtocols(), ciphers(config)); + channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config)); server.setMessageProcessor(new MessageProcessor() { @Override public void processMessage(byte[] inMessage, int numBytes, OutputStream os) { @@ -86,7 +86,7 @@ public final class ServerSocketBenchmark { // Always use the same client for consistency across the benchmarks. client = config.clientFactory().newClient( - ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config)); + ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config)); client.start(); // Wait for the initial connection to complete. diff --git a/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java b/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java index ad5b52ab..e77f492c 100644 --- a/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java +++ b/common/src/test/java/org/conscrypt/javax/crypto/CipherTest.java 
@@ -70,6 +70,7 @@ import javax.crypto.spec.PBEParameterSpec; import javax.crypto.spec.PSource; import javax.crypto.spec.SecretKeySpec; import libcore.junit.util.EnableDeprecatedBouncyCastleAlgorithmsRule; +import libcore.test.annotation.NonCts; import org.bouncycastle.asn1.x509.KeyUsage; import org.conscrypt.Conscrypt; import org.conscrypt.TestUtils; @@ -4662,6 +4663,8 @@ public final class CipherTest { * TODO(27995180): consider whether we keep this compatibility. Consider whether we only allow * if an IV is passed in the parameters. */ + @NonCts(bug = 287231726, reason = "The test asserts buggy or non-breaking " + + "behaviors, but the behavior has been fixed in the future ART module version.") @Test public void test_PBKDF2WITHHMACSHA1_SKFactory_and_PBEAESCBC_Cipher_noIV() throws Exception { Assume.assumeNotNull(Security.getProvider("BC")); diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java index 36d0cb1e..ba842852 100644 --- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java +++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java @@ -384,6 +384,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); 
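Review bot: The `reason` text on the added `@NonCts` annotation in CipherTest does not say which behaviour of `test_PBKDF2WITHHMACSHA1_SKFactory_and_PBEAESCBC_Cipher_noIV` is considered buggy, so a reader cannot tell what stops being verified under CTS. The Javadoc just above (its start is outside the hunk) discusses whether this PBE AES-CBC path should only be allowed when an IV is passed in the parameters. If that is the behaviour meant, the reason should name it, for example `reason = "Asserts the legacy no-IV PBE AES-CBC compatibility behaviour, which a later ART module version changes"`.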
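Review bot: The comment added in `test_SSLSocket_noncontiguousProtocols_useLower` (and repeated in `test_SSLSocket_noncontiguousProtocols_canNegotiate` in the next hunk) talks about fallback and "at least 3 protocol versions", but the guard it documents checks only that TLS 1.1 is enabled. The visible reason for the guard is the following `setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"})`, so I would word it as `// The client enables {"TLSv1.3", "TLSv1.1"}; skip where TLS 1.1 is unavailable.` Only `clientContext` is passed to `assumeTlsV11Enabled`; whether the server side is covered by the same check is not visible here and is worth confirming. Both test bodies continue outside their hunks.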
@@ -413,6 +415,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); @@ -922,6 +926,8 @@ public class SSLSocketTest { @Test public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); @@ -955,6 +961,8 @@ public class SSLSocketTest { public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java index f10c388e..de30bbfa 100644 --- a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java +++ b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java 
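Review bot: In `test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success` and `test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure` the comment says TLS_FALLBACK_SCSV applies to TLS <= 1.2, yet the guard requires TLS 1.1 specifically, and nothing in either hunk shows why 1.2 alone is not enough. If the bodies pin the client to TLSv1.1 (they continue outside the hunks), say so, e.g. `// Test falls back to TLSv1.1; skip where it is disabled.` As written, both downgrade-protection tests are skipped silently on any configuration without TLS 1.1, so it is worth checking whether a TLS 1.2 variant can keep the SCSV behaviour covered there.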
@@ -18,7 +18,7 @@ package org.conscrypt; import static org.conscrypt.TestUtils.getConscryptProvider; import static org.conscrypt.TestUtils.getJdkProvider; -import static org.conscrypt.TestUtils.getProtocols; +import static org.conscrypt.TestUtils.highestCommonProtocol; import static org.conscrypt.TestUtils.initSslContext; import static org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertArrayEquals; @@ -569,7 +569,7 @@ public class ConscryptEngineTest { private static SSLContext newContext(Provider provider, TestKeyStore keyStore) { try { - SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider); + SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider); return initSslContext(ctx, keyStore); } catch (NoSuchAlgorithmException e) { throw new RuntimeException(e); diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java index 84a0ff69..44533ce9 100644 --- a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java +++ b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java @@ -17,7 +17,6 @@ package org.conscrypt; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; @@ -25,10 +24,9 @@ import static org.junit.Assert.fail; import java.security.Provider; import java.security.Security; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; import javax.net.ssl.SSLContext; + +import org.conscrypt.java.security.StandardNames; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.JUnit4; 
@@ -52,69 +50,61 @@ public class ConscryptTest { } @Test - public void testProviderBuilder() throws Exception { - Provider p = Conscrypt.newProviderBuilder() - .setName("test name") - .provideTrustManager(true) - .defaultTlsProtocol("TLSv1.2").build(); - - assertEquals("test name", p.getName()); - assertTrue(p.containsKey("TrustManagerFactory.PKIX")); + public void buildTls12WithTrustManager() throws Exception { + buildProvider("TLSv1.2", true); + } + @Test + public void buildTls12WithoutTrustManager() throws Exception { + buildProvider("TLSv1.2", false); + } - try { - Security.insertProviderAt(p, 1); + @Test + public void buildTls13WithTrustManager() throws Exception { + buildProvider("TLSv1.3", true); + } - SSLContext context = SSLContext.getInstance("TLS"); - context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + @Test + public void buildTls13WithoutTrustManager() throws Exception { + buildProvider("TLSv1.3", false); + } - context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); - } finally { - Security.removeProvider("test name"); + @Test + public void buildInvalid() { + try { + Conscrypt.newProviderBuilder() + .defaultTlsProtocol("invalid").build(); + fail(); + } catch (IllegalArgumentException e) { + // Expected. 
} + } + + private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception { + Provider provider = Conscrypt.newProviderBuilder() + .setName("test name") + .provideTrustManager(withTrustManager) + .defaultTlsProtocol(defaultProtocol) + .build(); - p = Conscrypt.newProviderBuilder() - .setName("test name 2") - .provideTrustManager(false) - .defaultTlsProtocol("TLSv1.3").build(); + assertEquals("test name", provider.getName()); + assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX")); - assertEquals("test name 2", p.getName()); - assertFalse(p.containsKey("TrustManagerFactory.PKIX")); - try { - Security.insertProviderAt(p, 1); + Security.insertProviderAt(provider, 1); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = - new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); + context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); } finally { - Security.removeProvider("test name 2"); - } - - try { - Conscrypt.newProviderBuilder() - .defaultTlsProtocol("invalid").build(); - fail(); - } catch (IllegalArgumentException expected) { + Security.removeProvider("test name"); } } } 
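Review bot: `Security.insertProviderAt(provider, 1)` in `buildProvider` ignores its return value, and all four build tests register the provider under the same fixed name "test name". insertProviderAt returns -1 when a provider with that name is already installed, in which case the remaining assertions would run against whatever registration was left behind rather than the provider just built. I would assert it, `assertTrue(Security.insertProviderAt(provider, 1) != -1);` (assertTrue is already imported in this file), so a leaked registration from an earlier case fails at the point of cause.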
diff --git a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java index c253da22..c7a8de88 100644 --- a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java +++ b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java @@ -77,7 +77,7 @@ final class MockSessionBuilder { when(session.getId()).thenReturn(id); when(session.isValid()).thenReturn(valid); when(session.isSingleUse()).thenReturn(singleUse); - when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]); + when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol()); when(session.getPeerHost()).thenReturn(host); when(session.getPeerPort()).thenReturn(port); when(session.getCipherSuite()).thenReturn(cipherSuite); diff --git a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java index e4297842..601fceec 100644 --- a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java +++ b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java @@ -144,7 +144,7 @@ public class RenegotiationTest { Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket); socket = (SSLSocket) socketFactory.createSocket( TestUtils.getLoopbackAddress(), port); - socket.setEnabledProtocols(TestUtils.getProtocols()); + socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); } catch (IOException e) { throw new RuntimeException(e); @@ -234,7 +234,7 @@ public class RenegotiationTest { serverChannel = ServerSocketChannel.open(); serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0)); engine = newJdkServerContext().createSSLEngine(); - engine.setEnabledProtocols(TestUtils.getProtocols()); + engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); engine.setUseClientMode(false); 
diff --git a/openjdk/src/test/resources/README b/openjdk/src/test/resources/README
index 4a049844..f2505044 100644
--- a/openjdk/src/test/resources/README
+++ b/openjdk/src/test/resources/README
@@ -24,3 +24,52 @@ This repository contains data used in various tests : - ocsp-response-sct-extension.der: The extension from ocsp-response.der which contains the SCT + +For blocklist testing: +- test_blocklist_ca_key.pem: Private key for blocklisted CA + +- test_blocklist_ca.pem: Certificate for blocklisted CA +Generate with: + openssl req -x509 -new -subj "/CN=blacklist test CA" -days 3650 -key test_blocklist_ca_key.pem -out test_blocklist_ca.pem -nodes + +- test_nonblocklist_ca_key.pem: Private key for non-blocklisted CA + +- test_nonblocklist_ca.pem: Certificate for non-blocklisted CA +Generate with: + openssl req -x509 -new -subj "/CN=Test CA" -days 3650 -key test_nonblocklist_ca_key.pem -out test_nonblocklist_ca.pem -nodes + +- test_leaf.csr: CSR for leaf certificate +Generate with: + openssl req -new -subj "/CN=leaf" -out test_leaf.csr -nodes + +- test_intermediate.csr: CSR for intermediate certificate +Generate with: + openssl req -new -subj "/CN=intermediate" -out test_intermediate.csr -keyout test_intermediate_key.pem -nodes + +- test_leaf_blockedroot.pem: Leaf cert signed by blocked root CA +Generate with: + openssl req -days 3650 -in test_leaf.csr -out test_leaf_blockedroot.pem -CA test_blocklist_ca.pem -CAkey test_blocklist_ca_key.pem -nodes + +- test_leaf_intermediate.pem: Leaf cert signed by intermediate CA +Generate with: + openssl req -days 3650 -in test_leaf.csr -out test_leaf_intermediate.pem -CA test_intermediate_blockedroot.pem -CAkey test_intermediate_key.pem -nodes + +- test_intermediate_blockedroot.pem: Intermediate cert signed by blocked root CA +Generate with: + openssl req -days 3650 -in test_intermediate.csr -out test_intermediate_blockedroot.pem -CA test_blocklist_ca.pem -CAkey test_blocklist_ca_key.pem -nodes + +- test_intermediate_nonblockedroot.pem: Intermediate cert signed by non-blocked root CA +Generate with: + openssl req -days 3650 -in test_intermediate.csr -out test_intermediate_nonblockedroot.pem -CA test_nonblocklist_ca.pem 
-CAkey test_nonblocklist_ca_key.pem -nodes + +- blocklist_test_valid_ca.pem: non-blocklisted CA cert +Generate with: + cp test_nonblocklist_ca.pem blocklist_test_valid_ca.pem + +- blocklist_test_chain.pem: Test chain with a valid leaf signed by a blocklisted CA +Generate with: + cat test_leaf_blockedroot.pem test_blocklist_ca.pem > blocklist_test_chain.pem + +blocklist_test_valid_chain.pem: Valid cert chain - leaf signed by intermediate cross-signed by both CAs +Generate with: + cat test_leaf_intermediate.pem test_intermediate_blockedroot.pem test_intermediate_nonblockedroot.pem test_blocklist_ca.pem test_nonblocklist_ca.pem > blocklist_test_valid_chain.pem
\ No newline at end of file
diff --git a/openjdk/src/test/resources/blocklist_test_chain.pem b/openjdk/src/test/resources/blocklist_test_chain.pem
index 6f1f2974..bc7931e9 100644
--- a/openjdk/src/test/resources/blocklist_test_chain.pem
+++ b/openjdk/src/test/resources/blocklist_test_chain.pem
@@ -1,35 +1,38 @@ -----BEGIN CERTIFICATE----- -MIICxzCCAa+gAwIBAgIDAopPMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMTEWJs -YWNrbGlzdCB0ZXN0IENBMCoYEzIwMTUwMTAxMDAwMDAwKzAwMDAYEzIwMjUwMTAx -MDAwMDAwKzAwMDAwDzENMAsGA1UEAxMEbGVhZjCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAOA1rNFofKivnO6f/UjNnkUZX4qG+MBXw5eeingfrLrAbyTP -qf/YCN3F8JOcot1QUEojcjIrm54rDgi1+o9qDDY0CfbJ8UGmjgh0h5odlxnZbsF2 -0Tzy3lEFHPUUBj6160itB95giHDKH1meW91L1ah8Z+nWES9GGBIAS/1XpeXtiE7/ -IuVmEuE8veAbwdMC9qRSEeq2zUWhA4m/KzTuli/GNErkXlazj3hlBs5WJ207ztTp -HRGrAEjQgRKb3Ap2leowiE/u9D1Ean53g4v4gzDV1gx5uTZ395WfuWteO9ZUc9bo -XMeGJiPcvyr2i8Do25ZWw+wW1T2TbcEAtyfOmgkCAwEAAaMTMBEwDwYDVR0TAQH/ -BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAPY6VDC0kfY+kGrM5YiNEjs6PjNjj -ojWU5/UMjwfRqF8JtkNnV9LnBiNlNGUIV8b5OCyXKGjDlc+ISNRvpgGbZ4dzVIwE -OKKL9tUB4IFwRAxO0UbLtVkwFeX3clzTezLkei7ahgUe04c2ZjFeO/mf/nuQWvWY -hprLz5uiGtKWPcirec4wPLkuyHzQMv7Dx/5VYARuxhHkkplteVQ4k9nTxag372Re -eHgH4KKgLTXEBjV55RoAtOsug+k+KT8U9FzU2ul/j+89tJihllkD1udqIkic8RMx -qn/mBaIe/ENb88TzrSXcp2xE9rth+QtjpNAVGnE4hP87QukVgedq7JKV7Q== +MIIDDDCCAfSgAwIBAgIUODP0VFemD4Zonzl3hogYzAEZLLwwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRYmxhY2tsaXN0IHRlc3QgQ0EwHhcNMjMwMTE5MTcxODQw +WhcNMzMwMTE2MTcxODQwWjAPMQ0wCwYDVQQDDARsZWFmMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA1VVEHqI9ys3QItZQFeM7ne8J20oR04GAK4yYD/Yn +z9gpzSB/8gYIVX9tn1E2YzIey7Uyna27qmizFrILPE9WpbtdhssgrEdJHdlqtO2b +kplEky1H+Jul9+vOsQ5fL7vnzexk850E0Lu6O1jyxNOkveSLZiailfxNYg2eXrhZ ++W3FgJCj6jHtyM7SXCuptSJGTm8saG+6hf4RgHWxfELb5FYyOHdA2LRK3InAEJL7 +474lhokyOj/xcKuQ25jKGfQGarqUzNPdW7TqyQ2mYNCcWCNyZA8RPvJEFl4oWnms +0Vy6CODCaukYm8ScsGRZtTFnvwR13nPiVVSJ8aBZ5cjb2QIDAQABo1MwUTAdBgNV +HQ4EFgQUMg9ifb+WI/uUTTf8Jd31XVHAI8MwHwYDVR0jBBgwFoAUxrkLk9BFhLOW +4XSmUbzxoc+zIJIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA +nxPXBF/Jrsig/5LMwaUyCX/VYb9W7W9tV6odKjghKxf6hA59VxevY/S/J0yK+mTJ +PAQGZC0vkcWjmBDQW8w9J0sUkX+8OCdcxqXGRnryCJ1lB7i/UOLhkCyPA1jZGNti +E43LYqs+iBxEvzPzeOggvXaE+ujtFZxCT5dLlzzVvTt9vomKvPmapC93ycorYjYV 
+89K54mNqj7aZeCHTmyJxsZGzUhVDdp83Dnl8YopYpnHd7jr0xX8fqbL9WZf81sRn +3u99Js6csv4Gi/ZDrbNONaUfpD5iH0Tm+2Kh7p6pI0lVBWaZzw59PNVGDRZp15sl +HeCO1zZqxh3hj+gZW0Ao1Q== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIC1DCCAbygAwIBAgIDDYaqMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMTEWJs -YWNrbGlzdCB0ZXN0IENBMCoYEzIwMTUwMTAxMDAwMDAwKzAwMDAYEzIwMjUwMTAx -MDAwMDAwKzAwMDAwHDEaMBgGA1UEAxMRYmxhY2tsaXN0IHRlc3QgQ0EwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDafYp6+Gs5ZjfLfU2EH/NYpvdBUyPz -veQBJCE4PhBYhOm+Z+J6aX0rSHqU4VTJ8H0TOb6Fh54zBUkIQJHx8YTIsXVmDj0O -louWAa3uYpIOeBz46knJxdTI9NG6XnsHMYUICZPM8CHtHhoaYnhaRFTcGIg+Y9Hl -BxMTYXXtqjicg10YuSuEkwMuDT7CbmnmYon8Gt5+ygHIe8YFWdCicpzm5wlPvRu4 -D+WiH2mTgfFG5D5QDoRnxnHWAcO8/+UenFtnbfRip9h6TrzXoJSHtuYW3rMCDVG3 -owVwUE3+ExMcbWKn+qaqGQsjrLlwyYEcKjhH67iPFcTtvZfCsgv8YG75AgMBAAGj -EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAILNS2XgO4Qa -plyF7wbQFvVlFFe1QIiEiPZcopqb0zEse73IPBGUnoIt3C9keCv8Q6d7h0x2fe2N -IqD4P9WXGQYiobBnTci1d2nW5dBq1WVDcpK4cNVsDX7SBE6sd19JEAazNSPIQJ6T -sts2JXXdTssAyVqGAnq6TwQ2U5ArzuC5pCmr7FcfYAH0sCZM5VWw+ffJylDMBfeG -oWyjH6f+TmkDd7yvIDh+ptn7Qv+LRxIjHDLPOxG9Y6JaDYtVqKJWh7er5/HFlwUi -E6gpIuFM6It5ogUtmik2B19bPWpcnGFhv01IKBgmihpzd8LyCmxTtkK11KMxS1JF -xZSCP3mJTbQ= +MIIDGTCCAgGgAwIBAgIUWiZLLT8XQzYF/Mb+OH3/otrHqRowDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRYmxhY2tsaXN0IHRlc3QgQ0EwHhcNMjMwMTE5MTYyMzA0 +WhcNMzMwMTE2MTYyMzA0WjAcMRowGAYDVQQDDBFibGFja2xpc3QgdGVzdCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANp9inr4azlmN8t9TYQf81im +90FTI/O95AEkITg+EFiE6b5n4nppfStIepThVMnwfRM5voWHnjMFSQhAkfHxhMix +dWYOPQ6Wi5YBre5ikg54HPjqScnF1Mj00bpeewcxhQgJk8zwIe0eGhpieFpEVNwY +iD5j0eUHExNhde2qOJyDXRi5K4STAy4NPsJuaeZiifwa3n7KAch7xgVZ0KJynObn +CU+9G7gP5aIfaZOB8UbkPlAOhGfGcdYBw7z/5R6cW2dt9GKn2HpOvNeglIe25hbe +swINUbejBXBQTf4TExxtYqf6pqoZCyOsuXDJgRwqOEfruI8VxO29l8KyC/xgbvkC +AwEAAaNTMFEwHQYDVR0OBBYEFMa5C5PQRYSzluF0plG88aHPsyCSMB8GA1UdIwQY +MBaAFMa5C5PQRYSzluF0plG88aHPsyCSMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI 
+hvcNAQELBQADggEBAI73fjDcLSPr8StmZFO7boGnH8Xd0OmC3nbR2SMpvUMrqW1E +8iNJH3zstFzaBm6QbzDMWhWHq/QfbF+CiLBj0FgMKSWFyf7mZ9CZIcRiTRBneWmV +ScbiDBcGLMlypBrJYZjzf2ngv/G6nOw/wV4/k7VurkNOCg1u38lTwiW8PlhRxmTP +kveCfubd/PEBfyC8aesSbzyUnXKelSb/TmuCdyfogYrFdO44E98dPJ8RRIBV2U2o +P8Bnd+eIbQUlC/7mBEb6dARwVRi+yzkhdnE/lJOzM9np9nxJ6ck7gA3WjEt4gcEr +ZsQ9cSvlxw1uoFKgzLOFhMkpTMIqLBuV1Aj5Jm0= -----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/blocklist_test_valid_ca.pem b/openjdk/src/test/resources/blocklist_test_valid_ca.pem index 19148c72..43aafedd 100644 --- a/openjdk/src/test/resources/blocklist_test_valid_ca.pem +++ b/openjdk/src/test/resources/blocklist_test_valid_ca.pem 
@@ -1,17 +1,19 @@ -----BEGIN CERTIFICATE----- -MIICwDCCAaigAwIBAgIDBWa1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB1Rl -c3QgQ2EwKhgTMjAxNTAxMDEwMDAwMDArMDAwMBgTMjAyNTAxMDEwMDAwMDArMDAw -MDASMRAwDgYDVQQDEwdUZXN0IENhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAuk5Hq/uHOz7E3gEZFXKb0ZFslODflO7vB/VT3dmHyGXxuDK5fgQB4xPz -uoU1VSpD9Pxpe9u+6jNlShEZ5xN34c2F6g+stU4lUS5udqCZVEtB6/etOOpMuiWU -Ud2DVkEAn9weWkJmKy2gkLQ8p2Iw+0mPlhKKFI9brhGTEpQDTvW9sbLmSQFSEk30 -Ia5rxii/cgu8j5AQmsvUQA06vHXq6/xIsQIj1UFMycBmPz8BvrVO/c891vD9f2Uq -gQg4p084rmsc6a7PAhBibTOFs3m91HNyZuY2M3pA1r1oLPRQ3WYXb8Wt+kHVtKAr -L6qDXtofCU3RGhAruwjmuOWftgNsGwIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/ -MA0GCSqGSIb3DQEBCwUAA4IBAQCkFKi9HmsOyn4Wh6RpzwSh39L6e48IdOMcNpOK -O38tO2rO/uNnhGn2ptnUJkwYS7XOy/A09q1iZNbiuwBweIxc8Z17vpNmk7cF4TMw -lMRJjDE3Dm2qjTs/lDOknGuzB38Q8tGN/ZbYUHjjf4TZHk5FXCzRUUp+UMzxlOuc -HAuNuBlQUW88s26h7NdNr115VCbouAI7YkWJRmS2FbeQD5Nwx/kZcvLtJyKasx+n -imeqy3kCW1NzP9nwlsx2vwW6ydGsdHxqsfrRpdRSLHjzQDA+5m5xMNV0oTr86Iex -mkqHtIMbOOUpzrE3PACA4m7IgA6AcSkV5gGM9AgqcYccC3St +MIIDBTCCAe2gAwIBAgIUKqLusWazdD0go8IpA6ZOBM8bFd4wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMzAxMTkxNjUxNTJaFw0zMzAxMTYx +NjUxNTJaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC1gY2VOIFa/lQfPiJpXIKBEVYlnJdsJ6izpwmgi+2M8qTZGxva +ov8xv9tObYNyENakHfdXu4RAF7Z/cCw/ntJo0mEKVzJflm/gMa6/02e+znp5s0lK +YFLGY6+++H81neS8NHWF1E2D0Yxa/47zQAw8QWI5T7Lw0uzWFT6gq2oTRpFBj4Ra +tJhpXMX7/cSR3yV6Eeuq6vU9Ncceurqzo1tg3bI4FKn09xDbnbpb+rxShqv+nKDC +Mxt7f2HRSVSgLEe2z8mpq2PXVwAtv7TL+UXGZfniNG0wzO+PLGIYzctL64z6ebDy +5LOIhrgcOSVE0mAMBA9XPuQiF65lO6Bk+++PAgMBAAGjUzBRMB0GA1UdDgQWBBQA +8Dwjn9Q+kqU1xga49TmtN8js0zAfBgNVHSMEGDAWgBQA8Dwjn9Q+kqU1xga49Tmt +N8js0zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAKqBYJ8sk0 +xfyNQlXSJW0y6guNVa9cO7mkiC1QbJswcFoCr8W1Mk0AJm01aK6BzeUTVxWSkcWY +kLFAaSCK0ppQvk4huJFQciTGsrzF+OrKorKLikS5ExGKW2LVhcZiXCRY3sqO28Tr +HFKyYEZTHpIs5gYZTuDxixJWL48IJOsntWZJXvl6Su2FM3CTkJME2SDdXRBs1O+F 
+ljhMbaceMX6vE6rpXbSHGiIxc/xienW3j4o6GiMCuptEjCvXoWZVGxXigLN0DLm9 +q00Cjqti9vAt2++S0PXxNo06aN4MvA6j0svMro19DuIST68r9jTzonmG0x/dswZY +g4Un1RLN3rzZ -----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/blocklist_test_valid_chain.pem b/openjdk/src/test/resources/blocklist_test_valid_chain.pem index e763a05a..f5726273 100644 --- a/openjdk/src/test/resources/blocklist_test_valid_chain.pem +++ b/openjdk/src/test/resources/blocklist_test_valid_chain.pem 
@@ -1,87 +1,95 @@ -----BEGIN CERTIFICATE----- -MIICwjCCAaqgAwIBAgIDD37fMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNVBAMTDGlu -dGVybWVkaWF0ZTAqGBMyMDE1MDEwMTAwMDAwMCswMDAwGBMyMDI1MDEwMTAwMDAw -MCswMDAwMA8xDTALBgNVBAMTBGxlYWYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQDNq1OWpxGZfNFw8E8ZPvYEXeaXEa1twBSKDe1EUctuck+F8Ethb0O1 -ooWA9egJh8GWSbxFdPfoJ/yyuor3sH5kkUtq94NO/1IXPn4xnrwrfvkeVR8e3pXn -kAQm7MH8c8iPmQ59arfBjFfX9ZZhPiLDPq1bsQa8WqaajyylVVDzQcYseDSHoR/7 -3QmcfUZjH5qxYf7jcS8QdtfnD6faZuczM30qL7N3BLn2gcA5I5jVkrxQBKfLBPfl -6k3aO6ekxSSxhSHqBv7x5VIzoiq666DGdelLuwrmMksx7Ni7cnXws3rlBYCr6wly -Hux62YJ9Og3rC5lb3pjkmSzj31VVfFnpAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMB -Af8wDQYJKoZIhvcNAQELBQADggEBAISuXogfdMHZiAs3CJwsOTjCLW0MGsqWH88j -wdkbotZuTAb84Iq2vpoX/w95WlyakseFGHnAaexy4nzSNyn8LC5b4JMNQopn8Gxs -y3p0Z+XC/PNC/4lVxQB8KARFvhtW7Ltw1jjIqbTq2ZTWVSCuqb+1ZnMihP4MYinb -Ml/Q9N/pitaLolQ/pewm4YjqUA8rGC3OkyL06huz+Ow382TvMDVLk0nctMvCrg1h -IJFlCD5I8xhcIAqp7wzEHVHQ9jRT9NjElG+PF6FwGi6IW3A8wL8fGru2N84OeJbs -ROrn33HqVsoqZUdXSPG5YGxM7c7wfUBx3g1/Ou3gxLlqp4a/kX0= +MIIDBzCCAe+gAwIBAgIUfCBnEPBeeqUTdsm3eI1CnjL8zIowDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50ZXJtZWRpYXRlMB4XDTIzMDExOTE3NDUyMFoXDTMz +MDExNjE3NDUyMFowDzENMAsGA1UEAwwEbGVhZjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANVVRB6iPcrN0CLWUBXjO53vCdtKEdOBgCuMmA/2J8/YKc0g +f/IGCFV/bZ9RNmMyHsu1Mp2tu6posxayCzxPVqW7XYbLIKxHSR3ZarTtm5KZRJMt +R/ibpffrzrEOXy+7583sZPOdBNC7ujtY8sTTpL3ki2YmopX8TWINnl64WfltxYCQ +o+ox7cjO0lwrqbUiRk5vLGhvuoX+EYB1sXxC2+RWMjh3QNi0StyJwBCS++O+JYaJ +Mjo/8XCrkNuYyhn0Bmq6lMzT3Vu06skNpmDQnFgjcmQPET7yRBZeKFp5rNFcugjg +wmrpGJvEnLBkWbUxZ78Edd5z4lVUifGgWeXI29kCAwEAAaNTMFEwHQYDVR0OBBYE +FDIPYn2/liP7lE03/CXd9V1RwCPDMB8GA1UdIwQYMBaAFDM/Uf/JXrpiMV6rozq/ +L4lNobX7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJh2wZtc +aDji9cI8LKJAr7V3raQFfk6Oq999CIoLoH3MiaEyTG9/FC/ZlaGUpC49c63bsRu8 +AQuPQydVOjrVTeUB4x12qoDGdz1lze+2zeY2jbIsd5VBEF0gObdkwwHgFQXKH5Lf +eSoBc4XPQ0I5dTYvR/P3+KX4fTyEmmjj+EWaH4yFPsW3JVu/2LrzI0IKq3+9VD0a 
+dB/mI42lI65cEtW2zGI+CSQGt0FGXdVsXGfne87QNByVxYCyS0wzdfSla3yLLGdf +8EJTqwZH0lKuRSf8xeNFr/pVXT9YfJWUAja7lIiwQVQfsD5MGsjNGcJMEDhM08PO ++lFxL3h3B85jIZw= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICzzCCAbegAwIBAgIDDeS0MA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMTEWJs -YWNrbGlzdCB0ZXN0IENBMCoYEzIwMTUwMTAxMDAwMDAwKzAwMDAYEzIwMjUwMTAx -MDAwMDAwKzAwMDAwFzEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2v+yrEqrNHOD30WnfdjgDQx+bWF46/zUArFU -aeHSzjKEaZcSXI4a3vtFS5NH7AGE8kcrOWRSpgG9WC1CSSW9doHqz0eVK/vBDa62 -J3eZPh0kc2pgrwPRWZjzoQLpaApIq1j7xskp5PC21GA3mDKQCI/Z/TpuBoD38jwR -TzmJOA4/+0zf+5dH4qyzHtE+K/WrUdNnonZ9ohK9WAlDhKAZ8N4VFb75VQJOYhdK -sBiqQqBiw1Wg9IRSCeDSq3O6zjDznzQAa0hmKanqq+VVwgq8z9GRCXa3y2RawnU6 -oVfRKTQnRqUxtRobjXUCArDatsZ4xr1A4fDMCPcLyaEMOCG7CQIDAQABoxMwETAP -BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQClkXYt95OajuH5Xqut -KO52XMAeJSC+lAp7sT32tUAZgsV0x5YEAKbo6W9hWuSPdx99r9bPgfQ0sqc1gRgS -wyW3ZbB/rNrQqQqNYzBWwKrg3uTCGA1o85SqX8aiDJuygBySllTzGztENTApWYwN -LJATS9yPgn/31BHyfZ29v+6fa3cnuRitVGIW/thDwz8IPqPSNqGTO8Obf/6WDOK/ -7pkji2rHG25Gi/3mWOvnjejbKwb4w4ZlihcNc60ra+0qEM5xstGz6dMJ3sd/w/Fq -7d/4qhAEpJ7GPg/A5eVGyTYhpYuBA68KoQrrPf2CCGUFQxLQm6UQlICB5AREWOmi -hZGG +MIIDFDCCAfygAwIBAgIUKEpmhiN42JxqaXIMn0ZdTuvIwkEwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRYmxhY2tsaXN0IHRlc3QgQ0EwHhcNMjMwMTE5MTc0MjQ1 +WhcNMzMwMTE2MTc0MjQ1WjAXMRUwEwYDVQQDDAxpbnRlcm1lZGlhdGUwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqmKuWPJTduy2i0DduzXD3uAENuBI9 +fscc9BpVB4gsbj0TqxLwTtOy30Wblvv8EqeHlHZ6STpfOlHWXwyvKzES1SLril9w +M5oQOyNHLUKj5rZlYQrOKetx9CaSTagfkfKOJefiUDPgjc8XNbQp7SwtKAy2VbKG +YPawrdgXMoehKfUbknYgYVVoCseGQbfxg6+x2DD/G4xPOxiTAc2TBZH0ttQYjwJv +uFxwBXp5ZOC7QIQMni2c275FyguDKsk6+I0EHw+zEQUQQM+eKvNm3cE/f8FCESwA +i02WbFaY7HjqJ/JvB/CTvBkGYi+B4OcevgyVADm7r56mrEJ9v2bDz3IvAgMBAAGj +UzBRMB0GA1UdDgQWBBQzP1H/yV66YjFeq6M6vy+JTaG1+zAfBgNVHSMEGDAWgBTG +uQuT0EWEs5bhdKZRvPGhz7MgkjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQDTcXx9PghFT+H1bKJMDGSH8Jr8730dpKs6e3IuVgCs00YyvMBgRYbA 
+v5ksMV80ZHOErim6JYTj8rpLSUXWYgq7xyFaTMWSt+YPPoXAkdW6p3fngyvCf9T2 +HqZenJTQw2g/xRDL6PTjWh5qumqipVuAR9ue4l+4fRb31VaDOL0U/OPkqjoD3C/c +3ni9cglpzCRotTTGaSpIIpaBWy77HounXjreVn+JbYsEEx1S4CBo6+EJA+CEtQQo +BSFBnvl62rfwNKHCEvMB1jmMELIATVxu1NL6fWp/bP3OTWxqLcJU4G3zf0M1qTLx +fuoKzzyqdyjaeeE+ibr7sgyOU6Q/zk0Q -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICxTCCAa2gAwIBAgIDAIddMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB1Rl -c3QgQ2EwKhgTMjAxNTAxMDEwMDAwMDArMDAwMBgTMjAyNTAxMDEwMDAwMDArMDAw -MDAXMRUwEwYDVQQDEwxpbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQDa/7KsSqs0c4PfRad92OANDH5tYXjr/NQCsVRp4dLOMoRplxJc -jhre+0VLk0fsAYTyRys5ZFKmAb1YLUJJJb12gerPR5Ur+8ENrrYnd5k+HSRzamCv -A9FZmPOhAuloCkirWPvGySnk8LbUYDeYMpAIj9n9Om4GgPfyPBFPOYk4Dj/7TN/7 -l0firLMe0T4r9atR02eidn2iEr1YCUOEoBnw3hUVvvlVAk5iF0qwGKpCoGLDVaD0 -hFIJ4NKrc7rOMPOfNABrSGYpqeqr5VXCCrzP0ZEJdrfLZFrCdTqhV9EpNCdGpTG1 -GhuNdQICsNq2xnjGvUDh8MwI9wvJoQw4IbsJAgMBAAGjEzARMA8GA1UdEwEB/wQF -MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJnqAkMbjA4+FFLAapxM+MMLjIVmtSB7 -je7U8APLI0jeY/Wye/OAsOI2vmn7PYVsCTQXr14sCJz863UHrrlDF8ejf0nqSfUM -bSXvc23XuDmcDqoM2UroHqRmZa0SC1cFC6aJ5ODwioB98cSiPzr24aWcr43dtO4P -OOjmDXzpC7E67amn3luUIpDJ8epHPIT8+hxP2FP7CHlYUxKQFh3l/t3ftlVF9QId -992TbF9dDluhzWVh7jsNRJrq2cEIPn6dBsPRPncOcvYton4nvpmDaeS9/d5ktkij -LCpJv0ECxC/kcPQu65twBWhPwER/hOV0Tq9VYVDpgP3k/K4YdXs1UhY= +MIIDCjCCAfKgAwIBAgIUZzC6NfXFwaGgeTHeleM4k2izk8UwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMzAxMTkxNzQyNTVaFw0zMzAxMTYx +NzQyNTVaMBcxFTATBgNVBAMMDGludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAKqYq5Y8lN27LaLQN27NcPe4AQ24Ej1+xxz0GlUHiCxu +PROrEvBO07LfRZuW+/wSp4eUdnpJOl86UdZfDK8rMRLVIuuKX3AzmhA7I0ctQqPm +tmVhCs4p63H0JpJNqB+R8o4l5+JQM+CNzxc1tCntLC0oDLZVsoZg9rCt2Bcyh6Ep +9RuSdiBhVWgKx4ZBt/GDr7HYMP8bjE87GJMBzZMFkfS21BiPAm+4XHAFenlk4LtA +hAyeLZzbvkXKC4MqyTr4jQQfD7MRBRBAz54q82bdwT9/wUIRLACLTZZsVpjseOon +8m8H8JO8GQZiL4Hg5x6+DJUAObuvnqasQn2/ZsPPci8CAwEAAaNTMFEwHQYDVR0O +BBYEFDM/Uf/JXrpiMV6rozq/L4lNobX7MB8GA1UdIwQYMBaAFADwPCOf1D6SpTXG 
+Brj1Oa03yOzTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE5y +7OE6lmZlstL/15x8yZmUYzSXF0u365jfs1eJXDkWzn2BcmmzMSADn9spakDDZtN0 +daOpDGaB81TDjiBID1OwKMSRM1DmZzNI4PLFqWKUjWkwRtZjo5GsD0p/ATLV+S2z +eQIHcqTcAH8ay1sBReig/plALKyseTk4R2799Gi+tA08RQ4cIsdxyUFSUc0nqgFV +YsBM/cDeFCSYNwWLsNYAubJMIoUiKiweZ8bx+OoaS8Swc4p1M3Fk7lmh2g7APLjG +RkiPF4Ta3c41yZxNW7tEP4CCPB3hm0OkEdW68zc8oOPiNt1sNL5szJI3+cVT+k+5 +4387ICBvTGLQRHL6avw= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIC1DCCAbygAwIBAgIDDYaqMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMTEWJs -YWNrbGlzdCB0ZXN0IENBMCoYEzIwMTUwMTAxMDAwMDAwKzAwMDAYEzIwMjUwMTAx -MDAwMDAwKzAwMDAwHDEaMBgGA1UEAxMRYmxhY2tsaXN0IHRlc3QgQ0EwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDafYp6+Gs5ZjfLfU2EH/NYpvdBUyPz -veQBJCE4PhBYhOm+Z+J6aX0rSHqU4VTJ8H0TOb6Fh54zBUkIQJHx8YTIsXVmDj0O -louWAa3uYpIOeBz46knJxdTI9NG6XnsHMYUICZPM8CHtHhoaYnhaRFTcGIg+Y9Hl -BxMTYXXtqjicg10YuSuEkwMuDT7CbmnmYon8Gt5+ygHIe8YFWdCicpzm5wlPvRu4 -D+WiH2mTgfFG5D5QDoRnxnHWAcO8/+UenFtnbfRip9h6TrzXoJSHtuYW3rMCDVG3 -owVwUE3+ExMcbWKn+qaqGQsjrLlwyYEcKjhH67iPFcTtvZfCsgv8YG75AgMBAAGj -EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAILNS2XgO4Qa -plyF7wbQFvVlFFe1QIiEiPZcopqb0zEse73IPBGUnoIt3C9keCv8Q6d7h0x2fe2N -IqD4P9WXGQYiobBnTci1d2nW5dBq1WVDcpK4cNVsDX7SBE6sd19JEAazNSPIQJ6T -sts2JXXdTssAyVqGAnq6TwQ2U5ArzuC5pCmr7FcfYAH0sCZM5VWw+ffJylDMBfeG -oWyjH6f+TmkDd7yvIDh+ptn7Qv+LRxIjHDLPOxG9Y6JaDYtVqKJWh7er5/HFlwUi -E6gpIuFM6It5ogUtmik2B19bPWpcnGFhv01IKBgmihpzd8LyCmxTtkK11KMxS1JF -xZSCP3mJTbQ= +MIIDGTCCAgGgAwIBAgIUWiZLLT8XQzYF/Mb+OH3/otrHqRowDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRYmxhY2tsaXN0IHRlc3QgQ0EwHhcNMjMwMTE5MTYyMzA0 +WhcNMzMwMTE2MTYyMzA0WjAcMRowGAYDVQQDDBFibGFja2xpc3QgdGVzdCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANp9inr4azlmN8t9TYQf81im +90FTI/O95AEkITg+EFiE6b5n4nppfStIepThVMnwfRM5voWHnjMFSQhAkfHxhMix +dWYOPQ6Wi5YBre5ikg54HPjqScnF1Mj00bpeewcxhQgJk8zwIe0eGhpieFpEVNwY +iD5j0eUHExNhde2qOJyDXRi5K4STAy4NPsJuaeZiifwa3n7KAch7xgVZ0KJynObn 
+CU+9G7gP5aIfaZOB8UbkPlAOhGfGcdYBw7z/5R6cW2dt9GKn2HpOvNeglIe25hbe +swINUbejBXBQTf4TExxtYqf6pqoZCyOsuXDJgRwqOEfruI8VxO29l8KyC/xgbvkC +AwEAAaNTMFEwHQYDVR0OBBYEFMa5C5PQRYSzluF0plG88aHPsyCSMB8GA1UdIwQY +MBaAFMa5C5PQRYSzluF0plG88aHPsyCSMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAI73fjDcLSPr8StmZFO7boGnH8Xd0OmC3nbR2SMpvUMrqW1E +8iNJH3zstFzaBm6QbzDMWhWHq/QfbF+CiLBj0FgMKSWFyf7mZ9CZIcRiTRBneWmV +ScbiDBcGLMlypBrJYZjzf2ngv/G6nOw/wV4/k7VurkNOCg1u38lTwiW8PlhRxmTP +kveCfubd/PEBfyC8aesSbzyUnXKelSb/TmuCdyfogYrFdO44E98dPJ8RRIBV2U2o +P8Bnd+eIbQUlC/7mBEb6dARwVRi+yzkhdnE/lJOzM9np9nxJ6ck7gA3WjEt4gcEr +ZsQ9cSvlxw1uoFKgzLOFhMkpTMIqLBuV1Aj5Jm0= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICwDCCAaigAwIBAgIDBWa1MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB1Rl -c3QgQ2EwKhgTMjAxNTAxMDEwMDAwMDArMDAwMBgTMjAyNTAxMDEwMDAwMDArMDAw -MDASMRAwDgYDVQQDEwdUZXN0IENhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAuk5Hq/uHOz7E3gEZFXKb0ZFslODflO7vB/VT3dmHyGXxuDK5fgQB4xPz -uoU1VSpD9Pxpe9u+6jNlShEZ5xN34c2F6g+stU4lUS5udqCZVEtB6/etOOpMuiWU -Ud2DVkEAn9weWkJmKy2gkLQ8p2Iw+0mPlhKKFI9brhGTEpQDTvW9sbLmSQFSEk30 -Ia5rxii/cgu8j5AQmsvUQA06vHXq6/xIsQIj1UFMycBmPz8BvrVO/c891vD9f2Uq -gQg4p084rmsc6a7PAhBibTOFs3m91HNyZuY2M3pA1r1oLPRQ3WYXb8Wt+kHVtKAr -L6qDXtofCU3RGhAruwjmuOWftgNsGwIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/ -MA0GCSqGSIb3DQEBCwUAA4IBAQCkFKi9HmsOyn4Wh6RpzwSh39L6e48IdOMcNpOK -O38tO2rO/uNnhGn2ptnUJkwYS7XOy/A09q1iZNbiuwBweIxc8Z17vpNmk7cF4TMw -lMRJjDE3Dm2qjTs/lDOknGuzB38Q8tGN/ZbYUHjjf4TZHk5FXCzRUUp+UMzxlOuc -HAuNuBlQUW88s26h7NdNr115VCbouAI7YkWJRmS2FbeQD5Nwx/kZcvLtJyKasx+n -imeqy3kCW1NzP9nwlsx2vwW6ydGsdHxqsfrRpdRSLHjzQDA+5m5xMNV0oTr86Iex -mkqHtIMbOOUpzrE3PACA4m7IgA6AcSkV5gGM9AgqcYccC3St +MIIDBTCCAe2gAwIBAgIUKqLusWazdD0go8IpA6ZOBM8bFd4wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMzAxMTkxNjUxNTJaFw0zMzAxMTYx +NjUxNTJaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC1gY2VOIFa/lQfPiJpXIKBEVYlnJdsJ6izpwmgi+2M8qTZGxva +ov8xv9tObYNyENakHfdXu4RAF7Z/cCw/ntJo0mEKVzJflm/gMa6/02e+znp5s0lK 
+YFLGY6+++H81neS8NHWF1E2D0Yxa/47zQAw8QWI5T7Lw0uzWFT6gq2oTRpFBj4Ra +tJhpXMX7/cSR3yV6Eeuq6vU9Ncceurqzo1tg3bI4FKn09xDbnbpb+rxShqv+nKDC +Mxt7f2HRSVSgLEe2z8mpq2PXVwAtv7TL+UXGZfniNG0wzO+PLGIYzctL64z6ebDy +5LOIhrgcOSVE0mAMBA9XPuQiF65lO6Bk+++PAgMBAAGjUzBRMB0GA1UdDgQWBBQA +8Dwjn9Q+kqU1xga49TmtN8js0zAfBgNVHSMEGDAWgBQA8Dwjn9Q+kqU1xga49Tmt +N8js0zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAKqBYJ8sk0 +xfyNQlXSJW0y6guNVa9cO7mkiC1QbJswcFoCr8W1Mk0AJm01aK6BzeUTVxWSkcWY +kLFAaSCK0ppQvk4huJFQciTGsrzF+OrKorKLikS5ExGKW2LVhcZiXCRY3sqO28Tr +HFKyYEZTHpIs5gYZTuDxixJWL48IJOsntWZJXvl6Su2FM3CTkJME2SDdXRBs1O+F +ljhMbaceMX6vE6rpXbSHGiIxc/xienW3j4o6GiMCuptEjCvXoWZVGxXigLN0DLm9 +q00Cjqti9vAt2++S0PXxNo06aN4MvA6j0svMro19DuIST68r9jTzonmG0x/dswZY +g4Un1RLN3rzZ -----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/test_blocklist_ca.pem b/openjdk/src/test/resources/test_blocklist_ca.pem index b087d565..74e1c6de 100644 --- a/openjdk/src/test/resources/test_blocklist_ca.pem +++ b/openjdk/src/test/resources/test_blocklist_ca.pem 
@@ -1,18 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC1DCCAbygAwIBAgIDDYaqMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMTEWJs -YWNrbGlzdCB0ZXN0IENBMCoYEzIwMTUwMTAxMDAwMDAwKzAwMDAYEzIwMjUwMTAx -MDAwMDAwKzAwMDAwHDEaMBgGA1UEAxMRYmxhY2tsaXN0IHRlc3QgQ0EwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDafYp6+Gs5ZjfLfU2EH/NYpvdBUyPz -veQBJCE4PhBYhOm+Z+J6aX0rSHqU4VTJ8H0TOb6Fh54zBUkIQJHx8YTIsXVmDj0O -louWAa3uYpIOeBz46knJxdTI9NG6XnsHMYUICZPM8CHtHhoaYnhaRFTcGIg+Y9Hl -BxMTYXXtqjicg10YuSuEkwMuDT7CbmnmYon8Gt5+ygHIe8YFWdCicpzm5wlPvRu4 -D+WiH2mTgfFG5D5QDoRnxnHWAcO8/+UenFtnbfRip9h6TrzXoJSHtuYW3rMCDVG3 -owVwUE3+ExMcbWKn+qaqGQsjrLlwyYEcKjhH67iPFcTtvZfCsgv8YG75AgMBAAGj -EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAILNS2XgO4Qa -plyF7wbQFvVlFFe1QIiEiPZcopqb0zEse73IPBGUnoIt3C9keCv8Q6d7h0x2fe2N -IqD4P9WXGQYiobBnTci1d2nW5dBq1WVDcpK4cNVsDX7SBE6sd19JEAazNSPIQJ6T -sts2JXXdTssAyVqGAnq6TwQ2U5ArzuC5pCmr7FcfYAH0sCZM5VWw+ffJylDMBfeG -oWyjH6f+TmkDd7yvIDh+ptn7Qv+LRxIjHDLPOxG9Y6JaDYtVqKJWh7er5/HFlwUi -E6gpIuFM6It5ogUtmik2B19bPWpcnGFhv01IKBgmihpzd8LyCmxTtkK11KMxS1JF -xZSCP3mJTbQ= +MIIDGTCCAgGgAwIBAgIUWiZLLT8XQzYF/Mb+OH3/otrHqRowDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRYmxhY2tsaXN0IHRlc3QgQ0EwHhcNMjMwMTE5MTYyMzA0 +WhcNMzMwMTE2MTYyMzA0WjAcMRowGAYDVQQDDBFibGFja2xpc3QgdGVzdCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANp9inr4azlmN8t9TYQf81im +90FTI/O95AEkITg+EFiE6b5n4nppfStIepThVMnwfRM5voWHnjMFSQhAkfHxhMix +dWYOPQ6Wi5YBre5ikg54HPjqScnF1Mj00bpeewcxhQgJk8zwIe0eGhpieFpEVNwY +iD5j0eUHExNhde2qOJyDXRi5K4STAy4NPsJuaeZiifwa3n7KAch7xgVZ0KJynObn +CU+9G7gP5aIfaZOB8UbkPlAOhGfGcdYBw7z/5R6cW2dt9GKn2HpOvNeglIe25hbe +swINUbejBXBQTf4TExxtYqf6pqoZCyOsuXDJgRwqOEfruI8VxO29l8KyC/xgbvkC +AwEAAaNTMFEwHQYDVR0OBBYEFMa5C5PQRYSzluF0plG88aHPsyCSMB8GA1UdIwQY +MBaAFMa5C5PQRYSzluF0plG88aHPsyCSMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAI73fjDcLSPr8StmZFO7boGnH8Xd0OmC3nbR2SMpvUMrqW1E +8iNJH3zstFzaBm6QbzDMWhWHq/QfbF+CiLBj0FgMKSWFyf7mZ9CZIcRiTRBneWmV +ScbiDBcGLMlypBrJYZjzf2ngv/G6nOw/wV4/k7VurkNOCg1u38lTwiW8PlhRxmTP 
+kveCfubd/PEBfyC8aesSbzyUnXKelSb/TmuCdyfogYrFdO44E98dPJ8RRIBV2U2o +P8Bnd+eIbQUlC/7mBEb6dARwVRi+yzkhdnE/lJOzM9np9nxJ6ck7gA3WjEt4gcEr +ZsQ9cSvlxw1uoFKgzLOFhMkpTMIqLBuV1Aj5Jm0= -----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/test_intermediate.csr b/openjdk/src/test/resources/test_intermediate.csr new file mode 100644 index 00000000..dbe8d2e8 --- /dev/null +++ b/openjdk/src/test/resources/test_intermediate.csr @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICXDCCAUQCAQAwFzEVMBMGA1UEAwwMaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqpirljyU3bstotA3bs1w97gBDbgSPX7HHPQa +VQeILG49E6sS8E7Tst9Fm5b7/BKnh5R2ekk6XzpR1l8MrysxEtUi64pfcDOaEDsj +Ry1Co+a2ZWEKzinrcfQmkk2oH5HyjiXn4lAz4I3PFzW0Ke0sLSgMtlWyhmD2sK3Y +FzKHoSn1G5J2IGFVaArHhkG38YOvsdgw/xuMTzsYkwHNkwWR9LbUGI8Cb7hccAV6 +eWTgu0CEDJ4tnNu+RcoLgyrJOviNBB8PsxEFEEDPnirzZt3BP3/BQhEsAItNlmxW +mOx46ifybwfwk7wZBmIvgeDnHr4MlQA5u6+epqxCfb9mw89yLwIDAQABoAAwDQYJ +KoZIhvcNAQELBQADggEBAHvZLREVOImWgGafwB5b+r0qo2TP/bua3M16m6beNwvx +df4H4Uym8CDd/53u1Bzicf19VR9ncjKt1GDnj+gTW+kVJ2S9mPyLbo7IEzM+rmEb +fq/OHgKjhzTsUJ3rIf0w//XqjjBUvYFOXkF0D4BNL3cSE2aguOWeNKneGFwFZiEM +4Zz2f17AGcRLJqcSJIFBDQzDAQkpxVf67TQpD9Q4yTjaJfdjlawPwJDkw4kHY9IM ++/eADQww6czzOTAYJxZBMJCuiWecHR37Kt+KOhqIOaWG/tRuJ72fyi/jdXItbCEw +bO4soja7MnEgLL3+1se46zqMeZeBqVo9r3cMCVX6K8s= +-----END CERTIFICATE REQUEST----- diff --git a/openjdk/src/test/resources/test_intermediate_blockedroot.pem b/openjdk/src/test/resources/test_intermediate_blockedroot.pem new file mode 100644 index 00000000..84b2c5a3 --- /dev/null +++ b/openjdk/src/test/resources/test_intermediate_blockedroot.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFDCCAfygAwIBAgIUKEpmhiN42JxqaXIMn0ZdTuvIwkEwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRYmxhY2tsaXN0IHRlc3QgQ0EwHhcNMjMwMTE5MTc0MjQ1 +WhcNMzMwMTE2MTc0MjQ1WjAXMRUwEwYDVQQDDAxpbnRlcm1lZGlhdGUwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqmKuWPJTduy2i0DduzXD3uAENuBI9 +fscc9BpVB4gsbj0TqxLwTtOy30Wblvv8EqeHlHZ6STpfOlHWXwyvKzES1SLril9w +M5oQOyNHLUKj5rZlYQrOKetx9CaSTagfkfKOJefiUDPgjc8XNbQp7SwtKAy2VbKG +YPawrdgXMoehKfUbknYgYVVoCseGQbfxg6+x2DD/G4xPOxiTAc2TBZH0ttQYjwJv +uFxwBXp5ZOC7QIQMni2c275FyguDKsk6+I0EHw+zEQUQQM+eKvNm3cE/f8FCESwA +i02WbFaY7HjqJ/JvB/CTvBkGYi+B4OcevgyVADm7r56mrEJ9v2bDz3IvAgMBAAGj +UzBRMB0GA1UdDgQWBBQzP1H/yV66YjFeq6M6vy+JTaG1+zAfBgNVHSMEGDAWgBTG +uQuT0EWEs5bhdKZRvPGhz7MgkjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQDTcXx9PghFT+H1bKJMDGSH8Jr8730dpKs6e3IuVgCs00YyvMBgRYbA +v5ksMV80ZHOErim6JYTj8rpLSUXWYgq7xyFaTMWSt+YPPoXAkdW6p3fngyvCf9T2 +HqZenJTQw2g/xRDL6PTjWh5qumqipVuAR9ue4l+4fRb31VaDOL0U/OPkqjoD3C/c +3ni9cglpzCRotTTGaSpIIpaBWy77HounXjreVn+JbYsEEx1S4CBo6+EJA+CEtQQo +BSFBnvl62rfwNKHCEvMB1jmMELIATVxu1NL6fWp/bP3OTWxqLcJU4G3zf0M1qTLx +fuoKzzyqdyjaeeE+ibr7sgyOU6Q/zk0Q +-----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/test_intermediate_key.pem b/openjdk/src/test/resources/test_intermediate_key.pem new file mode 100644 index 00000000..f841c95e --- /dev/null +++ b/openjdk/src/test/resources/test_intermediate_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqmKuWPJTduy2i +0DduzXD3uAENuBI9fscc9BpVB4gsbj0TqxLwTtOy30Wblvv8EqeHlHZ6STpfOlHW +XwyvKzES1SLril9wM5oQOyNHLUKj5rZlYQrOKetx9CaSTagfkfKOJefiUDPgjc8X +NbQp7SwtKAy2VbKGYPawrdgXMoehKfUbknYgYVVoCseGQbfxg6+x2DD/G4xPOxiT +Ac2TBZH0ttQYjwJvuFxwBXp5ZOC7QIQMni2c275FyguDKsk6+I0EHw+zEQUQQM+e +KvNm3cE/f8FCESwAi02WbFaY7HjqJ/JvB/CTvBkGYi+B4OcevgyVADm7r56mrEJ9 +v2bDz3IvAgMBAAECggEAJH8B4mO2g1MqebTqzwEThGNwkkNJX6+SIF8WjQ9N8hdp +aJ5GMHPktVUvupAL+4rwHUDFMfcdjkbXQDHYcFcgqgM/870IGuRnNsa4Dt+fbJoM +dlbS7XUpYhkV8WG8sHhUOFXirFd1Kbqczb3W+8s6ErUJNy7RQQ9YZ0bhvmC4hGEw +gW+rbpexwGLBSzUZCBJNy8ePi0akcEiaTHVS6ZjyQCIuRekSvJh/DTxZdhI9QV2K +e2XONzCyCsJOEBxPXFEzXXApxPb6DmMnN2xzciQf+MppvUWFKDyDG2a/vNdgVr2O +wXcvgQp5yl9dp+tyP4usSqZPgmRyDtSiaZFsptjMEQKBgQDbaYTDsnFAUmq3DTTp +vVSNnugd1ss+LKMP3D+T986tRX4tVtB4a7Edrh5QLYmkXKZdPp+u6Yo0YDdNJGmP +jnREwCT/YutcQ6TlyFNXwzE0Uf56fhHOaSKW6WFlX6kNfHvfJNu+1mKJS0nTH4yG +NmxSjA8RcEkS9R4o1dTvth0fnwKBgQDHC0Epjiv3LMAIVH0HqWjl1gmfU1QUtkWQ +3GELQeA2KeeVTwakIdKcZ0tr8qqwOIkxGD+Fr0HsST4d1GGmMZ1LM+PgEg2OoKM5 +aBNH2znFwqc8fdd/mBc1Vw4B2yCKrTAbKK/OOV19fi4rs1DARjesknnVAvom9CkK +na9IoAZjcQKBgDmvPjZtHZU5ldDWagjhu+8XzhK6O+j2t1AeKaDvT6kCUi/9WQWv +2nrhIhsWPc+2hA6TvkuwHqOygBeJ8S7K1wqUMaXrDdHN/vZienbiXHdS70KpDmlj +/rIKXY7XXYysI60A9bzwhCtwXdJhwwIuIMB7DiMZkDypsOovfbIgAPwlAoGAKW3t +RUIDYrJc0h8L2zFm1RgE7rXAdYMu3aURSe+PRJbaThih0D3+AXH6n+BlqMJLw/1B +E4lUFmN0W28eWCJRlBqb3sLDMaG797Hy+WznDIOknZGv7i3w/rg9ASPkFRlRPwXr ++ee0zu8Zmxz6vNqgsfnXBABXow4FEOGbX2l3ivECgYEA1yVf+bG4CjG7hrUQmcLV +5WwHOggGRLDOzUJdHq1VpZyN31dagMs7DuV/1xk3uwcxY5M5D5RjRWV0b3BKDCDT +t8/f31FNxNf2JUPM9bwy2tFJO+ZXRFdOmm7S164IhSnv243OUbc6KGO0loBf4WBi +31pgngO3pFBKxtpX81ABrMg= +-----END PRIVATE KEY----- diff --git a/openjdk/src/test/resources/test_intermediate_nonblockedroot.pem b/openjdk/src/test/resources/test_intermediate_nonblockedroot.pem new file mode 100644 index 00000000..1f7bbd25 --- /dev/null 
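Review bot: test_intermediate_key.pem adds an unencrypted PKCS#8 private key with nothing next to it saying that it is a test-only fixture or how the key, the CSRs and the signed certificates were generated. The same applies to test_nonblocklist_ca_key.pem later in this commit. A short README in openjdk/src/test/resources, or a header comment in the test that loads these files, would cover it, for example `Test-only keys and certificates for the blocklist chain tests; never install these CAs in a real trust store.` plus the commands used to issue them. That also gives secret-scanning tooling a documented reason to allowlist the two key files and lets the fixtures be regenerated when the certificates expire.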
+++ b/openjdk/src/test/resources/test_intermediate_nonblockedroot.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCjCCAfKgAwIBAgIUZzC6NfXFwaGgeTHeleM4k2izk8UwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMzAxMTkxNzQyNTVaFw0zMzAxMTYx +NzQyNTVaMBcxFTATBgNVBAMMDGludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAKqYq5Y8lN27LaLQN27NcPe4AQ24Ej1+xxz0GlUHiCxu +PROrEvBO07LfRZuW+/wSp4eUdnpJOl86UdZfDK8rMRLVIuuKX3AzmhA7I0ctQqPm +tmVhCs4p63H0JpJNqB+R8o4l5+JQM+CNzxc1tCntLC0oDLZVsoZg9rCt2Bcyh6Ep +9RuSdiBhVWgKx4ZBt/GDr7HYMP8bjE87GJMBzZMFkfS21BiPAm+4XHAFenlk4LtA +hAyeLZzbvkXKC4MqyTr4jQQfD7MRBRBAz54q82bdwT9/wUIRLACLTZZsVpjseOon +8m8H8JO8GQZiL4Hg5x6+DJUAObuvnqasQn2/ZsPPci8CAwEAAaNTMFEwHQYDVR0O +BBYEFDM/Uf/JXrpiMV6rozq/L4lNobX7MB8GA1UdIwQYMBaAFADwPCOf1D6SpTXG +Brj1Oa03yOzTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE5y +7OE6lmZlstL/15x8yZmUYzSXF0u365jfs1eJXDkWzn2BcmmzMSADn9spakDDZtN0 +daOpDGaB81TDjiBID1OwKMSRM1DmZzNI4PLFqWKUjWkwRtZjo5GsD0p/ATLV+S2z +eQIHcqTcAH8ay1sBReig/plALKyseTk4R2799Gi+tA08RQ4cIsdxyUFSUc0nqgFV +YsBM/cDeFCSYNwWLsNYAubJMIoUiKiweZ8bx+OoaS8Swc4p1M3Fk7lmh2g7APLjG +RkiPF4Ta3c41yZxNW7tEP4CCPB3hm0OkEdW68zc8oOPiNt1sNL5szJI3+cVT+k+5 +4387ICBvTGLQRHL6avw= +-----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/test_leaf.csr b/openjdk/src/test/resources/test_leaf.csr new file mode 100644 index 00000000..bc9a9b5b --- /dev/null +++ b/openjdk/src/test/resources/test_leaf.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICVDCCATwCAQAwDzENMAsGA1UEAwwEbGVhZjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANVVRB6iPcrN0CLWUBXjO53vCdtKEdOBgCuMmA/2J8/YKc0g +f/IGCFV/bZ9RNmMyHsu1Mp2tu6posxayCzxPVqW7XYbLIKxHSR3ZarTtm5KZRJMt +R/ibpffrzrEOXy+7583sZPOdBNC7ujtY8sTTpL3ki2YmopX8TWINnl64WfltxYCQ +o+ox7cjO0lwrqbUiRk5vLGhvuoX+EYB1sXxC2+RWMjh3QNi0StyJwBCS++O+JYaJ +Mjo/8XCrkNuYyhn0Bmq6lMzT3Vu06skNpmDQnFgjcmQPET7yRBZeKFp5rNFcugjg +wmrpGJvEnLBkWbUxZ78Edd5z4lVUifGgWeXI29kCAwEAAaAAMA0GCSqGSIb3DQEB +CwUAA4IBAQB+gCFpLmV/ub4rVo4sA0bOiE7dN/wBA2tmaVVRxis/itZAFVze5o7P +LRKyjunOJ75BnbiylGcYOfiMQbgBDGw/QHg4cIQwMHdGPHes1JAeF9XYTBgVJT3b +qp1NTL7CDj8ry60wONDQ2X7Y7a2fU8LrfpflDv0+W0PaAK8/ptgi4a0rYPE9OHIC +qQ5aiUJ8QQgnW9S2KCPRBjiJW9lZ7hr7A/TGe6/i9L2NS6KYPGw3PD34Vmvz/rwf +jakm1GrQ3kGjPoc9yWSF60GLTAAXN+xF+9Htq+7PDmeo8krr28upSLokiO7uMWvQ +2/0t7gM1ta7+gVuf9SdUpTOEZ6d+chKb +-----END CERTIFICATE REQUEST----- diff --git a/openjdk/src/test/resources/test_leaf_blockedroot.pem b/openjdk/src/test/resources/test_leaf_blockedroot.pem new file mode 100644 index 00000000..472abf36 --- /dev/null +++ b/openjdk/src/test/resources/test_leaf_blockedroot.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAfSgAwIBAgIUODP0VFemD4Zonzl3hogYzAEZLLwwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRYmxhY2tsaXN0IHRlc3QgQ0EwHhcNMjMwMTE5MTcxODQw +WhcNMzMwMTE2MTcxODQwWjAPMQ0wCwYDVQQDDARsZWFmMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA1VVEHqI9ys3QItZQFeM7ne8J20oR04GAK4yYD/Yn +z9gpzSB/8gYIVX9tn1E2YzIey7Uyna27qmizFrILPE9WpbtdhssgrEdJHdlqtO2b +kplEky1H+Jul9+vOsQ5fL7vnzexk850E0Lu6O1jyxNOkveSLZiailfxNYg2eXrhZ ++W3FgJCj6jHtyM7SXCuptSJGTm8saG+6hf4RgHWxfELb5FYyOHdA2LRK3InAEJL7 +474lhokyOj/xcKuQ25jKGfQGarqUzNPdW7TqyQ2mYNCcWCNyZA8RPvJEFl4oWnms +0Vy6CODCaukYm8ScsGRZtTFnvwR13nPiVVSJ8aBZ5cjb2QIDAQABo1MwUTAdBgNV +HQ4EFgQUMg9ifb+WI/uUTTf8Jd31XVHAI8MwHwYDVR0jBBgwFoAUxrkLk9BFhLOW +4XSmUbzxoc+zIJIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA +nxPXBF/Jrsig/5LMwaUyCX/VYb9W7W9tV6odKjghKxf6hA59VxevY/S/J0yK+mTJ +PAQGZC0vkcWjmBDQW8w9J0sUkX+8OCdcxqXGRnryCJ1lB7i/UOLhkCyPA1jZGNti +E43LYqs+iBxEvzPzeOggvXaE+ujtFZxCT5dLlzzVvTt9vomKvPmapC93ycorYjYV +89K54mNqj7aZeCHTmyJxsZGzUhVDdp83Dnl8YopYpnHd7jr0xX8fqbL9WZf81sRn +3u99Js6csv4Gi/ZDrbNONaUfpD5iH0Tm+2Kh7p6pI0lVBWaZzw59PNVGDRZp15sl +HeCO1zZqxh3hj+gZW0Ao1Q== +-----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/test_leaf_intermediate.pem b/openjdk/src/test/resources/test_leaf_intermediate.pem new file mode 100644 index 00000000..12ae3801 --- /dev/null +++ b/openjdk/src/test/resources/test_leaf_intermediate.pem 
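Review bot: The leaf certificate in test_leaf_blockedroot.pem appears to carry a critical basicConstraints extension with cA=TRUE, the same extension bytes as the CA and intermediate fixtures, which suggests the CA extension profile was reused when signing the leaf CSR. test_leaf_intermediate.pem looks the same. A leaf that is itself a CA makes the test chain less representative of what a trust manager sees in practice, and a test that passes with it says little about end-entity handling. If the blocklist tests do not depend on this, consider reissuing both leaf certificates with `basicConstraints=critical,CA:FALSE` and recording that in the generation notes.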
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBzCCAe+gAwIBAgIUfCBnEPBeeqUTdsm3eI1CnjL8zIowDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50ZXJtZWRpYXRlMB4XDTIzMDExOTE3NDUyMFoXDTMz +MDExNjE3NDUyMFowDzENMAsGA1UEAwwEbGVhZjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANVVRB6iPcrN0CLWUBXjO53vCdtKEdOBgCuMmA/2J8/YKc0g +f/IGCFV/bZ9RNmMyHsu1Mp2tu6posxayCzxPVqW7XYbLIKxHSR3ZarTtm5KZRJMt +R/ibpffrzrEOXy+7583sZPOdBNC7ujtY8sTTpL3ki2YmopX8TWINnl64WfltxYCQ +o+ox7cjO0lwrqbUiRk5vLGhvuoX+EYB1sXxC2+RWMjh3QNi0StyJwBCS++O+JYaJ +Mjo/8XCrkNuYyhn0Bmq6lMzT3Vu06skNpmDQnFgjcmQPET7yRBZeKFp5rNFcugjg +wmrpGJvEnLBkWbUxZ78Edd5z4lVUifGgWeXI29kCAwEAAaNTMFEwHQYDVR0OBBYE +FDIPYn2/liP7lE03/CXd9V1RwCPDMB8GA1UdIwQYMBaAFDM/Uf/JXrpiMV6rozq/ +L4lNobX7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJh2wZtc +aDji9cI8LKJAr7V3raQFfk6Oq999CIoLoH3MiaEyTG9/FC/ZlaGUpC49c63bsRu8 +AQuPQydVOjrVTeUB4x12qoDGdz1lze+2zeY2jbIsd5VBEF0gObdkwwHgFQXKH5Lf +eSoBc4XPQ0I5dTYvR/P3+KX4fTyEmmjj+EWaH4yFPsW3JVu/2LrzI0IKq3+9VD0a +dB/mI42lI65cEtW2zGI+CSQGt0FGXdVsXGfne87QNByVxYCyS0wzdfSla3yLLGdf +8EJTqwZH0lKuRSf8xeNFr/pVXT9YfJWUAja7lIiwQVQfsD5MGsjNGcJMEDhM08PO ++lFxL3h3B85jIZw= +-----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/test_nonblocklist_ca.pem b/openjdk/src/test/resources/test_nonblocklist_ca.pem new file mode 100644 index 00000000..43aafedd --- /dev/null +++ b/openjdk/src/test/resources/test_nonblocklist_ca.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBTCCAe2gAwIBAgIUKqLusWazdD0go8IpA6ZOBM8bFd4wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMzAxMTkxNjUxNTJaFw0zMzAxMTYx +NjUxNTJaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC1gY2VOIFa/lQfPiJpXIKBEVYlnJdsJ6izpwmgi+2M8qTZGxva +ov8xv9tObYNyENakHfdXu4RAF7Z/cCw/ntJo0mEKVzJflm/gMa6/02e+znp5s0lK +YFLGY6+++H81neS8NHWF1E2D0Yxa/47zQAw8QWI5T7Lw0uzWFT6gq2oTRpFBj4Ra +tJhpXMX7/cSR3yV6Eeuq6vU9Ncceurqzo1tg3bI4FKn09xDbnbpb+rxShqv+nKDC +Mxt7f2HRSVSgLEe2z8mpq2PXVwAtv7TL+UXGZfniNG0wzO+PLGIYzctL64z6ebDy +5LOIhrgcOSVE0mAMBA9XPuQiF65lO6Bk+++PAgMBAAGjUzBRMB0GA1UdDgQWBBQA +8Dwjn9Q+kqU1xga49TmtN8js0zAfBgNVHSMEGDAWgBQA8Dwjn9Q+kqU1xga49Tmt +N8js0zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAKqBYJ8sk0 +xfyNQlXSJW0y6guNVa9cO7mkiC1QbJswcFoCr8W1Mk0AJm01aK6BzeUTVxWSkcWY +kLFAaSCK0ppQvk4huJFQciTGsrzF+OrKorKLikS5ExGKW2LVhcZiXCRY3sqO28Tr +HFKyYEZTHpIs5gYZTuDxixJWL48IJOsntWZJXvl6Su2FM3CTkJME2SDdXRBs1O+F +ljhMbaceMX6vE6rpXbSHGiIxc/xienW3j4o6GiMCuptEjCvXoWZVGxXigLN0DLm9 +q00Cjqti9vAt2++S0PXxNo06aN4MvA6j0svMro19DuIST68r9jTzonmG0x/dswZY +g4Un1RLN3rzZ +-----END CERTIFICATE----- diff --git a/openjdk/src/test/resources/test_nonblocklist_ca_key.pem b/openjdk/src/test/resources/test_nonblocklist_ca_key.pem new file mode 100644 index 00000000..1d6b8bdb --- /dev/null +++ b/openjdk/src/test/resources/test_nonblocklist_ca_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1gY2VOIFa/lQf +PiJpXIKBEVYlnJdsJ6izpwmgi+2M8qTZGxvaov8xv9tObYNyENakHfdXu4RAF7Z/ +cCw/ntJo0mEKVzJflm/gMa6/02e+znp5s0lKYFLGY6+++H81neS8NHWF1E2D0Yxa +/47zQAw8QWI5T7Lw0uzWFT6gq2oTRpFBj4RatJhpXMX7/cSR3yV6Eeuq6vU9Ncce +urqzo1tg3bI4FKn09xDbnbpb+rxShqv+nKDCMxt7f2HRSVSgLEe2z8mpq2PXVwAt +v7TL+UXGZfniNG0wzO+PLGIYzctL64z6ebDy5LOIhrgcOSVE0mAMBA9XPuQiF65l +O6Bk+++PAgMBAAECggEAB3Z+kCgyr60thCTFhd8TquObYT4XGliv9Y8NveyFPGy7 +D7zBZO9SVUT4RoJSpw1a5xa6VW59tzZZPtQE+AYf8RAfFy2KOObtqWJobexKY6f1 +lRFJThg38VomqD39kQJxnLX+nQtIAFne/G6SRuaXMQ4yUA9fNFz7QKi+0WX0Cxbs +uMd0uTMnZorri/YGGMko/0jJrQXY4H1Oufc7Pawdr1jxJWLMqJ6Q26Xu4NGFcGFJ +bHsCtewIFdLvBmV+ef5V+JDWItYC7AkIhbibsGkZFKFbPRo3z+kx/lkB3IluRVcD +oH9wVm9YNkz51NH4FLdQPEGdySuzjiaF9RbDqp+w4QKBgQDKEesxK+Tm3q0AONxI +ELsdyfLyo76NrYfcBYvQs/zevlmgqy3uSRNMWWQE3Yq+NQVGT9NjF8cQn3KN1C6F +QIrGtbIAy1nQAG5KIp1OAkrG/dt3eVlP+9N5cJNZlQNEm0v3qA965hql5zjpM0wO +sk1tvMMa9++Cj4A6s7LVcCpl7wKBgQDl8qPBMgocbBJl1y00/Cw6S8wso7yaGSGz +OVpIpsSaVyVWWWF5H18/NlgrKKOALWkfREX0jbHH7FBxruUTz6FmEs/iE09JVsD5 +UMsYX9dMzbKUTtzw2vOKIJDNaWnbsTNDJlO89boUJrKnwQKAHfQZJU9uiiaoVIpK +XrYLXZmwYQKBgQC6Yda+zw7eSCvoVYoRSqVc76YQWipsAdCbh94TjcDDL236PYor +DOoo9RbFShcsJDmORhjjgM4TLg76dOjH7eVTLcpW4zofGhageNcBWing68wfoiVY +Gh5QGB9BdKnEAT4L288Te+S+e8zJhJA1yg6TFpYbbO9VTMlo29Eq/7+LrwKBgBai +arISreIcVTdHFgEYLXZTjbZ7K45zmNiedZ+fIs0adOdqBuk4SFTdkZI1/toYHjfg +rY4kAHLwdP6ru4rWrklw4pubUPukGXyxEjzE+llqCgEFPkRLGRvolrhRfwUMDUK3 +3BhGi9l98aoHmqpnyGZNQONdn+6D29T0O7EktoMhAoGAbKArB67pRoAOYX+1rc+i +OypUSXFUMyRNcuF8DHF9iKNU6/fXwmkPyfgUmZ/uIbTiiPaM+KI4/UBah4tKKXis +srzxm/1fln0zHJW+h5SnMp483Juml1yZenhYVlyfMs8ZpdpLDZbylvc5SK8m8Fau +75bAWg06Z28TEjq18O7L798= +-----END PRIVATE KEY----- diff --git a/platform/src/test/java/org/conscrypt/TrustedCertificateStoreTest.java b/platform/src/test/java/org/conscrypt/TrustedCertificateStoreTest.java index d2095a32..679f6303 100644 
--- a/platform/src/test/java/org/conscrypt/TrustedCertificateStoreTest.java +++ b/platform/src/test/java/org/conscrypt/TrustedCertificateStoreTest.java @@ -780,7 +780,8 @@ public class TrustedCertificateStoreTest extends TestCase { assertFalse(store.isUserAddedCertificate(getCa2())); } - public void testSystemCaCertsUseCorrectFileNames() throws Exception { + // TODO(b/293296163): re-enable once https://r.android.com/2675835 ships via Mainline. + private void dontTestSystemCaCertsUseCorrectFileNames() throws Exception { TrustedCertificateStore store = new TrustedCertificateStore(); // Assert that all the certificates in the system cacerts directory are stored in files with diff --git a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java index f8a80bb6..03a97157 100644 --- a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java +++ b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java @@ -17,10 +17,11 @@ package com.android.org.conscrypt; -import static com.android.org.conscrypt.TestUtils.getProtocols; +import static com.android.org.conscrypt.TestUtils.getCommonProtocolSuites; import static com.android.org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertEquals; +import com.android.org.conscrypt.ServerEndpoint.MessageProcessor; import java.io.IOException; import java.io.OutputStream; import java.net.SocketException; @@ -30,7 +31,6 @@ import java.util.concurrent.Future; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicLong; -import com.android.org.conscrypt.ServerEndpoint.MessageProcessor; /** * Benchmark for comparing performance of server socket implementations. 
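Review bot: Renaming `testSystemCaCertsUseCorrectFileNames` to a private `dontTest…` method removes it from the run without leaving any trace in test reports, and the method is now unused private code that can rot or be deleted by a cleanup. The class extends `TestCase`, so the rename is presumably deliberate because only public `test*` methods are discovered, but the TODO does not say so or say what coverage is lost. I would extend the comment, for example `// Disabled by rename (JUnit 3 only runs public test* methods): checks that system cacerts are stored under the expected file names.` ahead of the existing TODO line. The method body continues outside the hunk, and the repackaged copy of this file later in the commit has the same change.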
@@ -64,7 +64,7 @@ public final class ServerSocketBenchmark { final ChannelType channelType = config.channelType(); server = config.serverFactory().newServer( - channelType, config.messageSize(), getProtocols(), ciphers(config)); + channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config)); server.setMessageProcessor(new MessageProcessor() { @Override public void processMessage(byte[] inMessage, int numBytes, OutputStream os) { @@ -88,7 +88,7 @@ public final class ServerSocketBenchmark { // Always use the same client for consistency across the benchmarks. client = config.clientFactory().newClient( - ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config)); + ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config)); client.start(); // Wait for the initial connection to complete. diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/crypto/CipherTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/crypto/CipherTest.java index 37c702b6..3956c83f 100644 --- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/crypto/CipherTest.java +++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/crypto/CipherTest.java @@ -75,6 +75,7 @@ import javax.crypto.spec.PBEParameterSpec; import javax.crypto.spec.PSource; import javax.crypto.spec.SecretKeySpec; import libcore.junit.util.EnableDeprecatedBouncyCastleAlgorithmsRule; +import libcore.test.annotation.NonCts; import org.bouncycastle.asn1.x509.KeyUsage; import org.junit.Assume; import org.junit.BeforeClass; 
@@ -4654,6 +4655,8 @@ public final class CipherTest { * TODO(27995180): consider whether we keep this compatibility. Consider whether we only allow * if an IV is passed in the parameters. */ + @NonCts(bug = 287231726, reason = "The test asserts buggy or non-breaking " + + "behaviors, but the behavior has been fixed in the future ART module version.") @Test public void test_PBKDF2WITHHMACSHA1_SKFactory_and_PBEAESCBC_Cipher_noIV() throws Exception { Assume.assumeNotNull(Security.getProvider("BC")); diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java index 4a3f2570..7940ee92 100644 --- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java +++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java @@ -384,6 +384,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); @@ -413,6 +415,8 @@ public class SSLSocketTest { public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception { TestSSLContext c = TestSSLContext.create(); SSLContext clientContext = c.clientContext; + // Can't test fallback without at least 3 protocol versions enabled. + TestUtils.assumeTlsV11Enabled(clientContext); SSLSocket client = (SSLSocket) clientContext.getSocketFactory().createSocket(c.host, c.port); client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"}); 
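Review bot: The `reason` string on the new `@NonCts` annotation ("asserts buggy or non-breaking behaviors, but the behavior has been fixed in the future ART module version") does not say which behaviour is meant, so a reader cannot tell what this test still pins down. The test name and the Javadoc above it point at initialising the PBE AES-CBC cipher without an IV, which the existing TODO(27995180) already questions. Naming that in the reason keeps the exclusion reviewable, for example `reason = "Asserts the legacy no-IV PBE AES-CBC behaviour, which newer ART module versions have changed."`. The test body continues outside the hunk, and this file appears to mirror the non-repackaged CipherTest changed by the same commit.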
@@ -920,6 +924,8 @@ public class SSLSocketTest { @Test public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); @@ -953,6 +959,8 @@ public class SSLSocketTest { public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure() throws Exception { TestSSLContext context = TestSSLContext.create(); + // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2 + TestUtils.assumeTlsV11Enabled(context.clientContext); final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket( context.host, context.port); final SSLSocket server = (SSLSocket) context.serverSocket.accept(); diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java index bfe10f9e..e1f4a13a 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java @@ -19,7 +19,7 @@ package com.android.org.conscrypt; import static com.android.org.conscrypt.TestUtils.getConscryptProvider; import static com.android.org.conscrypt.TestUtils.getJdkProvider; -import static com.android.org.conscrypt.TestUtils.getProtocols; +import static com.android.org.conscrypt.TestUtils.highestCommonProtocol; import static com.android.org.conscrypt.TestUtils.initSslContext; import static com.android.org.conscrypt.TestUtils.newTextMessage; import static org.junit.Assert.assertArrayEquals; 
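Review bot: The added comment in `test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success` says TLS_FALLBACK_SCSV applies to TLS <= 1.2, but the guard underneath it is `TestUtils.assumeTlsV11Enabled(...)`, so the comment does not explain why TLS 1.1 specifically has to be enabled. If the real precondition is that the test needs a version below 1.2 to fall back to, say that: `// Needs TLS 1.1 enabled as the version to fall back to; TLS_FALLBACK_SCSV does not apply to 1.3.` The same comment and guard are added in `test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure` in the next hunk. Because `Assume` reports these as skipped rather than failed, it is also worth stating in the comment that downgrade-signalling coverage is absent on configurations without TLS 1.1. Both test bodies continue outside their hunks.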
@@ -578,7 +578,7 @@ public class ConscryptEngineTest { private static SSLContext newContext(Provider provider, TestKeyStore keyStore) { try { - SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider); + SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider); return initSslContext(ctx, keyStore); } catch (NoSuchAlgorithmException e) { throw new RuntimeException(e); diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java index b40f8353..59cd9d9b 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java @@ -18,17 +18,14 @@ package com.android.org.conscrypt; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import com.android.org.conscrypt.java.security.StandardNames; import java.security.Provider; import java.security.Security; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; import javax.net.ssl.SSLContext; import org.junit.Test; import org.junit.runner.RunWith; 
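Review bot: `newContext` now passes `highestCommonProtocol()` straight into `SSLContext.getInstance`, and the surrounding `catch (NoSuchAlgorithmException e)` does not cover how that helper fails. As added to TestUtils in this commit, it sorts the result of `getCommonProtocolSuites()` and returns `common[common.length - 1]`, so an empty intersection surfaces as an `ArrayIndexOutOfBoundsException` with no hint about the cause. It also depends on lexicographic order of the protocol names matching version order. A guard in the helper such as `if (common.length == 0) throw new IllegalStateException("No TLS protocol common to Conscrypt and the JDK provider");` would make the failure readable. The same call is introduced in MockSessionBuilder.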
@@ -56,70 +53,59 @@ public class ConscryptTest { } @Test - public void testProviderBuilder() throws Exception { - Provider p = Conscrypt.newProviderBuilder() - .setName("test name") - .provideTrustManager(true) - .defaultTlsProtocol("TLSv1.2") - .build(); - - assertEquals("test name", p.getName()); - assertTrue(p.containsKey("TrustManagerFactory.PKIX")); + public void buildTls12WithTrustManager() throws Exception { + buildProvider("TLSv1.2", true); + } + @Test + public void buildTls12WithoutTrustManager() throws Exception { + buildProvider("TLSv1.2", false); + } - try { - Security.insertProviderAt(p, 1); + @Test + public void buildTls13WithTrustManager() throws Exception { + buildProvider("TLSv1.3", true); + } - SSLContext context = SSLContext.getInstance("TLS"); - context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + @Test + public void buildTls13WithoutTrustManager() throws Exception { + buildProvider("TLSv1.3", false); + } - context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); - } finally { - Security.removeProvider("test name"); + @Test + public void buildInvalid() { + try { + Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build(); + fail(); + } catch (IllegalArgumentException e) { + // Expected. 
} + } - p = Conscrypt.newProviderBuilder() - .setName("test name 2") - .provideTrustManager(false) - .defaultTlsProtocol("TLSv1.3") - .build(); + private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception { + Provider provider = Conscrypt.newProviderBuilder() + .setName("test name") + .provideTrustManager(withTrustManager) + .defaultTlsProtocol(defaultProtocol) + .build(); - assertEquals("test name 2", p.getName()); - assertFalse(p.containsKey("TrustManagerFactory.PKIX")); + assertEquals("test name", provider.getName()); + assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX")); try { - Security.insertProviderAt(p, 1); + Security.insertProviderAt(provider, 1); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); - assertEquals(p, context.getProvider()); - Set<String> expected = - new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - Set<String> found = - new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); context = SSLContext.getInstance("Default"); - assertEquals(p, context.getProvider()); - expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")); - found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols())); - assertEquals(expected, found); + assertEquals(provider, context.getProvider()); + StandardNames.assertSSLContextEnabledProtocols( + defaultProtocol, context.createSSLEngine().getEnabledProtocols()); } finally { - Security.removeProvider("test name 2"); - } - - try { - Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build(); - fail(); - } catch (IllegalArgumentException expected) { + Security.removeProvider("test name"); } } } 
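Review bot: In `buildProvider`, `assertEquals(provider, context.getProvider())` may not prove that the context came from the provider just built. As far as I know `java.security.Provider` does not override `equals`, so it inherits map-style equality from `Hashtable` and two providers with the same entries compare equal. All four tests now register under the same name "test name", and the return value of `Security.insertProviderAt` is ignored, so a provider left behind under that name would go unnoticed. I would use identity and check the insertion: `assertSame(provider, context.getProvider());` in both places, and `assertEquals(1, Security.insertProviderAt(provider, 1));`. `assertSame` is already statically imported in this file.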
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java index 49b7abf0..aafc5951 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java @@ -78,7 +78,7 @@ final class MockSessionBuilder { when(session.getId()).thenReturn(id); when(session.isValid()).thenReturn(valid); when(session.isSingleUse()).thenReturn(singleUse); - when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]); + when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol()); when(session.getPeerHost()).thenReturn(host); when(session.getPeerPort()).thenReturn(port); when(session.getCipherSuite()).thenReturn(cipherSuite); diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java index bc843dca..e2541cb1 100644 --- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java +++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java @@ -149,7 +149,7 @@ public class RenegotiationTest { Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket); socket = (SSLSocket) socketFactory.createSocket( TestUtils.getLoopbackAddress(), port); - socket.setEnabledProtocols(TestUtils.getProtocols()); + socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); } catch (IOException e) { throw new RuntimeException(e); 
@@ -239,7 +239,7 @@ public class RenegotiationTest { serverChannel = ServerSocketChannel.open(); serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0)); engine = newJdkServerContext().createSSLEngine(); - engine.setEnabledProtocols(TestUtils.getProtocols()); + engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites()); engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites()); engine.setUseClientMode(false); diff --git a/repackaged/platform/src/test/java/com/android/org/conscrypt/TrustedCertificateStoreTest.java b/repackaged/platform/src/test/java/com/android/org/conscrypt/TrustedCertificateStoreTest.java index c302f3af..40c136b0 100644 --- a/repackaged/platform/src/test/java/com/android/org/conscrypt/TrustedCertificateStoreTest.java +++ b/repackaged/platform/src/test/java/com/android/org/conscrypt/TrustedCertificateStoreTest.java @@ -784,7 +784,8 @@ public class TrustedCertificateStoreTest extends TestCase { assertFalse(store.isUserAddedCertificate(getCa2())); } - public void testSystemCaCertsUseCorrectFileNames() throws Exception { + // TODO(b/293296163): re-enable once https://r.android.com/2675835 ships via Mainline. + private void dontTestSystemCaCertsUseCorrectFileNames() throws Exception { TrustedCertificateStore store = new TrustedCertificateStore(); // Assert that all the certificates in the system cacerts directory are stored in files with diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java index 25dfbb10..afd6ef92 100644 --- a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java +++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java 
@@ -49,12 +49,12 @@ import java.security.spec.X509EncodedKeySpec; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; -import java.util.Iterator; -import java.util.LinkedHashSet; +import java.util.HashSet; import java.util.List; import java.util.Locale; import java.util.Random; import java.util.Set; +import java.util.function.Predicate; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; @@ -72,16 +72,16 @@ import org.junit.Assume; */ public final class TestUtils { public static final Charset UTF_8 = StandardCharsets.UTF_8; + private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3"; private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2"; private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1"; - private static final String PROTOCOL_TLS_V1 = "TLSv1"; - private static final String[] DESIRED_PROTOCOLS = - new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1}; + // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled + // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider. + private static final String[] DESIRED_JDK_PROTOCOLS = new String[] {PROTOCOL_TLS_V1_2}; private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider(); private static final byte[] CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8); private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0); - private static final String[] PROTOCOLS = getProtocolsInternal(); static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; 
@@ -126,10 +126,10 @@ public final class TestUtils { private TestUtils() {} private static Provider getNonConscryptTlsProvider() { - for (String protocol : DESIRED_PROTOCOLS) { + for (String protocol : DESIRED_JDK_PROTOCOLS) { for (Provider p : Security.getProviders()) { if (!p.getClass().getPackage().getName().contains("conscrypt") - && hasProtocol(p, protocol)) { + && hasSslContext(p, protocol)) { return p; } } @@ -137,7 +137,7 @@ public final class TestUtils { return new BouncyCastleProvider(); } - private static boolean hasProtocol(Provider p, String protocol) { + private static boolean hasSslContext(Provider p, String protocol) { return p.get("SSLContext." + protocol) != null; } @@ -315,23 +315,6 @@ public final class TestUtils { throw ex; } - /** - * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}. - */ - public static String[] getProtocols() { - return PROTOCOLS; - } - - private static String[] getProtocolsInternal() { - List<String> protocols = new ArrayList<>(); - for (String protocol : DESIRED_PROTOCOLS) { - if (hasProtocol(getJdkProvider(), protocol)) { - protocols.add(protocol); - } - } - return protocols.toArray(new String[0]); - } - static SSLSocketFactory setUseEngineSocket( SSLSocketFactory conscryptFactory, boolean useEngineSocket) { try { 
@@ -399,32 +382,59 @@ public final class TestUtils { } } - static String[] getCommonCipherSuites() { - SSLContext jdkContext = - TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient()); - SSLContext conscryptContext = TestUtils.initSslContext( - newContext(getConscryptProvider()), TestKeyStore.getClient()); - Set<String> supported = new LinkedHashSet<>(supportedCiphers(jdkContext)); - supported.retainAll(supportedCiphers(conscryptContext)); - filterCiphers(supported); + public static String highestCommonProtocol() { + String[] common = getCommonProtocolSuites(); + Arrays.sort(common); + return common[common.length - 1]; + } + + public static String[] getCommonProtocolSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + // No point building a Set here due to small list sizes. + List<String> conscryptProtocols = getSupportedProtocols(conscryptContext); + Predicate<String> predicate = p + -> conscryptProtocols.contains(p) + // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3. 
+ && !p.equals(PROTOCOL_TLS_V1_3); + return getSupportedProtocols(jdkContext, predicate); + } - return supported.toArray(new String[0]); + public static String[] getCommonCipherSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext)); + Predicate<String> predicate = c -> isTlsCipherSuite(c) && conscryptCiphers.contains(c); + return getSupportedCiphers(jdkContext, predicate); } - private static List<String> supportedCiphers(SSLContext ctx) { + public static List<String> getSupportedCiphers(SSLContext ctx) { return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()); } - private static void filterCiphers(Iterable<String> ciphers) { - // Filter all non-TLS ciphers. - Iterator<String> iter = ciphers.iterator(); - while (iter.hasNext()) { - String cipher = iter.next(); - if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY") - || cipher.contains("_RC4_")) { - iter.remove(); - } - } + public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) { + return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites()) + .filter(predicate) + .toArray(String[] ::new); + } + + public static List<String> getSupportedProtocols(SSLContext ctx) { + return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()); + } + + public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) { + return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols()) + .filter(predicate) + .toArray(String[] ::new); + } + + private static boolean isTlsCipherSuite(String cipher) { + return !cipher.startsWith("SSL_") && !cipher.startsWith("TLS_EMPTY") + && !cipher.contains("_RC4_"); + } + + public static void assumeTlsV11Enabled(SSLContext context) { + Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1)); } /** 
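Review bot: `highestCommonProtocol()` indexes `common[common.length - 1]` without checking for an empty array, so when the JDK and Conscrypt contexts share no default-enabled protocol other than TLSv1.3 (which `getCommonProtocolSuites()` filters out) callers get an `ArrayIndexOutOfBoundsException` instead of a readable failure. Adding `Assume.assumeTrue("No TLS protocol common to the JDK and Conscrypt providers", common.length > 0);` before `Arrays.sort(common)` would make that case explicit; an assertion is the alternative if an empty intersection should fail rather than skip. The selection also depends on protocol names sorting lexicographically in version order, which deserves a comment such as `// "TLSv1" < "TLSv1.1" < "TLSv1.2": string order matches version order only for names of this shape`. Separately, `getSupportedProtocols` and `getSupportedCiphers` read `getDefaultSSLParameters()`, i.e. the default-enabled sets rather than the supported ones, so a Javadoc line saying so would keep `assumeTlsV11Enabled` from being read as a support check. The same code is repeated in the `@@ -393,32 +377,59 @@` hunk of `testing/src/main/java/org/conscrypt/TestUtils.java`.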
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java index 07bfd5c9..e0cb2757 100644 --- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java +++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java @@ -165,6 +165,9 @@ public final class StandardNames { Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")); public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>( Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3")); + // Deprecated TLS protocols... May or may not be present or enabled. + public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = + new HashSet<>(Arrays.asList("TLSv1", "TLSv1.1")); public static final Set<String> KEY_TYPES = new HashSet<String>( Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA")); @@ -411,10 +414,13 @@ public final class StandardNames { * assertSupportedProtocols additionally verifies that all * supported protocols where in the input array. */ - private static void assertSupportedProtocols(Set<String> expected, String[] protocols) { - Set<String> remainingProtocols = assertValidProtocols(expected, protocols); + private static void assertSupportedProtocols(Set<String> valid, String[] protocols) { + Set<String> remainingProtocols = assertValidProtocols(valid, protocols); + + // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols() + remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols); - assertEquals(expected.size(), protocols.length); } /** 
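Review bot: The Javadoc above `assertSupportedProtocols` still says it verifies that all supported protocols were in the input array, but after `remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED)` an input missing TLSv1 or TLSv1.1 passes. I would extend that comment with a sentence like `TLSv1 and TLSv1.1 are exempt: they may be absent from the input without failing (see SSL_CONTEXT_PROTOCOLS_DEPRECATED).` so the relaxed contract is stated where readers look for it. The TODO points at the comment on `assertSSLContextEnabledProtocols()` rather than at a tracking bug, so a bug reference in the form `TODO(b/<BUG_ID>)` (placeholder) would make the temporary relaxation easier to revert. The same applies to the matching `@@ -409,10 +412,13 @@` hunk in `testing/src/main/java/org/conscrypt/java/security/StandardNames.java`.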
@@ -455,9 +461,18 @@ public final class StandardNames { } public static void assertSSLContextEnabledProtocols(String version, String[] protocols) { - assertEquals("For protocol \"" + version + "\"", - Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)), - Arrays.toString(protocols)); + Set<String> expected = + new HashSet<>(Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version))); + Set<String> actual = new HashSet<>(Arrays.asList(protocols)); + + // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows + // testing on source trees where these have been disabled in unknown ways. + // Future work will provide a supported API for disabling protocols, but for + // now we need to work with what's in the field. + expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + + assertEquals("For protocol \"" + version + "\"", expected, actual); } /** diff --git a/testing/src/main/java/org/conscrypt/TestUtils.java b/testing/src/main/java/org/conscrypt/TestUtils.java index 524a3d3d..c9f2fc04 100644 --- a/testing/src/main/java/org/conscrypt/TestUtils.java +++ b/testing/src/main/java/org/conscrypt/TestUtils.java @@ -45,12 +45,13 @@ import java.security.spec.X509EncodedKeySpec; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; -import java.util.Iterator; -import java.util.LinkedHashSet; +import java.util.HashSet; import java.util.List; import java.util.Locale; import java.util.Random; import java.util.Set; +import java.util.function.Predicate; + import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; 
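Review bot: Removing `SSL_CONTEXT_PROTOCOLS_DEPRECATED` from `actual` as well as from `expected` in `assertSSLContextEnabledProtocols` makes the check blind in both directions: a context that enables TLSv1 or TLSv1.1 where `SSL_CONTEXT_PROTOCOLS_ENABLED` does not list them now passes. If the goal is only to tolerate builds where these protocols were disabled, filter one way by replacing the two `removeAll` calls with `expected.removeIf(p -> SSL_CONTEXT_PROTOCOLS_DEPRECATED.contains(p) && !actual.contains(p));`, so an unexpectedly enabled legacy protocol still fails the test. Comparing as sets also stops checking order and duplicates, which the previous `Arrays.toString` comparison did; the comment should say so if that is intended. The same change is repeated in the `@@ -453,9 +459,18 @@` hunk of `testing/src/main/java/org/conscrypt/java/security/StandardNames.java`.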
@@ -70,16 +71,16 @@ import org.junit.Assume; */ public final class TestUtils { public static final Charset UTF_8 = StandardCharsets.UTF_8; + private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3"; private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2"; private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1"; - private static final String PROTOCOL_TLS_V1 = "TLSv1"; - private static final String[] DESIRED_PROTOCOLS = - new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1}; + // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled + // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider. + private static final String[] DESIRED_JDK_PROTOCOLS = new String[] { PROTOCOL_TLS_V1_2 }; private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider(); private static final byte[] CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8); private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0); - private static final String[] PROTOCOLS = getProtocolsInternal(); static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; @@ -121,10 +122,10 @@ public final class TestUtils { private TestUtils() {} private static Provider getNonConscryptTlsProvider() { - for (String protocol : DESIRED_PROTOCOLS) { + for (String protocol : DESIRED_JDK_PROTOCOLS) { for (Provider p : Security.getProviders()) { if (!p.getClass().getPackage().getName().contains("conscrypt") - && hasProtocol(p, protocol)) { + && hasSslContext(p, protocol)) { return p; } } @@ -132,7 +133,7 @@ public final class TestUtils { return new BouncyCastleProvider(); } - private static boolean hasProtocol(Provider p, String protocol) { + private static boolean hasSslContext(Provider p, String protocol) { return p.get("SSLContext." + protocol) != null; } 
@@ -309,23 +310,6 @@ public final class TestUtils { throw ex; } - /** - * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}. - */ - public static String[] getProtocols() { - return PROTOCOLS; - } - - private static String[] getProtocolsInternal() { - List<String> protocols = new ArrayList<>(); - for (String protocol : DESIRED_PROTOCOLS) { - if (hasProtocol(getJdkProvider(), protocol)) { - protocols.add(protocol); - } - } - return protocols.toArray(new String[0]); - } - static SSLSocketFactory setUseEngineSocket( SSLSocketFactory conscryptFactory, boolean useEngineSocket) { try { 
@@ -393,32 +377,59 @@ public final class TestUtils { } } - static String[] getCommonCipherSuites() { - SSLContext jdkContext = - TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient()); - SSLContext conscryptContext = TestUtils.initSslContext( - newContext(getConscryptProvider()), TestKeyStore.getClient()); - Set<String> supported = new LinkedHashSet<>(supportedCiphers(jdkContext)); - supported.retainAll(supportedCiphers(conscryptContext)); - filterCiphers(supported); + public static String highestCommonProtocol() { + String[] common = getCommonProtocolSuites(); + Arrays.sort(common); + return common[common.length - 1]; + } + + public static String[] getCommonProtocolSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + // No point building a Set here due to small list sizes. + List<String> conscryptProtocols = getSupportedProtocols(conscryptContext); + Predicate<String> predicate = p -> conscryptProtocols.contains(p) + // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3. 
+ && !p.equals(PROTOCOL_TLS_V1_3); + return getSupportedProtocols(jdkContext, predicate); + } - return supported.toArray(new String[0]); + public static String[] getCommonCipherSuites() { + SSLContext jdkContext = newClientSslContext(getJdkProvider()); + SSLContext conscryptContext = newClientSslContext(getConscryptProvider()); + Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext)); + Predicate<String> predicate = c -> isTlsCipherSuite(c) && conscryptCiphers.contains(c); + return getSupportedCiphers(jdkContext, predicate); } - private static List<String> supportedCiphers(SSLContext ctx) { + public static List<String> getSupportedCiphers(SSLContext ctx) { return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()); } - private static void filterCiphers(Iterable<String> ciphers) { - // Filter all non-TLS ciphers. - Iterator<String> iter = ciphers.iterator(); - while (iter.hasNext()) { - String cipher = iter.next(); - if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY") - || cipher.contains("_RC4_")) { - iter.remove(); - } - } + public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) { + return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites()) + .filter(predicate) + .toArray(String[]::new); + } + + public static List<String> getSupportedProtocols(SSLContext ctx) { + return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()); + } + + public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) { + return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols()) + .filter(predicate) + .toArray(String[]::new); + } + + private static boolean isTlsCipherSuite(String cipher) { + return !cipher.startsWith("SSL_") + && !cipher.startsWith("TLS_EMPTY") + && !cipher.contains("_RC4_"); + } + + public static void assumeTlsV11Enabled(SSLContext context) { + Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1)); } /** 
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java index 08a72bda..7a8672a9 100644 --- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java +++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java @@ -163,6 +163,9 @@ public final class StandardNames { Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")); public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>( Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3")); + // Deprecated TLS protocols... May or may not be present or enabled. + public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = new HashSet<>( + Arrays.asList("TLSv1", "TLSv1.1")); public static final Set<String> KEY_TYPES = new HashSet<String>( Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA")); @@ -409,10 +412,13 @@ public final class StandardNames { * assertSupportedProtocols additionally verifies that all * supported protocols where in the input array. */ - private static void assertSupportedProtocols(Set<String> expected, String[] protocols) { - Set<String> remainingProtocols = assertValidProtocols(expected, protocols); + private static void assertSupportedProtocols(Set<String> valid, String[] protocols) { + Set<String> remainingProtocols = assertValidProtocols(valid, protocols); + + // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols() + remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols); - assertEquals(expected.size(), protocols.length); } /** 
@@ -453,9 +459,18 @@ public final class StandardNames { } public static void assertSSLContextEnabledProtocols(String version, String[] protocols) { - assertEquals("For protocol \"" + version + "\"", - Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)), - Arrays.toString(protocols)); + Set<String> expected = new HashSet<>( + Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version))); + Set<String> actual = new HashSet<>(Arrays.asList(protocols)); + + // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows + // testing on source trees where these have been disabled in unknown ways. + // Future work will provide a supported API for disabling protocols, but for + // now we need to work with what's in the field. + expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED); + + assertEquals("For protocol \"" + version + "\"", expected, actual); } /** |