path: root/test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java
/*
 * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateRevokedException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.EnumSet;
import java.util.Locale;

/**
 * Utility class to validate certificate path. It supports OCSP and/or CRL
 * validation.
 */
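/**
 * Utility class to validate a certificate path against the JDK under test's
 * {@code cacerts} trust store, optionally extended with additional trust
 * roots, using OCSP and/or CRL revocation checking.
 *
 * <p>Instances are not thread-safe: {@link #validate} stores the expected
 * status and expected revocation date in instance fields for the duration of
 * the call.
 */
public class ValidatePathWithParams {

    private static final String FS = System.getProperty("file.separator");
    // Trust store of the JDK under test; "test.jdk" is supplied by the harness.
    private static final String CACERTS_STORE = System.getProperty("test.jdk")
            + FS + "jre" + FS + "lib" + FS + "security" + FS + "cacerts";

    // Layout of Date.toString(); the expected revocation date is given in it.
    private static final String REV_DATE_FORMAT = "EEE MMM dd HH:mm:ss Z yyyy";

    // Encoded roots added to cacerts for each validation, or null if none.
    private final String[] trustedRootCerts;

    // use this for expired cert validation; null means "validate at current time"
    private Date validationDate = null;

    // expected certificate status, set anew on every validate() call
    private Status expectedStatus = Status.UNKNOWN;
    private Date expectedRevDate = null;

    private final CertPathValidator certPathValidator;
    private final PKIXRevocationChecker certPathChecker;
    private final CertificateFactory cf;

    /**
     * Possible status values supported for EE certificate
     */
    public enum Status {
        UNKNOWN, GOOD, REVOKED, EXPIRED;
    }

    /**
     * Constructor
     *
     * @param additionalTrustRoots trusted root certificates (encoded form
     *        accepted by an {@code X509} {@link CertificateFactory}); null,
     *        empty, or starting with a null element means "none"
     * @throws IOException declared for API compatibility
     * @throws CertificateException if the X509 certificate factory is unavailable
     * @throws NoSuchAlgorithmException if the PKIX validator is unavailable
     */
    public ValidatePathWithParams(String[] additionalTrustRoots)
            throws IOException, CertificateException, NoSuchAlgorithmException {

        cf = CertificateFactory.getInstance("X509");
        certPathValidator = CertPathValidator.getInstance("PKIX");
        certPathChecker
                = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();

        // Probe the first element only after a length check: an empty array
        // previously failed with ArrayIndexOutOfBoundsException.
        if (additionalTrustRoots == null
                || additionalTrustRoots.length == 0
                || additionalTrustRoots[0] == null) {
            trustedRootCerts = null;
        } else {
            trustedRootCerts = additionalTrustRoots.clone();
        }
    }

    /**
     * Validate certificates
     *
     * <p>Network problems (an {@link IOException}, or a validator exception
     * caused by one) and a restricted-algorithm failure are reported as
     * warnings and the test is skipped rather than failed. An unexpected
     * expiry is likewise skipped. Any other mismatch between the observed and
     * expected status, or between the observed and expected revocation date,
     * fails the test with a {@link RuntimeException}.
     *
     * @param certsToValidate Certificates to validate, EE certificate first;
     *        null elements are ignored
     * @param st expected certificate status
     * @param revDate if revoked, expected revocation date in
     *        {@code Date.toString()} layout; null to skip the date comparison
     * @param out PrintStream to log messages
     * @throws IOException
     * @throws CertificateException
     * @throws InvalidAlgorithmParameterException
     * @throws ParseException if revDate cannot be parsed
     * @throws NoSuchAlgorithmException
     * @throws KeyStoreException
     * @throws RuntimeException if the EE status or revocation date is not as expected
     */
    public void validate(String[] certsToValidate,
            Status st,
            String revDate,
            PrintStream out)
            throws IOException, CertificateException,
            InvalidAlgorithmParameterException, ParseException,
            NoSuchAlgorithmException, KeyStoreException {

        expectedStatus = st;
        // Clear any expectation left by a previous call so a null revDate
        // really means "do not compare the revocation date".
        expectedRevDate = null;
        if (expectedStatus == Status.REVOKED && revDate != null) {
            expectedRevDate = new SimpleDateFormat(REV_DATE_FORMAT, Locale.US)
                    .parse(revDate);
        }

        Status certStatus;
        Date revocationDate = null;

        logSettings(out);

        try {
            doCertPathValidate(certsToValidate, out);
            certStatus = Status.GOOD;
        } catch (IOException ioe) {
            // Some machines don't have network setup correctly to be able to
            // reach outside world, skip such failures
            out.println("WARNING: Network setup issue, skip this test");
            ioe.printStackTrace(System.err);
            return;
        } catch (CertPathValidatorException cpve) {
            out.println("Received exception: " + cpve);

            if (cpve.getCause() instanceof IOException) {
                out.println("WARNING: CertPathValidatorException caused by IO"
                        + " error, skip this test");
                return;
            }

            if (cpve.getReason() == CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED) {
                out.println("WARNING: CertPathValidatorException caused by"
                        + " restricted algorithm, skip this test");
                return;
            }

            // Map the validator's reason/cause onto the EE status; the
            // revocation date is only available when the cause carries it.
            if (cpve.getReason() == CertPathValidatorException.BasicReason.REVOKED
                    || cpve.getCause() instanceof CertificateRevokedException) {
                certStatus = Status.REVOKED;
                if (cpve.getCause() instanceof CertificateRevokedException) {
                    CertificateRevokedException cre
                            = (CertificateRevokedException) cpve.getCause();
                    revocationDate = cre.getRevocationDate();
                }
            } else if (cpve.getReason() == CertPathValidatorException.BasicReason.EXPIRED
                    || cpve.getCause() instanceof CertificateExpiredException) {
                certStatus = Status.EXPIRED;
            } else {
                throw new RuntimeException(
                        "TEST FAILED: couldn't determine EE certificate status");
            }
        }

        out.println("Expected Certificate status: " + expectedStatus);
        out.println("Certificate status after validation: " + certStatus.name());

        // Don't want test to fail in case certificate is expired when not expected
        // Simply skip the test.
        if (expectedStatus != Status.EXPIRED && certStatus == Status.EXPIRED) {
            out.println("WARNING: Certificate expired, skip the test");
            return;
        }

        if (certStatus != expectedStatus) {
            throw new RuntimeException(
                    "TEST FAILED: unexpected status of EE certificate");
        }

        if (certStatus == Status.REVOKED) {
            // Check revocation date
            if (revocationDate == null) {
                throw new RuntimeException("TEST FAILED: no revocation date");
            }
            out.println(
                    "Certificate revocation date:" + revocationDate.toString());
            if (expectedRevDate != null) {
                out.println(
                        "Expected revocation date:" + expectedRevDate.toString());
                if (!expectedRevDate.equals(revocationDate)) {
                    throw new RuntimeException(
                            "TEST FAILED: unexpected revocation date");
                }
            }
        }
    }

    /**
     * Print the proxy, algorithm-restriction and revocation settings in effect,
     * plus the current expectations, so a failing run can be reproduced.
     *
     * @param out PrintStream to log messages
     */
    private void logSettings(PrintStream out) {
        out.println();
        out.println("=====================================================");
        out.println("CONFIGURATION");
        out.println("=====================================================");
        out.println("http.proxyHost :" + System.getProperty("http.proxyHost"));
        out.println("http.proxyPort :" + System.getProperty("http.proxyPort"));
        out.println("https.proxyHost :" + System.getProperty("https.proxyHost"));
        out.println("https.proxyPort :" + System.getProperty("https.proxyPort"));
        out.println("https.socksProxyHost :"
                + System.getProperty("https.socksProxyHost"));
        out.println("https.socksProxyPort :"
                + System.getProperty("https.socksProxyPort"));
        out.println("jdk.certpath.disabledAlgorithms :"
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));
        out.println("Revocation options :" + certPathChecker.getOptions());
        out.println("OCSP responder set :" + certPathChecker.getOcspResponder());
        out.println("Trusted root set: " + (trustedRootCerts != null));

        if (validationDate != null) {
            out.println("Validation Date:" + validationDate.toString());
        }
        out.println("Expected EE Status:" + expectedStatus.name());
        if (expectedStatus == Status.REVOKED && expectedRevDate != null) {
            out.println(
                    "Expected EE Revocation Date:" + expectedRevDate.toString());
        }
        out.println("=====================================================");
    }

    /**
     * Build the CertPath, load cacerts (plus any additional trust roots) as
     * the anchor set, and run PKIX validation with the configured revocation
     * checker and validation date.
     *
     * @param certsToValidate Certificates to validate; null elements are ignored
     * @param out PrintStream to log messages
     * @throws CertPathValidatorException if validation fails; the caller
     *         classifies the reason
     * @throws RuntimeException if no certificate is supplied, or if the
     *         cacerts store cannot be loaded
     */
    private void doCertPathValidate(String[] certsToValidate, PrintStream out)
            throws IOException, CertificateException,
            InvalidAlgorithmParameterException, ParseException,
            NoSuchAlgorithmException, CertPathValidatorException, KeyStoreException {

        if (certsToValidate == null) {
            throw new RuntimeException("Require atleast one cert to validate");
        }

        // Generate CertPath with certsToValidate
        ArrayList<X509Certificate> certs = new ArrayList<>();
        for (String cert : certsToValidate) {
            if (cert != null) {
                certs.add(getCertificate(cert));
            }
        }
        // An array of only nulls is as useless as a null array; fail up front
        // with the same message instead of validating an empty path.
        if (certs.isEmpty()) {
            throw new RuntimeException("Require atleast one cert to validate");
        }
        CertPath certPath = cf.generateCertPath(certs);

        // Set cacerts as anchor. A failure here is a broken test environment,
        // not a network problem, so it is wrapped in RuntimeException rather
        // than surfacing as the IOException that validate() treats as "skip".
        KeyStore cacerts = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(CACERTS_STORE)) {
            cacerts.load(fis, "changeit".toCharArray());
        } catch (IOException | NoSuchAlgorithmException | CertificateException ex) {
            throw new RuntimeException(ex);
        }

        // Set additional trust certificates (in-memory only; the on-disk
        // cacerts file is never modified)
        if (trustedRootCerts != null) {
            for (int i = 0; i < trustedRootCerts.length; i++) {
                X509Certificate rootCACert = getCertificate(trustedRootCerts[i]);
                cacerts.setCertificateEntry("tempca" + i, rootCACert);
            }
        }

        PKIXParameters params = new PKIXParameters(cacerts);
        params.addCertPathChecker(certPathChecker);

        // Set backdated validation if requested, if null, current date is set
        params.setDate(validationDate);

        // Validate
        certPathValidator.validate(certPath, params);
        out.println("Successful CertPath validation");
    }

    /**
     * Parse one encoded certificate.
     *
     * @param encodedCert certificate in a textual encoding accepted by the
     *        X509 factory (the test data is PEM)
     * @return the parsed certificate
     * @throws CertificateException if the data does not parse
     */
    private X509Certificate getCertificate(String encodedCert)
            throws IOException, CertificateException {
        // PEM is ASCII; pin the charset so the bytes do not depend on the
        // platform default (which getBytes() used before JDK 18).
        ByteArrayInputStream is = new ByteArrayInputStream(
                encodedCert.getBytes(StandardCharsets.UTF_8));
        return (X509Certificate) cf.generateCertificate(is);
    }

    /**
     * Set list of disabled algorithms
     *
     * <p>This changes the JVM-wide {@code jdk.certpath.disabledAlgorithms}
     * security property; it affects every validation in this process.
     *
     * @param algos algorithms to disable
     */
    public static void setDisabledAlgorithms(String algos) {
        Security.setProperty("jdk.certpath.disabledAlgorithms", algos);
    }

    /**
     * Enable OCSP only revocation checks, treat network error as success
     */
    public void enableOCSPCheck() {
        // OCSP is by default, disable fallback to CRL
        certPathChecker.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.NO_FALLBACK));
    }

    /**
     * Enable CRL only revocation check, treat network error as success
     */
    public void enableCRLCheck() {
        certPathChecker.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.PREFER_CRLS,
                PKIXRevocationChecker.Option.NO_FALLBACK));
    }

    /**
     * Overrides OCSP responder URL in AIA extension of certificate
     *
     * @param url OCSP responder
     * @throws URISyntaxException if url is not a valid URI
     */
    public void setOCSPResponderURL(String url) throws URISyntaxException {
        certPathChecker.setOcspResponder(new URI(url));
    }

    /**
     * Set validation date for EE certificate
     *
     * @param vDate string formatted date, in the {@link DateFormat#MEDIUM}
     *        style of {@link Locale#US}
     * @throws ParseException if vDate is incorrect
     */
    public void setValidationDate(String vDate) throws ParseException {
        validationDate = DateFormat.getDateInstance(DateFormat.MEDIUM,
                Locale.US).parse(vDate);
    }

    /**
     * Reset validation date for EE certificate to current date
     */
    public void resetValidationDate() {
        validationDate = null;
    }
}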