From f11bf8a0ffd68f584a9413d295a408e57fe811e5 Mon Sep 17 00:00:00 2001 From: Kenny Root Date: Mon, 11 Jan 2016 15:11:15 -0800 Subject: Allow separation of path and certs Some tests were listed with multiple apparent intermediates in the documentation, but they were actually one CA to sign the cert and one CA to sign the CRL. This change allows the fixing of the tests to be able to assert separate path from general cert collections. Bug: 8030138 Change-Id: I6dab5be846650c26ed0ed9eb9d8194d93fc85908 --- .../java/security/cert/X509CertificateNistPkitsTest.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java b/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java index 5171a64..b3562d3 100644 --- a/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java +++ b/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java @@ -152,6 +152,12 @@ public class X509CertificateNistPkitsTest extends TestCase { private void assertInvalidPath(String trustAnchor, String[] certs, String[] crls) throws Exception, NoSuchAlgorithmException, InvalidAlgorithmParameterException { + assertInvalidPath(trustAnchor, certs, certs, crls); + } + + private void assertInvalidPath(String trustAnchor, String[] path, String[] certs, + String[] crls) throws Exception, NoSuchAlgorithmException, + InvalidAlgorithmParameterException { CertificateFactory f = CertificateFactory.getInstance("X.509"); PKIXParameters params = getTestPathParams(f, trustAnchor, certs, crls); 
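Review bot: The new four-argument `assertInvalidPath` accepts `path`, but no line in this hunk uses it, and unlike the `assertValidPath` hunk that follows, nothing here replaces a `getTestPath(f, certs)` call. The method body continues outside the hunk, so this is inferred from the hunk being pure additions. If the body still builds the `CertPath` from `certs`, negative tests that pass a separate `path` (the two `InvalidSeparateCertificateandCRLKeys` tests in the follow-up commit) could be rejected because the chain contains the CRL-signing certificate rather than because of the revocation condition under test. They might then keep passing even if revocation checking regressed. The change would be `CertPath cp = getTestPath(f, path);` in `assertInvalidPath`, mirroring `assertValidPath`.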
@@ -169,10 +175,16 @@ public class X509CertificateNistPkitsTest extends TestCase { private void assertValidPath(String trustAnchor, String[] certs, String[] crls) throws Exception, NoSuchAlgorithmException, CertPathValidatorException, InvalidAlgorithmParameterException { + assertValidPath(trustAnchor, certs, certs, crls); + } + + private void assertValidPath(String trustAnchor, String[] path, String[] certs, String[] crls) + throws Exception, NoSuchAlgorithmException, CertPathValidatorException, + InvalidAlgorithmParameterException { CertificateFactory f = CertificateFactory.getInstance("X.509"); PKIXParameters params = getTestPathParams(f, trustAnchor, certs, crls); - CertPath cp = getTestPath(f, certs); + CertPath cp = getTestPath(f, path); CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, -- cgit v1.2.3 From 20cb4ffdb52c8e5594806ff11960ee4297b28a34 Mon Sep 17 00:00:00 2001 From: Kenny Root Date: Mon, 11 Jan 2016 15:13:42 -0800 Subject: Fix several tests that were worded incorrectly The test description lists the CRL signing key and the CA signing key in the description's expected path, but it should only be the CA signing key in the path. This change fixes all the tests that had this ambiguity. Bug: 8030138 Change-Id: I4edd999d94a05d80a0a2e03e49d9a4025bd9bbfe --- .../cert/X509CertificateNistPkitsTest.java | 77 ++++++++++++++++++---- 1 file changed, 66 insertions(+), 11 deletions(-) diff --git a/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java b/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java index b3562d3..d9a81c5 100644 --- a/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java +++ b/src/libcore/java/security/cert/X509CertificateNistPkitsTest.java 
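Review bot: The four-argument `assertValidPath` added in this hunk has no comment saying what `path` and `certs` are each for, and the two `String[]` parameters are easy to swap at a call site. From the visible lines, `certs` and `crls` go to `getTestPathParams` and only `path` goes to `getTestPath`. A Javadoc line on the new overload would record that, for example `/** Validates {@code path} as the certification path; {@code certs} and {@code crls} are only passed to getTestPathParams. */`. The method body continues past the end of the hunk.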
@@ -931,6 +931,11 @@ public class X509CertificateNistPkitsTest extends TestCase { public void testBasicCertificateRevocationTests_ValidSeparateCertificateandCRLKeysTest19() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidSeparateCertificateandCRLKeysTest19EE.crt", + "SeparateCertificateandCRLKeysCertificateSigningCACert.crt", + }; + String[] certs = { "ValidSeparateCertificateandCRLKeysTest19EE.crt", "SeparateCertificateandCRLKeysCRLSigningCert.crt", @@ -942,13 +947,18 @@ public class X509CertificateNistPkitsTest extends TestCase { "SeparateCertificateandCRLKeysCRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.4.20 */ public void testBasicCertificateRevocationTests_InvalidSeparateCertificateandCRLKeysTest20() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "InvalidSeparateCertificateandCRLKeysTest20EE.crt", + "SeparateCertificateandCRLKeysCertificateSigningCACert.crt", + }; + String[] certs = { "InvalidSeparateCertificateandCRLKeysTest20EE.crt", "SeparateCertificateandCRLKeysCRLSigningCert.crt", @@ -960,13 +970,18 @@ public class X509CertificateNistPkitsTest extends TestCase { "SeparateCertificateandCRLKeysCRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertInvalidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.4.21 */ public void testBasicCertificateRevocationTests_InvalidSeparateCertificateandCRLKeysTest21() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "InvalidSeparateCertificateandCRLKeysTest21EE.crt", + "SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt", + }; + String[] certs = { "InvalidSeparateCertificateandCRLKeysTest21EE.crt", "SeparateCertificateandCRLKeysCA2CRLSigningCert.crt", 
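Review bot: The `path` array added to `ValidSeparateCertificateandCRLKeysTest19` repeats the EE file name from `certs` and leaves out the CRL-signing certificate, but the reason is only given in the commit message. A one-line comment above `path` would keep that next to the data, for example `// Certification path only: EE first, then its issuing CA; the CRL signer stays in certs.`. The same applies to every other `path` array this commit adds (the remaining SeparateCertificateandCRLKeys tests and the SelfIssued, IDPwithindirectCRL and cRLIssuer tests in the later hunks). The test method bodies start or end outside their hunks.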
@@ -978,7 +993,7 @@ public class X509CertificateNistPkitsTest extends TestCase { "SeparateCertificateandCRLKeysCA2CRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertInvalidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.5.1 */ @@ -1040,6 +1055,11 @@ public class X509CertificateNistPkitsTest extends TestCase { public void testVerifyingPathswithSelfIssuedCertificates_ValidBasicSelfIssuedNewWithOldTest4() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidBasicSelfIssuedNewWithOldTest4EE.crt", + "BasicSelfIssuedOldKeyCACert.crt", + }; + String[] certs = { "ValidBasicSelfIssuedNewWithOldTest4EE.crt", "BasicSelfIssuedOldKeyNewWithOldCACert.crt", @@ -1052,7 +1072,7 @@ public class X509CertificateNistPkitsTest extends TestCase { "BasicSelfIssuedOldKeyCACRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.5.5 */ @@ -1078,6 +1098,11 @@ public class X509CertificateNistPkitsTest extends TestCase { public void testVerifyingPathswithSelfIssuedCertificates_ValidBasicSelfIssuedCRLSigningKeyTest6() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt", + "BasicSelfIssuedCRLSigningKeyCACert.crt", + }; + String[] certs = { "ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt", "BasicSelfIssuedCRLSigningKeyCRLCert.crt", @@ -1090,7 +1115,7 @@ public class X509CertificateNistPkitsTest extends TestCase { "BasicSelfIssuedCRLSigningKeyCACRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.5.7 */ 
@@ -2620,6 +2645,11 @@ public class X509CertificateNistPkitsTest extends TestCase { public void testDistributionPoints_ValidIDPwithindirectCRLTest24() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidIDPwithindirectCRLTest24EE.crt", + "indirectCRLCA2Cert.crt", + }; + String[] certs = { "ValidIDPwithindirectCRLTest24EE.crt", "indirectCRLCA1Cert.crt", @@ -2631,13 +2661,18 @@ public class X509CertificateNistPkitsTest extends TestCase { "indirectCRLCA1CRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.14.25 */ public void testDistributionPoints_ValidIDPwithindirectCRLTest25() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidIDPwithindirectCRLTest25EE.crt", + "indirectCRLCA2Cert.crt", + }; + String[] certs = { "ValidIDPwithindirectCRLTest25EE.crt", "indirectCRLCA1Cert.crt", @@ -2649,7 +2684,7 @@ public class X509CertificateNistPkitsTest extends TestCase { "indirectCRLCA1CRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.14.26 */ @@ -2692,6 +2727,11 @@ public class X509CertificateNistPkitsTest extends TestCase { public void testDistributionPoints_ValidcRLIssuerTest28() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidcRLIssuerTest28EE.crt", + "indirectCRLCA3Cert.crt", + }; + String[] certs = { "ValidcRLIssuerTest28EE.crt", "indirectCRLCA3cRLIssuerCert.crt", 
@@ -2704,13 +2744,18 @@ public class X509CertificateNistPkitsTest extends TestCase { "indirectCRLCA3cRLIssuerCRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.14.29 */ public void testDistributionPoints_ValidcRLIssuerTest29() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidcRLIssuerTest29EE.crt", + "indirectCRLCA3Cert.crt", + }; + String[] certs = { "ValidcRLIssuerTest29EE.crt", "indirectCRLCA3cRLIssuerCert.crt", @@ -2723,13 +2768,18 @@ public class X509CertificateNistPkitsTest extends TestCase { "indirectCRLCA3cRLIssuerCRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.14.30 */ public void testDistributionPoints_ValidcRLIssuerTest30() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidcRLIssuerTest30EE.crt", + "indirectCRLCA4Cert.crt", + }; + String[] certs = { "ValidcRLIssuerTest30EE.crt", "indirectCRLCA4cRLIssuerCert.crt", @@ -2741,7 +2791,7 @@ public class X509CertificateNistPkitsTest extends TestCase { "indirectCRLCA4cRLIssuerCRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.14.31 */ @@ -2784,6 +2834,11 @@ public class X509CertificateNistPkitsTest extends TestCase { public void testDistributionPoints_ValidcRLIssuerTest33() throws Exception { String trustAnchor = "TrustAnchorRootCertificate.crt"; + String[] path = { + "ValidcRLIssuerTest33EE.crt", + "indirectCRLCA6Cert.crt", + }; + String[] certs = { "ValidcRLIssuerTest33EE.crt", "indirectCRLCA6Cert.crt", @@ -2795,7 +2850,7 @@ public class X509CertificateNistPkitsTest extends TestCase { "indirectCRLCA5CRL.crl", }; - assertValidPath(trustAnchor, certs, crls); + assertValidPath(trustAnchor, path, certs, crls); } /** NIST PKITS test 4.14.34 */ -- cgit v1.2.3