Diffstat (limited to 'prov/src/test/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java')
-rw-r--r-- | prov/src/test/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java | 873 |
1 files changed, 0 insertions, 873 deletions
diff --git a/prov/src/test/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java b/prov/src/test/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java
deleted file mode 100644
index af94e4e1..00000000
--- a/prov/src/test/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java
+++ /dev/null
@@ -1,873 +0,0 @@ -package org.bouncycastle.jce.provider.test.nist; - -import java.io.FileInputStream; -import java.io.InputStream; -import java.security.Security; -import java.security.cert.CertPath; -import java.security.cert.CertPathBuilder; -import java.security.cert.CertPathBuilderException; -import java.security.cert.CertPathValidator; -import java.security.cert.CertPathValidatorException; -import java.security.cert.CertStore; -import java.security.cert.CertificateFactory; -import java.security.cert.CollectionCertStoreParameters; -import java.security.cert.PKIXBuilderParameters; -import java.security.cert.PKIXCertPathBuilderResult; -import java.security.cert.PKIXCertPathValidatorResult; -import java.security.cert.PKIXParameters; -import java.security.cert.TrustAnchor; -import java.security.cert.X509CRL; -import java.security.cert.X509CertSelector; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.GregorianCalendar; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.asn1.ASN1Encodable; -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1OctetString; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.x509.Extension; - -/** - * NIST CertPath test data for RFC 3280 - */ -public class NistCertPathTest - extends TestCase -{ - private static final String TEST_DATA_HOME = "bc.test.data.home"; - - private static final String GOOD_CA_CERT = "GoodCACert"; - - private static final String GOOD_CA_CRL = "GoodCACRL"; - - private static final String TRUST_ANCHOR_ROOT_CRL = "TrustAnchorRootCRL"; - - private static final String TRUST_ANCHOR_ROOT_CERTIFICATE = "TrustAnchorRootCertificate"; - - private static final char[] PKCS12_PASSWORD 
= "password".toCharArray(); - - private static final String ANY_POLICY = "2.5.29.32.0"; - private static final String NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1"; - private static final String NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2"; - private static final String NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3"; - - private static Map certs = new HashMap(); - private static Map crls = new HashMap(); - - private static Set noPolicies = Collections.EMPTY_SET; - private static Set anyPolicy = Collections.singleton(ANY_POLICY); - private static Set nistTestPolicy1 = Collections.singleton(NIST_TEST_POLICY_1); - private static Set nistTestPolicy2 = Collections.singleton(NIST_TEST_POLICY_2); - private static Set nistTestPolicy3 = Collections.singleton(NIST_TEST_POLICY_3); - private static Set nistTestPolicy1And2 = new HashSet(Arrays.asList(new String[] { NIST_TEST_POLICY_1, NIST_TEST_POLICY_2 })); - - public void setUp() - { - if (Security.getProvider("BC") == null) - { - Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); - } - } - - public void testValidSignaturesTest1() - throws Exception - { - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "ValidCertificatePathTest1EE", GOOD_CA_CERT}, - new String[] { GOOD_CA_CRL, TRUST_ANCHOR_ROOT_CRL }); - } - - public void testInvalidCASignatureTest2() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "ValidCertificatePathTest1EE", "BadSignedCACert" }, - new String[] { "BadSignedCACRL", TRUST_ANCHOR_ROOT_CRL}, - 1, - "TrustAnchor found but certificate validation failed."); - } - - public void testInvalidEESignatureTest3() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "InvalidEESignatureTest3EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, - 0, - "Could not validate certificate signature."); - } - - public void testValidDSASignaturesTest4() - throws Exception - { - 
doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "DSACACert", "ValidDSASignaturesTest4EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }); - } - - // 4.1.5 - public void testValidDSAParameterInheritanceTest5() - throws Exception - { - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "DSACACert", "DSAParametersInheritedCACert", "ValidDSAParameterInheritanceTest5EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL", "DSAParametersInheritedCACRL" }); - } - - public void testInvalidDSASignaturesTest6() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "DSACACert", "InvalidDSASignatureTest6EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }, - 0, - "Could not validate certificate signature."); - } - - public void testCANotBeforeDateTest1() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "BadnotBeforeDateCACert", "InvalidCAnotBeforeDateTest1EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotBeforeDateCACRL" }, - 1, - "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00"); - } - - public void testInvalidEENotBeforeDateTest2() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "InvalidEEnotBeforeDateTest2EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, - 0, - "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00"); - } - - public void testValidPre2000UTCNotBeforeDateTest3() - throws Exception - { - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "Validpre2000UTCnotBeforeDateTest3EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); - } - - public void testValidGeneralizedTimeNotBeforeDateTest4() - throws Exception - { - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "ValidGeneralizedTimenotBeforeDateTest4EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); - } - - public 
void testInvalidCANotAfterDateTest5() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "BadnotAfterDateCACert", "InvalidCAnotAfterDateTest5EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotAfterDateCACRL" }, - 1, - "Could not validate certificate: certificate expired on 20020101120100GMT+00:00"); - } - - public void testInvalidEENotAfterDateTest6() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "InvalidEEnotAfterDateTest6EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, - 0, - "Could not validate certificate: certificate expired on 20020101120100GMT+00:00"); - } - - public void testInvalidValidPre2000UTCNotAfterDateTest7() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "Invalidpre2000UTCEEnotAfterDateTest7EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, - 0, - "Could not validate certificate: certificate expired on 19990101120100GMT+00:00"); - } - - public void testInvalidNegativeSerialNumberTest15() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "NegativeSerialNumberCACert", "InvalidNegativeSerialNumberTest15EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "NegativeSerialNumberCACRL" }, - 0, - "Certificate revocation after 2001-04-19 14:57:20 +0000", "reason: keyCompromise"); - } - - // - // 4.8 Certificate Policies - // - public void testAllCertificatesSamePolicyTest1() - throws Exception - { - String[] certList = new String[] { GOOD_CA_CERT, "ValidCertificatePathTest1EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - certList, - crlList, - noPolicies); - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - certList, - crlList, - nistTestPolicy1); - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - certList, - crlList, - nistTestPolicy2, - -1, - "Path processing failed on policy."); 
- - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - certList, - crlList, - nistTestPolicy1And2); - } - - public void testAllCertificatesNoPoliciesTest2() - throws Exception - { - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }); - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }, - noPolicies, - 1, - "No valid policy tree found when one expected."); - } - - public void testDifferentPoliciesTest3() - throws Exception - { - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }); - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, - noPolicies, - 1, - "No valid policy tree found when one expected."); - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, - nistTestPolicy1And2, - 1, - "No valid policy tree found when one expected."); - } - - public void testDifferentPoliciesTest4() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "GoodsubCACert", "DifferentPoliciesTest4EE" }, - new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "GoodsubCACRL" }, - 0, - "No valid policy tree found when one expected."); - } - - public void testDifferentPoliciesTest5() - throws Exception - { - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, - new String[] { GOOD_CA_CERT, "PoliciesP2subCA2Cert", "DifferentPoliciesTest5EE" }, - new 
String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCA2CRL" }, - 0, - "No valid policy tree found when one expected."); - } - - public void testOverlappingPoliciesTest6() - throws Exception - { - String[] certList = new String[] { "PoliciesP1234CACert", "PoliciesP1234subCAP123Cert", "PoliciesP1234subsubCAP123P12Cert", "OverlappingPoliciesTest6EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP1234CACRL", "PoliciesP1234subCAP123CRL", "PoliciesP1234subsubCAP123P12CRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, - -1, - "Path processing failed on policy."); - } - - public void testDifferentPoliciesTest7() - throws Exception - { - String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P1Cert", "DifferentPoliciesTest7EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP12P1CRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, - 0, - "No valid policy tree found when one expected."); - } - - public void testDifferentPoliciesTest8() - throws Exception - { - String[] certList = new String[] { "PoliciesP12CACert", "PoliciesP12subCAP1Cert", "PoliciesP12subsubCAP1P2Cert", "DifferentPoliciesTest8EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL", "PoliciesP12subCAP1CRL", "PoliciesP12subsubCAP1P2CRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, - 1, - "No valid policy tree found when one expected."); - } - - public void testDifferentPoliciesTest9() - throws Exception - { - String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P2Cert", "PoliciesP123subsubsubCAP12P2P1Cert", 
"DifferentPoliciesTest9EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP2P2CRL", "PoliciesP123subsubsubCAP12P2P1CRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, - 1, - "No valid policy tree found when one expected."); - } - - public void testAllCertificatesSamePoliciesTest10() - throws Exception - { - String[] certList = new String[] { "PoliciesP12CACert", "AllCertificatesSamePoliciesTest10EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); - } - - public void testAllCertificatesAnyPolicyTest11() - throws Exception - { - String[] certList = new String[] { "anyPolicyCACert", "AllCertificatesanyPolicyTest11EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; - - PKIXCertPathValidatorResult result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); - - result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - } - - public void testDifferentPoliciesTest12() - throws Exception - { - String[] certList = new String[] { "PoliciesP3CACert", "DifferentPoliciesTest12EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP3CACRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, - 0, - "No valid policy tree found when one expected."); - } - - public void testAllCertificatesSamePoliciesTest13() - throws Exception - { - String[] certList = new String[] { "PoliciesP123CACert", "AllCertificatesSamePoliciesTest13EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - 
doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy3); - } - - public void testAnyPolicyTest14() - throws Exception - { - String[] certList = new String[] { "anyPolicyCACert", "AnyPolicyTest14EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, - -1, - "Path processing failed on policy."); - } - - public void testUserNoticeQualifierTest15() - throws Exception - { - String[] certList = new String[] { "UserNoticeQualifierTest15EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, - -1, - "Path processing failed on policy."); - } - - public void testUserNoticeQualifierTest16() - throws Exception - { - String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest16EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; - - PKIXCertPathValidatorResult result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); - - result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, - -1, - "Path processing failed on policy."); - } - - public void testUserNoticeQualifierTest17() - throws Exception - { - String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest17EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - 
doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, - -1, - "Path processing failed on policy."); - } - - public void testUserNoticeQualifierTest18() - throws Exception - { - String[] certList = new String[] { "PoliciesP12CACert", "UserNoticeQualifierTest18EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); - } - - public void testUserNoticeQualifierTest19() - throws Exception - { - String[] certList = new String[] { "UserNoticeQualifierTest19EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, - -1, - "Path processing failed on policy."); - } - - public void testInvalidInhibitPolicyMappingTest1() - throws Exception - { - String[] certList = new String[] { "inhibitPolicyMapping0CACert", "inhibitPolicyMapping0subCACert", "InvalidinhibitPolicyMappingTest1EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitPolicyMapping0CACRL", "inhibitPolicyMapping0subCACRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, - 0, - "No valid policy tree found when one expected."); - } - - public void testValidinhibitPolicyMappingTest2() - throws Exception - { - String[] certList = new String[] { "inhibitPolicyMapping1P12CACert", "inhibitPolicyMapping1P12subCACert", "ValidinhibitPolicyMappingTest2EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitPolicyMapping1P12CACRL", "inhibitPolicyMapping1P12subCACRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); - } - - // 4.12.7 - public void testValidSelfIssuedinhibitAnyPolicyTest7() - throws Exception - { - String[] certList = new String[] { 
"inhibitAnyPolicy1CACert", "inhibitAnyPolicy1SelfIssuedCACert", "inhibitAnyPolicy1subCA2Cert", "ValidSelfIssuedinhibitAnyPolicyTest7EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitAnyPolicy1CACRL", "inhibitAnyPolicy1subCA2CRL" }; - - doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false); - } - - // 4.4.19 - public void testValidSeparateCertificateandCRLKeysTest19() - throws Exception - { - String[] certList = new String[] { "SeparateCertificateandCRLKeysCertificateSigningCACert", "SeparateCertificateandCRLKeysCRLSigningCert", "ValidSeparateCertificateandCRLKeysTest19EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "SeparateCertificateandCRLKeysCRL" }; - - doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false); - } - - public void testValidpathLenConstraintTest13() - throws Exception - { - String[] certList = new String[] { "pathLenConstraint6CACert", "pathLenConstraint6subCA4Cert", "pathLenConstraint6subsubCA41Cert", "pathLenConstraint6subsubsubCA41XCert", "ValidpathLenConstraintTest13EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "pathLenConstraint6CACRL", "pathLenConstraint6subCA4CRL", "pathLenConstraint6subsubCA41CRL", "pathLenConstraint6subsubsubCA41XCRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null); - } - - // 4.4.10 - public void testInvalidUnknownCRLExtensionTest10() - throws Exception - { - String[] certList = new String[] { "UnknownCRLExtensionCACert", "InvalidUnknownCRLExtensionTest10EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "UnknownCRLExtensionCACRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, - 0, - "CRL contains unsupported critical extensions."); - - } - - // 4.14.3 - public void testInvaliddistributionPointTest3() - throws Exception - { - String[] certList = new String[] { "distributionPoint1CACert", "InvaliddistributionPointTest3EE" }; - String[] 
crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint1CACRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, - 0, - "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); - } - - // 4.14.5 - public void testValiddistributionPointTest5() - throws Exception - { - String[] certList = new String[] { "distributionPoint2CACert", "ValiddistributionPointTest5EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; - - doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null); - } - - - // 4.14.8 - public void testInvaliddistributionPointTest8() - throws Exception - { - String[] certList = new String[] { "distributionPoint2CACert", "InvaliddistributionPointTest8EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, - 0, - "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); - } - - // 4.14.9 - public void testInvaliddistributionPointTest9() - throws Exception - { - String[] certList = new String[] { "distributionPoint2CACert", "InvaliddistributionPointTest9EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, - 0, - "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); - } - - // 4.14.17 - public void testInvalidonlySomeReasonsTest17() - throws Exception - { - String[] certList = new String[] { "onlySomeReasonsCA2Cert", "InvalidonlySomeReasonsTest17EE" }; - String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "onlySomeReasonsCA2CRL1", "onlySomeReasonsCA2CRL2" }; - - doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, - 0, - "Certificate status could not be determined."); - } - - // section 4.14: 
tests 17, 24, 25, 30, 31, 32, 33, 35 - - // section 4.15: tests 5, 7 - private void doExceptionTest( - String trustAnchor, - String[] certs, - String[] crls, - int index, - String message) - throws Exception - { - try - { - doTest(trustAnchor, certs, crls); - - fail("path accepted when should be rejected"); - } - catch (CertPathValidatorException e) - { - assertEquals(index, e.getIndex()); - assertEquals(message, e.getMessage()); - } - } - - private void doExceptionTest( - String trustAnchor, - String[] certs, - String[] crls, - Set policies, - int index, - String message) - throws Exception - { - try - { - doTest(trustAnchor, certs, crls, policies); - - fail("path accepted when should be rejected"); - } - catch (CertPathValidatorException e) - { - assertEquals(index, e.getIndex()); - assertEquals(message, e.getMessage()); - } - } - - private void doExceptionTest( - String trustAnchor, - String[] certs, - String[] crls, - int index, - String mesStart, - String mesEnd) - throws Exception - { - try - { - doTest(trustAnchor, certs, crls); - - fail("path accepted when should be rejected"); - } - catch (CertPathValidatorException e) - { - assertEquals(index, e.getIndex()); - assertTrue(e.getMessage().startsWith(mesStart)); - assertTrue(e.getMessage().endsWith(mesEnd)); - } - } - - private PKIXCertPathValidatorResult doTest( - String trustAnchor, - String[] certs, - String[] crls) - throws Exception - { - return doTest(trustAnchor, certs, crls, null); - } - - private PKIXCertPathValidatorResult doTest( - String trustAnchor, - String[] certs, - String[] crls, - Set policies) - throws Exception - { - Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor)); - List certsAndCrls = new ArrayList(); - X509Certificate endCert = loadCert(certs[certs.length - 1]); - - for (int i = 0; i != certs.length - 1; i++) - { - certsAndCrls.add(loadCert(certs[i])); - } - - certsAndCrls.add(endCert); - - CertPath certPath = 
CertificateFactory.getInstance("X.509","BC").generateCertPath(certsAndCrls); - - for (int i = 0; i != crls.length; i++) - { - certsAndCrls.add(loadCrl(crls[i])); - } - - CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certsAndCrls), "BC"); - - CertPathValidator validator = CertPathValidator.getInstance("PKIX","BC"); - PKIXParameters params = new PKIXParameters(trustedSet); - - params.addCertStore(store); - params.setRevocationEnabled(true); - params.setDate(new GregorianCalendar(2010, 1, 1).getTime()); - - if (policies != null) - { - params.setExplicitPolicyRequired(true); - params.setInitialPolicies(policies); - } - - return (PKIXCertPathValidatorResult)validator.validate(certPath, params); - } - - private PKIXCertPathBuilderResult doBuilderTest( - String trustAnchor, - String[] certs, - String[] crls, - Set initialPolicies, - boolean policyMappingInhibited, - boolean anyPolicyInhibited) - throws Exception - { - Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor)); - List certsAndCrls = new ArrayList(); - X509Certificate endCert = loadCert(certs[certs.length - 1]); - - for (int i = 0; i != certs.length - 1; i++) - { - certsAndCrls.add(loadCert(certs[i])); - } - - certsAndCrls.add(endCert); - - for (int i = 0; i != crls.length; i++) - { - certsAndCrls.add(loadCrl(crls[i])); - } - - CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certsAndCrls), "BC"); - - CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); - - X509CertSelector endSelector = new X509CertSelector(); - - endSelector.setCertificate(endCert); - - PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustedSet, endSelector); - - if (initialPolicies != null) - { - builderParams.setInitialPolicies(initialPolicies); - builderParams.setExplicitPolicyRequired(true); - } - if (policyMappingInhibited) - { - builderParams.setPolicyMappingInhibited(policyMappingInhibited); - } - if 
(anyPolicyInhibited) - { - builderParams.setAnyPolicyInhibited(anyPolicyInhibited); - } - - builderParams.addCertStore(store); - builderParams.setDate(new GregorianCalendar(2010, 1, 1).getTime()); - - try - { - return (PKIXCertPathBuilderResult)builder.build(builderParams); - } - catch (CertPathBuilderException e) - { - throw (Exception)e.getCause(); - } - } - - private X509Certificate loadCert( - String certName) - { - X509Certificate cert = (X509Certificate)certs.get(certName); - - if (cert != null) - { - return cert; - } - - try - { - InputStream in = new FileInputStream(getPkitsHome() + "/certs/" + certName + ".crt"); - - CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); - - cert = (X509Certificate)fact.generateCertificate(in); - - certs.put(certName, cert); - - return cert; - } - catch (Exception e) - { - throw new IllegalStateException("exception loading certificate " + certName + ": " + e); - } - } - - private X509CRL loadCrl( - String crlName) - throws Exception - { - X509CRL crl = (X509CRL)certs.get(crlName); - - if (crl != null) - { - return crl; - } - - try - { - InputStream in = new FileInputStream(getPkitsHome() + "/crls/" + crlName + ".crl"); - - CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); - - crl = (X509CRL)fact.generateCRL(in); - - crls.put(crlName, crl); - - return crl; - } - catch (Exception e) - { - throw new IllegalStateException("exception loading CRL: " + crlName); - } - } - - private TrustAnchor getTrustAnchor(String trustAnchorName) - throws Exception - { - X509Certificate cert = loadCert(trustAnchorName); - byte[] extBytes = cert.getExtensionValue(Extension.nameConstraints.getId()); - - if (extBytes != null) - { - ASN1Encodable extValue = ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(extBytes).getOctets()); - - return new TrustAnchor(cert, extValue.toASN1Primitive().getEncoded(ASN1Encoding.DER)); - } - - return new TrustAnchor(cert, null); - } - - private String getPkitsHome() - 
{ - String dataHome = System.getProperty(TEST_DATA_HOME); - - if (dataHome == null) - { - throw new IllegalStateException(TEST_DATA_HOME + " property not set"); - } - - return dataHome + "/PKITS"; - } - - public static void main (String[] args) - throws Exception - { - junit.textui.TestRunner.run(suite()); - } - - public static Test suite() - throws Exception - { - TestSuite suite = new TestSuite("NIST CertPath Tests"); - - suite.addTestSuite(NistCertPathTest.class); - - return suite; - } -} |