diff options
Diffstat (limited to 'prov/src/test/java/org/spongycastle/jce/provider/test/nist/NistCertPathTest.java')
| -rw-r--r-- | prov/src/test/java/org/spongycastle/jce/provider/test/nist/NistCertPathTest.java | 873 |
1 files changed, 873 insertions, 0 deletions
diff --git a/prov/src/test/java/org/spongycastle/jce/provider/test/nist/NistCertPathTest.java b/prov/src/test/java/org/spongycastle/jce/provider/test/nist/NistCertPathTest.java new file mode 100644 index 00000000..51ccd14f --- /dev/null +++ b/prov/src/test/java/org/spongycastle/jce/provider/test/nist/NistCertPathTest.java @@ -0,0 +1,873 @@ +package org.spongycastle.jce.provider.test.nist; + +import java.io.FileInputStream; +import java.io.InputStream; +import java.security.Security; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathValidator; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.PKIXCertPathValidatorResult; +import java.security.cert.PKIXParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.GregorianCalendar; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import junit.framework.Test; +import junit.framework.TestCase; +import junit.framework.TestSuite; +import org.spongycastle.asn1.ASN1Encodable; +import org.spongycastle.asn1.ASN1Encoding; +import org.spongycastle.asn1.ASN1OctetString; +import org.spongycastle.asn1.ASN1Primitive; +import org.spongycastle.asn1.x509.Extension; + +/** + * NIST CertPath test data for RFC 3280 + */ +public class NistCertPathTest + extends TestCase +{ + private static final String TEST_DATA_HOME = "bc.test.data.home"; + + private static final String GOOD_CA_CERT = "GoodCACert"; + + private static final String GOOD_CA_CRL = "GoodCACRL"; + + private static final String TRUST_ANCHOR_ROOT_CRL = "TrustAnchorRootCRL"; + + private static final String TRUST_ANCHOR_ROOT_CERTIFICATE = "TrustAnchorRootCertificate"; + + private static final char[] PKCS12_PASSWORD = "password".toCharArray(); + + private static final String ANY_POLICY = "2.5.29.32.0"; + private static final String NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1"; + private static final String NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2"; + private static final String NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3"; + + private static Map certs = new HashMap(); + private static Map crls = new HashMap(); + + private static Set noPolicies = Collections.EMPTY_SET; + private static Set anyPolicy = Collections.singleton(ANY_POLICY); + private static Set nistTestPolicy1 = Collections.singleton(NIST_TEST_POLICY_1); + private static Set nistTestPolicy2 = Collections.singleton(NIST_TEST_POLICY_2); + private static Set nistTestPolicy3 = Collections.singleton(NIST_TEST_POLICY_3); + private static Set nistTestPolicy1And2 = new HashSet(Arrays.asList(new String[] { NIST_TEST_POLICY_1, NIST_TEST_POLICY_2 })); + + public void setUp() + { + if (Security.getProvider("SC") == null) + { + Security.addProvider(new org.spongycastle.jce.provider.BouncyCastleProvider()); + } + } + + public void testValidSignaturesTest1() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "ValidCertificatePathTest1EE", GOOD_CA_CERT}, + new String[] { GOOD_CA_CRL, TRUST_ANCHOR_ROOT_CRL }); + } + + public void testInvalidCASignatureTest2() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "ValidCertificatePathTest1EE", "BadSignedCACert" }, + new String[] { "BadSignedCACRL", TRUST_ANCHOR_ROOT_CRL}, + 1, + "TrustAnchor found but certificate validation failed."); + } + + public void testInvalidEESignatureTest3() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEESignatureTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate signature."); + } + + public void testValidDSASignaturesTest4() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "ValidDSASignaturesTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }); + } + + // 4.1.5 + public void testValidDSAParameterInheritanceTest5() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "DSAParametersInheritedCACert", "ValidDSAParameterInheritanceTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL", "DSAParametersInheritedCACRL" }); + } + + public void testInvalidDSASignaturesTest6() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "InvalidDSASignatureTest6EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }, + 0, + "Could not validate certificate signature."); + } + + public void testCANotBeforeDateTest1() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "BadnotBeforeDateCACert", "InvalidCAnotBeforeDateTest1EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotBeforeDateCACRL" }, + 1, + "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00"); + } + + public void testInvalidEENotBeforeDateTest2() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEEnotBeforeDateTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00"); + } + + public void testValidPre2000UTCNotBeforeDateTest3() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "Validpre2000UTCnotBeforeDateTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); + } + + public void testValidGeneralizedTimeNotBeforeDateTest4() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "ValidGeneralizedTimenotBeforeDateTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); + } + + public void testInvalidCANotAfterDateTest5() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "BadnotAfterDateCACert", "InvalidCAnotAfterDateTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotAfterDateCACRL" }, + 1, + "Could not validate certificate: certificate expired on 20020101120100GMT+00:00"); + } + + public void testInvalidEENotAfterDateTest6() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEEnotAfterDateTest6EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate: certificate expired on 20020101120100GMT+00:00"); + } + + public void testInvalidValidPre2000UTCNotAfterDateTest7() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "Invalidpre2000UTCEEnotAfterDateTest7EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate: certificate expired on 19990101120100GMT+00:00"); + } + + public void testInvalidNegativeSerialNumberTest15() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NegativeSerialNumberCACert", "InvalidNegativeSerialNumberTest15EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NegativeSerialNumberCACRL" }, + 0, + "Certificate revocation after 2001-04-19 14:57:20 +0000", "reason: keyCompromise"); + } + + // + // 4.8 Certificate Policies + // + public void testAllCertificatesSamePolicyTest1() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "ValidCertificatePathTest1EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + noPolicies); + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy1); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy2, + -1, + "Path processing failed on policy."); + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy1And2); + } + + public void testAllCertificatesNoPoliciesTest2() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }, + noPolicies, + 1, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest3() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, + noPolicies, + 1, + "No valid policy tree found when one expected."); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, + nistTestPolicy1And2, + 1, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest4() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "GoodsubCACert", "DifferentPoliciesTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "GoodsubCACRL" }, + 0, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest5() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCA2Cert", "DifferentPoliciesTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCA2CRL" }, + 0, + "No valid policy tree found when one expected."); + } + + public void testOverlappingPoliciesTest6() + throws Exception + { + String[] certList = new String[] { "PoliciesP1234CACert", "PoliciesP1234subCAP123Cert", "PoliciesP1234subsubCAP123P12Cert", "OverlappingPoliciesTest6EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP1234CACRL", "PoliciesP1234subCAP123CRL", "PoliciesP1234subsubCAP123P12CRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testDifferentPoliciesTest7() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P1Cert", "DifferentPoliciesTest7EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP12P1CRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 0, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest8() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "PoliciesP12subCAP1Cert", "PoliciesP12subsubCAP1P2Cert", "DifferentPoliciesTest8EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL", "PoliciesP12subCAP1CRL", "PoliciesP12subsubCAP1P2CRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 1, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest9() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P2Cert", "PoliciesP123subsubsubCAP12P2P1Cert", "DifferentPoliciesTest9EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP2P2CRL", "PoliciesP123subsubsubCAP12P2P1CRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 1, + "No valid policy tree found when one expected."); + } + + public void testAllCertificatesSamePoliciesTest10() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "AllCertificatesSamePoliciesTest10EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + } + + public void testAllCertificatesAnyPolicyTest11() + throws Exception + { + String[] certList = new String[] { "anyPolicyCACert", "AllCertificatesanyPolicyTest11EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; + + PKIXCertPathValidatorResult result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + } + + public void testDifferentPoliciesTest12() + throws Exception + { + String[] certList = new String[] { "PoliciesP3CACert", "DifferentPoliciesTest12EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP3CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 0, + "No valid policy tree found when one expected."); + } + + public void testAllCertificatesSamePoliciesTest13() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "AllCertificatesSamePoliciesTest13EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy3); + } + + public void testAnyPolicyTest14() + throws Exception + { + String[] certList = new String[] { "anyPolicyCACert", "AnyPolicyTest14EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest15() + throws Exception + { + String[] certList = new String[] { "UserNoticeQualifierTest15EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest16() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest16EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + PKIXCertPathValidatorResult result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest17() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest17EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest18() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "UserNoticeQualifierTest18EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + } + + public void testUserNoticeQualifierTest19() + throws Exception + { + String[] certList = new String[] { "UserNoticeQualifierTest19EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testInvalidInhibitPolicyMappingTest1() + throws Exception + { + String[] certList = new String[] { "inhibitPolicyMapping0CACert", "inhibitPolicyMapping0subCACert", "InvalidinhibitPolicyMappingTest1EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitPolicyMapping0CACRL", "inhibitPolicyMapping0subCACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No valid policy tree found when one expected."); + } + + public void testValidinhibitPolicyMappingTest2() + throws Exception + { + String[] certList = new String[] { "inhibitPolicyMapping1P12CACert", "inhibitPolicyMapping1P12subCACert", "ValidinhibitPolicyMappingTest2EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitPolicyMapping1P12CACRL", "inhibitPolicyMapping1P12subCACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + } + + // 4.12.7 + public void testValidSelfIssuedinhibitAnyPolicyTest7() + throws Exception + { + String[] certList = new String[] { "inhibitAnyPolicy1CACert", "inhibitAnyPolicy1SelfIssuedCACert", "inhibitAnyPolicy1subCA2Cert", "ValidSelfIssuedinhibitAnyPolicyTest7EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitAnyPolicy1CACRL", "inhibitAnyPolicy1subCA2CRL" }; + + doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false); + } + + // 4.4.19 + public void testValidSeparateCertificateandCRLKeysTest19() + throws Exception + { + String[] certList = new String[] { "SeparateCertificateandCRLKeysCertificateSigningCACert", "SeparateCertificateandCRLKeysCRLSigningCert", "ValidSeparateCertificateandCRLKeysTest19EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "SeparateCertificateandCRLKeysCRL" }; + + doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false); + } + + public void testValidpathLenConstraintTest13() + throws Exception + { + String[] certList = new String[] { "pathLenConstraint6CACert", "pathLenConstraint6subCA4Cert", "pathLenConstraint6subsubCA41Cert", "pathLenConstraint6subsubsubCA41XCert", "ValidpathLenConstraintTest13EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "pathLenConstraint6CACRL", "pathLenConstraint6subCA4CRL", "pathLenConstraint6subsubCA41CRL", "pathLenConstraint6subsubsubCA41XCRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null); + } + + // 4.4.10 + public void testInvalidUnknownCRLExtensionTest10() + throws Exception + { + String[] certList = new String[] { "UnknownCRLExtensionCACert", "InvalidUnknownCRLExtensionTest10EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "UnknownCRLExtensionCACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "CRL contains unsupported critical extensions."); + + } + + // 4.14.3 + public void testInvaliddistributionPointTest3() + throws Exception + { + String[] certList = new String[] { "distributionPoint1CACert", "InvaliddistributionPointTest3EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint1CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + + // 4.14.5 + public void testValiddistributionPointTest5() + throws Exception + { + String[] certList = new String[] { "distributionPoint2CACert", "ValiddistributionPointTest5EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null); + } + + + // 4.14.8 + public void testInvaliddistributionPointTest8() + throws Exception + { + String[] certList = new String[] { "distributionPoint2CACert", "InvaliddistributionPointTest8EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + + // 4.14.9 + public void testInvaliddistributionPointTest9() + throws Exception + { + String[] certList = new String[] { "distributionPoint2CACert", "InvaliddistributionPointTest9EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + + // 4.14.17 + public void testInvalidonlySomeReasonsTest17() + throws Exception + { + String[] certList = new String[] { "onlySomeReasonsCA2Cert", "InvalidonlySomeReasonsTest17EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "onlySomeReasonsCA2CRL1", "onlySomeReasonsCA2CRL2" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "Certificate status could not be determined."); + } + + // section 4.14: tests 17, 24, 25, 30, 31, 32, 33, 35 + + // section 4.15: tests 5, 7 + private void doExceptionTest( + String trustAnchor, + String[] certs, + String[] crls, + int index, + String message) + throws Exception + { + try + { + doTest(trustAnchor, certs, crls); + + fail("path accepted when should be rejected"); + } + catch (CertPathValidatorException e) + { + assertEquals(index, e.getIndex()); + assertEquals(message, e.getMessage()); + } + } + + private void doExceptionTest( + String trustAnchor, + String[] certs, + String[] crls, + Set policies, + int index, + String message) + throws Exception + { + try + { + doTest(trustAnchor, certs, crls, policies); + + fail("path accepted when should be rejected"); + } + catch (CertPathValidatorException e) + { + assertEquals(index, e.getIndex()); + assertEquals(message, e.getMessage()); + } + } + + private void doExceptionTest( + String trustAnchor, + String[] certs, + String[] crls, + int index, + String mesStart, + String mesEnd) + throws Exception + { + try + { + doTest(trustAnchor, certs, crls); + + fail("path accepted when should be rejected"); + } + catch (CertPathValidatorException e) + { + assertEquals(index, e.getIndex()); + assertTrue(e.getMessage().startsWith(mesStart)); + assertTrue(e.getMessage().endsWith(mesEnd)); + } + } + + private PKIXCertPathValidatorResult doTest( + String trustAnchor, + String[] certs, + String[] crls) + throws Exception + { + return doTest(trustAnchor, certs, crls, null); + } + + private PKIXCertPathValidatorResult doTest( + String trustAnchor, + String[] certs, + String[] crls, + Set policies) + throws Exception + { + Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor)); + List certsAndCrls = new ArrayList(); + X509Certificate endCert = loadCert(certs[certs.length - 1]); + + for (int i = 0; i != certs.length - 1; i++) + { + certsAndCrls.add(loadCert(certs[i])); + } + + certsAndCrls.add(endCert); + + CertPath certPath = CertificateFactory.getInstance("X.509","SC").generateCertPath(certsAndCrls); + + for (int i = 0; i != crls.length; i++) + { + certsAndCrls.add(loadCrl(crls[i])); + } + + CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certsAndCrls), "SC"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX","SC"); + PKIXParameters params = new PKIXParameters(trustedSet); + + params.addCertStore(store); + params.setRevocationEnabled(true); + params.setDate(new GregorianCalendar(2010, 1, 1).getTime()); + + if (policies != null) + { + params.setExplicitPolicyRequired(true); + params.setInitialPolicies(policies); + } + + return (PKIXCertPathValidatorResult)validator.validate(certPath, params); + } + + private PKIXCertPathBuilderResult doBuilderTest( + String trustAnchor, + String[] certs, + String[] crls, + Set initialPolicies, + boolean policyMappingInhibited, + boolean anyPolicyInhibited) + throws Exception + { + Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor)); + List certsAndCrls = new ArrayList(); + X509Certificate endCert = loadCert(certs[certs.length - 1]); + + for (int i = 0; i != certs.length - 1; i++) + { + certsAndCrls.add(loadCert(certs[i])); + } + + certsAndCrls.add(endCert); + + for (int i = 0; i != crls.length; i++) + { + certsAndCrls.add(loadCrl(crls[i])); + } + + CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certsAndCrls), "SC"); + + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "SC"); + + X509CertSelector endSelector = new X509CertSelector(); + + endSelector.setCertificate(endCert); + + PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustedSet, endSelector); + + if (initialPolicies != null) + { + builderParams.setInitialPolicies(initialPolicies); + builderParams.setExplicitPolicyRequired(true); + } + if (policyMappingInhibited) + { + builderParams.setPolicyMappingInhibited(policyMappingInhibited); + } + if (anyPolicyInhibited) + { + builderParams.setAnyPolicyInhibited(anyPolicyInhibited); + } + + builderParams.addCertStore(store); + builderParams.setDate(new GregorianCalendar(2010, 1, 1).getTime()); + + try + { + return (PKIXCertPathBuilderResult)builder.build(builderParams); + } + catch (CertPathBuilderException e) + { + throw (Exception)e.getCause(); + } + } + + private X509Certificate loadCert( + String certName) + { + X509Certificate cert = (X509Certificate)certs.get(certName); + + if (cert != null) + { + return cert; + } + + try + { + InputStream in = new FileInputStream(getPkitsHome() + "/certs/" + certName + ".crt"); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "SC"); + + cert = (X509Certificate)fact.generateCertificate(in); + + certs.put(certName, cert); + + return cert; + } + catch (Exception e) + { + throw new IllegalStateException("exception loading certificate " + certName + ": " + e); + } + } + + private X509CRL loadCrl( + String crlName) + throws Exception + { + X509CRL crl = (X509CRL)certs.get(crlName); + + if (crl != null) + { + return crl; + } + + try + { + InputStream in = new FileInputStream(getPkitsHome() + "/crls/" + crlName + ".crl"); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "SC"); + + crl = (X509CRL)fact.generateCRL(in); + + crls.put(crlName, crl); + + return crl; + } + catch (Exception e) + { + throw new IllegalStateException("exception loading CRL: " + crlName); + } + } + + private TrustAnchor getTrustAnchor(String trustAnchorName) + throws Exception + { + X509Certificate cert = loadCert(trustAnchorName); + byte[] extBytes = cert.getExtensionValue(Extension.nameConstraints.getId()); + + if (extBytes != null) + { + ASN1Encodable extValue = ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(extBytes).getOctets()); + + return new TrustAnchor(cert, extValue.toASN1Primitive().getEncoded(ASN1Encoding.DER)); + } + + return new TrustAnchor(cert, null); + } + + private String getPkitsHome() + { + String dataHome = System.getProperty(TEST_DATA_HOME); + + if (dataHome == null) + { + throw new IllegalStateException(TEST_DATA_HOME + " property not set"); + } + + return dataHome + "/PKITS"; + } + + public static void main (String[] args) + throws Exception + { + junit.textui.TestRunner.run(suite()); + } + + public static Test suite() + throws Exception + { + TestSuite suite = new TestSuite("NIST CertPath Tests"); + + suite.addTestSuite(NistCertPathTest.class); + + return suite; + } +} |