8349533: Refactor validator tests shell files to java

Reviewed-by: weijun
Mikhail Yankelevich 2025-02-25 18:24:42 +00:00 committed by Weijun Wang
parent dea7a9f0d6
commit c5992ca27b
3 changed files with 168 additions and 184 deletions


@ -1,5 +1,5 @@
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -21,29 +21,186 @@
* questions.
*/
/*
* This test is called by certreplace.sh
*/
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.ArrayList;
import java.util.List;
import jdk.test.lib.SecurityTools;
import jdk.test.lib.security.CertUtils;
import jdk.test.lib.security.KeyStoreUtils;
import sun.security.validator.Validator;
/*
* @test id=certreplace
* @bug 6948803
* @summary CertPath validation regression caused by SHA1 replacement root and MD2 disable feature
* @library /test/lib
* @modules java.base/sun.security.validator
*
* @run main CertReplace certreplace.jks certreplace.certs
*/
/*
* @test id=samedn
* @bug 6958869
* @summary Regression: PKIXValidator fails when multiple trust anchors have same dn
* @library /test/lib
* @modules java.base/sun.security.validator
*
* @run main CertReplace samedn.jks samedn1.certs
* @run main CertReplace samedn.jks samedn2.certs
*/
public class CertReplace {
private static final String SAMEDN_JKS = "samedn.jks";
private static final String CERTREPLACE_JKS = "certreplace.jks";
private static final String PASSWORD = "changeit";
private static final char[] PASSWORD_CHAR_ARR = PASSWORD.toCharArray();
/**
* This method creates certs for the Cert Replace test
*
* @throws Exception
*/
private static void certReplace() throws Exception {
final String ktBaseParameters = "-storepass " + PASSWORD + " " +
"-keypass " + PASSWORD + " " +
"-keystore " + CERTREPLACE_JKS + " " +
"-keyalg rsa ";
final Path keystoreFilePath = Paths.get(CERTREPLACE_JKS);
Files.deleteIfExists(keystoreFilePath);
// 1. Generate 3 aliases in a keystore: ca, int, user
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias ca -dname CN=CA -keyalg rsa -sigalg md2withrsa -ext bc");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias int -dname CN=Int -keyalg rsa");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias user -dname CN=User -keyalg rsa");
final KeyStore keyStore = KeyStoreUtils.loadKeyStore(CERTREPLACE_JKS, PASSWORD);
// 2. Signing: ca -> int -> user
SecurityTools.keytool(ktBaseParameters +
"-certreq -alias int -file int.req");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias ca -ext bc -infile int.req " +
"-outfile int.cert");
//putting the certificate in the keystore
try (final FileInputStream certInputStream = new FileInputStream("int.cert")) {
final Certificate[] certs = new Certificate[]{
CertUtils.getCertFromStream(
certInputStream
)
};
final PrivateKey privateKey = (PrivateKey) keyStore.getKey("int", PASSWORD_CHAR_ARR);
keyStore.setKeyEntry("int", privateKey, PASSWORD_CHAR_ARR, certs);
keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR);
}
SecurityTools.keytool(ktBaseParameters +
"-certreq -alias user -file user.req");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias int " +
"-infile user.req " +
"-outfile certreplace.certs"); // this will create certreplace.certs which is later appended
// 3. Create the certchain file
final Path certPath = Paths.get("certreplace.certs");
Files.write(certPath, Files.readAllBytes(Path.of("int.cert")), StandardOpenOption.APPEND);
final String outputCa = SecurityTools.keytool(ktBaseParameters +
"-export -rfc -alias ca").getOutput();
Files.write(certPath, outputCa.getBytes(), StandardOpenOption.APPEND);
// 4. Upgrade ca from MD2withRSA to SHA256withRSA, remove other aliases and make this keystore the cacerts file
keyStore.deleteEntry("int");
keyStore.deleteEntry("user");
keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR);
SecurityTools.keytool(ktBaseParameters +
"-selfcert -alias ca");
}
/**
* This method creates certs for the Same DN test
*
* @throws Exception
*/
private static void sameDn() throws Exception {
final String ktBaseParameters = "-storepass " + PASSWORD + " " +
"-keypass " + PASSWORD + " " +
"-keystore " + SAMEDN_JKS + " " +
"-keyalg rsa ";
final Path keystoreFilePath = Paths.get(SAMEDN_JKS);
Files.deleteIfExists(keystoreFilePath);
// 1. Generate 3 aliases in a keystore: ca1, ca2, user. The CAs' startdate
// is set to one year ago so that they are expired now
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias ca1 -dname CN=CA -keyalg rsa " +
"-sigalg md5withrsa -ext bc -startdate -1y");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias ca2 -dname CN=CA -keyalg rsa " +
"-sigalg sha1withrsa -ext bc -startdate -1y");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias user -dname CN=User -keyalg rsa");
// 2. Signing: ca -> user. The startdate is set to 1 minute in the past to ensure the certificate
// is valid at the time of validation and to prevent any issues with timing discrepancies
// Automatically saves the certs to the certs files
SecurityTools.keytool(ktBaseParameters +
"-certreq -alias user -file user.req");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias ca1 " +
"-startdate -1M -infile user.req -outfile samedn1.certs");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias ca2 " +
"-startdate -1M -infile user.req -outfile samedn2.certs");
// 3. Remove user for cacerts
final KeyStore keyStore = KeyStoreUtils.loadKeyStore(SAMEDN_JKS, PASSWORD);
keyStore.deleteEntry("user");
keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR);
}
/**
* @param args {cacerts keystore, cert chain}
*/
public static void main(String[] args) throws Exception {
if (args[0].equals(CERTREPLACE_JKS)) {
certReplace();
} else if (args[0].equals(SAMEDN_JKS)) {
sameDn();
} else {
throw new RuntimeException("Not recognised test " + args[0]);
}
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(args[0]), "changeit".toCharArray());
try (final FileInputStream certInputStream = new FileInputStream(args[0])) {
ks.load(certInputStream, PASSWORD_CHAR_ARR);
}
Validator v = Validator.getInstance
(Validator.TYPE_PKIX, Validator.VAR_GENERIC, ks);
X509Certificate[] chain = createPath(args[1]);
@ -57,9 +214,10 @@ public class CertReplace {
public static X509Certificate[] createPath(String chain) throws Exception {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List list = new ArrayList();
for (Certificate c: cf.generateCertificates(
new FileInputStream(chain))) {
list.add((X509Certificate)c);
try (final FileInputStream certInputStream = new FileInputStream(chain)) {
for (Certificate c : cf.generateCertificates(certInputStream)) {
list.add((X509Certificate) c);
}
}
return (X509Certificate[]) list.toArray(new X509Certificate[0]);
}
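Review bot: `sameDn()` stores the keystore it just edited to the wrong file — the line `keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR);` under the "3. Remove user for cacerts" comment should write `SAMEDN_JKS`, otherwise `samedn.jks` still contains the `user` key entry when `main` loads it as the trust store, which is not what the deleted samedn.sh did (`$KT -delete -alias user`). The `FileOutputStream`s passed to `keyStore.store` in both `certReplace()` and `sameDn()` are never closed; wrap them in try-with-resources, e.g. `try (var out = new FileOutputStream(SAMEDN_JKS)) { keyStore.store(out, PASSWORD_CHAR_ARR); }`. In `main`, `ks.load(new FileInputStream(args[0]), "changeit".toCharArray());` is immediately repeated by the try-with-resources load below it, so the first call is redundant, leaks its stream and hard-codes the password instead of using `PASSWORD_CHAR_ARR`. The shell version also appended the CA cert to `samedn1.certs`/`samedn2.certs` after `-gencert`, and the Java port does not; if that omission is intentional it deserves a comment at step 3, since it changes the chain handed to the validator. `main` continues past the end of this hunk.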


@ -1,88 +0,0 @@
#
# Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 6948803
# @summary CertPath validation regression caused by SHA1 replacement root
# and MD2 disable feature
# @modules java.base/sun.security.validator
#
if [ "${TESTSRC}" = "" ] ; then
TESTSRC="."
fi
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
COMPILEJAVA="${TESTJAVA}"
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* )
FS="\\"
;;
* )
FS="/"
;;
esac
KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit \
-keypass changeit -keystore certreplace.jks -keyalg rsa"
JAVAC=$COMPILEJAVA${FS}bin${FS}javac
JAVA=$TESTJAVA${FS}bin${FS}java
rm -rf certreplace.jks 2> /dev/null
# 1. Generate 3 aliases in a keystore: ca, int, user
$KT -genkeypair -alias ca -dname CN=CA -keyalg rsa -sigalg md2withrsa -ext bc
$KT -genkeypair -alias int -dname CN=Int -keyalg rsa
$KT -genkeypair -alias user -dname CN=User -keyalg rsa
# 2. Signing: ca -> int -> user
$KT -certreq -alias int | $KT -gencert -rfc -alias ca -ext bc \
| $KT -import -alias int
$KT -certreq -alias user | $KT -gencert -rfc -alias int \
| $KT -import -alias user
# 3. Create the certchain file
$KT -export -alias user -rfc > certreplace.certs
$KT -export -rfc -alias int >> certreplace.certs
$KT -export -rfc -alias ca >> certreplace.certs
# 4. Upgrade ca from MD2withRSA to SHA256withRSA, remove other aliases and
# make this keystore the cacerts file
$KT -selfcert -alias ca
$KT -delete -alias int
$KT -delete -alias user
# 5. Build and run test
EXTRAOPTS="--add-exports java.base/sun.security.validator=ALL-UNNAMED"
$JAVAC ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} ${EXTRAOPTS} -d . ${TESTSRC}${FS}CertReplace.java
$JAVA ${TESTVMOPTS} ${TESTJAVAOPTS} ${EXTRAOPTS} CertReplace certreplace.jks certreplace.certs


@ -1,86 +0,0 @@
#
# Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 6958869
# @summary regression: PKIXValidator fails when multiple trust anchors
# have same dn
# @modules java.base/sun.security.validator
#
if [ "${TESTSRC}" = "" ] ; then
TESTSRC="."
fi
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
COMPILEJAVA="${TESTJAVA}"
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* )
FS="\\"
;;
* )
FS="/"
;;
esac
KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit \
-keypass changeit -keystore samedn.jks -keyalg rsa"
JAVAC=$COMPILEJAVA${FS}bin${FS}javac
JAVA=$TESTJAVA${FS}bin${FS}java
rm -rf samedn.jks 2> /dev/null
# 1. Generate 3 aliases in a keystore: ca1, ca2, user. The CAs' startdate
# is set to one year ago so that they are expired now
$KT -genkeypair -alias ca1 -dname CN=CA -keyalg rsa -sigalg md5withrsa -ext bc -startdate -1y
$KT -genkeypair -alias ca2 -dname CN=CA -keyalg rsa -sigalg sha1withrsa -ext bc -startdate -1y
$KT -genkeypair -alias user -dname CN=User -keyalg rsa
# 2. Signing: ca -> user. The startdate is set to 1 minute in the past to ensure the certificate
# is valid at the time of validation and to prevent any issues with timing discrepancies
$KT -certreq -alias user | $KT -gencert -rfc -alias ca1 -startdate -1M > samedn1.certs
$KT -certreq -alias user | $KT -gencert -rfc -alias ca2 -startdate -1M > samedn2.certs
# 3. Append the ca file
$KT -export -rfc -alias ca1 >> samedn1.certs
$KT -export -rfc -alias ca2 >> samedn2.certs
# 4. Remove user for cacerts
$KT -delete -alias user
# 5. Build and run test. Make sure the CA certs are ignored for validity check.
# Check both, one of them might be dropped out of map in old codes.
EXTRAOPTS="--add-exports java.base/sun.security.validator=ALL-UNNAMED"
$JAVAC ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} ${EXTRAOPTS} -d . ${TESTSRC}${FS}CertReplace.java
$JAVA ${TESTVMOPTS} ${TESTJAVAOPTS} ${EXTRAOPTS} CertReplace samedn.jks samedn1.certs || exit 1
$JAVA ${TESTVMOPTS} ${TESTJAVAOPTS} ${EXTRAOPTS} CertReplace samedn.jks samedn2.certs || exit 2