diff --git a/test/jdk/sun/security/validator/CertReplace.java b/test/jdk/sun/security/validator/CertReplace.java index e858cc7657c..42885b73e96 100644 --- a/test/jdk/sun/security/validator/CertReplace.java +++ b/test/jdk/sun/security/validator/CertReplace.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -21,29 +21,186 @@ * questions. */ -/* - * This test is called by certreplace.sh - */ - import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.nio.file.StandardOpenOption; import java.security.KeyStore; +import java.security.PrivateKey; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; -import java.util.Arrays; import java.util.ArrayList; import java.util.List; + +import jdk.test.lib.SecurityTools; +import jdk.test.lib.security.CertUtils; +import jdk.test.lib.security.KeyStoreUtils; import sun.security.validator.Validator; +/* + * @test id=certreplace + * @bug 6948803 + * @summary CertPath validation regression caused by SHA1 replacement root and MD2 disable feature + * @library /test/lib + * @modules java.base/sun.security.validator + * + * @run main CertReplace certreplace.jks certreplace.certs + */ + +/* + * @test id=samedn + * @bug 6958869 + * @summary Regression: PKIXValidator fails when multiple trust anchors have same dn + * @library /test/lib + * @modules java.base/sun.security.validator + * + * @run main CertReplace samedn.jks samedn1.certs + * @run main CertReplace samedn.jks samedn2.certs + */ + public class CertReplace { + private static final String SAMEDN_JKS = "samedn.jks"; + private static final String CERTREPLACE_JKS = "certreplace.jks"; + private static final String PASSWORD = "changeit"; + private static final char[] PASSWORD_CHAR_ARR = PASSWORD.toCharArray(); + + /** + * This method creates certs for the Cert Replace test + * + * @throws Exception + */ + private static void certReplace() throws Exception { + + final String ktBaseParameters = "-storepass " + PASSWORD + " " + + "-keypass " + PASSWORD + " " + + "-keystore " + CERTREPLACE_JKS + " " + + "-keyalg rsa "; + + final Path keystoreFilePath = Paths.get(CERTREPLACE_JKS); + Files.deleteIfExists(keystoreFilePath); + + // 1. Generate 3 aliases in a keystore: ca, int, user + SecurityTools.keytool(ktBaseParameters + + "-genkeypair -alias ca -dname CN=CA -keyalg rsa -sigalg md2withrsa -ext bc"); + SecurityTools.keytool(ktBaseParameters + + "-genkeypair -alias int -dname CN=Int -keyalg rsa"); + SecurityTools.keytool(ktBaseParameters + + "-genkeypair -alias user -dname CN=User -keyalg rsa"); + + final KeyStore keyStore = KeyStoreUtils.loadKeyStore(CERTREPLACE_JKS, PASSWORD); + + // 2. Signing: ca -> int -> user + + SecurityTools.keytool(ktBaseParameters + + "-certreq -alias int -file int.req"); + SecurityTools.keytool(ktBaseParameters + + "-gencert -rfc -alias ca -ext bc -infile int.req " + + "-outfile int.cert"); + + //putting the certificate in the keystore + try (final FileInputStream certInputStream = new FileInputStream("int.cert")) { + final Certificate[] certs = new Certificate[]{ + CertUtils.getCertFromStream( + certInputStream + ) + }; + + final PrivateKey privateKey = (PrivateKey) keyStore.getKey("int", PASSWORD_CHAR_ARR); + keyStore.setKeyEntry("int", privateKey, PASSWORD_CHAR_ARR, certs); + keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR); + } + + SecurityTools.keytool(ktBaseParameters + + "-certreq -alias user -file user.req"); + SecurityTools.keytool(ktBaseParameters + + "-gencert -rfc -alias int " + + "-infile user.req " + + "-outfile certreplace.certs"); // this will create certreplace.certs which is later appended + + // 3. Create the certchain file + final Path certPath = Paths.get("certreplace.certs"); + + Files.write(certPath, Files.readAllBytes(Path.of("int.cert")), StandardOpenOption.APPEND); + + final String outputCa = SecurityTools.keytool(ktBaseParameters + + "-export -rfc -alias ca").getOutput(); + Files.write(certPath, outputCa.getBytes(), StandardOpenOption.APPEND); + + // 4. Upgrade ca from MD2withRSA to SHA256withRSA, remove other aliases and make this keystore the cacerts file + keyStore.deleteEntry("int"); + keyStore.deleteEntry("user"); + keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR); + + SecurityTools.keytool(ktBaseParameters + + "-selfcert -alias ca"); + } + + /** + * This method creates certs for the Same DN test + * + * @throws Exception + */ + private static void sameDn() throws Exception { + + final String ktBaseParameters = "-storepass " + PASSWORD + " " + + "-keypass " + PASSWORD + " " + + "-keystore " + SAMEDN_JKS + " " + + "-keyalg rsa "; + + final Path keystoreFilePath = Paths.get(SAMEDN_JKS); + Files.deleteIfExists(keystoreFilePath); + + // 1. Generate 3 aliases in a keystore: ca1, ca2, user. The CAs' startdate + // is set to one year ago so that they are expired now + SecurityTools.keytool(ktBaseParameters + + "-genkeypair -alias ca1 -dname CN=CA -keyalg rsa " + + "-sigalg md5withrsa -ext bc -startdate -1y"); + SecurityTools.keytool(ktBaseParameters + + "-genkeypair -alias ca2 -dname CN=CA -keyalg rsa " + + "-sigalg sha1withrsa -ext bc -startdate -1y"); + SecurityTools.keytool(ktBaseParameters + + "-genkeypair -alias user -dname CN=User -keyalg rsa"); + + // 2. Signing: ca -> user. The startdate is set to 1 minute in the past to ensure the certificate + // is valid at the time of validation and to prevent any issues with timing discrepancies + // Automatically saves the certs to the certs files + + SecurityTools.keytool(ktBaseParameters + + "-certreq -alias user -file user.req"); + SecurityTools.keytool(ktBaseParameters + + "-gencert -rfc -alias ca1 " + + "-startdate -1M -infile user.req -outfile samedn1.certs"); + SecurityTools.keytool(ktBaseParameters + + "-gencert -rfc -alias ca2 " + + "-startdate -1M -infile user.req -outfile samedn2.certs"); + + // 3. Remove user for cacerts + final KeyStore keyStore = KeyStoreUtils.loadKeyStore(SAMEDN_JKS, PASSWORD); + keyStore.deleteEntry("user"); + keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR); + } + /** * @param args {cacerts keystore, cert chain} */ public static void main(String[] args) throws Exception { + if (args[0].equals(CERTREPLACE_JKS)) { + certReplace(); + } else if (args[0].equals(SAMEDN_JKS)) { + sameDn(); + } else { + throw new RuntimeException("Not recognised test " + args[0]); + } + KeyStore ks = KeyStore.getInstance("JKS"); - ks.load(new FileInputStream(args[0]), "changeit".toCharArray()); + try (final FileInputStream certInputStream = new FileInputStream(args[0])) { + ks.load(certInputStream, PASSWORD_CHAR_ARR); + } Validator v = Validator.getInstance (Validator.TYPE_PKIX, Validator.VAR_GENERIC, ks); X509Certificate[] chain = createPath(args[1]); @@ -57,9 +214,10 @@ public class CertReplace { public static X509Certificate[] createPath(String chain) throws Exception { CertificateFactory cf = CertificateFactory.getInstance("X.509"); List list = new ArrayList(); - for (Certificate c: cf.generateCertificates( - new FileInputStream(chain))) { - list.add((X509Certificate)c); + try (final FileInputStream certInputStream = new FileInputStream(chain)) { + for (Certificate c : cf.generateCertificates(certInputStream)) { + list.add((X509Certificate) c); + } } return (X509Certificate[]) list.toArray(new X509Certificate[0]); } diff --git a/test/jdk/sun/security/validator/certreplace.sh b/test/jdk/sun/security/validator/certreplace.sh deleted file mode 100644 index 79c97328092..00000000000 --- a/test/jdk/sun/security/validator/certreplace.sh +++ /dev/null @@ -1,88 +0,0 @@ -# -# Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -# @test -# @bug 6948803 -# @summary CertPath validation regression caused by SHA1 replacement root -# and MD2 disable feature -# @modules java.base/sun.security.validator -# - -if [ "${TESTSRC}" = "" ] ; then - TESTSRC="." -fi -if [ "${TESTJAVA}" = "" ] ; then - JAVAC_CMD=`which javac` - TESTJAVA=`dirname $JAVAC_CMD`/.. - COMPILEJAVA="${TESTJAVA}" -fi - -# set platform-dependent variables -OS=`uname -s` -case "$OS" in - Windows_* ) - FS="\\" - ;; - * ) - FS="/" - ;; -esac - -KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit \ - -keypass changeit -keystore certreplace.jks -keyalg rsa" -JAVAC=$COMPILEJAVA${FS}bin${FS}javac -JAVA=$TESTJAVA${FS}bin${FS}java - -rm -rf certreplace.jks 2> /dev/null - -# 1. Generate 3 aliases in a keystore: ca, int, user - -$KT -genkeypair -alias ca -dname CN=CA -keyalg rsa -sigalg md2withrsa -ext bc -$KT -genkeypair -alias int -dname CN=Int -keyalg rsa -$KT -genkeypair -alias user -dname CN=User -keyalg rsa - -# 2. Signing: ca -> int -> user - -$KT -certreq -alias int | $KT -gencert -rfc -alias ca -ext bc \ - | $KT -import -alias int -$KT -certreq -alias user | $KT -gencert -rfc -alias int \ - | $KT -import -alias user - -# 3. Create the certchain file - -$KT -export -alias user -rfc > certreplace.certs -$KT -export -rfc -alias int >> certreplace.certs -$KT -export -rfc -alias ca >> certreplace.certs - -# 4. Upgrade ca from MD2withRSA to SHA256withRSA, remove other aliases and -# make this keystore the cacerts file - -$KT -selfcert -alias ca -$KT -delete -alias int -$KT -delete -alias user - -# 5. Build and run test - -EXTRAOPTS="--add-exports java.base/sun.security.validator=ALL-UNNAMED" -$JAVAC ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} ${EXTRAOPTS} -d . ${TESTSRC}${FS}CertReplace.java -$JAVA ${TESTVMOPTS} ${TESTJAVAOPTS} ${EXTRAOPTS} CertReplace certreplace.jks certreplace.certs diff --git a/test/jdk/sun/security/validator/samedn.sh b/test/jdk/sun/security/validator/samedn.sh deleted file mode 100644 index 912bbcd40c7..00000000000 --- a/test/jdk/sun/security/validator/samedn.sh +++ /dev/null @@ -1,86 +0,0 @@ -# -# Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -# @test -# @bug 6958869 -# @summary regression: PKIXValidator fails when multiple trust anchors -# have same dn -# @modules java.base/sun.security.validator -# - -if [ "${TESTSRC}" = "" ] ; then - TESTSRC="." -fi -if [ "${TESTJAVA}" = "" ] ; then - JAVAC_CMD=`which javac` - TESTJAVA=`dirname $JAVAC_CMD`/.. - COMPILEJAVA="${TESTJAVA}" -fi - -# set platform-dependent variables -OS=`uname -s` -case "$OS" in - Windows_* ) - FS="\\" - ;; - * ) - FS="/" - ;; -esac - -KT="$TESTJAVA${FS}bin${FS}keytool ${TESTTOOLVMOPTS} -storepass changeit \ - -keypass changeit -keystore samedn.jks -keyalg rsa" -JAVAC=$COMPILEJAVA${FS}bin${FS}javac -JAVA=$TESTJAVA${FS}bin${FS}java - -rm -rf samedn.jks 2> /dev/null - -# 1. Generate 3 aliases in a keystore: ca1, ca2, user. The CAs' startdate -# is set to one year ago so that they are expired now - -$KT -genkeypair -alias ca1 -dname CN=CA -keyalg rsa -sigalg md5withrsa -ext bc -startdate -1y -$KT -genkeypair -alias ca2 -dname CN=CA -keyalg rsa -sigalg sha1withrsa -ext bc -startdate -1y -$KT -genkeypair -alias user -dname CN=User -keyalg rsa - -# 2. Signing: ca -> user. The startdate is set to 1 minute in the past to ensure the certificate -# is valid at the time of validation and to prevent any issues with timing discrepancies - -$KT -certreq -alias user | $KT -gencert -rfc -alias ca1 -startdate -1M > samedn1.certs -$KT -certreq -alias user | $KT -gencert -rfc -alias ca2 -startdate -1M > samedn2.certs - -# 3. Append the ca file - -$KT -export -rfc -alias ca1 >> samedn1.certs -$KT -export -rfc -alias ca2 >> samedn2.certs - -# 4. Remove user for cacerts - -$KT -delete -alias user - -# 5. Build and run test. Make sure the CA certs are ignored for validity check. -# Check both, one of them might be dropped out of map in old codes. - -EXTRAOPTS="--add-exports java.base/sun.security.validator=ALL-UNNAMED" -$JAVAC ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} ${EXTRAOPTS} -d . ${TESTSRC}${FS}CertReplace.java -$JAVA ${TESTVMOPTS} ${TESTJAVAOPTS} ${EXTRAOPTS} CertReplace samedn.jks samedn1.certs || exit 1 -$JAVA ${TESTVMOPTS} ${TESTJAVAOPTS} ${EXTRAOPTS} CertReplace samedn.jks samedn2.certs || exit 2