8349533: Refactor validator tests shell files to java #23727

Open
wants to merge 7 commits into
base: master
8349533: Refactor validator tests shell files to java
Converted these shell scripts into Java tests:
* ./validator/certreplace.sh
* ./validator/samedn.sh
myankelev committed Feb 21, 2025
commit efa84de5299e14c0794fb7ead38a9906c653b560
140 changes: 139 additions & 1 deletion test/jdk/sun/security/validator/CertReplace.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -26,21 +26,159 @@
*/

import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.ArrayList;
import java.util.List;

import jdk.test.lib.SecurityTools;
import sun.security.validator.Validator;

/*
* @test
* @bug 6948803 6958869
* @summary 1- CertPath validation regression caused by SHA1 replacement root and MD2 disable feature
* 2&3- Regression: PKIXValidator fails when multiple trust anchors have same dn
* @library /test/lib
* @modules java.base/sun.security.validator
*
* @run main CertReplace certreplace.jks certreplace.certs
*
* @run main CertReplace samedn.jks samedn1.certs
* @run main CertReplace samedn.jks samedn2.certs
*/

public class CertReplace {

private static final String SAMEDN_JKS = "samedn.jks";
private static final String CERTREPLACE_JKS = "certreplace.jks";

/**
* This method creates certs for the Cert Replace test
* @throws Exception
*/
private static void certReplace() throws Exception {

final String ktBaseParameters = "-storepass changeit " +
"-keypass changeit " +
"-keystore " + CERTREPLACE_JKS + " " +
"-keyalg rsa ";

final Path keystoreFilePath = Paths.get(CERTREPLACE_JKS);
Files.deleteIfExists(keystoreFilePath);

// 1. Generate 3 aliases in a keystore: ca, int, user
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias ca -dname CN=CA -keyalg rsa -sigalg md2withrsa -ext bc");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias int -dname CN=Int -keyalg rsa");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias user -dname CN=User -keyalg rsa");

// 2. Signing: ca -> int -> user
SecurityTools.keytool(ktBaseParameters +
"-certreq -alias int -file int.req");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias ca -ext bc -infile int.req -outfile int.cert");
SecurityTools.keytool(ktBaseParameters +
"-import -alias int -file int.cert");

SecurityTools.keytool(ktBaseParameters +
"-certreq -alias user -file user.req");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias int -infile user.req -outfile user.cert");
SecurityTools.keytool(ktBaseParameters +
"-import -alias user -file user.cert");

// 3. Create the certchain file
final Path certPath = Paths.get("certreplace.certs");

final String outputUser = SecurityTools.keytool(ktBaseParameters +
"-export -alias user -rfc").getOutput();
Files.write(certPath, outputUser.getBytes());
final String outputInt = SecurityTools.keytool(ktBaseParameters +
"-export -rfc -alias int").getOutput();
Files.write(certPath, outputInt.getBytes(), StandardOpenOption.APPEND);
final String outputCa = SecurityTools.keytool(ktBaseParameters +
"-export -rfc -alias ca").getOutput();
Files.write(certPath, outputCa.getBytes(), StandardOpenOption.APPEND);

// 4. Upgrade ca from MD2withRSA to SHA256withRSA, remove other aliases and make this keystore the cacerts file
SecurityTools.keytool(ktBaseParameters +
"-selfcert -alias ca");
SecurityTools.keytool(ktBaseParameters +
"-delete -alias int");
SecurityTools.keytool(ktBaseParameters +
"-delete -alias user");
}

/**
* This method creates certs for the Same DN test
* @throws Exception
*/
private static void sameDn() throws Exception {

final String ktBaseParameters = "-storepass changeit " +
"-keypass changeit " +
"-keystore " + SAMEDN_JKS + " " +
"-keyalg rsa ";

final Path keystoreFilePath = Paths.get(SAMEDN_JKS);
Files.deleteIfExists(keystoreFilePath);

// 1. Generate 3 aliases in a keystore: ca1, ca2, user. The CAs' startdate
// is set to one year ago so that they are expired now
SecurityTools.keytool(ktBaseParameters +
" -genkeypair -alias ca1 -dname CN=CA -keyalg rsa -sigalg md5withrsa -ext bc -startdate -1y");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias ca2 -dname CN=CA -keyalg rsa -sigalg sha1withrsa -ext bc -startdate -1y");
SecurityTools.keytool(ktBaseParameters +
"-genkeypair -alias user -dname CN=User -keyalg rsa");

// 2. Signing: ca -> user. The startdate is set to 1 minute in the past to ensure the certificate
// is valid at the time of validation and to prevent any issues with timing discrepancies
SecurityTools.keytool(ktBaseParameters +
"-certreq -alias user -file user.req");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias ca1 -startdate -1M -infile user.req -outfile samedn1.certs");
SecurityTools.keytool(ktBaseParameters +
"-gencert -rfc -alias ca2 -startdate -1M -infile user.req -outfile samedn2.certs");

// 3. Append the ca file
final Path samedn1CertPath = Paths.get("samedn1.certs");
final Path samedn2CertPath = Paths.get("samedn2.certs");

final String outputCa1 = SecurityTools.keytool(ktBaseParameters +
"-export -rfc -alias ca1").getOutput();
Files.write(samedn1CertPath, outputCa1.getBytes(), StandardOpenOption.APPEND);
final String outputCa2 = SecurityTools.keytool(ktBaseParameters +
"-export -rfc -alias ca2").getOutput();
Files.write(samedn2CertPath, outputCa2.getBytes(), StandardOpenOption.APPEND);

// 4. Remove user for cacerts
SecurityTools.keytool(ktBaseParameters +
"-delete -alias user");
}

/**
* @param args {cacerts keystore, cert chain}
*/
public static void main(String[] args) throws Exception {
if (args[0].equals(CERTREPLACE_JKS)) {
certReplace();
} else if (args[0].equals(SAMEDN_JKS)) {
sameDn();
} else {
throw new RuntimeException("Not recognised test " + args[0]);
}

KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(args[0]), "changeit".toCharArray());
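Review bot: `ks.load(new FileInputStream(args[0]), "changeit".toCharArray());` at the end of the visible hunk opens the keystore stream and never closes it, so the file handle is only released by finalization; with the import already present this becomes `try (FileInputStream fis = new FileInputStream(args[0])) {` / `    ks.load(fis, "changeit".toCharArray());` / `}`. The `Files.write(..., output.getBytes())` calls in both certReplace and sameDn use the platform default charset; the PEM output keytool emits is ASCII so this works in practice, but `getBytes(StandardCharsets.UTF_8)` would make the intent explicit. In sameDn the first `-genkeypair` argument string starts with a stray leading space (`" -genkeypair -alias ca1 ..."`) while its sibling calls do not; harmless, since ktBaseParameters already ends in a space, but inconsistent. The body of main continues past the end of the hunk, so the remaining keystore and Validator handling could not be reviewed here.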
88 changes: 0 additions & 88 deletions test/jdk/sun/security/validator/certreplace.sh

This file was deleted.

86 changes: 0 additions & 86 deletions test/jdk/sun/security/validator/samedn.sh

This file was deleted.