001: package org.bouncycastle.jce.provider.test;
002:
003: import org.bouncycastle.asn1.DEROctetString;
004: import org.bouncycastle.asn1.x509.GeneralName;
005: import org.bouncycastle.asn1.x509.GeneralSubtree;
006: import org.bouncycastle.jce.provider.PKIXNameConstraints;
007: import org.bouncycastle.util.test.SimpleTest;
008:
009: import java.security.cert.CertPathValidatorException;
010:
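/**
 * Test class for {@link PKIXNameConstraints}.
 * <p>
 * For every {@link GeneralName} type exercised here the fixtures follow one
 * naming scheme:
 * <ul>
 * <li><code>testXYZ</code> is the name being checked.</li>
 * <li><code>testXYZIsConstraint</code> lists constraints that cover
 * <code>testXYZ</code>: used as a permitted subtree the name must be
 * accepted, used as an excluded subtree the name must be rejected.</li>
 * <li><code>testXYZIsNotConstraint</code> lists constraints that do not cover
 * <code>testXYZ</code>: used as a permitted subtree the name must be
 * rejected, used as an excluded subtree the name must be accepted.</li>
 * <li><code>xyz1</code>, <code>xyz2</code>, <code>xyzunion</code> and
 * <code>xyzintersect</code> are parallel arrays: entry <code>i</code> of the
 * union and intersection arrays is the expected result of combining entry
 * <code>i</code> of the two operand arrays.</li>
 * </ul>
 * A rejection is signalled by a {@link CertPathValidatorException}; any other
 * exception type propagates out of the test.
 */
public class PKIXNameConstraintsTest extends SimpleTest {

    // ---- rfc822Name (e-mail) fixtures ----

    private static final String testEmail = "test@abc.test.com";

    // The three constraint forms that cover the mailbox: the exact mailbox,
    // its host, and a parent domain written with a leading period.
    private static final String[] testEmailIsConstraint = {
        "test@abc.test.com", "abc.test.com", ".test.com" };

    // "bc.test.com" is a string suffix of "abc.test.com" but not a parent
    // domain, so a plain suffix comparison would wrongly accept it.
    private static final String[] testEmailIsNotConstraint = {
        ".abc.test.com", "www.test.com", "test1@abc.test.com",
        "bc.test.com" };

    private static final String[] email1 = {
        "test@test.com", "test@test.com", "test@test.com",
        "test@abc.test.com", "test@test.com", "test@test.com",
        ".test.com", ".test.com", ".test.com", ".test.com",
        "test.com", "abc.test.com", "abc.test1.com", "test.com",
        "test.com", ".test.com" };

    private static final String[] email2 = {
        "test@test.abc.com", "test@test.com", ".test.com",
        ".test.com", "test.com", "test1.com", "test@test.com",
        ".test.com", ".test1.com", "test.com", "test.com",
        ".test.com", ".test.com", "test1.com", ".test.com",
        "abc.test.com" };

    // null marks an operand pair whose intersection is expected to be empty.
    // NOTE(review): the null is handed straight to the GeneralName
    // constructor when the expected object is built; this relies on the
    // library accepting a null value there - confirm for the version in use.
    private static final String[] emailintersect = {
        null, "test@test.com", null, "test@abc.test.com",
        "test@test.com", null, null, ".test.com", null, null,
        "test.com", "abc.test.com", null, null, null,
        "abc.test.com" };

    private static final String[][] emailunion = {
        { "test@test.com", "test@test.abc.com" },
        { "test@test.com" },
        { "test@test.com", ".test.com" },
        { ".test.com" },
        { "test.com" },
        { "test@test.com", "test1.com" },
        { ".test.com", "test@test.com" },
        { ".test.com" },
        { ".test.com", ".test1.com" },
        { ".test.com", "test.com" },
        { "test.com" },
        { ".test.com" },
        { ".test.com", "abc.test1.com" },
        { "test1.com", "test.com" },
        { ".test.com", "test.com" },
        { ".test.com" } };

    // ---- directoryName fixtures ----

    private static final String[] dn1 = { "O=test org, OU=test org unit, CN=John Doe" };

    private static final String[] dn2 = { "O=test org, OU=test org unit" };

    private static final String[][] dnUnion = { { "O=test org, OU=test org unit" } };

    private static final String[] dnIntersection = { "O=test org, OU=test org unit, CN=John Doe" };

    private static final String testDN = "O=test org, OU=test org unit, CN=John Doe";

    private static final String[] testDNIsConstraint = {
        "O=test org, OU=test org unit",
        "O=test org, OU=test org unit, CN=John Doe" };

    // Covers a differing last RDN, a differing middle RDN, the same RDNs in
    // another order, and a constraint that is longer than the tested name.
    private static final String[] testDNIsNotConstraint = {
        "O=test org, OU=test org unit, CN=John Doe2",
        "O=test org, OU=test org unit2",
        "OU=test org unit, O=test org, CN=John Doe",
        "O=test org, OU=test org unit, CN=John Doe, L=USA" };

    // ---- dNSName fixtures ----

    private static final String testDNS = "abc.test.com";

    private static final String[] testDNSIsConstraint = {
        "test.com", "abc.test.com", "test.com" };

    private static final String[] testDNSIsNotConstraint = {
        "wwww.test.com", "ww.test.com", "www.test.com" };

    private static final String[] dns1 = {
        "www.test.de", "www.test1.de", "www.test.de" };

    private static final String[] dns2 = {
        "test.de", "www.test.de", "www.test.de" };

    // NOTE(review): the third pair consists of two identical names and is
    // expected to intersect to nothing, whereas identical e-mail and URI
    // operands in this file intersect to themselves - confirm this
    // difference is intended.
    private static final String[] dnsintersect = { "www.test.de", null, null };

    private static final String[][] dnsunion = {
        { "test.de" },
        { "www.test1.de", "www.test.de" },
        { "www.test.de" } };

    // ---- uniformResourceIdentifier fixtures ----

    // Dummy URI with userinfo and a port; the covering constraints below name
    // the host only, so the fixtures expect the host part alone to be matched.
    private static final String testURI = "http://karsten:password@abc.test.com:8080";

    private static final String[] testURIIsConstraint = {
        "abc.test.com", ".test.com" };

    private static final String[] testURIIsNotConstraint = {
        "xyz.test.com", ".abc.test.com" };

    private static final String[] uri1 = {
        "www.test.de", ".test.de", "test1.de", ".test.de" };

    private static final String[] uri2 = {
        "test.de", "www.test.de", "test1.de", ".test.de" };

    private static final String[] uriintersect = {
        null, "www.test.de", "test1.de", ".test.de" };

    private static final String[][] uriunion = {
        { "www.test.de", "test.de" },
        { ".test.de" },
        { "test1.de" },
        { ".test.de" } };

    // ---- iPAddress fixtures ----
    // The tested name is a 4-byte IPv4 address. Every constraint is 8 bytes:
    // 4 address bytes followed by 4 mask bytes. Several masks below are not
    // contiguous prefixes (last mask byte 2, 3 or 4).

    private static final byte[] testIP = { (byte) 192, (byte) 168, 1, 2 };

    private static final byte[][] testIPIsConstraint = {
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0 },
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 4 } };

    private static final byte[][] testIPIsNotConstraint = {
        { (byte) 192, (byte) 168, 3, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 2 },
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 3 } };

    private static final byte[][] ip1 = {
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, (byte) 0xFF },
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF },
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x00 } };

    private static final byte[][] ip2 = {
        { (byte) 192, (byte) 168, 0, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFC, 3 },
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF },
        { (byte) 192, (byte) 168, 0, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x00 } };

    // null marks an operand pair whose intersection is expected to be empty.
    // NOTE(review): the null ends up inside a DEROctetString when the
    // expected object is built - confirm the library version accepts that.
    private static final byte[][] ipintersect = {
        { (byte) 192, (byte) 168, 0, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, (byte) 0xFF },
        { (byte) 192, (byte) 168, 1, 1,
          (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF },
        null };

    private static final byte[][][] ipunion = {
        {
            { (byte) 192, (byte) 168, 1, 1,
              (byte) 0xFF, (byte) 0xFF, (byte) 0xFE, (byte) 0xFF },
            { (byte) 192, (byte) 168, 0, 1,
              (byte) 0xFF, (byte) 0xFF, (byte) 0xFC, 3 } },
        {
            { (byte) 192, (byte) 168, 1, 1,
              (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF } },
        {
            { (byte) 192, (byte) 168, 1, 1,
              (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x00 },
            { (byte) 192, (byte) 168, 0, 1,
              (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x00 } } };

    /**
     * Returns the name under which this test reports its result.
     */
    public String getName() {
        return "PKIXNameConstraintsTest";
    }

    /**
     * Runs the constraint checks for e-mail, DNS, directory name, URI and IP
     * address names, in that order.
     *
     * @throws Exception If an unexpected exception occurs.
     */
    public void performTest() throws Exception {
        testConstraints(GeneralName.rfc822Name, testEmail,
            testEmailIsConstraint, testEmailIsNotConstraint,
            email1, email2, emailunion, emailintersect);
        testConstraints(GeneralName.dNSName, testDNS,
            testDNSIsConstraint, testDNSIsNotConstraint,
            dns1, dns2, dnsunion, dnsintersect);
        testConstraints(GeneralName.directoryName, testDN,
            testDNIsConstraint, testDNIsNotConstraint,
            dn1, dn2, dnUnion, dnIntersection);
        testConstraints(GeneralName.uniformResourceIdentifier, testURI,
            testURIIsConstraint, testURIIsNotConstraint,
            uri1, uri2, uriunion, uriintersect);
        testConstraints(GeneralName.iPAddress, testIP,
            testIPIsConstraint, testIPIsNotConstraint,
            ip1, ip2, ipunion, ipintersect);
    }

    /**
     * Tests string based GeneralNames for inclusion or exclusion.
     *
     * @param nameType The {@link GeneralName} type to test.
     * @param testName The name to test.
     * @param testNameIsConstraint The constraints that cover
     *            <code>testName</code>: permitted when used as a permitted
     *            subtree, rejected when used as an excluded subtree.
     * @param testNameIsNotConstraint The constraints that do not cover
     *            <code>testName</code>: rejected when used as a permitted
     *            subtree, accepted when used as an excluded subtree.
     * @param testNames1 Operand 1 of test names to use for union and
     *            intersection testing.
     * @param testNames2 Operand 2 of test names to use for union and
     *            intersection testing.
     * @param testUnion The union results, one array per operand pair.
     * @param testInterSection The intersection results, one per operand
     *            pair.
     * @throws Exception If an unexpected exception occurs.
     */
    private void testConstraints(int nameType, String testName,
        String[] testNameIsConstraint,
        String[] testNameIsNotConstraint, String[] testNames1,
        String[] testNames2, String[][] testUnion,
        String[] testInterSection) throws Exception {
        requireParallelFixtures(nameType, testNames1.length,
            testNames2.length, testUnion.length, testInterSection.length);

        for (int i = 0; i < testNameIsConstraint.length; i++) {
            expectPermitted(
                new GeneralName(nameType, testNameIsConstraint[i]),
                new GeneralName(nameType, testName));
        }
        for (int i = 0; i < testNameIsNotConstraint.length; i++) {
            expectNotPermitted(nameType,
                new GeneralName(nameType, testNameIsNotConstraint[i]),
                new GeneralName(nameType, testName));
        }
        for (int i = 0; i < testNameIsConstraint.length; i++) {
            expectExcluded(nameType,
                new GeneralName(nameType, testNameIsConstraint[i]),
                new GeneralName(nameType, testName));
        }
        for (int i = 0; i < testNameIsNotConstraint.length; i++) {
            expectNotExcluded(
                new GeneralName(nameType, testNameIsNotConstraint[i]),
                new GeneralName(nameType, testName));
        }
        for (int i = 0; i < testNames1.length; i++) {
            expectUnion(nameType,
                new GeneralName(nameType, testNames1[i]),
                new GeneralName(nameType, testNames2[i]),
                stringNames(nameType, testUnion[i]));
            expectIntersection(nameType,
                new GeneralName(nameType, testNames1[i]),
                new GeneralName(nameType, testNames2[i]),
                new GeneralName(nameType, testInterSection[i]));
        }
    }

    /**
     * Tests byte array based GeneralNames for inclusion or exclusion.
     *
     * @param nameType The {@link GeneralName} type to test.
     * @param testName The name to test.
     * @param testNameIsConstraint The constraints that cover
     *            <code>testName</code>: permitted when used as a permitted
     *            subtree, rejected when used as an excluded subtree.
     * @param testNameIsNotConstraint The constraints that do not cover
     *            <code>testName</code>: rejected when used as a permitted
     *            subtree, accepted when used as an excluded subtree.
     * @param testNames1 Operand 1 of test names to use for union and
     *            intersection testing.
     * @param testNames2 Operand 2 of test names to use for union and
     *            intersection testing.
     * @param testUnion The union results, one array per operand pair.
     * @param testInterSection The intersection results, one per operand
     *            pair.
     * @throws Exception If an unexpected exception occurs.
     */
    private void testConstraints(int nameType, byte[] testName,
        byte[][] testNameIsConstraint,
        byte[][] testNameIsNotConstraint, byte[][] testNames1,
        byte[][] testNames2, byte[][][] testUnion,
        byte[][] testInterSection) throws Exception {
        requireParallelFixtures(nameType, testNames1.length,
            testNames2.length, testUnion.length, testInterSection.length);

        for (int i = 0; i < testNameIsConstraint.length; i++) {
            expectPermitted(
                octetName(nameType, testNameIsConstraint[i]),
                octetName(nameType, testName));
        }
        for (int i = 0; i < testNameIsNotConstraint.length; i++) {
            expectNotPermitted(nameType,
                octetName(nameType, testNameIsNotConstraint[i]),
                octetName(nameType, testName));
        }
        for (int i = 0; i < testNameIsConstraint.length; i++) {
            expectExcluded(nameType,
                octetName(nameType, testNameIsConstraint[i]),
                octetName(nameType, testName));
        }
        for (int i = 0; i < testNameIsNotConstraint.length; i++) {
            expectNotExcluded(
                octetName(nameType, testNameIsNotConstraint[i]),
                octetName(nameType, testName));
        }
        for (int i = 0; i < testNames1.length; i++) {
            expectUnion(nameType,
                octetName(nameType, testNames1[i]),
                octetName(nameType, testNames2[i]),
                octetNames(nameType, testUnion[i]));
            expectIntersection(nameType,
                octetName(nameType, testNames1[i]),
                octetName(nameType, testNames2[i]),
                octetName(nameType, testInterSection[i]));
        }
    }

    /**
     * Fails when the operand, union and intersection fixtures are not the
     * same length. The combining loop is driven by the first operand array
     * only, so a longer sibling array would otherwise leave cases untested
     * without any report.
     */
    private void requireParallelFixtures(int nameType, int operands1,
        int operands2, int unions, int intersections) {
        if (operands2 != operands1 || unions != operands1
            || intersections != operands1) {
            fail("fixture arrays differ in length: " + nameType);
        }
    }

    /** Wraps raw bytes in a DEROctetString and builds the GeneralName. */
    private static GeneralName octetName(int nameType, byte[] value) {
        return new GeneralName(nameType, new DEROctetString(value));
    }

    /** Builds one string based GeneralName per entry of <code>values</code>. */
    private static GeneralName[] stringNames(int nameType, String[] values) {
        GeneralName[] names = new GeneralName[values.length];
        for (int j = 0; j < values.length; j++) {
            names[j] = new GeneralName(nameType, values[j]);
        }
        return names;
    }

    /** Builds one octet based GeneralName per entry of <code>values</code>. */
    private static GeneralName[] octetNames(int nameType, byte[][] values) {
        GeneralName[] names = new GeneralName[values.length];
        for (int j = 0; j < values.length; j++) {
            names[j] = octetName(nameType, values[j]);
        }
        return names;
    }

    /**
     * Expects <code>name</code> to pass the permitted check when
     * <code>constraint</code> is the only permitted subtree.
     */
    private void expectPermitted(GeneralName constraint, GeneralName name)
        throws Exception {
        PKIXNameConstraints constraints = new PKIXNameConstraints();
        constraints.intersectPermittedSubtree(new GeneralSubtree(constraint));
        constraints.checkPermitted(name);
    }

    /**
     * Expects <code>name</code> to be rejected by the permitted check when
     * <code>constraint</code> is the only permitted subtree.
     */
    private void expectNotPermitted(int nameType, GeneralName constraint,
        GeneralName name) throws Exception {
        PKIXNameConstraints constraints = new PKIXNameConstraints();
        constraints.intersectPermittedSubtree(new GeneralSubtree(constraint));
        try {
            constraints.checkPermitted(name);
            fail("not permitted name allowed: " + nameType);
        } catch (CertPathValidatorException e) {
            // expected
        }
    }

    /**
     * Expects <code>name</code> to be rejected by the excluded check when
     * <code>constraint</code> is the only excluded subtree.
     */
    private void expectExcluded(int nameType, GeneralName constraint,
        GeneralName name) throws Exception {
        PKIXNameConstraints constraints = new PKIXNameConstraints();
        constraints.addExcludedSubtree(new GeneralSubtree(constraint));
        try {
            constraints.checkExcluded(name);
            fail("excluded name missed: " + nameType);
        } catch (CertPathValidatorException e) {
            // expected
        }
    }

    /**
     * Expects <code>name</code> to pass the excluded check when
     * <code>constraint</code> is the only excluded subtree.
     */
    private void expectNotExcluded(GeneralName constraint, GeneralName name)
        throws Exception {
        PKIXNameConstraints constraints = new PKIXNameConstraints();
        constraints.addExcludedSubtree(new GeneralSubtree(constraint));
        constraints.checkExcluded(name);
    }

    /**
     * Expects that excluding <code>first</code> and then <code>second</code>
     * equals excluding every name in <code>expected</code>.
     */
    private void expectUnion(int nameType, GeneralName first,
        GeneralName second, GeneralName[] expected) throws Exception {
        PKIXNameConstraints actual = new PKIXNameConstraints();
        actual.addExcludedSubtree(new GeneralSubtree(first));
        actual.addExcludedSubtree(new GeneralSubtree(second));

        PKIXNameConstraints wanted = new PKIXNameConstraints();
        for (int j = 0; j < expected.length; j++) {
            wanted.addExcludedSubtree(new GeneralSubtree(expected[j]));
        }
        if (!wanted.equals(actual)) {
            fail("union wrong: " + nameType);
        }
    }

    /**
     * Expects that permitting <code>first</code> and then <code>second</code>
     * equals permitting <code>expected</code> alone.
     */
    private void expectIntersection(int nameType, GeneralName first,
        GeneralName second, GeneralName expected) throws Exception {
        PKIXNameConstraints actual = new PKIXNameConstraints();
        actual.intersectPermittedSubtree(new GeneralSubtree(first));
        actual.intersectPermittedSubtree(new GeneralSubtree(second));

        PKIXNameConstraints wanted = new PKIXNameConstraints();
        wanted.intersectPermittedSubtree(new GeneralSubtree(expected));
        if (!wanted.equals(actual)) {
            fail("intersection wrong: " + nameType);
        }
    }

    /** Command line entry point: runs this test on its own. */
    public static void main(String[] args) {
        runTest(new PKIXNameConstraintsTest());
    }
}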
|