001: package org.bouncycastle.jce.provider.test.nist;
002:
003: import junit.framework.Test;
004: import junit.framework.TestCase;
005: import junit.framework.TestSuite;
006: import org.bouncycastle.asn1.ASN1Encodable;
007: import org.bouncycastle.asn1.x509.X509Extensions;
008: import org.bouncycastle.i18n.ErrorBundle;
009: import org.bouncycastle.x509.PKIXCertPathReviewer;
010: import org.bouncycastle.x509.extension.X509ExtensionUtil;
011:
012: import java.io.FileInputStream;
013: import java.io.InputStream;
014: import java.security.Security;
015: import java.security.cert.CertPath;
016: import java.security.cert.CertStore;
017: import java.security.cert.CertificateFactory;
018: import java.security.cert.CollectionCertStoreParameters;
019: import java.security.cert.PKIXParameters;
020: import java.security.cert.TrustAnchor;
021: import java.security.cert.X509CRL;
022: import java.security.cert.X509Certificate;
023: import java.util.ArrayList;
024: import java.util.Arrays;
025: import java.util.Collections;
026: import java.util.HashMap;
027: import java.util.HashSet;
028: import java.util.List;
029: import java.util.Locale;
030: import java.util.Map;
031: import java.util.Set;
032: import java.util.TimeZone;
033:
034: /**
035: * NIST CertPath test data for RFC 3280
036: */
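public class NistCertPathReviewerTest extends TestCase {
    /** System property naming the root of the BC test data; the PKITS tree is expected below it. */
    private static final String TEST_DATA_HOME = "bc.test.data.home";

    private static final String GOOD_CA_CERT = "GoodCACert";

    private static final String GOOD_CA_CRL = "GoodCACRL";

    private static final String TRUST_ANCHOR_ROOT_CRL = "TrustAnchorRootCRL";

    private static final String TRUST_ANCHOR_ROOT_CERTIFICATE = "TrustAnchorRootCertificate";

    // Not referenced by any test in this class; kept for parity with the sibling NIST tests.
    private static final char[] PKCS12_PASSWORD = "password".toCharArray();

    // NIST PKITS test policy OIDs used as initial policy sets.
    private static String NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1";
    private static String NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2";
    private static String NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3";

    // Per-name caches so each PKITS file is parsed once per JVM. Certificates and CRLs
    // live in separate maps because the two name spaces overlap ("GoodCACert" vs "GoodCACRL"
    // differ, but nothing guarantees that in general). Not synchronised: the JUnit 3 runner
    // executes these tests sequentially.
    private static Map certs = new HashMap();
    private static Map crls = new HashMap();

    private static Set noPolicies = Collections.EMPTY_SET;
    private static Set nistTestPolicy1 = Collections.singleton(NIST_TEST_POLICY_1);
    private static Set nistTestPolicy2 = Collections.singleton(NIST_TEST_POLICY_2);
    private static Set nistTestPolicy3 = Collections.singleton(NIST_TEST_POLICY_3);
    private static Set nistTestPolicy1And2 = new HashSet(Arrays.asList(new String[] {
            NIST_TEST_POLICY_1, NIST_TEST_POLICY_2 }));

    //
    // 4.1 Signature Verification
    //
    public void testValidSignaturesTest1() throws Exception {
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "ValidCertificatePathTest1EE", GOOD_CA_CERT },
                new String[] { GOOD_CA_CRL, TRUST_ANCHOR_ROOT_CRL });
    }

    public void testInvalidCASignatureTest2() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "ValidCertificatePathTest1EE", "BadSignedCACert" },
                new String[] { "BadSignedCACRL", TRUST_ANCHOR_ROOT_CRL },
                1,
                "CertPathReviewer.signatureNotVerified",
                "The certificate signature is invalid. A java.security.InvalidKeyException occurred.");
    }

    public void testInvalidEESignatureTest3() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "InvalidEESignatureTest3EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL },
                0,
                "CertPathReviewer.signatureNotVerified",
                "The certificate signature is invalid. A java.security.InvalidKeyException occurred.");
    }

    public void testValidDSASignaturesTest4() throws Exception {
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "DSACACert", "ValidDSASignaturesTest4EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" });
    }

    /*
     * Disabled: DSA parameter inheritance (PKITS 4.1.5) is not exercised by this reviewer test.
     *
    public void testValidDSAParameterInheritanceTest5()
        throws Exception
    {
        doTest(TRUST_ANCHOR_ROOT_CERTIFICATE,
            new String[] { "DSACACert", "DSAParametersInheritedCACert", "ValidDSAParameterInheritanceTest5EE" },
            new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL", "DSAParametersInheritedCACRL" });
    }
    */

    public void testInvalidDSASignaturesTest6() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "DSACACert", "InvalidDSASignatureTest6EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" },
                0,
                "CertPathReviewer.signatureNotVerified",
                "The certificate signature is invalid. A java.security.InvalidKeyException occurred.");
    }

    //
    // 4.2 Validity Periods
    //
    public void testCANotBeforeDateTest1() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "BadnotBeforeDateCACert", "InvalidCAnotBeforeDateTest1EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotBeforeDateCACRL" },
                1,
                "CertPathReviewer.certificateNotYetValid",
                "Could not validate the certificate. Certificate is not valid until Jan 1, 2047 12:01:00 PM GMT.");
    }

    public void testInvalidEENotBeforeDateTest2() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "InvalidEEnotBeforeDateTest2EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL },
                0,
                "CertPathReviewer.certificateNotYetValid",
                "Could not validate the certificate. Certificate is not valid until Jan 1, 2047 12:01:00 PM GMT.");
    }

    public void testValidPre2000UTCNotBeforeDateTest3() throws Exception {
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "Validpre2000UTCnotBeforeDateTest3EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL });
    }

    public void testValidGeneralizedTimeNotBeforeDateTest4() throws Exception {
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "ValidGeneralizedTimenotBeforeDateTest4EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL });
    }

    public void testInvalidCANotAfterDateTest5() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "BadnotAfterDateCACert", "InvalidCAnotAfterDateTest5EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotAfterDateCACRL" },
                1,
                "CertPathReviewer.certificateExpired",
                "Could not validate the certificate. Certificate expired on Jan 1, 2002 12:01:00 PM GMT.");
    }

    public void testInvalidEENotAfterDateTest6() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "InvalidEEnotAfterDateTest6EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL },
                0,
                "CertPathReviewer.certificateExpired",
                "Could not validate the certificate. Certificate expired on Jan 1, 2002 12:01:00 PM GMT.");
    }

    public void testInvalidValidPre2000UTCNotAfterDateTest7() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "Invalidpre2000UTCEEnotAfterDateTest7EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL },
                0,
                "CertPathReviewer.certificateExpired",
                "Could not validate the certificate. Certificate expired on Jan 1, 1999 12:01:00 PM GMT.");
    }

    //
    // 4.3 Verifying Name Chaining (only the negative-serial case is covered here)
    //
    public void testInvalidNegativeSerialNumberTest15() throws Exception {
        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "NegativeSerialNumberCACert", "InvalidNegativeSerialNumberTest15EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, "NegativeSerialNumberCACRL" },
                0,
                "CertPathReviewer.certRevoked",
                "The certificate was revoked at Apr 19, 2001 2:57:20 PM GMT. Reason: Key Compromise.");
    }

    //
    // 4.8 Certificate Policies
    //
    public void testAllCertificatesSamePolicyTest1() throws Exception {
        String[] certList = new String[] { GOOD_CA_CERT, "ValidCertificatePathTest1EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, noPolicies);

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                nistTestPolicy2, -1, "CertPathReviewer.invalidPolicy",
                "Path processing failed on policy.");

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1And2);
    }

    public void testAllCertificatesNoPoliciesTest2() throws Exception {
        doAcceptingTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" });

        doErrorTest(
                TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" },
                noPolicies, -1, "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testDifferentPoliciesTest3() throws Exception {
        String[] certList = new String[] { GOOD_CA_CERT, "PoliciesP2subCACert",
                "DifferentPoliciesTest3EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL,
                "PoliciesP2subCACRL" };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, noPolicies, -1,
                "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1And2, -1,
                "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testDifferentPoliciesTest4() throws Exception {
        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "GoodsubCACert", "DifferentPoliciesTest4EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "GoodsubCACRL" },
                -1, "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testDifferentPoliciesTest5() throws Exception {
        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE,
                new String[] { GOOD_CA_CERT, "PoliciesP2subCA2Cert", "DifferentPoliciesTest5EE" },
                new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCA2CRL" },
                -1, "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testOverlappingPoliciesTest6() throws Exception {
        String[] certList = new String[] { "PoliciesP1234CACert",
                "PoliciesP1234subCAP123Cert",
                "PoliciesP1234subsubCAP123P12Cert",
                "OverlappingPoliciesTest6EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
                "PoliciesP1234CACRL", "PoliciesP1234subCAP123CRL",
                "PoliciesP1234subsubCAP123P12CRL" };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                nistTestPolicy2, -1, "CertPathReviewer.invalidPolicy",
                "Path processing failed on policy.");
    }

    public void testDifferentPoliciesTest7() throws Exception {
        String[] certList = new String[] { "PoliciesP123CACert",
                "PoliciesP123subCAP12Cert",
                "PoliciesP123subsubCAP12P1Cert",
                "DifferentPoliciesTest7EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
                "PoliciesP123CACRL", "PoliciesP123subCAP12CRL",
                "PoliciesP123subsubCAP12P1CRL" };

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                -1, "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testDifferentPoliciesTest8() throws Exception {
        String[] certList = new String[] { "PoliciesP12CACert",
                "PoliciesP12subCAP1Cert",
                "PoliciesP12subsubCAP1P2Cert",
                "DifferentPoliciesTest8EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
                "PoliciesP12CACRL", "PoliciesP12subCAP1CRL",
                "PoliciesP12subsubCAP1P2CRL" };

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                -1, "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testDifferentPoliciesTest9() throws Exception {
        String[] certList = new String[] { "PoliciesP123CACert",
                "PoliciesP123subCAP12Cert",
                "PoliciesP123subsubCAP12P2Cert",
                "PoliciesP123subsubsubCAP12P2P1Cert",
                "DifferentPoliciesTest9EE" };
        // Note the sub-sub CRL name ("...CAP2P2CRL") does not mirror the certificate name;
        // it is kept as-is because it matches the PKITS file set this test was written against.
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
                "PoliciesP123CACRL", "PoliciesP123subCAP12CRL",
                "PoliciesP123subsubCAP2P2CRL",
                "PoliciesP123subsubsubCAP12P2P1CRL" };

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                -1, "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testAllCertificatesSamePoliciesTest10() throws Exception {
        String[] certList = new String[] { "PoliciesP12CACert",
                "AllCertificatesSamePoliciesTest10EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2);
    }

    public void testAllCertificatesAnyPolicyTest11() throws Exception {
        String[] certList = new String[] { "anyPolicyCACert",
                "AllCertificatesanyPolicyTest11EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
    }

    public void testDifferentPoliciesTest12() throws Exception {
        String[] certList = new String[] { "PoliciesP3CACert", "DifferentPoliciesTest12EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP3CACRL" };

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                -1, "CertPathReviewer.noValidPolicyTree",
                "Policy checking failed: no valid policy tree found when one expected.");
    }

    public void testAllCertificatesSamePoliciesTest13() throws Exception {
        String[] certList = new String[] { "PoliciesP123CACert",
                "AllCertificatesSamePoliciesTest13EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL" };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2);
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy3);
    }

    public void testAnyPolicyTest14() throws Exception {
        String[] certList = new String[] { "anyPolicyCACert", "AnyPolicyTest14EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                nistTestPolicy2, -1, "CertPathReviewer.invalidPolicy",
                "Path processing failed on policy.");
    }

    public void testUserNoticeQualifierTest15() throws Exception {
        String[] certList = new String[] { "UserNoticeQualifierTest15EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                nistTestPolicy2, -1, "CertPathReviewer.invalidPolicy",
                "Path processing failed on policy.");
    }

    public void testUserNoticeQualifierTest16() throws Exception {
        String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest16EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);

        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                nistTestPolicy2, -1, "CertPathReviewer.invalidPolicy",
                "Path processing failed on policy.");
    }

    public void testUserNoticeQualifierTest17() throws Exception {
        String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest17EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                nistTestPolicy2, -1, "CertPathReviewer.invalidPolicy",
                "Path processing failed on policy.");
    }

    public void testUserNoticeQualifierTest18() throws Exception {
        String[] certList = new String[] { "PoliciesP12CACert", "UserNoticeQualifierTest18EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2);
    }

    public void testUserNoticeQualifierTest19() throws Exception {
        String[] certList = new String[] { "UserNoticeQualifierTest19EE" };
        String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL };

        doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1);
        doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
                nistTestPolicy2, -1, "CertPathReviewer.invalidPolicy",
                "Path processing failed on policy.");
    }

    /**
     * Builds the path and asserts the reviewer accepts it with no initial policy set.
     *
     * @param trustAnchor PKITS name of the trust anchor certificate
     * @param certs       PKITS names of the path certificates; the last entry is the end entity
     * @param crls        PKITS names of the CRLs to make available for revocation checking
     * @throws Exception if the path cannot be built or reviewed
     */
    private void doAcceptingTest(String trustAnchor, String[] certs, String[] crls)
            throws Exception {
        // null policies == "no initial policy set" (see doTest).
        doAcceptingTest(trustAnchor, certs, crls, null);
    }

    /**
     * Builds the path with the given initial policy set and asserts the reviewer accepts it.
     *
     * @param policies initial policy OIDs, or {@code null} for no policy constraints
     * @throws Exception if the path cannot be built or reviewed
     */
    private void doAcceptingTest(String trustAnchor, String[] certs, String[] crls, Set policies)
            throws Exception {
        PKIXCertPathReviewer result = doTest(trustAnchor, certs, crls, policies);
        if (!result.isValidCertPath()) {
            fail("path rejected when should be accepted");
        }
    }

    /**
     * Builds the path with no initial policy set and asserts the reviewer rejects it with the
     * expected first error.
     *
     * @param index     error-list index passed to {@code getErrors}; tests use -1 for policy
     *                  (path-level) errors and 0/1 for a specific certificate in the path
     * @param messageId expected resource-bundle id of the first error at {@code index}
     * @param message   expected English/GMT rendering of that error
     * @throws Exception if the path cannot be built or reviewed
     */
    private void doErrorTest(String trustAnchor, String[] certs, String[] crls, int index,
            String messageId, String message) throws Exception {
        doErrorTest(trustAnchor, certs, crls, null, index, messageId, message);
    }

    /**
     * Builds the path with the given initial policy set and asserts the reviewer rejects it with
     * the expected first error at {@code index}.
     *
     * @param policies initial policy OIDs, or {@code null} for no policy constraints
     * @throws Exception if the path cannot be built or reviewed
     */
    private void doErrorTest(String trustAnchor, String[] certs, String[] crls, Set policies,
            int index, String messageId, String message) throws Exception {
        PKIXCertPathReviewer result = doTest(trustAnchor, certs, crls, policies);
        if (result.isValidCertPath()) {
            fail("path accepted when should be rejected");
        } else {
            List errors = result.getErrors(index);
            // A rejected path with no error at this index is a test-data or reviewer bug; report
            // it as an assertion rather than a NoSuchElementException from the iterator.
            assertFalse("no errors reported at index " + index, errors.isEmpty());

            ErrorBundle msg = (ErrorBundle) errors.iterator().next();
            assertEquals(messageId, msg.getId());
            // Fixed locale and zone so the expected strings above are stable across machines.
            assertEquals(message, msg.getText(Locale.ENGLISH, TimeZone.getTimeZone("GMT")));
        }
    }

    /** Reviews the path with no initial policy set. */
    private PKIXCertPathReviewer doTest(String trustAnchor, String[] certs, String[] crls)
            throws Exception {
        return doTest(trustAnchor, certs, crls, null);
    }

    /**
     * Loads the named trust anchor, certificates and CRLs from the PKITS data and runs
     * {@link PKIXCertPathReviewer} over them with revocation checking enabled.
     *
     * @param trustAnchor PKITS name of the trust anchor certificate
     * @param certs       PKITS names of the path certificates; the last entry is the end entity
     * @param crls        PKITS names of the CRLs placed in the cert store
     * @param policies    initial policy OIDs; when non-null, explicit policy is also required
     * @return the reviewer, ready for {@code isValidCertPath()} / {@code getErrors(int)}
     * @throws IllegalArgumentException if {@code certs} is empty
     * @throws Exception if any of the JCA factories or the reviewer fail
     */
    private PKIXCertPathReviewer doTest(String trustAnchor, String[] certs, String[] crls,
            Set policies) throws Exception {
        if (certs.length == 0) {
            throw new IllegalArgumentException("at least one certificate (the end entity) is required");
        }

        Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor));
        List certsAndCrls = new ArrayList();
        X509Certificate endCert = loadCert(certs[certs.length - 1]);

        // The path is built from the certificates in the order given, end entity last.
        for (int i = 0; i != certs.length - 1; i++) {
            certsAndCrls.add(loadCert(certs[i]));
        }

        certsAndCrls.add(endCert);

        CertPath certPath = CertificateFactory.getInstance("X.509", "BC")
                .generateCertPath(certsAndCrls);

        // The same list, now extended with the CRLs, backs the collection cert store.
        for (int i = 0; i != crls.length; i++) {
            certsAndCrls.add(loadCrl(crls[i]));
        }

        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(certsAndCrls), "BC");

        PKIXParameters params = new PKIXParameters(trustedSet);

        params.addCertStore(store);
        // Revocation is checked against the CRLs in the store, so every test supplies them.
        params.setRevocationEnabled(true);

        if (policies != null) {
            params.setExplicitPolicyRequired(true);
            params.setInitialPolicies(policies);
        }

        return new PKIXCertPathReviewer(certPath, params);
    }

    /**
     * Loads (and caches) the PKITS certificate {@code certs/<certName>.crt}.
     *
     * @throws IllegalStateException if the file cannot be read or parsed; the cause is attached
     */
    private X509Certificate loadCert(String certName) {
        X509Certificate cert = (X509Certificate) certs.get(certName);

        if (cert != null) {
            return cert;
        }

        try {
            InputStream in = new FileInputStream(getPkitsHome() + "/certs/" + certName + ".crt");

            try {
                CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");

                cert = (X509Certificate) fact.generateCertificate(in);
            } finally {
                in.close();
            }

            certs.put(certName, cert);

            return cert;
        } catch (Exception e) {
            throw loadFailure("exception loading certificate " + certName + ": " + e, e);
        }
    }

    /**
     * Loads (and caches) the PKITS CRL {@code crls/<crlName>.crl}.
     *
     * @throws IllegalStateException if the file cannot be read or parsed; the cause is attached
     */
    private X509CRL loadCrl(String crlName) throws Exception {
        // Look up in the CRL cache, not the certificate cache: the original lookup against
        // certs never hit and would have thrown ClassCastException on a name collision.
        X509CRL crl = (X509CRL) crls.get(crlName);

        if (crl != null) {
            return crl;
        }

        try {
            InputStream in = new FileInputStream(getPkitsHome() + "/crls/" + crlName + ".crl");

            try {
                CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");

                crl = (X509CRL) fact.generateCRL(in);
            } finally {
                in.close();
            }

            crls.put(crlName, crl);

            return crl;
        } catch (Exception e) {
            throw loadFailure("exception loading CRL: " + crlName, e);
        }
    }

    /**
     * Wraps a load failure as an {@link IllegalStateException} that keeps the original cause
     * so the JUnit report shows where the parse or I/O actually failed.
     */
    private static IllegalStateException loadFailure(String message, Exception cause) {
        IllegalStateException ise = new IllegalStateException(message);
        ise.initCause(cause);
        return ise;
    }

    /**
     * Builds the trust anchor from the named certificate, carrying the certificate's
     * NameConstraints extension (if present) as the anchor's name constraints.
     *
     * @throws Exception if the certificate cannot be loaded or the extension cannot be decoded
     */
    private TrustAnchor getTrustAnchor(String trustAnchorName) throws Exception {
        X509Certificate cert = loadCert(trustAnchorName);
        byte[] extBytes = cert.getExtensionValue(X509Extensions.NameConstraints.getId());

        if (extBytes == null) {
            return new TrustAnchor(cert, null);
        }

        // getExtensionValue returns the OCTET STRING wrapper; unwrap to the DER of the
        // NameConstraints value itself, which is what TrustAnchor expects.
        ASN1Encodable extValue = X509ExtensionUtil.fromExtensionValue(extBytes);

        return new TrustAnchor(cert, extValue.getDEREncoded());
    }

    /**
     * Resolves the PKITS data directory from the {@code bc.test.data.home} system property.
     * This is local, operator-supplied configuration, not untrusted input.
     *
     * @throws IllegalStateException if the property is not set
     */
    private String getPkitsHome() {
        String dataHome = System.getProperty(TEST_DATA_HOME);

        if (dataHome == null) {
            throw new IllegalStateException(TEST_DATA_HOME + " property not set");
        }

        return dataHome + "/PKITS";
    }

    public static void main(String[] args) throws Exception {
        junit.textui.TestRunner.run(suite());
    }

    /** Registers the BC provider once so the "BC" factories used above resolve. */
    public void setUp() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        }
    }

    public static Test suite() throws Exception {
        TestSuite suite = new TestSuite("NIST CertPath Tests");

        suite.addTestSuite(NistCertPathReviewerTest.class);

        return suite;
    }
}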
|