001: package org.bouncycastle.jce.provider.test.nist;
002:
003: import junit.framework.Test;
004: import junit.framework.TestCase;
005: import junit.framework.TestSuite;
006: import org.bouncycastle.asn1.ASN1Encodable;
007: import org.bouncycastle.asn1.x509.X509Extensions;
008: import org.bouncycastle.x509.extension.X509ExtensionUtil;
009:
010: import java.io.FileInputStream;
011: import java.io.InputStream;
012: import java.security.Security;
013: import java.security.cert.CertPath;
014: import java.security.cert.CertPathValidator;
015: import java.security.cert.CertPathValidatorException;
016: import java.security.cert.CertStore;
017: import java.security.cert.CertificateFactory;
018: import java.security.cert.CollectionCertStoreParameters;
019: import java.security.cert.PKIXCertPathValidatorResult;
020: import java.security.cert.PKIXParameters;
021: import java.security.cert.TrustAnchor;
022: import java.security.cert.X509CRL;
023: import java.security.cert.X509Certificate;
024: import java.util.ArrayList;
025: import java.util.Arrays;
026: import java.util.Collections;
027: import java.util.HashMap;
028: import java.util.HashSet;
029: import java.util.List;
030: import java.util.Map;
031: import java.util.Set;
032:
033: /**
034: * NIST CertPath test data for RFC 3280
035: */
036: public class NistCertPathTest extends TestCase {
037: private static final String TEST_DATA_HOME = "bc.test.data.home";
038:
039: private static final String GOOD_CA_CERT = "GoodCACert";
040:
041: private static final String GOOD_CA_CRL = "GoodCACRL";
042:
043: private static final String TRUST_ANCHOR_ROOT_CRL = "TrustAnchorRootCRL";
044:
045: private static final String TRUST_ANCHOR_ROOT_CERTIFICATE = "TrustAnchorRootCertificate";
046:
047: private static final char[] PKCS12_PASSWORD = "password"
048: .toCharArray();
049:
050: private static String NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1";
051: private static String NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2";
052: private static String NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3";
053:
054: private static Map certs = new HashMap();
055: private static Map crls = new HashMap();
056:
057: private static Set noPolicies = Collections.EMPTY_SET;
058: private static Set nistTestPolicy1 = Collections
059: .singleton(NIST_TEST_POLICY_1);
060: private static Set nistTestPolicy2 = Collections
061: .singleton(NIST_TEST_POLICY_2);
062: private static Set nistTestPolicy3 = Collections
063: .singleton(NIST_TEST_POLICY_3);
064: private static Set nistTestPolicy1And2 = new HashSet(Arrays
065: .asList(new String[] { NIST_TEST_POLICY_1,
066: NIST_TEST_POLICY_2 }));
067:
068: public void setUp() {
069: if (Security.getProvider("BC") == null) {
070: Security
071: .addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
072: }
073: }
074:
075: public void testValidSignaturesTest1() throws Exception {
076: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
077: "ValidCertificatePathTest1EE", GOOD_CA_CERT },
078: new String[] { GOOD_CA_CRL, TRUST_ANCHOR_ROOT_CRL });
079: }
080:
081: public void testInvalidCASignatureTest2() throws Exception {
082: doExceptionTest(
083: TRUST_ANCHOR_ROOT_CERTIFICATE,
084: new String[] { "ValidCertificatePathTest1EE",
085: "BadSignedCACert" },
086: new String[] { "BadSignedCACRL", TRUST_ANCHOR_ROOT_CRL },
087: 1,
088: "TrustAnchor found but certificate validation failed.");
089: }
090:
091: public void testInvalidEESignatureTest3() throws Exception {
092: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
093: GOOD_CA_CERT, "InvalidEESignatureTest3EE" },
094: new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, 0,
095: "Could not validate certificate signature.");
096: }
097:
098: public void testValidDSASignaturesTest4() throws Exception {
099: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
100: "DSACACert", "ValidDSASignaturesTest4EE" },
101: new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" });
102: }
103:
104: public void testValidDSAParameterInheritanceTest5()
105: throws Exception {
106: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
107: "DSACACert", "DSAParametersInheritedCACert",
108: "ValidDSAParameterInheritanceTest5EE" }, new String[] {
109: TRUST_ANCHOR_ROOT_CRL, "DSACACRL",
110: "DSAParametersInheritedCACRL" });
111: }
112:
113: public void testInvalidDSASignaturesTest6() throws Exception {
114: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
115: "DSACACert", "InvalidDSASignatureTest6EE" },
116: new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }, 0,
117: "Could not validate certificate signature.");
118: }
119:
120: public void testCANotBeforeDateTest1() throws Exception {
121: doExceptionTest(
122: TRUST_ANCHOR_ROOT_CERTIFICATE,
123: new String[] { "BadnotBeforeDateCACert",
124: "InvalidCAnotBeforeDateTest1EE" },
125: new String[] { TRUST_ANCHOR_ROOT_CRL,
126: "BadnotBeforeDateCACRL" },
127: 1,
128: "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00");
129: }
130:
131: public void testInvalidEENotBeforeDateTest2() throws Exception {
132: doExceptionTest(
133: TRUST_ANCHOR_ROOT_CERTIFICATE,
134: new String[] { GOOD_CA_CERT,
135: "InvalidEEnotBeforeDateTest2EE" },
136: new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL },
137: 0,
138: "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00");
139: }
140:
141: public void testValidPre2000UTCNotBeforeDateTest3()
142: throws Exception {
143: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
144: GOOD_CA_CERT, "Validpre2000UTCnotBeforeDateTest3EE" },
145: new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL });
146: }
147:
148: public void testValidGeneralizedTimeNotBeforeDateTest4()
149: throws Exception {
150: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
151: GOOD_CA_CERT,
152: "ValidGeneralizedTimenotBeforeDateTest4EE" },
153: new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL });
154: }
155:
156: public void testInvalidCANotAfterDateTest5() throws Exception {
157: doExceptionTest(
158: TRUST_ANCHOR_ROOT_CERTIFICATE,
159: new String[] { "BadnotAfterDateCACert",
160: "InvalidCAnotAfterDateTest5EE" },
161: new String[] { TRUST_ANCHOR_ROOT_CRL,
162: "BadnotAfterDateCACRL" },
163: 1,
164: "Could not validate certificate: certificate expired on 20020101120100GMT+00:00");
165: }
166:
167: public void testInvalidEENotAfterDateTest6() throws Exception {
168: doExceptionTest(
169: TRUST_ANCHOR_ROOT_CERTIFICATE,
170: new String[] { GOOD_CA_CERT,
171: "InvalidEEnotAfterDateTest6EE" },
172: new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL },
173: 0,
174: "Could not validate certificate: certificate expired on 20020101120100GMT+00:00");
175: }
176:
177: public void testInvalidValidPre2000UTCNotAfterDateTest7()
178: throws Exception {
179: doExceptionTest(
180: TRUST_ANCHOR_ROOT_CERTIFICATE,
181: new String[] { GOOD_CA_CERT,
182: "Invalidpre2000UTCEEnotAfterDateTest7EE" },
183: new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL },
184: 0,
185: "Could not validate certificate: certificate expired on 19990101120100GMT+00:00");
186: }
187:
188: public void testInvalidNegativeSerialNumberTest15()
189: throws Exception {
190: doExceptionTest(
191: TRUST_ANCHOR_ROOT_CERTIFICATE,
192: new String[] { "NegativeSerialNumberCACert",
193: "InvalidNegativeSerialNumberTest15EE" },
194: new String[] { TRUST_ANCHOR_ROOT_CRL,
195: "NegativeSerialNumberCACRL" },
196: 0,
197: "Certificate revocation after Fri Apr 20 00:57:20 EST 2001, reason: keyCompromise");
198: }
199:
200: //
201: // 4.8 Certificate Policies
202: //
203: public void testAllCertificatesSamePolicyTest1() throws Exception {
204: String[] certList = new String[] { GOOD_CA_CERT,
205: "ValidCertificatePathTest1EE" };
206: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
207: GOOD_CA_CRL };
208:
209: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
210: noPolicies);
211:
212: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
213: nistTestPolicy1);
214:
215: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
216: crlList, nistTestPolicy2, -1,
217: "Path processing failed on policy.");
218:
219: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
220: nistTestPolicy1And2);
221: }
222:
223: public void testAllCertificatesNoPoliciesTest2() throws Exception {
224: doTest(
225: TRUST_ANCHOR_ROOT_CERTIFICATE,
226: new String[] { "NoPoliciesCACert",
227: "AllCertificatesNoPoliciesTest2EE" },
228: new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" });
229:
230: doExceptionTest(
231: TRUST_ANCHOR_ROOT_CERTIFICATE,
232: new String[] { "NoPoliciesCACert",
233: "AllCertificatesNoPoliciesTest2EE" },
234: new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" },
235: noPolicies, -1,
236: "No valid policy tree found when one expected.");
237: }
238:
239: public void testDifferentPoliciesTest3() throws Exception {
240: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
241: GOOD_CA_CERT, "PoliciesP2subCACert",
242: "DifferentPoliciesTest3EE" }, new String[] {
243: TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL,
244: "PoliciesP2subCACRL" });
245:
246: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
247: GOOD_CA_CERT, "PoliciesP2subCACert",
248: "DifferentPoliciesTest3EE" }, new String[] {
249: TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL,
250: "PoliciesP2subCACRL" }, noPolicies, -1,
251: "No valid policy tree found when one expected.");
252:
253: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
254: GOOD_CA_CERT, "PoliciesP2subCACert",
255: "DifferentPoliciesTest3EE" }, new String[] {
256: TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL,
257: "PoliciesP2subCACRL" }, nistTestPolicy1And2, -1,
258: "No valid policy tree found when one expected.");
259: }
260:
261: public void testDifferentPoliciesTest4() throws Exception {
262: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
263: GOOD_CA_CERT, "GoodsubCACert",
264: "DifferentPoliciesTest4EE" }, new String[] {
265: TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "GoodsubCACRL" },
266: -1, "No valid policy tree found when one expected.");
267: }
268:
269: public void testDifferentPoliciesTest5() throws Exception {
270: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, new String[] {
271: GOOD_CA_CERT, "PoliciesP2subCA2Cert",
272: "DifferentPoliciesTest5EE" }, new String[] {
273: TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL,
274: "PoliciesP2subCA2CRL" }, -1,
275: "No valid policy tree found when one expected.");
276: }
277:
278: public void testOverlappingPoliciesTest6() throws Exception {
279: String[] certList = new String[] { "PoliciesP1234CACert",
280: "PoliciesP1234subCAP123Cert",
281: "PoliciesP1234subsubCAP123P12Cert",
282: "OverlappingPoliciesTest6EE" };
283: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
284: "PoliciesP1234CACRL", "PoliciesP1234subCAP123CRL",
285: "PoliciesP1234subsubCAP123P12CRL" };
286:
287: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
288:
289: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
290: nistTestPolicy1);
291:
292: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
293: crlList, nistTestPolicy2, -1,
294: "Path processing failed on policy.");
295: }
296:
297: public void testDifferentPoliciesTest7() throws Exception {
298: String[] certList = new String[] { "PoliciesP123CACert",
299: "PoliciesP123subCAP12Cert",
300: "PoliciesP123subsubCAP12P1Cert",
301: "DifferentPoliciesTest7EE" };
302: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
303: "PoliciesP123CACRL", "PoliciesP123subCAP12CRL",
304: "PoliciesP123subsubCAP12P1CRL" };
305:
306: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
307: crlList, -1,
308: "No valid policy tree found when one expected.");
309: }
310:
311: public void testDifferentPoliciesTest8() throws Exception {
312: String[] certList = new String[] { "PoliciesP12CACert",
313: "PoliciesP12subCAP1Cert",
314: "PoliciesP12subsubCAP1P2Cert",
315: "DifferentPoliciesTest8EE" };
316: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
317: "PoliciesP12CACRL", "PoliciesP12subCAP1CRL",
318: "PoliciesP12subsubCAP1P2CRL" };
319:
320: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
321: crlList, -1,
322: "No valid policy tree found when one expected.");
323: }
324:
325: public void testDifferentPoliciesTest9() throws Exception {
326: String[] certList = new String[] { "PoliciesP123CACert",
327: "PoliciesP123subCAP12Cert",
328: "PoliciesP123subsubCAP12P2Cert",
329: "PoliciesP123subsubsubCAP12P2P1Cert",
330: "DifferentPoliciesTest9EE" };
331: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
332: "PoliciesP123CACRL", "PoliciesP123subCAP12CRL",
333: "PoliciesP123subsubCAP2P2CRL",
334: "PoliciesP123subsubsubCAP12P2P1CRL" };
335:
336: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
337: crlList, -1,
338: "No valid policy tree found when one expected.");
339: }
340:
341: public void testAllCertificatesSamePoliciesTest10()
342: throws Exception {
343: String[] certList = new String[] { "PoliciesP12CACert",
344: "AllCertificatesSamePoliciesTest10EE" };
345: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
346: "PoliciesP12CACRL" };
347:
348: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
349: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
350: nistTestPolicy1);
351: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
352: nistTestPolicy2);
353: }
354:
355: public void testAllCertificatesAnyPolicyTest11() throws Exception {
356: String[] certList = new String[] { "anyPolicyCACert",
357: "AllCertificatesanyPolicyTest11EE" };
358: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
359: "anyPolicyCACRL" };
360:
361: PKIXCertPathValidatorResult result = doTest(
362: TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
363:
364: result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
365: crlList, nistTestPolicy1);
366: }
367:
368: public void testDifferentPoliciesTest12() throws Exception {
369: String[] certList = new String[] { "PoliciesP3CACert",
370: "DifferentPoliciesTest12EE" };
371: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
372: "PoliciesP3CACRL" };
373:
374: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
375: crlList, -1,
376: "No valid policy tree found when one expected.");
377: }
378:
379: public void testAllCertificatesSamePoliciesTest13()
380: throws Exception {
381: String[] certList = new String[] { "PoliciesP123CACert",
382: "AllCertificatesSamePoliciesTest13EE" };
383: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
384: "PoliciesP123CACRL" };
385:
386: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
387: nistTestPolicy1);
388: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
389: nistTestPolicy2);
390: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
391: nistTestPolicy3);
392: }
393:
394: public void testAnyPolicyTest14() throws Exception {
395: String[] certList = new String[] { "anyPolicyCACert",
396: "AnyPolicyTest14EE" };
397: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
398: "anyPolicyCACRL" };
399:
400: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
401: nistTestPolicy1);
402: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
403: crlList, nistTestPolicy2, -1,
404: "Path processing failed on policy.");
405: }
406:
407: public void testUserNoticeQualifierTest15() throws Exception {
408: String[] certList = new String[] { "UserNoticeQualifierTest15EE" };
409: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL };
410:
411: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
412: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
413: nistTestPolicy1);
414: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
415: crlList, nistTestPolicy2, -1,
416: "Path processing failed on policy.");
417: }
418:
419: public void testUserNoticeQualifierTest16() throws Exception {
420: String[] certList = new String[] { GOOD_CA_CERT,
421: "UserNoticeQualifierTest16EE" };
422: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
423: GOOD_CA_CRL };
424:
425: PKIXCertPathValidatorResult result = doTest(
426: TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
427:
428: result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
429: crlList, nistTestPolicy1);
430:
431: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
432: crlList, nistTestPolicy2, -1,
433: "Path processing failed on policy.");
434: }
435:
436: public void testUserNoticeQualifierTest17() throws Exception {
437: String[] certList = new String[] { GOOD_CA_CERT,
438: "UserNoticeQualifierTest17EE" };
439: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
440: GOOD_CA_CRL };
441:
442: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList);
443: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
444: nistTestPolicy1);
445: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
446: crlList, nistTestPolicy2, -1,
447: "Path processing failed on policy.");
448: }
449:
450: public void testUserNoticeQualifierTest18() throws Exception {
451: String[] certList = new String[] { "PoliciesP12CACert",
452: "UserNoticeQualifierTest18EE" };
453: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL,
454: "PoliciesP12CACRL" };
455:
456: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
457: nistTestPolicy1);
458: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
459: nistTestPolicy2);
460: }
461:
462: public void testUserNoticeQualifierTest19() throws Exception {
463: String[] certList = new String[] { "UserNoticeQualifierTest19EE" };
464: String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL };
465:
466: doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList,
467: nistTestPolicy1);
468: doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList,
469: crlList, nistTestPolicy2, -1,
470: "Path processing failed on policy.");
471: }
472:
473: private void doExceptionTest(String trustAnchor, String[] certs,
474: String[] crls, int index, String message) throws Exception {
475: try {
476: doTest(trustAnchor, certs, crls);
477:
478: fail("path accepted when should be rejected");
479: } catch (CertPathValidatorException e) {
480: assertEquals(index, e.getIndex());
481: assertEquals(message, e.getMessage());
482: }
483: }
484:
485: private void doExceptionTest(String trustAnchor, String[] certs,
486: String[] crls, Set policies, int index, String message)
487: throws Exception {
488: try {
489: doTest(trustAnchor, certs, crls, policies);
490:
491: fail("path accepted when should be rejected");
492: } catch (CertPathValidatorException e) {
493: assertEquals(index, e.getIndex());
494: assertEquals(message, e.getMessage());
495: }
496: }
497:
498: private PKIXCertPathValidatorResult doTest(String trustAnchor,
499: String[] certs, String[] crls) throws Exception {
500: return doTest(trustAnchor, certs, crls, null);
501: }
502:
503: private PKIXCertPathValidatorResult doTest(String trustAnchor,
504: String[] certs, String[] crls, Set policies)
505: throws Exception {
506: Set trustedSet = Collections
507: .singleton(getTrustAnchor(trustAnchor));
508: List certsAndCrls = new ArrayList();
509: X509Certificate endCert = loadCert(certs[certs.length - 1]);
510:
511: for (int i = 0; i != certs.length - 1; i++) {
512: certsAndCrls.add(loadCert(certs[i]));
513: }
514:
515: certsAndCrls.add(endCert);
516:
517: CertPath certPath = CertificateFactory.getInstance("X.509",
518: "BC").generateCertPath(certsAndCrls);
519:
520: for (int i = 0; i != crls.length; i++) {
521: certsAndCrls.add(loadCrl(crls[i]));
522: }
523:
524: CertStore store = CertStore.getInstance("Collection",
525: new CollectionCertStoreParameters(certsAndCrls), "BC");
526:
527: CertPathValidator validator = CertPathValidator.getInstance(
528: "PKIX", "BC");
529: PKIXParameters params = new PKIXParameters(trustedSet);
530:
531: params.addCertStore(store);
532: params.setRevocationEnabled(true);
533:
534: if (policies != null) {
535: params.setExplicitPolicyRequired(true);
536: params.setInitialPolicies(policies);
537: }
538:
539: return (PKIXCertPathValidatorResult) validator.validate(
540: certPath, params);
541: }
542:
543: private X509Certificate loadCert(String certName) {
544: X509Certificate cert = (X509Certificate) certs.get(certName);
545:
546: if (cert != null) {
547: return cert;
548: }
549:
550: try {
551: InputStream in = new FileInputStream(getPkitsHome()
552: + "/certs/" + certName + ".crt");
553:
554: CertificateFactory fact = CertificateFactory.getInstance(
555: "X.509", "BC");
556:
557: cert = (X509Certificate) fact.generateCertificate(in);
558:
559: certs.put(certName, cert);
560:
561: return cert;
562: } catch (Exception e) {
563: throw new IllegalStateException(
564: "exception loading certificate " + certName + ": "
565: + e);
566: }
567: }
568:
569: private X509CRL loadCrl(String crlName) throws Exception {
570: X509CRL crl = (X509CRL) certs.get(crlName);
571:
572: if (crl != null) {
573: return crl;
574: }
575:
576: try {
577: InputStream in = new FileInputStream(getPkitsHome()
578: + "/crls/" + crlName + ".crl");
579:
580: CertificateFactory fact = CertificateFactory.getInstance(
581: "X.509", "BC");
582:
583: crl = (X509CRL) fact.generateCRL(in);
584:
585: crls.put(crlName, crl);
586:
587: return crl;
588: } catch (Exception e) {
589: throw new IllegalStateException("exception loading CRL: "
590: + crlName);
591: }
592: }
593:
594: private TrustAnchor getTrustAnchor(String trustAnchorName)
595: throws Exception {
596: X509Certificate cert = loadCert(trustAnchorName);
597: byte[] extBytes = cert
598: .getExtensionValue(X509Extensions.NameConstraints
599: .getId());
600:
601: if (extBytes != null) {
602: ASN1Encodable extValue = X509ExtensionUtil
603: .fromExtensionValue(extBytes);
604:
605: return new TrustAnchor(cert, extValue.getDEREncoded());
606: }
607:
608: return new TrustAnchor(cert, null);
609: }
610:
611: private String getPkitsHome() {
612: String dataHome = System.getProperty(TEST_DATA_HOME);
613:
614: if (dataHome == null) {
615: throw new IllegalStateException(TEST_DATA_HOME
616: + " property not set");
617: }
618:
619: return dataHome + "/PKITS";
620: }
621:
622: public static void main(String[] args) throws Exception {
623: junit.textui.TestRunner.run(suite());
624: }
625:
626: public static Test suite() throws Exception {
627: TestSuite suite = new TestSuite("NIST CertPath Tests");
628:
629: suite.addTestSuite(NistCertPathTest.class);
630:
631: return suite;
632: }
633: }
|