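/*
 * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/**
 * @test
 * @bug 8023362
 * @run main/othervm OcspUnauthorized
 * @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
 *          SOFT_FAIL option is set
 */

import java.io.ByteArrayInputStream;
import java.security.Security;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.*;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.Base64;
import java.util.Collections;
import java.util.EnumSet;

/**
 * Regression test for JDK-8023362.
 *
 * A single end-entity certificate is validated against its trust anchor
 * with a {@link PKIXRevocationChecker} configured with {@code SOFT_FAIL}
 * and {@code NO_FALLBACK}, and the checker is handed a canned OCSP
 * response whose status is UNAUTHORIZED. SOFT_FAIL is documented on
 * {@link Option#SOFT_FAIL} as excusing only cases where the revocation
 * status could not be determined (network errors, internalError/tryLater);
 * UNAUTHORIZED is a definitive answer from the responder and must still
 * fail validation. The test passes only if validation throws a
 * {@link CertPathValidatorException} that is that OCSP error, and not some
 * unrelated failure.
 */
public class OcspUnauthorized {

    /**
     * DER-encoded OCSPResponse with no responseBytes:
     * {@code 30 03 0A 01 06} == SEQUENCE { ENUMERATED 6 }, where 6 is the
     * OCSPResponseStatus value "unauthorized" (RFC 6960, section 4.2.1).
     */
    private static final String OCSP_RESPONSE = "MAMKAQY=";

    /** End-entity certificate under test (signed with MD5withRSA). */
    private static final String EE_CERT =
        "MIICADCCAWmgAwIBAgIEOvxUmjANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJ1czE" +
        "MMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRsYWJzMB4XDTAxMDUxNDIwNDQyMVoXDTI4MD" +
        "kyOTIwNDQyMVowOTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEb" +
        "GFiczENMAsGA1UECxMEaXNyZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4MmP" +
        "GDriFJ+OhDlTuLpHzPy0nawDKyIYUJPZmU9M/pCAUbZewAOyAXGPYVU1og2ZiO9tWBi" +
        "ZBeJGoFHEkkhfeqSVb2PsRckiXvPZ3AiSVmdX0uD/a963abmhRMYB1gDO2+jBe3F/DU" +
        "pHwpyThchy8tYUMh7Gr7+m/8FwZbdbSpMCAwEAAaMkMCIwDwYDVR0PAQH/BAUDAwekA" +
        "DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAME3fmXvES0FVDXSD1iC" +
        "TJLf86kUy3H+uMG7h5pOQmcfF1o9PVWlNByVf4r2b4GRgftPQ3Ao0SAvq1aSkW7YpkN" +
        "pcartYqNk2E5brPajOC0v+Pkxf/g/pkRTT6Zp+9erGQF4Ta62q0iwOyc3FovSbh0Ph2" +
        "WidZRP4qUG5I6JmGkI";

    /** Self-signed issuer of {@link #EE_CERT}, used as the trust anchor. */
    private static final String TRUST_ANCHOR =
        "MIICIzCCAYygAwIBAgIEOvxT7DANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJ1czE" +
        "MMAoGA1UEChMDc3VuMB4XDTAxMDUxNDIxMDQyOVoXDTI4MDkyOTIxMDQyOVowKjELMA" +
        "kGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEbGFiczCBnzANBgkqhkiG9" +
        "w0BAQEFAAOBjQAwgYkCgYEA0/16V87rhznCM0y7IqyGcfQBentG+PglA+1hiqCuQY/A" +
        "jFiDKr5N+LpcfU28P41E4M+DSDrMIEe4JchRcXeJY6aIVhpOveVV9mgtBaEKlsScrIJ" +
        "zmVqM07PG9JENg2FibECnB5TNUSfVbFKfvtAqaZ7Pc971oZVoIePBWnfKV9kCAwEAAa" +
        "NlMGMwPwYDVR0eAQH/BDUwM6AxMC+kKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1b" +
        "jENMAsGA1UECxMEbGFic4ABAzAPBgNVHQ8BAf8EBQMDB6QAMA8GA1UdEwEB/wQFMAMB" +
        "Af8wDQYJKoZIhvcNAQEEBQADgYEAfJ5HWd7K5PmX0+Vbsux4SYhoaejDwwgS43BRNa+" +
        "AmFq9LIZ+ZcjBMVte8Y3sJF+nz9+1qBaUhNhbaECCqsgmWSwvI+0kUzJXL89k9AdQ8m" +
        "AYf6CB6+kaZQBgrdSdqSGz3tCVa2MIK8wmb0ROM40oJ7vt3qSwgFi3UTltxkFfwQ0=";

    /** Exact substring the validator's message must carry on success. */
    private static final String EXPECTED_MESSAGE =
        "OCSP response error: UNAUTHORIZED";

    /** X.509 factory; initialised in {@link #main} before any decode. */
    private static CertificateFactory cf;
    private static final Base64.Decoder base64Decoder = Base64.getDecoder();

    /**
     * Runs the test.
     *
     * @param args ignored
     * @throws Exception if validation unexpectedly succeeds, or fails for a
     *         reason other than the UNAUTHORIZED OCSP response
     */
    public static void main(String[] args) throws Exception {
        // EE_CERT is signed with MD5withRSA, which the default
        // jdk.certpath.disabledAlgorithms policy rejects. Clearing the
        // policy is acceptable only because this test runs in its own VM
        // (@run main/othervm), so the weakened setting cannot leak into
        // other tests.
        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
        cf = CertificateFactory.getInstance("X.509");
        X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
        X509Certificate eeCert = getX509Cert(EE_CERT);
        CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert));

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker prc =
            (PKIXRevocationChecker) cpv.getRevocationChecker();
        // SOFT_FAIL is the option under test. NO_FALLBACK disables the
        // fallback to the other mechanism, so the canned OCSP response
        // below is the only source of revocation information the checker
        // can use.
        prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK));
        byte[] response = base64Decoder.decode(OCSP_RESPONSE);

        // Pre-supplied response: the checker uses it for eeCert instead of
        // contacting a live responder, keeping the test deterministic and
        // offline.
        prc.setOcspResponses(Collections.singletonMap(eeCert, response));

        TrustAnchor ta = new TrustAnchor(taCert, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(ta));

        params.addCertPathChecker(prc);

        try {
            cpv.validate(cp, params);
            // Not a CertPathValidatorException, so it escapes the catch below.
            throw new Exception("FAILED: expected CertPathValidatorException");
        } catch (CertPathValidatorException cpve) {
            cpve.printStackTrace();
            checkFailureIsOcspUnauthorized(cpve);
        }
    }

    /**
     * Verifies that the validation failure is the UNAUTHORIZED OCSP error
     * itself and not some other, unrelated failure.
     *
     * Both conditions are required: reason UNSPECIFIED and the OCSP error
     * text in the message. The earlier form joined the two checks with
     * {@code &&}, which accepted any failure whose reason is UNSPECIFIED
     * (the reason many non-revocation checks report), so a regression in
     * which the OCSP status was ignored could have been masked by an
     * unrelated validation failure. A null message is treated as a
     * mismatch rather than dereferenced.
     *
     * @param cpve the exception thrown by the validator
     * @throws Exception if the reason or message is not the expected one;
     *         {@code cpve} is attached as the cause
     */
    private static void checkFailureIsOcspUnauthorized(
            CertPathValidatorException cpve) throws Exception {
        String msg = cpve.getMessage();
        if (cpve.getReason() != BasicReason.UNSPECIFIED ||
                msg == null ||
                !msg.contains(EXPECTED_MESSAGE)) {
            throw new Exception("FAILED: unexpected " +
                "CertPathValidatorException reason", cpve);
        }
    }

    /**
     * Decodes a base64 DER certificate with the shared X.509 factory.
     *
     * @param enc base64-encoded DER X.509 certificate
     * @return the parsed certificate
     * @throws Exception if the base64 or DER cannot be parsed; also fails
     *         with a NullPointerException if called before {@link #main}
     *         has initialised {@code cf}
     */
    private static X509Certificate getX509Cert(String enc) throws Exception {
        byte[] bytes = base64Decoder.decode(enc);
        try (ByteArrayInputStream is = new ByteArrayInputStream(bytes)) {
            return (X509Certificate) cf.generateCertificate(is);
        }
    }
}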