public static void main(String[] args) throws Exception {
    // Build a one-element path (end-entity only) and validate it against the
    // trust anchor using a canned, pre-supplied OCSP response.
    cf = CertificateFactory.getInstance("X.509");
    X509Certificate anchorCert = getX509Cert(TRUST_ANCHOR);
    X509Certificate endEntity = getX509Cert(EE_CERT);
    CertPath path = cf.generateCertPath(Collections.singletonList(endEntity));

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    PKIXRevocationChecker revChecker =
            (PKIXRevocationChecker) validator.getRevocationChecker();
    // NO_FALLBACK keeps the checker from consulting CRLs, so the verdict
    // depends solely on the supplied OCSP response. SOFT_FAIL (per its
    // Javadoc) only forgives network errors and internalError/tryLater
    // responder statuses; any other failure must still surface.
    revChecker.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK));
    byte[] ocspBytes = base64Decoder.decode(OCSP_RESPONSE);
    revChecker.setOcspResponses(Collections.singletonMap(endEntity, ocspBytes));

    TrustAnchor anchor = new TrustAnchor(anchorCert, null);
    PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
    params.addCertPathChecker(revChecker);

    boolean rejected = false;
    try {
        validator.validate(path, params);
    } catch (CertPathValidatorException cpve) {
        // NOTE(review): any CertPathValidatorException is accepted here; the
        // reason and message are not inspected, so an unrelated validation
        // failure (e.g. a disabled signature algorithm) also passes this test.
        cpve.printStackTrace();
        rejected = true;
    }
    if (!rejected) {
        throw new Exception("FAILED: expected CertPathValidatorException");
    }
}
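public static void main(String[] args) throws Exception {
    // EE_CERT is signed with MD5withRSA, which the default value of
    // jdk.certpath.disabledAlgorithms rejects before revocation is ever
    // consulted. Clearing the property lets the path reach the OCSP check
    // that this test is about.
    // SECURITY: this lifts the algorithm constraints for the whole JVM; it
    // is only acceptable in a throwaway test process and must not be copied
    // into production code.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "");

    cf = CertificateFactory.getInstance("X.509");
    X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
    X509Certificate eeCert = getX509Cert(EE_CERT);
    CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert));

    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    PKIXRevocationChecker prc = (PKIXRevocationChecker) cpv.getRevocationChecker();
    // NO_FALLBACK: do not try CRLs, so the verdict depends solely on the
    // canned OCSP response supplied below. SOFT_FAIL (per its Javadoc) only
    // forgives network errors and internalError/tryLater responder statuses;
    // an UNAUTHORIZED status is a hard failure and must still surface.
    prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK));
    byte[] response = base64Decoder.decode(OCSP_RESPONSE);
    prc.setOcspResponses(Collections.singletonMap(eeCert, response));

    TrustAnchor ta = new TrustAnchor(taCert, null);
    PKIXParameters params = new PKIXParameters(Collections.singleton(ta));
    params.addCertPathChecker(prc);

    try {
        cpv.validate(cp, params);
        throw new Exception("FAILED: expected CertPathValidatorException");
    } catch (CertPathValidatorException cpve) {
        cpve.printStackTrace();
        // getMessage() may be null; a missing message counts as "not the
        // UNAUTHORIZED error" instead of failing the test with an NPE.
        String msg = cpve.getMessage();
        boolean unauthorizedMsg =
                msg != null && msg.contains("OCSP response error: UNAUTHORIZED");
        // NOTE(review): with '&&' an UNSPECIFIED-reason failure carrying any
        // other message also passes; '||' would pin the exact expected
        // failure. Left as-is pending confirmation of the reason the JDK
        // attaches to an UNAUTHORIZED response.
        if (cpve.getReason() != BasicReason.UNSPECIFIED && !unauthorizedMsg) {
            throw new Exception("FAILED: unexpected " + "CertPathValidatorException reason");
        }
    }
}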
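/**
 * Test a case where client-side stapling is attempted, but does not
 * occur because OCSP responders are unreachable. Client-side OCSP
 * checking is enabled for this, with SOFT_FAIL.
 *
 * The responders are switched back to accepting connections in a
 * {@code finally} block, so a failure in this case cannot leave them
 * rejecting connections for the cases that run after it.
 *
 * @throws Exception if the handshake fails on either side, or if the
 *         soft-failed revocation check was not recorded on the checker
 */
static void testSoftFailFallback() throws Exception {
    ClientParameters cliParams = new ClientParameters();
    ServerParameters servParams = new ServerParameters();
    serverReady = false;

    // make OCSP responders reject connections
    intOcsp.rejectConnections();
    rootOcsp.rejectConnections();
    try {
        System.out.println("=======================================");
        System.out.println("Stapling enbled in client and server,");
        System.out.println("but OCSP responders disabled.");
        System.out.println("PKIXParameters with Revocation checking");
        System.out.println("enabled and SOFT_FAIL.");
        System.out.println("=======================================");

        // Process-wide and not reset afterwards; later cases in this file
        // run with client-side OCSP enabled as well.
        Security.setProperty("ocsp.enable", "true");
        cliParams.pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        cliParams.pkixParams.setRevocationEnabled(true);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        cliParams.revChecker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // SOFT_FAIL: an unreachable responder must not fail the handshake;
        // the failure is recorded on the checker instead (verified below).
        cliParams.revChecker.setOptions(EnumSet.of(Option.SOFT_FAIL));

        SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, servParams);
        TestResult tr = sslTest.getResult();
        if (tr.clientExc != null) {
            throw tr.clientExc;
        } else if (tr.serverExc != null) {
            throw tr.serverExc;
        }

        // make sure getSoftFailExceptions is not empty: a handshake that
        // silently skipped the revocation check would otherwise look the same
        if (cliParams.revChecker.getSoftFailExceptions().isEmpty()) {
            throw new Exception("No soft fail exceptions");
        }

        System.out.println(" PASS");
        System.out.println("=======================================\n");
    } finally {
        // Make OCSP responders accept connections (also on failure)
        intOcsp.acceptConnections();
        rootOcsp.acceptConnections();
    }

    // Wait 5 seconds for server ready
    for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
        Thread.sleep(50);
    }
    if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
        throw new RuntimeException("Server not ready yet");
    }
}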
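public static void main(String[] args) throws Exception {
    // Exercise the PKIXRevocationChecker getter/setter contract on a fresh
    // checker: defaults, round-trips, reset-on-null, and instance identity.
    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    CertPathChecker cpc = cpv.getRevocationChecker();
    PKIXRevocationChecker prc = (PKIXRevocationChecker) cpc;
    prc.init(false);

    System.out.println("Testing that get methods return null or " + "empty lists/sets/maps");
    requireNull(prc.getOcspResponder(), "getOcspResponder()");
    requireNull(prc.getOcspResponderCert(), "getOcspResponderCert()");
    requireEmpty(prc.getOcspExtensions(), "getOcspExtensions()");
    requireEmpty(prc.getOcspResponses(), "getOcspResponses()");
    requireEmpty(prc.getOptions(), "getOptions()");
    requireEmpty(prc.getSoftFailExceptions(), "getSoftFailExceptions()");

    System.out.println("Testing that get methods return same parameters " + "that are passed to set methods");
    URI uri = new URI("http://localhost");
    prc.setOcspResponder(uri);
    requireEquals(uri, prc.getOcspResponder(), "getOcspResponder()");

    X509Certificate cert = getCert();
    prc.setOcspResponderCert(cert);
    requireEquals(cert, prc.getOcspResponderCert(), "getOcspResponderCert()");

    // X509Certificate.getNonCriticalExtensionOIDs() is specified to return
    // null when the certificate has no extensions at all; guard so the loop
    // does not NPE on such a certificate (an empty list is then round-tripped).
    List<Extension> exts = new ArrayList<>();
    Set<String> nonCriticalOids = cert.getNonCriticalExtensionOIDs();
    if (nonCriticalOids != null) {
        for (String oid : nonCriticalOids) {
            System.out.println(oid);
            exts.add(new ExtensionImpl(oid, cert.getExtensionValue(oid), false));
        }
    }
    prc.setOcspExtensions(exts);
    requireEquals(exts, prc.getOcspExtensions(), "getOcspExtensions()");

    Set<Option> options = EnumSet.of(Option.ONLY_END_ENTITY);
    prc.setOptions(options);
    requireEquals(options, prc.getOptions(), "getOptions()");

    System.out.println("Testing that parameters are re-initialized to " + "default values if null is passed to set methods");
    prc.setOcspResponder(null);
    requireNull(prc.getOcspResponder(), "getOcspResponder()");
    prc.setOcspResponderCert(null);
    requireNull(prc.getOcspResponderCert(), "getOcspResponderCert()");
    prc.setOcspExtensions(null);
    requireEmpty(prc.getOcspExtensions(), "getOcspExtensions()");
    prc.setOcspResponses(null);
    requireEmpty(prc.getOcspResponses(), "getOcspResponses()");
    prc.setOptions(null);
    requireEmpty(prc.getOptions(), "getOptions()");

    // A shared checker instance would let one validation's state (e.g. soft
    // fail exceptions) leak into another; each call must hand out a new one.
    System.out.println("Testing that getRevocationChecker returns new " + "instance each time");
    CertPathChecker first = cpv.getRevocationChecker();
    CertPathChecker second = cpv.getRevocationChecker();
    if (first == second) {
        throw new Exception("FAILED: CertPathCheckers not new instances");
    }
    CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
    first = cpb.getRevocationChecker();
    second = cpb.getRevocationChecker();
    if (first == second) {
        throw new Exception("FAILED: CertPathCheckers not new instances");
    }
}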
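/**
 * Test a case where client-side stapling is attempted, but does not
 * occur because OCSP responders are unreachable. Client-side OCSP
 * checking is enabled for this, with SOFT_FAIL.
 *
 * The responders are restarted in a {@code finally} block, so a failure in
 * this case cannot leave them stopped for the cases that run after it.
 *
 * @throws Exception if the handshake fails on either side, or if the
 *         soft-failed revocation check was not recorded on the checker
 */
static void testSoftFailFallback() throws Exception {
    ClientParameters cliParams = new ClientParameters();
    ServerParameters servParams = new ServerParameters();
    serverReady = false;

    // Stop the OCSP responders and give a 1 second delay before
    // running the test.
    intOcsp.stop();
    rootOcsp.stop();
    Thread.sleep(1000);
    try {
        System.out.println("=======================================");
        System.out.println("Stapling enbled in client and server,");
        System.out.println("but OCSP responders disabled.");
        System.out.println("PKIXParameters with Revocation checking");
        System.out.println("enabled and SOFT_FAIL.");
        System.out.println("=======================================");

        // Process-wide and not reset afterwards; later cases in this file
        // run with client-side OCSP enabled as well.
        Security.setProperty("ocsp.enable", "true");
        cliParams.pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        cliParams.pkixParams.setRevocationEnabled(true);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        cliParams.revChecker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // SOFT_FAIL: an unreachable responder must not fail the handshake;
        // the failure is recorded on the checker instead (verified below).
        cliParams.revChecker.setOptions(EnumSet.of(Option.SOFT_FAIL));

        SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams, servParams);
        TestResult tr = sslTest.getResult();
        if (tr.clientExc != null) {
            throw tr.clientExc;
        } else if (tr.serverExc != null) {
            throw tr.serverExc;
        }

        // make sure getSoftFailExceptions is not empty: a handshake that
        // silently skipped the revocation check would otherwise look the same
        // (mirrors the rejectConnections() variant of this case)
        if (cliParams.revChecker.getSoftFailExceptions().isEmpty()) {
            throw new Exception("No soft fail exceptions");
        }

        System.out.println(" PASS");
        System.out.println("=======================================\n");
    } finally {
        // Start the OCSP responders up again (also on failure)
        intOcsp.start();
        rootOcsp.start();
    }

    // Wait 5 seconds for server ready
    for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
        Thread.sleep(50);
    }
    if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
        throw new RuntimeException("Server not ready yet");
    }
}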