changeset 5860:b0bfa441d70f
7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)
Reviewed-by: mullan, xuelei, weijun
Contributed-by: jason.uh@oracle.com
author | mullan |
---|---|
date | Thu, 02 Aug 2012 10:40:24 -0400 |
parents | 9a5a3741bac9 |
children | 4e8bafdcefda |
files | src/share/classes/java/security/cert/Certificate.java src/share/classes/java/security/cert/X509CRL.java src/share/classes/java/security/cert/X509Certificate.java src/share/classes/sun/security/x509/X509CRLImpl.java src/share/classes/sun/security/x509/X509CertImpl.java test/sun/security/x509/X509CRLImpl/Verify.java test/sun/security/x509/X509CertImpl/Verify.java |
diffstat | 7 files changed, 493 insertions(+), 2 deletions(-) [+] |
--- a/src/share/classes/java/security/cert/Certificate.java Wed Aug 01 11:08:11 2012 -0400
+++ b/src/share/classes/java/security/cert/Certificate.java Thu Aug 02 10:40:24 2012 -0400
@@ -27,6 +27,7 @@
 import java.util.Arrays;
+import java.security.Provider;
 import java.security.PublicKey;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
@@ -187,6 +188,35 @@
 SignatureException;
 /**
+ * Verifies that this certificate was signed using the
+ * private key that corresponds to the specified public key.
+ * This method uses the signature verification engine
+ * supplied by the specified provider. Note that the specified
+ * Provider object does not have to be registered in the provider list.
+ *
+ * <p> This method was added to version 1.8 of the Java Platform
+ * Standard Edition. In order to maintain backwards compatibility with
+ * existing service providers, this method cannot be <code>abstract</code>
+ * and by default throws an <code>UnsupportedOperationException</code>.
+ *
+ * @param key the PublicKey used to carry out the verification.
+ * @param sigProvider the signature provider.
+ *
+ * @exception NoSuchAlgorithmException on unsupported signature
+ * algorithms.
+ * @exception InvalidKeyException on incorrect key.
+ * @exception SignatureException on signature errors.
+ * @exception CertificateException on encoding errors.
+ * @exception UnsupportedOperationException if the method is not supported
+ * @since 1.8
+ */
+ public void verify(PublicKey key, Provider sigProvider)
+ throws CertificateException, NoSuchAlgorithmException,
+ InvalidKeyException, SignatureException {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
 * Returns a string representation of this certificate.
 *
 * @return a string representation of this certificate.
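Review bot: The new Javadoc for `verify(PublicKey, Provider)` does not say what a null `sigProvider` means, and the same wording is repeated in the X509CRL.java and X509Certificate.java hunks. The implementations added to X509CRLImpl and X509CertImpl in this changeset treat null as "use the default lookup" through `Signature.getInstance(name)`, so a caller that meant to pin the verification engine and passes the null result of a provider lookup silently gets an unpinned check. Either document that fallback, e.g. `@param sigProvider the signature provider, or {@code null} to use the default provider search order.`, or reject null in the implementations. The enclosing class body lies outside the hunk.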
--- a/src/share/classes/java/security/cert/X509CRL.java Wed Aug 01 11:08:11 2012 -0400
+++ b/src/share/classes/java/security/cert/X509CRL.java Thu Aug 02 10:40:24 2012 -0400
@@ -30,6 +30,7 @@
 import java.security.InvalidKeyException;
 import java.security.SignatureException;
 import java.security.Principal;
+import java.security.Provider;
 import java.security.PublicKey;
 import javax.security.auth.x500.X500Principal;
@@ -216,6 +217,34 @@
 SignatureException;
 /**
+ * Verifies that this CRL was signed using the
+ * private key that corresponds to the given public key.
+ * This method uses the signature verification engine
+ * supplied by the given provider. Note that the specified Provider object
+ * does not have to be registered in the provider list.
+ *
+ * This method was added to version 1.8 of the Java Platform Standard
+ * Edition. In order to maintain backwards compatibility with existing
+ * service providers, this method is not <code>abstract</code>
+ * and it provides a default implementation.
+ *
+ * @param key the PublicKey used to carry out the verification.
+ * @param sigProvider the signature provider.
+ *
+ * @exception NoSuchAlgorithmException on unsupported signature
+ * algorithms.
+ * @exception InvalidKeyException on incorrect key.
+ * @exception SignatureException on signature errors.
+ * @exception CRLException on encoding errors.
+ * @since 1.8
+ */
+ public void verify(PublicKey key, Provider sigProvider)
+ throws CRLException, NoSuchAlgorithmException,
+ InvalidKeyException, SignatureException {
+ X509CRLImpl.verify(this, key, sigProvider);
+ }
+
+ /**
 * Gets the <code>version</code> (version number) value from the CRL.
 * The ASN.1 definition for this is:
 * <pre>
--- a/src/share/classes/java/security/cert/X509Certificate.java Wed Aug 01 11:08:11 2012 -0400
+++ b/src/share/classes/java/security/cert/X509Certificate.java Thu Aug 02 10:40:24 2012 -0400
@@ -26,8 +26,7 @@
 package java.security.cert;
 import java.math.BigInteger;
-import java.security.Principal;
-import java.security.PublicKey;
+import java.security.*;
 import java.util.Collection;
 import java.util.Date;
 import java.util.List;
@@ -640,4 +639,33 @@
 throws CertificateParsingException {
 return X509CertImpl.getIssuerAlternativeNames(this);
 }
+
+ /**
+ * Verifies that this certificate was signed using the
+ * private key that corresponds to the specified public key.
+ * This method uses the signature verification engine
+ * supplied by the specified provider. Note that the specified
+ * Provider object does not have to be registered in the provider list.
+ *
+ * This method was added to version 1.8 of the Java Platform Standard
+ * Edition. In order to maintain backwards compatibility with existing
+ * service providers, this method is not <code>abstract</code>
+ * and it provides a default implementation.
+ *
+ * @param key the PublicKey used to carry out the verification.
+ * @param sigProvider the signature provider.
+ *
+ * @exception NoSuchAlgorithmException on unsupported signature
+ * algorithms.
+ * @exception InvalidKeyException on incorrect key.
+ * @exception SignatureException on signature errors.
+ * @exception CertificateException on encoding errors.
+ * @exception UnsupportedOperationException if the method is not supported
+ * @since 1.8
+ */
+ public void verify(PublicKey key, Provider sigProvider)
+ throws CertificateException, NoSuchAlgorithmException,
+ InvalidKeyException, SignatureException {
+ X509CertImpl.verify(this, key, sigProvider);
+ }
 }
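Review bot: The `@exception UnsupportedOperationException if the method is not supported` tag in the added Javadoc does not match the body, which delegates to `X509CertImpl.verify(this, key, sigProvider)` and has no visible path that throws it. The tag looks carried over from Certificate.java, where the default does throw; drop it here or state the real condition if one is intended. The paragraph starting "This method was added" also lacks the `<p>` that the Certificate.java version has, so it will run into the preceding paragraph in rendered Javadoc.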
--- a/src/share/classes/sun/security/x509/X509CRLImpl.java Wed Aug 01 11:08:11 2012 -0400
+++ b/src/share/classes/sun/security/x509/X509CRLImpl.java Thu Aug 02 10:40:24 2012 -0400
@@ -32,6 +32,7 @@
 import java.security.Principal;
 import java.security.PublicKey;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.Signature;
 import java.security.NoSuchAlgorithmException;
 import java.security.InvalidKeyException;
@@ -399,6 +400,61 @@
 }
 /**
+ * Verifies that this CRL was signed using the
+ * private key that corresponds to the given public key,
+ * and that the signature verification was computed by
+ * the given provider. Note that the specified Provider object
+ * does not have to be registered in the provider list.
+ *
+ * @param key the PublicKey used to carry out the verification.
+ * @param sigProvider the signature provider.
+ *
+ * @exception NoSuchAlgorithmException on unsupported signature
+ * algorithms.
+ * @exception InvalidKeyException on incorrect key.
+ * @exception SignatureException on signature errors.
+ * @exception CRLException on encoding errors.
+ */
+ public synchronized void verify(PublicKey key, Provider sigProvider)
+ throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
+ SignatureException {
+
+ if (signedCRL == null) {
+ throw new CRLException("Uninitialized CRL");
+ }
+ Signature sigVerf = null;
+ if (sigProvider == null) {
+ sigVerf = Signature.getInstance(sigAlgId.getName());
+ } else {
+ sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
+ }
+ sigVerf.initVerify(key);
+
+ if (tbsCertList == null) {
+ throw new CRLException("Uninitialized CRL");
+ }
+
+ sigVerf.update(tbsCertList, 0, tbsCertList.length);
+
+ if (!sigVerf.verify(signature)) {
+ throw new SignatureException("Signature does not match.");
+ }
+ verifiedPublicKey = key;
+ }
+
+ /**
+ * This static method is the default implementation of the
+ * verify(PublicKey key, Provider sigProvider) method in X509CRL.
+ * Called from java.security.cert.X509CRL.verify(PublicKey key,
+ * Provider sigProvider)
+ */
+ public static void verify(X509CRL crl, PublicKey key,
+ Provider sigProvider) throws CRLException,
+ NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+ crl.verify(key, sigProvider);
+ }
+
+ /**
 * Encodes an X.509 CRL, and signs it using the given key.
 *
 * @param key the private key used for signing.
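Review bot: The static helper at the end of this hunk calls `crl.verify(key, sigProvider)`, which for any X509CRL subclass that does not override the new method resolves to the default body added in X509CRL.java, and that body calls this helper again, so the call never terminates. Only X509CRLImpl instances reach a real signature check, which defeats the stated goal of giving existing providers a working default. The helper should dispatch to the instance method for X509CRLImpl and otherwise verify through the public accessors, as sketched below. The `verify(X509Certificate cert, ...)` helper in the X509CertImpl.java hunk has the same shape and needs the equivalent change using `getSigAlgName()`, `getTBSCertificate()` and `getSignature()`.

```java
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    // Only this implementation has its own override; every other subclass
    // inherits X509CRL.verify, which calls back into this helper.
    if (crl instanceof X509CRLImpl) {
        ((X509CRLImpl) crl).verify(key, sigProvider);
        return;
    }
    String sigName = crl.getSigAlgName();
    Signature sig = (sigProvider == null)
        ? Signature.getInstance(sigName)
        : Signature.getInstance(sigName, sigProvider);
    sig.initVerify(key);
    byte[] tbs = crl.getTBSCertList();
    sig.update(tbs, 0, tbs.length);
    if (!sig.verify(crl.getSignature())) {
        throw new SignatureException("Signature does not match.");
    }
}
```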
--- a/src/share/classes/sun/security/x509/X509CertImpl.java Wed Aug 01 11:08:11 2012 -0400
+++ b/src/share/classes/sun/security/x509/X509CertImpl.java Thu Aug 02 10:40:24 2012 -0400
@@ -453,6 +453,62 @@
 }
 /**
+ * Throws an exception if the certificate was not signed using the
+ * verification key provided. This method uses the signature verification
+ * engine supplied by the specified provider. Note that the specified
+ * Provider object does not have to be registered in the provider list.
+ * Successfully verifying a certificate does <em>not</em> indicate that one
+ * should trust the entity which it represents.
+ *
+ * @param key the public key used for verification.
+ * @param sigProvider the provider.
+ *
+ * @exception NoSuchAlgorithmException on unsupported signature
+ * algorithms.
+ * @exception InvalidKeyException on incorrect key.
+ * @exception SignatureException on signature errors.
+ * @exception CertificateException on encoding errors.
+ */
+ public synchronized void verify(PublicKey key, Provider sigProvider)
+ throws CertificateException, NoSuchAlgorithmException,
+ InvalidKeyException, SignatureException {
+ if (signedCert == null) {
+ throw new CertificateEncodingException("Uninitialized certificate");
+ }
+ // Verify the signature ...
+ Signature sigVerf = null;
+ if (sigProvider == null) {
+ sigVerf = Signature.getInstance(algId.getName());
+ } else {
+ sigVerf = Signature.getInstance(algId.getName(), sigProvider);
+ }
+ sigVerf.initVerify(key);
+
+ byte[] rawCert = info.getEncodedInfo();
+ sigVerf.update(rawCert, 0, rawCert.length);
+
+ // verify may throw SignatureException for invalid encodings, etc.
+ verificationResult = sigVerf.verify(signature);
+ verifiedPublicKey = key;
+
+ if (verificationResult == false) {
+ throw new SignatureException("Signature does not match.");
+ }
+ }
+
+ /**
+ * This static method is the default implementation of the
+ * verify(PublicKey key, Provider sigProvider) method in X509Certificate.
+ * Called from java.security.cert.X509Certificate.verify(PublicKey key,
+ * Provider sigProvider)
+ */
+ public static void verify(X509Certificate cert, PublicKey key,
+ Provider sigProvider) throws CertificateException,
+ NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+ cert.verify(key, sigProvider);
+ }
+
+ /**
 * Creates an X.509 certificate, and signs it using the given key
 * (associating a signature algorithm and an X.500 name).
 * This operation is used to implement the certificate generation
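Review bot: The instance `verify` writes `verificationResult` and `verifiedPublicKey` after running the check on a caller-supplied Provider object, without recording which provider produced the result. Those fields are declared outside the hunk; if the existing overloads consult them to skip re-verification, an outcome computed by a provider that is not even registered could later be reused for a call that asked for a different engine. Keeping this overload out of the cache avoids that: use `if (!sigVerf.verify(signature)) { throw new SignatureException("Signature does not match."); }` in place of the two assignments and the `verificationResult == false` test. `X509CRLImpl.verify(PublicKey, Provider)` sets `verifiedPublicKey = key` in the same way and deserves the same look.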
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/x509/X509CRLImpl/Verify.java Thu Aug 02 10:40:24 2012 -0400
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7026347
+ * @summary X509CRL should have verify(PublicKey key, Provider sigProvider)
+ */
+
+import java.io.ByteArrayInputStream;
+import java.security.*;
+import java.security.cert.*;
+
+public class Verify {
+
+ static String selfSignedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+ "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+ "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+ "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+ "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+ "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+ "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+ "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+ "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+ "Vjw=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String crlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+ "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+ "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+ "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+ "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+ "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+ "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+ "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+ "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String crlStr =
+ "-----BEGIN X509 CRL-----\n" +
+ "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+ "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+ "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+ "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+ "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+ "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+ "-----END X509 CRL-----";
+
+ private static X509CRL crl;
+ private static PublicKey selfSignedCertPubKey;
+ private static PublicKey crlIssuerCertPubKey;
+
+ public static void main(String[] args) throws Exception {
+ setup();
+
+ /*
+ * Verify CRL with its own public key.
+ * Should pass.
+ */
+ verifyCRL(crlIssuerCertPubKey, "SunRsaSign");
+
+ /*
+ * Try to verify CRL with a provider that does not have a Signature
+ * implementation.
+ * Should fail with NoSuchAlgorithmException.
+ */
+ try {
+ verifyCRL(crlIssuerCertPubKey, "SunPCSC");
+ throw new RuntimeException("Didn't catch the exception properly");
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Caught the correct exception.");
+ }
+
+ /*
+ * Try to verify CRL with a provider that has a Signature implementation
+ * but not of the right algorithm (MD5withRSA).
+ * Should fail with NoSuchAlgorithmException.
+ */
+ try {
+ verifyCRL(crlIssuerCertPubKey, "SUN");
+ throw new RuntimeException("Didn't catch the exception properly");
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Caught the correct exception.");
+ }
+
+ /*
+ * Try to verify CRL with the wrong public key.
+ * Should fail with SignatureException.
+ */
+ try {
+ verifyCRL(selfSignedCertPubKey, "SunRsaSign");
+ throw new RuntimeException("Didn't catch the exception properly");
+ } catch (SignatureException e) {
+ System.out.println("Caught the correct exception.");
+ }
+ }
+
+ private static void setup() throws CertificateException, CRLException {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ /* Create CRL */
+ ByteArrayInputStream inputStream =
+ new ByteArrayInputStream(crlStr.getBytes());
+ crl = (X509CRL)cf.generateCRL(inputStream);
+
+ /* Get public key of the CRL issuer cert */
+ inputStream = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+ X509Certificate cert
+ = (X509Certificate)cf.generateCertificate(inputStream);
+ crlIssuerCertPubKey = cert.getPublicKey();
+
+ /* Get public key of the self-signed Cert */
+ inputStream = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ selfSignedCertPubKey = cf.generateCertificate(inputStream).getPublicKey();
+ }
+
+ private static void verifyCRL(PublicKey key, String providerName)
+ throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
+ SignatureException {
+ Provider provider = Security.getProvider(providerName);
+ crl.verify(key, provider);
+ }
+}
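Review bot: `verifyCRL` passes the result of `Security.getProvider(providerName)` straight to `crl.verify`, and that lookup returns null when the named provider is not installed. With a null provider the implementation in this changeset falls back to the default lookup, so on a platform that lacks "SunPCSC" the negative case would likely verify successfully and the test would fail with "Didn't catch the exception properly" for a reason unrelated to the code under test. Add a guard after the lookup, `if (provider == null) { throw new RuntimeException("Provider not installed: " + providerName); }`, or skip that case when the provider is absent. `verifyCert` in X509CertImpl/Verify.java needs the same guard.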
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/x509/X509CertImpl/Verify.java Thu Aug 02 10:40:24 2012 -0400
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7026347
+ * @summary Certificate should have
+ * verify(PublicKey key, Provider sigProvider)
+ */
+
+import java.io.ByteArrayInputStream;
+import java.security.*;
+import java.security.cert.*;
+
+public class Verify {
+
+ static String selfSignedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+ "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+ "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+ "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+ "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+ "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+ "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+ "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+ "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+ "Vjw=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String crlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+ "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+ "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+ "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+ "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+ "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+ "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+ "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+ "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+ "-----END CERTIFICATE-----";
+
+ private static X509Certificate cert;
+ private static PublicKey selfSignedCertPubKey;
+ private static PublicKey crlIssuerCertPubKey;
+
+ public static void main(String[] args) throws Exception {
+ setup();
+
+ /*
+ * Verify certificate with its own public key.
+ * Should pass.
+ */
+ verifyCert(selfSignedCertPubKey,"SunRsaSign");
+
+ /*
+ * Try to verify certificate with a provider that does not have a
+ * Signature implementation.
+ * Should fail with NoSuchAlgorithmException.
+ */
+ try {
+ verifyCert(selfSignedCertPubKey, "SunPCSC");
+ throw new RuntimeException("Didn't catch the exception properly");
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Caught the correct exception.");
+ }
+
+ /*
+ * Try to verify certificate with a provider that has a Signature
+ * implementation but not of the right algorithm (MD5withRSA).
+ * Should fail with NoSuchAlgorithmException.
+ */
+ try {
+ verifyCert(selfSignedCertPubKey, "SUN");
+ throw new RuntimeException("Didn't catch the exception properly");
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Caught the correct exception.");
+ }
+
+ /*
+ * Try to verify certificate with the wrong public key.
+ * Should fail with SignatureException.
+ */
+ try {
+ verifyCert(crlIssuerCertPubKey, "SunRsaSign");
+ throw new RuntimeException("Didn't catch the exception properly");
+ } catch (SignatureException e) {
+ System.out.println("Caught the correct exception.");
+ }
+ }
+
+ private static void setup() throws CertificateException, CRLException {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ /* Get public key of the CRL issuer cert */
+ ByteArrayInputStream inputStream
+ = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+ cert = (X509Certificate)cf.generateCertificate(inputStream);
+ crlIssuerCertPubKey = cert.getPublicKey();
+
+ /* Get public key of the self-signed Cert */
+ inputStream = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ selfSignedCertPubKey = cf.generateCertificate(inputStream).getPublicKey();
+ }
+
+ private static void verifyCert(PublicKey key, String providerName)
+ throws CertificateException, NoSuchAlgorithmException,
+ InvalidKeyException, SignatureException {
+ Provider provider = Security.getProvider(providerName);
+ cert.verify(key, provider);
+ }
+}
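Review bot: Every case here runs against a certificate produced by `CertificateFactory.getInstance("X.509")`, so, assuming the factory returns the JDK's own implementation class, only that class's override is exercised and the default body added to `X509Certificate.verify(PublicKey, Provider)` is never run. A case that wraps the parsed certificate in a minimal `X509Certificate` subclass which does not override the new method would cover the path that third-party certificate implementations take. The CRL test in X509CRLImpl/Verify.java has the same gap for `X509CRL`.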