8293489: Accept CAs with BasicConstraints without pathLenConstraint
Reviewed-by: mullan
wangweij committed Sep 8, 2022
1 parent fc5f97f commit 986b834
Showing 1 changed file with 73 additions and 0 deletions.
@@ -0,0 +1,73 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @bug 8293489
* @summary Accept CAs with BasicConstraints without pathLenConstraint
* @library /test/lib
*/

import jdk.test.lib.SecurityTools;

import java.io.File;
import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class BasicConstraints12 {

public static void main(String[] args) throws Exception {

genkey("-dname CN=TrustAnchor -alias anchor");
genkey("-dname CN=IntermediateCA -alias ca -ext bc:critical -signer anchor");
genkey("-dname CN=Server -alias server -signer ca");

KeyStore full = KeyStore.getInstance(new File("ks"), "changeit".toCharArray());
X509Certificate anchor = (X509Certificate) full.getCertificate("anchor");
X509Certificate ca = (X509Certificate) full.getCertificate("ca");
X509Certificate server = (X509Certificate) full.getCertificate("server");

KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(null, null);
ks.setCertificateEntry("anchor", anchor);

TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);

X509TrustManager tm = (X509TrustManager)tmf.getTrustManagers()[0];

X509Certificate[] chain = new X509Certificate[] {server, ca, anchor};

System.out.println("Calling trustmanager...");

tm.checkServerTrusted(chain, "RSA");
System.out.println("Test ok");
}

static void genkey(String s) throws Exception {
SecurityTools.keytool("-storepass changeit -keystore ks -genkeypair -keyalg RSA " + s)
.shouldHaveExitValue(0);
}
}
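
Review bot: the test never asserts that the generated intermediate really carries BasicConstraints without a pathLenConstraint, which is the case named in @summary; it relies on `-ext bc:critical` in the second genkey call producing that shape. After `X509Certificate ca = (X509Certificate) full.getCertificate("ca");`, consider checking that `ca.getBasicConstraints()` equals `Integer.MAX_VALUE` (the value X509Certificate returns for a CA certificate with no path length limit) and failing the test otherwise, so that a change in keytool behaviour cannot leave this test passing without exercising the fix. Separately, only `TrustManagerFactory.getInstance("SunX509")` is exercised; a one-line comment saying why that algorithm is used rather than "PKIX" would help whoever maintains or backports this test.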

3 comments on commit 986b834

@openjdk-notifier

Member

@GoeLin GoeLin commented on 986b834 Oct 20, 2022

/backport jdk17u-dev

@openjdk openjdk bot commented on 986b834 Oct 20, 2022

@GoeLin the backport was successfully created on the branch GoeLin-backport-986b8341 in my personal fork of openjdk/jdk17u-dev. To create a pull request with this backport targeting openjdk/jdk17u-dev:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 986b8341 from the openjdk/jdk repository.

The commit being backported was authored by Weijun Wang on 8 Sep 2022 and was reviewed by Sean Mullan.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk17u-dev:

$ git fetch https://github.com/openjdk-bots/jdk17u-dev GoeLin-backport-986b8341:GoeLin-backport-986b8341
$ git checkout GoeLin-backport-986b8341
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk17u-dev GoeLin-backport-986b8341
