From 3aa21c4ba14dbad3e5506482afff55215e8707fb Mon Sep 17 00:00:00 2001 From: Aleksey Shipilev Date: Wed, 18 Dec 2024 15:11:34 +0100 Subject: [PATCH 1/3] Backport bfaf5704e7e71f968b716b5f448860e9cda721b4 --- .../classes/sun/security/x509/DNSName.java | 12 +- .../security/x509/DNSName/LeadingPeriod.java | 113 ++++++++++++++++++ .../x509/DNSName/certs/generate-certs.sh | 91 ++++++++++++++ .../security/x509/DNSName/certs/openssl.cnf | 40 +++++++ .../DNSName/certs/withLeadingPeriod/ca.pem | 16 +++ .../DNSName/certs/withLeadingPeriod/leaf.pem | 12 ++ .../DNSName/certs/withoutLeadingPeriod/ca.pem | 16 +++ .../certs/withoutLeadingPeriod/leaf.pem | 12 ++ 8 files changed, 303 insertions(+), 9 deletions(-) create mode 100644 test/jdk/sun/security/x509/DNSName/LeadingPeriod.java create mode 100644 test/jdk/sun/security/x509/DNSName/certs/generate-certs.sh create mode 100644 test/jdk/sun/security/x509/DNSName/certs/openssl.cnf create mode 100644 test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/ca.pem create mode 100644 test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/leaf.pem create mode 100644 test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/ca.pem create mode 100644 test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/leaf.pem diff --git a/src/java.base/share/classes/sun/security/x509/DNSName.java b/src/java.base/share/classes/sun/security/x509/DNSName.java index 647a029413d..3baef0d0e34 100644 --- a/src/java.base/share/classes/sun/security/x509/DNSName.java +++ b/src/java.base/share/classes/sun/security/x509/DNSName.java @@ -200,18 +200,12 @@ public int hashCode() { * . These results are used in checking NameConstraints during * certification path verification. *

- * RFC5280: DNS name restrictions are expressed as host.example.com. + * RFC5280: For DNS names, restrictions MUST use the DNSName syntax in Section 4.2.1.6. * Any DNS name that can be constructed by simply adding zero or more * labels to the left-hand side of the name satisfies the name constraint. * For example, www.host.example.com would satisfy the constraint but * host1.example.com would not. *

- * RFC 5280: DNSName restrictions are expressed as foo.bar.com. - * Any DNSName that - * can be constructed by simply adding to the left-hand side of the name - * satisfies the name constraint. For example, www.foo.bar.com would - * satisfy the constraint but foo1.bar.com would not. - *

* RFC1034: By convention, domain names can be stored with arbitrary case, but * domain name comparisons for all present domain functions are done in a * case-insensitive manner, assuming an ASCII character set, and a high @@ -236,13 +230,13 @@ else if (inputName.getType() != NAME_DNS) constraintType = NAME_MATCH; else if (thisName.endsWith(inName)) { int inNdx = thisName.lastIndexOf(inName); - if (thisName.charAt(inNdx-1) == '.' ) + if (thisName.charAt(inNdx-1) == '.' ^ inName.charAt(0) == '.') constraintType = NAME_WIDENS; else constraintType = NAME_SAME_TYPE; } else if (inName.endsWith(thisName)) { int ndx = inName.lastIndexOf(thisName); - if (inName.charAt(ndx-1) == '.' ) + if (inName.charAt(ndx-1) == '.' ^ thisName.charAt(0) == '.') constraintType = NAME_NARROWS; else constraintType = NAME_SAME_TYPE; diff --git a/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java b/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java new file mode 100644 index 00000000000..50ce8e4b7ad --- /dev/null +++ b/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8311546 + * @summary Adopt de-facto standards on x509 Name Constraints with leading dot. Certs + * can be generated by running generate-certs.sh + * @library /test/lib + * @modules java.base/sun.security.x509 + */ + +import java.io.*; +import java.nio.file.*; +import java.util.*; +import java.security.Security; +import java.security.cert.*; + +public class LeadingPeriod { + + private static CertPath makeCertPath(String caStr, String targetCertStr) + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(caStr.getBytes()); + Certificate ca = cf.generateCertificate(is); + + // generate certification path + List list = List.of(targetCert, ca); + + return cf.generateCertPath(list); + } + + private static PKIXParameters genParams(String caStr) throws Exception { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = new ByteArrayInputStream(caStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = new TrustAnchor((X509Certificate) selfSignedCert, null); + + Set anchors = Collections.singleton(anchor); + + PKIXParameters params = new PKIXParameters(anchors); + + // disable certificate revocation checking + params.setRevocationEnabled(false); + + return params; + } + + public static void main(String[] args) throws Exception { + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + // Load certs with a NameConstraint where DNS value does not begin with a period + Path targetFromCAWithoutPeriodPath = Paths.get(System.getProperty( + "test.src", "./") + "/certs/withoutLeadingPeriod/leaf.pem"); + String targetFromCAWithoutPeriod = Files.readString(targetFromCAWithoutPeriodPath); + + Path caWithoutLeadingPeriodPath = Paths.get(System.getProperty( + "test.src", "./") + "/certs/withoutLeadingPeriod/ca.pem"); + String caWithoutLeadingPeriod = Files.readString(caWithoutLeadingPeriodPath); + + PKIXParameters paramsForCAWithoutLeadingPeriod = genParams(caWithoutLeadingPeriod); + CertPath pathWithoutLeadingPeriod = makeCertPath(caWithoutLeadingPeriod, + targetFromCAWithoutPeriod); + + validator.validate(pathWithoutLeadingPeriod, paramsForCAWithoutLeadingPeriod); + + // Load certificates with a NameConstraint where the DNS value does begin with a period + Path targetFromCAWithPeriodPath = Paths.get(System.getProperty( + "test.src", "./") + "/certs/withLeadingPeriod/leaf.pem"); + String targetFromCAWithPeriod = Files.readString(targetFromCAWithPeriodPath); + + Path caWithLeadingPeriodPath = Paths.get(System.getProperty( + "test.src", "./") + "/certs/withLeadingPeriod/ca.pem"); + String caWithLeadingPeriod = Files.readString(caWithLeadingPeriodPath); + + PKIXParameters paramsForCAWithLeadingPeriod = genParams(caWithLeadingPeriod); + CertPath pathWithLeadingPeriod = makeCertPath(caWithLeadingPeriod, targetFromCAWithPeriod); + + validator.validate(pathWithLeadingPeriod, paramsForCAWithLeadingPeriod); + } +} \ No newline at end of file diff --git a/test/jdk/sun/security/x509/DNSName/certs/generate-certs.sh b/test/jdk/sun/security/x509/DNSName/certs/generate-certs.sh new file mode 100644 index 00000000000..f000bfc9cda --- /dev/null +++ b/test/jdk/sun/security/x509/DNSName/certs/generate-certs.sh @@ -0,0 +1,91 @@ +#!/usr/bin/env bash + +set -e + +############################################################### +# CA with a leading period in the name constraint # +############################################################### +mkdir -p withLeadingPeriod + +openssl req \ + -newkey rsa:1024 \ + -keyout withLeadingPeriod/ca.key \ + -out withLeadingPeriod/ca.csr \ + -subj "/C=US/O=Example/CN=Example CA with period" \ + -nodes + +openssl x509 \ + -req \ + -in withLeadingPeriod/ca.csr \ + -extfile openssl.cnf \ + -extensions withLeadingPeriod \ + -signkey withLeadingPeriod/ca.key \ + -out withLeadingPeriod/ca.pem + +# leaf certificate +openssl req \ + -newkey rsa:1024 \ + -keyout withLeadingPeriod/leaf.key \ + -out withLeadingPeriod/leaf.csr \ + -subj '/CN=demo.example.com' \ + -addext 'subjectAltName = DNS:demo.example.com' \ + -nodes + +openssl x509 \ + -req \ + -in withLeadingPeriod/leaf.csr \ + -CAcreateserial \ + -CA withLeadingPeriod/ca.pem \ + -CAkey withLeadingPeriod/ca.key \ + -out withLeadingPeriod/leaf.pem + + +# ################################################################## +# # CA without a leading period in the name contraint # +# ################################################################## +mkdir -p withoutLeadingPeriod + +openssl req \ + -newkey rsa:1024 \ + -keyout withoutLeadingPeriod/ca.key \ + -out withoutLeadingPeriod/ca.csr \ + -subj "/C=US/O=Example/CN=Example CA without period" \ + -nodes + +openssl x509 \ + -req \ + -in withoutLeadingPeriod/ca.csr \ + -extfile openssl.cnf \ + -extensions withoutLeadingPeriod \ + -signkey withoutLeadingPeriod/ca.key \ + -out withoutLeadingPeriod/ca.pem + +# leaf certificate +openssl req \ + -newkey rsa:1024 \ + -keyout withoutLeadingPeriod/leaf.key \ + -out withoutLeadingPeriod/leaf.csr \ + -subj '/CN=demo.example.com' \ + -addext 'subjectAltName = DNS:demo.example.com' \ + -nodes + +openssl x509 \ + -req \ + -in withoutLeadingPeriod/leaf.csr \ + -CAcreateserial \ + -CA withoutLeadingPeriod/ca.pem \ + -CAkey withoutLeadingPeriod/ca.key \ + -out withoutLeadingPeriod/leaf.pem + + +# # Verify both leaf certificates + +set +e +openssl verify \ + -CAfile withLeadingPeriod/ca.pem \ + withLeadingPeriod/leaf.pem + +openssl verify \ + -CAfile withoutLeadingPeriod/ca.pem \ + withoutLeadingPeriod/leaf.pem + \ No newline at end of file diff --git a/test/jdk/sun/security/x509/DNSName/certs/openssl.cnf b/test/jdk/sun/security/x509/DNSName/certs/openssl.cnf new file mode 100644 index 00000000000..a69d206a5fc --- /dev/null +++ b/test/jdk/sun/security/x509/DNSName/certs/openssl.cnf @@ -0,0 +1,40 @@ +# +# OpenSSL configuration file. +# + +[ withLeadingPeriod ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:true +keyUsage = critical,keyCertSign +nameConstraints = critical,permitted;DNS:.example.com + +[ withoutLeadingPeriod ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:true +keyUsage = critical,keyCertSign +nameConstraints = critical,permitted;DNS:example.com + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:true +keyUsage = critical,keyCertSign + + +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca # The extentions to add to self signed certs +req_extensions = v3_req # The extensions to add to req's + +prompt = no + +[req_distinguished_name] +C = US +O = Example +CN = example.com + +[v3_req] +keyUsage = keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth diff --git a/test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/ca.pem b/test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/ca.pem new file mode 100644 index 00000000000..535a8d9fc7e --- /dev/null +++ b/test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/ca.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICgzCCAeygAwIBAgIJANBGv+BGZZHtMA0GCSqGSIb3DQEBCwUAMEAxCzAJBgNV +BAYTAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR8wHQYDVQQDDBZFeGFtcGxlIENBIHdp +dGggcGVyaW9kMB4XDTIzMTAxOTIwNTE0NVoXDTIzMTExODIwNTE0NVowQDELMAkG +A1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1wbGUxHzAdBgNVBAMMFkV4YW1wbGUgQ0Eg +d2l0aCBwZXJpb2QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPfaISk+Dvzk +m3AY7IDZYrGWpwxHciacalrsrOFl3mj3FQ/kVhofDri3mE7bxNKWyHNcbt+Cteck +TsGKBH85QsIifju7hqlrR+UbYtQF9/REkxX72gzim4xGk9KmKkuGpT5aZgvTE5eg +ZumJ9XxCjGn5nbsdJoqAE/9B96GqXJvlAgMBAAGjgYQwgYEwHQYDVR0OBBYEFG8h +vtka47iFUsc+3wmQ3LQRXUv3MB8GA1UdIwQYMBaAFG8hvtka47iFUsc+3wmQ3LQR +XUv3MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB4GA1UdHgEB/wQU +MBKgEDAOggwuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADgYEAkPeCbKokI067 +Dt2bommouO7LhTXivjMsByfZs8i9LZUVJz5Is+mDC36nLy4U3+QhofRLlEkWyOlE +033xBtm4YPsazpur79PJtvZemV0KwwMtKCoJYNlcy2llmdKjUwe4PsPnJPqH2KL5 +Cxios1gil8XL5OCmEUSCT9uBblh+9gk= +-----END CERTIFICATE----- diff --git a/test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/leaf.pem b/test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/leaf.pem new file mode 100644 index 00000000000..c587ca20c9a --- /dev/null +++ b/test/jdk/sun/security/x509/DNSName/certs/withLeadingPeriod/leaf.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB0jCCATsCCQCgOCS7vOUOXTANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJV +UzEQMA4GA1UECgwHRXhhbXBsZTEfMB0GA1UEAwwWRXhhbXBsZSBDQSB3aXRoIHBl +cmlvZDAeFw0yMzEwMTkyMDUxNDVaFw0yMzExMTgyMDUxNDVaMBsxGTAXBgNVBAMM +EGRlbW8uZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALxi +O4r50rNBbHu/blOSRfo9Vqei+QFS7fPwme68FOcvG+uYXf7zluO59V+8O4RPO+ZJ +W6meZvtpOCWFvlSMhBLTRz350LuSPWF+/tnbiyEv487Vi6Tp7kxJytIcMtH/sWkw +hF0Og8YYt3Xm2aLYPxZHGkvOccjau5X1xG1YiULzAgMBAAEwDQYJKoZIhvcNAQEL +BQADgYEA8OXnFO3yZSVmQfYvC2o9amYa7tNUPHgvEjp7xDlPkvL5zF+n8k0hT0kt +pv4BXzRqVIWsZcNi3H1wk6LMeUXi8EWCOR6gclWI0wZkWBhtoh8SCd2VJRmcv+zG +EnInCapszNKN05KEzaFOQv0QayILBUGgHTTXOgbEmryLHXg6zik= +-----END CERTIFICATE----- diff --git a/test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/ca.pem b/test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/ca.pem new file mode 100644 index 00000000000..cb886c34a1d --- /dev/null +++ b/test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/ca.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICiDCCAfGgAwIBAgIJALUX88nU2b75MA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV +BAYTAlVTMRAwDgYDVQQKDAdFeGFtcGxlMSIwIAYDVQQDDBlFeGFtcGxlIENBIHdp +dGhvdXQgcGVyaW9kMB4XDTIzMTAxOTIwNTE0NVoXDTIzMTExODIwNTE0NVowQzEL +MAkGA1UEBhMCVVMxEDAOBgNVBAoMB0V4YW1wbGUxIjAgBgNVBAMMGUV4YW1wbGUg +Q0Egd2l0aG91dCBwZXJpb2QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANmH +HqVoDjgoS60aPhQisqEL3as81tPXxXgnp5M0TE+Lb0z/kXS2mkqYYhzcZneBhVyI +oGTnSnTSh6S1r/gE80x+hH4ZrLZR7jJMRDA9Q7RTOZBNgozS4XnE3AV/EjrIzHJ1 +IEt1ezoj2QNdVOv7UHprHGoARl9tdxre4MVUv4S3AgMBAAGjgYMwgYAwHQYDVR0O +BBYEFFG0Mvse4c5C01o8kvKiM4MKMJTCMB8GA1UdIwQYMBaAFFG0Mvse4c5C01o8 +kvKiM4MKMJTCMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1Ud +HgEB/wQTMBGgDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOBgQC0CKS0 +JOR8hfUkZHBo52PrF3IKs33wczH5mfV+HLTdSeKtBD0Vj/7DoT0Yx2k5n6vpwA/x +LTSMC4wUo4hb5164ks45iloU0FrA+n9fWbeqwhQb+DW5MSOgoVLkW+rcdKbDatTO +ENcKZsqiG3aKM7pS7mQa+kUUpXWBUgVnhcsYtQ== +-----END CERTIFICATE----- diff --git a/test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/leaf.pem b/test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/leaf.pem new file mode 100644 index 00000000000..449176ff8a8 --- /dev/null +++ b/test/jdk/sun/security/x509/DNSName/certs/withoutLeadingPeriod/leaf.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB1TCCAT4CCQDLscehyPPGXjANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJV +UzEQMA4GA1UECgwHRXhhbXBsZTEiMCAGA1UEAwwZRXhhbXBsZSBDQSB3aXRob3V0 +IHBlcmlvZDAeFw0yMzEwMTkyMDUxNDVaFw0yMzExMTgyMDUxNDVaMBsxGTAXBgNV +BAMMEGRlbW8uZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB +AMZM9Prp5DkAe4pkLqn4v8DFamMtWVqPlYacJacGzBkuzBn8VNQQw4qnf6wiVHBj +uXLHrUCbldtKFK4XdVukmVyYSLR5BBPxA20fjZcsrBZW7u/14qWmIZW7G0xphezg +6g33qNPq9CPqVHR+IrfEmjWnLjc2KrZ3OQElpJOGp48hAgMBAAEwDQYJKoZIhvcN +AQELBQADgYEAYbIuAQKTXsgaBP3pyMqxPHvklDI7wJjEapbKDsOXYmKMb33pmFSD +ntQFZuOKYNV2rAqQaV/3kiWKyR4vO/gsCfuFeW8kxkhZEXX9CNU0Z6mKcvy274A4 +K0gqYGki8hyCc5IMWTUAX2TLdq8W1hwfbjeiNqTY21e+6lIa3kcuLC0= +-----END CERTIFICATE----- From 6770ee5647acd9c67334ef46a1655604bac2e81e Mon Sep 17 00:00:00 2001 From: Aleksey Shipilev Date: Wed, 18 Dec 2024 15:23:09 +0100 Subject: [PATCH 2/3] Backport a2c0fa6f9ccefd3d1b088c51d0b8170cfb59a885 --- .../security/x509/DNSName/LeadingPeriod.java | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java b/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java index 50ce8e4b7ad..a293e5360a9 100644 --- a/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java +++ b/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java @@ -38,8 +38,8 @@ public class LeadingPeriod { - private static CertPath makeCertPath(String caStr, String targetCertStr) - throws CertificateException { + private static CertPath makeCertPath(String targetCertStr, + PKIXParameters params) throws CertificateException { // generate certificate from cert strings CertificateFactory cf = CertificateFactory.getInstance("X.509"); @@ -47,12 +47,11 @@ private static CertPath makeCertPath(String caStr, String targetCertStr) is = new ByteArrayInputStream(targetCertStr.getBytes()); Certificate targetCert = cf.generateCertificate(is); - - is = new ByteArrayInputStream(caStr.getBytes()); - Certificate ca = cf.generateCertificate(is); + // set validity date so that validation won't fail when cert expires + params.setDate(((X509Certificate)targetCert).getNotBefore()); // generate certification path - List list = List.of(targetCert, ca); + List list = List.of(targetCert); return cf.generateCertPath(list); } @@ -91,8 +90,8 @@ public static void main(String[] args) throws Exception { String caWithoutLeadingPeriod = Files.readString(caWithoutLeadingPeriodPath); PKIXParameters paramsForCAWithoutLeadingPeriod = genParams(caWithoutLeadingPeriod); - CertPath pathWithoutLeadingPeriod = makeCertPath(caWithoutLeadingPeriod, - targetFromCAWithoutPeriod); + CertPath pathWithoutLeadingPeriod = makeCertPath( + targetFromCAWithoutPeriod, paramsForCAWithoutLeadingPeriod); validator.validate(pathWithoutLeadingPeriod, paramsForCAWithoutLeadingPeriod); @@ -106,8 +105,8 @@ public static void main(String[] args) throws Exception { String caWithLeadingPeriod = Files.readString(caWithLeadingPeriodPath); PKIXParameters paramsForCAWithLeadingPeriod = genParams(caWithLeadingPeriod); - CertPath pathWithLeadingPeriod = makeCertPath(caWithLeadingPeriod, targetFromCAWithPeriod); + CertPath pathWithLeadingPeriod = makeCertPath(targetFromCAWithPeriod, paramsForCAWithLeadingPeriod); validator.validate(pathWithLeadingPeriod, paramsForCAWithLeadingPeriod); } -} \ No newline at end of file +} From 6a70008845a722ec4b20717de64894f1dc771434 Mon Sep 17 00:00:00 2001 From: Aleksey Shipilev Date: Thu, 16 Jan 2025 11:21:33 +0100 Subject: [PATCH 3/3] Backport a6be9076351b591cbc0860b1ba8f3c56319f4ffe --- .../security/x509/DNSName/LeadingPeriod.java | 81 +++++-------------- 1 file changed, 19 insertions(+), 62 deletions(-) diff --git a/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java b/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java index a293e5360a9..2fa5eb6b8b5 100644 --- a/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java +++ b/test/jdk/sun/security/x509/DNSName/LeadingPeriod.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2023, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,8 +26,7 @@ * @bug 8311546 * @summary Adopt de-facto standards on x509 Name Constraints with leading dot. Certs * can be generated by running generate-certs.sh - * @library /test/lib - * @modules java.base/sun.security.x509 + * @run main LeadingPeriod */ import java.io.*; @@ -38,75 +37,33 @@ public class LeadingPeriod { - private static CertPath makeCertPath(String targetCertStr, - PKIXParameters params) throws CertificateException { - // generate certificate from cert strings - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - - ByteArrayInputStream is; - - is = new ByteArrayInputStream(targetCertStr.getBytes()); - Certificate targetCert = cf.generateCertificate(is); - // set validity date so that validation won't fail when cert expires - params.setDate(((X509Certificate)targetCert).getNotBefore()); - - // generate certification path - List list = List.of(targetCert); - - return cf.generateCertPath(list); + public static void main(String[] args) throws Exception { + String certs = System.getProperty("test.src", "./") + "/certs/"; + validate(certs + "withoutLeadingPeriod"); + validate(certs + "withLeadingPeriod"); } - private static PKIXParameters genParams(String caStr) throws Exception { - // generate certificate from cert string - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - - ByteArrayInputStream is = new ByteArrayInputStream(caStr.getBytes()); - Certificate selfSignedCert = cf.generateCertificate(is); + public static void validate(String certPath) throws Exception { + byte[] targetCertBytes = Files.readAllBytes(Paths.get(certPath + "/leaf.pem")); + byte[] caCertBytes = Files.readAllBytes(Paths.get(certPath + "/ca.pem")); - // generate a trust anchor - TrustAnchor anchor = new TrustAnchor((X509Certificate) selfSignedCert, null); + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + Certificate caCert = cf.generateCertificate(new ByteArrayInputStream(caCertBytes)); + Certificate targetCert = cf.generateCertificate(new ByteArrayInputStream(targetCertBytes)); - Set anchors = Collections.singleton(anchor); + TrustAnchor anchor = new TrustAnchor((X509Certificate) caCert, null); - PKIXParameters params = new PKIXParameters(anchors); + PKIXParameters params = new PKIXParameters(Collections.singleton(anchor)); - // disable certificate revocation checking + // Disable certificate revocation checking params.setRevocationEnabled(false); - return params; - } + // Set validity date, so that validation won't fail when cert expires + params.setDate(((X509Certificate)targetCert).getNotBefore()); - public static void main(String[] args) throws Exception { + CertPath path = cf.generateCertPath(List.of(targetCert, caCert)); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); - - // Load certs with a NameConstraint where DNS value does not begin with a period - Path targetFromCAWithoutPeriodPath = Paths.get(System.getProperty( - "test.src", "./") + "/certs/withoutLeadingPeriod/leaf.pem"); - String targetFromCAWithoutPeriod = Files.readString(targetFromCAWithoutPeriodPath); - - Path caWithoutLeadingPeriodPath = Paths.get(System.getProperty( - "test.src", "./") + "/certs/withoutLeadingPeriod/ca.pem"); - String caWithoutLeadingPeriod = Files.readString(caWithoutLeadingPeriodPath); - - PKIXParameters paramsForCAWithoutLeadingPeriod = genParams(caWithoutLeadingPeriod); - CertPath pathWithoutLeadingPeriod = makeCertPath( - targetFromCAWithoutPeriod, paramsForCAWithoutLeadingPeriod); - - validator.validate(pathWithoutLeadingPeriod, paramsForCAWithoutLeadingPeriod); - - // Load certificates with a NameConstraint where the DNS value does begin with a period - Path targetFromCAWithPeriodPath = Paths.get(System.getProperty( - "test.src", "./") + "/certs/withLeadingPeriod/leaf.pem"); - String targetFromCAWithPeriod = Files.readString(targetFromCAWithPeriodPath); - - Path caWithLeadingPeriodPath = Paths.get(System.getProperty( - "test.src", "./") + "/certs/withLeadingPeriod/ca.pem"); - String caWithLeadingPeriod = Files.readString(caWithLeadingPeriodPath); - - PKIXParameters paramsForCAWithLeadingPeriod = genParams(caWithLeadingPeriod); - CertPath pathWithLeadingPeriod = makeCertPath(targetFromCAWithPeriod, paramsForCAWithLeadingPeriod); - - validator.validate(pathWithLeadingPeriod, paramsForCAWithLeadingPeriod); + validator.validate(path, params); } }