J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2002 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 10 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 11 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 12 | * version 2 for more details (a copy is included in the LICENSE file that |
| 13 | * accompanied this code). |
| 14 | * |
| 15 | * You should have received a copy of the GNU General Public License version |
| 16 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 17 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 18 | * |
| 19 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 20 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 21 | * have any questions. |
| 22 | */ |
| 23 | |
| 24 | /* |
| 25 | * @test |
| 26 | * @bug 4514108 |
| 27 | * @summary Verify host name matching behaves as defined in RFC2818. |
| 28 | */ |
| 29 | |
| 30 | import java.io.*; |
| 31 | import java.security.cert.*; |
| 32 | |
| 33 | import sun.security.util.*; |
| 34 | |
| 35 | /** |
| 36 | * Certificate 1: |
| 37 | * . no subject alternative names, so the most specific CN (foo1.com, in the |
| 38 | * first RDN) is used; the SERIALNUMBER attribute sharing that RDN must be ignored. |
| 39 | * <pre> |
| 40 | [ |
| 41 | [ |
| 42 | Version: V1 |
| 43 | Subject: SERIALNUMBER=12 + CN=foo1.com, CN=foo2.com, O=Sun, C=US |
| 44 | Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 |
| 45 | |
| 46 | Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1d8957f |
| 47 | Validity: [From: Fri Mar 22 12:22:57 GMT 2002, |
| 48 | To: Tue Mar 22 12:22:57 GMT 2022] |
| 49 | Issuer: CN=CA, O=Sun, C=US |
| 50 | SerialNumber: [ 0 ] |
| 51 | |
| 52 | ] |
| 53 | Algorithm: [SHA1withRSA] |
| 54 | Signature: |
| 55 | 0000: B8 E1 F8 A8 23 EB C4 E9 F9 03 F6 97 FA DD A2 56 ....#..........V |
| 56 | 0010: 06 B6 95 99 68 6B F8 72 6A 27 F4 13 CC 40 06 83 ....hk.rj'...@.. |
| 57 | 0020: 62 C1 94 72 63 EA 69 FD 78 A2 06 D8 3B F5 D0 2C b..rc.i.x...;.., |
| 58 | 0030: 97 D6 29 84 FA 6F 2E E1 13 6A C7 5D DE 2F 6A 2F ..)..o...j.]./j/ |
| 59 | 0040: 08 85 43 3B 7D DB C1 AB 1A DC 38 BE F7 4B 6B 82 ..C;......8..Kk. |
| 60 | 0050: 84 06 FA 46 82 77 42 A6 47 55 33 63 2B D4 05 2E ...F.wB.GU3c+... |
| 61 | 0060: 76 F5 1B 6A CD 8E B2 B3 83 8E 9D 13 BC 82 0C 4B v..j...........K |
| 62 | 0070: DE 8A 63 B5 EA F1 07 00 C0 7E C9 75 DF 13 FC 34 ..c........u...4 |
| 63 | |
| 64 | ] |
| 65 | * </pre> |
| 66 | * |
| 67 | * Certificate 2: |
| 68 | * . CN contains an IP address, which must be ignored: IP addresses only match the iPAddress entries of a subjectAltName. |
| 69 | * <pre> |
| 70 | [ |
| 71 | [ |
| 72 | Version: V1 |
| 73 | Subject: CN=1.2.3.4, O=Sun, C=US |
| 74 | Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 |
| 75 | |
| 76 | Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@173831b |
| 77 | Validity: [From: Fri Mar 22 12:22:57 GMT 2002, |
| 78 | To: Tue Mar 22 12:22:57 GMT 2022] |
| 79 | Issuer: CN=CA, O=Sun, C=US |
| 80 | SerialNumber: [ 01] |
| 81 | |
| 82 | ] |
| 83 | Algorithm: [SHA1withRSA] |
| 84 | Signature: |
| 85 | 0000: 15 86 83 1E 79 7F 8B 06 1F E0 BF 79 0F EA 84 D1 ....y......y.... |
| 86 | 0010: C5 CD 2C D6 9D 4A 36 7C 75 41 E6 0D 8C 1D 65 60 ..,..J6.uA....e` |
| 87 | 0020: 0F 53 15 54 41 43 AE F9 E9 54 34 8A 4B B9 39 12 .S.TAC...T4.K.9. |
| 88 | 0030: DE 58 21 86 D3 F9 11 6C 4F 72 EF 8C 4B C3 66 FC .X!....lOr..K.f. |
| 89 | 0040: BD AB 87 63 8F 59 1D C3 FE 76 DB B7 76 43 C2 A1 ...c.Y...v..vC.. |
| 90 | 0050: 4D D7 92 C4 CA C6 DC 59 CA A6 1B 6D FE 01 AC F4 M......Y...m.... |
| 91 | 0060: 09 86 D8 A1 40 C4 C2 77 BF 53 21 9A 3B 43 2E 9A ....@..w.S!.;C.. |
| 92 | 0070: D4 0C BE 85 47 A5 02 35 7D EE 27 11 36 0E 80 14 ....G..5..'.6... |
| 93 | |
| 94 | ] |
| 95 | * </pre> |
| 96 | * |
| 97 | * Certificate 3: |
| 98 | * . Contains subject alternative name extension with DNS altfoo1.com, |
| 99 | * DNS altfoo2.com, IP 5.6.7.8. CNs in subject DN must be ignored. |
| 100 | * <pre> |
| 101 | [ |
| 102 | [ |
| 103 | Version: V3 |
| 104 | Subject: SERIALNUMBER=12 + CN=foo1.com, CN=foo2.com, O=Sun, C=US |
| 105 | Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 |
| 106 | |
| 107 | Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@18e2b22 |
| 108 | Validity: [From: Fri Mar 22 12:22:57 GMT 2002, |
| 109 | To: Tue Mar 22 12:22:57 GMT 2022] |
| 110 | Issuer: CN=CA, O=Sun, C=US |
| 111 | SerialNumber: [ 02] |
| 112 | |
| 113 | Certificate Extensions: 1 |
| 114 | [1]: ObjectId: 2.5.29.17 Criticality=false |
| 115 | SubjectAlternativeName [ |
| 116 | [DNSName: altfoo1.com, DNSName: altfoo2.com, IPAddress: 5.6.7.8]] |
| 117 | |
| 118 | ] |
| 119 | Algorithm: [SHA1withRSA] |
| 120 | Signature: |
| 121 | 0000: 65 A6 E5 96 4A D5 8F 8D 3E 70 7D 63 BE B1 58 1C e...J...>p.c..X. |
| 122 | 0010: B5 35 EF 7D E8 00 9C 9E 56 E7 E9 52 71 7B BD 35 .5......V..Rq..5 |
| 123 | 0020: 3D B5 F5 F7 B2 49 A0 E4 23 BB 2A 0A 25 84 0E E2 =....I..#.*.%... |
| 124 | 0030: 4B 6D 61 73 D5 C8 F1 0A EC 2B F2 98 3D 80 F9 DC Kmas.....+..=... |
| 125 | 0040: F5 D1 2A 36 44 EB 59 9A E9 DF 97 FA AE C0 86 F1 ..*6D.Y......... |
| 126 | 0050: 2C 7B 54 21 F2 3A 56 83 0D E0 5A E1 0D FC D5 E2 ,.T!.:V...Z..... |
| 127 | 0060: 45 44 ED C8 C6 F8 26 8E 0C 14 ED D0 F7 37 1C 01 ED....&......7.. |
| 128 | 0070: A5 E2 61 29 5D 14 B3 5A EF 72 CC 9B 13 05 B0 B1 ..a)]..Z.r...... |
| 129 | |
| 130 | ] |
| 131 | * </pre> |
| 132 | * |
| 133 | * Certificate 4: |
| 134 | * . SubjAltName contains wildcard char, in the leftmost as well as |
| 135 | * in the middle component. |
| 136 | * <pre> |
| 137 | [ |
| 138 | [ |
| 139 | Version: V3 |
| 140 | Subject: SERIALNUMBER=12, O=Sun, C=US |
| 141 | Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 |
| 142 | |
| 143 | Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@17a8bd |
| 144 | Validity: [From: Mon Apr 01 22:32:38 PST 2002, |
| 145 | To: Fri Apr 01 22:32:38 PST 2022] |
| 146 | Issuer: CN=CA, O=Sun, C=US |
| 147 | SerialNumber: [ 02] |
| 148 | |
| 149 | Certificate Extensions: 1 |
| 150 | [1]: ObjectId: 2.5.29.17 Criticality=false |
| 151 | SubjectAlternativeName [ |
| 152 | |
| 153 | [DNSName: f*.bar.com, DNSName: altfoo.b*.com]] |
| 154 | |
| 155 | ] |
| 156 | Algorithm: [SHA1withRSA] |
| 157 | Signature: |
| 158 | 0000: BB 9B 00 DB C9 94 15 34 03 9F 28 59 20 4D 10 63 .......4..(Y M.c |
| 159 | 0010: 63 6A F5 C8 56 7B 7C CC E7 06 7E 1E BE 0B 84 92 cj..V........... |
| 160 | 0020: 05 0A 12 5E 21 5D 70 03 DA 27 0B 4E 39 67 FC 8D ...^!]p..'.N9g.. |
| 161 | 0030: D6 FC A6 5B F5 CA F1 4C 75 53 33 E3 4F 30 88 68 ...[...LuS3.O0.h |
| 162 | 0040: B8 F1 2C DF C2 A8 71 A7 37 55 66 7C 51 23 BB C2 ..,...q.7Uf.Q#.. |
| 163 | 0050: 25 70 EA EE 44 ED 32 63 56 E0 BA C8 94 36 87 E2 %p..D.2cV....6.. |
| 164 | 0060: 94 00 2A 3D 4C 46 78 E9 2B 20 9F 73 3C 8E 92 2E ..*=LFx.+ .s<... |
| 165 | 0070: 66 85 C6 27 3A 84 21 94 82 93 B1 A4 94 B6 DE 2F f..':.!......../ |
| 166 | |
| 167 | ] |
| 168 | * </pre> |
| 169 | * |
| 170 | */ |
| 171 | |
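public class TestHostnameChecker {

    private final static String PATH = System.getProperty("test.src", ".");

    /**
     * Loads the four fixture certificates and runs the TLS and LDAP host
     * name matching cases described in the class comment. Any unexpected
     * outcome propagates as an exception and fails the test.
     *
     * @param args ignored
     * @throws Exception on a fixture load failure or an unexpected match result
     */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert1 = loadCert(cf, "cert1.crt");
        X509Certificate cert2 = loadCert(cf, "cert2.crt");
        X509Certificate cert3 = loadCert(cf, "cert3.crt");
        X509Certificate cert4 = loadCert(cf, "cert4.crt");

        HostnameChecker checker = HostnameChecker.getInstance(
                                        HostnameChecker.TYPE_TLS);
        System.out.println("TLS tests.........");
        System.out.println("==================");
        // cert1: no SAN, so only the most specific CN (foo1.com) may match
        check(checker, "foo1.com", cert1, true);
        check(checker, "foo2.com", cert1, false);
        // cert2: an IP address in the CN must never match; IPs are taken
        // from subjectAltName only
        check(checker, "1.2.3.4", cert2, false);
        // cert3: SAN present, so the subject CNs are ignored entirely
        check(checker, "foo1.com", cert3, false);
        check(checker, "foo2.com", cert3, false);
        check(checker, "altfoo1.com", cert3, true);
        check(checker, "altfoo2.com", cert3, true);
        check(checker, "5.6.7.8", cert3, true);
        // cert4: wildcard in the leftmost and in a middle component; the
        // TLS rules (RFC 2818) are expected to accept both
        check(checker, "foo.bar.com", cert4, true);
        check(checker, "altfoo.bar.com", cert4, true);

        checker = HostnameChecker.getInstance(
                                        HostnameChecker.TYPE_LDAP);
        System.out.println();
        System.out.println("LDAP tests.........");
        System.out.println("==================");
        check(checker, "foo1.com", cert1, true);
        check(checker, "foo2.com", cert1, false);
        check(checker, "foo1.com", cert3, false);
        check(checker, "foo2.com", cert3, false);
        check(checker, "altfoo1.com", cert3, true);
        check(checker, "altfoo2.com", cert3, true);
        check(checker, "5.6.7.8", cert3, true);
        // cert4: the LDAP checker is expected to accept only the leftmost
        // wildcard and to reject the one in a middle component
        check(checker, "foo.bar.com", cert4, true);
        check(checker, "altfoo.bar.com", cert4, false);
    }

    /**
     * Reads one X.509 certificate from file {@code name} in the test
     * source directory. The stream is closed even when parsing fails, so
     * a malformed fixture does not leak a file handle.
     *
     * @param cf   factory used to parse the certificate
     * @param name file name relative to {@code PATH}
     * @return the parsed certificate
     * @throws Exception if the file cannot be read or parsed
     */
    private static X509Certificate loadCert(CertificateFactory cf, String name)
            throws Exception {
        InputStream in = new FileInputStream(new File(PATH, name));
        try {
            return (X509Certificate)cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /**
     * Runs a single host name match and compares the outcome with the
     * expectation.
     *
     * A {@code CertificateException} from {@code match} is treated as "no
     * match" whatever its cause, so a negative expectation cannot tell a
     * genuine mismatch from an internal checker failure; any other
     * exception type propagates unchanged.
     *
     * @param checker        the TLS or LDAP checker under test
     * @param name           host name or IP address literal to match
     * @param cert           certificate to match against
     * @param expectedResult {@code true} if the name must be accepted
     * @throws Exception if the name was accepted but should not have been,
     *         or rejected (the original {@code CertificateException} is
     *         rethrown) but should have been accepted
     */
    private static void check(HostnameChecker checker, String name,
            X509Certificate cert, boolean expectedResult)
            throws Exception {
        try {
            checker.match(name, cert);
            if (expectedResult == false) {
                throw new Exception("Passed invalid test: " + name);
            }
        } catch (CertificateException e) {
            if (expectedResult == true) {
                throw e;
            }
        }
        System.out.println("OK: " + name);
    }
}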