提交 be9ef9fd 编写于 作者: X xuelei

6720721: CRL check with circular dependency support needed

Summary: checking AKID of certificates and CRLs
Reviewed-by: mullan, weijun
上级 c6577e43
......@@ -339,6 +339,16 @@ class DistributionPointFetcher {
debug.println("crl issuer does not equal cert issuer");
}
return false;
} else {
// in case of self-issued indirect CRL issuer.
byte[] certAKID = certImpl.getExtensionValue(
PKIXExtensions.AuthorityKey_Id.toString());
byte[] crlAKID = crlImpl.getExtensionValue(
PKIXExtensions.AuthorityKey_Id.toString());
if (!Arrays.equals(certAKID, crlAKID)) {
indirectCRL = true;
}
}
if (!indirectCRL && !signFlag) {
......
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular dependency support needed
* @author Xuelei Fan
* @run main/othervm CircularCRLOneLevel
*/
import java.io.*;
import java.net.SocketException;
import java.nio.charset.Charset;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.*;
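/**
 * Regression test for 6720721, positive case: the CRL covering a CA's
 * subjects is signed not by the CA's own key but by a separate CRL-signing
 * certificate that carries the same subject DN as the CA and was itself
 * issued by that CA.  Verifying the CRL therefore requires building and
 * revocation-checking a path to the CRL issuer, which is covered by the very
 * CRL being verified -- the circular dependency of the bug title.
 *
 * Fixtures (decoded from the PEM below; every DN is under C=US, O=Example):
 * <ul>
 * <li>{@code selfSignedCertStr}: self-signed root, serial 0, the trust
 *     anchor.</li>
 * <li>{@code subCaCertStr}: CA "OU=Class-1", serial 3, issued by the root.
 *     It is also the target of this test and is NOT listed in the CRL, so
 *     validation is expected to succeed.</li>
 * <li>{@code crlIssuerCertStr}: serial 2, issued by the root, subject DN
 *     identical to the root's, keyUsage cRLSign.  Its key signs the CRL.</li>
 * <li>{@code crlStr}: CRL whose issuer is the root's DN, CRL number 2,
 *     revoking serial 5 (reason superseded).  It carries no authority key
 *     identifier, so it does not say which of the two same-named keys
 *     signed it.</li>
 * </ul>
 *
 * The material is test-only: md5WithRSAEncryption (1.2.840.113549.1.1.4)
 * over 1024-bit RSA keys.  NOTE(review): a JDK that disables MD5 for
 * certification paths will reject these fixtures on the algorithm before
 * the CRL logic is ever reached.
 */
public class CircularCRLOneLevel {

    /** Self-signed root (serial 0, C=US, O=Example): the trust anchor. */
    static String selfSignedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
        "Vjw=\n" +
        "-----END CERTIFICATE-----";

    /** Sub-CA "OU=Class-1", serial 3, issued by the root; not in the CRL. */
    static String subCaCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
        "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
        "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
        "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
        "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
        "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
        "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
        "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
        "-----END CERTIFICATE-----";

    /** The certificate under test: the sub-CA itself. */
    static String targetCertStr = subCaCertStr;

    /**
     * CRL signer: serial 2, issued by the root, with the root's own subject
     * DN and keyUsage cRLSign.  The CRL below is signed with this key.
     */
    static String crlIssuerCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
        "-----END CERTIFICATE-----";

    /**
     * CRL under the root's DN, CRL number 2, revoking serial 5 (superseded).
     * No authority key identifier extension.
     */
    static String crlStr =
        "-----BEGIN X509 CRL-----\n" +
        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
        "-----END X509 CRL-----";

    /**
     * Wraps a PEM fixture as a stream for {@link CertificateFactory}.
     * PEM is ASCII by definition, so the bytes are taken in US-ASCII rather
     * than the platform default charset.
     */
    private static InputStream pemStream(String pem) {
        return new ByteArrayInputStream(pem.getBytes(Charset.forName("US-ASCII")));
    }

    /**
     * Builds the path under test: the target first, then the self-signed
     * root, which is the order {@code CertPathValidator} expects.
     *
     * @return a two-element X.509 certification path
     * @throws CertificateException if a PEM fixture fails to parse
     */
    private static CertPath generateCertificatePath()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate targetCert =
            cf.generateCertificate(pemStream(targetCertStr));
        Certificate selfSignedCert =
            cf.generateCertificate(pemStream(selfSignedCertStr));
        List<Certificate> chain = Arrays.asList(targetCert, selfSignedCert);
        return cf.generateCertPath(chain);
    }

    /**
     * Returns the single trust anchor, the self-signed root, with no name
     * constraints.
     *
     * @throws CertificateException if the root PEM fails to parse
     */
    private static Set<TrustAnchor> generateTrustAnchors()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = (X509Certificate)
            cf.generateCertificate(pemStream(selfSignedCertStr));
        return Collections.singleton(new TrustAnchor(root, null));
    }

    /**
     * Builds the collection CertStore the validator consults: the CRL plus
     * the CRL-signing certificate whose subject DN matches the CRL's issuer
     * DN, so that the CRL's signer can be located and verified.
     *
     * @throws Exception if a fixture fails to parse or the store cannot be
     *         instantiated
     */
    private static CertStore generateCertificateStore() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls = cf.generateCRLs(pemStream(crlStr));
        Collection<? extends Certificate> issuerCerts =
            cf.generateCertificates(pemStream(crlIssuerCertStr));
        Collection<Object> entries = new HashSet<Object>();
        entries.addAll(crls);
        entries.addAll(issuerCerts);
        return CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(entries));
    }

    /**
     * Validates the sub-CA against the root with CRL-based revocation
     * checking and fails unless the outcome is success or REVOKED.
     *
     * @param args ignored
     * @throws Exception on any outcome other than the two accepted ones
     */
    public static void main(String[] args) throws Exception {
        CertPath path = generateCertificatePath();
        Set<TrustAnchor> anchors = generateTrustAnchors();
        CertStore store = generateCertificateStore();

        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertStore(store);
        params.setRevocationEnabled(true);

        // Validate as of 2009-05-01: after every fixture's notBefore and the
        // CRL's thisUpdate, well before any expiry.  Calendar months are
        // zero-based; the deprecated Date(109, 5, 1) previously used here
        // actually meant 2009-06-01, contradicting its own comment.
        Calendar when = Calendar.getInstance();
        when.clear();
        when.set(2009, Calendar.MAY, 1);
        params.setDate(when.getTime());

        // CRLs only: OCSP off, CRL Distribution Point fetching on.  Both
        // settings are JVM-global, which is why this test needs its own VM.
        Security.setProperty("ocsp.enable", "false");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException cpve) {
            // The target (serial 3) is not listed in the CRL, so a clean
            // validation is the expected outcome.  A REVOKED result is still
            // tolerated, as in the original test; any other reason (typically
            // UNDETERMINED_REVOCATION_STATUS when the CRL cannot be verified)
            // fails the test.
            // NOTE(review): consider failing on REVOKED as well, so that a
            // regression revoking the wrong serial cannot pass unnoticed.
            if (cpve.getReason() != BasicReason.REVOKED) {
                throw new Exception(
                    "unexpect exception, should be a REVOKED CPVE", cpve);
            }
        }
    }
}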
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular dependency support needed
* @author Xuelei Fan
* @run main/othervm CircularCRLOneLevelRevoked
*/
import java.io.*;
import java.net.SocketException;
import java.nio.charset.Charset;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.*;
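/**
 * Regression test for 6720721, negative case: same layout as
 * CircularCRLOneLevel (a CRL signed by a separate CRL-issuer certificate
 * that shares the CA's subject DN and is issued by that CA), but the target
 * IS listed in the CRL, so validation must end with {@code REVOKED}.
 *
 * Fixtures (decoded from the PEM below; every DN is under C=US, O=Example):
 * <ul>
 * <li>{@code selfSignedCertStr}: self-signed root, serial 0, the trust
 *     anchor.</li>
 * <li>{@code dumCaCertStr}: CA "OU=Class-D", serial 5, issued by the root.
 *     It is the target, and serial 5 is the one entry of the CRL.</li>
 * <li>{@code crlIssuerCertStr}: serial 2, issued by the root, subject DN
 *     identical to the root's, keyUsage cRLSign.  Its key signs the CRL.</li>
 * <li>{@code crlStr}: CRL whose issuer is the root's DN, CRL number 2,
 *     revoking serial 5 (reason superseded), no authority key identifier.</li>
 * </ul>
 *
 * The material is test-only: md5WithRSAEncryption (1.2.840.113549.1.1.4)
 * over 1024-bit RSA keys.  NOTE(review): a JDK that disables MD5 for
 * certification paths will reject these fixtures on the algorithm before
 * the CRL logic is ever reached.
 */
public class CircularCRLOneLevelRevoked {

    /** Self-signed root (serial 0, C=US, O=Example): the trust anchor. */
    static String selfSignedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
        "Vjw=\n" +
        "-----END CERTIFICATE-----";

    /** CA "OU=Class-D", serial 5, issued by the root; listed in the CRL. */
    static String dumCaCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa\n" +
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
        "cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc\n" +
        "0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W\n" +
        "bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4\n" +
        "f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL\n" +
        "/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05\n" +
        "EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp\n" +
        "TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs\n" +
        "mihnXyZWWTA1sPZlVJu7/abJ2v0=\n" +
        "-----END CERTIFICATE-----";

    /** The certificate under test: the revoked Class-D CA. */
    static String targetCertStr = dumCaCertStr;

    /**
     * CRL signer: serial 2, issued by the root, with the root's own subject
     * DN and keyUsage cRLSign.  The CRL below is signed with this key.
     */
    static String crlIssuerCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
        "-----END CERTIFICATE-----";

    /**
     * CRL under the root's DN, CRL number 2, revoking serial 5 (superseded).
     * No authority key identifier extension.
     */
    static String crlStr =
        "-----BEGIN X509 CRL-----\n" +
        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
        "-----END X509 CRL-----";

    /**
     * Wraps a PEM fixture as a stream for {@link CertificateFactory}.
     * PEM is ASCII by definition, so the bytes are taken in US-ASCII rather
     * than the platform default charset.
     */
    private static InputStream pemStream(String pem) {
        return new ByteArrayInputStream(pem.getBytes(Charset.forName("US-ASCII")));
    }

    /**
     * Builds the path under test: the revoked target first, then the
     * self-signed root, which is the order {@code CertPathValidator} expects.
     *
     * @return a two-element X.509 certification path
     * @throws CertificateException if a PEM fixture fails to parse
     */
    private static CertPath generateCertificatePath()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate targetCert =
            cf.generateCertificate(pemStream(targetCertStr));
        Certificate selfSignedCert =
            cf.generateCertificate(pemStream(selfSignedCertStr));
        List<Certificate> chain = Arrays.asList(targetCert, selfSignedCert);
        return cf.generateCertPath(chain);
    }

    /**
     * Returns the single trust anchor, the self-signed root, with no name
     * constraints.
     *
     * @throws CertificateException if the root PEM fails to parse
     */
    private static Set<TrustAnchor> generateTrustAnchors()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = (X509Certificate)
            cf.generateCertificate(pemStream(selfSignedCertStr));
        return Collections.singleton(new TrustAnchor(root, null));
    }

    /**
     * Builds the collection CertStore the validator consults: the CRL plus
     * the CRL-signing certificate whose subject DN matches the CRL's issuer
     * DN, so that the CRL's signer can be located and verified.
     *
     * @throws Exception if a fixture fails to parse or the store cannot be
     *         instantiated
     */
    private static CertStore generateCertificateStore() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls = cf.generateCRLs(pemStream(crlStr));
        Collection<? extends Certificate> issuerCerts =
            cf.generateCertificates(pemStream(crlIssuerCertStr));
        Collection<Object> entries = new HashSet<Object>();
        entries.addAll(crls);
        entries.addAll(issuerCerts);
        return CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(entries));
    }

    /**
     * Validates the revoked Class-D CA against the root with CRL-based
     * revocation checking; the only acceptable outcome is a
     * {@code CertPathValidatorException} whose reason is {@code REVOKED}.
     *
     * @param args ignored
     * @throws Exception if validation succeeds or fails for any other reason
     */
    public static void main(String[] args) throws Exception {
        CertPath path = generateCertificatePath();
        Set<TrustAnchor> anchors = generateTrustAnchors();
        CertStore store = generateCertificateStore();

        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertStore(store);
        params.setRevocationEnabled(true);

        // Validate as of 2009-05-01: after every fixture's notBefore, after
        // the CRL's thisUpdate and the revocation date, well before expiry.
        // Calendar months are zero-based; the deprecated Date(109, 5, 1)
        // previously used here actually meant 2009-06-01.
        Calendar when = Calendar.getInstance();
        when.clear();
        when.set(2009, Calendar.MAY, 1);
        params.setDate(when.getTime());

        // CRLs only: OCSP off, CRL Distribution Point fetching on.  Both
        // settings are JVM-global, which is why this test needs its own VM.
        Security.setProperty("ocsp.enable", "false");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
            // Not a CertPathValidatorException, so it escapes the catch below.
            throw new Exception("unexpected status, should be REVOKED");
        } catch (CertPathValidatorException cpve) {
            // Any reason other than REVOKED (e.g. an undetermined revocation
            // status because the circular CRL issuer could not be verified)
            // means the fix is not working.
            if (cpve.getReason() != BasicReason.REVOKED) {
                throw new Exception(
                    "unexpected exception, should be a REVOKED CPVE", cpve);
            }
        }
    }
}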
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular dependency support needed
* @author Xuelei Fan
* @run main/othervm CircularCRLTwoLevel
*/
import java.io.*;
import java.net.SocketException;
import java.nio.charset.Charset;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.*;
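/**
 * Regression test for 6720721, two-level positive case: the circular
 * CRL-issuer arrangement of CircularCRLOneLevel repeated at both tiers of a
 * root / sub-CA / end-entity chain.  At each tier the CRL is signed by a
 * separate certificate that shares the tier CA's subject DN and is issued
 * by the root, so verifying either CRL depends on a path that is itself
 * covered by one of the CRLs.
 *
 * Fixtures (decoded from the PEM below; every DN is under C=US, O=Example):
 * <ul>
 * <li>{@code selfSignedCertStr}: self-signed root, serial 0, the trust
 *     anchor.</li>
 * <li>{@code subCaCertStr}: CA "OU=Class-1", serial 3, issued by the root;
 *     not listed in {@code topCrlStr}.</li>
 * <li>{@code targetCertStr}: "CN=Alice", serial 2, issued by Class-1; not
 *     listed in {@code subCrlStr}, so validation is expected to succeed.</li>
 * <li>{@code topCrlIssuerCertStr}: serial 2, issued by the root, subject DN
 *     identical to the root's, keyUsage cRLSign; signs {@code topCrlStr}.</li>
 * <li>{@code subCrlIssuerCertStr}: serial 4, issued by the root, subject DN
 *     identical to the Class-1 CA's, keyUsage cRLSign; signs
 *     {@code subCrlStr}.</li>
 * <li>{@code topCrlStr}: issuer = root DN, CRL number 2, revokes serial 5.</li>
 * <li>{@code subCrlStr}: issuer = Class-1 DN, CRL number 2, revokes
 *     serial 4 (superseded).</li>
 * </ul>
 * Neither CRL carries an authority key identifier.
 *
 * The material is test-only: md5WithRSAEncryption (1.2.840.113549.1.1.4)
 * over 1024-bit RSA keys.  NOTE(review): a JDK that disables MD5 for
 * certification paths will reject these fixtures on the algorithm before
 * the CRL logic is ever reached.
 */
public class CircularCRLTwoLevel {

    /** Self-signed root (serial 0, C=US, O=Example): the trust anchor. */
    static String selfSignedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
        "Vjw=\n" +
        "-----END CERTIFICATE-----";

    /** Sub-CA "OU=Class-1", serial 3, issued by the root. */
    static String subCaCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
        "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
        "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
        "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
        "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
        "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
        "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
        "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
        "-----END CERTIFICATE-----";

    /** End entity "CN=Alice", serial 2, issued by Class-1; the target. */
    static String targetCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
        "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
        "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" +
        "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" +
        "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" +
        "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" +
        "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
        "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" +
        "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" +
        "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" +
        "-----END CERTIFICATE-----";

    /**
     * Top-tier CRL signer: serial 2, issued by the root, with the root's own
     * subject DN and keyUsage cRLSign.  Signs {@code topCrlStr}.
     */
    static String topCrlIssuerCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
        "-----END CERTIFICATE-----";

    /**
     * Sub-tier CRL signer: serial 4, issued by the root, with the Class-1
     * CA's subject DN and keyUsage cRLSign.  Signs {@code subCrlStr}.
     */
    static String subCrlIssuerCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
        "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
        "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
        "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
        "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
        "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
        "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
        "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
        "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
        "rg==\n" +
        "-----END CERTIFICATE-----";

    /** CRL under the root's DN, CRL number 2, revoking serial 5. */
    static String topCrlStr =
        "-----BEGIN X509 CRL-----\n" +
        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
        "-----END X509 CRL-----";

    /** CRL under the Class-1 DN, CRL number 2, revoking serial 4. */
    static String subCrlStr =
        "-----BEGIN X509 CRL-----\n" +
        "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
        "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
        "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
        "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
        "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
        "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
        "ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
        "-----END X509 CRL-----";

    /**
     * Wraps a PEM fixture as a stream for {@link CertificateFactory}.
     * PEM is ASCII by definition, so the bytes are taken in US-ASCII rather
     * than the platform default charset.
     */
    private static InputStream pemStream(String pem) {
        return new ByteArrayInputStream(pem.getBytes(Charset.forName("US-ASCII")));
    }

    /**
     * Builds the path under test: Alice, then the Class-1 sub-CA, then the
     * self-signed root, which is the order {@code CertPathValidator} expects.
     *
     * @return a three-element X.509 certification path
     * @throws CertificateException if a PEM fixture fails to parse
     */
    private static CertPath generateCertificatePath()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate targetCert =
            cf.generateCertificate(pemStream(targetCertStr));
        Certificate subCaCert =
            cf.generateCertificate(pemStream(subCaCertStr));
        Certificate selfSignedCert =
            cf.generateCertificate(pemStream(selfSignedCertStr));
        List<Certificate> chain =
            Arrays.asList(targetCert, subCaCert, selfSignedCert);
        return cf.generateCertPath(chain);
    }

    /**
     * Returns the single trust anchor, the self-signed root, with no name
     * constraints.
     *
     * @throws CertificateException if the root PEM fails to parse
     */
    private static Set<TrustAnchor> generateTrustAnchors()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = (X509Certificate)
            cf.generateCertificate(pemStream(selfSignedCertStr));
        return Collections.singleton(new TrustAnchor(root, null));
    }

    /**
     * Builds the collection CertStore the validator consults: both CRLs plus
     * the two CRL-signing certificates, whose subject DNs match the CRLs'
     * issuer DNs so that each CRL's signer can be located and verified.
     *
     * @throws Exception if a fixture fails to parse or the store cannot be
     *         instantiated
     */
    private static CertStore generateCertificateStore() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<Object> entries = new HashSet<Object>();
        entries.addAll(cf.generateCRLs(pemStream(topCrlStr)));
        entries.addAll(cf.generateCRLs(pemStream(subCrlStr)));
        entries.addAll(cf.generateCertificates(pemStream(topCrlIssuerCertStr)));
        entries.addAll(cf.generateCertificates(pemStream(subCrlIssuerCertStr)));
        return CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(entries));
    }

    /**
     * Validates Alice's two-level chain against the root with CRL-based
     * revocation checking and fails unless the outcome is success or
     * REVOKED.
     *
     * @param args ignored
     * @throws Exception on any outcome other than the two accepted ones
     */
    public static void main(String[] args) throws Exception {
        CertPath path = generateCertificatePath();
        Set<TrustAnchor> anchors = generateTrustAnchors();
        CertStore store = generateCertificateStore();

        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertStore(store);
        params.setRevocationEnabled(true);

        // Validate as of 2009-05-01: after every fixture's notBefore and both
        // CRLs' thisUpdate, well before any expiry.  Calendar months are
        // zero-based; the deprecated Date(109, 5, 1) previously used here
        // actually meant 2009-06-01, contradicting its own comment.
        Calendar when = Calendar.getInstance();
        when.clear();
        when.set(2009, Calendar.MAY, 1);
        params.setDate(when.getTime());

        // CRLs only: OCSP off, CRL Distribution Point fetching on.  Both
        // settings are JVM-global, which is why this test needs its own VM.
        Security.setProperty("ocsp.enable", "false");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException cpve) {
            // Neither Alice (serial 2 under Class-1) nor the sub-CA (serial 3
            // under the root) is listed in its CRL, so a clean validation is
            // the expected outcome.  A REVOKED result is still tolerated, as
            // in the original test; any other reason fails the test.
            // NOTE(review): consider failing on REVOKED as well, so that a
            // regression revoking the wrong serial cannot pass unnoticed.
            if (cpve.getReason() != BasicReason.REVOKED) {
                throw new Exception(
                    "unexpect exception, should be a REVOKED CPVE", cpve);
            }
        }
    }
}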
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular dependency support needed
* @author Xuelei Fan
* @run main/othervm CircularCRLTwoLevelRevoked
*/
import java.io.*;
import java.net.SocketException;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
public class CircularCRLTwoLevelRevoked {
// Fixtures for the two-level revoked case.  Every DN is under
// C=US, O=Example; all material is test-only, signed with
// md5WithRSAEncryption (1.2.840.113549.1.1.4) over 1024-bit RSA keys.

// Self-signed root, serial 0: the trust anchor.
static String selfSignedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
"Vjw=\n" +
"-----END CERTIFICATE-----";
// Sub-CA "OU=Class-1", serial 3, issued by the root; not listed in topCrlStr.
static String subCaCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
"8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
"Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
"P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
"UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
"hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
"7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
"-----END CERTIFICATE-----";
// The target: "CN=Susan", serial 4, issued by Class-1.  Serial 4 is the
// one entry of subCrlStr, so this certificate is revoked.
static String targetCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
"MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG\n" +
"9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR\n" +
"1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ\n" +
"+rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo\n" +
"FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is\n" +
"tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
"9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f\n" +
"5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi\n" +
"tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==\n" +
"-----END CERTIFICATE-----";
// Top-tier CRL signer: serial 2, issued by the root, carrying the root's
// own subject DN and keyUsage cRLSign.  Signs topCrlStr.
static String topCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
"-----END CERTIFICATE-----";
// Sub-tier CRL signer: serial 4, issued by the root, carrying the Class-1
// CA's subject DN and keyUsage cRLSign.  Signs subCrlStr.
static String subCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
"LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
"4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
"6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
"jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
"CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
"BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
"QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
"bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
"rg==\n" +
"-----END CERTIFICATE-----";
// CRL under the root's DN, CRL number 2, revoking serial 5; no AKID.
static String topCrlStr =
"-----BEGIN X509 CRL-----\n" +
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
"-----END X509 CRL-----";
// CRL under the Class-1 DN, CRL number 2, revoking serial 4 (superseded);
// no AKID.  This is the entry that revokes the target above.
static String subCrlStr =
"-----BEGIN X509 CRL-----\n" +
"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
"NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
"MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
"aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
"nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
"ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
"-----END X509 CRL-----";
private static CertPath generateCertificatePath()
throws CertificateException {
// generate certificate from cert strings
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is;
is = new ByteArrayInputStream(targetCertStr.getBytes());
Certificate targetCert = cf.generateCertificate(is);
is = new ByteArrayInputStream(subCaCertStr.getBytes());
Certificate subCaCert = cf.generateCertificate(is);
is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
Certificate selfSignedCert = cf.generateCertificate(is);
// generate certification path
List<Certificate> list = Arrays.asList(new Certificate[] {
targetCert, subCaCert, selfSignedCert});
return cf.generateCertPath(list);
}
private static Set<TrustAnchor> generateTrustAnchors()
throws CertificateException {
// generate certificate from cert string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(selfSignedCertStr.getBytes());
Certificate selfSignedCert = cf.generateCertificate(is);
// generate a trust anchor
TrustAnchor anchor =
new TrustAnchor((X509Certificate)selfSignedCert, null);
return Collections.singleton(anchor);
}
private static CertStore generateCertificateStore() throws Exception {
Collection entries = new HashSet();
// generate CRL from CRL string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(topCrlStr.getBytes());
Collection mixes = cf.generateCRLs(is);
entries.addAll(mixes);
is = new ByteArrayInputStream(subCrlStr.getBytes());
mixes = cf.generateCRLs(is);
entries.addAll(mixes);
// intermediate certs
is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
mixes = cf.generateCertificates(is);
entries.addAll(mixes);
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
mixes = cf.generateCertificates(is);
entries.addAll(mixes);
return CertStore.getInstance("Collection",
new CollectionCertStoreParameters(entries));
}
public static void main(String args[]) throws Exception {
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
throw new Exception("unexpected status, should be REVOKED");
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
}
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
Certificates and CRLs
Here lists the Certificates and CRLs, which was generated by generate.sh,
used in the test cases.
The generate.sh depends on openssl, and it should be run under ksh. The
script will create many directories and files, please run it in a
directory outside of JDK workspace.
1. root certifiate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,407A749DF8F6338E
4ukHU4tkRAh2w17NEjPTICMbVtoS24bNk11Ywd7OzLV0aXnes2nSAV0KnXqnPTP8
0VdoMVpp7r/jdaJvd3oL7MF5WcURzcOx2rirg+HeD5lHv0Blrh1FADcI1CQNsi8b
WZHVuCc1+feOKxixPB8Fge5lKeeU554iTTk5XjOxAKO6GFn8FInj7b3+Zse4A/1E
AOSKVSIWbx71owQyzjrYfoGE/oJVaSRraUbJL4xKcSUYdK+7Qp6h/HI1Cne2DZKu
UmApdQnZbxa8hjuLqOiQFu6TVpzJh2UOqu1PEmjJgEM4DQQ9C8AgHdkVYitcLjiI
b90H7JFl3EekMbjKEX/w2Z6y4RzFC9oGpJL/QpKvlq6sY7htPd1MK2UbWVE7/yq/
holkrvySI1S7BFqKEdIY8Oe0tCNlmELdmL1+yVnQT0LnAX/bkzLNDw1n5J4WpLSX
JdsgAXmw1hTh24tnT1E6IUd8HM4QyVrvsqCuEHTSMix1u6QCLvdlw4P6yA39ruiY
xbBIcb5PHic0UrcdElRCzXLtW6tRe/98ET7WDEJOLudSUOSG3CKwrEX/kekBqJ11
pAO34wLW5gsPwk2AQ1fAaNwHtGBlvKXnmbyuNitytA3/oSENSXnDHD2tIe1Jtep6
yrfB9IqYEhINRi9BRR4rCkUwkBSRi4bRI7AzRP8pImG+iCDN6sT7T/mUmTTgFVLX
NxPSGxbLxbidxnBU0B2JA3PfXqtt7J2Q5n0t3R3SC3iUxURGOvvccA3TcIWd4H75
yQZNzvSIfTG3RhIM0as8/Ahad8hsdE/MqgW50yhzyjNF/UkvFLV8mw==
-----END RSA PRIVATE KEY-----
2. root crl issuer and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,96FBBE554515B5A4
cDfhsWvWCNruFN+9gSWSEz8kffFrqnvp9sxQx2/EwBrC8HNdQQqQqhkcb5moALz0
KxAFQMmUG476v1zRv4ZRIpmT9gYhuqSpqKVQLRzFhe9wUDsCOcNCSfqK4I4blt+R
gqRF+o97iNun+T2QXvku6B72CgQhJQHrEifoSTSGYpKGIVnhBmBPgadKn864zrv0
ZvwjjRtgyC6/QTfKcXTW+8TIa8Bg/821ZJ0FcNsJs+2tQnki/KubRBIo7rGXGcxO
f5PtO8BTjsw6G9TMuHKPlozOgGBgkQzf3gNXOLhdjwSDJUlTLLx5ugal+q0VVK7a
Np8rK1SLrbC9ReI/VGD8BBW8qHRYhJny2JQ0ub8rXIptILNxH4d8r5ye3NaoskVN
S4i5Jr5bgr0ijZ6kdECDiAoUo6UtTX1O9nbZA2AyJLch8gfNs+WeJLDmG9JPGVsW
moGPGev1ykTc11Hn8K6S0errWD778B+k0ODLWg3EP8E1GFgdChTdMz2fT+YNrvQ/
0iJATduzl4BN9eVB2qnadDAXfWm9kwkaX915ePKU1RpEnU3WygSnze8MfWshVJTn
2F/meijLWgqrb4fmyd6KoDeqP5a+ByAPAiw/oAtemWSDviDc6VpXcXCL8dYoIBOV
ehg/3Z/DmjfVFHdl5PWQfHiuVbIJbr/soQiTvDsjypYDi/aiY729ils2IxmzIQR8
iLhOtBr6yd9qfqQ0761cYrdW5HlsTHOyZFctKxIf98ybzp+bJlskH8ifA1kgNLs3
18T2gS+SkKqITi6TmD4Fkob+UtXPyzsb/8g7cNSv82k=
-----END RSA PRIVATE KEY-----
3. root CRL issued by root crl issuer.
-----BEGIN X509 CRL-----
MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE
ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX
DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ
KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY
CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg
oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=
-----END X509 CRL-----
4. subca certificate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AB196C2474B93EE0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-----END RSA PRIVATE KEY-----
5. crl issuer of subca, the certificate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8C523D20E1687EC3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-----END RSA PRIVATE KEY-----
6. CLR issued by subca CRL issuer
-----BEGIN X509 CRL-----
MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE
ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw
NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO
MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr
aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX
nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa
ARGr6Qu68MYGtLMC6ZqP3u0=
-----END X509 CRL-----
7. dumca certificate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8CE4AB01D39EC5B3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-----END RSA PRIVATE KEY-----
8. crl issuer for dumca, the certificate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FE34D030ADCF25E5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-----END RSA PRIVATE KEY-----
9. end entity certificate issued by subca, Alice
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3616B3F098ED6707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-----END RSA PRIVATE KEY-----
10. end entity certificate issued by subca, Bob
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3DD8B45BA8A57B72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-----END RSA PRIVATE KEY-----
10. end entity certificate issued by subca, Susan
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A03CB9ABBA747E7A
YhChWe6DOA1Ck5BAjWrHmPkHcS9x5pDw81p31gSf7SE9MCwfsvAIq9jZ7xol3cIJ
5dhbXtBaJIRghke11McQ6zM2DE+9izCO4itedw94i95jSzgpEHTk6gwp9MuomSsm
ytrqIhwEtVC8PaQmywqshKWnpDn3tZESwySNZjUjzHhyzn2Vuyrb0WaHmw3uk33O
7muGNkmn/1yP1qRyJ3YSGcMNpk2zvJDZS5CfJH9sb00+LL4PTKg4dymw4Vjk7b5f
P5JGLbFCBbQ73CwSNLsQGV4qGz7AnRhsmPmNughshOoLKSEAxUsRHE67qyl+Flx0
KZEGeKZUJD9fzgMMdNoYk0Pg9zxzM1oNewxsFk2tTrtMfGq+XFokWKfJoQWguStY
BJWETGrSbXiDMIE93gX40C2zlT06ziOYfFCXeVRcBarolonTrOXt3RZzsQpY4lTz
AAGrb2I9ZByL59ujfniTqljtBpuCKAm+jS0ofcGlQQ0MawtSOeSbQkFKHcKpcK0V
cKMFL3sEzeJf+1LCt7Xnt4gaoXtTpVoWVWFZkghDSmIAHzKaWHAHn5PcUjwAAZHb
47IRq+pe1WLc+tb61+E2jkhFC06QOSxmWSV3CHfMZTxkXX7B7RCiqs+tVH5Vlj/C
ZhkSfmANUVPW1H0KXsDq6lzrEnvaZXZIzTLvj+OsLcG1anXdwPn0NPikfRU0GTvA
fCzg7ZWlexJgl5I48X7AzpHpTPGAHGeNpYjzGWbxmC0KREcAM0yD15uFVac/ZIVI
TO0icmSiRoshC70zo9/u2hUP1e4+s1vl0laq0WjGfFORE1JZ1Cs2Dg==
-----END RSA PRIVATE KEY-----
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
#!/bin/ksh
#
# needs ksh to run the script.
# generate a self-signed root certificate
if [ ! -f root/root_cert.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
-out root/root_cert.pem -subj "/C=US/O=Example" \
-config openssl.cnf -reqexts cert_issuer -days 7650 \
-passin pass:passphrase -passout pass:passphrase
fi
# generate a sele-issued root crl issuer certificate
if [ ! -f root/top_crlissuer_cert.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
-out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
-extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate subca cert issuer and crl iuuser certificates
if [ ! -f subca/subca_cert.pem ]; then
if [ ! -d subca ]; then
mkdir subca
fi
openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
-out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
-extensions cert_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
-CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
-out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
-extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate dumca cert issuer and crl iuuser certificates
if [ ! -f dumca/dumca_cert.pem ]; then
if [ ! -d sumca ]; then
mkdir dumca
fi
openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
-out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
-extensions cert_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out dumca/dumca_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
-out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
-extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate certifiacte for Alice
if [ ! -f subca/alice/alice_cert.pem ]; then
if [ ! -d subca/alice ]; then
mkdir -p subca/alice
fi
openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
-out subca/alice/alice_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/alice/alice_req.pem \
-extfile openssl.cnf -extensions ee_of_subca \
-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
-out subca/alice/alice_cert.pem -CAcreateserial \
-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi
# generate certifiacte for Bob
if [ ! -f subca/bob/bob_cert.pem ]; then
if [ ! -d subca/bob ]; then
mkdir -p subca/bob
fi
openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
-out subca/bob/bob_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/bob/bob_req.pem \
-extfile openssl.cnf -extensions ee_of_subca \
-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
-out subca/bob/bob_cert.pem -CAcreateserial \
-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi
# generate certifiacte for Susan
if [ ! -f subca/susan/susan_cert.pem ]; then
if [ ! -d subca/susan ]; then
mkdir -p subca/susan
fi
openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
-out subca/susan/susan_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
-extensions ee_of_subca -CA subca/subca_cert.pem \
-CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
-CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate the top CRL
if [ ! -f root/top_crl.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
if [ ! -f root/index.txt ]; then
touch root/index.txt
echo 00 > root/crlnumber
fi
openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
-passin pass:passphrase
fi
# revoke dumca
openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
-name ca_top -crl_reason superseded \
-keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
-passin pass:passphrase
openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
-passin pass:passphrase
# revoke for subca
if [ ! -f subca/subca_crl.pem ]; then
if [ ! -d subca ]; then
mkdir subca
fi
if [ ! -f subca/index.txt ]; then
touch subca/index.txt
echo 00 > subca/crlnumber
fi
openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
-passin pass:passphrase
fi
# revoke susan
openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
-name ca_subca -crl_reason superseded \
-keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
-passin pass:passphrase
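Review bot: The guard `if [ ! -d sumca ]; then` in the dumca block tests a directory name that nothing in the script creates, so the check is dead and `mkdir dumca` runs every time dumca/dumca_cert.pem is missing, failing with a non-fatal error if the directory already exists; it should read `if [ ! -d dumca ]; then`. The `openssl ca -revoke` steps for dumca and susan are the only operations not wrapped in an `if [ ! -f ... ]` guard, so a second run of the script re-issues the revocations against an index that already records them and only the trailing `-gencrl` calls succeed; presumably that is acceptable for a one-off fixture generator, but a header comment such as `# intended to be run once, in an empty directory outside the JDK workspace` would make that explicit. The `-passin pass:passphrase` literals are fine for throwaway test keys, but a comment saying so would stop a reader from treating them as a pattern to copy.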
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
#
# OpenSSL configuration file.
#
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./top
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ ca_top ]
dir = ./root
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ ca_subca ]
dir = ./subca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NO
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = A-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign
[ cert_issuer ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign
[ crl_issuer ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
[ ee_of_subca ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
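Review bot: `[ crl_ext ]` is declared but none of the CA sections (`[ CA_default ]`, `[ ca_top ]`, `[ ca_subca ]`) references it with `crl_extensions = crl_ext`, so the `openssl ca -gencrl` calls in generate.sh would not add an authorityKeyIdentifier to the generated CRLs. If the AKID comparison this commit adds to DistributionPointFetcher is meant to be exercised by CRLs that carry an AKID, add `crl_extensions = crl_ext` under `[ ca_top ]` and `[ ca_subca ]`; if the omission is deliberate (CRL without AKID versus certificate with AKID), a comment on `[ crl_ext ]` saying it is intentionally unused would save the next reader the same question. Separately, `default_md = sha1` is set only in the CA sections and not under `[ req ]`, and the embedded certificates and CRLs appear to carry the md5WithRSA signature algorithm identifier in their DER, so these fixtures will stop validating once MD5 signatures are rejected during path validation; `default_md = sha1` under `[ req ]` plus `-sha1` on the `openssl x509 -req` calls would avoid that.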