8349533: Refactor validator tests shell files to java

Reviewed-by: weijun

Author: myankelev

test/jdk/sun/security/validator/CertReplace.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,29 +21,186 @@
  * questions.
  */
 
-/*
- * This test is called by certreplace.sh
- */
-
 import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
 import java.security.KeyStore;
+import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.util.Arrays;
 import java.util.ArrayList;
 import java.util.List;
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.security.CertUtils;
+import jdk.test.lib.security.KeyStoreUtils;
 import sun.security.validator.Validator;
 
+/*
+ * @test id=certreplace
+ * @bug 6948803
+ * @summary CertPath validation regression caused by SHA1 replacement root and MD2 disable feature
+ * @library /test/lib
+ * @modules java.base/sun.security.validator
+ *
+ * @run main CertReplace certreplace.jks certreplace.certs
+ */
+
+/*
+ * @test id=samedn
+ * @bug 6958869
+ * @summary Regression: PKIXValidator fails when multiple trust anchors have same dn
+ * @library /test/lib
+ * @modules java.base/sun.security.validator
+ *
+ * @run main CertReplace samedn.jks samedn1.certs
+ * @run main CertReplace samedn.jks samedn2.certs
+ */
+
 public class CertReplace {
 
+    private static final String SAMEDN_JKS = "samedn.jks";
+    private static final String CERTREPLACE_JKS = "certreplace.jks";
+    private static final String PASSWORD = "changeit";
+    private static final char[] PASSWORD_CHAR_ARR = PASSWORD.toCharArray();
+
+    /**
+     * This method creates certs for the Cert Replace test
+     *
+     * @throws Exception
+     */
+    private static void certReplace() throws Exception {
+
+        final String ktBaseParameters = "-storepass " + PASSWORD + " " +
+                                        "-keypass " + PASSWORD + " " +
+                                        "-keystore " + CERTREPLACE_JKS + " " +
+                                        "-keyalg rsa ";
+
+        final Path keystoreFilePath = Paths.get(CERTREPLACE_JKS);
+        Files.deleteIfExists(keystoreFilePath);
+
+        // 1. Generate 3 aliases in a keystore: ca, int, user
+        SecurityTools.keytool(ktBaseParameters +
+                              "-genkeypair -alias ca -dname CN=CA -keyalg rsa -sigalg md2withrsa -ext bc");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-genkeypair -alias int -dname CN=Int -keyalg rsa");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-genkeypair -alias user -dname CN=User -keyalg rsa");
+
+        final KeyStore keyStore = KeyStoreUtils.loadKeyStore(CERTREPLACE_JKS, PASSWORD);
+
+        // 2. Signing: ca -> int -> user
+
+        SecurityTools.keytool(ktBaseParameters +
+                              "-certreq -alias int -file int.req");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-gencert -rfc -alias ca -ext bc -infile int.req " +
+                              "-outfile int.cert");
+
+        //putting the certificate in the keystore
+        try (final FileInputStream certInputStream = new FileInputStream("int.cert")) {
+            final Certificate[] certs = new Certificate[]{
+                    CertUtils.getCertFromStream(
+                            certInputStream
+                    )
+            };
+
+            final PrivateKey privateKey = (PrivateKey) keyStore.getKey("int", PASSWORD_CHAR_ARR);
+            keyStore.setKeyEntry("int", privateKey, PASSWORD_CHAR_ARR, certs);
+            keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR);
+        }
+
+        SecurityTools.keytool(ktBaseParameters +
+                              "-certreq -alias user -file user.req");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-gencert -rfc -alias int " +
+                              "-infile user.req " +
+                              "-outfile certreplace.certs"); // this will create certreplace.certs which is later appended
+
+        // 3. Create the certchain file
+        final Path certPath = Paths.get("certreplace.certs");
+
+        Files.write(certPath, Files.readAllBytes(Path.of("int.cert")), StandardOpenOption.APPEND);
+
+        final String outputCa = SecurityTools.keytool(ktBaseParameters +
+                                                      "-export -rfc -alias ca").getOutput();
+        Files.write(certPath, outputCa.getBytes(), StandardOpenOption.APPEND);
+
+        // 4. Upgrade ca from MD2withRSA to SHA256withRSA, remove other aliases and make this keystore the cacerts file
+        keyStore.deleteEntry("int");
+        keyStore.deleteEntry("user");
+        keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR);
+
+        SecurityTools.keytool(ktBaseParameters +
+                              "-selfcert -alias ca");
+    }
+
+    /**
+     * This method creates certs for the Same DN test
+     *
+     * @throws Exception
+     */
+    private static void sameDn() throws Exception {
+
+        final String ktBaseParameters = "-storepass " + PASSWORD + " " +
+                                        "-keypass " + PASSWORD + " " +
+                                        "-keystore " + SAMEDN_JKS + " " +
+                                        "-keyalg rsa ";
+
+        final Path keystoreFilePath = Paths.get(SAMEDN_JKS);
+        Files.deleteIfExists(keystoreFilePath);
+
+        // 1. Generate 3 aliases in a keystore: ca1, ca2, user. The CAs' startdate
+        // is set to one year ago so that they are expired now
+        SecurityTools.keytool(ktBaseParameters +
+                              "-genkeypair -alias ca1 -dname CN=CA -keyalg rsa " +
+                              "-sigalg md5withrsa -ext bc -startdate -1y");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-genkeypair -alias ca2 -dname CN=CA -keyalg rsa " +
+                              "-sigalg sha1withrsa -ext bc -startdate -1y");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-genkeypair -alias user -dname CN=User -keyalg rsa");
+
+        // 2. Signing: ca -> user. The startdate is set to 1 minute in the past to ensure the certificate
+        // is valid at the time of validation and to prevent any issues with timing discrepancies
+        // Automatically saves the certs to the certs files
+
+        SecurityTools.keytool(ktBaseParameters +
+                              "-certreq -alias user -file user.req");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-gencert -rfc -alias ca1 " +
+                              "-startdate -1M -infile user.req -outfile samedn1.certs");
+        SecurityTools.keytool(ktBaseParameters +
+                              "-gencert -rfc -alias ca2 " +
+                              "-startdate -1M -infile user.req -outfile samedn2.certs");
+
+        // 3. Remove user for cacerts
+        final KeyStore keyStore = KeyStoreUtils.loadKeyStore(SAMEDN_JKS, PASSWORD);
+        keyStore.deleteEntry("user");
+        keyStore.store(new FileOutputStream(CERTREPLACE_JKS), PASSWORD_CHAR_ARR);
+    }
+
     /**
      * @param args {cacerts keystore, cert chain}
      */
     public static void main(String[] args) throws Exception {
 
+        if (args[0].equals(CERTREPLACE_JKS)) {
+            certReplace();
+        } else if (args[0].equals(SAMEDN_JKS)) {
+            sameDn();
+        } else {
+            throw new RuntimeException("Not recognised test " + args[0]);
+        }
+
         KeyStore ks = KeyStore.getInstance("JKS");
-        ks.load(new FileInputStream(args[0]), "changeit".toCharArray());
+        try (final FileInputStream certInputStream = new FileInputStream(args[0])) {
+            ks.load(certInputStream, PASSWORD_CHAR_ARR);
+        }
         Validator v = Validator.getInstance
             (Validator.TYPE_PKIX, Validator.VAR_GENERIC, ks);
         X509Certificate[] chain = createPath(args[1]);
@@ -57,9 +214,10 @@ public static void main(String[] args) throws Exception {
     public static X509Certificate[] createPath(String chain) throws Exception {
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
         List list = new ArrayList();
-        for (Certificate c: cf.generateCertificates(
-                new FileInputStream(chain))) {
-            list.add((X509Certificate)c);
+        try (final FileInputStream certInputStream = new FileInputStream(chain)) {
+            for (Certificate c : cf.generateCertificates(certInputStream)) {
+                list.add((X509Certificate) c);
+            }
         }
         return (X509Certificate[]) list.toArray(new X509Certificate[0]);
     }