JDK-8365072: Refactor tests to use PEM API (Phase 2)

10. test/jdk/sun/security/ssl/X509TrustManagerImpl/ComodoHacker.java
11. test/jdk/javax/net/ssl/interop/ClientHelloInterOp.java
	* test/jdk/javax/net/ssl/interop/ClientHelloBufferUnderflowException.java
       	* test/jdk/javax/net/ssl/interop/ClientHelloChromeInterOp.java
12. test/jdk/sun/security/rsa/InvalidBitString.java

Author: myankelev

test/jdk/javax/net/ssl/interop/ClientHelloBufferUnderflowException.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
  * @test
  * @bug 8215790 8219389
  * @summary Verify exception
+ * @enablePreview
  * @library /test/lib
  * @modules java.base/sun.security.util
  * @run main/othervm ClientHelloBufferUnderflowException

test/jdk/javax/net/ssl/interop/ClientHelloChromeInterOp.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
  * @test
  * @bug 8169362
  * @summary Interop automated testing with Chrome
+ * @enablePreview
  * @library /test/lib
  * @modules jdk.crypto.ec
  *          java.base/sun.security.util

test/jdk/javax/net/ssl/interop/ClientHelloInterOp.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,17 +21,22 @@
  * questions.
  */
 
-import javax.net.ssl.*;
-import javax.net.ssl.SSLEngineResult.*;
-import java.io.*;
-import java.nio.*;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManagerFactory;
+import java.nio.ByteBuffer;
 import java.security.KeyStore;
+import java.security.PEMDecoder;
+import java.security.PEMRecord;
 import java.security.PrivateKey;
-import java.security.KeyFactory;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.spec.*;
-import java.util.Base64;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.RSAPrivateKey;
 
 public abstract class ClientHelloInterOp {
 
@@ -179,6 +184,8 @@ public abstract class ClientHelloInterOp {
         "RSA"
         };
 
+    private static final PEMDecoder pemDecoder = PEMDecoder.of();
+
     /*
      * Run the test case.
      */
@@ -251,13 +258,9 @@ protected SSLContext createSSLContext(
 
         KeyStore ts = null;     // trust store
         KeyStore ks = null;     // key store
-        char passphrase[] = "passphrase".toCharArray();
-
-        // Generate certificate from cert string.
-        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        char[] passphrase = "passphrase".toCharArray();
 
         // Import the trused certs.
-        ByteArrayInputStream is;
         if (trustedMaterials != null && trustedMaterials.length != 0) {
             ts = KeyStore.getInstance("JKS");
             ts.load(null, null);
@@ -266,13 +269,8 @@ protected SSLContext createSSLContext(
                     new Certificate[trustedMaterials.length];
             for (int i = 0; i < trustedMaterials.length; i++) {
                 String trustedCertStr = trustedMaterials[i];
-
-                is = new ByteArrayInputStream(trustedCertStr.getBytes());
-                try {
-                    trustedCert[i] = cf.generateCertificate(is);
-                } finally {
-                    is.close();
-                }
+                // Generate certificate from cert string.
+                trustedCert[i] = pemDecoder.decode(trustedCertStr, X509Certificate.class);
 
                 ts.setCertificateEntry("trusted-cert-" + i, trustedCert[i]);
             }
@@ -295,21 +293,16 @@ protected SSLContext createSSLContext(
                 String keyCertStr = keyMaterialCerts[i];
 
                 // generate the private key.
-                PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
-                    Base64.getMimeDecoder().decode(keyMaterialKeys[i]));
-                KeyFactory kf =
-                    KeyFactory.getInstance(keyMaterialKeyAlgs[i]);
-                PrivateKey priKey = kf.generatePrivate(priKeySpec);
+                String keyMaterialStrPEMFormat = new PEMRecord("PRIVATE KEY", keyMaterialKeys[i]).toString();
 
-                // generate certificate chain
-                is = new ByteArrayInputStream(keyCertStr.getBytes());
-                Certificate keyCert = null;
-                try {
-                    keyCert = cf.generateCertificate(is);
-                } finally {
-                    is.close();
-                }
+                PrivateKey priKey = switch (keyMaterialKeyAlgs[i]) {
+                    case "RSA" -> pemDecoder.decode(keyMaterialStrPEMFormat, RSAPrivateKey.class);
+                    case "EC" -> pemDecoder.decode(keyMaterialStrPEMFormat, ECPrivateKey.class);
+                    default -> pemDecoder.decode(keyMaterialStrPEMFormat, PrivateKey.class);
+                };
 
+                // generate certificate chain
+                Certificate keyCert  = pemDecoder.decode(keyCertStr, X509Certificate.class);
                 Certificate[] chain = new Certificate[] { keyCert };
 
                 // import the key entry.

test/jdk/sun/security/rsa/InvalidBitString.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,15 +23,15 @@
 
 /* @test
  * @summary Validation of signatures succeed when it should fail
+ * @enablePreview
  * @bug 6896700
  */
 
-import java.io.InputStream;
-import java.io.ByteArrayInputStream;
+import java.security.PEMDecoder;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
 import java.security.PublicKey;
 import java.security.SignatureException;
+import java.security.cert.X509Certificate;
 
 public class InvalidBitString {
 
@@ -87,16 +87,16 @@ public class InvalidBitString {
         "ZAM6mgkuSY7/vdnsiJtU\n" +
         "-----END CERTIFICATE-----\n";
 
-    public static void main(String args[]) throws Exception {
-
-        Certificate signer = generate(signerCertStr);
+    public static void main(String[] args) throws Exception {
+        final PEMDecoder pemDecoder = PEMDecoder.of();
+        Certificate signer = pemDecoder.decode(signerCertStr, X509Certificate.class);
 
         // the valid certificate
-        Certificate normal = generate(normalCertStr);
+        Certificate normal = pemDecoder.decode(normalCertStr, X509Certificate.class);
         // the invalid certificate with extra signature bits
-        Certificate longer = generate(longerCertStr);
+        Certificate longer = pemDecoder.decode(longerCertStr, X509Certificate.class);
         // the invalid certificate without enough signature bits
-        Certificate shorter = generate(shorterCertStr);
+        Certificate shorter = pemDecoder.decode(shorterCertStr, X509Certificate.class);
 
         if (!test(normal, signer, " normal", true) ||
                 !test(longer, signer, " longer", false) ||
@@ -105,19 +105,6 @@ public static void main(String args[]) throws Exception {
         }
     }
 
-    private static Certificate generate(String certStr) throws Exception {
-        InputStream is = null;
-        try {
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            is = new ByteArrayInputStream(certStr.getBytes());
-            return cf.generateCertificate(is);
-        } finally {
-            if (is != null) {
-                is.close();
-            }
-        }
-    }
-
     private static boolean test(Certificate target, Certificate signer,
             String title, boolean expected) throws Exception {
         System.out.print("Checking " + title + ": expected: " +

test/jdk/sun/security/ssl/X509TrustManagerImpl/ComodoHacker.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,21 +25,18 @@
  * @test
  * @bug 7123519
  * @summary Problem with java/classes_security
+ * @enablePreview
  * @run main/othervm ComodoHacker PKIX
  * @run main/othervm ComodoHacker SunX509
  */
 
-import java.net.*;
-import java.util.*;
-import java.io.*;
-import javax.net.ssl.*;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import java.security.KeyStore;
+import java.security.PEMDecoder;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
-import java.security.spec.*;
-import java.security.interfaces.*;
 
 public class ComodoHacker {
     // DigiNotar Root CA, untrusted root certificate
@@ -213,6 +210,8 @@ public class ComodoHacker {
         "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" +
         "-----END CERTIFICATE-----";
 
+    private static final PEMDecoder pemDecoder = PEMDecoder.of();
+
     private static String tmAlgorithm;               // trust manager
 
     public static void main(String args[]) throws Exception {
@@ -253,19 +252,15 @@ private static void parseArguments(String[] args) {
     }
 
     private static X509TrustManager getTrustManager() throws Exception {
-        // generate certificate from cert string
-        CertificateFactory cf = CertificateFactory.getInstance("X.509");
 
         // create a key store
         KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, null);
 
+        // generate certificate from cert string
+        Certificate trustedCert = pemDecoder.decode(trustedCertStr, X509Certificate.class);
         // import the trusted cert
-        try (ByteArrayInputStream is =
-                new ByteArrayInputStream(trustedCertStr.getBytes())) {
-            Certificate trustedCert = cf.generateCertificate(is);
-            ks.setCertificateEntry("RSA Export Signer", trustedCert);
-        }
+        ks.setCertificateEntry("RSA Export Signer", trustedCert);
 
         // create the trust manager
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
@@ -276,28 +271,11 @@ private static X509TrustManager getTrustManager() throws Exception {
 
     private static X509Certificate[] getFraudulentChain() throws Exception {
         // generate certificate from cert string
-        CertificateFactory cf = CertificateFactory.getInstance("X.509");
-
         X509Certificate[] chain = new X509Certificate[4];
-        try (ByteArrayInputStream is =
-                new ByteArrayInputStream(targetCertStr.getBytes())) {
-            chain[0] = (X509Certificate)cf.generateCertificate(is);
-        }
-
-        try (ByteArrayInputStream is =
-                new ByteArrayInputStream(intermediateCertStr.getBytes())) {
-            chain[1] = (X509Certificate)cf.generateCertificate(is);
-        }
-
-        try (ByteArrayInputStream is =
-                new ByteArrayInputStream(compromisedCertStr.getBytes())) {
-            chain[2] = (X509Certificate)cf.generateCertificate(is);
-        }
-
-        try (ByteArrayInputStream is =
-                new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) {
-            chain[3] = (X509Certificate)cf.generateCertificate(is);
-        }
+        chain[0] = pemDecoder.decode(targetCertStr, X509Certificate.class);
+        chain[1] = pemDecoder.decode(intermediateCertStr, X509Certificate.class);
+        chain[2] = pemDecoder.decode(compromisedCertStr, X509Certificate.class);
+        chain[3] = pemDecoder.decode(untrustedCrossCertStr, X509Certificate.class);
 
         return chain;
     }