Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java')
-rw-r--r-- | bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java | 452 |
1 files changed, 452 insertions, 0 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
new file mode 100644
index 0000000..df8e8b5
--- /dev/null
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
@@ -0,0 +1,452 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralSubtree; +import org.bouncycastle.jce.provider.PKIXNameConstraintValidator; +import org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException; +import org.bouncycastle.util.test.SimpleTest; + +/** + * Test class for {@link PKIXNameConstraintValidator}. + * <p> + * The field testXYZ is the name to test. + * <p> + * The field testXYZIsConstraint must be tested if it is permitted and excluded. + * <p> + * The field testXYZIsNotConstraint must be tested if it is not permitted and + * not excluded. + * <p> + * Furthermore there are tests for the intersection and union of test names. + * + */ +public class PKIXNameConstraintsTest + extends SimpleTest +{ + + private final static String testEmail = "test@abc.test.com"; + + private final static String testEmailIsConstraint[] = + { "test@abc.test.com", "abc.test.com", ".test.com" }; + + private final static String testEmailIsNotConstraint[] = + { ".abc.test.com", "www.test.com", "test1@abc.test.com", "bc.test.com" }; + + private final static String email1[] = + { "test@test.com", "test@test.com", "test@test.com", "test@abc.test.com", + "test@test.com", "test@test.com", ".test.com", ".test.com", + ".test.com", ".test.com", "test.com", "abc.test.com", + "abc.test1.com", "test.com", "test.com", ".test.com" }; + + private final static String email2[] = + { "test@test.abc.com", "test@test.com", ".test.com", ".test.com", + "test.com", "test1.com", "test@test.com", ".test.com", + ".test1.com", "test.com", "test.com", ".test.com", ".test.com", + "test1.com", ".test.com", "abc.test.com" }; + + private final static String emailintersect[] = + { null, "test@test.com", null, "test@abc.test.com", "test@test.com", null, + null, ".test.com", null, null, "test.com", "abc.test.com", null, + null, null, "abc.test.com" }; + + private 
final static String emailunion[][] = + { + { "test@test.com", "test@test.abc.com" }, + { "test@test.com" }, + { "test@test.com", ".test.com" }, + { ".test.com" }, + { "test.com" }, + { "test@test.com", "test1.com" }, + { ".test.com", "test@test.com" }, + { ".test.com" }, + { ".test.com", ".test1.com" }, + { ".test.com", "test.com" }, + { "test.com" }, + { ".test.com" }, + { ".test.com", "abc.test1.com" }, + { "test1.com", "test.com" }, + { ".test.com", "test.com" }, + { ".test.com" } }; + + private final static String[] dn1 = + { "O=test org, OU=test org unit, CN=John Doe" }; + + private final static String[] dn2 = + { "O=test org, OU=test org unit" }; + + private final static String[][] dnUnion = + { + { "O=test org, OU=test org unit" } }; + + private final static String[] dnIntersection = + { "O=test org, OU=test org unit, CN=John Doe" }; + + private final static String testDN = "O=test org, OU=test org unit, CN=John Doe"; + + private final static String testDNIsConstraint[] = + { "O=test org, OU=test org unit", + "O=test org, OU=test org unit, CN=John Doe" }; + + private final static String testDNIsNotConstraint[] = + { "O=test org, OU=test org unit, CN=John Doe2", + "O=test org, OU=test org unit2", + "OU=test org unit, O=test org, CN=John Doe", + "O=test org, OU=test org unit, CN=John Doe, L=USA" }; + + private final static String testDNS = "abc.test.com"; + + private final static String testDNSIsConstraint[] = + { "test.com", "abc.test.com", "test.com" }; + + private final static String testDNSIsNotConstraint[] = + { "wwww.test.com", "ww.test.com", "www.test.com" }; + + private final static String dns1[] = + { "www.test.de", "www.test1.de", "www.test.de" }; + + private final static String dns2[] = + { "test.de", "www.test.de", "www.test.de" }; + + private final static String dnsintersect[] = + { "www.test.de", null, null }; + + private final static String dnsunion[][] = + { + { "test.de" }, + { "www.test1.de", "www.test.de" }, + { "www.test.de" } }; + + 
private final static String testURI = "http://karsten:password@abc.test.com:8080"; + + private final static String testURIIsConstraint[] = + { "abc.test.com", ".test.com" }; + + private final static String testURIIsNotConstraint[] = + { "xyz.test.com", ".abc.test.com" }; + + private final static String uri1[] = + { "www.test.de", ".test.de", "test1.de", ".test.de" }; + + private final static String uri2[] = + { "test.de", "www.test.de", "test1.de", ".test.de" }; + + private final static String uriintersect[] = + { null, "www.test.de", "test1.de", ".test.de" }; + + private final static String uriunion[][] = + { + { "www.test.de", "test.de" }, + { ".test.de" }, + { "test1.de" }, + { ".test.de" } }; + + private final static byte[] testIP = + + { (byte) 192, (byte) 168, 1, 2 }; + + private final static byte[][] testIPIsConstraint = + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0 }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 4 } }; + + private final static byte[][] testIPIsNotConstraint = + { + { (byte) 192, (byte) 168, 3, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 2 }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 3 } }; + + private final static byte[][] ip1 = + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFE, (byte) 0xFF }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 } }; + + private final static byte[][] ip2 = + { + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFC, 3 }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF }, + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 } }; + + private final static byte[][] ipintersect = + { + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFE, (byte) 0xFF }, + { (byte) 
192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF }, null }; + + private final static byte[][][] ipunion = + { + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFE, (byte) 0xFF }, + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFC, 3 } }, + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF } }, + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 }, + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 } } }; + + public String getName() + { + return "PKIXNameConstraintsTest"; + } + + public void performTest() throws Exception + { + testConstraints(GeneralName.rfc822Name, testEmail, + testEmailIsConstraint, testEmailIsNotConstraint, email1, email2, + emailunion, emailintersect); + testConstraints(GeneralName.dNSName, testDNS, testDNSIsConstraint, + testDNSIsNotConstraint, dns1, dns2, dnsunion, dnsintersect); + testConstraints(GeneralName.directoryName, testDN, testDNIsConstraint, + testDNIsNotConstraint, dn1, dn2, dnUnion, dnIntersection); + testConstraints(GeneralName.uniformResourceIdentifier, testURI, + testURIIsConstraint, testURIIsNotConstraint, uri1, uri2, uriunion, + uriintersect); + testConstraints(GeneralName.iPAddress, testIP, testIPIsConstraint, + testIPIsNotConstraint, ip1, ip2, ipunion, ipintersect); + } + + /** + * Tests string based GeneralNames for inclusion or exclusion. + * + * @param nameType The {@link GeneralName} type to test. + * @param testName The name to test. + * @param testNameIsConstraint The names where <code>testName</code> must + * be included and excluded. + * @param testNameIsNotConstraint The names where <code>testName</code> + * must not be excluded and included. + * @param testNames1 Operand 1 of test names to use for union and + * intersection testing. + * @param testNames2 Operand 2 of test names to use for union and + * intersection testing. 
+ * @param testUnion The union results. + * @param testInterSection The intersection results. + * @throws Exception If an unexpected exception occurs. + */ + private void testConstraints( + int nameType, + String testName, + String[] testNameIsConstraint, + String[] testNameIsNotConstraint, + String[] testNames1, + String[] testNames2, + String[][] testUnion, + String[] testInterSection) throws Exception + { + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNameIsConstraint[i]))); + constraintValidator.checkPermitted(new GeneralName(nameType, testName)); + } + for (int i = 0; i < testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNameIsNotConstraint[i]))); + try + { + constraintValidator.checkPermitted(new GeneralName(nameType, testName)); + fail("not permitted name allowed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNameIsConstraint[i]))); + try + { + constraintValidator.checkExcluded(new GeneralName(nameType, testName)); + fail("excluded name missed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNameIsNotConstraint[i]))); + 
constraintValidator.checkExcluded(new GeneralName(nameType, testName)); + } + for (int i = 0; i < testNames1.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNames1[i]))); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNames2[i]))); + PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator(); + for (int j = 0; j < testUnion[i].length; j++) + { + constraints2.addExcludedSubtree(new GeneralSubtree( + new GeneralName(nameType, testUnion[i][j]))); + } + if (!constraints2.equals(constraintValidator)) + { + fail("union wrong: " + nameType); + } + constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNames1[i]))); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNames2[i]))); + constraints2 = new PKIXNameConstraintValidator(); + if (testInterSection[i] != null) + { + constraints2.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testInterSection[i]))); + } + else + { + constraints2.intersectEmptyPermittedSubtree(nameType); + } + if (!constraints2.equals(constraintValidator)) + { + fail("intersection wrong: " + nameType); + } + } + } + + /** + * Tests byte array based GeneralNames for inclusion or exclusion. + * + * @param nameType The {@link GeneralName} type to test. + * @param testName The name to test. + * @param testNameIsConstraint The names where <code>testName</code> must + * be included and excluded. + * @param testNameIsNotConstraint The names where <code>testName</code> + * must not be excluded and included. + * @param testNames1 Operand 1 of test names to use for union and + * intersection testing. 
+ * @param testNames2 Operand 2 of test names to use for union and + * intersection testing. + * @param testUnion The union results. + * @param testInterSection The intersection results. + * @throws Exception If an unexpected exception occurs. + */ + private void testConstraints( + int nameType, + byte[] testName, + byte[][] testNameIsConstraint, + byte[][] testNameIsNotConstraint, + byte[][] testNames1, + byte[][] testNames2, + byte[][][] testUnion, + byte[][] testInterSection) throws Exception + { + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testNameIsConstraint[i])))); + constraintValidator.checkPermitted(new GeneralName(nameType, + new DEROctetString(testName))); + } + for (int i = 0; i < testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testNameIsNotConstraint[i])))); + try + { + constraintValidator.checkPermitted(new GeneralName(nameType, + new DEROctetString(testName))); + fail("not permitted name allowed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNameIsConstraint[i])))); + try + { + constraintValidator.checkExcluded(new GeneralName(nameType, + new DEROctetString(testName))); + fail("excluded name missed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < 
testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNameIsNotConstraint[i])))); + constraintValidator.checkExcluded(new GeneralName(nameType, + new DEROctetString(testName))); + } + for (int i = 0; i < testNames1.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNames1[i])))); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNames2[i])))); + PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator(); + for (int j = 0; j < testUnion[i].length; j++) + { + constraints2.addExcludedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testUnion[i][j])))); + } + if (!constraints2.equals(constraintValidator)) + { + fail("union wrong: " + nameType); + } + constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString(testNames1[i])))); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString(testNames2[i])))); + constraints2 = new PKIXNameConstraintValidator(); + if (testInterSection[i] != null) + { + constraints2.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testInterSection[i])))); + } + else + { + constraints2.intersectEmptyPermittedSubtree(nameType); + } + + if (!constraints2.equals(constraintValidator)) + { + fail("intersection wrong: " + nameType); + } + } + } + + public static void main(String[] args) + { + runTest(new PKIXNameConstraintsTest()); + } +} |
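Review bot: The dNSName negatives in `testDNSIsNotConstraint` are all sibling hosts (`wwww.test.com`, `ww.test.com`, `www.test.com`), so nothing pins the rule that a DNS constraint must match on whole labels rather than as a raw string suffix; the rfc822Name data already covers that boundary with `bc.test.com`, and the DNS set should carry the same vector, e.g. `{ "wwww.test.com", "ww.test.com", "www.test.com", "bc.test.com" }`. `testDNSIsConstraint` also lists `"test.com"` twice, so its third entry adds no coverage. Every `fail(...)` message in both `testConstraints` overloads reports only `nameType`; appending the loop index, as in `fail("union wrong: " + nameType + " at " + i);`, would show which vector broke. The IP vectors are IPv4-only (8-byte address plus mask), so the 32-byte IPv6 constraint form is not exercised by this file.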