Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java')
-rw-r--r--bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java452
1 files changed, 452 insertions, 0 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
new file mode 100644
index 0000000..df8e8b5
--- /dev/null
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java
@@ -0,0 +1,452 @@
+package org.bouncycastle.jce.provider.test;
+
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralSubtree;
+import org.bouncycastle.jce.provider.PKIXNameConstraintValidator;
+import org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException;
+import org.bouncycastle.util.test.SimpleTest;
+
+/**
+ * Test class for {@link PKIXNameConstraintValidator}.
+ * <p>
+ * The field testXYZ is the name to test.
+ * <p>
+ * The field testXYZIsConstraint must be tested if it is permitted and excluded.
+ * <p>
+ * The field testXYZIsNotConstraint must be tested if it is not permitted and
+ * not excluded.
+ * <p>
+ * Furthermore there are tests for the intersection and union of test names.
+ *
+ */
+public class PKIXNameConstraintsTest
+ extends SimpleTest
+{
+
+ private final static String testEmail = "test@abc.test.com";
+
+ private final static String testEmailIsConstraint[] =
+ { "test@abc.test.com", "abc.test.com", ".test.com" };
+
+ private final static String testEmailIsNotConstraint[] =
+ { ".abc.test.com", "www.test.com", "test1@abc.test.com", "bc.test.com" };
+
+ private final static String email1[] =
+ { "test@test.com", "test@test.com", "test@test.com", "test@abc.test.com",
+ "test@test.com", "test@test.com", ".test.com", ".test.com",
+ ".test.com", ".test.com", "test.com", "abc.test.com",
+ "abc.test1.com", "test.com", "test.com", ".test.com" };
+
+ private final static String email2[] =
+ { "test@test.abc.com", "test@test.com", ".test.com", ".test.com",
+ "test.com", "test1.com", "test@test.com", ".test.com",
+ ".test1.com", "test.com", "test.com", ".test.com", ".test.com",
+ "test1.com", ".test.com", "abc.test.com" };
+
+ private final static String emailintersect[] =
+ { null, "test@test.com", null, "test@abc.test.com", "test@test.com", null,
+ null, ".test.com", null, null, "test.com", "abc.test.com", null,
+ null, null, "abc.test.com" };
+
+ private final static String emailunion[][] =
+ {
+ { "test@test.com", "test@test.abc.com" },
+ { "test@test.com" },
+ { "test@test.com", ".test.com" },
+ { ".test.com" },
+ { "test.com" },
+ { "test@test.com", "test1.com" },
+ { ".test.com", "test@test.com" },
+ { ".test.com" },
+ { ".test.com", ".test1.com" },
+ { ".test.com", "test.com" },
+ { "test.com" },
+ { ".test.com" },
+ { ".test.com", "abc.test1.com" },
+ { "test1.com", "test.com" },
+ { ".test.com", "test.com" },
+ { ".test.com" } };
+
+ private final static String[] dn1 =
+ { "O=test org, OU=test org unit, CN=John Doe" };
+
+ private final static String[] dn2 =
+ { "O=test org, OU=test org unit" };
+
+ private final static String[][] dnUnion =
+ {
+ { "O=test org, OU=test org unit" } };
+
+ private final static String[] dnIntersection =
+ { "O=test org, OU=test org unit, CN=John Doe" };
+
+ private final static String testDN = "O=test org, OU=test org unit, CN=John Doe";
+
+ private final static String testDNIsConstraint[] =
+ { "O=test org, OU=test org unit",
+ "O=test org, OU=test org unit, CN=John Doe" };
+
+ private final static String testDNIsNotConstraint[] =
+ { "O=test org, OU=test org unit, CN=John Doe2",
+ "O=test org, OU=test org unit2",
+ "OU=test org unit, O=test org, CN=John Doe",
+ "O=test org, OU=test org unit, CN=John Doe, L=USA" };
+
+ private final static String testDNS = "abc.test.com";
+
+ private final static String testDNSIsConstraint[] =
+ { "test.com", "abc.test.com", "test.com" };
+
+ private final static String testDNSIsNotConstraint[] =
+ { "wwww.test.com", "ww.test.com", "www.test.com" };
+
+ private final static String dns1[] =
+ { "www.test.de", "www.test1.de", "www.test.de" };
+
+ private final static String dns2[] =
+ { "test.de", "www.test.de", "www.test.de" };
+
+ private final static String dnsintersect[] =
+ { "www.test.de", null, null };
+
+ private final static String dnsunion[][] =
+ {
+ { "test.de" },
+ { "www.test1.de", "www.test.de" },
+ { "www.test.de" } };
+
+ private final static String testURI = "http://karsten:password@abc.test.com:8080";
+
+ private final static String testURIIsConstraint[] =
+ { "abc.test.com", ".test.com" };
+
+ private final static String testURIIsNotConstraint[] =
+ { "xyz.test.com", ".abc.test.com" };
+
+ private final static String uri1[] =
+ { "www.test.de", ".test.de", "test1.de", ".test.de" };
+
+ private final static String uri2[] =
+ { "test.de", "www.test.de", "test1.de", ".test.de" };
+
+ private final static String uriintersect[] =
+ { null, "www.test.de", "test1.de", ".test.de" };
+
+ private final static String uriunion[][] =
+ {
+ { "www.test.de", "test.de" },
+ { ".test.de" },
+ { "test1.de" },
+ { ".test.de" } };
+
+ private final static byte[] testIP =
+
+ { (byte) 192, (byte) 168, 1, 2 };
+
+ private final static byte[][] testIPIsConstraint =
+ {
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0 },
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 4 } };
+
+ private final static byte[][] testIPIsNotConstraint =
+ {
+ { (byte) 192, (byte) 168, 3, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 2 },
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 3 } };
+
+ private final static byte[][] ip1 =
+ {
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFE, (byte) 0xFF },
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF },
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0x00 } };
+
+ private final static byte[][] ip2 =
+ {
+ { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFC, 3 },
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF },
+ { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0x00 } };
+
+ private final static byte[][] ipintersect =
+ {
+ { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFE, (byte) 0xFF },
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF }, null };
+
+ private final static byte[][][] ipunion =
+ {
+ {
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFE, (byte) 0xFF },
+ { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFC, 3 } },
+ {
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF } },
+ {
+ { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0x00 },
+ { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0x00 } } };
+
+ public String getName()
+ {
+ return "PKIXNameConstraintsTest";
+ }
+
+ public void performTest() throws Exception
+ {
+ testConstraints(GeneralName.rfc822Name, testEmail,
+ testEmailIsConstraint, testEmailIsNotConstraint, email1, email2,
+ emailunion, emailintersect);
+ testConstraints(GeneralName.dNSName, testDNS, testDNSIsConstraint,
+ testDNSIsNotConstraint, dns1, dns2, dnsunion, dnsintersect);
+ testConstraints(GeneralName.directoryName, testDN, testDNIsConstraint,
+ testDNIsNotConstraint, dn1, dn2, dnUnion, dnIntersection);
+ testConstraints(GeneralName.uniformResourceIdentifier, testURI,
+ testURIIsConstraint, testURIIsNotConstraint, uri1, uri2, uriunion,
+ uriintersect);
+ testConstraints(GeneralName.iPAddress, testIP, testIPIsConstraint,
+ testIPIsNotConstraint, ip1, ip2, ipunion, ipintersect);
+ }
+
+ /**
+ * Tests string based GeneralNames for inclusion or exclusion.
+ *
+ * @param nameType The {@link GeneralName} type to test.
+ * @param testName The name to test.
+ * @param testNameIsConstraint The names where <code>testName</code> must
+ * be included and excluded.
+ * @param testNameIsNotConstraint The names where <code>testName</code>
+ * must not be excluded and included.
+ * @param testNames1 Operand 1 of test names to use for union and
+ * intersection testing.
+ * @param testNames2 Operand 2 of test names to use for union and
+ * intersection testing.
+ * @param testUnion The union results.
+ * @param testInterSection The intersection results.
+ * @throws Exception If an unexpected exception occurs.
+ */
+ private void testConstraints(
+ int nameType,
+ String testName,
+ String[] testNameIsConstraint,
+ String[] testNameIsNotConstraint,
+ String[] testNames1,
+ String[] testNames2,
+ String[][] testUnion,
+ String[] testInterSection) throws Exception
+ {
+ for (int i = 0; i < testNameIsConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, testNameIsConstraint[i])));
+ constraintValidator.checkPermitted(new GeneralName(nameType, testName));
+ }
+ for (int i = 0; i < testNameIsNotConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, testNameIsNotConstraint[i])));
+ try
+ {
+ constraintValidator.checkPermitted(new GeneralName(nameType, testName));
+ fail("not permitted name allowed: " + nameType);
+ }
+ catch (PKIXNameConstraintValidatorException e)
+ {
+ // expected
+ }
+ }
+ for (int i = 0; i < testNameIsConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, testNameIsConstraint[i])));
+ try
+ {
+ constraintValidator.checkExcluded(new GeneralName(nameType, testName));
+ fail("excluded name missed: " + nameType);
+ }
+ catch (PKIXNameConstraintValidatorException e)
+ {
+ // expected
+ }
+ }
+ for (int i = 0; i < testNameIsNotConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, testNameIsNotConstraint[i])));
+ constraintValidator.checkExcluded(new GeneralName(nameType, testName));
+ }
+ for (int i = 0; i < testNames1.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, testNames1[i])));
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, testNames2[i])));
+ PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator();
+ for (int j = 0; j < testUnion[i].length; j++)
+ {
+ constraints2.addExcludedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, testUnion[i][j])));
+ }
+ if (!constraints2.equals(constraintValidator))
+ {
+ fail("union wrong: " + nameType);
+ }
+ constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, testNames1[i])));
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, testNames2[i])));
+ constraints2 = new PKIXNameConstraintValidator();
+ if (testInterSection[i] != null)
+ {
+ constraints2.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, testInterSection[i])));
+ }
+ else
+ {
+ constraints2.intersectEmptyPermittedSubtree(nameType);
+ }
+ if (!constraints2.equals(constraintValidator))
+ {
+ fail("intersection wrong: " + nameType);
+ }
+ }
+ }
+
+ /**
+ * Tests byte array based GeneralNames for inclusion or exclusion.
+ *
+ * @param nameType The {@link GeneralName} type to test.
+ * @param testName The name to test.
+ * @param testNameIsConstraint The names where <code>testName</code> must
+ * be included and excluded.
+ * @param testNameIsNotConstraint The names where <code>testName</code>
+ * must not be excluded and included.
+ * @param testNames1 Operand 1 of test names to use for union and
+ * intersection testing.
+ * @param testNames2 Operand 2 of test names to use for union and
+ * intersection testing.
+ * @param testUnion The union results.
+ * @param testInterSection The intersection results.
+ * @throws Exception If an unexpected exception occurs.
+ */
+ private void testConstraints(
+ int nameType,
+ byte[] testName,
+ byte[][] testNameIsConstraint,
+ byte[][] testNameIsNotConstraint,
+ byte[][] testNames1,
+ byte[][] testNames2,
+ byte[][][] testUnion,
+ byte[][] testInterSection) throws Exception
+ {
+ for (int i = 0; i < testNameIsConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, new DEROctetString(
+ testNameIsConstraint[i]))));
+ constraintValidator.checkPermitted(new GeneralName(nameType,
+ new DEROctetString(testName)));
+ }
+ for (int i = 0; i < testNameIsNotConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, new DEROctetString(
+ testNameIsNotConstraint[i]))));
+ try
+ {
+ constraintValidator.checkPermitted(new GeneralName(nameType,
+ new DEROctetString(testName)));
+ fail("not permitted name allowed: " + nameType);
+ }
+ catch (PKIXNameConstraintValidatorException e)
+ {
+ // expected
+ }
+ }
+ for (int i = 0; i < testNameIsConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, new DEROctetString(testNameIsConstraint[i]))));
+ try
+ {
+ constraintValidator.checkExcluded(new GeneralName(nameType,
+ new DEROctetString(testName)));
+ fail("excluded name missed: " + nameType);
+ }
+ catch (PKIXNameConstraintValidatorException e)
+ {
+ // expected
+ }
+ }
+ for (int i = 0; i < testNameIsNotConstraint.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, new DEROctetString(testNameIsNotConstraint[i]))));
+ constraintValidator.checkExcluded(new GeneralName(nameType,
+ new DEROctetString(testName)));
+ }
+ for (int i = 0; i < testNames1.length; i++)
+ {
+ PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, new DEROctetString(testNames1[i]))));
+ constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName(
+ nameType, new DEROctetString(testNames2[i]))));
+ PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator();
+ for (int j = 0; j < testUnion[i].length; j++)
+ {
+ constraints2.addExcludedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, new DEROctetString(
+ testUnion[i][j]))));
+ }
+ if (!constraints2.equals(constraintValidator))
+ {
+ fail("union wrong: " + nameType);
+ }
+ constraintValidator = new PKIXNameConstraintValidator();
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, new DEROctetString(testNames1[i]))));
+ constraintValidator.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, new DEROctetString(testNames2[i]))));
+ constraints2 = new PKIXNameConstraintValidator();
+ if (testInterSection[i] != null)
+ {
+ constraints2.intersectPermittedSubtree(new GeneralSubtree(
+ new GeneralName(nameType, new DEROctetString(
+ testInterSection[i]))));
+ }
+ else
+ {
+ constraints2.intersectEmptyPermittedSubtree(nameType);
+ }
+
+ if (!constraints2.equals(constraintValidator))
+ {
+ fail("intersection wrong: " + nameType);
+ }
+ }
+ }
+
+ public static void main(String[] args)
+ {
+ runTest(new PKIXNameConstraintsTest());
+ }
+}
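Review bot: Every `fail(...)` call in both `testConstraints` overloads reports only `nameType`, so when a permitted or excluded check regresses, the output does not say which constraint entry was wrongly accepted or rejected; adding the loop index and, in the String overload, the value would fix that, e.g. `fail("not permitted name allowed: " + nameType + " [" + i + "] " + testNameIsNotConstraint[i]);`. In `testDNSIsConstraint` the third entry repeats `"test.com"`, so that case runs twice, and if a different form was intended there it is currently not covered. The `iPAddress` vectors are all 8-octet IPv4 address/mask pairs, so nothing in this file exercises the 32-octet IPv6 constraint form; whether another test covers it is not visible here. The union/intersection loops index `testNames2`, `testUnion` and `testInterSection` by `testNames1.length` without checking that the arrays have equal length, so a mismatched vector would surface as an `ArrayIndexOutOfBoundsException` rather than a named test failure.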