Fwd: SQE test CertPath/CertPathBuilderTest failed for java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
zaiyao liu
zaiyao.liu at oracle.com
Sat Dec 21 03:10:43 UTC 2013
Hi Xuelei,
Jason is on vacation. Can you help me check it?
I think this code change will cause SQE test error.
- checkCRLs(cert, pubKey, signFlag, true,
+ checkCRLs(cert, pubKey, null, signFlag, true,
Can you give some suggestions about this change?
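Review bot: the third argument added on the + line is a bare null, and nothing at this call site says which parameter it fills or what the callee does when it is null. A short comment or a named local would make the intent reviewable. The trace in the forwarded report reaches RevocationChecker.buildToNewKey through this checkCRLs path and fails in ArrayList.get on an empty list, so the code behind this call should test the list for emptiness before indexing it instead of letting an IndexOutOfBoundsException escape from CertPathBuilder.build.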
Thanks
Kevin
-------- Original Message --------
Subject: SQE test CertPath/CertPathBuilderTest failed for
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
Date: Fri, 20 Dec 2013 12:11:21 +0800
From: zaiyao liu <zaiyao.liu at oracle.com>
Organization: Oracle Corporation
To: JASON.UH <jason.uh at oracle.com>
Hi Jason,
There are some SQE test CertPath/CertPathBuilderTest failures due to the
following error:
[2013-12-19T06:34:55.17] java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
[2013-12-19T06:34:55.17] at java.util.ArrayList.rangeCheck(ArrayList.java:638)
[2013-12-19T06:34:55.17] at java.util.ArrayList.get(ArrayList.java:414)
[2013-12-19T06:34:55.17] at java.util.Collections$UnmodifiableList.get(Collections.java:1369)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.RevocationChecker.buildToNewKey(RevocationChecker.java:1068)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.RevocationChecker.verifyWithSeparateSigningKey(RevocationChecker.java:904)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:571)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:459)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:361)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.ReverseBuilder.verifyCert(ReverseBuilder.java:443)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchReverse(SunCertPathBuilder.java:687)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.SunCertPathBuilder.buildReverse(SunCertPathBuilder.java:261)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:167)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:136)
[2013-12-19T06:34:55.17] at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
[2013-12-19T06:34:55.17] at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
[2013-12-19T06:34:55.17] at BuildCertPath.doBuild(BuildCertPath.java:395)
[2013-12-19T06:34:55.17] at BuildCertPath.main(BuildCertPath.java:137)
[2013-12-19T06:34:55.49] FAIL :
I checked, and this test has failed since http://hg.openjdk.java.net/jdk8/tl/jdk/rev/d6c4ae56c079 was submitted.
Can you help check whether I should change the SQE test to match the JDK change, or whether this is a JDK bug?
I have attached the SQE test. Please tell me if you need more information.
Thanks
Kevin
-------------- next part --------------
/*
 * @(#)BuildCertPath.java 1.1 11/22/00
 *
 * Copyright (c) 1998-2000 Sun Microsystems, Inc. All Rights Reserved.
 *
 * This software is the confidential and proprietary information of Sun
 * Microsystems, Inc. ("Confidential Information"). You shall not
 * disclose such Confidential Information and shall use it only in
 * accordance with the terms of the license agreement you entered into
 * with Sun.
 *
 * SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
 * SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
 * SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
 * THIS SOFTWARE OR ITS DERIVATIVES.
 *
 * CopyrightVersion 1.0_beta
 *
 */
import sun.security.util.Debug;
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import java.text.DateFormat;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import sun.security.provider.certpath.SunCertPathBuilderParameters;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.OIDMap;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.util.DerValue;
import sun.security.util.DerOutputStream;
import java.util.Locale;

/**
 * BuildCertPath tests the functionality of the CertPathBuilder,
 * PKIXBuilderParameters, and CertPath classes.
 *
 * Synopsis:
 * <pre>
 * BuildCertPath
 *     -verbose
 *     -lhost [ldap host name]
 *     -lport [ldap port]
 *     -ccsCert [path] certificate to go into a CollectionCertStore
 *         (can have multiple)
 *     -ccsCRL [path] CRL to go into a CollectionCertStore
 *         (can have multiple)
 *     -keystore [path] (keystore password MUST be "changeit")
 *     -trusted [path] (can have multiple)
 *     -keyAndName [ca public key] [ca DN]
 *     -target [DN]
 *     -subjectAltName [className:name] (can have multiple)
 *     -date [date]
 *     -keyUsage [keyUsage (int value)] (can have multiple)
 *     -maxLength [int]
 *     -requireExpPol
 *     -inhibitPolMap
 *     -inhibitAnyPol
 *     -acceptPolQual
 *     -initPolId [OID] (can have multiple)
 *     -minTrust [trustLevel]
 *     -enforceTop
 *     -initialUID [bits]
 *     -extKeyUsage [OID] (can have multiple)
 *     -checker [java Class name]
 *     -disableRev
 *     -buildReverse
 *     -sigProvider [provider]
 * </pre>
 * Note: the initial trusted certificate has to be a self-signed
 * certificate (to get the initial CA's public key and name)
 *
 * @version 1.1 11/22/00
 * @since 1.4
 * @author Sean Mullan
 * @author Yassir Elley
 * @see CertPathBuilder
 * @see PKIXBuilderParameters
 */
public final class BuildCertPath {

    private static final Debug debug = Debug.getInstance("certpath");

    static {
        try {
            OIDMap.addAttribute("TrustRatingsExtension",
                                "1.3.6.1.4.1.42.2.31.2.1",
                                Class.forName("TrustRatingsExtension"));
            //Class.forName("x509.info.extensions." + TrustRatingsExtension.NAME));
        } catch (CertificateException ce) {
            if (debug != null)
                debug.println("BuildCertPath static init OIDMap.addAttribute() exception: "+ ce.getMessage());
        } catch (Exception e) {
            if (debug != null) {
                debug.println("BuildCertPath static init unexpected exception");
                e.printStackTrace();
            }
        }
    }

    //XXX It is public so that callers of parseArgs can
    //XXX find out if -verbose option was set.
    public static boolean verbose = false;

    public static void main(String[] args) {
        try {
            PKIXBuilderParameters buildParams = parseArgs(args, null, null);
            doBuild(buildParams, verbose);
        } catch (Exception e) {
            System.out.println("BuildCertPath error: " + e);
            e.printStackTrace();
            System.exit(1);
        }
    }

    public static PKIXBuilderParameters parseArgs(String[] args,
                                                  String certDir,
                                                  String keyDir)
        throws Exception
    {
        Arguments argList = null;
        SunCertPathBuilderParameters buildParams = null;
        String caName = null;
        Vector collectionCerts = new Vector();
        boolean enforceTop = false;
        Set extKeyUsageOIDs = new HashSet();
        Set initPolIds = new HashSet();
        String ldapHost = null;
        int ldapPort = 389;
        int minTrust = 0;
        PublicKey pubKey = null;
        Vector storeList = new Vector();
        X509CertSelector targetSel = new X509CertSelector();
        Set trustAnchors = new HashSet(Collections.singleton(new TrustAnchor("cn=sean", new PublicKey () {
            public String getAlgorithm() { return "bogus"; }
            public byte[] getEncoded() { return null; }
            public String getFormat() { return null; } }, null)));
        buildParams = new SunCertPathBuilderParameters(trustAnchors, null);
        trustAnchors.clear();
        argList = new Arguments(args);

        /* check if keystore option was specified */
        while (argList.hasMoreElements()) {
            String option = "";
            try {
                option = argList.getArgLower();
                if (option.equals("-keystore")) {
                    FileInputStream fis = new FileInputStream(argList.getParameter());
                    KeyStore ks = KeyStore.getInstance("jks");
                    ks.load(fis, "changeit".toCharArray());
                    buildParams = new SunCertPathBuilderParameters(ks, null);
                    break;
                }
            } catch (IllegalArgumentException ex) {
                if (debug != null) {
                    debug.println("BuildCertPath.parseArgs exception while" +
                                  " looking for -keystore; option: " + option +
                                  ": " + ex.getMessage());
                    ex.printStackTrace();
                }
                throw ex;
            }
        }

        String option = "";
        try {
            /* parse command line arguments into parameter instance */
            argList = new Arguments(args);
            while (argList.hasMoreElements()) {
                option = argList.getFlagLower();
                if (option.equals("-disablerev")) {
                    buildParams.setRevocationEnabled(false);
                } else if (option.equals("-buildreverse")) {
                    buildParams.setBuildForward(false);
                } else if (option.equals("-requireexppol")) {
                    buildParams.setExplicitPolicyRequired(true);
                } else if (option.equals("-inhibitpolmap")) {
                    buildParams.setPolicyMappingInhibited(true);
                } else if (option.equals("-inhibitanypol")) {
                    buildParams.setAnyPolicyInhibited(true);
                } else if (option.equals("-acceptpolqual")){
                    buildParams.setPolicyQualifiersRejected(false);
                } else if (option.equals("-maxlength")) {
                    buildParams.setMaxPathLength(Integer.parseInt(argList.getParameter()));
                } else if (option.equals("-target")) {
                    targetSel.setSubject(argList.getParameter());
                } else if (option.equals("-subjectaltname")) {
                    String saName = argList.getParameter();
                    TypedName tn = new TypedName(saName);
                    GeneralNameInterface gni = tn.getGeneralNameInterface();
                    DerOutputStream tmp = new DerOutputStream();
                    gni.encode(tmp);
                    targetSel.addSubjectAlternativeName(tn.getType(),
                                                        tmp.toByteArray());
                } else if (option.equals("-date")) {
                    buildParams.setDate(
                        DateFormat.getDateInstance(
                            DateFormat.SHORT, Locale.US).parse(argList.getParameter()));
                } else if (option.equals("-keyandname")) {
                    String keyFile = null;
                    if (keyDir != null) {
                        keyFile = keyDir + System.getProperty("file.separator")
                            + argList.getParameter();
                    } else
                        keyFile = argList.getParameter();
                    pubKey = TestData.getKeyFromFile(keyFile);
                    caName = argList.getParameter();
                } else if (option.equals("-sigprovider")) {
                    buildParams.setSigProvider(argList.getParameter());
                } else if (option.equals("-trusted")) {
                    String certFile = null;
                    if (certDir != null) {
                        certFile = certDir + System.getProperty("file.separator")
                            + argList.getParameter();
                    } else
                        certFile = argList.getParameter();
                    X509Certificate cert = TestData.getCertFromFile(certFile);
                    if (debug != null)
                        debug.println("PubKey format: " + cert.getPublicKey().getFormat());
                    trustAnchors.add(new TrustAnchor(cert, null));
                } else if (option.equals("-initpolid")) {
                    initPolIds.add(argList.getParameter());
                } else if (option.equals("-mintrust")) {
                    minTrust = Integer.parseInt(argList.getParameter());
                } else if (option.equals("-enforcetop")) {
                    enforceTop = true;
                } else if (option.equals("-keyusage")) {
                    boolean[] keyUsage = new boolean[9];
                    keyUsage[Integer.parseInt(argList.getParameter())] = true;
                    targetSel.setKeyUsage(keyUsage);
                } else if (option.equals("-initialuid")) {
                    String bitString = argList.getParameter();
                    boolean[] bitSet = new boolean[bitString.length()];
                    for (int x = 0; x < bitString.length(); x++) {
                        switch (bitString.charAt(x)) {
                        case '0':
                            bitSet[x] = false;
                            break;
                        case '1':
                            bitSet[x] = true;
                            break;
                        default:
                            printUsage();
                        }
                    }
                    //uniqueID = bitSet;
                } else if (option.equals("-lhost")) {
                    String host = argList.getParameter();
                    if (host.equals("null"))
                        ldapHost = null;
                    else
                        ldapHost = host;
                } else if (option.equals("-lport")) {
                    try { ldapPort = Integer.parseInt(argList.getParameter()); }
                    catch (Exception e) { printUsage(); }
                } else if (option.equals("-extkeyusage")) {
                    extKeyUsageOIDs.add(argList.getParameter());
                } else if (option.equals("-ccscert")) {
                    collectionCerts.add(TestData.getCertFromFile(argList.getParameter()));
                } else if (option.equals("-ccscrl")) {
                    collectionCerts.add(TestData.getCRLFromFile(argList.getParameter()));
                } else if (option.equals("-verbose")) {
                    verbose = true;
                } else if (option.equals("-keystore")) {
                    /* already parsed this option so just ignore and continue */
                    String foo = argList.getParameter();
                    continue;
                } else printUsage();
            }
        } catch (Exception e) {
            if (debug != null) {
                debug.println("BuildCertPath.parseArgs exception while" +
                              " parsing option: " + option + ": " +
                              e.getMessage());
                e.printStackTrace();
            }
            throw new GeneralSecurityException("Problem parsing option: " +
                                               option + ": " + e.getMessage());
        }

        String initWhat = "";
        try {
            initWhat = "setting trusted certs";
            if (!trustAnchors.isEmpty())
                buildParams.setTrustAnchors(trustAnchors);

            initWhat = "setting CA name and public key";
            if (caName != null) {
                buildParams.setTrustAnchors(Collections.singleton
                    (new TrustAnchor(caName, pubKey, null)));
            }

            initWhat = "setting initial policies";
            if (!initPolIds.isEmpty())
                buildParams.setInitialPolicies(initPolIds);

            initWhat = "setting extended key usage";
            if (!extKeyUsageOIDs.isEmpty())
                targetSel.setExtendedKeyUsage(extKeyUsageOIDs);

            initWhat = "setting trust level";
            if (minTrust > 0 || enforceTop) {
                SampleChecker ic = new SampleChecker(minTrust, targetSel.getSubjectAsString());
                if (!enforceTop)
                    ic.setTopologyChecking(false);
                buildParams.addCertPathChecker(ic);
            }

            initWhat = "testing SunCertPathProvider and services";
            // Test that we can find provider and services
            // Dynamically add provider so that the JRE java.security file does not have to be modified
            //Security.addProvider(new sun.security.provider.certpath.SunCertPathProvider());
            //Provider p = Security.getProvider("SunCertPath");

            initWhat = "creating collection certstore";
            //Create certstores
            if (collectionCerts.size() > 0) {
                CollectionCertStoreParameters params = new
                    CollectionCertStoreParameters(collectionCerts);
                CertStore store = CertStore.getInstance("Collection", params);
                storeList.add(store);
            }

            initWhat = "creating LDAP certstore";
            if (ldapHost != null) {
                /* create LDAPCertStore */
                CertStore store = CertStore.getInstance("LDAP",
                    new LDAPCertStoreParameters(ldapHost, ldapPort));
                /* Test RFC attribute is set correctly for LDAP algorithm */
                String rfc = (String) store.getProvider().get("CertStore.LDAP LDAPSchema");
                storeList.add(store);
            }

            initWhat = "setting cert stores";
            if (storeList.size() > 0)
                buildParams.setCertStores(storeList);

            initWhat = "setting target constraints";
            buildParams.setTargetCertConstraints(targetSel);
        } catch (Exception e) {
            if (debug != null) {
                debug.println("BuildCertPath.parseArgs exception: " + e.getMessage());
                e.printStackTrace();
            }
            throw new GeneralSecurityException("problem " + initWhat + ": " + e.getMessage());
        }
        return buildParams;
    }

    public static void doBuild(PKIXBuilderParameters buildParams, boolean verbose) throws GeneralSecurityException {
        PKIXCertPathBuilderResult buildResult = null;
        try {
            if (debug != null)
                debug.println("BuildCertPath.doBuild() about to get provider");
            /* test PKIX certpath builder */
            CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
            /* Test RFC attribute is set correctly for PKIX algorithm */
            String rfc = (String) cpb.getProvider().get("CertPathBuilder.PKIX ValidationAlgorithm");
            buildResult = (PKIXCertPathBuilderResult) cpb.build(buildParams);
            TrustAnchor trustAnchor = (TrustAnchor) buildResult.getTrustAnchor();
            //System.out.println("BuildCertPath: trustAnchor = " + trustAnchor);
            List certificates = buildResult.getCertPath().getCertificates();
            //displayCertPath(certificates, verbose);
            // System.out.println("BuildCertPath: policyTree: " +
            // buildResult.getPolicyTree());
        } catch (GeneralSecurityException e) {
            System.out.println("PATH BUILD FAILED");
            throw e;
        }
        System.out.println("PATH BUILD SUCCEEDED");

        /* Run chain through validator to validate build algorithm */
        try {
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            cpv.validate(buildResult.getCertPath(), buildParams);
        } catch (GeneralSecurityException e) {
            System.out.println("PATH VALIDATION FAILED");
            throw e;
        }
        System.out.println("PATH VALIDATION SUCCEEDED");
    }

    private static void displayCertPath(List certificates, boolean verbose)
        throws CertificateException {
        for (int i = 0; i < certificates.size(); i++) {
            X509CertImpl c = (X509CertImpl) certificates.get(i);
            System.out.println("-------------------------------------------");
            System.out.println("BuildCertPath: certificate# " + (i+1));
            if (verbose) {
                System.out.println(c);
            } else {
                System.out.println("BuildCertPath: topology = " + (new CertTopology(c)));
                System.out.println("BuildCertPath: issuer = " + c.getIssuerDN());
                System.out.println("BuildCertPath: subject = " + c.getSubjectDN());
            }
        }
    }

    private static void printUsage() {
        StringBuffer sb = new StringBuffer();
        sb.append("Usage: BuildCertPath\n");
        sb.append(" -verbose : enables verbose output\n");
        sb.append(" -lhost <ldap host name> : the ldap host\n");
        sb.append(" -lport <ldap port> : port that the ldap host is using (default: 389)\n");
        sb.append(" -ccsCert <path> : certificate to go into a CollectionCertStore\n");
        sb.append(" -ccsCRL <path> : CRL to go into a CollectionCertStore\n");
        sb.append(" -keystore <path> : keystore holding trusted certs\n");
        sb.append(" : password MUST be \"changeit\"\n");
        sb.append(" -trusted <path> : trust anchor certificate\n");
        sb.append(" -keyAndName <pubkey> <DN> : CA trusted public key and issuer name\n");
        sb.append(" -target <DN> : target distinguished name\n\n");
        sb.append(" -subjectAltName <type:name> : subject alternative name\n");
        sb.append(" -date <date> : check validity as of (default: now)\n");
        sb.append(" -keyUsage <integer> : keyUsage bit\n");
        sb.append(" -maxLength <integer> : max path length\n");
        sb.append(" -requireExpPol : set require explicit policy\n");
        sb.append(" -inhibitPolMap : set inhibit policy mapping\n");
        sb.append(" -inhibitAnyPol : set inhibit any policy\n");
        sb.append(" -acceptPolQual : set accept policy qualifiers\n");
        sb.append(" -initPolID : required policy identifier\n");
        sb.append(" -minTrust <integer> : minimum acceptable trust rating\n");
        sb.append(" -enforceTop : enforce topology rules\n");
        sb.append(" -initialUID <bitstring> : set initial UID\n");
        sb.append(" -extKeyUsage <OID> : extended key usage\n");
        sb.append(" -checker <java Class name> : certpath checker class\n");
        sb.append(" -disableRev : disable revocation checking\n");
        sb.append(" -buildReverse : build the certpath from the trusted cert to the target subject\n");
        sb.append(" -sigProvider <path> : signature provider\n");
        sb.append("The -target AND (-trusted OR -keyAndName) options must be specified.\n");
        // The list below names the repeatable options; -initPolID was missing its leading dash.
        sb.append("The -ccsCert, -ccsCRL, -trusted, -subjectAltName, -checker, -extKeyUsage, -initPolID, and\n");
        sb.append("-keyUsage options can be specified more than once.\n");
        System.out.println(sb.toString());
        System.exit(1);
    }
}