
test/jdk/sun/security/lib/cacerts/VerifyCACerts.java


299             // Valid until: Sat May 30 10:38:31 GMT 2020
300             add("addtrustexternalca [jdk]");
301             // Valid until: Sat May 30 10:44:50 GMT 2020
302             add("addtrustqualifiedca [jdk]");
303             // Valid until: Wed Mar 17 02:51:37 PDT 2021
304             add("luxtrustglobalrootca [jdk]");
305             // Valid until: Wed Mar 17 11:33:33 PDT 2021
306             add("quovadisrootca [jdk]");
307             // Valid until: Sat May 21 04:00:00 GMT 2022
308             add("geotrustglobalca [jdk]");
309         }
310     };
311 
312     // Ninety days in milliseconds
313     private static final long NINETY_DAYS = 7776000000L;
314 
315     private static boolean atLeastOneFailed = false;
316 
317     private static MessageDigest md;
318 


319     public static void main(String[] args) throws Exception {
320         System.out.println("cacerts file: " + CACERTS);


321 
322         // verify integrity of cacerts
323         md = MessageDigest.getInstance("SHA-256");
324         byte[] data = Files.readAllBytes(Path.of(CACERTS));



325         String checksum = HEX.formatHex(md.digest(data));
326         if (!checksum.equals(CHECKSUM)) {
327             atLeastOneFailed = true;
328             System.err.println("ERROR: wrong checksum " + checksum);
329             System.err.println("Expected checksum " + CHECKSUM);
330         }

331 
332         KeyStore ks = KeyStore.getInstance("JKS");
333         ks.load(new ByteArrayInputStream(data), "changeit".toCharArray());
334 
335         // check the count of certs inside
336         if (ks.size() != COUNT) {
337             atLeastOneFailed = true;
338             System.err.println("ERROR: " + ks.size() + " entries, should be "
339                     + COUNT);
340         }
341 
342         System.out.println("Trusted CA Certificate count: " + ks.size());
343 
344         // also ensure FINGERPRINT_MAP lists correct count
345         if (FINGERPRINT_MAP.size() != COUNT) {
346             atLeastOneFailed = true;
347             System.err.println("ERROR: " + FINGERPRINT_MAP.size()
348                     + " FINGERPRINT_MAP entries, should be " + COUNT);
349         }
350 
351         // check that all entries in the map are in the keystore
352         for (String alias : FINGERPRINT_MAP.keySet()) {
353             if (!ks.isCertificateEntry(alias)) {
354                 atLeastOneFailed = true;
355                 System.err.println("ERROR: " + alias + " is not in cacerts");
356             }
357         }
358 
359         // pull all the trusted self-signed CA certs out of the cacerts file
360         // and verify their signatures
361         Enumeration<String> aliases = ks.aliases();
362         while (aliases.hasMoreElements()) {
363             String alias = aliases.nextElement();
364             System.out.println("Verifying " + alias);
365 
366             // Is cert trusted?
367             if (!ks.isCertificateEntry(alias)) {
368                 atLeastOneFailed = true;

299             // Valid until: Sat May 30 10:38:31 GMT 2020
300             add("addtrustexternalca [jdk]");
301             // Valid until: Sat May 30 10:44:50 GMT 2020
302             add("addtrustqualifiedca [jdk]");
303             // Valid until: Wed Mar 17 02:51:37 PDT 2021
304             add("luxtrustglobalrootca [jdk]");
305             // Valid until: Wed Mar 17 11:33:33 PDT 2021
306             add("quovadisrootca [jdk]");
307             // Valid until: Sat May 21 04:00:00 GMT 2022
308             add("geotrustglobalca [jdk]");
309         }
310     };
311 
312     // Ninety days in milliseconds
313     private static final long NINETY_DAYS = 7776000000L;
314 
315     private static boolean atLeastOneFailed = false;
316 
317     private static MessageDigest md;
318 
319     private static final int OVERALL_CA_CERT_COUNT = COUNT + AmazonCACertConstants.AMAZON_CA_CERT_COUNT;
320 
321     public static void main(String[] args) throws Exception {
322         System.out.println("cacerts file: " + CACERTS);
323         FINGERPRINT_MAP.putAll(AmazonCACertConstants.AMAZON_CA_FINGERPRINT_MAP);
324         EXPIRY_EXC_ENTRIES.addAll(AmazonCACertConstants.AMAZON_CA_EXPIRY_EXC_ENTRIES);
325 
326         // verify integrity of cacerts
327         md = MessageDigest.getInstance("SHA-256");
328         byte[] data = Files.readAllBytes(Path.of(CACERTS));
329         /* Ignore whole-file checksum as the checksum of the cacerts 
330          * file changes with each build, due to the way we merge upstream 
331          * OpenJDK certs and Amazon Linux certs at build time.
332         String checksum = HEX.formatHex(md.digest(data));
333         if (!checksum.equals(CHECKSUM)) {
334             atLeastOneFailed = true;
335             System.err.println("ERROR: wrong checksum " + checksum);
336             System.err.println("Expected checksum " + CHECKSUM);
337         }
338         */
339 
340         KeyStore ks = KeyStore.getInstance("JKS");
341         ks.load(new ByteArrayInputStream(data), "changeit".toCharArray());
342 
343         // check the count of certs inside
344         if (ks.size() != OVERALL_CA_CERT_COUNT) {
345             atLeastOneFailed = true;
346             System.err.println("ERROR: " + ks.size() + " entries, should be "
347                     + OVERALL_CA_CERT_COUNT);
348         }
349 
350         System.out.println("Trusted CA Certificate count: " + ks.size());
351 
352         // also ensure FINGERPRINT_MAP lists correct count
353         if (FINGERPRINT_MAP.size() != OVERALL_CA_CERT_COUNT) {
354             atLeastOneFailed = true;
355             System.err.println("ERROR: " + FINGERPRINT_MAP.size()
356                     + " FINGERPRINT_MAP entries, should be " + OVERALL_CA_CERT_COUNT);
357         }
358 
359         // check that all entries in the map are in the keystore
360         for (String alias : FINGERPRINT_MAP.keySet()) {
361             if (!ks.isCertificateEntry(alias)) {
362                 atLeastOneFailed = true;
363                 System.err.println("ERROR: " + alias + " is not in cacerts");
364             }
365         }
366 
367         // pull all the trusted self-signed CA certs out of the cacerts file
368         // and verify their signatures
369         Enumeration<String> aliases = ks.aliases();
370         while (aliases.hasMoreElements()) {
371             String alias = aliases.nextElement();
372             System.out.println("Verifying " + alias);
373 
374             // Is cert trusted?
375             if (!ks.isCertificateEntry(alias)) {
376                 atLeastOneFailed = true;
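Review bot: With the whole-file SHA-256 check disabled (new lines 329-338), the only integrity evidence for the merged cacerts is the entry count plus the per-alias checks that follow, so the `FINGERPRINT_MAP.putAll(...)` on new line 323 should not be allowed to silently overwrite an upstream entry: a duplicate alias in the Amazon map would replace the upstream fingerprint and the only symptom would be an off-by-one from the size comparison on line 353, which does not name the cause. I would check for alias collisions before merging, as below. The commented-out checksum block should also be deleted rather than left in place, with the rationale kept as a one-line comment such as `// No whole-file checksum: the merged cacerts differs per build (upstream + Amazon Linux certs).`; if `CHECKSUM` is now unused elsewhere in the file it becomes dead as well, though that is outside this hunk. The `md` digest of `data` is no longer used here; whether `md` is still needed by the per-certificate fingerprint code later in main cannot be seen from this hunk, which ends before main does.
```java
        // Refuse a merge that would silently replace an upstream fingerprint.
        for (String alias : AmazonCACertConstants.AMAZON_CA_FINGERPRINT_MAP.keySet()) {
            if (FINGERPRINT_MAP.containsKey(alias)) {
                atLeastOneFailed = true;
                System.err.println("ERROR: alias " + alias
                        + " defined by both upstream and Amazon fingerprint maps");
            }
        }
        FINGERPRINT_MAP.putAll(AmazonCACertConstants.AMAZON_CA_FINGERPRINT_MAP);
        // … unchanged: EXPIRY_EXC_ENTRIES merge, keystore load, count checks …
```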