8308592: Framework for CA interoperability testing

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java

@@ -42,22 +42,12 @@
  */
 
 public class ActalisCA {
-     private static final String VALID = "https://ssltest-active.actalis.it/";
-     private static final String REVOKED = "https://ssltest-revoked.actalis.it/";
-     private static final String CA_ALIAS = "actalisauthenticationrootca [jdk]";
+    public static void main(String[] args) throws Exception {
+        CAInterop caInterop = new CAInterop(args[0]);
 
-     public static void main(String[] args) throws Exception {
-
-         if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
-             ValidatePathWithURL.enableCRLOnly();
-         } else {
-             // OCSP check by default
-             ValidatePathWithURL.enableOCSPOnly();
-         }
-
-         ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-         validatePathWithURL.validateDomain(VALID, false);
-         validatePathWithURL.validateDomain(REVOKED, true);
-     }
-}
+        // CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
+        caInterop.validate("actalisauthenticationrootca [jdk]",
+                "https://ssltest-active.actalis.it/",
+                "https://ssltest-revoked.actalis.it/");
+    }
+}

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java

@@ -47,71 +47,28 @@
  * https://www.amazontrust.com/repository/
  */
 public class AmazonCA {
-
     public static void main(String[] args) throws Exception {
 
-        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
-            ValidatePathWithURL.enableCRLOnly();
-        } else {
-            // OCSP check by default
-            ValidatePathWithURL.enableOCSPOnly();
-        }
-
-        new AmazonCA_1().runTest();
-        new AmazonCA_2().runTest();
-        new AmazonCA_3().runTest();
-        new AmazonCA_4().runTest();
-    }
-}
-
-class AmazonCA_1 {
-    private static final String VALID = "https://valid.rootca1.demo.amazontrust.com/";
-    private static final String REVOKED = "https://revoked.rootca1.demo.amazontrust.com/";
-    private static final String CA_ALIAS = "amazonrootca1 [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
-    }
-}
-
-class AmazonCA_2 {
-    private static final String VALID = "https://valid.rootca2.demo.amazontrust.com/";
-    private static final String REVOKED = "https://revoked.rootca2.demo.amazontrust.com/";
-    private static final String CA_ALIAS = "amazonrootca2 [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
-    }
-}
+        CAInterop caInterop = new CAInterop(args[0]);
 
-class AmazonCA_3 {
-    private static final String VALID = "https://valid.rootca3.demo.amazontrust.com/";
-    private static final String REVOKED = "https://revoked.rootca3.demo.amazontrust.com/";
-    private static final String CA_ALIAS = "amazonrootca3 [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
-    }
-}
+        // CN=Amazon Root CA 1, O=Amazon, C=US
+        caInterop.validate("amazonrootca1 [jdk]",
+                "https://valid.rootca1.demo.amazontrust.com/",
+                "https://revoked.rootca1.demo.amazontrust.com/");
 
-class AmazonCA_4 {
-    private static final String VALID = "https://valid.rootca4.demo.amazontrust.com/";
-    private static final String REVOKED = "https://revoked.rootca4.demo.amazontrust.com/";
-    private static final String CA_ALIAS = "amazonrootca4 [jdk]";
+        // CN=Amazon Root CA 2, O=Amazon, C=US
+        caInterop.validate("amazonrootca2 [jdk]",
+                "https://valid.rootca2.demo.amazontrust.com/",
+                "https://revoked.rootca2.demo.amazontrust.com/");
 
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
+        // CN=Amazon Root CA 3, O=Amazon, C=US
+        caInterop.validate("amazonrootca3 [jdk]",
+                "https://valid.rootca3.demo.amazontrust.com/",
+                "https://revoked.rootca3.demo.amazontrust.com/");
 
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
+        // CN=Amazon Root CA 4, O=Amazon, C=US
+        caInterop.validate("amazonrootca4 [jdk]",
+                "https://valid.rootca4.demo.amazontrust.com/",
+                "https://revoked.rootca4.demo.amazontrust.com/");
     }
 }

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java

@@ -45,55 +45,28 @@ public class BuypassCA {
 
     public static void main(String[] args) throws Exception {
 
-        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
-            ValidatePathWithURL.enableCRLOnly();
-        } else {
-            // OCSP check by default
-            ValidatePathWithURL.enableOCSPOnly();
-        }
+        CAInterop caInterop = new CAInterop(args[0]);
 
-        new BuypassClass2().runTest();
-        new BuypassClass3().runTest();
-    }
-}
-
-class BuypassClass2 {
-    private static final String VALID_BUSINESS = "https://valid.business.ca22.ssl.buypass.no";
-    private static final String REVOKED_BUSINESS = "https://revoked.business.ca22.ssl.buypass.no";
-    private static final String VALID_DOMAIN = "https://valid.domain.ca22.ssl.buypass.no";
-    private static final String REVOKED_DOMAIN = "https://revoked.domain.ca22.ssl.buypass.no";
-    private static final String CA_ALIAS = "buypassclass2ca [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID_BUSINESS, false);
-        validatePathWithURL.validateDomain(REVOKED_BUSINESS, true);
-
-        validatePathWithURL.validateDomain(VALID_DOMAIN, false);
-        validatePathWithURL.validateDomain(REVOKED_DOMAIN, true);
-    }
-}
-
-class BuypassClass3 {
-    private static final String VALID_QC = "https://valid.qcevident.ca23.ssl.buypass.no";
-    private static final String REVOKED_QC = "https://revoked.qcevident.ca23.ssl.buypass.no";
-    private static final String VALID_EVIDENT = "https://valid.evident.ca23.ssl.buypass.no";
-    private static final String REVOKED_EVIDENT = "https://revoked.evident.ca23.ssl.buypass.no";
-    private static final String VALID_BUSINESSPLUS = "https://valid.businessplus.ca23.ssl.buypass.no";
-    private static final String REVOKED_BUSINESSPLUS = "https://revoked.businessplus.ca23.ssl.buypass.no";
-    private static final String CA_ALIAS = "buypassclass3ca [jdk]";
+        // CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
+        caInterop.validate("buypassclass2ca [jdk]",
+                "https://valid.business.ca22.ssl.buypass.no",
+                "https://revoked.business.ca22.ssl.buypass.no");
 
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
+        caInterop.validate("buypassclass2ca [jdk]",
+                "https://valid.domain.ca22.ssl.buypass.no",
+                "https://revoked.domain.ca22.ssl.buypass.no");
 
-        validatePathWithURL.validateDomain(VALID_QC, false);
-        validatePathWithURL.validateDomain(REVOKED_QC, true);
+        // CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
+        caInterop.validate("buypassclass3ca [jdk]",
+                "https://valid.qcevident.ca23.ssl.buypass.no",
+                "https://revoked.qcevident.ca23.ssl.buypass.no");
 
-        validatePathWithURL.validateDomain(VALID_EVIDENT, false);
-        validatePathWithURL.validateDomain(REVOKED_EVIDENT, true);
+        caInterop.validate("buypassclass3ca [jdk]",
+                "https://valid.evident.ca23.ssl.buypass.no",
+                "https://revoked.evident.ca23.ssl.buypass.no");
 
-        validatePathWithURL.validateDomain(VALID_BUSINESSPLUS, false);
-        validatePathWithURL.validateDomain(REVOKED_BUSINESSPLUS, true);
+        caInterop.validate("buypassclass3ca [jdk]",
+                "https://valid.businessplus.ca23.ssl.buypass.n",
+                "https://revoked.businessplus.ca23.ssl.buypass.no");
     }
 }

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+public final class CAInterop {
+    /**
+     * Constructor for interoperability test with third party CA.
+     * @param revocationMode revocation checking mode to use
+     */
+    public CAInterop(String revocationMode){
+        if ("CRL".equalsIgnoreCase(revocationMode)) {
+            ValidatePathWithURL.enableCRLOnly();
+        } if ("OCSP".equalsIgnoreCase(revocationMode)) {
+            ValidatePathWithURL.enableOCSPOnly();
+        }else {
+            // OCSP and CRL check by default
+            ValidatePathWithURL.enableOCSPAndCRL();
+        }
+    }
+
+    /**
+     * Validates provided URLs using <code>HttpsURLConnection</code> making sure they
+     * anchor to the root CA found in <code>cacerts</code> using provided alias.
+     * @param caAlias CA alis from <code>cacerts</code> file
+     * @param validCert valid test URL
+     * @param revokedCert revoked test URL
+     * @throws Exception thrown when certificate can't be validated as valid or revoked
+     */
+    public void validate(String caAlias,
+                                String validCert,
+                                String revokedCert) throws Exception {
+
+        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(caAlias);
+
+        if (validCert != null) {
+            validatePathWithURL.validateDomain(validCert, false);
+        }
+
+        if (revokedCert != null) {
+            validatePathWithURL.validateDomain(revokedCert, true);
+        }
+    }
+}

test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java

@@ -47,68 +47,26 @@ public class ComodoCA {
 
     public static void main(String[] args) throws Exception {
 
-        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
-            ValidatePathWithURL.enableCRLOnly();
-        } else {
-            // OCSP check by default
-            ValidatePathWithURL.enableOCSPOnly();
-        }
-
-        new ComodoRSA().runTest();
-        new ComodoECC().runTest();
-        new ComodoUserTrustRSA().runTest();
-        new ComodoUserTrustECC().runTest();
-    }
-}
-
-class ComodoRSA {
-    private static final String VALID = "https://comodorsacertificationauthority-ev.comodoca.com";
-    private static final String REVOKED = "https://comodorsacertificationauthority-ev.comodoca.com:444";
-    private static final String CA_ALIAS = "comodorsaca [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
-    }
-}
-
-class ComodoECC {
-    private static final String VALID = "https://comodoecccertificationauthority-ev.comodoca.com";
-    private static final String REVOKED = "https://comodoecccertificationauthority-ev.comodoca.com:444";
-    private static final String CA_ALIAS = "comodoeccca [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
-    }
-}
-
-class ComodoUserTrustRSA {
-    private static final String VALID = "https://usertrustrsacertificationauthority-ev.comodoca.com";
-    private static final String REVOKED = "https://usertrustrsacertificationauthority-ev.comodoca.com:444";
-    private static final String CA_ALIAS = "usertrustrsaca [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
-    }
-}
-
-class ComodoUserTrustECC {
-    private static final String VALID = "https://usertrustecccertificationauthority-ev.comodoca.com";
-    private static final String REVOKED = "https://usertrustecccertificationauthority-ev.comodoca.com:444";
-    private static final String CA_ALIAS = "usertrusteccca [jdk]";
-
-    public void runTest() throws Exception {
-        ValidatePathWithURL validatePathWithURL = new ValidatePathWithURL(CA_ALIAS);
-
-        validatePathWithURL.validateDomain(VALID, false);
-        validatePathWithURL.validateDomain(REVOKED, true);
+        CAInterop caInterop = new CAInterop(args[0]);
+
+        // CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
+        caInterop.validate("comodorsaca [jdk]",
+                "https://comodorsacertificationauthority-ev.comodoca.com",
+                "https://comodorsacertificationauthority-ev.comodoca.com:444");
+
+        // CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
+        caInterop.validate("comodoeccca [jdk]",
+                "https://comodoecccertificationauthority-ev.comodoca.com",
+                "https://comodoecccertificationauthority-ev.comodoca.com:444");
+
+        // CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
+        caInterop.validate("usertrustrsaca [jdk]",
+                "https://usertrustrsacertificationauthority-ev.comodoca.com",
+                "https://usertrustrsacertificationauthority-ev.comodoca.com:444");
+
+        // CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
+        caInterop.validate("usertrusteccca [jdk]",
+                "https://usertrustecccertificationauthority-ev.comodoca.com",
+                "https://usertrustecccertificationauthority-ev.comodoca.com:444");
     }
 }