Skip to content

Commit 5f5f887

Browse files
dghgitdghgit
committed
added CRLsign check
1 parent 31fe006 commit 5f5f887

2 files changed

Lines changed: 176 additions & 9 deletions

File tree

prov/src/main/java/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java

Lines changed: 25 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -61,6 +61,7 @@
6161
import org.bouncycastle.jcajce.util.JcaJceHelper;
6262
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
6363
import org.bouncycastle.util.Arrays;
64+
import org.bouncycastle.util.Properties;
6465

6566
class RFC3280CertPathUtilities
6667
{
@@ -556,15 +557,30 @@ protected static Set processCRLF(
556557
{
557558
X509Certificate signCert = (X509Certificate)validCerts.get(i);
558559
boolean[] keyUsage = signCert.getKeyUsage();
559-
560-
if (keyUsage != null && (keyUsage.length <= CRL_SIGN || !keyUsage[CRL_SIGN]))
560+
561+
if (keyUsage == null)
561562
{
562-
lastException = new AnnotatedException(
563-
"Issuer certificate key usage extension does not permit CRL signing.");
563+
if (Properties.isOverrideSet("org.bouncycastle.x509.allow_ca_without_crl_sign"))
564+
{
565+
checkKeys.add(validKeys.get(i));
566+
}
567+
else
568+
{
569+
lastException = new AnnotatedException(
570+
"No key usage extension on CRL issuer certificate.");
571+
}
564572
}
565573
else
566574
{
567-
checkKeys.add(validKeys.get(i));
575+
if (keyUsage.length <= CRL_SIGN || !keyUsage[CRL_SIGN])
576+
{
577+
lastException = new AnnotatedException(
578+
"Issuer certificate key usage extension does not permit CRL signing.");
579+
}
580+
else
581+
{
582+
checkKeys.add(validKeys.get(i));
583+
}
568584
}
569585
}
570586

@@ -1432,16 +1448,18 @@ protected static void processCertA(
14321448
{
14331449
throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index);
14341450
}
1435-
1451+
System.err.println(cert.getIssuerX500Principal());
1452+
System.err.println(cert.getSubjectX500Principal());
14361453
//
14371454
// (a) (3)
14381455
//
14391456
if (revocationChecker != null)
14401457
{
14411458
revocationChecker.initialize(new PKIXCertRevocationCheckerParameters(paramsPKIX, validCertDate, certPath,
14421459
index, sign, workingPublicKey));
1443-
1460+
System.err.println("in revocation");
14441461
revocationChecker.check(cert);
1462+
System.err.println("leaving revocation");
14451463
}
14461464

14471465
//

prov/src/test/java/org/bouncycastle/jce/provider/test/CertPathValidatorTest.java

Lines changed: 151 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -393,11 +393,156 @@ private void constraintTest()
393393

394394
}
395395

396-
public void performTest()
396+
private static byte[] crlFake = Base64.decode(
397+
"MIIBzTCBtgIBATANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJYWDETMBEGA1UE" +
398+
"CgwKQ1JMcyAnciBVcxcNMjQwMzI1MTg0NzAwWhcNMjQwNDAxMTg0NzAwWqBgMF4w" +
399+
"CgYDVR0UBAMCAQEwHwYDVR0jBBgwFoAU/NE0t8uklbG2WeoLBWIe6JqPtDowLwYD" +
400+
"VR0cAQH/BCUwI6AeoByGGmh0dHA6Ly9mb28uZXhhbXBsZS9jcmwuZGxshAH/MA0G" +
401+
"CSqGSIb3DQEBCwUAA4IBAQAN8oDSvWsg3JvUJ4MkXvczaFb72VH0J/VL5PV2cBSm" +
402+
"MfaVBKnUsNr1IcxT06KF8gNrDTpKqJ9fetO290swZfcPt9sEVUBVQUpdlQc3tya1" +
403+
"jYWmFkA3tkpqH5rBCQa3CBm1Cg8cbFBtwWgWr70NsVvfD6etjAEP9Ze+MSXnGV0p" +
404+
"w9EeOV07HnSD/PGQwqCiaSn5DdIDVoH8eFSGmgNLw+b4SwUjmz8PqsZwvHxJvleV" +
405+
"1D8cj7zdR4ywgRMjEfJZ8Bp+Tdu64Gv0doDS0iEJIshLHYkcW1okpq/tPm8kKAbD" +
406+
"reparePNQwhScVcDiSL73eEBIPokgG3QhohiucP5MeF1");
407+
408+
private static byte[] crlIssuer = Base64.decode(
409+
"MIIDMzCCAhugAwIBAgIUPOARSBZTC4SU8f/RrhdPXfZVh9EwDQYJKoZIhvcNAQEL\n" +
410+
"BQAwIzELMAkGA1UEBhMCWFgxFDASBgNVBAoMC0NlcnRzICdyIFVzMB4XDTI0MDMy\n" +
411+
"NTE4NDcwMFoXDTI1MDMyNTE4NDcwMFowIjELMAkGA1UEBhMCWFgxEzARBgNVBAoM\n" +
412+
"CkNSTHMgJ3IgVXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCleY8S\n" +
413+
"gEwPfvfUcIuix5dC7MgFudzaJROINa3u7cW0Rh+mivfepuGl9I683qinDebmE1Sq\n" +
414+
"bVyHDi4RqpM+BCQ0EnW6idriL+13BqNU4QRd68gwF4eNXw9rtmixVGvcvcUngNnz\n" +
415+
"XPrJyWqarjFQ8ECH09I9q/Fv3OAWPmTbzAgWdXV7cx/pCHFNEU3qSWeXkbumKV5l\n" +
416+
"DqTs/J82/n5HZfRjUVIMbf4X6/9wA9BQX8aYbUMng49M5GVd/bg3RXGBLF4lXIUd\n" +
417+
"IPpGYrKT2V+EFq9yKqbnXawTXKw7mBNoIbaN950f1VMdf8czsPNxdeCHJzNtQV70\n" +
418+
"aOqa2hLzxAxzAz7DAgMBAAGjYDBeMB0GA1UdDgQWBBRdiKBrVfofgq1XL7AZu3Wk\n" +
419+
"t83qzjAfBgNVHSMEGDAWgBS04fYwVDNa70uNyIJtV75OHwEHmTAMBgNVHRMBAf8E\n" +
420+
"AjAAMA4GA1UdDwEB/wQEAwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAF5XrOXxVfCFb\n" +
421+
"S5EXxpAk8iXMAOfcfYiWEUT9DdJ3ABeAFnhbiLdlKq8J3BGr1Iiveo2pE9fKz9s/\n" +
422+
"2tZjzbe9Kfg05mfyn9DS5AoWjieW5zaAZpDR9pKkq9/d7pDTbHwvDnNLoMMHRPZP\n" +
423+
"2tsBhjcPPay8zWKLz+8dfPyrGpbGfFg/zd3KBNefc12Sl0Iw6XQUaIpDxyJBvpIU\n" +
424+
"0Xo1R1F22gJ7oG1zI28mr6SGyBvJ8r1c0sQ1qQt+iA/0M5qXRjuLIhO8/ajlMQwP\n" +
425+
"Sdasa53HOErxWqsxNRpwJkaynSiKSwGeqLxdTYwWcWrsYB7RqKgjbQnhSBSd3TKm\n" +
426+
"H2P790A+oQ==");
427+
428+
private static byte[] crlSecretary = Base64.decode(
429+
"MIIDejCCAmKgAwIBAgIUI4Xq9G+KWEr2NPfGbY4A2dfXp50wDQYJKoZIhvcNAQEL\n" +
430+
"BQAwIzELMAkGA1UEBhMCWFgxFDASBgNVBAoMC0NlcnRzICdyIFVzMB4XDTI0MDMy\n" +
431+
"NTE4NDcwMFoXDTI1MDMyNTE4NDcwMFowIjELMAkGA1UEBhMCWFgxEzARBgNVBAoM\n" +
432+
"CkNSTHMgJ3IgVXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkynb7\n" +
433+
"zm0ooFfVkkqj9ppBiTh0YGUqv7/jQoFMDJ/XVtYGUJdyPTXoD9cP1ZypzONmK07U\n" +
434+
"Rc0WMug47hv2tZgrVOxqrGQqDD7e4LM3luinwG5eW3XYT4eJr6Urbk8KSdKSYzqj\n" +
435+
"wjY217KQ8DDgioUInWBUyz5UWrG014QbcEgwX0JGpQrwaaPQtbUd58f5x/LCdsXC\n" +
436+
"p41ySSNsYoKhDawnNblLVxhr+Vp7eQ0wj7LaD/+k12ZDMQbkj3PsGBiWqm+e2uwV\n" +
437+
"n9cq9kK6ARN0svju5dpDw5hERRrQ1GR87WvHWHUtmnR7s7+xacRpZTUvJ5Xsi0Rf\n" +
438+
"Eq1SDPYPyT8ksrt7AgMBAAGjgaYwgaMwHQYDVR0OBBYEFPzRNLfLpJWxtlnqCwVi\n" +
439+
"Huiaj7Q6MB8GA1UdIwQYMBaAFLTh9jBUM1rvS43Igm1Xvk4fAQeZMAwGA1UdEwEB\n" +
440+
"/wQCMAAwUwYDVR0fBEwwSjBIoB6gHIYaaHR0cDovL2Zvby5leGFtcGxlL2NybC5k\n" +
441+
"bGyiJqQkMCIxCzAJBgNVBAYTAlhYMRMwEQYDVQQKDApDUkxzICdyIFVzMA0GCSqG\n" +
442+
"SIb3DQEBCwUAA4IBAQBY72Z1LwWsVbnYl6ZhWDAAuy0bwTMKwF8JwpG1PpFzC6p0\n" +
443+
"DJd36c3ZOzRYgjpmApi3X9lFx0oyuZOjBIlMtqnXgKjYBytF2jmf8DziIsCnvMI8\n" +
444+
"1IiFRjWjm56y0xaxBqv9yzvTqKG198vxakxPAUn8oONMtLvqHAvoQyHCBej5Xirg\n" +
445+
"joJkPeHeRwl9sgYZcqowNHGHiBX8KtXeatkHkpmxZO5cunGD+RcOnBpJEfZJhopX\n" +
446+
"GaW1DPRY0qqPFhnLcQsv8UZEyDxyYH/HuGaZy3u9lT1SqlOx2zzQnTK6EyIc92n3\n" +
447+
"suILIm4MBrqXYXUlHkMzLmpJGH9lg9xaFn3vCU7Q");
448+
449+
private static byte[] crlRoot = Base64.decode(
450+
"MIIDFjCCAf6gAwIBAgIUF/hP3a/TkmHlfhYYUiFNw/H5lMwwDQYJKoZIhvcNAQEL\n" +
451+
"BQAwIzELMAkGA1UEBhMCWFgxFDASBgNVBAoMC0NlcnRzICdyIFVzMB4XDTI0MDMy\n" +
452+
"NTE4NDcwMFoXDTI1MDMyNTE4NDcwMFowIzELMAkGA1UEBhMCWFgxFDASBgNVBAoM\n" +
453+
"C0NlcnRzICdyIFVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAomfH\n" +
454+
"KuGQzqGkFGSsKLESgJbRRRQsIuJ19w/sumNHNPnbl93rEgdoF1y2yUFcY0ZipZCg\n" +
455+
"lIpfhOkp6I+WLtF59t8vLw30P1ZBwmbjC54EwGLH3WRDPS0j+33TfDjNdQRwY4u6\n" +
456+
"j2EK6drXPhBPsaG0map3VfWQelaStAoIC6evoYFzfO2E7Ik4xv06U47WHefseBue\n" +
457+
"ZcsFvfW3bf/E04PFc2YssUyqjiaa0sU/w7l9xj2P+vCqpM393ZWJX6GRcns/wUJ/\n" +
458+
"na7iXpIO82EV3/eExeXoHc912L+m0HoB86RYQat+wyhX6Z5i1ApU6zXqGU7D8cPD\n" +
459+
"DrbIjwLDMwKPbC9FjwIDAQABo0IwQDAdBgNVHQ4EFgQUtOH2MFQzWu9LjciCbVe+\n" +
460+
"Th8BB5kwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcN\n" +
461+
"AQELBQADggEBAJGeqkMrzOgesGaCHJJgX/qpG7bp4KPPL0bi7EYnT1cuy5ss053I\n" +
462+
"Ooh5APYn+GrufWjYn4mwSekvuRTB6VdR4YMeoYPMxWJRp3l7s0aHLo98BbW9WX+4\n" +
463+
"ju+K/Dndbrs1v7r4IB79hu4QtR7BVaEQ8UjqY+/I1VeYKtAd7scQGKpSNOPN3YVu\n" +
464+
"+QY3fXy+nfDhj7drUeAHVj+Qz/6RZOIhmIPj7adsZhDQwvMG3cAkAfVGncP7n+cN\n" +
465+
"nqZyYu8PPQp4g+QM42kXXBu5N8QwkCtcMe2nvKiQvEOZww70N3mTIK8CSxLla5pI\n" +
466+
"635lNPBZubGF6m35P7EArB0JuU2KYNgUxis=\n");
467+
468+
private static byte[] crlVictim = Base64.decode(
469+
"MIIDjTCCAnWgAwIBAgIUW8wsCzJEg7WzpMvkUKyloeKqKLYwDQYJKoZIhvcNAQEL\n" +
470+
"BQAwIzELMAkGA1UEBhMCWFgxFDASBgNVBAoMC0NlcnRzICdyIFVzMB4XDTI0MDMy\n" +
471+
"NTE4NDcwMFoXDTI1MDMyNTE4NDcwMFowJTELMAkGA1UEBhMCWFgxFjAUBgNVBAoM\n" +
472+
"DVVubHVja3kgJ3IgV2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6\n" +
473+
"erJm/+hf6IhoqCYfX+y6uiVSSF/J6VyENk+oXS2g71g1sapGCXRO8xlDqH1rhFzC\n" +
474+
"IJ56nC14K9w4r+6D3FUKw4G5sKMRTMX7U5brjd8wRd3XHAIUdSCP9SVrNz6bmcjf\n" +
475+
"B27vBT0ifIC7bQg7Y01BoqnBPObuwT7ufk951rFzCIagzSylzR/GRNhMYo4rO6jw\n" +
476+
"Ih84LpAxUQ1vFAaBb5GCVhXoUWecu+RtIaIDo9tn8PF16O6VW8zPmsoV9HELD8Sx\n" +
477+
"HuoSXXcsF2OW55XLeAO+l1tikAVqA6nUvQx03bb3TW7W+3v6nGzG308fHA32TdLk\n" +
478+
"ZLK9nPnF5hF4pFmWpjwHAgMBAAGjgbYwgbMwHQYDVR0OBBYEFMitbC8lM9mw/hc6\n" +
479+
"TnvL5vpAyfpZMB8GA1UdIwQYMBaAFLTh9jBUM1rvS43Igm1Xvk4fAQeZMAwGA1Ud\n" +
480+
"EwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMFMGA1UdHwRMMEowSKAeoByGGmh0dHA6\n" +
481+
"Ly9mb28uZXhhbXBsZS9jcmwuZGxsoiakJDAiMQswCQYDVQQGEwJYWDETMBEGA1UE\n" +
482+
"CgwKQ1JMcyAnciBVczANBgkqhkiG9w0BAQsFAAOCAQEAmysx1oqEUDUpLg98K9Rw\n" +
483+
"AXTykVDjjG0ZKg7UtDcaIeBfomhXv+Sh2oz9zqqZQ5/4HGIwe2fAsbQZmlH//8Yb\n" +
484+
"ovEZCo3WmhJSyTDB2KLebPJLw5HOi7QrAjYJWKR+pkuQmxMPoSAdMXRkiBmzYjZL\n" +
485+
"lxHaT6Y2IMZ6kVtHCmcOFaHWJyPAUZ4ymO03cb/1M73ioecf9jMgIf7YBaopty2p\n" +
486+
"X2GVHaCE1m7u+2WU45b34PBRY/ZvhZvuJKi3TfuaLMJFPz6HY4XbHPnlBP4EwXpC\n" +
487+
"5VaJvOMXWZPWh/yrCVEKMzFxesbwHV/vyOUls0P4kIY383/78MvzchHLhwR7h2fy\n" +
488+
"Iw==");
489+
490+
private void testNoKeyUsageCRLSigner()
397491
throws Exception
398492
{
399-
constraintTest();
493+
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
494+
495+
X509Certificate root = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(crlRoot));
496+
X509Certificate crlIss = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(crlIssuer));
497+
X509Certificate secretary = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(crlSecretary));
498+
X509Certificate victim = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(crlVictim));
499+
500+
X509CRL fakeCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(crlFake));
501+
502+
List list = new ArrayList();
503+
504+
// list.add(root);
505+
// list.add(crlIss);
506+
list.add(secretary);
507+
list.add(victim);
508+
list.add(fakeCrl);
400509

510+
System.setProperty("org.bouncycastle.x509.allow_ca_without_crl_sign", "false");
511+
512+
CertPath cp = cf.generateCertPath(Collections.singletonList(victim));
513+
514+
CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
515+
CertStore store = CertStore.getInstance("Collection", ccsp, "BC");
516+
Date validDate = new Date(fakeCrl.getThisUpdate().getTime() + 60 * 60 * 1000);
517+
518+
//Searching for rootCert by subjectDN without CRL
519+
Set trust = new HashSet();
520+
trust.add(new TrustAnchor(root, null));
521+
//
522+
CertPathValidator cpb = CertPathValidator.getInstance("PKIX", "BC");
523+
X509CertSelector targetConstraints = new X509CertSelector();
524+
targetConstraints.setSubject(victim.getSubjectX500Principal().getEncoded());
525+
PKIXParameters params = new PKIXParameters(trust);
526+
params.addCertStore(store);
527+
params.setDate(validDate);
528+
529+
try
530+
{
531+
PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)cpb.validate(cp, params);
532+
fail("path should have failed");
533+
}
534+
catch (CertPathValidatorException e)
535+
{ e.printStackTrace();
536+
isTrue("No CRLs found for issuer \"o=Certs 'r Us,c=XX\"".equals(e.getMessage()));
537+
}
538+
}
539+
540+
public void performTest()
541+
throws Exception
542+
{
543+
// constraintTest();
544+
testNoKeyUsageCRLSigner();
545+
System.exit(0);
401546
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
402547

403548
// initialise CertStore
@@ -431,6 +576,8 @@ public void performTest()
431576
MyChecker checker = new MyChecker();
432577
param.addCertPathChecker(checker);
433578

579+
System.setProperty("org.bouncycastle.x509.allow_ca_without_crl_sign", "true");
580+
434581
PKIXCertPathValidatorResult result =
435582
(PKIXCertPathValidatorResult)cpv.validate(cp, param);
436583
PolicyNode policyTree = result.getPolicyTree();
@@ -463,6 +610,8 @@ public void performTest()
463610

464611
result = (PKIXCertPathValidatorResult)cpv.validate(cp, param);
465612

613+
System.setProperty("org.bouncycastle.x509.allow_ca_without_crl_sign", "false");
614+
466615
isTrue(result.getTrustAnchor().getTrustedCert().equals(rootCert));
467616

468617
//

0 commit comments

Comments
 (0)