1 /* 2 * Copyright (C) 2011 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.apache.harmony.xnet.provider.jsse; 18 19 import java.security.KeyStore; 20 import java.security.cert.CertificateException; 21 import java.security.cert.X509Certificate; 22 import javax.net.ssl.TrustManager; 23 import javax.net.ssl.TrustManagerFactory; 24 import javax.net.ssl.X509TrustManager; 25 import junit.framework.TestCase; 26 import libcore.java.security.TestKeyStore; 27 28 public class TrustManagerImplTest extends TestCase { 29 30 /** 31 * Ensure that our non-standard behavior of learning to trust new 32 * intermediate CAs does not regress. http://b/3404902 33 */ 34 public void testLearnIntermediate() throws Exception { 35 36 // chain3 should be server/intermediate/root 37 KeyStore.PrivateKeyEntry pke = TestKeyStore.getServer().getPrivateKey("RSA", "RSA"); 38 X509Certificate[] chain3 = (X509Certificate[])pke.getCertificateChain(); 39 X509Certificate root = chain3[2]; 40 X509Certificate intermediate = chain3[1]; 41 X509Certificate server = chain3[0]; 42 X509Certificate[] chain2 = new X509Certificate[] { server, intermediate }; 43 X509Certificate[] chain1 = new X509Certificate[] { server }; 44 45 // Normal behavior 46 assertValid(chain3, trustManager(root)); 47 assertValid(chain2, trustManager(root)); 48 assertInvalid(chain1, trustManager(root)); 49 assertValid(chain3, trustManager(intermediate)); 50 assertValid(chain2, trustManager(intermediate)); 51 assertValid(chain1, trustManager(intermediate)); 52 assertValid(chain3, trustManager(server)); 53 assertValid(chain2, trustManager(server)); 54 assertValid(chain1, trustManager(server)); 55 56 // non-standard behavior 57 X509TrustManager tm = trustManager(root); 58 // fail on short chain with only root trusted 59 assertInvalid(chain1, tm); 60 // succeed on longer chain, learn intermediate 61 assertValid(chain2, tm); 62 // now we can validate the short chain 63 assertValid(chain1, tm); 64 } 65 66 private X509TrustManager trustManager(X509Certificate ca) throws Exception { 67 KeyStore keyStore = TestKeyStore.createKeyStore(); 68 keyStore.setCertificateEntry("alias", ca); 69 70 String algorithm = TrustManagerFactory.getDefaultAlgorithm(); 71 TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm); 72 tmf.init(keyStore); 73 return (X509TrustManager) tmf.getTrustManagers()[0]; 74 } 75 76 private void assertValid(X509Certificate[] chain, X509TrustManager tm) throws Exception { 77 tm.checkClientTrusted(chain, "RSA"); 78 tm.checkServerTrusted(chain, "RSA"); 79 } 80 private void assertInvalid(X509Certificate[] chain, X509TrustManager tm) { 81 try { 82 tm.checkClientTrusted(chain, "RSA"); 83 fail(); 84 } catch (CertificateException expected) { 85 } 86 try { 87 tm.checkServerTrusted(chain, "RSA"); 88 fail(); 89 } catch (CertificateException expected) { 90 } 91 } 92 } 93