authorChris Palmer <palmer@google.com>2013-01-03 13:51:41 -0800
committerBrian Carlstrom <bdc@google.com>2013-04-06 00:35:35 -0700
commit0da1515c5fe4e97fc2d4d24a41ebd4c078fec4db (patch)
treed68b7769b67443a3c8af890b9c23bd92524a0419 /support
parentbff71c08206049d7f2509f4836f867e556814fa4 (diff)
Check the EE's eKU extension field, if present.
BUG=https://code.google.com/p/chromium/issues/detail?id=167607 and https://b.corp.google.com/issue?id=7920492 Change-Id: Ib917c3a4a8ea6a12f685c44056aa44aa414d45e6
Diffstat (limited to 'support')
-rw-r--r--support/src/test/java/libcore/java/security/TestKeyStore.java81
1 files changed, 62 insertions, 19 deletions
diff --git a/support/src/test/java/libcore/java/security/TestKeyStore.java b/support/src/test/java/libcore/java/security/TestKeyStore.java
index 74c2840..aee7f8a 100644
--- a/support/src/test/java/libcore/java/security/TestKeyStore.java
+++ b/support/src/test/java/libcore/java/security/TestKeyStore.java
@@ -18,9 +18,11 @@ package libcore.java.security;
import com.android.org.bouncycastle.asn1.DEROctetString;
import com.android.org.bouncycastle.asn1.x509.BasicConstraints;
+import com.android.org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import com.android.org.bouncycastle.asn1.x509.GeneralName;
import com.android.org.bouncycastle.asn1.x509.GeneralNames;
import com.android.org.bouncycastle.asn1.x509.GeneralSubtree;
+import com.android.org.bouncycastle.asn1.x509.KeyPurposeId;
import com.android.org.bouncycastle.asn1.x509.KeyUsage;
import com.android.org.bouncycastle.asn1.x509.NameConstraints;
import com.android.org.bouncycastle.asn1.x509.X509Extensions;
@@ -75,6 +77,7 @@ import libcore.javax.net.ssl.TestTrustManager;
public final class TestKeyStore extends Assert {
private static TestKeyStore ROOT_CA;
+ private static TestKeyStore INTERMEDIATE_CA;
private static TestKeyStore SERVER;
private static TestKeyStore CLIENT;
@@ -145,7 +148,7 @@ public final class TestKeyStore extends Assert {
.subject("CN=Test Root Certificate Authority")
.ca(true)
.build();
- TestKeyStore intermediateCa = new Builder()
+ INTERMEDIATE_CA = new Builder()
.aliasPrefix("IntermediateCA")
.subject("CN=Test Intermediate Certificate Authority")
.ca(true)
@@ -154,15 +157,15 @@ public final class TestKeyStore extends Assert {
.build();
SERVER = new Builder()
.aliasPrefix("server")
- .signer(intermediateCa.getPrivateKey("RSA", "RSA"))
- .rootCa(intermediateCa.getRootCertificate("RSA"))
+ .signer(INTERMEDIATE_CA.getPrivateKey("RSA", "RSA"))
+ .rootCa(INTERMEDIATE_CA.getRootCertificate("RSA"))
.build();
- CLIENT = new TestKeyStore(createClient(intermediateCa.keyStore), null, null);
+ CLIENT = new TestKeyStore(createClient(INTERMEDIATE_CA.keyStore), null, null);
CLIENT_CERTIFICATE = new Builder()
.aliasPrefix("client")
.subject("emailAddress=test@user")
- .signer(intermediateCa.getPrivateKey("RSA", "RSA"))
- .rootCa(intermediateCa.getRootCertificate("RSA"))
+ .signer(INTERMEDIATE_CA.getPrivateKey("RSA", "RSA"))
+ .rootCa(INTERMEDIATE_CA.getRootCertificate("RSA"))
.build();
TestKeyStore rootCa2 = new Builder()
.aliasPrefix("RootCA2")
@@ -173,6 +176,22 @@ public final class TestKeyStore extends Assert {
}
/**
+ * Return an root CA that can be used to issue new certificates.
+ */
+ public static TestKeyStore getRootCa() {
+ initCerts();
+ return ROOT_CA;
+ }
+
+ /**
+ * Return an intermediate CA that can be used to issue new certificates.
+ */
+ public static TestKeyStore getIntermediateCa() {
+ initCerts();
+ return INTERMEDIATE_CA;
+ }
+
+ /**
* Return a server keystore with a matched RSA certificate and
* private key as well as a CA certificate.
*/
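Review bot: The Javadoc on `getRootCa()` reads "Return an root CA"; it should be "Return a root CA". Both new accessors return the static `ROOT_CA` / `INTERMEDIATE_CA` instances themselves, so every caller that issues certificates from them works with the same keystore object and the same CA key. I would state that in the comment, e.g. `Returns the shared test root CA, which can be used to issue new test certificates.`, with matching wording on `getIntermediateCa()`.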
@@ -223,10 +242,13 @@ public final class TestKeyStore extends Assert {
private boolean ca;
private PrivateKeyEntry signer;
private Certificate rootCa;
+ private final List<KeyPurposeId> extendedKeyUsages = new ArrayList<KeyPurposeId>();
+ private final List<Boolean> criticalExtendedKeyUsages = new ArrayList<Boolean>();
private final List<GeneralName> subjectAltNames = new ArrayList<GeneralName>();
- private final Vector<GeneralSubtree> permittedNameConstraints
- = new Vector<GeneralSubtree>();
- private final Vector<GeneralSubtree> excludedNameConstraints = new Vector<GeneralSubtree>();
+ private final List<GeneralSubtree> permittedNameConstraints
+ = new ArrayList<GeneralSubtree>();
+ private final List<GeneralSubtree> excludedNameConstraints
+ = new ArrayList<GeneralSubtree>();
public Builder() {
subject = localhost();
@@ -284,7 +306,13 @@ public final class TestKeyStore extends Assert {
return this;
}
- private Builder addSubjectAltName(GeneralName generalName) {
+ public Builder addExtendedKeyUsage(KeyPurposeId keyPurposeId, boolean critical) {
+ extendedKeyUsages.add(keyPurposeId);
+ criticalExtendedKeyUsages.add(critical);
+ return this;
+ }
+
+ public Builder addSubjectAltName(GeneralName generalName) {
subjectAltNames.add(generalName);
return this;
}
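Review bot: `addExtendedKeyUsage` is added as public API and `addSubjectAltName` is widened from private to public, but neither carries a Javadoc comment. For the new method I would add `/** Adds an extended key usage purpose to the certificate being built; {@code critical} is the critical flag passed to the generator for it. */`. It is also worth stating there that a null `keyPurposeId` is stored as-is, since nothing in this method rejects it.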
@@ -413,6 +441,7 @@ public final class TestKeyStore extends Assert {
: subject);
PrivateKey signingKey = (caKey == null) ? privateKey : caKey;
x509c = createCertificate(publicKey, signingKey, subject, issuer, keyUsage, ca,
+ extendedKeyUsages, criticalExtendedKeyUsages,
subjectAltNames,
permittedNameConstraints, excludedNameConstraints);
}
@@ -456,9 +485,11 @@ public final class TestKeyStore extends Assert {
return createCertificate(publicKey, privateKey,
principal, principal,
0, true,
- new Vector<GeneralName>(),
- new Vector<GeneralSubtree>(),
- new Vector<GeneralSubtree>());
+ new ArrayList<KeyPurposeId>(),
+ new ArrayList<Boolean>(),
+ new ArrayList<GeneralName>(),
+ new ArrayList<GeneralSubtree>(),
+ new ArrayList<GeneralSubtree>());
} catch (Exception e) {
throw new RuntimeException(e);
}
@@ -471,9 +502,11 @@ public final class TestKeyStore extends Assert {
X500Principal issuer,
int keyUsage,
boolean ca,
+ List<KeyPurposeId> extendedKeyUsages,
+ List<Boolean> criticalExtendedKeyUsages,
List<GeneralName> subjectAltNames,
- Vector<GeneralSubtree> permittedNameConstraints,
- Vector<GeneralSubtree> excludedNameConstraints) throws Exception {
+ List<GeneralSubtree> permittedNameConstraints,
+ List<GeneralSubtree> excludedNameConstraints) throws Exception {
// Note that there is no way to programmatically make a
// Certificate using java.* or javax.* APIs. The
// CertificateFactory interface assumes you want to read
@@ -520,6 +553,13 @@ public final class TestKeyStore extends Assert {
true,
new BasicConstraints(true));
}
+ for (int i = 0; i < extendedKeyUsages.size(); i++) {
+ KeyPurposeId keyPurposeId = extendedKeyUsages.get(i);
+ boolean critical = criticalExtendedKeyUsages.get(i);
+ x509cg.addExtension(X509Extensions.ExtendedKeyUsage,
+ critical,
+ new ExtendedKeyUsage(keyPurposeId));
+ }
for (GeneralName subjectAltName : subjectAltNames) {
x509cg.addExtension(X509Extensions.SubjectAlternativeName,
false,
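Review bot: The loop starting at `for (int i = 0; i < extendedKeyUsages.size(); i++)` calls `x509cg.addExtension(X509Extensions.ExtendedKeyUsage, ...)` once per purpose, so a builder that received two `addExtendedKeyUsage` calls requests two extensions with the same OID. RFC 5280 permits only one instance of a given extension per certificate, and Bouncy Castle's extension generator is expected to reject the second add (confirm against the bundled version), so a multi-purpose EKU test certificate cannot be produced this way. Criticality is a property of the whole extension rather than of one purpose, which also makes the parallel `criticalExtendedKeyUsages` list declared in the Builder fields hunk misleading. I would emit a single extension carrying every purpose, as below; the `Vector` constructor of `ExtendedKeyUsage` is assumed to exist in this Bouncy Castle copy. `createCertificate` starts and ends outside this hunk.

```java
// … unchanged: BasicConstraints extension for CA certificates …
if (!extendedKeyUsages.isEmpty()) {
    // A certificate may hold a single EKU extension, so all purposes go into one value.
    // The extension is marked critical if any caller asked for a critical purpose.
    boolean critical = criticalExtendedKeyUsages.contains(Boolean.TRUE);
    x509cg.addExtension(X509Extensions.ExtendedKeyUsage,
                        critical,
                        new ExtendedKeyUsage(
                                new java.util.Vector<KeyPurposeId>(extendedKeyUsages)));
}
// … unchanged: subjectAltNames loop …
```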
@@ -592,10 +632,6 @@ public final class TestKeyStore extends Assert {
/**
* Create an empty KeyStore
- *
- * The KeyStore is optionally password protected by the
- * keyStorePassword argument, which can be null if a password is
- * not desired.
*/
public static KeyStore createKeyStore() {
try {
@@ -815,6 +851,13 @@ public final class TestKeyStore extends Assert {
/**
* Dump a key store for debugging.
*/
+ public void dump(String context) throws KeyStoreException, NoSuchAlgorithmException {
+ dump(context, keyStore, keyPassword);
+ }
+
+ /**
+ * Dump a key store for debugging.
+ */
public static void dump(String context, KeyStore keyStore, char[] keyPassword)
throws KeyStoreException, NoSuchAlgorithmException {
PrintStream out = System.out;
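Review bot: The new instance overload `dump(String context)` repeats the static method's Javadoc word for word, so the two overloads are indistinguishable in generated documentation. I would document it as `Dump this TestKeyStore's key store for debugging, using its own key password.` The static `dump` it delegates to writes to `System.out` and its body continues outside the hunk, so what it prints for entries unlocked with `keyPassword` cannot be checked from here.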