| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Adds coverage for the following:
java.security.cert.CertPathBuilderSpi.engineGetRevocationChecker()
java.security.cert.CertPathValidatorSpi.engineGetRevocationChecker()
java.security.cert.PKIXCertPathChecker.check(java.security.cert.Certificate)
java.security.cert.PKIXRevocationChecker.clone()
Bug: 182166056
Test: atest CtsLibcoreTestCases
Change-Id: Id2e5c1f4efcfa6560c04a2f129a8171afc146069
| |
CERT_CORRECT in X509Certificate2Test is not correct at all. It contains
a slew of encoding mistakes:

- BOOLEAN { FALSE } is not a valid parameter for dsa-with-sha1. Per
  RFC3279, the parameters should be omitted.
- dsa-with-sha1 is not a valid SPKI OID. It's a signature OID. The DSA
  SPKI OID is different and needs DSA parameters.
- The body of the SPKI is not a DSA public key.
- A GeneralName using the directoryName CHOICE arm should use explicit
  tagging, not implicit tagging. This is a weird corner case of ASN.1
  that a lot of folks get wrong.
- 0x01 is not a valid BOOLEAN in DER. The correct encoding of TRUE is
  0xff.
- An authorityKeyIdentifier is a moderately complex structure, not a
  BOOLEAN.
- A subjectKeyIdentifier is an OCTET STRING, not a BOOLEAN.
- A policyMappings is a moderately complex structure, not a BOOLEAN.

The test is checking that the basicConstraints extension is correctly
parsed, but that isn't a great test when the certificate is invalid.
X.509 is an extensible format, so which syntax errors are rejected
when is a complicated question. (E.g.,
https://github.com/google/conscrypt/issues/916). It happened that
Conscrypt did not reject the certificate today, but it also would have
been valid for Conscrypt to reject it. A recent issue in Conscrypt
coincidentally tripped this test bug. The Conscrypt fix will have a
unit test closer to the code, so we can fix this test cert.

This CL fixes the test certificate to test what it's actually aiming
to test. I've manually reworked the mistakes using
https://github.com/google/der-ascii and replaced the DSA OIDs with
ECDSA so that a correct key is a bit more compact. (The test only parses
basicConstraints, so it does not care.) The signature itself is still
not valid, but the test does not check signatures, so this is fine.

I've also applied the same fixes to CERT_TAMPERED, which appears to be a
slightly tweaked version of CERT_CORRECT. (Although CERT_TAMPERED
appears to have some intentional syntax errors that break the parse.)
Test: Treehugger
Bug: 171808928
Change-Id: Ide6b2e46f4eb172d33b266759a76ea063f5c989e
| |
Android restricts access to a number of deprecated BouncyCastle
algorithms to APKs that target SDK version <= 27. However, those
algorithms still need testing. Rather than set the target SDK version
to be <= 27 (which could have other side effects) tests use
Providers.setMaximumAllowableApiLevelForBcDeprecation(int) to raise
the level to make them accessible at the current target SDK version
and reset it to the default value afterwards.
This change adds a JUnit test rule to implement that behavior and
uses it to replace duplicate setUp() and tearDown() code across a
number of tests. It also insulates the tests from having to access
the internal sun.security.jca.Providers and dalvik.system.VMRuntime
classes.
This is intended to be used by external/conscrypt so that the
conscrypt-tests module can stop depending on core-all-systems-module.
Bug: 141539296
Test: atest CtsLibcoreTestCases
Change-Id: If41b5c221c392e9b6d14d500537115d3380c4999
| |
Prior to this change,
tests.security.cert.CertPathBuilder1Test#testBuild was annotated as a
@KnownFailure, but was not listed in knownfailures.txt. This was an
anomaly, and is misleading since the AndroidTest.xml for
CtsLibcoreTestCases is currently configured so that knownfailures.txt
is obeyed but @KnownFailure is not, so this test is actually *not*
skipped. The test also passes, happily.
The plan for adding libcore TEST_MAPPINGs requires changing that
AndroidTest.xml to respect @KnownFailure. Fixing this anomaly will
make that change a no-op, which is desirable.
Test: cts-tradefed run cts-dev -m CtsLibcoreTestCase -t tests.security.cert.CertPathBuilder1Test
Bug: 130283485
Change-Id: I030331192874cd58abafcbceac5be2e4430ad548
| |
The first step in deprecating the BC implementations of algorithms that
are also provided by Conscrypt. This checks whether the app's target
API level is greater than a given threshold (currently O, but subject
to change later) and disallows access to those algorithms when true.
This limit only applies to requests from the system-created BC provider.
Apps can install their own provider, in which case they get the
implementations they requested.
This doesn't yet implement the deprecation for Cipher instances, since
the transformation scheme makes that more complicated.
The ultimate removal of these algorithms, once a sufficient deprecation
period has elapsed, is tracked in b/67761667.
Bug: 67626877
Test: cts -m CtsLibcoreTestCases
Test: cts -m CtsLibcoreOkHttpTestCases
Test: cts -m CtsLibcoreWycheproofBCTestCases
Test: cts -m CtsLibcoreWycheproofConscryptTestCases
Change-Id: I48f07226e66873a65859121af32028c1547952ac
| | |
ef44626d0e am: a0aa6019dc
am: 2bb5cf4e08
Change-Id: I0a06ed38f90a3afb5cbdc48b55d6113c923d3d28
| | |
+ Minor fix in other tests javadoc
Test: vogar CertificateTest.java
Bug: 34923742
Change-Id: I63c84a310a52d60dd7ec9c1d9659929fff302934
| |
There was a comparison of a byte against the value 200, which would
always fail. From the code below it's evident that the comparison should
be against the value 200 cast as a byte.
Test: vogar CertificateTest
Change-Id: I5dcde48bb9b64c55f66b9c6ef38050f734674318
| |
There were no changes to code under test.
4 tests were fixed to not tolerate an Exception:
- libcore.java.util.CollectionsTest#test_CheckedMap_computeIfAbsent
In the case where a Map key is present, computeIfAbsent() should
not invoke the Function, so there is no return value that could
be expected to undergo a type check. The test was changed to
verify that the Function is not invoked.
- libcore.java.util.concurrent.CopyOnWriteArrayListTest#test_sort and
libcore.java.util.concurrent.CopyOnWriteArrayListTest#test_subList_sort
were sorting an already-sorted non-null list that contains no null
values. That logic was redundant and wouldn't have thrown.
- org.apache.harmony.security.tests.java.security.KeyStoreSpiTest#test_engineEntryInstanceOf
(the KeyStoreSpi documentation does not mention whether NPE is thrown;
the implementation comes from upstream and does not throw it).
54 tests were fixed by adding the missing
fail();
No attempt was made to make this failure message specific to the
exception that was expected.
Tests that weren't changed:
- SSLEngineTest.test_wrap_ByteBuffer_ByteBuffer_04() requires
investigation to determine the correct resolution.
A comment was added to the test linking to the corresponding bug.
- ThreadTest#testParkUntilWithUnderflowValue() and
OldNodeChangeEventTest.waitForEvent() were not touched since
it was not clear whether it was relevant to the test whether
or not the exception was thrown.
- two cases in Files2Test#test_setPosixFilePermissions_NPE() are
left to a future CL
Test:
(croot; make vogar core-tests) \
&& git diff aosp/master --name-only | xargs vogar `cparg core-tests`
Change-Id: I1cd3220a06e331ff049b146b393f78879f07211a
| |
Pulling upstream changes from OpenJDK version jdk8u60 classes
in java.security.cert
- Certificate#hashValue: cache the hash value as to avoid recomputation.
Use the Arrays#hash instead of a simple ad-hoc function.
- Certificate#verify(PublicKey, Provider): new method that just throws
UnsupportedOperationException.
This commit also contains cosmetic JavaDoc changes like
- Use of @code in place of <code> tags and use of a package-info.java in
place of a package.html file.
- Added comments.
Note not all classes in java.security.cert are updated: X509CRL has more
significant changes and deserves a separate CL.
Change-Id: I44120f1b34c9dc3c062a5d01583bcc87fa2cd558
Test: make droid docs, vogar CertificateTest
Bug: 29631070
| |
Use == for object identity, Arrays.equals() for value equality.
Bug: 28189207
Change-Id: I3dcae7f5714e5ab7216b255de376a9c3030f94b8
| |
This has a lasting side-effect on the rest of the tests run which
shouldn't happen. This is of dubious use, so just remove the setting of
these properties since there is no way to undo it later.
Bug: 28293120
Change-Id: I6788c5308e2ca7fb36283b81d7839a840e880584
| |
Test to make sure CertificateRevokedException behaves correctly for
getAuthorityName().
Bug: 27812109
Change-Id: I3d9724e636b895b9359a0fd37e8bc0cc89dcc756
| |
There is a new constructor that takes a BasicReason as an argument. Test
that it works correctly.
Bug: 27812109
Change-Id: I957678a774ab91c9fc2854f45f776c23c321960f
| |
This doesn't actually test anything meaningful, so simply remove it.
Bug: 27812109
Change-Id: I07493cdb7423c789f1ddf23ef8eecb96ce091bec
| |
Fixed
X509CertSelector#test_addSubjectAlternativeNameLintLjava_lang_String. This
CL disables the above test for GeneralNameInterface.Name_RFC822 as the
test was disabled in the earlier Android
releases.
The test was disabled in M
https://android.googlesource.com/platform/libcore/+/bd7a7c87692d3b5be341fbc5022eaa07611ae751/luni/src/test/java/tests/security/cert/X509CertSelectorTest.java
and was reintroduced recently after the test was enabled after some
time it wasn't run:
https://android.googlesource.com/platform/libcore/+/5ef40918006efad4c7194b505c3ad176928711a3/luni/src/test/java/tests/security/cert/X509CertSelectorTest.java
Disabling as it's failing and wasn't being run in M anyway.
Bug: 27706589
(cherry-picked from commit 443c076d6c1e6dafdc17af03ac8205e57a10aa23)
Change-Id: I8b0cc0d8ee2bc6d5f67cd7cce9274b0018c81da1
| |
Fix broken methods -
test_addSubjectAlternativeNameLintLjava_lang_String2,
test_addSubjectAlternativeNameLintLbyte_array2,
test_setSubjectKeyIdentifierLB$.getExtensionValue,
test_setSubjectAlternativeNamesLjava_util_Collection,
test_setPathToNamesLjava_util_Collection,
test_getSubjectAlternativeNames, test_getPathToNames,
test_addPathToNameLintLbyte_array,
test_addSubjectAlternativeNameLintLjava_lang_String,
test_addSubjectAlternativeNameLintLbyte_array. The methods were using
org.apache.harmony.security.asn1.* classes which no longer exist and
instead, now use sun.security.x509.* classes.
Support for OID - 2.5.29.30, 2.5.29.37, 2.5.29.19 are removed from
test_setSubjectKeyIdentifierLB$.getExtensionValue as they
were not being used.
Bug: 26352408
Change-Id: I5d54a5b9307ff914471b0856bdc1217dd3af0511
| |
tests.security.cert.X509CRLSelector2Test
libcore.java.security.cert.X509CertificateTest
Bug: 26352408
Change-Id: Ib83a48a174f80b448ea67e0423cb8069dfc77aa9
| | |
OpenJDK adjustments for master.
- Restored removed libcore.icu.* classes (needed
by the openjdk java.text.* classes). This will be
undone in short future.
- Adjusted java.lang.* and java.lang.reflect.* classes
for native reflection and other changes in master.
Bug: 25758743
Change-Id: Ifbbe5b1e8661138fc32ad24127f76f711dd585b7
| | | |
Change-Id: I8f49c58f39dc5f4268c6b5718cab18ed26ac930a
| | | |
According to rfc3280, when using URI as a NameConstraint its
GeneralName should not contain schema. Details in section
4.2.1.11 of https://www.ietf.org/rfc/rfc3280.txt
Change-Id: Ibddbb4aa9db83139dc75be713a35f36ef68343d6
| | | |
Change-Id: Ife0067f172c64868229bb06291f2a116a988b252
| | | |
According to rfc3280, when using URI as a NameConstraint its GeneralName should not
contain schema. Details in section 4.2.1.11 of
https://www.ietf.org/rfc/rfc3280.txt
Change-Id: I69bed45508c4091a7a13e70832fe63c77df538a8
| | | |
RI doesn't throw exception for following OIDs: "0.20", "1.25", "2.39".
According to documentation here:
http://docs.oracle.com/javase/7/docs/api/java/security/cert/X509CertSelector.html#setSubjectPublicKeyAlgID(java.lang.String)
OID is invalid if first component is different than 0, 1 or 2 or
second component is bigger than 39.
Change-Id: Ib57142c86e6ac131b0e713a11e276715eae10911
| | | |
While generating key pairs, BouncyCastle checks that random numbers
are strong enough. Tests were using a mock random generator that
generates the constant 10.
Bug: 19657861
(cherry picked from commit 098bc41d846f847a6551209d65dbb74bfea3bb00)
Change-Id: Ifd1401f9b386e4039b8f51af65e5e7dc5fad15e2
| | |
Use a provider that can handle the provided public-key.
bug: 21816913
Change-Id: Iee7a932a8767c4c1b781636dfb9456a1b604532f
| | |
Some of it is public API (why oh why..) so we're forced to
keep it around.
Change-Id: Ic1e059d7162c442a1a996eb1510d0f7f84add34e
| | |
While generating key pairs, BouncyCastle checks that random numbers
are strong enough. Tests were using a mock random generator that
generates the constant 10.
Bug: 19657861
Change-Id: Ia68f759103399781a49af23de6356bdfac9c3915
| |
Use a provider that can handle the provided public-key.
bug: 21816913
(cherry picked from commit cfcb7ad5b68ad854ddbfe5ca1afcf85a1bb61f68)
Change-Id: I581c162f6c57d13e53252fc45ec992b2e217fe81
| |
Using Date will interact with timezones, so use milliseconds which
bypasses this.
Bug: 17442302
Change-Id: I6bd73efb95f0f427f31812ce10c32a5af3987ca0
| |
New API for getting the revocation reason. Add tests and exceptions
associated with it.
Change-Id: Ifd6444ab966c984312f069a6ee330d255110ea85
| |
The documentation for X509Certificate#getExtendedKeyUsage says that it
must return an unmodifiable list. The test was testing that the exact
opposite was true.
Change-Id: I0f99ed6c8f2ddcc59ce6b90b973ccabd0dce35f6
| |
The "CERT_CORRECT" is actually an invalid X.509 certificate, but these
test cases are now covered in more detail by
luni/src/test/java/libcore/java/security/cert/X509CertificateTest.java
The decoding of the alternative names in the certificate looks like this
via openssl command line:
X509v3 Subject Alternative Name: critical
0[..rfc@822.Name..dNSName..1.0...U.
..Organization..http://uniform.Resource.Id........*..\...
Change-Id: I41d4753b926715b093f558b41d102842e6b3a2da
| |
Make sure that CertificateFactory ends at the place that it should when
reading an InputStream that supports mark and reset.
Change-Id: I3bc20c1e9766f80f1597908707e69d65a6c3b216
| |
This reverts commit 1496f006676166c1835ac859d5c4ffeb6357b4d0
Change-Id: I5869083fe6cb5f3f3de71233b466d0b1ac702e82
| |
If an RSA field is left NULL, it will not be represented in the ASN.1
output of the RSAPrivateKey. This leads to problems trying to recreate
the key since it does not emit the NULL fields and the fields are not
numbered.
Bug: 7920357
Change-Id: I144302925f9b080a2152a6d12f77981b3aad9495
| |
Change-Id: I5d1ba078b0f8f9ec8e2950e0da02481e8162a5e6
| |
In change:
commit 2f9e468ed4985edfd5e351faf2089d91e561e41d
Author: Elliott Hughes <enh@google.com>
Date: Fri Oct 9 17:21:46 2009 -0700
Update libcore/security to Harmony r823222.
GeneralName.checkDNS was updated to support RFC 1123 (section 2.1)
which allows DNS names to start with a digit. This updates the test to
track that change by changing the negative test input for parsing DNS
names to not start with a '0'.
Bug: 5411722
Change-Id: Ie037e6d54e3e2c8b603af455ccde31c4558f070f
| |
Change-Id: Ife89885ea95de3bb2617172b95cdfd46d586a644
| | |
Change-Id: Ie1f2d796466f1799929b010d67585fd551b6f840
| | |
Mostly a cleanup of CertificateTest, but it found one small bug in X509CertImpl
- X509CertImpl.verify with a specific provider should use that provider,
not ignore it and use the NativeCrypto fast path
- Fix the bad testGetEncoded logic that expected PEM bytes to
equal a DER encodi
- Remove libcore and harmony dependencies that were preventing these
from running on the RI
- Note testSerializationCompatibility is still failing, but is fixed
by the unmerged 46c6fad9fad8f3dbbc82516232a225f37d332ca7
Bug: 1635707
Change-Id: Ib86d21d6458cf1438c6ddd715ccb5a4f8a9af9e6
| |
Change-Id: I6e9be66b3f4fd4c09b31e2508236af62fa5214e3
| |
Change-Id: I89243efdeebe22543c45a2166b634f40c3e78cf8
| |
Change-Id: Ie61022069e597d9c5c6e7ea4659fd614efe31852
| | |
* commit 'cfac1139ee706519cafe98485cdca4fc4601432f':
Don't use runtime tests for compile-time checks.
| | |
This test was performing type-unsafe operations to check whether
our code redundantly performs checks at runtime. This test is bogus;
we rely on the compiler to do the type checking.
Change-Id: I6dd19f204007003ba4847c27fd2202e88ec7fb50
| | |
to com.android.org.bouncycastle
* commit 'fedab4777ec28cfb36274660b57c3753acb1df18':
Tracking jarjar of org.bouncycastle to com.android.org.bouncycastle
| | |
Bug: 3086427
Change-Id: I026f80bfa5e963a8e988ecd6f91c9732a4afc70c
| | |
Change-Id: I48e9b742a6b3a9faaf4cc8859ab43cc130f37c63
| | |
Change-Id: Ia1bac1abaa44c6341b00005a3142e87073b16bd6
|