| /******************************************************************************* |
| * Copyright (c) 2007, 2009 IBM Corporation and others. |
| * All rights reserved. This program and the accompanying materials |
| * are made available under the terms of the Eclipse Public License v1.0 |
| * which accompanies this distribution, and is available at |
| * http://www.eclipse.org/legal/epl-v10.html |
| * |
| * Contributors: |
| * IBM Corporation - initial API and implementation |
| *******************************************************************************/ |
| package org.eclipse.osgi.tests.security; |
| |
| import junit.framework.TestSuite; |
| import org.osgi.framework.AdminPermission; |
| import org.osgi.framework.Bundle; |
| import org.osgi.service.condpermadmin.*; |
| |
| public class OSGiAPICertificateTest extends BaseSecurityTest { |
| private static String dn1 = "CN=CA1 LeafA, O=CA1, L=Boston, ST=Massachusetts, C=US"; //$NON-NLS-1$ |
| private static String dn2 = "CN=CA1 Root, O=CA1, L=Boston, ST=Massachusetts, C=US"; //$NON-NLS-1$ |
| private static String dn3 = "CN=CA1 LeafA, O=CA1, L=Austin, ST=Texas, C=US"; //$NON-NLS-1$ |
| private static String dn4 = "CN=CA1 Root, O=CA1, L=Austin, ST=Texas, C=US"; //$NON-NLS-1$ |
| private static String dn5 = "CN=CA1 LeafA, O=CA1, L=*, ST=*, C=US"; //$NON-NLS-1$ |
| private static String dn6 = "CN=CA1 Root, O=CA1, L=*, ST=*, C=US"; //$NON-NLS-1$ |
| private static String dn7 = "*, L=*, ST=*, C=US"; //$NON-NLS-1$ |
| |
| private static String dnChain01True = dn1 + ';' + dn2; |
| private static String dnChain02True = "*;" + dn2; //$NON-NLS-1$ |
| private static String dnChain03True = dn1 + ";*"; //$NON-NLS-1$ |
| private static String dnChain04False = dn1 + ';' + dn4; |
| private static String dnChain05False = dn3 + ';' + dn2; |
| private static String dnChain06True = dn5 + ';' + dn6; |
| private static String dnChain07True = dn7 + ';' + dn6; |
| private static String dnChain08True = dn5 + ';' + dn7; |
| |
| private static String dnChain01TrueEscaped = escapeStar(dnChain01True); |
| private static String dnChain02TrueEscaped = escapeStar(dnChain02True); |
| private static String dnChain03TrueEscaped = escapeStar(dnChain03True); |
| private static String dnChain04FalseEscaped = escapeStar(dnChain04False); |
| private static String dnChain05FalseEscaped = escapeStar(dnChain05False); |
| private static String dnChain06TrueEscaped = escapeStar(dnChain06True); |
| private static String dnChain07TrueEscaped = escapeStar(dnChain07True); |
| private static String dnChain08TrueEscaped = escapeStar(dnChain08True); |
| |
| private static ConditionInfo info01True = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {"-"}); //$NON-NLS-1$ |
| private static ConditionInfo info02False = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {"-", "!"}); //$NON-NLS-1$ //$NON-NLS-2$ |
| private static ConditionInfo info03True = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain01True}); |
| private static ConditionInfo info04True = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain02True}); |
| private static ConditionInfo info05True = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain03True}); |
| private static ConditionInfo info06False = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain04False}); |
| private static ConditionInfo info07False = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain05False}); |
| private static ConditionInfo info08True = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain06True}); |
| private static ConditionInfo info09True = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain07True}); |
| private static ConditionInfo info10True = new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {dnChain08True}); |
| |
| public static TestSuite suite() { |
| return new TestSuite(OSGiAPICertificateTest.class); |
| } |
| |
| private static String escapeStar(String dnChain) { |
| if (dnChain == null || dnChain.length() == 0) |
| return dnChain; |
| for (int star = dnChain.indexOf('*'); star >= 0; star = dnChain.indexOf('*', star + 2)) |
| dnChain = dnChain.substring(0, star) + '\\' + dnChain.substring(star); |
| return dnChain; |
| } |
| |
| public OSGiAPICertificateTest() { |
| super(); |
| } |
| |
| public OSGiAPICertificateTest(String name, String jarname, String[] aliases) { |
| super(name); |
| } |
| |
| protected void setUp() throws Exception { |
| registerEclipseTrustEngine(); |
| } |
| |
| protected void tearDown() throws Exception { |
| super.tearDown(); |
| } |
| |
| public void testBundleSignerCondition01() { |
| // test trusted cert with all signed match |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info01True); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition02() { |
| // test trusted cert with all signed match + "!" not operation |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info02False); |
| assertEquals("Unexpected condition value", Condition.FALSE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition03() { |
| // test untrusted cert with all signed match |
| try { |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info01True); |
| assertEquals("Unexpected condition value", Condition.FALSE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition04() { |
| // test untrusted cert with all signed match + "!" not operation |
| try { |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info02False); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition05() { |
| // test trusted cert with exact match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info03True); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition06() { |
| // test trusted cert with prefix wildcard match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info04True); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition07() { |
| // test trusted cert with postfix wildcard match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info05True); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition08() { |
| // test trusted cert with wrong prefix dn |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info06False); |
| assertEquals("Unexpected condition value", Condition.FALSE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition09() { |
| // test trusted cert with wrong postfix dn |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info07False); |
| assertEquals("Unexpected condition value", Condition.FALSE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition10() { |
| // test trusted cert with RDN wildcard match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info08True); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition11() { |
| // test trusted cert with RDN wildcard match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info09True); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testBundleSignerCondition12() { |
| // test trusted cert with RDN wildcard match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| Condition condition = BundleSignerCondition.getCondition(testBundle, info10True); |
| assertEquals("Unexpected condition value", Condition.TRUE, condition); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission01() { |
| // test trusted cert with exact match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=-)", AdminPermission.CONTEXT); //$NON-NLS-1$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertTrue("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission02() { |
| // test trusted cert with exact match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain01TrueEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertTrue("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission03() { |
| // test trusted cert with exact match pattern + ! operation |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(!(signer=-))", AdminPermission.CONTEXT); //$NON-NLS-1$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertFalse("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission04() { |
| // test trusted cert with exact match pattern + ! operation |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(!(signer=" + dnChain01TrueEscaped + "))", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertFalse("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission05() { |
| // test trusted cert with prefix wildcard match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain02TrueEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertTrue("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission06() { |
| // test trusted cert with postfix wildcard match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain03TrueEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertTrue("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission07() { |
| // test trusted cert with bad postfix dn match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain04FalseEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertFalse("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission08() { |
| // test trusted cert with bad prefix dn match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain05FalseEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertFalse("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission09() { |
| // test trusted cert with RDN match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain06TrueEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertTrue("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission10() { |
| // test trusted cert with RDN match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain07TrueEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertTrue("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| public void testAdminPermission11() { |
| // test trusted cert with RDN match pattern |
| try { |
| getTrustEngine().addTrustAnchor(getTestCertificate("ca1_leafa"), "ca1_leafa"); //$NON-NLS-1$ //$NON-NLS-2$ |
| Bundle testBundle = installBundle(getTestJarPath("signed")); //$NON-NLS-1$ |
| AdminPermission declaredPerm = new AdminPermission("(signer=" + dnChain08TrueEscaped + ")", AdminPermission.CONTEXT); //$NON-NLS-1$ //$NON-NLS-2$ |
| AdminPermission checkedPerm = new AdminPermission(testBundle, AdminPermission.CONTEXT); |
| assertTrue("Security check failed", declaredPerm.implies(checkedPerm)); //$NON-NLS-1$ |
| } catch (Exception e) { |
| fail("Unexpected exception", e); //$NON-NLS-1$ |
| } |
| } |
| |
| } |