markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 89273f0d8b The original OCSP tests are duplicated and extended by the
new ones.
89273f0d8b is described below
commit 89273f0d8b786b2acc52f7652789ff998026c7fe
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 13 19:38:49 2026 +0000
The original OCSP tests are duplicated and extended by the new ones.
Remove the original tests.
---
.../apache/tomcat/security/TestSecurity2017.java | 51 --
.../tomcat/util/net/ocsp/TestOcspIntegration.java | 532 ---------------------
test/org/apache/tomcat/util/net/ocsp/ca-cert.pem | 19 -
.../tomcat/util/net/ocsp/client-keystore.p12 | Bin 3658 -> 0 bytes
.../apache/tomcat/util/net/ocsp/client-password | 1 -
.../util/net/ocsp/generate-ocsp-test-artifacts.sh | 172 -------
.../tomcat/util/net/ocsp/ocsp-client-good.der | Bin 1280 -> 0 bytes
.../tomcat/util/net/ocsp/ocsp-client-revoked.der | Bin 1302 -> 0 bytes
test/org/apache/tomcat/util/net/ocsp/ocsp-good.der | Bin 1280 -> 0 bytes
.../apache/tomcat/util/net/ocsp/ocsp-revoked.der | Bin 1302 -> 0 bytes
.../apache/tomcat/util/net/ocsp/server-cert.pem | 86 ----
.../org/apache/tomcat/util/net/ocsp/server-key.pem | 28 --
.../org/apache/tomcat/util/net/ocsp/trust-password | 1 -
.../org/apache/tomcat/util/net/ocsp/trustStore.p12 | Bin 1174 -> 0 bytes
14 files changed, 890 deletions(-)
diff --git a/test/org/apache/tomcat/security/TestSecurity2017.java
b/test/org/apache/tomcat/security/TestSecurity2017.java
deleted file mode 100644
index 1daf51b177..0000000000
--- a/test/org/apache/tomcat/security/TestSecurity2017.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.tomcat.security;
-
-import javax.net.ssl.SSLHandshakeException;
-
-import org.junit.Assert;
-import org.junit.Ignore;
-import org.junit.Test;
-
-import org.apache.catalina.startup.TomcatBaseTest;
-import org.apache.tomcat.util.net.ocsp.TestOcspIntegration;
-
-public class TestSecurity2017 extends TomcatBaseTest {
- /*
- * https://www.cve.org/CVERecord?id=CVE-2017-15698
- *
- * Fixed in Tomcat Native
- * 1.2.16
https://github.com/apache/tomcat-native/commit/4582e6d9223da618b42db6e992bb2d55d9cd4c42
- *
- * Changes currently in Tomcat Native 2.0.x expand the OCSP checks to
include the date the OCSP response was
- * generated. This causes this test to fail as the OCSP responder uses
canned responses.
- *
- * A new version of this test has been written and will replace this test
once a version of Tomcat Native is
- * released that includes all the OCSP changes.
- */
- @Test
- @Ignore
- public void testCVE_2017_15698() throws Exception {
- try {
-
TestOcspIntegration.testLongUrlForOcspViaAIAWithTomcatNative(getTomcatInstance());
- } catch (SSLHandshakeException sslHandshakeException) {
-
Assert.assertTrue(sslHandshakeException.toString().contains("certificate_revoked"));
- }
- }
-}
diff --git a/test/org/apache/tomcat/util/net/ocsp/TestOcspIntegration.java
b/test/org/apache/tomcat/util/net/ocsp/TestOcspIntegration.java
deleted file mode 100644
index f87035d400..0000000000
--- a/test/org/apache/tomcat/util/net/ocsp/TestOcspIntegration.java
+++ /dev/null
@@ -1,532 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.tomcat.util.net.ocsp;
-
-import java.io.Closeable;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.net.InetSocketAddress;
-import java.net.ServerSocket;
-import java.net.URI;
-import java.net.URL;
-import java.nio.file.Files;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.cert.CRLReason;
-import java.security.cert.CertPathValidator;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateRevokedException;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.PKIXRevocationChecker;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.EnumSet;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import javax.net.ssl.CertPathTrustManagerParameters;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLHandshakeException;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManagerFactory;
-import javax.security.auth.x500.X500Principal;
-
-import jakarta.servlet.http.HttpServletResponse;
-
-import org.junit.Assert;
-import org.junit.Assume;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
-import org.junit.runners.Parameterized.Parameter;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.catalina.startup.TomcatBaseTest;
-import org.apache.tomcat.util.net.Constants;
-import org.apache.tomcat.util.net.SSLHostConfig;
-import org.apache.tomcat.util.net.SSLHostConfigCertificate;
-import org.apache.tomcat.util.net.TesterSupport;
-import org.apache.tomcat.util.net.openssl.OpenSSLConf;
-import org.apache.tomcat.util.net.openssl.OpenSSLConfCmd;
-import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
-
-import com.sun.net.httpserver.Headers;
-import com.sun.net.httpserver.HttpServer;
-
-
-@RunWith(Parameterized.class)
-public class TestOcspIntegration extends TomcatBaseTest {
-
- private static final String CA_CERTIFICATE_PATH = "ca-cert.pem";
- private static final String SERVER_CERTIFICATE_PATH = "server-cert.pem";
- private static final String SERVER_CERTIFICATE_KEY_PATH = "server-key.pem";
- private static final String TRUSTSTORE_PATH = "trustStore.p12";
- private static final String TRUSTSTORE_PASS = "trust-password";
- private static final String KEYSTORE_TYPE = "PKCS12";
- private static final String OCSP_SERVER_CERT_GOOD_RESPONSE =
"ocsp-good.der";
- private static final String OCSP_SERVER_CERT_REVOKED_RESPONSE =
"ocsp-revoked.der";
- private static final String CLIENT_KEYSTORE_PATH = "client-keystore.p12";
- private static final String CLIENT_KEYSTORE_PASS = "client-password";
- private static final String OCSP_CLIENT_CERT_GOOD_RESPONSE =
"ocsp-client-good.der";
- private static final String OCSP_CLIENT_CERT_REVOKED_RESPONSE =
"ocsp-client-revoked.der";
-
- @Parameterized.Parameters(name = "{0} with OpenSSL trust {2}")
- public static Collection<Object[]> parameters() {
- List<Object[]> parameterSets = new ArrayList<>();
- parameterSets.add(new Object[] { "JSSE", Boolean.FALSE, Boolean.FALSE,
- "org.apache.tomcat.util.net.jsse.JSSEImplementation"});
- parameterSets.add(new Object[] { "OpenSSL", Boolean.TRUE, Boolean.TRUE,
- "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" });
- parameterSets.add(new Object[] { "OpenSSL", Boolean.TRUE,
Boolean.FALSE,
- "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" });
- parameterSets.add(new Object[] { "OpenSSL-FFM", Boolean.TRUE,
Boolean.TRUE,
-
"org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation" });
- parameterSets.add(new Object[] { "OpenSSL-FFM", Boolean.TRUE,
Boolean.FALSE,
-
"org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation" });
-
- return parameterSets;
- }
-
- @Parameter(0)
- public String connectorName;
-
- @Parameter(1)
- public boolean useOpenSSL;
-
- @Parameter(2)
- public boolean useOpenSSLTrust;
-
- @Parameter(3)
- public String sslImplementationName;
-
-
- @Test
- public void testOcspGood_ClientVerifiesServerCertificateOnly() throws
Exception {
- Assert.assertEquals(HttpServletResponse.SC_OK,
- testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE,
ServerSideOcspVerification.DISABLED, true));
- }
-
- @Test
- public void testOcspGood_ClientVerifiesServerCertificateOnlyNoCA() throws
Exception {
- // optionalNoCA is only available with OpenSSL trust
- Assume.assumeTrue(useOpenSSLTrust);
- Assert.assertEquals(HttpServletResponse.SC_OK,
- testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE,
ServerSideOcspVerification.OPTIONAL_NO_CA, true));
- }
-
- @Test
- public void testOcspGood_Mutual() throws Exception {
- // Native 2.0.x validates the response timestamp which fails for the
canned response.
- Assume.assumeFalse(useOpenSSLTrust);
- testOCSPWithClientResponder(OCSP_CLIENT_CERT_GOOD_RESPONSE, () ->
Assert.assertEquals(HttpServletResponse.SC_OK,
- testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE,
ServerSideOcspVerification.ENABLED, true)));
- }
-
- @Test
- public void testOcspGood_ServerVerifiesClientCertificateOnly() throws
Exception {
- // Native 2.0.x validates the response timestamp which fails for the
canned response.
- Assume.assumeFalse(useOpenSSLTrust);
- testOCSPWithClientResponder(OCSP_CLIENT_CERT_GOOD_RESPONSE, () ->
Assert.assertEquals(HttpServletResponse.SC_OK,
- testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE,
ServerSideOcspVerification.ENABLED, false)));
- }
-
- @Test(expected = CertificateRevokedException.class)
- public void testOcspRevoked_ClientVerifiesServerCertificateOnly() throws
Exception {
- try {
- testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE,
ServerSideOcspVerification.DISABLED, true);
- } catch (SSLHandshakeException sslHandshakeException) {
- handleExceptionWhenRevoked(sslHandshakeException);
- }
- }
-
- @Test(expected = CertificateRevokedException.class)
- public void testOcspRevoked_ClientVerifiesServerCertificateOnlyNoCA()
throws Exception {
- // optionalNoCA is only available with OpenSSL trust
- Assume.assumeTrue(useOpenSSLTrust);
- try {
- testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE,
ServerSideOcspVerification.OPTIONAL_NO_CA, true);
- } catch (SSLHandshakeException sslHandshakeException) {
- handleExceptionWhenRevoked(sslHandshakeException);
- }
- }
-
- @Test(expected = CertificateRevokedException.class)
- public void testOcspRevoked_Mutual() throws Exception {
- try {
- // The exception is thrown before server side verification, while
client does OCSP verification.
- testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE,
ServerSideOcspVerification.ENABLED, true);
- } catch (SSLHandshakeException sslHandshakeException) {
- handleExceptionWhenRevoked(sslHandshakeException);
- }
- }
-
- @Test(expected = SSLHandshakeException.class)
- public void testOcspRevoked_ServerVerifiesClientCertificateOnly() throws
Exception {
- Assume.assumeFalse("BoringSSL does not support OCSP in a compatible
way",
- TesterSupport.isOpenSSLVariant(sslImplementationName,
OpenSSLStatus.Name.BORINGSSL));
- testOCSPWithClientResponder(OCSP_CLIENT_CERT_REVOKED_RESPONSE,
- () -> testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE,
ServerSideOcspVerification.ENABLED, false));
- }
-
- @Test
- public void testOcsp_NoVerification() throws Exception {
- testOCSPWithClientResponder(OCSP_CLIENT_CERT_REVOKED_RESPONSE,
- () -> Assert.assertEquals(HttpServletResponse.SC_OK,
- testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE,
ServerSideOcspVerification.DISABLED, false)));
- }
-
- @Test
- public void testOcsp_NoVerificationNoCA() throws Exception {
- // optionalNoCA is only available with OpenSSL trust
- Assume.assumeTrue(useOpenSSLTrust);
- testOCSPWithClientResponder(OCSP_CLIENT_CERT_REVOKED_RESPONSE,
- () -> Assert.assertEquals(HttpServletResponse.SC_OK,
- testOCSP(OCSP_SERVER_CERT_REVOKED_RESPONSE,
ServerSideOcspVerification.OPTIONAL_NO_CA, false)));
- }
-
- @Test
- public void testOcspResponderUrlDiscoveryViaCertificateAIA() throws
Exception {
- final int ocspPort = 8888;
- Assume.assumeTrue("Port " + ocspPort + " is not available.",
isPortAvailable(ocspPort));
- Assert.assertEquals(HttpServletResponse.SC_OK,
- testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE,
ServerSideOcspVerification.DISABLED, true, true, ocspPort));
- }
-
- @Test
- public void testOcspResponderUrlDiscoveryViaCertificateAIANoCA() throws
Exception {
- final int ocspPort = 8888;
- // optionalNoCA is only available with OpenSSL trust
- Assume.assumeTrue(useOpenSSLTrust);
- Assume.assumeTrue("Port " + ocspPort + " is not available.",
isPortAvailable(ocspPort));
- Assert.assertEquals(HttpServletResponse.SC_OK,
testOCSP(OCSP_SERVER_CERT_GOOD_RESPONSE,
- ServerSideOcspVerification.OPTIONAL_NO_CA, true, true,
ocspPort));
- }
-
- public static void testLongUrlForOcspViaAIAWithTomcatNative(Tomcat tomcat)
throws Exception {
- final int ocspResponderPortForClient = 8889;
- Assume.assumeTrue("Port " + ocspResponderPortForClient + " is not
available.",
- isPortAvailable(ocspResponderPortForClient));
- try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(true,
-
"/ocsp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- Files.readAllBytes(new
File(getPath(OCSP_CLIENT_CERT_REVOKED_RESPONSE)).toPath()),
- ocspResponderPortForClient)) {
- fakeOcspResponder.start();
- testOCSP(tomcat, OCSP_SERVER_CERT_GOOD_RESPONSE,
ServerSideOcspVerification.ENABLED, false, false, 0,
-
"org.apache.tomcat.util.net.openssl.OpenSSLImplementation", true, true);
- }
- }
-
- @FunctionalInterface
- private interface TestOCSPAction {
- void execute() throws Exception;
- }
-
- private void testOCSPWithClientResponder(String clientResponsePath,
TestOCSPAction testOCSPAction)
- throws Exception {
- final int ocspResponderPortForClient = 8889;
- Assume.assumeTrue("Port " + ocspResponderPortForClient + " is not
available.",
- isPortAvailable(ocspResponderPortForClient));
- try (FakeOcspResponder fakeOcspResponder = new FakeOcspResponder(
- Files.readAllBytes(new
File(getPath(clientResponsePath)).toPath()), ocspResponderPortForClient)) {
- fakeOcspResponder.start();
- testOCSPAction.execute();
- }
- }
-
- private int testOCSP(String pathToOcspResponse, ServerSideOcspVerification
serverSideOcspVerification,
- boolean clientSideOcspVerificationEnabled) throws Exception {
- return testOCSP(pathToOcspResponse, serverSideOcspVerification,
clientSideOcspVerificationEnabled, false, 0);
- }
-
- private int testOCSP(String pathToOcspResponse, ServerSideOcspVerification
serverSideOcspVerification,
- boolean clientSideOcspVerificationEnabled, boolean
clientDiscoversResponderFromAIA, int ocspResponderPort)
- throws Exception {
- return testOCSP(getTomcatInstance(), pathToOcspResponse,
serverSideOcspVerification,
- clientSideOcspVerificationEnabled,
clientDiscoversResponderFromAIA, ocspResponderPort,
- sslImplementationName, useOpenSSL, useOpenSSLTrust);
- }
-
- private static int testOCSP(Tomcat tomcat, String pathToOcspResponse,
- ServerSideOcspVerification serverSideOcspVerification, boolean
clientSideOcspVerificationEnabled,
- boolean clientDiscoversResponderFromAIA, int ocspResponderPort,
String sslImplementationName,
- boolean useOpenSSL, boolean useOpenSSLTrust) throws Exception {
-
- File certificateFile = new File(getPath(SERVER_CERTIFICATE_PATH));
- File certificateKeyFile = new
File(getPath(SERVER_CERTIFICATE_KEY_PATH));
- File certificateChainFile = new File(getPath(CA_CERTIFICATE_PATH));
- File truststoreFile = new File(getPath(TRUSTSTORE_PATH));
- String truststorePass = Files.readString(new
File(getPath(TRUSTSTORE_PASS)).toPath()).trim();
- initSsl(tomcat, serverSideOcspVerification, useOpenSSLTrust,
certificateFile, certificateKeyFile,
- certificateChainFile, truststoreFile, truststorePass);
-
- TesterSupport.configureSSLImplementation(tomcat,
sslImplementationName, useOpenSSL);
-
- Context context = tomcat.addContext("", null);
- Tomcat.addServlet(context, "simple", new
TesterSupport.SimpleServlet());
- context.addServletMappingDecoded("/", "simple");
-
- KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);
- trustStore.load(new FileInputStream(new
File(getPath(TRUSTSTORE_PATH)).getAbsolutePath()),
- truststorePass.toCharArray());
- KeyStore clientKeystore = KeyStore.getInstance(KEYSTORE_TYPE);
- String clientKeystorePass = Files.readString(new
File(getPath(CLIENT_KEYSTORE_PASS)).toPath()).trim();
- clientKeystore.load(new FileInputStream(new
File(getPath(CLIENT_KEYSTORE_PATH)).getAbsolutePath()),
- clientKeystorePass.toCharArray());
- byte[] ocspResponse = Files.readAllBytes(new
File(getPath(pathToOcspResponse)).toPath());
- try (FakeOcspResponder fakeOcspResponder = new
FakeOcspResponder(ocspResponse, ocspResponderPort)) {
- fakeOcspResponder.start();
- tomcat.start();
-
- URL url = new URI("https://127.0.0.1:" +
tomcat.getConnector().getLocalPort() + "/").toURL();
- HttpsURLConnection connection = (HttpsURLConnection)
url.openConnection();
- SSLSocketFactory sslSocketFactory;
- if (clientSideOcspVerificationEnabled) {
- sslSocketFactory = buildClientSslSocketFactoryWithOcsp(
- clientDiscoversResponderFromAIA ? null :
fakeOcspResponder.url(), trustStore, clientKeystore,
- clientKeystorePass);
- } else {
- sslSocketFactory =
buildClientSslSocketFactoryNoOcsp(trustStore, clientKeystore,
clientKeystorePass);
- }
- connection.setSSLSocketFactory(sslSocketFactory);
- connection.connect();
- try {
- return connection.getResponseCode();
- } catch (IOException ioe) {
- if
(tomcat.getConnector().getProtocolHandlerClassName().contains("Nio2")) {
- throw new SSLHandshakeException(ioe.getMessage());
- } else {
- throw ioe;
- }
- }
- } finally {
- tomcat.stop();
- }
- }
-
- private static void initSsl(Tomcat tomcat, ServerSideOcspVerification
serverSideOcspVerification,
- boolean useOpenSSLTrust, File certificateFile, File
certificateKeyFile, File certificateChainFile,
- File truststoreFile, String truststorePassword) {
- Connector connector = tomcat.getConnector();
- connector.setSecure(true);
- connector.setProperty("SSLEnabled", "true");
-
- SSLHostConfig sslHostConfig = new SSLHostConfig();
- SSLHostConfigCertificate certificate =
- new SSLHostConfigCertificate(sslHostConfig,
SSLHostConfigCertificate.Type.UNDEFINED);
- sslHostConfig.addCertificate(certificate);
- certificate.setCertificateFile(certificateFile.getAbsolutePath());
-
certificate.setCertificateKeyFile(certificateKeyFile.getAbsolutePath());
-
certificate.setCertificateChainFile(certificateChainFile.getAbsolutePath());
-
- switch (serverSideOcspVerification) {
- case DISABLED:
- sslHostConfig.setCertificateVerification("required");
- sslHostConfig.setOcspEnabled(false);
- break;
- case OPTIONAL_NO_CA:
- sslHostConfig.setCertificateVerification("optionalNoCA");
- sslHostConfig.setOcspEnabled(true);
- break;
- case ENABLED:
- sslHostConfig.setCertificateVerification("required");
- sslHostConfig.setOcspEnabled(true);
- break;
- default:
- break;
-
- }
-
- if (useOpenSSLTrust) {
-
sslHostConfig.setCaCertificateFile(certificateChainFile.getAbsolutePath());
- // Need to use OpenSSLConf settings
- OpenSSLConf conf = new OpenSSLConf();
- sslHostConfig.setOpenSslConf(conf);
- // Verification
- conf.addCmd(new OpenSSLConfCmd("OCSP_VERIFY_FLAGS", "16"));
- } else {
- sslHostConfig.setTruststoreType("PKCS12");
- sslHostConfig.setTruststoreFile(truststoreFile.getAbsolutePath());
- sslHostConfig.setTruststorePassword(truststorePassword);
- }
- connector.addSslHostConfig(sslHostConfig);
- }
-
- private static SSLSocketFactory buildClientSslSocketFactoryWithOcsp(String
ocspUrl, KeyStore trustStore,
- KeyStore clientKeystore, String clientKeystorePass) throws
Exception {
- KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(clientKeystore, clientKeystorePass.toCharArray());
- Set<TrustAnchor> trustAnchors =
getTrustAnchorsFromKeystore(trustStore);
- PKIXRevocationChecker revocationChecker =
- (PKIXRevocationChecker)
CertPathValidator.getInstance("PKIX").getRevocationChecker();
- if (ocspUrl != null) {
- revocationChecker.setOcspResponder(new URI(ocspUrl));
- }
-
revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
-
- PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustAnchors,
new X509CertSelector());
- pkix.addCertPathChecker(revocationChecker);
-
- TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance("PKIX");
- trustManagerFactory.init(new CertPathTrustManagerParameters(pkix));
- return initSSLContext(kmf, trustManagerFactory).getSocketFactory();
- }
-
- private static SSLSocketFactory buildClientSslSocketFactoryNoOcsp(KeyStore
trustStore, KeyStore clientKeystore,
- String clientKeystorePass) throws Exception {
- KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(clientKeystore, clientKeystorePass.toCharArray());
- TrustManagerFactory trustManagerFactory =
-
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- trustManagerFactory.init(trustStore);
- return initSSLContext(kmf, trustManagerFactory).getSocketFactory();
- }
-
- private static SSLContext initSSLContext(KeyManagerFactory
keyManagerFactory,
- TrustManagerFactory trustManagerFactory) throws Exception {
- SSLContext sslContext;
- if (TesterSupport.isTlsv13Available()) {
- sslContext = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
- } else {
- sslContext = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2);
- }
- sslContext.init(keyManagerFactory.getKeyManagers(),
trustManagerFactory.getTrustManagers(), null);
- return sslContext;
- }
-
- private static Set<TrustAnchor> getTrustAnchorsFromKeystore(KeyStore
keyStore) throws KeyStoreException {
- Set<TrustAnchor> trustAnchors = new HashSet<>();
- Enumeration<String> aliases = keyStore.aliases();
- while (aliases.hasMoreElements()) {
- String alias = aliases.nextElement();
- Certificate certificate = keyStore.getCertificate(alias);
- if (certificate instanceof X509Certificate) {
- trustAnchors.add(new TrustAnchor((X509Certificate)
certificate, null));
- }
- }
- return trustAnchors;
- }
-
- private static void handleExceptionWhenRevoked(Exception exception) throws
Exception {
- if (exception.getCause().getCause() instanceof
CertPathValidatorException) {
- CertPathValidatorException cpe = (CertPathValidatorException)
exception.getCause().getCause();
- Assert.assertEquals("REVOKED", cpe.getReason().toString());
- Assert.assertTrue(cpe.toString().contains("reason:
KEY_COMPROMISE"));
- // Some JDKs only expose CertPathValidatorException
- if (cpe.getCause() instanceof CertificateRevokedException) {
- throw (CertificateRevokedException) cpe.getCause();
- } else {
- throw new CertificateRevokedException(new Date(),
CRLReason.KEY_COMPROMISE, new X500Principal(""),
- new HashMap<>());
- }
- }
- }
-
- private static class FakeOcspResponder implements Closeable {
- private final byte[] ocspResponse;
- private HttpServer server;
- private int port;
- private boolean strictPath = false;
- private String path = "/ocsp";
-
- FakeOcspResponder(boolean strictPath, String path, byte[]
ocspResponse, int port) {
- this(ocspResponse, port);
- this.strictPath = strictPath;
- this.path = path;
- }
-
- FakeOcspResponder(byte[] ocspResponse, int port) {
- this.ocspResponse = ocspResponse;
- this.port = port;
- }
-
- void start() throws IOException {
- server = HttpServer.create(new InetSocketAddress("127.0.0.1",
port), 0);
- server.createContext(this.path, httpExchange -> {
- if (strictPath) {
- String path = httpExchange.getRequestURI().getPath();
- if (!this.path.equals(path)) {
- httpExchange.sendResponseHeaders(404, -1);
- httpExchange.close();
- return;
- }
- }
- byte[] body = ocspResponse;
- Headers headers = httpExchange.getResponseHeaders();
- headers.add("Content-Type", "application/ocsp-response");
- httpExchange.sendResponseHeaders(HttpServletResponse.SC_OK,
body.length);
- try (OutputStream os = httpExchange.getResponseBody()) {
- os.write(body);
- }
- });
- server.start();
- port = server.getAddress().getPort();
- }
-
- String url() {
- return "http://127.0.0.1:" + port + path;
- }
-
- @Override
- public void close() {
- if (server != null) {
- server.stop(0);
- }
- }
- }
-
- private static String getPath(String file) throws IOException {
- if (file == null) {
- return null;
- }
- String packageName = TestOcspIntegration.class.getPackageName();
- String path = packageName.replace(".", File.separator);
- File f = new File("test" + File.separator + path + File.separator +
file);
-
- return f.getCanonicalPath();
- }
-
- @SuppressWarnings("unused")
- private static boolean isPortAvailable(int port) {
- try (ServerSocket serverSocket = new ServerSocket(port)) {
- return true;
- } catch (IOException e) {
- return false;
- }
- }
-
-
- private enum ServerSideOcspVerification {
- ENABLED,
- OPTIONAL_NO_CA,
- DISABLED
- }
-}
diff --git a/test/org/apache/tomcat/util/net/ocsp/ca-cert.pem
b/test/org/apache/tomcat/util/net/ocsp/ca-cert.pem
deleted file mode 100644
index 34d31d9595..0000000000
--- a/test/org/apache/tomcat/util/net/ocsp/ca-cert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFTCCAf2gAwIBAgIUAyOAYMldD+vXvTMjdb9wXBFMQhQwDQYJKoZIhvcNAQEL
-BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yNTEwMDkxNzUwMTlaFw0zNTEwMDcx
-NzUwMTlaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCR5uGEWWQ5x9WNSDB/38SAT30PR+DxhNL4v+sjx9u2yARgVI9q
-ENLoXCrQUxMocRvwdb30owOe/vxJPaCrNQunUfSQpeKW9KYPj9tCWxrc/LPeciqO
-m+XTgxowDbAY7gBGSUM75vsv0CBMo2fSGDEmQqB3+guCQBHmvV4iTnctN6jg6e1t
-p+Xq4VwoTLaLMuI+G+pBvv+xVk+Mkw0L+wRChsqegaxq740V0FNfBeId4nYLAWrT
-WRKmmkhrfRm2DQJ+gG46RGb1jA+3y3i+nTkEzn9ZmzAGpF3PIVhrPzYbC7AByE+T
-2NqtHHp37jBvuChr20ReY+Gzx0zUdkQcF/vlAgMBAAGjYzBhMA8GA1UdEwEB/wQF
-MAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTI+niWdI2AaIVg+4CTF2g6
-prb8qDAfBgNVHSMEGDAWgBTI+niWdI2AaIVg+4CTF2g6prb8qDANBgkqhkiG9w0B
-AQsFAAOCAQEAKKXD005JJTCSuQckD856ZzVa6ffoGMSssSOlqvS7KrpiUID/twvG
-/r8SEXbguRGauyh0FY9UlbNeWjN8u92v7zILmnBUdYm7sPEi6+bTFDrjJ22rFxei
-Xpwb02WY9P+Kty96DTjByrKfodtGt9Ey+R/fsBE0dNEKgqOu9H+6nVcxjO2bONJH
-QJsHEn3liLj+DpHn5Pe4laQHuPpXSZgvtjL5/Y8D6G4UCNQ7gVxq8GCDK1eQuyKM
-oboDINCN8/6XUmCuLk51urHcsZXOJ7PX8VirdPWBqpjGa2hMNsIak6NAyK86rDFP
-brZOqWk1hfVTbW9LlIxkU7dQniz/PKFxgw==
------END CERTIFICATE-----
diff --git a/test/org/apache/tomcat/util/net/ocsp/client-keystore.p12
b/test/org/apache/tomcat/util/net/ocsp/client-keystore.p12
deleted file mode 100644
index f763d243e8..0000000000
Binary files a/test/org/apache/tomcat/util/net/ocsp/client-keystore.p12 and
/dev/null differ
diff --git a/test/org/apache/tomcat/util/net/ocsp/client-password
b/test/org/apache/tomcat/util/net/ocsp/client-password
deleted file mode 100644
index 1d40192aeb..0000000000
--- a/test/org/apache/tomcat/util/net/ocsp/client-password
+++ /dev/null
@@ -1 +0,0 @@
-changeit
diff --git
a/test/org/apache/tomcat/util/net/ocsp/generate-ocsp-test-artifacts.sh
b/test/org/apache/tomcat/util/net/ocsp/generate-ocsp-test-artifacts.sh
deleted file mode 100755
index 889976e628..0000000000
--- a/test/org/apache/tomcat/util/net/ocsp/generate-ocsp-test-artifacts.sh
+++ /dev/null
@@ -1,172 +0,0 @@
-#!/bin/sh
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Generate OCSP-ready test material for Tomcat integration tests.
-#
-# Output:
-# ca-cert.pem
-# client-keystore.p12
-# client-password
-# ocsp-client-good.der
-# ocsp-client-revoked.der
-# ocsp-good.der
-# ocsp-revoked.der
-# server-cert.pem
-# server-key.pem
-# trustStore.p12
-# trust-password
-#
-# Usage: generate-ocsp-test-artifacts.sh
-#
-
-PASS="changeit"
-WORK_DIR="ocsp-work"
-
-command -v openssl >/dev/null 2>&1 || (printf "OpenSSL not found. Please
install it.\r\n" && exit)
-command -v keytool >/dev/null 2>&1 || (printf "keytool not found. Please
install it.\r\n" && exit)
-
-rm -rf "$WORK_DIR"
-mkdir -p "$WORK_DIR"/private "$WORK_DIR"/newcerts "$WORK_DIR"/certs
-touch "$WORK_DIR/index"
-echo 1000 > "$WORK_DIR/serial"
-
-printf "Writing minimal OpenSSL config..."
-cat > "$WORK_DIR/openssl.cnf" <<'EOF'
-[ ca ]
-default_ca = CA_default
-
-[ CA_default ]
-dir = .
-database = $dir/index
-new_certs_dir = $dir/newcerts
-serial = $dir/serial
-default_md = sha256
-policy = policy_loose
-copy_extensions = copy
-private_key = $dir/private/ca.key.pem
-certificate = $dir/certs/ca-cert.pem
-
-[ policy_loose ]
-commonName = supplied
-
-[ v3_ca ]
-basicConstraints = critical,CA:TRUE
-keyUsage = critical,keyCertSign,cRLSign
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-
-[ v3_server ]
-basicConstraints = critical,CA:FALSE
-keyUsage = critical,digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
-authorityInfoAccess = OCSP;URI:http://127.0.0.1:8888/ocsp
-subjectAltName = @san
-[ san ]
-IP.1 = 127.0.0.1
-DNS.1 = localhost
-
-[ v3_client ]
-basicConstraints = critical,CA:FALSE
-keyUsage = critical,digitalSignature,keyEncipherment
-extendedKeyUsage = clientAuth
-# Make the AIA field >127 bytes to test CVE-2017-15698
-authorityInfoAccess =
OCSP;URI:http://127.0.0.1:8889/ocsp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-
-[ v3_ocsp ]
-basicConstraints = critical,CA:FALSE
-keyUsage = critical,digitalSignature
-extendedKeyUsage = OCSPSigning
-EOF
-printf "Done.\r\n"
-
-cd "$WORK_DIR" || (printf "Something went wrong.\r\n" && exit)
-
-printf "Generating CA key and certificate...\r\n"
-openssl genrsa -out private/ca.key.pem 2048
-openssl req -x509 -new -nodes -key private/ca.key.pem -days 3650 -subj
"/CN=Test CA" -config openssl.cnf -extensions v3_ca -out certs/ca-cert.pem
-printf "Done.\r\n"
-
-printf "Generating server key and certificate...\r\n"
-openssl genrsa -out private/server.key.pem 2048
-openssl req -new -key private/server.key.pem -out server.csr.pem -subj
"/CN=localhost"
-openssl ca -batch -config openssl.cnf -extensions v3_server -in server.csr.pem
-out certs/server.cert.pem -days 365
-printf "Done.\r\n"
-
-printf "Generating OCSP responder key and certificate...\r\n"
-openssl genrsa -out private/ocsp.key.pem 2048
-openssl req -new -key private/ocsp.key.pem -out ocsp.csr.pem -subj "/CN=Test
OCSP Responder"
-openssl ca -batch -config openssl.cnf -extensions v3_ocsp -in ocsp.csr.pem
-out certs/ocsp.cert.pem -days 365
-printf "Done.\r\n"
-
-printf "Building OCSP request for the server certificate...\r\n"
-openssl ocsp -issuer certs/ca-cert.pem -cert certs/server.cert.pem -no_nonce
-reqout request.der
-printf "Done.\r\n"
-
-printf "Answering request with good status (ocsp-good.der)...\r\n"
-openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem
-rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin request.der -respout
../ocsp-good.der
-printf "Done.\r\n"
-
-printf "Revoking the server certificate in the CA database...\r\n"
-openssl ca -config openssl.cnf -revoke certs/server.cert.pem -crl_reason
keyCompromise
-printf "Done.\r\n"
-
-printf "Answering request with REVOKED status (ocsp-revoked.der)...\r\n"
-openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem
-rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin request.der -respout
../ocsp-revoked.der
-printf "Done.\r\n"
-
-cp certs/ca-cert.pem ..
-cp private/server.key.pem ../server-key.pem
-cp certs/server.cert.pem ../server-cert.pem
-
-printf "Creating PKCS12 client's truststore (trustStore.p12) with the
CA...\r\n"
-rm -f ../trustStore.p12
-echo "$PASS" > ../trust-password
-keytool -importcert -alias ocsp-ca -file certs/ca-cert.pem -keystore
../trustStore.p12 -storetype PKCS12 -storepass "$PASS" -noprompt
-printf "Done.\r\n"
-
-printf "Generating client key and certificate...\r\n"
-openssl genrsa -out private/client.key.pem 2048
-openssl req -new -key private/client.key.pem -out client.csr.pem -subj
"/CN=test-client"
-openssl ca -batch -config openssl.cnf -extensions v3_client -in client.csr.pem
-out certs/client.cert.pem -days 365
-printf "Done.\r\n"
-
-printf "Building OCSP request for the CLIENT certificate...\r\n"
-openssl ocsp -issuer certs/ca-cert.pem -cert certs/client.cert.pem -no_nonce
-reqout client-request.der
-printf "Done.\r\n"
-
-printf "Answering request with good status for client
(ocsp-client-good.der)...\r\n"
-openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem
-rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin client-request.der
-respout ../ocsp-client-good.der
-printf "Done.\r\n"
-
-printf "Revoking the client certificate in the CA database...\r\n"
-openssl ca -config openssl.cnf -revoke certs/client.cert.pem -crl_reason
keyCompromise
-printf "Done.\r\n"
-
-printf "Answering request with REVOKED status for client
(ocsp-client-revoked.der)...\r\n"
-openssl ocsp -index index -CA certs/ca-cert.pem -rsigner certs/ocsp.cert.pem
-rkey private/ocsp.key.pem -no_nonce -ndays 365 -reqin client-request.der
-respout ../ocsp-client-revoked.der
-printf "Done.\r\n"
-
-printf "Creating PKCS12 client keystore for mutual TLS...\r\n"
-echo "$PASS" > ../client-password
-openssl pkcs12 -export -name ocsp-client -out ../client-keystore.p12 -inkey
private/client.key.pem -in certs/client.cert.pem -certfile certs/ca-cert.pem
-passout pass:"$PASS"
-printf "Done.\r\n"
-
-printf "\r\nOptional verification:\r\n"
-printf " openssl ocsp -respin ocsp-good.der -verify_other
ocsp-work/certs/ocsp.cert.pem -CAfile ca-cert.pem\r\n"
-printf " openssl ocsp -respin ocsp-revoked.der -verify_other
ocsp-work/certs/ocsp.cert.pem -CAfile ca-cert.pem\r\n"
\ No newline at end of file
diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-client-good.der
b/test/org/apache/tomcat/util/net/ocsp/ocsp-client-good.der
deleted file mode 100644
index 1194788bff..0000000000
Binary files a/test/org/apache/tomcat/util/net/ocsp/ocsp-client-good.der and
/dev/null differ
diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-client-revoked.der
b/test/org/apache/tomcat/util/net/ocsp/ocsp-client-revoked.der
deleted file mode 100644
index 55676882c0..0000000000
Binary files a/test/org/apache/tomcat/util/net/ocsp/ocsp-client-revoked.der and
/dev/null differ
diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-good.der
b/test/org/apache/tomcat/util/net/ocsp/ocsp-good.der
deleted file mode 100644
index b4f2dadaa0..0000000000
Binary files a/test/org/apache/tomcat/util/net/ocsp/ocsp-good.der and /dev/null
differ
diff --git a/test/org/apache/tomcat/util/net/ocsp/ocsp-revoked.der
b/test/org/apache/tomcat/util/net/ocsp/ocsp-revoked.der
deleted file mode 100644
index f0b7c51a17..0000000000
Binary files a/test/org/apache/tomcat/util/net/ocsp/ocsp-revoked.der and
/dev/null differ
diff --git a/test/org/apache/tomcat/util/net/ocsp/server-cert.pem
b/test/org/apache/tomcat/util/net/ocsp/server-cert.pem
deleted file mode 100644
index 7f7097bc4d..0000000000
--- a/test/org/apache/tomcat/util/net/ocsp/server-cert.pem
+++ /dev/null
@@ -1,86 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4096 (0x1000)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=Test CA
- Validity
- Not Before: Oct 9 17:50:19 2025 GMT
- Not After : Oct 9 17:50:19 2026 GMT
- Subject: CN=localhost
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:b3:a6:2f:95:ec:a3:9f:18:df:92:02:2f:f6:d8:
- e5:90:0d:45:b7:9b:fb:2c:63:62:a0:5d:06:a2:c6:
- 5a:38:d0:02:7e:bf:ae:22:05:5a:c9:83:e1:5f:7b:
- 74:00:b6:7e:58:e2:1e:40:29:b1:5f:2c:3c:5a:c2:
- 5a:04:bb:4e:0f:1a:ae:f0:bc:cb:16:49:c4:6a:59:
- 2e:56:e7:73:e0:c1:01:72:b0:d5:a0:86:b0:f5:77:
- 16:24:57:9b:51:24:97:af:bc:3a:2c:9f:c2:89:b0:
- cc:f2:d9:f9:1d:6d:25:90:2a:1a:36:3e:cb:8a:13:
- 7c:e2:99:6d:7e:a1:ef:a8:36:b1:3b:75:36:14:88:
- 3e:32:7b:c0:5a:55:ec:2c:9f:f8:32:f7:55:86:22:
- 46:ea:ba:19:46:d0:e0:77:df:f3:95:d3:98:f8:62:
- 1c:b7:fe:11:01:e7:bb:5d:82:d9:ee:32:44:9f:88:
- e1:7d:f9:20:83:02:f8:8d:4d:76:26:69:c7:b1:fd:
- 82:7f:a9:c9:0a:8d:26:a4:18:05:ee:04:e9:61:04:
- 9f:e5:80:cc:f4:d5:3d:f7:d3:ce:1f:00:27:b5:d1:
- 09:b6:cb:93:36:b4:4c:58:e3:65:f6:85:4d:51:55:
- 5f:25:01:35:b5:a7:5a:44:7f:0b:69:70:5d:8e:eb:
- ff:b9
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage: critical
- Digital Signature, Key Encipherment
- X509v3 Extended Key Usage:
- TLS Web Server Authentication
- Authority Information Access:
- OCSP - URI:http://127.0.0.1:8888/ocsp
- X509v3 Subject Alternative Name:
- IP Address:127.0.0.1, DNS:localhost
- X509v3 Subject Key Identifier:
- F0:0D:29:83:76:05:84:3A:15:D1:D7:3D:7C:80:B1:A2:B9:B2:34:E9
- X509v3 Authority Key Identifier:
- C8:FA:78:96:74:8D:80:68:85:60:FB:80:93:17:68:3A:A6:B6:FC:A8
- Signature Algorithm: sha256WithRSAEncryption
- Signature Value:
- 55:20:97:f2:f9:44:63:65:50:f5:a2:92:99:d2:ef:90:1b:97:
- aa:0d:3a:bb:6f:a1:d1:dd:99:64:86:f0:ba:f2:12:61:b6:c4:
- 22:20:f1:5b:b4:8c:19:68:57:18:a4:63:47:52:e9:2e:d1:68:
- b2:de:da:02:a8:4f:8f:ec:c1:d4:f7:e4:69:09:25:de:d2:60:
- 5f:bf:e9:fe:12:74:ae:f1:25:59:04:53:e1:a3:3c:b9:c2:99:
- 91:78:3d:79:a3:29:f9:3a:5b:59:32:b1:2c:c3:f0:3f:c2:49:
- 14:36:b9:3e:c5:3f:47:1c:14:bc:da:4f:39:2d:e1:16:f6:a6:
- c7:fa:f4:b8:bb:95:d9:49:b7:0b:51:ae:9b:67:b6:01:c2:30:
- aa:db:17:21:6f:64:cd:2d:ff:ea:9a:ce:4a:a7:44:f5:8f:a7:
- b5:f8:87:48:bf:03:8e:3e:ab:8e:44:e7:a6:64:9a:f2:06:5a:
- 33:21:e1:01:8c:bf:c7:61:36:90:e4:5f:b6:e7:26:55:9e:44:
- 7c:d8:52:75:f9:1b:df:7a:ef:ea:b1:a3:08:19:ae:e1:39:42:
- ec:d2:ad:dc:63:a8:f4:54:db:8d:9f:12:ea:fe:94:cf:af:eb:
- 88:66:bb:3c:cf:a9:a3:5e:4a:c5:09:94:f8:4e:03:a2:01:a1:
- e5:24:92:eb
------BEGIN CERTIFICATE-----
-MIIDbTCCAlWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVz
-dCBDQTAeFw0yNTEwMDkxNzUwMTlaFw0yNjEwMDkxNzUwMTlaMBQxEjAQBgNVBAMM
-CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOmL5Xs
-o58Y35ICL/bY5ZANRbeb+yxjYqBdBqLGWjjQAn6/riIFWsmD4V97dAC2fljiHkAp
-sV8sPFrCWgS7Tg8arvC8yxZJxGpZLlbnc+DBAXKw1aCGsPV3FiRXm1Ekl6+8Oiyf
-womwzPLZ+R1tJZAqGjY+y4oTfOKZbX6h76g2sTt1NhSIPjJ7wFpV7Cyf+DL3VYYi
-Ruq6GUbQ4Hff85XTmPhiHLf+EQHnu12C2e4yRJ+I4X35IIMC+I1NdiZpx7H9gn+p
-yQqNJqQYBe4E6WEEn+WAzPTVPffTzh8AJ7XRCbbLkza0TFjjZfaFTVFVXyUBNbWn
-WkR/C2lwXY7r/7kCAwEAAaOByjCBxzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE
-AwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATA2BggrBgEFBQcBAQQqMCgwJgYIKwYB
-BQUHMAGGGmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC9vY3NwMBoGA1UdEQQTMBGHBH8A
-AAGCCWxvY2FsaG9zdDAdBgNVHQ4EFgQU8A0pg3YFhDoV0dc9fICxormyNOkwHwYD
-VR0jBBgwFoAUyPp4lnSNgGiFYPuAkxdoOqa2/KgwDQYJKoZIhvcNAQELBQADggEB
-AFUgl/L5RGNlUPWikpnS75Abl6oNOrtvodHdmWSG8LryEmG2xCIg8Vu0jBloVxik
-Y0dS6S7RaLLe2gKoT4/swdT35GkJJd7SYF+/6f4SdK7xJVkEU+GjPLnCmZF4PXmj
-Kfk6W1kysSzD8D/CSRQ2uT7FP0ccFLzaTzkt4Rb2psf69Li7ldlJtwtRrptntgHC
-MKrbFyFvZM0t/+qazkqnRPWPp7X4h0i/A44+q45E56ZkmvIGWjMh4QGMv8dhNpDk
-X7bnJlWeRHzYUnX5G9967+qxowgZruE5QuzSrdxjqPRU242fEur+lM+v64hmuzzP
-qaNeSsUJlPhOA6IBoeUkkus=
------END CERTIFICATE-----
diff --git a/test/org/apache/tomcat/util/net/ocsp/server-key.pem
b/test/org/apache/tomcat/util/net/ocsp/server-key.pem
deleted file mode 100644
index 1a63661cef..0000000000
--- a/test/org/apache/tomcat/util/net/ocsp/server-key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzpi+V7KOfGN+S
-Ai/22OWQDUW3m/ssY2KgXQaixlo40AJ+v64iBVrJg+Ffe3QAtn5Y4h5AKbFfLDxa
-wloEu04PGq7wvMsWScRqWS5W53PgwQFysNWghrD1dxYkV5tRJJevvDosn8KJsMzy
-2fkdbSWQKho2PsuKE3zimW1+oe+oNrE7dTYUiD4ye8BaVewsn/gy91WGIkbquhlG
-0OB33/OV05j4Yhy3/hEB57tdgtnuMkSfiOF9+SCDAviNTXYmacex/YJ/qckKjSak
-GAXuBOlhBJ/lgMz01T33084fACe10Qm2y5M2tExY42X2hU1RVV8lATW1p1pEfwtp
-cF2O6/+5AgMBAAECggEABdjR0apbBPGVTTY/A2S5y/9ylnBAM4ikjB2a+q9D/nde
-rWtlqnvMIaTmL+pfsyo9YH0ziNkSictxx25t6ZuDBeDTcshiP7504xU1+eQclGMT
-vfzdZxUbK1IN6W7kgjaTrUeOCSfF+B9F/F11yyxjPZbxNXTDwSGzPdjKhIWWvD3F
-T0xUHKm+XKHWmEveporOmH1M6wxVfZ8NbAqWYRhFaUp+GZwjv2M+trXdyDmlNPWQ
-k66FdZNM+Roa2nGVcgXDdue/+Xah5eNrNzIm7ilodBQzS7Z5ADYVFktyBTGfRCs3
-Uc2BUGZrVZSRu10DybZo+0XE7HLgdMzlTxTax65hBQKBgQD8ltIYCRBzbRn7EC9O
-tbmyKCutxUCNe8t5cLm6iFTILOR2DZSsQH8cav0uGNMgXo0oHvY2H49xw5DqfSy2
-jcVhIKXoDKvHOrU7Ph/attIvyTTizprupAEi7dnZGf0sENQBR1BuSRMGv4B8hYKL
-51PfkspTBtsaZZhDAjJlYjYZVwKBgQC2EzfFeNKF9IZ4Gfexsrvj84Y8S3kfkxzT
-jZkT+JZFRDhNCA7tORZJcriQnitK1M2dA0L1xNFQH+5mVLnn2YwZMgWGYWWKNfD9
-r/oS7yVy9qr3yf5i+XHk/Dr4LvDsyYlGuRLVfLltcggj5g84JTYabvVzo6j5ss/3
-VVbzMIg1bwKBgQDjDTP31RYLm/Pxwf+0chhldESnJJu9Up16IYFikrAbbHdFQzn0
-iNl6ExZY/Im0HCoo+YP67O3FprU6g6DQzKmzgGSCLfmv0i8c/OAne5V+zRAUHQIa
-KCS5YDMmO31fwhTAvXkoWdmXhEccJ+tMlXnIjCwA7DXCCbcP7QaeKeVVawKBgQCw
-HPCiOpbvaTE0NHHo2OhyuhgKdDpJd0O3wUvjDF1VzIHkyLmfbcuH6cZqZAOeEy57
-BC+dh+2qYeh35NYZU8z2hfLgI49S25Ap4jCyZc1EYSHIIgLEe2FWSz9C1izF7L6y
-wMtd4pF9MoJ7Lslj1mJ5uQAEBbapJ/OO2mYLPtNRUwKBgQCC4aV+boMhDfvYpAir
-PTk+od7rBBcBZnV2dnqz4BHl7cfZCzD2GmJesgBLEBuf3r3sMGov3tItLkCteCqt
-cc3vwC+tNCpz8INLUMCR8i64J4ZgrwUgUbmt+myoAIDx/46GVGsknvuzSabLRH3h
-L9eCqiIiXCbiXjWw4vDfkXqdIA==
------END PRIVATE KEY-----
diff --git a/test/org/apache/tomcat/util/net/ocsp/trust-password
b/test/org/apache/tomcat/util/net/ocsp/trust-password
deleted file mode 100644
index 1d40192aeb..0000000000
--- a/test/org/apache/tomcat/util/net/ocsp/trust-password
+++ /dev/null
@@ -1 +0,0 @@
-changeit
diff --git a/test/org/apache/tomcat/util/net/ocsp/trustStore.p12
b/test/org/apache/tomcat/util/net/ocsp/trustStore.p12
deleted file mode 100644
index 5b66a7d8d8..0000000000
Binary files a/test/org/apache/tomcat/util/net/ocsp/trustStore.p12 and
/dev/null differ