7026347: Certificate and X509CRL should have verify(PublicKey key, Provider sigProvider)

Reviewed-by: mullan, xuelei, weijun

jdk/src/share/classes/java/security/cert/Certificate.java

@@ -27,6 +27,7 @@ package java.security.cert;
 
 import java.util.Arrays;
 
+import java.security.Provider;
 import java.security.PublicKey;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
@@ -186,6 +187,35 @@ public abstract class Certificate implements java.io.Serializable {
         InvalidKeyException, NoSuchProviderException,
         SignatureException;
 
+    /**
+     * Verifies that this certificate was signed using the
+     * private key that corresponds to the specified public key.
+     * This method uses the signature verification engine
+     * supplied by the specified provider. Note that the specified
+     * Provider object does not have to be registered in the provider list.
+     *
+     * <p> This method was added to version 1.8 of the Java Platform
+     * Standard Edition. In order to maintain backwards compatibility with
+     * existing service providers, this method cannot be <code>abstract</code>
+     * and by default throws an <code>UnsupportedOperationException</code>.
+     *
+     * @param key the PublicKey used to carry out the verification.
+     * @param sigProvider the signature provider.
+     *
+     * @exception NoSuchAlgorithmException on unsupported signature
+     * algorithms.
+     * @exception InvalidKeyException on incorrect key.
+     * @exception SignatureException on signature errors.
+     * @exception CertificateException on encoding errors.
+     * @exception UnsupportedOperationException if the method is not supported
+     * @since 1.8
+     */
+    public void verify(PublicKey key, Provider sigProvider)
+        throws CertificateException, NoSuchAlgorithmException,
+        InvalidKeyException, SignatureException {
+        throw new UnsupportedOperationException();
+    }
+
     /**
      * Returns a string representation of this certificate.
      *

jdk/src/share/classes/java/security/cert/X509CRL.java

@@ -30,6 +30,7 @@ import java.security.NoSuchProviderException;
 import java.security.InvalidKeyException;
 import java.security.SignatureException;
 import java.security.Principal;
+import java.security.Provider;
 import java.security.PublicKey;
 import javax.security.auth.x500.X500Principal;
 
@@ -215,6 +216,34 @@ public abstract class X509CRL extends CRL implements X509Extension {
         InvalidKeyException, NoSuchProviderException,
         SignatureException;
 
+    /**
+     * Verifies that this CRL was signed using the
+     * private key that corresponds to the given public key.
+     * This method uses the signature verification engine
+     * supplied by the given provider. Note that the specified Provider object
+     * does not have to be registered in the provider list.
+     *
+     * This method was added to version 1.8 of the Java Platform Standard
+     * Edition. In order to maintain backwards compatibility with existing
+     * service providers, this method is not <code>abstract</code>
+     * and it provides a default implementation.
+     *
+     * @param key the PublicKey used to carry out the verification.
+     * @param sigProvider the signature provider.
+     *
+     * @exception NoSuchAlgorithmException on unsupported signature
+     * algorithms.
+     * @exception InvalidKeyException on incorrect key.
+     * @exception SignatureException on signature errors.
+     * @exception CRLException on encoding errors.
+     * @since 1.8
+     */
+    public void verify(PublicKey key, Provider sigProvider)
+        throws CRLException, NoSuchAlgorithmException,
+        InvalidKeyException, SignatureException {
+        X509CRLImpl.verify(this, key, sigProvider);
+    }
+
     /**
      * Gets the <code>version</code> (version number) value from the CRL.
      * The ASN.1 definition for this is:

jdk/src/share/classes/java/security/cert/X509Certificate.java

@@ -26,8 +26,7 @@
 package java.security.cert;
 
 import java.math.BigInteger;
-import java.security.Principal;
-import java.security.PublicKey;
+import java.security.*;
 import java.util.Collection;
 import java.util.Date;
 import java.util.List;
@@ -640,4 +639,33 @@ implements X509Extension {
         throws CertificateParsingException {
         return X509CertImpl.getIssuerAlternativeNames(this);
     }
+
+     /**
+     * Verifies that this certificate was signed using the
+     * private key that corresponds to the specified public key.
+     * This method uses the signature verification engine
+     * supplied by the specified provider. Note that the specified
+     * Provider object does not have to be registered in the provider list.
+     *
+     * This method was added to version 1.8 of the Java Platform Standard
+     * Edition. In order to maintain backwards compatibility with existing
+     * service providers, this method is not <code>abstract</code>
+     * and it provides a default implementation.
+     *
+     * @param key the PublicKey used to carry out the verification.
+     * @param sigProvider the signature provider.
+     *
+     * @exception NoSuchAlgorithmException on unsupported signature
+     * algorithms.
+     * @exception InvalidKeyException on incorrect key.
+     * @exception SignatureException on signature errors.
+     * @exception CertificateException on encoding errors.
+     * @exception UnsupportedOperationException if the method is not supported
+     * @since 1.8
+     */
+    public void verify(PublicKey key, Provider sigProvider)
+        throws CertificateException, NoSuchAlgorithmException,
+        InvalidKeyException, SignatureException {
+        X509CertImpl.verify(this, key, sigProvider);
+    }
 }

jdk/src/share/classes/sun/security/x509/X509CRLImpl.java

@@ -32,6 +32,7 @@ import java.math.BigInteger;
 import java.security.Principal;
 import java.security.PublicKey;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.Signature;
 import java.security.NoSuchAlgorithmException;
 import java.security.InvalidKeyException;
@@ -398,6 +399,61 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
         verifiedProvider = sigProvider;
     }
 
+    /**
+     * Verifies that this CRL was signed using the
+     * private key that corresponds to the given public key,
+     * and that the signature verification was computed by
+     * the given provider. Note that the specified Provider object
+     * does not have to be registered in the provider list.
+     *
+     * @param key the PublicKey used to carry out the verification.
+     * @param sigProvider the signature provider.
+     *
+     * @exception NoSuchAlgorithmException on unsupported signature
+     * algorithms.
+     * @exception InvalidKeyException on incorrect key.
+     * @exception SignatureException on signature errors.
+     * @exception CRLException on encoding errors.
+     */
+    public synchronized void verify(PublicKey key, Provider sigProvider)
+            throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
+            SignatureException {
+
+        if (signedCRL == null) {
+            throw new CRLException("Uninitialized CRL");
+        }
+        Signature sigVerf = null;
+        if (sigProvider == null) {
+            sigVerf = Signature.getInstance(sigAlgId.getName());
+        } else {
+            sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
+        }
+        sigVerf.initVerify(key);
+
+        if (tbsCertList == null) {
+            throw new CRLException("Uninitialized CRL");
+        }
+
+        sigVerf.update(tbsCertList, 0, tbsCertList.length);
+
+        if (!sigVerf.verify(signature)) {
+            throw new SignatureException("Signature does not match.");
+        }
+        verifiedPublicKey = key;
+    }
+
+    /**
+     * This static method is the default implementation of the
+     * verify(PublicKey key, Provider sigProvider) method in X509CRL.
+     * Called from java.security.cert.X509CRL.verify(PublicKey key,
+     * Provider sigProvider)
+     */
+    public static void verify(X509CRL crl, PublicKey key,
+            Provider sigProvider) throws CRLException,
+            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+        crl.verify(key, sigProvider);
+    }
+
     /**
      * Encodes an X.509 CRL, and signs it using the given key.
      *

jdk/src/share/classes/sun/security/x509/X509CertImpl.java

@@ -452,6 +452,62 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
         }
     }
 
+    /**
+     * Throws an exception if the certificate was not signed using the
+     * verification key provided.  This method uses the signature verification
+     * engine supplied by the specified provider. Note that the specified
+     * Provider object does not have to be registered in the provider list.
+     * Successfully verifying a certificate does <em>not</em> indicate that one
+     * should trust the entity which it represents.
+     *
+     * @param key the public key used for verification.
+     * @param sigProvider the provider.
+     *
+     * @exception NoSuchAlgorithmException on unsupported signature
+     * algorithms.
+     * @exception InvalidKeyException on incorrect key.
+     * @exception SignatureException on signature errors.
+     * @exception CertificateException on encoding errors.
+     */
+    public synchronized void verify(PublicKey key, Provider sigProvider)
+            throws CertificateException, NoSuchAlgorithmException,
+            InvalidKeyException, SignatureException {
+        if (signedCert == null) {
+            throw new CertificateEncodingException("Uninitialized certificate");
+        }
+        // Verify the signature ...
+        Signature sigVerf = null;
+        if (sigProvider == null) {
+            sigVerf = Signature.getInstance(algId.getName());
+        } else {
+            sigVerf = Signature.getInstance(algId.getName(), sigProvider);
+        }
+        sigVerf.initVerify(key);
+
+        byte[] rawCert = info.getEncodedInfo();
+        sigVerf.update(rawCert, 0, rawCert.length);
+
+        // verify may throw SignatureException for invalid encodings, etc.
+        verificationResult = sigVerf.verify(signature);
+        verifiedPublicKey = key;
+
+        if (verificationResult == false) {
+            throw new SignatureException("Signature does not match.");
+        }
+    }
+
+     /**
+     * This static method is the default implementation of the
+     * verify(PublicKey key, Provider sigProvider) method in X509Certificate.
+     * Called from java.security.cert.X509Certificate.verify(PublicKey key,
+     * Provider sigProvider)
+     */
+    public static void verify(X509Certificate cert, PublicKey key,
+            Provider sigProvider) throws CertificateException,
+            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+        cert.verify(key, sigProvider);
+    }
+
     /**
      * Creates an X.509 certificate, and signs it using the given key
      * (associating a signature algorithm and an X.500 name).

jdk/test/sun/security/x509/X509CRLImpl/Verify.java

@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7026347
+ * @summary X509CRL should have verify(PublicKey key, Provider sigProvider)
+ */
+
+import java.io.ByteArrayInputStream;
+import java.security.*;
+import java.security.cert.*;
+
+public class Verify {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+        "Vjw=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String crlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String crlStr =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+        "-----END X509 CRL-----";
+
+    private static X509CRL crl;
+    private static PublicKey selfSignedCertPubKey;
+    private static PublicKey crlIssuerCertPubKey;
+
+    public static void main(String[] args) throws Exception {
+        setup();
+
+        /*
+         * Verify CRL with its own public key.
+         * Should pass.
+         */
+        verifyCRL(crlIssuerCertPubKey, "SunRsaSign");
+
+        /*
+         * Try to verify CRL with a provider that does not have a Signature
+         * implementation.
+         * Should fail with NoSuchAlgorithmException.
+         */
+        try {
+            verifyCRL(crlIssuerCertPubKey, "SunPCSC");
+            throw new RuntimeException("Didn't catch the exception properly");
+        } catch (NoSuchAlgorithmException e) {
+            System.out.println("Caught the correct exception.");
+        }
+
+        /*
+         * Try to verify CRL with a provider that has a Signature implementation
+         * but not of the right algorithm (MD5withRSA).
+         * Should fail with NoSuchAlgorithmException.
+         */
+        try {
+            verifyCRL(crlIssuerCertPubKey, "SUN");
+            throw new RuntimeException("Didn't catch the exception properly");
+        } catch (NoSuchAlgorithmException e) {
+            System.out.println("Caught the correct exception.");
+        }
+
+        /*
+         * Try to verify CRL with the wrong public key.
+         * Should fail with SignatureException.
+         */
+        try {
+            verifyCRL(selfSignedCertPubKey, "SunRsaSign");
+            throw new RuntimeException("Didn't catch the exception properly");
+        } catch (SignatureException e) {
+            System.out.println("Caught the correct exception.");
+        }
+    }
+
+    private static void setup() throws CertificateException, CRLException {
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        /* Create CRL */
+        ByteArrayInputStream inputStream =
+                new ByteArrayInputStream(crlStr.getBytes());
+        crl = (X509CRL)cf.generateCRL(inputStream);
+
+        /* Get public key of the CRL issuer cert */
+        inputStream = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+        X509Certificate cert
+                = (X509Certificate)cf.generateCertificate(inputStream);
+        crlIssuerCertPubKey = cert.getPublicKey();
+
+        /* Get public key of the self-signed Cert */
+        inputStream = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        selfSignedCertPubKey = cf.generateCertificate(inputStream).getPublicKey();
+    }
+
+    private static void verifyCRL(PublicKey key, String providerName)
+            throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
+            SignatureException {
+        Provider provider = Security.getProvider(providerName);
+        crl.verify(key, provider);
+    }
+}

jdk/test/sun/security/x509/X509CertImpl/Verify.java

@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7026347
+ * @summary Certificate should have
+ *          verify(PublicKey key, Provider sigProvider)
+ */
+
+import java.io.ByteArrayInputStream;
+import java.security.*;
+import java.security.cert.*;
+
+public class Verify {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+        "Vjw=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String crlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+        "-----END CERTIFICATE-----";
+
+    private static X509Certificate cert;
+    private static PublicKey selfSignedCertPubKey;
+    private static PublicKey crlIssuerCertPubKey;
+
+    public static void main(String[] args) throws Exception {
+        setup();
+
+        /*
+         * Verify certificate with its own public key.
+         * Should pass.
+         */
+        verifyCert(selfSignedCertPubKey,"SunRsaSign");
+
+        /*
+         * Try to verify certificate with a provider that does not have a
+         * Signature implementation.
+         * Should fail with NoSuchAlgorithmException.
+         */
+        try {
+            verifyCert(selfSignedCertPubKey, "SunPCSC");
+            throw new RuntimeException("Didn't catch the exception properly");
+        } catch (NoSuchAlgorithmException e) {
+            System.out.println("Caught the correct exception.");
+        }
+
+        /*
+         * Try to verify certificate with a provider that has a Signature
+         * implementation but not of the right algorithm (MD5withRSA).
+         * Should fail with NoSuchAlgorithmException.
+         */
+        try {
+            verifyCert(selfSignedCertPubKey, "SUN");
+            throw new RuntimeException("Didn't catch the exception properly");
+        } catch (NoSuchAlgorithmException e) {
+            System.out.println("Caught the correct exception.");
+        }
+
+        /*
+         * Try to verify certificate with the wrong public key.
+         * Should fail with SignatureException.
+         */
+        try {
+            verifyCert(crlIssuerCertPubKey, "SunRsaSign");
+            throw new RuntimeException("Didn't catch the exception properly");
+        } catch (SignatureException e) {
+            System.out.println("Caught the correct exception.");
+        }
+    }
+
+    private static void setup() throws CertificateException, CRLException {
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        /* Get public key of the CRL issuer cert */
+        ByteArrayInputStream inputStream
+                = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+        cert = (X509Certificate)cf.generateCertificate(inputStream);
+        crlIssuerCertPubKey = cert.getPublicKey();
+
+        /* Get public key of the self-signed Cert */
+        inputStream = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        selfSignedCertPubKey = cf.generateCertificate(inputStream).getPublicKey();
+    }
+
+    private static void verifyCert(PublicKey key, String providerName)
+            throws CertificateException, NoSuchAlgorithmException,
+            InvalidKeyException, SignatureException {
+        Provider provider = Security.getProvider(providerName);
+        cert.verify(key, provider);
+    }
+}