List of usage examples for org.bouncycastle.cert.jcajce.JcaX509CertificateConverter (constructor JcaX509CertificateConverter())
public JcaX509CertificateConverter()
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
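/**
 * Tests that with REQUIREVALIDCHAIN=true only the signer certificate and its
 * issuer chain (issuer, the issuer's issuer, and so on) is accepted as the
 * configured certificate chain, and that this check is off by default.
 *
 * The chain under test is the worker's real chain with one unrelated
 * certificate appended. Without strict checking the worker must report no
 * fatal errors and still sign; with strict checking it must report exactly
 * one fatal error and refuse to sign.
 *
 * The worker's original certificate, chain and REQUIREVALIDCHAIN state are
 * restored in the finally block so later tests on WORKER1 start from the
 * same configuration this test started from.
 */
@Test
public void test11RequireValidChain() throws Exception {
    // Start from the default: the property is not set on the worker.
    workerSession.removeWorkerProperty(WORKER1, "REQUIREVALIDCHAIN");

    // The real configuration, kept so it can be restored afterwards.
    final List<Certificate> chain = workerSession.getSignerCertificateChain(WORKER1);
    final X509Certificate subject = (X509Certificate) workerSession.getSignerCertificate(WORKER1);

    // An unrelated certificate (its own key, not an issuer of anything in the
    // worker's chain); appending it is what makes the chain invalid.
    final X509Certificate unrelated = new JcaX509CertificateConverter()
            .getCertificate(new CertBuilder().setSubject("CN=Other cert").build());

    try {
        // Not a strictly valid chain: one extra certificate at the end.
        // (Some deployments may accept this; here we exercise the strict
        // mode selected by REQUIREVALIDCHAIN.)
        final List<Certificate> paddedChain = new LinkedList<Certificate>(chain);
        paddedChain.add(unrelated);
        workerSession.uploadSignerCertificate(WORKER1, subject.getEncoded(),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.uploadSignerCertificateChain(WORKER1, asListOfByteArrays(paddedChain),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.reloadConfiguration(WORKER1);

        // Default (non-strict): no fatal errors and signing works.
        WorkerStatus status = workerSession.getStatus(WORKER1);
        assertEquals("should be okey as aren't doing strict checking", 0,
                status.getFatalErrors().size());
        assertTokenGranted(WORKER1);

        // Strict mode: the padded chain must now be rejected.
        workerSession.setWorkerProperty(WORKER1, "REQUIREVALIDCHAIN", "true");
        workerSession.reloadConfiguration(WORKER1);

        status = workerSession.getStatus(WORKER1);
        assertEquals("should be offline as we don't have a valid chain", 1,
                status.getFatalErrors().size());
        assertTokenNotGranted(WORKER1);
    } finally {
        // Restore the property as well as the certificate and chain. The
        // property was previously left set to "true", which silently kept
        // strict chain checking switched on for every later test on WORKER1.
        workerSession.removeWorkerProperty(WORKER1, "REQUIREVALIDCHAIN");
        workerSession.uploadSignerCertificate(WORKER1, subject.getEncoded(),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.uploadSignerCertificateChain(WORKER1, asListOfByteArrays(chain),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.reloadConfiguration(WORKER1);
    }
}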
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
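/**
 * Tests that the worker reports fatal errors (status not OK) when the
 * configured signer certificate does not carry a critical extended key usage
 * holding id_kp_timeStamping and nothing else, as RFC 3161 section 2.3
 * requires of a TSA certificate. Four certificates are tried, all bound to
 * the worker's real public key so that only the EKU extension differs:
 * <ul>
 *   <li>no EKU at all: two errors (timeStamping missing, extension not critical)</li>
 *   <li>critical id_kp_timeStamping only: no errors</li>
 *   <li>non-critical id_kp_timeStamping: one error (extension not critical)</li>
 *   <li>critical id_kp_timeStamping plus emailProtection: one error (extra purpose)</li>
 * </ul>
 * The worker's original certificate and chain are restored afterwards.
 *
 * Fix relative to the previous version: in the non-critical case the error
 * text was taken from the status fetched for the FIRST certificate instead
 * of the freshly fetched one, so the "critical" text check there could not
 * fail. The errors are now read from the current status in every case.
 */
@Test
public void test12WrongEkuInSignerCertificate() throws Exception {
    final List<Certificate> chain = workerSession.getSignerCertificateChain(WORKER2);
    final X509Certificate subject = (X509Certificate) workerSession.getSignerCertificate(WORKER2);

    // Certificate without any extended key usage
    final X509Certificate certNoEku = new JcaX509CertificateConverter().getCertificate(
            new CertBuilder().setSubject("CN=Without EKU")
                    .setSubjectPublicKey(subject.getPublicKey())
                    .build());

    // Certificate with non-critical id_kp_timeStamping
    boolean critical = false;
    final X509Certificate certEku = new JcaX509CertificateConverter().getCertificate(
            new CertBuilder().setSubject("CN=With non-critical EKU")
                    .setSubjectPublicKey(subject.getPublicKey())
                    .addExtension(new CertExt(X509Extension.extendedKeyUsage, critical,
                            new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)))
                    .build());

    // OK: certificate with critical id_kp_timeStamping
    critical = true;
    final X509Certificate certCritEku = new JcaX509CertificateConverter().getCertificate(
            new CertBuilder().setSubject("CN=With critical EKU")
                    .setSubjectPublicKey(subject.getPublicKey())
                    .addExtension(new CertExt(X509Extension.extendedKeyUsage, critical,
                            new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)))
                    .build());

    // Certificate with an additional extended key usage besides id_kp_timeStamping
    final X509Certificate certCritEkuAndAdditional = new JcaX509CertificateConverter().getCertificate(
            new CertBuilder().setSubject("CN=With critical EKU")
                    .setSubjectPublicKey(subject.getPublicKey())
                    .addExtension(new CertExt(X509Extension.extendedKeyUsage, critical,
                            new ExtendedKeyUsage(new KeyPurposeId[] {
                                    KeyPurposeId.id_kp_timeStamping,
                                    KeyPurposeId.id_kp_emailProtection })))
                    .build());

    try {
        // Fail: no id_kp_timeStamping (and consequently no critical EKU either)
        workerSession.uploadSignerCertificate(WORKER2, certNoEku.getEncoded(),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.uploadSignerCertificateChain(WORKER2, Arrays.asList(certNoEku.getEncoded()),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.reloadConfiguration(WORKER2);
        WorkerStatus actualStatus = workerSession.getStatus(WORKER2);
        List<String> errors = actualStatus.getFatalErrors();
        String errorsString = errors.toString();
        LOG.info("errorsString: " + errorsString);
        assertEquals(2, errors.size());
        // The text checks below will need adjustment if the error wording changes
        assertTrue("error should talk about missing extended key usage timeStamping: " + errorsString,
                errorsString.contains("timeStamping"));
        assertTrue("error should talk about missing critical extension: " + errorsString,
                errorsString.contains("critical"));

        // OK: critical id_kp_timeStamping
        workerSession.uploadSignerCertificate(WORKER2, certCritEku.getEncoded(),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.uploadSignerCertificateChain(WORKER2, Arrays.asList(certCritEku.getEncoded()),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.reloadConfiguration(WORKER2);
        actualStatus = workerSession.getStatus(WORKER2);
        assertEquals(0, actualStatus.getFatalErrors().size());

        // Fail: non-critical id_kp_timeStamping
        workerSession.uploadSignerCertificate(WORKER2, certEku.getEncoded(),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.uploadSignerCertificateChain(WORKER2, Arrays.asList(certEku.getEncoded()),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.reloadConfiguration(WORKER2);
        actualStatus = workerSession.getStatus(WORKER2);
        // Read the errors of THIS status. Previously the list from the first
        // upload was reused here, which made the text check below meaningless.
        errors = actualStatus.getFatalErrors();
        errorsString = errors.toString();
        assertEquals(1, errors.size());
        // Error should talk about the EKU not being critical
        assertTrue("errorString: " + errorsString, errorsString.contains("critical"));

        // Fail: additional extended key usage besides timeStamping
        workerSession.uploadSignerCertificate(WORKER2, certCritEkuAndAdditional.getEncoded(),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.uploadSignerCertificateChain(WORKER2,
                Arrays.asList(certCritEkuAndAdditional.getEncoded()), GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.reloadConfiguration(WORKER2);
        actualStatus = workerSession.getStatus(WORKER2);
        errors = actualStatus.getFatalErrors();
        errorsString = errors.toString();
        assertEquals(1, errors.size());
        assertTrue("Should mention additional extended key usages: " + errorsString,
                errorsString.contains("No other extended key usages than timeStamping is allowed"));
    } finally {
        // Restore the worker's real certificate and chain
        workerSession.uploadSignerCertificate(WORKER2, subject.getEncoded(),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.uploadSignerCertificateChain(WORKER2, asListOfByteArrays(chain),
                GlobalConfiguration.SCOPE_GLOBAL);
        workerSession.reloadConfiguration(WORKER2);
    }
}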
From source file:org.signserver.module.xades.signer.XAdESSignerUnitTest.java
License:Open Source License
/**
 * Creates a mocked crypto token holding a freshly generated key pair of the
 * requested type and a self-signed certificate for it.
 *
 * The certificate's notBefore is set to MockedTimeStampTokenProvider.TIMESTAMP
 * (presumably so it is already valid at the mocked time-stamp time; verify
 * against the provider). The chain consists of the self-signed certificate
 * only.
 *
 * NOTE(review): 1024-bit RSA/DSA and SHA-1 signatures are far below current
 * minimums; they are acceptable only because this is a throwaway unit-test
 * fixture and must not be copied into production code.
 *
 * @param keyType RSA, DSA or ECDSA
 * @return a token backed by the generated key pair and certificate, provider "BC"
 * @throws NoSuchAlgorithmException for any other key type
 */
private static MockedCryptoToken generateToken(final KeyType keyType) throws Exception {
    final KeyPair keys;
    final String sigAlg;
    switch (keyType) {
    case RSA:
        keys = CryptoUtils.generateRSA(1024);
        sigAlg = "SHA1withRSA";
        break;
    case DSA:
        keys = CryptoUtils.generateDSA(1024);
        sigAlg = "SHA1withDSA";
        break;
    case ECDSA:
        keys = CryptoUtils.generateEcCurve("prime256v1");
        sigAlg = "SHA1withECDSA";
        break;
    default:
        throw new NoSuchAlgorithmException("Invalid key algorithm");
    }

    // Self-signed certificate for the generated key; it is both the signer
    // certificate and the only element of the chain.
    final X509CertificateHolder holder = new CertBuilder()
            .setSelfSignKeyPair(keys)
            .setNotBefore(new Date(MockedTimeStampTokenProvider.TIMESTAMP))
            .setSignatureAlgorithm(sigAlg)
            .build();
    final Certificate selfSigned = new JcaX509CertificateConverter().getCertificate(holder);
    final Certificate[] chain = new Certificate[] { selfSigned };

    return new MockedCryptoToken(keys.getPrivate(), keys.getPublic(), selfSigned,
            Arrays.asList(chain), "BC");
}
From source file:org.signserver.module.xades.signer.XAdESSignerUnitTest.java
License:Open Source License
/**
 * Creates a mocked crypto token whose signer certificate sits below an
 * intermediate CA: Root (self-signed) -> Sub -> Signer 1. All three key
 * pairs are fresh 1024-bit RSA keys, which is far below current minimums and
 * acceptable only for this throwaway test fixture.
 *
 * NOTE(review): basicConstraints and keyUsage are added as non-critical
 * extensions (the {@code false} argument). RFC 5280 requires basicConstraints
 * to be critical in CA certificates; the fixture is kept as is so that the
 * validator's behaviour on it is unchanged.
 *
 * @return a token holding Signer 1's private key and the full three-element
 *         chain (signer, sub CA, root), provider "BC"
 */
private static MockedCryptoToken generateTokenWithIntermediateCert() throws Exception {
    final JcaX509CertificateConverter converter = new JcaX509CertificateConverter();

    // Root CA: self-signed, CA=true, keyCertSign|cRLSign
    final KeyPair rootKeys = CryptoUtils.generateRSA(1024);
    final X509CertificateHolder rootHolder = new CertBuilder()
            .setSelfSignKeyPair(rootKeys)
            .setSubject("CN=Root, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.keyUsage, false,
                    new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign)))
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true)))
            .build();

    // Sub CA: issued by the root, CA=true, keyCertSign|cRLSign
    final KeyPair subKeys = CryptoUtils.generateRSA(1024);
    final X509CertificateHolder subHolder = new CertBuilder()
            .setIssuerPrivateKey(rootKeys.getPrivate())
            .setIssuer(rootHolder.getSubject())
            .setSubjectPublicKey(subKeys.getPublic())
            .setSubject("CN=Sub, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.keyUsage, false,
                    new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign)))
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true)))
            .build();

    // End entity: issued by the sub CA, CA=false
    final KeyPair signerKeys = CryptoUtils.generateRSA(1024);
    final X509CertificateHolder signerHolder = new CertBuilder()
            .setIssuerPrivateKey(subKeys.getPrivate())
            .setIssuer(subHolder.getSubject())
            .setSubjectPublicKey(signerKeys.getPublic())
            .setSubject("CN=Signer 1, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .build();

    // Chain order is leaf first, root last.
    final Certificate signerCert = converter.getCertificate(signerHolder);
    final Certificate subCert = converter.getCertificate(subHolder);
    final Certificate rootCert = converter.getCertificate(rootHolder);
    final List<Certificate> chain = Arrays.asList(signerCert, subCert, rootCert);

    return new MockedCryptoToken(signerKeys.getPrivate(), signerKeys.getPublic(),
            converter.getCertificate(signerHolder), chain, "BC");
}
From source file:org.signserver.module.xades.validator.AbstractCustomCertPathChecker.java
License:Open Source License
/**
 * Finds the authorized OCSP responder certificate inside a basic OCSP response.
 *
 * The candidates are the certificates the response itself carries. Of those,
 * a certificate qualifies if it has the id-kp-OCSPSigning extended key usage
 * AND its public key verifies the response signature; the first such
 * candidate is returned. Several embedded certificates may carry the EKU,
 * which is why the signature check is needed to pick the right one.
 *
 * NOTE: RFC 2560 does not state that this must be an end-entity certificate.
 *
 * NOTE(review): this only establishes that the response was signed by a key
 * whose certificate claims id-kp-OCSPSigning. The candidate certificates come
 * from the response, i.e. from the party being trusted, so any responder can
 * embed a self-issued one. Whether the returned certificate actually chains
 * to the CA that issued the certificate being checked (RFC 2560 section
 * 4.2.2.2, authorized responder) is not verified here and must be done by
 * the caller -- confirm this is the case.
 *
 * @param basicOCSPResponse the basic OCSP response to inspect
 * @return the responder certificate, or null if no embedded certificate with
 *         the OCSPSigning EKU verifies the response signature
 * @throws OCSPException if the signature check fails to run
 * @throws NoSuchProviderException if the "BC" provider is not available
 * @throws NoSuchAlgorithmException if the signature algorithm is unsupported
 * @throws CertStoreException if the embedded certificates cannot be searched
 * @throws CertificateEncodingException if an embedded certificate cannot be encoded
 * @throws OperatorCreationException if no verifier can be built for a candidate
 */
@SuppressWarnings("unchecked")
private X509Certificate getAuthorizedOCSPRespondersCertificateFromOCSPResponse(
        BasicOCSPResp basicOCSPResponse)
        throws NoSuchAlgorithmException, NoSuchProviderException, OCSPException, CertStoreException,
        CertificateEncodingException, OperatorCreationException {
    final X509CertificateHolder[] embedded = basicOCSPResponse.getCerts();
    final Store embeddedStore = new JcaCertStore(Arrays.asList(embedded));

    // Candidates: every embedded certificate carrying id-kp-OCSPSigning.
    final X509ExtendedKeyUsageExistsCertSelector ocspSignerSelector =
            new X509ExtendedKeyUsageExistsCertSelector(KeyPurposeId.id_kp_OCSPSigning.getId());
    final Collection<X509CertificateHolder> candidates =
            (Collection<X509CertificateHolder>) embeddedStore.getMatches(ocspSignerSelector);

    for (final X509CertificateHolder candidate : candidates) {
        if (candidate == null) {
            continue;
        }
        try {
            // Keep the candidate that actually signed this response.
            if (basicOCSPResponse.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(candidate))) {
                return new JcaX509CertificateConverter().getCertificate(candidate);
            }
        } catch (CertificateException ignored) {
            // A candidate that cannot be turned into a verifier or a JCA
            // certificate is skipped; the remaining candidates are still tried.
        }
    }
    return null;
}
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
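/**
 * Builds the PKI shared by all tests: a self-signed root CA, two sub CAs,
 * five signer certificates, two OCSP responder certificates, the CRLs the
 * tests switch between, and one XAdES-signed document per signer.
 *
 * <pre>
 *   Root (CN=Root)
 *    |-- Sub 1 (CDP -> rootcaCRLFile)
 *    |     `-- Signer 2 (CDP -> subca1CRLFile)
 *    |-- Sub 2 (AIA -> http://ocsp.example.com)
 *    |     |-- Signer 4 (AIA)
 *    |     `-- OCSP Responder 2 (EKU OCSPSigning, ocsp-nocheck)
 *    |-- Signer 1 (CDP -> rootcaCRLFile)
 *    |-- Signer 3 (AIA)
 *    |-- Signer 5 (CDP + AIA)
 *    `-- OCSP Responder 1 (EKU OCSPSigning, ocsp-nocheck)
 * </pre>
 *
 * Everything the tests read (certificates, tokens, CRLs, signed documents,
 * CRL file locations) is stored in the static fields. All keys are 1024-bit
 * RSA, which is far below current minimums and acceptable only because these
 * are throwaway test fixtures. The CA extensions are added as non-critical;
 * RFC 5280 requires basicConstraints to be critical in CA certificates, but
 * the fixture is kept that way so the validator's behaviour is unchanged.
 *
 * Fixes relative to the previous version: token5 was constructed with
 * signer1Cert as its signer certificate while signing with signer 5's key
 * pair (chain5 already held signer5Cert); it now uses signer5Cert. Signed
 * documents are decoded as UTF-8 explicitly instead of the platform default,
 * and the repeated "sign a document" / AIA / chain-logging code is factored
 * into helpers.
 */
@BeforeClass
public static void setUpClass() throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    final JcaX509CertificateConverter conv = new JcaX509CertificateConverter();

    // CRL files referenced from the CDP extensions; the tests write the CRL
    // they want into them (see updateCRLs).
    rootcaCRLFile = File.createTempFile("xadestest-", "-rootca.crl");
    LOG.debug("rootcaCRLFile: " + rootcaCRLFile);
    subca1CRLFile = File.createTempFile("xadestest-", "-subca.crl");
    LOG.debug("subcaCRLFile: " + subca1CRLFile);

    // Root CA (self-signed)
    rootcaKeyPair = CryptoUtils.generateRSA(1024);
    anotherKeyPair = CryptoUtils.generateRSA(1024);
    rootcaCert = new CertBuilder()
            .setSelfSignKeyPair(rootcaKeyPair)
            .setSubject("CN=Root, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.keyUsage, false, new X509KeyUsage(
                    X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign | X509KeyUsage.digitalSignature)))
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true)))
            .build();

    // Sub CA 1: issued by the root, revocation via the root CRL file
    final KeyPair subca1KeyPair = CryptoUtils.generateRSA(1024);
    subca1Cert = new CertBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .setSubjectPublicKey(subca1KeyPair.getPublic())
            .addCDPURI(rootcaCRLFile.toURI().toURL().toExternalForm())
            .setSubject("CN=Sub 1, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.keyUsage, false,
                    new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign)))
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true)))
            .build();

    // Sub CA 2: issued by the root, revocation via OCSP (AIA) instead of a CDP
    subca2KeyPair = CryptoUtils.generateRSA(1024);
    subca2Cert = new CertBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .setSubjectPublicKey(subca2KeyPair.getPublic())
            .setSubject("CN=Sub 2, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.keyUsage, false, new X509KeyUsage(
                    X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign | X509KeyUsage.digitalSignature)))
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true)))
            .addExtension(ocspAccessExtension())
            .build();

    // Signer 1: issued directly by the root CA, CDP -> rootcaCRLFile
    final KeyPair signer1KeyPair = CryptoUtils.generateRSA(1024);
    final X509CertificateHolder signer1Cert = new CertBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .setSubjectPublicKey(signer1KeyPair.getPublic())
            .setSubject("CN=Signer 1, O=XAdES Test, C=SE")
            .addCDPURI(rootcaCRLFile.toURI().toURL().toExternalForm())
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .build();
    final List<Certificate> chain1 = Arrays.<Certificate>asList(
            conv.getCertificate(signer1Cert), conv.getCertificate(rootcaCert));
    token1 = new MockedCryptoToken(signer1KeyPair.getPrivate(), signer1KeyPair.getPublic(),
            conv.getCertificate(signer1Cert), chain1, "BC");
    debugChain("Chain 1", chain1);

    // Sign a document by signer 1
    signedXml1 = signWithMockedToken(token1, 4712, "0000-201-1", 201, "<test201/>");
    LOG.debug("Signed document by signer 1:\n\n" + signedXml1 + "\n");

    // Signer 2: issued by sub CA 1, CDP -> subca1CRLFile
    final KeyPair signer2KeyPair = CryptoUtils.generateRSA(1024);
    final X509CertificateHolder signer2Cert = new CertBuilder()
            .setIssuerPrivateKey(subca1KeyPair.getPrivate())
            .setIssuer(subca1Cert.getSubject())
            .setSubjectPublicKey(signer2KeyPair.getPublic())
            .setSubject("CN=Signer 2, O=XAdES Test, C=SE")
            .addCDPURI(subca1CRLFile.toURI().toURL().toExternalForm())
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .build();
    final List<Certificate> chain2 = Arrays.<Certificate>asList(
            conv.getCertificate(signer2Cert), conv.getCertificate(subca1Cert),
            conv.getCertificate(rootcaCert));
    token2 = new MockedCryptoToken(signer2KeyPair.getPrivate(), signer2KeyPair.getPublic(),
            conv.getCertificate(signer2Cert), chain2, "BC");
    debugChain("Chain 2", chain2);

    // Sign a document by signer 2
    signedXml2 = signWithMockedToken(token2, 4713, "0000-202-1", 202, "<test202/>");
    LOG.debug("Signed document by signer 2:\n\n" + signedXml2 + "\n");

    // CRLs with nothing revoked (empty CRLs)
    rootcaCRLEmpty = new CRLBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .build();
    subca1CRLEmpty = new CRLBuilder()
            .setIssuerPrivateKey(subca1KeyPair.getPrivate())
            .setIssuer(subca1Cert.getSubject())
            .build();

    // Root CRL revoking both sub CA 1 and signer 1 (key compromise)
    rootcaCRLSubCAAndSigner1Revoked = new CRLBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .addCRLEntry(subca1Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise)
            .addCRLEntry(signer1Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise)
            .build();

    // Sub CA 1 CRL revoking signer 2 (key compromise)
    subca1CRLSigner2Revoked = new CRLBuilder()
            .setIssuerPrivateKey(subca1KeyPair.getPrivate())
            .setIssuer(subca1Cert.getSubject())
            .addCRLEntry(signer2Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise)
            .build();

    // CRL carrying sub CA 1's issuer DN but signed with whatever key
    // CRLBuilder uses by default, i.e. NOT sub CA 1's key.
    otherCRL = new CRLBuilder()
            .setIssuer(subca1Cert.getSubject())
            .build();

    // Signer 3: issued by the root CA, OCSP AIA in the signer certificate
    final KeyPair signer3KeyPair = CryptoUtils.generateRSA(1024);
    signer3Cert = new CertBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .setSubjectPublicKey(signer3KeyPair.getPublic())
            .setSubject("CN=Signer 3, O=XAdES Test, C=SE")
            .addExtension(ocspAccessExtension())
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .build();
    final List<Certificate> chain3 = Arrays.<Certificate>asList(
            conv.getCertificate(signer3Cert), conv.getCertificate(rootcaCert));
    token3 = new MockedCryptoToken(signer3KeyPair.getPrivate(), signer3KeyPair.getPublic(),
            conv.getCertificate(signer3Cert), chain3, "BC");
    debugChain("Chain 3", chain3);

    // Signer 4: issued by sub CA 2, OCSP AIA in the signer certificate
    final KeyPair signer4KeyPair = CryptoUtils.generateRSA(1024);
    signer4Cert = new CertBuilder()
            .setIssuerPrivateKey(subca2KeyPair.getPrivate())
            .setIssuer(subca2Cert.getSubject())
            .setSubjectPublicKey(signer4KeyPair.getPublic())
            .setSubject("CN=Signer 4, O=XAdES Test, C=SE")
            .addExtension(ocspAccessExtension())
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .build();
    final List<Certificate> chain4 = Arrays.<Certificate>asList(
            conv.getCertificate(signer4Cert), conv.getCertificate(subca2Cert),
            conv.getCertificate(rootcaCert));
    token4 = new MockedCryptoToken(signer4KeyPair.getPrivate(), signer4KeyPair.getPublic(),
            conv.getCertificate(signer4Cert), chain4, "BC");
    debugChain("Chain 4", chain4);

    // OCSP responder 1: issued by the root CA, EKU OCSPSigning + ocsp-nocheck
    ocspSigner1KeyPair = CryptoUtils.generateRSA(1024);
    ocspSigner1Cert = new CertBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .setSubjectPublicKey(ocspSigner1KeyPair.getPublic())
            .setSubject("CN=OCSP Responder 1, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .addExtension(new CertExt(Extension.extendedKeyUsage, false,
                    new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning)))
            .addExtension(new CertExt(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, new DERNull()))
            .build();

    // OCSP responder 2: issued by sub CA 2, EKU OCSPSigning + ocsp-nocheck
    ocspSigner2KeyPair = CryptoUtils.generateRSA(1024);
    ocspSigner2Cert = new CertBuilder()
            .setIssuerPrivateKey(subca2KeyPair.getPrivate())
            .setIssuer(subca2Cert.getSubject())
            .setSubjectPublicKey(ocspSigner2KeyPair.getPublic())
            .setSubject("CN=OCSP Responder 2, O=XAdES Test, C=SE")
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .addExtension(new CertExt(Extension.extendedKeyUsage, false,
                    new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning)))
            .addExtension(new CertExt(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, new DERNull()))
            .build();

    // Sign a document by signer 3 (request id kept as in the original fixture)
    signedXml3 = signWithMockedToken(token3, 4714, "0000-203-1", 202, "<test203/>");
    LOG.debug("Signed document by signer 3:\n\n" + signedXml3 + "\n");

    // Sign a document by signer 4 (request id kept as in the original fixture)
    signedXml4 = signWithMockedToken(token4, 4715, "0000-204-1", 203, "<test204/>");
    LOG.debug("Signed document by signer 4:\n\n" + signedXml4 + "\n");

    // Signer 5: issued directly by the root CA, both a CDP and an OCSP AIA
    final KeyPair signer5KeyPair = CryptoUtils.generateRSA(1024);
    signer5Cert = new CertBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .setSubjectPublicKey(signer5KeyPair.getPublic())
            .setSubject("CN=Signer 5, O=XAdES Test, C=SE")
            .addCDPURI(rootcaCRLFile.toURI().toURL().toExternalForm())
            .addExtension(ocspAccessExtension())
            .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false)))
            .build();
    final List<Certificate> chain5 = Arrays.<Certificate>asList(
            conv.getCertificate(signer5Cert), conv.getCertificate(rootcaCert));
    // The token's signer certificate must be signer 5's own certificate (the
    // one whose public key matches signer5KeyPair); it was signer1Cert before.
    token5 = new MockedCryptoToken(signer5KeyPair.getPrivate(), signer5KeyPair.getPublic(),
            conv.getCertificate(signer5Cert), chain5, "BC");
    debugChain("Chain 5", chain5);

    // Sign a document by signer 5
    signedXml5 = signWithMockedToken(token5, 4712, "0000-205-1", 205, "<test205/>");
    LOG.debug("Signed document by signer 5:\n\n" + signedXml5 + "\n");

    // Root CRL revoking signer 5 (key compromise)
    rootcaCRLSigner5Revoked = new CRLBuilder()
            .setIssuerPrivateKey(rootcaKeyPair.getPrivate())
            .setIssuer(rootcaCert.getSubject())
            .addCRLEntry(signer5Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise)
            .build();
}

/**
 * Signs {@code document} with a mocked XAdES signer backed by {@code token}
 * and returns the signed XML.
 *
 * @param token         crypto token holding the signer key and chain
 * @param workerId      worker id passed to init()
 * @param transactionId value stored under RequestContext.TRANSACTION_ID
 * @param requestId     id of the GenericSignRequest
 * @param document      XML to sign, encoded as UTF-8 before signing
 * @return the processed (signed) data decoded as UTF-8
 */
private static String signWithMockedToken(final MockedCryptoToken token, final int workerId,
        final String transactionId, final int requestId, final String document) throws Exception {
    final XAdESSigner signer = new MockedXAdESSigner(token);
    final WorkerConfig config = new WorkerConfig();
    signer.init(workerId, config, null, null);
    final RequestContext requestContext = new RequestContext();
    requestContext.put(RequestContext.TRANSACTION_ID, transactionId);
    final GenericSignRequest request = new GenericSignRequest(requestId, document.getBytes("UTF-8"));
    final GenericSignResponse response =
            (GenericSignResponse) signer.processData(request, requestContext);
    // Decode with the same encoding the input was given in rather than the
    // platform default.
    return new String(response.getProcessedData(), "UTF-8");
}

/** Logs a certificate chain as PEM at debug level, prefixed by {@code label}. */
private static void debugChain(final String label, final List<Certificate> chain) throws Exception {
    LOG.debug(label + ": \n" + new String(CertTools.getPEMFromCerts(chain), "ASCII") + "\n");
}

/** Non-critical AIA extension pointing at the placeholder OCSP URL used by the tests. */
private static CertExt ocspAccessExtension() {
    return new CertExt(Extension.authorityInfoAccess, false,
            new AuthorityInformationAccess(AccessDescription.id_ad_ocsp,
                    new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.example.com")));
}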
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
/** * Test validation of document signed by signer1 without revocation checking. *///from ww w .ja v a2s . co m @Test public void testSigner1_noRevocationChecking() throws Exception { LOG.info("signer1"); XAdESValidator instance = new XAdESValidator(); WorkerConfig config = new WorkerConfig(); config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts( Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))))); config.setProperty("REVOCATION_CHECKING", "false"); updateCRLs(rootcaCRLEmpty, subca1CRLEmpty); instance.init(4714, config, null, null); RequestContext requestContext = new RequestContext(); requestContext.put(RequestContext.TRANSACTION_ID, "0000-300-0"); GenericValidationRequest request = new GenericValidationRequest(300, signedXml1.getBytes("UTF-8")); GenericValidationResponse response = (GenericValidationResponse) instance.processData(request, requestContext); assertTrue("valid document", response.isValid()); assertNotNull("returned signer cert", response.getSignerCertificate()); assertEquals("cert validation status", Validation.Status.VALID, response.getCertificateValidation().getStatus()); }
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
/**
 * Validates the document signed by signer 1 with CRL-based revocation
 * checking enabled and CRLs in which nothing is revoked. Only the root CA is
 * a trust anchor. Expects a valid document, a returned signer certificate
 * and certificate status VALID.
 */
@Test
public void testSigner1_crlNoRevoked() throws Exception {
    LOG.info("signer1");

    // Both CRLs empty: no certificate revoked
    updateCRLs(rootcaCRLEmpty, subca1CRLEmpty);

    // Trust only the root CA
    final Certificate trustAnchor = new JcaX509CertificateConverter().getCertificate(rootcaCert);
    final String trustAnchorPem = new String(CertTools.getPEMFromCerts(Arrays.asList(trustAnchor)));

    final WorkerConfig workerConfig = new WorkerConfig();
    workerConfig.setProperty("TRUSTANCHORS", trustAnchorPem);
    workerConfig.setProperty("REVOCATION_CHECKING", "true");

    final XAdESValidator validator = new XAdESValidator();
    validator.init(4714, workerConfig, null, null);

    final RequestContext context = new RequestContext();
    context.put(RequestContext.TRANSACTION_ID, "0000-301-1");
    final GenericValidationRequest validationRequest =
            new GenericValidationRequest(301, signedXml1.getBytes("UTF-8"));
    final GenericValidationResponse result =
            (GenericValidationResponse) validator.processData(validationRequest, context);

    assertTrue("valid document", result.isValid());
    assertNotNull("returned signer cert", result.getSignerCertificate());
    assertEquals("cert validation status", Validation.Status.VALID,
            result.getCertificateValidation().getStatus());
}
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
/**
 * Validates the document signed by signer 1 with CRL-based revocation
 * checking enabled and a root CRL that revokes signer 1 (and sub CA 1).
 * Expects the document to be reported invalid and the certificate status to
 * be something other than VALID. (The assertion message "valid document"
 * is kept from the original; the assertion itself checks for NOT valid.)
 */
@Test
public void testSigner1_crlSignerRevoked() throws Exception {
    LOG.info("testSigner1_crlSignerRevoked");

    // Root CRL lists signer 1 as revoked; sub CA 1 CRL is empty
    updateCRLs(rootcaCRLSubCAAndSigner1Revoked, subca1CRLEmpty);

    // Trust only the root CA
    final Certificate trustAnchor = new JcaX509CertificateConverter().getCertificate(rootcaCert);
    final String trustAnchorPem = new String(CertTools.getPEMFromCerts(Arrays.asList(trustAnchor)));

    final WorkerConfig workerConfig = new WorkerConfig();
    workerConfig.setProperty("TRUSTANCHORS", trustAnchorPem);
    workerConfig.setProperty("REVOCATION_CHECKING", "true");

    final XAdESValidator validator = new XAdESValidator();
    validator.init(4714, workerConfig, null, null);

    final RequestContext context = new RequestContext();
    context.put(RequestContext.TRANSACTION_ID, "0000-302-1");
    final GenericValidationRequest validationRequest =
            new GenericValidationRequest(302, signedXml1.getBytes("UTF-8"));
    final GenericValidationResponse result =
            (GenericValidationResponse) validator.processData(validationRequest, context);

    assertFalse("valid document", result.isValid());
    assertNotEquals("cert validation status", Validation.Status.VALID,
            result.getCertificateValidation().getStatus());
}
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
/** * Test validation of document signed by signer2 without revocation checking. */// w w w. j a v a2 s . c o m @Test public void testSigner2_noRevocationChecking() throws Exception { LOG.info("signer2"); XAdESValidator instance = new XAdESValidator(); WorkerConfig config = new WorkerConfig(); config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts( Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))))); // We need to configure intermediate certificate as XAdES4j does not seem to include intermediate certificates in the signed document config.setProperty("CERTIFICATES", new String(CertTools.getPEMFromCerts( Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(subca1Cert))))); config.setProperty("REVOCATION_CHECKING", "false"); updateCRLs(rootcaCRLEmpty, subca1CRLEmpty); instance.init(4714, config, null, null); RequestContext requestContext = new RequestContext(); requestContext.put(RequestContext.TRANSACTION_ID, "0000-303-1"); GenericValidationRequest request = new GenericValidationRequest(303, signedXml2.getBytes("UTF-8")); GenericValidationResponse response = (GenericValidationResponse) instance.processData(request, requestContext); assertTrue("valid document", response.isValid()); assertNotNull("returned signer cert", response.getSignerCertificate()); assertEquals("cert validation status", Validation.Status.VALID, response.getCertificateValidation().getStatus()); }