List of usage examples for org.bouncycastle.cert.jcajce JcaX509CertificateConverter JcaX509CertificateConverter
public JcaX509CertificateConverter()
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
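/**
 * Positive test for signer 4 where an OCSP response is signed by an external
 * responder and returns the status GOOD for the signer 4 certificate.
 *
 * <p>The validator's OCSP query is stubbed so that no network access happens:
 * a request whose issuer matches {@code subca2Cert} is answered by the SubCA 2
 * responder ({@code ocspSigner2Cert}), any other request by the Root CA
 * responder ({@code ocspSigner1Cert}). Both answers carry status GOOD, so the
 * document and its certificate chain are expected to validate.
 *
 * @throws Exception on any unexpected failure in the test setup
 */
@Test
public void testSigner4_withOnlyOCSP_responder_ok() throws Exception {
    LOG.info("testSigner4_withOnlyOCSP_responder_ok");

    // Every OCSP request the validator sends is recorded so the test can assert
    // that both the signer and the sub CA certificate were checked.
    final ArrayList<OCSPReq> requests = new ArrayList<OCSPReq>();

    XAdESValidator instance = new XAdESValidator() {
        @Override
        protected OCSPResponse doQueryOCSPResponder(URL url, OCSPReq request)
                throws IOException, OCSPException {
            try {
                requests.add(request);
                final BcDigestCalculatorProvider digestProvider = new BcDigestCalculatorProvider();
                final AlgorithmIdentifier sha1 = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
                // SubCA 2 responder else RootCA responder
                if (request.getRequestList()[0].getCertID().matchesIssuer(subca2Cert, digestProvider)) {
                    return convert(new OCSPResponseBuilder()
                            .addResponse(new OcspRespObject(
                                    new CertificateID(digestProvider.get(sha1), subca2Cert,
                                            signer4Cert.getSerialNumber()),
                                    CertificateStatus.GOOD))
                            .setResponseSignerCertificate(
                                    new JcaX509CertificateConverter().getCertificate(ocspSigner2Cert))
                            .setIssuerPrivateKey(ocspSigner2KeyPair.getPrivate())
                            .setChain(new X509CertificateHolder[] { ocspSigner2Cert })
                            .build());
                } else {
                    return convert(new OCSPResponseBuilder()
                            .addResponse(new OcspRespObject(
                                    new CertificateID(digestProvider.get(sha1), rootcaCert,
                                            subca2Cert.getSerialNumber()),
                                    CertificateStatus.GOOD))
                            .setResponseSignerCertificate(
                                    new JcaX509CertificateConverter().getCertificate(ocspSigner1Cert))
                            .setIssuerPrivateKey(ocspSigner1KeyPair.getPrivate())
                            .setChain(new X509CertificateHolder[] { ocspSigner1Cert })
                            .build());
                }
            } catch (Exception ex) {
                throw new RuntimeException(ex);
            }
        }
    };

    WorkerConfig config = new WorkerConfig();
    // PEM is ASCII, but decode it with an explicit charset rather than the
    // platform default, consistent with the explicit "UTF-8" used for the document.
    config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))), "UTF-8"));
    config.setProperty("CERTIFICATES", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(subca2Cert))), "UTF-8"));
    config.setProperty("REVOCATION_CHECKING", "true");
    instance.init(4715, config, null, null);

    RequestContext requestContext = new RequestContext();
    requestContext.put(RequestContext.TRANSACTION_ID, "0000-407-2");
    GenericValidationRequest request = new GenericValidationRequest(407, signedXml4.getBytes("UTF-8"));
    GenericValidationResponse response =
            (GenericValidationResponse) instance.processData(request, requestContext);

    // One request for the signer certificate (SubCA 2 responder) and one for
    // the SubCA 2 certificate (Root CA responder).
    assertEquals("OCSP calls", 2, requests.size());
    assertTrue("valid document", response.isValid());
    assertEquals("cert validation status", Validation.Status.VALID,
            response.getCertificateValidation().getStatus());
}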
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
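/**
 * Negative test for signer 4 where an OCSP response is signed by the sub CA 2
 * responder and returns the status REVOKED for the signer 4 certificate.
 *
 * <p>The validator's OCSP query is stubbed so that no network access happens:
 * a request whose issuer matches {@code subca2Cert} is answered with REVOKED
 * by the SubCA 2 responder ({@code ocspSigner2Cert}), any other request with
 * GOOD by the Root CA responder ({@code ocspSigner1Cert}). Because the signer
 * itself is revoked, the document must not validate.
 *
 * @throws Exception on any unexpected failure in the test setup
 */
@Test
public void testSigner4_withOnlyOCSP_certRevoked() throws Exception {
    LOG.info("testSigner4_withOnlyOCSP_certRevoked");

    // Every OCSP request the validator sends is recorded so the test can assert
    // how many certificates were checked.
    final ArrayList<OCSPReq> requests = new ArrayList<OCSPReq>();

    XAdESValidator instance = new XAdESValidator() {
        @Override
        protected OCSPResponse doQueryOCSPResponder(URL url, OCSPReq request)
                throws IOException, OCSPException {
            try {
                requests.add(request);
                final BcDigestCalculatorProvider digestProvider = new BcDigestCalculatorProvider();
                final AlgorithmIdentifier sha1 = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
                // SubCA 2 responder else RootCA responder
                if (request.getRequestList()[0].getCertID().matchesIssuer(subca2Cert, digestProvider)) {
                    // Fixed revocation time in January 2014, reason code 1
                    // (keyCompromise in the RFC 5280 CRLReason enumeration).
                    return convert(new OCSPResponseBuilder()
                            .addResponse(new OcspRespObject(
                                    new CertificateID(digestProvider.get(sha1), subca2Cert,
                                            signer4Cert.getSerialNumber()),
                                    new RevokedStatus(new Date(1389884758000L), 1)))
                            .setResponseSignerCertificate(
                                    new JcaX509CertificateConverter().getCertificate(ocspSigner2Cert))
                            .setIssuerPrivateKey(ocspSigner2KeyPair.getPrivate())
                            .setChain(new X509CertificateHolder[] { ocspSigner2Cert })
                            .build());
                } else {
                    return convert(new OCSPResponseBuilder()
                            .addResponse(new OcspRespObject(
                                    new CertificateID(digestProvider.get(sha1), rootcaCert,
                                            subca2Cert.getSerialNumber()),
                                    CertificateStatus.GOOD))
                            .setResponseSignerCertificate(
                                    new JcaX509CertificateConverter().getCertificate(ocspSigner1Cert))
                            .setIssuerPrivateKey(ocspSigner1KeyPair.getPrivate())
                            .setChain(new X509CertificateHolder[] { ocspSigner1Cert })
                            .build());
                }
            } catch (Exception ex) {
                throw new RuntimeException(ex);
            }
        }
    };

    WorkerConfig config = new WorkerConfig();
    // PEM is ASCII, but decode it with an explicit charset rather than the
    // platform default, consistent with the explicit "UTF-8" used for the document.
    config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))), "UTF-8"));
    config.setProperty("CERTIFICATES", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(subca2Cert))), "UTF-8"));
    config.setProperty("REVOCATION_CHECKING", "true");
    instance.init(4715, config, null, null);

    RequestContext requestContext = new RequestContext();
    requestContext.put(RequestContext.TRANSACTION_ID, "0000-407-4");
    GenericValidationRequest request = new GenericValidationRequest(407, signedXml4.getBytes("UTF-8"));
    GenericValidationResponse response =
            (GenericValidationResponse) instance.processData(request, requestContext);

    assertEquals("OCSP calls", 2, requests.size());
    assertFalse("valid document", response.isValid());
    assertNotEquals("cert validation status", Validation.Status.VALID,
            response.getCertificateValidation().getStatus());
}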
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
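/**
 * Negative test for signer 4 where an OCSP response is signed by the Root CA
 * responder and returns the status REVOKED for the sub CA 2 certificate.
 *
 * <p>The validator's OCSP query is stubbed so that no network access happens:
 * a request whose issuer matches {@code subca2Cert} is answered with GOOD by
 * the SubCA 2 responder ({@code ocspSigner2Cert}), any other request with
 * REVOKED by the Root CA responder ({@code ocspSigner1Cert}). A revoked
 * intermediate invalidates the whole chain, so the document must not validate
 * even though the signer certificate itself is reported GOOD.
 *
 * @throws Exception on any unexpected failure in the test setup
 */
@Test
public void testSigner4_withOnlyOCSP_caRevoked() throws Exception {
    LOG.info("testSigner4_withOnlyOCSP_caRevoked");

    // Every OCSP request the validator sends is recorded so the test can assert
    // how many certificates were checked.
    final ArrayList<OCSPReq> requests = new ArrayList<OCSPReq>();

    XAdESValidator instance = new XAdESValidator() {
        @Override
        protected OCSPResponse doQueryOCSPResponder(URL url, OCSPReq request)
                throws IOException, OCSPException {
            try {
                requests.add(request);
                final BcDigestCalculatorProvider digestProvider = new BcDigestCalculatorProvider();
                final AlgorithmIdentifier sha1 = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
                // SubCA 2 responder else RootCA responder
                if (request.getRequestList()[0].getCertID().matchesIssuer(subca2Cert, digestProvider)) {
                    return convert(new OCSPResponseBuilder()
                            .addResponse(new OcspRespObject(
                                    new CertificateID(digestProvider.get(sha1), subca2Cert,
                                            signer4Cert.getSerialNumber()),
                                    CertificateStatus.GOOD))
                            .setResponseSignerCertificate(
                                    new JcaX509CertificateConverter().getCertificate(ocspSigner2Cert))
                            .setIssuerPrivateKey(ocspSigner2KeyPair.getPrivate())
                            .setChain(new X509CertificateHolder[] { ocspSigner2Cert })
                            .build());
                } else {
                    // Fixed revocation time in January 2014, reason code 1
                    // (keyCompromise in the RFC 5280 CRLReason enumeration).
                    return convert(new OCSPResponseBuilder()
                            .addResponse(new OcspRespObject(
                                    new CertificateID(digestProvider.get(sha1), rootcaCert,
                                            subca2Cert.getSerialNumber()),
                                    new RevokedStatus(new Date(1389884758000L), 1)))
                            .setResponseSignerCertificate(
                                    new JcaX509CertificateConverter().getCertificate(ocspSigner1Cert))
                            .setIssuerPrivateKey(ocspSigner1KeyPair.getPrivate())
                            .setChain(new X509CertificateHolder[] { ocspSigner1Cert })
                            .build());
                }
            } catch (Exception ex) {
                throw new RuntimeException(ex);
            }
        }
    };

    WorkerConfig config = new WorkerConfig();
    // PEM is ASCII, but decode it with an explicit charset rather than the
    // platform default, consistent with the explicit "UTF-8" used for the document.
    config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))), "UTF-8"));
    config.setProperty("CERTIFICATES", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(subca2Cert))), "UTF-8"));
    config.setProperty("REVOCATION_CHECKING", "true");
    instance.init(4715, config, null, null);

    RequestContext requestContext = new RequestContext();
    requestContext.put(RequestContext.TRANSACTION_ID, "0000-407-4");
    GenericValidationRequest request = new GenericValidationRequest(407, signedXml4.getBytes("UTF-8"));
    GenericValidationResponse response =
            (GenericValidationResponse) instance.processData(request, requestContext);

    // Depending on the order the chain is checked, the validator may stop after
    // the revoked sub CA (1 call) or also have queried the signer (2 calls).
    assertTrue("OCSP calls: " + requests.size(), requests.size() == 1 || requests.size() == 2);
    assertFalse("valid document", response.isValid());
    assertNotEquals("cert validation status", Validation.Status.VALID,
            response.getCertificateValidation().getStatus());
}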
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
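/**
 * Positive test for signer 5 where OCSP is unavailable and validation falls
 * back to the CRL distribution point (CDP), where the CRL is OK.
 *
 * <p>The stubbed OCSP query records the request and then fails with an
 * {@link IOException}, forcing the CRL fallback path.
 *
 * @throws Exception on any unexpected failure in the test setup
 */
@Test
public void testSigner5_withOCSPandCDP_ok() throws Exception {
    LOG.info("testSigner5_withOCSPandCDP_ok");

    final ArrayList<OCSPReq> requests = new ArrayList<OCSPReq>();
    XAdESValidator instance = new XAdESValidator() {
        @Override
        protected OCSPResponse doQueryOCSPResponder(URL url, OCSPReq request)
                throws IOException, OCSPException {
            requests.add(request);
            throw new IOException("Simulating OCSP unavailable");
        }
    };

    WorkerConfig config = new WorkerConfig();
    // PEM is ASCII, but decode it with an explicit charset rather than the
    // platform default, consistent with the explicit "UTF-8" used for the document.
    config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))), "UTF-8"));
    config.setProperty("REVOCATION_CHECKING", "true");
    instance.init(4715, config, null, null);

    RequestContext requestContext = new RequestContext();
    requestContext.put(RequestContext.TRANSACTION_ID, "0000-307-1");
    GenericValidationRequest request = new GenericValidationRequest(307, signedXml5.getBytes("UTF-8"));
    GenericValidationResponse response =
            (GenericValidationResponse) instance.processData(request, requestContext);

    // OCSP was tried exactly once before falling back to the CRL.
    assertEquals("OCSP calls", 1, requests.size());
    assertTrue("valid document", response.isValid());
    assertEquals("cert validation status", Validation.Status.VALID,
            response.getCertificateValidation().getStatus());
}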
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
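/**
 * Negative test for signer 5 where OCSP is unavailable and validation falls
 * back to the CRL distribution point (CDP), where the signer is revoked.
 *
 * <p>The Root CA CRL is first replaced by one listing signer 5 as revoked.
 * The stubbed OCSP query records the request and then fails with an
 * {@link IOException}, forcing the CRL fallback path, which must then reject
 * the document.
 *
 * @throws Exception on any unexpected failure in the test setup
 */
@Test
public void testSigner5_withOCSPandCDP_revoked() throws Exception {
    LOG.info("testSigner5_withOCSPandCDP_revoked");

    updateCRLs(rootcaCRLSigner5Revoked, subca1CRLEmpty);

    final ArrayList<OCSPReq> requests = new ArrayList<OCSPReq>();
    XAdESValidator instance = new XAdESValidator() {
        @Override
        protected OCSPResponse doQueryOCSPResponder(URL url, OCSPReq request)
                throws IOException, OCSPException {
            requests.add(request);
            throw new IOException("Simulating OCSP unavailable");
        }
    };

    WorkerConfig config = new WorkerConfig();
    // PEM is ASCII, but decode it with an explicit charset rather than the
    // platform default, consistent with the explicit "UTF-8" used for the document.
    config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))), "UTF-8"));
    config.setProperty("REVOCATION_CHECKING", "true");
    instance.init(4715, config, null, null);

    RequestContext requestContext = new RequestContext();
    requestContext.put(RequestContext.TRANSACTION_ID, "0000-307-1");
    GenericValidationRequest request = new GenericValidationRequest(307, signedXml5.getBytes("UTF-8"));
    GenericValidationResponse response =
            (GenericValidationResponse) instance.processData(request, requestContext);

    // OCSP was tried exactly once before falling back to the CRL.
    assertEquals("OCSP calls", 1, requests.size());
    assertFalse("valid document", response.isValid());
    assertNotEquals("cert validation status", Validation.Status.VALID,
            response.getCertificateValidation().getStatus());
}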
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
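/**
 * Tests that a document with a DOCTYPE is not allowed.
 *
 * <p>Refusing the DTD before parsing keeps entity declarations in an
 * untrusted document away from the XML parser. The expected outcome is a
 * {@link SignServerException} whose cause is the parser's
 * {@link SAXParseException} with a message mentioning "DOCTYPE".
 *
 * @throws Exception on any unexpected failure in the test setup
 */
@Test
@SuppressWarnings("ThrowableResultIgnored")
public void testDTDNotAllowed() throws Exception {
    LOG.info("testDTDNotAllowed");

    // Setup stays outside the try so that only processData() can satisfy the
    // expected exception; a failure in init() surfaces as an ordinary error.
    XAdESValidator instance = new XAdESValidator();
    WorkerConfig config = new WorkerConfig();
    // PEM is ASCII, but decode it with an explicit charset rather than the
    // platform default, consistent with the explicit "UTF-8" used for the document.
    config.setProperty("TRUSTANCHORS", new String(CertTools.getPEMFromCerts(
            Arrays.<Certificate>asList(new JcaX509CertificateConverter().getCertificate(rootcaCert))), "UTF-8"));
    config.setProperty("REVOCATION_CHECKING", "false");
    updateCRLs(rootcaCRLEmpty, subca1CRLEmpty);
    instance.init(4714, config, null, null);

    RequestContext requestContext = new RequestContext();
    requestContext.put(RequestContext.TRANSACTION_ID, "0000-300-0");
    GenericValidationRequest request =
            new GenericValidationRequest(300, SIGNED_XML_DOCTYPE.getBytes("UTF-8"));

    try {
        instance.processData(request, requestContext);
        fail("Should have thrown IllegalRequestException as the document contained a DTD");
    } catch (SignServerException expected) {
        if (expected.getCause() instanceof SAXParseException) {
            if (!expected.getCause().getMessage().contains("DOCTYPE")) {
                LOG.error("Wrong exception message", expected);
                fail("Should be error about doctype: " + expected.getMessage());
            }
        } else {
            LOG.error("Wrong exception cause", expected);
            fail("Expected SAXParseException but was: " + expected);
        }
    }
}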
From source file:org.signserver.server.ClientCertAuthorizerTest.java
License:Open Source License
/**
 * Constructs a test certificate implemented by Sun classes.
 *
 * @param serialNo serial number to use, as a hexadecimal string
 * @param issuerDN issuer distinguished name to use
 * @return X.509 certificate implemented by Sun
 * @throws CertBuilderException if the certificate cannot be built
 * @throws CertificateException if the certificate cannot be converted
 */
private X509Certificate createCert(String serialNo, String issuerDN)
        throws CertBuilderException, CertificateException {
    final CertBuilder builder = new CertBuilder();
    builder.setSerialNumber(new BigInteger(serialNo, 16));
    builder.setIssuer(issuerDN);

    final X509Certificate result = new JcaX509CertificateConverter().getCertificate(builder.build());

    // The test depends on the JDK's own certificate implementation, so refuse
    // any other implementation the converter might hand back.
    final String implementation = result.getClass().getName();
    if (!implementation.startsWith("sun.")) {
        throw new RuntimeException("Error in test case, should have been Sun certificate: " + implementation);
    }
    return result;
}
From source file:org.signserver.server.cryptotokens.CryptoTokenHelper.java
License:Open Source License
/**
 * Creates a self-signed X.509 certificate for the given key pair.
 *
 * <p>Subject and issuer are both {@code myname}. The certificate is valid from
 * 24 hours before now until {@code validity} seconds after now, and its serial
 * number is the notBefore time in milliseconds. Note that such a serial is
 * predictable; that is acceptable for a self-signed key-store certificate but
 * should not be copied for CA-issued certificates.
 *
 * @param myname subject (and issuer) distinguished name
 * @param validity validity period in seconds, counted from now
 * @param sigAlg signature algorithm name handed to the content signer builder
 * @param keyPair key pair whose public key is certified and whose private key signs
 * @param provider JCA provider name used for signing
 * @return the self-signed certificate
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws CertificateException if the built certificate cannot be converted
 * @throws IllegalArgumentException if the key pair has no public key
 */
private static X509Certificate getSelfCertificate(String myname, long validity, String sigAlg,
        KeyPair keyPair, String provider) throws OperatorCreationException, CertificateException {
    final long now = System.currentTimeMillis();
    // Back-date notBefore by a day to tolerate clock skew between hosts.
    final Date notBefore = new Date(now - 24 * 60 * 60 * 1000);
    final Date notAfter = new Date(now + validity * 1000);

    // Add all mandatory attributes
    if (LOG.isDebugEnabled()) {
        LOG.debug("keystore signing algorithm " + sigAlg);
    }
    final PublicKey publicKey = keyPair.getPublic();
    if (publicKey == null) {
        throw new IllegalArgumentException("Public key is null");
    }

    final X500Principal name = new X500Principal(myname);
    final X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
            name, BigInteger.valueOf(notBefore.getTime()), notBefore, notAfter, name, publicKey);

    final ContentSigner signer = new JcaContentSignerBuilder(sigAlg)
            .setProvider(provider)
            .build(keyPair.getPrivate());
    return new JcaX509CertificateConverter().getCertificate(certBuilder.build(signer));
}
From source file:org.signserver.server.cryptotokens.CryptoTokenTestBase.java
License:Open Source License
/**
 * Tests export of certificate chain. First imports a generated certificate
 * chain and then checks that it can be read back. Then imports another
 * chain and checks again.
 *
 * <p>The chain is built locally: a throw-away issuer key pair signs a CA
 * certificate and two end-entity certificates whose public key comes from a
 * CSR generated for {@code existingKey} in the token under test. After each
 * import the entry is looked up by alias and the subject names of the parsed
 * chain are compared with the imported certificates.
 *
 * @param existingKey entry to use
 */
protected void exportCertificatesHelper(final String existingKey)
        throws CryptoTokenOfflineException, KeyStoreException, InvalidWorkerIdException,
        SignServerException, IllegalArgumentException, CertificateException,
        CertificateEncodingException, OperationUnsupportedException, NoSuchAlgorithmException,
        NoSuchProviderException, OperatorCreationException, IOException, QueryException,
        OperationUnsupportedException, AuthorizationDeniedException,
        InvalidAlgorithmParameterException, UnsupportedCryptoTokenParameter {
    // Obtain a CSR for the existing key so the issued certificates carry the
    // token's own public key.
    final ISignerCertReqInfo req = new PKCS10CertReqInfo("SHA1WithRSA", "CN=imported", null);
    final Base64SignerCertReqData reqData =
            (Base64SignerCertReqData) genCertificateRequest(req, false, existingKey);

    // Generate a certificate chain that we will try to import and later export
    // NOTE(review): a 512-bit RSA issuer key and serial number 1 reused for all
    // three certificates are test-only shortcuts; they are fine for this
    // round-trip but would not be acceptable outside a test fixture.
    KeyPair issuerKeyPair = CryptoUtils.generateRSA(512);
    final X509CertificateHolder issuerCert = new JcaX509v3CertificateBuilder(
            new X500Name("CN=Test Import/Export CA"), BigInteger.ONE, new Date(),
            new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(3650)),
            new X500Name("CN=Test Import/Export CA"), issuerKeyPair.getPublic())
            .build(new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC")
                    .build(issuerKeyPair.getPrivate()));
    PKCS10CertificationRequest csr =
            new PKCS10CertificationRequest(Base64.decode(reqData.getBase64CertReq()));
    // Both end-entity certificates are signed by the issuer key above; the
    // only difference between them is the subject name.
    final X509CertificateHolder subjectCert1 = new X509v3CertificateBuilder(
            new X500Name("CN=Test Import/Export CA"), BigInteger.ONE, new Date(),
            new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365)),
            new X500Name("CN=Test Import/Export 1"), csr.getSubjectPublicKeyInfo())
            .build(new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC")
                    .build(issuerKeyPair.getPrivate()));
    final X509CertificateHolder subjectCert2 = new X509v3CertificateBuilder(
            new X500Name("CN=Test Import/Export CA"), BigInteger.ONE, new Date(),
            new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365)),
            new X500Name("CN=Test Import/Export 2"), csr.getSubjectPublicKeyInfo())
            .build(new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC")
                    .build(issuerKeyPair.getPrivate()));

    // Import certificate chain 1
    importCertificateChain(Arrays.asList(CertTools.getCertfromByteArray(subjectCert1.getEncoded()),
            CertTools.getCertfromByteArray(issuerCert.getEncoded())), existingKey);

    // Find the entry
    TokenSearchResults searchResults = searchTokenEntries(0, Integer.MAX_VALUE, QueryCriteria.create()
            .add(new Term(RelationalOperator.EQ, CryptoTokenHelper.TokenEntryFields.alias.name(), existingKey)), true);
    // Exactly one entry, with the requested alias, must match.
    LinkedList<String> aliases = new LinkedList<String>();
    for (TokenEntry entry : searchResults.getEntries()) {
        aliases.add(entry.getAlias());
    }
    assertArrayEquals(new String[] { existingKey }, aliases.toArray());
    TokenEntry entry = searchResults.getEntries().iterator().next();
    Certificate[] parsedChain = entry.getParsedChain();
    // Chain order as imported: end-entity first, issuer second.
    assertEquals("right subject",
            new JcaX509CertificateConverter().getCertificate(subjectCert1).getSubjectX500Principal().getName(),
            ((X509Certificate) parsedChain[0]).getSubjectX500Principal().getName());
    assertEquals("right issuer",
            new JcaX509CertificateConverter().getCertificate(issuerCert).getSubjectX500Principal().getName(),
            ((X509Certificate) parsedChain[1]).getSubjectX500Principal().getName());

    // Import certificate chain 2 (replaces chain 1 for the same alias)
    importCertificateChain(Arrays.asList(CertTools.getCertfromByteArray(subjectCert2.getEncoded()),
            CertTools.getCertfromByteArray(issuerCert.getEncoded())), existingKey);

    // Find the entry
    searchResults = searchTokenEntries(0, Integer.MAX_VALUE, QueryCriteria.create()
            .add(new Term(RelationalOperator.EQ, CryptoTokenHelper.TokenEntryFields.alias.name(), existingKey)), true);
    entry = searchResults.getEntries().iterator().next();
    parsedChain = entry.getParsedChain();
    assertEquals("right subject",
            new JcaX509CertificateConverter().getCertificate(subjectCert2).getSubjectX500Principal().getName(),
            ((X509Certificate) parsedChain[0]).getSubjectX500Principal().getName());
    assertEquals("right issuer",
            new JcaX509CertificateConverter().getCertificate(issuerCert).getSubjectX500Principal().getName(),
            ((X509Certificate) parsedChain[1]).getSubjectX500Principal().getName());
}
From source file:org.signserver.server.cryptotokens.KeystoreCryptoTokenTest.java
License:Open Source License
/**
 * Creates a self-signed certificate for the given key pair.
 *
 * <p>Subject and issuer are both {@code alias}. The certificate is valid from
 * 24 hours before now until {@code validity} seconds after now, its serial
 * number is the notBefore time in milliseconds, and it is signed with
 * SHA1withRSA through the BC provider (test fixture only).
 *
 * @param alias subject (and issuer) distinguished name
 * @param validity validity period in seconds, counted from now
 * @param keyPair key pair whose public key is certified and whose private key signs
 * @return the self-signed certificate
 * @throws Exception if the signer or certificate cannot be created
 */
private X509Certificate getSelfCertificate(String alias, long validity, KeyPair keyPair) throws Exception {
    final long now = System.currentTimeMillis();
    // Back-date notBefore by a day to tolerate clock skew between hosts.
    final Date notBefore = new Date(now - 24 * 60 * 60 * 1000);
    final Date notAfter = new Date(now + validity * 1000);

    final X500Principal name = new X500Principal(alias);
    final X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
            name, BigInteger.valueOf(notBefore.getTime()), notBefore, notAfter, name, keyPair.getPublic());

    final ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
            .setProvider("BC")
            .build(keyPair.getPrivate());
    return new JcaX509CertificateConverter().getCertificate(certBuilder.build(signer));
}