List of usage examples for org.bouncycastle.jce X509KeyUsage cRLSign
int cRLSign
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionTest.java
License:Open Source License
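/**
 * Test revocation of an end entity.
 * <p>
 * Six self-signed certificates are stored for one end entity in different states (active, archived,
 * notified-about-expiration, revoked; some already expired), then the end entity is revoked. The test asserts that
 * {@code revokeUser} leaves ARCHIVED and expired certificates untouched, i.e. that exactly three of the six are
 * still not revoked afterwards.
 */
@Test
public void testRevokeEndEntity() throws Exception {
    final String TEST_NAME = Thread.currentThread().getStackTrace()[1].getMethodName();
    final String USERNAME = TEST_NAME + "A";
    endEntityManagementSession.addUser(admin, USERNAME, pwd, "C=SE, O=PrimeKey, CN=" + USERNAME, null, null, true,
            SecConst.EMPTY_ENDENTITYPROFILE, CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER,
            EndEntityTypes.ENDUSER.toEndEntityType(), SecConst.TOKEN_SOFT_P12, 0, caid);
    usernames.add(USERNAME);
    final long now = System.currentTimeMillis();
    final Date date10sAgo = new Date(now - 10000L);
    final Date date2sAgo = new Date(now - 2000L);
    final Date date1hFromNow = new Date(now + 3600000L);
    // Throw-away key pair; the size is chosen for test speed, the certificates only live in the test database.
    final KeyPair keyPair = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    // Generate self signed certificates
    // This is really a bit strange with no "real" certificates. We can however revoke them anyhow even though they
    // don't belong to a CA in the system. This may be useful in order to be able to create "dummy" certificates for
    // specific compromised cases where you want to answer specifically for strange things.
    // Certificates 2 and 5 are already expired (notAfter two seconds ago), the others are valid for one more hour.
    final X509Certificate x509Certificate1 = genRevocationTestCert(USERNAME, keyPair, date10sAgo, date1hFromNow);
    final String fingerprint1 = CertTools.getFingerprintAsString(x509Certificate1);
    final X509Certificate x509Certificate2 = genRevocationTestCert(USERNAME, keyPair, date10sAgo, date2sAgo);
    final String fingerprint2 = CertTools.getFingerprintAsString(x509Certificate2);
    final X509Certificate x509Certificate3 = genRevocationTestCert(USERNAME, keyPair, date10sAgo, date1hFromNow);
    final String fingerprint3 = CertTools.getFingerprintAsString(x509Certificate3);
    final X509Certificate x509Certificate4 = genRevocationTestCert(USERNAME, keyPair, date10sAgo, date1hFromNow);
    final String fingerprint4 = CertTools.getFingerprintAsString(x509Certificate4);
    final X509Certificate x509Certificate5 = genRevocationTestCert(USERNAME, keyPair, date10sAgo, date2sAgo);
    final String fingerprint5 = CertTools.getFingerprintAsString(x509Certificate5);
    final X509Certificate x509Certificate6 = genRevocationTestCert(USERNAME, keyPair, date10sAgo, date1hFromNow);
    final String fingerprint6 = CertTools.getFingerprintAsString(x509Certificate6);
    try {
        // Persists self signed certificates
        internalCertStoreSession.storeCertificateNoAuth(admin, x509Certificate1, USERNAME, fingerprint1,
                CertificateConstants.CERT_ACTIVE, CertificateConstants.CERTTYPE_ENDENTITY,
                CertificateProfileConstants.CERTPROFILE_NO_PROFILE, EndEntityInformation.NO_ENDENTITYPROFILE, null, now);
        internalCertStoreSession.storeCertificateNoAuth(admin, x509Certificate2, USERNAME, fingerprint2,
                CertificateConstants.CERT_ARCHIVED, CertificateConstants.CERTTYPE_ENDENTITY,
                CertificateProfileConstants.CERTPROFILE_NO_PROFILE, EndEntityInformation.NO_ENDENTITYPROFILE, null, now);
        internalCertStoreSession.storeCertificateNoAuth(admin, x509Certificate3, USERNAME, fingerprint3,
                CertificateConstants.CERT_NOTIFIEDABOUTEXPIRATION, CertificateConstants.CERTTYPE_ENDENTITY,
                CertificateProfileConstants.CERTPROFILE_NO_PROFILE, EndEntityInformation.NO_ENDENTITYPROFILE, null, now);
        internalCertStoreSession.storeCertificateNoAuth(admin, x509Certificate4, USERNAME, fingerprint4,
                CertificateConstants.CERT_REVOKED, CertificateConstants.CERTTYPE_ENDENTITY,
                CertificateProfileConstants.CERTPROFILE_NO_PROFILE, EndEntityInformation.NO_ENDENTITYPROFILE, null, now);
        // A certificate that has expired, but status has not been changed to ARCHIVED by the CRL worker
        internalCertStoreSession.storeCertificateNoAuth(admin, x509Certificate5, USERNAME, fingerprint5,
                CertificateConstants.CERT_ACTIVE, CertificateConstants.CERTTYPE_ENDENTITY,
                CertificateProfileConstants.CERTPROFILE_NO_PROFILE, EndEntityInformation.NO_ENDENTITYPROFILE, null, now);
        // Artificial test vector where certificate has not expired, but the status is still set to archived.
        // Stored under its own fingerprint: the cleanup below removes entries by fingerprint, so reusing
        // fingerprint5 here would make certificate 6 collide with certificate 5's entry.
        internalCertStoreSession.storeCertificateNoAuth(admin, x509Certificate6, USERNAME, fingerprint6,
                CertificateConstants.CERT_ARCHIVED, CertificateConstants.CERTTYPE_ENDENTITY,
                CertificateProfileConstants.CERTPROFILE_NO_PROFILE, EndEntityInformation.NO_ENDENTITYPROFILE, null, now);
        // Revoke user
        endEntityManagementSession.revokeUser(admin, USERNAME, RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED);
        // Get all certificate except the revoked ones
        final List<CertificateDataWrapper> cdws = certificateStoreSession.getCertificateDataByUsername(USERNAME, false,
                Arrays.asList(CertificateConstants.CERT_REVOKED));
        assertEquals("Expected that revokeUser call would not touch ARCHIVED or expired certificates.", 3, cdws.size());
        final List<String> remainingFingerprints = Arrays.asList(
                cdws.get(0).getCertificateData().getFingerprint(),
                cdws.get(1).getCertificateData().getFingerprint(),
                cdws.get(2).getCertificateData().getFingerprint());
        assertTrue("Expected archived and expired certificate to not be revoked.", remainingFingerprints.contains(fingerprint2));
        assertTrue("Expected active and expired certificate to not be revoked.", remainingFingerprints.contains(fingerprint5));
        assertTrue("Expected archived and non-expired certificate to not be revoked.", remainingFingerprints.contains(fingerprint6));
    } finally {
        // Clean up: remove every certificate stored for this user, whatever state the test left it in
        final List<CertificateDataWrapper> cdws = certificateStoreSession.getCertificateDataByUsername(USERNAME, false, null);
        for (final CertificateDataWrapper cdw : cdws) {
            internalCertStoreSession.removeCertificate(cdw.getCertificateData().getFingerprint());
        }
    }
}

/**
 * Builds one self-signed test certificate for {@code username} with the given validity period.
 *
 * @param username subject CN of the certificate
 * @param keyPair key pair used both as subject key and for signing
 * @param notBefore start of the validity period
 * @param notAfter end of the validity period (in the past for an already expired test vector)
 * @return the generated certificate
 * @throws Exception if certificate generation fails
 */
private static X509Certificate genRevocationTestCert(final String username, final KeyPair keyPair, final Date notBefore,
        final Date notAfter) throws Exception {
    // Key usage bits are distinct flags; OR-ing them yields the same value as the sum without the risk of double-counting a bit.
    return CertTools.genSelfCertForPurpose("CN=" + username, notBefore, notAfter, null, keyPair.getPrivate(), keyPair.getPublic(),
            AlgorithmConstants.SIGALG_SHA256_WITH_RSA, false, X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign, null, null,
            BouncyCastleProvider.PROVIDER_NAME, true, null);
}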
From source file:org.ejbca.core.model.ca.caadmin.CertificateValidityTest.java
License:Open Source License
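/**
 * Shared body of the validity tests: exercises {@code CertificateValidity} against a self-signed CA certificate
 * valid for 100 days and an end user certificate profile with the given validity.
 * <p>
 * Checks, in order: that the profile rules the end date while validity override is disallowed (requested dates and
 * end entity extended information are ignored); that once override is allowed the extended information wins over
 * the requested dates, and the requested dates are used when no extended information is present; that neither the
 * profile end time nor the CA certificate end time can be exceeded, except when renewing a root CA; that a
 * notBefore in the past is accepted; and that a requested end date beyond the configured too-late-expire date is
 * rejected with {@code IllegalValidityException}.
 *
 * @param encodedValidity value passed to {@code CertificateProfile.setValidity}; a value above
 *        {@code Integer.MAX_VALUE} is treated by this test as an absolute end date rather than a number of days
 * @throws Exception on any failure generating keys, certificates or validities
 */
private void testBaseTestCertificateValidity(long encodedValidity) throws Exception {
    KeyPair keys = KeyTools.genKeys("1024", "RSA");
    // Test-only CA certificate valid for 100 days; only its dates matter for these assertions.
    // Key usage bits are distinct flags, so OR-ing them is the idiomatic way to combine them.
    X509Certificate cacert = CertTools.genSelfCertForPurpose("CN=dummy2", 100, null, keys.getPrivate(), keys.getPublic(),
            AlgorithmConstants.SIGALG_SHA1_WITH_RSA, true, X509KeyUsage.cRLSign | X509KeyUsage.keyCertSign);
    UserDataVO subject = new UserDataVO();
    final CertificateProfile cp = new EndUserCertificateProfile();
    cp.setValidity(encodedValidity);
    cp.setAllowValidityOverride(false);
    // First see that when we don't have a specified time requested and validity override is not allowed, the end time
    // should be ruled by the certificate profile.
    CertificateValidity cv = new CertificateValidity(subject, cp, null, null, cacert, false);
    Date notBefore = cv.getNotBefore();
    Date notAfter = cv.getNotAfter();
    Date now = new Date();
    assertTrue(notBefore.before(now));
    assertTrue(notAfter.after(daysFromNow(49)));
    assertTrue(notAfter.before(daysFromNow(51)));
    // See that a requested validity does not affect it
    Calendar requestNotBefore = Calendar.getInstance();
    requestNotBefore.add(Calendar.DAY_OF_MONTH, 2);
    Calendar requestNotAfter = Calendar.getInstance();
    requestNotAfter.add(Calendar.DAY_OF_MONTH, 25);
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    assertTrue(notBefore.before(now));
    assertTrue(notAfter.after(daysFromNow(49)));
    assertTrue(notAfter.before(daysFromNow(51)));
    // Add extended information for the user and see that it does not affect it either
    ExtendedInformation ei = new ExtendedInformation();
    ei.setCustomData(EndEntityProfile.STARTTIME, "10:0:0");
    ei.setCustomData(EndEntityProfile.ENDTIME, "30:0:0");
    subject.setExtendedinformation(ei);
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    assertTrue(notBefore.before(now));
    assertTrue(notAfter.after(daysFromNow(49)));
    assertTrue(notAfter.before(daysFromNow(51)));
    // Now allow validity override
    cp.setAllowValidityOverride(true);
    // Now we should get what's in the UserDataVO extended information
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    assertTrue(notBefore.after(daysFromNow(9)));
    assertTrue(notBefore.before(daysFromNow(11)));
    assertTrue(notAfter.after(daysFromNow(29)));
    assertTrue(notAfter.before(daysFromNow(31)));
    // Remove extended information from UserDataVO and we should get what we pass as parameters to CertificateValidity
    subject.setExtendedinformation(null);
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    assertTrue(notBefore.after(daysFromNow(1)));
    assertTrue(notBefore.before(daysFromNow(3)));
    assertTrue(notAfter.after(daysFromNow(23)));
    assertTrue(notAfter.before(daysFromNow(26)));
    // Check that we can not supersede the certificate profile end time
    requestNotAfter = Calendar.getInstance();
    requestNotAfter.add(Calendar.DAY_OF_MONTH, 200);
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    // This will be counted in number of days since notBefore, and notBefore here is taken from requestNotBefore which is two,
    // so we have to add 2 to certificate profile validity to get the resulting notAfter but not if certificate end is an
    // absolute end date.
    final int lowerBoundDays;
    final int upperBoundDays;
    if (encodedValidity > Integer.MAX_VALUE) {
        lowerBoundDays = 49;
        upperBoundDays = 51;
    } else {
        lowerBoundDays = 51;
        upperBoundDays = 53;
    }
    assertTrue(notAfter.after(daysFromNow(lowerBoundDays)));
    assertTrue(notAfter.before(daysFromNow(upperBoundDays)));
    // Check that we can not supersede the CA end time
    cp.setValidity(400);
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    // This will be the CA certificate's notAfter
    assertTrue(notAfter.after(daysFromNow(99)));
    assertTrue(notAfter.before(daysFromNow(101)));
    // Unless it is a root CA, then we should be able to get a new validity after, to be able to update CA certificate
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, true);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    assertTrue(notAfter.after(daysFromNow(199)));
    assertTrue(notAfter.before(daysFromNow(201)));
    // Check that we can request a validity time before "now"
    requestNotBefore = Calendar.getInstance();
    requestNotBefore.add(Calendar.DAY_OF_MONTH, -10);
    cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
    notBefore = cv.getNotBefore();
    notAfter = cv.getNotAfter();
    assertTrue(notBefore.before(daysFromNow(-9)));
    assertTrue(notBefore.after(daysFromNow(-11)));
    // This will be the CA certificate's notAfter
    assertTrue(notAfter.after(daysFromNow(99)));
    assertTrue(notAfter.before(daysFromNow(101)));
    // Check that ca.toolateexpiredate setting in ejbca.properties is in effect
    CertificateValidity.setTooLateExpireDate(daysFromNow(5));
    try {
        boolean thrown = false;
        try {
            cv = new CertificateValidity(subject, cp, requestNotBefore.getTime(), requestNotAfter.getTime(), cacert, false);
        } catch (IllegalValidityException e) {
            thrown = true;
            String msg = e.getMessage();
            // When running from within eclipse it will not have the correct internalresources.
            if (!msg.contains("Requested expire date is not before the configured 'ca.toolateexpiredate'")
                    && (!msg.equals("signsession.errorbeyondtoolateexpiredate"))) {
                assertTrue(msg, false);
            }
        }
        assertTrue(thrown);
    } finally {
        // The too-late-expire date is static, process-wide state: restore it even if an assertion above fails,
        // otherwise every later test in the same JVM would see the 5-day limit.
        CertificateValidity.setTooLateExpireDate(new Date(Long.MAX_VALUE));
    }
}

/**
 * Returns the current time shifted by {@code days} calendar days; negative values go into the past.
 *
 * @param days number of days to add to now
 * @return the shifted date
 */
private static Date daysFromNow(final int days) {
    final Calendar cal = Calendar.getInstance();
    cal.add(Calendar.DAY_OF_MONTH, days);
    return cal.getTime();
}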
From source file:org.ejbca.core.protocol.cmp.AuthenticationModulesTest.java
License:Open Source License
/**
 * Builds the shared fixture: the cached CMP configuration, a fresh sender nonce and transaction id, and a test
 * X.509 CA whose id and certificate the individual tests refer to.
 *
 * @throws Exception if the configuration cannot be read or the test CA cannot be created
 */
public AuthenticationModulesTest() throws Exception {
    this.cmpConfiguration = (CmpConfiguration) this.globalConfigurationSession
            .getCachedConfiguration(CmpConfiguration.CMP_CONFIGURATION_ID);
    this.nonce = CmpMessageHelper.createSenderNonce();
    this.transid = CmpMessageHelper.createSenderNonce();
    // Key usage bits are distinct flags; OR-ing them gives the same value as adding them without the risk of double-counting.
    final int caKeyUsage = X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign;
    this.testx509ca = CaTestUtils.createTestX509CA(issuerDN, null, false, caKeyUsage);
    this.caid = this.testx509ca.getCAId();
    this.cacert = this.testx509ca.getCACertificate();
}
From source file:org.ejbca.core.protocol.cmp.AuthenticationModulesTest.java
License:Open Source License
/**
 * Tests the possibility to use different signature algorithms in CMP requests and responses if protection algorithm
 * is specified.
 *
 * A CMP request is sent to a CA that uses ECDSA with SHA256 as signature and encryption algorithms:
 *
 * 1. Send a CRMF request signed using ECDSA with SHA256 algorithm and expects a response signed by the same algorithm
 * 2. Send a CMP Confirm message without protection. The response is expected to be signed using ECDSA (because that's the CA's key algorithm)
 * and SHA1 (because that's the default digest algorithm)
 * 3. Sends a CMP Revocation request signed using ECDSA with SHA256 and expects a response signed by the same algorithm.
 *
 * The test builds its own CA ("CmpECDSATestCA"), certificate profile ("ECDSACP") and end entity profile ("ECDSAEEP")
 * and removes them again in the finally block. The CMP alias configuration saved at the start is not restored.
 *
 * @throws Exception
 */
@Test
public void test22EECAuthWithSHA256AndECDSA() throws Exception {
    log.trace(">test22EECAuthWithSHA256AndECDSA()");
    //-------------- Set the necessary configurations
    // NOTE(review): this writes the shared CMP configuration for ALIAS and nothing below restores it; later tests
    // using the same alias see end-entity-certificate authentication against CmpECDSATestCA.
    this.cmpConfiguration.setRAEEProfile(ALIAS, "ECDSAEEP");
    this.cmpConfiguration.setRACertProfile(ALIAS, "ECDSACP");
    this.cmpConfiguration.setCMPDefaultCA(ALIAS, "CmpECDSATestCA");
    this.cmpConfiguration.setRACAName(ALIAS, "CmpECDSATestCA");
    this.cmpConfiguration.setRAMode(ALIAS, true);
    this.cmpConfiguration.setRANameGenScheme(ALIAS, "DN");
    this.cmpConfiguration.setRANameGenParams(ALIAS, "CN");
    this.cmpConfiguration.setAuthenticationModule(ALIAS, CmpConfiguration.AUTHMODULE_ENDENTITY_CERTIFICATE);
    this.cmpConfiguration.setAuthenticationParameters(ALIAS, "CmpECDSATestCA");
    this.globalConfigurationSession.saveConfiguration(ADMIN, this.cmpConfiguration);
    // Start from a clean slate: drop any CA and crypto token left behind by an earlier, aborted run.
    removeTestCA("CmpECDSATestCA");
    try {
        final CryptoTokenManagementSessionRemote cryptoTokenManagementSession = EjbRemoteHelper.INSTANCE
                .getRemoteSession(CryptoTokenManagementSessionRemote.class);
        final int cryptoTokenId = cryptoTokenManagementSession.getIdFromName("CmpECDSATestCA").intValue();
        CryptoTokenTestUtils.removeCryptoToken(ADMIN, cryptoTokenId);
    } catch (Exception e) {
        // Best effort: there is usually no leftover token, in which case getIdFromName() yields nothing usable.
    }
    //---------------------- Create the test CA
    // Create catoken
    String ecdsaCADN = "CN=CmpECDSATestCA";
    String keyspec = "prime256v1";
    // "foo123" is the test fixture's crypto token PIN; it is also reused below as the admin password and confirm hash.
    int cryptoTokenId = CryptoTokenTestUtils.createCryptoTokenForCA(null, "foo123".toCharArray(), true, false, ecdsaCADN,
            keyspec);
    final CAToken catoken = CaTestUtils.createCaToken(cryptoTokenId, AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA,
            AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA);
    final List<ExtendedCAServiceInfo> extendedCaServices = new ArrayList<ExtendedCAServiceInfo>(2);
    extendedCaServices.add(new KeyRecoveryCAServiceInfo(ExtendedCAServiceInfo.STATUS_ACTIVE));
    String caname = CertTools.getPartFromDN(ecdsaCADN, "CN");
    X509CAInfo ecdsaCaInfo = new X509CAInfo(ecdsaCADN, caname, CAConstants.CA_ACTIVE,
            CertificateProfileConstants.CERTPROFILE_FIXED_ROOTCA, 3650, CAInfo.SELFSIGNED, null, catoken);
    ecdsaCaInfo.setExtendedCAServiceInfos(extendedCaServices);
    X509CA ecdsaCA = new X509CA(ecdsaCaInfo);
    ecdsaCA.setCAToken(catoken);
    // A CA certificate
    Collection<Certificate> cachain = new ArrayList<Certificate>();
    final PublicKey publicKey = this.cryptoTokenManagementProxySession
            .getPublicKey(cryptoTokenId, catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN))
            .getPublicKey();
    //final String keyalg = AlgorithmTools.getKeyAlgorithm(publicKey);
    String sigalg = AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA;
    final PrivateKey privateKey = this.cryptoTokenManagementProxySession.getPrivateKey(cryptoTokenId,
            catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN));
    // Distinct key usage bits, so the sum equals the bitwise OR here.
    int keyusage = X509KeyUsage.digitalSignature + X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign;
    X509Certificate ecdsaCaCert = CertTools.genSelfCertForPurpose(ecdsaCADN, 10L, "1.1.1.1", privateKey, publicKey, sigalg,
            true, keyusage, true);
    assertNotNull(ecdsaCaCert);
    cachain.add(ecdsaCaCert);
    ecdsaCA.setCertificateChain(cachain);
    this.caSession.addCA(ADMIN, ecdsaCA);
    //-------------- Create the EndEntityProfile and the CertificateProfile
    List<Integer> availableCAs = new ArrayList<Integer>();
    availableCAs.add(Integer.valueOf(ecdsaCA.getCAId()));
    CertificateProfile cp = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
    cp.setSignatureAlgorithm(AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA);
    cp.setAvailableCAs(availableCAs);
    cp.setAllowDNOverride(true);
    try {
        this.certProfileSession.addCertificateProfile(ADMIN, "ECDSACP", cp);
    } catch (CertificateProfileExistsException e) {
        // do nothing: a profile left over from an earlier run is looked up by name just below
    }
    int cpId = this.certProfileSession.getCertificateProfileId("ECDSACP");
    // Configure an EndEntity profile (CmpRA) with allow CN, O, C in DN
    // and rfc822Name (uncheck 'Use entity e-mail field' and check
    // 'Modifyable'), MS UPN in altNames in the end entity profile.
    EndEntityProfile eep = new EndEntityProfile(true);
    eep.setValue(EndEntityProfile.DEFAULTCERTPROFILE, 0, "" + cpId);
    eep.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, "" + cpId);
    eep.setValue(EndEntityProfile.DEFAULTCA, 0, "" + ecdsaCA.getCAId());
    eep.setValue(EndEntityProfile.AVAILCAS, 0, "" + ecdsaCA.getCAId());
    eep.setModifyable(DnComponents.RFC822NAME, 0, true);
    eep.setUse(DnComponents.RFC822NAME, 0, false); // Don't use field
    // from "email" data
    try {
        this.endEntityProfileSession.addEndEntityProfile(ADMIN, "ECDSAEEP", eep);
    } catch (EndEntityProfileExistsException e) {
        // do nothing: same as for the certificate profile, the existing one is reused
    }
    int eepId = this.endEntityProfileSession.getEndEntityProfileId("ECDSAEEP");
    //---------------- Send a CMP initialization request
    AuthenticationToken admToken = null;
    final String testAdminDN = "CN=cmptestadmin,C=SE";
    final String testAdminName = "cmptestadmin";
    X509Certificate admCert = null;
    // Fingerprints of the admin certificate and the issued end entity certificate, used by the cleanup below.
    // NOTE(review): both stay null if the test fails before they are assigned, and the finally block then calls
    // removeCertificate(null) — confirm that is tolerated so the original failure is not masked.
    String fp = null, fp2 = null;
    try {
        KeyPair keys = KeyTools.genKeys(keyspec, AlgorithmConstants.KEYALGORITHM_ECDSA);
        final X500Name userDN = new X500Name("CN=cmpecdsauser");
        final byte[] _nonce = CmpMessageHelper.createSenderNonce();
        final byte[] _transid = CmpMessageHelper.createSenderNonce();
        // Protection algorithm requested for the CRMF and revocation messages (step 1 and 3 in the Javadoc).
        final AlgorithmIdentifier pAlg = new AlgorithmIdentifier(X9ObjectIdentifiers.ecdsa_with_SHA256);
        PKIMessage req = genCertReq(ecdsaCaInfo.getSubjectDN(), userDN, keys, ecdsaCaCert, _nonce, _transid, false, null, null,
                null, null, pAlg, null);
        // The RA-mode request is signed with the certificate of a dedicated CMP admin end entity.
        createUser(testAdminName, testAdminDN, "foo123", true, ecdsaCaInfo.getCAId(), eepId, cpId);
        KeyPair admkeys = KeyTools.genKeys(keyspec, AlgorithmConstants.KEYALGORITHM_ECDSA);
        admToken = createAdminToken(admkeys, testAdminName, testAdminDN, ecdsaCA.getCAId(), eepId, cpId);
        admCert = getCertFromCredentials(admToken);
        fp = CertTools.getFingerprintAsString(admCert);
        CMPCertificate[] extraCert = getCMPCert(admCert);
        req = CmpMessageHelper.buildCertBasedPKIProtection(req, extraCert, admkeys.getPrivate(),
                AlgorithmTools.getDigestFromSigAlg(pAlg.getAlgorithm().getId()), "BC");//CMSSignedGenerator.DIGEST_SHA256
        assertNotNull(req);
        CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
        int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(req);
        byte[] ba = bao.toByteArray();
        // Send request and receive response
        byte[] resp = sendCmpHttp(ba, 200, ALIAS);
        // The response must be protected with the algorithm requested in pAlg.
        checkCmpResponseGeneral(resp, ecdsaCaInfo.getSubjectDN(), userDN, ecdsaCaCert, _nonce, _transid, true, null,
                X9ObjectIdentifiers.ecdsa_with_SHA256.getId());
        X509Certificate cert = checkCmpCertRepMessage(userDN, ecdsaCaCert, resp, reqId);
        fp2 = CertTools.getFingerprintAsString(cert);
        // ------------------- Send a CMP confirm message
        String hash = "foo123";
        // No pAlg and no signing of the confirm message: this is the unprotected step 2 of the Javadoc.
        PKIMessage confirm = genCertConfirm(userDN, ecdsaCaCert, _nonce, _transid, hash, reqId);
        assertNotNull(confirm);
        bao = new ByteArrayOutputStream();
        out = new DEROutputStream(bao);
        out.writeObject(confirm);
        ba = bao.toByteArray();
        // Send request and receive response
        resp = sendCmpHttp(ba, 200, ALIAS);
        //Since pAlg was not set in the ConfirmationRequest, the default DigestAlgorithm (SHA1) will be used
        checkCmpResponseGeneral(resp, ecdsaCaInfo.getSubjectDN(), userDN, ecdsaCaCert, _nonce, _transid, true, null,
                X9ObjectIdentifiers.ecdsa_with_SHA1.getId());
        checkCmpPKIConfirmMessage(userDN, ecdsaCaCert, resp);
        //------------------------- Send a CMP revocation request
        PKIMessage rev = genRevReq(ecdsaCaInfo.getSubjectDN(), userDN, cert.getSerialNumber(), ecdsaCaCert, _nonce, _transid,
                true, pAlg, null);
        assertNotNull(rev);
        rev = CmpMessageHelper.buildCertBasedPKIProtection(rev, extraCert, admkeys.getPrivate(),
                AlgorithmTools.getDigestFromSigAlg(pAlg.getAlgorithm().getId()), "BC");
        assertNotNull(rev);
        ByteArrayOutputStream baorev = new ByteArrayOutputStream();
        DEROutputStream outrev = new DEROutputStream(baorev);
        outrev.writeObject(rev);
        byte[] barev = baorev.toByteArray();
        // Send request and receive response
        resp = sendCmpHttp(barev, 200, ALIAS);
        checkCmpResponseGeneral(resp, ecdsaCaInfo.getSubjectDN(), userDN, ecdsaCaCert, _nonce, _transid, true, null,
                X9ObjectIdentifiers.ecdsa_with_SHA256.getId());
        // The CA's view must agree with the response: the issued certificate is now revoked.
        int revStatus = checkRevokeStatus(ecdsaCaInfo.getSubjectDN(), CertTools.getSerialNumber(cert));
        assertNotEquals("Revocation request failed to revoke the certificate", RevokedCertInfo.NOT_REVOKED, revStatus);
    } finally {
        // Cleanup is best effort for the admin token and user so that one failing step does not stop the others.
        try {
            removeAuthenticationToken(admToken, admCert, testAdminName);
        } catch (Exception e) {
            //NOPMD: Ignore
        }
        try {
            this.endEntityManagementSession.revokeAndDeleteUser(ADMIN, "cmpecdsauser", ReasonFlags.unused);
        } catch (Exception e) {
            //NOPMD: Ignore
        }
        this.internalCertStoreSession.removeCertificate(fp);
        this.internalCertStoreSession.removeCertificate(fp2);
        this.endEntityProfileSession.removeEndEntityProfile(ADMIN, "ECDSAEEP");
        this.certProfileSession.removeCertificateProfile(ADMIN, "ECDSACP");
        removeTestCA("CmpECDSATestCA");
    }
    log.trace("<test22EECAuthWithSHA256AndECDSA()");
}
From source file:org.ejbca.core.protocol.cmp.CmpRAUnidTest.java
License:Open Source License
/**
 * Builds the shared fixture: an RSA key pair for the requests, a test X.509 CA (id and certificate are kept for the
 * tests) and the cached CMP configuration.
 *
 * @throws Exception if key generation, CA creation or configuration lookup fails
 */
public CmpRAUnidTest() throws Exception {
    this.keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    // Distinct key usage bits: OR-ing them yields the same value as adding them, without double-counting a bit.
    final int caKeyUsage = X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign;
    this.testx509ca = CaTestUtils.createTestX509CA(issuerDN, null, false, caKeyUsage);
    this.caid = this.testx509ca.getCAId();
    this.cacert = (X509Certificate) this.testx509ca.getCACertificate();
    this.cmpConfiguration = (CmpConfiguration) this.globalConfigurationSession
            .getCachedConfiguration(CmpConfiguration.CMP_CONFIGURATION_ID);
}
From source file:org.ejbca.core.protocol.cmp.CrmfKeyUpdateTest.java
License:Open Source License
/**
 * Builds the shared fixture: the cached CMP configuration and a test X.509 CA whose id and certificate the tests use.
 *
 * @throws Exception if the configuration lookup or CA creation fails
 */
public CrmfKeyUpdateTest() throws Exception {
    this.cmpConfiguration = (CmpConfiguration) this.globalConfigurationSession
            .getCachedConfiguration(CmpConfiguration.CMP_CONFIGURATION_ID);
    // Distinct key usage bits: OR-ing them yields the same value as adding them, without double-counting a bit.
    final int caKeyUsage = X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign;
    this.testx509ca = CaTestUtils.createTestX509CA(this.issuerDN, null, false, caKeyUsage);
    this.caid = this.testx509ca.getCAId();
    this.cacert = this.testx509ca.getCACertificate();
}
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeRequestTest.java
License:Open Source License
/**
 * Builds the shared fixture: a test X.509 CA (id and certificate are kept for the tests), the cached CMP
 * configuration and an RSA key pair for the requests.
 *
 * @throws Exception if CA creation, configuration lookup or key generation fails
 */
public CrmfRAPbeRequestTest() throws Exception {
    // Distinct key usage bits: OR-ing them yields the same value as adding them, without double-counting a bit.
    final int caKeyUsage = X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign;
    this.testx509ca = CaTestUtils.createTestX509CA(issuerDN, null, false, caKeyUsage);
    this.caid = this.testx509ca.getCAId();
    this.cacert = (X509Certificate) this.testx509ca.getCACertificate();
    this.cmpConfiguration = (CmpConfiguration) this.globalConfigurationSession
            .getCachedConfiguration(CmpConfiguration.CMP_CONFIGURATION_ID);
    this.keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
}
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeTcpRequestTest.java
License:Open Source License
/**
 * Builds the shared fixture: an RSA key pair for the requests, a test X.509 CA (id and certificate are kept for the
 * tests) and the cached CMP configuration.
 *
 * @throws Exception if key generation, CA creation or configuration lookup fails
 */
public CrmfRAPbeTcpRequestTest() throws Exception {
    this.keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    // Distinct key usage bits: OR-ing them yields the same value as adding them, without double-counting a bit.
    final int caKeyUsage = X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign;
    this.testx509ca = CaTestUtils.createTestX509CA(issuerDN, null, false, caKeyUsage);
    this.caid = this.testx509ca.getCAId();
    this.cacert = (X509Certificate) this.testx509ca.getCACertificate();
    this.cmpConfiguration = (CmpConfiguration) this.globalConfigurationSession
            .getCachedConfiguration(CmpConfiguration.CMP_CONFIGURATION_ID);
}
From source file:org.ejbca.core.protocol.cmp.CrmfRARequestTest.java
License:Open Source License
/**
 * Builds the shared fixture: removes any CA left under the issuer's id, creates and registers a test X.509 CA
 * (id and certificate are kept for the tests) and reads the cached CMP configuration.
 *
 * @throws Exception if CA removal, creation or configuration lookup fails
 */
public CrmfRARequestTest() throws Exception {
    // The CA id is derived from the issuer DN, so a leftover CA from an earlier run is removed first.
    this.caSession.removeCA(ADMIN, ISSUER_DN.hashCode());
    // Distinct key usage bits: OR-ing them yields the same value as adding them, without double-counting a bit.
    final int caKeyUsage = X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign;
    this.testx509ca = CaTestUtils.createTestX509CA(ISSUER_DN, null, false, caKeyUsage);
    this.caSession.addCA(ADMIN, this.testx509ca);
    this.caid = this.testx509ca.getCAId();
    this.cacert = (X509Certificate) this.testx509ca.getCACertificate();
    this.cmpConfiguration = (CmpConfiguration) this.globalConfSession
            .getCachedConfiguration(CmpConfiguration.CMP_CONFIGURATION_ID);
}
From source file:org.ejbca.core.protocol.cmp.CrmfRATcpRequestTest.java
License:Open Source License
/**
 * Builds the shared fixture: an RSA key pair for the requests, a test X.509 CA (id and certificate are kept for the
 * tests) and the cached CMP configuration.
 *
 * @throws Exception if key generation, CA creation or configuration lookup fails
 */
public CrmfRATcpRequestTest() throws Exception {
    this.keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    // Distinct key usage bits: OR-ing them yields the same value as adding them, without double-counting a bit.
    final int caKeyUsage = X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign;
    this.testx509ca = CaTestUtils.createTestX509CA(issuerDN, null, false, caKeyUsage);
    this.caid = this.testx509ca.getCAId();
    this.cacert = (X509Certificate) this.testx509ca.getCACertificate();
    this.cmpConfiguration = (CmpConfiguration) this.globalConfigurationSession
            .getCachedConfiguration(CmpConfiguration.CMP_CONFIGURATION_ID);
}