use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testDecodeMalformedExtension.
/**
* Tests the behavior when trying to decode a certificate with a malformed
* extensions element.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testDecodeMalformedExtension() throws Exception {
  // Validity window: from now until 365 days from now (in milliseconds).
  final long notBefore = System.currentTimeMillis();
  final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

  // Build the inner (to-be-signed) sequence piece by piece, in encoding
  // order, so that the one deliberately broken element is easy to spot.
  final ASN1Element version =
       new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode());
  final ASN1BigInteger serialNumber = new ASN1BigInteger(12435L);
  final ASN1Sequence innerSignatureAlgorithm = new ASN1Sequence(
       new ASN1ObjectIdentifier(new OID("1.2.3.4")),
       new ASN1Null());
  final ASN1Element issuer = X509Certificate.encodeName(new DN("CN=issuer"));
  final ASN1Sequence validity = new ASN1Sequence(
       new ASN1GeneralizedTime(notBefore),
       new ASN1GeneralizedTime(notAfter));
  final ASN1Element subject =
       X509Certificate.encodeName(new DN("CN=ldap.example.com"));
  final ASN1Sequence subjectPublicKeyInfo = new ASN1Sequence(
       new ASN1Sequence(
            new ASN1ObjectIdentifier(new OID("1.2.3.5")),
            new ASN1Null()),
       new ASN1BitString(new boolean[1024]));

  // 0xA3 is the context-specific constructed tag [3], the slot an X.509
  // certificate uses for extensions.  The element is created with no value
  // at all, which is the malformed input this test feeds to the decoder.
  final ASN1Element malformedExtensions = new ASN1Element((byte) 0xA3);

  final ASN1Sequence tbsCertificate = new ASN1Sequence(
       version,
       serialNumber,
       innerSignatureAlgorithm,
       issuer,
       validity,
       subject,
       subjectPublicKeyInfo,
       malformedExtensions);

  // Outer wrapper: to-be-signed data, signature algorithm, signature value.
  final ASN1Sequence outerSignatureAlgorithm = new ASN1Sequence(
       new ASN1ObjectIdentifier(new OID("1.2.3.4")),
       new ASN1Null());
  final ASN1BitString signatureValue = new ASN1BitString(new boolean[1024]);
  final ASN1Sequence valueSequence = new ASN1Sequence(
       tbsCertificate,
       outerSignatureAlgorithm,
       signatureValue);

  // NOTE(review): expectedExceptions is satisfied by a CertException raised
  // anywhere in this method.  If the encodeName() setup calls can throw it,
  // the test would pass without the decoder ever seeing the malformed
  // element -- confirm against X509Certificate.encodeName.
  new X509Certificate(valueSequence.encode());
}
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testDecodeMalformedSignatureBitString.
/**
* Tests the behavior when trying to decode a certificate with a malformed
* signature bit string.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testDecodeMalformedSignatureBitString() throws Exception {
  // Validity window: from now until 365 days from now (in milliseconds).
  final long notBefore = System.currentTimeMillis();
  final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

  // Inner (to-be-signed) sequence, assembled in encoding order.  Unlike an
  // extension-bearing certificate, it ends after the public key info.
  final ASN1Element version =
       new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode());
  final ASN1BigInteger serialNumber = new ASN1BigInteger(12435L);
  final ASN1Sequence innerSignatureAlgorithm = new ASN1Sequence(
       new ASN1ObjectIdentifier(new OID("1.2.3.4")),
       new ASN1Null());
  final ASN1Element issuer = X509Certificate.encodeName(new DN("CN=issuer"));
  final ASN1Sequence validity = new ASN1Sequence(
       new ASN1GeneralizedTime(notBefore),
       new ASN1GeneralizedTime(notAfter));
  final ASN1Element subject =
       X509Certificate.encodeName(new DN("CN=ldap.example.com"));
  final ASN1Sequence subjectPublicKeyInfo = new ASN1Sequence(
       new ASN1Sequence(
            new ASN1ObjectIdentifier(new OID("1.2.3.5")),
            new ASN1Null()),
       new ASN1BitString(new boolean[1024]));
  final ASN1Sequence tbsCertificate = new ASN1Sequence(
       version,
       serialNumber,
       innerSignatureAlgorithm,
       issuer,
       validity,
       subject,
       subjectPublicKeyInfo);

  // Outer wrapper.  The outer algorithm OID (1.2.3.5) differs from the one
  // inside the to-be-signed data (1.2.3.4), and the signature value is an
  // all-false 1024-bit string.
  // NOTE(review): the signature value is built with the regular
  // ASN1BitString constructor, so it is not obvious from this listing which
  // part the decoder is expected to reject -- confirm that the
  // CertException really comes from the signature bit string.
  final ASN1Sequence outerSignatureAlgorithm = new ASN1Sequence(
       new ASN1ObjectIdentifier(new OID("1.2.3.5")),
       new ASN1Null());
  final ASN1BitString signatureValue = new ASN1BitString(new boolean[1024]);
  final ASN1Sequence valueSequence = new ASN1Sequence(
       tbsCertificate,
       outerSignatureAlgorithm,
       signatureValue);

  new X509Certificate(valueSequence.encode());
}
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class ManageCertificates method printPublicKey.
/**
* Prints information about the provided public key.
*
* @param encodedPublicKey The encoded representation of the public key.
* This must not be {@code null}.
* @param decodedPublicKey The decoded representation of the public key, if
* available.
* @param parameters The public key algorithm parameters, if any.
* @param indent The string to place at the beginning of each
* line to indent that line.
*/
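private void printPublicKey(
     @NotNull final ASN1BitString encodedPublicKey,
     @Nullable final DecodedPublicKey decodedPublicKey,
     @Nullable final ASN1Element parameters,
     @NotNull final String indent) {
  // Without a decoded form, all that can be shown is the raw encoded key.
  if (decodedPublicKey == null) {
    String pkString;
    try {
      pkString = toColonDelimitedHex(encodedPublicKey.getBytes());
    } catch (final Exception e) {
      // Best effort: if the bit string cannot be rendered as bytes, fall
      // back to its string representation rather than failing the print.
      Debug.debugException(e);
      pkString = encodedPublicKey.toString();
    }

    out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_ENCODED_PK.get());
    for (final String line : StaticUtils.wrapLine(pkString, 78)) {
      out(indent + " " + line);
    }
    return;
  }

  if (decodedPublicKey instanceof RSAPublicKey) {
    final RSAPublicKey rsaPublicKey = (RSAPublicKey) decodedPublicKey;
    final byte[] modulusBytes = rsaPublicKey.getModulus().toByteArray();

    // Report the exact modulus size.  Deriving it from the byte-array
    // length (dropping a leading 0x00 only when the length is odd)
    // misreports some sizes: a 2040-bit modulus with its top bit set
    // encodes as 256 bytes including the sign byte and would be shown as
    // 2048 bits.  The displayed size is what an operator uses to judge key
    // strength, so it should not be rounded up.
    final int modulusSizeBits = rsaPublicKey.getModulus().bitLength();

    out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_RSA_MODULUS.get(modulusSizeBits));
    final String modulusHex = toColonDelimitedHex(modulusBytes);
    for (final String line : StaticUtils.wrapLine(modulusHex, 78)) {
      out(indent + " " + line);
    }

    out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_RSA_EXPONENT.get(
         toColonDelimitedHex(rsaPublicKey.getPublicExponent().toByteArray())));
  } else if (decodedPublicKey instanceof EllipticCurvePublicKey) {
    final EllipticCurvePublicKey ecPublicKey = (EllipticCurvePublicKey) decodedPublicKey;
    out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_IS_COMPRESSED.get(
         String.valueOf(ecPublicKey.usesCompressedForm())));
    out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_X.get(
         String.valueOf(ecPublicKey.getXCoordinate())));

    // When no y coordinate is available, only its parity is printed.
    if (ecPublicKey.getYCoordinate() == null) {
      out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_Y_IS_EVEN.get(
           String.valueOf(ecPublicKey.yCoordinateIsEven())));
    } else {
      out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_Y.get(
           String.valueOf(ecPublicKey.getYCoordinate())));
    }
  }
  // Any other decoded key type prints nothing here.
}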
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PromptTrustManagerProcessorTestCase method testSubjectCertificateWithInvalidSignature.
/**
* Tests the behavior with a two-certificate chain in which the subject
* certificate has an invalid signature.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testSubjectCertificateWithInvalidSignature() throws Exception {
  // Working directory, aliases, and the file paths derived from them.
  final File tempDir = createTempDir();

  final String caCertificateAlias = "ca-cert";
  final String caKeyStorePath =
       new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
  final String caCertificatePath =
       new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();

  final String serverCertificateAlias = "server-cert";
  final String serverKeyStorePath =
       new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
  final String serverCSRPath =
       new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
  final String serverCertificatePath =
       new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();

  // Step 1: a JKS keystore holding only a self-signed CA certificate, plus
  // a PEM export of that certificate.  The keystore password is a fixed
  // test-only value.
  manageCertificates(
       "generate-self-signed-certificate",
       "--keystore", caKeyStorePath,
       "--keystore-password", "password",
       "--keystore-type", "JKS",
       "--alias", caCertificateAlias,
       "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US",
       "--days-valid", "7300",
       "--key-algorithm", "RSA",
       "--key-size-bits", "2048",
       "--signature-algorithm", "SHA256withRSA",
       "--subject-alternative-name-email-address", "ca@example.com",
       "--basic-constraints-is-ca", "true",
       "--key-usage", "key-cert-sign",
       "--display-keytool-command");
  manageCertificates(
       "export-certificate",
       "--keystore", caKeyStorePath,
       "--keystore-password", "password",
       "--alias", caCertificateAlias,
       "--output-format", "PEM",
       "--output-file", caCertificatePath,
       "--display-keytool-command");

  // Step 2: a server keystore whose certificate is requested, signed by the
  // CA above, and then imported together with the CA certificate.
  manageCertificates(
       "generate-certificate-signing-request",
       "--output-file", serverCSRPath,
       "--keystore", serverKeyStorePath,
       "--keystore-password", "password",
       "--keystore-type", "JKS",
       "--alias", serverCertificateAlias,
       "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US",
       "--key-algorithm", "RSA",
       "--key-size-bits", "2048",
       "--signature-algorithm", "SHA256withRSA",
       "--subject-alternative-name-dns", "ldap.example.com",
       "--subject-alternative-name-dns", "ldap",
       "--subject-alternative-name-dns", "ds.example.com",
       "--subject-alternative-name-dns", "ds",
       "--subject-alternative-name-dns", "localhost",
       "--subject-alternative-name-ip-address", "127.0.0.1",
       "--subject-alternative-name-ip-address", "::1",
       "--extended-key-usage", "server-auth",
       "--extended-key-usage", "client-auth",
       "--display-keytool-command");
  manageCertificates(
       "sign-certificate-signing-request",
       "--request-input-file", serverCSRPath,
       "--certificate-output-file", serverCertificatePath,
       "--output-format", "PEM",
       "--keystore", caKeyStorePath,
       "--keystore-password", "password",
       "--signing-certificate-alias", caCertificateAlias,
       "--days-valid", "365",
       "--include-requested-extensions",
       "--no-prompt",
       "--display-keytool-command");
  manageCertificates(
       "import-certificate",
       "--certificate-file", serverCertificatePath,
       "--certificate-file", caCertificatePath,
       "--keystore", serverKeyStorePath,
       "--keystore-password", "password",
       "--alias", serverCertificateAlias,
       "--no-prompt",
       "--display-keytool-command");

  // Step 3: read the chain back out of the server keystore and convert it
  // to the LDAP SDK's certificate representation.
  final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
  try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
    keystore.load(inputStream, "password".toCharArray());
  }
  final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
  final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);

  // Step 4: replace the subject certificate with a copy that is identical
  // field for field, except that its signature is an all-false bit string
  // of the same length as the real one.
  final X509Certificate genuine = ldapSDKChain[0];
  final List<X509CertificateExtension> extensionList = genuine.getExtensions();
  final X509CertificateExtension[] extensionArray =
       extensionList.toArray(new X509CertificateExtension[0]);
  final int signatureBitCount = genuine.getSignatureValue().getBits().length;
  final ASN1BitString invalidSignatureValue =
       new ASN1BitString(new boolean[signatureBitCount]);
  ldapSDKChain[0] = InternalCertHelper.createX509Certificate(
       genuine.getVersion(),
       genuine.getSerialNumber(),
       genuine.getSignatureAlgorithmOID(),
       genuine.getSignatureAlgorithmParameters(),
       invalidSignatureValue,
       genuine.getIssuerDN(),
       genuine.getNotBeforeTime(),
       genuine.getNotAfterTime(),
       genuine.getSubjectDN(),
       genuine.getPublicKeyAlgorithmOID(),
       genuine.getPublicKeyAlgorithmParameters(),
       genuine.getEncodedPublicKey(),
       genuine.getDecodedPublicKey(),
       genuine.getIssuerUniqueID(),
       genuine.getSubjectUniqueID(),
       extensionArray);

  // Step 5: the processor must ask for a prompt and report exactly one
  // message for the tampered chain.
  // NOTE(review): only the message count is asserted, not its content, so
  // this would also pass if the single message were about something other
  // than the signature -- consider checking the text.
  final ObjectPair<Boolean, List<String>> promptResult =
       PromptTrustManagerProcessor.shouldPrompt(
            PromptTrustManager.getCacheKey(javaChain[0]),
            ldapSDKChain,
            true,
            true,
            Collections.<String, Boolean>emptyMap(),
            Collections.singletonList("ldap.example.com"));

  final Boolean shouldPrompt = promptResult.getFirst();
  assertNotNull(shouldPrompt);
  assertEquals(shouldPrompt, Boolean.TRUE);

  assertNotNull(promptResult.getSecond());
  assertFalse(promptResult.getSecond().isEmpty());
  assertEquals(promptResult.getSecond().size(), 1);
}
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PromptTrustManagerProcessorTestCase method testSelfSignedCertificateWithInvalidSignature.
/**
* Tests the behavior with a self-signed certificate that has an invalid
* signature.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testSelfSignedCertificateWithInvalidSignature() throws Exception {
  // Generate a genuine self-signed RSA-2048 certificate valid for 365 days.
  final DN subjectDN = new DN("CN=ldap.example.com,O=Example Corporation,C=US");
  final long notBefore = System.currentTimeMillis();
  final long notAfter = System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365L);
  final ObjectPair<X509Certificate, KeyPair> p =
       X509Certificate.generateSelfSignedCertificate(
            SignatureAlgorithmIdentifier.SHA_256_WITH_RSA,
            PublicKeyAlgorithmIdentifier.RSA,
            2048,
            subjectDN,
            notBefore,
            notAfter);
  final X509Certificate c = p.getFirst();

  // Rebuild the certificate around a signature made of 256 zero bytes, so
  // the signature no longer matches the certificate contents.
  // NOTE(review): the public key algorithm parameters are passed as null
  // here rather than copied from the original certificate; whether that is
  // intentional is not visible from this listing.
  final X509CertificateExtension[] extensions =
       c.getExtensions().toArray(new X509CertificateExtension[0]);
  final ASN1BitString zeroedSignature =
       new ASN1BitString(ASN1BitString.getBitsForBytes(new byte[256]));
  final X509Certificate cert = InternalCertHelper.createX509Certificate(
       c.getVersion(),
       c.getSerialNumber(),
       c.getSignatureAlgorithmOID(),
       c.getSignatureAlgorithmParameters(),
       zeroedSignature,
       c.getIssuerDN(),
       c.getNotBeforeTime(),
       c.getNotAfterTime(),
       c.getSubjectDN(),
       c.getPublicKeyAlgorithmOID(),
       null,
       c.getEncodedPublicKey(),
       c.getDecodedPublicKey(),
       c.getIssuerUniqueID(),
       c.getSubjectUniqueID(),
       extensions);

  // Ask the processor about the single-certificate chain; no expected
  // host names are supplied (the last argument is null).
  final X509Certificate[] chain = { cert };
  final ObjectPair<Boolean, List<String>> promptResult =
       PromptTrustManagerProcessor.shouldPrompt(
            PromptTrustManager.getCacheKey(cert.toCertificate()),
            chain,
            true,
            true,
            Collections.<String, Boolean>emptyMap(),
            null);

  // A prompt is required, and exactly two messages are expected.
  // NOTE(review): the message text is not checked, so the test does not
  // prove that one of the two messages is about the bad signature.
  final Boolean shouldPrompt = promptResult.getFirst();
  assertNotNull(shouldPrompt);
  assertEquals(shouldPrompt, Boolean.TRUE);

  assertNotNull(promptResult.getSecond());
  assertFalse(promptResult.getSecond().isEmpty());
  assertEquals(promptResult.getSecond().size(), 2);
}