Search in sources :

Example 96 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class X509CertificateTestCase method testDecodeMalformedExtension.

/**
 * Tests the behavior when trying to decode a certificate with a malformed
 * subject unique ID.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeMalformedExtension() throws Exception {
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
    final ASN1Sequence valueSequence = new ASN1Sequence(new ASN1Sequence(new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()), new ASN1BigInteger(12435L), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), X509Certificate.encodeName(new DN("CN=issuer")), new ASN1Sequence(new ASN1GeneralizedTime(notBefore), new ASN1GeneralizedTime(notAfter)), X509Certificate.encodeName(new DN("CN=ldap.example.com")), new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024])), new ASN1Element((byte) 0xA3)), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), new ASN1BitString(new boolean[1024]));
    new X509Certificate(valueSequence.encode());
}
Also used : ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1BigInteger(com.unboundid.asn1.ASN1BigInteger) DN(com.unboundid.ldap.sdk.DN) ASN1GeneralizedTime(com.unboundid.asn1.ASN1GeneralizedTime) ASN1Integer(com.unboundid.asn1.ASN1Integer) OID(com.unboundid.util.OID) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 97 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class X509CertificateTestCase method testDecodeMalformedSignatureBitString.

/**
 * Tests the behavior when trying to decode a certificate with a malformed
 * signature bit string.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeMalformedSignatureBitString() throws Exception {
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
    final ASN1Sequence valueSequence = new ASN1Sequence(new ASN1Sequence(new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()), new ASN1BigInteger(12435L), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), X509Certificate.encodeName(new DN("CN=issuer")), new ASN1Sequence(new ASN1GeneralizedTime(notBefore), new ASN1GeneralizedTime(notAfter)), X509Certificate.encodeName(new DN("CN=ldap.example.com")), new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024]))), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024]));
    new X509Certificate(valueSequence.encode());
}
Also used : ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1BigInteger(com.unboundid.asn1.ASN1BigInteger) DN(com.unboundid.ldap.sdk.DN) ASN1GeneralizedTime(com.unboundid.asn1.ASN1GeneralizedTime) ASN1Integer(com.unboundid.asn1.ASN1Integer) OID(com.unboundid.util.OID) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 98 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class ManageCertificates method printPublicKey.

/**
 * Prints information about the provided public key.
 *
 * @param  encodedPublicKey  The encoded representation of the public key.
 *                           This must not be {@code null}.
 * @param  decodedPublicKey  The decoded representation of the public key, if
 *                           available.
 * @param  parameters        The public key algorithm parameters, if any.
 * @param  indent            The string to place at the beginning of each
 *                           line to indent that line.
 */
private void printPublicKey(@NotNull final ASN1BitString encodedPublicKey, @Nullable final DecodedPublicKey decodedPublicKey, @Nullable final ASN1Element parameters, @NotNull final String indent) {
    if (decodedPublicKey == null) {
        String pkString;
        try {
            pkString = toColonDelimitedHex(encodedPublicKey.getBytes());
        } catch (final Exception e) {
            Debug.debugException(e);
            pkString = encodedPublicKey.toString();
        }
        out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_ENCODED_PK.get());
        for (final String line : StaticUtils.wrapLine(pkString, 78)) {
            out(indent + "     " + line);
        }
        return;
    }
    if (decodedPublicKey instanceof RSAPublicKey) {
        final RSAPublicKey rsaPublicKey = (RSAPublicKey) decodedPublicKey;
        final byte[] modulusBytes = rsaPublicKey.getModulus().toByteArray();
        int modulusSizeBits = modulusBytes.length * 8;
        if (((modulusBytes.length % 2) != 0) && (modulusBytes[0] == 0x00)) {
            modulusSizeBits -= 8;
        }
        out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_RSA_MODULUS.get(modulusSizeBits));
        final String modulusHex = toColonDelimitedHex(modulusBytes);
        for (final String line : StaticUtils.wrapLine(modulusHex, 78)) {
            out(indent + "     " + line);
        }
        out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_RSA_EXPONENT.get(toColonDelimitedHex(rsaPublicKey.getPublicExponent().toByteArray())));
    } else if (decodedPublicKey instanceof EllipticCurvePublicKey) {
        final EllipticCurvePublicKey ecPublicKey = (EllipticCurvePublicKey) decodedPublicKey;
        out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_IS_COMPRESSED.get(String.valueOf(ecPublicKey.usesCompressedForm())));
        out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_X.get(String.valueOf(ecPublicKey.getXCoordinate())));
        if (ecPublicKey.getYCoordinate() == null) {
            out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_Y_IS_EVEN.get(String.valueOf(ecPublicKey.yCoordinateIsEven())));
        } else {
            out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_Y.get(String.valueOf(ecPublicKey.getYCoordinate())));
        }
    }
}
Also used : ASN1BitString(com.unboundid.asn1.ASN1BitString) ArgumentException(com.unboundid.util.args.ArgumentException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) LDAPException(com.unboundid.ldap.sdk.LDAPException) IOException(java.io.IOException)

Example 99 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class PromptTrustManagerProcessorTestCase method testSubjectCertificateWithInvalidSignature.

/**
 * Tests the behavior with a two-certificate chain in which the subject
 * certificate has an invalid signature.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testSubjectCertificateWithInvalidSignature() throws Exception {
    // Create a bunch of variables with file paths and other values to use
    // during testing.
    final File tempDir = createTempDir();
    final String caCertificateAlias = "ca-cert";
    final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
    final String serverCertificateAlias = "server-cert";
    final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
    final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
    // Create a JKS keystore with just a CA certificate.
    manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
    manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
    // Create a JKS keystore with a server certificate that is signed by the CA.
    manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
    manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
    manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
    // Load the keystore and get the certificate chain.
    final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
    try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
        keystore.load(inputStream, "password".toCharArray());
    }
    final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
    final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
    final List<X509CertificateExtension> extensionList = ldapSDKChain[0].getExtensions();
    final X509CertificateExtension[] extensionArray = new X509CertificateExtension[extensionList.size()];
    extensionList.toArray(extensionArray);
    final boolean[] validSignatureBits = ldapSDKChain[0].getSignatureValue().getBits();
    final boolean[] invalidSignatureBits = new boolean[validSignatureBits.length];
    final ASN1BitString invalidSignatureValue = new ASN1BitString(invalidSignatureBits);
    ldapSDKChain[0] = InternalCertHelper.createX509Certificate(ldapSDKChain[0].getVersion(), ldapSDKChain[0].getSerialNumber(), ldapSDKChain[0].getSignatureAlgorithmOID(), ldapSDKChain[0].getSignatureAlgorithmParameters(), invalidSignatureValue, ldapSDKChain[0].getIssuerDN(), ldapSDKChain[0].getNotBeforeTime(), ldapSDKChain[0].getNotAfterTime(), ldapSDKChain[0].getSubjectDN(), ldapSDKChain[0].getPublicKeyAlgorithmOID(), ldapSDKChain[0].getPublicKeyAlgorithmParameters(), ldapSDKChain[0].getEncodedPublicKey(), ldapSDKChain[0].getDecodedPublicKey(), ldapSDKChain[0].getIssuerUniqueID(), ldapSDKChain[0].getSubjectUniqueID(), extensionArray);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
    assertNotNull(promptResult.getFirst());
    assertEquals(promptResult.getFirst(), Boolean.TRUE);
    assertNotNull(promptResult.getSecond());
    assertFalse(promptResult.getSecond().isEmpty());
    assertEquals(promptResult.getSecond().size(), 1);
}
Also used : X509CertificateExtension(com.unboundid.util.ssl.cert.X509CertificateExtension) ASN1BitString(com.unboundid.asn1.ASN1BitString) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) ASN1BitString(com.unboundid.asn1.ASN1BitString) List(java.util.List) File(java.io.File) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) Certificate(java.security.cert.Certificate) Test(org.testng.annotations.Test)

Example 100 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class PromptTrustManagerProcessorTestCase method testSelfSignedCertificateWithInvalidSignature.

/**
 * Tests the behavior with a self-signed certificate that has an invalid
 * signature.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testSelfSignedCertificateWithInvalidSignature() throws Exception {
    final ObjectPair<X509Certificate, KeyPair> p = X509Certificate.generateSelfSignedCertificate(SignatureAlgorithmIdentifier.SHA_256_WITH_RSA, PublicKeyAlgorithmIdentifier.RSA, 2048, new DN("CN=ldap.example.com,O=Example Corporation,C=US"), System.currentTimeMillis(), System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365L));
    final X509Certificate c = p.getFirst();
    final X509CertificateExtension[] extensions = new X509CertificateExtension[c.getExtensions().size()];
    c.getExtensions().toArray(extensions);
    final X509Certificate cert = InternalCertHelper.createX509Certificate(c.getVersion(), c.getSerialNumber(), c.getSignatureAlgorithmOID(), c.getSignatureAlgorithmParameters(), new ASN1BitString(ASN1BitString.getBitsForBytes(new byte[256])), c.getIssuerDN(), c.getNotBeforeTime(), c.getNotAfterTime(), c.getSubjectDN(), c.getPublicKeyAlgorithmOID(), null, c.getEncodedPublicKey(), c.getDecodedPublicKey(), c.getIssuerUniqueID(), c.getSubjectUniqueID(), extensions);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(cert.toCertificate()), new X509Certificate[] { cert }, true, true, Collections.<String, Boolean>emptyMap(), null);
    assertNotNull(promptResult.getFirst());
    assertEquals(promptResult.getFirst(), Boolean.TRUE);
    assertNotNull(promptResult.getSecond());
    assertFalse(promptResult.getSecond().isEmpty());
    assertEquals(promptResult.getSecond().size(), 2);
}
Also used : X509CertificateExtension(com.unboundid.util.ssl.cert.X509CertificateExtension) KeyPair(java.security.KeyPair) DN(com.unboundid.ldap.sdk.DN) List(java.util.List) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) ASN1BitString(com.unboundid.asn1.ASN1BitString) Test(org.testng.annotations.Test)

Aggregations

ASN1BitString (com.unboundid.asn1.ASN1BitString)72 Test (org.testng.annotations.Test)62 DN (com.unboundid.ldap.sdk.DN)49 ASN1Null (com.unboundid.asn1.ASN1Null)36 OID (com.unboundid.util.OID)33 ASN1ObjectIdentifier (com.unboundid.asn1.ASN1ObjectIdentifier)26 ASN1OctetString (com.unboundid.asn1.ASN1OctetString)25 ASN1Sequence (com.unboundid.asn1.ASN1Sequence)24 ASN1Element (com.unboundid.asn1.ASN1Element)23 ASN1BigInteger (com.unboundid.asn1.ASN1BigInteger)22 ASN1Integer (com.unboundid.asn1.ASN1Integer)20 IOException (java.io.IOException)16 ASN1BitString (com.github.zhenwei.core.asn1.ASN1BitString)14 ASN1BitString (org.bouncycastle.asn1.ASN1BitString)11 BigInteger (java.math.BigInteger)10 ArrayList (java.util.ArrayList)10 ASN1GeneralizedTime (com.unboundid.asn1.ASN1GeneralizedTime)9 NotNull (com.unboundid.util.NotNull)9 Date (java.util.Date)8 KeyPair (java.security.KeyPair)7