Search in sources :

Example 16 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class PromptTrustManagerProcessorTestCase method testIssuerCertificateWithInvalidSignature.

/**
 * Tests the behavior with an issuer certificate that has an invalid
 * signature.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testIssuerCertificateWithInvalidSignature() throws Exception {
    // Create a bunch of variables with file paths and other values to use
    // during testing.
    final File tempDir = createTempDir();
    final String caCertificateAlias = "ca-cert";
    final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
    final String serverCertificateAlias = "server-cert";
    final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
    final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
    // Create a JKS keystore with just a CA certificate.
    manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
    manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
    // Create a JKS keystore with a server certificate that is signed by the CA.
    manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
    manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
    manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
    // Load the keystore and get the certificate chain.
    final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
    try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
        keystore.load(inputStream, "password".toCharArray());
    }
    final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
    final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
    final List<X509CertificateExtension> extensionList = ldapSDKChain[1].getExtensions();
    final X509CertificateExtension[] extensionArray = new X509CertificateExtension[extensionList.size()];
    extensionList.toArray(extensionArray);
    final boolean[] validSignatureBits = ldapSDKChain[1].getSignatureValue().getBits();
    final boolean[] invalidSignatureBits = new boolean[validSignatureBits.length];
    final ASN1BitString invalidSignatureValue = new ASN1BitString(invalidSignatureBits);
    ldapSDKChain[1] = InternalCertHelper.createX509Certificate(ldapSDKChain[1].getVersion(), ldapSDKChain[1].getSerialNumber(), ldapSDKChain[1].getSignatureAlgorithmOID(), ldapSDKChain[1].getSignatureAlgorithmParameters(), invalidSignatureValue, ldapSDKChain[1].getIssuerDN(), ldapSDKChain[1].getNotBeforeTime(), ldapSDKChain[1].getNotAfterTime(), ldapSDKChain[1].getSubjectDN(), ldapSDKChain[1].getPublicKeyAlgorithmOID(), ldapSDKChain[1].getPublicKeyAlgorithmParameters(), ldapSDKChain[1].getEncodedPublicKey(), ldapSDKChain[1].getDecodedPublicKey(), ldapSDKChain[1].getIssuerUniqueID(), ldapSDKChain[1].getSubjectUniqueID(), extensionArray);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
    assertNotNull(promptResult.getFirst());
    assertEquals(promptResult.getFirst(), Boolean.TRUE);
    assertNotNull(promptResult.getSecond());
    assertFalse(promptResult.getSecond().isEmpty());
    assertEquals(promptResult.getSecond().size(), 1);
}
Also used : X509CertificateExtension(com.unboundid.util.ssl.cert.X509CertificateExtension) ASN1BitString(com.unboundid.asn1.ASN1BitString) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) ASN1BitString(com.unboundid.asn1.ASN1BitString) List(java.util.List) File(java.io.File) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) Certificate(java.security.cert.Certificate) Test(org.testng.annotations.Test)

Example 17 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class PKCS10CertificateSigningRequestTestCase method testCSRWithUnrecognizedOIDs.

/**
 * Tests a certificate signing request with an unrecognized set of OIDs.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testCSRWithUnrecognizedOIDs() throws Exception {
    PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, new OID("1.2.3.4"), null, new ASN1BitString(true, false, true, false, true), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), new OID("1.2.3.5"), null, new ASN1BitString(false, true, false, true, false), null, null);
    assertNotNull(csr.toString());
    assertNotNull(csr.toPEM());
    assertFalse(csr.toPEM().isEmpty());
    assertNotNull(csr.toPEMString());
    csr = new PKCS10CertificateSigningRequest(csr.getPKCS10CertificateSigningRequestBytes());
    assertNotNull(csr.getVersion());
    assertEquals(csr.getVersion(), PKCS10CertificateSigningRequestVersion.V1);
    assertNotNull(csr.getSignatureAlgorithmOID());
    assertEquals(csr.getSignatureAlgorithmOID(), new OID("1.2.3.4"));
    assertNull(csr.getSignatureAlgorithmName());
    assertNotNull(csr.getSignatureAlgorithmNameOrOID());
    assertEquals(csr.getSignatureAlgorithmNameOrOID(), "1.2.3.4");
    assertNull(csr.getSignatureAlgorithmParameters());
    assertNotNull(csr.getSubjectDN());
    assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertNotNull(csr.getPublicKeyAlgorithmOID());
    assertEquals(csr.getPublicKeyAlgorithmOID(), new OID("1.2.3.5"));
    assertNull(csr.getPublicKeyAlgorithmName());
    assertNotNull(csr.getPublicKeyAlgorithmNameOrOID());
    assertEquals(csr.getPublicKeyAlgorithmNameOrOID(), "1.2.3.5");
    assertNull(csr.getPublicKeyAlgorithmParameters());
    assertNotNull(csr.getEncodedPublicKey());
    assertNull(csr.getDecodedPublicKey());
    assertNotNull(csr.getRequestAttributes());
    assertTrue(csr.getRequestAttributes().isEmpty());
    assertNotNull(csr.getExtensions());
    assertTrue(csr.getExtensions().isEmpty());
    assertNotNull(csr.getSignatureValue());
    assertNotNull(csr.toString());
    assertNotNull(csr.toPEM());
    assertFalse(csr.toPEM().isEmpty());
    assertNotNull(csr.toPEMString());
}
Also used : DN(com.unboundid.ldap.sdk.DN) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) Test(org.testng.annotations.Test)

Example 18 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class PKCS10CertificateSigningRequestTestCase method testVerifySignatureMalformedPublicKey.

/**
 * Tests the behavior of the {@code verifySignature} method with a malformed
 * public key.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testVerifySignatureMalformedPublicKey() throws Exception {
    final PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), new ASN1Null(), new ASN1BitString(true, false, true, false), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), new ASN1Null(), new ASN1BitString(false, true, false, true), null, null);
    csr.verifySignature();
}
Also used : DN(com.unboundid.ldap.sdk.DN) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 19 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class PKCS10CertificateSigningRequestTestCase method testValidCSRWithNoOptionalElements.

/**
 * Tests a valid PKCS#10 certificate signing request with an RSA public key
 * and no optional elements.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testValidCSRWithNoOptionalElements() throws Exception {
    final byte[] modulusBytes = new byte[256];
    modulusBytes[0] = 0x40;
    modulusBytes[255] = 0x01;
    final BigInteger modulus = new BigInteger(modulusBytes);
    final BigInteger exponent = BigInteger.valueOf(65537L);
    final RSAPublicKey publicKey = new RSAPublicKey(modulus, exponent);
    PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), null, new ASN1BitString(true, false, true, false, true), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), null, publicKey.encode(), null, null);
    assertNotNull(csr.toString());
    assertNotNull(csr.toPEM());
    assertFalse(csr.toPEM().isEmpty());
    assertNotNull(csr.toPEMString());
    csr = new PKCS10CertificateSigningRequest(csr.getPKCS10CertificateSigningRequestBytes());
    assertNotNull(csr.getVersion());
    assertEquals(csr.getVersion(), PKCS10CertificateSigningRequestVersion.V1);
    assertNotNull(csr.getSignatureAlgorithmOID());
    assertEquals(csr.getSignatureAlgorithmOID(), SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID());
    assertNotNull(csr.getSignatureAlgorithmName());
    assertEquals(csr.getSignatureAlgorithmName(), "SHA-256 with RSA");
    assertNotNull(csr.getSignatureAlgorithmNameOrOID());
    assertEquals(csr.getSignatureAlgorithmNameOrOID(), "SHA-256 with RSA");
    assertNull(csr.getSignatureAlgorithmParameters());
    assertNotNull(csr.getSubjectDN());
    assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertNotNull(csr.getPublicKeyAlgorithmOID());
    assertEquals(csr.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.RSA.getOID());
    assertNotNull(csr.getPublicKeyAlgorithmName());
    assertEquals(csr.getPublicKeyAlgorithmName(), "RSA");
    assertNotNull(csr.getPublicKeyAlgorithmNameOrOID());
    assertEquals(csr.getPublicKeyAlgorithmNameOrOID(), "RSA");
    assertNull(csr.getPublicKeyAlgorithmParameters());
    assertNotNull(csr.getEncodedPublicKey());
    assertNotNull(csr.getDecodedPublicKey());
    assertTrue(csr.getDecodedPublicKey() instanceof RSAPublicKey);
    assertNotNull(csr.getRequestAttributes());
    assertTrue(csr.getRequestAttributes().isEmpty());
    assertNotNull(csr.getExtensions());
    assertTrue(csr.getExtensions().isEmpty());
    assertNotNull(csr.getSignatureValue());
    assertNotNull(csr.toString());
    assertNotNull(csr.toPEM());
    assertFalse(csr.toPEM().isEmpty());
    assertNotNull(csr.toPEMString());
}
Also used : BigInteger(java.math.BigInteger) DN(com.unboundid.ldap.sdk.DN) ASN1BitString(com.unboundid.asn1.ASN1BitString) Test(org.testng.annotations.Test)

Example 20 with ASN1BitString

use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class PKCS10CertificateSigningRequestTestCase method testValidCSRWithAllOptionalElements.

/**
 * Tests a valid PKCS#10 certificate signing request with an EC public key
 * and all optional elements.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testValidCSRWithAllOptionalElements() throws Exception {
    final EllipticCurvePublicKey publicKey = new EllipticCurvePublicKey(BigInteger.valueOf(1234567890L), BigInteger.valueOf(9876543210L));
    final ArrayList<ObjectPair<OID, ASN1Set>> nonExtensionAttributes = new ArrayList<>(2);
    nonExtensionAttributes.add(new ObjectPair<>(new OID("1.2.3.4"), new ASN1Set()));
    nonExtensionAttributes.add(new ObjectPair<>(new OID("1.2.3.5"), new ASN1Set()));
    PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID(), new ASN1Null(), new ASN1BitString(new boolean[2048]), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.EC.getOID(), new ASN1ObjectIdentifier(NamedCurve.SECP256R1.getOID()), publicKey.encode(), publicKey, nonExtensionAttributes, new SubjectKeyIdentifierExtension(false, new ASN1OctetString("keyIdentifier")), new SubjectAlternativeNameExtension(false, new GeneralNamesBuilder().addDNSName("ldap.example.com").build()));
    assertNotNull(csr.toString());
    assertNotNull(csr.toPEM());
    assertFalse(csr.toPEM().isEmpty());
    assertNotNull(csr.toPEMString());
    csr = new PKCS10CertificateSigningRequest(csr.getPKCS10CertificateSigningRequestBytes());
    assertNotNull(csr.getVersion());
    assertEquals(csr.getVersion(), PKCS10CertificateSigningRequestVersion.V1);
    assertNotNull(csr.getSignatureAlgorithmOID());
    assertEquals(csr.getSignatureAlgorithmOID(), SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID());
    assertNotNull(csr.getSignatureAlgorithmName());
    assertEquals(csr.getSignatureAlgorithmName(), "SHA-256 with ECDSA");
    assertNotNull(csr.getSignatureAlgorithmNameOrOID());
    assertEquals(csr.getSignatureAlgorithmNameOrOID(), "SHA-256 with ECDSA");
    assertNotNull(csr.getSignatureAlgorithmParameters());
    assertNotNull(csr.getSubjectDN());
    assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertNotNull(csr.getPublicKeyAlgorithmOID());
    assertEquals(csr.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.EC.getOID());
    assertNotNull(csr.getPublicKeyAlgorithmName());
    assertEquals(csr.getPublicKeyAlgorithmName(), "EC");
    assertNotNull(csr.getPublicKeyAlgorithmNameOrOID());
    assertEquals(csr.getPublicKeyAlgorithmNameOrOID(), "EC");
    assertNotNull(csr.getPublicKeyAlgorithmParameters());
    assertNotNull(csr.getEncodedPublicKey());
    assertNotNull(csr.getDecodedPublicKey());
    assertTrue(csr.getDecodedPublicKey() instanceof EllipticCurvePublicKey);
    assertNotNull(csr.getRequestAttributes());
    assertFalse(csr.getRequestAttributes().isEmpty());
    assertEquals(csr.getRequestAttributes().size(), 3);
    assertNotNull(csr.getExtensions());
    assertFalse(csr.getExtensions().isEmpty());
    assertEquals(csr.getExtensions().size(), 2);
    assertNotNull(csr.getSignatureValue());
    assertNotNull(csr.toString());
    assertNotNull(csr.toPEM());
    assertFalse(csr.toPEM().isEmpty());
    assertNotNull(csr.toPEMString());
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) ArrayList(java.util.ArrayList) DN(com.unboundid.ldap.sdk.DN) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Set(com.unboundid.asn1.ASN1Set) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ObjectPair(com.unboundid.util.ObjectPair) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Aggregations

ASN1BitString (com.unboundid.asn1.ASN1BitString)72 Test (org.testng.annotations.Test)62 DN (com.unboundid.ldap.sdk.DN)49 ASN1Null (com.unboundid.asn1.ASN1Null)36 OID (com.unboundid.util.OID)33 ASN1ObjectIdentifier (com.unboundid.asn1.ASN1ObjectIdentifier)26 ASN1OctetString (com.unboundid.asn1.ASN1OctetString)25 ASN1Sequence (com.unboundid.asn1.ASN1Sequence)24 ASN1Element (com.unboundid.asn1.ASN1Element)23 ASN1BigInteger (com.unboundid.asn1.ASN1BigInteger)22 ASN1Integer (com.unboundid.asn1.ASN1Integer)20 IOException (java.io.IOException)16 ASN1BitString (com.github.zhenwei.core.asn1.ASN1BitString)14 ASN1BitString (org.bouncycastle.asn1.ASN1BitString)11 BigInteger (java.math.BigInteger)10 ArrayList (java.util.ArrayList)10 ASN1GeneralizedTime (com.unboundid.asn1.ASN1GeneralizedTime)9 NotNull (com.unboundid.util.NotNull)9 Date (java.util.Date)8 KeyPair (java.security.KeyPair)7