use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PromptTrustManagerProcessorTestCase method testIssuerCertificateWithInvalidSignature.
/**
* Tests the behavior with an issuer certificate that has an invalid
* signature.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testIssuerCertificateWithInvalidSignature() throws Exception {
// Create a bunch of variables with file paths and other values to use
// during testing.
final File tempDir = createTempDir();
final String caCertificateAlias = "ca-cert";
final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
final String serverCertificateAlias = "server-cert";
final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
// Create a JKS keystore with just a CA certificate.
manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
// Create a JKS keystore with a server certificate that is signed by the CA.
manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
// Load the keystore and get the certificate chain.
final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
keystore.load(inputStream, "password".toCharArray());
}
final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
final List<X509CertificateExtension> extensionList = ldapSDKChain[1].getExtensions();
final X509CertificateExtension[] extensionArray = new X509CertificateExtension[extensionList.size()];
extensionList.toArray(extensionArray);
final boolean[] validSignatureBits = ldapSDKChain[1].getSignatureValue().getBits();
final boolean[] invalidSignatureBits = new boolean[validSignatureBits.length];
final ASN1BitString invalidSignatureValue = new ASN1BitString(invalidSignatureBits);
ldapSDKChain[1] = InternalCertHelper.createX509Certificate(ldapSDKChain[1].getVersion(), ldapSDKChain[1].getSerialNumber(), ldapSDKChain[1].getSignatureAlgorithmOID(), ldapSDKChain[1].getSignatureAlgorithmParameters(), invalidSignatureValue, ldapSDKChain[1].getIssuerDN(), ldapSDKChain[1].getNotBeforeTime(), ldapSDKChain[1].getNotAfterTime(), ldapSDKChain[1].getSubjectDN(), ldapSDKChain[1].getPublicKeyAlgorithmOID(), ldapSDKChain[1].getPublicKeyAlgorithmParameters(), ldapSDKChain[1].getEncodedPublicKey(), ldapSDKChain[1].getDecodedPublicKey(), ldapSDKChain[1].getIssuerUniqueID(), ldapSDKChain[1].getSubjectUniqueID(), extensionArray);
// Invoke the shouldPrompt method and examine the result.
final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
assertNotNull(promptResult.getFirst());
assertEquals(promptResult.getFirst(), Boolean.TRUE);
assertNotNull(promptResult.getSecond());
assertFalse(promptResult.getSecond().isEmpty());
assertEquals(promptResult.getSecond().size(), 1);
}
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequestTestCase method testCSRWithUnrecognizedOIDs.
/**
* Tests a certificate signing request with an unrecognized set of OIDs.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testCSRWithUnrecognizedOIDs() throws Exception {
PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, new OID("1.2.3.4"), null, new ASN1BitString(true, false, true, false, true), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), new OID("1.2.3.5"), null, new ASN1BitString(false, true, false, true, false), null, null);
assertNotNull(csr.toString());
assertNotNull(csr.toPEM());
assertFalse(csr.toPEM().isEmpty());
assertNotNull(csr.toPEMString());
csr = new PKCS10CertificateSigningRequest(csr.getPKCS10CertificateSigningRequestBytes());
assertNotNull(csr.getVersion());
assertEquals(csr.getVersion(), PKCS10CertificateSigningRequestVersion.V1);
assertNotNull(csr.getSignatureAlgorithmOID());
assertEquals(csr.getSignatureAlgorithmOID(), new OID("1.2.3.4"));
assertNull(csr.getSignatureAlgorithmName());
assertNotNull(csr.getSignatureAlgorithmNameOrOID());
assertEquals(csr.getSignatureAlgorithmNameOrOID(), "1.2.3.4");
assertNull(csr.getSignatureAlgorithmParameters());
assertNotNull(csr.getSubjectDN());
assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
assertNotNull(csr.getPublicKeyAlgorithmOID());
assertEquals(csr.getPublicKeyAlgorithmOID(), new OID("1.2.3.5"));
assertNull(csr.getPublicKeyAlgorithmName());
assertNotNull(csr.getPublicKeyAlgorithmNameOrOID());
assertEquals(csr.getPublicKeyAlgorithmNameOrOID(), "1.2.3.5");
assertNull(csr.getPublicKeyAlgorithmParameters());
assertNotNull(csr.getEncodedPublicKey());
assertNull(csr.getDecodedPublicKey());
assertNotNull(csr.getRequestAttributes());
assertTrue(csr.getRequestAttributes().isEmpty());
assertNotNull(csr.getExtensions());
assertTrue(csr.getExtensions().isEmpty());
assertNotNull(csr.getSignatureValue());
assertNotNull(csr.toString());
assertNotNull(csr.toPEM());
assertFalse(csr.toPEM().isEmpty());
assertNotNull(csr.toPEMString());
}
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequestTestCase method testVerifySignatureMalformedPublicKey.
/**
* Tests the behavior of the {@code verifySignature} method with a malformed
* public key.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testVerifySignatureMalformedPublicKey() throws Exception {
final PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), new ASN1Null(), new ASN1BitString(true, false, true, false), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), new ASN1Null(), new ASN1BitString(false, true, false, true), null, null);
csr.verifySignature();
}
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequestTestCase method testValidCSRWithNoOptionalElements.
/**
* Tests a valid PKCS#10 certificate signing request with an RSA public key
* and no optional elements.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testValidCSRWithNoOptionalElements() throws Exception {
final byte[] modulusBytes = new byte[256];
modulusBytes[0] = 0x40;
modulusBytes[255] = 0x01;
final BigInteger modulus = new BigInteger(modulusBytes);
final BigInteger exponent = BigInteger.valueOf(65537L);
final RSAPublicKey publicKey = new RSAPublicKey(modulus, exponent);
PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), null, new ASN1BitString(true, false, true, false, true), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), null, publicKey.encode(), null, null);
assertNotNull(csr.toString());
assertNotNull(csr.toPEM());
assertFalse(csr.toPEM().isEmpty());
assertNotNull(csr.toPEMString());
csr = new PKCS10CertificateSigningRequest(csr.getPKCS10CertificateSigningRequestBytes());
assertNotNull(csr.getVersion());
assertEquals(csr.getVersion(), PKCS10CertificateSigningRequestVersion.V1);
assertNotNull(csr.getSignatureAlgorithmOID());
assertEquals(csr.getSignatureAlgorithmOID(), SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID());
assertNotNull(csr.getSignatureAlgorithmName());
assertEquals(csr.getSignatureAlgorithmName(), "SHA-256 with RSA");
assertNotNull(csr.getSignatureAlgorithmNameOrOID());
assertEquals(csr.getSignatureAlgorithmNameOrOID(), "SHA-256 with RSA");
assertNull(csr.getSignatureAlgorithmParameters());
assertNotNull(csr.getSubjectDN());
assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
assertNotNull(csr.getPublicKeyAlgorithmOID());
assertEquals(csr.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.RSA.getOID());
assertNotNull(csr.getPublicKeyAlgorithmName());
assertEquals(csr.getPublicKeyAlgorithmName(), "RSA");
assertNotNull(csr.getPublicKeyAlgorithmNameOrOID());
assertEquals(csr.getPublicKeyAlgorithmNameOrOID(), "RSA");
assertNull(csr.getPublicKeyAlgorithmParameters());
assertNotNull(csr.getEncodedPublicKey());
assertNotNull(csr.getDecodedPublicKey());
assertTrue(csr.getDecodedPublicKey() instanceof RSAPublicKey);
assertNotNull(csr.getRequestAttributes());
assertTrue(csr.getRequestAttributes().isEmpty());
assertNotNull(csr.getExtensions());
assertTrue(csr.getExtensions().isEmpty());
assertNotNull(csr.getSignatureValue());
assertNotNull(csr.toString());
assertNotNull(csr.toPEM());
assertFalse(csr.toPEM().isEmpty());
assertNotNull(csr.toPEMString());
}
use of com.mindbright.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequestTestCase method testValidCSRWithAllOptionalElements.
/**
* Tests a valid PKCS#10 certificate signing request with an EC public key
* and all optional elements.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testValidCSRWithAllOptionalElements() throws Exception {
final EllipticCurvePublicKey publicKey = new EllipticCurvePublicKey(BigInteger.valueOf(1234567890L), BigInteger.valueOf(9876543210L));
final ArrayList<ObjectPair<OID, ASN1Set>> nonExtensionAttributes = new ArrayList<>(2);
nonExtensionAttributes.add(new ObjectPair<>(new OID("1.2.3.4"), new ASN1Set()));
nonExtensionAttributes.add(new ObjectPair<>(new OID("1.2.3.5"), new ASN1Set()));
PKCS10CertificateSigningRequest csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID(), new ASN1Null(), new ASN1BitString(new boolean[2048]), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.EC.getOID(), new ASN1ObjectIdentifier(NamedCurve.SECP256R1.getOID()), publicKey.encode(), publicKey, nonExtensionAttributes, new SubjectKeyIdentifierExtension(false, new ASN1OctetString("keyIdentifier")), new SubjectAlternativeNameExtension(false, new GeneralNamesBuilder().addDNSName("ldap.example.com").build()));
assertNotNull(csr.toString());
assertNotNull(csr.toPEM());
assertFalse(csr.toPEM().isEmpty());
assertNotNull(csr.toPEMString());
csr = new PKCS10CertificateSigningRequest(csr.getPKCS10CertificateSigningRequestBytes());
assertNotNull(csr.getVersion());
assertEquals(csr.getVersion(), PKCS10CertificateSigningRequestVersion.V1);
assertNotNull(csr.getSignatureAlgorithmOID());
assertEquals(csr.getSignatureAlgorithmOID(), SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID());
assertNotNull(csr.getSignatureAlgorithmName());
assertEquals(csr.getSignatureAlgorithmName(), "SHA-256 with ECDSA");
assertNotNull(csr.getSignatureAlgorithmNameOrOID());
assertEquals(csr.getSignatureAlgorithmNameOrOID(), "SHA-256 with ECDSA");
assertNotNull(csr.getSignatureAlgorithmParameters());
assertNotNull(csr.getSubjectDN());
assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
assertNotNull(csr.getPublicKeyAlgorithmOID());
assertEquals(csr.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.EC.getOID());
assertNotNull(csr.getPublicKeyAlgorithmName());
assertEquals(csr.getPublicKeyAlgorithmName(), "EC");
assertNotNull(csr.getPublicKeyAlgorithmNameOrOID());
assertEquals(csr.getPublicKeyAlgorithmNameOrOID(), "EC");
assertNotNull(csr.getPublicKeyAlgorithmParameters());
assertNotNull(csr.getEncodedPublicKey());
assertNotNull(csr.getDecodedPublicKey());
assertTrue(csr.getDecodedPublicKey() instanceof EllipticCurvePublicKey);
assertNotNull(csr.getRequestAttributes());
assertFalse(csr.getRequestAttributes().isEmpty());
assertEquals(csr.getRequestAttributes().size(), 3);
assertNotNull(csr.getExtensions());
assertFalse(csr.getExtensions().isEmpty());
assertEquals(csr.getExtensions().size(), 2);
assertNotNull(csr.getSignatureValue());
assertNotNull(csr.toString());
assertNotNull(csr.toPEM());
assertFalse(csr.toPEM().isEmpty());
assertNotNull(csr.toPEMString());
}
Aggregations