use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testCertificateWithMalformedExtensions.
/**
* Tests a valid X.509 certificate with a bunch of malformed extensions.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testCertificateWithMalformedExtensions() throws Exception {
final long notBefore = System.currentTimeMillis();
final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
X509Certificate c = new X509Certificate(X509CertificateVersion.V1, BigInteger.valueOf(123456789L), new OID("1.2.3.4"), new ASN1Null(), new ASN1BitString(new boolean[1235]), new DN("CN=Issuer,O=Example Corp,C=US"), notBefore, notAfter, new DN("CN=ldap.example.com,O=Example Corp,C=US"), PublicKeyAlgorithmIdentifier.EC.getOID(), new ASN1Null(), new ASN1BitString(new boolean[123]), null, null, null, new X509CertificateExtension(AuthorityKeyIdentifierExtension.AUTHORITY_KEY_IDENTIFIER_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(BasicConstraintsExtension.BASIC_CONSTRAINTS_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(CRLDistributionPointsExtension.CRL_DISTRIBUTION_POINTS_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(ExtendedKeyUsageExtension.EXTENDED_KEY_USAGE_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(IssuerAlternativeNameExtension.ISSUER_ALTERNATIVE_NAME_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(KeyUsageExtension.KEY_USAGE_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(SubjectAlternativeNameExtension.SUBJECT_ALTERNATIVE_NAME_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_OID, true, StaticUtils.NO_BYTES));
assertNotNull(c.getX509CertificateBytes());
c = new X509Certificate(c.encode().encode());
assertNotNull(c.getVersion());
assertEquals(c.getVersion(), X509CertificateVersion.V1);
assertNotNull(c.getSerialNumber());
assertEquals(c.getSerialNumber(), BigInteger.valueOf(123456789L));
assertNotNull(c.getSignatureAlgorithmOID());
assertEquals(c.getSignatureAlgorithmOID(), new OID("1.2.3.4"));
assertNull(c.getSignatureAlgorithmName());
assertNotNull(c.getSignatureAlgorithmNameOrOID());
assertEquals(c.getSignatureAlgorithmNameOrOID(), "1.2.3.4");
assertNotNull(c.getSignatureAlgorithmParameters());
assertNotNull(c.getIssuerDN());
assertEquals(c.getIssuerDN(), new DN("CN=Issuer,O=Example Corp,C=US"));
// NOTE: For some moronic reasons, certificates tend to use UTCTime instead
// of generalized time when encoding notBefore and notAfter values, despite
// the spec allowing either one, and despite UTCTime only supporting a
// two-digit year and no sub-second component. So we can't check for
// exact equivalence of the notBefore and notAfter values. Instead, just
// make sure that the values are within 2000 milliseconds of the expected
// value.
assertTrue(Math.abs(c.getNotBeforeTime() - notBefore) < 2000L);
assertNotNull(c.getNotBeforeDate());
assertEquals(c.getNotBeforeDate(), new Date(c.getNotBeforeTime()));
assertTrue(Math.abs(c.getNotAfterTime() - notAfter) < 2000L);
assertNotNull(c.getNotAfterDate());
assertEquals(c.getNotAfterDate(), new Date(c.getNotAfterTime()));
assertNotNull(c.getSubjectDN());
assertEquals(c.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corp,C=US"));
assertNotNull(c.getPublicKeyAlgorithmOID());
assertEquals(c.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.EC.getOID());
assertNotNull(c.getPublicKeyAlgorithmName());
assertEquals(c.getPublicKeyAlgorithmName(), "EC");
assertNotNull(c.getPublicKeyAlgorithmNameOrOID());
assertEquals(c.getPublicKeyAlgorithmNameOrOID(), "EC");
assertNotNull(c.getPublicKeyAlgorithmParameters());
assertNotNull(c.getEncodedPublicKey());
assertNull(c.getDecodedPublicKey());
assertNull(c.getIssuerUniqueID());
assertNull(c.getSubjectUniqueID());
assertNotNull(c.getExtensions());
assertFalse(c.getExtensions().isEmpty());
assertEquals(c.getExtensions().size(), 8);
assertNotNull(c.getSignatureValue());
assertNotNull(c.toString());
assertNotNull(c.toPEM());
assertFalse(c.toPEM().isEmpty());
assertNotNull(c.toPEMString());
assertNotNull(c.getX509CertificateBytes());
assertNotNull(c.getSHA1Fingerprint());
assertNotNull(c.getSHA256Fingerprint());
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testDecodeSignatureAlgorithmMismatch.
/**
* Tests the behavior when trying to decode a certificate with a mismatch in
* the signature algorithm between the TBSCertificate and Certificate
* sequences.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testDecodeSignatureAlgorithmMismatch() throws Exception {
final long notBefore = System.currentTimeMillis();
final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
final ASN1Sequence valueSequence = new ASN1Sequence(new ASN1Sequence(new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()), new ASN1BigInteger(12435L), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), X509Certificate.encodeName(new DN("CN=issuer")), new ASN1Sequence(new ASN1GeneralizedTime(notBefore), new ASN1GeneralizedTime(notAfter)), X509Certificate.encodeName(new DN("CN=ldap.example.com")), new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024]))), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), new ASN1OctetString());
new X509Certificate(valueSequence.encode());
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testIsSelfSignedWithoutAuthorityKeyIdentifierDifferentDNs.
/**
* Tests the {@code isSelfSigned} method for a certificate that doesn't have
* an authority key identifier and for which the subject DN does not match the
* issuer DN.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testIsSelfSignedWithoutAuthorityKeyIdentifierDifferentDNs() throws Exception {
final X509Certificate c = new X509Certificate(X509CertificateVersion.V3, BigInteger.valueOf(12345L), SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), new ASN1Null(), new ASN1BitString(true, false, true, false, true), new DN("CN=Test,O=Example Corporation,C=US"), System.currentTimeMillis(), System.currentTimeMillis() + (365L * 86_400_000L), new DN("CN=Different Test,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), new ASN1Null(), new ASN1BitString(false, true, false, true, false), null, null, null, new SubjectKeyIdentifierExtension(false, new ASN1OctetString("keyIdentifier")));
assertFalse(c.isSelfSigned());
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testValidCertificateWithECKeyAllOptionalElements.
/**
* Tests a valid X.509 certificate with an elliptic curve public key and all
* optional elements, including all supported types of extensions (and an
* unsupported type of extension).
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testValidCertificateWithECKeyAllOptionalElements() throws Exception {
final long notBefore = System.currentTimeMillis();
final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
final EllipticCurvePublicKey publicKey = new EllipticCurvePublicKey(BigInteger.valueOf(1234567890L), BigInteger.valueOf(9876543210L));
final boolean[] issuerUniqueIDBits = { true, false, true, false, true };
final boolean[] subjectUniqueIDBits = { false, true, false, true, false };
X509Certificate c = new X509Certificate(X509CertificateVersion.V3, BigInteger.valueOf(987654321L), SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID(), new ASN1Null(), new ASN1BitString(new boolean[256]), new DN("CN=Issuer,O=Example Corp,C=US"), notBefore, notAfter, new DN("CN=ldap.example.com,O=Example Corp,C=US"), PublicKeyAlgorithmIdentifier.EC.getOID(), new ASN1ObjectIdentifier(NamedCurve.SECP256R1.getOID()), publicKey.encode(), publicKey, new ASN1BitString(issuerUniqueIDBits), new ASN1BitString(subjectUniqueIDBits), new X509CertificateExtension(new OID("1.2.3.4"), true, "foo".getBytes("UTF-8")), new AuthorityKeyIdentifierExtension(false, new ASN1OctetString("authority-key-identifier"), null, null), new BasicConstraintsExtension(false, false, null), new CRLDistributionPointsExtension(false, Collections.singletonList(new CRLDistributionPoint(new GeneralNamesBuilder().addDNSName("crl.example.com").build(), null, null))), new ExtendedKeyUsageExtension(false, Arrays.asList(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID(), ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID())), new IssuerAlternativeNameExtension(false, new GeneralNamesBuilder().addDNSName("issuer.example.com").build()), new KeyUsageExtension(false, true, true, true, true, true, true, true, true, true), new SubjectAlternativeNameExtension(false, new GeneralNamesBuilder().addDNSName("ldap.example.com").build()), new SubjectKeyIdentifierExtension(false, new ASN1OctetString("subject-key-identifier")));
assertNotNull(c.getX509CertificateBytes());
c = new X509Certificate(c.encode().encode());
assertNotNull(c.getVersion());
assertEquals(c.getVersion(), X509CertificateVersion.V3);
assertNotNull(c.getSerialNumber());
assertEquals(c.getSerialNumber(), BigInteger.valueOf(987654321L));
assertNotNull(c.getSignatureAlgorithmOID());
assertEquals(c.getSignatureAlgorithmOID(), SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID());
assertNotNull(c.getSignatureAlgorithmName());
assertEquals(c.getSignatureAlgorithmName(), "SHA-256 with ECDSA");
assertNotNull(c.getSignatureAlgorithmNameOrOID());
assertEquals(c.getSignatureAlgorithmNameOrOID(), "SHA-256 with ECDSA");
assertNotNull(c.getSignatureAlgorithmParameters());
assertNotNull(c.getIssuerDN());
assertEquals(c.getIssuerDN(), new DN("CN=Issuer,O=Example Corp,C=US"));
// NOTE: For some moronic reasons, certificates tend to use UTCTime instead
// of generalized time when encoding notBefore and notAfter values, despite
// the spec allowing either one, and despite UTCTime only supporting a
// two-digit year and no sub-second component. So we can't check for
// exact equivalence of the notBefore and notAfter values. Instead, just
// make sure that the values are within 2000 milliseconds of the expected
// value.
assertTrue(Math.abs(c.getNotBeforeTime() - notBefore) < 2000L);
assertNotNull(c.getNotBeforeDate());
assertEquals(c.getNotBeforeDate(), new Date(c.getNotBeforeTime()));
assertTrue(Math.abs(c.getNotAfterTime() - notAfter) < 2000L);
assertNotNull(c.getNotAfterDate());
assertEquals(c.getNotAfterDate(), new Date(c.getNotAfterTime()));
assertNotNull(c.getSubjectDN());
assertEquals(c.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corp,C=US"));
assertNotNull(c.getPublicKeyAlgorithmOID());
assertEquals(c.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.EC.getOID());
assertNotNull(c.getPublicKeyAlgorithmName());
assertEquals(c.getPublicKeyAlgorithmName(), "EC");
assertNotNull(c.getPublicKeyAlgorithmNameOrOID());
assertEquals(c.getPublicKeyAlgorithmNameOrOID(), "EC");
assertNotNull(c.getPublicKeyAlgorithmParameters());
assertEquals(c.getPublicKeyAlgorithmParameters().decodeAsObjectIdentifier().getOID(), NamedCurve.SECP256R1.getOID());
assertNotNull(c.getEncodedPublicKey());
assertNotNull(c.getDecodedPublicKey());
assertTrue(c.getDecodedPublicKey() instanceof EllipticCurvePublicKey);
assertNotNull(c.getIssuerUniqueID());
assertTrue(Arrays.equals(c.getIssuerUniqueID().getBits(), issuerUniqueIDBits));
assertNotNull(c.getSubjectUniqueID());
assertTrue(Arrays.equals(c.getSubjectUniqueID().getBits(), subjectUniqueIDBits));
final List<X509CertificateExtension> extensions = c.getExtensions();
assertNotNull(extensions);
assertFalse(extensions.isEmpty());
assertEquals(extensions.size(), 9);
assertEquals(extensions.get(0).getOID(), new OID("1.2.3.4"));
assertTrue(extensions.get(1) instanceof AuthorityKeyIdentifierExtension);
assertTrue(extensions.get(2) instanceof BasicConstraintsExtension);
assertTrue(extensions.get(3) instanceof CRLDistributionPointsExtension);
assertTrue(extensions.get(4) instanceof ExtendedKeyUsageExtension);
assertTrue(extensions.get(5) instanceof IssuerAlternativeNameExtension);
assertTrue(extensions.get(6) instanceof KeyUsageExtension);
assertTrue(extensions.get(7) instanceof SubjectAlternativeNameExtension);
assertTrue(extensions.get(8) instanceof SubjectKeyIdentifierExtension);
assertNotNull(c.getSignatureValue());
assertNotNull(c.toString());
assertNotNull(c.toPEM());
assertFalse(c.toPEM().isEmpty());
assertNotNull(c.toPEMString());
assertNotNull(c.getX509CertificateBytes());
assertNotNull(c.getSHA1Fingerprint());
assertNotNull(c.getSHA256Fingerprint());
assertNotNull(c.toCertificate());
}
use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testIsSelfSignedWithoutAuthorityKeyIdentifierSameDN.
/**
* Tests the {@code isSelfSigned} method for a certificate that doesn't have
* an authority key identifier and for which the subject DN matches the
* issuer DN.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testIsSelfSignedWithoutAuthorityKeyIdentifierSameDN() throws Exception {
final X509Certificate c = new X509Certificate(X509CertificateVersion.V3, BigInteger.valueOf(12345L), SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), new ASN1Null(), new ASN1BitString(true, false, true, false, true), new DN("CN=Test,O=Example Corporation,C=US"), System.currentTimeMillis(), System.currentTimeMillis() + (365L * 86_400_000L), new DN("CN=Test,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), new ASN1Null(), new ASN1BitString(false, true, false, true, false), null, null, null, new SubjectKeyIdentifierExtension(false, new ASN1OctetString("keyIdentifier")));
assertTrue(c.isSelfSigned());
}
Aggregations