Search in sources :

Example 31 with ASN1BitString

use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class X509CertificateTestCase method testCertificateWithMalformedExtensions.

/**
 * Tests a valid X.509 certificate with a bunch of malformed extensions.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testCertificateWithMalformedExtensions() throws Exception {
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
    X509Certificate c = new X509Certificate(X509CertificateVersion.V1, BigInteger.valueOf(123456789L), new OID("1.2.3.4"), new ASN1Null(), new ASN1BitString(new boolean[1235]), new DN("CN=Issuer,O=Example Corp,C=US"), notBefore, notAfter, new DN("CN=ldap.example.com,O=Example Corp,C=US"), PublicKeyAlgorithmIdentifier.EC.getOID(), new ASN1Null(), new ASN1BitString(new boolean[123]), null, null, null, new X509CertificateExtension(AuthorityKeyIdentifierExtension.AUTHORITY_KEY_IDENTIFIER_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(BasicConstraintsExtension.BASIC_CONSTRAINTS_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(CRLDistributionPointsExtension.CRL_DISTRIBUTION_POINTS_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(ExtendedKeyUsageExtension.EXTENDED_KEY_USAGE_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(IssuerAlternativeNameExtension.ISSUER_ALTERNATIVE_NAME_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(KeyUsageExtension.KEY_USAGE_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(SubjectAlternativeNameExtension.SUBJECT_ALTERNATIVE_NAME_OID, true, StaticUtils.NO_BYTES), new X509CertificateExtension(SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_OID, true, StaticUtils.NO_BYTES));
    assertNotNull(c.getX509CertificateBytes());
    c = new X509Certificate(c.encode().encode());
    assertNotNull(c.getVersion());
    assertEquals(c.getVersion(), X509CertificateVersion.V1);
    assertNotNull(c.getSerialNumber());
    assertEquals(c.getSerialNumber(), BigInteger.valueOf(123456789L));
    assertNotNull(c.getSignatureAlgorithmOID());
    assertEquals(c.getSignatureAlgorithmOID(), new OID("1.2.3.4"));
    assertNull(c.getSignatureAlgorithmName());
    assertNotNull(c.getSignatureAlgorithmNameOrOID());
    assertEquals(c.getSignatureAlgorithmNameOrOID(), "1.2.3.4");
    assertNotNull(c.getSignatureAlgorithmParameters());
    assertNotNull(c.getIssuerDN());
    assertEquals(c.getIssuerDN(), new DN("CN=Issuer,O=Example Corp,C=US"));
    // NOTE:  For some moronic reasons, certificates tend to use UTCTime instead
    // of generalized time when encoding notBefore and notAfter values, despite
    // the spec allowing either one, and despite UTCTime only supporting a
    // two-digit year and no sub-second component.  So we can't check for
    // exact equivalence  of the notBefore and notAfter values.  Instead, just
    // make sure that the values are within 2000 milliseconds of the expected
    // value.
    assertTrue(Math.abs(c.getNotBeforeTime() - notBefore) < 2000L);
    assertNotNull(c.getNotBeforeDate());
    assertEquals(c.getNotBeforeDate(), new Date(c.getNotBeforeTime()));
    assertTrue(Math.abs(c.getNotAfterTime() - notAfter) < 2000L);
    assertNotNull(c.getNotAfterDate());
    assertEquals(c.getNotAfterDate(), new Date(c.getNotAfterTime()));
    assertNotNull(c.getSubjectDN());
    assertEquals(c.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corp,C=US"));
    assertNotNull(c.getPublicKeyAlgorithmOID());
    assertEquals(c.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.EC.getOID());
    assertNotNull(c.getPublicKeyAlgorithmName());
    assertEquals(c.getPublicKeyAlgorithmName(), "EC");
    assertNotNull(c.getPublicKeyAlgorithmNameOrOID());
    assertEquals(c.getPublicKeyAlgorithmNameOrOID(), "EC");
    assertNotNull(c.getPublicKeyAlgorithmParameters());
    assertNotNull(c.getEncodedPublicKey());
    assertNull(c.getDecodedPublicKey());
    assertNull(c.getIssuerUniqueID());
    assertNull(c.getSubjectUniqueID());
    assertNotNull(c.getExtensions());
    assertFalse(c.getExtensions().isEmpty());
    assertEquals(c.getExtensions().size(), 8);
    assertNotNull(c.getSignatureValue());
    assertNotNull(c.toString());
    assertNotNull(c.toPEM());
    assertFalse(c.toPEM().isEmpty());
    assertNotNull(c.toPEMString());
    assertNotNull(c.getX509CertificateBytes());
    assertNotNull(c.getSHA1Fingerprint());
    assertNotNull(c.getSHA256Fingerprint());
}
Also used : DN(com.unboundid.ldap.sdk.DN) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) Date(java.util.Date) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 32 with ASN1BitString

use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class X509CertificateTestCase method testDecodeSignatureAlgorithmMismatch.

/**
 * Tests the behavior when trying to decode a certificate with a mismatch in
 * the signature algorithm between the TBSCertificate and Certificate
 * sequences.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeSignatureAlgorithmMismatch() throws Exception {
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
    final ASN1Sequence valueSequence = new ASN1Sequence(new ASN1Sequence(new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()), new ASN1BigInteger(12435L), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), X509Certificate.encodeName(new DN("CN=issuer")), new ASN1Sequence(new ASN1GeneralizedTime(notBefore), new ASN1GeneralizedTime(notAfter)), X509Certificate.encodeName(new DN("CN=ldap.example.com")), new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024]))), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), new ASN1OctetString());
    new X509Certificate(valueSequence.encode());
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) ASN1BigInteger(com.unboundid.asn1.ASN1BigInteger) DN(com.unboundid.ldap.sdk.DN) ASN1GeneralizedTime(com.unboundid.asn1.ASN1GeneralizedTime) ASN1Integer(com.unboundid.asn1.ASN1Integer) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 33 with ASN1BitString

use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class X509CertificateTestCase method testIsSelfSignedWithoutAuthorityKeyIdentifierDifferentDNs.

/**
 * Tests the {@code isSelfSigned} method for a certificate that doesn't have
 * an authority key identifier and for which the subject DN does not match the
 * issuer DN.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testIsSelfSignedWithoutAuthorityKeyIdentifierDifferentDNs() throws Exception {
    final X509Certificate c = new X509Certificate(X509CertificateVersion.V3, BigInteger.valueOf(12345L), SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), new ASN1Null(), new ASN1BitString(true, false, true, false, true), new DN("CN=Test,O=Example Corporation,C=US"), System.currentTimeMillis(), System.currentTimeMillis() + (365L * 86_400_000L), new DN("CN=Different Test,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), new ASN1Null(), new ASN1BitString(false, true, false, true, false), null, null, null, new SubjectKeyIdentifierExtension(false, new ASN1OctetString("keyIdentifier")));
    assertFalse(c.isSelfSigned());
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) DN(com.unboundid.ldap.sdk.DN) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 34 with ASN1BitString

use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class X509CertificateTestCase method testValidCertificateWithECKeyAllOptionalElements.

/**
 * Tests a valid X.509 certificate with an elliptic curve public key and all
 * optional elements, including all supported types of extensions (and an
 * unsupported type of extension).
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testValidCertificateWithECKeyAllOptionalElements() throws Exception {
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
    final EllipticCurvePublicKey publicKey = new EllipticCurvePublicKey(BigInteger.valueOf(1234567890L), BigInteger.valueOf(9876543210L));
    final boolean[] issuerUniqueIDBits = { true, false, true, false, true };
    final boolean[] subjectUniqueIDBits = { false, true, false, true, false };
    X509Certificate c = new X509Certificate(X509CertificateVersion.V3, BigInteger.valueOf(987654321L), SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID(), new ASN1Null(), new ASN1BitString(new boolean[256]), new DN("CN=Issuer,O=Example Corp,C=US"), notBefore, notAfter, new DN("CN=ldap.example.com,O=Example Corp,C=US"), PublicKeyAlgorithmIdentifier.EC.getOID(), new ASN1ObjectIdentifier(NamedCurve.SECP256R1.getOID()), publicKey.encode(), publicKey, new ASN1BitString(issuerUniqueIDBits), new ASN1BitString(subjectUniqueIDBits), new X509CertificateExtension(new OID("1.2.3.4"), true, "foo".getBytes("UTF-8")), new AuthorityKeyIdentifierExtension(false, new ASN1OctetString("authority-key-identifier"), null, null), new BasicConstraintsExtension(false, false, null), new CRLDistributionPointsExtension(false, Collections.singletonList(new CRLDistributionPoint(new GeneralNamesBuilder().addDNSName("crl.example.com").build(), null, null))), new ExtendedKeyUsageExtension(false, Arrays.asList(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID(), ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID())), new IssuerAlternativeNameExtension(false, new GeneralNamesBuilder().addDNSName("issuer.example.com").build()), new KeyUsageExtension(false, true, true, true, true, true, true, true, true, true), new SubjectAlternativeNameExtension(false, new GeneralNamesBuilder().addDNSName("ldap.example.com").build()), new SubjectKeyIdentifierExtension(false, new ASN1OctetString("subject-key-identifier")));
    assertNotNull(c.getX509CertificateBytes());
    c = new X509Certificate(c.encode().encode());
    assertNotNull(c.getVersion());
    assertEquals(c.getVersion(), X509CertificateVersion.V3);
    assertNotNull(c.getSerialNumber());
    assertEquals(c.getSerialNumber(), BigInteger.valueOf(987654321L));
    assertNotNull(c.getSignatureAlgorithmOID());
    assertEquals(c.getSignatureAlgorithmOID(), SignatureAlgorithmIdentifier.SHA_256_WITH_ECDSA.getOID());
    assertNotNull(c.getSignatureAlgorithmName());
    assertEquals(c.getSignatureAlgorithmName(), "SHA-256 with ECDSA");
    assertNotNull(c.getSignatureAlgorithmNameOrOID());
    assertEquals(c.getSignatureAlgorithmNameOrOID(), "SHA-256 with ECDSA");
    assertNotNull(c.getSignatureAlgorithmParameters());
    assertNotNull(c.getIssuerDN());
    assertEquals(c.getIssuerDN(), new DN("CN=Issuer,O=Example Corp,C=US"));
    // NOTE:  For some moronic reasons, certificates tend to use UTCTime instead
    // of generalized time when encoding notBefore and notAfter values, despite
    // the spec allowing either one, and despite UTCTime only supporting a
    // two-digit year and no sub-second component.  So we can't check for
    // exact equivalence  of the notBefore and notAfter values.  Instead, just
    // make sure that the values are within 2000 milliseconds of the expected
    // value.
    assertTrue(Math.abs(c.getNotBeforeTime() - notBefore) < 2000L);
    assertNotNull(c.getNotBeforeDate());
    assertEquals(c.getNotBeforeDate(), new Date(c.getNotBeforeTime()));
    assertTrue(Math.abs(c.getNotAfterTime() - notAfter) < 2000L);
    assertNotNull(c.getNotAfterDate());
    assertEquals(c.getNotAfterDate(), new Date(c.getNotAfterTime()));
    assertNotNull(c.getSubjectDN());
    assertEquals(c.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corp,C=US"));
    assertNotNull(c.getPublicKeyAlgorithmOID());
    assertEquals(c.getPublicKeyAlgorithmOID(), PublicKeyAlgorithmIdentifier.EC.getOID());
    assertNotNull(c.getPublicKeyAlgorithmName());
    assertEquals(c.getPublicKeyAlgorithmName(), "EC");
    assertNotNull(c.getPublicKeyAlgorithmNameOrOID());
    assertEquals(c.getPublicKeyAlgorithmNameOrOID(), "EC");
    assertNotNull(c.getPublicKeyAlgorithmParameters());
    assertEquals(c.getPublicKeyAlgorithmParameters().decodeAsObjectIdentifier().getOID(), NamedCurve.SECP256R1.getOID());
    assertNotNull(c.getEncodedPublicKey());
    assertNotNull(c.getDecodedPublicKey());
    assertTrue(c.getDecodedPublicKey() instanceof EllipticCurvePublicKey);
    assertNotNull(c.getIssuerUniqueID());
    assertTrue(Arrays.equals(c.getIssuerUniqueID().getBits(), issuerUniqueIDBits));
    assertNotNull(c.getSubjectUniqueID());
    assertTrue(Arrays.equals(c.getSubjectUniqueID().getBits(), subjectUniqueIDBits));
    final List<X509CertificateExtension> extensions = c.getExtensions();
    assertNotNull(extensions);
    assertFalse(extensions.isEmpty());
    assertEquals(extensions.size(), 9);
    assertEquals(extensions.get(0).getOID(), new OID("1.2.3.4"));
    assertTrue(extensions.get(1) instanceof AuthorityKeyIdentifierExtension);
    assertTrue(extensions.get(2) instanceof BasicConstraintsExtension);
    assertTrue(extensions.get(3) instanceof CRLDistributionPointsExtension);
    assertTrue(extensions.get(4) instanceof ExtendedKeyUsageExtension);
    assertTrue(extensions.get(5) instanceof IssuerAlternativeNameExtension);
    assertTrue(extensions.get(6) instanceof KeyUsageExtension);
    assertTrue(extensions.get(7) instanceof SubjectAlternativeNameExtension);
    assertTrue(extensions.get(8) instanceof SubjectKeyIdentifierExtension);
    assertNotNull(c.getSignatureValue());
    assertNotNull(c.toString());
    assertNotNull(c.toPEM());
    assertFalse(c.toPEM().isEmpty());
    assertNotNull(c.toPEMString());
    assertNotNull(c.getX509CertificateBytes());
    assertNotNull(c.getSHA1Fingerprint());
    assertNotNull(c.getSHA256Fingerprint());
    assertNotNull(c.toCertificate());
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) DN(com.unboundid.ldap.sdk.DN) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) Date(java.util.Date) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 35 with ASN1BitString

use of com.unboundid.asn1.ASN1BitString in project ldapsdk by pingidentity.

the class X509CertificateTestCase method testIsSelfSignedWithoutAuthorityKeyIdentifierSameDN.

/**
 * Tests the {@code isSelfSigned} method for a certificate that doesn't have
 * an authority key identifier and for which the subject DN matches the
 * issuer DN.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testIsSelfSignedWithoutAuthorityKeyIdentifierSameDN() throws Exception {
    final X509Certificate c = new X509Certificate(X509CertificateVersion.V3, BigInteger.valueOf(12345L), SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), new ASN1Null(), new ASN1BitString(true, false, true, false, true), new DN("CN=Test,O=Example Corporation,C=US"), System.currentTimeMillis(), System.currentTimeMillis() + (365L * 86_400_000L), new DN("CN=Test,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), new ASN1Null(), new ASN1BitString(false, true, false, true, false), null, null, null, new SubjectKeyIdentifierExtension(false, new ASN1OctetString("keyIdentifier")));
    assertTrue(c.isSelfSigned());
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) DN(com.unboundid.ldap.sdk.DN) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Aggregations

ASN1BitString (com.unboundid.asn1.ASN1BitString)72 Test (org.testng.annotations.Test)62 DN (com.unboundid.ldap.sdk.DN)49 ASN1Null (com.unboundid.asn1.ASN1Null)36 OID (com.unboundid.util.OID)33 ASN1ObjectIdentifier (com.unboundid.asn1.ASN1ObjectIdentifier)26 ASN1OctetString (com.unboundid.asn1.ASN1OctetString)25 ASN1Sequence (com.unboundid.asn1.ASN1Sequence)24 ASN1Element (com.unboundid.asn1.ASN1Element)23 ASN1BigInteger (com.unboundid.asn1.ASN1BigInteger)22 ASN1Integer (com.unboundid.asn1.ASN1Integer)20 IOException (java.io.IOException)16 ASN1BitString (com.github.zhenwei.core.asn1.ASN1BitString)14 ASN1BitString (org.bouncycastle.asn1.ASN1BitString)11 BigInteger (java.math.BigInteger)10 ArrayList (java.util.ArrayList)10 ASN1GeneralizedTime (com.unboundid.asn1.ASN1GeneralizedTime)9 NotNull (com.unboundid.util.NotNull)9 Date (java.util.Date)8 KeyPair (java.security.KeyPair)7