
/**
 * Provides test coverage for the generate-self-signed-certificate subcommand.
 * <p>
 * The scenarios exercised, in order, are: a new certificate and then a
 * replacement in a JKS keystore; the same pair in a PKCS #12 keystore; a
 * certificate with the full set of extension arguments; a replacement that
 * inherits those extensions; a replacement that inherits extensions but also
 * overrides some of them on the command line; an elliptic-curve key and its
 * replacement; and finally a series of invalid invocations that are each
 * expected to fail with {@code ResultCode.PARAM_ERROR}.
 * <p>
 * The keystore password is passed on the command line as
 * {@code --keystore-password} purely for test convenience.  The tool also
 * accepts {@code --keystore-password-file} (exercised below), which is the
 * form to prefer outside of tests so the password does not appear in process
 * listings or shell history.
 * <p>
 * Note that the steps share the same keystore file and depend on the state
 * left behind by the previous step, so they cannot be reordered freely.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testGenerateSelfSignedCertificate() throws Exception {
    // Tests with a minimal set of arguments for a new certificate using a
    // JKS keystore that doesn't already exist.
    // The temp file is created and immediately deleted so that the tool, not
    // the test, is responsible for creating the keystore file.
    File ksFile = createTempFile();
    assertTrue(ksFile.exists());
    assertTrue(ksFile.delete());
    assertFalse(ksFile.exists());
    final File pemFile = createTempFile();
    assertTrue(pemFile.delete());
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--output-file", pemFile.getAbsolutePath(), "--output-format", "PEM");
    assertTrue(ksFile.exists());
    // No --keystore-type was given, so the default is expected to be JKS.
    KeyStore keystore = getKeystore(ksFile.getAbsolutePath(), "JKS");
    // The three getAliases calls presumably select (key entries, certificate
    // entries); the alias must show up as a key entry only, never as a
    // trusted-certificate entry.
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    X509Certificate[] chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    // A self-signed certificate has no issuer above it, so the chain is just
    // the certificate itself.
    assertEquals(chain.length, 1);
    // Compared as DN objects rather than strings, so only the semantic value
    // of the subject matters, not its formatting.
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    // NOTE(review): neither the issuer DN nor the self-signature is asserted
    // here; for a self-signed certificate the issuer should equal the subject
    // and the signature should verify with its own public key.  Worth adding
    // if the SDK's X509Certificate exposes such checks -- confirm the API.
    assertTrue(pemFile.exists());
    assertTrue(pemFile.length() > 0);
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Tests with a minimal set of arguments for a replacement certificate in a
    // JKS keystore.
    // With --replace-existing-certificate no --subject-dn is supplied; the
    // subject is expected to be carried over from the certificate being
    // replaced (asserted below).
    final File derFile = createTempFile();
    assertTrue(derFile.delete());
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--output-file", derFile.getAbsolutePath(), "--output-format", "DER");
    keystore = getKeystore(ksFile.getAbsolutePath(), "JKS");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertTrue(derFile.exists());
    assertTrue(derFile.length() > 0);
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Tests with a minimal set of arguments for a new certificate using a
    // PKCS #12 keystore that doesn't already exist.
    assertTrue(ksFile.exists());
    assertTrue(ksFile.delete());
    assertFalse(ksFile.exists());
    assertTrue(derFile.delete());
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--keystore-type", "PKCS12", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--output-file", derFile.getAbsolutePath(), "--output-format", "DER");
    assertTrue(ksFile.exists());
    keystore = getKeystore(ksFile.getAbsolutePath(), "PKCS12");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertTrue(derFile.exists());
    assertTrue(derFile.length() > 0);
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Tests with a minimal set of arguments for a replacement certificate in a
    // PKCS #12 keystore.
    // No --keystore-type here: the tool must work out that the existing file
    // is PKCS #12 on its own (the keystore is re-read as PKCS12 below).
    assertTrue(pemFile.delete());
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--output-file", pemFile.getAbsolutePath(), "--output-format", "PEM");
    keystore = getKeystore(ksFile.getAbsolutePath(), "PKCS12");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertTrue(pemFile.exists());
    assertTrue(pemFile.length() > 0);
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Tests with a full set of arguments for a new certificate using a
    // keystore that doesn't already exist.
    // This deliberately turns on every key usage and extended key usage the
    // tool knows about, marks the certificate as a CA with a path length of
    // 5, and adds a private extension whose value is given in hex
    // ("1234567890" -> bytes 12 34 56 78 90).  It is an exercise of the
    // argument parser, not a certificate profile anyone should copy: a single
    // certificate acting as CA, TLS server, code signer and OCSP signer at
    // once is not a sensible real-world configuration.
    assertTrue(ksFile.exists());
    assertTrue(ksFile.delete());
    assertFalse(ksFile.exists());
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--keystore-type", "JKS", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--days-valid", "7300", "--validity-start-time", "20170101000000", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-email-address", "test@example.com", "--subject-alternative-name-uri", "https://www.example.com/", "--subject-alternative-name-oid", "1.2.3.4", "--basic-constraints-is-ca", "true", "--basic-constraints-maximum-path-length", "5", "--key-usage", "digital-signature", "--key-usage", "non-repudiation", "--key-usage", "key-encipherment", "--key-usage", "data-encipherment", "--key-usage", "key-agreement", "--key-usage", "key-cert-sign", "--key-usage", "crl-sign", "--key-usage", "encipher-only", "--key-usage", "decipher-only", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--extended-key-usage", "code-signing", "--extended-key-usage", "email-protection", "--extended-key-usage", "time-stamping", "--extended-key-usage", "ocsp-signing", "--extended-key-usage", "1.2.3.5", "--extension", "1.2.3.6:false:1234567890", "--display-keytool-command");
    assertTrue(ksFile.exists());
    keystore = getKeystore(ksFile.getAbsolutePath(), "JKS");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    // NOTE(review): the key size and signature algorithm requested above are
    // not asserted on the resulting certificate, only the extensions are.
    // Walk the extensions once, recording which ones were seen so that a
    // missing extension is reported rather than silently skipped.
    boolean hasBasicConstraintsExtension = false;
    boolean hasExtendedKeyUsageConstraintsExtension = false;
    boolean hasGenericExtension = false;
    boolean hasKeyUsageExtension = false;
    boolean hasSubjectAlternativeNameExtension = false;
    boolean hasSubjectKeyIdentifierExtension = false;
    for (final X509CertificateExtension extension : chain[0].getExtensions()) {
        if (extension instanceof BasicConstraintsExtension) {
            hasBasicConstraintsExtension = true;
            final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
            assertTrue(e.isCA());
            assertNotNull(e.getPathLengthConstraint());
            assertEquals(e.getPathLengthConstraint().intValue(), 5);
        } else if (extension instanceof ExtendedKeyUsageExtension) {
            hasExtendedKeyUsageConstraintsExtension = true;
            final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
            // A non-standard key purpose given as a raw OID must be preserved too.
            assertTrue(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
        } else if (extension instanceof KeyUsageExtension) {
            hasKeyUsageExtension = true;
            final KeyUsageExtension e = (KeyUsageExtension) extension;
            assertTrue(e.isDigitalSignatureBitSet());
            assertTrue(e.isNonRepudiationBitSet());
            assertTrue(e.isKeyEnciphermentBitSet());
            assertTrue(e.isDataEnciphermentBitSet());
            assertTrue(e.isKeyAgreementBitSet());
            assertTrue(e.isKeyCertSignBitSet());
            assertTrue(e.isCRLSignBitSet());
            assertTrue(e.isEncipherOnlyBitSet());
            assertTrue(e.isDecipherOnlyBitSet());
        } else if (extension instanceof SubjectAlternativeNameExtension) {
            hasSubjectAlternativeNameExtension = true;
            final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
            assertEquals(e.getDNSNames(), Collections.singletonList("ldap.example.com"));
            assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("127.0.0.1")));
            assertEquals(e.getRFC822Names(), Collections.singletonList("test@example.com"));
            assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www.example.com/"));
            assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.4")));
        } else if (extension instanceof SubjectKeyIdentifierExtension) {
            // Added by the tool without being requested; only its presence is
            // checked here.
            hasSubjectKeyIdentifierExtension = true;
        } else if (extension.getOID().equals(new OID("1.2.3.6"))) {
            hasGenericExtension = true;
            assertFalse(extension.isCritical());
            assertNotNull(extension.getValue());
            // Confirms the "1234567890" argument was decoded as hex, not ASCII.
            assertEquals(extension.getValue(), StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
        }
    }
    assertTrue(hasBasicConstraintsExtension);
    assertTrue(hasExtendedKeyUsageConstraintsExtension);
    assertTrue(hasGenericExtension);
    assertTrue(hasKeyUsageExtension);
    assertTrue(hasSubjectAlternativeNameExtension);
    assertTrue(hasSubjectKeyIdentifierExtension);
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Tests with a full set of arguments intended to replace the existing
    // certificate, except that we'll inherit the existing extensions rather
    // than explicitly specifying them.
    // Every assertion that follows is the same as for the certificate above,
    // which is the point: --inherit-extensions must reproduce them all,
    // including the private 1.2.3.6 extension.
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--keystore-type", "JKS", "--alias", "server-cert", "--replace-existing-certificate", "--days-valid", "7300", "--validity-start-time", "20170101000000", "--inherit-extensions", "--display-keytool-command");
    assertTrue(ksFile.exists());
    keystore = getKeystore(ksFile.getAbsolutePath(), "JKS");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    hasBasicConstraintsExtension = false;
    hasExtendedKeyUsageConstraintsExtension = false;
    hasGenericExtension = false;
    hasKeyUsageExtension = false;
    hasSubjectAlternativeNameExtension = false;
    hasSubjectKeyIdentifierExtension = false;
    for (final X509CertificateExtension extension : chain[0].getExtensions()) {
        if (extension instanceof BasicConstraintsExtension) {
            hasBasicConstraintsExtension = true;
            final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
            assertTrue(e.isCA());
            assertNotNull(e.getPathLengthConstraint());
            assertEquals(e.getPathLengthConstraint().intValue(), 5);
        } else if (extension instanceof ExtendedKeyUsageExtension) {
            hasExtendedKeyUsageConstraintsExtension = true;
            final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
        } else if (extension instanceof KeyUsageExtension) {
            hasKeyUsageExtension = true;
            final KeyUsageExtension e = (KeyUsageExtension) extension;
            assertTrue(e.isDigitalSignatureBitSet());
            assertTrue(e.isNonRepudiationBitSet());
            assertTrue(e.isKeyEnciphermentBitSet());
            assertTrue(e.isDataEnciphermentBitSet());
            assertTrue(e.isKeyAgreementBitSet());
            assertTrue(e.isKeyCertSignBitSet());
            assertTrue(e.isCRLSignBitSet());
            assertTrue(e.isEncipherOnlyBitSet());
            assertTrue(e.isDecipherOnlyBitSet());
        } else if (extension instanceof SubjectAlternativeNameExtension) {
            hasSubjectAlternativeNameExtension = true;
            final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
            assertEquals(e.getDNSNames(), Collections.singletonList("ldap.example.com"));
            assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("127.0.0.1")));
            assertEquals(e.getRFC822Names(), Collections.singletonList("test@example.com"));
            assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www.example.com/"));
            assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.4")));
        } else if (extension instanceof SubjectKeyIdentifierExtension) {
            hasSubjectKeyIdentifierExtension = true;
        } else if (extension.getOID().equals(new OID("1.2.3.6"))) {
            hasGenericExtension = true;
            assertFalse(extension.isCritical());
            assertNotNull(extension.getValue());
            assertEquals(extension.getValue(), StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
        }
    }
    assertTrue(hasBasicConstraintsExtension);
    assertTrue(hasExtendedKeyUsageConstraintsExtension);
    assertTrue(hasGenericExtension);
    assertTrue(hasKeyUsageExtension);
    assertTrue(hasSubjectAlternativeNameExtension);
    assertTrue(hasSubjectKeyIdentifierExtension);
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Test the behavior when trying to replace an existing certificate while
    // trying to inherit extensions but also specifying extensions on the
    // command line.
    // Expected precedence, as pinned by the assertions below: an extension
    // given explicitly replaces the inherited one of the same type wholesale
    // (the SAN, key usage and EKU are not merged with the old values, and
    // basic constraints flips to CA=false with no path length), while an
    // inherited extension with no explicit counterpart (1.2.3.6) is kept and
    // the newly supplied 1.2.3.7 is added next to it.
    // NOTE(review): 1.2.3.7 is marked critical.  A validator that does not
    // recognise a critical extension must reject the certificate (RFC 5280
    // section 4.2), so this is fine as a parser test but not something to
    // do on a certificate meant for real clients.
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--keystore-type", "JKS", "--alias", "server-cert", "--replace-existing-certificate", "--days-valid", "7300", "--validity-start-time", "20170101000000", "--inherit-extensions", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-ip-address", "::1", "--subject-alternative-name-email-address", "other@example.com", "--subject-alternative-name-uri", "https://www2.example.com/", "--subject-alternative-name-oid", "1.2.3.5", "--basic-constraints-is-ca", "false", "--key-usage", "digital-signature", "--extended-key-usage", "server-auth", "--extension", "1.2.3.7:true:0987654321", "--display-keytool-command");
    assertTrue(ksFile.exists());
    keystore = getKeystore(ksFile.getAbsolutePath(), "JKS");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    hasBasicConstraintsExtension = false;
    hasExtendedKeyUsageConstraintsExtension = false;
    hasKeyUsageExtension = false;
    hasSubjectAlternativeNameExtension = false;
    hasSubjectKeyIdentifierExtension = false;
    boolean hasOriginalGenericExtension = false;
    boolean hasNewGenericExtension = false;
    for (final X509CertificateExtension extension : chain[0].getExtensions()) {
        if (extension instanceof BasicConstraintsExtension) {
            hasBasicConstraintsExtension = true;
            final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
            // Explicit CA=false wins over the inherited CA=true, and the old
            // path length constraint must not survive the change.
            assertFalse(e.isCA());
            assertNull(e.getPathLengthConstraint());
        } else if (extension instanceof ExtendedKeyUsageExtension) {
            hasExtendedKeyUsageConstraintsExtension = true;
            final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
            // Only the explicitly requested purpose remains; the inherited
            // purposes are replaced, not merged.
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
            assertFalse(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
            assertFalse(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
            assertFalse(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
            assertFalse(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
            assertFalse(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
            assertFalse(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
        } else if (extension instanceof KeyUsageExtension) {
            hasKeyUsageExtension = true;
            final KeyUsageExtension e = (KeyUsageExtension) extension;
            // Same for key usage: exactly the one requested bit is set.
            assertTrue(e.isDigitalSignatureBitSet());
            assertFalse(e.isNonRepudiationBitSet());
            assertFalse(e.isKeyEnciphermentBitSet());
            assertFalse(e.isDataEnciphermentBitSet());
            assertFalse(e.isKeyAgreementBitSet());
            assertFalse(e.isKeyCertSignBitSet());
            assertFalse(e.isCRLSignBitSet());
            assertFalse(e.isEncipherOnlyBitSet());
            assertFalse(e.isDecipherOnlyBitSet());
        } else if (extension instanceof SubjectAlternativeNameExtension) {
            hasSubjectAlternativeNameExtension = true;
            final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
            // singletonList in each assertion proves the inherited SAN values
            // (ldap.example.com, 127.0.0.1, ...) were dropped rather than merged.
            assertEquals(e.getDNSNames(), Collections.singletonList("ds.example.com"));
            assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("::1")));
            assertEquals(e.getRFC822Names(), Collections.singletonList("other@example.com"));
            assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www2.example.com/"));
            assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.5")));
        } else if (extension instanceof SubjectKeyIdentifierExtension) {
            hasSubjectKeyIdentifierExtension = true;
        } else if (extension.getOID().equals(new OID("1.2.3.6"))) {
            // Inherited private extension, untouched by the explicit arguments.
            hasOriginalGenericExtension = true;
            assertFalse(extension.isCritical());
            assertNotNull(extension.getValue());
            assertEquals(extension.getValue(), StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
        } else if (extension.getOID().equals(new OID("1.2.3.7"))) {
            // Newly supplied private extension, with the requested criticality
            // and hex-decoded value.
            hasNewGenericExtension = true;
            assertTrue(extension.isCritical());
            assertNotNull(extension.getValue());
            assertEquals(extension.getValue(), StaticUtils.byteArray(0x09, 0x87, 0x65, 0x43, 0x21));
        }
    }
    assertTrue(hasBasicConstraintsExtension);
    assertTrue(hasExtendedKeyUsageConstraintsExtension);
    assertTrue(hasKeyUsageExtension);
    assertTrue(hasNewGenericExtension);
    assertTrue(hasOriginalGenericExtension);
    assertTrue(hasSubjectAlternativeNameExtension);
    assertTrue(hasSubjectKeyIdentifierExtension);
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Make sure that we can generate a certificate that uses an elliptic
    // curve key.
    // For a non-RSA key both --key-size-bits and --signature-algorithm are
    // mandatory (the error cases further down confirm that omitting either
    // is rejected).
    assertTrue(ksFile.exists());
    assertTrue(ksFile.delete());
    assertFalse(ksFile.exists());
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "EC", "--key-size-bits", "256", "--signature-algorithm", "SHA256withECDSA");
    assertTrue(ksFile.exists());
    keystore = getKeystore(ksFile.getAbsolutePath(), "JKS");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertEquals(chain[0].getPublicKeyAlgorithmName(), "EC");
    assertEquals(chain[0].getSignatureAlgorithmName(), "SHA-256 with ECDSA");
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Make sure that we can generate a replacement for a certificate with an
    // elliptic curve key.
    // No key or signature arguments are given, so the replacement is expected
    // to keep the EC key type and ECDSA signature algorithm of the original.
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate");
    keystore = getKeystore(ksFile.getAbsolutePath(), "JKS");
    assertEquals(getAliases(keystore, true, true), setOf("server-cert"));
    assertEquals(getAliases(keystore, true, false), setOf("server-cert"));
    assertEquals(getAliases(keystore, false, true), Collections.emptySet());
    chain = getCertificateChain(keystore, "server-cert");
    assertNotNull(chain);
    assertEquals(chain.length, 1);
    assertEquals(chain[0].getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertEquals(chain[0].getPublicKeyAlgorithmName(), "EC");
    assertEquals(chain[0].getSignatureAlgorithmName(), "SHA-256 with ECDSA");
    manageCertificates("list-certificates", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--verbose");
    // Everything from here on is a negative test: the first argument is the
    // expected result code, and a null output stream means the tool's output
    // is not inspected.
    // Test the behavior when trying to replace a certificate with an alias
    // that doesn't exist.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "nonexistent", "--replace-existing-certificate");
    // Test the behavior when trying to replace a certificate with an alias
    // that doesn't have a private key.
    // A trust store holds trusted-certificate entries only, so there is no
    // private key to re-sign with.
    ksFile = copyFile(serverTrustStorePath);
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", serverCertificateAlias, "--replace-existing-certificate");
    // Test the behavior when trying to replace a certificate in a keystore that
    // doesn't exist.
    assertTrue(ksFile.delete());
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", serverCertificateAlias, "--replace-existing-certificate");
    // Test the behavior when trying to an unrecognized key algorithm.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "unrecognized", "--signature-algorithm", "SHA256withECDSA");
    // Test the behavior when trying to an unrecognized signature algorithm.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--signature-algorithm", "unrecognized");
    // Test the behavior when trying to use a non-RSA key without specifying
    // the key size.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "EC", "--signature-algorithm", "SHA256withECDSA");
    // Test the behavior when trying to use a non-RSA key without specifying
    // the signature algorithm.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "EC", "--key-size-bits", "256");
    // Test the behavior when trying to use a basic constraints extension with
    // a maximum path length but with isCA=false.
    // A path length only has meaning for a CA certificate, so the combination
    // is rejected rather than silently ignored.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--basic-constraints-is-ca", "false", "--basic-constraints-maximum-path-length", "5");
    // Test the behavior when trying to use an invalid key usage string.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-usage", "invalid");
    // Test the behavior when trying to use an malformed extended key usage OID.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--extended-key-usage", "invalid");
    // Test the behavior when trying to use a generic extension with a malformed
    // OID.
    // The --extension syntax is "oid:critical:hex-value"; each of the next
    // four calls breaks exactly one of those pieces.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--extension", "1234.5678:false:1234567890");
    // Test the behavior when trying to use a generic extension with a malformed
    // criticality.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--extension", "1.2.3.4:invalid:1234567890");
    // Test the behavior when trying to use a generic extension with a malformed
    // value.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--extension", "1.2.3.4:true:invalid");
    // Test the behavior when trying to use a generic extension with a really
    // malformed value that doesn't even have any colons.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--extension", "invalid");
    // Test the behavior when trying to generate a certificate in a malformed
    // keystore.
    // The temp file's content is the literal text "malformed keystore", which
    // is neither a JKS nor a PKCS #12 file.
    ksFile = createTempFile("malformed keystore");
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US");
    // Test the behavior when trying to generate a certificate when supplying
    // the wrong keystore password.
    ksFile = copyFile(emptyKeyStorePath);
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "wrong", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US");
    // Test the behavior when trying to generate a certificate when supplying
    // a keystore password in a file with multiple lines.
    // A password file is expected to hold exactly one line; anything else is
    // treated as an error rather than guessing which line is the password.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password-file", multiLinePasswordFilePath, "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US");
    // Test the behavior when trying to generate a certificate when supplying
    // a private key password in a file with multiple lines.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--private-key-password-file", multiLinePasswordFilePath, "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US");
    // Test the behavior when not replacing an existing certificate and not
    // specifying a subject DN.
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert");
    // Test the behavior when trying to generate a new certificate with an alias
    // that already exists as a certificate entry.
    ksFile = copyFile(serverTrustStorePath);
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US");
    // Test the behavior when trying to generate a new certificate with an alias
    // that already exists as a key entry.
    // The second, identical invocation must fail: overwriting an existing key
    // entry requires --replace-existing-certificate and is never implicit.
    assertTrue(ksFile.exists());
    assertTrue(ksFile.delete());
    assertFalse(ksFile.exists());
    manageCertificates("generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US");
    manageCertificates(ResultCode.PARAM_ERROR, null, "generate-self-signed-certificate", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US");
}

/**
 * Provides test coverage for the {@code printExtensions} method.  The printer
 * is driven first with an empty list and then with extensions whose
 * general-name fields cover every GeneralName choice (otherName, rfc822Name,
 * dNSName, x400Address, directoryName, ediPartyName, URI, iPAddress and
 * registeredID), so each formatting branch is reached at least once.  The
 * tool is created with null streams and nothing is asserted about the printed
 * text; the test only establishes that printing does not throw.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testPrintExtensions() throws Exception {
    final ManageCertificates tool = new ManageCertificates(null, null, null);

    // The empty case must be handled without error.
    tool.printExtensions(Collections.<X509CertificateExtension>emptyList(), "");

    // Authority key identifier with all three optional components populated.
    final AuthorityKeyIdentifierExtension authorityKeyIdentifier =
         new AuthorityKeyIdentifierExtension(false,
              new ASN1OctetString("keyIdentifier"),
              new GeneralNamesBuilder().addDNSName("ca.example.com").build(),
              BigInteger.valueOf(12345L));

    // One distribution point with a full name and one with a name relative to
    // the CRL issuer, so both forms of the distributionPoint field are printed.
    final CRLDistributionPoint fullNamePoint = new CRLDistributionPoint(
         new GeneralNamesBuilder().addDNSName("fullName.example.com").build(),
         null,
         new GeneralNamesBuilder().addDNSName("crlIssuer.example.com").build());
    final CRLDistributionPoint relativeNamePoint = new CRLDistributionPoint(
         new RDN("CN=nameRelativeToCRLIssuer"),
         null,
         new GeneralNamesBuilder().addDNSName("crlIssuer.example.com").build());
    final CRLDistributionPointsExtension crlDistributionPoints =
         new CRLDistributionPointsExtension(false,
              Arrays.asList(fullNamePoint, relativeNamePoint));

    // Issuer alternative name holding two values of every GeneralName type.
    final IssuerAlternativeNameExtension issuerAlternativeName =
         new IssuerAlternativeNameExtension(false,
              new GeneralNamesBuilder()
                   .addOtherName(new OID("1.2.3.4"), new ASN1OctetString("otherName1"))
                   .addOtherName(new OID("1.2.3.5"), new ASN1OctetString("otherName2"))
                   .addRFC822Name("email1@example.com")
                   .addRFC822Name("email2@example.com")
                   .addDNSName("dns1.example.com")
                   .addDNSName("dns2.example.com")
                   .addX400Address(new ASN1OctetString("x400Address1"))
                   .addX400Address(new ASN1OctetString("x400Address2"))
                   .addDirectoryName(new DN("CN=Directory Name 1"))
                   .addDirectoryName(new DN("CN=Directory Name 2"))
                   .addEDIPartyName(new ASN1OctetString("ediPartyName1"))
                   .addEDIPartyName(new ASN1OctetString("ediPartyName2"))
                   .addUniformResourceIdentifier("https://uri1.example.com/")
                   .addUniformResourceIdentifier("https://uri2.example.com/")
                   .addIPAddress(InetAddress.getByName("127.0.0.1"))
                   .addIPAddress(InetAddress.getByName("::1"))
                   .addRegisteredID(new OID("1.2.3.6"))
                   .addRegisteredID(new OID("1.2.3.7"))
                   .build());

    final List<X509CertificateExtension> extensions = Arrays.asList(
         authorityKeyIdentifier, crlDistributionPoints, issuerAlternativeName);
    tool.printExtensions(extensions, "");
}

/**
 * Provides test coverage for the generate-certificate-signing-request and
 * sign-certificate-signing-request subcommands.
 * <p>
 * The test walks through: generating a CSR for a brand-new key in a keystore
 * that does not yet exist and having a root CA sign it; regenerating a CSR
 * for the existing entry (PEM and DER); a CSR that requests a full set of
 * extensions and a signing run that copies those requested extensions into
 * the issued certificate; the interactive approval prompt; output to standard
 * output; and a series of rejected inputs (missing or wrong-type signing
 * alias, malformed CSR, CSR whose self-signature is garbage).
 * <p>
 * Security-relevant points exercised here: the prompt fails closed on
 * unrecognised input, a CSR that is not a valid PKCS #10 structure or whose
 * signature does not verify is refused rather than signed, and
 * {@code --include-requested-extensions} copies whatever the requester asked
 * for (including basicConstraints CA=true and keyCertSign) into the issued
 * certificate -- the tool honours the request; vetting it is the operator's
 * job.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testGenerateAndSignCertificateSigningRequest() throws Exception {
    // Tests with a minimal set of arguments for generating a certificate
    // signing request for a certificate that doesn't exist.
    // The keystore file is deleted first so the subcommand has to create it
    // (and a fresh key pair) itself.
    File ksFile = createTempFile();
    assertTrue(ksFile.exists());
    assertTrue(ksFile.delete());
    assertFalse(ksFile.exists());
    File csrFile = createTempFile();
    assertTrue(csrFile.exists());
    assertTrue(csrFile.delete());
    assertFalse(csrFile.exists());
    manageCertificates("generate-certificate-signing-request", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--display-keytool-command");
    // Both the new keystore and the CSR must now exist on disk.
    assertTrue(ksFile.exists());
    assertTrue(csrFile.exists());
    PKCS10CertificateSigningRequest csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    File certFile = createTempFile();
    assertTrue(certFile.exists());
    assertTrue(certFile.delete());
    assertFalse(certFile.exists());
    // Sign the CSR with the root CA's private key.  --no-prompt skips the
    // interactive confirmation that is tested separately below.
    manageCertificates("sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
    assertTrue(certFile.exists());
    List<X509Certificate> certs = ManageCertificates.readCertificatesFromFile(certFile);
    assertFalse(certs.isEmpty());
    assertEquals(certs.size(), 1);
    // Only the subject DN is checked here; issuer and signature validity are
    // not asserted on this minimal path.
    assertEquals(certs.get(0).getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    // Tests with a minimal set of arguments for generating a certificate
    // signing request to replace an existing certificate.
    // With --replace-existing-certificate no subject DN is given; the CSR is
    // expected to carry the DN of the entry already in the keystore.
    assertTrue(csrFile.exists());
    assertTrue(csrFile.delete());
    assertFalse(csrFile.exists());
    manageCertificates("generate-certificate-signing-request", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--display-keytool-command");
    assertTrue(csrFile.exists());
    csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    // Do the same but using the DER output format.
    assertTrue(csrFile.exists());
    assertTrue(csrFile.delete());
    assertFalse(csrFile.exists());
    manageCertificates("generate-certificate-signing-request", "--output-format", "DER", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--display-keytool-command");
    assertTrue(csrFile.exists());
    csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    // Tests with a full set of arguments for a new certificate using a JKS
    // keystore that doesn't already exist.
    // The request asks for everything at once: RSA-2048 / SHA256withRSA, a
    // SAN with one value of each supported type, basicConstraints CA=true with
    // pathLen 5, every keyUsage bit, every named extendedKeyUsage plus a
    // private OID, and a generic non-critical extension whose value is given
    // as hex ("1234567890").
    assertTrue(ksFile.exists());
    assertTrue(ksFile.delete());
    assertFalse(ksFile.exists());
    assertTrue(csrFile.exists());
    assertTrue(csrFile.delete());
    assertFalse(csrFile.exists());
    manageCertificates("generate-certificate-signing-request", "--output-format", "DER", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--keystore-type", "JKS", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-email-address", "test@example.com", "--subject-alternative-name-uri", "https://www.example.com/", "--subject-alternative-name-oid", "1.2.3.4", "--basic-constraints-is-ca", "true", "--basic-constraints-maximum-path-length", "5", "--key-usage", "digital-signature", "--key-usage", "non-repudiation", "--key-usage", "key-encipherment", "--key-usage", "data-encipherment", "--key-usage", "key-agreement", "--key-usage", "key-cert-sign", "--key-usage", "crl-sign", "--key-usage", "encipher-only", "--key-usage", "decipher-only", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--extended-key-usage", "code-signing", "--extended-key-usage", "email-protection", "--extended-key-usage", "time-stamping", "--extended-key-usage", "ocsp-signing", "--extended-key-usage", "1.2.3.5", "--extension", "1.2.3.6:false:1234567890", "--display-keytool-command");
    assertTrue(csrFile.exists());
    csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertEquals(csr.getPublicKeyAlgorithmName(), "RSA");
    assertEquals(csr.getSignatureAlgorithmName(), "SHA-256 with RSA");
    // Walk the requested extensions and confirm each one came through with the
    // values asked for.  Presence flags are collected in the loop and checked
    // afterwards so a missing extension is reported, not silently skipped.
    boolean hasBasicConstraintsExtension = false;
    boolean hasExtendedKeyUsageConstraintsExtension = false;
    boolean hasGenericExtension = false;
    boolean hasKeyUsageExtension = false;
    boolean hasSubjectAlternativeNameExtension = false;
    boolean hasSubjectKeyIdentifierExtension = false;
    for (final X509CertificateExtension extension : csr.getExtensions()) {
        if (extension instanceof BasicConstraintsExtension) {
            hasBasicConstraintsExtension = true;
            final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
            assertTrue(e.isCA());
            assertNotNull(e.getPathLengthConstraint());
            assertEquals(e.getPathLengthConstraint().intValue(), 5);
        } else if (extension instanceof ExtendedKeyUsageExtension) {
            hasExtendedKeyUsageConstraintsExtension = true;
            final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
            // The unregistered OID passed on the command line must survive
            // alongside the named purposes.
            assertTrue(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
        } else if (extension instanceof KeyUsageExtension) {
            hasKeyUsageExtension = true;
            final KeyUsageExtension e = (KeyUsageExtension) extension;
            assertTrue(e.isDigitalSignatureBitSet());
            assertTrue(e.isNonRepudiationBitSet());
            assertTrue(e.isKeyEnciphermentBitSet());
            assertTrue(e.isDataEnciphermentBitSet());
            assertTrue(e.isKeyAgreementBitSet());
            assertTrue(e.isKeyCertSignBitSet());
            assertTrue(e.isCRLSignBitSet());
            assertTrue(e.isEncipherOnlyBitSet());
            assertTrue(e.isDecipherOnlyBitSet());
        } else if (extension instanceof SubjectAlternativeNameExtension) {
            hasSubjectAlternativeNameExtension = true;
            final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
            assertEquals(e.getDNSNames(), Collections.singletonList("ldap.example.com"));
            assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("127.0.0.1")));
            assertEquals(e.getRFC822Names(), Collections.singletonList("test@example.com"));
            assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www.example.com/"));
            assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.4")));
        } else if (extension instanceof SubjectKeyIdentifierExtension) {
            // NOTE(review): only presence is checked; the key identifier value
            // is not compared against the public key.
            hasSubjectKeyIdentifierExtension = true;
        } else if (extension.getOID().equals(new OID("1.2.3.6"))) {
            hasGenericExtension = true;
            assertFalse(extension.isCritical());
            assertNotNull(extension.getValue());
            // The "1234567890" argument is hex-decoded into these five bytes.
            assertEquals(extension.getValue(), StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
        }
    }
    assertTrue(hasBasicConstraintsExtension);
    assertTrue(hasExtendedKeyUsageConstraintsExtension);
    assertTrue(hasGenericExtension);
    assertTrue(hasKeyUsageExtension);
    assertTrue(hasSubjectAlternativeNameExtension);
    assertTrue(hasSubjectKeyIdentifierExtension);
    // Sign the CSR with a full set of arguments.
    // --include-requested-extensions copies the CSR's extensions (including
    // CA=true and keyCertSign, as asserted below) into the issued certificate;
    // the signer additionally adds an issuer alternative name, an authority
    // key identifier, and a critical generic extension 1.2.3.8.  The validity
    // window is pinned explicitly (start 2017-01-01, 7300 days) rather than
    // taken from the clock.
    assertTrue(certFile.exists());
    assertTrue(certFile.delete());
    assertFalse(certFile.exists());
    manageCertificates("sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--days-valid", "7300", "--validity-start-time", "20170101000000", "--include-requested-extensions", "--issuer-alternative-name-dns", "issuer.example.com", "--issuer-alternative-name-ip-address", "::1", "--issuer-alternative-name-email-address", "issuer@example.com", "--issuer-alternative-name-uri", "https://issuer.example.com/", "--issuer-alternative-name-oid", "1.2.3.7", "--extension", "1.2.3.8:true:0987654321", "--no-prompt", "--display-keytool-command");
    assertTrue(certFile.exists());
    certs = ManageCertificates.readCertificatesFromFile(certFile);
    assertFalse(certs.isEmpty());
    assertEquals(certs.size(), 1);
    assertEquals(certs.get(0).getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
    assertEquals(certs.get(0).getPublicKeyAlgorithmName(), "RSA");
    assertEquals(certs.get(0).getSignatureAlgorithmName(), "SHA-256 with RSA");
    // Reset the presence flags and repeat the extension walk on the issued
    // certificate, which should now carry the requested extensions plus the
    // ones the signer added.
    hasBasicConstraintsExtension = false;
    hasExtendedKeyUsageConstraintsExtension = false;
    hasKeyUsageExtension = false;
    hasSubjectAlternativeNameExtension = false;
    hasSubjectKeyIdentifierExtension = false;
    boolean hasAuthorityKeyIdentifierExtension = false;
    boolean hasIssuerAlternativeNameExtension = false;
    boolean hasOldGenericExtension = false;
    boolean hasNewGenericExtension = false;
    for (final X509CertificateExtension extension : certs.get(0).getExtensions()) {
        if (extension instanceof AuthorityKeyIdentifierExtension) {
            // NOTE(review): presence only; the AKI is not matched against the
            // CA's subject key identifier here.
            hasAuthorityKeyIdentifierExtension = true;
        } else if (extension instanceof BasicConstraintsExtension) {
            // The requested CA=true / pathLen 5 was copied verbatim.
            hasBasicConstraintsExtension = true;
            final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
            assertTrue(e.isCA());
            assertNotNull(e.getPathLengthConstraint());
            assertEquals(e.getPathLengthConstraint().intValue(), 5);
        } else if (extension instanceof ExtendedKeyUsageExtension) {
            hasExtendedKeyUsageConstraintsExtension = true;
            final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
            assertTrue(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
        } else if (extension instanceof IssuerAlternativeNameExtension) {
            hasIssuerAlternativeNameExtension = true;
            final IssuerAlternativeNameExtension e = (IssuerAlternativeNameExtension) extension;
            assertEquals(e.getDNSNames(), Collections.singletonList("issuer.example.com"));
            assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("::1")));
            assertEquals(e.getRFC822Names(), Collections.singletonList("issuer@example.com"));
            assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://issuer.example.com/"));
            assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.7")));
        } else if (extension instanceof KeyUsageExtension) {
            hasKeyUsageExtension = true;
            final KeyUsageExtension e = (KeyUsageExtension) extension;
            assertTrue(e.isDigitalSignatureBitSet());
            assertTrue(e.isNonRepudiationBitSet());
            assertTrue(e.isKeyEnciphermentBitSet());
            assertTrue(e.isDataEnciphermentBitSet());
            assertTrue(e.isKeyAgreementBitSet());
            assertTrue(e.isKeyCertSignBitSet());
            assertTrue(e.isCRLSignBitSet());
            assertTrue(e.isEncipherOnlyBitSet());
            assertTrue(e.isDecipherOnlyBitSet());
        } else if (extension instanceof SubjectAlternativeNameExtension) {
            hasSubjectAlternativeNameExtension = true;
            final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
            assertEquals(e.getDNSNames(), Collections.singletonList("ldap.example.com"));
            assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("127.0.0.1")));
            assertEquals(e.getRFC822Names(), Collections.singletonList("test@example.com"));
            assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www.example.com/"));
            assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.4")));
        } else if (extension instanceof SubjectKeyIdentifierExtension) {
            hasSubjectKeyIdentifierExtension = true;
        } else if (extension.getOID().equals(new OID("1.2.3.6"))) {
            // Carried over from the CSR, still non-critical.
            hasOldGenericExtension = true;
            assertFalse(extension.isCritical());
            assertNotNull(extension.getValue());
            assertEquals(extension.getValue(), StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
        } else if (extension.getOID().equals(new OID("1.2.3.8"))) {
            // Added by the signer and flagged critical as requested.
            hasNewGenericExtension = true;
            assertTrue(extension.isCritical());
            assertNotNull(extension.getValue());
            assertEquals(extension.getValue(), StaticUtils.byteArray(0x09, 0x87, 0x65, 0x43, 0x21));
        }
    }
    assertTrue(hasAuthorityKeyIdentifierExtension);
    assertTrue(hasBasicConstraintsExtension);
    assertTrue(hasExtendedKeyUsageConstraintsExtension);
    assertTrue(hasIssuerAlternativeNameExtension);
    assertTrue(hasKeyUsageExtension);
    assertTrue(hasNewGenericExtension);
    assertTrue(hasOldGenericExtension);
    assertTrue(hasSubjectAlternativeNameExtension);
    assertTrue(hasSubjectKeyIdentifierExtension);
    // Tests the behavior when prompting about whether to sign a certificate
    // signing request.  First, reject the request.  Next, fail with invalid
    // input.  Finally, approve the request.
    // The prompt must fail closed: neither "no" nor unparseable input may
    // produce a signed certificate, which is why the output file is checked
    // to be absent after each of the first two runs.
    assertTrue(certFile.exists());
    assertTrue(certFile.delete());
    assertFalse(certFile.exists());
    manageCertificates(ResultCode.USER_CANCELED, "no\n", "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--display-keytool-command");
    assertFalse(certFile.exists());
    manageCertificates(ResultCode.LOCAL_ERROR, "invalid input\n", "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--display-keytool-command");
    assertFalse(certFile.exists());
    manageCertificates(ResultCode.SUCCESS, "yes\n", "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--display-keytool-command");
    assertTrue(certFile.exists());
    // Tests the behavior when trying to sign a certificate signing request with
    // the signed certificate being written to standard output instead of to a
    // file.
    // PEM is text, so it may go to standard output.  The certFile assertion
    // that follows only confirms the earlier file was left untouched.
    manageCertificates(ResultCode.SUCCESS, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--output-format", "PEM", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
    assertTrue(certFile.exists());
    // Tests the behavior when trying to sign a certificate signing request with
    // the signed certificate being written to standard output instead of to a
    // file and using the DER output format.
    // Binary DER without an output file is rejected as a parameter error.
    manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
    assertTrue(certFile.exists());
    // Tests the behavior when trying to sign a certificate signing request with
    // a keystore that doesn't have an entry with the specified alias.
    manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", emptyKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
    // Tests the behavior when trying to sign a certificate signing request with
    // a keystore for which the specified alias is a certificate entry rather
    // than a key entry.
    // A trust-store entry has no private key, so there is nothing to sign
    // with; this must be refused rather than attempted.
    manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", serverTrustStorePath, "--keystore-password", "password", "--signing-certificate-alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
    // Tests the behavior when trying to sign a malformed certificate signing
    // request.
    // Valid PEM armor around a body that is not DER-encoded PKCS #10.
    csrFile = createTempFile("-----BEGIN NEW CERTIFICATE REQUEST-----", "This isn't a valid CSR.", "-----END NEW CERTIFICATE REQUEST-----");
    manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
    // Tests the behavior when trying to sign a certificate signing request with
    // an invalid signature.
    // The CSR is structurally well-formed but its public key and signature
    // are both a single byte of set bits, so the proof-of-possession cannot
    // verify.  The signer is expected to refuse it (PARAM_ERROR) -- presumably
    // because it checks the CSR's self-signature before issuing; the exact
    // reason is not visible from this test.
    csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), null, new ASN1BitString(true, true, true, true, true, true, true, true), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), null, new ASN1BitString(true, true, true, true, true, true, true, true), null, null);
    csrFile = createTempFile(csr.toPEMString());
    manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
    // Tests the behavior when writing a certificate signing request to standard
    // output.
    // No --output-file, so the (PEM) CSR goes to standard output; only the
    // default result code is checked.
    manageCertificates("generate-certificate-signing-request", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--display-keytool-command");
}

/**
 * Tests a subject alternative name extension with multiple values for all
 * types of names.  The extension is marked critical, built from a
 * {@code GeneralNames} holding two entries of every GeneralName choice, then
 * round-tripped through the copy constructor (which re-parses the encoded
 * value) before every accessor is checked for a non-null, non-empty result.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testMultipleValuesForAllTypesOfNames() throws Exception {
    // Two values per GeneralName type, in the order the CHOICE tags define.
    final GeneralNames allNames = new GeneralNamesBuilder()
         .addOtherName(new OID("1.2.3.4"), new ASN1OctetString("otherName1"))
         .addOtherName(new OID("1.2.3.5"), new ASN1OctetString("otherName2"))
         .addRFC822Name("user1@example.com")
         .addRFC822Name("user2@example.com")
         .addDNSName("ldap1.example.com")
         .addDNSName("ldap2.example.com")
         .addX400Address(new ASN1OctetString("x.400Address1"))
         .addX400Address(new ASN1OctetString("x.400Address2"))
         .addDirectoryName(new DN("dc=example,dc=com"))
         .addDirectoryName(new DN("o=example.com"))
         .addEDIPartyName(new ASN1OctetString("ediPartyName1"))
         .addEDIPartyName(new ASN1OctetString("ediPartyName2"))
         .addUniformResourceIdentifier("ldap://ds1.example.com:389/")
         .addUniformResourceIdentifier("ldap://ds2.example.com:389/")
         .addIPAddress(InetAddress.getByName("127.0.0.1"))
         .addIPAddress(InetAddress.getByName("::1"))
         .addRegisteredID(new OID("1.2.3.6"))
         .addRegisteredID(new OID("1.2.3.7"))
         .build();

    // Encode once, then decode again via the copy constructor so the
    // assertions below run against the parsed form.
    final SubjectAlternativeNameExtension encoded = new SubjectAlternativeNameExtension(true, allNames);
    final SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(encoded);

    // Identity: OID 2.5.29.17, criticality preserved, raw value present.
    assertNotNull(san.getOID());
    assertEquals(san.getOID().toString(), "2.5.29.17");
    assertTrue(san.isCritical());
    assertNotNull(san.getValue());
    assertNotNull(san.getGeneralNames());

    // Every typed accessor must yield a populated list.
    assertNotNull(san.getOtherNames());
    assertFalse(san.getOtherNames().isEmpty());
    assertNotNull(san.getRFC822Names());
    assertFalse(san.getRFC822Names().isEmpty());
    assertNotNull(san.getDNSNames());
    assertFalse(san.getDNSNames().isEmpty());
    assertNotNull(san.getX400Addresses());
    assertFalse(san.getX400Addresses().isEmpty());
    assertNotNull(san.getDirectoryNames());
    assertFalse(san.getDirectoryNames().isEmpty());
    assertNotNull(san.getEDIPartyNames());
    assertFalse(san.getEDIPartyNames().isEmpty());
    assertNotNull(san.getUniformResourceIdentifiers());
    assertFalse(san.getUniformResourceIdentifiers().isEmpty());
    assertNotNull(san.getIPAddresses());
    assertFalse(san.getIPAddresses().isEmpty());
    assertNotNull(san.getRegisteredIDs());
    assertFalse(san.getRegisteredIDs().isEmpty());

    // A known extension reports a human-readable name, not its bare OID.
    assertNotNull(san.getExtensionName());
    assertFalse(san.getExtensionName().equals("2.5.29.17"));
    assertNotNull(san.toString());
}

/**
 * Tests the behavior with a valid extension.  A non-critical subject key
 * identifier is created from an arbitrary octet string, round-tripped through
 * the copy constructor, and then checked for its well-known OID (2.5.29.14),
 * criticality, encoded value and decoded key identifier.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testValidExtension() throws Exception {
    final ASN1OctetString keyIdentifier = new ASN1OctetString("foo");

    // Build, then re-parse through the copy constructor.
    final SubjectKeyIdentifierExtension original = new SubjectKeyIdentifierExtension(false, keyIdentifier);
    final SubjectKeyIdentifierExtension extension = new SubjectKeyIdentifierExtension(original);

    // Identity and criticality.
    assertNotNull(extension.getOID());
    assertEquals(extension.getOID(), new OID("2.5.29.14"));
    assertFalse(extension.isCritical());

    // The raw extension value is the DER encoding of the octet string, and
    // the decoded key identifier is the octet string itself.
    assertNotNull(extension.getValue());
    assertEquals(extension.getValue(), keyIdentifier.encode());
    assertNotNull(extension.getKeyIdentifier());
    assertEquals(extension.getKeyIdentifier(), keyIdentifier);

    assertNotNull(extension.getExtensionName());
    assertNotNull(extension.toString());
}