Examples with X509Certificate com.unboundid.util.ssl.cert.X509Certificate used on opensource projects

Search in sources :

Example 6 with X509Certificate

use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.

the class PromptTrustManagerProcessorTestCase method testSelfSignedCertificateWithValidSignature.

/**
 * Tests the behavior with a self-signed certificate that has a valid
 * signature.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testSelfSignedCertificateWithValidSignature() throws Exception {
    // Create a bunch of variables with file paths and other values to use
    // during testing.
    final File tempDir = createTempDir();
    final String serverCertificateAlias = "server-cert";
    final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
    final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
    // Create a JKS keystore with just a CA certificate.
    manageCertificates("generate-self-signed-certificate", "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
    // Load the keystore and get the certificate chain.
    final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
    try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
        keystore.load(inputStream, "password".toCharArray());
    }
    final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
    final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
    assertNotNull(promptResult.getFirst());
    assertEquals(promptResult.getFirst(), Boolean.TRUE);
    assertNotNull(promptResult.getSecond());
    assertFalse(promptResult.getSecond().isEmpty());
    assertEquals(promptResult.getSecond().size(), 1);
}
Also used : List(java.util.List) ASN1BitString(com.unboundid.asn1.ASN1BitString) File(java.io.File) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) Certificate(java.security.cert.Certificate) Test(org.testng.annotations.Test)

Example 7 with X509Certificate

use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.

the class PromptTrustManagerProcessorTestCase method testCertificateChainIssuerMismatch.

/**
 * Tests the behavior with a certificate chain in which the second certificate
 * is not the issuer for the first.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testCertificateChainIssuerMismatch() throws Exception {
    // Create a bunch of variables with file paths and other values to use
    // during testing.
    final File tempDir = createTempDir();
    final String caCertificateAlias = "ca-cert";
    final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
    final String serverCertificateAlias = "server-cert";
    final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
    final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
    // Create a JKS keystore with just a CA certificate.
    manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
    manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
    // Create a JKS keystore with a server certificate that is signed by the CA.
    manageCertificates("generate-self-signed-certificate", "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
    manageCertificates("import-certificate", "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--no-prompt", "--display-keytool-command");
    // Load the keystore and get the certificate chain.
    final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
    try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
        keystore.load(inputStream, "password".toCharArray());
    }
    final Certificate[] javaChain = { keystore.getCertificateChain(serverCertificateAlias)[0], keystore.getCertificate(caCertificateAlias) };
    final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
    assertNotNull(promptResult.getFirst());
    assertEquals(promptResult.getFirst(), Boolean.TRUE);
    assertNotNull(promptResult.getSecond());
    assertFalse(promptResult.getSecond().isEmpty());
    assertEquals(promptResult.getSecond().size(), 1);
}
Also used : List(java.util.List) ASN1BitString(com.unboundid.asn1.ASN1BitString) File(java.io.File) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) Certificate(java.security.cert.Certificate) Test(org.testng.annotations.Test)

Example 8 with X509Certificate

use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.

the class CertificateDataReplaceCertificateKeyStoreContent method readPEMCertificates.

/**
 * Reads one or more PEM-formatted X.509 certificates from the given input
 * stream.
 *
 * @param  file          The file with which the provided input stream is
 *                       associated.  It must not be {@code null}.
 * @param  inputStream   The input stream from which the certificates are to
 *                       be read.  It must not be {@code null}.
 * @param  encodedCerts  A list that will be updated with the certificates
 *                       that are read.  This must not be {@code null} and
 *                       must be updatable.
 *
 * @throws  IOException  If a problem occurs while trying to read from the
 *                       file.
 *
 * @throws  LDAPException  If the contents of the file cannot be parsed as a
 *                         valid set of PEM-formatted certificates.
 */
private static void readPEMCertificates(@NotNull final File file, @NotNull final InputStream inputStream, @NotNull final List<byte[]> encodedCerts) throws IOException, LDAPException {
    try (X509PEMFileReader pemReader = new X509PEMFileReader(inputStream)) {
        while (true) {
            final X509Certificate cert = pemReader.readCertificate();
            if (cert == null) {
                return;
            }
            encodedCerts.add(cert.getX509CertificateBytes());
        }
    } catch (final CertException e) {
        Debug.debugException(e);
        throw new LDAPException(ResultCode.DECODING_ERROR, ERR_CD_KSC_DECODE_PEM_CERT_ERROR.get(file.getAbsolutePath(), e.getMessage()), e);
    }
}
Also used : LDAPException(com.unboundid.ldap.sdk.LDAPException) CertException(com.unboundid.util.ssl.cert.CertException) X509PEMFileReader(com.unboundid.util.ssl.cert.X509PEMFileReader) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate)

Example 9 with X509Certificate

use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.

the class PromptTrustManagerProcessorTestCase method testServerCertificateNotYetValid.

/**
 * Tests the behavior with a certificate chain in which the certificate at the
 * head of the chain is not yet valid.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testServerCertificateNotYetValid() throws Exception {
    // Create a bunch of variables with file paths and other values to use
    // during testing.
    final File tempDir = createTempDir();
    final String caCertificateAlias = "ca-cert";
    final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
    final String serverCertificateAlias = "server-cert";
    final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
    final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
    // Create a JKS keystore with just a CA certificate.
    manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
    manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
    // Create a JKS keystore with a server certificate that is signed by the CA.
    manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
    manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--validity-start-time", getValidityStartTime(System.currentTimeMillis() + 86_400_000L), "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
    manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
    // Load the keystore and get the certificate chain.
    final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
    try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
        keystore.load(inputStream, "password".toCharArray());
    }
    final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
    final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> serverPromptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
    assertNotNull(serverPromptResult.getFirst());
    assertEquals(serverPromptResult.getFirst(), Boolean.TRUE);
    assertNotNull(serverPromptResult.getSecond());
    assertFalse(serverPromptResult.getSecond().isEmpty());
    assertEquals(serverPromptResult.getSecond().size(), 1);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> clientPromptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, false, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
    assertNotNull(clientPromptResult.getFirst());
    assertEquals(clientPromptResult.getFirst(), Boolean.TRUE);
    assertNotNull(clientPromptResult.getSecond());
    assertFalse(clientPromptResult.getSecond().isEmpty());
    assertEquals(clientPromptResult.getSecond().size(), 1);
}
Also used : List(java.util.List) ASN1BitString(com.unboundid.asn1.ASN1BitString) File(java.io.File) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) Certificate(java.security.cert.Certificate) Test(org.testng.annotations.Test)

Example 10 with X509Certificate

use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.

the class PromptTrustManagerProcessorTestCase method testValidCertificateChainWithoutCNOrSAN.

/**
 * Tests the behavior with a valid certificate chain that shouldn't trigger
 * any warnings.  The certificate won't have a subject alternative name
 * extension, and also won't have a CN attribute in its subject.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testValidCertificateChainWithoutCNOrSAN() throws Exception {
    // Create a bunch of variables with file paths and other values to use
    // during testing.
    final File tempDir = createTempDir();
    final String caCertificateAlias = "ca-cert";
    final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
    final String serverCertificateAlias = "server-cert";
    final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
    final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
    final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
    // Create a JKS keystore with just a CA certificate.
    manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
    manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
    // Create a JKS keystore with a server certificate that is signed by the CA.
    manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "E=admin@example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
    manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
    manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
    // Load the keystore and get the certificate chain.
    final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
    try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
        keystore.load(inputStream, "password".toCharArray());
    }
    final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
    final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
    // Invoke the shouldPrompt method and examine the result.
    final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
    assertNotNull(promptResult.getFirst());
    assertEquals(promptResult.getFirst(), Boolean.TRUE);
    assertNotNull(promptResult.getSecond());
    assertTrue(promptResult.getSecond().isEmpty());
}
Also used : List(java.util.List) ASN1BitString(com.unboundid.asn1.ASN1BitString) File(java.io.File) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) X509Certificate(com.unboundid.util.ssl.cert.X509Certificate) Certificate(java.security.cert.Certificate) Test(org.testng.annotations.Test)

Aggregations

X509Certificate (com.unboundid.util.ssl.cert.X509Certificate)29 ASN1BitString (com.unboundid.asn1.ASN1BitString)28 List (java.util.List)28 Test (org.testng.annotations.Test)28 File (java.io.File)27 FileInputStream (java.io.FileInputStream)27 KeyStore (java.security.KeyStore)27 Certificate (java.security.cert.Certificate)27 X509CertificateExtension (com.unboundid.util.ssl.cert.X509CertificateExtension)3 DN (com.unboundid.ldap.sdk.DN)1 LDAPException (com.unboundid.ldap.sdk.LDAPException)1 CertException (com.unboundid.util.ssl.cert.CertException)1 X509PEMFileReader (com.unboundid.util.ssl.cert.X509PEMFileReader)1 KeyPair (java.security.KeyPair)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial