use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.
the class PromptTrustManagerProcessorTestCase method testValidCertificateChainMatchNameWithSAN.
/**
* Tests the behavior with a valid certificate chain that shouldn't trigger
* any warnings. The certificate will have a subject alternative name
* extension, and the expected address does not match the value of the CN
* attribute in the subject, but does match one of the DNS name values in the
* extension.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testValidCertificateChainMatchNameWithSAN() throws Exception {
// Create a bunch of variables with file paths and other values to use
// during testing.
final File tempDir = createTempDir();
final String caCertificateAlias = "ca-cert";
final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
final String serverCertificateAlias = "server-cert";
final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
// Create a JKS keystore with just a CA certificate.
manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
// Create a JKS keystore with a server certificate that is signed by the CA.
manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
// Load the keystore and get the certificate chain.
final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
keystore.load(inputStream, "password".toCharArray());
}
final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
// Invoke the shouldPrompt method and examine the result.
final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ds.example.com"));
assertNotNull(promptResult.getFirst());
assertEquals(promptResult.getFirst(), Boolean.TRUE);
assertNotNull(promptResult.getSecond());
assertTrue(promptResult.getSecond().isEmpty());
}
use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.
the class PromptTrustManagerProcessorTestCase method testValidCertificateChainMatchWildcardNameWithoutSAN.
/**
* Tests the behavior with a valid certificate chain that shouldn't trigger
* any warnings. The certificate won't have a subject alternative name
* extension, but the CN attribute of the subject will include a wildcard and
* will match the expected address.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testValidCertificateChainMatchWildcardNameWithoutSAN() throws Exception {
// Create a bunch of variables with file paths and other values to use
// during testing.
final File tempDir = createTempDir();
final String caCertificateAlias = "ca-cert";
final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
final String serverCertificateAlias = "server-cert";
final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
// Create a JKS keystore with just a CA certificate.
manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
// Create a JKS keystore with a server certificate that is signed by the CA.
manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=*.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
// Load the keystore and get the certificate chain.
final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
keystore.load(inputStream, "password".toCharArray());
}
final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
// Invoke the shouldPrompt method and examine the result.
final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
assertNotNull(promptResult.getFirst());
assertEquals(promptResult.getFirst(), Boolean.TRUE);
assertNotNull(promptResult.getSecond());
assertTrue(promptResult.getSecond().isEmpty());
}
use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.
the class PromptTrustManagerProcessorTestCase method testValidCertificateChainAlreadyInCache.
/**
* Tests the behavior with a valid certificate chain that shouldn't trigger
* any warnings and that is already in the cache.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testValidCertificateChainAlreadyInCache() throws Exception {
// Create a bunch of variables with file paths and other values to use
// during testing.
final File tempDir = createTempDir();
final String caCertificateAlias = "ca-cert";
final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
final String serverCertificateAlias = "server-cert";
final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
// Create a JKS keystore with just a CA certificate.
manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
// Create a JKS keystore with a server certificate that is signed by the CA.
manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
// Load the keystore and get the certificate chain.
final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
keystore.load(inputStream, "password".toCharArray());
}
final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
final X509Certificate[] ldapSDKChain = PromptTrustManager.convertChain(javaChain);
// Invoke the shouldPrompt method and examine the result.
final Map<String, Boolean> acceptedCertificates = Collections.singletonMap(PromptTrustManager.getCacheKey(javaChain[0]), Boolean.FALSE);
final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, acceptedCertificates, Collections.singletonList("ldap.example.com"));
assertNotNull(promptResult.getFirst());
assertEquals(promptResult.getFirst(), Boolean.FALSE);
assertNotNull(promptResult.getSecond());
assertTrue(promptResult.getSecond().isEmpty());
}
use of com.unboundid.util.ssl.cert.X509Certificate in project ldapsdk by pingidentity.
the class PromptTrustManagerProcessorTestCase method testSingleCertificateIncompleteChain.
/**
* Tests the behavior with only the first certificate of a two-certificate
* chain.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testSingleCertificateIncompleteChain() throws Exception {
// Create a bunch of variables with file paths and other values to use
// during testing.
final File tempDir = createTempDir();
final String caCertificateAlias = "ca-cert";
final String caKeyStorePath = new File(tempDir, caCertificateAlias + "-keystore.jks").getAbsolutePath();
final String caCertificatePath = new File(tempDir, caCertificateAlias + ".cert").getAbsolutePath();
final String serverCertificateAlias = "server-cert";
final String serverKeyStorePath = new File(tempDir, serverCertificateAlias + "-keystore.jks").getAbsolutePath();
final String serverCSRPath = new File(tempDir, serverCertificateAlias + ".csr").getAbsolutePath();
final String serverCertificatePath = new File(tempDir, serverCertificateAlias + ".cert").getAbsolutePath();
// Create a JKS keystore with just a CA certificate.
manageCertificates("generate-self-signed-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", caCertificateAlias, "--subject-dn", "CN=Example Root CA,O=Example Corporation,C=US", "--days-valid", "7300", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-email-address", "ca@example.com", "--basic-constraints-is-ca", "true", "--key-usage", "key-cert-sign", "--display-keytool-command");
manageCertificates("export-certificate", "--keystore", caKeyStorePath, "--keystore-password", "password", "--alias", caCertificateAlias, "--output-format", "PEM", "--output-file", caCertificatePath, "--display-keytool-command");
// Create a JKS keystore with a server certificate that is signed by the CA.
manageCertificates("generate-certificate-signing-request", "--output-file", serverCSRPath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--keystore-type", "JKS", "--alias", serverCertificateAlias, "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-dns", "ldap", "--subject-alternative-name-dns", "ds.example.com", "--subject-alternative-name-dns", "ds", "--subject-alternative-name-dns", "localhost", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-ip-address", "::1", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--display-keytool-command");
manageCertificates("sign-certificate-signing-request", "--request-input-file", serverCSRPath, "--certificate-output-file", serverCertificatePath, "--output-format", "PEM", "--keystore", caKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", caCertificateAlias, "--days-valid", "365", "--include-requested-extensions", "--no-prompt", "--display-keytool-command");
manageCertificates("import-certificate", "--certificate-file", serverCertificatePath, "--certificate-file", caCertificatePath, "--keystore", serverKeyStorePath, "--keystore-password", "password", "--alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
// Load the keystore and get the certificate chain.
final KeyStore keystore = CryptoHelper.getKeyStore("JKS");
try (FileInputStream inputStream = new FileInputStream(serverKeyStorePath)) {
keystore.load(inputStream, "password".toCharArray());
}
final Certificate[] javaChain = keystore.getCertificateChain(serverCertificateAlias);
final X509Certificate[] ldapSDKChain = { PromptTrustManager.convertChain(javaChain)[0] };
// Invoke the shouldPrompt method and examine the result.
final ObjectPair<Boolean, List<String>> promptResult = PromptTrustManagerProcessor.shouldPrompt(PromptTrustManager.getCacheKey(javaChain[0]), ldapSDKChain, true, true, Collections.<String, Boolean>emptyMap(), Collections.singletonList("ldap.example.com"));
assertNotNull(promptResult.getFirst());
assertEquals(promptResult.getFirst(), Boolean.TRUE);
assertNotNull(promptResult.getSecond());
assertFalse(promptResult.getSecond().isEmpty());
assertEquals(promptResult.getSecond().size(), 1);
}
Aggregations