Search in sources :

Example 16 with RSAPrivateKey

use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.

the class X509CRLStreamWriterTest method testIncrementsExtensions.

@Test
public void testIncrementsExtensions() throws Exception {
    File crlToChange = writeCRL(createCRL());
    X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
    stream.preScan(crlToChange).lock();
    OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
    stream.write(o);
    o.close();
    X509CRL changedCrl = readCRL();
    byte[] val = changedCrl.getExtensionValue(Extension.cRLNumber.getId());
    DEROctetString s = (DEROctetString) DERTaggedObject.fromByteArray(val);
    ASN1Integer i = (ASN1Integer) DERTaggedObject.fromByteArray(s.getOctets());
    assertTrue("CRL Number not incremented", i.getValue().compareTo(BigInteger.ONE) > 0);
}
Also used : X509CRL(java.security.cert.X509CRL) BufferedOutputStream(java.io.BufferedOutputStream) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) FileOutputStream(java.io.FileOutputStream) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) File(java.io.File) BufferedOutputStream(java.io.BufferedOutputStream) DEROctetString(org.bouncycastle.asn1.DEROctetString) Test(org.junit.Test)

Example 17 with RSAPrivateKey

use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.

the class X509CRLStreamWriterTest method testAddEntryToBigCRL.

@Test
public void testAddEntryToBigCRL() throws Exception {
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
    AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
    crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
         * portion of the TLV to increase by one.*/
    crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    BigInteger serial = new BigInteger("741696FE9E30AD27", 16);
    Set<BigInteger> expected = new HashSet<>();
    for (int i = 0; i < 10000; i++) {
        serial = serial.add(BigInteger.TEN);
        crlBuilder.addCRLEntry(serial, new Date(), CRLReason.privilegeWithdrawn);
        expected.add(serial);
    }
    X509CRLHolder holder = crlBuilder.build(signer);
    File crlToChange = writeCRL(holder);
    File outfile = new File(folder.getRoot(), "new.crl");
    X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
    // Add enough items to cause the number of length bytes to change
    Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
    for (BigInteger i : newSerials) {
        stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
        expected.add(i);
    }
    stream.preScan(crlToChange).lock();
    OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
    stream.write(o);
    o.close();
    X509CRL changedCrl = readCRL();
    Set<BigInteger> discoveredSerials = new HashSet<>();
    for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
        discoveredSerials.add(entry.getSerialNumber());
    }
    assertEquals(expected, discoveredSerials);
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) X509CRL(java.security.cert.X509CRL) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) BufferedOutputStream(java.io.BufferedOutputStream) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) Date(java.util.Date) X509CRLEntry(java.security.cert.X509CRLEntry) FileOutputStream(java.io.FileOutputStream) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) File(java.io.File) BufferedOutputStream(java.io.BufferedOutputStream) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 18 with RSAPrivateKey

use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.

the class X509CRLStreamWriterTest method testAddEntryToEmptyCRL.

@Test
public void testAddEntryToEmptyCRL() throws Exception {
    Date oneHourAgo = new Date(new Date().getTime() - 60L * 60L * 1000L);
    Date oneHourHence = new Date(new Date().getTime() + 60L * 60L * 1000L);
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, oneHourAgo);
    AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
    crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
         * portion of the TLV to increase by one.*/
    crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    crlBuilder.setNextUpdate(oneHourHence);
    X509CRLHolder holder = crlBuilder.build(signer);
    File crlToChange = writeCRL(holder);
    File outfile = new File(folder.getRoot(), "new.crl");
    X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
    // Add enough items to cause the number of length bytes to change
    Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
    for (BigInteger i : newSerials) {
        stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
    }
    stream.preScan(crlToChange).lock();
    OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
    stream.write(o);
    o.close();
    X509CRL changedCrl = readCRL();
    Set<BigInteger> discoveredSerials = new HashSet<>();
    for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
        discoveredSerials.add(entry.getSerialNumber());
    }
    X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
    assertNotNull(changedCrl.getNextUpdate());
    long changedCrlUpdateDelta = changedCrl.getNextUpdate().getTime() - changedCrl.getThisUpdate().getTime();
    assertEquals(changedCrlUpdateDelta, oneHourHence.getTime() - oneHourAgo.getTime());
    assertThat(changedCrl.getThisUpdate(), OrderingComparison.greaterThan(originalCrl.getThisUpdate()));
    assertEquals(newSerials, discoveredSerials);
    assertEquals(originalCrl.getIssuerX500Principal(), changedCrl.getIssuerX500Principal());
    ASN1ObjectIdentifier crlNumberOID = Extension.cRLNumber;
    byte[] oldCrlNumberBytes = originalCrl.getExtensionValue(crlNumberOID.getId());
    byte[] newCrlNumberBytes = changedCrl.getExtensionValue(crlNumberOID.getId());
    DEROctetString oldOctet = (DEROctetString) DERTaggedObject.fromByteArray(oldCrlNumberBytes);
    DEROctetString newOctet = (DEROctetString) DERTaggedObject.fromByteArray(newCrlNumberBytes);
    ASN1Integer oldNumber = (ASN1Integer) DERTaggedObject.fromByteArray(oldOctet.getOctets());
    ASN1Integer newNumber = (ASN1Integer) DERTaggedObject.fromByteArray(newOctet.getOctets());
    assertEquals(oldNumber.getValue().add(BigInteger.ONE), newNumber.getValue());
    ASN1ObjectIdentifier authorityKeyOID = Extension.authorityKeyIdentifier;
    byte[] oldAuthorityKeyId = originalCrl.getExtensionValue(authorityKeyOID.getId());
    byte[] newAuthorityKeyId = changedCrl.getExtensionValue(authorityKeyOID.getId());
    assertArrayEquals(oldAuthorityKeyId, newAuthorityKeyId);
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) X509CRL(java.security.cert.X509CRL) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) BufferedOutputStream(java.io.BufferedOutputStream) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) Date(java.util.Date) DEROctetString(org.bouncycastle.asn1.DEROctetString) X509CRLEntry(java.security.cert.X509CRLEntry) JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter) FileOutputStream(java.io.FileOutputStream) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) File(java.io.File) BufferedOutputStream(java.io.BufferedOutputStream) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 19 with RSAPrivateKey

use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.

the class X509CRLStreamWriterTest method testAddEntryToActualCRL.

@Test
public void testAddEntryToActualCRL() throws Exception {
    ClassLoader classLoader = this.getClass().getClassLoader();
    InputStream crl = classLoader.getResourceAsStream("real-crl.der");
    InputStream keyStream = classLoader.getResourceAsStream("real.key");
    InputStreamReader keyReader = new InputStreamReader(keyStream);
    PEMParser reader = null;
    try {
        reader = new PEMParser(keyReader);
        Object pemObj = reader.readObject();
        if (pemObj == null) {
            crl.close();
            throw new RuntimeException("Reading CA private key failed");
        }
        if (pemObj instanceof PEMKeyPair) {
            keyPair = new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) pemObj);
        } else {
            crl.close();
            throw new RuntimeException("Unexpected CA key object: " + pemObj.getClass().getName());
        }
    } finally {
        if (reader != null) {
            reader.close();
        }
    }
    File outfile = new File(folder.getRoot(), "new.crl");
    X509CRLStreamWriter stream = new X509CRLStreamWriter(crl, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
    // Add enough items to cause the number of length bytes to change
    Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
    for (BigInteger i : newSerials) {
        stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
    }
    // Since we have to walk the stream twice, we need two streams!
    stream.preScan(classLoader.getResourceAsStream("real-crl.der")).lock();
    OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
    stream.write(o);
    o.close();
    X509CRL changedCrl = readCRL();
    Set<BigInteger> discoveredSerials = new HashSet<>();
    for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
        discoveredSerials.add(entry.getSerialNumber());
    }
    assertTrue(discoveredSerials.containsAll(newSerials));
}
Also used : X509CRL(java.security.cert.X509CRL) InputStreamReader(java.io.InputStreamReader) BufferedInputStream(java.io.BufferedInputStream) FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) BufferedOutputStream(java.io.BufferedOutputStream) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) Date(java.util.Date) X509CRLEntry(java.security.cert.X509CRLEntry) PEMParser(org.bouncycastle.openssl.PEMParser) FileOutputStream(java.io.FileOutputStream) BigInteger(java.math.BigInteger) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) File(java.io.File) BufferedOutputStream(java.io.BufferedOutputStream) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 20 with RSAPrivateKey

use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.

the class X509CRLStreamWriterTest method testKeySizeChange.

@Test
public void testKeySizeChange() throws Exception {
    int[] sizes = { 1024, 4096 };
    for (int size : sizes) {
        X509CRLHolder holder = createCRL();
        File crlToChange = writeCRL(holder);
        generator.initialize(size);
        KeyPair differentKeyPair = generator.generateKeyPair();
        X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) differentKeyPair.getPrivate(), (RSAPublicKey) differentKeyPair.getPublic());
        stream.preScan(crlToChange).lock();
        OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
        stream.write(o);
        o.close();
        X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
        X509CRL changedCrl = readCRL(differentKeyPair.getPublic());
        Set<BigInteger> discoveredSerials = new HashSet<>();
        for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
            discoveredSerials.add(entry.getSerialNumber());
        }
        Set<BigInteger> expected = new HashSet<>();
        expected.add(new BigInteger("100"));
        assertEquals(expected, discoveredSerials);
        // Since the key changed, the authorityKeyIdentifier must change
        byte[] oldAkiBytes = originalCrl.getExtensionValue(Extension.authorityKeyIdentifier.getId());
        byte[] newAkiBytes = changedCrl.getExtensionValue(Extension.authorityKeyIdentifier.getId());
        oldAkiBytes = ASN1OctetString.getInstance(oldAkiBytes).getOctets();
        newAkiBytes = ASN1OctetString.getInstance(newAkiBytes).getOctets();
        AuthorityKeyIdentifier oldAki = AuthorityKeyIdentifier.getInstance(oldAkiBytes);
        AuthorityKeyIdentifier newAki = AuthorityKeyIdentifier.getInstance(newAkiBytes);
        AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
        assertEquals(oldAki, identifier);
        AuthorityKeyIdentifier differentIdentifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(differentKeyPair.getPublic());
        assertEquals(newAki, differentIdentifier);
    }
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) KeyPair(java.security.KeyPair) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) X509CRL(java.security.cert.X509CRL) BufferedOutputStream(java.io.BufferedOutputStream) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X509CRLEntry(java.security.cert.X509CRLEntry) JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter) FileOutputStream(java.io.FileOutputStream) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) File(java.io.File) BufferedOutputStream(java.io.BufferedOutputStream) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

BigInteger (java.math.BigInteger)11 PrivateKey (java.security.PrivateKey)10 BufferedOutputStream (java.io.BufferedOutputStream)8 File (java.io.File)8 FileOutputStream (java.io.FileOutputStream)8 OutputStream (java.io.OutputStream)8 X509CRL (java.security.cert.X509CRL)8 DERIA5String (org.bouncycastle.asn1.DERIA5String)8 Test (org.testng.annotations.Test)8 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)7 Test (org.junit.Test)7 PublicKey (java.security.PublicKey)6 X509CRLEntry (java.security.cert.X509CRLEntry)6 Date (java.util.Date)6 HashSet (java.util.HashSet)6 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)5 DERSequence (org.bouncycastle.asn1.DERSequence)5 X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)5 DSAPrivateKey (java.security.interfaces.DSAPrivateKey)4 RSAPrivateKey (java.security.interfaces.RSAPrivateKey)4