use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testIncrementsExtensions.
@Test
public void testIncrementsExtensions() throws Exception {
File crlToChange = writeCRL(createCRL());
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
byte[] val = changedCrl.getExtensionValue(Extension.cRLNumber.getId());
DEROctetString s = (DEROctetString) DERTaggedObject.fromByteArray(val);
ASN1Integer i = (ASN1Integer) DERTaggedObject.fromByteArray(s.getOctets());
assertTrue("CRL Number not incremented", i.getValue().compareTo(BigInteger.ONE) > 0);
}
use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToBigCRL.
@Test
public void testAddEntryToBigCRL() throws Exception {
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
/* With a CRL number of 127, incrementing it should cause the number of bytes in the length
* portion of the TLV to increase by one.*/
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
BigInteger serial = new BigInteger("741696FE9E30AD27", 16);
Set<BigInteger> expected = new HashSet<>();
for (int i = 0; i < 10000; i++) {
serial = serial.add(BigInteger.TEN);
crlBuilder.addCRLEntry(serial, new Date(), CRLReason.privilegeWithdrawn);
expected.add(serial);
}
X509CRLHolder holder = crlBuilder.build(signer);
File crlToChange = writeCRL(holder);
File outfile = new File(folder.getRoot(), "new.crl");
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
// Add enough items to cause the number of length bytes to change
Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
for (BigInteger i : newSerials) {
stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
expected.add(i);
}
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
Set<BigInteger> discoveredSerials = new HashSet<>();
for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
discoveredSerials.add(entry.getSerialNumber());
}
assertEquals(expected, discoveredSerials);
}
use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToEmptyCRL.
@Test
public void testAddEntryToEmptyCRL() throws Exception {
Date oneHourAgo = new Date(new Date().getTime() - 60L * 60L * 1000L);
Date oneHourHence = new Date(new Date().getTime() + 60L * 60L * 1000L);
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, oneHourAgo);
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
/* With a CRL number of 127, incrementing it should cause the number of bytes in the length
* portion of the TLV to increase by one.*/
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
crlBuilder.setNextUpdate(oneHourHence);
X509CRLHolder holder = crlBuilder.build(signer);
File crlToChange = writeCRL(holder);
File outfile = new File(folder.getRoot(), "new.crl");
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
// Add enough items to cause the number of length bytes to change
Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
for (BigInteger i : newSerials) {
stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
}
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
Set<BigInteger> discoveredSerials = new HashSet<>();
for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
discoveredSerials.add(entry.getSerialNumber());
}
X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
assertNotNull(changedCrl.getNextUpdate());
long changedCrlUpdateDelta = changedCrl.getNextUpdate().getTime() - changedCrl.getThisUpdate().getTime();
assertEquals(changedCrlUpdateDelta, oneHourHence.getTime() - oneHourAgo.getTime());
assertThat(changedCrl.getThisUpdate(), OrderingComparison.greaterThan(originalCrl.getThisUpdate()));
assertEquals(newSerials, discoveredSerials);
assertEquals(originalCrl.getIssuerX500Principal(), changedCrl.getIssuerX500Principal());
ASN1ObjectIdentifier crlNumberOID = Extension.cRLNumber;
byte[] oldCrlNumberBytes = originalCrl.getExtensionValue(crlNumberOID.getId());
byte[] newCrlNumberBytes = changedCrl.getExtensionValue(crlNumberOID.getId());
DEROctetString oldOctet = (DEROctetString) DERTaggedObject.fromByteArray(oldCrlNumberBytes);
DEROctetString newOctet = (DEROctetString) DERTaggedObject.fromByteArray(newCrlNumberBytes);
ASN1Integer oldNumber = (ASN1Integer) DERTaggedObject.fromByteArray(oldOctet.getOctets());
ASN1Integer newNumber = (ASN1Integer) DERTaggedObject.fromByteArray(newOctet.getOctets());
assertEquals(oldNumber.getValue().add(BigInteger.ONE), newNumber.getValue());
ASN1ObjectIdentifier authorityKeyOID = Extension.authorityKeyIdentifier;
byte[] oldAuthorityKeyId = originalCrl.getExtensionValue(authorityKeyOID.getId());
byte[] newAuthorityKeyId = changedCrl.getExtensionValue(authorityKeyOID.getId());
assertArrayEquals(oldAuthorityKeyId, newAuthorityKeyId);
}
use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToActualCRL.
@Test
public void testAddEntryToActualCRL() throws Exception {
ClassLoader classLoader = this.getClass().getClassLoader();
InputStream crl = classLoader.getResourceAsStream("real-crl.der");
InputStream keyStream = classLoader.getResourceAsStream("real.key");
InputStreamReader keyReader = new InputStreamReader(keyStream);
PEMParser reader = null;
try {
reader = new PEMParser(keyReader);
Object pemObj = reader.readObject();
if (pemObj == null) {
crl.close();
throw new RuntimeException("Reading CA private key failed");
}
if (pemObj instanceof PEMKeyPair) {
keyPair = new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) pemObj);
} else {
crl.close();
throw new RuntimeException("Unexpected CA key object: " + pemObj.getClass().getName());
}
} finally {
if (reader != null) {
reader.close();
}
}
File outfile = new File(folder.getRoot(), "new.crl");
X509CRLStreamWriter stream = new X509CRLStreamWriter(crl, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
// Add enough items to cause the number of length bytes to change
Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
for (BigInteger i : newSerials) {
stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
}
// Since we have to walk the stream twice, we need two streams!
stream.preScan(classLoader.getResourceAsStream("real-crl.der")).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
Set<BigInteger> discoveredSerials = new HashSet<>();
for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
discoveredSerials.add(entry.getSerialNumber());
}
assertTrue(discoveredSerials.containsAll(newSerials));
}
use of org.bouncycastle.asn1.pkcs.RSAPrivateKey in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testKeySizeChange.
@Test
public void testKeySizeChange() throws Exception {
int[] sizes = { 1024, 4096 };
for (int size : sizes) {
X509CRLHolder holder = createCRL();
File crlToChange = writeCRL(holder);
generator.initialize(size);
KeyPair differentKeyPair = generator.generateKeyPair();
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) differentKeyPair.getPrivate(), (RSAPublicKey) differentKeyPair.getPublic());
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
X509CRL changedCrl = readCRL(differentKeyPair.getPublic());
Set<BigInteger> discoveredSerials = new HashSet<>();
for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
discoveredSerials.add(entry.getSerialNumber());
}
Set<BigInteger> expected = new HashSet<>();
expected.add(new BigInteger("100"));
assertEquals(expected, discoveredSerials);
// Since the key changed, the authorityKeyIdentifier must change
byte[] oldAkiBytes = originalCrl.getExtensionValue(Extension.authorityKeyIdentifier.getId());
byte[] newAkiBytes = changedCrl.getExtensionValue(Extension.authorityKeyIdentifier.getId());
oldAkiBytes = ASN1OctetString.getInstance(oldAkiBytes).getOctets();
newAkiBytes = ASN1OctetString.getInstance(newAkiBytes).getOctets();
AuthorityKeyIdentifier oldAki = AuthorityKeyIdentifier.getInstance(oldAkiBytes);
AuthorityKeyIdentifier newAki = AuthorityKeyIdentifier.getInstance(newAkiBytes);
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
assertEquals(oldAki, identifier);
AuthorityKeyIdentifier differentIdentifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(differentKeyPair.getPublic());
assertEquals(newAki, differentIdentifier);
}
}
Aggregations