
Example 1 with ASN1BitString

use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.

From class ManageCertificatesTestCase, method testGenerateAndSignCertificateSigningRequest.

/**
 * Provides test coverage for the generate-certificate-signing-request and
 * sign-certificate-signing-request subcommands.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
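@Test()
public void testGenerateAndSignCertificateSigningRequest() throws Exception {
    // Every CSR and certificate produced in this test carries the same subject.
    final String subjectDNString = "CN=ldap.example.com,O=Example Corporation,C=US";
    final DN expectedSubjectDN = new DN(subjectDNString);

    // Generate a CSR with a minimal set of arguments.  Neither the keystore nor
    // the output file exists yet, so the tool has to create both of them.
    final File ksFile = createTempFile();
    deleteExistingTempFile(ksFile);
    File csrFile = createTempFile();
    deleteExistingTempFile(csrFile);
    manageCertificates("generate-certificate-signing-request",
         "--output-file", csrFile.getAbsolutePath(),
         "--keystore", ksFile.getAbsolutePath(),
         "--keystore-password", "password",
         "--alias", "server-cert",
         "--subject-dn", subjectDNString,
         "--display-keytool-command");
    assertTrue(ksFile.exists());
    assertTrue(csrFile.exists());
    PKCS10CertificateSigningRequest csr =
         ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), expectedSubjectDN);

    // Sign that CSR with a minimal set of arguments, using the test root CA.
    final File certFile = createTempFile();
    deleteExistingTempFile(certFile);
    manageCertificates("sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--no-prompt",
         "--display-keytool-command");
    assertTrue(certFile.exists());
    List<X509Certificate> certs = ManageCertificates.readCertificatesFromFile(certFile);
    X509Certificate cert = assertExactlyOneCertificate(certs);
    assertEquals(cert.getSubjectDN(), expectedSubjectDN);

    // Generate a CSR to replace the certificate that now exists in the
    // keystore.  No --subject-dn is given, and the subject is expected to match
    // the existing entry.
    deleteExistingTempFile(csrFile);
    manageCertificates("generate-certificate-signing-request",
         "--output-file", csrFile.getAbsolutePath(),
         "--keystore", ksFile.getAbsolutePath(),
         "--keystore-password", "password",
         "--alias", "server-cert",
         "--replace-existing-certificate",
         "--display-keytool-command");
    assertTrue(csrFile.exists());
    csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), expectedSubjectDN);

    // The same again, but requesting DER output rather than the default format.
    deleteExistingTempFile(csrFile);
    manageCertificates("generate-certificate-signing-request",
         "--output-format", "DER",
         "--output-file", csrFile.getAbsolutePath(),
         "--keystore", ksFile.getAbsolutePath(),
         "--keystore-password", "password",
         "--alias", "server-cert",
         "--replace-existing-certificate",
         "--display-keytool-command");
    assertTrue(csrFile.exists());
    csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), expectedSubjectDN);

    // Generate a CSR with the full set of arguments, into a JKS keystore that
    // doesn't exist yet.  Every key usage, extended key usage, and subject
    // alternative name type is requested, along with a CA basic constraint and
    // one arbitrary extension whose value is given in hex.
    deleteExistingTempFile(ksFile);
    deleteExistingTempFile(csrFile);
    manageCertificates("generate-certificate-signing-request",
         "--output-format", "DER",
         "--output-file", csrFile.getAbsolutePath(),
         "--keystore", ksFile.getAbsolutePath(),
         "--keystore-password", "password",
         "--keystore-type", "JKS",
         "--alias", "server-cert",
         "--subject-dn", subjectDNString,
         "--key-algorithm", "RSA",
         "--key-size-bits", "2048",
         "--signature-algorithm", "SHA256withRSA",
         "--subject-alternative-name-dns", "ldap.example.com",
         "--subject-alternative-name-ip-address", "127.0.0.1",
         "--subject-alternative-name-email-address", "test@example.com",
         "--subject-alternative-name-uri", "https://www.example.com/",
         "--subject-alternative-name-oid", "1.2.3.4",
         "--basic-constraints-is-ca", "true",
         "--basic-constraints-maximum-path-length", "5",
         "--key-usage", "digital-signature",
         "--key-usage", "non-repudiation",
         "--key-usage", "key-encipherment",
         "--key-usage", "data-encipherment",
         "--key-usage", "key-agreement",
         "--key-usage", "key-cert-sign",
         "--key-usage", "crl-sign",
         "--key-usage", "encipher-only",
         "--key-usage", "decipher-only",
         "--extended-key-usage", "server-auth",
         "--extended-key-usage", "client-auth",
         "--extended-key-usage", "code-signing",
         "--extended-key-usage", "email-protection",
         "--extended-key-usage", "time-stamping",
         "--extended-key-usage", "ocsp-signing",
         "--extended-key-usage", "1.2.3.5",
         "--extension", "1.2.3.6:false:1234567890",
         "--display-keytool-command");
    assertTrue(csrFile.exists());
    csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
    assertEquals(csr.getSubjectDN(), expectedSubjectDN);
    assertEquals(csr.getPublicKeyAlgorithmName(), "RSA");
    assertEquals(csr.getSignatureAlgorithmName(), "SHA-256 with RSA");

    // Every requested extension must be present in the CSR, plus a subject key
    // identifier that the tool adds on its own.  The instanceof chain is kept
    // in this order so that the generic extension is only matched by OID after
    // all of the typed extensions have been ruled out.
    boolean hasBasicConstraintsExtension = false;
    boolean hasExtendedKeyUsageExtension = false;
    boolean hasGenericExtension = false;
    boolean hasKeyUsageExtension = false;
    boolean hasSubjectAlternativeNameExtension = false;
    boolean hasSubjectKeyIdentifierExtension = false;
    for (final X509CertificateExtension extension : csr.getExtensions()) {
        if (extension instanceof BasicConstraintsExtension) {
            hasBasicConstraintsExtension = true;
            assertRequestedBasicConstraints((BasicConstraintsExtension) extension);
        } else if (extension instanceof ExtendedKeyUsageExtension) {
            hasExtendedKeyUsageExtension = true;
            assertRequestedExtendedKeyUsage((ExtendedKeyUsageExtension) extension);
        } else if (extension instanceof KeyUsageExtension) {
            hasKeyUsageExtension = true;
            assertRequestedKeyUsage((KeyUsageExtension) extension);
        } else if (extension instanceof SubjectAlternativeNameExtension) {
            hasSubjectAlternativeNameExtension = true;
            assertRequestedSubjectAlternativeNames((SubjectAlternativeNameExtension) extension);
        } else if (extension instanceof SubjectKeyIdentifierExtension) {
            hasSubjectKeyIdentifierExtension = true;
        } else if (extension.getOID().equals(new OID("1.2.3.6"))) {
            hasGenericExtension = true;
            assertGenericExtension(extension, false,
                 StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
        }
    }
    assertTrue(hasBasicConstraintsExtension);
    assertTrue(hasExtendedKeyUsageExtension);
    assertTrue(hasGenericExtension);
    assertTrue(hasKeyUsageExtension);
    assertTrue(hasSubjectAlternativeNameExtension);
    assertTrue(hasSubjectKeyIdentifierExtension);

    // Sign the CSR with the full set of arguments.  --include-requested-extensions
    // is what carries the CSR's extensions (including the CA basic constraint
    // and key-cert-sign usage) into the issued certificate, so the checks
    // below are only meaningful with that flag present.  The issuer
    // alternative names and the critical 1.2.3.8 extension are added by the
    // signer rather than copied from the request.
    deleteExistingTempFile(certFile);
    manageCertificates("sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--days-valid", "7300",
         "--validity-start-time", "20170101000000",
         "--include-requested-extensions",
         "--issuer-alternative-name-dns", "issuer.example.com",
         "--issuer-alternative-name-ip-address", "::1",
         "--issuer-alternative-name-email-address", "issuer@example.com",
         "--issuer-alternative-name-uri", "https://issuer.example.com/",
         "--issuer-alternative-name-oid", "1.2.3.7",
         "--extension", "1.2.3.8:true:0987654321",
         "--no-prompt",
         "--display-keytool-command");
    assertTrue(certFile.exists());
    certs = ManageCertificates.readCertificatesFromFile(certFile);
    cert = assertExactlyOneCertificate(certs);
    assertEquals(cert.getSubjectDN(), expectedSubjectDN);
    assertEquals(cert.getPublicKeyAlgorithmName(), "RSA");
    assertEquals(cert.getSignatureAlgorithmName(), "SHA-256 with RSA");

    // The certificate must carry everything the CSR requested, plus the
    // authority key identifier, issuer alternative names, and the new generic
    // extension that were added when signing.
    hasBasicConstraintsExtension = false;
    hasExtendedKeyUsageExtension = false;
    hasKeyUsageExtension = false;
    hasSubjectAlternativeNameExtension = false;
    hasSubjectKeyIdentifierExtension = false;
    boolean hasAuthorityKeyIdentifierExtension = false;
    boolean hasIssuerAlternativeNameExtension = false;
    boolean hasOldGenericExtension = false;
    boolean hasNewGenericExtension = false;
    for (final X509CertificateExtension extension : cert.getExtensions()) {
        if (extension instanceof AuthorityKeyIdentifierExtension) {
            hasAuthorityKeyIdentifierExtension = true;
        } else if (extension instanceof BasicConstraintsExtension) {
            hasBasicConstraintsExtension = true;
            assertRequestedBasicConstraints((BasicConstraintsExtension) extension);
        } else if (extension instanceof ExtendedKeyUsageExtension) {
            hasExtendedKeyUsageExtension = true;
            assertRequestedExtendedKeyUsage((ExtendedKeyUsageExtension) extension);
        } else if (extension instanceof IssuerAlternativeNameExtension) {
            hasIssuerAlternativeNameExtension = true;
            final IssuerAlternativeNameExtension e = (IssuerAlternativeNameExtension) extension;
            assertEquals(e.getDNSNames(), Collections.singletonList("issuer.example.com"));
            assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("::1")));
            assertEquals(e.getRFC822Names(), Collections.singletonList("issuer@example.com"));
            assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://issuer.example.com/"));
            assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.7")));
        } else if (extension instanceof KeyUsageExtension) {
            hasKeyUsageExtension = true;
            assertRequestedKeyUsage((KeyUsageExtension) extension);
        } else if (extension instanceof SubjectAlternativeNameExtension) {
            hasSubjectAlternativeNameExtension = true;
            assertRequestedSubjectAlternativeNames((SubjectAlternativeNameExtension) extension);
        } else if (extension instanceof SubjectKeyIdentifierExtension) {
            hasSubjectKeyIdentifierExtension = true;
        } else if (extension.getOID().equals(new OID("1.2.3.6"))) {
            hasOldGenericExtension = true;
            assertGenericExtension(extension, false,
                 StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
        } else if (extension.getOID().equals(new OID("1.2.3.8"))) {
            hasNewGenericExtension = true;
            assertGenericExtension(extension, true,
                 StaticUtils.byteArray(0x09, 0x87, 0x65, 0x43, 0x21));
        }
    }
    assertTrue(hasAuthorityKeyIdentifierExtension);
    assertTrue(hasBasicConstraintsExtension);
    assertTrue(hasExtendedKeyUsageExtension);
    assertTrue(hasIssuerAlternativeNameExtension);
    assertTrue(hasKeyUsageExtension);
    assertTrue(hasNewGenericExtension);
    assertTrue(hasOldGenericExtension);
    assertTrue(hasSubjectAlternativeNameExtension);
    assertTrue(hasSubjectKeyIdentifierExtension);

    // Exercise the confirmation prompt that is shown without --no-prompt:
    // first reject the request, then supply input that is neither yes nor no,
    // and finally approve it.  Only the approval may produce a certificate.
    deleteExistingTempFile(certFile);
    manageCertificates(ResultCode.USER_CANCELED, "no\n",
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--display-keytool-command");
    assertFalse(certFile.exists());
    manageCertificates(ResultCode.LOCAL_ERROR, "invalid input\n",
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--display-keytool-command");
    assertFalse(certFile.exists());
    manageCertificates(ResultCode.SUCCESS, "yes\n",
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--display-keytool-command");
    assertTrue(certFile.exists());

    // Sign with no --certificate-output-file, so the PEM certificate goes to
    // standard output.  The existing file must be left alone.
    manageCertificates(ResultCode.SUCCESS, null,
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--output-format", "PEM",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--no-prompt",
         "--display-keytool-command");
    assertTrue(certFile.exists());

    // The same with DER output is rejected: binary DER cannot be written to
    // standard output.
    manageCertificates(ResultCode.PARAM_ERROR, null,
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--no-prompt",
         "--display-keytool-command");
    assertTrue(certFile.exists());

    // Signing fails when the keystore has no entry with the signing alias.
    manageCertificates(ResultCode.PARAM_ERROR, null,
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", emptyKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--no-prompt",
         "--display-keytool-command");

    // Signing also fails when the alias refers to a trusted certificate entry
    // rather than a key entry, since there is no private key to sign with.
    manageCertificates(ResultCode.PARAM_ERROR, null,
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", serverTrustStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", serverCertificateAlias,
         "--no-prompt",
         "--display-keytool-command");

    // A file with PEM armor around content that isn't a CSR is rejected.
    csrFile = createTempFile(
         "-----BEGIN NEW CERTIFICATE REQUEST-----",
         "This isn't a valid CSR.",
         "-----END NEW CERTIFICATE REQUEST-----");
    manageCertificates(ResultCode.PARAM_ERROR, null,
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--no-prompt",
         "--display-keytool-command");

    // A well-formed CSR whose signature cannot verify must also be rejected
    // rather than signed.  An 8-bit all-ones bit string stands in for both the
    // public key and the signature, so proof of possession of the key fails.
    csr = new PKCS10CertificateSigningRequest(
         PKCS10CertificateSigningRequestVersion.V1,
         SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), null,
         new ASN1BitString(true, true, true, true, true, true, true, true),
         new DN(subjectDNString),
         PublicKeyAlgorithmIdentifier.RSA.getOID(), null,
         new ASN1BitString(true, true, true, true, true, true, true, true),
         null, null);
    csrFile = createTempFile(csr.toPEMString());
    manageCertificates(ResultCode.PARAM_ERROR, null,
         "sign-certificate-signing-request",
         "--request-input-file", csrFile.getAbsolutePath(),
         "--certificate-output-file", certFile.getAbsolutePath(),
         "--output-format", "DER",
         "--keystore", rootCAKeyStorePath,
         "--keystore-password", "password",
         "--signing-certificate-alias", rootCACertificateAlias,
         "--no-prompt",
         "--display-keytool-command");

    // Generating a CSR with no --output-file writes it to standard output.
    manageCertificates("generate-certificate-signing-request",
         "--keystore", ksFile.getAbsolutePath(),
         "--keystore-password", "password",
         "--alias", "server-cert",
         "--replace-existing-certificate",
         "--display-keytool-command");
}

/**
 * Deletes a temporary file that {@code createTempFile()} created and verifies
 * that it is gone, so that a later tool invocation can be checked to have
 * created it afresh.
 *
 * @param  f  The file to delete.
 */
private void deleteExistingTempFile(final File f) {
    assertTrue(f.exists());
    assertTrue(f.delete());
    assertFalse(f.exists());
}

/**
 * Verifies that a list of certificates read from a file holds exactly one
 * certificate, and returns it.
 *
 * @param  certs  The certificates read from the file.
 *
 * @return  The single certificate in the list.
 */
private X509Certificate assertExactlyOneCertificate(final List<X509Certificate> certs) {
    assertFalse(certs.isEmpty());
    assertEquals(certs.size(), 1);
    return certs.get(0);
}

/**
 * Verifies that a basic constraints extension matches what was requested with
 * {@code --basic-constraints-is-ca true} and
 * {@code --basic-constraints-maximum-path-length 5}.
 *
 * @param  e  The extension to examine.
 */
private void assertRequestedBasicConstraints(final BasicConstraintsExtension e) {
    assertTrue(e.isCA());
    assertNotNull(e.getPathLengthConstraint());
    assertEquals(e.getPathLengthConstraint().intValue(), 5);
}

/**
 * Verifies that an extended key usage extension contains the six well-known
 * key purposes and the arbitrary OID given on the command line.  Only
 * membership is checked, not order.
 *
 * @param  e  The extension to examine.
 */
private void assertRequestedExtendedKeyUsage(final ExtendedKeyUsageExtension e) {
    assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
    assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
    assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
    assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
    assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
    assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
    assertTrue(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
}

/**
 * Verifies that a key usage extension has all nine key usage bits set, as
 * requested with the nine {@code --key-usage} arguments.
 *
 * @param  e  The extension to examine.
 */
private void assertRequestedKeyUsage(final KeyUsageExtension e) {
    assertTrue(e.isDigitalSignatureBitSet());
    assertTrue(e.isNonRepudiationBitSet());
    assertTrue(e.isKeyEnciphermentBitSet());
    assertTrue(e.isDataEnciphermentBitSet());
    assertTrue(e.isKeyAgreementBitSet());
    assertTrue(e.isKeyCertSignBitSet());
    assertTrue(e.isCRLSignBitSet());
    assertTrue(e.isEncipherOnlyBitSet());
    assertTrue(e.isDecipherOnlyBitSet());
}

/**
 * Verifies that a subject alternative name extension holds exactly the one
 * name of each type given with the {@code --subject-alternative-name-*}
 * arguments.
 *
 * @param  e  The extension to examine.
 *
 * @throws  Exception  If the literal IP address cannot be parsed.
 */
private void assertRequestedSubjectAlternativeNames(final SubjectAlternativeNameExtension e)
        throws Exception {
    assertEquals(e.getDNSNames(), Collections.singletonList("ldap.example.com"));
    assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("127.0.0.1")));
    assertEquals(e.getRFC822Names(), Collections.singletonList("test@example.com"));
    assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www.example.com/"));
    assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.4")));
}

/**
 * Verifies the criticality and raw value of an extension that was requested
 * with an {@code --extension OID:critical:hexValue} argument.  The hex string
 * after the second colon is expected to have been decoded into the extension
 * value bytes.
 *
 * @param  extension         The extension to examine.
 * @param  expectedCritical  Whether the extension is expected to be critical.
 * @param  expectedValue     The expected decoded value.
 */
private void assertGenericExtension(final X509CertificateExtension extension,
                                    final boolean expectedCritical,
                                    final byte[] expectedValue) {
    assertEquals(extension.isCritical(), expectedCritical);
    assertNotNull(extension.getValue());
    assertEquals(extension.getValue(), expectedValue);
}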
Also used : DN(com.unboundid.ldap.sdk.DN) RDN(com.unboundid.ldap.sdk.RDN) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) File(java.io.File) Test(org.testng.annotations.Test)

Example 2 with ASN1BitString

use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.

From class X509CertificateTestCase, method testEncodeCertificateWithInvalidOID.

/**
 * Tests the behavior when trying to encode a certificate that includes a
 * malformed OID.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testEncodeCertificateWithInvalidOID() throws Exception {
    // A one-year validity window starting now.
    final long oneYearMillis = 365L * 24L * 60L * 60L * 1000L;
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + oneYearMillis;

    // "1234.5678" parses as an OID string but cannot be encoded: the first arc
    // of an object identifier must be 0, 1 or 2.  Locals are named by their
    // position in the X509Certificate constructor; confirm against its
    // parameter list if that constructor changes.
    final X509CertificateVersion version = X509CertificateVersion.V1;
    final BigInteger serialNumber = BigInteger.valueOf(123456789L);
    final OID malformedOID = new OID("1234.5678");
    final ASN1Null firstParameters = new ASN1Null();
    final ASN1BitString firstBitString = new ASN1BitString(new boolean[1235]);
    final DN issuerDN = new DN("CN=Issuer,O=Example Corp,C=US");
    final DN subjectDN = new DN("CN=ldap.example.com,O=Example Corp,C=US");
    final OID wellFormedOID = new OID("1.2.3.5");
    final ASN1Null secondParameters = new ASN1Null();
    final ASN1BitString secondBitString = new ASN1BitString(new boolean[123]);

    final X509Certificate c = new X509Certificate(version, serialNumber,
         malformedOID, firstParameters, firstBitString, issuerDN,
         notBefore, notAfter, subjectDN, wellFormedOID, secondParameters,
         secondBitString, null, null, null);

    // Encoding must fail with CertException; TestNG fails the test if any
    // other exception type escapes, so a malformed OID may not surface as,
    // say, a NumberFormatException.
    c.encode();
}
Also used : DN(com.unboundid.ldap.sdk.DN) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 3 with ASN1BitString

use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.

From class X509CertificateTestCase, method testDecodeValidityMalformedNotBefore.

/**
 * Tests the behavior when trying to decode a certificate with a validity
 * sequence whose first element is neither a UTCTime nor a GeneralizedTime.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeValidityMalformedNotBefore() throws Exception {
    // A one-year validity window starting now; only notAfter is used as a
    // proper time in this test.
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

    // Build the TBSCertificate field by field.  Everything is well-formed
    // except the validity sequence, whose first element is an OCTET STRING
    // instead of a UTCTime or GeneralizedTime.
    final ASN1Element version =
         new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode());   // [0] EXPLICIT, v3
    final ASN1BigInteger serialNumber = new ASN1BigInteger(12435L);
    final ASN1Sequence signatureAlgorithm =
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());
    final ASN1Element issuer = X509Certificate.encodeName(new DN("CN=issuer"));
    final ASN1Sequence malformedValidity =
         new ASN1Sequence(new ASN1OctetString("malformed notBefore"), new ASN1UTCTime(notAfter));
    final ASN1Element subject = X509Certificate.encodeName(new DN("CN=ldap.example.com"));
    final ASN1Sequence subjectPublicKeyInfo = new ASN1Sequence(
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()),
         new ASN1BitString(new boolean[1024]));
    final ASN1Sequence tbsCertificate = new ASN1Sequence(version, serialNumber,
         signatureAlgorithm, issuer, malformedValidity, subject, subjectPublicKeyInfo);

    // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    // The all-zero bit strings are placeholders; presumably decoding stops at
    // the validity field before they would matter.
    final ASN1Sequence outerSignatureAlgorithm =
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());
    final ASN1BitString signature = new ASN1BitString(new boolean[1024]);
    final ASN1Sequence certificate =
         new ASN1Sequence(tbsCertificate, outerSignatureAlgorithm, signature);

    // Decoding must fail with CertException; TestNG fails the test if a
    // different exception type escapes from the parser instead.
    new X509Certificate(certificate.encode());
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) ASN1UTCTime(com.unboundid.asn1.ASN1UTCTime) ASN1BigInteger(com.unboundid.asn1.ASN1BigInteger) DN(com.unboundid.ldap.sdk.DN) ASN1Integer(com.unboundid.asn1.ASN1Integer) OID(com.unboundid.util.OID) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 4 with ASN1BitString

use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.

From class X509CertificateTestCase, method testDecodeSerialNumberNotInteger.

/**
 * Tests the behavior when trying to decode a certificate with a serial number
 * that cannot be parsed as an integer.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeSerialNumberNotInteger() throws Exception {
    // A one-year validity window starting now.
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

    // Build the TBSCertificate field by field.  Everything is well-formed
    // except the serial number, which is an empty OCTET STRING where an
    // INTEGER is required.
    final ASN1Element version =
         new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode());   // [0] EXPLICIT, v3
    final ASN1OctetString malformedSerialNumber = new ASN1OctetString();
    final ASN1Sequence signatureAlgorithm =
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());
    final ASN1Element issuer = X509Certificate.encodeName(new DN("CN=issuer"));
    final ASN1Sequence validity =
         new ASN1Sequence(new ASN1UTCTime(notBefore), new ASN1UTCTime(notAfter));
    final ASN1Element subject = X509Certificate.encodeName(new DN("CN=ldap.example.com"));
    final ASN1Sequence subjectPublicKeyInfo = new ASN1Sequence(
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()),
         new ASN1BitString(new boolean[1024]));
    final ASN1Sequence tbsCertificate = new ASN1Sequence(version, malformedSerialNumber,
         signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo);

    // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    // The all-zero bit strings are placeholders; presumably decoding stops at
    // the serial number before they would matter.
    final ASN1Sequence outerSignatureAlgorithm =
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());
    final ASN1BitString signature = new ASN1BitString(new boolean[1024]);
    final ASN1Sequence certificate =
         new ASN1Sequence(tbsCertificate, outerSignatureAlgorithm, signature);

    // Decoding must fail with CertException; TestNG fails the test if a
    // different exception type escapes from the parser instead.
    new X509Certificate(certificate.encode());
}
Also used : ASN1OctetString(com.unboundid.asn1.ASN1OctetString) ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1UTCTime(com.unboundid.asn1.ASN1UTCTime) DN(com.unboundid.ldap.sdk.DN) ASN1Integer(com.unboundid.asn1.ASN1Integer) OID(com.unboundid.util.OID) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)

Example 5 with ASN1BitString

use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.

From class X509CertificateTestCase, method testDecodeVersionOutOfRange.

/**
 * Tests the behavior when trying to decode a certificate with a version that
 * is out of the range of allowed values.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test(expectedExceptions = { CertException.class })
public void testDecodeVersionOutOfRange() throws Exception {
    // A one-year validity window starting now.
    final long notBefore = System.currentTimeMillis();
    final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);

    // Build the TBSCertificate field by field.  Everything is well-formed
    // except the version, which is the integer 999 wrapped in the [0]
    // EXPLICIT tag; X.509 versions are 0, 1 or 2 (v1 through v3).
    final ASN1Element outOfRangeVersion =
         new ASN1Element((byte) 0xA0, new ASN1Integer(999).encode());
    final ASN1BigInteger serialNumber = new ASN1BigInteger(12435L);
    final ASN1Sequence signatureAlgorithm =
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());
    final ASN1Element issuer = X509Certificate.encodeName(new DN("CN=issuer"));
    final ASN1Sequence validity =
         new ASN1Sequence(new ASN1UTCTime(notBefore), new ASN1UTCTime(notAfter));
    final ASN1Element subject = X509Certificate.encodeName(new DN("CN=ldap.example.com"));
    final ASN1Sequence subjectPublicKeyInfo = new ASN1Sequence(
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()),
         new ASN1BitString(new boolean[1024]));
    final ASN1Sequence tbsCertificate = new ASN1Sequence(outOfRangeVersion, serialNumber,
         signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo);

    // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    // The all-zero bit strings are placeholders; presumably decoding stops at
    // the version before they would matter.
    final ASN1Sequence outerSignatureAlgorithm =
         new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null());
    final ASN1BitString signature = new ASN1BitString(new boolean[1024]);
    final ASN1Sequence certificate =
         new ASN1Sequence(tbsCertificate, outerSignatureAlgorithm, signature);

    // Decoding must fail with CertException; TestNG fails the test if a
    // different exception type escapes from the parser instead.
    new X509Certificate(certificate.encode());
}
Also used : ASN1Sequence(com.unboundid.asn1.ASN1Sequence) ASN1Element(com.unboundid.asn1.ASN1Element) ASN1UTCTime(com.unboundid.asn1.ASN1UTCTime) ASN1BigInteger(com.unboundid.asn1.ASN1BigInteger) DN(com.unboundid.ldap.sdk.DN) ASN1Integer(com.unboundid.asn1.ASN1Integer) OID(com.unboundid.util.OID) ASN1ObjectIdentifier(com.unboundid.asn1.ASN1ObjectIdentifier) ASN1BitString(com.unboundid.asn1.ASN1BitString) ASN1Null(com.unboundid.asn1.ASN1Null) Test(org.testng.annotations.Test)
