use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class ManageCertificatesTestCase method testGenerateAndSignCertificateSigningRequest.
/**
* Provides test coverage for the generate-certificate-signing-request and
* sign-certificate-signing-request subcommands.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testGenerateAndSignCertificateSigningRequest() throws Exception {
// Tests with a minimal set of arguments for generating a certificate
// signing request for a certificate that doesn't exist.
File ksFile = createTempFile();
assertTrue(ksFile.exists());
assertTrue(ksFile.delete());
assertFalse(ksFile.exists());
File csrFile = createTempFile();
assertTrue(csrFile.exists());
assertTrue(csrFile.delete());
assertFalse(csrFile.exists());
manageCertificates("generate-certificate-signing-request", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--display-keytool-command");
assertTrue(ksFile.exists());
assertTrue(csrFile.exists());
PKCS10CertificateSigningRequest csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
File certFile = createTempFile();
assertTrue(certFile.exists());
assertTrue(certFile.delete());
assertFalse(certFile.exists());
manageCertificates("sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
assertTrue(certFile.exists());
List<X509Certificate> certs = ManageCertificates.readCertificatesFromFile(certFile);
assertFalse(certs.isEmpty());
assertEquals(certs.size(), 1);
assertEquals(certs.get(0).getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
// Tests with a minimal set of arguments for generating a certificate
// signing request to replace an existing certificate.
assertTrue(csrFile.exists());
assertTrue(csrFile.delete());
assertFalse(csrFile.exists());
manageCertificates("generate-certificate-signing-request", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--display-keytool-command");
assertTrue(csrFile.exists());
csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
// Do the same but using the DER output format.
assertTrue(csrFile.exists());
assertTrue(csrFile.delete());
assertFalse(csrFile.exists());
manageCertificates("generate-certificate-signing-request", "--output-format", "DER", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--display-keytool-command");
assertTrue(csrFile.exists());
csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
// Tests with a full set of arguments for a new certificate using a JKS
// keystore that doesn't already exist.
assertTrue(ksFile.exists());
assertTrue(ksFile.delete());
assertFalse(ksFile.exists());
assertTrue(csrFile.exists());
assertTrue(csrFile.delete());
assertFalse(csrFile.exists());
manageCertificates("generate-certificate-signing-request", "--output-format", "DER", "--output-file", csrFile.getAbsolutePath(), "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--keystore-type", "JKS", "--alias", "server-cert", "--subject-dn", "CN=ldap.example.com,O=Example Corporation,C=US", "--key-algorithm", "RSA", "--key-size-bits", "2048", "--signature-algorithm", "SHA256withRSA", "--subject-alternative-name-dns", "ldap.example.com", "--subject-alternative-name-ip-address", "127.0.0.1", "--subject-alternative-name-email-address", "test@example.com", "--subject-alternative-name-uri", "https://www.example.com/", "--subject-alternative-name-oid", "1.2.3.4", "--basic-constraints-is-ca", "true", "--basic-constraints-maximum-path-length", "5", "--key-usage", "digital-signature", "--key-usage", "non-repudiation", "--key-usage", "key-encipherment", "--key-usage", "data-encipherment", "--key-usage", "key-agreement", "--key-usage", "key-cert-sign", "--key-usage", "crl-sign", "--key-usage", "encipher-only", "--key-usage", "decipher-only", "--extended-key-usage", "server-auth", "--extended-key-usage", "client-auth", "--extended-key-usage", "code-signing", "--extended-key-usage", "email-protection", "--extended-key-usage", "time-stamping", "--extended-key-usage", "ocsp-signing", "--extended-key-usage", "1.2.3.5", "--extension", "1.2.3.6:false:1234567890", "--display-keytool-command");
assertTrue(csrFile.exists());
csr = ManageCertificates.readCertificateSigningRequestFromFile(csrFile);
assertEquals(csr.getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
assertEquals(csr.getPublicKeyAlgorithmName(), "RSA");
assertEquals(csr.getSignatureAlgorithmName(), "SHA-256 with RSA");
boolean hasBasicConstraintsExtension = false;
boolean hasExtendedKeyUsageConstraintsExtension = false;
boolean hasGenericExtension = false;
boolean hasKeyUsageExtension = false;
boolean hasSubjectAlternativeNameExtension = false;
boolean hasSubjectKeyIdentifierExtension = false;
for (final X509CertificateExtension extension : csr.getExtensions()) {
if (extension instanceof BasicConstraintsExtension) {
hasBasicConstraintsExtension = true;
final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
assertTrue(e.isCA());
assertNotNull(e.getPathLengthConstraint());
assertEquals(e.getPathLengthConstraint().intValue(), 5);
} else if (extension instanceof ExtendedKeyUsageExtension) {
hasExtendedKeyUsageConstraintsExtension = true;
final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
} else if (extension instanceof KeyUsageExtension) {
hasKeyUsageExtension = true;
final KeyUsageExtension e = (KeyUsageExtension) extension;
assertTrue(e.isDigitalSignatureBitSet());
assertTrue(e.isNonRepudiationBitSet());
assertTrue(e.isKeyEnciphermentBitSet());
assertTrue(e.isDataEnciphermentBitSet());
assertTrue(e.isKeyAgreementBitSet());
assertTrue(e.isKeyCertSignBitSet());
assertTrue(e.isCRLSignBitSet());
assertTrue(e.isEncipherOnlyBitSet());
assertTrue(e.isDecipherOnlyBitSet());
} else if (extension instanceof SubjectAlternativeNameExtension) {
hasSubjectAlternativeNameExtension = true;
final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
assertEquals(e.getDNSNames(), Collections.singletonList("ldap.example.com"));
assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("127.0.0.1")));
assertEquals(e.getRFC822Names(), Collections.singletonList("test@example.com"));
assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www.example.com/"));
assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.4")));
} else if (extension instanceof SubjectKeyIdentifierExtension) {
hasSubjectKeyIdentifierExtension = true;
} else if (extension.getOID().equals(new OID("1.2.3.6"))) {
hasGenericExtension = true;
assertFalse(extension.isCritical());
assertNotNull(extension.getValue());
assertEquals(extension.getValue(), StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
}
}
assertTrue(hasBasicConstraintsExtension);
assertTrue(hasExtendedKeyUsageConstraintsExtension);
assertTrue(hasGenericExtension);
assertTrue(hasKeyUsageExtension);
assertTrue(hasSubjectAlternativeNameExtension);
assertTrue(hasSubjectKeyIdentifierExtension);
// Sign the CSR with a full set of arguments.
assertTrue(certFile.exists());
assertTrue(certFile.delete());
assertFalse(certFile.exists());
manageCertificates("sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--days-valid", "7300", "--validity-start-time", "20170101000000", "--include-requested-extensions", "--issuer-alternative-name-dns", "issuer.example.com", "--issuer-alternative-name-ip-address", "::1", "--issuer-alternative-name-email-address", "issuer@example.com", "--issuer-alternative-name-uri", "https://issuer.example.com/", "--issuer-alternative-name-oid", "1.2.3.7", "--extension", "1.2.3.8:true:0987654321", "--no-prompt", "--display-keytool-command");
assertTrue(certFile.exists());
certs = ManageCertificates.readCertificatesFromFile(certFile);
assertFalse(certs.isEmpty());
assertEquals(certs.size(), 1);
assertEquals(certs.get(0).getSubjectDN(), new DN("CN=ldap.example.com,O=Example Corporation,C=US"));
assertEquals(certs.get(0).getPublicKeyAlgorithmName(), "RSA");
assertEquals(certs.get(0).getSignatureAlgorithmName(), "SHA-256 with RSA");
hasBasicConstraintsExtension = false;
hasExtendedKeyUsageConstraintsExtension = false;
hasKeyUsageExtension = false;
hasSubjectAlternativeNameExtension = false;
hasSubjectKeyIdentifierExtension = false;
boolean hasAuthorityKeyIdentifierExtension = false;
boolean hasIssuerAlternativeNameExtension = false;
boolean hasOldGenericExtension = false;
boolean hasNewGenericExtension = false;
for (final X509CertificateExtension extension : certs.get(0).getExtensions()) {
if (extension instanceof AuthorityKeyIdentifierExtension) {
hasAuthorityKeyIdentifierExtension = true;
} else if (extension instanceof BasicConstraintsExtension) {
hasBasicConstraintsExtension = true;
final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
assertTrue(e.isCA());
assertNotNull(e.getPathLengthConstraint());
assertEquals(e.getPathLengthConstraint().intValue(), 5);
} else if (extension instanceof ExtendedKeyUsageExtension) {
hasExtendedKeyUsageConstraintsExtension = true;
final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.CODE_SIGNING.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TIME_STAMPING.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.OCSP_SIGNING.getOID()));
assertTrue(e.getKeyPurposeIDs().contains(new OID("1.2.3.5")));
} else if (extension instanceof IssuerAlternativeNameExtension) {
hasIssuerAlternativeNameExtension = true;
final IssuerAlternativeNameExtension e = (IssuerAlternativeNameExtension) extension;
assertEquals(e.getDNSNames(), Collections.singletonList("issuer.example.com"));
assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("::1")));
assertEquals(e.getRFC822Names(), Collections.singletonList("issuer@example.com"));
assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://issuer.example.com/"));
assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.7")));
} else if (extension instanceof KeyUsageExtension) {
hasKeyUsageExtension = true;
final KeyUsageExtension e = (KeyUsageExtension) extension;
assertTrue(e.isDigitalSignatureBitSet());
assertTrue(e.isNonRepudiationBitSet());
assertTrue(e.isKeyEnciphermentBitSet());
assertTrue(e.isDataEnciphermentBitSet());
assertTrue(e.isKeyAgreementBitSet());
assertTrue(e.isKeyCertSignBitSet());
assertTrue(e.isCRLSignBitSet());
assertTrue(e.isEncipherOnlyBitSet());
assertTrue(e.isDecipherOnlyBitSet());
} else if (extension instanceof SubjectAlternativeNameExtension) {
hasSubjectAlternativeNameExtension = true;
final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
assertEquals(e.getDNSNames(), Collections.singletonList("ldap.example.com"));
assertEquals(e.getIPAddresses(), Collections.singletonList(InetAddress.getByName("127.0.0.1")));
assertEquals(e.getRFC822Names(), Collections.singletonList("test@example.com"));
assertEquals(e.getUniformResourceIdentifiers(), Collections.singletonList("https://www.example.com/"));
assertEquals(e.getRegisteredIDs(), Collections.singletonList(new OID("1.2.3.4")));
} else if (extension instanceof SubjectKeyIdentifierExtension) {
hasSubjectKeyIdentifierExtension = true;
} else if (extension.getOID().equals(new OID("1.2.3.6"))) {
hasOldGenericExtension = true;
assertFalse(extension.isCritical());
assertNotNull(extension.getValue());
assertEquals(extension.getValue(), StaticUtils.byteArray(0x12, 0x34, 0x56, 0x78, 0x90));
} else if (extension.getOID().equals(new OID("1.2.3.8"))) {
hasNewGenericExtension = true;
assertTrue(extension.isCritical());
assertNotNull(extension.getValue());
assertEquals(extension.getValue(), StaticUtils.byteArray(0x09, 0x87, 0x65, 0x43, 0x21));
}
}
assertTrue(hasAuthorityKeyIdentifierExtension);
assertTrue(hasBasicConstraintsExtension);
assertTrue(hasExtendedKeyUsageConstraintsExtension);
assertTrue(hasIssuerAlternativeNameExtension);
assertTrue(hasKeyUsageExtension);
assertTrue(hasNewGenericExtension);
assertTrue(hasOldGenericExtension);
assertTrue(hasSubjectAlternativeNameExtension);
assertTrue(hasSubjectKeyIdentifierExtension);
// Tests the behavior when prompting about whether to sign a certificate
// signing request. First, reject the request. Next, fail with invalid
// input. Finally, approve the request.
assertTrue(certFile.exists());
assertTrue(certFile.delete());
assertFalse(certFile.exists());
manageCertificates(ResultCode.USER_CANCELED, "no\n", "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--display-keytool-command");
assertFalse(certFile.exists());
manageCertificates(ResultCode.LOCAL_ERROR, "invalid input\n", "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--display-keytool-command");
assertFalse(certFile.exists());
manageCertificates(ResultCode.SUCCESS, "yes\n", "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--display-keytool-command");
assertTrue(certFile.exists());
// Tests the behavior when trying to sign a certificate signing request with
// the signed certificate being written to standard output instead of to a
// file.
manageCertificates(ResultCode.SUCCESS, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--output-format", "PEM", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
assertTrue(certFile.exists());
// Tests the behavior when trying to sign a certificate signing request with
// the signed certificate being written to standard output instead of to a
// file and using the DER output format.
manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
assertTrue(certFile.exists());
// Tests the behavior when trying to sign a certificate signing request with
// a keystore that doesn't have an entry with the specified alias.
manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", emptyKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
// Tests the behavior when trying to sign a certificate signing request with
// a keystore for which the specified alias is a certificate entry rather
// than a key entry.
manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", serverTrustStorePath, "--keystore-password", "password", "--signing-certificate-alias", serverCertificateAlias, "--no-prompt", "--display-keytool-command");
// Tests the behavior when trying to sign a malformed certificate signing
// request.
csrFile = createTempFile("-----BEGIN NEW CERTIFICATE REQUEST-----", "This isn't a valid CSR.", "-----END NEW CERTIFICATE REQUEST-----");
manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
// Tests the behavior when trying to sign a certificate signing request with
// an invalid signature.
csr = new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, SignatureAlgorithmIdentifier.SHA_256_WITH_RSA.getOID(), null, new ASN1BitString(true, true, true, true, true, true, true, true), new DN("CN=ldap.example.com,O=Example Corporation,C=US"), PublicKeyAlgorithmIdentifier.RSA.getOID(), null, new ASN1BitString(true, true, true, true, true, true, true, true), null, null);
csrFile = createTempFile(csr.toPEMString());
manageCertificates(ResultCode.PARAM_ERROR, null, "sign-certificate-signing-request", "--request-input-file", csrFile.getAbsolutePath(), "--certificate-output-file", certFile.getAbsolutePath(), "--output-format", "DER", "--keystore", rootCAKeyStorePath, "--keystore-password", "password", "--signing-certificate-alias", rootCACertificateAlias, "--no-prompt", "--display-keytool-command");
// Tests the behavior when writing a certificate signing request to standard
// output.
manageCertificates("generate-certificate-signing-request", "--keystore", ksFile.getAbsolutePath(), "--keystore-password", "password", "--alias", "server-cert", "--replace-existing-certificate", "--display-keytool-command");
}
use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testEncodeCertificateWithInvalidOID.
/**
* Tests the behavior when trying to encode a certificate that includes a
* malformed OID.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testEncodeCertificateWithInvalidOID() throws Exception {
final long notBefore = System.currentTimeMillis();
final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
final X509Certificate c = new X509Certificate(X509CertificateVersion.V1, BigInteger.valueOf(123456789L), new OID("1234.5678"), new ASN1Null(), new ASN1BitString(new boolean[1235]), new DN("CN=Issuer,O=Example Corp,C=US"), notBefore, notAfter, new DN("CN=ldap.example.com,O=Example Corp,C=US"), new OID("1.2.3.5"), new ASN1Null(), new ASN1BitString(new boolean[123]), null, null, null);
c.encode();
}
use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testDecodeValidityMalformedNotBefore.
/**
* Tests the behavior when trying to decode a certificate with a validity
* sequence whose first element is neither a UTCTime nor a GeneralizedTime.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testDecodeValidityMalformedNotBefore() throws Exception {
final long notBefore = System.currentTimeMillis();
final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
final ASN1Sequence valueSequence = new ASN1Sequence(new ASN1Sequence(new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()), new ASN1BigInteger(12435L), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), X509Certificate.encodeName(new DN("CN=issuer")), new ASN1Sequence(new ASN1OctetString("malformed notBefore"), new ASN1UTCTime(notAfter)), X509Certificate.encodeName(new DN("CN=ldap.example.com")), new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024]))), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), new ASN1BitString(new boolean[1024]));
new X509Certificate(valueSequence.encode());
}
use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testDecodeSerialNumberNotInteger.
/**
* Tests the behavior when trying to decode a certificate with a serial number
* that cannot be parsed as an integer.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testDecodeSerialNumberNotInteger() throws Exception {
final long notBefore = System.currentTimeMillis();
final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
final ASN1Sequence valueSequence = new ASN1Sequence(new ASN1Sequence(new ASN1Element((byte) 0xA0, new ASN1Integer(2).encode()), new ASN1OctetString(), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), X509Certificate.encodeName(new DN("CN=issuer")), new ASN1Sequence(new ASN1UTCTime(notBefore), new ASN1UTCTime(notAfter)), X509Certificate.encodeName(new DN("CN=ldap.example.com")), new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024]))), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), new ASN1BitString(new boolean[1024]));
new X509Certificate(valueSequence.encode());
}
use of org.webpki.asn1.ASN1BitString in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testDecodeVersionOutOfRange.
/**
* Tests the behavior when trying to decode a certificate with a version that
* is out of the range of allowed values.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testDecodeVersionOutOfRange() throws Exception {
final long notBefore = System.currentTimeMillis();
final long notAfter = notBefore + (365L * 24L * 60L * 60L * 1000L);
final ASN1Sequence valueSequence = new ASN1Sequence(new ASN1Sequence(new ASN1Element((byte) 0xA0, new ASN1Integer(999).encode()), new ASN1BigInteger(12435L), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), X509Certificate.encodeName(new DN("CN=issuer")), new ASN1Sequence(new ASN1UTCTime(notBefore), new ASN1UTCTime(notAfter)), X509Certificate.encodeName(new DN("CN=ldap.example.com")), new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.5")), new ASN1Null()), new ASN1BitString(new boolean[1024]))), new ASN1Sequence(new ASN1ObjectIdentifier(new OID("1.2.3.4")), new ASN1Null()), new ASN1BitString(new boolean[1024]));
new X509Certificate(valueSequence.encode());
}
Aggregations