List of usage examples for org.bouncycastle.asn1.cmp PKIFailureInfo incorrectData
int incorrectData
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
License:Open Source License
@Test
public void test01CrmfHttpOkUserWrongKeyId() throws Exception {
    final byte[] senderNonce = CmpMessageHelper.createSenderNonce();
    final byte[] transactionId = CmpMessageHelper.createSenderNonce();
    // Build a certificate request and PBE-protect it with a KeyId ("foobarfoobar")
    // that no end entity profile on the server is expected to match.
    final PKIMessage unprotected = genCertReq(this.issuerDN1, userDN1, this.keys, this.cacert1, senderNonce, transactionId,
            true, null, null, null, null, null, null);
    final PKIMessage protectedReq = protectPKIMessage(unprotected, false, PBEPASSWORD, "foobarfoobar", 567);
    final CertReqMessages certReqMessages = (CertReqMessages) protectedReq.getBody().getContent();
    final int certReqId = certReqMessages.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(protectedReq);
    // DER-encode the protected message for transport.
    final ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    final DEROutputStream derOut = new DEROutputStream(encoded);
    derOut.writeObject(protectedReq);
    final byte[] requestBytes = encoded.toByteArray();
    // Send over HTTP; the transport status is expected to be 200 even though the CMP body is a rejection.
    final byte[] responseBytes = sendCmpHttp(requestBytes, 200, configAlias);
    assertNotNull(responseBytes);
    assertTrue(responseBytes.length > 0);
    // Expect an initialization response carrying a rejection with failInfo incorrectData.
    checkCmpFailMessage(responseBytes, "End entity profile with name 'foobarfoobar' not found.", 1, certReqId, 2,
            PKIFailureInfo.incorrectData);
}
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeRequestTest.java
License:Open Source License
@Test
public void test03CrmfHttpTooManyIterations() throws Exception {
    final byte[] senderNonce = CmpMessageHelper.createSenderNonce();
    final byte[] transactionId = CmpMessageHelper.createSenderNonce();
    final PKIMessage unprotected = genCertReq(issuerDN, userDN, this.keys, this.cacert, senderNonce, transactionId,
            true, null, null, null, null, null, null);
    // PBE-protect with an iteration count one above the server-side cap of 10000 (see the expected
    // error text below); the cap presumably bounds the KDF work an unauthenticated sender can demand.
    final PKIMessage protectedReq = protectPKIMessage(unprotected, false, PBEPASSWORD, 10001);
    assertNotNull(protectedReq);
    final CertReqMessages certReqMessages = (CertReqMessages) protectedReq.getBody().getContent();
    final int certReqId = certReqMessages.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    final ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    final DEROutputStream derOut = new DEROutputStream(encoded);
    derOut.writeObject(protectedReq);
    final byte[] requestBytes = encoded.toByteArray();
    // Send request and receive response.
    final byte[] responseBytes = sendCmpHttp(requestBytes, 200, ALIAS);
    assertNotNull(responseBytes);
    assertTrue(responseBytes.length > 0);
    // The server must refuse to verify the protection: failInfo badMessageCheck (plus incorrectData).
    checkCmpFailMessage(responseBytes, "Iteration count can not exceed 10000", 23, certReqId,
            PKIFailureInfo.badMessageCheck, PKIFailureInfo.incorrectData);
}
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeRequestTest.java
License:Open Source License
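@Test
public void test04RevocationApprovals() throws Exception {
    // Generate random username and CA name so leftovers from earlier runs do not collide.
    final String randomPostfix = Integer.toString(new Random(System.currentTimeMillis() + 4711).nextInt(999999));
    final String caname = "cmpRevocationCA" + randomPostfix;
    final String username = "cmpRevocationUser" + randomPostfix;
    X509CAInfo cainfo = null;
    int cryptoTokenId = 0;
    try {
        // Generate CA with approvals for revocation enabled.
        cryptoTokenId = CryptoTokenTestUtils.createCryptoTokenForCA(ADMIN, caname, "1024");
        final CAToken catoken = CaTestUtils.createCaToken(cryptoTokenId, AlgorithmConstants.SIGALG_SHA1_WITH_RSA,
                AlgorithmConstants.SIGALG_SHA1_WITH_RSA);
        final int caID = RevocationApprovalTest.createApprovalCA(ADMIN, caname, CAInfo.REQ_APPROVAL_REVOCATION,
                this.caAdminSession, this.caSession, catoken);
        // Get CA cert.
        cainfo = (X509CAInfo) this.caSession.getCAInfo(ADMIN, caID);
        assertNotNull(cainfo);
        final X509Certificate newCACert = (X509Certificate) cainfo.getCertificateChain().iterator().next();
        // Create a user and generate the cert.
        final EndEntityInformation userdata = new EndEntityInformation(username, "CN=" + username, cainfo.getCAId(), null, null,
                new EndEntityType(EndEntityTypes.ENDUSER), SecConst.EMPTY_ENDENTITYPROFILE,
                CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER, SecConst.TOKEN_SOFT_P12, 0, null);
        userdata.setPassword("foo123");
        this.endEntityManagementSession.addUser(ADMIN, userdata, true);
        // Only the temp file's directory is used (as the batch output location); the empty placeholder
        // file is removed. The soft token written there by the batch tool (test password above) is not
        // cleaned up by this test.
        final File tmpfile = File.createTempFile("ejbca", "p12");
        final String batchOutputDir = tmpfile.getParent();
        if (!tmpfile.delete()) {
            tmpfile.deleteOnExit();
        }
        BatchCreateTool.createAllNew(ADMIN, batchOutputDir);
        final Collection<java.security.cert.Certificate> userCerts = this.certificateStoreSession
                .findCertificatesByUsername(username);
        assertEquals("Expected exactly one certificate for " + username, 1, userCerts.size());
        final X509Certificate cert = (X509Certificate) userCerts.iterator().next();
        final X500Name subject = new X500Name(userdata.getDN());
        // 1) Revoke via CMP: with approvals required the request is only queued, so the cert stays unrevoked.
        byte[] resp = sendPbeProtectedRevocation(cainfo, subject, cert, newCACert);
        checkCmpRevokeConfirmMessage(cainfo.getSubjectDN(), subject, cert.getSerialNumber(), newCACert, resp, true);
        int reason = checkRevokeStatus(cainfo.getSubjectDN(), cert.getSerialNumber());
        assertEquals(RevokedCertInfo.NOT_REVOKED, reason);
        // 2) A second revocation while the first is pending must be rejected, and the cert still not revoked.
        resp = sendPbeProtectedRevocation(cainfo, subject, cert, newCACert);
        checkCmpFailMessage(resp, "The request is already awaiting approval.", CmpPKIBodyConstants.REVOCATIONRESPONSE, 0,
                ResponseStatus.FAILURE.getValue(), PKIFailureInfo.incorrectData);
        reason = checkRevokeStatus(cainfo.getSubjectDN(), cert.getSerialNumber());
        assertEquals(RevokedCertInfo.NOT_REVOKED, reason);
        // 3) Approve the pending revocation.
        approveRevocation(ADMIN, ADMIN, username, RevokedCertInfo.REVOCATION_REASON_CESSATIONOFOPERATION,
                ApprovalDataVO.APPROVALTYPE_REVOKECERTIFICATE, this.certificateStoreSession, this.approvalSession,
                this.approvalExecutionSession, cainfo.getCAId());
        // 4) Revoking the now revoked cert must be rejected.
        resp = sendPbeProtectedRevocation(cainfo, subject, cert, newCACert);
        checkCmpFailMessage(resp, "Already revoked.", CmpPKIBodyConstants.REVOCATIONRESPONSE, 0,
                ResponseStatus.FAILURE.getValue(), PKIFailureInfo.incorrectData);
    } finally {
        // Delete user.
        this.endEntityManagementSession.deleteUser(ADMIN, username);
        if (cainfo != null) {
            // Nuke CA: revoke it, and remove it even if the revocation fails.
            try {
                this.caAdminSession.revokeCA(ADMIN, cainfo.getCAId(), RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED);
            } finally {
                this.caSession.removeCA(ADMIN, cainfo.getCAId());
            }
        }
        CryptoTokenTestUtils.removeCryptoToken(ADMIN, cryptoTokenId);
    }
}

/**
 * Builds a PBE-protected CMP revocation request for {@code cert}, DER-encodes it, sends it over HTTP under
 * {@code ALIAS} and runs the generic response checks with the same nonce, transaction id and PBE password.
 *
 * @param cainfo the issuing CA; its subject DN is used as issuer in the request.
 * @param subject subject DN of the certificate holder.
 * @param cert the certificate whose serial number is to be revoked.
 * @param caCert the CA certificate passed to request generation and response checking.
 * @return the raw CMP response, for body-specific checks by the caller.
 * @throws Exception on encoding, transport or check failures.
 */
private byte[] sendPbeProtectedRevocation(final X509CAInfo cainfo, final X500Name subject, final X509Certificate cert,
        final X509Certificate caCert) throws Exception {
    // Fresh nonce and transaction id per request, as the original inline code did.
    final byte[] nonce = CmpMessageHelper.createSenderNonce();
    final byte[] transid = CmpMessageHelper.createSenderNonce();
    final PKIMessage rev = genRevReq(cainfo.getSubjectDN(), subject, cert.getSerialNumber(), caCert, nonce, transid, true, null, null);
    final PKIMessage revReq = protectPKIMessage(rev, false, PBEPASSWORD, 567);
    assertNotNull(revReq);
    final ByteArrayOutputStream bao = new ByteArrayOutputStream();
    final DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(revReq);
    final byte[] resp = sendCmpHttp(bao.toByteArray(), 200, ALIAS);
    checkCmpResponseGeneral(resp, cainfo.getSubjectDN(), subject, caCert, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    return resp;
}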
From source file:org.ejbca.core.protocol.cmp.CrmfRARequestCustomSerialNoTest.java
License:Open Source License
/**
 * Sends a PBE-protected CRMF certificate request for {@code userDN} over HTTP, checks the answer, and then
 * sends the matching certificate confirmation.
 *
 * @param userDN subject DN for the new certificate.
 * @param keys key pair of the new certificate.
 * @param sFailMessage if non-null, EJBCA is expected to reject the request and the error message in the
 *        response is compared against this string; if null, a certificate is expected back.
 * @param customCertSerno if non-null, requested certificate serial number; on success the issued
 *        certificate's serial number is asserted to equal it.
 * @return the issued certificate when the request succeeded, otherwise null.
 * @throws Exception on encoding, transport or assertion failures.
 */
private X509Certificate crmfHttpUserTest(X500Name userDN, KeyPair keys, String sFailMessage, BigInteger customCertSerno) throws Exception {
    X509Certificate issued = null;
    final byte[] senderNonce = CmpMessageHelper.createSenderNonce();
    final byte[] transactionId = CmpMessageHelper.createSenderNonce();
    // --- certificate request ---
    final PKIMessage unprotected = genCertReq(this.issuerDN, userDN, keys, this.cacert, senderNonce, transactionId, true,
            null, null, null, customCertSerno, null, null);
    final PKIMessage certRequest = protectPKIMessage(unprotected, false, PBEPASSWORD, 567);
    final CertReqMessages certReqMessages = (CertReqMessages) certRequest.getBody().getContent();
    final int certReqId = certReqMessages.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(certRequest);
    final ByteArrayOutputStream requestBuffer = new ByteArrayOutputStream();
    final DEROutputStream requestOut = new DEROutputStream(requestBuffer);
    requestOut.writeObject(certRequest);
    // Send request and receive response.
    final byte[] response = sendCmpHttp(requestBuffer.toByteArray(), 200, cmpAlias);
    final boolean expectSuccess = sFailMessage == null;
    // The response signature is only verified when an issued certificate is expected.
    checkCmpResponseGeneral(response, this.issuerDN, userDN, this.cacert, senderNonce, transactionId, expectSuccess, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    if (expectSuccess) {
        issued = checkCmpCertRepMessage(userDN, this.cacert, response, certReqId);
        // Verify that a requested custom serial number was honoured.
        if (customCertSerno != null) {
            final BigInteger actualSerno = issued.getSerialNumber();
            assertTrue(actualSerno.toString(16) + " is not same as expected " + customCertSerno.toString(16),
                    actualSerno.equals(customCertSerno));
        }
    } else {
        checkCmpFailMessage(response, sFailMessage, CmpPKIBodyConstants.ERRORMESSAGE, certReqId, PKIFailureInfo.badRequest,
                PKIFailureInfo.incorrectData);
    }
    // --- certificate confirmation, sent in both cases ---
    final PKIMessage unprotectedConfirm = genCertConfirm(userDN, this.cacert, senderNonce, transactionId, "foo123", certReqId);
    assertNotNull(unprotectedConfirm);
    final PKIMessage confirm = protectPKIMessage(unprotectedConfirm, false, PBEPASSWORD, 567);
    final ByteArrayOutputStream confirmBuffer = new ByteArrayOutputStream();
    final DEROutputStream confirmOut = new DEROutputStream(confirmBuffer);
    confirmOut.writeObject(confirm);
    // Send request and receive response.
    final byte[] confirmResponse = sendCmpHttp(confirmBuffer.toByteArray(), 200, cmpAlias);
    checkCmpResponseGeneral(confirmResponse, this.issuerDN, userDN, this.cacert, senderNonce, transactionId, false, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN, this.cacert, confirmResponse);
    return issued;
}
From source file:org.ejbca.core.protocol.cmp.CrmfRARequestTest.java
License:Open Source License
/**
 * Sends a PBE-protected CRMF certificate request for {@code userDN} to the given issuer over HTTP, checks
 * the answer, and then sends the matching certificate confirmation.
 *
 * @param userDN subject DN for the new certificate.
 * @param keys key pair of the new certificate.
 * @param sFailMessage if non-null, EJBCA is expected to reject the request and the error message in the
 *        response is compared against this string; if null, a certificate is expected back.
 * @param customCertSerno if non-null, requested certificate serial number; on success the issued
 *        certificate's serial number is asserted to equal it.
 * @param sigAlg signature algorithm OID expected on the certificate response.
 * @param caCert certificate of the issuing CA.
 * @param issuerDN DN of the issuing CA.
 * @return the issued certificate, or null when the request was expected to fail (sFailMessage != null).
 * @throws Exception on encoding, transport or assertion failures.
 */
private X509Certificate crmfHttpUserTest(X500Name userDN, KeyPair keys, String sFailMessage, BigInteger customCertSerno,
        String sigAlg, X509Certificate caCert, String issuerDN) throws Exception {
    X509Certificate issued = null;
    final byte[] senderNonce = CmpMessageHelper.createSenderNonce();
    final byte[] transactionId = CmpMessageHelper.createSenderNonce();
    // --- certificate request ---
    final PKIMessage unprotected = genCertReq(issuerDN, userDN, keys, caCert, senderNonce, transactionId, true,
            null, null, null, customCertSerno, null, null);
    final PKIMessage certRequest = protectPKIMessage(unprotected, false, PBEPASSWORD, 567);
    final CertReqMessages certReqMessages = (CertReqMessages) certRequest.getBody().getContent();
    final int certReqId = certReqMessages.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    Assert.assertNotNull(certRequest);
    final ByteArrayOutputStream requestBuffer = new ByteArrayOutputStream();
    final DEROutputStream requestOut = new DEROutputStream(requestBuffer);
    requestOut.writeObject(certRequest);
    // Send request and receive response.
    final byte[] response = sendCmpHttp(requestBuffer.toByteArray(), 200, cmpAlias);
    final boolean expectSuccess = sFailMessage == null;
    // The response signature is only verified when an issued certificate is expected.
    checkCmpResponseGeneral(response, issuerDN, userDN, caCert, senderNonce, transactionId, expectSuccess, null, sigAlg);
    if (expectSuccess) {
        issued = checkCmpCertRepMessage(userDN, caCert, response, certReqId);
        // Verify that a requested custom serial number was honoured.
        if (customCertSerno != null) {
            final BigInteger actualSerno = issued.getSerialNumber();
            Assert.assertTrue(actualSerno.toString(16) + " is not same as expected " + customCertSerno.toString(16),
                    actualSerno.equals(customCertSerno));
        }
    } else {
        checkCmpFailMessage(response, sFailMessage, CmpPKIBodyConstants.ERRORMESSAGE, certReqId, PKIFailureInfo.badRequest,
                PKIFailureInfo.incorrectData);
    }
    // --- certificate confirmation, sent in both cases ---
    final PKIMessage unprotectedConfirm = genCertConfirm(userDN, caCert, senderNonce, transactionId, "foo123", certReqId);
    Assert.assertNotNull(unprotectedConfirm);
    final PKIMessage confirm = protectPKIMessage(unprotectedConfirm, false, PBEPASSWORD, 567);
    final ByteArrayOutputStream confirmBuffer = new ByteArrayOutputStream();
    final DEROutputStream confirmOut = new DEROutputStream(confirmBuffer);
    confirmOut.writeObject(confirm);
    // Send request and receive response.
    final byte[] confirmResponse = sendCmpHttp(confirmBuffer.toByteArray(), 200, cmpAlias);
    // NOTE(review): this check passes the fixed sha1WithRSAEncryption OID rather than sigAlg; with the
    // signed flag false the algorithm is presumably not verified, but the two calls are inconsistent — confirm.
    checkCmpResponseGeneral(confirmResponse, issuerDN, userDN, caCert, senderNonce, transactionId, false, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN, caCert, confirmResponse);
    return issued;
}
From source file:org.ejbca.core.protocol.cmp.CrmfRARequestTest.java
License:Open Source License
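@Test
public void test03UseKeyID() throws Exception {
    final String profileName = "CMPKEYIDTESTPROFILE";
    final String firstUsername = "keyIDTestUser";
    final String secondUsername = "keyidtest2";
    // Enable end entity profile limitations and make the CMP alias select both profiles from the KeyId.
    // NOTE(review): neither the global flag nor the alias settings are restored afterwards; later tests
    // in this class see the changed configuration.
    final GlobalConfiguration gc = (GlobalConfiguration) this.globalConfSession
            .getCachedConfiguration(GlobalConfiguration.GLOBAL_CONFIGURATION_ID);
    gc.setEnableEndEntityProfileLimitations(true);
    this.globalConfSession.saveConfiguration(ADMIN, gc);
    this.cmpConfiguration.setRAEEProfile(cmpAlias, "KeyId");
    this.cmpConfiguration.setRACertProfile(cmpAlias, "KeyId");
    this.globalConfSession.saveConfiguration(ADMIN, this.cmpConfiguration);
    // Remove leftovers from an earlier aborted run before creating the profiles again.
    removeKeyIdTestProfiles(profileName);
    // Certificate profile: a copy of the fixed end-user profile, registered under the KeyId name.
    final CertificateProfile profile = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
    try {
        this.certProfileSession.addCertificateProfile(ADMIN, profileName, profile);
    } catch (CertificateProfileExistsException e) {
        log.error("Could not create certificate profile.", e);
    }
    final int cpId = this.certProfileSession.getCertificateProfileId(profileName);
    // End entity profile: ORGANIZATION is mandatory, so a subject DN without O= must be rejected.
    final EndEntityProfile eep = new EndEntityProfile();
    eep.setValue(EndEntityProfile.DEFAULTCERTPROFILE, 0, "" + cpId);
    eep.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, "" + cpId);
    eep.setValue(EndEntityProfile.DEFAULTCA, 0, "" + this.caid);
    eep.setValue(EndEntityProfile.AVAILCAS, 0, "" + this.caid);
    eep.addField(DnComponents.ORGANIZATION);
    eep.setRequired(DnComponents.ORGANIZATION, 0, true);
    eep.addField(DnComponents.RFC822NAME);
    eep.addField(DnComponents.UPN);
    eep.setModifyable(DnComponents.RFC822NAME, 0, true);
    eep.setUse(DnComponents.RFC822NAME, 0, false); // Don't use field from "email" data
    try {
        this.endEntityProfileSession.addEndEntityProfile(ADMIN, profileName, eep);
    } catch (EndEntityProfileExistsException e) {
        log.error("Could not create end entity profile.", e);
    }
    deleteUserIfPresent(firstUsername);
    deleteUserIfPresent(secondUsername);
    // 512-bit RSA keeps the test fast; it is far below any production key size.
    final KeyPair keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    final byte[] nonce = CmpMessageHelper.createSenderNonce();
    final byte[] transid = CmpMessageHelper.createSenderNonce();
    try {
        // 1) A user whose DN lacks the mandatory ORGANIZATION field -> request must be rejected.
        X500Name userDN = new X500Name("CN=keyIDTestUser,C=SE");
        final PKIMessage one = genCertReq(ISSUER_DN, userDN, keys, this.cacert, nonce, transid, true, null, null, null, null, null, null);
        final PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, profileName, 567);
        final CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
        final int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
        Assert.assertNotNull(req);
        final ByteArrayOutputStream bao = new ByteArrayOutputStream();
        final DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(req);
        final byte[] ba = bao.toByteArray();
        // Send request and receive response.
        final byte[] resp = sendCmpHttp(ba, 200, cmpAlias);
        // A failure is expected, so the response signature is not checked.
        checkCmpResponseGeneral(resp, ISSUER_DN, userDN, this.cacert, nonce, transid, false, null,
                PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
        checkCmpFailMessage(resp, "Subject DN field 'ORGANIZATION' must exist.", CmpPKIBodyConstants.INITIALIZATIONRESPONSE,
                reqId, PKIFailureInfo.badRequest, PKIFailureInfo.incorrectData);
        // 2) A user that fulfils the end entity profile -> certificate is issued under the KeyId profile.
        userDN = new X500Name("CN=keyidtest2,O=org");
        final KeyPair keys2 = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
        final byte[] nonce2 = CmpMessageHelper.createSenderNonce();
        final byte[] transid2 = CmpMessageHelper.createSenderNonce();
        final PKIMessage one2 = genCertReq(ISSUER_DN, userDN, keys2, this.cacert, nonce2, transid2, true, null, null, null, null, null, null);
        final PKIMessage req2 = protectPKIMessage(one2, false, PBEPASSWORD, profileName, 567);
        final CertReqMessages ir2 = (CertReqMessages) req2.getBody().getContent();
        final int reqId2 = ir2.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
        Assert.assertNotNull(req2);
        final ByteArrayOutputStream bao2 = new ByteArrayOutputStream();
        final DEROutputStream out2 = new DEROutputStream(bao2);
        out2.writeObject(req2);
        final byte[] ba2 = bao2.toByteArray();
        // Send request and receive response.
        final byte[] resp2 = sendCmpHttp(ba2, 200, cmpAlias);
        checkCmpResponseGeneral(resp2, ISSUER_DN, userDN, this.cacert, nonce2, transid2, true, null,
                PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
        final X509Certificate cert = checkCmpCertRepMessage(userDN, this.cacert, resp2, reqId2);
        final BigInteger serialnumber = cert.getSerialNumber();
        // The KeyId must have selected the certificate profile created above, not some default.
        final EndEntityInformation ee = this.eeAccessSession.findUser(ADMIN, secondUsername);
        Assert.assertEquals("Wrong certificate profile", cpId, ee.getCertificateProfileId());
        // 3) Revoke the created certificate, again addressing the profiles via the KeyId.
        final PKIMessage con = genRevReq(ISSUER_DN, userDN, serialnumber, this.cacert, nonce2, transid2, false, null, null);
        Assert.assertNotNull(con);
        final PKIMessage revmsg = protectPKIMessage(con, false, PBEPASSWORD, profileName, 567);
        final ByteArrayOutputStream baorev = new ByteArrayOutputStream();
        final DEROutputStream outrev = new DEROutputStream(baorev);
        outrev.writeObject(revmsg);
        final byte[] barev = baorev.toByteArray();
        // Send request and receive response.
        final byte[] resprev = sendCmpHttp(barev, 200, cmpAlias);
        checkCmpResponseGeneral(resprev, ISSUER_DN, userDN, this.cacert, nonce2, transid2, true, null,
                PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
        final int revstatus = checkRevokeStatus(ISSUER_DN, serialnumber);
        Assert.assertEquals("Certificate revocation failed.", RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, revstatus);
    } finally {
        deleteUserIfPresent(firstUsername);
        deleteUserIfPresent(secondUsername);
        // Do not leave the test profiles behind for other tests.
        removeKeyIdTestProfiles(profileName);
    }
}

/**
 * Deletes the end entity if it exists; a missing user is not an error during test setup or cleanup.
 *
 * @param username end entity username to delete.
 * @throws Exception for any failure other than the user not existing.
 */
private void deleteUserIfPresent(final String username) throws Exception {
    try {
        this.endEntityManagementSession.deleteUser(ADMIN, username);
    } catch (NotFoundException ignored) { // NOPMD: nothing to clean up
    }
}

/**
 * Best-effort removal of the end entity and certificate profiles named {@code profileName}; the end entity
 * profile is removed first since it references the certificate profile. Failures are logged, not propagated.
 *
 * @param profileName name shared by both profiles.
 */
private void removeKeyIdTestProfiles(final String profileName) {
    try {
        this.endEntityProfileSession.removeEndEntityProfile(ADMIN, profileName);
        this.certProfileSession.removeCertificateProfile(ADMIN, profileName);
    } catch (Exception e) {
        log.debug("Could not remove test profile " + profileName, e);
    }
}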
From source file:org.ejbca.core.protocol.cmp.CrmfRARequestTest.java
License:Open Source License
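@Test
public void test05SubjectSerialNumber() throws Exception {
    // Switch the CA to enforce unique subject DN serial numbers, remembering the previous setting.
    final CAInfo cainfo = this.caSession.getCAInfo(ADMIN, this.caid);
    final boolean requiredUniqueSerialnumber = cainfo.isDoEnforceUniqueSubjectDNSerialnumber();
    cainfo.setDoEnforceUniqueSubjectDNSerialnumber(true);
    final CAAdminSessionRemote caAdminSession = EjbRemoteHelper.INSTANCE.getRemoteSession(CAAdminSessionRemote.class);
    caAdminSession.editCA(ADMIN, cainfo);
    // Create a new good user.
    final String username = "subjectsnuser";
    final X500Name userDN = new X500Name("CN=" + username + ",SN=1234567,C=SE");
    try {
        // 512-bit RSA keeps the test fast; it is far below any production key size.
        final KeyPair keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
        final byte[] nonce = CmpMessageHelper.createSenderNonce();
        final byte[] transid = CmpMessageHelper.createSenderNonce();
        final PKIMessage one = genCertReq(ISSUER_DN, userDN, keys, this.cacert, nonce, transid, true, null, null, null, null, null, null);
        final PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, null, 567);
        Assert.assertNotNull(req);
        final CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
        final int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
        final ByteArrayOutputStream bao = new ByteArrayOutputStream();
        final DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(req);
        final byte[] ba = bao.toByteArray();
        // Send request and receive response.
        final byte[] resp = sendCmpHttp(ba, 200, cmpAlias);
        checkCmpResponseGeneral(resp, ISSUER_DN, userDN, this.cacert, nonce, transid, true, null,
                PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
        final X509Certificate cert = checkCmpCertRepMessage(userDN, this.cacert, resp, reqId);
        final BigInteger serialnumber = cert.getSerialNumber();
        // A second user with the same serial number, spelled "SERIALNUMBER" instead of "SN" -> must be rejected.
        final X500Name userDN2 = new X500Name("CN=subjectsnuser2,SERIALNUMBER=1234567,C=SE");
        final KeyPair keys2 = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
        final PKIMessage one2 = genCertReq(ISSUER_DN, userDN2, keys2, this.cacert, nonce, transid, true, null, null, null, null, null, null);
        final PKIMessage req2 = protectPKIMessage(one2, false, PBEPASSWORD, null, 567);
        Assert.assertNotNull(req2);
        final CertReqMessages ir2 = (CertReqMessages) req2.getBody().getContent();
        final int reqId2 = ir2.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
        final ByteArrayOutputStream bao2 = new ByteArrayOutputStream();
        final DEROutputStream out2 = new DEROutputStream(bao2);
        out2.writeObject(req2);
        final byte[] ba2 = bao2.toByteArray();
        // Send request and receive response; a failure is expected, so the signature is not checked.
        final byte[] resp2 = sendCmpHttp(ba2, 200, cmpAlias);
        checkCmpResponseGeneral(resp2, ISSUER_DN, userDN2, this.cacert, nonce, transid, false, null,
                PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
        checkCmpFailMessage(resp2, "Error: SubjectDN Serialnumber already exists.", CmpPKIBodyConstants.ERRORMESSAGE, reqId2,
                PKIFailureInfo.badRequest, PKIFailureInfo.incorrectData);
        // Revoke the created certificate.
        // NOTE(review): the revocation names userDN2 but carries the first user's certificate serial number;
        // presumably the server looks the certificate up by issuer and serial, so the first cert is revoked —
        // confirm that the second DN is intended here.
        final PKIMessage con = genRevReq(ISSUER_DN, userDN2, serialnumber, this.cacert, nonce, transid, false, null, null);
        Assert.assertNotNull(con);
        final PKIMessage revmsg = protectPKIMessage(con, false, PBEPASSWORD, null, 567);
        final ByteArrayOutputStream baorev = new ByteArrayOutputStream();
        final DEROutputStream outrev = new DEROutputStream(baorev);
        outrev.writeObject(revmsg);
        final byte[] barev = baorev.toByteArray();
        // Send request and receive response.
        final byte[] resprev = sendCmpHttp(barev, 200, cmpAlias);
        checkCmpResponseGeneral(resprev, ISSUER_DN, userDN2, this.cacert, nonce, transid, false, null,
                PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
        final int revstatus = checkRevokeStatus(ISSUER_DN, serialnumber);
        Assert.assertEquals("Certificate revocation failed.", RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, revstatus);
    } finally {
        // Restore the CA's enforcement setting even when an assertion above failed, then delete the user.
        try {
            cainfo.setDoEnforceUniqueSubjectDNSerialnumber(requiredUniqueSerialnumber);
            caAdminSession.editCA(ADMIN, cainfo);
        } finally {
            this.endEntityManagementSession.deleteUser(ADMIN, username);
        }
    }
}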
From source file:org.ejbca.core.protocol.cmp.CrmfRequestTest.java
License:Open Source License
@Test
public void test01CrmfHttpUnknowUser() throws Exception {
    log.trace(">test01CrmfHttpUnknowUser");
    // USER_DN names an end entity that has not been created on the CA.
    final byte[] senderNonce = CmpMessageHelper.createSenderNonce();
    final byte[] transactionId = CmpMessageHelper.createSenderNonce();
    // The request is sent as generated, without any PBE protection step.
    final PKIMessage request = genCertReq(ISSUER_DN, USER_DN, this.keys, this.cacert, senderNonce, transactionId, false,
            null, null, null, null, null, null);
    assertNotNull(request);
    final CertReqMessages certReqMessages = (CertReqMessages) request.getBody().getContent();
    final int certReqId = certReqMessages.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    final ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    final DEROutputStream derOut = new DEROutputStream(encoded);
    derOut.writeObject(request);
    final byte[] responseBytes = sendCmpHttp(encoded.toByteArray(), 200, cmpAlias);
    checkCmpResponseGeneral(responseBytes, ISSUER_DN, USER_DN, this.cacert, senderNonce, transactionId, true, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    // Expect a certificate response that rejects with failInfo incorrectData. The generic
    // "Wrong username or password" wording does not reveal whether the user exists.
    checkCmpFailMessage(responseBytes, "Wrong username or password", 1, certReqId, 7, PKIFailureInfo.incorrectData);
    log.trace("<test01CrmfHttpUnknowUser");
}
From source file:org.ejbca.core.protocol.cmp.CrmfRequestTest.java
License:Open Source License
@Test
public void test02CrmfHttpUnknowUserSignedMessage() throws Exception {
    // USER_DN names an end entity that has not been created on the CA.
    final byte[] senderNonce = CmpMessageHelper.createSenderNonce();
    final byte[] transactionId = CmpMessageHelper.createSenderNonce();
    final PKIMessage request = genCertReq(ISSUER_DN, USER_DN, this.keys, this.cacert, senderNonce, transactionId, false,
            null, null, null, null, null, null);
    assertNotNull(request);
    // Sign the message with a self-signed certificate that the CA has no reason to trust.
    final X509Certificate signCert = CertTools.genSelfCert("CN=CMP Sign Test", 3650, null, this.keys.getPrivate(),
            this.keys.getPublic(), "SHA256WithRSA", false);
    final ArrayList<Certificate> signerChain = new ArrayList<Certificate>();
    signerChain.add(signCert);
    // NOTE(review): the return value of signPKIMessage is discarded and the original request object is
    // encoded below; if signPKIMessage returns the signed message instead of mutating its argument, what is
    // sent here is unsigned — confirm against CmpMessageHelper.
    CmpMessageHelper.signPKIMessage(request, signerChain, this.keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
    final CertReqMessages certReqMessages = (CertReqMessages) request.getBody().getContent();
    final int certReqId = certReqMessages.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    final ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    final DEROutputStream derOut = new DEROutputStream(encoded);
    derOut.writeObject(request);
    // Send request and receive response.
    final byte[] responseBytes = sendCmpHttp(encoded.toByteArray(), 200, cmpAlias);
    checkCmpResponseGeneral(responseBytes, ISSUER_DN, USER_DN, this.cacert, senderNonce, transactionId, true, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    // Expect a certificate response that rejects with failInfo incorrectData, same as the unsigned case.
    checkCmpFailMessage(responseBytes, "Wrong username or password", 1, certReqId, 7, PKIFailureInfo.incorrectData);
}
From source file:org.ejbca.core.protocol.cmp.CrmfRequestTest.java
License:Open Source License
@Test
public void test03CrmfHttpOkUser() throws Exception {
    log.trace(">test03CrmfHttpOkUser");
    // Create a new good user.
    final X500Name userDN = createCmpUser("cmptest", "C=SE,O=PrimeKey,CN=cmptest", true);
    final byte[] senderNonce = CmpMessageHelper.createSenderNonce();
    final byte[] transactionId = CmpMessageHelper.createSenderNonce();
    // --- certificate request ---
    final PKIMessage request = genCertReq(ISSUER_DN, userDN, this.keys, this.cacert, senderNonce, transactionId, false,
            null, null, null, null, null, null);
    assertNotNull(request);
    final CertReqMessages certReqMessages = (CertReqMessages) request.getBody().getContent();
    final int certReqId = certReqMessages.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    final ByteArrayOutputStream requestBuffer = new ByteArrayOutputStream();
    final DEROutputStream requestOut = new DEROutputStream(requestBuffer);
    requestOut.writeObject(request);
    // Send request and receive response.
    final byte[] certResponse = sendCmpHttp(requestBuffer.toByteArray(), 200, cmpAlias);
    checkCmpResponseGeneral(certResponse, ISSUER_DN, userDN, this.cacert, senderNonce, transactionId, true, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    final X509Certificate cert = checkCmpCertRepMessage(userDN, this.cacert, certResponse, certReqId);
    final String altNames = CertTools.getSubjectAlternativeName(cert);
    assertNull("AltNames was not null (" + altNames + ").", altNames);
    // --- certificate confirmation ---
    final PKIMessage confirm = genCertConfirm(userDN, this.cacert, senderNonce, transactionId, "foo123", certReqId);
    assertNotNull(confirm);
    final ByteArrayOutputStream confirmBuffer = new ByteArrayOutputStream();
    final DEROutputStream confirmOut = new DEROutputStream(confirmBuffer);
    confirmOut.writeObject(confirm);
    // Send request and receive response.
    final byte[] confirmResponse = sendCmpHttp(confirmBuffer.toByteArray(), 200, cmpAlias);
    checkCmpResponseGeneral(confirmResponse, ISSUER_DN, userDN, this.cacert, senderNonce, transactionId, false, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN, this.cacert, confirmResponse);
    // --- revocation without any message protection: the CA must refuse it ---
    final PKIMessage revocation = genRevReq(ISSUER_DN, userDN, cert.getSerialNumber(), this.cacert, senderNonce, transactionId,
            true, null, null);
    assertNotNull(revocation);
    final ByteArrayOutputStream revocationBuffer = new ByteArrayOutputStream();
    final DEROutputStream revocationOut = new DEROutputStream(revocationBuffer);
    revocationOut.writeObject(revocation);
    // Send request and receive response.
    final byte[] revocationResponse = sendCmpHttp(revocationBuffer.toByteArray(), 200, cmpAlias);
    checkCmpResponseGeneral(revocationResponse, ISSUER_DN, userDN, this.cacert, senderNonce, transactionId, false, null,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    // The expected text must match the server's wording byte for byte ("athenticated" sic).
    checkCmpFailMessage(revocationResponse, "PKI Message is not athenticated properly. No HMAC protection was found.", 23,
            certReqId, PKIFailureInfo.badMessageCheck, PKIFailureInfo.incorrectData);
    log.trace("<test03CrmfHttpOkUser");
}