List of usage examples for org.bouncycastle.asn1.x509 ReasonFlags unused
From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java
License:Open Source License
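/**
 * Renders every set bit of a {@code ReasonFlags} value as a localized display string.
 *
 * <pre>
 * ReasonFlags ::= BIT STRING { unused(0), keyCompromise(1),
 *     cACompromise(2), affiliationChanged(3), superseded(4),
 *     cessationOfOperation(5), certificateHold(6), privilegeWithdrawn(7),
 *     aACompromise(8)}
 * </pre>
 *
 * @param reasonFlags the decoded extension value; all bits are inspected, so a value with several
 *                    bits set yields several strings, in the ASN.1 bit order shown above
 * @return the localized names of the set flags in bit order; an empty array when no bit is set
 * @throws IOException declared for compatibility with the callers of this helper
 */
private String[] getReasonFlagsStrings(ReasonFlags reasonFlags) throws IOException {
    // Bit masks paired index-by-index with their resource-bundle keys, in ASN.1 bit order.
    // The order of these two tables defines the order of the returned strings.
    final int[] flagMasks = { ReasonFlags.unused, ReasonFlags.keyCompromise, ReasonFlags.cACompromise,
            ReasonFlags.affiliationChanged, ReasonFlags.superseded, ReasonFlags.cessationOfOperation,
            ReasonFlags.certificateHold, ReasonFlags.privilegeWithdrawn, ReasonFlags.aACompromise };
    final String[] resourceKeys = { "UnusedReasonFlag", "KeyCompromiseReasonFlag", "CaCompromiseReasonFlag",
            "AffiliationChangedReasonFlag", "SupersededReasonFlag", "CessationOfOperationReasonFlag",
            "CertificateHoldReasonFlag", "PrivilegeWithdrawnReasonFlag", "AaCompromiseReasonFlag" };

    DERBitString reasonFlagsBitString = (DERBitString) reasonFlags.toASN1Primitive();
    int reasonFlagsInt = reasonFlagsBitString.intValue();

    // Walk the tables once and collect the name of every flag that is present.
    List<String> reasonFlagsList = new ArrayList<String>(flagMasks.length);
    for (int i = 0; i < flagMasks.length; i++) {
        if (hasReasonFlag(reasonFlagsInt, flagMasks[i])) {
            reasonFlagsList.add(res.getString(resourceKeys[i]));
        }
    }
    return reasonFlagsList.toArray(new String[0]);
}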
From source file:org.cesecore.certificates.certificate.CertRevocationStatusCheckerTest.java
License:Open Source License
/**
 * OCSP revocation check with a statically configured responder URL.
 * <ol>
 * <li>Create test certificate</li>
 * <li>Specify a working OCSP URL in the constructor of PKIXCertRevocationStatusChecker</li>
 * <li>Check the revocation status of the test certificate. Expected: certificate not revoked</li>
 * <li>Revoke the test certificate</li>
 * <li>Check the revocation status of the test certificate. Expected: error message that the certificate is revoked</li>
 * </ol>
 * The end entity and its certificate are removed from the database in {@code finally}, whether or not
 * the assertions hold.
 */
@Test
public void test01VerificationWithOCSPWithStaticUrl() throws Exception {
    final String endEntityName = "CertRevocationStatusCheckTestUser";
    final String endEntityDN = "CN=" + endEntityName;
    final String baseUrl = "http://127.0.0.1:8080/ejbca";
    final String resourceOcsp = "publicweb/status/ocsp";
    final String ocspUrl = baseUrl + "/" + resourceOcsp;
    String issuedCertFp = "";

    // Make the responder pick up the current CA keys before the first request is sent.
    final OcspJunitHelper ocspHelper = new OcspJunitHelper(baseUrl, resourceOcsp);
    ocspHelper.reloadKeys();

    final ArrayList<X509Certificate> trustedChain = new ArrayList<X509Certificate>();
    trustedChain.add((X509Certificate) testx509ca.getCACertificate());
    try {
        // Issue a certificate to a fresh end entity.
        createUser(endEntityName, endEntityDN, testx509ca.getCAId(), SecConst.EMPTY_ENDENTITYPROFILE,
                CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
        final KeyPair endEntityKeys = KeyTools.genKeys("1024", "RSA");
        final X509Certificate issuedCert = (X509Certificate) signSession.createCertificate(alwaysAllowToken,
                endEntityName, "foo123", new PublicKeyWrapper(endEntityKeys.getPublic()));
        issuedCertFp = CertTools.getFingerprintAsString(issuedCert);

        // The responder URL is passed explicitly; no CRL URL and no OCSP signer certificate are given.
        final PKIXCertRevocationStatusChecker checker = new PKIXCertRevocationStatusChecker(ocspUrl, null, null,
                trustedChain);
        try {
            checker.check(issuedCert, null);
        } catch (CertPathValidatorException unexpected) {
            fail("The certificate is not revoked and should have passed the check but it did not.");
        }
        final SingleResp firstOcspResp = checker.getOCSPResponse();
        assertNotNull(
                "The check should have been performed using OCSP, so there should be an OCSP response to fetch",
                firstOcspResp);
        assertNull("The check should have been performed using OCSP, so there should not be CRLs to fetch",
                checker.getcrl());

        // Revoke the certificate and verify that the same checker instance now rejects it.
        eeManagementSession.revokeCert(alwaysAllowToken, CertTools.getSerialNumber(issuedCert), CADN, 0);
        try {
            checker.check(issuedCert, null);
            fail("The certificate is now revoked and should not have passed the check but it did.");
        } catch (CertPathValidatorException expected) {
            final String expectedMsg = "Certificate with serialnumber "
                    + CertTools.getSerialNumberAsString(issuedCert) + " was revoked";
            assertEquals(expectedMsg, expected.getLocalizedMessage());
        }
        final SingleResp secondOcspResp = checker.getOCSPResponse();
        assertNotNull(
                "The check should have been performed using OCSP, so there should be an OCSP response to fetch",
                secondOcspResp);
        // NOTE(review): if SingleResp does not override equals(), this only shows that a new response object
        // was fetched, not that its content differs — confirm against the BC version in use.
        assertFalse("The OCSP response from the first and second check should not be equals",
                firstOcspResp.equals(secondOcspResp));
        assertNull("The check should have been performed using OCSP, so there should not be CRLs to fetch",
                checker.getcrl());
    } finally {
        // Clean up the database regardless of the outcome.
        internalCertStoreSession.removeCertificate(issuedCertFp);
        eeManagementSession.revokeAndDeleteUser(alwaysAllowToken, endEntityName, ReasonFlags.unused);
    }
}
From source file:org.cesecore.certificates.certificate.CertRevocationStatusCheckerTest.java
License:Open Source License
/**
 * OCSP revocation check where the responder URL is taken from the certificate itself.
 * <ol>
 * <li>Create a test certificate containing AuthorityInformationAccess extension containing an OCSP Locator URL</li>
 * <li>Check the revocation status of the test certificate. Expected: certificate not revoked</li>
 * <li>Revoke the test certificate</li>
 * <li>Check the revocation status of the test certificate. Expected: error message that the certificate is revoked</li>
 * </ol>
 * The certificate profile is modified to emit the AIA extension; that modification is not reverted
 * in this method (presumably handled by a fixture outside it — verify).
 */
@Test
public void test02VerificationWithOCSPFromCertExtension() throws Exception {
    final String endEntityName = "CertRevocationStatusCheckTestUser";
    final String endEntityDN = "CN=" + endEntityName;
    final String baseUrl = "http://127.0.0.1:8080/ejbca";
    final String resourceOcsp = "publicweb/status/ocsp";
    String issuedCertFp = "";

    // Make the responder pick up the current CA keys before the first request is sent.
    final OcspJunitHelper ocspHelper = new OcspJunitHelper(baseUrl, resourceOcsp);
    ocspHelper.reloadKeys();
    try {
        // Have the profile embed the OCSP locator so the checker can discover it from the certificate.
        final CertificateProfile profile = certProfileSession.getCertificateProfile(certprofileID);
        profile.setUseAuthorityInformationAccess(true);
        profile.setOCSPServiceLocatorURI(baseUrl + "/" + resourceOcsp);
        certProfileSession.changeCertificateProfile(alwaysAllowToken, certprofileName, profile);

        // Issue a certificate to a fresh end entity under that profile.
        createUser(endEntityName, endEntityDN, testx509ca.getCAId(), eeprofileID, certprofileID);
        final KeyPair endEntityKeys = KeyTools.genKeys("1024", "RSA");
        final X509Certificate issuedCert = (X509Certificate) signSession.createCertificate(alwaysAllowToken,
                endEntityName, "foo123", new PublicKeyWrapper(endEntityKeys.getPublic()));
        issuedCertFp = CertTools.getFingerprintAsString(issuedCert);

        // Only the issuer certificate is supplied; the responder URL must come from the AIA extension.
        final PKIXCertRevocationStatusChecker checker = new PKIXCertRevocationStatusChecker(
                (X509Certificate) testx509ca.getCACertificate(), null);
        try {
            checker.check(issuedCert, null);
        } catch (CertPathValidatorException unexpected) {
            fail("The certificate is not revoked and should have passed the check but it did not.");
        }
        final SingleResp firstOcspResp = checker.getOCSPResponse();
        assertNotNull(
                "The check should have been performed using OCSP, so there should be an OCSP response to fetch",
                firstOcspResp);
        assertNull("The check should have been performed using OCSP, so there should not be CRLs to fetch",
                checker.getcrl());

        // Revoke the certificate and verify that the same checker instance now rejects it.
        eeManagementSession.revokeCert(alwaysAllowToken, CertTools.getSerialNumber(issuedCert), CADN, 0);
        try {
            checker.check(issuedCert, null);
            fail("The certificate is now revoked and should not have passed the check but it did.");
        } catch (CertPathValidatorException expected) {
            final String expectedMsg = "Certificate with serialnumber "
                    + CertTools.getSerialNumberAsString(issuedCert) + " was revoked";
            assertEquals(expectedMsg, expected.getLocalizedMessage());
        }
        final SingleResp secondOcspResp = checker.getOCSPResponse();
        assertNotNull(
                "The check should have been performed using OCSP, so there should be an OCSP response to fetch",
                secondOcspResp);
        // NOTE(review): if SingleResp does not override equals(), this only shows that a new response object
        // was fetched, not that its content differs — confirm against the BC version in use.
        assertFalse("The OCSP response from the first and second check should not be equals",
                firstOcspResp.equals(secondOcspResp));
        assertNull("The check should have been performed using OCSP, so there should not be CRLs to fetch",
                checker.getcrl());
    } finally {
        // Clean up the database regardless of the outcome.
        internalCertStoreSession.removeCertificate(issuedCertFp);
        eeManagementSession.revokeAndDeleteUser(alwaysAllowToken, endEntityName, ReasonFlags.unused);
    }
}
From source file:org.cesecore.certificates.certificate.CertRevocationStatusCheckerTest.java
License:Open Source License
/** * 1. Create a test certificate containing AuthorityInformationAccess extension containing an OCSP Locator URL * 2. Create a PKIXCertRevocationStatusChecker object that does not specify an issuer certificate * 2. Check the revocation status of the test certificate. Expected: error message that the revocation status could not be checked *///from w w w .j av a2 s . c o m @Test public void test03VerificationWithOCSPWithoutCACert() throws Exception { final String username = "CertRevocationStatusCheckTestUser"; final String userDN = "CN=" + username; String usercertFp = ""; try { // create a user and issue it a certificate createUser(username, userDN, testx509ca.getCAId(), eeprofileID, certprofileID); final KeyPair userkeys = KeyTools.genKeys("1024", "RSA"); X509Certificate usercert = (X509Certificate) signSession.createCertificate(alwaysAllowToken, username, "foo123", new PublicKeyWrapper(userkeys.getPublic())); usercertFp = CertTools.getFingerprintAsString(usercert); // Check usercert revocation status PKIXCertRevocationStatusChecker checker = new PKIXCertRevocationStatusChecker(null, null); try { checker.check(usercert, null); fail("The check should not have been performed because the input parameters were not satisfactory. Inspite of that, the check was successful."); } catch (CertPathValidatorException e) { final String expectedMsg = "No issuer CA certificate was found. An issuer CA certificate is needed to create an OCSP request and to get the right CRL"; assertEquals(expectedMsg, e.getLocalizedMessage()); } assertNull( "The check should not have been performed using OCSP, so there should not be an OCSP response to grab", checker.getOCSPResponse()); assertNull("The check should not have been performed using CRL, so there should not be a CRL to grab", checker.getcrl()); } finally { // Remove it to clean database eeManagementSession.revokeAndDeleteUser(alwaysAllowToken, username, ReasonFlags.unused); internalCertStoreSession.removeCertificate(usercertFp); } }
From source file:org.cesecore.certificates.certificate.CertRevocationStatusCheckerTest.java
License:Open Source License
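/**
 * CRL revocation check where the CRL URL is taken from the certificate's CRLDistributionPoints extension.
 * <ol>
 * <li>Create a test certificate containing CRLDistributionPoints extension containing a URL to the right CRL</li>
 * <li>Generate a CRL</li>
 * <li>Check the revocation status of the test certificate. Expected: certificate not revoked</li>
 * <li>Revoke the test certificate</li>
 * <li>Generate a new CRL</li>
 * <li>Check the revocation status of the test certificate. Expected: error message that the certificate is revoked</li>
 * </ol>
 * Both generated CRLs, the certificate and the end entity are removed in {@code finally}. The certificate
 * profile change made here is not reverted in this method.
 */
@Test
public void test04VerificationWithCRLFromCertExtension() throws Exception {
    final String defaultCRLDistPoint = "http://localhost:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=";
    final String username = "CertRevocationStatusCheckTestUser";
    final String userDN = "CN=" + username;
    String usercertFp = "";
    String crlFp1 = "", crlFp2 = "";
    try {
        // Have the profile embed a CDP pointing at this CA's own CRL.
        CertificateProfile cp = certProfileSession.getCertificateProfile(certprofileID);
        cp.setUseCRLDistributionPoint(true);
        cp.setCRLDistributionPointURI(defaultCRLDistPoint + CADN);
        cp.setCRLIssuer(CADN);
        certProfileSession.changeCertificateProfile(alwaysAllowToken, certprofileName, cp);

        // Issue a certificate to a fresh end entity under that profile.
        createUser(username, userDN, testx509ca.getCAId(), eeprofileID, certprofileID);
        final KeyPair userkeys = KeyTools.genKeys("1024", "RSA");
        X509Certificate usercert = (X509Certificate) signSession.createCertificate(alwaysAllowToken, username,
                "foo123", new PublicKeyWrapper(userkeys.getPublic()));
        usercertFp = CertTools.getFingerprintAsString(usercert);

        // Generate a CRL. Full and delta CRLs share one CRL-number series, so the next number is one past
        // the highest of the two.
        Collection<RevokedCertInfo> revcerts = certStoreSession.listRevokedCertInfo(CADN, -1);
        int fullnumber = crlStoreSession.getLastCRLNumber(CADN, false);
        int deltanumber = crlStoreSession.getLastCRLNumber(CADN, true);
        int nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testx509ca, revcerts, -1, nextCrlNumber);
        byte[] crlBytes = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
        crlFp1 = CertTools.getFingerprintAsString(crlBytes);

        // Only the issuer certificate is supplied; the CRL URL must come from the CDP extension.
        PKIXCertRevocationStatusChecker checker = new PKIXCertRevocationStatusChecker(
                (X509Certificate) testx509ca.getCACertificate(), null);
        try {
            checker.check(usercert, null);
        } catch (CertPathValidatorException e) {
            fail("The certificate is not revoked and should have passed the check but it did not.");
        }
        assertNull("The check was performed using CRL, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        CRL crl1 = checker.getcrl();
        assertNotNull("The check was performed using CRL, so there should be a CRL to grab", crl1);

        // Revoke the certificate and publish a new CRL that lists it.
        eeManagementSession.revokeCert(alwaysAllowToken, CertTools.getSerialNumber(usercert), CADN, 0);
        revcerts = certStoreSession.listRevokedCertInfo(CADN, -1);
        fullnumber = crlStoreSession.getLastCRLNumber(CADN, false);
        deltanumber = crlStoreSession.getLastCRLNumber(CADN, true);
        nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testx509ca, revcerts, -1, nextCrlNumber);
        crlBytes = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
        crlFp2 = CertTools.getFingerprintAsString(crlBytes);

        // The same checker instance must now fetch the fresh CRL and reject the certificate.
        try {
            checker.check(usercert, null);
            fail("The certificate is now revoked and should not have passed the check but it did.");
        } catch (CertPathValidatorException e) {
            String expectedMsg = "Certificate with serialnumber " + CertTools.getSerialNumberAsString(usercert)
                    + " was revoked";
            assertEquals(expectedMsg, e.getLocalizedMessage());
        }
        assertNull("The check was performed using CRL, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        CRL crl2 = checker.getcrl();
        assertNotNull("The check was performed using CRL, so there should be a CRL to grab", crl2);
        assertFalse("The CRLs from the first and second check should not be the same", crl1.equals(crl2));
    } finally {
        // Remove it to clean database
        internalCertStoreSession.removeCRL(alwaysAllowToken, crlFp1);
        internalCertStoreSession.removeCRL(alwaysAllowToken, crlFp2);
        internalCertStoreSession.removeCertificate(usercertFp);
        eeManagementSession.revokeAndDeleteUser(alwaysAllowToken, username, ReasonFlags.unused);
    }
}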
From source file:org.cesecore.certificates.certificate.CertRevocationStatusCheckerTest.java
License:Open Source License
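/**
 * CRL revocation check with a statically configured CRL URL.
 * <ol>
 * <li>Create a test certificate</li>
 * <li>Generate a CRL</li>
 * <li>Create a PKIXCertRevocationStatusChecker object specifying a CRL URL</li>
 * <li>Check the revocation status of the test certificate. Expected: certificate not revoked</li>
 * <li>Revoke the test certificate</li>
 * <li>Generate a new CRL</li>
 * <li>Check the revocation status of the test certificate. Expected: error message that the certificate is revoked</li>
 * </ol>
 * The CA's default CRL distribution point is edited before the {@code try} block and is not restored
 * by this method.
 */
@Test
public void test05VerificationWithCRLWithStaticURL() throws Exception {
    X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo();
    final String defaultCRLDistPoint = "http://localhost:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=";
    // e.g. http://localhost:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ManagementCA,O=EJBCA%20Sample,C=SE
    // The DN is appended unencoded here; java.net.URL does not percent-encode its input.
    URL crlUrl = new URL(defaultCRLDistPoint + cainfo.getSubjectDN());
    cainfo.setDefaultCRLDistPoint(crlUrl.toString());
    caSession.editCA(alwaysAllowToken, cainfo);

    ArrayList<X509Certificate> caCertChain = new ArrayList<X509Certificate>();
    caCertChain.add((X509Certificate) testx509ca.getCACertificate());
    final String username = "CertRevocationStatusCheckTestUser";
    final String userDN = "CN=" + username;
    String usercertFp = "";
    String crlFp1 = "", crlFp2 = "";
    try {
        // Issue a certificate to a fresh end entity.
        createUser(username, userDN, testx509ca.getCAId(), SecConst.EMPTY_ENDENTITYPROFILE,
                CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
        final KeyPair userkeys = KeyTools.genKeys("1024", "RSA");
        X509Certificate usercert = (X509Certificate) signSession.createCertificate(alwaysAllowToken, username,
                "foo123", new PublicKeyWrapper(userkeys.getPublic()));
        usercertFp = CertTools.getFingerprintAsString(usercert);

        // Generate a CRL. Full and delta CRLs share one CRL-number series, so the next number is one past
        // the highest of the two.
        Collection<RevokedCertInfo> revcerts = certStoreSession.listRevokedCertInfo(CADN, -1);
        int fullnumber = crlStoreSession.getLastCRLNumber(CADN, false);
        int deltanumber = crlStoreSession.getLastCRLNumber(CADN, true);
        int nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testx509ca, revcerts, -1, nextCrlNumber);
        byte[] crlBytes = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
        crlFp1 = CertTools.getFingerprintAsString(crlBytes);

        // The CRL URL is passed explicitly; no OCSP URL and no OCSP signer certificate are given.
        PKIXCertRevocationStatusChecker checker = new PKIXCertRevocationStatusChecker(null,
                cainfo.getDefaultCRLDistPoint(), null, caCertChain);
        try {
            checker.check(usercert, null);
        } catch (CertPathValidatorException e) {
            fail("The certificate is not revoked and should have passed the check but it did not.");
        }
        assertNull("The check was performed using CRL, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        CRL crl1 = checker.getcrl();
        assertNotNull("The check was performed using CRL, so there should be a CRL to grab", crl1);

        // Revoke the certificate and publish a new CRL that lists it.
        eeManagementSession.revokeCert(alwaysAllowToken, CertTools.getSerialNumber(usercert),
                cainfo.getSubjectDN(), 0);
        revcerts = certStoreSession.listRevokedCertInfo(CADN, -1);
        fullnumber = crlStoreSession.getLastCRLNumber(CADN, false);
        deltanumber = crlStoreSession.getLastCRLNumber(CADN, true);
        nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testx509ca, revcerts, -1, nextCrlNumber);
        crlBytes = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
        crlFp2 = CertTools.getFingerprintAsString(crlBytes);

        // The same checker instance must now fetch the fresh CRL and reject the certificate.
        try {
            checker.check(usercert, null);
            fail("The certificate is now revoked and should not have passed the check but it did.");
        } catch (CertPathValidatorException e) {
            String expectedMsg = "Certificate with serialnumber " + CertTools.getSerialNumberAsString(usercert)
                    + " was revoked";
            assertEquals(expectedMsg, e.getLocalizedMessage());
        }
        assertNull("The check was performed using CRL, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        CRL crl2 = checker.getcrl();
        assertNotNull("The check was performed using CRL, so there should be a CRL to grab", crl2);
        assertFalse("The CRLs from the first and second check should not be the same", crl1.equals(crl2));
    } finally {
        // Remove it to clean database
        internalCertStoreSession.removeCRL(alwaysAllowToken, crlFp1);
        internalCertStoreSession.removeCRL(alwaysAllowToken, crlFp2);
        internalCertStoreSession.removeCertificate(usercertFp);
        eeManagementSession.revokeAndDeleteUser(alwaysAllowToken, username, ReasonFlags.unused);
    }
}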
From source file:org.cesecore.certificates.certificate.CertRevocationStatusCheckerTest.java
License:Open Source License
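/**
 * Negative test: the checker fails when it has no URL to fetch revocation information from.
 * <ol>
 * <li>Create a test certificate containing neither AuthorityInformationAccess nor CRLDistributionPoints extensions</li>
 * <li>Create a PKIXCertRevocationStatusChecker object not specifying any URLs</li>
 * <li>Check the revocation status of the test certificate. Expected: error message that the revocation status
 * could not be checked</li>
 * </ol>
 * A CRL is still generated so that the failure is attributable to the missing URL rather than to a
 * missing CRL.
 */
@Test
public void test06VerificationWithNoLinks() throws Exception {
    ArrayList<X509Certificate> caCertChain = new ArrayList<X509Certificate>();
    caCertChain.add((X509Certificate) testx509ca.getCACertificate());
    final String username = "CertRevocationStatusCheckTestUser";
    final String userDN = "CN=" + username;
    String usercertFp = "";
    String crlFp1 = "";
    try {
        // Issue a certificate to a fresh end entity using the fixed end-user profile (no AIA, no CDP).
        createUser(username, userDN, testx509ca.getCAId(), SecConst.EMPTY_ENDENTITYPROFILE,
                CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
        final KeyPair userkeys = KeyTools.genKeys("1024", "RSA");
        X509Certificate usercert = (X509Certificate) signSession.createCertificate(alwaysAllowToken, username,
                "foo123", new PublicKeyWrapper(userkeys.getPublic()));
        usercertFp = CertTools.getFingerprintAsString(usercert);

        // Generate a CRL. Full and delta CRLs share one CRL-number series, so the next number is one past
        // the highest of the two.
        Collection<RevokedCertInfo> revcerts = certStoreSession.listRevokedCertInfo(CADN, -1);
        int fullnumber = crlStoreSession.getLastCRLNumber(CADN, false);
        int deltanumber = crlStoreSession.getLastCRLNumber(CADN, true);
        int nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testx509ca, revcerts, -1, nextCrlNumber);
        byte[] crlBytes = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
        crlFp1 = CertTools.getFingerprintAsString(crlBytes);

        // Empty OCSP and CRL URLs: the checker has nowhere to look.
        PKIXCertRevocationStatusChecker checker = new PKIXCertRevocationStatusChecker("", "", null, caCertChain);
        try {
            checker.check(usercert, null);
            fail("The check should not have been performed because the input parameters were not satisfactory. Inspite of that, the check was successful.");
        } catch (CertPathValidatorException e) {
            final String expectedMsg = "Failed to verify certificate status using the fallback CRL method. Could not find a CRL URL";
            assertEquals(expectedMsg, e.getLocalizedMessage());
        }
        // Neither lookup mechanism should have produced anything.
        assertNull(
                "The check should not have been performed using OCSP, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        assertNull("The check should not have been performed using CRL, so there should not be a CRL to grab",
                checker.getcrl());
    } finally {
        // Remove it to clean database
        internalCertStoreSession.removeCRL(alwaysAllowToken, crlFp1);
        internalCertStoreSession.removeCertificate(usercertFp);
        eeManagementSession.revokeAndDeleteUser(alwaysAllowToken, username, ReasonFlags.unused);
    }
}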
From source file:org.cesecore.certificates.certificate.CertRevocationStatusCheckerTest.java
License:Open Source License
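/**
 * CRL revocation check where the CRLDistributionPoints extension lists two URLs, the first of which
 * points at a CRL issued by an unrelated CA.
 * <p>
 * Each check asserts that the CRL the checker ends up with is the one issued by {@code CADN} — i.e.
 * a CRL from the second test CA must not be accepted as revocation information for a certificate
 * issued by the real test CA. The second CA is created before the {@code try} block, so a failure in
 * {@code addCA} leaves nothing to clean up.
 */
@Test
public void test07VerificationWithMultipleCRLs() throws Exception {
    final String testca2SubjectDN = "CN=SecondTestCA";
    // EJBCA derives a CA id from its subject DN hash code; remove any leftover from a previous run.
    if (caSession.existsCa(testca2SubjectDN)) {
        caSession.removeCA(alwaysAllowToken, testca2SubjectDN.hashCode());
    }
    X509CA testca2 = CaTestUtils.createTestX509CA(testca2SubjectDN, null, false);
    caSession.addCA(alwaysAllowToken, testca2);

    final String defaultCRLDistPoint = "http://localhost:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=";
    final String username = "CertRevocationStatusCheckTestUser";
    final String userDN = "CN=" + username;
    String usercertFp = "";
    String crlFp1 = "", crlFp2 = "", testca2CrlFp1 = "";
    try {
        // The CDP lists the second CA's CRL first, then the real issuer's CRL.
        CertificateProfile cp = certProfileSession.getCertificateProfile(certprofileID);
        cp.setUseCRLDistributionPoint(true);
        cp.setCRLDistributionPointURI(
                defaultCRLDistPoint + testca2SubjectDN + ";" + defaultCRLDistPoint + CADN);
        cp.setCRLIssuer(CADN);
        certProfileSession.changeCertificateProfile(alwaysAllowToken, certprofileName, cp);

        // Issue a certificate to a fresh end entity under that profile.
        createUser(username, userDN, testx509ca.getCAId(), eeprofileID, certprofileID);
        final KeyPair userkeys = KeyTools.genKeys("1024", "RSA");
        X509Certificate usercert = (X509Certificate) signSession.createCertificate(alwaysAllowToken, username,
                "foo123", new PublicKeyWrapper(userkeys.getPublic()));
        usercertFp = CertTools.getFingerprintAsString(usercert);

        // Generate CRL for the "real" CA. Full and delta CRLs share one CRL-number series, so the next
        // number is one past the highest of the two.
        Collection<RevokedCertInfo> revcerts = certStoreSession.listRevokedCertInfo(CADN, -1);
        int fullnumber = crlStoreSession.getLastCRLNumber(CADN, false);
        int deltanumber = crlStoreSession.getLastCRLNumber(CADN, true);
        int nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testx509ca, revcerts, -1, nextCrlNumber);
        byte[] crlBytes = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
        crlFp1 = CertTools.getFingerprintAsString(crlBytes);

        // Only the issuer certificate is supplied; the CRL URLs must come from the CDP extension.
        PKIXCertRevocationStatusChecker checker = new PKIXCertRevocationStatusChecker(
                (X509Certificate) testx509ca.getCACertificate(), null);
        try {
            checker.check(usercert, null);
        } catch (CertPathValidatorException e) {
            fail("The certificate is not revoked and should have passed the check but it did not.");
        }
        assertNull("The check was performed using CRL, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        CRL testx509caCrl = checker.getcrl();
        assertNotNull("The check was performed using CRL, so there should be at least one CRL to grab",
                testx509caCrl);
        assertEquals(CADN, CertTools.getIssuerDN((X509CRL) testx509caCrl));

        // Generate CRL for the second testCA, so that both CDP URLs now resolve.
        revcerts = certStoreSession.listRevokedCertInfo(testca2SubjectDN, -1);
        fullnumber = crlStoreSession.getLastCRLNumber(testca2SubjectDN, false);
        deltanumber = crlStoreSession.getLastCRLNumber(testca2SubjectDN, true);
        nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testca2, revcerts, -1, nextCrlNumber);
        crlBytes = crlStoreSession.getLastCRL(testca2SubjectDN, false);
        testca2CrlFp1 = CertTools.getFingerprintAsString(crlBytes);

        // Check the revocation status again. There should be 2 URLs now; the checker must still end up
        // with the CRL issued by the real CA.
        try {
            checker.check(usercert, null);
        } catch (CertPathValidatorException e) {
            fail("The certificate is not revoked and should have passed the check but it did not.");
        }
        assertNull("The check was performed using CRL, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        testx509caCrl = checker.getcrl();
        assertNotNull("The check was performed using CRL, so there should be at least one CRL to grab",
                testx509caCrl);
        assertEquals(CADN, CertTools.getIssuerDN((X509CRL) testx509caCrl));

        // Revoke the certificate and publish a new CRL from the real CA that lists it.
        eeManagementSession.revokeCert(alwaysAllowToken, CertTools.getSerialNumber(usercert), CADN, 0);
        revcerts = certStoreSession.listRevokedCertInfo(CADN, -1);
        fullnumber = crlStoreSession.getLastCRLNumber(CADN, false);
        deltanumber = crlStoreSession.getLastCRLNumber(CADN, true);
        nextCrlNumber = Math.max(fullnumber, deltanumber) + 1;
        crlCreateSession.generateAndStoreCRL(alwaysAllowToken, testx509ca, revcerts, -1, nextCrlNumber);
        crlBytes = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
        crlFp2 = CertTools.getFingerprintAsString(crlBytes);

        // The same checker instance must now reject the certificate, again based on the real CA's CRL.
        try {
            checker.check(usercert, null);
            fail("The certificate is now revoked and should not have passed the check but it did.");
        } catch (CertPathValidatorException e) {
            String expectedMsg = "Certificate with serialnumber " + CertTools.getSerialNumberAsString(usercert)
                    + " was revoked";
            assertEquals(expectedMsg, e.getLocalizedMessage());
        }
        assertNull("The check was performed using CRL, so there should not be an OCSP response to grab",
                checker.getOCSPResponse());
        testx509caCrl = checker.getcrl();
        assertNotNull("The check was performed using CRL, so there should be at least one CRL to grab",
                testx509caCrl);
        assertEquals(CADN, CertTools.getIssuerDN((X509CRL) testx509caCrl));
    } finally {
        // Remove it to clean database
        internalCertStoreSession.removeCRL(alwaysAllowToken, crlFp1);
        internalCertStoreSession.removeCRL(alwaysAllowToken, crlFp2);
        internalCertStoreSession.removeCRL(alwaysAllowToken, testca2CrlFp1);
        internalCertStoreSession.removeCertificate(usercertFp);
        eeManagementSession.revokeAndDeleteUser(alwaysAllowToken, username, ReasonFlags.unused);
        caSession.removeCA(alwaysAllowToken, testca2.getCAId());
        internalCertStoreSession.removeCertificate(testca2.getCACertificate());
    }
}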
From source file:org.cesecore.util.CertTools.java
License:Open Source License
/**
 * Converts a {@code ReasonFlags} bit string to a single {@code RevokedCertInfo} reason constant.
 * <p>
 * The masks are tested in a fixed order and every match overwrites the result, so when several
 * bits are set the <em>last</em> matching entry wins; in particular {@code unused} takes precedence
 * over every other reason and yields {@code REVOCATION_REASON_UNSPECIFIED}.
 * NOTE(review): for a distribution-point reasons mask (where several bits are legitimately set) this
 * mapping is lossy — confirm that callers only pass single-reason values.
 *
 * @param reasonFlags DERBitString received from org.bouncycastle.asn1.x509.ReasonFlags; may be null
 * @return int according to org.cesecore.certificates.crl.RevokedCertInfo;
 *         {@code REVOCATION_REASON_UNSPECIFIED} for null input or when no known bit is set
 */
public static int bitStringToRevokedCertInfo(DERBitString reasonFlags) {
    if (reasonFlags == null) {
        return RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED;
    }
    final int val = reasonFlags.intValue();
    if (log.isDebugEnabled()) {
        log.debug("Int value of bitString revocation reason: " + val);
    }
    // Each row pairs a ReasonFlags bit mask with the reason code it maps to. Row order is the
    // precedence order described above and must not be changed without changing the contract.
    final int[][] maskToReason = {
        { ReasonFlags.aACompromise, RevokedCertInfo.REVOCATION_REASON_AACOMPROMISE },
        { ReasonFlags.affiliationChanged, RevokedCertInfo.REVOCATION_REASON_AFFILIATIONCHANGED },
        { ReasonFlags.cACompromise, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE },
        { ReasonFlags.certificateHold, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD },
        { ReasonFlags.cessationOfOperation, RevokedCertInfo.REVOCATION_REASON_CESSATIONOFOPERATION },
        { ReasonFlags.keyCompromise, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE },
        { ReasonFlags.privilegeWithdrawn, RevokedCertInfo.REVOCATION_REASON_PRIVILEGESWITHDRAWN },
        { ReasonFlags.superseded, RevokedCertInfo.REVOCATION_REASON_SUPERSEDED },
        { ReasonFlags.unused, RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED },
    };
    int reason = RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED;
    for (int[] row : maskToReason) {
        if ((val & row[0]) != 0) {
            reason = row[1];
        }
    }
    return reason;
}
From source file:org.ejbca.core.protocol.cmp.AuthenticationModulesTest.java
License:Open Source License
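/**
 * Sends an HMAC-protected CMP revocation request in RA mode and verifies that the certificate ends
 * up revoked.
 * <p>
 * The shared secret ("foo123") is both the configured authentication parameter and the PBE secret
 * used to protect the request, so the server must accept the MAC. The response check pins
 * {@code sha1WithRSAEncryption} as the expected signature algorithm of the CMP response.
 * The CMP configuration change is not reverted in this method.
 */
@Test
public void test04HMACRevReq() throws Exception {
    this.cmpConfiguration.setAuthenticationModule(ALIAS, CmpConfiguration.AUTHMODULE_HMAC);
    this.cmpConfiguration.setAuthenticationParameters(ALIAS, "foo123");
    this.cmpConfiguration.setRAMode(ALIAS, true);
    this.globalConfigurationSession.saveConfiguration(ADMIN, this.cmpConfiguration);

    final X500Name revUserDN = new X500Name("CN=cmprevuser1,C=SE");
    final String revUsername = "cmprevuser1";
    String fingerprint = null;
    try {
        // Reuse an existing, not yet revoked certificate for this subject if there is one.
        Collection<Certificate> certs = this.certificateStoreSession
                .findCertificatesBySubjectAndIssuer(revUserDN.toString(), issuerDN);
        // Log the DN that was actually queried, not the class-level USER_DN.
        log.debug("Found " + certs.size() + " certificates for userDN \"" + revUserDN + "\"");
        Certificate cert = null;
        for (Certificate candidate : certs) {
            if (!this.certificateStoreSession.isRevoked(issuerDN, CertTools.getSerialNumber(candidate))) {
                cert = candidate;
                break;
            }
        }
        // Otherwise issue a fresh one.
        if (cert == null) {
            createUser(revUsername, revUserDN.toString(), "foo123", true, this.caid,
                    SecConst.EMPTY_ENDENTITYPROFILE, CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
            KeyPair admkeys = KeyTools.genKeys("1024", "RSA");
            cert = this.signSession.createCertificate(ADMIN, revUsername, "foo123",
                    new PublicKeyWrapper(admkeys.getPublic()));
        }
        assertNotNull("No certificate to revoke.", cert);
        fingerprint = CertTools.getFingerprintAsString(cert); // to be able to remove

        // Build the revocation request and protect it with password-based MAC.
        PKIMessage msg = genRevReq(issuerDN, revUserDN, CertTools.getSerialNumber(cert), this.cacert, this.nonce,
                this.transid, false, null, null);
        assertNotNull("Generating RevocationRequest failed.", msg);
        PKIMessage req = protectPKIMessage(msg, false, "foo123", "mykeyid", 567);
        assertNotNull("Protecting PKIMessage with HMACPbe failed.", req);
        final ByteArrayOutputStream bao = new ByteArrayOutputStream();
        final DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(req);
        final byte[] ba = bao.toByteArray();

        // Send request and receive response
        final byte[] resp = sendCmpHttp(ba, 200, ALIAS);
        checkCmpResponseGeneral(resp, issuerDN, revUserDN, this.cacert,
                req.getHeader().getSenderNonce().getOctets(), req.getHeader().getTransactionID().getOctets(),
                true, null, PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
        int revStatus = checkRevokeStatus(issuerDN, CertTools.getSerialNumber(cert));
        Assert.assertNotEquals("Revocation request failed to revoke the certificate", RevokedCertInfo.NOT_REVOKED,
                revStatus);
    } finally {
        if (this.eeAccessSession.findUser(ADMIN, revUsername) != null) {
            this.endEntityManagementSession.revokeAndDeleteUser(ADMIN, revUsername, ReasonFlags.unused);
        }
        // fingerprint stays null if no certificate was obtained; skip the removal in that case so the
        // original failure is not masked by a cleanup error.
        if (fingerprint != null) {
            this.internalCertStoreSession.removeCertificate(fingerprint);
        }
    }
}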