List of usage examples for org.bouncycastle.tsp TimeStampResponse TimeStampResponse
TimeStampResponse(DLSequence dlSequence) throws TSPException, IOException
From source file:org.signserver.module.tsa.RequestedPolicyDispatcherTest.java
License:Open Source License
private TimeStampResponse requestTimeStamp(int worker, TimeStampRequest request) throws IOException, IllegalRequestException, CryptoTokenOfflineException, TSPException, SignServerException { final int reqid = random.nextInt(); byte[] requestBytes = request.getEncoded(); GenericSignRequest signRequest = new GenericSignRequest(reqid, requestBytes); final GenericSignResponse res = (GenericSignResponse) workerSession.process(worker, signRequest, new RequestContext()); return new TimeStampResponse((byte[]) res.getProcessedData()); }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/** * Test successfully doing a TSA request. * /*from w w w . j ava 2 s . c o m*/ * @param worker Worker ID * @param includeSigningTime If the signingTime signed CMS attribute is expected or not * @return Time stamp response * @throws Exception */ private TimeStampResponse assertSuccessfulTimestamp(int worker, final boolean includeSigningTime) throws Exception { int reqid = random.nextInt(); TimeStampRequestGenerator timeStampRequestGenerator = new TimeStampRequestGenerator(); TimeStampRequest timeStampRequest = timeStampRequestGenerator.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); byte[] requestBytes = timeStampRequest.getEncoded(); GenericSignRequest signRequest = new GenericSignRequest(reqid, requestBytes); final GenericSignResponse res = (GenericSignResponse) workerSession.process(worker, signRequest, new RequestContext()); assertTrue(reqid == res.getRequestID()); Certificate signercert = res.getSignerCertificate(); assertNotNull(signercert); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); timeStampResponse.validate(timeStampRequest); assertEquals("Token granted", PKIStatus.GRANTED, timeStampResponse.getStatus()); assertNotNull("Got timestamp token", timeStampResponse.getTimeStampToken()); // Validate the signature of the token try { final SignerInformationVerifier infoVerifier = new JcaSimpleSignerInfoVerifierBuilder() .setProvider("BC").build((X509Certificate) signercert); timeStampResponse.getTimeStampToken().validate(infoVerifier); } catch (TSPValidationException ex) { LOG.error("Token validation failed", ex); fail("Token validation failed: " + ex.getMessage()); } // check the signingTime signed attribute final AttributeTable attrs = timeStampResponse.getTimeStampToken().getSignedAttributes(); final Attribute attr = attrs.get(CMSAttributes.signingTime); if (includeSigningTime) { assertNotNull("Should contain signingTime signed attribute", attr); } else { assertNull("Should not contain signingTime signed attribute", attr); } return timeStampResponse; }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/** * Test that a timestamp token is not granted for an policy not listed in * ACCEPTEDPOLICIES and that a proper resoonse is sent back. * @throws Exception in case of exception *///from w ww .j a v a 2 s . c o m @Test public void test03NotAcceptedPolicy() throws Exception { // WORKER2 has ACCEPTEDPOLICIES=1.2.3 // Create an request with another policy (1.2.3.5 != 1.2.3) final TimeStampRequest timeStampRequest = new TimeStampRequest( Base64.decode(REQUEST_WITH_POLICY1235.getBytes())); final byte[] requestBytes = timeStampRequest.getEncoded(); final GenericSignRequest signRequest = new GenericSignRequest(13, requestBytes); final GenericSignResponse res = (GenericSignResponse) workerSession.process(WORKER2, signRequest, new RequestContext()); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); timeStampResponse.validate(timeStampRequest); LOG.info("Response: " + timeStampResponse.getStatusString()); assertEquals("Token rejected", PKIStatus.REJECTION, timeStampResponse.getStatus()); }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
private int testWithHash(final ASN1ObjectIdentifier hashAlgo) throws Exception { int reqid = random.nextInt(); TimeStampRequestGenerator timeStampRequestGenerator = new TimeStampRequestGenerator(); final TimeStampRequest timeStampRequest = timeStampRequestGenerator.generate(hashAlgo, new byte[getHashLength(hashAlgo)], BigInteger.valueOf(100)); byte[] requestBytes = timeStampRequest.getEncoded(); GenericSignRequest signRequest = new GenericSignRequest(reqid, requestBytes); final GenericSignResponse res = (GenericSignResponse) workerSession.process(WORKER1, signRequest, new RequestContext()); final CertificateFactory factory = CertificateFactory.getInstance("X.509"); final X509Certificate cert = (X509Certificate) factory .generateCertificate(new ByteArrayInputStream(Base64.decode(CERTSTRING.getBytes()))); TimeStampResponse timeStampResponse = null; try {/* w w w . j a v a 2s. co m*/ // check response timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); timeStampResponse.validate(timeStampRequest); if (timeStampResponse.getStatus() != PKIStatus.GRANTED) { // return early and don't attempt to get a token return timeStampResponse.getStatus(); } // check the hash value from the response TimeStampToken token = timeStampResponse.getTimeStampToken(); AlgorithmIdentifier algo = token.getTimeStampInfo().getHashAlgorithm(); assertEquals("Timestamp response is using incorrect hash algorithm", hashAlgo, algo.getAlgorithm()); Collection signerInfos = token.toCMSSignedData().getSignerInfos().getSigners(); // there should be one SignerInfo assertEquals("There should only be one signer in the timestamp response", 1, signerInfos.size()); for (Object o : signerInfos) { SignerInformation si = (SignerInformation) o; // test the response signature algorithm assertEquals("Timestamp used unexpected signature algorithm", TSPAlgorithms.SHA1.toString(), si.getDigestAlgOID()); assertEquals("Timestamp is signed with unexpected signature encryption algorithm", "1.2.840.113549.1.1.1", si.getEncryptionAlgOID()); final AttributeTable attrs = si.getSignedAttributes(); final ASN1EncodableVector scAttrs = attrs.getAll(PKCSObjectIdentifiers.id_aa_signingCertificate); assertEquals("Should contain a signingCertificate signed attribute", 1, scAttrs.size()); TestUtils.checkSigningCertificateAttribute(ASN1Sequence.getInstance(scAttrs.get(0)), cert); } } catch (TSPException e) { fail("Failed to verify response"); } catch (IOException e) { fail("Failed to verify response"); } final TimeStampToken token = timeStampResponse.getTimeStampToken(); try { token.validate(cert, "BC"); } catch (TSPException e) { fail("Failed to validate response token"); } return timeStampResponse.getStatus(); }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
private void assertTimeNotAvailable(int worker) throws Exception { final int reqid = random.nextInt(); final TimeStampRequestGenerator timeStampRequestGenerator = new TimeStampRequestGenerator(); final TimeStampRequest timeStampRequest = timeStampRequestGenerator.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(114)); final byte[] requestBytes = timeStampRequest.getEncoded(); final GenericSignRequest signRequest = new GenericSignRequest(reqid, requestBytes); final GenericSignResponse res = (GenericSignResponse) workerSession.process(worker, signRequest, new RequestContext()); assertTrue(reqid == res.getRequestID()); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); timeStampResponse.validate(timeStampRequest); LOG.info("Response: " + timeStampResponse.getStatusString()); assertEquals("Token not granted", PKIStatus.REJECTION, timeStampResponse.getStatus()); assertEquals("PKIFailureInfo.timeNotAvailable", new PKIFailureInfo(PKIFailureInfo.timeNotAvailable), timeStampResponse.getFailInfo()); assertNull("No timestamp token", timeStampResponse.getTimeStampToken()); }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/** * Check that we either include the signer certificate if it is missing or * otherwise fails the request.// w ww . ja v a 2 s. c om * * In addition Health check should also report an error for this. * * RFC#3161 2.4.1: * "If the certReq field is present and set to true, the TSA's public key * certificate that is referenced by the ESSCertID identifier inside a * SigningCertificate attribute in the response MUST be provided by the * TSA in the certificates field from the SignedData structure in that * response. That field may also contain other certificates." */ @Test public void test09SignerCertificateMustBeIncluded() throws Exception { List<Certificate> chain = workerSession.getSignerCertificateChain(WORKER2); final X509Certificate subject = (X509Certificate) chain.get(0); X509Certificate issuer = (X509Certificate) chain.get(1); // Now, don't include the signer certificate in the chain // For some reason we need to upload the signer certificate again :S workerSession.uploadSignerCertificate(WORKER2, subject.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(WORKER2, Arrays.asList(issuer.getEncoded()), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(WORKER2); if (!subject.equals(workerSession.getSignerCertificate(WORKER2))) { LOG.info("Subject: " + subject); LOG.info("Signer: " + workerSession.getSignerCertificate(WORKER2)); throw new Exception("Something is fishy. Test assumed the signer certificate to be present"); } // Test the status of the worker WorkerStatus actualStatus = workerSession.getStatus(WORKER2); assertEquals("should be error as signer certificate is not included in chain", 1, actualStatus.getFatalErrors().size()); assertTrue("error should talk about missing signer certificate: " + actualStatus.getFatalErrors(), actualStatus.getFatalErrors().get(0).contains("ertificate")); // Send a request including certificates TimeStampRequestGenerator timeStampRequestGenerator = new TimeStampRequestGenerator(); timeStampRequestGenerator.setCertReq(true); TimeStampRequest timeStampRequest = timeStampRequestGenerator.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); byte[] requestBytes = timeStampRequest.getEncoded(); GenericSignRequest signRequest = new GenericSignRequest(123124, requestBytes); try { final GenericSignResponse res = (GenericSignResponse) workerSession.process(WORKER2, signRequest, new RequestContext()); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); timeStampResponse.validate(timeStampRequest); if (PKIStatus.GRANTED == timeStampResponse.getStatus()) { fail("Should have failed as the signer is miss-configured"); } } catch (CryptoTokenOfflineException ex) { assertTrue("message should talk about missing signer certificate", ex.getMessage().contains("igner certificate")); } finally { // Restore workerSession.uploadSignerCertificate(WORKER2, subject.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(WORKER2, asListOfByteArrays(chain), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(WORKER2); } }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/** * Tests that status is not OK and that an failure is generated when trying * to sign when the right signer certificate is not configured. * *///from ww w . j av a2 s . c om @Test public void test10WrongSignerCertificate() throws Exception { final List<Certificate> chain = workerSession.getSignerCertificateChain(WORKER2); final X509Certificate subject = (X509Certificate) workerSession.getSignerCertificate(WORKER2); // Any other certificate that will no match the key-pair final X509Certificate other = new JcaX509CertificateConverter() .getCertificate(new CertBuilder().setSubject("CN=Other") .addExtension(new CertExt(org.bouncycastle.asn1.x509.X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping))) .build()); try { // Use the other certificate which will not match the key + the right cert in chain workerSession.uploadSignerCertificate(WORKER2, other.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(WORKER2, Arrays.asList(subject.getEncoded()), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(WORKER2); // Test the status of the worker WorkerStatus actualStatus = workerSession.getStatus(WORKER2); assertEquals("should be error as the right signer certificate is not configured", 2, actualStatus.getFatalErrors().size()); assertTrue("error should talk about incorrect signer certificate: " + actualStatus.getFatalErrors(), actualStatus.getFatalErrors().get(0).contains("ertificate")); // Send a request including certificates TimeStampRequestGenerator timeStampRequestGenerator = new TimeStampRequestGenerator(); timeStampRequestGenerator.setCertReq(true); TimeStampRequest timeStampRequest = timeStampRequestGenerator.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); byte[] requestBytes = timeStampRequest.getEncoded(); GenericSignRequest signRequest = new GenericSignRequest(123124, requestBytes); try { final GenericSignResponse res = (GenericSignResponse) workerSession.process(WORKER2, signRequest, new RequestContext()); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); timeStampResponse.validate(timeStampRequest); if (PKIStatus.GRANTED == timeStampResponse.getStatus()) { fail("Should have failed as the signer is miss-configured"); } } catch (CryptoTokenOfflineException ex) { assertTrue("message should talk about incorrect signer certificate", ex.getMessage().contains("igner certificate")); } } finally { // Restore workerSession.uploadSignerCertificate(WORKER2, subject.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(WORKER2, asListOfByteArrays(chain), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(WORKER2); } }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/** * Tests that status is not OK and that an failure is generated when trying * to sign when the right signer certificate is not configured in the * certificate chain property.//from www . j a v a 2s . c o m * */ @Test public void test10WrongSignerCertificate_InChain() throws Exception { final List<Certificate> chain = workerSession.getSignerCertificateChain(WORKER2); final X509Certificate subject = (X509Certificate) workerSession.getSignerCertificate(WORKER2); // Any other certificate that will no match the key-pair final X509Certificate other = new JcaX509CertificateConverter() .getCertificate(new CertBuilder().setSubject("CN=Other").build()); try { // Use the right certificate but the other in the certificate chain workerSession.uploadSignerCertificate(WORKER2, subject.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(WORKER2, Arrays.asList(other.getEncoded()), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(WORKER2); // Test the status of the worker WorkerStatus actualStatus = workerSession.getStatus(WORKER2); assertEquals("should be error as the right signer certificate is not configured", 1, actualStatus.getFatalErrors().size()); assertTrue("error should talk about incorrect signer certificate: " + actualStatus.getFatalErrors(), actualStatus.getFatalErrors().get(0).contains("ertificate")); // Send a request including certificates TimeStampRequestGenerator timeStampRequestGenerator = new TimeStampRequestGenerator(); timeStampRequestGenerator.setCertReq(true); TimeStampRequest timeStampRequest = timeStampRequestGenerator.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); byte[] requestBytes = timeStampRequest.getEncoded(); GenericSignRequest signRequest = new GenericSignRequest(123124, requestBytes); try { final GenericSignResponse res = (GenericSignResponse) workerSession.process(WORKER2, signRequest, new RequestContext()); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); timeStampResponse.validate(timeStampRequest); if (PKIStatus.GRANTED == timeStampResponse.getStatus()) { fail("Should have failed as the signer is miss-configured"); } } catch (CryptoTokenOfflineException ex) { assertTrue("message should talk about incorrect signer certificate", ex.getMessage().contains("igner certificate")); } } finally { // Restore workerSession.uploadSignerCertificate(WORKER2, subject.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(WORKER2, asListOfByteArrays(chain), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(WORKER2); } }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/** * Test that the default behavior on rejection is to include a status string. * @throws Exception/* w ww . j a v a2 s . c o m*/ */ @Test public void test27StatusStringIncludedFailure() throws Exception { // WORKER2 has ACCEPTEDPOLICIES=1.2.3 // Create an request with another policy (1.2.3.5 != 1.2.3) final TimeStampRequest timeStampRequest = new TimeStampRequest( Base64.decode(REQUEST_WITH_POLICY1235.getBytes())); final byte[] requestBytes = timeStampRequest.getEncoded(); final GenericSignRequest signRequest = new GenericSignRequest(13, requestBytes); final GenericSignResponse res = (GenericSignResponse) workerSession.process(WORKER2, signRequest, new RequestContext()); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); assertNotNull(timeStampResponse.getStatusString()); }
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/** * Test that setting the INCLUDESTATUSSTRING property to false results in no status string * on rejection.//from ww w .j a va 2s . co m * @throws Exception */ @Test public void test28StatusStringExcludedFailure() throws Exception { workerSession.setWorkerProperty(WORKER2, TimeStampSigner.INCLUDESTATUSSTRING, "FALSE"); workerSession.reloadConfiguration(WORKER2); // WORKER2 has ACCEPTEDPOLICIES=1.2.3 // Create an request with another policy (1.2.3.5 != 1.2.3) final TimeStampRequest timeStampRequest = new TimeStampRequest( Base64.decode(REQUEST_WITH_POLICY1235.getBytes())); final byte[] requestBytes = timeStampRequest.getEncoded(); final GenericSignRequest signRequest = new GenericSignRequest(13, requestBytes); final GenericSignResponse res = (GenericSignResponse) workerSession.process(WORKER2, signRequest, new RequestContext()); final TimeStampResponse timeStampResponse = new TimeStampResponse((byte[]) res.getProcessedData()); assertNull(timeStampResponse.getStatusString()); }