Java tutorial
/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/ package org.ejbca.core.ejb.ca.crl; import java.io.ByteArrayInputStream; import java.math.BigInteger; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.cert.X509CRL; import java.security.cert.X509CRLEntry; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Date; import java.util.Iterator; import java.util.Set; import javax.ejb.EJBException; import javax.persistence.PersistenceException; import org.apache.log4j.Logger; import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.DERIA5String; import org.bouncycastle.asn1.x509.CRLDistPoint; import org.bouncycastle.asn1.x509.DistributionPoint; import org.bouncycastle.asn1.x509.DistributionPointName; import org.bouncycastle.asn1.x509.GeneralNames; import org.bouncycastle.asn1.x509.IssuingDistributionPoint; import org.bouncycastle.asn1.x509.X509Extensions; import org.cesecore.core.ejb.ca.crl.CrlCreateSessionRemote; import org.cesecore.core.ejb.ca.crl.CrlSessionRemote; import org.cesecore.core.ejb.ca.store.CertificateProfileSessionRemote; import org.cesecore.core.ejb.ra.raadmin.EndEntityProfileSessionRemote; import org.ejbca.config.WebConfiguration; import org.ejbca.core.ejb.ca.CaTestCase; import org.ejbca.core.ejb.ca.caadmin.CAAdminSessionRemote; import org.ejbca.core.ejb.ca.caadmin.CaSessionRemote; import org.ejbca.core.ejb.ca.sign.SignSessionRemote; import org.ejbca.core.ejb.ca.store.CertificateStoreSessionRemote; import org.ejbca.core.ejb.ra.UserAdminSessionRemote; import org.ejbca.core.model.SecConst; import org.ejbca.core.model.ca.caadmin.CA; import org.ejbca.core.model.ca.caadmin.CADoesntExistsException; import org.ejbca.core.model.ca.caadmin.CAInfo; import org.ejbca.core.model.ca.caadmin.X509CAInfo; import org.ejbca.core.model.ca.catoken.CATokenOfflineException; import org.ejbca.core.model.ca.certificateprofiles.CertificateProfile; import org.ejbca.core.model.ca.certificateprofiles.CertificateProfileExistsException; import org.ejbca.core.model.ca.crl.RevokedCertInfo; import org.ejbca.core.model.ca.store.CertificateInfo; import org.ejbca.core.model.log.Admin; import org.ejbca.core.model.ra.ExtendedInformation; import org.ejbca.core.model.ra.NotFoundException; import org.ejbca.core.model.ra.UserDataConstants; import org.ejbca.core.model.ra.UserDataVO; import org.ejbca.core.model.ra.raadmin.EndEntityProfile; import org.ejbca.core.model.ra.raadmin.EndEntityProfileExistsException; import org.ejbca.util.CertTools; import org.ejbca.util.CryptoProviderTools; import org.ejbca.util.InterfaceCache; import org.ejbca.util.cert.CrlExtensions; import org.ejbca.util.keystore.KeyTools; /** * Tests CRL session (agentrunner and certificatesession). * * @version $Id: CreateCRLSessionTest.java 11526 2011-03-16 12:03:24Z netmackan $ */ public class CreateCRLSessionTest extends CaTestCase { private final static Logger log = Logger.getLogger(CreateCRLSessionTest.class); private final static Admin admin = new Admin(Admin.TYPE_CACOMMANDLINE_USER); private static int caid; private static CA ca; private static final String TESTUSERNAME = "TestCreateCRLSessionUser"; private static final String TESTPROFILE = "TestCreateCRLSessionProfile"; private CAAdminSessionRemote caAdminSession = InterfaceCache.getCAAdminSession(); private CaSessionRemote caSession = InterfaceCache.getCaSession(); private CertificateStoreSessionRemote certificateStoreSession = InterfaceCache.getCertificateStoreSession(); private CertificateProfileSessionRemote certificateProfileSession = InterfaceCache .getCertificateProfileSession(); private CrlSessionRemote crlSession = InterfaceCache.getCrlSession(); private CrlCreateSessionRemote crlCreateSession = InterfaceCache.getCrlStoreSession(); private EndEntityProfileSessionRemote endEntityProfileSession = InterfaceCache.getEndEntityProfileSession(); private SignSessionRemote signSession = InterfaceCache.getSignSession(); private UserAdminSessionRemote userAdminSession = InterfaceCache.getUserAdminSession(); /** * Creates a new TestCreateCRLSession object. * * @param name * name */ public CreateCRLSessionTest(String name) throws Exception { super(name); CryptoProviderTools.installBCProviderIfNotAvailable(); assertTrue("Could not create TestCA.", createTestCA()); CAInfo inforsa = caAdminSession.getCAInfo(admin, "TEST"); assertTrue("No active RSA CA! Must have at least one active CA to run tests!", inforsa != null); caid = inforsa.getCAId(); ca = caSession.getCA(admin, caid); } public void setUp() throws Exception { } public void tearDown() throws Exception { } /** * creates new crl * * @throws Exception * error */ public void test01CreateNewCRL() throws Exception { log.trace(">test01CreateNewCRL()"); crlCreateSession.run(admin, ca); log.trace("<test01CreateNewCRL()"); } /** * gets last crl * * @throws Exception * error */ public void test02LastCRL() throws Exception { log.trace(">test02LastCRL()"); // Get number of last CRL int number = crlSession.getLastCRLNumber(admin, ca.getSubjectDN(), false); log.debug("Last CRLNumber = " + number); byte[] crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); X509CRL x509crl = CertTools.getCRLfromByteArray(crl); BigInteger num = CrlExtensions.getCrlNumber(x509crl); // Create a new CRL again to see that the number increases crlCreateSession.run(admin, ca); int number1 = crlSession.getLastCRLNumber(admin, ca.getSubjectDN(), false); assertEquals(number + 1, number1); byte[] crl1 = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); X509CRL x509crl1 = CertTools.getCRLfromByteArray(crl1); BigInteger num1 = CrlExtensions.getCrlNumber(x509crl1); assertEquals(num.intValue() + 1, num1.intValue()); log.trace("<test02LastCRL()"); } /** * check revoked certificates * * @throws Exception * error */ public void test03CheckNumberofRevokedCerts() throws Exception { log.trace(">test03CheckNumberofRevokedCerts()"); // Get number of last CRL Collection<RevokedCertInfo> revfp = certificateStoreSession.listRevokedCertInfo(admin, ca.getSubjectDN(), -1); log.debug("Number of revoked certificates=" + revfp.size()); byte[] crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); X509CRL x509crl = CertTools.getCRLfromByteArray(crl); Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates(); int revsize = 0; if (revset != null) { revsize = revset.size(); assertEquals(revfp.size(), revsize); } log.trace("<test03CheckNumberofRevokedCerts()"); } /** * Test revocation and reactivation of certificates * * @throws Exception * error */ public void test04RevokeAndUnrevoke() throws Exception { log.trace(">test04RevokeAndUnrevoke()"); // Make user that we know... boolean userExists = false; final String userDN = "C=SE,O=AnaTom,CN=foo"; try { userAdminSession.addUser(admin, "foo", "foo123", userDN, null, "foo@anatom.se", false, SecConst.EMPTY_ENDENTITYPROFILE, SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.USER_ENDUSER, SecConst.TOKEN_SOFT_PEM, 0, caid); log.debug("created user: foo, foo123, C=SE, O=AnaTom, CN=foo"); } catch (EJBException e) { if (e.getCause() instanceof PersistenceException) { userExists = true; } } if (userExists) { log.info("User foo already exists, resetting status."); UserDataVO userdata = new UserDataVO("foo", userDN, caid, null, "foo@anatom.se", SecConst.USER_ENDUSER, SecConst.EMPTY_ENDENTITYPROFILE, SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.TOKEN_SOFT_PEM, 0, null); userdata.setStatus(UserDataConstants.STATUS_NEW); userdata.setPassword("foo123"); userAdminSession.changeUser(admin, userdata, false); log.debug("Reset status to NEW"); } KeyPair keys = genKeys(); // user that we know exists... X509Certificate cert = (X509Certificate) signSession.createCertificate(admin, "foo", "foo123", keys.getPublic()); assertNotNull("Misslyckades skapa cert", cert); log.debug("Cert=" + cert.toString()); // Create a new CRL again... crlCreateSession.run(admin, ca); // Check that our newly signed certificate is not present in a new CRL byte[] crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); X509CRL x509crl = CertTools.getCRLfromByteArray(crl); Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates(); if (revset != null) { Iterator<? extends X509CRLEntry> iter = revset.iterator(); while (iter.hasNext()) { X509CRLEntry ce = iter.next(); assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0); } } // If no revoked certificates exist at all, this test passed... certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, userDN); // Create a new CRL again... crlCreateSession.run(admin, ca); // Check that our newly signed certificate IS present in a new CRL crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); assertNotNull(revset); Iterator<? extends X509CRLEntry> iter = revset.iterator(); boolean found = false; while (iter.hasNext()) { X509CRLEntry ce = iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; // TODO: verify the reason code } } assertTrue("Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found); // Unrevoke the certificate that we just revoked certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.NOT_REVOKED, userDN); // Create a new CRL again... crlCreateSession.run(admin, ca); // Check that our newly signed certificate IS NOT present in the new // CRL. crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); if (revset != null) { iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; } } assertFalse(found); } // If no revoked certificates exist at all, this test passed... certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, userDN); assertTrue("Failed to revoke certificate!", certificateStoreSession.isRevoked(CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert))); // Create a new CRL again... crlCreateSession.run(admin, ca); // Check that our newly signed certificate IS present in a new CRL crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = (X509CRLEntry) iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; // TODO: verify the reason code } } assertTrue(found); certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.NOT_REVOKED, userDN); assertTrue("Was able to re-activate permanently revoked certificate!", certificateStoreSession.isRevoked(CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert))); // Create a new CRL again... crlCreateSession.run(admin, ca); // Check that our newly signed certificate is present in the new CRL, // because the revocation reason // was not CERTIFICATE_HOLD, we can only un-revoke certificates that are // on hold. crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = (X509CRLEntry) iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; } } assertTrue(found); log.trace("<test04RevokeAndUnrevoke()"); } /** * Test Overflow of CRL Period * * @throws Exception * error */ public void test05CRLPeriodOverflow() throws Exception { log.trace(">test05CRLPeriodOverflow()"); // Fetch CAInfo and save CRLPeriod CAInfo cainfo = ca.getCAInfo(); long tempCRLPeriod = cainfo.getCRLPeriod(); try { // Create a user that Should be revoked boolean userExists = false; final String userDN = "CN=" + TESTUSERNAME; try { int certprofileid = 0; // add a Certificate Profile with overridable validity try { CertificateProfile certProfile = new CertificateProfile(); certProfile.setAllowValidityOverride(true); certificateProfileSession.addCertificateProfile(admin, TESTPROFILE, certProfile); } catch (CertificateProfileExistsException cpeee) { } certprofileid = certificateProfileSession.getCertificateProfileId(admin, TESTPROFILE); assertTrue(certprofileid != 0); // add End Entity Profile with validity limitations EndEntityProfile profile; try { endEntityProfileSession.removeEndEntityProfile(admin, TESTPROFILE); profile = new EndEntityProfile(); profile.setUse(EndEntityProfile.ENDTIME, 0, true); profile.setUse(EndEntityProfile.CLEARTEXTPASSWORD, 0, false); profile.setValue(EndEntityProfile.CLEARTEXTPASSWORD, 0, EndEntityProfile.FALSE); profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.valueOf(caid).toString()); profile.setUse(EndEntityProfile.STARTTIME, 0, true); profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.valueOf(certprofileid).toString()); profile.setValue(EndEntityProfile.DEFAULTCERTPROFILE, 0, Integer.valueOf(certprofileid).toString()); endEntityProfileSession.addEndEntityProfile(admin, TESTPROFILE, profile); } catch (EndEntityProfileExistsException pee) { } // Create a new user ExtendedInformation ei = new ExtendedInformation(); ei.setCustomData(EndEntityProfile.STARTTIME, "0:00:00"); ei.setCustomData(EndEntityProfile.ENDTIME, "0:00:50"); UserDataVO userdata = new UserDataVO(TESTUSERNAME, userDN, caid, "", "foo@bar.se", UserDataConstants.STATUS_NEW, SecConst.USER_ENDUSER, endEntityProfileSession.getEndEntityProfileId(admin, TESTPROFILE), certprofileid, new Date(), new Date(), SecConst.TOKEN_SOFT_PEM, 0, ei); userdata.setPassword("foo123"); try { userAdminSession.revokeAndDeleteUser(admin, TESTUSERNAME, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE); } catch (NotFoundException nfe) { } userAdminSession.addUser(admin, userdata, false); log.debug("created user"); } catch (EJBException e) { if (e.getCause() instanceof PersistenceException) { userExists = true; } } if (userExists) { log.info("User testCRLPeriod already exists, resetting status."); userAdminSession.setUserStatus(admin, TESTUSERNAME, UserDataConstants.STATUS_NEW); log.debug("Reset status to NEW"); } KeyPair keys = genKeys(); // user that we know exists... X509Certificate cert = (X509Certificate) signSession.createCertificate(admin, TESTUSERNAME, "foo123", keys.getPublic()); assertNotNull("Failed to create certificate", cert); log.debug("Cert=" + cert.toString()); // Revoke the user certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, userDN); // Change CRLPeriod cainfo.setCRLPeriod(Long.MAX_VALUE); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); // Create new CRL's crlCreateSession.run(admin, ca); // Verify that status is not archived CertificateInfo certinfo = certificateStoreSession.getCertificateInfo(admin, CertTools.getFingerprintAsString(cert)); assertFalse("Non Expired Revoked Certificate was archived", certinfo.getStatus() == SecConst.CERT_ARCHIVED); } finally { // Restore CRL Period cainfo.setCRLPeriod(tempCRLPeriod); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); // Delete and revoke User userAdminSession.revokeAndDeleteUser(admin, TESTUSERNAME, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE); // Delete end entity profile certificateProfileSession.removeCertificateProfile(admin, TESTPROFILE); // Delete certificate profile try { endEntityProfileSession.removeEndEntityProfile(admin, TESTPROFILE); } catch (Exception e) { log.error("Could not remove End Entity Profile"); } } } /** * Tests the extension CRL Distribution Point on CRLs * * @throws Exception * error */ public void test06CRLDistPointOnCRL() throws Exception { log.trace(">test06CRLDistPointOnCRL()"); final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; X509CAInfo cainfo = (X509CAInfo) ca.getCAInfo(); X509CRL x509crl; byte[] cdpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); crlCreateSession.run(admin, ca); x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); cdpDER = x509crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId()); assertNotNull("CRL has no distribution points", cdpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cdpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); IssuingDistributionPoint cdp = new IssuingDistributionPoint((ASN1Sequence) aIn.readObject()); DistributionPointName distpoint = cdp.getDistributionPoint(); assertEquals("CRL distribution point is different", cdpURL, ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString()); cainfo.setUseCrlDistributionPointOnCrl(false); cainfo.setDefaultCRLDistPoint(""); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); crlCreateSession.run(admin, ca); x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); assertNull("CRL has distribution points", x509crl.getExtensionValue(X509Extensions.CRLDistributionPoints.getId())); log.trace("<test06CRLDistPointOnCRL()"); } /** * Tests the extension Freshest CRL DP. * * @throws Exception * in case of error. */ public void test07CRLFreshestCRL() throws Exception { log.trace(">test07CRLFreshestCRL()"); final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; final String freshestCdpURL = "http://www.ejbca.org/foo/delta.crl"; X509CAInfo cainfo = (X509CAInfo) caAdminSession.getCAInfo(admin, caid); X509CRL x509crl; byte[] cFreshestDpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); cainfo.setCADefinedFreshestCRL(freshestCdpURL); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); crlCreateSession.run(admin, ca); x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); cFreshestDpDER = x509crl.getExtensionValue(X509Extensions.FreshestCRL.getId()); assertNotNull("CRL has no Freshest Distribution Point", cFreshestDpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cFreshestDpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); CRLDistPoint cdp = new CRLDistPoint((ASN1Sequence) aIn.readObject()); DistributionPoint[] distpoints = cdp.getDistributionPoints(); assertEquals("More CRL Freshest distributions points than expected", 1, distpoints.length); assertEquals("Freshest CRL distribution point is different", freshestCdpURL, ((DERIA5String) ((GeneralNames) distpoints[0].getDistributionPoint().getName()).getNames()[0] .getName()).getString()); log.trace("<test07CRLFreshestCRL()"); } public void test08TestCRLStore() throws Exception { log.trace(">test08TestCRLStore()"); final String HTTP_PORT = InterfaceCache.getConfigurationSession() .getProperty(WebConfiguration.CONFIG_HTTPSERVERPUBHTTP, "8080"); final String result = ValidationAuthorityTst.testCRLStore(ca, this.crlSession, HTTP_PORT); assertNull(result, result); log.trace("<test08TestCRLStore()"); } public void test09CrlGenerateForAll() throws Exception { log.trace(">test09CrlGenerateForAll()"); final X509CAInfo cainfo = (X509CAInfo) caAdminSession.getCAInfo(admin, caid); cainfo.setCRLIssueInterval(1); // Issue very often.. cainfo.setDeltaCRLPeriod(1); // Issue very often.. caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); Thread.sleep(1000); final X509CRL x509crl = CertTools .getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); crlCreateSession.createCRLs(admin); final X509CRL x509crlAfter = CertTools .getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); assertTrue("Did not generate a newer CRL.", x509crlAfter.getThisUpdate().after(x509crl.getThisUpdate())); final X509CRL x509deltaCrl = CertTools .getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), true)); crlCreateSession.createDeltaCRLs(admin); final X509CRL x509deltaCrlAfter = CertTools .getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), true)); assertTrue("Did not generate a newer Delta CRL.", x509deltaCrlAfter.getThisUpdate().after(x509deltaCrl.getThisUpdate())); // Try a similar thing when we specify which CA IDs to generate CRLs for // Compare CRL numbers instead of Dates, since these CRLs might have been generated the same second as the last ones final Collection<Integer> caids = new ArrayList<Integer>(); caids.add(Integer.valueOf(caid)); crlCreateSession.createCRLs(admin, caids, 2); final X509CRL x509crlAfter2 = CertTools .getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); assertTrue("Did not generate a newer CRL.", CrlExtensions.getCrlNumber(x509crlAfter2) .intValue() > CrlExtensions.getCrlNumber(x509crlAfter).intValue()); crlCreateSession.createDeltaCRLs(admin, caids, 2); final X509CRL x509deltaCrlAfter2 = CertTools .getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), true)); assertTrue("Did not generate a newer Delta CRL.", CrlExtensions.getCrlNumber(x509deltaCrlAfter2) .intValue() > CrlExtensions.getCrlNumber(x509deltaCrlAfter).intValue()); log.trace("<test09CrlGenerateForAll()"); } /** Test error handling when we request info that does not exist. */ public void test10CrlSessionErrorHandling() { log.trace(">test10CrlSessionErrorHandling()"); assertNull("crlSession.getLastCRL returned a CRL for nonexsting CA", crlSession.getLastCRL(admin, "CN=notexsting", false)); assertNull("crlSession.getLastCRL returned a DeltaCRL for nonexsting CA", crlSession.getLastCRL(admin, "CN=notexsting", true)); assertNull("crlSession.getLastCRLInfo returned CRLInfo for nonexsting CA", crlSession.getLastCRLInfo(admin, "CN=notexsting", false)); assertNull("crlSession.getLastCRLInfo returned Delta CRLInfo for nonexsting CA", crlSession.getLastCRLInfo(admin, "CN=notexsting", true)); assertNull("crlSession.getCRLInfo returned CRLInfo for nonexsting CRL fingerprint", crlSession.getCRLInfo(admin, "tooshortfp")); log.trace("<test10CrlSessionErrorHandling()"); } /** Test error handling during CRL creation. */ public void test11CrlCreateSessionErrorHandling() throws CADoesntExistsException { log.trace(">test11CrlCreateSessionErrorHandling()"); CA ca = caSession.getCA(admin, getTestCAId()); ca.setStatus(SecConst.CA_OFFLINE); try { crlCreateSession.createCRL(admin, ca, null, 0); assertTrue( "Trying to generate a CRL for CA with status CA_OFFLINE did not throw the CATokenOfflineException.", false); } catch (CATokenOfflineException e) { // Expected } log.trace("<test11CrlCreateSessionErrorHandling()"); } public void test99CleanUp() throws Exception { log.trace(">test99CleanUp()"); removeTestCA(); log.trace("<test99CleanUp()"); } // // Helper methods // /** * Generates a RSA key pair. * * @return KeyPair the generated key pair * * @throws Exception * if en error occurs... */ private static KeyPair genKeys() throws Exception { KeyPairGenerator keygen = KeyPairGenerator.getInstance("RSA", "BC"); keygen.initialize(512); log.debug("Generating keys, please wait..."); KeyPair rsaKeys = keygen.generateKeyPair(); log.debug("Generated " + rsaKeys.getPrivate().getAlgorithm() + " keys with length" + KeyTools.getKeyLength(rsaKeys.getPublic())); return rsaKeys; } // genKeys }