/** Tests the extension Freshest CRL DP. */
  @Test
  public void testCRLFreshestCRL() throws Exception {
    final String cdpURL = "http://www.ejbca.org/foo/bar.crl";
    final String freshestCdpURL = "http://www.ejbca.org/foo/delta.crl";
    X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo();
    X509CRL x509crl;
    byte[] cFreshestDpDER;

    cainfo.setUseCrlDistributionPointOnCrl(true);
    cainfo.setDefaultCRLDistPoint(cdpURL);
    cainfo.setCADefinedFreshestCRL(freshestCdpURL);
    caSession.editCA(roleMgmgToken, cainfo);
    publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
    x509crl =
        CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
    cFreshestDpDER = x509crl.getExtensionValue(Extension.freshestCRL.getId());
    assertNotNull("CRL has no Freshest Distribution Point", cFreshestDpDER);

    ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cFreshestDpDER));
    ASN1OctetString octs = (ASN1OctetString) aIn.readObject();
    aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
    CRLDistPoint cdp = CRLDistPoint.getInstance((ASN1Sequence) aIn.readObject());
    DistributionPoint[] distpoints = cdp.getDistributionPoints();

    assertEquals("More CRL Freshest distributions points than expected", 1, distpoints.length);
    assertEquals(
        "Freshest CRL distribution point is different",
        freshestCdpURL,
        ((DERIA5String)
                ((GeneralNames) distpoints[0].getDistributionPoint().getName())
                    .getNames()[0].getName())
            .getString());
  }
 /** Test Overflow of CRL Period */
 @Test
 public void testCRLPeriodOverflow() throws Exception {
   log.trace(">test05CRLPeriodOverflow()");
   // Fetch CAInfo and save CRLPeriod
   CAInfo cainfo = testx509ca.getCAInfo();
   long tempCRLPeriod = cainfo.getCRLPeriod();
   X509Certificate cert = createCertWithValidity(1);
   try {
     // Revoke the user
     certificateStoreSession.setRevokeStatus(
         roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, null);
     // Change CRLPeriod
     cainfo.setCRLPeriod(Long.MAX_VALUE);
     caSession.editCA(roleMgmgToken, cainfo);
     // Create new CRL's
     assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
     // Verify that status is not archived
     CertificateInfo certinfo =
         certificateStoreSession.getCertificateInfo(CertTools.getFingerprintAsString(cert));
     assertFalse(
         "Non Expired Revoked Certificate was archived",
         certinfo.getStatus() == CertificateConstants.CERT_ARCHIVED);
   } finally {
     internalCertificateStoreSession.removeCertificate(CertTools.getSerialNumber(cert));
     // Restore CRL Period
     cainfo.setCRLPeriod(tempCRLPeriod);
     caSession.editCA(roleMgmgToken, cainfo);
   }
 }
 private X509Certificate createCertWithValidity(int validity) throws Exception {
   EndEntityInformation user =
       new EndEntityInformation(
           USERNAME,
           "C=SE,O=AnaTom,CN=crltest",
           testx509ca.getCAId(),
           null,
           "*****@*****.**",
           new EndEntityType(EndEntityTypes.ENDUSER),
           0,
           CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER,
           EndEntityConstants.TOKEN_USERGEN,
           0,
           null);
   SimpleRequestMessage req =
       new SimpleRequestMessage(keys.getPublic(), user.getUsername(), user.getPassword());
   X509ResponseMessage resp =
       (X509ResponseMessage)
           certificateCreateSession.createCertificate(
               roleMgmgToken,
               user,
               req,
               org.cesecore.certificates.certificate.request.X509ResponseMessage.class,
               signSession.fetchCertGenParams());
   X509Certificate cert = (X509Certificate) resp.getCertificate();
   assertNotNull("Failed to create certificate", cert);
   return cert;
 }
 @After
 public void tearDown() throws Exception {
   // Remove any testca before exiting tests
   byte[] crl;
   while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false)) != null) {
     X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
     internalCertificateStoreSession.removeCRL(
         alwaysAllowToken, CertTools.getFingerprintAsString(x509crl));
   }
   while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), true)) != null) {
     X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
     internalCertificateStoreSession.removeCRL(
         alwaysAllowToken, CertTools.getFingerprintAsString(x509crl));
   }
   caSession.removeCA(alwaysAllowToken, testx509ca.getCAId());
 }
 @AfterClass
 public static void afterClass() throws Exception {
   try {
     CryptoTokenTestUtils.removeCryptoToken(null, testx509ca.getCAToken().getCryptoTokenId());
   } finally {
     // Be sure to to this, even if the above fails
     tearDownRemoveRole();
   }
 }
  /** creates new crl */
  @Test
  public void testCreateNewCRL() throws Exception {
    publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
    X509CRL x509crl = null;

    // Get number of last CRL
    int number = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false);
    log.debug("Last CRLNumber = " + number);
    byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
    assertNotNull("Could not get CRL", crl);
    x509crl = CertTools.getCRLfromByteArray(crl);

    BigInteger num = CrlExtensions.getCrlNumber(x509crl);
    // Create a new CRL again to see that the number increases
    publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
    int number1 = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false);
    assertEquals(number + 1, number1);
    byte[] crl1 = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
    X509CRL x509crl1 = CertTools.getCRLfromByteArray(crl1);
    BigInteger num1 = CrlExtensions.getCrlNumber(x509crl1);
    assertEquals(num.intValue() + 1, num1.intValue());

    /*
     * check revoked certificates
     */

    // Get number of last CRL
    Collection<RevokedCertInfo> revfp =
        certificateStoreSession.listRevokedCertInfo(testx509ca.getSubjectDN(), -1);
    log.debug("Number of revoked certificates=" + revfp.size());
    crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
    assertNotNull("Could not get CRL", crl);

    x509crl = CertTools.getCRLfromByteArray(crl);
    Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
    // Revset will be null if there are no revoked certificates
    if (revset != null) {
      int revsize = revset.size();
      assertEquals(revfp.size(), revsize);
    } else {
      assertEquals(0, revfp.size());
    }
  }
 /** Test error handling of off-line CA during CRL creation. */
 @Test
 public void testCrlCreateSessionErrorHandling() throws Exception {
   CAInfo cainfo = testx509ca.getCAInfo();
   cainfo.setStatus(CAConstants.CA_OFFLINE);
   caSession.editCA(roleMgmgToken, cainfo);
   CA ca = caTestSession.getCA(roleMgmgToken, testx509ca.getCAId());
   assertEquals(CAConstants.CA_OFFLINE, ca.getStatus());
   assertEquals(CAConstants.CA_OFFLINE, ca.getCAInfo().getStatus());
   try {
     publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
     assertTrue(
         "Trying to generate a CRL for CA with status CA_OFFLINE did not throw the CATokenOfflineException.",
         false);
   } catch (CAOfflineException e) {
     // Expected
   }
   cainfo.setStatus(CAConstants.CA_ACTIVE);
   caSession.editCA(roleMgmgToken, cainfo);
 }
 @Test
 public void testCrlGenerateForAll() throws Exception {
   X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo();
   cainfo.setCRLIssueInterval(1); // Issue very often..
   cainfo.setDeltaCRLPeriod(1); // Issue very often..
   caSession.editCA(roleMgmgToken, cainfo);
   // make sure we have a CRL and delta CRL generated
   publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
   publishingCrlSessionRemote.forceDeltaCRL(roleMgmgToken, testx509ca.getCAId());
   try {
     // Now wait and test again
     Thread.sleep(1000);
     final X509CRL x509crl =
         CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
     assertTrue(publishingCrlSessionRemote.createCRLs(roleMgmgToken) > 0);
     final X509CRL x509crlAfter =
         CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
     assertTrue(
         "Did not generate a newer CRL.",
         x509crlAfter.getThisUpdate().after(x509crl.getThisUpdate()));
     final X509CRL x509deltaCrl =
         CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true));
     assertTrue(publishingCrlSessionRemote.createDeltaCRLs(roleMgmgToken) > 0);
     final X509CRL x509deltaCrlAfter =
         CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true));
     assertTrue(
         "Did not generate a newer Delta CRL.",
         x509deltaCrlAfter.getThisUpdate().after(x509deltaCrl.getThisUpdate()));
     // Try a similar thing when we specify which CA IDs to generate CRLs for
     // Compare CRL numbers instead of Dates, since these CRLs might have been generated the same
     // second as the last ones
     final Collection<Integer> caids = new ArrayList<Integer>();
     caids.add(Integer.valueOf(testx509ca.getCAId()));
     publishingCrlProxySession.createCRLs(roleMgmgToken, caids, 2);
     final X509CRL x509crlAfter2 =
         CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
     assertTrue(
         "Did not generate a newer CRL.",
         CrlExtensions.getCrlNumber(x509crlAfter2).intValue()
             > CrlExtensions.getCrlNumber(x509crlAfter).intValue());
     publishingCrlProxySession.createDeltaCRLs(roleMgmgToken, caids, 2);
     final X509CRL x509deltaCrlAfter2 =
         CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true));
     assertTrue(
         "Did not generate a newer Delta CRL.",
         CrlExtensions.getCrlNumber(x509deltaCrlAfter2).intValue()
             > CrlExtensions.getCrlNumber(x509deltaCrlAfter).intValue());
   } finally {
     byte[] crl;
     while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false)) != null) {
       X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
       internalCertificateStoreSession.removeCRL(
           roleMgmgToken, CertTools.getFingerprintAsString(x509crl));
     }
     while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), true)) != null) {
       X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
       internalCertificateStoreSession.removeCRL(
           roleMgmgToken, CertTools.getFingerprintAsString(x509crl));
     }
   }
 }
  /** Test revocation and reactivation of certificates */
  @Test
  public void testRevokeAndUnrevoke() throws Exception {

    X509Certificate cert = createCert();
    try {
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate is not present in a new CRL
      byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
      Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
      if (revset != null) {
        Iterator<? extends X509CRLEntry> iter = revset.iterator();
        while (iter.hasNext()) {
          X509CRLEntry ce = iter.next();
          assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0);
        }
      } // If no revoked certificates exist at all, this test passed...

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null);
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS present in a new CRL
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      assertNotNull(revset);
      Iterator<? extends X509CRLEntry> iter = revset.iterator();
      boolean found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
          // TODO: verify the reason code
        }
      }
      assertTrue(
          "Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found);

      // Unrevoke the certificate that we just revoked
      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS NOT present in the new
      // CRL.
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      if (revset != null) {
        iter = revset.iterator();
        found = false;
        while (iter.hasNext()) {
          X509CRLEntry ce = iter.next();
          if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
            found = true;
          }
        }
        assertFalse(found);
      } // If no revoked certificates exist at all, this test passed...

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null);
      assertTrue(
          "Failed to revoke certificate!",
          certificateStoreSession.isRevoked(
              CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS present in a new CRL
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      iter = revset.iterator();
      found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = (X509CRLEntry) iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
          // TODO: verify the reason code
        }
      }
      assertTrue(found);

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
      assertTrue(
          "Was able to re-activate permanently revoked certificate!",
          certificateStoreSession.isRevoked(
              CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate is present in the new CRL,
      // because the revocation reason
      // was not CERTIFICATE_HOLD, we can only un-revoke certificates that are
      // on hold.
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      iter = revset.iterator();
      found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = (X509CRLEntry) iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
        }
      }
      assertTrue(found);
    } finally {
      internalCertificateStoreSession.removeCertificate(cert);
    }
  }