/** Tests the extension Freshest CRL DP. */
@Test
public void testCRLFreshestCRL() throws Exception {
final String cdpURL = "http://www.ejbca.org/foo/bar.crl";
final String freshestCdpURL = "http://www.ejbca.org/foo/delta.crl";
X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo();
X509CRL x509crl;
byte[] cFreshestDpDER;
cainfo.setUseCrlDistributionPointOnCrl(true);
cainfo.setDefaultCRLDistPoint(cdpURL);
cainfo.setCADefinedFreshestCRL(freshestCdpURL);
caSession.editCA(roleMgmgToken, cainfo);
publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
x509crl =
CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
cFreshestDpDER = x509crl.getExtensionValue(Extension.freshestCRL.getId());
assertNotNull("CRL has no Freshest Distribution Point", cFreshestDpDER);
ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cFreshestDpDER));
ASN1OctetString octs = (ASN1OctetString) aIn.readObject();
aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
CRLDistPoint cdp = CRLDistPoint.getInstance((ASN1Sequence) aIn.readObject());
DistributionPoint[] distpoints = cdp.getDistributionPoints();
assertEquals("More CRL Freshest distributions points than expected", 1, distpoints.length);
assertEquals(
"Freshest CRL distribution point is different",
freshestCdpURL,
((DERIA5String)
((GeneralNames) distpoints[0].getDistributionPoint().getName())
.getNames()[0].getName())
.getString());
}
/** Test Overflow of CRL Period */
@Test
public void testCRLPeriodOverflow() throws Exception {
log.trace(">test05CRLPeriodOverflow()");
// Fetch CAInfo and save CRLPeriod
CAInfo cainfo = testx509ca.getCAInfo();
long tempCRLPeriod = cainfo.getCRLPeriod();
X509Certificate cert = createCertWithValidity(1);
try {
// Revoke the user
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, null);
// Change CRLPeriod
cainfo.setCRLPeriod(Long.MAX_VALUE);
caSession.editCA(roleMgmgToken, cainfo);
// Create new CRL's
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Verify that status is not archived
CertificateInfo certinfo =
certificateStoreSession.getCertificateInfo(CertTools.getFingerprintAsString(cert));
assertFalse(
"Non Expired Revoked Certificate was archived",
certinfo.getStatus() == CertificateConstants.CERT_ARCHIVED);
} finally {
internalCertificateStoreSession.removeCertificate(CertTools.getSerialNumber(cert));
// Restore CRL Period
cainfo.setCRLPeriod(tempCRLPeriod);
caSession.editCA(roleMgmgToken, cainfo);
}
}
private X509Certificate createCertWithValidity(int validity) throws Exception {
EndEntityInformation user =
new EndEntityInformation(
USERNAME,
"C=SE,O=AnaTom,CN=crltest",
testx509ca.getCAId(),
null,
"*****@*****.**",
new EndEntityType(EndEntityTypes.ENDUSER),
0,
CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER,
EndEntityConstants.TOKEN_USERGEN,
0,
null);
SimpleRequestMessage req =
new SimpleRequestMessage(keys.getPublic(), user.getUsername(), user.getPassword());
X509ResponseMessage resp =
(X509ResponseMessage)
certificateCreateSession.createCertificate(
roleMgmgToken,
user,
req,
org.cesecore.certificates.certificate.request.X509ResponseMessage.class,
signSession.fetchCertGenParams());
X509Certificate cert = (X509Certificate) resp.getCertificate();
assertNotNull("Failed to create certificate", cert);
return cert;
}
@After
public void tearDown() throws Exception {
// Remove any testca before exiting tests
byte[] crl;
while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false)) != null) {
X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
internalCertificateStoreSession.removeCRL(
alwaysAllowToken, CertTools.getFingerprintAsString(x509crl));
}
while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), true)) != null) {
X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
internalCertificateStoreSession.removeCRL(
alwaysAllowToken, CertTools.getFingerprintAsString(x509crl));
}
caSession.removeCA(alwaysAllowToken, testx509ca.getCAId());
}
@AfterClass
public static void afterClass() throws Exception {
try {
CryptoTokenTestUtils.removeCryptoToken(null, testx509ca.getCAToken().getCryptoTokenId());
} finally {
// Be sure to to this, even if the above fails
tearDownRemoveRole();
}
}
/** creates new crl */
@Test
public void testCreateNewCRL() throws Exception {
publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
X509CRL x509crl = null;
// Get number of last CRL
int number = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false);
log.debug("Last CRLNumber = " + number);
byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
BigInteger num = CrlExtensions.getCrlNumber(x509crl);
// Create a new CRL again to see that the number increases
publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
int number1 = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false);
assertEquals(number + 1, number1);
byte[] crl1 = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
X509CRL x509crl1 = CertTools.getCRLfromByteArray(crl1);
BigInteger num1 = CrlExtensions.getCrlNumber(x509crl1);
assertEquals(num.intValue() + 1, num1.intValue());
/*
* check revoked certificates
*/
// Get number of last CRL
Collection<RevokedCertInfo> revfp =
certificateStoreSession.listRevokedCertInfo(testx509ca.getSubjectDN(), -1);
log.debug("Number of revoked certificates=" + revfp.size());
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
// Revset will be null if there are no revoked certificates
if (revset != null) {
int revsize = revset.size();
assertEquals(revfp.size(), revsize);
} else {
assertEquals(0, revfp.size());
}
}
/** Test error handling of off-line CA during CRL creation. */
@Test
public void testCrlCreateSessionErrorHandling() throws Exception {
CAInfo cainfo = testx509ca.getCAInfo();
cainfo.setStatus(CAConstants.CA_OFFLINE);
caSession.editCA(roleMgmgToken, cainfo);
CA ca = caTestSession.getCA(roleMgmgToken, testx509ca.getCAId());
assertEquals(CAConstants.CA_OFFLINE, ca.getStatus());
assertEquals(CAConstants.CA_OFFLINE, ca.getCAInfo().getStatus());
try {
publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
assertTrue(
"Trying to generate a CRL for CA with status CA_OFFLINE did not throw the CATokenOfflineException.",
false);
} catch (CAOfflineException e) {
// Expected
}
cainfo.setStatus(CAConstants.CA_ACTIVE);
caSession.editCA(roleMgmgToken, cainfo);
}
@Test
public void testCrlGenerateForAll() throws Exception {
X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo();
cainfo.setCRLIssueInterval(1); // Issue very often..
cainfo.setDeltaCRLPeriod(1); // Issue very often..
caSession.editCA(roleMgmgToken, cainfo);
// make sure we have a CRL and delta CRL generated
publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
publishingCrlSessionRemote.forceDeltaCRL(roleMgmgToken, testx509ca.getCAId());
try {
// Now wait and test again
Thread.sleep(1000);
final X509CRL x509crl =
CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
assertTrue(publishingCrlSessionRemote.createCRLs(roleMgmgToken) > 0);
final X509CRL x509crlAfter =
CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
assertTrue(
"Did not generate a newer CRL.",
x509crlAfter.getThisUpdate().after(x509crl.getThisUpdate()));
final X509CRL x509deltaCrl =
CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true));
assertTrue(publishingCrlSessionRemote.createDeltaCRLs(roleMgmgToken) > 0);
final X509CRL x509deltaCrlAfter =
CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true));
assertTrue(
"Did not generate a newer Delta CRL.",
x509deltaCrlAfter.getThisUpdate().after(x509deltaCrl.getThisUpdate()));
// Try a similar thing when we specify which CA IDs to generate CRLs for
// Compare CRL numbers instead of Dates, since these CRLs might have been generated the same
// second as the last ones
final Collection<Integer> caids = new ArrayList<Integer>();
caids.add(Integer.valueOf(testx509ca.getCAId()));
publishingCrlProxySession.createCRLs(roleMgmgToken, caids, 2);
final X509CRL x509crlAfter2 =
CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
assertTrue(
"Did not generate a newer CRL.",
CrlExtensions.getCrlNumber(x509crlAfter2).intValue()
> CrlExtensions.getCrlNumber(x509crlAfter).intValue());
publishingCrlProxySession.createDeltaCRLs(roleMgmgToken, caids, 2);
final X509CRL x509deltaCrlAfter2 =
CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true));
assertTrue(
"Did not generate a newer Delta CRL.",
CrlExtensions.getCrlNumber(x509deltaCrlAfter2).intValue()
> CrlExtensions.getCrlNumber(x509deltaCrlAfter).intValue());
} finally {
byte[] crl;
while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false)) != null) {
X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
internalCertificateStoreSession.removeCRL(
roleMgmgToken, CertTools.getFingerprintAsString(x509crl));
}
while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), true)) != null) {
X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
internalCertificateStoreSession.removeCRL(
roleMgmgToken, CertTools.getFingerprintAsString(x509crl));
}
}
}
/** Test revocation and reactivation of certificates */
@Test
public void testRevokeAndUnrevoke() throws Exception {
X509Certificate cert = createCert();
try {
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate is not present in a new CRL
byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
if (revset != null) {
Iterator<? extends X509CRLEntry> iter = revset.iterator();
while (iter.hasNext()) {
X509CRLEntry ce = iter.next();
assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0);
}
} // If no revoked certificates exist at all, this test passed...
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null);
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate IS present in a new CRL
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
assertNotNull(revset);
Iterator<? extends X509CRLEntry> iter = revset.iterator();
boolean found = false;
while (iter.hasNext()) {
X509CRLEntry ce = iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
// TODO: verify the reason code
}
}
assertTrue(
"Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found);
// Unrevoke the certificate that we just revoked
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate IS NOT present in the new
// CRL.
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
if (revset != null) {
iter = revset.iterator();
found = false;
while (iter.hasNext()) {
X509CRLEntry ce = iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
}
}
assertFalse(found);
} // If no revoked certificates exist at all, this test passed...
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null);
assertTrue(
"Failed to revoke certificate!",
certificateStoreSession.isRevoked(
CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate IS present in a new CRL
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
iter = revset.iterator();
found = false;
while (iter.hasNext()) {
X509CRLEntry ce = (X509CRLEntry) iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
// TODO: verify the reason code
}
}
assertTrue(found);
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
assertTrue(
"Was able to re-activate permanently revoked certificate!",
certificateStoreSession.isRevoked(
CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate is present in the new CRL,
// because the revocation reason
// was not CERTIFICATE_HOLD, we can only un-revoke certificates that are
// on hold.
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
iter = revset.iterator();
found = false;
while (iter.hasNext()) {
X509CRLEntry ce = (X509CRLEntry) iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
}
}
assertTrue(found);
} finally {
internalCertificateStoreSession.removeCertificate(cert);
}
}