コード例 #1
0
 /** Test Overflow of CRL Period */
 @Test
 public void testCRLPeriodOverflow() throws Exception {
   log.trace(">test05CRLPeriodOverflow()");
   // Fetch CAInfo and save CRLPeriod
   CAInfo cainfo = testx509ca.getCAInfo();
   long tempCRLPeriod = cainfo.getCRLPeriod();
   X509Certificate cert = createCertWithValidity(1);
   try {
     // Revoke the user
     certificateStoreSession.setRevokeStatus(
         roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, null);
     // Change CRLPeriod
     cainfo.setCRLPeriod(Long.MAX_VALUE);
     caSession.editCA(roleMgmgToken, cainfo);
     // Create new CRL's
     assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
     // Verify that status is not archived
     CertificateInfo certinfo =
         certificateStoreSession.getCertificateInfo(CertTools.getFingerprintAsString(cert));
     assertFalse(
         "Non Expired Revoked Certificate was archived",
         certinfo.getStatus() == CertificateConstants.CERT_ARCHIVED);
   } finally {
     internalCertificateStoreSession.removeCertificate(CertTools.getSerialNumber(cert));
     // Restore CRL Period
     cainfo.setCRLPeriod(tempCRLPeriod);
     caSession.editCA(roleMgmgToken, cainfo);
   }
 }
コード例 #2
0
 /** Add a new user and an expire service. Test that the service expires the users password */
 @Test
 public void testExpireCertificateWithCertificateProfiles() throws Exception {
   final String certificateprofilename = "testExpireCertificateWithCertificateProfiles";
   int certificateProfileId =
       certificateProfileSession.addCertificateProfile(
           admin, certificateprofilename, new CertificateProfile());
   try {
     createCertificate(certificateProfileId);
     long seconds = (cert.getNotAfter().getTime() - new Date().getTime()) / 1000l;
     // Create a new UserPasswordExpireService
     ServiceConfiguration config = new ServiceConfiguration();
     config.setActive(true);
     config.setDescription("This is a description");
     // No mailsending for this Junit test service
     config.setActionClassPath(NoAction.class.getName());
     config.setActionProperties(null);
     config.setIntervalClassPath(PeriodicalInterval.class.getName());
     Properties intervalprop = new Properties();
     // Run the service every 3:rd second
     intervalprop.setProperty(PeriodicalInterval.PROP_VALUE, "3");
     intervalprop.setProperty(PeriodicalInterval.PROP_UNIT, PeriodicalInterval.UNIT_SECONDS);
     config.setIntervalProperties(intervalprop);
     config.setWorkerClassPath(CertificateExpirationNotifierWorker.class.getName());
     Properties workerprop = new Properties();
     workerprop.setProperty(EmailSendingWorkerConstants.PROP_SENDTOADMINS, "FALSE");
     workerprop.setProperty(EmailSendingWorkerConstants.PROP_SENDTOENDUSERS, "FALSE");
     workerprop.setProperty(BaseWorker.PROP_CAIDSTOCHECK, String.valueOf(caid));
     workerprop.setProperty(
         BaseWorker.PROP_CERTIFICATE_PROFILE_IDS_TO_CHECK, Integer.toString(certificateProfileId));
     workerprop.setProperty(BaseWorker.PROP_TIMEBEFOREEXPIRING, String.valueOf(seconds - 5));
     workerprop.setProperty(BaseWorker.PROP_TIMEUNIT, BaseWorker.UNIT_SECONDS);
     config.setWorkerProperties(workerprop);
     if (serviceSession.getService(CERTIFICATE_EXPIRATION_SERVICE) == null) {
       serviceSession.addService(admin, 4711, CERTIFICATE_EXPIRATION_SERVICE, config);
     }
     serviceSession.activateServiceTimer(admin, CERTIFICATE_EXPIRATION_SERVICE);
     // The service will run... the cert should still be active after 2
     // seconds..
     Thread.sleep(2000);
     info = certificateStoreSession.getCertificateInfo(fingerprint);
     assertEquals("status does not match.", CertificateConstants.CERT_ACTIVE, info.getStatus());
     // The service will run...We need some tolerance since timers cannot
     // be guaranteed to executed at the exact interval.
     Thread.sleep(10000);
     int tries = 0;
     while (info.getStatus() != CertificateConstants.CERT_NOTIFIEDABOUTEXPIRATION && tries < 5) {
       Thread.sleep(1000);
       info = certificateStoreSession.getCertificateInfo(fingerprint);
       tries++;
     }
     info = certificateStoreSession.getCertificateInfo(fingerprint);
     assertEquals(
         "Status does not match.",
         CertificateConstants.CERT_NOTIFIEDABOUTEXPIRATION,
         info.getStatus());
   } finally {
     // Clean the certificate profile
     certificateProfileSession.removeCertificateProfile(admin, certificateprofilename);
   }
 }
コード例 #3
0
 private void createCertificate(int certificateProfileId) throws Exception {
   KeyPair keys = KeyTools.genKeys("1024", "RSA");
   cert =
       (X509Certificate)
           signSession.createCertificate(
               admin,
               USERNAME,
               PASSWORD,
               new PublicKeyWrapper(keys.getPublic()),
               -1,
               null,
               null,
               certificateProfileId,
               SecConst.CAID_USEUSERDEFINED);
   certificatesToRemove.add(cert);
   fingerprint = CertTools.getFingerprintAsString(cert);
   X509Certificate ce =
       (X509Certificate) certificateStoreSession.findCertificateByFingerprint(fingerprint);
   if (ce == null) {
     throw new Exception("Cannot find certificate with fp=" + fingerprint);
   }
   info = certificateStoreSession.getCertificateInfo(fingerprint);
   if (!fingerprint.equals(info.getFingerprint())) {
     throw new Exception("fingerprint does not match.");
   }
   if (!cert.getSerialNumber().equals(info.getSerialNumber())) {
     throw new Exception("serialnumber does not match.");
   }
   if (!CertTools.getIssuerDN(cert).equals(info.getIssuerDN())) {
     throw new Exception("issuerdn does not match.");
   }
   if (!CertTools.getSubjectDN(cert).equals(info.getSubjectDN())) {
     throw new Exception("subjectdn does not match.");
   }
   // The cert was just stored above with status INACTIVE
   if (!(CertificateConstants.CERT_ACTIVE == info.getStatus())) {
     throw new Exception("status does not match.");
   }
 }
コード例 #4
0
  /** creates new crl */
  @Test
  public void testCreateNewCRL() throws Exception {
    publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
    X509CRL x509crl = null;

    // Get number of last CRL
    int number = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false);
    log.debug("Last CRLNumber = " + number);
    byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
    assertNotNull("Could not get CRL", crl);
    x509crl = CertTools.getCRLfromByteArray(crl);

    BigInteger num = CrlExtensions.getCrlNumber(x509crl);
    // Create a new CRL again to see that the number increases
    publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
    int number1 = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false);
    assertEquals(number + 1, number1);
    byte[] crl1 = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
    X509CRL x509crl1 = CertTools.getCRLfromByteArray(crl1);
    BigInteger num1 = CrlExtensions.getCrlNumber(x509crl1);
    assertEquals(num.intValue() + 1, num1.intValue());

    /*
     * check revoked certificates
     */

    // Get number of last CRL
    Collection<RevokedCertInfo> revfp =
        certificateStoreSession.listRevokedCertInfo(testx509ca.getSubjectDN(), -1);
    log.debug("Number of revoked certificates=" + revfp.size());
    crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
    assertNotNull("Could not get CRL", crl);

    x509crl = CertTools.getCRLfromByteArray(crl);
    Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
    // Revset will be null if there are no revoked certificates
    if (revset != null) {
      int revsize = revset.size();
      assertEquals(revfp.size(), revsize);
    } else {
      assertEquals(0, revfp.size());
    }
  }
コード例 #5
0
  /** Test revocation and reactivation of certificates */
  @Test
  public void testRevokeAndUnrevoke() throws Exception {

    X509Certificate cert = createCert();
    try {
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate is not present in a new CRL
      byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
      Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
      if (revset != null) {
        Iterator<? extends X509CRLEntry> iter = revset.iterator();
        while (iter.hasNext()) {
          X509CRLEntry ce = iter.next();
          assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0);
        }
      } // If no revoked certificates exist at all, this test passed...

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null);
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS present in a new CRL
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      assertNotNull(revset);
      Iterator<? extends X509CRLEntry> iter = revset.iterator();
      boolean found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
          // TODO: verify the reason code
        }
      }
      assertTrue(
          "Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found);

      // Unrevoke the certificate that we just revoked
      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS NOT present in the new
      // CRL.
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      if (revset != null) {
        iter = revset.iterator();
        found = false;
        while (iter.hasNext()) {
          X509CRLEntry ce = iter.next();
          if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
            found = true;
          }
        }
        assertFalse(found);
      } // If no revoked certificates exist at all, this test passed...

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null);
      assertTrue(
          "Failed to revoke certificate!",
          certificateStoreSession.isRevoked(
              CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS present in a new CRL
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      iter = revset.iterator();
      found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = (X509CRLEntry) iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
          // TODO: verify the reason code
        }
      }
      assertTrue(found);

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
      assertTrue(
          "Was able to re-activate permanently revoked certificate!",
          certificateStoreSession.isRevoked(
              CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate is present in the new CRL,
      // because the revocation reason
      // was not CERTIFICATE_HOLD, we can only un-revoke certificates that are
      // on hold.
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      iter = revset.iterator();
      found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = (X509CRLEntry) iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
        }
      }
      assertTrue(found);
    } finally {
      internalCertificateStoreSession.removeCertificate(cert);
    }
  }
コード例 #6
0
  /** Add a new user and an expire service. Test running on all CAs. */
  @Test
  public void testExpireCertificateWithAllCAs() throws Exception {
    try {
      createCertificate();
      long seconds = (cert.getNotAfter().getTime() - new Date().getTime()) / 1000l;
      // Create a new UserPasswordExpireService
      ServiceConfiguration config = new ServiceConfiguration();
      config.setActive(true);
      config.setDescription("This is a description");
      // No mailsending for this Junit test service
      config.setActionClassPath(NoAction.class.getName());
      config.setActionProperties(null);
      config.setIntervalClassPath(PeriodicalInterval.class.getName());
      Properties intervalprop = new Properties();
      // Run the service every 3:rd second
      intervalprop.setProperty(PeriodicalInterval.PROP_VALUE, "3");
      intervalprop.setProperty(PeriodicalInterval.PROP_UNIT, PeriodicalInterval.UNIT_SECONDS);
      config.setIntervalProperties(intervalprop);
      config.setWorkerClassPath(CertificateExpirationNotifierWorker.class.getName());
      Properties workerprop = new Properties();
      workerprop.setProperty(EmailSendingWorkerConstants.PROP_SENDTOADMINS, "FALSE");
      workerprop.setProperty(EmailSendingWorkerConstants.PROP_SENDTOENDUSERS, "FALSE");
      // Here is the line that matters for this test
      workerprop.setProperty(BaseWorker.PROP_CAIDSTOCHECK, String.valueOf(SecConst.ALLCAS));

      workerprop.setProperty(BaseWorker.PROP_TIMEBEFOREEXPIRING, String.valueOf(seconds - 5));
      workerprop.setProperty(BaseWorker.PROP_TIMEUNIT, BaseWorker.UNIT_SECONDS);
      config.setWorkerProperties(workerprop);
      if (serviceSession.getService(CERTIFICATE_EXPIRATION_SERVICE) == null) {
        serviceSession.addService(admin, 4711, CERTIFICATE_EXPIRATION_SERVICE, config);
      }
      serviceSession.activateServiceTimer(admin, CERTIFICATE_EXPIRATION_SERVICE);
      // The service will run... the cert should still be active after 2
      // seconds..
      Thread.sleep(2000);
      info = certificateStoreSession.getCertificateInfo(fingerprint);
      assertEquals("status does not match.", CertificateConstants.CERT_ACTIVE, info.getStatus());
      // The service will run...We need some tolerance since timers cannot
      // be guaranteed to executed at the exact interval.
      Thread.sleep(10000);
      int tries = 0;
      while (info.getStatus() != CertificateConstants.CERT_NOTIFIEDABOUTEXPIRATION && tries < 8) {
        Thread.sleep(1000);
        info = certificateStoreSession.getCertificateInfo(fingerprint);
        tries++;
      }
      info = certificateStoreSession.getCertificateInfo(fingerprint);
      assertEquals(
          "Status does not match.",
          CertificateConstants.CERT_NOTIFIEDABOUTEXPIRATION,
          info.getStatus());
    } finally {
      // Restore superadmin CA if it got screwed up.
      List<Certificate> certs = certificateStoreSession.findCertificatesByUsername("superadmin");
      for (Certificate certificate : certs) {
        String superAdminFingerprint = CertTools.getFingerprintAsString(certificate);
        internalCertificateStoreSession.setStatus(
            admin, superAdminFingerprint, CertificateConstants.CERT_ACTIVE);
      }
    }
  }