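/**
 * Checks that a CRL period large enough to overflow date arithmetic does not cause a revoked,
 * still-valid certificate to be archived.
 *
 * <p>The CA's CRL period is pushed to {@link Long#MAX_VALUE}, a CRL is forced, and the revoked
 * certificate's status is then expected to be anything but {@code CERT_ARCHIVED}. The original
 * CRL period is restored afterwards so later tests see the CA unchanged.
 *
 * @throws Exception on any failure of the session beans used
 */
@Test
public void testCRLPeriodOverflow() throws Exception {
  log.trace(">test05CRLPeriodOverflow()"); // legacy trace label kept as-is
  // Fetch CAInfo and remember the CRL period so it can be restored in finally.
  CAInfo cainfo = testx509ca.getCAInfo();
  long originalCrlPeriod = cainfo.getCRLPeriod();
  X509Certificate cert = createCertWithValidity(1);
  try {
    // Revoke the user certificate so it is a candidate for the CRL / archival logic.
    certificateStoreSession.setRevokeStatus(
        roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, null);
    // Change the CRL period to the largest possible value to provoke an overflow.
    cainfo.setCRLPeriod(Long.MAX_VALUE);
    caSession.editCA(roleMgmgToken, cainfo);
    // Create new CRLs under the extreme period.
    assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
    // Verify that status is not archived: the certificate has not expired, so an overflowed
    // period must not be mistaken for an expiry (an archived entry would drop off the CRL).
    CertificateInfo certinfo =
        certificateStoreSession.getCertificateInfo(CertTools.getFingerprintAsString(cert));
    assertNotNull("Revoked certificate not found in store", certinfo);
    assertFalse(
        "Non Expired Revoked Certificate was archived",
        certinfo.getStatus() == CertificateConstants.CERT_ARCHIVED);
  } finally {
    try {
      internalCertificateStoreSession.removeCertificate(CertTools.getSerialNumber(cert));
    } finally {
      // Restore the CRL period even if the certificate removal above throws; otherwise the CA
      // would be left with Long.MAX_VALUE and affect every following test.
      cainfo.setCRLPeriod(originalCrlPeriod);
      caSession.editCA(roleMgmgToken, cainfo);
    }
  }
}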
/**
 * Removes every full CRL and every delta CRL stored for the test CA, then removes the CA itself.
 *
 * @throws Exception if any session bean call fails
 */
@After
public void tearDown() throws Exception {
  // Remove any test CA before exiting tests: first all full CRLs, then all delta CRLs.
  for (boolean deltaCrl : new boolean[] {false, true}) {
    byte[] encodedCrl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), deltaCrl);
    while (encodedCrl != null) {
      X509CRL parsedCrl = CertTools.getCRLfromByteArray(encodedCrl);
      internalCertificateStoreSession.removeCRL(
          alwaysAllowToken, CertTools.getFingerprintAsString(parsedCrl));
      encodedCrl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), deltaCrl);
    }
  }
  caSession.removeCA(alwaysAllowToken, testx509ca.getCAId());
}
/**
 * Cleans up everything the expiration tests created: the tracked certificates, every certificate
 * issued by the test CA, the test end entity and the expiration service.
 *
 * @throws Exception if any of the session bean calls fails
 */
@After
public void tearDown() throws Exception {
  // Certificates explicitly registered by a test for removal.
  for (Certificate certificate : certificatesToRemove) {
    internalCertificateStoreSession.removeCertificate(certificate);
  }
  // Anything else the test CA issued, looked up by issuer DN.
  for (Certificate certificate :
      internalCertificateStoreSession.findCertificatesByIssuer("CN=" + CA_NAME)) {
    internalCertificateStoreSession.removeCertificate(certificate);
  }
  endEntityManagementSession.deleteUser(admin, USERNAME);
  // NOTE(review): the statement below is corrupted in this listing ("******" replaces a span of
  // the original source, which presumably logged the removed user and removed the service);
  // restore it from version control rather than from this text.
  log.debug("Removed user: "******"Removed service:" + CERTIFICATE_EXPIRATION_SERVICE);
  // Service id 4711 is the id under which the expiration test registers the service.
  assertNull(
      "ServiceData object with id 4711 was not removed properly.",
      serviceDataSession.findById(4711));
}
/**
 * Verifies that the "create CRLs for all CAs" and "create delta CRLs for all CAs" jobs, as well as
 * their variants restricted to a list of CA ids, each produce a CRL newer than the one previously
 * stored for the test CA.
 *
 * <p>All CRLs of the test CA are removed again in {@code finally}.
 *
 * @throws Exception on any failure of the session beans used
 */
@Test
public void testCrlGenerateForAll() throws Exception {
  X509CAInfo caInfo = (X509CAInfo) testx509ca.getCAInfo();
  // Make both the CRL issue interval and the delta CRL period as short as possible so that the
  // "for all CAs" jobs below consider the CA due for a new CRL.
  caInfo.setCRLIssueInterval(1);
  caInfo.setDeltaCRLPeriod(1);
  caSession.editCA(roleMgmgToken, caInfo);
  final String subjectDn = caInfo.getSubjectDN();
  final int caId = testx509ca.getCAId();
  // Make sure there is a baseline CRL and delta CRL to compare against.
  publishingCrlSessionRemote.forceCRL(roleMgmgToken, caId);
  publishingCrlSessionRemote.forceDeltaCRL(roleMgmgToken, caId);
  try {
    // Let a second pass so thisUpdate of the next CRLs can differ from the baseline.
    Thread.sleep(1000);
    final X509CRL crlBefore = storedCrlOfTestCa(subjectDn, false);
    assertTrue(publishingCrlSessionRemote.createCRLs(roleMgmgToken) > 0);
    final X509CRL crlAfter = storedCrlOfTestCa(subjectDn, false);
    assertTrue(
        "Did not generate a newer CRL.",
        crlAfter.getThisUpdate().after(crlBefore.getThisUpdate()));
    final X509CRL deltaBefore = storedCrlOfTestCa(subjectDn, true);
    assertTrue(publishingCrlSessionRemote.createDeltaCRLs(roleMgmgToken) > 0);
    final X509CRL deltaAfter = storedCrlOfTestCa(subjectDn, true);
    assertTrue(
        "Did not generate a newer Delta CRL.",
        deltaAfter.getThisUpdate().after(deltaBefore.getThisUpdate()));
    // Repeat with an explicit list of CA ids. These CRLs may be issued within the same second as
    // the previous ones, so the CRL number, not thisUpdate, is what must increase.
    final Collection<Integer> caIdsToProcess = new ArrayList<Integer>();
    caIdsToProcess.add(Integer.valueOf(caId));
    publishingCrlProxySession.createCRLs(roleMgmgToken, caIdsToProcess, 2);
    final X509CRL crlAfterById = storedCrlOfTestCa(subjectDn, false);
    assertTrue(
        "Did not generate a newer CRL.",
        CrlExtensions.getCrlNumber(crlAfterById).intValue()
            > CrlExtensions.getCrlNumber(crlAfter).intValue());
    publishingCrlProxySession.createDeltaCRLs(roleMgmgToken, caIdsToProcess, 2);
    final X509CRL deltaAfterById = storedCrlOfTestCa(subjectDn, true);
    assertTrue(
        "Did not generate a newer Delta CRL.",
        CrlExtensions.getCrlNumber(deltaAfterById).intValue()
            > CrlExtensions.getCrlNumber(deltaAfter).intValue());
  } finally {
    // Drop every full CRL, then every delta CRL, the test left behind.
    for (boolean deltaCrl : new boolean[] {false, true}) {
      byte[] encodedCrl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), deltaCrl);
      while (encodedCrl != null) {
        internalCertificateStoreSession.removeCRL(
            roleMgmgToken,
            CertTools.getFingerprintAsString(CertTools.getCRLfromByteArray(encodedCrl)));
        encodedCrl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), deltaCrl);
      }
    }
  }
}

/**
 * Fetches the most recently stored CRL (or delta CRL) for the given issuer DN and parses it.
 *
 * @param issuerDn subject DN of the issuing CA
 * @param deltaCrl {@code true} for the latest delta CRL, {@code false} for the latest full CRL
 * @return the parsed CRL
 * @throws Exception if the stored bytes cannot be parsed
 */
private X509CRL storedCrlOfTestCa(final String issuerDn, final boolean deltaCrl)
    throws Exception {
  return CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(issuerDn, deltaCrl));
}
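/**
 * Tests revocation and reactivation of certificates as seen on the CA's CRL.
 *
 * <p>A certificate is put on hold and must appear on the next CRL; lifting the hold must remove
 * it again. After a permanent revocation (CA compromise) a reactivation attempt must be refused:
 * the store must still report the certificate as revoked and the next CRL must still list it.
 *
 * @throws Exception on any failure of the session beans used
 */
@Test
public void testRevokeAndUnrevoke() throws Exception {
  X509Certificate cert = createCert();
  try {
    // A freshly issued certificate must not appear on a new CRL.
    assertFalse("Unrevoked certificate listed on CRL", isListedIn(forceNewCrl(), cert));

    // Put the certificate on hold; it must now be listed.
    certificateStoreSession.setRevokeStatus(
        roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null);
    assertTrue(
        "Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked",
        isListedIn(forceNewCrl(), cert)); // TODO: verify the reason code

    // Lift the hold; the certificate must disappear from the next CRL.
    certificateStoreSession.setRevokeStatus(
        roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
    assertFalse("Reactivated certificate still listed on CRL", isListedIn(forceNewCrl(), cert));

    // Revoke permanently (CA compromise)...
    certificateStoreSession.setRevokeStatus(
        roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null);
    assertTrue(
        "Failed to revoke certificate!",
        certificateStoreSession.isRevoked(
            CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
    assertTrue(
        "Permanently revoked certificate not listed on CRL",
        isListedIn(forceNewCrl(), cert)); // TODO: verify the reason code

    // ...and try to reactivate. Only certificates on hold may be un-revoked, so both the store
    // status and the next CRL must still show the certificate as revoked.
    certificateStoreSession.setRevokeStatus(
        roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
    assertTrue(
        "Was able to re-activate permanently revoked certificate!",
        certificateStoreSession.isRevoked(
            CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
    assertTrue(
        "Permanently revoked certificate dropped from CRL", isListedIn(forceNewCrl(), cert));
  } finally {
    internalCertificateStoreSession.removeCertificate(cert);
  }
}

/**
 * Forces a new full CRL for the test CA and returns the latest stored full CRL, parsed.
 *
 * @return the CRL just generated
 * @throws Exception if CRL generation or parsing fails
 */
private X509CRL forceNewCrl() throws Exception {
  assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
  byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
  assertNotNull("Could not get CRL", crl);
  return CertTools.getCRLfromByteArray(crl);
}

/**
 * Returns whether {@code crl} carries an entry whose serial number equals that of {@code cert}.
 *
 * @param crl the CRL to search
 * @param cert the certificate whose serial number is looked for
 * @return {@code true} if an entry with that serial number exists, {@code false} otherwise
 *     (including the case of a CRL with no entries at all)
 */
private static boolean isListedIn(final X509CRL crl, final X509Certificate cert) {
  final Set<? extends X509CRLEntry> entries = crl.getRevokedCertificates();
  if (entries == null) {
    // An empty CRL has no entry set at all.
    return false;
  }
  for (X509CRLEntry entry : entries) {
    if (entry.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
      return true;
    }
  }
  return false;
}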
/**
 * Adds a new user and an expiration notification service configured to check all CAs, then waits
 * for the service to flag the user's certificate as notified about expiration.
 *
 * <p>The certificate, fingerprint and certificate info used here are the instance fields filled
 * in by {@code createCertificate()}.
 *
 * @throws Exception on any failure of the session beans used
 */
@Test
public void testExpireCertificateWithAllCAs() throws Exception {
  try {
    createCertificate();
    long secondsUntilExpiry =
        (cert.getNotAfter().getTime() - System.currentTimeMillis()) / 1000L;
    ServiceConfiguration serviceConfig = newExpirationServiceConfig(secondsUntilExpiry);
    if (serviceSession.getService(CERTIFICATE_EXPIRATION_SERVICE) == null) {
      serviceSession.addService(admin, 4711, CERTIFICATE_EXPIRATION_SERVICE, serviceConfig);
    }
    serviceSession.activateServiceTimer(admin, CERTIFICATE_EXPIRATION_SERVICE);
    // The service will run... the cert should still be active after 2 seconds.
    Thread.sleep(2000);
    info = certificateStoreSession.getCertificateInfo(fingerprint);
    assertEquals("status does not match.", CertificateConstants.CERT_ACTIVE, info.getStatus());
    // The service will run... We need some tolerance since timers cannot be guaranteed to
    // execute at the exact interval, so poll for a while after the initial wait.
    Thread.sleep(10000);
    for (int attempt = 0;
        attempt < 8 && info.getStatus() != CertificateConstants.CERT_NOTIFIEDABOUTEXPIRATION;
        attempt++) {
      Thread.sleep(1000);
      info = certificateStoreSession.getCertificateInfo(fingerprint);
    }
    info = certificateStoreSession.getCertificateInfo(fingerprint);
    assertEquals(
        "Status does not match.",
        CertificateConstants.CERT_NOTIFIEDABOUTEXPIRATION,
        info.getStatus());
  } finally {
    // Restore superadmin CA certificates if the "all CAs" run touched them.
    List<Certificate> superAdminCerts =
        certificateStoreSession.findCertificatesByUsername("superadmin");
    for (Certificate certificate : superAdminCerts) {
      internalCertificateStoreSession.setStatus(
          admin, CertTools.getFingerprintAsString(certificate), CertificateConstants.CERT_ACTIVE);
    }
  }
}

/**
 * Builds the configuration of the expiration notifier service used by this test: runs every 3
 * seconds, sends no mail, checks all CAs and treats certificates expiring within
 * {@code secondsUntilExpiry - 5} seconds as about to expire.
 *
 * @param secondsUntilExpiry seconds left until the test certificate's notAfter
 * @return the service configuration
 */
private static ServiceConfiguration newExpirationServiceConfig(final long secondsUntilExpiry) {
  ServiceConfiguration config = new ServiceConfiguration();
  config.setActive(true);
  config.setDescription("This is a description");
  // No mail sending for this JUnit test service.
  config.setActionClassPath(NoAction.class.getName());
  config.setActionProperties(null);
  config.setIntervalClassPath(PeriodicalInterval.class.getName());
  Properties intervalProps = new Properties();
  // Run the service every 3rd second.
  intervalProps.setProperty(PeriodicalInterval.PROP_VALUE, "3");
  intervalProps.setProperty(PeriodicalInterval.PROP_UNIT, PeriodicalInterval.UNIT_SECONDS);
  config.setIntervalProperties(intervalProps);
  config.setWorkerClassPath(CertificateExpirationNotifierWorker.class.getName());
  Properties workerProps = new Properties();
  workerProps.setProperty(EmailSendingWorkerConstants.PROP_SENDTOADMINS, "FALSE");
  workerProps.setProperty(EmailSendingWorkerConstants.PROP_SENDTOENDUSERS, "FALSE");
  // Here is the line that matters for this test: check every CA, not a fixed list.
  workerProps.setProperty(BaseWorker.PROP_CAIDSTOCHECK, String.valueOf(SecConst.ALLCAS));
  workerProps.setProperty(
      BaseWorker.PROP_TIMEBEFOREEXPIRING, String.valueOf(secondsUntilExpiry - 5));
  workerProps.setProperty(BaseWorker.PROP_TIMEUNIT, BaseWorker.UNIT_SECONDS);
  config.setWorkerProperties(workerProps);
  return config;
}