/** Tests the extension Freshest CRL DP. */ @Test public void testCRLFreshestCRL() throws Exception { final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; final String freshestCdpURL = "http://www.ejbca.org/foo/delta.crl"; X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo(); X509CRL x509crl; byte[] cFreshestDpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); cainfo.setCADefinedFreshestCRL(freshestCdpURL); caSession.editCA(roleMgmgToken, cainfo); publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()); x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); cFreshestDpDER = x509crl.getExtensionValue(Extension.freshestCRL.getId()); assertNotNull("CRL has no Freshest Distribution Point", cFreshestDpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cFreshestDpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); CRLDistPoint cdp = CRLDistPoint.getInstance((ASN1Sequence) aIn.readObject()); DistributionPoint[] distpoints = cdp.getDistributionPoints(); assertEquals("More CRL Freshest distributions points than expected", 1, distpoints.length); assertEquals( "Freshest CRL distribution point is different", freshestCdpURL, ((DERIA5String) ((GeneralNames) distpoints[0].getDistributionPoint().getName()) .getNames()[0].getName()) .getString()); }
@After public void tearDown() throws Exception { // Remove any testca before exiting tests byte[] crl; while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false)) != null) { X509CRL x509crl = CertTools.getCRLfromByteArray(crl); internalCertificateStoreSession.removeCRL( alwaysAllowToken, CertTools.getFingerprintAsString(x509crl)); } while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), true)) != null) { X509CRL x509crl = CertTools.getCRLfromByteArray(crl); internalCertificateStoreSession.removeCRL( alwaysAllowToken, CertTools.getFingerprintAsString(x509crl)); } caSession.removeCA(alwaysAllowToken, testx509ca.getCAId()); }
/** creates new crl */ @Test public void testCreateNewCRL() throws Exception { publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()); X509CRL x509crl = null; // Get number of last CRL int number = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false); log.debug("Last CRLNumber = " + number); byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); BigInteger num = CrlExtensions.getCrlNumber(x509crl); // Create a new CRL again to see that the number increases publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()); int number1 = crlStoreSession.getLastCRLNumber(testx509ca.getSubjectDN(), false); assertEquals(number + 1, number1); byte[] crl1 = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); X509CRL x509crl1 = CertTools.getCRLfromByteArray(crl1); BigInteger num1 = CrlExtensions.getCrlNumber(x509crl1); assertEquals(num.intValue() + 1, num1.intValue()); /* * check revoked certificates */ // Get number of last CRL Collection<RevokedCertInfo> revfp = certificateStoreSession.listRevokedCertInfo(testx509ca.getSubjectDN(), -1); log.debug("Number of revoked certificates=" + revfp.size()); crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates(); // Revset will be null if there are no revoked certificates if (revset != null) { int revsize = revset.size(); assertEquals(revfp.size(), revsize); } else { assertEquals(0, revfp.size()); } }
@Test public void testCrlGenerateForAll() throws Exception { X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo(); cainfo.setCRLIssueInterval(1); // Issue very often.. cainfo.setDeltaCRLPeriod(1); // Issue very often.. caSession.editCA(roleMgmgToken, cainfo); // make sure we have a CRL and delta CRL generated publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()); publishingCrlSessionRemote.forceDeltaCRL(roleMgmgToken, testx509ca.getCAId()); try { // Now wait and test again Thread.sleep(1000); final X509CRL x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); assertTrue(publishingCrlSessionRemote.createCRLs(roleMgmgToken) > 0); final X509CRL x509crlAfter = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); assertTrue( "Did not generate a newer CRL.", x509crlAfter.getThisUpdate().after(x509crl.getThisUpdate())); final X509CRL x509deltaCrl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true)); assertTrue(publishingCrlSessionRemote.createDeltaCRLs(roleMgmgToken) > 0); final X509CRL x509deltaCrlAfter = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true)); assertTrue( "Did not generate a newer Delta CRL.", x509deltaCrlAfter.getThisUpdate().after(x509deltaCrl.getThisUpdate())); // Try a similar thing when we specify which CA IDs to generate CRLs for // Compare CRL numbers instead of Dates, since these CRLs might have been generated the same // second as the last ones final Collection<Integer> caids = new ArrayList<Integer>(); caids.add(Integer.valueOf(testx509ca.getCAId())); publishingCrlProxySession.createCRLs(roleMgmgToken, caids, 2); final X509CRL x509crlAfter2 = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); assertTrue( "Did not generate a newer CRL.", CrlExtensions.getCrlNumber(x509crlAfter2).intValue() > CrlExtensions.getCrlNumber(x509crlAfter).intValue()); publishingCrlProxySession.createDeltaCRLs(roleMgmgToken, caids, 2); final X509CRL x509deltaCrlAfter2 = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), true)); assertTrue( "Did not generate a newer Delta CRL.", CrlExtensions.getCrlNumber(x509deltaCrlAfter2).intValue() > CrlExtensions.getCrlNumber(x509deltaCrlAfter).intValue()); } finally { byte[] crl; while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false)) != null) { X509CRL x509crl = CertTools.getCRLfromByteArray(crl); internalCertificateStoreSession.removeCRL( roleMgmgToken, CertTools.getFingerprintAsString(x509crl)); } while ((crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), true)) != null) { X509CRL x509crl = CertTools.getCRLfromByteArray(crl); internalCertificateStoreSession.removeCRL( roleMgmgToken, CertTools.getFingerprintAsString(x509crl)); } } }
/** Test revocation and reactivation of certificates */ @Test public void testRevokeAndUnrevoke() throws Exception { X509Certificate cert = createCert(); try { // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate is not present in a new CRL byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); X509CRL x509crl = CertTools.getCRLfromByteArray(crl); Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates(); if (revset != null) { Iterator<? extends X509CRLEntry> iter = revset.iterator(); while (iter.hasNext()) { X509CRLEntry ce = iter.next(); assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0); } } // If no revoked certificates exist at all, this test passed... certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate IS present in a new CRL crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); assertNotNull(revset); Iterator<? extends X509CRLEntry> iter = revset.iterator(); boolean found = false; while (iter.hasNext()) { X509CRLEntry ce = iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; // TODO: verify the reason code } } assertTrue( "Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found); // Unrevoke the certificate that we just revoked certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate IS NOT present in the new // CRL. crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); if (revset != null) { iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; } } assertFalse(found); } // If no revoked certificates exist at all, this test passed... certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null); assertTrue( "Failed to revoke certificate!", certificateStoreSession.isRevoked( CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert))); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate IS present in a new CRL crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = (X509CRLEntry) iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; // TODO: verify the reason code } } assertTrue(found); certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null); assertTrue( "Was able to re-activate permanently revoked certificate!", certificateStoreSession.isRevoked( CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert))); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate is present in the new CRL, // because the revocation reason // was not CERTIFICATE_HOLD, we can only un-revoke certificates that are // on hold. crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = (X509CRLEntry) iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; } } assertTrue(found); } finally { internalCertificateStoreSession.removeCertificate(cert); } }