/** Test Overflow of CRL Period */
@Test
public void testCRLPeriodOverflow() throws Exception {
log.trace(">test05CRLPeriodOverflow()");
// Fetch CAInfo and save CRLPeriod
CAInfo cainfo = testx509ca.getCAInfo();
long tempCRLPeriod = cainfo.getCRLPeriod();
X509Certificate cert = createCertWithValidity(1);
try {
// Revoke the user
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, null);
// Change CRLPeriod
cainfo.setCRLPeriod(Long.MAX_VALUE);
caSession.editCA(roleMgmgToken, cainfo);
// Create new CRL's
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Verify that status is not archived
CertificateInfo certinfo =
certificateStoreSession.getCertificateInfo(CertTools.getFingerprintAsString(cert));
assertFalse(
"Non Expired Revoked Certificate was archived",
certinfo.getStatus() == CertificateConstants.CERT_ARCHIVED);
} finally {
internalCertificateStoreSession.removeCertificate(CertTools.getSerialNumber(cert));
// Restore CRL Period
cainfo.setCRLPeriod(tempCRLPeriod);
caSession.editCA(roleMgmgToken, cainfo);
}
}
/** Test revocation and reactivation of certificates */
@Test
public void testRevokeAndUnrevoke() throws Exception {
X509Certificate cert = createCert();
try {
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate is not present in a new CRL
byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
if (revset != null) {
Iterator<? extends X509CRLEntry> iter = revset.iterator();
while (iter.hasNext()) {
X509CRLEntry ce = iter.next();
assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0);
}
} // If no revoked certificates exist at all, this test passed...
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null);
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate IS present in a new CRL
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
assertNotNull(revset);
Iterator<? extends X509CRLEntry> iter = revset.iterator();
boolean found = false;
while (iter.hasNext()) {
X509CRLEntry ce = iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
// TODO: verify the reason code
}
}
assertTrue(
"Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found);
// Unrevoke the certificate that we just revoked
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate IS NOT present in the new
// CRL.
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
if (revset != null) {
iter = revset.iterator();
found = false;
while (iter.hasNext()) {
X509CRLEntry ce = iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
}
}
assertFalse(found);
} // If no revoked certificates exist at all, this test passed...
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null);
assertTrue(
"Failed to revoke certificate!",
certificateStoreSession.isRevoked(
CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate IS present in a new CRL
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
iter = revset.iterator();
found = false;
while (iter.hasNext()) {
X509CRLEntry ce = (X509CRLEntry) iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
// TODO: verify the reason code
}
}
assertTrue(found);
certificateStoreSession.setRevokeStatus(
roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
assertTrue(
"Was able to re-activate permanently revoked certificate!",
certificateStoreSession.isRevoked(
CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
// Create a new CRL again...
assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
// Check that our newly signed certificate is present in the new CRL,
// because the revocation reason
// was not CERTIFICATE_HOLD, we can only un-revoke certificates that are
// on hold.
crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
assertNotNull("Could not get CRL", crl);
x509crl = CertTools.getCRLfromByteArray(crl);
revset = x509crl.getRevokedCertificates();
iter = revset.iterator();
found = false;
while (iter.hasNext()) {
X509CRLEntry ce = (X509CRLEntry) iter.next();
if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
found = true;
}
}
assertTrue(found);
} finally {
internalCertificateStoreSession.removeCertificate(cert);
}
}
