/** Test Overflow of CRL Period */ @Test public void testCRLPeriodOverflow() throws Exception { log.trace(">test05CRLPeriodOverflow()"); // Fetch CAInfo and save CRLPeriod CAInfo cainfo = testx509ca.getCAInfo(); long tempCRLPeriod = cainfo.getCRLPeriod(); X509Certificate cert = createCertWithValidity(1); try { // Revoke the user certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, null); // Change CRLPeriod cainfo.setCRLPeriod(Long.MAX_VALUE); caSession.editCA(roleMgmgToken, cainfo); // Create new CRL's assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Verify that status is not archived CertificateInfo certinfo = certificateStoreSession.getCertificateInfo(CertTools.getFingerprintAsString(cert)); assertFalse( "Non Expired Revoked Certificate was archived", certinfo.getStatus() == CertificateConstants.CERT_ARCHIVED); } finally { internalCertificateStoreSession.removeCertificate(CertTools.getSerialNumber(cert)); // Restore CRL Period cainfo.setCRLPeriod(tempCRLPeriod); caSession.editCA(roleMgmgToken, cainfo); } }
@After public void tearDown() throws Exception { for (Certificate certificate : certificatesToRemove) { internalCertificateStoreSession.removeCertificate(certificate); } for (Certificate certificate : internalCertificateStoreSession.findCertificatesByIssuer("CN=" + CA_NAME)) { internalCertificateStoreSession.removeCertificate(certificate); } endEntityManagementSession.deleteUser(admin, USERNAME); log.debug("Removed user: "******"Removed service:" + CERTIFICATE_EXPIRATION_SERVICE); assertNull( "ServiceData object with id 4711 was not removed properly.", serviceDataSession.findById(4711)); }
/** Test revocation and reactivation of certificates */ @Test public void testRevokeAndUnrevoke() throws Exception { X509Certificate cert = createCert(); try { // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate is not present in a new CRL byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); X509CRL x509crl = CertTools.getCRLfromByteArray(crl); Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates(); if (revset != null) { Iterator<? extends X509CRLEntry> iter = revset.iterator(); while (iter.hasNext()) { X509CRLEntry ce = iter.next(); assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0); } } // If no revoked certificates exist at all, this test passed... certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate IS present in a new CRL crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); assertNotNull(revset); Iterator<? extends X509CRLEntry> iter = revset.iterator(); boolean found = false; while (iter.hasNext()) { X509CRLEntry ce = iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; // TODO: verify the reason code } } assertTrue( "Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found); // Unrevoke the certificate that we just revoked certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate IS NOT present in the new // CRL. crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); if (revset != null) { iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; } } assertFalse(found); } // If no revoked certificates exist at all, this test passed... certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null); assertTrue( "Failed to revoke certificate!", certificateStoreSession.isRevoked( CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert))); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate IS present in a new CRL crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = (X509CRLEntry) iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; // TODO: verify the reason code } } assertTrue(found); certificateStoreSession.setRevokeStatus( roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null); assertTrue( "Was able to re-activate permanently revoked certificate!", certificateStoreSession.isRevoked( CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert))); // Create a new CRL again... assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId())); // Check that our newly signed certificate is present in the new CRL, // because the revocation reason // was not CERTIFICATE_HOLD, we can only un-revoke certificates that are // on hold. crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false); assertNotNull("Could not get CRL", crl); x509crl = CertTools.getCRLfromByteArray(crl); revset = x509crl.getRevokedCertificates(); iter = revset.iterator(); found = false; while (iter.hasNext()) { X509CRLEntry ce = (X509CRLEntry) iter.next(); if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) { found = true; } } assertTrue(found); } finally { internalCertificateStoreSession.removeCertificate(cert); } }