env.put( "java.naming.provider.url", "ldap://localhost:" + getLdapServer().getPort() );
env.put( "java.naming.security.principal", "uid=admin,ou=system" );
env.put( "java.naming.security.credentials", "secret" );
env.put( "java.naming.security.authentication", "simple" );
LdapContext ctx = new InitialLdapContext( env, null );
StartTlsResponse tls = ( StartTlsResponse ) ctx.extendedOperation( new StartTlsRequest() );
// Test-only verifier: accepts any hostname. The connection targets localhost with the
// test BogusSSLContextFactory, so the server cert's subject is not expected to match;
// this disables hostname checking and must stay confined to the test harness.
tls.setHostnameVerifier( new HostnameVerifier()
{
// Always trusts the peer hostname; only the TLS handshake itself is exercised here.
public boolean verify( String hostname, SSLSession session )
{
return true;
}
} );
tls.negotiate( BogusSSLContextFactory.getInstance( false ).getSocketFactory() );
// create a new certificate
String newIssuerDN = "cn=new_issuer_dn";
String newSubjectDN = "cn=new_subject_dn";
Entry entry = getLdapServer().getDirectoryService().getAdminSession().lookup(
new Dn( "uid=admin,ou=system" ) );
TlsKeyGenerator.addKeyPair( entry, newIssuerDN, newSubjectDN, "RSA" );
// now update the certificate (over the wire)
ModificationItem[] mods = new ModificationItem[3];
mods[0] = new ModificationItem( DirContext.REPLACE_ATTRIBUTE, new BasicAttribute(
TlsKeyGenerator.PRIVATE_KEY_AT, entry.get( TlsKeyGenerator.PRIVATE_KEY_AT ).getBytes() ) );
mods[1] = new ModificationItem( DirContext.REPLACE_ATTRIBUTE, new BasicAttribute(
TlsKeyGenerator.PUBLIC_KEY_AT, entry.get( TlsKeyGenerator.PUBLIC_KEY_AT ).getBytes() ) );
mods[2] = new ModificationItem( DirContext.REPLACE_ATTRIBUTE, new BasicAttribute(
TlsKeyGenerator.USER_CERTIFICATE_AT, entry.get( TlsKeyGenerator.USER_CERTIFICATE_AT ).getBytes() ) );
ctx.modifyAttributes( "uid=admin,ou=system", mods );
ctx.close();
getLdapServer().reloadSslContext();
// create a new secure connection
ctx = new InitialLdapContext( env, null );
tls = ( StartTlsResponse ) ctx.extendedOperation( new StartTlsRequest() );
// Second StartTLS negotiation after reloadSslContext(): same test-only verifier that
// accepts any hostname, so the assertions below check only which server certificate
// chain was presented, not whether it matches the connected host.
tls.setHostnameVerifier( new HostnameVerifier()
{
// Always trusts the peer hostname; hostname verification is intentionally not under test.
public boolean verify( String hostname, SSLSession session )
{
return true;
}
} );
tls.negotiate( BogusSSLContextFactory.getInstance( false ).getSocketFactory() );
// check the received certificate, it must contain the updated server certificate
X509Certificate[] lastReceivedServerCertificates = BogusTrustManagerFactory.lastReceivedServerCertificates;
assertNotNull( lastReceivedServerCertificates );
assertEquals( 1, lastReceivedServerCertificates.length );