public void test05CrmfHttpOkUserKeyId2() throws Exception {
byte[] nonce = CmpMessageHelper.createSenderNonce();
byte[] transid = CmpMessageHelper.createSenderNonce();
PKIMessage one = genCertReq(issuerDN2, userDN2, keys, cacert2, nonce, transid, true, null, null, null, null);
PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId2", 567);
int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
assertNotNull(req);
ByteArrayOutputStream bao = new ByteArrayOutputStream();
DEROutputStream out = new DEROutputStream(bao);
out.writeObject(req);
byte[] ba = bao.toByteArray();
// Send request and receive response
byte[] resp = sendCmpHttp(ba, 200);
checkCmpResponseGeneral(resp, issuerDN2, userDN2, cacert2, nonce, transid, false, PBEPASSWORD);
X509Certificate cert = checkCmpCertRepMessage(userDN2, cacert2, resp, reqId);
String altNames = CertTools.getSubjectAlternativeName(cert);
assertTrue(altNames.indexOf("upn=fooupn@bar.com") != -1);
assertTrue(altNames.indexOf("rfc822name=fooemail@bar.com") != -1);
// Check the key usage: it must be digitalSignature for KeyId1 and
// nonRepudiation for KeyId2, so only bit 1 (nonRepudiation) is set here
boolean[] ku = cert.getKeyUsage();
assertFalse(ku[0]);
assertTrue(ku[1]);
assertFalse(ku[2]);
assertFalse(ku[3]);
assertFalse(ku[4]);
assertFalse(ku[5]);
assertFalse(ku[6]);
assertFalse(ku[7]);
assertFalse(ku[8]);
// Check the country (C) in the subject DN: it must be SE for KeyId1 and NO for KeyId2
assertEquals("NO", CertTools.getPartFromDN(cert.getSubjectDN().getName(), "C"));
// Send a confirm message to the CA
String hash = "foo123";
PKIMessage confirm = genCertConfirm(userDN2, cacert2, nonce, transid, hash, reqId);
assertNotNull(confirm);
PKIMessage req1 = protectPKIMessage(confirm, false, PBEPASSWORD, 567);
bao = new ByteArrayOutputStream();
out = new DEROutputStream(bao);
out.writeObject(req1);
ba = bao.toByteArray();
// Send request and receive response
resp = sendCmpHttp(ba, 200);
checkCmpResponseGeneral(resp, issuerDN2, userDN2, cacert2, nonce, transid, false, PBEPASSWORD);
checkCmpPKIConfirmMessage(userDN2, cacert2, resp);
// Now revoke the bastard!
PKIMessage rev = genRevReq(issuerDN2, userDN2, cert.getSerialNumber(), cacert2, nonce, transid, true);
PKIMessage revReq = protectPKIMessage(rev, false, PBEPASSWORD, 567);
assertNotNull(revReq);
bao = new ByteArrayOutputStream();
out = new DEROutputStream(bao);
out.writeObject(revReq);
ba = bao.toByteArray();