assertTrue("Creating DSA CA failed", ret);
} // test12AddDSACA
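/**
 * Exercises CA renewal: renewing the CA certificate with the existing keys,
 * renewing with newly generated keys, creating an X.509 link certificate (the
 * new CA certificate signed with the previous key, "NewWithOld" rollover), and
 * making certificate requests with both the current and freshly generated keys.
 * Finally the CA is renewed once more so the active key and the active
 * certificate are in sync again for the tests that follow.
 *
 * Key identifiers and encoded public keys are compared as byte arrays; the
 * previous {@code new String(byte[])} comparison went through the platform
 * charset, which is lossy for arbitrary bytes and could let two different
 * identifiers compare equal.
 *
 * @throws Exception on any failure from the CA admin session, or from
 *         {@code X509Certificate.verify}, which throws when a signature does
 *         not verify against the given public key
 */
public void test13RenewCA() throws Exception {
    final int caId = getTestCAId();
    final String tokenPin = "foo123";

    // Renew the CA certificate, keeping the existing key pair.
    X509Certificate cacert1 = fetchCurrentCaCert(caId);
    caAdminSession.renewCA(admin, caId, tokenPin, false);
    X509Certificate cacert2 = fetchCurrentCaCert(caId);
    assertFalse("Renewed CA cert must get a new serial number",
            cacert1.getSerialNumber().equals(cacert2.getSerialNumber()));
    // Same key pair -> same subject key identifier.
    assertTrue("Renewal without new keys must keep the subject key id",
            java.util.Arrays.equals(CertTools.getSubjectKeyId(cacert1), CertTools.getSubjectKeyId(cacert2)));
    cacert2.verify(cacert1.getPublicKey()); // throws if the signature does not verify

    // Renew the CA with a freshly generated key pair.
    caAdminSession.renewCA(admin, caId, tokenPin, true);
    X509Certificate cacert3 = fetchCurrentCaCert(caId);
    assertFalse("Renewed CA cert must get a new serial number",
            cacert2.getSerialNumber().equals(cacert3.getSerialNumber()));
    assertFalse("Renewal with new keys must change the subject key id",
            java.util.Arrays.equals(CertTools.getSubjectKeyId(cacert2), CertTools.getSubjectKeyId(cacert3)));

    // Create an X.509 link certificate (NewWithOld rollover cert): cacert3's
    // public key signed with the previous key (cacert2). The link cert must
    // carry cacert3's subject key id but verify with cacert2's public key.
    byte[] linkCertBytes = caAdminSession.signRequest(admin, caId, cacert3.getEncoded(), true, true);
    X509Certificate cacert4 = (X509Certificate) CertTools.getCertfromByteArray(linkCertBytes);
    // Same public key as in cacert3 -> same subject key id.
    assertTrue("Link cert must carry the same subject key id as the new CA cert",
            java.util.Arrays.equals(CertTools.getSubjectKeyId(cacert3), CertTools.getSubjectKeyId(cacert4)));
    // Same signer as cacert2 -> authority key id of cacert4 equals subject key id of cacert2.
    assertTrue("Link cert authority key id must match the old CA cert's subject key id",
            java.util.Arrays.equals(CertTools.getSubjectKeyId(cacert2), CertTools.getAuthorityKeyId(cacert4)));
    cacert4.verify(cacert2.getPublicKey()); // throws if the signature does not verify

    // A request made with the current CA key carries that same public key.
    byte[] request = caAdminSession.makeRequest(admin, caId, new ArrayList<Certificate>(), false, false, false, tokenPin);
    assertNotNull("makeRequest with existing keys returned null", request);
    PKCS10RequestMessage msg = RequestMessageUtils.genPKCS10RequestMessage(request);
    assertTrue("Request with existing keys must carry the current CA public key",
            java.util.Arrays.equals(cacert3.getPublicKey().getEncoded(), msg.getRequestPublicKey().getEncoded()));

    // A request made with newly generated keys cannot carry the old key.
    request = caAdminSession.makeRequest(admin, caId, new ArrayList<Certificate>(), true, false, true, tokenPin);
    assertNotNull("makeRequest with new keys returned null", request);
    msg = RequestMessageUtils.genPKCS10RequestMessage(request);
    assertFalse("Request with new keys must not carry the old CA public key",
            java.util.Arrays.equals(cacert3.getPublicKey().getEncoded(), msg.getRequestPublicKey().getEncoded()));

    // New keys are activated but no certificate response has been received,
    // so the CA is left waiting for one.
    CAInfo info = caAdminSession.getCAInfo(admin, caId);
    assertEquals(SecConst.CA_WAITING_CERTIFICATE_RESPONSE, info.getStatus());

    // Clean up: renew the CA so the active key and the active certificate are
    // back in sync. renewCA needs an active CA, so reset the status first.
    info.setStatus(SecConst.CA_ACTIVE);
    caAdminSession.editCA(admin, info);
    caAdminSession.renewCA(admin, caId, tokenPin, false);
} // test13RenewCA

/**
 * Fetches the CA's current certificate, i.e. the first entry of its certificate
 * chain as returned by {@code getCAInfo}.
 *
 * @param caId id of the CA to look up
 * @return the CA's current certificate
 * @throws Exception if the CA admin session lookup fails
 */
private X509Certificate fetchCurrentCaCert(int caId) throws Exception {
    CAInfo info = caAdminSession.getCAInfo(admin, caId);
    Collection<Certificate> chain = info.getCertificateChain();
    return (X509Certificate) chain.iterator().next();
}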