}
assertTrue("CA is not valid for the specified duration.", CertTools.getNotAfter(cert).after(
new Date(new Date().getTime() + 10 * 364 * 24 * 60 * 60 * 1000L))
&& CertTools.getNotAfter(cert).before(new Date(new Date().getTime() + 10 * 366 * 24 * 60 * 60 * 1000L)));
// Check role
CardVerifiableCertificate cvcert = (CardVerifiableCertificate) cert;
String role = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole().name();
assertEquals("SETCVCAEC00001", cvcert.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated());
assertEquals("CVCA", role);
ret = true;
} catch (CAExistsException pee) {
log.info("CA exists.");
}
assertTrue(ret);
// Create a Sub DV domestic
ret = false;
try {
adminGroupSession.init(admin, dvddn.hashCode(), DEFAULT_SUPERADMIN_CN);
CVCCAInfo cvccainfo = new CVCCAInfo(dvddn, dvdcaname, SecConst.CA_ACTIVE, new Date(), SecConst.CERTPROFILE_FIXED_SUBCA, 3650, null, // Expiretime
CAInfo.CATYPE_CVC, rootcadn.hashCode(), null, catokeninfo, "JUnit CVC CA", -1, null, 24, // CRLPeriod
0, // CRLIssueInterval
10, // CRLOverlapTime
10, // Delta CRL period
new ArrayList<Integer>(), // CRL publishers
true, // Finish User
extendedcaservices, new ArrayList<Integer>(), // Approvals Settings
1, // Number of Req approvals
true, // Include in health check
true, // isDoEnforceUniquePublicKeys
true, // isDoEnforceUniqueDistinguishedName
false, // isDoEnforceUniqueSubjectDNSerialnumber
true, // useCertReqHistory
true, // useUserStorage
true // useCertificateStorage
);
caAdminSession.createCA(admin, cvccainfo);
dvdcainfo = caAdminSession.getCAInfo(admin, dvdcaname);
assertEquals(CAInfo.CATYPE_CVC, dvdcainfo.getCAType());
Certificate cert = (Certificate) dvdcainfo.getCertificateChain().iterator().next();
assertEquals("CVC", cert.getType());
assertEquals(CertTools.getSubjectDN(cert), dvddn);
assertEquals(CertTools.getIssuerDN(cert), rootcadn);
assertEquals(dvdcainfo.getSubjectDN(), dvddn);
PublicKey pk = cert.getPublicKey();
if (pk instanceof ECPublicKey) {
ECPublicKey epk = (ECPublicKey) pk;
assertEquals(epk.getAlgorithm(), "ECDSA");
int len = KeyTools.getKeyLength(epk);
assertEquals(0, len); // the DVCA does not include all EC
// parameters in the public key, so we
// don't know the key length
} else {
assertTrue("Public key is not ECC", false);
}
assertTrue("CA is not valid for the specified duration.", CertTools.getNotAfter(cert).after(
new Date(new Date().getTime() + 10 * 364 * 24 * 60 * 60 * 1000L))
&& CertTools.getNotAfter(cert).before(new Date(new Date().getTime() + 10 * 366 * 24 * 60 * 60 * 1000L)));
// Check role
CardVerifiableCertificate cvcert = (CardVerifiableCertificate) cert;
assertEquals("SETDVEC-D00001", cvcert.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated());
String role = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole().name();
assertEquals("DV_D", role);
String accessRights = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getAccessRight()
.name();
assertEquals("READ_ACCESS_DG3_AND_DG4", accessRights);
ret = true;
} catch (CAExistsException pee) {
log.info("CA exists.");
}
assertTrue(ret);
// Create a Sub DV foreign
ret = false;
try {
adminGroupSession.init(admin, dvfdn.hashCode(), DEFAULT_SUPERADMIN_CN);
CVCCAInfo cvccainfo = new CVCCAInfo(dvfdn, dvfcaname, SecConst.CA_ACTIVE, new Date(), SecConst.CERTPROFILE_FIXED_SUBCA, 3650, null, // Expiretime
CAInfo.CATYPE_CVC, rootcadn.hashCode(), null, catokeninfo, "JUnit CVC CA", -1, null, 24, // CRLPeriod
0, // CRLIssueInterval
10, // CRLOverlapTime
10, // Delta CRL period
new ArrayList<Integer>(), // CRL publishers
true, // Finish User
extendedcaservices, new ArrayList<Integer>(), // Approvals Settings
1, // Number of Req approvals
true, // Include in health check
true, // isDoEnforceUniquePublicKeys
true, // isDoEnforceUniqueDistinguishedName
false, // isDoEnforceUniqueSubjectDNSerialnumber
true, // useCertReqHistory
true, // useUserStorage
true // useCertificateStorage
);
caAdminSession.createCA(admin, cvccainfo);
CAInfo info = caAdminSession.getCAInfo(admin, dvfcaname);
assertEquals(CAInfo.CATYPE_CVC, info.getCAType());
Certificate cert = (Certificate) info.getCertificateChain().iterator().next();
assertEquals("CVC", cert.getType());
assertEquals(CertTools.getSubjectDN(cert), dvfdn);
assertEquals(CertTools.getIssuerDN(cert), rootcadn);
assertEquals(info.getSubjectDN(), dvfdn);
PublicKey pk = cert.getPublicKey();
if (pk instanceof ECPublicKey) {
ECPublicKey epk = (ECPublicKey) pk;
assertEquals(epk.getAlgorithm(), "ECDSA");
int len = KeyTools.getKeyLength(epk);
assertEquals(0, len); // the DVCA does not include all EC
// parameters in the public key, so we
// don't know the key length
} else {
assertTrue("Public key is not ECC", false);
}
assertTrue("CA is not valid for the specified duration.", CertTools.getNotAfter(cert).after(
new Date(new Date().getTime() + 10 * 364 * 24 * 60 * 60 * 1000L))
&& CertTools.getNotAfter(cert).before(new Date(new Date().getTime() + 10 * 366 * 24 * 60 * 60 * 1000L)));
// Check role
CardVerifiableCertificate cvcert = (CardVerifiableCertificate) cert;
assertEquals("FITDVEC-F00001", cvcert.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated());
String role = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole().name();
assertEquals("DV_F", role);
ret = true;
} catch (CAExistsException pee) {
log.info("CA exists.");
}
assertTrue("Creating CVC CAs failed", ret);
// Test to renew a CVC CA
dvdcainfo = caAdminSession.getCAInfo(admin, dvdcaname);
Certificate cert = (Certificate) dvdcainfo.getCertificateChain().iterator().next();
// Verify that fingerprint and CA fingerprint is handled correctly
CertificateInfo certInfo = certificateStoreSession.getCertificateInfo(admin, CertTools.getFingerprintAsString(cert));
assertFalse(certInfo.getFingerprint().equals(certInfo.getCAFingerprint()));
int caid = dvdcainfo.getCAId();
caAdminSession.renewCA(admin, caid, null, false);
dvdcainfo = caAdminSession.getCAInfo(admin, dvdcaname);
assertEquals(CAInfo.CATYPE_CVC, dvdcainfo.getCAType());
cert = (Certificate) dvdcainfo.getCertificateChain().iterator().next();
assertEquals("CVC", cert.getType());
assertEquals(CertTools.getSubjectDN(cert), dvddn);
assertEquals(CertTools.getIssuerDN(cert), rootcadn);
assertEquals(dvdcainfo.getSubjectDN(), dvddn);
// Verify that fingerprint and CA fingerprint is handled correctly
certInfo = certificateStoreSession.getCertificateInfo(admin, CertTools.getFingerprintAsString(cert));
assertFalse(certInfo.getFingerprint().equals(certInfo.getCAFingerprint()));
// It's not possible to check the time for renewal of a CVC CA since the
// resolution of validity is only days.
// The only way is to generate a certificate with different access
// rights in it
CardVerifiableCertificate cvcert = (CardVerifiableCertificate) cert;
String role = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole().name();
assertEquals("DV_D", role);
String accessRights = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getAccessRight()
.name();
assertEquals("READ_ACCESS_DG3_AND_DG4", accessRights);
// Make a certificate request from a DV, regenerating keys
Collection<Certificate> cachain = dvdcainfo.getCertificateChain();
byte[] request = caAdminSession.makeRequest(admin, dvdcainfo.getCAId(), cachain, true, false, true, "foo123");
CVCObject obj = CertificateParser.parseCVCObject(request);
// We should have created an authenticated request signed by the old
// certificate
CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest) obj;
CVCertificate reqcert = authreq.getRequest();
assertEquals("SETDVEC-D00002", reqcert.getCertificateBody().getHolderReference().getConcatenated());
// This request is made from the DV targeted for the DV, so the old DV
// certificate will be the holder ref.
// Normally you would target an external CA, and thus send in it's
// cachain. The caRef would be the external CAs holderRef.
assertEquals("SETDVEC-D00001", reqcert.getCertificateBody().getAuthorityReference().getConcatenated());
// Get the DVs certificate request signed by the CVCA
byte[] authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), request, false, false);
CVCObject parsedObject = CertificateParser.parseCVCObject(authrequest);
authreq = (CVCAuthenticatedRequest) parsedObject;
assertEquals("SETDVEC-D00002", authreq.getRequest().getCertificateBody().getHolderReference().getConcatenated());
assertEquals("SETDVEC-D00001", authreq.getRequest().getCertificateBody().getAuthorityReference().getConcatenated());
assertEquals("SETCVCAEC00001", authreq.getAuthorityReference().getConcatenated());
// Get the DVs certificate request signed by the CVCA creating a link
// certificate.
// Passing in a request without authrole should return a regular
// authenticated request though.
authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), request, false, true);
parsedObject = CertificateParser.parseCVCObject(authrequest);
authreq = (CVCAuthenticatedRequest) parsedObject;
// Pass in a certificate instead
CardVerifiableCertificate dvdcert = (CardVerifiableCertificate) cachain.iterator().next();
authrequest = caAdminSession.signRequest(admin, cvcainfo.getCAId(), dvdcert.getEncoded(), false, true);
parsedObject = CertificateParser.parseCVCObject(authrequest);
CVCertificate linkcert = (CVCertificate) parsedObject;
assertEquals("SETCVCAEC00001", linkcert.getCertificateBody().getAuthorityReference().getConcatenated());
assertEquals("SETDVEC-D00001", linkcert.getCertificateBody().getHolderReference().getConcatenated());
// Renew again but regenerate keys this time to make sure sequence is
// updated
caid = dvdcainfo.getCAId();
caAdminSession.renewCA(admin, caid, "foo123", true);
dvdcainfo = caAdminSession.getCAInfo(admin, dvdcaname);
assertEquals(CAInfo.CATYPE_CVC, dvdcainfo.getCAType());
cert = (Certificate) dvdcainfo.getCertificateChain().iterator().next();
assertEquals("CVC", cert.getType());
assertEquals(CertTools.getSubjectDN(cert), dvddn);
assertEquals(CertTools.getIssuerDN(cert), rootcadn);
assertEquals(dvdcainfo.getSubjectDN(), dvddn);
cvcert = (CardVerifiableCertificate) cert;
role = cvcert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole().name();
assertEquals("DV_D", role);
String holderRef = cvcert.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated();
// Sequence must have been updated with 1
assertEquals("SETDVEC-D00003", holderRef);
// Make a certificate request from a CVCA
cachain = cvcainfo.getCertificateChain();
assertEquals(1, cachain.size());
Certificate cert1 = (Certificate) cachain.iterator().next();
CardVerifiableCertificate cvcert1 = (CardVerifiableCertificate) cert1;
assertEquals("SETCVCAEC00001", cvcert1.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated());
request = caAdminSession.makeRequest(admin, cvcainfo.getCAId(), cachain, false, false, false, null);
obj = CertificateParser.parseCVCObject(request);
// We should have created an un-authenticated request, because there
// does not exist any old key
CVCertificate cvcertreq = (CVCertificate) obj;
assertEquals("SETCVCAEC00001", cvcertreq.getCertificateBody().getHolderReference().getConcatenated());
assertEquals("SETCVCAEC00001", cvcertreq.getCertificateBody().getAuthorityReference().getConcatenated());
// Renew the CVCA, generating new keys
caAdminSession.renewCA(admin, cvcainfo.getCAId(), "foo123", true);
// Make a certificate request from a CVCA again
cvcainfo = caAdminSession.getCAInfo(admin, rootcaname);
cachain = cvcainfo.getCertificateChain();
assertEquals(1, cachain.size());
Certificate cert2 = (Certificate) cachain.iterator().next();
CardVerifiableCertificate cvcert2 = (CardVerifiableCertificate) cert2;
assertEquals("SETCVCAEC00002", cvcert2.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated());
request = caAdminSession.makeRequest(admin, cvcainfo.getCAId(), cachain, false, false, false, null);
obj = CertificateParser.parseCVCObject(request);
// We should have created an authenticated request signed by the old
// certificate
CVCAuthenticatedRequest authreq1 = (CVCAuthenticatedRequest) obj;