/*************************************************************************
* *
* EJBCA: The OpenSource Certificate Authority *
* *
* This software is free software; you can redistribute it and/or *
* modify it under the terms of the GNU Lesser General Public *
* License as published by the Free Software Foundation; either *
* version 2.1 of the License, or any later version. *
* *
* See terms of license at gnu.org. *
* *
*************************************************************************/
package org.ejbca.core.protocol.ocsp;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Hashtable;
import junit.framework.TestCase;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.OCSPReq;
import org.bouncycastle.ocsp.OCSPReqGenerator;
import org.bouncycastle.ocsp.RespID;
import org.bouncycastle.ocsp.SingleResp;
import org.bouncycastle.ocsp.UnknownStatus;
import org.ejbca.config.OcspConfiguration;
import org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAServiceRequest;
import org.ejbca.core.model.ca.caadmin.extendedcaservices.OCSPCAServiceResponse;
import org.ejbca.core.protocol.ocsp.OcspUtilMockups.MockDSAPublicKey;
import org.ejbca.core.protocol.ocsp.OcspUtilMockups.MockECDSAPublicKey;
import org.ejbca.core.protocol.ocsp.OcspUtilMockups.MockRSAPublicKey;
import org.ejbca.util.Base64;
import org.ejbca.util.CertTools;
import org.ejbca.util.CryptoProviderTools;
/**
*
* @author tomas
* @version $Id: OcspUtilTest.java 9435 2010-07-14 15:18:39Z mikekushner $
*
*/
public class OcspUtilTest extends TestCase {
public void setUp() throws Exception {
CryptoProviderTools.installBCProvider();
}
public void test01CreateOCSPCAServiceResponse() throws Exception {
KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
ks.load(new ByteArrayInputStream(sceprap12), "foo123".toCharArray());
String providerName = "BC";
X509Certificate racert = (X509Certificate)ks.getCertificate("Scep RA");
Certificate[] chain = ks.getCertificateChain("Scep RA");
assertEquals(3, chain.length);
X509Certificate cacert = (X509Certificate)chain[1];
String signer = CertTools.getSubjectDN(chain[0]);
assertEquals("CN=Scep RA,O=PrimeKey,C=SE", signer);
PrivateKey privKey = (PrivateKey)ks.getKey("Scep RA", "foo123".toCharArray());
X509Certificate[] certChain = new X509Certificate[chain.length];
for (int i=0;i<chain.length;i++) {
certChain[i] = (X509Certificate)chain[i];
}
// Everything looks OK, lets get started with the real tests.
// An OCSP request
OCSPReqGenerator gen = new OCSPReqGenerator();
gen.addRequest(new CertificateID(CertificateID.HASH_SHA1, cacert, racert.getSerialNumber()));
Hashtable exts = new Hashtable();
X509Extension ext = new X509Extension(false, new DEROctetString("123456789".getBytes()));
exts.put(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, ext);
gen.setRequestExtensions(new X509Extensions(exts));
OCSPReq req = gen.generate();
// A response to create
ArrayList responseList = new ArrayList();
CertificateID certId = req.getRequestList()[0].getCertID();
responseList.add(new OCSPResponseItem(certId, new UnknownStatus(), 0));
// First check that the whole chain is included and the responderId is keyHash
OCSPCAServiceRequest ocspServiceReq = new OCSPCAServiceRequest(req, responseList, null, "SHA1WithRSA;SHA1WithDSA;SHA1WithECDSA", true);
ocspServiceReq.setRespIdType(OcspConfiguration.RESPONDERIDTYPE_KEYHASH);
OCSPCAServiceResponse response = OCSPUtil.createOCSPCAServiceResponse(ocspServiceReq, privKey, providerName, certChain);
BasicOCSPResp basicResp = response.getBasicOCSPResp();
X509Certificate[] respCerts = basicResp.getCerts("BC");
assertEquals(3, respCerts.length); // Certificate chain included
RespID respId = basicResp.getResponderId();
RespID testKeyHash = new RespID(racert.getPublicKey());
RespID testName = new RespID(racert.getSubjectX500Principal());
assertEquals(respId, testKeyHash);
assertFalse(respId.equals(testName));
// Second check that the whole chain is NOT included and the responderId is Name
ocspServiceReq = new OCSPCAServiceRequest(req, responseList, null, "SHA1WithRSA;SHA1WithDSA;SHA1WithECDSA", false);
ocspServiceReq.setRespIdType(OcspConfiguration.RESPONDERIDTYPE_NAME);
response = OCSPUtil.createOCSPCAServiceResponse(ocspServiceReq, privKey, providerName, certChain);
basicResp = response.getBasicOCSPResp();
respCerts = basicResp.getCerts("BC");
assertEquals(1, respCerts.length); // Certificate chain included
respId = basicResp.getResponderId();
assertFalse(respId.equals(testKeyHash));
assertEquals(respId, testName);
// Third do some verification
basicResp.verify(racert.getPublicKey(), "BC");
SingleResp[] responses = basicResp.getResponses();
assertEquals(1, responses.length);
SingleResp resp = responses[0];
CertificateID myid = resp.getCertID();
assertEquals(certId, myid);
}
public void test02getSigningAlgFromAlgSelection() throws Exception {
RSAPublicKey rsa = new MockRSAPublicKey();
assertEquals("SHA1WithRSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithRSA;SHA1WithECDSA", rsa));
assertEquals("SHA1WithRSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA256WithECDSA;SHA1WithECDSA;SHA1WithRSA", rsa));
assertEquals("SHA1WithRSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithRSA", rsa));
assertEquals("SHA1WithRSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithECDSA;SHA1WithRSA", rsa));
ECPublicKey ecdsa = new MockECDSAPublicKey();
assertEquals("SHA1WithECDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithECDSA;SHA1WithDSA", ecdsa));
assertEquals("SHA1WithECDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithDSA;SHA1WithRSA;SHA1WithECDSA", ecdsa));
assertEquals("SHA1WithECDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithECDSA", ecdsa));
assertEquals("SHA1WithECDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithDSA;SHA1WithECDSA", ecdsa));
DSAPublicKey dsa = new MockDSAPublicKey();
assertEquals("SHA1WithDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithECDSA;SHA1WithDSA", dsa));
assertEquals("SHA1WithDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA256WithECDSA;SHA1WithECDSA;SHA1WithDSA", dsa));
assertEquals("SHA1WithDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithDSA", dsa));
assertEquals("SHA1WithDSA", OCSPUtil.getSigningAlgFromAlgSelection("SHA1WithECDSA;SHA1WithDSA", dsa));
assertNull(OCSPUtil.getSigningAlgFromAlgSelection("", dsa));
}
private static byte[] sceprap12 = Base64
.decode(("MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0BBwGggCSABIID"+
"ETCCAw0wggMJBgsqhkiG9w0BDAoBAqCCArIwggKuMCgGCiqGSIb3DQEMAQMwGgQU"+
"7xKnsBeIZcizPqFhNYG+aUoC5CkCAgQABIICgLpQSm61BGUpVKrgaEu/XxFLyKe4"+
"B3QGzjt9pBbDLN0WmeD37Mdi3fAxTG3zgdDlyIL/V2jVXMTNmhQiWBafo2lsij8d"+
"P5PgNaxZgZscXqVnreH7R9T86XROTZ9CTuKjW8SHu4TkZOfmWYZgHEQpAqtt3QNq"+
"XnWhCpK2OpBBErawMkFvOGkF4OBCpDH97/M/et5jwh/NCU+Fu7DxAEDm4EvLi46m"+
"3rEZW1PP6y+ZsKXLrDRqwmAowbNDJib6A37KO/qkg7W6ZTrBny7IjhG/3e4T2h6t"+
"nRUUQoVw4CApCUT4vjBmwIADolsGHc3AZvWNN9mLO8kZxVKwhNHK8Lp/3Ooe7LZi"+
"7VgoKNV5VzVKIn/bDAtOrfRBzeaL529U+bQctFheEAyJgAeRohQfPkHUOMOoMQXB"+
"/eUEBvcZRHkoP2VqVUSIrWj5JoOZEZH+LaakOKuFZy4iAjT8ua0jWDbpORYUSVNL"+
"y80YnLuqmHubMNxyRjZzQH+zGInIogamD9k3EQ25hp5AbgPaAR6zwxMsX7d9vMBg"+
"ZFQrFQbSR9RLmu0VRQ8ObmcwTbULBbWpGpqOJp8lokZ2Xv22osfuSj2hYXeuYevc"+
"B1uBaduYmo2qIqtzqPle1GLy/ADGBcFXYvu1rp7XB2fezSiogJfa2Qutuhz4NEB5"+
"qmkJAOTqpstK8MmJEJ5xfueaJ7yj2qNapz/hUVR03v+KQBoX2X9d7u23/GIo/InE"+
"KStTIvk88IBWNcuFX2XVRzMVji0drdZwNTeXq013A0cwHYzKk1+KCajvmGpATK9w"+
"FPj64xT0ExikjJAs2+ZvUXKMUTHBkrHI82ecJxhP2PDV0tnKEehqkqSJWRwxRDAd"+
"BgkqhkiG9w0BCRQxEB4OAFMAYwBlAHAAIABSAEEwIwYJKoZIhvcNAQkVMRYEFHJJ"+
"BcozkYwk5T26NCByyaqwwYTcAAAAAAAAMIAGCSqGSIb3DQEHBqCAMIACAQAwgAYJ"+
"KoZIhvcNAQcBMCgGCiqGSIb3DQEMAQYwGgQUJJUMBlrxmv5ovcHd+zOplLh6lHoC"+
"AgQAoIAEggm4hazZFHNOsMJvcGk9bnsS9d15xFHIa42HUGOiYLVNHoATvX8jWcsp"+
"h8IfIZzBgMjE0t+QvYDenDBeVCCqaiNz/6KHd3xaHT8425Xoykd1ULSNZV6xqnYM"+
"Ub+vSruQYte9q/xOvKXRRg9uBIID6K4w8hjA9OBlC32IIGM4EUcsjaKowVbE+7+D"+
"eu8zw+nKzkUqJPgxp2J1x/2sTLdo8jEI2PEj4Vhzpkar/ZrpPyW8d1CkECUzQ8XV"+
"wZ+62Tfhj5UnCYbzrD0eiZRWassrdEhpyx+MPGCXX1ji6XWqPb9EFeasHxt0zJdN"+
"4EksyqaoJWG4RUi85VOqXnwDNWhjKLQNB7GGOuseA5gkNKKVJwO+piOZF/ueKzHQ"+
"iKtjPxVqSx2DMXOXoEMUXg8dSSvRwP2ctX8myRQxK938cenIdGKutDsyWqZrbqaL"+
"COJbyzGTNSxOcBtJY6zNqROUki8jMxlsZXzOHBiQNmxuOYB6eLX3rD9DosFEZRMn"+
"Ngk20+HRhhJapn71pYb7JL3DQlWaT6uRL/VlTEGxToDR0ZObb3YoScgJls6BmigX"+
"HyJEoCjE0jvmkbbrUBZihF+zi3fRR4tl1vnBtNZiwBeCkpwFtJIxx/0DqNA3lqmG"+
"coEo+xZRcqCn83UewhFNm7vlr2NuTbVbDlcdyKS8I6gVH8FXao8BptGOV8DBqsZq"+
"YpFGl+wjcWhtBqfazedPGfsnm6pRWpBNF7PIsmYAeqkYEslxu7wfVSSOOQW8yGDQ"+
"/JKAxdOZ+mXsJFbRd496U24fZhO+1kJAyluaqNTVdnFepW6w8oHfwmuqVA3E2sW0"+
"RVhM7qCdl+/l4lRmIe65fyc6CA6PEXYg2DYB8g733YBQ5ODD5Qq3HIXjO/3ehwYz"+
"Dtw5KZ0vQana0N4XZPbxpwsR6goqm5azAjgYTR3fNLMgftkjzycSYrOs6EfaM4qu"+
"a+jjKNvQha8xezpj9fuLfCP+tUqxQHAFU5SkNezCbupLsszXtaDgij6VNbKxHVd/"+
"T//75camO4DvVfc+39Tsiv4LyUB5aBlH0XNe9hQhF4WOcg7CynnK+jk6emq/CIDf"+
"23zeNh7D32Un3r2tVs1O2Cz+c5FsVty7SGgjNQxCr8Cb+iFeMWYvHWPLXTgS11ee"+
"zaE+HG8JIRlBjOFgS0Jei9dMLNu08iJPVcEEK+qblGTMQRIl+Pulo3NGoDcrffuN"+
"YoBHWMzBwFg+Mz0hexEn/wiJJ2DjeiN8F1Dj7rU87Ywnf4EJzg/RIrEZimfLLBrT"+
"vKuUQAinjm48X9FEQ6cEhv9srW93aEicEkM8TUSZLeZjbNPwErQTFovWP0m/0YHT"+
"pu8RQd6F5aN5QM8O2csZy4FQkVwolwS0vFzOYuQKFHJcJsYn/jmEPUOfHFYUrtFn"+
"3K2jmGSnEhf+77gnr28EKMVlLziwfCnCUWQVipB+XTO4opYxKj7C67mI47UHbLEJ"+
"qUsZvFivZEg/AqX2PhQEggPoqjJGRwOuGFsJQvW2SR0XZG8NFOr7HEKcFvlArmpZ"+
"vj0iqJuIXEwOTg9lyXz16T5IS5i2gXz0XpYD+7swb+W+GJU46CQMUYnKvbHcd77j"+
"mJc+v9SNMoojVSNLBGD6o+3gzdc+5AMwZ1lKJ8wpwxRIlz1HHIP6NqQPJYNPy0iI"+
"f6kfZMZM25RpEjqfF0aEj9QwTLvWXmllV9jzBRAcMU8slB6DMg0ZH5IQ0y8lXLWw"+
"uDBjjkrhxuI1CG3bfzU9XwFiwRnFqec2KfSPskldTmm7/9R1mLxsUv+cpA00iBo8"+
"RmpRqkzuSNKBnA3hO48hiRXDc/aGhNBCYD6/mL2hqswMZPFgJN419+dnwXWM6Mpf"+
"4WvCD9CPTf++mUYip/Pv0kO0cD1/aT6Q22htO1JIkrF/FVkn0gMQOk42+TtE9uAe"+
"u4SQ4fG6Fzeo5ifXtm7FIMUleKQWvai1N5UnUkbDRS2GCpkcPnldK54NaOFWKvX0"+
"0X4xmd7Fy4Y6CKrB2axpD7kXt8WhkcJHMTJjpC5Qb8062Ew2P3RphYsAK1NGgsht"+
"pb6z5krjLtquFqPV+uqjr2O0FpCHLSmHkBfDiXvrS8qfAys4khE8r/zwbigetALe"+
"Dz3d+SGxp06A8AZqS6UV+pNmjCoLpLlPYKLtxC7CbYsHFVoxPHlaXtx54noPHUsk"+
"kHVdd7+/ZxJtKjFFTCQ5YrAeRtGOwiy8Hh2LCdzuLg8PofblVP4NDLbUWiJGtPDm"+
"4Htwg0REaNXgy142VP4k4qjHQi08UmeFFG9UyKzjMq08XhfRCJVsZ0DfkiFQW6cq"+
"GJ1qYzPhDaLSzT7IVvPVYuHTQ7J78/d6xl/6/y/Fb1oWq20W8VfH/WShsU39rvD9"+
"R5jvwyMsid7/6UtiVLB2Ai221fUsp6HLS76XlJgafi1jANoEpdbyrikXW7qmH9LZ"+
"E3O0I31wuGRf8M9/EMuAVp0U95t0I/SJX7UzsuremW2mD1fohbqRGNHI88y9e8B4"+
"VU51Kjy5Avznlm0EiRdNfZ93UaJiXnkppO4tz+Tqjlh/DkH+AmBb4CCXUXdp37dU"+
"BPQ8u0uYecY8IpDG+Ke5Qpc54V32YqsOedVUTWswgY/glhlAz9yNO5c4YPNLLRUL"+
"yHb0txMDdEr9TymCappZC+WefSQl6f/u+4L21ZvtRKAmafHRvxoB/LXsbEINIF6C"+
"JQqEGfat7dMSIPh5s4EGgMWMtV0bfh0O9N4MGedONpmdDWYKDkbCqWapeQ2Krrps"+
"VX2DzHxhLMbqoalmPu8xpOZhzqK9307foMWzFyrW8bzAvCDPBQ+ptu9tr2cYeZMC"+
"8WoIpIVQlrJMBgSCAYusivMBIRyD4a50V0U6rFMsihXzS5vgP89kSMsFDw7E2DgW"+
"uRQ9J6BM1ZPubNhGK0NVWQa3Qfne/JdGgX033rOQ6Va/GfmKr6OgX3N1oynBqjpy"+
"zbuab+QvKBx2FMtqwxcMPaYBqDoLAY4yND7Xf1iu5S5M2QLGG3SLDa99rIArxRaQ"+
"SecqOmyd3T5O/4l2nac5QeeSZkNGrc7lkE1+Jfw5oV0D65XNRL0e5tQpFFtJMkPv"+
"eYIWyURGxqwBKHc4bWMSnbogwms8omkZU9KV/HGFZ5/ZCvaKO7A7/Dy7OvdwgjFi"+
"SKRS4O12kD9KeQgy/YR8CQ/LzEEnCz1HQGI5GyBJVSbVlaGL02ZyoWm6weZCz+5f"+
"fYgZu/hf1OdCW9PNVrp1jr4iSJoxN4zWDcqQJihBZur0KUQzCcSM2+i8CcOgn8iU"+
"JvGTfN1Dut7uhemAe7gMJqK/Gn191qvnjOx11e3aHx/gsm+oYPjX2WsLaDPTC9xq"+
"qJxTVXugdVJNJa+AnwAAAAAAAAAAAAAAAAAAAAAAADA9MCEwCQYFKw4DAhoFAAQU"+
"unDpu2VQAK16gAfBMGOLYJN2kHQEFOABMQwh12RryVUvks+kUMJIzJOYAgIEAAAA")
.getBytes());
}