diff --git a/.gitignore b/.gitignore index de4c7422..d7a9ffb5 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ *.bak /target/ +/path_accumulator_ps.tmp diff --git a/CHANGELOG.md b/CHANGELOG.md index 81da8342..8cfa5367 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -110,4 +110,8 @@ fix: Add test credential generation, fix key usage in test credentials ### 2.6.7 (Sept 28 2023) -fix: Bouncy Castle Provider initialized within the component only if not already registered in the current process \ No newline at end of file +fix: Bouncy Castle Provider initialized within the component only if not already registered in the current process + +### 3.0.0 (Oct 04 2023) + +feat: provide CMP client implementation diff --git a/README.md b/README.md index 6059372b..507e5b3f 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,16 @@ # Features of the generic CMP RA component -The generic CMP RA component supports the implementation of -applications that provides CMP Registration Authority (RA) functions. - +The generic CMP RA component supports the implementation of applications +that provide CMP Registration Authority (RA) functions. +It implements the RA features specified in the +[Lightweight Certificate Management Protocol (CMP) Profile]( +https://datatracker.ietf.org/doc/draft-ietf-lamps-lightweight-cmp-profile/), +reflecting the updates to CMP (RFC 4210) and CRMF (RFC 4211) given in +[Certificate Management Protocol (CMP) Updates]( +https://datatracker.ietf.org/doc/draft-ietf-lamps-cmp-updates/) +and [Certificate Management Protocol (CMP) Algorithms]( +https://datatracker.ietf.org/doc/draft-ietf-lamps-cmp-algorithms/). ## Basic features for use in PoCs, reference implementations, and in production @@ -38,7 +45,7 @@ applications that provides CMP Registration Authority (RA) functions. * The Configuration interface of the generic CMP RA component supports setting options also dynamically and dependent on certificate profiles. * The upstream message transfer interface of the component - * provides optional routing information via the certificate profile and + * provides optional routing information dependent on the certificate profile * supports legacy servers by using PKCS#10 requests and X.509 responses as alternative to CMP. * The component has an interface for authorizing and optionally @@ -63,8 +70,9 @@ The picture below shows the overall design and relation to JAVA base components: Java libraries and runtime environment, including Java crypto provider (JCE). * Errors, warnings and information on internal message processing are logged using the framework [SLF4J](http://www.slf4j.org/). -* The implementation uses the - [Bouncy Castle library](https://www.bouncycastle.org/) (providing low-level CMP) internally. +* The implementation uses internally the + [Bouncy Castle library](https://www.bouncycastle.org/), + which providesd a low-level CMP implementation. * As far as possible, errors are reported at application level as CMP error messages. Otherwise Java exceptions are thrown, @@ -88,7 +96,7 @@ are exchanged as ASN.1 DER-encoded byte strings. * The transfer layer typically does not need to look into the contents of the request/response messages but can simply forward and return them as opaque data. -* The byte string level is the least common denominator +* The byte-string level is the least common denominator for representing PKIX-related data structures. Using it avoids the error-prone handling of inadequate class definitions provided by the standard Java RE. @@ -112,13 +120,11 @@ It can regard incoming and outgoing CMP messages simply as opaque Java byte arrays. The externally usable interface is specified in [`com.siemens.pki.cmpracomponent.main.CmpRaComponent`](src/main/java/com/siemens/pki/cmpracomponent/main/CmpRaComponent.java). -The UML diagram -component and interface design](doc/componentandinterfacedesign.uml) +The UML diagram [component and interface design](doc/componentandinterfacedesignra.uml) gives an overview about external components and interactions. -![component and interface design](doc/componentandinterfacedesign.png) +![component and interface design](doc/componentandinterfacedesignra.png) -### Dynamic message exchange behavior on the downstream CMP interface and -upstream PKCS#10/X.509 interface +### Dynamic message exchange behavior on the downstream CMP interface and upstream PKCS#10/X.509 interface In the PKCS#10 case the upstream communication (towards the CA) is synchronous. The UML diagram [Sequence diagram for PKCS#10/X.509](doc/Sequence_instantiateP10X509CmpRaComponent.uml) @@ -185,3 +191,125 @@ After the javadoc documentation has been generated locally by invoking `mvn javadoc:javadoc`, it can be found at `target/site/apidocs/com/siemens/pki/cmpracomponent/main/CmpRaComponent.html`. +# Features of the generic CMP client component + +The client extends the +[generic CMP RA component](#features-of-the-generic-cmp-client-component). +It implements the End Entity features specified in the +[Lightweight Certificate Management Protocol (CMP) Profile]( +https://datatracker.ietf.org/doc/draft-ietf-lamps-lightweight-cmp-profile/) +reflecting the updates to CMP (RFC 4210) and CRMF (RFC 4211) given in +[Certificate Management Protocol (CMP) Updates]( +https://datatracker.ietf.org/doc/draft-ietf-lamps-cmp-updates/) +and [Certificate Management Protocol (CMP) Algorithms]( +https://datatracker.ietf.org/doc/draft-ietf-lamps-cmp-algorithms/). + +## Basic feature​s for use in PoCs, reference implementations, and in production + +* The generic CMP client component component implements +the following CMP functions and features: + * Build, parse, and process CMP messages and validate their contents. + * Provide and validate CMP message protection, + based on signatures or shared secrets (MAC). + * Support all CMP use cases (including ir, cr, p10cr, kur, and rr) + defined in the [Lightweight CMP Profile]( + https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile). + * Support all general CMP features defined in Lightweight CMP Profile, + including error handling within CMP, local/central key generation, + and delayed delivery of all message types. +* The component is usable in client contexts and in standalone applications. +* Use of the component is as simple as possible, + not requiring specific (crypto, CMP, etc.) detailed knowledge. +* The component supports very flexible configuration, + allowing to set all relevant options, with reasonable defaults. +* The component provides error reporting and logging + towards embedding application or execution environment. +* All messages are ASN.1 DER-encoded for maximal interoperability. +* The component allows using any type of message transfer, such as HTTP(S). +* Java interface is based on Bouncy Castle (low-level CMP) + and the Java crypto provider (JCE). + +## Advanced features, in particular for productive use + +* The Configuration interface of the generic CMP client component supports + setting options also dynamically and dependent on certificate profiles in a + similar way as for the CMP RA component. +* The message transfer interface of the component provides + optional routing information dependent on the certificate profile + +# Structure of the generic CMP client component + +The picture below shows the overall design and relation to JAVA base components: + +![Structure of the generic CMP client component](doc/CmpEeComponentDesign.png) + + +## Overall software design + +* The API for instantiating an CMP client component is specified as a Java class. +* The API to access the generic CMP client component is based just on common + Java libraries and runtime environment, including Java crypto provider (JCE). +* Errors, warnings and information on internal message processing are logged + using the framework [SLF4J](http://www.slf4j.org/). +* The implementation uses internally the + [Bouncy Castle library](https://www.bouncycastle.org/), + which providesd a low-level CMP implementation. +* Errors are reported as Java exceptions, + also in case of invalid configuration and on other fatal errors. + + +## Message exchange API design + +For simplicity, there is only one upstream interface towards server (CA). +In case multiple upstream interfaces are desired: +* Differentiation in transport/routing + can be achieved by the embedding application multiplexing channels. +* Differentiation in message protection or inventory behavior + can be achieved via the certificate profile mechanism. +* If any further differentiation in CMP/application-level processing + is required, multiple CMP client instances are needed. + +All CMP messages are exchanged as ASN.1 DER-encoded byte strings. +* The transfer layer typically does not need to look into + the contents of the request/response messages + but can simply forward and return them as opaque data. +* The byte-string level is the least common denominator + for representing PKIX-related data structures. + Using it avoids the error-prone handling of inadequate class definitions + provided by the standard Java RE. + +The transport layer in the embedding client application +is responsible for the following: +* Forward request message provided by the client upstream interface + towards the server. +* Collect response messages from server side and + provide them to the client upstream interface. + +## Component and interface design + +The embedding application does not need to know CMP specifics. +It can regard incoming and outgoing CMP messages +simply as opaque Java byte arrays. +The externally usable interface is specified in [`com.siemens.pki.cmpclientcomponent.main.CmpClient`](src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java). + +The UML diagram [component and interface design](doc/componentandinterfacedesignclient.uml) +gives an overview about external components and interactions. +![component and interface design](doc/componentandinterfacedesignclient.png) + +### Dynamic message exchange behavior for downstream and upstream CMP interface + +The UML diagram [Sequence diagram for CMP](doc/Sequence_instantiateCmpClientComponent.uml) +gives an overview about instantiation and message exchange +between CMP Client component and upstream interface: + +![Sequence diagram for CMP](doc/Sequence_instantiateCmpClientComponent.png) + +## Configuration interface design + +* Each CMP client instance is controlled by providing implementations of + * [`com.siemens.pki.cmpclientcomponent.main.CmpClient.ClientContext`](src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java) + * [`com.siemens.pki.cmpracomponent.main.CmpRaComponent.UpstreamExchange`](src/main/java/com/siemens/pki/cmpracomponent/main/CmpRaComponent.java) and + * [`com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface`](src/main/java/com/siemens/pki/cmpracomponent/configuration/CmpMessageInterface.java) + +For configuration interface details see [RA Configuration interface design](#configuration-interface-design) which is partly reused for client configuration. + diff --git a/doc/Sequence_instantiateCmpClientComponent.png b/doc/Sequence_instantiateCmpClientComponent.png new file mode 100644 index 00000000..20fbeb1d --- /dev/null +++ b/doc/Sequence_instantiateCmpClientComponent.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:49f568642c4c00e2b23ff6be94feeaf63344f7a7b338edfba66d52ce40a66f6a +size 69485 diff --git a/doc/Sequence_instantiateCmpClientComponent.uml b/doc/Sequence_instantiateCmpClientComponent.uml new file mode 100644 index 00000000..fae9d581 --- /dev/null +++ b/doc/Sequence_instantiateCmpClientComponent.uml @@ -0,0 +1,57 @@ +@startuml + +entity "**Embedding Application**" as embedapp + +activate embedapp + +participant "Client Instance" as Client +participant "UpstreamExchange interface" as Upstream + +activate Upstream + +embedapp <-> Client : new CmpClient() + +activate Client + +hnote over embedapp, Client +synchronous call of getCaCertificates(), +getCertificateRequestTemplate(), getCrls(), +getRootCaCertificateUpdate(), +invokeEnrollment() or invokeRevocation() +end note + +embedapp -> Client : invoke CmpClient method + +Client -> Upstream : sendReceiveMessage(**byte[]** request, **String** certProfile, **int** bodyTypeOfFirstRequest) + +alt synchronous +Upstream --> Client : **byte[]** sendReceiveMessage (response) + +else asynchronous: delayed delivery + +Upstream --> Client : **byte[]** sendReceiveMessage (response with waiting indication) +loop +Client -> Upstream : sendReceiveMessage(**byte[]** pollRequest, **String** certProfile, **int** bodyTypeOfFirstRequest) +alt +Upstream --> Client : **byte[]** sendReceiveMessage (pollResponse) +else +break +end + +end +end + +Upstream --> Client : **byte[]** sendReceiveMessage (response) +end +opt sucessfull enrollment without implicit confirm +Client -> Upstream : sendReceiveMessage(**byte[]** certConf, **String** certProfile, **int** bodyTypeOfFirstRequest) +Upstream --> Client : **byte[]** sendReceiveMessage (pkiConf) +end +hnote over embedapp, Client +response of getCaCertificates(), getCertificateRequestTemplate() +getCrls(), getRootCaCertificateUpdate(), +invokeEnrollment() or invokeRevocation() +end note + +Client -> embedapp: CmpClient method call returns +@enduml \ No newline at end of file diff --git a/doc/componentandinterfacedesign.png b/doc/componentandinterfacedesign.png deleted file mode 100644 index ae619215..00000000 --- a/doc/componentandinterfacedesign.png +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:df5418bc5e8b4eb7eb1f35bb090e2e3cdfe47ed1777450c05140c18bf12bb1cc -size 48363 diff --git a/doc/componentandinterfacedesignclient.png b/doc/componentandinterfacedesignclient.png new file mode 100644 index 00000000..7d703b94 --- /dev/null +++ b/doc/componentandinterfacedesignclient.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d4332eaed77770f2a30a24ecd3256d38f6310e98bfe2845118a923cc605513fd +size 28712 diff --git a/doc/componentandinterfacedesignclient.uml b/doc/componentandinterfacedesignclient.uml new file mode 100644 index 00000000..1f0cc45a --- /dev/null +++ b/doc/componentandinterfacedesignclient.uml @@ -0,0 +1,17 @@ +@startuml + + +artifact embedding as "Embedding Application" { + +(**Upstream Interface**\n- provided by Embedding Application) as upif +[**CmpClient Component**\n- instantiated by Embedding Application] as Client + +database "**Configuration Interface**\n- provided by Embedding Application" as config + +Client <= config : new CmpClient(config) + +left to right direction + +Client <--> upif : byte[] UpstreamExchange::sendReceiveMessage(byte[] request, String certProfile, int bodyTypeOfFirstRequest) +} +@enduml \ No newline at end of file diff --git a/doc/componentandinterfacedesignra.png b/doc/componentandinterfacedesignra.png new file mode 100644 index 00000000..ac9953dd --- /dev/null +++ b/doc/componentandinterfacedesignra.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc0b5e474def9ec0bd2ae2c5a80e480d2023e8ce04e4a8f709a9239832fe5420 +size 51139 diff --git a/doc/componentandinterfacedesign.uml b/doc/componentandinterfacedesignra.uml similarity index 74% rename from doc/componentandinterfacedesign.uml rename to doc/componentandinterfacedesignra.uml index 992cbb3b..78feb4da 100644 --- a/doc/componentandinterfacedesign.uml +++ b/doc/componentandinterfacedesignra.uml @@ -14,6 +14,6 @@ left to right direction downif <--> RA : byte[] processRequest(byte[] request) or\nFunction(byte[] request) RA <-- upif : void gotResponseAtUpstream(byte[] response) -RA <--> upif : byte[] upstreamExchange(byte[] request, String certificateProfile) or\nBiFunction(byte[] p10csr, String certificateProfile) +RA <--> upif : byte[] UpstreamExchange::sendReceiveMessage(byte[] request, String certProfile, int bodyTypeOfFirstRequest) throws Exception; or\nBiFunction(byte[] p10csr, String certificateProfile) } @enduml \ No newline at end of file diff --git a/pom.xml b/pom.xml index 26de11c4..fbe40c7d 100644 --- a/pom.xml +++ b/pom.xml @@ -5,8 +5,8 @@ 4.0.0 com.siemens.pki CmpRaComponent - 2.6.7 jar + 3.0.0 UTF-8 . @@ -243,7 +243,7 @@ www.siemens.com CMP RA Component - A generic CMP Registration Authority component library + A generic CMP Registration Authority and Client component library https://github.com/siemens/cmp-ra-component/ diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/ClientContext.java b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/ClientContext.java new file mode 100644 index 00000000..2691c2e2 --- /dev/null +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/ClientContext.java @@ -0,0 +1,48 @@ +/* + * Copyright (c) 2022 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.configuration; + +/** + * + * generic client configuration + */ +public interface ClientContext { + + /** + * get enrollment specific configuration + * + * @return enrollment specific configuration + */ + EnrollmentContext getEnrollmentContext(); + + /** + * CMP message recipient or null if NULL_DN should be used + * + * @return CMP message recipient + */ + default String getRecipient() { + return null; + } + + /** + * get revocation specific configuration + * + * @return revocation specific configuration + */ + RevocationContext getRevocationContext(); +} diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/EnrollmentContext.java b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/EnrollmentContext.java new file mode 100644 index 00000000..67b61612 --- /dev/null +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/EnrollmentContext.java @@ -0,0 +1,129 @@ +/* + * Copyright (c) 2022 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.configuration; + +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import java.security.KeyPair; +import java.security.cert.X509Certificate; +import java.util.List; +import org.bouncycastle.asn1.cmp.PKIBody; + +/** + * enrollment specific configuration + * + */ +public interface EnrollmentContext { + + interface TemplateExtension { + /** + * Gets the extensions's object identifier. + * + * @return the object identifier as a String + */ + String getId(); + + /** + * Gets the extensions's DER-encoded value. Note, this is the bytes that are + * encoded as an OCTET STRING. It does not include the OCTET STRING tag and + * length. + * + * @return a copy of the extension's value, or {@code null} if no extension + * value is present. + */ + byte[] getValue(); + + /** + * Gets the extension's criticality setting. + * + * @return true if this is a critical extension. + */ + boolean isCritical(); + } + + /** + * key pair for the new certificate; is is used for signature-based POPO, and + * the corresponding public key is put in the certificate template. Is not + * required if message body type is 4(p10cr). + * + * @return key pair or null if central key generation should be + * requested + */ + KeyPair getCertificateKeypair(); + + /** + * p10cr CertificationRequest message body. Ignored if message body type is not + * 4(p10cr). + * + * @return the p10cr CertificationRequest message body or null. + */ + default byte[] getCertificationRequest() { + return null; + } + + /** + * provide VerificationContext used to validate the newly enrolled certificate + * and build the enrollment chain + * + * @return an VerificationContext related to the enrolled certificate + */ + VerificationContext getEnrollmentTrust(); + + /** + * initial enrollment message type 0(ir), 2(cr), 7(kur) or 4(p10cr) + * + * @return initial enrollment message body type + */ + default int getEnrollmentType() { + return PKIBody.TYPE_CERT_REQ; + } + + /** + * extensions to be added to the CRMF template. Ignored if message body type is + * 4(p10cr). + * + * @return list of extensions or null if extensions should taken + * from {@link #getOldCert()} or absent + */ + List getExtensions(); + + /** + * a KUR contains a id-regCtrl-oldCertID control holding issuer and serialNumber + * of the certificate to be updated. Here an old certificate can be provided. + * Ignored if message body type is 4(p10cr). + * + * @return certificate to be updated or null if the control + * id-regCtrl-oldCertID should'nt be used. + */ + X509Certificate getOldCert(); + + /** + * control implicit confirmation for enrolled certificates + * + * @return true, if end entity requests implicit confirmation + */ + boolean getRequestImplictConfirm(); + + /** + * subject to be inserted in the CRMF template or null if subject + * should taken from {@link #getOldCert()} or absent. Ignored if message body + * type is 4(p10cr). + * + * @return the subject or null + */ + String getSubject(); +} diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/RevocationContext.java b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/RevocationContext.java new file mode 100644 index 00000000..17f7f023 --- /dev/null +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/RevocationContext.java @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2022 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.configuration; + +import java.math.BigInteger; +import java.security.cert.CRLReason; + +/** + * revocation specific configuration + * + */ +public interface RevocationContext { + /** + * get issuer of certificate to revoke + * + * @return issuer of certificate to revoke + */ + String getIssuer(); + + /** + * get revocation reason to use + * @return revocation reason + */ + default int getRevocationReason() { + return CRLReason.UNSPECIFIED.ordinal(); + } + + /** + * get serial number of certificate to revoke + * + * @return serial number of certificate to revoke + */ + BigInteger getSerialNumber(); +} diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/package-info.java b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/package-info.java new file mode 100644 index 00000000..55eef6cb --- /dev/null +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/package-info.java @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2022 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +/** + * interfaces related to configuration + */ +package com.siemens.pki.cmpclientcomponent.configuration; diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java new file mode 100644 index 00000000..281225ba --- /dev/null +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java @@ -0,0 +1,377 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.main; + +import static com.siemens.pki.cmpracomponent.util.NullUtil.ifNotNull; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.cryptoservices.CertUtility; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent.UpstreamExchange; +import com.siemens.pki.cmpracomponent.msggeneration.HeaderProvider; +import com.siemens.pki.cmpracomponent.msggeneration.PkiMessageGenerator; +import com.siemens.pki.cmpracomponent.msgvalidation.BaseCmpException; +import com.siemens.pki.cmpracomponent.msgvalidation.CmpValidationException; +import com.siemens.pki.cmpracomponent.msgvalidation.MessageBodyValidator; +import com.siemens.pki.cmpracomponent.msgvalidation.MessageHeaderValidator; +import com.siemens.pki.cmpracomponent.msgvalidation.ProtectionValidator; +import com.siemens.pki.cmpracomponent.msgvalidation.ValidatorIF; +import com.siemens.pki.cmpracomponent.protection.ProtectionProvider; +import com.siemens.pki.cmpracomponent.protection.ProtectionProviderFactory; +import com.siemens.pki.cmpracomponent.util.FileTracer; +import com.siemens.pki.cmpracomponent.util.MessageDumper; +import java.security.GeneralSecurityException; +import java.util.ArrayList; +import java.util.Objects; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.DERUTF8String; +import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers; +import org.bouncycastle.asn1.cmp.CertRepMessage; +import org.bouncycastle.asn1.cmp.ErrorMsgContent; +import org.bouncycastle.asn1.cmp.InfoTypeAndValue; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.cmp.PKIFailureInfo; +import org.bouncycastle.asn1.cmp.PKIHeader; +import org.bouncycastle.asn1.cmp.PKIMessage; +import org.bouncycastle.asn1.cmp.PKIMessages; +import org.bouncycastle.asn1.cmp.PKIStatus; +import org.bouncycastle.asn1.cmp.PollRepContent; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.GeneralName; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * + * low level client request functions + * + */ +class ClientRequestHandler { + + class ValidatorAndProtector { + + private final ProtectionProvider outputProtection; + + private final ProtectionValidator protectionValidator; + + private final MessageHeaderValidator headerValidator; + + private final ValidatorIF bodyValidator; + + private final VerificationContext inputVerification; + + public ValidatorAndProtector(NestedEndpointContext nestedEndpoint) throws GeneralSecurityException { + this( + NESTED_INTERFACE_NAME, + nestedEndpoint.getInputVerification(), + nestedEndpoint.getOutputCredentials(), + null); + } + + private ValidatorAndProtector(String certProfile, final CmpMessageInterface upstreamConfiguration) + throws GeneralSecurityException { + this( + INTERFACE_NAME, + upstreamConfiguration.getInputVerification(), + upstreamConfiguration.getOutputCredentials(), + upstreamConfiguration); + } + + private ValidatorAndProtector( + String intefaceName, + VerificationContext inputVerification, + CredentialContext outputCredentials, + CmpMessageInterface upstreamConfiguration) + throws GeneralSecurityException { + headerValidator = new MessageHeaderValidator(intefaceName); + outputProtection = ProtectionProviderFactory.createProtectionProvider(outputCredentials); + this.inputVerification = inputVerification; + protectionValidator = new ProtectionValidator(intefaceName, inputVerification); + if (upstreamConfiguration != null) { + bodyValidator = + new MessageBodyValidator(intefaceName, (x, y) -> false, upstreamConfiguration, certProfile); + } else { + bodyValidator = DUMMY_VALIDATOR; + } + } + + public VerificationContext getInputVerification() { + return inputVerification; + } + + public ProtectionProvider getOutputProtection() { + return outputProtection; + } + + private void validateResponse(final PKIMessage response) throws BaseCmpException { + headerValidator.validate(response); + protectionValidator.validate(response); + + bodyValidator.validate(response); + } + } + + private static final ValidatorIF DUMMY_VALIDATOR = messageToValidate -> null; + + private static final int DEFAULT_PVNO = PKIHeader.CMP_2000; + + private static final String INTERFACE_NAME = "ClientUpstream"; + + public static final String NESTED_INTERFACE_NAME = "nested " + INTERFACE_NAME; + + /** The usual Logger. */ + private static final Logger LOGGER = LoggerFactory.getLogger(ClientRequestHandler.class); + + private final ValidatorAndProtector validatorAndProtector; + + private final UpstreamExchange upstreamExchange; + + private final GeneralName recipient; + + private final String certProfile; + + private final ValidatorAndProtector nestedValidatorAndProtector; + + /** + * @param certProfile certificate profile to be used for enrollment. + * null if no certificate profile + * should be used. + * + * @param upstreamExchange the {@link UpstreamExchange} interface + * implemented by the wrapping application. + * + * @param upstreamConfiguration configuration for the upstream CMP interface + * towards the CA + * + * @param clientContext client specific configuration + * @throws GeneralSecurityException + */ + ClientRequestHandler( + String certProfile, + final UpstreamExchange upstreamExchange, + final CmpMessageInterface upstreamConfiguration, + final ClientContext clientContext) + throws GeneralSecurityException { + this.upstreamExchange = upstreamExchange; + recipient = ifNotNull(clientContext.getRecipient(), r -> new GeneralName(new X500Name(r))); + this.certProfile = certProfile; + validatorAndProtector = new ValidatorAndProtector(certProfile, upstreamConfiguration); + nestedValidatorAndProtector = + ifNotNull(upstreamConfiguration.getNestedEndpointContext(), ValidatorAndProtector::new); + } + + PKIMessage buildFurtherRequest(final PKIMessage formerResponse, final PKIBody requestBody) throws Exception { + final PKIHeader formerResponseHeader = formerResponse.getHeader(); + return buildRequest( + requestBody, + formerResponseHeader.getTransactionID(), + formerResponseHeader.getSenderNonce(), + formerResponseHeader.getPvno().intValueExact(), + false); + } + + PKIMessage buildInitialRequest(final PKIBody requestBody, final boolean withImplicitConfirm) throws Exception { + return buildInitialRequest(requestBody, withImplicitConfirm, DEFAULT_PVNO); + } + + PKIMessage buildInitialRequest(final PKIBody requestBody, final boolean withImplicitConfirm, final int pvno) + throws Exception { + return buildRequest( + requestBody, new DEROctetString(CertUtility.generateRandomBytes(16)), null, pvno, withImplicitConfirm); + } + + private PKIMessage buildRequest( + final PKIBody body, + final ASN1OctetString transactionId, + final ASN1OctetString recipNonce, + final int pvno, + final boolean withImplicitConfirm) + throws Exception { + final HeaderProvider headerProvider = new HeaderProvider() { + final ASN1OctetString senderNonce = new DEROctetString(CertUtility.generateRandomBytes(16)); + + @Override + public InfoTypeAndValue[] getGeneralInfo() { + if (certProfile == null && !withImplicitConfirm) { + return null; + } + final ArrayList genList = new ArrayList<>(2); + if (certProfile != null) { + genList.add(new InfoTypeAndValue( + CMPObjectIdentifiers.id_it_certProfile, new DERSequence(new DERUTF8String(certProfile)))); + } + if (withImplicitConfirm) { + genList.add(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm, DERNull.INSTANCE)); + } + return genList.toArray(new InfoTypeAndValue[0]); + } + + @Override + public int getPvno() { + return pvno; + } + + @Override + public GeneralName getRecipient() { + return recipient; + } + + @Override + public ASN1OctetString getRecipNonce() { + return recipNonce; + } + + @Override + public GeneralName getSender() { + return null; + } + + @Override + public ASN1OctetString getSenderNonce() { + return senderNonce; + } + + @Override + public ASN1OctetString getTransactionID() { + return transactionId; + } + }; + return PkiMessageGenerator.generateAndProtectMessage( + headerProvider, validatorAndProtector.getOutputProtection(), body); + } + + public VerificationContext getInputVerification() { + return validatorAndProtector.getInputVerification(); + } + + public ProtectionProvider getOutputProtection() { + return validatorAndProtector.getOutputProtection(); + } + + private boolean isWaitingIndication(final PKIBody responseBody) { + try { + switch (responseBody.getType()) { + case PKIBody.TYPE_ERROR: + final ErrorMsgContent errorContent = (ErrorMsgContent) responseBody.getContent(); + return errorContent.getPKIStatusInfo().getStatus().intValue() == PKIStatus.WAITING; + case PKIBody.TYPE_INIT_REP: + case PKIBody.TYPE_CERT_REP: + case PKIBody.TYPE_KEY_UPDATE_REP: + final CertRepMessage certRepMessageContent = (CertRepMessage) responseBody.getContent(); + return certRepMessageContent + .getResponse()[0] + .getStatus() + .getStatus() + .intValue() + == PKIStatus.WAITING; + default: + return false; + } + } catch (final Exception ex) { + // not decodable as waiting indication + return false; + } + } + + PKIBody sendReceiveInitialBody(final PKIBody body) throws Exception { + return sendReceiveValidateMessage(buildInitialRequest(body, false), body.getType()) + .getBody(); + } + + PKIBody sendReceiveInitialBody(final PKIBody body, final boolean withImplicitConfirm, final int firstRequestType) + throws Exception { + return sendReceiveValidateMessage(buildInitialRequest(body, withImplicitConfirm), firstRequestType) + .getBody(); + } + + PKIMessage sendReceiveValidateMessage(PKIMessage request, final int firstRequestType) throws Exception { + if (nestedValidatorAndProtector != null) { + request = PkiMessageGenerator.generateAndProtectMessage( + PkiMessageGenerator.buildForwardingHeaderProvider(request), + nestedValidatorAndProtector.getOutputProtection(), + new PKIBody(PKIBody.TYPE_NESTED, new PKIMessages(request))); + } + FileTracer.logMessage(request, INTERFACE_NAME); + byte[] rawresponse = upstreamExchange.sendReceiveMessage(request.getEncoded(), certProfile, firstRequestType); + if (rawresponse == null) { + return null; + } + PKIMessage response = PKIMessage.getInstance(rawresponse); + FileTracer.logMessage(response, INTERFACE_NAME); + if (LOGGER.isTraceEnabled()) { + LOGGER.trace("client received:\n" + MessageDumper.dumpPkiMessage(response)); + } + if (response.getBody().getType() == PKIBody.TYPE_NESTED && nestedValidatorAndProtector != null) { + nestedValidatorAndProtector.validateResponse(response); + response = PKIMessages.getInstance(response.getBody().getContent()).toPKIMessageArray()[0]; + } + validatorAndProtector.validateResponse(response); + final PKIHeader requestHeader = request.getHeader(); + final ASN1OctetString firstRequestSenderNonce = requestHeader.getSenderNonce(); + final PKIHeader responseHeader = response.getHeader(); + if (!Objects.equals(firstRequestSenderNonce, responseHeader.getRecipNonce())) { + throw new CmpValidationException( + INTERFACE_NAME, PKIFailureInfo.badRecipientNonce, "nonce mismatch on upstream"); + } + if (!Objects.equals(requestHeader.getTransactionID(), responseHeader.getTransactionID())) { + throw new CmpValidationException( + INTERFACE_NAME, PKIFailureInfo.badMessageCheck, "transactionId mismatch on upstream"); + } + if (!isWaitingIndication(response.getBody())) { + // no delayed delivery + return response; + } + for (; ; ) { + // do polling + final PKIMessage pollReq = buildFurtherRequest(response, PkiMessageGenerator.generatePollReq()); + FileTracer.logMessage(pollReq, INTERFACE_NAME); + rawresponse = upstreamExchange.sendReceiveMessage(pollReq.getEncoded(), certProfile, firstRequestType); + if (rawresponse == null) { + return null; + } + response = PKIMessage.getInstance(rawresponse); + FileTracer.logMessage(response, INTERFACE_NAME); + validatorAndProtector.validateResponse(response); + final PKIBody responseBody = response.getBody(); + final ASN1OctetString pollSenderNonce = pollReq.getHeader().getSenderNonce(); + final ASN1OctetString pollRecipNonce = response.getHeader().getRecipNonce(); + if (responseBody.getType() != PKIBody.TYPE_POLL_REP) { + if (!Objects.equals(firstRequestSenderNonce, pollRecipNonce) + && !Objects.equals(pollSenderNonce, pollRecipNonce)) { + throw new CmpValidationException( + INTERFACE_NAME, PKIFailureInfo.badRecipientNonce, "nonce mismatch on upstream"); + } + return response; + } + if (!Objects.equals(pollSenderNonce, pollRecipNonce)) { + throw new CmpValidationException( + INTERFACE_NAME, PKIFailureInfo.badRecipientNonce, "nonce mismatch on upstream"); + } + final int checkAfterTime = ((PollRepContent) responseBody.getContent()) + .getCheckAfter(0) + .intPositiveValueExact(); + Thread.sleep(checkAfterTime * 1000L); + } + } +} diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java new file mode 100644 index 00000000..288b3d69 --- /dev/null +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java @@ -0,0 +1,616 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.main; + +import static com.siemens.pki.cmpracomponent.util.NullUtil.ifNotNull; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.CrlUpdateRetrievalHandler; +import com.siemens.pki.cmpracomponent.configuration.GetCaCertificatesHandler; +import com.siemens.pki.cmpracomponent.configuration.GetCertificateRequestTemplateHandler; +import com.siemens.pki.cmpracomponent.configuration.GetRootCaCertificateUpdateHandler; +import com.siemens.pki.cmpracomponent.cryptoservices.AlgorithmHelper; +import com.siemens.pki.cmpracomponent.cryptoservices.CertUtility; +import com.siemens.pki.cmpracomponent.cryptoservices.CmsDecryptor; +import com.siemens.pki.cmpracomponent.cryptoservices.DataSignVerifier; +import com.siemens.pki.cmpracomponent.cryptoservices.TrustCredentialAdapter; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent.UpstreamExchange; +import com.siemens.pki.cmpracomponent.msggeneration.PkiMessageGenerator; +import com.siemens.pki.cmpracomponent.protection.MacProtection; +import com.siemens.pki.cmpracomponent.protection.ProtectionProvider; +import com.siemens.pki.cmpracomponent.protection.SignatureBasedProtection; +import com.siemens.pki.cmpracomponent.util.MessageDumper; +import com.siemens.pki.cmpracomponent.util.NullUtil; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.KeyPair; +import java.security.PrivateKey; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.Date; +import java.util.List; +import java.util.stream.Stream; +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.cmp.CMPCertificate; +import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers; +import org.bouncycastle.asn1.cmp.CRLSource; +import org.bouncycastle.asn1.cmp.CRLStatus; +import org.bouncycastle.asn1.cmp.CertRepMessage; +import org.bouncycastle.asn1.cmp.CertReqTemplateContent; +import org.bouncycastle.asn1.cmp.CertResponse; +import org.bouncycastle.asn1.cmp.CertifiedKeyPair; +import org.bouncycastle.asn1.cmp.GenMsgContent; +import org.bouncycastle.asn1.cmp.GenRepContent; +import org.bouncycastle.asn1.cmp.InfoTypeAndValue; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.cmp.PKIHeader; +import org.bouncycastle.asn1.cmp.PKIMessage; +import org.bouncycastle.asn1.cmp.PKIStatus; +import org.bouncycastle.asn1.cmp.RevRepContent; +import org.bouncycastle.asn1.cmp.RootCaKeyUpdateContent; +import org.bouncycastle.asn1.cms.EnvelopedData; +import org.bouncycastle.asn1.crmf.AttributeTypeAndValue; +import org.bouncycastle.asn1.crmf.CertId; +import org.bouncycastle.asn1.crmf.CertTemplateBuilder; +import org.bouncycastle.asn1.crmf.Controls; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.DistributionPointName; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.Extensions; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x509.Time; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * a CMP client implementation + * + */ +public class CmpClient + implements CrlUpdateRetrievalHandler, + GetCaCertificatesHandler, + GetCertificateRequestTemplateHandler, + GetRootCaCertificateUpdateHandler { + /** + * result of an enrollment transaction + * + */ + public interface EnrollmentResult { + /** + * get enrolled certificate + * + * @return the enrolled certificate + */ + X509Certificate getEnrolledCertificate(); + + /** + * get certificate chain (1st intermediate certificate up to root certificate) + * of the enrolled certificate + * + * @return the certificate chain of the enrolled certificate + */ + List getEnrollmentChain(); + + /** + * get private key related to the enrolled certificate + * + * @return the private key related to the enrolled certificate + */ + PrivateKey getPrivateKey(); + } + + private static final Logger LOGGER = LoggerFactory.getLogger(CmpClient.class); + + private final ClientRequestHandler requestHandler; + + private final ClientContext clientContext; + + /** + * @param certProfile certificate profile to be used for enrollment. + * null if no certificate profile + * should be used. + * + * @param upstreamExchange the {@link UpstreamExchange} interface + * implemented by the wrapping application. + * + * @param upstreamConfiguration configuration for the upstream CMP interface + * towards the CA + * + * @param clientContext client specific configuration + * @throws GeneralSecurityException in case of error + */ + public CmpClient( + String certProfile, + final UpstreamExchange upstreamExchange, + final CmpMessageInterface upstreamConfiguration, + final ClientContext clientContext) + throws GeneralSecurityException { + requestHandler = new ClientRequestHandler(certProfile, upstreamExchange, upstreamConfiguration, clientContext); + this.clientContext = clientContext; + } + + private ArrayList fetchCaCertificatesFromValue(final ASN1Encodable infoValue) { + if (infoValue == null) { + return null; + } + final ASN1Sequence certificates = ASN1Sequence.getInstance(infoValue); + final ArrayList ret = new ArrayList<>(certificates.size()); + certificates.forEach(x -> { + try { + ret.add(CertUtility.asX509Certificate(x.toASN1Primitive().getEncoded())); + } catch (CertificateException | IOException e) { + throw new RuntimeException("error decoding certificate", e); + } + }); + return ret; + } + + private Extension fetchSubjectAlternativeName(final X509Certificate cert) { + final Stream criticalOids = + NullUtil.defaultIfNull(cert.getCriticalExtensionOIDs(), Collections.emptySet()).stream() + .map(oid -> new Extension(new ASN1ObjectIdentifier(oid), true, cert.getExtensionValue(oid))); + final Stream nonCriticalOids = + NullUtil.defaultIfNull(cert.getNonCriticalExtensionOIDs(), Collections.emptySet()).stream() + .map(oid -> new Extension(new ASN1ObjectIdentifier(oid), false, cert.getExtensionValue(oid))); + final Extension[] ret = Stream.concat(criticalOids, nonCriticalOids) + .filter(x -> x.getExtnId().equals(Extension.subjectAlternativeName)) + .toArray(Extension[]::new); + return ret.length > 0 ? ret[0] : null; + } + + /** + * invoke a Get CA certificates GENM request {@inheritDoc} + */ + @Override + public List getCaCertificates() { + final PKIBody requestBody = new PKIBody( + PKIBody.TYPE_GEN_MSG, new GenMsgContent(new InfoTypeAndValue(CMPObjectIdentifiers.id_it_caCerts))); + try { + final PKIBody responseBody = requestHandler.sendReceiveInitialBody(requestBody); + if (responseBody.getType() == PKIBody.TYPE_GEN_REP) { + final GenRepContent content = (GenRepContent) responseBody.getContent(); + final InfoTypeAndValue[] itav = content.toInfoTypeAndValueArray(); + if (itav != null) { + for (final InfoTypeAndValue aktitav : itav) { + if (CMPObjectIdentifiers.id_it_caCerts.equals(aktitav.getInfoType())) { + return fetchCaCertificatesFromValue(aktitav.getInfoValue()); + } + } + } + } + logUnexpectedResponse(requestBody); + } catch (final Exception e) { + throw new RuntimeException("error processing getCaCertificates", e); + } + return null; + } + + /** + * invoke a Get certificate request template GENM request {@inheritDoc} + */ + @Override + public byte[] getCertificateRequestTemplate() { + final PKIBody requestBody = new PKIBody( + PKIBody.TYPE_GEN_MSG, + new GenMsgContent(new InfoTypeAndValue(CMPObjectIdentifiers.id_it_certReqTemplate))); + try { + final PKIBody responseBody = requestHandler.sendReceiveInitialBody(requestBody); + if (responseBody.getType() == PKIBody.TYPE_GEN_REP) { + final GenRepContent content = (GenRepContent) responseBody.getContent(); + final InfoTypeAndValue[] itav = content.toInfoTypeAndValueArray(); + if (itav != null) { + for (final InfoTypeAndValue aktitav : itav) { + if (CMPObjectIdentifiers.id_it_certReqTemplate.equals(aktitav.getInfoType())) { + final ASN1Encodable infoValue = aktitav.getInfoValue(); + if (infoValue == null) { + return null; + } + return CertReqTemplateContent.getInstance(infoValue).getEncoded(); + } + } + } + } + logUnexpectedResponse(responseBody); + } catch (final Exception e) { + throw new RuntimeException("error processing getCertificateRequestTemplate", e); + } + return null; + } + + @Override + public List getCrls( + final String[] dpnFullName, + final String dpnNameRelativeToCRLIssuer, + final String[] issuer, + final Date thisUpdate) { + + if (dpnFullName != null && dpnNameRelativeToCRLIssuer != null) { + throw new IllegalArgumentException("only dpnFullName OR dpnNameRelativeToCRLIssuer is allowed"); + } + + DistributionPointName dpn = null; + if (dpnFullName != null) { + dpn = new DistributionPointName(new GeneralNames(Arrays.stream(dpnFullName) + .map(X500Name::new) + .map(GeneralName::new) + .toArray(GeneralName[]::new))); + } else if (dpnNameRelativeToCRLIssuer != null) { + dpn = new DistributionPointName( + DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER, + new X500Name(dpnNameRelativeToCRLIssuer).getRDNs()[0]); + } + + final GeneralNames issuers = ifNotNull( + issuer, + x -> new GeneralNames(Arrays.stream(x) + .map(X500Name::new) + .map(GeneralName::new) + .toArray(GeneralName[]::new))); + + final CRLStatus crlStatus = new CRLStatus(new CRLSource(dpn, issuers), ifNotNull(thisUpdate, Time::new)); + + final PKIBody requestBody = new PKIBody( + PKIBody.TYPE_GEN_MSG, + new GenMsgContent( + new InfoTypeAndValue(CMPObjectIdentifiers.id_it_crlStatusList, new DERSequence(crlStatus)))); + try { + final PKIBody responseBody = requestHandler.sendReceiveInitialBody(requestBody); + if (responseBody.getType() == PKIBody.TYPE_GEN_REP) { + final GenRepContent content = (GenRepContent) responseBody.getContent(); + final InfoTypeAndValue[] itav = content.toInfoTypeAndValueArray(); + if (itav != null) { + for (final InfoTypeAndValue aktitav : itav) { + if (CMPObjectIdentifiers.id_it_crls.equals(aktitav.getInfoType())) { + final ASN1Encodable infoValue = aktitav.getInfoValue(); + if (infoValue == null) { + return null; + } + final CertificateFactory certificateFactory = CertUtility.getCertificateFactory(); + final ASN1Sequence crls = ASN1Sequence.getInstance(infoValue); + final List ret = new ArrayList<>(crls.size()); + for (final ASN1Encodable aktCrl : crls) { + ret.add((X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream( + aktCrl.toASN1Primitive().getEncoded()))); + } + return ret; + } + } + } + } + logUnexpectedResponse(responseBody); + } catch (final Exception e) { + throw new RuntimeException("error processing getCertificateRequestTemplate", e); + } + return null; + } + + /** + * invoke a Get root CA certificate update GENM request {@inheritDoc} + */ + @Override + public RootCaCertificateUpdateResponse getRootCaCertificateUpdate(final X509Certificate oldRootCaCertificate) { + + try { + final PKIBody requestBody = new PKIBody( + PKIBody.TYPE_GEN_MSG, + new GenMsgContent(new InfoTypeAndValue( + CMPObjectIdentifiers.id_it_rootCaCert, + ifNotNull(oldRootCaCertificate, cert -> CMPCertificate.getInstance(cert.getEncoded()))))); + final PKIBody responseBody = requestHandler.sendReceiveInitialBody(requestBody); + if (responseBody.getType() == PKIBody.TYPE_GEN_REP) { + final GenRepContent content = (GenRepContent) responseBody.getContent(); + final InfoTypeAndValue[] itav = content.toInfoTypeAndValueArray(); + if (itav != null) { + for (final InfoTypeAndValue aktitav : itav) { + if (CMPObjectIdentifiers.id_it_rootCaKeyUpdate.equals(aktitav.getInfoType())) { + final ASN1Encodable infoValue = aktitav.getInfoValue(); + if (infoValue == null) { + return null; + } + final RootCaKeyUpdateContent ret = RootCaKeyUpdateContent.getInstance(infoValue); + + return new RootCaCertificateUpdateResponse() { + + @Override + public X509Certificate getNewWithNew() { + try { + return ifNotNull(ret.getNewWithNew(), CertUtility::asX509Certificate); + } catch (final CertificateException e) { + throw new RuntimeException(e); + } + } + + @Override + public X509Certificate getNewWithOld() { + try { + return ifNotNull(ret.getNewWithOld(), CertUtility::asX509Certificate); + } catch (final CertificateException e) { + throw new RuntimeException(e); + } + } + + @Override + public X509Certificate getOldWithNew() { + try { + return ifNotNull(ret.getOldWithNew(), CertUtility::asX509Certificate); + } catch (final CertificateException e) { + throw new RuntimeException(e); + } + } + }; + } + } + } + } + logUnexpectedResponse(responseBody); + } catch (final Exception e) { + throw new RuntimeException("error processing getCertificateRequestTemplate", e); + } + return null; + } + + private boolean grantsImplicitConfirm(final PKIMessage msg) { + final InfoTypeAndValue[] generalInfo = msg.getHeader().getGeneralInfo(); + if (generalInfo == null) { + return false; + } + for (final InfoTypeAndValue aktGenInfo : generalInfo) { + if (aktGenInfo.getInfoType().equals(CMPObjectIdentifiers.it_implicitConfirm)) { + return true; + } + } + return false; + } + + /** + * invoke a IR or CR enrollment transaction + * + * @return result of successful enrollment transaction or null + */ + public EnrollmentResult invokeEnrollment() { + + try { + final EnrollmentContext enrollmentContext = clientContext.getEnrollmentContext(); + final KeyPair certificateKeypair = enrollmentContext.getCertificateKeypair(); + + PrivateKey enrolledPrivateKey = null; + SubjectPublicKeyInfo enrolledPublicKeyInfo = null; + if (certificateKeypair != null) { + enrolledPrivateKey = certificateKeypair.getPrivate(); + enrolledPublicKeyInfo = SubjectPublicKeyInfo.getInstance( + certificateKeypair.getPublic().getEncoded()); + } + PKIBody requestBody; + int pvno; + final int enrollmentType = enrollmentContext.getEnrollmentType(); + switch (enrollmentType) { + case PKIBody.TYPE_P10_CERT_REQ: { + final PKCS10CertificationRequest p10Request = + new PKCS10CertificationRequest(enrollmentContext.getCertificationRequest()); + enrolledPublicKeyInfo = p10Request.getSubjectPublicKeyInfo(); + requestBody = new PKIBody(PKIBody.TYPE_P10_CERT_REQ, p10Request.toASN1Structure()); + pvno = PKIHeader.CMP_2000; + break; + } + case PKIBody.TYPE_KEY_UPDATE_REQ: { + final X509Certificate oldCert = enrollmentContext.getOldCert(); + if (oldCert == null) { + LOGGER.error("oldCertificate for EnrollmentType 7(kur) reqired"); + return null; + } + final CertTemplateBuilder ctb = new CertTemplateBuilder() + .setSubject(new X500Name(oldCert.getSubjectDN().getName())) + .setPublicKey(enrolledPublicKeyInfo); + final Extension sanExtension = fetchSubjectAlternativeName(oldCert); + if (sanExtension != null) { + ctb.setExtensions(new Extensions(sanExtension)); + } + final Controls controls = new Controls(new AttributeTypeAndValue( + CMPObjectIdentifiers.regCtrl_oldCertID, + new CertId( + new GeneralName(new X500Name( + oldCert.getIssuerX500Principal().getName())), + oldCert.getSerialNumber()))); + requestBody = PkiMessageGenerator.generateIrCrKurBody( + enrollmentType, ctb.build(), controls, enrolledPrivateKey); + pvno = enrolledPrivateKey == null ? PKIHeader.CMP_2021 : PKIHeader.CMP_2000; + break; + } + case PKIBody.TYPE_CERT_REQ: + case PKIBody.TYPE_INIT_REQ: { + final String subject = enrollmentContext.getSubject(); + ifNotNull(enrollmentContext.getExtensions(), exts -> exts.stream() + .map(ext -> new Extension( + new ASN1ObjectIdentifier(ext.getId()), ext.isCritical(), ext.getValue())) + .toArray(Extension[]::new)); + final CertTemplateBuilder ctb = new CertTemplateBuilder() + .setSubject(ifNotNull(subject, X500Name::new)) + .setPublicKey(enrolledPublicKeyInfo); + requestBody = PkiMessageGenerator.generateIrCrKurBody( + enrollmentType, ctb.build(), null, enrolledPrivateKey); + pvno = enrolledPrivateKey == null ? PKIHeader.CMP_2021 : PKIHeader.CMP_2000; + break; + } + default: + LOGGER.error("EnrollmentType must be 0(ir), 2(cr), 7(kur) or 4(p10cr)"); + return null; + } + final PKIMessage responseMessage = requestHandler.sendReceiveValidateMessage( + requestHandler.buildInitialRequest(requestBody, enrollmentContext.getRequestImplictConfirm(), pvno), + enrollmentType); + final PKIBody responseBody = responseMessage.getBody(); + final int responseMessageType = responseBody.getType(); + if (enrollmentType == PKIBody.TYPE_P10_CERT_REQ) { + if (responseMessageType != PKIBody.TYPE_CERT_REP) { + logUnexpectedResponse(responseBody); + return null; + } + } else if (responseMessageType != requestBody.getType() + 1) { + logUnexpectedResponse(responseBody); + return null; + } + + final CertRepMessage certRepMessage = (CertRepMessage) responseBody.getContent(); + final CertResponse certResponse = certRepMessage.getResponse()[0]; + + final int status = certResponse.getStatus().getStatus().intValue(); + if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) { + logUnexpectedResponse(responseBody); + return null; + } + final CertifiedKeyPair certifiedKeyPair = certResponse.getCertifiedKeyPair(); + final CMPCertificate enrolledCertificate = + certifiedKeyPair.getCertOrEncCert().getCertificate(); + + if (enrollmentType != PKIBody.TYPE_P10_CERT_REQ && enrolledPrivateKey == null) { + // central key generation in place, decrypt private key + CmsDecryptor decryptor = null; + final ProtectionProvider outputProtection = requestHandler.getOutputProtection(); + if (outputProtection instanceof SignatureBasedProtection) { + final SignatureBasedProtection sigProtector = (SignatureBasedProtection) outputProtection; + decryptor = new CmsDecryptor(sigProtector.getEndCertificate(), sigProtector.getPrivateKey(), null); + } else if (outputProtection instanceof MacProtection) { + final MacProtection macProtector = (MacProtection) outputProtection; + decryptor = new CmsDecryptor( + null, null, AlgorithmHelper.convertSharedSecretToPassword(macProtector.getSharedSecret())); + } else { + LOGGER.error("wrong or missing local credentials, no key decryption possible"); + return null; + } + final DataSignVerifier verifier = new DataSignVerifier(requestHandler.getInputVerification()); + final byte[] decryptedKey = decryptor.decrypt(EnvelopedData.getInstance( + certifiedKeyPair.getPrivateKey().getValue())); + enrolledPrivateKey = verifier.verifySignedKey(decryptedKey); + if (enrolledPrivateKey == null) { + LOGGER.error("could not verify private key"); + return null; + } + } else if (!enrolledCertificate + .getX509v3PKCert() + .getTBSCertificate() + .getSubjectPublicKeyInfo() + .equals(enrolledPublicKeyInfo)) { + LOGGER.error("wrong public key in enrolled cerificate"); + return null; + } + + final X509Certificate enrolledCertAsX509 = CertUtility.asX509Certificate(enrolledCertificate); + final List enrollmentChain; + if (enrollmentContext.getEnrollmentTrust() != null) { + try { + final List validationResult = new TrustCredentialAdapter( + enrollmentContext.getEnrollmentTrust()) + .validateCertAgainstTrust( + enrolledCertAsX509, + CertUtility.asX509Certificates(responseMessage.getExtraCerts())); + if (validationResult == null) { + LOGGER.error("error building enrollment chain"); + return null; + } + enrollmentChain = new ArrayList<>(validationResult.size()); + enrollmentChain.addAll(validationResult); + } catch (final CertificateException e) { + LOGGER.error("error building enrollment chain", e); + return null; + } + } else { + enrollmentChain = null; + } + if (!grantsImplicitConfirm(responseMessage) || !enrollmentContext.getRequestImplictConfirm()) { + final PKIMessage certConf = requestHandler.buildFurtherRequest( + responseMessage, PkiMessageGenerator.generateCertConfBody(enrolledCertificate)); + final PKIMessage pkiConf = requestHandler.sendReceiveValidateMessage(certConf, enrollmentType); + final PKIBody pkiConfBody = pkiConf.getBody(); + if (pkiConfBody.getType() != PKIBody.TYPE_CONFIRM) { + logUnexpectedResponse(pkiConfBody); + return null; + } + } + + final PrivateKey returnedPrivateKey = enrolledPrivateKey; + + return new EnrollmentResult() { + + @Override + public X509Certificate getEnrolledCertificate() { + return enrolledCertAsX509; + } + + @Override + public List getEnrollmentChain() { + return enrollmentChain; + } + + @Override + public PrivateKey getPrivateKey() { + return returnedPrivateKey; + } + }; + + } catch (final Exception e) { + throw new RuntimeException("error processing invokeEnrollment", e); + } + } + + /** + * invoke a revocation transaction + * + * @return true on success, false on failure + */ + public boolean invokeRevocation() { + final RevocationContext revocationContext = clientContext.getRevocationContext(); + try { + final PKIBody rrBody = PkiMessageGenerator.generateRrBody( + new X500Name(revocationContext.getIssuer()), + new ASN1Integer(revocationContext.getSerialNumber()), + revocationContext.getRevocationReason()); + final PKIBody responseBody = requestHandler.sendReceiveInitialBody(rrBody); + if (responseBody.getType() == PKIBody.TYPE_REVOCATION_REP) { + final RevRepContent revRepContent = (RevRepContent) responseBody.getContent(); + return revRepContent.getStatus()[0].getStatus().intValue() == PKIStatus.GRANTED; + } + logUnexpectedResponse(responseBody); + } catch (final Exception e) { + throw new RuntimeException("error processing invokeRevocation", e); + } + return false; + } + + private void logUnexpectedResponse(final PKIBody body) { + LOGGER.warn("got unexpected response: " + MessageDumper.msgTypeAsString(body.getType())); + if (LOGGER.isTraceEnabled()) { + LOGGER.trace("message body: \n" + MessageDumper.dumpAsn1Object(body)); + } + } +} diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/package-info.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/package-info.java new file mode 100644 index 00000000..4851e800 --- /dev/null +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/main/package-info.java @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2022 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +/** + * the top level CMP end entity entry functions + */ +package com.siemens.pki.cmpclientcomponent.main; diff --git a/src/main/java/com/siemens/pki/cmpracomponent/configuration/CmpMessageInterface.java b/src/main/java/com/siemens/pki/cmpracomponent/configuration/CmpMessageInterface.java index 95538b69..89832789 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/configuration/CmpMessageInterface.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/configuration/CmpMessageInterface.java @@ -32,7 +32,7 @@ public interface CmpMessageInterface { VerificationContext getInputVerification(); /** - * configuration if adding protection by uses of nested messages should be + * configuration if adding protection by use of nested messages should be * supported * * @return a NestedEndpointContext or null if no additional diff --git a/src/main/java/com/siemens/pki/cmpracomponent/configuration/GetCaCertificatesHandler.java b/src/main/java/com/siemens/pki/cmpracomponent/configuration/GetCaCertificatesHandler.java index 4cedb271..1906f389 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/configuration/GetCaCertificatesHandler.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/configuration/GetCaCertificatesHandler.java @@ -21,7 +21,7 @@ import java.util.List; /** - * support message handler supporting Get CA certificates genm requests + * support message handler supporting Get CA certificates GENM requests */ public interface GetCaCertificatesHandler extends SupportMessageHandlerInterface { diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CertUtility.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CertUtility.java index 7ece2a63..817789ae 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CertUtility.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CertUtility.java @@ -51,9 +51,6 @@ public class CertUtility { private static Provider BOUNCY_CASTLE_PROVIDER; private static CertificateFactory certificateFactory; - // utility class - private CertUtility() {} - /** * conversion function from X509 certificate to CMPCertificate * @@ -174,6 +171,21 @@ public static Provider getBouncyCastleProvider() { return BOUNCY_CASTLE_PROVIDER; } + /** + * Function to retrieve the static certificate factory object + * + * @return static certificate factory object + * @throws CertificateException thrown if the certificate factory could not be + * instantiated + * @throws CertificateException in case of an error + */ + public static synchronized CertificateFactory getCertificateFactory() throws CertificateException { + if (certificateFactory == null) { + certificateFactory = CertificateFactory.getInstance("X.509", BOUNCY_CASTLE_PROVIDER); + } + return certificateFactory; + } + /** * Checks whether given X.509 certificate is intermediate certificate and not * self-signed. @@ -198,21 +210,6 @@ public static boolean isIntermediateCertificate(final X509Certificate cert) { } } - /** - * Function to retrieve the static certificate factory object - * - * @return static certificate factory object - * @throws CertificateException thrown if the certificate factory could not be - * instantiated - * @throws Exception in case of an error - */ - private static synchronized CertificateFactory getCertificateFactory() throws CertificateException { - if (certificateFactory == null) { - certificateFactory = CertificateFactory.getInstance("X.509", BOUNCY_CASTLE_PROVIDER); - } - return certificateFactory; - } - private static class BouncyCastleInitializer { private static synchronized Provider getInstance() { return Arrays.stream(Security.getProviders()) @@ -221,4 +218,6 @@ private static synchronized Provider getInstance() { .orElseGet(BouncyCastleProvider::new); } } + // utility class + private CertUtility() {} } diff --git a/src/main/java/com/siemens/pki/cmpracomponent/main/package-info.java b/src/main/java/com/siemens/pki/cmpracomponent/main/package-info.java index fc464fa2..e4a7e6af 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/main/package-info.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/main/package-info.java @@ -16,6 +16,6 @@ * SPDX-License-Identifier: Apache-2.0 */ /** - * the top level, main and configuration loader functions + * the top level RA instantiation functions */ package com.siemens.pki.cmpracomponent.main; diff --git a/src/main/java/com/siemens/pki/cmpracomponent/msggeneration/PkiMessageGenerator.java b/src/main/java/com/siemens/pki/cmpracomponent/msggeneration/PkiMessageGenerator.java index 3e1ee944..da6914a5 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/msggeneration/PkiMessageGenerator.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/msggeneration/PkiMessageGenerator.java @@ -508,10 +508,24 @@ public static PKIBody generateRrBody(final CMPCertificate certificate) throws IO * @throws IOException in case of ASN.1 processing errors */ public static PKIBody generateRrBody(final X500Name issuer, final ASN1Integer serialNumber) throws IOException { + return generateRrBody(issuer, serialNumber, 0); + } + + /** + * generate a RR body + * + * @param issuer issuer of certificate to revoke + * @param serialNumber serialNumber of certificate to revoke + * @param revocationReason the reason for this revocation + * @return generated RR body + * @throws IOException in case of ASN.1 processing errors + */ + public static PKIBody generateRrBody(final X500Name issuer, final ASN1Integer serialNumber, int revocationReason) + throws IOException { final CertTemplateBuilder ctb = new CertTemplateBuilder().setIssuer(issuer).setSerialNumber(serialNumber); final ExtensionsGenerator extgen = new ExtensionsGenerator(); - extgen.addExtension(Extension.reasonCode, false, new ASN1Enumerated(0)); + extgen.addExtension(Extension.reasonCode, false, new ASN1Enumerated(revocationReason)); final RevDetails revDetails = new RevDetails(ctb.build(), extgen.generate()); return new PKIBody(PKIBody.TYPE_REVOCATION_REQ, new RevReqContent(revDetails)); } diff --git a/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaImplementation.java b/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaImplementation.java index 93ea83d3..c602a355 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaImplementation.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaImplementation.java @@ -43,7 +43,9 @@ */ public class CmpRaImplementation implements CmpRaInterface { - private static final String UPSTREAM_INTERFACE_NAME = "upstream"; + private static final String DOWNSTREAM_INTERFACE_NAME = "RaDownstream"; + + private static final String UPSTREAM_INTERFACE_NAME = "RaUpstream"; private static final Logger LOGGER = LoggerFactory.getLogger(CmpRaImplementation.class); @@ -122,13 +124,13 @@ public byte[] processRequest(final byte[] rawRequest) throws Exception { LOGGER.trace("REQUEST at downstream >>>>>"); LOGGER.trace(MessageDumper.dumpPkiMessage(request)); } - FileTracer.logMessage(request, "downstream"); + FileTracer.logMessage(request, DOWNSTREAM_INTERFACE_NAME); final PKIMessage response = downstream.handleInputMessage(request); if (LOGGER.isTraceEnabled()) { LOGGER.trace("RESPONSE at downstream <<<<"); LOGGER.trace(MessageDumper.dumpPkiMessage(response)); } - FileTracer.logMessage(response, "downstream"); + FileTracer.logMessage(response, DOWNSTREAM_INTERFACE_NAME); return ifNotNull(response, PKIMessage::getEncoded); } } diff --git a/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaUpstream.java b/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaUpstream.java index 4c19a97d..86ee2c6c 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaUpstream.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaUpstream.java @@ -34,7 +34,11 @@ import java.util.Collection; import java.util.HashSet; import java.util.Objects; -import org.bouncycastle.asn1.cmp.*; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.cmp.PKIFailureInfo; +import org.bouncycastle.asn1.cmp.PKIHeader; +import org.bouncycastle.asn1.cmp.PKIMessage; +import org.bouncycastle.asn1.cmp.PKIMessages; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -198,7 +202,7 @@ void gotResponseAtUpstream(final PKIMessage responseMessage) throws Exception { final PersistencyContext persistencyContext = persistencyContextManager.loadPersistencyContext( responseMessage.getHeader().getTransactionID().getOctets()); if (persistencyContext == null) { - throw new IllegalStateException("no related request for known for provided response"); + throw new IllegalStateException("no related request known for provided response"); } persistencyContext.setPendingDelayedResponse(responseMessage); persistencyContext.flush(); diff --git a/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/P10X509RaImplementation.java b/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/P10X509RaImplementation.java index 1197029a..25b3bd28 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/P10X509RaImplementation.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/P10X509RaImplementation.java @@ -45,6 +45,8 @@ */ public class P10X509RaImplementation implements Function { + private static final String DOWNSTREAM_INTERFACE_NAME = "RaDownstream"; + private static final Collection supportedMessageTypesOnDownstream = new HashSet<>(Arrays.asList(PKIBody.TYPE_P10_CERT_REQ, PKIBody.TYPE_CERT_CONFIRM)); @@ -105,13 +107,13 @@ public byte[] apply(final byte[] rawRequest) { LOGGER.trace("REQUEST at downstream >>>>>"); LOGGER.trace(MessageDumper.dumpPkiMessage(request)); } - FileTracer.logMessage(request, "downstream"); + FileTracer.logMessage(request, DOWNSTREAM_INTERFACE_NAME); final PKIMessage response = downstream.handleInputMessage(request); if (LOGGER.isTraceEnabled()) { LOGGER.trace("RESPONSE at downstream <<<<"); LOGGER.trace(MessageDumper.dumpPkiMessage(response)); } - FileTracer.logMessage(response, "downstream"); + FileTracer.logMessage(response, DOWNSTREAM_INTERFACE_NAME); return ifNotNull(response, PKIMessage::getEncoded); } catch (final Exception e) { LOGGER.error("exception on downstream", e); diff --git a/src/main/java/com/siemens/pki/cmpracomponent/msgvalidation/ProtectionValidator.java b/src/main/java/com/siemens/pki/cmpracomponent/msgvalidation/ProtectionValidator.java index a486df61..80aaf6ba 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/msgvalidation/ProtectionValidator.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/msgvalidation/ProtectionValidator.java @@ -83,7 +83,6 @@ public Void validate(final PKIMessage message) throws BaseCmpException { } if (CMPObjectIdentifiers.passwordBasedMac.equals(protectionAlg.getAlgorithm())) { new PasswordBasedMacValidator(interfaceName, config).validate(message); - } else if (PKCSObjectIdentifiers.id_PBMAC1.equals(protectionAlg.getAlgorithm())) { new PBMAC1ProtectionValidator(interfaceName, config).validate(message); } else { diff --git a/src/main/java/com/siemens/pki/cmpracomponent/protection/MacProtection.java b/src/main/java/com/siemens/pki/cmpracomponent/protection/MacProtection.java index c5fd1cc1..ab7453c7 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/protection/MacProtection.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/protection/MacProtection.java @@ -37,6 +37,11 @@ public abstract class MacProtection implements ProtectionProvider { private final SharedSecretCredentialContext config; + + public byte[] getSharedSecret() { + return config.getSharedSecret(); + } + private AlgorithmIdentifier protectionAlg; private WrappedMac protectingMac; diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/CmpClientTestcaseBase.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/CmpClientTestcaseBase.java new file mode 100644 index 00000000..c75bcc05 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/CmpClientTestcaseBase.java @@ -0,0 +1,255 @@ +package com.siemens.pki.cmpclientcomponent.test; + +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.main.CmpClient; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SharedSecretCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.cryptoservices.CertUtility; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent.CmpRaInterface; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent.UpstreamExchange; +import com.siemens.pki.cmpracomponent.test.framework.CmpCaMock; +import com.siemens.pki.cmpracomponent.test.framework.ConfigFileLoader; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.PasswordValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import java.io.File; +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.Security; +import java.security.cert.X509Certificate; +import java.util.Collection; +import java.util.function.BiFunction; +import java.util.function.Function; +import org.junit.BeforeClass; + +public class CmpClientTestcaseBase { + + public static final File CONFIG_DIRECTORY = new File("./src/test/java/com/siemens/pki/cmpracomponent/test/config"); + + static { + ConfigFileLoader.setConfigFileBase(CONFIG_DIRECTORY); + } + + protected static CmpMessageInterface getSignatureBasedUpstreamconfiguration(final String upstreamTrustPath) { + return new CmpMessageInterface() { + + final SignatureValidationCredentials upstreamTrust = + new SignatureValidationCredentials(upstreamTrustPath, null); + + @Override + public VerificationContext getInputVerification() { + return upstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return ConfigurationFactory.getEeSignaturebasedCredentials(); + } catch (final Exception e) { + fail(e.getLocalizedMessage()); + return null; + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return deviation < 10; + } + }; + } + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + Security.addProvider(CertUtility.getBouncyCastleProvider()); + } + + protected UpstreamExchange upstreamExchange; + + protected CmpClient getSignatureBasedCmpClient( + String certProfile, final ClientContext clientContext, final String upstreamTrustPath) + throws GeneralSecurityException { + return new CmpClient( + certProfile, + getUpstreamExchange(), + getSignatureBasedUpstreamconfiguration(upstreamTrustPath), + clientContext); + } + + protected UpstreamExchange getUpstreamExchange() { + return upstreamExchange; + } + + protected UpstreamExchange launchCmpCaAndRa(final Configuration config) throws Exception { + return launchCmpRa( + config, + new CmpCaMock("credentials/ENROLL_Keystore.p12", "credentials/CMP_CA_Keystore.p12") + ::sendReceiveMessage); + } + + protected UpstreamExchange launchCmpCaAndRaAndLra(final Configuration raConfig, final Configuration lraConfig) + throws Exception { + final UpstreamExchange ra = launchCmpCaAndRa(raConfig); + final CmpRaInterface lra = CmpRaComponent.instantiateCmpRaComponent(lraConfig, (x, y, z) -> { + try { + return ra.sendReceiveMessage(x, y, z); + } catch (final IOException e) { + fail(e.getMessage()); + return null; + } + }); + upstreamExchange = (request, certProfile, bodyTypeOfFirstRequest) -> { + try { + return lra.processRequest(request); + } catch (final Exception e) { + throw new RuntimeException(e); + } + }; + return upstreamExchange; + } + + protected UpstreamExchange launchCmpRa(final Configuration config, final UpstreamExchange caMock) throws Exception { + final CmpRaInterface raComponent = CmpRaComponent.instantiateCmpRaComponent(config, caMock); + upstreamExchange = (request, certProfile, bodyTypeOfFirstRequest) -> { + try { + return raComponent.processRequest(request); + } catch (final Exception e) { + throw new RuntimeException(e); + } + }; + return upstreamExchange; + } + + protected UpstreamExchange launchP10X509CaAndRa(final Configuration config) throws Exception { + return launchP10X509Ra( + config, + new CmpCaMock("credentials/ENROLL_Keystore.p12", "credentials/CMP_CA_Keystore.p12") + ::processP10CerticateRequest); + } + + protected UpstreamExchange launchP10X509Ra( + final Configuration config, final BiFunction caMock) throws Exception { + final Function raComponent = CmpRaComponent.instantiateP10X509CmpRaComponent(config, caMock); + upstreamExchange = (request, certProfile, bodyTypeOfFirstRequest) -> { + try { + return raComponent.apply(request); + } catch (final Exception e) { + throw new RuntimeException(e); + } + }; + return upstreamExchange; + } + + protected CmpClient getPasswordBasedCmpClient( + String certProfile, + final ClientContext clientContext, + SharedSecretCredentialContext protection, + SignatureValidationCredentials keyValidationCredentials) + throws GeneralSecurityException { + return new CmpClient( + certProfile, + getUpstreamExchange(), + getPasswordBasedUpstreamconfiguration(protection, keyValidationCredentials), + clientContext); + } + + protected static CmpMessageInterface getPasswordBasedUpstreamconfiguration( + SharedSecretCredentialContext protection, SignatureValidationCredentials keyValidationCredentials) { + return new CmpMessageInterface() { + + final PasswordValidationCredentials passwordUpstreamTrust = + new PasswordValidationCredentials(protection.getSharedSecret()); + + @Override + public VerificationContext getInputVerification() { + return new VerificationContext() { + public byte[] getSharedSecret(byte[] senderKID) { + return passwordUpstreamTrust.getSharedSecret(senderKID); + } + + public Collection getAdditionalCerts() { + return keyValidationCredentials.getAdditionalCerts(); + } + + public Collection getTrustedCertificates() { + return keyValidationCredentials.getTrustedCertificates(); + } + }; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + return protection; + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return deviation < 10; + } + }; + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/DelayedDeliveryTestcaseBase.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/DelayedDeliveryTestcaseBase.java new file mode 100644 index 00000000..49e2446c --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/DelayedDeliveryTestcaseBase.java @@ -0,0 +1,68 @@ +/* + * Copyright (c) 2022 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent.CmpRaInterface; +import com.siemens.pki.cmpracomponent.main.CmpRaComponent.UpstreamExchange; +import com.siemens.pki.cmpracomponent.test.framework.CmpCaMock; +import java.util.Timer; +import java.util.TimerTask; + +public class DelayedDeliveryTestcaseBase extends CmpClientTestcaseBase { + + private CmpRaInterface raComponent; + + protected UpstreamExchange launchDelayedCmpCaAndRa(final Configuration config) throws Exception { + + final CmpCaMock caMock = new CmpCaMock("credentials/ENROLL_Keystore.p12", "credentials/CMP_CA_Keystore.p12"); + // delay request for 10 seconds before delivery to the CA + final UpstreamExchange delayedTransport = (request, certProfile, bodyTypeOfFirstRequest) -> { + new Timer() + .schedule( + new TimerTask() { + + @Override + public void run() { + try { + raComponent.gotResponseAtUpstream(caMock.sendReceiveMessage( + request, certProfile, bodyTypeOfFirstRequest)); + } catch (final Exception e) { + fail(e.getMessage()); + } + } + }, + 10_000L); + // trigger delayed delivery stuff in RA + return null; + }; + + raComponent = CmpRaComponent.instantiateCmpRaComponent(config, delayedTransport); + upstreamExchange = (request, certProfile, bodyTypeOfFirstRequest) -> { + try { + return raComponent.processRequest(request); + } catch (final Exception e) { + throw new RuntimeException(e); + } + }; + return upstreamExchange; + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/DelayedEnrollmentTescaseBase.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/DelayedEnrollmentTescaseBase.java new file mode 100644 index 00000000..6aa1ee35 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/DelayedEnrollmentTescaseBase.java @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.TestUtils; +import java.security.KeyPair; +import java.security.cert.X509Certificate; +import java.util.List; + +public class DelayedEnrollmentTescaseBase extends DelayedDeliveryTestcaseBase { + private SignatureValidationCredentials enrollmentCredentials; + + ClientContext getClientContext(final int enrollmentType) { + final ClientContext clientContext = new ClientContext() { + + KeyPair keyPair = ConfigurationFactory.getKeyGenerator().generateKeyPair(); + + @Override + public EnrollmentContext getEnrollmentContext() { + return new EnrollmentContext() { + + @Override + public KeyPair getCertificateKeypair() { + return keyPair; + } + + @Override + public VerificationContext getEnrollmentTrust() { + return enrollmentCredentials; + } + + @Override + public int getEnrollmentType() { + return enrollmentType; + } + + @Override + public List getExtensions() { + return null; + } + + @Override + public X509Certificate getOldCert() { + return null; + } + + @Override + public boolean getRequestImplictConfirm() { + return false; + } + + @Override + public String getSubject() { + return "CN=Subject"; + } + }; + } + + @Override + public RevocationContext getRevocationContext() { + fail("getRevocationContext"); + return null; + } + }; + return clientContext; + } + + protected SignatureValidationCredentials getEnrollmentCredentials() throws Exception { + if (enrollmentCredentials == null) { + enrollmentCredentials = new SignatureValidationCredentials( + "credentials/ENROLL_Keystore.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY); + } + return enrollmentCredentials; + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/EnrollmentTestcaseBase.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/EnrollmentTestcaseBase.java new file mode 100644 index 00000000..00d9d201 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/EnrollmentTestcaseBase.java @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.TestUtils; +import java.security.KeyPair; +import java.security.cert.X509Certificate; +import java.util.List; + +public class EnrollmentTestcaseBase extends CmpClientTestcaseBase { + + SignatureValidationCredentials enrollmentCredentials; + + ClientContext getClientContext(final int enrollmentType, KeyPair keyPair, byte[] certificationRequest) { + return new ClientContext() { + + @Override + public EnrollmentContext getEnrollmentContext() { + return new EnrollmentContext() { + + @Override + public KeyPair getCertificateKeypair() { + return keyPair; + } + + @Override + public byte[] getCertificationRequest() { + return certificationRequest; + } + + @Override + public VerificationContext getEnrollmentTrust() { + return enrollmentCredentials; + } + + @Override + public int getEnrollmentType() { + return enrollmentType; + } + + @Override + public List getExtensions() { + return null; + } + + @Override + public X509Certificate getOldCert() { + return null; + } + + @Override + public boolean getRequestImplictConfirm() { + return false; + } + + @Override + public String getSubject() { + return "CN=Subject"; + } + }; + } + + @Override + public RevocationContext getRevocationContext() { + fail("getRevocationContext"); + return null; + } + }; + } + + protected SignatureValidationCredentials getEnrollmentCredentials() throws Exception { + if (enrollmentCredentials == null) { + enrollmentCredentials = new SignatureValidationCredentials( + "credentials/ENROLL_Keystore.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY); + } + return enrollmentCredentials; + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithKeyAgreement.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithKeyAgreement.java new file mode 100644 index 00000000..934fbcd5 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithKeyAgreement.java @@ -0,0 +1,473 @@ +package com.siemens.pki.cmpclientcomponent.test; +/* + * Copyright (c) 2021 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CheckAndModifyResult; +import com.siemens.pki.cmpracomponent.configuration.CkgContext; +import com.siemens.pki.cmpracomponent.configuration.CkgKeyAgreementContext; +import com.siemens.pki.cmpracomponent.configuration.CkgKeyTransportContext; +import com.siemens.pki.cmpracomponent.configuration.CkgPasswordContext; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.InventoryInterface; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.SupportMessageHandlerInterface; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.cryptoservices.DataSignVerifier; +import com.siemens.pki.cmpracomponent.cryptoservices.DataSigner; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.TestUtils; +import com.siemens.pki.cmpracomponent.test.framework.TrustChainAndPrivateKey; +import com.siemens.pki.cmpracomponent.util.MessageDumper; +import java.math.BigInteger; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@RunWith(Parameterized.class) +public class TestCentralKeyGenerationWithKeyAgreement extends EnrollmentTestcaseBase { + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem"; + + public static final String DEFAULT_KEY_AGREEMENT = "ECCDH_SHA256KDF"; + + public static final String DEFAULT_KEY_ENCRYPTION = "AES256_WRAP"; + + private static final Logger LOGGER = LoggerFactory.getLogger(TestCentralKeyGenerationWithKeyAgreement.class); + public static Object[][] inputList = new Object[][] { + // + {DEFAULT_KEY_AGREEMENT, DEFAULT_KEY_ENCRYPTION}, + // + {DEFAULT_KEY_AGREEMENT, "2.16.840.1.101.3.4.1.5"}, + // + {DEFAULT_KEY_AGREEMENT, "2.16.840.1.101.3.4.1.25"}, + // + {DEFAULT_KEY_AGREEMENT, "2.16.840.1.101.3.4.1.45"}, + // + // + {"1.3.132.1.11.0", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.11.1", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.11.2", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.11.3", DEFAULT_KEY_ENCRYPTION}, + // + // + {"1.3.132.1.14.0", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.14.1", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.14.2", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.14.3", DEFAULT_KEY_ENCRYPTION}, + // + // + {"1.3.132.1.15.0", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.15.1", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.15.2", DEFAULT_KEY_ENCRYPTION}, + // + {"1.3.132.1.15.3", DEFAULT_KEY_ENCRYPTION}, + // + // + }; + + @Parameters(name = "{index}: keyAgreement=>{0}, keyEncryption=>{1}") + public static List data() { + final List ret = new ArrayList<>(inputList.length); + for (final Object[] aktInput : inputList) { + final Object keyAgreement = aktInput[0]; + final Object keyEncryption = aktInput[1]; + ret.add(new Object[] {keyAgreement, keyEncryption, keyAgreement, keyEncryption}); + } + return ret; + } + + private final String keyAgreementAlg; + private final String keyEncryptionAlg; + + private TrustChainAndPrivateKey raCredentials; + + public TestCentralKeyGenerationWithKeyAgreement( + final String keyAgreementAsString, + final String keyEncryptionAsString, + final String keyAgreementOID, + final String keyEncryptionOID) { + this.keyAgreementAlg = keyAgreementOID; + this.keyEncryptionAlg = keyEncryptionOID; + } + + private Configuration buildSignatureBasedDownstreamConfiguration() throws Exception { + final TrustChainAndPrivateKey downstreamCredentials = + new TrustChainAndPrivateKey("credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + final SignatureValidationCredentials downstreamTrust = + new SignatureValidationCredentials("credentials/CMP_EE_Root.pem", null); + final TrustChainAndPrivateKey upstreamCredentials = + new TrustChainAndPrivateKey("credentials/CMP_LRA_UPSTREAM_Keystore.p12", "Password".toCharArray()); + final SignatureValidationCredentials upstreamTrust = + new SignatureValidationCredentials("credentials/CMP_CA_Root.pem", null); + final SignatureValidationCredentials enrollmentTrust = + new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); + + return buildSimpleRaConfiguration( + downstreamCredentials, downstreamTrust, upstreamCredentials, upstreamTrust, enrollmentTrust); + } + + private Configuration buildSimpleRaConfiguration( + final CredentialContext downstreamCredentials, + final VerificationContext downstreamTrust, + final CredentialContext upstreamCredentials, + final VerificationContext upstreamTrust, + final SignatureValidationCredentials enrollmentTrust) { + return new Configuration() { + @Override + public CkgContext getCkgConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getCkgConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + + return new CkgContext() { + @Override + public CkgKeyAgreementContext getKeyAgreementContext() { + return new CkgKeyAgreementContext() { + + @Override + public String getKeyAgreementAlg() { + return keyAgreementAlg; + } + + @Override + public String getKeyEncryptionAlg() { + return keyEncryptionAlg; + } + + @Override + public PrivateKey getOwnPrivateKey() { + return raCredentials.getPrivateKey(); + } + + @Override + public PublicKey getOwnPublicKey() { + return raCredentials + .getCertificateChain() + .get(0) + .getPublicKey(); + } + + @Override + public X509Certificate getRecipient(final X509Certificate protectingCertificate) { + return protectingCertificate; + } + }; + } + + @Override + public CkgKeyTransportContext getKeyTransportContext() { + fail("getKeyTransportContext"); + return null; + } + + @Override + public CkgPasswordContext getPasswordContext() { + fail("getPasswordContext"); + return null; + } + + @Override + public SignatureCredentialContext getSigningCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + fail(e.getMessage()); + return null; + } + } + }; + } + + @Override + public CmpMessageInterface getDownstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getDownstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + switch (certProfile) { + case "certProfileForKur": + case "certProfileForRr": + return enrollmentTrust; + } + return downstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return downstreamCredentials; + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public int getDownstreamTimeout(final String certProfile, final int bodyType) { + return 10; + } + + @Override + public VerificationContext getEnrollmentTrust(final String certProfile, final int bodyType) { + LOGGER.debug( + "getEnrollmentTrust called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return enrollmentTrust; + } + + @Override + public boolean getForceRaVerifyOnUpstream(final String certProfile, final int bodyType) { + LOGGER.debug( + "getForceRaVerifyOnUpstream called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + + @Override + public InventoryInterface getInventory(final String certProfile, final int bodyType) { + LOGGER.debug( + "getInventory called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new InventoryInterface() { + + @Override + public CheckAndModifyResult checkAndModifyCertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] certTemplate, + final String requestedSubjectDn, + final byte[] pkiMessage) { + LOGGER.debug( + "checkAndModifyCertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return new CheckAndModifyResult() { + + @Override + public byte[] getUpdatedCertTemplate() { + return null; + } + + @Override + public boolean isGranted() { + return true; + } + }; + } + + @Override + public boolean checkP10CertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] pkcs10CertRequest, + final String requestedSubjectDn, + byte[] pkiMessage) { + LOGGER.debug( + "checkP10CertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return false; + } + + @Override + public boolean learnEnrollmentResult( + final byte[] transactionID, + final byte[] certificate, + final String serialNumber, + final String subjectDN, + final String issuerDN) { + LOGGER.debug( + "learnEnrollmentResult called with transactionID: {}, serialNumber: {}, subjectDN: {}, issuerDN: {}", + new BigInteger(transactionID), + serialNumber, + subjectDN, + issuerDN); + return true; + } + }; + } + + @Override + public int getRetryAfterTimeInSeconds(final String certProfile, final int bodyType) { + LOGGER.debug( + "getRetryAfterTimeInSeconds called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return 1; + } + + @Override + public SupportMessageHandlerInterface getSupportMessageHandler( + final String certProfile, final String infoTypeOid) { + LOGGER.debug( + "getSupportMessageHandler called with certprofile: {}, infoTypeOid: {}", + certProfile, + infoTypeOid); + return null; + } + + @Override + public CmpMessageInterface getUpstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getUpstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return upstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + + try { + return upstreamCredentials; + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyType) { + LOGGER.debug( + "isRaVerifiedAcceptable called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return true; + } + }; + } + + @Before + public void setUp() throws Exception { + raCredentials = new TrustChainAndPrivateKey( + "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY); + upstreamExchange = launchCmpCaAndRa(buildSignatureBasedDownstreamConfiguration()); + } + + /** + * Central Key Generation/Using Key Agreement Key Management Technique + */ + @Test + public void testCrWithKeyAgreement() throws Exception { + final EnrollmentResult ret = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext(PKIBody.TYPE_CERT_REQ, null, null), + UPSTREAM_TRUST_PATH) + .invokeEnrollment(); + assertNotNull(ret); + // try to use received certificate and key + final DataSigner testSigner = new DataSigner(ret.getPrivateKey(), ret.getEnrolledCertificate()); + final byte[] msgToSign = "Hello Signer, I am the message".getBytes(); + assertArrayEquals( + msgToSign, + DataSignVerifier.verifySignature(testSigner.signData(msgToSign).getEncoded())); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithKeyTransport.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithKeyTransport.java new file mode 100644 index 00000000..cdeae2b8 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithKeyTransport.java @@ -0,0 +1,429 @@ +/* + * Copyright (c) 2021 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.main.CmpClient; +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CheckAndModifyResult; +import com.siemens.pki.cmpracomponent.configuration.CkgContext; +import com.siemens.pki.cmpracomponent.configuration.CkgKeyAgreementContext; +import com.siemens.pki.cmpracomponent.configuration.CkgKeyTransportContext; +import com.siemens.pki.cmpracomponent.configuration.CkgPasswordContext; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.InventoryInterface; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.SupportMessageHandlerInterface; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.cryptoservices.DataSignVerifier; +import com.siemens.pki.cmpracomponent.cryptoservices.DataSigner; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.TestUtils; +import com.siemens.pki.cmpracomponent.test.framework.TrustChainAndPrivateKey; +import com.siemens.pki.cmpracomponent.util.MessageDumper; +import java.math.BigInteger; +import java.security.GeneralSecurityException; +import java.security.cert.X509Certificate; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class TestCentralKeyGenerationWithKeyTransport extends EnrollmentTestcaseBase { + + private static final Logger LOGGER = LoggerFactory.getLogger(TestCentralKeyGenerationWithKeyTransport.class); + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem"; + + private Configuration buildSignatureBasedDownstreamConfiguration_EE_RSA() throws Exception { + final TrustChainAndPrivateKey downstreamCredentials = + new TrustChainAndPrivateKey("credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + final SignatureValidationCredentials downstreamTrust = + new SignatureValidationCredentials("credentials/CMP_EE_Root_RSA.pem", null); + final TrustChainAndPrivateKey upstreamCredentials = + new TrustChainAndPrivateKey("credentials/CMP_LRA_UPSTREAM_Keystore.p12", "Password".toCharArray()); + final SignatureValidationCredentials upstreamTrust = + new SignatureValidationCredentials("credentials/CMP_CA_Root.pem", null); + final SignatureValidationCredentials enrollmentTrust = + new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); + + return buildSimpleRaConfiguration( + downstreamCredentials, downstreamTrust, upstreamCredentials, upstreamTrust, enrollmentTrust); + } + + private Configuration buildSimpleRaConfiguration( + final CredentialContext downstreamCredentials, + final VerificationContext downstreamTrust, + final CredentialContext upstreamCredentials, + final VerificationContext upstreamTrust, + final SignatureValidationCredentials enrollmentTrust) { + return new Configuration() { + @Override + public CkgContext getCkgConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getCkgConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CkgContext() { + + @Override + public CkgKeyAgreementContext getKeyAgreementContext() { + fail("getKeyAgreementContext"); + return null; + } + + @Override + public CkgKeyTransportContext getKeyTransportContext() { + return new CkgKeyTransportContext() { + @Override + public X509Certificate getRecipient(final X509Certificate protectingCertificate) { + return protectingCertificate; + } + }; + } + + @Override + public CkgPasswordContext getPasswordContext() { + fail("getPasswordContext"); + return null; + } + + @Override + public SignatureCredentialContext getSigningCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + fail(e.getMessage()); + return null; + } + } + }; + } + + @Override + public CmpMessageInterface getDownstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getDownstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + switch (certProfile) { + case "certProfileForKur": + case "certProfileForRr": + return enrollmentTrust; + } + return downstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return downstreamCredentials; + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public int getDownstreamTimeout(final String certProfile, final int bodyType) { + return 10; + } + + @Override + public VerificationContext getEnrollmentTrust(final String certProfile, final int bodyType) { + LOGGER.debug( + "getEnrollmentTrust called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return enrollmentTrust; + } + + @Override + public boolean getForceRaVerifyOnUpstream(final String certProfile, final int bodyType) { + LOGGER.debug( + "getForceRaVerifyOnUpstream called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + + @Override + public InventoryInterface getInventory(final String certProfile, final int bodyType) { + LOGGER.debug( + "getInventory called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new InventoryInterface() { + + @Override + public CheckAndModifyResult checkAndModifyCertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] certTemplate, + final String requestedSubjectDn, + final byte[] pkiMessage) { + LOGGER.debug( + "checkAndModifyCertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return new CheckAndModifyResult() { + + @Override + public byte[] getUpdatedCertTemplate() { + return null; + } + + @Override + public boolean isGranted() { + return true; + } + }; + } + + @Override + public boolean checkP10CertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] pkcs10CertRequest, + final String requestedSubjectDn, + final byte[] pkiMessage) { + LOGGER.debug( + "checkP10CertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return false; + } + + @Override + public boolean learnEnrollmentResult( + final byte[] transactionID, + final byte[] certificate, + final String serialNumber, + final String subjectDN, + final String issuerDN) { + LOGGER.debug( + "learnEnrollmentResult called with transactionID: {}, serialNumber: {}, subjectDN: {}, issuerDN: {}", + new BigInteger(transactionID), + serialNumber, + subjectDN, + issuerDN); + return true; + } + }; + } + + @Override + public int getRetryAfterTimeInSeconds(final String certProfile, final int bodyType) { + LOGGER.debug( + "getRetryAfterTimeInSeconds called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return 1; + } + + @Override + public SupportMessageHandlerInterface getSupportMessageHandler( + final String certProfile, final String infoTypeOid) { + LOGGER.debug( + "getSupportMessageHandler called with certprofile: {}, infoTypeOid: {}", + certProfile, + infoTypeOid); + return null; + } + + @Override + public CmpMessageInterface getUpstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getUpstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return upstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + + try { + return upstreamCredentials; + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyType) { + LOGGER.debug( + "isRaVerifiedAcceptable called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return true; + } + }; + } + + @Override + protected CmpClient getSignatureBasedCmpClient( + String certProfile, final ClientContext clientContext, final String upstreamTrustPath) + throws GeneralSecurityException { + final CmpMessageInterface upstreamconfiguration = new CmpMessageInterface() { + + final SignatureValidationCredentials upstreamTrust = + new SignatureValidationCredentials(upstreamTrustPath, null); + + @Override + public VerificationContext getInputVerification() { + return upstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_EE_Keystore_RSA.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY); + } catch (final Exception e) { + fail(e.getLocalizedMessage()); + return null; + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return deviation < 10; + } + }; + return new CmpClient(certProfile, getUpstreamExchange(), upstreamconfiguration, clientContext); + } + + @Before + public void setUp() throws Exception { + upstreamExchange = launchCmpCaAndRa(buildSignatureBasedDownstreamConfiguration_EE_RSA()); + } + + /** + * Central Key Generation/Using Key Transport Key Management Technique + * + * @throws Exception + */ + @Test + public void testIrWithKeyTransport() throws Exception { + final EnrollmentResult ret = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext(PKIBody.TYPE_INIT_REQ, null, null), + UPSTREAM_TRUST_PATH) + .invokeEnrollment(); + assertNotNull(ret); + // try to use received certificate and key + final DataSigner testSigner = new DataSigner(ret.getPrivateKey(), ret.getEnrolledCertificate()); + final byte[] msgToSign = "Hello Signer, I am the message".getBytes(); + assertArrayEquals( + msgToSign, + DataSignVerifier.verifySignature(testSigner.signData(msgToSign).getEncoded())); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithPassword.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithPassword.java new file mode 100644 index 00000000..a170fc75 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCentralKeyGenerationWithPassword.java @@ -0,0 +1,455 @@ +/* + * Copyright (c) 2021 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CheckAndModifyResult; +import com.siemens.pki.cmpracomponent.configuration.CkgContext; +import com.siemens.pki.cmpracomponent.configuration.CkgKeyAgreementContext; +import com.siemens.pki.cmpracomponent.configuration.CkgKeyTransportContext; +import com.siemens.pki.cmpracomponent.configuration.CkgPasswordContext; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.InventoryInterface; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SharedSecretCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.SupportMessageHandlerInterface; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.cryptoservices.CertUtility; +import com.siemens.pki.cmpracomponent.cryptoservices.DataSignVerifier; +import com.siemens.pki.cmpracomponent.cryptoservices.DataSigner; +import com.siemens.pki.cmpracomponent.test.framework.SharedSecret; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.TrustChainAndPrivateKey; +import com.siemens.pki.cmpracomponent.util.MessageDumper; +import java.math.BigInteger; +import java.util.ArrayList; +import java.util.List; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@RunWith(Parameterized.class) +public class TestCentralKeyGenerationWithPassword extends EnrollmentTestcaseBase { + + private static final String DEFAULT_KEK_ALG = "AES256"; + private static final String DEFAULT_PRF = "SHA224"; + private static final int DEFAULT_ITERATIONCOUNT = 10_000; + private static final Logger LOGGER = LoggerFactory.getLogger(TestCentralKeyGenerationWithPassword.class); + public static Object[][] inputList = new Object[][] { + // + {DEFAULT_PRF, DEFAULT_ITERATIONCOUNT, DEFAULT_KEK_ALG}, + // + {"SHA1", DEFAULT_ITERATIONCOUNT, DEFAULT_KEK_ALG}, + // + {"SHA224", DEFAULT_ITERATIONCOUNT, DEFAULT_KEK_ALG}, + // + {"SHA256", DEFAULT_ITERATIONCOUNT, DEFAULT_KEK_ALG}, + // + {"SHA384", DEFAULT_ITERATIONCOUNT, DEFAULT_KEK_ALG}, + // + {"SHA512", DEFAULT_ITERATIONCOUNT, DEFAULT_KEK_ALG}, + // + {DEFAULT_PRF, 1, DEFAULT_KEK_ALG}, + // + {DEFAULT_PRF, 100_000, DEFAULT_KEK_ALG}, + // + {DEFAULT_PRF, DEFAULT_ITERATIONCOUNT, "AES128_CBC"}, + // + {DEFAULT_PRF, DEFAULT_ITERATIONCOUNT, "AES192_CBC"}, + // + {DEFAULT_PRF, DEFAULT_ITERATIONCOUNT, "AES256_CBC"}, + // + }; + + @Parameters(name = "{index}: prf=>{0}, iterationCount=>{1}, kek={2}") + public static List data() { + final List ret = new ArrayList<>(inputList.length); + for (final Object[] aktInput : inputList) { + final Object prf = aktInput[0]; + final Object iterationCount = aktInput[1]; + final Object kek = aktInput[2]; + ret.add(new Object[] {prf, ((Integer) iterationCount).toString(), kek, prf, iterationCount, kek}); + } + return ret; + } + + private final String kekAlg; + + private final SharedSecret sharedSecret; + + public TestCentralKeyGenerationWithPassword( + final String prfAsString, + final String iterationCountAsString, + final String kekAlgorithmOIDAsString, + final String prf, + final int iterationCount, + final String kek) + throws Exception { + sharedSecret = new SharedSecret( + "PBMAC1", + "theSecret".getBytes(), + "SHA256", + "theSenderKid".getBytes(), + CertUtility.generateRandomBytes(20), + prf, + iterationCount); + this.kekAlg = kek; + } + + public Configuration buildPasswordbasedDownstreamConfiguration() throws Exception { + final VerificationContext downstreamTrust = new VerificationContext() { + @Override + public byte[] getSharedSecret(final byte[] senderKID) { + return sharedSecret.getSharedSecret(); + } + }; + final CredentialContext upstreamCredentials = + new TrustChainAndPrivateKey("credentials/CMP_LRA_UPSTREAM_Keystore.p12", "Password".toCharArray()); + final VerificationContext upstreamTrust = + new SignatureValidationCredentials("credentials/CMP_CA_Root.pem", null); + final SignatureValidationCredentials enrollmentTrust = + new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); + + final Configuration config = buildSimpleRaConfiguration( + sharedSecret, downstreamTrust, upstreamCredentials, upstreamTrust, enrollmentTrust); + return config; + } + + /** + * Central Key Generation/Using Password-Based Key Management Technique + * + * @throws Exception + */ + @Test + public void testCrWithPassword() throws Exception { + + SignatureValidationCredentials keyValidationCredentials = new SignatureValidationCredentials( + "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + final EnrollmentResult ret = getPasswordBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext(PKIBody.TYPE_CERT_REQ, null, null), + sharedSecret, + keyValidationCredentials) + .invokeEnrollment(); + assertNotNull(ret); + // try to use received certificate and key + final DataSigner testSigner = new DataSigner(ret.getPrivateKey(), ret.getEnrolledCertificate()); + final byte[] msgToSign = "Hello Signer, I am the message".getBytes(); + assertArrayEquals( + msgToSign, + DataSignVerifier.verifySignature(testSigner.signData(msgToSign).getEncoded())); + } + + protected Configuration buildSimpleRaConfiguration( + final SharedSecretCredentialContext downstreamCredentials, + final VerificationContext downstreamTrust, + final CredentialContext upstreamCredentials, + final VerificationContext upstreamTrust, + final SignatureValidationCredentials enrollmentTrust) { + return new Configuration() { + @Override + public CkgContext getCkgConfiguration(final String certProfile, final int bodyType) { + + LOGGER.debug( + "getCkgConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CkgContext() { + + @Override + public CkgKeyAgreementContext getKeyAgreementContext() { + fail("getKeyAgreementContext"); + return null; + } + + @Override + public CkgKeyTransportContext getKeyTransportContext() { + fail("getKeyTransportContext"); + return null; + } + + @Override + public CkgPasswordContext getPasswordContext() { + return new CkgPasswordContext() { + + @Override + public SharedSecretCredentialContext getEncryptionCredentials() { + return downstreamCredentials; + } + + @Override + public String getKekAlg() { + return kekAlg; + } + }; + } + + @Override + public SignatureCredentialContext getSigningCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + fail(e.getMessage()); + return null; + } + } + }; + } + + @Override + public CmpMessageInterface getDownstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getDownstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + switch (certProfile) { + case "certProfileForKur": + case "certProfileForRr": + return enrollmentTrust; + } + return downstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return downstreamCredentials; + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public int getDownstreamTimeout(final String certProfile, final int bodyType) { + return 10; + } + + @Override + public VerificationContext getEnrollmentTrust(final String certProfile, final int bodyType) { + LOGGER.debug( + "getEnrollmentTrust called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return enrollmentTrust; + } + + @Override + public boolean getForceRaVerifyOnUpstream(final String certProfile, final int bodyType) { + LOGGER.debug( + "getForceRaVerifyOnUpstream called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + + @Override + public InventoryInterface getInventory(final String certProfile, final int bodyType) { + LOGGER.debug( + "getInventory called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new InventoryInterface() { + + @Override + public CheckAndModifyResult checkAndModifyCertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] certTemplate, + final String requestedSubjectDn, + final byte[] pkiMessage) { + LOGGER.debug( + "checkAndModifyCertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return new CheckAndModifyResult() { + + @Override + public byte[] getUpdatedCertTemplate() { + return null; + } + + @Override + public boolean isGranted() { + return true; + } + }; + } + + @Override + public boolean checkP10CertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] pkcs10CertRequest, + final String requestedSubjectDn, + byte[] pkiMessage) { + LOGGER.debug( + "checkP10CertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return false; + } + + @Override + public boolean learnEnrollmentResult( + final byte[] transactionID, + final byte[] certificate, + final String serialNumber, + final String subjectDN, + final String issuerDN) { + LOGGER.debug( + "learnEnrollmentResult called with transactionID: {}, serialNumber: {}, subjectDN: {}, issuerDN: {}", + new BigInteger(transactionID), + serialNumber, + subjectDN, + issuerDN); + return true; + } + }; + } + + @Override + public int getRetryAfterTimeInSeconds(final String certProfile, final int bodyType) { + LOGGER.debug( + "getRetryAfterTimeInSeconds called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return 1; + } + + @Override + public SupportMessageHandlerInterface getSupportMessageHandler( + final String certProfile, final String infoTypeOid) { + LOGGER.debug( + "getSupportMessageHandler called with certprofile: {}, infoTypeOid: {}", + certProfile, + infoTypeOid); + return null; + } + + @Override + public CmpMessageInterface getUpstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getUpstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return upstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + + try { + return upstreamCredentials; + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyType) { + LOGGER.debug( + "isRaVerifiedAcceptable called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return true; + } + }; + } + + @Before + public void setUp() throws Exception { + upstreamExchange = launchCmpCaAndRa(buildPasswordbasedDownstreamConfiguration()); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCrWithPolling.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCrWithPolling.java new file mode 100644 index 00000000..39b145d6 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCrWithPolling.java @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertNotNull; + +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; + +public class TestCrWithPolling extends DelayedEnrollmentTescaseBase { + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem"; + + @Before + public void setUp() throws Exception { + launchDelayedCmpCaAndRa(ConfigurationFactory.buildSignatureBasedDownstreamConfiguration()); + } + + @Test + public void testCr() throws Exception { + final EnrollmentResult ret = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext(PKIBody.TYPE_CERT_REQ), + UPSTREAM_TRUST_PATH) + .invokeEnrollment(); + assertNotNull(ret); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestNestedKur.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestNestedKur.java new file mode 100644 index 00000000..e934214e --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestNestedKur.java @@ -0,0 +1,717 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpclientcomponent.main.CmpClient; +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CheckAndModifyResult; +import com.siemens.pki.cmpracomponent.configuration.CkgContext; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.InventoryInterface; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.SupportMessageHandlerInterface; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.TrustChainAndPrivateKey; +import com.siemens.pki.cmpracomponent.util.MessageDumper; +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class TestNestedKur extends EnrollmentTestcaseBase { + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem"; + + private static final Logger LOGGER = LoggerFactory.getLogger(TestNestedKur.class); + + public static Configuration buildSignatureBasedLraConfiguration() throws Exception { + return new Configuration() { + @Override + public CkgContext getCkgConfiguration(final String certProfile, final int bodyType) { + fail(String.format( + "LRA: getCkgConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType))); + return null; + } + + @Override + public CmpMessageInterface getDownstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "LRA: getDownstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + switch (certProfile) { + case "certProfileForKur": + case "certProfileForRr": + return new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); + } + return new SignatureValidationCredentials("credentials/CMP_EE_Root.pem", null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public int getDownstreamTimeout(final String certProfile, final int bodyType) { + return 10; + } + + @Override + public VerificationContext getEnrollmentTrust(final String certProfile, final int bodyType) { + LOGGER.debug( + "LRA: getEnrollmentTrust called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); + } + + @Override + public boolean getForceRaVerifyOnUpstream(final String certProfile, final int bodyType) { + LOGGER.debug( + "LRA: getForceRaVerifyOnUpstream called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + + @Override + public InventoryInterface getInventory(final String certProfile, final int bodyType) { + LOGGER.debug( + "LRA: getInventory called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new InventoryInterface() { + + @Override + public CheckAndModifyResult checkAndModifyCertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] certTemplate, + final String requestedSubjectDn, + final byte[] pkiMessage) { + LOGGER.debug( + "LRA: checkAndModifyCertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return new CheckAndModifyResult() { + + @Override + public byte[] getUpdatedCertTemplate() { + return null; + } + + @Override + public boolean isGranted() { + return true; + } + }; + } + + @Override + public boolean checkP10CertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] pkcs10CertRequest, + final String requestedSubjectDn, + byte[] pkiMessage) { + fail(String.format( + "LRA: checkP10CertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn)); + return false; + } + + @Override + public boolean learnEnrollmentResult( + final byte[] transactionID, + final byte[] certificate, + final String serialNumber, + final String subjectDN, + final String issuerDN) { + LOGGER.debug( + "LRA: learnEnrollmentResult called with transactionID: {}, serialNumber: {}, subjectDN: {}, issuerDN: {}", + new BigInteger(transactionID), + serialNumber, + subjectDN, + issuerDN); + return true; + } + }; + } + + @Override + public int getRetryAfterTimeInSeconds(final String certProfile, final int bodyType) { + LOGGER.debug( + "LRA: getRetryAfterTimeInSeconds called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return 1; + } + + @Override + public SupportMessageHandlerInterface getSupportMessageHandler( + final String certProfile, final String infoTypeOid) { + LOGGER.debug( + "LRA: getSupportMessageHandler called with certprofile: {}, infoTypeOid: {}", + certProfile, + infoTypeOid); + return null; + } + + @Override + public CmpMessageInterface getUpstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "LRA: getUpstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials("credentials/CMP_CA_Root.pem", null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return new NestedEndpointContext() { + // misuse CA and EE credentials for nested endpoints + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials("credentials/CMP_EE_Root.pem", null); + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_CA_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + fail(e.getMessage()); + return null; + } + } + + @Override + public boolean isIncomingRecipientValid(final String recipient) { + LOGGER.debug("LRA: isIncomingRecipientValid called with recipient: {}", recipient); + return true; + } + }; + } + + @Override + public CredentialContext getOutputCredentials() { + + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_LRA_UPSTREAM_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.keep; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyType) { + LOGGER.debug( + "LRA: isRaVerifiedAcceptable called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + }; + } + + public static Configuration buildSignaturebasedRaConfiguration() throws Exception { + return new Configuration() { + @Override + public CkgContext getCkgConfiguration(final String certProfile, final int bodyType) { + fail(String.format( + "getCkgConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType))); + return null; + } + + @Override + public CmpMessageInterface getDownstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getDownstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + switch (certProfile) { + case "certProfileForKur": + case "certProfileForRr": + return new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); + } + return new SignatureValidationCredentials("credentials/CMP_EE_Root.pem", null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return new NestedEndpointContext() { + // misuse CA and EE credentials for nested endpoints + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials("credentials/CMP_CA_Root.pem", null); + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_EE_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + fail(e.getMessage()); + return null; + } + } + + @Override + public boolean isIncomingRecipientValid(final String recipient) { + LOGGER.debug("isIncomingRecipientValid called with recipient: {}", recipient); + return true; + } + }; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.keep; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public int getDownstreamTimeout(final String certProfile, final int bodyType) { + return 10; + } + + @Override + public VerificationContext getEnrollmentTrust(final String certProfile, final int bodyType) { + LOGGER.debug( + "getEnrollmentTrust called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); + } + + @Override + public boolean getForceRaVerifyOnUpstream(final String certProfile, final int bodyType) { + LOGGER.debug( + "getForceRaVerifyOnUpstream called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + + @Override + public InventoryInterface getInventory(final String certProfile, final int bodyType) { + LOGGER.debug( + "getInventory called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new InventoryInterface() { + + @Override + public CheckAndModifyResult checkAndModifyCertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] certTemplate, + final String requestedSubjectDn, + byte[] pkiMessage) { + LOGGER.debug( + "checkAndModifyCertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return new CheckAndModifyResult() { + + @Override + public byte[] getUpdatedCertTemplate() { + return null; + } + + @Override + public boolean isGranted() { + return true; + } + }; + } + + @Override + public boolean checkP10CertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] pkcs10CertRequest, + final String requestedSubjectDn, + byte[] pkiMessage) { + fail(String.format( + "checkP10CertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn)); + return false; + } + + @Override + public boolean learnEnrollmentResult( + final byte[] transactionID, + final byte[] certificate, + final String serialNumber, + final String subjectDN, + final String issuerDN) { + LOGGER.debug( + "learnEnrollmentResult called with transactionID: {}, serialNumber: {}, subjectDN: {}, issuerDN: {}", + new BigInteger(transactionID), + serialNumber, + subjectDN, + issuerDN); + return true; + } + }; + } + + @Override + public int getRetryAfterTimeInSeconds(final String certProfile, final int bodyType) { + LOGGER.debug( + "getRetryAfterTimeInSeconds called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return 1; + } + + @Override + public SupportMessageHandlerInterface getSupportMessageHandler( + final String certProfile, final String infoTypeOid) { + LOGGER.debug( + "getSupportMessageHandler called with certprofile: {}, infoTypeOid: {}", + certProfile, + infoTypeOid); + return null; + } + + @Override + public CmpMessageInterface getUpstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getUpstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials("credentials/CMP_CA_Root.pem", null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + + try { + return new TrustChainAndPrivateKey( + "credentials/CMP_LRA_UPSTREAM_Keystore.p12", "Password".toCharArray()); + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyType) { + LOGGER.debug( + "isRaVerifiedAcceptable called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + }; + } + + @Before + public void setUp() throws Exception { + launchCmpCaAndRaAndLra(buildSignaturebasedRaConfiguration(), buildSignatureBasedLraConfiguration()); + } + + /** + * Updating a Valid Certificate + * + * @throws Exception + */ + @Test + public void testKur() throws Exception { + final CmpClient crClient = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext( + PKIBody.TYPE_CERT_REQ, + ConfigurationFactory.getKeyGenerator().generateKeyPair(), + null), + UPSTREAM_TRUST_PATH); + final EnrollmentResult crResult = crClient.invokeEnrollment(); + + final X509Certificate crEnrolledCertificate = crResult.getEnrolledCertificate(); + + final ClientContext kurClientContext = new ClientContext() { + + KeyPair keyPair = ConfigurationFactory.getKeyGenerator().generateKeyPair(); + + @Override + public EnrollmentContext getEnrollmentContext() { + + return new EnrollmentContext() { + + @Override + public KeyPair getCertificateKeypair() { + return keyPair; + } + + @Override + public VerificationContext getEnrollmentTrust() { + try { + return getEnrollmentCredentials(); + } catch (final Exception e) { + return null; + } + } + + @Override + public int getEnrollmentType() { + return PKIBody.TYPE_KEY_UPDATE_REQ; + } + + @Override + public List getExtensions() { + return null; + } + + @Override + public X509Certificate getOldCert() { + return crEnrolledCertificate; + } + + @Override + public boolean getRequestImplictConfirm() { + return false; + } + + @Override + public String getSubject() { + return crEnrolledCertificate.getSubjectX500Principal().getName(); + } + }; + } + + @Override + public RevocationContext getRevocationContext() { + fail("getRevocationContext"); + return null; + } + }; + + final SignatureValidationCredentials enrollmentCredentials = getEnrollmentCredentials(); + + final CmpMessageInterface kurUpstream = new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials(UPSTREAM_TRUST_PATH, null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + return new SignatureCredentialContext() { + + @Override + public List getCertificateChain() { + final List ret = new ArrayList<>(enrollmentCredentials.getAdditionalCerts()); + ret.add(0, crEnrolledCertificate); + return ret; + } + + @Override + public PrivateKey getPrivateKey() { + return crResult.getPrivateKey(); + } + }; + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return deviation < 10; + } + }; + final CmpClient kurClient = + new CmpClient("certProfileForKur", getUpstreamExchange(), kurUpstream, kurClientContext); + final EnrollmentResult kurResult = kurClient.invokeEnrollment(); + assertNotNull(kurResult); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestP10Cr.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestP10Cr.java new file mode 100644 index 00000000..f724075f --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestP10Cr.java @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CheckAndModifyResult; +import com.siemens.pki.cmpracomponent.configuration.CkgContext; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.InventoryInterface; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SupportMessageHandlerInterface; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.cryptoservices.AlgorithmHelper; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import com.siemens.pki.cmpracomponent.test.framework.TrustChainAndPrivateKey; +import com.siemens.pki.cmpracomponent.util.MessageDumper; +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.PrivateKey; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; +import org.junit.Before; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class TestP10Cr extends EnrollmentTestcaseBase { + + private static final Logger LOGGER = LoggerFactory.getLogger(TestP10Cr.class); + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem"; + + public static Configuration buildSignatureBasedDownstreamConfiguration() throws Exception { + final TrustChainAndPrivateKey downstreamCredentials = + new TrustChainAndPrivateKey("credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray()); + final SignatureValidationCredentials downstreamTrust = + new SignatureValidationCredentials("credentials/CMP_EE_Root.pem", null); + final SignatureValidationCredentials enrollmentTrust = + new SignatureValidationCredentials("credentials/ENROLL_Keystore.p12", "Password".toCharArray()); + + return buildSimpleRaConfiguration(downstreamCredentials, downstreamTrust, enrollmentTrust); + } + + public static Configuration buildSimpleRaConfiguration( + final CredentialContext downstreamCredentials, + final VerificationContext downstreamTrust, + final SignatureValidationCredentials enrollmentTrust) { + return new Configuration() { + @Override + public CkgContext getCkgConfiguration(final String certProfile, final int bodyType) { + fail(String.format( + "getCkgConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType))); + return null; + } + + @Override + public CmpMessageInterface getDownstreamConfiguration(final String certProfile, final int bodyType) { + LOGGER.debug( + "getDownstreamConfiguration called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + switch (certProfile) { + case "certProfileForKur": + case "certProfileForRr": + return enrollmentTrust; + } + return downstreamTrust; + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + try { + return downstreamCredentials; + } catch (final Exception e) { + throw new RuntimeException(e); + } + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return true; + } + }; + } + + @Override + public int getDownstreamTimeout(final String certProfile, final int bodyType) { + return 10; + } + + @Override + public VerificationContext getEnrollmentTrust(final String certProfile, final int bodyType) { + LOGGER.debug( + "getEnrollmentTrust called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return enrollmentTrust; + } + + @Override + public boolean getForceRaVerifyOnUpstream(final String certProfile, final int bodyType) { + LOGGER.debug( + "getForceRaVerifyOnUpstream called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return false; + } + + @Override + public InventoryInterface getInventory(final String certProfile, final int bodyType) { + LOGGER.debug( + "getInventory called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType)); + return new InventoryInterface() { + + @Override + public CheckAndModifyResult checkAndModifyCertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] certTemplate, + final String requestedSubjectDn, + byte[] pkiMessage) { + fail(String.format( + "checkAndModifyCertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn)); + return new CheckAndModifyResult() { + + @Override + public byte[] getUpdatedCertTemplate() { + return null; + } + + @Override + public boolean isGranted() { + return false; + } + }; + } + + @Override + public boolean checkP10CertRequest( + final byte[] transactionID, + final String requesterDn, + final byte[] pkcs10CertRequest, + final String requestedSubjectDn, + byte[] pkiMessage) { + LOGGER.debug( + "checkP10CertRequest called with transactionID: {}, requesterDn: {}, requestedSubjectDn: {}", + new BigInteger(transactionID), + requesterDn, + requestedSubjectDn); + return true; + } + + @Override + public boolean learnEnrollmentResult( + final byte[] transactionID, + final byte[] certificate, + final String serialNumber, + final String subjectDN, + final String issuerDN) { + LOGGER.debug( + "learnEnrollmentResult called with transactionID: {}, serialNumber: {}, subjectDN: {}, issuerDN: {}", + new BigInteger(transactionID), + serialNumber, + subjectDN, + issuerDN); + return true; + } + }; + } + + @Override + public int getRetryAfterTimeInSeconds(final String certProfile, final int bodyType) { + fail(String.format( + "getRetryAfterTimeInSeconds called with certprofile: {}, type: {}", + certProfile, + MessageDumper.msgTypeAsString(bodyType))); + return 1; + } + + @Override + public SupportMessageHandlerInterface getSupportMessageHandler( + final String certProfile, final String infoTypeOid) { + fail(String.format( + "getSupportMessageHandler called with certprofile: {}, infoTypeOid: {}", + certProfile, + infoTypeOid)); + return null; + } + + @Override + public CmpMessageInterface getUpstreamConfiguration(final String certProfile, final int bodyType) { + fail("getUpstreamConfiguration called"); + return null; + } + + @Override + public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyType) { + fail("isRaVerifiedAcceptable called"); + return false; + } + }; + } + + @Before + public void setUp() throws Exception { + final Configuration config = buildSignatureBasedDownstreamConfiguration(); + launchP10X509CaAndRa(config); + } + /** + * A certificate from a legacy PKI using PKCS#10 request + * + * @throws Exception + */ + @Test(timeout = 100000L) + public void testP10Cr() throws Exception { + final KeyPair keyPair = ConfigurationFactory.getKeyGenerator().generateKeyPair(); + final JcaPKCS10CertificationRequestBuilder p10Builder = + new JcaPKCS10CertificationRequestBuilder(new X500Name("CN=Subject"), keyPair.getPublic()); + final PrivateKey privateKey = keyPair.getPrivate(); + final ContentSigner signer = + new JcaContentSignerBuilder(AlgorithmHelper.getSigningAlgNameFromKey(privateKey)).build(privateKey); + p10Builder.build(signer).getEncoded(); + final EnrollmentResult ret = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext( + PKIBody.TYPE_P10_CERT_REQ, + null, + p10Builder.build(signer).getEncoded()), + UPSTREAM_TRUST_PATH) + .invokeEnrollment(); + assertNotNull(ret); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestPasswordBasedIr.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestPasswordBasedIr.java new file mode 100644 index 00000000..b4f2f4dd --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestPasswordBasedIr.java @@ -0,0 +1,72 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertNotNull; + +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.Configuration; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.SharedSecret; +import com.siemens.pki.cmpracomponent.test.framework.TestUtils; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; + +public class TestPasswordBasedIr extends EnrollmentTestcaseBase { + + @Before + public void setUp() throws Exception { + final Configuration config = ConfigurationFactory.buildPasswordbasedDownstreamConfiguration(); + launchCmpCaAndRa(config); + } + + @Test + public void testIr() throws Exception { + final EnrollmentResult ret = getPasswordBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext( + PKIBody.TYPE_CERT_REQ, + ConfigurationFactory.getKeyGenerator().generateKeyPair(), + null), + new SharedSecret("PASSWORDBASEDMAC", TestUtils.PASSWORD), + null) + .invokeEnrollment(); + assertNotNull(ret); + } + + /** + * Enrolling an End Entity to a New PKI/Using MAC-Based Protection for + * Enrollment + * + * @throws Exception in case of error + */ + @Test + public void testPbmac1Ir() throws Exception { + final EnrollmentResult ret = getPasswordBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext( + PKIBody.TYPE_CERT_REQ, + ConfigurationFactory.getKeyGenerator().generateKeyPair(), + null), + new SharedSecret("PBMAC1", TestUtils.PASSWORD), + null) + .invokeEnrollment(); + assertNotNull(ret); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestRrWithPolling.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestRrWithPolling.java new file mode 100644 index 00000000..ecd3ab19 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestRrWithPolling.java @@ -0,0 +1,147 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpclientcomponent.main.CmpClient; +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import java.math.BigInteger; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; + +public class TestRrWithPolling extends DelayedEnrollmentTescaseBase { + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem"; + + @Before + public void setUp() throws Exception { + launchDelayedCmpCaAndRa(ConfigurationFactory.buildSignatureBasedDownstreamConfiguration()); + } + + /** + * Revoking a certificate/Handling Delayed Delivery + * + * @throws Exception + */ + @Test + public void testRrWithPolling() throws Exception { + + final CmpClient crClient = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", getClientContext(PKIBody.TYPE_CERT_REQ), UPSTREAM_TRUST_PATH); + + final EnrollmentResult crResult = crClient.invokeEnrollment(); + + final X509Certificate crEnrolledCertificate = crResult.getEnrolledCertificate(); + + final SignatureValidationCredentials enrollmentCredentials = getEnrollmentCredentials(); + + final ClientContext rrClientContext = new ClientContext() { + @Override + public EnrollmentContext getEnrollmentContext() { + fail("getEnrollmentContext"); + return null; + } + + @Override + public RevocationContext getRevocationContext() { + return new RevocationContext() { + + @Override + public BigInteger getSerialNumber() { + return crEnrolledCertificate.getSerialNumber(); + } + + @Override + public String getIssuer() { + return crEnrolledCertificate.getIssuerX500Principal().getName(); + } + }; + } + }; + + final CmpMessageInterface rrUpstream = new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials(UPSTREAM_TRUST_PATH, null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + return new SignatureCredentialContext() { + + @Override + public List getCertificateChain() { + final List ret = new ArrayList<>(enrollmentCredentials.getAdditionalCerts()); + ret.add(0, crEnrolledCertificate); + return ret; + } + + @Override + public PrivateKey getPrivateKey() { + return crResult.getPrivateKey(); + } + }; + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return deviation < 10; + } + }; + final CmpClient rrClient = + new CmpClient("certProfileForRr", getUpstreamExchange(), rrUpstream, rrClientContext); + assertTrue(rrClient.invokeRevocation()); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignatureBasedCr.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignatureBasedCr.java new file mode 100644 index 00000000..c40fda2a --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignatureBasedCr.java @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertNotNull; + +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; + +public class TestSignatureBasedCr extends EnrollmentTestcaseBase { + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_Root.pem"; + + @Before + public void setUp() throws Exception { + launchCmpCaAndRa(ConfigurationFactory.buildSignatureBasedDownstreamConfiguration()); + } + + @Test + public void testCr() throws Exception { + final EnrollmentResult ret = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext( + PKIBody.TYPE_CERT_REQ, + ConfigurationFactory.getKeyGenerator().generateKeyPair(), + null), + UPSTREAM_TRUST_PATH) + .invokeEnrollment(); + assertNotNull(ret); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignatureBasedKur.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignatureBasedKur.java new file mode 100644 index 00000000..c745fba7 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignatureBasedKur.java @@ -0,0 +1,185 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpclientcomponent.main.CmpClient; +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import java.security.KeyPair; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; + +public class TestSignatureBasedKur extends EnrollmentTestcaseBase { + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_Root.pem"; + + @Before + public void setUp() throws Exception { + launchCmpCaAndRa(ConfigurationFactory.buildSignatureBasedDownstreamConfiguration()); + } + + /** + * Updating a Valid Certificate + * + * @throws Exception + */ + @Test + public void testKur() throws Exception { + final CmpClient crClient = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext( + PKIBody.TYPE_CERT_REQ, + ConfigurationFactory.getKeyGenerator().generateKeyPair(), + null), + UPSTREAM_TRUST_PATH); + final EnrollmentResult crResult = crClient.invokeEnrollment(); + + final X509Certificate crEnrolledCertificate = crResult.getEnrolledCertificate(); + + final ClientContext kurClientContext = new ClientContext() { + + KeyPair keyPair = ConfigurationFactory.getKeyGenerator().generateKeyPair(); + + @Override + public EnrollmentContext getEnrollmentContext() { + + return new EnrollmentContext() { + + @Override + public KeyPair getCertificateKeypair() { + return keyPair; + } + + @Override + public VerificationContext getEnrollmentTrust() { + try { + return getEnrollmentCredentials(); + } catch (final Exception e) { + return null; + } + } + + @Override + public int getEnrollmentType() { + return PKIBody.TYPE_KEY_UPDATE_REQ; + } + + @Override + public List getExtensions() { + return null; + } + + @Override + public X509Certificate getOldCert() { + return crEnrolledCertificate; + } + + @Override + public boolean getRequestImplictConfirm() { + return false; + } + + @Override + public String getSubject() { + return crEnrolledCertificate.getSubjectX500Principal().getName(); + } + }; + } + + @Override + public RevocationContext getRevocationContext() { + fail("getRevocationContext"); + return null; + } + }; + + final SignatureValidationCredentials enrollmentCredentials = getEnrollmentCredentials(); + + final CmpMessageInterface kurUpstream = new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials(UPSTREAM_TRUST_PATH, null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + return new SignatureCredentialContext() { + + @Override + public List getCertificateChain() { + final List ret = new ArrayList<>(enrollmentCredentials.getAdditionalCerts()); + ret.add(0, crEnrolledCertificate); + return ret; + } + + @Override + public PrivateKey getPrivateKey() { + return crResult.getPrivateKey(); + } + }; + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return deviation < 10; + } + }; + final CmpClient kurClient = + new CmpClient("certProfileForKur", getUpstreamExchange(), kurUpstream, kurClientContext); + final EnrollmentResult kurResult = kurClient.invokeEnrollment(); + assertNotNull(kurResult); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignaturebasedRr.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignaturebasedRr.java new file mode 100644 index 00000000..6c649107 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSignaturebasedRr.java @@ -0,0 +1,153 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpclientcomponent.main.CmpClient; +import com.siemens.pki.cmpclientcomponent.main.CmpClient.EnrollmentResult; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.CredentialContext; +import com.siemens.pki.cmpracomponent.configuration.NestedEndpointContext; +import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.SignatureValidationCredentials; +import java.math.BigInteger; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.junit.Before; +import org.junit.Test; + +public class TestSignaturebasedRr extends EnrollmentTestcaseBase { + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_CA_Root.pem"; + + @Before + public void setUp() throws Exception { + launchCmpCaAndRa(ConfigurationFactory.buildSignatureBasedDownstreamConfiguration()); + } + + /** + * Revoke a Valid Certificate + * + * @throws Exception + */ + @Test + public void testRr() throws Exception { + final CmpClient crClient = getSignatureBasedCmpClient( + "theCertProfileForOnlineEnrollment", + getClientContext( + PKIBody.TYPE_CERT_REQ, + ConfigurationFactory.getKeyGenerator().generateKeyPair(), + null), + UPSTREAM_TRUST_PATH); + + final EnrollmentResult crResult = crClient.invokeEnrollment(); + + final X509Certificate crEnrolledCertificate = crResult.getEnrolledCertificate(); + + final SignatureValidationCredentials enrollmentCredentials = getEnrollmentCredentials(); + + final ClientContext rrClientContext = new ClientContext() { + @Override + public EnrollmentContext getEnrollmentContext() { + fail("getEnrollmentContext"); + return null; + } + + @Override + public RevocationContext getRevocationContext() { + return new RevocationContext() { + + @Override + public BigInteger getSerialNumber() { + return crEnrolledCertificate.getSerialNumber(); + } + + @Override + public String getIssuer() { + return crEnrolledCertificate.getIssuerX500Principal().getName(); + } + }; + } + }; + + final CmpMessageInterface rrUpstream = new CmpMessageInterface() { + + @Override + public VerificationContext getInputVerification() { + return new SignatureValidationCredentials(UPSTREAM_TRUST_PATH, null); + } + + @Override + public NestedEndpointContext getNestedEndpointContext() { + return null; + } + + @Override + public CredentialContext getOutputCredentials() { + return new SignatureCredentialContext() { + + @Override + public List getCertificateChain() { + final List ret = new ArrayList<>(enrollmentCredentials.getAdditionalCerts()); + ret.add(0, crEnrolledCertificate); + return ret; + } + + @Override + public PrivateKey getPrivateKey() { + return crResult.getPrivateKey(); + } + }; + } + + @Override + public ReprotectMode getReprotectMode() { + return ReprotectMode.reprotect; + } + + @Override + public boolean getSuppressRedundantExtraCerts() { + return false; + } + + @Override + public boolean isCacheExtraCerts() { + return false; + } + + @Override + public boolean isMessageTimeDeviationAllowed(final long deviation) { + return deviation < 10; + } + }; + final CmpClient rrClient = + new CmpClient("certProfileForRr", getUpstreamExchange(), rrUpstream, rrClientContext); + assertTrue(rrClient.invokeRevocation()); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSupportMessages.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSupportMessages.java new file mode 100644 index 00000000..bb3bdcdc --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestSupportMessages.java @@ -0,0 +1,122 @@ +/* + * Copyright (c) 2023 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.cmpclientcomponent.test; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.siemens.pki.cmpclientcomponent.configuration.ClientContext; +import com.siemens.pki.cmpclientcomponent.configuration.EnrollmentContext; +import com.siemens.pki.cmpclientcomponent.configuration.RevocationContext; +import com.siemens.pki.cmpracomponent.configuration.GetRootCaCertificateUpdateHandler.RootCaCertificateUpdateResponse; +import com.siemens.pki.cmpracomponent.test.framework.ConfigurationFactory; +import com.siemens.pki.cmpracomponent.test.framework.TestCertUtility; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.List; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers; +import org.bouncycastle.asn1.cmp.CertReqTemplateContent; +import org.bouncycastle.asn1.crmf.AttributeTypeAndValue; +import org.bouncycastle.asn1.crmf.Controls; +import org.junit.Before; +import org.junit.Test; + +public class TestSupportMessages extends CmpClientTestcaseBase { + + private static final String UPSTREAM_TRUST_PATH = "credentials/CMP_LRA_DOWNSTREAM_Root.pem"; + private static final ClientContext clientContext = new ClientContext() { + + @Override + public EnrollmentContext getEnrollmentContext() { + fail("getEnrollmentContext"); + return null; + } + + @Override + public RevocationContext getRevocationContext() { + fail("getRevocationContext"); + return null; + } + }; + + @Before + public void setUp() throws Exception { + // there should be no CA in charge + launchCmpRa(ConfigurationFactory.buildSignatureBasedDownstreamOnlyConfiguration(), (x, y, z) -> { + fail(); + return null; + }); + } + + /** + * CRL Update Retrieval + * + * @throws Exception + */ + @Test + public void testCrlUpdateRetrieval() throws Exception { + final List crls = getSignatureBasedCmpClient("TestSupportMessages", clientContext, UPSTREAM_TRUST_PATH) + .getCrls(null, null, new String[] {"CN=distributionPoint"}, new Date()); + assertNotNull("CRL", crls); + } + + /* + * Get CA certificates + */ + @Test + public void testGetCaCerts() throws Exception { + final List certs = getSignatureBasedCmpClient( + "TestSupportMessages", clientContext, UPSTREAM_TRUST_PATH) + .getCaCertificates(); + assertEquals("number of returned certificates", 20, certs.size()); + } + + /* + * Get Certificate Request Template + */ + @Test + public void testGetCertificateRequestTemplate() throws Exception { + final byte[] template = getSignatureBasedCmpClient("TestSupportMessages", clientContext, UPSTREAM_TRUST_PATH) + .getCertificateRequestTemplate(); + final CertReqTemplateContent crt = CertReqTemplateContent.getInstance(template); + assertNotNull("parse CertTemplate", crt.getCertTemplate()); + final AttributeTypeAndValue[] controls = + Controls.getInstance(crt.getKeySpec()).toAttributeTypeAndValueArray(); + + assertEquals(CMPObjectIdentifiers.id_regCtrl_rsaKeyLen, controls[0].getType()); + + assertNotNull("parse INTEGER", ASN1Integer.getInstance(controls[0].getValue())); + } + + /* + * Get Root CA Certificate Update + */ + @Test + public void testGetRootCaCertificateUpdate() throws Exception { + final RootCaCertificateUpdateResponse update = getSignatureBasedCmpClient( + "TestSupportMessages", clientContext, UPSTREAM_TRUST_PATH) + .getRootCaCertificateUpdate(TestCertUtility.loadCertificatesFromFile("credentials/CMP_EE_Root.pem") + .get(0)); + assertNotNull(update.getNewWithNew()); + assertNotNull(update.getNewWithOld()); + assertNotNull(update.getOldWithNew()); + } +} diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/package-info.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/package-info.java new file mode 100644 index 00000000..d0fe1e03 --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpclientcomponent/test/package-info.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2022 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +/** + * client {@link org.junit.Test} test cases + */ +package com.siemens.pki.cmpclientcomponent.test; diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/OnlineRaLraTestcasebase.java b/src/test/java/com/siemens/pki/cmpracomponent/test/OnlineRaLraTestcasebase.java index 95aa7e35..d4c6e99f 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/OnlineRaLraTestcasebase.java +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/OnlineRaLraTestcasebase.java @@ -19,6 +19,7 @@ import static org.junit.Assert.fail; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface.ReprotectMode; import com.siemens.pki.cmpracomponent.configuration.Configuration; import com.siemens.pki.cmpracomponent.main.CmpRaComponent; import com.siemens.pki.cmpracomponent.main.CmpRaComponent.CmpRaInterface; @@ -74,7 +75,12 @@ private Configuration buildRaConfig() throws Exception { new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); return ConfigurationFactory.buildSimpleRaConfiguration( - downStreamCredentials, downstreamTrust, upstreamCredentials, upstreamTrust, enrollmentTrust); + downStreamCredentials, + ReprotectMode.keep, + downstreamTrust, + upstreamCredentials, + upstreamTrust, + enrollmentTrust); } @Override diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/TestCreateTestCertificateChains.java b/src/test/java/com/siemens/pki/cmpracomponent/test/TestCreateTestCertificateChains.java index 778ddfe6..2da4e1aa 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/TestCreateTestCertificateChains.java +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/TestCreateTestCertificateChains.java @@ -47,6 +47,7 @@ */ public class TestCreateTestCertificateChains { + private static final String SIGNATURE_ALGORITHM = "SHA512WITHECDSA"; private static final char[] STORE_PASSWORD = "Password".toCharArray(); private static final File CREDENTIAL_ROOT = new File("src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials"); @@ -129,23 +130,27 @@ private void createFullTestCertificateChain( @Ignore("execute if test credentials need a refresh") public void createTestCertificateChains() throws OperatorCreationException, IOException, GeneralSecurityException { final KeyPairGenerator keyPairGenerator = KeyPairGeneratorFactory.getEcKeyPairGenerator("secp521r1"); - createEnrollTestCertificateChain("ENROLL", keyPairGenerator, "SHA512WITHECDSA"); - createFullTestCertificateChain("CMP_CA", keyPairGenerator, "SHA512WITHECDSA"); + createEnrollTestCertificateChain("ENROLL", keyPairGenerator, SIGNATURE_ALGORITHM); + createFullTestCertificateChain( + "CMP_CA", + keyPairGenerator, + SIGNATURE_ALGORITHM, + TestCertificateFactory.createExtendedKeyUsageExtension(KeyPurposeId.id_kp_cmcCA)); createFullTestCertificateChain( "CMP_LRA_UPSTREAM", keyPairGenerator, - "SHA512WITHECDSA", - TestCertificateFactory.createExtendedKeyUsageExtension( - KeyPurposeId.id_kp_cmcRA, KeyPurposeId.anyExtendedKeyUsage)); + SIGNATURE_ALGORITHM, + TestCertificateFactory.createExtendedKeyUsageExtension(KeyPurposeId.id_kp_cmcRA)); createFullTestCertificateChain( "CMP_LRA_DOWNSTREAM", keyPairGenerator, - "SHA512WITHECDSA", - TestCertificateFactory.createExtendedKeyUsageExtension( - KeyPurposeId.id_kp_cmKGA, KeyPurposeId.anyExtendedKeyUsage)); - createFullTestCertificateChain("CMP_EE", keyPairGenerator, "SHA512WITHECDSA"); - // createTestCertificateChain("TLS", keyPairGenerator, "SHA512WITHECDSA", TestCertificateFactory - // .createExtendedKeyUsageExtension(KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth), - // TestCertificateFactory.createSubjectAlternativeNameExtension("localhost")); + SIGNATURE_ALGORITHM, + TestCertificateFactory.createExtendedKeyUsageExtension(KeyPurposeId.id_kp_cmKGA)); + createFullTestCertificateChain("CMP_EE", keyPairGenerator, SIGNATURE_ALGORITHM); + // createTestCertificateChain("TLS", keyPairGenerator, SIGNATURE_ALGORITHM, + // TestCertificateFactory + // .createExtendedKeyUsageExtension(KeyPurposeId.id_kp_clientAuth, + // KeyPurposeId.id_kp_serverAuth), + // TestCertificateFactory.createSubjectAlternativeNameExtension("localhost")); } } diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Chain.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Chain.pem index 7025312b..36b6deb5 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Chain.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Chain.pem @@ -1,52 +1,52 @@ -----BEGIN CERTIFICATE----- MIICfzCCAeCgAwIBAgIHAKqqAAAAAzAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0NNUF9DQV9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTM1MDkyMDA2NTky -MFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0NNUF9DQV9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTM1MTAwNDExMjQz +NFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtDTVBfQ0FfUk9PVDCBmzAQBgcqhkjOPQIB -BgUrgQQAIwOBhgAEAVt8DcHzPAvF0d5LMnqg+ScOy74e/d6CDDzjZRgzeE9pE3te -wFzSNMSACpuLOo3ADUmwpwUYyTiMU7lZNLpKywc9Ads7aaye43TPUcdBjZz9YagT -DtISNa+F8DZChu14D0q1sSm7OPbNP1PEcI278BaDfahzLH5tm+zSUhTM2BCd0O0e -o2YwZDAfBgNVHSMEGDAWgBREvfNr11lt/ynL9nE9tvmYxl85iDAdBgNVHQ4EFgQU -RL3za9dZbf8py/ZxPbb5mMZfOYgwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B -Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYwAMIGIAkIBmG0agTG1Btvq8Gp8g4ZZji8X -g/3w1aWK3J/qsoTK9jS3FXevE7j4Em9D7qSRFfZ8yWw2rpVpT8VZDaIU8CMnMFAC -QgD1UY012S8iO7xkmdXt2AUks/g4HoLDyN1HSqgwubrSIQhfAPKbikwNyTrTtPbT -9XeUFZXify3HKhrNmFHBZJL2aA== +BgUrgQQAIwOBhgAEASg9LMf9u3WtMuJfNVXIwqWxtvke3oZHk+ff9G/Qemg26AzG +xDhuVKvFjjogZA//T/2UjciZhQp8sjszRmJkwrNBAa64KaQb96FEWouFO1useZME +Y/I01BOlafzfY/CdVu3q/+YX8xKH5DvKEwM/1MHIC6utlA7Umr4SAY+FvjbICkXJ +o2YwZDAfBgNVHSMEGDAWgBQfsq0oIz89zaTts+wnTqdR/3u0LzAdBgNVHQ4EFgQU +H7KtKCM/Pc2k7bPsJ06nUf97tC8wEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B +Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYwAMIGIAkIB8QB7olOnGc5s1shimkXsUP+h +v0oV+M5h/mhLW2k9zZKibT7V3/wmrzM+GP8bOJB2t2tW7LCAp8FMgLNexQuBF2oC +QgG9XfajC/QfnztyHaKVO0qh/pPm3Zfo2E8+kk2Cg7zoLh/JhB9Zihvk8kiqptmX +UgffuEryV80sBgsbD1lnYAAeYg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIC4DCCAkGgAwIBAgIHAKqqAAAABDAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0NNUF9DQV9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTI4MDkyMDA2NTky -MFowUDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0NNUF9DQV9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTI4MTAwNDExMjQz +NFowUDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRYwFAYDVQQDDA1DTVBfQ0FfSVNTVUVSMIGbMBAGByqGSM49 -AgEGBSuBBAAjA4GGAAQAac9TGz5r+Ma771Sx31Qck4xCJo5BEpL83aIKqHIsBoA3 -N9yicyDBC7daoz6thepJok5oNIqBWmOqdG08bb7HwMgBw1OgUyFmvegZus+Fl8ER -tXD9idpgxCW/aRxZZf/77rKRikiJr7YzGRt8FaFHTJCaa77zv0THpSO9SmagMboH -yaujgcQwgcEwfAYDVR0jBHUwc4AURL3za9dZbf8py/ZxPbb5mMZfOYihUqRQME4x +AgEGBSuBBAAjA4GGAAQBIFvW4pe6LzLFnL3OuL/tIpUyIT1HKN/okansiCrhYHJP +dTkF2j+zquLJjgdlPnmn6fPVqNMtN2YTWfywj72GXRIBHW1DGA69K1DWGjGlDexX +jvGksPkC4f9xLCyJSXUAkDkfwTtg1M8/9kI8E1DPfxl9wPxG4Gc1UHYG3PGJZ+3k +3OKjgcQwgcEwfAYDVR0jBHUwc4AUH7KtKCM/Pc2k7bPsJ06nUf97tC+hUqRQME4x CzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcwFQYDVQQLEw5UZXN0RGVw YXJ0bWVudDEUMBIGA1UEAwwLQ01QX0NBX1JPT1SCBwCqqgAAAAMwHQYDVR0OBBYE -FFn3gIPBvmfU7AhKwRmzGqEV47hXMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E -CDAGAQH/AgEAMAoGCCqGSM49BAMEA4GMADCBiAJCAdaECb4LFysHpEVSGn3sDxGV -4u6qA3ihRVZD1OvN7MgyT8LVG7QtYAVMYv6ah+L4OiajoWHw9R4rjGVUaBc6vbdG -AkIBzoGkCVlTHrSVOhR5OaJ/EmZL3+KZBJdSrUdWUV2s+uwkmotfOSaG+QEl5vpp -FPyJCqc6fz2Qu4INr4b2tgHKz0U= +FBhaO2UURu7/4jKTnibJ/GuOmyTpMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E +CDAGAQH/AgEAMAoGCCqGSM49BAMEA4GMADCBiAJCAXC9pJINzbRTmARAdu5s1YFl +kcWbl8Z569RoWqZ+icTe9TtI0dA1fowsfxuQJirLMgjqc8g/oxJCxMAPTjQ3MaVI +AkIAmxzaFA4MfyV83diyVV7051cXNlA6TkQXe+lCZLSdqHzRtUT+nOvBgLrpm8+0 +NpWyRhRkpKkDwPzYfNq9dVS2+tM= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIC3jCCAkCgAwIBAgIHAKqqAAAABTAKBggqhkjOPQQDBDBQMQswCQYDVQQGEwJE +MIIC9zCCAligAwIBAgIHAKqqAAAABTAKBggqhkjOPQQDBDBQMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFjAU -BgNVBAMMDUNNUF9DQV9JU1NVRVIwHhcNMjMwOTIwMDU1OTIwWhcNMjgwOTIwMDY1 -OTIwWjBTMQswCQYDVQQGEwJERTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMO +BgNVBAMMDUNNUF9DQV9JU1NVRVIwHhcNMjMxMDA0MTAyNDM0WhcNMjgxMDA0MTEy +NDM0WjBTMQswCQYDVQQGEwJERTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMO VGVzdERlcGFydG1lbnQxGTAXBgNVBAMMEENNUF9DQV9FTkRFTlRJVFkwgZswEAYH -KoZIzj0CAQYFK4EEACMDgYYABABYbjIRzpsSM5EWAuhDc0Kv2X3NdouR3D8re1TJ -JzaCa8+tlaMZINeRtiuxEq4XPqGOmRngDr0RXcFXKnCnR+6CwgErRRGgOMBMq6so -sHUZYOgVVeTwnpMuTaJ/BvKPFz7dV0DM13XplJ+cySf0oVlKFYmqDG4pRsHdAOKm -QyPq+WENCqOBvjCBuzB8BgNVHSMEdTBzgBRZ94CDwb5n1OwISsEZsxqhFeO4V6FS +KoZIzj0CAQYFK4EEACMDgYYABAFG7xLUvm10QKuqpEZJvUt4faQiX/DoSr2qJmes +nldozGtM8rP/4tcoVQq2ma5PNtONK4Af0TPeTakjCUHq+qbVJQApEaXwjLqlIjGo +O8Fnz9GsB8nEkiGCJoMlnCugQ0y7fbWIIimirdmy4Fd7z2XIsNP91oI+E1GK00Z/ +CYBRYDn7xKOB1jCB0zB8BgNVHSMEdTBzgBQYWjtlFEbu/+Iyk54myfxrjpsk6aFS pFAwTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtDTVBfQ0FfUk9PVIIHAKqqAAAABDAdBgNV -HQ4EFgQUBr8nxYGEoPNyzTSifAISrrIT7gAwDAYDVR0TAQH/BAIwADAOBgNVHQ8B -Af8EBAMCA4gwCgYIKoZIzj0EAwQDgYsAMIGHAkIAzbyTyTyrC6IiX8z1v1+eCsfH -QEcrRvN+sxgEEfZwGsde6rfyP5S0Y6U2qF/viu6azTtSyC3Nt8g6WRlHBrQaJrYC -QTNWShd62Rb61B38IM+4RGuz4k8Qpbu47oWRa4i+uvUPMrmqgX2bd7S8LUVI7+GF -hxhhb5ka8lrT8Bi/gxqM0GmK +HQ4EFgQUyEJs9oX0dQgDri8S306/f2mjTrMwDAYDVR0TAQH/BAIwADAOBgNVHQ8B +Af8EBAMCA4gwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAxswCgYIKoZIzj0EAwQDgYwA +MIGIAkIA1CdrcDQ8jrf4MYnt+Nc5k5Qxnwf80G/vduQxTCGL9BJuJ3bkXACw7BMg +eAw5hAXNsxYhdG+2t4+RRyKgIgFyrAwCQgH0qsp3jPr1AAWS1TGQ6TBbF9m9C05D +M5Rgcbg1Sbwu/hcR5lbn2xUtGwBXnGxhncSikPQFyEevGFRCVFPxqf7oLw== -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Keystore.p12 b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Keystore.p12 index 0f185526..604606ab 100644 Binary files a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Keystore.p12 and b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Keystore.p12 differ diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Root.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Root.pem index 082b44e7..f2b327e7 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Root.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_Root.pem @@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE----- MIICfzCCAeCgAwIBAgIHAKqqAAAAAzAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0NNUF9DQV9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTM1MDkyMDA2NTky -MFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0NNUF9DQV9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTM1MTAwNDExMjQz +NFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtDTVBfQ0FfUk9PVDCBmzAQBgcqhkjOPQIB -BgUrgQQAIwOBhgAEAVt8DcHzPAvF0d5LMnqg+ScOy74e/d6CDDzjZRgzeE9pE3te -wFzSNMSACpuLOo3ADUmwpwUYyTiMU7lZNLpKywc9Ads7aaye43TPUcdBjZz9YagT -DtISNa+F8DZChu14D0q1sSm7OPbNP1PEcI278BaDfahzLH5tm+zSUhTM2BCd0O0e -o2YwZDAfBgNVHSMEGDAWgBREvfNr11lt/ynL9nE9tvmYxl85iDAdBgNVHQ4EFgQU -RL3za9dZbf8py/ZxPbb5mMZfOYgwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B -Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYwAMIGIAkIBmG0agTG1Btvq8Gp8g4ZZji8X -g/3w1aWK3J/qsoTK9jS3FXevE7j4Em9D7qSRFfZ8yWw2rpVpT8VZDaIU8CMnMFAC -QgD1UY012S8iO7xkmdXt2AUks/g4HoLDyN1HSqgwubrSIQhfAPKbikwNyTrTtPbT -9XeUFZXify3HKhrNmFHBZJL2aA== +BgUrgQQAIwOBhgAEASg9LMf9u3WtMuJfNVXIwqWxtvke3oZHk+ff9G/Qemg26AzG +xDhuVKvFjjogZA//T/2UjciZhQp8sjszRmJkwrNBAa64KaQb96FEWouFO1useZME +Y/I01BOlafzfY/CdVu3q/+YX8xKH5DvKEwM/1MHIC6utlA7Umr4SAY+FvjbICkXJ +o2YwZDAfBgNVHSMEGDAWgBQfsq0oIz89zaTts+wnTqdR/3u0LzAdBgNVHQ4EFgQU +H7KtKCM/Pc2k7bPsJ06nUf97tC8wEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B +Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYwAMIGIAkIB8QB7olOnGc5s1shimkXsUP+h +v0oV+M5h/mhLW2k9zZKibT7V3/wmrzM+GP8bOJB2t2tW7LCAp8FMgLNexQuBF2oC +QgG9XfajC/QfnztyHaKVO0qh/pPm3Zfo2E8+kk2Cg7zoLh/JhB9Zihvk8kiqptmX +UgffuEryV80sBgsbD1lnYAAeYg== -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem new file mode 100644 index 00000000..b747e16c --- /dev/null +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_CA_and_LRA_DOWNSTREAM_Root.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIICfzCCAeCgAwIBAgIHAKqqAAAAAzAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE +RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS +BgNVBAMMC0NNUF9DQV9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTM1MTAwNDExMjQz +NFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +c3REZXBhcnRtZW50MRQwEgYDVQQDDAtDTVBfQ0FfUk9PVDCBmzAQBgcqhkjOPQIB +BgUrgQQAIwOBhgAEASg9LMf9u3WtMuJfNVXIwqWxtvke3oZHk+ff9G/Qemg26AzG +xDhuVKvFjjogZA//T/2UjciZhQp8sjszRmJkwrNBAa64KaQb96FEWouFO1useZME +Y/I01BOlafzfY/CdVu3q/+YX8xKH5DvKEwM/1MHIC6utlA7Umr4SAY+FvjbICkXJ +o2YwZDAfBgNVHSMEGDAWgBQfsq0oIz89zaTts+wnTqdR/3u0LzAdBgNVHQ4EFgQU +H7KtKCM/Pc2k7bPsJ06nUf97tC8wEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B +Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYwAMIGIAkIB8QB7olOnGc5s1shimkXsUP+h +v0oV+M5h/mhLW2k9zZKibT7V3/wmrzM+GP8bOJB2t2tW7LCAp8FMgLNexQuBF2oC +QgG9XfajC/QfnztyHaKVO0qh/pPm3Zfo2E8+kk2Cg7zoLh/JhB9Zihvk8kiqptmX +UgffuEryV80sBgsbD1lnYAAeYg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIClzCCAfigAwIBAgIHAKqqAAAACTAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE +RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxIDAe +BgNVBAMMF0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UMB4XDTIzMTAwNDEwMjQzNFoX +DTM1MTAwNDExMjQzNFowWjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx +FzAVBgNVBAsTDlRlc3REZXBhcnRtZW50MSAwHgYDVQQDDBdDTVBfTFJBX0RPV05T +VFJFQU1fUk9PVDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAclEdI6QNYddUmzK +l33WIiDTBv+I8An32PpJOvN5nwNNuzwjt1Byldm0khEfzqK7nPOsdAaVK/rtH7kp +ZhGGLlVdAUTjA8+NUPN3v61dv9e7aZe2+ceCuAcVAi9EJGt9uU2Ep1RUK3CWjOqF +0vxHwrYSBa1FJf9tUanBijpy6RMVWvl5o2YwZDAfBgNVHSMEGDAWgBQlkyLoZECp +ByMoGxLAmBniOsOGyzAdBgNVHQ4EFgQUJZMi6GRAqQcjKBsSwJgZ4jrDhsswEgYD +VR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDgYwA +MIGIAkIAmUz9YKFGbVvMp3O8mkbJJPn5xnWW6zAAep/N9/OmcHA5GI0xUFZbiWpu +JpEX8gVbLpi2v8hY/5SYdIHqmvLeuq4CQgE8pa3omvkst/V0cSfSXEQpA7IOaT/p +7nYzi54DiQtMIwp7JnX/ydomIIBbOpjBC6gIw8tbzqUfZICqVzB0wtatSQ== +-----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Chain.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Chain.pem index 588561a3..32f517ad 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Chain.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Chain.pem @@ -1,52 +1,52 @@ -----BEGIN CERTIFICATE----- -MIICfjCCAeCgAwIBAgIHAKqqAAAADDAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE +MIICfTCCAeCgAwIBAgIHAKqqAAAADDAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0NNUF9FRV9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTM1MDkyMDA2NTky -MFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0NNUF9FRV9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTM1MTAwNDExMjQz +NFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtDTVBfRUVfUk9PVDCBmzAQBgcqhkjOPQIB -BgUrgQQAIwOBhgAEAfXPSfsShvDTXihlubjnAF63w0ua9EktfGiqUZ35ZFmy4/Gi -JHFQa/6ZJS27qLtrbLAx/2rhbs3wji6qEu2RYyaIAMxNDr0smr2HaXdJ3pQRDoKJ -ysQnGYivzxl3w/LnNcNiYTQyZIDP82h4tUW7NI0SZ6wlwCFZnCz5BANBvbAEw6Fu -o2YwZDAfBgNVHSMEGDAWgBSUK4GKDJAm1TTrWJgpUhMdACUoQjAdBgNVHQ4EFgQU -lCuBigyQJtU061iYKVITHQAlKEIwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B -Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYsAMIGHAkIBH3DpVvMPZtetUFe/T44wF0rS -agKomSHNxDXT2rh1WJjK9XfG/1FF0NQq+taUwaxchyCYlwn08G6zvedM+hnWmjkC -QRiNk0m5OrmbSO1rW4KDFbPk1zlclhQivLQDZsqrcpmAVF8aIWNCVQlSEGAVa2RH -o07qH+ljmycazv9iC5rOz65Z +BgUrgQQAIwOBhgAEAF/alxcVRCAUmkryJcaXHsR1/ItgyvFHTN2kY++WS8FJVDpm +nkKVy4Acl6xlX7fk5CHKYMGN3dkv3u1V/FsWrsd0ATP+wmz1GmapO7rkef+nSgBw ++Zd3fXyaooYKyhu7jKWvw68PDeKCVNtnBySTXr5ZfLBUGIcTt16wuNh3FbyFk/+3 +o2YwZDAfBgNVHSMEGDAWgBT783KdzzRUTRg1hXrR1th4cqldmDAdBgNVHQ4EFgQU ++/Nync80VE0YNYV60dbYeHKpXZgwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B +Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYoAMIGGAkEMP/trU2X1Q2sFSUY8mYRSXN1o +0137QOmh2RxyMaP46XkY5DGOzY6TwNox4Tsi54OiIe0ecovWbwJK2/QZcJiVmQJB +E/MnihdlqIzQVL2L8AoUAkVTCG8fdxseF8CZc7lVCdqx3+L/FlF3bw694dtvn9TA +a4HgZhjRMUq8zj2u1Xn+boc= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIC3zCCAkGgAwIBAgIHAKqqAAAADTAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE +MIIC4DCCAkGgAwIBAgIHAKqqAAAADTAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0NNUF9FRV9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTI4MDkyMDA2NTky -MFowUDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0NNUF9FRV9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTI4MTAwNDExMjQz +NFowUDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRYwFAYDVQQDDA1DTVBfRUVfSVNTVUVSMIGbMBAGByqGSM49 -AgEGBSuBBAAjA4GGAAQBwEbpS+MS2x8RfodSfjJ5Kz4Ch+jRmQC9ylhOcqHoHP78 -8LClpdeLfR3UJrkNdeioSazv4cjM+tjmbmxmgSPnaw0A4derHZDAjbgwvGfVLknq -296nCX1zzxrzjaknRcd7MetGASX6sA2qJWXYmfZB8ZSSe+uSVV2VLlyNXmuEN8bW -q9KjgcQwgcEwfAYDVR0jBHUwc4AUlCuBigyQJtU061iYKVITHQAlKEKhUqRQME4x +AgEGBSuBBAAjA4GGAAQAc9+aGL+MIBOQQN2EUd6GCktPLe03sEERyjAMXZCTjWs1 +v3cdbkiU+VbHZLNMmrLO0C0K886v4hSPb8PVLwsnc0YAnlC1cfX5dTn7TZ/MP2Gd +6jFWsJVp1zxFs9WMB+6o5zWKS7YhisLqfEIl+RXe+NXAN4DIs9UQrGtTQUDSR7Xz +pnqjgcQwgcEwfAYDVR0jBHUwc4AU+/Nync80VE0YNYV60dbYeHKpXZihUqRQME4x CzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcwFQYDVQQLEw5UZXN0RGVw YXJ0bWVudDEUMBIGA1UEAwwLQ01QX0VFX1JPT1SCBwCqqgAAAAwwHQYDVR0OBBYE -FEm9P2+it6D7rzRu7ByLobF1Dm6tMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E -CDAGAQH/AgEAMAoGCCqGSM49BAMEA4GLADCBhwJBXh+UnnlheJ9oLZzrMW0hNjM7 -Uh1hz3dm3OE/KWzAsFBv0TRWymnNDfCnizihvKyJJjByMa4Jl97qbNjsnbuwmegC -QgC4oPnG/hxAZnR1ZVFoCEVxyz/QLSyi4/qCFfwEMfARiOHCue2nYVE5eL/+/LOL -Udn9Bw4p4r39BzoaPp0r3Mq7nw== +FA5fqTiLjtoQglWX+5G04g1ql61kMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E +CDAGAQH/AgEAMAoGCCqGSM49BAMEA4GMADCBiAJCAMR269jVAm532dbZxCcJWUWB +oJU4DouwYxOxQl7GxOFC1uWkvYkCuP6NRJfF7eAwGwtREfNKIGEpj32S3hx1hwsE +AkIB3g54pu2+VDL5GCFjQhwWomN9KrpHcXOOVT2K+QjtZGWBeLAyj2H1SmD/uRIX +tbIl8jVFnXkjRzKMbBF15fM0Olc= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIC3jCCAkCgAwIBAgIHAKqqAAAADjAKBggqhkjOPQQDBDBQMQswCQYDVQQGEwJE +MIIC3zCCAkCgAwIBAgIHAKqqAAAADjAKBggqhkjOPQQDBDBQMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFjAU -BgNVBAMMDUNNUF9FRV9JU1NVRVIwHhcNMjMwOTIwMDU1OTIwWhcNMjgwOTIwMDY1 -OTIwWjBTMQswCQYDVQQGEwJERTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMO +BgNVBAMMDUNNUF9FRV9JU1NVRVIwHhcNMjMxMDA0MTAyNDM0WhcNMjgxMDA0MTEy +NDM0WjBTMQswCQYDVQQGEwJERTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMO VGVzdERlcGFydG1lbnQxGTAXBgNVBAMMEENNUF9FRV9FTkRFTlRJVFkwgZswEAYH -KoZIzj0CAQYFK4EEACMDgYYABAHpzF1HzxzgDrhNrKhueDEnK+8OE7oi2bBRbzGy -VO8sdGb8ohT7cTx87Qw+TNBlkZ4cHpsz4BZgmarAC9ViCFocuwC4eyVzQPor3/5C -wGatyaGVuj9nwmv3QN6yoYv7Zqzimb/NsF1HXI6fgxH4d8lOjXAa6vTvt3WV3jNV -aUX3wJEJ3aOBvjCBuzB8BgNVHSMEdTBzgBRJvT9voreg+680buwci6GxdQ5uraFS +KoZIzj0CAQYFK4EEACMDgYYABAAslhSvipoxAxMTdLNAEpDlBHqgdhOMS3jKQSbv +yliUp2dTiYWkFzdCu2791Mdn6OLlcK/25Xo1U6aJqsCq9U3i5QEMZCfqn/otqphW +OQcwn+g8FiN2W+t248ia4+EvkXYwo1+ImA7BUWpdETkDBy8FLUeFlZXuDUE+4OUA +KkajRFVovKOBvjCBuzB8BgNVHSMEdTBzgBQOX6k4i47aEIJVl/uRtOINapetZKFS pFAwTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtDTVBfRUVfUk9PVIIHAKqqAAAADTAdBgNV -HQ4EFgQUjaQS72RDUpQIA0ZlGnWgGjZbNBEwDAYDVR0TAQH/BAIwADAOBgNVHQ8B -Af8EBAMCA4gwCgYIKoZIzj0EAwQDgYsAMIGHAkIAj8VwpZMjPX4WmelsyohL6DW9 -8dNa7fXM6XoH48n2osd15BNyEs8UqXE83J9zHLWCdLXNGDdCj0PLLryFgqgK3rUC -QRpl1i1H6EP6L3/k7h+pAAE44TkUtt1S+e3C8vhyBZVY0JRreW+lLgrFDzpCO5MI -EqwbO2oA6ovzojd04FSMcn3t +HQ4EFgQU6iO6rojoAvuGKL9ruINxdA7qXnQwDAYDVR0TAQH/BAIwADAOBgNVHQ8B +Af8EBAMCA4gwCgYIKoZIzj0EAwQDgYwAMIGIAkIBFY9+1ABd+GfeSqxTENPqBJTV +MMEJuQXhVfxFZiENt6RLqpPOz2DZhbX1cidMlnbpXmfNbQVRl1TW/fZ97V8He0oC +QgHXyNY8lDTwmDw65UFbsR+YNKj052Tg4kejG49xoWBgwezmkcB8d/LiZeBXrFil +30rG1RIeuf6qvhMchUSA3hIdZQ== -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Keystore.p12 b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Keystore.p12 index 98ac1f9e..b850fadf 100644 Binary files a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Keystore.p12 and b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Keystore.p12 differ diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Root.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Root.pem index cdbb0579..aa31274a 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Root.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_EE_Root.pem @@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE----- -MIICfjCCAeCgAwIBAgIHAKqqAAAADDAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE +MIICfTCCAeCgAwIBAgIHAKqqAAAADDAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0NNUF9FRV9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTM1MDkyMDA2NTky -MFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0NNUF9FRV9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTM1MTAwNDExMjQz +NFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtDTVBfRUVfUk9PVDCBmzAQBgcqhkjOPQIB -BgUrgQQAIwOBhgAEAfXPSfsShvDTXihlubjnAF63w0ua9EktfGiqUZ35ZFmy4/Gi -JHFQa/6ZJS27qLtrbLAx/2rhbs3wji6qEu2RYyaIAMxNDr0smr2HaXdJ3pQRDoKJ -ysQnGYivzxl3w/LnNcNiYTQyZIDP82h4tUW7NI0SZ6wlwCFZnCz5BANBvbAEw6Fu -o2YwZDAfBgNVHSMEGDAWgBSUK4GKDJAm1TTrWJgpUhMdACUoQjAdBgNVHQ4EFgQU -lCuBigyQJtU061iYKVITHQAlKEIwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B -Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYsAMIGHAkIBH3DpVvMPZtetUFe/T44wF0rS -agKomSHNxDXT2rh1WJjK9XfG/1FF0NQq+taUwaxchyCYlwn08G6zvedM+hnWmjkC -QRiNk0m5OrmbSO1rW4KDFbPk1zlclhQivLQDZsqrcpmAVF8aIWNCVQlSEGAVa2RH -o07qH+ljmycazv9iC5rOz65Z +BgUrgQQAIwOBhgAEAF/alxcVRCAUmkryJcaXHsR1/ItgyvFHTN2kY++WS8FJVDpm +nkKVy4Acl6xlX7fk5CHKYMGN3dkv3u1V/FsWrsd0ATP+wmz1GmapO7rkef+nSgBw ++Zd3fXyaooYKyhu7jKWvw68PDeKCVNtnBySTXr5ZfLBUGIcTt16wuNh3FbyFk/+3 +o2YwZDAfBgNVHSMEGDAWgBT783KdzzRUTRg1hXrR1th4cqldmDAdBgNVHQ4EFgQU ++/Nync80VE0YNYV60dbYeHKpXZgwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B +Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYoAMIGGAkEMP/trU2X1Q2sFSUY8mYRSXN1o +0137QOmh2RxyMaP46XkY5DGOzY6TwNox4Tsi54OiIe0ecovWbwJK2/QZcJiVmQJB +E/MnihdlqIzQVL2L8AoUAkVTCG8fdxseF8CZc7lVCdqx3+L/FlF3bw694dtvn9TA +a4HgZhjRMUq8zj2u1Xn+boc= -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Chain.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Chain.pem index b999365e..65833d3b 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Chain.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Chain.pem @@ -1,54 +1,54 @@ -----BEGIN CERTIFICATE----- -MIICljCCAfigAwIBAgIHAKqqAAAACTAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE +MIIClzCCAfigAwIBAgIHAKqqAAAACTAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxIDAe -BgNVBAMMF0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UMB4XDTIzMDkyMDA1NTkyMFoX -DTM1MDkyMDA2NTkyMFowWjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx +BgNVBAMMF0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UMB4XDTIzMTAwNDEwMjQzNFoX +DTM1MTAwNDExMjQzNFowWjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx FzAVBgNVBAsTDlRlc3REZXBhcnRtZW50MSAwHgYDVQQDDBdDTVBfTFJBX0RPV05T -VFJFQU1fUk9PVDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAARZxJLr9KBSvRAG -TqZC8QUYl/0EwDjFdAnh7SyUwJorfBpvKPyvkFvUUnqvIk9GQ9Y4SR9K+ST3+iW5 -yK1jAtU/AVYQQ14da4s7sRoi/8NaJR4pKtiw4inTG40rVXAJPN4d8bJdXpFUHFo2 -Pj110fI6CnLTXNJSVzkjlMbeN24lS/J5o2YwZDAfBgNVHSMEGDAWgBTEKSruXrRe -BAc3wE9MH9T4GUaY2DAdBgNVHQ4EFgQUxCkq7l60XgQHN8BPTB/U+BlGmNgwEgYD -VR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDgYsA -MIGHAkIBbl/HLYpCP8hzHMCPTe04iBuOjAUcERYkefnzC03lgA1YVTq9VBoxGF/g -35n11JGWpheF5dkboaCS7wE5jNfn330CQQnmYRd0fivqudFqEhPC6pu5yb0RrtH7 -ownw+4xbBmmIzx+n5mDwG6U+dI7GokcguQpCO2Ccjfu3GJIa2uuUejiR +VFJFQU1fUk9PVDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAclEdI6QNYddUmzK +l33WIiDTBv+I8An32PpJOvN5nwNNuzwjt1Byldm0khEfzqK7nPOsdAaVK/rtH7kp +ZhGGLlVdAUTjA8+NUPN3v61dv9e7aZe2+ceCuAcVAi9EJGt9uU2Ep1RUK3CWjOqF +0vxHwrYSBa1FJf9tUanBijpy6RMVWvl5o2YwZDAfBgNVHSMEGDAWgBQlkyLoZECp +ByMoGxLAmBniOsOGyzAdBgNVHQ4EFgQUJZMi6GRAqQcjKBsSwJgZ4jrDhsswEgYD +VR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDgYwA +MIGIAkIAmUz9YKFGbVvMp3O8mkbJJPn5xnWW6zAAep/N9/OmcHA5GI0xUFZbiWpu +JpEX8gVbLpi2v8hY/5SYdIHqmvLeuq4CQgE8pa3omvkst/V0cSfSXEQpA7IOaT/p +7nYzi54DiQtMIwp7JnX/ydomIIBbOpjBC6gIw8tbzqUfZICqVzB0wtatSQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDBTCCAmegAwIBAgIHAKqqAAAACjAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE +MIIDBjCCAmegAwIBAgIHAKqqAAAACjAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxIDAe -BgNVBAMMF0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UMB4XDTIzMDkyMDA1NTkyMFoX -DTI4MDkyMDA2NTkyMFowXDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx +BgNVBAMMF0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UMB4XDTIzMTAwNDEwMjQzNFoX +DTI4MTAwNDExMjQzNFowXDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx FzAVBgNVBAsTDlRlc3REZXBhcnRtZW50MSIwIAYDVQQDDBlDTVBfTFJBX0RPV05T -VFJFQU1fSVNTVUVSMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAruMfTM6rC7cY -zJQB7+iNvBAGK/AHKcYI7m11Sh5gobLF4UF7xPj+6VKkUPBCWndPcS/ape3zxNc6 -oc2SFjtmm1QBvK4zTqPiQUnvXCGndPVM3bzcjgXNSxdeplYv27OlkqyBeTxOeyMG -Eo8t204F2sDN0kfJpB8L5v4tivfHu2p12VejgdIwgc8wgYkGA1UdIwSBgTB/gBTE -KSruXrReBAc3wE9MH9T4GUaY2KFepFwwWjELMAkGA1UEBhMCREUxEDAOBgNVBAoT +VFJFQU1fSVNTVUVSMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB8n/4VLf6YKnZ +yxG59x9CMS4rB5xwKSRU73gK9wzVgpYStyHryuTJ5IZqxGXakkWqcKzytbNuf4+B +GSgRKt42cdIAMM+w5gwv4nrrE91kUQc1GsVee3bemb6tL3g5/tTpZ6jCLhG73rD2 +FhEvDaYwQbM2M44fRxa6+SHXxkbiTUdbvgSjgdIwgc8wgYkGA1UdIwSBgTB/gBQl +kyLoZECpByMoGxLAmBniOsOGy6FepFwwWjELMAkGA1UEBhMCREUxEDAOBgNVBAoT B1NpZW1lbnMxFzAVBgNVBAsTDlRlc3REZXBhcnRtZW50MSAwHgYDVQQDDBdDTVBf -TFJBX0RPV05TVFJFQU1fUk9PVIIHAKqqAAAACTAdBgNVHQ4EFgQUsjp+i6jnNYMb -T0HGI3AYmXqHfxcwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw -CgYIKoZIzj0EAwQDgYsAMIGHAkEjCOY2ipODxtkeaNWOhM9PKV5BjJWQUZxB24/J -jQh+yL7gz8ZfSa92ZO4D6gju2/9Qk05Cys1oIiS1m6MdM0CdxgJCAJbKq5rWZCfs -QPNK7TdzpwUYsQib5b/j+e4k389nD2qNUH30PrI1wVPrSrccNETFDzX4AXmfoRBU -EeIVOkbkvmta +TFJBX0RPV05TVFJFQU1fUk9PVIIHAKqqAAAACTAdBgNVHQ4EFgQUzgzmORQwjbji +36fnLVBnoY64bUMwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw +CgYIKoZIzj0EAwQDgYwAMIGIAkIBLfQtra0Bl9WN7wluGJWaN1TLD2TQlAD3h8eQ +SK/DudcO6fNhiBHg6UngGD3pNWX/ct0ye3fmieswhcpLLaSmXPcCQgGAwQ6oIcAx +kN3Q8ulxynIxO77/zwIE2iWbOG54hRvpFySnaxDetn7v7sy/3lJlwfrrXsCusbQf +xvuXh534jmPwjg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDIzCCAoSgAwIBAgIHAKqqAAAACzAKBggqhkjOPQQDBDBcMQswCQYDVQQGEwJE +MIIDHTCCAn6gAwIBAgIHAKqqAAAACzAKBggqhkjOPQQDBDBcMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxIjAg -BgNVBAMMGUNNUF9MUkFfRE9XTlNUUkVBTV9JU1NVRVIwHhcNMjMwOTIwMDU1OTIw -WhcNMjgwOTIwMDY1OTIwWjBfMQswCQYDVQQGEwJERTEQMA4GA1UEChMHU2llbWVu +BgNVBAMMGUNNUF9MUkFfRE9XTlNUUkVBTV9JU1NVRVIwHhcNMjMxMDA0MTAyNDM0 +WhcNMjgxMDA0MTEyNDM0WjBfMQswCQYDVQQGEwJERTEQMA4GA1UEChMHU2llbWVu czEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxJTAjBgNVBAMMHENNUF9MUkFfRE9X -TlNUUkVBTV9FTkRFTlRJVFkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAHLfnYX -XaW2pbBdQUlvXIAKQaecvRxuPFWTrOlCJ0bIMsmt/X50wia9ndURKanTvJT+o3EV -MY4qOlBAOsoYB3qKJQH8XyhQdaMNMIBbb+nnva7hjinP22ZO3U2lcdVChne1VnlN -wJm6IfZNIuTjYzF0gDUT5IDpVivICpU9WCpnY/ltLaOB6jCB5zCBiQYDVR0jBIGB -MH+AFLI6fouo5zWDG09BxiNwGJl6h38XoV6kXDBaMQswCQYDVQQGEwJERTEQMA4G +TlNUUkVBTV9FTkRFTlRJVFkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADOp44x +pQ6bb1lLR4S8QbRaueiZbm79fcqkI0KkSizkzdb3o4LGyLoUNdFE50wh8JnidVlW +y2RiZVWdiYn0xTfRJAG4xdxDmWicliqvtCSLOb/SxQJOsmLmJDyrs3halpIm53D7 +h7ZTYwmQKuQ8+sGPV5qZ5ddOgP1GhZvZ8CZ634EWOaOB5DCB4TCBiQYDVR0jBIGB +MH+AFM4M5jkUMI244t+n5y1QZ6GOuG1DoV6kXDBaMQswCQYDVQQGEwJERTEQMA4G A1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxIDAeBgNVBAMM -F0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UggcAqqoAAAAKMB0GA1UdDgQWBBSUcIsE -zy+vF5QSCRTQpkXbtUyVnDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIDiDAc -BgNVHSUBAf8EEjAQBggrBgEFBQcDIAYEVR0lADAKBggqhkjOPQQDBAOBjAAwgYgC -QgGexiYAB4RAjZupreCI+NV+tnJqi48pb/Co59stHBiGq/QbWVyAv5DzUjw5hVTt -+9kVBh9iiCclaeEaeM6aFBeg6gJCAdj9wS7kV6NqRV9CFAjjnuxWe6fNQCfFYjI7 -WUrE61H3bd5mBnMiKRHXR4h8ljsHXJznV/Od+6ksbhaXYK5IrJ/Y +F0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UggcAqqoAAAAKMB0GA1UdDgQWBBSaKmKW +pstee+2TRwtU+nPfAD9qYjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIDiDAW +BgNVHSUBAf8EDDAKBggrBgEFBQcDIDAKBggqhkjOPQQDBAOBjAAwgYgCQgCFzSB6 +V+p6ylQRbvo438gR0U50CjhWaFGKPDlRlPXUoYGD8QKRTt2/SRWGv4U1aoJ9sZ5u +A7trvt8FnAoBCLbECwJCAXOSQRiTD1TgfD/3fumARGdxs/d0wgJZyxMLgvO2HaCh +yWJEWBAKUo+aZNv46R/JFVapzc8XRZbITDoitaxjpdWc -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Keystore.p12 b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Keystore.p12 index 842120fe..863ba123 100644 Binary files a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Keystore.p12 and b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Keystore.p12 differ diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Root.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Root.pem index c9bdb749..3883b118 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Root.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_DOWNSTREAM_Root.pem @@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE----- -MIICljCCAfigAwIBAgIHAKqqAAAACTAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE +MIIClzCCAfigAwIBAgIHAKqqAAAACTAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxIDAe -BgNVBAMMF0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UMB4XDTIzMDkyMDA1NTkyMFoX -DTM1MDkyMDA2NTkyMFowWjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx +BgNVBAMMF0NNUF9MUkFfRE9XTlNUUkVBTV9ST09UMB4XDTIzMTAwNDEwMjQzNFoX +DTM1MTAwNDExMjQzNFowWjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx FzAVBgNVBAsTDlRlc3REZXBhcnRtZW50MSAwHgYDVQQDDBdDTVBfTFJBX0RPV05T -VFJFQU1fUk9PVDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAARZxJLr9KBSvRAG -TqZC8QUYl/0EwDjFdAnh7SyUwJorfBpvKPyvkFvUUnqvIk9GQ9Y4SR9K+ST3+iW5 -yK1jAtU/AVYQQ14da4s7sRoi/8NaJR4pKtiw4inTG40rVXAJPN4d8bJdXpFUHFo2 -Pj110fI6CnLTXNJSVzkjlMbeN24lS/J5o2YwZDAfBgNVHSMEGDAWgBTEKSruXrRe -BAc3wE9MH9T4GUaY2DAdBgNVHQ4EFgQUxCkq7l60XgQHN8BPTB/U+BlGmNgwEgYD -VR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDgYsA -MIGHAkIBbl/HLYpCP8hzHMCPTe04iBuOjAUcERYkefnzC03lgA1YVTq9VBoxGF/g -35n11JGWpheF5dkboaCS7wE5jNfn330CQQnmYRd0fivqudFqEhPC6pu5yb0RrtH7 -ownw+4xbBmmIzx+n5mDwG6U+dI7GokcguQpCO2Ccjfu3GJIa2uuUejiR +VFJFQU1fUk9PVDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAclEdI6QNYddUmzK +l33WIiDTBv+I8An32PpJOvN5nwNNuzwjt1Byldm0khEfzqK7nPOsdAaVK/rtH7kp +ZhGGLlVdAUTjA8+NUPN3v61dv9e7aZe2+ceCuAcVAi9EJGt9uU2Ep1RUK3CWjOqF +0vxHwrYSBa1FJf9tUanBijpy6RMVWvl5o2YwZDAfBgNVHSMEGDAWgBQlkyLoZECp +ByMoGxLAmBniOsOGyzAdBgNVHQ4EFgQUJZMi6GRAqQcjKBsSwJgZ4jrDhsswEgYD +VR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDgYwA +MIGIAkIAmUz9YKFGbVvMp3O8mkbJJPn5xnWW6zAAep/N9/OmcHA5GI0xUFZbiWpu +JpEX8gVbLpi2v8hY/5SYdIHqmvLeuq4CQgE8pa3omvkst/V0cSfSXEQpA7IOaT/p +7nYzi54DiQtMIwp7JnX/ydomIIBbOpjBC6gIw8tbzqUfZICqVzB0wtatSQ== -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Chain.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Chain.pem index 60b8c982..713d4205 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Chain.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Chain.pem @@ -1,54 +1,54 @@ -----BEGIN CERTIFICATE----- -MIICkzCCAfSgAwIBAgIHAKqqAAAABjAKBggqhkjOPQQDBDBYMQswCQYDVQQGEwJE +MIICkjCCAfSgAwIBAgIHAKqqAAAABjAKBggqhkjOPQQDBDBYMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxHjAc -BgNVBAMMFUNNUF9MUkFfVVBTVFJFQU1fUk9PVDAeFw0yMzA5MjAwNTU5MjBaFw0z -NTA5MjAwNjU5MjBaMFgxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcw +BgNVBAMMFUNNUF9MUkFfVVBTVFJFQU1fUk9PVDAeFw0yMzEwMDQxMDI0MzRaFw0z +NTEwMDQxMTI0MzRaMFgxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcw FQYDVQQLEw5UZXN0RGVwYXJ0bWVudDEeMBwGA1UEAwwVQ01QX0xSQV9VUFNUUkVB -TV9ST09UMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAAQnG4YLjAHSUkrbPCfRS -KVWyNNu91JMgWwYCUEhwnFD5/uLmCxbaNrV+DGJ6WA/oVPiX5n2Pfn1SEv/irC6k -SY8BwEVbHCzbETZ7zv6ZSGSiCEvg5UL5w4zoj0/BIYvaTzKCsIvU/a+zTtCD0B/X -t35Hf+xHZZXIytfRK8F2q8mMlrmjZjBkMB8GA1UdIwQYMBaAFK/ARbrXdTAIQPWB -+aadc1OK4fGHMB0GA1UdDgQWBBSvwEW613UwCED1gfmmnXNTiuHxhzASBgNVHRMB -Af8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDBAOBjAAwgYgC -QgFgtgpTKjXDTE5Hmj9aWvPLhYsxWnDEedUXW6JM8JKEVTeq5rqvCad52NotJTcD -4uRVzBkSKYCaqMdMw5FEubiU1AJCARN2nlS7PY3o6W65UeSMgcpDjgMgjeElsYu3 -I6fQaL0t93bVDnI6VOS8BKWv31Nwy2ynAzrZntIBgKFZPXK7VSgY +TV9ST09UMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBWD3Y1YpyKDkEpYnO0uR8 +7anjgXAf6iryFUcHlKhUcJC63Tkoy4AGdTfFOhOnBw9r6eczReAa+t30QDLyPKxE +4BEA48GlDUa2qpqY6WGmwqFV/Z8JHhQruQCu9V0Xsf5vtyturlT3CpNACGL8Xv/E +sFDr6HhdyNhB6r5QDxHN01Ks3ZSjZjBkMB8GA1UdIwQYMBaAFD32zAitj1flBIQM +SN96c6jG2TfeMB0GA1UdDgQWBBQ99swIrY9X5QSEDEjfenOoxtk33jASBgNVHRMB +Af8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDBAOBiwAwgYcC +QSbhvfitKBQi2uDhbtNJLMB/DCoLI8A8yRb7ZnIrH8SzPH0ueO8r97biDJc0GVzl +WAi/Pp6DkzV/eJM/+17GBe3rAkIBsaDHsH0kWbOPrCS/d6Pda5EtFA7dD3UKLHQ1 +/alP/f9ggcy7qgg4/TYU9L54HA1q4GiStw8posf/LnlMHmA0iMs= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIC/zCCAmCgAwIBAgIHAKqqAAAABzAKBggqhkjOPQQDBDBYMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxHjAc -BgNVBAMMFUNNUF9MUkFfVVBTVFJFQU1fUk9PVDAeFw0yMzA5MjAwNTU5MjBaFw0y -ODA5MjAwNjU5MjBaMFoxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcw +BgNVBAMMFUNNUF9MUkFfVVBTVFJFQU1fUk9PVDAeFw0yMzEwMDQxMDI0MzRaFw0y +ODEwMDQxMTI0MzRaMFoxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcw FQYDVQQLEw5UZXN0RGVwYXJ0bWVudDEgMB4GA1UEAwwXQ01QX0xSQV9VUFNUUkVB -TV9JU1NVRVIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABADD8fD0R3AbvwSbGjoe -7hnw4rBmnJDl8MhgkIx/ZoY3Ekmu2iMXx4CpZVQFQdPA2AhmBG6Hmc1eovMyLohl -hH+zFQFVDnspTz3w4ehID65MO3LiUPQvskEAmkJWQcGLVQPSVlWtFBy2RxzVZthM -XlC1AaOVGeDmQf6RaVAc1XxUKGmRtaOBzzCBzDCBhgYDVR0jBH8wfYAUr8BFutd1 -MAhA9YH5pp1zU4rh8YehXKRaMFgxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVt +TV9JU1NVRVIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAF87/IIzzmlfbD+26JC +zsvS0O8CnExYRZ/R25ATlqKLhcrdT7eL4izA8JBp+Aanqj6EN9LMIYl00iSPazZi +LpyaHwFuImw9/ekzonCan87eyVB9yb3urSFlFSXkSphy7Pa2K+7fo268VfOh2pu4 +ehZaRyACckDho2iStCZy8UJvMWhdJqOBzzCBzDCBhgYDVR0jBH8wfYAUPfbMCK2P +V+UEhAxI33pzqMbZN96hXKRaMFgxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVt ZW5zMRcwFQYDVQQLEw5UZXN0RGVwYXJ0bWVudDEeMBwGA1UEAwwVQ01QX0xSQV9V -UFNUUkVBTV9ST09UggcAqqoAAAAGMB0GA1UdDgQWBBRwjQgnQQTNsjghlH+hccPz -1N2WdzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAKBggqhkjO -PQQDBAOBjAAwgYgCQgGba72WLlAnCOrt++uC+v/7oGpIx1uCnx6GXobFnOq3LYtU -pcFwdlBOwUKU/3e/kAkOO/sH6klLPJIu5Y3splheHAJCAP/Jmeg4PymeD8mSxh+I -KF7z+KU3d3yXyQkDffub88xsLCIXGizgZ1kviq1KuO5y4Qrawq+2vOdgBj9FulhI -uKgd +UFNUUkVBTV9ST09UggcAqqoAAAAGMB0GA1UdDgQWBBRjK7JKcQG2+QgZvUN2Rltd +Res1uTAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAKBggqhkjO +PQQDBAOBjAAwgYgCQgEo/mKNe6ab0Kqq0/KXBFEDlB8UgeHO/D93ne4PUlUp9rDW +XVgR0CoDW7HIB91igrUIOeuKnuIKKNNYzqU3q5pLVAJCAKrB3d589iX8gKVXSsj+ +i28bGf7HMCFtgChNdC6ZMcn686qR9g5einREwzW6s/LbrvmLzWzgo+XGWolc0Vmb +Zyg6 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDHDCCAn2gAwIBAgIHAKqqAAAACDAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE +MIIDFjCCAnegAwIBAgIHAKqqAAAACDAKBggqhkjOPQQDBDBaMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxIDAe -BgNVBAMMF0NNUF9MUkFfVVBTVFJFQU1fSVNTVUVSMB4XDTIzMDkyMDA1NTkyMFoX -DTI4MDkyMDA2NTkyMFowXTELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx +BgNVBAMMF0NNUF9MUkFfVVBTVFJFQU1fSVNTVUVSMB4XDTIzMTAwNDEwMjQzNFoX +DTI4MTAwNDExMjQzNFowXTELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMx FzAVBgNVBAsTDlRlc3REZXBhcnRtZW50MSMwIQYDVQQDDBpDTVBfTFJBX1VQU1RS -RUFNX0VOREVOVElUWTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAYdvzt0SJ/Ce -V4CTkJ64EFnEndMO8pWmWsrgacGfhlHH/aZGjOUqQGNhAF/1VFn+KZZALDCw12RJ -Z0LhO7badogtAQfw5Z0oXLbojdl/Xgso13AtgPTy/iIbF1LyqJnOT5dxBOxxqrZw -HUYfRP6EQCMQUOMDLhi6Bxm448Pm5bUMoSP2o4HnMIHkMIGGBgNVHSMEfzB9gBRw -jQgnQQTNsjghlH+hccPz1N2Wd6FcpFowWDELMAkGA1UEBhMCREUxEDAOBgNVBAoT +RUFNX0VOREVOVElUWTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAeNMi9bHnHH+ +MahSG0Pj3a4xqivj4jx+/daXcAQv62EXyhFpBQ/pNZyeYOaXduKmeYQILj0yxa5i +uPfQN/MlZFHgAaTkrXR1PvPEd9oa6BWgBF0j4LD1usAmJTZstXtjmF8Jv+zyPRY8 +hhbiPhYmuER8nZ1CO1uGNLIyo+92+HDbEjrho4HhMIHeMIGGBgNVHSMEfzB9gBRj +K7JKcQG2+QgZvUN2RltdRes1uaFcpFowWDELMAkGA1UEBhMCREUxEDAOBgNVBAoT B1NpZW1lbnMxFzAVBgNVBAsTDlRlc3REZXBhcnRtZW50MR4wHAYDVQQDDBVDTVBf -TFJBX1VQU1RSRUFNX1JPT1SCBwCqqgAAAAcwHQYDVR0OBBYEFLNIYpue+NveVw3F -M0txZ37rTx5MMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOIMBwGA1UdJQEB -/wQSMBAGCCsGAQUFBwMcBgRVHSUAMAoGCCqGSM49BAMEA4GMADCBiAJCAQtHzdK9 -sY4iUw4hIuJSiXnyvl+cY5TfjukiG+yR4fBgmIob4C8CfcmH5WYn8HdRgnOP0qd5 -4jKKqImWGjpXiIckAkIB1GSW481ayqf9TboaA6dTcoIXkFOwJrtdiFtTn2usrnO7 -bEnWzTIDuDhjYY82gAa1NDSMRg6DpScS34djqTuPoS8= +TFJBX1VQU1RSRUFNX1JPT1SCBwCqqgAAAAcwHQYDVR0OBBYEFF01TJohH8DZx72K +0joiOtbzM8WnMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOIMBYGA1UdJQEB +/wQMMAoGCCsGAQUFBwMcMAoGCCqGSM49BAMEA4GMADCBiAJCAJPiMwZ8mUYAvjSs +FOlhuNRHlrIQOD5BEPJUikqrSEXBHTxodM58JvHWtc0+NBLfIUFIuUzeL9A7n2vy +FT1VpZ+mAkIBD4R/6NcJXcdUJXGcScGkaH+z6eN4xGV37T2wsbmSdc6pDPyrO/3R +k2nW2sxA1NFPf6JbRwiKskiQnb6hSVkFLP0= -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Keystore.p12 b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Keystore.p12 index 877554f7..acc2e2e3 100644 Binary files a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Keystore.p12 and b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Keystore.p12 differ diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Root.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Root.pem index 14688239..578783e0 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Root.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/CMP_LRA_UPSTREAM_Root.pem @@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE----- -MIICkzCCAfSgAwIBAgIHAKqqAAAABjAKBggqhkjOPQQDBDBYMQswCQYDVQQGEwJE +MIICkjCCAfSgAwIBAgIHAKqqAAAABjAKBggqhkjOPQQDBDBYMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxHjAc -BgNVBAMMFUNNUF9MUkFfVVBTVFJFQU1fUk9PVDAeFw0yMzA5MjAwNTU5MjBaFw0z -NTA5MjAwNjU5MjBaMFgxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcw +BgNVBAMMFUNNUF9MUkFfVVBTVFJFQU1fUk9PVDAeFw0yMzEwMDQxMDI0MzRaFw0z +NTEwMDQxMTI0MzRaMFgxCzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcw FQYDVQQLEw5UZXN0RGVwYXJ0bWVudDEeMBwGA1UEAwwVQ01QX0xSQV9VUFNUUkVB -TV9ST09UMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAAQnG4YLjAHSUkrbPCfRS -KVWyNNu91JMgWwYCUEhwnFD5/uLmCxbaNrV+DGJ6WA/oVPiX5n2Pfn1SEv/irC6k -SY8BwEVbHCzbETZ7zv6ZSGSiCEvg5UL5w4zoj0/BIYvaTzKCsIvU/a+zTtCD0B/X -t35Hf+xHZZXIytfRK8F2q8mMlrmjZjBkMB8GA1UdIwQYMBaAFK/ARbrXdTAIQPWB -+aadc1OK4fGHMB0GA1UdDgQWBBSvwEW613UwCED1gfmmnXNTiuHxhzASBgNVHRMB -Af8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDBAOBjAAwgYgC -QgFgtgpTKjXDTE5Hmj9aWvPLhYsxWnDEedUXW6JM8JKEVTeq5rqvCad52NotJTcD -4uRVzBkSKYCaqMdMw5FEubiU1AJCARN2nlS7PY3o6W65UeSMgcpDjgMgjeElsYu3 -I6fQaL0t93bVDnI6VOS8BKWv31Nwy2ynAzrZntIBgKFZPXK7VSgY +TV9ST09UMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBWD3Y1YpyKDkEpYnO0uR8 +7anjgXAf6iryFUcHlKhUcJC63Tkoy4AGdTfFOhOnBw9r6eczReAa+t30QDLyPKxE +4BEA48GlDUa2qpqY6WGmwqFV/Z8JHhQruQCu9V0Xsf5vtyturlT3CpNACGL8Xv/E +sFDr6HhdyNhB6r5QDxHN01Ks3ZSjZjBkMB8GA1UdIwQYMBaAFD32zAitj1flBIQM +SN96c6jG2TfeMB0GA1UdDgQWBBQ99swIrY9X5QSEDEjfenOoxtk33jASBgNVHRMB +Af8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDBAOBiwAwgYcC +QSbhvfitKBQi2uDhbtNJLMB/DCoLI8A8yRb7ZnIrH8SzPH0ueO8r97biDJc0GVzl +WAi/Pp6DkzV/eJM/+17GBe3rAkIBsaDHsH0kWbOPrCS/d6Pda5EtFA7dD3UKLHQ1 +/alP/f9ggcy7qgg4/TYU9L54HA1q4GiStw8posf/LnlMHmA0iMs= -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Chain.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Chain.pem index 35b2e3c8..48595df8 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Chain.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Chain.pem @@ -1,34 +1,34 @@ -----BEGIN CERTIFICATE----- -MIICfjCCAeCgAwIBAgIHAKqqAAAAATAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE +MIICfzCCAeCgAwIBAgIHAKqqAAAAATAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0VOUk9MTF9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTM1MDkyMDA2NTky -MFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0VOUk9MTF9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTM1MTAwNDExMjQz +NFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtFTlJPTExfUk9PVDCBmzAQBgcqhkjOPQIB -BgUrgQQAIwOBhgAEARUvXZZ0MsvCO4s9YQMJTG3wJpZPOtW1eE4aWaaPvJCFtQtG -aUh/AbOY/G02kxVl19soIAu7pwtqbNvDaUaAWRxpAaPLLritsSEeiNerfcaqKvIW -5nAjMLxZL607qJg/BUnHbXpknilfV/54TfQjBLyW57YtWvBHFG1BwJpaTUdQNnKp -o2YwZDAfBgNVHSMEGDAWgBTJzcDlGJdjnCVEEucu2fr3ydfpEzAdBgNVHQ4EFgQU -yc3A5RiXY5wlRBLnLtn698nX6RMwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B -Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYsAMIGHAkIAjxqtB9DZ1Kzgn4seAqeEm7tx -kmSXGG7+3gZ4y2uZEkH0j0Po1s09hVU2e8G9v74eZqfBpEtxo5r/LsLf3nwVoMsC -QTGfJ0g+8eF9IuaAIsAiVxkAvAe+GWQ+Yf8t0SxQw25+RPhY+LAi4Rso00oxsj18 -1dfcPEe3dJn44aK+KrEyo1H1 +BgUrgQQAIwOBhgAEAYfJKaAfaJpUh+z67LPhQSRix2nhvhFJfpic2IE5hbOC7UzK +FIfZIpRPejEre9T1iTFqAmsQAKkuJmIsiN+/IHmbAXyFxoX+YxPBKaEW+fnv5ONz +Bu4DZ7Wwfh3tp6gf+11FZ+QHcOcFEfjLqsCYh8eKrSdL8UuBakWVRSKVXYSzGJqB +o2YwZDAfBgNVHSMEGDAWgBTMbM0KCx2wtkFa35+BjpTspFCNVDAdBgNVHQ4EFgQU +zGzNCgsdsLZBWt+fgY6U7KRQjVQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B +Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYwAMIGIAkIBu7Gg92zeAx0tZ5Ra5sw8oGFU +QoaFo94o3g+bVoqt5zask4sI6AErhg0GlBnKefq/gg50IsbYOqmvTHYahEi5DSMC +QgFcy21azze3mK33BuAZaRGoq7DpEPZ1OINeqCBPfCpgxjADUV5vYtZgNe3JQ8/j +tNDR+POAGx/aqlbYZXccpt9HCw== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIC3zCCAkGgAwIBAgIHAKqqAAAAAjAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0VOUk9MTF9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTI4MDkyMDA2NTky -MFowUDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0VOUk9MTF9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTI4MTAwNDExMjQz +NFowUDELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRYwFAYDVQQDDA1FTlJPTExfSVNTVUVSMIGbMBAGByqGSM49 -AgEGBSuBBAAjA4GGAAQBZIPbqwmtMyA44hY2a/C+DsSOLT42okniLrOg9w2a08XX -0cLBwwhpKxGeugRlHAsFz9qOv/SJcos3ZnoNZHH1A8MBFxasplnXFC2TpHbPaAyf -mG2go7tgCnPhbsldI8fOGnY8pLU4MXbLxprfmjqxjpsiDDTMiUaVHsHIxgTuL34V -Nm2jgcQwgcEwfAYDVR0jBHUwc4AUyc3A5RiXY5wlRBLnLtn698nX6ROhUqRQME4x +AgEGBSuBBAAjA4GGAAQBGMiDrK7k+3KLPXYMyV2pYaCv7NH470NKM9uy1Ja5fHOw +NPR0j3tiIpvxFF13DutFKUf5+zIZeRkboibG+8kKGAMB6mmu7B1lDAZNxYH+XJri +uluThmM8Ul2uNxYQsTCYAmC+U5LVf6dZ/i37YJDNPUSBB9xWEmPOwpr86y1wy/i1 +G5qjgcQwgcEwfAYDVR0jBHUwc4AUzGzNCgsdsLZBWt+fgY6U7KRQjVShUqRQME4x CzAJBgNVBAYTAkRFMRAwDgYDVQQKEwdTaWVtZW5zMRcwFQYDVQQLEw5UZXN0RGVw YXJ0bWVudDEUMBIGA1UEAwwLRU5ST0xMX1JPT1SCBwCqqgAAAAEwHQYDVR0OBBYE -FMa0hC7tfsefDucw5ndpo992mYNqMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E -CDAGAQH/AgEAMAoGCCqGSM49BAMEA4GLADCBhwJBRK5cDgePKTD6MN9BtEGaiFQ+ -mZyuiiBPm7BzIQRjNN+s9sqBtNS19/4ouUSxeHQWDNp77qNMIn+HazTVpVXEQB0C -QgHpX+cmm+jtQ5SIjPquqK6fOSBYiN7nmbxjOYAbgBwgDq0FS0jos28OJJ8pGZFS -gDX2S2+8kEzOlWtl6IQx4qKSNw== +FNQjw7JoOG6nfsXQ1sijediJvqIVMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8E +CDAGAQH/AgEAMAoGCCqGSM49BAMEA4GLADCBhwJCAIlvMd5+/Y7lSfEpLp/Dq2TU +VU0ArXrje6+KBkbSzLuR2XZF4X5nYElrDwJaEaC30nB+19z/mxSy8mlDD58tLmVA +AkEVGidLum7pJWjBDx0qaCNcc+T62vtIsoqfbYNuVzpDb3ZIaj9uFOb+Euk+KMDc +LMk4pFP0Wu2ee7B6m4+JK/sQDg== -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Keystore.p12 b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Keystore.p12 index 5938b981..0ee1128a 100644 Binary files a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Keystore.p12 and b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Keystore.p12 differ diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Root.pem b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Root.pem index d336323a..272f6449 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Root.pem +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials/ENROLL_Root.pem @@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE----- -MIICfjCCAeCgAwIBAgIHAKqqAAAAATAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE +MIICfzCCAeCgAwIBAgIHAKqqAAAAATAKBggqhkjOPQQDBDBOMQswCQYDVQQGEwJE RTEQMA4GA1UEChMHU2llbWVuczEXMBUGA1UECxMOVGVzdERlcGFydG1lbnQxFDAS -BgNVBAMMC0VOUk9MTF9ST09UMB4XDTIzMDkyMDA1NTkyMFoXDTM1MDkyMDA2NTky -MFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl +BgNVBAMMC0VOUk9MTF9ST09UMB4XDTIzMTAwNDEwMjQzNFoXDTM1MTAwNDExMjQz +NFowTjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB1NpZW1lbnMxFzAVBgNVBAsTDlRl c3REZXBhcnRtZW50MRQwEgYDVQQDDAtFTlJPTExfUk9PVDCBmzAQBgcqhkjOPQIB -BgUrgQQAIwOBhgAEARUvXZZ0MsvCO4s9YQMJTG3wJpZPOtW1eE4aWaaPvJCFtQtG -aUh/AbOY/G02kxVl19soIAu7pwtqbNvDaUaAWRxpAaPLLritsSEeiNerfcaqKvIW -5nAjMLxZL607qJg/BUnHbXpknilfV/54TfQjBLyW57YtWvBHFG1BwJpaTUdQNnKp -o2YwZDAfBgNVHSMEGDAWgBTJzcDlGJdjnCVEEucu2fr3ydfpEzAdBgNVHQ4EFgQU -yc3A5RiXY5wlRBLnLtn698nX6RMwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B -Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYsAMIGHAkIAjxqtB9DZ1Kzgn4seAqeEm7tx -kmSXGG7+3gZ4y2uZEkH0j0Po1s09hVU2e8G9v74eZqfBpEtxo5r/LsLf3nwVoMsC -QTGfJ0g+8eF9IuaAIsAiVxkAvAe+GWQ+Yf8t0SxQw25+RPhY+LAi4Rso00oxsj18 -1dfcPEe3dJn44aK+KrEyo1H1 +BgUrgQQAIwOBhgAEAYfJKaAfaJpUh+z67LPhQSRix2nhvhFJfpic2IE5hbOC7UzK +FIfZIpRPejEre9T1iTFqAmsQAKkuJmIsiN+/IHmbAXyFxoX+YxPBKaEW+fnv5ONz +Bu4DZ7Wwfh3tp6gf+11FZ+QHcOcFEfjLqsCYh8eKrSdL8UuBakWVRSKVXYSzGJqB +o2YwZDAfBgNVHSMEGDAWgBTMbM0KCx2wtkFa35+BjpTspFCNVDAdBgNVHQ4EFgQU +zGzNCgsdsLZBWt+fgY6U7KRQjVQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8B +Af8EBAMCAYYwCgYIKoZIzj0EAwQDgYwAMIGIAkIBu7Gg92zeAx0tZ5Ra5sw8oGFU +QoaFo94o3g+bVoqt5zask4sI6AErhg0GlBnKefq/gg50IsbYOqmvTHYahEi5DSMC +QgFcy21azze3mK33BuAZaRGoq7DpEPZ1OINeqCBPfCpgxjADUV5vYtZgNe3JQ8/j +tNDR+POAGx/aqlbYZXccpt9HCw== -----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/framework/ConfigurationFactory.java b/src/test/java/com/siemens/pki/cmpracomponent/test/framework/ConfigurationFactory.java index d08498c3..366598c9 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/framework/ConfigurationFactory.java +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/framework/ConfigurationFactory.java @@ -23,6 +23,7 @@ import com.siemens.pki.cmpracomponent.configuration.CheckAndModifyResult; import com.siemens.pki.cmpracomponent.configuration.CkgContext; import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface; +import com.siemens.pki.cmpracomponent.configuration.CmpMessageInterface.ReprotectMode; import com.siemens.pki.cmpracomponent.configuration.Configuration; import com.siemens.pki.cmpracomponent.configuration.CredentialContext; import com.siemens.pki.cmpracomponent.configuration.CrlUpdateRetrievalHandler; @@ -87,7 +88,12 @@ public static Configuration buildPasswordbasedDownstreamConfiguration() throws E new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); final Configuration config = buildSimpleRaConfiguration( - downstreamCredentials, downstreamTrust, upstreamCredentials, upstreamTrust, enrollmentTrust); + downstreamCredentials, + ReprotectMode.reprotect, + downstreamTrust, + upstreamCredentials, + upstreamTrust, + enrollmentTrust); return config; } @@ -104,7 +110,12 @@ public static Configuration buildSignatureBasedDownstreamConfiguration() throws new SignatureValidationCredentials("credentials/ENROLL_Root.pem", null); return buildSimpleRaConfiguration( - downstreamCredentials, downstreamTrust, upstreamCredentials, upstreamTrust, enrollmentTrust); + downstreamCredentials, + ReprotectMode.keep, + downstreamTrust, + upstreamCredentials, + upstreamTrust, + enrollmentTrust); } public static Configuration buildSignatureBasedDownstreamOnlyConfiguration() throws Exception { @@ -389,6 +400,7 @@ public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyTy public static Configuration buildSimpleRaConfiguration( final CredentialContext downstreamCredentials, + ReprotectMode reprotectMode, final VerificationContext downstreamTrust, final CredentialContext upstreamCredentials, final VerificationContext upstreamTrust, @@ -441,7 +453,7 @@ public CredentialContext getOutputCredentials() { @Override public ReprotectMode getReprotectMode() { - return ReprotectMode.keep; + return reprotectMode; } @Override @@ -647,12 +659,18 @@ public static CertReqTemplateContent generateCertReqTemplateContent() throws IOE public static ProtectionProvider getEePasswordbasedProtectionProvider() throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException { if (eePasswordbasedProtectionProvider == null) { - eePasswordbasedProtectionProvider = ProtectionProviderFactory.createProtectionProvider( - new SharedSecret("PASSWORDBASEDMAC", TestUtils.PASSWORD)); + eePasswordbasedProtectionProvider = + ProtectionProviderFactory.createProtectionProvider(getEeSharedSecretCredentials()); } return eePasswordbasedProtectionProvider; } + private static SharedSecret getEeSharedSecretCredentials() { + if (eeSharedSecretCredentials == null) + eeSharedSecretCredentials = new SharedSecret("PASSWORDBASEDMAC", TestUtils.PASSWORD); + return eeSharedSecretCredentials; + } + public static ProtectionProvider getEePbmac1ProtectionProvider() throws InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException { if (eePbmac1ProtectionProvider == null) { @@ -665,14 +683,23 @@ public static ProtectionProvider getEePbmac1ProtectionProvider() public static ProtectionProvider getEeSignaturebasedProtectionProvider() throws Exception { if (eeSignaturebasedProtectionProvider == null) { eeSignaturebasedProtectionProvider = - ProtectionProviderFactory.createProtectionProvider(new TrustChainAndPrivateKey( - // "credentials/CMP_EE_Keystore_EdDSA.p12", - // "credentials/CMP_EE_Keystore_RSA.p12", - "credentials/CMP_EE_Keystore.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY)); + ProtectionProviderFactory.createProtectionProvider(getEeSignaturebasedCredentials()); } return eeSignaturebasedProtectionProvider; } + private static TrustChainAndPrivateKey eeSignaturebasedCredentials; + private static SharedSecret eeSharedSecretCredentials; + + public static TrustChainAndPrivateKey getEeSignaturebasedCredentials() throws Exception { + if (eeSignaturebasedCredentials == null) + eeSignaturebasedCredentials = new TrustChainAndPrivateKey( + // "credentials/CMP_EE_Keystore_EdDSA.p12", + // "credentials/CMP_EE_Keystore_RSA.p12", + "credentials/CMP_EE_Keystore.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY); + return eeSignaturebasedCredentials; + } + public static KeyPairGenerator getKeyGenerator() { if (keyGenerator == null) { diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/framework/PasswordValidationCredentials.java b/src/test/java/com/siemens/pki/cmpracomponent/test/framework/PasswordValidationCredentials.java index d758f47a..0e086b42 100644 --- a/src/test/java/com/siemens/pki/cmpracomponent/test/framework/PasswordValidationCredentials.java +++ b/src/test/java/com/siemens/pki/cmpracomponent/test/framework/PasswordValidationCredentials.java @@ -26,6 +26,10 @@ public PasswordValidationCredentials(final String sharedSecret) { this.sharedSecret = sharedSecret.getBytes(); } + public PasswordValidationCredentials(byte[] sharedSecret) { + this.sharedSecret = sharedSecret; + } + @Override public byte[] getSharedSecret(final byte[] senderKID) { return sharedSecret;