// A request like this can be used to request a cross certificate
byte[] request = ejbcaraws.caRenewCertRequest(getAdminCAName(), cachain, false, false, false, pwd);
assertNotNull(request);
PKCS10RequestMessage msg = RequestMessageUtils.genPKCS10RequestMessage(request);
assertNotNull(msg);
CAInfo info = caAdminSessionRemote.getCAInfo(intAdmin, getAdminCAName());
assertEquals(info.getSubjectDN(), msg.getRequestDN());
assertTrue(msg.verify());
// System.out.println(ASN1Dump.dumpAsString(msg.getCertificationRequest()));
/*
* First test is to renew a CA signed by an external CA *without
* renewing the keys*. This just creates a new certificate request,
* without setting status to "waiting for certificate response" or
* anything.
*/
// Now we want to renew a DVCA signed by an external CVCA
// Create the self signed CVCA, we do it here locally
final KeyPair cvcakeypair = KeyTools.genKeys(keyspec, keyalg);
CAReferenceField caRef = new CAReferenceField("SE", cvcaMnemonic, "00001");
HolderReferenceField holderRef = new HolderReferenceField("SE", cvcaMnemonic, "00001");
CVCertificate cvcert = CertificateGenerator.createTestCertificate(cvcakeypair.getPublic(), cvcakeypair.getPrivate(), caRef, holderRef, signalg,
AuthorizationRoleEnum.CVCA);
CardVerifiableCertificate cvcacert = new CardVerifiableCertificate(cvcert);
// Create the DVCA signed by our external CVCA
String caname = createDVCCASignedByExternal(dvcaName, dvcaMnemonic, keyspec, keyalg, signalg);
assertNotNull("Failed to create DVC CA " + dvcaName + "Signed By External.", caname);
assertEquals(caname, dvcaName);
// Now test our WS API to generate a request, setting status to
// "WAITING_FOR_CERTIFICATE_RESPONSE"
CAInfo dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);
assertEquals(SecConst.CA_WAITING_CERTIFICATE_RESPONSE, dvinfo.getStatus());
cachain.add(cvcacert.getEncoded());
// Create the request with WS API
request = ejbcaraws.caRenewCertRequest(caname, cachain, false, false, false, pwd);
// make the mandatory junit checks...
assertNotNull(request);
CVCRequestMessage cvcreq = RequestMessageUtils.genCVCRequestMessage(request);
assertNotNull(cvcreq);
assertEquals(dvinfo.getSubjectDN(), cvcreq.getRequestDN());
CVCObject obj = CertificateParser.parseCVCObject(request);
// System.out.println(obj.getAsText());
CVCertificate cert = (CVCertificate) obj;
assertEquals(cvcacert.getCVCertificate().getCertificateBody().getAuthorityReference().getConcatenated(), cert.getCertificateBody()
.getAuthorityReference().getConcatenated());
// Receive the response so the DV CA is activated
HolderReferenceField dvholderref = cert.getCertificateBody().getHolderReference();
CVCertificate dvretcert = CertificateGenerator.createTestCertificate(cert.getCertificateBody().getPublicKey(), cvcakeypair.getPrivate(), caRef,
dvholderref, signalg, AuthorizationRoleEnum.DV_D);
ejbcaraws.caCertResponse(caname, dvretcert.getDEREncoded(), cachain, pwd);
// Check that the cert was received and the CA activated
dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);
assertEquals(SecConst.CA_ACTIVE, dvinfo.getStatus());
Collection<java.security.cert.Certificate> dvcerts = dvinfo.getCertificateChain();
assertEquals(2, dvcerts.size());
CardVerifiableCertificate dvcertactive = (CardVerifiableCertificate)dvcerts.iterator().next();
obj = CertificateParser.parseCVCObject(dvcertactive.getEncoded());
// System.out.println(obj.getAsText());
dvcertactive.verify(cvcakeypair.getPublic());
// Check to see that it is really the same keypair
String pubk1 = new String(Base64.encode(dvcertactive.getPublicKey().getEncoded(), false));
String pubk2 = new String(Base64.encode(cert.getCertificateBody().getPublicKey().getEncoded(), false));
assertTrue(pubk1.compareTo(pubk2) == 0);
String sequence1 = dvcertactive.getCVCertificate().getCertificateBody().getHolderReference().getSequence();
/*
* Second test is to renew a CA signed by an external CA *with renewing
* the keys*, and activating them. This creates a new key pair and a
* certificate request. Status is set to
* "waiting for certificate response" because the new keys can not be
* used until we have received a certificate.
*/
// Now we want to renew a DVCA signed by an external CVCA, generating
// new keys
// Create the request with WS API, cachain is our CVCA cert from
// previously created CVCA, we use the previously created DV as well.
pwd = "foo123";
request = ejbcaraws.caRenewCertRequest(caname, cachain, true, false, true, pwd);
// make the mandatory junit checks...
assertNotNull(request);
cvcreq = RequestMessageUtils.genCVCRequestMessage(request);
assertNotNull(cvcreq);
assertEquals(dvinfo.getSubjectDN(), cvcreq.getRequestDN());
obj = CertificateParser.parseCVCObject(request);
// System.out.println(obj.getAsText());
// We should have created an authenticated request signed by the old
// certificate
CVCAuthenticatedRequest authreq = (CVCAuthenticatedRequest) obj;
assertEquals(dvcertactive.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated(), authreq.getAuthorityReference()
.getConcatenated());
cert = authreq.getRequest();
// The request should be targeted for the CVCA, i.e. ca_ref in request should be the same as the CVCAs ref
assertEquals(cvcacert.getCVCertificate().getCertificateBody().getAuthorityReference().getConcatenated(), cert.getCertificateBody()
.getAuthorityReference().getConcatenated());
// Now test our WS API that it has set status to "WAITING_FOR_CERTIFICATE_RESPONSE"
dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);
assertEquals(SecConst.CA_WAITING_CERTIFICATE_RESPONSE, dvinfo.getStatus());
assertEquals ("DV should not be available", ejbcaraws.getLastCAChain(caname).size (),0);
// Check to see that it really is a new keypair
pubk1 = new String(Base64.encode(dvcertactive.getPublicKey().getEncoded(), false));
pubk2 = new String(Base64.encode(cert.getCertificateBody().getPublicKey().getEncoded(), false));
assertTrue(pubk1.compareTo(pubk2) != 0);
// Receive the response so the DV CA is activated
dvholderref = cert.getCertificateBody().getHolderReference();
dvretcert = CertificateGenerator.createTestCertificate(cert.getCertificateBody().getPublicKey(), cvcakeypair.getPrivate(), caRef, dvholderref, signalg,
AuthorizationRoleEnum.DV_D);
ejbcaraws.caCertResponse(caname, dvretcert.getDEREncoded(), cachain, pwd);
// Check that the cert was received and the CA activated
dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);
assertEquals(SecConst.CA_ACTIVE, dvinfo.getStatus());
dvcerts = dvinfo.getCertificateChain();
assertEquals(2, dvcerts.size());
dvcertactive = (CardVerifiableCertificate)dvcerts.iterator().next();
obj = CertificateParser.parseCVCObject(dvcertactive.getEncoded());
// System.out.println(obj.getAsText());
dvcertactive.verify(cvcakeypair.getPublic());
String sequence2 = dvcertactive.getCVCertificate().getCertificateBody().getHolderReference().getSequence();
int s1 = Integer.parseInt(sequence1);
int s2 = Integer.parseInt(sequence2);
assertEquals(s1 + 1, s2); // sequence in new certificate should be old
// sequence + 1
/*
* Third test is to renew a CA signed by an external CA *with renewing
* the keys* saying to *not* activate the key now. This creates a new
* key pair and a certificate request, but the new key pair is not used
* by the CA for issuing certificates. Status is not set to
* "waiting for certificate response" because the old keys can still be
* used until we have received a certificate and activated the new keys.
*/
request = ejbcaraws.caRenewCertRequest(caname, cachain, true, false, false, pwd);
// make the mandatory junit checks...
assertNotNull(request);
cvcreq = RequestMessageUtils.genCVCRequestMessage(request);
assertNotNull(request);
assertEquals(dvinfo.getSubjectDN(), cvcreq.getRequestDN());
obj = CertificateParser.parseCVCObject(request);
// System.out.println(obj.getAsText());
// We should have created an authenticated request signed by the old
// certificate
authreq = (CVCAuthenticatedRequest) obj;
assertEquals(dvcertactive.getCVCertificate().getCertificateBody().getHolderReference().getConcatenated(), authreq.getAuthorityReference()
.getConcatenated());
cert = authreq.getRequest();
assertEquals(cvcacert.getCVCertificate().getCertificateBody().getAuthorityReference().getConcatenated(), cert.getCertificateBody()
.getAuthorityReference().getConcatenated());
String sequence3 = cert.getCertificateBody().getHolderReference().getSequence();
int s3 = Integer.parseInt(sequence3);
assertEquals(s2 + 1, s3); // sequence in new certificate request should
// be old certificate sequence + 1
// status should not be "WAITING_FOR_CERTIFICATE_RESPONSE"
dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);
assertEquals(SecConst.CA_ACTIVE, dvinfo.getStatus());
// Check to see that it really is a new keypair
dvcerts = dvinfo.getCertificateChain();
assertEquals(2, dvcerts.size());
dvcertactive = (CardVerifiableCertificate)dvcerts.iterator().next();
String sequence4 = dvcertactive.getCVCertificate().getCertificateBody().getHolderReference().getSequence();
assertEquals(sequence2, sequence4);
PublicKey oldPublicKey = dvcertactive.getPublicKey();
PublicKey newPublicKey = cert.getCertificateBody().getPublicKey();
pubk1 = new String(Base64.encode(oldPublicKey.getEncoded(), false));
pubk2 = new String(Base64.encode(newPublicKey.getEncoded(), false));
assertTrue(pubk1.compareTo(pubk2) != 0);
// Try to issue an IS certificate, it should be issued using the OLD
// private key
// Simple self signed request
KeyPair keyPair = KeyTools.genKeys(keyspec, keyalg);
CVCertificate isrequest = CertificateGenerator.createRequest(keyPair, signalg, caRef, holderRef);
// Edit our favorite test user
UserDataVOWS user1 = new UserDataVOWS();
user1.setUsername("WSTESTUSER1");
user1.setPassword("foo123");
user1.setClearPwd(true);
user1.setSubjectDN("CN=Test,C=SE");
user1.setCaName(caname);
user1.setStatus(UserDataConstants.STATUS_NEW);
user1.setTokenType("USERGENERATED");
user1.setEndEntityProfileName("EMPTY");
user1.setCertificateProfileName("ENDUSER");
// editUser and set status to new
ejbcaraws.editUser(user1);
List<Certificate> certenv = ejbcaraws.cvcRequest(user1.getUsername(), user1.getPassword(), new String(Base64.encode(isrequest.getDEREncoded())));
assertNotNull(certenv);
Certificate wscert = certenv.get(0);
byte[] b64cert = wscert.getCertificateData();
java.security.cert.Certificate iscert = CertTools.getCertfromByteArray(Base64.decode(b64cert));
obj = CertificateParser.parseCVCObject(Base64.decode(b64cert));
CVCertificate iscvc = (CVCertificate) obj;
assertEquals("Test", iscvc.getCertificateBody().getHolderReference().getMnemonic());
// It must verify using the DVCAs old public key
PublicKey pk = KeyTools.getECPublicKeyWithParams(oldPublicKey, cvcacert.getPublicKey());
iscert.verify(pk);
boolean thrown = false;
try {
// it must not be possible to verify this with the new public key
pk = KeyTools.getECPublicKeyWithParams(newPublicKey, cvcacert.getPublicKey());
iscert.verify(pk);
} catch (SignatureException e) {
thrown = true;
}
assertTrue(thrown);
// Receive the CA certificate response so the DV CA's new key is
// activated
dvholderref = cert.getCertificateBody().getHolderReference();
dvretcert = CertificateGenerator.createTestCertificate(cert.getCertificateBody().getPublicKey(), cvcakeypair.getPrivate(), caRef, dvholderref, signalg,
AuthorizationRoleEnum.DV_D);
// Here we want to activate the new key pair
// System.out.println(dvretcert.getAsText());
ejbcaraws.caCertResponse(caname, dvretcert.getDEREncoded(), cachain, pwd);
// Check that the cert was received and the CA activated
dvinfo = caAdminSessionRemote.getCAInfo(intAdmin, caname);
assertEquals(SecConst.CA_ACTIVE, dvinfo.getStatus());
dvcerts = dvinfo.getCertificateChain();
assertEquals(2, dvcerts.size());
dvcertactive = (CardVerifiableCertificate) dvcerts.iterator().next();
obj = CertificateParser.parseCVCObject(dvcertactive.getEncoded());
// System.out.println(obj.getAsText());
dvcertactive.verify(cvcakeypair.getPublic());