1 package org.bouncycastle.cert.test; 2 3 import java.io.ByteArrayInputStream; 4 import java.io.IOException; 5 import java.io.UnsupportedEncodingException; 6 import java.math.BigInteger; 7 import java.security.SecureRandom; 8 import java.security.cert.CRL; 9 import java.security.cert.CertificateException; 10 import java.security.cert.CertificateFactory; 11 import java.security.cert.X509CRL; 12 import java.security.cert.X509Certificate; 13 import java.util.Collection; 14 import java.util.Date; 15 import java.util.Iterator; 16 import java.util.List; 17 import java.util.Set; 18 19 import junit.framework.TestCase; 20 import org.bouncycastle.asn1.ASN1EncodableVector; 21 import org.bouncycastle.asn1.ASN1Enumerated; 22 import org.bouncycastle.asn1.ASN1Object; 23 import org.bouncycastle.asn1.ASN1ObjectIdentifier; 24 import org.bouncycastle.asn1.DERBitString; 25 import org.bouncycastle.asn1.DERSequence; 26 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; 27 import org.bouncycastle.asn1.x500.X500Name; 28 import org.bouncycastle.asn1.x500.X500NameBuilder; 29 import org.bouncycastle.asn1.x500.style.RFC4519Style; 30 import org.bouncycastle.asn1.x509.AlgorithmIdentifier; 31 import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier; 32 import org.bouncycastle.asn1.x509.CRLReason; 33 import org.bouncycastle.asn1.x509.Certificate; 34 import org.bouncycastle.asn1.x509.Extension; 35 import org.bouncycastle.asn1.x509.Extensions; 36 import org.bouncycastle.asn1.x509.ExtensionsGenerator; 37 import org.bouncycastle.asn1.x509.GeneralName; 38 import org.bouncycastle.asn1.x509.GeneralNames; 39 import org.bouncycastle.asn1.x509.KeyPurposeId; 40 import org.bouncycastle.asn1.x509.KeyUsage; 41 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; 42 import org.bouncycastle.cert.CertException; 43 import org.bouncycastle.cert.X509CRLEntryHolder; 44 import org.bouncycastle.cert.X509CRLHolder; 45 import org.bouncycastle.cert.X509CertificateHolder; 46 import org.bouncycastle.cert.X509v1CertificateBuilder; 47 import org.bouncycastle.cert.X509v2CRLBuilder; 48 import org.bouncycastle.cert.X509v3CertificateBuilder; 49 import org.bouncycastle.cert.bc.BcX509ExtensionUtils; 50 import org.bouncycastle.cert.bc.BcX509v1CertificateBuilder; 51 import org.bouncycastle.cert.bc.BcX509v3CertificateBuilder; 52 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; 53 import org.bouncycastle.crypto.AsymmetricCipherKeyPair; 54 import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; 55 import org.bouncycastle.crypto.generators.DSAKeyPairGenerator; 56 import org.bouncycastle.crypto.generators.DSAParametersGenerator; 57 import org.bouncycastle.crypto.generators.RSAKeyPairGenerator; 58 import org.bouncycastle.crypto.params.AsymmetricKeyParameter; 59 import org.bouncycastle.crypto.params.DSAKeyGenerationParameters; 60 import org.bouncycastle.crypto.params.DSAParameters; 61 import org.bouncycastle.crypto.params.RSAKeyGenerationParameters; 62 import org.bouncycastle.crypto.params.RSAKeyParameters; 63 import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; 64 import org.bouncycastle.crypto.util.PublicKeyFactory; 65 import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory; 66 import org.bouncycastle.cert.test.PEMData; 67 import org.bouncycastle.operator.ContentSigner; 68 import org.bouncycastle.operator.ContentVerifierProvider; 69 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; 70 import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; 71 import org.bouncycastle.operator.OperatorCreationException; 72 import org.bouncycastle.operator.bc.BcDSAContentSignerBuilder; 73 import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder; 74 import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder; 75 import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder; 76 import org.bouncycastle.util.Strings; 77 import org.bouncycastle.util.encoders.Base64; 78 79 public class BcCertTest 80 extends TestCase 81 { 82 DefaultSignatureAlgorithmIdentifierFinder sigAlgFinder = new DefaultSignatureAlgorithmIdentifierFinder(); 83 DefaultDigestAlgorithmIdentifierFinder digAlgFinder = new DefaultDigestAlgorithmIdentifierFinder(); 84 85 // 86 // server.crt 87 // 88 byte[] cert1 = Base64.decode( 89 "MIIDXjCCAsegAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBtzELMAkGA1UEBhMCQVUx" 90 + "ETAPBgNVBAgTCFZpY3RvcmlhMRgwFgYDVQQHEw9Tb3V0aCBNZWxib3VybmUxGjAY" 91 + "BgNVBAoTEUNvbm5lY3QgNCBQdHkgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB" 92 + "dXRob3JpdHkxFTATBgNVBAMTDENvbm5lY3QgNCBDQTEoMCYGCSqGSIb3DQEJARYZ" 93 + "d2VibWFzdGVyQGNvbm5lY3Q0LmNvbS5hdTAeFw0wMDA2MDIwNzU2MjFaFw0wMTA2" 94 + "MDIwNzU2MjFaMIG4MQswCQYDVQQGEwJBVTERMA8GA1UECBMIVmljdG9yaWExGDAW" 95 + "BgNVBAcTD1NvdXRoIE1lbGJvdXJuZTEaMBgGA1UEChMRQ29ubmVjdCA0IFB0eSBM" 96 + "dGQxFzAVBgNVBAsTDldlYnNlcnZlciBUZWFtMR0wGwYDVQQDExR3d3cyLmNvbm5l" 97 + "Y3Q0LmNvbS5hdTEoMCYGCSqGSIb3DQEJARYZd2VibWFzdGVyQGNvbm5lY3Q0LmNv" 98 + "bS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArvDxclKAhyv7Q/Wmr2re" 99 + "Gw4XL9Cnh9e+6VgWy2AWNy/MVeXdlxzd7QAuc1eOWQkGQEiLPy5XQtTY+sBUJ3AO" 100 + "Rvd2fEVJIcjf29ey7bYua9J/vz5MG2KYo9/WCHIwqD9mmG9g0xLcfwq/s8ZJBswE" 101 + "7sb85VU+h94PTvsWOsWuKaECAwEAAaN3MHUwJAYDVR0RBB0wG4EZd2VibWFzdGVy" 102 + "QGNvbm5lY3Q0LmNvbS5hdTA6BglghkgBhvhCAQ0ELRYrbW9kX3NzbCBnZW5lcmF0" 103 + "ZWQgY3VzdG9tIHNlcnZlciBjZXJ0aWZpY2F0ZTARBglghkgBhvhCAQEEBAMCBkAw" 104 + "DQYJKoZIhvcNAQEEBQADgYEAotccfKpwSsIxM1Hae8DR7M/Rw8dg/RqOWx45HNVL" 105 + "iBS4/3N/TO195yeQKbfmzbAA2jbPVvIvGgTxPgO1MP4ZgvgRhasaa0qCJCkWvpM4" 106 + "yQf33vOiYQbpv4rTwzU8AmRlBG45WdjyNIigGV+oRc61aKCTnLq7zB8N3z1TF/bF" 107 + "5/8="); 108 109 // 110 // ca.crt 111 // 112 byte[] cert2 = Base64.decode( 113 "MIIDbDCCAtWgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBtzELMAkGA1UEBhMCQVUx" 114 + "ETAPBgNVBAgTCFZpY3RvcmlhMRgwFgYDVQQHEw9Tb3V0aCBNZWxib3VybmUxGjAY" 115 + "BgNVBAoTEUNvbm5lY3QgNCBQdHkgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB" 116 + "dXRob3JpdHkxFTATBgNVBAMTDENvbm5lY3QgNCBDQTEoMCYGCSqGSIb3DQEJARYZ" 117 + "d2VibWFzdGVyQGNvbm5lY3Q0LmNvbS5hdTAeFw0wMDA2MDIwNzU1MzNaFw0wMTA2" 118 + "MDIwNzU1MzNaMIG3MQswCQYDVQQGEwJBVTERMA8GA1UECBMIVmljdG9yaWExGDAW" 119 + "BgNVBAcTD1NvdXRoIE1lbGJvdXJuZTEaMBgGA1UEChMRQ29ubmVjdCA0IFB0eSBM" 120 + "dGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAxMMQ29u" 121 + "bmVjdCA0IENBMSgwJgYJKoZIhvcNAQkBFhl3ZWJtYXN0ZXJAY29ubmVjdDQuY29t" 122 + "LmF1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgs5ptNG6Qv1ZpCDuUNGmv" 123 + "rhjqMDPd3ri8JzZNRiiFlBA4e6/ReaO1U8ASewDeQMH6i9R6degFdQRLngbuJP0s" 124 + "xcEE+SksEWNvygfzLwV9J/q+TQDyJYK52utb++lS0b48A1KPLwEsyL6kOAgelbur" 125 + "ukwxowprKUIV7Knf1ajetQIDAQABo4GFMIGCMCQGA1UdEQQdMBuBGXdlYm1hc3Rl" 126 + "ckBjb25uZWN0NC5jb20uYXUwDwYDVR0TBAgwBgEB/wIBADA2BglghkgBhvhCAQ0E" 127 + "KRYnbW9kX3NzbCBnZW5lcmF0ZWQgY3VzdG9tIENBIGNlcnRpZmljYXRlMBEGCWCG" 128 + "SAGG+EIBAQQEAwICBDANBgkqhkiG9w0BAQQFAAOBgQCsGvfdghH8pPhlwm1r3pQk" 129 + "msnLAVIBb01EhbXm2861iXZfWqGQjrGAaA0ZpXNk9oo110yxoqEoSJSzniZa7Xtz" 130 + "soTwNUpE0SLHvWf/SlKdFWlzXA+vOZbzEv4UmjeelekTm7lc01EEa5QRVzOxHFtQ" 131 + "DhkaJ8VqOMajkQFma2r9iA=="); 132 133 // 134 // testx509.pem 135 // 136 byte[] cert3 = Base64.decode( 137 "MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV" 138 + "BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz" 139 + "MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM" 140 + "RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF" 141 + "AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO" 142 + "/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE" 143 + "Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ" 144 + "zl9HYIMxATFyqSiD9jsx"); 145 146 // 147 // v3-cert1.pem 148 // 149 byte[] cert4 = Base64.decode( 150 "MIICjTCCAfigAwIBAgIEMaYgRzALBgkqhkiG9w0BAQQwRTELMAkGA1UEBhMCVVMx" 151 + "NjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlz" 152 + "dHJhdGlvbjAmFxE5NjA1MjgxMzQ5MDUrMDgwMBcROTgwNTI4MTM0OTA1KzA4MDAw" 153 + "ZzELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu" 154 + "ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEgMAkGA1UEBRMCMTYwEwYDVQQDEwxTdGV2" 155 + "ZSBTY2hvY2gwWDALBgkqhkiG9w0BAQEDSQAwRgJBALrAwyYdgxmzNP/ts0Uyf6Bp" 156 + "miJYktU/w4NG67ULaN4B5CnEz7k57s9o3YY3LecETgQ5iQHmkwlYDTL2fTgVfw0C" 157 + "AQOjgaswgagwZAYDVR0ZAQH/BFowWDBWMFQxCzAJBgNVBAYTAlVTMTYwNAYDVQQK" 158 + "Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x" 159 + "DTALBgNVBAMTBENSTDEwFwYDVR0BAQH/BA0wC4AJODMyOTcwODEwMBgGA1UdAgQR" 160 + "MA8ECTgzMjk3MDgyM4ACBSAwDQYDVR0KBAYwBAMCBkAwCwYJKoZIhvcNAQEEA4GB" 161 + "AH2y1VCEw/A4zaXzSYZJTTUi3uawbbFiS2yxHvgf28+8Js0OHXk1H1w2d6qOHH21" 162 + "X82tZXd/0JtG0g1T9usFFBDvYK8O0ebgz/P5ELJnBL2+atObEuJy1ZZ0pBDWINR3" 163 + "WkDNLCGiTkCKp0F5EWIrVDwh54NNevkCQRZita+z4IBO"); 164 165 // 166 // v3-cert2.pem 167 // 168 byte[] cert5 = Base64.decode( 169 "MIICiTCCAfKgAwIBAgIEMeZfHzANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJD" 170 + "YTEPMA0GA1UEBxMGTmVwZWFuMR4wHAYDVQQLExVObyBMaWFiaWxpdHkgQWNjZXB0" 171 + "ZWQxHzAdBgNVBAoTFkZvciBEZW1vIFB1cnBvc2VzIE9ubHkxHDAaBgNVBAMTE0Vu" 172 + "dHJ1c3QgRGVtbyBXZWIgQ0EwHhcNOTYwNzEyMTQyMDE1WhcNOTYxMDEyMTQyMDE1" 173 + "WjB0MSQwIgYJKoZIhvcNAQkBExVjb29rZUBpc3NsLmF0bC5ocC5jb20xCzAJBgNV" 174 + "BAYTAlVTMScwJQYDVQQLEx5IZXdsZXR0IFBhY2thcmQgQ29tcGFueSAoSVNTTCkx" 175 + "FjAUBgNVBAMTDVBhdWwgQS4gQ29va2UwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA" 176 + "6ceSq9a9AU6g+zBwaL/yVmW1/9EE8s5you1mgjHnj0wAILuoB3L6rm6jmFRy7QZT" 177 + "G43IhVZdDua4e+5/n1ZslwIDAQABo2MwYTARBglghkgBhvhCAQEEBAMCB4AwTAYJ" 178 + "YIZIAYb4QgENBD8WPVRoaXMgY2VydGlmaWNhdGUgaXMgb25seSBpbnRlbmRlZCBm" 179 + "b3IgZGVtb25zdHJhdGlvbiBwdXJwb3Nlcy4wDQYJKoZIhvcNAQEEBQADgYEAi8qc" 180 + "F3zfFqy1sV8NhjwLVwOKuSfhR/Z8mbIEUeSTlnH3QbYt3HWZQ+vXI8mvtZoBc2Fz" 181 + "lexKeIkAZXCesqGbs6z6nCt16P6tmdfbZF3I3AWzLquPcOXjPf4HgstkyvVBn0Ap" 182 + "jAFN418KF/Cx4qyHB4cjdvLrRjjQLnb2+ibo7QU="); 183 184 // 185 // pem encoded pkcs7 186 // 187 byte[] cert6 = Base64.decode( 188 "MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJbzCCAj0w" 189 + "ggGmAhEAzbp/VvDf5LxU/iKss3KqVTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG" 190 + "A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy" 191 + "dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNMjgwODAxMjM1OTU5WjBfMQsw" 192 + "CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi" 193 + "bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A" 194 + "MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH" 195 + "mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF" 196 + "4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEATD+4i8Zo3+5DMw5d" 197 + "6abLB4RNejP/khv0Nq3YlSI2aBFsfELM85wuxAc/FLAPT/+Qknb54rxK6Y/NoIAK98Up8YIiXbix" 198 + "3YEjo3slFUYweRb46gVLlH8dwhzI47f0EEA8E8NfH1PoSOSGtHuhNbB7Jbq4046rPzidADQAmPPR" 199 + "cZQwggMuMIICl6ADAgECAhEA0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYD" 200 + "VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGlj" 201 + "IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEy" 202 + "MjM1OTU5WjCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy" 203 + "dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5j" 204 + "b3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg" 205 + "SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG9w0B" 206 + "AQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV2TFBcHqB" 207 + "S7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/Gdr5FegPh7Yc" 208 + "48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZIAYb4QgEBBAQDAgEG" 209 + "MEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYfd3d3LnZlcmlzaWduLmNv" 210 + "bS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B" 211 + "AQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ43BuYDAeGW4UVag+5SYWklfEXfWe0" 212 + "fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg" 213 + "5V+CprGoksVYasGNAzzrw80FopCubjCCA/gwggNhoAMCAQICEBbbn/1G1zppD6KsP01bwywwDQYJ" 214 + "KoZIhvcNAQEEBQAwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln" 215 + "biBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBB" 216 + "IEluY29ycC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAx" 217 + "IENBIEluZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwHhcNMDAxMDAy" 218 + "MDAwMDAwWhcNMDAxMjAxMjM1OTU5WjCCAQcxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYD" 219 + "VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3Jl" 220 + "cG9zaXRvcnkvUlBBIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk4MR4wHAYDVQQLExVQZXJz" 221 + "b25hIE5vdCBWYWxpZGF0ZWQxJzAlBgNVBAsTHkRpZ2l0YWwgSUQgQ2xhc3MgMSAtIE1pY3Jvc29m" 222 + "dDETMBEGA1UEAxQKRGF2aWQgUnlhbjElMCMGCSqGSIb3DQEJARYWZGF2aWRAbGl2ZW1lZGlhLmNv" 223 + "bS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqxBsdeNmSvFqhMNwhQgNzM8mdjX9eSXb" 224 + "DawpHtQHjmh0AKJSa3IwUY0VIsyZHuXWktO/CgaMBVPt6OVf/n0R2sQigMP6Y+PhEiS0vCJBL9aK" 225 + "0+pOo2qXrjVBmq+XuCyPTnc+BOSrU26tJsX0P9BYorwySiEGxGanBNATdVL4NdUCAwEAAaOBnDCB" 226 + "mTAJBgNVHRMEAjAAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQgwKjAoBggrBgEFBQcCARYcaHR0" 227 + "cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTARBglghkgBhvhCAQEEBAMCB4AwMwYDVR0fBCwwKjAo" 228 + "oCagJIYiaHR0cDovL2NybC52ZXJpc2lnbi5jb20vY2xhc3MxLmNybDANBgkqhkiG9w0BAQQFAAOB" 229 + "gQBC8yIIdVGpFTf8/YiL14cMzcmL0nIRm4kGR3U59z7UtcXlfNXXJ8MyaeI/BnXwG/gD5OKYqW6R" 230 + "yca9vZOxf1uoTBl82gInk865ED3Tej6msCqFzZffnSUQvOIeqLxxDlqYRQ6PmW2nAnZeyjcnbI5Y" 231 + "syQSM2fmo7n6qJFP+GbFezGCAkUwggJBAgEBMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5j" 232 + "LjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWdu" 233 + "LmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UE" 234 + "AxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3Qg" 235 + "VmFsaWRhdGVkAhAW25/9Rtc6aQ+irD9NW8MsMAkGBSsOAwIaBQCggbowGAYJKoZIhvcNAQkDMQsG" 236 + "CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAxMDAyMTczNTE4WjAjBgkqhkiG9w0BCQQxFgQU" 237 + "gZjSaBEY2oxGvlQUIMnxSXhivK8wWwYJKoZIhvcNAQkPMU4wTDAKBggqhkiG9w0DBzAOBggqhkiG" 238 + "9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwBwYFKw4DAh0w" 239 + "DQYJKoZIhvcNAQEBBQAEgYAzk+PU91/ZFfoiuKOECjxEh9fDYE2jfDCheBIgh5gdcCo+sS1WQs8O" 240 + "HreQ9Nop/JdJv1DQMBK6weNBBDoP0EEkRm1XCC144XhXZC82jBZohYmi2WvDbbC//YN58kRMYMyy" 241 + "srrfn4Z9I+6kTriGXkrpGk9Q0LSGjmG2BIsqiF0dvwAAAAAAAA=="); 242 243 // 244 // dsaWithSHA1 cert 245 // 246 byte[] cert7 = Base64.decode( 247 "MIIEXAYJKoZIhvcNAQcCoIIETTCCBEkCAQExCzAJBgUrDgMCGgUAMAsGCSqG" 248 + "SIb3DQEHAaCCAsMwggK/MIIB4AIBADCBpwYFKw4DAhswgZ0CQQEkJRHP+mN7" 249 + "d8miwTMN55CUSmo3TO8WGCxgY61TX5k+7NU4XPf1TULjw3GobwaJX13kquPh" 250 + "fVXk+gVy46n4Iw3hAhUBSe/QF4BUj+pJOF9ROBM4u+FEWA8CQQD4mSJbrABj" 251 + "TUWrlnAte8pS22Tq4/FPO7jHSqjijUHfXKTrHL1OEqV3SVWcFy5j/cqBgX/z" 252 + "m8Q12PFp/PjOhh+nMA4xDDAKBgNVBAMTA0lEMzAeFw05NzEwMDEwMDAwMDBa" 253 + "Fw0zODAxMDEwMDAwMDBaMA4xDDAKBgNVBAMTA0lEMzCB8DCBpwYFKw4DAhsw" 254 + "gZ0CQQEkJRHP+mN7d8miwTMN55CUSmo3TO8WGCxgY61TX5k+7NU4XPf1TULj" 255 + "w3GobwaJX13kquPhfVXk+gVy46n4Iw3hAhUBSe/QF4BUj+pJOF9ROBM4u+FE" 256 + "WA8CQQD4mSJbrABjTUWrlnAte8pS22Tq4/FPO7jHSqjijUHfXKTrHL1OEqV3" 257 + "SVWcFy5j/cqBgX/zm8Q12PFp/PjOhh+nA0QAAkEAkYkXLYMtGVGWj9OnzjPn" 258 + "sB9sefSRPrVegZJCZbpW+Iv0/1RP1u04pHG9vtRpIQLjzUiWvLMU9EKQTThc" 259 + "eNMmWDCBpwYFKw4DAhswgZ0CQQEkJRHP+mN7d8miwTMN55CUSmo3TO8WGCxg" 260 + "Y61TX5k+7NU4XPf1TULjw3GobwaJX13kquPhfVXk+gVy46n4Iw3hAhUBSe/Q" 261 + "F4BUj+pJOF9ROBM4u+FEWA8CQQD4mSJbrABjTUWrlnAte8pS22Tq4/FPO7jH" 262 + "SqjijUHfXKTrHL1OEqV3SVWcFy5j/cqBgX/zm8Q12PFp/PjOhh+nAy8AMCwC" 263 + "FBY3dBSdeprGcqpr6wr3xbG+6WW+AhRMm/facKJNxkT3iKgJbp7R8Xd3QTGC" 264 + "AWEwggFdAgEBMBMwDjEMMAoGA1UEAxMDSUQzAgEAMAkGBSsOAwIaBQCgXTAY" 265 + "BgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMjA1" 266 + "MjQyMzEzMDdaMCMGCSqGSIb3DQEJBDEWBBS4WMsoJhf7CVbZYCFcjoTRzPkJ" 267 + "xjCBpwYFKw4DAhswgZ0CQQEkJRHP+mN7d8miwTMN55CUSmo3TO8WGCxgY61T" 268 + "X5k+7NU4XPf1TULjw3GobwaJX13kquPhfVXk+gVy46n4Iw3hAhUBSe/QF4BU" 269 + "j+pJOF9ROBM4u+FEWA8CQQD4mSJbrABjTUWrlnAte8pS22Tq4/FPO7jHSqji" 270 + "jUHfXKTrHL1OEqV3SVWcFy5j/cqBgX/zm8Q12PFp/PjOhh+nBC8wLQIVALID" 271 + "dt+MHwawrDrwsO1Z6sXBaaJsAhRaKssrpevmLkbygKPV07XiAKBG02Zvb2Jh" 272 + "cg=="); 273 274 // 275 // testcrl.pem 276 // 277 byte[] crl1 = Base64.decode( 278 "MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT" 279 + "F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy" 280 + "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw" 281 + "MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw" 282 + "MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw" 283 + "MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw" 284 + "MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw" 285 + "MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw" 286 + "MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw" 287 + "NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw" 288 + "NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF" 289 + "AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ" 290 + "wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt" 291 + "JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v"); 292 293 // 294 // ecdsa cert with extra octet string. 295 // 296 byte[] oldEcdsa = Base64.decode( 297 "MIICljCCAkCgAwIBAgIBATALBgcqhkjOPQQBBQAwgY8xCzAJBgNVBAYTAkFVMSgwJ" 298 + "gYDVQQKEx9UaGUgTGVnaW9uIG9mIHRoZSBCb3VuY3kgQ2FzdGxlMRIwEAYDVQQHEw" 299 + "lNZWxib3VybmUxETAPBgNVBAgTCFZpY3RvcmlhMS8wLQYJKoZIhvcNAQkBFiBmZWV" 300 + "kYmFjay1jcnlwdG9AYm91bmN5Y2FzdGxlLm9yZzAeFw0wMTEyMDcwMTAwMDRaFw0w" 301 + "MTEyMDcwMTAxNDRaMIGPMQswCQYDVQQGEwJBVTEoMCYGA1UEChMfVGhlIExlZ2lvb" 302 + "iBvZiB0aGUgQm91bmN5IENhc3RsZTESMBAGA1UEBxMJTWVsYm91cm5lMREwDwYDVQ" 303 + "QIEwhWaWN0b3JpYTEvMC0GCSqGSIb3DQEJARYgZmVlZGJhY2stY3J5cHRvQGJvdW5" 304 + "jeWNhc3RsZS5vcmcwgeQwgb0GByqGSM49AgEwgbECAQEwKQYHKoZIzj0BAQIef///" 305 + "////////////f///////gAAAAAAAf///////MEAEHn///////////////3///////" 306 + "4AAAAAAAH///////AQeawFsO9zxiUHQ1lSSFHXKcanbL7J9HTd5YYXClCwKBB8CD/" 307 + "qWPNyogWzMM7hkK+35BcPTWFc9Pyf7vTs8uaqvAh5///////////////9///+eXpq" 308 + "fXZBx+9FSJoiQnQsDIgAEHwJbbcU7xholSP+w9nFHLebJUhqdLSU05lq/y9X+DHAw" 309 + "CwYHKoZIzj0EAQUAA0MAMEACHnz6t4UNoVROp74ma4XNDjjGcjaqiIWPZLK8Bdw3G" 310 + "QIeLZ4j3a6ividZl344UH+UPUE7xJxlYGuy7ejTsqRR"); 311 312 byte[] keyUsage = Base64.decode( 313 "MIIE7TCCBFagAwIBAgIEOAOR7jANBgkqhkiG9w0BAQQFADCByTELMAkGA1UE" 314 + "BhMCVVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MUgwRgYDVQQLFD93d3cuZW50" 315 + "cnVzdC5uZXQvQ2xpZW50X0NBX0luZm8vQ1BTIGluY29ycC4gYnkgcmVmLiBs" 316 + "aW1pdHMgbGlhYi4xJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExp" 317 + "bWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENsaWVudCBDZXJ0aWZpY2F0" 318 + "aW9uIEF1dGhvcml0eTAeFw05OTEwMTIxOTI0MzBaFw0xOTEwMTIxOTU0MzBa" 319 + "MIHJMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxSDBGBgNV" 320 + "BAsUP3d3dy5lbnRydXN0Lm5ldC9DbGllbnRfQ0FfSW5mby9DUFMgaW5jb3Jw" 321 + "LiBieSByZWYuIGxpbWl0cyBsaWFiLjElMCMGA1UECxMcKGMpIDE5OTkgRW50" 322 + "cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5uZXQgQ2xpZW50" 323 + "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUAA4GL" 324 + "ADCBhwKBgQDIOpleMRffrCdvkHvkGf9FozTC28GoT/Bo6oT9n3V5z8GKUZSv" 325 + "x1cDR2SerYIbWtp/N3hHuzeYEpbOxhN979IMMFGpOZ5V+Pux5zDeg7K6PvHV" 326 + "iTs7hbqqdCz+PzFur5GVbgbUB01LLFZHGARS2g4Qk79jkJvh34zmAqTmT173" 327 + "iwIBA6OCAeAwggHcMBEGCWCGSAGG+EIBAQQEAwIABzCCASIGA1UdHwSCARkw" 328 + "ggEVMIHkoIHhoIHepIHbMIHYMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50" 329 + "cnVzdC5uZXQxSDBGBgNVBAsUP3d3dy5lbnRydXN0Lm5ldC9DbGllbnRfQ0Ff" 330 + "SW5mby9DUFMgaW5jb3JwLiBieSByZWYuIGxpbWl0cyBsaWFiLjElMCMGA1UE" 331 + "CxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50" 332 + "cnVzdC5uZXQgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYD" 333 + "VQQDEwRDUkwxMCygKqAohiZodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NSTC9D" 334 + "bGllbnQxLmNybDArBgNVHRAEJDAigA8xOTk5MTAxMjE5MjQzMFqBDzIwMTkx" 335 + "MDEyMTkyNDMwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUxPucKXuXzUyW" 336 + "/O5bs8qZdIuV6kwwHQYDVR0OBBYEFMT7nCl7l81MlvzuW7PKmXSLlepMMAwG" 337 + "A1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI" 338 + "hvcNAQEEBQADgYEAP66K8ddmAwWePvrqHEa7pFuPeJoSSJn59DXeDDYHAmsQ" 339 + "OokUgZwxpnyyQbJq5wcBoUv5nyU7lsqZwz6hURzzwy5E97BnRqqS5TvaHBkU" 340 + "ODDV4qIxJS7x7EU47fgGWANzYrAQMY9Av2TgXD7FTx/aEkP/TOYGJqibGapE" 341 + "PHayXOw="); 342 343 byte[] nameCert = Base64.decode( 344 "MIIEFjCCA3+gAwIBAgIEdS8BozANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJE"+ 345 "RTERMA8GA1UEChQIREFURVYgZUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRQ0Eg"+ 346 "REFURVYgRDAzIDE6UE4wIhgPMjAwMTA1MTAxMDIyNDhaGA8yMDA0MDUwOTEwMjI0"+ 347 "OFowgYQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIFAZCYXllcm4xEjAQBgNVBAcUCU7I"+ 348 "dXJuYmVyZzERMA8GA1UEChQIREFURVYgZUcxHTAbBgNVBAUTFDAwMDAwMDAwMDA4"+ 349 "OTU3NDM2MDAxMR4wHAYDVQQDFBVEaWV0bWFyIFNlbmdlbmxlaXRuZXIwgaEwDQYJ"+ 350 "KoZIhvcNAQEBBQADgY8AMIGLAoGBAJLI/LJLKaHoMk8fBECW/od8u5erZi6jI8Ug"+ 351 "C0a/LZyQUO/R20vWJs6GrClQtXB+AtfiBSnyZOSYzOdfDI8yEKPEv8qSuUPpOHps"+ 352 "uNCFdLZF1vavVYGEEWs2+y+uuPmg8q1oPRyRmUZ+x9HrDvCXJraaDfTEd9olmB/Z"+ 353 "AuC/PqpjAgUAwAAAAaOCAcYwggHCMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUD"+ 354 "AwdAADAxBgNVHSAEKjAoMCYGBSskCAEBMB0wGwYIKwYBBQUHAgEWD3d3dy56cy5k"+ 355 "YXRldi5kZTApBgNVHREEIjAggR5kaWV0bWFyLnNlbmdlbmxlaXRuZXJAZGF0ZXYu"+ 356 "ZGUwgYQGA1UdIwR9MHuhc6RxMG8xCzAJBgNVBAYTAkRFMT0wOwYDVQQKFDRSZWd1"+ 357 "bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0aW9uIHVuZCBQb3N0"+ 358 "MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjVSLUNBIDE6UE6CBACm8LkwDgYHAoIG"+ 359 "AQoMAAQDAQEAMEcGA1UdHwRAMD4wPKAUoBKGEHd3dy5jcmwuZGF0ZXYuZGWiJKQi"+ 360 "MCAxCzAJBgNVBAYTAkRFMREwDwYDVQQKFAhEQVRFViBlRzAWBgUrJAgDBAQNMAsT"+ 361 "A0VVUgIBBQIBATAdBgNVHQ4EFgQUfv6xFP0xk7027folhy+ziZvBJiwwLAYIKwYB"+ 362 "BQUHAQEEIDAeMBwGCCsGAQUFBzABhhB3d3cuZGlyLmRhdGV2LmRlMA0GCSqGSIb3"+ 363 "DQEBBQUAA4GBAEOVX6uQxbgtKzdgbTi6YLffMftFr2mmNwch7qzpM5gxcynzgVkg"+ 364 "pnQcDNlm5AIbS6pO8jTCLfCd5TZ5biQksBErqmesIl3QD+VqtB+RNghxectZ3VEs"+ 365 "nCUtcE7tJ8O14qwCb3TxS9dvIUFiVi4DjbxX46TdcTbTaK8/qr6AIf+l"); 366 367 byte[] probSelfSignedCert = Base64.decode( 368 "MIICxTCCAi6gAwIBAgIQAQAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQUFADBF" 369 + "MScwJQYDVQQKEx4gRElSRUNUSU9OIEdFTkVSQUxFIERFUyBJTVBPVFMxGjAYBgNV" 370 + "BAMTESBBQyBNSU5FRkkgQiBURVNUMB4XDTA0MDUwNzEyMDAwMFoXDTE0MDUwNzEy" 371 + "MDAwMFowRTEnMCUGA1UEChMeIERJUkVDVElPTiBHRU5FUkFMRSBERVMgSU1QT1RT" 372 + "MRowGAYDVQQDExEgQUMgTUlORUZJIEIgVEVTVDCBnzANBgkqhkiG9w0BAQEFAAOB" 373 + "jQAwgYkCgYEAveoCUOAukZdcFCs2qJk76vSqEX0ZFzHqQ6faBPZWjwkgUNwZ6m6m" 374 + "qWvvyq1cuxhoDvpfC6NXILETawYc6MNwwxsOtVVIjuXlcF17NMejljJafbPximEt" 375 + "DQ4LcQeSp4K7FyFlIAMLyt3BQ77emGzU5fjFTvHSUNb3jblx0sV28c0CAwEAAaOB" 376 + "tTCBsjAfBgNVHSMEGDAWgBSEJ4bLbvEQY8cYMAFKPFD1/fFXlzAdBgNVHQ4EFgQU" 377 + "hCeGy27xEGPHGDABSjxQ9f3xV5cwDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIB" 378 + "AQQEAwIBBjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vYWRvbmlzLnBrNy5jZXJ0" 379 + "cGx1cy5uZXQvZGdpLXRlc3QuY3JsMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN" 380 + "AQEFBQADgYEAmToHJWjd3+4zknfsP09H6uMbolHNGG0zTS2lrLKpzcmkQfjhQpT9" 381 + "LUTBvfs1jdjo9fGmQLvOG+Sm51Rbjglb8bcikVI5gLbclOlvqLkm77otjl4U4Z2/" 382 + "Y0vP14Aov3Sn3k+17EfReYUZI4liuB95ncobC4e8ZM++LjQcIM0s+Vs="); 383 384 385 byte[] gost34102001base = Base64.decode( 386 "MIIB1DCCAYECEEjpVKXP6Wn1yVz3VeeDQa8wCgYGKoUDAgIDBQAwbTEfMB0G" 387 + "A1UEAwwWR29zdFIzNDEwLTIwMDEgZXhhbXBsZTESMBAGA1UECgwJQ3J5cHRv" 388 + "UHJvMQswCQYDVQQGEwJSVTEpMCcGCSqGSIb3DQEJARYaR29zdFIzNDEwLTIw" 389 + "MDFAZXhhbXBsZS5jb20wHhcNMDUwMjAzMTUxNjQ2WhcNMTUwMjAzMTUxNjQ2" 390 + "WjBtMR8wHQYDVQQDDBZHb3N0UjM0MTAtMjAwMSBleGFtcGxlMRIwEAYDVQQK" 391 + "DAlDcnlwdG9Qcm8xCzAJBgNVBAYTAlJVMSkwJwYJKoZIhvcNAQkBFhpHb3N0" 392 + "UjM0MTAtMjAwMUBleGFtcGxlLmNvbTBjMBwGBiqFAwICEzASBgcqhQMCAiQA" 393 + "BgcqhQMCAh4BA0MABECElWh1YAIaQHUIzROMMYks/eUFA3pDXPRtKw/nTzJ+" 394 + "V4/rzBa5lYgD0Jp8ha4P5I3qprt+VsfLsN8PZrzK6hpgMAoGBiqFAwICAwUA" 395 + "A0EAHw5dw/aw/OiNvHyOE65kvyo4Hp0sfz3csM6UUkp10VO247ofNJK3tsLb" 396 + "HOLjUaqzefrlGb11WpHYrvWFg+FcLA=="); 397 398 private final byte[] emptyDNCert = Base64.decode( 399 "MIICfTCCAeagAwIBAgIBajANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJVUzEMMAoGA1UEChMD" 400 + "Q0RXMQkwBwYDVQQLEwAxCTAHBgNVBAcTADEJMAcGA1UECBMAMRowGAYDVQQDExFUZW1wbGFyIFRl" 401 + "c3QgMTAyNDEiMCAGCSqGSIb3DQEJARYTdGVtcGxhcnRlc3RAY2R3LmNvbTAeFw0wNjA1MjIwNTAw" 402 + "MDBaFw0xMDA1MjIwNTAwMDBaMHwxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNDRFcxCTAHBgNVBAsT" 403 + "ADEJMAcGA1UEBxMAMQkwBwYDVQQIEwAxGjAYBgNVBAMTEVRlbXBsYXIgVGVzdCAxMDI0MSIwIAYJ" 404 + "KoZIhvcNAQkBFhN0ZW1wbGFydGVzdEBjZHcuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB" 405 + "gQDH3aJpJBfM+A3d84j5YcU6zEQaQ76u5xO9NSBmHjZykKS2kCcUqPpvVOPDA5WgV22dtKPh+lYV" 406 + "iUp7wyCVwAKibq8HIbihHceFqMKzjwC639rMoDJ7bi/yzQWz1Zg+075a4FGPlUKn7Yfu89wKkjdW" 407 + "wDpRPXc/agqBnrx5pJTXzQIDAQABow8wDTALBgNVHQ8EBAMCALEwDQYJKoZIhvcNAQEEBQADgYEA" 408 + "RRsRsjse3i2/KClFVd6YLZ+7K1BE0WxFyY2bbytkwQJSxvv3vLSuweFUbhNxutb68wl/yW4GLy4b" 409 + "1QdyswNxrNDXTuu5ILKhRDDuWeocz83aG2KGtr3JlFyr3biWGEyn5WUOE6tbONoQDJ0oPYgI6CAc" 410 + "EHdUp0lioOCt6UOw7Cs="); 411 412 private AsymmetricKeyParameter dudPublicKey = new AsymmetricKeyParameter(true) 413 { 414 public String getAlgorithm() 415 { 416 return null; 417 } 418 419 public String getFormat() 420 { 421 return null; 422 } 423 424 public byte[] getEncoded() 425 { 426 return null; 427 } 428 429 }; 430 getName()431 public String getName() 432 { 433 return "CertTest"; 434 } 435 checkCertificate( int id, byte[] bytes)436 public void checkCertificate( 437 int id, 438 byte[] bytes) 439 { 440 try 441 { 442 X509CertificateHolder certHldr = new X509CertificateHolder(bytes); 443 444 SubjectPublicKeyInfo k = certHldr.getSubjectPublicKeyInfo(); 445 // System.out.println(cert); 446 } 447 catch (Exception e) 448 { 449 fail(e.toString()); 450 } 451 } 452 /* 453 public void checkNameCertificate( 454 int id, 455 byte[] bytes) 456 { 457 ByteArrayInputStream bIn; 458 String dump = ""; 459 460 try 461 { 462 bIn = new ByteArrayInputStream(bytes); 463 464 CertificateFactory fact = CertificateFactory.getInstance("X.509", "LKBX-BC"); 465 466 X509Certificate cert = (X509Certificate)fact.generateCertificate(bIn); 467 468 AsymmetricKeyParameter k = cert.getAsymmetricKeyParameter(); 469 if (!cert.getIssuerDN().toString().equals("C=DE,O=DATEV eG,0.2.262.1.10.7.20=1+CN=CA DATEV D03 1:PN")) 470 { 471 fail(id + " failed - name test."); 472 } 473 // System.out.println(cert); 474 } 475 catch (Exception e) 476 { 477 fail(dump + Strings.lineSeparator() + getName() + ": "+ id + " failed - exception " + e.toString(), e); 478 } 479 480 } 481 */ checkKeyUsage( int id, byte[] bytes)482 public void checkKeyUsage( 483 int id, 484 byte[] bytes) 485 throws IOException 486 { 487 488 X509CertificateHolder certHld = new X509CertificateHolder(bytes); 489 490 if ((DERBitString.getInstance(certHld.getExtension(Extension.keyUsage).getParsedValue()).getBytes()[0] & 0x01) != 0) 491 { 492 fail("error generating cert - key usage wrong."); 493 } 494 495 496 } 497 498 checkSelfSignedCertificate( int id, byte[] bytes)499 public void checkSelfSignedCertificate( 500 int id, 501 byte[] bytes) 502 throws OperatorCreationException, IOException, CertException 503 { 504 505 X509CertificateHolder certHolder = new X509CertificateHolder(bytes); 506 507 assertTrue(certHolder.isSignatureValid(new BcRSAContentVerifierProviderBuilder(digAlgFinder).build(certHolder))); 508 509 510 } 511 512 /** 513 * we generate a self signed certificate for the sake of testing - RSA 514 */ checkCreation1()515 public void checkCreation1() 516 throws Exception 517 { 518 // 519 // a sample key pair. 520 // 521 AsymmetricKeyParameter pubKey = new RSAKeyParameters( 522 false, 523 new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), 524 new BigInteger("11", 16)); 525 526 AsymmetricKeyParameter privKey = new RSAPrivateCrtKeyParameters( 527 new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), 528 new BigInteger("11", 16), 529 new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), 530 new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), 531 new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), 532 new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), 533 new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), 534 new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); 535 536 // 537 // distinguished name table. 538 // 539 X500NameBuilder builder = new X500NameBuilder(RFC4519Style.INSTANCE); 540 541 builder.addRDN(RFC4519Style.c, "AU"); 542 builder.addRDN(RFC4519Style.o, "The Legion of the Bouncy Castle"); 543 builder.addRDN(RFC4519Style.l, "Melbourne"); 544 builder.addRDN(RFC4519Style.st, "Victoria"); 545 builder.addRDN(PKCSObjectIdentifiers.pkcs_9_at_emailAddress, "feedback-crypto@bouncycastle.org"); 546 547 // 548 // extensions 549 // 550 551 // 552 // create the certificate - version 3 - without extensions 553 // 554 AlgorithmIdentifier sigAlg = sigAlgFinder.find("SHA256WithRSAEncryption"); 555 ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlg, digAlgFinder.find(sigAlg)).build(privKey); 556 X509v3CertificateBuilder certGen = new BcX509v3CertificateBuilder(builder.build(), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - 50000), new Date(System.currentTimeMillis() + 50000),builder.build(), pubKey); 557 558 X509CertificateHolder certH = certGen.build(sigGen); 559 560 assertTrue(certH.isValidOn(new Date())); 561 562 ContentVerifierProvider contentVerifierProvider = new BcRSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(pubKey); 563 564 assertTrue(certH.isSignatureValid(contentVerifierProvider)); 565 566 X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certH); 567 Set dummySet = cert.getNonCriticalExtensionOIDs(); 568 if (dummySet != null) 569 { 570 fail("non-critical oid set should be null"); 571 } 572 dummySet = cert.getCriticalExtensionOIDs(); 573 if (dummySet != null) 574 { 575 fail("critical oid set should be null"); 576 } 577 578 // 579 // create the certificate - version 3 - with extensions 580 // 581 sigGen = new BcRSAContentSignerBuilder(sigAlgFinder.find("MD5WithRSA"), digAlgFinder.find(sigAlgFinder.find("MD5withRSA"))).build(privKey); 582 certGen = new BcX509v3CertificateBuilder(builder.build(), BigInteger.valueOf(1) 583 , new Date(System.currentTimeMillis() - 50000) 584 , new Date(System.currentTimeMillis() + 50000) 585 , builder.build() 586 , pubKey) 587 .addExtension(new ASN1ObjectIdentifier("2.5.29.15"), true, 588 new KeyUsage(KeyUsage.encipherOnly)) 589 .addExtension(new ASN1ObjectIdentifier("2.5.29.37"), true, 590 new DERSequence(KeyPurposeId.anyExtendedKeyUsage)) 591 .addExtension(new ASN1ObjectIdentifier("2.5.29.17"), true, 592 new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); 593 594 X509CertificateHolder certHolder = certGen.build(sigGen); 595 596 assertTrue(certHolder.isValidOn(new Date())); 597 598 contentVerifierProvider = new BcRSAContentVerifierProviderBuilder(digAlgFinder).build(pubKey); 599 if (!certHolder.isSignatureValid(contentVerifierProvider)) 600 { 601 fail("signature test failed"); 602 } 603 604 ByteArrayInputStream bIn = new ByteArrayInputStream(certHolder.getEncoded()); 605 CertificateFactory certFact = CertificateFactory.getInstance("X.509"); 606 607 cert = (X509Certificate)certFact.generateCertificate(bIn); 608 609 if (!cert.getKeyUsage()[7]) 610 { 611 fail("error generating cert - key usage wrong."); 612 } 613 614 // System.out.println(cert); 615 616 // 617 // create the certificate - version 1 618 // 619 sigGen = new BcRSAContentSignerBuilder(sigAlgFinder.find("MD5WithRSA"), digAlgFinder.find(sigAlgFinder.find("MD5withRSA"))).build(privKey); 620 X509v1CertificateBuilder certGen1 = new BcX509v1CertificateBuilder(builder.build(), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - 50000),new Date(System.currentTimeMillis() + 50000),builder.build(),pubKey); 621 622 cert = new JcaX509CertificateConverter().getCertificate(certGen1.build(sigGen)); 623 624 assertTrue(certHolder.isValidOn(new Date())); 625 626 contentVerifierProvider = new BcRSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(pubKey); 627 628 assertTrue(certHolder.isSignatureValid(contentVerifierProvider)); 629 630 bIn = new ByteArrayInputStream(cert.getEncoded()); 631 certFact = CertificateFactory.getInstance("X.509"); 632 633 cert = (X509Certificate)certFact.generateCertificate(bIn); 634 635 // System.out.println(cert); 636 if (!cert.getIssuerDN().equals(cert.getSubjectDN())) 637 { 638 fail("name comparison fails"); 639 } 640 641 // 642 // a lightweight key pair. 643 // 644 RSAKeyParameters lwPubKey = new RSAKeyParameters( 645 false, 646 new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), 647 new BigInteger("11", 16)); 648 649 RSAPrivateCrtKeyParameters lwPrivKey = new RSAPrivateCrtKeyParameters( 650 new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), 651 new BigInteger("11", 16), 652 new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), 653 new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), 654 new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), 655 new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), 656 new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), 657 new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); 658 659 // 660 // distinguished name table. 661 // 662 builder = new X500NameBuilder(RFC4519Style.INSTANCE); 663 664 builder.addRDN(RFC4519Style.c, "AU"); 665 builder.addRDN(RFC4519Style.o, "The Legion of the Bouncy Castle"); 666 builder.addRDN(RFC4519Style.l, "Melbourne"); 667 builder.addRDN(RFC4519Style.st, "Victoria"); 668 builder.addRDN(PKCSObjectIdentifiers.pkcs_9_at_emailAddress, "feedback-crypto@bouncycastle.org"); 669 670 // 671 // extensions 672 // 673 674 // 675 // create the certificate - version 3 - without extensions 676 // 677 AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WithRSAEncryption"); 678 AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); 679 680 sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(lwPrivKey); 681 SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(lwPubKey); 682 certGen = new X509v3CertificateBuilder(builder.build(), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - 50000), new Date(System.currentTimeMillis() + 50000), builder.build(), pubInfo); 683 684 certHolder = certGen.build(sigGen); 685 686 assertTrue(certHolder.isValidOn(new Date())); 687 688 contentVerifierProvider = new BcRSAContentVerifierProviderBuilder(new DefaultDigestAlgorithmIdentifierFinder()).build(lwPubKey); 689 690 assertTrue(certHolder.isSignatureValid(contentVerifierProvider)); 691 692 if (!certHolder.isSignatureValid(contentVerifierProvider)) 693 { 694 fail("lw sig verification failed"); 695 } 696 } 697 698 /** 699 * we generate a self signed certificate for the sake of testing - DSA 700 */ checkCreation2()701 public void checkCreation2() 702 throws Exception 703 { 704 // 705 // set up the keys 706 // 707 AsymmetricKeyParameter privKey; 708 AsymmetricKeyParameter pubKey; 709 710 AsymmetricCipherKeyPairGenerator kpg = new DSAKeyPairGenerator(); 711 BigInteger r = new BigInteger("68076202252361894315274692543577577550894681403"); 712 BigInteger s = new BigInteger("1089214853334067536215539335472893651470583479365"); 713 DSAParametersGenerator pGen = new DSAParametersGenerator(); 714 715 pGen.init(512, 80, new SecureRandom()); 716 717 DSAParameters params = pGen.generateParameters(); 718 DSAKeyGenerationParameters genParam = new DSAKeyGenerationParameters(new SecureRandom(), params); 719 720 kpg.init(genParam); 721 722 AsymmetricCipherKeyPair pair = kpg.generateKeyPair(); 723 724 privKey = (AsymmetricKeyParameter)pair.getPrivate(); 725 pubKey = (AsymmetricKeyParameter)pair.getPublic(); 726 727 // 728 // distinguished name table. 729 // 730 X500NameBuilder builder = createStdBuilder(); 731 732 // 733 // extensions 734 // 735 736 // 737 // create the certificate - version 3 738 // 739 AlgorithmIdentifier sigAlgId = sigAlgFinder.find("SHA1withDSA"); 740 AlgorithmIdentifier digAlgId = digAlgFinder.find(sigAlgId); 741 742 ContentSigner sigGen = new BcDSAContentSignerBuilder(sigAlgId, digAlgId).build(privKey); 743 X509v3CertificateBuilder certGen = new BcX509v3CertificateBuilder(builder.build(),BigInteger.valueOf(1),new Date(System.currentTimeMillis() - 50000),new Date(System.currentTimeMillis() + 50000),builder.build(),pubKey); 744 745 746 X509CertificateHolder cert = certGen.build(sigGen); 747 748 assertTrue(cert.isValidOn(new Date())); 749 750 assertTrue(cert.isSignatureValid(new BcDSAContentVerifierProviderBuilder(digAlgFinder).build(pubKey))); 751 752 753 // 754 // create the certificate - version 1 755 // 756 sigAlgId = sigAlgFinder.find("SHA1withDSA"); 757 digAlgId = digAlgFinder.find(sigAlgId); 758 759 sigGen = new BcDSAContentSignerBuilder(sigAlgId, digAlgId).build(privKey); 760 X509v1CertificateBuilder certGen1 = new BcX509v1CertificateBuilder(builder.build(),BigInteger.valueOf(1),new Date(System.currentTimeMillis() - 50000),new Date(System.currentTimeMillis() + 50000),builder.build(),pubKey); 761 762 cert = certGen1.build(sigGen); 763 764 assertTrue(cert.isValidOn(new Date())); 765 766 assertTrue(cert.isSignatureValid(new BcDSAContentVerifierProviderBuilder(digAlgFinder).build(pubKey))); 767 768 AsymmetricKeyParameter certPubKey = PublicKeyFactory.createKey(cert.getSubjectPublicKeyInfo()); 769 770 assertTrue(cert.isSignatureValid(new BcDSAContentVerifierProviderBuilder(digAlgFinder).build(certPubKey))); 771 772 ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); 773 CertificateFactory fact = CertificateFactory.getInstance("X.509"); 774 775 X509Certificate x509cert = (X509Certificate)fact.generateCertificate(bIn); 776 777 //System.out.println(cert); 778 } 779 createStdBuilder()780 private X500NameBuilder createStdBuilder() 781 { 782 X500NameBuilder builder = new X500NameBuilder(RFC4519Style.INSTANCE); 783 784 builder.addRDN(RFC4519Style.c, "AU"); 785 builder.addRDN(RFC4519Style.o, "The Legion of the Bouncy Castle"); 786 builder.addRDN(RFC4519Style.l, "Melbourne"); 787 builder.addRDN(RFC4519Style.st, "Victoria"); 788 builder.addRDN(PKCSObjectIdentifiers.pkcs_9_at_emailAddress, "feedback-crypto@bouncycastle.org"); 789 790 return builder; 791 } 792 checkCRL( int id, byte[] bytes)793 private void checkCRL( 794 int id, 795 byte[] bytes) 796 { 797 String dump = ""; 798 799 try 800 { 801 X509CRLHolder crlHolder = new X509CRLHolder(bytes); 802 803 } 804 catch (Exception e) 805 { 806 fail(dump + Strings.lineSeparator() + getName() + ": "+ id + " failed - exception " + e.toString()); 807 } 808 809 } 810 checkCRLCreation1()811 public void checkCRLCreation1() 812 throws Exception 813 { 814 AsymmetricCipherKeyPairGenerator kpg = new RSAKeyPairGenerator(); 815 RSAKeyGenerationParameters genParam = new RSAKeyGenerationParameters( 816 BigInteger.valueOf(0x1001), new SecureRandom(), 1024, 25); 817 818 kpg.init(genParam); 819 820 AsymmetricCipherKeyPair pair = kpg.generateKeyPair(); 821 Date now = new Date(); 822 823 X509v2CRLBuilder crlGen = new X509v2CRLBuilder(new X500Name("CN=Test CA"), now); 824 825 BcX509ExtensionUtils extFact = new BcX509ExtensionUtils(new SHA1DigestCalculator()); 826 827 crlGen.setNextUpdate(new Date(now.getTime() + 100000)); 828 829 crlGen.addCRLEntry(BigInteger.ONE, now, CRLReason.privilegeWithdrawn); 830 831 crlGen.addExtension(Extension.authorityKeyIdentifier, false, extFact.createAuthorityKeyIdentifier(pair.getPublic())); 832 833 AlgorithmIdentifier sigAlg = sigAlgFinder.find("SHA256withRSAEncryption"); 834 AlgorithmIdentifier digAlg = digAlgFinder.find(sigAlg); 835 836 X509CRLHolder crl = crlGen.build(new BcRSAContentSignerBuilder(sigAlg, digAlg).build(pair.getPrivate())); 837 838 if (!crl.getIssuer().equals(new X500Name("CN=Test CA"))) 839 { 840 fail("failed CRL issuer test"); 841 } 842 843 Extension authExt = crl.getExtension(Extension.authorityKeyIdentifier); 844 845 if (authExt == null) 846 { 847 fail("failed to find CRL extension"); 848 } 849 850 AuthorityKeyIdentifier authId = AuthorityKeyIdentifier.getInstance(authExt.getParsedValue()); 851 852 X509CRLEntryHolder entry = crl.getRevokedCertificate(BigInteger.ONE); 853 854 if (entry == null) 855 { 856 fail("failed to find CRL entry"); 857 } 858 859 if (!entry.getSerialNumber().equals(BigInteger.ONE)) 860 { 861 fail("CRL cert serial number does not match"); 862 } 863 864 if (!entry.hasExtensions()) 865 { 866 fail("CRL entry extension not found"); 867 } 868 869 Extension ext = entry.getExtension(Extension.reasonCode); 870 871 if (ext != null) 872 { 873 ASN1Enumerated reasonCode = ASN1Enumerated.getInstance(ext.getParsedValue()); 874 875 if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn) 876 { 877 fail("CRL entry reasonCode wrong"); 878 } 879 } 880 else 881 { 882 fail("CRL entry reasonCode not found"); 883 } 884 } 885 checkCRLCreation2()886 public void checkCRLCreation2() 887 throws Exception 888 { 889 AsymmetricCipherKeyPairGenerator kpg = new RSAKeyPairGenerator(); 890 RSAKeyGenerationParameters genParam = new RSAKeyGenerationParameters( 891 BigInteger.valueOf(0x1001), new SecureRandom(), 1024, 25); 892 893 kpg.init(genParam); 894 895 AsymmetricCipherKeyPair pair = kpg.generateKeyPair(); 896 Date now = new Date(); 897 898 X509v2CRLBuilder crlGen = new X509v2CRLBuilder(new X500Name("CN=Test CA"), now); 899 900 crlGen.setNextUpdate(new Date(now.getTime() + 100000)); 901 902 ExtensionsGenerator extGen = new ExtensionsGenerator(); 903 904 CRLReason crlReason = CRLReason.lookup(CRLReason.privilegeWithdrawn); 905 906 extGen.addExtension(Extension.reasonCode, false, crlReason); 907 908 BcX509ExtensionUtils extFact = new BcX509ExtensionUtils(new SHA1DigestCalculator()); 909 910 crlGen.addCRLEntry(BigInteger.ONE, now, extGen.generate()); 911 912 crlGen.addExtension(Extension.authorityKeyIdentifier, false, extFact.createAuthorityKeyIdentifier((AsymmetricKeyParameter)pair.getPublic())); 913 914 AlgorithmIdentifier sigAlg = sigAlgFinder.find("SHA256withRSAEncryption"); 915 AlgorithmIdentifier digAlg = digAlgFinder.find(sigAlg); 916 917 X509CRLHolder crlHolder = crlGen.build(new BcRSAContentSignerBuilder(sigAlg, digAlg).build((AsymmetricKeyParameter)pair.getPrivate())); 918 919 if (!crlHolder.getIssuer().equals(new X500Name("CN=Test CA"))) 920 { 921 fail("failed CRL issuer test"); 922 } 923 924 Extension authExt = crlHolder.getExtension(Extension.authorityKeyIdentifier); 925 926 if (authExt == null) 927 { 928 fail("failed to find CRL extension"); 929 } 930 931 AuthorityKeyIdentifier authId = AuthorityKeyIdentifier.getInstance(authExt.getParsedValue()); 932 933 X509CRLEntryHolder entry = crlHolder.getRevokedCertificate(BigInteger.ONE); 934 935 if (entry == null) 936 { 937 fail("failed to find CRL entry"); 938 } 939 940 if (!entry.getSerialNumber().equals(BigInteger.ONE)) 941 { 942 fail("CRL cert serial number does not match"); 943 } 944 945 if (!entry.hasExtensions()) 946 { 947 fail("CRL entry extension not found"); 948 } 949 950 Extension ext = entry.getExtension(Extension.reasonCode); 951 952 if (ext != null) 953 { 954 ASN1Enumerated reasonCode = ASN1Enumerated.getInstance(ext.getParsedValue()); 955 956 if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn) 957 { 958 fail("CRL entry reasonCode wrong"); 959 } 960 } 961 else 962 { 963 fail("CRL entry reasonCode not found"); 964 } 965 } 966 checkCRLCreation3()967 public void checkCRLCreation3() 968 throws Exception 969 { 970 AsymmetricCipherKeyPairGenerator kpg = new RSAKeyPairGenerator(); 971 RSAKeyGenerationParameters genParam = new RSAKeyGenerationParameters( 972 BigInteger.valueOf(0x1001), new SecureRandom(), 1024, 25); 973 974 kpg.init(genParam); 975 976 AsymmetricCipherKeyPair pair = kpg.generateKeyPair(); 977 Date now = new Date(); 978 X509v2CRLBuilder crlGen = new X509v2CRLBuilder(new X500Name("CN=Test CA"), now); 979 980 crlGen.setNextUpdate(new Date(now.getTime() + 100000)); 981 982 ExtensionsGenerator extGen = new ExtensionsGenerator(); 983 984 CRLReason crlReason = CRLReason.lookup(CRLReason.privilegeWithdrawn); 985 986 extGen.addExtension(Extension.reasonCode, false, crlReason); 987 988 BcX509ExtensionUtils extFact = new BcX509ExtensionUtils(new SHA1DigestCalculator()); 989 990 Extensions entryExtensions = extGen.generate(); 991 992 crlGen.addCRLEntry(BigInteger.ONE, now, entryExtensions); 993 994 crlGen.addExtension(Extension.authorityKeyIdentifier, false, extFact.createAuthorityKeyIdentifier((AsymmetricKeyParameter)pair.getPublic())); 995 996 AlgorithmIdentifier sigAlg = sigAlgFinder.find("SHA256withRSAEncryption"); 997 AlgorithmIdentifier digAlg = digAlgFinder.find(sigAlg); 998 999 X509CRLHolder crlHolder = crlGen.build(new BcRSAContentSignerBuilder(sigAlg, digAlg).build((AsymmetricKeyParameter)pair.getPrivate())); 1000 1001 if (!crlHolder.getIssuer().equals(new X500Name("CN=Test CA"))) 1002 { 1003 fail("failed CRL issuer test"); 1004 } 1005 1006 Extension authExt = crlHolder.getExtension(Extension.authorityKeyIdentifier); 1007 1008 if (authExt == null) 1009 { 1010 fail("failed to find CRL extension"); 1011 } 1012 1013 AuthorityKeyIdentifier authId = AuthorityKeyIdentifier.getInstance(authExt.getParsedValue()); 1014 1015 X509CRLEntryHolder entry = crlHolder.getRevokedCertificate(BigInteger.ONE); 1016 1017 if (entry == null) 1018 { 1019 fail("failed to find CRL entry"); 1020 } 1021 1022 if (!entry.getSerialNumber().equals(BigInteger.ONE)) 1023 { 1024 fail("CRL cert serial number does not match"); 1025 } 1026 1027 if (!entry.hasExtensions()) 1028 { 1029 fail("CRL entry extension not found"); 1030 } 1031 1032 Extension ext = entry.getExtension(Extension.reasonCode); 1033 1034 if (ext != null) 1035 { 1036 ASN1Enumerated reasonCode = ASN1Enumerated.getInstance(ext.getParsedValue()); 1037 1038 if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn) 1039 { 1040 fail("CRL entry reasonCode wrong"); 1041 } 1042 } 1043 else 1044 { 1045 fail("CRL entry reasonCode not found"); 1046 } 1047 1048 // 1049 // check loading of existing CRL 1050 // 1051 now = new Date(); 1052 crlGen = new X509v2CRLBuilder(new X500Name("CN=Test CA"), now); 1053 1054 crlGen.setNextUpdate(new Date(now.getTime() + 100000)); 1055 1056 crlGen.addCRL(crlHolder); 1057 1058 crlGen.addCRLEntry(BigInteger.valueOf(2), now, entryExtensions); 1059 1060 crlGen.addExtension(Extension.authorityKeyIdentifier, false, extFact.createAuthorityKeyIdentifier(pair.getPublic())); 1061 1062 crlHolder = crlGen.build(new BcRSAContentSignerBuilder(sigAlg, digAlg).build(pair.getPrivate())); 1063 1064 int count = 0; 1065 boolean oneFound = false; 1066 boolean twoFound = false; 1067 1068 Iterator it = crlHolder.getRevokedCertificates().iterator(); 1069 while (it.hasNext()) 1070 { 1071 X509CRLEntryHolder crlEnt = (X509CRLEntryHolder)it.next(); 1072 1073 if (crlEnt.getSerialNumber().intValue() == 1) 1074 { 1075 oneFound = true; 1076 Extension extn = crlEnt.getExtension(Extension.reasonCode); 1077 1078 if (extn != null) 1079 { 1080 ASN1Enumerated reasonCode = ASN1Enumerated.getInstance(extn.getParsedValue()); 1081 1082 if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn) 1083 { 1084 fail("CRL entry reasonCode wrong on recheck"); 1085 } 1086 } 1087 else 1088 { 1089 fail("CRL entry reasonCode not found on recheck"); 1090 } 1091 } 1092 else if (crlEnt.getSerialNumber().intValue() == 2) 1093 { 1094 twoFound = true; 1095 } 1096 1097 count++; 1098 } 1099 1100 if (count != 2) 1101 { 1102 fail("wrong number of CRLs found, got: " + count); 1103 } 1104 1105 if (!oneFound || !twoFound) 1106 { 1107 fail("wrong CRLs found in copied list"); 1108 } 1109 1110 // 1111 // check factory read back 1112 // 1113 CertificateFactory cFact = CertificateFactory.getInstance("X.509"); 1114 1115 X509CRL readCrl = (X509CRL)cFact.generateCRL(new ByteArrayInputStream(crlHolder.getEncoded())); 1116 1117 if (readCrl == null) 1118 { 1119 fail("crl not returned!"); 1120 } 1121 1122 Collection col = cFact.generateCRLs(new ByteArrayInputStream(crlHolder.getEncoded())); 1123 1124 if (col.size() != 1) 1125 { 1126 fail("wrong number of CRLs found in collection"); 1127 } 1128 } 1129 checkCreation5()1130 public void checkCreation5() 1131 throws Exception 1132 { 1133 // 1134 // a sample key pair. 1135 // 1136 AsymmetricKeyParameter pubKey = new RSAKeyParameters( 1137 false, 1138 new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), 1139 new BigInteger("11", 16)); 1140 1141 AsymmetricKeyParameter privKey = new RSAPrivateCrtKeyParameters( 1142 new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), 1143 new BigInteger("11", 16), 1144 new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), 1145 new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), 1146 new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), 1147 new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), 1148 new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), 1149 new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); 1150 1151 // 1152 // set up the keys 1153 // 1154 SecureRandom rand = new SecureRandom(); 1155 1156 // 1157 // distinguished name table. 1158 // 1159 X500NameBuilder builder = createStdBuilder(); 1160 1161 // 1162 // create base certificate - version 3 1163 // 1164 AlgorithmIdentifier sigAlg = sigAlgFinder.find("MD5WithRSA"); 1165 AlgorithmIdentifier digAlg = digAlgFinder.find(sigAlg); 1166 1167 ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlg, digAlg).build(privKey); 1168 ASN1ObjectIdentifier extOid = new ASN1ObjectIdentifier("2.5.29.37"); 1169 X509v3CertificateBuilder certGen = new BcX509v3CertificateBuilder(builder.build(),BigInteger.valueOf(1),new Date(System.currentTimeMillis() - 50000),new Date(System.currentTimeMillis() + 50000),builder.build(),pubKey) 1170 .addExtension(new ASN1ObjectIdentifier("2.5.29.15"), true, 1171 new KeyUsage(KeyUsage.encipherOnly)) 1172 .addExtension(extOid, true, 1173 new DERSequence(KeyPurposeId.anyExtendedKeyUsage)) 1174 .addExtension(new ASN1ObjectIdentifier("2.5.29.17"), true, 1175 new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); 1176 1177 X509CertificateHolder baseCert = certGen.build(sigGen); 1178 1179 // 1180 // copy certificate 1181 // 1182 1183 certGen = new BcX509v3CertificateBuilder(builder.build(),BigInteger.valueOf(1),new Date(System.currentTimeMillis() - 50000),new Date(System.currentTimeMillis() + 50000),builder.build(),pubKey) 1184 .copyAndAddExtension(new ASN1ObjectIdentifier("2.5.29.15"), true, baseCert) 1185 .copyAndAddExtension(extOid, false, baseCert); 1186 1187 X509CertificateHolder cert = certGen.build(sigGen); 1188 1189 assertTrue(cert.isValidOn(new Date())); 1190 1191 assertTrue(cert.isSignatureValid(new BcRSAContentVerifierProviderBuilder(digAlgFinder).build(pubKey))); 1192 1193 if (!baseCert.getExtension(new ASN1ObjectIdentifier("2.5.29.15")).equals(cert.getExtension(new ASN1ObjectIdentifier("2.5.29.15")))) 1194 { 1195 fail("2.5.29.15 differs"); 1196 } 1197 1198 assertTrue(baseCert.getExtension(extOid).getExtnId().equals(cert.getExtension(extOid).getExtnId())); 1199 assertFalse(baseCert.getExtension(extOid).isCritical() == cert.getExtension(extOid).isCritical()); 1200 if (!baseCert.getExtension(extOid).getParsedValue().equals(cert.getExtension(extOid).getParsedValue())) 1201 { 1202 fail("2.5.29.37 differs"); 1203 } 1204 1205 // 1206 // exception test 1207 // 1208 1209 try 1210 { 1211 certGen.copyAndAddExtension(new ASN1ObjectIdentifier("2.5.99.99"), true, baseCert); 1212 1213 fail("exception not thrown on dud extension copy"); 1214 } 1215 catch (NullPointerException e) 1216 { 1217 // expected 1218 } 1219 1220 // try 1221 // { 1222 // certGen.setPublicKey(dudPublicKey); 1223 // 1224 // certGen.generate(privKey, BC); 1225 // 1226 // fail("key without encoding not detected in v3"); 1227 // } 1228 // catch (IllegalArgumentException e) 1229 // { 1230 // // expected 1231 // } 1232 1233 } 1234 testForgedSignature()1235 public void testForgedSignature() 1236 throws Exception 1237 { 1238 String cert = "MIIBsDCCAVoCAQYwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV" 1239 + "BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD" 1240 + "VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw0wNjA5MTEyMzU4NTVa" 1241 + "Fw0wNjEwMTEyMzU4NTVaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNs" 1242 + "YW5kMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEjMCEGA1UEAxMaU2VydmVy" 1243 + "IHRlc3QgY2VydCAoNTEyIGJpdCkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PD" 1244 + "hCeV/xIxUg8V70YRxK2A5jZbD92A12GN4PxyRQk0/lVmRUNMaJdq/qigpd9feP/u" 1245 + "12S4PwTLb/8q/v657QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAbynCRIlUQgaqyNgU" 1246 + "DF6P14yRKUtX8akOP2TwStaSiVf/akYqfLFm3UGka5XbPj4rifrZ0/sOoZEEBvHQ" 1247 + "e20sRA=="; 1248 1249 X509CertificateHolder hldr = new X509CertificateHolder(Base64.decode(cert)); 1250 1251 assertFalse(hldr.isSignatureValid(new BcRSAContentVerifierProviderBuilder(digAlgFinder).build(hldr))); 1252 } 1253 pemTest()1254 private void pemTest() 1255 throws Exception 1256 { 1257 CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); 1258 1259 X509Certificate cert = readPEMCert(cf, PEMData.CERTIFICATE_1); 1260 if (cert == null) 1261 { 1262 fail("PEM cert not read"); 1263 } 1264 cert = readPEMCert(cf, "-----BEGIN CERTIFICATE-----" + PEMData.CERTIFICATE_2); 1265 if (cert == null) 1266 { 1267 fail("PEM cert with extraneous header not read"); 1268 } 1269 CRL crl = cf.generateCRL(new ByteArrayInputStream(PEMData.CRL_1.getBytes("US-ASCII"))); 1270 if (crl == null) 1271 { 1272 fail("PEM crl not read"); 1273 } 1274 Collection col = cf.generateCertificates(new ByteArrayInputStream(PEMData.CERTIFICATE_2.getBytes("US-ASCII"))); 1275 if (col.size() != 1 || !col.contains(cert)) 1276 { 1277 fail("PEM cert collection not right"); 1278 } 1279 col = cf.generateCRLs(new ByteArrayInputStream(PEMData.CRL_2.getBytes("US-ASCII"))); 1280 if (col.size() != 1 || !col.contains(crl)) 1281 { 1282 fail("PEM crl collection not right"); 1283 } 1284 } 1285 readPEMCert(CertificateFactory cf, String pemData)1286 private static X509Certificate readPEMCert(CertificateFactory cf, String pemData) 1287 throws CertificateException, UnsupportedEncodingException 1288 { 1289 return (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(pemData.getBytes("US-ASCII"))); 1290 } 1291 createPSSCert(String algorithm)1292 private void createPSSCert(String algorithm) 1293 throws Exception 1294 { 1295 AsymmetricCipherKeyPair pair = generateLongFixedKeys(); 1296 1297 AsymmetricKeyParameter privKey = (AsymmetricKeyParameter)pair.getPrivate(); 1298 AsymmetricKeyParameter pubKey = (AsymmetricKeyParameter)pair.getPublic(); 1299 1300 // 1301 // distinguished name table. 1302 // 1303 1304 X500NameBuilder builder = createStdBuilder(); 1305 1306 // 1307 // create base certificate - version 3 1308 // 1309 BcX509ExtensionUtils extFact = new BcX509ExtensionUtils(new SHA1DigestCalculator()); 1310 1311 AlgorithmIdentifier sigAlgId = sigAlgFinder.find(algorithm); 1312 AlgorithmIdentifier digAlgId = digAlgFinder.find(sigAlgId); 1313 1314 ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privKey); 1315 BcX509v3CertificateBuilder certGen = new BcX509v3CertificateBuilder(builder.build(),BigInteger.valueOf(1), 1316 new Date(System.currentTimeMillis() - 50000),new Date(System.currentTimeMillis() + 50000),builder.build(),pubKey); 1317 1318 certGen.addExtension(new ASN1ObjectIdentifier("2.5.29.15"), true, 1319 new KeyUsage(KeyUsage.encipherOnly)); 1320 certGen.addExtension(new ASN1ObjectIdentifier("2.5.29.37"), true, 1321 new DERSequence(KeyPurposeId.anyExtendedKeyUsage)); 1322 certGen.addExtension(new ASN1ObjectIdentifier("2.5.29.17"), true, 1323 new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); 1324 1325 certGen.addExtension(Extension.authorityKeyIdentifier, true, extFact.createAuthorityKeyIdentifier(pubKey)); 1326 1327 X509CertificateHolder baseCert = certGen.build(sigGen); 1328 1329 assertTrue(baseCert.isSignatureValid(new BcRSAContentVerifierProviderBuilder(digAlgFinder).build(pubKey))); 1330 } 1331 generateLongFixedKeys()1332 private AsymmetricCipherKeyPair generateLongFixedKeys() 1333 { 1334 RSAKeyParameters pubKeySpec = new RSAKeyParameters( 1335 false, 1336 new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), 1337 new BigInteger("010001",16)); 1338 1339 RSAKeyParameters privKeySpec = new RSAPrivateCrtKeyParameters( 1340 new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), 1341 new BigInteger("010001",16), 1342 new BigInteger("33a5042a90b27d4f5451ca9bbbd0b44771a101af884340aef9885f2a4bbe92e894a724ac3c568c8f97853ad07c0266c8c6a3ca0929f1e8f11231884429fc4d9ae55fee896a10ce707c3ed7e734e44727a39574501a532683109c2abacaba283c31b4bd2f53c3ee37e352cee34f9e503bd80c0622ad79c6dcee883547c6a3b325",16), 1343 new BigInteger("e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443",16), 1344 new BigInteger("b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd",16), 1345 new BigInteger("28fa13938655be1f8a159cbaca5a72ea190c30089e19cd274a556f36c4f6e19f554b34c077790427bbdd8dd3ede2448328f385d81b30e8e43b2fffa027861979",16), 1346 new BigInteger("1a8b38f398fa712049898d7fb79ee0a77668791299cdfa09efc0e507acb21ed74301ef5bfd48be455eaeb6e1678255827580a8e4e8e14151d1510a82a3f2e729",16), 1347 new BigInteger("27156aba4126d24a81f3a528cbfb27f56886f840a9f6e86e17a44b94fe9319584b8e22fdde1e5a2e3bd8aa5ba8d8584194eb2190acf832b847f13a3d24a79f4d",16)); 1348 1349 return new AsymmetricCipherKeyPair(pubKeySpec, privKeySpec); 1350 } 1351 testNullDerNullCert()1352 public void testNullDerNullCert() 1353 throws Exception 1354 { 1355 AsymmetricCipherKeyPair pair = generateLongFixedKeys(); 1356 AsymmetricKeyParameter pubKey = (AsymmetricKeyParameter)pair.getPublic(); 1357 AsymmetricKeyParameter privKey = (AsymmetricKeyParameter)pair.getPrivate(); 1358 1359 DefaultSignatureAlgorithmIdentifierFinder sigAlgFinder = new DefaultSignatureAlgorithmIdentifierFinder(); 1360 DefaultDigestAlgorithmIdentifierFinder digAlgFinder = new DefaultDigestAlgorithmIdentifierFinder(); 1361 1362 AlgorithmIdentifier sigAlgId = sigAlgFinder.find("MD5withRSA"); 1363 AlgorithmIdentifier digAlgId = digAlgFinder.find(sigAlgId); 1364 1365 ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privKey); 1366 BcX509v3CertificateBuilder certGen = new BcX509v3CertificateBuilder(new X500Name("CN=Test"),BigInteger.valueOf(1),new Date(System.currentTimeMillis() - 50000),new Date(System.currentTimeMillis() + 50000),new X500Name("CN=Test"),pubKey); 1367 X509CertificateHolder cert = certGen.build(sigGen); 1368 1369 Certificate struct = Certificate.getInstance(cert.getEncoded()); 1370 1371 ASN1Object tbsCertificate = struct.getTBSCertificate(); 1372 AlgorithmIdentifier sig = struct.getSignatureAlgorithm(); 1373 1374 ASN1EncodableVector v = new ASN1EncodableVector(); 1375 1376 v.add(tbsCertificate); 1377 v.add(new AlgorithmIdentifier(sig.getAlgorithm())); 1378 v.add(struct.getSignature()); 1379 1380 // verify 1381 ByteArrayInputStream bIn; 1382 String dump = ""; 1383 1384 bIn = new ByteArrayInputStream(new DERSequence(v).getEncoded()); 1385 1386 cert = new X509CertificateHolder(new DERSequence(v).getEncoded()); 1387 1388 assertTrue(cert.isSignatureValid(new BcRSAContentVerifierProviderBuilder(digAlgFinder).build(pubKey))); 1389 } 1390 testCertificates()1391 public void testCertificates() 1392 throws Exception 1393 { 1394 checkCertificate(1, cert1); 1395 checkCertificate(2, cert2); 1396 checkCertificate(3, cert3); 1397 checkCertificate(4, cert4); 1398 checkCertificate(5, cert5); 1399 //checkCertificate(7, cert7); 1400 1401 checkKeyUsage(8, keyUsage); 1402 1403 checkSelfSignedCertificate(11, probSelfSignedCert); 1404 1405 checkCRL(1, crl1); 1406 1407 checkCreation1(); 1408 checkCreation2(); 1409 checkCreation5(); 1410 1411 createPSSCert("SHA1withRSAandMGF1"); 1412 createPSSCert("SHA224withRSAandMGF1"); 1413 createPSSCert("SHA256withRSAandMGF1"); 1414 createPSSCert("SHA384withRSAandMGF1"); 1415 1416 checkCRLCreation1(); 1417 checkCRLCreation2(); 1418 checkCRLCreation3(); 1419 1420 pemTest(); 1421 1422 checkCertificate(18, emptyDNCert); 1423 } 1424 } 1425