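// Read the whole GetCACert response body; an empty reply is a failure.
        int b = in.read();
        while (b != -1) {
            baos.write(b);
            b = in.read();
        }
        baos.flush();
        in.close();
        byte[] respBytes = baos.toByteArray();
        assertNotNull("Response can not be null.", respBytes);
        assertTrue(respBytes.length > 0);
        X509Certificate cert = CertTools.getCertfromByteArray(respBytes);
        // Check that we got the right cert back
        assertEquals(cacert.getSubjectDN().getName(), cert.getSubjectDN().getName());
        log.debug(">test07ScepGetCACert()");
    }

    /**
     * Requests the CA's CRL over SCEP using an HTTP GET (the PKCS#7 message is
     * passed base64-encoded in the URL) and verifies the signed, enveloped reply.
     * <p>
     * {@link #genScepRequest} stores the sender nonce and transaction id in the
     * fields {@code senderNonce}/{@code transId}; {@link #checkScepResponse}
     * then requires the reply to echo exactly those values, which is what ties
     * the reply to this request.
     *
     * @throws Exception if request generation, transport or verification fails
     */
    public void test08ScepGetCrl() throws Exception {
        log.debug(">test08ScepGetCrl()");
        byte[] msgBytes = genScepRequest(true, CMSSignedDataGenerator.DIGEST_SHA1);
        // Send message with GET
        byte[] retMsg = sendScep(false, msgBytes, false);
        assertNotNull(retMsg);
        checkScepResponse(retMsg, "C=SE,O=PrimeKey,CN=sceptest", senderNonce, transId, true,
                CMSSignedDataGenerator.DIGEST_SHA1, false);
        log.debug(">test08ScepGetCrl()");
    }

    /**
     * Fetches the CA capabilities (GetCACaps) with a plain HTTP GET and checks
     * that the server advertises exactly {@code POSTPKIOperation} and
     * {@code SHA-1}, as text/plain.
     * <p>
     * The body is compared as text, so it is decoded with a fixed charset
     * rather than the platform default, and the input stream is closed in a
     * {@code finally} block so a failed read does not leak the connection.
     *
     * @throws Exception on transport failure or an unexpected reply
     */
    public void test09ScepGetCACaps() throws Exception {
        log.debug(">test09ScepGetCACaps()");
        // The CA name travels in the query string; encode it so that a name with
        // spaces or reserved characters still forms a valid URL.
        String reqUrl = httpReqPath + '/' + resourceScep + "?operation=GetCACaps&message="
                + URLEncoder.encode(caname, "UTF-8");
        URL url = new URL(reqUrl);
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setRequestMethod("GET");
        con.connect();
        assertEquals("Response code", 200, con.getResponseCode());
        assertEquals("Content-Type", "text/plain", con.getContentType());
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        // This works for small requests, and SCEP requests are small enough
        InputStream in = con.getInputStream();
        try {
            int b = in.read();
            while (b != -1) {
                baos.write(b);
                b = in.read();
            }
        } finally {
            in.close();
        }
        byte[] respBytes = baos.toByteArray();
        assertNotNull("Response can not be null.", respBytes);
        assertTrue(respBytes.length > 0);
        // Expected value first, so a failure message reads the right way round.
        assertEquals("POSTPKIOperation\nSHA-1", new String(respBytes, "UTF-8"));
        log.debug(">test09ScepGetCACaps()");
    }

    /**
     * Removes the test end entity created by {@link #createScepUser}, so that a
     * re-run of the suite starts from a clean state.
     *
     * @throws Exception if the user session call fails
     */
    public void test99CleanUp() throws Exception {
        // remove user
        usersession.deleteUser(admin, "sceptest");
        log.debug("deleted user: sceptest");
    }

    //
    // Private helper methods
    //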
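// Helpers: create the test end entity, build SCEP requests, send them over HTTP and verify the replies.

    /**
     * Makes sure the end entity {@code sceptest} exists and is in status NEW.
     * <p>
     * The entity is created with a fixed test password and DN. If it already
     * exists (reported either as a bare {@code DuplicateKeyException} or as the
     * {@code detail} of a {@code RemoteException}) its status is reset to NEW so
     * that a fresh enrollment is allowed. Any other {@code RemoteException} is
     * rethrown rather than ignored, so a broken fixture fails here instead of in
     * a later test that silently finds no user.
     *
     * @throws RemoteException for remote failures other than "user already exists"
     * @throws AuthorizationDeniedException as declared by the user session calls
     * @throws FinderException as declared by the user session calls
     * @throws UserDoesntFullfillEndEntityProfile as declared by the user session calls
     */
    private void createScepUser() throws RemoteException, AuthorizationDeniedException, FinderException, UserDoesntFullfillEndEntityProfile {
        // Make user that we know...
        boolean userExists = false;
        try {
            usersession.addUser(admin, "sceptest", "foo123", "C=SE,O=PrimeKey,CN=sceptest", null, "ocsptest@anatom.se", false,
                    SecConst.EMPTY_ENDENTITYPROFILE, SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.USER_ENDUSER,
                    SecConst.TOKEN_SOFT_PEM, 0, caid);
            log.debug("created user: sceptest, foo123, C=SE, O=PrimeKey, CN=sceptest");
        } catch (RemoteException re) {
            if (re.detail instanceof DuplicateKeyException) {
                userExists = true;
            } else {
                // Not the duplicate case: do not hide the failure behind a missing user.
                throw re;
            }
        } catch (DuplicateKeyException dke) {
            userExists = true;
        }
        if (userExists) {
            log.debug("User sceptest already exists.");
            usersession.setUserStatus(admin, "sceptest", UserDataConstants.STATUS_NEW);
            log.debug("Reset status to NEW");
        }
    }

    /**
     * Builds a SCEP PKIOperation request for the test user, signed with the
     * test key pair and using the given digest algorithm.
     * <p>
     * Side effects: the generator's transaction id and sender nonce are stored
     * in the fields {@code transId} and {@code senderNonce} so that
     * {@link #checkScepResponse} can verify the reply echoes them. Both are
     * checked to be base64 encodings of 16 bytes.
     *
     * @param makeCrlReq {@code true} for a GetCRL request, {@code false} for a PKCSReq (certificate request)
     * @param digestoid  OID of the digest algorithm to sign the request with
     * @return the DER-encoded request
     * @throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException,
     *         SignatureException, InvalidAlgorithmParameterException,
     *         CertStoreException, IOException, CMSException as declared by the generator
     */
    private byte[] genScepRequest(boolean makeCrlReq, String digestoid) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, InvalidAlgorithmParameterException, CertStoreException, IOException, CMSException {
        ScepRequestGenerator gen = new ScepRequestGenerator();
        gen.setKeys(keys);
        gen.setDigestOid(digestoid);
        byte[] msgBytes;
        if (makeCrlReq) {
            msgBytes = gen.generateCrlReq("C=SE, O=PrimeKey, CN=sceptest", cacert);
        } else {
            msgBytes = gen.generateCertReq("C=SE, O=PrimeKey, CN=sceptest", "foo123", cacert);
        }
        assertNotNull(msgBytes);
        transId = gen.getTransactionId();
        assertNotNull(transId);
        // Base64 text is ASCII; decode with a fixed charset anyway so the test
        // does not depend on the platform default.
        byte[] idBytes = Base64.decode(transId.getBytes("UTF-8"));
        assertEquals(16, idBytes.length);
        senderNonce = gen.getSenderNonce();
        byte[] nonceBytes = Base64.decode(senderNonce.getBytes("UTF-8"));
        assertEquals(16, nonceBytes.length);
        return msgBytes;
    }

    /**
     * Verifies a SCEP CertRep reply end to end.
     * <p>
     * Outer layer (CMS SignedData): the signer must use {@code digestOid}, its
     * issuer must match the CA certificate's issuer, and the signature is
     * verified against the pinned {@code cacert} public key rather than any
     * certificate carried in the message. The signed attributes must contain no
     * failInfo, messageType 3 (CertRep), pkiStatus SUCCESS, a 16-byte
     * senderNonce, a recipientNonce equal to the nonce we sent, and our
     * transaction id.
     * <p>
     * Inner layer (CMS EnvelopedData, decrypted with the test private key,
     * wrapping a degenerate SignedData): for a CRL reply the single CRL must
     * be issued and signed by the CA; for a certificate reply the issued
     * certificate (matched by {@code userDN}) must verify under the CA key and
     * be bound to our key pair, and the CA certificate is present exactly when
     * {@code noca} is false.
     *
     * @param retMsg      the raw reply body
     * @param userDN      subject DN of the enrolled end entity, used to pick the issued certificate
     * @param senderNonce the nonce we sent, expected back as recipientNonce
     * @param transId     the transaction id we sent, expected back unchanged
     * @param crlRep      {@code true} if a CRL was requested, {@code false} for a certificate
     * @param digestOid   OID the reply must be signed with
     * @param noca        {@code true} if the reply must not include the CA certificate
     * @throws CMSException, NoSuchProviderException, NoSuchAlgorithmException,
     *         CertStoreException, InvalidKeyException, CertificateException,
     *         SignatureException, CRLException on parse or verification errors
     */
    private void checkScepResponse(byte[] retMsg, String userDN, String senderNonce, String transId, boolean crlRep, String digestOid, boolean noca)
            throws CMSException, NoSuchProviderException, NoSuchAlgorithmException, CertStoreException, InvalidKeyException,
            CertificateException, SignatureException, CRLException {
        //
        // Parse response message
        //
        CMSSignedData s = new CMSSignedData(retMsg);
        // The signer, i.e. the CA, check it's the right CA
        SignerInformationStore signers = s.getSignerInfos();
        Collection col = signers.getSigners();
        assertTrue(col.size() > 0);
        Iterator iter = col.iterator();
        SignerInformation signerInfo = (SignerInformation) iter.next();
        // Check that the message is signed with the correct digest alg
        assertEquals(digestOid, signerInfo.getDigestAlgOID());
        SignerId sinfo = signerInfo.getSID();
        // Check that the signer is the expected CA
        assertEquals(CertTools.stringToBCDNString(cacert.getIssuerDN().getName()),
                CertTools.stringToBCDNString(sinfo.getIssuerAsString()));
        // Verify the signature with the CA key we trust, not with a key taken from the message
        signerInfo.verify(cacert.getPublicKey(), "BC");
        // Get authenticated attributes
        AttributeTable tab = signerInfo.getSignedAttributes();
        // --Fail info
        Attribute attr = tab.get(new DERObjectIdentifier(ScepRequestMessage.id_failInfo));
        // No failInfo on this success message
        assertNull(attr);
        // --Message type
        attr = tab.get(new DERObjectIdentifier(ScepRequestMessage.id_messageType));
        assertNotNull(attr);
        ASN1Set values = attr.getAttrValues();
        assertEquals(1, values.size());
        DERString str = DERPrintableString.getInstance((values.getObjectAt(0)));
        String messageType = str.getString();
        assertEquals("3", messageType);
        // --Success status
        attr = tab.get(new DERObjectIdentifier(ScepRequestMessage.id_pkiStatus));
        assertNotNull(attr);
        values = attr.getAttrValues();
        assertEquals(1, values.size());
        str = DERPrintableString.getInstance((values.getObjectAt(0)));
        assertEquals(ResponseStatus.SUCCESS.getValue(), str.getString());
        // --SenderNonce
        attr = tab.get(new DERObjectIdentifier(ScepRequestMessage.id_senderNonce));
        assertNotNull(attr);
        values = attr.getAttrValues();
        assertEquals(1, values.size());
        ASN1OctetString octstr = ASN1OctetString.getInstance(values.getObjectAt(0));
        // SenderNonce is something the server came up with, but it should be 16 chars
        assertEquals(16, octstr.getOctets().length);
        // --Recipient Nonce
        attr = tab.get(new DERObjectIdentifier(ScepRequestMessage.id_recipientNonce));
        assertNotNull(attr);
        values = attr.getAttrValues();
        assertEquals(1, values.size());
        octstr = ASN1OctetString.getInstance(values.getObjectAt(0));
        // recipient nonce should be the same as we sent away as sender nonce
        // (base64 output is ASCII, so the platform charset is safe here)
        assertEquals(senderNonce, new String(Base64.encode(octstr.getOctets())));
        // --Transaction ID
        attr = tab.get(new DERObjectIdentifier(ScepRequestMessage.id_transId));
        assertNotNull(attr);
        values = attr.getAttrValues();
        assertEquals(1, values.size());
        str = DERPrintableString.getInstance((values.getObjectAt(0)));
        // transid should be the same as the one we sent
        assertEquals(transId, str.getString());
        //
        // Check different message types
        //
        if (messageType.equals("3")) {
            // First we extract the encrypted data from the CMS enveloped data contained
            // within the CMS signed data
            CMSProcessable sp = s.getSignedContent();
            byte[] content = (byte[]) sp.getContent();
            CMSEnvelopedData ed = new CMSEnvelopedData(content);
            RecipientInformationStore recipients = ed.getRecipientInfos();
            Collection c = recipients.getRecipients();
            assertEquals(1, c.size());
            Iterator recIt = c.iterator();
            RecipientInformation recipient = (RecipientInformation) recIt.next();
            // Only our private key can open the envelope
            byte[] decBytes = recipient.getContent(keys.getPrivate(), "BC");
            // This is yet another CMS signed data
            CMSSignedData sd = new CMSSignedData(decBytes);
            // Get certificates from the signed data
            CertStore certstore = sd.getCertificatesAndCRLs("Collection", "BC");
            if (crlRep) {
                // We got a reply with a requested CRL
                Collection crls = certstore.getCRLs(null);
                assertEquals(1, crls.size());
                // CRL is first (and only)
                X509CRL retCrl = (X509CRL) crls.iterator().next();
                log.debug("Got CRL with DN: " + retCrl.getIssuerDN().getName());
                // check the returned CRL: issued and signed by our CA
                assertEquals(cacert.getSubjectDN().getName(), retCrl.getIssuerDN().getName());
                retCrl.verify(cacert.getPublicKey());
            } else {
                // We got a reply with a requested certificate
                Collection certs = certstore.getCertificates(null);
                // EJBCA returns the issued cert and the CA cert (cisco vpn client requires that the ca cert is included)
                if (noca) {
                    assertEquals(1, certs.size());
                } else {
                    assertEquals(2, certs.size());
                }
                // The issued certificate is picked by subject DN, so the order in the
                // CertStore is not relied on.
                boolean verified = false;
                boolean gotcacert = false;
                String mysubjectdn = CertTools.stringToBCDNString(userDN);
                Iterator certIt = certs.iterator();
                while (certIt.hasNext()) {
                    X509Certificate retcert = (X509Certificate) certIt.next();
                    log.debug("Got cert with DN: " + retcert.getSubjectDN().getName());
                    // check the returned certificate
                    String subjectdn = CertTools.stringToBCDNString(retcert.getSubjectDN().getName());
                    if (mysubjectdn.equals(subjectdn)) {
                        // issued certificate: signed by the CA and bound to the key pair we enrolled with
                        retcert.verify(cacert.getPublicKey());
                        assertTrue(checkKeys(keys.getPrivate(), retcert.getPublicKey()));
                        verified = true;
                    } else {
                        // ca certificate: only its issuer name is checked against our CA here
                        assertEquals(cacert.getSubjectDN().getName(), retcert.getIssuerDN().getName());
                        gotcacert = true;
                    }
                }
                assertTrue(verified);
                if (noca) {
                    assertFalse(gotcacert);
                } else {
                    assertTrue(gotcacert);
                }
            }
        }
    }

    /**
     * Checks that a public and private key match by signing and verifying a
     * fixed message with SHA1WithRSA (so the pair is assumed to be RSA keys).
     *
     * @param priv the private key to sign with
     * @param pub  the public key to verify with
     * @return {@code true} if the signature made with {@code priv} verifies under {@code pub}
     * @throws SignatureException, NoSuchAlgorithmException, InvalidKeyException from the JCA signature engine
     */
    private boolean checkKeys(PrivateKey priv, PublicKey pub) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException {
        Signature signer = Signature.getInstance("SHA1WithRSA");
        signer.initSign(priv);
        signer.update("PrimeKey".getBytes());
        byte[] signature = signer.sign();
        Signature signer2 = Signature.getInstance("SHA1WithRSA");
        signer2.initVerify(pub);
        signer2.update("PrimeKey".getBytes());
        return signer2.verify(signature);
    }

    /**
     * Reads {@code in} to end of stream into a byte array and closes it, also
     * when the read fails, so a failed HTTP call does not leak the connection.
     * SCEP messages are small, so buffering the whole body in memory is fine.
     *
     * @param in the stream to drain; closed on return
     * @return everything read from the stream
     * @throws IOException if reading fails
     */
    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try {
            byte[] buf = new byte[4096];
            int n = in.read(buf);
            while (n != -1) {
                baos.write(buf, 0, n);
                n = in.read(buf);
            }
        } finally {
            in.close();
        }
        return baos.toByteArray();
    }

    /**
     * Sends a SCEP PKIOperation request to the test server and returns the
     * reply body.
     * <p>
     * With {@code post} the raw message is sent as the body of an HTTP POST;
     * otherwise it is base64-encoded and URL-encoded into the {@code message}
     * query parameter of a GET. The reply must be a 200 with content type
     * {@code application/x-pki-message} and a non-empty body.
     *
     * @param post        {@code true} to POST the message, {@code false} to GET it
     * @param scepPackage the DER-encoded request
     * @param noca        {@code true} to use the "no CA cert in reply" servlet resource
     * @return the reply body
     * @throws IOException on transport failure
     * @throws OCSPException, NoSuchProviderException declared for callers; not thrown by this method itself
     */
    private byte[] sendScep(boolean post, byte[] scepPackage, boolean noca) throws IOException, OCSPException, NoSuchProviderException {
        String resource = resourceScep;
        if (noca) {
            resource = resourceScepNoCA;
        }
        String urlString = httpReqPath + '/' + resource + "?operation=PKIOperation";
        log.debug("UrlString =" + urlString);
        HttpURLConnection con;
        if (post) {
            URL url = new URL(urlString);
            con = (HttpURLConnection) url.openConnection();
            con.setDoOutput(true);
            con.setRequestMethod("POST");
            con.connect();
            // POST it; close the body stream even if the write fails
            OutputStream os = con.getOutputStream();
            try {
                os.write(scepPackage);
            } finally {
                os.close();
            }
        } else {
            // Base64 output is ASCII; decode it with a fixed charset before URL-encoding
            String reqUrl = urlString + "&message="
                    + URLEncoder.encode(new String(Base64.encode(scepPackage), "UTF-8"), "UTF-8");
            URL url = new URL(reqUrl);
            con = (HttpURLConnection) url.openConnection();
            con.setRequestMethod("GET");
            con.connect();
        }
        assertEquals("Response code", 200, con.getResponseCode());
        assertEquals("Content-Type", "application/x-pki-message", con.getContentType());
        byte[] respBytes = readFully(con.getInputStream());
        assertNotNull("Response can not be null.", respBytes);
        assertTrue(respBytes.length > 0);
        return respBytes;
    }
}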