Posted to commits@directory.apache.org by pl...@apache.org on 2017/04/19 07:12:09 UTC

directory-kerby git commit: Remove bouncycastle related tests.

Repository: directory-kerby
Updated Branches:
  refs/heads/trunk 6560e6d98 -> e20049373


Remove bouncycastle related tests.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/e2004937
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/e2004937
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/e2004937

Branch: refs/heads/trunk
Commit: e20049373dad19ff7bf8da4ec8093e03f21ea822
Parents: 6560e6d
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Apr 19 15:19:31 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Apr 19 15:19:31 2017 +0800

----------------------------------------------------------------------
 kerby-dist/kdc-dist/conf/krb5.conf              |   2 +-
 kerby-dist/tool-dist/pom.xml                    |   5 -
 kerby-kerb/kerb-client-api-all/pom.xml          |   2 -
 kerby-pkix/pom.xml                              |   7 -
 .../kerby/pkix/CertificateChainFactory.java     | 278 -------------------
 .../kerby/pkix/CertificateChainFactoryTest.java | 115 --------
 .../apache/kerby/pkix/EndEntityGenerator.java   | 272 ------------------
 .../apache/kerby/pkix/EnvelopedDataEngine.java  | 109 --------
 .../kerby/pkix/EnvelopedDataEngineTest.java     | 123 --------
 .../kerby/pkix/IntermediateCaGenerator.java     | 130 ---------
 .../org/apache/kerby/pkix/JavaSignTest.java     |  89 ------
 .../java/org/apache/kerby/pkix/KeyPairSpec.java | 111 --------
 .../org/apache/kerby/pkix/SignedDataEngine.java | 124 ---------
 .../apache/kerby/pkix/SignedDataEngineTest.java | 123 --------
 .../apache/kerby/pkix/TrustAnchorGenerator.java | 120 --------
 pom.xml                                         |   1 -
 16 files changed, 1 insertion(+), 1610 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-dist/kdc-dist/conf/krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-dist/kdc-dist/conf/krb5.conf b/kerby-dist/kdc-dist/conf/krb5.conf
index a79d547..8225e67 100644
--- a/kerby-dist/kdc-dist/conf/krb5.conf
+++ b/kerby-dist/kdc-dist/conf/krb5.conf
@@ -26,4 +26,4 @@
 [realms]
     EXAMPLE.COM = {
         kdc = localhost:88
-    }
+    }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-dist/tool-dist/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-dist/tool-dist/pom.xml b/kerby-dist/tool-dist/pom.xml
index a77116d..fcc0786 100644
--- a/kerby-dist/tool-dist/pom.xml
+++ b/kerby-dist/tool-dist/pom.xml
@@ -64,11 +64,6 @@
       <artifactId>log4j</artifactId>
       <version>${log4j.version}</version>
     </dependency>
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcpkix-jdk15on</artifactId>
-      <version>${bouncycastle.version}</version>
-    </dependency>
   </dependencies>
 
   <profiles>

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-kerb/kerb-client-api-all/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client-api-all/pom.xml b/kerby-kerb/kerb-client-api-all/pom.xml
index 9359538..d09810e 100644
--- a/kerby-kerb/kerb-client-api-all/pom.xml
+++ b/kerby-kerb/kerb-client-api-all/pom.xml
@@ -55,8 +55,6 @@
                       <exclude>junit:junit</exclude>
                       <exclude>org.slf4j:slf4j-api</exclude>
                       <exclude>org.apache.kerby:kerby-asn1</exclude>
-                      <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
-                      <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
                     </excludes>
                   </artifactSet>
                 </configuration>

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-pkix/pom.xml b/kerby-pkix/pom.xml
index 96d5dc9..61e4992 100644
--- a/kerby-pkix/pom.xml
+++ b/kerby-pkix/pom.xml
@@ -40,13 +40,6 @@
     </dependency>
 
     <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcpkix-jdk15on</artifactId>
-      <version>${bouncycastle.version}</version>
-      <scope>test</scope>
-    </dependency>
-
-    <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
       <version>${slf4j.version}</version>

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java
deleted file mode 100644
index 88907ae..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactory.java
+++ /dev/null
@@ -1,278 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.security.KeyFactory;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.SecureRandom;
-import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
-
-/**
- * Factory for dynamically generating certificate chains.
- */
-public class CertificateChainFactory {
-    private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class);
-
-    private static int trustAnchorLevel = 2;
-
-    private static int intermediateLevel = 1;
-
-    private static int endEntityLevel = 0;
-
-    private static SecureRandom secureRandom = new SecureRandom();
-
-    private static String container =
-            "C=US, ST=Maryland, L=Forest Hill, O=Apache Software Foundation, OU=Apache Directory, CN=";
-
-    private static boolean isGenerated = false;
-
-    private static boolean isInitialized = false;
-
-    private static X509Certificate[] clientChain;
-
-    private static X509Certificate[] kdcChain;
-
-    private static PrivateKey clientPrivateKey;
-
-    private static PrivateKey kdcPrivateKey;
-
-
-    public static X509Certificate[] getKdcChain() throws Exception {
-        init();
-
-        return kdcChain;
-    }
-
-
-    public static X509Certificate[] getClientChain() throws Exception {
-        init();
-
-        return clientChain;
-    }
-
-
-    public static PrivateKey getKdcPrivateKey() throws Exception {
-        init();
-
-        return kdcPrivateKey;
-    }
-
-
-    public static PrivateKey getClientPrivateKey() throws Exception {
-        init();
-
-        return clientPrivateKey;
-    }
-
-
-    private static void init() throws Exception {
-        if (!isInitialized) {
-            initClientChain();
-            initKdcChain();
-            isInitialized = true;
-        }
-    }
-
-
-    private static void initClientChain() throws Exception {
-        // Make trust anchor.
-        String friendlyName = "Test Root CA";
-        String dn = container + friendlyName;
-        int validityDays = 730;
-
-        KeyPair keyPair = getKeyPair(trustAnchorLevel);
-        PrivateKey trustAnchorPrivateKey = keyPair.getPrivate();
-        PublicKey trustAnchorPublicKey = keyPair.getPublic();
-
-        X509Certificate trustAnchorCert = TrustAnchorGenerator.generate(trustAnchorPublicKey, trustAnchorPrivateKey,
-            dn, validityDays, friendlyName);
-
-        trustAnchorCert.checkValidity();
-        trustAnchorCert.verify(trustAnchorPublicKey);
-
-        LOG.debug("Generated cert for friendly name '{}', valid for {} days.", friendlyName, validityDays);
-
-        // Make intermediate client CA.
-        friendlyName = "Client Test CA 1";
-        dn = container + friendlyName;
-        validityDays = 365;
-
-        keyPair = getKeyPair(intermediateLevel);
-        PrivateKey clientCaPrivateKey = keyPair.getPrivate();
-        PublicKey clientCaPublicKey = keyPair.getPublic();
-
-        X509Certificate clientCaCert = IntermediateCaGenerator.generate(trustAnchorCert, trustAnchorPrivateKey,
-            clientCaPublicKey, dn, validityDays, friendlyName);
-
-        clientCaCert.checkValidity();
-        clientCaCert.verify(trustAnchorPublicKey);
-
-        LOG.debug("Generated cert for friendly name '{}', valid for {} days.", friendlyName, validityDays);
-
-        // Make client certificate.
-        friendlyName = "hnelson@EXAMPLE.COM UPN";
-        dn = container + friendlyName;
-        validityDays = 30;
-
-        keyPair = getKeyPair(endEntityLevel);
-        clientPrivateKey = keyPair.getPrivate();
-        PublicKey clientPublicKey = keyPair.getPublic();
-
-        X509Certificate clientCert = EndEntityGenerator.generate(clientCaCert, clientCaPrivateKey, clientPublicKey,
-            dn, validityDays, friendlyName);
-
-        clientCert.checkValidity();
-        clientCert.verify(clientCaPublicKey);
-
-        LOG.debug("Generated cert for friendly name '{}', valid for {} days.", friendlyName, validityDays);
-
-        // Build client chain.
-        clientChain = new X509Certificate[3];
-
-        clientChain[2] = trustAnchorCert;
-        clientChain[1] = clientCaCert;
-        clientChain[0] = clientCert;
-    }
-
-
-    private static void initKdcChain() throws Exception {
-        // Make trust anchor.
-        String friendlyName = "Test Root CA";
-        String dn = container + friendlyName;
-        int validityDays = 730;
-
-        KeyPair keyPair = getKeyPair(trustAnchorLevel);
-        PrivateKey trustAnchorPrivateKey = keyPair.getPrivate();
-        PublicKey trustAnchorPublicKey = keyPair.getPublic();
-
-        X509Certificate trustAnchorCert = TrustAnchorGenerator.generate(trustAnchorPublicKey, trustAnchorPrivateKey,
-                dn, validityDays, friendlyName);
-
-        trustAnchorCert.checkValidity();
-        trustAnchorCert.verify(trustAnchorPublicKey);
-
-        LOG.debug("Generated cert for friendly name '{}', valid for {} days.", friendlyName, validityDays);
-
-        // Make intermediate KDC CA.
-        friendlyName = "KDC Test CA 1";
-        dn = container + friendlyName;
-        validityDays = 365;
-
-        keyPair = getKeyPair(intermediateLevel);
-        PrivateKey kdcCaPrivateKey = keyPair.getPrivate();
-        PublicKey kdcCaPublicKey = keyPair.getPublic();
-
-        X509Certificate kdcCaCert = IntermediateCaGenerator.generate(trustAnchorCert, trustAnchorPrivateKey,
-                kdcCaPublicKey, dn, validityDays, friendlyName);
-
-        kdcCaCert.checkValidity();
-        kdcCaCert.verify(trustAnchorPublicKey);
-
-        LOG.debug("Generated cert for friendly name '{}', valid for {} days.", friendlyName, validityDays);
-
-        // Make KDC certificate.
-        friendlyName = "krbtgt/EXAMPLE.COM@EXAMPLE.COM KDC";
-        dn = container + friendlyName;
-        validityDays = 30;
-
-        keyPair = getKeyPair(endEntityLevel);
-        kdcPrivateKey = keyPair.getPrivate();
-        PublicKey kdcPublicKey = keyPair.getPublic();
-
-        X509Certificate kdcCert = EndEntityGenerator.generate(kdcCaCert, kdcCaPrivateKey, kdcPublicKey, dn,
-                validityDays, friendlyName);
-
-        kdcCert.checkValidity();
-        kdcCert.verify(kdcCaPublicKey);
-
-        LOG.debug("Generated cert for friendly name '{}', valid for {} days.", friendlyName, validityDays);
-
-        // Build KDC chain.
-        kdcChain = new X509Certificate[3];
-
-        kdcChain[2] = trustAnchorCert;
-        kdcChain[1] = kdcCaCert;
-        kdcChain[0] = kdcCert;
-    }
-
-
-    /**
-     * Get a key pair for the new certificate.  Depending on the static constant
-     * 'isGenerated', these key pairs can be dynamically generated (slower) or
-     * built from static constant values (faster).
-     *
-     * @param level
-     * @return The key pair.
-     * @throws NoSuchAlgorithmException
-     * @throws NoSuchProviderException
-     * @throws InvalidKeySpecException
-     */
-    private static KeyPair getKeyPair(int level) throws NoSuchAlgorithmException, NoSuchProviderException,
-            InvalidKeySpecException {
-        if (isGenerated) {
-            KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-            keyGen.initialize(1024, secureRandom);
-            return keyGen.generateKeyPair();
-        } else {
-            return getStaticKeyPair(level);
-        }
-    }
-
-
-    /**
-     * Get a key pair generated using static key values.  This is much faster than
-     * dynamically generating key values.
-     *
-     * @param level
-     * @return The static key pair.
-     * @throws NoSuchAlgorithmException
-     * @throws NoSuchProviderException
-     * @throws InvalidKeySpecException
-     */
-    private static KeyPair getStaticKeyPair(int level) throws NoSuchAlgorithmException, NoSuchProviderException,
-            InvalidKeySpecException {
-        KeyFactory keyFactory = KeyFactory.getInstance("RSA", "BC");
-
-        switch (level) {
-            case 2:
-                PrivateKey caPrivKey = keyFactory.generatePrivate(KeyPairSpec.caPrivKeySpec);
-                PublicKey caPubKey = keyFactory.generatePublic(KeyPairSpec.caPubKeySpec);
-                return new KeyPair(caPubKey, caPrivKey);
-            case 1:
-                PrivateKey intPrivKey = keyFactory.generatePrivate(KeyPairSpec.intPrivKeySpec);
-                PublicKey intPubKey = keyFactory.generatePublic(KeyPairSpec.intPubKeySpec);
-                return new KeyPair(intPubKey, intPrivKey);
-            case 0:
-            default:
-                PrivateKey privKey = keyFactory.generatePrivate(KeyPairSpec.privKeySpec);
-                PublicKey pubKey = keyFactory.generatePublic(KeyPairSpec.pubKeySpec);
-                return new KeyPair(pubKey, privKey);
-        }
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java
deleted file mode 100644
index 31059c4..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/CertificateChainFactoryTest.java
+++ /dev/null
@@ -1,115 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.Security;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidator;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.PKIXParameters;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * Tests the dynamic generation of certificate chains.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
- */
-public class CertificateChainFactoryTest {
-
-    @Before
-    public void setUp() {
-        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
-            Security.addProvider(new BouncyCastleProvider());
-        }
-    }
-
-
-    /**
-     * Tests construction of the client chain.
-     * <p/>
-     * The created certificates can be displayed with a command like:
-     * <p/>
-     * openssl pkcs12 -nodes -info -in /tmp/test.p12 > /tmp/test.cert && openssl x509 -noout -text -in /tmp/test.cert
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testClientChain() throws Exception {
-        X509Certificate[] clientChain = CertificateChainFactory.getClientChain();
-
-        validateChain(clientChain);
-    }
-
-
-    /**
-     * Tests construction of the KDC chain.
-     * <p/>
-     * The created certificates can be displayed with a command like:
-     * <p/>
-     * openssl pkcs12 -nodes -info -in /tmp/test.p12 > /tmp/test.cert && openssl x509 -noout -text -in /tmp/test.cert
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testKdcChain() throws Exception {
-        X509Certificate[] kdcChain = CertificateChainFactory.getKdcChain();
-
-        validateChain(kdcChain);
-    }
-
-
-    /**
-     * Validates a chain of {@link X509Certificate}s.
-     *
-     * @param chain
-     * @throws CertificateException
-     * @throws InvalidAlgorithmParameterException
-     */
-    private void validateChain(X509Certificate[] chain) throws CertificateException,
-            InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException,
-            InvalidAlgorithmParameterException, CertPathValidatorException {
-        List<X509Certificate> certificateList = Arrays.asList(chain);
-        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-        CertPath certPath = certificateFactory.generateCertPath(certificateList);
-
-        CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC");
-
-        TrustAnchor trustAnchor = new TrustAnchor(chain[chain.length - 1], null);
-
-        PKIXParameters parameters = new PKIXParameters(Collections.singleton(trustAnchor));
-        parameters.setRevocationEnabled(false);
-
-        cpv.validate(certPath, parameters);
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java
deleted file mode 100644
index 8f80599..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/EndEntityGenerator.java
+++ /dev/null
@@ -1,272 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import org.bouncycastle.asn1.ASN1EncodableVector;
-import org.bouncycastle.asn1.DERBMPString;
-import org.bouncycastle.asn1.DERObjectIdentifier;
-import org.bouncycastle.asn1.DERSequence;
-import org.bouncycastle.asn1.DERTaggedObject;
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.asn1.x509.GeneralNamesBuilder;
-import org.bouncycastle.asn1.x509.KeyPurposeId;
-import org.bouncycastle.asn1.x509.KeyUsage;
-import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.crypto.DataLengthException;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA1Digest;
-import org.bouncycastle.jce.PrincipalUtil;
-import org.bouncycastle.jce.X509Principal;
-import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
-import org.bouncycastle.x509.X509V3CertificateGenerator;
-import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
-
-import java.math.BigInteger;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.SignatureException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Calendar;
-import java.util.Date;
-
-/**
- * Generates an X.509 "end entity" certificate programmatically.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
- */
-@SuppressWarnings({"PMD.UnusedPrivateField"})
-public class EndEntityGenerator {
-    /**
-     * id-pkinit-san OBJECT IDENTIFIER ::=
-     * { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) x509SanAN (2) }
-     */
-    private static final DERObjectIdentifier ID_PKINIT_SAN = new DERObjectIdentifier("1.3.6.1.5.2.2");
-
-    /**
-     * id-pkinit-KPClientAuth OBJECT IDENTIFIER ::=
-     * { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) pkinit(3) keyPurposeClientAuth(4) }
-     * -- PKINIT client authentication.
-     * -- Key usage bits that MUST be consistent:
-     * -- digitalSignature.
-     */
-    private static final DERObjectIdentifier ID_PKINIT_KPCLIENTAUTH = new DERObjectIdentifier("1.3.6.1.5.2.3.4");
-
-    /**
-     * id-pkinit-KPKdc OBJECT IDENTIFIER ::=
-     * { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) pkinit(3) keyPurposeKdc(5) }
-     * -- Signing KDC responses.
-     * -- Key usage bits that MUST be consistent:
-     * -- digitalSignature.
-     */
-    private static final DERObjectIdentifier ID_PKINIT_KPKDC = new DERObjectIdentifier("1.3.6.1.5.2.3.5");
-
-    private static final DERObjectIdentifier ID_MS_KP_SC_LOGON = new DERObjectIdentifier("1.3.6.1.4.1.311.20.2.2");
-
-    private static final DERObjectIdentifier ID_MS_SAN_SC_LOGON_UPN = new DERObjectIdentifier("1.3.6.1.4.1.311.20.2.3");
-
-
-    /**
-     * Generate certificate.
-     *
-     * @param issuerCert
-     * @param issuerPrivateKey
-     * @param publicKey
-     * @param dn
-     * @param validityDays
-     * @param friendlyName
-     * @return The certificate.
-     * @throws InvalidKeyException
-     * @throws SecurityException
-     * @throws SignatureException
-     * @throws NoSuchAlgorithmException
-     * @throws DataLengthException
-     * @throws CertificateException
-     */
-    public static X509Certificate generate(X509Certificate issuerCert, PrivateKey issuerPrivateKey,
-                                           PublicKey publicKey, String dn, int validityDays,
-                                           String friendlyName)
-            throws InvalidKeyException, SecurityException, SignatureException,
-            NoSuchAlgorithmException, DataLengthException, CertificateException {
-        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
-
-        // Set certificate attributes.
-        certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
-
-        certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(issuerCert));
-        certGen.setSubjectDN(new X509Principal(dn));
-
-        certGen.setNotBefore(new Date());
-
-        Calendar expiry = Calendar.getInstance();
-        expiry.add(Calendar.DAY_OF_YEAR, validityDays);
-
-        certGen.setNotAfter(expiry.getTime());
-
-        certGen.setPublicKey(publicKey);
-        certGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
-
-        certGen
-                .addExtension(X509Extensions.SubjectKeyIdentifier, false,
-                        new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
-
-        // MAY set BasicConstraints=false or not at all.
-        certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
-
-        certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
-                new AuthorityKeyIdentifierStructure(issuerCert));
-
-        certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature
-                | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));
-
-        ASN1EncodableVector keyPurposeVector = new ASN1EncodableVector();
-        keyPurposeVector.add(KeyPurposeId.id_kp_smartcardlogon);
-        //keyPurposeVector.add( KeyPurposeId.id_kp_serverAuth );
-        DERSequence keyPurposeOids = new DERSequence(keyPurposeVector);
-
-        // If critical, will throw unsupported EKU.
-        certGen.addExtension(X509Extensions.ExtendedKeyUsage, false, keyPurposeOids);
-
-        ASN1EncodableVector pkinitSanVector = new ASN1EncodableVector();
-        pkinitSanVector.add(ID_PKINIT_SAN);
-        pkinitSanVector.add(new DERTaggedObject(0, new DERSequence()));
-        DERSequence pkinitSan = new DERSequence(pkinitSanVector);
-
-        String dnsName = "localhost";
-
-        GeneralName name1 = new GeneralName(GeneralName.otherName, pkinitSan);
-        GeneralName name2 = new GeneralName(GeneralName.dNSName, dnsName);
-
-        GeneralNamesBuilder genNamesBuilder = new GeneralNamesBuilder();
-
-        genNamesBuilder.addName(name1);
-        genNamesBuilder.addName(name2);
-
-        GeneralNames sanGeneralNames = genNamesBuilder.build();
-
-        certGen.addExtension(X509Extensions.SubjectAlternativeName, true, sanGeneralNames);
-
-        /*
-         * The KDC MAY require the presence of an Extended Key Usage (EKU) KeyPurposeId
-         * [RFC3280] id-pkinit-KPClientAuth in the extensions field of the client's
-         * X.509 certificate.
-         */
-
-        /*
-         * The digitalSignature key usage bit [RFC3280] MUST be asserted when the
-         * intended purpose of the client's X.509 certificate is restricted with
-         * the id-pkinit-KPClientAuth EKU.
-         */
-
-        /*
-         * KDCs implementing this requirement SHOULD also accept the EKU KeyPurposeId
-         * id-ms-kp-sc-logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as
-         * there are a large number of X.509 client certificates deployed for use
-         * with PKINIT that have this EKU.
-         */
-
-        // KDC
-        /*
-         * In addition, unless the client can otherwise verify that the public key
-         * used to verify the KDC's signature is bound to the KDC of the target realm,
-         * the KDC's X.509 certificate MUST contain a Subject Alternative Name extension
-         * [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as defined
-         * in Section 3.2.2) and whose value is a KRB5PrincipalName that matches the
-         * name of the TGS of the target realm (as defined in Section 7.3 of [RFC4120]).
-         */
-
-        /*
-         * Unless the client knows by some other means that the KDC certificate is
-         * intended for a Kerberos KDC, the client MUST require that the KDC certificate
-         * contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc.
-         */
-
-        /*
-         * The digitalSignature key usage bit [RFC3280] MUST be asserted when the
-         * intended purpose of the KDC's X.509 certificate is restricted with the
-         * id-pkinit-KPKdc EKU.
-         */
-
-        /*
-         * If the KDC certificate contains the Kerberos TGS name encoded as an id-pkinit-san
-         * SAN, this certificate is certified by the issuing CA as a KDC certificate,
-         * therefore the id-pkinit-KPKdc EKU is not required.
-         */
-
-        /*
-         * KDC certificates issued by Windows 2000 Enterprise CAs contain a dNSName
-         * SAN with the DNS name of the host running the KDC, and the id-kp-serverAuth
-         * EKU [RFC3280].
-         */
-
-        /*
-         * KDC certificates issued by Windows 2003 Enterprise CAs contain a dNSName
-         * SAN with the DNS name of the host running the KDC, the id-kp-serverAuth
-         * EKU, and the id-ms-kp-sc-logon EKU.
-         */
-
-        /*
-         * RFC: KDC certificates with id-pkinit-san SAN as specified in this RFC.
-         * 
-         * MS:  dNSName SAN containing the domain name of the KDC
-         *      id-pkinit-KPKdc EKU
-         *      id-kp-serverAuth EKU.
-         */
-
-        /*
-         * Client certificates accepted by Windows 2000 and Windows 2003 Server KDCs
-         * must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3) SAN and
-         * the id-ms-kp-sc-logon EKU.  The id-ms-san-sc-logon-upn SAN contains a
-         * UTF8-encoded string whose value is that of the Directory Service attribute
-         * UserPrincipalName of the client account object, and the purpose of including
-         * the id-ms-san-sc-logon-upn SAN in the client certificate is to validate
-         * the client mapping (in other words, the client's public key is bound to
-         * the account that has this UserPrincipalName value).
-         */
-
-        X509Certificate cert = certGen.generate(issuerPrivateKey);
-
-        PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
-
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
-                new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
-
-        return cert;
-    }
-
-    private static byte[] getDigest(SubjectPublicKeyInfo spki) {
-        Digest digest = new SHA1Digest();
-        byte[] resBuf = new byte[digest.getDigestSize()];
-
-        byte[] bytes = spki.getPublicKeyData().getBytes();
-        digest.update(bytes, 0, bytes.length);
-        digest.doFinal(resBuf, 0);
-        return resBuf;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java
deleted file mode 100644
index 63e1816..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngine.java
+++ /dev/null
@@ -1,109 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
-import org.bouncycastle.cms.CMSAlgorithm;
-import org.bouncycastle.cms.CMSEnvelopedData;
-import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
-import org.bouncycastle.cms.CMSException;
-import org.bouncycastle.cms.CMSProcessableByteArray;
-import org.bouncycastle.cms.RecipientInformation;
-import org.bouncycastle.cms.RecipientInformationStore;
-import org.bouncycastle.cms.bc.BcCMSContentEncryptorBuilder;
-import org.bouncycastle.cms.bc.BcRSAKeyTransEnvelopedRecipient;
-import org.bouncycastle.cms.bc.BcRSAKeyTransRecipientInfoGenerator;
-import org.bouncycastle.crypto.util.PrivateKeyFactory;
-
-import java.io.IOException;
-import java.security.PrivateKey;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.Collection;
-import java.util.Iterator;
-
-/**
- * Encapsulates working with PKINIT enveloped data structures.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
- */
-public class EnvelopedDataEngine {
-    /**
-     * Uses a certificate to encrypt data in a CMS EnvelopedData structure and
-     * returns the encoded EnvelopedData as bytes.
-     * <p/>
-     * 'encKeyPack' contains a CMS type ContentInfo encoded according to [RFC3852].
-     * The contentType field of the type ContentInfo is id-envelopedData (1.2.840.113549.1.7.3).
-     * The content field is an EnvelopedData. The contentType field for the type
-     * EnvelopedData is id-signedData (1.2.840.113549.1.7.2).
-     *
-     * @param dataToEnvelope
-     * @param certificate
-     * @return The EnvelopedData bytes.
-     * @throws IOException
-     * @throws CMSException
-     * @throws CertificateEncodingException
-     */
-    public static byte[] getEnvelopedReplyKeyPack(byte[] dataToEnvelope, X509Certificate certificate)
-            throws IOException, CMSException, CertificateEncodingException {
-        CMSProcessableByteArray content = new CMSProcessableByteArray(dataToEnvelope);
-
-        CMSEnvelopedDataGenerator envelopeGenerator = new CMSEnvelopedDataGenerator();
-        envelopeGenerator.addRecipientInfoGenerator(new BcRSAKeyTransRecipientInfoGenerator(
-                new JcaX509CertificateHolder(certificate)));
-        CMSEnvelopedData envdata = envelopeGenerator.generate(content,
-                new BcCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).build());
-
-        return envdata.getEncoded();
-    }
-
-
-    /**
-     * Uses a private key to decrypt data in a CMS EnvelopedData structure and
-     * returns the recovered (decrypted) data bytes.
-     *
-     * @param envelopedDataBytes
-     * @param privateKey
-     * @return The recovered (decrypted) data bytes.
-     * @throws IOException
-     * @throws CMSException
-     */
-    @SuppressWarnings("unchecked")
-    public static byte[] getUnenvelopedData(byte[] envelopedDataBytes,
-                                            PrivateKey privateKey) throws CMSException, IOException {
-        CMSEnvelopedData envelopedData = new CMSEnvelopedData(envelopedDataBytes);
-
-        // Set up to iterate through the recipients.
-        RecipientInformationStore recipients = envelopedData.getRecipientInfos();
-        Collection c = recipients.getRecipients();
-        Iterator it = c.iterator();
-
-        byte[] recData = new byte[0];
-        while (it.hasNext()) {
-            RecipientInformation recipient = (RecipientInformation) it.next();
-
-            recData = recipient.getContent(new BcRSAKeyTransEnvelopedRecipient(
-                    PrivateKeyFactory.createKey(PrivateKeyInfo.getInstance(privateKey.getEncoded()))));
-        }
-        return recData;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java
deleted file mode 100644
index 826815e..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/EnvelopedDataEngineTest.java
+++ /dev/null
@@ -1,123 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.SignatureException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPrivateCrtKey;
-import java.util.Arrays;
-
-public class EnvelopedDataEngineTest extends org.junit.Assert {
-    private static final Logger LOG = LoggerFactory.getLogger(CertificateChainFactory.class);
-
-    /**
-     * Certificate used to encrypt the data.
-     */
-    private X509Certificate certificate;
-
-    /**
-     * Private key used to decrypt the data.
-     */
-    private PrivateKey privateKey;
-
-
-    @Before
-    public void setUp() throws Exception {
-        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
-            Security.addProvider(new BouncyCastleProvider());
-        }
-
-        //getCaFromFile( "/tmp/testCa.p12", "password", "Test CA" );
-        getCaFromFactory();
-    }
-
-
-    /**
-     * Tests that enveloped data wrapping and unwrapping works.
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testEnvelopedData() throws Exception {
-        byte[] dataToEnvelope = "Hello".getBytes();
-
-        byte[] envelopedDataBytes = EnvelopedDataEngine.getEnvelopedReplyKeyPack(
-                dataToEnvelope, certificate);
-        byte[] unenvelopedData = EnvelopedDataEngine.getUnenvelopedData(
-                envelopedDataBytes, privateKey);
-
-        assertTrue(Arrays.equals(dataToEnvelope, unenvelopedData));
-    }
-
-
-    void getCaFromFactory() throws Exception {
-        X509Certificate[] clientChain = CertificateChainFactory.getClientChain();
-        certificate = clientChain[0];
-
-        privateKey = CertificateChainFactory.getClientPrivateKey();
-    }
-
-
-    void getCaFromFile(String caFile, String caPassword, String caAlias) throws KeyStoreException,
-            UnrecoverableKeyException, NoSuchAlgorithmException, IOException, CertificateException,
-            NoSuchProviderException, InvalidKeyException, SignatureException {
-        // Open the keystore.
-        KeyStore caKs = KeyStore.getInstance("PKCS12");
-        caKs.load(new FileInputStream(new File(caFile)), caPassword.toCharArray());
-
-        // Load the private key from the keystore.
-        privateKey = (RSAPrivateCrtKey) caKs.getKey(caAlias, caPassword.toCharArray());
-
-        if (privateKey == null) {
-            throw new IllegalStateException("Got null key from keystore!");
-        }
-
-        // Load the certificate from the keystore.
-        certificate = (X509Certificate) caKs.getCertificate(caAlias);
-
-        if (certificate == null) {
-            throw new IllegalStateException("Got null cert from keystore!");
-        }
-
-        LOG.debug("Successfully loaded key and certificate having DN '{}'.", certificate.getSubjectDN().getName());
-
-        // Verify.
-        certificate.verify(certificate.getPublicKey());
-        LOG.debug("Successfully verified CA certificate with its own public key.");
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java
deleted file mode 100644
index 3b90eea..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/IntermediateCaGenerator.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-
-import org.bouncycastle.asn1.DERBMPString;
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.KeyUsage;
-import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.crypto.DataLengthException;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA1Digest;
-import org.bouncycastle.jce.PrincipalUtil;
-import org.bouncycastle.jce.X509Principal;
-import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
-import org.bouncycastle.x509.X509V3CertificateGenerator;
-import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
-
-import java.math.BigInteger;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.SignatureException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Calendar;
-import java.util.Date;
-
-
-/**
- * Generates an X.509 "intermediate CA" certificate programmatically.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
- */
-public class IntermediateCaGenerator {
-    /**
-     * Create certificate.
-     *
-     * @param issuerCert
-     * @param issuerPrivateKey
-     * @param publicKey
-     * @param dn
-     * @param validityDays
-     * @param friendlyName
-     * @return The certificate.
-     * @throws InvalidKeyException
-     * @throws SecurityException
-     * @throws SignatureException
-     * @throws NoSuchAlgorithmException
-     * @throws DataLengthException
-     * @throws CertificateException
-     */
-    public static X509Certificate generate(X509Certificate issuerCert, PrivateKey issuerPrivateKey,
-                                           PublicKey publicKey, String dn, int validityDays,
-                                           String friendlyName)
-            throws InvalidKeyException, SecurityException, SignatureException,
-            NoSuchAlgorithmException, DataLengthException, CertificateException {
-        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
-
-        // Set certificate attributes.
-        certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
-
-        certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(issuerCert));
-        certGen.setSubjectDN(new X509Principal(dn));
-
-        certGen.setNotBefore(new Date());
-
-        Calendar expiry = Calendar.getInstance();
-        expiry.add(Calendar.DAY_OF_YEAR, validityDays);
-
-        certGen.setNotAfter(expiry.getTime());
-
-        certGen.setPublicKey(publicKey);
-        certGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
-
-        certGen
-                .addExtension(X509Extensions.SubjectKeyIdentifier, false,
-                        new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
-
-        certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));
-
-        certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
-                new AuthorityKeyIdentifierStructure(issuerCert));
-
-        certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature
-                | KeyUsage.keyCertSign | KeyUsage.cRLSign));
-
-        X509Certificate cert = certGen.generate(issuerPrivateKey);
-
-        PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
-
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
-                new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
-
-        return cert;
-    }
-
-    private static byte[] getDigest(SubjectPublicKeyInfo spki) {
-        Digest digest = new SHA1Digest();
-        byte[] resBuf = new byte[digest.getDigestSize()];
-
-        byte[] bytes = spki.getPublicKeyData().getBytes();
-        digest.update(bytes, 0, bytes.length);
-        digest.doFinal(resBuf, 0);
-        return resBuf;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java
deleted file mode 100644
index cf07eaa..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/JavaSignTest.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.Signature;
-
-/**
- * This is a JAVA sign and verify test to serve as a good sample.
- */
-public class JavaSignTest {
-
-    static class SignAlgorithm {
-        String algo;
-        String keyType;
-
-        SignAlgorithm(String algo, String keyType) {
-            this.algo = algo;
-            this.keyType = keyType;
-        }
-    }
-
-    static final SignAlgorithm[] ALGORITHMS = {
-        new SignAlgorithm("DSA", "DSA"),
-        new SignAlgorithm("SHA1withDSA", "DSA"),
-        new SignAlgorithm("SHA1withRSA", "RSA"),
-        new SignAlgorithm("SHA256withRSA", "RSA"),
-        new SignAlgorithm("SHA384withRSA", "RSA"),
-        new SignAlgorithm("SHA512withRSA", "RSA"),
-        new SignAlgorithm("MD5withRSA", "RSA"),
-        new SignAlgorithm("MD5andSHA1withRSA", "RSA"),
-        new SignAlgorithm("SHA256withRSA", "RSA")
-    };
-
-    static byte[] signData(byte[] dataToSign, KeyPair keyPair,
-                           SignAlgorithm sa) throws Exception {
-        byte[] signResult;
-        Signature signer = Signature.getInstance(sa.algo);
-        signer.initSign(keyPair.getPrivate());
-        signer.update(dataToSign);
-        signResult = signer.sign();
-
-        return signResult;
-    }
-
-    static boolean verifyData(byte[] dataToVerify, byte[] signature,
-                              KeyPair keyPair, SignAlgorithm sa) throws Exception {
-        boolean verifyResult;
-        Signature verifier = Signature.getInstance(sa.algo);
-        verifier.initVerify(keyPair.getPublic());
-        verifier.update(dataToVerify);
-        verifyResult = verifier.verify(signature);
-
-        return verifyResult;
-    }
-
-    public static void main(String[] args) throws Exception {
-        for (SignAlgorithm sa : ALGORITHMS) {
-            KeyPairGenerator keyGen = KeyPairGenerator.getInstance(sa.keyType);
-            keyGen.initialize(1024);
-            KeyPair keyPair = keyGen.generateKeyPair();
-
-            byte[] testMessage = "Hello, Kerby!!".getBytes();
-            byte[] signature = signData(testMessage, keyPair, sa);
-            boolean isOk = verifyData(testMessage, signature, keyPair, sa);
-            if (!isOk) {
-                throw new RuntimeException("Failed");
-            }
-        }
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java
deleted file mode 100644
index b6cfa17..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/KeyPairSpec.java
+++ /dev/null
@@ -1,111 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-
-import java.math.BigInteger;
-import java.security.spec.RSAPrivateCrtKeySpec;
-import java.security.spec.RSAPublicKeySpec;
-
-
-/**
- * Specifications for asymmetric key pairs.
- */
-@SuppressWarnings("checkstyle:linelength")
-class KeyPairSpec {
-    // End-entity keys.
-    static RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(
-            new BigInteger(
-                    "b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7",
-                    16), new BigInteger("11", 16));
-
-    static RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec(
-            new BigInteger(
-                    "b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7",
-                    16),
-            new BigInteger("11", 16),
-            new BigInteger(
-                    "9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89",
-                    16), new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16),
-            new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), new BigInteger(
-            "b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), new BigInteger(
-            "d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), new BigInteger(
-            "b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16));
-
-    // Intermediate keys.
-    static RSAPublicKeySpec intPubKeySpec = new RSAPublicKeySpec(
-            new BigInteger(
-                    "8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69",
-                    16), new BigInteger("ffff", 16));
-
-    static RSAPrivateCrtKeySpec intPrivKeySpec = new RSAPrivateCrtKeySpec(
-            new BigInteger(
-                    "8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69",
-                    16),
-            new BigInteger("ffff", 16),
-            new BigInteger(
-                    "7deb1b194a85bcfd29cf871411468adbc987650903e3bacc8338c449ca7b32efd39ffc33bc84412fcd7df18d23ce9d7c25ea910b1ae9985373e0273b4dca7f2e0db3b7314056ac67fd277f8f89cf2fd73c34c6ca69f9ba477143d2b0e2445548aa0b4a8473095182631da46844c356f5e5c7522eb54b5a33f11d730ead9c0cff",
-                    16),
-            new BigInteger(
-                    "ef4cede573cea47f83699b814de4302edb60eefe426c52e17bd7870ec7c6b7a24fe55282ebb73775f369157726fcfb988def2b40350bdca9e5b418340288f649",
-                    16),
-            new BigInteger(
-                    "97c7737d1b9a0088c3c7b528539247fd2a1593e7e01cef18848755be82f4a45aa093276cb0cbf118cb41117540a78f3fc471ba5d69f0042274defc9161265721",
-                    16),
-            new BigInteger(
-                    "6c641094e24d172728b8da3c2777e69adfd0839085be7e38c7c4a2dd00b1ae969f2ec9d23e7e37090fcd449a40af0ed463fe1c612d6810d6b4f58b7bfa31eb5f",
-                    16),
-            new BigInteger(
-                    "70b7123e8e69dfa76feb1236d0a686144b00e9232ed52b73847e74ef3af71fb45ccb24261f40d27f98101e230cf27b977a5d5f1f15f6cf48d5cb1da2a3a3b87f",
-                    16),
-            new BigInteger(
-                    "e38f5750d97e270996a286df2e653fd26c242106436f5bab0f4c7a9e654ce02665d5a281f2c412456f2d1fa26586ef04a9adac9004ca7f913162cb28e13bf40d",
-                    16));
-
-    // Trust anchor keys.
-    static RSAPublicKeySpec caPubKeySpec = new RSAPublicKeySpec(
-            new BigInteger(
-                    "b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5",
-                    16), new BigInteger("11", 16));
-
-    static RSAPrivateCrtKeySpec caPrivKeySpec = new RSAPrivateCrtKeySpec(
-            new BigInteger(
-                    "b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5",
-                    16),
-            new BigInteger("11", 16),
-            new BigInteger(
-                    "92e08f83cc9920746989ca5034dcb384a094fb9c5a6288fcc4304424ab8f56388f72652d8fafc65a4b9020896f2cde297080f2a540e7b7ce5af0b3446e1258d1dd7f245cf54124b4c6e17da21b90a0ebd22605e6f45c9f136d7a13eaac1c0f7487de8bd6d924972408ebb58af71e76fd7b012a8d0e165f3ae2e5077a8648e619",
-                    16),
-            new BigInteger(
-                    "f75e80839b9b9379f1cf1128f321639757dba514642c206bbbd99f9a4846208b3e93fbbe5e0527cc59b1d4b929d9555853004c7c8b30ee6a213c3d1bb7415d03",
-                    16),
-            new BigInteger(
-                    "b892d9ebdbfc37e397256dd8a5d3123534d1f03726284743ddc6be3a709edb696fc40c7d902ed804c6eee730eee3d5b20bf6bd8d87a296813c87d3b3cc9d7947",
-                    16),
-            new BigInteger(
-                    "1d1a2d3ca8e52068b3094d501c9a842fec37f54db16e9a67070a8b3f53cc03d4257ad252a1a640eadd603724d7bf3737914b544ae332eedf4f34436cac25ceb5",
-                    16),
-            new BigInteger(
-                    "6c929e4e81672fef49d9c825163fec97c4b7ba7acb26c0824638ac22605d7201c94625770984f78a56e6e25904fe7db407099cad9b14588841b94f5ab498dded",
-                    16),
-            new BigInteger(
-                    "dae7651ee69ad1d081ec5e7188ae126f6004ff39556bde90e0b870962fa7b926d070686d8244fe5a9aa709a95686a104614834b0ada4b10f53197a5cb4c97339",
-                    16));
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java
deleted file mode 100644
index bb10273..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngine.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaCertStore;
-import org.bouncycastle.cms.CMSException;
-import org.bouncycastle.cms.CMSProcessableByteArray;
-import org.bouncycastle.cms.CMSSignedData;
-import org.bouncycastle.cms.CMSSignedDataGenerator;
-import org.bouncycastle.cms.CMSTypedData;
-import org.bouncycastle.cms.SignerInformation;
-import org.bouncycastle.cms.SignerInformationStore;
-import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
-import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.util.Store;
-
-import java.io.IOException;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.List;
-
-
-/**
- * Encapsulates working with PKINIT signed data structures.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
- */
-public class SignedDataEngine {
-
-    static byte[] getSignedData(PrivateKey privateKey, X509Certificate certificate, byte[] dataToSign,
-                                String eContentType) throws IOException, OperatorCreationException,
-            CertificateEncodingException, CMSException {
-
-        if (Security.getProvider("BC") == null) {
-            Security.addProvider(new BouncyCastleProvider());
-        }
-
-
-        List certList = new ArrayList();
-        certList.add(certificate);
-        Store certs = new JcaCertStore(certList);
-
-        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
-
-        gen.addSignerInfoGenerator(
-                new JcaSimpleSignerInfoGeneratorBuilder()
-                        .setProvider("BC")
-                        .build("SHA1withRSA", privateKey, certificate));
-
-        gen.addCertificates(certs);
-
-        ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(eContentType);
-        CMSTypedData msg = new CMSProcessableByteArray(asn1ObjectIdentifier, dataToSign);
-        CMSSignedData s = gen.generate(msg, true);
-
-        return s.getEncoded();
-    }
-
-    /**
-     * Validates a CMS SignedData using the public key corresponding to the private
-     * key used to sign the structure.
-     *
-     * @param s
-     * @return true if the signature is valid.
-     * @throws Exception
-     */
-    public static boolean validateSignedData(CMSSignedData s) throws Exception {
-
-        Store certStore = s.getCertificates();
-        Store crlStore = s.getCRLs();
-        SignerInformationStore signers = s.getSignerInfos();
-
-        Collection c = signers.getSigners();
-        Iterator it = c.iterator();
-
-        while (it.hasNext()) {
-            SignerInformation signer = (SignerInformation) it.next();
-            Collection certCollection = certStore.getMatches(signer.getSID());
-
-            Iterator certIt = certCollection.iterator();
-            X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
-
-            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
-                return false;
-            }
-        }
-
-        Collection certColl = certStore.getMatches(null);
-        Collection crlColl = crlStore.getMatches(null);
-
-        if (certColl.size() != s.getCertificates().getMatches(null).size()
-                || crlColl.size() != s.getCRLs().getMatches(null).size()) {
-            return false;
-        }
-        return true;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java
deleted file mode 100644
index 60db909..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/SignedDataEngineTest.java
+++ /dev/null
@@ -1,123 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-
-import org.bouncycastle.cms.CMSSignedData;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPrivateCrtKey;
-
-/**
- * Tests the use of {@link CMSSignedData}.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$, $Date$
- */
-public class SignedDataEngineTest extends org.junit.Assert {
-    /**
-     * The log for this class.
-     */
-    private static final Logger LOG = LoggerFactory.getLogger(SignedDataEngineTest.class);
-
-    private static final String ID_DATA = "1.2.840.113549.1.7.1";
-
-    /**
-     * Certificate used to verify the signature.
-     */
-    private X509Certificate certificate;
-
-    /**
-     * Private key used to sign the data.
-     */
-    private PrivateKey privateKey;
-
-
-    @Before
-    public void setUp() throws Exception {
-        if (Security.getProvider("BC") == null) {
-            Security.addProvider(new BouncyCastleProvider());
-        }
-
-        //getCaFromFile( "/tmp/testCa.p12", "password", "Test CA" );
-        getCaFromFactory();
-    }
-
-    /**
-     * Tests that signed data signature validation works.
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testSignedData() throws Exception {
-        byte[] data = "Hello".getBytes();
-
-        byte[] signedDataBytes = SignedDataEngine.getSignedData(privateKey, certificate, data, ID_DATA);
-
-        CMSSignedData signedData = new CMSSignedData(signedDataBytes);
-
-        assertTrue(SignedDataEngine.validateSignedData(signedData));
-    }
-
-
-    void getCaFromFactory() throws Exception {
-        X509Certificate[] clientChain = CertificateChainFactory.getClientChain();
-        certificate = clientChain[0];
-
-        privateKey = CertificateChainFactory.getClientPrivateKey();
-    }
-
-
-    void getCaFromFile(String caFile, String caPassword, String caAlias) throws Exception {
-        // Open the keystore.
-        KeyStore caKs = KeyStore.getInstance("PKCS12");
-        caKs.load(new FileInputStream(new File(caFile)), caPassword.toCharArray());
-
-        // Load the private key from the keystore.
-        privateKey = (RSAPrivateCrtKey) caKs.getKey(caAlias, caPassword.toCharArray());
-
-        if (privateKey == null) {
-            throw new IllegalStateException("Got null key from keystore!");
-        }
-
-        // Load the certificate from the keystore.
-        certificate = (X509Certificate) caKs.getCertificate(caAlias);
-
-        if (certificate == null) {
-            throw new IllegalStateException("Got null cert from keystore!");
-        }
-
-        LOG.debug("Successfully loaded CA key and certificate. CA DN is '{}'.", certificate.getSubjectDN().getName());
-
-        // Verify.
-        certificate.verify(certificate.getPublicKey());
-        LOG.debug("Successfully verified CA certificate with its own public key.");
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java
----------------------------------------------------------------------
diff --git a/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java b/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java
deleted file mode 100644
index f26354d..0000000
--- a/kerby-pkix/src/test/java/org/apache/kerby/pkix/TrustAnchorGenerator.java
+++ /dev/null
@@ -1,120 +0,0 @@
-/**
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- *
- */
-package org.apache.kerby.pkix;
-
-import org.bouncycastle.asn1.DERBMPString;
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.KeyUsage;
-import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.crypto.DataLengthException;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA1Digest;
-import org.bouncycastle.jce.X509Principal;
-import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
-import org.bouncycastle.x509.X509V3CertificateGenerator;
-
-import java.math.BigInteger;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.SignatureException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Calendar;
-import java.util.Date;
-
-
-/**
- * Generates an X.509 "trust anchor" certificate programmatically.
- */
-public class TrustAnchorGenerator {
-    /**
-     * Create CA certificate.
-     *
-     * @param publicKey
-     * @param privateKey
-     * @param dn
-     * @param validityDays
-     * @param friendlyName
-     * @return The certificate.
-     * @throws InvalidKeyException
-     * @throws SecurityException
-     * @throws SignatureException
-     * @throws NoSuchAlgorithmException
-     * @throws DataLengthException
-     * @throws CertificateException
-     */
-    public static X509Certificate generate(PublicKey publicKey, PrivateKey privateKey,
-                                           String dn, int validityDays, String friendlyName)
-            throws InvalidKeyException, SecurityException, SignatureException,
-            NoSuchAlgorithmException, DataLengthException, CertificateException {
-        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
-
-        // Set certificate attributes.
-        certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
-
-        X509Principal x509Principal = new X509Principal(dn);
-        certGen.setIssuerDN(x509Principal);
-        certGen.setSubjectDN(x509Principal);
-
-        certGen.setNotBefore(new Date());
-
-        Calendar expiry = Calendar.getInstance();
-        expiry.add(Calendar.DAY_OF_YEAR, validityDays);
-
-        certGen.setNotAfter(expiry.getTime());
-
-        certGen.setPublicKey(publicKey);
-        certGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
-
-        certGen
-                .addExtension(X509Extensions.SubjectKeyIdentifier, false,
-                        new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
-
-        certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(1));
-
-        certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature
-                | KeyUsage.keyCertSign | KeyUsage.cRLSign));
-
-        X509Certificate cert = certGen.generate(privateKey);
-
-        PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
-
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
-        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
-                new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()))));
-
-        return cert;
-    }
-
-    private static byte[] getDigest(SubjectPublicKeyInfo spki) {
-        Digest digest = new SHA1Digest();
-        byte[] resBuf = new byte[digest.getDigestSize()];
-
-        byte[] bytes = spki.getPublicKeyData().getBytes();
-        digest.update(bytes, 0, bytes.length);
-        digest.doFinal(resBuf, 0);
-        return resBuf;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e2004937/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 3834a42..8993379 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,7 +48,6 @@
 
   <properties>
     <apacheds.version>2.0.0-M23</apacheds.version>
-    <bouncycastle.version>1.55</bouncycastle.version>
     <commons-io.version>2.5</commons-io.version>
     <gson.version>2.6.2</gson.version>
     <ldap.api.version>1.0.0-RC2</ldap.api.version>