Posted to commits@directory.apache.org by se...@apache.org on 2020/04/04 11:55:48 UTC

[directory-server] branch master updated: Allow creation of CA certificate, fixes certifcate validation test on newer Java versions.

This is an automated email from the ASF dual-hosted git repository.

seelmann pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-server.git


The following commit(s) were added to refs/heads/master by this push:
     new 656524b  Allow creation of CA certificate, fixes certifcate validation test on newer Java versions.
656524b is described below

commit 656524be7783a019e32cc13358f6708487d852c7
Author: Stefan Seelmann <ma...@stefan-seelmann.de>
AuthorDate: Sat Apr 4 13:55:28 2020 +0200

    Allow creation of CA certificate, fixes certificate validation test on newer Java versions.
---
 .../directory/server/core/security/TlsKeyGenerator.java    |  8 +++-----
 .../shared/client/api/CertificateValidationTest.java       | 14 +++++++-------
 .../sasl/external/ClientCertificateAuthenticationIT.java   |  2 +-
 3 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java b/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java
index ec5d23b..1a0da3b 100644
--- a/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java
+++ b/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java
@@ -253,12 +253,12 @@ public final class TlsKeyGenerator
     {
         Date startDate = new Date();
         Date expiryDate = new Date( System.currentTimeMillis() + YEAR_MILLIS );
-        addKeyPair( entry, issuerDN, subjectDN, startDate, expiryDate, keyAlgo, keySize, null );
+        addKeyPair( entry, issuerDN, subjectDN, startDate, expiryDate, keyAlgo, keySize, null, false );
     }
 
 
     public static void addKeyPair( Entry entry, String issuerDN, String subjectDN, Date startDate, Date expiryDate,
-        String keyAlgo, int keySize, PrivateKey optionalSigningKey ) throws LdapException
+        String keyAlgo, int keySize, PrivateKey optionalSigningKey, boolean isCA ) throws LdapException
     {
         Attribute objectClass = entry.get( SchemaConstants.OBJECT_CLASS_AT );
 
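Review bot: The new public parameter `boolean isCA` on addKeyPair (the line `String keyAlgo, int keySize, PrivateKey optionalSigningKey, boolean isCA ) throws LdapException`) is undocumented, and no Javadoc for the method is visible in this hunk. Because the flag changes what kind of certificate the method issues, a short entry would spare callers reading the body: `@param isCA whether the generated certificate is marked as a CA certificate (basicConstraints cA=true) and may therefore sign other certificates`. The shorter overload above now delegates with `false`; its Javadoc could state that it always produces an end-entity certificate. Both methods start or end outside this hunk, so the Javadoc placement cannot be checked here.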
@@ -312,12 +312,10 @@ public final class TlsKeyGenerator
         certGen.setSubjectDN( subjectName );
         certGen.setPublicKey( publicKey );
         certGen.setSignatureAlgorithm( "SHA256With" + keyAlgo );
-        certGen.addExtension( Extension.basicConstraints, false, new BasicConstraints( false ) );
+        certGen.addExtension( Extension.basicConstraints, false, new BasicConstraints( isCA ) );
         certGen.addExtension( Extension.extendedKeyUsage, true, new ExtendedKeyUsage( 
             new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth } ) );
 
-        
-
         try
         {
             PrivateKey signingKey = optionalSigningKey != null ? optionalSigningKey : privateKey;
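Review bot: The basicConstraints extension at `certGen.addExtension( Extension.basicConstraints, false, new BasicConstraints( isCA ) )` stays non-critical even when isCA is true; RFC 5280 section 4.2.1.9 requires conforming CAs to mark basicConstraints critical in CA certificates, and some validators treat a CA certificate with a non-critical basicConstraints as malformed. Tying the criticality to the flag leaves end-entity certificates exactly as before: `certGen.addExtension( Extension.basicConstraints, isCA, new BasicConstraints( isCA ) );`. Note also that the extendedKeyUsage (clientAuth/serverAuth) on the following lines is now attached to CA certificates as well, and no keyUsage extension with keyCertSign is added; that is presumably acceptable for the test fixtures this serves, but a CA certificate would normally carry keyUsage keyCertSign/cRLSign rather than end-entity EKUs, so a comment stating that intent would help. The enclosing addKeyPair body starts and ends outside this hunk.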
diff --git a/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java b/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java
index 1d8645d..e6b7685 100644
--- a/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java
+++ b/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java
@@ -109,36 +109,36 @@ public class CertificateValidationTest extends AbstractLdapTestUnit
         // generate root CA, self-signed
         String rootCaSubjectDn = issuerDn;
         ROOT_CA_KEYSTORE = createKeyStore( rootCaSubjectDn, issuerDn, startDate, expiryDate, keyAlgo, keySize, null,
-            ROOT_CA_KEYSTORE_PATH );
+            true, ROOT_CA_KEYSTORE_PATH );
         PrivateKey rootCaPrivateKey = ( PrivateKey ) ROOT_CA_KEYSTORE.getKey( "apacheds", KEYSTORE_PW.toCharArray() );
 
         // generate a valid certificate, signed by root CA
         createKeyStore( subjectDn, issuerDn, startDate, expiryDate, keyAlgo, keySize, rootCaPrivateKey,
-            VALID_KEYSTORE_PATH );
+            false, VALID_KEYSTORE_PATH );
 
         // generate an expired certificate, signed by root CA
         Date expiredStartDate = new Date( System.currentTimeMillis() - TlsKeyGenerator.YEAR_MILLIS );
         Date expiredExpiryDate = new Date( System.currentTimeMillis() - TlsKeyGenerator.YEAR_MILLIS / 365 );
         createKeyStore( subjectDn, issuerDn, expiredStartDate, expiredExpiryDate, keyAlgo, keySize,
-            rootCaPrivateKey, EXPIRED_KEYSTORE_PATH );
+            rootCaPrivateKey, false, EXPIRED_KEYSTORE_PATH );
 
         // generate a not yet valid certificate, signed by root CA
         Date notYetValidStartDate = new Date( System.currentTimeMillis() + TlsKeyGenerator.YEAR_MILLIS / 365 );
         Date notYetValidExpiryDate = new Date( System.currentTimeMillis() + TlsKeyGenerator.YEAR_MILLIS );
         createKeyStore( subjectDn, issuerDn, notYetValidStartDate, notYetValidExpiryDate, keyAlgo, keySize,
-            rootCaPrivateKey, NOT_YET_VALID_KEYSTORE_PATH );
+            rootCaPrivateKey, false, NOT_YET_VALID_KEYSTORE_PATH );
 
         // generate a certificate with small key size, signed by root CA
         int smallKeySize = 512;
         createKeyStore( subjectDn, issuerDn, startDate, expiryDate, keyAlgo, smallKeySize,
-            rootCaPrivateKey, SMALL_KEYSIZE_KEYSTORE_PATH );
+            rootCaPrivateKey, false, SMALL_KEYSIZE_KEYSTORE_PATH );
 
         // TODO signature does not match if root private key is null
     }
 
 
     private static KeyStore createKeyStore( String subjectDn, String issuerDn, Date startDate, Date expiryDate,
-        String keyAlgo, int keySize, PrivateKey optionalSigningKey, String keystorePath )
+        String keyAlgo, int keySize, PrivateKey optionalSigningKey, boolean isCA, String keystorePath )
         throws Exception
     {
         File goodKeyStoreFile = new File( keystorePath );
@@ -148,7 +148,7 @@ public class CertificateValidationTest extends AbstractLdapTestUnit
         }
         Entry entry = new DefaultEntry();
         TlsKeyGenerator.addKeyPair( entry, issuerDn, subjectDn, startDate, expiryDate, keyAlgo, keySize,
-            optionalSigningKey );
+            optionalSigningKey, isCA );
         KeyPair keyPair = TlsKeyGenerator.getKeyPair( entry );
         X509Certificate cert = TlsKeyGenerator.getCertificate( entry );
         //System.out.println( cert );
diff --git a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
index 96d2f06..90143e9 100644
--- a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
+++ b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
@@ -136,7 +136,7 @@ public class ClientCertificateAuthenticationIT extends AbstractLdapTestUnit
             int keySize = 1024;
 
             Entry entry = new DefaultEntry();
-            TlsKeyGenerator.addKeyPair( entry, issuerDn, subjectDn, startDate, expiryDate, keyAlgo, keySize, null );
+            TlsKeyGenerator.addKeyPair( entry, issuerDn, subjectDn, startDate, expiryDate, keyAlgo, keySize, null, false );
 
             // prepare socket factory to provide client certificate
             try (