Posted to commits@directory.apache.org by se...@apache.org on 2020/04/04 11:55:48 UTC
[directory-server] branch master updated: Allow creation of CA
certificate, fixes certifcate validation test on newer Java versions.
This is an automated email from the ASF dual-hosted git repository.
seelmann pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-server.git
The following commit(s) were added to refs/heads/master by this push:
new 656524b Allow creation of CA certificate, fixes certifcate validation test on newer Java versions.
656524b is described below
commit 656524be7783a019e32cc13358f6708487d852c7
Author: Stefan Seelmann <ma...@stefan-seelmann.de>
AuthorDate: Sat Apr 4 13:55:28 2020 +0200
Allow creation of CA certificate, fixes certificate validation test on newer Java versions.
---
.../directory/server/core/security/TlsKeyGenerator.java | 8 +++-----
.../shared/client/api/CertificateValidationTest.java | 14 +++++++-------
.../sasl/external/ClientCertificateAuthenticationIT.java | 2 +-
3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java b/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java
index ec5d23b..1a0da3b 100644
--- a/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java
+++ b/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java
@@ -253,12 +253,12 @@ public final class TlsKeyGenerator
{
Date startDate = new Date();
Date expiryDate = new Date( System.currentTimeMillis() + YEAR_MILLIS );
- addKeyPair( entry, issuerDN, subjectDN, startDate, expiryDate, keyAlgo, keySize, null );
+ addKeyPair( entry, issuerDN, subjectDN, startDate, expiryDate, keyAlgo, keySize, null, false );
}
public static void addKeyPair( Entry entry, String issuerDN, String subjectDN, Date startDate, Date expiryDate,
- String keyAlgo, int keySize, PrivateKey optionalSigningKey ) throws LdapException
+ String keyAlgo, int keySize, PrivateKey optionalSigningKey, boolean isCA ) throws LdapException
{
Attribute objectClass = entry.get( SchemaConstants.OBJECT_CLASS_AT );
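Review bot: The new `isCA` argument replaces the public 8-parameter `addKeyPair` overload instead of adding to it, so any caller outside this repository that used the old signature no longer compiles; a delegating overload that passes `false` keeps the old behaviour alongside the new parameter. The new signature would also benefit from a Javadoc line for the flag, e.g. `@param isCA whether the generated certificate is marked as a CA in its BasicConstraints extension`. The 7-argument caller at the top of the hunk starts outside it, and the body of the new `addKeyPair` continues past the hunk.
```java
public static void addKeyPair( Entry entry, String issuerDN, String subjectDN, Date startDate, Date expiryDate,
    String keyAlgo, int keySize, PrivateKey optionalSigningKey ) throws LdapException
{
    // Backward-compatible overload: previous callers get an end-entity certificate as before.
    addKeyPair( entry, issuerDN, subjectDN, startDate, expiryDate, keyAlgo, keySize, optionalSigningKey, false );
}

// … unchanged: new 9-parameter addKeyPair …
```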
@@ -312,12 +312,10 @@ public final class TlsKeyGenerator
certGen.setSubjectDN( subjectName );
certGen.setPublicKey( publicKey );
certGen.setSignatureAlgorithm( "SHA256With" + keyAlgo );
- certGen.addExtension( Extension.basicConstraints, false, new BasicConstraints( false ) );
+ certGen.addExtension( Extension.basicConstraints, false, new BasicConstraints( isCA ) );
certGen.addExtension( Extension.extendedKeyUsage, true, new ExtendedKeyUsage(
new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth } ) );
-
-
try
{
PrivateKey signingKey = optionalSigningKey != null ? optionalSigningKey : privateKey;
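Review bot: The BasicConstraints extension on the changed line stays non-critical (`false`) even when `isCA` is true, whereas RFC 5280 §4.2.1.9 requires CA certificates to mark it critical; tying criticality to the flag, `certGen.addExtension( Extension.basicConstraints, isCA, new BasicConstraints( isCA ) );`, fixes that in one line. A CA certificate built here also carries only the clientAuth/serverAuth ExtendedKeyUsage and no KeyUsage, so if callers rely on it to sign other certificates it may be worth adding `Extension.keyUsage` with `keyCertSign` when `isCA` is set — hedged, since the rest of the builder setup is not visible in the hunk. The enclosing method body begins before this hunk and continues after it.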
diff --git a/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java b/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java
index 1d8645d..e6b7685 100644
--- a/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java
+++ b/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/CertificateValidationTest.java
@@ -109,36 +109,36 @@ public class CertificateValidationTest extends AbstractLdapTestUnit
// generate root CA, self-signed
String rootCaSubjectDn = issuerDn;
ROOT_CA_KEYSTORE = createKeyStore( rootCaSubjectDn, issuerDn, startDate, expiryDate, keyAlgo, keySize, null,
- ROOT_CA_KEYSTORE_PATH );
+ true, ROOT_CA_KEYSTORE_PATH );
PrivateKey rootCaPrivateKey = ( PrivateKey ) ROOT_CA_KEYSTORE.getKey( "apacheds", KEYSTORE_PW.toCharArray() );
// generate a valid certificate, signed by root CA
createKeyStore( subjectDn, issuerDn, startDate, expiryDate, keyAlgo, keySize, rootCaPrivateKey,
- VALID_KEYSTORE_PATH );
+ false, VALID_KEYSTORE_PATH );
// generate an expired certificate, signed by root CA
Date expiredStartDate = new Date( System.currentTimeMillis() - TlsKeyGenerator.YEAR_MILLIS );
Date expiredExpiryDate = new Date( System.currentTimeMillis() - TlsKeyGenerator.YEAR_MILLIS / 365 );
createKeyStore( subjectDn, issuerDn, expiredStartDate, expiredExpiryDate, keyAlgo, keySize,
- rootCaPrivateKey, EXPIRED_KEYSTORE_PATH );
+ rootCaPrivateKey, false, EXPIRED_KEYSTORE_PATH );
// generate a not yet valid certificate, signed by root CA
Date notYetValidStartDate = new Date( System.currentTimeMillis() + TlsKeyGenerator.YEAR_MILLIS / 365 );
Date notYetValidExpiryDate = new Date( System.currentTimeMillis() + TlsKeyGenerator.YEAR_MILLIS );
createKeyStore( subjectDn, issuerDn, notYetValidStartDate, notYetValidExpiryDate, keyAlgo, keySize,
- rootCaPrivateKey, NOT_YET_VALID_KEYSTORE_PATH );
+ rootCaPrivateKey, false, NOT_YET_VALID_KEYSTORE_PATH );
// generate a certificate with small key size, signed by root CA
int smallKeySize = 512;
createKeyStore( subjectDn, issuerDn, startDate, expiryDate, keyAlgo, smallKeySize,
- rootCaPrivateKey, SMALL_KEYSIZE_KEYSTORE_PATH );
+ rootCaPrivateKey, false, SMALL_KEYSIZE_KEYSTORE_PATH );
// TODO signature does not match if root private key is null
}
private static KeyStore createKeyStore( String subjectDn, String issuerDn, Date startDate, Date expiryDate,
- String keyAlgo, int keySize, PrivateKey optionalSigningKey, String keystorePath )
+ String keyAlgo, int keySize, PrivateKey optionalSigningKey, boolean isCA, String keystorePath )
throws Exception
{
File goodKeyStoreFile = new File( keystorePath );
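Review bot: `createKeyStore` now takes a bare boolean positional between `optionalSigningKey` and `keystorePath`, and every call site in the hunk passes a literal `true`/`false` that a reader cannot interpret without looking up the signature; a short Javadoc on the private method, e.g. `@param isCA whether the generated certificate is flagged as a CA (only the root CA keystore uses {@code true})`, would make the call sites self-explanatory. The method body continues past the hunk.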
@@ -148,7 +148,7 @@ public class CertificateValidationTest extends AbstractLdapTestUnit
}
Entry entry = new DefaultEntry();
TlsKeyGenerator.addKeyPair( entry, issuerDn, subjectDn, startDate, expiryDate, keyAlgo, keySize,
- optionalSigningKey );
+ optionalSigningKey, isCA );
KeyPair keyPair = TlsKeyGenerator.getKeyPair( entry );
X509Certificate cert = TlsKeyGenerator.getCertificate( entry );
//System.out.println( cert );
diff --git a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
index 96d2f06..90143e9 100644
--- a/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
+++ b/server-integ/src/test/java/org/apache/directory/server/ldap/handlers/sasl/external/ClientCertificateAuthenticationIT.java
@@ -136,7 +136,7 @@ public class ClientCertificateAuthenticationIT extends AbstractLdapTestUnit
int keySize = 1024;
Entry entry = new DefaultEntry();
- TlsKeyGenerator.addKeyPair( entry, issuerDn, subjectDn, startDate, expiryDate, keyAlgo, keySize, null );
+ TlsKeyGenerator.addKeyPair( entry, issuerDn, subjectDn, startDate, expiryDate, keyAlgo, keySize, null, false );
// prepare socket factory to provide client certificate
try (