

1 /*************************************************************************
2  * *
3  * EJBCA: The OpenSource Certificate Authority *
4  * *
5  * This software is free software; you can redistribute it and/or *
6  * modify it under the terms of the GNU Lesser General Public *
7  * License as published by the Free Software Foundation; either *
8  * version 2.1 of the License, or any later version. *
9  * *
10  * See terms of license at gnu.org. *
11  * *
12  *************************************************************************/

14 package se.anatom.ejbca.protocol;
16 import java.io.ByteArrayInputStream JavaDoc;
17 import java.io.ByteArrayOutputStream JavaDoc;
18 import java.io.FileInputStream JavaDoc;
19 import java.io.IOException JavaDoc;
20 import java.io.InputStream JavaDoc;
21 import java.io.OutputStream JavaDoc;
22 import java.net.HttpURLConnection JavaDoc;
23 import java.net.URL JavaDoc;
24 import java.net.URLConnection JavaDoc;
25 import java.rmi.RemoteException JavaDoc;
26 import java.security.GeneralSecurityException JavaDoc;
27 import java.security.KeyPair JavaDoc;
28 import java.security.KeyPairGenerator JavaDoc;
29 import java.security.KeyStore JavaDoc;
30 import java.security.cert.Certificate JavaDoc;
31 import java.security.cert.X509Certificate JavaDoc;
32 import java.security.interfaces.RSAPrivateKey JavaDoc;
33 import java.util.Collection JavaDoc;
34 import java.util.Enumeration JavaDoc;
35 import java.util.Hashtable JavaDoc;
36 import java.util.Iterator JavaDoc;
38 import javax.ejb.DuplicateKeyException JavaDoc;
39 import javax.naming.Context JavaDoc;
40 import javax.naming.NamingException JavaDoc;
41 import javax.net.ssl.HostnameVerifier;
42 import javax.net.ssl.HttpsURLConnection;
43 import javax.net.ssl.KeyManagerFactory;
44 import javax.net.ssl.SSLContext;
45 import javax.net.ssl.SSLSession;
46 import javax.net.ssl.SSLSocketFactory;
47 import javax.net.ssl.TrustManagerFactory;
49 import junit.framework.TestCase;
51 import org.apache.log4j.Logger;
52 import org.bouncycastle.asn1.ASN1InputStream;
53 import org.bouncycastle.asn1.ASN1OctetString;
54 import org.bouncycastle.asn1.DEROctetString;
55 import org.bouncycastle.asn1.x509.X509Extension;
56 import org.bouncycastle.asn1.x509.X509Extensions;
57 import org.bouncycastle.ocsp.BasicOCSPResp;
58 import org.bouncycastle.ocsp.CertificateID;
59 import org.bouncycastle.ocsp.OCSPException;
60 import org.bouncycastle.ocsp.OCSPReq;
61 import org.bouncycastle.ocsp.OCSPReqGenerator;
62 import org.bouncycastle.ocsp.OCSPResp;
63 import org.bouncycastle.ocsp.RevokedStatus;
64 import org.bouncycastle.ocsp.SingleResp;
65 import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionHome;
66 import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionRemote;
67 import org.ejbca.core.ejb.ca.sign.ISignSessionHome;
68 import org.ejbca.core.ejb.ca.sign.ISignSessionRemote;
69 import org.ejbca.core.ejb.ca.store.CertificateDataPK;
70 import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionHome;
71 import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionRemote;
72 import org.ejbca.core.ejb.ra.IUserAdminSessionHome;
73 import org.ejbca.core.ejb.ra.IUserAdminSessionRemote;
74 import org.ejbca.core.model.SecConst;
75 import org.ejbca.core.model.ca.caadmin.CAInfo;
76 import org.ejbca.core.model.ca.crl.RevokedCertInfo;
77 import org.ejbca.core.model.log.Admin;
78 import org.ejbca.core.model.ra.UserDataConstants;
79 import org.ejbca.core.protocol.ocsp.FnrFromUnidExtension;
80 import org.ejbca.util.CertTools;
81 import org.ejbca.util.KeyTools;
83 /** Tests http pages of ocsp lookup server.
84  * This test requires a lot of setup.
85  * - The lookup service must be active
86  * - There must be a database for the unid-fnr mapping with the mapping 123456789, 654321
87  * - You must have a CA that has issued certificates with serialNumber in the DN matching the unid 123456789
88  * - You also need a keystore issued by the CA for TLS communication, the keystore cert must be configured in the lookup extension as trusted
89  * - /lookup-kstrust.p12 (password lookup)
90  * - You also need a keystore as above but not configured as trusted in the lookup extension
91  * - /lookup-ksnotrust.p12 (password lookup)
92  * - The CA-certificate issuing the two keystores should be configured in ejbca.properties
93  *
94  * Simply create two new users with batch generation and PKCS12 keystores in ejbca and issue their keystores.
95  * The SSL certificate used for JBoss must be issued by the same CA that creates lookup-kstrust.p12.
96  *
97  * The database table for the UnidFnrMapping should look like (MySQL):
98  * CREATE TABLE UnidFnrMapping(
99  * unid varchar(250) NOT NULL DEFAULT '',
100  * fnr varchar(250) NOT NULL DEFAULT '',
101  * PRIMARY KEY (unid)
102  * );
103  *
104  **/

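public class ProtocolLookupServerHttpTest extends TestCase {
    private static Logger log = Logger.getLogger(ProtocolLookupServerHttpTest.class);

    /** Username, password and e-mail of the end entity the tests create and re-issue certificates for. */
    private static final String TEST_USER = "unidtest";
    private static final String TEST_PASSWORD = "foo123";
    private static final String TEST_EMAIL = "unidtest@anatom.se";
    /** DN whose serialNumber is the unid 123456789, which the lookup database is expected to map to fnr 654321. */
    private static final String DN_KNOWN_UNID = "C=SE,O=AnaTom,surname=Jansson,serialNumber=123456789,CN=UNIDTest";
    /** DN whose serialNumber is a unid that has no fnr mapping. */
    private static final String DN_UNKNOWN_UNID = "C=SE,O=AnaTom,surname=Jansson,serialNumber=12345678,CN=UNIDTest";
    /** DN without any serialNumber attribute. */
    private static final String DN_NO_SERIALNUMBER = "C=SE,O=AnaTom,surname=Jansson,CN=UNIDTest";
    /** Unid carried in the FnrFromUnid request extension by every test. */
    private static final String REQUEST_UNID = "123456789";

    /** Base URL of the EJBCA web application; test06 switches it to plain http. */
    private String httpReqPath;
    /** Path of the OCSP servlet, relative to {@link #httpReqPath}. */
    private final String resourceOcsp;

    private static Context ctx;
    private static ISignSessionHome home;
    private static ISignSessionRemote remote;
    protected ICertificateStoreSessionHome storehome;
    private static IUserAdminSessionRemote usersession;
    /** Id of the first CA returned by the CA admin session, resolved in {@link #setCAID}. */
    protected static int caid = 0;
    protected static Admin admin;
    /** First certificate of the chain of the CA identified by {@link #caid}; stays null if the chain is empty. */
    private static X509Certificate cacert = null;
    /** Certificate most recently issued to the test user; the ordered tests share it. */
    private static X509Certificate ocspTestCert = null;
    /** Throw-away key pair used for every certificate the tests request. */
    private static KeyPair keys = null;

    /**
     * Creates the test against the default local EJBCA installation (https on 8443).
     *
     * @param name the JUnit test name
     * @throws Exception if the EJB sessions cannot be looked up or keys cannot be generated
     */
    public ProtocolLookupServerHttpTest(String name) throws Exception {
        this(name, "https://127.0.0.1:8443/ejbca", "publicweb/status/ocsp");
    }

    /**
     * Creates the test, installs the BC provider, looks up the EJB sessions, resolves the CA and
     * generates the key pair used by all tests.
     *
     * @param name the JUnit test name
     * @param reqP base URL of the EJBCA web application
     * @param res path of the OCSP servlet relative to reqP
     * @throws Exception if the EJB sessions cannot be looked up or keys cannot be generated
     */
    public ProtocolLookupServerHttpTest(String name, String reqP, String res) throws Exception {
        super(name);
        httpReqPath = reqP;
        resourceOcsp = res;

        // Install BouncyCastle provider
        CertTools.installBCProvider();

        admin = new Admin(Admin.TYPE_BATCHCOMMANDLINE_USER);

        ctx = getInitialContext();
        Object obj = ctx.lookup("CAAdminSession");
        ICAAdminSessionHome cahome = (ICAAdminSessionHome) javax.rmi.PortableRemoteObject.narrow(obj, ICAAdminSessionHome.class);
        ICAAdminSessionRemote casession = cahome.create();
        setCAID(casession);
        CAInfo cainfo = casession.getCAInfo(admin, caid);
        Collection certs = cainfo.getCertificateChain();
        if (certs.size() > 0) {
            Iterator certiter = certs.iterator();
            cacert = (X509Certificate) certiter.next();
        } else {
            // cacert stays null; every OCSP request built later would fail, so make it visible early
            log.error("NO CACERT for caid " + caid);
        }
        obj = ctx.lookup("RSASignSession");
        home = (ISignSessionHome) javax.rmi.PortableRemoteObject.narrow(obj, ISignSessionHome.class);
        remote = home.create();
        Object obj2 = ctx.lookup("CertificateStoreSession");
        storehome = (ICertificateStoreSessionHome) javax.rmi.PortableRemoteObject.narrow(obj2, ICertificateStoreSessionHome.class);
        obj = ctx.lookup("UserAdminSession");
        IUserAdminSessionHome userhome = (IUserAdminSessionHome) javax.rmi.PortableRemoteObject.narrow(obj, IUserAdminSessionHome.class);
        usersession = userhome.create();

        keys = genKeys();
    }

    /**
     * Stores the id of the first available CA in {@link #caid}.
     *
     * @param casession CA admin session used to list the CAs
     * @throws RemoteException if the EJB call fails
     */
    protected void setCAID(ICAAdminSessionRemote casession) throws RemoteException {
        Collection caids = casession.getAvailableCAs(admin);
        Iterator iter = caids.iterator();
        if (iter.hasNext()) {
            caid = ((Integer) iter.next()).intValue();
        } else {
            fail("No active CA! Must have at least one active CA to run tests!");
        }
    }

    protected void setUp() throws Exception {
        log.debug(">setUp()");

        log.debug("<setUp()");
    }

    protected void tearDown() throws Exception {
    }

    /**
     * Creates the default JNDI initial context.
     *
     * @return a new InitialContext
     * @throws NamingException if the context cannot be created
     */
    private Context getInitialContext() throws NamingException {
        log.debug(">getInitialContext");
        Context ctx = new javax.naming.InitialContext();
        log.debug("<getInitialContext");
        return ctx;
    }

    /**
     * Generates a RSA key pair.
     *
     * @return KeyPair the generated key pair
     *
     * @throws Exception if an error occurs...
     */
    private static KeyPair genKeys() throws Exception {
        KeyPairGenerator keygen = KeyPairGenerator.getInstance("RSA", "BC");
        // 512 bits is far below any acceptable key strength; it is used here only because the
        // key is throw-away and fast to generate. Do not copy this size into anything that is not a test.
        keygen.initialize(512);
        log.debug("Generating keys, please wait...");
        KeyPair rsaKeys = keygen.generateKeyPair();
        log.debug("Generated " + rsaKeys.getPrivate().getAlgorithm() + " keys with length" +
                ((RSAPrivateKey) rsaKeys.getPrivate()).getModulus().bitLength());
        return rsaKeys;
    } // genKeys

    /** Tests ocsp message with good status and a valid unid
     * @throws Exception error
     */
    public void test01OcspGoodWithFnr() throws Exception {
        // Make user that we know...
        boolean userExists = false;
        try {
            usersession.addUser(admin, TEST_USER, TEST_PASSWORD, DN_KNOWN_UNID, null, TEST_EMAIL, false,
                    SecConst.EMPTY_ENDENTITYPROFILE, SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.USER_ENDUSER,
                    SecConst.TOKEN_SOFT_PEM, 0, caid);
            log.debug("created user: unidtest, foo123, C=SE, O=AnaTom,surname=Jansson,serialNumber=123456789, CN=UNIDTest");
        } catch (RemoteException re) {
            // the EJB container may wrap the duplicate-key error in a RemoteException
            if (re.detail instanceof DuplicateKeyException) {
                userExists = true;
            }
        } catch (DuplicateKeyException dke) {
            userExists = true;
        }

        if (userExists) {
            log.debug("User unidtest already exists.");
            resetTestUser(DN_KNOWN_UNID);
        }
        // Generate certificate for the user that we know exists...
        ocspTestCert = issueTestCert();

        // And an OCSP request
        OCSPReq req = buildFnrRequest(ocspTestCert, REQUEST_UNID);

        // Send the request and receive a BasicResponse
        BasicOCSPResp brep = sendOCSPPost(req.getEncoded(), true);
        assertEquals(getFnr(brep), "654321");
        SingleResp singleResp = assertSingleResponse(brep);
        Object status = singleResp.getCertStatus();
        assertEquals("Status is not null (good)", status, null);
    }

    /** Tests ocsp message with bad status and a valid unid
     * @throws Exception error
     */
    public void test02OcspBadWithFnr() throws Exception {
        ICertificateStoreSessionRemote store = storehome.create();
        store.revokeCertificate(admin, ocspTestCert, null, RevokedCertInfo.REVOKATION_REASON_KEYCOMPROMISE);

        // And an OCSP request
        OCSPReq req = buildFnrRequest(ocspTestCert, REQUEST_UNID);

        // Send the request and receive a BasicResponse
        BasicOCSPResp brep = sendOCSPPost(req.getEncoded(), true);
        // When a certificate is revoked the FNR must not be returned
        assertEquals(getFnr(brep), null);
        SingleResp singleResp = assertSingleResponse(brep);
        Object status = singleResp.getCertStatus();
        assertTrue("Status is not RevokedStatus", status instanceof RevokedStatus);
        RevokedStatus rev = (RevokedStatus) status;
        assertTrue("Status does not have reason", rev.hasRevocationReason());
        int reason = rev.getRevocationReason();
        assertEquals("Wrong revocation reason", reason, RevokedCertInfo.REVOKATION_REASON_KEYCOMPROMISE);
    }

    /** Tests ocsp message with good status and invalid unid
     * @throws Exception error
     */
    public void test03OcspGoodWithNoFnr() throws Exception {
        // Change user to a Unid that we don't have mapping for
        resetTestUser(DN_UNKNOWN_UNID);
        // Generate certificate for the new/changed user
        ocspTestCert = issueTestCert();

        // And an OCSP request
        OCSPReq req = buildFnrRequest(ocspTestCert, REQUEST_UNID);

        // Send the request and receive a BasicResponse
        BasicOCSPResp brep = sendOCSPPost(req.getEncoded(), true);
        assertEquals(getFnr(brep), null);
        SingleResp singleResp = assertSingleResponse(brep);
        Object status = singleResp.getCertStatus();
        assertEquals("Status is not null (good)", status, null);
    }

    /** Tests ocsp message with good status but no serialNumber in the DN
     * @throws Exception error
     */
    public void test04OcspGoodNoSerialNo() throws Exception {
        // Change user to not have any serialNumber
        resetTestUser(DN_NO_SERIALNUMBER);
        // Generate certificate for the new/changed user
        ocspTestCert = issueTestCert();

        // And an OCSP request
        OCSPReq req = buildFnrRequest(ocspTestCert, REQUEST_UNID);

        // Send the request and receive a BasicResponse
        BasicOCSPResp brep = sendOCSPPost(req.getEncoded(), true);
        assertEquals(getFnr(brep), null);
        SingleResp singleResp = assertSingleResponse(brep);
        Object status = singleResp.getCertStatus();
        assertEquals("Status is not null (good)", status, null);
    }

    /** test a lookup message from an untrusted requestor, should not work
     *
     * @throws Exception
     */
    public void test05HttpsNotAuthorized() throws Exception {
        // Change user to a Unid that is OK
        resetTestUser(DN_KNOWN_UNID);
        // Generate certificate for the new/changed user
        ocspTestCert = issueTestCert();

        // And an OCSP request
        OCSPReq req = buildFnrRequest(ocspTestCert, REQUEST_UNID);

        // Send the request with the keystore that is NOT configured as trusted in the lookup extension
        BasicOCSPResp brep = sendOCSPPost(req.getEncoded(), false);
        // The certificate status is still answered; only the FNR mapping is withheld
        assertEquals(getFnr(brep), null);
        SingleResp singleResp = assertSingleResponse(brep);
        Object status = singleResp.getCertStatus();
        assertEquals("Status is not null (good)", status, null);
    }

    /** test a lookup request with regular http, should not work
     *
     * @throws Exception
     */
    public void test06HttpNotAuthorized() throws Exception {
        // Change to use plain http, we should be able to get a OCSP response, but the FNR mapping
        // will not be returned because it requires https with client authentication
        httpReqPath = "http://127.0.0.1:8080/ejbca";
        // Change user to a Unid that is OK
        resetTestUser(DN_KNOWN_UNID);
        // Generate certificate for the new/changed user
        ocspTestCert = issueTestCert();

        // And an OCSP request
        OCSPReq req = buildFnrRequest(ocspTestCert, REQUEST_UNID);

        // Send the request and receive a BasicResponse
        BasicOCSPResp brep = sendOCSPPost(req.getEncoded(), true);
        assertEquals(getFnr(brep), null);
        SingleResp singleResp = assertSingleResponse(brep);
        Object status = singleResp.getCertStatus();
        assertEquals("Status is not null (good)", status, null);
    }

    //
    // Private helper methods
    //

    /**
     * Sets the test user's DN and resets its status to NEW so that a new certificate can be issued.
     *
     * @param dn the subject DN to give the user
     * @throws Exception if the user admin session call fails
     */
    private void resetTestUser(String dn) throws Exception {
        usersession.changeUser(admin, TEST_USER, TEST_PASSWORD, dn, null, TEST_EMAIL, false,
                SecConst.EMPTY_ENDENTITYPROFILE, SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.USER_ENDUSER,
                SecConst.TOKEN_SOFT_PEM, 0, UserDataConstants.STATUS_NEW, caid);
        log.debug("Reset status to NEW");
    }

    /**
     * Has the CA issue a certificate for the test user with the shared key pair.
     *
     * @return the issued certificate, never null
     * @throws Exception if the sign session call fails
     */
    private X509Certificate issueTestCert() throws Exception {
        X509Certificate cert = (X509Certificate) remote.createCertificate(admin, TEST_USER, TEST_PASSWORD, keys.getPublic());
        assertNotNull("Misslyckades skapa cert", cert);
        return cert;
    }

    /**
     * Builds an OCSP request for the given certificate carrying a FnrFromUnid extension.
     *
     * @param cert certificate whose status is requested (issuer is {@link #cacert})
     * @param unid unid placed in the request extension
     * @return the generated request
     * @throws IOException if the extension cannot be encoded
     * @throws OCSPException if the request cannot be generated
     */
    private OCSPReq buildFnrRequest(X509Certificate cert, String unid) throws IOException, OCSPException {
        OCSPReqGenerator gen = new OCSPReqGenerator();
        gen.addRequest(new CertificateID(CertificateID.HASH_SHA1, cacert, cert.getSerialNumber()));
        Hashtable exts = new Hashtable();
        X509Extension ext = new X509Extension(false, new DEROctetString(new FnrFromUnidExtension(unid)));
        exts.put(FnrFromUnidExtension.FnrFromUnidOid, ext);
        gen.setRequestExtensions(new X509Extensions(exts));
        return gen.generate();
    }

    /**
     * Asserts that the response holds exactly one SingleResp and that it is for {@link #ocspTestCert}.
     *
     * @param brep the response to check
     * @return the single response, for status checks by the caller
     */
    private SingleResp assertSingleResponse(BasicOCSPResp brep) {
        SingleResp[] singleResps = brep.getResponses();
        assertEquals("No of SingResps should be 1.", singleResps.length, 1);
        SingleResp singleResp = singleResps[0];
        CertificateID certId = singleResp.getCertID();
        assertEquals("Serno in response does not match serno in request.", certId.getSerialNumber(), ocspTestCert.getSerialNumber());
        return singleResp;
    }

    /**
     * POSTs an encoded OCSP request to the lookup servlet and returns the decoded basic response.
     *
     * @param ocspPackage DER encoded OCSP request
     * @param trust false to present the client keystore that is not trusted by the lookup extension
     * @return the basic response, after its status and signature have been checked
     * @throws IOException if the HTTP exchange fails
     * @throws OCSPException if the response cannot be decoded
     * @throws GeneralSecurityException if the TLS setup or signature check fails
     */
    private BasicOCSPResp sendOCSPPost(byte[] ocspPackage, boolean trust) throws IOException, OCSPException, GeneralSecurityException {
        // POST the OCSP request
        URL url = new URL(httpReqPath + '/' + resourceOcsp);
        HttpURLConnection con = (HttpURLConnection) getUrlConnection(url, trust);
        // we are going to do a POST
        con.setDoOutput(true);
        con.setRequestMethod("POST");

        // POST it
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        OutputStream os = con.getOutputStream();
        try {
            os.write(ocspPackage);
        } finally {
            os.close();
        }
        assertEquals("Response code", 200, con.getResponseCode());
        assertEquals("Content-Type", "application/ocsp-response", con.getContentType());
        // OCSP responses are small, so buffering the whole body in memory is fine
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        InputStream in = con.getInputStream();
        try {
            byte[] buf = new byte[4096];
            int n = in.read(buf);
            while (n != -1) {
                baos.write(buf, 0, n);
                n = in.read(buf);
            }
        } finally {
            in.close();
        }
        byte[] respBytes = baos.toByteArray();
        OCSPResp response = new OCSPResp(new ByteArrayInputStream(respBytes));
        assertEquals("Response status not zero.", response.getStatus(), 0);
        BasicOCSPResp brep = (BasicOCSPResp) response.getResponseObject();
        X509Certificate[] chain = brep.getCerts("BC");
        assertTrue("Response carries no signer certificate.", chain != null && chain.length > 0);
        // The signature is checked with the first certificate the response itself carries; that
        // certificate is not validated against cacert, so this only proves the response is
        // self-consistent, not that the trusted CA issued the responder certificate.
        boolean verify = brep.verify(chain[0].getPublicKey(), "BC");
        assertTrue("Response failed to verify.", verify);
        return brep;
    }

    /**
     * Extracts the fnr from the FnrFromUnid response extension.
     *
     * @param brep the basic response
     * @return the fnr, or null when the response carries no FnrFromUnid extension
     * @throws IOException if the extension value cannot be parsed
     */
    private String getFnr(BasicOCSPResp brep) throws IOException {
        byte[] fnrrep = brep.getExtensionValue(FnrFromUnidExtension.FnrFromUnidOid.getId());
        if (fnrrep == null) {
            return null;
        }
        // The extension value is an OCTET STRING wrapping the DER encoded FnrFromUnidExtension
        ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(fnrrep));
        ASN1OctetString octs = (ASN1OctetString) aIn.readObject();
        aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
        FnrFromUnidExtension fnrobj = FnrFromUnidExtension.getInstance(aIn.readObject());
        return fnrobj.getFnr();
    }

    /**
     * Builds a TLS socket factory that authenticates with one of the two client keystores and
     * trusts only the CA that issued it.
     *
     * @param trust true for /lookup-kstrust.p12, false for /lookup-ksnotrust.p12 (both use password "lookup")
     * @return the configured socket factory
     * @throws GeneralSecurityException if a keystore or TLS component cannot be initialised
     * @throws IOException if the keystore file cannot be read
     */
    private SSLSocketFactory getSSLFactory(boolean trust) throws GeneralSecurityException, IOException {
        log.debug(">getSSLFactory()");

        String trustp12 = trust ? "/lookup-kstrust.p12" : "/lookup-ksnotrust.p12";
        char[] passphrase = "lookup".toCharArray();

        SSLContext sslCtx = SSLContext.getInstance("TLS");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");

        // Put the key and certs in the user keystore
        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        FileInputStream fis = new FileInputStream(trustp12);
        try {
            ks.load(fis, passphrase);
        } finally {
            fis.close();
        }
        kmf.init(ks, passphrase);

        // Now make a truststore to verify the server
        KeyStore trustks = KeyStore.getInstance("jks");
        trustks.load(null, "foo123".toCharArray());
        // add trusted CA cert: the last certificate of the client chain, i.e. the issuing CA
        Enumeration en = ks.aliases();
        String alias = (String) en.nextElement();
        Certificate[] certs = KeyTools.getCertChain(ks, alias);
        trustks.setCertificateEntry("trusted", certs[certs.length - 1]);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustks);

        sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        log.debug("<getSSLFactory()");
        return sslCtx.getSocketFactory();
    }

    /**
     * Opens a connection to the url; for https the client keystore and host name verifier are set up.
     *
     * @param url the url to connect to
     * @param trust should be set to false when we want to use an un-trusted keystore
     * @return URLConnection
     * @throws IOException if the connection cannot be opened
     * @throws GeneralSecurityException if the TLS setup fails
     */
    private URLConnection getUrlConnection(URL url, boolean trust) throws IOException, GeneralSecurityException {
        log.debug(">getUrlConnection( URL url )");
        log.debug(" - url=" + url);
        URLConnection orgcon = url.openConnection();
        log.debug(orgcon.getClass());
        if (orgcon instanceof HttpsURLConnection) {
            HttpsURLConnection con = (HttpsURLConnection) orgcon;
            con.setHostnameVerifier(new SimpleVerifier());
            con.setSSLSocketFactory(getSSLFactory(trust));
        } else {
            log.debug("getUrlConnection(): Ingen HttpsUrlConnection!");
        }
        log.debug("<getUrlConnection() --> " + orgcon);
        return orgcon;
    }

    /**
     * Accepts every host name. The tests connect to 127.0.0.1, whose name the server certificate
     * is not expected to carry; the only protection left is the trust store built in
     * {@link #getSSLFactory}, so any certificate from that CA is accepted for any host.
     * Keep this confined to the test.
     */
    static class SimpleVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }

}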