1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20 package org.apache.wss4j.common.crypto;
21
22 import java.io.InputStream;
23 import java.security.KeyStore;
24 import java.security.cert.X509Certificate;
25 import java.util.Arrays;
26
27 import org.apache.wss4j.common.ext.WSSecurityException;
28 import org.apache.wss4j.common.util.Loader;
29 import org.junit.jupiter.api.Test;
30
31 import static org.junit.jupiter.api.Assertions.assertNotNull;
32 import static org.junit.jupiter.api.Assertions.assertTrue;
33 import static org.junit.jupiter.api.Assertions.fail;
34
35
36
37
38
39 public class AuthorityKeyIdentifierTest {
40
41 public AuthorityKeyIdentifierTest() {
42 WSProviderConfig.init();
43 }
44
45 @Test
46 public void testExtractKeyIdentifiers() throws Exception {
47
48 KeyStore keyStore = loadKeyStore("keys/wss40.jks", "security");
49 assertNotNull(keyStore);
50
51 X509Certificate cert = (X509Certificate)keyStore.getCertificate("wss40");
52 assertNotNull(cert);
53
54
55 byte[] keyIdentifierBytes = BouncyCastleUtils.getAuthorityKeyIdentifierBytes(cert);
56 assertNotNull(keyIdentifierBytes);
57
58
59 KeyStore caKeyStore = loadKeyStore("keys/wss40CA.jks", "security");
60 assertNotNull(caKeyStore);
61
62 X509Certificate caCert = (X509Certificate)caKeyStore.getCertificate("wss40CA");
63 assertNotNull(caCert);
64
65
66 byte[] subjectKeyIdentifierBytes =
67 BouncyCastleUtils.getSubjectKeyIdentifierBytes(caCert);
68 assertNotNull(subjectKeyIdentifierBytes);
69
70 assertTrue(Arrays.equals(keyIdentifierBytes, subjectKeyIdentifierBytes));
71 }
72
73 @Test
74 public void testMerlinAKI() throws Exception {
75
76 KeyStore keyStore = loadKeyStore("keys/wss40.jks", "security");
77 assertNotNull(keyStore);
78 X509Certificate cert = (X509Certificate)keyStore.getCertificate("wss40");
79 assertNotNull(cert);
80
81
82 KeyStore caKeyStore = loadKeyStore("keys/wss40CA.jks", "security");
83 assertNotNull(caKeyStore);
84 MerlinAKI crypto = new MerlinAKI();
85 crypto.setTrustStore(caKeyStore);
86
87
88 crypto.verifyTrust(new X509Certificate[]{cert}, false, null);
89
90
91 KeyStore badKeyStore = loadKeyStore("keys/wss86.keystore", "security");
92 assertNotNull(badKeyStore);
93 X509Certificate badCert = (X509Certificate)badKeyStore.getCertificate("wss86");
94 assertNotNull(badCert);
95
96 try {
97 crypto.verifyTrust(new X509Certificate[]{badCert}, false, null);
98 fail("Failure expected on trying to validate an untrusted cert");
99 } catch (WSSecurityException ex) {
100 assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.FAILURE);
101 }
102 }
103
104 private KeyStore loadKeyStore(String path, String password) throws Exception {
105 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
106 ClassLoader loader = Loader.getClassLoader(AuthorityKeyIdentifierTest.class);
107 InputStream input = Merlin.loadInputStream(loader, path);
108 keyStore.load(input, password.toCharArray());
109 input.close();
110
111 return keyStore;
112 }
113 }