View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.wss4j.common.crypto;
21  
22  import java.io.InputStream;
23  import java.security.KeyStore;
24  import java.security.cert.X509Certificate;
25  import java.util.Arrays;
26  
27  import org.apache.wss4j.common.ext.WSSecurityException;
28  import org.apache.wss4j.common.util.Loader;
29  import org.junit.jupiter.api.Test;
30  
31  import static org.junit.jupiter.api.Assertions.assertNotNull;
32  import static org.junit.jupiter.api.Assertions.assertTrue;
33  import static org.junit.jupiter.api.Assertions.fail;
34  
35  /**
36   * This is a test for extracting AuthorityKeyIdentifier/SubjectKeyIdentifier information from
37   * the certs using BouncyCastle.
38   */
39  public class AuthorityKeyIdentifierTest {
40  
41      public AuthorityKeyIdentifierTest() {
42          WSProviderConfig.init();
43      }
44  
45      @Test
46      public void testExtractKeyIdentifiers() throws Exception {
47          // Load the keystore
48          KeyStore keyStore = loadKeyStore("keys/wss40.jks", "security");
49          assertNotNull(keyStore);
50  
51          X509Certificate cert = (X509Certificate)keyStore.getCertificate("wss40");
52          assertNotNull(cert);
53  
54          // Get AuthorityKeyIdentifier from the cert
55          byte[] keyIdentifierBytes = BouncyCastleUtils.getAuthorityKeyIdentifierBytes(cert);
56          assertNotNull(keyIdentifierBytes);
57  
58          // Now load the CA cert
59          KeyStore caKeyStore = loadKeyStore("keys/wss40CA.jks", "security");
60          assertNotNull(caKeyStore);
61  
62          X509Certificate caCert = (X509Certificate)caKeyStore.getCertificate("wss40CA");
63          assertNotNull(caCert);
64  
65          // Get SubjectKeyIdentifier from the CA cert
66          byte[] subjectKeyIdentifierBytes =
67              BouncyCastleUtils.getSubjectKeyIdentifierBytes(caCert);
68          assertNotNull(subjectKeyIdentifierBytes);
69  
70          assertTrue(Arrays.equals(keyIdentifierBytes, subjectKeyIdentifierBytes));
71      }
72  
73      @Test
74      public void testMerlinAKI() throws Exception {
75          // Load the keystore
76          KeyStore keyStore = loadKeyStore("keys/wss40.jks", "security");
77          assertNotNull(keyStore);
78          X509Certificate cert = (X509Certificate)keyStore.getCertificate("wss40");
79          assertNotNull(cert);
80  
81          // Now load the CA keystore + instantiate MerlinAKI
82          KeyStore caKeyStore = loadKeyStore("keys/wss40CA.jks", "security");
83          assertNotNull(caKeyStore);
84          MerlinAKI crypto = new MerlinAKI();
85          crypto.setTrustStore(caKeyStore);
86  
87          // Verify trust...
88          crypto.verifyTrust(new X509Certificate[]{cert}, false, null);
89  
90          // Now test with a non-trusted cert
91          KeyStore badKeyStore = loadKeyStore("keys/wss86.keystore", "security");
92          assertNotNull(badKeyStore);
93          X509Certificate badCert = (X509Certificate)badKeyStore.getCertificate("wss86");
94          assertNotNull(badCert);
95  
96          try {
97              crypto.verifyTrust(new X509Certificate[]{badCert}, false, null);
98              fail("Failure expected on trying to validate an untrusted cert");
99          } catch (WSSecurityException ex) {
100             assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.FAILURE);
101         }
102     }
103 
104     private KeyStore loadKeyStore(String path, String password) throws Exception {
105         KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
106         ClassLoader loader = Loader.getClassLoader(AuthorityKeyIdentifierTest.class);
107         InputStream input = Merlin.loadInputStream(loader, path);
108         keyStore.load(input, password.toCharArray());
109         input.close();
110 
111         return keyStore;
112     }
113 }