/*
* Copyright 2010-2017 Norwegian Agency for Public Management and eGovernment (Difi)
*
* Licensed under the EUPL, Version 1.1 or – as soon they
* will be approved by the European Commission - subsequent
* versions of the EUPL (the "Licence");
*
* You may not use this work except in compliance with the Licence.
*
* You may obtain a copy of the Licence at:
*
* https://joinup.ec.europa.eu/community/eupl/og_page/eupl
*
* Unless required by applicable law or agreed to in
* writing, software distributed under the Licence is
* distributed on an "AS IS" basis,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied.
* See the Licence for the specific language governing
* permissions and limitations under the Licence.
*/
package no.difi.oxalis.test.util;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.testng.annotations.Test;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
/**
* Verifies that our dummy AP certificate can be validated against our dummy CA certificate.
*
* @author steinar
* Date: 20.12.2015
* Time: 11.10
*/
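public class CertificateValidationTest {

    /** Classpath resource holding the dummy AP certificate under test. */
    private static final String DUMMY_KEYSTORE = "security/oxalis-dummy-keystore.jks";

    /** Classpath resource holding the dummy CA certificate that acts as the only trust anchor. */
    private static final String DUMMY_CA_KEYSTORE = "security/oxalis-dummy-ca.jks";

    /** Password shared by both dummy keystores; a test fixture, not a secret. */
    private static final String KEYSTORE_PASSWORD = "peppol";

    static {
        // Installs the Bouncy Castle provider, which is requested by name further down
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Validates every certificate found in the dummy AP keystore against the dummy CA.
     *
     * @throws IllegalStateException if the keystore cannot be read, if it holds no certificate at all
     *                               (a vacuous pass is not a pass), or if any certificate fails validation
     */
    @Test
    public void verifyDummyCertificates() {
        KeyStore keystore = loadKeystore(DUMMY_KEYSTORE, KEYSTORE_PASSWORD);
        int validated = 0;
        try {
            Enumeration<String> aliases = keystore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate entry = keystore.getCertificate(alias);
                // Aliases without a certificate (for instance secret-key entries) have nothing to validate
                if (entry == null) {
                    continue;
                }
                if (!(entry instanceof X509Certificate)) {
                    throw new IllegalStateException("Alias " + alias + " does not hold an X.509 certificate");
                }
                validateCertificate((X509Certificate) entry);
                validated++;
            }
        } catch (KeyStoreException e) {
            throw new IllegalStateException(e);
        }
        // An empty keystore would otherwise validate nothing and let the test succeed silently
        if (validated == 0) {
            throw new IllegalStateException("No certificates found in " + DUMMY_KEYSTORE);
        }
    }

    /**
     * Loads a JKS keystore from the classpath.
     *
     * @param resourceName classpath path of the keystore resource
     * @param password     keystore password
     * @return the loaded keystore
     * @throws IllegalStateException if the resource is missing or cannot be parsed as a JKS keystore
     */
    private KeyStore loadKeystore(String resourceName, String password) {
        try (InputStream is = CertificateValidationTest.class.getClassLoader().getResourceAsStream(resourceName)) {
            // KeyStore.load(null, ...) silently produces an EMPTY keystore, so a missing resource must fail loudly
            if (is == null) {
                throw new IllegalStateException("Keystore resource not found on classpath: " + resourceName);
            }
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(is, password.toCharArray());
            return keyStore;
        } catch (NoSuchAlgorithmException | IOException | KeyStoreException | CertificateException e) {
            throw new IllegalStateException("Unable to load keystore " + resourceName + ", " + e.getMessage(), e);
        }
    }

    /**
     * Builds a single-element certificate path and validates it with PKIX against the dummy CA truststore.
     * <p>
     * Revocation checking is switched off because the dummy CA publishes neither a CRL nor an OCSP
     * responder; this is a test-fixture setting and not a model for production validation.
     *
     * @param certificate the certificate to validate
     * @throws IllegalStateException if the path cannot be built or does not chain to the dummy CA
     */
    public void validateCertificate(X509Certificate certificate) {
        try {
            List<X509Certificate> certificateList = new ArrayList<X509Certificate>();
            certificateList.add(certificate);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME);
            CertPath certPath = certificateFactory.generateCertPath(certificateList);
            KeyStore trustStore = loadKeystore(DUMMY_CA_KEYSTORE, KEYSTORE_PASSWORD);
            // The truststore supplies the trust anchors for the validator
            PKIXParameters params = new PKIXParameters(trustStore);
            // Disabled as we trust our own truststore and have no CRL and no OCSP for it
            params.setRevocationEnabled(false);
            CertPathValidator pathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) pathValidator.validate(certPath, params);
            // The anchor that terminated the path is the CA the certificate was validated against
            TrustAnchor trustAnchor = result.getTrustAnchor();
            if (trustAnchor == null || trustAnchor.getTrustedCert() == null) {
                throw new IllegalStateException("Path validated without a trust anchor certificate");
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Unable to trust the signer : " + e.getMessage(), e);
        }
    }
}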