diff options
author | Sergio Giro <sgiro@google.com> | 2015-12-11 18:58:58 +0000 |
---|---|---|
committer | Sergio Giro <sgiro@google.com> | 2016-01-25 15:38:49 +0000 |
commit | 16f9ee464b68937f45d009d9c1b0eb9b544a8dee (patch) | |
tree | 61086f6673133c387b13b0e494e42973c6f4c0e8 /bcprov/src/main/java/org/bouncycastle/jce | |
parent | fcfe48e7cf461bf4a6314802c0f31f292d87ab95 (diff) | |
download | bouncycastle-16f9ee464b68937f45d009d9c1b0eb9b544a8dee.tar.gz |
bouncycastle: Android tree with upstream code for version 1.49
Android tree as of 08e455bd61ddaa02255383e85480b0d9cde6e954
Change-Id: I99dab80b49707f0fdefb67ccd1bcfe765363b5e5
Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/jce')
188 files changed, 53226 insertions, 0 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/ECGOST3410NamedCurveTable.java b/bcprov/src/main/java/org/bouncycastle/jce/ECGOST3410NamedCurveTable.java new file mode 100644 index 00000000..7843e0a5 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/ECGOST3410NamedCurveTable.java @@ -0,0 +1,61 @@ +package org.bouncycastle.jce; + +import java.util.Enumeration; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.cryptopro.ECGOST3410NamedCurves; +import org.bouncycastle.crypto.params.ECDomainParameters; +import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec; + +/** + * a table of locally supported named curves. + */ +public class ECGOST3410NamedCurveTable +{ + /** + * return a parameter spec representing the passed in named + * curve. The routine returns null if the curve is not present. + * + * @param name the name of the curve requested + * @return a parameter spec for the curve, null if it is not available. + */ + public static ECNamedCurveParameterSpec getParameterSpec( + String name) + { + ECDomainParameters ecP = ECGOST3410NamedCurves.getByName(name); + if (ecP == null) + { + try + { + ecP = ECGOST3410NamedCurves.getByOID(new ASN1ObjectIdentifier(name)); + } + catch (IllegalArgumentException e) + { + return null; // not an oid. + } + } + + if (ecP == null) + { + return null; + } + + return new ECNamedCurveParameterSpec( + name, + ecP.getCurve(), + ecP.getG(), + ecP.getN(), + ecP.getH(), + ecP.getSeed()); + } + + /** + * return an enumeration of the names of the available curves. + * + * @return an enumeration of the names of the available curves. + */ + public static Enumeration getNames() + { + return ECGOST3410NamedCurves.getNames(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/ECKeyUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/ECKeyUtil.java new file mode 100644 index 00000000..c4c72cf4 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/ECKeyUtil.java @@ -0,0 +1,229 @@ +package org.bouncycastle.jce; + +import java.io.UnsupportedEncodingException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.PublicKey; +import java.security.Security; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x9.X962Parameters; +import org.bouncycastle.asn1.x9.X9ECParameters; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil; +import org.bouncycastle.jce.provider.BouncyCastleProvider; + +/** + * Utility class to allow conversion of EC key parameters to explicit from named + * curves and back (where possible). + */ +public class ECKeyUtil +{ + /** + * Convert a passed in public EC key to have explicit parameters. If the key + * is already using explicit parameters it is returned. + * + * @param key key to be converted + * @param providerName provider name to be used. + * @return the equivalent key with explicit curve parameters + * @throws IllegalArgumentException + * @throws NoSuchAlgorithmException + * @throws NoSuchProviderException + */ + public static PublicKey publicToExplicitParameters(PublicKey key, String providerName) + throws IllegalArgumentException, NoSuchAlgorithmException, NoSuchProviderException + { + Provider provider = Security.getProvider(providerName); + + if (provider == null) + { + throw new NoSuchProviderException("cannot find provider: " + providerName); + } + + return publicToExplicitParameters(key, provider); + } + + /** + * Convert a passed in public EC key to have explicit parameters. If the key + * is already using explicit parameters it is returned. + * + * @param key key to be converted + * @param provider provider to be used. + * @return the equivalent key with explicit curve parameters + * @throws IllegalArgumentException + * @throws NoSuchAlgorithmException + */ + public static PublicKey publicToExplicitParameters(PublicKey key, Provider provider) + throws IllegalArgumentException, NoSuchAlgorithmException + { + try + { + SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(ASN1Primitive.fromByteArray(key.getEncoded())); + + if (info.getAlgorithmId().getObjectId().equals(CryptoProObjectIdentifiers.gostR3410_2001)) + { + throw new IllegalArgumentException("cannot convert GOST key to explicit parameters."); + } + else + { + X962Parameters params = X962Parameters.getInstance(info.getAlgorithmId().getParameters()); + X9ECParameters curveParams; + + if (params.isNamedCurve()) + { + ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(params.getParameters()); + + curveParams = ECUtil.getNamedCurveByOid(oid); + // ignore seed value due to JDK bug + curveParams = new X9ECParameters(curveParams.getCurve(), curveParams.getG(), curveParams.getN(), curveParams.getH()); + } + else if (params.isImplicitlyCA()) + { + curveParams = new X9ECParameters(BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getCurve(), BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getG(), BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getN(), BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getH()); + } + else + { + return key; // already explicit + } + + params = new X962Parameters(curveParams); + + info = new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, params), info.getPublicKeyData().getBytes()); + + KeyFactory keyFact = KeyFactory.getInstance(key.getAlgorithm(), provider); + + return keyFact.generatePublic(new X509EncodedKeySpec(info.getEncoded())); + } + } + catch (IllegalArgumentException e) + { + throw e; + } + catch (NoSuchAlgorithmException e) + { + throw e; + } + catch (Exception e) + { // shouldn't really happen... + throw new UnexpectedException(e); + } + } + + /** + * Convert a passed in private EC key to have explicit parameters. If the key + * is already using explicit parameters it is returned. + * + * @param key key to be converted + * @param providerName provider name to be used. + * @return the equivalent key with explicit curve parameters + * @throws IllegalArgumentException + * @throws NoSuchAlgorithmException + * @throws NoSuchProviderException + */ + public static PrivateKey privateToExplicitParameters(PrivateKey key, String providerName) + throws IllegalArgumentException, NoSuchAlgorithmException, NoSuchProviderException + { + Provider provider = Security.getProvider(providerName); + + if (provider == null) + { + throw new NoSuchProviderException("cannot find provider: " + providerName); + } + + return privateToExplicitParameters(key, provider); + } + + /** + * Convert a passed in private EC key to have explicit parameters. If the key + * is already using explicit parameters it is returned. + * + * @param key key to be converted + * @param provider provider to be used. + * @return the equivalent key with explicit curve parameters + * @throws IllegalArgumentException + * @throws NoSuchAlgorithmException + */ + public static PrivateKey privateToExplicitParameters(PrivateKey key, Provider provider) + throws IllegalArgumentException, NoSuchAlgorithmException + { + try + { + PrivateKeyInfo info = PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(key.getEncoded())); + + if (info.getAlgorithmId().getObjectId().equals(CryptoProObjectIdentifiers.gostR3410_2001)) + { + throw new UnsupportedEncodingException("cannot convert GOST key to explicit parameters."); + } + else + { + X962Parameters params = X962Parameters.getInstance(info.getAlgorithmId().getParameters()); + X9ECParameters curveParams; + + if (params.isNamedCurve()) + { + ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(params.getParameters()); + + curveParams = ECUtil.getNamedCurveByOid(oid); + // ignore seed value due to JDK bug + curveParams = new X9ECParameters(curveParams.getCurve(), curveParams.getG(), curveParams.getN(), curveParams.getH()); + } + else if (params.isImplicitlyCA()) + { + curveParams = new X9ECParameters(BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getCurve(), BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getG(), BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getN(), BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getH()); + } + else + { + return key; // already explicit + } + + params = new X962Parameters(curveParams); + + info = new PrivateKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, params), info.parsePrivateKey()); + + KeyFactory keyFact = KeyFactory.getInstance(key.getAlgorithm(), provider); + + return keyFact.generatePrivate(new PKCS8EncodedKeySpec(info.getEncoded())); + } + } + catch (IllegalArgumentException e) + { + throw e; + } + catch (NoSuchAlgorithmException e) + { + throw e; + } + catch (Exception e) + { // shouldn't really happen + throw new UnexpectedException(e); + } + } + + private static class UnexpectedException + extends RuntimeException + { + private Throwable cause; + + UnexpectedException(Throwable cause) + { + super(cause.toString()); + + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/ECNamedCurveTable.java b/bcprov/src/main/java/org/bouncycastle/jce/ECNamedCurveTable.java new file mode 100644 index 00000000..cab5a456 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/ECNamedCurveTable.java @@ -0,0 +1,119 @@ +package org.bouncycastle.jce; + +import java.util.Enumeration; +import java.util.Vector; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.nist.NISTNamedCurves; +import org.bouncycastle.asn1.sec.SECNamedCurves; +import org.bouncycastle.asn1.teletrust.TeleTrusTNamedCurves; +import org.bouncycastle.asn1.x9.X962NamedCurves; +import org.bouncycastle.asn1.x9.X9ECParameters; +import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec; + +/** + * a table of locally supported named curves. + */ +public class ECNamedCurveTable +{ + /** + * return a parameter spec representing the passed in named + * curve. The routine returns null if the curve is not present. + * + * @param name the name of the curve requested + * @return a parameter spec for the curve, null if it is not available. + */ + public static ECNamedCurveParameterSpec getParameterSpec( + String name) + { + X9ECParameters ecP = X962NamedCurves.getByName(name); + if (ecP == null) + { + try + { + ecP = X962NamedCurves.getByOID(new ASN1ObjectIdentifier(name)); + } + catch (IllegalArgumentException e) + { + // ignore - not an oid + } + } + + if (ecP == null) + { + ecP = SECNamedCurves.getByName(name); + if (ecP == null) + { + try + { + ecP = SECNamedCurves.getByOID(new ASN1ObjectIdentifier(name)); + } + catch (IllegalArgumentException e) + { + // ignore - not an oid + } + } + } + + if (ecP == null) + { + ecP = TeleTrusTNamedCurves.getByName(name); + if (ecP == null) + { + try + { + ecP = TeleTrusTNamedCurves.getByOID(new ASN1ObjectIdentifier(name)); + } + catch (IllegalArgumentException e) + { + // ignore - not an oid + } + } + } + + if (ecP == null) + { + ecP = NISTNamedCurves.getByName(name); + } + + if (ecP == null) + { + return null; + } + + return new ECNamedCurveParameterSpec( + name, + ecP.getCurve(), + ecP.getG(), + ecP.getN(), + ecP.getH(), + ecP.getSeed()); + } + + /** + * return an enumeration of the names of the available curves. + * + * @return an enumeration of the names of the available curves. + */ + public static Enumeration getNames() + { + Vector v = new Vector(); + + addEnumeration(v, X962NamedCurves.getNames()); + addEnumeration(v, SECNamedCurves.getNames()); + addEnumeration(v, NISTNamedCurves.getNames()); + addEnumeration(v, TeleTrusTNamedCurves.getNames()); + + return v.elements(); + } + + private static void addEnumeration( + Vector v, + Enumeration e) + { + while (e.hasMoreElements()) + { + v.addElement(e.nextElement()); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/ECPointUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/ECPointUtil.java new file mode 100644 index 00000000..35185830 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/ECPointUtil.java @@ -0,0 +1,56 @@ +package org.bouncycastle.jce; + +import java.security.spec.ECFieldF2m; +import java.security.spec.ECFieldFp; +import java.security.spec.ECPoint; +import java.security.spec.EllipticCurve; + +import org.bouncycastle.math.ec.ECCurve; + +/** + * Utility class for handling EC point decoding. + */ +public class ECPointUtil +{ + /** + * Decode a point on this curve which has been encoded using point + * compression (X9.62 s 4.2.1 and 4.2.2) or regular encoding. + * + * @param curve + * The elliptic curve. + * @param encoded + * The encoded point. + * @return the decoded point. + */ + public static ECPoint decodePoint( + EllipticCurve curve, + byte[] encoded) + { + ECCurve c = null; + + if (curve.getField() instanceof ECFieldFp) + { + c = new ECCurve.Fp( + ((ECFieldFp)curve.getField()).getP(), curve.getA(), curve.getB()); + } + else + { + int k[] = ((ECFieldF2m)curve.getField()).getMidTermsOfReductionPolynomial(); + + if (k.length == 3) + { + c = new ECCurve.F2m( + ((ECFieldF2m)curve.getField()).getM(), k[2], k[1], k[0], curve.getA(), curve.getB()); + } + else + { + c = new ECCurve.F2m( + ((ECFieldF2m)curve.getField()).getM(), k[0], curve.getA(), curve.getB()); + } + } + + org.bouncycastle.math.ec.ECPoint p = c.decodePoint(encoded); + + return new ECPoint(p.getX().toBigInteger(), p.getY().toBigInteger()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/MultiCertStoreParameters.java b/bcprov/src/main/java/org/bouncycastle/jce/MultiCertStoreParameters.java new file mode 100644 index 00000000..2ffa031a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/MultiCertStoreParameters.java @@ -0,0 +1,51 @@ +package org.bouncycastle.jce; + +import java.security.cert.CertStoreParameters; +import java.util.Collection; + +public class MultiCertStoreParameters + implements CertStoreParameters +{ + private Collection certStores; + private boolean searchAllStores; + + /** + * Create a parameters object which specifies searching of all the passed in stores. + * + * @param certStores CertStores making up the multi CertStore + */ + public MultiCertStoreParameters(Collection certStores) + { + this(certStores, true); + } + + /** + * Create a parameters object which can be to used to make a multi store made up + * of the passed in CertStores. If the searchAllStores parameter is false, any search on + * the multi-store will terminate as soon as a search query produces a result. + * + * @param certStores CertStores making up the multi CertStore + * @param searchAllStores true if all CertStores should be searched on request, false if a result + * should be returned on the first successful CertStore query. + */ + public MultiCertStoreParameters(Collection certStores, boolean searchAllStores) + { + this.certStores = certStores; + this.searchAllStores = searchAllStores; + } + + public Collection getCertStores() + { + return certStores; + } + + public boolean getSearchAllStores() + { + return searchAllStores; + } + + public Object clone() + { + return this; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/PKCS10CertificationRequest.java b/bcprov/src/main/java/org/bouncycastle/jce/PKCS10CertificationRequest.java new file mode 100644 index 00000000..2a611e30 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/PKCS10CertificationRequest.java @@ -0,0 +1,640 @@ +package org.bouncycastle.jce; + +import java.io.IOException; +import java.security.AlgorithmParameters; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Signature; +import java.security.SignatureException; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PSSParameterSpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.HashSet; +import java.util.Hashtable; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1Set; +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; +import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.CertificationRequest; +import org.bouncycastle.asn1.pkcs.CertificationRequestInfo; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.RSASSAPSSparams; +import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x509.X509Name; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Strings; + +/** + * A class for verifying and creating PKCS10 Certification requests. + * <pre> + * CertificationRequest ::= SEQUENCE { + * certificationRequestInfo CertificationRequestInfo, + * signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }}, + * signature BIT STRING + * } + * + * CertificationRequestInfo ::= SEQUENCE { + * version INTEGER { v1(0) } (v1,...), + * subject Name, + * subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, + * attributes [0] Attributes{{ CRIAttributes }} + * } + * + * Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }} + * + * Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { + * type ATTRIBUTE.&id({IOSet}), + * values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type}) + * } + * </pre> + * @deprecated use classes in org.bouncycastle.pkcs. + */ +public class PKCS10CertificationRequest + extends CertificationRequest +{ + private static Hashtable algorithms = new Hashtable(); + private static Hashtable params = new Hashtable(); + private static Hashtable keyAlgorithms = new Hashtable(); + private static Hashtable oids = new Hashtable(); + private static Set noParams = new HashSet(); + + static + { + algorithms.put("MD2WITHRSAENCRYPTION", new DERObjectIdentifier("1.2.840.113549.1.1.2")); + algorithms.put("MD2WITHRSA", new DERObjectIdentifier("1.2.840.113549.1.1.2")); + algorithms.put("MD5WITHRSAENCRYPTION", new DERObjectIdentifier("1.2.840.113549.1.1.4")); + algorithms.put("MD5WITHRSA", new DERObjectIdentifier("1.2.840.113549.1.1.4")); + algorithms.put("RSAWITHMD5", new DERObjectIdentifier("1.2.840.113549.1.1.4")); + algorithms.put("SHA1WITHRSAENCRYPTION", new DERObjectIdentifier("1.2.840.113549.1.1.5")); + algorithms.put("SHA1WITHRSA", new DERObjectIdentifier("1.2.840.113549.1.1.5")); + algorithms.put("SHA224WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha224WithRSAEncryption); + algorithms.put("SHA224WITHRSA", PKCSObjectIdentifiers.sha224WithRSAEncryption); + algorithms.put("SHA256WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha256WithRSAEncryption); + algorithms.put("SHA256WITHRSA", PKCSObjectIdentifiers.sha256WithRSAEncryption); + algorithms.put("SHA384WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha384WithRSAEncryption); + algorithms.put("SHA384WITHRSA", PKCSObjectIdentifiers.sha384WithRSAEncryption); + algorithms.put("SHA512WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha512WithRSAEncryption); + algorithms.put("SHA512WITHRSA", PKCSObjectIdentifiers.sha512WithRSAEncryption); + algorithms.put("SHA1WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS); + algorithms.put("SHA224WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS); + algorithms.put("SHA256WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS); + algorithms.put("SHA384WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS); + algorithms.put("SHA512WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS); + algorithms.put("RSAWITHSHA1", new DERObjectIdentifier("1.2.840.113549.1.1.5")); + algorithms.put("RIPEMD128WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128); + algorithms.put("RIPEMD128WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128); + algorithms.put("RIPEMD160WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160); + algorithms.put("RIPEMD160WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160); + algorithms.put("RIPEMD256WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256); + algorithms.put("RIPEMD256WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256); + algorithms.put("SHA1WITHDSA", new DERObjectIdentifier("1.2.840.10040.4.3")); + algorithms.put("DSAWITHSHA1", new DERObjectIdentifier("1.2.840.10040.4.3")); + algorithms.put("SHA224WITHDSA", NISTObjectIdentifiers.dsa_with_sha224); + algorithms.put("SHA256WITHDSA", NISTObjectIdentifiers.dsa_with_sha256); + algorithms.put("SHA384WITHDSA", NISTObjectIdentifiers.dsa_with_sha384); + algorithms.put("SHA512WITHDSA", NISTObjectIdentifiers.dsa_with_sha512); + algorithms.put("SHA1WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA1); + algorithms.put("SHA224WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA224); + algorithms.put("SHA256WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256); + algorithms.put("SHA384WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384); + algorithms.put("SHA512WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512); + algorithms.put("ECDSAWITHSHA1", X9ObjectIdentifiers.ecdsa_with_SHA1); + algorithms.put("GOST3411WITHGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94); + algorithms.put("GOST3410WITHGOST3411", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94); + algorithms.put("GOST3411WITHECGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001); + algorithms.put("GOST3411WITHECGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001); + algorithms.put("GOST3411WITHGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001); + + // + // reverse mappings + // + oids.put(new DERObjectIdentifier("1.2.840.113549.1.1.5"), "SHA1WITHRSA"); + oids.put(PKCSObjectIdentifiers.sha224WithRSAEncryption, "SHA224WITHRSA"); + oids.put(PKCSObjectIdentifiers.sha256WithRSAEncryption, "SHA256WITHRSA"); + oids.put(PKCSObjectIdentifiers.sha384WithRSAEncryption, "SHA384WITHRSA"); + oids.put(PKCSObjectIdentifiers.sha512WithRSAEncryption, "SHA512WITHRSA"); + oids.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94, "GOST3411WITHGOST3410"); + oids.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001, "GOST3411WITHECGOST3410"); + + oids.put(new DERObjectIdentifier("1.2.840.113549.1.1.4"), "MD5WITHRSA"); + oids.put(new DERObjectIdentifier("1.2.840.113549.1.1.2"), "MD2WITHRSA"); + oids.put(new DERObjectIdentifier("1.2.840.10040.4.3"), "SHA1WITHDSA"); + oids.put(X9ObjectIdentifiers.ecdsa_with_SHA1, "SHA1WITHECDSA"); + oids.put(X9ObjectIdentifiers.ecdsa_with_SHA224, "SHA224WITHECDSA"); + oids.put(X9ObjectIdentifiers.ecdsa_with_SHA256, "SHA256WITHECDSA"); + oids.put(X9ObjectIdentifiers.ecdsa_with_SHA384, "SHA384WITHECDSA"); + oids.put(X9ObjectIdentifiers.ecdsa_with_SHA512, "SHA512WITHECDSA"); + oids.put(OIWObjectIdentifiers.sha1WithRSA, "SHA1WITHRSA"); + oids.put(OIWObjectIdentifiers.dsaWithSHA1, "SHA1WITHDSA"); + oids.put(NISTObjectIdentifiers.dsa_with_sha224, "SHA224WITHDSA"); + oids.put(NISTObjectIdentifiers.dsa_with_sha256, "SHA256WITHDSA"); + + // + // key types + // + keyAlgorithms.put(PKCSObjectIdentifiers.rsaEncryption, "RSA"); + keyAlgorithms.put(X9ObjectIdentifiers.id_dsa, "DSA"); + + // + // According to RFC 3279, the ASN.1 encoding SHALL (id-dsa-with-sha1) or MUST (ecdsa-with-SHA*) omit the parameters field. + // The parameters field SHALL be NULL for RSA based signature algorithms. + // + noParams.add(X9ObjectIdentifiers.ecdsa_with_SHA1); + noParams.add(X9ObjectIdentifiers.ecdsa_with_SHA224); + noParams.add(X9ObjectIdentifiers.ecdsa_with_SHA256); + noParams.add(X9ObjectIdentifiers.ecdsa_with_SHA384); + noParams.add(X9ObjectIdentifiers.ecdsa_with_SHA512); + noParams.add(X9ObjectIdentifiers.id_dsa_with_sha1); + noParams.add(NISTObjectIdentifiers.dsa_with_sha224); + noParams.add(NISTObjectIdentifiers.dsa_with_sha256); + + // + // RFC 4491 + // + noParams.add(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94); + noParams.add(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001); + // + // explicit params + // + AlgorithmIdentifier sha1AlgId = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE); + params.put("SHA1WITHRSAANDMGF1", creatPSSParams(sha1AlgId, 20)); + + AlgorithmIdentifier sha224AlgId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha224, DERNull.INSTANCE); + params.put("SHA224WITHRSAANDMGF1", creatPSSParams(sha224AlgId, 28)); + + AlgorithmIdentifier sha256AlgId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE); + params.put("SHA256WITHRSAANDMGF1", creatPSSParams(sha256AlgId, 32)); + + AlgorithmIdentifier sha384AlgId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha384, DERNull.INSTANCE); + params.put("SHA384WITHRSAANDMGF1", creatPSSParams(sha384AlgId, 48)); + + AlgorithmIdentifier sha512AlgId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha512, DERNull.INSTANCE); + params.put("SHA512WITHRSAANDMGF1", creatPSSParams(sha512AlgId, 64)); + } + + private static RSASSAPSSparams creatPSSParams(AlgorithmIdentifier hashAlgId, int saltSize) + { + return new RSASSAPSSparams( + hashAlgId, + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, hashAlgId), + new ASN1Integer(saltSize), + new ASN1Integer(1)); + } + + private static ASN1Sequence toDERSequence( + byte[] bytes) + { + try + { + ASN1InputStream dIn = new ASN1InputStream(bytes); + + return (ASN1Sequence)dIn.readObject(); + } + catch (Exception e) + { + throw new IllegalArgumentException("badly encoded request"); + } + } + + /** + * construct a PKCS10 certification request from a DER encoded + * byte stream. + */ + public PKCS10CertificationRequest( + byte[] bytes) + { + super(toDERSequence(bytes)); + } + + public PKCS10CertificationRequest( + ASN1Sequence sequence) + { + super(sequence); + } + + /** + * create a PKCS10 certfication request using the BC provider. + */ + public PKCS10CertificationRequest( + String signatureAlgorithm, + X509Name subject, + PublicKey key, + ASN1Set attributes, + PrivateKey signingKey) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, SignatureException + { + this(signatureAlgorithm, subject, key, attributes, signingKey, BouncyCastleProvider.PROVIDER_NAME); + } + + private static X509Name convertName( + X500Principal name) + { + try + { + return new X509Principal(name.getEncoded()); + } + catch (IOException e) + { + throw new IllegalArgumentException("can't convert name"); + } + } + + /** + * create a PKCS10 certfication request using the BC provider. + */ + public PKCS10CertificationRequest( + String signatureAlgorithm, + X500Principal subject, + PublicKey key, + ASN1Set attributes, + PrivateKey signingKey) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, SignatureException + { + this(signatureAlgorithm, convertName(subject), key, attributes, signingKey, BouncyCastleProvider.PROVIDER_NAME); + } + + /** + * create a PKCS10 certfication request using the named provider. + */ + public PKCS10CertificationRequest( + String signatureAlgorithm, + X500Principal subject, + PublicKey key, + ASN1Set attributes, + PrivateKey signingKey, + String provider) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, SignatureException + { + this(signatureAlgorithm, convertName(subject), key, attributes, signingKey, provider); + } + + /** + * create a PKCS10 certfication request using the named provider. + */ + public PKCS10CertificationRequest( + String signatureAlgorithm, + X509Name subject, + PublicKey key, + ASN1Set attributes, + PrivateKey signingKey, + String provider) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, SignatureException + { + String algorithmName = Strings.toUpperCase(signatureAlgorithm); + DERObjectIdentifier sigOID = (DERObjectIdentifier)algorithms.get(algorithmName); + + if (sigOID == null) + { + try + { + sigOID = new DERObjectIdentifier(algorithmName); + } + catch (Exception e) + { + throw new IllegalArgumentException("Unknown signature type requested"); + } + } + + if (subject == null) + { + throw new IllegalArgumentException("subject must not be null"); + } + + if (key == null) + { + throw new IllegalArgumentException("public key must not be null"); + } + + if (noParams.contains(sigOID)) + { + this.sigAlgId = new AlgorithmIdentifier(sigOID); + } + else if (params.containsKey(algorithmName)) + { + this.sigAlgId = new AlgorithmIdentifier(sigOID, (ASN1Encodable)params.get(algorithmName)); + } + else + { + this.sigAlgId = new AlgorithmIdentifier(sigOID, DERNull.INSTANCE); + } + + try + { + ASN1Sequence seq = (ASN1Sequence)ASN1Primitive.fromByteArray(key.getEncoded()); + this.reqInfo = new CertificationRequestInfo(subject, new SubjectPublicKeyInfo(seq), attributes); + } + catch (IOException e) + { + throw new IllegalArgumentException("can't encode public key"); + } + + Signature sig; + if (provider == null) + { + sig = Signature.getInstance(signatureAlgorithm); + } + else + { + sig = Signature.getInstance(signatureAlgorithm, provider); + } + + sig.initSign(signingKey); + + try + { + sig.update(reqInfo.getEncoded(ASN1Encoding.DER)); + } + catch (Exception e) + { + throw new IllegalArgumentException("exception encoding TBS cert request - " + e); + } + + this.sigBits = new DERBitString(sig.sign()); + } + + /** + * return the public key associated with the certification request - + * the public key is created using the BC provider. + */ + public PublicKey getPublicKey() + throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException + { + return getPublicKey(BouncyCastleProvider.PROVIDER_NAME); + } + + public PublicKey getPublicKey( + String provider) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException + { + SubjectPublicKeyInfo subjectPKInfo = reqInfo.getSubjectPublicKeyInfo(); + + + try + { + X509EncodedKeySpec xspec = new X509EncodedKeySpec(new DERBitString(subjectPKInfo).getBytes()); + AlgorithmIdentifier keyAlg = subjectPKInfo.getAlgorithm(); + try + { + if (provider == null) + { + return KeyFactory.getInstance(keyAlg.getAlgorithm().getId()).generatePublic(xspec); + } + else + { + return KeyFactory.getInstance(keyAlg.getAlgorithm().getId(), provider).generatePublic(xspec); + } + } + catch (NoSuchAlgorithmException e) + { + // + // try an alternate + // + if (keyAlgorithms.get(keyAlg.getObjectId()) != null) + { + String keyAlgorithm = (String)keyAlgorithms.get(keyAlg.getObjectId()); + + if (provider == null) + { + return KeyFactory.getInstance(keyAlgorithm).generatePublic(xspec); + } + else + { + return KeyFactory.getInstance(keyAlgorithm, provider).generatePublic(xspec); + } + } + + throw e; + } + } + catch (InvalidKeySpecException e) + { + throw new InvalidKeyException("error decoding public key"); + } + catch (IOException e) + { + throw new InvalidKeyException("error decoding public key"); + } + } + + /** + * verify the request using the BC provider. + */ + public boolean verify() + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, SignatureException + { + return verify(BouncyCastleProvider.PROVIDER_NAME); + } + + /** + * verify the request using the passed in provider. + */ + public boolean verify( + String provider) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, SignatureException + { + return verify(this.getPublicKey(provider), provider); + } + + /** + * verify the request using the passed in public key and the provider.. + */ + public boolean verify( + PublicKey pubKey, + String provider) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, SignatureException + { + Signature sig; + + try + { + if (provider == null) + { + sig = Signature.getInstance(getSignatureName(sigAlgId)); + } + else + { + sig = Signature.getInstance(getSignatureName(sigAlgId), provider); + } + } + catch (NoSuchAlgorithmException e) + { + // + // try an alternate + // + if (oids.get(sigAlgId.getObjectId()) != null) + { + String signatureAlgorithm = (String)oids.get(sigAlgId.getObjectId()); + + if (provider == null) + { + sig = Signature.getInstance(signatureAlgorithm); + } + else + { + sig = Signature.getInstance(signatureAlgorithm, provider); + } + } + else + { + throw e; + } + } + + setSignatureParameters(sig, sigAlgId.getParameters()); + + sig.initVerify(pubKey); + + try + { + sig.update(reqInfo.getEncoded(ASN1Encoding.DER)); + } + catch (Exception e) + { + throw new SignatureException("exception encoding TBS cert request - " + e); + } + + return sig.verify(sigBits.getBytes()); + } + + /** + * return a DER encoded byte array representing this object + */ + public byte[] getEncoded() + { + try + { + return this.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + throw new RuntimeException(e.toString()); + } + } + + private void setSignatureParameters( + Signature signature, + ASN1Encodable params) + throws NoSuchAlgorithmException, SignatureException, InvalidKeyException + { + if (params != null && !DERNull.INSTANCE.equals(params)) + { + AlgorithmParameters sigParams = AlgorithmParameters.getInstance(signature.getAlgorithm(), signature.getProvider()); + + try + { + sigParams.init(params.toASN1Primitive().getEncoded(ASN1Encoding.DER)); + } + catch (IOException e) + { + throw new SignatureException("IOException decoding parameters: " + e.getMessage()); + } + + if (signature.getAlgorithm().endsWith("MGF1")) + { + try + { + signature.setParameter(sigParams.getParameterSpec(PSSParameterSpec.class)); + } + catch (GeneralSecurityException e) + { + throw new SignatureException("Exception extracting parameters: " + e.getMessage()); + } + } + } + } + + static String getSignatureName( + AlgorithmIdentifier sigAlgId) + { + ASN1Encodable params = sigAlgId.getParameters(); + + if (params != null && !DERNull.INSTANCE.equals(params)) + { + if (sigAlgId.getObjectId().equals(PKCSObjectIdentifiers.id_RSASSA_PSS)) + { + RSASSAPSSparams rsaParams = RSASSAPSSparams.getInstance(params); + return getDigestAlgName(rsaParams.getHashAlgorithm().getObjectId()) + "withRSAandMGF1"; + } + } + + return sigAlgId.getObjectId().getId(); + } + + private static String getDigestAlgName( + DERObjectIdentifier digestAlgOID) + { + if (PKCSObjectIdentifiers.md5.equals(digestAlgOID)) + { + return "MD5"; + } + else if (OIWObjectIdentifiers.idSHA1.equals(digestAlgOID)) + { + return "SHA1"; + } + else if (NISTObjectIdentifiers.id_sha224.equals(digestAlgOID)) + { + return "SHA224"; + } + else if (NISTObjectIdentifiers.id_sha256.equals(digestAlgOID)) + { + return "SHA256"; + } + else if (NISTObjectIdentifiers.id_sha384.equals(digestAlgOID)) + { + return "SHA384"; + } + else if (NISTObjectIdentifiers.id_sha512.equals(digestAlgOID)) + { + return "SHA512"; + } + else if (TeleTrusTObjectIdentifiers.ripemd128.equals(digestAlgOID)) + { + return "RIPEMD128"; + } + else if (TeleTrusTObjectIdentifiers.ripemd160.equals(digestAlgOID)) + { + return "RIPEMD160"; + } + else if (TeleTrusTObjectIdentifiers.ripemd256.equals(digestAlgOID)) + { + return "RIPEMD256"; + } + else if (CryptoProObjectIdentifiers.gostR3411.equals(digestAlgOID)) + { + return "GOST3411"; + } + else + { + return digestAlgOID.getId(); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/PKCS12Util.java b/bcprov/src/main/java/org/bouncycastle/jce/PKCS12Util.java new file mode 100644 index 00000000..c780ed6b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/PKCS12Util.java @@ -0,0 +1,126 @@ +package org.bouncycastle.jce; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; + +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.PBEParameterSpec; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.DEROutputStream; +import org.bouncycastle.asn1.pkcs.ContentInfo; +import org.bouncycastle.asn1.pkcs.MacData; +import org.bouncycastle.asn1.pkcs.Pfx; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.DigestInfo; + +/** + * Utility class for reencoding PKCS#12 files to definite length. + */ +public class PKCS12Util +{ + /** + * Just re-encode the outer layer of the PKCS#12 file to definite length encoding. + * + * @param berPKCS12File - original PKCS#12 file + * @return a byte array representing the DER encoding of the PFX structure + * @throws IOException + */ + public static byte[] convertToDefiniteLength(byte[] berPKCS12File) + throws IOException + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + DEROutputStream dOut = new DEROutputStream(bOut); + + Pfx pfx = Pfx.getInstance(berPKCS12File); + + bOut.reset(); + + dOut.writeObject(pfx); + + return bOut.toByteArray(); + } + + /** + * Re-encode the PKCS#12 structure to definite length encoding at the inner layer + * as well, recomputing the MAC accordingly. + * + * @param berPKCS12File - original PKCS12 file. + * @param provider - provider to use for MAC calculation. + * @return a byte array representing the DER encoding of the PFX structure. + * @throws IOException on parsing, encoding errors. + */ + public static byte[] convertToDefiniteLength(byte[] berPKCS12File, char[] passwd, String provider) + throws IOException + { + Pfx pfx = Pfx.getInstance(berPKCS12File); + + ContentInfo info = pfx.getAuthSafe(); + + ASN1OctetString content = ASN1OctetString.getInstance(info.getContent()); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + DEROutputStream dOut = new DEROutputStream(bOut); + + ASN1InputStream contentIn = new ASN1InputStream(content.getOctets()); + ASN1Primitive obj = contentIn.readObject(); + + dOut.writeObject(obj); + + info = new ContentInfo(info.getContentType(), new DEROctetString(bOut.toByteArray())); + + MacData mData = pfx.getMacData(); + try + { + int itCount = mData.getIterationCount().intValue(); + byte[] data = ASN1OctetString.getInstance(info.getContent()).getOctets(); + byte[] res = calculatePbeMac(mData.getMac().getAlgorithmId().getObjectId(), mData.getSalt(), itCount, passwd, data, provider); + + AlgorithmIdentifier algId = new AlgorithmIdentifier(mData.getMac().getAlgorithmId().getObjectId(), DERNull.INSTANCE); + DigestInfo dInfo = new DigestInfo(algId, res); + + mData = new MacData(dInfo, mData.getSalt(), itCount); + } + catch (Exception e) + { + throw new IOException("error constructing MAC: " + e.toString()); + } + + pfx = new Pfx(info, mData); + + bOut.reset(); + + dOut.writeObject(pfx); + + return bOut.toByteArray(); + } + + private static byte[] calculatePbeMac( + DERObjectIdentifier oid, + byte[] salt, + int itCount, + char[] password, + byte[] data, + String provider) + throws Exception + { + SecretKeyFactory keyFact = SecretKeyFactory.getInstance(oid.getId(), provider); + PBEParameterSpec defParams = new PBEParameterSpec(salt, itCount); + PBEKeySpec pbeSpec = new PBEKeySpec(password); + SecretKey key = keyFact.generateSecret(pbeSpec); + + Mac mac = Mac.getInstance(oid.getId(), provider); + mac.init(key, defParams); + mac.update(data); + + return mac.doFinal(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/PrincipalUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/PrincipalUtil.java new file mode 100644 index 00000000..4bf65a03 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/PrincipalUtil.java @@ -0,0 +1,81 @@ +package org.bouncycastle.jce; + +import java.io.IOException; +import java.security.cert.CRLException; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; + +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.x509.TBSCertList; +import org.bouncycastle.asn1.x509.TBSCertificateStructure; +import org.bouncycastle.asn1.x509.X509Name; + +/** + * a utility class that will extract X509Principal objects from X.509 certificates. + * <p> + * Use this in preference to trying to recreate a principal from a String, not all + * DNs are what they should be, so it's best to leave them encoded where they + * can be. + */ +public class PrincipalUtil +{ + /** + * return the issuer of the given cert as an X509PrincipalObject. + */ + public static X509Principal getIssuerX509Principal( + X509Certificate cert) + throws CertificateEncodingException + { + try + { + TBSCertificateStructure tbsCert = TBSCertificateStructure.getInstance( + ASN1Primitive.fromByteArray(cert.getTBSCertificate())); + + return new X509Principal(X509Name.getInstance(tbsCert.getIssuer())); + } + catch (IOException e) + { + throw new CertificateEncodingException(e.toString()); + } + } + + /** + * return the subject of the given cert as an X509PrincipalObject. + */ + public static X509Principal getSubjectX509Principal( + X509Certificate cert) + throws CertificateEncodingException + { + try + { + TBSCertificateStructure tbsCert = TBSCertificateStructure.getInstance( + ASN1Primitive.fromByteArray(cert.getTBSCertificate())); + return new X509Principal(X509Name.getInstance(tbsCert.getSubject())); + } + catch (IOException e) + { + throw new CertificateEncodingException(e.toString()); + } + } + + /** + * return the issuer of the given CRL as an X509PrincipalObject. + */ + public static X509Principal getIssuerX509Principal( + X509CRL crl) + throws CRLException + { + try + { + TBSCertList tbsCertList = TBSCertList.getInstance( + ASN1Primitive.fromByteArray(crl.getTBSCertList())); + + return new X509Principal(X509Name.getInstance(tbsCertList.getIssuer())); + } + catch (IOException e) + { + throw new CRLException(e.toString()); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/X509KeyUsage.java b/bcprov/src/main/java/org/bouncycastle/jce/X509KeyUsage.java new file mode 100644 index 00000000..163566a1 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/X509KeyUsage.java @@ -0,0 +1,57 @@ +package org.bouncycastle.jce; + +import org.bouncycastle.asn1.ASN1Object; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.x509.KeyUsage; + +/** + * A holding class for constructing an X509 Key Usage extension. + * + * <pre> + * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } + * + * KeyUsage ::= BIT STRING { + * digitalSignature (0), + * nonRepudiation (1), + * keyEncipherment (2), + * dataEncipherment (3), + * keyAgreement (4), + * keyCertSign (5), + * cRLSign (6), + * encipherOnly (7), + * decipherOnly (8) } + * </pre> + */ +public class X509KeyUsage + extends ASN1Object +{ + public static final int digitalSignature = 1 << 7; + public static final int nonRepudiation = 1 << 6; + public static final int keyEncipherment = 1 << 5; + public static final int dataEncipherment = 1 << 4; + public static final int keyAgreement = 1 << 3; + public static final int keyCertSign = 1 << 2; + public static final int cRLSign = 1 << 1; + public static final int encipherOnly = 1 << 0; + public static final int decipherOnly = 1 << 15; + + private int usage = 0; + + /** + * Basic constructor. + * + * @param usage - the bitwise OR of the Key Usage flags giving the + * allowed uses for the key. + * e.g. (X509KeyUsage.keyEncipherment | X509KeyUsage.dataEncipherment) + */ + public X509KeyUsage( + int usage) + { + this.usage = usage; + } + + public ASN1Primitive toASN1Primitive() + { + return new KeyUsage(usage).toASN1Primitive(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/X509LDAPCertStoreParameters.java b/bcprov/src/main/java/org/bouncycastle/jce/X509LDAPCertStoreParameters.java new file mode 100644 index 00000000..80532fac --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/X509LDAPCertStoreParameters.java @@ -0,0 +1,1258 @@ +package org.bouncycastle.jce; + +import org.bouncycastle.x509.X509StoreParameters; + +import java.security.cert.CertStoreParameters; +import java.security.cert.LDAPCertStoreParameters; + +/** + * An expanded set of parameters for an LDAPCertStore + */ +public class X509LDAPCertStoreParameters + implements X509StoreParameters, CertStoreParameters +{ + + private String ldapURL; + + private String baseDN; + + // LDAP attributes, where data is stored + + private String userCertificateAttribute; + + private String cACertificateAttribute; + + private String crossCertificateAttribute; + + private String certificateRevocationListAttribute; + + private String deltaRevocationListAttribute; + + private String authorityRevocationListAttribute; + + private String attributeCertificateAttributeAttribute; + + private String aACertificateAttribute; + + private String attributeDescriptorCertificateAttribute; + + private String attributeCertificateRevocationListAttribute; + + private String attributeAuthorityRevocationListAttribute; + + // LDAP attributes with which data can be found + + private String ldapUserCertificateAttributeName; + + private String ldapCACertificateAttributeName; + + private String ldapCrossCertificateAttributeName; + + private String ldapCertificateRevocationListAttributeName; + + private String ldapDeltaRevocationListAttributeName; + + private String ldapAuthorityRevocationListAttributeName; + + private String ldapAttributeCertificateAttributeAttributeName; + + private String ldapAACertificateAttributeName; + + private String ldapAttributeDescriptorCertificateAttributeName; + + private String ldapAttributeCertificateRevocationListAttributeName; + + private String ldapAttributeAuthorityRevocationListAttributeName; + + // certificates and CRLs subject or issuer DN attributes, which must be + // matched against ldap attribute names + + private String userCertificateSubjectAttributeName; + + private String cACertificateSubjectAttributeName; + + private String crossCertificateSubjectAttributeName; + + private String certificateRevocationListIssuerAttributeName; + + private String deltaRevocationListIssuerAttributeName; + + private String authorityRevocationListIssuerAttributeName; + + private String attributeCertificateAttributeSubjectAttributeName; + + private String aACertificateSubjectAttributeName; + + private String attributeDescriptorCertificateSubjectAttributeName; + + private String attributeCertificateRevocationListIssuerAttributeName; + + private String attributeAuthorityRevocationListIssuerAttributeName; + + private String searchForSerialNumberIn; + + public static class Builder + { + private String ldapURL; + + private String baseDN; + + // LDAP attributes, where data is stored + + private String userCertificateAttribute; + + private String cACertificateAttribute; + + private String crossCertificateAttribute; + + private String certificateRevocationListAttribute; + + private String deltaRevocationListAttribute; + + private String authorityRevocationListAttribute; + + private String attributeCertificateAttributeAttribute; + + private String aACertificateAttribute; + + private String attributeDescriptorCertificateAttribute; + + private String attributeCertificateRevocationListAttribute; + + private String attributeAuthorityRevocationListAttribute; + + // LDAP attributes with which data can be found + + private String ldapUserCertificateAttributeName; + + private String ldapCACertificateAttributeName; + + private String ldapCrossCertificateAttributeName; + + private String ldapCertificateRevocationListAttributeName; + + private String ldapDeltaRevocationListAttributeName; + + private String ldapAuthorityRevocationListAttributeName; + + private String ldapAttributeCertificateAttributeAttributeName; + + private String ldapAACertificateAttributeName; + + private String ldapAttributeDescriptorCertificateAttributeName; + + private String ldapAttributeCertificateRevocationListAttributeName; + + private String ldapAttributeAuthorityRevocationListAttributeName; + + // certificates and CRLs subject or issuer DN attributes, which must be + // matched against ldap attribute names + + private String userCertificateSubjectAttributeName; + + private String cACertificateSubjectAttributeName; + + private String crossCertificateSubjectAttributeName; + + private String certificateRevocationListIssuerAttributeName; + + private String deltaRevocationListIssuerAttributeName; + + private String authorityRevocationListIssuerAttributeName; + + private String attributeCertificateAttributeSubjectAttributeName; + + private String aACertificateSubjectAttributeName; + + private String attributeDescriptorCertificateSubjectAttributeName; + + private String attributeCertificateRevocationListIssuerAttributeName; + + private String attributeAuthorityRevocationListIssuerAttributeName; + + private String searchForSerialNumberIn; + + public Builder() + { + this("ldap://localhost:389", ""); + } + + public Builder(String ldapURL, String baseDN) + { + this.ldapURL = ldapURL; + if (baseDN == null) + { + this.baseDN = ""; + } + else + { + this.baseDN = baseDN; + } + + this.userCertificateAttribute = "userCertificate"; + this.cACertificateAttribute = "cACertificate"; + this.crossCertificateAttribute = "crossCertificatePair"; + this.certificateRevocationListAttribute = "certificateRevocationList"; + this.deltaRevocationListAttribute = "deltaRevocationList"; + this.authorityRevocationListAttribute = "authorityRevocationList"; + this.attributeCertificateAttributeAttribute = "attributeCertificateAttribute"; + this.aACertificateAttribute = "aACertificate"; + this.attributeDescriptorCertificateAttribute = "attributeDescriptorCertificate"; + this.attributeCertificateRevocationListAttribute = "attributeCertificateRevocationList"; + this.attributeAuthorityRevocationListAttribute = "attributeAuthorityRevocationList"; + this.ldapUserCertificateAttributeName = "cn"; + this.ldapCACertificateAttributeName = "cn ou o"; + this.ldapCrossCertificateAttributeName = "cn ou o"; + this.ldapCertificateRevocationListAttributeName = "cn ou o"; + this.ldapDeltaRevocationListAttributeName = "cn ou o"; + this.ldapAuthorityRevocationListAttributeName = "cn ou o"; + this.ldapAttributeCertificateAttributeAttributeName = "cn"; + this.ldapAACertificateAttributeName = "cn o ou"; + this.ldapAttributeDescriptorCertificateAttributeName = "cn o ou"; + this.ldapAttributeCertificateRevocationListAttributeName = "cn o ou"; + this.ldapAttributeAuthorityRevocationListAttributeName = "cn o ou"; + this.userCertificateSubjectAttributeName = "cn"; + this.cACertificateSubjectAttributeName = "o ou"; + this.crossCertificateSubjectAttributeName = "o ou"; + this.certificateRevocationListIssuerAttributeName = "o ou"; + this.deltaRevocationListIssuerAttributeName = "o ou"; + this.authorityRevocationListIssuerAttributeName = "o ou"; + this.attributeCertificateAttributeSubjectAttributeName = "cn"; + this.aACertificateSubjectAttributeName = "o ou"; + this.attributeDescriptorCertificateSubjectAttributeName = "o ou"; + this.attributeCertificateRevocationListIssuerAttributeName = "o ou"; + this.attributeAuthorityRevocationListIssuerAttributeName = "o ou"; + this.searchForSerialNumberIn = "uid serialNumber cn"; + } + + /** + * @param userCertificateAttribute Attribute name(s) in the LDAP directory where end certificates + * are stored. Separated by space. Defaults to "userCertificate" + * if <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setUserCertificateAttribute(String userCertificateAttribute) + { + this.userCertificateAttribute = userCertificateAttribute; + + return this; + } + + /** + * @param cACertificateAttribute Attribute name(s) in the LDAP directory where CA certificates + * are stored. Separated by space. Defaults to "cACertificate" if + * <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setCACertificateAttribute(String cACertificateAttribute) + { + this.cACertificateAttribute = cACertificateAttribute; + + return this; + } + + /** + * @param crossCertificateAttribute Attribute name(s), where the cross certificates are stored. + * Separated by space. Defaults to "crossCertificatePair" if + * <code>null</code> + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setCrossCertificateAttribute(String crossCertificateAttribute) + { + this.crossCertificateAttribute = crossCertificateAttribute; + + return this; + } + + /** + * @param certificateRevocationListAttribute + * Attribute name(s) in the LDAP directory where CRLs are stored. + * Separated by space. Defaults to "certificateRevocationList" if + * <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setCertificateRevocationListAttribute(String certificateRevocationListAttribute) + { + this.certificateRevocationListAttribute = certificateRevocationListAttribute; + + return this; + } + + /** + * @param deltaRevocationListAttribute Attribute name(s) in the LDAP directory where delta RLs are + * stored. Separated by space. Defaults to "deltaRevocationList" + * if <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setDeltaRevocationListAttribute(String deltaRevocationListAttribute) + { + this.deltaRevocationListAttribute = deltaRevocationListAttribute; + + return this; + } + + /** + * @param authorityRevocationListAttribute + * Attribute name(s) in the LDAP directory where CRLs for + * authorities are stored. Separated by space. Defaults to + * "authorityRevocationList" if <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAuthorityRevocationListAttribute(String authorityRevocationListAttribute) + { + this.authorityRevocationListAttribute = authorityRevocationListAttribute; + + return this; + } + + /** + * @param attributeCertificateAttributeAttribute + * Attribute name(s) in the LDAP directory where end attribute + * certificates are stored. Separated by space. Defaults to + * "attributeCertificateAttribute" if <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeCertificateAttributeAttribute(String attributeCertificateAttributeAttribute) + { + this.attributeCertificateAttributeAttribute = attributeCertificateAttributeAttribute; + + return this; + } + + /** + * @param aACertificateAttribute Attribute name(s) in the LDAP directory where attribute + * certificates for attribute authorities are stored. Separated + * by space. Defaults to "aACertificate" if <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAACertificateAttribute(String aACertificateAttribute) + { + this.aACertificateAttribute = aACertificateAttribute; + + return this; + } + + /** + * @param attributeDescriptorCertificateAttribute + * Attribute name(s) in the LDAP directory where self signed + * attribute certificates for attribute authorities are stored. + * Separated by space. Defaults to + * "attributeDescriptorCertificate" if <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeDescriptorCertificateAttribute(String attributeDescriptorCertificateAttribute) + { + this.attributeDescriptorCertificateAttribute = attributeDescriptorCertificateAttribute; + + return this; + } + + /** + * @param attributeCertificateRevocationListAttribute + * Attribute name(s) in the LDAP directory where CRLs for + * attribute certificates are stored. Separated by space. + * Defaults to "attributeCertificateRevocationList" if + * <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeCertificateRevocationListAttribute(String attributeCertificateRevocationListAttribute) + { + this.attributeCertificateRevocationListAttribute = attributeCertificateRevocationListAttribute; + + return this; + } + + /** + * @param attributeAuthorityRevocationListAttribute + * Attribute name(s) in the LDAP directory where RLs for + * attribute authority attribute certificates are stored. + * Separated by space. Defaults to + * "attributeAuthorityRevocationList" if <code>null</code>. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeAuthorityRevocationListAttribute(String attributeAuthorityRevocationListAttribute) + { + this.attributeAuthorityRevocationListAttribute = attributeAuthorityRevocationListAttribute; + + return this; + } + + /** + * @param ldapUserCertificateAttributeName + * The attribute name(s) in the LDAP directory where to search + * for the attribute value of the specified + * <code>userCertificateSubjectAttributeName</code>. E.g. if + * "cn" is used to put information about the subject for end + * certificates, then specify "cn". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapUserCertificateAttributeName(String ldapUserCertificateAttributeName) + { + this.ldapUserCertificateAttributeName = ldapUserCertificateAttributeName; + + return this; + } + + /** + * @param ldapCACertificateAttributeName The attribute name(s) in the LDAP directory where to search + * for the attribute value of the specified + * <code>cACertificateSubjectAttributeName</code>. E.g. if + * "ou" is used to put information about the subject for CA + * certificates, then specify "ou". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapCACertificateAttributeName(String ldapCACertificateAttributeName) + { + this.ldapCACertificateAttributeName = ldapCACertificateAttributeName; + + return this; + } + + /** + * @param ldapCrossCertificateAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>crossCertificateSubjectAttributeName</code>. E.g. if + * "o" is used to put information about the subject for cross + * certificates, then specify "o". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapCrossCertificateAttributeName(String ldapCrossCertificateAttributeName) + { + this.ldapCrossCertificateAttributeName = ldapCrossCertificateAttributeName; + + return this; + } + + /** + * @param ldapCertificateRevocationListAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>certificateRevocationListIssuerAttributeName</code>. + * E.g. if "ou" is used to put information about the issuer of + * CRLs, specify "ou". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapCertificateRevocationListAttributeName(String ldapCertificateRevocationListAttributeName) + { + this.ldapCertificateRevocationListAttributeName = ldapCertificateRevocationListAttributeName; + + return this; + } + + /** + * @param ldapDeltaRevocationListAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>deltaRevocationListIssuerAttributeName</code>. E.g. + * if "ou" is used to put information about the issuer of CRLs, + * specify "ou". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapDeltaRevocationListAttributeName(String ldapDeltaRevocationListAttributeName) + { + this.ldapDeltaRevocationListAttributeName = ldapDeltaRevocationListAttributeName; + + return this; + } + + /** + * @param ldapAuthorityRevocationListAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>authorityRevocationListIssuerAttributeName</code>. + * E.g. if "ou" is used to put information about the issuer of + * CRLs, specify "ou". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapAuthorityRevocationListAttributeName(String ldapAuthorityRevocationListAttributeName) + { + this.ldapAuthorityRevocationListAttributeName = ldapAuthorityRevocationListAttributeName; + + return this; + } + + /** + * @param ldapAttributeCertificateAttributeAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>attributeCertificateAttributeSubjectAttributeName</code>. + * E.g. if "cn" is used to put information about the subject of + * end attribute certificates, specify "cn". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapAttributeCertificateAttributeAttributeName(String ldapAttributeCertificateAttributeAttributeName) + { + this.ldapAttributeCertificateAttributeAttributeName = ldapAttributeCertificateAttributeAttributeName; + + return this; + } + + /** + * @param ldapAACertificateAttributeName The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>aACertificateSubjectAttributeName</code>. E.g. if + * "ou" is used to put information about the subject of attribute + * authority attribute certificates, specify "ou". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapAACertificateAttributeName(String ldapAACertificateAttributeName) + { + this.ldapAACertificateAttributeName = ldapAACertificateAttributeName; + + return this; + } + + /** + * @param ldapAttributeDescriptorCertificateAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>attributeDescriptorCertificateSubjectAttributeName</code>. + * E.g. if "o" is used to put information about the subject of + * self signed attribute authority attribute certificates, + * specify "o". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapAttributeDescriptorCertificateAttributeName(String ldapAttributeDescriptorCertificateAttributeName) + { + this.ldapAttributeDescriptorCertificateAttributeName = ldapAttributeDescriptorCertificateAttributeName; + + return this; + } + + /** + * @param ldapAttributeCertificateRevocationListAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>attributeCertificateRevocationListIssuerAttributeName</code>. + * E.g. if "ou" is used to put information about the issuer of + * CRLs, specify "ou". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapAttributeCertificateRevocationListAttributeName(String ldapAttributeCertificateRevocationListAttributeName) + { + this.ldapAttributeCertificateRevocationListAttributeName = ldapAttributeCertificateRevocationListAttributeName; + + return this; + } + + /** + * @param ldapAttributeAuthorityRevocationListAttributeName + * The attribute name(s) in the LDAP directory where to search for + * the attribute value of the specified + * <code>attributeAuthorityRevocationListIssuerAttributeName</code>. + * E.g. if "ou" is used to put information about the issuer of + * CRLs, specify "ou". + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setLdapAttributeAuthorityRevocationListAttributeName(String ldapAttributeAuthorityRevocationListAttributeName) + { + this.ldapAttributeAuthorityRevocationListAttributeName = ldapAttributeAuthorityRevocationListAttributeName; + + return this; + } + + /** + * @param userCertificateSubjectAttributeName + * Attribute(s) in the subject of the certificate which is used + * to be searched in the + * <code>ldapUserCertificateAttributeName</code>. E.g. the + * "cn" attribute of the DN could be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setUserCertificateSubjectAttributeName(String userCertificateSubjectAttributeName) + { + this.userCertificateSubjectAttributeName = userCertificateSubjectAttributeName; + + return this; + } + + /** + * @param cACertificateSubjectAttributeName + * Attribute(s) in the subject of the certificate which is used + * to be searched in the + * <code>ldapCACertificateAttributeName</code>. E.g. the "ou" + * attribute of the DN could be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setCACertificateSubjectAttributeName(String cACertificateSubjectAttributeName) + { + this.cACertificateSubjectAttributeName = cACertificateSubjectAttributeName; + + return this; + } + + /** + * @param crossCertificateSubjectAttributeName + * Attribute(s) in the subject of the cross certificate which is + * used to be searched in the + * <code>ldapCrossCertificateAttributeName</code>. E.g. the + * "o" attribute of the DN may be appropriate. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setCrossCertificateSubjectAttributeName(String crossCertificateSubjectAttributeName) + { + this.crossCertificateSubjectAttributeName = crossCertificateSubjectAttributeName; + + return this; + } + + /** + * @param certificateRevocationListIssuerAttributeName + * Attribute(s) in the issuer of the CRL which is used to be + * searched in the + * <code>ldapCertificateRevocationListAttributeName</code>. + * E.g. the "o" or "ou" attribute may be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setCertificateRevocationListIssuerAttributeName(String certificateRevocationListIssuerAttributeName) + { + this.certificateRevocationListIssuerAttributeName = certificateRevocationListIssuerAttributeName; + + return this; + } + + /** + * @param deltaRevocationListIssuerAttributeName + * Attribute(s) in the issuer of the CRL which is used to be + * searched in the + * <code>ldapDeltaRevocationListAttributeName</code>. E.g. the + * "o" or "ou" attribute may be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setDeltaRevocationListIssuerAttributeName(String deltaRevocationListIssuerAttributeName) + { + this.deltaRevocationListIssuerAttributeName = deltaRevocationListIssuerAttributeName; + + return this; + } + + /** + * @param authorityRevocationListIssuerAttributeName + * Attribute(s) in the issuer of the CRL which is used to be + * searched in the + * <code>ldapAuthorityRevocationListAttributeName</code>. E.g. + * the "o" or "ou" attribute may be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAuthorityRevocationListIssuerAttributeName(String authorityRevocationListIssuerAttributeName) + { + this.authorityRevocationListIssuerAttributeName = authorityRevocationListIssuerAttributeName; + + return this; + } + + /** + * @param attributeCertificateAttributeSubjectAttributeName + * Attribute(s) in the subject of the attribute certificate which + * is used to be searched in the + * <code>ldapAttributeCertificateAttributeAttributeName</code>. + * E.g. the "cn" attribute of the DN could be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeCertificateAttributeSubjectAttributeName(String attributeCertificateAttributeSubjectAttributeName) + { + this.attributeCertificateAttributeSubjectAttributeName = attributeCertificateAttributeSubjectAttributeName; + + return this; + } + + /** + * @param aACertificateSubjectAttributeName + * Attribute(s) in the subject of the attribute certificate which + * is used to be searched in the + * <code>ldapAACertificateAttributeName</code>. E.g. the "ou" + * attribute of the DN could be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAACertificateSubjectAttributeName(String aACertificateSubjectAttributeName) + { + this.aACertificateSubjectAttributeName = aACertificateSubjectAttributeName; + + return this; + } + + /** + * @param attributeDescriptorCertificateSubjectAttributeName + * Attribute(s) in the subject of the attribute certificate which + * is used to be searched in the + * <code>ldapAttributeDescriptorCertificateAttributeName</code>. + * E.g. the "o" attribute of the DN could be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeDescriptorCertificateSubjectAttributeName(String attributeDescriptorCertificateSubjectAttributeName) + { + this.attributeDescriptorCertificateSubjectAttributeName = attributeDescriptorCertificateSubjectAttributeName; + + return this; + } + + /** + * @param attributeCertificateRevocationListIssuerAttributeName + * Attribute(s) in the issuer of the CRL which is used to be + * searched in the + * <code>ldapAttributeCertificateRevocationListAttributeName</code>. + * E.g. the "o" or "ou" attribute may be used + * certificate is searched in this LDAP attribute. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeCertificateRevocationListIssuerAttributeName(String attributeCertificateRevocationListIssuerAttributeName) + { + this.attributeCertificateRevocationListIssuerAttributeName = attributeCertificateRevocationListIssuerAttributeName; + + return this; + } + + /** + * @param attributeAuthorityRevocationListIssuerAttributeName + * Anttribute(s) in the issuer of the CRL which is used to be + * searched in the + * <code>ldapAttributeAuthorityRevocationListAttributeName</code>. + * E.g. the "o" or "ou" attribute may be used. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setAttributeAuthorityRevocationListIssuerAttributeName(String attributeAuthorityRevocationListIssuerAttributeName) + { + this.attributeAuthorityRevocationListIssuerAttributeName = attributeAuthorityRevocationListIssuerAttributeName; + + return this; + } + + /** + * + * @param searchForSerialNumberIn If not <code>null</code> the serial number of the + * certificate is searched in this LDAP attribute. + * @throws IllegalArgumentException if a necessary parameter is <code>null</code>. + * @return the builder + */ + public Builder setSearchForSerialNumberIn(String searchForSerialNumberIn) + { + this.searchForSerialNumberIn = searchForSerialNumberIn; + + return this; + } + + public X509LDAPCertStoreParameters build() + { + if (ldapUserCertificateAttributeName == null // migrate to setters + || ldapCACertificateAttributeName == null + || ldapCrossCertificateAttributeName == null + || ldapCertificateRevocationListAttributeName == null + || ldapDeltaRevocationListAttributeName == null + || ldapAuthorityRevocationListAttributeName == null + || ldapAttributeCertificateAttributeAttributeName == null + || ldapAACertificateAttributeName == null + || ldapAttributeDescriptorCertificateAttributeName == null + || ldapAttributeCertificateRevocationListAttributeName == null + || ldapAttributeAuthorityRevocationListAttributeName == null + || userCertificateSubjectAttributeName == null + || cACertificateSubjectAttributeName == null + || crossCertificateSubjectAttributeName == null + || certificateRevocationListIssuerAttributeName == null + || deltaRevocationListIssuerAttributeName == null + || authorityRevocationListIssuerAttributeName == null + || attributeCertificateAttributeSubjectAttributeName == null + || aACertificateSubjectAttributeName == null + || attributeDescriptorCertificateSubjectAttributeName == null + || attributeCertificateRevocationListIssuerAttributeName == null + || attributeAuthorityRevocationListIssuerAttributeName == null) + { + throw new IllegalArgumentException( + "Necessary parameters not specified."); + } + return new X509LDAPCertStoreParameters(this); + } + } + + + private X509LDAPCertStoreParameters(Builder builder) + { + this.ldapURL = builder.ldapURL; + this.baseDN = builder.baseDN; + + this.userCertificateAttribute = builder.userCertificateAttribute; + this.cACertificateAttribute = builder.cACertificateAttribute; + this.crossCertificateAttribute = builder.crossCertificateAttribute; + this.certificateRevocationListAttribute = builder.certificateRevocationListAttribute; + this.deltaRevocationListAttribute = builder.deltaRevocationListAttribute; + this.authorityRevocationListAttribute = builder.authorityRevocationListAttribute; + this.attributeCertificateAttributeAttribute = builder.attributeCertificateAttributeAttribute; + this.aACertificateAttribute = builder.aACertificateAttribute; + this.attributeDescriptorCertificateAttribute = builder.attributeDescriptorCertificateAttribute; + this.attributeCertificateRevocationListAttribute = builder.attributeCertificateRevocationListAttribute; + this.attributeAuthorityRevocationListAttribute = builder.attributeAuthorityRevocationListAttribute; + this.ldapUserCertificateAttributeName = builder.ldapUserCertificateAttributeName; + this.ldapCACertificateAttributeName = builder.ldapCACertificateAttributeName; + this.ldapCrossCertificateAttributeName = builder.ldapCrossCertificateAttributeName; + this.ldapCertificateRevocationListAttributeName = builder.ldapCertificateRevocationListAttributeName; + this.ldapDeltaRevocationListAttributeName = builder.ldapDeltaRevocationListAttributeName; + this.ldapAuthorityRevocationListAttributeName = builder.ldapAuthorityRevocationListAttributeName; + this.ldapAttributeCertificateAttributeAttributeName = builder.ldapAttributeCertificateAttributeAttributeName; + this.ldapAACertificateAttributeName = builder.ldapAACertificateAttributeName; + this.ldapAttributeDescriptorCertificateAttributeName = builder.ldapAttributeDescriptorCertificateAttributeName; + this.ldapAttributeCertificateRevocationListAttributeName = builder.ldapAttributeCertificateRevocationListAttributeName; + this.ldapAttributeAuthorityRevocationListAttributeName = builder.ldapAttributeAuthorityRevocationListAttributeName; + this.userCertificateSubjectAttributeName = builder.userCertificateSubjectAttributeName; + this.cACertificateSubjectAttributeName = builder.cACertificateSubjectAttributeName; + this.crossCertificateSubjectAttributeName = builder.crossCertificateSubjectAttributeName; + this.certificateRevocationListIssuerAttributeName = builder.certificateRevocationListIssuerAttributeName; + this.deltaRevocationListIssuerAttributeName = builder.deltaRevocationListIssuerAttributeName; + this.authorityRevocationListIssuerAttributeName = builder.authorityRevocationListIssuerAttributeName; + this.attributeCertificateAttributeSubjectAttributeName = builder.attributeCertificateAttributeSubjectAttributeName; + this.aACertificateSubjectAttributeName = builder.aACertificateSubjectAttributeName; + this.attributeDescriptorCertificateSubjectAttributeName = builder.attributeDescriptorCertificateSubjectAttributeName; + this.attributeCertificateRevocationListIssuerAttributeName = builder.attributeCertificateRevocationListIssuerAttributeName; + this.attributeAuthorityRevocationListIssuerAttributeName = builder.attributeAuthorityRevocationListIssuerAttributeName; + this.searchForSerialNumberIn = builder.searchForSerialNumberIn; + } + + /** + * Returns a clone of this object. + */ + public Object clone() + { + return this; + } + + public boolean equal(Object o) + { + if (o == this) + { + return true; + } + + if (!(o instanceof X509LDAPCertStoreParameters)) + { + return false; + } + + X509LDAPCertStoreParameters params = (X509LDAPCertStoreParameters)o; + return checkField(ldapURL, params.ldapURL) + && checkField(baseDN, params.baseDN) + && checkField(userCertificateAttribute, params.userCertificateAttribute) + && checkField(cACertificateAttribute, params.cACertificateAttribute) + && checkField(crossCertificateAttribute, params.crossCertificateAttribute) + && checkField(certificateRevocationListAttribute, params.certificateRevocationListAttribute) + && checkField(deltaRevocationListAttribute, params.deltaRevocationListAttribute) + && checkField(authorityRevocationListAttribute, params.authorityRevocationListAttribute) + && checkField(attributeCertificateAttributeAttribute, params.attributeCertificateAttributeAttribute) + && checkField(aACertificateAttribute, params.aACertificateAttribute) + && checkField(attributeDescriptorCertificateAttribute, params.attributeDescriptorCertificateAttribute) + && checkField(attributeCertificateRevocationListAttribute, params.attributeCertificateRevocationListAttribute) + && checkField(attributeAuthorityRevocationListAttribute, params.attributeAuthorityRevocationListAttribute) + && checkField(ldapUserCertificateAttributeName, params.ldapUserCertificateAttributeName) + && checkField(ldapCACertificateAttributeName, params.ldapCACertificateAttributeName) + && checkField(ldapCrossCertificateAttributeName, params.ldapCrossCertificateAttributeName) + && checkField(ldapCertificateRevocationListAttributeName, params.ldapCertificateRevocationListAttributeName) + && checkField(ldapDeltaRevocationListAttributeName, params.ldapDeltaRevocationListAttributeName) + && checkField(ldapAuthorityRevocationListAttributeName, params.ldapAuthorityRevocationListAttributeName) + && checkField(ldapAttributeCertificateAttributeAttributeName, params.ldapAttributeCertificateAttributeAttributeName) + && checkField(ldapAACertificateAttributeName, params.ldapAACertificateAttributeName) + && checkField(ldapAttributeDescriptorCertificateAttributeName, params.ldapAttributeDescriptorCertificateAttributeName) + && checkField(ldapAttributeCertificateRevocationListAttributeName, params.ldapAttributeCertificateRevocationListAttributeName) + && checkField(ldapAttributeAuthorityRevocationListAttributeName, params.ldapAttributeAuthorityRevocationListAttributeName) + && checkField(userCertificateSubjectAttributeName, params.userCertificateSubjectAttributeName) + && checkField(cACertificateSubjectAttributeName, params.cACertificateSubjectAttributeName) + && checkField(crossCertificateSubjectAttributeName, params.crossCertificateSubjectAttributeName) + && checkField(certificateRevocationListIssuerAttributeName, params.certificateRevocationListIssuerAttributeName) + && checkField(deltaRevocationListIssuerAttributeName, params.deltaRevocationListIssuerAttributeName) + && checkField(authorityRevocationListIssuerAttributeName, params.authorityRevocationListIssuerAttributeName) + && checkField(attributeCertificateAttributeSubjectAttributeName, params.attributeCertificateAttributeSubjectAttributeName) + && checkField(aACertificateSubjectAttributeName, params.aACertificateSubjectAttributeName) + && checkField(attributeDescriptorCertificateSubjectAttributeName, params.attributeDescriptorCertificateSubjectAttributeName) + && checkField(attributeCertificateRevocationListIssuerAttributeName, params.attributeCertificateRevocationListIssuerAttributeName) + && checkField(attributeAuthorityRevocationListIssuerAttributeName, params.attributeAuthorityRevocationListIssuerAttributeName) + && checkField(searchForSerialNumberIn, params.searchForSerialNumberIn); + } + + private boolean checkField(Object o1, Object o2) + { + if (o1 == o2) + { + return true; + } + + if (o1 == null) + { + return false; + } + + return o1.equals(o2); + } + + public int hashCode() + { + int hash = 0; + + hash = addHashCode(hash, userCertificateAttribute); + hash = addHashCode(hash, cACertificateAttribute); + hash = addHashCode(hash, crossCertificateAttribute); + hash = addHashCode(hash, certificateRevocationListAttribute); + hash = addHashCode(hash, deltaRevocationListAttribute); + hash = addHashCode(hash, authorityRevocationListAttribute); + hash = addHashCode(hash, attributeCertificateAttributeAttribute); + hash = addHashCode(hash, aACertificateAttribute); + hash = addHashCode(hash, attributeDescriptorCertificateAttribute); + hash = addHashCode(hash, attributeCertificateRevocationListAttribute); + hash = addHashCode(hash, attributeAuthorityRevocationListAttribute); + hash = addHashCode(hash, ldapUserCertificateAttributeName); + hash = addHashCode(hash, ldapCACertificateAttributeName); + hash = addHashCode(hash, ldapCrossCertificateAttributeName); + hash = addHashCode(hash, ldapCertificateRevocationListAttributeName); + hash = addHashCode(hash, ldapDeltaRevocationListAttributeName); + hash = addHashCode(hash, ldapAuthorityRevocationListAttributeName); + hash = addHashCode(hash, ldapAttributeCertificateAttributeAttributeName); + hash = addHashCode(hash, ldapAACertificateAttributeName); + hash = addHashCode(hash, ldapAttributeDescriptorCertificateAttributeName); + hash = addHashCode(hash, ldapAttributeCertificateRevocationListAttributeName); + hash = addHashCode(hash, ldapAttributeAuthorityRevocationListAttributeName); + hash = addHashCode(hash, userCertificateSubjectAttributeName); + hash = addHashCode(hash, cACertificateSubjectAttributeName); + hash = addHashCode(hash, crossCertificateSubjectAttributeName); + hash = addHashCode(hash, certificateRevocationListIssuerAttributeName); + hash = addHashCode(hash, deltaRevocationListIssuerAttributeName); + hash = addHashCode(hash, authorityRevocationListIssuerAttributeName); + hash = addHashCode(hash, attributeCertificateAttributeSubjectAttributeName); + hash = addHashCode(hash, aACertificateSubjectAttributeName); + hash = addHashCode(hash, attributeDescriptorCertificateSubjectAttributeName); + hash = addHashCode(hash, attributeCertificateRevocationListIssuerAttributeName); + hash = addHashCode(hash, attributeAuthorityRevocationListIssuerAttributeName); + hash = addHashCode(hash, searchForSerialNumberIn); + + return hash; + } + + private int addHashCode(int hashCode, Object o) + { + return (hashCode * 29) + (o == null ? 0 : o.hashCode()); + } + + /** + * @return Returns the aACertificateAttribute. + */ + public String getAACertificateAttribute() + { + return aACertificateAttribute; + } + + /** + * @return Returns the aACertificateSubjectAttributeName. + */ + public String getAACertificateSubjectAttributeName() + { + return aACertificateSubjectAttributeName; + } + + /** + * @return Returns the attributeAuthorityRevocationListAttribute. + */ + public String getAttributeAuthorityRevocationListAttribute() + { + return attributeAuthorityRevocationListAttribute; + } + + /** + * @return Returns the attributeAuthorityRevocationListIssuerAttributeName. + */ + public String getAttributeAuthorityRevocationListIssuerAttributeName() + { + return attributeAuthorityRevocationListIssuerAttributeName; + } + + /** + * @return Returns the attributeCertificateAttributeAttribute. + */ + public String getAttributeCertificateAttributeAttribute() + { + return attributeCertificateAttributeAttribute; + } + + /** + * @return Returns the attributeCertificateAttributeSubjectAttributeName. + */ + public String getAttributeCertificateAttributeSubjectAttributeName() + { + return attributeCertificateAttributeSubjectAttributeName; + } + + /** + * @return Returns the attributeCertificateRevocationListAttribute. + */ + public String getAttributeCertificateRevocationListAttribute() + { + return attributeCertificateRevocationListAttribute; + } + + /** + * @return Returns the + * attributeCertificateRevocationListIssuerAttributeName. + */ + public String getAttributeCertificateRevocationListIssuerAttributeName() + { + return attributeCertificateRevocationListIssuerAttributeName; + } + + /** + * @return Returns the attributeDescriptorCertificateAttribute. + */ + public String getAttributeDescriptorCertificateAttribute() + { + return attributeDescriptorCertificateAttribute; + } + + /** + * @return Returns the attributeDescriptorCertificateSubjectAttributeName. + */ + public String getAttributeDescriptorCertificateSubjectAttributeName() + { + return attributeDescriptorCertificateSubjectAttributeName; + } + + /** + * @return Returns the authorityRevocationListAttribute. + */ + public String getAuthorityRevocationListAttribute() + { + return authorityRevocationListAttribute; + } + + /** + * @return Returns the authorityRevocationListIssuerAttributeName. + */ + public String getAuthorityRevocationListIssuerAttributeName() + { + return authorityRevocationListIssuerAttributeName; + } + + /** + * @return Returns the baseDN. + */ + public String getBaseDN() + { + return baseDN; + } + + /** + * @return Returns the cACertificateAttribute. + */ + public String getCACertificateAttribute() + { + return cACertificateAttribute; + } + + /** + * @return Returns the cACertificateSubjectAttributeName. + */ + public String getCACertificateSubjectAttributeName() + { + return cACertificateSubjectAttributeName; + } + + /** + * @return Returns the certificateRevocationListAttribute. + */ + public String getCertificateRevocationListAttribute() + { + return certificateRevocationListAttribute; + } + + /** + * @return Returns the certificateRevocationListIssuerAttributeName. + */ + public String getCertificateRevocationListIssuerAttributeName() + { + return certificateRevocationListIssuerAttributeName; + } + + /** + * @return Returns the crossCertificateAttribute. + */ + public String getCrossCertificateAttribute() + { + return crossCertificateAttribute; + } + + /** + * @return Returns the crossCertificateSubjectAttributeName. + */ + public String getCrossCertificateSubjectAttributeName() + { + return crossCertificateSubjectAttributeName; + } + + /** + * @return Returns the deltaRevocationListAttribute. + */ + public String getDeltaRevocationListAttribute() + { + return deltaRevocationListAttribute; + } + + /** + * @return Returns the deltaRevocationListIssuerAttributeName. + */ + public String getDeltaRevocationListIssuerAttributeName() + { + return deltaRevocationListIssuerAttributeName; + } + + /** + * @return Returns the ldapAACertificateAttributeName. + */ + public String getLdapAACertificateAttributeName() + { + return ldapAACertificateAttributeName; + } + + /** + * @return Returns the ldapAttributeAuthorityRevocationListAttributeName. + */ + public String getLdapAttributeAuthorityRevocationListAttributeName() + { + return ldapAttributeAuthorityRevocationListAttributeName; + } + + /** + * @return Returns the ldapAttributeCertificateAttributeAttributeName. + */ + public String getLdapAttributeCertificateAttributeAttributeName() + { + return ldapAttributeCertificateAttributeAttributeName; + } + + /** + * @return Returns the ldapAttributeCertificateRevocationListAttributeName. + */ + public String getLdapAttributeCertificateRevocationListAttributeName() + { + return ldapAttributeCertificateRevocationListAttributeName; + } + + /** + * @return Returns the ldapAttributeDescriptorCertificateAttributeName. + */ + public String getLdapAttributeDescriptorCertificateAttributeName() + { + return ldapAttributeDescriptorCertificateAttributeName; + } + + /** + * @return Returns the ldapAuthorityRevocationListAttributeName. + */ + public String getLdapAuthorityRevocationListAttributeName() + { + return ldapAuthorityRevocationListAttributeName; + } + + /** + * @return Returns the ldapCACertificateAttributeName. + */ + public String getLdapCACertificateAttributeName() + { + return ldapCACertificateAttributeName; + } + + /** + * @return Returns the ldapCertificateRevocationListAttributeName. + */ + public String getLdapCertificateRevocationListAttributeName() + { + return ldapCertificateRevocationListAttributeName; + } + + /** + * @return Returns the ldapCrossCertificateAttributeName. + */ + public String getLdapCrossCertificateAttributeName() + { + return ldapCrossCertificateAttributeName; + } + + /** + * @return Returns the ldapDeltaRevocationListAttributeName. + */ + public String getLdapDeltaRevocationListAttributeName() + { + return ldapDeltaRevocationListAttributeName; + } + + /** + * @return Returns the ldapURL. + */ + public String getLdapURL() + { + return ldapURL; + } + + /** + * @return Returns the ldapUserCertificateAttributeName. + */ + public String getLdapUserCertificateAttributeName() + { + return ldapUserCertificateAttributeName; + } + + /** + * @return Returns the searchForSerialNumberIn. + */ + public String getSearchForSerialNumberIn() + { + return searchForSerialNumberIn; + } + + /** + * @return Returns the userCertificateAttribute. + */ + public String getUserCertificateAttribute() + { + return userCertificateAttribute; + } + + /** + * @return Returns the userCertificateSubjectAttributeName. + */ + public String getUserCertificateSubjectAttributeName() + { + return userCertificateSubjectAttributeName; + } + + public static X509LDAPCertStoreParameters getInstance(LDAPCertStoreParameters params) + { + String server = "ldap://" + params.getServerName() + ":" + params.getPort(); + X509LDAPCertStoreParameters _params = new Builder(server, "").build(); + return _params; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/X509Principal.java b/bcprov/src/main/java/org/bouncycastle/jce/X509Principal.java new file mode 100644 index 00000000..efa0f661 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/X509Principal.java @@ -0,0 +1,164 @@ +package org.bouncycastle.jce; + +import java.io.IOException; +import java.security.Principal; +import java.util.Hashtable; +import java.util.Vector; + +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.X509Name; + +/** + * a general extension of X509Name with a couple of extra methods and + * constructors. + * <p> + * Objects of this type can be created from certificates and CRLs using the + * PrincipalUtil class. + * </p> + * @see org.bouncycastle.jce.PrincipalUtil + */ +public class X509Principal + extends X509Name + implements Principal +{ + private static ASN1Sequence readSequence( + ASN1InputStream aIn) + throws IOException + { + try + { + return ASN1Sequence.getInstance(aIn.readObject()); + } + catch (IllegalArgumentException e) + { + throw new IOException("not an ASN.1 Sequence: " + e); + } + } + + /** + * Constructor from an encoded byte array. + */ + public X509Principal( + byte[] bytes) + throws IOException + { + super(readSequence(new ASN1InputStream(bytes))); + } + + /** + * Constructor from an X509Name object. + */ + public X509Principal( + X509Name name) + { + super((ASN1Sequence)name.toASN1Primitive()); + } + + /** + * Constructor from an X509Name object. + */ + public X509Principal( + X500Name name) + { + super((ASN1Sequence)name.toASN1Primitive()); + } + + /** + * constructor from a table of attributes. + * <p> + * it's is assumed the table contains OID/String pairs. + */ + public X509Principal( + Hashtable attributes) + { + super(attributes); + } + + /** + * constructor from a table of attributes and a vector giving the + * specific ordering required for encoding or conversion to a string. + * <p> + * it's is assumed the table contains OID/String pairs. + */ + public X509Principal( + Vector ordering, + Hashtable attributes) + { + super(ordering, attributes); + } + + /** + * constructor from a vector of attribute values and a vector of OIDs. + */ + public X509Principal( + Vector oids, + Vector values) + { + super(oids, values); + } + + /** + * takes an X509 dir name as a string of the format "C=AU,ST=Victoria", or + * some such, converting it into an ordered set of name attributes. + */ + public X509Principal( + String dirName) + { + super(dirName); + } + + /** + * Takes an X509 dir name as a string of the format "C=AU,ST=Victoria", or + * some such, converting it into an ordered set of name attributes. If reverse + * is false the dir name will be encoded in the order of the (name, value) pairs + * presented, otherwise the encoding will start with the last (name, value) pair + * and work back. + */ + public X509Principal( + boolean reverse, + String dirName) + { + super(reverse, dirName); + } + + /** + * Takes an X509 dir name as a string of the format "C=AU, ST=Victoria", or + * some such, converting it into an ordered set of name attributes. lookUp + * should provide a table of lookups, indexed by lowercase only strings and + * yielding a DERObjectIdentifier, other than that OID. and numeric oids + * will be processed automatically. + * <p> + * If reverse is true, create the encoded version of the sequence starting + * from the last element in the string. + */ + public X509Principal( + boolean reverse, + Hashtable lookUp, + String dirName) + { + super(reverse, lookUp, dirName); + } + + public String getName() + { + return this.toString(); + } + + /** + * return a DER encoded byte array representing this object + */ + public byte[] getEncoded() + { + try + { + return this.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + throw new RuntimeException(e.toString()); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/examples/PKCS12Example.java b/bcprov/src/main/java/org/bouncycastle/jce/examples/PKCS12Example.java new file mode 100644 index 00000000..fe613df7 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/examples/PKCS12Example.java @@ -0,0 +1,379 @@ +package org.bouncycastle.jce.examples; + +import java.io.FileOutputStream; +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.util.Date; +import java.util.Hashtable; +import java.util.Vector; + +import org.bouncycastle.asn1.DERBMPString; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.jce.PrincipalUtil; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.x509.X509V1CertificateGenerator; +import org.bouncycastle.x509.X509V3CertificateGenerator; +import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; +import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure; + +/** + * Example of how to set up a certificiate chain and a PKCS 12 store for + * a private individual - obviously you'll need to generate your own keys, + * and you may need to add a NetscapeCertType extension or add a key + * usage extension depending on your application, but you should get the + * idea! As always this is just an example... + */ +public class PKCS12Example +{ + static char[] passwd = { 'h', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd' }; + + static X509V1CertificateGenerator v1CertGen = new X509V1CertificateGenerator(); + static X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); + + /** + * we generate the CA's certificate + */ + public static Certificate createMasterCert( + PublicKey pubKey, + PrivateKey privKey) + throws Exception + { + // + // signers name + // + String issuer = "C=AU, O=The Legion of the Bouncy Castle, OU=Bouncy Primary Certificate"; + + // + // subjects name - the same as we are self signed. + // + String subject = "C=AU, O=The Legion of the Bouncy Castle, OU=Bouncy Primary Certificate"; + + // + // create the certificate - version 1 + // + + v1CertGen.setSerialNumber(BigInteger.valueOf(1)); + v1CertGen.setIssuerDN(new X509Principal(issuer)); + v1CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); + v1CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); + v1CertGen.setSubjectDN(new X509Principal(subject)); + v1CertGen.setPublicKey(pubKey); + v1CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + + X509Certificate cert = v1CertGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)cert; + + // + // this is actually optional - but if you want to have control + // over setting the friendly name this is the way to do it... + // + bagAttr.setBagAttribute( + PKCSObjectIdentifiers.pkcs_9_at_friendlyName, + new DERBMPString("Bouncy Primary Certificate")); + + return cert; + } + + /** + * we generate an intermediate certificate signed by our CA + */ + public static Certificate createIntermediateCert( + PublicKey pubKey, + PrivateKey caPrivKey, + X509Certificate caCert) + throws Exception + { + // + // subject name table. + // + Hashtable attrs = new Hashtable(); + Vector order = new Vector(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.OU, "Bouncy Intermediate Certificate"); + attrs.put(X509Principal.EmailAddress, "feedback-crypto@bouncycastle.org"); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.OU); + order.addElement(X509Principal.EmailAddress); + + // + // create the certificate - version 3 + // + v3CertGen.reset(); + + v3CertGen.setSerialNumber(BigInteger.valueOf(2)); + v3CertGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert)); + v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); + v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); + v3CertGen.setSubjectDN(new X509Principal(order, attrs)); + v3CertGen.setPublicKey(pubKey); + v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + + // + // extensions + // + v3CertGen.addExtension( + X509Extensions.SubjectKeyIdentifier, + false, + new SubjectKeyIdentifierStructure(pubKey)); + + v3CertGen.addExtension( + X509Extensions.AuthorityKeyIdentifier, + false, + new AuthorityKeyIdentifierStructure(caCert)); + + v3CertGen.addExtension( + X509Extensions.BasicConstraints, + true, + new BasicConstraints(0)); + + X509Certificate cert = v3CertGen.generate(caPrivKey); + + cert.checkValidity(new Date()); + + cert.verify(caCert.getPublicKey()); + + PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)cert; + + // + // this is actually optional - but if you want to have control + // over setting the friendly name this is the way to do it... + // + bagAttr.setBagAttribute( + PKCSObjectIdentifiers.pkcs_9_at_friendlyName, + new DERBMPString("Bouncy Intermediate Certificate")); + + return cert; + } + + /** + * we generate a certificate signed by our CA's intermediate certficate + */ + public static Certificate createCert( + PublicKey pubKey, + PrivateKey caPrivKey, + PublicKey caPubKey) + throws Exception + { + // + // signers name table. + // + Hashtable sAttrs = new Hashtable(); + Vector sOrder = new Vector(); + + sAttrs.put(X509Principal.C, "AU"); + sAttrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + sAttrs.put(X509Principal.OU, "Bouncy Intermediate Certificate"); + sAttrs.put(X509Principal.EmailAddress, "feedback-crypto@bouncycastle.org"); + + sOrder.addElement(X509Principal.C); + sOrder.addElement(X509Principal.O); + sOrder.addElement(X509Principal.OU); + sOrder.addElement(X509Principal.EmailAddress); + + // + // subjects name table. + // + Hashtable attrs = new Hashtable(); + Vector order = new Vector(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.L, "Melbourne"); + attrs.put(X509Principal.CN, "Eric H. Echidna"); + attrs.put(X509Principal.EmailAddress, "feedback-crypto@bouncycastle.org"); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.L); + order.addElement(X509Principal.CN); + order.addElement(X509Principal.EmailAddress); + + // + // create the certificate - version 3 + // + v3CertGen.reset(); + + v3CertGen.setSerialNumber(BigInteger.valueOf(3)); + v3CertGen.setIssuerDN(new X509Principal(sOrder, sAttrs)); + v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); + v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); + v3CertGen.setSubjectDN(new X509Principal(order, attrs)); + v3CertGen.setPublicKey(pubKey); + v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + + // + // add the extensions + // + v3CertGen.addExtension( + X509Extensions.SubjectKeyIdentifier, + false, + new SubjectKeyIdentifierStructure(pubKey)); + + v3CertGen.addExtension( + X509Extensions.AuthorityKeyIdentifier, + false, + new AuthorityKeyIdentifierStructure(caPubKey)); + + X509Certificate cert = v3CertGen.generate(caPrivKey); + + cert.checkValidity(new Date()); + + cert.verify(caPubKey); + + PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)cert; + + // + // this is also optional - in the sense that if you leave this + // out the keystore will add it automatically, note though that + // for the browser to recognise the associated private key this + // you should at least use the pkcs_9_localKeyId OID and set it + // to the same as you do for the private key's localKeyId. + // + bagAttr.setBagAttribute( + PKCSObjectIdentifiers.pkcs_9_at_friendlyName, + new DERBMPString("Eric's Key")); + bagAttr.setBagAttribute( + PKCSObjectIdentifiers.pkcs_9_at_localKeyId, + new SubjectKeyIdentifierStructure(pubKey)); + + return cert; + } + + public static void main( + String[] args) + throws Exception + { + Security.addProvider(new BouncyCastleProvider()); + + // + // personal keys + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + // + // intermediate keys. + // + RSAPublicKeySpec intPubKeySpec = new RSAPublicKeySpec( + new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16), + new BigInteger("ffff", 16)); + + + RSAPrivateCrtKeySpec intPrivKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16), + new BigInteger("ffff", 16), + new BigInteger("7deb1b194a85bcfd29cf871411468adbc987650903e3bacc8338c449ca7b32efd39ffc33bc84412fcd7df18d23ce9d7c25ea910b1ae9985373e0273b4dca7f2e0db3b7314056ac67fd277f8f89cf2fd73c34c6ca69f9ba477143d2b0e2445548aa0b4a8473095182631da46844c356f5e5c7522eb54b5a33f11d730ead9c0cff", 16), + new BigInteger("ef4cede573cea47f83699b814de4302edb60eefe426c52e17bd7870ec7c6b7a24fe55282ebb73775f369157726fcfb988def2b40350bdca9e5b418340288f649", 16), + new BigInteger("97c7737d1b9a0088c3c7b528539247fd2a1593e7e01cef18848755be82f4a45aa093276cb0cbf118cb41117540a78f3fc471ba5d69f0042274defc9161265721", 16), + new BigInteger("6c641094e24d172728b8da3c2777e69adfd0839085be7e38c7c4a2dd00b1ae969f2ec9d23e7e37090fcd449a40af0ed463fe1c612d6810d6b4f58b7bfa31eb5f", 16), + new BigInteger("70b7123e8e69dfa76feb1236d0a686144b00e9232ed52b73847e74ef3af71fb45ccb24261f40d27f98101e230cf27b977a5d5f1f15f6cf48d5cb1da2a3a3b87f", 16), + new BigInteger("e38f5750d97e270996a286df2e653fd26c242106436f5bab0f4c7a9e654ce02665d5a281f2c412456f2d1fa26586ef04a9adac9004ca7f913162cb28e13bf40d", 16)); + + // + // ca keys + // + RSAPublicKeySpec caPubKeySpec = new RSAPublicKeySpec( + new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec caPrivKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16), + new BigInteger("11", 16), + new BigInteger("92e08f83cc9920746989ca5034dcb384a094fb9c5a6288fcc4304424ab8f56388f72652d8fafc65a4b9020896f2cde297080f2a540e7b7ce5af0b3446e1258d1dd7f245cf54124b4c6e17da21b90a0ebd22605e6f45c9f136d7a13eaac1c0f7487de8bd6d924972408ebb58af71e76fd7b012a8d0e165f3ae2e5077a8648e619", 16), + new BigInteger("f75e80839b9b9379f1cf1128f321639757dba514642c206bbbd99f9a4846208b3e93fbbe5e0527cc59b1d4b929d9555853004c7c8b30ee6a213c3d1bb7415d03", 16), + new BigInteger("b892d9ebdbfc37e397256dd8a5d3123534d1f03726284743ddc6be3a709edb696fc40c7d902ed804c6eee730eee3d5b20bf6bd8d87a296813c87d3b3cc9d7947", 16), + new BigInteger("1d1a2d3ca8e52068b3094d501c9a842fec37f54db16e9a67070a8b3f53cc03d4257ad252a1a640eadd603724d7bf3737914b544ae332eedf4f34436cac25ceb5", 16), + new BigInteger("6c929e4e81672fef49d9c825163fec97c4b7ba7acb26c0824638ac22605d7201c94625770984f78a56e6e25904fe7db407099cad9b14588841b94f5ab498dded", 16), + new BigInteger("dae7651ee69ad1d081ec5e7188ae126f6004ff39556bde90e0b870962fa7b926d070686d8244fe5a9aa709a95686a104614834b0ada4b10f53197a5cb4c97339", 16)); + + + + // + // set up the keys + // + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + PrivateKey caPrivKey = fact.generatePrivate(caPrivKeySpec); + PublicKey caPubKey = fact.generatePublic(caPubKeySpec); + PrivateKey intPrivKey = fact.generatePrivate(intPrivKeySpec); + PublicKey intPubKey = fact.generatePublic(intPubKeySpec); + PrivateKey privKey = fact.generatePrivate(privKeySpec); + PublicKey pubKey = fact.generatePublic(pubKeySpec); + + Certificate[] chain = new Certificate[3]; + + chain[2] = createMasterCert(caPubKey, caPrivKey); + chain[1] = createIntermediateCert(intPubKey, caPrivKey, (X509Certificate)chain[2]); + chain[0] = createCert(pubKey, intPrivKey, intPubKey); + + // + // add the friendly name for the private key + // + PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)privKey; + + // + // this is also optional - in the sense that if you leave this + // out the keystore will add it automatically, note though that + // for the browser to recognise which certificate the private key + // is associated with you should at least use the pkcs_9_localKeyId + // OID and set it to the same as you do for the private key's + // corresponding certificate. + // + bagAttr.setBagAttribute( + PKCSObjectIdentifiers.pkcs_9_at_friendlyName, + new DERBMPString("Eric's Key")); + bagAttr.setBagAttribute( + PKCSObjectIdentifiers.pkcs_9_at_localKeyId, + new SubjectKeyIdentifierStructure(pubKey)); + + // + // store the key and the certificate chain + // + KeyStore store = KeyStore.getInstance("PKCS12", "BC"); + + store.load(null, null); + + // + // if you haven't set the friendly name and local key id above + // the name below will be the name of the key + // + store.setKeyEntry("Eric's Key", privKey, null, chain); + + FileOutputStream fOut = new FileOutputStream("id.p12"); + + store.store(fOut, passwd); + + fOut.close(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/examples/package.html b/bcprov/src/main/java/org/bouncycastle/jce/examples/package.html new file mode 100644 index 00000000..96b31939 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/examples/package.html @@ -0,0 +1,5 @@ +<html> +<body bgcolor="#ffffff"> +Example classes for use with the JCE. +</body> +</html> diff --git a/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertPathBuilderException.java b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertPathBuilderException.java new file mode 100644 index 00000000..a0b2d900 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertPathBuilderException.java @@ -0,0 +1,29 @@ +package org.bouncycastle.jce.exception; + +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilderException; + +public class ExtCertPathBuilderException + extends CertPathBuilderException + implements ExtException +{ + private Throwable cause; + + public ExtCertPathBuilderException(String message, Throwable cause) + { + super(message); + this.cause = cause; + } + + public ExtCertPathBuilderException(String msg, Throwable cause, + CertPath certPath, int index) + { + super(msg, cause); + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertPathValidatorException.java b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertPathValidatorException.java new file mode 100644 index 00000000..e36848f4 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertPathValidatorException.java @@ -0,0 +1,30 @@ +package org.bouncycastle.jce.exception; + +import java.security.cert.CertPath; +import java.security.cert.CertPathValidatorException; + +public class ExtCertPathValidatorException + extends CertPathValidatorException + implements ExtException +{ + + private Throwable cause; + + public ExtCertPathValidatorException(String message, Throwable cause) + { + super(message); + this.cause = cause; + } + + public ExtCertPathValidatorException(String msg, Throwable cause, + CertPath certPath, int index) + { + super(msg, cause, certPath, index); + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertificateEncodingException.java b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertificateEncodingException.java new file mode 100644 index 00000000..e3c33d80 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtCertificateEncodingException.java @@ -0,0 +1,21 @@ +package org.bouncycastle.jce.exception; + +import java.security.cert.CertificateEncodingException; + +public class ExtCertificateEncodingException + extends CertificateEncodingException + implements ExtException +{ + private Throwable cause; + + public ExtCertificateEncodingException(String message, Throwable cause) + { + super(message); + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtException.java b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtException.java new file mode 100644 index 00000000..52c60ded --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtException.java @@ -0,0 +1,21 @@ +package org.bouncycastle.jce.exception; + +/** + * + * This is an extended exception. Java before version 1.4 did not offer the + * possibility the attach a cause to an exception. The cause of an exception is + * the <code>Throwable</code> object which was thrown and caused the + * exception. This interface must be implemented by all exceptions to accomplish + * this additional functionality. + * + */ +public interface ExtException +{ + + /** + * Returns the cause of the exception. + * + * @return The cause of the exception. + */ + Throwable getCause(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtIOException.java b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtIOException.java new file mode 100644 index 00000000..656e23ae --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/exception/ExtIOException.java @@ -0,0 +1,21 @@ +package org.bouncycastle.jce.exception; + +import java.io.IOException; + +public class ExtIOException + extends IOException + implements ExtException +{ + private Throwable cause; + + public ExtIOException(String message, Throwable cause) + { + super(message); + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/BCKeyStore.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/BCKeyStore.java new file mode 100644 index 00000000..a36abbb2 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/BCKeyStore.java @@ -0,0 +1,14 @@ +package org.bouncycastle.jce.interfaces; + +import java.security.SecureRandom; + +/** + * all BC provider keystores implement this interface. + */ +public interface BCKeyStore +{ + /** + * set the random source for the key store + */ + public void setRandom(SecureRandom random); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECKey.java new file mode 100644 index 00000000..0812c128 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECKey.java @@ -0,0 +1,15 @@ +package org.bouncycastle.jce.interfaces; + +import org.bouncycastle.jce.spec.ECParameterSpec; + +/** + * generic interface for an Elliptic Curve Key. + */ +public interface ECKey +{ + /** + * return a parameter specification representing the EC domain parameters + * for the key. + */ + public ECParameterSpec getParameters(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPointEncoder.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPointEncoder.java new file mode 100644 index 00000000..001dab3e --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPointEncoder.java @@ -0,0 +1,20 @@ +package org.bouncycastle.jce.interfaces; + +/** + * All BC elliptic curve keys implement this interface. You need to + * cast the key to get access to it. + * <p> + * By default BC keys produce encodings without point compression, + * to turn this on call setPointFormat() with "COMPRESSED". + */ +public interface ECPointEncoder +{ + /** + * Set the formatting for encoding of points. If the String "UNCOMPRESSED" is passed + * in point compression will not be used. If the String "COMPRESSED" is passed point + * compression will be used. The default is "UNCOMPRESSED". + * + * @param style the style to use. + */ + public void setPointFormat(String style); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPrivateKey.java new file mode 100644 index 00000000..39d80c3c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPrivateKey.java @@ -0,0 +1,16 @@ +package org.bouncycastle.jce.interfaces; + +import java.math.BigInteger; +import java.security.PrivateKey; + +/** + * interface for Elliptic Curve Private keys. + */ +public interface ECPrivateKey + extends ECKey, PrivateKey +{ + /** + * return the private value D. + */ + public BigInteger getD(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPublicKey.java new file mode 100644 index 00000000..db2ecdce --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ECPublicKey.java @@ -0,0 +1,17 @@ +package org.bouncycastle.jce.interfaces; + +import java.security.PublicKey; + +import org.bouncycastle.math.ec.ECPoint; + +/** + * interface for elliptic curve public keys. + */ +public interface ECPublicKey + extends ECKey, PublicKey +{ + /** + * return the public point Q + */ + public ECPoint getQ(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalKey.java new file mode 100644 index 00000000..e6394836 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalKey.java @@ -0,0 +1,8 @@ +package org.bouncycastle.jce.interfaces; + +import org.bouncycastle.jce.spec.ElGamalParameterSpec; + +public interface ElGamalKey +{ + public ElGamalParameterSpec getParameters(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalPrivateKey.java new file mode 100644 index 00000000..609a2a84 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalPrivateKey.java @@ -0,0 +1,10 @@ +package org.bouncycastle.jce.interfaces; + +import java.math.BigInteger; +import java.security.PrivateKey; + +public interface ElGamalPrivateKey + extends ElGamalKey, PrivateKey +{ + public BigInteger getX(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalPublicKey.java new file mode 100644 index 00000000..c9fe35e6 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/ElGamalPublicKey.java @@ -0,0 +1,10 @@ +package org.bouncycastle.jce.interfaces; + +import java.math.BigInteger; +import java.security.PublicKey; + +public interface ElGamalPublicKey + extends ElGamalKey, PublicKey +{ + public BigInteger getY(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410Key.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410Key.java new file mode 100644 index 00000000..ad16ac3b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410Key.java @@ -0,0 +1,11 @@ +package org.bouncycastle.jce.interfaces; + +/** + * Main interface for a GOST 3410-94 key. + */ +public interface GOST3410Key +{ + + public GOST3410Params getParameters(); + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410Params.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410Params.java new file mode 100644 index 00000000..175913b0 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410Params.java @@ -0,0 +1,15 @@ +package org.bouncycastle.jce.interfaces; + +import org.bouncycastle.jce.spec.GOST3410PublicKeyParameterSetSpec; + +public interface GOST3410Params +{ + + public String getPublicKeyParamSetOID(); + + public String getDigestParamSetOID(); + + public String getEncryptionParamSetOID(); + + public GOST3410PublicKeyParameterSetSpec getPublicKeyParameters(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410PrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410PrivateKey.java new file mode 100644 index 00000000..dcb25fe7 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410PrivateKey.java @@ -0,0 +1,9 @@ +package org.bouncycastle.jce.interfaces; + +import java.math.BigInteger; + +public interface GOST3410PrivateKey extends GOST3410Key, java.security.PrivateKey +{ + + public BigInteger getX(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410PublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410PublicKey.java new file mode 100644 index 00000000..447cec2b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/GOST3410PublicKey.java @@ -0,0 +1,10 @@ +package org.bouncycastle.jce.interfaces; + +import java.security.PublicKey; +import java.math.BigInteger; + +public interface GOST3410PublicKey extends GOST3410Key, PublicKey +{ + + public BigInteger getY(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/IESKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/IESKey.java new file mode 100644 index 00000000..f1d79013 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/IESKey.java @@ -0,0 +1,22 @@ +package org.bouncycastle.jce.interfaces; + +import java.security.Key; +import java.security.PrivateKey; +import java.security.PublicKey; + +/** + * key pair for use with an integrated encryptor + */ +public interface IESKey + extends Key +{ + /** + * return the intended recipient's/sender's public key. + */ + public PublicKey getPublic(); + + /** + * return the local private key. + */ + public PrivateKey getPrivate(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/MQVPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/MQVPrivateKey.java new file mode 100644 index 00000000..a8caffd5 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/MQVPrivateKey.java @@ -0,0 +1,27 @@ +package org.bouncycastle.jce.interfaces; + +import java.security.PrivateKey; +import java.security.PublicKey; + +/** + * Static/ephemeral private key (pair) for use with ECMQV key agreement + * (Optionally provides the ephemeral public key) + */ +public interface MQVPrivateKey + extends PrivateKey +{ + /** + * return the static private key. + */ + PrivateKey getStaticPrivateKey(); + + /** + * return the ephemeral private key. + */ + PrivateKey getEphemeralPrivateKey(); + + /** + * return the ephemeral public key (may be null). + */ + PublicKey getEphemeralPublicKey(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/MQVPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/MQVPublicKey.java new file mode 100644 index 00000000..1be14bd0 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/MQVPublicKey.java @@ -0,0 +1,20 @@ +package org.bouncycastle.jce.interfaces; + +import java.security.PublicKey; + +/** + * Static/ephemeral public key pair for use with ECMQV key agreement + */ +public interface MQVPublicKey + extends PublicKey +{ + /** + * return the static public key. + */ + PublicKey getStaticKey(); + + /** + * return the ephemeral public key. + */ + PublicKey getEphemeralKey(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/PKCS12BagAttributeCarrier.java b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/PKCS12BagAttributeCarrier.java new file mode 100644 index 00000000..b8ebee74 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/PKCS12BagAttributeCarrier.java @@ -0,0 +1,21 @@ +package org.bouncycastle.jce.interfaces; + +import java.util.Enumeration; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; + +/** + * allow us to set attributes on objects that can go into a PKCS12 store. + */ +public interface PKCS12BagAttributeCarrier +{ + void setBagAttribute( + ASN1ObjectIdentifier oid, + ASN1Encodable attribute); + + ASN1Encodable getBagAttribute( + ASN1ObjectIdentifier oid); + + Enumeration getBagAttributeKeys(); +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/interfaces/package.html b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/package.html new file mode 100644 index 00000000..bacde6c8 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/interfaces/package.html @@ -0,0 +1,5 @@ +<html> +<body bgcolor="#ffffff"> +Interfaces for supporting Elliptic Curve Keys, El Gamal, and PKCS12 attributes. +</body> +</html> diff --git a/bcprov/src/main/java/org/bouncycastle/jce/netscape/NetscapeCertRequest.java b/bcprov/src/main/java/org/bouncycastle/jce/netscape/NetscapeCertRequest.java new file mode 100644 index 00000000..39dd35ad --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/netscape/NetscapeCertRequest.java @@ -0,0 +1,303 @@ +package org.bouncycastle.jce.netscape; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Signature; +import java.security.SignatureException; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.X509EncodedKeySpec; + +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Object; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DERIA5String; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; + +/** + * + * + * Handles NetScape certificate request (KEYGEN), these are constructed as: + * <pre><code> + * SignedPublicKeyAndChallenge ::= SEQUENCE { + * publicKeyAndChallenge PublicKeyAndChallenge, + * signatureAlgorithm AlgorithmIdentifier, + * signature BIT STRING + * } + * </pre> + * + * PublicKey's encoded-format has to be X.509. + * + **/ +public class NetscapeCertRequest + extends ASN1Object +{ + AlgorithmIdentifier sigAlg; + AlgorithmIdentifier keyAlg; + byte sigBits []; + String challenge; + DERBitString content; + PublicKey pubkey ; + + private static ASN1Sequence getReq( + byte[] r) + throws IOException + { + ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(r)); + + return ASN1Sequence.getInstance(aIn.readObject()); + } + + public NetscapeCertRequest( + byte[] req) + throws IOException + { + this(getReq(req)); + } + + public NetscapeCertRequest (ASN1Sequence spkac) + { + try + { + + // + // SignedPublicKeyAndChallenge ::= SEQUENCE { + // publicKeyAndChallenge PublicKeyAndChallenge, + // signatureAlgorithm AlgorithmIdentifier, + // signature BIT STRING + // } + // + if (spkac.size() != 3) + { + throw new IllegalArgumentException("invalid SPKAC (size):" + + spkac.size()); + } + + sigAlg = new AlgorithmIdentifier((ASN1Sequence)spkac + .getObjectAt(1)); + sigBits = ((DERBitString)spkac.getObjectAt(2)).getBytes(); + + // + // PublicKeyAndChallenge ::= SEQUENCE { + // spki SubjectPublicKeyInfo, + // challenge IA5STRING + // } + // + ASN1Sequence pkac = (ASN1Sequence)spkac.getObjectAt(0); + + if (pkac.size() != 2) + { + throw new IllegalArgumentException("invalid PKAC (len): " + + pkac.size()); + } + + challenge = ((DERIA5String)pkac.getObjectAt(1)).getString(); + + //this could be dangerous, as ASN.1 decoding/encoding + //could potentially alter the bytes + content = new DERBitString(pkac); + + SubjectPublicKeyInfo pubkeyinfo = new SubjectPublicKeyInfo( + (ASN1Sequence)pkac.getObjectAt(0)); + + X509EncodedKeySpec xspec = new X509EncodedKeySpec(new DERBitString( + pubkeyinfo).getBytes()); + + keyAlg = pubkeyinfo.getAlgorithmId(); + pubkey = KeyFactory.getInstance(keyAlg.getObjectId().getId(), "BC") + .generatePublic(xspec); + + } + catch (Exception e) + { + throw new IllegalArgumentException(e.toString()); + } + } + + public NetscapeCertRequest( + String challenge, + AlgorithmIdentifier signing_alg, + PublicKey pub_key) throws NoSuchAlgorithmException, + InvalidKeySpecException, NoSuchProviderException + { + + this.challenge = challenge; + sigAlg = signing_alg; + pubkey = pub_key; + + ASN1EncodableVector content_der = new ASN1EncodableVector(); + content_der.add(getKeySpec()); + //content_der.add(new SubjectPublicKeyInfo(sigAlg, new RSAPublicKeyStructure(pubkey.getModulus(), pubkey.getPublicExponent()).getDERObject())); + content_der.add(new DERIA5String(challenge)); + + try + { + content = new DERBitString(new DERSequence(content_der)); + } + catch (IOException e) + { + throw new InvalidKeySpecException("exception encoding key: " + e.toString()); + } + } + + public String getChallenge() + { + return challenge; + } + + public void setChallenge(String value) + { + challenge = value; + } + + public AlgorithmIdentifier getSigningAlgorithm() + { + return sigAlg; + } + + public void setSigningAlgorithm(AlgorithmIdentifier value) + { + sigAlg = value; + } + + public AlgorithmIdentifier getKeyAlgorithm() + { + return keyAlg; + } + + public void setKeyAlgorithm(AlgorithmIdentifier value) + { + keyAlg = value; + } + + public PublicKey getPublicKey() + { + return pubkey; + } + + public void setPublicKey(PublicKey value) + { + pubkey = value; + } + + public boolean verify(String challenge) throws NoSuchAlgorithmException, + InvalidKeyException, SignatureException, NoSuchProviderException + { + if (!challenge.equals(this.challenge)) + { + return false; + } + + // + // Verify the signature .. shows the response was generated + // by someone who knew the associated private key + // + Signature sig = Signature.getInstance(sigAlg.getObjectId().getId(), + "BC"); + sig.initVerify(pubkey); + sig.update(content.getBytes()); + + return sig.verify(sigBits); + } + + public void sign(PrivateKey priv_key) throws NoSuchAlgorithmException, + InvalidKeyException, SignatureException, NoSuchProviderException, + InvalidKeySpecException + { + sign(priv_key, null); + } + + public void sign(PrivateKey priv_key, SecureRandom rand) + throws NoSuchAlgorithmException, InvalidKeyException, + SignatureException, NoSuchProviderException, + InvalidKeySpecException + { + Signature sig = Signature.getInstance(sigAlg.getAlgorithm().getId(), + "BC"); + + if (rand != null) + { + sig.initSign(priv_key, rand); + } + else + { + sig.initSign(priv_key); + } + + ASN1EncodableVector pkac = new ASN1EncodableVector(); + + pkac.add(getKeySpec()); + pkac.add(new DERIA5String(challenge)); + + try + { + sig.update(new DERSequence(pkac).getEncoded(ASN1Encoding.DER)); + } + catch (IOException ioe) + { + throw new SignatureException(ioe.getMessage()); + } + + sigBits = sig.sign(); + } + + private ASN1Primitive getKeySpec() throws NoSuchAlgorithmException, + InvalidKeySpecException, NoSuchProviderException + { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + + ASN1Primitive obj = null; + try + { + + baos.write(pubkey.getEncoded()); + baos.close(); + + ASN1InputStream derin = new ASN1InputStream( + new ByteArrayInputStream(baos.toByteArray())); + + obj = derin.readObject(); + } + catch (IOException ioe) + { + throw new InvalidKeySpecException(ioe.getMessage()); + } + return obj; + } + + public ASN1Primitive toASN1Primitive() + { + ASN1EncodableVector spkac = new ASN1EncodableVector(); + ASN1EncodableVector pkac = new ASN1EncodableVector(); + + try + { + pkac.add(getKeySpec()); + } + catch (Exception e) + { + //ignore + } + + pkac.add(new DERIA5String(challenge)); + + spkac.add(new DERSequence(pkac)); + spkac.add(sigAlg); + spkac.add(new DERBitString(sigBits)); + + return new DERSequence(spkac); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/package.html b/bcprov/src/main/java/org/bouncycastle/jce/package.html new file mode 100644 index 00000000..52ef3bf6 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/package.html @@ -0,0 +1,10 @@ +<html> +<body bgcolor="#ffffff"> +Utility classes for use with the JCE. +<p> +The classes in this package support the generation of certificates and PKCS10 signing requests. +<p> +Note: the PKCS7 class is deprecated, for a fuller version of CMS see the cms package distributed +with the BC mail API. +</body> +</html> diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/AnnotatedException.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/AnnotatedException.java new file mode 100644 index 00000000..c9ac46ef --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/AnnotatedException.java @@ -0,0 +1,32 @@ +package org.bouncycastle.jce.provider; + +import org.bouncycastle.jce.exception.ExtException; + +public class AnnotatedException + extends Exception + implements ExtException +{ + private Throwable _underlyingException; + + AnnotatedException(String string, Throwable e) + { + super(string); + + _underlyingException = e; + } + + AnnotatedException(String string) + { + this(string, null); + } + + Throwable getUnderlyingException() + { + return _underlyingException; + } + + public Throwable getCause() + { + return _underlyingException; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java new file mode 100644 index 00000000..0433965c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java @@ -0,0 +1,281 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.security.AccessController; +import java.security.PrivateKey; +import java.security.PrivilegedAction; +import java.security.Provider; +import java.security.PublicKey; +import java.util.HashMap; +import java.util.Map; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.jcajce.provider.config.ConfigurableProvider; +import org.bouncycastle.jcajce.provider.config.ProviderConfiguration; +import org.bouncycastle.jcajce.provider.util.AlgorithmProvider; +import org.bouncycastle.jcajce.provider.util.AsymmetricKeyInfoConverter; + +/** + * To add the provider at runtime use: + * <pre> + * import java.security.Security; + * import org.bouncycastle.jce.provider.BouncyCastleProvider; + * + * Security.addProvider(new BouncyCastleProvider()); + * </pre> + * The provider can also be configured as part of your environment via + * static registration by adding an entry to the java.security properties + * file (found in $JAVA_HOME/jre/lib/security/java.security, where + * $JAVA_HOME is the location of your JDK/JRE distribution). You'll find + * detailed instructions in the file but basically it comes down to adding + * a line: + * <pre> + * <code> + * security.provider.<n>=org.bouncycastle.jce.provider.BouncyCastleProvider + * </code> + * </pre> + * Where <n> is the preference you want the provider at (1 being the + * most preferred). + * <p>Note: JCE algorithm names should be upper-case only so the case insensitive + * test for getInstance works. + */ +public final class BouncyCastleProvider extends Provider + implements ConfigurableProvider +{ + private static String info = "BouncyCastle Security Provider v1.49"; + + public static final String PROVIDER_NAME = "BC"; + + public static final ProviderConfiguration CONFIGURATION = new BouncyCastleProviderConfiguration(); + + private static final Map keyInfoConverters = new HashMap(); + + /* + * Configurable symmetric ciphers + */ + private static final String SYMMETRIC_PACKAGE = "org.bouncycastle.jcajce.provider.symmetric."; + + private static final String[] SYMMETRIC_GENERIC = + { + "PBEPBKDF2", "PBEPKCS12" + }; + + private static final String[] SYMMETRIC_MACS = + { + "SipHash" + }; + + private static final String[] SYMMETRIC_CIPHERS = + { + "AES", "ARC4", "Blowfish", "Camellia", "CAST5", "CAST6", "DES", "DESede", "GOST28147", "Grainv1", "Grain128", "HC128", "HC256", "IDEA", + "Noekeon", "RC2", "RC5", "RC6", "Rijndael", "Salsa20", "SEED", "Serpent", "Skipjack", "TEA", "Twofish", "VMPC", "VMPCKSA3", "XTEA" + }; + + /* + * Configurable asymmetric ciphers + */ + private static final String ASYMMETRIC_PACKAGE = "org.bouncycastle.jcajce.provider.asymmetric."; + + // this one is required for GNU class path - it needs to be loaded first as the + // later ones configure it. + private static final String[] ASYMMETRIC_GENERIC = + { + "X509", "IES" + }; + + private static final String[] ASYMMETRIC_CIPHERS = + { + "DSA", "DH", "EC", "RSA", "GOST", "ECGOST", "ElGamal", "DSTU4145" + }; + + /* + * Configurable digests + */ + private static final String DIGEST_PACKAGE = "org.bouncycastle.jcajce.provider.digest."; + private static final String[] DIGESTS = + { + "GOST3411", "MD2", "MD4", "MD5", "SHA1", "RIPEMD128", "RIPEMD160", "RIPEMD256", "RIPEMD320", "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "Tiger", "Whirlpool" + }; + + /* + * Configurable digests + */ + private static final String KEYSTORE_PACKAGE = "org.bouncycastle.jcajce.provider.keystore."; + private static final String[] KEYSTORES = + { + "BC", "PKCS12" + }; + + /** + * Construct a new provider. This should only be required when + * using runtime registration of the provider using the + * <code>Security.addProvider()</code> mechanism. + */ + public BouncyCastleProvider() + { + super(PROVIDER_NAME, 1.49, info); + + AccessController.doPrivileged(new PrivilegedAction() + { + public Object run() + { + setup(); + return null; + } + }); + } + + private void setup() + { + loadAlgorithms(DIGEST_PACKAGE, DIGESTS); + + loadAlgorithms(SYMMETRIC_PACKAGE, SYMMETRIC_GENERIC); + + loadAlgorithms(SYMMETRIC_PACKAGE, SYMMETRIC_MACS); + + loadAlgorithms(SYMMETRIC_PACKAGE, SYMMETRIC_CIPHERS); + + loadAlgorithms(ASYMMETRIC_PACKAGE, ASYMMETRIC_GENERIC); + + loadAlgorithms(ASYMMETRIC_PACKAGE, ASYMMETRIC_CIPHERS); + + loadAlgorithms(KEYSTORE_PACKAGE, KEYSTORES); + + // + // X509Store + // + put("X509Store.CERTIFICATE/COLLECTION", "org.bouncycastle.jce.provider.X509StoreCertCollection"); + put("X509Store.ATTRIBUTECERTIFICATE/COLLECTION", "org.bouncycastle.jce.provider.X509StoreAttrCertCollection"); + put("X509Store.CRL/COLLECTION", "org.bouncycastle.jce.provider.X509StoreCRLCollection"); + put("X509Store.CERTIFICATEPAIR/COLLECTION", "org.bouncycastle.jce.provider.X509StoreCertPairCollection"); + + put("X509Store.CERTIFICATE/LDAP", "org.bouncycastle.jce.provider.X509StoreLDAPCerts"); + put("X509Store.CRL/LDAP", "org.bouncycastle.jce.provider.X509StoreLDAPCRLs"); + put("X509Store.ATTRIBUTECERTIFICATE/LDAP", "org.bouncycastle.jce.provider.X509StoreLDAPAttrCerts"); + put("X509Store.CERTIFICATEPAIR/LDAP", "org.bouncycastle.jce.provider.X509StoreLDAPCertPairs"); + + // + // X509StreamParser + // + put("X509StreamParser.CERTIFICATE", "org.bouncycastle.jce.provider.X509CertParser"); + put("X509StreamParser.ATTRIBUTECERTIFICATE", "org.bouncycastle.jce.provider.X509AttrCertParser"); + put("X509StreamParser.CRL", "org.bouncycastle.jce.provider.X509CRLParser"); + put("X509StreamParser.CERTIFICATEPAIR", "org.bouncycastle.jce.provider.X509CertPairParser"); + + // + // cipher engines + // + put("Cipher.BROKENPBEWITHMD5ANDDES", "org.bouncycastle.jce.provider.BrokenJCEBlockCipher$BrokePBEWithMD5AndDES"); + + put("Cipher.BROKENPBEWITHSHA1ANDDES", "org.bouncycastle.jce.provider.BrokenJCEBlockCipher$BrokePBEWithSHA1AndDES"); + + + put("Cipher.OLDPBEWITHSHAANDTWOFISH-CBC", "org.bouncycastle.jce.provider.BrokenJCEBlockCipher$OldPBEWithSHAAndTwofish"); + + // Certification Path API + put("CertPathValidator.RFC3281", "org.bouncycastle.jce.provider.PKIXAttrCertPathValidatorSpi"); + put("CertPathBuilder.RFC3281", "org.bouncycastle.jce.provider.PKIXAttrCertPathBuilderSpi"); + put("CertPathValidator.RFC3280", "org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi"); + put("CertPathBuilder.RFC3280", "org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi"); + put("CertPathValidator.PKIX", "org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi"); + put("CertPathBuilder.PKIX", "org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi"); + put("CertStore.Collection", "org.bouncycastle.jce.provider.CertStoreCollectionSpi"); + put("CertStore.LDAP", "org.bouncycastle.jce.provider.X509LDAPCertStoreSpi"); + put("CertStore.Multi", "org.bouncycastle.jce.provider.MultiCertStoreSpi"); + put("Alg.Alias.CertStore.X509LDAP", "LDAP"); + } + + private void loadAlgorithms(String packageName, String[] names) + { + for (int i = 0; i != names.length; i++) + { + Class clazz = null; + try + { + ClassLoader loader = this.getClass().getClassLoader(); + + if (loader != null) + { + clazz = loader.loadClass(packageName + names[i] + "$Mappings"); + } + else + { + clazz = Class.forName(packageName + names[i] + "$Mappings"); + } + } + catch (ClassNotFoundException e) + { + // ignore + } + + if (clazz != null) + { + try + { + ((AlgorithmProvider)clazz.newInstance()).configure(this); + } + catch (Exception e) + { // this should never ever happen!! + throw new InternalError("cannot create instance of " + + packageName + names[i] + "$Mappings : " + e); + } + } + } + } + + public void setParameter(String parameterName, Object parameter) + { + synchronized (CONFIGURATION) + { + ((BouncyCastleProviderConfiguration)CONFIGURATION).setParameter(parameterName, parameter); + } + } + + public boolean hasAlgorithm(String type, String name) + { + return containsKey(type + "." + name) || containsKey("Alg.Alias." + type + "." + name); + } + + public void addAlgorithm(String key, String value) + { + if (containsKey(key)) + { + throw new IllegalStateException("duplicate provider key (" + key + ") found"); + } + + put(key, value); + } + + public void addKeyInfoConverter(ASN1ObjectIdentifier oid, AsymmetricKeyInfoConverter keyInfoConverter) + { + keyInfoConverters.put(oid, keyInfoConverter); + } + + public static PublicKey getPublicKey(SubjectPublicKeyInfo publicKeyInfo) + throws IOException + { + AsymmetricKeyInfoConverter converter = (AsymmetricKeyInfoConverter)keyInfoConverters.get(publicKeyInfo.getAlgorithm().getAlgorithm()); + + if (converter == null) + { + return null; + } + + return converter.generatePublic(publicKeyInfo); + } + + public static PrivateKey getPrivateKey(PrivateKeyInfo privateKeyInfo) + throws IOException + { + AsymmetricKeyInfoConverter converter = (AsymmetricKeyInfoConverter)keyInfoConverters.get(privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm()); + + if (converter == null) + { + return null; + } + + return converter.generatePrivate(privateKeyInfo); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProviderConfiguration.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProviderConfiguration.java new file mode 100644 index 00000000..cda05e83 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProviderConfiguration.java @@ -0,0 +1,167 @@ +package org.bouncycastle.jce.provider; + +import java.security.Permission; + +import javax.crypto.spec.DHParameterSpec; + +import org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util; +import org.bouncycastle.jcajce.provider.config.ConfigurableProvider; +import org.bouncycastle.jcajce.provider.config.ProviderConfiguration; +import org.bouncycastle.jcajce.provider.config.ProviderConfigurationPermission; +import org.bouncycastle.jce.spec.ECParameterSpec; + +class BouncyCastleProviderConfiguration + implements ProviderConfiguration +{ + private static Permission BC_EC_LOCAL_PERMISSION = new ProviderConfigurationPermission( + BouncyCastleProvider.PROVIDER_NAME, ConfigurableProvider.THREAD_LOCAL_EC_IMPLICITLY_CA); + private static Permission BC_EC_PERMISSION = new ProviderConfigurationPermission( + BouncyCastleProvider.PROVIDER_NAME, ConfigurableProvider.EC_IMPLICITLY_CA); + private static Permission BC_DH_LOCAL_PERMISSION = new ProviderConfigurationPermission( + BouncyCastleProvider.PROVIDER_NAME, ConfigurableProvider.THREAD_LOCAL_DH_DEFAULT_PARAMS); + private static Permission BC_DH_PERMISSION = new ProviderConfigurationPermission( + BouncyCastleProvider.PROVIDER_NAME, ConfigurableProvider.DH_DEFAULT_PARAMS); + + private ThreadLocal ecThreadSpec = new ThreadLocal(); + private ThreadLocal dhThreadSpec = new ThreadLocal(); + + private volatile ECParameterSpec ecImplicitCaParams; + private volatile Object dhDefaultParams; + + void setParameter(String parameterName, Object parameter) + { + SecurityManager securityManager = System.getSecurityManager(); + + if (parameterName.equals(ConfigurableProvider.THREAD_LOCAL_EC_IMPLICITLY_CA)) + { + ECParameterSpec curveSpec; + + if (securityManager != null) + { + securityManager.checkPermission(BC_EC_LOCAL_PERMISSION); + } + + if (parameter instanceof ECParameterSpec || parameter == null) + { + curveSpec = (ECParameterSpec)parameter; + } + else // assume java.security.spec + { + curveSpec = EC5Util.convertSpec((java.security.spec.ECParameterSpec)parameter, false); + } + + if (curveSpec == null) + { + ecThreadSpec.remove(); + } + else + { + ecThreadSpec.set(curveSpec); + } + } + else if (parameterName.equals(ConfigurableProvider.EC_IMPLICITLY_CA)) + { + if (securityManager != null) + { + securityManager.checkPermission(BC_EC_PERMISSION); + } + + if (parameter instanceof ECParameterSpec || parameter == null) + { + ecImplicitCaParams = (ECParameterSpec)parameter; + } + else // assume java.security.spec + { + ecImplicitCaParams = EC5Util.convertSpec((java.security.spec.ECParameterSpec)parameter, false); + } + } + else if (parameterName.equals(ConfigurableProvider.THREAD_LOCAL_DH_DEFAULT_PARAMS)) + { + Object dhSpec; + + if (securityManager != null) + { + securityManager.checkPermission(BC_DH_LOCAL_PERMISSION); + } + + if (parameter instanceof DHParameterSpec || parameter instanceof DHParameterSpec[] || parameter == null) + { + dhSpec = parameter; + } + else + { + throw new IllegalArgumentException("not a valid DHParameterSpec"); + } + + if (dhSpec == null) + { + dhThreadSpec.remove(); + } + else + { + dhThreadSpec.set(dhSpec); + } + } + else if (parameterName.equals(ConfigurableProvider.DH_DEFAULT_PARAMS)) + { + if (securityManager != null) + { + securityManager.checkPermission(BC_DH_PERMISSION); + } + + if (parameter instanceof DHParameterSpec || parameter instanceof DHParameterSpec[] || parameter == null) + { + dhDefaultParams = parameter; + } + else + { + throw new IllegalArgumentException("not a valid DHParameterSpec or DHParameterSpec[]"); + } + } + } + + public ECParameterSpec getEcImplicitlyCa() + { + ECParameterSpec spec = (ECParameterSpec)ecThreadSpec.get(); + + if (spec != null) + { + return spec; + } + + return ecImplicitCaParams; + } + + public DHParameterSpec getDHDefaultParameters(int keySize) + { + Object params = dhThreadSpec.get(); + if (params == null) + { + params = dhDefaultParams; + } + + if (params instanceof DHParameterSpec) + { + DHParameterSpec spec = (DHParameterSpec)params; + + if (spec.getP().bitLength() == keySize) + { + return spec; + } + } + else if (params instanceof DHParameterSpec[]) + { + DHParameterSpec[] specs = (DHParameterSpec[])params; + + for (int i = 0; i != specs.length; i++) + { + if (specs[i].getP().bitLength() == keySize) + { + return specs[i]; + } + } + } + + return null; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenJCEBlockCipher.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenJCEBlockCipher.java new file mode 100644 index 00000000..cb88e208 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenJCEBlockCipher.java @@ -0,0 +1,621 @@ +package org.bouncycastle.jce.provider; + +import java.security.AlgorithmParameters; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.Key; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.SecureRandom; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEParameterSpec; +import javax.crypto.spec.RC2ParameterSpec; +import javax.crypto.spec.RC5ParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.crypto.BlockCipher; +import org.bouncycastle.crypto.BufferedBlockCipher; +import org.bouncycastle.crypto.CipherParameters; +import org.bouncycastle.crypto.DataLengthException; +import org.bouncycastle.crypto.InvalidCipherTextException; +import org.bouncycastle.crypto.engines.DESEngine; +import org.bouncycastle.crypto.engines.DESedeEngine; +import org.bouncycastle.crypto.engines.TwofishEngine; +import org.bouncycastle.crypto.modes.CBCBlockCipher; +import org.bouncycastle.crypto.modes.CFBBlockCipher; +import org.bouncycastle.crypto.modes.CTSBlockCipher; +import org.bouncycastle.crypto.modes.OFBBlockCipher; +import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher; +import org.bouncycastle.crypto.params.KeyParameter; +import org.bouncycastle.crypto.params.ParametersWithIV; +import org.bouncycastle.crypto.params.RC2Parameters; +import org.bouncycastle.crypto.params.RC5Parameters; +import org.bouncycastle.jcajce.provider.symmetric.util.BCPBEKey; +import org.bouncycastle.util.Strings; + +public class BrokenJCEBlockCipher + implements BrokenPBE +{ + // + // specs we can handle. + // + private Class[] availableSpecs = + { + IvParameterSpec.class, + PBEParameterSpec.class, + RC2ParameterSpec.class, + RC5ParameterSpec.class + }; + + private BufferedBlockCipher cipher; + private ParametersWithIV ivParam; + + private int pbeType = PKCS12; + private int pbeHash = SHA1; + private int pbeKeySize; + private int pbeIvSize; + + private int ivLength = 0; + + private AlgorithmParameters engineParams = null; + + protected BrokenJCEBlockCipher( + BlockCipher engine) + { + cipher = new PaddedBufferedBlockCipher(engine); + } + + protected BrokenJCEBlockCipher( + BlockCipher engine, + int pbeType, + int pbeHash, + int pbeKeySize, + int pbeIvSize) + { + cipher = new PaddedBufferedBlockCipher(engine); + + this.pbeType = pbeType; + this.pbeHash = pbeHash; + this.pbeKeySize = pbeKeySize; + this.pbeIvSize = pbeIvSize; + } + + protected int engineGetBlockSize() + { + return cipher.getBlockSize(); + } + + protected byte[] engineGetIV() + { + return (ivParam != null) ? ivParam.getIV() : null; + } + + protected int engineGetKeySize( + Key key) + { + return key.getEncoded().length; + } + + protected int engineGetOutputSize( + int inputLen) + { + return cipher.getOutputSize(inputLen); + } + + protected AlgorithmParameters engineGetParameters() + { + if (engineParams == null) + { + if (ivParam != null) + { + String name = cipher.getUnderlyingCipher().getAlgorithmName(); + + if (name.indexOf('/') >= 0) + { + name = name.substring(0, name.indexOf('/')); + } + + try + { + engineParams = AlgorithmParameters.getInstance(name, BouncyCastleProvider.PROVIDER_NAME); + engineParams.init(ivParam.getIV()); + } + catch (Exception e) + { + throw new RuntimeException(e.toString()); + } + } + } + + return engineParams; + } + + protected void engineSetMode( + String mode) + { + String modeName = Strings.toUpperCase(mode); + + if (modeName.equals("ECB")) + { + ivLength = 0; + cipher = new PaddedBufferedBlockCipher(cipher.getUnderlyingCipher()); + } + else if (modeName.equals("CBC")) + { + ivLength = cipher.getUnderlyingCipher().getBlockSize(); + cipher = new PaddedBufferedBlockCipher( + new CBCBlockCipher(cipher.getUnderlyingCipher())); + } + else if (modeName.startsWith("OFB")) + { + ivLength = cipher.getUnderlyingCipher().getBlockSize(); + if (modeName.length() != 3) + { + int wordSize = Integer.parseInt(modeName.substring(3)); + + cipher = new PaddedBufferedBlockCipher( + new OFBBlockCipher(cipher.getUnderlyingCipher(), wordSize)); + } + else + { + cipher = new PaddedBufferedBlockCipher( + new OFBBlockCipher(cipher.getUnderlyingCipher(), 8 * cipher.getBlockSize())); + } + } + else if (modeName.startsWith("CFB")) + { + ivLength = cipher.getUnderlyingCipher().getBlockSize(); + if (modeName.length() != 3) + { + int wordSize = Integer.parseInt(modeName.substring(3)); + + cipher = new PaddedBufferedBlockCipher( + new CFBBlockCipher(cipher.getUnderlyingCipher(), wordSize)); + } + else + { + cipher = new PaddedBufferedBlockCipher( + new CFBBlockCipher(cipher.getUnderlyingCipher(), 8 * cipher.getBlockSize())); + } + } + else + { + throw new IllegalArgumentException("can't support mode " + mode); + } + } + + protected void engineSetPadding( + String padding) + throws NoSuchPaddingException + { + String paddingName = Strings.toUpperCase(padding); + + if (paddingName.equals("NOPADDING")) + { + cipher = new BufferedBlockCipher(cipher.getUnderlyingCipher()); + } + else if (paddingName.equals("PKCS5PADDING") || paddingName.equals("PKCS7PADDING") || paddingName.equals("ISO10126PADDING")) + { + cipher = new PaddedBufferedBlockCipher(cipher.getUnderlyingCipher()); + } + else if (paddingName.equals("WITHCTS")) + { + cipher = new CTSBlockCipher(cipher.getUnderlyingCipher()); + } + else + { + throw new NoSuchPaddingException("Padding " + padding + " unknown."); + } + } + + protected void engineInit( + int opmode, + Key key, + AlgorithmParameterSpec params, + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException + { + CipherParameters param; + + // + // a note on iv's - if ivLength is zero the IV gets ignored (we don't use it). + // + if (key instanceof BCPBEKey) + { + param = BrokenPBE.Util.makePBEParameters((BCPBEKey)key, params, pbeType, pbeHash, + cipher.getUnderlyingCipher().getAlgorithmName(), pbeKeySize, pbeIvSize); + + if (pbeIvSize != 0) + { + ivParam = (ParametersWithIV)param; + } + } + else if (params == null) + { + param = new KeyParameter(key.getEncoded()); + } + else if (params instanceof IvParameterSpec) + { + if (ivLength != 0) + { + param = new ParametersWithIV(new KeyParameter(key.getEncoded()), ((IvParameterSpec)params).getIV()); + ivParam = (ParametersWithIV)param; + } + else + { + param = new KeyParameter(key.getEncoded()); + } + } + else if (params instanceof RC2ParameterSpec) + { + RC2ParameterSpec rc2Param = (RC2ParameterSpec)params; + + param = new RC2Parameters(key.getEncoded(), ((RC2ParameterSpec)params).getEffectiveKeyBits()); + + if (rc2Param.getIV() != null && ivLength != 0) + { + param = new ParametersWithIV(param, rc2Param.getIV()); + ivParam = (ParametersWithIV)param; + } + } + else if (params instanceof RC5ParameterSpec) + { + RC5ParameterSpec rc5Param = (RC5ParameterSpec)params; + + param = new RC5Parameters(key.getEncoded(), ((RC5ParameterSpec)params).getRounds()); + if (rc5Param.getWordSize() != 32) + { + throw new IllegalArgumentException("can only accept RC5 word size 32 (at the moment...)"); + } + if ((rc5Param.getIV() != null) && (ivLength != 0)) + { + param = new ParametersWithIV(param, rc5Param.getIV()); + ivParam = (ParametersWithIV)param; + } + } + else + { + throw new InvalidAlgorithmParameterException("unknown parameter type."); + } + + if ((ivLength != 0) && !(param instanceof ParametersWithIV)) + { + if (random == null) + { + random = new SecureRandom(); + } + + if ((opmode == Cipher.ENCRYPT_MODE) || (opmode == Cipher.WRAP_MODE)) + { + byte[] iv = new byte[ivLength]; + + random.nextBytes(iv); + param = new ParametersWithIV(param, iv); + ivParam = (ParametersWithIV)param; + } + else + { + throw new InvalidAlgorithmParameterException("no IV set when one expected"); + } + } + + switch (opmode) + { + case Cipher.ENCRYPT_MODE: + case Cipher.WRAP_MODE: + cipher.init(true, param); + break; + case Cipher.DECRYPT_MODE: + case Cipher.UNWRAP_MODE: + cipher.init(false, param); + break; + default: + System.out.println("eeek!"); + } + } + + protected void engineInit( + int opmode, + Key key, + AlgorithmParameters params, + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException + { + AlgorithmParameterSpec paramSpec = null; + + if (params != null) + { + for (int i = 0; i != availableSpecs.length; i++) + { + try + { + paramSpec = params.getParameterSpec(availableSpecs[i]); + break; + } + catch (Exception e) + { + continue; + } + } + + if (paramSpec == null) + { + throw new InvalidAlgorithmParameterException("can't handle parameter " + params.toString()); + } + } + + engineParams = params; + engineInit(opmode, key, paramSpec, random); + } + + protected void engineInit( + int opmode, + Key key, + SecureRandom random) + throws InvalidKeyException + { + try + { + engineInit(opmode, key, (AlgorithmParameterSpec)null, random); + } + catch (InvalidAlgorithmParameterException e) + { + throw new IllegalArgumentException(e.getMessage()); + } + } + + protected byte[] engineUpdate( + byte[] input, + int inputOffset, + int inputLen) + { + int length = cipher.getUpdateOutputSize(inputLen); + + if (length > 0) + { + byte[] out = new byte[length]; + + cipher.processBytes(input, inputOffset, inputLen, out, 0); + return out; + } + + cipher.processBytes(input, inputOffset, inputLen, null, 0); + + return null; + } + + protected int engineUpdate( + byte[] input, + int inputOffset, + int inputLen, + byte[] output, + int outputOffset) + { + return cipher.processBytes(input, inputOffset, inputLen, output, outputOffset); + } + + protected byte[] engineDoFinal( + byte[] input, + int inputOffset, + int inputLen) + throws IllegalBlockSizeException, BadPaddingException + { + int len = 0; + byte[] tmp = new byte[engineGetOutputSize(inputLen)]; + + if (inputLen != 0) + { + len = cipher.processBytes(input, inputOffset, inputLen, tmp, 0); + } + + try + { + len += cipher.doFinal(tmp, len); + } + catch (DataLengthException e) + { + throw new IllegalBlockSizeException(e.getMessage()); + } + catch (InvalidCipherTextException e) + { + throw new BadPaddingException(e.getMessage()); + } + + byte[] out = new byte[len]; + + System.arraycopy(tmp, 0, out, 0, len); + + return out; + } + + protected int engineDoFinal( + byte[] input, + int inputOffset, + int inputLen, + byte[] output, + int outputOffset) + throws IllegalBlockSizeException, BadPaddingException + { + int len = 0; + + if (inputLen != 0) + { + len = cipher.processBytes(input, inputOffset, inputLen, output, outputOffset); + } + + try + { + return len + cipher.doFinal(output, outputOffset + len); + } + catch (DataLengthException e) + { + throw new IllegalBlockSizeException(e.getMessage()); + } + catch (InvalidCipherTextException e) + { + throw new BadPaddingException(e.getMessage()); + } + } + + protected byte[] engineWrap( + Key key) + throws IllegalBlockSizeException, java.security.InvalidKeyException + { + byte[] encoded = key.getEncoded(); + if (encoded == null) + { + throw new InvalidKeyException("Cannot wrap key, null encoding."); + } + + try + { + return engineDoFinal(encoded, 0, encoded.length); + } + catch (BadPaddingException e) + { + throw new IllegalBlockSizeException(e.getMessage()); + } + } + + protected Key engineUnwrap( + byte[] wrappedKey, + String wrappedKeyAlgorithm, + int wrappedKeyType) + throws InvalidKeyException + { + byte[] encoded = null; + try + { + encoded = engineDoFinal(wrappedKey, 0, wrappedKey.length); + } + catch (BadPaddingException e) + { + throw new InvalidKeyException(e.getMessage()); + } + catch (IllegalBlockSizeException e2) + { + throw new InvalidKeyException(e2.getMessage()); + } + + if (wrappedKeyType == Cipher.SECRET_KEY) + { + return new SecretKeySpec(encoded, wrappedKeyAlgorithm); + } + else + { + try + { + KeyFactory kf = KeyFactory.getInstance(wrappedKeyAlgorithm, BouncyCastleProvider.PROVIDER_NAME); + + if (wrappedKeyType == Cipher.PUBLIC_KEY) + { + return kf.generatePublic(new X509EncodedKeySpec(encoded)); + } + else if (wrappedKeyType == Cipher.PRIVATE_KEY) + { + return kf.generatePrivate(new PKCS8EncodedKeySpec(encoded)); + } + } + catch (NoSuchProviderException e) + { + throw new InvalidKeyException("Unknown key type " + e.getMessage()); + } + catch (NoSuchAlgorithmException e) + { + throw new InvalidKeyException("Unknown key type " + e.getMessage()); + } + catch (InvalidKeySpecException e2) + { + throw new InvalidKeyException("Unknown key type " + e2.getMessage()); + } + + throw new InvalidKeyException("Unknown key type " + wrappedKeyType); + } + } + + /* + * The ciphers that inherit from us. + */ + + /** + * PBEWithMD5AndDES + */ + static public class BrokePBEWithMD5AndDES + extends BrokenJCEBlockCipher + { + public BrokePBEWithMD5AndDES() + { + super(new CBCBlockCipher(new DESEngine()), PKCS5S1, MD5, 64, 64); + } + } + + /** + * PBEWithSHA1AndDES + */ + static public class BrokePBEWithSHA1AndDES + extends BrokenJCEBlockCipher + { + public BrokePBEWithSHA1AndDES() + { + super(new CBCBlockCipher(new DESEngine()), PKCS5S1, SHA1, 64, 64); + } + } + + /** + * PBEWithSHAAnd3-KeyTripleDES-CBC + */ + static public class BrokePBEWithSHAAndDES3Key + extends BrokenJCEBlockCipher + { + public BrokePBEWithSHAAndDES3Key() + { + super(new CBCBlockCipher(new DESedeEngine()), PKCS12, SHA1, 192, 64); + } + } + + /** + * OldPBEWithSHAAnd3-KeyTripleDES-CBC + */ + static public class OldPBEWithSHAAndDES3Key + extends BrokenJCEBlockCipher + { + public OldPBEWithSHAAndDES3Key() + { + super(new CBCBlockCipher(new DESedeEngine()), OLD_PKCS12, SHA1, 192, 64); + } + } + + /** + * PBEWithSHAAnd2-KeyTripleDES-CBC + */ + static public class BrokePBEWithSHAAndDES2Key + extends BrokenJCEBlockCipher + { + public BrokePBEWithSHAAndDES2Key() + { + super(new CBCBlockCipher(new DESedeEngine()), PKCS12, SHA1, 128, 64); + } + } + + /** + * OldPBEWithSHAAndTwofish-CBC + */ + static public class OldPBEWithSHAAndTwofish + extends BrokenJCEBlockCipher + { + public OldPBEWithSHAAndTwofish() + { + super(new CBCBlockCipher(new TwofishEngine()), OLD_PKCS12, SHA1, 256, 128); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenKDF2BytesGenerator.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenKDF2BytesGenerator.java new file mode 100644 index 00000000..e6186f67 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenKDF2BytesGenerator.java @@ -0,0 +1,127 @@ +package org.bouncycastle.jce.provider; + +import org.bouncycastle.crypto.DataLengthException; +import org.bouncycastle.crypto.DerivationFunction; +import org.bouncycastle.crypto.DerivationParameters; +import org.bouncycastle.crypto.Digest; +import org.bouncycastle.crypto.params.KDFParameters; + +/** + * Generator for PBE derived keys and ivs as defined by IEEE P1363a + * <br> + * This implementation is based on draft 9 of IEEE P1363a. <b>Note:</b> + * as this is still a draft the output of this generator may change, don't + * use it for anything that might be subject to long term storage. + */ +public class BrokenKDF2BytesGenerator + implements DerivationFunction +{ + private Digest digest; + private byte[] shared; + private byte[] iv; + + /** + * Construct a KDF2 Parameters generator. Generates key material + * according to IEEE P1363a - if you want orthodox results you should + * use a digest specified in the standard. + * <p> + * <b>Note:</b> IEEE P1363a standard is still a draft standard, if the standard + * changes this function, the output of this function will change as well. + * Don't use this routine for anything subject to long term storage. + * + * @param digest the digest to be used as the source of derived keys. + */ + public BrokenKDF2BytesGenerator( + Digest digest) + { + this.digest = digest; + } + + public void init( + DerivationParameters param) + { + if (!(param instanceof KDFParameters)) + { + throw new IllegalArgumentException("KDF parameters required for KDF2Generator"); + } + + KDFParameters p = (KDFParameters)param; + + shared = p.getSharedSecret(); + iv = p.getIV(); + } + + /** + * return the underlying digest. + */ + public Digest getDigest() + { + return digest; + } + + /** + * fill len bytes of the output buffer with bytes generated from + * the derivation function. + * + * @throws IllegalArgumentException if the size of the request will cause an overflow. + * @throws DataLengthException if the out buffer is too small. + */ + public int generateBytes( + byte[] out, + int outOff, + int len) + throws DataLengthException, IllegalArgumentException + { + if ((out.length - len) < outOff) + { + throw new DataLengthException("output buffer too small"); + } + + long oBits = len * 8; + + // + // this is at odds with the standard implementation, the + // maximum value should be hBits * (2^23 - 1) where hBits + // is the digest output size in bits. We can't have an + // array with a long index at the moment... + // + if (oBits > (digest.getDigestSize() * 8 * (2L^32 - 1))) + { + new IllegalArgumentException("Output length to large"); + } + + int cThreshold = (int)(oBits / digest.getDigestSize()); + + byte[] dig = null; + + dig = new byte[digest.getDigestSize()]; + + for (int counter = 1; counter <= cThreshold; counter++) + { + digest.update(shared, 0, shared.length); + + digest.update((byte)(counter & 0xff)); + digest.update((byte)((counter >> 8) & 0xff)); + digest.update((byte)((counter >> 16) & 0xff)); + digest.update((byte)((counter >> 24) & 0xff)); + + digest.update(iv, 0, iv.length); + + digest.doFinal(dig, 0); + + if ((len - outOff) > dig.length) + { + System.arraycopy(dig, 0, out, outOff, dig.length); + outOff += dig.length; + } + else + { + System.arraycopy(dig, 0, out, outOff, len - outOff); + } + } + + digest.reset(); + + return len; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenPBE.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenPBE.java new file mode 100644 index 00000000..a1736253 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/BrokenPBE.java @@ -0,0 +1,441 @@ +package org.bouncycastle.jce.provider; + +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.spec.PBEParameterSpec; + +import org.bouncycastle.crypto.CipherParameters; +import org.bouncycastle.crypto.Digest; +import org.bouncycastle.crypto.PBEParametersGenerator; +import org.bouncycastle.crypto.digests.MD5Digest; +import org.bouncycastle.crypto.digests.RIPEMD160Digest; +import org.bouncycastle.crypto.digests.SHA1Digest; +import org.bouncycastle.crypto.generators.PKCS12ParametersGenerator; +import org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator; +import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator; +import org.bouncycastle.crypto.params.KeyParameter; +import org.bouncycastle.crypto.params.ParametersWithIV; +import org.bouncycastle.jcajce.provider.symmetric.util.BCPBEKey; + +/** + * Generator for PBE derived keys and ivs as defined by PKCS 12 V1.0, + * with a bug affecting 180 bit plus keys - this class is only here to + * allow smooth migration of the version 0 keystore to version 1. Don't + * use it (it won't be staying around). + * <p> + * The document this implementation is based on can be found at + * <a href=http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html> + * RSA's PKCS12 Page</a> + */ +class OldPKCS12ParametersGenerator + extends PBEParametersGenerator +{ + public static final int KEY_MATERIAL = 1; + public static final int IV_MATERIAL = 2; + public static final int MAC_MATERIAL = 3; + + private Digest digest; + + private int u; + private int v; + + /** + * Construct a PKCS 12 Parameters generator. This constructor will + * accept MD5, SHA1, and RIPEMD160. + * + * @param digest the digest to be used as the source of derived keys. + * @exception IllegalArgumentException if an unknown digest is passed in. + */ + public OldPKCS12ParametersGenerator( + Digest digest) + { + this.digest = digest; + if (digest instanceof MD5Digest) + { + u = 128 / 8; + v = 512 / 8; + } + else if (digest instanceof SHA1Digest) + { + u = 160 / 8; + v = 512 / 8; + } + else if (digest instanceof RIPEMD160Digest) + { + u = 160 / 8; + v = 512 / 8; + } + else + { + throw new IllegalArgumentException("Digest " + digest.getAlgorithmName() + " unsupported"); + } + } + + /** + * add a + b + 1, returning the result in a. The a value is treated + * as a BigInteger of length (b.length * 8) bits. The result is + * modulo 2^b.length in case of overflow. + */ + private void adjust( + byte[] a, + int aOff, + byte[] b) + { + int x = (b[b.length - 1] & 0xff) + (a[aOff + b.length - 1] & 0xff) + 1; + + a[aOff + b.length - 1] = (byte)x; + x >>>= 8; + + for (int i = b.length - 2; i >= 0; i--) + { + x += (b[i] & 0xff) + (a[aOff + i] & 0xff); + a[aOff + i] = (byte)x; + x >>>= 8; + } + } + + /** + * generation of a derived key ala PKCS12 V1.0. + */ + private byte[] generateDerivedKey( + int idByte, + int n) + { + byte[] D = new byte[v]; + byte[] dKey = new byte[n]; + + for (int i = 0; i != D.length; i++) + { + D[i] = (byte)idByte; + } + + byte[] S; + + if ((salt != null) && (salt.length != 0)) + { + S = new byte[v * ((salt.length + v - 1) / v)]; + + for (int i = 0; i != S.length; i++) + { + S[i] = salt[i % salt.length]; + } + } + else + { + S = new byte[0]; + } + + byte[] P; + + if ((password != null) && (password.length != 0)) + { + P = new byte[v * ((password.length + v - 1) / v)]; + + for (int i = 0; i != P.length; i++) + { + P[i] = password[i % password.length]; + } + } + else + { + P = new byte[0]; + } + + byte[] I = new byte[S.length + P.length]; + + System.arraycopy(S, 0, I, 0, S.length); + System.arraycopy(P, 0, I, S.length, P.length); + + byte[] B = new byte[v]; + int c = (n + u - 1) / u; + + for (int i = 1; i <= c; i++) + { + byte[] A = new byte[u]; + + digest.update(D, 0, D.length); + digest.update(I, 0, I.length); + digest.doFinal(A, 0); + for (int j = 1; j != iterationCount; j++) + { + digest.update(A, 0, A.length); + digest.doFinal(A, 0); + } + + for (int j = 0; j != B.length; j++) + { + B[i] = A[j % A.length]; + } + + for (int j = 0; j != I.length / v; j++) + { + adjust(I, j * v, B); + } + + if (i == c) + { + System.arraycopy(A, 0, dKey, (i - 1) * u, dKey.length - ((i - 1) * u)); + } + else + { + System.arraycopy(A, 0, dKey, (i - 1) * u, A.length); + } + } + + return dKey; + } + + /** + * Generate a key parameter derived from the password, salt, and iteration + * count we are currently initialised with. + * + * @param keySize the size of the key we want (in bits) + * @return a KeyParameter object. + */ + public CipherParameters generateDerivedParameters( + int keySize) + { + keySize = keySize / 8; + + byte[] dKey = generateDerivedKey(KEY_MATERIAL, keySize); + + return new KeyParameter(dKey, 0, keySize); + } + + /** + * Generate a key with initialisation vector parameter derived from + * the password, salt, and iteration count we are currently initialised + * with. + * + * @param keySize the size of the key we want (in bits) + * @param ivSize the size of the iv we want (in bits) + * @return a ParametersWithIV object. + */ + public CipherParameters generateDerivedParameters( + int keySize, + int ivSize) + { + keySize = keySize / 8; + ivSize = ivSize / 8; + + byte[] dKey = generateDerivedKey(KEY_MATERIAL, keySize); + + byte[] iv = generateDerivedKey(IV_MATERIAL, ivSize); + + return new ParametersWithIV(new KeyParameter(dKey, 0, keySize), iv, 0, ivSize); + } + + /** + * Generate a key parameter for use with a MAC derived from the password, + * salt, and iteration count we are currently initialised with. + * + * @param keySize the size of the key we want (in bits) + * @return a KeyParameter object. + */ + public CipherParameters generateDerivedMacParameters( + int keySize) + { + keySize = keySize / 8; + + byte[] dKey = generateDerivedKey(MAC_MATERIAL, keySize); + + return new KeyParameter(dKey, 0, keySize); + } +} + +public interface BrokenPBE +{ + // + // PBE Based encryption constants - by default we do PKCS12 with SHA-1 + // + static final int MD5 = 0; + static final int SHA1 = 1; + static final int RIPEMD160 = 2; + + static final int PKCS5S1 = 0; + static final int PKCS5S2 = 1; + static final int PKCS12 = 2; + static final int OLD_PKCS12 = 3; + + /** + * uses the appropriate mixer to generate the key and IV if neccessary. + */ + static class Util + { + /** + * a faulty parity routine... + * + * @param bytes the byte array to set the parity on. + */ + static private void setOddParity( + byte[] bytes) + { + for (int i = 0; i < bytes.length; i++) + { + int b = bytes[i]; + bytes[i] = (byte)((b & 0xfe) | + (((b >> 1) ^ + (b >> 2) ^ + (b >> 3) ^ + (b >> 4) ^ + (b >> 5) ^ + (b >> 6) ^ + (b >> 7)) ^ 0x01)); + } + } + + static private PBEParametersGenerator makePBEGenerator( + int type, + int hash) + { + PBEParametersGenerator generator; + + if (type == PKCS5S1) + { + switch (hash) + { + case MD5: + generator = new PKCS5S1ParametersGenerator(new MD5Digest()); + break; + case SHA1: + generator = new PKCS5S1ParametersGenerator(new SHA1Digest()); + break; + default: + throw new IllegalStateException("PKCS5 scheme 1 only supports only MD5 and SHA1."); + } + } + else if (type == PKCS5S2) + { + generator = new PKCS5S2ParametersGenerator(); + } + else if (type == OLD_PKCS12) + { + switch (hash) + { + case MD5: + generator = new OldPKCS12ParametersGenerator(new MD5Digest()); + break; + case SHA1: + generator = new OldPKCS12ParametersGenerator(new SHA1Digest()); + break; + case RIPEMD160: + generator = new OldPKCS12ParametersGenerator(new RIPEMD160Digest()); + break; + default: + throw new IllegalStateException("unknown digest scheme for PBE encryption."); + } + } + else + { + switch (hash) + { + case MD5: + generator = new PKCS12ParametersGenerator(new MD5Digest()); + break; + case SHA1: + generator = new PKCS12ParametersGenerator(new SHA1Digest()); + break; + case RIPEMD160: + generator = new PKCS12ParametersGenerator(new RIPEMD160Digest()); + break; + default: + throw new IllegalStateException("unknown digest scheme for PBE encryption."); + } + } + + return generator; + } + + /** + * construct a key and iv (if neccessary) suitable for use with a + * Cipher. + */ + static CipherParameters makePBEParameters( + BCPBEKey pbeKey, + AlgorithmParameterSpec spec, + int type, + int hash, + String targetAlgorithm, + int keySize, + int ivSize) + { + if ((spec == null) || !(spec instanceof PBEParameterSpec)) + { + throw new IllegalArgumentException("Need a PBEParameter spec with a PBE key."); + } + + PBEParameterSpec pbeParam = (PBEParameterSpec)spec; + PBEParametersGenerator generator = makePBEGenerator(type, hash); + byte[] key = pbeKey.getEncoded(); + CipherParameters param; + + generator.init(key, pbeParam.getSalt(), pbeParam.getIterationCount()); + + if (ivSize != 0) + { + param = generator.generateDerivedParameters(keySize, ivSize); + } + else + { + param = generator.generateDerivedParameters(keySize); + } + + if (targetAlgorithm.startsWith("DES")) + { + if (param instanceof ParametersWithIV) + { + KeyParameter kParam = (KeyParameter)((ParametersWithIV)param).getParameters(); + + setOddParity(kParam.getKey()); + } + else + { + KeyParameter kParam = (KeyParameter)param; + + setOddParity(kParam.getKey()); + } + } + + for (int i = 0; i != key.length; i++) + { + key[i] = 0; + } + + return param; + } + + /** + * generate a PBE based key suitable for a MAC algorithm, the + * key size is chosen according the MAC size, or the hashing algorithm, + * whichever is greater. + */ + static CipherParameters makePBEMacParameters( + BCPBEKey pbeKey, + AlgorithmParameterSpec spec, + int type, + int hash, + int keySize) + { + if ((spec == null) || !(spec instanceof PBEParameterSpec)) + { + throw new IllegalArgumentException("Need a PBEParameter spec with a PBE key."); + } + + PBEParameterSpec pbeParam = (PBEParameterSpec)spec; + PBEParametersGenerator generator = makePBEGenerator(type, hash); + byte[] key = pbeKey.getEncoded(); + CipherParameters param; + + generator.init(key, pbeParam.getSalt(), pbeParam.getIterationCount()); + + param = generator.generateDerivedMacParameters(keySize); + + for (int i = 0; i != key.length; i++) + { + key[i] = 0; + } + + return param; + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java new file mode 100644 index 00000000..9200fdae --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java @@ -0,0 +1,1426 @@ +package org.bouncycastle.jce.provider; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.GeneralSecurityException; +import java.security.KeyFactory; +import java.security.PublicKey; +import java.security.cert.CRLException; +import java.security.cert.CertPath; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertStore; +import java.security.cert.CertStoreException; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.PKIXParameters; +import java.security.cert.PolicyQualifierInfo; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLEntry; +import java.security.cert.X509CRLSelector; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.security.interfaces.DSAParams; +import java.security.interfaces.DSAPublicKey; +import java.security.spec.DSAPublicKeySpec; +import java.text.ParseException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Date; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1OutputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DEREnumerated; +import org.bouncycastle.asn1.DERGeneralizedTime; +import org.bouncycastle.asn1.DERIA5String; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.CRLDistPoint; +import org.bouncycastle.asn1.x509.CRLReason; +import org.bouncycastle.asn1.x509.DistributionPoint; +import org.bouncycastle.asn1.x509.DistributionPointName; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.PolicyInformation; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.jce.X509LDAPCertStoreParameters; +import org.bouncycastle.jce.exception.ExtCertPathValidatorException; +import org.bouncycastle.util.Integers; +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.StoreException; +import org.bouncycastle.x509.ExtendedPKIXBuilderParameters; +import org.bouncycastle.x509.ExtendedPKIXParameters; +import org.bouncycastle.x509.X509AttributeCertStoreSelector; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509CRLStoreSelector; +import org.bouncycastle.x509.X509CertStoreSelector; +import org.bouncycastle.x509.X509Store; + +public class CertPathValidatorUtilities +{ + protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil(); + + protected static final String CERTIFICATE_POLICIES = Extension.certificatePolicies.getId(); + protected static final String BASIC_CONSTRAINTS = Extension.basicConstraints.getId(); + protected static final String POLICY_MAPPINGS = Extension.policyMappings.getId(); + protected static final String SUBJECT_ALTERNATIVE_NAME = Extension.subjectAlternativeName.getId(); + protected static final String NAME_CONSTRAINTS = Extension.nameConstraints.getId(); + protected static final String KEY_USAGE = Extension.keyUsage.getId(); + protected static final String INHIBIT_ANY_POLICY = Extension.inhibitAnyPolicy.getId(); + protected static final String ISSUING_DISTRIBUTION_POINT = Extension.issuingDistributionPoint.getId(); + protected static final String DELTA_CRL_INDICATOR = Extension.deltaCRLIndicator.getId(); + protected static final String POLICY_CONSTRAINTS = Extension.policyConstraints.getId(); + protected static final String FRESHEST_CRL = Extension.freshestCRL.getId(); + protected static final String CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId(); + protected static final String AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId(); + + protected static final String ANY_POLICY = "2.5.29.32.0"; + + protected static final String CRL_NUMBER = Extension.cRLNumber.getId(); + + /* + * key usage bits + */ + protected static final int KEY_CERT_SIGN = 5; + protected static final int CRL_SIGN = 6; + + protected static final String[] crlReasons = new String[]{ + "unspecified", + "keyCompromise", + "cACompromise", + "affiliationChanged", + "superseded", + "cessationOfOperation", + "certificateHold", + "unknown", + "removeFromCRL", + "privilegeWithdrawn", + "aACompromise"}; + + /** + * Search the given Set of TrustAnchor's for one that is the + * issuer of the given X509 certificate. Uses the default provider + * for signature verification. + * + * @param cert the X509 certificate + * @param trustAnchors a Set of TrustAnchor's + * @return the <code>TrustAnchor</code> object if found or + * <code>null</code> if not. + * @throws AnnotatedException if a TrustAnchor was found but the signature verification + * on the given certificate has thrown an exception. + */ + protected static TrustAnchor findTrustAnchor( + X509Certificate cert, + Set trustAnchors) + throws AnnotatedException + { + return findTrustAnchor(cert, trustAnchors, null); + } + + /** + * Search the given Set of TrustAnchor's for one that is the + * issuer of the given X509 certificate. Uses the specified + * provider for signature verification, or the default provider + * if null. + * + * @param cert the X509 certificate + * @param trustAnchors a Set of TrustAnchor's + * @param sigProvider the provider to use for signature verification + * @return the <code>TrustAnchor</code> object if found or + * <code>null</code> if not. + * @throws AnnotatedException if a TrustAnchor was found but the signature verification + * on the given certificate has thrown an exception. + */ + protected static TrustAnchor findTrustAnchor( + X509Certificate cert, + Set trustAnchors, + String sigProvider) + throws AnnotatedException + { + TrustAnchor trust = null; + PublicKey trustPublicKey = null; + Exception invalidKeyEx = null; + + X509CertSelector certSelectX509 = new X509CertSelector(); + X500Principal certIssuer = getEncodedIssuerPrincipal(cert); + + try + { + certSelectX509.setSubject(certIssuer.getEncoded()); + } + catch (IOException ex) + { + throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex); + } + + Iterator iter = trustAnchors.iterator(); + while (iter.hasNext() && trust == null) + { + trust = (TrustAnchor)iter.next(); + if (trust.getTrustedCert() != null) + { + if (certSelectX509.match(trust.getTrustedCert())) + { + trustPublicKey = trust.getTrustedCert().getPublicKey(); + } + else + { + trust = null; + } + } + else if (trust.getCAName() != null + && trust.getCAPublicKey() != null) + { + try + { + X500Principal caName = new X500Principal(trust.getCAName()); + if (certIssuer.equals(caName)) + { + trustPublicKey = trust.getCAPublicKey(); + } + else + { + trust = null; + } + } + catch (IllegalArgumentException ex) + { + trust = null; + } + } + else + { + trust = null; + } + + if (trustPublicKey != null) + { + try + { + verifyX509Certificate(cert, trustPublicKey, sigProvider); + } + catch (Exception ex) + { + invalidKeyEx = ex; + trust = null; + trustPublicKey = null; + } + } + } + + if (trust == null && invalidKeyEx != null) + { + throw new AnnotatedException("TrustAnchor found but certificate validation failed.", invalidKeyEx); + } + + return trust; + } + + protected static void addAdditionalStoresFromAltNames( + X509Certificate cert, + ExtendedPKIXParameters pkixParams) + throws CertificateParsingException + { + // if in the IssuerAltName extension an URI + // is given, add an additinal X.509 store + if (cert.getIssuerAlternativeNames() != null) + { + Iterator it = cert.getIssuerAlternativeNames().iterator(); + while (it.hasNext()) + { + // look for URI + List list = (List)it.next(); + if (list.get(0).equals(Integers.valueOf(GeneralName.uniformResourceIdentifier))) + { + // found + String temp = (String)list.get(1); + CertPathValidatorUtilities.addAdditionalStoreFromLocation(temp, pkixParams); + } + } + } + } + + /** + * Returns the issuer of an attribute certificate or certificate. + * + * @param cert The attribute certificate or certificate. + * @return The issuer as <code>X500Principal</code>. + */ + protected static X500Principal getEncodedIssuerPrincipal( + Object cert) + { + if (cert instanceof X509Certificate) + { + return ((X509Certificate)cert).getIssuerX500Principal(); + } + else + { + return (X500Principal)((X509AttributeCertificate)cert).getIssuer().getPrincipals()[0]; + } + } + + protected static Date getValidDate(PKIXParameters paramsPKIX) + { + Date validDate = paramsPKIX.getDate(); + + if (validDate == null) + { + validDate = new Date(); + } + + return validDate; + } + + protected static X500Principal getSubjectPrincipal(X509Certificate cert) + { + return cert.getSubjectX500Principal(); + } + + protected static boolean isSelfIssued(X509Certificate cert) + { + return cert.getSubjectDN().equals(cert.getIssuerDN()); + } + + + /** + * Extract the value of the given extension, if it exists. + * + * @param ext The extension object. + * @param oid The object identifier to obtain. + * @throws AnnotatedException if the extension cannot be read. + */ + protected static ASN1Primitive getExtensionValue( + java.security.cert.X509Extension ext, + String oid) + throws AnnotatedException + { + byte[] bytes = ext.getExtensionValue(oid); + if (bytes == null) + { + return null; + } + + return getObject(oid, bytes); + } + + private static ASN1Primitive getObject( + String oid, + byte[] ext) + throws AnnotatedException + { + try + { + ASN1InputStream aIn = new ASN1InputStream(ext); + ASN1OctetString octs = (ASN1OctetString)aIn.readObject(); + + aIn = new ASN1InputStream(octs.getOctets()); + return aIn.readObject(); + } + catch (Exception e) + { + throw new AnnotatedException("exception processing extension " + oid, e); + } + } + + protected static X500Principal getIssuerPrincipal(X509CRL crl) + { + return crl.getIssuerX500Principal(); + } + + protected static AlgorithmIdentifier getAlgorithmIdentifier( + PublicKey key) + throws CertPathValidatorException + { + try + { + ASN1InputStream aIn = new ASN1InputStream(key.getEncoded()); + + SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject()); + + return info.getAlgorithmId(); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Subject public key cannot be decoded.", e); + } + } + + // crl checking + + + // + // policy checking + // + + protected static final Set getQualifierSet(ASN1Sequence qualifiers) + throws CertPathValidatorException + { + Set pq = new HashSet(); + + if (qualifiers == null) + { + return pq; + } + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ASN1OutputStream aOut = new ASN1OutputStream(bOut); + + Enumeration e = qualifiers.getObjects(); + + while (e.hasMoreElements()) + { + try + { + aOut.writeObject((ASN1Encodable)e.nextElement()); + + pq.add(new PolicyQualifierInfo(bOut.toByteArray())); + } + catch (IOException ex) + { + throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex); + } + + bOut.reset(); + } + + return pq; + } + + protected static PKIXPolicyNode removePolicyNode( + PKIXPolicyNode validPolicyTree, + List[] policyNodes, + PKIXPolicyNode _node) + { + PKIXPolicyNode _parent = (PKIXPolicyNode)_node.getParent(); + + if (validPolicyTree == null) + { + return null; + } + + if (_parent == null) + { + for (int j = 0; j < policyNodes.length; j++) + { + policyNodes[j] = new ArrayList(); + } + + return null; + } + else + { + _parent.removeChild(_node); + removePolicyNodeRecurse(policyNodes, _node); + + return validPolicyTree; + } + } + + private static void removePolicyNodeRecurse( + List[] policyNodes, + PKIXPolicyNode _node) + { + policyNodes[_node.getDepth()].remove(_node); + + if (_node.hasChildren()) + { + Iterator _iter = _node.getChildren(); + while (_iter.hasNext()) + { + PKIXPolicyNode _child = (PKIXPolicyNode)_iter.next(); + removePolicyNodeRecurse(policyNodes, _child); + } + } + } + + + protected static boolean processCertD1i( + int index, + List[] policyNodes, + DERObjectIdentifier pOid, + Set pq) + { + List policyNodeVec = policyNodes[index - 1]; + + for (int j = 0; j < policyNodeVec.size(); j++) + { + PKIXPolicyNode node = (PKIXPolicyNode)policyNodeVec.get(j); + Set expectedPolicies = node.getExpectedPolicies(); + + if (expectedPolicies.contains(pOid.getId())) + { + Set childExpectedPolicies = new HashSet(); + childExpectedPolicies.add(pOid.getId()); + + PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(), + index, + childExpectedPolicies, + node, + pq, + pOid.getId(), + false); + node.addChild(child); + policyNodes[index].add(child); + + return true; + } + } + + return false; + } + + protected static void processCertD1ii( + int index, + List[] policyNodes, + DERObjectIdentifier _poid, + Set _pq) + { + List policyNodeVec = policyNodes[index - 1]; + + for (int j = 0; j < policyNodeVec.size(); j++) + { + PKIXPolicyNode _node = (PKIXPolicyNode)policyNodeVec.get(j); + + if (ANY_POLICY.equals(_node.getValidPolicy())) + { + Set _childExpectedPolicies = new HashSet(); + _childExpectedPolicies.add(_poid.getId()); + + PKIXPolicyNode _child = new PKIXPolicyNode(new ArrayList(), + index, + _childExpectedPolicies, + _node, + _pq, + _poid.getId(), + false); + _node.addChild(_child); + policyNodes[index].add(_child); + return; + } + } + } + + protected static void prepareNextCertB1( + int i, + List[] policyNodes, + String id_p, + Map m_idp, + X509Certificate cert + ) + throws AnnotatedException, CertPathValidatorException + { + boolean idp_found = false; + Iterator nodes_i = policyNodes[i].iterator(); + while (nodes_i.hasNext()) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next(); + if (node.getValidPolicy().equals(id_p)) + { + idp_found = true; + node.expectedPolicies = (Set)m_idp.get(id_p); + break; + } + } + + if (!idp_found) + { + nodes_i = policyNodes[i].iterator(); + while (nodes_i.hasNext()) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next(); + if (ANY_POLICY.equals(node.getValidPolicy())) + { + Set pq = null; + ASN1Sequence policies = null; + try + { + policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES)); + } + catch (Exception e) + { + throw new AnnotatedException("Certificate policies cannot be decoded.", e); + } + Enumeration e = policies.getObjects(); + while (e.hasMoreElements()) + { + PolicyInformation pinfo = null; + + try + { + pinfo = PolicyInformation.getInstance(e.nextElement()); + } + catch (Exception ex) + { + throw new AnnotatedException("Policy information cannot be decoded.", ex); + } + if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId())) + { + try + { + pq = getQualifierSet(pinfo.getPolicyQualifiers()); + } + catch (CertPathValidatorException ex) + { + throw new ExtCertPathValidatorException( + "Policy qualifier info set could not be built.", ex); + } + break; + } + } + boolean ci = false; + if (cert.getCriticalExtensionOIDs() != null) + { + ci = cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES); + } + + PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent(); + if (ANY_POLICY.equals(p_node.getValidPolicy())) + { + PKIXPolicyNode c_node = new PKIXPolicyNode( + new ArrayList(), i, + (Set)m_idp.get(id_p), + p_node, pq, id_p, ci); + p_node.addChild(c_node); + policyNodes[i].add(c_node); + } + break; + } + } + } + } + + protected static PKIXPolicyNode prepareNextCertB2( + int i, + List[] policyNodes, + String id_p, + PKIXPolicyNode validPolicyTree) + { + Iterator nodes_i = policyNodes[i].iterator(); + while (nodes_i.hasNext()) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next(); + if (node.getValidPolicy().equals(id_p)) + { + PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent(); + p_node.removeChild(node); + nodes_i.remove(); + for (int k = (i - 1); k >= 0; k--) + { + List nodes = policyNodes[k]; + for (int l = 0; l < nodes.size(); l++) + { + PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l); + if (!node2.hasChildren()) + { + validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node2); + if (validPolicyTree == null) + { + break; + } + } + } + } + } + } + return validPolicyTree; + } + + protected static boolean isAnyPolicy( + Set policySet) + { + return policySet == null || policySet.contains(ANY_POLICY) || policySet.isEmpty(); + } + + protected static void addAdditionalStoreFromLocation(String location, + ExtendedPKIXParameters pkixParams) + { + if (pkixParams.isAdditionalLocationsEnabled()) + { + try + { + if (location.startsWith("ldap://")) + { + // ldap://directory.d-trust.net/CN=D-TRUST + // Qualified CA 2003 1:PN,O=D-Trust GmbH,C=DE + // skip "ldap://" + location = location.substring(7); + // after first / baseDN starts + String base = null; + String url = null; + if (location.indexOf("/") != -1) + { + base = location.substring(location.indexOf("/")); + // URL + url = "ldap://" + + location.substring(0, location.indexOf("/")); + } + else + { + url = "ldap://" + location; + } + // use all purpose parameters + X509LDAPCertStoreParameters params = new X509LDAPCertStoreParameters.Builder( + url, base).build(); + pkixParams.addAdditionalStore(X509Store.getInstance( + "CERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME)); + pkixParams.addAdditionalStore(X509Store.getInstance( + "CRL/LDAP", params, BouncyCastleProvider.PROVIDER_NAME)); + pkixParams.addAdditionalStore(X509Store.getInstance( + "ATTRIBUTECERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME)); + pkixParams.addAdditionalStore(X509Store.getInstance( + "CERTIFICATEPAIR/LDAP", params, BouncyCastleProvider.PROVIDER_NAME)); + } + } + catch (Exception e) + { + // cannot happen + throw new RuntimeException("Exception adding X.509 stores."); + } + } + } + + /** + * Return a Collection of all certificates or attribute certificates found + * in the X509Store's that are matching the certSelect criteriums. + * + * @param certSelect a {@link Selector} object that will be used to select + * the certificates + * @param certStores a List containing only {@link X509Store} objects. These + * are used to search for certificates. + * @return a Collection of all found {@link X509Certificate} or + * {@link org.bouncycastle.x509.X509AttributeCertificate} objects. + * May be empty but never <code>null</code>. + */ + protected static Collection findCertificates(X509CertStoreSelector certSelect, + List certStores) + throws AnnotatedException + { + Set certs = new HashSet(); + Iterator iter = certStores.iterator(); + + while (iter.hasNext()) + { + Object obj = iter.next(); + + if (obj instanceof X509Store) + { + X509Store certStore = (X509Store)obj; + try + { + certs.addAll(certStore.getMatches(certSelect)); + } + catch (StoreException e) + { + throw new AnnotatedException( + "Problem while picking certificates from X.509 store.", e); + } + } + else + { + CertStore certStore = (CertStore)obj; + + try + { + certs.addAll(certStore.getCertificates(certSelect)); + } + catch (CertStoreException e) + { + throw new AnnotatedException( + "Problem while picking certificates from certificate store.", + e); + } + } + } + return certs; + } + + protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect, + List certStores) + throws AnnotatedException + { + Set certs = new HashSet(); + Iterator iter = certStores.iterator(); + + while (iter.hasNext()) + { + Object obj = iter.next(); + + if (obj instanceof X509Store) + { + X509Store certStore = (X509Store)obj; + try + { + certs.addAll(certStore.getMatches(certSelect)); + } + catch (StoreException e) + { + throw new AnnotatedException( + "Problem while picking certificates from X.509 store.", e); + } + } + } + return certs; + } + + protected static void addAdditionalStoresFromCRLDistributionPoint( + CRLDistPoint crldp, ExtendedPKIXParameters pkixParams) + throws AnnotatedException + { + if (crldp != null) + { + DistributionPoint dps[] = null; + try + { + dps = crldp.getDistributionPoints(); + } + catch (Exception e) + { + throw new AnnotatedException( + "Distribution points could not be read.", e); + } + for (int i = 0; i < dps.length; i++) + { + DistributionPointName dpn = dps[i].getDistributionPoint(); + // look for URIs in fullName + if (dpn != null) + { + if (dpn.getType() == DistributionPointName.FULL_NAME) + { + GeneralName[] genNames = GeneralNames.getInstance( + dpn.getName()).getNames(); + // look for an URI + for (int j = 0; j < genNames.length; j++) + { + if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) + { + String location = DERIA5String.getInstance( + genNames[j].getName()).getString(); + CertPathValidatorUtilities + .addAdditionalStoreFromLocation(location, + pkixParams); + } + } + } + } + } + } + } + + /** + * Add the CRL issuers from the cRLIssuer field of the distribution point or + * from the certificate if not given to the issuer criterion of the + * <code>selector</code>. + * <p/> + * The <code>issuerPrincipals</code> are a collection with a single + * <code>X500Principal</code> for <code>X509Certificate</code>s. For + * {@link X509AttributeCertificate}s the issuer may contain more than one + * <code>X500Principal</code>. + * + * @param dp The distribution point. + * @param issuerPrincipals The issuers of the certificate or attribute + * certificate which contains the distribution point. + * @param selector The CRL selector. + * @param pkixParams The PKIX parameters containing the cert stores. + * @throws AnnotatedException if an exception occurs while processing. + * @throws ClassCastException if <code>issuerPrincipals</code> does not + * contain only <code>X500Principal</code>s. + */ + protected static void getCRLIssuersFromDistributionPoint( + DistributionPoint dp, + Collection issuerPrincipals, + X509CRLSelector selector, + ExtendedPKIXParameters pkixParams) + throws AnnotatedException + { + List issuers = new ArrayList(); + // indirect CRL + if (dp.getCRLIssuer() != null) + { + GeneralName genNames[] = dp.getCRLIssuer().getNames(); + // look for a DN + for (int j = 0; j < genNames.length; j++) + { + if (genNames[j].getTagNo() == GeneralName.directoryName) + { + try + { + issuers.add(new X500Principal(genNames[j].getName() + .toASN1Primitive().getEncoded())); + } + catch (IOException e) + { + throw new AnnotatedException( + "CRL issuer information from distribution point cannot be decoded.", + e); + } + } + } + } + else + { + /* + * certificate issuer is CRL issuer, distributionPoint field MUST be + * present. + */ + if (dp.getDistributionPoint() == null) + { + throw new AnnotatedException( + "CRL issuer is omitted from distribution point but no distributionPoint field present."); + } + // add and check issuer principals + for (Iterator it = issuerPrincipals.iterator(); it.hasNext(); ) + { + issuers.add((X500Principal)it.next()); + } + } + // TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid + // distributionPoint +// if (dp.getDistributionPoint() != null) +// { +// // look for nameRelativeToCRLIssuer +// if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) +// { +// // append fragment to issuer, only one +// // issuer can be there, if this is given +// if (issuers.size() != 1) +// { +// throw new AnnotatedException( +// "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given."); +// } +// ASN1Encodable relName = dp.getDistributionPoint().getName(); +// Iterator it = issuers.iterator(); +// List issuersTemp = new ArrayList(issuers.size()); +// while (it.hasNext()) +// { +// Enumeration e = null; +// try +// { +// e = ASN1Sequence.getInstance( +// new ASN1InputStream(((X500Principal) it.next()) +// .getEncoded()).readObject()).getObjects(); +// } +// catch (IOException ex) +// { +// throw new AnnotatedException( +// "Cannot decode CRL issuer information.", ex); +// } +// ASN1EncodableVector v = new ASN1EncodableVector(); +// while (e.hasMoreElements()) +// { +// v.add((ASN1Encodable) e.nextElement()); +// } +// v.add(relName); +// issuersTemp.add(new X500Principal(new DERSequence(v) +// .getDEREncoded())); +// } +// issuers.clear(); +// issuers.addAll(issuersTemp); +// } +// } + Iterator it = issuers.iterator(); + while (it.hasNext()) + { + try + { + selector.addIssuerName(((X500Principal)it.next()).getEncoded()); + } + catch (IOException ex) + { + throw new AnnotatedException( + "Cannot decode CRL issuer information.", ex); + } + } + } + + private static BigInteger getSerialNumber( + Object cert) + { + if (cert instanceof X509Certificate) + { + return ((X509Certificate)cert).getSerialNumber(); + } + else + { + return ((X509AttributeCertificate)cert).getSerialNumber(); + } + } + + protected static void getCertStatus( + Date validDate, + X509CRL crl, + Object cert, + CertStatus certStatus) + throws AnnotatedException + { + X509CRLEntry crl_entry = null; + + boolean isIndirect; + try + { + isIndirect = X509CRLObject.isIndirectCRL(crl); + } + catch (CRLException exception) + { + throw new AnnotatedException("Failed check for indirect CRL.", exception); + } + + if (isIndirect) + { + crl_entry = crl.getRevokedCertificate(getSerialNumber(cert)); + + if (crl_entry == null) + { + return; + } + + X500Principal certIssuer = crl_entry.getCertificateIssuer(); + + if (certIssuer == null) + { + certIssuer = getIssuerPrincipal(crl); + } + + if (!getEncodedIssuerPrincipal(cert).equals(certIssuer)) + { + return; + } + } + else if (!getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl))) + { + return; // not for our issuer, ignore + } + else + { + crl_entry = crl.getRevokedCertificate(getSerialNumber(cert)); + + if (crl_entry == null) + { + return; + } + } + + DEREnumerated reasonCode = null; + if (crl_entry.hasExtensions()) + { + try + { + reasonCode = DEREnumerated + .getInstance(CertPathValidatorUtilities + .getExtensionValue(crl_entry, + X509Extension.reasonCode.getId())); + } + catch (Exception e) + { + throw new AnnotatedException( + "Reason code CRL entry extension could not be decoded.", + e); + } + } + + // for reason keyCompromise, caCompromise, aACompromise or + // unspecified + if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) + || reasonCode == null + || reasonCode.getValue().intValue() == 0 + || reasonCode.getValue().intValue() == 1 + || reasonCode.getValue().intValue() == 2 + || reasonCode.getValue().intValue() == 8) + { + + // (i) or (j) (1) + if (reasonCode != null) + { + certStatus.setCertStatus(reasonCode.getValue().intValue()); + } + // (i) or (j) (2) + else + { + certStatus.setCertStatus(CRLReason.unspecified); + } + certStatus.setRevocationDate(crl_entry.getRevocationDate()); + } + } + + /** + * Fetches delta CRLs according to RFC 3280 section 5.2.4. + * + * @param currentDate The date for which the delta CRLs must be valid. + * @param paramsPKIX The extended PKIX parameters. + * @param completeCRL The complete CRL the delta CRL is for. + * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs. + * @throws AnnotatedException if an exception occurs while picking the delta + * CRLs. + */ + protected static Set getDeltaCRLs(Date currentDate, + ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) + throws AnnotatedException + { + + X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector(); + + // 5.2.4 (a) + try + { + deltaSelect.addIssuerName(CertPathValidatorUtilities + .getIssuerPrincipal(completeCRL).getEncoded()); + } + catch (IOException e) + { + throw new AnnotatedException("Cannot extract issuer from CRL.", e); + } + + BigInteger completeCRLNumber = null; + try + { + ASN1Primitive derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, + CRL_NUMBER); + if (derObject != null) + { + completeCRLNumber = ASN1Integer.getInstance(derObject).getPositiveValue(); + } + } + catch (Exception e) + { + throw new AnnotatedException( + "CRL number extension could not be extracted from CRL.", e); + } + + // 5.2.4 (b) + byte[] idp = null; + try + { + idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT); + } + catch (Exception e) + { + throw new AnnotatedException( + "Issuing distribution point extension value could not be read.", + e); + } + + // 5.2.4 (d) + + deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber + .add(BigInteger.valueOf(1))); + + deltaSelect.setIssuingDistributionPoint(idp); + deltaSelect.setIssuingDistributionPointEnabled(true); + + // 5.2.4 (c) + deltaSelect.setMaxBaseCRLNumber(completeCRLNumber); + + // find delta CRLs + Set temp = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate); + + Set result = new HashSet(); + + for (Iterator it = temp.iterator(); it.hasNext(); ) + { + X509CRL crl = (X509CRL)it.next(); + + if (isDeltaCRL(crl)) + { + result.add(crl); + } + } + + return result; + } + + private static boolean isDeltaCRL(X509CRL crl) + { + Set critical = crl.getCriticalExtensionOIDs(); + + if (critical == null) + { + return false; + } + + return critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); + } + + /** + * Fetches complete CRLs according to RFC 3280. + * + * @param dp The distribution point for which the complete CRL + * @param cert The <code>X509Certificate</code> or + * {@link org.bouncycastle.x509.X509AttributeCertificate} for + * which the CRL should be searched. + * @param currentDate The date for which the delta CRLs must be valid. + * @param paramsPKIX The extended PKIX parameters. + * @return A <code>Set</code> of <code>X509CRL</code>s with complete + * CRLs. + * @throws AnnotatedException if an exception occurs while picking the CRLs + * or no CRLs are found. + */ + protected static Set getCompleteCRLs(DistributionPoint dp, Object cert, + Date currentDate, ExtendedPKIXParameters paramsPKIX) + throws AnnotatedException + { + X509CRLStoreSelector crlselect = new X509CRLStoreSelector(); + try + { + Set issuers = new HashSet(); + if (cert instanceof X509AttributeCertificate) + { + issuers.add(((X509AttributeCertificate)cert) + .getIssuer().getPrincipals()[0]); + } + else + { + issuers.add(getEncodedIssuerPrincipal(cert)); + } + CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX); + } + catch (AnnotatedException e) + { + throw new AnnotatedException( + "Could not get issuer information from distribution point.", e); + } + if (cert instanceof X509Certificate) + { + crlselect.setCertificateChecking((X509Certificate)cert); + } + else if (cert instanceof X509AttributeCertificate) + { + crlselect.setAttrCertificateChecking((X509AttributeCertificate)cert); + } + + + crlselect.setCompleteCRLEnabled(true); + + Set crls = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate); + + if (crls.isEmpty()) + { + if (cert instanceof X509AttributeCertificate) + { + X509AttributeCertificate aCert = (X509AttributeCertificate)cert; + + throw new AnnotatedException("No CRLs found for issuer \"" + aCert.getIssuer().getPrincipals()[0] + "\""); + } + else + { + X509Certificate xCert = (X509Certificate)cert; + + throw new AnnotatedException("No CRLs found for issuer \"" + xCert.getIssuerX500Principal() + "\""); + } + } + return crls; + } + + protected static Date getValidCertDateFromValidityModel( + ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index) + throws AnnotatedException + { + if (paramsPKIX.getValidityModel() == ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) + { + // if end cert use given signing/encryption/... time + if (index <= 0) + { + return CertPathValidatorUtilities.getValidDate(paramsPKIX); + // else use time when previous cert was created + } + else + { + if (index - 1 == 0) + { + DERGeneralizedTime dateOfCertgen = null; + try + { + byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1)).getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId()); + if (extBytes != null) + { + dateOfCertgen = DERGeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes)); + } + } + catch (IOException e) + { + throw new AnnotatedException( + "Date of cert gen extension could not be read."); + } + catch (IllegalArgumentException e) + { + throw new AnnotatedException( + "Date of cert gen extension could not be read."); + } + if (dateOfCertgen != null) + { + try + { + return dateOfCertgen.getDate(); + } + catch (ParseException e) + { + throw new AnnotatedException( + "Date from date of cert gen extension could not be parsed.", + e); + } + } + return ((X509Certificate)certPath.getCertificates().get( + index - 1)).getNotBefore(); + } + else + { + return ((X509Certificate)certPath.getCertificates().get( + index - 1)).getNotBefore(); + } + } + } + else + { + return getValidDate(paramsPKIX); + } + } + + /** + * Return the next working key inheriting DSA parameters if necessary. + * <p> + * This methods inherits DSA parameters from the indexed certificate or + * previous certificates in the certificate chain to the returned + * <code>PublicKey</code>. The list is searched upwards, meaning the end + * certificate is at position 0 and previous certificates are following. + * </p> + * <p> + * If the indexed certificate does not contain a DSA key this method simply + * returns the public key. If the DSA key already contains DSA parameters + * the key is also only returned. + * </p> + * + * @param certs The certification path. + * @param index The index of the certificate which contains the public key + * which should be extended with DSA parameters. + * @return The public key of the certificate in list position + * <code>index</code> extended with DSA parameters if applicable. + * @throws AnnotatedException if DSA parameters cannot be inherited. + */ + protected static PublicKey getNextWorkingKey(List certs, int index) + throws CertPathValidatorException + { + Certificate cert = (Certificate)certs.get(index); + PublicKey pubKey = cert.getPublicKey(); + if (!(pubKey instanceof DSAPublicKey)) + { + return pubKey; + } + DSAPublicKey dsaPubKey = (DSAPublicKey)pubKey; + if (dsaPubKey.getParams() != null) + { + return dsaPubKey; + } + for (int i = index + 1; i < certs.size(); i++) + { + X509Certificate parentCert = (X509Certificate)certs.get(i); + pubKey = parentCert.getPublicKey(); + if (!(pubKey instanceof DSAPublicKey)) + { + throw new CertPathValidatorException( + "DSA parameters cannot be inherited from previous certificate."); + } + DSAPublicKey prevDSAPubKey = (DSAPublicKey)pubKey; + if (prevDSAPubKey.getParams() == null) + { + continue; + } + DSAParams dsaParams = prevDSAPubKey.getParams(); + DSAPublicKeySpec dsaPubKeySpec = new DSAPublicKeySpec( + dsaPubKey.getY(), dsaParams.getP(), dsaParams.getQ(), dsaParams.getG()); + try + { + KeyFactory keyFactory = KeyFactory.getInstance("DSA", BouncyCastleProvider.PROVIDER_NAME); + return keyFactory.generatePublic(dsaPubKeySpec); + } + catch (Exception exception) + { + throw new RuntimeException(exception.getMessage()); + } + } + throw new CertPathValidatorException("DSA parameters cannot be inherited from previous certificate."); + } + + /** + * Find the issuer certificates of a given certificate. + * + * @param cert The certificate for which an issuer should be found. + * @param pkixParams + * @return A <code>Collection</code> object containing the issuer + * <code>X509Certificate</code>s. Never <code>null</code>. + * @throws AnnotatedException if an error occurs. + */ + protected static Collection findIssuerCerts( + X509Certificate cert, + ExtendedPKIXBuilderParameters pkixParams) + throws AnnotatedException + { + X509CertStoreSelector certSelect = new X509CertStoreSelector(); + Set certs = new HashSet(); + try + { + certSelect.setSubject(cert.getIssuerX500Principal().getEncoded()); + } + catch (IOException ex) + { + throw new AnnotatedException( + "Subject criteria for certificate selector to find issuer certificate could not be set.", ex); + } + + Iterator iter; + + try + { + List matches = new ArrayList(); + + matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getCertStores())); + matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getStores())); + matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getAdditionalStores())); + + iter = matches.iterator(); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Issuer certificate cannot be searched.", e); + } + + X509Certificate issuer = null; + while (iter.hasNext()) + { + issuer = (X509Certificate)iter.next(); + // issuer cannot be verified because possible DSA inheritance + // parameters are missing + certs.add(issuer); + } + return certs; + } + + protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, + String sigProvider) + throws GeneralSecurityException + { + if (sigProvider == null) + { + cert.verify(publicKey); + } + else + { + cert.verify(publicKey, sigProvider); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertStatus.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertStatus.java new file mode 100644 index 00000000..ba3da165 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertStatus.java @@ -0,0 +1,46 @@ +package org.bouncycastle.jce.provider; + +import java.util.Date; + +class CertStatus +{ + public static final int UNREVOKED = 11; + + public static final int UNDETERMINED = 12; + + int certStatus = UNREVOKED; + + Date revocationDate = null; + + /** + * @return Returns the revocationDate. + */ + public Date getRevocationDate() + { + return revocationDate; + } + + /** + * @param revocationDate The revocationDate to set. + */ + public void setRevocationDate(Date revocationDate) + { + this.revocationDate = revocationDate; + } + + /** + * @return Returns the certStatus. + */ + public int getCertStatus() + { + return certStatus; + } + + /** + * @param certStatus The certStatus to set. + */ + public void setCertStatus(int certStatus) + { + this.certStatus = certStatus; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertStoreCollectionSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertStoreCollectionSpi.java new file mode 100644 index 00000000..210d986d --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertStoreCollectionSpi.java @@ -0,0 +1,104 @@ +package org.bouncycastle.jce.provider; + +import java.security.InvalidAlgorithmParameterException; +import java.security.cert.CRL; +import java.security.cert.CRLSelector; +import java.security.cert.CertSelector; +import java.security.cert.CertStoreException; +import java.security.cert.CertStoreParameters; +import java.security.cert.CertStoreSpi; +import java.security.cert.Certificate; +import java.security.cert.CollectionCertStoreParameters; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Iterator; +import java.util.List; + +public class CertStoreCollectionSpi extends CertStoreSpi +{ + private CollectionCertStoreParameters params; + + public CertStoreCollectionSpi(CertStoreParameters params) + throws InvalidAlgorithmParameterException + { + super(params); + + if (!(params instanceof CollectionCertStoreParameters)) + { + throw new InvalidAlgorithmParameterException("org.bouncycastle.jce.provider.CertStoreCollectionSpi: parameter must be a CollectionCertStoreParameters object\n" + params.toString()); + } + + this.params = (CollectionCertStoreParameters)params; + } + + public Collection engineGetCertificates( + CertSelector selector) + throws CertStoreException + { + List col = new ArrayList(); + Iterator iter = params.getCollection().iterator(); + + if (selector == null) + { + while (iter.hasNext()) + { + Object obj = iter.next(); + + if (obj instanceof Certificate) + { + col.add(obj); + } + } + } + else + { + while (iter.hasNext()) + { + Object obj = iter.next(); + + if ((obj instanceof Certificate) && selector.match((Certificate)obj)) + { + col.add(obj); + } + } + } + + return col; + } + + + public Collection engineGetCRLs( + CRLSelector selector) + throws CertStoreException + { + List col = new ArrayList(); + Iterator iter = params.getCollection().iterator(); + + if (selector == null) + { + while (iter.hasNext()) + { + Object obj = iter.next(); + + if (obj instanceof CRL) + { + col.add(obj); + } + } + } + else + { + while (iter.hasNext()) + { + Object obj = iter.next(); + + if ((obj instanceof CRL) && selector.match((CRL)obj)) + { + col.add(obj); + } + } + } + + return col; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/DHUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/DHUtil.java new file mode 100644 index 00000000..2470af99 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/DHUtil.java @@ -0,0 +1,50 @@ +package org.bouncycastle.jce.provider; + +import java.security.InvalidKeyException; +import java.security.PrivateKey; +import java.security.PublicKey; + +import javax.crypto.interfaces.DHPrivateKey; +import javax.crypto.interfaces.DHPublicKey; + +import org.bouncycastle.crypto.params.AsymmetricKeyParameter; +import org.bouncycastle.crypto.params.DHParameters; +import org.bouncycastle.crypto.params.DHPrivateKeyParameters; +import org.bouncycastle.crypto.params.DHPublicKeyParameters; + +/** + * utility class for converting jce/jca DH objects + * objects into their org.bouncycastle.crypto counterparts. + */ +public class DHUtil +{ + static public AsymmetricKeyParameter generatePublicKeyParameter( + PublicKey key) + throws InvalidKeyException + { + if (key instanceof DHPublicKey) + { + DHPublicKey k = (DHPublicKey)key; + + return new DHPublicKeyParameters(k.getY(), + new DHParameters(k.getParams().getP(), k.getParams().getG(), null, k.getParams().getL())); + } + + throw new InvalidKeyException("can't identify DH public key."); + } + + static public AsymmetricKeyParameter generatePrivateKeyParameter( + PrivateKey key) + throws InvalidKeyException + { + if (key instanceof DHPrivateKey) + { + DHPrivateKey k = (DHPrivateKey)key; + + return new DHPrivateKeyParameters(k.getX(), + new DHParameters(k.getParams().getP(), k.getParams().getG(), null, k.getParams().getL())); + } + + throw new InvalidKeyException("can't identify DH private key."); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/ExtCRLException.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/ExtCRLException.java new file mode 100644 index 00000000..3bc820f3 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/ExtCRLException.java @@ -0,0 +1,20 @@ +package org.bouncycastle.jce.provider; + +import java.security.cert.CRLException; + +class ExtCRLException + extends CRLException +{ + Throwable cause; + + ExtCRLException(String message, Throwable cause) + { + super(message); + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEDHPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEDHPrivateKey.java new file mode 100644 index 00000000..b38f60bb --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEDHPrivateKey.java @@ -0,0 +1,188 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.util.Enumeration; + +import javax.crypto.interfaces.DHPrivateKey; +import javax.crypto.spec.DHParameterSpec; +import javax.crypto.spec.DHPrivateKeySpec; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.pkcs.DHParameter; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x9.DHDomainParameters; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.crypto.params.DHPrivateKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.PKCS12BagAttributeCarrierImpl; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; + +public class JCEDHPrivateKey + implements DHPrivateKey, PKCS12BagAttributeCarrier +{ + static final long serialVersionUID = 311058815616901812L; + + BigInteger x; + + private DHParameterSpec dhSpec; + private PrivateKeyInfo info; + + private PKCS12BagAttributeCarrier attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + protected JCEDHPrivateKey() + { + } + + JCEDHPrivateKey( + DHPrivateKey key) + { + this.x = key.getX(); + this.dhSpec = key.getParams(); + } + + JCEDHPrivateKey( + DHPrivateKeySpec spec) + { + this.x = spec.getX(); + this.dhSpec = new DHParameterSpec(spec.getP(), spec.getG()); + } + + JCEDHPrivateKey( + PrivateKeyInfo info) + throws IOException + { + ASN1Sequence seq = ASN1Sequence.getInstance(info.getAlgorithmId().getParameters()); + DERInteger derX = DERInteger.getInstance(info.parsePrivateKey()); + DERObjectIdentifier id = info.getAlgorithmId().getAlgorithm(); + + this.info = info; + this.x = derX.getValue(); + + if (id.equals(PKCSObjectIdentifiers.dhKeyAgreement)) + { + DHParameter params = DHParameter.getInstance(seq); + + if (params.getL() != null) + { + this.dhSpec = new DHParameterSpec(params.getP(), params.getG(), params.getL().intValue()); + } + else + { + this.dhSpec = new DHParameterSpec(params.getP(), params.getG()); + } + } + else if (id.equals(X9ObjectIdentifiers.dhpublicnumber)) + { + DHDomainParameters params = DHDomainParameters.getInstance(seq); + + this.dhSpec = new DHParameterSpec(params.getP().getValue(), params.getG().getValue()); + } + else + { + throw new IllegalArgumentException("unknown algorithm type: " + id); + } + } + + JCEDHPrivateKey( + DHPrivateKeyParameters params) + { + this.x = params.getX(); + this.dhSpec = new DHParameterSpec(params.getParameters().getP(), params.getParameters().getG(), params.getParameters().getL()); + } + + public String getAlgorithm() + { + return "DH"; + } + + /** + * return the encoding format we produce in getEncoded(). + * + * @return the string "PKCS#8" + */ + public String getFormat() + { + return "PKCS#8"; + } + + /** + * Return a PKCS8 representation of the key. The sequence returned + * represents a full PrivateKeyInfo object. + * + * @return a PKCS8 representation of the key. + */ + public byte[] getEncoded() + { + try + { + if (info != null) + { + return info.getEncoded(ASN1Encoding.DER); + } + + PrivateKeyInfo info = new PrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.dhKeyAgreement, new DHParameter(dhSpec.getP(), dhSpec.getG(), dhSpec.getL())), new DERInteger(getX())); + + return info.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + return null; + } + } + + public DHParameterSpec getParams() + { + return dhSpec; + } + + public BigInteger getX() + { + return x; + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + x = (BigInteger)in.readObject(); + + this.dhSpec = new DHParameterSpec((BigInteger)in.readObject(), (BigInteger)in.readObject(), in.readInt()); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(this.getX()); + out.writeObject(dhSpec.getP()); + out.writeObject(dhSpec.getG()); + out.writeInt(dhSpec.getL()); + } + + public void setBagAttribute( + ASN1ObjectIdentifier oid, + ASN1Encodable attribute) + { + attrCarrier.setBagAttribute(oid, attribute); + } + + public ASN1Encodable getBagAttribute( + ASN1ObjectIdentifier oid) + { + return attrCarrier.getBagAttribute(oid); + } + + public Enumeration getBagAttributeKeys() + { + return attrCarrier.getBagAttributeKeys(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEDHPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEDHPublicKey.java new file mode 100644 index 00000000..6ff1e083 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEDHPublicKey.java @@ -0,0 +1,178 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; + +import javax.crypto.interfaces.DHPublicKey; +import javax.crypto.spec.DHParameterSpec; +import javax.crypto.spec.DHPublicKeySpec; + +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.pkcs.DHParameter; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x9.DHDomainParameters; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.crypto.params.DHPublicKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; + +public class JCEDHPublicKey + implements DHPublicKey +{ + static final long serialVersionUID = -216691575254424324L; + + private BigInteger y; + private DHParameterSpec dhSpec; + private SubjectPublicKeyInfo info; + + JCEDHPublicKey( + DHPublicKeySpec spec) + { + this.y = spec.getY(); + this.dhSpec = new DHParameterSpec(spec.getP(), spec.getG()); + } + + JCEDHPublicKey( + DHPublicKey key) + { + this.y = key.getY(); + this.dhSpec = key.getParams(); + } + + JCEDHPublicKey( + DHPublicKeyParameters params) + { + this.y = params.getY(); + this.dhSpec = new DHParameterSpec(params.getParameters().getP(), params.getParameters().getG(), params.getParameters().getL()); + } + + JCEDHPublicKey( + BigInteger y, + DHParameterSpec dhSpec) + { + this.y = y; + this.dhSpec = dhSpec; + } + + JCEDHPublicKey( + SubjectPublicKeyInfo info) + { + this.info = info; + + DERInteger derY; + try + { + derY = (DERInteger)info.parsePublicKey(); + } + catch (IOException e) + { + throw new IllegalArgumentException("invalid info structure in DH public key"); + } + + this.y = derY.getValue(); + + ASN1Sequence seq = ASN1Sequence.getInstance(info.getAlgorithmId().getParameters()); + DERObjectIdentifier id = info.getAlgorithmId().getAlgorithm(); + + // we need the PKCS check to handle older keys marked with the X9 oid. + if (id.equals(PKCSObjectIdentifiers.dhKeyAgreement) || isPKCSParam(seq)) + { + DHParameter params = DHParameter.getInstance(seq); + + if (params.getL() != null) + { + this.dhSpec = new DHParameterSpec(params.getP(), params.getG(), params.getL().intValue()); + } + else + { + this.dhSpec = new DHParameterSpec(params.getP(), params.getG()); + } + } + else if (id.equals(X9ObjectIdentifiers.dhpublicnumber)) + { + DHDomainParameters params = DHDomainParameters.getInstance(seq); + + this.dhSpec = new DHParameterSpec(params.getP().getValue(), params.getG().getValue()); + } + else + { + throw new IllegalArgumentException("unknown algorithm type: " + id); + } + } + + public String getAlgorithm() + { + return "DH"; + } + + public String getFormat() + { + return "X.509"; + } + + public byte[] getEncoded() + { + if (info != null) + { + return KeyUtil.getEncodedSubjectPublicKeyInfo(info); + } + + return KeyUtil.getEncodedSubjectPublicKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.dhKeyAgreement, new DHParameter(dhSpec.getP(), dhSpec.getG(), dhSpec.getL())), new DERInteger(y)); + } + + public DHParameterSpec getParams() + { + return dhSpec; + } + + public BigInteger getY() + { + return y; + } + + private boolean isPKCSParam(ASN1Sequence seq) + { + if (seq.size() == 2) + { + return true; + } + + if (seq.size() > 3) + { + return false; + } + + DERInteger l = DERInteger.getInstance(seq.getObjectAt(2)); + DERInteger p = DERInteger.getInstance(seq.getObjectAt(0)); + + if (l.getValue().compareTo(BigInteger.valueOf(p.getValue().bitLength())) > 0) + { + return false; + } + + return true; + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + this.y = (BigInteger)in.readObject(); + this.dhSpec = new DHParameterSpec((BigInteger)in.readObject(), (BigInteger)in.readObject(), in.readInt()); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(this.getY()); + out.writeObject(dhSpec.getP()); + out.writeObject(dhSpec.getG()); + out.writeInt(dhSpec.getL()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEECPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEECPrivateKey.java new file mode 100644 index 00000000..3175237d --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEECPrivateKey.java @@ -0,0 +1,478 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.interfaces.ECPrivateKey; +import java.security.spec.ECParameterSpec; +import java.security.spec.ECPoint; +import java.security.spec.ECPrivateKeySpec; +import java.security.spec.EllipticCurve; +import java.util.Enumeration; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.cryptopro.ECGOST3410NamedCurves; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.sec.ECPrivateKeyStructure; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x9.X962Parameters; +import org.bouncycastle.asn1.x9.X9ECParameters; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.crypto.params.ECDomainParameters; +import org.bouncycastle.crypto.params.ECPrivateKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util; +import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil; +import org.bouncycastle.jcajce.provider.asymmetric.util.PKCS12BagAttributeCarrierImpl; +import org.bouncycastle.jce.interfaces.ECPointEncoder; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.spec.ECNamedCurveSpec; +import org.bouncycastle.math.ec.ECCurve; + +public class JCEECPrivateKey + implements ECPrivateKey, org.bouncycastle.jce.interfaces.ECPrivateKey, PKCS12BagAttributeCarrier, ECPointEncoder +{ + private String algorithm = "EC"; + private BigInteger d; + private ECParameterSpec ecSpec; + private boolean withCompression; + + private DERBitString publicKey; + + private PKCS12BagAttributeCarrierImpl attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + protected JCEECPrivateKey() + { + } + + public JCEECPrivateKey( + ECPrivateKey key) + { + this.d = key.getS(); + this.algorithm = key.getAlgorithm(); + this.ecSpec = key.getParams(); + } + + public JCEECPrivateKey( + String algorithm, + org.bouncycastle.jce.spec.ECPrivateKeySpec spec) + { + this.algorithm = algorithm; + this.d = spec.getD(); + + if (spec.getParams() != null) // can be null if implicitlyCA + { + ECCurve curve = spec.getParams().getCurve(); + EllipticCurve ellipticCurve; + + ellipticCurve = EC5Util.convertCurve(curve, spec.getParams().getSeed()); + + this.ecSpec = EC5Util.convertSpec(ellipticCurve, spec.getParams()); + } + else + { + this.ecSpec = null; + } + } + + + public JCEECPrivateKey( + String algorithm, + ECPrivateKeySpec spec) + { + this.algorithm = algorithm; + this.d = spec.getS(); + this.ecSpec = spec.getParams(); + } + + public JCEECPrivateKey( + String algorithm, + JCEECPrivateKey key) + { + this.algorithm = algorithm; + this.d = key.d; + this.ecSpec = key.ecSpec; + this.withCompression = key.withCompression; + this.attrCarrier = key.attrCarrier; + this.publicKey = key.publicKey; + } + + public JCEECPrivateKey( + String algorithm, + ECPrivateKeyParameters params, + JCEECPublicKey pubKey, + ECParameterSpec spec) + { + ECDomainParameters dp = params.getParameters(); + + this.algorithm = algorithm; + this.d = params.getD(); + + if (spec == null) + { + EllipticCurve ellipticCurve = EC5Util.convertCurve(dp.getCurve(), dp.getSeed()); + + this.ecSpec = new ECParameterSpec( + ellipticCurve, + new ECPoint( + dp.getG().getX().toBigInteger(), + dp.getG().getY().toBigInteger()), + dp.getN(), + dp.getH().intValue()); + } + else + { + this.ecSpec = spec; + } + + publicKey = getPublicKeyDetails(pubKey); + } + + public JCEECPrivateKey( + String algorithm, + ECPrivateKeyParameters params, + JCEECPublicKey pubKey, + org.bouncycastle.jce.spec.ECParameterSpec spec) + { + ECDomainParameters dp = params.getParameters(); + + this.algorithm = algorithm; + this.d = params.getD(); + + if (spec == null) + { + EllipticCurve ellipticCurve = EC5Util.convertCurve(dp.getCurve(), dp.getSeed()); + + this.ecSpec = new ECParameterSpec( + ellipticCurve, + new ECPoint( + dp.getG().getX().toBigInteger(), + dp.getG().getY().toBigInteger()), + dp.getN(), + dp.getH().intValue()); + } + else + { + EllipticCurve ellipticCurve = EC5Util.convertCurve(spec.getCurve(), spec.getSeed()); + + this.ecSpec = new ECParameterSpec( + ellipticCurve, + new ECPoint( + spec.getG().getX().toBigInteger(), + spec.getG().getY().toBigInteger()), + spec.getN(), + spec.getH().intValue()); + } + + publicKey = getPublicKeyDetails(pubKey); + } + + public JCEECPrivateKey( + String algorithm, + ECPrivateKeyParameters params) + { + this.algorithm = algorithm; + this.d = params.getD(); + this.ecSpec = null; + } + + JCEECPrivateKey( + PrivateKeyInfo info) + throws IOException + { + populateFromPrivKeyInfo(info); + } + + private void populateFromPrivKeyInfo(PrivateKeyInfo info) + throws IOException + { + X962Parameters params = new X962Parameters((ASN1Primitive)info.getPrivateKeyAlgorithm().getParameters()); + + if (params.isNamedCurve()) + { + ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(params.getParameters()); + X9ECParameters ecP = ECUtil.getNamedCurveByOid(oid); + + if (ecP == null) // GOST Curve + { + ECDomainParameters gParam = ECGOST3410NamedCurves.getByOID(oid); + EllipticCurve ellipticCurve = EC5Util.convertCurve(gParam.getCurve(), gParam.getSeed()); + + ecSpec = new ECNamedCurveSpec( + ECGOST3410NamedCurves.getName(oid), + ellipticCurve, + new ECPoint( + gParam.getG().getX().toBigInteger(), + gParam.getG().getY().toBigInteger()), + gParam.getN(), + gParam.getH()); + } + else + { + EllipticCurve ellipticCurve = EC5Util.convertCurve(ecP.getCurve(), ecP.getSeed()); + + ecSpec = new ECNamedCurveSpec( + ECUtil.getCurveName(oid), + ellipticCurve, + new ECPoint( + ecP.getG().getX().toBigInteger(), + ecP.getG().getY().toBigInteger()), + ecP.getN(), + ecP.getH()); + } + } + else if (params.isImplicitlyCA()) + { + ecSpec = null; + } + else + { + X9ECParameters ecP = X9ECParameters.getInstance(params.getParameters()); + EllipticCurve ellipticCurve = EC5Util.convertCurve(ecP.getCurve(), ecP.getSeed()); + + this.ecSpec = new ECParameterSpec( + ellipticCurve, + new ECPoint( + ecP.getG().getX().toBigInteger(), + ecP.getG().getY().toBigInteger()), + ecP.getN(), + ecP.getH().intValue()); + } + + ASN1Encodable privKey = info.parsePrivateKey(); + if (privKey instanceof DERInteger) + { + DERInteger derD = DERInteger.getInstance(privKey); + + this.d = derD.getValue(); + } + else + { + ECPrivateKeyStructure ec = new ECPrivateKeyStructure((ASN1Sequence)privKey); + + this.d = ec.getKey(); + this.publicKey = ec.getPublicKey(); + } + } + + public String getAlgorithm() + { + return algorithm; + } + + /** + * return the encoding format we produce in getEncoded(). + * + * @return the string "PKCS#8" + */ + public String getFormat() + { + return "PKCS#8"; + } + + /** + * Return a PKCS8 representation of the key. The sequence returned + * represents a full PrivateKeyInfo object. + * + * @return a PKCS8 representation of the key. + */ + public byte[] getEncoded() + { + X962Parameters params; + + if (ecSpec instanceof ECNamedCurveSpec) + { + DERObjectIdentifier curveOid = ECUtil.getNamedCurveOid(((ECNamedCurveSpec)ecSpec).getName()); + if (curveOid == null) // guess it's the OID + { + curveOid = new DERObjectIdentifier(((ECNamedCurveSpec)ecSpec).getName()); + } + params = new X962Parameters(curveOid); + } + else if (ecSpec == null) + { + params = new X962Parameters(DERNull.INSTANCE); + } + else + { + ECCurve curve = EC5Util.convertCurve(ecSpec.getCurve()); + + X9ECParameters ecP = new X9ECParameters( + curve, + EC5Util.convertPoint(curve, ecSpec.getGenerator(), withCompression), + ecSpec.getOrder(), + BigInteger.valueOf(ecSpec.getCofactor()), + ecSpec.getCurve().getSeed()); + + params = new X962Parameters(ecP); + } + + PrivateKeyInfo info; + ECPrivateKeyStructure keyStructure; + + if (publicKey != null) + { + keyStructure = new ECPrivateKeyStructure(this.getS(), publicKey, params); + } + else + { + keyStructure = new ECPrivateKeyStructure(this.getS(), params); + } + + try + { + if (algorithm.equals("ECGOST3410")) + { + info = new PrivateKeyInfo(new AlgorithmIdentifier(CryptoProObjectIdentifiers.gostR3410_2001, params.toASN1Primitive()), keyStructure.toASN1Primitive()); + } + else + { + + info = new PrivateKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, params.toASN1Primitive()), keyStructure.toASN1Primitive()); + } + + return info.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + return null; + } + } + + public ECParameterSpec getParams() + { + return ecSpec; + } + + public org.bouncycastle.jce.spec.ECParameterSpec getParameters() + { + if (ecSpec == null) + { + return null; + } + + return EC5Util.convertSpec(ecSpec, withCompression); + } + + org.bouncycastle.jce.spec.ECParameterSpec engineGetSpec() + { + if (ecSpec != null) + { + return EC5Util.convertSpec(ecSpec, withCompression); + } + + return BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa(); + } + + public BigInteger getS() + { + return d; + } + + public BigInteger getD() + { + return d; + } + + public void setBagAttribute( + ASN1ObjectIdentifier oid, + ASN1Encodable attribute) + { + attrCarrier.setBagAttribute(oid, attribute); + } + + public ASN1Encodable getBagAttribute( + ASN1ObjectIdentifier oid) + { + return attrCarrier.getBagAttribute(oid); + } + + public Enumeration getBagAttributeKeys() + { + return attrCarrier.getBagAttributeKeys(); + } + + public void setPointFormat(String style) + { + withCompression = !("UNCOMPRESSED".equalsIgnoreCase(style)); + } + + public boolean equals(Object o) + { + if (!(o instanceof JCEECPrivateKey)) + { + return false; + } + + JCEECPrivateKey other = (JCEECPrivateKey)o; + + return getD().equals(other.getD()) && (engineGetSpec().equals(other.engineGetSpec())); + } + + public int hashCode() + { + return getD().hashCode() ^ engineGetSpec().hashCode(); + } + + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append("EC Private Key").append(nl); + buf.append(" S: ").append(this.d.toString(16)).append(nl); + + return buf.toString(); + + } + + private DERBitString getPublicKeyDetails(JCEECPublicKey pub) + { + try + { + SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(ASN1Primitive.fromByteArray(pub.getEncoded())); + + return info.getPublicKeyData(); + } + catch (IOException e) + { // should never happen + return null; + } + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + byte[] enc = (byte[])in.readObject(); + + populateFromPrivKeyInfo(PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(enc))); + + this.algorithm = (String)in.readObject(); + this.withCompression = in.readBoolean(); + this.attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + attrCarrier.readObject(in); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(this.getEncoded()); + out.writeObject(algorithm); + out.writeBoolean(withCompression); + + attrCarrier.writeObject(out); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEECPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEECPublicKey.java new file mode 100644 index 00000000..00df81f9 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEECPublicKey.java @@ -0,0 +1,525 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.interfaces.ECPublicKey; +import java.security.spec.ECParameterSpec; +import java.security.spec.ECPoint; +import java.security.spec.ECPublicKeySpec; +import java.security.spec.EllipticCurve; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.cryptopro.ECGOST3410NamedCurves; +import org.bouncycastle.asn1.cryptopro.GOST3410PublicKeyAlgParameters; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x9.X962Parameters; +import org.bouncycastle.asn1.x9.X9ECParameters; +import org.bouncycastle.asn1.x9.X9ECPoint; +import org.bouncycastle.asn1.x9.X9IntegerConverter; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.crypto.params.ECDomainParameters; +import org.bouncycastle.crypto.params.ECPublicKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util; +import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil; +import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; +import org.bouncycastle.jce.ECGOST3410NamedCurveTable; +import org.bouncycastle.jce.interfaces.ECPointEncoder; +import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec; +import org.bouncycastle.jce.spec.ECNamedCurveSpec; +import org.bouncycastle.math.ec.ECCurve; + +public class JCEECPublicKey + implements ECPublicKey, org.bouncycastle.jce.interfaces.ECPublicKey, ECPointEncoder +{ + private String algorithm = "EC"; + private org.bouncycastle.math.ec.ECPoint q; + private ECParameterSpec ecSpec; + private boolean withCompression; + private GOST3410PublicKeyAlgParameters gostParams; + + public JCEECPublicKey( + String algorithm, + JCEECPublicKey key) + { + this.algorithm = algorithm; + this.q = key.q; + this.ecSpec = key.ecSpec; + this.withCompression = key.withCompression; + this.gostParams = key.gostParams; + } + + public JCEECPublicKey( + String algorithm, + ECPublicKeySpec spec) + { + this.algorithm = algorithm; + this.ecSpec = spec.getParams(); + this.q = EC5Util.convertPoint(ecSpec, spec.getW(), false); + } + + public JCEECPublicKey( + String algorithm, + org.bouncycastle.jce.spec.ECPublicKeySpec spec) + { + this.algorithm = algorithm; + this.q = spec.getQ(); + + if (spec.getParams() != null) // can be null if implictlyCa + { + ECCurve curve = spec.getParams().getCurve(); + EllipticCurve ellipticCurve = EC5Util.convertCurve(curve, spec.getParams().getSeed()); + + this.ecSpec = EC5Util.convertSpec(ellipticCurve, spec.getParams()); + } + else + { + if (q.getCurve() == null) + { + org.bouncycastle.jce.spec.ECParameterSpec s = BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa(); + + q = s.getCurve().createPoint(q.getX().toBigInteger(), q.getY().toBigInteger(), false); + } + this.ecSpec = null; + } + } + + public JCEECPublicKey( + String algorithm, + ECPublicKeyParameters params, + ECParameterSpec spec) + { + ECDomainParameters dp = params.getParameters(); + + this.algorithm = algorithm; + this.q = params.getQ(); + + if (spec == null) + { + EllipticCurve ellipticCurve = EC5Util.convertCurve(dp.getCurve(), dp.getSeed()); + + this.ecSpec = createSpec(ellipticCurve, dp); + } + else + { + this.ecSpec = spec; + } + } + + public JCEECPublicKey( + String algorithm, + ECPublicKeyParameters params, + org.bouncycastle.jce.spec.ECParameterSpec spec) + { + ECDomainParameters dp = params.getParameters(); + + this.algorithm = algorithm; + this.q = params.getQ(); + + if (spec == null) + { + EllipticCurve ellipticCurve = EC5Util.convertCurve(dp.getCurve(), dp.getSeed()); + + this.ecSpec = createSpec(ellipticCurve, dp); + } + else + { + EllipticCurve ellipticCurve = EC5Util.convertCurve(spec.getCurve(), spec.getSeed()); + + this.ecSpec = EC5Util.convertSpec(ellipticCurve, spec); + } + } + + /* + * called for implicitCA + */ + public JCEECPublicKey( + String algorithm, + ECPublicKeyParameters params) + { + this.algorithm = algorithm; + this.q = params.getQ(); + this.ecSpec = null; + } + + private ECParameterSpec createSpec(EllipticCurve ellipticCurve, ECDomainParameters dp) + { + return new ECParameterSpec( + ellipticCurve, + new ECPoint( + dp.getG().getX().toBigInteger(), + dp.getG().getY().toBigInteger()), + dp.getN(), + dp.getH().intValue()); + } + + public JCEECPublicKey( + ECPublicKey key) + { + this.algorithm = key.getAlgorithm(); + this.ecSpec = key.getParams(); + this.q = EC5Util.convertPoint(this.ecSpec, key.getW(), false); + } + + JCEECPublicKey( + SubjectPublicKeyInfo info) + { + populateFromPubKeyInfo(info); + } + + private void populateFromPubKeyInfo(SubjectPublicKeyInfo info) + { + if (info.getAlgorithmId().getObjectId().equals(CryptoProObjectIdentifiers.gostR3410_2001)) + { + DERBitString bits = info.getPublicKeyData(); + ASN1OctetString key; + this.algorithm = "ECGOST3410"; + + try + { + key = (ASN1OctetString) ASN1Primitive.fromByteArray(bits.getBytes()); + } + catch (IOException ex) + { + throw new IllegalArgumentException("error recovering public key"); + } + + byte[] keyEnc = key.getOctets(); + byte[] x = new byte[32]; + byte[] y = new byte[32]; + + for (int i = 0; i != x.length; i++) + { + x[i] = keyEnc[32 - 1 - i]; + } + + for (int i = 0; i != y.length; i++) + { + y[i] = keyEnc[64 - 1 - i]; + } + + gostParams = new GOST3410PublicKeyAlgParameters((ASN1Sequence)info.getAlgorithmId().getParameters()); + + ECNamedCurveParameterSpec spec = ECGOST3410NamedCurveTable.getParameterSpec(ECGOST3410NamedCurves.getName(gostParams.getPublicKeyParamSet())); + + ECCurve curve = spec.getCurve(); + EllipticCurve ellipticCurve = EC5Util.convertCurve(curve, spec.getSeed()); + + this.q = curve.createPoint(new BigInteger(1, x), new BigInteger(1, y), false); + + ecSpec = new ECNamedCurveSpec( + ECGOST3410NamedCurves.getName(gostParams.getPublicKeyParamSet()), + ellipticCurve, + new ECPoint( + spec.getG().getX().toBigInteger(), + spec.getG().getY().toBigInteger()), + spec.getN(), spec.getH()); + + } + else + { + X962Parameters params = new X962Parameters((ASN1Primitive)info.getAlgorithmId().getParameters()); + ECCurve curve; + EllipticCurve ellipticCurve; + + if (params.isNamedCurve()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)params.getParameters(); + X9ECParameters ecP = ECUtil.getNamedCurveByOid(oid); + + curve = ecP.getCurve(); + ellipticCurve = EC5Util.convertCurve(curve, ecP.getSeed()); + + ecSpec = new ECNamedCurveSpec( + ECUtil.getCurveName(oid), + ellipticCurve, + new ECPoint( + ecP.getG().getX().toBigInteger(), + ecP.getG().getY().toBigInteger()), + ecP.getN(), + ecP.getH()); + } + else if (params.isImplicitlyCA()) + { + ecSpec = null; + curve = BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa().getCurve(); + } + else + { + X9ECParameters ecP = X9ECParameters.getInstance(params.getParameters()); + + curve = ecP.getCurve(); + ellipticCurve = EC5Util.convertCurve(curve, ecP.getSeed()); + + this.ecSpec = new ECParameterSpec( + ellipticCurve, + new ECPoint( + ecP.getG().getX().toBigInteger(), + ecP.getG().getY().toBigInteger()), + ecP.getN(), + ecP.getH().intValue()); + } + + DERBitString bits = info.getPublicKeyData(); + byte[] data = bits.getBytes(); + ASN1OctetString key = new DEROctetString(data); + + // + // extra octet string - one of our old certs... + // + if (data[0] == 0x04 && data[1] == data.length - 2 + && (data[2] == 0x02 || data[2] == 0x03)) + { + int qLength = new X9IntegerConverter().getByteLength(curve); + + if (qLength >= data.length - 3) + { + try + { + key = (ASN1OctetString) ASN1Primitive.fromByteArray(data); + } + catch (IOException ex) + { + throw new IllegalArgumentException("error recovering public key"); + } + } + } + X9ECPoint derQ = new X9ECPoint(curve, key); + + this.q = derQ.getPoint(); + } + } + + public String getAlgorithm() + { + return algorithm; + } + + public String getFormat() + { + return "X.509"; + } + + public byte[] getEncoded() + { + ASN1Encodable params; + SubjectPublicKeyInfo info; + + if (algorithm.equals("ECGOST3410")) + { + if (gostParams != null) + { + params = gostParams; + } + else + { + if (ecSpec instanceof ECNamedCurveSpec) + { + params = new GOST3410PublicKeyAlgParameters( + ECGOST3410NamedCurves.getOID(((ECNamedCurveSpec)ecSpec).getName()), + CryptoProObjectIdentifiers.gostR3411_94_CryptoProParamSet); + } + else + { // strictly speaking this may not be applicable... + ECCurve curve = EC5Util.convertCurve(ecSpec.getCurve()); + + X9ECParameters ecP = new X9ECParameters( + curve, + EC5Util.convertPoint(curve, ecSpec.getGenerator(), withCompression), + ecSpec.getOrder(), + BigInteger.valueOf(ecSpec.getCofactor()), + ecSpec.getCurve().getSeed()); + + params = new X962Parameters(ecP); + } + } + + BigInteger bX = this.q.getX().toBigInteger(); + BigInteger bY = this.q.getY().toBigInteger(); + byte[] encKey = new byte[64]; + + extractBytes(encKey, 0, bX); + extractBytes(encKey, 32, bY); + + try + { + info = new SubjectPublicKeyInfo(new AlgorithmIdentifier(CryptoProObjectIdentifiers.gostR3410_2001, params), new DEROctetString(encKey)); + } + catch (IOException e) + { + return null; + } + } + else + { + if (ecSpec instanceof ECNamedCurveSpec) + { + ASN1ObjectIdentifier curveOid = ECUtil.getNamedCurveOid(((ECNamedCurveSpec)ecSpec).getName()); + if (curveOid == null) + { + curveOid = new ASN1ObjectIdentifier(((ECNamedCurveSpec)ecSpec).getName()); + } + params = new X962Parameters(curveOid); + } + else if (ecSpec == null) + { + params = new X962Parameters(DERNull.INSTANCE); + } + else + { + ECCurve curve = EC5Util.convertCurve(ecSpec.getCurve()); + + X9ECParameters ecP = new X9ECParameters( + curve, + EC5Util.convertPoint(curve, ecSpec.getGenerator(), withCompression), + ecSpec.getOrder(), + BigInteger.valueOf(ecSpec.getCofactor()), + ecSpec.getCurve().getSeed()); + + params = new X962Parameters(ecP); + } + + ECCurve curve = this.engineGetQ().getCurve(); + ASN1OctetString p = (ASN1OctetString) + new X9ECPoint(curve.createPoint(this.getQ().getX().toBigInteger(), this.getQ().getY().toBigInteger(), withCompression)).toASN1Primitive(); + + info = new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, params), p.getOctets()); + } + + return KeyUtil.getEncodedSubjectPublicKeyInfo(info); + } + + private void extractBytes(byte[] encKey, int offSet, BigInteger bI) + { + byte[] val = bI.toByteArray(); + if (val.length < 32) + { + byte[] tmp = new byte[32]; + System.arraycopy(val, 0, tmp, tmp.length - val.length, val.length); + val = tmp; + } + + for (int i = 0; i != 32; i++) + { + encKey[offSet + i] = val[val.length - 1 - i]; + } + } + + public ECParameterSpec getParams() + { + return ecSpec; + } + + public org.bouncycastle.jce.spec.ECParameterSpec getParameters() + { + if (ecSpec == null) // implictlyCA + { + return null; + } + + return EC5Util.convertSpec(ecSpec, withCompression); + } + + public ECPoint getW() + { + return new ECPoint(q.getX().toBigInteger(), q.getY().toBigInteger()); + } + + public org.bouncycastle.math.ec.ECPoint getQ() + { + if (ecSpec == null) + { + if (q instanceof org.bouncycastle.math.ec.ECPoint.Fp) + { + return new org.bouncycastle.math.ec.ECPoint.Fp(null, q.getX(), q.getY()); + } + else + { + return new org.bouncycastle.math.ec.ECPoint.F2m(null, q.getX(), q.getY()); + } + } + + return q; + } + + public org.bouncycastle.math.ec.ECPoint engineGetQ() + { + return q; + } + + org.bouncycastle.jce.spec.ECParameterSpec engineGetSpec() + { + if (ecSpec != null) + { + return EC5Util.convertSpec(ecSpec, withCompression); + } + + return BouncyCastleProvider.CONFIGURATION.getEcImplicitlyCa(); + } + + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append("EC Public Key").append(nl); + buf.append(" X: ").append(this.q.getX().toBigInteger().toString(16)).append(nl); + buf.append(" Y: ").append(this.q.getY().toBigInteger().toString(16)).append(nl); + + return buf.toString(); + + } + + public void setPointFormat(String style) + { + withCompression = !("UNCOMPRESSED".equalsIgnoreCase(style)); + } + + public boolean equals(Object o) + { + if (!(o instanceof JCEECPublicKey)) + { + return false; + } + + JCEECPublicKey other = (JCEECPublicKey)o; + + return engineGetQ().equals(other.engineGetQ()) && (engineGetSpec().equals(other.engineGetSpec())); + } + + public int hashCode() + { + return engineGetQ().hashCode() ^ engineGetSpec().hashCode(); + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + byte[] enc = (byte[])in.readObject(); + + populateFromPubKeyInfo(SubjectPublicKeyInfo.getInstance(ASN1Primitive.fromByteArray(enc))); + + this.algorithm = (String)in.readObject(); + this.withCompression = in.readBoolean(); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(this.getEncoded()); + out.writeObject(algorithm); + out.writeBoolean(withCompression); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEElGamalPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEElGamalPrivateKey.java new file mode 100644 index 00000000..afaddfa0 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEElGamalPrivateKey.java @@ -0,0 +1,167 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.util.Enumeration; + +import javax.crypto.interfaces.DHPrivateKey; +import javax.crypto.spec.DHParameterSpec; +import javax.crypto.spec.DHPrivateKeySpec; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.oiw.ElGamalParameter; +import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.crypto.params.ElGamalPrivateKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; +import org.bouncycastle.jcajce.provider.asymmetric.util.PKCS12BagAttributeCarrierImpl; +import org.bouncycastle.jce.interfaces.ElGamalPrivateKey; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.spec.ElGamalParameterSpec; +import org.bouncycastle.jce.spec.ElGamalPrivateKeySpec; + +public class JCEElGamalPrivateKey + implements ElGamalPrivateKey, DHPrivateKey, PKCS12BagAttributeCarrier +{ + static final long serialVersionUID = 4819350091141529678L; + + BigInteger x; + + ElGamalParameterSpec elSpec; + + private PKCS12BagAttributeCarrierImpl attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + protected JCEElGamalPrivateKey() + { + } + + JCEElGamalPrivateKey( + ElGamalPrivateKey key) + { + this.x = key.getX(); + this.elSpec = key.getParameters(); + } + + JCEElGamalPrivateKey( + DHPrivateKey key) + { + this.x = key.getX(); + this.elSpec = new ElGamalParameterSpec(key.getParams().getP(), key.getParams().getG()); + } + + JCEElGamalPrivateKey( + ElGamalPrivateKeySpec spec) + { + this.x = spec.getX(); + this.elSpec = new ElGamalParameterSpec(spec.getParams().getP(), spec.getParams().getG()); + } + + JCEElGamalPrivateKey( + DHPrivateKeySpec spec) + { + this.x = spec.getX(); + this.elSpec = new ElGamalParameterSpec(spec.getP(), spec.getG()); + } + + JCEElGamalPrivateKey( + PrivateKeyInfo info) + throws IOException + { + ElGamalParameter params = new ElGamalParameter((ASN1Sequence)info.getAlgorithmId().getParameters()); + DERInteger derX = ASN1Integer.getInstance(info.parsePrivateKey()); + + this.x = derX.getValue(); + this.elSpec = new ElGamalParameterSpec(params.getP(), params.getG()); + } + + JCEElGamalPrivateKey( + ElGamalPrivateKeyParameters params) + { + this.x = params.getX(); + this.elSpec = new ElGamalParameterSpec(params.getParameters().getP(), params.getParameters().getG()); + } + + public String getAlgorithm() + { + return "ElGamal"; + } + + /** + * return the encoding format we produce in getEncoded(). + * + * @return the string "PKCS#8" + */ + public String getFormat() + { + return "PKCS#8"; + } + + /** + * Return a PKCS8 representation of the key. The sequence returned + * represents a full PrivateKeyInfo object. + * + * @return a PKCS8 representation of the key. + */ + public byte[] getEncoded() + { + return KeyUtil.getEncodedPrivateKeyInfo(new AlgorithmIdentifier(OIWObjectIdentifiers.elGamalAlgorithm, new ElGamalParameter(elSpec.getP(), elSpec.getG())), new DERInteger(getX())); + } + + public ElGamalParameterSpec getParameters() + { + return elSpec; + } + + public DHParameterSpec getParams() + { + return new DHParameterSpec(elSpec.getP(), elSpec.getG()); + } + + public BigInteger getX() + { + return x; + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + x = (BigInteger)in.readObject(); + + this.elSpec = new ElGamalParameterSpec((BigInteger)in.readObject(), (BigInteger)in.readObject()); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(this.getX()); + out.writeObject(elSpec.getP()); + out.writeObject(elSpec.getG()); + } + + public void setBagAttribute( + ASN1ObjectIdentifier oid, + ASN1Encodable attribute) + { + attrCarrier.setBagAttribute(oid, attribute); + } + + public ASN1Encodable getBagAttribute( + ASN1ObjectIdentifier oid) + { + return attrCarrier.getBagAttribute(oid); + } + + public Enumeration getBagAttributeKeys() + { + return attrCarrier.getBagAttributeKeys(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEElGamalPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEElGamalPublicKey.java new file mode 100644 index 00000000..cb7a0abf --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEElGamalPublicKey.java @@ -0,0 +1,140 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; + +import javax.crypto.interfaces.DHPublicKey; +import javax.crypto.spec.DHParameterSpec; +import javax.crypto.spec.DHPublicKeySpec; + +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.oiw.ElGamalParameter; +import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.crypto.params.ElGamalPublicKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; +import org.bouncycastle.jce.interfaces.ElGamalPublicKey; +import org.bouncycastle.jce.spec.ElGamalParameterSpec; +import org.bouncycastle.jce.spec.ElGamalPublicKeySpec; + +public class JCEElGamalPublicKey + implements ElGamalPublicKey, DHPublicKey +{ + static final long serialVersionUID = 8712728417091216948L; + + private BigInteger y; + private ElGamalParameterSpec elSpec; + + JCEElGamalPublicKey( + ElGamalPublicKeySpec spec) + { + this.y = spec.getY(); + this.elSpec = new ElGamalParameterSpec(spec.getParams().getP(), spec.getParams().getG()); + } + + JCEElGamalPublicKey( + DHPublicKeySpec spec) + { + this.y = spec.getY(); + this.elSpec = new ElGamalParameterSpec(spec.getP(), spec.getG()); + } + + JCEElGamalPublicKey( + ElGamalPublicKey key) + { + this.y = key.getY(); + this.elSpec = key.getParameters(); + } + + JCEElGamalPublicKey( + DHPublicKey key) + { + this.y = key.getY(); + this.elSpec = new ElGamalParameterSpec(key.getParams().getP(), key.getParams().getG()); + } + + JCEElGamalPublicKey( + ElGamalPublicKeyParameters params) + { + this.y = params.getY(); + this.elSpec = new ElGamalParameterSpec(params.getParameters().getP(), params.getParameters().getG()); + } + + JCEElGamalPublicKey( + BigInteger y, + ElGamalParameterSpec elSpec) + { + this.y = y; + this.elSpec = elSpec; + } + + JCEElGamalPublicKey( + SubjectPublicKeyInfo info) + { + ElGamalParameter params = new ElGamalParameter((ASN1Sequence)info.getAlgorithmId().getParameters()); + DERInteger derY = null; + + try + { + derY = (DERInteger)info.parsePublicKey(); + } + catch (IOException e) + { + throw new IllegalArgumentException("invalid info structure in DSA public key"); + } + + this.y = derY.getValue(); + this.elSpec = new ElGamalParameterSpec(params.getP(), params.getG()); + } + + public String getAlgorithm() + { + return "ElGamal"; + } + + public String getFormat() + { + return "X.509"; + } + + public byte[] getEncoded() + { + return KeyUtil.getEncodedSubjectPublicKeyInfo(new AlgorithmIdentifier(OIWObjectIdentifiers.elGamalAlgorithm, new ElGamalParameter(elSpec.getP(), elSpec.getG())), new DERInteger(y)); + } + + public ElGamalParameterSpec getParameters() + { + return elSpec; + } + + public DHParameterSpec getParams() + { + return new DHParameterSpec(elSpec.getP(), elSpec.getG()); + } + + public BigInteger getY() + { + return y; + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + this.y = (BigInteger)in.readObject(); + this.elSpec = new ElGamalParameterSpec((BigInteger)in.readObject(), (BigInteger)in.readObject()); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(this.getY()); + out.writeObject(elSpec.getP()); + out.writeObject(elSpec.getG()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPrivateCrtKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPrivateCrtKey.java new file mode 100644 index 00000000..f9bb5dd3 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPrivateCrtKey.java @@ -0,0 +1,241 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.interfaces.RSAPrivateCrtKey; +import java.security.spec.RSAPrivateCrtKeySpec; + +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.pkcs.RSAPrivateKey; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; + +/** + * A provider representation for a RSA private key, with CRT factors included. + */ +public class JCERSAPrivateCrtKey + extends JCERSAPrivateKey + implements RSAPrivateCrtKey +{ + static final long serialVersionUID = 7834723820638524718L; + + private BigInteger publicExponent; + private BigInteger primeP; + private BigInteger primeQ; + private BigInteger primeExponentP; + private BigInteger primeExponentQ; + private BigInteger crtCoefficient; + + /** + * construct a private key from it's org.bouncycastle.crypto equivalent. + * + * @param key the parameters object representing the private key. + */ + JCERSAPrivateCrtKey( + RSAPrivateCrtKeyParameters key) + { + super(key); + + this.publicExponent = key.getPublicExponent(); + this.primeP = key.getP(); + this.primeQ = key.getQ(); + this.primeExponentP = key.getDP(); + this.primeExponentQ = key.getDQ(); + this.crtCoefficient = key.getQInv(); + } + + /** + * construct a private key from an RSAPrivateCrtKeySpec + * + * @param spec the spec to be used in construction. + */ + JCERSAPrivateCrtKey( + RSAPrivateCrtKeySpec spec) + { + this.modulus = spec.getModulus(); + this.publicExponent = spec.getPublicExponent(); + this.privateExponent = spec.getPrivateExponent(); + this.primeP = spec.getPrimeP(); + this.primeQ = spec.getPrimeQ(); + this.primeExponentP = spec.getPrimeExponentP(); + this.primeExponentQ = spec.getPrimeExponentQ(); + this.crtCoefficient = spec.getCrtCoefficient(); + } + + /** + * construct a private key from another RSAPrivateCrtKey. + * + * @param key the object implementing the RSAPrivateCrtKey interface. + */ + JCERSAPrivateCrtKey( + RSAPrivateCrtKey key) + { + this.modulus = key.getModulus(); + this.publicExponent = key.getPublicExponent(); + this.privateExponent = key.getPrivateExponent(); + this.primeP = key.getPrimeP(); + this.primeQ = key.getPrimeQ(); + this.primeExponentP = key.getPrimeExponentP(); + this.primeExponentQ = key.getPrimeExponentQ(); + this.crtCoefficient = key.getCrtCoefficient(); + } + + /** + * construct an RSA key from a private key info object. + */ + JCERSAPrivateCrtKey( + PrivateKeyInfo info) + throws IOException + { + this(org.bouncycastle.asn1.pkcs.RSAPrivateKey.getInstance(info.parsePrivateKey())); + } + + /** + * construct an RSA key from a ASN.1 RSA private key object. + */ + JCERSAPrivateCrtKey( + RSAPrivateKey key) + { + this.modulus = key.getModulus(); + this.publicExponent = key.getPublicExponent(); + this.privateExponent = key.getPrivateExponent(); + this.primeP = key.getPrime1(); + this.primeQ = key.getPrime2(); + this.primeExponentP = key.getExponent1(); + this.primeExponentQ = key.getExponent2(); + this.crtCoefficient = key.getCoefficient(); + } + + /** + * return the encoding format we produce in getEncoded(). + * + * @return the encoding format we produce in getEncoded(). + */ + public String getFormat() + { + return "PKCS#8"; + } + + /** + * Return a PKCS8 representation of the key. The sequence returned + * represents a full PrivateKeyInfo object. + * + * @return a PKCS8 representation of the key. + */ + public byte[] getEncoded() + { + return KeyUtil.getEncodedPrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE), new RSAPrivateKey(getModulus(), getPublicExponent(), getPrivateExponent(), getPrimeP(), getPrimeQ(), getPrimeExponentP(), getPrimeExponentQ(), getCrtCoefficient())); + } + + /** + * return the public exponent. + * + * @return the public exponent. + */ + public BigInteger getPublicExponent() + { + return publicExponent; + } + + /** + * return the prime P. + * + * @return the prime P. + */ + public BigInteger getPrimeP() + { + return primeP; + } + + /** + * return the prime Q. + * + * @return the prime Q. + */ + public BigInteger getPrimeQ() + { + return primeQ; + } + + /** + * return the prime exponent for P. + * + * @return the prime exponent for P. + */ + public BigInteger getPrimeExponentP() + { + return primeExponentP; + } + + /** + * return the prime exponent for Q. + * + * @return the prime exponent for Q. + */ + public BigInteger getPrimeExponentQ() + { + return primeExponentQ; + } + + /** + * return the CRT coefficient. + * + * @return the CRT coefficient. + */ + public BigInteger getCrtCoefficient() + { + return crtCoefficient; + } + + public int hashCode() + { + return this.getModulus().hashCode() + ^ this.getPublicExponent().hashCode() + ^ this.getPrivateExponent().hashCode(); + } + + public boolean equals(Object o) + { + if (o == this) + { + return true; + } + + if (!(o instanceof RSAPrivateCrtKey)) + { + return false; + } + + RSAPrivateCrtKey key = (RSAPrivateCrtKey)o; + + return this.getModulus().equals(key.getModulus()) + && this.getPublicExponent().equals(key.getPublicExponent()) + && this.getPrivateExponent().equals(key.getPrivateExponent()) + && this.getPrimeP().equals(key.getPrimeP()) + && this.getPrimeQ().equals(key.getPrimeQ()) + && this.getPrimeExponentP().equals(key.getPrimeExponentP()) + && this.getPrimeExponentQ().equals(key.getPrimeExponentQ()) + && this.getCrtCoefficient().equals(key.getCrtCoefficient()); + } + + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append("RSA Private CRT Key").append(nl); + buf.append(" modulus: ").append(this.getModulus().toString(16)).append(nl); + buf.append(" public exponent: ").append(this.getPublicExponent().toString(16)).append(nl); + buf.append(" private exponent: ").append(this.getPrivateExponent().toString(16)).append(nl); + buf.append(" primeP: ").append(this.getPrimeP().toString(16)).append(nl); + buf.append(" primeQ: ").append(this.getPrimeQ().toString(16)).append(nl); + buf.append(" primeExponentP: ").append(this.getPrimeExponentP().toString(16)).append(nl); + buf.append(" primeExponentQ: ").append(this.getPrimeExponentQ().toString(16)).append(nl); + buf.append(" crtCoefficient: ").append(this.getCrtCoefficient().toString(16)).append(nl); + + return buf.toString(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPrivateKey.java new file mode 100644 index 00000000..cacedd4b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPrivateKey.java @@ -0,0 +1,146 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.interfaces.RSAPrivateKey; +import java.security.spec.RSAPrivateKeySpec; +import java.util.Enumeration; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.crypto.params.RSAKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; +import org.bouncycastle.jcajce.provider.asymmetric.util.PKCS12BagAttributeCarrierImpl; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; + +public class JCERSAPrivateKey + implements RSAPrivateKey, PKCS12BagAttributeCarrier +{ + static final long serialVersionUID = 5110188922551353628L; + + private static BigInteger ZERO = BigInteger.valueOf(0); + + protected BigInteger modulus; + protected BigInteger privateExponent; + + private PKCS12BagAttributeCarrierImpl attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + protected JCERSAPrivateKey() + { + } + + JCERSAPrivateKey( + RSAKeyParameters key) + { + this.modulus = key.getModulus(); + this.privateExponent = key.getExponent(); + } + + JCERSAPrivateKey( + RSAPrivateKeySpec spec) + { + this.modulus = spec.getModulus(); + this.privateExponent = spec.getPrivateExponent(); + } + + JCERSAPrivateKey( + RSAPrivateKey key) + { + this.modulus = key.getModulus(); + this.privateExponent = key.getPrivateExponent(); + } + + public BigInteger getModulus() + { + return modulus; + } + + public BigInteger getPrivateExponent() + { + return privateExponent; + } + + public String getAlgorithm() + { + return "RSA"; + } + + public String getFormat() + { + return "PKCS#8"; + } + + public byte[] getEncoded() + { + return KeyUtil.getEncodedPrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE), new org.bouncycastle.asn1.pkcs.RSAPrivateKey(getModulus(), ZERO, getPrivateExponent(), ZERO, ZERO, ZERO, ZERO, ZERO)); + } + + public boolean equals(Object o) + { + if (!(o instanceof RSAPrivateKey)) + { + return false; + } + + if (o == this) + { + return true; + } + + RSAPrivateKey key = (RSAPrivateKey)o; + + return getModulus().equals(key.getModulus()) + && getPrivateExponent().equals(key.getPrivateExponent()); + } + + public int hashCode() + { + return getModulus().hashCode() ^ getPrivateExponent().hashCode(); + } + + public void setBagAttribute( + ASN1ObjectIdentifier oid, + ASN1Encodable attribute) + { + attrCarrier.setBagAttribute(oid, attribute); + } + + public ASN1Encodable getBagAttribute( + ASN1ObjectIdentifier oid) + { + return attrCarrier.getBagAttribute(oid); + } + + public Enumeration getBagAttributeKeys() + { + return attrCarrier.getBagAttributeKeys(); + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + this.modulus = (BigInteger)in.readObject(); + this.attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + attrCarrier.readObject(in); + + this.privateExponent = (BigInteger)in.readObject(); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(modulus); + + attrCarrier.writeObject(out); + + out.writeObject(privateExponent); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPublicKey.java new file mode 100644 index 00000000..a09295d5 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCERSAPublicKey.java @@ -0,0 +1,131 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.interfaces.RSAPublicKey; +import java.security.spec.RSAPublicKeySpec; + +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.RSAPublicKeyStructure; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.crypto.params.RSAKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; + +public class JCERSAPublicKey + implements RSAPublicKey +{ + static final long serialVersionUID = 2675817738516720772L; + + private BigInteger modulus; + private BigInteger publicExponent; + + JCERSAPublicKey( + RSAKeyParameters key) + { + this.modulus = key.getModulus(); + this.publicExponent = key.getExponent(); + } + + JCERSAPublicKey( + RSAPublicKeySpec spec) + { + this.modulus = spec.getModulus(); + this.publicExponent = spec.getPublicExponent(); + } + + JCERSAPublicKey( + RSAPublicKey key) + { + this.modulus = key.getModulus(); + this.publicExponent = key.getPublicExponent(); + } + + JCERSAPublicKey( + SubjectPublicKeyInfo info) + { + try + { + RSAPublicKeyStructure pubKey = new RSAPublicKeyStructure((ASN1Sequence)info.parsePublicKey()); + + this.modulus = pubKey.getModulus(); + this.publicExponent = pubKey.getPublicExponent(); + } + catch (IOException e) + { + throw new IllegalArgumentException("invalid info structure in RSA public key"); + } + } + + /** + * return the modulus. + * + * @return the modulus. + */ + public BigInteger getModulus() + { + return modulus; + } + + /** + * return the public exponent. + * + * @return the public exponent. + */ + public BigInteger getPublicExponent() + { + return publicExponent; + } + + public String getAlgorithm() + { + return "RSA"; + } + + public String getFormat() + { + return "X.509"; + } + + public byte[] getEncoded() + { + return KeyUtil.getEncodedSubjectPublicKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE), new RSAPublicKeyStructure(getModulus(), getPublicExponent())); + } + + public int hashCode() + { + return this.getModulus().hashCode() ^ this.getPublicExponent().hashCode(); + } + + public boolean equals(Object o) + { + if (o == this) + { + return true; + } + + if (!(o instanceof RSAPublicKey)) + { + return false; + } + + RSAPublicKey key = (RSAPublicKey)o; + + return getModulus().equals(key.getModulus()) + && getPublicExponent().equals(key.getPublicExponent()); + } + + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append("RSA Public Key").append(nl); + buf.append(" modulus: ").append(this.getModulus().toString(16)).append(nl); + buf.append(" public exponent: ").append(this.getPublicExponent().toString(16)).append(nl); + + return buf.toString(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEStreamCipher.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEStreamCipher.java new file mode 100644 index 00000000..46104b27 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JCEStreamCipher.java @@ -0,0 +1,613 @@ +package org.bouncycastle.jce.provider; + +import java.security.AlgorithmParameters; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.Key; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.SecureRandom; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.CipherSpi; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.ShortBufferException; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEParameterSpec; +import javax.crypto.spec.RC2ParameterSpec; +import javax.crypto.spec.RC5ParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.crypto.BlockCipher; +import org.bouncycastle.crypto.CipherParameters; +import org.bouncycastle.crypto.DataLengthException; +import org.bouncycastle.crypto.StreamBlockCipher; +import org.bouncycastle.crypto.StreamCipher; +import org.bouncycastle.crypto.engines.BlowfishEngine; +import org.bouncycastle.crypto.engines.DESEngine; +import org.bouncycastle.crypto.engines.DESedeEngine; +import org.bouncycastle.crypto.engines.RC4Engine; +import org.bouncycastle.crypto.engines.SkipjackEngine; +import org.bouncycastle.crypto.engines.TwofishEngine; +import org.bouncycastle.crypto.modes.CFBBlockCipher; +import org.bouncycastle.crypto.modes.OFBBlockCipher; +import org.bouncycastle.crypto.params.KeyParameter; +import org.bouncycastle.crypto.params.ParametersWithIV; +import org.bouncycastle.jcajce.provider.symmetric.util.BCPBEKey; +import org.bouncycastle.jcajce.provider.symmetric.util.PBE; + +public class JCEStreamCipher + extends CipherSpi + implements PBE +{ + // + // specs we can handle. + // + private Class[] availableSpecs = + { + RC2ParameterSpec.class, + RC5ParameterSpec.class, + IvParameterSpec.class, + PBEParameterSpec.class + }; + + private StreamCipher cipher; + private ParametersWithIV ivParam; + + private int ivLength = 0; + + private PBEParameterSpec pbeSpec = null; + private String pbeAlgorithm = null; + + private AlgorithmParameters engineParams; + + protected JCEStreamCipher( + StreamCipher engine, + int ivLength) + { + cipher = engine; + this.ivLength = ivLength; + } + + protected JCEStreamCipher( + BlockCipher engine, + int ivLength) + { + this.ivLength = ivLength; + + cipher = new StreamBlockCipher(engine); + } + + protected int engineGetBlockSize() + { + return 0; + } + + protected byte[] engineGetIV() + { + return (ivParam != null) ? ivParam.getIV() : null; + } + + protected int engineGetKeySize( + Key key) + { + return key.getEncoded().length * 8; + } + + protected int engineGetOutputSize( + int inputLen) + { + return inputLen; + } + + protected AlgorithmParameters engineGetParameters() + { + if (engineParams == null) + { + if (pbeSpec != null) + { + try + { + AlgorithmParameters engineParams = AlgorithmParameters.getInstance(pbeAlgorithm, BouncyCastleProvider.PROVIDER_NAME); + engineParams.init(pbeSpec); + + return engineParams; + } + catch (Exception e) + { + return null; + } + } + } + + return engineParams; + } + + /** + * should never be called. + */ + protected void engineSetMode( + String mode) + { + if (!mode.equalsIgnoreCase("ECB")) + { + throw new IllegalArgumentException("can't support mode " + mode); + } + } + + /** + * should never be called. + */ + protected void engineSetPadding( + String padding) + throws NoSuchPaddingException + { + if (!padding.equalsIgnoreCase("NoPadding")) + { + throw new NoSuchPaddingException("Padding " + padding + " unknown."); + } + } + + protected void engineInit( + int opmode, + Key key, + AlgorithmParameterSpec params, + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException + { + CipherParameters param; + + this.pbeSpec = null; + this.pbeAlgorithm = null; + + this.engineParams = null; + + // + // basic key check + // + if (!(key instanceof SecretKey)) + { + throw new InvalidKeyException("Key for algorithm " + key.getAlgorithm() + " not suitable for symmetric enryption."); + } + + if (key instanceof BCPBEKey) + { + BCPBEKey k = (BCPBEKey)key; + + if (k.getOID() != null) + { + pbeAlgorithm = k.getOID().getId(); + } + else + { + pbeAlgorithm = k.getAlgorithm(); + } + + if (k.getParam() != null) + { + param = k.getParam(); + pbeSpec = new PBEParameterSpec(k.getSalt(), k.getIterationCount()); + } + else if (params instanceof PBEParameterSpec) + { + param = PBE.Util.makePBEParameters(k, params, cipher.getAlgorithmName()); + pbeSpec = (PBEParameterSpec)params; + } + else + { + throw new InvalidAlgorithmParameterException("PBE requires PBE parameters to be set."); + } + + if (k.getIvSize() != 0) + { + ivParam = (ParametersWithIV)param; + } + } + else if (params == null) + { + param = new KeyParameter(key.getEncoded()); + } + else if (params instanceof IvParameterSpec) + { + param = new ParametersWithIV(new KeyParameter(key.getEncoded()), ((IvParameterSpec)params).getIV()); + ivParam = (ParametersWithIV)param; + } + else + { + throw new IllegalArgumentException("unknown parameter type."); + } + + if ((ivLength != 0) && !(param instanceof ParametersWithIV)) + { + SecureRandom ivRandom = random; + + if (ivRandom == null) + { + ivRandom = new SecureRandom(); + } + + if ((opmode == Cipher.ENCRYPT_MODE) || (opmode == Cipher.WRAP_MODE)) + { + byte[] iv = new byte[ivLength]; + + ivRandom.nextBytes(iv); + param = new ParametersWithIV(param, iv); + ivParam = (ParametersWithIV)param; + } + else + { + throw new InvalidAlgorithmParameterException("no IV set when one expected"); + } + } + + switch (opmode) + { + case Cipher.ENCRYPT_MODE: + case Cipher.WRAP_MODE: + cipher.init(true, param); + break; + case Cipher.DECRYPT_MODE: + case Cipher.UNWRAP_MODE: + cipher.init(false, param); + break; + default: + System.out.println("eeek!"); + } + } + + protected void engineInit( + int opmode, + Key key, + AlgorithmParameters params, + SecureRandom random) + throws InvalidKeyException, InvalidAlgorithmParameterException + { + AlgorithmParameterSpec paramSpec = null; + + if (params != null) + { + for (int i = 0; i != availableSpecs.length; i++) + { + try + { + paramSpec = params.getParameterSpec(availableSpecs[i]); + break; + } + catch (Exception e) + { + continue; + } + } + + if (paramSpec == null) + { + throw new InvalidAlgorithmParameterException("can't handle parameter " + params.toString()); + } + } + + engineInit(opmode, key, paramSpec, random); + engineParams = params; + } + + protected void engineInit( + int opmode, + Key key, + SecureRandom random) + throws InvalidKeyException + { + try + { + engineInit(opmode, key, (AlgorithmParameterSpec)null, random); + } + catch (InvalidAlgorithmParameterException e) + { + throw new InvalidKeyException(e.getMessage()); + } + } + + protected byte[] engineUpdate( + byte[] input, + int inputOffset, + int inputLen) + { + byte[] out = new byte[inputLen]; + + cipher.processBytes(input, inputOffset, inputLen, out, 0); + + return out; + } + + protected int engineUpdate( + byte[] input, + int inputOffset, + int inputLen, + byte[] output, + int outputOffset) + throws ShortBufferException + { + try + { + cipher.processBytes(input, inputOffset, inputLen, output, outputOffset); + + return inputLen; + } + catch (DataLengthException e) + { + throw new ShortBufferException(e.getMessage()); + } + } + + protected byte[] engineDoFinal( + byte[] input, + int inputOffset, + int inputLen) + throws BadPaddingException, IllegalBlockSizeException + { + if (inputLen != 0) + { + byte[] out = engineUpdate(input, inputOffset, inputLen); + + cipher.reset(); + + return out; + } + + cipher.reset(); + + return new byte[0]; + } + + protected int engineDoFinal( + byte[] input, + int inputOffset, + int inputLen, + byte[] output, + int outputOffset) + throws BadPaddingException + { + if (inputLen != 0) + { + cipher.processBytes(input, inputOffset, inputLen, output, outputOffset); + } + + cipher.reset(); + + return inputLen; + } + + protected byte[] engineWrap( + Key key) + throws IllegalBlockSizeException, InvalidKeyException + { + byte[] encoded = key.getEncoded(); + if (encoded == null) + { + throw new InvalidKeyException("Cannot wrap key, null encoding."); + } + + try + { + return engineDoFinal(encoded, 0, encoded.length); + } + catch (BadPaddingException e) + { + throw new IllegalBlockSizeException(e.getMessage()); + } + } + + protected Key engineUnwrap( + byte[] wrappedKey, + String wrappedKeyAlgorithm, + int wrappedKeyType) + throws InvalidKeyException + { + byte[] encoded; + try + { + encoded = engineDoFinal(wrappedKey, 0, wrappedKey.length); + } + catch (BadPaddingException e) + { + throw new InvalidKeyException(e.getMessage()); + } + catch (IllegalBlockSizeException e2) + { + throw new InvalidKeyException(e2.getMessage()); + } + + if (wrappedKeyType == Cipher.SECRET_KEY) + { + return new SecretKeySpec(encoded, wrappedKeyAlgorithm); + } + else if (wrappedKeyAlgorithm.equals("") && wrappedKeyType == Cipher.PRIVATE_KEY) + { + /* + * The caller doesn't know the algorithm as it is part of + * the encrypted data. + */ + try + { + PrivateKeyInfo in = PrivateKeyInfo.getInstance(encoded); + + PrivateKey privKey = BouncyCastleProvider.getPrivateKey(in); + + if (privKey != null) + { + return privKey; + } + else + { + throw new InvalidKeyException("algorithm " + in.getPrivateKeyAlgorithm().getAlgorithm() + " not supported"); + } + } + catch (Exception e) + { + throw new InvalidKeyException("Invalid key encoding."); + } + } + else + { + try + { + KeyFactory kf = KeyFactory.getInstance(wrappedKeyAlgorithm, BouncyCastleProvider.PROVIDER_NAME); + + if (wrappedKeyType == Cipher.PUBLIC_KEY) + { + return kf.generatePublic(new X509EncodedKeySpec(encoded)); + } + else if (wrappedKeyType == Cipher.PRIVATE_KEY) + { + return kf.generatePrivate(new PKCS8EncodedKeySpec(encoded)); + } + } + catch (NoSuchProviderException e) + { + throw new InvalidKeyException("Unknown key type " + e.getMessage()); + } + catch (NoSuchAlgorithmException e) + { + throw new InvalidKeyException("Unknown key type " + e.getMessage()); + } + catch (InvalidKeySpecException e2) + { + throw new InvalidKeyException("Unknown key type " + e2.getMessage()); + } + + throw new InvalidKeyException("Unknown key type " + wrappedKeyType); + } + } + + /* + * The ciphers that inherit from us. + */ + + /** + * DES + */ + static public class DES_CFB8 + extends JCEStreamCipher + { + public DES_CFB8() + { + super(new CFBBlockCipher(new DESEngine(), 8), 64); + } + } + + /** + * DESede + */ + static public class DESede_CFB8 + extends JCEStreamCipher + { + public DESede_CFB8() + { + super(new CFBBlockCipher(new DESedeEngine(), 8), 64); + } + } + + /** + * SKIPJACK + */ + static public class Skipjack_CFB8 + extends JCEStreamCipher + { + public Skipjack_CFB8() + { + super(new CFBBlockCipher(new SkipjackEngine(), 8), 64); + } + } + + /** + * Blowfish + */ + static public class Blowfish_CFB8 + extends JCEStreamCipher + { + public Blowfish_CFB8() + { + super(new CFBBlockCipher(new BlowfishEngine(), 8), 64); + } + } + + /** + * Twofish + */ + static public class Twofish_CFB8 + extends JCEStreamCipher + { + public Twofish_CFB8() + { + super(new CFBBlockCipher(new TwofishEngine(), 8), 128); + } + } + + /** + * DES + */ + static public class DES_OFB8 + extends JCEStreamCipher + { + public DES_OFB8() + { + super(new OFBBlockCipher(new DESEngine(), 8), 64); + } + } + + /** + * DESede + */ + static public class DESede_OFB8 + extends JCEStreamCipher + { + public DESede_OFB8() + { + super(new OFBBlockCipher(new DESedeEngine(), 8), 64); + } + } + + /** + * SKIPJACK + */ + static public class Skipjack_OFB8 + extends JCEStreamCipher + { + public Skipjack_OFB8() + { + super(new OFBBlockCipher(new SkipjackEngine(), 8), 64); + } + } + + /** + * Blowfish + */ + static public class Blowfish_OFB8 + extends JCEStreamCipher + { + public Blowfish_OFB8() + { + super(new OFBBlockCipher(new BlowfishEngine(), 8), 64); + } + } + + /** + * Twofish + */ + static public class Twofish_OFB8 + extends JCEStreamCipher + { + public Twofish_OFB8() + { + super(new OFBBlockCipher(new TwofishEngine(), 8), 128); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKDSAPrivateKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKDSAPrivateKey.java new file mode 100644 index 00000000..50a714c8 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKDSAPrivateKey.java @@ -0,0 +1,180 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.interfaces.DSAParams; +import java.security.interfaces.DSAPrivateKey; +import java.security.spec.DSAParameterSpec; +import java.security.spec.DSAPrivateKeySpec; +import java.util.Enumeration; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.DSAParameter; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.util.PKCS12BagAttributeCarrierImpl; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; + +public class JDKDSAPrivateKey + implements DSAPrivateKey, PKCS12BagAttributeCarrier +{ + private static final long serialVersionUID = -4677259546958385734L; + + BigInteger x; + DSAParams dsaSpec; + + private PKCS12BagAttributeCarrierImpl attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + protected JDKDSAPrivateKey() + { + } + + JDKDSAPrivateKey( + DSAPrivateKey key) + { + this.x = key.getX(); + this.dsaSpec = key.getParams(); + } + + JDKDSAPrivateKey( + DSAPrivateKeySpec spec) + { + this.x = spec.getX(); + this.dsaSpec = new DSAParameterSpec(spec.getP(), spec.getQ(), spec.getG()); + } + + JDKDSAPrivateKey( + PrivateKeyInfo info) + throws IOException + { + DSAParameter params = DSAParameter.getInstance(info.getPrivateKeyAlgorithm().getParameters()); + DERInteger derX = ASN1Integer.getInstance(info.parsePrivateKey()); + + this.x = derX.getValue(); + this.dsaSpec = new DSAParameterSpec(params.getP(), params.getQ(), params.getG()); + } + + JDKDSAPrivateKey( + DSAPrivateKeyParameters params) + { + this.x = params.getX(); + this.dsaSpec = new DSAParameterSpec(params.getParameters().getP(), params.getParameters().getQ(), params.getParameters().getG()); + } + + public String getAlgorithm() + { + return "DSA"; + } + + /** + * return the encoding format we produce in getEncoded(). + * + * @return the string "PKCS#8" + */ + public String getFormat() + { + return "PKCS#8"; + } + + /** + * Return a PKCS8 representation of the key. The sequence returned + * represents a full PrivateKeyInfo object. + * + * @return a PKCS8 representation of the key. + */ + public byte[] getEncoded() + { + try + { + PrivateKeyInfo info = new PrivateKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa, new DSAParameter(dsaSpec.getP(), dsaSpec.getQ(), dsaSpec.getG())), new DERInteger(getX())); + + return info.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + return null; + } + } + + public DSAParams getParams() + { + return dsaSpec; + } + + public BigInteger getX() + { + return x; + } + + public boolean equals( + Object o) + { + if (!(o instanceof DSAPrivateKey)) + { + return false; + } + + DSAPrivateKey other = (DSAPrivateKey)o; + + return this.getX().equals(other.getX()) + && this.getParams().getG().equals(other.getParams().getG()) + && this.getParams().getP().equals(other.getParams().getP()) + && this.getParams().getQ().equals(other.getParams().getQ()); + } + + public int hashCode() + { + return this.getX().hashCode() ^ this.getParams().getG().hashCode() + ^ this.getParams().getP().hashCode() ^ this.getParams().getQ().hashCode(); + } + + public void setBagAttribute( + ASN1ObjectIdentifier oid, + ASN1Encodable attribute) + { + attrCarrier.setBagAttribute(oid, attribute); + } + + public ASN1Encodable getBagAttribute( + ASN1ObjectIdentifier oid) + { + return attrCarrier.getBagAttribute(oid); + } + + public Enumeration getBagAttributeKeys() + { + return attrCarrier.getBagAttributeKeys(); + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + this.x = (BigInteger)in.readObject(); + this.dsaSpec = new DSAParameterSpec((BigInteger)in.readObject(), (BigInteger)in.readObject(), (BigInteger)in.readObject()); + this.attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + attrCarrier.readObject(in); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(x); + out.writeObject(dsaSpec.getP()); + out.writeObject(dsaSpec.getQ()); + out.writeObject(dsaSpec.getG()); + + attrCarrier.writeObject(out); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKDSAPublicKey.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKDSAPublicKey.java new file mode 100644 index 00000000..85a39a46 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKDSAPublicKey.java @@ -0,0 +1,177 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.interfaces.DSAParams; +import java.security.interfaces.DSAPublicKey; +import java.security.spec.DSAParameterSpec; +import java.security.spec.DSAPublicKeySpec; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.DSAParameter; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.crypto.params.DSAPublicKeyParameters; + +public class JDKDSAPublicKey + implements DSAPublicKey +{ + private static final long serialVersionUID = 1752452449903495175L; + + private BigInteger y; + private DSAParams dsaSpec; + + JDKDSAPublicKey( + DSAPublicKeySpec spec) + { + this.y = spec.getY(); + this.dsaSpec = new DSAParameterSpec(spec.getP(), spec.getQ(), spec.getG()); + } + + JDKDSAPublicKey( + DSAPublicKey key) + { + this.y = key.getY(); + this.dsaSpec = key.getParams(); + } + + JDKDSAPublicKey( + DSAPublicKeyParameters params) + { + this.y = params.getY(); + this.dsaSpec = new DSAParameterSpec(params.getParameters().getP(), params.getParameters().getQ(), params.getParameters().getG()); + } + + JDKDSAPublicKey( + BigInteger y, + DSAParameterSpec dsaSpec) + { + this.y = y; + this.dsaSpec = dsaSpec; + } + + JDKDSAPublicKey( + SubjectPublicKeyInfo info) + { + + DERInteger derY; + + try + { + derY = (DERInteger)info.parsePublicKey(); + } + catch (IOException e) + { + throw new IllegalArgumentException("invalid info structure in DSA public key"); + } + + this.y = derY.getValue(); + + if (isNotNull(info.getAlgorithm().getParameters())) + { + DSAParameter params = DSAParameter.getInstance(info.getAlgorithm().getParameters()); + + this.dsaSpec = new DSAParameterSpec(params.getP(), params.getQ(), params.getG()); + } + } + + private boolean isNotNull(ASN1Encodable parameters) + { + return parameters != null && !DERNull.INSTANCE.equals(parameters); + } + + public String getAlgorithm() + { + return "DSA"; + } + + public String getFormat() + { + return "X.509"; + } + + public byte[] getEncoded() + { + try + { + if (dsaSpec == null) + { + return new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa), new DERInteger(y)).getEncoded(ASN1Encoding.DER); + } + + return new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa, new DSAParameter(dsaSpec.getP(), dsaSpec.getQ(), dsaSpec.getG())), new DERInteger(y)).getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + return null; + } + } + + public DSAParams getParams() + { + return dsaSpec; + } + + public BigInteger getY() + { + return y; + } + + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append("DSA Public Key").append(nl); + buf.append(" y: ").append(this.getY().toString(16)).append(nl); + + return buf.toString(); + } + + public int hashCode() + { + return this.getY().hashCode() ^ this.getParams().getG().hashCode() + ^ this.getParams().getP().hashCode() ^ this.getParams().getQ().hashCode(); + } + + public boolean equals( + Object o) + { + if (!(o instanceof DSAPublicKey)) + { + return false; + } + + DSAPublicKey other = (DSAPublicKey)o; + + return this.getY().equals(other.getY()) + && this.getParams().getG().equals(other.getParams().getG()) + && this.getParams().getP().equals(other.getParams().getP()) + && this.getParams().getQ().equals(other.getParams().getQ()); + } + + private void readObject( + ObjectInputStream in) + throws IOException, ClassNotFoundException + { + this.y = (BigInteger)in.readObject(); + this.dsaSpec = new DSAParameterSpec((BigInteger)in.readObject(), (BigInteger)in.readObject(), (BigInteger)in.readObject()); + } + + private void writeObject( + ObjectOutputStream out) + throws IOException + { + out.writeObject(y); + out.writeObject(dsaSpec.getP()); + out.writeObject(dsaSpec.getQ()); + out.writeObject(dsaSpec.getG()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKPKCS12StoreParameter.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKPKCS12StoreParameter.java new file mode 100644 index 00000000..7e8340aa --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/JDKPKCS12StoreParameter.java @@ -0,0 +1,51 @@ +package org.bouncycastle.jce.provider; + +import java.io.OutputStream; +import java.security.KeyStore; +import java.security.KeyStore.LoadStoreParameter; +import java.security.KeyStore.ProtectionParameter; + +/** + * @deprecated use org.bouncycastle.jcajce.config.PKCS12StoreParameter + */ +public class JDKPKCS12StoreParameter implements LoadStoreParameter +{ + private OutputStream outputStream; + private ProtectionParameter protectionParameter; + private boolean useDEREncoding; + + public OutputStream getOutputStream() + { + return outputStream; + } + + public ProtectionParameter getProtectionParameter() + { + return protectionParameter; + } + + public boolean isUseDEREncoding() + { + return useDEREncoding; + } + + public void setOutputStream(OutputStream outputStream) + { + this.outputStream = outputStream; + } + + public void setPassword(char[] password) + { + this.protectionParameter = new KeyStore.PasswordProtection(password); + } + + public void setProtectionParameter(ProtectionParameter protectionParameter) + { + this.protectionParameter = protectionParameter; + } + + public void setUseDEREncoding(boolean useDEREncoding) + { + this.useDEREncoding = useDEREncoding; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/MultiCertStoreSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/MultiCertStoreSpi.java new file mode 100644 index 00000000..cf3d15d7 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/MultiCertStoreSpi.java @@ -0,0 +1,85 @@ +package org.bouncycastle.jce.provider; + +import java.security.InvalidAlgorithmParameterException; +import java.security.cert.CRLSelector; +import java.security.cert.CertSelector; +import java.security.cert.CertStore; +import java.security.cert.CertStoreException; +import java.security.cert.CertStoreParameters; +import java.security.cert.CertStoreSpi; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.Iterator; +import java.util.List; + +import org.bouncycastle.jce.MultiCertStoreParameters; + +public class MultiCertStoreSpi + extends CertStoreSpi +{ + private MultiCertStoreParameters params; + + public MultiCertStoreSpi(CertStoreParameters params) + throws InvalidAlgorithmParameterException + { + super(params); + + if (!(params instanceof MultiCertStoreParameters)) + { + throw new InvalidAlgorithmParameterException("org.bouncycastle.jce.provider.MultiCertStoreSpi: parameter must be a MultiCertStoreParameters object\n" + params.toString()); + } + + this.params = (MultiCertStoreParameters)params; + } + + public Collection engineGetCertificates(CertSelector certSelector) + throws CertStoreException + { + boolean searchAllStores = params.getSearchAllStores(); + Iterator iter = params.getCertStores().iterator(); + List allCerts = searchAllStores ? new ArrayList() : Collections.EMPTY_LIST; + + while (iter.hasNext()) + { + CertStore store = (CertStore)iter.next(); + Collection certs = store.getCertificates(certSelector); + + if (searchAllStores) + { + allCerts.addAll(certs); + } + else if (!certs.isEmpty()) + { + return certs; + } + } + + return allCerts; + } + + public Collection engineGetCRLs(CRLSelector crlSelector) + throws CertStoreException + { + boolean searchAllStores = params.getSearchAllStores(); + Iterator iter = params.getCertStores().iterator(); + List allCRLs = searchAllStores ? new ArrayList() : Collections.EMPTY_LIST; + + while (iter.hasNext()) + { + CertStore store = (CertStore)iter.next(); + Collection crls = store.getCRLs(crlSelector); + + if (searchAllStores) + { + allCRLs.addAll(crls); + } + else if (!crls.isEmpty()) + { + return crls; + } + } + + return allCRLs; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PEMUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PEMUtil.java new file mode 100644 index 00000000..04718efc --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PEMUtil.java @@ -0,0 +1,94 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.io.InputStream; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.util.encoders.Base64; + +public class PEMUtil +{ + private final String _header1; + private final String _header2; + private final String _footer1; + private final String _footer2; + + PEMUtil( + String type) + { + _header1 = "-----BEGIN " + type + "-----"; + _header2 = "-----BEGIN X509 " + type + "-----"; + _footer1 = "-----END " + type + "-----"; + _footer2 = "-----END X509 " + type + "-----"; + } + + private String readLine( + InputStream in) + throws IOException + { + int c; + StringBuffer l = new StringBuffer(); + + do + { + while (((c = in.read()) != '\r') && c != '\n' && (c >= 0)) + { + if (c == '\r') + { + continue; + } + + l.append((char)c); + } + } + while (c >= 0 && l.length() == 0); + + if (c < 0) + { + return null; + } + + return l.toString(); + } + + ASN1Sequence readPEMObject( + InputStream in) + throws IOException + { + String line; + StringBuffer pemBuf = new StringBuffer(); + + while ((line = readLine(in)) != null) + { + if (line.startsWith(_header1) || line.startsWith(_header2)) + { + break; + } + } + + while ((line = readLine(in)) != null) + { + if (line.startsWith(_footer1) || line.startsWith(_footer2)) + { + break; + } + + pemBuf.append(line); + } + + if (pemBuf.length() != 0) + { + ASN1Primitive o = new ASN1InputStream(Base64.decode(pemBuf.toString())).readObject(); + if (!(o instanceof ASN1Sequence)) + { + throw new IOException("malformed PEM data encountered"); + } + + return (ASN1Sequence)o; + } + + return null; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java new file mode 100644 index 00000000..14aef43e --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java @@ -0,0 +1,303 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.Principal; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathBuilderResult; +import java.security.cert.CertPathBuilderSpi; +import java.security.cert.CertPathParameters; +import java.security.cert.CertPathValidator; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateParsingException; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.PKIXCertPathValidatorResult; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.jce.exception.ExtCertPathBuilderException; +import org.bouncycastle.util.Selector; +import org.bouncycastle.x509.ExtendedPKIXBuilderParameters; +import org.bouncycastle.x509.X509AttributeCertStoreSelector; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509CertStoreSelector; + +public class PKIXAttrCertPathBuilderSpi + extends CertPathBuilderSpi +{ + + /** + * Build and validate a CertPath using the given parameter. + * + * @param params PKIXBuilderParameters object containing all information to + * build the CertPath + */ + public CertPathBuilderResult engineBuild(CertPathParameters params) + throws CertPathBuilderException, InvalidAlgorithmParameterException + { + if (!(params instanceof PKIXBuilderParameters) + && !(params instanceof ExtendedPKIXBuilderParameters)) + { + throw new InvalidAlgorithmParameterException( + "Parameters must be an instance of " + + PKIXBuilderParameters.class.getName() + " or " + + ExtendedPKIXBuilderParameters.class.getName() + + "."); + } + + ExtendedPKIXBuilderParameters pkixParams; + if (params instanceof ExtendedPKIXBuilderParameters) + { + pkixParams = (ExtendedPKIXBuilderParameters) params; + } + else + { + pkixParams = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters + .getInstance((PKIXBuilderParameters) params); + } + + Collection targets; + Iterator targetIter; + List certPathList = new ArrayList(); + X509AttributeCertificate cert; + + // search target certificates + + Selector certSelect = pkixParams.getTargetConstraints(); + if (!(certSelect instanceof X509AttributeCertStoreSelector)) + { + throw new CertPathBuilderException( + "TargetConstraints must be an instance of " + + X509AttributeCertStoreSelector.class.getName() + + " for "+this.getClass().getName()+" class."); + } + + try + { + targets = CertPathValidatorUtilities.findCertificates((X509AttributeCertStoreSelector)certSelect, pkixParams.getStores()); + } + catch (AnnotatedException e) + { + throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e); + } + + if (targets.isEmpty()) + { + throw new CertPathBuilderException( + "No attribute certificate found matching targetContraints."); + } + + CertPathBuilderResult result = null; + + // check all potential target certificates + targetIter = targets.iterator(); + while (targetIter.hasNext() && result == null) + { + cert = (X509AttributeCertificate) targetIter.next(); + + X509CertStoreSelector selector = new X509CertStoreSelector(); + Principal[] principals = cert.getIssuer().getPrincipals(); + Set issuers = new HashSet(); + for (int i = 0; i < principals.length; i++) + { + try + { + if (principals[i] instanceof X500Principal) + { + selector.setSubject(((X500Principal)principals[i]).getEncoded()); + } + issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores())); + issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getCertStores())); + } + catch (AnnotatedException e) + { + throw new ExtCertPathBuilderException( + "Public key certificate for attribute certificate cannot be searched.", + e); + } + catch (IOException e) + { + throw new ExtCertPathBuilderException( + "cannot encode X500Principal.", + e); + } + } + if (issuers.isEmpty()) + { + throw new CertPathBuilderException( + "Public key certificate for attribute certificate cannot be found."); + } + Iterator it = issuers.iterator(); + while (it.hasNext() && result == null) + { + result = build(cert, (X509Certificate)it.next(), pkixParams, certPathList); + } + } + + if (result == null && certPathException != null) + { + throw new ExtCertPathBuilderException( + "Possible certificate chain could not be validated.", + certPathException); + } + + if (result == null && certPathException == null) + { + throw new CertPathBuilderException( + "Unable to find certificate chain."); + } + + return result; + } + + private Exception certPathException; + + private CertPathBuilderResult build(X509AttributeCertificate attrCert, X509Certificate tbvCert, + ExtendedPKIXBuilderParameters pkixParams, List tbvPath) + + { + // If tbvCert is readily present in tbvPath, it indicates having run + // into a cycle in the + // PKI graph. + if (tbvPath.contains(tbvCert)) + { + return null; + } + // step out, the certificate is not allowed to appear in a certification + // chain + if (pkixParams.getExcludedCerts().contains(tbvCert)) + { + return null; + } + // test if certificate path exceeds maximum length + if (pkixParams.getMaxPathLength() != -1) + { + if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) + { + return null; + } + } + + tbvPath.add(tbvCert); + + CertificateFactory cFact; + CertPathValidator validator; + CertPathBuilderResult builderResult = null; + + try + { + cFact = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME); + validator = CertPathValidator.getInstance("RFC3281", BouncyCastleProvider.PROVIDER_NAME); + } + catch (Exception e) + { + // cannot happen + throw new RuntimeException( + "Exception creating support classes."); + } + + try + { + // check whether the issuer of <tbvCert> is a TrustAnchor + if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getTrustAnchors(), + pkixParams.getSigProvider()) != null) + { + CertPath certPath; + PKIXCertPathValidatorResult result; + try + { + certPath = cFact.generateCertPath(tbvPath); + } + catch (Exception e) + { + throw new AnnotatedException( + "Certification path could not be constructed from certificate list.", + e); + } + + try + { + result = (PKIXCertPathValidatorResult) validator.validate( + certPath, pkixParams); + } + catch (Exception e) + { + throw new AnnotatedException( + "Certification path could not be validated.", + e); + } + + return new PKIXCertPathBuilderResult(certPath, result + .getTrustAnchor(), result.getPolicyTree(), result + .getPublicKey()); + + } + else + { + // add additional X.509 stores from locations in certificate + try + { + CertPathValidatorUtilities.addAdditionalStoresFromAltNames(tbvCert, pkixParams); + } + catch (CertificateParsingException e) + { + throw new AnnotatedException( + "No additional X.509 stores can be added from certificate locations.", + e); + } + Collection issuers = new HashSet(); + // try to get the issuer certificate from one + // of the stores + try + { + issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams)); + } + catch (AnnotatedException e) + { + throw new AnnotatedException( + "Cannot find issuer certificate for certificate in certification path.", + e); + } + if (issuers.isEmpty()) + { + throw new AnnotatedException( + "No issuer certificate for certificate in certification path found."); + } + Iterator it = issuers.iterator(); + + while (it.hasNext() && builderResult == null) + { + X509Certificate issuer = (X509Certificate) it.next(); + // TODO Use CertPathValidatorUtilities.isSelfIssued(issuer)? + // if untrusted self signed certificate continue + if (issuer.getIssuerX500Principal().equals( + issuer.getSubjectX500Principal())) + { + continue; + } + builderResult = build(attrCert, issuer, pkixParams, tbvPath); + } + } + } + catch (AnnotatedException e) + { + certPathException = new AnnotatedException( + "No valid certification path could be build.", e); + } + if (builderResult == null) + { + tbvPath.remove(tbvCert); + } + return builderResult; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java new file mode 100644 index 00000000..c1759bac --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java @@ -0,0 +1,99 @@ +package org.bouncycastle.jce.provider; + +import java.security.InvalidAlgorithmParameterException; +import java.security.cert.CertPath; +import java.security.cert.CertPathParameters; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertPathValidatorResult; +import java.security.cert.CertPathValidatorSpi; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.Set; + +import org.bouncycastle.jce.exception.ExtCertPathValidatorException; +import org.bouncycastle.util.Selector; +import org.bouncycastle.x509.ExtendedPKIXParameters; +import org.bouncycastle.x509.X509AttributeCertStoreSelector; +import org.bouncycastle.x509.X509AttributeCertificate; + +/** + * CertPathValidatorSpi implementation for X.509 Attribute Certificates la RFC 3281. + * + * @see org.bouncycastle.x509.ExtendedPKIXParameters + */ +public class PKIXAttrCertPathValidatorSpi + extends CertPathValidatorSpi +{ + + /** + * Validates an attribute certificate with the given certificate path. + * + * <p> + * <code>params</code> must be an instance of + * <code>ExtendedPKIXParameters</code>. + * <p> + * The target constraints in the <code>params</code> must be an + * <code>X509AttributeCertStoreSelector</code> with at least the attribute + * certificate criterion set. Obey that also target informations may be + * necessary to correctly validate this attribute certificate. + * <p> + * The attribute certificate issuer must be added to the trusted attribute + * issuers with {@link ExtendedPKIXParameters#setTrustedACIssuers(Set)}. + * + * @param certPath The certificate path which belongs to the attribute + * certificate issuer public key certificate. + * @param params The PKIX parameters. + * @return A <code>PKIXCertPathValidatorResult</code> of the result of + * validating the <code>certPath</code>. + * @throws InvalidAlgorithmParameterException if <code>params</code> is + * inappropriate for this validator. + * @throws CertPathValidatorException if the verification fails. + */ + public CertPathValidatorResult engineValidate(CertPath certPath, + CertPathParameters params) throws CertPathValidatorException, + InvalidAlgorithmParameterException + { + if (!(params instanceof ExtendedPKIXParameters)) + { + throw new InvalidAlgorithmParameterException( + "Parameters must be a " + + ExtendedPKIXParameters.class.getName() + " instance."); + } + ExtendedPKIXParameters pkixParams = (ExtendedPKIXParameters) params; + + Selector certSelect = pkixParams.getTargetConstraints(); + if (!(certSelect instanceof X509AttributeCertStoreSelector)) + { + throw new InvalidAlgorithmParameterException( + "TargetConstraints must be an instance of " + + X509AttributeCertStoreSelector.class.getName() + " for " + + this.getClass().getName() + " class."); + } + X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect) + .getAttributeCert(); + + CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, pkixParams); + CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, pkixParams); + X509Certificate issuerCert = (X509Certificate) certPath + .getCertificates().get(0); + RFC3281CertPathUtilities.processAttrCert3(issuerCert, pkixParams); + RFC3281CertPathUtilities.processAttrCert4(issuerCert, pkixParams); + RFC3281CertPathUtilities.processAttrCert5(attrCert, pkixParams); + // 6 already done in X509AttributeCertStoreSelector + RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, pkixParams); + RFC3281CertPathUtilities.additionalChecks(attrCert, pkixParams); + Date date = null; + try + { + date = CertPathValidatorUtilities + .getValidCertDateFromValidityModel(pkixParams, null, -1); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException( + "Could not get validity date from attribute certificate.", e); + } + RFC3281CertPathUtilities.checkCRLs(attrCert, pkixParams, issuerCert, date, certPath.getCertificates()); + return result; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCRLUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCRLUtil.java new file mode 100644 index 00000000..c94016d7 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCRLUtil.java @@ -0,0 +1,155 @@ +package org.bouncycastle.jce.provider; + +import java.security.cert.CertStore; +import java.security.cert.CertStoreException; +import java.security.cert.PKIXParameters; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.Collection; +import java.util.Date; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import org.bouncycastle.util.StoreException; +import org.bouncycastle.x509.ExtendedPKIXParameters; +import org.bouncycastle.x509.X509CRLStoreSelector; +import org.bouncycastle.x509.X509Store; + +public class PKIXCRLUtil +{ + public Set findCRLs(X509CRLStoreSelector crlselect, ExtendedPKIXParameters paramsPKIX, Date currentDate) + throws AnnotatedException + { + Set initialSet = new HashSet(); + + // get complete CRL(s) + try + { + initialSet.addAll(findCRLs(crlselect, paramsPKIX.getAdditionalStores())); + initialSet.addAll(findCRLs(crlselect, paramsPKIX.getStores())); + initialSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores())); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Exception obtaining complete CRLs.", e); + } + + Set finalSet = new HashSet(); + Date validityDate = currentDate; + + if (paramsPKIX.getDate() != null) + { + validityDate = paramsPKIX.getDate(); + } + + // based on RFC 5280 6.3.3 + for (Iterator it = initialSet.iterator(); it.hasNext();) + { + X509CRL crl = (X509CRL)it.next(); + + if (crl.getNextUpdate().after(validityDate)) + { + X509Certificate cert = crlselect.getCertificateChecking(); + + if (cert != null) + { + if (crl.getThisUpdate().before(cert.getNotAfter())) + { + finalSet.add(crl); + } + } + else + { + finalSet.add(crl); + } + } + } + + return finalSet; + } + + public Set findCRLs(X509CRLStoreSelector crlselect, PKIXParameters paramsPKIX) + throws AnnotatedException + { + Set completeSet = new HashSet(); + + // get complete CRL(s) + try + { + completeSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores())); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Exception obtaining complete CRLs.", e); + } + + return completeSet; + } + +/** + * Return a Collection of all CRLs found in the X509Store's that are + * matching the crlSelect criteriums. + * + * @param crlSelect a {@link X509CRLStoreSelector} object that will be used + * to select the CRLs + * @param crlStores a List containing only + * {@link org.bouncycastle.x509.X509Store X509Store} objects. + * These are used to search for CRLs + * + * @return a Collection of all found {@link java.security.cert.X509CRL X509CRL} objects. May be + * empty but never <code>null</code>. + */ + private final Collection findCRLs(X509CRLStoreSelector crlSelect, + List crlStores) throws AnnotatedException + { + Set crls = new HashSet(); + Iterator iter = crlStores.iterator(); + + AnnotatedException lastException = null; + boolean foundValidStore = false; + + while (iter.hasNext()) + { + Object obj = iter.next(); + + if (obj instanceof X509Store) + { + X509Store store = (X509Store)obj; + + try + { + crls.addAll(store.getMatches(crlSelect)); + foundValidStore = true; + } + catch (StoreException e) + { + lastException = new AnnotatedException( + "Exception searching in X.509 CRL store.", e); + } + } + else + { + CertStore store = (CertStore)obj; + + try + { + crls.addAll(store.getCRLs(crlSelect)); + foundValidStore = true; + } + catch (CertStoreException e) + { + lastException = new AnnotatedException( + "Exception searching in X.509 CRL store.", e); + } + } + } + if (!foundValidStore && lastException != null) + { + throw lastException; + } + return crls; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathBuilderSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathBuilderSpi.java new file mode 100644 index 00000000..384eb861 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathBuilderSpi.java @@ -0,0 +1,261 @@ +package org.bouncycastle.jce.provider; + +import java.security.InvalidAlgorithmParameterException; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathBuilderResult; +import java.security.cert.CertPathBuilderSpi; +import java.security.cert.CertPathParameters; +import java.security.cert.CertPathValidator; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateParsingException; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.PKIXCertPathValidatorResult; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; + +import org.bouncycastle.jce.exception.ExtCertPathBuilderException; +import org.bouncycastle.util.Selector; +import org.bouncycastle.x509.ExtendedPKIXBuilderParameters; +import org.bouncycastle.x509.X509CertStoreSelector; + +/** + * Implements the PKIX CertPathBuilding algorithm for BouncyCastle. + * + * @see CertPathBuilderSpi + */ +public class PKIXCertPathBuilderSpi + extends CertPathBuilderSpi +{ + /** + * Build and validate a CertPath using the given parameter. + * + * @param params PKIXBuilderParameters object containing all information to + * build the CertPath + */ + public CertPathBuilderResult engineBuild(CertPathParameters params) + throws CertPathBuilderException, InvalidAlgorithmParameterException + { + if (!(params instanceof PKIXBuilderParameters) + && !(params instanceof ExtendedPKIXBuilderParameters)) + { + throw new InvalidAlgorithmParameterException( + "Parameters must be an instance of " + + PKIXBuilderParameters.class.getName() + " or " + + ExtendedPKIXBuilderParameters.class.getName() + "."); + } + + ExtendedPKIXBuilderParameters pkixParams = null; + if (params instanceof ExtendedPKIXBuilderParameters) + { + pkixParams = (ExtendedPKIXBuilderParameters) params; + } + else + { + pkixParams = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters + .getInstance((PKIXBuilderParameters) params); + } + + Collection targets; + Iterator targetIter; + List certPathList = new ArrayList(); + X509Certificate cert; + + // search target certificates + + Selector certSelect = pkixParams.getTargetConstraints(); + if (!(certSelect instanceof X509CertStoreSelector)) + { + throw new CertPathBuilderException( + "TargetConstraints must be an instance of " + + X509CertStoreSelector.class.getName() + " for " + + this.getClass().getName() + " class."); + } + + try + { + targets = CertPathValidatorUtilities.findCertificates((X509CertStoreSelector)certSelect, pkixParams.getStores()); + targets.addAll(CertPathValidatorUtilities.findCertificates((X509CertStoreSelector)certSelect, pkixParams.getCertStores())); + } + catch (AnnotatedException e) + { + throw new ExtCertPathBuilderException( + "Error finding target certificate.", e); + } + + if (targets.isEmpty()) + { + + throw new CertPathBuilderException( + "No certificate found matching targetContraints."); + } + + CertPathBuilderResult result = null; + + // check all potential target certificates + targetIter = targets.iterator(); + while (targetIter.hasNext() && result == null) + { + cert = (X509Certificate) targetIter.next(); + result = build(cert, pkixParams, certPathList); + } + + if (result == null && certPathException != null) + { + if (certPathException instanceof AnnotatedException) + { + throw new CertPathBuilderException(certPathException.getMessage(), certPathException.getCause()); + } + throw new CertPathBuilderException( + "Possible certificate chain could not be validated.", + certPathException); + } + + if (result == null && certPathException == null) + { + throw new CertPathBuilderException( + "Unable to find certificate chain."); + } + + return result; + } + + private Exception certPathException; + + protected CertPathBuilderResult build(X509Certificate tbvCert, + ExtendedPKIXBuilderParameters pkixParams, List tbvPath) + { + // If tbvCert is readily present in tbvPath, it indicates having run + // into a cycle in the + // PKI graph. + if (tbvPath.contains(tbvCert)) + { + return null; + } + // step out, the certificate is not allowed to appear in a certification + // chain. + if (pkixParams.getExcludedCerts().contains(tbvCert)) + { + return null; + } + // test if certificate path exceeds maximum length + if (pkixParams.getMaxPathLength() != -1) + { + if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) + { + return null; + } + } + + tbvPath.add(tbvCert); + + CertificateFactory cFact; + CertPathValidator validator; + CertPathBuilderResult builderResult = null; + + try + { + cFact = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME); + validator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); + } + catch (Exception e) + { + // cannot happen + throw new RuntimeException("Exception creating support classes."); + } + + try + { + // check whether the issuer of <tbvCert> is a TrustAnchor + if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getTrustAnchors(), + pkixParams.getSigProvider()) != null) + { + // exception message from possibly later tried certification + // chains + CertPath certPath = null; + PKIXCertPathValidatorResult result = null; + try + { + certPath = cFact.generateCertPath(tbvPath); + } + catch (Exception e) + { + throw new AnnotatedException( + "Certification path could not be constructed from certificate list.", + e); + } + + try + { + result = (PKIXCertPathValidatorResult) validator.validate( + certPath, pkixParams); + } + catch (Exception e) + { + throw new AnnotatedException( + "Certification path could not be validated.", e); + } + + return new PKIXCertPathBuilderResult(certPath, result + .getTrustAnchor(), result.getPolicyTree(), result + .getPublicKey()); + + } + else + { + // add additional X.509 stores from locations in certificate + try + { + CertPathValidatorUtilities.addAdditionalStoresFromAltNames( + tbvCert, pkixParams); + } + catch (CertificateParsingException e) + { + throw new AnnotatedException( + "No additiontal X.509 stores can be added from certificate locations.", + e); + } + Collection issuers = new HashSet(); + // try to get the issuer certificate from one + // of the stores + try + { + issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams)); + } + catch (AnnotatedException e) + { + throw new AnnotatedException( + "Cannot find issuer certificate for certificate in certification path.", + e); + } + if (issuers.isEmpty()) + { + throw new AnnotatedException( + "No issuer certificate for certificate in certification path found."); + } + Iterator it = issuers.iterator(); + + while (it.hasNext() && builderResult == null) + { + X509Certificate issuer = (X509Certificate) it.next(); + builderResult = build(issuer, pkixParams, tbvPath); + } + } + } + catch (AnnotatedException e) + { + certPathException = e; + } + if (builderResult == null) + { + tbvPath.remove(tbvCert); + } + return builderResult; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java new file mode 100644 index 00000000..f28a02a7 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java @@ -0,0 +1,431 @@ +package org.bouncycastle.jce.provider; + +import java.security.InvalidAlgorithmParameterException; +import java.security.PublicKey; +import java.security.cert.CertPath; +import java.security.cert.CertPathParameters; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertPathValidatorResult; +import java.security.cert.CertPathValidatorSpi; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.PKIXCertPathValidatorResult; +import java.security.cert.PKIXParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jce.exception.ExtCertPathValidatorException; +import org.bouncycastle.x509.ExtendedPKIXParameters; + +/** + * CertPathValidatorSpi implementation for X.509 Certificate validation � la RFC + * 3280. + */ +public class PKIXCertPathValidatorSpi + extends CertPathValidatorSpi +{ + + public CertPathValidatorResult engineValidate( + CertPath certPath, + CertPathParameters params) + throws CertPathValidatorException, + InvalidAlgorithmParameterException + { + if (!(params instanceof PKIXParameters)) + { + throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName() + + " instance."); + } + + ExtendedPKIXParameters paramsPKIX; + if (params instanceof ExtendedPKIXParameters) + { + paramsPKIX = (ExtendedPKIXParameters)params; + } + else + { + paramsPKIX = ExtendedPKIXParameters.getInstance((PKIXParameters)params); + } + if (paramsPKIX.getTrustAnchors() == null) + { + throw new InvalidAlgorithmParameterException( + "trustAnchors is null, this is not allowed for certification path validation."); + } + + // + // 6.1.1 - inputs + // + + // + // (a) + // + List certs = certPath.getCertificates(); + int n = certs.size(); + + if (certs.isEmpty()) + { + throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0); + } + + // + // (b) + // + // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX); + + // + // (c) + // + Set userInitialPolicySet = paramsPKIX.getInitialPolicies(); + + // + // (d) + // + TrustAnchor trust; + try + { + trust = CertPathValidatorUtilities.findTrustAnchor((X509Certificate) certs.get(certs.size() - 1), + paramsPKIX.getTrustAnchors(), paramsPKIX.getSigProvider()); + } + catch (AnnotatedException e) + { + throw new CertPathValidatorException(e.getMessage(), e, certPath, certs.size() - 1); + } + + if (trust == null) + { + throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); + } + + // + // (e), (f), (g) are part of the paramsPKIX object. + // + Iterator certIter; + int index = 0; + int i; + // Certificate for each interation of the validation loop + // Signature information for each iteration of the validation loop + // + // 6.1.2 - setup + // + + // + // (a) + // + List[] policyNodes = new ArrayList[n + 1]; + for (int j = 0; j < policyNodes.length; j++) + { + policyNodes[j] = new ArrayList(); + } + + Set policySet = new HashSet(); + + policySet.add(RFC3280CertPathUtilities.ANY_POLICY); + + PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(), + RFC3280CertPathUtilities.ANY_POLICY, false); + + policyNodes[0].add(validPolicyTree); + + // + // (b) and (c) + // + PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator(); + + // (d) + // + int explicitPolicy; + Set acceptablePolicies = new HashSet(); + + if (paramsPKIX.isExplicitPolicyRequired()) + { + explicitPolicy = 0; + } + else + { + explicitPolicy = n + 1; + } + + // + // (e) + // + int inhibitAnyPolicy; + + if (paramsPKIX.isAnyPolicyInhibited()) + { + inhibitAnyPolicy = 0; + } + else + { + inhibitAnyPolicy = n + 1; + } + + // + // (f) + // + int policyMapping; + + if (paramsPKIX.isPolicyMappingInhibited()) + { + policyMapping = 0; + } + else + { + policyMapping = n + 1; + } + + // + // (g), (h), (i), (j) + // + PublicKey workingPublicKey; + X500Principal workingIssuerName; + + X509Certificate sign = trust.getTrustedCert(); + try + { + if (sign != null) + { + workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign); + workingPublicKey = sign.getPublicKey(); + } + else + { + workingIssuerName = new X500Principal(trust.getCAName()); + workingPublicKey = trust.getCAPublicKey(); + } + } + catch (IllegalArgumentException ex) + { + throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, + -1); + } + + AlgorithmIdentifier workingAlgId = null; + try + { + workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey); + } + catch (CertPathValidatorException e) + { + throw new ExtCertPathValidatorException( + "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); + } + DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId(); + ASN1Encodable workingPublicKeyParameters = workingAlgId.getParameters(); + + // + // (k) + // + int maxPathLength = n; + + // + // 6.1.3 + // + + if (paramsPKIX.getTargetConstraints() != null + && !paramsPKIX.getTargetConstraints().match((X509Certificate) certs.get(0))) + { + throw new ExtCertPathValidatorException( + "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); + } + + // + // initialize CertPathChecker's + // + List pathCheckers = paramsPKIX.getCertPathCheckers(); + certIter = pathCheckers.iterator(); + while (certIter.hasNext()) + { + ((PKIXCertPathChecker) certIter.next()).init(false); + } + + X509Certificate cert = null; + + for (index = certs.size() - 1; index >= 0; index--) + { + // try + // { + // + // i as defined in the algorithm description + // + i = n - index; + + // + // set certificate to be checked in this round + // sign and workingPublicKey and workingIssuerName are set + // at the end of the for loop and initialized the + // first time from the TrustAnchor + // + cert = (X509Certificate) certs.get(index); + boolean verificationAlreadyPerformed = (index == certs.size() - 1); + + // + // 6.1.3 + // + + RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, index, workingPublicKey, + verificationAlreadyPerformed, workingIssuerName, sign); + + RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator); + + validPolicyTree = RFC3280CertPathUtilities.processCertD(certPath, index, acceptablePolicies, + validPolicyTree, policyNodes, inhibitAnyPolicy); + + validPolicyTree = RFC3280CertPathUtilities.processCertE(certPath, index, validPolicyTree); + + RFC3280CertPathUtilities.processCertF(certPath, index, validPolicyTree, explicitPolicy); + + // + // 6.1.4 + // + + if (i != n) + { + if (cert != null && cert.getVersion() == 1) + { + throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, + certPath, index); + } + + RFC3280CertPathUtilities.prepareNextCertA(certPath, index); + + validPolicyTree = RFC3280CertPathUtilities.prepareCertB(certPath, index, policyNodes, validPolicyTree, + policyMapping); + + RFC3280CertPathUtilities.prepareNextCertG(certPath, index, nameConstraintValidator); + + // (h) + explicitPolicy = RFC3280CertPathUtilities.prepareNextCertH1(certPath, index, explicitPolicy); + policyMapping = RFC3280CertPathUtilities.prepareNextCertH2(certPath, index, policyMapping); + inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertH3(certPath, index, inhibitAnyPolicy); + + // + // (i) + // + explicitPolicy = RFC3280CertPathUtilities.prepareNextCertI1(certPath, index, explicitPolicy); + policyMapping = RFC3280CertPathUtilities.prepareNextCertI2(certPath, index, policyMapping); + + // (j) + inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertJ(certPath, index, inhibitAnyPolicy); + + // (k) + RFC3280CertPathUtilities.prepareNextCertK(certPath, index); + + // (l) + maxPathLength = RFC3280CertPathUtilities.prepareNextCertL(certPath, index, maxPathLength); + + // (m) + maxPathLength = RFC3280CertPathUtilities.prepareNextCertM(certPath, index, maxPathLength); + + // (n) + RFC3280CertPathUtilities.prepareNextCertN(certPath, index); + + Set criticalExtensions = cert.getCriticalExtensionOIDs(); + if (criticalExtensions != null) + { + criticalExtensions = new HashSet(criticalExtensions); + + // these extensions are handled by the algorithm + criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE); + criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES); + criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS); + criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY); + criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT); + criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); + criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS); + criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS); + criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME); + criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS); + } + else + { + criticalExtensions = new HashSet(); + } + + // (o) + RFC3280CertPathUtilities.prepareNextCertO(certPath, index, criticalExtensions, pathCheckers); + + // set signing certificate for next round + sign = cert; + + // (c) + workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign); + + // (d) + try + { + workingPublicKey = CertPathValidatorUtilities.getNextWorkingKey(certPath.getCertificates(), index); + } + catch (CertPathValidatorException e) + { + throw new CertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); + } + + workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey); + // (f) + workingPublicKeyAlgorithm = workingAlgId.getObjectId(); + // (e) + workingPublicKeyParameters = workingAlgId.getParameters(); + } + } + + // + // 6.1.5 Wrap-up procedure + // + + explicitPolicy = RFC3280CertPathUtilities.wrapupCertA(explicitPolicy, cert); + + explicitPolicy = RFC3280CertPathUtilities.wrapupCertB(certPath, index + 1, explicitPolicy); + + // + // (c) (d) and (e) are already done + // + + // + // (f) + // + Set criticalExtensions = cert.getCriticalExtensionOIDs(); + + if (criticalExtensions != null) + { + criticalExtensions = new HashSet(criticalExtensions); + // these extensions are handled by the algorithm + criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE); + criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES); + criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS); + criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY); + criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT); + criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); + criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS); + criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS); + criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME); + criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS); + criticalExtensions.remove(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS); + } + else + { + criticalExtensions = new HashSet(); + } + + RFC3280CertPathUtilities.wrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); + + PKIXPolicyNode intersection = RFC3280CertPathUtilities.wrapupCertG(certPath, paramsPKIX, userInitialPolicySet, + index + 1, policyNodes, validPolicyTree, acceptablePolicies); + + if ((explicitPolicy > 0) || (intersection != null)) + { + return new PKIXCertPathValidatorResult(trust, intersection, cert.getPublicKey()); + } + + throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, index); + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java new file mode 100644 index 00000000..7ecc4860 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidator.java @@ -0,0 +1,1927 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Map; +import java.util.Set; + +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERIA5String; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralSubtree; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.Integers; +import org.bouncycastle.util.Strings; + +public class PKIXNameConstraintValidator +{ + private Set excludedSubtreesDN = new HashSet(); + + private Set excludedSubtreesDNS = new HashSet(); + + private Set excludedSubtreesEmail = new HashSet(); + + private Set excludedSubtreesURI = new HashSet(); + + private Set excludedSubtreesIP = new HashSet(); + + private Set permittedSubtreesDN; + + private Set permittedSubtreesDNS; + + private Set permittedSubtreesEmail; + + private Set permittedSubtreesURI; + + private Set permittedSubtreesIP; + + public PKIXNameConstraintValidator() + { + } + + private static boolean withinDNSubtree( + ASN1Sequence dns, + ASN1Sequence subtree) + { + if (subtree.size() < 1) + { + return false; + } + + if (subtree.size() > dns.size()) + { + return false; + } + + for (int j = subtree.size() - 1; j >= 0; j--) + { + if (!subtree.getObjectAt(j).equals(dns.getObjectAt(j))) + { + return false; + } + } + + return true; + } + + public void checkPermittedDN(ASN1Sequence dns) + throws PKIXNameConstraintValidatorException + { + checkPermittedDN(permittedSubtreesDN, dns); + } + + public void checkExcludedDN(ASN1Sequence dns) + throws PKIXNameConstraintValidatorException + { + checkExcludedDN(excludedSubtreesDN, dns); + } + + private void checkPermittedDN(Set permitted, ASN1Sequence dns) + throws PKIXNameConstraintValidatorException + { + if (permitted == null) + { + return; + } + + if (permitted.isEmpty() && dns.size() == 0) + { + return; + } + Iterator it = permitted.iterator(); + + while (it.hasNext()) + { + ASN1Sequence subtree = (ASN1Sequence)it.next(); + + if (withinDNSubtree(dns, subtree)) + { + return; + } + } + + throw new PKIXNameConstraintValidatorException( + "Subject distinguished name is not from a permitted subtree"); + } + + private void checkExcludedDN(Set excluded, ASN1Sequence dns) + throws PKIXNameConstraintValidatorException + { + if (excluded.isEmpty()) + { + return; + } + + Iterator it = excluded.iterator(); + + while (it.hasNext()) + { + ASN1Sequence subtree = (ASN1Sequence)it.next(); + + if (withinDNSubtree(dns, subtree)) + { + throw new PKIXNameConstraintValidatorException( + "Subject distinguished name is from an excluded subtree"); + } + } + } + + private Set intersectDN(Set permitted, Set dns) + { + Set intersect = new HashSet(); + for (Iterator it = dns.iterator(); it.hasNext();) + { + ASN1Sequence dn = ASN1Sequence.getInstance(((GeneralSubtree)it + .next()).getBase().getName().toASN1Primitive()); + if (permitted == null) + { + if (dn != null) + { + intersect.add(dn); + } + } + else + { + Iterator _iter = permitted.iterator(); + while (_iter.hasNext()) + { + ASN1Sequence subtree = (ASN1Sequence)_iter.next(); + + if (withinDNSubtree(dn, subtree)) + { + intersect.add(dn); + } + else if (withinDNSubtree(subtree, dn)) + { + intersect.add(subtree); + } + } + } + } + return intersect; + } + + private Set unionDN(Set excluded, ASN1Sequence dn) + { + if (excluded.isEmpty()) + { + if (dn == null) + { + return excluded; + } + excluded.add(dn); + + return excluded; + } + else + { + Set intersect = new HashSet(); + + Iterator it = excluded.iterator(); + while (it.hasNext()) + { + ASN1Sequence subtree = (ASN1Sequence)it.next(); + + if (withinDNSubtree(dn, subtree)) + { + intersect.add(subtree); + } + else if (withinDNSubtree(subtree, dn)) + { + intersect.add(dn); + } + else + { + intersect.add(subtree); + intersect.add(dn); + } + } + + return intersect; + } + } + + private Set intersectEmail(Set permitted, Set emails) + { + Set intersect = new HashSet(); + for (Iterator it = emails.iterator(); it.hasNext();) + { + String email = extractNameAsString(((GeneralSubtree)it.next()) + .getBase()); + + if (permitted == null) + { + if (email != null) + { + intersect.add(email); + } + } + else + { + Iterator it2 = permitted.iterator(); + while (it2.hasNext()) + { + String _permitted = (String)it2.next(); + + intersectEmail(email, _permitted, intersect); + } + } + } + return intersect; + } + + private Set unionEmail(Set excluded, String email) + { + if (excluded.isEmpty()) + { + if (email == null) + { + return excluded; + } + excluded.add(email); + return excluded; + } + else + { + Set union = new HashSet(); + + Iterator it = excluded.iterator(); + while (it.hasNext()) + { + String _excluded = (String)it.next(); + + unionEmail(_excluded, email, union); + } + + return union; + } + } + + /** + * Returns the intersection of the permitted IP ranges in + * <code>permitted</code> with <code>ip</code>. + * + * @param permitted A <code>Set</code> of permitted IP addresses with + * their subnet mask as byte arrays. + * @param ips The IP address with its subnet mask. + * @return The <code>Set</code> of permitted IP ranges intersected with + * <code>ip</code>. + */ + private Set intersectIP(Set permitted, Set ips) + { + Set intersect = new HashSet(); + for (Iterator it = ips.iterator(); it.hasNext();) + { + byte[] ip = ASN1OctetString.getInstance( + ((GeneralSubtree)it.next()).getBase().getName()).getOctets(); + if (permitted == null) + { + if (ip != null) + { + intersect.add(ip); + } + } + else + { + Iterator it2 = permitted.iterator(); + while (it2.hasNext()) + { + byte[] _permitted = (byte[])it2.next(); + intersect.addAll(intersectIPRange(_permitted, ip)); + } + } + } + return intersect; + } + + /** + * Returns the union of the excluded IP ranges in <code>excluded</code> + * with <code>ip</code>. + * + * @param excluded A <code>Set</code> of excluded IP addresses with their + * subnet mask as byte arrays. + * @param ip The IP address with its subnet mask. + * @return The <code>Set</code> of excluded IP ranges unified with + * <code>ip</code> as byte arrays. + */ + private Set unionIP(Set excluded, byte[] ip) + { + if (excluded.isEmpty()) + { + if (ip == null) + { + return excluded; + } + excluded.add(ip); + + return excluded; + } + else + { + Set union = new HashSet(); + + Iterator it = excluded.iterator(); + while (it.hasNext()) + { + byte[] _excluded = (byte[])it.next(); + union.addAll(unionIPRange(_excluded, ip)); + } + + return union; + } + } + + /** + * Calculates the union if two IP ranges. + * + * @param ipWithSubmask1 The first IP address with its subnet mask. + * @param ipWithSubmask2 The second IP address with its subnet mask. + * @return A <code>Set</code> with the union of both addresses. + */ + private Set unionIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) + { + Set set = new HashSet(); + + // difficult, adding always all IPs is not wrong + if (Arrays.areEqual(ipWithSubmask1, ipWithSubmask2)) + { + set.add(ipWithSubmask1); + } + else + { + set.add(ipWithSubmask1); + set.add(ipWithSubmask2); + } + return set; + } + + /** + * Calculates the interesction if two IP ranges. + * + * @param ipWithSubmask1 The first IP address with its subnet mask. + * @param ipWithSubmask2 The second IP address with its subnet mask. + * @return A <code>Set</code> with the single IP address with its subnet + * mask as a byte array or an empty <code>Set</code>. + */ + private Set intersectIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) + { + if (ipWithSubmask1.length != ipWithSubmask2.length) + { + return Collections.EMPTY_SET; + } + byte[][] temp = extractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2); + byte ip1[] = temp[0]; + byte subnetmask1[] = temp[1]; + byte ip2[] = temp[2]; + byte subnetmask2[] = temp[3]; + + byte minMax[][] = minMaxIPs(ip1, subnetmask1, ip2, subnetmask2); + byte[] min; + byte[] max; + max = min(minMax[1], minMax[3]); + min = max(minMax[0], minMax[2]); + + // minimum IP address must be bigger than max + if (compareTo(min, max) == 1) + { + return Collections.EMPTY_SET; + } + // OR keeps all significant bits + byte[] ip = or(minMax[0], minMax[2]); + byte[] subnetmask = or(subnetmask1, subnetmask2); + return Collections.singleton(ipWithSubnetMask(ip, subnetmask)); + } + + /** + * Concatenates the IP address with its subnet mask. + * + * @param ip The IP address. + * @param subnetMask Its subnet mask. + * @return The concatenated IP address with its subnet mask. + */ + private byte[] ipWithSubnetMask(byte[] ip, byte[] subnetMask) + { + int ipLength = ip.length; + byte[] temp = new byte[ipLength * 2]; + System.arraycopy(ip, 0, temp, 0, ipLength); + System.arraycopy(subnetMask, 0, temp, ipLength, ipLength); + return temp; + } + + /** + * Splits the IP addresses and their subnet mask. + * + * @param ipWithSubmask1 The first IP address with the subnet mask. + * @param ipWithSubmask2 The second IP address with the subnet mask. + * @return An array with two elements. Each element contains the IP address + * and the subnet mask in this order. + */ + private byte[][] extractIPsAndSubnetMasks( + byte[] ipWithSubmask1, + byte[] ipWithSubmask2) + { + int ipLength = ipWithSubmask1.length / 2; + byte ip1[] = new byte[ipLength]; + byte subnetmask1[] = new byte[ipLength]; + System.arraycopy(ipWithSubmask1, 0, ip1, 0, ipLength); + System.arraycopy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength); + + byte ip2[] = new byte[ipLength]; + byte subnetmask2[] = new byte[ipLength]; + System.arraycopy(ipWithSubmask2, 0, ip2, 0, ipLength); + System.arraycopy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength); + return new byte[][] + {ip1, subnetmask1, ip2, subnetmask2}; + } + + /** + * Based on the two IP addresses and their subnet masks the IP range is + * computed for each IP address - subnet mask pair and returned as the + * minimum IP address and the maximum address of the range. + * + * @param ip1 The first IP address. + * @param subnetmask1 The subnet mask of the first IP address. + * @param ip2 The second IP address. + * @param subnetmask2 The subnet mask of the second IP address. + * @return A array with two elements. The first/second element contains the + * min and max IP address of the first/second IP address and its + * subnet mask. + */ + private byte[][] minMaxIPs( + byte[] ip1, + byte[] subnetmask1, + byte[] ip2, + byte[] subnetmask2) + { + int ipLength = ip1.length; + byte[] min1 = new byte[ipLength]; + byte[] max1 = new byte[ipLength]; + + byte[] min2 = new byte[ipLength]; + byte[] max2 = new byte[ipLength]; + + for (int i = 0; i < ipLength; i++) + { + min1[i] = (byte)(ip1[i] & subnetmask1[i]); + max1[i] = (byte)(ip1[i] & subnetmask1[i] | ~subnetmask1[i]); + + min2[i] = (byte)(ip2[i] & subnetmask2[i]); + max2[i] = (byte)(ip2[i] & subnetmask2[i] | ~subnetmask2[i]); + } + + return new byte[][]{min1, max1, min2, max2}; + } + + private void checkPermittedEmail(Set permitted, String email) + throws PKIXNameConstraintValidatorException + { + if (permitted == null) + { + return; + } + + Iterator it = permitted.iterator(); + + while (it.hasNext()) + { + String str = ((String)it.next()); + + if (emailIsConstrained(email, str)) + { + return; + } + } + + if (email.length() == 0 && permitted.size() == 0) + { + return; + } + + throw new PKIXNameConstraintValidatorException( + "Subject email address is not from a permitted subtree."); + } + + private void checkExcludedEmail(Set excluded, String email) + throws PKIXNameConstraintValidatorException + { + if (excluded.isEmpty()) + { + return; + } + + Iterator it = excluded.iterator(); + + while (it.hasNext()) + { + String str = (String)it.next(); + + if (emailIsConstrained(email, str)) + { + throw new PKIXNameConstraintValidatorException( + "Email address is from an excluded subtree."); + } + } + } + + /** + * Checks if the IP <code>ip</code> is included in the permitted set + * <code>permitted</code>. + * + * @param permitted A <code>Set</code> of permitted IP addresses with + * their subnet mask as byte arrays. + * @param ip The IP address. + * @throws PKIXNameConstraintValidatorException + * if the IP is not permitted. + */ + private void checkPermittedIP(Set permitted, byte[] ip) + throws PKIXNameConstraintValidatorException + { + if (permitted == null) + { + return; + } + + Iterator it = permitted.iterator(); + + while (it.hasNext()) + { + byte[] ipWithSubnet = (byte[])it.next(); + + if (isIPConstrained(ip, ipWithSubnet)) + { + return; + } + } + if (ip.length == 0 && permitted.size() == 0) + { + return; + } + throw new PKIXNameConstraintValidatorException( + "IP is not from a permitted subtree."); + } + + /** + * Checks if the IP <code>ip</code> is included in the excluded set + * <code>excluded</code>. + * + * @param excluded A <code>Set</code> of excluded IP addresses with their + * subnet mask as byte arrays. + * @param ip The IP address. + * @throws PKIXNameConstraintValidatorException + * if the IP is excluded. + */ + private void checkExcludedIP(Set excluded, byte[] ip) + throws PKIXNameConstraintValidatorException + { + if (excluded.isEmpty()) + { + return; + } + + Iterator it = excluded.iterator(); + + while (it.hasNext()) + { + byte[] ipWithSubnet = (byte[])it.next(); + + if (isIPConstrained(ip, ipWithSubnet)) + { + throw new PKIXNameConstraintValidatorException( + "IP is from an excluded subtree."); + } + } + } + + /** + * Checks if the IP address <code>ip</code> is constrained by + * <code>constraint</code>. + * + * @param ip The IP address. + * @param constraint The constraint. This is an IP address concatenated with + * its subnetmask. + * @return <code>true</code> if constrained, <code>false</code> + * otherwise. + */ + private boolean isIPConstrained(byte ip[], byte[] constraint) + { + int ipLength = ip.length; + + if (ipLength != (constraint.length / 2)) + { + return false; + } + + byte[] subnetMask = new byte[ipLength]; + System.arraycopy(constraint, ipLength, subnetMask, 0, ipLength); + + byte[] permittedSubnetAddress = new byte[ipLength]; + + byte[] ipSubnetAddress = new byte[ipLength]; + + // the resulting IP address by applying the subnet mask + for (int i = 0; i < ipLength; i++) + { + permittedSubnetAddress[i] = (byte)(constraint[i] & subnetMask[i]); + ipSubnetAddress[i] = (byte)(ip[i] & subnetMask[i]); + } + + return Arrays.areEqual(permittedSubnetAddress, ipSubnetAddress); + } + + private boolean emailIsConstrained(String email, String constraint) + { + String sub = email.substring(email.indexOf('@') + 1); + // a particular mailbox + if (constraint.indexOf('@') != -1) + { + if (email.equalsIgnoreCase(constraint)) + { + return true; + } + } + // on particular host + else if (!(constraint.charAt(0) == '.')) + { + if (sub.equalsIgnoreCase(constraint)) + { + return true; + } + } + // address in sub domain + else if (withinDomain(sub, constraint)) + { + return true; + } + return false; + } + + private boolean withinDomain(String testDomain, String domain) + { + String tempDomain = domain; + if (tempDomain.startsWith(".")) + { + tempDomain = tempDomain.substring(1); + } + String[] domainParts = Strings.split(tempDomain, '.'); + String[] testDomainParts = Strings.split(testDomain, '.'); + // must have at least one subdomain + if (testDomainParts.length <= domainParts.length) + { + return false; + } + int d = testDomainParts.length - domainParts.length; + for (int i = -1; i < domainParts.length; i++) + { + if (i == -1) + { + if (testDomainParts[i + d].equals("")) + { + return false; + } + } + else if (!domainParts[i].equalsIgnoreCase(testDomainParts[i + d])) + { + return false; + } + } + return true; + } + + private void checkPermittedDNS(Set permitted, String dns) + throws PKIXNameConstraintValidatorException + { + if (permitted == null) + { + return; + } + + Iterator it = permitted.iterator(); + + while (it.hasNext()) + { + String str = ((String)it.next()); + + // is sub domain + if (withinDomain(dns, str) || dns.equalsIgnoreCase(str)) + { + return; + } + } + if (dns.length() == 0 && permitted.size() == 0) + { + return; + } + throw new PKIXNameConstraintValidatorException( + "DNS is not from a permitted subtree."); + } + + private void checkExcludedDNS(Set excluded, String dns) + throws PKIXNameConstraintValidatorException + { + if (excluded.isEmpty()) + { + return; + } + + Iterator it = excluded.iterator(); + + while (it.hasNext()) + { + String str = ((String)it.next()); + + // is sub domain or the same + if (withinDomain(dns, str) || dns.equalsIgnoreCase(str)) + { + throw new PKIXNameConstraintValidatorException( + "DNS is from an excluded subtree."); + } + } + } + + /** + * The common part of <code>email1</code> and <code>email2</code> is + * added to the union <code>union</code>. If <code>email1</code> and + * <code>email2</code> have nothing in common they are added both. + * + * @param email1 Email address constraint 1. + * @param email2 Email address constraint 2. + * @param union The union. + */ + private void unionEmail(String email1, String email2, Set union) + { + // email1 is a particular address + if (email1.indexOf('@') != -1) + { + String _sub = email1.substring(email1.indexOf('@') + 1); + // both are a particular mailbox + if (email2.indexOf('@') != -1) + { + if (email1.equalsIgnoreCase(email2)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(_sub, email2)) + { + union.add(email2); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a particular host + else + { + if (_sub.equalsIgnoreCase(email2)) + { + union.add(email2); + } + else + { + union.add(email1); + union.add(email2); + } + } + } + // email1 specifies a domain + else if (email1.startsWith(".")) + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email1.indexOf('@') + 1); + if (withinDomain(_sub, email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2) + || email1.equalsIgnoreCase(email2)) + { + union.add(email2); + } + else if (withinDomain(email2, email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + else + { + if (withinDomain(email2, email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + } + // email specifies a host + else + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email1.indexOf('@') + 1); + if (_sub.equalsIgnoreCase(email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2)) + { + union.add(email2); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a particular host + else + { + if (email1.equalsIgnoreCase(email2)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + } + } + + private void unionURI(String email1, String email2, Set union) + { + // email1 is a particular address + if (email1.indexOf('@') != -1) + { + String _sub = email1.substring(email1.indexOf('@') + 1); + // both are a particular mailbox + if (email2.indexOf('@') != -1) + { + if (email1.equalsIgnoreCase(email2)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(_sub, email2)) + { + union.add(email2); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a particular host + else + { + if (_sub.equalsIgnoreCase(email2)) + { + union.add(email2); + } + else + { + union.add(email1); + union.add(email2); + } + } + } + // email1 specifies a domain + else if (email1.startsWith(".")) + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email1.indexOf('@') + 1); + if (withinDomain(_sub, email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2) + || email1.equalsIgnoreCase(email2)) + { + union.add(email2); + } + else if (withinDomain(email2, email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + else + { + if (withinDomain(email2, email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + } + // email specifies a host + else + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email1.indexOf('@') + 1); + if (_sub.equalsIgnoreCase(email1)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2)) + { + union.add(email2); + } + else + { + union.add(email1); + union.add(email2); + } + } + // email2 specifies a particular host + else + { + if (email1.equalsIgnoreCase(email2)) + { + union.add(email1); + } + else + { + union.add(email1); + union.add(email2); + } + } + } + } + + private Set intersectDNS(Set permitted, Set dnss) + { + Set intersect = new HashSet(); + for (Iterator it = dnss.iterator(); it.hasNext();) + { + String dns = extractNameAsString(((GeneralSubtree)it.next()) + .getBase()); + if (permitted == null) + { + if (dns != null) + { + intersect.add(dns); + } + } + else + { + Iterator _iter = permitted.iterator(); + while (_iter.hasNext()) + { + String _permitted = (String)_iter.next(); + + if (withinDomain(_permitted, dns)) + { + intersect.add(_permitted); + } + else if (withinDomain(dns, _permitted)) + { + intersect.add(dns); + } + } + } + } + + return intersect; + } + + protected Set unionDNS(Set excluded, String dns) + { + if (excluded.isEmpty()) + { + if (dns == null) + { + return excluded; + } + excluded.add(dns); + + return excluded; + } + else + { + Set union = new HashSet(); + + Iterator _iter = excluded.iterator(); + while (_iter.hasNext()) + { + String _permitted = (String)_iter.next(); + + if (withinDomain(_permitted, dns)) + { + union.add(dns); + } + else if (withinDomain(dns, _permitted)) + { + union.add(_permitted); + } + else + { + union.add(_permitted); + union.add(dns); + } + } + + return union; + } + } + + /** + * The most restricting part from <code>email1</code> and + * <code>email2</code> is added to the intersection <code>intersect</code>. + * + * @param email1 Email address constraint 1. + * @param email2 Email address constraint 2. + * @param intersect The intersection. + */ + private void intersectEmail(String email1, String email2, Set intersect) + { + // email1 is a particular address + if (email1.indexOf('@') != -1) + { + String _sub = email1.substring(email1.indexOf('@') + 1); + // both are a particular mailbox + if (email2.indexOf('@') != -1) + { + if (email1.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(_sub, email2)) + { + intersect.add(email1); + } + } + // email2 specifies a particular host + else + { + if (_sub.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + } + } + // email specifies a domain + else if (email1.startsWith(".")) + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email1.indexOf('@') + 1); + if (withinDomain(_sub, email1)) + { + intersect.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2) + || email1.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + else if (withinDomain(email2, email1)) + { + intersect.add(email2); + } + } + else + { + if (withinDomain(email2, email1)) + { + intersect.add(email2); + } + } + } + // email1 specifies a host + else + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email2.indexOf('@') + 1); + if (_sub.equalsIgnoreCase(email1)) + { + intersect.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2)) + { + intersect.add(email1); + } + } + // email2 specifies a particular host + else + { + if (email1.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + } + } + } + + private void checkExcludedURI(Set excluded, String uri) + throws PKIXNameConstraintValidatorException + { + if (excluded.isEmpty()) + { + return; + } + + Iterator it = excluded.iterator(); + + while (it.hasNext()) + { + String str = ((String)it.next()); + + if (isUriConstrained(uri, str)) + { + throw new PKIXNameConstraintValidatorException( + "URI is from an excluded subtree."); + } + } + } + + private Set intersectURI(Set permitted, Set uris) + { + Set intersect = new HashSet(); + for (Iterator it = uris.iterator(); it.hasNext();) + { + String uri = extractNameAsString(((GeneralSubtree)it.next()) + .getBase()); + if (permitted == null) + { + if (uri != null) + { + intersect.add(uri); + } + } + else + { + Iterator _iter = permitted.iterator(); + while (_iter.hasNext()) + { + String _permitted = (String)_iter.next(); + intersectURI(_permitted, uri, intersect); + } + } + } + return intersect; + } + + private Set unionURI(Set excluded, String uri) + { + if (excluded.isEmpty()) + { + if (uri == null) + { + return excluded; + } + excluded.add(uri); + + return excluded; + } + else + { + Set union = new HashSet(); + + Iterator _iter = excluded.iterator(); + while (_iter.hasNext()) + { + String _excluded = (String)_iter.next(); + + unionURI(_excluded, uri, union); + } + + return union; + } + } + + private void intersectURI(String email1, String email2, Set intersect) + { + // email1 is a particular address + if (email1.indexOf('@') != -1) + { + String _sub = email1.substring(email1.indexOf('@') + 1); + // both are a particular mailbox + if (email2.indexOf('@') != -1) + { + if (email1.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(_sub, email2)) + { + intersect.add(email1); + } + } + // email2 specifies a particular host + else + { + if (_sub.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + } + } + // email specifies a domain + else if (email1.startsWith(".")) + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email1.indexOf('@') + 1); + if (withinDomain(_sub, email1)) + { + intersect.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2) + || email1.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + else if (withinDomain(email2, email1)) + { + intersect.add(email2); + } + } + else + { + if (withinDomain(email2, email1)) + { + intersect.add(email2); + } + } + } + // email1 specifies a host + else + { + if (email2.indexOf('@') != -1) + { + String _sub = email2.substring(email2.indexOf('@') + 1); + if (_sub.equalsIgnoreCase(email1)) + { + intersect.add(email2); + } + } + // email2 specifies a domain + else if (email2.startsWith(".")) + { + if (withinDomain(email1, email2)) + { + intersect.add(email1); + } + } + // email2 specifies a particular host + else + { + if (email1.equalsIgnoreCase(email2)) + { + intersect.add(email1); + } + } + } + } + + private void checkPermittedURI(Set permitted, String uri) + throws PKIXNameConstraintValidatorException + { + if (permitted == null) + { + return; + } + + Iterator it = permitted.iterator(); + + while (it.hasNext()) + { + String str = ((String)it.next()); + + if (isUriConstrained(uri, str)) + { + return; + } + } + if (uri.length() == 0 && permitted.size() == 0) + { + return; + } + throw new PKIXNameConstraintValidatorException( + "URI is not from a permitted subtree."); + } + + private boolean isUriConstrained(String uri, String constraint) + { + String host = extractHostFromURL(uri); + // a host + if (!constraint.startsWith(".")) + { + if (host.equalsIgnoreCase(constraint)) + { + return true; + } + } + + // in sub domain or domain + else if (withinDomain(host, constraint)) + { + return true; + } + + return false; + } + + private static String extractHostFromURL(String url) + { + // see RFC 1738 + // remove ':' after protocol, e.g. http: + String sub = url.substring(url.indexOf(':') + 1); + // extract host from Common Internet Scheme Syntax, e.g. http:// + if (sub.indexOf("//") != -1) + { + sub = sub.substring(sub.indexOf("//") + 2); + } + // first remove port, e.g. http://test.com:21 + if (sub.lastIndexOf(':') != -1) + { + sub = sub.substring(0, sub.lastIndexOf(':')); + } + // remove user and password, e.g. http://john:password@test.com + sub = sub.substring(sub.indexOf(':') + 1); + sub = sub.substring(sub.indexOf('@') + 1); + // remove local parts, e.g. http://test.com/bla + if (sub.indexOf('/') != -1) + { + sub = sub.substring(0, sub.indexOf('/')); + } + return sub; + } + + /** + * Checks if the given GeneralName is in the permitted set. + * + * @param name The GeneralName + * @throws PKIXNameConstraintValidatorException + * If the <code>name</code> + */ + public void checkPermitted(GeneralName name) + throws PKIXNameConstraintValidatorException + { + switch (name.getTagNo()) + { + case 1: + checkPermittedEmail(permittedSubtreesEmail, + extractNameAsString(name)); + break; + case 2: + checkPermittedDNS(permittedSubtreesDNS, DERIA5String.getInstance( + name.getName()).getString()); + break; + case 4: + checkPermittedDN(ASN1Sequence.getInstance(name.getName() + .toASN1Primitive())); + break; + case 6: + checkPermittedURI(permittedSubtreesURI, DERIA5String.getInstance( + name.getName()).getString()); + break; + case 7: + byte[] ip = ASN1OctetString.getInstance(name.getName()).getOctets(); + + checkPermittedIP(permittedSubtreesIP, ip); + } + } + + /** + * Check if the given GeneralName is contained in the excluded set. + * + * @param name The GeneralName. + * @throws PKIXNameConstraintValidatorException + * If the <code>name</code> is + * excluded. + */ + public void checkExcluded(GeneralName name) + throws PKIXNameConstraintValidatorException + { + switch (name.getTagNo()) + { + case 1: + checkExcludedEmail(excludedSubtreesEmail, extractNameAsString(name)); + break; + case 2: + checkExcludedDNS(excludedSubtreesDNS, DERIA5String.getInstance( + name.getName()).getString()); + break; + case 4: + checkExcludedDN(ASN1Sequence.getInstance(name.getName() + .toASN1Primitive())); + break; + case 6: + checkExcludedURI(excludedSubtreesURI, DERIA5String.getInstance( + name.getName()).getString()); + break; + case 7: + byte[] ip = ASN1OctetString.getInstance(name.getName()).getOctets(); + + checkExcludedIP(excludedSubtreesIP, ip); + } + } + + public void intersectPermittedSubtree(GeneralSubtree permitted) + { + intersectPermittedSubtree(new GeneralSubtree[] { permitted }); + } + + /** + * Updates the permitted set of these name constraints with the intersection + * with the given subtree. + * + * @param permitted The permitted subtrees + */ + + public void intersectPermittedSubtree(GeneralSubtree[] permitted) + { + Map subtreesMap = new HashMap(); + + // group in sets in a map ordered by tag no. + for (int i = 0; i != permitted.length; i++) + { + GeneralSubtree subtree = permitted[i]; + Integer tagNo = Integers.valueOf(subtree.getBase().getTagNo()); + if (subtreesMap.get(tagNo) == null) + { + subtreesMap.put(tagNo, new HashSet()); + } + ((Set)subtreesMap.get(tagNo)).add(subtree); + } + + for (Iterator it = subtreesMap.entrySet().iterator(); it.hasNext();) + { + Map.Entry entry = (Map.Entry)it.next(); + + // go through all subtree groups + switch (((Integer)entry.getKey()).intValue()) + { + case 1: + permittedSubtreesEmail = intersectEmail(permittedSubtreesEmail, + (Set)entry.getValue()); + break; + case 2: + permittedSubtreesDNS = intersectDNS(permittedSubtreesDNS, + (Set)entry.getValue()); + break; + case 4: + permittedSubtreesDN = intersectDN(permittedSubtreesDN, + (Set)entry.getValue()); + break; + case 6: + permittedSubtreesURI = intersectURI(permittedSubtreesURI, + (Set)entry.getValue()); + break; + case 7: + permittedSubtreesIP = intersectIP(permittedSubtreesIP, + (Set)entry.getValue()); + } + } + } + + private String extractNameAsString(GeneralName name) + { + return DERIA5String.getInstance(name.getName()).getString(); + } + + public void intersectEmptyPermittedSubtree(int nameType) + { + switch (nameType) + { + case 1: + permittedSubtreesEmail = new HashSet(); + break; + case 2: + permittedSubtreesDNS = new HashSet(); + break; + case 4: + permittedSubtreesDN = new HashSet(); + break; + case 6: + permittedSubtreesURI = new HashSet(); + break; + case 7: + permittedSubtreesIP = new HashSet(); + } + } + + /** + * Adds a subtree to the excluded set of these name constraints. + * + * @param subtree A subtree with an excluded GeneralName. + */ + public void addExcludedSubtree(GeneralSubtree subtree) + { + GeneralName base = subtree.getBase(); + + switch (base.getTagNo()) + { + case 1: + excludedSubtreesEmail = unionEmail(excludedSubtreesEmail, + extractNameAsString(base)); + break; + case 2: + excludedSubtreesDNS = unionDNS(excludedSubtreesDNS, + extractNameAsString(base)); + break; + case 4: + excludedSubtreesDN = unionDN(excludedSubtreesDN, + (ASN1Sequence)base.getName().toASN1Primitive()); + break; + case 6: + excludedSubtreesURI = unionURI(excludedSubtreesURI, + extractNameAsString(base)); + break; + case 7: + excludedSubtreesIP = unionIP(excludedSubtreesIP, ASN1OctetString + .getInstance(base.getName()).getOctets()); + break; + } + } + + /** + * Returns the maximum IP address. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return The maximum IP address. + */ + private static byte[] max(byte[] ip1, byte[] ip2) + { + for (int i = 0; i < ip1.length; i++) + { + if ((ip1[i] & 0xFFFF) > (ip2[i] & 0xFFFF)) + { + return ip1; + } + } + return ip2; + } + + /** + * Returns the minimum IP address. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return The minimum IP address. + */ + private static byte[] min(byte[] ip1, byte[] ip2) + { + for (int i = 0; i < ip1.length; i++) + { + if ((ip1[i] & 0xFFFF) < (ip2[i] & 0xFFFF)) + { + return ip1; + } + } + return ip2; + } + + /** + * Compares IP address <code>ip1</code> with <code>ip2</code>. If ip1 + * is equal to ip2 0 is returned. If ip1 is bigger 1 is returned, -1 + * otherwise. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return 0 if ip1 is equal to ip2, 1 if ip1 is bigger, -1 otherwise. + */ + private static int compareTo(byte[] ip1, byte[] ip2) + { + if (Arrays.areEqual(ip1, ip2)) + { + return 0; + } + if (Arrays.areEqual(max(ip1, ip2), ip1)) + { + return 1; + } + return -1; + } + + /** + * Returns the logical OR of the IP addresses <code>ip1</code> and + * <code>ip2</code>. + * + * @param ip1 The first IP address. + * @param ip2 The second IP address. + * @return The OR of <code>ip1</code> and <code>ip2</code>. + */ + private static byte[] or(byte[] ip1, byte[] ip2) + { + byte[] temp = new byte[ip1.length]; + for (int i = 0; i < ip1.length; i++) + { + temp[i] = (byte)(ip1[i] | ip2[i]); + } + return temp; + } + + public int hashCode() + { + return hashCollection(excludedSubtreesDN) + + hashCollection(excludedSubtreesDNS) + + hashCollection(excludedSubtreesEmail) + + hashCollection(excludedSubtreesIP) + + hashCollection(excludedSubtreesURI) + + hashCollection(permittedSubtreesDN) + + hashCollection(permittedSubtreesDNS) + + hashCollection(permittedSubtreesEmail) + + hashCollection(permittedSubtreesIP) + + hashCollection(permittedSubtreesURI); + } + + private int hashCollection(Collection coll) + { + if (coll == null) + { + return 0; + } + int hash = 0; + Iterator it1 = coll.iterator(); + while (it1.hasNext()) + { + Object o = it1.next(); + if (o instanceof byte[]) + { + hash += Arrays.hashCode((byte[])o); + } + else + { + hash += o.hashCode(); + } + } + return hash; + } + + public boolean equals(Object o) + { + if (!(o instanceof PKIXNameConstraintValidator)) + { + return false; + } + PKIXNameConstraintValidator constraintValidator = (PKIXNameConstraintValidator)o; + return collectionsAreEqual(constraintValidator.excludedSubtreesDN, excludedSubtreesDN) + && collectionsAreEqual(constraintValidator.excludedSubtreesDNS, excludedSubtreesDNS) + && collectionsAreEqual(constraintValidator.excludedSubtreesEmail, excludedSubtreesEmail) + && collectionsAreEqual(constraintValidator.excludedSubtreesIP, excludedSubtreesIP) + && collectionsAreEqual(constraintValidator.excludedSubtreesURI, excludedSubtreesURI) + && collectionsAreEqual(constraintValidator.permittedSubtreesDN, permittedSubtreesDN) + && collectionsAreEqual(constraintValidator.permittedSubtreesDNS, permittedSubtreesDNS) + && collectionsAreEqual(constraintValidator.permittedSubtreesEmail, permittedSubtreesEmail) + && collectionsAreEqual(constraintValidator.permittedSubtreesIP, permittedSubtreesIP) + && collectionsAreEqual(constraintValidator.permittedSubtreesURI, permittedSubtreesURI); + } + + private boolean collectionsAreEqual(Collection coll1, Collection coll2) + { + if (coll1 == coll2) + { + return true; + } + if (coll1 == null || coll2 == null) + { + return false; + } + if (coll1.size() != coll2.size()) + { + return false; + } + Iterator it1 = coll1.iterator(); + + while (it1.hasNext()) + { + Object a = it1.next(); + Iterator it2 = coll2.iterator(); + boolean found = false; + while (it2.hasNext()) + { + Object b = it2.next(); + if (equals(a, b)) + { + found = true; + break; + } + } + if (!found) + { + return false; + } + } + return true; + } + + private boolean equals(Object o1, Object o2) + { + if (o1 == o2) + { + return true; + } + if (o1 == null || o2 == null) + { + return false; + } + if (o1 instanceof byte[] && o2 instanceof byte[]) + { + return Arrays.areEqual((byte[])o1, (byte[])o2); + } + else + { + return o1.equals(o2); + } + } + + /** + * Stringifies an IPv4 or v6 address with subnet mask. + * + * @param ip The IP with subnet mask. + * @return The stringified IP address. + */ + private String stringifyIP(byte[] ip) + { + String temp = ""; + for (int i = 0; i < ip.length / 2; i++) + { + temp += Integer.toString(ip[i] & 0x00FF) + "."; + } + temp = temp.substring(0, temp.length() - 1); + temp += "/"; + for (int i = ip.length / 2; i < ip.length; i++) + { + temp += Integer.toString(ip[i] & 0x00FF) + "."; + } + temp = temp.substring(0, temp.length() - 1); + return temp; + } + + private String stringifyIPCollection(Set ips) + { + String temp = ""; + temp += "["; + for (Iterator it = ips.iterator(); it.hasNext();) + { + temp += stringifyIP((byte[])it.next()) + ","; + } + if (temp.length() > 1) + { + temp = temp.substring(0, temp.length() - 1); + } + temp += "]"; + return temp; + } + + public String toString() + { + String temp = ""; + temp += "permitted:\n"; + if (permittedSubtreesDN != null) + { + temp += "DN:\n"; + temp += permittedSubtreesDN.toString() + "\n"; + } + if (permittedSubtreesDNS != null) + { + temp += "DNS:\n"; + temp += permittedSubtreesDNS.toString() + "\n"; + } + if (permittedSubtreesEmail != null) + { + temp += "Email:\n"; + temp += permittedSubtreesEmail.toString() + "\n"; + } + if (permittedSubtreesURI != null) + { + temp += "URI:\n"; + temp += permittedSubtreesURI.toString() + "\n"; + } + if (permittedSubtreesIP != null) + { + temp += "IP:\n"; + temp += stringifyIPCollection(permittedSubtreesIP) + "\n"; + } + temp += "excluded:\n"; + if (!excludedSubtreesDN.isEmpty()) + { + temp += "DN:\n"; + temp += excludedSubtreesDN.toString() + "\n"; + } + if (!excludedSubtreesDNS.isEmpty()) + { + temp += "DNS:\n"; + temp += excludedSubtreesDNS.toString() + "\n"; + } + if (!excludedSubtreesEmail.isEmpty()) + { + temp += "Email:\n"; + temp += excludedSubtreesEmail.toString() + "\n"; + } + if (!excludedSubtreesURI.isEmpty()) + { + temp += "URI:\n"; + temp += excludedSubtreesURI.toString() + "\n"; + } + if (!excludedSubtreesIP.isEmpty()) + { + temp += "IP:\n"; + temp += stringifyIPCollection(excludedSubtreesIP) + "\n"; + } + return temp; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidatorException.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidatorException.java new file mode 100644 index 00000000..b06d5e5b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXNameConstraintValidatorException.java @@ -0,0 +1,10 @@ +package org.bouncycastle.jce.provider; + +public class PKIXNameConstraintValidatorException + extends Exception +{ + public PKIXNameConstraintValidatorException(String msg) + { + super(msg); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXPolicyNode.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXPolicyNode.java new file mode 100644 index 00000000..34376055 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXPolicyNode.java @@ -0,0 +1,168 @@ +package org.bouncycastle.jce.provider; + +import java.security.cert.PolicyNode; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +public class PKIXPolicyNode + implements PolicyNode +{ + protected List children; + protected int depth; + protected Set expectedPolicies; + protected PolicyNode parent; + protected Set policyQualifiers; + protected String validPolicy; + protected boolean critical; + + /* + * + * CONSTRUCTORS + * + */ + + public PKIXPolicyNode( + List _children, + int _depth, + Set _expectedPolicies, + PolicyNode _parent, + Set _policyQualifiers, + String _validPolicy, + boolean _critical) + { + children = _children; + depth = _depth; + expectedPolicies = _expectedPolicies; + parent = _parent; + policyQualifiers = _policyQualifiers; + validPolicy = _validPolicy; + critical = _critical; + } + + public void addChild( + PKIXPolicyNode _child) + { + children.add(_child); + _child.setParent(this); + } + + public Iterator getChildren() + { + return children.iterator(); + } + + public int getDepth() + { + return depth; + } + + public Set getExpectedPolicies() + { + return expectedPolicies; + } + + public PolicyNode getParent() + { + return parent; + } + + public Set getPolicyQualifiers() + { + return policyQualifiers; + } + + public String getValidPolicy() + { + return validPolicy; + } + + public boolean hasChildren() + { + return !children.isEmpty(); + } + + public boolean isCritical() + { + return critical; + } + + public void removeChild(PKIXPolicyNode _child) + { + children.remove(_child); + } + + public void setCritical(boolean _critical) + { + critical = _critical; + } + + public void setParent(PKIXPolicyNode _parent) + { + parent = _parent; + } + + public String toString() + { + return toString(""); + } + + public String toString(String _indent) + { + StringBuffer _buf = new StringBuffer(); + _buf.append(_indent); + _buf.append(validPolicy); + _buf.append(" {\n"); + + for(int i = 0; i < children.size(); i++) + { + _buf.append(((PKIXPolicyNode)children.get(i)).toString(_indent + " ")); + } + + _buf.append(_indent); + _buf.append("}\n"); + return _buf.toString(); + } + + public Object clone() + { + return copy(); + } + + public PKIXPolicyNode copy() + { + Set _expectedPolicies = new HashSet(); + Iterator _iter = expectedPolicies.iterator(); + while (_iter.hasNext()) + { + _expectedPolicies.add(new String((String)_iter.next())); + } + + Set _policyQualifiers = new HashSet(); + _iter = policyQualifiers.iterator(); + while (_iter.hasNext()) + { + _policyQualifiers.add(new String((String)_iter.next())); + } + + PKIXPolicyNode _node = new PKIXPolicyNode(new ArrayList(), + depth, + _expectedPolicies, + null, + _policyQualifiers, + new String(validPolicy), + critical); + + _iter = children.iterator(); + while (_iter.hasNext()) + { + PKIXPolicyNode _child = ((PKIXPolicyNode)_iter.next()).copy(); + _child.setParent(_node); + _node.addChild(_child); + } + + return _node; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java new file mode 100644 index 00000000..769edb8a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java @@ -0,0 +1,2565 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.GeneralSecurityException; +import java.security.PublicKey; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.security.cert.X509Extension; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Date; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.Vector; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1TaggedObject; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.CRLDistPoint; +import org.bouncycastle.asn1.x509.CRLReason; +import org.bouncycastle.asn1.x509.DistributionPoint; +import org.bouncycastle.asn1.x509.DistributionPointName; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.GeneralSubtree; +import org.bouncycastle.asn1.x509.IssuingDistributionPoint; +import org.bouncycastle.asn1.x509.NameConstraints; +import org.bouncycastle.asn1.x509.PolicyInformation; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.asn1.x509.X509Name; +import org.bouncycastle.jce.exception.ExtCertPathValidatorException; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.x509.ExtendedPKIXBuilderParameters; +import org.bouncycastle.x509.ExtendedPKIXParameters; +import org.bouncycastle.x509.X509CRLStoreSelector; +import org.bouncycastle.x509.X509CertStoreSelector; + +public class RFC3280CertPathUtilities +{ + private static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil(); + + /** + * If the complete CRL includes an issuing distribution point (IDP) CRL + * extension check the following: + * <p/> + * (i) If the distribution point name is present in the IDP CRL extension + * and the distribution field is present in the DP, then verify that one of + * the names in the IDP matches one of the names in the DP. If the + * distribution point name is present in the IDP CRL extension and the + * distribution field is omitted from the DP, then verify that one of the + * names in the IDP matches one of the names in the cRLIssuer field of the + * DP. + * </p> + * <p/> + * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL + * extension, verify that the certificate does not include the basic + * constraints extension with the cA boolean asserted. + * </p> + * <p/> + * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL + * extension, verify that the certificate includes the basic constraints + * extension with the cA boolean asserted. + * </p> + * <p/> + * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted. + * </p> + * + * @param dp The distribution point. + * @param cert The certificate. + * @param crl The CRL. + * @throws AnnotatedException if one of the conditions is not met or an error occurs. + */ + protected static void processCRLB2( + DistributionPoint dp, + Object cert, + X509CRL crl) + throws AnnotatedException + { + IssuingDistributionPoint idp = null; + try + { + idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, + RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT)); + } + catch (Exception e) + { + throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e); + } + // (b) (2) (i) + // distribution point name is present + if (idp != null) + { + if (idp.getDistributionPoint() != null) + { + // make list of names + DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint(); + List names = new ArrayList(); + + if (dpName.getType() == DistributionPointName.FULL_NAME) + { + GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames(); + for (int j = 0; j < genNames.length; j++) + { + names.add(genNames[j]); + } + } + if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) + { + ASN1EncodableVector vec = new ASN1EncodableVector(); + try + { + Enumeration e = ASN1Sequence.getInstance( + ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getIssuerPrincipal(crl) + .getEncoded())).getObjects(); + while (e.hasMoreElements()) + { + vec.add((ASN1Encodable)e.nextElement()); + } + } + catch (IOException e) + { + throw new AnnotatedException("Could not read CRL issuer.", e); + } + vec.add(dpName.getName()); + names.add(new GeneralName(X509Name.getInstance(new DERSequence(vec)))); + } + boolean matches = false; + // verify that one of the names in the IDP matches one + // of the names in the DP. + if (dp.getDistributionPoint() != null) + { + dpName = dp.getDistributionPoint(); + GeneralName[] genNames = null; + if (dpName.getType() == DistributionPointName.FULL_NAME) + { + genNames = GeneralNames.getInstance(dpName.getName()).getNames(); + } + if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) + { + if (dp.getCRLIssuer() != null) + { + genNames = dp.getCRLIssuer().getNames(); + } + else + { + genNames = new GeneralName[1]; + try + { + genNames[0] = new GeneralName(new X509Name( + (ASN1Sequence)ASN1Sequence.fromByteArray(CertPathValidatorUtilities + .getEncodedIssuerPrincipal(cert).getEncoded()))); + } + catch (IOException e) + { + throw new AnnotatedException("Could not read certificate issuer.", e); + } + } + for (int j = 0; j < genNames.length; j++) + { + Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects(); + ASN1EncodableVector vec = new ASN1EncodableVector(); + while (e.hasMoreElements()) + { + vec.add((ASN1Encodable)e.nextElement()); + } + vec.add(dpName.getName()); + genNames[j] = new GeneralName(new X509Name(new DERSequence(vec))); + } + } + if (genNames != null) + { + for (int j = 0; j < genNames.length; j++) + { + if (names.contains(genNames[j])) + { + matches = true; + break; + } + } + } + if (!matches) + { + throw new AnnotatedException( + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + } + // verify that one of the names in + // the IDP matches one of the names in the cRLIssuer field of + // the DP + else + { + if (dp.getCRLIssuer() == null) + { + throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + + "be contained in DistributionPoint."); + } + GeneralName[] genNames = dp.getCRLIssuer().getNames(); + for (int j = 0; j < genNames.length; j++) + { + if (names.contains(genNames[j])) + { + matches = true; + break; + } + } + if (!matches) + { + throw new AnnotatedException( + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + } + } + BasicConstraints bc = null; + try + { + bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension)cert, + BASIC_CONSTRAINTS)); + } + catch (Exception e) + { + throw new AnnotatedException("Basic constraints extension could not be decoded.", e); + } + + if (cert instanceof X509Certificate) + { + // (b) (2) (ii) + if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) + { + throw new AnnotatedException("CA Cert CRL only contains user certificates."); + } + + // (b) (2) (iii) + if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) + { + throw new AnnotatedException("End CRL only contains CA certificates."); + } + } + + // (b) (2) (iv) + if (idp.onlyContainsAttributeCerts()) + { + throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted."); + } + } + } + + /** + * If the DP includes cRLIssuer, then verify that the issuer field in the + * complete CRL matches cRLIssuer in the DP and that the complete CRL + * contains an issuing distribution point extension with the indirectCRL + * boolean asserted. Otherwise, verify that the CRL issuer matches the + * certificate issuer. + * + * @param dp The distribution point. + * @param cert The certificate ot attribute certificate. + * @param crl The CRL for <code>cert</code>. + * @throws AnnotatedException if one of the above conditions does not apply or an error + * occurs. + */ + protected static void processCRLB1( + DistributionPoint dp, + Object cert, + X509CRL crl) + throws AnnotatedException + { + ASN1Primitive idp = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT); + boolean isIndirect = false; + if (idp != null) + { + if (IssuingDistributionPoint.getInstance(idp).isIndirectCRL()) + { + isIndirect = true; + } + } + byte[] issuerBytes = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded(); + + boolean matchIssuer = false; + if (dp.getCRLIssuer() != null) + { + GeneralName genNames[] = dp.getCRLIssuer().getNames(); + for (int j = 0; j < genNames.length; j++) + { + if (genNames[j].getTagNo() == GeneralName.directoryName) + { + try + { + if (Arrays.areEqual(genNames[j].getName().toASN1Primitive().getEncoded(), issuerBytes)) + { + matchIssuer = true; + } + } + catch (IOException e) + { + throw new AnnotatedException( + "CRL issuer information from distribution point cannot be decoded.", e); + } + } + } + if (matchIssuer && !isIndirect) + { + throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect."); + } + if (!matchIssuer) + { + throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point."); + } + } + else + { + if (CertPathValidatorUtilities.getIssuerPrincipal(crl).equals( + CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert))) + { + matchIssuer = true; + } + } + if (!matchIssuer) + { + throw new AnnotatedException("Cannot find matching CRL issuer for certificate."); + } + } + + protected static ReasonsMask processCRLD( + X509CRL crl, + DistributionPoint dp) + throws AnnotatedException + { + IssuingDistributionPoint idp = null; + try + { + idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, + RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT)); + } + catch (Exception e) + { + throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e); + } + // (d) (1) + if (idp != null && idp.getOnlySomeReasons() != null && dp.getReasons() != null) + { + return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons())); + } + // (d) (4) + if ((idp == null || idp.getOnlySomeReasons() == null) && dp.getReasons() == null) + { + return ReasonsMask.allReasons; + } + // (d) (2) and (d)(3) + return (dp.getReasons() == null + ? ReasonsMask.allReasons + : new ReasonsMask(dp.getReasons())).intersect(idp == null + ? ReasonsMask.allReasons + : new ReasonsMask(idp.getOnlySomeReasons())); + + } + + public static final String CERTIFICATE_POLICIES = X509Extensions.CertificatePolicies.getId(); + + public static final String POLICY_MAPPINGS = X509Extensions.PolicyMappings.getId(); + + public static final String INHIBIT_ANY_POLICY = X509Extensions.InhibitAnyPolicy.getId(); + + public static final String ISSUING_DISTRIBUTION_POINT = X509Extensions.IssuingDistributionPoint.getId(); + + public static final String FRESHEST_CRL = X509Extensions.FreshestCRL.getId(); + + public static final String DELTA_CRL_INDICATOR = X509Extensions.DeltaCRLIndicator.getId(); + + public static final String POLICY_CONSTRAINTS = X509Extensions.PolicyConstraints.getId(); + + public static final String BASIC_CONSTRAINTS = X509Extensions.BasicConstraints.getId(); + + public static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints.getId(); + + public static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId(); + + public static final String NAME_CONSTRAINTS = X509Extensions.NameConstraints.getId(); + + public static final String AUTHORITY_KEY_IDENTIFIER = X509Extensions.AuthorityKeyIdentifier.getId(); + + public static final String KEY_USAGE = X509Extensions.KeyUsage.getId(); + + public static final String CRL_NUMBER = X509Extensions.CRLNumber.getId(); + + public static final String ANY_POLICY = "2.5.29.32.0"; + + /* + * key usage bits + */ + protected static final int KEY_CERT_SIGN = 5; + + protected static final int CRL_SIGN = 6; + + /** + * Obtain and validate the certification path for the complete CRL issuer. + * If a key usage extension is present in the CRL issuer's certificate, + * verify that the cRLSign bit is set. + * + * @param crl CRL which contains revocation information for the certificate + * <code>cert</code>. + * @param cert The attribute certificate or certificate to check if it is + * revoked. + * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>. + * @param defaultCRLSignKey The public key of the issuer certificate + * <code>defaultCRLSignCert</code>. + * @param paramsPKIX paramsPKIX PKIX parameters. + * @param certPathCerts The certificates on the certification path. + * @return A <code>Set</code> with all keys of possible CRL issuer + * certificates. + * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or + * some error occurs. + */ + protected static Set processCRLF( + X509CRL crl, + Object cert, + X509Certificate defaultCRLSignCert, + PublicKey defaultCRLSignKey, + ExtendedPKIXParameters paramsPKIX, + List certPathCerts) + throws AnnotatedException + { + // (f) + + // get issuer from CRL + X509CertStoreSelector selector = new X509CertStoreSelector(); + try + { + byte[] issuerPrincipal = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded(); + selector.setSubject(issuerPrincipal); + } + catch (IOException e) + { + throw new AnnotatedException( + "Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e); + } + + // get CRL signing certs + Collection coll; + try + { + coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getStores()); + coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getAdditionalStores())); + coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores())); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e); + } + + coll.add(defaultCRLSignCert); + + Iterator cert_it = coll.iterator(); + + List validCerts = new ArrayList(); + List validKeys = new ArrayList(); + + while (cert_it.hasNext()) + { + X509Certificate signingCert = (X509Certificate)cert_it.next(); + + /* + * CA of the certificate, for which this CRL is checked, has also + * signed CRL, so skip the path validation, because is already done + */ + if (signingCert.equals(defaultCRLSignCert)) + { + validCerts.add(signingCert); + validKeys.add(defaultCRLSignKey); + continue; + } + try + { + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); + selector = new X509CertStoreSelector(); + selector.setCertificate(signingCert); + ExtendedPKIXParameters temp = (ExtendedPKIXParameters)paramsPKIX.clone(); + temp.setTargetCertConstraints(selector); + ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters)ExtendedPKIXBuilderParameters + .getInstance(temp); + /* + * if signingCert is placed not higher on the cert path a + * dependency loop results. CRL for cert is checked, but + * signingCert is needed for checking the CRL which is dependent + * on checking cert because it is higher in the cert path and so + * signing signingCert transitively. so, revocation is disabled, + * forgery attacks of the CRL are detected in this outer loop + * for all other it must be enabled to prevent forgery attacks + */ + if (certPathCerts.contains(signingCert)) + { + params.setRevocationEnabled(false); + } + else + { + params.setRevocationEnabled(true); + } + List certs = builder.build(params).getCertPath().getCertificates(); + validCerts.add(signingCert); + validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0)); + } + catch (CertPathBuilderException e) + { + throw new AnnotatedException("Internal error.", e); + } + catch (CertPathValidatorException e) + { + throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e); + } + catch (Exception e) + { + throw new RuntimeException(e.getMessage()); + } + } + + Set checkKeys = new HashSet(); + + AnnotatedException lastException = null; + for (int i = 0; i < validCerts.size(); i++) + { + X509Certificate signCert = (X509Certificate)validCerts.get(i); + boolean[] keyusage = signCert.getKeyUsage(); + + if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN])) + { + lastException = new AnnotatedException( + "Issuer certificate key usage extension does not permit CRL signing."); + } + else + { + checkKeys.add(validKeys.get(i)); + } + } + + if (checkKeys.isEmpty() && lastException == null) + { + throw new AnnotatedException("Cannot find a valid issuer certificate."); + } + if (checkKeys.isEmpty() && lastException != null) + { + throw lastException; + } + + return checkKeys; + } + + protected static PublicKey processCRLG( + X509CRL crl, + Set keys) + throws AnnotatedException + { + Exception lastException = null; + for (Iterator it = keys.iterator(); it.hasNext();) + { + PublicKey key = (PublicKey)it.next(); + try + { + crl.verify(key); + return key; + } + catch (Exception e) + { + lastException = e; + } + } + throw new AnnotatedException("Cannot verify CRL.", lastException); + } + + protected static X509CRL processCRLH( + Set deltacrls, + PublicKey key) + throws AnnotatedException + { + Exception lastException = null; + + for (Iterator it = deltacrls.iterator(); it.hasNext();) + { + X509CRL crl = (X509CRL)it.next(); + try + { + crl.verify(key); + return crl; + } + catch (Exception e) + { + lastException = e; + } + } + + if (lastException != null) + { + throw new AnnotatedException("Cannot verify delta CRL.", lastException); + } + return null; + } + + protected static Set processCRLA1i( + Date currentDate, + ExtendedPKIXParameters paramsPKIX, + X509Certificate cert, + X509CRL crl) + throws AnnotatedException + { + Set set = new HashSet(); + if (paramsPKIX.isUseDeltasEnabled()) + { + CRLDistPoint freshestCRL = null; + try + { + freshestCRL = CRLDistPoint + .getInstance(CertPathValidatorUtilities.getExtensionValue(cert, FRESHEST_CRL)); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Freshest CRL extension could not be decoded from certificate.", e); + } + if (freshestCRL == null) + { + try + { + freshestCRL = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, + FRESHEST_CRL)); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Freshest CRL extension could not be decoded from CRL.", e); + } + } + if (freshestCRL != null) + { + try + { + CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(freshestCRL, paramsPKIX); + } + catch (AnnotatedException e) + { + throw new AnnotatedException( + "No new delta CRL locations could be added from Freshest CRL extension.", e); + } + // get delta CRL(s) + try + { + set.addAll(CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl)); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Exception obtaining delta CRLs.", e); + } + } + } + return set; + } + + protected static Set[] processCRLA1ii( + Date currentDate, + ExtendedPKIXParameters paramsPKIX, + X509Certificate cert, + X509CRL crl) + throws AnnotatedException + { + Set deltaSet = new HashSet(); + X509CRLStoreSelector crlselect = new X509CRLStoreSelector(); + crlselect.setCertificateChecking(cert); + + try + { + crlselect.addIssuerName(crl.getIssuerX500Principal().getEncoded()); + } + catch (IOException e) + { + throw new AnnotatedException("Cannot extract issuer from CRL." + e, e); + } + + crlselect.setCompleteCRLEnabled(true); + Set completeSet = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate); + + if (paramsPKIX.isUseDeltasEnabled()) + { + // get delta CRL(s) + try + { + deltaSet.addAll(CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl)); + } + catch (AnnotatedException e) + { + throw new AnnotatedException("Exception obtaining delta CRLs.", e); + } + } + return new Set[] + { + completeSet, + deltaSet}; + } + + + + /** + * If use-deltas is set, verify the issuer and scope of the delta CRL. + * + * @param deltaCRL The delta CRL. + * @param completeCRL The complete CRL. + * @param pkixParams The PKIX paramaters. + * @throws AnnotatedException if an exception occurs. + */ + protected static void processCRLC( + X509CRL deltaCRL, + X509CRL completeCRL, + ExtendedPKIXParameters pkixParams) + throws AnnotatedException + { + if (deltaCRL == null) + { + return; + } + IssuingDistributionPoint completeidp = null; + try + { + completeidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue( + completeCRL, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT)); + } + catch (Exception e) + { + throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e); + } + + if (pkixParams.isUseDeltasEnabled()) + { + // (c) (1) + if (!deltaCRL.getIssuerX500Principal().equals(completeCRL.getIssuerX500Principal())) + { + throw new AnnotatedException("Complete CRL issuer does not match delta CRL issuer."); + } + + // (c) (2) + IssuingDistributionPoint deltaidp = null; + try + { + deltaidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue( + deltaCRL, ISSUING_DISTRIBUTION_POINT)); + } + catch (Exception e) + { + throw new AnnotatedException( + "Issuing distribution point extension from delta CRL could not be decoded.", e); + } + + boolean match = false; + if (completeidp == null) + { + if (deltaidp == null) + { + match = true; + } + } + else + { + if (completeidp.equals(deltaidp)) + { + match = true; + } + } + if (!match) + { + throw new AnnotatedException( + "Issuing distribution point extension from delta CRL and complete CRL does not match."); + } + + // (c) (3) + ASN1Primitive completeKeyIdentifier = null; + try + { + completeKeyIdentifier = CertPathValidatorUtilities.getExtensionValue( + completeCRL, AUTHORITY_KEY_IDENTIFIER); + } + catch (AnnotatedException e) + { + throw new AnnotatedException( + "Authority key identifier extension could not be extracted from complete CRL.", e); + } + + ASN1Primitive deltaKeyIdentifier = null; + try + { + deltaKeyIdentifier = CertPathValidatorUtilities.getExtensionValue( + deltaCRL, AUTHORITY_KEY_IDENTIFIER); + } + catch (AnnotatedException e) + { + throw new AnnotatedException( + "Authority key identifier extension could not be extracted from delta CRL.", e); + } + + if (completeKeyIdentifier == null) + { + throw new AnnotatedException("CRL authority key identifier is null."); + } + + if (deltaKeyIdentifier == null) + { + throw new AnnotatedException("Delta CRL authority key identifier is null."); + } + + if (!completeKeyIdentifier.equals(deltaKeyIdentifier)) + { + throw new AnnotatedException( + "Delta CRL authority key identifier does not match complete CRL authority key identifier."); + } + } + } + + protected static void processCRLI( + Date validDate, + X509CRL deltacrl, + Object cert, + CertStatus certStatus, + ExtendedPKIXParameters pkixParams) + throws AnnotatedException + { + if (pkixParams.isUseDeltasEnabled() && deltacrl != null) + { + CertPathValidatorUtilities.getCertStatus(validDate, deltacrl, cert, certStatus); + } + } + + protected static void processCRLJ( + Date validDate, + X509CRL completecrl, + Object cert, + CertStatus certStatus) + throws AnnotatedException + { + if (certStatus.getCertStatus() == CertStatus.UNREVOKED) + { + CertPathValidatorUtilities.getCertStatus(validDate, completecrl, cert, certStatus); + } + } + + protected static PKIXPolicyNode prepareCertB( + CertPath certPath, + int index, + List[] policyNodes, + PKIXPolicyNode validPolicyTree, + int policyMapping) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + int n = certs.size(); + // i as defined in the algorithm description + int i = n - index; + // (b) + // + ASN1Sequence pm = null; + try + { + pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.POLICY_MAPPINGS)); + } + catch (AnnotatedException ex) + { + throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath, + index); + } + PKIXPolicyNode _validPolicyTree = validPolicyTree; + if (pm != null) + { + ASN1Sequence mappings = (ASN1Sequence)pm; + Map m_idp = new HashMap(); + Set s_idp = new HashSet(); + + for (int j = 0; j < mappings.size(); j++) + { + ASN1Sequence mapping = (ASN1Sequence)mappings.getObjectAt(j); + String id_p = ((DERObjectIdentifier)mapping.getObjectAt(0)).getId(); + String sd_p = ((DERObjectIdentifier)mapping.getObjectAt(1)).getId(); + Set tmp; + + if (!m_idp.containsKey(id_p)) + { + tmp = new HashSet(); + tmp.add(sd_p); + m_idp.put(id_p, tmp); + s_idp.add(id_p); + } + else + { + tmp = (Set)m_idp.get(id_p); + tmp.add(sd_p); + } + } + + Iterator it_idp = s_idp.iterator(); + while (it_idp.hasNext()) + { + String id_p = (String)it_idp.next(); + + // + // (1) + // + if (policyMapping > 0) + { + boolean idp_found = false; + Iterator nodes_i = policyNodes[i].iterator(); + while (nodes_i.hasNext()) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next(); + if (node.getValidPolicy().equals(id_p)) + { + idp_found = true; + node.expectedPolicies = (Set)m_idp.get(id_p); + break; + } + } + + if (!idp_found) + { + nodes_i = policyNodes[i].iterator(); + while (nodes_i.hasNext()) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next(); + if (RFC3280CertPathUtilities.ANY_POLICY.equals(node.getValidPolicy())) + { + Set pq = null; + ASN1Sequence policies = null; + try + { + policies = (ASN1Sequence)CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.CERTIFICATE_POLICIES); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException( + "Certificate policies extension could not be decoded.", e, certPath, index); + } + Enumeration e = policies.getObjects(); + while (e.hasMoreElements()) + { + PolicyInformation pinfo = null; + try + { + pinfo = PolicyInformation.getInstance(e.nextElement()); + } + catch (Exception ex) + { + throw new CertPathValidatorException( + "Policy information could not be decoded.", ex, certPath, index); + } + if (RFC3280CertPathUtilities.ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId())) + { + try + { + pq = CertPathValidatorUtilities + .getQualifierSet(pinfo.getPolicyQualifiers()); + } + catch (CertPathValidatorException ex) + { + + throw new ExtCertPathValidatorException( + "Policy qualifier info set could not be decoded.", ex, certPath, + index); + } + break; + } + } + boolean ci = false; + if (cert.getCriticalExtensionOIDs() != null) + { + ci = cert.getCriticalExtensionOIDs().contains( + RFC3280CertPathUtilities.CERTIFICATE_POLICIES); + } + + PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent(); + if (RFC3280CertPathUtilities.ANY_POLICY.equals(p_node.getValidPolicy())) + { + PKIXPolicyNode c_node = new PKIXPolicyNode(new ArrayList(), i, (Set)m_idp + .get(id_p), p_node, pq, id_p, ci); + p_node.addChild(c_node); + policyNodes[i].add(c_node); + } + break; + } + } + } + + // + // (2) + // + } + else if (policyMapping <= 0) + { + Iterator nodes_i = policyNodes[i].iterator(); + while (nodes_i.hasNext()) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next(); + if (node.getValidPolicy().equals(id_p)) + { + PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent(); + p_node.removeChild(node); + nodes_i.remove(); + for (int k = (i - 1); k >= 0; k--) + { + List nodes = policyNodes[k]; + for (int l = 0; l < nodes.size(); l++) + { + PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l); + if (!node2.hasChildren()) + { + _validPolicyTree = CertPathValidatorUtilities.removePolicyNode( + _validPolicyTree, policyNodes, node2); + if (_validPolicyTree == null) + { + break; + } + } + } + } + } + } + } + } + } + return _validPolicyTree; + } + + protected static void prepareNextCertA( + CertPath certPath, + int index) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // + // (a) check the policy mappings + // + ASN1Sequence pm = null; + try + { + pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.POLICY_MAPPINGS)); + } + catch (AnnotatedException ex) + { + throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath, + index); + } + if (pm != null) + { + ASN1Sequence mappings = pm; + + for (int j = 0; j < mappings.size(); j++) + { + DERObjectIdentifier issuerDomainPolicy = null; + DERObjectIdentifier subjectDomainPolicy = null; + try + { + ASN1Sequence mapping = DERSequence.getInstance(mappings.getObjectAt(j)); + + issuerDomainPolicy = DERObjectIdentifier.getInstance(mapping.getObjectAt(0)); + subjectDomainPolicy = DERObjectIdentifier.getInstance(mapping.getObjectAt(1)); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Policy mappings extension contents could not be decoded.", + e, certPath, index); + } + + if (RFC3280CertPathUtilities.ANY_POLICY.equals(issuerDomainPolicy.getId())) + { + + throw new CertPathValidatorException("IssuerDomainPolicy is anyPolicy", null, certPath, index); + } + + if (RFC3280CertPathUtilities.ANY_POLICY.equals(subjectDomainPolicy.getId())) + { + + throw new CertPathValidatorException("SubjectDomainPolicy is anyPolicy,", null, certPath, index); + } + } + } + } + + protected static void processCertF( + CertPath certPath, + int index, + PKIXPolicyNode validPolicyTree, + int explicitPolicy) + throws CertPathValidatorException + { + // + // (f) + // + if (explicitPolicy <= 0 && validPolicyTree == null) + { + throw new ExtCertPathValidatorException("No valid policy tree found when one expected.", null, certPath, + index); + } + } + + protected static PKIXPolicyNode processCertE( + CertPath certPath, + int index, + PKIXPolicyNode validPolicyTree) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (e) + // + ASN1Sequence certPolicies = null; + try + { + certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.CERTIFICATE_POLICIES)); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.", + e, certPath, index); + } + if (certPolicies == null) + { + validPolicyTree = null; + } + return validPolicyTree; + } + + protected static void processCertBC( + CertPath certPath, + int index, + PKIXNameConstraintValidator nameConstraintValidator) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + int n = certs.size(); + // i as defined in the algorithm description + int i = n - index; + // + // (b), (c) permitted and excluded subtree checking. + // + if (!(CertPathValidatorUtilities.isSelfIssued(cert) && (i < n))) + { + X500Principal principal = CertPathValidatorUtilities.getSubjectPrincipal(cert); + ASN1InputStream aIn = new ASN1InputStream(principal.getEncoded()); + ASN1Sequence dns; + + try + { + dns = DERSequence.getInstance(aIn.readObject()); + } + catch (Exception e) + { + throw new CertPathValidatorException("Exception extracting subject name when checking subtrees.", e, + certPath, index); + } + + try + { + nameConstraintValidator.checkPermittedDN(dns); + nameConstraintValidator.checkExcludedDN(dns); + } + catch (PKIXNameConstraintValidatorException e) + { + throw new CertPathValidatorException("Subtree check for certificate subject failed.", e, certPath, + index); + } + + GeneralNames altName = null; + try + { + altName = GeneralNames.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME)); + } + catch (Exception e) + { + throw new CertPathValidatorException("Subject alternative name extension could not be decoded.", e, + certPath, index); + } + Vector emails = new X509Name(dns).getValues(X509Name.EmailAddress); + for (Enumeration e = emails.elements(); e.hasMoreElements();) + { + String email = (String)e.nextElement(); + GeneralName emailAsGeneralName = new GeneralName(GeneralName.rfc822Name, email); + try + { + nameConstraintValidator.checkPermitted(emailAsGeneralName); + nameConstraintValidator.checkExcluded(emailAsGeneralName); + } + catch (PKIXNameConstraintValidatorException ex) + { + throw new CertPathValidatorException( + "Subtree check for certificate subject alternative email failed.", ex, certPath, index); + } + } + if (altName != null) + { + GeneralName[] genNames = null; + try + { + genNames = altName.getNames(); + } + catch (Exception e) + { + throw new CertPathValidatorException("Subject alternative name contents could not be decoded.", e, + certPath, index); + } + for (int j = 0; j < genNames.length; j++) + { + + try + { + nameConstraintValidator.checkPermitted(genNames[j]); + nameConstraintValidator.checkExcluded(genNames[j]); + } + catch (PKIXNameConstraintValidatorException e) + { + throw new CertPathValidatorException( + "Subtree check for certificate subject alternative name failed.", e, certPath, index); + } + } + } + } + } + + protected static PKIXPolicyNode processCertD( + CertPath certPath, + int index, + Set acceptablePolicies, + PKIXPolicyNode validPolicyTree, + List[] policyNodes, + int inhibitAnyPolicy) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + int n = certs.size(); + // i as defined in the algorithm description + int i = n - index; + // + // (d) policy Information checking against initial policy and + // policy mapping + // + ASN1Sequence certPolicies = null; + try + { + certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.CERTIFICATE_POLICIES)); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.", + e, certPath, index); + } + if (certPolicies != null && validPolicyTree != null) + { + // + // (d) (1) + // + Enumeration e = certPolicies.getObjects(); + Set pols = new HashSet(); + + while (e.hasMoreElements()) + { + PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement()); + DERObjectIdentifier pOid = pInfo.getPolicyIdentifier(); + + pols.add(pOid.getId()); + + if (!RFC3280CertPathUtilities.ANY_POLICY.equals(pOid.getId())) + { + Set pq = null; + try + { + pq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers()); + } + catch (CertPathValidatorException ex) + { + throw new ExtCertPathValidatorException("Policy qualifier info set could not be build.", ex, + certPath, index); + } + + boolean match = CertPathValidatorUtilities.processCertD1i(i, policyNodes, pOid, pq); + + if (!match) + { + CertPathValidatorUtilities.processCertD1ii(i, policyNodes, pOid, pq); + } + } + } + + if (acceptablePolicies.isEmpty() || acceptablePolicies.contains(RFC3280CertPathUtilities.ANY_POLICY)) + { + acceptablePolicies.clear(); + acceptablePolicies.addAll(pols); + } + else + { + Iterator it = acceptablePolicies.iterator(); + Set t1 = new HashSet(); + + while (it.hasNext()) + { + Object o = it.next(); + + if (pols.contains(o)) + { + t1.add(o); + } + } + acceptablePolicies.clear(); + acceptablePolicies.addAll(t1); + } + + // + // (d) (2) + // + if ((inhibitAnyPolicy > 0) || ((i < n) && CertPathValidatorUtilities.isSelfIssued(cert))) + { + e = certPolicies.getObjects(); + + while (e.hasMoreElements()) + { + PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement()); + + if (RFC3280CertPathUtilities.ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId())) + { + Set _apq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers()); + List _nodes = policyNodes[i - 1]; + + for (int k = 0; k < _nodes.size(); k++) + { + PKIXPolicyNode _node = (PKIXPolicyNode)_nodes.get(k); + + Iterator _policySetIter = _node.getExpectedPolicies().iterator(); + while (_policySetIter.hasNext()) + { + Object _tmp = _policySetIter.next(); + + String _policy; + if (_tmp instanceof String) + { + _policy = (String)_tmp; + } + else if (_tmp instanceof DERObjectIdentifier) + { + _policy = ((DERObjectIdentifier)_tmp).getId(); + } + else + { + continue; + } + + boolean _found = false; + Iterator _childrenIter = _node.getChildren(); + + while (_childrenIter.hasNext()) + { + PKIXPolicyNode _child = (PKIXPolicyNode)_childrenIter.next(); + + if (_policy.equals(_child.getValidPolicy())) + { + _found = true; + } + } + + if (!_found) + { + Set _newChildExpectedPolicies = new HashSet(); + _newChildExpectedPolicies.add(_policy); + + PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(), i, + _newChildExpectedPolicies, _node, _apq, _policy, false); + _node.addChild(_newChild); + policyNodes[i].add(_newChild); + } + } + } + break; + } + } + } + + PKIXPolicyNode _validPolicyTree = validPolicyTree; + // + // (d) (3) + // + for (int j = (i - 1); j >= 0; j--) + { + List nodes = policyNodes[j]; + + for (int k = 0; k < nodes.size(); k++) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); + if (!node.hasChildren()) + { + _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(_validPolicyTree, policyNodes, + node); + if (_validPolicyTree == null) + { + break; + } + } + } + } + + // + // d (4) + // + Set criticalExtensionOids = cert.getCriticalExtensionOIDs(); + + if (criticalExtensionOids != null) + { + boolean critical = criticalExtensionOids.contains(RFC3280CertPathUtilities.CERTIFICATE_POLICIES); + + List nodes = policyNodes[i]; + for (int j = 0; j < nodes.size(); j++) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(j); + node.setCritical(critical); + } + } + return _validPolicyTree; + } + return null; + } + + protected static void processCertA( + CertPath certPath, + ExtendedPKIXParameters paramsPKIX, + int index, + PublicKey workingPublicKey, + boolean verificationAlreadyPerformed, + X500Principal workingIssuerName, + X509Certificate sign) + throws ExtCertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (a) verify + // + if (!verificationAlreadyPerformed) + { + try + { + // (a) (1) + // + CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey, + paramsPKIX.getSigProvider()); + } + catch (GeneralSecurityException e) + { + throw new ExtCertPathValidatorException("Could not validate certificate signature.", e, certPath, index); + } + } + + try + { + // (a) (2) + // + cert.checkValidity(CertPathValidatorUtilities + .getValidCertDateFromValidityModel(paramsPKIX, certPath, index)); + } + catch (CertificateExpiredException e) + { + throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); + } + catch (CertificateNotYetValidException e) + { + throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index); + } + + // + // (a) (3) + // + if (paramsPKIX.isRevocationEnabled()) + { + try + { + checkCRLs(paramsPKIX, cert, CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, + certPath, index), sign, workingPublicKey, certs); + } + catch (AnnotatedException e) + { + Throwable cause = e; + if (null != e.getCause()) + { + cause = e.getCause(); + } + throw new ExtCertPathValidatorException(e.getMessage(), cause, certPath, index); + } + } + + // + // (a) (4) name chaining + // + if (!CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).equals(workingIssuerName)) + { + throw new ExtCertPathValidatorException("IssuerName(" + CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert) + + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null, + certPath, index); + } + } + + protected static int prepareNextCertI1( + CertPath certPath, + int index, + int explicitPolicy) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (i) + // + ASN1Sequence pc = null; + try + { + pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.POLICY_CONSTRAINTS)); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Policy constraints extension cannot be decoded.", e, certPath, + index); + } + + int tmpInt; + + if (pc != null) + { + Enumeration policyConstraints = pc.getObjects(); + + while (policyConstraints.hasMoreElements()) + { + try + { + + ASN1TaggedObject constraint = ASN1TaggedObject.getInstance(policyConstraints.nextElement()); + if (constraint.getTagNo() == 0) + { + tmpInt = DERInteger.getInstance(constraint, false).getValue().intValue(); + if (tmpInt < explicitPolicy) + { + return tmpInt; + } + break; + } + } + catch (IllegalArgumentException e) + { + throw new ExtCertPathValidatorException("Policy constraints extension contents cannot be decoded.", + e, certPath, index); + } + } + } + return explicitPolicy; + } + + protected static int prepareNextCertI2( + CertPath certPath, + int index, + int policyMapping) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (i) + // + ASN1Sequence pc = null; + try + { + pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.POLICY_CONSTRAINTS)); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Policy constraints extension cannot be decoded.", e, certPath, + index); + } + + int tmpInt; + + if (pc != null) + { + Enumeration policyConstraints = pc.getObjects(); + + while (policyConstraints.hasMoreElements()) + { + try + { + ASN1TaggedObject constraint = ASN1TaggedObject.getInstance(policyConstraints.nextElement()); + if (constraint.getTagNo() == 1) + { + tmpInt = DERInteger.getInstance(constraint, false).getValue().intValue(); + if (tmpInt < policyMapping) + { + return tmpInt; + } + break; + } + } + catch (IllegalArgumentException e) + { + throw new ExtCertPathValidatorException("Policy constraints extension contents cannot be decoded.", + e, certPath, index); + } + } + } + return policyMapping; + } + + protected static void prepareNextCertG( + CertPath certPath, + int index, + PKIXNameConstraintValidator nameConstraintValidator) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (g) handle the name constraints extension + // + NameConstraints nc = null; + try + { + ASN1Sequence ncSeq = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.NAME_CONSTRAINTS)); + if (ncSeq != null) + { + nc = NameConstraints.getInstance(ncSeq); + } + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Name constraints extension could not be decoded.", e, certPath, + index); + } + if (nc != null) + { + + // + // (g) (1) permitted subtrees + // + GeneralSubtree[] permitted = nc.getPermittedSubtrees(); + if (permitted != null) + { + try + { + nameConstraintValidator.intersectPermittedSubtree(permitted); + } + catch (Exception ex) + { + throw new ExtCertPathValidatorException( + "Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index); + } + } + + // + // (g) (2) excluded subtrees + // + GeneralSubtree[] excluded = nc.getExcludedSubtrees(); + if (excluded != null) + { + for (int i = 0; i != excluded.length; i++) + try + { + nameConstraintValidator.addExcludedSubtree(excluded[i]); + } + catch (Exception ex) + { + throw new ExtCertPathValidatorException( + "Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index); + } + } + } + } + + /** + * Checks a distribution point for revocation information for the + * certificate <code>cert</code>. + * + * @param dp The distribution point to consider. + * @param paramsPKIX PKIX parameters. + * @param cert Certificate to check if it is revoked. + * @param validDate The date when the certificate revocation status should be + * checked. + * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>. + * @param defaultCRLSignKey The public key of the issuer certificate + * <code>defaultCRLSignCert</code>. + * @param certStatus The current certificate revocation status. + * @param reasonMask The reasons mask which is already checked. + * @param certPathCerts The certificates of the certification path. + * @throws AnnotatedException if the certificate is revoked or the status cannot be checked + * or some error occurs. + */ + private static void checkCRL( + DistributionPoint dp, + ExtendedPKIXParameters paramsPKIX, + X509Certificate cert, + Date validDate, + X509Certificate defaultCRLSignCert, + PublicKey defaultCRLSignKey, + CertStatus certStatus, + ReasonsMask reasonMask, + List certPathCerts) + throws AnnotatedException + { + Date currentDate = new Date(System.currentTimeMillis()); + if (validDate.getTime() > currentDate.getTime()) + { + throw new AnnotatedException("Validation time is in future."); + } + + // (a) + /* + * We always get timely valid CRLs, so there is no step (a) (1). + * "locally cached" CRLs are assumed to be in getStore(), additional + * CRLs must be enabled in the ExtendedPKIXParameters and are in + * getAdditionalStore() + */ + + Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, cert, currentDate, paramsPKIX); + boolean validCrlFound = false; + AnnotatedException lastException = null; + Iterator crl_iter = crls.iterator(); + + while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) + { + try + { + X509CRL crl = (X509CRL)crl_iter.next(); + + // (d) + ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp); + + // (e) + /* + * The reasons mask is updated at the end, so only valid CRLs + * can update it. If this CRL does not contain new reasons it + * must be ignored. + */ + if (!interimReasonsMask.hasNewReasons(reasonMask)) + { + continue; + } + + // (f) + Set keys = RFC3280CertPathUtilities.processCRLF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, + paramsPKIX, certPathCerts); + // (g) + PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys); + + X509CRL deltaCRL = null; + + if (paramsPKIX.isUseDeltasEnabled()) + { + // get delta CRLs + Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl); + // we only want one valid delta CRL + // (h) + deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key); + } + + /* + * CRL must be be valid at the current time, not the validation + * time. If a certificate is revoked with reason keyCompromise, + * cACompromise, it can be used for forgery, also for the past. + * This reason may not be contained in older CRLs. + */ + + /* + * in the chain model signatures stay valid also after the + * certificate has been expired, so they do not have to be in + * the CRL validity time + */ + + if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) + { + /* + * if a certificate has expired, but was revoked, it is not + * more in the CRL, so it would be regarded as valid if the + * first check is not done + */ + if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) + { + throw new AnnotatedException("No valid CRL for current time found."); + } + } + + RFC3280CertPathUtilities.processCRLB1(dp, cert, crl); + + // (b) (2) + RFC3280CertPathUtilities.processCRLB2(dp, cert, crl); + + // (c) + RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX); + + // (i) + RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX); + + // (j) + RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus); + + // (k) + if (certStatus.getCertStatus() == CRLReason.removeFromCRL) + { + certStatus.setCertStatus(CertStatus.UNREVOKED); + } + + // update reasons mask + reasonMask.addReasons(interimReasonsMask); + + Set criticalExtensions = crl.getCriticalExtensionOIDs(); + if (criticalExtensions != null) + { + criticalExtensions = new HashSet(criticalExtensions); + criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); + criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); + + if (!criticalExtensions.isEmpty()) + { + throw new AnnotatedException("CRL contains unsupported critical extensions."); + } + } + + if (deltaCRL != null) + { + criticalExtensions = deltaCRL.getCriticalExtensionOIDs(); + if (criticalExtensions != null) + { + criticalExtensions = new HashSet(criticalExtensions); + criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); + criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); + if (!criticalExtensions.isEmpty()) + { + throw new AnnotatedException("Delta CRL contains unsupported critical extension."); + } + } + } + + validCrlFound = true; + } + catch (AnnotatedException e) + { + lastException = e; + } + } + if (!validCrlFound) + { + throw lastException; + } + } + + /** + * Checks a certificate if it is revoked. + * + * @param paramsPKIX PKIX parameters. + * @param cert Certificate to check if it is revoked. + * @param validDate The date when the certificate revocation status should be + * checked. + * @param sign The issuer certificate of the certificate <code>cert</code>. + * @param workingPublicKey The public key of the issuer certificate <code>sign</code>. + * @param certPathCerts The certificates of the certification path. + * @throws AnnotatedException if the certificate is revoked or the status cannot be checked + * or some error occurs. + */ + protected static void checkCRLs( + ExtendedPKIXParameters paramsPKIX, + X509Certificate cert, + Date validDate, + X509Certificate sign, + PublicKey workingPublicKey, + List certPathCerts) + throws AnnotatedException + { + AnnotatedException lastException = null; + CRLDistPoint crldp = null; + try + { + crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS)); + } + catch (Exception e) + { + throw new AnnotatedException("CRL distribution point extension could not be read.", e); + } + try + { + CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX); + } + catch (AnnotatedException e) + { + throw new AnnotatedException( + "No additional CRL locations could be decoded from CRL distribution point extension.", e); + } + CertStatus certStatus = new CertStatus(); + ReasonsMask reasonsMask = new ReasonsMask(); + + boolean validCrlFound = false; + // for each distribution point + if (crldp != null) + { + DistributionPoint dps[] = null; + try + { + dps = crldp.getDistributionPoints(); + } + catch (Exception e) + { + throw new AnnotatedException("Distribution points could not be read.", e); + } + if (dps != null) + { + for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) + { + ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters)paramsPKIX.clone(); + try + { + checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts); + validCrlFound = true; + } + catch (AnnotatedException e) + { + lastException = e; + } + } + } + } + + /* + * If the revocation status has not been determined, repeat the process + * above with any available CRLs not specified in a distribution point + * but issued by the certificate issuer. + */ + + if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) + { + try + { + /* + * assume a DP with both the reasons and the cRLIssuer fields + * omitted and a distribution point name of the certificate + * issuer. + */ + ASN1Primitive issuer = null; + try + { + issuer = new ASN1InputStream(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()) + .readObject(); + } + catch (Exception e) + { + throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e); + } + DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames( + new GeneralName(GeneralName.directoryName, issuer))), null, null); + ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters)paramsPKIX.clone(); + checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, + certPathCerts); + validCrlFound = true; + } + catch (AnnotatedException e) + { + lastException = e; + } + } + + if (!validCrlFound) + { + if (lastException instanceof AnnotatedException) + { + throw lastException; + } + + throw new AnnotatedException("No valid CRL found.", lastException); + } + if (certStatus.getCertStatus() != CertStatus.UNREVOKED) + { + String message = "Certificate revocation after " + certStatus.getRevocationDate(); + message += ", reason: " + crlReasons[certStatus.getCertStatus()]; + throw new AnnotatedException(message); + } + if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) + { + certStatus.setCertStatus(CertStatus.UNDETERMINED); + } + if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) + { + throw new AnnotatedException("Certificate status could not be determined."); + } + } + + protected static int prepareNextCertJ( + CertPath certPath, + int index, + int inhibitAnyPolicy) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (j) + // + DERInteger iap = null; + try + { + iap = DERInteger.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.INHIBIT_ANY_POLICY)); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Inhibit any-policy extension cannot be decoded.", e, certPath, + index); + } + + if (iap != null) + { + int _inhibitAnyPolicy = iap.getValue().intValue(); + + if (_inhibitAnyPolicy < inhibitAnyPolicy) + { + return _inhibitAnyPolicy; + } + } + return inhibitAnyPolicy; + } + + protected static void prepareNextCertK( + CertPath certPath, + int index) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (k) + // + BasicConstraints bc = null; + try + { + bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.BASIC_CONSTRAINTS)); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath, + index); + } + if (bc != null) + { + if (!(bc.isCA())) + { + throw new CertPathValidatorException("Not a CA certificate"); + } + } + else + { + throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints"); + } + } + + protected static int prepareNextCertL( + CertPath certPath, + int index, + int maxPathLength) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (l) + // + if (!CertPathValidatorUtilities.isSelfIssued(cert)) + { + if (maxPathLength <= 0) + { + throw new ExtCertPathValidatorException("Max path length not greater than zero", null, certPath, index); + } + + return maxPathLength - 1; + } + return maxPathLength; + } + + protected static int prepareNextCertM( + CertPath certPath, + int index, + int maxPathLength) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + + // + // (m) + // + BasicConstraints bc = null; + try + { + bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.BASIC_CONSTRAINTS)); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath, + index); + } + if (bc != null) + { + BigInteger _pathLengthConstraint = bc.getPathLenConstraint(); + + if (_pathLengthConstraint != null) + { + int _plc = _pathLengthConstraint.intValue(); + + if (_plc < maxPathLength) + { + return _plc; + } + } + } + return maxPathLength; + } + + protected static void prepareNextCertN( + CertPath certPath, + int index) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + + // + // (n) + // + boolean[] _usage = cert.getKeyUsage(); + + if ((_usage != null) && !_usage[RFC3280CertPathUtilities.KEY_CERT_SIGN]) + { + throw new ExtCertPathValidatorException( + "Issuer certificate keyusage extension is critical and does not permit key signing.", null, + certPath, index); + } + } + + protected static void prepareNextCertO( + CertPath certPath, + int index, + Set criticalExtensions, + List pathCheckers) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (o) + // + + Iterator tmpIter; + tmpIter = pathCheckers.iterator(); + while (tmpIter.hasNext()) + { + try + { + ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions); + } + catch (CertPathValidatorException e) + { + throw new CertPathValidatorException(e.getMessage(), e.getCause(), certPath, index); + } + } + if (!criticalExtensions.isEmpty()) + { + throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath, + index); + } + } + + protected static int prepareNextCertH1( + CertPath certPath, + int index, + int explicitPolicy) + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (h) + // + if (!CertPathValidatorUtilities.isSelfIssued(cert)) + { + // + // (1) + // + if (explicitPolicy != 0) + { + return explicitPolicy - 1; + } + } + return explicitPolicy; + } + + protected static int prepareNextCertH2( + CertPath certPath, + int index, + int policyMapping) + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (h) + // + if (!CertPathValidatorUtilities.isSelfIssued(cert)) + { + // + // (2) + // + if (policyMapping != 0) + { + return policyMapping - 1; + } + } + return policyMapping; + } + + protected static int prepareNextCertH3( + CertPath certPath, + int index, + int inhibitAnyPolicy) + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (h) + // + if (!CertPathValidatorUtilities.isSelfIssued(cert)) + { + // + // (3) + // + if (inhibitAnyPolicy != 0) + { + return inhibitAnyPolicy - 1; + } + } + return inhibitAnyPolicy; + } + + protected static final String[] crlReasons = new String[] + { + "unspecified", + "keyCompromise", + "cACompromise", + "affiliationChanged", + "superseded", + "cessationOfOperation", + "certificateHold", + "unknown", + "removeFromCRL", + "privilegeWithdrawn", + "aACompromise"}; + + protected static int wrapupCertA( + int explicitPolicy, + X509Certificate cert) + { + // + // (a) + // + if (!CertPathValidatorUtilities.isSelfIssued(cert) && (explicitPolicy != 0)) + { + explicitPolicy--; + } + return explicitPolicy; + } + + protected static int wrapupCertB( + CertPath certPath, + int index, + int explicitPolicy) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + // + // (b) + // + int tmpInt; + ASN1Sequence pc = null; + try + { + pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, + RFC3280CertPathUtilities.POLICY_CONSTRAINTS)); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException("Policy constraints could not be decoded.", e, certPath, index); + } + if (pc != null) + { + Enumeration policyConstraints = pc.getObjects(); + + while (policyConstraints.hasMoreElements()) + { + ASN1TaggedObject constraint = (ASN1TaggedObject)policyConstraints.nextElement(); + switch (constraint.getTagNo()) + { + case 0: + try + { + tmpInt = DERInteger.getInstance(constraint, false).getValue().intValue(); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException( + "Policy constraints requireExplicitPolicy field could not be decoded.", e, certPath, + index); + } + if (tmpInt == 0) + { + return 0; + } + break; + } + } + } + return explicitPolicy; + } + + protected static void wrapupCertF( + CertPath certPath, + int index, + List pathCheckers, + Set criticalExtensions) + throws CertPathValidatorException + { + List certs = certPath.getCertificates(); + X509Certificate cert = (X509Certificate)certs.get(index); + Iterator tmpIter; + tmpIter = pathCheckers.iterator(); + while (tmpIter.hasNext()) + { + try + { + ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions); + } + catch (CertPathValidatorException e) + { + throw new ExtCertPathValidatorException("Additional certificate path checker failed.", e, certPath, + index); + } + } + + if (!criticalExtensions.isEmpty()) + { + throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath, + index); + } + } + + protected static PKIXPolicyNode wrapupCertG( + CertPath certPath, + ExtendedPKIXParameters paramsPKIX, + Set userInitialPolicySet, + int index, + List[] policyNodes, + PKIXPolicyNode validPolicyTree, + Set acceptablePolicies) + throws CertPathValidatorException + { + int n = certPath.getCertificates().size(); + // + // (g) + // + PKIXPolicyNode intersection; + + // + // (g) (i) + // + if (validPolicyTree == null) + { + if (paramsPKIX.isExplicitPolicyRequired()) + { + throw new ExtCertPathValidatorException("Explicit policy requested but none available.", null, + certPath, index); + } + intersection = null; + } + else if (CertPathValidatorUtilities.isAnyPolicy(userInitialPolicySet)) // (g) + // (ii) + { + if (paramsPKIX.isExplicitPolicyRequired()) + { + if (acceptablePolicies.isEmpty()) + { + throw new ExtCertPathValidatorException("Explicit policy requested but none available.", null, + certPath, index); + } + else + { + Set _validPolicyNodeSet = new HashSet(); + + for (int j = 0; j < policyNodes.length; j++) + { + List _nodeDepth = policyNodes[j]; + + for (int k = 0; k < _nodeDepth.size(); k++) + { + PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k); + + if (RFC3280CertPathUtilities.ANY_POLICY.equals(_node.getValidPolicy())) + { + Iterator _iter = _node.getChildren(); + while (_iter.hasNext()) + { + _validPolicyNodeSet.add(_iter.next()); + } + } + } + } + + Iterator _vpnsIter = _validPolicyNodeSet.iterator(); + while (_vpnsIter.hasNext()) + { + PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next(); + String _validPolicy = _node.getValidPolicy(); + + if (!acceptablePolicies.contains(_validPolicy)) + { + // validPolicyTree = + // removePolicyNode(validPolicyTree, policyNodes, + // _node); + } + } + if (validPolicyTree != null) + { + for (int j = (n - 1); j >= 0; j--) + { + List nodes = policyNodes[j]; + + for (int k = 0; k < nodes.size(); k++) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); + if (!node.hasChildren()) + { + validPolicyTree = CertPathValidatorUtilities.removePolicyNode(validPolicyTree, + policyNodes, node); + } + } + } + } + } + } + + intersection = validPolicyTree; + } + else + { + // + // (g) (iii) + // + // This implementation is not exactly same as the one described in + // RFC3280. + // However, as far as the validation result is concerned, both + // produce + // adequate result. The only difference is whether AnyPolicy is + // remain + // in the policy tree or not. + // + // (g) (iii) 1 + // + Set _validPolicyNodeSet = new HashSet(); + + for (int j = 0; j < policyNodes.length; j++) + { + List _nodeDepth = policyNodes[j]; + + for (int k = 0; k < _nodeDepth.size(); k++) + { + PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k); + + if (RFC3280CertPathUtilities.ANY_POLICY.equals(_node.getValidPolicy())) + { + Iterator _iter = _node.getChildren(); + while (_iter.hasNext()) + { + PKIXPolicyNode _c_node = (PKIXPolicyNode)_iter.next(); + if (!RFC3280CertPathUtilities.ANY_POLICY.equals(_c_node.getValidPolicy())) + { + _validPolicyNodeSet.add(_c_node); + } + } + } + } + } + + // + // (g) (iii) 2 + // + Iterator _vpnsIter = _validPolicyNodeSet.iterator(); + while (_vpnsIter.hasNext()) + { + PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next(); + String _validPolicy = _node.getValidPolicy(); + + if (!userInitialPolicySet.contains(_validPolicy)) + { + validPolicyTree = CertPathValidatorUtilities.removePolicyNode(validPolicyTree, policyNodes, _node); + } + } + + // + // (g) (iii) 4 + // + if (validPolicyTree != null) + { + for (int j = (n - 1); j >= 0; j--) + { + List nodes = policyNodes[j]; + + for (int k = 0; k < nodes.size(); k++) + { + PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); + if (!node.hasChildren()) + { + validPolicyTree = CertPathValidatorUtilities.removePolicyNode(validPolicyTree, policyNodes, + node); + } + } + } + } + + intersection = validPolicyTree; + } + return intersection; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java new file mode 100644 index 00000000..19dbae1d --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java @@ -0,0 +1,703 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.Principal; +import java.security.PublicKey; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathBuilderResult; +import java.security.cert.CertPathValidator; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertPathValidatorResult; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.x509.CRLDistPoint; +import org.bouncycastle.asn1.x509.CRLReason; +import org.bouncycastle.asn1.x509.DistributionPoint; +import org.bouncycastle.asn1.x509.DistributionPointName; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.TargetInformation; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.jce.exception.ExtCertPathValidatorException; +import org.bouncycastle.x509.ExtendedPKIXBuilderParameters; +import org.bouncycastle.x509.ExtendedPKIXParameters; +import org.bouncycastle.x509.PKIXAttrCertChecker; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509CertStoreSelector; + +class RFC3281CertPathUtilities +{ + + private static final String TARGET_INFORMATION = X509Extensions.TargetInformation + .getId(); + + private static final String NO_REV_AVAIL = X509Extensions.NoRevAvail + .getId(); + + private static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints + .getId(); + + private static final String AUTHORITY_INFO_ACCESS = X509Extensions.AuthorityInfoAccess + .getId(); + + protected static void processAttrCert7(X509AttributeCertificate attrCert, + CertPath certPath, CertPath holderCertPath, + ExtendedPKIXParameters pkixParams) throws CertPathValidatorException + { + // TODO: + // AA Controls + // Attribute encryption + // Proxy + Set set = attrCert.getCriticalExtensionOIDs(); + // 7.1 + // process extensions + + // target information checked in step 6 / X509AttributeCertStoreSelector + if (set.contains(TARGET_INFORMATION)) + { + try + { + TargetInformation.getInstance(CertPathValidatorUtilities + .getExtensionValue(attrCert, TARGET_INFORMATION)); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException( + "Target information extension could not be read.", e); + } + catch (IllegalArgumentException e) + { + throw new ExtCertPathValidatorException( + "Target information extension could not be read.", e); + } + } + set.remove(TARGET_INFORMATION); + for (Iterator it = pkixParams.getAttrCertCheckers().iterator(); it + .hasNext();) + { + ((PKIXAttrCertChecker) it.next()).check(attrCert, certPath, + holderCertPath, set); + } + if (!set.isEmpty()) + { + throw new CertPathValidatorException( + "Attribute certificate contains unsupported critical extensions: " + + set); + } + } + + /** + * Checks if an attribute certificate is revoked. + * + * @param attrCert Attribute certificate to check if it is revoked. + * @param paramsPKIX PKIX parameters. + * @param issuerCert The issuer certificate of the attribute certificate + * <code>attrCert</code>. + * @param validDate The date when the certificate revocation status should + * be checked. + * @param certPathCerts The certificates of the certification path to be + * checked. + * + * @throws CertPathValidatorException if the certificate is revoked or the + * status cannot be checked or some error occurs. + */ + protected static void checkCRLs(X509AttributeCertificate attrCert, + ExtendedPKIXParameters paramsPKIX, X509Certificate issuerCert, + Date validDate, List certPathCerts) throws CertPathValidatorException + { + if (paramsPKIX.isRevocationEnabled()) + { + // check if revocation is available + if (attrCert.getExtensionValue(NO_REV_AVAIL) == null) + { + CRLDistPoint crldp = null; + try + { + crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities + .getExtensionValue(attrCert, CRL_DISTRIBUTION_POINTS)); + } + catch (AnnotatedException e) + { + throw new CertPathValidatorException( + "CRL distribution point extension could not be read.", + e); + } + try + { + CertPathValidatorUtilities + .addAdditionalStoresFromCRLDistributionPoint(crldp, + paramsPKIX); + } + catch (AnnotatedException e) + { + throw new CertPathValidatorException( + "No additional CRL locations could be decoded from CRL distribution point extension.", + e); + } + CertStatus certStatus = new CertStatus(); + ReasonsMask reasonsMask = new ReasonsMask(); + + AnnotatedException lastException = null; + boolean validCrlFound = false; + // for each distribution point + if (crldp != null) + { + DistributionPoint dps[] = null; + try + { + dps = crldp.getDistributionPoints(); + } + catch (Exception e) + { + throw new ExtCertPathValidatorException( + "Distribution points could not be read.", e); + } + try + { + for (int i = 0; i < dps.length + && certStatus.getCertStatus() == CertStatus.UNREVOKED + && !reasonsMask.isAllReasons(); i++) + { + ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX + .clone(); + checkCRL(dps[i], attrCert, paramsPKIXClone, + validDate, issuerCert, certStatus, reasonsMask, + certPathCerts); + validCrlFound = true; + } + } + catch (AnnotatedException e) + { + lastException = new AnnotatedException( + "No valid CRL for distribution point found.", e); + } + } + + /* + * If the revocation status has not been determined, repeat the + * process above with any available CRLs not specified in a + * distribution point but issued by the certificate issuer. + */ + + if (certStatus.getCertStatus() == CertStatus.UNREVOKED + && !reasonsMask.isAllReasons()) + { + try + { + /* + * assume a DP with both the reasons and the cRLIssuer + * fields omitted and a distribution point name of the + * certificate issuer. + */ + ASN1Primitive issuer = null; + try + { + + issuer = new ASN1InputStream( + ((X500Principal) attrCert.getIssuer() + .getPrincipals()[0]).getEncoded()) + .readObject(); + } + catch (Exception e) + { + throw new AnnotatedException( + "Issuer from certificate for CRL could not be reencoded.", + e); + } + DistributionPoint dp = new DistributionPoint( + new DistributionPointName(0, new GeneralNames( + new GeneralName(GeneralName.directoryName, + issuer))), null, null); + ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX + .clone(); + checkCRL(dp, attrCert, paramsPKIXClone, validDate, + issuerCert, certStatus, reasonsMask, certPathCerts); + validCrlFound = true; + } + catch (AnnotatedException e) + { + lastException = new AnnotatedException( + "No valid CRL for distribution point found.", e); + } + } + + if (!validCrlFound) + { + throw new ExtCertPathValidatorException( + "No valid CRL found.", lastException); + } + if (certStatus.getCertStatus() != CertStatus.UNREVOKED) + { + String message = "Attribute certificate revocation after " + + certStatus.getRevocationDate(); + message += ", reason: " + + RFC3280CertPathUtilities.crlReasons[certStatus + .getCertStatus()]; + throw new CertPathValidatorException(message); + } + if (!reasonsMask.isAllReasons() + && certStatus.getCertStatus() == CertStatus.UNREVOKED) + { + certStatus.setCertStatus(CertStatus.UNDETERMINED); + } + if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) + { + throw new CertPathValidatorException( + "Attribute certificate status could not be determined."); + } + + } + else + { + if (attrCert.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null + || attrCert.getExtensionValue(AUTHORITY_INFO_ACCESS) != null) + { + throw new CertPathValidatorException( + "No rev avail extension is set, but also an AC revocation pointer."); + } + } + } + } + + protected static void additionalChecks(X509AttributeCertificate attrCert, + ExtendedPKIXParameters pkixParams) throws CertPathValidatorException + { + // 1 + for (Iterator it = pkixParams.getProhibitedACAttributes().iterator(); it + .hasNext();) + { + String oid = (String) it.next(); + if (attrCert.getAttributes(oid) != null) + { + throw new CertPathValidatorException( + "Attribute certificate contains prohibited attribute: " + + oid + "."); + } + } + for (Iterator it = pkixParams.getNecessaryACAttributes().iterator(); it + .hasNext();) + { + String oid = (String) it.next(); + if (attrCert.getAttributes(oid) == null) + { + throw new CertPathValidatorException( + "Attribute certificate does not contain necessary attribute: " + + oid + "."); + } + } + } + + protected static void processAttrCert5(X509AttributeCertificate attrCert, + ExtendedPKIXParameters pkixParams) throws CertPathValidatorException + { + try + { + attrCert.checkValidity(CertPathValidatorUtilities + .getValidDate(pkixParams)); + } + catch (CertificateExpiredException e) + { + throw new ExtCertPathValidatorException( + "Attribute certificate is not valid.", e); + } + catch (CertificateNotYetValidException e) + { + throw new ExtCertPathValidatorException( + "Attribute certificate is not valid.", e); + } + } + + protected static void processAttrCert4(X509Certificate acIssuerCert, + ExtendedPKIXParameters pkixParams) throws CertPathValidatorException + { + Set set = pkixParams.getTrustedACIssuers(); + boolean trusted = false; + for (Iterator it = set.iterator(); it.hasNext();) + { + TrustAnchor anchor = (TrustAnchor) it.next(); + if (acIssuerCert.getSubjectX500Principal().getName("RFC2253") + .equals(anchor.getCAName()) + || acIssuerCert.equals(anchor.getTrustedCert())) + { + trusted = true; + } + } + if (!trusted) + { + throw new CertPathValidatorException( + "Attribute certificate issuer is not directly trusted."); + } + } + + protected static void processAttrCert3(X509Certificate acIssuerCert, + ExtendedPKIXParameters pkixParams) throws CertPathValidatorException + { + if (acIssuerCert.getKeyUsage() != null + && (!acIssuerCert.getKeyUsage()[0] && !acIssuerCert.getKeyUsage()[1])) + { + throw new CertPathValidatorException( + "Attribute certificate issuer public key cannot be used to validate digital signatures."); + } + if (acIssuerCert.getBasicConstraints() != -1) + { + throw new CertPathValidatorException( + "Attribute certificate issuer is also a public key certificate issuer."); + } + } + + protected static CertPathValidatorResult processAttrCert2( + CertPath certPath, ExtendedPKIXParameters pkixParams) + throws CertPathValidatorException + { + CertPathValidator validator = null; + try + { + validator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); + } + catch (NoSuchProviderException e) + { + throw new ExtCertPathValidatorException( + "Support class could not be created.", e); + } + catch (NoSuchAlgorithmException e) + { + throw new ExtCertPathValidatorException( + "Support class could not be created.", e); + } + try + { + return validator.validate(certPath, pkixParams); + } + catch (CertPathValidatorException e) + { + throw new ExtCertPathValidatorException( + "Certification path for issuer certificate of attribute certificate could not be validated.", + e); + } + catch (InvalidAlgorithmParameterException e) + { + // must be a programming error + throw new RuntimeException(e.getMessage()); + } + } + + /** + * Searches for a holder public key certificate and verifies its + * certification path. + * + * @param attrCert the attribute certificate. + * @param pkixParams The PKIX parameters. + * @return The certificate path of the holder certificate. + * @throws AnnotatedException if + * <ul> + * <li>no public key certificate can be found although holder + * information is given by an entity name or a base certificate + * ID + * <li>support classes cannot be created + * <li>no certification path for the public key certificate can + * be built + * </ul> + */ + protected static CertPath processAttrCert1( + X509AttributeCertificate attrCert, ExtendedPKIXParameters pkixParams) + throws CertPathValidatorException + { + CertPathBuilderResult result = null; + // find holder PKCs + Set holderPKCs = new HashSet(); + if (attrCert.getHolder().getIssuer() != null) + { + X509CertStoreSelector selector = new X509CertStoreSelector(); + selector.setSerialNumber(attrCert.getHolder().getSerialNumber()); + Principal[] principals = attrCert.getHolder().getIssuer(); + for (int i = 0; i < principals.length; i++) + { + try + { + if (principals[i] instanceof X500Principal) + { + selector.setIssuer(((X500Principal)principals[i]) + .getEncoded()); + } + holderPKCs.addAll(CertPathValidatorUtilities + .findCertificates(selector, pkixParams.getStores())); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException( + "Public key certificate for attribute certificate cannot be searched.", + e); + } + catch (IOException e) + { + throw new ExtCertPathValidatorException( + "Unable to encode X500 principal.", e); + } + } + if (holderPKCs.isEmpty()) + { + throw new CertPathValidatorException( + "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); + } + } + if (attrCert.getHolder().getEntityNames() != null) + { + X509CertStoreSelector selector = new X509CertStoreSelector(); + Principal[] principals = attrCert.getHolder().getEntityNames(); + for (int i = 0; i < principals.length; i++) + { + try + { + if (principals[i] instanceof X500Principal) + { + selector.setIssuer(((X500Principal) principals[i]) + .getEncoded()); + } + holderPKCs.addAll(CertPathValidatorUtilities + .findCertificates(selector, pkixParams.getStores())); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException( + "Public key certificate for attribute certificate cannot be searched.", + e); + } + catch (IOException e) + { + throw new ExtCertPathValidatorException( + "Unable to encode X500 principal.", e); + } + } + if (holderPKCs.isEmpty()) + { + throw new CertPathValidatorException( + "Public key certificate specified in entity name for attribute certificate cannot be found."); + } + } + // verify cert paths for PKCs + ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters + .getInstance(pkixParams); + CertPathValidatorException lastException = null; + for (Iterator it = holderPKCs.iterator(); it.hasNext();) + { + X509CertStoreSelector selector = new X509CertStoreSelector(); + selector.setCertificate((X509Certificate) it.next()); + params.setTargetConstraints(selector); + CertPathBuilder builder = null; + try + { + builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); + } + catch (NoSuchProviderException e) + { + throw new ExtCertPathValidatorException( + "Support class could not be created.", e); + } + catch (NoSuchAlgorithmException e) + { + throw new ExtCertPathValidatorException( + "Support class could not be created.", e); + } + try + { + result = builder.build(ExtendedPKIXBuilderParameters + .getInstance(params)); + } + catch (CertPathBuilderException e) + { + lastException = new ExtCertPathValidatorException( + "Certification path for public key certificate of attribute certificate could not be build.", + e); + } + catch (InvalidAlgorithmParameterException e) + { + // must be a programming error + throw new RuntimeException(e.getMessage()); + } + } + if (lastException != null) + { + throw lastException; + } + return result.getCertPath(); + } + + /** + * + * Checks a distribution point for revocation information for the + * certificate <code>attrCert</code>. + * + * @param dp The distribution point to consider. + * @param attrCert The attribute certificate which should be checked. + * @param paramsPKIX PKIX parameters. + * @param validDate The date when the certificate revocation status should + * be checked. + * @param issuerCert Certificate to check if it is revoked. + * @param reasonMask The reasons mask which is already checked. + * @param certPathCerts The certificates of the certification path to be + * checked. + * @throws AnnotatedException if the certificate is revoked or the status + * cannot be checked or some error occurs. + */ + private static void checkCRL(DistributionPoint dp, + X509AttributeCertificate attrCert, ExtendedPKIXParameters paramsPKIX, + Date validDate, X509Certificate issuerCert, CertStatus certStatus, + ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException + { + + /* + * 4.3.6 No Revocation Available + * + * The noRevAvail extension, defined in [X.509-2000], allows an AC + * issuer to indicate that no revocation information will be made + * available for this AC. + */ + if (attrCert.getExtensionValue(X509Extensions.NoRevAvail.getId()) != null) + { + return; + } + Date currentDate = new Date(System.currentTimeMillis()); + if (validDate.getTime() > currentDate.getTime()) + { + throw new AnnotatedException("Validation time is in future."); + } + + // (a) + /* + * We always get timely valid CRLs, so there is no step (a) (1). + * "locally cached" CRLs are assumed to be in getStore(), additional + * CRLs must be enabled in the ExtendedPKIXParameters and are in + * getAdditionalStore() + */ + + Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, attrCert, + currentDate, paramsPKIX); + boolean validCrlFound = false; + AnnotatedException lastException = null; + Iterator crl_iter = crls.iterator(); + + while (crl_iter.hasNext() + && certStatus.getCertStatus() == CertStatus.UNREVOKED + && !reasonMask.isAllReasons()) + { + try + { + X509CRL crl = (X509CRL) crl_iter.next(); + + // (d) + ReasonsMask interimReasonsMask = RFC3280CertPathUtilities + .processCRLD(crl, dp); + + // (e) + /* + * The reasons mask is updated at the end, so only valid CRLs + * can update it. If this CRL does not contain new reasons it + * must be ignored. + */ + if (!interimReasonsMask.hasNewReasons(reasonMask)) + { + continue; + } + + // (f) + Set keys = RFC3280CertPathUtilities.processCRLF(crl, attrCert, + null, null, paramsPKIX, certPathCerts); + // (g) + PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys); + + X509CRL deltaCRL = null; + + if (paramsPKIX.isUseDeltasEnabled()) + { + // get delta CRLs + Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs( + currentDate, paramsPKIX, crl); + // we only want one valid delta CRL + // (h) + deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, + key); + } + + /* + * CRL must be be valid at the current time, not the validation + * time. If a certificate is revoked with reason keyCompromise, + * cACompromise, it can be used for forgery, also for the past. + * This reason may not be contained in older CRLs. + */ + + /* + * in the chain model signatures stay valid also after the + * certificate has been expired, so they do not have to be in + * the CRL vality time + */ + + if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) + { + /* + * if a certificate has expired, but was revoked, it is not + * more in the CRL, so it would be regarded as valid if the + * first check is not done + */ + if (attrCert.getNotAfter().getTime() < crl.getThisUpdate() + .getTime()) + { + throw new AnnotatedException( + "No valid CRL for current time found."); + } + } + + RFC3280CertPathUtilities.processCRLB1(dp, attrCert, crl); + + // (b) (2) + RFC3280CertPathUtilities.processCRLB2(dp, attrCert, crl); + + // (c) + RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX); + + // (i) + RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, + attrCert, certStatus, paramsPKIX); + + // (j) + RFC3280CertPathUtilities.processCRLJ(validDate, crl, attrCert, + certStatus); + + // (k) + if (certStatus.getCertStatus() == CRLReason.removeFromCRL) + { + certStatus.setCertStatus(CertStatus.UNREVOKED); + } + + // update reasons mask + reasonMask.addReasons(interimReasonsMask); + validCrlFound = true; + } + catch (AnnotatedException e) + { + lastException = e; + } + } + if (!validCrlFound) + { + throw lastException; + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/ReasonsMask.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/ReasonsMask.java new file mode 100644 index 00000000..04f5a063 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/ReasonsMask.java @@ -0,0 +1,101 @@ +package org.bouncycastle.jce.provider; + +import org.bouncycastle.asn1.x509.ReasonFlags; + +/** + * This class helps to handle CRL revocation reasons mask. Each CRL handles a + * certain set of revocation reasons. + */ +class ReasonsMask +{ + private int _reasons; + + /** + * Constructs are reason mask with the reasons. + * + * @param reasons The reasons. + */ + ReasonsMask(ReasonFlags reasons) + { + _reasons = reasons.intValue(); + } + + private ReasonsMask(int reasons) + { + _reasons = reasons; + } + + /** + * A reason mask with no reason. + * + */ + ReasonsMask() + { + this(0); + } + + /** + * A mask with all revocation reasons. + */ + static final ReasonsMask allReasons = new ReasonsMask(ReasonFlags.aACompromise + | ReasonFlags.affiliationChanged | ReasonFlags.cACompromise + | ReasonFlags.certificateHold | ReasonFlags.cessationOfOperation + | ReasonFlags.keyCompromise | ReasonFlags.privilegeWithdrawn + | ReasonFlags.unused | ReasonFlags.superseded); + + /** + * Adds all reasons from the reasons mask to this mask. + * + * @param mask The reasons mask to add. + */ + void addReasons(ReasonsMask mask) + { + _reasons = _reasons | mask.getReasons(); + } + + /** + * Returns <code>true</code> if this reasons mask contains all possible + * reasons. + * + * @return <code>true</code> if this reasons mask contains all possible + * reasons. + */ + boolean isAllReasons() + { + return _reasons == allReasons._reasons ? true : false; + } + + /** + * Intersects this mask with the given reasons mask. + * + * @param mask The mask to intersect with. + * @return The intersection of this and teh given mask. + */ + ReasonsMask intersect(ReasonsMask mask) + { + ReasonsMask _mask = new ReasonsMask(); + _mask.addReasons(new ReasonsMask(_reasons & mask.getReasons())); + return _mask; + } + + /** + * Returns <code>true</code> if the passed reasons mask has new reasons. + * + * @param mask The reasons mask which should be tested for new reasons. + * @return <code>true</code> if the passed reasons mask has new reasons. + */ + boolean hasNewReasons(ReasonsMask mask) + { + return ((_reasons | mask.getReasons() ^ _reasons) != 0); + } + + /** + * Returns the reasons in this mask. + * + * @return Returns the reasons. + */ + int getReasons() + { + return _reasons; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509AttrCertParser.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509AttrCertParser.java new file mode 100644 index 00000000..847f32bd --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509AttrCertParser.java @@ -0,0 +1,156 @@ +package org.bouncycastle.jce.provider; + +import java.io.BufferedInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1Set; +import org.bouncycastle.asn1.ASN1TaggedObject; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.SignedData; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509StreamParserSpi; +import org.bouncycastle.x509.X509V2AttributeCertificate; +import org.bouncycastle.x509.util.StreamParsingException; + +public class X509AttrCertParser + extends X509StreamParserSpi +{ + private static final PEMUtil PEM_PARSER = new PEMUtil("ATTRIBUTE CERTIFICATE"); + + private ASN1Set sData = null; + private int sDataObjectCount = 0; + private InputStream currentStream = null; + + private X509AttributeCertificate readDERCertificate( + InputStream in) + throws IOException + { + ASN1InputStream dIn = new ASN1InputStream(in); + ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); + + if (seq.size() > 1 + && seq.getObjectAt(0) instanceof DERObjectIdentifier) + { + if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) + { + sData = new SignedData(ASN1Sequence.getInstance( + (ASN1TaggedObject)seq.getObjectAt(1), true)).getCertificates(); + + return getCertificate(); + } + } + + return new X509V2AttributeCertificate(seq.getEncoded()); + } + + private X509AttributeCertificate getCertificate() + throws IOException + { + if (sData != null) + { + while (sDataObjectCount < sData.size()) + { + Object obj = sData.getObjectAt(sDataObjectCount++); + + if (obj instanceof ASN1TaggedObject && ((ASN1TaggedObject)obj).getTagNo() == 2) + { + return new X509V2AttributeCertificate( + ASN1Sequence.getInstance((ASN1TaggedObject)obj, false).getEncoded()); + } + } + } + + return null; + } + + private X509AttributeCertificate readPEMCertificate( + InputStream in) + throws IOException + { + ASN1Sequence seq = PEM_PARSER.readPEMObject(in); + + if (seq != null) + { + return new X509V2AttributeCertificate(seq.getEncoded()); + } + + return null; + } + + public void engineInit(InputStream in) + { + currentStream = in; + sData = null; + sDataObjectCount = 0; + + if (!currentStream.markSupported()) + { + currentStream = new BufferedInputStream(currentStream); + } + } + + public Object engineRead() + throws StreamParsingException + { + try + { + if (sData != null) + { + if (sDataObjectCount != sData.size()) + { + return getCertificate(); + } + else + { + sData = null; + sDataObjectCount = 0; + return null; + } + } + + currentStream.mark(10); + int tag = currentStream.read(); + + if (tag == -1) + { + return null; + } + + if (tag != 0x30) // assume ascii PEM encoded. + { + currentStream.reset(); + return readPEMCertificate(currentStream); + } + else + { + currentStream.reset(); + return readDERCertificate(currentStream); + } + } + catch (Exception e) + { + throw new StreamParsingException(e.toString(), e); + } + } + + public Collection engineReadAll() + throws StreamParsingException + { + X509AttributeCertificate cert; + List certs = new ArrayList(); + + while ((cert = (X509AttributeCertificate)engineRead()) != null) + { + certs.add(cert); + } + + return certs; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLEntryObject.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLEntryObject.java new file mode 100644 index 00000000..d5c3700a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLEntryObject.java @@ -0,0 +1,301 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.cert.CRLException; +import java.security.cert.X509CRLEntry; +import java.util.Date; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1Enumerated; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.util.ASN1Dump; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.CRLReason; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.Extensions; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.TBSCertList; +import org.bouncycastle.asn1.x509.X509Extension; + +/** + * The following extensions are listed in RFC 2459 as relevant to CRL Entries + * + * ReasonCode Hode Instruction Code Invalidity Date Certificate Issuer + * (critical) + */ +public class X509CRLEntryObject extends X509CRLEntry +{ + private TBSCertList.CRLEntry c; + + private X500Name certificateIssuer; + private int hashValue; + private boolean isHashValueSet; + + public X509CRLEntryObject(TBSCertList.CRLEntry c) + { + this.c = c; + this.certificateIssuer = null; + } + + /** + * Constructor for CRLEntries of indirect CRLs. If <code>isIndirect</code> + * is <code>false</code> {@link #getCertificateIssuer()} will always + * return <code>null</code>, <code>previousCertificateIssuer</code> is + * ignored. If this <code>isIndirect</code> is specified and this CRLEntry + * has no certificate issuer CRL entry extension + * <code>previousCertificateIssuer</code> is returned by + * {@link #getCertificateIssuer()}. + * + * @param c + * TBSCertList.CRLEntry object. + * @param isIndirect + * <code>true</code> if the corresponding CRL is a indirect + * CRL. + * @param previousCertificateIssuer + * Certificate issuer of the previous CRLEntry. + */ + public X509CRLEntryObject( + TBSCertList.CRLEntry c, + boolean isIndirect, + X500Name previousCertificateIssuer) + { + this.c = c; + this.certificateIssuer = loadCertificateIssuer(isIndirect, previousCertificateIssuer); + } + + /** + * Will return true if any extensions are present and marked as critical as + * we currently don't handle any extensions! + */ + public boolean hasUnsupportedCriticalExtension() + { + Set extns = getCriticalExtensionOIDs(); + + return extns != null && !extns.isEmpty(); + } + + private X500Name loadCertificateIssuer(boolean isIndirect, X500Name previousCertificateIssuer) + { + if (!isIndirect) + { + return null; + } + + Extension ext = getExtension(Extension.certificateIssuer); + if (ext == null) + { + return previousCertificateIssuer; + } + + try + { + GeneralName[] names = GeneralNames.getInstance(ext.getParsedValue()).getNames(); + for (int i = 0; i < names.length; i++) + { + if (names[i].getTagNo() == GeneralName.directoryName) + { + return X500Name.getInstance(names[i].getName()); + } + } + return null; + } + catch (Exception e) + { + return null; + } + } + + public X500Principal getCertificateIssuer() + { + if (certificateIssuer == null) + { + return null; + } + try + { + return new X500Principal(certificateIssuer.getEncoded()); + } + catch (IOException e) + { + return null; + } + } + + private Set getExtensionOIDs(boolean critical) + { + Extensions extensions = c.getExtensions(); + + if (extensions != null) + { + Set set = new HashSet(); + Enumeration e = extensions.oids(); + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) e.nextElement(); + Extension ext = extensions.getExtension(oid); + + if (critical == ext.isCritical()) + { + set.add(oid.getId()); + } + } + + return set; + } + + return null; + } + + public Set getCriticalExtensionOIDs() + { + return getExtensionOIDs(true); + } + + public Set getNonCriticalExtensionOIDs() + { + return getExtensionOIDs(false); + } + + private Extension getExtension(ASN1ObjectIdentifier oid) + { + Extensions exts = c.getExtensions(); + + if (exts != null) + { + return exts.getExtension(oid); + } + + return null; + } + + public byte[] getExtensionValue(String oid) + { + Extension ext = getExtension(new ASN1ObjectIdentifier(oid)); + + if (ext != null) + { + try + { + return ext.getExtnValue().getEncoded(); + } + catch (Exception e) + { + throw new RuntimeException("error encoding " + e.toString()); + } + } + + return null; + } + + /** + * Cache the hashCode value - calculating it with the standard method. + * @return calculated hashCode. + */ + public int hashCode() + { + if (!isHashValueSet) + { + hashValue = super.hashCode(); + isHashValueSet = true; + } + + return hashValue; + } + + public byte[] getEncoded() + throws CRLException + { + try + { + return c.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + throw new CRLException(e.toString()); + } + } + + public BigInteger getSerialNumber() + { + return c.getUserCertificate().getValue(); + } + + public Date getRevocationDate() + { + return c.getRevocationDate().getDate(); + } + + public boolean hasExtensions() + { + return c.getExtensions() != null; + } + + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append(" userCertificate: ").append(this.getSerialNumber()).append(nl); + buf.append(" revocationDate: ").append(this.getRevocationDate()).append(nl); + buf.append(" certificateIssuer: ").append(this.getCertificateIssuer()).append(nl); + + Extensions extensions = c.getExtensions(); + + if (extensions != null) + { + Enumeration e = extensions.oids(); + if (e.hasMoreElements()) + { + buf.append(" crlEntryExtensions:").append(nl); + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)e.nextElement(); + Extension ext = extensions.getExtension(oid); + if (ext.getExtnValue() != null) + { + byte[] octs = ext.getExtnValue().getOctets(); + ASN1InputStream dIn = new ASN1InputStream(octs); + buf.append(" critical(").append(ext.isCritical()).append(") "); + try + { + if (oid.equals(X509Extension.reasonCode)) + { + buf.append(CRLReason.getInstance(ASN1Enumerated.getInstance(dIn.readObject()))).append(nl); + } + else if (oid.equals(X509Extension.certificateIssuer)) + { + buf.append("Certificate issuer: ").append(GeneralNames.getInstance(dIn.readObject())).append(nl); + } + else + { + buf.append(oid.getId()); + buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl); + } + } + catch (Exception ex) + { + buf.append(oid.getId()); + buf.append(" value = ").append("*****").append(nl); + } + } + else + { + buf.append(nl); + } + } + } + } + + return buf.toString(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLObject.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLObject.java new file mode 100644 index 00000000..cd832118 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLObject.java @@ -0,0 +1,576 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.Principal; +import java.security.PublicKey; +import java.security.Signature; +import java.security.SignatureException; +import java.security.cert.CRLException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLEntry; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.util.ASN1Dump; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.CRLDistPoint; +import org.bouncycastle.asn1.x509.CRLNumber; +import org.bouncycastle.asn1.x509.CertificateList; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.Extensions; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.IssuingDistributionPoint; +import org.bouncycastle.asn1.x509.TBSCertList; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.util.encoders.Hex; + +/** + * The following extensions are listed in RFC 2459 as relevant to CRLs + * + * Authority Key Identifier + * Issuer Alternative Name + * CRL Number + * Delta CRL Indicator (critical) + * Issuing Distribution Point (critical) + */ +public class X509CRLObject + extends X509CRL +{ + private CertificateList c; + private String sigAlgName; + private byte[] sigAlgParams; + private boolean isIndirect; + + static boolean isIndirectCRL(X509CRL crl) + throws CRLException + { + try + { + byte[] idp = crl.getExtensionValue(Extension.issuingDistributionPoint.getId()); + return idp != null + && IssuingDistributionPoint.getInstance(ASN1OctetString.getInstance(idp).getOctets()).isIndirectCRL(); + } + catch (Exception e) + { + throw new ExtCRLException( + "Exception reading IssuingDistributionPoint", e); + } + } + + public X509CRLObject( + CertificateList c) + throws CRLException + { + this.c = c; + + try + { + this.sigAlgName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm()); + + if (c.getSignatureAlgorithm().getParameters() != null) + { + this.sigAlgParams = ((ASN1Encodable)c.getSignatureAlgorithm().getParameters()).toASN1Primitive().getEncoded(ASN1Encoding.DER); + } + else + { + this.sigAlgParams = null; + } + + this.isIndirect = isIndirectCRL(this); + } + catch (Exception e) + { + throw new CRLException("CRL contents invalid: " + e); + } + } + + /** + * Will return true if any extensions are present and marked + * as critical as we currently dont handle any extensions! + */ + public boolean hasUnsupportedCriticalExtension() + { + Set extns = getCriticalExtensionOIDs(); + + if (extns == null) + { + return false; + } + + extns.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT); + extns.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); + + return !extns.isEmpty(); + } + + private Set getExtensionOIDs(boolean critical) + { + if (this.getVersion() == 2) + { + Extensions extensions = c.getTBSCertList().getExtensions(); + + if (extensions != null) + { + Set set = new HashSet(); + Enumeration e = extensions.oids(); + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)e.nextElement(); + Extension ext = extensions.getExtension(oid); + + if (critical == ext.isCritical()) + { + set.add(oid.getId()); + } + } + + return set; + } + } + + return null; + } + + public Set getCriticalExtensionOIDs() + { + return getExtensionOIDs(true); + } + + public Set getNonCriticalExtensionOIDs() + { + return getExtensionOIDs(false); + } + + public byte[] getExtensionValue(String oid) + { + Extensions exts = c.getTBSCertList().getExtensions(); + + if (exts != null) + { + Extension ext = exts.getExtension(new ASN1ObjectIdentifier(oid)); + + if (ext != null) + { + try + { + return ext.getExtnValue().getEncoded(); + } + catch (Exception e) + { + throw new IllegalStateException("error parsing " + e.toString()); + } + } + } + + return null; + } + + public byte[] getEncoded() + throws CRLException + { + try + { + return c.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + throw new CRLException(e.toString()); + } + } + + public void verify(PublicKey key) + throws CRLException, NoSuchAlgorithmException, + InvalidKeyException, NoSuchProviderException, SignatureException + { + verify(key, BouncyCastleProvider.PROVIDER_NAME); + } + + public void verify(PublicKey key, String sigProvider) + throws CRLException, NoSuchAlgorithmException, + InvalidKeyException, NoSuchProviderException, SignatureException + { + if (!c.getSignatureAlgorithm().equals(c.getTBSCertList().getSignature())) + { + throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList."); + } + + Signature sig; + + if (sigProvider != null) + { + sig = Signature.getInstance(getSigAlgName(), sigProvider); + } + else + { + sig = Signature.getInstance(getSigAlgName()); + } + + sig.initVerify(key); + sig.update(this.getTBSCertList()); + + if (!sig.verify(this.getSignature())) + { + throw new SignatureException("CRL does not verify with supplied public key."); + } + } + + public int getVersion() + { + return c.getVersionNumber(); + } + + public Principal getIssuerDN() + { + return new X509Principal(X500Name.getInstance(c.getIssuer().toASN1Primitive())); + } + + public X500Principal getIssuerX500Principal() + { + try + { + return new X500Principal(c.getIssuer().getEncoded()); + } + catch (IOException e) + { + throw new IllegalStateException("can't encode issuer DN"); + } + } + + public Date getThisUpdate() + { + return c.getThisUpdate().getDate(); + } + + public Date getNextUpdate() + { + if (c.getNextUpdate() != null) + { + return c.getNextUpdate().getDate(); + } + + return null; + } + + private Set loadCRLEntries() + { + Set entrySet = new HashSet(); + Enumeration certs = c.getRevokedCertificateEnumeration(); + + X500Name previousCertificateIssuer = null; // the issuer + while (certs.hasMoreElements()) + { + TBSCertList.CRLEntry entry = (TBSCertList.CRLEntry)certs.nextElement(); + X509CRLEntryObject crlEntry = new X509CRLEntryObject(entry, isIndirect, previousCertificateIssuer); + entrySet.add(crlEntry); + if (isIndirect && entry.hasExtensions()) + { + Extension currentCaName = entry.getExtensions().getExtension(Extension.certificateIssuer); + + if (currentCaName != null) + { + previousCertificateIssuer = X500Name.getInstance(GeneralNames.getInstance(currentCaName.getParsedValue()).getNames()[0].getName()); + } + } + } + + return entrySet; + } + + public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) + { + Enumeration certs = c.getRevokedCertificateEnumeration(); + + X500Name previousCertificateIssuer = null; // the issuer + while (certs.hasMoreElements()) + { + TBSCertList.CRLEntry entry = (TBSCertList.CRLEntry)certs.nextElement(); + + if (serialNumber.equals(entry.getUserCertificate().getValue())) + { + return new X509CRLEntryObject(entry, isIndirect, previousCertificateIssuer); + } + + if (isIndirect && entry.hasExtensions()) + { + Extension currentCaName = entry.getExtensions().getExtension(Extension.certificateIssuer); + + if (currentCaName != null) + { + previousCertificateIssuer = X500Name.getInstance(GeneralNames.getInstance(currentCaName.getParsedValue()).getNames()[0].getName()); + } + } + } + + return null; + } + + public Set getRevokedCertificates() + { + Set entrySet = loadCRLEntries(); + + if (!entrySet.isEmpty()) + { + return Collections.unmodifiableSet(entrySet); + } + + return null; + } + + public byte[] getTBSCertList() + throws CRLException + { + try + { + return c.getTBSCertList().getEncoded("DER"); + } + catch (IOException e) + { + throw new CRLException(e.toString()); + } + } + + public byte[] getSignature() + { + return c.getSignature().getBytes(); + } + + public String getSigAlgName() + { + return sigAlgName; + } + + public String getSigAlgOID() + { + return c.getSignatureAlgorithm().getAlgorithm().getId(); + } + + public byte[] getSigAlgParams() + { + if (sigAlgParams != null) + { + byte[] tmp = new byte[sigAlgParams.length]; + + System.arraycopy(sigAlgParams, 0, tmp, 0, tmp.length); + + return tmp; + } + + return null; + } + + /** + * Returns a string representation of this CRL. + * + * @return a string representation of this CRL. + */ + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append(" Version: ").append(this.getVersion()).append( + nl); + buf.append(" IssuerDN: ").append(this.getIssuerDN()) + .append(nl); + buf.append(" This update: ").append(this.getThisUpdate()) + .append(nl); + buf.append(" Next update: ").append(this.getNextUpdate()) + .append(nl); + buf.append(" Signature Algorithm: ").append(this.getSigAlgName()) + .append(nl); + + byte[] sig = this.getSignature(); + + buf.append(" Signature: ").append( + new String(Hex.encode(sig, 0, 20))).append(nl); + for (int i = 20; i < sig.length; i += 20) + { + if (i < sig.length - 20) + { + buf.append(" ").append( + new String(Hex.encode(sig, i, 20))).append(nl); + } + else + { + buf.append(" ").append( + new String(Hex.encode(sig, i, sig.length - i))).append(nl); + } + } + + Extensions extensions = c.getTBSCertList().getExtensions(); + + if (extensions != null) + { + Enumeration e = extensions.oids(); + + if (e.hasMoreElements()) + { + buf.append(" Extensions: ").append(nl); + } + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) e.nextElement(); + Extension ext = extensions.getExtension(oid); + + if (ext.getExtnValue() != null) + { + byte[] octs = ext.getExtnValue().getOctets(); + ASN1InputStream dIn = new ASN1InputStream(octs); + buf.append(" critical(").append( + ext.isCritical()).append(") "); + try + { + if (oid.equals(Extension.cRLNumber)) + { + buf.append( + new CRLNumber(ASN1Integer.getInstance( + dIn.readObject()).getPositiveValue())) + .append(nl); + } + else if (oid.equals(Extension.deltaCRLIndicator)) + { + buf.append( + "Base CRL: " + + new CRLNumber(ASN1Integer.getInstance( + dIn.readObject()).getPositiveValue())) + .append(nl); + } + else if (oid + .equals(Extension.issuingDistributionPoint)) + { + buf.append( + IssuingDistributionPoint.getInstance(dIn.readObject())).append(nl); + } + else if (oid + .equals(Extension.cRLDistributionPoints)) + { + buf.append( + CRLDistPoint.getInstance(dIn.readObject())).append(nl); + } + else if (oid.equals(Extension.freshestCRL)) + { + buf.append( + CRLDistPoint.getInstance(dIn.readObject())).append(nl); + } + else + { + buf.append(oid.getId()); + buf.append(" value = ").append( + ASN1Dump.dumpAsString(dIn.readObject())) + .append(nl); + } + } + catch (Exception ex) + { + buf.append(oid.getId()); + buf.append(" value = ").append("*****").append(nl); + } + } + else + { + buf.append(nl); + } + } + } + Set set = getRevokedCertificates(); + if (set != null) + { + Iterator it = set.iterator(); + while (it.hasNext()) + { + buf.append(it.next()); + buf.append(nl); + } + } + return buf.toString(); + } + + /** + * Checks whether the given certificate is on this CRL. + * + * @param cert the certificate to check for. + * @return true if the given certificate is on this CRL, + * false otherwise. + */ + public boolean isRevoked(Certificate cert) + { + if (!cert.getType().equals("X.509")) + { + throw new RuntimeException("X.509 CRL used with non X.509 Cert"); + } + + TBSCertList.CRLEntry[] certs = c.getRevokedCertificates(); + + X500Name caName = c.getIssuer(); + + if (certs != null) + { + BigInteger serial = ((X509Certificate)cert).getSerialNumber(); + + for (int i = 0; i < certs.length; i++) + { + if (isIndirect && certs[i].hasExtensions()) + { + Extension currentCaName = certs[i].getExtensions().getExtension(Extension.certificateIssuer); + + if (currentCaName != null) + { + caName = X500Name.getInstance(GeneralNames.getInstance(currentCaName.getParsedValue()).getNames()[0].getName()); + } + } + + if (certs[i].getUserCertificate().getValue().equals(serial)) + { + X500Name issuer; + + if (cert instanceof X509Certificate) + { + issuer = X500Name.getInstance(((X509Certificate)cert).getIssuerX500Principal().getEncoded()); + } + else + { + try + { + issuer = org.bouncycastle.asn1.x509.Certificate.getInstance(cert.getEncoded()).getIssuer(); + } + catch (CertificateEncodingException e) + { + throw new RuntimeException("Cannot process certificate"); + } + } + + if (!caName.equals(issuer)) + { + return false; + } + + return true; + } + } + } + + return false; + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLParser.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLParser.java new file mode 100644 index 00000000..40f0a64f --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CRLParser.java @@ -0,0 +1,150 @@ +package org.bouncycastle.jce.provider; + +import java.io.BufferedInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.security.cert.CRL; +import java.security.cert.CRLException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1Set; +import org.bouncycastle.asn1.ASN1TaggedObject; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.SignedData; +import org.bouncycastle.asn1.x509.CertificateList; +import org.bouncycastle.x509.X509StreamParserSpi; +import org.bouncycastle.x509.util.StreamParsingException; + +public class X509CRLParser + extends X509StreamParserSpi +{ + private static final PEMUtil PEM_PARSER = new PEMUtil("CRL"); + + private ASN1Set sData = null; + private int sDataObjectCount = 0; + private InputStream currentStream = null; + + private CRL readDERCRL( + InputStream in) + throws IOException, CRLException + { + ASN1InputStream dIn = new ASN1InputStream(in); + ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); + + if (seq.size() > 1 + && seq.getObjectAt(0) instanceof DERObjectIdentifier) + { + if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) + { + sData = new SignedData(ASN1Sequence.getInstance( + (ASN1TaggedObject)seq.getObjectAt(1), true)).getCRLs(); + + return getCRL(); + } + } + + return new X509CRLObject(CertificateList.getInstance(seq)); + } + + private CRL getCRL() + throws CRLException + { + if (sData == null || sDataObjectCount >= sData.size()) + { + return null; + } + + return new X509CRLObject( + CertificateList.getInstance( + sData.getObjectAt(sDataObjectCount++))); + } + + private CRL readPEMCRL( + InputStream in) + throws IOException, CRLException + { + ASN1Sequence seq = PEM_PARSER.readPEMObject(in); + + if (seq != null) + { + return new X509CRLObject(CertificateList.getInstance(seq)); + } + + return null; + } + + public void engineInit(InputStream in) + { + currentStream = in; + sData = null; + sDataObjectCount = 0; + + if (!currentStream.markSupported()) + { + currentStream = new BufferedInputStream(currentStream); + } + } + + public Object engineRead() + throws StreamParsingException + { + try + { + if (sData != null) + { + if (sDataObjectCount != sData.size()) + { + return getCRL(); + } + else + { + sData = null; + sDataObjectCount = 0; + return null; + } + } + + currentStream.mark(10); + int tag = currentStream.read(); + + if (tag == -1) + { + return null; + } + + if (tag != 0x30) // assume ascii PEM encoded. + { + currentStream.reset(); + return readPEMCRL(currentStream); + } + else + { + currentStream.reset(); + return readDERCRL(currentStream); + } + } + catch (Exception e) + { + throw new StreamParsingException(e.toString(), e); + } + } + + public Collection engineReadAll() + throws StreamParsingException + { + CRL crl; + List certs = new ArrayList(); + + while ((crl = (CRL)engineRead()) != null) + { + certs.add(crl); + } + + return certs; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertPairParser.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertPairParser.java new file mode 100644 index 00000000..41d64480 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertPairParser.java @@ -0,0 +1,77 @@ +package org.bouncycastle.jce.provider; + +import java.io.BufferedInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.security.cert.CertificateParsingException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.x509.CertificatePair; +import org.bouncycastle.x509.X509CertificatePair; +import org.bouncycastle.x509.X509StreamParserSpi; +import org.bouncycastle.x509.util.StreamParsingException; + +public class X509CertPairParser + extends X509StreamParserSpi +{ + private InputStream currentStream = null; + + private X509CertificatePair readDERCrossCertificatePair( + InputStream in) + throws IOException, CertificateParsingException + { + ASN1InputStream dIn = new ASN1InputStream(in); + ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); + CertificatePair pair = CertificatePair.getInstance(seq); + return new X509CertificatePair(pair); + } + + public void engineInit(InputStream in) + { + currentStream = in; + + if (!currentStream.markSupported()) + { + currentStream = new BufferedInputStream(currentStream); + } + } + + public Object engineRead() throws StreamParsingException + { + try + { + + currentStream.mark(10); + int tag = currentStream.read(); + + if (tag == -1) + { + return null; + } + + currentStream.reset(); + return readDERCrossCertificatePair(currentStream); + } + catch (Exception e) + { + throw new StreamParsingException(e.toString(), e); + } + } + + public Collection engineReadAll() throws StreamParsingException + { + X509CertificatePair pair; + List certs = new ArrayList(); + + while ((pair = (X509CertificatePair)engineRead()) != null) + { + certs.add(pair); + } + + return certs; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertParser.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertParser.java new file mode 100644 index 00000000..a407ba83 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertParser.java @@ -0,0 +1,158 @@ +package org.bouncycastle.jce.provider; + +import java.io.BufferedInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1Set; +import org.bouncycastle.asn1.ASN1TaggedObject; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.SignedData; +import org.bouncycastle.x509.X509StreamParserSpi; +import org.bouncycastle.x509.util.StreamParsingException; + +public class X509CertParser + extends X509StreamParserSpi +{ + private static final PEMUtil PEM_PARSER = new PEMUtil("CERTIFICATE"); + + private ASN1Set sData = null; + private int sDataObjectCount = 0; + private InputStream currentStream = null; + + private Certificate readDERCertificate( + InputStream in) + throws IOException, CertificateParsingException + { + ASN1InputStream dIn = new ASN1InputStream(in); + ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); + + if (seq.size() > 1 + && seq.getObjectAt(0) instanceof DERObjectIdentifier) + { + if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) + { + sData = new SignedData(ASN1Sequence.getInstance( + (ASN1TaggedObject)seq.getObjectAt(1), true)).getCertificates(); + + return getCertificate(); + } + } + + return new X509CertificateObject( + org.bouncycastle.asn1.x509.Certificate.getInstance(seq)); + } + + private Certificate getCertificate() + throws CertificateParsingException + { + if (sData != null) + { + while (sDataObjectCount < sData.size()) + { + Object obj = sData.getObjectAt(sDataObjectCount++); + + if (obj instanceof ASN1Sequence) + { + return new X509CertificateObject( + org.bouncycastle.asn1.x509.Certificate.getInstance(obj)); + } + } + } + + return null; + } + + private Certificate readPEMCertificate( + InputStream in) + throws IOException, CertificateParsingException + { + ASN1Sequence seq = PEM_PARSER.readPEMObject(in); + + if (seq != null) + { + return new X509CertificateObject( + org.bouncycastle.asn1.x509.Certificate.getInstance(seq)); + } + + return null; + } + + public void engineInit(InputStream in) + { + currentStream = in; + sData = null; + sDataObjectCount = 0; + + if (!currentStream.markSupported()) + { + currentStream = new BufferedInputStream(currentStream); + } + } + + public Object engineRead() + throws StreamParsingException + { + try + { + if (sData != null) + { + if (sDataObjectCount != sData.size()) + { + return getCertificate(); + } + else + { + sData = null; + sDataObjectCount = 0; + return null; + } + } + + currentStream.mark(10); + int tag = currentStream.read(); + + if (tag == -1) + { + return null; + } + + if (tag != 0x30) // assume ascii PEM encoded. + { + currentStream.reset(); + return readPEMCertificate(currentStream); + } + else + { + currentStream.reset(); + return readDERCertificate(currentStream); + } + } + catch (Exception e) + { + throw new StreamParsingException(e.toString(), e); + } + } + + public Collection engineReadAll() + throws StreamParsingException + { + Certificate cert; + List certs = new ArrayList(); + + while ((cert = (Certificate)engineRead()) != null) + { + certs.add(cert); + } + + return certs; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertificateObject.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertificateObject.java new file mode 100644 index 00000000..97ff6f98 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509CertificateObject.java @@ -0,0 +1,901 @@ +package org.bouncycastle.jce.provider; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.Principal; +import java.security.Provider; +import java.security.PublicKey; +import java.security.Security; +import java.security.Signature; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1OutputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1String; +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DERIA5String; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.misc.MiscObjectIdentifiers; +import org.bouncycastle.asn1.misc.NetscapeCertType; +import org.bouncycastle.asn1.misc.NetscapeRevocationURL; +import org.bouncycastle.asn1.misc.VerisignCzagExtension; +import org.bouncycastle.asn1.util.ASN1Dump; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x500.style.RFC4519Style; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.Extensions; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.KeyUsage; +import org.bouncycastle.jcajce.provider.asymmetric.util.PKCS12BagAttributeCarrierImpl; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.Integers; +import org.bouncycastle.util.encoders.Hex; + +public class X509CertificateObject + extends X509Certificate + implements PKCS12BagAttributeCarrier +{ + private org.bouncycastle.asn1.x509.Certificate c; + private BasicConstraints basicConstraints; + private boolean[] keyUsage; + private boolean hashValueSet; + private int hashValue; + + private PKCS12BagAttributeCarrier attrCarrier = new PKCS12BagAttributeCarrierImpl(); + + public X509CertificateObject( + org.bouncycastle.asn1.x509.Certificate c) + throws CertificateParsingException + { + this.c = c; + + try + { + byte[] bytes = this.getExtensionBytes("2.5.29.19"); + + if (bytes != null) + { + basicConstraints = BasicConstraints.getInstance(ASN1Primitive.fromByteArray(bytes)); + } + } + catch (Exception e) + { + throw new CertificateParsingException("cannot construct BasicConstraints: " + e); + } + + try + { + byte[] bytes = this.getExtensionBytes("2.5.29.15"); + if (bytes != null) + { + DERBitString bits = DERBitString.getInstance(ASN1Primitive.fromByteArray(bytes)); + + bytes = bits.getBytes(); + int length = (bytes.length * 8) - bits.getPadBits(); + + keyUsage = new boolean[(length < 9) ? 9 : length]; + + for (int i = 0; i != length; i++) + { + keyUsage[i] = (bytes[i / 8] & (0x80 >>> (i % 8))) != 0; + } + } + else + { + keyUsage = null; + } + } + catch (Exception e) + { + throw new CertificateParsingException("cannot construct KeyUsage: " + e); + } + } + + public void checkValidity() + throws CertificateExpiredException, CertificateNotYetValidException + { + this.checkValidity(new Date()); + } + + public void checkValidity( + Date date) + throws CertificateExpiredException, CertificateNotYetValidException + { + if (date.getTime() > this.getNotAfter().getTime()) // for other VM compatibility + { + throw new CertificateExpiredException("certificate expired on " + c.getEndDate().getTime()); + } + + if (date.getTime() < this.getNotBefore().getTime()) + { + throw new CertificateNotYetValidException("certificate not valid till " + c.getStartDate().getTime()); + } + } + + public int getVersion() + { + return c.getVersionNumber(); + } + + public BigInteger getSerialNumber() + { + return c.getSerialNumber().getValue(); + } + + public Principal getIssuerDN() + { + try + { + return new X509Principal(X500Name.getInstance(c.getIssuer().getEncoded())); + } + catch (IOException e) + { + return null; + } + } + + public X500Principal getIssuerX500Principal() + { + try + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ASN1OutputStream aOut = new ASN1OutputStream(bOut); + + aOut.writeObject(c.getIssuer()); + + return new X500Principal(bOut.toByteArray()); + } + catch (IOException e) + { + throw new IllegalStateException("can't encode issuer DN"); + } + } + + public Principal getSubjectDN() + { + return new X509Principal(X500Name.getInstance(c.getSubject().toASN1Primitive())); + } + + public X500Principal getSubjectX500Principal() + { + try + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ASN1OutputStream aOut = new ASN1OutputStream(bOut); + + aOut.writeObject(c.getSubject()); + + return new X500Principal(bOut.toByteArray()); + } + catch (IOException e) + { + throw new IllegalStateException("can't encode issuer DN"); + } + } + + public Date getNotBefore() + { + return c.getStartDate().getDate(); + } + + public Date getNotAfter() + { + return c.getEndDate().getDate(); + } + + public byte[] getTBSCertificate() + throws CertificateEncodingException + { + try + { + return c.getTBSCertificate().getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + throw new CertificateEncodingException(e.toString()); + } + } + + public byte[] getSignature() + { + return c.getSignature().getBytes(); + } + + /** + * return a more "meaningful" representation for the signature algorithm used in + * the certficate. + */ + public String getSigAlgName() + { + Provider prov = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); + + if (prov != null) + { + String algName = prov.getProperty("Alg.Alias.Signature." + this.getSigAlgOID()); + + if (algName != null) + { + return algName; + } + } + + Provider[] provs = Security.getProviders(); + + // + // search every provider looking for a real algorithm + // + for (int i = 0; i != provs.length; i++) + { + String algName = provs[i].getProperty("Alg.Alias.Signature." + this.getSigAlgOID()); + if (algName != null) + { + return algName; + } + } + + return this.getSigAlgOID(); + } + + /** + * return the object identifier for the signature. + */ + public String getSigAlgOID() + { + return c.getSignatureAlgorithm().getAlgorithm().getId(); + } + + /** + * return the signature parameters, or null if there aren't any. + */ + public byte[] getSigAlgParams() + { + if (c.getSignatureAlgorithm().getParameters() != null) + { + try + { + return c.getSignatureAlgorithm().getParameters().toASN1Primitive().getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + return null; + } + } + else + { + return null; + } + } + + public boolean[] getIssuerUniqueID() + { + DERBitString id = c.getTBSCertificate().getIssuerUniqueId(); + + if (id != null) + { + byte[] bytes = id.getBytes(); + boolean[] boolId = new boolean[bytes.length * 8 - id.getPadBits()]; + + for (int i = 0; i != boolId.length; i++) + { + boolId[i] = (bytes[i / 8] & (0x80 >>> (i % 8))) != 0; + } + + return boolId; + } + + return null; + } + + public boolean[] getSubjectUniqueID() + { + DERBitString id = c.getTBSCertificate().getSubjectUniqueId(); + + if (id != null) + { + byte[] bytes = id.getBytes(); + boolean[] boolId = new boolean[bytes.length * 8 - id.getPadBits()]; + + for (int i = 0; i != boolId.length; i++) + { + boolId[i] = (bytes[i / 8] & (0x80 >>> (i % 8))) != 0; + } + + return boolId; + } + + return null; + } + + public boolean[] getKeyUsage() + { + return keyUsage; + } + + public List getExtendedKeyUsage() + throws CertificateParsingException + { + byte[] bytes = this.getExtensionBytes("2.5.29.37"); + + if (bytes != null) + { + try + { + ASN1InputStream dIn = new ASN1InputStream(bytes); + ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); + List list = new ArrayList(); + + for (int i = 0; i != seq.size(); i++) + { + list.add(((ASN1ObjectIdentifier)seq.getObjectAt(i)).getId()); + } + + return Collections.unmodifiableList(list); + } + catch (Exception e) + { + throw new CertificateParsingException("error processing extended key usage extension"); + } + } + + return null; + } + + public int getBasicConstraints() + { + if (basicConstraints != null) + { + if (basicConstraints.isCA()) + { + if (basicConstraints.getPathLenConstraint() == null) + { + return Integer.MAX_VALUE; + } + else + { + return basicConstraints.getPathLenConstraint().intValue(); + } + } + else + { + return -1; + } + } + + return -1; + } + + public Collection getSubjectAlternativeNames() + throws CertificateParsingException + { + return getAlternativeNames(getExtensionBytes(Extension.subjectAlternativeName.getId())); + } + + public Collection getIssuerAlternativeNames() + throws CertificateParsingException + { + return getAlternativeNames(getExtensionBytes(Extension.issuerAlternativeName.getId())); + } + + public Set getCriticalExtensionOIDs() + { + if (this.getVersion() == 3) + { + Set set = new HashSet(); + Extensions extensions = c.getTBSCertificate().getExtensions(); + + if (extensions != null) + { + Enumeration e = extensions.oids(); + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)e.nextElement(); + Extension ext = extensions.getExtension(oid); + + if (ext.isCritical()) + { + set.add(oid.getId()); + } + } + + return set; + } + } + + return null; + } + + private byte[] getExtensionBytes(String oid) + { + Extensions exts = c.getTBSCertificate().getExtensions(); + + if (exts != null) + { + Extension ext = exts.getExtension(new ASN1ObjectIdentifier(oid)); + if (ext != null) + { + return ext.getExtnValue().getOctets(); + } + } + + return null; + } + + public byte[] getExtensionValue(String oid) + { + Extensions exts = c.getTBSCertificate().getExtensions(); + + if (exts != null) + { + Extension ext = exts.getExtension(new ASN1ObjectIdentifier(oid)); + + if (ext != null) + { + try + { + return ext.getExtnValue().getEncoded(); + } + catch (Exception e) + { + throw new IllegalStateException("error parsing " + e.toString()); + } + } + } + + return null; + } + + public Set getNonCriticalExtensionOIDs() + { + if (this.getVersion() == 3) + { + Set set = new HashSet(); + Extensions extensions = c.getTBSCertificate().getExtensions(); + + if (extensions != null) + { + Enumeration e = extensions.oids(); + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)e.nextElement(); + Extension ext = extensions.getExtension(oid); + + if (!ext.isCritical()) + { + set.add(oid.getId()); + } + } + + return set; + } + } + + return null; + } + + public boolean hasUnsupportedCriticalExtension() + { + if (this.getVersion() == 3) + { + Extensions extensions = c.getTBSCertificate().getExtensions(); + + if (extensions != null) + { + Enumeration e = extensions.oids(); + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)e.nextElement(); + String oidId = oid.getId(); + + if (oidId.equals(RFC3280CertPathUtilities.KEY_USAGE) + || oidId.equals(RFC3280CertPathUtilities.CERTIFICATE_POLICIES) + || oidId.equals(RFC3280CertPathUtilities.POLICY_MAPPINGS) + || oidId.equals(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY) + || oidId.equals(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS) + || oidId.equals(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT) + || oidId.equals(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR) + || oidId.equals(RFC3280CertPathUtilities.POLICY_CONSTRAINTS) + || oidId.equals(RFC3280CertPathUtilities.BASIC_CONSTRAINTS) + || oidId.equals(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME) + || oidId.equals(RFC3280CertPathUtilities.NAME_CONSTRAINTS)) + { + continue; + } + + Extension ext = extensions.getExtension(oid); + + if (ext.isCritical()) + { + return true; + } + } + } + } + + return false; + } + + public PublicKey getPublicKey() + { + try + { + return BouncyCastleProvider.getPublicKey(c.getSubjectPublicKeyInfo()); + } + catch (IOException e) + { + return null; // should never happen... + } + } + + public byte[] getEncoded() + throws CertificateEncodingException + { + try + { + return c.getEncoded(ASN1Encoding.DER); + } + catch (IOException e) + { + throw new CertificateEncodingException(e.toString()); + } + } + + public boolean equals( + Object o) + { + if (o == this) + { + return true; + } + + if (!(o instanceof Certificate)) + { + return false; + } + + Certificate other = (Certificate)o; + + try + { + byte[] b1 = this.getEncoded(); + byte[] b2 = other.getEncoded(); + + return Arrays.areEqual(b1, b2); + } + catch (CertificateEncodingException e) + { + return false; + } + } + + public synchronized int hashCode() + { + if (!hashValueSet) + { + hashValue = calculateHashCode(); + hashValueSet = true; + } + + return hashValue; + } + + private int calculateHashCode() + { + try + { + int hashCode = 0; + byte[] certData = this.getEncoded(); + for (int i = 1; i < certData.length; i++) + { + hashCode += certData[i] * i; + } + return hashCode; + } + catch (CertificateEncodingException e) + { + return 0; + } + } + + public void setBagAttribute( + ASN1ObjectIdentifier oid, + ASN1Encodable attribute) + { + attrCarrier.setBagAttribute(oid, attribute); + } + + public ASN1Encodable getBagAttribute( + ASN1ObjectIdentifier oid) + { + return attrCarrier.getBagAttribute(oid); + } + + public Enumeration getBagAttributeKeys() + { + return attrCarrier.getBagAttributeKeys(); + } + + public String toString() + { + StringBuffer buf = new StringBuffer(); + String nl = System.getProperty("line.separator"); + + buf.append(" [0] Version: ").append(this.getVersion()).append(nl); + buf.append(" SerialNumber: ").append(this.getSerialNumber()).append(nl); + buf.append(" IssuerDN: ").append(this.getIssuerDN()).append(nl); + buf.append(" Start Date: ").append(this.getNotBefore()).append(nl); + buf.append(" Final Date: ").append(this.getNotAfter()).append(nl); + buf.append(" SubjectDN: ").append(this.getSubjectDN()).append(nl); + buf.append(" Public Key: ").append(this.getPublicKey()).append(nl); + buf.append(" Signature Algorithm: ").append(this.getSigAlgName()).append(nl); + + byte[] sig = this.getSignature(); + + buf.append(" Signature: ").append(new String(Hex.encode(sig, 0, 20))).append(nl); + for (int i = 20; i < sig.length; i += 20) + { + if (i < sig.length - 20) + { + buf.append(" ").append(new String(Hex.encode(sig, i, 20))).append(nl); + } + else + { + buf.append(" ").append(new String(Hex.encode(sig, i, sig.length - i))).append(nl); + } + } + + Extensions extensions = c.getTBSCertificate().getExtensions(); + + if (extensions != null) + { + Enumeration e = extensions.oids(); + + if (e.hasMoreElements()) + { + buf.append(" Extensions: \n"); + } + + while (e.hasMoreElements()) + { + ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)e.nextElement(); + Extension ext = extensions.getExtension(oid); + + if (ext.getExtnValue() != null) + { + byte[] octs = ext.getExtnValue().getOctets(); + ASN1InputStream dIn = new ASN1InputStream(octs); + buf.append(" critical(").append(ext.isCritical()).append(") "); + try + { + if (oid.equals(Extension.basicConstraints)) + { + buf.append(BasicConstraints.getInstance(dIn.readObject())).append(nl); + } + else if (oid.equals(Extension.keyUsage)) + { + buf.append(KeyUsage.getInstance(dIn.readObject())).append(nl); + } + else if (oid.equals(MiscObjectIdentifiers.netscapeCertType)) + { + buf.append(new NetscapeCertType((DERBitString)dIn.readObject())).append(nl); + } + else if (oid.equals(MiscObjectIdentifiers.netscapeRevocationURL)) + { + buf.append(new NetscapeRevocationURL((DERIA5String)dIn.readObject())).append(nl); + } + else if (oid.equals(MiscObjectIdentifiers.verisignCzagExtension)) + { + buf.append(new VerisignCzagExtension((DERIA5String)dIn.readObject())).append(nl); + } + else + { + buf.append(oid.getId()); + buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl); + //buf.append(" value = ").append("*****").append(nl); + } + } + catch (Exception ex) + { + buf.append(oid.getId()); + // buf.append(" value = ").append(new String(Hex.encode(ext.getExtnValue().getOctets()))).append(nl); + buf.append(" value = ").append("*****").append(nl); + } + } + else + { + buf.append(nl); + } + } + } + + return buf.toString(); + } + + public final void verify( + PublicKey key) + throws CertificateException, NoSuchAlgorithmException, + InvalidKeyException, NoSuchProviderException, SignatureException + { + Signature signature; + String sigName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm()); + + try + { + signature = Signature.getInstance(sigName, BouncyCastleProvider.PROVIDER_NAME); + } + catch (Exception e) + { + signature = Signature.getInstance(sigName); + } + + checkSignature(key, signature); + } + + public final void verify( + PublicKey key, + String sigProvider) + throws CertificateException, NoSuchAlgorithmException, + InvalidKeyException, NoSuchProviderException, SignatureException + { + String sigName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm()); + Signature signature = Signature.getInstance(sigName, sigProvider); + + checkSignature(key, signature); + } + + private void checkSignature( + PublicKey key, + Signature signature) + throws CertificateException, NoSuchAlgorithmException, + SignatureException, InvalidKeyException + { + if (!isAlgIdEqual(c.getSignatureAlgorithm(), c.getTBSCertificate().getSignature())) + { + throw new CertificateException("signature algorithm in TBS cert not same as outer cert"); + } + + ASN1Encodable params = c.getSignatureAlgorithm().getParameters(); + + // TODO This should go after the initVerify? + X509SignatureUtil.setSignatureParameters(signature, params); + + signature.initVerify(key); + + signature.update(this.getTBSCertificate()); + + if (!signature.verify(this.getSignature())) + { + throw new SignatureException("certificate does not verify with supplied key"); + } + } + + private boolean isAlgIdEqual(AlgorithmIdentifier id1, AlgorithmIdentifier id2) + { + if (!id1.getAlgorithm().equals(id2.getAlgorithm())) + { + return false; + } + + if (id1.getParameters() == null) + { + if (id2.getParameters() != null && !id2.getParameters().equals(DERNull.INSTANCE)) + { + return false; + } + + return true; + } + + if (id2.getParameters() == null) + { + if (id1.getParameters() != null && !id1.getParameters().equals(DERNull.INSTANCE)) + { + return false; + } + + return true; + } + + return id1.getParameters().equals(id2.getParameters()); + } + + private static Collection getAlternativeNames(byte[] extVal) + throws CertificateParsingException + { + if (extVal == null) + { + return null; + } + try + { + Collection temp = new ArrayList(); + Enumeration it = ASN1Sequence.getInstance(extVal).getObjects(); + while (it.hasMoreElements()) + { + GeneralName genName = GeneralName.getInstance(it.nextElement()); + List list = new ArrayList(); + list.add(Integers.valueOf(genName.getTagNo())); + switch (genName.getTagNo()) + { + case GeneralName.ediPartyName: + case GeneralName.x400Address: + case GeneralName.otherName: + list.add(genName.getEncoded()); + break; + case GeneralName.directoryName: + list.add(X500Name.getInstance(RFC4519Style.INSTANCE, genName.getName()).toString()); + break; + case GeneralName.dNSName: + case GeneralName.rfc822Name: + case GeneralName.uniformResourceIdentifier: + list.add(((ASN1String)genName.getName()).getString()); + break; + case GeneralName.registeredID: + list.add(ASN1ObjectIdentifier.getInstance(genName.getName()).getId()); + break; + case GeneralName.iPAddress: + byte[] addrBytes = DEROctetString.getInstance(genName.getName()).getOctets(); + final String addr; + try + { + addr = InetAddress.getByAddress(addrBytes).getHostAddress(); + } + catch (UnknownHostException e) + { + continue; + } + list.add(addr); + break; + default: + throw new IOException("Bad tag number: " + genName.getTagNo()); + } + + temp.add(Collections.unmodifiableList(list)); + } + if (temp.size() == 0) + { + return null; + } + return Collections.unmodifiableCollection(temp); + } + catch (Exception e) + { + throw new CertificateParsingException(e.getMessage()); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java new file mode 100644 index 00000000..3797607c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java @@ -0,0 +1,477 @@ +package org.bouncycastle.jce.provider; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.cert.CRL; +import java.security.cert.CRLSelector; +import java.security.cert.CertSelector; +import java.security.cert.CertStoreException; +import java.security.cert.CertStoreParameters; +import java.security.cert.CertStoreSpi; +import java.security.cert.Certificate; +import java.security.cert.CertificateFactory; +import java.security.cert.X509CRLSelector; +import java.security.cert.X509CertSelector; +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Properties; +import java.util.Set; + +import javax.naming.Context; +import javax.naming.NamingEnumeration; +import javax.naming.NamingException; +import javax.naming.directory.Attribute; +import javax.naming.directory.DirContext; +import javax.naming.directory.InitialDirContext; +import javax.naming.directory.SearchControls; +import javax.naming.directory.SearchResult; +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.x509.CertificatePair; +import org.bouncycastle.jce.X509LDAPCertStoreParameters; + +/** + * + * This is a general purpose implementation to get X.509 certificates and CRLs + * from a LDAP location. + * <p> + * At first a search is performed in the ldap*AttributeNames of the + * {@link org.bouncycastle.jce.X509LDAPCertStoreParameters} with the given + * information of the subject (for all kind of certificates) or issuer (for + * CRLs), respectively, if a X509CertSelector is given with that details. For + * CRLs, CA certificates and cross certificates a coarse search is made only for + * entries with that content to get more possibly matchign results. + */ +public class X509LDAPCertStoreSpi + extends CertStoreSpi +{ + private X509LDAPCertStoreParameters params; + + public X509LDAPCertStoreSpi(CertStoreParameters params) + throws InvalidAlgorithmParameterException + { + super(params); + + if (!(params instanceof X509LDAPCertStoreParameters)) + { + throw new InvalidAlgorithmParameterException( + X509LDAPCertStoreSpi.class.getName() + ": parameter must be a " + X509LDAPCertStoreParameters.class.getName() + " object\n" + + params.toString()); + } + + this.params = (X509LDAPCertStoreParameters)params; + } + + /** + * Initial Context Factory. + */ + private static String LDAP_PROVIDER = "com.sun.jndi.ldap.LdapCtxFactory"; + + /** + * Processing referrals.. + */ + private static String REFERRALS_IGNORE = "ignore"; + + /** + * Security level to be used for LDAP connections. + */ + private static final String SEARCH_SECURITY_LEVEL = "none"; + + /** + * Package Prefix for loading URL context factories. + */ + private static final String URL_CONTEXT_PREFIX = "com.sun.jndi.url"; + + private DirContext connectLDAP() throws NamingException + { + Properties props = new Properties(); + props.setProperty(Context.INITIAL_CONTEXT_FACTORY, LDAP_PROVIDER); + props.setProperty(Context.BATCHSIZE, "0"); + + props.setProperty(Context.PROVIDER_URL, params.getLdapURL()); + props.setProperty(Context.URL_PKG_PREFIXES, URL_CONTEXT_PREFIX); + props.setProperty(Context.REFERRAL, REFERRALS_IGNORE); + props.setProperty(Context.SECURITY_AUTHENTICATION, + SEARCH_SECURITY_LEVEL); + + DirContext ctx = new InitialDirContext(props); + return ctx; + } + + private String parseDN(String subject, String subjectAttributeName) + { + String temp = subject; + int begin = temp.toLowerCase().indexOf( + subjectAttributeName.toLowerCase()); + temp = temp.substring(begin + subjectAttributeName.length()); + int end = temp.indexOf(','); + if (end == -1) + { + end = temp.length(); + } + while (temp.charAt(end - 1) == '\\') + { + end = temp.indexOf(',', end + 1); + if (end == -1) + { + end = temp.length(); + } + } + temp = temp.substring(0, end); + begin = temp.indexOf('='); + temp = temp.substring(begin + 1); + if (temp.charAt(0) == ' ') + { + temp = temp.substring(1); + } + if (temp.startsWith("\"")) + { + temp = temp.substring(1); + } + if (temp.endsWith("\"")) + { + temp = temp.substring(0, temp.length() - 1); + } + return temp; + } + + public Collection engineGetCertificates(CertSelector selector) + throws CertStoreException + { + if (!(selector instanceof X509CertSelector)) + { + throw new CertStoreException("selector is not a X509CertSelector"); + } + X509CertSelector xselector = (X509CertSelector)selector; + + Set certSet = new HashSet(); + + Set set = getEndCertificates(xselector); + set.addAll(getCACertificates(xselector)); + set.addAll(getCrossCertificates(xselector)); + + Iterator it = set.iterator(); + + try + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", + BouncyCastleProvider.PROVIDER_NAME); + while (it.hasNext()) + { + byte[] bytes = (byte[])it.next(); + if (bytes == null || bytes.length == 0) + { + continue; + } + + List bytesList = new ArrayList(); + bytesList.add(bytes); + + try + { + CertificatePair pair = CertificatePair + .getInstance(new ASN1InputStream(bytes) + .readObject()); + bytesList.clear(); + if (pair.getForward() != null) + { + bytesList.add(pair.getForward().getEncoded()); + } + if (pair.getReverse() != null) + { + bytesList.add(pair.getReverse().getEncoded()); + } + } + catch (IOException e) + { + + } + catch (IllegalArgumentException e) + { + + } + for (Iterator it2 = bytesList.iterator(); it2.hasNext();) + { + ByteArrayInputStream bIn = new ByteArrayInputStream( + (byte[])it2.next()); + try + { + Certificate cert = cf.generateCertificate(bIn); + // System.out.println(((X509Certificate) + // cert).getSubjectX500Principal()); + if (xselector.match(cert)) + { + certSet.add(cert); + } + } + catch (Exception e) + { + + } + } + } + } + catch (Exception e) + { + throw new CertStoreException( + "certificate cannot be constructed from LDAP result: " + e); + } + + return certSet; + } + + private Set certSubjectSerialSearch(X509CertSelector xselector, + String[] attrs, String attrName, String subjectAttributeName) + throws CertStoreException + { + Set set = new HashSet(); + try + { + if (xselector.getSubjectAsBytes() != null + || xselector.getSubjectAsString() != null + || xselector.getCertificate() != null) + { + String subject = null; + String serial = null; + if (xselector.getCertificate() != null) + { + subject = xselector.getCertificate() + .getSubjectX500Principal().getName("RFC1779"); + serial = xselector.getCertificate().getSerialNumber() + .toString(); + } + else + { + if (xselector.getSubjectAsBytes() != null) + { + subject = new X500Principal(xselector + .getSubjectAsBytes()).getName("RFC1779"); + } + else + { + subject = xselector.getSubjectAsString(); + } + } + String attrValue = parseDN(subject, subjectAttributeName); + set.addAll(search(attrName, "*" + attrValue + "*", attrs)); + if (serial != null + && params.getSearchForSerialNumberIn() != null) + { + attrValue = serial; + attrName = params.getSearchForSerialNumberIn(); + set.addAll(search(attrName, "*" + attrValue + "*", attrs)); + } + } + else + { + set.addAll(search(attrName, "*", attrs)); + } + } + catch (IOException e) + { + throw new CertStoreException("exception processing selector: " + e); + } + + return set; + } + + private Set getEndCertificates(X509CertSelector xselector) + throws CertStoreException + { + String[] attrs = {params.getUserCertificateAttribute()}; + String attrName = params.getLdapUserCertificateAttributeName(); + String subjectAttributeName = params.getUserCertificateSubjectAttributeName(); + + Set set = certSubjectSerialSearch(xselector, attrs, attrName, + subjectAttributeName); + return set; + } + + private Set getCACertificates(X509CertSelector xselector) + throws CertStoreException + { + String[] attrs = {params.getCACertificateAttribute()}; + String attrName = params.getLdapCACertificateAttributeName(); + String subjectAttributeName = params + .getCACertificateSubjectAttributeName(); + Set set = certSubjectSerialSearch(xselector, attrs, attrName, + subjectAttributeName); + + if (set.isEmpty()) + { + set.addAll(search(null, "*", attrs)); + } + + return set; + } + + private Set getCrossCertificates(X509CertSelector xselector) + throws CertStoreException + { + String[] attrs = {params.getCrossCertificateAttribute()}; + String attrName = params.getLdapCrossCertificateAttributeName(); + String subjectAttributeName = params + .getCrossCertificateSubjectAttributeName(); + Set set = certSubjectSerialSearch(xselector, attrs, attrName, + subjectAttributeName); + + if (set.isEmpty()) + { + set.addAll(search(null, "*", attrs)); + } + + return set; + } + + public Collection engineGetCRLs(CRLSelector selector) + throws CertStoreException + { + String[] attrs = {params.getCertificateRevocationListAttribute()}; + if (!(selector instanceof X509CRLSelector)) + { + throw new CertStoreException("selector is not a X509CRLSelector"); + } + X509CRLSelector xselector = (X509CRLSelector)selector; + + Set crlSet = new HashSet(); + + String attrName = params.getLdapCertificateRevocationListAttributeName(); + Set set = new HashSet(); + + if (xselector.getIssuerNames() != null) + { + for (Iterator it = xselector.getIssuerNames().iterator(); it + .hasNext();) + { + Object o = it.next(); + String attrValue = null; + if (o instanceof String) + { + String issuerAttributeName = params + .getCertificateRevocationListIssuerAttributeName(); + attrValue = parseDN((String)o, issuerAttributeName); + } + else + { + String issuerAttributeName = params + .getCertificateRevocationListIssuerAttributeName(); + attrValue = parseDN(new X500Principal((byte[])o) + .getName("RFC1779"), issuerAttributeName); + } + set.addAll(search(attrName, "*" + attrValue + "*", attrs)); + } + } + else + { + set.addAll(search(attrName, "*", attrs)); + } + set.addAll(search(null, "*", attrs)); + Iterator it = set.iterator(); + + try + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", + BouncyCastleProvider.PROVIDER_NAME); + while (it.hasNext()) + { + CRL crl = cf.generateCRL(new ByteArrayInputStream((byte[])it + .next())); + if (xselector.match(crl)) + { + crlSet.add(crl); + } + } + } + catch (Exception e) + { + throw new CertStoreException( + "CRL cannot be constructed from LDAP result " + e); + } + + return crlSet; + } + + /** + * Returns a Set of byte arrays with the certificate or CRL encodings. + * + * @param attributeName The attribute name to look for in the LDAP. + * @param attributeValue The value the attribute name must have. + * @param attrs The attributes in the LDAP which hold the certificate, + * certificate pair or CRL in a found entry. + * @return Set of byte arrays with the certificate encodings. + */ + private Set search(String attributeName, String attributeValue, + String[] attrs) throws CertStoreException + { + String filter = attributeName + "=" + attributeValue; + if (attributeName == null) + { + filter = null; + } + DirContext ctx = null; + Set set = new HashSet(); + try + { + + ctx = connectLDAP(); + + SearchControls constraints = new SearchControls(); + constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); + constraints.setCountLimit(0); + for (int i = 0; i < attrs.length; i++) + { + String temp[] = new String[1]; + temp[0] = attrs[i]; + constraints.setReturningAttributes(temp); + + String filter2 = "(&(" + filter + ")(" + temp[0] + "=*))"; + if (filter == null) + { + filter2 = "(" + temp[0] + "=*)"; + } + NamingEnumeration results = ctx.search(params.getBaseDN(), + filter2, constraints); + while (results.hasMoreElements()) + { + SearchResult sr = (SearchResult)results.next(); + // should only be one attribute in the attribute set with + // one + // attribute value as byte array + NamingEnumeration enumeration = ((Attribute)(sr + .getAttributes().getAll().next())).getAll(); + while (enumeration.hasMore()) + { + Object o = enumeration.next(); + set.add(o); + } + } + } + } + catch (Exception e) + { + throw new CertStoreException( + "Error getting results from LDAP directory " + e); + + } + finally + { + try + { + if (null != ctx) + { + ctx.close(); + } + } + catch (Exception e) + { + } + } + return set; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509SignatureUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509SignatureUtil.java new file mode 100644 index 00000000..c9a13885 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509SignatureUtil.java @@ -0,0 +1,138 @@ +package org.bouncycastle.jce.provider; + +import java.io.IOException; +import java.security.AlgorithmParameters; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.Signature; +import java.security.SignatureException; +import java.security.spec.PSSParameterSpec; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Null; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; +import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.RSASSAPSSparams; +import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; + +class X509SignatureUtil +{ + private static final ASN1Null derNull = DERNull.INSTANCE; + + static void setSignatureParameters( + Signature signature, + ASN1Encodable params) + throws NoSuchAlgorithmException, SignatureException, InvalidKeyException + { + if (params != null && !derNull.equals(params)) + { + AlgorithmParameters sigParams = AlgorithmParameters.getInstance(signature.getAlgorithm(), signature.getProvider()); + + try + { + sigParams.init(params.toASN1Primitive().getEncoded()); + } + catch (IOException e) + { + throw new SignatureException("IOException decoding parameters: " + e.getMessage()); + } + + if (signature.getAlgorithm().endsWith("MGF1")) + { + try + { + signature.setParameter(sigParams.getParameterSpec(PSSParameterSpec.class)); + } + catch (GeneralSecurityException e) + { + throw new SignatureException("Exception extracting parameters: " + e.getMessage()); + } + } + } + } + + static String getSignatureName( + AlgorithmIdentifier sigAlgId) + { + ASN1Encodable params = sigAlgId.getParameters(); + + if (params != null && !derNull.equals(params)) + { + if (sigAlgId.getObjectId().equals(PKCSObjectIdentifiers.id_RSASSA_PSS)) + { + RSASSAPSSparams rsaParams = RSASSAPSSparams.getInstance(params); + + return getDigestAlgName(rsaParams.getHashAlgorithm().getObjectId()) + "withRSAandMGF1"; + } + if (sigAlgId.getObjectId().equals(X9ObjectIdentifiers.ecdsa_with_SHA2)) + { + ASN1Sequence ecDsaParams = ASN1Sequence.getInstance(params); + + return getDigestAlgName((DERObjectIdentifier)ecDsaParams.getObjectAt(0)) + "withECDSA"; + } + } + + return sigAlgId.getObjectId().getId(); + } + + /** + * Return the digest algorithm using one of the standard JCA string + * representations rather the the algorithm identifier (if possible). + */ + private static String getDigestAlgName( + DERObjectIdentifier digestAlgOID) + { + if (PKCSObjectIdentifiers.md5.equals(digestAlgOID)) + { + return "MD5"; + } + else if (OIWObjectIdentifiers.idSHA1.equals(digestAlgOID)) + { + return "SHA1"; + } + else if (NISTObjectIdentifiers.id_sha224.equals(digestAlgOID)) + { + return "SHA224"; + } + else if (NISTObjectIdentifiers.id_sha256.equals(digestAlgOID)) + { + return "SHA256"; + } + else if (NISTObjectIdentifiers.id_sha384.equals(digestAlgOID)) + { + return "SHA384"; + } + else if (NISTObjectIdentifiers.id_sha512.equals(digestAlgOID)) + { + return "SHA512"; + } + else if (TeleTrusTObjectIdentifiers.ripemd128.equals(digestAlgOID)) + { + return "RIPEMD128"; + } + else if (TeleTrusTObjectIdentifiers.ripemd160.equals(digestAlgOID)) + { + return "RIPEMD160"; + } + else if (TeleTrusTObjectIdentifiers.ripemd256.equals(digestAlgOID)) + { + return "RIPEMD256"; + } + else if (CryptoProObjectIdentifiers.gostR3411.equals(digestAlgOID)) + { + return "GOST3411"; + } + else + { + return digestAlgOID.getId(); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreAttrCertCollection.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreAttrCertCollection.java new file mode 100644 index 00000000..7e2dc6a3 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreAttrCertCollection.java @@ -0,0 +1,34 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; + +import org.bouncycastle.util.CollectionStore; +import org.bouncycastle.util.Selector; +import org.bouncycastle.x509.X509CollectionStoreParameters; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; + +public class X509StoreAttrCertCollection + extends X509StoreSpi +{ + private CollectionStore _store; + + public X509StoreAttrCertCollection() + { + } + + public void engineInit(X509StoreParameters params) + { + if (!(params instanceof X509CollectionStoreParameters)) + { + throw new IllegalArgumentException(params.toString()); + } + + _store = new CollectionStore(((X509CollectionStoreParameters)params).getCollection()); + } + + public Collection engineGetMatches(Selector selector) + { + return _store.getMatches(selector); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCRLCollection.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCRLCollection.java new file mode 100644 index 00000000..b914f171 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCRLCollection.java @@ -0,0 +1,34 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; + +import org.bouncycastle.util.CollectionStore; +import org.bouncycastle.util.Selector; +import org.bouncycastle.x509.X509CollectionStoreParameters; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; + +public class X509StoreCRLCollection + extends X509StoreSpi +{ + private CollectionStore _store; + + public X509StoreCRLCollection() + { + } + + public void engineInit(X509StoreParameters params) + { + if (!(params instanceof X509CollectionStoreParameters)) + { + throw new IllegalArgumentException(params.toString()); + } + + _store = new CollectionStore(((X509CollectionStoreParameters)params).getCollection()); + } + + public Collection engineGetMatches(Selector selector) + { + return _store.getMatches(selector); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCertCollection.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCertCollection.java new file mode 100644 index 00000000..db88f316 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCertCollection.java @@ -0,0 +1,34 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; + +import org.bouncycastle.util.CollectionStore; +import org.bouncycastle.util.Selector; +import org.bouncycastle.x509.X509CollectionStoreParameters; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; + +public class X509StoreCertCollection + extends X509StoreSpi +{ + private CollectionStore _store; + + public X509StoreCertCollection() + { + } + + public void engineInit(X509StoreParameters params) + { + if (!(params instanceof X509CollectionStoreParameters)) + { + throw new IllegalArgumentException(params.toString()); + } + + _store = new CollectionStore(((X509CollectionStoreParameters)params).getCollection()); + } + + public Collection engineGetMatches(Selector selector) + { + return _store.getMatches(selector); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCertPairCollection.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCertPairCollection.java new file mode 100644 index 00000000..e67c25ba --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreCertPairCollection.java @@ -0,0 +1,64 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; + +import org.bouncycastle.util.CollectionStore; +import org.bouncycastle.util.Selector; +import org.bouncycastle.x509.X509CollectionStoreParameters; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; + +/** + * This class is a collection based Bouncy Castle + * {@link org.bouncycastle.x509.X509Store} SPI implementation for certificate + * pairs. + * + * @see org.bouncycastle.x509.X509Store + * @see org.bouncycastle.x509.X509CertificatePair + */ +public class X509StoreCertPairCollection extends X509StoreSpi +{ + + private CollectionStore _store; + + public X509StoreCertPairCollection() + { + } + + /** + * Initializes this store. + * + * @param params The {@link X509CollectionStoreParameters}s for this store. + * @throws IllegalArgumentException if <code>params</code> is no instance of + * <code>X509CollectionStoreParameters</code>. + */ + public void engineInit(X509StoreParameters params) + { + if (!(params instanceof X509CollectionStoreParameters)) + { + throw new IllegalArgumentException( + "Initialization parameters must be an instance of " + + X509CollectionStoreParameters.class.getName() + + "."); + } + + _store = new CollectionStore(((X509CollectionStoreParameters)params) + .getCollection()); + } + + /** + * Returns a colelction of certificate pairs which match the given + * <code>selector</code>. + * <p/> + * The returned collection contains + * {@link org.bouncycastle.x509.X509CertificatePair}s. The selector must be + * a {@link org.bouncycastle.x509.X509CertPairStoreSelector} to select + * certificate pairs. + * + * @return A collection with matching certificate pairs. + */ + public Collection engineGetMatches(Selector selector) + { + return _store.getMatches(selector); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPAttrCerts.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPAttrCerts.java new file mode 100644 index 00000000..96baa129 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPAttrCerts.java @@ -0,0 +1,79 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +import org.bouncycastle.jce.X509LDAPCertStoreParameters; +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.StoreException; +import org.bouncycastle.x509.X509AttributeCertStoreSelector; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; +import org.bouncycastle.x509.util.LDAPStoreHelper; + +/** + * A SPI implementation of Bouncy Castle <code>X509Store</code> for getting + * attribute certificates from an LDAP directory. + * + * @see org.bouncycastle.x509.X509Store + */ +public class X509StoreLDAPAttrCerts extends X509StoreSpi +{ + + private LDAPStoreHelper helper; + + public X509StoreLDAPAttrCerts() + { + } + + /** + * Initializes this LDAP attribute cert store implementation. + * + * @param parameters <code>X509LDAPCertStoreParameters</code>. + * @throws IllegalArgumentException if <code>params</code> is not an instance of + * <code>X509LDAPCertStoreParameters</code>. + */ + public void engineInit(X509StoreParameters parameters) + { + if (!(parameters instanceof X509LDAPCertStoreParameters)) + { + throw new IllegalArgumentException( + "Initialization parameters must be an instance of " + + X509LDAPCertStoreParameters.class.getName() + "."); + } + helper = new LDAPStoreHelper((X509LDAPCertStoreParameters)parameters); + } + + /** + * Returns a collection of matching attribute certificates from the LDAP + * location. + * <p/> + * The selector must be a of type + * <code>X509AttributeCertStoreSelector</code>. If it is not an empty + * collection is returned. + * <p/> + * <p/> + * The subject and the serial number should be reasonable criterias for a + * selector. + * + * @param selector The selector to use for finding. + * @return A collection with the matches. + * @throws StoreException if an exception occurs while searching. + */ + public Collection engineGetMatches(Selector selector) throws StoreException + { + if (!(selector instanceof X509AttributeCertStoreSelector)) + { + return Collections.EMPTY_SET; + } + X509AttributeCertStoreSelector xselector = (X509AttributeCertStoreSelector)selector; + Set set = new HashSet(); + set.addAll(helper.getAACertificates(xselector)); + set.addAll(helper.getAttributeCertificateAttributes(xselector)); + set.addAll(helper.getAttributeDescriptorCertificates(xselector)); + return set; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCRLs.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCRLs.java new file mode 100644 index 00000000..5f4dfb48 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCRLs.java @@ -0,0 +1,87 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +import org.bouncycastle.jce.X509LDAPCertStoreParameters; +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.StoreException; +import org.bouncycastle.x509.X509CRLStoreSelector; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; +import org.bouncycastle.x509.util.LDAPStoreHelper; + +/** + * A SPI implementation of Bouncy Castle <code>X509Store</code> for getting + * certificate revocation lists from an LDAP directory. + * + * @see org.bouncycastle.x509.X509Store + */ +public class X509StoreLDAPCRLs extends X509StoreSpi +{ + + private LDAPStoreHelper helper; + + public X509StoreLDAPCRLs() + { + } + + /** + * Initializes this LDAP CRL store implementation. + * + * @param params <code>X509LDAPCertStoreParameters</code>. + * @throws IllegalArgumentException if <code>params</code> is not an instance of + * <code>X509LDAPCertStoreParameters</code>. + */ + public void engineInit(X509StoreParameters params) + { + if (!(params instanceof X509LDAPCertStoreParameters)) + { + throw new IllegalArgumentException( + "Initialization parameters must be an instance of " + + X509LDAPCertStoreParameters.class.getName() + "."); + } + helper = new LDAPStoreHelper((X509LDAPCertStoreParameters)params); + } + + /** + * Returns a collection of matching CRLs from the LDAP location. + * <p/> + * The selector must be a of type <code>X509CRLStoreSelector</code>. If + * it is not an empty collection is returned. + * <p/> + * The issuer should be a reasonable criteria for a selector. + * + * @param selector The selector to use for finding. + * @return A collection with the matches. + * @throws StoreException if an exception occurs while searching. + */ + public Collection engineGetMatches(Selector selector) throws StoreException + { + if (!(selector instanceof X509CRLStoreSelector)) + { + return Collections.EMPTY_SET; + } + X509CRLStoreSelector xselector = (X509CRLStoreSelector)selector; + Set set = new HashSet(); + // test only delta CRLs should be selected + if (xselector.isDeltaCRLIndicatorEnabled()) + { + set.addAll(helper.getDeltaCertificateRevocationLists(xselector)); + } + // nothing specified + else + { + set.addAll(helper.getDeltaCertificateRevocationLists(xselector)); + set.addAll(helper.getAttributeAuthorityRevocationLists(xselector)); + set + .addAll(helper + .getAttributeCertificateRevocationLists(xselector)); + set.addAll(helper.getAuthorityRevocationLists(xselector)); + set.addAll(helper.getCertificateRevocationLists(xselector)); + } + return set; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCertPairs.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCertPairs.java new file mode 100644 index 00000000..f5687d8c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCertPairs.java @@ -0,0 +1,75 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +import org.bouncycastle.jce.X509LDAPCertStoreParameters; +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.StoreException; +import org.bouncycastle.x509.X509CertPairStoreSelector; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; +import org.bouncycastle.x509.util.LDAPStoreHelper; + +/** + * A SPI implementation of Bouncy Castle <code>X509Store</code> for getting + * cross certificates pairs from an LDAP directory. + * + * @see org.bouncycastle.x509.X509Store + */ +public class X509StoreLDAPCertPairs extends X509StoreSpi +{ + + private LDAPStoreHelper helper; + + public X509StoreLDAPCertPairs() + { + } + + /** + * Initializes this LDAP cross certificate pair store implementation. + * + * @param parameters <code>X509LDAPCertStoreParameters</code>. + * @throws IllegalArgumentException if <code>params</code> is not an instance of + * <code>X509LDAPCertStoreParameters</code>. + */ + public void engineInit(X509StoreParameters parameters) + { + if (!(parameters instanceof X509LDAPCertStoreParameters)) + { + throw new IllegalArgumentException( + "Initialization parameters must be an instance of " + + X509LDAPCertStoreParameters.class.getName() + "."); + } + helper = new LDAPStoreHelper((X509LDAPCertStoreParameters)parameters); + } + + /** + * Returns a collection of matching cross certificate pairs from the LDAP + * location. + * <p/> + * The selector must be a of type <code>X509CertPairStoreSelector</code>. + * If it is not an empty collection is returned. + * <p/> + * <p/> + * The subject should be a reasonable criteria for a selector. + * + * @param selector The selector to use for finding. + * @return A collection with the matches. + * @throws StoreException if an exception occurs while searching. + */ + public Collection engineGetMatches(Selector selector) throws StoreException + { + if (!(selector instanceof X509CertPairStoreSelector)) + { + return Collections.EMPTY_SET; + } + X509CertPairStoreSelector xselector = (X509CertPairStoreSelector)selector; + Set set = new HashSet(); + set.addAll(helper.getCrossCertificatePairs(xselector)); + return set; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCerts.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCerts.java new file mode 100644 index 00000000..dd811a17 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/X509StoreLDAPCerts.java @@ -0,0 +1,128 @@ +package org.bouncycastle.jce.provider; + +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Set; + +import org.bouncycastle.jce.X509LDAPCertStoreParameters; +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.StoreException; +import org.bouncycastle.x509.X509CertPairStoreSelector; +import org.bouncycastle.x509.X509CertStoreSelector; +import org.bouncycastle.x509.X509CertificatePair; +import org.bouncycastle.x509.X509StoreParameters; +import org.bouncycastle.x509.X509StoreSpi; +import org.bouncycastle.x509.util.LDAPStoreHelper; + +/** + * A SPI implementation of Bouncy Castle <code>X509Store</code> for getting + * certificates form a LDAP directory. + * + * @see org.bouncycastle.x509.X509Store + */ +public class X509StoreLDAPCerts + extends X509StoreSpi +{ + + private LDAPStoreHelper helper; + + public X509StoreLDAPCerts() + { + } + + /** + * Initializes this LDAP cert store implementation. + * + * @param params <code>X509LDAPCertStoreParameters</code>. + * @throws IllegalArgumentException if <code>params</code> is not an instance of + * <code>X509LDAPCertStoreParameters</code>. + */ + public void engineInit(X509StoreParameters params) + { + if (!(params instanceof X509LDAPCertStoreParameters)) + { + throw new IllegalArgumentException( + "Initialization parameters must be an instance of " + + X509LDAPCertStoreParameters.class.getName() + "."); + } + helper = new LDAPStoreHelper((X509LDAPCertStoreParameters)params); + } + + /** + * Returns a collection of matching certificates from the LDAP location. + * <p/> + * The selector must be a of type <code>X509CertStoreSelector</code>. If + * it is not an empty collection is returned. + * <p/> + * The implementation searches only for CA certificates, if the method + * {@link java.security.cert.X509CertSelector#getBasicConstraints()} is + * greater or equal to 0. If it is -2 only end certificates are searched. + * <p/> + * The subject and the serial number for end certificates should be + * reasonable criterias for a selector. + * + * @param selector The selector to use for finding. + * @return A collection with the matches. + * @throws StoreException if an exception occurs while searching. + */ + public Collection engineGetMatches(Selector selector) throws StoreException + { + if (!(selector instanceof X509CertStoreSelector)) + { + return Collections.EMPTY_SET; + } + X509CertStoreSelector xselector = (X509CertStoreSelector)selector; + Set set = new HashSet(); + // test if only CA certificates should be selected + if (xselector.getBasicConstraints() > 0) + { + set.addAll(helper.getCACertificates(xselector)); + set.addAll(getCertificatesFromCrossCertificatePairs(xselector)); + } + // only end certificates should be selected + else if (xselector.getBasicConstraints() == -2) + { + set.addAll(helper.getUserCertificates(xselector)); + } + // nothing specified + else + { + set.addAll(helper.getUserCertificates(xselector)); + set.addAll(helper.getCACertificates(xselector)); + set.addAll(getCertificatesFromCrossCertificatePairs(xselector)); + } + return set; + } + + private Collection getCertificatesFromCrossCertificatePairs( + X509CertStoreSelector xselector) throws StoreException + { + Set set = new HashSet(); + X509CertPairStoreSelector ps = new X509CertPairStoreSelector(); + + ps.setForwardSelector(xselector); + ps.setReverseSelector(new X509CertStoreSelector()); + + Set crossCerts = new HashSet(helper.getCrossCertificatePairs(ps)); + Set forward = new HashSet(); + Set reverse = new HashSet(); + Iterator it = crossCerts.iterator(); + while (it.hasNext()) + { + X509CertificatePair pair = (X509CertificatePair)it.next(); + if (pair.getForward() != null) + { + forward.add(pair.getForward()); + } + if (pair.getReverse() != null) + { + reverse.add(pair.getReverse()); + } + } + set.addAll(forward); + set.addAll(reverse); + return set; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AESSICTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AESSICTest.java new file mode 100644 index 00000000..61f79959 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AESSICTest.java @@ -0,0 +1,168 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Key; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.RepeatedSecretKeySpec; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * test vectors based on NIST Special Publication 800-38A, + * "Recommendation for Block Cipher Modes of Operation" + */ +public class AESSICTest + extends SimpleTest +{ + private byte[][] keys = + { + Hex.decode("2b7e151628aed2a6abf7158809cf4f3c"), + Hex.decode("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"), + Hex.decode("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4") + }; + + private byte[][] plain = + { + Hex.decode("6bc1bee22e409f96e93d7e117393172a"), + Hex.decode("ae2d8a571e03ac9c9eb76fac45af8e51"), + Hex.decode("30c81c46a35ce411e5fbc1191a0a52ef"), + Hex.decode("f69f2445df4f9b17ad2b417be66c3710") + }; + + private byte[][][] cipher = + { + { + Hex.decode("874d6191b620e3261bef6864990db6ce"), + Hex.decode("9806f66b7970fdff8617187bb9fffdff"), + Hex.decode("5ae4df3edbd5d35e5b4f09020db03eab"), + Hex.decode("1e031dda2fbe03d1792170a0f3009cee") + }, + { + Hex.decode("1abc932417521ca24f2b0459fe7e6e0b"), + Hex.decode("090339ec0aa6faefd5ccc2c6f4ce8e94"), + Hex.decode("1e36b26bd1ebc670d1bd1d665620abf7"), + Hex.decode("4f78a7f6d29809585a97daec58c6b050") + }, + { + Hex.decode("601ec313775789a5b7a7f504bbf3d228"), + Hex.decode("f443e3ca4d62b59aca84e990cacaf5c5"), + Hex.decode("2b0930daa23de94ce87017ba2d84988d"), + Hex.decode("dfc9c58db67aada613c2dd08457941a6") + } + }; + + public String getName() + { + return "AESSIC"; + } + + public void performTest() + throws Exception + { + Cipher c = Cipher.getInstance("AES/SIC/NoPadding", "BC"); + + // + // NIST vectors + // + for (int i = 0; i != keys.length; i++) + { + Key sk = new SecretKeySpec(keys[i], "AES"); + c.init( + Cipher.ENCRYPT_MODE, sk, + new IvParameterSpec(Hex.decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF"))); + + for (int j = 0; j != plain.length; j++) + { + byte[] crypt = c.update(plain[j]); + if (!areEqual(crypt, cipher[i][j])) + { + fail("AESSIC encrypt failed: key " + i + " block " + j); + } + } + + c.init( + Cipher.DECRYPT_MODE, sk, + new IvParameterSpec(Hex.decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF"))); + + for (int j = 0; j != plain.length; j++) + { + byte[] crypt = c.update(cipher[i][j]); + if (!areEqual(crypt, plain[j])) + { + fail("AESSIC decrypt failed: key " + i + " block " + j); + } + } + } + + // + // check CTR also recognised. + // + c = Cipher.getInstance("AES/CTR/NoPadding", "BC"); + + Key sk = new SecretKeySpec(Hex.decode("2B7E151628AED2A6ABF7158809CF4F3C"), "AES"); + + c.init( + Cipher.ENCRYPT_MODE, sk, + new IvParameterSpec(Hex.decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFD0001"))); + + byte[] crypt = c.doFinal(Hex.decode("00000000000000000000000000000000")); + + if (!areEqual(crypt, Hex.decode("D23513162B02D0F72A43A2FE4A5F97AB"))) + { + fail("AESSIC failed test 2"); + } + + // + // check partial block processing + // + c = Cipher.getInstance("AES/CTR/NoPadding", "BC"); + + sk = new SecretKeySpec(Hex.decode("2B7E151628AED2A6ABF7158809CF4F3C"), "AES"); + + c.init( + Cipher.ENCRYPT_MODE, sk, + new IvParameterSpec(Hex.decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFD0001"))); + + crypt = c.doFinal(Hex.decode("12345678")); + + c.init( + Cipher.DECRYPT_MODE, sk, + new IvParameterSpec(Hex.decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFD0001"))); + + crypt = c.doFinal(crypt); + + if (!areEqual(crypt, Hex.decode("12345678"))) + { + fail("AESSIC failed partial test"); + } + + // null key test + sk = new RepeatedSecretKeySpec("AES"); + + c.init( + Cipher.ENCRYPT_MODE, sk, + new IvParameterSpec(Hex.decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF"))); + + for (int j = 0; j != plain.length; j++) + { + crypt = c.update(plain[j]); + if (!areEqual(crypt, cipher[0][j])) + { + fail("AESSIC encrypt failed: key " + 0 + " block " + j); + } + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new AESSICTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AESTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AESTest.java new file mode 100644 index 00000000..b9ea1335 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AESTest.java @@ -0,0 +1,408 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.IOException; +import java.security.Key; +import java.security.Security; + +/** + * basic test class for the AES cipher vectors from FIPS-197 + */ +public class AESTest + extends BaseBlockCipherTest +{ + static String[] cipherTests = + { + "128", + "000102030405060708090a0b0c0d0e0f", + "00112233445566778899aabbccddeeff", + "69c4e0d86a7b0430d8cdb78070b4c55a", + "192", + "000102030405060708090a0b0c0d0e0f1011121314151617", + "00112233445566778899aabbccddeeff", + "dda97ca4864cdfe06eaf70a0ec0d7191", + "256", + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "00112233445566778899aabbccddeeff", + "8ea2b7ca516745bfeafc49904b496089", + }; + + public AESTest() + { + super("AES"); + } + + private void test( + int strength, + byte[] keyBytes, + byte[] input, + byte[] output) + throws Exception + { + Key key; + Cipher in, out; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + key = new SecretKeySpec(keyBytes, "AES"); + + in = Cipher.getInstance("AES/ECB/NoPadding", "BC"); + out = Cipher.getInstance("AES/ECB/NoPadding", "BC"); + + try + { + out.init(Cipher.ENCRYPT_MODE, key); + } + catch (Exception e) + { + fail("AES failed initialisation - " + e.toString(), e); + } + + try + { + in.init(Cipher.DECRYPT_MODE, key); + } + catch (Exception e) + { + fail("AES failed initialisation - " + e.toString(), e); + } + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + try + { + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + } + catch (IOException e) + { + fail("AES failed encryption - " + e.toString(), e); + } + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!areEqual(bytes, output)) + { + fail("AES failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + try + { + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + } + catch (Exception e) + { + fail("AES failed encryption - " + e.toString(), e); + } + + if (!areEqual(bytes, input)) + { + fail("AES failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + } + + private void eaxTest() + throws Exception + { + byte[] K = Hex.decode("233952DEE4D5ED5F9B9C6D6FF80FF478"); + byte[] N = Hex.decode("62EC67F9C3A4A407FCB2A8C49031A8B3"); + byte[] P = Hex.decode("68656c6c6f20776f726c642121"); + byte[] C = Hex.decode("2f9f76cb7659c70e4be11670a3e193ae1bc6b5762a"); + + Key key; + Cipher in, out; + + key = new SecretKeySpec(K, "AES"); + + in = Cipher.getInstance("AES/EAX/NoPadding", "BC"); + out = Cipher.getInstance("AES/EAX/NoPadding", "BC"); + + in.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] enc = in.doFinal(P); + if (!areEqual(enc, C)) + { + fail("ciphertext doesn't match in EAX"); + } + + out.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] dec = out.doFinal(C); + if (!areEqual(dec, P)) + { + fail("plaintext doesn't match in EAX"); + } + + try + { + in = Cipher.getInstance("AES/EAX/PKCS5Padding", "BC"); + + fail("bad padding missed in EAX"); + } + catch (NoSuchPaddingException e) + { + // expected + } + } + + private void ccmTest() + throws Exception + { + byte[] K = Hex.decode("404142434445464748494a4b4c4d4e4f"); + byte[] N = Hex.decode("10111213141516"); + byte[] P = Hex.decode("68656c6c6f20776f726c642121"); + byte[] C = Hex.decode("39264f148b54c456035de0a531c8344f46db12b388"); + + Key key; + Cipher in, out; + + key = new SecretKeySpec(K, "AES"); + + in = Cipher.getInstance("AES/CCM/NoPadding", "BC"); + out = Cipher.getInstance("AES/CCM/NoPadding", "BC"); + + in.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] enc = in.doFinal(P); + if (!areEqual(enc, C)) + { + fail("ciphertext doesn't match in CCM"); + } + + out.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] dec = out.doFinal(C); + if (!areEqual(dec, P)) + { + fail("plaintext doesn't match in CCM"); + } + + try + { + in = Cipher.getInstance("AES/CCM/PKCS5Padding", "BC"); + + fail("bad padding missed in CCM"); + } + catch (NoSuchPaddingException e) + { + // expected + } + } + + private void gcmTest() + throws Exception + { + // Test Case 15 from McGrew/Viega + byte[] K = Hex.decode( + "feffe9928665731c6d6a8f9467308308" + + "feffe9928665731c6d6a8f9467308308"); + byte[] P = Hex.decode( + "d9313225f88406e5a55909c5aff5269a" + + "86a7a9531534f7da2e4c303d8a318a72" + + "1c3c0c95956809532fcf0e2449a6b525" + + "b16aedf5aa0de657ba637b391aafd255"); + byte[] N = Hex.decode("cafebabefacedbaddecaf888"); + String T = "b094dac5d93471bdec1a502270e3cc6c"; + byte[] C = Hex.decode( + "522dc1f099567d07f47f37a32a84427d" + + "643a8cdcbfe5c0c97598a2bd2555d1aa" + + "8cb08e48590dbb3da7b08b1056828838" + + "c5f61e6393ba7a0abcc9f662898015ad" + + T); + + Key key; + Cipher in, out; + + key = new SecretKeySpec(K, "AES"); + + in = Cipher.getInstance("AES/GCM/NoPadding", "BC"); + out = Cipher.getInstance("AES/GCM/NoPadding", "BC"); + + in.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] enc = in.doFinal(P); + if (!areEqual(enc, C)) + { + fail("ciphertext doesn't match in GCM"); + } + + out.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] dec = out.doFinal(C); + if (!areEqual(dec, P)) + { + fail("plaintext doesn't match in GCM"); + } + + try + { + in = Cipher.getInstance("AES/GCM/PKCS5Padding", "BC"); + + fail("bad padding missed in GCM"); + } + catch (NoSuchPaddingException e) + { + // expected + } + } + + private void ocbTest() + throws Exception + { + byte[] K = Hex.decode( + "000102030405060708090A0B0C0D0E0F"); + byte[] P = Hex.decode( + "000102030405060708090A0B0C0D0E0F"); + byte[] N = Hex.decode("000102030405060708090A0B"); + String T = "4CBB3E4BD6B456AF"; + byte[] C = Hex.decode( + "BEA5E8798DBE7110031C144DA0B2612213CC8B747807121A" + T); + + Key key; + Cipher in, out; + + key = new SecretKeySpec(K, "AES"); + + in = Cipher.getInstance("AES/OCB/NoPadding", "BC"); + out = Cipher.getInstance("AES/OCB/NoPadding", "BC"); + + in.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] enc = in.doFinal(P); + if (!areEqual(enc, C)) + { + fail("ciphertext doesn't match in OCB"); + } + + out.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(N)); + + byte[] dec = out.doFinal(C); + if (!areEqual(dec, P)) + { + fail("plaintext doesn't match in OCB"); + } + + try + { + in = Cipher.getInstance("AES/OCB/PKCS5Padding", "BC"); + + fail("bad padding missed in OCB"); + } + catch (NoSuchPaddingException e) + { + // expected + } + } + + public void performTest() + throws Exception + { + for (int i = 0; i != cipherTests.length; i += 4) + { + test(Integer.parseInt(cipherTests[i]), + Hex.decode(cipherTests[i + 1]), + Hex.decode(cipherTests[i + 2]), + Hex.decode(cipherTests[i + 3])); + } + + byte[] kek1 = Hex.decode("000102030405060708090a0b0c0d0e0f"); + byte[] in1 = Hex.decode("00112233445566778899aabbccddeeff"); + byte[] out1 = Hex.decode("1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5"); + + wrapTest(1, "AESWrap", kek1, in1, out1); + + String[] oids = { + NISTObjectIdentifiers.id_aes128_ECB.getId(), + NISTObjectIdentifiers.id_aes128_CBC.getId(), + NISTObjectIdentifiers.id_aes128_OFB.getId(), + NISTObjectIdentifiers.id_aes128_CFB.getId(), + NISTObjectIdentifiers.id_aes192_ECB.getId(), + NISTObjectIdentifiers.id_aes192_CBC.getId(), + NISTObjectIdentifiers.id_aes192_OFB.getId(), + NISTObjectIdentifiers.id_aes192_CFB.getId(), + NISTObjectIdentifiers.id_aes256_ECB.getId(), + NISTObjectIdentifiers.id_aes256_CBC.getId(), + NISTObjectIdentifiers.id_aes256_OFB.getId(), + NISTObjectIdentifiers.id_aes256_CFB.getId() + }; + + String[] names = { + "AES/ECB/PKCS7Padding", + "AES/CBC/PKCS7Padding", + "AES/OFB/NoPadding", + "AES/CFB/NoPadding", + "AES/ECB/PKCS7Padding", + "AES/CBC/PKCS7Padding", + "AES/OFB/NoPadding", + "AES/CFB/NoPadding", + "AES/ECB/PKCS7Padding", + "AES/CBC/PKCS7Padding", + "AES/OFB/NoPadding", + "AES/CFB/NoPadding" + }; + + oidTest(oids, names, 4); + + + String[] wrapOids = { + NISTObjectIdentifiers.id_aes128_wrap.getId(), + NISTObjectIdentifiers.id_aes192_wrap.getId(), + NISTObjectIdentifiers.id_aes256_wrap.getId() + }; + + wrapOidTest(wrapOids, "AESWrap"); + + eaxTest(); + ccmTest(); + gcmTest(); + ocbTest(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new AESTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AlgorithmParametersTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AlgorithmParametersTest.java new file mode 100644 index 00000000..72f38854 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AlgorithmParametersTest.java @@ -0,0 +1,110 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + +import java.io.IOException; +import java.security.AlgorithmParameters; +import java.security.Security; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.DSAParameterSpec; +import java.security.spec.InvalidParameterSpecException; + +public class AlgorithmParametersTest + extends SimpleTest +{ + private byte[] dsaParams = Base64.decode( + "MIGcAkEAjfKklEkidqo9JXWbsGhpy+rA2Dr7jQz3y7gyTw14guXQdi/FtyEOr8Lprawyq3qsSWk9+/g3J" + + "MLsBzbuMcgCkQIVAMdzIYxzfsjumTtPLe0w9I7azpFfAkBP3Z9K7oNeZMXEXYpqvrMUgVdFjq4lnWJoV8" + + "Rwe+TERStHTkqSO7sp0lq7EEggVMcuXtarKNsxaJ+qyYv/n1t6"); + + private void basicTest(String algorithm, Class algorithmParameterSpec, byte[] asn1Encoded) + throws Exception + { + AlgorithmParameters alg = AlgorithmParameters.getInstance(algorithm, "BC"); + + alg.init(asn1Encoded); + + try + { + alg.init(asn1Encoded); + fail("encoded re-initialization not detected"); + } + catch (IOException e) + { + // expected already initialized + } + + AlgorithmParameterSpec spec = alg.getParameterSpec(algorithmParameterSpec); + + try + { + alg.init(spec); + fail("spec re-initialization not detected"); + } + catch (InvalidParameterSpecException e) + { + // expected already initialized + } + + try + { + spec = alg.getParameterSpec(AlgorithmParameterSpec.class); + fail("wrong spec not detected"); + } + catch (InvalidParameterSpecException e) + { + // expected unknown object + } + + try + { + spec = alg.getParameterSpec(null); + fail("null spec not detected"); + } + catch (NullPointerException e) + { + // expected unknown object + } + + alg = AlgorithmParameters.getInstance(algorithm, "BC"); + + alg.init(asn1Encoded, "ASN.1"); + + alg = AlgorithmParameters.getInstance(algorithm, "BC"); + + alg.init(asn1Encoded, null); + + alg = AlgorithmParameters.getInstance(algorithm, "BC"); + + try + { + alg.init(asn1Encoded, "FRED"); + fail("unknown spec not detected"); + } + catch (IOException e) + { + // expected already initialized + } + } + + public void performTest() + throws Exception + { + basicTest("DSA", DSAParameterSpec.class, dsaParams); + } + + public String getName() + { + return "AlgorithmParameters"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new AlgorithmParametersTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AllTests.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AllTests.java new file mode 100644 index 00000000..34767457 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AllTests.java @@ -0,0 +1,53 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Security; + +import junit.framework.Test; +import junit.framework.TestCase; +import junit.framework.TestSuite; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.provider.test.rsa3.RSA3CertTest; +import org.bouncycastle.util.test.SimpleTestResult; + +public class AllTests + extends TestCase +{ + public void testJCE() + { + org.bouncycastle.util.test.Test[] tests = RegressionTest.tests; + + for (int i = 0; i != tests.length; i++) + { + SimpleTestResult result = (SimpleTestResult)tests[i].perform(); + + if (!result.isSuccessful()) + { + if (result.getException() != null) + { + result.getException().printStackTrace(); + } + fail(result.toString()); + } + } + } + + public static void main (String[] args) + { + junit.textui.TestRunner.run(suite()); + } + + public static Test suite() + { + TestSuite suite = new TestSuite("JCE Tests"); + + if (Security.getProvider("BC") == null) + { + Security.addProvider(new BouncyCastleProvider()); + } + + suite.addTestSuite(RSA3CertTest.class); + suite.addTestSuite(AllTests.class); + + return suite; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AttrCertSelectorTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AttrCertSelectorTest.java new file mode 100644 index 00000000..cc556d4f --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AttrCertSelectorTest.java @@ -0,0 +1,241 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.PrivateKey; +import java.security.Security; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.util.Date; + +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.Target; +import org.bouncycastle.asn1.x509.TargetInformation; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.PrincipalUtil; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; +import org.bouncycastle.x509.AttributeCertificateHolder; +import org.bouncycastle.x509.AttributeCertificateIssuer; +import org.bouncycastle.x509.X509Attribute; +import org.bouncycastle.x509.X509AttributeCertStoreSelector; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509V2AttributeCertificateGenerator; + +public class AttrCertSelectorTest + extends SimpleTest +{ + + static final RSAPrivateCrtKeySpec RSA_PRIVATE_KEY_SPEC = new RSAPrivateCrtKeySpec( + new BigInteger( + "b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", + 16), + new BigInteger("11", 16), + new BigInteger( + "9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", + 16), new BigInteger( + "c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", + 16), new BigInteger( + "f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", + 16), new BigInteger( + "b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", + 16), new BigInteger( + "d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", + 16), new BigInteger( + "b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", + 16)); + + static final byte[] holderCert = Base64 + .decode("MIIGjTCCBXWgAwIBAgICAPswDQYJKoZIhvcNAQEEBQAwaTEdMBsGCSqGSIb3DQEJ" + + "ARYOaXJtaGVscEB2dC5lZHUxLjAsBgNVBAMTJVZpcmdpbmlhIFRlY2ggQ2VydGlm" + + "aWNhdGlvbiBBdXRob3JpdHkxCzAJBgNVBAoTAnZ0MQswCQYDVQQGEwJVUzAeFw0w" + + "MzAxMzExMzUyMTRaFw0wNDAxMzExMzUyMTRaMIGDMRswGQYJKoZIhvcNAQkBFgxz" + + "c2hhaEB2dC5lZHUxGzAZBgNVBAMTElN1bWl0IFNoYWggKHNzaGFoKTEbMBkGA1UE" + + "CxMSVmlyZ2luaWEgVGVjaCBVc2VyMRAwDgYDVQQLEwdDbGFzcyAxMQswCQYDVQQK" + + "EwJ2dDELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPDc" + + "scgSKmsEp0VegFkuitD5j5PUkDuzLjlfaYONt2SN8WeqU4j2qtlCnsipa128cyKS" + + "JzYe9duUdNxquh5BPIkMkHBw4jHoQA33tk0J/sydWdN74/AHPpPieK5GHwhU7GTG" + + "rCCS1PJRxjXqse79ExAlul+gjQwHeldAC+d4A6oZAgMBAAGjggOmMIIDojAMBgNV" + + "HRMBAf8EAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAOBgNVHQ8BAf8EBAMCA/gwHQYD" + + "VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBRUIoWAzlXbzBYE" + + "yVTjQFWyMMKo1jCBkwYDVR0jBIGLMIGIgBTgc3Fm+TGqKDhen+oKfbl+xVbj2KFt" + + "pGswaTEdMBsGCSqGSIb3DQEJARYOaXJtaGVscEB2dC5lZHUxLjAsBgNVBAMTJVZp" + + "cmdpbmlhIFRlY2ggQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxCzAJBgNVBAoTAnZ0" + + "MQswCQYDVQQGEwJVU4IBADCBiwYJYIZIAYb4QgENBH4WfFZpcmdpbmlhIFRlY2gg" + + "Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgZGlnaXRhbCBjZXJ0aWZpY2F0ZXMgYXJl" + + "IHN1YmplY3QgdG8gcG9saWNpZXMgbG9jYXRlZCBhdCBodHRwOi8vd3d3LnBraS52" + + "dC5lZHUvY2EvY3BzLy4wFwYDVR0RBBAwDoEMc3NoYWhAdnQuZWR1MBkGA1UdEgQS" + + "MBCBDmlybWhlbHBAdnQuZWR1MEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcwAoYn" + + "aHR0cDovL2JveDE3Ny5jYy52dC5lZHUvY2EvaXNzdWVycy5odG1sMEQGA1UdHwQ9" + + "MDswOaA3oDWGM2h0dHA6Ly9ib3gxNzcuY2MudnQuZWR1L2h0ZG9jcy1wdWJsaWMv" + + "Y3JsL2NhY3JsLmNybDBUBgNVHSAETTBLMA0GCysGAQQBtGgFAQEBMDoGCysGAQQB" + + "tGgFAQEBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cucGtpLnZ0LmVkdS9jYS9j" + + "cHMvMD8GCWCGSAGG+EIBBAQyFjBodHRwOi8vYm94MTc3LmNjLnZ0LmVkdS9jZ2kt" + + "cHVibGljL2NoZWNrX3Jldl9jYT8wPAYJYIZIAYb4QgEDBC8WLWh0dHA6Ly9ib3gx" + + "NzcuY2MudnQuZWR1L2NnaS1wdWJsaWMvY2hlY2tfcmV2PzBLBglghkgBhvhCAQcE" + + "PhY8aHR0cHM6Ly9ib3gxNzcuY2MudnQuZWR1L35PcGVuQ0E4LjAxMDYzMC9jZ2kt" + + "cHVibGljL3JlbmV3YWw/MCwGCWCGSAGG+EIBCAQfFh1odHRwOi8vd3d3LnBraS52" + + "dC5lZHUvY2EvY3BzLzANBgkqhkiG9w0BAQQFAAOCAQEAHJ2ls9yjpZVcu5DqiE67" + + "r7BfkdMnm7IOj2v8cd4EAlPp6OPBmjwDMwvKRBb/P733kLBqFNWXWKTpT008R0KB" + + "8kehbx4h0UPz9vp31zhGv169+5iReQUUQSIwTGNWGLzrT8kPdvxiSAvdAJxcbRBm" + + "KzDic5I8PoGe48kSCkPpT1oNmnivmcu5j1SMvlx0IS2BkFMksr0OHiAW1elSnE/N" + + "RuX2k73b3FucwVxB3NRo3vgoHPCTnh9r4qItAHdxFlF+pPtbw2oHESKRfMRfOIHz" + + "CLQWSIa6Tvg4NIV3RRJ0sbCObesyg08lymalQMdkXwtRn5eGE00SHWwEUjSXP2gR" + + "3g=="); + + public String getName() + { + return "AttrCertSelector"; + } + + private X509AttributeCertificate createAttrCert() throws Exception + { + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + X509Certificate iCert = (X509Certificate) fact + .generateCertificate(new ByteArrayInputStream(holderCert)); + + // + // a sample key pair. + // + // RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + // new BigInteger( + // "b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", + // 16), new BigInteger("11", 16)); + + // + // set up the keys + // + PrivateKey privKey; + + KeyFactory kFact = KeyFactory.getInstance("RSA", "BC"); + + privKey = kFact.generatePrivate(RSA_PRIVATE_KEY_SPEC); + + X509V2AttributeCertificateGenerator gen = new X509V2AttributeCertificateGenerator(); + + // the actual attributes + GeneralName roleName = new GeneralName(GeneralName.rfc822Name, + "DAU123456789@test.com"); + ASN1EncodableVector roleSyntax = new ASN1EncodableVector(); + roleSyntax.add(roleName); + + // roleSyntax OID: 2.5.24.72 + X509Attribute attributes = new X509Attribute("2.5.24.72", + new DERSequence(roleSyntax)); + + gen.addAttribute(attributes); + gen.setHolder(new AttributeCertificateHolder(PrincipalUtil.getSubjectX509Principal(iCert))); + gen.setIssuer(new AttributeCertificateIssuer(new X509Principal( + "cn=test"))); + gen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + gen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + gen.setSerialNumber(BigInteger.valueOf(1)); + gen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + + Target targetName = new Target(Target.targetName, new GeneralName(GeneralName.dNSName, + "www.test.com")); + + Target targetGroup = new Target(Target.targetGroup, new GeneralName( + GeneralName.directoryName, "o=Test, ou=Test")); + Target[] targets = new Target[2]; + targets[0] = targetName; + targets[1] = targetGroup; + TargetInformation targetInformation = new TargetInformation(targets); + gen.addExtension(X509Extensions.TargetInformation.getId(), true, + targetInformation); + + return gen.generate(privKey, "BC"); + } + + public void testSelector() throws Exception + { + X509AttributeCertificate aCert = createAttrCert(); + X509AttributeCertStoreSelector sel = new X509AttributeCertStoreSelector(); + sel.setAttributeCert(aCert); + boolean match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate."); + } + sel.setAttributeCert(null); + match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate."); + } + sel.setHolder(aCert.getHolder()); + match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate holder."); + } + sel.setHolder(null); + sel.setIssuer(aCert.getIssuer()); + match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate issuer."); + } + sel.setIssuer(null); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + X509Certificate iCert = (X509Certificate) fact + .generateCertificate(new ByteArrayInputStream(holderCert)); + match = aCert.getHolder().match(iCert); + if (!match) + { + fail("Issuer holder does not match signing certificate of attribute certificate."); + } + + sel.setSerialNumber(aCert.getSerialNumber()); + match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate serial number."); + } + + sel.setAttributeCertificateValid(new Date()); + match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate time."); + } + + sel.addTargetName(new GeneralName(2, "www.test.com")); + match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate target name."); + } + sel.setTargetNames(null); + sel.addTargetGroup(new GeneralName(4, "o=Test, ou=Test")); + match = sel.match(aCert); + if (!match) + { + fail("Selector does not match attribute certificate target group."); + } + sel.setTargetGroups(null); + } + + public void performTest() throws Exception + { + Security.addProvider(new BouncyCastleProvider()); + testSelector(); + } + + public static void main(String[] args) + { + Test test = new AttrCertSelectorTest(); + TestResult result = test.perform(); + System.out.println(result); + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AttrCertTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AttrCertTest.java new file mode 100644 index 00000000..416ba499 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/AttrCertTest.java @@ -0,0 +1,634 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.Principal; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.X509Certificate; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Date; +import java.util.List; +import java.util.Set; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1String; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.AttributeCertificateHolder; +import org.bouncycastle.x509.AttributeCertificateIssuer; +import org.bouncycastle.x509.X509Attribute; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509V2AttributeCertificate; +import org.bouncycastle.x509.X509V2AttributeCertificateGenerator; +import org.bouncycastle.x509.extension.X509ExtensionUtil; + +public class AttrCertTest + extends SimpleTest +{ + private static final RSAPrivateCrtKeySpec RSA_PRIVATE_KEY_SPEC = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + public static byte[] attrCert = Base64.decode( + "MIIHQDCCBqkCAQEwgZChgY2kgYowgYcxHDAaBgkqhkiG9w0BCQEWDW1sb3JjaEB2" + + "dC5lZHUxHjAcBgNVBAMTFU1hcmt1cyBMb3JjaCAobWxvcmNoKTEbMBkGA1UECxMS" + + "VmlyZ2luaWEgVGVjaCBVc2VyMRAwDgYDVQQLEwdDbGFzcyAyMQswCQYDVQQKEwJ2" + + "dDELMAkGA1UEBhMCVVMwgYmkgYYwgYMxGzAZBgkqhkiG9w0BCQEWDHNzaGFoQHZ0" + + "LmVkdTEbMBkGA1UEAxMSU3VtaXQgU2hhaCAoc3NoYWgpMRswGQYDVQQLExJWaXJn" + + "aW5pYSBUZWNoIFVzZXIxEDAOBgNVBAsTB0NsYXNzIDExCzAJBgNVBAoTAnZ0MQsw" + + "CQYDVQQGEwJVUzANBgkqhkiG9w0BAQQFAAIBBTAiGA8yMDAzMDcxODE2MDgwMloY" + + "DzIwMDMwNzI1MTYwODAyWjCCBU0wggVJBgorBgEEAbRoCAEBMYIFORaCBTU8UnVs" + + "ZSBSdWxlSWQ9IkZpbGUtUHJpdmlsZWdlLVJ1bGUiIEVmZmVjdD0iUGVybWl0Ij4K" + + "IDxUYXJnZXQ+CiAgPFN1YmplY3RzPgogICA8U3ViamVjdD4KICAgIDxTdWJqZWN0" + + "TWF0Y2ggTWF0Y2hJZD0idXJuOm9hc2lzOm5hbWVzOnRjOnhhY21sOjEuMDpmdW5j" + + "dGlvbjpzdHJpbmctZXF1YWwiPgogICAgIDxBdHRyaWJ1dGVWYWx1ZSBEYXRhVHlw" + + "ZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEjc3RyaW5nIj4KICAg" + + "ICAgIENOPU1hcmt1cyBMb3JjaDwvQXR0cmlidXRlVmFsdWU+CiAgICAgPFN1Ympl" + + "Y3RBdHRyaWJ1dGVEZXNpZ25hdG9yIEF0dHJpYnV0ZUlkPSJ1cm46b2FzaXM6bmFt" + + "ZXM6dGM6eGFjbWw6MS4wOnN1YmplY3Q6c3ViamVjdC1pZCIgRGF0YVR5cGU9Imh0" + + "dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hI3N0cmluZyIgLz4gCiAgICA8" + + "L1N1YmplY3RNYXRjaD4KICAgPC9TdWJqZWN0PgogIDwvU3ViamVjdHM+CiAgPFJl" + + "c291cmNlcz4KICAgPFJlc291cmNlPgogICAgPFJlc291cmNlTWF0Y2ggTWF0Y2hJ" + + "ZD0idXJuOm9hc2lzOm5hbWVzOnRjOnhhY21sOjEuMDpmdW5jdGlvbjpzdHJpbmct" + + "ZXF1YWwiPgogICAgIDxBdHRyaWJ1dGVWYWx1ZSBEYXRhVHlwZT0iaHR0cDovL3d3" + + "dy53My5vcmcvMjAwMS9YTUxTY2hlbWEjYW55VVJJIj4KICAgICAgaHR0cDovL3p1" + + "bmkuY3MudnQuZWR1PC9BdHRyaWJ1dGVWYWx1ZT4KICAgICA8UmVzb3VyY2VBdHRy" + + "aWJ1dGVEZXNpZ25hdG9yIEF0dHJpYnV0ZUlkPSJ1cm46b2FzaXM6bmFtZXM6dGM6" + + "eGFjbWw6MS4wOnJlc291cmNlOnJlc291cmNlLWlkIiBEYXRhVHlwZT0iaHR0cDov" + + "L3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEjYW55VVJJIiAvPiAKICAgIDwvUmVz" + + "b3VyY2VNYXRjaD4KICAgPC9SZXNvdXJjZT4KICA8L1Jlc291cmNlcz4KICA8QWN0" + + "aW9ucz4KICAgPEFjdGlvbj4KICAgIDxBY3Rpb25NYXRjaCBNYXRjaElkPSJ1cm46" + + "b2FzaXM6bmFtZXM6dGM6eGFjbWw6MS4wOmZ1bmN0aW9uOnN0cmluZy1lcXVhbCI+" + + "CiAgICAgPEF0dHJpYnV0ZVZhbHVlIERhdGFUeXBlPSJodHRwOi8vd3d3LnczLm9y" + + "Zy8yMDAxL1hNTFNjaGVtYSNzdHJpbmciPgpEZWxlZ2F0ZSBBY2Nlc3MgICAgIDwv" + + "QXR0cmlidXRlVmFsdWU+CgkgIDxBY3Rpb25BdHRyaWJ1dGVEZXNpZ25hdG9yIEF0" + + "dHJpYnV0ZUlkPSJ1cm46b2FzaXM6bmFtZXM6dGM6eGFjbWw6MS4wOmFjdGlvbjph" + + "Y3Rpb24taWQiIERhdGFUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNj" + + "aGVtYSNzdHJpbmciIC8+IAogICAgPC9BY3Rpb25NYXRjaD4KICAgPC9BY3Rpb24+" + + "CiAgPC9BY3Rpb25zPgogPC9UYXJnZXQ+CjwvUnVsZT4KMA0GCSqGSIb3DQEBBAUA" + + "A4GBAGiJSM48XsY90HlYxGmGVSmNR6ZW2As+bot3KAfiCIkUIOAqhcphBS23egTr" + + "6asYwy151HshbPNYz+Cgeqs45KkVzh7bL/0e1r8sDVIaaGIkjHK3CqBABnfSayr3" + + "Rd1yBoDdEv8Qb+3eEPH6ab9021AsLEnJ6LWTmybbOpMNZ3tv"); + + byte[] signCert = Base64.decode( + "MIIGjTCCBXWgAwIBAgICAPswDQYJKoZIhvcNAQEEBQAwaTEdMBsGCSqGSIb3DQEJ" + + "ARYOaXJtaGVscEB2dC5lZHUxLjAsBgNVBAMTJVZpcmdpbmlhIFRlY2ggQ2VydGlm" + + "aWNhdGlvbiBBdXRob3JpdHkxCzAJBgNVBAoTAnZ0MQswCQYDVQQGEwJVUzAeFw0w" + + "MzAxMzExMzUyMTRaFw0wNDAxMzExMzUyMTRaMIGDMRswGQYJKoZIhvcNAQkBFgxz" + + "c2hhaEB2dC5lZHUxGzAZBgNVBAMTElN1bWl0IFNoYWggKHNzaGFoKTEbMBkGA1UE" + + "CxMSVmlyZ2luaWEgVGVjaCBVc2VyMRAwDgYDVQQLEwdDbGFzcyAxMQswCQYDVQQK" + + "EwJ2dDELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPDc" + + "scgSKmsEp0VegFkuitD5j5PUkDuzLjlfaYONt2SN8WeqU4j2qtlCnsipa128cyKS" + + "JzYe9duUdNxquh5BPIkMkHBw4jHoQA33tk0J/sydWdN74/AHPpPieK5GHwhU7GTG" + + "rCCS1PJRxjXqse79ExAlul+gjQwHeldAC+d4A6oZAgMBAAGjggOmMIIDojAMBgNV" + + "HRMBAf8EAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAOBgNVHQ8BAf8EBAMCA/gwHQYD" + + "VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBRUIoWAzlXbzBYE" + + "yVTjQFWyMMKo1jCBkwYDVR0jBIGLMIGIgBTgc3Fm+TGqKDhen+oKfbl+xVbj2KFt" + + "pGswaTEdMBsGCSqGSIb3DQEJARYOaXJtaGVscEB2dC5lZHUxLjAsBgNVBAMTJVZp" + + "cmdpbmlhIFRlY2ggQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxCzAJBgNVBAoTAnZ0" + + "MQswCQYDVQQGEwJVU4IBADCBiwYJYIZIAYb4QgENBH4WfFZpcmdpbmlhIFRlY2gg" + + "Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgZGlnaXRhbCBjZXJ0aWZpY2F0ZXMgYXJl" + + "IHN1YmplY3QgdG8gcG9saWNpZXMgbG9jYXRlZCBhdCBodHRwOi8vd3d3LnBraS52" + + "dC5lZHUvY2EvY3BzLy4wFwYDVR0RBBAwDoEMc3NoYWhAdnQuZWR1MBkGA1UdEgQS" + + "MBCBDmlybWhlbHBAdnQuZWR1MEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcwAoYn" + + "aHR0cDovL2JveDE3Ny5jYy52dC5lZHUvY2EvaXNzdWVycy5odG1sMEQGA1UdHwQ9" + + "MDswOaA3oDWGM2h0dHA6Ly9ib3gxNzcuY2MudnQuZWR1L2h0ZG9jcy1wdWJsaWMv" + + "Y3JsL2NhY3JsLmNybDBUBgNVHSAETTBLMA0GCysGAQQBtGgFAQEBMDoGCysGAQQB" + + "tGgFAQEBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cucGtpLnZ0LmVkdS9jYS9j" + + "cHMvMD8GCWCGSAGG+EIBBAQyFjBodHRwOi8vYm94MTc3LmNjLnZ0LmVkdS9jZ2kt" + + "cHVibGljL2NoZWNrX3Jldl9jYT8wPAYJYIZIAYb4QgEDBC8WLWh0dHA6Ly9ib3gx" + + "NzcuY2MudnQuZWR1L2NnaS1wdWJsaWMvY2hlY2tfcmV2PzBLBglghkgBhvhCAQcE" + + "PhY8aHR0cHM6Ly9ib3gxNzcuY2MudnQuZWR1L35PcGVuQ0E4LjAxMDYzMC9jZ2kt" + + "cHVibGljL3JlbmV3YWw/MCwGCWCGSAGG+EIBCAQfFh1odHRwOi8vd3d3LnBraS52" + + "dC5lZHUvY2EvY3BzLzANBgkqhkiG9w0BAQQFAAOCAQEAHJ2ls9yjpZVcu5DqiE67" + + "r7BfkdMnm7IOj2v8cd4EAlPp6OPBmjwDMwvKRBb/P733kLBqFNWXWKTpT008R0KB" + + "8kehbx4h0UPz9vp31zhGv169+5iReQUUQSIwTGNWGLzrT8kPdvxiSAvdAJxcbRBm" + + "KzDic5I8PoGe48kSCkPpT1oNmnivmcu5j1SMvlx0IS2BkFMksr0OHiAW1elSnE/N" + + "RuX2k73b3FucwVxB3NRo3vgoHPCTnh9r4qItAHdxFlF+pPtbw2oHESKRfMRfOIHz" + + "CLQWSIa6Tvg4NIV3RRJ0sbCObesyg08lymalQMdkXwtRn5eGE00SHWwEUjSXP2gR" + + "3g=="); + + static byte[] certWithBaseCertificateID = Base64.decode( + "MIIBqzCCARQCAQEwSKBGMD6kPDA6MQswCQYDVQQGEwJJVDEOMAwGA1UEChMFVU5JVE4xDDAKBgNV" + + "BAsTA0RJVDENMAsGA1UEAxMEcm9vdAIEAVMVjqB6MHikdjB0MQswCQYDVQQGEwJBVTEoMCYGA1UE" + + "ChMfVGhlIExlZ2lvbiBvZiB0aGUgQm91bmN5IENhc3RsZTEjMCEGA1UECxMaQm91bmN5IFByaW1h" + + "cnkgQ2VydGlmaWNhdGUxFjAUBgNVBAMTDUJvdW5jeSBDYXN0bGUwDQYJKoZIhvcNAQEFBQACBQKW" + + "RhnHMCIYDzIwMDUxMjEyMTIwMDQyWhgPMjAwNTEyMTkxMjAxMzJaMA8wDQYDVRhIMQaBBGVWSVAw" + + "DQYJKoZIhvcNAQEFBQADgYEAUAVin9StDaA+InxtXq/av6rUQLI9p1X6louBcj4kYJnxRvTrHpsr" + + "N3+i9Uq/uk5lRdAqmPFvcmSbuE3TRAsjrXON5uFiBBKZ1AouLqcr8nHbwcdwjJ9TyUNO9I4hfpSH" + + "UHHXMtBKgp4MOkhhX8xTGyWg3hp23d3GaUeg/IYlXBI="); + + byte[] holderCertWithBaseCertificateID = Base64.decode( + "MIIBwDCCASmgAwIBAgIEAVMVjjANBgkqhkiG9w0BAQUFADA6MQswCQYDVQQGEwJJVDEOMAwGA1UE" + + "ChMFVU5JVE4xDDAKBgNVBAsTA0RJVDENMAsGA1UEAxMEcm9vdDAeFw0wNTExMTExMjAxMzJaFw0w" + + "NjA2MTYxMjAxMzJaMD4xCzAJBgNVBAYTAklUMQ4wDAYDVQQKEwVVTklUTjEMMAoGA1UECxMDRElU" + + "MREwDwYDVQQDEwhMdWNhQm9yejBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQC0p+RhcFdPFqlwgrIr" + + "5YtqKmKXmEGb4ShypL26Ymz66ZAPdqv7EhOdzl3lZWT6srZUMWWgQMYGiHQg4z2R7X7XAgERoxUw" + + "EzARBglghkgBhvhCAQEEBAMCBDAwDQYJKoZIhvcNAQEFBQADgYEAsX50VPQQCWmHvPq9y9DeCpmS" + + "4szcpFAhpZyn6gYRwY9CRZVtmZKH8713XhkGDWcIEMcG0u3oTz3tdKgPU5uyIPrDEWr6w8ClUj4x" + + "5aVz5c2223+dVY7KES//JSB2bE/KCIchN3kAioQ4K8O3e0OL6oDVjsqKGw5bfahgKuSIk/Q="); + + + public String getName() + { + return "AttrCertTest"; + } + + private void testCertWithBaseCertificateID() + throws Exception + { + X509AttributeCertificate attrCert = new X509V2AttributeCertificate(certWithBaseCertificateID); + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + X509Certificate cert = (X509Certificate)fact.generateCertificate(new ByteArrayInputStream(holderCertWithBaseCertificateID)); + + AttributeCertificateHolder holder = attrCert.getHolder(); + + if (holder.getEntityNames() != null) + { + fail("entity names set when none expected"); + } + + if (!holder.getSerialNumber().equals(cert.getSerialNumber())) + { + fail("holder serial number doesn't match"); + } + + if (!holder.getIssuer()[0].equals(cert.getIssuerX500Principal())) + { + fail("holder issuer doesn't match"); + } + + if (!holder.match(cert)) + { + fail("holder not matching holder certificate"); + } + + if (!holder.equals(holder.clone())) + { + fail("holder clone test failed"); + } + + if (!attrCert.getIssuer().equals(attrCert.getIssuer().clone())) + { + fail("issuer clone test failed"); + } + + //equalityAndHashCodeTest(attrCert, certWithBaseCertificateID); + } + + private void equalityAndHashCodeTest(X509AttributeCertificate attrCert, byte[] encoding) + throws IOException + { + if (!attrCert.equals(attrCert)) + { + fail("same certificate not equal"); + } + + if (!attrCert.getHolder().equals(attrCert.getHolder())) + { + fail("same holder not equal"); + } + + if (!attrCert.getIssuer().equals(attrCert.getIssuer())) + { + fail("same issuer not equal"); + } + + if (attrCert.getHolder().equals(attrCert.getIssuer())) + { + fail("wrong holder equal"); + } + + if (attrCert.getIssuer().equals(attrCert.getHolder())) + { + fail("wrong issuer equal"); + } + + X509AttributeCertificate attrCert2 = new X509V2AttributeCertificate(encoding); + + if (attrCert2.getHolder().hashCode() != attrCert.getHolder().hashCode()) + { + fail("holder hashCode test failed"); + } + + if (!attrCert2.getHolder().equals(attrCert.getHolder())) + { + fail("holder equals test failed"); + } + + if (attrCert2.getIssuer().hashCode() != attrCert.getIssuer().hashCode()) + { + fail("issuer hashCode test failed"); + } + + if (!attrCert2.getIssuer().equals(attrCert.getIssuer())) + { + fail("issuer equals test failed"); + } + } + + private void testGenerateWithCert() + throws Exception + { + CertificateFactory fact = CertificateFactory.getInstance("X.509","BC"); + X509Certificate iCert = (X509Certificate)fact.generateCertificate(new ByteArrayInputStream(signCert)); + + // + // a sample key pair. + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory kFact = KeyFactory.getInstance("RSA", "BC"); + + privKey = kFact.generatePrivate(RSA_PRIVATE_KEY_SPEC); + pubKey = kFact.generatePublic(pubKeySpec); + + X509V2AttributeCertificateGenerator gen = new X509V2AttributeCertificateGenerator(); + + // the actual attributes + GeneralName roleName = new GeneralName(GeneralName.rfc822Name, "DAU123456789"); + ASN1EncodableVector roleSyntax = new ASN1EncodableVector(); + roleSyntax.add(roleName); + + // roleSyntax OID: 2.5.24.72 + X509Attribute attributes = new X509Attribute("2.5.24.72", + new DERSequence(roleSyntax)); + + gen.addAttribute(attributes); + gen.setHolder(new AttributeCertificateHolder(iCert)); + gen.setIssuer(new AttributeCertificateIssuer(new X509Principal("cn=test"))); + gen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + gen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + gen.setSerialNumber(BigInteger.ONE); + gen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + + X509AttributeCertificate aCert = gen.generate(privKey, "BC"); + + aCert.checkValidity(); + + aCert.verify(pubKey, "BC"); + + AttributeCertificateHolder holder = aCert.getHolder(); + + if (holder.getEntityNames() != null) + { + fail("entity names set when none expected"); + } + + if (!holder.getSerialNumber().equals(iCert.getSerialNumber())) + { + fail("holder serial number doesn't match"); + } + + if (!holder.getIssuer()[0].equals(iCert.getIssuerX500Principal())) + { + fail("holder issuer doesn't match"); + } + + if (!holder.match(iCert)) + { + fail("generated holder not matching holder certificate"); + } + + X509Attribute[] attrs = aCert.getAttributes("2.5.24.72"); + + if (attrs == null) + { + fail("attributes related to 2.5.24.72 not found"); + } + + X509Attribute attr = attrs[0]; + + if (!attr.getOID().equals("2.5.24.72")) + { + fail("attribute oid mismatch"); + } + + ASN1Encodable[] values = attr.getValues(); + + GeneralName role = GeneralNames.getInstance(values[0]).getNames()[0]; + + if (role.getTagNo() != GeneralName.rfc822Name) + { + fail("wrong general name type found in role"); + } + + if (!((ASN1String)role.getName()).getString().equals("DAU123456789")) + { + fail("wrong general name value found in role"); + } + + X509Certificate sCert = (X509Certificate)fact.generateCertificate(new ByteArrayInputStream(holderCertWithBaseCertificateID)); + + if (holder.match(sCert)) + { + fail("generated holder matching wrong certificate"); + } + + equalityAndHashCodeTest(aCert, aCert.getEncoded()); + } + + private void testGenerateWithPrincipal() + throws Exception + { + CertificateFactory fact = CertificateFactory.getInstance("X.509","BC"); + X509Certificate iCert = (X509Certificate)fact.generateCertificate(new ByteArrayInputStream(signCert)); + + // + // a sample key pair. + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory kFact = KeyFactory.getInstance("RSA", "BC"); + + privKey = kFact.generatePrivate(RSA_PRIVATE_KEY_SPEC); + pubKey = kFact.generatePublic(pubKeySpec); + + X509V2AttributeCertificateGenerator gen = new X509V2AttributeCertificateGenerator(); + + // the actual attributes + GeneralName roleName = new GeneralName(GeneralName.rfc822Name, "DAU123456789"); + ASN1EncodableVector roleSyntax = new ASN1EncodableVector(); + roleSyntax.add(roleName); + + // roleSyntax OID: 2.5.24.72 + X509Attribute attributes = new X509Attribute("2.5.24.72", + new DERSequence(roleSyntax)); + + gen.addAttribute(attributes); + gen.setHolder(new AttributeCertificateHolder(iCert.getSubjectX500Principal())); + gen.setIssuer(new AttributeCertificateIssuer(new X509Principal("cn=test"))); + gen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + gen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + gen.setSerialNumber(BigInteger.ONE); + gen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + + X509AttributeCertificate aCert = gen.generate(privKey, "BC"); + + aCert.checkValidity(); + + aCert.verify(pubKey, "BC"); + + AttributeCertificateHolder holder = aCert.getHolder(); + + if (holder.getEntityNames() == null) + { + fail("entity names not set when expected"); + } + + if (holder.getSerialNumber() != null) + { + fail("holder serial number found when none expected"); + } + + if (holder.getIssuer() != null) + { + fail("holder issuer found when none expected"); + } + + if (!holder.match(iCert)) + { + fail("generated holder not matching holder certificate"); + } + + X509Certificate sCert = (X509Certificate)fact.generateCertificate(new ByteArrayInputStream(holderCertWithBaseCertificateID)); + + if (holder.match(sCert)) + { + fail("principal generated holder matching wrong certificate"); + } + + equalityAndHashCodeTest(aCert, aCert.getEncoded()); + } + + public void performTest() + throws Exception + { + X509AttributeCertificate aCert = new X509V2AttributeCertificate(attrCert); + CertificateFactory fact = CertificateFactory.getInstance("X.509","BC"); + X509Certificate sCert = (X509Certificate)fact.generateCertificate(new ByteArrayInputStream(signCert)); + + aCert.verify(sCert.getPublicKey(), "BC"); + + // + // search test + // + + List list = new ArrayList(); + + list.add(sCert); + + CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); + CertStore store = CertStore.getInstance("Collection", ccsp); + + Collection certs = store.getCertificates(aCert.getIssuer()); + if (certs.size() != 1 || !certs.contains(sCert)) + { + fail("sCert not found by issuer"); + } + + X509Attribute[] attrs = aCert.getAttributes("1.3.6.1.4.1.6760.8.1.1"); + if (attrs == null || attrs.length != 1) + { + fail("attribute not found"); + } + + // + // reencode test + // + aCert = new X509V2AttributeCertificate(aCert.getEncoded()); + + aCert.verify(sCert.getPublicKey(), "BC"); + + X509AttributeCertificate saCert = new X509V2AttributeCertificate(new ByteArrayInputStream(aCert.getEncoded())); + + if (!aCert.getNotAfter().equals(saCert.getNotAfter())) + { + fail("failed date comparison"); + } + + // base generator test + + // + // a sample key pair. + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec privKeySpec = RSA_PRIVATE_KEY_SPEC; + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory kFact = KeyFactory.getInstance("RSA", "BC"); + + privKey = kFact.generatePrivate(privKeySpec); + pubKey = kFact.generatePublic(pubKeySpec); + + X509V2AttributeCertificateGenerator gen = new X509V2AttributeCertificateGenerator(); + + gen.addAttribute(attrs[0]); + gen.setHolder(aCert.getHolder()); + gen.setIssuer(aCert.getIssuer()); + gen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + gen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + gen.setSerialNumber(aCert.getSerialNumber()); + gen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + + aCert = gen.generate(privKey, "BC"); + + aCert.checkValidity(); + + aCert.verify(pubKey, "BC"); + + // as the issuer is the same this should still work (even though it is not + // technically correct + + certs = store.getCertificates(aCert.getIssuer()); + if (certs.size() != 1 || !certs.contains(sCert)) + { + fail("sCert not found by issuer"); + } + + attrs = aCert.getAttributes("1.3.6.1.4.1.6760.8.1.1"); + if (attrs == null || attrs.length != 1) + { + fail("attribute not found"); + } + + // + // reencode test + // + aCert = new X509V2AttributeCertificate(aCert.getEncoded()); + + aCert.verify(pubKey, "BC"); + + AttributeCertificateIssuer issuer = aCert.getIssuer(); + + Principal[] principals = issuer.getPrincipals(); + + // + // test holder + // + AttributeCertificateHolder holder = aCert.getHolder(); + + if (holder.getEntityNames() == null) + { + fail("entity names not set"); + } + + if (holder.getSerialNumber() != null) + { + fail("holder serial number set when none expected"); + } + + if (holder.getIssuer() != null) + { + fail("holder issuer set when none expected"); + } + + principals = holder.getEntityNames(); + + if (!principals[0].toString().equals("C=US, O=vt, OU=Class 2, OU=Virginia Tech User, CN=Markus Lorch (mlorch), EMAILADDRESS=mlorch@vt.edu")) + { + fail("principal[0] for entity names don't match"); + } + + // + // extension test + // + + if (aCert.hasUnsupportedCriticalExtension()) + { + fail("unsupported extensions found with no extensions"); + } + + gen.addExtension("1.1", true, new DEROctetString(new byte[10])); + + gen.addExtension("2.2", false, new DEROctetString(new byte[20])); + + aCert = gen.generate(privKey, "BC"); + + Set exts = aCert.getCriticalExtensionOIDs(); + + if (exts.size() != 1 || !exts.contains("1.1")) + { + fail("critical extension test failed"); + } + + exts = aCert.getNonCriticalExtensionOIDs(); + + if (exts.size() != 1 || !exts.contains("2.2")) + { + fail("non-critical extension test failed"); + } + + if (!aCert.hasUnsupportedCriticalExtension()) + { + fail("unsupported extensions not found"); + } + + byte[] extString = aCert.getExtensionValue("1.1"); + ASN1Encodable extValue = X509ExtensionUtil.fromExtensionValue(extString); + + if (!extValue.equals(new DEROctetString(new byte[10]))) + { + fail("wrong extension value found for 1.1"); + } + + testCertWithBaseCertificateID(); + testGenerateWithCert(); + testGenerateWithPrincipal(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new AttrCertTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/BaseBlockCipherTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/BaseBlockCipherTest.java new file mode 100644 index 00000000..ebc56002 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/BaseBlockCipherTest.java @@ -0,0 +1,143 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.util.test.TestFailedException; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; +import java.security.Key; + +public abstract class BaseBlockCipherTest + extends SimpleTest +{ + String algorithm; + + BaseBlockCipherTest( + String algorithm) + { + this.algorithm = algorithm; + } + + public String getName() + { + return algorithm; + } + + protected void oidTest(String[] oids, String[] names, int groupSize) + throws Exception + { + byte[] data = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; + IvParameterSpec ivSpec = new IvParameterSpec(new byte[16]); + + for (int i = 0; i != oids.length; i++) + { + Cipher c1 = Cipher.getInstance(oids[i], "BC"); + Cipher c2 = Cipher.getInstance(names[i], "BC"); + KeyGenerator kg = KeyGenerator.getInstance(oids[i], "BC"); + + SecretKey k = kg.generateKey(); + + if (names[i].indexOf("/ECB/") > 0) + { + c1.init(Cipher.ENCRYPT_MODE, k); + c2.init(Cipher.DECRYPT_MODE, k); + } + else + { + c1.init(Cipher.ENCRYPT_MODE, k, ivSpec); + c2.init(Cipher.DECRYPT_MODE, k, ivSpec); + } + + byte[] result = c2.doFinal(c1.doFinal(data)); + + if (!areEqual(data, result)) + { + fail("failed OID test"); + } + + if (k.getEncoded().length != (16 + ((i / groupSize) * 8))) + { + fail("failed key length test"); + } + } + } + + protected void wrapOidTest(String[] oids, String name) + throws Exception + { + byte[] data = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; + + for (int i = 0; i != oids.length; i++) + { + Cipher c1 = Cipher.getInstance(oids[i], "BC"); + Cipher c2 = Cipher.getInstance(name, "BC"); + KeyGenerator kg = KeyGenerator.getInstance(oids[i], "BC"); + + SecretKey k = kg.generateKey(); + + c1.init(Cipher.WRAP_MODE, k); + c2.init(Cipher.UNWRAP_MODE, k); + + Key wKey = c2.unwrap(c1.wrap(new SecretKeySpec(data, algorithm)), algorithm, Cipher.SECRET_KEY); + + if (!areEqual(data, wKey.getEncoded())) + { + fail("failed wrap OID test"); + } + + if (k.getEncoded().length != (16 + (i * 8))) + { + fail("failed key length test"); + } + } + } + + protected void wrapTest( + int id, + String wrappingAlgorithm, + byte[] kek, + byte[] in, + byte[] out) + throws Exception + { + Cipher wrapper = Cipher.getInstance(wrappingAlgorithm, "BC"); + + wrapper.init(Cipher.WRAP_MODE, new SecretKeySpec(kek, algorithm)); + + try + { + byte[] cText = wrapper.wrap(new SecretKeySpec(in, algorithm)); + if (!areEqual(cText, out)) + { + fail("failed wrap test " + id + " expected " + new String(Hex.encode(out)) + " got " + new String(Hex.encode(cText))); + } + } + catch (TestFailedException e) + { + throw e; + } + catch (Exception e) + { + fail("failed wrap test exception " + e.toString(), e); + } + + wrapper.init(Cipher.UNWRAP_MODE, new SecretKeySpec(kek, algorithm)); + + try + { + Key pText = wrapper.unwrap(out, algorithm, Cipher.SECRET_KEY); + if (!areEqual(pText.getEncoded(), in)) + { + fail("failed unwrap test " + id + " expected " + new String(Hex.encode(in)) + " got " + new String(Hex.encode(pText.getEncoded()))); + } + } + catch (Exception e) + { + fail("failed unwrap test exception " + e.toString(), e); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/BlockCipherTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/BlockCipherTest.java new file mode 100644 index 00000000..30489bff --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/BlockCipherTest.java @@ -0,0 +1,964 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.ShortBufferException; +import javax.crypto.spec.DESedeKeySpec; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.RC2ParameterSpec; +import javax.crypto.spec.RC5ParameterSpec; +import javax.crypto.spec.SecretKeySpec; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.IOException; +import java.security.AlgorithmParameters; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.InvalidParameterException; +import java.security.Key; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.KeySpec; + +/** + * basic test class for a block cipher, basically this just exercises the provider, and makes sure we + * are behaving sensibly, correctness of the implementation is shown in the lightweight test classes. + */ +public class BlockCipherTest + extends SimpleTest +{ + static String[] cipherTests1 = + { + "DES", + "466da00648ef0e1f9617b1f002e225251a3248d09172f46b9617b1f002e225250112ecb3da61bc99", + "DESede", + "2f4bc6b30c893fa549d82c560d61cf3eb088aed020603de249d82c560d61cf3e529e95ecd8e05394", + "SKIPJACK", + "d4de46d52274dbb029f33b076043f8c40089f906751623de29f33b076043f8c4ac99b90f9396cb04", + "Blowfish", + "7870ebe7f6a52803eb9396ba6c5198216ce81d76d8d4c74beb9396ba6c5198211212473b05214e9f", + "Twofish", + "70336d9c9718a8a2ced1b19deed973a3c58af7ea71a69e7efc4df082dca581c0839e31468661bcfc57a14899ceeb0253", + "RC2", + "eb5b889bbcced12eb6b1a3da6a3d965bba66a5edfdd4c8a6b6b1a3da6a3d965b994a5b859e765797", + "RC5", + "220053543e3eca3bc9503a091ca67b08372560d8a4fdbee8c9503a091ca67b08a796d53bb8a4b7e0", + "RC5-64", + "e0b4a526ba3bc5f09199c3b1fe3737fe6d248cde70e565b0feea59ebfda375ae1946c386a48d8d8a74d7b1947ff6a788", + "RC6", + "44c97b67ca8486067f8b6c5b97632f3049e5e52c1d61fdd527dc3da39616540f19a3db39aac1ffd713795cd886cce0c0", + "IDEA", + "8c9fd56823ffdc523f6ccf7f614aa6173553e594fc7a21b53f6ccf7f614aa61740c54f7a66e95108", + "TEA", + "fcf45062104fda7c35712368b56dd4216a6ca998dc297b5435712368b56dd421208027ed2923cd0c", + "XTEA", + "4b427893d3d6aaded2afafabe25f7b233fb5589faa2b6389d2afafabe25f7b239d12979ac67e1c07", + "Camellia", + "3a68b4ad145bc2c76010669d68f2826359887afce763a78d9994143266adfaec8ba7ee562a1688ef9dfd7f897e5c44dc", + "SEED", + "d53d4ce1f48b9879420949467bfcbfbe2c6a7d4a8770bee0c71211def898d7c5024ce2007dd85accb3f69d906ae2164d", + "Noekeon", + "7e68ceb33aad9db04af6b878a16dd6c6b4f880d6c89027ba581884c10690bb6b3dbfd6ed5513e2c4f5670c3528023121", + "DES/CBC/NoPadding", + "60fa2f8fae5aa2a38e9ac77d0246726beb7511e4515feb12cf99f75cc6e0122a", + "DESede/CBC/NoPadding", + "4d3d7931875cf25593dc402298add8b914761e4936c9585ae22b2c1441169231", + "SKIPJACK/CBC/NoPadding", + "ceebcc2e5e2b847f9ed797b4930b95f115b9e6cf49c457fc2ea0df79ad5c8334", + "Blowfish/CBC/NoPadding", + "80823abbabc109733e7ebf3ce3344d67fc387c306b782086b452f7fbe8e844ce", + "Twofish/CBC/NoPadding", + "f819694251a00bdd403928745cd1d8a094de61f49ddf8e7692e9d81a83812943", + "RC2/CBC/NoPadding", + "a51facdb3933c9676795cd38cc3146fd4694722b468b1a979a399c77606abf99", + "RC5/CBC/NoPadding", + "9ee7517eab0280445f3a7c60c90c0f75029d65bca8b1af83ace5399d388c83c3", + "RC6/CBC/NoPadding", + "c44695633c07010f3a0d8f7ea046a642d4a96bf4e44f89fd91b46830bc95b130", + "IDEA/CBC/NoPadding", + "30cd990ebdae80fe12b6c6e4fcd1c064a27d985c276b3d7097351c8684e4c4d9", + "DES/CBC/PKCS5Padding", + "60fa2f8fae5aa2a38e9ac77d0246726beb7511e4515feb12cf99f75cc6e0122afdc70484fb9c0232", + "DES/CBC/ISO10126Padding", + "60fa2f8fae5aa2a38e9ac77d0246726beb7511e4515feb12cf99f75cc6e0122a980639850a2cc3e8", + "DES/CBC/ISO7816-4Padding", + "60fa2f8fae5aa2a38e9ac77d0246726beb7511e4515feb12cf99f75cc6e0122a1f80b9b0f1be49ac", + "DES/CBC/X9.23Padding", + "60fa2f8fae5aa2a38e9ac77d0246726beb7511e4515feb12cf99f75cc6e0122a980639850a2cc3e8", + "DESede/CBC/PKCS7Padding", + "4d3d7931875cf25593dc402298add8b914761e4936c9585ae22b2c1441169231a41e40695f1cff84", + "SKIPJACK/CBC/PKCS7Padding", + "ceebcc2e5e2b847f9ed797b4930b95f115b9e6cf49c457fc2ea0df79ad5c8334df7042de5db89c96", + "Blowfish/CBC/PKCS7Padding", + "80823abbabc109733e7ebf3ce3344d67fc387c306b782086b452f7fbe8e844cef986562ab1a675e8", + "Twofish/CBC/PKCS7Padding", + "f819694251a00bdd403928745cd1d8a094de61f49ddf8e7692e9d81a838129433e5f1343d6cdb0b41838619da1541f04", + "RC2/CBC/PKCS7Padding", + "a51facdb3933c9676795cd38cc3146fd4694722b468b1a979a399c77606abf9958435525f770f137", + "RC5/CBC/PKCS7Padding", + "9ee7517eab0280445f3a7c60c90c0f75029d65bca8b1af83ace5399d388c83c3edd95ff49be76651", + "RC5-64/CBC/PKCS7Padding", + "e479fd11f89dab22d2f3dd062b1d2abd5b5962553421a5c562dc7214c3b23b8e21949fda87f2f820e5f032c552c6ec78", + "RC6/CBC/PKCS7Padding", + "c44695633c07010f3a0d8f7ea046a642d4a96bf4e44f89fd91b46830bc95b130824b972c9019a69d2dd05ef2d36b37ac", + "IDEA/CBC/PKCS7Padding", + "30cd990ebdae80fe12b6c6e4fcd1c064a27d985c276b3d7097351c8684e4c4d9e584751325ef7c32", + "IDEA/CBC/ISO10126Padding", + "30cd990ebdae80fe12b6c6e4fcd1c064a27d985c276b3d7097351c8684e4c4d978b3fd73135f033b", + "IDEA/CBC/X9.23Padding", + "30cd990ebdae80fe12b6c6e4fcd1c064a27d985c276b3d7097351c8684e4c4d978b3fd73135f033b", + "AES/CBC/PKCS7Padding", + "cf87f4d8bb9d1abb36cdd9f44ead7d046db2f802d99e1ef0a5940f306079e08389a44c4a8cc1a47cbaee1128da55bbb7", + "AES/CBC/ISO7816-4Padding", + "cf87f4d8bb9d1abb36cdd9f44ead7d046db2f802d99e1ef0a5940f306079e08306d84876508a33efec701118d8eeaf6d", + "Rijndael/CBC/PKCS7Padding", + "cf87f4d8bb9d1abb36cdd9f44ead7d046db2f802d99e1ef0a5940f306079e08389a44c4a8cc1a47cbaee1128da55bbb7", + "Serpent/CBC/PKCS7Padding", + "f8940ca31aba8ce1e0693b1ae0b1e08daef6de03c80f019774280052f824ac44540bb8dd74dfad47f83f9c7ec268ca68", + "CAST5/CBC/PKCS7Padding", + "87b6dc0c5a1d23d42fa740b0548be0b298112000544610d889d6361994cf8e670a19d6af72d7289f", + "CAST6/CBC/PKCS7Padding", + "943445569cfdda174118e433828f84e137faee38cac5c827d87a3c9a5a46a07dd64e7ad8accd921f248eea627cd6826f", + "DES/CBC/WithCTS", + "60fa2f8fae5aa2a38e9ac77d0246726bcf99f75cc6e0122aeb7511e4515feb12", + "IDEA/CBC/PKCS7Padding", + "30cd990ebdae80fe12b6c6e4fcd1c064a27d985c276b3d7097351c8684e4c4d9e584751325ef7c32", + "DES/CBC/ZeroBytePadding", + "60fa2f8fae5aa2a38e9ac77d0246726beb7511e4515feb12cf99f75cc6e0122ad3b3f002c927f1fd", + "DES/CTS/NoPadding", // official style + "60fa2f8fae5aa2a38e9ac77d0246726bcf99f75cc6e0122aeb7511e4515feb12", + "DESede/CTS/NoPadding", + "4d3d7931875cf25593dc402298add8b9e22b2c144116923114761e4936c9585a", + "SKIPJACK/CTS/NoPadding", + "ceebcc2e5e2b847f9ed797b4930b95f12ea0df79ad5c833415b9e6cf49c457fc", + "Blowfish/CTS/NoPadding", + "80823abbabc109733e7ebf3ce3344d67b452f7fbe8e844cefc387c306b782086", + "Twofish/CTS/NoPadding", + "94de61f49ddf8e7692e9d81a83812943f819694251a00bdd403928745cd1d8a0", + "AES/CTS/NoPadding", + "6db2f802d99e1ef0a5940f306079e083cf87f4d8bb9d1abb36cdd9f44ead7d04", + "Rijndael/CTS/NoPadding", + "6db2f802d99e1ef0a5940f306079e083cf87f4d8bb9d1abb36cdd9f44ead7d04", + "Serpent/CTS/NoPadding", + "aef6de03c80f019774280052f824ac44f8940ca31aba8ce1e0693b1ae0b1e08d", + "CAST5/CTS/NoPadding", + "87b6dc0c5a1d23d42fa740b0548be0b289d6361994cf8e6798112000544610d8", + "CAST6/CTS/NoPadding", + "37faee38cac5c827d87a3c9a5a46a07d943445569cfdda174118e433828f84e1", + "RC2/CTS/NoPadding", + "a51facdb3933c9676795cd38cc3146fd9a399c77606abf994694722b468b1a97", + "RC5/CTS/NoPadding", + "9ee7517eab0280445f3a7c60c90c0f75ace5399d388c83c3029d65bca8b1af83", + "RC6/CTS/NoPadding", + "d4a96bf4e44f89fd91b46830bc95b130c44695633c07010f3a0d8f7ea046a642", + "IDEA/CTS/NoPadding", + "30cd990ebdae80fe12b6c6e4fcd1c06497351c8684e4c4d9a27d985c276b3d70", + "DES/CBC/WithCTS", // older style + "60fa2f8fae5aa2a38e9ac77d0246726bcf99f75cc6e0122aeb7511e4515feb12", + "DESede/CBC/WithCTS", + "4d3d7931875cf25593dc402298add8b9e22b2c144116923114761e4936c9585a", + "SKIPJACK/CBC/WithCTS", + "ceebcc2e5e2b847f9ed797b4930b95f12ea0df79ad5c833415b9e6cf49c457fc", + "Blowfish/CBC/WithCTS", + "80823abbabc109733e7ebf3ce3344d67b452f7fbe8e844cefc387c306b782086", + "Twofish/CBC/WithCTS", + "94de61f49ddf8e7692e9d81a83812943f819694251a00bdd403928745cd1d8a0", + "AES/CBC/WithCTS", + "6db2f802d99e1ef0a5940f306079e083cf87f4d8bb9d1abb36cdd9f44ead7d04", + "Rijndael/CBC/WithCTS", + "6db2f802d99e1ef0a5940f306079e083cf87f4d8bb9d1abb36cdd9f44ead7d04", + "Serpent/CBC/WithCTS", + "aef6de03c80f019774280052f824ac44f8940ca31aba8ce1e0693b1ae0b1e08d", + "CAST5/CBC/WithCTS", + "87b6dc0c5a1d23d42fa740b0548be0b289d6361994cf8e6798112000544610d8", + "CAST6/CBC/WithCTS", + "37faee38cac5c827d87a3c9a5a46a07d943445569cfdda174118e433828f84e1", + "RC2/CBC/WithCTS", + "a51facdb3933c9676795cd38cc3146fd9a399c77606abf994694722b468b1a97", + "RC5/CBC/WithCTS", + "9ee7517eab0280445f3a7c60c90c0f75ace5399d388c83c3029d65bca8b1af83", + "RC6/CBC/WithCTS", + "d4a96bf4e44f89fd91b46830bc95b130c44695633c07010f3a0d8f7ea046a642", + "IDEA/CBC/WithCTS", + "30cd990ebdae80fe12b6c6e4fcd1c06497351c8684e4c4d9a27d985c276b3d70", + "DES/OFB/NoPadding", + "537572e480c1714f5c9a4f3b874df824dc6681b1fd6c11982debcad91e3f78b7", + "DESede/OFB/NoPadding", + "481e9872acea7fcf8e29a453242da774e5f6a28f15f7723659a73e4ff4939f80", + "SKIPJACK/OFB/NoPadding", + "71143a124e3a0cde753b60fe9b200e559018b6a0fe0682659f7c13feb9df995c", + "Blowfish/OFB/NoPadding", + "6cd6f7c5d2c655556d7a9e98a1696d1875e9f1b2fc991e28a2d55b56861e80bd", + "Twofish/OFB/NoPadding", + "821c54b1b54ae113cf74595eefe10c83b61c9682fc81f92c52f39a3a693f88b8", + "RC2/OFB/NoPadding", + "0a07cb78537cb04c0c74e28a7b86b80f80acadf87d6ef32792f1a8cf74b39f74", + "RC5/OFB/NoPadding", + "c62b233df296283b918a2b4cc53a54fbf061850e781b97332ed1bd78b88d9670", + "IDEA/OFB/NoPadding", + "dd447da3cbdcf81f4053fb446596261cb00a3c49a66085485af5f7c10ba20dad", + "DES/OFB8/NoPadding", + "53cb5010d189f94cf584e5ff1c4a9d86443c45ddb6fa3c2d1a5dadfcdf01db8a", + "DESede/OFB8/NoPadding", + "482c0c1ccd0e6d218e1cffb0a295352c2357ffaa673f2257ef5c77b6c04f03b5", + "SKIPJACK/OFB8/NoPadding", + "719ea1b432b3d2c8011e5aa873f95978420022b5e2c9c1a1c1082cd1f4999da2", + "Blowfish/OFB8/NoPadding", + "6ca6078755b263f09787d830b6fda7b7748494634bdc73ab68540cf9f6b7eccf", + "Twofish/OFB8/NoPadding", + "825dcec234ad52253d6e064b0d769bc04b1142435933f4a510ffc20d70095a88", + "RC2/OFB8/NoPadding", + "0aa26c6f6a820fe7d38da97085995ad62e2e293323a76300fcd4eb572810f7c6", + "RC5/OFB8/NoPadding", + "c601a9074dbd874f4d3293f6a32d93d9f0a4f5685d8597f0102fcc96d444f976", + "IDEA/OFB8/NoPadding", + "dd7897b6ced43d060a518bb38d570308b83b4de577eb208130daabf619e9b1fb", + "DES/CFB/NoPadding", + "537572e480c1714fec3c7424f88d4202219244c5ca8f5e4361d64f08fe747bb2", + "DESede/CFB/NoPadding", + "481e9872acea7fcfb75bb58670fe64c59123265139e357d161cd4ddb5eba042a", + "SKIPJACK/CFB/NoPadding", + "71143a124e3a0cde70a69ede4ceb14376b1e6a80bafde0a6330508dfa86a7c41", + "Blowfish/CFB/NoPadding", + "6cd6f7c5d2c6555561167fe9b10665102206869339122f1ed89efa4a985397f6", + "Twofish/CFB/NoPadding", + "821c54b1b54ae113cf74595eefe10c8308b7a438277de4f40948ac2d172d53d2", + "RC2/CFB/NoPadding", + "0a07cb78537cb04ca1401450d5cd411c7da7fa5b6baaa17bb2137bd95c9f26a5", + "RC5/CFB/NoPadding", + "c62b233df296283b989352bbebf616a19e11503ac737f9e0eaf19049cde05d34", + "IDEA/CFB/NoPadding", + "dd447da3cbdcf81fcbe4661dcbed88aed899f87585118384bd0565067fa6c13a", + "DES/CFB8/NoPadding", + "53cb0cdff712a825eb283b23c31e7323aa12495e7e751428b5c4eb89b28a25d4", + "DESede/CFB8/NoPadding", + "482cd5bf87ca4cee0b573d66a077231bfea93843ce2d1f948550a1d208e18279", + "SKIPJACK/CFB8/NoPadding", + "719eef3906bef23f7b63599285437d8e34183b165acf3e855b4e160d4f036508", + "Blowfish/CFB8/NoPadding", + "6ca63aaada9188d2410c07513cc0736b9888770768c25a5befc776beea5bdc4c", + "Twofish/CFB8/NoPadding", + "825d12af040721cf5ed4a4798647837ac5eb14d752aace28728aeb37b2010abd", + "RC2/CFB8/NoPadding", + "0aa227f94be3a32ff927c5d25647ea41d7c2a1e94012fc7f2ad6767b9664bce5", + "RC5/CFB8/NoPadding", + "c601cf88725411f119965b9cd38d6c313b91128ed7c98c7604cc62d9b210be79", + "IDEA/CFB8/NoPadding", + "dd7839d2525420d10f95eec23dbaf3463302c445972a28c563c2635191bc19af", + "IDEA/PGPCFB/NoPadding", + "dd447da3cbdcf81fcbe4661dcbed88aed899f87585118384bd0565067fa6c13a", + "IDEA/PGPCFBwithIv/NoPadding", + "ed5adbac0e730cc0f00df7e4f6fef672ab042673106435faf3ecf3996a72a0e127b440ba9e5313501de3", + "Twofish/ECB/TBCPadding", + "70336d9c9718a8a2ced1b19deed973a3c58af7ea71a69e7efc4df082dca581c019d7daa58d02b89aab6e8c0d17202439", + "RC2/ECB/TBCPadding", + "eb5b889bbcced12eb6b1a3da6a3d965bba66a5edfdd4c8a6b6b1a3da6a3d965b6b5359ba5e69b179" + }; + + static String[] cipherTests2 = + { + "DES/OFB64/NoPadding", + "537572e480c1714f5c9a4f3b874df824dc6681b1fd6c11982debcad91e", + "DES/CFB64/NoPadding", + "537572e480c1714fec3c7424f88d4202219244c5ca8f5e4361d64f08fe", + "DES/CTR/NoPadding", + "537572e480c1714fb47081d35eb18eaca9e0a5aee982f105438a0db6ce", + "DES/CTS/NoPadding", + "60fa2f8fae5aa2a38e9ac77d0246726b32df660db51a710ceb7511e451" + }; + + static byte[] input1 = Hex.decode("000102030405060708090a0b0c0d0e0fff0102030405060708090a0b0c0d0e0f"); + static byte[] input2 = Hex.decode("000102030405060708090a0b0c0d0e0fff0102030405060708090a0b0c"); + + static RC2ParameterSpec rc2Spec = new RC2ParameterSpec(128, Hex.decode("0123456789abcdef")); + static RC5ParameterSpec rc5Spec = new RC5ParameterSpec(16, 16, 32, Hex.decode("0123456789abcdef")); + static RC5ParameterSpec rc564Spec = new RC5ParameterSpec(16, 16, 64, Hex.decode("0123456789abcdef0123456789abcdef")); + + /** + * a fake random number generator - we just want to make sure the random numbers + * aren't random so that we get the same output, while still getting to test the + * key generation facilities. + */ + private class FixedSecureRandom + extends SecureRandom + { + byte[] seed = { + (byte)0xaa, (byte)0xfd, (byte)0x12, (byte)0xf6, (byte)0x59, + (byte)0xca, (byte)0xe6, (byte)0x34, (byte)0x89, (byte)0xb4, + (byte)0x79, (byte)0xe5, (byte)0x07, (byte)0x6d, (byte)0xde, + (byte)0xc2, (byte)0xf0, (byte)0x6c, (byte)0xb5, (byte)0x8f + }; + + public void nextBytes( + byte[] bytes) + { + int offset = 0; + + while ((offset + seed.length) < bytes.length) + { + System.arraycopy(seed, 0, bytes, offset, seed.length); + offset += seed.length; + } + + System.arraycopy(seed, 0, bytes, offset, bytes.length - offset); + } + } + + public String getName() + { + return "BlockCipher"; + } + + public void test( + String algorithm, + byte[] input, + byte[] output) + { + Key key = null; + KeyGenerator keyGen; + SecureRandom rand; + Cipher in = null; + Cipher out = null; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + rand = new FixedSecureRandom(); + + try + { + String baseAlgorithm; + int index = algorithm.indexOf('/'); + + if (index > 0) + { + baseAlgorithm = algorithm.substring(0, index); + } + else + { + baseAlgorithm = algorithm; + } + + if (baseAlgorithm.equals("IDEA") & noIDEA()) + { + return; + } + + keyGen = KeyGenerator.getInstance(baseAlgorithm, "BC"); + if (!keyGen.getAlgorithm().equals(baseAlgorithm)) + { + fail("wrong key generator returned!"); + } + keyGen.init(rand); + + key = keyGen.generateKey(); + + in = Cipher.getInstance(algorithm, "BC"); + out = Cipher.getInstance(algorithm, "BC"); + + if (!in.getAlgorithm().startsWith(baseAlgorithm)) + { + fail("wrong cipher returned!"); + } + + if (algorithm.startsWith("RC2")) + { + out.init(Cipher.ENCRYPT_MODE, key, rc2Spec, rand); + } + else if (algorithm.startsWith("RC5")) + { + if (algorithm.startsWith("RC5-64")) + { + out.init(Cipher.ENCRYPT_MODE, key, rc564Spec, rand); + } + else + { + out.init(Cipher.ENCRYPT_MODE, key, rc5Spec, rand); + } + } + else + { + out.init(Cipher.ENCRYPT_MODE, key, rand); + } + } + catch (Exception e) + { + fail("" + algorithm + " failed initialisation - " + e.toString(), e); + } + + // + // grab the iv if there is one + // + try + { + if (algorithm.startsWith("RC2")) + { + in.init(Cipher.DECRYPT_MODE, key, rc2Spec); + } + else if (algorithm.startsWith("RC5")) + { + if (algorithm.startsWith("RC5-64")) + { + in.init(Cipher.DECRYPT_MODE, key, rc564Spec, rand); + } + else + { + in.init(Cipher.DECRYPT_MODE, key, rc5Spec, rand); + } + } + else + { + byte[] iv; + + iv = out.getIV(); + if (iv != null) + { + try + { + byte[] nIv = new byte[iv.length - 1]; + + in.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(nIv)); + fail("failed to pick up short IV"); + } + catch (InvalidAlgorithmParameterException e) + { + // ignore - this is what we want... + } + + IvParameterSpec spec; + + spec = new IvParameterSpec(iv); + + in.init(Cipher.DECRYPT_MODE, key, spec); + } + else + { + in.init(Cipher.DECRYPT_MODE, key); + } + } + } + catch (Exception e) + { + fail("" + algorithm + " failed initialisation - " + e.toString()); + } + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + try + { + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + } + catch (IOException e) + { + fail("" + algorithm + " failed encryption - " + e.toString()); + } + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!areEqual(bytes, output)) + { + fail("" + algorithm + " failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + try + { + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + } + catch (Exception e) + { + fail("" + algorithm + " failed decryption - " + e.toString()); + } + + if (!areEqual(bytes, input)) + { + fail("" + algorithm + " failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + } + + private boolean noIDEA() + { + try + { + Cipher.getInstance("IDEA", "BC"); + + return false; + } + catch (Exception e) + { + return true; + } + } + + private void testExceptions() + { + SecretKeyFactory skF = null; + + try + { + skF = SecretKeyFactory.getInstance("DESede", "BC"); + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + KeySpec ks = null; + SecretKey secKey = null; + byte[] bb = new byte[24]; + + try + { + skF.getKeySpec(null, null); + + fail("failed exception test - no exception thrown"); + } + catch (InvalidKeySpecException e) + { + // ignore okay + } + catch (Exception e) + { + fail("failed exception test.", e); + } + try + { + ks = (KeySpec)new DESedeKeySpec(bb); + skF.getKeySpec(null, ks.getClass()); + + fail("failed exception test - no exception thrown"); + } + catch (InvalidKeySpecException e) + { + // ignore okay; + } + catch (Exception e) + { + fail("failed exception test.", e); + } + try + { + skF.getKeySpec(secKey, null); + } + catch (InvalidKeySpecException e) + { + // ignore okay + } + catch (Exception e) + { + fail("failed exception test.", e); + } + + try + { + KeyGenerator kg = KeyGenerator.getInstance("DESede", "BC"); + try + { + kg.init(Integer.MIN_VALUE, new SecureRandom()); + + fail("failed exception test - no exception thrown"); + } + catch (InvalidParameterException e) + { + // ignore okay + } + catch (Exception e) + { + fail("failed exception test.", e); + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + skF = SecretKeyFactory.getInstance("DESede", "BC"); + + try + { + skF.translateKey(null); + + fail("failed exception test - no exception thrown"); + } + catch (InvalidKeyException e) + { + // ignore okay + } + catch (Exception e) + { + fail("failed exception test.", e); + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + byte[] rawDESKey = { (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143 }; + + SecretKeySpec cipherKey = new SecretKeySpec(rawDESKey, "DES"); + + Cipher cipher = Cipher.getInstance("DES/CBC/NoPadding", "BC"); + + try + { + // According specification engineInit(int opmode, Key key, + // SecureRandom random) throws InvalidKeyException if this + // cipher is being + // initialized for decryption and requires algorithm parameters + // that cannot be determined from the given key + cipher.init(Cipher.DECRYPT_MODE, cipherKey, (SecureRandom)null); + + fail("failed exception test - no InvalidKeyException thrown"); + } + catch (InvalidKeyException e) + { + // ignore + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + byte[] rawDESKey = { -128, -125, -123, -122, -119, -118 }; + + SecretKeySpec cipherKey = new SecretKeySpec(rawDESKey, "DES"); + Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding", "BC"); + try + { + // According specification engineInit(int opmode, Key key, + // SecureRandom random) throws InvalidKeyException if the given + // key is inappropriate for initializing this cipher + cipher.init(Cipher.ENCRYPT_MODE, cipherKey); + + fail("failed exception test - no InvalidKeyException thrown"); + } + catch (InvalidKeyException e) + { + // ignore + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + byte[] rawDESKey = { -128, -125, -123, -122, -119, -118, -117, -115, -114 }; + + SecretKeySpec cipherKey = new SecretKeySpec(rawDESKey, "DES"); + Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding", "BC"); + try + { + // According specification engineInit(int opmode, Key key, + // SecureRandom random) throws InvalidKeyException if the given + // key is inappropriate for initializing this cipher + cipher.init(Cipher.ENCRYPT_MODE, cipherKey); + + fail("failed exception test - no InvalidKeyException thrown"); + } + catch (InvalidKeyException e) + { + // ignore + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + + try + { + byte[] rawDESKey = { (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143 }; + + SecretKeySpec cipherKey = new SecretKeySpec(rawDESKey, "DES"); + Cipher ecipher = Cipher.getInstance("DES/ECB/PKCS5Padding", "BC"); + ecipher.init(Cipher.ENCRYPT_MODE, cipherKey); + + byte[] cipherText = new byte[0]; + try + { + // According specification Method engineUpdate(byte[] input, + // int inputOffset, int inputLen, byte[] output, int + // outputOffset) + // throws ShortBufferException - if the given output buffer is + // too + // small to hold the result + ecipher.update(new byte[20], 0, 20, cipherText); + + fail("failed exception test - no ShortBufferException thrown"); + } + catch (ShortBufferException e) + { + // ignore + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + byte[] rawDESKey = { (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143 }; + + SecretKeySpec cipherKey = new SecretKeySpec(rawDESKey, "DES"); + Cipher ecipher = Cipher.getInstance("DES/ECB/PKCS5Padding", "BC"); + ecipher.init(Cipher.ENCRYPT_MODE, cipherKey); + + byte[] cipherText = new byte[0]; + try + { + // According specification Method enginedoFinal(byte[] input, + // int inputOffset, int inputLen, byte[] output, int + // outputOffset) + // throws ShortBufferException - if the given output buffer is + // too + // small to hold the result + ecipher.doFinal(new byte[20], 0, 20, cipherText); + + fail("failed exception test - no ShortBufferException thrown"); + } + catch (ShortBufferException e) + { + // ignore + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + KeyGenerator keyGen = KeyGenerator.getInstance("DES", "BC"); + + keyGen.init((SecureRandom)null); + + // According specification engineGenerateKey() doesn't throw any exceptions. + + SecretKey key = keyGen.generateKey(); + if (key == null) + { + fail("key is null!"); + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + AlgorithmParameters algParams = AlgorithmParameters.getInstance("DES", "BC"); + + algParams.init(new IvParameterSpec(new byte[8])); + + // According specification engineGetEncoded() returns + // the parameters in their primary encoding format. The primary + // encoding + // format for parameters is ASN.1, if an ASN.1 specification for + // this type + // of parameters exists. + byte[] iv = algParams.getEncoded(); + + if (iv.length != 10) + { + fail("parameters encoding wrong length - " + iv.length); + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + + try + { + try + { + AlgorithmParameters algParams = AlgorithmParameters.getInstance("DES", "BC"); + + byte[] encoding = new byte[10]; + encoding[0] = 3; + encoding[1] = 8; + + // According specification engineInit(byte[] params, String format) + // throws + // IOException on decoding errors, but BC throws ClassCastException. + algParams.init(encoding, "ASN.1"); + + fail("failed exception test - no IOException thrown"); + } + catch (IOException e) + { + // okay + } + + try + { + Cipher c = Cipher.getInstance("DES", "BC"); + + Key k = new PublicKey() + { + + public String getAlgorithm() + { + return "STUB"; + } + + public String getFormat() + { + return null; + } + + public byte[] getEncoded() + { + return null; + } + + }; + + c.init(Cipher.ENCRYPT_MODE, k); + + fail("failed exception test - no InvalidKeyException thrown for public key"); + } + catch (InvalidKeyException e) + { + // okay + } + + try + { + Cipher c = Cipher.getInstance("DES", "BC"); + + Key k = new PrivateKey() + { + + public String getAlgorithm() + { + return "STUB"; + } + + public String getFormat() + { + return null; + } + + public byte[] getEncoded() + { + return null; + } + + }; + + c.init(Cipher.DECRYPT_MODE, k); + + fail("failed exception test - no InvalidKeyException thrown for private key"); + } + catch (InvalidKeyException e) + { + // okay + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + } + + public void performTest() + { + for (int i = 0; i != cipherTests1.length; i += 2) + { + test(cipherTests1[i], input1, Hex.decode(cipherTests1[i + 1])); + } + + for (int i = 0; i != cipherTests2.length; i += 2) + { + test(cipherTests2[i], input2, Hex.decode(cipherTests2[i + 1])); + } + + // + // check for less than a block + // + try + { + Cipher c = Cipher.getInstance("AES/CTS/NoPadding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[16], "AES")); + + c.doFinal(new byte[4]); + + fail("CTS failed to throw exception"); + } + catch (Exception e) + { + if (!(e instanceof IllegalBlockSizeException)) + { + fail("CTS exception test - " + e, e); + } + } + + testExceptions(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new BlockCipherTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CMacTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CMacTest.java new file mode 100644 index 00000000..29ffc7f5 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CMacTest.java @@ -0,0 +1,288 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Security; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * CMAC tester - <a href="http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/tv/omac1-tv.txt">AES Official Test Vectors</a>. + */ +public class CMacTest + extends SimpleTest +{ + private static final byte[] keyBytes128 = Hex.decode("2b7e151628aed2a6abf7158809cf4f3c"); + private static final byte[] keyBytes192 = Hex.decode( + "8e73b0f7da0e6452c810f32b809079e5" + + "62f8ead2522c6b7b"); + private static final byte[] keyBytes256 = Hex.decode( + "603deb1015ca71be2b73aef0857d7781" + + "1f352c073b6108d72d9810a30914dff4"); + + private static final byte[] input0 = Hex.decode(""); + private static final byte[] input16 = Hex.decode("6bc1bee22e409f96e93d7e117393172a"); + private static final byte[] input40 = Hex.decode( + "6bc1bee22e409f96e93d7e117393172a" + + "ae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411"); + private static final byte[] input64 = Hex.decode( + "6bc1bee22e409f96e93d7e117393172a" + + "ae2d8a571e03ac9c9eb76fac45af8e51" + + "30c81c46a35ce411e5fbc1191a0a52ef" + + "f69f2445df4f9b17ad2b417be66c3710"); + + private static final byte[] output_k128_m0 = Hex.decode("bb1d6929e95937287fa37d129b756746"); + private static final byte[] output_k128_m16 = Hex.decode("070a16b46b4d4144f79bdd9dd04a287c"); + private static final byte[] output_k128_m40 = Hex.decode("dfa66747de9ae63030ca32611497c827"); + private static final byte[] output_k128_m64 = Hex.decode("51f0bebf7e3b9d92fc49741779363cfe"); + + private static final byte[] output_k192_m0 = Hex.decode("d17ddf46adaacde531cac483de7a9367"); + private static final byte[] output_k192_m16 = Hex.decode("9e99a7bf31e710900662f65e617c5184"); + private static final byte[] output_k192_m40 = Hex.decode("8a1de5be2eb31aad089a82e6ee908b0e"); + private static final byte[] output_k192_m64 = Hex.decode("a1d5df0eed790f794d77589659f39a11"); + + private static final byte[] output_k256_m0 = Hex.decode("028962f61b7bf89efc6b551f4667d983"); + private static final byte[] output_k256_m16 = Hex.decode("28a7023f452e8f82bd4bf28d8c37c35c"); + private static final byte[] output_k256_m40 = Hex.decode("aaf3d8f1de5640c232f5b169b9c911e6"); + private static final byte[] output_k256_m64 = Hex.decode("e1992190549f6ed5696a2c056c315410"); + + private final byte[] output_des_ede = Hex.decode("1ca670dea381d37c"); + + public CMacTest() + { + } + + public void performTest() + throws Exception + { + Mac mac = Mac.getInstance("AESCMAC", "BC"); + + //128 bytes key + + SecretKeySpec key = new SecretKeySpec(keyBytes128, "AES"); + + // 0 bytes message - 128 bytes key + mac.init(key); + + mac.update(input0, 0, input0.length); + + byte[] out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k128_m0)) + { + fail("Failed - expected " + new String(Hex.encode(output_k128_m0)) + + " got " + new String(Hex.encode(out))); + } + + // 16 bytes message - 128 bytes key + mac.init(key); + + mac.update(input16, 0, input16.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k128_m16)) + { + fail("Failed - expected " + new String(Hex.encode(output_k128_m16)) + + " got " + new String(Hex.encode(out))); + } + + // 40 bytes message - 128 bytes key + mac.init(key); + + mac.update(input40, 0, input40.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k128_m40)) + { + fail("Failed - expected " + new String(Hex.encode(output_k128_m40)) + + " got " + new String(Hex.encode(out))); + } + + // 64 bytes message - 128 bytes key + mac.init(key); + + mac.update(input64, 0, input64.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k128_m64)) + { + fail("Failed - expected " + new String(Hex.encode(output_k128_m64)) + + " got " + new String(Hex.encode(out))); + } + + //192 bytes key + + key = new SecretKeySpec(keyBytes192, "AES"); + + // 0 bytes message - 192 bytes key + mac.init(key); + + mac.update(input0, 0, input0.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k192_m0)) + { + fail("Failed - expected " + new String(Hex.encode(output_k192_m0)) + + " got " + new String(Hex.encode(out))); + } + + // 16 bytes message - 192 bytes key + mac.init(key); + + mac.update(input16, 0, input16.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k192_m16)) + { + fail("Failed - expected " + new String(Hex.encode(output_k192_m16)) + + " got " + new String(Hex.encode(out))); + } + + // 40 bytes message - 192 bytes key + mac.init(key); + + mac.update(input40, 0, input40.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k192_m40)) + { + fail("Failed - expected " + new String(Hex.encode(output_k192_m40)) + + " got " + new String(Hex.encode(out))); + } + + // 64 bytes message - 192 bytes key + mac.init(key); + + mac.update(input64, 0, input64.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k192_m64)) + { + fail("Failed - expected " + new String(Hex.encode(output_k192_m64)) + + " got " + new String(Hex.encode(out))); + } + + //256 bytes key + + key = new SecretKeySpec(keyBytes256, "AES"); + + // 0 bytes message - 256 bytes key + mac.init(key); + + mac.update(input0, 0, input0.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k256_m0)) + { + fail("Failed - expected " + new String(Hex.encode(output_k256_m0)) + + " got " + new String(Hex.encode(out))); + } + + // 16 bytes message - 256 bytes key + mac.init(key); + + mac.update(input16, 0, input16.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k256_m16)) + { + fail("Failed - expected " + new String(Hex.encode(output_k256_m16)) + + " got " + new String(Hex.encode(out))); + } + + // 40 bytes message - 256 bytes key + mac.init(key); + + mac.update(input40, 0, input40.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k256_m40)) + { + fail("Failed - expected " + new String(Hex.encode(output_k256_m40)) + + " got " + new String(Hex.encode(out))); + } + + // 64 bytes message - 256 bytes key + mac.init(key); + + mac.update(input64, 0, input64.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_k256_m64)) + { + fail("Failed - expected " + new String(Hex.encode(output_k256_m64)) + + " got " + new String(Hex.encode(out))); + } + + mac = Mac.getInstance("DESedeCMAC", "BC"); + + //DESede + + key = new SecretKeySpec(keyBytes128, "DESede"); + + // 0 bytes message - 128 bytes key + mac.init(key); + + mac.update(input0, 0, input0.length); + + out = new byte[mac.getMacLength()]; + + mac.doFinal(out, 0); + + if (!areEqual(out, output_des_ede)) + { + fail("Failed - expected " + new String(Hex.encode(output_des_ede)) + + " got " + new String(Hex.encode(out))); + } + } + + public String getName() + { + return "CMac"; + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CMacTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CRL5Test.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CRL5Test.java new file mode 100644 index 00000000..8b1c022a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CRL5Test.java @@ -0,0 +1,268 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.security.Security; +import java.security.cert.CertificateFactory; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLEntry; +import java.util.Iterator; +import java.util.Set; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + +public class CRL5Test + extends SimpleTest +{ + byte[] inDirectCrl = Base64.decode( + "MIIdXjCCHMcCAQEwDQYJKoZIhvcNAQEFBQAwdDELMAkGA1UEBhMCREUxHDAaBgNV" + +"BAoUE0RldXRzY2hlIFRlbGVrb20gQUcxFzAVBgNVBAsUDlQtVGVsZVNlYyBUZXN0" + +"MS4wDAYHAoIGAQoHFBMBMTAeBgNVBAMUF1QtVGVsZVNlYyBUZXN0IERJUiA4OlBO" + +"Fw0wNjA4MDQwODQ1MTRaFw0wNjA4MDQxNDQ1MTRaMIIbfzB+AgQvrj/pFw0wMzA3" + +"MjIwNTQxMjhaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP+oXDTAzMDcyMjA1NDEyOFowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/5xcNMDQwNDA1MTMxODE3WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/oFw0wNDA0" + +"MDUxMzE4MTdaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP+UXDTAzMDExMzExMTgxMVowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/5hcNMDMwMTEzMTExODExWjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/jFw0wMzAx" + +"MTMxMTI2NTZaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP+QXDTAzMDExMzExMjY1NlowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/4hcNMDQwNzEzMDc1ODM4WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/eFw0wMzAy" + +"MTcwNjMzMjVaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP98XDTAzMDIxNzA2MzMyNVowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/0xcNMDMwMjE3MDYzMzI1WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/dFw0wMzAx" + +"MTMxMTI4MTRaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP9cXDTAzMDExMzExMjcwN1owZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/2BcNMDMwMTEzMTEyNzA3WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/VFw0wMzA0" + +"MzAxMjI3NTNaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP9YXDTAzMDQzMDEyMjc1M1owZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/xhcNMDMwMjEyMTM0NTQwWjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFUVEMgVGVzdCBDQSAxMTpQTjCBkAIEL64/xRcNMDMw" + +"MjEyMTM0NTQwWjB5MHcGA1UdHQEB/wRtMGukaTBnMQswCQYDVQQGEwJERTEcMBoG" + +"A1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEQMA4GA1UECxQHVGVsZVNlYzEoMAwG" + +"BwKCBgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNTpQTjB+AgQvrj/CFw0w" + +"MzAyMTIxMzA5MTZaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRww" + +"GgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNV" + +"BAMUEVRUQyBUZXN0IENBIDExOlBOMIGQAgQvrj/BFw0wMzAyMTIxMzA4NDBaMHkw" + +"dwYDVR0dAQH/BG0wa6RpMGcxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2No" + +"ZSBUZWxla29tIEFHMRAwDgYDVQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAY" + +"BgNVBAMUEVNpZ0cgVGVzdCBDQSA1OlBOMH4CBC+uP74XDTAzMDIxNzA2MzcyNVow" + +"ZzBlBgNVHR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRz" + +"Y2hlIFRlbGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRVFRDIFRlc3Qg" + +"Q0EgMTE6UE4wgZACBC+uP70XDTAzMDIxNzA2MzcyNVoweTB3BgNVHR0BAf8EbTBr" + +"pGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcx" + +"EDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBU" + +"ZXN0IENBIDU6UE4wgZACBC+uP7AXDTAzMDIxMjEzMDg1OVoweTB3BgNVHR0BAf8E" + +"bTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20g" + +"QUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2ln" + +"RyBUZXN0IENBIDU6UE4wgZACBC+uP68XDTAzMDIxNzA2MzcyNVoweTB3BgNVHR0B" + +"Af8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVr" + +"b20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQR" + +"U2lnRyBUZXN0IENBIDU6UE4wfgIEL64/kxcNMDMwNDEwMDUyNjI4WjBnMGUGA1Ud" + +"HQEB/wRbMFmkVzBVMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVs" + +"ZWtvbSBBRzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFUVEMgVGVzdCBDQSAxMTpQ" + +"TjCBkAIEL64/khcNMDMwNDEwMDUyNjI4WjB5MHcGA1UdHQEB/wRtMGukaTBnMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEQMA4GA1UE" + +"CxQHVGVsZVNlYzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0Eg" + +"NTpQTjB+AgQvrj8/Fw0wMzAyMjYxMTA0NDRaMGcwZQYDVR0dAQH/BFswWaRXMFUx" + +"CzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYH" + +"AoIGAQoHFBMBMTAYBgNVBAMUEVRUQyBUZXN0IENBIDExOlBOMIGQAgQvrj8+Fw0w" + +"MzAyMjYxMTA0NDRaMHkwdwYDVR0dAQH/BG0wa6RpMGcxCzAJBgNVBAYTAkRFMRww" + +"GgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAwDgYDVQQLFAdUZWxlU2VjMSgw" + +"DAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVzdCBDQSA1OlBOMH4CBC+uPs0X" + +"DTAzMDUyMDA1MjczNlowZzBlBgNVHR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUx" + +"HDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgG" + +"A1UEAxQRVFRDIFRlc3QgQ0EgMTE6UE4wgZACBC+uPswXDTAzMDUyMDA1MjczNlow" + +"eTB3BgNVHR0BAf8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRz" + +"Y2hlIFRlbGVrb20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwEx" + +"MBgGA1UEAxQRU2lnRyBUZXN0IENBIDY6UE4wfgIEL64+PBcNMDMwNjE3MTAzNDE2" + +"WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1" + +"dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFUVEMgVGVz" + +"dCBDQSAxMTpQTjCBkAIEL64+OxcNMDMwNjE3MTAzNDE2WjB5MHcGA1UdHQEB/wRt" + +"MGukaTBnMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBB" + +"RzEQMA4GA1UECxQHVGVsZVNlYzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFTaWdH" + +"IFRlc3QgQ0EgNjpQTjCBkAIEL64+OhcNMDMwNjE3MTAzNDE2WjB5MHcGA1UdHQEB" + +"/wRtMGukaTBnMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtv" + +"bSBBRzEQMA4GA1UECxQHVGVsZVNlYzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFT" + +"aWdHIFRlc3QgQ0EgNjpQTjB+AgQvrj45Fw0wMzA2MTcxMzAxMDBaMGcwZQYDVR0d" + +"AQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxl" + +"a29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVRUQyBUZXN0IENBIDExOlBO" + +"MIGQAgQvrj44Fw0wMzA2MTcxMzAxMDBaMHkwdwYDVR0dAQH/BG0wa6RpMGcxCzAJ" + +"BgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAwDgYDVQQL" + +"FAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVzdCBDQSA2" + +"OlBOMIGQAgQvrj43Fw0wMzA2MTcxMzAxMDBaMHkwdwYDVR0dAQH/BG0wa6RpMGcx" + +"CzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAwDgYD" + +"VQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVzdCBD" + +"QSA2OlBOMIGQAgQvrj42Fw0wMzA2MTcxMzAxMDBaMHkwdwYDVR0dAQH/BG0wa6Rp" + +"MGcxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAw" + +"DgYDVQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVz" + +"dCBDQSA2OlBOMIGQAgQvrj4zFw0wMzA2MTcxMDM3NDlaMHkwdwYDVR0dAQH/BG0w" + +"a6RpMGcxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFH" + +"MRAwDgYDVQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cg" + +"VGVzdCBDQSA2OlBOMH4CBC+uPjEXDTAzMDYxNzEwNDI1OFowZzBlBgNVHR0BAf8E" + +"WzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20g" + +"QUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRVFRDIFRlc3QgQ0EgMTE6UE4wgZAC" + +"BC+uPjAXDTAzMDYxNzEwNDI1OFoweTB3BgNVHR0BAf8EbTBrpGkwZzELMAkGA1UE" + +"BhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAOBgNVBAsUB1Rl" + +"bGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDY6UE4w" + +"gZACBC+uPakXDTAzMTAyMjExMzIyNFoweTB3BgNVHR0BAf8EbTBrpGkwZzELMAkG" + +"A1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAOBgNVBAsU" + +"B1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDY6" + +"UE4wgZACBC+uPLIXDTA1MDMxMTA2NDQyNFoweTB3BgNVHR0BAf8EbTBrpGkwZzEL" + +"MAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAOBgNV" + +"BAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENB" + +"IDY6UE4wgZACBC+uPKsXDTA0MDQwMjA3NTQ1M1oweTB3BgNVHR0BAf8EbTBrpGkw" + +"ZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAO" + +"BgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0" + +"IENBIDY6UE4wgZACBC+uOugXDTA1MDEyNzEyMDMyNFoweTB3BgNVHR0BAf8EbTBr" + +"pGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcx" + +"EDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBU" + +"ZXN0IENBIDY6UE4wgZACBC+uOr4XDTA1MDIxNjA3NTcxNloweTB3BgNVHR0BAf8E" + +"bTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20g" + +"QUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2ln" + +"RyBUZXN0IENBIDY6UE4wgZACBC+uOqcXDTA1MDMxMDA1NTkzNVoweTB3BgNVHR0B" + +"Af8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVr" + +"b20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQR" + +"U2lnRyBUZXN0IENBIDY6UE4wgZACBC+uOjwXDTA1MDUxMTEwNDk0NloweTB3BgNV" + +"HR0BAf8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UE" + +"AxQRU2lnRyBUZXN0IENBIDY6UE4wgaoCBC+sbdUXDTA1MTExMTEwMDMyMVowgZIw" + +"gY8GA1UdHQEB/wSBhDCBgaR/MH0xCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0" + +"c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLFBZQcm9kdWt0emVudHJ1bSBUZWxlU2Vj" + +"MS8wDAYHAoIGAQoHFBMBMTAfBgNVBAMUGFRlbGVTZWMgUEtTIFNpZ0cgQ0EgMTpQ" + +"TjCBlQIEL64uaBcNMDYwMTIzMTAyNTU1WjB+MHwGA1UdHQEB/wRyMHCkbjBsMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEWMBQGA1UE" + +"CxQNWmVudHJhbGUgQm9ubjEnMAwGBwKCBgEKBxQTATEwFwYDVQQDFBBUVEMgVGVz" + +"dCBDQSA5OlBOMIGVAgQvribHFw0wNjA4MDEwOTQ4NDRaMH4wfAYDVR0dAQH/BHIw" + +"cKRuMGwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFH" + +"MRYwFAYDVQQLFA1aZW50cmFsZSBCb25uMScwDAYHAoIGAQoHFBMBMTAXBgNVBAMU" + +"EFRUQyBUZXN0IENBIDk6UE6ggZswgZgwCwYDVR0UBAQCAhEMMB8GA1UdIwQYMBaA" + +"FANbyNumDI9545HwlCF26NuOJC45MA8GA1UdHAEB/wQFMAOEAf8wVwYDVR0SBFAw" + +"ToZMbGRhcDovL3Brc2xkYXAudHR0Yy5kZS9vdT1ULVRlbGVTZWMgVGVzdCBESVIg" + +"ODpQTixvPURldXRzY2hlIFRlbGVrb20gQUcsYz1kZTANBgkqhkiG9w0BAQUFAAOB" + +"gQBewL5gLFHpeOWO07Vk3Gg7pRDuAlvaovBH4coCyCWpk5jEhUfFSYEDuaQB7do4" + +"IlJmeTHvkI0PIZWJ7bwQ2PVdipPWDx0NVwS/Cz5jUKiS3BbAmZQZOueiKLFpQq3A" + +"b8aOHA7WHU4078/1lM+bgeu33Ln1CGykEbmSjA/oKPi/JA=="); + + byte[] directCRL = Base64.decode( + "MIIGXTCCBckCAQEwCgYGKyQDAwECBQAwdDELMAkGA1UEBhMCREUxHDAaBgNVBAoU" + +"E0RldXRzY2hlIFRlbGVrb20gQUcxFzAVBgNVBAsUDlQtVGVsZVNlYyBUZXN0MS4w" + +"DAYHAoIGAQoHFBMBMTAeBgNVBAMUF1QtVGVsZVNlYyBUZXN0IERJUiA4OlBOFw0w" + +"NjA4MDQwODQ1MTRaFw0wNjA4MDQxNDQ1MTRaMIIElTAVAgQvrj/pFw0wMzA3MjIw" + +"NTQxMjhaMBUCBC+uP+oXDTAzMDcyMjA1NDEyOFowFQIEL64/5xcNMDQwNDA1MTMx" + +"ODE3WjAVAgQvrj/oFw0wNDA0MDUxMzE4MTdaMBUCBC+uP+UXDTAzMDExMzExMTgx" + +"MVowFQIEL64/5hcNMDMwMTEzMTExODExWjAVAgQvrj/jFw0wMzAxMTMxMTI2NTZa" + +"MBUCBC+uP+QXDTAzMDExMzExMjY1NlowFQIEL64/4hcNMDQwNzEzMDc1ODM4WjAV" + +"AgQvrj/eFw0wMzAyMTcwNjMzMjVaMBUCBC+uP98XDTAzMDIxNzA2MzMyNVowFQIE" + +"L64/0xcNMDMwMjE3MDYzMzI1WjAVAgQvrj/dFw0wMzAxMTMxMTI4MTRaMBUCBC+u" + +"P9cXDTAzMDExMzExMjcwN1owFQIEL64/2BcNMDMwMTEzMTEyNzA3WjAVAgQvrj/V" + +"Fw0wMzA0MzAxMjI3NTNaMBUCBC+uP9YXDTAzMDQzMDEyMjc1M1owFQIEL64/xhcN" + +"MDMwMjEyMTM0NTQwWjAVAgQvrj/FFw0wMzAyMTIxMzQ1NDBaMBUCBC+uP8IXDTAz" + +"MDIxMjEzMDkxNlowFQIEL64/wRcNMDMwMjEyMTMwODQwWjAVAgQvrj++Fw0wMzAy" + +"MTcwNjM3MjVaMBUCBC+uP70XDTAzMDIxNzA2MzcyNVowFQIEL64/sBcNMDMwMjEy" + +"MTMwODU5WjAVAgQvrj+vFw0wMzAyMTcwNjM3MjVaMBUCBC+uP5MXDTAzMDQxMDA1" + +"MjYyOFowFQIEL64/khcNMDMwNDEwMDUyNjI4WjAVAgQvrj8/Fw0wMzAyMjYxMTA0" + +"NDRaMBUCBC+uPz4XDTAzMDIyNjExMDQ0NFowFQIEL64+zRcNMDMwNTIwMDUyNzM2" + +"WjAVAgQvrj7MFw0wMzA1MjAwNTI3MzZaMBUCBC+uPjwXDTAzMDYxNzEwMzQxNlow" + +"FQIEL64+OxcNMDMwNjE3MTAzNDE2WjAVAgQvrj46Fw0wMzA2MTcxMDM0MTZaMBUC" + +"BC+uPjkXDTAzMDYxNzEzMDEwMFowFQIEL64+OBcNMDMwNjE3MTMwMTAwWjAVAgQv" + +"rj43Fw0wMzA2MTcxMzAxMDBaMBUCBC+uPjYXDTAzMDYxNzEzMDEwMFowFQIEL64+" + +"MxcNMDMwNjE3MTAzNzQ5WjAVAgQvrj4xFw0wMzA2MTcxMDQyNThaMBUCBC+uPjAX" + +"DTAzMDYxNzEwNDI1OFowFQIEL649qRcNMDMxMDIyMTEzMjI0WjAVAgQvrjyyFw0w" + +"NTAzMTEwNjQ0MjRaMBUCBC+uPKsXDTA0MDQwMjA3NTQ1M1owFQIEL6466BcNMDUw" + +"MTI3MTIwMzI0WjAVAgQvrjq+Fw0wNTAyMTYwNzU3MTZaMBUCBC+uOqcXDTA1MDMx" + +"MDA1NTkzNVowFQIEL646PBcNMDUwNTExMTA0OTQ2WjAVAgQvrG3VFw0wNTExMTEx" + +"MDAzMjFaMBUCBC+uLmgXDTA2MDEyMzEwMjU1NVowFQIEL64mxxcNMDYwODAxMDk0" + +"ODQ0WqCBijCBhzALBgNVHRQEBAICEQwwHwYDVR0jBBgwFoAUA1vI26YMj3njkfCU" + +"IXbo244kLjkwVwYDVR0SBFAwToZMbGRhcDovL3Brc2xkYXAudHR0Yy5kZS9vdT1U" + +"LVRlbGVTZWMgVGVzdCBESVIgODpQTixvPURldXRzY2hlIFRlbGVrb20gQUcsYz1k" + +"ZTAKBgYrJAMDAQIFAAOBgQArj4eMlbAwuA2aS5O4UUUHQMKKdK/dtZi60+LJMiMY" + +"ojrMIf4+ZCkgm1Ca0Cd5T15MJxVHhh167Ehn/Hd48pdnAP6Dfz/6LeqkIHGWMHR+" + +"z6TXpwWB+P4BdUec1ztz04LypsznrHcLRa91ixg9TZCb1MrOG+InNhleRs1ImXk8" + +"MQ=="); + + + public String getName() + { + return "CRL5"; + } + + public void indirectCRLTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + ByteArrayInputStream in = new ByteArrayInputStream(inDirectCrl); + X509CRL crl = (X509CRL) cf.generateCRL(in); + Set set = crl.getRevokedCertificates(); + Iterator it = set.iterator(); + while (it.hasNext()) + { + if (((X509CRLEntry)it.next()).getCertificateIssuer() == null) + { + fail("certificate issuer CRL entry extension is null"); + } + } + } + + public void directCRLTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + ByteArrayInputStream in = new ByteArrayInputStream(directCRL); + X509CRL crl = (X509CRL) cf.generateCRL(in); + Set set = crl.getRevokedCertificates(); + Iterator it = set.iterator(); + while (it.hasNext()) + { + if (((X509CRLEntry)it.next()).getCertificateIssuer() != null) + { + fail("certificate issuer CRL entry extension is not null"); + } + } + } + + public void performTest() + throws Exception + { + indirectCRLTest(); + directCRLTest(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CRL5Test()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CamelliaTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CamelliaTest.java new file mode 100644 index 00000000..9ee56c77 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CamelliaTest.java @@ -0,0 +1,189 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.asn1.ntt.NTTObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.spec.SecretKeySpec; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.IOException; +import java.security.Key; +import java.security.Security; + +/** + * basic test class for Camellia + */ +public class CamelliaTest + extends BaseBlockCipherTest +{ + static String[] cipherTests = + { + "128", + "0123456789abcdeffedcba9876543210", + "0123456789abcdeffedcba9876543210", + "67673138549669730857065648eabe43", + "192", + "0123456789abcdeffedcba98765432100011223344556677", + "0123456789abcdeffedcba9876543210", + "b4993401b3e996f84ee5cee7d79b09b9", + "256", + "0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff", + "0123456789abcdeffedcba9876543210", + "9acc237dff16d76c20ef7c919e3a7509", + }; + + public CamelliaTest() + { + super("Camellia"); + } + + public void test( + int strength, + byte[] keyBytes, + byte[] input, + byte[] output) + throws Exception + { + Key key; + Cipher in, out; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + key = new SecretKeySpec(keyBytes, "Camellia"); + + in = Cipher.getInstance("Camellia/ECB/NoPadding", "BC"); + out = Cipher.getInstance("Camellia/ECB/NoPadding", "BC"); + + try + { + out.init(Cipher.ENCRYPT_MODE, key); + } + catch (Exception e) + { + fail("Camellia failed initialisation - " + e.toString(), e); + } + + try + { + in.init(Cipher.DECRYPT_MODE, key); + } + catch (Exception e) + { + fail("Camellia failed initialisation - " + e.toString(), e); + } + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + try + { + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + } + catch (IOException e) + { + fail("Camellia failed encryption - " + e.toString(), e); + } + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!areEqual(bytes, output)) + { + fail("Camellia failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + try + { + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + } + catch (Exception e) + { + fail("Camellia failed encryption - " + e.toString(), e); + } + + if (!areEqual(bytes, input)) + { + fail("Camellia failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + } + + public void performTest() + throws Exception + { + for (int i = 0; i != cipherTests.length; i += 4) + { + test(Integer.parseInt(cipherTests[i]), + Hex.decode(cipherTests[i + 1]), + Hex.decode(cipherTests[i + 2]), + Hex.decode(cipherTests[i + 3])); + } + + byte[] kek1 = Hex.decode("000102030405060708090a0b0c0d0e0f"); + byte[] in1 = Hex.decode("00112233445566778899aabbccddeeff"); + byte[] out1 = Hex.decode("635d6ac46eedebd3a7f4a06421a4cbd1746b24795ba2f708"); + + wrapTest(1, "CamelliaWrap", kek1, in1, out1); + + String[] oids = { + NTTObjectIdentifiers.id_camellia128_cbc.getId(), + NTTObjectIdentifiers.id_camellia192_cbc.getId(), + NTTObjectIdentifiers.id_camellia256_cbc.getId() + }; + + String[] names = { + "Camellia/CBC/PKCS7Padding", + "Camellia/CBC/PKCS7Padding", + "Camellia/CBC/PKCS7Padding" + }; + + oidTest(oids, names, 1); + + String[] wrapOids = { + NTTObjectIdentifiers.id_camellia128_wrap.getId(), + NTTObjectIdentifiers.id_camellia192_wrap.getId(), + NTTObjectIdentifiers.id_camellia256_wrap.getId() + }; + + wrapOidTest(wrapOids, "CamelliaWrap"); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CamelliaTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathBuilderTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathBuilderTest.java new file mode 100644 index 00000000..85f4fad4 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathBuilderTest.java @@ -0,0 +1,142 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.Security; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Calendar; +import java.util.Collections; +import java.util.Date; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; + +public class CertPathBuilderTest + extends SimpleTest +{ + + private void baseTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + // initialise CertStore + X509Certificate rootCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(CertPathTest.finalCertBin)); + X509CRL rootCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(CertPathTest.rootCrlBin)); + X509CRL interCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(CertPathTest.interCrlBin)); + List list = new ArrayList(); + list.add(rootCert); + list.add(interCert); + list.add(finalCert); + list.add(rootCrl); + list.add(interCrl); + CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); + CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); + Calendar validDate = Calendar.getInstance(); + validDate.set(2008,8,4,14,49,10); + + //Searching for rootCert by subjectDN without CRL + Set trust = new HashSet(); + trust.add(new TrustAnchor(rootCert, null)); + + CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC"); + X509CertSelector targetConstraints = new X509CertSelector(); + targetConstraints.setSubject(finalCert.getSubjectX500Principal().getEncoded()); + PKIXBuilderParameters params = new PKIXBuilderParameters(trust, targetConstraints); + params.addCertStore(store); + params.setDate(validDate.getTime()); + PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) cpb.build(params); + CertPath path = result.getCertPath(); + + if (path.getCertificates().size() != 2) + { + fail("wrong number of certs in baseTest path"); + } + } + + private void v0Test() + throws Exception + { + // create certificates and CRLs + KeyPair rootPair = TestUtils.generateRSAKeyPair(); + KeyPair interPair = TestUtils.generateRSAKeyPair(); + KeyPair endPair = TestUtils.generateRSAKeyPair(); + + X509Certificate rootCert = TestUtils.generateRootCert(rootPair); + X509Certificate interCert = TestUtils.generateIntermediateCert(interPair.getPublic(), rootPair.getPrivate(), rootCert); + X509Certificate endCert = TestUtils.generateEndEntityCert(endPair.getPublic(), interPair.getPrivate(), interCert); + + BigInteger revokedSerialNumber = BigInteger.valueOf(2); + X509CRL rootCRL = TestUtils.createCRL(rootCert, rootPair.getPrivate(), revokedSerialNumber); + X509CRL interCRL = TestUtils.createCRL(interCert, interPair.getPrivate(), revokedSerialNumber); + + // create CertStore to support path building + List list = new ArrayList(); + + list.add(rootCert); + list.add(interCert); + list.add(endCert); + list.add(rootCRL); + list.add(interCRL); + + CollectionCertStoreParameters params = new CollectionCertStoreParameters(list); + CertStore store = CertStore.getInstance("Collection", params); + + // build the path + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); + X509CertSelector pathConstraints = new X509CertSelector(); + + pathConstraints.setSubject(endCert.getSubjectX500Principal().getEncoded()); + + PKIXBuilderParameters buildParams = new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(rootCert, null)), pathConstraints); + + buildParams.addCertStore(store); + buildParams.setDate(new Date()); + + PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)builder.build(buildParams); + CertPath path = result.getCertPath(); + + if (path.getCertificates().size() != 2) + { + fail("wrong number of certs in v0Test path"); + } + } + + public void performTest() + throws Exception + { + baseTest(); + v0Test(); + } + + public String getName() + { + return "CertPathBuilder"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertPathBuilderTest()); + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathTest.java new file mode 100644 index 00000000..5e00b618 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathTest.java @@ -0,0 +1,369 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectOutputStream; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathBuilderResult; +import java.security.cert.CertStore; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import java.util.Vector; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + +public class CertPathTest + extends SimpleTest +{ + public static byte[] rootCertBin = Base64.decode( + "MIIBqzCCARQCAQEwDQYJKoZIhvcNAQEFBQAwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTAeFw0wODA5MDQwNDQ1MDhaFw0wODA5MTEwNDQ1MDhaMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMRLUjhPe4YUdLo6EcjKcWUOG7CydFTH53Pr1lWjOkbmszYDpkhCTT9LOsI+disk18nkBxSl8DAHTqV+VxtuTPt64iyi10YxyDeep+DwZG/f8cVQv97U3hA9cLurZ2CofkMLGr6JpSGCMZ9FcstcTdHB4lbErIJ54YqfF4pNOs4/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAgyrTEFY7ALpeY59jL6xFOLpuPqoBOWrUWv6O+zy5BCU0qiX71r3BpigtxRj+DYcfLIM9FNERDoHu3TthD3nwYWUBtFX8N0QUJIdJabxqAMhLjSC744koiFpCYse5Ye3ZvEdFwDzgAQsJTp5eFGgTZPkPzcdhkFJ2p9+OWs+cb24="); + + + static byte[] interCertBin = Base64.decode( + "MIICSzCCAbSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTA4MDkwNDA0NDUwOFoXDTA4MDkxMTA0NDUwOFowKDEmMCQGA1UEAxMdVGVzdCBJbnRlcm1lZGlhdGUgQ2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAISS9OOZ2wxzdWny9aVvk4Joq+dwSJ+oqvHUxX3PflZyuiLiCBUOUE4q59dGKdtNX5fIfwyK3cpV0e73Y/0fwfM3m9rOWFrCKOhfeswNTes0w/2PqPVVDDsF/nj7NApuqXwioeQlgTL251RDF4sVoxXqAU7lRkcqwZt3mwqS4KTJAgMBAAGjgY4wgYswRgYDVR0jBD8wPYAUhv8BOT27EB9JaCccJD4YASPP5XWhIqQgMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGWCAQEwHQYDVR0OBBYEFL/IwAGOkHzaQyPZegy79CwM5oTFMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBBQUAA4GBAE4TRgUz4sUvZyVdZxqV+XyNRnqXAeLOOqFGYv2D96tQrS+zjd0elVlT6lFrtchZdOmmX7R6/H/tjMWMcTBICZyRYrvK8cCAmDOI+EIdq5p6lj2Oq6Pbw/wruojAqNrpaR6IkwNpWtdOSSupv4IJL+YU9q2YFTh4R1j3tOkPoFGr"); + + static byte[] finalCertBin = Base64.decode( + "MIICRjCCAa+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAoMSYwJAYDVQQDEx1UZXN0IEludGVybWVkaWF0ZSBDZXJ0aWZpY2F0ZTAeFw0wODA5MDQwNDQ1MDhaFw0wODA5MTEwNDQ1MDhaMB8xHTAbBgNVBAMTFFRlc3QgRW5kIENlcnRpZmljYXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChpUeo0tPYywWKiLlbWKNJBcCpSaLSlaZ+4+yer1AxI5yJIVHP6SAlBghlbD5Qne5ImnN/15cz1xwYAiul6vGKJkVPlFEe2Mr+g/J/WJPQQPsjbZ1G+vxbAwXEDA4KaQrnpjRZFq+CdKHwOjuPLYS/MYQNgdIvDVEQcTbPQ8GaiQIDAQABo4GIMIGFMEYGA1UdIwQ/MD2AFL/IwAGOkHzaQyPZegy79CwM5oTFoSKkIDAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlggEBMB0GA1UdDgQWBBSVkw+VpqBf3zsLc/9GdkK9TzHPwDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOBgQBLv/0bVDjzTs/y1vN3FUiZNknEbzupIZduTuXJjqv/vBX+LDPjUfu/+iOCXOSKoRn6nlOWhwB1z6taG2usQkFG8InMkRcPREi2uVgFdhJ/1C3dAWhsdlubjdL926bftXvxnx/koDzyrePW5U96RlOQM2qLvbaky2Giz6hrc3Wl+w=="); + public static byte[] rootCrlBin = Base64.decode( + "MIIBYjCBzAIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlFw0wODA5MDQwNDQ1MDhaFw0wODA5MDQwNzMxNDhaMCIwIAIBAhcNMDgwOTA0MDQ0NTA4WjAMMAoGA1UdFQQDCgEJoFYwVDBGBgNVHSMEPzA9gBSG/wE5PbsQH0loJxwkPhgBI8/ldaEipCAwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZYIBATAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOBgQCAbaFCo0BNG4AktVf6jjBLeawP1u0ELYkOCEGvYZE0mBpQ+OvFg7subZ6r3lRIj030nUli28sPFtu5ZQMBNcpE4nS1ziF44RfT3Lp5UgHx9x17Krz781iEyV+7zU8YxYMY9wULD+DCuK294kGKIssVNbmTYXZatBNoXQN5CLIocA=="); + static byte[] interCrlBin = Base64.decode( + "MIIBbDCB1gIBATANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1UZXN0IEludGVybWVkaWF0ZSBDZXJ0aWZpY2F0ZRcNMDgwOTA0MDQ0NTA4WhcNMDgwOTA0MDczMTQ4WjAiMCACAQIXDTA4MDkwNDA0NDUwOFowDDAKBgNVHRUEAwoBCaBWMFQwRgYDVR0jBD8wPYAUv8jAAY6QfNpDI9l6DLv0LAzmhMWhIqQgMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGWCAQEwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADgYEAEVCr5TKs5yguGgLH+dBzmSPoeSIWJFLsgWwJEit/iUDJH3dgYmaczOcGxIDtbYYHLWIHM+P2YRyQz3MEkCXEgm/cx4y7leAmux5l+xQWgmxFPz+197vaphPeCZo+B7V1CWtm518gcq4mrs9ovfgNqgyFj7KGjcBpWdJE32KMt50="); + + /* + * certpath with a circular reference + */ + static byte[] certA = Base64.decode( + "MIIC6jCCAlOgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIzMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ2NTda" + + "Fw0xNzAzMzAwODQ0MDBaMIGlMScwJQYDVQQDHh4AQQByAG0AaQBuACAASADkAGIA" + + "ZQByAGwAaQBuAGcxCzAJBgNVBAYTAkNIMQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNV" + + "BAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNwaGVyZSBBRzEQMA4GA1UECxMHVGVzdGlu" + + "ZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5AcHJpdmFzcGhlcmUuY29tMIGfMA0GCSqG" + + "SIb3DQEBAQUAA4GNADCBiQKBgQCfHfyVs5dbxG35H/Thd29qR4NZU88taCu/OWA1" + + "GdACI02lXWYpmLWiDgnU0ULP+GG8OnVp1IES9fz2zcrXKQ19xZzsen/To3h5sNte" + + "cJpS00XMM24q/jDwy5NvkBP9YIfFKQ1E/0hFHXcqwlw+b/y/v6YGsZCU2h6QDzc4" + + "5m0+BwIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIE8DAeBglg" + + "hkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4GBAJEu" + + "KiSfIwsY7SfobMLrv2v/BtLhGLi4RnmjiwzBhuv5rn4rRfBpq1ppmqQMJ2pmA67v" + + "UWCY+mNwuyjHyivpCCyJGsZ9d5H09g2vqxzkDBMz7X9VNMZYFH8j/R3/Cfvqks31" + + "z0OFslJkeKLa1I0P/dfVHsRKNkLRT3Ws5LKksErQ"); + + static byte[] certB = Base64.decode( + "MIICtTCCAh6gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIyMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ2Mzha" + + "Fw0xNzAzMzAwODQ0MDBaMIGNMQ8wDQYDVQQDEwZJbnRlcjMxCzAJBgNVBAYTAkNI" + + "MQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNVBAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNw" + + "aGVyZSBBRzEQMA4GA1UECxMHVGVzdGluZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5A" + + "cHJpdmFzcGhlcmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxCXIB" + + "QRnmVvl2h7Q+0SsRxDLnyM1dJG9jMa+UCCmHy0k/ZHs5VirSbjEJSjkQ9BGeh9SC" + + "7JwbMpXO7UE+gcVc2RnWUY+MA+fWIeTV4KtkYA8WPu8wVGCXbN8wwh/StOocszxb" + + "g+iLvGeh8CYSRqg6QN3S/02etH3o8H4e7Z0PZwIDAQABoyMwITAPBgNVHRMBAf8E" + + "BTADAQH/MA4GA1UdDwEB/wQEAwIB9jANBgkqhkiG9w0BAQQFAAOBgQCtWdirSsmt" + + "+CBBCNn6ZnbU3QqQfiiQIomjenNEHESJgaS/+PvPE5i3xWFXsunTHLW321/Km16I" + + "7+ZvT8Su1cqHg79NAT8QB0yke1saKSy2C0Pic4HwrNqVBWFNSxMU0hQzpx/ZXDbZ" + + "DqIXAp5EfyRYBy2ul+jm6Rot6aFgzuopKg=="); + + static byte[] certC = Base64.decode( + "MIICtTCCAh6gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIxMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ0Mzla" + + "Fw0xNzAzMzAwODQ0MDBaMIGNMQ8wDQYDVQQDEwZJbnRlcjIxCzAJBgNVBAYTAkNI" + + "MQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNVBAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNw" + + "aGVyZSBBRzEQMA4GA1UECxMHVGVzdGluZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5A" + + "cHJpdmFzcGhlcmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0rLr6" + + "f2/ONeJzTb0q9M/NNX+MnAFMSqiQGVBkT76u5nOH4KLkpHXkzI82JI7GuQMzoT3a" + + "+RP1hO6FneO92ms2soC6xiOFb4EC69Dfhh87Nww5O35JxVF0bzmbmIAWd6P/7zGh" + + "nd2S4tKkaZcubps+C0j9Fgi0hipVicAOUVVoDQIDAQABoyMwITAPBgNVHRMBAf8E" + + "BTADAQH/MA4GA1UdDwEB/wQEAwIB9jANBgkqhkiG9w0BAQQFAAOBgQCLPvc1IMA4" + + "YP+PmnEldyUoRWRnvPWjBGeu0WheBP7fdcnGBf93Nmc5j68ZN+eTZ5VMuZ99YdvH" + + "CXGNX6oodONLU//LlFKdLl5xjLAS5X9p1RbOEGytnalqeiEpjk4+C/7rIBG1kllO" + + "dItmI6LlEMV09Hkpg6ZRAUmRkb8KrM4X7A=="); + + static byte[] certD = Base64.decode( + "MIICtTCCAh6gAwIBAgIBBjANBgkqhkiG9w0BAQQFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIzMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ5NTNa" + + "Fw0xNzAzMzAwODQ0MDBaMIGNMQ8wDQYDVQQDEwZJbnRlcjExCzAJBgNVBAYTAkNI" + + "MQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNVBAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNw" + + "aGVyZSBBRzEQMA4GA1UECxMHVGVzdGluZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5A" + + "cHJpdmFzcGhlcmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCae3TP" + + "jIVKeASqvNabaiUHAMGUgFxB7L0yUsIj39azLcLtUj4S7XkDf7SMGtYV0JY1XNaQ" + + "sHJAsnJivDZc50oiYvqDYfgFZx5+AsN5l5X5rjRzs/OX+Jo+k1OgsIyu6+mf9Kfb" + + "5IdWOVB2EcOg4f9tPjLM8CIj9Pp7RbKLyqUUgwIDAQABoyMwITAPBgNVHRMBAf8E" + + "BTADAQH/MA4GA1UdDwEB/wQEAwIB9jANBgkqhkiG9w0BAQQFAAOBgQCgr9kUdWUT" + + "Lt9UcztSzR3pnHRsyvS0E/z850OKQKS5/VxLEalpFvhj+3EcZ7Y6mFxaaS2B7vXg" + + "2YWyqV1PRb6iF7/u9EXkpSTKGrJahwANirCa3V/HTUuPdCE2GITlnWI8h3eVA+xQ" + + "D4LF0PXHOkXbwmhXRSb10lW1bSGkUxE9jg=="); + + private void testExceptions() + throws Exception + { + byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 }; + MyCertPath mc = new MyCertPath(enc); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + ByteArrayInputStream is; + byte[] arr; + + ObjectOutputStream oOut = new ObjectOutputStream(os); + oOut.writeObject(mc); + oOut.flush(); + oOut.close(); + + try + { + CertificateFactory cFac = CertificateFactory.getInstance("X.509", + "BC"); + arr = os.toByteArray(); + is = new ByteArrayInputStream(arr); + cFac.generateCertPath(is); + } + catch (CertificateException e) + { + // ignore okay + } + + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + List certCol = new ArrayList(); + + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certA))); + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certB))); + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certC))); + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certD))); + + CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", "BC"); + X509CertSelector select = new X509CertSelector(); + select.setSubject(((X509Certificate)certCol.get(0)).getSubjectX500Principal().getEncoded()); + + Set trustanchors = new HashSet(); + trustanchors.add(new TrustAnchor((X509Certificate)cf.generateCertificate(new ByteArrayInputStream(rootCertBin)), null)); + + CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); + + PKIXBuilderParameters params = new PKIXBuilderParameters(trustanchors, select); + params.addCertStore(certStore); + + try + { + CertPathBuilderResult result = pathBuilder.build(params); + CertPath path = result.getCertPath(); + fail("found cert path in circular set"); + } + catch (CertPathBuilderException e) + { + // expected + } + } + + public void performTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate rootCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(rootCertBin)); + X509Certificate interCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(interCertBin)); + X509Certificate finalCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(finalCertBin)); + + //Testing CertPath generation from List + List list = new ArrayList(); + list.add(interCert); + CertPath certPath1 = cf.generateCertPath(list); + + //Testing CertPath encoding as PkiPath + byte[] encoded = certPath1.getEncoded("PkiPath"); + + //Testing CertPath generation from InputStream + ByteArrayInputStream inStream = new ByteArrayInputStream(encoded); + CertPath certPath2 = cf.generateCertPath(inStream, "PkiPath"); + + //Comparing both CertPathes + if (!certPath2.equals(certPath1)) + { + fail("CertPath differ after encoding and decoding."); + } + + encoded = certPath1.getEncoded("PKCS7"); + + //Testing CertPath generation from InputStream + inStream = new ByteArrayInputStream(encoded); + certPath2 = cf.generateCertPath(inStream, "PKCS7"); + + //Comparing both CertPathes + if (!certPath2.equals(certPath1)) + { + fail("CertPath differ after encoding and decoding."); + } + + encoded = certPath1.getEncoded("PEM"); + + //Testing CertPath generation from InputStream + inStream = new ByteArrayInputStream(encoded); + certPath2 = cf.generateCertPath(inStream, "PEM"); + + //Comparing both CertPathes + if (!certPath2.equals(certPath1)) + { + fail("CertPath differ after encoding and decoding."); + } + + // + // empty list test + // + list = new ArrayList(); + + CertPath certPath = CertificateFactory.getInstance("X.509","BC").generateCertPath(list); + if (certPath.getCertificates().size() != 0) + { + fail("list wrong size."); + } + + // + // exception tests + // + testExceptions(); + } + + public String getName() + { + return "CertPath"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertPathTest()); + } + + private static class MyCertificate extends Certificate + { + private final byte[] encoding; + + public MyCertificate(String type, byte[] encoding) + { + super(type); + // don't copy to allow null parameter in test + this.encoding = encoding; + } + + public byte[] getEncoded() throws CertificateEncodingException + { + // do copy to force NPE in test + return (byte[])encoding.clone(); + } + + public void verify(PublicKey key) throws CertificateException, + NoSuchAlgorithmException, InvalidKeyException, + NoSuchProviderException, SignatureException + { + } + + public void verify(PublicKey key, String sigProvider) + throws CertificateException, NoSuchAlgorithmException, + InvalidKeyException, NoSuchProviderException, + SignatureException + { + } + + public String toString() + { + return "[My test Certificate, type: " + getType() + "]"; + } + + public PublicKey getPublicKey() + { + return new PublicKey() + { + public String getAlgorithm() + { + return "TEST"; + } + + public byte[] getEncoded() + { + return new byte[] { (byte)1, (byte)2, (byte)3 }; + } + + public String getFormat() + { + return "TEST_FORMAT"; + } + }; + } + } + + private static class MyCertPath extends CertPath + { + private final Vector certificates; + + private final Vector encodingNames; + + private final byte[] encoding; + + public MyCertPath(byte[] encoding) + { + super("MyEncoding"); + this.encoding = encoding; + certificates = new Vector(); + certificates.add(new MyCertificate("MyEncoding", encoding)); + encodingNames = new Vector(); + encodingNames.add("MyEncoding"); + } + + public List getCertificates() + { + return Collections.unmodifiableList(certificates); + } + + public byte[] getEncoded() throws CertificateEncodingException + { + return (byte[])encoding.clone(); + } + + public byte[] getEncoded(String encoding) + throws CertificateEncodingException + { + if (getType().equals(encoding)) + { + return (byte[])this.encoding.clone(); + } + throw new CertificateEncodingException("Encoding not supported: " + + encoding); + } + + public Iterator getEncodings() + { + return Collections.unmodifiableCollection(encodingNames).iterator(); + } + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathValidatorTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathValidatorTest.java new file mode 100644 index 00000000..d1857b83 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertPathValidatorTest.java @@ -0,0 +1,395 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.security.PublicKey; +import java.security.Security; +import java.security.cert.CertPath; +import java.security.cert.CertPathValidator; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertStore; +import java.security.cert.CertStoreParameters; +import java.security.cert.Certificate; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.PKIXCertPathValidatorResult; +import java.security.cert.PKIXParameters; +import java.security.cert.PolicyNode; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Calendar; +import java.util.Collection; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + +public class CertPathValidatorTest + extends SimpleTest +{ + private byte[] AC_PR = Base64.decode( + "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFU1RDQ0F6R2dBd0lC" + + "QWdJQkJUQU5CZ2txaGtpRzl3MEJBUVVGQURDQnRERUxNQWtHQTFVRUJoTUNR" + + "bEl4DQpFekFSQmdOVkJBb1RDa2xEVUMxQ2NtRnphV3d4UFRBN0JnTlZCQXNU" + + "TkVsdWMzUnBkSFYwYnlCT1lXTnBiMjVoDQpiQ0JrWlNCVVpXTnViMnh2WjJs" + + "aElHUmhJRWx1Wm05eWJXRmpZVzhnTFNCSlZFa3hFVEFQQmdOVkJBY1RDRUp5" + + "DQpZWE5wYkdsaE1Rc3dDUVlEVlFRSUV3SkVSakV4TUM4R0ExVUVBeE1vUVhW" + + "MGIzSnBaR0ZrWlNCRFpYSjBhV1pwDQpZMkZrYjNKaElGSmhhWG9nUW5KaGMy" + + "bHNaV2x5WVRBZUZ3MHdNakEwTURReE9UTTVNREJhRncwd05UQTBNRFF5DQpN" + + "elU1TURCYU1HRXhDekFKQmdOVkJBWVRBa0pTTVJNd0VRWURWUVFLRXdwSlEx" + + "QXRRbkpoYzJsc01UMHdPd1lEDQpWUVFERXpSQmRYUnZjbWxrWVdSbElFTmxj" + + "blJwWm1sallXUnZjbUVnWkdFZ1VISmxjMmxrWlc1amFXRWdaR0VnDQpVbVZ3" + + "ZFdKc2FXTmhNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJD" + + "Z0tDQVFFQXMwc0t5NGsrDQp6b016aldyMTQxeTVYQ045UGJMZERFQXN2cjZ4" + + "Z0NCN1l5bEhIQ1NBYmpGR3dOQ0R5NlVxN1h0VjZ6UHdIMXpGDQpFWENlS3Jm" + + "UUl5YXBXSEZ4V1VKajBMblFrY1RZM1FOR1huK0JuVk9EVTZDV3M1c3NoZktH" + + "RXZyVlQ1Z214V1NmDQp4OFlsdDgzY1dwUE1QZzg3VDlCaHVIbHQzazh2M2Ev" + + "NmRPbmF2dytOYTAyZExBaDBlNzZqcCtQUS9LK0pHZlBuDQphQjVVWURrZkd0" + + "em5uTTNBV01tY3VJK0o0ek5OMDZaa3ZnbDFsdEo2UU1qcnZEUFlSak9ndDlT" + + "cklpY1NmbEo4DQptVDdHWGRRaXJnQUNXc3g1QURBSklRK253TU1vNHlyTUtx" + + "SlFhNFFDMHhhT0QvdkdVcG9SaDQzT0FTZFp3c3YvDQpPWFlybmVJeVAwVCs4" + + "UUlEQVFBQm80RzNNSUcwTUQwR0ExVWRId1EyTURRd01xQXdvQzZHTEdoMGRI" + + "QTZMeTloDQpZM0poYVhvdWFXTndZbkpoYzJsc0xtZHZkaTVpY2k5TVExSmhZ" + + "M0poYVhvdVkzSnNNQklHQTFVZElBUUxNQWt3DQpCd1lGWUV3QkFRRXdIUVlE" + + "VlIwT0JCWUVGREpUVFlKNE9TWVB5T09KZkVMZXhDaHppK2hiTUI4R0ExVWRJ" + + "d1FZDQpNQmFBRklyNjhWZUVFUk0xa0VMNlYwbFVhUTJreFBBM01BNEdBMVVk" + + "RHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CDQpBZjhFQlRBREFRSC9NQTBHQ1Nx" + + "R1NJYjNEUUVCQlFVQUE0SUJBUUJRUFNoZ1lidnFjaWV2SDVVb3ZMeXhkbkYr" + + "DQpFcjlOeXF1SWNkMnZ3Y0N1SnpKMkQ3WDBUcWhHQ0JmUEpVVkdBVWorS0NP" + + "SDFCVkgva1l1OUhsVHB1MGtKWFBwDQpBQlZkb2hJUERqRHhkbjhXcFFSL0Yr" + + "ejFDaWtVcldIMDR4eTd1N1p6UUpLSlBuR0loY1FpOElyRm1PYkllMEc3DQpY" + + "WTZPTjdPRUZxY21KTFFHWWdtRzFXMklXcytQd1JwWTdENGhLVEFoVjFSNkVv" + + "amE1L3BPcmVDL09kZXlQWmVxDQo1SUZTOUZZZk02U0Npd2hrK3l2Q1FHbVo0" + + "YzE5SjM0ZjVFYkRrK1NQR2tEK25EQ0E3L3VMUWNUMlJURE14SzBaDQpuZlo2" + + "Nm1Sc0ZjcXRGaWdScjVFcmtKZDdoUVV6eHNOV0VrNzJEVUFIcVgvNlNjeWtt" + + "SkR2V0plSUpqZlcNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0NCg=="); + + private byte[] AC_RAIZ_ICPBRASIL = Base64.decode( + "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFdURDQ0E2Q2dBd0lC" + + "QWdJQkJEQU5CZ2txaGtpRzl3MEJBUVVGQURDQnRERUxNQWtHQTFVRUJoTUNR" + + "bEl4DQpFekFSQmdOVkJBb1RDa2xEVUMxQ2NtRnphV3d4UFRBN0JnTlZCQXNU" + + "TkVsdWMzUnBkSFYwYnlCT1lXTnBiMjVoDQpiQ0JrWlNCVVpXTnViMnh2WjJs" + + "aElHUmhJRWx1Wm05eWJXRmpZVzhnTFNCSlZFa3hFVEFQQmdOVkJBY1RDRUp5" + + "DQpZWE5wYkdsaE1Rc3dDUVlEVlFRSUV3SkVSakV4TUM4R0ExVUVBeE1vUVhW" + + "MGIzSnBaR0ZrWlNCRFpYSjBhV1pwDQpZMkZrYjNKaElGSmhhWG9nUW5KaGMy" + + "bHNaV2x5WVRBZUZ3MHdNVEV4TXpBeE1qVTRNREJhRncweE1URXhNekF5DQpN" + + "elU1TURCYU1JRzBNUXN3Q1FZRFZRUUdFd0pDVWpFVE1CRUdBMVVFQ2hNS1NV" + + "TlFMVUp5WVhOcGJERTlNRHNHDQpBMVVFQ3hNMFNXNXpkR2wwZFhSdklFNWhZ" + + "Mmx2Ym1Gc0lHUmxJRlJsWTI1dmJHOW5hV0VnWkdFZ1NXNW1iM0p0DQpZV05o" + + "YnlBdElFbFVTVEVSTUE4R0ExVUVCeE1JUW5KaGMybHNhV0V4Q3pBSkJnTlZC" + + "QWdUQWtSR01URXdMd1lEDQpWUVFERXloQmRYUnZjbWxrWVdSbElFTmxjblJw" + + "Wm1sallXUnZjbUVnVW1GcGVpQkNjbUZ6YVd4bGFYSmhNSUlCDQpJakFOQmdr" + + "cWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBd1BNdWR3WC9odm0r" + + "VWgyYi9sUUFjSFZBDQppc2FtYUxrV2Rrd1A5L1MvdE9LSWdSckw2T3krWklH" + + "bE9VZGQ2dVl0azlNYS8zcFVwZ2NmTkFqMHZZbTVnc3lqDQpRbzllbXNjK3g2" + + "bTRWV3drOWlxTVpTQ0s1RVFrQXEvVXQ0bjdLdUxFMStnZGZ0d2RJZ3hmVXNQ" + + "dDRDeU5yWTUwDQpRVjU3S00yVVQ4eDVycm16RWpyN1RJQ0dwU1VBbDJnVnFl" + + "NnhhaWkrYm1ZUjFRcm1XYUJTQUc1OUxya3Jqcll0DQpiUmhGYm9VRGUxREsr" + + "NlQ4czVMNms4Yzhva3BiSHBhOXZlTXp0RFZDOXNQSjYwTVdYaDZhblZLbzFV" + + "Y0xjYlVSDQp5RWVOdlpuZVZSS0FBVTZvdXdkakR2d2xzYUt5ZEZLd2VkMFRv" + + "UTQ3Ym1VS2djbSt3VjNlVFJrMzZVT25Ud0lEDQpBUUFCbzRIU01JSFBNRTRH" + + "QTFVZElBUkhNRVV3UXdZRllFd0JBUUF3T2pBNEJnZ3JCZ0VGQlFjQ0FSWXNh" + + "SFIwDQpjRG92TDJGamNtRnBlaTVwWTNCaWNtRnphV3d1WjI5MkxtSnlMMFJR" + + "UTJGamNtRnBlaTV3WkdZd1BRWURWUjBmDQpCRFl3TkRBeW9EQ2dMb1lzYUhS" + + "MGNEb3ZMMkZqY21GcGVpNXBZM0JpY21GemFXd3VaMjkyTG1KeUwweERVbUZq" + + "DQpjbUZwZWk1amNtd3dIUVlEVlIwT0JCWUVGSXI2OFZlRUVSTTFrRUw2VjBs" + + "VWFRMmt4UEEzTUE4R0ExVWRFd0VCDQovd1FGTUFNQkFmOHdEZ1lEVlIwUEFR" + + "SC9CQVFEQWdFR01BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQVpBNWMxDQpV" + + "L2hnSWg2T2NnTEFmaUpnRldwdm1EWldxbFYzMC9iSEZwajhpQm9iSlNtNXVE" + + "cHQ3VGlyWWgxVXhlM2ZRYUdsDQpZakplKzl6ZCtpelBSYkJxWFBWUUEzNEVY" + + "Y3drNHFwV3VmMWhIcmlXZmRyeDhBY3FTcXI2Q3VRRndTcjc1Rm9zDQpTemx3" + + "REFEYTcwbVQ3d1pqQW1RaG5aeDJ4SjZ3ZldsVDlWUWZTLy9KWWVJYzdGdWUy" + + "Sk5MZDAwVU9TTU1haUsvDQp0NzllbktOSEVBMmZ1cEgzdkVpZ2Y1RWg0YlZB" + + "TjVWb2hyVG02TVk1M3g3WFFaWnIxTUU3YTU1bEZFblNlVDB1DQptbE9BalIy" + + "bUFidlNNNVg1b1NaTnJtZXRkenlUajJmbENNOENDN01MYWIwa2tkbmdSSWxV" + + "QkdIRjEvUzVubVBiDQpLKzlBNDZzZDMzb3FLOG44DQotLS0tLUVORCBDRVJU" + + "SUZJQ0FURS0tLS0tDQo="); + + private byte[] schefer = Base64.decode( + "MIIEnDCCBAWgAwIBAgICIPAwDQYJKoZIhvcNAQEEBQAwgcAxCzAJBgNVBAYT" + + "AkRFMQ8wDQYDVQQIEwZIRVNTRU4xGDAWBgNVBAcTDzY1MDA4IFdpZXNiYWRl" + + "bjEaMBgGA1UEChMRU0NIVUZBIEhPTERJTkcgQUcxGjAYBgNVBAsTEVNDSFVG" + + "QSBIT0xESU5HIEFHMSIwIAYDVQQDExlJbnRlcm5ldCBCZW51dHplciBTZXJ2" + + "aWNlMSowKAYJKoZIhvcNAQkBFht6ZXJ0aWZpa2F0QHNjaHVmYS1vbmxpbmUu" + + "ZGUwHhcNMDQwMzMwMTEwODAzWhcNMDUwMzMwMTEwODAzWjCBnTELMAkGA1UE" + + "BhMCREUxCjAIBgNVBAcTASAxIzAhBgNVBAoTGlNIUyBJbmZvcm1hdGlvbnNz" + + "eXN0ZW1lIEFHMRwwGgYDVQQLExM2MDAvMDU5NDktNjAwLzA1OTQ5MRgwFgYD" + + "VQQDEw9TY2hldHRlciBTdGVmYW4xJTAjBgkqhkiG9w0BCQEWFlN0ZWZhbi5T" + + "Y2hldHRlckBzaHMuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJD0" + + "95Bi76fkAMjJNTGPDiLPHmZXNsmakngDeS0juzKMeJA+TjXFouhYh6QyE4Bl" + + "Nf18fT4mInlgLefwf4t6meIWbiseeTo7VQdM+YrbXERMx2uHsRcgZMsiMYHM" + + "kVfYMK3SMJ4nhCmZxrBkoTRed4gXzVA1AA8YjjTqMyyjvt4TAgMBAAGjggHE" + + "MIIBwDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIEsDALBgNVHQ8EBAMC" + + "BNAwOQYJYIZIAYb4QgENBCwWKlplcnRpZmlrYXQgbnVyIGZ1ZXIgU0NIVUZB" + + "LU9ubGluZSBndWVsdGlnLjAdBgNVHQ4EFgQUXReirhBfg0Yhf6MsBWoo/nPa" + + "hGwwge0GA1UdIwSB5TCB4oAUf2UyCaBV9JUeG9lS1Yo6OFBUdEKhgcakgcMw" + + "gcAxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIRVNTRU4xGDAWBgNVBAcTDzY1" + + "MDA4IFdpZXNiYWRlbjEaMBgGA1UEChMRU0NIVUZBIEhPTERJTkcgQUcxGjAY" + + "BgNVBAsTEVNDSFVGQSBIT0xESU5HIEFHMSIwIAYDVQQDExlJbnRlcm5ldCBC" + + "ZW51dHplciBTZXJ2aWNlMSowKAYJKoZIhvcNAQkBFht6ZXJ0aWZpa2F0QHNj" + + "aHVmYS1vbmxpbmUuZGWCAQAwIQYDVR0RBBowGIEWU3RlZmFuLlNjaGV0dGVy" + + "QHNocy5kZTAmBgNVHRIEHzAdgRt6ZXJ0aWZpa2F0QHNjaHVmYS1vbmxpbmUu" + + "ZGUwDQYJKoZIhvcNAQEEBQADgYEAWzZtN9XQ9uyrFXqSy3hViYwV751+XZr0" + + "YH5IFhIS+9ixNAu8orP3bxqTaMhpwoU7T/oSsyGGSkb3fhzclgUADbA2lrOI" + + "GkeB/m+FArTwRbwpqhCNTwZywOp0eDosgPjCX1t53BB/m/2EYkRiYdDGsot0" + + "kQPOVGSjQSQ4+/D+TM8="); + + // circular dependency certificates + private static final byte[] circCA = Base64.decode( + "MIIDTzCCAjegAwIBAgIDARAAMA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNVBAYT" + + "AkZSMRAwDgYDVQQKEwdHSVAtQ1BTMRgwFgYDVQQLEw9HSVAtQ1BTIEFOT05Z" + + "TUUwHhcNMDQxMDExMDAwMDAxWhcNMTQxMjMxMjM1OTU5WjA5MQswCQYDVQQG" + + "EwJGUjEQMA4GA1UEChMHR0lQLUNQUzEYMBYGA1UECxMPR0lQLUNQUyBBTk9O" + + "WU1FMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3WyWDwcM58aU" + + "hPX4ueI1mwETt3WdQtMfIdRiCXeBrjCkYCc7nIgCmGbnfTzXSplHRgKColWh" + + "q/Z+1rHYayje1gjAEU2+4/r1P2pnBmPgquDuguktCIbDtCcGZu0ylyKeHh37" + + "aeIKzkcmRSLRzvGf/eO3RdFksrvaPaSjqCVfGRXVDKK2uftE8rIFJE+bCqow" + + "6+WiaAaDDiJaSJPuu5hC1NA5jw0/BFodlCuAvl1GJ8A+TICkYWcSpKS9bkSC" + + "0i8xdGbSSk94shA1PdDvRdFMfFys8g4aupBXV8yqqEAUkBYmOtZSJckc3W4y" + + "2Gx53y7vY07Xh63mcgtJs2T82WJICwIDAQABo2AwXjAdBgNVHQ4EFgQU8c/P" + + "NNJaL0srd9SwHwgtvwPB/3cwDgYDVR0PAQH/BAQDAgIEMBkGA1UdIAQSMBAw" + + "DgYMKoF6AUcDBwgAAAABMBIGA1UdEwEB/wQIMAYBAf8CAQEwDQYJKoZIhvcN" + + "AQEFBQADggEBAHRjYDPJKlfUzID0YzajZpgR/i2ngJrJqYeaWCmwzBgNUPad" + + "uBKSGHmPVg21sfULMSnirnR+e90i/D0EVzLwQzcbjPDD/85rp9QDCeMxqqPe" + + "9ZCHGs2BpE/HOQMP0QfQ3/Kpk7SvOH/ZcpIf6+uE6lLBQYAGs5cxvtTGOzZk" + + "jCVFG+TrAnF4V5sNkn3maCWiYLmyqcnxtKEFSONy2bYqqudx/dBBlRrDbRfZ" + + "9XsCBdiXAHY1hFHldbfDs8rslmkXJi3fJC028HZYB6oiBX/JE7BbMk7bRnUf" + + "HSpP7Sjxeso2SY7Yit+hQDVAlqTDGmh6kLt/hQMpsOMry4vgBL6XHKw="); + + private static final byte[] circCRLCA = Base64.decode( + "MIIDXDCCAkSgAwIBAgIDASAAMA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNVBAYT" + + "AkZSMRAwDgYDVQQKEwdHSVAtQ1BTMRgwFgYDVQQLEw9HSVAtQ1BTIEFOT05Z" + + "TUUwHhcNMDQxMDExMDAwMDAxWhcNMTQxMjMxMjM1OTU5WjA5MQswCQYDVQQG" + + "EwJGUjEQMA4GA1UEChMHR0lQLUNQUzEYMBYGA1UECxMPR0lQLUNQUyBBTk9O" + + "WU1FMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwfEcFK0g7Kfo" + + "o5f2IBF7VEd/AG+RVGSds0Yg+u2kNYu4k04HR/+tOdBQtJvyr4W5jrQKsC5X" + + "skeFWMyWaFKzAjZDWB52HWp/kiMivGcxnYDuYf5piukSC+d2+vL8YaAphDzV" + + "HPnxEKqoM/J66uUussDTqfcL3JC/Bc7kBwn4srrsZOsamMWTQQtEqVQxNN7A" + + "ROSRsdiTt3hMOKditc9/NBNmjZWxgc7Twr/SaZ8CfN5wf2wuOl23knWL0QsJ" + + "0lSMBSBTzTcfAke4/jIT7d4nVMp3t7dsna8rt56pFK4wpRFGuCt+1P5gi51x" + + "xVSdI+JoNXv6zGO4o8YVaRpC5rQeGQIDAQABo20wazAfBgNVHSMEGDAWgBTx" + + "z8800lovSyt31LAfCC2/A8H/dzAdBgNVHQ4EFgQUGa3SbBrJx/wa2MQwhWPl" + + "dwLw1+IwDgYDVR0PAQH/BAQDAgECMBkGA1UdIAQSMBAwDgYMKoF6AUcDBwgA" + + "AAABMA0GCSqGSIb3DQEBBQUAA4IBAQAPDpYe2WPYnXTLsXSIUREBNMLmg+/7" + + "4Yhq9uOm5Hb5LVkDuHoEHGfmpXXEvucx5Ehu69hw+F4YSrd9wPjOiG8G6GXi" + + "RcrK8nE8XDvvV+E1HpJ7NKN4fSAoSb+0gliiq3aF15bvXP8nfespdd/x1xWQ" + + "mpYCx/mJeuqONQv2/D/7hfRKYoDBaAkWGodenPFPVs6FxwnEuH2R+KWCUdA9" + + "L04v8JBeL3kZiALkU7+DCCm7A0imUAgeeArbAbfIPu6eDygm+XndZ9qi7o4O" + + "AntPxrqbeXFIbDrQ4GV1kpxnW+XpSGDd96SWKe715gxkkDBppR5IKYJwRb6O" + + "1TRQIf2F+muQ"); + + private static final byte[] circCRL = Base64.decode( + "MIIB1DCBvQIBATANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGUjEQMA4G" + + "A1UEChMHR0lQLUNQUzEYMBYGA1UECxMPR0lQLUNQUyBBTk9OWU1FFw0xMDAx" + + "MDcwMzAwMTVaFw0xMDAxMTMwMzAwMTVaMACgTjBMMB8GA1UdIwQYMBaAFBmt" + + "0mwaycf8GtjEMIVj5XcC8NfiMAsGA1UdFAQEAgILgzAcBgNVHRIEFTATgRFh" + + "Yy1naXBAZ2lwLWNwcy5mcjANBgkqhkiG9w0BAQUFAAOCAQEAtF1DdFl1MQvf" + + "vNkbrCPuppNYcHen4+za/ZDepKuwHsH/OpKuaDJc4LndRgd5IwzfpCHkQGzt" + + "shK50bakN8oaYJgthKIOIJzR+fn6NMjftfR2a27Hdk2o3eQXRHQ360qMbpSy" + + "qPb3WfuBhxO2/DlLChJP+OxZIHtT/rNYgE0tlIv7swYi81Gq+DafzaZ9+A5t" + + "I0L2Gp/NUDsp5dF6PllAGiXQzl27qkcu+r50w+u0gul3nobXgbwPcMSYuWUz" + + "1lhA+uDn/EUWV4RSiJciCGSS10WCkFh1/YPo++mV15KDB0m+8chscrSu/bAl" + + "B19LxL/pCX3qr5iLE9ss3olVImyFZg=="); + + private void checkCircProcessing() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate caCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(circCA)); + X509Certificate crlCaCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(circCRLCA)); + X509CRL crl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(circCRL)); + + List list = new ArrayList(); + + list.add(caCert); + list.add(crlCaCert); + list.add(crl); + + CertStoreParameters ccsp = new CollectionCertStoreParameters(list); + CertStore store = CertStore.getInstance("Collection", ccsp); + + Calendar validDate = Calendar.getInstance(); + validDate.set(2010,0,8,2,21,10); + + //validating path + List certchain = new ArrayList(); + + certchain.add(crlCaCert); + CertPath cp = CertificateFactory.getInstance("X.509","BC").generateCertPath(certchain); + + Set trust = new HashSet(); + trust.add(new TrustAnchor(caCert, null)); + + CertPathValidator cpv = CertPathValidator.getInstance("PKIX","BC"); + //PKIXParameters param = new PKIXParameters(trust); + + PKIXBuilderParameters param = new PKIXBuilderParameters(trust, null); + X509CertSelector certSelector = new X509CertSelector(); + certSelector.setCertificate(crlCaCert); + param.setTargetCertConstraints(certSelector); + param.addCertStore(store); + param.setRevocationEnabled(true); + param.setDate(validDate.getTime()); + + PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)cpv.validate(cp, param); + } + + public void performTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + // initialise CertStore + X509Certificate rootCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(CertPathTest.finalCertBin)); + X509CRL rootCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(CertPathTest.rootCrlBin)); + X509CRL interCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(CertPathTest.interCrlBin)); + List list = new ArrayList(); + list.add(rootCert); + list.add(interCert); + list.add(finalCert); + list.add(rootCrl); + list.add(interCrl); + CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); + CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); + Calendar validDate = Calendar.getInstance(); + validDate.set(2008,8,4,14,49,10); + //validating path + List certchain = new ArrayList(); + certchain.add(finalCert); + certchain.add(interCert); + CertPath cp = CertificateFactory.getInstance("X.509","BC").generateCertPath(certchain); + Set trust = new HashSet(); + trust.add(new TrustAnchor(rootCert, null)); + + CertPathValidator cpv = CertPathValidator.getInstance("PKIX","BC"); + PKIXParameters param = new PKIXParameters(trust); + param.addCertStore(store); + param.setDate(validDate.getTime()); + MyChecker checker = new MyChecker(); + param.addCertPathChecker(checker); + + PKIXCertPathValidatorResult result = + (PKIXCertPathValidatorResult) cpv.validate(cp, param); + PolicyNode policyTree = result.getPolicyTree(); + PublicKey subjectPublicKey = result.getPublicKey(); + + if (checker.getCount() != 2) + { + fail("checker not evaluated for each certificate"); + } + + if (!subjectPublicKey.equals(finalCert.getPublicKey())) + { + fail("wrong public key returned"); + } + + // + // invalid path containing a valid one test + // + try + { + // initialise CertStore + rootCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(AC_RAIZ_ICPBRASIL)); + interCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(AC_PR)); + finalCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(schefer)); + + list = new ArrayList(); + list.add(rootCert); + list.add(interCert); + list.add(finalCert); + + ccsp = new CollectionCertStoreParameters(list); + store = CertStore.getInstance("Collection", ccsp); + validDate = Calendar.getInstance(); + validDate.set(2004,2,21,2,21,10); + + //validating path + certchain = new ArrayList(); + certchain.add(finalCert); + certchain.add(interCert); + cp = CertificateFactory.getInstance("X.509","BC").generateCertPath(certchain); + trust = new HashSet(); + trust.add(new TrustAnchor(rootCert, null)); + + cpv = CertPathValidator.getInstance("PKIX","BC"); + param = new PKIXParameters(trust); + param.addCertStore(store); + param.setRevocationEnabled(false); + param.setDate(validDate.getTime()); + + result =(PKIXCertPathValidatorResult) cpv.validate(cp, param); + policyTree = result.getPolicyTree(); + subjectPublicKey = result.getPublicKey(); + + fail("Invalid path validated"); + } + catch (Exception e) + { + if (!(e instanceof CertPathValidatorException + && e.getMessage().startsWith("Could not validate certificate signature."))) + { + fail("unexpected exception", e); + } + } + + checkCircProcessing(); + } + + public String getName() + { + return "CertPathValidator"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertPathValidatorTest()); + } + + + private static class MyChecker + extends PKIXCertPathChecker + { + private static int count; + + public void init(boolean forward) + throws CertPathValidatorException + { + //To change body of implemented methods use File | Settings | File Templates. + } + + public boolean isForwardCheckingSupported() + { + return true; + } + + public Set getSupportedExtensions() + { + return null; + } + + public void check(Certificate cert, Collection unresolvedCritExts) + throws CertPathValidatorException + { + count++; + } + + public int getCount() + { + return count; + } + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertStoreTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertStoreTest.java new file mode 100644 index 00000000..35f55e89 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertStoreTest.java @@ -0,0 +1,235 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; + +import java.io.ByteArrayInputStream; +import java.security.Security; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLSelector; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Iterator; +import java.util.List; + +public class CertStoreTest + extends SimpleTest +{ + + public void performTest() + throws Exception + { + basicTest(); + orderTest(); + } + + private void basicTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate rootCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.finalCertBin)); + X509CRL rootCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream( + CertPathTest.rootCrlBin)); + X509CRL interCrl = (X509CRL)cf + .generateCRL(new ByteArrayInputStream( + CertPathTest.interCrlBin)); + + // Testing CollectionCertStore generation from List + List list = new ArrayList(); + list.add(rootCert); + list.add(interCert); + list.add(finalCert); + list.add(rootCrl); + list.add(interCrl); + CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); + CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); + + // Searching for rootCert by subjectDN + X509CertSelector targetConstraints = new X509CertSelector(); + targetConstraints.setSubject(rootCert.getSubjectX500Principal().getName()); + Collection certs = store.getCertificates(targetConstraints); + if (certs.size() != 1 || !certs.contains(rootCert)) + { + fail("rootCert not found by subjectDN"); + } + + // Searching for rootCert by subjectDN encoded as byte + targetConstraints = new X509CertSelector(); + targetConstraints.setSubject(rootCert.getSubjectX500Principal() + .getEncoded()); + certs = store.getCertificates(targetConstraints); + if (certs.size() != 1 || !certs.contains(rootCert)) + { + fail("rootCert not found by encoded subjectDN"); + } + + // Searching for rootCert by public key encoded as byte + targetConstraints = new X509CertSelector(); + targetConstraints.setSubjectPublicKey(rootCert.getPublicKey() + .getEncoded()); + certs = store.getCertificates(targetConstraints); + if (certs.size() != 1 || !certs.contains(rootCert)) + { + fail("rootCert not found by encoded public key"); + } + + // Searching for interCert by issuerDN + targetConstraints = new X509CertSelector(); + targetConstraints.setIssuer(rootCert.getSubjectX500Principal() + .getEncoded()); + certs = store.getCertificates(targetConstraints); + if (certs.size() != 2) + { + fail("did not found 2 certs"); + } + if (!certs.contains(rootCert)) + { + fail("rootCert not found"); + } + if (!certs.contains(interCert)) + { + fail("interCert not found"); + } + + // Searching for rootCrl by issuerDN + X509CRLSelector targetConstraintsCRL = new X509CRLSelector(); + targetConstraintsCRL.addIssuerName(rootCrl.getIssuerX500Principal() + .getEncoded()); + Collection crls = store.getCRLs(targetConstraintsCRL); + if (crls.size() != 1 || !crls.contains(rootCrl)) + { + fail("rootCrl not found"); + } + } + + private void orderTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate rootCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.finalCertBin)); + + List list = new ArrayList(); + list.add(rootCert); + list.add(interCert); + list.add(finalCert); + CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); + CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); + + Iterator certs = store.getCertificates(null).iterator(); + + if (!certs.next().equals(rootCert)) + { + fail("root ordering wrong"); + } + if (!certs.next().equals(interCert)) + { + fail("mid ordering wrong"); + } + if (!certs.next().equals(finalCert)) + { + fail("final ordering wrong"); + } + + list = new ArrayList(); + list.add(finalCert); + list.add(interCert); + list.add(rootCert); + ccsp = new CollectionCertStoreParameters(list); + store = CertStore.getInstance("Collection", ccsp, "BC"); + + certs = store.getCertificates(null).iterator(); + + if (!certs.next().equals(finalCert)) + { + fail("reverse final ordering wrong"); + } + if (!certs.next().equals(interCert)) + { + fail("reverse mid ordering wrong"); + } + if (!certs.next().equals(rootCert)) + { + fail("reverse root ordering wrong"); + } + + X509CRL rootCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream( + CertPathTest.rootCrlBin)); + X509CRL interCrl = (X509CRL)cf + .generateCRL(new ByteArrayInputStream( + CertPathTest.interCrlBin)); + + list = new ArrayList(); + list.add(finalCert); + list.add(rootCrl); + list.add(interCrl); + + ccsp = new CollectionCertStoreParameters(list); + store = CertStore.getInstance("Collection", ccsp, "BC"); + + Iterator crls = store.getCRLs(null).iterator(); + + if (!crls.next().equals(rootCrl)) + { + fail("root crl ordering wrong"); + } + if (!crls.next().equals(interCrl)) + { + fail("mid crl ordering wrong"); + } + + list = new ArrayList(); + list.add(finalCert); + list.add(interCrl); + list.add(rootCrl); + ccsp = new CollectionCertStoreParameters(list); + store = CertStore.getInstance("Collection", ccsp, "BC"); + + crls = store.getCRLs(null).iterator(); + + if (!crls.next().equals(interCrl)) + { + fail("reverse mid crl ordering wrong"); + } + if (!crls.next().equals(rootCrl)) + { + fail("reverse root crl ordering wrong"); + } + } + + public String getName() + { + return "CertStore"; + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertStoreTest()); + } + +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertTest.java new file mode 100644 index 00000000..7977f1c1 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertTest.java @@ -0,0 +1,2891 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.UnsupportedEncodingException; +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.cert.CRL; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLEntry; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.util.Collection; +import java.util.Date; +import java.util.Hashtable; +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import java.util.Vector; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.DEREnumerated; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.DERSet; +import org.bouncycastle.asn1.DERTaggedObject; +import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; +import org.bouncycastle.asn1.cms.ContentInfo; +import org.bouncycastle.asn1.cms.SignedData; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier; +import org.bouncycastle.asn1.x509.CRLReason; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.KeyPurposeId; +import org.bouncycastle.asn1.x509.X509CertificateStructure; +import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.jce.X509KeyUsage; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.interfaces.ECPointEncoder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPrivateKeySpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.jce.spec.GOST3410ParameterSpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.Integers; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.io.Streams; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509V1CertificateGenerator; +import org.bouncycastle.x509.X509V2CRLGenerator; +import org.bouncycastle.x509.X509V3CertificateGenerator; +import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; +import org.bouncycastle.x509.extension.X509ExtensionUtil; + +public class CertTest + extends SimpleTest +{ + // + // server.crt + // + byte[] cert1 = Base64.decode( + "MIIDXjCCAsegAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBtzELMAkGA1UEBhMCQVUx" + + "ETAPBgNVBAgTCFZpY3RvcmlhMRgwFgYDVQQHEw9Tb3V0aCBNZWxib3VybmUxGjAY" + + "BgNVBAoTEUNvbm5lY3QgNCBQdHkgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB" + + "dXRob3JpdHkxFTATBgNVBAMTDENvbm5lY3QgNCBDQTEoMCYGCSqGSIb3DQEJARYZ" + + "d2VibWFzdGVyQGNvbm5lY3Q0LmNvbS5hdTAeFw0wMDA2MDIwNzU2MjFaFw0wMTA2" + + "MDIwNzU2MjFaMIG4MQswCQYDVQQGEwJBVTERMA8GA1UECBMIVmljdG9yaWExGDAW" + + "BgNVBAcTD1NvdXRoIE1lbGJvdXJuZTEaMBgGA1UEChMRQ29ubmVjdCA0IFB0eSBM" + + "dGQxFzAVBgNVBAsTDldlYnNlcnZlciBUZWFtMR0wGwYDVQQDExR3d3cyLmNvbm5l" + + "Y3Q0LmNvbS5hdTEoMCYGCSqGSIb3DQEJARYZd2VibWFzdGVyQGNvbm5lY3Q0LmNv" + + "bS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArvDxclKAhyv7Q/Wmr2re" + + "Gw4XL9Cnh9e+6VgWy2AWNy/MVeXdlxzd7QAuc1eOWQkGQEiLPy5XQtTY+sBUJ3AO" + + "Rvd2fEVJIcjf29ey7bYua9J/vz5MG2KYo9/WCHIwqD9mmG9g0xLcfwq/s8ZJBswE" + + "7sb85VU+h94PTvsWOsWuKaECAwEAAaN3MHUwJAYDVR0RBB0wG4EZd2VibWFzdGVy" + + "QGNvbm5lY3Q0LmNvbS5hdTA6BglghkgBhvhCAQ0ELRYrbW9kX3NzbCBnZW5lcmF0" + + "ZWQgY3VzdG9tIHNlcnZlciBjZXJ0aWZpY2F0ZTARBglghkgBhvhCAQEEBAMCBkAw" + + "DQYJKoZIhvcNAQEEBQADgYEAotccfKpwSsIxM1Hae8DR7M/Rw8dg/RqOWx45HNVL" + + "iBS4/3N/TO195yeQKbfmzbAA2jbPVvIvGgTxPgO1MP4ZgvgRhasaa0qCJCkWvpM4" + + "yQf33vOiYQbpv4rTwzU8AmRlBG45WdjyNIigGV+oRc61aKCTnLq7zB8N3z1TF/bF" + + "5/8="); + + // + // ca.crt + // + byte[] cert2 = Base64.decode( + "MIIDbDCCAtWgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBtzELMAkGA1UEBhMCQVUx" + + "ETAPBgNVBAgTCFZpY3RvcmlhMRgwFgYDVQQHEw9Tb3V0aCBNZWxib3VybmUxGjAY" + + "BgNVBAoTEUNvbm5lY3QgNCBQdHkgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB" + + "dXRob3JpdHkxFTATBgNVBAMTDENvbm5lY3QgNCBDQTEoMCYGCSqGSIb3DQEJARYZ" + + "d2VibWFzdGVyQGNvbm5lY3Q0LmNvbS5hdTAeFw0wMDA2MDIwNzU1MzNaFw0wMTA2" + + "MDIwNzU1MzNaMIG3MQswCQYDVQQGEwJBVTERMA8GA1UECBMIVmljdG9yaWExGDAW" + + "BgNVBAcTD1NvdXRoIE1lbGJvdXJuZTEaMBgGA1UEChMRQ29ubmVjdCA0IFB0eSBM" + + "dGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAxMMQ29u" + + "bmVjdCA0IENBMSgwJgYJKoZIhvcNAQkBFhl3ZWJtYXN0ZXJAY29ubmVjdDQuY29t" + + "LmF1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgs5ptNG6Qv1ZpCDuUNGmv" + + "rhjqMDPd3ri8JzZNRiiFlBA4e6/ReaO1U8ASewDeQMH6i9R6degFdQRLngbuJP0s" + + "xcEE+SksEWNvygfzLwV9J/q+TQDyJYK52utb++lS0b48A1KPLwEsyL6kOAgelbur" + + "ukwxowprKUIV7Knf1ajetQIDAQABo4GFMIGCMCQGA1UdEQQdMBuBGXdlYm1hc3Rl" + + "ckBjb25uZWN0NC5jb20uYXUwDwYDVR0TBAgwBgEB/wIBADA2BglghkgBhvhCAQ0E" + + "KRYnbW9kX3NzbCBnZW5lcmF0ZWQgY3VzdG9tIENBIGNlcnRpZmljYXRlMBEGCWCG" + + "SAGG+EIBAQQEAwICBDANBgkqhkiG9w0BAQQFAAOBgQCsGvfdghH8pPhlwm1r3pQk" + + "msnLAVIBb01EhbXm2861iXZfWqGQjrGAaA0ZpXNk9oo110yxoqEoSJSzniZa7Xtz" + + "soTwNUpE0SLHvWf/SlKdFWlzXA+vOZbzEv4UmjeelekTm7lc01EEa5QRVzOxHFtQ" + + "DhkaJ8VqOMajkQFma2r9iA=="); + + // + // testx509.pem + // + byte[] cert3 = Base64.decode( + "MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV" + + "BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz" + + "MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM" + + "RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF" + + "AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO" + + "/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE" + + "Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ" + + "zl9HYIMxATFyqSiD9jsx"); + + // + // v3-cert1.pem + // + byte[] cert4 = Base64.decode( + "MIICjTCCAfigAwIBAgIEMaYgRzALBgkqhkiG9w0BAQQwRTELMAkGA1UEBhMCVVMx" + + "NjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlz" + + "dHJhdGlvbjAmFxE5NjA1MjgxMzQ5MDUrMDgwMBcROTgwNTI4MTM0OTA1KzA4MDAw" + + "ZzELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu" + + "ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEgMAkGA1UEBRMCMTYwEwYDVQQDEwxTdGV2" + + "ZSBTY2hvY2gwWDALBgkqhkiG9w0BAQEDSQAwRgJBALrAwyYdgxmzNP/ts0Uyf6Bp" + + "miJYktU/w4NG67ULaN4B5CnEz7k57s9o3YY3LecETgQ5iQHmkwlYDTL2fTgVfw0C" + + "AQOjgaswgagwZAYDVR0ZAQH/BFowWDBWMFQxCzAJBgNVBAYTAlVTMTYwNAYDVQQK" + + "Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x" + + "DTALBgNVBAMTBENSTDEwFwYDVR0BAQH/BA0wC4AJODMyOTcwODEwMBgGA1UdAgQR" + + "MA8ECTgzMjk3MDgyM4ACBSAwDQYDVR0KBAYwBAMCBkAwCwYJKoZIhvcNAQEEA4GB" + + "AH2y1VCEw/A4zaXzSYZJTTUi3uawbbFiS2yxHvgf28+8Js0OHXk1H1w2d6qOHH21" + + "X82tZXd/0JtG0g1T9usFFBDvYK8O0ebgz/P5ELJnBL2+atObEuJy1ZZ0pBDWINR3" + + "WkDNLCGiTkCKp0F5EWIrVDwh54NNevkCQRZita+z4IBO"); + + // + // v3-cert2.pem + // + byte[] cert5 = Base64.decode( + "MIICiTCCAfKgAwIBAgIEMeZfHzANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJD" + + "YTEPMA0GA1UEBxMGTmVwZWFuMR4wHAYDVQQLExVObyBMaWFiaWxpdHkgQWNjZXB0" + + "ZWQxHzAdBgNVBAoTFkZvciBEZW1vIFB1cnBvc2VzIE9ubHkxHDAaBgNVBAMTE0Vu" + + "dHJ1c3QgRGVtbyBXZWIgQ0EwHhcNOTYwNzEyMTQyMDE1WhcNOTYxMDEyMTQyMDE1" + + "WjB0MSQwIgYJKoZIhvcNAQkBExVjb29rZUBpc3NsLmF0bC5ocC5jb20xCzAJBgNV" + + "BAYTAlVTMScwJQYDVQQLEx5IZXdsZXR0IFBhY2thcmQgQ29tcGFueSAoSVNTTCkx" + + "FjAUBgNVBAMTDVBhdWwgQS4gQ29va2UwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA" + + "6ceSq9a9AU6g+zBwaL/yVmW1/9EE8s5you1mgjHnj0wAILuoB3L6rm6jmFRy7QZT" + + "G43IhVZdDua4e+5/n1ZslwIDAQABo2MwYTARBglghkgBhvhCAQEEBAMCB4AwTAYJ" + + "YIZIAYb4QgENBD8WPVRoaXMgY2VydGlmaWNhdGUgaXMgb25seSBpbnRlbmRlZCBm" + + "b3IgZGVtb25zdHJhdGlvbiBwdXJwb3Nlcy4wDQYJKoZIhvcNAQEEBQADgYEAi8qc" + + "F3zfFqy1sV8NhjwLVwOKuSfhR/Z8mbIEUeSTlnH3QbYt3HWZQ+vXI8mvtZoBc2Fz" + + "lexKeIkAZXCesqGbs6z6nCt16P6tmdfbZF3I3AWzLquPcOXjPf4HgstkyvVBn0Ap" + + "jAFN418KF/Cx4qyHB4cjdvLrRjjQLnb2+ibo7QU="); + + // + // pem encoded pkcs7 + // + byte[] cert6 = Base64.decode( + "MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJbzCCAj0w" + + "ggGmAhEAzbp/VvDf5LxU/iKss3KqVTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG" + + "A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy" + + "dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNMjgwODAxMjM1OTU5WjBfMQsw" + + "CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi" + + "bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A" + + "MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH" + + "mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF" + + "4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEATD+4i8Zo3+5DMw5d" + + "6abLB4RNejP/khv0Nq3YlSI2aBFsfELM85wuxAc/FLAPT/+Qknb54rxK6Y/NoIAK98Up8YIiXbix" + + "3YEjo3slFUYweRb46gVLlH8dwhzI47f0EEA8E8NfH1PoSOSGtHuhNbB7Jbq4046rPzidADQAmPPR" + + "cZQwggMuMIICl6ADAgECAhEA0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYD" + + "VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGlj" + + "IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEy" + + "MjM1OTU5WjCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy" + + "dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5j" + + "b3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg" + + "SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG9w0B" + + "AQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV2TFBcHqB" + + "S7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/Gdr5FegPh7Yc" + + "48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZIAYb4QgEBBAQDAgEG" + + "MEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYfd3d3LnZlcmlzaWduLmNv" + + "bS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B" + + "AQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ43BuYDAeGW4UVag+5SYWklfEXfWe0" + + "fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg" + + "5V+CprGoksVYasGNAzzrw80FopCubjCCA/gwggNhoAMCAQICEBbbn/1G1zppD6KsP01bwywwDQYJ" + + "KoZIhvcNAQEEBQAwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln" + + "biBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBB" + + "IEluY29ycC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAx" + + "IENBIEluZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwHhcNMDAxMDAy" + + "MDAwMDAwWhcNMDAxMjAxMjM1OTU5WjCCAQcxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYD" + + "VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3Jl" + + "cG9zaXRvcnkvUlBBIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk4MR4wHAYDVQQLExVQZXJz" + + "b25hIE5vdCBWYWxpZGF0ZWQxJzAlBgNVBAsTHkRpZ2l0YWwgSUQgQ2xhc3MgMSAtIE1pY3Jvc29m" + + "dDETMBEGA1UEAxQKRGF2aWQgUnlhbjElMCMGCSqGSIb3DQEJARYWZGF2aWRAbGl2ZW1lZGlhLmNv" + + "bS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqxBsdeNmSvFqhMNwhQgNzM8mdjX9eSXb" + + "DawpHtQHjmh0AKJSa3IwUY0VIsyZHuXWktO/CgaMBVPt6OVf/n0R2sQigMP6Y+PhEiS0vCJBL9aK" + + "0+pOo2qXrjVBmq+XuCyPTnc+BOSrU26tJsX0P9BYorwySiEGxGanBNATdVL4NdUCAwEAAaOBnDCB" + + "mTAJBgNVHRMEAjAAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQgwKjAoBggrBgEFBQcCARYcaHR0" + + "cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTARBglghkgBhvhCAQEEBAMCB4AwMwYDVR0fBCwwKjAo" + + "oCagJIYiaHR0cDovL2NybC52ZXJpc2lnbi5jb20vY2xhc3MxLmNybDANBgkqhkiG9w0BAQQFAAOB" + + "gQBC8yIIdVGpFTf8/YiL14cMzcmL0nIRm4kGR3U59z7UtcXlfNXXJ8MyaeI/BnXwG/gD5OKYqW6R" + + "yca9vZOxf1uoTBl82gInk865ED3Tej6msCqFzZffnSUQvOIeqLxxDlqYRQ6PmW2nAnZeyjcnbI5Y" + + "syQSM2fmo7n6qJFP+GbFezGCAkUwggJBAgEBMIHhMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5j" + + "LjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWdu" + + "LmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UE" + + "AxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3Qg" + + "VmFsaWRhdGVkAhAW25/9Rtc6aQ+irD9NW8MsMAkGBSsOAwIaBQCggbowGAYJKoZIhvcNAQkDMQsG" + + "CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAxMDAyMTczNTE4WjAjBgkqhkiG9w0BCQQxFgQU" + + "gZjSaBEY2oxGvlQUIMnxSXhivK8wWwYJKoZIhvcNAQkPMU4wTDAKBggqhkiG9w0DBzAOBggqhkiG" + + "9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwBwYFKw4DAh0w" + + "DQYJKoZIhvcNAQEBBQAEgYAzk+PU91/ZFfoiuKOECjxEh9fDYE2jfDCheBIgh5gdcCo+sS1WQs8O" + + "HreQ9Nop/JdJv1DQMBK6weNBBDoP0EEkRm1XCC144XhXZC82jBZohYmi2WvDbbC//YN58kRMYMyy" + + "srrfn4Z9I+6kTriGXkrpGk9Q0LSGjmG2BIsqiF0dvwAAAAAAAA=="); + + // + // dsaWithSHA1 cert + // + byte[] cert7 = Base64.decode( + "MIIEXAYJKoZIhvcNAQcCoIIETTCCBEkCAQExCzAJBgUrDgMCGgUAMAsGCSqG" + + "SIb3DQEHAaCCAsMwggK/MIIB4AIBADCBpwYFKw4DAhswgZ0CQQEkJRHP+mN7" + + "d8miwTMN55CUSmo3TO8WGCxgY61TX5k+7NU4XPf1TULjw3GobwaJX13kquPh" + + "fVXk+gVy46n4Iw3hAhUBSe/QF4BUj+pJOF9ROBM4u+FEWA8CQQD4mSJbrABj" + + "TUWrlnAte8pS22Tq4/FPO7jHSqjijUHfXKTrHL1OEqV3SVWcFy5j/cqBgX/z" + + "m8Q12PFp/PjOhh+nMA4xDDAKBgNVBAMTA0lEMzAeFw05NzEwMDEwMDAwMDBa" + + "Fw0zODAxMDEwMDAwMDBaMA4xDDAKBgNVBAMTA0lEMzCB8DCBpwYFKw4DAhsw" + + "gZ0CQQEkJRHP+mN7d8miwTMN55CUSmo3TO8WGCxgY61TX5k+7NU4XPf1TULj" + + "w3GobwaJX13kquPhfVXk+gVy46n4Iw3hAhUBSe/QF4BUj+pJOF9ROBM4u+FE" + + "WA8CQQD4mSJbrABjTUWrlnAte8pS22Tq4/FPO7jHSqjijUHfXKTrHL1OEqV3" + + "SVWcFy5j/cqBgX/zm8Q12PFp/PjOhh+nA0QAAkEAkYkXLYMtGVGWj9OnzjPn" + + "sB9sefSRPrVegZJCZbpW+Iv0/1RP1u04pHG9vtRpIQLjzUiWvLMU9EKQTThc" + + "eNMmWDCBpwYFKw4DAhswgZ0CQQEkJRHP+mN7d8miwTMN55CUSmo3TO8WGCxg" + + "Y61TX5k+7NU4XPf1TULjw3GobwaJX13kquPhfVXk+gVy46n4Iw3hAhUBSe/Q" + + "F4BUj+pJOF9ROBM4u+FEWA8CQQD4mSJbrABjTUWrlnAte8pS22Tq4/FPO7jH" + + "SqjijUHfXKTrHL1OEqV3SVWcFy5j/cqBgX/zm8Q12PFp/PjOhh+nAy8AMCwC" + + "FBY3dBSdeprGcqpr6wr3xbG+6WW+AhRMm/facKJNxkT3iKgJbp7R8Xd3QTGC" + + "AWEwggFdAgEBMBMwDjEMMAoGA1UEAxMDSUQzAgEAMAkGBSsOAwIaBQCgXTAY" + + "BgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMjA1" + + "MjQyMzEzMDdaMCMGCSqGSIb3DQEJBDEWBBS4WMsoJhf7CVbZYCFcjoTRzPkJ" + + "xjCBpwYFKw4DAhswgZ0CQQEkJRHP+mN7d8miwTMN55CUSmo3TO8WGCxgY61T" + + "X5k+7NU4XPf1TULjw3GobwaJX13kquPhfVXk+gVy46n4Iw3hAhUBSe/QF4BU" + + "j+pJOF9ROBM4u+FEWA8CQQD4mSJbrABjTUWrlnAte8pS22Tq4/FPO7jHSqji" + + "jUHfXKTrHL1OEqV3SVWcFy5j/cqBgX/zm8Q12PFp/PjOhh+nBC8wLQIVALID" + + "dt+MHwawrDrwsO1Z6sXBaaJsAhRaKssrpevmLkbygKPV07XiAKBG02Zvb2Jh" + + "cg=="); + + // + // testcrl.pem + // + byte[] crl1 = Base64.decode( + "MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT" + + "F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy" + + "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw" + + "MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw" + + "MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw" + + "MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw" + + "MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw" + + "MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw" + + "MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw" + + "NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw" + + "NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF" + + "AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ" + + "wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt" + + "JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v"); + + // + // ecdsa cert with extra octet string. + // + byte[] oldEcdsa = Base64.decode( + "MIICljCCAkCgAwIBAgIBATALBgcqhkjOPQQBBQAwgY8xCzAJBgNVBAYTAkFVMSgwJ" + + "gYDVQQKEx9UaGUgTGVnaW9uIG9mIHRoZSBCb3VuY3kgQ2FzdGxlMRIwEAYDVQQHEw" + + "lNZWxib3VybmUxETAPBgNVBAgTCFZpY3RvcmlhMS8wLQYJKoZIhvcNAQkBFiBmZWV" + + "kYmFjay1jcnlwdG9AYm91bmN5Y2FzdGxlLm9yZzAeFw0wMTEyMDcwMTAwMDRaFw0w" + + "MTEyMDcwMTAxNDRaMIGPMQswCQYDVQQGEwJBVTEoMCYGA1UEChMfVGhlIExlZ2lvb" + + "iBvZiB0aGUgQm91bmN5IENhc3RsZTESMBAGA1UEBxMJTWVsYm91cm5lMREwDwYDVQ" + + "QIEwhWaWN0b3JpYTEvMC0GCSqGSIb3DQEJARYgZmVlZGJhY2stY3J5cHRvQGJvdW5" + + "jeWNhc3RsZS5vcmcwgeQwgb0GByqGSM49AgEwgbECAQEwKQYHKoZIzj0BAQIef///" + + "////////////f///////gAAAAAAAf///////MEAEHn///////////////3///////" + + "4AAAAAAAH///////AQeawFsO9zxiUHQ1lSSFHXKcanbL7J9HTd5YYXClCwKBB8CD/" + + "qWPNyogWzMM7hkK+35BcPTWFc9Pyf7vTs8uaqvAh5///////////////9///+eXpq" + + "fXZBx+9FSJoiQnQsDIgAEHwJbbcU7xholSP+w9nFHLebJUhqdLSU05lq/y9X+DHAw" + + "CwYHKoZIzj0EAQUAA0MAMEACHnz6t4UNoVROp74ma4XNDjjGcjaqiIWPZLK8Bdw3G" + + "QIeLZ4j3a6ividZl344UH+UPUE7xJxlYGuy7ejTsqRR"); + + byte[] uncompressedPtEC = Base64.decode( + "MIIDKzCCAsGgAwIBAgICA+kwCwYHKoZIzj0EAQUAMGYxCzAJBgNVBAYTAkpQ" + + "MRUwEwYDVQQKEwxuaXRlY2guYWMuanAxDjAMBgNVBAsTBWFpbGFiMQ8wDQYD" + + "VQQDEwZ0ZXN0Y2ExHzAdBgkqhkiG9w0BCQEWEHRlc3RjYUBsb2NhbGhvc3Qw" + + "HhcNMDExMDEzMTE1MzE3WhcNMjAxMjEyMTE1MzE3WjBmMQswCQYDVQQGEwJK" + + "UDEVMBMGA1UEChMMbml0ZWNoLmFjLmpwMQ4wDAYDVQQLEwVhaWxhYjEPMA0G" + + "A1UEAxMGdGVzdGNhMR8wHQYJKoZIhvcNAQkBFhB0ZXN0Y2FAbG9jYWxob3N0" + + "MIIBczCCARsGByqGSM49AgEwggEOAgEBMDMGByqGSM49AQECKEdYWnajFmnZ" + + "tzrukK2XWdle2v+GsD9l1ZiR6g7ozQDbhFH/bBiMDQcwVAQoJ5EQKrI54/CT" + + "xOQ2pMsd/fsXD+EX8YREd8bKHWiLz8lIVdD5cBNeVwQoMKSc6HfI7vKZp8Q2" + + "zWgIFOarx1GQoWJbMcSt188xsl30ncJuJT2OoARRBAqJ4fD+q6hbqgNSjTQ7" + + "htle1KO3eiaZgcJ8rrnyN8P+5A8+5K+H9aQ/NbBR4Gs7yto5PXIUZEUgodHA" + + "TZMSAcSq5ZYt4KbnSYaLY0TtH9CqAigEwZ+hglbT21B7ZTzYX2xj0x+qooJD" + + "hVTLtIPaYJK2HrMPxTw6/zfrAgEPA1IABAnvfFcFDgD/JicwBGn6vR3N8MIn" + + "mptZf/mnJ1y649uCF60zOgdwIyI7pVSxBFsJ7ohqXEHW0x7LrGVkdSEiipiH" + + "LYslqh3xrqbAgPbl93GUo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB" + + "/wQEAwIBxjAdBgNVHQ4EFgQUAEo62Xm9H6DcsE0zUDTza4BRG90wCwYHKoZI" + + "zj0EAQUAA1cAMFQCKAQsCHHSNOqfJXLgt3bg5+k49hIBGVr/bfG0B9JU3rNt" + + "Ycl9Y2zfRPUCKAK2ccOQXByAWfsasDu8zKHxkZv7LVDTFjAIffz3HaCQeVhD" + + "z+fauEg="); + + byte[] keyUsage = Base64.decode( + "MIIE7TCCBFagAwIBAgIEOAOR7jANBgkqhkiG9w0BAQQFADCByTELMAkGA1UE" + + "BhMCVVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MUgwRgYDVQQLFD93d3cuZW50" + + "cnVzdC5uZXQvQ2xpZW50X0NBX0luZm8vQ1BTIGluY29ycC4gYnkgcmVmLiBs" + + "aW1pdHMgbGlhYi4xJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExp" + + "bWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENsaWVudCBDZXJ0aWZpY2F0" + + "aW9uIEF1dGhvcml0eTAeFw05OTEwMTIxOTI0MzBaFw0xOTEwMTIxOTU0MzBa" + + "MIHJMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxSDBGBgNV" + + "BAsUP3d3dy5lbnRydXN0Lm5ldC9DbGllbnRfQ0FfSW5mby9DUFMgaW5jb3Jw" + + "LiBieSByZWYuIGxpbWl0cyBsaWFiLjElMCMGA1UECxMcKGMpIDE5OTkgRW50" + + "cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5uZXQgQ2xpZW50" + + "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUAA4GL" + + "ADCBhwKBgQDIOpleMRffrCdvkHvkGf9FozTC28GoT/Bo6oT9n3V5z8GKUZSv" + + "x1cDR2SerYIbWtp/N3hHuzeYEpbOxhN979IMMFGpOZ5V+Pux5zDeg7K6PvHV" + + "iTs7hbqqdCz+PzFur5GVbgbUB01LLFZHGARS2g4Qk79jkJvh34zmAqTmT173" + + "iwIBA6OCAeAwggHcMBEGCWCGSAGG+EIBAQQEAwIABzCCASIGA1UdHwSCARkw" + + "ggEVMIHkoIHhoIHepIHbMIHYMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50" + + "cnVzdC5uZXQxSDBGBgNVBAsUP3d3dy5lbnRydXN0Lm5ldC9DbGllbnRfQ0Ff" + + "SW5mby9DUFMgaW5jb3JwLiBieSByZWYuIGxpbWl0cyBsaWFiLjElMCMGA1UE" + + "CxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50" + + "cnVzdC5uZXQgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYD" + + "VQQDEwRDUkwxMCygKqAohiZodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NSTC9D" + + "bGllbnQxLmNybDArBgNVHRAEJDAigA8xOTk5MTAxMjE5MjQzMFqBDzIwMTkx" + + "MDEyMTkyNDMwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUxPucKXuXzUyW" + + "/O5bs8qZdIuV6kwwHQYDVR0OBBYEFMT7nCl7l81MlvzuW7PKmXSLlepMMAwG" + + "A1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI" + + "hvcNAQEEBQADgYEAP66K8ddmAwWePvrqHEa7pFuPeJoSSJn59DXeDDYHAmsQ" + + "OokUgZwxpnyyQbJq5wcBoUv5nyU7lsqZwz6hURzzwy5E97BnRqqS5TvaHBkU" + + "ODDV4qIxJS7x7EU47fgGWANzYrAQMY9Av2TgXD7FTx/aEkP/TOYGJqibGapE" + + "PHayXOw="); + + byte[] nameCert = Base64.decode( + "MIIEFjCCA3+gAwIBAgIEdS8BozANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJE"+ + "RTERMA8GA1UEChQIREFURVYgZUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRQ0Eg"+ + "REFURVYgRDAzIDE6UE4wIhgPMjAwMTA1MTAxMDIyNDhaGA8yMDA0MDUwOTEwMjI0"+ + "OFowgYQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIFAZCYXllcm4xEjAQBgNVBAcUCU7I"+ + "dXJuYmVyZzERMA8GA1UEChQIREFURVYgZUcxHTAbBgNVBAUTFDAwMDAwMDAwMDA4"+ + "OTU3NDM2MDAxMR4wHAYDVQQDFBVEaWV0bWFyIFNlbmdlbmxlaXRuZXIwgaEwDQYJ"+ + "KoZIhvcNAQEBBQADgY8AMIGLAoGBAJLI/LJLKaHoMk8fBECW/od8u5erZi6jI8Ug"+ + "C0a/LZyQUO/R20vWJs6GrClQtXB+AtfiBSnyZOSYzOdfDI8yEKPEv8qSuUPpOHps"+ + "uNCFdLZF1vavVYGEEWs2+y+uuPmg8q1oPRyRmUZ+x9HrDvCXJraaDfTEd9olmB/Z"+ + "AuC/PqpjAgUAwAAAAaOCAcYwggHCMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUD"+ + "AwdAADAxBgNVHSAEKjAoMCYGBSskCAEBMB0wGwYIKwYBBQUHAgEWD3d3dy56cy5k"+ + "YXRldi5kZTApBgNVHREEIjAggR5kaWV0bWFyLnNlbmdlbmxlaXRuZXJAZGF0ZXYu"+ + "ZGUwgYQGA1UdIwR9MHuhc6RxMG8xCzAJBgNVBAYTAkRFMT0wOwYDVQQKFDRSZWd1"+ + "bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0aW9uIHVuZCBQb3N0"+ + "MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjVSLUNBIDE6UE6CBACm8LkwDgYHAoIG"+ + "AQoMAAQDAQEAMEcGA1UdHwRAMD4wPKAUoBKGEHd3dy5jcmwuZGF0ZXYuZGWiJKQi"+ + "MCAxCzAJBgNVBAYTAkRFMREwDwYDVQQKFAhEQVRFViBlRzAWBgUrJAgDBAQNMAsT"+ + "A0VVUgIBBQIBATAdBgNVHQ4EFgQUfv6xFP0xk7027folhy+ziZvBJiwwLAYIKwYB"+ + "BQUHAQEEIDAeMBwGCCsGAQUFBzABhhB3d3cuZGlyLmRhdGV2LmRlMA0GCSqGSIb3"+ + "DQEBBQUAA4GBAEOVX6uQxbgtKzdgbTi6YLffMftFr2mmNwch7qzpM5gxcynzgVkg"+ + "pnQcDNlm5AIbS6pO8jTCLfCd5TZ5biQksBErqmesIl3QD+VqtB+RNghxectZ3VEs"+ + "nCUtcE7tJ8O14qwCb3TxS9dvIUFiVi4DjbxX46TdcTbTaK8/qr6AIf+l"); + + byte[] probSelfSignedCert = Base64.decode( + "MIICxTCCAi6gAwIBAgIQAQAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQUFADBF" + + "MScwJQYDVQQKEx4gRElSRUNUSU9OIEdFTkVSQUxFIERFUyBJTVBPVFMxGjAYBgNV" + + "BAMTESBBQyBNSU5FRkkgQiBURVNUMB4XDTA0MDUwNzEyMDAwMFoXDTE0MDUwNzEy" + + "MDAwMFowRTEnMCUGA1UEChMeIERJUkVDVElPTiBHRU5FUkFMRSBERVMgSU1QT1RT" + + "MRowGAYDVQQDExEgQUMgTUlORUZJIEIgVEVTVDCBnzANBgkqhkiG9w0BAQEFAAOB" + + "jQAwgYkCgYEAveoCUOAukZdcFCs2qJk76vSqEX0ZFzHqQ6faBPZWjwkgUNwZ6m6m" + + "qWvvyq1cuxhoDvpfC6NXILETawYc6MNwwxsOtVVIjuXlcF17NMejljJafbPximEt" + + "DQ4LcQeSp4K7FyFlIAMLyt3BQ77emGzU5fjFTvHSUNb3jblx0sV28c0CAwEAAaOB" + + "tTCBsjAfBgNVHSMEGDAWgBSEJ4bLbvEQY8cYMAFKPFD1/fFXlzAdBgNVHQ4EFgQU" + + "hCeGy27xEGPHGDABSjxQ9f3xV5cwDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIB" + + "AQQEAwIBBjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vYWRvbmlzLnBrNy5jZXJ0" + + "cGx1cy5uZXQvZGdpLXRlc3QuY3JsMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN" + + "AQEFBQADgYEAmToHJWjd3+4zknfsP09H6uMbolHNGG0zTS2lrLKpzcmkQfjhQpT9" + + "LUTBvfs1jdjo9fGmQLvOG+Sm51Rbjglb8bcikVI5gLbclOlvqLkm77otjl4U4Z2/" + + "Y0vP14Aov3Sn3k+17EfReYUZI4liuB95ncobC4e8ZM++LjQcIM0s+Vs="); + + + byte[] gost34102001base = Base64.decode( + "MIIB1DCCAYECEEjpVKXP6Wn1yVz3VeeDQa8wCgYGKoUDAgIDBQAwbTEfMB0G" + + "A1UEAwwWR29zdFIzNDEwLTIwMDEgZXhhbXBsZTESMBAGA1UECgwJQ3J5cHRv" + + "UHJvMQswCQYDVQQGEwJSVTEpMCcGCSqGSIb3DQEJARYaR29zdFIzNDEwLTIw" + + "MDFAZXhhbXBsZS5jb20wHhcNMDUwMjAzMTUxNjQ2WhcNMTUwMjAzMTUxNjQ2" + + "WjBtMR8wHQYDVQQDDBZHb3N0UjM0MTAtMjAwMSBleGFtcGxlMRIwEAYDVQQK" + + "DAlDcnlwdG9Qcm8xCzAJBgNVBAYTAlJVMSkwJwYJKoZIhvcNAQkBFhpHb3N0" + + "UjM0MTAtMjAwMUBleGFtcGxlLmNvbTBjMBwGBiqFAwICEzASBgcqhQMCAiQA" + + "BgcqhQMCAh4BA0MABECElWh1YAIaQHUIzROMMYks/eUFA3pDXPRtKw/nTzJ+" + + "V4/rzBa5lYgD0Jp8ha4P5I3qprt+VsfLsN8PZrzK6hpgMAoGBiqFAwICAwUA" + + "A0EAHw5dw/aw/OiNvHyOE65kvyo4Hp0sfz3csM6UUkp10VO247ofNJK3tsLb" + + "HOLjUaqzefrlGb11WpHYrvWFg+FcLA=="); + + byte[] gost341094base = Base64.decode( + "MIICDzCCAbwCEBcxKsIb0ghYvAQeUjfQdFAwCgYGKoUDAgIEBQAwaTEdMBsG" + + "A1UEAwwUR29zdFIzNDEwLTk0IGV4YW1wbGUxEjAQBgNVBAoMCUNyeXB0b1By" + + "bzELMAkGA1UEBhMCUlUxJzAlBgkqhkiG9w0BCQEWGEdvc3RSMzQxMC05NEBl" + + "eGFtcGxlLmNvbTAeFw0wNTAyMDMxNTE2NTFaFw0xNTAyMDMxNTE2NTFaMGkx" + + "HTAbBgNVBAMMFEdvc3RSMzQxMC05NCBleGFtcGxlMRIwEAYDVQQKDAlDcnlw" + + "dG9Qcm8xCzAJBgNVBAYTAlJVMScwJQYJKoZIhvcNAQkBFhhHb3N0UjM0MTAt" + + "OTRAZXhhbXBsZS5jb20wgaUwHAYGKoUDAgIUMBIGByqFAwICIAIGByqFAwIC" + + "HgEDgYQABIGAu4Rm4XmeWzTYLIB/E6gZZnFX/oxUJSFHbzALJ3dGmMb7R1W+" + + "t7Lzk2w5tUI3JoTiDRCKJA4fDEJNKzsRK6i/ZjkyXJSLwaj+G2MS9gklh8x1" + + "G/TliYoJgmjTXHemD7aQEBON4z58nJHWrA0ILD54wbXCtrcaqCqLRYGTMjJ2" + + "+nswCgYGKoUDAgIEBQADQQBxKNhOmjgz/i5CEgLOyKyz9pFGkDcaymsWYQWV" + + "v7CZ0pTM8IzMzkUBW3GHsUjCFpanFZDfg2zuN+3kT+694n9B"); + + byte[] gost341094A = Base64.decode( + "MIICSDCCAfWgAwIBAgIBATAKBgYqhQMCAgQFADCBgTEXMBUGA1UEAxMOZGVmYXVsdDM0MTAtOTQx" + + "DTALBgNVBAoTBERpZ3QxDzANBgNVBAsTBkNyeXB0bzEOMAwGA1UEBxMFWS1vbGExDDAKBgNVBAgT" + + "A01FTDELMAkGA1UEBhMCcnUxGzAZBgkqhkiG9w0BCQEWDHRlc3RAdGVzdC5ydTAeFw0wNTAzMjkx" + + "MzExNTdaFw0wNjAzMjkxMzExNTdaMIGBMRcwFQYDVQQDEw5kZWZhdWx0MzQxMC05NDENMAsGA1UE" + + "ChMERGlndDEPMA0GA1UECxMGQ3J5cHRvMQ4wDAYDVQQHEwVZLW9sYTEMMAoGA1UECBMDTUVMMQsw" + + "CQYDVQQGEwJydTEbMBkGCSqGSIb3DQEJARYMdGVzdEB0ZXN0LnJ1MIGlMBwGBiqFAwICFDASBgcq" + + "hQMCAiACBgcqhQMCAh4BA4GEAASBgIQACDLEuxSdRDGgdZxHmy30g/DUYkRxO9Mi/uSHX5NjvZ31" + + "b7JMEMFqBtyhql1HC5xZfUwZ0aT3UnEFDfFjLP+Bf54gA+LPkQXw4SNNGOj+klnqgKlPvoqMGlwa" + + "+hLPKbS561WpvB2XSTgbV+pqqXR3j6j30STmybelEV3RdS2Now8wDTALBgNVHQ8EBAMCB4AwCgYG" + + "KoUDAgIEBQADQQBCFy7xWRXtNVXflKvDs0pBdBuPzjCMeZAXVxK8vUxsxxKu76d9CsvhgIFknFRi" + + "wWTPiZenvNoJ4R1uzeX+vREm"); + + byte[] gost341094B = Base64.decode( + "MIICSDCCAfWgAwIBAgIBATAKBgYqhQMCAgQFADCBgTEXMBUGA1UEAxMOcGFyYW0xLTM0MTAtOTQx" + + "DTALBgNVBAoTBERpZ3QxDzANBgNVBAsTBkNyeXB0bzEOMAwGA1UEBxMFWS1PbGExDDAKBgNVBAgT" + + "A01lbDELMAkGA1UEBhMCcnUxGzAZBgkqhkiG9w0BCQEWDHRlc3RAdGVzdC5ydTAeFw0wNTAzMjkx" + + "MzEzNTZaFw0wNjAzMjkxMzEzNTZaMIGBMRcwFQYDVQQDEw5wYXJhbTEtMzQxMC05NDENMAsGA1UE" + + "ChMERGlndDEPMA0GA1UECxMGQ3J5cHRvMQ4wDAYDVQQHEwVZLU9sYTEMMAoGA1UECBMDTWVsMQsw" + + "CQYDVQQGEwJydTEbMBkGCSqGSIb3DQEJARYMdGVzdEB0ZXN0LnJ1MIGlMBwGBiqFAwICFDASBgcq" + + "hQMCAiADBgcqhQMCAh4BA4GEAASBgEa+AAcZmijWs1M9x5Pn9efE8D9ztG1NMoIt0/hNZNqln3+j" + + "lMZjyqPt+kTLIjtmvz9BRDmIDk6FZz+4LhG2OTL7yGpWfrMxMRr56nxomTN9aLWRqbyWmn3brz9Y" + + "AUD3ifnwjjIuW7UM84JNlDTOdxx0XRUfLQIPMCXe9cO02Xskow8wDTALBgNVHQ8EBAMCB4AwCgYG" + + "KoUDAgIEBQADQQBzFcnuYc/639OTW+L5Ecjw9KxGr+dwex7lsS9S1BUgKa3m1d5c+cqI0B2XUFi5" + + "4iaHHJG0dCyjtQYLJr0OZjRw"); + + byte[] gost34102001A = Base64.decode( + "MIICCzCCAbigAwIBAgIBATAKBgYqhQMCAgMFADCBhDEaMBgGA1UEAxMRZGVmYXVsdC0zNDEwLTIw" + + "MDExDTALBgNVBAoTBERpZ3QxDzANBgNVBAsTBkNyeXB0bzEOMAwGA1UEBxMFWS1PbGExDDAKBgNV" + + "BAgTA01lbDELMAkGA1UEBhMCcnUxGzAZBgkqhkiG9w0BCQEWDHRlc3RAdGVzdC5ydTAeFw0wNTAz" + + "MjkxMzE4MzFaFw0wNjAzMjkxMzE4MzFaMIGEMRowGAYDVQQDExFkZWZhdWx0LTM0MTAtMjAwMTEN" + + "MAsGA1UEChMERGlndDEPMA0GA1UECxMGQ3J5cHRvMQ4wDAYDVQQHEwVZLU9sYTEMMAoGA1UECBMD" + + "TWVsMQswCQYDVQQGEwJydTEbMBkGCSqGSIb3DQEJARYMdGVzdEB0ZXN0LnJ1MGMwHAYGKoUDAgIT" + + "MBIGByqFAwICIwEGByqFAwICHgEDQwAEQG/4c+ZWb10IpeHfmR+vKcbpmSOClJioYmCVgnojw0Xn" + + "ned0KTg7TJreRUc+VX7vca4hLQaZ1o/TxVtfEApK/O6jDzANMAsGA1UdDwQEAwIHgDAKBgYqhQMC" + + "AgMFAANBAN8y2b6HuIdkD3aWujpfQbS1VIA/7hro4vLgDhjgVmev/PLzFB8oTh3gKhExpDo82IEs" + + "ZftGNsbbyp1NFg7zda0="); + + byte[] gostCA1 = Base64.decode( + "MIIDNDCCAuGgAwIBAgIQZLcKDcWcQopF+jp4p9jylDAKBgYqhQMCAgQFADBm" + + "MQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9zY293MRcwFQYDVQQKEw5PT08g" + + "Q3J5cHRvLVBybzEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxFzAVBgNVBAMTDkNQ" + + "IENTUCBUZXN0IENBMB4XDTAyMDYwOTE1NTIyM1oXDTA5MDYwOTE1NTkyOVow" + + "ZjELMAkGA1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEXMBUGA1UEChMOT09P" + + "IENyeXB0by1Qcm8xFDASBgNVBAsTC0RldmVsb3BtZW50MRcwFQYDVQQDEw5D" + + "UCBDU1AgVGVzdCBDQTCBpTAcBgYqhQMCAhQwEgYHKoUDAgIgAgYHKoUDAgIe" + + "AQOBhAAEgYAYglywKuz1nMc9UiBYOaulKy53jXnrqxZKbCCBSVaJ+aCKbsQm" + + "glhRFrw6Mwu8Cdeabo/ojmea7UDMZd0U2xhZFRti5EQ7OP6YpqD0alllo7za" + + "4dZNXdX+/ag6fOORSLFdMpVx5ganU0wHMPk67j+audnCPUj/plbeyccgcdcd" + + "WaOCASIwggEeMAsGA1UdDwQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud" + + "DgQWBBTe840gTo4zt2twHilw3PD9wJaX0TCBygYDVR0fBIHCMIG/MDygOqA4" + + "hjYtaHR0cDovL2ZpZXdhbGwvQ2VydEVucm9sbC9DUCUyMENTUCUyMFRlc3Ql" + + "MjBDQSgzKS5jcmwwRKBCoECGPmh0dHA6Ly93d3cuY3J5cHRvcHJvLnJ1L0Nl" + + "cnRFbnJvbGwvQ1AlMjBDU1AlMjBUZXN0JTIwQ0EoMykuY3JsMDmgN6A1hjMt" + + "ZmlsZTovL1xcZmlld2FsbFxDZXJ0RW5yb2xsXENQIENTUCBUZXN0IENBKDMp" + + "LmNybC8wEgYJKwYBBAGCNxUBBAUCAwMAAzAKBgYqhQMCAgQFAANBAIJi7ni7" + + "9rwMR5rRGTFftt2k70GbqyUEfkZYOzrgdOoKiB4IIsIstyBX0/ne6GsL9Xan" + + "G2IN96RB7KrowEHeW+k="); + + byte[] gostCA2 = Base64.decode( + "MIIC2DCCAoWgAwIBAgIQe9ZCugm42pRKNcHD8466zTAKBgYqhQMCAgMFADB+" + + "MRowGAYJKoZIhvcNAQkBFgtzYmFAZGlndC5ydTELMAkGA1UEBhMCUlUxDDAK" + + "BgNVBAgTA01FTDEUMBIGA1UEBxMLWW9zaGthci1PbGExDTALBgNVBAoTBERp" + + "Z3QxDzANBgNVBAsTBkNyeXB0bzEPMA0GA1UEAxMGc2JhLUNBMB4XDTA0MDgw" + + "MzEzMzE1OVoXDTE0MDgwMzEzNDAxMVowfjEaMBgGCSqGSIb3DQEJARYLc2Jh" + + "QGRpZ3QucnUxCzAJBgNVBAYTAlJVMQwwCgYDVQQIEwNNRUwxFDASBgNVBAcT" + + "C1lvc2hrYXItT2xhMQ0wCwYDVQQKEwREaWd0MQ8wDQYDVQQLEwZDcnlwdG8x" + + "DzANBgNVBAMTBnNiYS1DQTBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMC" + + "Ah4BA0MABEDMSy10CuOH+i8QKG2UWA4XmCt6+BFrNTZQtS6bOalyDY8Lz+G7" + + "HybyipE3PqdTB4OIKAAPsEEeZOCZd2UXGQm5o4HaMIHXMBMGCSsGAQQBgjcU" + + "AgQGHgQAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud" + + "DgQWBBRJJl3LcNMxkZI818STfoi3ng1xoDBxBgNVHR8EajBoMDGgL6Athito" + + "dHRwOi8vc2JhLmRpZ3QubG9jYWwvQ2VydEVucm9sbC9zYmEtQ0EuY3JsMDOg" + + "MaAvhi1maWxlOi8vXFxzYmEuZGlndC5sb2NhbFxDZXJ0RW5yb2xsXHNiYS1D" + + "QS5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwCgYGKoUDAgIDBQADQQA+BRJHbc/p" + + "q8EYl6iJqXCuR+ozRmH7hPAP3c4KqYSC38TClCgBloLapx/3/WdatctFJW/L" + + "mcTovpq088927shE"); + + byte[] inDirectCrl = Base64.decode( + "MIIdXjCCHMcCAQEwDQYJKoZIhvcNAQEFBQAwdDELMAkGA1UEBhMCREUxHDAaBgNV" + +"BAoUE0RldXRzY2hlIFRlbGVrb20gQUcxFzAVBgNVBAsUDlQtVGVsZVNlYyBUZXN0" + +"MS4wDAYHAoIGAQoHFBMBMTAeBgNVBAMUF1QtVGVsZVNlYyBUZXN0IERJUiA4OlBO" + +"Fw0wNjA4MDQwODQ1MTRaFw0wNjA4MDQxNDQ1MTRaMIIbfzB+AgQvrj/pFw0wMzA3" + +"MjIwNTQxMjhaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP+oXDTAzMDcyMjA1NDEyOFowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/5xcNMDQwNDA1MTMxODE3WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/oFw0wNDA0" + +"MDUxMzE4MTdaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP+UXDTAzMDExMzExMTgxMVowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/5hcNMDMwMTEzMTExODExWjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/jFw0wMzAx" + +"MTMxMTI2NTZaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP+QXDTAzMDExMzExMjY1NlowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/4hcNMDQwNzEzMDc1ODM4WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/eFw0wMzAy" + +"MTcwNjMzMjVaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP98XDTAzMDIxNzA2MzMyNVowZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/0xcNMDMwMjE3MDYzMzI1WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/dFw0wMzAx" + +"MTMxMTI4MTRaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP9cXDTAzMDExMzExMjcwN1owZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/2BcNMDMwMTEzMTEyNzA3WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNDpQTjB+AgQvrj/VFw0wMzA0" + +"MzAxMjI3NTNaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYD" + +"VQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMU" + +"EVNpZ0cgVGVzdCBDQSA0OlBOMH4CBC+uP9YXDTAzMDQzMDEyMjc1M1owZzBlBgNV" + +"HR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDQ6" + +"UE4wfgIEL64/xhcNMDMwMjEyMTM0NTQwWjBnMGUGA1UdHQEB/wRbMFmkVzBVMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKC" + +"BgEKBxQTATEwGAYDVQQDFBFUVEMgVGVzdCBDQSAxMTpQTjCBkAIEL64/xRcNMDMw" + +"MjEyMTM0NTQwWjB5MHcGA1UdHQEB/wRtMGukaTBnMQswCQYDVQQGEwJERTEcMBoG" + +"A1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEQMA4GA1UECxQHVGVsZVNlYzEoMAwG" + +"BwKCBgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0EgNTpQTjB+AgQvrj/CFw0w" + +"MzAyMTIxMzA5MTZaMGcwZQYDVR0dAQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRww" + +"GgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNV" + +"BAMUEVRUQyBUZXN0IENBIDExOlBOMIGQAgQvrj/BFw0wMzAyMTIxMzA4NDBaMHkw" + +"dwYDVR0dAQH/BG0wa6RpMGcxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2No" + +"ZSBUZWxla29tIEFHMRAwDgYDVQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAY" + +"BgNVBAMUEVNpZ0cgVGVzdCBDQSA1OlBOMH4CBC+uP74XDTAzMDIxNzA2MzcyNVow" + +"ZzBlBgNVHR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRz" + +"Y2hlIFRlbGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRVFRDIFRlc3Qg" + +"Q0EgMTE6UE4wgZACBC+uP70XDTAzMDIxNzA2MzcyNVoweTB3BgNVHR0BAf8EbTBr" + +"pGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcx" + +"EDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBU" + +"ZXN0IENBIDU6UE4wgZACBC+uP7AXDTAzMDIxMjEzMDg1OVoweTB3BgNVHR0BAf8E" + +"bTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20g" + +"QUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2ln" + +"RyBUZXN0IENBIDU6UE4wgZACBC+uP68XDTAzMDIxNzA2MzcyNVoweTB3BgNVHR0B" + +"Af8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVr" + +"b20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQR" + +"U2lnRyBUZXN0IENBIDU6UE4wfgIEL64/kxcNMDMwNDEwMDUyNjI4WjBnMGUGA1Ud" + +"HQEB/wRbMFmkVzBVMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVs" + +"ZWtvbSBBRzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFUVEMgVGVzdCBDQSAxMTpQ" + +"TjCBkAIEL64/khcNMDMwNDEwMDUyNjI4WjB5MHcGA1UdHQEB/wRtMGukaTBnMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEQMA4GA1UE" + +"CxQHVGVsZVNlYzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFTaWdHIFRlc3QgQ0Eg" + +"NTpQTjB+AgQvrj8/Fw0wMzAyMjYxMTA0NDRaMGcwZQYDVR0dAQH/BFswWaRXMFUx" + +"CzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMSgwDAYH" + +"AoIGAQoHFBMBMTAYBgNVBAMUEVRUQyBUZXN0IENBIDExOlBOMIGQAgQvrj8+Fw0w" + +"MzAyMjYxMTA0NDRaMHkwdwYDVR0dAQH/BG0wa6RpMGcxCzAJBgNVBAYTAkRFMRww" + +"GgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAwDgYDVQQLFAdUZWxlU2VjMSgw" + +"DAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVzdCBDQSA1OlBOMH4CBC+uPs0X" + +"DTAzMDUyMDA1MjczNlowZzBlBgNVHR0BAf8EWzBZpFcwVTELMAkGA1UEBhMCREUx" + +"HDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxKDAMBgcCggYBCgcUEwExMBgG" + +"A1UEAxQRVFRDIFRlc3QgQ0EgMTE6UE4wgZACBC+uPswXDTAzMDUyMDA1MjczNlow" + +"eTB3BgNVHR0BAf8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRz" + +"Y2hlIFRlbGVrb20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwEx" + +"MBgGA1UEAxQRU2lnRyBUZXN0IENBIDY6UE4wfgIEL64+PBcNMDMwNjE3MTAzNDE2" + +"WjBnMGUGA1UdHQEB/wRbMFmkVzBVMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1" + +"dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFUVEMgVGVz" + +"dCBDQSAxMTpQTjCBkAIEL64+OxcNMDMwNjE3MTAzNDE2WjB5MHcGA1UdHQEB/wRt" + +"MGukaTBnMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBB" + +"RzEQMA4GA1UECxQHVGVsZVNlYzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFTaWdH" + +"IFRlc3QgQ0EgNjpQTjCBkAIEL64+OhcNMDMwNjE3MTAzNDE2WjB5MHcGA1UdHQEB" + +"/wRtMGukaTBnMQswCQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtv" + +"bSBBRzEQMA4GA1UECxQHVGVsZVNlYzEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFT" + +"aWdHIFRlc3QgQ0EgNjpQTjB+AgQvrj45Fw0wMzA2MTcxMzAxMDBaMGcwZQYDVR0d" + +"AQH/BFswWaRXMFUxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxl" + +"a29tIEFHMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVRUQyBUZXN0IENBIDExOlBO" + +"MIGQAgQvrj44Fw0wMzA2MTcxMzAxMDBaMHkwdwYDVR0dAQH/BG0wa6RpMGcxCzAJ" + +"BgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAwDgYDVQQL" + +"FAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVzdCBDQSA2" + +"OlBOMIGQAgQvrj43Fw0wMzA2MTcxMzAxMDBaMHkwdwYDVR0dAQH/BG0wa6RpMGcx" + +"CzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAwDgYD" + +"VQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVzdCBD" + +"QSA2OlBOMIGQAgQvrj42Fw0wMzA2MTcxMzAxMDBaMHkwdwYDVR0dAQH/BG0wa6Rp" + +"MGcxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMRAw" + +"DgYDVQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cgVGVz" + +"dCBDQSA2OlBOMIGQAgQvrj4zFw0wMzA2MTcxMDM3NDlaMHkwdwYDVR0dAQH/BG0w" + +"a6RpMGcxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFH" + +"MRAwDgYDVQQLFAdUZWxlU2VjMSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEVNpZ0cg" + +"VGVzdCBDQSA2OlBOMH4CBC+uPjEXDTAzMDYxNzEwNDI1OFowZzBlBgNVHR0BAf8E" + +"WzBZpFcwVTELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20g" + +"QUcxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRVFRDIFRlc3QgQ0EgMTE6UE4wgZAC" + +"BC+uPjAXDTAzMDYxNzEwNDI1OFoweTB3BgNVHR0BAf8EbTBrpGkwZzELMAkGA1UE" + +"BhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAOBgNVBAsUB1Rl" + +"bGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDY6UE4w" + +"gZACBC+uPakXDTAzMTAyMjExMzIyNFoweTB3BgNVHR0BAf8EbTBrpGkwZzELMAkG" + +"A1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAOBgNVBAsU" + +"B1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENBIDY6" + +"UE4wgZACBC+uPLIXDTA1MDMxMTA2NDQyNFoweTB3BgNVHR0BAf8EbTBrpGkwZzEL" + +"MAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAOBgNV" + +"BAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0IENB" + +"IDY6UE4wgZACBC+uPKsXDTA0MDQwMjA3NTQ1M1oweTB3BgNVHR0BAf8EbTBrpGkw" + +"ZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcxEDAO" + +"BgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBUZXN0" + +"IENBIDY6UE4wgZACBC+uOugXDTA1MDEyNzEyMDMyNFoweTB3BgNVHR0BAf8EbTBr" + +"pGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20gQUcx" + +"EDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2lnRyBU" + +"ZXN0IENBIDY6UE4wgZACBC+uOr4XDTA1MDIxNjA3NTcxNloweTB3BgNVHR0BAf8E" + +"bTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVrb20g" + +"QUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQRU2ln" + +"RyBUZXN0IENBIDY6UE4wgZACBC+uOqcXDTA1MDMxMDA1NTkzNVoweTB3BgNVHR0B" + +"Af8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRlbGVr" + +"b20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UEAxQR" + +"U2lnRyBUZXN0IENBIDY6UE4wgZACBC+uOjwXDTA1MDUxMTEwNDk0NloweTB3BgNV" + +"HR0BAf8EbTBrpGkwZzELMAkGA1UEBhMCREUxHDAaBgNVBAoUE0RldXRzY2hlIFRl" + +"bGVrb20gQUcxEDAOBgNVBAsUB1RlbGVTZWMxKDAMBgcCggYBCgcUEwExMBgGA1UE" + +"AxQRU2lnRyBUZXN0IENBIDY6UE4wgaoCBC+sbdUXDTA1MTExMTEwMDMyMVowgZIw" + +"gY8GA1UdHQEB/wSBhDCBgaR/MH0xCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0" + +"c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLFBZQcm9kdWt0emVudHJ1bSBUZWxlU2Vj" + +"MS8wDAYHAoIGAQoHFBMBMTAfBgNVBAMUGFRlbGVTZWMgUEtTIFNpZ0cgQ0EgMTpQ" + +"TjCBlQIEL64uaBcNMDYwMTIzMTAyNTU1WjB+MHwGA1UdHQEB/wRyMHCkbjBsMQsw" + +"CQYDVQQGEwJERTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEWMBQGA1UE" + +"CxQNWmVudHJhbGUgQm9ubjEnMAwGBwKCBgEKBxQTATEwFwYDVQQDFBBUVEMgVGVz" + +"dCBDQSA5OlBOMIGVAgQvribHFw0wNjA4MDEwOTQ4NDRaMH4wfAYDVR0dAQH/BHIw" + +"cKRuMGwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFH" + +"MRYwFAYDVQQLFA1aZW50cmFsZSBCb25uMScwDAYHAoIGAQoHFBMBMTAXBgNVBAMU" + +"EFRUQyBUZXN0IENBIDk6UE6ggZswgZgwCwYDVR0UBAQCAhEMMB8GA1UdIwQYMBaA" + +"FANbyNumDI9545HwlCF26NuOJC45MA8GA1UdHAEB/wQFMAOEAf8wVwYDVR0SBFAw" + +"ToZMbGRhcDovL3Brc2xkYXAudHR0Yy5kZS9vdT1ULVRlbGVTZWMgVGVzdCBESVIg" + +"ODpQTixvPURldXRzY2hlIFRlbGVrb20gQUcsYz1kZTANBgkqhkiG9w0BAQUFAAOB" + +"gQBewL5gLFHpeOWO07Vk3Gg7pRDuAlvaovBH4coCyCWpk5jEhUfFSYEDuaQB7do4" + +"IlJmeTHvkI0PIZWJ7bwQ2PVdipPWDx0NVwS/Cz5jUKiS3BbAmZQZOueiKLFpQq3A" + +"b8aOHA7WHU4078/1lM+bgeu33Ln1CGykEbmSjA/oKPi/JA=="); + + byte[] directCRL = Base64.decode( + "MIIGXTCCBckCAQEwCgYGKyQDAwECBQAwdDELMAkGA1UEBhMCREUxHDAaBgNVBAoU" + +"E0RldXRzY2hlIFRlbGVrb20gQUcxFzAVBgNVBAsUDlQtVGVsZVNlYyBUZXN0MS4w" + +"DAYHAoIGAQoHFBMBMTAeBgNVBAMUF1QtVGVsZVNlYyBUZXN0IERJUiA4OlBOFw0w" + +"NjA4MDQwODQ1MTRaFw0wNjA4MDQxNDQ1MTRaMIIElTAVAgQvrj/pFw0wMzA3MjIw" + +"NTQxMjhaMBUCBC+uP+oXDTAzMDcyMjA1NDEyOFowFQIEL64/5xcNMDQwNDA1MTMx" + +"ODE3WjAVAgQvrj/oFw0wNDA0MDUxMzE4MTdaMBUCBC+uP+UXDTAzMDExMzExMTgx" + +"MVowFQIEL64/5hcNMDMwMTEzMTExODExWjAVAgQvrj/jFw0wMzAxMTMxMTI2NTZa" + +"MBUCBC+uP+QXDTAzMDExMzExMjY1NlowFQIEL64/4hcNMDQwNzEzMDc1ODM4WjAV" + +"AgQvrj/eFw0wMzAyMTcwNjMzMjVaMBUCBC+uP98XDTAzMDIxNzA2MzMyNVowFQIE" + +"L64/0xcNMDMwMjE3MDYzMzI1WjAVAgQvrj/dFw0wMzAxMTMxMTI4MTRaMBUCBC+u" + +"P9cXDTAzMDExMzExMjcwN1owFQIEL64/2BcNMDMwMTEzMTEyNzA3WjAVAgQvrj/V" + +"Fw0wMzA0MzAxMjI3NTNaMBUCBC+uP9YXDTAzMDQzMDEyMjc1M1owFQIEL64/xhcN" + +"MDMwMjEyMTM0NTQwWjAVAgQvrj/FFw0wMzAyMTIxMzQ1NDBaMBUCBC+uP8IXDTAz" + +"MDIxMjEzMDkxNlowFQIEL64/wRcNMDMwMjEyMTMwODQwWjAVAgQvrj++Fw0wMzAy" + +"MTcwNjM3MjVaMBUCBC+uP70XDTAzMDIxNzA2MzcyNVowFQIEL64/sBcNMDMwMjEy" + +"MTMwODU5WjAVAgQvrj+vFw0wMzAyMTcwNjM3MjVaMBUCBC+uP5MXDTAzMDQxMDA1" + +"MjYyOFowFQIEL64/khcNMDMwNDEwMDUyNjI4WjAVAgQvrj8/Fw0wMzAyMjYxMTA0" + +"NDRaMBUCBC+uPz4XDTAzMDIyNjExMDQ0NFowFQIEL64+zRcNMDMwNTIwMDUyNzM2" + +"WjAVAgQvrj7MFw0wMzA1MjAwNTI3MzZaMBUCBC+uPjwXDTAzMDYxNzEwMzQxNlow" + +"FQIEL64+OxcNMDMwNjE3MTAzNDE2WjAVAgQvrj46Fw0wMzA2MTcxMDM0MTZaMBUC" + +"BC+uPjkXDTAzMDYxNzEzMDEwMFowFQIEL64+OBcNMDMwNjE3MTMwMTAwWjAVAgQv" + +"rj43Fw0wMzA2MTcxMzAxMDBaMBUCBC+uPjYXDTAzMDYxNzEzMDEwMFowFQIEL64+" + +"MxcNMDMwNjE3MTAzNzQ5WjAVAgQvrj4xFw0wMzA2MTcxMDQyNThaMBUCBC+uPjAX" + +"DTAzMDYxNzEwNDI1OFowFQIEL649qRcNMDMxMDIyMTEzMjI0WjAVAgQvrjyyFw0w" + +"NTAzMTEwNjQ0MjRaMBUCBC+uPKsXDTA0MDQwMjA3NTQ1M1owFQIEL6466BcNMDUw" + +"MTI3MTIwMzI0WjAVAgQvrjq+Fw0wNTAyMTYwNzU3MTZaMBUCBC+uOqcXDTA1MDMx" + +"MDA1NTkzNVowFQIEL646PBcNMDUwNTExMTA0OTQ2WjAVAgQvrG3VFw0wNTExMTEx" + +"MDAzMjFaMBUCBC+uLmgXDTA2MDEyMzEwMjU1NVowFQIEL64mxxcNMDYwODAxMDk0" + +"ODQ0WqCBijCBhzALBgNVHRQEBAICEQwwHwYDVR0jBBgwFoAUA1vI26YMj3njkfCU" + +"IXbo244kLjkwVwYDVR0SBFAwToZMbGRhcDovL3Brc2xkYXAudHR0Yy5kZS9vdT1U" + +"LVRlbGVTZWMgVGVzdCBESVIgODpQTixvPURldXRzY2hlIFRlbGVrb20gQUcsYz1k" + +"ZTAKBgYrJAMDAQIFAAOBgQArj4eMlbAwuA2aS5O4UUUHQMKKdK/dtZi60+LJMiMY" + +"ojrMIf4+ZCkgm1Ca0Cd5T15MJxVHhh167Ehn/Hd48pdnAP6Dfz/6LeqkIHGWMHR+" + +"z6TXpwWB+P4BdUec1ztz04LypsznrHcLRa91ixg9TZCb1MrOG+InNhleRs1ImXk8" + +"MQ=="); + + private final byte[] pkcs7CrlProblem = Base64.decode( + "MIIwSAYJKoZIhvcNAQcCoIIwOTCCMDUCAQExCzAJBgUrDgMCGgUAMAsGCSqG" + + "SIb3DQEHAaCCEsAwggP4MIIC4KADAgECAgF1MA0GCSqGSIb3DQEBBQUAMEUx" + + "CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR4wHAYDVQQD" + + "ExVHZW9UcnVzdCBDQSBmb3IgQWRvYmUwHhcNMDQxMjAyMjEyNTM5WhcNMDYx" + + "MjMwMjEyNTM5WjBMMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMR2VvVHJ1c3Qg" + + "SW5jMSYwJAYDVQQDEx1HZW9UcnVzdCBBZG9iZSBPQ1NQIFJlc3BvbmRlcjCB" + + "nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4gnNYhtw7U6QeVXZODnGhHMj" + + "+OgZ0DB393rEk6a2q9kq129IA2e03yKBTfJfQR9aWKc2Qj90dsSqPjvTDHFG" + + "Qsagm2FQuhnA3fb1UWhPzeEIdm6bxDsnQ8nWqKqxnWZzELZbdp3I9bBLizIq" + + "obZovzt60LNMghn/unvvuhpeVSsCAwEAAaOCAW4wggFqMA4GA1UdDwEB/wQE" + + "AwIE8DCB5QYDVR0gAQH/BIHaMIHXMIHUBgkqhkiG9y8BAgEwgcYwgZAGCCsG" + + "AQUFBwICMIGDGoGAVGhpcyBjZXJ0aWZpY2F0ZSBoYXMgYmVlbiBpc3N1ZWQg" + + "aW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBBY3JvYmF0IENyZWRlbnRpYWxzIENQ" + + "UyBsb2NhdGVkIGF0IGh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNl" + + "cy9jcHMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jl" + + "c291cmNlcy9jcHMwEwYDVR0lBAwwCgYIKwYBBQUHAwkwOgYDVR0fBDMwMTAv" + + "oC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9hZG9iZWNhMS5j" + + "cmwwHwYDVR0jBBgwFoAUq4BZw2WDbR19E70Zw+wajw1HaqMwDQYJKoZIhvcN" + + "AQEFBQADggEBAENJf1BD7PX5ivuaawt90q1OGzXpIQL/ClzEeFVmOIxqPc1E" + + "TFRq92YuxG5b6+R+k+tGkmCwPLcY8ipg6ZcbJ/AirQhohzjlFuT6YAXsTfEj" + + "CqEZfWM2sS7crK2EYxCMmKE3xDfPclYtrAoz7qZvxfQj0TuxHSstHZv39wu2" + + "ZiG1BWiEcyDQyTgqTOXBoZmfJtshuAcXmTpgkrYSrS37zNlPTGh+pMYQ0yWD" + + "c8OQRJR4OY5ZXfdna01mjtJTOmj6/6XPoLPYTq2gQrc2BCeNJ4bEhLb7sFVB" + + "PbwPrpzTE/HRbQHDrzj0YimDxeOUV/UXctgvYwHNtEkcBLsOm/uytMYwggSh" + + "MIIDiaADAgECAgQ+HL0oMA0GCSqGSIb3DQEBBQUAMGkxCzAJBgNVBAYTAlVT" + + "MSMwIQYDVQQKExpBZG9iZSBTeXN0ZW1zIEluY29ycG9yYXRlZDEdMBsGA1UE" + + "CxMUQWRvYmUgVHJ1c3QgU2VydmljZXMxFjAUBgNVBAMTDUFkb2JlIFJvb3Qg" + + "Q0EwHhcNMDMwMTA4MjMzNzIzWhcNMjMwMTA5MDAwNzIzWjBpMQswCQYDVQQG" + + "EwJVUzEjMCEGA1UEChMaQWRvYmUgU3lzdGVtcyBJbmNvcnBvcmF0ZWQxHTAb" + + "BgNVBAsTFEFkb2JlIFRydXN0IFNlcnZpY2VzMRYwFAYDVQQDEw1BZG9iZSBS" + + "b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzE9UhPen" + + "ouczU38/nBKIayyZR2d+Dx65rRSI+cMQ2B3w8NWfaQovWTWwzGypTJwVoJ/O" + + "IL+gz1Ti4CBmRT85hjh+nMSOByLGJPYBErA131XqaZCw24U3HuJOB7JCoWoT" + + "aaBm6oCREVkqmwh5WiBELcm9cziLPC/gQxtdswvwrzUaKf7vppLdgUydPVmO" + + "rTE8QH6bkTYG/OJcjdGNJtVcRc+vZT+xqtJilvSoOOq6YEL09BxKNRXO+E4i" + + "Vg+VGMX4lp+f+7C3eCXpgGu91grwxnSUnfMPUNuad85LcIMjjaDKeCBEXDxU" + + "ZPHqojAZn+pMBk0GeEtekt8i0slns3rSAQIDAQABo4IBTzCCAUswEQYJYIZI" + + "AYb4QgEBBAQDAgAHMIGOBgNVHR8EgYYwgYMwgYCgfqB8pHoweDELMAkGA1UE" + + "BhMCVVMxIzAhBgNVBAoTGkFkb2JlIFN5c3RlbXMgSW5jb3Jwb3JhdGVkMR0w" + + "GwYDVQQLExRBZG9iZSBUcnVzdCBTZXJ2aWNlczEWMBQGA1UEAxMNQWRvYmUg" + + "Um9vdCBDQTENMAsGA1UEAxMEQ1JMMTArBgNVHRAEJDAigA8yMDAzMDEwODIz" + + "MzcyM1qBDzIwMjMwMTA5MDAwNzIzWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgw" + + "FoAUgrc4SpOqmxDvgLvZVOLxD/uAnN4wHQYDVR0OBBYEFIK3OEqTqpsQ74C7" + + "2VTi8Q/7gJzeMAwGA1UdEwQFMAMBAf8wHQYJKoZIhvZ9B0EABBAwDhsIVjYu" + + "MDo0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4IBAQAy2p9DdcH6b8lv26sdNjc+" + + "vGEZNrcCPB0jWZhsnu5NhedUyCAfp9S74r8Ad30ka3AvXME6dkm10+AjhCpx" + + "aiLzwScpmBX2NZDkBEzDjbyfYRzn/SSM0URDjBa6m02l1DUvvBHOvfdRN42f" + + "kOQU8Rg/vulZEjX5M5LznuDVa5pxm5lLyHHD4bFhCcTl+pHwQjo3fTT5cujN" + + "qmIcIenV9IIQ43sFti1oVgt+fpIsb01yggztVnSynbmrLSsdEF/bJ3Vwj/0d" + + "1+ICoHnlHOX/r2RAUS2em0fbQqV8H8KmSLDXvpJpTaT2KVfFeBEY3IdRyhOy" + + "Yp1PKzK9MaXB+lKrBYjIMIIEyzCCA7OgAwIBAgIEPhy9tTANBgkqhkiG9w0B" + + "AQUFADBpMQswCQYDVQQGEwJVUzEjMCEGA1UEChMaQWRvYmUgU3lzdGVtcyBJ" + + "bmNvcnBvcmF0ZWQxHTAbBgNVBAsTFEFkb2JlIFRydXN0IFNlcnZpY2VzMRYw" + + "FAYDVQQDEw1BZG9iZSBSb290IENBMB4XDTA0MDExNzAwMDMzOVoXDTE1MDEx" + + "NTA4MDAwMFowRTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IElu" + + "Yy4xHjAcBgNVBAMTFUdlb1RydXN0IENBIGZvciBBZG9iZTCCASIwDQYJKoZI" + + "hvcNAQEBBQADggEPADCCAQoCggEBAKfld+BkeFrnOYW8r9L1WygTDlTdSfrO" + + "YvWS/Z6Ye5/l+HrBbOHqQCXBcSeCpz7kB2WdKMh1FOE4e9JlmICsHerBLdWk" + + "emU+/PDb69zh8E0cLoDfxukF6oVPXj6WSThdSG7H9aXFzRr6S3XGCuvgl+Qw" + + "DTLiLYW+ONF6DXwt3TQQtKReJjOJZk46ZZ0BvMStKyBaeB6DKZsmiIo89qso" + + "13VDZINH2w1KvXg0ygDizoNtbvgAPFymwnsINS1klfQlcvn0x0RJm9bYQXK3" + + "5GNZAgL3M7Lqrld0jMfIUaWvuHCLyivytRuzq1dJ7E8rmidjDEk/G+27pf13" + + "fNZ7vR7M+IkCAwEAAaOCAZ0wggGZMBIGA1UdEwEB/wQIMAYBAf8CAQEwUAYD" + + "VR0gBEkwRzBFBgkqhkiG9y8BAgEwODA2BggrBgEFBQcCARYqaHR0cHM6Ly93" + + "d3cuYWRvYmUuY29tL21pc2MvcGtpL2Nkc19jcC5odG1sMBQGA1UdJQQNMAsG" + + "CSqGSIb3LwEBBTCBsgYDVR0fBIGqMIGnMCKgIKAehhxodHRwOi8vY3JsLmFk" + + "b2JlLmNvbS9jZHMuY3JsMIGAoH6gfKR6MHgxCzAJBgNVBAYTAlVTMSMwIQYD" + + "VQQKExpBZG9iZSBTeXN0ZW1zIEluY29ycG9yYXRlZDEdMBsGA1UECxMUQWRv" + + "YmUgVHJ1c3QgU2VydmljZXMxFjAUBgNVBAMTDUFkb2JlIFJvb3QgQ0ExDTAL" + + "BgNVBAMTBENSTDEwCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFIK3OEqTqpsQ" + + "74C72VTi8Q/7gJzeMB0GA1UdDgQWBBSrgFnDZYNtHX0TvRnD7BqPDUdqozAZ" + + "BgkqhkiG9n0HQQAEDDAKGwRWNi4wAwIEkDANBgkqhkiG9w0BAQUFAAOCAQEA" + + "PzlZLqIAjrFeEWEs0uC29YyJhkXOE9mf3YSaFGsITF+Gl1j0pajTjyH4R35Q" + + "r3floW2q3HfNzTeZ90Jnr1DhVERD6zEMgJpCtJqVuk0sixuXJHghS/KicKf4" + + "YXJJPx9epuIRF1siBRnznnF90svmOJMXApc0jGnYn3nQfk4kaShSnDaYaeYR" + + "DJKcsiWhl6S5zfwS7Gg8hDeyckhMQKKWnlG1CQrwlSFisKCduoodwRtWgft8" + + "kx13iyKK3sbalm6vnVc+5nufS4vI+TwMXoV63NqYaSroafBWk0nL53zGXPEy" + + "+A69QhzEViJKn2Wgqt5gt++jMMNImbRObIqgfgF1VjCCBUwwggQ0oAMCAQIC" + + "AgGDMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1H" + + "ZW9UcnVzdCBJbmMuMR4wHAYDVQQDExVHZW9UcnVzdCBDQSBmb3IgQWRvYmUw" + + "HhcNMDYwMzI0MTU0MjI5WhcNMDkwNDA2MTQ0MjI5WjBzMQswCQYDVQQGEwJV" + + "UzELMAkGA1UECBMCTUExETAPBgNVBAoTCEdlb1RydXN0MR0wGwYDVQQDExRN" + + "YXJrZXRpbmcgRGVwYXJ0bWVudDElMCMGCSqGSIb3DQEJARYWbWFya2V0aW5n" + + "QGdlb3RydXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB" + + "ANmvajTO4XJvAU2nVcLmXeCnAQX7RZt+7+ML3InmqQ3LCGo1weop09zV069/" + + "1x/Nmieol7laEzeXxd2ghjGzwfXafqQEqHn6+vBCvqdNPoSi63fSWhnuDVWp" + + "KVDOYgxOonrXl+Cc43lu4zRSq+Pi5phhrjDWcH74a3/rdljUt4c4GFezFXfa" + + "w2oTzWkxj2cTSn0Szhpr17+p66UNt8uknlhmu4q44Speqql2HwmCEnpLYJrK" + + "W3fOq5D4qdsvsLR2EABLhrBezamLI3iGV8cRHOUTsbTMhWhv/lKfHAyf4XjA" + + "z9orzvPN5jthhIfICOFq/nStTgakyL4Ln+nFAB/SMPkCAwEAAaOCAhYwggIS" + + "MA4GA1UdDwEB/wQEAwIF4DCB5QYDVR0gAQH/BIHaMIHXMIHUBgkqhkiG9y8B" + + "AgEwgcYwgZAGCCsGAQUFBwICMIGDGoGAVGhpcyBjZXJ0aWZpY2F0ZSBoYXMg" + + "YmVlbiBpc3N1ZWQgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBBY3JvYmF0IENy" + + "ZWRlbnRpYWxzIENQUyBsb2NhdGVkIGF0IGh0dHA6Ly93d3cuZ2VvdHJ1c3Qu" + + "Y29tL3Jlc291cmNlcy9jcHMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2Vv" + + "dHJ1c3QuY29tL3Jlc291cmNlcy9jcHMwOgYDVR0fBDMwMTAvoC2gK4YpaHR0" + + "cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9hZG9iZWNhMS5jcmwwHwYDVR0j" + + "BBgwFoAUq4BZw2WDbR19E70Zw+wajw1HaqMwRAYIKwYBBQUHAQEEODA2MDQG" + + "CCsGAQUFBzABhihodHRwOi8vYWRvYmUtb2NzcC5nZW90cnVzdC5jb20vcmVz" + + "cG9uZGVyMBQGA1UdJQQNMAsGCSqGSIb3LwEBBTA8BgoqhkiG9y8BAQkBBC4w" + + "LAIBAYYnaHR0cDovL2Fkb2JlLXRpbWVzdGFtcC5nZW90cnVzdC5jb20vdHNh" + + "MBMGCiqGSIb3LwEBCQIEBTADAgEBMAwGA1UdEwQFMAMCAQAwDQYJKoZIhvcN" + + "AQEFBQADggEBAAOhy6QxOo+i3h877fvDvTa0plGD2bIqK7wMdNqbMDoSWied" + + "FIcgcBOIm2wLxOjZBAVj/3lDq59q2rnVeNnfXM0/N0MHI9TumHRjU7WNk9e4" + + "+JfJ4M+c3anrWOG3NE5cICDVgles+UHjXetHWql/LlP04+K2ZOLb6LE2xGnI" + + "YyLW9REzCYNAVF+/WkYdmyceHtaBZdbyVAJq0NAJPsfgY1pWcBo31Mr1fpX9" + + "WrXNTYDCqMyxMImJTmN3iI68tkXlNrhweQoArKFqBysiBkXzG/sGKYY6tWKU" + + "pzjLc3vIp/LrXC5zilROes8BSvwu1w9qQrJNcGwo7O4uijoNtyYil1Exgh1Q" + + "MIIdTAIBATBLMEUxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJ" + + "bmMuMR4wHAYDVQQDExVHZW9UcnVzdCBDQSBmb3IgQWRvYmUCAgGDMAkGBSsO" + + "AwIaBQCgggxMMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwIwYJKoZIhvcN" + + "AQkEMRYEFP4R6qIdpQJzWyzrqO8X1ZfJOgChMIIMCQYJKoZIhvcvAQEIMYIL" + + "+jCCC/agggZ5MIIGdTCCA6gwggKQMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV" + + "BAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR4wHAYDVQQDExVHZW9U" + + "cnVzdCBDQSBmb3IgQWRvYmUXDTA2MDQwNDE3NDAxMFoXDTA2MDQwNTE3NDAx" + + "MFowggIYMBMCAgC5Fw0wNTEwMTEyMDM2MzJaMBICAVsXDTA0MTEwNDE1MDk0" + + "MVowEwICALgXDTA1MTIxMjIyMzgzOFowEgIBWhcNMDQxMTA0MTUwOTMzWjAT" + + "AgIA5hcNMDUwODI3MDQwOTM4WjATAgIAtxcNMDYwMTE2MTc1NTEzWjATAgIA" + + "hhcNMDUxMjEyMjIzODU1WjATAgIAtRcNMDUwNzA2MTgzODQwWjATAgIA4BcN" + + "MDYwMzIwMDc0ODM0WjATAgIAgRcNMDUwODAyMjIzMTE1WjATAgIA3xcNMDUx" + + "MjEyMjIzNjUwWjASAgFKFw0wNDExMDQxNTA5MTZaMBICAUQXDTA0MTEwNDE1" + + "MDg1M1owEgIBQxcNMDQxMDAzMDEwMDQwWjASAgFsFw0wNDEyMDYxOTQ0MzFa" + + "MBMCAgEoFw0wNjAzMDkxMjA3MTJaMBMCAgEkFw0wNjAxMTYxNzU1MzRaMBIC" + + "AWcXDTA1MDMxODE3NTYxNFowEwICAVEXDTA2MDEzMTExMjcxMVowEgIBZBcN" + + "MDQxMTExMjI0ODQxWjATAgIA8RcNMDUwOTE2MTg0ODAxWjATAgIBThcNMDYw" + + "MjIxMjAxMDM2WjATAgIAwRcNMDUxMjEyMjIzODE2WjASAgFiFw0wNTAxMTAx" + + "NjE5MzRaMBICAWAXDTA1MDExMDE5MDAwNFowEwICAL4XDTA1MDUxNzE0NTYx" + + "MFowDQYJKoZIhvcNAQEFBQADggEBAEKhRMS3wVho1U3EvEQJZC8+JlUngmZQ" + + "A78KQbHPWNZWFlNvPuf/b0s7Lu16GfNHXh1QAW6Y5Hi1YtYZ3YOPyMd4Xugt" + + "gCdumbB6xtKsDyN5RvTht6ByXj+CYlYqsL7RX0izJZ6mJn4fjMkqzPKNOjb8" + + "kSn5T6rn93BjlATtCE8tPVOM8dnqGccRE0OV59+nDBXc90UMt5LdEbwaUOap" + + "snVB0oLcNm8d/HnlVH6RY5LnDjrT4vwfe/FApZtTecEWsllVUXDjSpwfcfD/" + + "476/lpGySB2otALqzImlA9R8Ok3hJ8dnF6hhQ5Oe6OJMnGYgdhkKbxsKkdib" + + "tTVl3qmH5QAwggLFMIIBrQIBATANBgkqhkiG9w0BAQUFADBpMQswCQYDVQQG" + + "EwJVUzEjMCEGA1UEChMaQWRvYmUgU3lzdGVtcyBJbmNvcnBvcmF0ZWQxHTAb" + + "BgNVBAsTFEFkb2JlIFRydXN0IFNlcnZpY2VzMRYwFAYDVQQDEw1BZG9iZSBS" + + "b290IENBFw0wNjAxMjcxODMzMzFaFw0wNzAxMjcwMDAwMDBaMIHeMCMCBD4c" + + "vUAXDTAzMDEyMTIzNDY1NlowDDAKBgNVHRUEAwoBBDAjAgQ+HL1BFw0wMzAx" + + "MjEyMzQ3MjJaMAwwCgYDVR0VBAMKAQQwIwIEPhy9YhcNMDMwMTIxMjM0NzQy" + + "WjAMMAoGA1UdFQQDCgEEMCMCBD4cvWEXDTA0MDExNzAxMDg0OFowDDAKBgNV" + + "HRUEAwoBBDAjAgQ+HL2qFw0wNDAxMTcwMTA5MDVaMAwwCgYDVR0VBAMKAQQw" + + "IwIEPhy9qBcNMDQwMTE3MDEzOTI5WjAMMAoGA1UdFQQDCgEEoC8wLTAKBgNV" + + "HRQEAwIBDzAfBgNVHSMEGDAWgBSCtzhKk6qbEO+Au9lU4vEP+4Cc3jANBgkq" + + "hkiG9w0BAQUFAAOCAQEAwtXF9042wG39icUlsotn5tpE3oCusLb/hBpEONhx" + + "OdfEQOq0w5hf/vqaxkcf71etA+KpbEUeSVaHMHRPhx/CmPrO9odE139dJdbt" + + "9iqbrC9iZokFK3h/es5kg73xujLKd7C/u5ngJ4mwBtvhMLjFjF2vJhPKHL4C" + + "IgMwdaUAhrcNzy16v+mw/VGJy3Fvc6oCESW1K9tvFW58qZSNXrMlsuidgunM" + + "hPKG+z0SXVyCqL7pnqKiaGddcgujYGOSY4S938oVcfZeZQEODtSYGlzldojX" + + "C1U1hCK5+tHAH0Ox/WqRBIol5VCZQwJftf44oG8oviYq52aaqSejXwmfT6zb" + + "76GCBXUwggVxMIIFbQoBAKCCBWYwggViBgkrBgEFBQcwAQEEggVTMIIFTzCB" + + "taIWBBS+8EpykfXdl4h3z7m/NZfdkAQQERgPMjAwNjA0MDQyMDIwMTVaMGUw" + + "YzA7MAkGBSsOAwIaBQAEFEb4BuZYkbjBjOjT6VeA/00fBvQaBBT3fTSQniOp" + + "BbHBSkz4xridlX0bsAICAYOAABgPMjAwNjA0MDQyMDIwMTVaoBEYDzIwMDYw" + + "NDA1MDgyMDE1WqEjMCEwHwYJKwYBBQUHMAECBBIEEFqooq/R2WltD7TposkT" + + "BhMwDQYJKoZIhvcNAQEFBQADgYEAMig6lty4b0JDsT/oanfQG5x6jVKPACpp" + + "1UA9SJ0apJJa7LeIdDFmu5C2S/CYiKZm4A4P9cAu0YzgLHxE4r6Op+HfVlAG" + + "6bzUe1P/hi1KCJ8r8wxOZAktQFPSzs85RAZwkHMfB0lP2e/h666Oye+Zf8VH" + + "RaE+/xZ7aswE89HXoumgggQAMIID/DCCA/gwggLgoAMCAQICAXUwDQYJKoZI" + + "hvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IElu" + + "Yy4xHjAcBgNVBAMTFUdlb1RydXN0IENBIGZvciBBZG9iZTAeFw0wNDEyMDIy" + + "MTI1MzlaFw0wNjEyMzAyMTI1MzlaMEwxCzAJBgNVBAYTAlVTMRUwEwYDVQQK" + + "EwxHZW9UcnVzdCBJbmMxJjAkBgNVBAMTHUdlb1RydXN0IEFkb2JlIE9DU1Ag" + + "UmVzcG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiCc1iG3Dt" + + "TpB5Vdk4OcaEcyP46BnQMHf3esSTprar2SrXb0gDZ7TfIoFN8l9BH1pYpzZC" + + "P3R2xKo+O9MMcUZCxqCbYVC6GcDd9vVRaE/N4Qh2bpvEOydDydaoqrGdZnMQ" + + "tlt2ncj1sEuLMiqhtmi/O3rQs0yCGf+6e++6Gl5VKwIDAQABo4IBbjCCAWow" + + "DgYDVR0PAQH/BAQDAgTwMIHlBgNVHSABAf8EgdowgdcwgdQGCSqGSIb3LwEC" + + "ATCBxjCBkAYIKwYBBQUHAgIwgYMagYBUaGlzIGNlcnRpZmljYXRlIGhhcyBi" + + "ZWVuIGlzc3VlZCBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIEFjcm9iYXQgQ3Jl" + + "ZGVudGlhbHMgQ1BTIGxvY2F0ZWQgYXQgaHR0cDovL3d3dy5nZW90cnVzdC5j" + + "b20vcmVzb3VyY2VzL2NwczAxBggrBgEFBQcCARYlaHR0cDovL3d3dy5nZW90" + + "cnVzdC5jb20vcmVzb3VyY2VzL2NwczATBgNVHSUEDDAKBggrBgEFBQcDCTA6" + + "BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz" + + "L2Fkb2JlY2ExLmNybDAfBgNVHSMEGDAWgBSrgFnDZYNtHX0TvRnD7BqPDUdq" + + "ozANBgkqhkiG9w0BAQUFAAOCAQEAQ0l/UEPs9fmK+5prC33SrU4bNekhAv8K" + + "XMR4VWY4jGo9zURMVGr3Zi7Eblvr5H6T60aSYLA8txjyKmDplxsn8CKtCGiH" + + "OOUW5PpgBexN8SMKoRl9YzaxLtysrYRjEIyYoTfEN89yVi2sCjPupm/F9CPR" + + "O7EdKy0dm/f3C7ZmIbUFaIRzINDJOCpM5cGhmZ8m2yG4BxeZOmCSthKtLfvM" + + "2U9MaH6kxhDTJYNzw5BElHg5jlld92drTWaO0lM6aPr/pc+gs9hOraBCtzYE" + + "J40nhsSEtvuwVUE9vA+unNMT8dFtAcOvOPRiKYPF45RX9Rdy2C9jAc20SRwE" + + "uw6b+7K0xjANBgkqhkiG9w0BAQEFAASCAQC7a4yICFGCEMPlJbydK5qLG3rV" + + "sip7Ojjz9TB4nLhC2DgsIHds8jjdq2zguInluH2nLaBCVS+qxDVlTjgbI2cB" + + "TaWS8nglC7nNjzkKAsa8vThA8FZUVXTW0pb74jNJJU2AA27bb4g+4WgunCrj" + + "fpYp+QjDyMmdrJVqRmt5eQN+dpVxMS9oq+NrhOSEhyIb4/rejgNg9wnVK1ms" + + "l5PxQ4x7kpm7+Ua41//owkJVWykRo4T1jo4eHEz1DolPykAaKie2VKH/sMqR" + + "Spjh4E5biKJLOV9fKivZWKAXByXfwUbbMsJvz4v/2yVHFy9xP+tqB5ZbRoDK" + + "k8PzUyCprozn+/22oYIPijCCD4YGCyqGSIb3DQEJEAIOMYIPdTCCD3EGCSqG" + + "SIb3DQEHAqCCD2Iwgg9eAgEDMQswCQYFKw4DAhoFADCB+gYLKoZIhvcNAQkQ" + + "AQSggeoEgecwgeQCAQEGAikCMCEwCQYFKw4DAhoFAAQUoT97qeCv3FXYaEcS" + + "gY8patCaCA8CAiMHGA8yMDA2MDQwNDIwMjA1N1owAwIBPAEB/wIIO0yRre3L" + + "8/6ggZCkgY0wgYoxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl" + + "dHRzMRAwDgYDVQQHEwdOZWVkaGFtMRUwEwYDVQQKEwxHZW9UcnVzdCBJbmMx" + + "EzARBgNVBAsTClByb2R1Y3Rpb24xJTAjBgNVBAMTHGFkb2JlLXRpbWVzdGFt" + + "cC5nZW90cnVzdC5jb22gggzJMIIDUTCCAjmgAwIBAgICAI8wDQYJKoZIhvcN" + + "AQEFBQAwRTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4x" + + "HjAcBgNVBAMTFUdlb1RydXN0IENBIGZvciBBZG9iZTAeFw0wNTAxMTAwMTI5" + + "MTBaFw0xNTAxMTUwODAwMDBaMIGKMQswCQYDVQQGEwJVUzEWMBQGA1UECBMN" + + "TWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHTmVlZGhhbTEVMBMGA1UEChMMR2Vv" + + "VHJ1c3QgSW5jMRMwEQYDVQQLEwpQcm9kdWN0aW9uMSUwIwYDVQQDExxhZG9i" + + "ZS10aW1lc3RhbXAuZ2VvdHJ1c3QuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN" + + "ADCBiQKBgQDRbxJotLFPWQuuEDhKtOMaBUJepGxIvWxeahMbq1DVmqnk88+j" + + "w/5lfPICPzQZ1oHrcTLSAFM7Mrz3pyyQKQKMqUyiemzuG/77ESUNfBNSUfAF" + + "PdtHuDMU8Is8ABVnFk63L+wdlvvDIlKkE08+VTKCRdjmuBVltMpQ6QcLFQzm" + + "AQIDAQABo4GIMIGFMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwuZ2Vv" + + "dHJ1c3QuY29tL2NybHMvYWRvYmVjYTEuY3JsMB8GA1UdIwQYMBaAFKuAWcNl" + + "g20dfRO9GcPsGo8NR2qjMA4GA1UdDwEB/wQEAwIGwDAWBgNVHSUBAf8EDDAK" + + "BggrBgEFBQcDCDANBgkqhkiG9w0BAQUFAAOCAQEAmnyXjdtX+F79Nf0KggTd" + + "6YC2MQD9s09IeXTd8TP3rBmizfM+7f3icggeCGakNfPRmIUMLoa0VM5Kt37T" + + "2X0TqzBWusfbKx7HnX4v1t/G8NJJlT4SShSHv+8bjjU4lUoCmW2oEcC5vXwP" + + "R5JfjCyois16npgcO05ZBT+LLDXyeBijE6qWmwLDfEpLyILzVRmyU4IE7jvm" + + "rgb3GXwDUvd3yQXGRRHbPCh3nj9hBGbuzyt7GnlqnEie3wzIyMG2ET/wvTX5" + + "4BFXKNe7lDLvZj/MXvd3V7gMTSVW0kAszKao56LfrVTgp1VX3UBQYwmQqaoA" + + "UwFezih+jEvjW6cYJo/ErDCCBKEwggOJoAMCAQICBD4cvSgwDQYJKoZIhvcN" + + "AQEFBQAwaTELMAkGA1UEBhMCVVMxIzAhBgNVBAoTGkFkb2JlIFN5c3RlbXMg" + + "SW5jb3Jwb3JhdGVkMR0wGwYDVQQLExRBZG9iZSBUcnVzdCBTZXJ2aWNlczEW" + + "MBQGA1UEAxMNQWRvYmUgUm9vdCBDQTAeFw0wMzAxMDgyMzM3MjNaFw0yMzAx" + + "MDkwMDA3MjNaMGkxCzAJBgNVBAYTAlVTMSMwIQYDVQQKExpBZG9iZSBTeXN0" + + "ZW1zIEluY29ycG9yYXRlZDEdMBsGA1UECxMUQWRvYmUgVHJ1c3QgU2Vydmlj" + + "ZXMxFjAUBgNVBAMTDUFkb2JlIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA" + + "A4IBDwAwggEKAoIBAQDMT1SE96ei5zNTfz+cEohrLJlHZ34PHrmtFIj5wxDY" + + "HfDw1Z9pCi9ZNbDMbKlMnBWgn84gv6DPVOLgIGZFPzmGOH6cxI4HIsYk9gES" + + "sDXfVeppkLDbhTce4k4HskKhahNpoGbqgJERWSqbCHlaIEQtyb1zOIs8L+BD" + + "G12zC/CvNRop/u+mkt2BTJ09WY6tMTxAfpuRNgb84lyN0Y0m1VxFz69lP7Gq" + + "0mKW9Kg46rpgQvT0HEo1Fc74TiJWD5UYxfiWn5/7sLd4JemAa73WCvDGdJSd" + + "8w9Q25p3zktwgyONoMp4IERcPFRk8eqiMBmf6kwGTQZ4S16S3yLSyWezetIB" + + "AgMBAAGjggFPMIIBSzARBglghkgBhvhCAQEEBAMCAAcwgY4GA1UdHwSBhjCB" + + "gzCBgKB+oHykejB4MQswCQYDVQQGEwJVUzEjMCEGA1UEChMaQWRvYmUgU3lz" + + "dGVtcyBJbmNvcnBvcmF0ZWQxHTAbBgNVBAsTFEFkb2JlIFRydXN0IFNlcnZp" + + "Y2VzMRYwFAYDVQQDEw1BZG9iZSBSb290IENBMQ0wCwYDVQQDEwRDUkwxMCsG" + + "A1UdEAQkMCKADzIwMDMwMTA4MjMzNzIzWoEPMjAyMzAxMDkwMDA3MjNaMAsG" + + "A1UdDwQEAwIBBjAfBgNVHSMEGDAWgBSCtzhKk6qbEO+Au9lU4vEP+4Cc3jAd" + + "BgNVHQ4EFgQUgrc4SpOqmxDvgLvZVOLxD/uAnN4wDAYDVR0TBAUwAwEB/zAd" + + "BgkqhkiG9n0HQQAEEDAOGwhWNi4wOjQuMAMCBJAwDQYJKoZIhvcNAQEFBQAD" + + "ggEBADLan0N1wfpvyW/bqx02Nz68YRk2twI8HSNZmGye7k2F51TIIB+n1Lvi" + + "vwB3fSRrcC9cwTp2SbXT4COEKnFqIvPBJymYFfY1kOQETMONvJ9hHOf9JIzR" + + "REOMFrqbTaXUNS+8Ec6991E3jZ+Q5BTxGD++6VkSNfkzkvOe4NVrmnGbmUvI" + + "ccPhsWEJxOX6kfBCOjd9NPly6M2qYhwh6dX0ghDjewW2LWhWC35+kixvTXKC" + + "DO1WdLKduastKx0QX9sndXCP/R3X4gKgeeUc5f+vZEBRLZ6bR9tCpXwfwqZI" + + "sNe+kmlNpPYpV8V4ERjch1HKE7JinU8rMr0xpcH6UqsFiMgwggTLMIIDs6AD" + + "AgECAgQ+HL21MA0GCSqGSIb3DQEBBQUAMGkxCzAJBgNVBAYTAlVTMSMwIQYD" + + "VQQKExpBZG9iZSBTeXN0ZW1zIEluY29ycG9yYXRlZDEdMBsGA1UECxMUQWRv" + + "YmUgVHJ1c3QgU2VydmljZXMxFjAUBgNVBAMTDUFkb2JlIFJvb3QgQ0EwHhcN" + + "MDQwMTE3MDAwMzM5WhcNMTUwMTE1MDgwMDAwWjBFMQswCQYDVQQGEwJVUzEW" + + "MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgQ0Eg" + + "Zm9yIEFkb2JlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp+V3" + + "4GR4Wuc5hbyv0vVbKBMOVN1J+s5i9ZL9nph7n+X4esFs4epAJcFxJ4KnPuQH" + + "ZZ0oyHUU4Th70mWYgKwd6sEt1aR6ZT788Nvr3OHwTRwugN/G6QXqhU9ePpZJ" + + "OF1Ibsf1pcXNGvpLdcYK6+CX5DANMuIthb440XoNfC3dNBC0pF4mM4lmTjpl" + + "nQG8xK0rIFp4HoMpmyaIijz2qyjXdUNkg0fbDUq9eDTKAOLOg21u+AA8XKbC" + + "ewg1LWSV9CVy+fTHREmb1thBcrfkY1kCAvczsuquV3SMx8hRpa+4cIvKK/K1" + + "G7OrV0nsTyuaJ2MMST8b7bul/Xd81nu9Hsz4iQIDAQABo4IBnTCCAZkwEgYD" + + "VR0TAQH/BAgwBgEB/wIBATBQBgNVHSAESTBHMEUGCSqGSIb3LwECATA4MDYG" + + "CCsGAQUFBwIBFipodHRwczovL3d3dy5hZG9iZS5jb20vbWlzYy9wa2kvY2Rz" + + "X2NwLmh0bWwwFAYDVR0lBA0wCwYJKoZIhvcvAQEFMIGyBgNVHR8Egaowgacw" + + "IqAgoB6GHGh0dHA6Ly9jcmwuYWRvYmUuY29tL2Nkcy5jcmwwgYCgfqB8pHow" + + "eDELMAkGA1UEBhMCVVMxIzAhBgNVBAoTGkFkb2JlIFN5c3RlbXMgSW5jb3Jw" + + "b3JhdGVkMR0wGwYDVQQLExRBZG9iZSBUcnVzdCBTZXJ2aWNlczEWMBQGA1UE" + + "AxMNQWRvYmUgUm9vdCBDQTENMAsGA1UEAxMEQ1JMMTALBgNVHQ8EBAMCAQYw" + + "HwYDVR0jBBgwFoAUgrc4SpOqmxDvgLvZVOLxD/uAnN4wHQYDVR0OBBYEFKuA" + + "WcNlg20dfRO9GcPsGo8NR2qjMBkGCSqGSIb2fQdBAAQMMAobBFY2LjADAgSQ" + + "MA0GCSqGSIb3DQEBBQUAA4IBAQA/OVkuogCOsV4RYSzS4Lb1jImGRc4T2Z/d" + + "hJoUawhMX4aXWPSlqNOPIfhHflCvd+Whbarcd83NN5n3QmevUOFUREPrMQyA" + + "mkK0mpW6TSyLG5ckeCFL8qJwp/hhckk/H16m4hEXWyIFGfOecX3Sy+Y4kxcC" + + "lzSMadifedB+TiRpKFKcNphp5hEMkpyyJaGXpLnN/BLsaDyEN7JySExAopae" + + "UbUJCvCVIWKwoJ26ih3BG1aB+3yTHXeLIorextqWbq+dVz7me59Li8j5PAxe" + + "hXrc2phpKuhp8FaTScvnfMZc8TL4Dr1CHMRWIkqfZaCq3mC376Mww0iZtE5s" + + "iqB+AXVWMYIBgDCCAXwCAQEwSzBFMQswCQYDVQQGEwJVUzEWMBQGA1UEChMN" + + "R2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgQ0EgZm9yIEFkb2Jl" + + "AgIAjzAJBgUrDgMCGgUAoIGMMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRAB" + + "BDAcBgkqhkiG9w0BCQUxDxcNMDYwNDA0MjAyMDU3WjAjBgkqhkiG9w0BCQQx" + + "FgQUp7AnXBqoNcarvO7fMJut1og2U5AwKwYLKoZIhvcNAQkQAgwxHDAaMBgw" + + "FgQU1dH4eZTNhgxdiSABrat6zsPdth0wDQYJKoZIhvcNAQEBBQAEgYCinr/F" + + "rMiQz/MRm9ZD5YGcC0Qo2dRTPd0Aop8mZ4g1xAhKFLnp7lLsjCbkSDpVLDBh" + + "cnCk7CV+3FT5hlvt8OqZlR0CnkSnCswLFhrppiWle6cpxlwGqyAteC8uKtQu" + + "wjE5GtBKLcCOAzQYyyuNZZeB6oCZ+3mPhZ62FxrvvEGJCgAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="); + + private final byte[] emptyDNCert = Base64.decode( + "MIICfTCCAeagAwIBAgIBajANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJVUzEMMAoGA1UEChMD" + + "Q0RXMQkwBwYDVQQLEwAxCTAHBgNVBAcTADEJMAcGA1UECBMAMRowGAYDVQQDExFUZW1wbGFyIFRl" + + "c3QgMTAyNDEiMCAGCSqGSIb3DQEJARYTdGVtcGxhcnRlc3RAY2R3LmNvbTAeFw0wNjA1MjIwNTAw" + + "MDBaFw0xMDA1MjIwNTAwMDBaMHwxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNDRFcxCTAHBgNVBAsT" + + "ADEJMAcGA1UEBxMAMQkwBwYDVQQIEwAxGjAYBgNVBAMTEVRlbXBsYXIgVGVzdCAxMDI0MSIwIAYJ" + + "KoZIhvcNAQkBFhN0ZW1wbGFydGVzdEBjZHcuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB" + + "gQDH3aJpJBfM+A3d84j5YcU6zEQaQ76u5xO9NSBmHjZykKS2kCcUqPpvVOPDA5WgV22dtKPh+lYV" + + "iUp7wyCVwAKibq8HIbihHceFqMKzjwC639rMoDJ7bi/yzQWz1Zg+075a4FGPlUKn7Yfu89wKkjdW" + + "wDpRPXc/agqBnrx5pJTXzQIDAQABow8wDTALBgNVHQ8EBAMCALEwDQYJKoZIhvcNAQEEBQADgYEA" + + "RRsRsjse3i2/KClFVd6YLZ+7K1BE0WxFyY2bbytkwQJSxvv3vLSuweFUbhNxutb68wl/yW4GLy4b" + + "1QdyswNxrNDXTuu5ILKhRDDuWeocz83aG2KGtr3JlFyr3biWGEyn5WUOE6tbONoQDJ0oPYgI6CAc" + + "EHdUp0lioOCt6UOw7Cs="); + + private final byte[] gostRFC4491_94 = Base64.decode( + "MIICCzCCAboCECMO42BGlSTOxwvklBgufuswCAYGKoUDAgIEMGkxHTAbBgNVBAMM" + + "FEdvc3RSMzQxMC05NCBleGFtcGxlMRIwEAYDVQQKDAlDcnlwdG9Qcm8xCzAJBgNV" + + "BAYTAlJVMScwJQYJKoZIhvcNAQkBFhhHb3N0UjM0MTAtOTRAZXhhbXBsZS5jb20w" + + "HhcNMDUwODE2MTIzMjUwWhcNMTUwODE2MTIzMjUwWjBpMR0wGwYDVQQDDBRHb3N0" + + "UjM0MTAtOTQgZXhhbXBsZTESMBAGA1UECgwJQ3J5cHRvUHJvMQswCQYDVQQGEwJS" + + "VTEnMCUGCSqGSIb3DQEJARYYR29zdFIzNDEwLTk0QGV4YW1wbGUuY29tMIGlMBwG" + + "BiqFAwICFDASBgcqhQMCAiACBgcqhQMCAh4BA4GEAASBgLuEZuF5nls02CyAfxOo" + + "GWZxV/6MVCUhR28wCyd3RpjG+0dVvrey85NsObVCNyaE4g0QiiQOHwxCTSs7ESuo" + + "v2Y5MlyUi8Go/htjEvYJJYfMdRv05YmKCYJo01x3pg+2kBATjeM+fJyR1qwNCCw+" + + "eMG1wra3Gqgqi0WBkzIydvp7MAgGBiqFAwICBANBABHHCH4S3ALxAiMpR3aPRyqB" + + "g1DjB8zy5DEjiULIc+HeIveF81W9lOxGkZxnrFjXBSqnjLeFKgF1hffXOAP7zUM="); + + private final byte[] gostRFC4491_2001 = Base64.decode( + "MIIB0DCCAX8CECv1xh7CEb0Xx9zUYma0LiEwCAYGKoUDAgIDMG0xHzAdBgNVBAMM" + + "Fkdvc3RSMzQxMC0yMDAxIGV4YW1wbGUxEjAQBgNVBAoMCUNyeXB0b1BybzELMAkG" + + "A1UEBhMCUlUxKTAnBgkqhkiG9w0BCQEWGkdvc3RSMzQxMC0yMDAxQGV4YW1wbGUu" + + "Y29tMB4XDTA1MDgxNjE0MTgyMFoXDTE1MDgxNjE0MTgyMFowbTEfMB0GA1UEAwwW" + + "R29zdFIzNDEwLTIwMDEgZXhhbXBsZTESMBAGA1UECgwJQ3J5cHRvUHJvMQswCQYD" + + "VQQGEwJSVTEpMCcGCSqGSIb3DQEJARYaR29zdFIzNDEwLTIwMDFAZXhhbXBsZS5j" + + "b20wYzAcBgYqhQMCAhMwEgYHKoUDAgIkAAYHKoUDAgIeAQNDAARAhJVodWACGkB1" + + "CM0TjDGJLP3lBQN6Q1z0bSsP508yfleP68wWuZWIA9CafIWuD+SN6qa7flbHy7Df" + + "D2a8yuoaYDAIBgYqhQMCAgMDQQA8L8kJRLcnqeyn1en7U23Sw6pkfEQu3u0xFkVP" + + "vFQ/3cHeF26NG+xxtZPz3TaTVXdoiYkXYiD02rEx1bUcM97i"); + + private final byte[] uaczo1 = Base64.decode( + "MIIFWzCCBNegAwIBAgIUMAR1He8seK4BAAAAAQAAAAEAAAAwDQYLKoYkAgEBAQED" + + "AQEwgfoxPzA9BgNVBAoMNtCc0ZbQvdGW0YHRgtC10YDRgdGC0LLQviDRjtGB0YLQ" + + "uNGG0ZbRlyDQo9C60YDQsNGX0L3QuDExMC8GA1UECwwo0JDQtNC80ZbQvdGW0YHR" + + "gtGA0LDRgtC+0YAg0IbQotChINCm0JfQnjFJMEcGA1UEAwxA0KbQtdC90YLRgNCw" + + "0LvRjNC90LjQuSDQt9Cw0YHQstGW0LTRh9GD0LLQsNC70YzQvdC40Lkg0L7RgNCz" + + "0LDQvTEZMBcGA1UEBQwQVUEtMDAwMTU2MjItMjAxMjELMAkGA1UEBhMCVUExETAP" + + "BgNVBAcMCNCa0LjRl9CyMB4XDTEyMDkyODE5NTMwMFoXDTIyMDkyODE5NTMwMFow" + + "gfoxPzA9BgNVBAoMNtCc0ZbQvdGW0YHRgtC10YDRgdGC0LLQviDRjtGB0YLQuNGG" + + "0ZbRlyDQo9C60YDQsNGX0L3QuDExMC8GA1UECwwo0JDQtNC80ZbQvdGW0YHRgtGA" + + "0LDRgtC+0YAg0IbQotChINCm0JfQnjFJMEcGA1UEAwxA0KbQtdC90YLRgNCw0LvR" + + "jNC90LjQuSDQt9Cw0YHQstGW0LTRh9GD0LLQsNC70YzQvdC40Lkg0L7RgNCz0LDQ" + + "vTEZMBcGA1UEBQwQVUEtMDAwMTU2MjItMjAxMjELMAkGA1UEBhMCVUExETAPBgNV" + + "BAcMCNCa0LjRl9CyMIIBUTCCARIGCyqGJAIBAQEBAwEBMIIBATCBvDAPAgIBrzAJ" + + "AgEBAgEDAgEFAgEBBDbzykDGaaTaFzFJyhLDLa4Ya1Osa8Y2WZferq6K0tiI+b/V" + + "NAFpTvnEJz2M/m3Cj3BqD0kQzgMCNj//////////////////////////////////" + + "/7oxdUWACajApyTwL4Gqih/Lr4DZDHqVEQUEzwQ2fIV8lMVDO/2ZHhfCJoQGWFCp" + + "oknte8JJrlpOh4aJ+HLvetUkCC7DA46a7ee6a6Ezgdl5umIaBECp1utF8TxwgoDE" + + "lnsjH16t9ljrpMA3KR042WvwJcpOF/jpcg3GFbQ6KJdfC8Heo2Q4tWTqLBef0BI+" + + "bbj6xXkEAzkABDa2G/m9S2LKqyw5UPXFHV+oDXB+AHtSW3BnZ9zlzRuvbido2tDG" + + "qE/CL5kFHZE0NfTrHrGa1USjggE6MIIBNjApBgNVHQ4EIgQgMAR1He8seK4VC6vv" + + "vv8Nq9v4LOVonutO0xCl+xM4+wowKwYDVR0jBCQwIoAgMAR1He8seK4VC6vvvv8N" + + "q9v4LOVonutO0xCl+xM4+wowDgYDVR0PAQH/BAQDAgEGMBkGA1UdIAEB/wQPMA0w" + + "CwYJKoYkAgEBAQICMBIGA1UdEwEB/wQIMAYBAf8CAQIwHgYIKwYBBQUHAQMBAf8E" + + "DzANMAsGCSqGJAIBAQECATA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3pvLmdv" + + "di51YS9kb3dubG9hZC9jcmxzL0NaTy1GdWxsLmNybDA+BgNVHS4ENzA1MDOgMaAv" + + "hi1odHRwOi8vY3pvLmdvdi51YS9kb3dubG9hZC9jcmxzL0NaTy1EZWx0YS5jcmww" + + "DQYLKoYkAgEBAQEDAQEDbwAEbPF4bx7drDxzzYABhB33Y0MQ+/N5FuPl7faVx/es" + + "V5n5DXg5TzZovzZeICB5JHPLcbdeCq6aGwvXsgybt34zqf7LKmfq0rFNYfXJVWFH" + + "4Tg5sPA+fCQ+T0O35VN873BLgTGz7bnHH9o8bnjwMA=="); + + private final byte[] uaczo2 = Base64.decode( + "MIIEvTCCBDmgAwIBAgIDAYhwMA0GCyqGJAIBAQEBAwEBMIIBHjELMAkGA1UEBhMC" + + "VUExKDAmBgNVBAgMH9Ca0LjRl9Cy0YHRjNC60LAg0L7QsdC70LDRgdGC0YwxETAP" + + "BgNVBAcMCNCa0LjRl9CyMUkwRwYDVQQKDEDQptC10L3RgtGA0LDQu9GM0L3QuNC5" + + "INC30LDRgdCy0ZbQtNGH0YPQstCw0LvRjNC90LjQuSDQvtGA0LPQsNC9MTUwMwYD" + + "VQQLDCzQotC10YXQvdC+0LvQvtCz0ZbRh9C90LjQuSDRhtC10L3RgtGAINCm0JfQ" + + "njE1MDMGA1UEAwws0KPQutGA0LDRl9C90LAsINCm0JfQniAvIFVrcmFpbmUsIENl" + + "bnRyYWwgQ0ExGTAXBgNVBAUTEFVBLTM3MjAwMzAzLTIwMTAwHhcNMDYxMjI1MDc0" + + "MDU4WhcNMTExMjI0MDc0MDU4WjCCAR4xCzAJBgNVBAYTAlVBMSgwJgYDVQQIDB/Q" + + "mtC40ZfQstGB0YzQutCwINC+0LHQu9Cw0YHRgtGMMREwDwYDVQQHDAjQmtC40ZfQ" + + "sjFJMEcGA1UECgxA0KbQtdC90YLRgNCw0LvRjNC90LjQuSDQt9Cw0YHQstGW0LTR" + + "h9GD0LLQsNC70YzQvdC40Lkg0L7RgNCz0LDQvTE1MDMGA1UECwws0KLQtdGF0L3Q" + + "vtC70L7Qs9GW0YfQvdC40Lkg0YbQtdC90YLRgCDQptCX0J4xNTAzBgNVBAMMLNCj" + + "0LrRgNCw0ZfQvdCwLCDQptCX0J4gLyBVa3JhaW5lLCBDZW50cmFsIENBMRkwFwYD" + + "VQQFExBVQS0zNzIwMDMwMy0yMDEwMIGdMGAGCyqGJAIBAQEBAwEBMFEGDSqGJAIB" + + "AQEBAwEBAgkEQKnW60XxPHCCgMSWeyMfXq32WOukwDcpHTjZa/Alyk4X+OlyDcYV" + + "tDool18Lwd6jZDi1ZOosF5/QEj5tuPrFeQQDOQAENlMfji/H5gxxL5TKtLMFv2X3" + + "0EJrj3orwGV0zEz+EgSChr+I8bsOrnfkr5UwMQIjGJOg1G/nYKOCARgwggEUMA8G" + + "A1UdEwEB/wQFMAMBAf8weQYDVR0gAQH/BG8wbTBeBgkqhiQCAQEBAgEwUTBPBggr" + + "BgEFBQcCARZDaHR0cDovL2N6by5nb3YudWEvY29udGVudC9ub3JtYXRpdmVfZG9j" + + "dW1lbnQvZ2VuZXJhbF9kb2MvcmVnQ1pPLnppcDALBgkqhiQCAQEBAgIwHgYIKwYB" + + "BQUHAQMBAf8EDzANMAsGCSqGJAIBAQECATAOBgNVHQ8BAf8EBAMCAcYwKQYDVR0O" + + "BCIEIPqbNt55OgWdLCn8hfuY9HJE3d3+DTTBlTJBN0nxog+mMCsGA1UdIwQkMCKA" + + "IPqbNt55OgWdLCn8hfuY9HJE3d3+DTTBlTJBN0nxog+mMA0GCyqGJAIBAQEBAwEB" + + "A28ABGx8QNaWcy0admsBt6iB0Vi+kAargzsQuoc/BThskYdxGNftLvYDPYxkEM2N" + + "GQ+9f1RJgCSNVRj3NhWoHhkqcL5R3gxAHie+a+zMqsX0258hGdT3MXkm0Syn/cNo" + + "sga4XzzvnVaas9vsPKMrZTQ="); + + private final byte[] uaczo3 = Base64.decode( + "MIIEtTCCBDGgAwIBAgIDAYisMA0GCyqGJAIBAQEBAwEBMIIBGjELMAkGA1UEBhMC" + + "VUExKDAmBgNVBAgMH9Ca0LjRl9Cy0YHRjNC60LAg0L7QsdC70LDRgdGC0YwxETAP" + + "BgNVBAcMCNCa0LjRl9CyMUkwRwYDVQQKDEDQptC10L3RgtGA0LDQu9GM0L3QuNC5" + + "INC30LDRgdCy0ZbQtNGH0YPQstCw0LvRjNC90LjQuSDQvtGA0LPQsNC9MTEwLwYD" + + "VQQLDCjQkNC00LzRltC90ZbRgdGC0YDQsNGC0L7RgCDQhtCi0KEg0KbQl9CeMTUw" + + "MwYDVQQDDCzQo9C60YDQsNGX0L3QsCwg0KbQl9CeIC8gVWtyYWluZSwgQ2VudHJh" + + "bCBDQTEZMBcGA1UEBRMQVUEtMDAwMTU2MjItMjAxMTAeFw0wNzEyMjAxMDAwMDBa" + + "Fw0xMjEyMTgxMDAwMDBaMIIBGjELMAkGA1UEBhMCVUExKDAmBgNVBAgMH9Ca0LjR" + + "l9Cy0YHRjNC60LAg0L7QsdC70LDRgdGC0YwxETAPBgNVBAcMCNCa0LjRl9CyMUkw" + + "RwYDVQQKDEDQptC10L3RgtGA0LDQu9GM0L3QuNC5INC30LDRgdCy0ZbQtNGH0YPQ" + + "stCw0LvRjNC90LjQuSDQvtGA0LPQsNC9MTEwLwYDVQQLDCjQkNC00LzRltC90ZbR" + + "gdGC0YDQsNGC0L7RgCDQhtCi0KEg0KbQl9CeMTUwMwYDVQQDDCzQo9C60YDQsNGX" + + "0L3QsCwg0KbQl9CeIC8gVWtyYWluZSwgQ2VudHJhbCBDQTEZMBcGA1UEBRMQVUEt" + + "MDAwMTU2MjItMjAxMTCBnTBgBgsqhiQCAQEBAQMBATBRBg0qhiQCAQEBAQMBAQIJ" + + "BECp1utF8TxwgoDElnsjH16t9ljrpMA3KR042WvwJcpOF/jpcg3GFbQ6KJdfC8He" + + "o2Q4tWTqLBef0BI+bbj6xXkEAzkABDajkfNBomH27xjY1N7wklRvY5E0ZFaU53Fh" + + "y4jUY+G4AUhEHHCkTvUja8CUxPqtb9KyfuZELVOjggEYMIIBFDAPBgNVHRMBAf8E" + + "BTADAQH/MHkGA1UdIAEB/wRvMG0wXgYJKoYkAgEBAQIBMFEwTwYIKwYBBQUHAgEW" + + "Q2h0dHA6Ly9jem8uZ292LnVhL2NvbnRlbnQvbm9ybWF0aXZlX2RvY3VtZW50L2dl" + + "bmVyYWxfZG9jL3JlZ0NaTy56aXAwCwYJKoYkAgEBAQICMB4GCCsGAQUFBwEDAQH/" + + "BA8wDTALBgkqhiQCAQEBAgEwDgYDVR0PAQH/BAQDAgHGMCkGA1UdDgQiBCC+e+cA" + + "bIdAgQkh6q3dUAZjPrNhwDDGrVnLNP6telmoCjArBgNVHSMEJDAigCC+e+cAbIdA" + + "gQkh6q3dUAZjPrNhwDDGrVnLNP6telmoCjANBgsqhiQCAQEBAQMBAQNvAARsyq9i" + + "ajEgdBh5mPUZefcLY56AIRWqmsJsWuZuUbCa5oQXRH5iCRa4PSvs8v6zHAKKlMgK" + + "gaoY6jywqmwiMlylbSgo/A0HKdCFnUUl7S8yjE4054MSSIjb2R0c2pmqmwtU25JB" + + "/MkNbe77Uzka"); + + private final byte[] uaczo4 = Base64.decode( + "MIIEKzCCA6egAwIBAgIBATANBgsqhiQCAQEBAQMBATCBzDFJMEcGA1UECwxA0KbQ" + + "tdC90YLRgNCw0LvRjNC90LjQuSDQt9Cw0YHQstGW0LTRh9GD0LLQsNC70YzQvdC4" + + "0Lkg0L7RgNCz0LDQvTE1MDMGA1UEAwws0KPQutGA0LDRl9C90LAsINCm0JfQniAv" + + "IFVrcmFpbmUsIENlbnRyYWwgQ0ExCzAJBgNVBAYTAlVBMREwDwYDVQQHDAjQmtC4" + + "0ZfQsjEoMCYGA1UECAwf0JrQuNGX0LLRgdGM0LrQsCDQvtCx0LvQsNGB0YLRjDAe" + + "Fw0wNTEyMjMyMzAxMDFaFw0xMDEyMjMyMzAxMDFaMIHMMUkwRwYDVQQLDEDQptC1" + + "0L3RgtGA0LDQu9GM0L3QuNC5INC30LDRgdCy0ZbQtNGH0YPQstCw0LvRjNC90LjQ" + + "uSDQvtGA0LPQsNC9MTUwMwYDVQQDDCzQo9C60YDQsNGX0L3QsCwg0KbQl9CeIC8g" + + "VWtyYWluZSwgQ2VudHJhbCBDQTELMAkGA1UEBhMCVUExETAPBgNVBAcMCNCa0LjR" + + "l9CyMSgwJgYDVQQIDB/QmtC40ZfQstGB0YzQutCwINC+0LHQu9Cw0YHRgtGMMIIB" + + "UTCCARIGCyqGJAIBAQEBAwEBMIIBATCBvDAPAgIBrzAJAgEBAgEDAgEFAgEBBDbz" + + "ykDGaaTaFzFJyhLDLa4Ya1Osa8Y2WZferq6K0tiI+b/VNAFpTvnEJz2M/m3Cj3Bq" + + "D0kQzgMCNj///////////////////////////////////7oxdUWACajApyTwL4Gq" + + "ih/Lr4DZDHqVEQUEzwQ2lqAgR9+skUI33jGNgj2Qsh9+3x7so5koelwr4fy89k/x" + + "5eqNSvFZ/1fPHfXz+iz7PmFIhr15BECLwhftNllK8B904j3LmmBY/teFIBSrw2lL" + + "CKc1nWIez+h/01q0GSxgeuwU0oOw9WmwlkGuj13DJ8cSmm70jTULAzkABDa6vb3U" + + "VIxZr2cXcVSvKkPM65Ii2+8biqyoH8i9e0NKJu+IhjDvUrvzlr8U+ywuf5bpSj4N" + + "fEmjezB5MA4GA1UdDwEB/wQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MCsGA1UdIwQk" + + "MCKAIOPEn/xcXE6VGFNB8vbfXS1XMYYzAa4ML8opsOslTHJNMCkGA1UdDgQiBCDj" + + "xJ/8XFxOlRhTQfL2310tVzGGMwGuDC/KKbDrJUxyTTANBgsqhiQCAQEBAQMBAQNv" + + "AARsh0unjBfQoINx2rXAJggrBdoRsCouw8lN771DhcuUrlQUuEEQHTaZrQoYbECu" + + "AGfsxfTyldQDEOVzD/Uq8Xh4gIHuSqki9mRSjMR19MQtTKRmI9TRHIeTdIZ6l3P7" + + "jFfGJvTP0E9NYSolx+kM"); + + private PublicKey dudPublicKey = new PublicKey() + { + public String getAlgorithm() + { + return null; + } + + public String getFormat() + { + return null; + } + + public byte[] getEncoded() + { + return null; + } + + }; + + public String getName() + { + return "CertTest"; + } + + public void checkCertificate( + int id, + byte[] bytes) + { + ByteArrayInputStream bIn; + String dump = ""; + + try + { + bIn = new ByteArrayInputStream(bytes); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + Certificate cert = fact.generateCertificate(bIn); + + PublicKey k = cert.getPublicKey(); + // System.out.println(cert); + } + catch (Exception e) + { + fail(dump + System.getProperty("line.separator") + getName() + ": "+ id + " failed - exception " + e.toString(), e); + } + + } + + public void checkNameCertificate( + int id, + byte[] bytes) + { + ByteArrayInputStream bIn; + String dump = ""; + + try + { + bIn = new ByteArrayInputStream(bytes); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate cert = (X509Certificate)fact.generateCertificate(bIn); + + PublicKey k = cert.getPublicKey(); + if (!cert.getIssuerDN().toString().equals("C=DE,O=DATEV eG,0.2.262.1.10.7.20=1+CN=CA DATEV D03 1:PN")) + { + fail(id + " failed - name test."); + } + // System.out.println(cert); + } + catch (Exception e) + { + fail(dump + System.getProperty("line.separator") + getName() + ": "+ id + " failed - exception " + e.toString(), e); + } + + } + + public void checkKeyUsage( + int id, + byte[] bytes) + { + ByteArrayInputStream bIn; + String dump = ""; + + try + { + bIn = new ByteArrayInputStream(bytes); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate cert = (X509Certificate)fact.generateCertificate(bIn); + + PublicKey k = cert.getPublicKey(); + + if (cert.getKeyUsage()[7]) + { + fail("error generating cert - key usage wrong."); + } + + // System.out.println(cert); + } + catch (Exception e) + { + fail(dump + System.getProperty("line.separator") + getName() + ": "+ id + " failed - exception " + e.toString(), e); + } + + } + + + public void checkSelfSignedCertificate( + int id, + byte[] bytes) + { + ByteArrayInputStream bIn; + String dump = ""; + + try + { + bIn = new ByteArrayInputStream(bytes); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + Certificate cert = fact.generateCertificate(bIn); + + PublicKey k = cert.getPublicKey(); + + cert.verify(k); + // System.out.println(cert); + } + catch (Exception e) + { + fail(dump + System.getProperty("line.separator") + getName() + ": "+ id + " failed - exception " + e.toString(), e); + } + + } + + /** + * we generate a self signed certificate for the sake of testing - RSA + */ + public void checkCreation1() + throws Exception + { + // + // a sample key pair. + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + + privKey = fact.generatePrivate(privKeySpec); + pubKey = fact.generatePublic(pubKeySpec); + + // + // distinguished name table. + // + Vector ord = new Vector(); + Vector values = new Vector(); + + ord.addElement(X509Principal.C); + ord.addElement(X509Principal.O); + ord.addElement(X509Principal.L); + ord.addElement(X509Principal.ST); + ord.addElement(X509Principal.E); + + values.addElement("AU"); + values.addElement("The Legion of the Bouncy Castle"); + values.addElement("Melbourne"); + values.addElement("Victoria"); + values.addElement("feedback-crypto@bouncycastle.org"); + + // + // extensions + // + + // + // create the certificate - version 3 - without extensions + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + X509Certificate cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + Set dummySet = cert.getNonCriticalExtensionOIDs(); + if (dummySet != null) + { + fail("non-critical oid set should be null"); + } + dummySet = cert.getCriticalExtensionOIDs(); + if (dummySet != null) + { + fail("critical oid set should be null"); + } + + // + // create the certificate - version 3 - with extensions + // + certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("MD5WithRSAEncryption"); + certGen.addExtension("2.5.29.15", true, + new X509KeyUsage(X509KeyUsage.encipherOnly)); + certGen.addExtension("2.5.29.37", true, + new DERSequence(KeyPurposeId.anyExtendedKeyUsage)); + certGen.addExtension("2.5.29.17", true, + new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); + + cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + ByteArrayInputStream sbIn = new ByteArrayInputStream(cert.getEncoded()); + ASN1InputStream sdIn = new ASN1InputStream(sbIn); + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory certFact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)certFact.generateCertificate(bIn); + + if (!cert.getKeyUsage()[7]) + { + fail("error generating cert - key usage wrong."); + } + + List l = cert.getExtendedKeyUsage(); + if (!l.get(0).equals(KeyPurposeId.anyExtendedKeyUsage.getId())) + { + fail("failed extended key usage test"); + } + + Collection c = cert.getSubjectAlternativeNames(); + Iterator it = c.iterator(); + while (it.hasNext()) + { + List gn = (List)it.next(); + if (!gn.get(1).equals("test@test.test")) + { + fail("failed subject alternative names test"); + } + } + + // System.out.println(cert); + + // + // create the certificate - version 1 + // + X509V1CertificateGenerator certGen1 = new X509V1CertificateGenerator(); + + certGen1.setSerialNumber(BigInteger.valueOf(1)); + certGen1.setIssuerDN(new X509Principal(ord, values)); + certGen1.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen1.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen1.setSubjectDN(new X509Principal(ord, values)); + certGen1.setPublicKey(pubKey); + certGen1.setSignatureAlgorithm("MD5WithRSAEncryption"); + + cert = certGen1.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + bIn = new ByteArrayInputStream(cert.getEncoded()); + certFact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)certFact.generateCertificate(bIn); + + // System.out.println(cert); + if (!cert.getIssuerDN().equals(cert.getSubjectDN())) + { + fail("name comparison fails"); + } + } + + /** + * we generate a self signed certificate for the sake of testing - DSA + */ + public void checkCreation2() + { + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + try + { + KeyPairGenerator g = KeyPairGenerator.getInstance("DSA", "SUN"); + + g.initialize(512, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + privKey = p.getPrivate(); + pubKey = p.getPublic(); + } + catch (Exception e) + { + fail("error setting up keys - " + e.toString()); + return; + } + + // + // distinguished name table. + // + Vector ord = new Vector(); + Vector values = new Vector(); + + ord.addElement(X509Principal.C); + ord.addElement(X509Principal.O); + ord.addElement(X509Principal.L); + ord.addElement(X509Principal.ST); + ord.addElement(X509Principal.E); + + values.addElement("AU"); + values.addElement("The Legion of the Bouncy Castle"); + values.addElement("Melbourne"); + values.addElement("Victoria"); + values.addElement("feedback-crypto@bouncycastle.org"); + + // + // extensions + // + + // + // create the certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("SHA1withDSA"); + + try + { + X509Certificate cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + + // System.out.println(cert); + } + catch (Exception e) + { + fail("error setting generating cert - " + e.toString()); + } + + // + // create the certificate - version 1 + // + X509V1CertificateGenerator certGen1 = new X509V1CertificateGenerator(); + + certGen1.setSerialNumber(BigInteger.valueOf(1)); + certGen1.setIssuerDN(new X509Principal(ord, values)); + certGen1.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen1.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen1.setSubjectDN(new X509Principal(ord, values)); + certGen1.setPublicKey(pubKey); + certGen1.setSignatureAlgorithm("SHA1withDSA"); + + try + { + X509Certificate cert = certGen1.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + + //System.out.println(cert); + } + catch (Exception e) + { + fail("error setting generating cert - " + e.toString()); + } + + // + // exception test + // + try + { + certGen.setPublicKey(dudPublicKey); + + fail("key without encoding not detected in v1"); + } + catch (IllegalArgumentException e) + { + // expected + } + } + + /** + * we generate a self signed certificate for the sake of testing - ECDSA + */ + public void checkCreation3() + { + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + + ECPrivateKeySpec privKeySpec = new ECPrivateKeySpec( + new BigInteger("876300101507107567501066130761671078357010671067781776716671676178726717"), // d + spec); + + ECPublicKeySpec pubKeySpec = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("025b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c70")), // Q + spec); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + try + { + KeyFactory fact = KeyFactory.getInstance("ECDSA", "BC"); + + privKey = fact.generatePrivate(privKeySpec); + pubKey = fact.generatePublic(pubKeySpec); + } + catch (Exception e) + { + fail("error setting up keys - " + e.toString()); + return; + } + + // + // distinguished name table. + // + Hashtable attrs = new Hashtable(); + Vector order = new Vector(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.L, "Melbourne"); + attrs.put(X509Principal.ST, "Victoria"); + attrs.put(X509Principal.E, "feedback-crypto@bouncycastle.org"); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.L); + order.addElement(X509Principal.ST); + order.addElement(X509Principal.E); + + + // + // toString test + // + X509Principal p = new X509Principal(order, attrs); + String s = p.toString(); + + if (!s.equals("C=AU,O=The Legion of the Bouncy Castle,L=Melbourne,ST=Victoria,E=feedback-crypto@bouncycastle.org")) + { + fail("ordered X509Principal test failed - s = " + s + "."); + } + +// p = new X509Principal(attrs); +// s = p.toString(); +// +// // +// // we need two of these as the hash code for strings changed... +// // +// if (!s.equals("O=The Legion of the Bouncy Castle,E=feedback-crypto@bouncycastle.org,ST=Victoria,L=Melbourne,C=AU") && !s.equals("ST=Victoria,L=Melbourne,C=AU,E=feedback-crypto@bouncycastle.org,O=The Legion of the Bouncy Castle")) +// { +// fail("unordered X509Principal test failed."); +// } + + // + // create the certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(order, attrs)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(order, attrs)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("SHA1withECDSA"); + + try + { + X509Certificate cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + + // + // try with point compression turned off + // + ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED"); + + certGen.setPublicKey(pubKey); + + cert = certGen.generate(privKey, "BC"); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + bIn = new ByteArrayInputStream(cert.getEncoded()); + fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + // System.out.println(cert); + } + catch (Exception e) + { + fail("error setting generating cert - " + e.toString()); + } + + X509Principal pr = new X509Principal("O=\"The Bouncy Castle, The Legion of\",E=feedback-crypto@bouncycastle.org,ST=Victoria,L=Melbourne,C=AU"); + + if (!pr.toString().equals("O=The Bouncy Castle\\, The Legion of,E=feedback-crypto@bouncycastle.org,ST=Victoria,L=Melbourne,C=AU")) + { + fail("string based X509Principal test failed."); + } + + pr = new X509Principal("O=The Bouncy Castle\\, The Legion of,E=feedback-crypto@bouncycastle.org,ST=Victoria,L=Melbourne,C=AU"); + + if (!pr.toString().equals("O=The Bouncy Castle\\, The Legion of,E=feedback-crypto@bouncycastle.org,ST=Victoria,L=Melbourne,C=AU")) + { + fail("string based X509Principal test failed."); + } + + } + + /** + * we generate a self signed certificate for the sake of testing - SHA224withECDSA + */ + private void createECCert(String algorithm, DERObjectIdentifier algOid) + throws Exception + { + ECCurve.Fp curve = new ECCurve.Fp( + new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151"), // q (or p) + new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 16), // a + new BigInteger("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("0200C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")), // G + new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)); // n + + ECPrivateKeySpec privKeySpec = new ECPrivateKeySpec( + new BigInteger("5769183828869504557786041598510887460263120754767955773309066354712783118202294874205844512909370791582896372147797293913785865682804434049019366394746072023"), // d + spec); + + ECPublicKeySpec pubKeySpec = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("02006BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q + spec); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory fact = KeyFactory.getInstance("ECDSA", "BC"); + + privKey = fact.generatePrivate(privKeySpec); + pubKey = fact.generatePublic(pubKeySpec); + + + // + // distinguished name table. + // + Hashtable attrs = new Hashtable(); + Vector order = new Vector(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.L, "Melbourne"); + attrs.put(X509Principal.ST, "Victoria"); + attrs.put(X509Principal.E, "feedback-crypto@bouncycastle.org"); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.L); + order.addElement(X509Principal.ST); + order.addElement(X509Principal.E); + + // + // create the certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(order, attrs)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(order, attrs)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm(algorithm); + + + X509Certificate cert = certGen.generate(privKey, "BC"); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory certFact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)certFact.generateCertificate(bIn); + + // + // try with point compression turned off + // + ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED"); + + certGen.setPublicKey(pubKey); + + cert = certGen.generate(privKey, "BC"); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + bIn = new ByteArrayInputStream(cert.getEncoded()); + certFact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)certFact.generateCertificate(bIn); + + if (!cert.getSigAlgOID().equals(algOid.toString())) + { + fail("ECDSA oid incorrect."); + } + + if (cert.getSigAlgParams() != null) + { + fail("sig parameters present"); + } + + Signature sig = Signature.getInstance(algorithm, "BC"); + + sig.initVerify(pubKey); + + sig.update(cert.getTBSCertificate()); + + if (!sig.verify(cert.getSignature())) + { + fail("EC certificate signature not mapped correctly."); + } + // System.out.println(cert); + } + + private void checkCRL( + int id, + byte[] bytes) + { + ByteArrayInputStream bIn; + String dump = ""; + + try + { + bIn = new ByteArrayInputStream(bytes); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + CRL cert = fact.generateCRL(bIn); + + // System.out.println(cert); + } + catch (Exception e) + { + fail(dump + System.getProperty("line.separator") + getName() + ": "+ id + " failed - exception " + e.toString(), e); + } + + } + + public void checkCRLCreation1() + throws Exception + { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); + X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); + Date now = new Date(); + KeyPair pair = kpGen.generateKeyPair(); + + crlGen.setIssuerDN(new X500Principal("CN=Test CA")); + + crlGen.setThisUpdate(now); + crlGen.setNextUpdate(new Date(now.getTime() + 100000)); + crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + crlGen.addCRLEntry(BigInteger.ONE, now, CRLReason.privilegeWithdrawn); + + crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.getPublic())); + + X509CRL crl = crlGen.generate(pair.getPrivate(), "BC"); + + if (!crl.getIssuerX500Principal().equals(new X500Principal("CN=Test CA"))) + { + fail("failed CRL issuer test"); + } + + byte[] authExt = crl.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId()); + + if (authExt == null) + { + fail("failed to find CRL extension"); + } + + AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt); + + X509CRLEntry entry = crl.getRevokedCertificate(BigInteger.ONE); + + if (entry == null) + { + fail("failed to find CRL entry"); + } + + if (!entry.getSerialNumber().equals(BigInteger.ONE)) + { + fail("CRL cert serial number does not match"); + } + + if (!entry.hasExtensions()) + { + fail("CRL entry extension not found"); + } + + byte[] ext = entry.getExtensionValue(X509Extensions.ReasonCode.getId()); + + if (ext != null) + { + DEREnumerated reasonCode = (DEREnumerated)X509ExtensionUtil.fromExtensionValue(ext); + + if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn) + { + fail("CRL entry reasonCode wrong"); + } + } + else + { + fail("CRL entry reasonCode not found"); + } + } + + public void checkCRLCreation2() + throws Exception + { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); + X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); + Date now = new Date(); + KeyPair pair = kpGen.generateKeyPair(); + + crlGen.setIssuerDN(new X500Principal("CN=Test CA")); + + crlGen.setThisUpdate(now); + crlGen.setNextUpdate(new Date(now.getTime() + 100000)); + crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + Vector extOids = new Vector(); + Vector extValues = new Vector(); + + CRLReason crlReason = CRLReason.lookup(CRLReason.privilegeWithdrawn); + + try + { + extOids.addElement(X509Extensions.ReasonCode); + extValues.addElement(new X509Extension(false, new DEROctetString(crlReason.getEncoded()))); + } + catch (IOException e) + { + throw new IllegalArgumentException("error encoding reason: " + e); + } + + X509Extensions entryExtensions = new X509Extensions(extOids, extValues); + + crlGen.addCRLEntry(BigInteger.ONE, now, entryExtensions); + + crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.getPublic())); + + X509CRL crl = crlGen.generate(pair.getPrivate(), "BC"); + + if (!crl.getIssuerX500Principal().equals(new X500Principal("CN=Test CA"))) + { + fail("failed CRL issuer test"); + } + + byte[] authExt = crl.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId()); + + if (authExt == null) + { + fail("failed to find CRL extension"); + } + + AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt); + + X509CRLEntry entry = crl.getRevokedCertificate(BigInteger.ONE); + + if (entry == null) + { + fail("failed to find CRL entry"); + } + + if (!entry.getSerialNumber().equals(BigInteger.ONE)) + { + fail("CRL cert serial number does not match"); + } + + if (!entry.hasExtensions()) + { + fail("CRL entry extension not found"); + } + + byte[] ext = entry.getExtensionValue(X509Extensions.ReasonCode.getId()); + + if (ext != null) + { + DEREnumerated reasonCode = (DEREnumerated)X509ExtensionUtil.fromExtensionValue(ext); + + if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn) + { + fail("CRL entry reasonCode wrong"); + } + } + else + { + fail("CRL entry reasonCode not found"); + } + } + + public void checkCRLCreation3() + throws Exception + { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); + X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); + Date now = new Date(); + KeyPair pair = kpGen.generateKeyPair(); + + crlGen.setIssuerDN(new X500Principal("CN=Test CA")); + + crlGen.setThisUpdate(now); + crlGen.setNextUpdate(new Date(now.getTime() + 100000)); + crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + Vector extOids = new Vector(); + Vector extValues = new Vector(); + + CRLReason crlReason = CRLReason.lookup(CRLReason.privilegeWithdrawn); + + try + { + extOids.addElement(X509Extensions.ReasonCode); + extValues.addElement(new X509Extension(false, new DEROctetString(crlReason.getEncoded()))); + } + catch (IOException e) + { + throw new IllegalArgumentException("error encoding reason: " + e); + } + + X509Extensions entryExtensions = new X509Extensions(extOids, extValues); + + crlGen.addCRLEntry(BigInteger.ONE, now, entryExtensions); + + crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.getPublic())); + + X509CRL crl = crlGen.generate(pair.getPrivate(), "BC"); + + if (!crl.getIssuerX500Principal().equals(new X500Principal("CN=Test CA"))) + { + fail("failed CRL issuer test"); + } + + byte[] authExt = crl.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId()); + + if (authExt == null) + { + fail("failed to find CRL extension"); + } + + AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt); + + X509CRLEntry entry = crl.getRevokedCertificate(BigInteger.ONE); + + if (entry == null) + { + fail("failed to find CRL entry"); + } + + if (!entry.getSerialNumber().equals(BigInteger.ONE)) + { + fail("CRL cert serial number does not match"); + } + + if (!entry.hasExtensions()) + { + fail("CRL entry extension not found"); + } + + byte[] ext = entry.getExtensionValue(X509Extensions.ReasonCode.getId()); + + if (ext != null) + { + DEREnumerated reasonCode = (DEREnumerated)X509ExtensionUtil.fromExtensionValue(ext); + + if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn) + { + fail("CRL entry reasonCode wrong"); + } + } + else + { + fail("CRL entry reasonCode not found"); + } + + // + // check loading of existing CRL + // + crlGen = new X509V2CRLGenerator(); + now = new Date(); + + crlGen.setIssuerDN(new X500Principal("CN=Test CA")); + + crlGen.setThisUpdate(now); + crlGen.setNextUpdate(new Date(now.getTime() + 100000)); + crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + crlGen.addCRL(crl); + + crlGen.addCRLEntry(BigInteger.valueOf(2), now, entryExtensions); + + crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.getPublic())); + + X509CRL newCrl = crlGen.generate(pair.getPrivate(), "BC"); + + int count = 0; + boolean oneFound = false; + boolean twoFound = false; + + Iterator it = newCrl.getRevokedCertificates().iterator(); + while (it.hasNext()) + { + X509CRLEntry crlEnt = (X509CRLEntry)it.next(); + + if (crlEnt.getSerialNumber().intValue() == 1) + { + oneFound = true; + } + else if (crlEnt.getSerialNumber().intValue() == 2) + { + twoFound = true; + } + + count++; + } + + if (count != 2) + { + fail("wrong number of CRLs found"); + } + + if (!oneFound || !twoFound) + { + fail("wrong CRLs found in copied list"); + } + + // + // check factory read back + // + CertificateFactory cFact = CertificateFactory.getInstance("X.509", "BC"); + + X509CRL readCrl = (X509CRL)cFact.generateCRL(new ByteArrayInputStream(newCrl.getEncoded())); + + if (readCrl == null) + { + fail("crl not returned!"); + } + + Collection col = cFact.generateCRLs(new ByteArrayInputStream(newCrl.getEncoded())); + + if (col.size() != 1) + { + fail("wrong number of CRLs found in collection"); + } + } + + /** + * we generate a self signed certificate for the sake of testing - GOST3410 + */ + public void checkCreation4() + throws Exception + { + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyPairGenerator g = KeyPairGenerator.getInstance("GOST3410", "BC"); + GOST3410ParameterSpec gost3410P = new GOST3410ParameterSpec("GostR3410-94-CryptoPro-A"); + + g.initialize(gost3410P, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + privKey = p.getPrivate(); + pubKey = p.getPublic(); + + // + // distinguished name table. + // + Hashtable attrs = new Hashtable(); + Vector order = new Vector(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.L, "Melbourne"); + attrs.put(X509Principal.ST, "Victoria"); + attrs.put(X509Principal.E, "feedback-crypto@bouncycastle.org"); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.L); + order.addElement(X509Principal.ST); + order.addElement(X509Principal.E); + + // + // extensions + // + + // + // create the certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(order, attrs)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(order, attrs)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("GOST3411withGOST3410"); + + X509Certificate cert = certGen.generate(privKey, "BC"); + + cert.checkValidity(new Date()); + + // + // check verifies in general + // + cert.verify(pubKey); + + // + // check verifies with contained key + // + cert.verify(cert.getPublicKey()); + + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + + //System.out.println(cert); + + //check getEncoded() + byte[] bytesch = cert.getEncoded(); + } + + public void checkCreation5() + throws Exception + { + // + // a sample key pair. + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + // + // set up the keys + // + SecureRandom rand = new SecureRandom(); + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + + privKey = fact.generatePrivate(privKeySpec); + pubKey = fact.generatePublic(pubKeySpec); + + // + // distinguished name table. + // + Vector ord = new Vector(); + Vector values = new Vector(); + + ord.addElement(X509Principal.C); + ord.addElement(X509Principal.O); + ord.addElement(X509Principal.L); + ord.addElement(X509Principal.ST); + ord.addElement(X509Principal.E); + + values.addElement("AU"); + values.addElement("The Legion of the Bouncy Castle"); + values.addElement("Melbourne"); + values.addElement("Victoria"); + values.addElement("feedback-crypto@bouncycastle.org"); + + // + // create base certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("MD5WithRSAEncryption"); + certGen.addExtension("2.5.29.15", true, + new X509KeyUsage(X509KeyUsage.encipherOnly)); + certGen.addExtension("2.5.29.37", true, + new DERSequence(KeyPurposeId.anyExtendedKeyUsage)); + certGen.addExtension("2.5.29.17", true, + new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); + + X509Certificate baseCert = certGen.generate(privKey, "BC"); + + // + // copy certificate + // + certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("MD5WithRSAEncryption"); + + certGen.copyAndAddExtension(new DERObjectIdentifier("2.5.29.15"), true, baseCert); + certGen.copyAndAddExtension("2.5.29.37", false, baseCert); + + X509Certificate cert = certGen.generate(privKey, "BC"); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + if (!areEqual(baseCert.getExtensionValue("2.5.29.15"), cert.getExtensionValue("2.5.29.15"))) + { + fail("2.5.29.15 differs"); + } + + if (!areEqual(baseCert.getExtensionValue("2.5.29.37"), cert.getExtensionValue("2.5.29.37"))) + { + fail("2.5.29.37 differs"); + } + + // + // exception test + // + try + { + certGen.copyAndAddExtension("2.5.99.99", true, baseCert); + + fail("exception not thrown on dud extension copy"); + } + catch (CertificateParsingException e) + { + // expected + } + + try + { + certGen.setPublicKey(dudPublicKey); + + certGen.generate(privKey, "BC"); + + fail("key without encoding not detected in v3"); + } + catch (IllegalArgumentException e) + { + // expected + } + } + + private void testForgedSignature() + throws Exception + { + String cert = "MIIBsDCCAVoCAQYwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV" + + "BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD" + + "VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw0wNjA5MTEyMzU4NTVa" + + "Fw0wNjEwMTEyMzU4NTVaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNs" + + "YW5kMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEjMCEGA1UEAxMaU2VydmVy" + + "IHRlc3QgY2VydCAoNTEyIGJpdCkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PD" + + "hCeV/xIxUg8V70YRxK2A5jZbD92A12GN4PxyRQk0/lVmRUNMaJdq/qigpd9feP/u" + + "12S4PwTLb/8q/v657QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAbynCRIlUQgaqyNgU" + + "DF6P14yRKUtX8akOP2TwStaSiVf/akYqfLFm3UGka5XbPj4rifrZ0/sOoZEEBvHQ" + + "e20sRA=="; + + CertificateFactory certFact = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate x509 = (X509Certificate)certFact.generateCertificate(new ByteArrayInputStream(Base64.decode(cert))); + try + { + x509.verify(x509.getPublicKey()); + + fail("forged RSA signature passed"); + } + catch (Exception e) + { + // expected + } + } + + + private void pemTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + Certificate cert = readPEMCert(cf, PEMData.CERTIFICATE_1); + if (cert == null) + { + fail("PEM cert not read"); + } + cert = readPEMCert(cf, "-----BEGIN CERTIFICATE-----" + PEMData.CERTIFICATE_2); + if (cert == null) + { + fail("PEM cert with extraneous header not read"); + } + CRL crl = cf.generateCRL(new ByteArrayInputStream(PEMData.CRL_1.getBytes("US-ASCII"))); + if (crl == null) + { + fail("PEM crl not read"); + } + Collection col = cf.generateCertificates(new ByteArrayInputStream(PEMData.CERTIFICATE_2.getBytes("US-ASCII"))); + if (col.size() != 1 || !col.contains(cert)) + { + fail("PEM cert collection not right"); + } + col = cf.generateCRLs(new ByteArrayInputStream(PEMData.CRL_2.getBytes("US-ASCII"))); + if (col.size() != 1 || !col.contains(crl)) + { + fail("PEM crl collection not right"); + } + } + + private static Certificate readPEMCert(CertificateFactory cf, String pemData) + throws CertificateException, UnsupportedEncodingException + { + return cf.generateCertificate(new ByteArrayInputStream(pemData.getBytes("US-ASCII"))); + } + + private void pkcs7Test() + throws Exception + { + ASN1EncodableVector certs = new ASN1EncodableVector(); + + certs.add(new ASN1InputStream(CertPathTest.rootCertBin).readObject()); + certs.add(new DERTaggedObject(false, 2, new ASN1InputStream(AttrCertTest.attrCert).readObject())); + + ASN1EncodableVector crls = new ASN1EncodableVector(); + + crls.add(new ASN1InputStream(CertPathTest.rootCrlBin).readObject()); + SignedData sigData = new SignedData(new DERSet(), new ContentInfo(CMSObjectIdentifiers.data, null), new DERSet(certs), new DERSet(crls), new DERSet()); + + ContentInfo info = new ContentInfo(CMSObjectIdentifiers.signedData, sigData); + + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate cert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(info.getEncoded())); + if (cert == null || !areEqual(cert.getEncoded(), certs.get(0).toASN1Primitive().getEncoded())) + { + fail("PKCS7 cert not read"); + } + X509CRL crl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(info.getEncoded())); + if (crl == null || !areEqual(crl.getEncoded(), crls.get(0).toASN1Primitive().getEncoded())) + { + fail("PKCS7 crl not read"); + } + Collection col = cf.generateCertificates(new ByteArrayInputStream(info.getEncoded())); + if (col.size() != 1 || !col.contains(cert)) + { + fail("PKCS7 cert collection not right"); + } + col = cf.generateCRLs(new ByteArrayInputStream(info.getEncoded())); + if (col.size() != 1 || !col.contains(crl)) + { + fail("PKCS7 crl collection not right"); + } + + // data with no certificates or CRLs + + sigData = new SignedData(new DERSet(), new ContentInfo(CMSObjectIdentifiers.data, null), new DERSet(), new DERSet(), new DERSet()); + + info = new ContentInfo(CMSObjectIdentifiers.signedData, sigData); + + cert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(info.getEncoded())); + if (cert != null) + { + fail("PKCS7 cert present"); + } + crl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(info.getEncoded())); + if (crl != null) + { + fail("PKCS7 crl present"); + } + + // data with absent certificates and CRLS + + sigData = new SignedData(new DERSet(), new ContentInfo(CMSObjectIdentifiers.data, null), null, null, new DERSet()); + + info = new ContentInfo(CMSObjectIdentifiers.signedData, sigData); + + cert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(info.getEncoded())); + if (cert != null) + { + fail("PKCS7 cert present"); + } + crl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(info.getEncoded())); + if (crl != null) + { + fail("PKCS7 crl present"); + } + + // + // sample message + // + InputStream in = new ByteArrayInputStream(pkcs7CrlProblem); + Collection certCol = cf.generateCertificates(in); + Collection crlCol = cf.generateCRLs(in); + + if (crlCol.size() != 0) + { + fail("wrong number of CRLs: " + crlCol.size()); + } + + if (certCol.size() != 4) + { + fail("wrong number of Certs: " + certCol.size()); + } + } + + private void createPSSCert(String algorithm) + throws Exception + { + KeyPair pair = generateLongFixedKeys(); + + PrivateKey privKey = pair.getPrivate(); + PublicKey pubKey = pair.getPublic(); + + // + // distinguished name table. + // + Vector ord = new Vector(); + Vector values = new Vector(); + + ord.addElement(X509Principal.C); + ord.addElement(X509Principal.O); + ord.addElement(X509Principal.L); + ord.addElement(X509Principal.ST); + ord.addElement(X509Principal.E); + + values.addElement("AU"); + values.addElement("The Legion of the Bouncy Castle"); + values.addElement("Melbourne"); + values.addElement("Victoria"); + values.addElement("feedback-crypto@bouncycastle.org"); + + // + // create base certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm(algorithm); + certGen.addExtension("2.5.29.15", true, + new X509KeyUsage(X509KeyUsage.encipherOnly)); + certGen.addExtension("2.5.29.37", true, + new DERSequence(KeyPurposeId.anyExtendedKeyUsage)); + certGen.addExtension(Extension.subjectAlternativeName.getId(), true, + new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); + certGen.addExtension(Extension.issuerAlternativeName, false, + new GeneralNames(new GeneralName(GeneralName.directoryName, new X500Name("O=Test, OU=Testing, C=AU")))); + + X509Certificate baseCert = certGen.generate(privKey, "BC"); + + Collection names = baseCert.getSubjectAlternativeNames(); + + if (names.size() != 1) + { + fail("subject alt names size incorrect"); + } + + List name = (List)names.iterator().next(); + if(!name.get(0).equals(Integers.valueOf(GeneralName.rfc822Name))) + { + fail("subject alt name type incorrect"); + } + + names = baseCert.getIssuerAlternativeNames(); + + if (names.size() != 1) + { + fail("issuer alt names size incorrect"); + } + + name = (List)names.iterator().next(); + if(!name.get(0).equals(Integers.valueOf(GeneralName.directoryName))) + { + fail("issuer alt name type incorrect"); + } + + // check IETF output (reverse of default BC) + if (!name.get(1).equals("c=AU,ou=Testing,o=Test")) + { + fail("issuer alt name dir string incorrect"); + } + + baseCert.verify(pubKey); + } + + private KeyPair generateLongFixedKeys() + throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException + { + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), + new BigInteger("010001",16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), + new BigInteger("010001",16), + new BigInteger("33a5042a90b27d4f5451ca9bbbd0b44771a101af884340aef9885f2a4bbe92e894a724ac3c568c8f97853ad07c0266c8c6a3ca0929f1e8f11231884429fc4d9ae55fee896a10ce707c3ed7e734e44727a39574501a532683109c2abacaba283c31b4bd2f53c3ee37e352cee34f9e503bd80c0622ad79c6dcee883547c6a3b325",16), + new BigInteger("e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443",16), + new BigInteger("b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd",16), + new BigInteger("28fa13938655be1f8a159cbaca5a72ea190c30089e19cd274a556f36c4f6e19f554b34c077790427bbdd8dd3ede2448328f385d81b30e8e43b2fffa027861979",16), + new BigInteger("1a8b38f398fa712049898d7fb79ee0a77668791299cdfa09efc0e507acb21ed74301ef5bfd48be455eaeb6e1678255827580a8e4e8e14151d1510a82a3f2e729",16), + new BigInteger("27156aba4126d24a81f3a528cbfb27f56886f840a9f6e86e17a44b94fe9319584b8e22fdde1e5a2e3bd8aa5ba8d8584194eb2190acf832b847f13a3d24a79f4d",16)); + + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + + return new KeyPair(fact.generatePublic(pubKeySpec), fact.generatePrivate(privKeySpec)); + } + + private void rfc4491Test() + throws Exception + { + CertificateFactory certFact = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate x509 = (X509Certificate)certFact.generateCertificate(new ByteArrayInputStream(gostRFC4491_94)); + + x509.verify(x509.getPublicKey(), "BC"); + + x509 = (X509Certificate)certFact.generateCertificate(new ByteArrayInputStream(gostRFC4491_2001)); + + x509.verify(x509.getPublicKey(), "BC"); + } + + private void testNullDerNullCert() + throws Exception + { + KeyPair pair = generateLongFixedKeys(); + PublicKey pubKey = pair.getPublic(); + PrivateKey privKey = pair.getPrivate(); + + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal("CN=Test")); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal("CN=Test")); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("MD5WithRSAEncryption"); + X509Certificate cert = certGen.generate(privKey, "BC"); + + X509CertificateStructure struct = X509CertificateStructure.getInstance(ASN1Primitive.fromByteArray(cert.getEncoded())); + + ASN1Encodable tbsCertificate = struct.getTBSCertificate(); + AlgorithmIdentifier sig = struct.getSignatureAlgorithm(); + + ASN1EncodableVector v = new ASN1EncodableVector(); + + v.add(tbsCertificate); + v.add(new AlgorithmIdentifier(sig.getObjectId())); + v.add(struct.getSignature()); + + // verify + ByteArrayInputStream bIn; + String dump = ""; + + try + { + bIn = new ByteArrayInputStream(new DERSequence(v).getEncoded()); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + + cert.verify(cert.getPublicKey()); + } + catch (Exception e) + { + fail(dump + System.getProperty("line.separator") + getName() + ": testNullDerNull failed - exception " + e.toString(), e); + } + } + + private void checkComparison(byte[] encCert) + throws NoSuchProviderException, CertificateException + { + CertificateFactory bcFact = CertificateFactory.getInstance("X.509", "BC"); + CertificateFactory sunFact = CertificateFactory.getInstance("X.509", "SUN"); + + X509Certificate bcCert = (X509Certificate)bcFact.generateCertificate(new ByteArrayInputStream(encCert)); + X509Certificate sunCert = (X509Certificate)sunFact.generateCertificate(new ByteArrayInputStream(encCert)); + + if (!bcCert.equals(sunCert) || !sunCert.equals(bcCert)) + { + fail("BC/Sun equals test failed"); + } + + if (bcCert.hashCode() != sunCert.hashCode()) + { + fail("BC/Sun hashCode test failed"); + } + } + + private void testV1CRL() + throws Exception + { + byte[] certData = Streams.readAll(this.getClass().getResourceAsStream("ThawteSGCCA.cer")); + byte[] crlData = Streams.readAll(this.getClass().getResourceAsStream("ThawteSGCCA.crl")); + + // verify CRL with default (JCE) provider + CertificateFactory jceFac = CertificateFactory.getInstance("X.509"); + + X509Certificate jceIssuer = (X509Certificate) + jceFac.generateCertificate(new ByteArrayInputStream(certData)); + + X509CRL jceCRL = (X509CRL)jceFac.generateCRL(new ByteArrayInputStream(crlData)); + + jceCRL.verify(jceIssuer.getPublicKey()); + + + // verify CRL with BC provider + CertificateFactory bcFac = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate bcIssuer = (X509Certificate) + bcFac.generateCertificate(new ByteArrayInputStream(certData)); + + X509CRL bcCRL = (X509CRL)bcFac.generateCRL(new ByteArrayInputStream(crlData)); + + jceCRL.verify(bcIssuer.getPublicKey()); + + bcCRL.verify(bcIssuer.getPublicKey()); + } + + private void testCertPathEncAvailableTest() + throws Exception + { + CertificateFactory certFact = CertificateFactory.getInstance("X.509", "BC"); + + Iterator it = certFact.getCertPathEncodings(); + + if (!"PkiPath".equals(it.next())) + { + fail("available enc 1 wrong"); + } + if (!"PEM".equals(it.next())) + { + fail("available enc 2 wrong"); + } + if (!"PKCS7".equals(it.next())) + { + fail("available enc 3 wrong"); + } + + if (it.hasNext()) + { + fail("wrong number of encodings"); + } + } + + public void performTest() + throws Exception + { + testV1CRL(); + + checkCertificate(1, cert1); + checkCertificate(2, cert2); + checkCertificate(3, cert3); + checkCertificate(4, cert4); + checkCertificate(5, cert5); + checkCertificate(6, oldEcdsa); + checkCertificate(7, cert7); + + checkComparison(cert1); + + checkKeyUsage(8, keyUsage); + checkSelfSignedCertificate(9, uncompressedPtEC); + checkNameCertificate(10, nameCert); + + checkSelfSignedCertificate(11, probSelfSignedCert); + checkSelfSignedCertificate(12, gostCA1); + checkSelfSignedCertificate(13, gostCA2); + checkSelfSignedCertificate(14, gost341094base); + checkSelfSignedCertificate(15, gost34102001base); + checkSelfSignedCertificate(16, gost341094A); + checkSelfSignedCertificate(17, gost341094B); + checkSelfSignedCertificate(18, gost34102001A); + + try + { + checkSelfSignedCertificate(19, uaczo1); + checkSelfSignedCertificate(20, uaczo2); + checkSelfSignedCertificate(21, uaczo3); + checkSelfSignedCertificate(22, uaczo4); + } + catch (Exception e) + { + if (e instanceof NoSuchAlgorithmException) + { + // ignore - only valid for jdk1.5+ + } + } + + checkCRL(1, crl1); + + checkCreation1(); + checkCreation2(); + checkCreation3(); + checkCreation4(); + checkCreation5(); + + createECCert("SHA1withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA1); + createECCert("SHA224withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA224); + createECCert("SHA256withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256); + createECCert("SHA384withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384); + createECCert("SHA512withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512); + + createPSSCert("SHA1withRSAandMGF1"); + createPSSCert("SHA224withRSAandMGF1"); + createPSSCert("SHA256withRSAandMGF1"); + createPSSCert("SHA384withRSAandMGF1"); + + checkCRLCreation1(); + checkCRLCreation2(); + checkCRLCreation3(); + + pemTest(); + pkcs7Test(); + rfc4491Test(); + + testForgedSignature(); + + testNullDerNullCert(); + + checkCertificate(18, emptyDNCert); + + testCertPathEncAvailableTest(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertUniqueIDTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertUniqueIDTest.java new file mode 100644 index 00000000..283c50be --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CertUniqueIDTest.java @@ -0,0 +1,178 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.cert.X509Certificate; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.util.Date; +import java.util.Set; +import java.util.Vector; + +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509V3CertificateGenerator; + +public class CertUniqueIDTest + extends SimpleTest +{ + public String getName() + { + return "CertUniqueID"; + } + + public void performTest() throws Exception + { + checkCreation1(); + } + + /** + * we generate a self signed certificate for the sake of testing - RSA + */ + public void checkCreation1() + throws Exception + { + // + // a sample key pair. + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + + privKey = fact.generatePrivate(privKeySpec); + pubKey = fact.generatePublic(pubKeySpec); + + // + // distinguished name table. + // + Vector ord = new Vector(); + Vector values = new Vector(); + + ord.addElement(X509Principal.C); + ord.addElement(X509Principal.O); + ord.addElement(X509Principal.L); + ord.addElement(X509Principal.ST); + ord.addElement(X509Principal.E); + + values.addElement("AU"); + values.addElement("The Legion of the Bouncy Castle"); + values.addElement("Melbourne"); + values.addElement("Victoria"); + values.addElement("feedback-crypto@bouncycastle.org"); + + // + // extensions + // + + // + // create the certificate - version 3 - without subject unique ID + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + X509Certificate cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + Set dummySet = cert.getNonCriticalExtensionOIDs(); + if (dummySet != null) + { + fail("non-critical oid set should be null"); + } + dummySet = cert.getCriticalExtensionOIDs(); + if (dummySet != null) + { + fail("critical oid set should be null"); + } + + // + // create the certificate - version 3 - with subject unique ID + // + certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(ord, values)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(ord, values)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("MD5WithRSAEncryption"); + + boolean[] subjectUniqID = {true, false, false, false, true, false, false, true, false, true, true}; + + certGen.setSubjectUniqueID(subjectUniqID); + + boolean[] issuerUniqID = {false, false, true, false, true, false, false, false, true, false, false, true, false, true, true}; + + certGen.setIssuerUniqueID(issuerUniqID); + + cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + boolean[] subjectUniqueId = cert.getSubjectUniqueID(); + if (!Arrays.areEqual(subjectUniqID, subjectUniqueId)) + { + fail("Subject unique id is not correct, original: "+arrayToString(subjectUniqID)+", from cert: "+arrayToString(subjectUniqueId)); + } + + boolean[] issuerUniqueId = cert.getIssuerUniqueID(); + if (!Arrays.areEqual(issuerUniqID, issuerUniqueId)) + { + fail("Issuer unique id is not correct, original: "+arrayToString(issuerUniqID)+", from cert: "+arrayToString(subjectUniqueId)); + } + } + + private String arrayToString(boolean[] array) + { + StringBuffer b = new StringBuffer(); + + for (int i = 0; i != array.length; i++) + { + b.append(array[i] ? "1" : "0"); + } + + return b.toString(); + } + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertUniqueIDTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CipherStreamTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CipherStreamTest.java new file mode 100644 index 00000000..83063ef9 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/CipherStreamTest.java @@ -0,0 +1,330 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.ShortBufferException; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.security.InvalidKeyException; +import java.security.Key; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; + +/** + * check that cipher input/output streams are working correctly + */ +public class CipherStreamTest + extends SimpleTest +{ + + private static byte[] RK = Hex.decode("0123456789ABCDEF"); + private static byte[] RIN = Hex.decode("4e6f772069732074"); + private static byte[] ROUT = Hex.decode("3afbb5c77938280d"); + + private static byte[] SIN = Hex.decode( + "00000000000000000000000000000000" + + "00000000000000000000000000000000" + + "00000000000000000000000000000000" + + "00000000000000000000000000000000"); + private static final byte[] SK = Hex.decode("80000000000000000000000000000000"); + private static final byte[] SIV = Hex.decode("0000000000000000"); + private static final byte[] SOUT = Hex.decode( + "4DFA5E481DA23EA09A31022050859936" + + "DA52FCEE218005164F267CB65F5CFD7F" + + "2B4F97E0FF16924A52DF269515110A07" + + "F9E460BC65EF95DA58F740B7D1DBB0AA"); + + private static final byte[] HCIN = new byte[64]; + private static final byte[] HCIV = new byte[32]; + + private static final byte[] HCK256A = new byte[32]; + private static final byte[] HC256A = Hex.decode( + "5B078985D8F6F30D42C5C02FA6B67951" + + "53F06534801F89F24E74248B720B4818" + + "CD9227ECEBCF4DBF8DBF6977E4AE14FA" + + "E8504C7BC8A9F3EA6C0106F5327E6981"); + + private static final byte[] HCK128A = new byte[16]; + private static final byte[] HC128A = Hex.decode( + "82001573A003FD3B7FD72FFB0EAF63AA" + + "C62F12DEB629DCA72785A66268EC758B" + + "1EDB36900560898178E0AD009ABF1F49" + + "1330DC1C246E3D6CB264F6900271D59C"); + + private static final byte[] GRAIN_V1 = Hex.decode("0123456789abcdef1234"); + private static final byte[] GRAIN_V1_IV = Hex.decode("0123456789abcdef"); + private static final byte[] GRAIN_V1_IN = new byte[10]; + private static final byte[] GRAIN_V1_OUT = Hex.decode("7f362bd3f7abae203664"); + + private static final byte[] GRAIN_128 = Hex.decode("0123456789abcdef123456789abcdef0"); + private static final byte[] GRAIN_128_IV = Hex.decode("0123456789abcdef12345678"); + private static final byte[] GRAIN_128_IN = new byte[16]; + private static final byte[] GRAIN_128_OUT = Hex.decode("afb5babfa8de896b4b9c6acaf7c4fbfd"); + + public CipherStreamTest() + { + } + + private void runTest( + String name) + throws Exception + { + String lCode = "ABCDEFGHIJKLMNOPQRSTUVWXY0123456789"; + KeyGenerator kGen; + + if (name.indexOf('/') < 0) + { + kGen = KeyGenerator.getInstance(name, "BC"); + } + else + { + kGen = KeyGenerator.getInstance(name.substring(0, name.indexOf('/')), "BC"); + } + + Cipher in = Cipher.getInstance(name, "BC"); + Cipher out = Cipher.getInstance(name, "BC"); + Key key = kGen.generateKey(); + ByteArrayInputStream bIn = new ByteArrayInputStream(lCode.getBytes()); + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + in.init(Cipher.ENCRYPT_MODE, key); + if (in.getIV() != null) + { + out.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in.getIV())); + } + else + { + out.init(Cipher.DECRYPT_MODE, key); + } + + CipherInputStream cIn = new CipherInputStream(bIn, in); + CipherOutputStream cOut = new CipherOutputStream(bOut, out); + + int c; + + while ((c = cIn.read()) >= 0) + { + cOut.write(c); + } + + cIn.close(); + + cOut.flush(); + cOut.close(); + + String res = new String(bOut.toByteArray()); + + if (!res.equals(lCode)) + { + fail("Failed - decrypted data doesn't match."); + } + } + + private void testAlgorithm(String name, byte[] keyBytes, byte[] iv, byte[] plainText, byte[] cipherText) + throws Exception + { + SecretKey key = new SecretKeySpec(keyBytes, name); + Cipher in = Cipher.getInstance(name, "BC"); + Cipher out = Cipher.getInstance(name, "BC"); + + if (iv != null) + { + in.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv)); + out.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv)); + } + else + { + in.init(Cipher.ENCRYPT_MODE, key); + out.init(Cipher.DECRYPT_MODE, key); + } + + byte[] enc = in.doFinal(plainText); + if (!areEqual(enc, cipherText)) + { + fail(name + ": cipher text doesn't match"); + } + + byte[] dec = out.doFinal(enc); + + if (!areEqual(dec, plainText)) + { + fail(name + ": plain text doesn't match"); + } + } + + private void testException( + String name) + { + try + { + byte[] key128 = { + (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143, + (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143 }; + + byte[] key256 = { + (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143, + (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143, + (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143, + (byte)128, (byte)131, (byte)133, (byte)134, + (byte)137, (byte)138, (byte)140, (byte)143 }; + + byte[] keyBytes; + if (name.equals("HC256")) + { + keyBytes = key256; + } + else + { + keyBytes = key128; + } + + SecretKeySpec cipherKey = new SecretKeySpec(keyBytes, name); + Cipher ecipher = Cipher.getInstance(name, "BC"); + ecipher.init(Cipher.ENCRYPT_MODE, cipherKey); + + byte[] cipherText = new byte[0]; + try + { + // According specification Method engineUpdate(byte[] input, + // int inputOffset, int inputLen, byte[] output, int + // outputOffset) + // throws ShortBufferException - if the given output buffer is + // too + // small to hold the result + ecipher.update(new byte[20], 0, 20, cipherText); + + fail("failed exception test - no ShortBufferException thrown"); + } + catch (ShortBufferException e) + { + // ignore + } + + try + { + Cipher c = Cipher.getInstance(name, "BC"); + + Key k = new PublicKey() + { + + public String getAlgorithm() + { + return "STUB"; + } + + public String getFormat() + { + return null; + } + + public byte[] getEncoded() + { + return null; + } + + }; + + c.init(Cipher.ENCRYPT_MODE, k); + + fail("failed exception test - no InvalidKeyException thrown for public key"); + } + catch (InvalidKeyException e) + { + // okay + } + + try + { + Cipher c = Cipher.getInstance(name, "BC"); + + Key k = new PrivateKey() + { + + public String getAlgorithm() + { + return "STUB"; + } + + public String getFormat() + { + return null; + } + + public byte[] getEncoded() + { + return null; + } + + }; + + c.init(Cipher.DECRYPT_MODE, k); + + fail("failed exception test - no InvalidKeyException thrown for private key"); + } + catch (InvalidKeyException e) + { + // okay + } + } + catch (Exception e) + { + fail("unexpected exception.", e); + } + } + + public void performTest() + throws Exception + { + runTest("RC4"); + testException("RC4"); + testAlgorithm("RC4", RK, null, RIN, ROUT); + runTest("Salsa20"); + testException("Salsa20"); + testAlgorithm("Salsa20", SK, SIV, SIN, SOUT); + runTest("HC128"); + testException("HC128"); + testAlgorithm("HC128", HCK128A, HCIV, HCIN, HC128A); + runTest("HC256"); + testException("HC256"); + testAlgorithm("HC256", HCK256A, HCIV, HCIN, HC256A); + runTest("VMPC"); + testException("VMPC"); + //testAlgorithm("VMPC", a, iv, in, a); + runTest("VMPC-KSA3"); + testException("VMPC-KSA3"); + //testAlgorithm("VMPC-KSA3", a, iv, in, a); + testAlgorithm("Grainv1", GRAIN_V1, GRAIN_V1_IV, GRAIN_V1_IN, GRAIN_V1_OUT); + testAlgorithm("Grain128", GRAIN_128, GRAIN_128_IV, GRAIN_128_IN, GRAIN_128_OUT); + runTest("DES/ECB/PKCS7Padding"); + runTest("DES/CFB8/NoPadding"); + } + + public String getName() + { + return "CipherStreamTest"; + } + + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CipherStreamTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DESedeTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DESedeTest.java new file mode 100644 index 00000000..313f665f --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DESedeTest.java @@ -0,0 +1,326 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.IOException; +import java.security.Key; +import java.security.SecureRandom; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.DESedeKeySpec; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * basic test class for key generation for a DES-EDE block cipher, basically + * this just exercises the provider, and makes sure we are behaving sensibly, + * correctness of the implementation is shown in the lightweight test classes. + */ +public class DESedeTest + extends SimpleTest +{ + static String[] cipherTests1 = + { + "112", + "2f4bc6b30c893fa549d82c560d61cf3eb088aed020603de249d82c560d61cf3e529e95ecd8e05394", + "128", + "2f4bc6b30c893fa549d82c560d61cf3eb088aed020603de249d82c560d61cf3e529e95ecd8e05394", + "168", + "50ddb583a25c21e6c9233f8e57a86d40bb034af421c03096c9233f8e57a86d402fce91e8eb639f89", + "192", + "50ddb583a25c21e6c9233f8e57a86d40bb034af421c03096c9233f8e57a86d402fce91e8eb639f89", + }; + + static byte[] input1 = Hex.decode("000102030405060708090a0b0c0d0e0fff0102030405060708090a0b0c0d0e0f"); + + /** + * a fake random number generator - we just want to make sure the random numbers + * aren't random so that we get the same output, while still getting to test the + * key generation facilities. + */ + private class FixedSecureRandom + extends SecureRandom + { + byte[] seed = { + (byte)0xaa, (byte)0xfd, (byte)0x12, (byte)0xf6, (byte)0x59, + (byte)0xca, (byte)0xe6, (byte)0x34, (byte)0x89, (byte)0xb4, + (byte)0x79, (byte)0xe5, (byte)0x07, (byte)0x6d, (byte)0xde, + (byte)0xc2, (byte)0xf0, (byte)0x6c, (byte)0xb5, (byte)0x8f + }; + + public void nextBytes( + byte[] bytes) + { + int offset = 0; + + while ((offset + seed.length) < bytes.length) + { + System.arraycopy(seed, 0, bytes, offset, seed.length); + offset += seed.length; + } + + System.arraycopy(seed, 0, bytes, offset, bytes.length - offset); + } + } + + public String getName() + { + return "DESEDE"; + } + + private boolean equalArray( + byte[] a, + byte[] b) + { + if (a.length != b.length) + { + return false; + } + + for (int i = 0; i != a.length; i++) + { + if (a[i] != b[i]) + { + return false; + } + } + + return true; + } + + private boolean equalArray( + byte[] a, + byte[] b, + int length) + { + if (a.length < length) + { + return false; + } + + if (b.length < length) + { + return false; + } + + for (int i = 0; i != length; i++) + { + if (a[i] != b[i]) + { + return false; + } + } + + return true; + } + + private void wrapTest( + String alg, + int id, + byte[] kek, + byte[] iv, + byte[] in, + byte[] out) + { + try + { + Cipher wrapper = Cipher.getInstance(alg + "Wrap", "BC"); + + wrapper.init(Cipher.WRAP_MODE, new SecretKeySpec(kek, alg), new IvParameterSpec(iv)); + + try + { + byte[] cText = wrapper.wrap(new SecretKeySpec(in, alg)); + if (!equalArray(cText, out)) + { + fail("failed wrap test " + id + " expected " + new String(Hex.encode(out)) + " got " + new String(Hex.encode(cText))); + } + } + catch (Exception e) + { + fail("failed wrap test exception " + e.toString()); + } + + wrapper.init(Cipher.UNWRAP_MODE, new SecretKeySpec(kek, alg)); + + try + { + Key pText = wrapper.unwrap(out, alg, Cipher.SECRET_KEY); + if (!equalArray(pText.getEncoded(), in)) + { + fail("failed unwrap test " + id + " expected " + new String(Hex.encode(in)) + " got " + new String(Hex.encode(pText.getEncoded()))); + } + } + catch (Exception e) + { + fail("failed unwrap test exception " + e.toString()); + } + } + catch (Exception ex) + { + fail("failed exception " + ex.toString()); + } + } + + public void test( + String alg, + int strength, + byte[] input, + byte[] output) + { + Key key = null; + KeyGenerator keyGen; + SecureRandom rand; + Cipher in = null; + Cipher out = null; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + rand = new FixedSecureRandom(); + + try + { + keyGen = KeyGenerator.getInstance(alg, "BC"); + keyGen.init(strength, rand); + + key = keyGen.generateKey(); + + in = Cipher.getInstance(alg + "/ECB/PKCS7Padding", "BC"); + out = Cipher.getInstance(alg + "/ECB/PKCS7Padding", "BC"); + + out.init(Cipher.ENCRYPT_MODE, key, rand); + } + catch (Exception e) + { + fail(alg + " failed initialisation - " + e.toString()); + } + + try + { + in.init(Cipher.DECRYPT_MODE, key); + } + catch (Exception e) + { + fail(alg + " failed initialisation - " + e.toString()); + } + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + try + { + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + } + catch (IOException e) + { + fail(alg + " failed encryption - " + e.toString()); + } + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!equalArray(bytes, output)) + { + fail(alg + " failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + try + { + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + } + catch (Exception e) + { + fail(alg + " failed encryption - " + e.toString()); + } + + if (!equalArray(bytes, input)) + { + fail(alg + " failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + + // + // keyspec test + // + try + { + SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(alg, "BC"); + DESedeKeySpec keySpec = (DESedeKeySpec)keyFactory.getKeySpec((SecretKey)key, DESedeKeySpec.class); + + if (!equalArray(key.getEncoded(), keySpec.getKey(), 16)) + { + fail(alg + " KeySpec does not match key."); + } + } + catch (Exception e) + { + fail(alg + " failed keyspec - " + e.toString()); + } + } + + public void performTest() + { + for (int i = 0; i != cipherTests1.length; i += 2) + { + test("DESEDE", Integer.parseInt(cipherTests1[i]), input1, Hex.decode(cipherTests1[i + 1])); + } + + for (int i = 0; i != cipherTests1.length; i += 2) + { + test("TDEA", Integer.parseInt(cipherTests1[i]), input1, Hex.decode(cipherTests1[i + 1])); + } + + byte[] kek1 = Hex.decode("255e0d1c07b646dfb3134cc843ba8aa71f025b7c0838251f"); + byte[] iv1 = Hex.decode("5dd4cbfc96f5453b"); + byte[] in1 = Hex.decode("2923bf85e06dd6ae529149f1f1bae9eab3a7da3d860d3e98"); + byte[] out1 = Hex.decode("690107618ef092b3b48ca1796b234ae9fa33ebb4159604037db5d6a84eb3aac2768c632775a467d4"); + + wrapTest("DESEDE", 1, kek1, iv1, in1, out1); + wrapTest("TDEA", 1, kek1, iv1, in1, out1); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new DESedeTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DHIESTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DHIESTest.java new file mode 100644 index 00000000..f081d80b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DHIESTest.java @@ -0,0 +1,194 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.SecureRandom; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.interfaces.DHPrivateKey; +import javax.crypto.interfaces.DHPublicKey; +import javax.crypto.spec.DHParameterSpec; + +import org.bouncycastle.crypto.agreement.DHBasicAgreement; +import org.bouncycastle.crypto.digests.SHA1Digest; +import org.bouncycastle.crypto.engines.DESEngine; +import org.bouncycastle.crypto.engines.IESEngine; +import org.bouncycastle.crypto.generators.KDF2BytesGenerator; +import org.bouncycastle.crypto.macs.HMac; +import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jcajce.provider.asymmetric.dh.IESCipher; +import org.bouncycastle.jce.spec.IESParameterSpec; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * Test for DHIES - Diffie-Hellman Integrated Encryption Scheme + */ +public class DHIESTest + extends SimpleTest +{ + // Oakley group 2 - RFC 5996 + BigInteger p1024 = new BigInteger( + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" + + "FFFFFFFFFFFFFFFF",16); + + BigInteger g1024 = new BigInteger("2",16); + + DHParameterSpec param = new DHParameterSpec(p1024, g1024); + + DHIESTest() + { + } + + public String getName() + { + return "DHIES"; + } + + public void performTest() + throws Exception + { + byte[] derivation = Hex.decode("202122232425262728292a2b2c2d2e2f"); + byte[] encoding = Hex.decode("303132333435363738393a3b3c3d3e3f"); + + + IESCipher c1 = new org.bouncycastle.jcajce.provider.asymmetric.dh.IESCipher.IES(); + IESCipher c2 = new org.bouncycastle.jcajce.provider.asymmetric.dh.IESCipher.IES(); + IESParameterSpec params = new IESParameterSpec(derivation,encoding,128); + + // Testing DHIES with default prime in streaming mode + KeyPairGenerator g = KeyPairGenerator.getInstance("DH", "BC"); + + g.initialize(param); + + doTest("DHIES with default", g, "DHIES", params); + + // Testing DHIES with 512-bit prime in streaming mode + g.initialize(512, new SecureRandom()); + doTest("DHIES with 512-bit", g, "DHIES", params); + + // Testing ECIES with 1024-bit prime in streaming mode + g.initialize(1024, new SecureRandom()); + doTest("DHIES with 1024-bit", g, "DHIES", params); + + c1 = new IESCipher(new IESEngine(new DHBasicAgreement(), + new KDF2BytesGenerator(new SHA1Digest()), + new HMac(new SHA1Digest()), + new PaddedBufferedBlockCipher(new DESEngine()))); + + c2 = new IESCipher(new IESEngine(new DHBasicAgreement(), + new KDF2BytesGenerator(new SHA1Digest()), + new HMac(new SHA1Digest()), + new PaddedBufferedBlockCipher(new DESEngine()))); + + params = new IESParameterSpec(derivation, encoding, 128, 192); + + // Testing DHIES with default prime using DESEDE + g = KeyPairGenerator.getInstance("DH", "BC"); + doTest("DHIESwithDES default", g, "DHIESwithDESEDE", params); + + // Testing DHIES with 512-bit prime using DESEDE + g.initialize(512, new SecureRandom()); + doTest("DHIESwithDES 512-bit", g, "DHIESwithDESEDE", params); + + // Testing DHIES with 1024-bit prime using DESEDE + g.initialize(1024, new SecureRandom()); + doTest("DHIESwithDES 1024-bit", g, "DHIESwithDESEDE", params); + + g = KeyPairGenerator.getInstance("DH", "BC"); + g.initialize(param); + + c1 = new IESCipher.IESwithAES(); + c2 = new IESCipher.IESwithAES(); + params = new IESParameterSpec(derivation, encoding, 128, 128); + + // Testing DHIES with default curve using AES + doTest("DHIESwithAES default", g, "DHIESwithAES", params); + + // Testing DHIES with 512-bit curve using AES + g.initialize(512, new SecureRandom()); + doTest("DHIESwithAES 512-bit", g, "DHIESwithAES", params); + + // Testing DHIES with 1024-bit curve using AES + g.initialize(1024, new SecureRandom()); + doTest("DHIESwithAES 1024-bit", g, "DHIESwithAES", params); + + } + + public void doTest( + String testname, + KeyPairGenerator g, + String cipher, + IESParameterSpec p) + throws Exception + { + + byte[] message = Hex.decode("0102030405060708090a0b0c0d0e0f10111213141516"); + byte[] out1, out2; + + Cipher c1 = Cipher.getInstance(cipher, "BC"); + Cipher c2 = Cipher.getInstance(cipher, "BC"); + // Generate static key pair + KeyPair keyPair = g.generateKeyPair(); + DHPublicKey pub = (DHPublicKey)keyPair.getPublic(); + DHPrivateKey priv = (DHPrivateKey)keyPair.getPrivate(); + + + // Testing with null parameters and DHAES mode off + c1.init(Cipher.ENCRYPT_MODE, pub, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, priv, new SecureRandom()); + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + { + fail(testname + " test failed with null parameters, DHAES mode false."); + } + + + // Testing with given parameters and DHAES mode off + c1.init(Cipher.ENCRYPT_MODE, pub, p, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, priv, p, new SecureRandom()); + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + fail(testname + " test failed with non-null parameters, DHAES mode false."); + + // Testing with null parameters and DHAES mode on + c1 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC"); + c2 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC"); + c1.init(Cipher.ENCRYPT_MODE, pub, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, priv, new SecureRandom()); + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + fail(testname + " test failed with null parameters, DHAES mode true."); + + + // Testing with given parameters and DHAES mode on + c1 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC"); + c2 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC"); + + c1.init(Cipher.ENCRYPT_MODE, pub, p, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, priv, p, new SecureRandom()); + + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + fail(testname + " test failed with non-null parameters, DHAES mode true."); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new DHIESTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DHTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DHTest.java new file mode 100644 index 00000000..c0720be3 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DHTest.java @@ -0,0 +1,895 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.AlgorithmParameterGenerator; +import java.security.AlgorithmParameters; +import java.security.Key; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.SecureRandom; +import java.security.Security; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; +import java.security.spec.ECFieldFp; +import java.security.spec.ECParameterSpec; +import java.security.spec.EllipticCurve; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import javax.crypto.KeyAgreement; +import javax.crypto.SecretKey; +import javax.crypto.interfaces.DHPrivateKey; +import javax.crypto.interfaces.DHPublicKey; +import javax.crypto.spec.DESKeySpec; +import javax.crypto.spec.DESedeKeySpec; +import javax.crypto.spec.DHParameterSpec; + +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.jcajce.provider.config.ConfigurableProvider; +import org.bouncycastle.jce.ECPointUtil; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class DHTest + extends SimpleTest +{ + private BigInteger g512 = new BigInteger("153d5d6172adb43045b68ae8e1de1070b6137005686d29d3d73a7749199681ee5b212c9b96bfdcfa5b20cd5e3fd2044895d609cf9b410b7a0f12ca1cb9a428cc", 16); + private BigInteger p512 = new BigInteger("9494fec095f3b85ee286542b3836fc81a5dd0a0349b4c239dd38744d488cf8e31db8bcb7d33b41abb9e5a33cca9144b1cef332c94bf0573bf047a3aca98cdf3b", 16); + + private BigInteger g768 = new BigInteger("7c240073c1316c621df461b71ebb0cdcc90a6e5527e5e126633d131f87461c4dc4afc60c2cb0f053b6758871489a69613e2a8b4c8acde23954c08c81cbd36132cfd64d69e4ed9f8e51ed6e516297206672d5c0a69135df0a5dcf010d289a9ca1", 16); + private BigInteger p768 = new BigInteger("8c9dd223debed1b80103b8b309715be009d48860ed5ae9b9d5d8159508efd802e3ad4501a7f7e1cfec78844489148cd72da24b21eddd01aa624291c48393e277cfc529e37075eccef957f3616f962d15b44aeab4039d01b817fde9eaa12fd73f", 16); + + private BigInteger g1024 = new BigInteger("1db17639cdf96bc4eabba19454f0b7e5bd4e14862889a725c96eb61048dcd676ceb303d586e30f060dbafd8a571a39c4d823982117da5cc4e0f89c77388b7a08896362429b94a18a327604eb7ff227bffbc83459ade299e57b5f77b50fb045250934938efa145511166e3197373e1b5b1e52de713eb49792bedde722c6717abf", 16); + private BigInteger p1024 = new BigInteger("a00e283b3c624e5b2b4d9fbc2653b5185d99499b00fd1bf244c6f0bb817b4d1c451b2958d62a0f8a38caef059fb5ecd25d75ed9af403f5b5bdab97a642902f824e3c13789fed95fa106ddfe0ff4a707c85e2eb77d49e68f2808bcea18ce128b178cd287c6bc00efa9a1ad2a673fe0dceace53166f75b81d6709d5f8af7c66bb7", 16); + + // public key with mismatched oid/parameters + private byte[] oldPubEnc = Base64.decode( + "MIIBnzCCARQGByqGSM4+AgEwggEHAoGBAPxSrN417g43VAM9sZRf1dt6AocAf7D6" + + "WVCtqEDcBJrMzt63+g+BNJzhXVtbZ9kp9vw8L/0PHgzv0Ot/kOLX7Khn+JalOECW" + + "YlkyBhmOVbjR79TY5u2GAlvG6pqpizieQNBCEMlUuYuK1Iwseil6VoRuA13Zm7uw" + + "WO1eZmaJtY7LAoGAQaPRCFKM5rEdkMrV9FNzeSsYRs8m3DqPnnJHpuySpyO9wUcX" + + "OOJcJY5qvHbDO5SxHXu/+bMgXmVT6dXI5o0UeYqJR7fj6pR4E6T0FwG55RFr5Ok4" + + "3C4cpXmaOu176SyWuoDqGs1RDGmYQjwbZUi23DjaaTFUly9LCYXMliKrQfEDgYQA" + + "AoGAQUGCBN4TaBw1BpdBXdTvTfCU69XDB3eyU2FOBE3UWhpx9D8XJlx4f5DpA4Y6" + + "6sQMuCbhfmjEph8W7/sbMurM/awR+PSR8tTY7jeQV0OkmAYdGK2nzh0ZSifMO1oE" + + "NNhN2O62TLs67msxT28S4/S89+LMtc98mevQ2SX+JF3wEVU="); + + // bogus key with full PKCS parameter set + private byte[] oldFullParams = Base64.decode( + "MIIBIzCCARgGByqGSM4+AgEwggELAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9E" + + "AMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f" + + "6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv" + + "8iIDGZ3RSAHHAoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlX" + + "jrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6j" + + "fwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqAgFk" + + "AwUAAgIH0A=="); + + private byte[] samplePubEnc = Base64.decode( + "MIIBpjCCARsGCSqGSIb3DQEDATCCAQwCgYEA/X9TgR11EilS30qcLuzk5/YRt1I8" + + "70QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWk" + + "n5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HX" + + "Ku/yIgMZndFIAccCgYEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdR" + + "WVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWR" + + "bqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoC" + + "AgIAA4GEAAKBgEIiqxoUW6E6GChoOgcfNbVFclW91ITf5MFSUGQwt2R0RHoOhxvO" + + "lZhNs++d0VPATLAyXovjfgENT9SGCbuZttYcqqLdKTbMXBWPek+rfnAl9E4iEMED" + + "IDd83FJTKs9hQcPAm7zmp0Xm1bGF9CbUFjP5G02265z7eBmHDaT0SNlB"); + + private byte[] samplePrivEnc = Base64.decode( + "MIIBZgIBADCCARsGCSqGSIb3DQEDATCCAQwCgYEA/X9TgR11EilS30qcLuzk5/YR" + + "t1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZ" + + "UKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu" + + "K2HXKu/yIgMZndFIAccCgYEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0H" + + "gmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuz" + + "pnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7P" + + "SSoCAgIABEICQAZYXnBHazxXUUdFP4NIf2Ipu7du0suJPZQKKff81wymi2zfCfHh" + + "uhe9gQ9xdm4GpzeNtrQ8/MzpTy+ZVrtd29Q="); + + public String getName() + { + return "DH"; + } + + private void testGP( + String algName, + int size, + int privateValueSize, + BigInteger g, + BigInteger p) + throws Exception + { + DHParameterSpec dhParams = new DHParameterSpec(p, g, privateValueSize); + + KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algName, "BC"); + + keyGen.initialize(dhParams); + + testTwoParty(algName, size, privateValueSize, keyGen); + + KeyPair aKeyPair = keyGen.generateKeyPair(); + + // + // public key encoding test + // + byte[] pubEnc = aKeyPair.getPublic().getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance(algName, "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + DHPublicKey pubKey = (DHPublicKey)keyFac.generatePublic(pubX509); + DHParameterSpec spec = pubKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit public key encoding/decoding test failed on parameters"); + } + + if (!((DHPublicKey)aKeyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key encoding/decoding test failed on y value"); + } + + // + // public key serialisation test + // + pubKey = (DHPublicKey)serializeDeserialize(aKeyPair.getPublic()); + spec = pubKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit public key serialisation test failed on parameters"); + } + + if (!((DHPublicKey)aKeyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key serialisation test failed on y value"); + } + + if (!aKeyPair.getPublic().equals(pubKey)) + { + fail("equals test failed"); + } + + if (aKeyPair.getPublic().hashCode() != pubKey.hashCode()) + { + fail("hashCode test failed"); + } + + // + // private key encoding test + // + byte[] privEnc = aKeyPair.getPrivate().getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + DHPrivateKey privKey = (DHPrivateKey)keyFac.generatePrivate(privPKCS8); + + spec = privKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit private key encoding/decoding test failed on parameters"); + } + + if (!((DHPrivateKey)aKeyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key encoding/decoding test failed on y value"); + } + + // + // private key serialisation test + // + privKey = (DHPrivateKey)serializeDeserialize(aKeyPair.getPrivate()); + spec = privKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit private key serialisation test failed on parameters"); + } + + if (!((DHPrivateKey)aKeyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key serialisation test failed on X value"); + } + + if (!aKeyPair.getPrivate().equals(privKey)) + { + fail("equals test failed"); + } + + if (aKeyPair.getPrivate().hashCode() != privKey.hashCode()) + { + fail("hashCode test failed"); + } + + if (!(privKey instanceof PKCS12BagAttributeCarrier)) + { + fail("private key not implementing PKCS12 attribute carrier"); + } + + // + // three party test + // + KeyPairGenerator aPairGen = KeyPairGenerator.getInstance(algName, "BC"); + aPairGen.initialize(spec); + KeyPair aPair = aPairGen.generateKeyPair(); + + KeyPairGenerator bPairGen = KeyPairGenerator.getInstance(algName, "BC"); + bPairGen.initialize(spec); + KeyPair bPair = bPairGen.generateKeyPair(); + + KeyPairGenerator cPairGen = KeyPairGenerator.getInstance(algName, "BC"); + cPairGen.initialize(spec); + KeyPair cPair = cPairGen.generateKeyPair(); + + KeyAgreement aKeyAgree = KeyAgreement.getInstance(algName, "BC"); + aKeyAgree.init(aPair.getPrivate()); + + KeyAgreement bKeyAgree = KeyAgreement.getInstance(algName, "BC"); + bKeyAgree.init(bPair.getPrivate()); + + KeyAgreement cKeyAgree = KeyAgreement.getInstance(algName, "BC"); + cKeyAgree.init(cPair.getPrivate()); + + Key ac = aKeyAgree.doPhase(cPair.getPublic(), false); + + Key ba = bKeyAgree.doPhase(aPair.getPublic(), false); + + Key cb = cKeyAgree.doPhase(bPair.getPublic(), false); + + aKeyAgree.doPhase(cb, true); + + bKeyAgree.doPhase(ac, true); + + cKeyAgree.doPhase(ba, true); + + BigInteger aShared = new BigInteger(aKeyAgree.generateSecret()); + BigInteger bShared = new BigInteger(bKeyAgree.generateSecret()); + BigInteger cShared = new BigInteger(cKeyAgree.generateSecret()); + + if (!aShared.equals(bShared)) + { + fail(size + " bit 3-way test failed (a and b differ)"); + } + + if (!cShared.equals(bShared)) + { + fail(size + " bit 3-way test failed (c and b differ)"); + } + } + + private void testTwoParty(String algName, int size, int privateValueSize, KeyPairGenerator keyGen) + throws Exception + { + // + // a side + // + KeyPair aKeyPair = keyGen.generateKeyPair(); + + KeyAgreement aKeyAgree = KeyAgreement.getInstance(algName, "BC"); + + checkKeySize(privateValueSize, aKeyPair); + + aKeyAgree.init(aKeyPair.getPrivate()); + + // + // b side + // + KeyPair bKeyPair = keyGen.generateKeyPair(); + + KeyAgreement bKeyAgree = KeyAgreement.getInstance(algName, "BC"); + + checkKeySize(privateValueSize, bKeyPair); + + bKeyAgree.init(bKeyPair.getPrivate()); + + // + // agreement + // + aKeyAgree.doPhase(bKeyPair.getPublic(), true); + bKeyAgree.doPhase(aKeyPair.getPublic(), true); + + BigInteger k1 = new BigInteger(aKeyAgree.generateSecret()); + BigInteger k2 = new BigInteger(bKeyAgree.generateSecret()); + + if (!k1.equals(k2)) + { + fail(size + " bit 2-way test failed"); + } + } + + private void testExplicitWrapping( + int size, + int privateValueSize, + BigInteger g, + BigInteger p) + throws Exception + { + DHParameterSpec dhParams = new DHParameterSpec(p, g, privateValueSize); + + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DH", "BC"); + + keyGen.initialize(dhParams); + + // + // a side + // + KeyPair aKeyPair = keyGen.generateKeyPair(); + + KeyAgreement aKeyAgree = KeyAgreement.getInstance("DH", "BC"); + + checkKeySize(privateValueSize, aKeyPair); + + aKeyAgree.init(aKeyPair.getPrivate()); + + // + // b side + // + KeyPair bKeyPair = keyGen.generateKeyPair(); + + KeyAgreement bKeyAgree = KeyAgreement.getInstance("DH", "BC"); + + checkKeySize(privateValueSize, bKeyPair); + + bKeyAgree.init(bKeyPair.getPrivate()); + + // + // agreement + // + aKeyAgree.doPhase(bKeyPair.getPublic(), true); + bKeyAgree.doPhase(aKeyPair.getPublic(), true); + + SecretKey k1 = aKeyAgree.generateSecret(PKCSObjectIdentifiers.id_alg_CMS3DESwrap.getId()); + SecretKey k2 = bKeyAgree.generateSecret(PKCSObjectIdentifiers.id_alg_CMS3DESwrap.getId()); + + // TODO Compare k1 and k2? + } + + private Object serializeDeserialize(Object o) + throws Exception + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(o); + oOut.close(); + + ObjectInputStream oIn = new ObjectInputStream(new ByteArrayInputStream(bOut.toByteArray())); + + return oIn.readObject(); + } + + private void checkKeySize(int privateValueSize, KeyPair aKeyPair) + { + if (privateValueSize != 0) + { + DHPrivateKey key = (DHPrivateKey)aKeyPair.getPrivate(); + + if (key.getX().bitLength() != privateValueSize) + { + fail("limited key check failed for key size " + privateValueSize); + } + } + } + + private void testRandom( + int size) + throws Exception + { + AlgorithmParameterGenerator a = AlgorithmParameterGenerator.getInstance("DH", "BC"); + a.init(size, new SecureRandom()); + AlgorithmParameters params = a.generateParameters(); + + byte[] encodeParams = params.getEncoded(); + + AlgorithmParameters a2 = AlgorithmParameters.getInstance("DH", "BC"); + a2.init(encodeParams); + + // a and a2 should be equivalent! + byte[] encodeParams_2 = a2.getEncoded(); + + if (!areEqual(encodeParams, encodeParams_2)) + { + fail("encode/decode parameters failed"); + } + + DHParameterSpec dhP = (DHParameterSpec)params.getParameterSpec(DHParameterSpec.class); + + testGP("DH", size, 0, dhP.getG(), dhP.getP()); + } + + private void testDefault( + int privateValueSize, + BigInteger g, + BigInteger p) + throws Exception + { + DHParameterSpec dhParams = new DHParameterSpec(p, g, privateValueSize); + String algName = "DH"; + int size = p.bitLength(); + + new BouncyCastleProvider().setParameter(ConfigurableProvider.DH_DEFAULT_PARAMS, dhParams); + + KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algName, "BC"); + + keyGen.initialize(dhParams.getP().bitLength()); + + testTwoParty("DH", size, privateValueSize, keyGen); + + KeyPair aKeyPair = keyGen.generateKeyPair(); + + new BouncyCastleProvider().setParameter(ConfigurableProvider.DH_DEFAULT_PARAMS, null); + + // + // public key encoding test + // + byte[] pubEnc = aKeyPair.getPublic().getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance(algName, "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + DHPublicKey pubKey = (DHPublicKey)keyFac.generatePublic(pubX509); + DHParameterSpec spec = pubKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit public key encoding/decoding test failed on parameters"); + } + + if (!((DHPublicKey)aKeyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key encoding/decoding test failed on y value"); + } + + // + // public key serialisation test + // + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(aKeyPair.getPublic()); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + ObjectInputStream oIn = new ObjectInputStream(bIn); + + pubKey = (DHPublicKey)oIn.readObject(); + spec = pubKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit public key serialisation test failed on parameters"); + } + + if (!((DHPublicKey)aKeyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key serialisation test failed on y value"); + } + + // + // private key encoding test + // + byte[] privEnc = aKeyPair.getPrivate().getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + DHPrivateKey privKey = (DHPrivateKey)keyFac.generatePrivate(privPKCS8); + + spec = privKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit private key encoding/decoding test failed on parameters"); + } + + if (!((DHPrivateKey)aKeyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key encoding/decoding test failed on y value"); + } + + // + // private key serialisation test + // + bOut = new ByteArrayOutputStream(); + oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(aKeyPair.getPrivate()); + + bIn = new ByteArrayInputStream(bOut.toByteArray()); + oIn = new ObjectInputStream(bIn); + + privKey = (DHPrivateKey)oIn.readObject(); + spec = privKey.getParams(); + + if (!spec.getG().equals(dhParams.getG()) || !spec.getP().equals(dhParams.getP())) + { + fail(size + " bit private key serialisation test failed on parameters"); + } + + if (!((DHPrivateKey)aKeyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key serialisation test failed on y value"); + } + + // + // three party test + // + KeyPairGenerator aPairGen = KeyPairGenerator.getInstance(algName, "BC"); + aPairGen.initialize(spec); + KeyPair aPair = aPairGen.generateKeyPair(); + + KeyPairGenerator bPairGen = KeyPairGenerator.getInstance(algName, "BC"); + bPairGen.initialize(spec); + KeyPair bPair = bPairGen.generateKeyPair(); + + KeyPairGenerator cPairGen = KeyPairGenerator.getInstance(algName, "BC"); + cPairGen.initialize(spec); + KeyPair cPair = cPairGen.generateKeyPair(); + + KeyAgreement aKeyAgree = KeyAgreement.getInstance(algName, "BC"); + aKeyAgree.init(aPair.getPrivate()); + + KeyAgreement bKeyAgree = KeyAgreement.getInstance(algName, "BC"); + bKeyAgree.init(bPair.getPrivate()); + + KeyAgreement cKeyAgree = KeyAgreement.getInstance(algName, "BC"); + cKeyAgree.init(cPair.getPrivate()); + + Key ac = aKeyAgree.doPhase(cPair.getPublic(), false); + + Key ba = bKeyAgree.doPhase(aPair.getPublic(), false); + + Key cb = cKeyAgree.doPhase(bPair.getPublic(), false); + + aKeyAgree.doPhase(cb, true); + + bKeyAgree.doPhase(ac, true); + + cKeyAgree.doPhase(ba, true); + + BigInteger aShared = new BigInteger(aKeyAgree.generateSecret()); + BigInteger bShared = new BigInteger(bKeyAgree.generateSecret()); + BigInteger cShared = new BigInteger(cKeyAgree.generateSecret()); + + if (!aShared.equals(bShared)) + { + fail(size + " bit 3-way test failed (a and b differ)"); + } + + if (!cShared.equals(bShared)) + { + fail(size + " bit 3-way test failed (c and b differ)"); + } + } + private void testECDH(String algorithm) + throws Exception + { + KeyPairGenerator g = KeyPairGenerator.getInstance(algorithm, "BC"); + + EllipticCurve curve = new EllipticCurve( + new ECFieldFp(new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839")), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + ECPointUtil.decodePoint(curve, Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307"), // n + 1); // h + + g.initialize(ecSpec, new SecureRandom()); + + // + // a side + // + KeyPair aKeyPair = g.generateKeyPair(); + + KeyAgreement aKeyAgree = KeyAgreement.getInstance(algorithm, "BC"); + + aKeyAgree.init(aKeyPair.getPrivate()); + + // + // b side + // + KeyPair bKeyPair = g.generateKeyPair(); + + KeyAgreement bKeyAgree = KeyAgreement.getInstance(algorithm, "BC"); + + bKeyAgree.init(bKeyPair.getPrivate()); + + // + // agreement + // + aKeyAgree.doPhase(bKeyPair.getPublic(), true); + bKeyAgree.doPhase(aKeyPair.getPublic(), true); + + BigInteger k1 = new BigInteger(aKeyAgree.generateSecret()); + BigInteger k2 = new BigInteger(bKeyAgree.generateSecret()); + + if (!k1.equals(k2)) + { + fail(algorithm + " 2-way test failed"); + } + + // + // public key encoding test + // + byte[] pubEnc = aKeyPair.getPublic().getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance(algorithm, "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + ECPublicKey pubKey = (ECPublicKey)keyFac.generatePublic(pubX509); + + if (!pubKey.getW().equals(((ECPublicKey)aKeyPair.getPublic()).getW())) + { + System.out.println(" expected " + pubKey.getW().getAffineX() + " got " + ((ECPublicKey)aKeyPair.getPublic()).getW().getAffineX()); + System.out.println(" expected " + pubKey.getW().getAffineY() + " got " + ((ECPublicKey)aKeyPair.getPublic()).getW().getAffineY()); + fail(algorithm + " public key encoding (W test) failed"); + } + + if (!pubKey.getParams().getGenerator().equals(((ECPublicKey)aKeyPair.getPublic()).getParams().getGenerator())) + { + fail(algorithm + " public key encoding (G test) failed"); + } + + // + // private key encoding test + // + byte[] privEnc = aKeyPair.getPrivate().getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + ECPrivateKey privKey = (ECPrivateKey)keyFac.generatePrivate(privPKCS8); + + if (!privKey.getS().equals(((ECPrivateKey)aKeyPair.getPrivate()).getS())) + { + fail(algorithm + " private key encoding (S test) failed"); + } + + if (!privKey.getParams().getGenerator().equals(((ECPrivateKey)aKeyPair.getPrivate()).getParams().getGenerator())) + { + fail(algorithm + " private key encoding (G test) failed"); + } + } + + private void testExceptions() + { + try + { + KeyAgreement aKeyAgree = KeyAgreement.getInstance("DH", "BC"); + + aKeyAgree.generateSecret("DES"); + } + catch (IllegalStateException e) + { + // okay + } + catch (Exception e) + { + fail("Unexpected exception: " + e, e); + } + } + + private void testDESAndDESede(BigInteger g, BigInteger p) + throws Exception + { + DHParameterSpec dhParams = new DHParameterSpec(p, g, 256); + + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DH", "BC"); + + keyGen.initialize(dhParams); + + KeyPair kp = keyGen.generateKeyPair(); + + KeyAgreement keyAgreement = KeyAgreement.getInstance("DH", "BC"); + + keyAgreement.init(kp.getPrivate()); + keyAgreement.doPhase(kp.getPublic(), true); + + SecretKey key = keyAgreement.generateSecret("DES"); + + if (key.getEncoded().length != 8) + { + fail("DES length wrong"); + } + + if (!DESKeySpec.isParityAdjusted(key.getEncoded(), 0)) + { + fail("DES parity wrong"); + } + + key = keyAgreement.generateSecret("DESEDE"); + + if (key.getEncoded().length != 24) + { + fail("DESEDE length wrong"); + } + + if (!DESedeKeySpec.isParityAdjusted(key.getEncoded(), 0)) + { + fail("DESEDE parity wrong"); + } + + key = keyAgreement.generateSecret("Blowfish"); + + if (key.getEncoded().length != 16) + { + fail("Blowfish length wrong"); + } + } + + private void testInitialise() + throws Exception + { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DH", "BC"); + + keyGen.initialize(512); + + keyGen.generateKeyPair(); + + testTwoParty("DH", 512, 0, keyGen); + } + + private void testEnc() + throws Exception + { + KeyFactory kFact = KeyFactory.getInstance("DH", "BC"); + + Key k = kFact.generatePrivate(new PKCS8EncodedKeySpec(samplePrivEnc)); + + if (!Arrays.areEqual(samplePrivEnc, k.getEncoded())) + { + fail("private key re-encode failed"); + } + + k = kFact.generatePublic(new X509EncodedKeySpec(samplePubEnc)); + + if (!Arrays.areEqual(samplePubEnc, k.getEncoded())) + { + fail("public key re-encode failed"); + } + + k = kFact.generatePublic(new X509EncodedKeySpec(oldPubEnc)); + + if (!Arrays.areEqual(oldPubEnc, k.getEncoded())) + { + fail("old public key re-encode failed"); + } + + k = kFact.generatePublic(new X509EncodedKeySpec(oldFullParams)); + + if (!Arrays.areEqual(oldFullParams, k.getEncoded())) + { + fail("old full public key re-encode failed"); + } + } + + private void testConfig() + { + ConfigurableProvider prov = new BouncyCastleProvider(); + + DHParameterSpec dhSpec512 = new DHParameterSpec( + new BigInteger("fca682ce8e12caba26efccf7110e526db078b05edecbcd1eb4a208f3ae1617ae01f35b91a47e6df63413c5e12ed0899bcd132acd50d99151bdc43ee737592e17", 16), + new BigInteger("678471b27a9cf44ee91a49c5147db1a9aaf244f05a434d6486931d2d14271b9e35030b71fd73da179069b32e2935630e1c2062354d0da20a6c416e50be794ca4", 16), + 384); + + DHParameterSpec dhSpec768 = new DHParameterSpec( + new BigInteger("e9e642599d355f37c97ffd3567120b8e25c9cd43e927b3a9670fbec5d890141922d2c3b3ad2480093799869d1e846aab49fab0ad26d2ce6a22219d470bce7d777d4a21fbe9c270b57f607002f3cef8393694cf45ee3688c11a8c56ab127a3daf", 16), + new BigInteger("30470ad5a005fb14ce2d9dcd87e38bc7d1b1c5facbaecbe95f190aa7a31d23c4dbbcbe06174544401a5b2c020965d8c2bd2171d3668445771f74ba084d2029d83c1c158547f3a9f1a2715be23d51ae4d3e5a1f6a7064f316933a346d3f529252", 16), + 384); + + DHParameterSpec dhSpec1024 = new DHParameterSpec( + new BigInteger("f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a", 16), + new BigInteger("fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7", 16), + 512); + + prov.setParameter(ConfigurableProvider.DH_DEFAULT_PARAMS, dhSpec512); + + if (!dhSpec512.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(512))) + { + fail("config mismatch"); + } + + if (BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(768) != null) + { + fail("config found when none expected"); + } + + prov.setParameter(ConfigurableProvider.DH_DEFAULT_PARAMS, new DHParameterSpec[] { dhSpec512, dhSpec768, dhSpec1024 }); + + if (!dhSpec512.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(512))) + { + fail("512 config mismatch"); + } + + if (!dhSpec768.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(768))) + { + fail("768 config mismatch"); + } + + if (!dhSpec1024.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(1024))) + { + fail("1024 config mismatch"); + } + + prov.setParameter(ConfigurableProvider.DH_DEFAULT_PARAMS, null); + + if (BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(512) != null) + { + fail("config found for 512 when none expected"); + } + + if (BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(768) != null) + { + fail("config found for 768 when none expected"); + } + + prov.setParameter(ConfigurableProvider.THREAD_LOCAL_DH_DEFAULT_PARAMS, dhSpec512); + + if (!dhSpec512.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(512))) + { + fail("config mismatch"); + } + + if (BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(768) != null) + { + fail("config found when none expected"); + } + + prov.setParameter(ConfigurableProvider.THREAD_LOCAL_DH_DEFAULT_PARAMS, new DHParameterSpec[] { dhSpec512, dhSpec768, dhSpec1024 }); + + if (!dhSpec512.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(512))) + { + fail("512 config mismatch"); + } + + if (!dhSpec768.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(768))) + { + fail("768 config mismatch"); + } + + if (!dhSpec1024.equals(BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(1024))) + { + fail("1024 config mismatch"); + } + + prov.setParameter(ConfigurableProvider.THREAD_LOCAL_DH_DEFAULT_PARAMS, null); + + if (BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(512) != null) + { + fail("config found for 512 when none expected"); + } + + if (BouncyCastleProvider.CONFIGURATION.getDHDefaultParameters(768) != null) + { + fail("config found for 768 when none expected"); + } + } + + public void performTest() + throws Exception + { + testDefault(64, g512, p512); + + testEnc(); + testGP("DH", 512, 0, g512, p512); + testGP("DiffieHellman", 768, 0, g768, p768); + testGP("DIFFIEHELLMAN", 1024, 0, g1024, p1024); + testGP("DH", 512, 64, g512, p512); + testGP("DiffieHellman", 768, 128, g768, p768); + testGP("DIFFIEHELLMAN", 1024, 256, g1024, p1024); + testExplicitWrapping(512, 0, g512, p512); + testRandom(256); + testECDH("ECDH"); + testECDH("ECDHC"); + testExceptions(); + testDESAndDESede(g768, p768); + testInitialise(); + testConfig(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new DHTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DSATest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DSATest.java new file mode 100644 index 00000000..e0478997 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DSATest.java @@ -0,0 +1,1016 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.AlgorithmParameterGenerator; +import java.security.AlgorithmParameters; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.SignatureException; +import java.security.interfaces.DSAPrivateKey; +import java.security.interfaces.DSAPublicKey; +import java.security.spec.DSAParameterSpec; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.eac.EACObjectIdentifiers; +import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.crypto.params.DSAParameters; +import org.bouncycastle.crypto.params.DSAPublicKeyParameters; +import org.bouncycastle.crypto.signers.DSASigner; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPrivateKeySpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.BigIntegers; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.FixedSecureRandom; +import org.bouncycastle.util.test.SimpleTest; + +public class DSATest + extends SimpleTest +{ + byte[] k1 = Hex.decode("d5014e4b60ef2ba8b6211b4062ba3224e0427dd3"); + byte[] k2 = Hex.decode("345e8d05c075c3a508df729a1685690e68fcfb8c8117847e89063bca1f85d968fd281540b6e13bd1af989a1fbf17e06462bf511f9d0b140fb48ac1b1baa5bded"); + + SecureRandom random = new FixedSecureRandom(new byte[][] { k1, k2 }); + + private void testCompat() + throws Exception + { + if (Security.getProvider("SUN") == null) + { + return; + } + + Signature s = Signature.getInstance("DSA", "SUN"); + KeyPairGenerator g = KeyPairGenerator.getInstance("DSA", "SUN"); + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + + g.initialize(512, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + PrivateKey sKey = p.getPrivate(); + PublicKey vKey = p.getPublic(); + + // + // sign SUN - verify with BC + // + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("DSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("SUN -> BC verification failed"); + } + + // + // sign BC - verify with SUN + // + + s.initSign(sKey); + + s.update(data); + + sigBytes = s.sign(); + + s = Signature.getInstance("DSA", "SUN"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("BC -> SUN verification failed"); + } + + // + // key encoding test - BC decoding Sun keys + // + KeyFactory f = KeyFactory.getInstance("DSA", "BC"); + X509EncodedKeySpec x509s = new X509EncodedKeySpec(vKey.getEncoded()); + + DSAPublicKey k1 = (DSAPublicKey)f.generatePublic(x509s); + + checkPublic(k1, vKey); + + PKCS8EncodedKeySpec pkcs8 = new PKCS8EncodedKeySpec(sKey.getEncoded()); + + DSAPrivateKey k2 = (DSAPrivateKey)f.generatePrivate(pkcs8); + + checkPrivateKey(k2, sKey); + + // + // key decoding test - SUN decoding BC keys + // + f = KeyFactory.getInstance("DSA", "SUN"); + x509s = new X509EncodedKeySpec(k1.getEncoded()); + + vKey = (DSAPublicKey)f.generatePublic(x509s); + + checkPublic(k1, vKey); + + pkcs8 = new PKCS8EncodedKeySpec(k2.getEncoded()); + sKey = f.generatePrivate(pkcs8); + + checkPrivateKey(k2, sKey); + } + + private void testNONEwithDSA() + throws Exception + { + byte[] dummySha1 = Hex.decode("01020304050607080910111213141516"); + + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("DSA", "BC"); + + kpGen.initialize(512); + + KeyPair kp = kpGen.generateKeyPair(); + + Signature sig = Signature.getInstance("NONEwithDSA", "BC"); + + sig.initSign(kp.getPrivate()); + + sig.update(dummySha1); + + byte[] sigBytes = sig.sign(); + + sig.initVerify(kp.getPublic()); + + sig.update(dummySha1); + + sig.verify(sigBytes); + + // reset test + + sig.update(dummySha1); + + if (!sig.verify(sigBytes)) + { + fail("NONEwithDSA failed to reset"); + } + + // lightweight test + DSAPublicKey key = (DSAPublicKey)kp.getPublic(); + DSAParameters params = new DSAParameters(key.getParams().getP(), key.getParams().getQ(), key.getParams().getG()); + DSAPublicKeyParameters keyParams = new DSAPublicKeyParameters(key.getY(), params); + DSASigner signer = new DSASigner(); + ASN1Sequence derSig = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(sigBytes)); + + signer.init(false, keyParams); + + if (!signer.verifySignature(dummySha1, DERInteger.getInstance(derSig.getObjectAt(0)).getValue(), DERInteger.getInstance(derSig.getObjectAt(1)).getValue())) + { + fail("NONEwithDSA not really NONE!"); + } + } + + private void checkPublic(DSAPublicKey k1, PublicKey vKey) + { + if (!k1.getY().equals(((DSAPublicKey)vKey).getY())) + { + fail("public number not decoded properly"); + } + + if (!k1.getParams().getG().equals(((DSAPublicKey)vKey).getParams().getG())) + { + fail("public generator not decoded properly"); + } + + if (!k1.getParams().getP().equals(((DSAPublicKey)vKey).getParams().getP())) + { + fail("public p value not decoded properly"); + } + + if (!k1.getParams().getQ().equals(((DSAPublicKey)vKey).getParams().getQ())) + { + fail("public q value not decoded properly"); + } + } + + private void checkPrivateKey(DSAPrivateKey k2, PrivateKey sKey) + { + if (!k2.getX().equals(((DSAPrivateKey)sKey).getX())) + { + fail("private number not decoded properly"); + } + + if (!k2.getParams().getG().equals(((DSAPrivateKey)sKey).getParams().getG())) + { + fail("private generator not decoded properly"); + } + + if (!k2.getParams().getP().equals(((DSAPrivateKey)sKey).getParams().getP())) + { + fail("private p value not decoded properly"); + } + + if (!k2.getParams().getQ().equals(((DSAPrivateKey)sKey).getParams().getQ())) + { + fail("private q value not decoded properly"); + } + } + + private Object serializeDeserialize(Object o) + throws Exception + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(o); + oOut.close(); + + ObjectInputStream oIn = new ObjectInputStream(new ByteArrayInputStream(bOut.toByteArray())); + + return oIn.readObject(); + } + + /** + * X9.62 - 1998,<br> + * J.3.2, Page 155, ECDSA over the field Fp<br> + * an example with 239 bit prime + */ + private void testECDSA239bitPrime() + throws Exception + { + BigInteger r = new BigInteger("308636143175167811492622547300668018854959378758531778147462058306432176"); + BigInteger s = new BigInteger("323813553209797357708078776831250505931891051755007842781978505179448783"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("700000017569056646655505781757157107570501575775705779575555657156756655")); + + SecureRandom k = new FixedSecureRandom(kData); + + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("876300101507107567501066130761671078357010671067781776716671676178726717"), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("025b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c70")), // Q + spec); + + Signature sgr = Signature.getInstance("ECDSA", "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + PrivateKey sKey = f.generatePrivate(priKey); + PublicKey vKey = f.generatePublic(pubKey); + + sgr.initSign(sKey, k); + + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("239 Bit EC verification failed"); + } + + BigInteger[] sig = derDecode(sigBytes); + + if (!r.equals(sig[0])) + { + fail("r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0]); + } + + if (!s.equals(sig[1])) + { + fail("s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1]); + } + } + + private void testNONEwithECDSA239bitPrime() + throws Exception + { + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("876300101507107567501066130761671078357010671067781776716671676178726717"), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("025b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c70")), // Q + spec); + + Signature sgr = Signature.getInstance("NONEwithECDSA", "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + PrivateKey sKey = f.generatePrivate(priKey); + PublicKey vKey = f.generatePublic(pubKey); + + byte[] message = "abc".getBytes(); + byte[] sig = Hex.decode("3040021e2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0021e64cb19604be06c57e761b3de5518f71de0f6e0cd2df677cec8a6ffcb690d"); + + checkMessage(sgr, sKey, vKey, message, sig); + + message = "abcdefghijklmnopqrstuvwxyz".getBytes(); + sig = Hex.decode("3040021e2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0021e43fd65b3363d76aabef8630572257dbb67c82818ad9fad31256539b1b02c"); + + checkMessage(sgr, sKey, vKey, message, sig); + + message = "a very very long message gauranteed to cause an overflow".getBytes(); + sig = Hex.decode("3040021e2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0021e7d5be84b22937a1691859a3c6fe45ed30b108574431d01b34025825ec17a"); + + checkMessage(sgr, sKey, vKey, message, sig); + } + + private void checkMessage(Signature sgr, PrivateKey sKey, PublicKey vKey, byte[] message, byte[] sig) + throws InvalidKeyException, SignatureException + { + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("700000017569056646655505781757157107570501575775705779575555657156756655")); + + SecureRandom k = new FixedSecureRandom(kData); + + sgr.initSign(sKey, k); + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + if (!Arrays.areEqual(sigBytes, sig)) + { + fail(new String(message) + " signature incorrect"); + } + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail(new String(message) + " verification failed"); + } + } + + /** + * X9.62 - 1998,<br> + * J.2.1, Page 100, ECDSA over the field F2m<br> + * an example with 191 bit binary field + */ + private void testECDSA239bitBinary() + throws Exception + { + BigInteger r = new BigInteger("21596333210419611985018340039034612628818151486841789642455876922391552"); + BigInteger s = new BigInteger("197030374000731686738334997654997227052849804072198819102649413465737174"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("171278725565216523967285789236956265265265235675811949404040041670216363")); + + SecureRandom k = new FixedSecureRandom(kData); + + ECCurve curve = new ECCurve.F2m( + 239, // m + 36, // k + new BigInteger("32010857077C5431123A46B808906756F543423E8D27877578125778AC76", 16), // a + new BigInteger("790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16", 16)); // b + + ECParameterSpec params = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("0457927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305")), // G + new BigInteger("220855883097298041197912187592864814557886993776713230936715041207411783"), // n + BigInteger.valueOf(4)); // h + + ECPrivateKeySpec priKeySpec = new ECPrivateKeySpec( + new BigInteger("145642755521911534651321230007534120304391871461646461466464667494947990"), // d + params); + + ECPublicKeySpec pubKeySpec = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("045894609CCECF9A92533F630DE713A958E96C97CCB8F5ABB5A688A238DEED6DC2D9D0C94EBFB7D526BA6A61764175B99CB6011E2047F9F067293F57F5")), // Q + params); + + Signature sgr = Signature.getInstance("ECDSA", "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + PrivateKey sKey = f.generatePrivate(priKeySpec); + PublicKey vKey = f.generatePublic(pubKeySpec); + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.initSign(sKey, k); + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("239 Bit EC verification failed"); + } + + BigInteger[] sig = derDecode(sigBytes); + + if (!r.equals(sig[0])) + { + fail("r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0]); + } + + if (!s.equals(sig[1])) + { + fail("s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1]); + } + } + + private void testECDSA239bitBinary(String algorithm, DERObjectIdentifier oid) + throws Exception + { + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("171278725565216523967285789236956265265265235675811949404040041670216363")); + + SecureRandom k = new FixedSecureRandom(kData); + + ECCurve curve = new ECCurve.F2m( + 239, // m + 36, // k + new BigInteger("32010857077C5431123A46B808906756F543423E8D27877578125778AC76", 16), // a + new BigInteger("790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16", 16)); // b + + ECParameterSpec params = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("0457927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305")), // G + new BigInteger("220855883097298041197912187592864814557886993776713230936715041207411783"), // n + BigInteger.valueOf(4)); // h + + ECPrivateKeySpec priKeySpec = new ECPrivateKeySpec( + new BigInteger("145642755521911534651321230007534120304391871461646461466464667494947990"), // d + params); + + ECPublicKeySpec pubKeySpec = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("045894609CCECF9A92533F630DE713A958E96C97CCB8F5ABB5A688A238DEED6DC2D9D0C94EBFB7D526BA6A61764175B99CB6011E2047F9F067293F57F5")), // Q + params); + + Signature sgr = Signature.getInstance(algorithm, "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + PrivateKey sKey = f.generatePrivate(priKeySpec); + PublicKey vKey = f.generatePublic(pubKeySpec); + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.initSign(sKey, k); + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr = Signature.getInstance(oid.getId(), "BC"); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("239 Bit EC RIPEMD160 verification failed"); + } + } + + private void testGeneration() + throws Exception + { + Signature s = Signature.getInstance("DSA", "BC"); + KeyPairGenerator g = KeyPairGenerator.getInstance("DSA", "BC"); + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + + + // test exception + // + try + { + g.initialize(513, new SecureRandom()); + + fail("illegal parameter 513 check failed."); + } + catch (IllegalArgumentException e) + { + // expected + } + + try + { + g.initialize(510, new SecureRandom()); + + fail("illegal parameter 510 check failed."); + } + catch (IllegalArgumentException e) + { + // expected + } + + try + { + g.initialize(1025, new SecureRandom()); + + fail("illegal parameter 1025 check failed."); + } + catch (IllegalArgumentException e) + { + // expected + } + + g.initialize(512, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + PrivateKey sKey = p.getPrivate(); + PublicKey vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("DSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("DSA verification failed"); + } + + // + // key decoding test - serialisation test + // + + DSAPublicKey k1 = (DSAPublicKey)serializeDeserialize(vKey); + + checkPublic(k1, vKey); + + checkEquals(k1, vKey); + + DSAPrivateKey k2 = (DSAPrivateKey)serializeDeserialize(sKey); + + checkPrivateKey(k2, sKey); + + checkEquals(k2, sKey); + + if (!(k2 instanceof PKCS12BagAttributeCarrier)) + { + fail("private key not implementing PKCS12 attribute carrier"); + } + + // + // ECDSA Fp generation test + // + s = Signature.getInstance("ECDSA", "BC"); + g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + g.initialize(ecSpec, new SecureRandom()); + + p = g.generateKeyPair(); + + sKey = p.getPrivate(); + vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + sigBytes = s.sign(); + + s = Signature.getInstance("ECDSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("ECDSA verification failed"); + } + + // + // key decoding test - serialisation test + // + + PublicKey eck1 = (PublicKey)serializeDeserialize(vKey); + + checkEquals(eck1, vKey); + + PrivateKey eck2 = (PrivateKey)serializeDeserialize(sKey); + + checkEquals(eck2, sKey); + + // Named curve parameter + g.initialize(new ECNamedCurveGenParameterSpec("P-256"), new SecureRandom()); + + p = g.generateKeyPair(); + + sKey = p.getPrivate(); + vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + sigBytes = s.sign(); + + s = Signature.getInstance("ECDSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("ECDSA verification failed"); + } + + // + // key decoding test - serialisation test + // + + eck1 = (PublicKey)serializeDeserialize(vKey); + + checkEquals(eck1, vKey); + + eck2 = (PrivateKey)serializeDeserialize(sKey); + + checkEquals(eck2, sKey); + + // + // ECDSA F2m generation test + // + s = Signature.getInstance("ECDSA", "BC"); + g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + curve = new ECCurve.F2m( + 239, // m + 36, // k + new BigInteger("32010857077C5431123A46B808906756F543423E8D27877578125778AC76", 16), // a + new BigInteger("790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16", 16)); // b + + ecSpec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("0457927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305")), // G + new BigInteger("220855883097298041197912187592864814557886993776713230936715041207411783"), // n + BigInteger.valueOf(4)); // h + + g.initialize(ecSpec, new SecureRandom()); + + p = g.generateKeyPair(); + + sKey = p.getPrivate(); + vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + sigBytes = s.sign(); + + s = Signature.getInstance("ECDSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("ECDSA verification failed"); + } + + // + // key decoding test - serialisation test + // + + eck1 = (PublicKey)serializeDeserialize(vKey); + + checkEquals(eck1, vKey); + + eck2 = (PrivateKey)serializeDeserialize(sKey); + + checkEquals(eck2, sKey); + + if (!(eck2 instanceof PKCS12BagAttributeCarrier)) + { + fail("private key not implementing PKCS12 attribute carrier"); + } + } + + private void checkEquals(Object o1, Object o2) + { + if (!o1.equals(o2)) + { + fail("comparison test failed"); + } + + if (o1.hashCode() != o2.hashCode()) + { + fail("hashCode test failed"); + } + } + + private void testParameters() + throws Exception + { + AlgorithmParameterGenerator a = AlgorithmParameterGenerator.getInstance("DSA", "BC"); + a.init(512, random); + AlgorithmParameters params = a.generateParameters(); + + byte[] encodeParams = params.getEncoded(); + + AlgorithmParameters a2 = AlgorithmParameters.getInstance("DSA", "BC"); + a2.init(encodeParams); + + // a and a2 should be equivalent! + byte[] encodeParams_2 = a2.getEncoded(); + + if (!areEqual(encodeParams, encodeParams_2)) + { + fail("encode/decode parameters failed"); + } + + DSAParameterSpec dsaP = (DSAParameterSpec)params.getParameterSpec(DSAParameterSpec.class); + + KeyPairGenerator g = KeyPairGenerator.getInstance("DSA", "BC"); + g.initialize(dsaP, new SecureRandom()); + KeyPair p = g.generateKeyPair(); + + PrivateKey sKey = p.getPrivate(); + PublicKey vKey = p.getPublic(); + + Signature s = Signature.getInstance("DSA", "BC"); + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("DSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("DSA verification failed"); + } + } + + private void testDSA2Parameters() + throws Exception + { + byte[] seed = Hex.decode("4783081972865EA95D43318AB2EAF9C61A2FC7BBF1B772A09017BDF5A58F4FF0"); + + AlgorithmParameterGenerator a = AlgorithmParameterGenerator.getInstance("DSA", "BC"); + a.init(2048, new DSATestSecureRandom(seed)); + AlgorithmParameters params = a.generateParameters(); + + DSAParameterSpec dsaP = (DSAParameterSpec)params.getParameterSpec(DSAParameterSpec.class); + + if (!dsaP.getQ().equals(new BigInteger("C24ED361870B61E0D367F008F99F8A1F75525889C89DB1B673C45AF5867CB467", 16))) + { + fail("Q incorrect"); + } + + if (!dsaP.getP().equals(new BigInteger( + "F56C2A7D366E3EBDEAA1891FD2A0D099" + + "436438A673FED4D75F594959CFFEBCA7BE0FC72E4FE67D91" + + "D801CBA0693AC4ED9E411B41D19E2FD1699C4390AD27D94C" + + "69C0B143F1DC88932CFE2310C886412047BD9B1C7A67F8A2" + + "5909132627F51A0C866877E672E555342BDF9355347DBD43" + + "B47156B2C20BAD9D2B071BC2FDCF9757F75C168C5D9FC431" + + "31BE162A0756D1BDEC2CA0EB0E3B018A8B38D3EF2487782A" + + "EB9FBF99D8B30499C55E4F61E5C7DCEE2A2BB55BD7F75FCD" + + "F00E48F2E8356BDB59D86114028F67B8E07B127744778AFF" + + "1CF1399A4D679D92FDE7D941C5C85C5D7BFF91BA69F9489D" + + "531D1EBFA727CFDA651390F8021719FA9F7216CEB177BD75", 16))) + { + fail("P incorrect"); + } + + if (!dsaP.getG().equals(new BigInteger( + "8DC6CC814CAE4A1C05A3E186A6FE27EA" + + "BA8CDB133FDCE14A963A92E809790CBA096EAA26140550C1" + + "29FA2B98C16E84236AA33BF919CD6F587E048C52666576DB" + + "6E925C6CBE9B9EC5C16020F9A44C9F1C8F7A8E611C1F6EC2" + + "513EA6AA0B8D0F72FED73CA37DF240DB57BBB27431D61869" + + "7B9E771B0B301D5DF05955425061A30DC6D33BB6D2A32BD0" + + "A75A0A71D2184F506372ABF84A56AEEEA8EB693BF29A6403" + + "45FA1298A16E85421B2208D00068A5A42915F82CF0B858C8" + + "FA39D43D704B6927E0B2F916304E86FB6A1B487F07D8139E" + + "428BB096C6D67A76EC0B8D4EF274B8A2CF556D279AD267CC" + + "EF5AF477AFED029F485B5597739F5D0240F67C2D948A6279", 16))) + { + fail("G incorrect"); + } + + KeyPairGenerator g = KeyPairGenerator.getInstance("DSA", "BC"); + g.initialize(dsaP, new FixedSecureRandom(Hex.decode("0CAF2EF547EC49C4F3A6FE6DF4223A174D01F2C115D49A6F73437C29A2A8458C"))); + KeyPair p = g.generateKeyPair(); + + DSAPrivateKey sKey = (DSAPrivateKey)p.getPrivate(); + DSAPublicKey vKey = (DSAPublicKey)p.getPublic(); + + if (!vKey.getY().equals(new BigInteger( + "2828003D7C747199143C370FDD07A286" + + "1524514ACC57F63F80C38C2087C6B795B62DE1C224BF8D1D" + + "1424E60CE3F5AE3F76C754A2464AF292286D873A7A30B7EA" + + "CBBC75AAFDE7191D9157598CDB0B60E0C5AA3F6EBE425500" + + "C611957DBF5ED35490714A42811FDCDEB19AF2AB30BEADFF" + + "2907931CEE7F3B55532CFFAEB371F84F01347630EB227A41" + + "9B1F3F558BC8A509D64A765D8987D493B007C4412C297CAF" + + "41566E26FAEE475137EC781A0DC088A26C8804A98C23140E" + + "7C936281864B99571EE95C416AA38CEEBB41FDBFF1EB1D1D" + + "C97B63CE1355257627C8B0FD840DDB20ED35BE92F08C49AE" + + "A5613957D7E5C7A6D5A5834B4CB069E0831753ECF65BA02B", 16))) + { + fail("Y value incorrect"); + } + + if (!sKey.getX().equals( + new BigInteger("0CAF2EF547EC49C4F3A6FE6DF4223A174D01F2C115D49A6F73437C29A2A8458C", 16))) + { + fail("X value incorrect"); + } + + byte[] encodeParams = params.getEncoded(); + + AlgorithmParameters a2 = AlgorithmParameters.getInstance("DSA", "BC"); + a2.init(encodeParams); + + // a and a2 should be equivalent! + byte[] encodeParams_2 = a2.getEncoded(); + + if (!areEqual(encodeParams, encodeParams_2)) + { + fail("encode/decode parameters failed"); + } + + Signature s = Signature.getInstance("DSA", "BC"); + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("DSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("DSA verification failed"); + } + } + + public void performTest() + throws Exception + { + testCompat(); + testNONEwithDSA(); + testECDSA239bitPrime(); + testNONEwithECDSA239bitPrime(); + testECDSA239bitBinary(); + testECDSA239bitBinary("RIPEMD160withECDSA", TeleTrusTObjectIdentifiers.ecSignWithRipemd160); + testECDSA239bitBinary("SHA1withECDSA", TeleTrusTObjectIdentifiers.ecSignWithSha1); + testECDSA239bitBinary("SHA224withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA224); + testECDSA239bitBinary("SHA256withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256); + testECDSA239bitBinary("SHA384withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384); + testECDSA239bitBinary("SHA512withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512); + testECDSA239bitBinary("SHA1withCVC-ECDSA", EACObjectIdentifiers.id_TA_ECDSA_SHA_1); + testECDSA239bitBinary("SHA224withCVC-ECDSA", EACObjectIdentifiers.id_TA_ECDSA_SHA_224); + testECDSA239bitBinary("SHA256withCVC-ECDSA", EACObjectIdentifiers.id_TA_ECDSA_SHA_256); + testECDSA239bitBinary("SHA384withCVC-ECDSA", EACObjectIdentifiers.id_TA_ECDSA_SHA_384); + testECDSA239bitBinary("SHA512withCVC-ECDSA", EACObjectIdentifiers.id_TA_ECDSA_SHA_512); + + testGeneration(); + testParameters(); + testDSA2Parameters(); + } + + protected BigInteger[] derDecode( + byte[] encoding) + throws IOException + { + ByteArrayInputStream bIn = new ByteArrayInputStream(encoding); + ASN1InputStream aIn = new ASN1InputStream(bIn); + ASN1Sequence s = (ASN1Sequence)aIn.readObject(); + + BigInteger[] sig = new BigInteger[2]; + + sig[0] = ((DERInteger)s.getObjectAt(0)).getValue(); + sig[1] = ((DERInteger)s.getObjectAt(1)).getValue(); + + return sig; + } + + public String getName() + { + return "DSA/ECDSA"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new DSATest()); + } + + private class DSATestSecureRandom + extends FixedSecureRandom + { + private boolean first = true; + + public DSATestSecureRandom(byte[] value) + { + super(value); + } + + public void nextBytes(byte[] bytes) + { + if (first) + { + super.nextBytes(bytes); + first = false; + } + else + { + bytes[bytes.length - 1] = 2; + } + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DSTU4145Test.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DSTU4145Test.java new file mode 100644 index 00000000..5d29841c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DSTU4145Test.java @@ -0,0 +1,196 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; + +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPrivateKeySpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.FixedSecureRandom; +import org.bouncycastle.util.test.SimpleTest; + +public class DSTU4145Test + extends SimpleTest +{ + + public String getName() + { + return "DSTU4145"; + } + + public void performTest() + throws Exception + { + + DSTU4145Test(); + generationTest(); + //parametersTest(); + + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + runTest(new DSTU4145Test()); + } + + static final BigInteger r = new BigInteger("00f2702989366e9569d5092b83ac17f918bf040c487a", 16); + static final BigInteger s = new BigInteger("01dd460039db3be70392d7012f2a492d3e59091ab7a6", 16); + + private void generationTest() throws Exception + { + ECCurve.F2m curve = new ECCurve.F2m(173, 1, 2, 10, BigInteger.ZERO, new BigInteger("108576C80499DB2FC16EDDF6853BBB278F6B6FB437D9", 16)); + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.createPoint(new BigInteger("BE6628EC3E67A91A4E470894FBA72B52C515F8AEE9", 16), new BigInteger("D9DEEDF655CF5412313C11CA566CDC71F4DA57DB45C", 16), false), + new BigInteger("800000000000000000000189B4E67606E3825BB2831", 16)); + + SecureRandom k = new FixedSecureRandom(Hex.decode("00137449348C1249971759D99C252FFE1E14D8B31F00")); + SecureRandom keyRand = new FixedSecureRandom(Hex.decode("0000955CD7E344303D1034E66933DC21C8044D42ADB8")); + + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSTU4145", "BC"); + keyGen.initialize(spec, keyRand); + KeyPair pair = keyGen.generateKeyPair(); + + Signature sgr = Signature.getInstance("DSTU4145", "BC"); + + sgr.initSign(pair.getPrivate(), k); + + byte[] message = new byte[]{(byte)'a', (byte)'b', (byte)'c'}; + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(pair.getPublic()); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("DSTU4145 verification failed"); + } + + BigInteger[] sig = decode(sigBytes); + + if (!r.equals(sig[0])) + { + fail( + ": r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0].toString(16)); + } + + if (!s.equals(sig[1])) + { + fail( + ": s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1].toString(16)); + } + } + + private void DSTU4145Test() + throws Exception + { + + SecureRandom k = new FixedSecureRandom(Hex.decode("00137449348C1249971759D99C252FFE1E14D8B31F00")); + + ECCurve.F2m curve = new ECCurve.F2m(173, 1, 2, 10, BigInteger.ZERO, new BigInteger("108576C80499DB2FC16EDDF6853BBB278F6B6FB437D9", 16)); + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.createPoint(new BigInteger("BE6628EC3E67A91A4E470894FBA72B52C515F8AEE9", 16), new BigInteger("D9DEEDF655CF5412313C11CA566CDC71F4DA57DB45C", 16), false), + new BigInteger("800000000000000000000189B4E67606E3825BB2831", 16)); + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("955CD7E344303D1034E66933DC21C8044D42ADB8", 16), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + curve.createPoint(new BigInteger("22de541d48a75c1c3b8c7c107b2551c5093c6c096e1", 16), new BigInteger("1e5b602efc0269d61e64d97c9193d2788fa05c4b7fd5", 16), false), + spec); + + Signature sgr = Signature.getInstance("DSTU4145", "BC"); + KeyFactory f = KeyFactory.getInstance("DSTU4145", "BC"); + PrivateKey sKey = f.generatePrivate(priKey); + PublicKey vKey = f.generatePublic(pubKey); + + sgr.initSign(sKey, k); + + byte[] message = new byte[]{(byte)'a', (byte)'b', (byte)'c'}; + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("DSTU4145 verification failed"); + } + + BigInteger[] sig = decode(sigBytes); + + if (!r.equals(sig[0])) + { + fail( + ": r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0].toString(16)); + } + + if (!s.equals(sig[1])) + { + fail( + ": s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1].toString(16)); + } + } + + private BigInteger[] decode( + byte[] encoding) + throws IOException + { + ASN1OctetString octetString = (ASN1OctetString)ASN1OctetString.fromByteArray(encoding); + encoding = octetString.getOctets(); + + byte[] r = new byte[encoding.length / 2]; + byte[] s = new byte[encoding.length / 2]; + + System.arraycopy(encoding, 0, s, 0, encoding.length / 2); + + System.arraycopy(encoding, encoding.length / 2, r, 0, encoding.length / 2); + + BigInteger[] sig = new BigInteger[2]; + + sig[0] = new BigInteger(1, r); + sig[1] = new BigInteger(1, s); + + return sig; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DigestTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DigestTest.java new file mode 100644 index 00000000..5e379911 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DigestTest.java @@ -0,0 +1,153 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.MessageDigest; +import java.security.Security; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class DigestTest + extends SimpleTest +{ + final static String provider = "BC"; + + static private String[][] abcVectors = + { + { "MD2", "da853b0d3f88d99b30283a69e6ded6bb" }, + { "MD4", "a448017aaf21d8525fc10ae87aa6729d" }, + { "MD5", "900150983cd24fb0d6963f7d28e17f72"}, + { "SHA-1", "a9993e364706816aba3e25717850c26c9cd0d89d" }, + { "SHA-224", "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7" }, + { "SHA-256", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" }, + { "SHA-384", "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7" }, + { "SHA-512", "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" }, + { "SHA-512/224", "4634270F707B6A54DAAE7530460842E20E37ED265CEEE9A43E8924AA" }, + { "SHA-512/256", "53048E2681941EF99B2E29B76B4C7DABE4C2D0C634FC6D46E0E2F13107E7AF23" }, + { "RIPEMD128", "c14a12199c66e4ba84636b0f69144c77" }, + { "RIPEMD160", "8eb208f7e05d987a9b044a8e98c6b087f15a0bfc" }, + { "RIPEMD256", "afbd6e228b9d8cbbcef5ca2d03e6dba10ac0bc7dcbe4680e1e42d2e975459b65" }, + { "RIPEMD320", "de4c01b3054f8930a79d09ae738e92301e5a17085beffdc1b8d116713e74f82fa942d64cdbc4682d" }, + { "Tiger", "2AAB1484E8C158F2BFB8C5FF41B57A525129131C957B5F93" }, + { "GOST3411", "b285056dbf18d7392d7677369524dd14747459ed8143997e163b2986f92fd42c" }, + { "WHIRLPOOL", "4E2448A4C6F486BB16B6562C73B4020BF3043E3A731BCE721AE1B303D97E6D4C7181EEBDB6C57E277D0E34957114CBD6C797FC9D95D8B582D225292076D4EEF5" } + }; + + public String getName() + { + return "Digest"; + } + + void test(String algorithm) + throws Exception + { + byte[] message = "hello world".getBytes(); + + MessageDigest digest = MessageDigest.getInstance(algorithm, provider); + + byte[] result = digest.digest(message); + byte[] result2 = digest.digest(message); + + // test one digest the same message with the same instance + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 1 not equal"); + } + + // test two, single byte updates + for (int i = 0; i < message.length; i++) + { + digest.update(message[i]); + } + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 2 not equal"); + } + + // test three, two half updates + digest.update(message, 0, message.length/2); + digest.update(message, message.length/2, message.length-message.length/2); + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 3 not equal"); + } + + // test four, clone test + digest.update(message, 0, message.length/2); + MessageDigest d = (MessageDigest)digest.clone(); + digest.update(message, message.length/2, message.length-message.length/2); + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 4(a) not equal"); + } + + d.update(message, message.length/2, message.length-message.length/2); + result2 = d.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 4(b) not equal"); + } + + // test five, check reset() method + digest.update(message, 0, message.length/2); + digest.reset(); + digest.update(message, 0, message.length/2); + digest.update(message, message.length/2, message.length-message.length/2); + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 5 not equal"); + } + } + + /** + * Test the hash against a standard value for the string "abc" + * + * @param algorithm algorithm to test + * @param hash expected value + * @return the test result. + */ + void abcTest( + String algorithm, + String hash) + throws Exception + { + byte[] abc = { (byte)0x61, (byte)0x62, (byte)0x63 }; + + MessageDigest digest = MessageDigest.getInstance(algorithm, provider); + + byte[] result = digest.digest(abc); + + if (!MessageDigest.isEqual(result, Hex.decode(hash))) + { + fail("abc result not equal for " + algorithm); + } + } + + public void performTest() + throws Exception + { + for (int i = 0; i != abcVectors.length; i++) + { + test(abcVectors[i][0]); + + abcTest(abcVectors[i][0], abcVectors[i][1]); + } + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new DigestTest()); + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DoFinalTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DoFinalTest.java new file mode 100644 index 00000000..d0591386 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/DoFinalTest.java @@ -0,0 +1,164 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Key; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTestResult; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +/** + * check that doFinal is properly reseting the cipher. + */ +public class DoFinalTest + implements Test +{ + public DoFinalTest() + { + } + + private boolean equalArray( + byte[] a, + int aOff, + byte[] b, + int length) + { + if (aOff + a.length < length) + { + return false; + } + + if (b.length < length) + { + return false; + } + + for (int i = 0; i != length; i++) + { + if (a[aOff + i] != b[i]) + { + return false; + } + } + + return true; + } + + public TestResult checkCipher( + String cipherName) + { + String lCode = "ABCDEFGHIJKLMNOPQRSTUVWXY0123456789"; + String baseAlgorithm; + int index = cipherName.indexOf('/'); + + if (index > 0) + { + baseAlgorithm = cipherName.substring(0, index); + } + else + { + baseAlgorithm = cipherName; + } + + try + { + KeyGenerator kGen = KeyGenerator.getInstance(baseAlgorithm, "BC"); + Cipher cipher = Cipher.getInstance(cipherName, "BC"); + Key key = kGen.generateKey(); + + cipher.init(Cipher.ENCRYPT_MODE, key); + + byte[] encrypted = cipher.doFinal(lCode.getBytes()); + + // 2nd try + byte[] encrypted2 = cipher.doFinal(lCode.getBytes()); + + if (encrypted.length != encrypted2.length) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - expected length " + encrypted.length + " got " + encrypted2.length); + } + + if (!equalArray(encrypted, 0, encrypted2, encrypted.length)) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - first two arrays not equal"); + } + + // 3rd try + byte[] enc1 = cipher.update(lCode.getBytes()); + byte[] enc2 = cipher.doFinal(); + + if ((enc1.length + enc2.length) != encrypted.length) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - expected length " + encrypted.length + " got " + (enc1.length + enc2.length)); + } + + if (!equalArray(encrypted, 0, enc1, enc1.length)) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - enc1 array not equal"); + } + + if (!equalArray(encrypted, enc1.length, enc2, enc2.length)) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - enc1 array not equal"); + } + + enc1 = cipher.update(lCode.getBytes()); + + if (!equalArray(encrypted, 0, enc1, enc1.length)) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - 2nd enc1 array not equal"); + } + + int len = cipher.doFinal(enc1, 0); + if ((enc1.length + len) != encrypted.length) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - expected length " + encrypted.length + " got " + (enc1.length + len)); + } + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + ": Failed " + cipherName + " - exception " + e.toString()); + } + + return new SimpleTestResult(true, getName() + ": Okay"); + } + + public TestResult perform() + { + TestResult result = checkCipher("RC4"); + + if (!result.isSuccessful()) + { + return result; + } + + result = checkCipher("DES/CBC/PKCS5Padding"); + + if (!result.isSuccessful()) + { + return result; + } + + return checkCipher("Rijndael"); + } + + public String getName() + { + return "DoFinalTest"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + Test test = new DoFinalTest(); + TestResult result = test.perform(); + + System.out.println(result.toString()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECDSA5Test.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECDSA5Test.java new file mode 100644 index 00000000..0f93bdca --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECDSA5Test.java @@ -0,0 +1,730 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; +import java.security.spec.ECFieldF2m; +import java.security.spec.ECFieldFp; +import java.security.spec.ECGenParameterSpec; +import java.security.spec.ECParameterSpec; +import java.security.spec.ECPoint; +import java.security.spec.ECPrivateKeySpec; +import java.security.spec.ECPublicKeySpec; +import java.security.spec.EllipticCurve; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.sec.SECObjectIdentifiers; +import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x9.X962Parameters; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.jce.ECKeyUtil; +import org.bouncycastle.jce.ECPointUtil; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.BigIntegers; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.FixedSecureRandom; +import org.bouncycastle.util.test.SimpleTest; + +public class ECDSA5Test + extends SimpleTest +{ + byte[] k1 = Hex.decode("d5014e4b60ef2ba8b6211b4062ba3224e0427dd3"); + byte[] k2 = Hex.decode("345e8d05c075c3a508df729a1685690e68fcfb8c8117847e89063bca1f85d968fd281540b6e13bd1af989a1fbf17e06462bf511f9d0b140fb48ac1b1baa5bded"); + + SecureRandom random = new FixedSecureRandom(new byte[][] { k1, k2 }); + + private void decodeTest() + { + EllipticCurve curve = new EllipticCurve( + new ECFieldFp(new BigInteger("6277101735386680763835789423207666416083908700390324961279")), // q + new BigInteger("fffffffffffffffffffffffffffffffefffffffffffffffc", 16), // a + new BigInteger("64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1", 16)); // b + + ECPoint p = ECPointUtil.decodePoint(curve, Hex.decode("03188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012")); + + if (!p.getAffineX().equals(new BigInteger("188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", 16))) + { + fail("x uncompressed incorrectly"); + } + + if (!p.getAffineY().equals(new BigInteger("7192b95ffc8da78631011ed6b24cdd573f977a11e794811", 16))) + { + fail("y uncompressed incorrectly"); + } + } + + /** + * X9.62 - 1998,<br> + * J.3.2, Page 155, ECDSA over the field Fp<br> + * an example with 239 bit prime + */ + private void testECDSA239bitPrime() + throws Exception + { + BigInteger r = new BigInteger("308636143175167811492622547300668018854959378758531778147462058306432176"); + BigInteger s = new BigInteger("323813553209797357708078776831250505931891051755007842781978505179448783"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("700000017569056646655505781757157107570501575775705779575555657156756655")); + + SecureRandom k = new FixedSecureRandom(kData); + + EllipticCurve curve = new EllipticCurve( + new ECFieldFp(new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839")), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + ECPointUtil.decodePoint(curve, Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307"), // n + 1); // h + + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("876300101507107567501066130761671078357010671067781776716671676178726717"), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + ECPointUtil.decodePoint(curve, Hex.decode("025b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c70")), // Q + spec); + + Signature sgr = Signature.getInstance("ECDSA", "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + PrivateKey sKey = f.generatePrivate(priKey); + PublicKey vKey = f.generatePublic(pubKey); + + sgr.initSign(sKey, k); + + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("239 Bit EC verification failed"); + } + + BigInteger[] sig = derDecode(sigBytes); + + if (!r.equals(sig[0])) + { + fail("r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0]); + } + + if (!s.equals(sig[1])) + { + fail("s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1]); + } + } + + /** + * X9.62 - 1998,<br> + * J.2.1, Page 100, ECDSA over the field F2m<br> + * an example with 191 bit binary field + */ + private void testECDSA239bitBinary() + throws Exception + { + BigInteger r = new BigInteger("21596333210419611985018340039034612628818151486841789642455876922391552"); + BigInteger s = new BigInteger("197030374000731686738334997654997227052849804072198819102649413465737174"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("171278725565216523967285789236956265265265235675811949404040041670216363")); + + SecureRandom k = new FixedSecureRandom(kData); + + EllipticCurve curve = new EllipticCurve( + new ECFieldF2m(239, // m + new int[] { 36 }), // k + new BigInteger("32010857077C5431123A46B808906756F543423E8D27877578125778AC76", 16), // a + new BigInteger("790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16", 16)); // b + + ECParameterSpec params = new ECParameterSpec( + curve, + ECPointUtil.decodePoint(curve, Hex.decode("0457927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305")), // G + new BigInteger("220855883097298041197912187592864814557886993776713230936715041207411783"), // n + 4); // h + + ECPrivateKeySpec priKeySpec = new ECPrivateKeySpec( + new BigInteger("145642755521911534651321230007534120304391871461646461466464667494947990"), // d + params); + + ECPublicKeySpec pubKeySpec = new ECPublicKeySpec( + ECPointUtil.decodePoint(curve, Hex.decode("045894609CCECF9A92533F630DE713A958E96C97CCB8F5ABB5A688A238DEED6DC2D9D0C94EBFB7D526BA6A61764175B99CB6011E2047F9F067293F57F5")), // Q + params); + + Signature sgr = Signature.getInstance("ECDSA", "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + PrivateKey sKey = f.generatePrivate(priKeySpec); + PublicKey vKey = f.generatePublic(pubKeySpec); + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.initSign(sKey, k); + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("239 Bit EC verification failed"); + } + + BigInteger[] sig = derDecode(sigBytes); + + if (!r.equals(sig[0])) + { + fail("r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0]); + } + + if (!s.equals(sig[1])) + { + fail("s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1]); + } + } + + private void testGeneration() + throws Exception + { + // + // ECDSA generation test + // + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + Signature s = Signature.getInstance("ECDSA", "BC"); + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + EllipticCurve curve = new EllipticCurve( + new ECFieldFp(new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839")), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + ECPointUtil.decodePoint(curve, Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307"), // n + 1); // h + + g.initialize(ecSpec, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + PrivateKey sKey = p.getPrivate(); + PublicKey vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("ECDSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("ECDSA verification failed"); + } + + testKeyFactory((ECPublicKey)vKey, (ECPrivateKey)sKey); + testSerialise((ECPublicKey)vKey, (ECPrivateKey)sKey); + } + + private void testSerialise(ECPublicKey ecPublicKey, ECPrivateKey ecPrivateKey) + throws Exception + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(ecPublicKey); + oOut.writeObject(ecPrivateKey); + oOut.close(); + + ObjectInputStream oIn = new ObjectInputStream(new ByteArrayInputStream(bOut.toByteArray())); + + PublicKey pubKey = (PublicKey)oIn.readObject(); + PrivateKey privKey = (PrivateKey)oIn.readObject(); + + if (!ecPublicKey.equals(pubKey)) + { + fail("public key serialisation check failed"); + } + + if (!ecPrivateKey.equals(privKey)) + { + fail("private key serialisation check failed"); + } + } + + private void testKeyFactory(ECPublicKey pub, ECPrivateKey priv) + throws Exception + { + KeyFactory ecFact = KeyFactory.getInstance("ECDSA"); + + ECPublicKeySpec pubSpec = (ECPublicKeySpec)ecFact.getKeySpec(pub, ECPublicKeySpec.class); + ECPrivateKeySpec privSpec = (ECPrivateKeySpec)ecFact.getKeySpec(priv, ECPrivateKeySpec.class); + + if (!pubSpec.getW().equals(pub.getW()) || !pubSpec.getParams().getCurve().equals(pub.getParams().getCurve())) + { + fail("pubSpec not correct"); + } + + if (!privSpec.getS().equals(priv.getS()) || !privSpec.getParams().getCurve().equals(priv.getParams().getCurve())) + { + fail("privSpec not correct"); + } + + ECPublicKey pubKey = (ECPublicKey)ecFact.translateKey(pub); + ECPrivateKey privKey = (ECPrivateKey)ecFact.translateKey(priv); + + if (!pubKey.getW().equals(pub.getW()) || !pubKey.getParams().getCurve().equals(pub.getParams().getCurve())) + { + fail("pubKey not correct"); + } + + if (!privKey.getS().equals(priv.getS()) || !privKey.getParams().getCurve().equals(priv.getParams().getCurve())) + { + fail("privKey not correct"); + } + } + + private void testKeyConversion() + throws Exception + { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("ECDSA", "BC"); + + kpGen.initialize(new ECGenParameterSpec("prime192v1")); + + KeyPair pair = kpGen.generateKeyPair(); + + PublicKey pubKey = ECKeyUtil.publicToExplicitParameters(pair.getPublic(), "BC"); + + SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(ASN1Primitive.fromByteArray(pubKey.getEncoded())); + X962Parameters params = X962Parameters.getInstance(info.getAlgorithmId().getParameters()); + + if (params.isNamedCurve() || params.isImplicitlyCA()) + { + fail("public key conversion to explicit failed"); + } + + if (!((ECPublicKey)pair.getPublic()).getW().equals(((ECPublicKey)pubKey).getW())) + { + fail("public key conversion check failed"); + } + + PrivateKey privKey = ECKeyUtil.privateToExplicitParameters(pair.getPrivate(), "BC"); + PrivateKeyInfo privInfo = PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(privKey.getEncoded())); + params = X962Parameters.getInstance(privInfo.getAlgorithmId().getParameters()); + + if (params.isNamedCurve() || params.isImplicitlyCA()) + { + fail("private key conversion to explicit failed"); + } + + if (!((ECPrivateKey)pair.getPrivate()).getS().equals(((ECPrivateKey)privKey).getS())) + { + fail("private key conversion check failed"); + } + } + + private void testAdaptiveKeyConversion() + throws Exception + { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("ECDSA", "BC"); + + kpGen.initialize(new ECGenParameterSpec("prime192v1")); + + KeyPair pair = kpGen.generateKeyPair(); + + final PrivateKey privKey = pair.getPrivate(); + final PublicKey pubKey = pair.getPublic(); + + Signature s = Signature.getInstance("ECDSA", "BC"); + + // raw interface tests + s.initSign(new PrivateKey() + { + public String getAlgorithm() + { + return privKey.getAlgorithm(); + } + + public String getFormat() + { + return privKey.getFormat(); + } + + public byte[] getEncoded() + { + return privKey.getEncoded(); + } + }); + + s.initVerify(new PublicKey() + { + public String getAlgorithm() + { + return pubKey.getAlgorithm(); + } + + public String getFormat() + { + return pubKey.getFormat(); + } + + public byte[] getEncoded() + { + return pubKey.getEncoded(); + } + }); + + + s.initSign(new ECPrivateKey() + { + public String getAlgorithm() + { + return privKey.getAlgorithm(); + } + + public String getFormat() + { + return privKey.getFormat(); + } + + public byte[] getEncoded() + { + return privKey.getEncoded(); + } + + public BigInteger getS() + { + return ((ECPrivateKey)privKey).getS(); + } + + public ECParameterSpec getParams() + { + return ((ECPrivateKey)privKey).getParams(); + } + }); + + s.initVerify(new ECPublicKey() + { + public String getAlgorithm() + { + return pubKey.getAlgorithm(); + } + + public String getFormat() + { + return pubKey.getFormat(); + } + + public byte[] getEncoded() + { + return pubKey.getEncoded(); + } + + public ECPoint getW() + { + return ((ECPublicKey)pubKey).getW(); + } + + public ECParameterSpec getParams() + { + return ((ECPublicKey)pubKey).getParams(); + } + }); + + try + { + s.initSign(new PrivateKey() + { + public String getAlgorithm() + { + return privKey.getAlgorithm(); + } + + public String getFormat() + { + return privKey.getFormat(); + } + + public byte[] getEncoded() + { + return null; + } + }); + + fail("no exception thrown!!!"); + } + catch (InvalidKeyException e) + { + // ignore + } + + try + { + s.initVerify(new PublicKey() + { + public String getAlgorithm() + { + return pubKey.getAlgorithm(); + } + + public String getFormat() + { + return pubKey.getFormat(); + } + + public byte[] getEncoded() + { + return null; + } + }); + + fail("no exception thrown!!!"); + } + catch (InvalidKeyException e) + { + // ignore + } + + // try bogus encoding + try + { + s.initSign(new PrivateKey() + { + public String getAlgorithm() + { + return privKey.getAlgorithm(); + } + + public String getFormat() + { + return privKey.getFormat(); + } + + public byte[] getEncoded() + { + return new byte[20]; + } + }); + + fail("no exception thrown!!!"); + } + catch (InvalidKeyException e) + { + // ignore + } + + try + { + s.initVerify(new PublicKey() + { + public String getAlgorithm() + { + return pubKey.getAlgorithm(); + } + + public String getFormat() + { + return pubKey.getFormat(); + } + + public byte[] getEncoded() + { + return new byte[20]; + } + }); + + fail("no exception thrown!!!"); + } + catch (InvalidKeyException e) + { + // ignore + } + + // try encoding of wrong key + kpGen = KeyPairGenerator.getInstance("RSA", "BC"); + + kpGen.initialize(512); + + pair = kpGen.generateKeyPair(); + + final PrivateKey privRsa = pair.getPrivate(); + final PublicKey pubRsa = pair.getPublic(); + + try + { + s.initSign(new PrivateKey() + { + public String getAlgorithm() + { + return privRsa.getAlgorithm(); + } + + public String getFormat() + { + return privRsa.getFormat(); + } + + public byte[] getEncoded() + { + return privRsa.getEncoded(); + } + }); + + fail("no exception thrown!!!"); + + } + catch (InvalidKeyException e) + { + // ignore + } + + try + { + s.initVerify(new PublicKey() + { + public String getAlgorithm() + { + return pubRsa.getAlgorithm(); + } + + public String getFormat() + { + return pubRsa.getFormat(); + } + + public byte[] getEncoded() + { + return pubRsa.getEncoded(); + } + }); + + fail("no exception thrown!!!"); + } + catch (InvalidKeyException e) + { + // ignore + } + } + + private void testKeyPairGenerationWithOIDs() + throws Exception + { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("ECDSA", "BC"); + + kpGen.initialize(new ECGenParameterSpec(X9ObjectIdentifiers.prime192v1.getId())); + kpGen.initialize(new ECGenParameterSpec(TeleTrusTObjectIdentifiers.brainpoolP160r1.getId())); + kpGen.initialize(new ECGenParameterSpec(SECObjectIdentifiers.secp128r1.getId())); + + try + { + kpGen.initialize(new ECGenParameterSpec("1.1")); + + fail("non-existant curve OID failed"); + } + catch (InvalidAlgorithmParameterException e) + { + if (!"unknown curve OID: 1.1".equals(e.getMessage())) + { + fail("OID message check failed"); + } + } + + try + { + kpGen.initialize(new ECGenParameterSpec("flibble")); + + fail("non-existant curve name failed"); + } + catch (InvalidAlgorithmParameterException e) + { + if (!"unknown curve name: flibble".equals(e.getMessage())) + { + fail("name message check failed"); + } + } + } + + protected BigInteger[] derDecode( + byte[] encoding) + throws IOException + { + ByteArrayInputStream bIn = new ByteArrayInputStream(encoding); + ASN1InputStream aIn = new ASN1InputStream(bIn); + ASN1Sequence s = (ASN1Sequence)aIn.readObject(); + + BigInteger[] sig = new BigInteger[2]; + + sig[0] = ((DERInteger)s.getObjectAt(0)).getValue(); + sig[1] = ((DERInteger)s.getObjectAt(1)).getValue(); + + return sig; + } + + public String getName() + { + return "ECDSA5"; + } + + public void performTest() + throws Exception + { + testKeyConversion(); + testAdaptiveKeyConversion(); + decodeTest(); + testECDSA239bitPrime(); + testECDSA239bitBinary(); + testGeneration(); + testKeyPairGenerationWithOIDs(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new ECDSA5Test()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECEncodingTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECEncodingTest.java new file mode 100644 index 00000000..9a5135ae --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECEncodingTest.java @@ -0,0 +1,214 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.Date; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.x9.X9ECParameters; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.interfaces.ECPointEncoder; +import org.bouncycastle.jce.interfaces.ECPrivateKey; +import org.bouncycastle.jce.interfaces.ECPublicKey; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509V3CertificateGenerator; + +public class ECEncodingTest + extends SimpleTest +{ + public String getName() + { + return "ECEncodingTest"; + } + + /** J.4.7 An Example with m = 304 */ + private int m = 304; + + /** f = 010000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000807 */ + private int k1 = 1; + private int k2 = 2; + private int k3 = 11; + private byte hexa[] = {(byte)0xFD, 0x0D, 0x69, 0x31, 0x49, (byte)0xA1, 0x18, (byte)0xF6, 0x51 + , (byte)0xE6, (byte)0xDC, (byte)0xE6, (byte)0x80, 0x20, (byte)0x85, 0x37, 0x7E, 0x5F, (byte)0x88, 0x2D, 0x1B, 0x51 + , 0x0B, 0x44, 0x16, 0x00, 0x74, (byte)0xC1, 0x28, (byte)0x80, 0x78, 0x36, 0x5A, 0x03 + , (byte)0x96, (byte)0xC8, (byte)0xE6, (byte)0x81}; + private byte hexb[] = {(byte)0xBD, (byte)0xDB, (byte)0x97, (byte)0xE5, (byte)0x55 + , (byte)0xA5, (byte)0x0A, (byte)0x90, (byte)0x8E, (byte)0x43, (byte)0xB0 + , (byte)0x1C, (byte)0x79, (byte)0x8E, (byte)0xA5, (byte)0xDA, (byte)0xA6 + , (byte)0x78, (byte)0x8F, (byte)0x1E, (byte)0xA2, (byte)0x79 + , (byte)0x4E, (byte)0xFC, (byte)0xF5, (byte)0x71, (byte)0x66, (byte)0xB8 + , (byte)0xC1, (byte)0x40, (byte)0x39, (byte)0x60, (byte)0x1E + , (byte)0x55, (byte)0x82, (byte)0x73, (byte)0x40, (byte)0xBE}; + private BigInteger a = new BigInteger(1, hexa); + private BigInteger b = new BigInteger(1, hexb); + + /** Base point G (with point compression) */ + private byte enc[] = + {0x02, 0x19, 0x7B, 0x07, (byte)0x84, 0x5E, (byte)0x9B, (byte)0xE2, (byte)0xD9, 0x6A, (byte)0xDB, 0x0F + , 0x5F, 0x3C, 0x7F, 0x2C, (byte)0xFF, (byte)0xBD, 0x7A, 0x3E, (byte)0xB8, (byte)0xB6, (byte)0xFE, + (byte)0xC3, 0x5C, 0x7F, (byte)0xD6, 0x7F, 0x26, (byte)0xDD, (byte)0xF6 + , 0x28, 0x5A, 0x64, 0x4F, 0x74, 0x0A, 0x26, 0x14}; + + private void testPointCompression() + throws Exception + { + ECCurve curve = new ECCurve.F2m(m, k1, k2, k3, a, b); + curve.decodePoint(enc); + + int ks[] = new int[3]; + ks[0] = k3; + ks[1] = k2; + ks[2] = k1; + } + + public void performTest() + throws Exception + { + byte[] ecParams = Hex.decode("3081C8020101302806072A8648CE3D0101021D00D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF303C041C68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43041C2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B0439040D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD021D00D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F020101"); + testParams(ecParams, true); + + testParams(ecParams, false); + + ecParams = Hex.decode("3081C8020101302806072A8648CE3D0101021D00D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF303C041C56E6C7E4F11A7B4B961A4DCB5BD282EB22E42E9BCBE3E7B361F18012041C4BE3E7B361F18012F2353D22975E02D8D05D2C6F3342DD8F57D4C76F0439048D127A0C27E0DE207ED3B7FB98F83C8BD5A2A57C827F4B97874DEB2C1BAEB0C006958CE61BB1FC81F5389E288CB3E86E2ED91FB47B08FCCA021D00D7C134AA264366862A18302575D11A5F7AABFBA3D897FF5CA727AF53020101"); + testParams(ecParams, true); + + testParams(ecParams, false); + + ecParams = Hex.decode("30820142020101303c06072a8648ce3d0101023100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff3066043100fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc043100b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef046104aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab73617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973020101"); + testParams(ecParams, true); + + testParams(ecParams, false); + + testPointCompression(); + } + + private void testParams(byte[] ecParameterEncoded, boolean compress) + throws Exception + { + String keyStorePass = "myPass"; + ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream( + ecParameterEncoded)); + X9ECParameters params = X9ECParameters.getInstance(in + .readObject()); + KeyPair kp = null; + boolean success = false; + while (!success) + { + KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECDSA"); + kpg.initialize(new ECParameterSpec(params.getCurve(), + params.getG(), params.getN(), params.getH(), params + .getSeed())); + kp = kpg.generateKeyPair(); + // The very old Problem... we need a certificate chain to + // save a private key... + ECPublicKey pubKey = (ECPublicKey)kp.getPublic(); + if (!compress) + { + ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED"); + } + byte[] x = pubKey.getQ().getX().toBigInteger().toByteArray(); + byte[] y = pubKey.getQ().getY().toBigInteger().toByteArray(); + if (x.length == y.length) + { + success = true; + } + } + + // The very old Problem... we need a certificate chain to + // save a private key... + + Certificate[] chain = new Certificate[] { generateSelfSignedSoftECCert( + kp, compress) }; + + KeyStore keyStore = KeyStore.getInstance("BKS"); + keyStore.load(null, keyStorePass.toCharArray()); + + keyStore.setCertificateEntry("ECCert", chain[0]); + + ECPrivateKey privateECKey = (ECPrivateKey)kp.getPrivate(); + keyStore.setKeyEntry("ECPrivKey", privateECKey, keyStorePass + .toCharArray(), chain); + + // Test ec sign / verify + ECPublicKey pub = (ECPublicKey)kp.getPublic(); + String oldPrivateKey = new String(Hex.encode(privateECKey.getEncoded())); + String oldPublicKey = new String(Hex.encode(pub.getEncoded())); + ECPrivateKey newKey = (ECPrivateKey)keyStore.getKey("ECPrivKey", + keyStorePass.toCharArray()); + ECPublicKey newPubKey = (ECPublicKey)keyStore.getCertificate( + "ECCert").getPublicKey(); + if (!compress) + { + ((ECPointEncoder)newKey).setPointFormat("UNCOMPRESSED"); + ((ECPointEncoder)newPubKey).setPointFormat("UNCOMPRESSED"); + } + + String newPrivateKey = new String(Hex.encode(newKey.getEncoded())); + String newPublicKey = new String(Hex.encode(newPubKey.getEncoded())); + + if (!oldPrivateKey.equals(newPrivateKey)) + { + fail("failed private key comparison"); + } + + if (!oldPublicKey.equals(newPublicKey)) + { + fail("failed public key comparison"); + } + } + + /** + * Create a self signed cert for our software emulation + * + * @param kp + * is the keypair for our certificate + * @return a self signed cert for our software emulation + * @throws InvalidKeyException + * on error + * @throws SignatureException + * on error + */ + private X509Certificate generateSelfSignedSoftECCert(KeyPair kp, + boolean compress) throws Exception + { + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + ECPrivateKey privECKey = (ECPrivateKey)kp.getPrivate(); + ECPublicKey pubECKey = (ECPublicKey)kp.getPublic(); + if (!compress) + { + ((ECPointEncoder)privECKey).setPointFormat("UNCOMPRESSED"); + ((ECPointEncoder)pubECKey).setPointFormat("UNCOMPRESSED"); + } + certGen.setSignatureAlgorithm("ECDSAwithSHA1"); + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal("CN=Software emul (EC Cert)")); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000000)); + certGen.setSubjectDN(new X509Principal("CN=Software emul (EC Cert)")); + certGen.setPublicKey((PublicKey)pubECKey); + + return certGen.generate((PrivateKey)privECKey); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new ECEncodingTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECIESTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECIESTest.java new file mode 100644 index 00000000..9af0670a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECIESTest.java @@ -0,0 +1,180 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.SecureRandom; +import java.security.Security; + +import javax.crypto.Cipher; + +import org.bouncycastle.crypto.agreement.ECDHBasicAgreement; +import org.bouncycastle.crypto.digests.SHA1Digest; +import org.bouncycastle.crypto.engines.DESEngine; +import org.bouncycastle.crypto.engines.IESEngine; +import org.bouncycastle.crypto.generators.KDF2BytesGenerator; +import org.bouncycastle.crypto.macs.HMac; +import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher; +import org.bouncycastle.jcajce.provider.asymmetric.ec.IESCipher; +import org.bouncycastle.jce.interfaces.ECPrivateKey; +import org.bouncycastle.jce.interfaces.ECPublicKey; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.IESParameterSpec; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * Test for ECIES - Elliptic Curve Integrated Encryption Scheme + */ +public class ECIESTest + extends SimpleTest +{ + + ECIESTest() + { + } + + public String getName() + { + return "ECIES"; + } + + public void performTest() + throws Exception + { + byte[] derivation = Hex.decode("202122232425262728292a2b2c2d2e2f"); + byte[] encoding = Hex.decode("303132333435363738393a3b3c3d3e3f"); + + + IESCipher c1 = new org.bouncycastle.jcajce.provider.asymmetric.ec.IESCipher.ECIES(); + IESCipher c2 = new org.bouncycastle.jcajce.provider.asymmetric.ec.IESCipher.ECIES(); + IESParameterSpec params = new IESParameterSpec(derivation,encoding,128); + + // Testing ECIES with default curve in streaming mode + KeyPairGenerator g = KeyPairGenerator.getInstance("EC", "BC"); + doTest("ECIES with default", g, "ECIES", params); + + // Testing ECIES with 192-bit curve in streaming mode + g.initialize(192, new SecureRandom()); + doTest("ECIES with 192-bit", g, "ECIES", params); + + // Testing ECIES with 256-bit curve in streaming mode + g.initialize(256, new SecureRandom()); + doTest("ECIES with 256-bit", g, "ECIES", params); + + + c1 = new IESCipher(new IESEngine(new ECDHBasicAgreement(), + new KDF2BytesGenerator(new SHA1Digest()), + new HMac(new SHA1Digest()), + new PaddedBufferedBlockCipher(new DESEngine()))); + + c2 = new IESCipher(new IESEngine(new ECDHBasicAgreement(), + new KDF2BytesGenerator(new SHA1Digest()), + new HMac(new SHA1Digest()), + new PaddedBufferedBlockCipher(new DESEngine()))); + + params = new IESParameterSpec(derivation, encoding, 128, 128); + + // Testing ECIES with default curve using DES + g = KeyPairGenerator.getInstance("EC", "BC"); + doTest("default", g, "ECIESwithDESEDE", params); + + // Testing ECIES with 192-bit curve using DES + g.initialize(192, new SecureRandom()); + doTest("192-bit", g, "ECIESwithDESEDE", params); + + // Testing ECIES with 256-bit curve using DES + g.initialize(256, new SecureRandom()); + doTest("256-bit", g, "ECIESwithDESEDE", params); + + + c1 = new org.bouncycastle.jcajce.provider.asymmetric.ec.IESCipher.ECIESwithAES(); + c2 = new org.bouncycastle.jcajce.provider.asymmetric.ec.IESCipher.ECIESwithAES(); + params = new IESParameterSpec(derivation, encoding, 128, 128); + + // Testing ECIES with default curve using AES + g = KeyPairGenerator.getInstance("EC", "BC"); + doTest("default", g, "ECIESwithAES", params); + + // Testing ECIES with 192-bit curve using AES + g.initialize(192, new SecureRandom()); + doTest("192-bit", g, "ECIESwithAES", params); + + // Testing ECIES with 256-bit curve using AES + g.initialize(256, new SecureRandom()); + doTest("256-bit", g, "ECIESwithAES", params); + + } + + public void doTest( + String testname, + KeyPairGenerator g, + String cipher, + IESParameterSpec p) + throws Exception + { + + byte[] message = Hex.decode("0102030405060708090a0b0c0d0e0f10111213141516"); + byte[] out1, out2; + + // Generate static key pair + KeyPair KeyPair = g.generateKeyPair(); + ECPublicKey Pub = (ECPublicKey) KeyPair.getPublic(); + ECPrivateKey Priv = (ECPrivateKey) KeyPair.getPrivate(); + + Cipher c1 = Cipher.getInstance(cipher); + Cipher c2 = Cipher.getInstance(cipher); + + // Testing with null parameters and DHAES mode off + c1.init(Cipher.ENCRYPT_MODE, Pub, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, Priv, new SecureRandom()); + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + fail(testname + " test failed with null parameters, DHAES mode false."); + + + // Testing with given parameters and DHAES mode off + c1.init(Cipher.ENCRYPT_MODE, Pub, p, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, Priv, p, new SecureRandom()); + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + fail(testname + " test failed with non-null parameters, DHAES mode false."); + + + c1 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC"); + c2 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding","BC"); + + // Testing with null parameters and DHAES mode on + c1.init(Cipher.ENCRYPT_MODE, Pub, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, Priv, new SecureRandom()); + + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + fail(testname + " test failed with null parameters, DHAES mode true."); + + c1 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding"); + c2 = Cipher.getInstance(cipher + "/DHAES/PKCS7Padding"); + + // Testing with given parameters and DHAES mode on + c1.init(Cipher.ENCRYPT_MODE, Pub, p, new SecureRandom()); + c2.init(Cipher.DECRYPT_MODE, Priv, p, new SecureRandom()); + + out1 = c1.doFinal(message, 0, message.length); + out2 = c2.doFinal(out1, 0, out1.length); + if (!areEqual(out2, message)) + fail(testname + " test failed with non-null parameters, DHAES mode true."); + + } + + + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new ECIESTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECNRTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECNRTest.java new file mode 100644 index 00000000..dc60a5c7 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ECNRTest.java @@ -0,0 +1,247 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERInteger; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPrivateKeySpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.BigIntegers; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.FixedSecureRandom; +import org.bouncycastle.util.test.SimpleTest; + +public class ECNRTest + extends SimpleTest +{ + byte[] k1 = Hex.decode("d5014e4b60ef2ba8b6211b4062ba3224e0427dd3"); + byte[] k2 = Hex.decode("345e8d05c075c3a508df729a1685690e68fcfb8c8117847e89063bca1f85d968fd281540b6e13bd1af989a1fbf17e06462bf511f9d0b140fb48ac1b1baa5bded"); + + SecureRandom random = new FixedSecureRandom(new byte[][] { k1, k2 }); + + /** + * X9.62 - 1998,<br> + * J.3.2, Page 155, ECDSA over the field Fp<br> + * an example with 239 bit prime + */ + private void testECNR239bitPrime() + throws Exception + { + BigInteger r = new BigInteger("308636143175167811492623515537541734843573549327605293463169625072911693"); + BigInteger s = new BigInteger("852401710738814635664888632022555967400445256405412579597015412971797143"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("700000017569056646655505781757157107570501575775705779575555657156756655")); + + SecureRandom k = new FixedSecureRandom(kData); + + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("876300101507107567501066130761671078357010671067781776716671676178726717"), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("025b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c70")), // Q + spec); + + Signature sgr = Signature.getInstance("SHA1withECNR", "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + checkSignature(239, priKey, pubKey, sgr, k, message, r, s); + } + + // ------------------------------------------------------------------------- + + /** + * X9.62 - 1998,<br> + * Page 104-105, ECDSA over the field Fp<br> + * an example with 192 bit prime + */ + private void testECNR192bitPrime() + throws Exception + { + BigInteger r = new BigInteger("2474388605162950674935076940284692598330235697454145648371"); + BigInteger s = new BigInteger("2997192822503471356158280167065034437828486078932532073836"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", 16)); + + SecureRandom k = new FixedSecureRandom(kData); + + ECCurve.Fp curve = new ECCurve.Fp( + new BigInteger("6277101735386680763835789423207666416083908700390324961279"), // q (or p) + new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 16), // a + new BigInteger("64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("03188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")), // G + new BigInteger("6277101735386680763835789423176059013767194773182842284081")); // n + + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("651056770906015076056810763456358567190100156695615665659"), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("0262B12D60690CDCF330BABAB6E69763B471F994DD702D16A5")), // Q + spec); + + Signature sgr = Signature.getInstance("SHA1withECNR", "BC"); + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + checkSignature(192, priKey, pubKey, sgr, k, message, r, s); + } + + // ------------------------------------------------------------------------- + + /** + * SEC 2: Recommended Elliptic Curve Domain Parameters - September 2000,<br> + * Page 17-19, Recommended 521-bit Elliptic Curve Domain Parameters over Fp<br> + * an ECC example with a 521 bit prime and a 512 bit hash + */ + private void testECNR521bitPrime() + throws Exception + { + BigInteger r = new BigInteger("1820641608112320695747745915744708800944302281118541146383656165330049339564439316345159057453301092391897040509935100825960342573871340486684575368150970954"); + BigInteger s = new BigInteger("6358277176448326821136601602749690343031826490505780896013143436153111780706227024847359990383467115737705919410755190867632280059161174165591324242446800763"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("cdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef", 16)); + + SecureRandom k = new FixedSecureRandom(kData); + + ECCurve.Fp curve = new ECCurve.Fp( + new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151"), // q (or p) + new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 16), // a + new BigInteger("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("0200C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")), // G + new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)); // n + + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("5769183828869504557786041598510887460263120754767955773309066354712783118202294874205844512909370791582896372147797293913785865682804434049019366394746072023"), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("02006BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q + spec); + + Signature sgr = Signature.getInstance("SHA512withECNR", "BC"); + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + checkSignature(521, priKey, pubKey, sgr, k, message, r, s); + } + + private void checkSignature( + int size, + ECPrivateKeySpec priKey, + ECPublicKeySpec pubKey, + Signature sgr, + SecureRandom k, + byte[] message, + BigInteger r, + BigInteger s) + throws Exception + { + KeyFactory f = KeyFactory.getInstance("ECDSA", "BC"); + PrivateKey sKey = f.generatePrivate(priKey); + PublicKey vKey = f.generatePublic(pubKey); + + sgr.initSign(sKey, k); + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail(size + " bit EC verification failed"); + } + + BigInteger[] sig = derDecode(sigBytes); + + if (!r.equals(sig[0])) + { + fail(size + "bit" + + ": r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0]); + } + + if (!s.equals(sig[1])) + { + fail(size + "bit" + + ": s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1]); + } + } + + protected BigInteger[] derDecode( + byte[] encoding) + throws IOException + { + ByteArrayInputStream bIn = new ByteArrayInputStream(encoding); + ASN1InputStream aIn = new ASN1InputStream(bIn); + ASN1Sequence s = (ASN1Sequence)aIn.readObject(); + + BigInteger[] sig = new BigInteger[2]; + + sig[0] = ((DERInteger)s.getObjectAt(0)).getValue(); + sig[1] = ((DERInteger)s.getObjectAt(1)).getValue(); + + return sig; + } + + public String getName() + { + return "ECNR"; + } + + public void performTest() + throws Exception + { + testECNR192bitPrime(); + testECNR239bitPrime(); + testECNR521bitPrime(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new ECNRTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ElGamalTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ElGamalTest.java new file mode 100644 index 00000000..2ff08510 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ElGamalTest.java @@ -0,0 +1,497 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.AlgorithmParameterGenerator; +import java.security.AlgorithmParameters; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.SecureRandom; +import java.security.Security; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import javax.crypto.Cipher; +import javax.crypto.interfaces.DHPrivateKey; +import javax.crypto.interfaces.DHPublicKey; +import javax.crypto.spec.DHParameterSpec; + +import org.bouncycastle.jcajce.provider.config.ConfigurableProvider; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class ElGamalTest + extends SimpleTest +{ + private BigInteger g512 = new BigInteger("153d5d6172adb43045b68ae8e1de1070b6137005686d29d3d73a7749199681ee5b212c9b96bfdcfa5b20cd5e3fd2044895d609cf9b410b7a0f12ca1cb9a428cc", 16); + private BigInteger p512 = new BigInteger("9494fec095f3b85ee286542b3836fc81a5dd0a0349b4c239dd38744d488cf8e31db8bcb7d33b41abb9e5a33cca9144b1cef332c94bf0573bf047a3aca98cdf3b", 16); + + private BigInteger g768 = new BigInteger("7c240073c1316c621df461b71ebb0cdcc90a6e5527e5e126633d131f87461c4dc4afc60c2cb0f053b6758871489a69613e2a8b4c8acde23954c08c81cbd36132cfd64d69e4ed9f8e51ed6e516297206672d5c0a69135df0a5dcf010d289a9ca1", 16); + private BigInteger p768 = new BigInteger("8c9dd223debed1b80103b8b309715be009d48860ed5ae9b9d5d8159508efd802e3ad4501a7f7e1cfec78844489148cd72da24b21eddd01aa624291c48393e277cfc529e37075eccef957f3616f962d15b44aeab4039d01b817fde9eaa12fd73f", 16); + + private BigInteger g1024 = new BigInteger("1db17639cdf96bc4eabba19454f0b7e5bd4e14862889a725c96eb61048dcd676ceb303d586e30f060dbafd8a571a39c4d823982117da5cc4e0f89c77388b7a08896362429b94a18a327604eb7ff227bffbc83459ade299e57b5f77b50fb045250934938efa145511166e3197373e1b5b1e52de713eb49792bedde722c6717abf", 16); + private BigInteger p1024 = new BigInteger("a00e283b3c624e5b2b4d9fbc2653b5185d99499b00fd1bf244c6f0bb817b4d1c451b2958d62a0f8a38caef059fb5ecd25d75ed9af403f5b5bdab97a642902f824e3c13789fed95fa106ddfe0ff4a707c85e2eb77d49e68f2808bcea18ce128b178cd287c6bc00efa9a1ad2a673fe0dceace53166f75b81d6709d5f8af7c66bb7", 16); + + public String getName() + { + return "ElGamal"; + } + + private void testGP( + int size, + int privateValueSize, + BigInteger g, + BigInteger p) + throws Exception + { + DHParameterSpec elParams = new DHParameterSpec(p, g, privateValueSize); + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("ElGamal", "BC"); + byte[] in = "This is a test".getBytes(); + + keyGen.initialize(elParams); + + KeyPair keyPair = keyGen.generateKeyPair(); + SecureRandom rand = new SecureRandom(); + + checkKeySize(privateValueSize, keyPair); + + Cipher cipher = Cipher.getInstance("ElGamal", "BC"); + + cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic(), rand); + + if (cipher.getOutputSize(in.length) != (size / 8) * 2) + { + fail("getOutputSize wrong on encryption"); + } + + byte[] out = cipher.doFinal(in); + + cipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); + + if (cipher.getOutputSize(out.length) != (size / 8) - 1) + { + fail("getOutputSize wrong on decryption"); + } + + // + // No Padding - maximum length + // + byte[] modBytes = ((DHPublicKey)keyPair.getPublic()).getParams().getP().toByteArray(); + byte[] maxInput = new byte[modBytes.length - 1]; + + maxInput[0] |= 0x7f; + + cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic(), rand); + + out = cipher.doFinal(maxInput); + + cipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); + + out = cipher.doFinal(out); + + if (!areEqual(out, maxInput)) + { + fail("NoPadding test failed on decrypt expected " + new String(Hex.encode(maxInput)) + " got " + new String(Hex.encode(out))); + } + + // + // encrypt/decrypt + // + + Cipher c1 = Cipher.getInstance("ElGamal", "BC"); + Cipher c2 = Cipher.getInstance("ElGamal", "BC"); + + c1.init(Cipher.ENCRYPT_MODE, keyPair.getPublic(), rand); + + byte[] out1 = c1.doFinal(in); + + c2.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); + + byte[] out2 = c2.doFinal(out1); + + if (!areEqual(in, out2)) + { + fail(size + " encrypt test failed"); + } + + // + // encrypt/decrypt with update + // + int outLen = c1.update(in, 0, 2, out1, 0); + + outLen += c1.doFinal(in, 2, in.length - 2, out1, outLen); + + outLen = c2.update(out1, 0, 2, out2, 0); + + outLen += c2.doFinal(out1, 2, out1.length - 2, out2, outLen); + + if (!areEqual(in, out2)) + { + fail(size + " encrypt with update test failed"); + } + + // + // public key encoding test + // + byte[] pubEnc = keyPair.getPublic().getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance("ElGamal", "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + DHPublicKey pubKey = (DHPublicKey)keyFac.generatePublic(pubX509); + DHParameterSpec spec = pubKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit public key encoding/decoding test failed on parameters"); + } + + if (!((DHPublicKey)keyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key encoding/decoding test failed on y value"); + } + + // + // public key serialisation test + // + pubKey = (DHPublicKey)serializeDeserialize(keyPair.getPublic()); + spec = pubKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit public key serialisation test failed on parameters"); + } + + if (!((DHPublicKey)keyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key serialisation test failed on y value"); + } + + if (!keyPair.getPublic().equals(pubKey)) + { + fail("equals test failed"); + } + + if (keyPair.getPublic().hashCode() != pubKey.hashCode()) + { + fail("hashCode test failed"); + } + + // + // private key encoding test + // + byte[] privEnc = keyPair.getPrivate().getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + DHPrivateKey privKey = (DHPrivateKey)keyFac.generatePrivate(privPKCS8); + + spec = privKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit private key encoding/decoding test failed on parameters"); + } + + if (!((DHPrivateKey)keyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key encoding/decoding test failed on y value"); + } + + // + // private key serialisation test + // + privKey = (DHPrivateKey)serializeDeserialize(keyPair.getPrivate()); + spec = privKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit private key serialisation test failed on parameters"); + } + + if (!((DHPrivateKey)keyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key serialisation test failed on y value"); + } + + if (!keyPair.getPrivate().equals(privKey)) + { + fail("equals test failed"); + } + + if (keyPair.getPrivate().hashCode() != privKey.hashCode()) + { + fail("hashCode test failed"); + } + + if (!(privKey instanceof PKCS12BagAttributeCarrier)) + { + fail("private key not implementing PKCS12 attribute carrier"); + } + } + + private Object serializeDeserialize(Object o) + throws Exception + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(o); + oOut.close(); + + ObjectInputStream oIn = new ObjectInputStream(new ByteArrayInputStream(bOut.toByteArray())); + + return oIn.readObject(); + } + + private void checkKeySize(int privateValueSize, KeyPair aKeyPair) + { + if (privateValueSize != 0) + { + DHPrivateKey key = (DHPrivateKey)aKeyPair.getPrivate(); + + if (key.getX().bitLength() != privateValueSize) + { + fail("limited key check failed for key size " + privateValueSize); + } + } + } + + private void testRandom( + int size) + throws Exception + { + AlgorithmParameterGenerator a = AlgorithmParameterGenerator.getInstance("ElGamal", "BC"); + a.init(size, new SecureRandom()); + AlgorithmParameters params = a.generateParameters(); + + byte[] encodeParams = params.getEncoded(); + + AlgorithmParameters a2 = AlgorithmParameters.getInstance("ElGamal", "BC"); + a2.init(encodeParams); + + // a and a2 should be equivalent! + byte[] encodeParams_2 = a2.getEncoded(); + + if (!areEqual(encodeParams, encodeParams_2)) + { + fail(this.getName() + ": encode/decode parameters failed"); + } + + DHParameterSpec elP = (DHParameterSpec)params.getParameterSpec(DHParameterSpec.class); + + testGP(size, 0, elP.getG(), elP.getP()); + } + + private void testDefault( + int privateValueSize, + BigInteger g, + BigInteger p) + throws Exception + { + DHParameterSpec elParams = new DHParameterSpec(p, g, privateValueSize); + int size = p.bitLength(); + + new BouncyCastleProvider().setParameter(ConfigurableProvider.DH_DEFAULT_PARAMS, elParams); + + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("ElGamal", "BC"); + byte[] in = "This is a test".getBytes(); + + keyGen.initialize(p.bitLength()); + + KeyPair keyPair = keyGen.generateKeyPair(); + + new BouncyCastleProvider().setParameter(ConfigurableProvider.DH_DEFAULT_PARAMS, elParams); + + SecureRandom rand = new SecureRandom(); + + checkKeySize(privateValueSize, keyPair); + + Cipher cipher = Cipher.getInstance("ElGamal", "BC"); + + cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic(), rand); + + if (cipher.getOutputSize(in.length) != (size / 8) * 2) + { + fail("getOutputSize wrong on encryption"); + } + + byte[] out = cipher.doFinal(in); + + cipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); + + if (cipher.getOutputSize(out.length) != (size / 8) - 1) + { + fail("getOutputSize wrong on decryption"); + } + + // + // No Padding - maximum length + // + byte[] modBytes = ((DHPublicKey)keyPair.getPublic()).getParams().getP().toByteArray(); + byte[] maxInput = new byte[modBytes.length - 1]; + + maxInput[0] |= 0x7f; + + cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPublic(), rand); + + out = cipher.doFinal(maxInput); + + cipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); + + out = cipher.doFinal(out); + + if (!areEqual(out, maxInput)) + { + fail("NoPadding test failed on decrypt expected " + new String(Hex.encode(maxInput)) + " got " + new String(Hex.encode(out))); + } + + // + // encrypt/decrypt + // + + Cipher c1 = Cipher.getInstance("ElGamal", "BC"); + Cipher c2 = Cipher.getInstance("ElGamal", "BC"); + + c1.init(Cipher.ENCRYPT_MODE, keyPair.getPublic(), rand); + + byte[] out1 = c1.doFinal(in); + + c2.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); + + byte[] out2 = c2.doFinal(out1); + + if (!areEqual(in, out2)) + { + fail(size + " encrypt test failed"); + } + + // + // encrypt/decrypt with update + // + int outLen = c1.update(in, 0, 2, out1, 0); + + outLen += c1.doFinal(in, 2, in.length - 2, out1, outLen); + + outLen = c2.update(out1, 0, 2, out2, 0); + + outLen += c2.doFinal(out1, 2, out1.length - 2, out2, outLen); + + if (!areEqual(in, out2)) + { + fail(size + " encrypt with update test failed"); + } + + // + // public key encoding test + // + byte[] pubEnc = keyPair.getPublic().getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance("ElGamal", "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + DHPublicKey pubKey = (DHPublicKey)keyFac.generatePublic(pubX509); + DHParameterSpec spec = pubKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit public key encoding/decoding test failed on parameters"); + } + + if (!((DHPublicKey)keyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key encoding/decoding test failed on y value"); + } + + // + // public key serialisation test + // + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(keyPair.getPublic()); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + ObjectInputStream oIn = new ObjectInputStream(bIn); + + pubKey = (DHPublicKey)oIn.readObject(); + spec = pubKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit public key serialisation test failed on parameters"); + } + + if (!((DHPublicKey)keyPair.getPublic()).getY().equals(pubKey.getY())) + { + fail(size + " bit public key serialisation test failed on y value"); + } + + // + // private key encoding test + // + byte[] privEnc = keyPair.getPrivate().getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + DHPrivateKey privKey = (DHPrivateKey)keyFac.generatePrivate(privPKCS8); + + spec = privKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit private key encoding/decoding test failed on parameters"); + } + + if (!((DHPrivateKey)keyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key encoding/decoding test failed on y value"); + } + + // + // private key serialisation test + // + bOut = new ByteArrayOutputStream(); + oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(keyPair.getPrivate()); + + bIn = new ByteArrayInputStream(bOut.toByteArray()); + oIn = new ObjectInputStream(bIn); + + privKey = (DHPrivateKey)oIn.readObject(); + spec = privKey.getParams(); + + if (!spec.getG().equals(elParams.getG()) || !spec.getP().equals(elParams.getP())) + { + fail(size + " bit private key serialisation test failed on parameters"); + } + + if (!((DHPrivateKey)keyPair.getPrivate()).getX().equals(privKey.getX())) + { + fail(size + " bit private key serialisation test failed on y value"); + } + } + + public void performTest() + throws Exception + { + testDefault(64, g512, p512); + + testGP(512, 0, g512, p512); + testGP(768, 0, g768, p768); + testGP(1024, 0, g1024, p1024); + + testGP(512, 64, g512, p512); + testGP(768, 128, g768, p768); + testGP(1024, 256, g1024, p1024); + + testRandom(256); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new ElGamalTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/EncryptedPrivateKeyInfoTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/EncryptedPrivateKeyInfoTest.java new file mode 100644 index 00000000..80e64ac6 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/EncryptedPrivateKeyInfoTest.java @@ -0,0 +1,145 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.AlgorithmParameters; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.MessageDigest; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.spec.PKCS8EncodedKeySpec; + +import javax.crypto.Cipher; +import javax.crypto.EncryptedPrivateKeyInfo; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.PBEParameterSpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTestResult; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +public class EncryptedPrivateKeyInfoTest + implements Test +{ + String alg = "1.2.840.113549.1.12.1.3"; // 3 key triple DES with SHA-1 + + public TestResult perform() + { + try + { + KeyPairGenerator fact = KeyPairGenerator.getInstance("RSA", "BC"); + fact.initialize(512, new SecureRandom()); + + KeyPair keyPair = fact.generateKeyPair(); + + PrivateKey priKey = keyPair.getPrivate(); + PublicKey pubKey = keyPair.getPublic(); + + // + // set up the parameters + // + byte[] salt = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 }; + int iterationCount = 100; + PBEParameterSpec defParams = new PBEParameterSpec(salt, iterationCount); + + AlgorithmParameters params = AlgorithmParameters.getInstance(alg, "BC"); + + params.init(defParams); + + // + // set up the key + // + char[] password1 = { 'h', 'e', 'l', 'l', 'o' }; + + PBEKeySpec pbeSpec = new PBEKeySpec(password1); + SecretKeyFactory keyFact = SecretKeyFactory.getInstance(alg, "BC"); + Cipher cipher = Cipher.getInstance(alg, "BC"); + + cipher.init(Cipher.WRAP_MODE, keyFact.generateSecret(pbeSpec), params); + + byte[] wrappedKey = cipher.wrap(priKey); + + // + // create encrypted object + // + + EncryptedPrivateKeyInfo pInfo = new EncryptedPrivateKeyInfo(params, wrappedKey); + + // + // decryption step + // + char[] password2 = { 'h', 'e', 'l', 'l', 'o' }; + + pbeSpec = new PBEKeySpec(password2); + + cipher = Cipher.getInstance(pInfo.getAlgName(), "BC"); + + cipher.init(Cipher.DECRYPT_MODE, keyFact.generateSecret(pbeSpec), pInfo.getAlgParameters()); + + PKCS8EncodedKeySpec keySpec = pInfo.getKeySpec(cipher); + + if (!MessageDigest.isEqual(priKey.getEncoded(), keySpec.getEncoded())) + { + return new SimpleTestResult(false, "Private key does not match"); + } + + // + // using Cipher parameters test + // + pbeSpec = new PBEKeySpec(password1); + keyFact = SecretKeyFactory.getInstance(alg, "BC"); + cipher = Cipher.getInstance(alg, "BC"); + + cipher.init(Cipher.WRAP_MODE, keyFact.generateSecret(pbeSpec), params); + + wrappedKey = cipher.wrap(priKey); + + // + // create encrypted object + // + + pInfo = new EncryptedPrivateKeyInfo(cipher.getParameters(), wrappedKey); + + // + // decryption step + // + pbeSpec = new PBEKeySpec(password2); + + cipher = Cipher.getInstance(pInfo.getAlgName(), "BC"); + + cipher.init(Cipher.DECRYPT_MODE, keyFact.generateSecret(pbeSpec), pInfo.getAlgParameters()); + + keySpec = pInfo.getKeySpec(cipher); + + if (!MessageDigest.isEqual(priKey.getEncoded(), keySpec.getEncoded())) + { + return new SimpleTestResult(false, "Private key does not match"); + } + + return new SimpleTestResult(true, getName() + ": Okay"); + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + ": exception - " + e.toString(), e); + } + } + + public String getName() + { + return "EncryptedPrivateKeyInfoTest"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + Test test = new EncryptedPrivateKeyInfoTest(); + TestResult result = test.perform(); + + System.out.println(result.toString()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/FIPSDESTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/FIPSDESTest.java new file mode 100644 index 00000000..5a599879 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/FIPSDESTest.java @@ -0,0 +1,229 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.Key; +import java.security.KeyException; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTestResult; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +/** + * basic FIPS test class for a block cipher, just to make sure ECB/CBC/OFB/CFB are behaving + * correctly. Tests from <a href=http://www.itl.nist.gov/fipspubs/fip81.htm>FIPS 81</a>. + */ +public class FIPSDESTest + implements Test +{ + static String[] fips1Tests = + { + "DES/ECB/NoPadding", + "3fa40e8a984d48156a271787ab8883f9893d51ec4b563b53", + "DES/CBC/NoPadding", + "e5c7cdde872bf27c43e934008c389c0f683788499a7c05f6", + "DES/CFB/NoPadding", + "f3096249c7f46e51a69e839b1a92f78403467133898ea622" + }; + + static String[] fips2Tests = + { + "DES/CFB8/NoPadding", + "f31fda07011462ee187f", + "DES/OFB8/NoPadding", + "f34a2850c9c64985d684" + }; + + static byte[] input1 = Hex.decode("4e6f77206973207468652074696d6520666f7220616c6c20"); + static byte[] input2 = Hex.decode("4e6f7720697320746865"); + + public String getName() + { + return "FIPSDESTest"; + } + + private boolean equalArray( + byte[] a, + byte[] b) + { + if (a.length != b.length) + { + return false; + } + + for (int i = 0; i != a.length; i++) + { + if (a[i] != b[i]) + { + return false; + } + } + + return true; + } + + public TestResult test( + String algorithm, + byte[] input, + byte[] output) + { + Key key; + Cipher in, out; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + IvParameterSpec spec = new IvParameterSpec(Hex.decode("1234567890abcdef")); + + try + { + String baseAlgorithm; + + key = new SecretKeySpec(Hex.decode("0123456789abcdef"), "DES"); + + in = Cipher.getInstance(algorithm, "BC"); + out = Cipher.getInstance(algorithm, "BC"); + + if (algorithm.startsWith("DES/ECB")) + { + out.init(Cipher.ENCRYPT_MODE, key); + } + else + { + out.init(Cipher.ENCRYPT_MODE, key, spec); + } + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + ": " + algorithm + " failed initialisation - " + e.toString(), e); + } + + try + { + if (algorithm.startsWith("DES/ECB")) + { + in.init(Cipher.DECRYPT_MODE, key); + } + else + { + in.init(Cipher.DECRYPT_MODE, key, spec); + } + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + ": " + algorithm + " failed initialisation - " + e.toString(), e); + } + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + try + { + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + } + catch (IOException e) + { + return new SimpleTestResult(false, getName() + ": " + algorithm + " failed encryption - " + e.toString()); + } + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!equalArray(bytes, output)) + { + return new SimpleTestResult(false, getName() + ": " + algorithm + " failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + try + { + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + ": " + algorithm + " failed encryption - " + e.toString()); + } + + if (!equalArray(bytes, input)) + { + return new SimpleTestResult(false, getName() + ": " + algorithm + " failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + + return new SimpleTestResult(true, getName() + ": " + algorithm + " Okay"); + } + + public TestResult perform() + { + for (int i = 0; i != fips1Tests.length; i += 2) + { + TestResult result; + + result = test(fips1Tests[i], input1, Hex.decode(fips1Tests[i + 1])); + if (!result.isSuccessful()) + { + return result; + } + } + + for (int i = 0; i != fips2Tests.length; i += 2) + { + TestResult result; + + result = test(fips2Tests[i], input2, Hex.decode(fips2Tests[i + 1])); + if (!result.isSuccessful()) + { + return result; + } + } + + return new SimpleTestResult(true, getName() + ": Okay"); + } + + public static void main( + String[] args) + throws KeyException, InvalidAlgorithmParameterException + { + Security.addProvider(new BouncyCastleProvider()); + + Test test = new FIPSDESTest(); + TestResult result = test.perform(); + + System.out.println(result.toString()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GMacTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GMacTest.java new file mode 100644 index 00000000..3a26d3cd --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GMacTest.java @@ -0,0 +1,144 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.util.test.TestFailedException; + +public class GMacTest + extends SimpleTest +{ + public String getName() + { + return "GMac"; + } + + public void performTest() + throws Exception + { + checkRegistrations(); + } + + private void checkRegistrations() + throws Exception + { + List missingMacs = new ArrayList(); + List missingKeyGens = new ArrayList(); + + String[] ciphers = new String[] { "AES", "NOEKEON", "Twofish", "CAST6", "SEED", "Serpent", "RC6", "CAMELLIA" }; + String[] macs = new String[] + { + "a52308801b32d4770c701ace9b826f12", + "cf11dacaf6024a78dba76b256e23caab", + "13db7c428e5a7128149b5ec782d07fac", + "d13a33e78e48b274bf7d64bf9aecdb82", + "d05d550054735c6e7e01b6981fc14b4e", + "4a34dfe4f5410afd7c40b1e110377a73", + "d9f597c96b41f641da6c83d4760f543b", + "371ad8cc920c6bda2a26d8f237bd446b" + }; + + for (int i = 0; i < ciphers.length; i++) + { + String cipherName = ciphers[i]; + Cipher cipher; + try + { + cipher = Cipher.getInstance(cipherName, "BC"); + } + catch (Exception e) + { + System.err.println(cipherName + ": " + e.getMessage()); + continue; + } + int blocksize; + try + { + blocksize = cipher.getBlockSize(); + } + catch (Exception e) + { + System.err.println(cipherName + ": " + e.getMessage()); + continue; + } + // GCM is defined over 128 bit block ciphers + if (blocksize == 16) + { + String macName = cipherName + "-GMAC"; + String macNameAlt = cipherName + "GMAC"; + + // Check we have a GMAC registered for each name + checkMac(macName, missingMacs, missingKeyGens, macs[i]); + checkMac(macNameAlt, missingMacs, missingKeyGens, macs[i]); + } + } + if (missingMacs.size() != 0) + { + fail("Did not find GMAC registrations for the following ciphers: " + missingMacs); + } + if (missingKeyGens.size() != 0) + { + fail("Did not find GMAC KeyGenerator registrations for the following macs: " + missingKeyGens); + } + } + + private void checkMac(String name, List missingMacs, List missingKeyGens, String macOutput) + { + try + { + Mac mac = Mac.getInstance(name); + + mac.init(new SecretKeySpec(new byte[mac.getMacLength()], mac.getAlgorithm()), new IvParameterSpec( + new byte[16])); + mac.update(new byte[128]); + byte[] bytes = mac.doFinal(); + + if (!Arrays.areEqual(bytes, Hex.decode(macOutput))) + { + fail("wrong mac value computed for " + name); + } + + try + { + KeyGenerator kg = KeyGenerator.getInstance(name); + kg.generateKey(); + } + catch (NoSuchAlgorithmException e) + { + missingKeyGens.add(name); + } + } + catch (NoSuchAlgorithmException e) + { + missingMacs.add(name); + } + catch (TestFailedException e) + { + throw e; + } + catch (Exception e) + { + fail("Unexpected error", e); + } + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new GMacTest()); + } +}
\ No newline at end of file diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GOST28147Test.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GOST28147Test.java new file mode 100644 index 00000000..b7fecd09 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GOST28147Test.java @@ -0,0 +1,249 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.security.Key; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import javax.crypto.spec.IvParameterSpec; + +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * basic test class for the GOST28147 cipher + */ +public class GOST28147Test + extends SimpleTest +{ + static String[] cipherTests = + { + "256", + "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + "4e6f77206973207468652074696d6520666f7220616c6c20", + "281630d0d5770030068c252d841e84149ccc1912052dbc02", + + "256", + "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + "4e6f77206973207468652074696d65208a920c6ed1a804f5", + "88e543dfc04dc4f764fa7b624741cec07de49b007bf36065" + }; + + public String getName() + { + return "GOST28147"; + } + + public void testECB( + int strength, + byte[] keyBytes, + byte[] input, + byte[] output) + throws Exception + { + Key key; + Cipher in, out; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + key = new SecretKeySpec(keyBytes, "GOST28147"); + + in = Cipher.getInstance("GOST28147/ECB/NoPadding", "BC"); + out = Cipher.getInstance("GOST28147/ECB/NoPadding", "BC"); + out.init(Cipher.ENCRYPT_MODE, key); + in.init(Cipher.DECRYPT_MODE, key); + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!areEqual(bytes, output)) + { + fail("GOST28147 failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + + if (!areEqual(bytes, input)) + { + fail("GOST28147 failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + } + + public void testCFB( + int strength, + byte[] keyBytes, + byte[] input, + byte[] output) + throws Exception + { + Key key; + Cipher in, out; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + key = new SecretKeySpec(keyBytes, "GOST28147"); + + in = Cipher.getInstance("GOST28147/CFB8/NoPadding", "BC"); + out = Cipher.getInstance("GOST28147/CFB8/NoPadding", "BC"); + byte[] iv = {1,2,3,4,5,6,7,8}; + + out.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv)); + in.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv)); + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!areEqual(bytes, output)) + { + fail("GOST28147 failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + + if (!areEqual(bytes, input)) + { + fail("GOST28147 failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + } + + private void oidTest() + { + String[] oids = { + CryptoProObjectIdentifiers.gostR28147_cbc.getId(), + }; + + String[] names = { + "GOST28147/CBC/PKCS7Padding" + }; + + try + { + + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 }; + IvParameterSpec ivSpec = new IvParameterSpec(new byte[8]); + + for (int i = 0; i != oids.length; i++) + { + Cipher c1 = Cipher.getInstance(oids[i], "BC"); + Cipher c2 = Cipher.getInstance(names[i], "BC"); + KeyGenerator kg = KeyGenerator.getInstance(oids[i], "BC"); + + SecretKey k = kg.generateKey(); + + c1.init(Cipher.ENCRYPT_MODE, k, ivSpec); + c2.init(Cipher.DECRYPT_MODE, k, ivSpec); + + byte[] result = c2.doFinal(c1.doFinal(data)); + + if (!areEqual(data, result)) + { + fail("failed OID test"); + } + } + } + catch (Exception ex) + { + fail("failed exception " + ex.toString(), ex); + } + } + + public void performTest() + throws Exception + { + for (int i = 0; i != cipherTests.length; i += 8) + { + testECB(Integer.parseInt(cipherTests[i]), + Hex.decode(cipherTests[i + 1]), + Hex.decode(cipherTests[i + 2]), + Hex.decode(cipherTests[i + 3])); + + testCFB(Integer.parseInt(cipherTests[i + 4]), + Hex.decode(cipherTests[i + 4 + 1]), + Hex.decode(cipherTests[i + 4 + 2]), + Hex.decode(cipherTests[i + 4 + 3])); + + oidTest(); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new GOST28147Test()); + } + } diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GOST3410Test.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GOST3410Test.java new file mode 100644 index 00000000..472f2742 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/GOST3410Test.java @@ -0,0 +1,517 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.SignatureException; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.Date; + +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.interfaces.ECPrivateKey; +import org.bouncycastle.jce.interfaces.ECPublicKey; +import org.bouncycastle.jce.interfaces.GOST3410PrivateKey; +import org.bouncycastle.jce.interfaces.GOST3410PublicKey; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPrivateKeySpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.jce.spec.GOST3410ParameterSpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.math.ec.ECFieldElement; +import org.bouncycastle.math.ec.ECPoint; +import org.bouncycastle.util.BigIntegers; +import org.bouncycastle.util.test.FixedSecureRandom; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509V3CertificateGenerator; + +public class GOST3410Test + extends SimpleTest +{ + private void ecGOST3410Test() + throws Exception + { + + BigInteger r = new BigInteger("29700980915817952874371204983938256990422752107994319651632687982059210933395"); + BigInteger s = new BigInteger("46959264877825372965922731380059061821746083849389763294914877353246631700866"); + + byte[] kData = BigIntegers.asUnsignedByteArray(new BigInteger("53854137677348463731403841147996619241504003434302020712960838528893196233395")); + + SecureRandom k = new FixedSecureRandom(kData); + + BigInteger mod_p = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564821041"); //p + + ECCurve curve = new ECCurve.Fp( + mod_p, // p + new BigInteger("7"), // a + new BigInteger("43308876546767276905765904595650931995942111794451039583252968842033849580414")); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + new ECPoint.Fp(curve, + new ECFieldElement.Fp(mod_p,new BigInteger("2")), // x + new ECFieldElement.Fp(mod_p,new BigInteger("4018974056539037503335449422937059775635739389905545080690979365213431566280"))), // y + new BigInteger("57896044618658097711785492504343953927082934583725450622380973592137631069619")); // q + + ECPrivateKeySpec priKey = new ECPrivateKeySpec( + new BigInteger("55441196065363246126355624130324183196576709222340016572108097750006097525544"), // d + spec); + + ECPublicKeySpec pubKey = new ECPublicKeySpec( + new ECPoint.Fp(curve, + new ECFieldElement.Fp(mod_p, new BigInteger("57520216126176808443631405023338071176630104906313632182896741342206604859403")), // x + new ECFieldElement.Fp(mod_p, new BigInteger("17614944419213781543809391949654080031942662045363639260709847859438286763994"))), // y + spec); + + Signature sgr = Signature.getInstance("ECGOST3410", "BC"); + KeyFactory f = KeyFactory.getInstance("ECGOST3410", "BC"); + PrivateKey sKey = f.generatePrivate(priKey); + PublicKey vKey = f.generatePublic(pubKey); + + sgr.initSign(sKey, k); + + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail("ECGOST3410 verification failed"); + } + + BigInteger[] sig = decode(sigBytes); + + if (!r.equals(sig[0])) + { + fail( + ": r component wrong." + System.getProperty("line.separator") + + " expecting: " + r + System.getProperty("line.separator") + + " got : " + sig[0]); + } + + if (!s.equals(sig[1])) + { + fail( + ": s component wrong." + System.getProperty("line.separator") + + " expecting: " + s + System.getProperty("line.separator") + + " got : " + sig[1]); + } + } + + private void generationTest() + throws Exception + { + Signature s = Signature.getInstance("GOST3410", "BC"); + KeyPairGenerator g = KeyPairGenerator.getInstance("GOST3410", "BC"); + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + GOST3410ParameterSpec gost3410P = new GOST3410ParameterSpec(CryptoProObjectIdentifiers.gostR3410_94_CryptoPro_A.getId()); + + g.initialize(gost3410P, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + PrivateKey sKey = p.getPrivate(); + PublicKey vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("GOST3410", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("GOST3410 verification failed"); + } + + // + // default initialisation test + // + s = Signature.getInstance("GOST3410", "BC"); + g = KeyPairGenerator.getInstance("GOST3410", "BC"); + + p = g.generateKeyPair(); + + sKey = p.getPrivate(); + vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + sigBytes = s.sign(); + + s = Signature.getInstance("GOST3410", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("GOST3410 verification failed"); + } + + // + // encoded test + // + KeyFactory f = KeyFactory.getInstance("GOST3410", "BC"); + + X509EncodedKeySpec x509s = new X509EncodedKeySpec(vKey.getEncoded()); + GOST3410PublicKey k1 = (GOST3410PublicKey)f.generatePublic(x509s); + + if (!k1.getY().equals(((GOST3410PublicKey)vKey).getY())) + { + fail("public number not decoded properly"); + } + + if (!k1.getParameters().equals(((GOST3410PublicKey)vKey).getParameters())) + { + fail("public parameters not decoded properly"); + } + + PKCS8EncodedKeySpec pkcs8 = new PKCS8EncodedKeySpec(sKey.getEncoded()); + GOST3410PrivateKey k2 = (GOST3410PrivateKey)f.generatePrivate(pkcs8); + + if (!k2.getX().equals(((GOST3410PrivateKey)sKey).getX())) + { + fail("private number not decoded properly"); + } + + if (!k2.getParameters().equals(((GOST3410PrivateKey)sKey).getParameters())) + { + fail("private number not decoded properly"); + } + + k2 = (GOST3410PrivateKey)serializeDeserialize(sKey); + if (!k2.getX().equals(((GOST3410PrivateKey)sKey).getX())) + { + fail("private number not deserialised properly"); + } + + if (!k2.getParameters().equals(((GOST3410PrivateKey)sKey).getParameters())) + { + fail("private number not deserialised properly"); + } + + checkEquals(k2, sKey); + + if (!(k2 instanceof PKCS12BagAttributeCarrier)) + { + fail("private key not implementing PKCS12 attribute carrier"); + } + + k1 = (GOST3410PublicKey)serializeDeserialize(vKey); + + if (!k1.getY().equals(((GOST3410PublicKey)vKey).getY())) + { + fail("public number not deserialised properly"); + } + + if (!k1.getParameters().equals(((GOST3410PublicKey)vKey).getParameters())) + { + fail("public parameters not deserialised properly"); + } + + checkEquals(k1, vKey); + + // + // ECGOST3410 generation test + // + s = Signature.getInstance("ECGOST3410", "BC"); + g = KeyPairGenerator.getInstance("ECGOST3410", "BC"); + +// BigInteger mod_p = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564821041"); //p +// +// ECCurve curve = new ECCurve.Fp( +// mod_p, // p +// new BigInteger("7"), // a +// new BigInteger("43308876546767276905765904595650931995942111794451039583252968842033849580414")); // b +// +// ECParameterSpec ecSpec = new ECParameterSpec( +// curve, +// new ECPoint.Fp(curve, +// new ECFieldElement.Fp(mod_p,new BigInteger("2")), // x +// new ECFieldElement.Fp(mod_p,new BigInteger("4018974056539037503335449422937059775635739389905545080690979365213431566280"))), // y +// new BigInteger("57896044618658097711785492504343953927082934583725450622380973592137631069619")); // q + + g.initialize(new ECNamedCurveGenParameterSpec("GostR3410-2001-CryptoPro-A"), new SecureRandom()); + + p = g.generateKeyPair(); + + sKey = p.getPrivate(); + vKey = p.getPublic(); + + s.initSign(sKey); + + s.update(data); + + sigBytes = s.sign(); + + s = Signature.getInstance("ECGOST3410", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("ECGOST3410 verification failed"); + } + + // + // encoded test + // + f = KeyFactory.getInstance("ECGOST3410", "BC"); + + x509s = new X509EncodedKeySpec(vKey.getEncoded()); + ECPublicKey eck1 = (ECPublicKey)f.generatePublic(x509s); + + if (!eck1.getQ().equals(((ECPublicKey)vKey).getQ())) + { + fail("public number not decoded properly"); + } + + if (!eck1.getParameters().equals(((ECPublicKey)vKey).getParameters())) + { + fail("public parameters not decoded properly"); + } + + pkcs8 = new PKCS8EncodedKeySpec(sKey.getEncoded()); + ECPrivateKey eck2 = (ECPrivateKey)f.generatePrivate(pkcs8); + + if (!eck2.getD().equals(((ECPrivateKey)sKey).getD())) + { + fail("private number not decoded properly"); + } + + if (!eck2.getParameters().equals(((ECPrivateKey)sKey).getParameters())) + { + fail("private number not decoded properly"); + } + + eck2 = (ECPrivateKey)serializeDeserialize(sKey); + if (!eck2.getD().equals(((ECPrivateKey)sKey).getD())) + { + fail("private number not decoded properly"); + } + + if (!eck2.getParameters().equals(((ECPrivateKey)sKey).getParameters())) + { + fail("private number not decoded properly"); + } + + checkEquals(eck2, sKey); + + if (!(eck2 instanceof PKCS12BagAttributeCarrier)) + { + fail("private key not implementing PKCS12 attribute carrier"); + } + + eck1 = (ECPublicKey)serializeDeserialize(vKey); + + if (!eck1.getQ().equals(((ECPublicKey)vKey).getQ())) + { + fail("public number not decoded properly"); + } + + if (!eck1.getParameters().equals(((ECPublicKey)vKey).getParameters())) + { + fail("public parameters not decoded properly"); + } + + checkEquals(eck1, vKey); + } + + private void keyStoreTest(PrivateKey sKey, PublicKey vKey) + throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, UnrecoverableKeyException + { + // + // keystore test + // + KeyStore ks = KeyStore.getInstance("JKS"); + + ks.load(null, null); + + // + // create the certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal("CN=Test")); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal("CN=Test")); + certGen.setPublicKey(vKey); + certGen.setSignatureAlgorithm("GOST3411withGOST3410"); + + X509Certificate cert = certGen.generate(sKey, "BC"); + + ks.setKeyEntry("gost",sKey, "gost".toCharArray(), new Certificate[] { cert }); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + ks.store(bOut, "gost".toCharArray()); + + ks = KeyStore.getInstance("JKS"); + + ks.load(new ByteArrayInputStream(bOut.toByteArray()), "gost".toCharArray()); + + PrivateKey gKey = (PrivateKey)ks.getKey("gost", "gost".toCharArray()); + } + + private void checkEquals(Object o1, Object o2) + { + if (!o1.equals(o2)) + { + fail("comparison test failed"); + } + + if (o1.hashCode() != o2.hashCode()) + { + fail("hashCode test failed"); + } + } + + private void parametersTest() + throws Exception + { +// AlgorithmParameterGenerator a = AlgorithmParameterGenerator.getInstance("GOST3410", "BC"); +// a.init(512, random); +// AlgorithmParameters params = a.generateParameters(); +// +// byte[] encodeParams = params.getEncoded(); +// +// AlgorithmParameters a2 = AlgorithmParameters.getInstance("GOST3410", "BC"); +// a2.init(encodeParams); +// +// // a and a2 should be equivalent! +// byte[] encodeParams_2 = a2.getEncoded(); +// +// if (!arrayEquals(encodeParams, encodeParams_2)) +// { +// fail("encode/decode parameters failed"); +// } + + GOST3410ParameterSpec gost3410P = new GOST3410ParameterSpec(CryptoProObjectIdentifiers.gostR3410_94_CryptoPro_B.getId()); + + KeyPairGenerator g = KeyPairGenerator.getInstance("GOST3410", "BC"); + g.initialize(gost3410P, new SecureRandom()); + KeyPair p = g.generateKeyPair(); + + PrivateKey sKey = p.getPrivate(); + PublicKey vKey = p.getPublic(); + + Signature s = Signature.getInstance("GOST3410", "BC"); + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("GOST3410", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("GOST3410 verification failed"); + } + + keyStoreTest(sKey, vKey); + } + + private BigInteger[] decode( + byte[] encoding) + { + byte[] r = new byte[32]; + byte[] s = new byte[32]; + + System.arraycopy(encoding, 0, s, 0, 32); + + System.arraycopy(encoding, 32, r, 0, 32); + + BigInteger[] sig = new BigInteger[2]; + + sig[0] = new BigInteger(1, r); + sig[1] = new BigInteger(1, s); + + return sig; + } + + private Object serializeDeserialize(Object o) + throws Exception + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(o); + oOut.close(); + + ObjectInputStream oIn = new ObjectInputStream(new ByteArrayInputStream(bOut.toByteArray())); + + return oIn.readObject(); + } + + public String getName() + { + return "GOST3410/ECGOST3410"; + } + + public void performTest() + throws Exception + { + ecGOST3410Test(); + generationTest(); + parametersTest(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new GOST3410Test()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/HMacTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/HMacTest.java new file mode 100644 index 00000000..080df072 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/HMacTest.java @@ -0,0 +1,187 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.Security; + +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.RC5ParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.asn1.iana.IANAObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; + +/** + * HMAC tester + */ +public class HMacTest + extends SimpleTest +{ + static byte[] keyBytes = Hex.decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"); + static byte[] message = "Hi There".getBytes(); + static byte[] output1 = Hex.decode("b617318655057264e28bc0b6fb378c8ef146be00"); + static byte[] outputMD5 = Hex.decode("5ccec34ea9656392457fa1ac27f08fbc"); + static byte[] outputMD2 = Hex.decode("dc1923ef5f161d35bef839ca8c807808"); + static byte[] outputMD4 = Hex.decode("5570ce964ba8c11756cdc3970278ff5a"); + static byte[] output224 = Hex.decode("896fb1128abbdf196832107cd49df33f47b4b1169912ba4f53684b22"); + static byte[] output256 = Hex.decode("b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"); + static byte[] output384 = Hex.decode("afd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6"); + static byte[] output512 = Hex.decode("87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854"); + static byte[] output512_224 = Hex.decode("b244ba01307c0e7a8ccaad13b1067a4cf6b961fe0c6a20bda3d92039"); + static byte[] output512_256 = Hex.decode("9f9126c3d9c3c330d760425ca8a217e31feae31bfe70196ff81642b868402eab"); + static byte[] outputRipeMD128 = Hex.decode("fda5717fb7e20cf05d30bb286a44b05d"); + static byte[] outputRipeMD160 = Hex.decode("24cb4bd67d20fc1a5d2ed7732dcc39377f0a5668"); + static byte[] outputTiger = Hex.decode("1d7a658c75f8f004916e7b07e2a2e10aec7de2ae124d3647"); + static byte[] outputOld384 = Hex.decode("0a046aaa0255e432912228f8ccda437c8a8363fb160afb0570ab5b1fd5ddc20eb1888b9ed4e5b6cb5bc034cd9ef70e40"); + static byte[] outputOld512 = Hex.decode("9656975ee5de55e75f2976ecce9a04501060b9dc22a6eda2eaef638966280182477fe09f080b2bf564649cad42af8607a2bd8d02979df3a980f15e2326a0a22a"); + + public HMacTest() + { + } + + public void testHMac( + String hmacName, + byte[] output) + throws Exception + { + SecretKey key = new SecretKeySpec(keyBytes, hmacName); + byte[] out; + Mac mac; + + mac = Mac.getInstance(hmacName, "BC"); + + mac.init(key); + + mac.reset(); + + mac.update(message, 0, message.length); + + out = mac.doFinal(); + + if (!areEqual(out, output)) + { + fail("Failed - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(out))); + } + + // no key generator for the old algorithms + if (hmacName.startsWith("Old")) + { + return; + } + + KeyGenerator kGen = KeyGenerator.getInstance(hmacName, "BC"); + + mac.init(kGen.generateKey()); + + mac.update(message); + + out = mac.doFinal(); + } + + private void testExceptions() + throws Exception + { + Mac mac = null; + + mac = Mac.getInstance("HmacSHA1", "BC"); + + byte [] b = {(byte)1, (byte)2, (byte)3, (byte)4, (byte)5}; + SecretKeySpec sks = new SecretKeySpec(b, "HmacSHA1"); + RC5ParameterSpec algPS = new RC5ParameterSpec(100, 100, 100); + + try + { + mac.init(sks, algPS); + } + catch (InvalidAlgorithmParameterException e) + { + // ignore okay + } + + try + { + mac.init(null, null); + } + catch (InvalidKeyException e) + { + // ignore okay + } + catch (InvalidAlgorithmParameterException e) + { + // ignore okay + } + + try + { + mac.init(null); + } + catch (InvalidKeyException e) + { + // ignore okay + } + } + + public void performTest() + throws Exception + { + testHMac("HMac-SHA1", output1); + testHMac("HMac-MD5", outputMD5); + testHMac("HMac-MD4", outputMD4); + testHMac("HMac-MD2", outputMD2); + testHMac("HMac-SHA224", output224); + testHMac("HMac-SHA256", output256); + testHMac("HMac-SHA384", output384); + testHMac("HMac-SHA512", output512); + testHMac("HMac-SHA512/224", output512_224); + testHMac("HMac-SHA512/256", output512_256); + testHMac("HMac-RIPEMD128", outputRipeMD128); + testHMac("HMac-RIPEMD160", outputRipeMD160); + testHMac("HMac-TIGER", outputTiger); + + testHMac("HMac/SHA1", output1); + testHMac("HMac/MD5", outputMD5); + testHMac("HMac/MD4", outputMD4); + testHMac("HMac/MD2", outputMD2); + testHMac("HMac/SHA224", output224); + testHMac("HMac/SHA256", output256); + testHMac("HMac/SHA384", output384); + testHMac("HMac/SHA512", output512); + testHMac("HMac/RIPEMD128", outputRipeMD128); + testHMac("HMac/RIPEMD160", outputRipeMD160); + testHMac("HMac/TIGER", outputTiger); + + testHMac(PKCSObjectIdentifiers.id_hmacWithSHA1.getId(), output1); + testHMac(PKCSObjectIdentifiers.id_hmacWithSHA224.getId(), output224); + testHMac(PKCSObjectIdentifiers.id_hmacWithSHA256.getId(), output256); + testHMac(PKCSObjectIdentifiers.id_hmacWithSHA384.getId(), output384); + testHMac(PKCSObjectIdentifiers.id_hmacWithSHA512.getId(), output512); + testHMac(IANAObjectIdentifiers.hmacSHA1.getId(), output1); + testHMac(IANAObjectIdentifiers.hmacMD5.getId(), outputMD5); + testHMac(IANAObjectIdentifiers.hmacRIPEMD160.getId(), outputRipeMD160); + testHMac(IANAObjectIdentifiers.hmacTIGER.getId(), outputTiger); + + // test for compatibility with broken HMac. + testHMac("OldHMacSHA384", outputOld384); + testHMac("OldHMacSHA512", outputOld512); + + testExceptions(); + } + + public String getName() + { + return "HMac"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new HMacTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/IESTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/IESTest.java new file mode 100644 index 00000000..8dc1c0b5 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/IESTest.java @@ -0,0 +1,244 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.AlgorithmParameters; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.spec.DHParameterSpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.IEKeySpec; +import org.bouncycastle.jce.spec.IESParameterSpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * test for ECIES - Elliptic Curve Integrated Encryption Scheme + */ +public class IESTest + extends SimpleTest +{ + private BigInteger g512 = new BigInteger("153d5d6172adb43045b68ae8e1de1070b6137005686d29d3d73a7749199681ee5b212c9b96bfdcfa5b20cd5e3fd2044895d609cf9b410b7a0f12ca1cb9a428cc", 16); + private BigInteger p512 = new BigInteger("9494fec095f3b85ee286542b3836fc81a5dd0a0349b4c239dd38744d488cf8e31db8bcb7d33b41abb9e5a33cca9144b1cef332c94bf0573bf047a3aca98cdf3b", 16); + + IESTest() + { + } + + public String getName() + { + return "IES"; + } + + public void performTest() + throws Exception + { + KeyPairGenerator g = KeyPairGenerator.getInstance("ECIES", "BC"); + + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + g.initialize(ecSpec, new SecureRandom()); + + Cipher c1 = Cipher.getInstance("ECIES", "BC"); + Cipher c2 = Cipher.getInstance("ECIES", "BC"); + + doTest(g, c1, c2); + + g = KeyPairGenerator.getInstance("ECIES", "BC"); + + g.initialize(192, new SecureRandom()); + + doTest(g, c1, c2); + + g = KeyPairGenerator.getInstance("ECIES", "BC"); + + g.initialize(239, new SecureRandom()); + + doTest(g, c1, c2); + + g = KeyPairGenerator.getInstance("ECIES", "BC"); + + g.initialize(256, new SecureRandom()); + + doTest(g, c1, c2); + + doDefTest(g, c1, c2); + + DHParameterSpec dhParams = new DHParameterSpec(p512, g512); + + c1 = Cipher.getInstance("IES", "BC"); + c2 = Cipher.getInstance("IES", "BC"); + + g = KeyPairGenerator.getInstance("DH", "BC"); + + g.initialize(dhParams); + + doTest(g, c1, c2); + + doDefTest(g, c1, c2); + } + + public void doTest( + KeyPairGenerator g, + Cipher c1, + Cipher c2) + throws Exception + { + // + // a side + // + KeyPair aKeyPair = g.generateKeyPair(); + PublicKey aPub = aKeyPair.getPublic(); + PrivateKey aPriv = aKeyPair.getPrivate(); + + // + // b side + // + KeyPair bKeyPair = g.generateKeyPair(); + PublicKey bPub = bKeyPair.getPublic(); + PrivateKey bPriv = bKeyPair.getPrivate(); + + // + // stream test + // + + IEKeySpec c1Key = new IEKeySpec(aPriv, bPub); + IEKeySpec c2Key = new IEKeySpec(bPriv, aPub); + + byte[] d = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 }; + byte[] e = new byte[] { 8, 7, 6, 5, 4, 3, 2, 1 }; + + IESParameterSpec param = new IESParameterSpec(d, e, 128); + + c1.init(Cipher.ENCRYPT_MODE, c1Key, param); + + c2.init(Cipher.DECRYPT_MODE, c2Key, param); + + byte[] message = Hex.decode("1234567890abcdef"); + + byte[] out1 = c1.doFinal(message, 0, message.length); + + byte[] out2 = c2.doFinal(out1, 0, out1.length); + + if (!areEqual(out2, message)) + { + fail("stream cipher test failed"); + } + } + + public void doDefTest( + KeyPairGenerator g, + Cipher c1, + Cipher c2) + throws Exception + { + // + // a side + // + KeyPair aKeyPair = g.generateKeyPair(); + PublicKey aPub = aKeyPair.getPublic(); + PrivateKey aPriv = aKeyPair.getPrivate(); + + // + // b side + // + KeyPair bKeyPair = g.generateKeyPair(); + PublicKey bPub = bKeyPair.getPublic(); + PrivateKey bPriv = bKeyPair.getPrivate(); + + // + // stream test + // + IEKeySpec c1Key = new IEKeySpec(aPriv, bPub); + IEKeySpec c2Key = new IEKeySpec(bPriv, aPub); + + c1.init(Cipher.ENCRYPT_MODE, c1Key); + + AlgorithmParameters param = c1.getParameters(); + + c2.init(Cipher.DECRYPT_MODE, c2Key, param); + + byte[] message = Hex.decode("1234567890abcdef"); + + byte[] out1 = c1.doFinal(message, 0, message.length); + + byte[] out2 = c2.doFinal(out1, 0, out1.length); + + if (!areEqual(out2, message)) + { + fail("stream cipher test failed"); + } + + // + // int doFinal + // + int len1 = c1.doFinal(message, 0, message.length, out1, 0); + + if (len1 != out1.length) + { + fail("encryption length wrong"); + } + + int len2 = c2.doFinal(out1, 0, out1.length, out2, 0); + + if (len2 != out2.length) + { + fail("decryption length wrong"); + } + + if (!areEqual(out2, message)) + { + fail("stream cipher test failed"); + } + + // + // int doFinal with update + // + len1 = c1.update(message, 0, 2, out1, 0); + + len1 += c1.doFinal(message, 2, message.length - 2, out1, len1); + + if (len1 != out1.length) + { + fail("update encryption length wrong"); + } + + len2 = c2.update(out1, 0, 2, out2, 0); + + len2 += c2.doFinal(out1, 2, out1.length - 2, out2, len2); + + if (len2 != out2.length) + { + fail("update decryption length wrong"); + } + + if (!areEqual(out2, message)) + { + fail("update stream cipher test failed"); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new IESTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ImplicitlyCaTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ImplicitlyCaTest.java new file mode 100644 index 00000000..103a3e3b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/ImplicitlyCaTest.java @@ -0,0 +1,342 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.interfaces.ECKey; +import java.security.spec.ECFieldFp; +import java.security.spec.EllipticCurve; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.jcajce.provider.config.ConfigurableProvider; +import org.bouncycastle.jce.ECPointUtil; +import org.bouncycastle.jce.interfaces.ECPrivateKey; +import org.bouncycastle.jce.interfaces.ECPublicKey; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPrivateKeySpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.FixedSecureRandom; +import org.bouncycastle.util.test.SimpleTest; + +public class ImplicitlyCaTest + extends SimpleTest +{ + byte[] k1 = Hex.decode("d5014e4b60ef2ba8b6211b4062ba3224e0427dd3"); + byte[] k2 = Hex.decode("345e8d05c075c3a508df729a1685690e68fcfb8c8117847e89063bca1f85d968fd281540b6e13bd1af989a1fbf17e06462bf511f9d0b140fb48ac1b1baa5bded"); + + SecureRandom random = new FixedSecureRandom(new byte[][] { k1, k2 }); + + public void performTest() + throws Exception + { + testBCAPI(); + + testJDKAPI(); + + testKeyFactory(); + + testBasicThreadLocal(); + } + + private void testBCAPI() + throws Exception + { + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + ConfigurableProvider config = (ConfigurableProvider)Security.getProvider("BC"); + + config.setParameter(ConfigurableProvider.EC_IMPLICITLY_CA, ecSpec); + + g.initialize(null, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + ECPrivateKey sKey = (ECPrivateKey)p.getPrivate(); + ECPublicKey vKey = (ECPublicKey)p.getPublic(); + + testECDSA(sKey, vKey); + + testBCParamsAndQ(sKey, vKey); + testEC5Params(sKey, vKey); + + testEncoding(sKey, vKey); + } + + private void testKeyFactory() + throws Exception + { + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + ConfigurableProvider config = (ConfigurableProvider)Security.getProvider("BC"); + + config.setParameter(ConfigurableProvider.EC_IMPLICITLY_CA, ecSpec); + + g.initialize(null, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + ECPrivateKey sKey = (ECPrivateKey)p.getPrivate(); + ECPublicKey vKey = (ECPublicKey)p.getPublic(); + + KeyFactory fact = KeyFactory.getInstance("ECDSA", "BC"); + + vKey = (ECPublicKey)fact.generatePublic(new ECPublicKeySpec(vKey.getQ(), null)); + sKey = (ECPrivateKey)fact.generatePrivate(new ECPrivateKeySpec(sKey.getD(), null)); + + testECDSA(sKey, vKey); + + testBCParamsAndQ(sKey, vKey); + testEC5Params(sKey, vKey); + + testEncoding(sKey, vKey); + + ECPublicKey vKey2 = (ECPublicKey)fact.generatePublic(new ECPublicKeySpec(vKey.getQ(), ecSpec)); + ECPrivateKey sKey2 = (ECPrivateKey)fact.generatePrivate(new ECPrivateKeySpec(sKey.getD(), ecSpec)); + + if (!vKey.equals(vKey2) || vKey.hashCode() != vKey2.hashCode()) + { + fail("private equals/hashCode failed"); + } + + if (!sKey.equals(sKey2) || sKey.hashCode() != sKey2.hashCode()) + { + fail("private equals/hashCode failed"); + } + + // check we can get specs. + fact.getKeySpec(vKey, java.security.spec.ECPublicKeySpec.class); + + fact.getKeySpec(sKey, java.security.spec.ECPrivateKeySpec.class); + } + + private void testJDKAPI() + throws Exception + { + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + EllipticCurve curve = new EllipticCurve( + new ECFieldFp(new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839")), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + java.security.spec.ECParameterSpec ecSpec = new java.security.spec.ECParameterSpec( + curve, + ECPointUtil.decodePoint(curve, Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307"), // n + 1); // h + + + ConfigurableProvider config = (ConfigurableProvider)Security.getProvider("BC"); + + config.setParameter(ConfigurableProvider.EC_IMPLICITLY_CA, ecSpec); + + g.initialize(null, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + ECPrivateKey sKey = (ECPrivateKey)p.getPrivate(); + ECPublicKey vKey = (ECPublicKey)p.getPublic(); + + testECDSA(sKey, vKey); + + testBCParamsAndQ(sKey, vKey); + testEC5Params(sKey, vKey); + + testEncoding(sKey, vKey); + } + + private void testBasicThreadLocal() + throws Exception + { + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + EllipticCurve curve = new EllipticCurve( + new ECFieldFp(new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839")), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + java.security.spec.ECParameterSpec ecSpec = new java.security.spec.ECParameterSpec( + curve, + ECPointUtil.decodePoint(curve, Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307"), // n + 1); // h + + + ConfigurableProvider config = (ConfigurableProvider)Security.getProvider("BC"); + + config.setParameter(ConfigurableProvider.THREAD_LOCAL_EC_IMPLICITLY_CA, ecSpec); + + g.initialize(null, new SecureRandom()); + + KeyPair p = g.generateKeyPair(); + + ECPrivateKey sKey = (ECPrivateKey)p.getPrivate(); + ECPublicKey vKey = (ECPublicKey)p.getPublic(); + + testECDSA(sKey, vKey); + + testBCParamsAndQ(sKey, vKey); + testEC5Params(sKey, vKey); + + testEncoding(sKey, vKey); + } + + private void testECDSA( + ECPrivateKey sKey, + ECPublicKey vKey) + throws Exception + { + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + Signature s = Signature.getInstance("ECDSA", "BC"); + + s.initSign(sKey); + + s.update(data); + + byte[] sigBytes = s.sign(); + + s = Signature.getInstance("ECDSA", "BC"); + + s.initVerify(vKey); + + s.update(data); + + if (!s.verify(sigBytes)) + { + fail("ECDSA verification failed"); + } + } + + private void testEncoding( + ECPrivateKey privKey, + ECPublicKey pubKey) + throws Exception + { + KeyFactory kFact = KeyFactory.getInstance("ECDSA", "BC"); + + byte[] bytes = privKey.getEncoded(); + + PrivateKeyInfo sInfo = PrivateKeyInfo.getInstance(new ASN1InputStream(bytes).readObject()); + + if (!sInfo.getPrivateKeyAlgorithm().getParameters().equals(DERNull.INSTANCE)) + { + fail("private key parameters wrong"); + } + + ECPrivateKey sKey = (ECPrivateKey)kFact.generatePrivate(new PKCS8EncodedKeySpec(bytes)); + + if (!sKey.equals(privKey)) + { + fail("private equals failed"); + } + + if (sKey.hashCode() != privKey.hashCode()) + { + fail("private hashCode failed"); + } + + bytes = pubKey.getEncoded(); + + SubjectPublicKeyInfo vInfo = SubjectPublicKeyInfo.getInstance(new ASN1InputStream(bytes).readObject()); + + if (!vInfo.getAlgorithm().getParameters().equals(DERNull.INSTANCE)) + { + fail("public key parameters wrong"); + } + + ECPublicKey vKey = (ECPublicKey)kFact.generatePublic(new X509EncodedKeySpec(bytes)); + + if (!vKey.equals(pubKey) || vKey.hashCode() != pubKey.hashCode()) + { + fail("public equals/hashCode failed"); + } + + testBCParamsAndQ(sKey, vKey); + testEC5Params(sKey, vKey); + + testECDSA(sKey, vKey); + } + + private void testBCParamsAndQ( + ECPrivateKey sKey, + ECPublicKey vKey) + { + if (sKey.getParameters() != null) + { + fail("parameters exposed in private key"); + } + + if (vKey.getParameters() != null) + { + fail("parameters exposed in public key"); + } + + if (vKey.getQ().getCurve() != null) + { + fail("curve exposed in public point"); + } + } + + private void testEC5Params( + ECPrivateKey sKey, + ECPublicKey vKey) + { + java.security.interfaces.ECKey k = (java.security.interfaces.ECKey)sKey; + + if (k.getParams() != null) + { + fail("parameters exposed in private key"); + } + + k = (ECKey)vKey; + if (k.getParams() != null) + { + fail("parameters exposed in public key"); + } + } + + public String getName() + { + return "ImplicitlyCA"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new ImplicitlyCaTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/JceTestUtil.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/JceTestUtil.java new file mode 100644 index 00000000..9c0805a8 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/JceTestUtil.java @@ -0,0 +1,49 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Security; +import java.util.ArrayList; +import java.util.Enumeration; +import java.util.List; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; + +abstract class JceTestUtil +{ + private JceTestUtil() + { + } + + static String[] getRegisteredAlgorithms(String prefix, String[] exclusionPatterns) + { + final BouncyCastleProvider prov = (BouncyCastleProvider)Security.getProvider("BC"); + + List matches = new ArrayList(); + Enumeration algos = prov.keys(); + while (algos.hasMoreElements()) + { + String algo = (String)algos.nextElement(); + if (!algo.startsWith(prefix)) + { + continue; + } + String algoName = algo.substring(prefix.length()); + if (!isExcluded(algoName, exclusionPatterns)) + { + matches.add(algoName); + } + } + return (String[])matches.toArray(new String[matches.size()]); + } + + private static boolean isExcluded(String algoName, String[] exclusionPatterns) + { + for (int i = 0; i < exclusionPatterns.length; i++) + { + if (algoName.contains(exclusionPatterns[i])) + { + return true; + } + } + return false; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/KeyStoreTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/KeyStoreTest.java new file mode 100644 index 00000000..4dc62479 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/KeyStoreTest.java @@ -0,0 +1,424 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.Key; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.cert.Certificate; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.security.interfaces.RSAPrivateKey; +import java.security.interfaces.RSAPublicKey; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.Date; +import java.util.Hashtable; +import java.util.Vector; + +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509V3CertificateGenerator; + +/** + * Exercise the various key stores, making sure we at least get back what we put in! + * <p> + * This tests both the BKS, and the UBER key store. + */ +public class KeyStoreTest + extends SimpleTest +{ + static char[] passwd = { 'h', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd' }; + + byte[] v1BKS = Base64.decode( + "AAAAAQAAABTqZbNMyPjsFazhFplWWDMBLPRdRAAABcYEAAdhbmRyb2lkAAAB" + + "NOifkPwAAAAAAAAAPAAAABTZOLhcyhB0gKyfoDvyQbpzftB7GgAABEYPrZP8" + + "q20AJLETjDv0K9C5rIl1erpyvpv20bqcbghK6wD0b8OP5/XzOz/8knhxmqJZ" + + "3yRJMw=="); + byte[] v2BKS = Base64.decode( + "AAAAAgAAABSkmTXz4VIznO1SSUqsIHdxWcxsuQAABFMEAAdhbmRyb2lkAAABN" + + "OifkPwAAAAAAAAAPAAAABTZOLhcyhB0gKyfoDvyQbpzftB7GgAABEYPrZP8q2" + + "0AJLETjDv0K9C5rIl1erpyvpv20bqcbghK6wBO59KOGPvSrmJpd32P6ZAh9qLZJw=="); + + byte[] v1UBER = Base64.decode( + "AAAAAQAAABRP0F6p2p3FyQKqyJiJt3NbvdybiwAAB2znqrO779YIW5gMtbt+" + + "NUs96VPPcfZiKJPg7RKH7Yu3CQB0/g9nYsvgFB0fQ05mHcW3KjntN2/31A6G" + + "i00n4ZnUTjJL16puZnQrloeGXxFy58tjwkFuwJ7V7ELYgiZlls0beHSdDGQW" + + "iyYECwWs1la/"); + byte[] v2UBER = Base64.decode( + "AAAAAgAAABQ/D9k3376OG/REg4Ams9Up332tLQAABujoVcsRcKWwhlo4mMg5" + + "lF2vJfK+okIYecJGWCvdykF5r8kDn68llt52IDXDkpRXVXcNJ0/aD7sa7iZ0" + + "SL0TAwcfp/9v4j/w8slj/qgO0i/76+zROrP0NGFIa5k/iOg5Z0Tj77muMaJf" + + "n3vLlIHa4IsX"); + + byte[] negSaltBKS = Base64.decode( + "AAAAAv////+WnyglO06djy6JgCxGiIemnZdcOwAAB2AEAAdhbmRyb2lkAAAB" + + "NOifkPwAAAAAAAAAPAAAABTZOLhcyhB0gKyfoDvyQbpzftB7GgAABEYPrZP8" + + "q20AJLETjDv0K9C5rIl1erpyvpv20bqcbghK6wDrg6gUHsh27wNjUwkR+REe" + + "NeFYBg=="); + + char[] oldStorePass = "fredfred".toCharArray(); + + public void ecStoreTest( + String storeName) + throws Exception + { + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + g.initialize(ecSpec, new SecureRandom()); + + KeyPair keyPair = g.generateKeyPair(); + + PublicKey pubKey = keyPair.getPublic(); + PrivateKey privKey = keyPair.getPrivate(); + + // + // distinguished name table. + // + Hashtable attrs = new Hashtable(); + Vector order = new Vector(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.L, "Melbourne"); + attrs.put(X509Principal.ST, "Victoria"); + attrs.put(X509Principal.E, "feedback-crypto@bouncycastle.org"); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.L); + order.addElement(X509Principal.ST); + order.addElement(X509Principal.E); + + // + // create the certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(order, attrs)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(order, attrs)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("ECDSAwithSHA1"); + + Certificate[] chain = new Certificate[1]; + + try + { + X509Certificate cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + + chain[0] = cert; + } + catch (Exception e) + { + fail("error generating cert - " + e.toString()); + } + + KeyStore store = KeyStore.getInstance(storeName, "BC"); + + store.load(null, null); + + store.setKeyEntry("private", privKey, passwd, chain); + + // + // write out and read back store + // + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + store.store(bOut, passwd); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + + // + // start with a new key store + // + store = KeyStore.getInstance(storeName, "BC"); + + store.load(bIn, passwd); + + // + // load the private key + // + privKey = (PrivateKey)store.getKey("private", passwd); + + // + // double public key encoding test + // + byte[] pubEnc = pubKey.getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance(pubKey.getAlgorithm(), "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + + pubKey = (PublicKey)keyFac.generatePublic(pubX509); + + pubEnc = pubKey.getEncoded(); + keyFac = KeyFactory.getInstance(pubKey.getAlgorithm(), "BC"); + pubX509 = new X509EncodedKeySpec(pubEnc); + + pubKey = (PublicKey)keyFac.generatePublic(pubX509); + + // + // double private key encoding test + // + byte[] privEnc = privKey.getEncoded(); + + keyFac = KeyFactory.getInstance(privKey.getAlgorithm(), "BC"); + + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + privKey = (PrivateKey)keyFac.generatePrivate(privPKCS8); + + keyFac = KeyFactory.getInstance(privKey.getAlgorithm(), "BC"); + privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + privKey = (PrivateKey)keyFac.generatePrivate(privPKCS8); + } + + public void keyStoreTest( + String storeName) + throws Exception + { + KeyStore store = KeyStore.getInstance(storeName, "BC"); + + store.load(null, null); + + KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "BC"); + + gen.initialize(1024, new SecureRandom()); + + KeyPair pair = gen.generateKeyPair(); + RSAPrivateKey privKey = (RSAPrivateKey)pair.getPrivate(); + RSAPublicKey pubKey = (RSAPublicKey)pair.getPublic(); + BigInteger modulus = privKey.getModulus(); + BigInteger privateExponent = privKey.getPrivateExponent(); + + + // + // distinguished name table. + // + Hashtable attrs = new Hashtable(); + Vector order = new Vector(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.L, "Melbourne"); + attrs.put(X509Principal.ST, "Victoria"); + attrs.put(X509Principal.EmailAddress, "feedback-crypto@bouncycastle.org"); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.L); + order.addElement(X509Principal.ST); + order.addElement(X509Principal.EmailAddress); + + // + // extensions + // + + // + // create the certificate. + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(order, attrs)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal(order, attrs)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("MD5WithRSAEncryption"); + + Certificate[] chain = new Certificate[1]; + + try + { + X509Certificate cert = certGen.generate(privKey); + + cert.checkValidity(new Date()); + + cert.verify(pubKey); + + ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded()); + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(bIn); + + chain[0] = cert; + } + catch (Exception e) + { + fail("error generating cert - " + e.toString()); + } + + store.setKeyEntry("private", privKey, passwd, chain); + + // + // write out and read back store + // + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + store.store(bOut, passwd); + + ByteArrayInputStream bIn = new ByteArrayInputStream(bOut.toByteArray()); + + // + // start with a new key store + // + store = KeyStore.getInstance(storeName, "BC"); + + store.load(bIn, passwd); + + // + // verify public key + // + privKey = (RSAPrivateKey)store.getKey("private", passwd); + + if (!privKey.getModulus().equals(modulus)) + { + fail("private key modulus wrong"); + } + else if (!privKey.getPrivateExponent().equals(privateExponent)) + { + fail("private key exponent wrong"); + } + + // + // verify certificate + // + Certificate cert = store.getCertificateChain("private")[0]; + + cert.verify(pubKey); + } + + private void oldStoreTest() + throws Exception + { + checkStore(KeyStore.getInstance("BKS", "BC"), v1BKS); + checkStore(KeyStore.getInstance("BKS", "BC"), v2BKS); + checkStore(KeyStore.getInstance("UBER", "BC"), v1UBER); + checkStore(KeyStore.getInstance("UBER", "BC"), v2UBER); + + checkOldStore(KeyStore.getInstance("BKS-V1", "BC"), v1BKS); + checkOldStore(KeyStore.getInstance("BKS-V1", "BC"), v2BKS); + } + + private void checkStore(KeyStore ks, byte[] data) + throws Exception + { + ks.load(new ByteArrayInputStream(data), oldStorePass); + + if (!ks.containsAlias("android")) + { + fail("cannot find alias"); + } + + Key key = ks.getKey("android", oldStorePass); + if (key == null) + { + fail("cannot find key"); + } + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + ks.store(bOut, oldStorePass); + } + + private void checkOldStore(KeyStore ks, byte[] data) + throws Exception + { + ks.load(new ByteArrayInputStream(data), oldStorePass); + + if (!ks.containsAlias("android")) + { + fail("cannot find alias"); + } + + Key key = ks.getKey("android", oldStorePass); + if (key == null) + { + fail("cannot find key"); + } + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + ks.store(bOut, oldStorePass); + + if (data.length != bOut.toByteArray().length) + { + fail("Old version key store write incorrect"); + } + } + + private void checkException() + throws Exception + { + KeyStore ks = KeyStore.getInstance("BKS", "BC"); + + try + { + ks.load(new ByteArrayInputStream(negSaltBKS), oldStorePass); + } + catch (IOException e) + { + if (!e.getMessage().equals("Invalid salt detected")) + { + fail("negative salt length not detected"); + } + } + } + + public String getName() + { + return "KeyStore"; + } + + public void performTest() + throws Exception + { + keyStoreTest("BKS"); + keyStoreTest("UBER"); + keyStoreTest("BKS-V1"); + ecStoreTest("BKS"); + oldStoreTest(); + checkException(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new KeyStoreTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MQVTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MQVTest.java new file mode 100644 index 00000000..3b0b8a2f --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MQVTest.java @@ -0,0 +1,93 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.SecureRandom; +import java.security.Security; +import java.security.spec.ECFieldFp; +import java.security.spec.ECParameterSpec; +import java.security.spec.EllipticCurve; + +import javax.crypto.KeyAgreement; + +import org.bouncycastle.jce.ECPointUtil; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.MQVPrivateKeySpec; +import org.bouncycastle.jce.spec.MQVPublicKeySpec; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class MQVTest + extends SimpleTest +{ + public String getName() + { + return "MQV"; + } + + public void performTest() + throws Exception + { + testECMQV(); + } + + private void testECMQV() + throws Exception + { + KeyPairGenerator g = KeyPairGenerator.getInstance("ECMQV", "BC"); + + EllipticCurve curve = new EllipticCurve( + new ECFieldFp(new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839")), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + ECPointUtil.decodePoint(curve, Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307"), // n + 1); // h + + g.initialize(ecSpec, new SecureRandom()); + + // + // U side + // + KeyPair U1 = g.generateKeyPair(); + KeyPair U2 = g.generateKeyPair(); + + KeyAgreement uAgree = KeyAgreement.getInstance("ECMQV", "BC"); + uAgree.init(new MQVPrivateKeySpec(U1.getPrivate(), U2.getPrivate(), U2.getPublic())); + + // + // V side + // + KeyPair V1 = g.generateKeyPair(); + KeyPair V2 = g.generateKeyPair(); + + KeyAgreement vAgree = KeyAgreement.getInstance("ECMQV", "BC"); + vAgree.init(new MQVPrivateKeySpec(V1.getPrivate(), V2.getPrivate(), V2.getPublic())); + + // + // agreement + // + uAgree.doPhase(new MQVPublicKeySpec(V1.getPublic(), V2.getPublic()), true); + vAgree.doPhase(new MQVPublicKeySpec(U1.getPublic(), U2.getPublic()), true); + + BigInteger ux = new BigInteger(uAgree.generateSecret()); + BigInteger vx = new BigInteger(vAgree.generateSecret()); + + if (!ux.equals(vx)) + { + fail("Agreement failed"); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new MQVTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MacTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MacTest.java new file mode 100644 index 00000000..d011eb71 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MacTest.java @@ -0,0 +1,186 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Security; + +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * MAC tester - vectors from + * <a href=http://www.itl.nist.gov/fipspubs/fip81.htm>FIP 81</a> and + * <a href=http://www.itl.nist.gov/fipspubs/fip113.htm>FIP 113</a>. + */ +public class MacTest + extends SimpleTest +{ + static byte[] keyBytes = Hex.decode("0123456789abcdef"); + static byte[] ivBytes = Hex.decode("1234567890abcdef"); + + static byte[] input = Hex.decode("37363534333231204e6f77206973207468652074696d6520666f7220"); + + static byte[] output1 = Hex.decode("f1d30f68"); + static byte[] output2 = Hex.decode("58d2e77e"); + static byte[] output3 = Hex.decode("cd647403"); + + static byte[] keyBytesISO9797 = Hex.decode("7CA110454A1A6E570131D9619DC1376E"); + + static byte[] inputISO9797 = "Hello World !!!!".getBytes(); + + static byte[] outputISO9797 = Hex.decode("F09B856213BAB83B"); + + static byte[] inputDesEDE64 = "Hello World !!!!".getBytes(); + + static byte[] outputDesEDE64 = Hex.decode("862304d33af01096"); + + public MacTest() + { + } + + private void aliasTest(SecretKey key, String primary, String[] aliases) + throws Exception + { + Mac mac = Mac.getInstance(primary, "BC"); + + // + // standard DAC - zero IV + // + mac.init(key); + + mac.update(input, 0, input.length); + + byte[] ref = mac.doFinal(); + + for (int i = 0; i != aliases.length; i++) + { + mac = Mac.getInstance(aliases[i], "BC"); + + mac.init(key); + + mac.update(input, 0, input.length); + + byte[] out = mac.doFinal(); + if (!areEqual(out, ref)) + { + fail("Failed - expected " + new String(Hex.encode(ref)) + " got " + new String(Hex.encode(out))); + } + } + } + + public void performTest() + throws Exception + { + SecretKey key = new SecretKeySpec(keyBytes, "DES"); + byte[] out; + Mac mac; + + mac = Mac.getInstance("DESMac", "BC"); + + // + // standard DAC - zero IV + // + mac.init(key); + + mac.update(input, 0, input.length); + + out = mac.doFinal(); + + if (!areEqual(out, output1)) + { + fail("Failed - expected " + new String(Hex.encode(output1)) + " got " + new String(Hex.encode(out))); + } + + // + // mac with IV. + // + mac.init(key, new IvParameterSpec(ivBytes)); + + mac.update(input, 0, input.length); + + out = mac.doFinal(); + + if (!areEqual(out, output2)) + { + fail("Failed - expected " + new String(Hex.encode(output2)) + " got " + new String(Hex.encode(out))); + } + + // + // CFB mac with IV - 8 bit CFB mode + // + mac = Mac.getInstance("DESMac/CFB8", "BC"); + + mac.init(key, new IvParameterSpec(ivBytes)); + + mac.update(input, 0, input.length); + + out = mac.doFinal(); + + if (!areEqual(out, output3)) + { + fail("Failed - expected " + new String(Hex.encode(output3)) + " got " + new String(Hex.encode(out))); + } + + // + // ISO9797 algorithm 3 using DESEDE + // + key = new SecretKeySpec(keyBytesISO9797, "DESEDE"); + + mac = Mac.getInstance("ISO9797ALG3", "BC"); + + mac.init(key); + + mac.update(inputISO9797, 0, inputISO9797.length); + + out = mac.doFinal(); + + if (!areEqual(out, outputISO9797)) + { + fail("Failed - expected " + new String(Hex.encode(outputISO9797)) + " got " + new String(Hex.encode(out))); + } + + // + // 64bit DESede Mac + // + key = new SecretKeySpec(keyBytesISO9797, "DESEDE"); + + mac = Mac.getInstance("DESEDE64", "BC"); + + mac.init(key); + + mac.update(inputDesEDE64, 0, inputDesEDE64.length); + + out = mac.doFinal(); + + if (!areEqual(out, outputDesEDE64)) + { + fail("Failed - expected " + new String(Hex.encode(outputDesEDE64)) + " got " + new String(Hex.encode(out))); + } + + aliasTest(new SecretKeySpec(keyBytesISO9797, "DESede"), "DESedeMac64withISO7816-4Padding", + new String[] { "DESEDE64WITHISO7816-4PADDING", "DESEDEISO9797ALG1MACWITHISO7816-4PADDING", "DESEDEISO9797ALG1WITHISO7816-4PADDING" }); + + aliasTest(new SecretKeySpec(keyBytesISO9797, "DESede"), "ISO9797ALG3WITHISO7816-4PADDING", + new String[] { "ISO9797ALG3MACWITHISO7816-4PADDING" }); + + aliasTest(new SecretKeySpec(keyBytes, "DES"), "DES64", + new String[] { "DESMAC64" }); + } + + public String getName() + { + return "Mac"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new MacTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MultiCertStoreTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MultiCertStoreTest.java new file mode 100644 index 00000000..240d1e63 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/MultiCertStoreTest.java @@ -0,0 +1,96 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.MultiCertStoreParameters; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; + +import java.io.ByteArrayInputStream; +import java.security.Security; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.X509CRL; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +public class MultiCertStoreTest + extends SimpleTest +{ + + public void performTest() + throws Exception + { + basicTest(); + } + + private void basicTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate rootCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.finalCertBin)); + X509CRL rootCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream( + CertPathTest.rootCrlBin)); + X509CRL interCrl = (X509CRL)cf + .generateCRL(new ByteArrayInputStream( + CertPathTest.interCrlBin)); + + // Testing CollectionCertStore generation from List + List list = new ArrayList(); + list.add(rootCert); + list.add(interCert); + list.add(finalCert); + list.add(rootCrl); + list.add(interCrl); + CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); + CertStore store1 = CertStore.getInstance("Collection", ccsp, "BC"); + CertStore store2 = CertStore.getInstance("Collection", ccsp, "BC"); + + List storeList = new ArrayList(); + storeList.add(store1); + storeList.add(store2); + CertStore store = CertStore.getInstance("Multi", new MultiCertStoreParameters(storeList)); + + // Searching for rootCert by subjectDN + X509CertSelector targetConstraints = new X509CertSelector(); + targetConstraints.setSubject(rootCert.getSubjectX500Principal().getName()); + Collection certs = store.getCertificates(targetConstraints); + + if (certs.size() != 2 || !certs.contains(rootCert)) + { + fail("2 rootCerts not found by subjectDN"); + } + + store = CertStore.getInstance("Multi", new MultiCertStoreParameters(storeList, false)); + certs = store.getCertificates(targetConstraints); + + if (certs.size() != 1 || !certs.contains(rootCert)) + { + fail("1 rootCert not found by subjectDN"); + } + } + + public String getName() + { + return "MultiCertStore"; + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new MultiCertStoreTest()); + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NISTCertPathTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NISTCertPathTest.java new file mode 100644 index 00000000..43f90a1c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NISTCertPathTest.java @@ -0,0 +1,5173 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.security.GeneralSecurityException; +import java.security.Security; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathBuilderResult; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.HashSet; +import java.util.Set; +import java.util.Vector; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + + +/* + * These tests are taken from the NIST X.509 Validation Test Suite + * available at: http://csrc.nist.gov/pki/testing/x509paths.html + * + * Only the relevant certificate and crl data has been kept, in order + * to keep the class size to a minimum. + * + */ + +public class NISTCertPathTest + extends SimpleTest +{ + private static final String TEST_POLICY_1 = "2.16.840.1.101.3.1.48.1"; + private static final String TEST_POLICY_2 = "2.16.840.1.101.3.1.48.2"; + private static final String TEST_POLICY_3 = "2.16.840.1.101.3.1.48.3"; + private static final String TEST_POLICY_4 = "2.16.840.1.101.3.1.48.4"; + private static final String TEST_POLICY_5 = "2.16.840.1.101.3.1.48.5"; + + private static Set ANY; + private static Set TP1; + private static Set TP2; + private static Set TP3; + private static Set TP4; + private static Set TP1_TP2; + + static { + ANY = new HashSet(); + + TP1 = new HashSet(); + TP1.add(TEST_POLICY_1); + + TP2 = new HashSet(); + TP2.add(TEST_POLICY_2); + + TP3 = new HashSet(); + TP3.add(TEST_POLICY_3); + + TP4 = new HashSet(); + TP4.add(TEST_POLICY_4); + + TP1_TP2 = new HashSet(); + TP1_TP2.add(TEST_POLICY_1); + TP1_TP2.add(TEST_POLICY_2); + } + + /* + * + * FIELDS + * + */ + + private CertificateFactory fact; + + private X509Certificate trustedCert; + private X509CRL trustedCRL; + private Set trustedSet; + private int testCount; + private Vector testFail; + private StringBuffer resultBuf; + + public String getName() + { + return "NISTCertPathTest"; + } + + + public void performTest() + { + init(); + + test(" 1", TEST_1_DATA , true , false); + test(" 2", TEST_2_DATA , false, false); + test(" 3", TEST_3_DATA , false, false); + test(" 4", TEST_4_DATA , true , false); + test(" 5", TEST_5_DATA , false, false); + test(" 6", TEST_6_DATA , false, false); + test(" 7", TEST_7_DATA , true , false); + test(" 8", TEST_8_DATA , false, false); + test(" 9", TEST_9_DATA , false, false); + + test("10", TEST_10_DATA, false, false); + test("11", TEST_11_DATA, false, false); + test("12", TEST_12_DATA, true , false); + test("13", TEST_13_DATA, false, false); + test("14", TEST_14_DATA, false, false); + test("15", TEST_15_DATA, true , false); + test("16", TEST_16_DATA, true , false); + test("17", TEST_17_DATA, true , false); + test("18", TEST_18_DATA, true , false); + test("19", TEST_19_DATA, false, false); + + test("20", TEST_20_DATA, false, false); + test("21", TEST_21_DATA, false, false); + test("22", TEST_22_DATA, false, false); + test("23", TEST_23_DATA, false, false); + test("24", TEST_24_DATA, true , false); + test("25", TEST_25_DATA, false, false); + test("26", TEST_26_DATA, true , false); + test("27", TEST_27_DATA, true , false); + test("28", TEST_28_DATA, false, false); + test("29", TEST_29_DATA, false, false); + + test("30", TEST_30_DATA, true , false); + test("31", TEST_31_DATA, false, false); + test("32", TEST_32_DATA, false, false); + test("33", TEST_33_DATA, true , false); + + + + test("34a", TEST_34_DATA, ANY , true , true , false); + test("34b", TEST_34_DATA, ANY , false, true , false); + test("34c", TEST_34_DATA, TP1 , true , true , false); + test("34d", TEST_34_DATA, TP1 , false, true , false); + test("34e", TEST_34_DATA, TP2 , true , false, false); + test("34f", TEST_34_DATA, TP2 , false, true , false); + + test("35a", TEST_35_DATA, false, true , false); + test("35b", TEST_35_DATA, true , false, false); + + test("36a", TEST_36_DATA, false, true , false); + test("36b", TEST_36_DATA, true , false, false); + + test("37a", TEST_37_DATA, false, true , false); + test("37b", TEST_37_DATA, true , false, false); + + test("38a", TEST_38_DATA, false, true , false); + test("38b", TEST_38_DATA, true , false, false); + + test("39a", TEST_39_DATA, ANY , true , true , false); + test("39b", TEST_39_DATA, ANY , false, true , false); + test("39c", TEST_39_DATA, TP1 , true , true , false); + test("39d", TEST_39_DATA, TP1 , false, true , false); + test("39e", TEST_39_DATA, TP2 , true , false, false); + test("39f", TEST_39_DATA, TP2 , false, true , false); + + + test("40a", TEST_40_DATA, false, true , false); + test("40b", TEST_40_DATA, true , false, false); + + test("41a", TEST_41_DATA, false, true , false); + test("41b", TEST_41_DATA, true , false, false); + + test("42a", TEST_42_DATA, false, true , false); + test("42b", TEST_42_DATA, true , false, false); + + test("43a", TEST_43_DATA, false, true , false); + test("43b", TEST_43_DATA, true , false, false); + + test("44a", TEST_44_DATA, false, true , false); + test("44b", TEST_44_DATA, true , false, false); + + test("45a", TEST_45_DATA, false, false, false); + test("45b", TEST_45_DATA, true , false, false); + + test("46a", TEST_46_DATA, ANY , false, true , false); + test("46b", TEST_46_DATA, ANY , true , true , false); + test("46c", TEST_46_DATA, TP1 , true , true , false); + test("46d", TEST_46_DATA, TP1 , false, true , false); + test("46e", TEST_46_DATA, TP2 , true , false, false); + test("46f", TEST_46_DATA, TP2 , false, false, false); + + test("47a", TEST_47_DATA, false, false, false); + test("47b", TEST_47_DATA, true , false, false); + + test("48a", TEST_48_DATA, TP1 , false, true , false); + test("48b", TEST_48_DATA, TP1 , true , true , false); + test("48c", TEST_48_DATA, ANY , false, true , false); + test("48d", TEST_48_DATA, ANY , true , true , false); + test("48e", TEST_48_DATA, TP2 , false, true , false); + test("48f", TEST_48_DATA, TP2 , true , false, false); + + test("49a", TEST_49_DATA, TP1 , false, true , false); + test("49b", TEST_49_DATA, TP1 , true , true , false); + test("49c", TEST_49_DATA, TP3 , false, true , false); + test("49d", TEST_49_DATA, TP3 , true , false, false); + test("49e", TEST_49_DATA, ANY , false, true , false); + test("49f", TEST_49_DATA, ANY , true , true , false); + + test("50a", TEST_50_DATA, TP1 , false, true , false); + test("50b", TEST_50_DATA, TP1 , true , true , false); + test("50c", TEST_50_DATA, TP1_TP2 , false, true , false); + test("50d", TEST_50_DATA, TP1_TP2 , true , true , false); + test("50e", TEST_50_DATA, ANY , false, true , false); + test("50f", TEST_50_DATA, ANY , true , true , false); + + test("51a", TEST_51_DATA, false, true , false); + test("51b", TEST_51_DATA, true , false, false); + + test("52a", TEST_52_DATA, TP1 , false, true , false); + test("52b", TEST_52_DATA, TP1 , true , false, false); + test("52c", TEST_52_DATA, TP1_TP2 , false, true , false); + test("52d", TEST_52_DATA, TP1_TP2 , true , false, false); + test("52e", TEST_52_DATA, ANY , false, true , false); + test("52f", TEST_52_DATA, ANY , true , true , false); + + test("53a", TEST_53_DATA, TP1 , false, true , false); + test("53b", TEST_53_DATA, TP1 , true , true , false); + test("53c", TEST_53_DATA, TP1_TP2 , false, true , false); + test("53d", TEST_53_DATA, TP1_TP2 , true , true , false); + test("53e", TEST_53_DATA, TP4 , false, true , false); + test("53f", TEST_53_DATA, TP4 , true , false, false); + test("53g", TEST_53_DATA, ANY , false, true , false); + test("53h", TEST_53_DATA, ANY , true , true , false); + + test("54", TEST_54_DATA, false, false); + test("55", TEST_55_DATA, false, false); + test("56", TEST_56_DATA, true , false); + test("57", TEST_57_DATA, true , false); + test("58", TEST_58_DATA, false, false); + test("59", TEST_59_DATA, false, false); + + test("60", TEST_60_DATA, false, false); + test("61", TEST_61_DATA, false, false); + test("62", TEST_62_DATA, true , false); + test("63", TEST_63_DATA, true , false); + test("64", TEST_64_DATA, false, false); + test("65", TEST_65_DATA, false, false); + test("66", TEST_66_DATA, false, false); + test("67", TEST_67_DATA, true , false); + test("68", TEST_68_DATA, false, false); + test("69", TEST_69_DATA, false, false); + + test("70", TEST_70_DATA, false, false); + test("71", TEST_71_DATA, false, false); + test("72", TEST_72_DATA, false, false); + test("73", TEST_73_DATA, false, false); + test("74", TEST_74_DATA, true , false); + test("75", TEST_75_DATA, false, false); + test("76", TEST_76_DATA, false, false); + + resultBuf.append("NISTCertPathTest -- Failed: ").append(testFail.size()).append('/').append(testCount).append('\n'); + if (!testFail.isEmpty()) + { + fail(resultBuf.toString()); + } + } + + private void init() + { + try + { + fact = CertificateFactory.getInstance("X.509", "BC"); + trustedCert = (X509Certificate)fact + .generateCertificate(new ByteArrayInputStream(Base64 + .decode(Trust_Anchor_CP_01_01_crt))); + trustedCRL = (X509CRL)fact.generateCRL(new ByteArrayInputStream( + Base64.decode(Trust_Anchor_CRL_CP_01_01_crl))); + trustedSet = new HashSet(); + + byte[] _ncBytes = null; + byte[] _octBytes = trustedCert.getExtensionValue("2.5.29.30"); + if (_octBytes != null) + { + ASN1InputStream _ais = new ASN1InputStream( + new ByteArrayInputStream(_octBytes)); + ASN1OctetString _oct = ASN1OctetString.getInstance(_ais + .readObject()); + _ais.close(); + _ncBytes = _oct.getOctets(); + } + + trustedSet.add(new TrustAnchor(trustedCert, _ncBytes)); + testCount = 0; + testFail = new Vector(); + resultBuf = new StringBuffer(); + } + catch (Exception ex) + { + throw new RuntimeException(ex.getMessage()); + } + } + + private X509Certificate decodeCertificate(String _str) + throws GeneralSecurityException + { + + return (X509Certificate)fact + .generateCertificate(new ByteArrayInputStream(Base64 + .decode(_str))); + } + + private X509CRL decodeCRL(String _str) + throws GeneralSecurityException + { + + return (X509CRL)fact.generateCRL(new ByteArrayInputStream(Base64 + .decode(_str))); + } + + private CertStore makeCertStore(String[] _strs) + throws GeneralSecurityException + { + + Vector _vec = new Vector(); + _vec.addElement(trustedCRL); + + for (int i = 0; i < _strs.length; i++) + { + if (_strs[i].startsWith("MIIC")) + { + _vec.addElement(fact + .generateCertificate(new ByteArrayInputStream(Base64 + .decode(_strs[i])))); + } + else if (_strs[i].startsWith("MIIB")) + { + _vec.addElement(fact.generateCRL(new ByteArrayInputStream( + Base64.decode(_strs[i])))); + } + else + { + throw new IllegalArgumentException("Invalid certificate or crl"); + } + } + + // Insert elements backwards to muck up forward ordering dependency + Vector _vec2 = new Vector(); + for (int i = _vec.size() - 1; i >= 0; i--) + { + _vec2.add(_vec.elementAt(i)); + } + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(_vec2), "BC"); + } + + private void test(String _name, String[] _data, boolean _accept, + boolean _debug) + { + + test(_name, _data, null, false, _accept, _debug); + } + + private void test(String _name, String[] _data, boolean _explicit, + boolean _accept, boolean _debug) + { + + test(_name, _data, null, _explicit, _accept, _debug); + } + + private void test(String _name, String[] _data, Set _ipolset, + boolean _explicit, boolean _accept, boolean _debug) + { + + testCount++; + boolean _pass = true; + + try + { + CertPathBuilder _cpb = CertPathBuilder.getInstance("PKIX", "BC"); + X509Certificate _ee = decodeCertificate(_data[_data.length - 1]); + X509CertSelector _select = new X509CertSelector(); + _select.setSubject(_ee.getSubjectX500Principal().getEncoded()); + + PKIXBuilderParameters _param = new PKIXBuilderParameters( + trustedSet, _select); + _param.setExplicitPolicyRequired(_explicit); + _param.addCertStore(makeCertStore(_data)); + _param.setRevocationEnabled(true); + if (_ipolset != null) + { + _param.setInitialPolicies(_ipolset); + } + + CertPathBuilderResult _result = _cpb.build(_param); + + if (!_accept) + { + System.out.println("Accept when it should reject"); + _pass = false; + testFail.addElement(_name); + } + } + catch (Exception ex) + { + if (_accept) + { + System.out.println("Reject when it should accept"); + _pass = false; + testFail.addElement(_name); + } + } + + resultBuf.append("NISTCertPathTest -- ").append(_name).append(": ") + .append(_pass ? "\n" : "Failed.\n"); + } + + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new NISTCertPathTest()); + } + + /* + * Trust Anchor + * + */ + public static final String Trust_Anchor_CP_01_01_crt = + "MIICbDCCAdWgAwIBAgIDAYafMA0GCSqGSIb3DQEBBQUAMF4xCzAJBgNVBAYTAlVTMRgwFg" + + "YDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEQMA4GA1UECxMHVGVzdGlu" + + "ZzEVMBMGA1UEAxMMVHJ1c3QgQW5jaG9yMB4XDTk5MDEwMTEyMDEwMFoXDTQ4MDEwMTEyMD" + + "EwMFowXjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE" + + "CxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5nMRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBANPzucEztz+nJ/ZBHVyceZ2q0pUQt4TO2qPlWAw+" + + "TotWvz6qIS1QE/7zGS56yxHP89O4X1efnZeArx2VVxLfNNS9865N53ymINQETtpjYT49Ko" + + "03z8U8yfn68DlIBHi9sN31JEYzoUafF58Eu883lAwTQ6qQrJF4HbrzGIQqgitHAgMBAAGj" + + "ODA2MBEGA1UdDgQKBAirmuv5wudUjzAMBgNVHRMEBTADAQH/MBMGA1UdIwQMMAqACKua6/" + + "nC51SPMA0GCSqGSIb3DQEBBQUAA4GBABZWD2Gsh4tP62QSG8OFWUpo4TulIcFZLpGsaP4T" + + "/2Nt7lXUoIJMN7wWjqkmYf5/Rvo4HxNcimq3EkeYcrm1VoDueJUYGvRjcCY5mxkghI27Yl" + + "/fLKE9/BvQOrvYzBs2EqKrrT7m4VK0dRMR7CeVpmPP08z0Tti6uK2tzBplp1pF"; + public static final String Trust_Anchor_CRL_CP_01_01_crl = + "MIIBbzCB2QIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDFRydXN0IEFuY2hvchcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjAiMCACAS" + + "cXDTk5MDEwMTEyMDAwMFowDDAKBgNVHRUEAwoBAaAjMCEwCgYDVR0UBAMCAQEwEwYDVR0j" + + "BAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEFBQADgYEAC7lqZwejJRW7QvzH11/7cYcL3r" + + "acgMxH3PSU/ufvyLk7ahR++RtHary/WeCvRdyznLiIOA8ZBiguWtVPqsNysNn7WLofQIVa" + + "+/TD3T+lece4e1NwGQvj5Q+e2wRtGXg+gCuTjTKUFfKRnWz7O7RyiJKKim0jtAF4RkCpLe" + + "bNChY="; + + + /* + * test1 + * + */ + + public static final String End_Certificate_CP_01_01_crt = + "MIIChjCCAe+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDEuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMY07G8M4FkOvF+6LpO7BKcDuXCKudfl1+bKSowj" + + "2GCza8uIiMfYSH5k+fYb43lGQeRh9yVHcfNQlE7yfGo3tgxGv5yWpeKvDMqL8Iy6Q0oIjm" + + "qH80ZOz21dUkermcckzTEOfe/R2fNpJPv8M24pq29SdYAqu+CpLDHFtws9O+q1AgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIrNv88bwFLtIwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEFBQADgYEAK4hP" + + "goWtZbHf6qWfRfmrPrz9hDH1644NrJop2Y7MXzuTtpo1zp4NCG4+ii0CSOfvhugc8yOmq3" + + "I6olgE0V16VtC5br2892UHYZ55Q4oQ9BWouVVlOyY9rogOB160BnsqBELFhT0Wf6mnbsdD" + + "G+BB5fFyeK61aYDWV84kS7cSX5w="; + public static final String[] TEST_1_DATA = new String[] { + End_Certificate_CP_01_01_crt, + }; + + /* + * test2 + * + */ + + public static final String Intermediate_Certificate_CP_01_02_crt = + "MIIClTCCAf6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAxLjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDWOZ4hk+K6NX/l+OiHC4pfKCWFt+XM2n/TxwkqY+mt" + + "j9Co77rPPPtVA7mDKU4OiYT74mIWH52HQBZr+PRmOFh0Z9S1oTpLbxNLCDc6OmQKBo6iex" + + "SIt/jOatFFmzmTZ78Kq9s3nfrOVA83ggmPDTPkuG5GwcxPgFq0vRmAJ0CESQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQI5o5Am09NlOYwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEA3C7Ye5/Te14LIwo/LK2fnpobbQA3dhOn5UgqZ8lKbQ/HV1D8/eU9dK" + + "2v5gW43XvFq4whK0WKLBvBFchKtp9T1QX3CI2WCqdJRyqla6TkQsS36T17/ww2nzy1853Y" + + "hfDYNsge5XW8YZNfNjjVxcR3RnyFxPax1YIlISiGdI0dnag="; + public static final String Intermediate_CRL_CP_01_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMS4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI5o5Am09NlOYwDQYJKoZIhvcNAQEFBQADgYEAl26W" + + "g1Gqq3R93XPjghABVocfeIi8zcSJ0YAKqbifh5V3JCC8Piy19GzZdL244GqBDls44IAhKj" + + "YuXN2mSohdqwULbye4agAgfl37XhhwsBDTYwaJiv3njFQ6Ml7KJ3STmoIpmlLvrXibDuHX" + + "ocuNGo72ckhOdBpXd+PhgGuoTis="; + public static final String End_Certificate_CP_01_02_crt = + "MIIChjCCAe+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMS4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDEuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwJrZT6bJXQnZzc3socZ/mNsEag4BTdym99ZCP2" + + "3PGsTCfV2z7+p4DehIFrn/N/a1d1nvyqRqpQGPU86tl1CWgFtXS+zCctDR71P76bjd6yef" + + "5vxxdO/SBIRHfQTjM8F3BTLkrC+PVl5wbaLcEXRORXrFvBvsj0oqwZ4C8ZObh/AgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIf5mSjuNhs/gwEwYDVR0jBAwwCoAI5o5Am09NlOYwDQYJKoZIhvcNAQEFBQADgYEAK7wd" + + "MyLlIZ/Qsqj3/A3Gat0d5BORtFTZH0VdlVVOWN1JCZxrnjeIFB92NNzUROemxgBxzneuWN" + + "SlYlcpTk25pAbs6RMdbT8dovKQkQkF2TXeQ+4qktFaLQntVT8UsEzHR4Diw0/gH8tseGqF" + + "F7FyiW8ni6zInSO+embUKiibj9I="; + public static final String[] TEST_2_DATA = new String[] { + Intermediate_Certificate_CP_01_02_crt, + Intermediate_CRL_CP_01_02_crl, + End_Certificate_CP_01_02_crt + }; + + /* + * test3 + * + */ + + public static final String Intermediate_Certificate_CP_01_03_crt = + "MIIClTCCAf6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAxLjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC4RZ0R82sA+BfyynFeoIDG7c5IlZ8HorEv+O4Ij3Oy" + + "7FR1MB4no8hDEBPBf5fCrAR/8PVxCZjVj2HOwnSAqUQgxo6WPcmkabux12k8kK6yeKq3b7" + + "u5fL6tb7eKElQzsz8Je4z4rCDkI10vV+X0VZ5Ip/Es428dw2KoN8eyGmw3+QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIz08WhMpG2JswEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAQ+iqlFvbvDejO/m+RCHh2UuUau1FuABObkPOu2Tv9yTWvTSWDRygdO" + + "LQRiOLsjgrdXPdbDutVGjllBoTN8cdz3SWjCpampg5TBikArxmNEYMDQvL6n2lkUcetRJR" + + "gQ7TYLvFj9+SycKXfM5CUXAyCfcU/QwDghhZgc99AuDZtJc="; + public static final String Intermediate_CRL_CP_01_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMS4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIz08WhMpG2JswDQYJKoZIhvcNAQEFBQADgYEAoyO/" + + "xcpJ0Obj4rTXhHFd7XMzslt79njkEgdwnon9BaYB3xSmkEXCMwLMurrjVYKaB6SWAiPeUv" + + "G7ScDHJE6UFVJwIt4vP/M7gTOJ7uak33aWi9e5DeIuLqE6pFqTGu+uoBkkd82SHg2GhJhZ" + + "VXDtJ3UcO/3JQPbslc02s9HiRBg="; + public static final String End_Certificate_CP_01_03_crt = + "MIIChjCCAe+gAwIBAgIBBTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMS4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDEuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBANAD1vQj//4BGEXW1Q7HX/AUyFJFyHoYcvg5y4u/" + + "8Sj6okriXj3knnBKDiJLpKfcsO5p5MQS5QzAc+lxErXD+duiw8lm61hj0StsRzhDFsaC1g" + + "akjzU70R2Tmz/djUnqO3aa2wICc4NVAXnIMMsH/b6XXFZpC0/C32TPTv9aa9mrAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIPw2wltiRqz4wEwYDVR0jBAwwCoAIz08WhMpG2JswDQYJKoZIhvcNAQEFBQADgYEAln42" + + "iR3eHyazF8CRjS9Jnas/26MaBtjUyDtcSjTVDWFlccwrQ7TgtzjkNm9fCmgSyvryDnUYGM" + + "DoEjwYNLIgtCAkVIEBTmJvlqiPHH+tV5oJvIav+Fn8okHpuuK44umDcdKiFWlOyxrShxzV" + + "3Bez/eHklaPTw/VsVhyh+Uru5zM="; + public static final String[] TEST_3_DATA = new String[] { + Intermediate_Certificate_CP_01_03_crt, + Intermediate_CRL_CP_01_03_crl, + End_Certificate_CP_01_03_crt + }; + + /* + * test4 + * + */ + + public static final String Intermediate_Certificate_1_CP_02_01_crt = + "MIIClTCCAf6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05OTAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAyLjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC/lQLtWKzklgYuzhjMiK2CzFmzODsEY/JIVNdn9T8M" + + "W4ufpGwnfIV62EUHCFeMYydKBm8Hyjbjrz1otINJmrGL5WSAX1/UPtHy1chgXOsFYD6nAH" + + "jZAJJGw74nUbKw5+L1wUHU8qXABaaTrRpS1UdKSq4TCZ18NCjC4Oxcf/yDdQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQINsJcxaBqdugwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAOQP3iUX7FtJlL9nvu4F+8o/N5vr+OB28OsbYtW+Q1FzEfjkUGtT9Ri" + + "teradpN/xUnS/oj3BfqFtNANkYKrBeqRtm2VeOC3kdCVFnWFME2aoRAQZbWvOwCFc3yLA7" + + "JBdENtDNI54yYHMHPA4/2CuNQq1Iu1ektAS95DIe7ddxL18="; + public static final String Intermediate_Certificate_2_CP_02_01_crt = + "MIIClTCCAf6gAwIBAgIBBzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMi4wMTAeFw05OTAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLUNQLjAyLjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCx/mIo1Ma/IN8OR7KOjclvIwsv0JFXD/T258DruDZU" + + "uGoYiEbAc/ZN7R8OHI7dnv9pBfsvyEl7m2DVoLZnP0eXJTHjdZxb1TwPHoSIysi9u3xWlP" + + "Rg+v+GGfKLB9pL0m8SZh97SngerZI14w7vQy0kkXziGatSpBoXtWNmsHJNuQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIoI0mSmDmzZUwEwYDVR0jBAwwCoAINsJcxaBqdugwDQYJKoZI" + + "hvcNAQEFBQADgYEAcfs1pH12Qwdhv4NOJO2xxgMZZo8+A9Zl9c7RxsvuoZOOyCxoE9wT/l" + + "PdUpGoGxtIPoWQs1qXEXnAlXJCXjLCJUHIG1/E6gQUXW0Ty6Ztpc5Dz06pPTN2gt+41B3J" + + "sL/Klqc4iyCaWr8sYgEPQ8nColWRmIwk9gAasPNkNhyxA3Y="; + public static final String Intermediate_CRL_1_CP_02_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAINsJcxaBqdugwDQYJKoZIhvcNAQEFBQADgYEAlBaV" + + "VfrZqvyRhGXNYFik169nBHiNfKpw8k1YgFAQeNYdmfScq1KHmKzDhsx9kQteczBL7ltviK" + + "TN3CKlZW82c16mfd4yYx0l5tkU80lwKCHSUzx92+qrvYjSMup+bqSsi8JhqByBf6b0JbKf" + + "yx53Vpw1OCzjxrVHcfHPx8Q/vR4="; + public static final String Intermediate_CRL_2_CP_02_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1DUC4wMi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIoI0mSmDmzZUwDQYJKoZIhvcNAQEFBQADgYEAhAHP" + + "QxpcrTTN0GXeOwoMXuQUoHMvezEpM0BYOVLzI3KbRXWa9iWZINr99cRQvonMtOGkhIH3iS" + + "wSNbsjmF9HX5UvNzrofOWataVP+macpCuNlK0NS3xxJjKRWOB9C1Ib7tiSSrQqIPcchlF6" + + "vofy2ALEL6Usa1UTVYMhzGYnVZU="; + public static final String End_Certificate_CP_02_01_crt = + "MIIChjCCAe+gAwIBAgIBCDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1DUC4wMi4wMTAeFw05OTAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDIuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOzYq2murB5ZjQd4wReI51Lc1F5VwK90OMGRfi71" + + "YvwdRjgCudeDXZGW5ayid82y+eTDKFSzo1Li/BPTUXMpeqHHMCmLeefqxAWmz3aDoilF8I" + + "Q53PlejnXJdntsal44w6WdP6ssiXlwzcZDnobAfuDTPgsnWWfzAkr1/LqEw/QZAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIP5tVdEyxotcwEwYDVR0jBAwwCoAIoI0mSmDmzZUwDQYJKoZIhvcNAQEFBQADgYEAkVx9" + + "S/20Hir8qMnfMpMGTgMKoVeWoljxim83IkNs1Xqe1oLGHdyDUA66uF8wPkoTqGrfDYvgBa" + + "5Mi0iJREnMWoiWvCe467+L1b2gtvRBMl9bcRj40bvelk0Wn4lBl3VuKXarP5M0PKT5OWvN" + + "2cPLNeXHvV6ZIrC4rmK2ISpIXX4="; + public static final String[] TEST_4_DATA = new String[] { + Intermediate_Certificate_1_CP_02_01_crt, + Intermediate_Certificate_2_CP_02_01_crt, + Intermediate_CRL_1_CP_02_01_crl, + Intermediate_CRL_2_CP_02_01_crl, + End_Certificate_CP_02_01_crt + }; + + /* + * test5 + * + */ + + public static final String Intermediate_Certificate_CP_02_02_crt = + "MIIClTCCAf6gAwIBAgIBCTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw00NzAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAyLjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDHJmlRKb+mjc61iiqGe9gx/VUMLNmGrXGRYKMmYSxO" + + "Q5sGLoztd2XtEgtZEPwvzd9KLKGP3XmgTrc4BGohqoFoG9Qb+w2ZGFwVC22GpeSoXc+J2u" + + "2t3uRKYgboHpB0Jk42XLy+2wSEtS+/er7cFu2ufdPsvT4J1AqiuZSco96vtQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIBvoP1E6PGiMwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAmOyFq2vZrUNDVWRcyzYvZhs1uQ4zgXtfqnPE0V19RgaYffCrSCI86z" + + "5kyDUyZwbGABMxBaVxEw536MesyDTdZdEVw6lN5RRtxr8/WEiSH6oI6t0xNxuNOkSNpz4d" + + "28HA4UfUvtXK8RK2YZnPAd6UXsRUPBPXKEpzy4v/9RyihSg="; + public static final String Intermediate_CRL_CP_02_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIBvoP1E6PGiMwDQYJKoZIhvcNAQEFBQADgYEAALlA" + + "f3IDWexcdkMQHWTdGeFe+bG5dBvVPL5ZyQUw9DWbLwrjw/Jm4v9t+HLjETLSymsFT4bW21" + + "OwnEiAAdaKT96k5t+sTyU5QQ6HL/jRXLHLGdCQgMFCglm5iNqaCLIFoMAVCaFkYtFUE3m/" + + "iVt+319JOh5UyshMuWrAEW0IGGQ="; + public static final String End_Certificate_CP_02_02_crt = + "MIIChjCCAe+gAwIBAgIBCjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDIuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL/Src6e8qXwL+KJs5+v+JsakZdSDqMAFJUMfA2O" + + "OO2TIqcvDFHzqesX+G+28MUwy6++ux07CD3FCaapgzBN4zO4RfKcamxFReKMKcEvNVVCOO" + + "wO4Lvku1Sad14oYyGLOMzZwZFjRp8paaz5g87k70EOPBLeDlFMcch36czw53sLAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIPoHc2Sfk6XUwEwYDVR0jBAwwCoAIBvoP1E6PGiMwDQYJKoZIhvcNAQEFBQADgYEAFHhm" + + "o6QRFdO1x1wp7Jb1QQAlChFfP8MrGVNK04Ur8f+wfkwIypTDifJ0AoFpjcM3Ohu9Ixvb9q" + + "3kCSIWKDnWtDWw1/dN8mPL5If5gGqPA0+wRbUKVKvduOg7hKr4mWjKw7oYiaJuIIoN9RRZ" + + "ejzltd0NEaODNPW/JaKeQUVgZbY="; + public static final String[] TEST_5_DATA = new String[] { + Intermediate_Certificate_CP_02_02_crt, + Intermediate_CRL_CP_02_02_crl, + End_Certificate_CP_02_02_crt + }; + + /* + * test6 + * + */ + + public static final String Intermediate_Certificate_CP_02_03_crt = + "MIIClTCCAf6gAwIBAgIBCzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAyLjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCaJ7NcOvb22F6HjMF1R/AORa4+pKFfFfd9teXPpVWC" + + "9InTq+alY11QaSj27Qg0znOIItmf2W/8Dub9sjnbg+SgAkoV5+CAkplodRNC8AbD4x8rh/" + + "fioQ8lb0Qb4Dn9I0n2wjOgitmMRdE2uW4uwVpH52vsMyenbDVxVI7jA4NS/wIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIC2T+/BkG93AwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEApr6kDXVY5jYt23wC9n3LmhoxDoWh8cBQxcWmr1wpVxIrCbaP0/y00a" + + "29wbewKfucUoh/W2OfjNcohjpKRrnVmOpi5vN7SmbZIHaxbKLzyQ7JwF17aznyCSZVrGpF" + + "A/S49T5rlCm8KDBcc2ym7gRJzwUApbC0Wws4Pg46czrpQlg="; + public static final String Intermediate_CRL_CP_02_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMi4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIC2T+/BkG93AwDQYJKoZIhvcNAQEFBQADgYEAlBFY" + + "vPxhFYsjFOIfQkd7MwKIi7vgPgoWTP5f+QlI0ison5n4N3rYJv31hTZRRRP99JZce1hY6J" + + "Qiv1OtkpG7VfQIhr0FAGxTNaJD6F6rLbGjG8cap4+VibFQf5gZv0XQcyW4akYiRqSXImYn" + + "NVlNyaxiJja+5GA9XVqvWOjjz4o="; + public static final String End_Certificate_CP_02_03_crt = + "MIIChjCCAe+gAwIBAgIBDDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMi4wMzAeFw00NzAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDIuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMlW6FOLwhRsKZM6p0ww4QEWjQzjpjYhKnz3BnLw" + + "SdGZqMe4wzZnDWc/0eyDOMCSYXIWQhlDMqQn2zCVPbDKzMRkdEeRSvE6ghhYP/hn3ipjSw" + + "D8QwaqofCp0sFkbDPke+xD2tMhLdUyNKynPjpSQmYtfoA98PD7so3cSAtrYuSDAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIc/X6kp7teCQwEwYDVR0jBAwwCoAIC2T+/BkG93AwDQYJKoZIhvcNAQEFBQADgYEAStub" + + "g3DzhJgzYO+ZmRc0acldZGwZFm6F1Ckc1JzQDgVHU0bnCANgBcJj49UV2MwbNKPQdVzdwo" + + "c91rfwrSY/PrvVQ9tUonZ28y/esFRBAdJTLf4u++p/gI3vfCvEXa5xVTIz1Hc+iKzAGKrI" + + "cveDHy3ZZluQ3J6tbHs2BhnQFXM="; + public static final String[] TEST_6_DATA = new String[] { + Intermediate_Certificate_CP_02_03_crt, + Intermediate_CRL_CP_02_03_crl, + End_Certificate_CP_02_03_crt + }; + + /* + * test7 + * + */ + + public static final String Intermediate_Certificate_CP_02_04_crt = + "MIIClTCCAf6gAwIBAgIBDTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAyLjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDgZy2Xs5pIoJrT7GuagmKLrn8F9rj8p8w2wELorGhM" + + "1HJMVOurH+o+y6RXd0oMGJkKNrhjEnbHKm3PBYiLgpCjVEcFNhQF1OOxJ7RdahvA9ifsuw" + + "jV1TxTGq35jeaJYASRXb2TiNfzuPWSVm0MWr5zz+YB6NNuvjxwEBgZvNiV8QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIWAOnkHkwSVkwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAMiHozz92EOhSXU/krwQVs0GNEWoAUH3LHt70Zr01dFzEF6QhA/wUa4" + + "+V4XwbMob+q4zGnTHj+tL9ChGWi3NDGELQ4cN64OMPsToGKkepLy+sDwdm9LaUP1bDvPxd" + + "v2hjlskJ7TEu4+6ltXSG/k36Jk8C0/I/ayNGbYcEcLyes3s="; + public static final String Intermediate_CRL_CP_02_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMi4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIWAOnkHkwSVkwDQYJKoZIhvcNAQEFBQADgYEAVtCi" + + "IocktnWOwWiaOc7tTUJvvH5+IYVyB/XhmMhF7cDbL292gyrnuh1+3+lHwZQBPoF9kzF0vt" + + "WaweG7mDvYKxENQODdph/VcnypgUiFTWRTIPB1ZXfCTMWYf2QSalpHRDR4vVsqF748QbcG" + + "E9mbzvLUz6NDA+Vf8wEwZehqSDM="; + public static final String End_Certificate_CP_02_04_crt = + "MIIChjCCAe+gAwIBAgIBDjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMi4wNDAeFw01MDAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDIuMDQwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALBX5GIQtvwswWwMDDPnphIk1rJSbcq7iClXLM2E" + + "kgvBu+hbOzb0v9mtl0KJB71TWJCfwceVQiXc3Gk+YduujAbZRVTkROf9UOWD9bfrI7g+52" + + "g4ms2n7evCO33b+kGEf4I014xl8dJDWtHK9Bhr+569RW9TzO06IeVeTD7whxMXAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIuKXv5WkUTWAwEwYDVR0jBAwwCoAIWAOnkHkwSVkwDQYJKoZIhvcNAQEFBQADgYEAiu0B" + + "yR5Ru8qVsgRqkOpCvrJnkqBAImbbR6+BUYH0juRxxKzKnbFOjU6a9WvkKpEBB8Q2xLynPN" + + "68ecLpnOynx3xj2sWWSVbsRKPy0iOesQblKrq3yHAm4lhzoWA8t1Xz29Ko1WxylDhyxGpR" + + "QAWsyGVCfJFlsZE0ibw3erlWTnA="; + public static final String[] TEST_7_DATA = new String[] { + Intermediate_Certificate_CP_02_04_crt, + Intermediate_CRL_CP_02_04_crl, + End_Certificate_CP_02_04_crt + }; + + /* + * test8 + * + */ + + public static final String Intermediate_Certificate_CP_02_05_crt = + "MIIClTCCAf6gAwIBAgIBDzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAyLjA1MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC2d80bD1RounqjKizkZJYPFUuVWZQ8W2nZDkEp8qR9" + + "fRWCAGOZGs84tgHj5gasmxy1mxJc9ogyQ2mcZhJRitRm5LVNuGevO6JmfqYtJxbW54aZGE" + + "5AWSRXqjJKJEih4VmPjA3vjQaSZSZJnu0DSnO82qWfu1ZUDlvIG6dfKJWRQQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQI3uNhI+QuI4owEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAG/+Rpk8dYrSFdaEO8Ch5tuvvKTOMi7W/DRA4B4xR7WyRJmosPB+37c" + + "teGKVzqFND22Xc8xQH/b/nxYW08sCSLAfN0cRusoSWwWSRtPO2f9fyC/BqCy2B2kQLFNPM" + + "Bk22jNFwLqPUeZn1UHN05RFAqVx325kpl2m1V7tw/mrXATI="; + public static final String Intermediate_CRL_CP_02_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMi4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI3uNhI+QuI4owDQYJKoZIhvcNAQEFBQADgYEAWZUI" + + "2VGY4pak0kICONP/CKvamYFs5txJfR69AC5tEJ+Fy3PmSeHkLUZf/oc9d8EEyr0MsIjRHj" + + "N4X4MquMlk4FflZcc8GblQK8LdXBK4Dy1SiXHA5GB3U1AmgzAzEQGwGRZnzWP5+rJ65upX" + + "vksAYyPQmruRM0O5sElctPn6B+Y="; + public static final String End_Certificate_CP_02_05_crt = + "MIICiDCCAfGgAwIBAgIBEDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMi4wNTAgGA8yMDUwMDEwMTEyMDEwMFoXDTQ4MDEwMTEyMD" + + "EwMFowYDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE" + + "CxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5nMRcwFQYDVQQDEw5Vc2VyMS1DUC4wMi4wNTCBnz" + + "ANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAviLKpW4iblWNLQfmBJJ+ruMgygmjRWfoFGya" + + "Ndv2ma0Ugqm5xXq8c0orbnezwSp+tnzZZhG5KDNZr5+z3krCkqOGGzuUvVLqeJxPOLu7Js" + + "y472nAA7+FhwfZrXUI+Vg9F4qF+Ye81ivDrYVAEmalCpCyHOAKdvwkwQjRucifu90CAwEA" + + "AaNSMFAwDgYDVR0PAQH/BAQDAgXgMBYGA1UdIAQPMA0wCwYJYIZIAWUDATABMBEGA1UdDg" + + "QKBAjgph7BA5L7dzATBgNVHSMEDDAKgAje42Ej5C4jijANBgkqhkiG9w0BAQUFAAOBgQBr" + + "MDMv9NWCTIQ3blMEqPiEyjiBhSJl88Cu797P4lIn+gc6E+0vZp61X7B2k5CHgsnxyVLK5e" + + "bwl0bYAPKwRI9yzHLrj71RNw8HA7PCRPn1GNrtBBbIpLE0/sqLo51UPu/377+CnzYhIycL" + + "tvS0KDLUTDSY/OowDcplF6Xwnt8cUQ=="; + public static final String[] TEST_8_DATA = new String[] { + Intermediate_Certificate_CP_02_05_crt, + Intermediate_CRL_CP_02_05_crl, + End_Certificate_CP_02_05_crt + }; + + /* + * test9 + * + */ + + public static final String Intermediate_Certificate_CP_03_01_crt = + "MIIClTCCAf6gAwIBAgIBETANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw0wMDAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAzLjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCuF8mub5cgUYZytrRjJ5Rhc2fgazGxWIj6EIKzeSpo" + + "FwScItRX9KxnTIXEBTguBk7eQUsbN8yu49/Mlq45EAnemyZRBWzLFLYLPCco7pyTsWm7Ps" + + "2FAGJ3vE9pC9xaZC+KrwF3Ho+DZNDwhj5InXTP8pChAIPfB8/7V/2mk0lN0wIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQI4mI6Ojs0onswEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAMVGzU6f4YOHpHla+YuGCjHOUZYrA9J25G3UFFoPr2JZEG+Fb5hRQUh" + + "4S1qUQKXn6dpVua+qTJDk3Tg2N8OdIHG/gy0hvYHsxhLCSDQBsfPN7p3FClM7r/VHOqgAN" + + "vzT+KYvxx6gwn6O+n7ERkrBIfkyrGFhnmjx3+VOCc9P4SDE="; + public static final String Intermediate_CRL_CP_03_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMy4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI4mI6Ojs0onswDQYJKoZIhvcNAQEFBQADgYEAfwYf" + + "4kAG4srB2VxWimJs1HwXTaPDooellQclZ5hP/EluT7oe03+ReFef6uXbHt/xRdeaoQhJGy" + + "SP8dWf6UIbL82oaSYqChIvAZD6zTMavEgSET0PlUsK1aEMTpMEtKPvedFSOTNBaMNvMzSW" + + "t5xwurn63qyXTOxHf4m2L4w8+i0="; + public static final String End_Certificate_CP_03_01_crt = + "MIIChjCCAe+gAwIBAgIBEjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMy4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDMuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ/ALaZ+MdNxKDH49+7jUm+17DII5QQEfjk8IaEU" + + "syApOhsByOG06HPItiBEnnfDDxU5kjsZDtw/9LlouBocNXAJt+ZmL3QYyOgeH4SQ4f21rw" + + "7j8fw57gUkP5oWhEc0loXr/hB92hoKbsBoRpv8F1zPZcPNLUnyUzqLH5+CeIibAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QI822isg/wPCowEwYDVR0jBAwwCoAI4mI6Ojs0onswDQYJKoZIhvcNAQEFBQADgYEAilIn" + + "OD0iQrLrHRkO4zr9S9VXAJXJV3l9wfbLBweXM3q/zt4HGKBw4Wq1Yn+AfDxXrBtJA5hP5e" + + "d7CDd4eM93yeKozdZCLNZfUM8sJ2/MRh07tvwJ19e2STklED8b/ndmr5my8H8jjJDaaYww" + + "qTSnXqpcqsUsj+kV4Mk0DvVWT3w="; + public static final String[] TEST_9_DATA = new String[] { + Intermediate_Certificate_CP_03_01_crt, + Intermediate_CRL_CP_03_01_crl, + End_Certificate_CP_03_01_crt + }; + + /* + * test10 + * + */ + + public static final String Intermediate_Certificate_CP_03_02_crt = + "MIIClTCCAf6gAwIBAgIBEzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAzLjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC4AbP8gDUUcIa8w4pEsGgbYH2sz08QMUXd4xwx691i" + + "9QCcyWSovQO4Jozeb9JwtyN2+f3T+JqZL/gwUHuLO2IEXpzE2C8FzQg6Ma+TiSrlvGJfec" + + "TlSooFmEtD3Xh6I6N5PM1fpyyY2sOOhARN5S6qR9BOuxkBAqrAT0fgqD2TswIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQI97nJCqq6+kIwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAWwpfh9oOOvj9xHS0zcczaUIHTkpjgk09I+pERlu0Z0+rHvpZGge4Ov" + + "NDFtMc4TgthGcydbIwiKogjtGBM2/sNHIO2jcpNeOtNKLxrzD4Y0Ve164kXBu9Mmsxx4sG" + + "7XUXZWgiOPfu/HmyPVdzbIReJdQO515SNx7JdgVyUkyhBxM="; + public static final String Intermediate_CRL_CP_03_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMy4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI97nJCqq6+kIwDQYJKoZIhvcNAQEFBQADgYEAC9Hv" + + "NevV6/Oz3wcgEbDgZYRKJRdr4OW4Es7R4ahjz3sH6GXZ1HiEjx2+frmp8LMshQ4D+hpjRk" + + "drSPko1M4a/fQCYxbonZ0xjpYw067dwLmr56+GPJAxkzcSmFKXx+ejyQpG+9+qCR+zm98V" + + "lop6besAaGUjZKnYShIQOfNzDZk="; + public static final String End_Certificate_CP_03_02_crt = + "MIIChjCCAe+gAwIBAgIBFDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMy4wMjAeFw05ODAxMDExMjAxMDBaFw0wMDAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDMuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMJMiW+G4bgoRaYz2OUu/+PQ/yp4JgFOB3Vegf5/" + + "vIrF4gsnoQxOCCsO5JTLrbS5fi3COjvM5w9/SZpNHtSfyWb9afmx4DdrT1bNjma7I6PCid" + + "yxMzX4iTLeaMRnqBk4A+/0Wf2+4VzCqr8aViIiQ7u2JfZiTQ4dZxDoUW6G8lrbAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIEjny2GzFXGQwEwYDVR0jBAwwCoAI97nJCqq6+kIwDQYJKoZIhvcNAQEFBQADgYEAJw3T" + + "3aL3pYbZhswgshOvJ9Y1qv65R6rClSxB5lqBw6+Qki4ZpW57NK8LwaGS03XzDUPaDi4/9R" + + "hGCHpP24fIskS4n4jNZgKpGtt6VEVorUH7cOLNCw2cuwMlKbkyZnNdx2JqTMMlHzNJ3cmy" + + "aX3F70IY0OZbwCKdUo/uMVC6hss="; + public static final String[] TEST_10_DATA = new String[] { + Intermediate_Certificate_CP_03_02_crt, + Intermediate_CRL_CP_03_02_crl, + End_Certificate_CP_03_02_crt + }; + + /* + * test11 + * + */ + + public static final String Intermediate_Certificate_CP_03_03_crt = + "MIIClTCCAf6gAwIBAgIBFTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAzLjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCjLYKGKEMJgC/r0NH7vubQZ5qPEFEEN6QdLUWWqf/O" + + "Yqo9hboQq6S8dFHp3DVR5x/4NOdNRjsTABbXsnz8U+L7+4CorhDhXj29weGMYIIfJ3XSIb" + + "T7sE/GOPmXeGhrTv2zucI1j80sN5nTEoiGFm10LQqAgoyV46BxDltf3/D7wwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIhCIOyzfScpAwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAA18kQijoJebmTQS7n/q/fQx2iblOJaJAWQLHeGCCGqKxCjUpOxuD+y" + + "xMspmTKdQqEkqQ5vpHdFYQ5MYuecqAdp6woWUNQGVd4HHPmHsAW3Oppwb0yLggYs8IVHjm" + + "dNO1pYb+YYciCKBtX8D1OnedIRcrQmDMJUjbfmAEv/4b0EM="; + public static final String Intermediate_CRL_CP_03_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMy4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIhCIOyzfScpAwDQYJKoZIhvcNAQEFBQADgYEAk34j" + + "SxMr8p1h1qJWlfoh4er9pu1AkkHujovan6Ctx89VwFdOS5Kw82OCvD+nmJAHrFuncNlClf" + + "51G8FCEAFLhMNwic4WAxrBX15hcUTaWk8Wj00dfUFwjG8/Kv3QUCDBN8f3KC8/oBeORRX9" + + "dHW5ei2IUKuD1ITCeIoyRDBxQIg="; + public static final String End_Certificate_CP_03_03_crt = + "MIIChjCCAe+gAwIBAgIBFjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMy4wMzAeFw05ODAxMDExMjAxMDBaFw01MDA3MDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDMuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALSw1Ey7kzFzzjMS4oTSrZH/95NMHLxtUSaVGMCy" + + "0q2iLfGZ79eTS9megQUranYlIuK411yvFtskbFKf0idMKBtM8nX3Rxubm5EnbnpgvNrBEg" + + "0FbOPqpSaR+8pxZ6lweB45tkzLU3OZeAZSpGOY1UvT/htn6Ae8JQAVajSvYyfNAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIF014kOHikvcwEwYDVR0jBAwwCoAIhCIOyzfScpAwDQYJKoZIhvcNAQEFBQADgYEAdLMM" + + "zGPPvBLgPbhn2tba/7HiaZaayHIxTXmpW0KAhP+8hwapOitrtLGPwqVtxQ3GoSMZJPMDCV" + + "WsrT3OZm27G6ytqqNZ2ZO49UC7WwQ49TVlN79Ui9RZIBnRzlMIDNKsyuohfSRhFZTkWdoH" + + "/y8ulY8k4xBThV8e8IRgtYj3nhc="; + public static final String[] TEST_11_DATA = new String[] { + Intermediate_Certificate_CP_03_03_crt, + Intermediate_CRL_CP_03_03_crl, + End_Certificate_CP_03_03_crt + }; + + /* + * test12 + * + */ + + public static final String Intermediate_Certificate_CP_03_04_crt = + "MIIClTCCAf6gAwIBAgIBFzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjAzLjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDbUii3czeUQ2zNlxvrhnJ0LcBGxCDHFr3xx+plDg3f" + + "uasDKCY/VjCLEfQ5a2oqcovvGKsd2CPXbCFJtimW1R7Dvt+a0y95fppsdseorYDikiBlOj" + + "ja6LR3Cz3bslYc133C+W/MKHMJ0tdvtTk+SJrq7lqs+iv/b/xHC3k/gDjIswIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIFNw3o1kc4XkwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAn/pr7/noYyjXSKEe/eLk3l4Rb6PEhNAnzySmxGkjIjWKAgh5IVYSGV" + + "KFO/FaNOiYkRFHwXZFNj71q7gbM+HwALurN0Mr/MUA1TSpPy7YhFL0SWq3C3XsC/dVJ50b" + + "HmTW+dGcxboX0h9HeKFxp3VyOY/dUut2oc+s/TnmqQII1CU="; + public static final String Intermediate_CRL_CP_03_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wMy4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIFNw3o1kc4XkwDQYJKoZIhvcNAQEFBQADgYEAMoJ5" + + "jGE1AxxfluixG8Sk7H4W2rqSEkQyNHfnlKSMbh9KZA3evI8HGKGGfkbBNoe4/HauZ4NVFw" + + "FXgllCp+TI8Qd+HafFoDv6ff1K7T86p6r7tE3AEM1XmbnfohP3/ivpIzustv/f2rqjxILK" + + "Ldvrth2/OlNygwY+D54lcWH1DX8="; + public static final String End_Certificate_CP_03_04_crt = + "MIICiDCCAfGgAwIBAgIBGDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wMy4wNDAgFw05ODAxMDExMjAxMDBaGA8yMDUwMDEwMTEyMD" + + "EwMFowYDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE" + + "CxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5nMRcwFQYDVQQDEw5Vc2VyMS1DUC4wMy4wNDCBnz" + + "ANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuSL9tB1JW6JPUO2Xw6TMYkPX41lru3EPyYko" + + "YgXy4giy6LGoqbgtskHehD22v3rfWjqOd9iV2PBio/vYE4zEz0H0n84dpnBvog6A1AlE19" + + "PkQ1txjzIA52FQIRwRfZ38LaulQEfJ0a+fiRHQiM960O3YvHXV+GEbNcw4jo8b0sUCAwEA" + + "AaNSMFAwDgYDVR0PAQH/BAQDAgXgMBYGA1UdIAQPMA0wCwYJYIZIAWUDATABMBEGA1UdDg" + + "QKBAh9/WgM+UT6bTATBgNVHSMEDDAKgAgU3DejWRzheTANBgkqhkiG9w0BAQUFAAOBgQDR" + + "I6PKUGg876/fSljtqxXCR4CoGAAurNFOcM4EWeoc6ZvuDOi3P7rNYiYAXXlmp7epOAgvZP" + + "EV4vS16ODaJO6qIMR1YsaGEPo0ecT2pEStvP37X6pb5TdyjyKYF3586IN6TJdFMFsW/Lqg" + + "tucl9bGlWmfTVwxTexq6+D8diK48KQ=="; + public static final String[] TEST_12_DATA = new String[] { + Intermediate_Certificate_CP_03_04_crt, + Intermediate_CRL_CP_03_04_crl, + End_Certificate_CP_03_04_crt + }; + + /* + * test13 + * + */ + + public static final String Intermediate_Certificate_CP_04_01_crt = + "MIIClTCCAf6gAwIBAgIBGTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjA0LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC5UJ+KMj8tAmzr3OGYL2gSFcNTf8ik+ZVxlaPVGHyS" + + "KjYQBAEbefhfg5Ps2aIuqBwYkbtFXuHif5GEhgObA4InCyESeRjYLGcVMqwSZzAOFAR0dP" + + "1LzgzQs3ZgG9JX5MO5wEZ8IMnVN4Otu4XIlWSgIpUNS2vyet8Zi7t9fX+JewIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIOZvfph4Uu9YwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAXMyscmGpKSLG3hQltMQLegy0+g5wzgOrbFOWxZmiVNR+zSsHDD3UAH" + + "H4SyTozlooC0jAY4yAhZ5RX6SSJKx9fHsOZD9ldCmst14qLk3pkI+M0QiPBZkVTx5/7dR2" + + "wGkuNKSVWH6woOq7BbEzpO7xMlrUr6tgHt4Dc6Evt1pVZls="; + public static final String Intermediate_CRL_CP_04_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wNC4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIOZvfph4Uu9YwDQYJKoZIhvcNAQEFBQADgYEAe79z" + + "iEUgP/mvouJ9ufit1y4SjnHQWik75W65eGn/XGArRrBqJ8jZVJE4/rpDBbzm2V0hQoWU8z" + + "zchZFlesUyqQZ9KUlT0YGR0YPcNw/V+58RonWWfmU3M2DvWDrXgCOXPm61+AYq4+kTowsG" + + "0stmeML6NxjDzWpfAgI/MpXqe80="; + public static final String End_Certificate_CP_04_01_crt = + "MIIChjCCAe+gAwIBAgIBGjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC45OS45OTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDQuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPiAZKXPjK8jvaNj34VynyKPK7dQtFysBPKFW5Y1" + + "Bc+OMsyd2pPpQoJYcQTMMomlAqoBvSXUJCMNly/BxVuvn7l6I9crtx6PjBBUlEzdcsscaa" + + "EaHuCCVl+Msnr66cSV3GqVGAhujun81+lyurcTEog3ftsohwbQnfA76qNU/N3/AgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIJZPDbf2xNv8wEwYDVR0jBAwwCoAIOZvfph4Uu9YwDQYJKoZIhvcNAQEFBQADgYEAZf4L" + + "1RDHDXwwA2CgcIhM4CAfZ72CR2zOan0at38VVFB3u9vs4VLwFcrOQCIjDbdLijc0XWLima" + + "4vCD1qrsv6Hk5+6113HfFNmD8mp6X5jAwoNPa/I4kmFOA8iIm4TTk7M75vQyCQTPG0VzbU" + + "Nu3uwTbXKm5ME9C5MFMf7z347CM="; + public static final String[] TEST_13_DATA = new String[] { + Intermediate_Certificate_CP_04_01_crt, + Intermediate_CRL_CP_04_01_crl, + End_Certificate_CP_04_01_crt + }; + + /* + * test14 + * + */ + + public static final String Intermediate_Certificate_CP_04_02_crt = + "MIIClTCCAf6gAwIBAgIBGzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjA0LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCteErspc5ekSOel/wmjn/XQ0HUy4XzxB5Zj0nGn9FD" + + "PbjF2LERCHOn5aBnIMHYhyr7PDynwbvSx2egzGC6wGe9Zrri1MteirQ9Ppw7062IIleloy" + + "UAiuwvD+s0npKsvboarQsCMfOB1hOB1tGG1bjXP6B5B187SZXuR3KawggyJwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIUjnGp96itUMwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAR6fmN+9p5AWy/asEAiVBnbY9q7EQXyB8WuZK9FtFmupe3hlfcTq84E" + + "A+TGvXOlNr05/1iLRv82GsWXDif7DlGVPN8CS1+0kb5Ve8Pmv2ziiWVREqWx916ioPjDRp" + + "wvdGcCNC26+fyvv5TrP8uzojurl1ZlVRRqi2sIbopVX5r8w="; + public static final String Intermediate_CRL_CP_04_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wNC4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIUjnGp96itUMwDQYJKoZIhvcNAQEFBQADgYEAZkXJ" + + "aJG4QDE02wFURwaxWuv2VyD7m+N/2B0/9KR+6UKVpsMd2XHq+G3SlFOa6dA/fHUdhtUs2D" + + "gpx3SfQYbcgKFrryZHqJDK230eP3F41S9g5XJTRaNR5iZvxvh4bmSf4l6a5MXsKEoBoJoT" + + "j8cU4qg6j7Xk4NpIR1JbWiSIYQc="; + public static final String End_Certificate_CP_04_02_crt = + "MIIChjCCAe+gAwIBAgIBHDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MRAwDgYDVQQLEwdUZXN0aW5nMQwwCgYDVQQLEwNEb0Qx" + + "FTATBgNVBAMTDENBMS1DUC4wNC4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDQuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALM7mfq+hpLfvQdqZUJfIx/2gFcgHS2AsgZn0An+" + + "Yn61WtG8K2+lt/a8aypa/q+J93RVkRYKWKFQcJHiRgx7DMlXElVnfQbSFuLX46ng4hqmQL" + + "sSOKmXDld2BlyMZ41B3rfdhJT8P12RMR6uAwvc9CH3b0UTcsc498Kj+JeaRbzxAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIo7S64S6t5nswEwYDVR0jBAwwCoAIUjnGp96itUMwDQYJKoZIhvcNAQEFBQADgYEApNT5" + + "Y+9Jc28m5Qwjm+/8SKk83iCPnIW3BsAvQUB9Wmd1+kMZvqLySQjm1tBBbcGYuSERMJ2Et5" + + "eoTdL9B6EG2CZYnPqu1vk0TVugRxs7IJm4h5z4MCInf2g1KTt0AMEasQW6ZTj7DIkkU48Z" + + "EKLPoBGXfD9t9Y9cmdj1e1RQbog="; + public static final String[] TEST_14_DATA = new String[] { + Intermediate_Certificate_CP_04_02_crt, + Intermediate_CRL_CP_04_02_crl, + End_Certificate_CP_04_02_crt + }; + + /* + * test15 + * + */ + + public static final String Intermediate_Certificate_CP_04_03_crt = + "MIICmzCCAgSgAwIBAgIBHTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGQxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEbMBkGA1UEAxMSICBDQTEgLSAgIENQLjA0LjAzMI" + + "GfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD11QBcw4P2rTUfPmbVNYqdo0AMmcB3Yxsx" + + "Iz5me/S1I2PJLtRh9KP7lUV20SMEFsFKtE1C+9O7ODtOUCJA/6ECeXbyj20SbG1E2oQrZe" + + "gkcn7IQDUgnuedzdFj4kTevok6ao9hycg+qeZrL6oeBD2XQCd9nqMmzhihNu/QOSnp5wID" + + "AQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMA" + + "sGCWCGSAFlAwEwATARBgNVHQ4ECgQInx+ELo31rJMwEwYDVR0jBAwwCoAIq5rr+cLnVI8w" + + "DQYJKoZIhvcNAQEFBQADgYEAriYMoRDpSPI4HWrxN1rjqWIzggz8p1wpbEFgK5o/Fi2KT3" + + "jCd6bfCcIFDpoXNqlsc+dvzc4XB1Eg/Qbcror8HP8LSxrbFw/y7VhC+wCaDCmhcqQn3rp/" + + "WaOWnR7/H7HlKM9m1u7MBtwlxHINnLKwPHIA1XwmAnItAXIL2yHRJhU="; + public static final String Intermediate_CRL_CP_04_03_crl = + "MIIBUTCBuwIBATANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxGzAZBgNV" + + "BAMTEiAgQ0ExIC0gICBDUC4wNC4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWq" + + "AjMCEwCgYDVR0UBAMCAQEwEwYDVR0jBAwwCoAInx+ELo31rJMwDQYJKoZIhvcNAQEFBQAD" + + "gYEAvJgOX6tewnRbC9Ch+Fe4KjkB9IAhe5anQKGfnDHuLfga6JEjOzyfhonWZeppJwvYpl" + + "1rZbsKICNphMDkd/eaWnn8Q9w02ah4kzIb0LuzrNBrxpFv9AAidfGU2VeF0gRi02jtAZsh" + + "gUNbrdC+ovA8mAsBigy+HMzCi61+wrumwvo="; + public static final String End_Certificate_CP_04_03_crt = + "MIICijCCAfOgAwIBAgIBHjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "GTAXBgNVBAMTEGNhMSAtIENQLjA0LjAzICAwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMT" + + "IwMTAwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYD" + + "VQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLUNQLjA0LjAzMI" + + "GfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2Rd0VKnTIrME7hzpnpIPGXGXZCjpf5lSO" + + "19zvB3WdZumLGdwUBXpIQTrl5teYgL62PpOwNC93URZDEUt+rqoqvs8E7MpF3IulStp2+H" + + "/xa6Ihf4OmkgKjpHNTWOIFXeRJ4sVgWuH6cqQ+6GL+0fa1sed1crsEgTTAGYNhFi6ebwID" + + "AQABo1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR" + + "0OBAoECBNwCFdDgPCqMBMGA1UdIwQMMAqACJ8fhC6N9ayTMA0GCSqGSIb3DQEBBQUAA4GB" + + "ABAjSPg794yiVz9RqdNxic8TGnApNrZui/vwr1U8ZkETZfx8W1fWgQ0z7KjryML5IOmvps" + + "zycM7by6jb2kMmxI1SQCwjiNQ1fb1osrNAj2bRfpp2YgjjbHx1XkddommtVc0V8kvyQBcb" + + "7NdxfbwKr8AtpiWTWIajc2uqUlELsLzr"; + public static final String[] TEST_15_DATA = new String[] { + Intermediate_Certificate_CP_04_03_crt, + Intermediate_CRL_CP_04_03_crl, + End_Certificate_CP_04_03_crt + }; + + /* + * test16 + * + */ + + public static final String Intermediate_Certificate_CP_04_04_crt = + "MIIClzCCAgCgAwIBAgIBHzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOQ0ExIC0gQ1AuMDQuMDQwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOFf5hr4R8IqTp53qQSiBEjOFQ3Q3ICcafl+FLzm" + + "K3xIFqERjyXARsTM4gDQ9yntFeNp2TiIi98xBrz7D8TlrbTAmxO/PUfAQ68tXpz9Id/XrU" + + "WeAKxMZULPL9nPFcGQoh0qq3JKpFRSb3Iobryfysblm7cCDDCJOI7uK14XZtTFAgMBAAGj" + + "YzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMBYGA1UdIAQPMA0wCwYJYI" + + "ZIAWUDATABMBEGA1UdDgQKBAjior7qCuLBljATBgNVHSMEDDAKgAirmuv5wudUjzANBgkq" + + "hkiG9w0BAQUFAAOBgQBhh55gTy5htqjxW1Ch2hRrRikhBH7LJz1PmDuzwiIOtnWL+EiQOY" + + "T6h3NV1j8Kn5S4KhUOrhnvrPXRi22HdqRzEPl7y/wXm6G0XcgYlyy2ofZKdYVWCVStKAMW" + + "5SwV2wC5RPK2KphdhnlEqss6QVRUsliDDjnf9Saiey9nzJAfNw=="; + public static final String Intermediate_CRL_CP_04_04_crl = + "MIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNV" + + "BAMTDkNBMSAtIENQLjA0LjA0Fw05OTAxMDExMjAxMDBaFw00ODAxMDExMjAxMDBaoCMwIT" + + "AKBgNVHRQEAwIBATATBgNVHSMEDDAKgAjior7qCuLBljANBgkqhkiG9w0BAQUFAAOBgQBI" + + "VlXD5FnIiO8tavLJ8qo/qRhbBNgUbFBdAgAY6yVnFNP6YN4qPineYPN6NV1XdqNDrZh2Nz" + + "GHzX3YDo1Uv9yABVR0NvXCaMIW5/raqZp/on6bPuQLgJe9UisOPKunzehTm/NmO1RW9dwU" + + "37UzC0XnVHyVipDVh07DrTKBUtQJQw=="; + public static final String End_Certificate_CP_04_04_crt = + "MIICjTCCAfagAwIBAgIBIDANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJVUzEZMBcGA1" + + "UEChMQVS5TLiAgR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRswGQYDVQQDExJDQTEgICAgLSAgQ1AuMDQuMDQwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMT" + + "AxMTIwMTAwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQww" + + "CgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLUNQLjA0Lj" + + "A0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCegy6qOnM14CS7+enBElgh2DLtF5bn" + + "ah0yfA18/hbqnmUaWOWJQllyXa8QFawnvdXOOEXJm1ErIm3rDYihkbUTP+ybOBH9dprWtl" + + "1cSGL9CkoxwzkJRLQTu5xG72EhET3S3kwqZsmYbgy4MduGKv9VGFbv75Wr17Vo9K4Lz6QK" + + "vQIDAQABo1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQ" + + "YDVR0OBAoECEc4b3BP059HMBMGA1UdIwQMMAqACOKivuoK4sGWMA0GCSqGSIb3DQEBBQUA" + + "A4GBADj73jXpPLev5crwZIoXCJd/nXXp1fJzEEbByWggsR9cFHN4wnp7N6gpIxQbLQwjmo" + + "cLPC1pHQ3A5VHVrCbxAk6nifmSvnKFWHTBftZGpfTGkrXbURFF64T/CB4O+JXr1eBUGheN" + + "Q0T8L17UNgi3oBENKjASWnpjxvD2QrOnH0rb"; + public static final String[] TEST_16_DATA = new String[] { + Intermediate_Certificate_CP_04_04_crt, + Intermediate_CRL_CP_04_04_crl, + End_Certificate_CP_04_04_crt + }; + + /* + * test17 + * + */ + + public static final String Intermediate_Certificate_CP_04_05_crt = + "MIIClzCCAgCgAwIBAgIBITANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOICBDQTEtQ1AuMDQuMDUwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMBsWmrcKH0J9bkI3zHthZ0S3904f3fMUSasY5qp" + + "7CSQ0sbXTwP947sfAPK4Dso6Bpwl0WExRCdFHd6qfY9wR+NtfuI/DkFEY8WveoqM4Vskpi" + + "cutWghCx14PiPY5YGFn8VvXu7wbuHp4TnHtUCMEUt3EfYO5oqm+/I8y0eTKMNHAgMBAAGj" + + "YzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMBYGA1UdIAQPMA0wCwYJYI" + + "ZIAWUDATABMBEGA1UdDgQKBAjOoKlp+BfGqTATBgNVHSMEDDAKgAirmuv5wudUjzANBgkq" + + "hkiG9w0BAQUFAAOBgQDLhQ/RJFqMDNRonAHZ30DYyphf8do4q6ARikhhXSSa6G2G/PzbpS" + + "x3T+3G8ot+NnFhtf9ZWo7KfwmFEbUA/B/X2vJaJbNImkMDT1aTY5sPXtA69B3QKQVz7HST" + + "f5XH6DjuoV0/m1M153A4vf1Z783dOPw1MzOq19t+6tYFeELEHQ=="; + public static final String Intermediate_CRL_CP_04_05_crl = + "MIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNV" + + "BAMTDiAgQ0ExLUNQLjA0LjA1Fw05OTAxMDExMjAxMDBaFw00ODAxMDExMjAxMDBaoCMwIT" + + "AKBgNVHRQEAwIBATATBgNVHSMEDDAKgAjOoKlp+BfGqTANBgkqhkiG9w0BAQUFAAOBgQAp" + + "6gLCdPQw7Hisnr1i3QbD7GybqfD6b1s10GQ3c/j59RYDe1Fk47Srs9ol/baleasWjcdt8M" + + "SlTc66KvK9YPFAqIdYoOW4FidpJBF/1cvSc2hGYwVsxLnXKr9CJ5Py5vBCCjovIRiLdzoL" + + "ZoteOKFIEHkV7V8V2OTFawxpW9hkiA=="; + public static final String End_Certificate_CP_04_05_crt = + "MIICiDCCAfGgAwIBAgIBIjANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FzAVBgNVBAMTDkNBMS1DUC4wNC4wNSAgMB4XDTk4MDEwMTEyMDEwMFoXDTQ4MDEwMTEyMD" + + "EwMFowYDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE" + + "CxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5nMRcwFQYDVQQDEw5Vc2VyMS1DUC4wNC4wNTCBnz" + + "ANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwZsiUhXiFHN9dfJb0Yyy+rYtV8gx+d0+8WkW" + + "5C68nQgSqqk2uSTpvZbx0bpHF+s+LKppj2M2tt/AfZgVQHTsp5rO0IftZE2iLwqejj0rYU" + + "Poprq1PE3vVhs818ZlDS0PTUP97YxLysQjq2jS/d/9lF5pS3sMlP4Usp24gXX0vG0CAwEA" + + "AaNSMFAwDgYDVR0PAQH/BAQDAgXgMBYGA1UdIAQPMA0wCwYJYIZIAWUDATABMBEGA1UdDg" + + "QKBAjpC0ZvCXrvBTATBgNVHSMEDDAKgAjOoKlp+BfGqTANBgkqhkiG9w0BAQUFAAOBgQB7" + + "YwJWcx+PU1sUZUOVleoB5amHFu0GT+Hy7cRa82UJMHFkz0bmnyEV8CBNcnn0xa5iVfwe2y" + + "5ZKwy61DLR3MPTar9eKITL67uZag9w+1tnIf594XRbEiUzn20uxuDFX3oPoZCemtWdVanj" + + "2T+9TVQKfrp15+qzOCObNNRHZw29EA=="; + public static final String[] TEST_17_DATA = new String[] { + Intermediate_Certificate_CP_04_05_crt, + Intermediate_CRL_CP_04_05_crl, + End_Certificate_CP_04_05_crt + }; + + /* + * test18 + * + */ + + public static final String Intermediate_Certificate_CP_04_06_crt = + "MIIClTCCAf6gAwIBAgIBIzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjA0LjA2MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQD0t0dfe82Su58bJdn4dh7E3OCam1AUPTzPnt7DwT2w" + + "1XwD76OCUYP7SBBjsLYDDfUCb2ek96pSK4jpzyE6/4IOtfObe7OW+iBT9YAB5WeW+SmvEO" + + "TIX+xo13sbz6rG6j9svcOxtth98yv7mxzV/ZwTNBSO72CcfDXIIq20TVunlwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQI0AufZEn1f9AwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAbfhxuNBYizxfMZNcyiN61j+7LXZZo3SmMU21UmOhPBTmdTbIkuVCI+" + + "F1jSWdu3eGShVNJ3jmkidDvojMm+E8ZZ1YGHYfgeG16dDQudaGUjGmOfYzzlkFmsaf0paG" + + "4y4sBerPsZCmhN7BanGh3qYPFvadSmp3OapGfEmDtS+BbVQ="; + public static final String Intermediate_CRL_CP_04_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wNC4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI0AufZEn1f9AwDQYJKoZIhvcNAQEFBQADgYEAIAI7" + + "W6K69twJZnHx6CoIMs5+P9DrJ2yKHptmntlOCTSJirC/xdj0Zv2k5FW84VrTtdCSZDT1Ce" + + "4Dh69fT2sUUexJb/4IcDtzloiuASSJzKWCeVIj9A8e6+coNUJVKtRKRX8bHJ5Un7xpFrY6" + + "t1hdxt8gUecAAdXEFGuZ3QEHHN0="; + public static final String End_Certificate_CP_04_06_crt = + "MIIChjCCAe+gAwIBAgIBJDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPdS5zLiBHT1ZFUk5NRU5UMQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1RFU1RJTkcx" + + "FTATBgNVBAMTDGNhMS1DUC4wNC4wNjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDQuMDYwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKq8rAPXsu1RVm3vT7od7CDLn8k/C3x3wvfzoWrm" + + "W0cmlhp9xRy5a3HWiJATD8yCKY1psBgnrOpv37sdtUX4P2kf668HrYOaGo365fKPeT5Wjm" + + "gp0pL3sXKNNsCuJPd3wKAXGHAi1R9arZFYPsKJlfQl1774dwAvzxSOMr5+pbnzAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QI33MEYdo5YX4wEwYDVR0jBAwwCoAI0AufZEn1f9AwDQYJKoZIhvcNAQEFBQADgYEAo8Ge" + + "ADBoJFEIRzdO37uasuyIBhClTUgyFhEKemMBN6aelYeiJMX6FZIL3DgZOce4dg7Zg3Ak/w" + + "B5m8XlGQLW9xIbpEzY/Iq9kr+qK6k9YmvtcOiHFbnudCFNZngTQZpxjiDaj4eA48uqKIxs" + + "51taC5gOv9LYWPnugN8TsUUFZ1s="; + public static final String[] TEST_18_DATA = new String[] { + Intermediate_Certificate_CP_04_06_crt, + Intermediate_CRL_CP_04_06_crl, + End_Certificate_CP_04_06_crt + }; + + /* + * test19 + * + */ + + public static final String Intermediate_Certificate_CP_05_01_crt = + "MIIClTCCAf6gAwIBAgIBJTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjA1LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCshocJtyGsxeEd2ouVTVKp+HuhDjnDk9eXtaLQIKaB" + + "7aTODHYbq1mC+1LO5DmRV5PBVd8NuuCA+1DmzFrfYl+nMCjjgOkC0//Gf9O85Hi/n21q0T" + + "F+oVa1j9fc7nAgLIziexaXrflYSbaeNWkwHHftGUninKPuNGM2re0krEeurQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIaUi/P20o4LcwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAWBLeJl4qlAPKxmBM5QZ2JYsbCV3VBeYGAKQ+4L7ehS63VQMCwIjBCI" + + "LaHGIFfCqecDNd6cpYIArdx4tY7X2/Zxm3j5ocngpI1Tv8zydQcFeraILglsHf2UZUuK/N" + + "6jKGjwL68C8YwmA+u6ZhcQFD2Xg4wSMC/xxzAs9zEAQGBPo="; + public static final String End_Certificate_CP_05_01_crt = + "MIIChjCCAe+gAwIBAgIBJjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wNS4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDUuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO9ODA12Fky/Md5AELkaOvOwB31UlfZq3SHAOvs0" + + "Y4NYoA7Q5KDIwW8RNzMSKD30z51VlgOAaBVR6HLo6rkcWB4wGiV7EPelewdSOdk72IrnYR" + + "npJEm2KEuLkHB+gejgk+paw8CejxMsrvT6loN8Pz0btBKxWaCfknTIyXVyQsolAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QI5LtSKs/inGMwEwYDVR0jBAwwCoAIaUi/P20o4LcwDQYJKoZIhvcNAQEFBQADgYEAOMrC" + + "38uzHckKMkiawXhPUHtDQfyR7bLweS2qro7GyndfxPpeMJwjzVxqvQBtMuHON+al8jyXpy" + + "BsEryV6qvdFC1vczLzJHAJZmLe5np27zQIXOObsyYcOG+aPq727/pKoD90DAlBvrxNW0ox" + + "x7citflEYpmOEv9Do5xiO3MuCFw="; + public static final String[] TEST_19_DATA = new String[] { + Intermediate_Certificate_CP_05_01_crt, + End_Certificate_CP_05_01_crt + }; + + /* + * test20 + * + */ + + public static final String Intermediate_Certificate_CP_06_01_crt = + "MIIClTCCAf6gAwIBAgIBJzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjA2LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDI4MXZB08BfUHxo//4Re7Ax0qWkHgy6nb+/XaLQ2Fw" + + "Pbvpb5mkhLhqDZBSX3KQL0YiJ8p81tmdvRQH/LbFzX/3OKBTUfV5imYy979A2NEb4otFp6" + + "EDSskZhttY3d2IzUICoCWUXhObnmkHJ2jEc81bggFkK5Lir1m/tKq2IOPFJQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQICIAmlz6+Cc0wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEA0ZvIG2cnk32p6uxqGw8Bu40NrfHu9gNkJL5MhDHJXA6OxU5BX5bWZp" + + "LnKXLoHiqSdtEdmy5cLZw3kggxndxjsnRFMyCawaYupJBhlgquFbuvBtA8rMtkc5H4zudP" + + "ZcOcvXu7Xw58K+1caSGURL+A6uXFPnMUBd1+k+ejbtO8Pto="; + public static final String Intermediate_CRL_CP_06_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAICIAmlz6+Cc0wDQYJKoZIhvcNAQEFBQADgYEAbkJe" + + "jfc1rztCbtC6xJZ3iZEDDMW2CxFvOvSwhmCjPqVY3lrCPNSQzdjmqepioCnu7ongP+HAA7" + + "hM7bm+SoN7KzXKufQ7C2ONoAwvoPZgnoidg7RVECxUByD6AJu04yd2wCLYRpCfS2tDtXLh" + + "HEDpe+ELwv35pbkCMlCO2u7J+Tc="; + public static final String End_Certificate_CP_06_01_crt = + "MIIChjCCAe+gAwIBAgIBKDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wNi4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDYuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOh7lUwMRet7t/ABI6mo27CsnRzQ64Xx7f1dqxrJ" + + "NuuSRslVShaWnwiGHjc+5/TS7Urfj9VO0dseBCzPsyYFoIX1q7Q5zlArwy24qpXTGMmlpE" + + "GByzi7jkXO8w5+wqh3+8RFrQQzr71zLtAVV/qPUyleuF8M8jzkwfPvawunmwdLAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIayC0PPU9zyswEwYDVR0jBAwwCoAICIAmlz6+Cc0wDQYJKoZIhvcNAQEFBQADgYEAPz7b" + + "UvaEV7Myjhe8LJO/soj84X71rvVPtBPrhYjWTJ6p69GCfJRyho3vAUIt8RFal1GFb72c45" + + "DQGkcVzLLJw8cDP3ajtWac5HZ9dNPJkW+Kh12l9gqjn061XAjQ4XnbbwQDYCuXhguPE9v3" + + "kzDbimwVwIEOB/4SARX37y7TUWk="; + public static final String[] TEST_20_DATA = new String[] { + Intermediate_Certificate_CP_06_01_crt, + Intermediate_CRL_CP_06_01_crl, + End_Certificate_CP_06_01_crt + }; + + /* + * test21 + * + */ + + public static final String Intermediate_Certificate_CP_06_02_crt = + "MIIClTCCAf6gAwIBAgIBKTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUNQLjA2LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC/IejV3DmeaLW8OwMfAGyr5+8NOxM1C+UBYslbOfWj" + + "KUGdhlX6TxFc5AOJVJBpS/QjeA+RWoUCxnxKb9QSlOrBmADrcnGz8zV0/c0JDLaU3oSgsV" + + "EWZE0SexBVWrKcl1j7wN0RuxMeAp342/YoyvBwea3VeqJkmSCc7Y2TjruWEQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIaHxWOdHsLbUwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAuzeq/lqp0qs62krK6EA81Silhy42l/KmynE3mVu9GPBgQS0BUDi7+r" + + "QQ+m0UxYElzj2SNO4J5aBYeC98lVJFCHX7QE8yVOoPBQd5rA+rrz4HD9QoP7glxTqLU6Tc" + + "9VFd+iaFpqsVtSh2bxH2BtUB2ARgebTklaNl5VPbu0+yc2I="; + public static final String Intermediate_CRL_CP_06_02_crl = + "MIIBbzCB2QIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1DUC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjAiMCACAS" + + "oXDTk5MDEwMTEyMDAwMFowDDAKBgNVHRUEAwoBAaAjMCEwCgYDVR0UBAMCAQEwEwYDVR0j" + + "BAwwCoAIaHxWOdHsLbUwDQYJKoZIhvcNAQEFBQADgYEAYGaAzVoUdlSZ3uGKiRPfHAFIoK" + + "T79hNOvtOxaGA0aIek9OypDrDqYAh/s2jsXSheL0pr/v9WRIHvtCt7ytXDxVyn4Nxjpfv7" + + "BkAMMiccdUx1OH1VElTRkmmtMe7ROzUeHUGzXJNPex1Bc9BvSChH18bWYckyOZdYJBjctC" + + "KJFgw="; + public static final String End_Certificate_CP_06_02_crt = + "MIIChjCCAe+gAwIBAgIBKjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1DUC4wNi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtQ1AuMDYuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK4D9H8JxeIrFuOmx0cSkIYNS0p7cDSBlcc57Na3" + + "+1k7lJD7mE9ZP6/47YsDVK2bwe4aTKCTXtPk/kGQ6bsLswJXbyW4k4+f5LeAYoXgbmZXjA" + + "WF+BKIl8uKetsqC3HkCeqhBaY1AGUqef4oOAkakEP+1jYFumNYtMaB+9x/0ncBAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIC9MiJNI71RMwEwYDVR0jBAwwCoAIaHxWOdHsLbUwDQYJKoZIhvcNAQEFBQADgYEAo/ib" + + "mIxteityjZlszjCc/s7yM/0snL78pYpMOZ3P2TPKkYh2Th4+Bw8JqX10+M/zwFBj5Bw7Im" + + "zCIRfS3GFuKmcVcyHB4OZLMcQZtXWA8GOZ94YvWq5TBINlVtThQtusQj15KBq2TJNNFUyD" + + "pBdvyo05AnEsRY0HbIQu6ZhNQ40="; + public static final String[] TEST_21_DATA = new String[] { + Intermediate_Certificate_CP_06_02_crt, + Intermediate_CRL_CP_06_02_crl, + End_Certificate_CP_06_02_crt + }; + + /* + * test22 + * + */ + + public static final String Intermediate_Certificate_IC_01_01_crt = + "MIIChDCCAe2gAwIBAgIBKzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjAxLjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDDOu1J/VIzbB4VcS2Dwf2fsHOmIj3iatM8y61V7CrN" + + "RCxCWTJ1Os8e/mFWOi/zN+0afizA0UzJDTe8L++/RlP68IFg5Ju2OhXqQC3HbUZmQ7ve9g" + + "QdWTfur3oEJV6/XoVE4WG0Ic7D1p7BENb3LUT+8MJdSboTvAggA1CiOI6zRQIDAQABo1Iw" + + "UDAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBAoECP" + + "RyRiSV+4XrMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqGSIb3DQEBBQUAA4GBAJlmJ9EW" + + "9ujUosqHZyZkniu2vX8VOL52OnxtLxw3LqxLyuxivjyYCaMAaJNr7/xfm3C2ozh9mQyZTQ" + + "6TpBapLFUH8QsEKUhy57MDUgIvZsyOvvjJh3AXfSkXDaMZ3ncLg6x0wwjN/Hxu9i+IhX1W" + + "1E7/5foGx7AEVfwY7Fo9S82d"; + public static final String Intermediate_CRL_IC_01_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wMS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI9HJGJJX7heswDQYJKoZIhvcNAQEFBQADgYEAV4DM" + + "F5gU8MZ6E/mnjAWS+dIRKUBJV1GZJ+hOysdbmK1hD0mj5Pd5qTzlcvLjuatIoIsB5DCpYd" + + "AcNRLVvF5EJFhVjqsPzRlfUZth0Xqa+U/DeHjVxHxYsLEOSt+v2bLkbGh88SmOAk6F8xj1" + + "l7YIfPX5cIkUBTVZlsUt51slMXc="; + public static final String End_Certificate_IC_01_01_crt = + "MIIChjCCAe+gAwIBAgIBLDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wMS4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDEuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPrk1fosBu0hemIKgTDCeV/RoFbbsm02X4LfZonX" + + "KeGRGYZXz4tpWgbNpjKBq1e/2bOO1DCn9I8I2kjvZdOkabk4MLeuRDo/sqlNndu4Ar5502" + + "pAo4A2V0QLR4IDHAJoDpxtSFrqELOiiyCx9O9V19ywe5pcBFrxVEWDqTnBUeDJAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIbI6BhABrmQ8wEwYDVR0jBAwwCoAI9HJGJJX7heswDQYJKoZIhvcNAQEFBQADgYEAYzYy" + + "M0wbzNhZftAWz7TfFi64uA9WmTmd4MeK9vga4ChswT4H1zlaV1Sr+3hqpGmOoP5AUd9XIq" + + "O/ui+/gFaeuOLI+ATmK+V2KHGAneMwzcw9qbXRc+xZqGGjbXMb3Bowe3qrj3mhyowfa1n7" + + "x5xB7XEOqO6sfWxLdDjLVo4sn88="; + public static final String[] TEST_22_DATA = new String[] { + Intermediate_Certificate_IC_01_01_crt, + Intermediate_CRL_IC_01_01_crl, + End_Certificate_IC_01_01_crt + }; + + /* + * test23 + * + */ + + public static final String Intermediate_Certificate_IC_02_01_crt = + "MIICkjCCAfugAwIBAgIBLTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjAyLjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDemJgZnOzXOwNGqRA3Xq9aMrAWQU4oFuhSELsEYfLZ" + + "GO3ntBjJLqCn+rs3FjR9N94cu63TduOAgqlXqrNbvyO1+SF9m35JXreqn/OS6KrK6c8W2I" + + "pDAWJcr89nGyyCXMoJeaOOtj8m2NjZblmCZvtAl5UMOew73GE7Z5fE+jtA2wIDAQABo2Aw" + + "XjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAw" + + "EwATARBgNVHQ4ECgQIhT9GjaaHj68wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN" + + "AQEFBQADgYEAWhKJUujLapxpz/DoD/w48HMzkL6UQCxQPOAjwwHicX8wFcKmcrWLVBdVC3" + + "0+ywrzMraWhaq+QCOqsgtxCwTZrfUxbCNqhKS0lZijCMgNN4Jht+PAZ22tzEsw7nCwiMM2" + + "n1jeKF/3btoDEUvZn9SuzhkIyxy7Q8l2tbNOsANqpxE="; + public static final String Intermediate_CRL_IC_02_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wMi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIhT9GjaaHj68wDQYJKoZIhvcNAQEFBQADgYEAJsjf" + + "oS3F1KMpcVBOC1Z6P5N20TYLCCHG6KETlBA3Rjf8ehNxJKJW0lGd7qHpVHp4BGvkSfaOAa" + + "OrC0G59wjDEY+Ci4QS46OYzBcHXMFX5HF2xMq+y5SfQnyV6MQUVVkxJRjgsTLrYwP2JaYm" + + "BK/zExhqQgPfgcR+56swBPXqogo="; + public static final String End_Certificate_IC_02_01_crt = + "MIIChjCCAe+gAwIBAgIBLjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wMi4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDIuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBANbTVeAxOibAO3KGqxxY3VqKXDr9tKJN+igpKb4w" + + "goR0ZnWGDusSVm4pvneZ9qfmi8A0sM0E91+B2hAwsU6Y9RoA7nPsTkFYi5F+hHGIF46Op6" + + "8blGrZraGf9bsWXCZFoLoxcgltwjGPQqyZ5mnnm8cxUbtaWmgo28MK1yBH/sS5AgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QI3gkBNo/SISMwEwYDVR0jBAwwCoAIhT9GjaaHj68wDQYJKoZIhvcNAQEFBQADgYEAQGl1" + + "7uT2xxYDks6HolrQIpesIoPqEiZ8TkizEBuLG3sUKsC7klHwy2iyVvA6nRUDwf/XzDLpGW" + + "/Gn0KTW6ZYIX6snOC1+7HX5OJglQx8tDpDvcAgyocK8PvCrHfu9o33J49aSeLAVpoCHwne" + + "tTtJxVfTMmjYWKeDbHHHi8a2YTI="; + public static final String[] TEST_23_DATA = new String[] { + Intermediate_Certificate_IC_02_01_crt, + Intermediate_CRL_IC_02_01_crl, + End_Certificate_IC_02_01_crt + }; + + /* + * test24 + * + */ + + public static final String Intermediate_Certificate_IC_02_02_crt = + "MIIClTCCAf6gAwIBAgIBLzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjAyLjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDoeA32BPwgq8pLJoR/tbOSjHtAz6fmzvzJrhJMvl64" + + "ccVuIzGxzOneYsO/ZYWy3ZGtlCoMZJRnS83tw0ikU9vQUwBw7DEcfRlLKYkY68rp25N1V5" + + "JEjnlHw+RvubdGkonWzUNJFbY1GA24J3no2GZHiLPgWmGb1jsA8Ag32MUrCQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIKx4Ybzu2PaYwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAotGeNFzmktvcxpCRcpuARHkv1lW+LegvbDBnSPvGnr1+Cn9rZcuLup" + + "u8ex6VJ7KWtgWBtzdOelerO6ytfWQ67uNpTOuc0SDdk/f3tCagdx44LBVQywuq/Kj57ZuN" + + "jpe4J8UPZSBFFK+P3gTX3S/lIKsDi6xjRnqFLSQYGX2XiIE="; + public static final String Intermediate_CRL_IC_02_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wMi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIKx4Ybzu2PaYwDQYJKoZIhvcNAQEFBQADgYEAOfuX" + + "wRv4skbPZAbOH/LVXdc/cA7vCSTAnWecN3ZKm/eCsxbyRxqn7fcDyHmqg5H3Ac5UOlMHR4" + + "FMe0Dp+Yu4Xg8xg3zRvE/3M/5jyRILGGi7olh4ikkOMD+UlreysvYvUX2MVP1iM9qAkXh8" + + "E8n/LZIlABN2GGkFEMRMJA6KTXg="; + public static final String End_Certificate_IC_02_02_crt = + "MIIChjCCAe+gAwIBAgIBMDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wMi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDIuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKogqWGx9EpJ/0G7ORopyIQ4IZXYKKTE48WqOJbu" + + "nLD3txGjMUb5Xefl/QyTfd6J758ddGzPiKs1zWO6riffJLIBoOFDmt8tchPBJuIM3gKgXe" + + "VcZMyF5mebm5/GZekMOjbs8P/zbLdrlu1D9CZWZMXONYitdluSg2moMGbewS2NAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIP8N7OmNGshEwEwYDVR0jBAwwCoAIKx4Ybzu2PaYwDQYJKoZIhvcNAQEFBQADgYEAwkpF" + + "j6Kv+OcKrUtOgnH9QddB0Ej0oU6B5/5Hhhf3liAPKtllDHnhUj6nqfh4APNq/iqYFOkKMR" + + "RUZoaj6kakJNSOlgvRIiQfuFIgv3CqLZnhr85YFRnKgoluZE1pq3TvunoiKyJbCjbmyCos" + + "Rd32gVcJq024xvY2eVBTl6tfn5A="; + public static final String[] TEST_24_DATA = new String[] { + Intermediate_Certificate_IC_02_02_crt, + Intermediate_CRL_IC_02_02_crl, + End_Certificate_IC_02_02_crt + }; + + /* + * test25 + * + */ + + public static final String Intermediate_Certificate_IC_02_03_crt = + "MIICjzCCAfigAwIBAgIBMTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjAyLjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC7LFt+yGItQFqSEPi03ICIr5ydWnFPQHZdEMNu2tRU" + + "3XiOpfam1wl0xgAPGBkQK768OfidpP/i1hgYOU/isOB5dyALscvIQ9XJG1OWQXBBLgKuCb" + + "MS5fuDhBNa4KiFuGMbJ3/UjluRsD9qaXwGUavc436JwbRHvW8FomaBYYY1hQIDAQABo10w" + + "WzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAwEwAT" + + "ARBgNVHQ4ECgQIPsBg9tMABhAwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEF" + + "BQADgYEANZcayTTX+FGhtRUJ+XuYA7jR14CJL6qTHPvdSMgHNw9mGXI/7sO5I4v1vayOCI" + + "YQ9luBvrTYlMPmuej8+bhM8YTYpiiOjVFANwvSKArI9U2CAGBcoBMXydykkm8qYw4gtYQT" + + "neiOz7VqI9plLWA111IRMgayD3CAt4Ntpzd1VSE="; + public static final String Intermediate_CRL_IC_02_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wMi4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIPsBg9tMABhAwDQYJKoZIhvcNAQEFBQADgYEAVeQi" + + "tT1FRUaJlhfpkfjZr6VHmvGnqYapdo4DRT/pm8tsp1LbZZXpYW638ztwgZNgeBRPFlcb+x" + + "8naQjEkoaYzLbCYfdY+PPVDv7ym15PE48Kve8ImvANY0YnTGS8pcKdK1dpNKBnYYMOG9JN" + + "+H5K/4cSm/WMCKIuKdsiAWFYauE="; + public static final String End_Certificate_IC_02_03_crt = + "MIIChjCCAe+gAwIBAgIBMjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wMi4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDIuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALGbo9yEujZ9RFU+Vmxb5+Rx1VdIG/3E/5hXV/xI" + + "OFu4mEfYh2tBhP2qIMH2KbrR1tiW5t4DvTCBM3NKKqp75wpiuu7E3q6imt1pLbGW13NVL+" + + "81gYWXnCnzHpxYjMTIqqCkPIAeOG+SBJ1MgERbL+NBl+AK3WG4TeQ8vw7r2CGrAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIS/HbII+ki/kwEwYDVR0jBAwwCoAIPsBg9tMABhAwDQYJKoZIhvcNAQEFBQADgYEAWHy4" + + "sHrTkqY1XjDBY5XpNEyhP6htcnjYD9bos4wjxPlJUyxdIWACWrLDE+R5iRCOYsh/nDAJEt" + + "CUcVASukvP6VLJaFjyxUOaCp6JCVV+txk7Fh0S/Ur3Zyysfp5LllP1plOA3N/k1Hliljp0" + + "+bnSiDhA1+3hJh0gDMjWUdRq9yM="; + public static final String[] TEST_25_DATA = new String[] { + Intermediate_Certificate_IC_02_03_crt, + Intermediate_CRL_IC_02_03_crl, + End_Certificate_IC_02_03_crt + }; + + /* + * test26 + * + */ + + public static final String Intermediate_Certificate_IC_02_04_crt = + "MIICkjCCAfugAwIBAgIBMzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjAyLjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDf5u5ouGQlQmdNfc4ell3RXKWmtq+ar9VKMme3kp8D" + + "cbDbUaVwlvhWTkOKxb9I208wfGG2nQiArezIwutlASf7sWo16EPapmGdCF+rp1dpjAPBUu" + + "fruEyCZ8nu2ITD52wuPY9OAcKHQE2/bBpCJWkw97fYX6Q9PPW5uobWoUJtOwIDAQABo2Aw" + + "XjAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAw" + + "EwATARBgNVHQ4ECgQIjDm8K5YcGakwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN" + + "AQEFBQADgYEAEQIJeZj/HE3HvjjJV7PdU+2Ze8OeCYeeWDocxrA647xpeOksVXBXKmq2OV" + + "NqoFk7YNtlSUqiS2TlqjGqLtKYetk7a17qS/8EIQct+H5KWdvkLkYMkfIAAMJvJZHPGxEv" + + "j+oVPAi9FITRbFdN8Jvdo9MAuU2q8d2x8MF236RmEds="; + public static final String Intermediate_CRL_IC_02_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wMi4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIjDm8K5YcGakwDQYJKoZIhvcNAQEFBQADgYEAV5bX" + + "7WsT8sWeA0iQ7V/+ZQESDzvyHA7Ziju0iRsvTL7qOVF/Nl5v+zND+ZNPhdJDKEM/Q0lEaA" + + "ybe0E73NMmM1qRX1daAwE++jHukF9TMeNl750HJaS667H6jcjeRrHUJDD0+AgqrZY52dL6" + + "CPM3V4QSvdfc1/xtKmNIZWSSoqY="; + public static final String End_Certificate_IC_02_04_crt = + "MIIChjCCAe+gAwIBAgIBNDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wMi4wNDAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDIuMDQwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMW45d5dPrzUJbuRIDeQ5gIJRYxi80PxPvxSmJe8" + + "ScG1A+l75SAtgLGWAxBqxPSzL+teBBUsnmf2Xsc8/qQHHev74uat0lxq9YrZ3npLW2YNo2" + + "CfxLK0M7F1/bhkHK2f9ttIvOrrKI67BeEjfACULdJEhl431uWINWV0pY+fHq+pAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QII61NnUvgvjYwEwYDVR0jBAwwCoAIjDm8K5YcGakwDQYJKoZIhvcNAQEFBQADgYEAjwgL" + + "6qMnnqUvNspsDaYpPQzTCqXkqshZhsy5G/nLk621H/YbNGlnZ6asHGljYVYMzjmcny16y6" + + "ntiv9QPB7YorAx27WT7pQPFla96s+nM/rfwWHPWI6QGDsquPriwJm/MwQC+1oDXEFKvdIL" + + "0urejfd5hgiXYbRRwMI7km97iHg="; + public static final String[] TEST_26_DATA = new String[] { + Intermediate_Certificate_IC_02_04_crt, + Intermediate_CRL_IC_02_04_crl, + End_Certificate_IC_02_04_crt + }; + + /* + * test27 + * + */ + + public static final String Intermediate_Certificate_IC_04_01_crt = + "MIICjzCCAfigAwIBAgIBNTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjA0LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDBtNwpr9LZBF2LRtAp9Tb1FZnfM3b/Jv2sdO5zc/Bk" + + "sO4ByUgY+Mux9dEvFrkVWBK110TvXn+dj+85TuboILv4MDKlu+tI/rtuadXGwwDIg8TQnz" + + "uyC7LWhxM5JZs1/Is+sPKUY4PTCHs3+EHPBWf2tFiP3l6ZftkySEiL6+2LSQIDAQABo10w" + + "WzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAwEwAT" + + "ARBgNVHQ4ECgQIbMuZ73onuZswEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEF" + + "BQADgYEAhaTSc2xafdP/QceMm9YJ/rZJ5gTgBR/SlmKQwd2BclHabG+Fozdg4delDjtRXS" + + "FKY3sFWBFZHVeprh4T93Oj6IVA5X4DIuUeBpprtS+psCnWZxdtcUWmbyYQwZNCifG5C5D0" + + "lRwxlMlv40xT2oCM1zPZpfmqemBDUPJ2OhkCjvo="; + public static final String Intermediate_CRL_IC_04_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wNC4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIbMuZ73onuZswDQYJKoZIhvcNAQEFBQADgYEAMk6D" + + "Rztz1AyFnFr1KAlbjLLwxtQplf2eIc//zUkDFVUHtX5TrEC/ijUaItjdkOoPGQfpnL0w8x" + + "wyqWndMh593QPCqIJTtv/iACoiJNZ90ZJS0adcdZ+AEmQpa0Zv0e1JOqRrPoAfTq4HrOfR" + + "vhBwhvKQNtTExupW/EBudznKC6Q="; + public static final String End_Certificate_IC_04_01_crt = + "MIIChjCCAe+gAwIBAgIBNjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wNC4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDQuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2dGkraKGdIi6EXxAu6/ekMqDloX5YSVBGh4Hp2" + + "faujr1u4j8Lp8afqjngRxFUpTqGbqH0ETgm4cVPXmc9rUvUzYTMdxTUmIZ+iW+ULZEvzNB" + + "712kxRPCD2kDFN2fH2ai8miXr434w+weLm8VQN4jJGo4nswhSs2w1gsUmWyn/ZAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QITsLx/sO1edwwEwYDVR0jBAwwCoAIbMuZ73onuZswDQYJKoZIhvcNAQEFBQADgYEAeKft" + + "0RM8/b3zQodaKrTdWiFyLg5fzoOsTecSfdFPXoqz9J5ejLVkvJevSmfXJrIUhKXySzsQi+" + + "GazuTh/hvWjwUTIvmupi+EiFudnMpXCro8bgi48+NkepNjXvjsSmOfzlrK3SxtpH5dqonL" + + "6LHjGyg+Xp0Nor1m5g1rLHyrcEk="; + public static final String[] TEST_27_DATA = new String[] { + Intermediate_Certificate_IC_04_01_crt, + Intermediate_CRL_IC_04_01_crl, + End_Certificate_IC_04_01_crt + }; + + /* + * test28 + * + */ + + public static final String Intermediate_Certificate_IC_05_01_crt = + "MIIClTCCAf6gAwIBAgIBNzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjA1LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDM3aWmgX3OzAaBg6lnWjpFQ9ufeTOia3+lIUqn+Ypf" + + "5OH/s9dLRqg1ZynV3YIUyzaJPP/YlUEmrhheJn3Bjw25bHeIKdge73pfEbuBAugbUMS75D" + + "csBV7Ze9D+sVw8w/LtT3ZPcvM3Vju4d+c14Ip/8pC15jlgQPhwVQSf0x3V2QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBAjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIJ2DFtxoQnXkwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEASvdcfBOh2d1dC10pGLZLI3T+oSPCup/U9riynIR3RxZsIaS/+Q2s81" + + "oeg++WQV6pyYvCLneZIp0efvqh5DThNV9lhBcJjlYwm/T8Hi2IaRGsSMwIvzrFN7zxA/zu" + + "tW98wigAKM2myk/nlYxmholgbQkQ7ZxYM3lD1TDRl69N66Q="; + public static final String Intermediate_CRL_IC_05_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wNS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIJ2DFtxoQnXkwDQYJKoZIhvcNAQEFBQADgYEAK7Ym" + + "Y9PjX5CpVewe2E9PNxj3dLYElghaQyapYoVtNq3jDqLMWspdmHdNdeaQoXsjlSJe0Zy8xH" + + "ZvpimwifnFZ5hq4yByzHjzNMpcA2yFtg2MtPWGEia+BmaZYZi3X0lR+OShKpNLFc4CfVM/" + + "aWG6W2BulHjIAThZhTg3uRekDzs="; + public static final String End_Certificate_IC_05_01_crt = + "MIIChjCCAe+gAwIBAgIBODANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wNS4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDUuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALlcUtceuxDznvI3pVM7YddPcBOrNvrOtpuLOa1L" + + "Lj9LeNH6+8CzRZnMsUtt+bRGqCKMEJLUIIstWwGg4SskXWk2m+nDKm5Ai6Kyx4nldpgtgQ" + + "xZSEwNcwRhpy7TtmLkxDVM9DoTbIbK0dZ7aWw4bXVHPK/lnOMtOaJbFDq0sLfxAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIiXgrRBVcDf0wEwYDVR0jBAwwCoAIJ2DFtxoQnXkwDQYJKoZIhvcNAQEFBQADgYEAhyO6" + + "SP6brWDDKZwdQGULno4Om5+DuilJKamyEcvSqE666z1KhvOCdLicqwVa6tQiAL6akrt5Kv" + + "R+TT0xqHR4JGosGLGolvK4DLrMeD+PRK7m1a+nJl44luo5Mn48HrKI7jn7n8Lp9bNdCHvr" + + "NHaQksCIR/Q8xoucPa+8sCTVSj4="; + public static final String[] TEST_28_DATA = new String[] { + Intermediate_Certificate_IC_05_01_crt, + Intermediate_CRL_IC_05_01_crl, + End_Certificate_IC_05_01_crt + }; + + /* + * test29 + * + */ + + public static final String Intermediate_Certificate_IC_05_02_crt = + "MIICkjCCAfugAwIBAgIBOTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjA1LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCrtIYqo2Is8Cd6Ld+fyWC755oA6hQiiruooaR/6O4z" + + "ikyhOUztnHkOGMF5H4CKWafwwVrfFtqe7iop3N6AToEIpNlJLVy3cj14A/IASVYSSNFeHd" + + "O44Id1NWhPiKx3paPTWslMEdKQV9BlXb7gu8pQpvqTa/38hNQ9vdil/4QZbQIDAQABo2Aw" + + "XjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBAjAWBgNVHSAEDzANMAsGCWCGSAFlAw" + + "EwATARBgNVHQ4ECgQI9P78RavuWW8wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN" + + "AQEFBQADgYEA0sAEmWBYSazUav6RtuNFtZgNrlQ2i5i138VzRHoF/kq/CxeR/lINQqgJhC" + + "ZlUnlslUuM86g8OQGlR8SS0Wsi0MdCQCtPCKA2hStlTx9MMux2IZAGoyHy6P95UE9qINHE" + + "fYZUYjO9rh96fzNyJ5Oy2kJdJWdhFXtSh3BSOe0ZD+Y="; + public static final String Intermediate_CRL_IC_05_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wNS4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI9P78RavuWW8wDQYJKoZIhvcNAQEFBQADgYEAlPLh" + + "+CMqRcbLgUKEAL2UlSY5tjsF8At0hf000kec93TnBf7f1NKYVJ5eyeoh/WK4s+k4paAA5E" + + "/P2C8JMlGXNTrqKZXMy2zIlufE1ymXAZCKLOLC5ezXRSpwIsBWxko2nfw8Bz/mZO/bCSCT" + + "nDwkH8BJIbFV51vJFlyyOmZnCz4="; + public static final String End_Certificate_IC_05_02_crt = + "MIIChjCCAe+gAwIBAgIBOjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wNS4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDUuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPsWBfT8HqaiLnoUCPAFniq502odL4uVqzOOxkx" + + "evZtjh7NaFlRjuYjTofdkj/IAgg7lkkBEW3auK47Td3TvqnHO401PqvOFNTlbhr5wDLmXS" + + "WWcR6XrvgYL3Z3wx15/z6eojcSgu07kdvKqzuLzcDs+noG8lbcruokX0A186pVAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QImgomUTkzwbEwEwYDVR0jBAwwCoAI9P78RavuWW8wDQYJKoZIhvcNAQEFBQADgYEATAEq" + + "YVV0iYdYomPqxbTapSCJFAMQO/WZhN9brCXP88+jRfk6cAHzTodQOYTOAVe8YXa904505e" + + "RA11NNTViP3s/AseGWuqbWjsom9mbR+tVkvufGqPQtm1JhfLgR/68e29AI7tj7zIJyFVYD" + + "nLRXGwMGnosqSHDle+WYyfok6a8="; + public static final String[] TEST_29_DATA = new String[] { + Intermediate_Certificate_IC_05_02_crt, + Intermediate_CRL_IC_05_02_crl, + End_Certificate_IC_05_02_crt + }; + + /* + * test30 + * + */ + + public static final String Intermediate_Certificate_IC_05_03_crt = + "MIICkjCCAfugAwIBAgIBOzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjA1LjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCajRjoRNL9HFTytLLx7C8WYouW0uONGsrtGS5tKMiW" + + "oLlQUkohqB2a2PhA1InNGQqnbDtNdqKbR1k6EzD6MyegvXK1sXs0ZE8gt0LZYio7Xp3k+Q" + + "7i4Rk5iTruAUrV8bFMYmeIXHXL/9rl5LQV8YRp/Ut3Bg3VECzfhQG4EavMlwIDAQABo2Aw" + + "XjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAw" + + "EwATARBgNVHQ4ECgQI9041oiwvHsgwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN" + + "AQEFBQADgYEAYwGYwLsA/kxYZG/RM+kvoH+mUebrBVZRBxjovYsYzNznD26fssjBFfiTmg" + + "zwZJfG7MZRsgDSRsS+bxuTlXMVeGRKH8fVj7PNq05sS18QZQOF0CCKzg9DLkCzkzkEWBxc" + + "5ersciPrL90UarOIPIJWUxQ/5sdMS/wZtYTU34rNNWE="; + public static final String Intermediate_CRL_IC_05_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wNS4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI9041oiwvHsgwDQYJKoZIhvcNAQEFBQADgYEAJHTp" + + "k+RRsD0dUv59J1GQMWjQTjVz39Xaonx2sk38WHcrHBB78L0W6Skjvt082PwZg32sb7FQBt" + + "boAQ3PIKpXMnFnkjnkyaFihrnMdfa0abCPtQhFl3yra+w+1a2RDjQBZOOdq3xlFcLi9unT" + + "YYome7eS93wchIvNWFpgwF5A5XY="; + public static final String End_Certificate_IC_05_03_crt = + "MIIChjCCAe+gAwIBAgIBPDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wNS4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDUuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYxdSZq7qRBdPOz6H+l0GGAtymAWTshfZZCubHK" + + "lQjbVq98qudORfhCOZgOy83j/mo2KAecBhxaxB9YA5ggWNAgaKtFvknvjFemtBCZwt6cVK" + + "8LCyUGKzStwAV1+HSDlHxdWo7pRwP0beXFvFECrX418osGt6E/v7Cz++ZtvaDhAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIgTuCLfTVa+QwEwYDVR0jBAwwCoAI9041oiwvHsgwDQYJKoZIhvcNAQEFBQADgYEAQRuC" + + "rAx9zzu9QwOq9weNit9PNgFHBpo3Gh9jPVYGJjOQxeSqqou503xi82H3W30FT/3ESCO7IF" + + "hfpr/uQZVEmUQnvDsVwbKvED1QF9qkTp6ILk38ITJJgfb+sdSL3bsUeNqVXd0C9wzVoErc" + + "OuoCulwkZzfoIOlO2YAjAnR1nUc="; + public static final String[] TEST_30_DATA = new String[] { + Intermediate_Certificate_IC_05_03_crt, + Intermediate_CRL_IC_05_03_crl, + End_Certificate_IC_05_03_crt + }; + + /* + * test31 + * + */ + + public static final String Intermediate_Certificate_IC_06_01_crt = + "MIIClTCCAf6gAwIBAgIBPTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjA2LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDmutL9PY/BLXvXMEDQLQnWE7dCOsrLNvJiuSjDdznF" + + "vBz6WS/RqUr9zsDFknpOWB3Epo2syV4ZFto+v4VWNo61uaClIEsw5x1y0saG19px34KVpQ" + + "wkpvLeRZySdCydKdE1rptYR/JbHvPo5TU4mxOo6L7JeEwAvjSI4tK4rwJ4MwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQI1BB9j6Jyny4wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAajWMbY8zL8jS2VUjCPBMuIjUvBfy55+92EXg5pZnyNNwN1diZfJFiB" + + "rrPWEg3Fa4NMLgaDKWZsYkOcDDo8I+Qb9FsU9LphCzQ1ubIEuxu6KPX9X29BscFOxUnZCz" + + "yuzVfadACxi5Y7Bz5pN5LfC/jEb2iXjkdN5Rm8AqT81syIo="; + public static final String Intermediate_CRL_IC_06_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI1BB9j6Jyny4wDQYJKoZIhvcNAQEFBQADgYEAxH4/" + + "mgACT847PyufmF1nob9TSqBj+cM5ye2bgv83gTVd3B1Gopr75Tnu4iP10d0PpSXjySWCjB" + + "0HPJ7BdxzkKxSrcM5vcb/jLdk9PqMUS30ohexsx1xK+E38pDJdLX4kbJ3E62AgyXm9WQlD" + + "9xsDk7TMXwuxHT4fX070HL6lWGI="; + public static final String End_Certificate_IC_06_01_crt = + "MIIChjCCAe+gAwIBAgIBPjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wNi4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDYuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO1VOl25MTf068LOgzmQOmyh8MXunBrQ4t6UYuEj" + + "H7v+owR9JTDXpfzLPcYfkR+BH2jjISSHIJsUDesKVhpmhABNXcOI5tiRNkeDlV2zKCBXKC" + + "wFi5qkhrE8FUCP0hL8YzbybOrYZYSVEP8GgIgMSQcTvhN/Tor0o1jdJvRLmevXAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIFJA9XGd9UZUwEwYDVR0jBAwwCoAI1BB9j6Jyny4wDQYJKoZIhvcNAQEFBQADgYEApRQC" + + "OTU9cp16BHM2n0TdZThgj9kSAQ4wHk/dKNOjYNEWu6n/GQ0alxy1dyRzpsr058FOvft23Z" + + "Kp0YhdKG/7F1hkcoNvC2yN+Re44n7S+F/jcEPTWnOX6h1Nkw8OS7Uz2fZ8t61iHjqjX4sv" + + "M/cKP+AkC8g7p2tfdkP1fQ6ww5E="; + public static final String[] TEST_31_DATA = new String[] { + Intermediate_Certificate_IC_06_01_crt, + Intermediate_CRL_IC_06_01_crl, + End_Certificate_IC_06_01_crt + }; + + /* + * test32 + * + */ + + public static final String Intermediate_Certificate_IC_06_02_crt = + "MIICkjCCAfugAwIBAgIBPzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjA2LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC0JoTnPaI/HT2eAqCW1204nRNjcA8EQSp87tvHLpWy" + + "5aafmxeJxvk5V9Ba7Ye8eY8yX9losbNUpHJFNdE46fD5qp/oS7Cn3NXA0dwIDQEn1X9vaz" + + "nqtZtMjt1S/yGv2xDOb2LKT9zRrqSvxGszCHFUBcJ4HDFJMAdhXPUZiLyXVQIDAQABo2Aw" + + "XjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHSAEDzANMAsGCWCGSAFlAw" + + "EwATARBgNVHQ4ECgQI7j2LO1CcsE4wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN" + + "AQEFBQADgYEAfXIh0oYlM2pagAWzTuYqTl0NavtfqibPgolvhgIG/XmmjswHOg/JVCLb7O" + + "jIYtEG2MAD0xQXwu0mc9Deufed2embP/wc0qVG7rj7lxUq6p0aMQJNndBw4m9KlSnjdzyG" + + "lwE9pNd2BgEeD516J2k7dspCZHDw3qLer4i2JYoCo2Y="; + public static final String Intermediate_CRL_IC_06_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI7j2LO1CcsE4wDQYJKoZIhvcNAQEFBQADgYEAJej7" + + "23qVtwkcvCTPb6afTosYMnVppPXWbtvqn0N5mAFHQfE27x1YPOXOQHBrpQuTyiUdUmPXiH" + + "xMKbuR5o2lfdQgew9hbYVk6GegSu+DBC1JKv2YSTgzgRAlJfyByDZ7mbJwZWHVHys08oGk" + + "adG6zstavg5EkEeRuAp47T+7cZc="; + public static final String End_Certificate_IC_06_02_crt = + "MIIChjCCAe+gAwIBAgIBQDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wNi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDYuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMkIzl9+NRTZf/xaA8noiHRt65Zo6Zp57YvCKUe+" + + "YfoC8koMq12MBgrc0IyIfJoqEDEMfD1WbitZdGZMQZ7D9BP2Bk09NXLEAAuj+waFhYk0bW" + + "vHBH90O7HpMGmxwHmzOjDV3JHYsU8hq77/5gRFDNRkSCJe2A1Maj8Gcqi6tYf5AgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIYDfThEjNL28wEwYDVR0jBAwwCoAI7j2LO1CcsE4wDQYJKoZIhvcNAQEFBQADgYEAJiHT" + + "CjLGZK5Lyw+7ICDHs3eS1OGJH/wfsLcBP5sLER41qJfrXGTl2XdKvBMIpriUmJYzjkjof4" + + "bvS/VPDNlhI9AJadicW8LM4L3qpy7/YV4Dd/C/BJphJ6cZcT+hjaRKeC7gQVjMeC/npu/p" + + "jLgIgzf7HC4WYnaS3h9oYl0cMJk="; + public static final String[] TEST_32_DATA = new String[] { + Intermediate_Certificate_IC_06_02_crt, + Intermediate_CRL_IC_06_02_crl, + End_Certificate_IC_06_02_crt + }; + + /* + * test33 + * + */ + + public static final String Intermediate_Certificate_IC_06_03_crt = + "MIICkjCCAfugAwIBAgIBQTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLUlDLjA2LjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCuUtIYFbVjg8VLLUqIEQ6r7hjTaqYVs8DJnJPHUWPA" + + "JW9HEIV+d6hj/so76Bff4KJRX7MgoXbvq4ivmn8656N7YSGk9GPuJ25SXK7RJyoqzG/x2R" + + "AVUCx/wG99VXVDZhd5ZAVBG2JCkHImsWAei6/Tz8UgXmmLBM8rZNJ/hNtTBwIDAQABo2Aw" + + "XjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAw" + + "EwATARBgNVHQ4ECgQIpwUlwG1W+sMwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN" + + "AQEFBQADgYEAqJhUfgar10fl5qG+oH34s/JS3ku0dRm4cTQvqUNOWA9ALnBhSkmOpoMMzH" + + "sE9FXXcZ072a8/ecpviP04X5mt5QSLreh3hPVvgWv1LiZ9YkS4Z2kcr+3Gx7zj4gQgT5vG" + + "QPpbIBAtBRH5xNHIYQsk6kOe2+t7b0Q82Wnj8UoznmQ="; + public static final String Intermediate_CRL_IC_06_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1JQy4wNi4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIpwUlwG1W+sMwDQYJKoZIhvcNAQEFBQADgYEAKCp7" + + "ViY1cajXpbjCIqe8yo/98SQRIxoTNgp7EUaaV17FeHZ59nJhRtsF1XnLP4cK0lPBkKFhHK" + + "2XyDEWx2hK3X7Z3lSAtn12WFJHOP5T5i0DmYfMJYAFbuPD0JQEWCM3aYsgbXKbbFH1BURh" + + "L/uy3arVBP4FaJB8gH678K4J1p4="; + public static final String End_Certificate_IC_06_03_crt = + "MIIChjCCAe+gAwIBAgIBQjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1JQy4wNi4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtSUMuMDYuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALZw+GpvdleGlmdqZ/zEO2DUGhwgrsselBUNnEzR" + + "bcuzr5O1WwiG6aLjrPxIXeL1wLS1/u9AD9p3CQU0XFhi+bEI9+LLnt2y3707O+AQxy1PnQ" + + "6qmYE4jMwqDGHn8WVanN2joFT3isLH5wJD0Jh74eoG0tqCHUyOiXaZNo78qgB3AgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIJOeyCnvfJtAwEwYDVR0jBAwwCoAIpwUlwG1W+sMwDQYJKoZIhvcNAQEFBQADgYEAJbz1" + + "RipbW6uu7B+f2Ol1iq4AVOUuET2S9vi9ojReyAIka3q1XUceZCm5Et0KqpOoOLiu8IRuNB" + + "bvKwRcZ4hcVEXv5bRMqaPEK2B0VrRAV/Llj5A+RGn6yc1ZdkJeBRhoSsaHn5whfICaiJX6" + + "j3lMpo/CiMRViL+gZLU3SdKqvdY="; + public static final String[] TEST_33_DATA = new String[] { + Intermediate_Certificate_IC_06_03_crt, + Intermediate_CRL_IC_06_03_crl, + End_Certificate_IC_06_03_crt + }; + + /* + * test34 + * + */ + + public static final String Intermediate_Certificate_PP_01_01_crt = + "MIIClTCCAf6gAwIBAgIBQzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDRkBhJJVgOXHjydAHAnokd/XfEiW+bnWd2ZPJrMBmP" + + "7TlvVpxOGqLd6lGdbelbSyAzut1i8lyYn9NSDR0PcyehCSS+MsKS2uNKsTEuH3mlMK/7C5" + + "B1qggKqE8f7opyl9+U+Qyi1WQj01gY6XYXaCxksCB0Oqx2737d7QWMvl15dQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIO1U69B4DBHQwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAcHWV4Q4z7C+IC4bWgIf1+BzkszCN+LSb4JquR7GgICESbwF2JzR+xL" + + "7yoKvB/NBcCqtMY4Hi1DHACbIGJwRe68vVHzz4CmYEK50UUCbAtiAiy9Od6wwrTyFyacBd" + + "CBjiO6mkFEp6jOsoIgXRfxK4kDNcMkGUUwMbSR/wZKFuImc="; + public static final String Intermediate_CRL_PP_01_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIO1U69B4DBHQwDQYJKoZIhvcNAQEFBQADgYEAHtbX" + + "MUofQlCnbJhgLQw96jsBRu0Kdx/Rk4LWxEbZQOWNaD7aukASjEv63d1qZIDgpefuUNTz5s" + + "3eascdtI6iyWFtBO3r6tihtkkSbxocN2Rz7OlR4rW9VwuUirxP0145nMd5CEL03/CNABP5" + + "zUo1bNgswHW3z/RaH6h0j0yTkbo="; + public static final String End_Certificate_PP_01_01_crt = + "MIIChjCCAe+gAwIBAgIBRDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDEuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALQaTS1wvv551g3BP9JYBMM+KXXLzxtOwPlO5NR4" + + "LwuJJB2WuO4vmbn8AG35in/0JqwjZeroLQvbCPxZseXsyA0+7cMO0qcjRJ5l5WdFsahT6g" + + "z1YW8pYYY5i2eDUkIRsM7roHMiNjt3zpkuUGX0xZQfAxhuWnRIvlGg5J4r7UOdAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIeyLSANVaTpQwEwYDVR0jBAwwCoAIO1U69B4DBHQwDQYJKoZIhvcNAQEFBQADgYEAvZ4a" + + "SQMNl+Q++D9yVaGr+37XJyxs4yow5e5YM9LXn1qBASQ+GNfqPWoe2cPCPYKj32yulxyFEu" + + "RHrbhpEQe+nrKWJgO9W1bmfwgQDin29ne/JCQPlznhd3EPFvCkmPLnTyJmSLR6B2VxvndM" + + "GO8JEbj3KCf51uf3VnC/Qj11mX8="; + public static final String[] TEST_34_DATA = new String[] { + Intermediate_Certificate_PP_01_01_crt, + Intermediate_CRL_PP_01_01_crl, + End_Certificate_PP_01_01_crt + }; + + /* + * test35 + * + */ + + public static final String Intermediate_Certificate_PP_01_02_crt = + "MIICfTCCAeagAwIBAgIBRTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCkQQXRO+dnU2v7EbaqQNmfPD8v0s5Wa50hl9M1Gfr5" + + "5nuVUZs/RI//1VksTNrW10MVh11nsxpA/XRPntEIbHiH1OoECd4dnZBiA/2xEueM02fTjj" + + "fb/t7g+pr9dSU/TzCVZDVWFBcPn4VNz7BBqIrTAOXaJkyBZ8hh7vyiE1Y2VQIDAQABo0sw" + + "STAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjARBgNVHQ4ECgQIoTKVlZ8YCR" + + "AwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEFBQADgYEADhtnd6ifr6kyfC5D" + + "UWuAXLtoccMj8Jaur/1YT1DgnH1XbBsEeZwm9Jkzr1a3cXPIHgaHYgXvBeGUtZ3XhbCSGp" + + "8U6clJz3lm3qKPKkb5rdDrpdTaPnEJJjS3C4ZK1L7UZtQga2Enlelm5vIkhjsF3Sexe1kY" + + "mzqiLZZ8yLxJ/Tg="; + public static final String Intermediate_CRL_PP_01_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIoTKVlZ8YCRAwDQYJKoZIhvcNAQEFBQADgYEAn94u" + + "sT8ZYNzfHIdnx0+fV0jglL0Kn1duz+ehKHow+RGqH+J9opMYuXVD+rVQnLdZl5LbFBcv+5" + + "TSP9WR9QtyoXar4/jmY2FFdBjfgO9w7p7OHD4WxblJmfPVOvrzFm/slZE39Oe5Qn4KlS03" + + "9tttEFTKDH3qREQbT6g4k4ExxYM="; + public static final String End_Certificate_PP_01_02_crt = + "MIICbjCCAdegAwIBAgIBRjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDEuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBANBwkwTWdZ977UAx6CCpXc9T4MX9T3/Tt6LbtY9I" + + "eXxI9W15eXm/aqrKiXhULB+oF9/qNeUi2fAtrURZ7hgHbTaswr8CZ3Uwc6Rbkyj2GGiM6Z" + + "8sKFztYZfFyGBiNEwfTT0yaUUQ6etIFqPuL/6qLvqXmvNPxFb9gjTH/azs/MdNAgMBAAGj" + + "OjA4MA4GA1UdDwEB/wQEAwIF4DARBgNVHQ4ECgQIW1/BRCbe3c0wEwYDVR0jBAwwCoAIoT" + + "KVlZ8YCRAwDQYJKoZIhvcNAQEFBQADgYEAPJg24q7wCU8CVlxFLchoe7txhkzApkVMIJ9G" + + "+QTnraHDn0CZS6undCsJw8mrTNBQPHFn2Ixa5lrPfJvwW4Med1bcJKbwR4TveL1WeYYq6+" + + "9k1kS/7KmqyKAKC/s504jAc7qgMd4b08oLxbGVfFVjWG/ZMbO770FrsyRHHs2rTOU="; + public static final String[] TEST_35_DATA = new String[] { + Intermediate_Certificate_PP_01_02_crt, + Intermediate_CRL_PP_01_02_crl, + End_Certificate_PP_01_02_crt + }; + + /* + * test36 + * + */ + + public static final String Intermediate_Certificate_1_PP_01_03_crt = + "MIIClTCCAf6gAwIBAgIBRzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDL/XgMvoeszcAzZqMYnv1At5u83Gb/CEX3fv6O1jL4" + + "W3XbdvBNIZpuTwQhTH4Iofk9rIuQdkR7xOmbk4AqZINuas3Y1CPdzss7teraK0CNralNl1" + + "jPYK+ClDBHt32Iw3bAl7RqWX73hl3YH6/7cvG4XCo1HqeeFFHUGa7HXGXq9QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwAjARBgNVHQ4ECgQITMu5Qbn1Cm4wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAuCnzXbHg87PIYYRbCCiXKDKA3MOcEKuxpNaSbtm12DQWpnvzmaK5nB" + + "D/Ebko97CS7u9Tpwa7TmTyi39bYzY0dmVaotCDzfSTpzw6qHZl/w8riS+cKr0mimnjW1cq" + + "kGPyHf0zBBqh0liGbd7EOLIBln0ASrn8V+G4Tj0Q6aQVcko="; + public static final String Intermediate_Certificate_2_PP_01_03_crt = + "MIIClTCCAf6gAwIBAgIBSDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjAxLjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCu1Fq+gBJsBf5EjKKtNIxgdtgPMObby7tKH7fTJxYE" + + "5LPyPi/IiWQ5Mi/8BCG3zmQhu9ZdBbpal350qCGVTbaMlnpi98D4WwXSw7e8oHIJIK689p" + + "Q6Z5cf8hgwPnwDpYLeEaqxwhd4bu0x1lG1fUISA0ZZIQaEeNSJfdh15IkAswIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQILRhQwULcyPYwEwYDVR0jBAwwCoAITMu5Qbn1Cm4wDQYJKoZI" + + "hvcNAQEFBQADgYEAlEVOqXcdeTU7wT0l+/BJhlG5iaAcanAsOaJFZsXPjLMSjhldQe11/z" + + "BsrrqjcpdctcmBarKO4MnwqVU9DN2RZ/v5Gps6OcPxj3T8wlrCGe4l6s9d1FncBMJ0RAUe" + + "QEn2JLkQW5JWRBQ00+RXJYFuIM6Ger2MipWj1oOciv9MMoc="; + public static final String Intermediate_CRL_1_PP_01_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAITMu5Qbn1Cm4wDQYJKoZIhvcNAQEFBQADgYEAycux" + + "rzvy2IiYfFkTw7QgGuBhxIQPbSIbfudqyUumuviHJkIMZpPwYj2wltjyiRaozrDAWq8mlc" + + "PsFYNr2lUYN5Cj4BhNQCNZlyBw7LLdzRgza55zVjmYkHWedyZm3kPWe7Y0w8xc/XIvi3iC" + + "qlwV+X85cgHNJarx3GEYdb7Yos4="; + public static final String Intermediate_CRL_2_PP_01_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wMS4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAILRhQwULcyPYwDQYJKoZIhvcNAQEFBQADgYEAbcjU" + + "+8l6pSik8PcuIzWndAg/w8uRfAgR5W9hPSXZChlx7uM+48wK98DGEXuTkJcbeclZia+Mpi" + + "J5u3qG1zhoL1aHr+RqyJrjiWKC4/rDBuiUk/ftU54mrYn0qev3aSjf/GLtpcC8kC3gpqD+" + + "20bvxLjBG3Vc9ZrxDvzfj8cD9K4="; + public static final String End_Certificate_PP_01_03_crt = + "MIIChjCCAe+gAwIBAgIBSTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wMS4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDEuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMO0l0+X6jfT8cY4DumtseTryyIJ7h+nraogXmYo" + + "uhFGvMUWEAZVGD4x9QTTVEL/UCqNfzpI//Pp/uZpDudSgOX0ZdAbykObqCAEO85msK+eie" + + "8baS1cW1XGjCuWDqNZko3Uo3c5lLPlRMbZ3hjvA1zmYh3prYnOh032GZAArVcVAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIMh2aWvtm0mgwEwYDVR0jBAwwCoAILRhQwULcyPYwDQYJKoZIhvcNAQEFBQADgYEAigVE" + + "FlCgbgKLR9FWIiwnz1bZ0MKsfhytllCI+jGx0Q3o3CxCGXs9PvL6BPDdMOxNIT/oU2uG64" + + "EhZEjcZCnUknGx9OkkSSVq44P/pGuUx1g4Kx4i8gsJ/UPrPpYv/3heuMcKWCr92l33cxPT" + + "IU+kmAtqy0MBvBKL4p635+MSIVA="; + public static final String[] TEST_36_DATA = new String[] { + Intermediate_Certificate_1_PP_01_03_crt, + Intermediate_Certificate_2_PP_01_03_crt, + Intermediate_CRL_1_PP_01_03_crl, + Intermediate_CRL_2_PP_01_03_crl, + End_Certificate_PP_01_03_crt + }; + + /* + * test37 + * + */ + + public static final String Intermediate_Certificate_1_PP_01_04_crt = + "MIIClTCCAf6gAwIBAgIBSjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC9gxMP8j4L+ISffY9wkislQ/V5sO9LzZOncYK93lZf" + + "HXJG1MPSQzFPNzDLSc2zsilA03v6q+zr4NRrRWwWGmB34NGM4aqkoxox/7ngTn0MIq5gZ2" + + "eOx0FbjA9W9DHEceVDS6kgs9lFcN2W+muCG2/fGqQUED9Fzl9JSM/tE8XAKwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIgdUt9H4i6kwwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAxPe0vM0BvormJLF5HxkyFcTtoombfDGANoLoyj+PTWRD6z1/AcAx5K" + + "rn/0J1sZo13M2ezaZUABbbpNH9X0OS225IJF4mXNpfkYhsz/+jNPGjRpN2p0K+DhMSawUw" + + "QfGv2x6f31k6WCdy/769i1mwKP6Rpph2nkRyYW8MwO0N5HU="; + public static final String Intermediate_Certificate_2_PP_01_04_crt = + "MIIClTCCAf6gAwIBAgIBSzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wNDAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjAxLjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC7YCtN67S/ItOzaSGqTvfEE483HoQGiQZ0ob3+0beK" + + "kmbSGADBQVBKe/sLJEKddyV2Gl8S4x+cKaKBWUI8lMZViJwWqVnyAFd8ZiAB/BpXaKKgP5" + + "pFsg10Yo/EtsxGlLSTLurst0azNnFv7ca5Hb8te3T91eaI6y59IjbsRgilSQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIGazrt+QRNCkwEwYDVR0jBAwwCoAIgdUt9H4i6kwwDQYJKoZI" + + "hvcNAQEFBQADgYEAUIz/MSc6K5eaIAg8skaAgm6rSPvcU/711b9G0qsIs6YqvEz4zhGi5X" + + "nalYYXfaSQzomuRuABNvuR1Ydaw/B9OdPMro0DhX8VpY6NzCL5Qj60/I4is5a+Hzgk82ck" + + "eAC3okPHbVMd7R9kdFsWNE3Capnv7rriqXO3vwFw8b9vXD4="; + public static final String Intermediate_CRL_1_PP_01_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIgdUt9H4i6kwwDQYJKoZIhvcNAQEFBQADgYEAkR24" + + "ebKfvEhDA0C7sawukQbv/q8mjSS3CrhA/oqeb8bML1IlW8rjHSXuRU/n3oeyAZuxLCAQMU" + + "TPG6Vq4dOu8XC1RY74xIm8ps4mE0xB8/nI5kadHUSDPtUZhNzc8tv+z7fUGRaVGL7CBEpq" + + "ICyQKYytCwxyf4xu2Ip71Uy2tuo="; + public static final String Intermediate_CRL_2_PP_01_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wMS4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIGazrt+QRNCkwDQYJKoZIhvcNAQEFBQADgYEAjpUo" + + "XSj0HX7Wm4w1FiRBBazInGOhSQX9VP2GcGb5lfr3GKt75Y+C+C9qd5X25DVkA4M1gPBK+u" + + "XjSMQoHAmFJychQG23rcGcuDJlzRMyfvPCF9dOGLFdmkuHSo5hQUyYsxnXV8cWLIkR1AUz" + + "PtUbTJL9g98R/OJFsCBiPi+By6w="; + public static final String End_Certificate_PP_01_04_crt = + "MIIChjCCAe+gAwIBAgIBTDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wMS4wNDAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDEuMDQwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOtf65MaydWM3bmMT8tAGCX8gZkx1JlgQyBlJT67" + + "2APIkfmKRFK/dBtSwwCVGHZG4JYBrrwMpzUPrkGKYI6ZVIvvPnPfadZns9i5SM5LZFS+a5" + + "JfbRnSJd8dXhZsKHxqkxIWwG6+VgnRKXE/Uc4m8TePQJZEOra5ezna5yhvqUwPAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwAjARBgNVHQ4ECg" + + "QI4iNoMjKiXMkwEwYDVR0jBAwwCoAIGazrt+QRNCkwDQYJKoZIhvcNAQEFBQADgYEAmOjp" + + "2EupE1AmgjGfiGK1fk9kf39yQXK1EDsyO6KLdWL/bmWeYi/G7ZE57/+yVVADJuHI8xVIDZ" + + "LAC0u5p35OLgbcmmA5bs52KWJJfa0nbgGpVaUSMg9SkEGS997OsgExWMvYhdFIKXlq4Rwc" + + "ca89Hg1GlXdrpfD2OCDNBvcWB5Y="; + public static final String[] TEST_37_DATA = new String[] { + Intermediate_Certificate_1_PP_01_04_crt, + Intermediate_Certificate_2_PP_01_04_crt, + Intermediate_CRL_1_PP_01_04_crl, + Intermediate_CRL_2_PP_01_04_crl, + End_Certificate_PP_01_04_crt + }; + + /* + * test38 + * + */ + + public static final String Intermediate_Certificate_1_PP_01_05_crt = + "MIIClTCCAf6gAwIBAgIBTTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjA1MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDFzEEzV/yUEORIOufyqpZzKpYz5aPyBbcDf8AMMCM5" + + "tEz7j39cf1f227cbrTcAaUfYFwkrb07RU4bTS2X+U2Ak7Q5OROz5rrZBbsfwF3yHhwHxCg" + + "KLjbwz7D+OJdNfv7x2HRckwfMUkmP4cEuJIIPwj1ieBbsnUi9dkWZePwl80QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIjsCjmszYCHMwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAWMUBdOdHMB/SV5kPUk+zut9g/1v/GyxyB60mq9jGqjrIsk4a9JRqa5" + + "MWju+6kVfSLelAOCR24EQsXnZM/5Qqg3Wb/SFJXWDcBnfWQWgh8UmJfmPhD7jViG5QVIxn" + + "iALNCYtz373L+IDECLMO6S3wcTPsHdYv14jl6BKtabwIpE4="; + public static final String Intermediate_Certificate_2_PP_01_05_crt = + "MIIClTCCAf6gAwIBAgIBTjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wNTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjAxLjA1MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCZzdj+ixWCuxJGMjcoHUwSNqI9Wt9gYwXUTl+dWg/E" + + "lg2SPJP7lrBOibAhSmaTorhunUSEf2adhdxhuGrd5Ucp6G0oZAa6ZDWaID4rKYWsI7d5kv" + + "mrUhDEEdzk2s4PCoPiQm4dKwRg2rIvA5Dv+W1ldqSVSG376zVrQ5xdjDUX5QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwAjARBgNVHQ4ECgQIUASviIKBmJgwEwYDVR0jBAwwCoAIjsCjmszYCHMwDQYJKoZI" + + "hvcNAQEFBQADgYEAa3c+0Drcq7iWP7K+gE6Mz/0ATQoiG87irXWfWBUGWtYnsh6K+1THMl" + + "ibmZjYhsztK1P5rm6qL6HAyw0PhrRE9imqZ16cgiMomh65BWQImOeiXx9YWIPvjXWsE6iV" + + "E31XShr9b9OZBA2+Zpydc3ID/SQzy9PiTAfL5yJiW/JZvFw="; + public static final String Intermediate_CRL_1_PP_01_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIjsCjmszYCHMwDQYJKoZIhvcNAQEFBQADgYEAZIzN" + + "pXT89MplQgcXcA/K7YKlf62QCbw3rE+bUQiumJMlNGiVdaNJ8T66ObyoOWE+s+KN/Oetlu" + + "HglQ7r6RG68gHYtZZiO6kmxq+wor65dFGQyRggpD+D47yioEgR12wUUksL/8oBW1pfGW2B" + + "dR4sNWjzV5k5EWbLYu7wxj2/ubo="; + public static final String Intermediate_CRL_2_PP_01_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wMS4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIUASviIKBmJgwDQYJKoZIhvcNAQEFBQADgYEAlZ06" + + "h2L/89GvCtU1K1VtbHPMN/LAUYJrWFID1Eo+Cf/5wKEGBr8hxRtvshTK436zqVQRQN/XTq" + + "7u0SLxvIixNRErlmUlGByi5vumN2OA77SxOyqYLCnBXTd5tWbFGz/udjaNk1MxOK0MQxPV" + + "9R+HHUUVojRnAIQvlcqx/sMzU5o="; + public static final String End_Certificate_PP_01_05_crt = + "MIIChjCCAe+gAwIBAgIBTzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wMS4wNTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDEuMDUwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALyBn2GKvoKNHcu3AEJRCbWOyUpCc/onvRoQgWRr" + + "wE7vMI7vjqnoR8mXdWDW5u9DFu9V5pb/yHBWn1zpgFGNnLrqn8irwR9i6Q+qlu4lXL5WSr" + + "DqBqEKxrOBDPgkVz8Ldjt/Hy57qEukBarvpAwTc4XEJPAmxNrboMeGCEn2UShbAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIaV3Cd/83r08wEwYDVR0jBAwwCoAIUASviIKBmJgwDQYJKoZIhvcNAQEFBQADgYEAVJXz" + + "gooT1qd6rdehnLxJMf1HZ6JuqpyoQjzWF1jA3SkJmBDMXvAkMmIcQ7r5CZHaVF0iMQl5JW" + + "fxPtM9Bws6jZhVL0TkwJHmbnSvbzUkJYeXPCP7ags4bu5I32co1nFVF6wf3aQDZeLFj/TU" + + "1GCQ4rh80T5oknuazD4xXAYx9sE="; + public static final String[] TEST_38_DATA = new String[] { + Intermediate_Certificate_1_PP_01_05_crt, + Intermediate_Certificate_2_PP_01_05_crt, + Intermediate_CRL_1_PP_01_05_crl, + Intermediate_CRL_2_PP_01_05_crl, + End_Certificate_PP_01_05_crt + }; + + /* + * test39 + * + */ + + public static final String Intermediate_Certificate_1_PP_01_06_crt = + "MIICvjCCAiegAwIBAgIBUDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjA2MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCjeJAwaZ0cw6O76hu15XadwJiTsIJcXZxGAETq8H9p" + + "VJs7kJh57oLpO/lG8zG89QS9g1ozxaaGDWsSyXsDzv1eqDVZg3ISQu6XcKdDu8EwgQDY3S" + + "EGkJ2AidFue3l0kEwR9+rtsuVKd/P+ULF1hWcoyLB/sQD5z8GvIiDKyRBiFwIDAQABo4GL" + + "MIGIMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMD0GA1UdIAQ2MDQwCwYJYI" + + "ZIAWUDATABMAsGCWCGSAFlAwEwAjALBglghkgBZQMBMAMwCwYJYIZIAWUDATAEMBEGA1Ud" + + "DgQKBAh9i6tKUsPTgTATBgNVHSMEDDAKgAirmuv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQ" + + "B/Gxsb5lxSTN21CrjBp2aE+U1oTP2MpIFWUD1q8KWhZZF1iCQ7orcDVITqJPdPxDu1YwKk" + + "zOegc4YBSJzHZqF/W4Kw4wisMfnWLTsUAeP/Ucz4vXk5rsf7IRssFG6PLxVmtRZizoxl9a" + + "DO9abTM/jV8Mgi1IB6LdWgmtosBGBzbQ=="; + public static final String Intermediate_Certificate_2_PP_01_06_crt = + "MIICrzCCAhigAwIBAgIBUTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wNjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjAxLjA2MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC8DbqYUf437toWlRkOQA5PloqYQjWYpiR67yGSjQHp" + + "j/HlduTYFS4qfUbLCjH4qsNUH8yQDvogImQw5M1IQOsUAqO6mYFxjqUWccuOaHT6XfUaOs" + + "DDHr/tQUvhz3LJryaILiPlNcQF8QiYpujM1utVRyFpmUrMAlOvWUB93c/xUQIDAQABo30w" + + "ezAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAwBgNVHSAEKTAnMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwCwYJYIZIAWUDATADMBEGA1UdDgQKBAgQxGVMTJml1TAT" + + "BgNVHSMEDDAKgAh9i6tKUsPTgTANBgkqhkiG9w0BAQUFAAOBgQALJtPqY5uROJ+2QYTekn" + + "fSUc0gC7j3/cngIvxGT385xDLTrd6TjYSi+12+vU7RNd3MIZoz1o7RpWQV6C751WtOFuZi" + + "iXeQ758aLqfhjYSVW/NHkO8vjrAMUzUbgjqb03k7q5JgtT6udB+9ySmou2/RxYW5p/IT17" + + "euMVGmQb/RFg=="; + public static final String Intermediate_Certificate_3_PP_01_06_crt = + "MIICojCCAgugAwIBAgIBUjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wMS4wNjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjAxLjA2MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCsQqIx0ayxpIE8NduclvK1ubbNkXyvr0RDqnGOoyTj" + + "yMtnfnwRbclkFCNBdalZYofuTWP0reqvqGqsBj+RS3uazvDBqVmn0J0AGRiLILummgEFRJ" + + "ow8IB1hduDYJpDMrHRpfXpbG2H3fzN1XeX/B0hUZgdQ86GyK2qrmyIcyqZXwIDAQABo3Aw" + + "bjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAjBgNVHSAEHDAaMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwEQYDVR0OBAoECNKJMmEWCA+jMBMGA1UdIwQMMAqACBDE" + + "ZUxMmaXVMA0GCSqGSIb3DQEBBQUAA4GBAKv9F3+Y4N8RX4bRZ4fFTKri2rrB4BsVrBFpOr" + + "SLzKnuyO1O5gg45d70pSHUAVBn3pz0f/6WwWLECq9tB7/Fphi0TyqeFmkRnysygZGlvLgs" + + "L19bpIgVPkjFFziMGuzdAFIGy8vnV19yJ2euMygEHr20yiGBUaHHnKyuOGbDg4i7"; + public static final String Intermediate_CRL_1_PP_01_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIfYurSlLD04EwDQYJKoZIhvcNAQEFBQADgYEARL4u" + + "DZvfcQDYanTfwU/hWAJDdDO7m7oQZLy3o0PTqXkk2Jd2v3+M2U8UN2PcuqZXT1lwS/piiW" + + "Sc1x1YndD0qUtV4bOZ9SESPhCeOc1lQTk5mMf/zqFxQqYv8rfDB5O3QY4bjS7QQzSsvmal" + + "TGCnoHmUJ4skmZJrQAzYnXyD9G4="; + public static final String Intermediate_CRL_2_PP_01_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wMS4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIEMRlTEyZpdUwDQYJKoZIhvcNAQEFBQADgYEAcEyr" + + "sgLhVq0L6N5fww/U6TW4lqaVAEtjqxluWRyZnL3AJLEHfwh1lllCG5dNM5fahGDOW/53fV" + + "+gW5l92bsi2D/lAkDfNUdQdi5ZpQG9y2zhTArUlx9z1+KXklCi2Gg1X22gi+cYbK2hfzk6" + + "kNGP1v42bjrkF/ECczpy3e41rEg="; + public static final String Intermediate_CRL_3_PP_01_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wMS4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI0okyYRYID6MwDQYJKoZIhvcNAQEFBQADgYEAp3uQ" + + "Tn2HC65TFmSjzvjuStIJwJcVahNcTWiGdtfTalZrMtuC9vUgQq0K1QIa7QNC9C3hQlzb5e" + + "bO7JhJDs+5GZnnsqHN3pvdKEoueRfWBjUGpPnSGFD61ysf9aDFY2j9Amf3zcBFsXZs4+DM" + + "dIENndbjkwqCV4zRTajAqCsIy20="; + public static final String End_Certificate_PP_01_06_crt = + "MIIClTCCAf6gAwIBAgIBUzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wMS4wNjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjAxLjA2MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC+IxiNJMOQG2gx1xd9ELNuzs9LrVJVRLvgP0lpWrx2" + + "2HTEXPDB6YmrEg/YgyptmQ5Z4K6CEgJz3EdDOarCSGcL7DmcSEwEw46MV3piS5DrHwQ4GH" + + "a2/ENSh3lF+6dliBwbQR2necmQ5g8ekqkWNb65pLl6RCNGkntJpdu8w5GWbwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIMf/eRyakKwgwEwYDVR0jBAwwCoAI0okyYRYID6MwDQYJKoZI" + + "hvcNAQEFBQADgYEADgpHRDgyPuK4dc+m2p0IELHUAK3qsdTZzBXsaA0rkkk1aRjI6DQ2qg" + + "b4crRU3spQgYwBC7KQYd/hp8Lk17iX6fdV/9wol0DxTGhamOJA0uRl768awRArf4cEUElF" + + "uWPN8D3wJEfL6BWgReUJWg8V9HEtdvXZZgzFN/CgHRkQ2RM="; + public static final String[] TEST_39_DATA = new String[] { + Intermediate_Certificate_1_PP_01_06_crt, + Intermediate_Certificate_2_PP_01_06_crt, + Intermediate_Certificate_3_PP_01_06_crt, + Intermediate_CRL_1_PP_01_06_crl, + Intermediate_CRL_2_PP_01_06_crl, + Intermediate_CRL_3_PP_01_06_crl, + End_Certificate_PP_01_06_crt + }; + + /* + * test40 + * + */ + + public static final String Intermediate_Certificate_1_PP_01_07_crt = + "MIICrzCCAhigAwIBAgIBVDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjA3MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDs3Z/FfgJOyKp+Ds8xiQBM053cWylYbD+g+zuWDz3d" + + "nD0eF77TLPITL7hwI058Pn3tXHlveuKMFqbvzWUgFXaBoHmmRohIj1eqfJQhlmKLjlSYyC" + + "N4xhLVi7vg71ZjFdRk1k8ME1HDfpb2WXqXh9LyRYY8b/aqL+NHe1PUDbT6FQIDAQABo30w" + + "ezAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAwBgNVHSAEKTAnMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwCwYJYIZIAWUDATADMBEGA1UdDgQKBAgvehPxsTfSBDAT" + + "BgNVHSMEDDAKgAirmuv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQBpdMBEONGcpFitMN1ihf" + + "W441E4HVTQwtF+h56aagVFndUF1gQsVEdDNmvvN/jdlzXotcfdEj1lOahmcwWbPOlNx3PB" + + "LUPAcaNM9SCrXWi1gKJK3gXC2OAxj0mT5XhfPlAdfhZXTBZLqMqebmk6kVwa+VyPPZFHGy" + + "BW0fV2ClJ69Q=="; + public static final String Intermediate_Certificate_2_PP_01_07_crt = + "MIICojCCAgugAwIBAgIBVTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wNzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjAxLjA3MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCrO/98w96Bg5YTTmtdc9sL8AOABGcYx5J8E1Y7/GhU" + + "2sInc/j0dtBbE0Tj4KFIKpVLD0m2mTyHVCUA0/QGiS1Tq6DzmZW/V36Clya3CoX9rDTJyU" + + "cKHpgntV19fFAK58aksyKCdP9jjLpbSspzOlIc+mVW+hkjgw3NcuY6fAOQvQIDAQABo3Aw" + + "bjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAjBgNVHSAEHDAaMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwEQYDVR0OBAoECEmeATXRkM5EMBMGA1UdIwQMMAqACC96" + + "E/GxN9IEMA0GCSqGSIb3DQEBBQUAA4GBAG/Qv60jyImedUXtCYl0QpQ1Ne2ZLxvUHRLms8" + + "B1nXC/Rze7zfz5cwiyQn+6XN2rhuYFdTMDEFZDIjeeCLNllfan4GUAdRGtoJnfoLOGLlQf" + + "RW1ONc80cxd1NTxHqxOtqpWdoJQEn8070WLqQPACEs88XYKBZ00sF9ZdSg5vhHUu"; + public static final String Intermediate_Certificate_3_PP_01_07_crt = + "MIIClTCCAf6gAwIBAgIBVjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wMS4wNzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjAxLjA3MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC+5b7o4iWl80ntDMKGcnquLQDTGlf6Gy/8y34Vw08/" + + "8ij+nuHMiKpo6UCF0OpDcnkJ2ovvMsY5dAb5ErhH64UbnMlKbghnGv0sVidtipoC8u7ey1" + + "YUIzDCdmbNvTfho6IXKzH8ev//K+FJd3qBuKHl9u2Kk5+igsyb+bPSid7d/QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIUDKu7h5EQ70wEwYDVR0jBAwwCoAISZ4BNdGQzkQwDQYJKoZI" + + "hvcNAQEFBQADgYEAnKhR3OvdgtVtmio7ikCvjxlSoKVbUleazxONOxHUAKdXEv0/mSOTwp" + + "hPPIoE2xAqPOOHvXPmzmJpPADjrfhU6afJ7ThDRFTMk4ZLOkT1SvRlymK7uWhj5bhUgi6S" + + "UQ2LUmrY2hIN4cTrrzZvDw2Q/6UIuqpmySXEOHDL5T5MXEo="; + public static final String Intermediate_CRL_1_PP_01_07_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wNxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIL3oT8bE30gQwDQYJKoZIhvcNAQEFBQADgYEA4gZR" + + "71wRXNdxWe7kaQPAw44UUw+cN1bDBU0RV7nwYAFDYxDIaDGOfjhUVTMBq4rb51S7uqIqYS" + + "F6j7BdLXl9WVRJobfkRH0t0cBnuSeQRz3ckrZrCuvyxb3PEL3pbf0UH1i/BfoG+EHJAY7R" + + "OVOL/dyoXeX6ehH6ImGhucDixS0="; + public static final String Intermediate_CRL_2_PP_01_07_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wMS4wNxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAISZ4BNdGQzkQwDQYJKoZIhvcNAQEFBQADgYEAfzKw" + + "NHrl10PJDHa3olBYXYzXi94zxDsEQSIb+W4pPXUfDZijPqL1NzapLqc/uL1Sl28GmLDrbm" + + "nCrlMn1Kt/gI6XndOnSyC9Sg6WDxAI3HTHxlG5MHLBn9Lb36CHobnwep1BMo8zl2clh0Kz" + + "PIxQSGXM1BDpHkwF5eoFAolDih4="; + public static final String Intermediate_CRL_3_PP_01_07_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wMS4wNxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIUDKu7h5EQ70wDQYJKoZIhvcNAQEFBQADgYEAj7+M" + + "EeIe1GmJpbRUFqbNrDvT5tHjKQMNdbe5Y8F920U5t0ig1Up60kc7hs7LH57i6R/quPOpym" + + "a9Eo9Bql+P2Bg9FELih5/a4B021TZBmmdSI5fwQZ6Q5PjgG58Zl2cJitNYvGi7tVUBojA5" + + "CSN7KBMyipia9ivxm9a/llJPrQY="; + public static final String End_Certificate_PP_01_07_crt = + "MIIClTCCAf6gAwIBAgIBVzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wMS4wNzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjAxLjA3MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC/RmUcYHxgQRHCUh5cMug/J2o8DzYbT+2pIehJkNCr" + + "zfqemV3qshLdMct5GV73oEkG5b6n7tj3/hI1TLh/A3LQpKROAGZybdo9fk4Pa0+6V6ql/U" + + "NnSpcAKct/f3IvchGo9nBGdi9aE+j+xKhMM6E8xj1+Jc7Z0xz7zE4+qRbeZQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwAjARBgNVHQ4ECgQI/y572lfRyH4wEwYDVR0jBAwwCoAIUDKu7h5EQ70wDQYJKoZI" + + "hvcNAQEFBQADgYEANl9zdMKbaq14OP45PeK9D4ftOSuliW2di1qAX38FQoWPYLLoaDU0Q1" + + "9I54PDY/UYRR9jKDl1WPhV6cD+65eadtiOZVr/h1CaW/HxTloouzN4z1zCXMC7AxZKo+EI" + + "XLN8f4w7hKLFYgf6gP9+iVi+T2gKfH5Ch2zjRhlmGFRgsBQ="; + public static final String[] TEST_40_DATA = new String[] { + Intermediate_Certificate_1_PP_01_07_crt, + Intermediate_Certificate_2_PP_01_07_crt, + Intermediate_Certificate_3_PP_01_07_crt, + Intermediate_CRL_1_PP_01_07_crl, + Intermediate_CRL_2_PP_01_07_crl, + Intermediate_CRL_3_PP_01_07_crl, + End_Certificate_PP_01_07_crt + }; + + /* + * test41 + * + */ + + public static final String Intermediate_Certificate_1_PP_01_08_crt = + "MIICojCCAgugAwIBAgIBWDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjA4MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDDe20HLq7R8b0fWTsEiNV3Z5IbQseZ8QCW+1cb6yM+" + + "ArKLJDnXx8zmTHSHQCpw3G7xhGsxA1btm0cSC5P/1bw/kFWsSLRe2NFF6oKU+7c+cgIUMB" + + "kzyXk+kpWAQRb7hcb50iKdKFtO8gMNGMAxlHRI05/1tThyAs9suI4TrxTS9QIDAQABo3Aw" + + "bjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAjBgNVHSAEHDAaMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwEQYDVR0OBAoECFxr9vgF31fKMBMGA1UdIwQMMAqACKua" + + "6/nC51SPMA0GCSqGSIb3DQEBBQUAA4GBABaX7TYfmSyVmzGCVbTFweUuPilo4wzy7z/w0x" + + "y4uSaM/YMtixUdDPpTHOJNYDdeV85v+w9oezdL2ZYAaGn7tldC6k8ouq/6hOGGST+ziHJS" + + "gTOD8UVBQPRPvWEwgmDIprnzrVRz8rG6uqslXNiBDnO9BMGpRo4dy8YpOmV6BPCD"; + public static final String Intermediate_Certificate_2_PP_01_08_crt = + "MIIClTCCAf6gAwIBAgIBWTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wODAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjAxLjA4MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC8nLZcMLHYKxVqbhwJiqQbAYhf7S6ck2O9AhNor935" + + "Bfm7/8qVZbBAotQy1PoCjSW0UYdknDolWvi8aAtO0f9XVrAv6BZVVW9j3osIGN/XUThaN+" + + "9dZ83kGpyjeoitpGK4wbFNDteuBFYp+8gFNupnX7JQwUK3aGwBUucbe7puRQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIL0xyFYBk4OcwEwYDVR0jBAwwCoAIXGv2+AXfV8owDQYJKoZI" + + "hvcNAQEFBQADgYEAPk+Lys0Ueoyhp544EH9Hqy9+gY+l/+N99v7KvBlZWKuhkwZDE+qAYT" + + "P/SOPsWe8ADZE2iQ4pOlpK8jSqtJSdK69RgGL9omLnR04L9c/zKLArBE+VmoV7mohcQp8x" + + "aB4q/g3QnAqwfFYDjIWW3H6gRAeQ5MOtKdz/4042fJxc5L8="; + public static final String Intermediate_Certificate_3_PP_01_08_crt = + "MIIClTCCAf6gAwIBAgIBWjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wMS4wODAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjAxLjA4MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCvy6bNOyVaP8JTwiySFa3Sj+rdSqzkalK5gA7DLk4q" + + "AyvnAK64HgbCsb8dpnSi94WBDsocrQ4C1Ltoahc/AZyRVLA/REsAh1r3/0FALZgYiIxvSF" + + "m3ihKb3P9URBbotzhl1ahRZPSrcxKwNXEmxB0gjixGW7GZTARq3Il5ressRwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwAjARBgNVHQ4ECgQIwFtfZBe/KqUwEwYDVR0jBAwwCoAIL0xyFYBk4OcwDQYJKoZI" + + "hvcNAQEFBQADgYEAeZhpIDEYyV/LkOtUf1TryemJExQ1jdfirJ3AUtoFIoWz1p9aqnV6Po" + + "GAMozjtdyotfSA2O8c065DwD+CvUXPmdD+2vWpX/2hJPj+x++UvvntAokD2UE9HCeEvBHK" + + "rr59hvKKd6GChyhAjLris202eTLIiMEoyZy9X/Wt1nXF8/g="; + public static final String Intermediate_CRL_1_PP_01_08_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wOBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIXGv2+AXfV8owDQYJKoZIhvcNAQEFBQADgYEAhkwT" + + "E/EGAe32J883qVrh1wG5xQzO/GGfp/zuDYGL2k1zZ2zq7MajKfzBoXXQ3WPh5dTK1sy5o5" + + "boPHG0pge0B4/2JvuDVS539+9HAPansUNsrMXzOblg1acjdKtuk4oS8PIYkM/lbA6yJl6F" + + "QMbdIthWqa2gjaWKll3R8fVUjxI="; + public static final String Intermediate_CRL_2_PP_01_08_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wMS4wOBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIL0xyFYBk4OcwDQYJKoZIhvcNAQEFBQADgYEAN6BQ" + + "sEQT5YCvs9vlUSdG4gjTgNkyQTCdmSIcufpK4MG/AoW/Fn5zJXxiMyHmvT/dkk/UOf82/s" + + "41YI/Inz4qRmGF4IL7jo+l7V+OI1n+Vf4ClgZU6ocb9d1dFoBkJu3xI9dcWK6ExpzaBUXw" + + "rPJilV4M5luGbszdDCs9cLjmiRA="; + public static final String Intermediate_CRL_3_PP_01_08_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wMS4wOBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIwFtfZBe/KqUwDQYJKoZIhvcNAQEFBQADgYEAkmDx" + + "t+r59llppKmm9mSTof9/BX2rNyG9LfIH7wweoDi9be2vYOLy0NU1kJ8f3/muEw2v7hWDri" + + "k9ROLDFnb/S8MYVT0l4rymRhpshPF1uMTOZmfJUCfTX9jIaShztSScqcGSP0a3EUfDD14R" + + "1yMu2pdlMM35llE0lV3uf/eUNr0="; + public static final String End_Certificate_PP_01_08_crt = + "MIIClTCCAf6gAwIBAgIBWzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wMS4wODAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjAxLjA4MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDTWNp6Oz39wwU8AFDzYVs3UfVvXg+t6j/qFavnvllI" + + "NO6aU1o4Hnk1wfmTPZPErc00/MfizMSumTYYRl21hEZWhjNO5uQIHrF9V/4OToo2iOfsPd" + + "gxwpSokwxcl7CJyadwUxhRDYCLhSORXoCK1CPQZjwb+uQz799O5ozb0WVNYQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwAjARBgNVHQ4ECgQIO1TNJtWwaiIwEwYDVR0jBAwwCoAIwFtfZBe/KqUwDQYJKoZI" + + "hvcNAQEFBQADgYEANmP9hyFnYvi8gdtRe8ERoEG90NwoyPTsB8sXd40f+Sm1QxKqMPzKPL" + + "7bOtY12JGwZ55a6HFVgpw4PnU+0iOcCMHS5OQQLtyirxX2HfioiXEmcmRJT6FvLHrGIHGv" + + "KNcfc3rUiksdOb6+j2k8x4IwQ6pBEHQwY8U4Y4DgqALlqM0="; + public static final String[] TEST_41_DATA = new String[] { + Intermediate_Certificate_1_PP_01_08_crt, + Intermediate_Certificate_2_PP_01_08_crt, + Intermediate_Certificate_3_PP_01_08_crt, + Intermediate_CRL_1_PP_01_08_crl, + Intermediate_CRL_2_PP_01_08_crl, + Intermediate_CRL_3_PP_01_08_crl, + End_Certificate_PP_01_08_crt + }; + + /* + * test42 + * + */ + + public static final String Intermediate_Certificate_1_PP_01_09_crt = + "MIICrzCCAhigAwIBAgIBXDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjAxLjA5MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDJqSSqGjgI3JUJfA/XkloAOg2QtZeAGp2nCq1Oiply" + + "MTjJpMpEOSRYrEIgKMGnBPq33seP7X/obCT2jgexmbFT2TmPirM+h1aqbGQ7QAqsx80BdE" + + "ofdcfiNosLbbzli9qFrbarO7fJfBhzraBFGDJj3N8nLi2YtP9IieFYJ/MhKwIDAQABo30w" + + "ezAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAwBgNVHSAEKTAnMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwCwYJYIZIAWUDATADMBEGA1UdDgQKBAiVRMrZuHQ7VjAT" + + "BgNVHSMEDDAKgAirmuv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQCetZy9JMzUVveSPE2fQY" + + "4fRVChyvIc9nCE4wbzhnRl3zduBGmAwTFr7dRWSFTnEq1c2b6B5nJtCzmt4Ovapf69sIlM" + + "s3iV16eBB1WTNCY8YlAsnmZ7q/AR0t0vX+hh6QV6zN5xqulOM4Y8csZEx3RWJzV/LjE5w7" + + "mKvofBEUoqQA=="; + public static final String Intermediate_Certificate_2_PP_01_09_crt = + "MIICojCCAgugAwIBAgIBXTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wMS4wOTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjAxLjA5MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDWUTlTieoi7aLGUYOAgqUC2J/6JarOWfv4vobpwjAA" + + "DjvQGqg/GCZP7FgD/72Z4YefZKJEFZTDnYfmy2qh6iBYxcvLsJ+PJGzPCObNSmyq8gpeXy" + + "KKEeCZtEev1tSywTT6E5Dhee4dX0QHE4ydZEliMMXGRW/8ffT6x54CPwVylQIDAQABo3Aw" + + "bjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAjBgNVHSAEHDAaMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwEQYDVR0OBAoECAMhmGN8+qXoMBMGA1UdIwQMMAqACJVE" + + "ytm4dDtWMA0GCSqGSIb3DQEBBQUAA4GBALNjokGrTnWsPn5KrlO+g3R8tAGM90JQDjfrap" + + "xWM+nN+dUVVdGU6w2pAOAq2UhfySiP42qiFChnPK9oOqPF2Or7/kcmXZzBfZkE/FnJGNUA" + + "gs9je1nZvTPQYsF094OqE7QdJi2k3seA1tqejA1kihMHpwQNmIp8bFpqn4dPO6ys"; + public static final String Intermediate_Certificate_3_PP_01_09_crt = + "MIIClTCCAf6gAwIBAgIBXjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wMS4wOTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjAxLjA5MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDHUpHhF4ANNLOywnvpqyDgzLMtatW3ZxgLBBRYk6TE" + + "jMgTVKmRasVRTA9uatGG4b2f70YWs9cOd4ylQDqPEDdKNZ47bqZdX6RAU3j1dO9LBwWDbp" + + "NvZ3zuDBRDoCZClIcBESDYweaZ9nUgKl/WxTeCnMwqkfSJGYBBcHIonRPnGwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwAjARBgNVHQ4ECgQIyppef22OmjEwEwYDVR0jBAwwCoAIAyGYY3z6pegwDQYJKoZI" + + "hvcNAQEFBQADgYEAOySUCY+PZxomhWgTRSKRodOIe/QSfCMSC+0iw24a2TuJzFLjN9pSm9" + + "0C2PqWbfwD1uDjrteO1NK+1yhtIDySiptR9GmR/fhL7NJ+z7M4fEJBjjeeI9/aEIuHuBFT" + + "TVHfwsJxnZtjujtOdl56B825LsKW8Otumd2A43N9wIgSyBg="; + public static final String Intermediate_Certificate_4_PP_01_09_crt = + "MIIClTCCAf6gAwIBAgIBXzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wMS4wOTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjAxLjA5MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDR8/c35YqAswoRMgQswlTbKB9oYEzrFSC0G4dt8ydP" + + "O4PyQs+J8wUVrRVMiVDTLO9rUnzR1T3iA0dqM+SvWMIA8pMWKyNV58f73ZPJIejhxMmOZa" + + "sSLHceMmmMRy1zyk38i3ZJP3YhvxffTjWyTZ9k2xSDX+6KNnkiKkJSKpl6nwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIpcWcVIIu63kwEwYDVR0jBAwwCoAIyppef22OmjEwDQYJKoZI" + + "hvcNAQEFBQADgYEAckgV11ND/D1vfPEMUbDGUvtmsziHiSuEoDLJqSAhOmcX+evKWOfoVo" + + "f7og+0ajuul7yuB+7YX1AakOw+33k++Rsgg4o+ImZq3+VScpgnIQ037OOhgH3umwFRC0r3" + + "NpWqhmQuz+mHnKiK3X+IDsQOFkhnpNs06CQSZzmrzbYlQU0="; + public static final String Intermediate_CRL_1_PP_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIlUTK2bh0O1YwDQYJKoZIhvcNAQEFBQADgYEAkEc6" + + "qHGOWZXYTQ5fsWyJgEtuJyl8uJ+gMcikcMut5SIJTTtOz+q3wclYDevT8z1MM25kNdgwyg" + + "b1bwHNAG8I72eIDtGfLrChFwU3qpvVMTG9gPYJb05Q8On56nsBu/PnnzJervzxjViaeOuv" + + "kjwwfmWqGkyiK433WxzgPqE48eA="; + public static final String Intermediate_CRL_2_PP_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIAyGYY3z6pegwDQYJKoZIhvcNAQEFBQADgYEAV9Md" + + "8PaNoIlT7WIwnelqrbwsR66vAaT8w3gu8XDYXu+MOYThfyERUvtH6AUrHWfiRvWEzKljHH" + + "3BQB0Zsa9Zz3U5cLzJcqtqDc1lH53aIA8MflrfMVrYSF684s28FikcukmA5Fw3+7S3TJ18" + + "Hq7plHwTCidVD6yG35hsPwcjTrE="; + public static final String Intermediate_CRL_3_PP_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIyppef22OmjEwDQYJKoZIhvcNAQEFBQADgYEAjBaP" + + "V/TFQtDLxQFIBCbfqhlgpOfvJBatjNuvB0TuD2rsGS1eaLNfTfyVKlOLpxoKwKYMu36kIO" + + "l/+KEPDq+ofy7uDZ6GLK3KZ/WiJyriqBQjFCvlhNTW1cjA7Ejk2lOM/A46mrUS9xC+aITh" + + "d+/UYGt6O/e256cOwQCUaF2z328="; + public static final String Intermediate_CRL_4_PP_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QUC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIpcWcVIIu63kwDQYJKoZIhvcNAQEFBQADgYEApZ1l" + + "w5SJoU8zeKwX5jpVWiFFFomDgKsNlkkX5mF88l0B6MiYbGqJIowJRfeIlxvPOf20imN7Z8" + + "l38DRXFacDQP4y5kxM420dp+ljQL5q9RsrC1+OS7I7TGgGwPoZTO4mHVk8nx9MyT+kW1OU" + + "x9qRYWN0CLmP22kutYBndny222Y="; + public static final String End_Certificate_PP_01_09_crt = + "MIIChjCCAe+gAwIBAgIBYDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBNC1QUC4wMS4wOTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDEuMDkwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALiOjwwwUk1HNwf2rdzPL2okKTgL+lMdzhC7cbq3" + + "6A409EY7iipPCcsDsheo9EaTNOHV9xjWDqOhqjA38h4hGNkRUVOlTW2r8SoHISn3gDXfrh" + + "aHbU3owscAmt1nuA7rzo7L1eBPsisIIxAY16uAmVN5RdiAAaP8VUdshcNI4/1jAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIGZIY3nffEXowEwYDVR0jBAwwCoAIpcWcVIIu63kwDQYJKoZIhvcNAQEFBQADgYEA0Svm" + + "aqjaeQx/lnF223xlCTsU7XzOxbHetRWfeCTw0QrWQaTrKjWTS/TNyzLhGuPBFg+NTTvWML" + + "gzteo/WWdF8+d2rOis9FVRCe/Euok6ZCL/xgzaE86ZSQg0jj6458TpuC2cszSaifRSlhL5" + + "ogy4ADWgJxdVcBrgADo6QZXkXXw="; + public static final String[] TEST_42_DATA = new String[] { + Intermediate_Certificate_1_PP_01_09_crt, + Intermediate_Certificate_2_PP_01_09_crt, + Intermediate_Certificate_3_PP_01_09_crt, + Intermediate_Certificate_4_PP_01_09_crt, + Intermediate_CRL_1_PP_01_09_crl, + Intermediate_CRL_2_PP_01_09_crl, + Intermediate_CRL_3_PP_01_09_crl, + Intermediate_CRL_4_PP_01_09_crl, + End_Certificate_PP_01_09_crt + }; + + /* + * test43 + * + */ + + public static final String Intermediate_Certificate_1_PP_06_01_crt = + "MIICozCCAgygAwIBAgIBYTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA2LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC4mu1oBHB9BeorCFJIuSw5tszmmYBD4bjTklsAfjrz" + + "OknQsYxEoHfifpdgivh1fMUk+mK5YWUz0G8/edquKbJhPBTTWp8opsGzTATsTLSEzkKbVM" + + "DQ84ttxrhJWlrVRlouZTnD5HoLUvujY4EdydmKsjj6UBt/tGL5EKodymcEtwIDAQABo3Ew" + + "bzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATAMBgNVHSQEBTADgAEKMBEGA1UdDgQKBAiGRi8YRte8PzATBgNVHSMEDDAKgAir" + + "muv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQDHOaIki9TogVJn54FRPl+7FyzBJ2DnR4RTM/" + + "q1K3COWRdtvmGqtBBtAccxWziQJ5TnAQn1XA0cFPoCgymGPRcUz+0+C+3VhJ/m9LggVP3/" + + "pjJEG0fsmJtUYPyphUlXeUzf4qSj34SlJws3DIHTR8ozAR75HZmlMRnxyZBLl+jAng=="; + public static final String Intermediate_Certificate_2_PP_06_01_crt = + "MIIClTCCAf6gAwIBAgIBYjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wNi4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjA2LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC2rptuREzhGfEJ3U8ILPBq+z0s+aafMvBRHpqkipDq" + + "bC7v9zpwg1K18F4MYiATpPAEfdEeprKs0mWfdusF93BoMBVm1y0zRgDRUNdyB5GFO8g8+2" + + "yNEO6L37c1PwrMLnvJakaqwbbnwlcMcKtLHoX19fyveQQg5DNj8WcKZj397wIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIJPt6qKdFeYEwEwYDVR0jBAwwCoAIhkYvGEbXvD8wDQYJKoZI" + + "hvcNAQEFBQADgYEAkFJGNze9/6YX7Rv8FR9obFGACIJ7Om4YQQRW9WM9pEDgKls7g9b9El" + + "dJxLKOlWoRoYZIrbEam19traE2O3dxqRevPoYvfAqkR089BkxH/cFYyfqw64IpjDG84dsY" + + "XieajI/Ov/HjgF0VQKF3+Y1ZiDjb2OHNgMkqs9VmUHaE+94="; + public static final String Intermediate_Certificate_3_PP_06_01_crt = + "MIIClTCCAf6gAwIBAgIBYzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wNi4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjA2LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCzxfyi52gw/5tt6/9aNAXdY3wZYH1GifzGoN4cg8Mt" + + "++5xmTdrc2A9/5biaTUVC0x/Ml6mm940NA9mM/EoEu4SdnP2crNCIFHWNlYz3cJtYJ68rE" + + "rEU+S0gnYaYRiwNGhVpAjV+FPDr0Ghgp5rYQ61evAhmRuNAFwYocUw80G6JQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIZ9yMlboxCIEwEwYDVR0jBAwwCoAIJPt6qKdFeYEwDQYJKoZI" + + "hvcNAQEFBQADgYEATNnRMQmvTxRcSMUL4pa5bejuX2Ixy/OfZIAlJWt9AfLW2tHmdAaGpD" + + "GhTHKfyQQ+HrIMQ+lXau8Yu6nzWXAY8pKpKD1Hbd355VE4dYZ7aPvcAulZHeV0F2EFn09x" + + "qQ1frHDRoCOc11B5qV5hnwgDE/ByZh1+OWUcR4tBQKyEF4g="; + public static final String Intermediate_Certificate_4_PP_06_01_crt = + "MIIClTCCAf6gAwIBAgIBZDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wNi4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjA2LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDB66hLZx1WGcCqmOxHK/rotXOpccJQOB2L3kpWP1M2" + + "ZiWufUguLw45XShdqu31OgmGw0/w9ugwy96aRL+Tiluj4xjIAxJCav5cXF8Dt2Ex7hjIHm" + + "XV0rHbJUiduHEh3fQphgtzlR4QxG6i/i4SbcsoJzsws8x3qOqRPaWDtyWs0QIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIyZsLNvyyIZEwEwYDVR0jBAwwCoAIZ9yMlboxCIEwDQYJKoZI" + + "hvcNAQEFBQADgYEAc7G4BAUsQeqNp/Kv8TKJckfxWygz54PrkBICNw/eGuGamVJMRkYCP3" + + "yJ8NW4jY/rfxzKKyjVB09XuNBLDwYdR5Z5UHSg6Ijes3j8tehZ+9DwEQrR+WQf/adHIsxn" + + "/347MHrSQF7CJzE9tAu6AOu53lKxLeH6C/5YI611or2Ql1I="; + public static final String Intermediate_CRL_1_PP_06_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIhkYvGEbXvD8wDQYJKoZIhvcNAQEFBQADgYEAC7ev" + + "Pqe0veUX+zF51d/NiG6VwgEwOP1HlzD/saDn/FYXStTQDwoIyFjmZ9z0yLGIaVI1O9BWVD" + + "CTU3bCU1dBg61Blo3rI3TlNqmGrYRUSJ857QM9c/G+/+V0XJ/HgId39Pufd9Tob150XNMs" + + "9h0PvqjhYjG1bARMRa8JB4KTBU4="; + public static final String Intermediate_CRL_2_PP_06_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIJPt6qKdFeYEwDQYJKoZIhvcNAQEFBQADgYEAiUbi" + + "qQ3X/hTgjhpQGDZi/7EnZcqSgiAFMreV30/mav2NtXDITE9DqZzCS9x1vHBp4BBsQwYVvp" + + "XvLVSgns4pFwR+0Whc+tPo2j9ScePq3sICsqleWTN1DvuoP9rBe8w7pDN4guA59Kbeku75" + + "5CMA5YjiTUomK4UaqI3htwkBlWo="; + public static final String Intermediate_CRL_3_PP_06_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIZ9yMlboxCIEwDQYJKoZIhvcNAQEFBQADgYEANowv" + + "f/scWT6FFT393XEpWcTnA18hBT5Nkddw6mHjKBq7ndtBQkydMO8Wym1IeQ2qYbAqu3ifNZ" + + "SKF3PfgJjYPBKImzJdHTKfcclMC5H8Y9JDN0voeyONr9NiXcoj+p24YNYjb+PFI6avRYo7" + + "Xyrqvwnvng/IY9zLtc7SYYUIODk="; + public static final String Intermediate_CRL_4_PP_06_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QUC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIyZsLNvyyIZEwDQYJKoZIhvcNAQEFBQADgYEAsnA9" + + "ERwsi2mK540oPL45mLdOjGnet7+HhNk14q0hvALTYGB1vEjijc+Yvf6mHJGRbiG207BpJ1" + + "DWeWBY8TLe4YJXlSrWwx1jD46rCt7gdqXAdLpMo+i35yfQ19ZqeWcRLkspmczoUJLJaJza" + + "eLRrnjv62GLJ09KVKpZBGhV3SUM="; + public static final String End_Certificate_PP_06_01_crt = + "MIICbjCCAdegAwIBAgIBZTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBNC1QUC4wNi4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDYuMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKrLB7XA0PKY0qtSC5lMBvvIvbyjBM8XmANrN9Wx" + + "66QxEuloRAz0D5uAu7TnJBv6qNuIPGFl74yusKCSkjEkBMdVpBCfDvpG1/Tz3sALSlxmnz" + + "xbK2ytOncbYuYrzvXttx6wkhLrBLlnfuwpZwGZOr/Pt6WwQJWjXxgTNJ6dcgXbAgMBAAGj" + + "OjA4MA4GA1UdDwEB/wQEAwIF4DARBgNVHQ4ECgQIv0gg7LxDM+swEwYDVR0jBAwwCoAIyZ" + + "sLNvyyIZEwDQYJKoZIhvcNAQEFBQADgYEAgzlxBGGOBvHw20eOzSswMqrHopNMcvwuEO+Z" + + "Mr0h8U2/HIiRqKWQaxMyM8A0oULGJny3B/0WtkfVQ2EIibZGiKIjC1RPAB3QmL0vgSyUmF" + + "s/LZbzugpJW6jvfov7N4O+u0J5rYniRxa4bgrXa89TY9kwDMbr6/z4oiI8bq3gEsw="; + public static final String[] TEST_43_DATA = new String[] { + Intermediate_Certificate_1_PP_06_01_crt, + Intermediate_Certificate_2_PP_06_01_crt, + Intermediate_Certificate_3_PP_06_01_crt, + Intermediate_Certificate_4_PP_06_01_crt, + Intermediate_CRL_1_PP_06_01_crl, + Intermediate_CRL_2_PP_06_01_crl, + Intermediate_CRL_3_PP_06_01_crl, + Intermediate_CRL_4_PP_06_01_crl, + End_Certificate_PP_06_01_crt + }; + + /* + * test44 + * + */ + + public static final String Intermediate_Certificate_1_PP_06_02_crt = + "MIICozCCAgygAwIBAgIBZjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA2LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDjg5+XWZwW1gLAOldsRshbCXmUCmt1Vs+oZsvyH+6d" + + "2PwKs8ydrz+oD0/D8V7cRXucj7q7cJSLhEY1wJoTTgrWeRg1hQioAXzPW3ZkaZuzhpi+cC" + + "qeZzN5nPvqK18GWvpffNbUUVfOuaHzzHmhmhgQyZaNG7JHwpWM10UMzMawOwIDAQABo3Ew" + + "bzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATAMBgNVHSQEBTADgAEFMBEGA1UdDgQKBAh5am+tkndt5zATBgNVHSMEDDAKgAir" + + "muv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQAF0h1iaxxZUp43AjP5gSvbW6JfFRW/ugH9SU" + + "n3e1B29LMH3F/ML0joVhPx5CIVpX4nfaYzdeje9+E2/bHMBGSCFeHz9S/KoBLLiI0GNhzh" + + "I6MytvPMPRx7hkuROouQ69TnslJiGCcoo+MD0fA2YwO1bCtyLdeVHYhJZWQ2Sg8PHQ=="; + public static final String Intermediate_Certificate_2_PP_06_02_crt = + "MIIClTCCAf6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wNi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjA2LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDF4KSKxo8HvQ59E77LcuLpZ7ujNDjb30KB+EbIuRmy" + + "khXAkhq2Rp2Iqd3OhC0AXmhSF+enJq3h0dqyxNWP08SIuK5ia3OIeatl1UgEyukuAnrLuI" + + "A7PFUQAGZmDG4OuHv28zza4n/SwfCaKfi8qatIwpwF/29ycB8wYBrHThQD0wIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIKFZV4vjfOOQwEwYDVR0jBAwwCoAIeWpvrZJ3becwDQYJKoZI" + + "hvcNAQEFBQADgYEAuj8P5ga8Xv9eFjk4AdRMx/Fj/doRAOLZfs+OnrduRXPLe7CFKDxhFx" + + "xYOma8In08cgXVVnRR+2nZ54h5qjCYpskGNx+yZRY8+HW3XXE3KpS7QgTnc/1XshUy9VGm" + + "2qX0k661f2d3KnSKiKVKtM/y/j/nNyxPugDz1Yy50NtzQOE="; + public static final String Intermediate_Certificate_3_PP_06_02_crt = + "MIIClTCCAf6gAwIBAgIBaDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wNi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjA2LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCitrzXkbO4hAQpBRQE880MFBPq84umX9pyKbV3iMqK" + + "Z7HBYwZOvEwGQxG+TX1PIj0Jz27oyvoqpLeMkbn9L3K0BuS0AZKlWIOGPPHWpYTDoQCCs9" + + "Mba1evVT/1CMxESsv2kgf49YHMs/6TtxQX0qj5TQzXrkM6CMBc5zyPBDWORQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIxLES0WIVZQYwEwYDVR0jBAwwCoAIKFZV4vjfOOQwDQYJKoZI" + + "hvcNAQEFBQADgYEAdQeDAOFys//2xUFwBilhqr32/jh4gT/ijxRjG0msKTYXmWcCQv9Tms" + + "smtIMtiwwnByhjTdQAtOmEyDm/CFW0/NBnxlRvqZKt+PRtscpExVy7xnnm2MBITTa+9xkC" + + "A361jSDPnRPEOZoKdMRRzNnW4f59m0huibeFNRYJ7y8BnHs="; + public static final String Intermediate_Certificate_4_PP_06_02_crt = + "MIIClTCCAf6gAwIBAgIBaTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wNi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjA2LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCg0yQG7oewLD2eFfPuj2DPBgT47iEri2IVeS/r5hUD" + + "nZhxzT2/+UsQfiS+ufdC2Xq+QAcXFcAifPbvRs9xo2q0uLz26mwSq1TH8ilHLKatKwJ/Yf" + + "hcRAfEWDwhLJGRhZ7YrKu8xczZgyxwaeu5m38lEaLIRyaVfVSrw8WhN4z4ewIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQI/dKmuI1u6I0wEwYDVR0jBAwwCoAIxLES0WIVZQYwDQYJKoZI" + + "hvcNAQEFBQADgYEAOEcMpdSAVKUzQ1A7LJnWOh5Tul6yXw6qMsdZNGOZ3vYBXH3vHnSHvp" + + "MqJQ1JIX/4XSiKF8En5dVI/ooNabgyORpPnLGDvrshvO/09iaDlQXxWRsoGAFhcIe7Ibp+" + + "3g6hnBO5U+0pbInioKVYf/1VyZSUK1QQMutshMIye/8gyZw="; + public static final String Intermediate_CRL_1_PP_06_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIeWpvrZJ3becwDQYJKoZIhvcNAQEFBQADgYEAEJ28" + + "g5iyw3ZOqs5ly7O2X0YWtgKK3BnPztxygCUWO1xVy/QbMM5ybAU/UPbJC2pUnkOZMX+h30" + + "RYp/kV9w2o15V1hxj2M0tR8fQ0WXudwi20pZO56uHb+WSaETOmPVoNH5efeXsTvtbHQR5w" + + "95L2vNeEzJEy1l7S/sasUUoQvqY="; + public static final String Intermediate_CRL_2_PP_06_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIKFZV4vjfOOQwDQYJKoZIhvcNAQEFBQADgYEApLIK" + + "X/YJYhSfn7yLTAlKjnhpH1QDlFeaE6/+uj6j7ZgpK6HBjHOvfwbrjurl+L3ZTLrY1FCL4/" + + "SUgXrJxbAyMANlg4Z8u6o73F9cur2gi3sgv5d6FjJ8VwuKYWY2dwZNeXwlWE/W0h01Vd9H" + + "QVuctFxzQaJQdQBadw/XqzvLlyw="; + public static final String Intermediate_CRL_3_PP_06_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIxLES0WIVZQYwDQYJKoZIhvcNAQEFBQADgYEAE5J9" + + "wJKAb3veF4GhHeoIgy6JvMsrjv7d7dhT+ZIKq+wPNk1909X/Zo1GXxJSjMaMgkLlXa0QN6" + + "LtSJxbyMRCKSJfqTKOezFXirZ7MEQ04FT0z6Hp0m+E2Q7dGs52ZOV3YZBhQUlH+aQ8WNu2" + + "6clf4VqBiUYgGhkE95PhN5AAnOU="; + public static final String Intermediate_CRL_4_PP_06_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QUC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI/dKmuI1u6I0wDQYJKoZIhvcNAQEFBQADgYEAKgk1" + + "HJ7OW203z9H7jNGxoLCN9bGDKOFcWlWuruzXWOAn+AomjSZpqZkZU1qyKrFaKM320sfn8C" + + "ZJPnVWaVMLBLNddDRWUjJrUHtNdnnZEuYPYlRVb0MmwaxHHR0ZBUIaniqoLuvtQIB9N++T" + + "bu4cjx33mN6MX0oWr4Bbq7ovPnE="; + public static final String End_Certificate_PP_06_02_crt = + "MIICbjCCAdegAwIBAgIBajANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBNC1QUC4wNi4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDYuMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBANAr4hFku3Y6jI+vD6JTRFc7ZLL9tIxT7Mq+QcDd" + + "rRHgSEXhPL3MM//3ZFXca3w4rXOUVQyANQncywNM3uwl7T9jC0MD2kJ9PsNGQL2bQcSajX" + + "jrxT403PVFsa6ZrLMU0hwomSO4nJBLCJj3i1rlX9esYbRNCqzep2OMWgAWRUsrAgMBAAGj" + + "OjA4MA4GA1UdDwEB/wQEAwIF4DARBgNVHQ4ECgQIMBvQP4Q8w2UwEwYDVR0jBAwwCoAI/d" + + "KmuI1u6I0wDQYJKoZIhvcNAQEFBQADgYEAnmNf+3jJp4mo4YDznASTMnrBBdXuskhnRXSQ" + + "Gj5dNq6PxEXM+CmBhaNlnFYcr7UCtcD8XwampfyO52tvAZW5kWQKsxyowVtsxtwkAtj6/f" + + "trIeulIM0B1xjyXJshmVST5u6gZ3OegsAyuqyAbo9B1IvkNFOldt624aEG43jq7ho="; + public static final String[] TEST_44_DATA = new String[] { + Intermediate_Certificate_1_PP_06_02_crt, + Intermediate_Certificate_2_PP_06_02_crt, + Intermediate_Certificate_3_PP_06_02_crt, + Intermediate_Certificate_4_PP_06_02_crt, + Intermediate_CRL_1_PP_06_02_crl, + Intermediate_CRL_2_PP_06_02_crl, + Intermediate_CRL_3_PP_06_02_crl, + Intermediate_CRL_4_PP_06_02_crl, + End_Certificate_PP_06_02_crt + }; + + /* + * test45 + * + */ + + public static final String Intermediate_Certificate_1_PP_06_03_crt = + "MIICozCCAgygAwIBAgIBazANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA2LjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCrUMqMxZ4sSrH6sKv2y6nYKagLvUHaforCnf4z/5O1" + + "PeldaW4ANtNPA8SkVBES/zoKgvrLJUmqRi4b+BGhCVqLU77PvWyiPOS40tpJfw7m9pPK53" + + "aeaLC9M6rarjdOvF8MkdtytCMU/Ef1NsuJULwEP+XB90k4lHr9EzbgKhXvoQIDAQABo3Ew" + + "bzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATAMBgNVHSQEBTADgAEEMBEGA1UdDgQKBAhF0iXZmlIKsTATBgNVHSMEDDAKgAir" + + "muv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQCmab7noekyx5TzxAqWoQiC9S/aZJtvLkuH1p" + + "KiZnclMpRvIL1CVOukkzLTZXY0EcCHnXuVGjw+9vmiQWGGw8t6TGCXo/CtCo934HGBxOfQ" + + "MVysEjst7L7TDQsqxk4j9O8cU/TFWsghW9Ihu7SVIn8RJmknKMB2xkIhcDe8S8dmxw=="; + public static final String Intermediate_Certificate_2_PP_06_03_crt = + "MIIClTCCAf6gAwIBAgIBbDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wNi4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjA2LjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCmT7wL9WwWBr1oY9bHIq4IrJOkbOARK3zOeyZSbBBB" + + "zxcky5kjC9pamMpyZjga+q0CGd2rq9eUjQ2FXZsBSgf/X9B0/g9trNMebYgGnYmHHX2JK+" + + "doyAX+h3afDbZzZ696S0Hw7yRx00+teQe/Gx4h4qKPwbJIW5Bep9SBysikJQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQInXHgY/+onu4wEwYDVR0jBAwwCoAIRdIl2ZpSCrEwDQYJKoZI" + + "hvcNAQEFBQADgYEAhlboR5gzYWluWIaFM5R1Ko0/rprrv5BHONRiXjLfAPkzZmd7FLDE2j" + + "BlU7s7IenICeST4c7HG5zqBigK1814GG75nq5htCGUnM6pn8/gvc58+ckKeWgbJxC5I/0u" + + "olCCs8ORbWIEGWmghGg1USxeI1RQwXGgE8XwtabVibJOVBk="; + public static final String Intermediate_Certificate_3_PP_06_03_crt = + "MIIClTCCAf6gAwIBAgIBbTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wNi4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjA2LjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDEouRlqTFQiJQSwc+yhjpvA0dUIbRrNwLF+EPfUWq0" + + "FV1UV0a5lb5BGPW4RGUEbFwsgGCHsfLiY7WmUpC1e6332PZPnrnoJbf28paeiZ8KqcAKZE" + + "pGPWKCmFBwBW23q1w/v/CxcXJoBx5OC1yxG3fGH7CZSzc+4Z/+PxLk9yoASwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIc24GzUM6/LswEwYDVR0jBAwwCoAInXHgY/+onu4wDQYJKoZI" + + "hvcNAQEFBQADgYEANLxcLvJqjyu94HN+X6tTxGcN1s43kQh8yRGotW2ptuA2jmGlAhI8QQ" + + "sXHO0o0bFLBC/Uv0L0YlEJhK1w0ct7Awwn4UYgqupxug2f84yamcvFa1es3osIMJoi0GPz" + + "1WDBM711efRtbzvK6t/4fJ01nG2BlMeEbctVqrehuAip4p4="; + public static final String Intermediate_Certificate_4_PP_06_03_crt = + "MIIClTCCAf6gAwIBAgIBbjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wNi4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjA2LjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDNuzSN3BiT84M3Dy6KeTQkMqWNuYGTENWPP8WvQ0Ot" + + "ggue/lemC+IqYBtIEYtk3A30eKKnF28WIbPlB3oSykrPVV5dMhYGF9ysOtp4wyETHtzdv0" + + "7HyqlMHOCPiFplbwjUSo0uEIRVgS3luBJi9onTpcn97/i0S7VsM2nooooaowIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIDjpr8w0dRq0wEwYDVR0jBAwwCoAIc24GzUM6/LswDQYJKoZI" + + "hvcNAQEFBQADgYEArE6qUMnjXiB5eKiAFc9Elw1dYsQArtnDQAfFGtShDulxYKq9+pxory" + + "4kTMUZZCJc7awEC11tdJp7xJGcpjCJl4I2wBcHiCcVcnwQijqM719PqoQKydXB9MSrXqmU" + + "2CyakSzBpb82VooVNx0IZ3h0nXQSE3V0qSXXCaImJcOIGMo="; + public static final String Intermediate_CRL_1_PP_06_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wNi4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIRdIl2ZpSCrEwDQYJKoZIhvcNAQEFBQADgYEAQrHK" + + "VV2MJPJLNdPoEuqFXRTEclSmYhUWC5lthK0JnKUbCUj2cMAku2UdN5sRgVG0475dXV2nvn" + + "huxy+IQVt5OJ+PNZ9MYZlC2CfYsBiW9DEYMA603XhVvX/bxx80MwxNby18oyo/V9ycSyJw" + + "XzUmzYRUtohHk39r3eUSAt5H7zM="; + public static final String Intermediate_CRL_2_PP_06_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wNi4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAInXHgY/+onu4wDQYJKoZIhvcNAQEFBQADgYEADOEh" + + "jV8V8y17mFstkVwigOAKURbi7sD24RkLd1QG0Bn21JiwpkGY8Z4vetQps+VX586xKzz6v6" + + "Sj+TJk3jfHCiEAk6a7PLxRcVCCi6y70mzEBCwn6fS5NDfxzxYYLgq+dlUiVwqXsHksEvUz" + + "2Z5dpuLhbUGxHiqazNE9iq9pEEE="; + public static final String Intermediate_CRL_3_PP_06_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wNi4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIc24GzUM6/LswDQYJKoZIhvcNAQEFBQADgYEAK/zi" + + "r7ASgtWA0xGQVrqhHsXH9bdaj+FceW6ivoXo3z6xCFLvzu2uenEu5g849+YI0KMomHsDAY" + + "tX8qO3XEaLGchbhIfywgRVDlSF8ytMKhJTS05R/vZSZAl+eoT3mC92Grihsd3wublyNZ7a" + + "d925Py/oFp3J+geUkKJQK+RVu4M="; + public static final String Intermediate_CRL_4_PP_06_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QUC4wNi4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIDjpr8w0dRq0wDQYJKoZIhvcNAQEFBQADgYEAcBag" + + "81RFYMBAf8aRP5VXPcfu0OxgJvVE25ZHGLCkLD4TPKAXMjZMHWrf34+5FW7aigDO1YhGA+" + + "2zVtVj8k71DichiCCGXQvH50AqFgeNXNQwn9WcpQ8rRkfmyhlccfeM+MzHI1giRw/RjvCN" + + "0dfJL9g3c7peW+VCKn85REZ1ne4="; + public static final String End_Certificate_PP_06_03_crt = + "MIICbjCCAdegAwIBAgIBbzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBNC1QUC4wNi4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDYuMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKBSOacrUg5H5yuISkqmJuQcK2ao+Ib0FmIKCuek" + + "8mm2HEiux+K5/yIAYsQnz9eDKzKWaS73exPniKOXABHaL6dxsptbdBqWB6II2kIl0BFz9P" + + "82qjz6DMwpUhj5Pwfy5q0Bz8grTe31ZYP19y8AHgcWna+eiY4fNVXVkIEJOJ6tAgMBAAGj" + + "OjA4MA4GA1UdDwEB/wQEAwIF4DARBgNVHQ4ECgQIaZQ3Q55so58wEwYDVR0jBAwwCoAIDj" + + "pr8w0dRq0wDQYJKoZIhvcNAQEFBQADgYEAnNYKc2pSFZ9PtR4gQyVI3j+gQ97tcWu6Alxm" + + "4T48fSb2KtFGuozJyCv0aYjtuZ9ava9r4v04lyFPoAjWYbALHC9F+vz7JLNr4VstuMdy5O" + + "ax+PvJjKGACSXD7QjXJ48qvm+v8OnMbkzf8+rY3LoTJ2KhXo9Ey4+UmU/YuZ0PXuY="; + public static final String[] TEST_45_DATA = new String[] { + Intermediate_Certificate_1_PP_06_03_crt, + Intermediate_Certificate_2_PP_06_03_crt, + Intermediate_Certificate_3_PP_06_03_crt, + Intermediate_Certificate_4_PP_06_03_crt, + Intermediate_CRL_1_PP_06_03_crl, + Intermediate_CRL_2_PP_06_03_crl, + Intermediate_CRL_3_PP_06_03_crl, + Intermediate_CRL_4_PP_06_03_crl, + End_Certificate_PP_06_03_crt + }; + + /* + * test46 + * + */ + + public static final String Intermediate_Certificate_1_PP_06_04_crt = + "MIICozCCAgygAwIBAgIBcDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA2LjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDFoR/YTJlGYenu2IRsTiT6jwIA7yOnFbM9JXcqYIP5" + + "jSgtn/wVztPHgVWP+582foXJ+oEcThQVZ+RBXYt6VU5o7eVCsGJjqMd0DbRzTO+poelVoY" + + "1UEJMrKG0xSEex0T6XLQ+jPU9o5tlXoLYsXvpvbIrCJ0o8kuk4MWTzenDKJwIDAQABo3Ew" + + "bzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATAMBgNVHSQEBTADgAEAMBEGA1UdDgQKBAgVwXynYDSYEDATBgNVHSMEDDAKgAir" + + "muv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQC6MnYM9cY3CNb7/KKZvoaSwF/Se5iZYnbdPn" + + "WCnKydnN1AhlDN3kEw0gjTmZo/MkvPqku2aPzg5EiZ0eyeJaR6a4aiICU9z/Hiet19mBF6" + + "BtAUdt0fJ7aL5WPAc4BKXUbONd6vkQNv8uLcBmsqZ4wXDj7ZVBMGKcuDq7uClb0xYw=="; + public static final String Intermediate_Certificate_2_PP_06_04_crt = + "MIIClTCCAf6gAwIBAgIBcTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wNi4wNDAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjA2LjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDHqX/4IZpOCsHWgdJ6mICN94nXz/KqsXPNymadVdZA" + + "nVU0fHdMcxehAvsBKju5d791Psly1Xyyda8KQ0BKPgGed6jNKb89JzuEtPBov0VMzskqwR" + + "irjaDCwYKtibiDe+T/kEN9Sq5pbexHcaTbAIeQrAIoSUmGdQ/Up6PYplb0jwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQISKcQDqdBecUwEwYDVR0jBAwwCoAIFcF8p2A0mBAwDQYJKoZI" + + "hvcNAQEFBQADgYEAkAQaOoZYAZOCk881Ro+SIclAj2lp+arAkWPP/gwN4/0lpH62eWqlmY" + + "okWRBjk6+iwCgRxQ56uUjJhE08p5juZ5V32ie3RW+S1ZBPtL/T/+Tqp9HNQQ3GjW1yc/yI" + + "sWQxrd7QKzTER37HBiOr5WjEjn+dzuWlJtClcQetqMLtMgM="; + public static final String Intermediate_Certificate_3_PP_06_04_crt = + "MIIClTCCAf6gAwIBAgIBcjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wNi4wNDAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjA2LjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC2tnVj8KHGCm8XBPvDYWZMp3yOKQxuORze6a764qIC" + + "hkdO7hQbgJ9YiuAF/y62W17FnbhKPX6ninaZG0N77bznKvivSC3+T1jIVhw+kpxRh9MRya" + + "L2p+zHJEyO/9JaKWzJZiVi4kebW+hwNgSZc7FSYsAbW7lr4ujDei/yn/AJEwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIaAEiWf4JpfQwEwYDVR0jBAwwCoAISKcQDqdBecUwDQYJKoZI" + + "hvcNAQEFBQADgYEAHNsZDCWtOqt741IJNA9OwpymTA4ES1BRJquEvGj5+4RH2pxi67bYd1" + + "kWTPF1qFC2R1sugSNhbU0wOBMdKUJtKWNacPsK0HbD7CPqt4THOcMXFO36b/2gqHqy9rc/" + + "slWuIwbtT/tEC+Mk67GEATWNPifoPT7TjWHM3RhsDnagZXw="; + public static final String Intermediate_Certificate_4_PP_06_04_crt = + "MIIClTCCAf6gAwIBAgIBczANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wNi4wNDAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjA2LjA0MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDgdk/smDJ5yZYJDH4SG7pIDCzGNZeLO9RI3ybOx4/B" + + "M3YQu3DDFSOv8kq6PgL8ThC8Dk6t1jSbT8QVzaGgx0KMV3p6pIMdaVNkOjVjUb+L0nXVfr" + + "XYpFLON6tZLgh8oIbiz4KznKmsxo6VdYwyUeHmkpGcL5y+8qLspCNdRJnDGwIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIgSY376EamQowEwYDVR0jBAwwCoAIaAEiWf4JpfQwDQYJKoZI" + + "hvcNAQEFBQADgYEAEztvmGSVnDGGeNlIoR+wfRM8ndJogvUxLBZm4N96mDZ9Y+Nr99Dqvw" + + "+mMI3BU0miA5kDO9aFrKIgow3cpruoedhnBUsxTfhrNaFEwp+ORUb3tWn7sSxLfnTim4Vq" + + "y6j/EfUK2CS4ZAy7J5BADWSqDezPnrb5UaY1JFKMuLyGRac="; + public static final String Intermediate_CRL_1_PP_06_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wNi4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIFcF8p2A0mBAwDQYJKoZIhvcNAQEFBQADgYEAPlIW" + + "SxwW2LE8qxeD+M+HypNwai7j9XxUA2MhBbGVnsrhH+DKX5VeyP/nyZn2hBoGWhs05IpG2P" + + "S0odnyhbgGSXSj+IOfkZkVT0BmuEJmqv75R15LBzeyONks+eSEhoOIGAaIN4WgJ5mzjSrI" + + "ddDu3c4s6QO/OFVrNF1F6e4laSU="; + public static final String Intermediate_CRL_2_PP_06_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wNi4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAISKcQDqdBecUwDQYJKoZIhvcNAQEFBQADgYEAE5wt" + + "y3+jVnr8de/Yi0LV70v3JDHimwG2pQcuDRhR1NLPr4oC+2uxMqwxVzdHITDb3yI2ZT9pVh" + + "PV3UvX85avMdA0/JyaMWSKNpbSah1eNfMwMBY2vzh1Q7f5n+7HYYM+I2kz7HARPvwsLP9d" + + "j4mY7Kq7uiOFdnQzJ6LWjm8qEMs="; + public static final String Intermediate_CRL_3_PP_06_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wNi4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIaAEiWf4JpfQwDQYJKoZIhvcNAQEFBQADgYEAOm2f" + + "m3IdcDnIS915tEZzDmIbTFPBkIn0wjUreZKb9uNxE2a8Jixq+UP2uiyYWiWmXnRdVB1Gsb" + + "ofc5f8ctNgSPVTSYB0U5apIauXjV0y7WMUrLNrDFa5m9lxLRhF9kvXVL8zPhVfMpujnXre" + + "A8WS4UjDMuveyQL6yASGoZvB+Ps="; + public static final String Intermediate_CRL_4_PP_06_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QUC4wNi4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIgSY376EamQowDQYJKoZIhvcNAQEFBQADgYEAznK9" + + "ekskl4uWU+2Xqp3Pj14wvXuzfPAqFlHR0jl5By7T82JRiRa6LGX6T953vcwwJBsYG1hMqH" + + "pgbnUGB8APQ6YNXN+7ZkudaG6fMVX6bCr8zT+nVSj7PHIK2VFsC1Jpm5SoQMHH6DFit/oH" + + "tm4tdV8+nupMBQn1ZtxQHgUUF14="; + public static final String End_Certificate_PP_06_04_crt = + "MIIChjCCAe+gAwIBAgIBdDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBNC1QUC4wNi4wNDAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDYuMDQwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOCVJmtrW8Z2WGGRNjEgyp2NJn1xaIVDwlxL4C0n" + + "UAPpo1WM/rarQTYejT2Yo8H39TdRfiAlggF0Qsce0W//atey8WewGsFlUem6a4OFwg1X2h" + + "CN/COL0eC4a6lwkdOKmqgxSyWNWeKxXRTM8+EYQIem78uY7A8XuzVUmOpzYWoLAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QION6UOZ2Eky4wEwYDVR0jBAwwCoAIgSY376EamQowDQYJKoZIhvcNAQEFBQADgYEAXota" + + "1N1UrMxj2a/vdII92Wi8uEetcHo9vmiJVYxwPFkp+qo1q93Ww8Qnfp7xzaZwLgVoUOAF8U" + + "TRUVnzqoSwmRrfyEMfrgej3eiBjcU+zS9mNlx9mUUSLmlY+xMeejyVDCntRn6YJWWLesVq" + + "eFOjyNux97/XnGT3T1w0J+wShu4="; + public static final String[] TEST_46_DATA = new String[] { + Intermediate_Certificate_1_PP_06_04_crt, + Intermediate_Certificate_2_PP_06_04_crt, + Intermediate_Certificate_3_PP_06_04_crt, + Intermediate_Certificate_4_PP_06_04_crt, + Intermediate_CRL_1_PP_06_04_crl, + Intermediate_CRL_2_PP_06_04_crl, + Intermediate_CRL_3_PP_06_04_crl, + Intermediate_CRL_4_PP_06_04_crl, + End_Certificate_PP_06_04_crt + }; + + /* + * test47 + * + */ + + public static final String Intermediate_Certificate_1_PP_06_05_crt = + "MIICozCCAgygAwIBAgIBdTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA2LjA1MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDMIUtQ/CgudxHAwAAn8jUsdAY8u7WDslOC4nNbWn5C" + + "tILgZ2hGIZhEnhzP+VCV8ke8zLo1DX0hCRYAgzk5XTGAimExHFv/yDdhpJWEnqMRljkCHx" + + "Hg3XE1439qutBdmWvGUlRF0hQrd9Q/Ubr+PjEzP3a0EUmXo7LYuQKMcFsC4wIDAQABo3Ew" + + "bzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATAMBgNVHSQEBTADgAEHMBEGA1UdDgQKBAgha8GqGbO1nDATBgNVHSMEDDAKgAir" + + "muv5wudUjzANBgkqhkiG9w0BAQUFAAOBgQAEG5C3P1A/MYpNJ0qvi26v04GGUWDQWRW1q9" + + "1392XpAxDdv7kODf1FUMpfBpcUblagxrX7Npthv6/6W8poBTjvJuq5BfnnOMQrCwnsNfRy" + + "Y7b1mAZIvcOBhWe+bFVqRLUqZ+JseWkw0YgZIGtX41Znwl0VcFQKJ4lNkuaBgXXdGw=="; + public static final String Intermediate_Certificate_2_PP_06_05_crt = + "MIICozCCAgygAwIBAgIBdjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wNi4wNTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EyLVBQLjA2LjA1MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQC36j0YkXZZSw3qQaxD0g2BfrKYperkGjVAfLwOtOxB" + + "0A3Ufx2ECl/MqNOvi/QWlTkKwnrqw0aEnD25iS1DFM4jMZBmdfJg80oa+y6TJoZcIb+3bv" + + "SK5o3ArCFWkhTHHggIIY3H9dQOgAeYQF57Vb0iu59GPfnYJO8y8ZpxGIYcjQIDAQABo3Ew" + + "bzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATAMBgNVHSQEBTADgAECMBEGA1UdDgQKBAhUpoGZzfV7EjATBgNVHSMEDDAKgAgh" + + "a8GqGbO1nDANBgkqhkiG9w0BAQUFAAOBgQAjrFHzC1FLvssJTfV5YsGfw7Luj4EqLDQd6b" + + "MgtBSwPnXqMTUAZpDETyeYvcgM+L2tasB26MSy6IttSKsaJpHPCP+BIs0jji5xosuCX6Cs" + + "wI2gE/LjF85rjZnldrlDShw01DlcmWlWwudit/ieO71Xc8i0F4EhSaTUJX12po5Xkg=="; + public static final String Intermediate_Certificate_3_PP_06_05_crt = + "MIICozCCAgygAwIBAgIBdzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMi1QUC4wNi4wNTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0EzLVBQLjA2LjA1MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDFWhChPQNFYQpLBmVmXSGF2py1wcfhZgZurv0E5AgE" + + "BZwBo2bxSeC36lBQyR3OABGI4nQoEegSQWwuS2Pk3+emG2MZ8R5QINAkMlAKTp5Gj7KTlm" + + "3VVJRx7/VduoFx8sZPjkpvF1bSL+KOH4UZny1xqqTj4bJ+oGu58INeSNVa+wIDAQABo3Ew" + + "bzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATAMBgNVHSQEBTADgAEEMBEGA1UdDgQKBAjN4PvsHY9+YzATBgNVHSMEDDAKgAhU" + + "poGZzfV7EjANBgkqhkiG9w0BAQUFAAOBgQA8KmWbAQOnM59zry9TNtLbA2P5y8R/sO771S" + + "yQYcu6undt9t7UEiOepDp/z3CGsITm9RdtXAobZ5ZqhW+3Ll+UnML1itiCytOPbfC7iiUO" + + "S5jviQnpgJncZD2Lp65yNAB7lMmMleFO15Bsk8VNmzMDMsFtzo508Bs6T33ZW69/vg=="; + public static final String Intermediate_Certificate_4_PP_06_05_crt = + "MIIClTCCAf6gAwIBAgIBeDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMy1QUC4wNi4wNTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0E0LVBQLjA2LjA1MIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDxx57R4j64xdbjpTl7reLby/T2ym4rESC90aBkC2/E" + + "/YUSjsuGG9GiHEVgoGzoQGQNQV0v9ZMIvuoI6q7Fd6VZhIVGE0MGzTFNA9QEEDGPc10ZxC" + + "Gyh9mZYp77PMuhQ12Iv3aDW9KNTr09+HyhK7d3Se7toXLwjE5pKt+A4ZvBFQIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIwmq0fugIX0kwEwYDVR0jBAwwCoAIzeD77B2PfmMwDQYJKoZI" + + "hvcNAQEFBQADgYEAbAbRorTyh6zfAmdg0lfeZyCyW9k4NWfhUs46iSOl6lkZH8c1eoAF5/" + + "q0pOF+CtI3F9VMhfUXChEbVj7QENctU7kDiFe8300OWD5h1VUi+WTK4CG7B36/BjkrVOuG" + + "Os76P9l1WaC+/WRZdcqgFMfPjpn3R179dImBDwZiCMMbVqc="; + public static final String Intermediate_CRL_1_PP_06_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wNi4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIIWvBqhmztZwwDQYJKoZIhvcNAQEFBQADgYEADX3u" + + "wxpN+p8N2HqmhFw8w9LCeoR3Xa/uaqgqh4i/VkDuAC4Bi7VbIO6rcxDO2uAdZgNhb/hnRq" + + "cvKLcy0vrovCa2EPHcFo7dJl7si2q09EeuHT4+lZt/Ek/VOkwHhvh2o6yEvKOGXCnF9hZr" + + "8YbOIknboEz+tRfxoJArRBwpJkE="; + public static final String Intermediate_CRL_2_PP_06_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QUC4wNi4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIVKaBmc31exIwDQYJKoZIhvcNAQEFBQADgYEAQz7u" + + "dfU4yAHFLH5BgeZkYh0l2lZ95af+E/67MSCjQSF7RWWWTffbDMc4HmiRlZLvQdltyGCKmi" + + "kuzcPP8vyYOBQmoIKQ6c2LItBjXVavLdpe91yCOhCWXVVlnMFq5ztrvBEpfO0GVUOnPWfG" + + "1Ugit3SEd4DbhYFTBYHbbOKRWsU="; + public static final String Intermediate_CRL_3_PP_06_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QUC4wNi4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIzeD77B2PfmMwDQYJKoZIhvcNAQEFBQADgYEAkiW6" + + "h9a8v+IITd+p0jxukj2FYfmED59ZXAlYhQdQAGlPE71rOXn6ZPURYoGf7qlmBwQffpksOb" + + "Byb+PX+CBTUNXzhgTzD7ifM9xOhCEKVKai9acQfvokU56OHwfq5AnkRykLZ7IdvdYCP57k" + + "ynrNNV35dsMZXg23/PpreumlOkE="; + public static final String Intermediate_CRL_4_PP_06_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QUC4wNi4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIwmq0fugIX0kwDQYJKoZIhvcNAQEFBQADgYEAnTbS" + + "MBWyoPaslaLpAMmJ+D6kmmKAdRYurA0okU/QP+0W+YNPV4DducAQUDy8Cg3RkpRK2ze0ad" + + "l6TUW8g83hj9TXSBp+XZuVvzerMCjOeBqhskZN4Ly8101ZZmMmdYdSc3PEhqkme6iZzjwB" + + "ZooAN2dIYjuBj1c1/t5qH80CMAI="; + public static final String End_Certificate_PP_06_05_crt = + "MIICbjCCAdegAwIBAgIBeTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBNC1QUC4wNi4wNTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDYuMDUwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALyVMklPv3uwTPzLG70sXIwKSEt65yiU71ibHyhH" + + "wJ/6dXy3HK2UETkRBK7UVSOYq005EbO9s/3oR3zt7QTFifvRTsIjl1L4TCLC2a8ApBr3BH" + + "xmBWcJDf427Pk1fm5qDdEmZnpyIlpKaKIiBcdtwZfjr0lROL8RNcvgtJPdu/ndAgMBAAGj" + + "OjA4MA4GA1UdDwEB/wQEAwIF4DARBgNVHQ4ECgQISjAUfyAwSA0wEwYDVR0jBAwwCoAIwm" + + "q0fugIX0kwDQYJKoZIhvcNAQEFBQADgYEAC6Af3cJUh/IQgWdbC2Vmk96sYjDlAsbA2keY" + + "J0bgBcNaIVoJ/W0B3rSawqSU+Vv64p7kcuAl6cbvIXPB++19V23jj6HUs1JxtPJZ9IWkS/" + + "FRakv6lD7+j1OdzJvDR8AMZWmPFHJdQnJwQ+I1YOU/O/ShawOnGCmihpIULUINFhk="; + public static final String[] TEST_47_DATA = new String[] { + Intermediate_Certificate_1_PP_06_05_crt, + Intermediate_Certificate_2_PP_06_05_crt, + Intermediate_Certificate_3_PP_06_05_crt, + Intermediate_Certificate_4_PP_06_05_crt, + Intermediate_CRL_1_PP_06_05_crl, + Intermediate_CRL_2_PP_06_05_crl, + Intermediate_CRL_3_PP_06_05_crl, + Intermediate_CRL_4_PP_06_05_crl, + End_Certificate_PP_06_05_crt + }; + + /* + * test48 + * + */ + + public static final String Intermediate_Certificate_PP_08_01_crt = + "MIIClTCCAf6gAwIBAgIBejANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA4LjAxMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCp2vHVX08nyKe+S8NPkNJOZ9Xng22TbYXhUHtXw9yv" + + "ZmPkRhwDrZfBLXZcdZFixidkky3kCzv8Q3aPyPByM2ozH+AHJzEMbwifhyvUbANcS+Jts3" + + "lsZHarN7VyiXO+8J2OtYqX9qzmrAOHGleB2cJopEcmAMdrzgt1JIo98SUs4wIDAQABo2Mw" + + "YTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSA" + + "FlAwEwATARBgNVHQ4ECgQIoRYqHNcbLacwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZI" + + "hvcNAQEFBQADgYEAXchRFC94Pl25d3Kl4wBcueQLyWPRuH9zS0ZPLAqKLcWVdcg3fYMuJ5" + + "SypMMpxLaVjN7xq0KjML1gLiPQPk18iA2TOAUMblvjUl1uFzDdD6SqQidEZh2h3wxFtbLP" + + "U7qBBki7i1+Xn072Bpn2paw/vlh4K+ut0tFQ2BAhqVnQGJ8="; + public static final String Intermediate_CRL_PP_08_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wOC4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIoRYqHNcbLacwDQYJKoZIhvcNAQEFBQADgYEARyX9" + + "2+LoXD2fIAACBMPDgds6m3Equ+Aawlr0kuppPO4ydCU4kiEgtVGK+kY5GzP6fUpAKjC8mh" + + "BrozojhAbkJekDoN0BIJ42Iab70VmdWXRQhPsUDhQwEt+9eSgy+HfiFfpcL1VJx8uY4XMh" + + "VB3hmapIe99P/T2QkZ+Pl8j0MgY="; + public static final String End_Certificate_PP_08_01_crt = + "MIIChjCCAe+gAwIBAgIBezANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wOC4wMTAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDguMDEwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBANYtrtpgxNl+9jF3TN1B9bSEGQci+cQOKpFsmrtF" + + "AyiGBxKONgGSgSFFuFIhyBKZF5ROaKX1P8lsQkrpnuybUi+Z9ADdyoaLUDD/z/kp5sebAZ" + + "ujmF8HVlqHYj5Ls2smS9EdSN1zgPTXIOTeZd/lv1iFppRZv6cBqlaoapQJsb1JAgMBAAGj" + + "UjBQMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECg" + + "QIZjcOdw0ZTCYwEwYDVR0jBAwwCoAIoRYqHNcbLacwDQYJKoZIhvcNAQEFBQADgYEAarsn" + + "13/g0vOKxy0okOp2JXEsPdsP7aWnCfR8N4+7gFD6dVnkgCIyc5Kbs7MbhB9gtIxYhHOV9W" + + "MaW9QAcBH+eXciFDfQBfaMBkL34ssE/TsZ92r/bhBwKRcH54f96G0QWUnoNMt4U/1j2mKn" + + "faFirltqEPUu9mv4FiQ0pNT9yH0="; + public static final String[] TEST_48_DATA = new String[] { + Intermediate_Certificate_PP_08_01_crt, + Intermediate_CRL_PP_08_01_crl, + End_Certificate_PP_08_01_crt + }; + + /* + * test49 + * + */ + + public static final String Intermediate_Certificate_PP_08_02_crt = + "MIICojCCAgugAwIBAgIBfDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA4LjAyMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQCmAgNA68ABUEppM9Oo3guiGvguvtrWQzsQIJfMBrE4" + + "/Scwc4SPK4PiJD+kVwtXinXpVclBMQge10uZ48lSJTihfZscJw3RSHt70H4CpPQm44QS7P" + + "7fQqpcZKZvMWmY6A8jju3Phbuq2WgJCIxxVw886GNIAXW8C4ZFmXCjwiGGHwIDAQABo3Aw" + + "bjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAjBgNVHSAEHDAaMAsGCWCGSA" + + "FlAwEwATALBglghkgBZQMBMAIwEQYDVR0OBAoECOhZ4RAlqGGcMBMGA1UdIwQMMAqACKua" + + "6/nC51SPMA0GCSqGSIb3DQEBBQUAA4GBAGEVSOcNaUu50f6AgGBtz1MDdRiHe08W/nzCNn" + + "0K1/UqrIXVJ7IYgbOLkL3cdHy4PdngCyEblzl5Cwp9chh2zL0PTUbV1uJIBW32ks1HuAVQ" + + "FTZqx0iuopY5AqRCJVDJt4HB5PKObwnmLPNWicI4Juap13j/Tcnw1EP7E7n6OejC"; + public static final String Intermediate_CRL_PP_08_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wOC4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI6FnhECWoYZwwDQYJKoZIhvcNAQEFBQADgYEACLHw" + + "iDARFoF4GauIHnoZlfj6nlOHAFfNSXq06Vvl713bsoAiOSV+2goZjRG62uxhampE+gCdXx" + + "1nwhKQ5R5jOGGOxgLtBFNZwKmD0KiDOSvfIVJ0kYCcaB4mSm0a/7pcCPrrE5ofvkmTW6Wx" + + "k/YIuBZdDoqZC91v4tnu0fSch9Q="; + public static final String End_Certificate_PP_08_02_crt = + "MIICkzCCAfygAwIBAgIBfTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wOC4wMjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDguMDIwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOJsz8ys71e8UB+VDTBAocVQvADiqh0LjdML3pET" + + "B6VvikiHgbB1PJufxDses+v0WD74ChZEa/octNcMFqMgBlhVBEfvbyGTjiN97LzdZ7SPyd" + + "DsDulqwBG9sACryUGHqwHYnUbjOqsThOXFB8Sg/CGGawpZAosm2AuH2gqNvNuJAgMBAAGj" + + "XzBdMA4GA1UdDwEB/wQEAwIF4DAjBgNVHSAEHDAaMAsGCWCGSAFlAwEwATALBglghkgBZQ" + + "MBMAIwEQYDVR0OBAoECOiMLE2l5u16MBMGA1UdIwQMMAqACOhZ4RAlqGGcMA0GCSqGSIb3" + + "DQEBBQUAA4GBAFf4BCbNtduwn5InkfdtFbQOqhPLAn/5eIhxhVhUu7TekWT7ktdaVQFzGF" + + "G2h1+gXgFP+YKjJy7kGzEVQjlWtuC0l74EwybNHnYAoDg4itKe+0OSNNXdyOmn+i0tE0nx" + + "sWN19VvhLGFC8p38gd0oDr1ziYdg0z2Mx4IlMDxl7QhT"; + public static final String[] TEST_49_DATA = new String[] { + Intermediate_Certificate_PP_08_02_crt, + Intermediate_CRL_PP_08_02_crl, + End_Certificate_PP_08_02_crt + }; + + /* + * test50 + * + */ + + public static final String Intermediate_Certificate_PP_08_03_crt = + "MIICkDCCAfmgAwIBAgIBfjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UEAxMMQ0ExLVBQLjA4LjAzMIGfMA0GCS" + + "qGSIb3DQEBAQUAA4GNADCBiQKBgQDKZDgBum5Ud5i8HWlCKInJ1x9goZ7TQJ+LdfA9iGU1" + + "47xJL5eFcERWy4dr5wM5GNRW/DHXlnA/qsRVE29EuRh6qAVgcPGAfmJxz7s5yhmErfmiQ3" + + "0rh6+pma/EhcjntXqwIqnk1qt6mEk7x9UKO3ksFCVsDEA67/dvownjcZB59wIDAQABo14w" + + "XDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjARBgNVHSAECjAIMAYGBFUdIA" + + "AwEQYDVR0OBAoECGtTrZIwYYHbMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqGSIb3DQEB" + + "BQUAA4GBAM3t13xJJraRiJDAwZFxhTNR570wMdSRiF3yWSRtOjEv8NTVFj/T1oJJ8h9Gqh" + + "hMpTTHU7uGCyVB9S1HCelmS+1zteKr0B+WVzBl9yuhvku3farz6zgIVK3v5hQ6xC4H4Lac" + + "NDhTTKBkRfDf9KskFoxJ/AGxPdZtIEC92DFSblQB"; + public static final String Intermediate_CRL_PP_08_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wOC4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIa1OtkjBhgdswDQYJKoZIhvcNAQEFBQADgYEAcUHo" + + "D00X/pd3D5KGa5C6dY18RsnUovkjUkegGTpbhQfmYZIdBatj7Kv75FeUJ9UpqCUjxHgdiE" + + "EVy60NLVGP2VRuJ1m8vfDz8hu5PaiVjneQoRw2M9ieBnz3PjSETDdBGJLWHyCBZbp/W2+0" + + "iqcZK7Fm9O5EL4PUO6QIwuH76q0="; + public static final String End_Certificate_PP_08_03_crt = + "MIICgTCCAeqgAwIBAgIBfzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1" + + "UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rpbmcx" + + "FTATBgNVBAMTDENBMS1QUC4wOC4wMzAeFw05ODAxMDExMjAxMDBaFw00ODAxMDExMjAxMD" + + "BaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsT" + + "A0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UEAxMOVXNlcjEtUFAuMDguMDMwgZ8wDQ" + + "YJKoZIhvcNAQEBBQADgY0AMIGJAoGBALsXEPrCg91CObTl5OrHIB5GshIDXgqBmjzxfWPK" + + "ih4STWeBe2eIFO9pONXcM5lstEu2XLBPP6QBMUMWOrphJejrJ3eDQHs404bBnt95O/x17i" + + "665CZtg1jUqoO1kOBOComx2AJGZ46RdBExbfd0tTtdHWtRhMsnQchI+WtEyotdAgMBAAGj" + + "TTBLMA4GA1UdDwEB/wQEAwIF4DARBgNVHSAECjAIMAYGBFUdIAAwEQYDVR0OBAoECEWZkJ" + + "TYQ3z5MBMGA1UdIwQMMAqACGtTrZIwYYHbMA0GCSqGSIb3DQEBBQUAA4GBAHki/TrpHiKW" + + "gvERhguQ/uOqHHZNXsog+fgGVFFMOWwJ9bq4aHKd1fDZpyZF4vBxW7llbhuSt+ob2TNlkR" + + "wkqzfGL+3xOTKNRgzDwJcil8akC1N5uBftrQk+eL7rM1PezWRM7fIbpmv5ZieIVswtTPF5" + + "1Rl3G+JXUBy9E95espls"; + public static final String[] TEST_50_DATA = new String[] { + Intermediate_Certificate_PP_08_03_crt, + Intermediate_CRL_PP_08_03_crl, + End_Certificate_PP_08_03_crt + }; + + /* + * test51 + * + */ + + public static final String Intermediate_Certificate_PP_08_04_crt = + "MIICljCCAf+gAwIBAgICAIAwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QUC4wOC4wNDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsrM3A06j1zDz6VuZh+O2UrAPcKtwSA6KxTShUpgr" + + "t9UB5iIAEvxcDTwDlubEv/cJjDcFj9N57otzW4ppnuT2ztE4ROmkNb0xL6u00deS1yGjXB" + + "wy1G9g8bYDdAXOJlv0tjHOBqXlyKoMny82BOBL2vsCstiqxl14Q3/wBD1w29MCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAMwEQYDVR0OBAoECJiAkexK6/c7MBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAL4xwcpXZQPTTPYIQ8CMoVla/5P1x6BPmPqSkvh1D/o4ds9Ll9kHBz" + + "//X1ZM8SzYcEO+1r75JUzoHsvDw9yYAk2oclLsCORAPqD8Owhv3jv0QQtYSmf0Sxt5FLx0" + + "MRP9keY/DURRf9KitO4glOawtRtYMq2BeeJk1xusY0KqEnQr"; + public static final String Intermediate_CRL_PP_08_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wOC4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAImICR7Err9zswDQYJKoZIhvcNAQEFBQADgYEAcN3a" + + "jIEcXsQatb0fvVcFnO7d7lzNtgbqL3MtaqJ/PjkRJ/rO7JAXQRwdajUZF4ECHylZKE2HUG" + + "Dk+vidV98T8mNmb0TEuuLV+J1G0q8ezMXRJtDt/2m3y1VBireXlEMd1DdgpsDdCQ4va+XJ" + + "qv0TvVhfxWry+LrVb6Bf5ItexXg="; + public static final String End_Certificate_PP_08_04_crt = + "MIIChzCCAfCgAwIBAgICAIEwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUFAuMDguMDQwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBQLjA4LjA0MIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPJWa/cB7WW7tkGxFhcwxqE+BycXe3Ru2qGbun" + + "NPQZ/j44UT2C6rl1wZwugCY0sR6mXR/P/NR7czZvg4Tt6lwcNtc8PeafFMUeu0u0Kg9uWn" + + "fzQQKeIgRVcEzGTGMPGWXS0ed6X/1+Dj8A+T/tqXKUtM3Jpe0pCmm9CIrYCXLPRQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAQwEQYDVR0OBA" + + "oECKm9IOyOM1h+MBMGA1UdIwQMMAqACJiAkexK6/c7MA0GCSqGSIb3DQEBBQUAA4GBAEXy" + + "dlTkkZaYK6sUJCiPeCPxfj5cdo/G4RGBImMJbTeDyVTvXSH9G2yWUMqBGnYLrwdJJeXjF3" + + "89miJgnJ+1r/r3r2/NeAUuJDsOHRMFh0KXFmgubyw/kGsZBe3279hDnND8ZjfQBmKQD17f" + + "PycWTTAC5p6GM8tGERiDSnMc5rmm"; + public static final String[] TEST_51_DATA = new String[] { + Intermediate_Certificate_PP_08_04_crt, + Intermediate_CRL_PP_08_04_crl, + End_Certificate_PP_08_04_crt + }; + + /* + * test52 + * + */ + + public static final String Intermediate_Certificate_PP_08_05_crt = + "MIICljCCAf+gAwIBAgICAIIwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QUC4wOC4wNTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwH2d+D0pH8y4QJAPpE0s2oWucV1jlE4pBMGNNPJ5" + + "FIRmyRCt90IpzmK/EuqT6iSZYd9hIB9wa180ByN67PK1z4loLFMUL2RmbWeAFlGy5eEFOy" + + "4d479qfy6JCOzt0TKhYzhukLUqGLa4DDTzvnnUx0o86aLvGq0K5s6DRlNyc08CAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAMwEQYDVR0OBAoECDSeuxr4EVgaMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAKoGi6qlODB8Lc86PtGXfBhW769jB8xzgmENE59sqNBEvYa/oK9Xxm" + + "1JX1OGEQMq/mqwZXg6hSczpexCIO4tUH8QKTU68yvqcZoZCDV8FLM8aEUPtUoPIpluhAtN" + + "scGfb3uXoV9fg7q1Pi5YlKMnNrDIq1tH1CAGKMDRrjW63Q8C"; + public static final String Intermediate_CRL_PP_08_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wOC4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAINJ67GvgRWBowDQYJKoZIhvcNAQEFBQADgYEAv5Hs" + + "nYPZO1fGC/Z2lIbbUKjIv0+BrR9HbG+b76wXeJTVxfXMlZe0cpOR/KD29DyxI3G4IedHRy" + + "zL8iCDWYbA86arJzl5GZJ1MC2A586vNn/6wiiT6nP3iMj2z/nyvan8L30KNBm9IDXQExOu" + + "PNE/wOWYBxxCjg551fpXfJKqDIo="; + public static final String End_Certificate_PP_08_05_crt = + "MIIChzCCAfCgAwIBAgICAIMwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUFAuMDguMDUwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBQLjA4LjA1MIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4BZFTwOqI+71v8CdiYbe7x0qYveN524h6+iLh" + + "oEqvzuVKVqvQgVSaSLPcMhoCGDv3nqyP57Znl/3I09vLU6F4HKLtjO9E0PZu8EXOKLjeWP" + + "XmJQkdHfODj/TrrWSsrdorl7s7gdWEUFlbiWvUVUtkqLNbGLJZ5Q1xZvBRLS7loQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAMwEQYDVR0OBA" + + "oECBDaTXbN11BBMBMGA1UdIwQMMAqACDSeuxr4EVgaMA0GCSqGSIb3DQEBBQUAA4GBAGVa" + + "QNtd4LgoVZQ+Uy1lSr6sog4fsGaoQJCZcvrMJwGpMF0FJsGtOb0R2mfwHi1YXqPF5qZY2I" + + "7cVbwVtRQzbXunk1z12k0iIesMtYUncxb/SBstC7VNS8HNZm9ese+YM6Ac8mGT+IUZsPcP" + + "gI9fQ1L/2u+/3L4fweca1R45xm5M"; + public static final String[] TEST_52_DATA = new String[] { + Intermediate_Certificate_PP_08_05_crt, + Intermediate_CRL_PP_08_05_crl, + End_Certificate_PP_08_05_crt + }; + + /* + * test53 + * + */ + + public static final String Intermediate_Certificate_PP_08_06_crt = + "MIICsDCCAhmgAwIBAgICAIQwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QUC4wOC4wNjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlSIH/+6DEL1P9tkgbsI2PcW0w9dmqMTLP3jKYPsr" + + "sSWI5bcv55sk6RItVr3hGgkaskZoHeamUBAiGPksVyrqmRwSCJzQDLnLdMnjjudvPjp1ZZ" + + "9UCufTtMPFvnEuVBx5e8A13AQ4OyHqaJgWRVoRJd6vwTa5jzfYCCMJZHHKpcUCAwEAAaN9" + + "MHswDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwMAYDVR0gBCkwJzALBglghk" + + "gBZQMBMAEwCwYJYIZIAWUDATACMAsGCWCGSAFlAwEwAzARBgNVHQ4ECgQI8837JGF7vMAw" + + "EwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEFBQADgYEAKmgbxzWI6V2twYDp65" + + "Gu8zn883CnI08s2FEVupvrKduxYmg+ZDkTBE3ZJFxcOuxJf58MRfDWy8C4jJhLnT3JSSSg" + + "sY3n93jzc0s2h5y2wd1bUTDLqhqWCshisDG/88rpv938O8luiUEwltolzKTa+ScA6nXSQt" + + "LT4I6O3vbTx2g="; + public static final String Intermediate_CRL_PP_08_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QUC4wOC4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI8837JGF7vMAwDQYJKoZIhvcNAQEFBQADgYEAHua+" + + "lC3wP4G6796jjr6wuu7xEQqY1azsLVsGtL7YL8fm42rl7hgU40SuFIc7Kc+A7oEEkKgvmu" + + "SLMIv7q5O8J26fQOuduGWQAncPYB8w7sNWjCZbdjVbjp1XIApcAL3djCbLZ8/NYsCoOuwx" + + "hRQKX1hIn+rNDi1DMD4H99QdDGE="; + public static final String End_Certificate_PP_08_06_crt = + "MIICoTCCAgqgAwIBAgICAIUwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUFAuMDguMDYwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBQLjA4LjA2MIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnaYU/lu+u+LmLQwyACSsRyxQEEvgriE7ApmHj" + + "sNBcd3lovFQMfw9MyOOMsInOgQZU8p/invnhx11/pwi77ViQQ780unhHt5H/tteaYwcsDR" + + "cUxR/8jK0DBnbVWvm8S/NGb8BxfbRmDHBTWGZ70hDSCJypWRfHQj0I/SAqAW/VuwIDAQAB" + + "o2wwajAOBgNVHQ8BAf8EBAMCBeAwMAYDVR0gBCkwJzALBglghkgBZQMBMAEwCwYJYIZIAW" + + "UDATACMAsGCWCGSAFlAwEwAzARBgNVHQ4ECgQIhh/KikcKA7EwEwYDVR0jBAwwCoAI8837" + + "JGF7vMAwDQYJKoZIhvcNAQEFBQADgYEAbHK3lkqbGy61lu9d22uO2H3hzwvjmlccZo8pro" + + "ord45d2nRIxw2ag4dS1YRFrefVdxZtKeR9+5o+tQtvmTcDOer4u6NZ/sVVElTb1d6axtL0" + + "i4cmqv6bGWYECEwtwmPGqAavp9pPZjNRbkBGy9qhVNTXfDQYpA8yzXWO/xUrwNU="; + public static final String[] TEST_53_DATA = new String[] { + Intermediate_Certificate_PP_08_06_crt, + Intermediate_CRL_PP_08_06_crl, + End_Certificate_PP_08_06_crt + }; + + /* + * test54 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_01_crt = + "MIICmTCCAgKgAwIBAgICAIYwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxDV2d7qXbpCvOzBimskBLsgexpEYaHv0s7gOaqhC" + + "4A3K8sxdjyW6QdGZhKX8tCMqnlPp9CNbpY4tQQ5oTSk5pj6HwAsTfGcDwXJnjKWx1FJ7rD" + + "meZZ8c2K7a8voBl6FoPGn8CMhO0WmM9Eyb/vDUPdCZzScb+z/BxTcV1BPFdq0CAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECBpj0+Gcq32oMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBAB/9veHrkLeu8jkwXggJtwqPTmkrIBcX+pz85BTSETYeLOzF46" + + "onk+qt+IHptlrm3D7ny2Y5M0dQQ6tPzhGZxCEg9RoDibZGtsx+qeAh1ZjeEpEcQyp/idWY" + + "asH+EIuEIOZA9c1ySxI/3v3ZfzaSGS8jsgSDkLB4JumrE9ZkLNd1"; + public static final String Intermediate_Certificate_2_PL_01_01_crt = + "MIICljCCAf+gAwIBAgICAIcwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3B3UKG3tEL6FQz6dL6iqSvzgGsm1Fg5uzK8npkEq" + + "g2caUM7huYFfXeur1mu6iKiROcGX8ZYxrPi9Orh39YVrSu2EUWvqQui4QScf4dIlzAOunv" + + "0gAa/lIVTHgZhIomKND6/tZLU251dJiFhoV6bXx2tor83vWFVPx2oVd5LL5S0CAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECJmK3jFTIl6lMBMGA1UdIwQMMAqACBpj0+Gcq32oMA0GCSqG" + + "SIb3DQEBBQUAA4GBADkYLTg4RncTpAFmpUy7WGOMvoFV15nDoi91OMxhxVkbGSE0DJFxi3" + + "hPKcfUNvzy0bEUUTaqOXdbIkoLTG77NTckJxurSRyam0jA0+6SUYZ6F9fVotwMul2EiVl9" + + "XP5oCt7LkgqVgMASuwfzMnQozB6Oi/YP2OdSPXLipI6rl2dx"; + public static final String Intermediate_CRL_1_PL_01_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIGmPT4ZyrfagwDQYJKoZIhvcNAQEFBQADgYEAd8YZ" + + "8jibr8yjcGYSDicJuyUvHBZntTVQ1sP5XVmtCZcYcQCVjbC0auYTEP5snXbGPW5qeEaaXB" + + "MhekMr776hP4Kl3g4AjguFl3XQGcURlgNd8LsTpMMdNWC7XwooOF2FzFjD1ru0BSEWabzW" + + "NNaVeuMMbu2N0lc6NDJvRC8LkhA="; + public static final String Intermediate_CRL_2_PL_01_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAImYreMVMiXqUwDQYJKoZIhvcNAQEFBQADgYEAZFec" + + "GtjOfp8pT0n1dMF/x9n8y5tM+G3LLnZvDJspLc/sqP3E3B/sHBiis81caEkQQAOTBU5goJ" + + "0KOFAUOfEq+IX5uvNhuPuinx0OsSak+2Annvi12zodMQKPNm1uMVt2bMHHHZVEVTqcv36g" + + "xgdbp0YKTmuvSy6s8NtGFpkNmnU="; + public static final String End_Certificate_PL_01_01_crt = + "MIIChzCCAfCgAwIBAgICAIgwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBMLjAxLjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCAUPp5j4V5XTA44Ra1EWkp9HgS4w3uXJ7/Vhi" + + "K5bARFrDOOxjV8nmr5hoUYr4jwdi2Rl+60TQK/F08gdcGxdyc9p/yiU5HyAP6i+4iqmvaW" + + "9b2egNyZ5tOmpl/Q9FSFWa9d/PYBKM5Sj/r73RtA+/chc4uq3uyLekSRQGh1MieQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECAiL3A4CkaFyMBMGA1UdIwQMMAqACJmK3jFTIl6lMA0GCSqGSIb3DQEBBQUAA4GBAJtH" + + "mNNvCt/0uFbHdvUvCuBeZ9cggfpTyUS4X8zgcLDPFbw6VvX65umOZpceZI6hwcre+LZahi" + + "gUEPvXppncEObkeVTcYdOTSDoxh5tZyee1P4sbD9H+suGWeewqUDvFs2ymHtxlkpOttitR" + + "xQc2U6VlCuZ4XU8SwucyhW0z51e4"; + public static final String[] TEST_54_DATA = new String[] { + Intermediate_Certificate_1_PL_01_01_crt, + Intermediate_Certificate_2_PL_01_01_crt, + Intermediate_CRL_1_PL_01_01_crl, + Intermediate_CRL_2_PL_01_01_crl, + End_Certificate_PL_01_01_crt + }; + + /* + * test55 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_02_crt = + "MIICmTCCAgKgAwIBAgICAIkwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wMjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4QmGXEeVKCn1aQx27r+EBuQqfi8fP7gyV5JLkaSu" + + "DOUrqXg8dQxHsBNCf3XilGIvjNFZjVUPdS8FNqC+if9D164VyGQlv/JUor/GlvwVfyotUO" + + "U1PqSzFrAALYTmfm/ZqhMvGYloStSDxlzjDmyKadskzOxZZDNSe5s8dvUpYn0CAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECGk7qDbbBgRbMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBAD+eI+jg4jmeC3pJRGEF/hbPPYvL6aocjqqbZyNKN5FWItccQo" + + "PWg/GK1GpusDZadesZBDo6fLIUJzL+OumrIYJLB3HxQsmyOXB1gRg1hcva71RWFJYzx01U" + + "eB8lCbk8Zu24HzLzqjfVuwKOFFELWDEq7bd6Re/aKSHtNnDbsgSE"; + public static final String Intermediate_Certificate_2_PL_01_02_crt = + "MIICljCCAf+gAwIBAgICAIowDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDIwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wMjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAl/HiHoos7eHaDIFhMmvIPk63UT33Z+0iiCIuKLW7" + + "tgkT8ia1Yg++np1pC3oqYVeKkXqMcjgonPGQhcek12vLt3/+2PYyYirOTVZaiO9pKQ5An8" + + "ZMWXIJmCEAMHabPO1RnetvRv5JZFxZY9jIUnD2fUADzzUh/eHN6Pur0DDrI6sCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECPk0C10KQLZuMBMGA1UdIwQMMAqACGk7qDbbBgRbMA0GCSqG" + + "SIb3DQEBBQUAA4GBAMJ4+BZQxpxWhNbo8bpGkbbcKT3kfKYrHjHsZADC+/gAJSVL854b1W" + + "VKsGr1YcCX10V1Gcqb6Jgziy+AzRLhcJngszcz0A7LxrMH+FIyWEPgZnOyQCa8B/9bnsh9" + + "bC1gEmXGOVtWboIFOEdGghEbm/ENnQyj+HbIk3jhF3QYbXhw"; + public static final String Intermediate_CRL_1_PL_01_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIaTuoNtsGBFswDQYJKoZIhvcNAQEFBQADgYEAZEt+" + + "FjRuXgnOZg70geqS4hVsF1VWWawlAVGmjPsbRH7rADXPUE2bYL54wLdwt/6QYwHqy2KwCf" + + "d4OkWkwn9xwGS4j+XBCw9Y4nbWI+wrsZ9W7vgbeIaVUUUZu6hoin1GxrGDcfbM+bhYzQAA" + + "gNmKIWdlJ4tKD2KNgg0KmZPoj/k="; + public static final String Intermediate_CRL_2_PL_01_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI+TQLXQpAtm4wDQYJKoZIhvcNAQEFBQADgYEAXwZO" + + "wr9mrO6yUOoopNjcIcDssCUksYco1PFgWx9O/hGq9ktdoGoGcECGhdkHTLe2ab3WFl9jzW" + + "1/lkysD9Jl3VjbnbRB3dPQlrSfiv7cYBLnfKvyF/CxQg/wCtWo46GJJQgOx/WHzi9aF08m" + + "tQuJEtl7RgoByUSvLtmvKjQWEnc="; + public static final String End_Certificate_PL_01_02_crt = + "MIICljCCAf+gAwIBAgICAIswDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMDIwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMy1QTC4wMS4wMjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0/rXOZwUebRaHcPPFeKTB2OWIzIAgavqb5HerPAe" + + "c3sJCdNOSLc0OX0dFblso97WR8uueF9I7QeGg3ayQjzDVqm5Tu77ZaCuyb6UU8+fY2eqwD" + + "5lCVuLfJr9U2JD5b2TcdvAD9RqfhefclVjDj9rObLjvzLg3AefO3drsfBtAIMCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAeYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECDBWCFTOp3evMBMGA1UdIwQMMAqACPk0C10KQLZuMA0GCSqG" + + "SIb3DQEBBQUAA4GBAI/JpU3gHo8Izsbjlx6bkQo/e/hD634N5lSMtVHIGnoVLu99dvroRu" + + "2DO8Fhnv6VZpMvYoAc5oEgUqx9hw3bfS/XN9GXaeMssjwN/qM6lzCsvMG7DA9sf59xjf4Y" + + "2+u4KTye4PdpmWaseDDJ1wAihTHEaofnQdaoUffxQgw5UcAf"; + public static final String[] TEST_55_DATA = new String[] { + Intermediate_Certificate_1_PL_01_02_crt, + Intermediate_Certificate_2_PL_01_02_crt, + Intermediate_CRL_1_PL_01_02_crl, + Intermediate_CRL_2_PL_01_02_crl, + End_Certificate_PL_01_02_crt + }; + + /* + * test56 + * + */ + + public static final String Intermediate_Certificate_PL_01_03_crt = + "MIICmTCCAgKgAwIBAgICAIwwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wMzCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA60y6V2WkNCB34dcGfu+Jo3YHQZXzgp76+HgnyFmP" + + "DLj9DjZHqifD3gW8Zk7L+yK4PfLDSHjbrXM9GY1ser6XwhaJQDPUBBYW5X3XTOmDWmV63J" + + "YeRF5r7cfF2h3eEZ460GRLK5tt0Zr8V+hA9oOvwqynrIhDYC/tCzE28ciqA+sCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECPE2FCetVerZMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBABUOUWwyfyrRIw7dRIVfLlWyp5R1I+Kmq5e8st0AEMVpPAmLoy" + + "0s+46Xf+THXZy5em1P3bSVTSUhTs+XD6tbFFUcTrX0mQJlshR7yD/A0siMDUNzzt9LJQvP" + + "dwNjQSA2keOrV9q/2CAGce4daL4Wz54jfh33YVqJ8sHT4E8CxQb7"; + public static final String Intermediate_CRL_PL_01_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI8TYUJ61V6tkwDQYJKoZIhvcNAQEFBQADgYEA6FnB" + + "LXWt4B/3oP0PXERYh7ZV39yu/tm9DHBQGcGDF8JIspU7F+mH/+37U/lT6BQxpKOpgOgGeP" + + "nTQeQzN9sRsXxFO22SkHbdPCao84qvv485epgzqFcVsCRBwBBLcnNLMg891q0EYsTW9vSw" + + "Dx7V4CawyYAYGz1MqYuY6SSs6Q0="; + public static final String End_Certificate_PL_01_03_crt = + "MIIChzCCAfCgAwIBAgICAI0wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDMwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBMLjAxLjAzMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwt6B9gpDz/x/vnowXf1MdkAPeaCWZ3pYikgxE" + + "ZLrMuulFaI1UDnAzgSuSvoHE80VKGKjSkrzIX9OFfeilW5rNZAXoZrjtkaJd1Q8l5AtjFn" + + "0tlLytDzIMYo5Tiq/n3IiTdbEzGYzEOCcSyVaQdB7K1WgYI/z/UAaWV/GbqCX1zQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECMQHLiufEm0IMBMGA1UdIwQMMAqACPE2FCetVerZMA0GCSqGSIb3DQEBBQUAA4GBAD5/" + + "vGn/rpoHvny/mfh6n2zVNNQLTEBiddfAdCWpeBFcwxS5lpxfm4dAWgHhprZTMirF9yS+wO" + + "wWQ4G9/wiqfAtoaNN1qkHMlUMOAPsOSff6ClgP+1uzKVqQa9NTd5HAeMdYfYjMa/fcF/37" + + "plCs5ZsJjb9lhEjNd/tq4/aALQmt"; + public static final String[] TEST_56_DATA = new String[] { + Intermediate_Certificate_PL_01_03_crt, + Intermediate_CRL_PL_01_03_crl, + End_Certificate_PL_01_03_crt + }; + + /* + * test57 + * + */ + + public static final String Intermediate_Certificate_PL_01_04_crt = + "MIICmTCCAgKgAwIBAgICAI4wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wNDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06yd2NQEAgpv0kQQEOzhHHU4YqHgtvJgkdLYxb2W" + + "Zordrm4b/43UDnLmsI0790V76y9Aa+Y8SIMBBRBJgnlppFJrFsPaOMO98M3/mXkQotVbY1" + + "59P/AjWMxpzP9h8Bs8KuoPqnl5jN0UZAF4kRoNXHzyS445VBp4DtWz/jcCPm8CAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECHxLORDZ1KKNMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBACHmDOaoC0Hr2cmfuQvdyGDF7/RlvTUJ7cvGypCa724SwAZGZk" + + "Tf5GwxgjVcLHY5RlX2kDm9vjneDzP88U3587qA2ZRwxhheK0RGp1kudNQ5y2gAGKZ7YSc0" + + "SENMDxUAa6HUkn9Rfo4rf5ULuGNJZXQZ3DtP+lZSwzkUeCVjKhyQ"; + public static final String Intermediate_CRL_PL_01_04_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wNBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIfEs5ENnUoo0wDQYJKoZIhvcNAQEFBQADgYEAb8lX" + + "19SlVNRkc9SKNpRLZQom67djZfMSIPIDkBALfMepdevbquzgO7AufTuiDn5Zqe6J6odTv6" + + "RrQReo64XB4+Lx2pXOe8bZEbzZk0HvzLl9DjN7zxyNglNK+Hd2xS4yT4ps4fBdvXvWAXEx" + + "6DfvWHbGFDoH2auomCKJtCVXxCI="; + public static final String End_Certificate_PL_01_04_crt = + "MIICljCCAf+gAwIBAgICAI8wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDQwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wNDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA14bXc39XiWvb4r1jzbADzrpfbg2Y9sGBkefSQHsM" + + "QZ1SRLR7uexWD7MuDYh4ZYBL+WPhaJJr3a1jnAIp54h68m8mwS13DgrxBF2/hrVKEm9IRG" + + "s13hoM4Mjjogn/Lvc1xLvB5lctHjZrNRZjyrt+PqDDmqZqgCOmcD61PhrfAoECAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAeYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECB9hXgJfzBvTMBMGA1UdIwQMMAqACHxLORDZ1KKNMA0GCSqG" + + "SIb3DQEBBQUAA4GBAB0HgiURRd/REVfc5DenIPhMu8riVcwVgTUwatsCWragUhXpCtvJmf" + + "z4vGo1rKYai2dltVX6am+NDvN5tROcM0bvC8lOCc/iPfI5eWTy9SJ2nxvs1+q809Rj0rno" + + "zS77TIE8rD7Q8ZUd3qNUiBwdjBoc9misgyN7zUulg4Ueebvv"; + public static final String[] TEST_57_DATA = new String[] { + Intermediate_Certificate_PL_01_04_crt, + Intermediate_CRL_PL_01_04_crl, + End_Certificate_PL_01_04_crt + }; + + /* + * test58 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_05_crt = + "MIICmTCCAgKgAwIBAgICAJAwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wNTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA/rVBEGZ4jibDhREeRGV3jPnv05esRL8/En1Bu35y" + + "QrAHi32+kBu42vwwDbeuiTZd/B90bn5srJZoW83rxXxNnpxqbnjN3GgIcRiUVyaVRTp9/U" + + "IT8B9h09b9yT8gpQ5qR0+JDcOHCfJwpogAsyJJa6AM5p/q3TeF39ugfVOWt/cCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBjAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECJ7/mkuLuEIGMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBADC0A2KMMSSmGI9p85WG7XZVMBX/xdDYOHO0e3ORTRFS3kj9rK" + + "a0yUjc1X+p22AA8kUyOLpYIulfDjPrLKN2E/hWSf3+XWMiC7JfX01F+BBl/avEZoymaZB4" + + "dkH1Hym4IMJoSaEOgf5HFKBnFEA6aUcr+oDYGUP+Sc1dmJMjBW72"; + public static final String Intermediate_Certificate_2_PL_01_05_crt = + "MIICmTCCAgKgAwIBAgICAJEwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDUwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wNTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEArir4GaS6r0Tv9PMbaOXYdPKADNpVbJe79G5t/F6x" + + "7Tz1rwUR+m10E+Jq9RsV+fU/nUzzjJXHbPLZnfodUVVmrXgzvQ8+B2N4jJtdNLG66j2PZG" + + "+P8GQzVK9drDh54VHXdvxAYCXs7GaIprWmCQsxZOKjhFU3YDiRRK8qJGpBG/cCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECMmrFr30fUzZMBMGA1UdIwQMMAqACJ7/mkuLuEIGMA0G" + + "CSqGSIb3DQEBBQUAA4GBAI4qJF6STCi+elUbpZIP7YmcaQsS0PE4G3+LJoMg1LT3rSeobK" + + "Aj/yUetmA7y0B5i0svKjRChLOpfClNPVPCx/+mc75+LG+dh1eVG/qk2UH/lrqLN0XLl8tA" + + "IwZeoPaegBQAIp9oEjhDN1fWtKIkOe6A6wYdH2VPvsqC8g02VcwD"; + public static final String Intermediate_Certificate_3_PL_01_05_crt = + "MIICmTCCAgKgAwIBAgICAJIwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMDUwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMy1QTC4wMS4wNTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtRC2/PDG3kx8LpzfWC0yJph5h3LXZJZW0W2voss1" + + "HYPP1/MBoQY067dfbALilVRh9asCNL4F45uu0lT24qS9vjW8SzBOLA18GsVYRmWO7EP+Cd" + + "9f3mgPIMJ5n+UjW+yhBwh0Z2pzVElkX9CxECrs1Mt2ulyuwWA1lR8nRMaTUeMCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECAlV3mzXYPyuMBMGA1UdIwQMMAqACMmrFr30fUzZMA0G" + + "CSqGSIb3DQEBBQUAA4GBAG28iHdlA+nTs/b9pi+m9eMy7niELjIWL9fMgn1r4iXQ0TsPYi" + + "tgpoip+BB4G/jz7MPx/N4nwyAPV+C9wN8cAHALf/ka2MxAORYFVFI+5PDgXzm78ILqj91f" + + "vOFN4jemizTES4/dHxfmdctnsTRpU9ALQgfJLhxEQISOPwuemKB0"; + public static final String Intermediate_CRL_1_PL_01_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAInv+aS4u4QgYwDQYJKoZIhvcNAQEFBQADgYEA5i45" + + "gETFAw6l9Awex9IAVIqYTA1dnbDyrUYDRdzd0x6OxSPODvNfQCwqwlTJXrHidCPO8jRhMS" + + "Zcdn/MTlIeHa6OERFcjOiwOpeTgtchvpTdDchs5ve8Ik+myue+cfgpEVKOE+ZQ2T2tcyz/" + + "+DbeMptECfJ0lVfCKIY7ZOzBPaQ="; + public static final String Intermediate_CRL_2_PL_01_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIyasWvfR9TNkwDQYJKoZIhvcNAQEFBQADgYEAdsNe" + + "ugM8sd8bmIDkYXce2WmS5Zx6QUQ0yT6Ij4OR5/F4CG4Vl+k3JkNPuAiNSs2Z9HeML+F/W8" + + "3yEPe/mdLV4nLw4B/b1/8DmgZN4r1ojaWuHAg+KrA3Zz3Rc/hwQfvBy49mf4NGtY4ArbeB" + + "DYKz5sVlrwR+gOCR5jm4IC7WEDs="; + public static final String Intermediate_CRL_3_PL_01_05_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QTC4wMS4wNRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAICVXebNdg/K4wDQYJKoZIhvcNAQEFBQADgYEAqYex" + + "FaIykZo17O2URpofe8x04L/VsfA9jV28zUgNFruAGld/kUh4rYvgwrdbNZ8NmEFDp9J9aL" + + "93af3bzoNvWCik2VrQLd5nccCFiC04B+LUH9Y2p+7vV2ojrtBks5SMW0q4HaNyPSQu8Fst" + + "4mYVf+QIYZC3iVAF4rsKnaxwzIU="; + public static final String End_Certificate_PL_01_05_crt = + "MIIChzCCAfCgAwIBAgICAJMwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTMtUEwuMDEuMDUwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBMLjAxLjA1MIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCXJjzKGcLyONTyOa6sQHvIKZIAh0pWdteUiXf" + + "b7yjCn6Z52SCHxB9GZERHwR7fbJpoE3oDcYUY+8pH65bIVm1p3zr5deo4v85DEZQ50cU9a" + + "WEUAO/5X57P7pYb9/47abu0cdsLIWeE+O94HpZS8vz8mxRQKLj27gPY1KzzTbrZQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECG8ILlM9oqZwMBMGA1UdIwQMMAqACAlV3mzXYPyuMA0GCSqGSIb3DQEBBQUAA4GBAF6S" + + "x3aunfgnDmo42aPOzDh536WSkTTbX9bmUNyg3IQHl/3xhVqjS76bMqreYhx5nh4VNx/Z3N" + + "LD0W75XmASCk0wtW9S1MoxzJMFIozRruaE3oykrbyMMOt0Br5CV12ofUd0WybDkXfNAIze" + + "IRgps3nORHWjV1GwXe8uNoUn6/z7"; + public static final String[] TEST_58_DATA = new String[] { + Intermediate_Certificate_1_PL_01_05_crt, + Intermediate_Certificate_2_PL_01_05_crt, + Intermediate_Certificate_3_PL_01_05_crt, + Intermediate_CRL_1_PL_01_05_crl, + Intermediate_CRL_2_PL_01_05_crl, + Intermediate_CRL_3_PL_01_05_crl, + End_Certificate_PL_01_05_crt + }; + + /* + * test59 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_06_crt = + "MIICmTCCAgKgAwIBAgICAJQwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wNjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAweCAiEGMLycmodjrUMIWEEFshkvhX2r90wGl+/pU" + + "Ia9NSdT23zYzE4Uo8Is1ywyV+YfvgR22j/RXF6j8OK+XZ8jlgfjVTAhjCnTWY9LDR7qAyk" + + "8zuuITxJrYpiPoxqZs9BXLfGkDbye5VpVJXvQdbJNxgKO0hkBBDfe+T9+qw6ECAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBjAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECG1DiuoAwV6aMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBAMFvtFiMDMP6n3CrqQLSzhpK5Qu0uxa56ARXIKSIqi0OUZAu9v" + + "sCXxMvaG/R5bElwi7ybYZ5KUSN+PnDmlUxWWL5Ib5RZdXgj7L83oyLTQmbDMvka6rSWHgw" + + "Jq8qHVslhh+l+YNOb4fzs8x9ctCrs/BgjX8wkORpQbigU0BUJ9sX"; + public static final String Intermediate_Certificate_2_PL_01_06_crt = + "MIICmTCCAgKgAwIBAgICAJUwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDYwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wNjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwf6Nf0+r7JvE6BO4MbDbS1T1SCzn78haBAmqGZLS" + + "Ac4xQTydvmzr9PwiWlU0xjFfKItqRMt7rfzTTPfvvnwxsAfQNPtxKzi30yCNq/VotMA7j5" + + "iQYaVe2OWVHu13agbXLEZ0pL/ZkmQ3Gvo6UhF4dRmCnjFbd5cMTxQVHUrwgyECAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECE3tS4AYmwZDMBMGA1UdIwQMMAqACG1DiuoAwV6aMA0G" + + "CSqGSIb3DQEBBQUAA4GBADcBTKbhx8PCunjRVJkcLBCcVGHs9HfkChDafwBO51fe5uhHE2" + + "QBpW3J8ZsevuFQiEZvuy2RVFktE6ZoKD8wxwBFhs+OIxe2mergQPy6jHuxoSUiPzr3CVXZ" + + "UsNxe7j3IcJLqbJ15UqGFH5yph7Sa4Ym6x747miF6W9knNkjcx3K"; + public static final String Intermediate_Certificate_3_PL_01_06_crt = + "MIICmTCCAgKgAwIBAgICAJYwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMDYwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMy1QTC4wMS4wNjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwq2YlDLHX4KktKnzLCYjnk079IDgXENrkRBuZHTB" + + "IQyZoiBH4ZWHreZKs3LvznP8uSd8eEL8keNw4PwZ6aT1LF/Jr/UlrFQNnpLzQVXwGGAuzh" + + "tFJYRlOfI5cCZYAcpjnyUV4GW+MuwBdoqDycMjmqIv/8A8vupjahffcmBAassCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECB+qYFJjEkJ5MBMGA1UdIwQMMAqACE3tS4AYmwZDMA0G" + + "CSqGSIb3DQEBBQUAA4GBADiXredACtRQTV2TKgu5SDdPlczj7cZZUARJiJKiRfjmxHCc1q" + + "m/Oh7sHkqRvlHqjoX8qp4iSchoZWdOAE5O/q4Ef6rViejDFVyN2ZmlhP6KIiRxznrvYfF1" + + "n08K7CHgHWvDaumm4pNmWeF03nuasHrY0W9h1uk5poVuzaWDpx3A"; + public static final String Intermediate_CRL_1_PL_01_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIbUOK6gDBXpowDQYJKoZIhvcNAQEFBQADgYEAiHM1" + + "xFuYt6tDscqzwj0mLHPHULnR44/vNyPUg0KnV03Dd4XbFHz0FtwDKgVTBZ8x7ybp83ubJH" + + "tE/p8nPW5kN25WQOlYkZoAcMpEXjTzlo9evU0W3nyzJjmlT8YEI7vnmWFz/ahzy6WFwPue" + + "h862EKh2zVO4hoqZYEuDQI33fOc="; + public static final String Intermediate_CRL_2_PL_01_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAITe1LgBibBkMwDQYJKoZIhvcNAQEFBQADgYEAuDSF" + + "W1KOc4x41HGvdRaw/NtipD2y6zSh3mtRoo7Q6J2BvJvunymZNEziozBOiUgT8zMgbdbm4a" + + "PEwlHRaoJP8+yxJIlKaHa9Hc7Yz4SOwSrLicf7EnBSct3Mze0b48UYqbn1q+lf/zKaUGrP" + + "M6oqtE8Fam06T+WUfutU53zTtSs="; + public static final String Intermediate_CRL_3_PL_01_06_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QTC4wMS4wNhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIH6pgUmMSQnkwDQYJKoZIhvcNAQEFBQADgYEAcPfO" + + "+Rj2KmO1CxjuKLEiOUAIq5YmR4U06IcCBGMxlrdHVXHM3vepBKUlMDaT4UGcleABMPX9Iz" + + "/31ofyXlZ/fQJOoTZt0CI7SOPQE5ZkUsR3BDuUqf1+sWwBYyBHkrC95JhJkM4LfGS5K19p" + + "fp0j0bguzNCXSBRTfjSZhy80tcs="; + public static final String End_Certificate_PL_01_06_crt = + "MIICljCCAf+gAwIBAgICAJcwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTMtUEwuMDEuMDYwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBNC1QTC4wMS4wNjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3asAqJcjXngEuyM/W3+TAE+Qr4JtNUdwBtmrpGlo" + + "fAvJdmXHARyiN/Zn6Si8bGI8Wz8J4Y+Ll7zLdaMU4MCZo6hwZiaQwkh9a+ZecCpLpjs4mz" + + "MSf5zHSwTYiXKMazlmnGEITVyKLmAiLSyGeeJvOJVqVo/NZXRGVlmnPxZFfgsCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAeYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECLZuS770NcDsMBMGA1UdIwQMMAqACB+qYFJjEkJ5MA0GCSqG" + + "SIb3DQEBBQUAA4GBAGM18aR2i8vSywsWhcLrRN1Xckl/HiBPNphobfKoER4NG29cFjUPQX" + + "zukjQcJl2clAXNCVtcsKCoYRP3YUyAB6At+yskuuJXtES7FIzM3rt/UpDS5ktVC3gh+jgE" + + "pPhMILYIXFzYY1hifkpagfO+mkcr7RqHU3tHAr6LCWjqrB9g"; + public static final String[] TEST_59_DATA = new String[] { + Intermediate_Certificate_1_PL_01_06_crt, + Intermediate_Certificate_2_PL_01_06_crt, + Intermediate_Certificate_3_PL_01_06_crt, + Intermediate_CRL_1_PL_01_06_crl, + Intermediate_CRL_2_PL_01_06_crl, + Intermediate_CRL_3_PL_01_06_crl, + End_Certificate_PL_01_06_crt + }; + + /* + * test60 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_07_crt = + "MIICmTCCAgKgAwIBAgICAJgwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wNzCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5HkS45NLuqq9ZwF79+pTGtQnGWO7DFdetYeQTbeD" + + "sisjZMsK0sCCR5xAKYQsJSS4v/8LQUdxlQR30LMV0SQUKFMJyFsMiSsO8subb6sVINWn8A" + + "tL4zcQK0WiASUZOEkybAFJtP31PahzI5wfD1cikE1M4BlDij5WeaIjt/RTHKUCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBjAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECLSUEn5d8YywMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBANLO+kEiswkGzEh4ZcF5LtfnPZlnG4gTPSNugeWJc+Xedqmttp" + + "jZ35fr1hiRe2Q1UcyTd4ThkPknawwZednbsZVPqw8u1mo7kuAeL9KrCk199vL4bV8Ag/kj" + + "HJ8TAy40UDB6hMm7l4j8mEKwV03THVrz1Vvz59CQXj+iseH6yUNO"; + public static final String Intermediate_Certificate_2_PL_01_07_crt = + "MIICmTCCAgKgAwIBAgICAJkwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDcwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wNzCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu78gmT5HwmBHEe+K8fLLgGaPpcv13ZjrgL4twTBS" + + "OkZn5LL9GcfkPuA5WIAZkVYfCWSDPqcAGoOWUIDADfBfdcyLteUH+xI01rHKiLDVexMvU9" + + "vqCmcBKhxK3S6wraW5YhOO0bx4oPrZXVIjyG8fh4e5WTEykzvUWJ8ZbzSJ9JsCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECCT+fDEaN7GaMBMGA1UdIwQMMAqACLSUEn5d8YywMA0G" + + "CSqGSIb3DQEBBQUAA4GBANpKr98PiXAdcXlbgSgif0213H+tg3WwUNKZTw8MpqPyrN2/DZ" + + "HBi6e2KWXLTxttV9AZBRvcKwsveS6oc31eulMe8nHxRNRfadvF6dL3Tsig6HAQkartcJMI" + + "yfW4V3EhXbCdziQkre7XcR9WK5bpQoX04HWeew6YTxjG/cL9MIJR"; + public static final String Intermediate_Certificate_3_PL_01_07_crt = + "MIICmTCCAgKgAwIBAgICAJowDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMDcwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMy1QTC4wMS4wNzCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr7YezMXvnkSuNCdXch2HRAEVuCqfzpVRCj6laJI9" + + "Q+NxgXwzaOwnImvwER3Hblh1l0MAt5/I/9hhqCN+918ueME50MkoM1wPbcmrRIlwWLGSVZ" + + "yBKeyPHrLbdPqVIexUlQk7PasLm/Qx4SvRGVe9IMLrEzPV3MFJtrJoWaMobQkCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECKw8JlHMvVfuMBMGA1UdIwQMMAqACCT+fDEaN7GaMA0G" + + "CSqGSIb3DQEBBQUAA4GBAA5JEDEDyqfZzTGzOoMV+8RVke+a4qgOo7rnOEdletgGFEwz8A" + + "tiMHBxR+UMxuHS82Hz3+F8XlyYIwlrG9wWVcB/tOyzgVyA28Yux9Q/meU7T6dco/AnmOdr" + + "2XL6Xm5iLnARG+PkUPHOsxuweyB/sSUSA8ZJPowNRWTik57ul/bO"; + public static final String Intermediate_Certificate_4_PL_01_07_crt = + "MIICljCCAf+gAwIBAgICAJswDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTMtUEwuMDEuMDcwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBNC1QTC4wMS4wNzCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7mNS8dGz0gkXDbBRzP2ypdNMahJbM3cSMHO0hYpn" + + "uRsiXGUhIB0K4WVbnz6tr7Hch3yltK4H1Y12Lf8cXEETR2sE9lCY2A3r8/VM5OUbou5Y8k" + + "wIf03VhP7cGKonaFtlj/WD77fidDePVp1Nk28gV0T2F/l4pM5TEJrq5C9PSUcCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECJBEcZsMRq6CMBMGA1UdIwQMMAqACKw8JlHMvVfuMA0GCSqG" + + "SIb3DQEBBQUAA4GBACfbHKpuRJnZ5UU0sih8RuywhUo6Getwl/p6fsi87wYI61pvYru+hm" + + "4R4eAMZvg7MrAarS3Iu3zKBU1HKeq1i+hpwTIXrngR8eL2fU/X6GPzdte3+3tjhah38bqF" + + "zDon+N6ap4MKWRk033SsFYo1K88Mena2tGuFForJlV9DOF1l"; + public static final String Intermediate_CRL_1_PL_01_07_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wNxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAItJQSfl3xjLAwDQYJKoZIhvcNAQEFBQADgYEAJtaE" + + "I1+PCNL1/bgEVKWUIwvh58ugnWhxzbFW6hNJwNEz9/yt+FLZfNrT/Ezort4VVQFLQg7+Gj" + + "KrkIujqfRJG4LXrXAV8ZsvSPuwyQ+hM1GdHGDPhj9x6DkjFusxJYUEs5BzlX7ovpnaIPSW" + + "RPsatheSzu48pMOCmyTKE3MpuZg="; + public static final String Intermediate_CRL_2_PL_01_07_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4wNxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIJP58MRo3sZowDQYJKoZIhvcNAQEFBQADgYEALiV+" + + "BFpXhgTjiMZBYLVuc/fqhHcXeXOGOmJZoKUnIXjETH3rzkkt5k4tMN00ycZVgpRwn3ZyQs" + + "cFLcW8taau1J7iQOmGY/7qIT0eFx2OlgNmxqirmwx4OM5VSH5mEpnp9NOr1rfut1GDRzw0" + + "tZ+nhD/PGDXYPu+QPX6jii0vdHo="; + public static final String Intermediate_CRL_3_PL_01_07_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QTC4wMS4wNxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIrDwmUcy9V+4wDQYJKoZIhvcNAQEFBQADgYEASY47" + + "p94jEh9FZ1TrPS82nWC3Z6ZKdaD9pUbaJpRnAId59QdBaD2Cxq+SfM3HTlz8grCAPKwulv" + + "jDDhXhp4H/m63Q/pJbyl3bbMxnphMOoDwB9wwKIUQPM5wagMovF/UYtC8MoC++m2kuZ1eb" + + "fR/OIJuQr+k/kD5Axhw/xolKPdE="; + public static final String Intermediate_CRL_4_PL_01_07_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QTC4wMS4wNxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIkERxmwxGroIwDQYJKoZIhvcNAQEFBQADgYEAMhIQ" + + "lE+BdCO6NBz+YgcH+tjP0n4OCdQ+7uxUxUYmPtPbsLwbDDEEZUjykgwiA6P47Cqh5fXB6G" + + "tfInh1cmQi3y2IEHK+bRSx321qczOh34Yx2hw5vp+JFttbQAEl/BHixklrFBrXjN0UsWGC" + + "ibXcZy0YjerWTp/yceoABz9p94U="; + public static final String End_Certificate_PL_01_07_crt = + "MIIChzCCAfCgAwIBAgICAJwwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTQtUEwuMDEuMDcwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBMLjAxLjA3MIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdH60mBM1eInACvOB83zLrtiebq9B5UBlAAVS8" + + "9ucDwGx1HOJwhwk2AmvhN7pYuDc+BFzuNtgHojqZSDpRMA3rVsGlgOkZ3sOQzvxB73w+/X" + + "XmCYpwcEGLpK4egl8r1aOYm0Zm4OxqWhNu9+Do7nrJczDLi8k/qh8/+Rfdtvt4kwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECEmVurZ+7UXFMBMGA1UdIwQMMAqACJBEcZsMRq6CMA0GCSqGSIb3DQEBBQUAA4GBAANe" + + "AbvpAHwBu9+FlI4DOb65Z+h5f2Ok59FVbVqAj3zkMRkawppngK3CMY/1BQlGXOlHvE+CGz" + + "x/7DsiV0O3rxOUjutt00PNxCyIM2pcOZeGUaAu5DJWn0SRwzTMJa4M5K+7wh/4sSPWyxKi" + + "ueDq2VXvIgAfEVC8Lv44sxcOduSZ"; + public static final String[] TEST_60_DATA = new String[] { + Intermediate_Certificate_1_PL_01_07_crt, + Intermediate_Certificate_2_PL_01_07_crt, + Intermediate_Certificate_3_PL_01_07_crt, + Intermediate_Certificate_4_PL_01_07_crt, + Intermediate_CRL_1_PL_01_07_crl, + Intermediate_CRL_2_PL_01_07_crl, + Intermediate_CRL_3_PL_01_07_crl, + Intermediate_CRL_4_PL_01_07_crl, + End_Certificate_PL_01_07_crt + }; + + /* + * test61 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_08_crt = + "MIICmTCCAgKgAwIBAgICAJ0wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wODCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsr+i9HxgO6LnOa6xOHfe9BeLVTo4iZd8rp6UTc02" + + "C0MmsSjvIgn3UiayU7aoHcTH8tAXSV5bn0CIH4B46qLym//oE69hUFImy6d1kKgNoaUKWB" + + "HztKVtswSSPjIUf7pbyp0wasYMN6fIKYyLpLXUxzA2DrD0kP2Y8ElQJKl2HocCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBjAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECPMW3WMPtaowMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBAH2N6S9ggfmRJkzhs82uOPXaHF62YEg1pbNxaCyJJbSt2iIIyy" + + "NPSlE1OufPPH3pO7p5xcYi90LCI//0tlUL8y7aULFNygbshFY3B8MSgCz3KPA3UKdtIZYe" + + "7lqP9/ob5wmkjtLpx6oZ4/38jxqe37pH1IwVjaUnoeElSo3EkCI5"; + public static final String Intermediate_Certificate_2_PL_01_08_crt = + "MIICmTCCAgKgAwIBAgICAJ4wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDgwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wODCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqZZolrig33i1rEwdP1pin8a5PgzSk7fT+qhrJRCg" + + "UTOW5WyPtakrLTUipDcR07t8tIe0NsjRoph7+fAwbjWBfbJdydndHHGx5BqWg8Xi4zFhFd" + + "6Mc5O6KO7Yqxs8lmthv/RAdL4Eiir9d9hqskKOtQKbLWz+Bz3+9NwfLGzwzPcCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECFjxM3RkbbhNMBMGA1UdIwQMMAqACPMW3WMPtaowMA0G" + + "CSqGSIb3DQEBBQUAA4GBAJOJKBubTS/kLnfXN5YbQfggxbO2c7DTxx2LhrnPiyVDEow+Xf" + + "lMv4YK5olH6UUm02D8cv6Wxg4NeTtBBnwKQG/GV4Ssgc/rrpEzM7jFRQcUzPu0jfya2fX8" + + "ZNBnSDjovlN6vmZHtiksjh66h3a0aVusEuOQXD29ogMR8qAGYQaZ"; + public static final String Intermediate_Certificate_3_PL_01_08_crt = + "MIICmTCCAgKgAwIBAgICAJ8wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMDgwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMy1QTC4wMS4wODCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAogLtEcWxzzkkIYe+KrwKhaQjjGQqy2KDsW00U5lx" + + "+XJoT8eKd5pxFdCa0SPn/jkNILVeh07mIHec1WF8SOeveVT4Ewd3nG/6ZGoVVq6l0j+3RM" + + "jpJbp26BPR69nFn6rmFUMoSNq0VG8Zl+UBqnjq83G3umJCJMMRekUTULSFEGUCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECGAFYeJIhrRzMBMGA1UdIwQMMAqACFjxM3RkbbhNMA0G" + + "CSqGSIb3DQEBBQUAA4GBABHamiW7sPLQ83nXt3LZemcAp4QaDB8X94EuJGBwshEcKLoOHb" + + "/3cZkPRbOiRQUh/YdpfyApndGFSi0DtwM2Z7yup+MzdrR0wzQoNS95A51nHE7XdCuVFemc" + + "LTJ5rdd2BLK3OB5lQagVLzAY9Bs1vaeXKT2Cy+gSUkTIekWcsH3K"; + public static final String Intermediate_Certificate_4_PL_01_08_crt = + "MIICljCCAf+gAwIBAgICAKAwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTMtUEwuMDEuMDgwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBNC1QTC4wMS4wODCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxVjjKlLlZzeZhamPO2NDnRtWM1oWZ3/kdwdBRn50" + + "o1NRXb60Ir2HjniK1dRdbijAvR5uItLe9tmj4nusBiaPUGM0HNlEdQWSzble8rvUsP0apw" + + "uJusV7zLvzwwbgLbMYT+8lMhxWXM34xszP+dgjWASQOVao1Uqs/MLLibOuueUCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECFMFrvh2hQ18MBMGA1UdIwQMMAqACGAFYeJIhrRzMA0GCSqG" + + "SIb3DQEBBQUAA4GBAFsCOJ4DzuMOKti5PvF71ZKOtcTHSv123ZNdPIbK6OatT9YhVuUOYB" + + "AjMavggywrb+QOXOFfJMctQlS3y/JE9YyoNNt/4UTdx1jQ3I2ablonmzjt8eN5GJ9jUXth" + + "fHjxnmGUeWlAvwMjEdzdigkyuWCi9LJfjyHtTjSf9n7w2rU+"; + public static final String Intermediate_CRL_1_PL_01_08_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wOBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI8xbdYw+1qjAwDQYJKoZIhvcNAQEFBQADgYEAG2Aq" + + "R1oelnrTgh56m6Mm+Lsm0Sf+Ot1W7LzZmMDwoZgmGLcTduVktx+XrtiDDWsf58hmneT1q0" + + "5wl4yNH8y/VCAA3SM/gOq4ddOEiS8GbuEYo5P/julH/U3g6M0vfPUZ5y+7V0s35jIbTkjX" + + "76n3Rhf88nvTscYvMdqrYyUhAmg="; + public static final String Intermediate_CRL_2_PL_01_08_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4wOBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIWPEzdGRtuE0wDQYJKoZIhvcNAQEFBQADgYEAX/+I" + + "DkAx7PLTi2x6aYbLacPRaUSjMne84MDaEkYiA64Vo3eL6FbKe14z2mBsM2W7x8xDnxjZ0N" + + "RbhcFZ2E6A1ct6HMunuKxjoROIsdWhrYMqJfKKMTWMviz1UjtupsGUWS0dVQCquAr6DJmr" + + "W88P8wgiVH2VZsc+edDmCGDunrI="; + public static final String Intermediate_CRL_3_PL_01_08_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QTC4wMS4wOBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIYAVh4kiGtHMwDQYJKoZIhvcNAQEFBQADgYEASw1+" + + "6rGDKgpUtXcCziQCjy8mHFD2zV6x/Ppxm2Gj0U+5eFnIbMPmr4TUYwfSOROUycsiJX/Wa8" + + "HEuqWJhIdcsHMA7TYf0iSXK597Bljjg4F/1Rgz0wqLjgMuA59eFbKjJ6zP1E6Sv2Ck0Ea9" + + "HJsv5zFA1ljVnNWoQwoHsuLk/wk="; + public static final String Intermediate_CRL_4_PL_01_08_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QTC4wMS4wOBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIUwWu+HaFDXwwDQYJKoZIhvcNAQEFBQADgYEAHHKd" + + "U1SccTsK99BUDrvF930ejNRAvHQM9xv80wcUAy18x+TLwBH8vDTmP210/C5Zk9pQs+rLDd" + + "doQQbWJrQkznyB1OSK0T41KZ9L0UE+YmFGJjz0PEzYHV0Kc57j5uc7Fsi8Xu20Y8JeTaJs" + + "FUXVsvnCuoSxYmwY1futFWHJG7Q="; + public static final String End_Certificate_PL_01_08_crt = + "MIICljCCAf+gAwIBAgICAKEwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTQtUEwuMDEuMDgwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBNS1QTC4wMS4wODCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwgNkhQrcqmjhkES6DNAW3uQLKILcFlrFvOlWfDPo" + + "ngXzCKeed85npqL+Enxo4sLarEiywuDLrDgPf0gKnZXQWBmzWViZhvTsiAemH7iNsNS68s" + + "hhb0vnLzlPpDUJDv7KVKW8VbM7nvplKptlEE6g5kmj3iEmM4l2u8Z/pmQoTsMCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAeYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECLfApJ09y/ZNMBMGA1UdIwQMMAqACFMFrvh2hQ18MA0GCSqG" + + "SIb3DQEBBQUAA4GBAG2ANLc/ib9ayz0B0L6/XQf/xuwETEq8kb5vWml/PbcFD1b/uwRHI8" + + "vTvM559nZgtzkhS5ZAvNBTh1CB9Ox/nugHc4srbH6/Wcd94pMQx/sfCB/C6zZ5Tbm7Y4jp" + + "hkjnxwGUYTvgNzxmaAPLyCfqY7KwhCSzns2M+yuncEKqlzuT"; + public static final String[] TEST_61_DATA = new String[] { + Intermediate_Certificate_1_PL_01_08_crt, + Intermediate_Certificate_2_PL_01_08_crt, + Intermediate_Certificate_3_PL_01_08_crt, + Intermediate_Certificate_4_PL_01_08_crt, + Intermediate_CRL_1_PL_01_08_crl, + Intermediate_CRL_2_PL_01_08_crl, + Intermediate_CRL_3_PL_01_08_crl, + Intermediate_CRL_4_PL_01_08_crl, + End_Certificate_PL_01_08_crt + }; + + /* + * test62 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_09_crt = + "MIICmTCCAgKgAwIBAgICAKIwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4wOTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4slldx8rhfz5l2i0rwib2McrCyQkadTjJRoEGQCV" + + "xT0dmw7GhDa6wJg2ozXLLk5y7ZCwlmBOTEoNbigHvcKSnJT8R/S+F4KqBz5d5dbRMNEKYz" + + "jdbD7Sm7id+eyfq1s5cpmta2lBJ5gTaC9YPSOY2mucGcJ1muYzdOc6h+PCCNMCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBjAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECO7tq4dJC8OgMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBAHbth0HjAygIoWVrz59ZBPntOn5nzgUGpH60aSDOS6i9ZOKSoC" + + "7wCOEt6IpKO7M7SNznxaX2uhFTYotneyq3qENvqZVXKhE6wQRsdK4kG10cxSB5AXPHJRgk" + + "W9+p+Nb0iYVKwHdDCW8KHYIroGhSkKxuflwxhK6DcwQuA7y5q7r7"; + public static final String Intermediate_Certificate_2_PL_01_09_crt = + "MIICmTCCAgKgAwIBAgICAKMwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMDkwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4wOTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA70v7BFxmToZHF5M29JK6N0Ha6n729cv1U912mH9O" + + "NTz9tafa+jv4W7njScv21CJbNlUO5rlAFcTlXY0U9vbqHEufhtwRQqi7+pkfa+Ig8bwl26" + + "4U8L5rgmSvZJpEiiKfkmF2Rz9+zPPhHjk58ZcKoAcyhOdZ60KqmaaU/TVtEq8CAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBDAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECKOwR13+P/BlMBMGA1UdIwQMMAqACO7tq4dJC8OgMA0G" + + "CSqGSIb3DQEBBQUAA4GBAN71oLHr0+uf6zCOC5L7oeCOGMUwvZyROu8eTztZrPYGjaamSm" + + "Z0ZmUPOJP3g5nO6tHf34Tb9CTkwPdPicEaXuxflkSbJBV3mUFQ1BUDlyYTuaL8uT2N61dg" + + "xt5RgYTIGsW3/2XrRvXsH91gSiEkccoUyjKnQcX3oZmEeITb6H8m"; + public static final String Intermediate_Certificate_3_PL_01_09_crt = + "MIICmTCCAgKgAwIBAgICAKQwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMDkwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMy1QTC4wMS4wOTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwMLmDs63ai7i4xC/1ufMFWeigJAlbKWMti/PeEKi" + + "7LBfNJDRaO+1kde6QIo1vhkhKtokNu9ue3Rfo1+xGuZVohjRbHnmamEm5G3jihegPQgGCR" + + "fDZoJDI9HMbwBa0RWw1Nes5igIVjdSHQKO/XTul1yyF2Dt03K2qeLwes+2FyECAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECPEAjG80q0FoMBMGA1UdIwQMMAqACKOwR13+P/BlMA0G" + + "CSqGSIb3DQEBBQUAA4GBAN9eiZXma2n0XgzdvYrlV/IEqBIhpcZ7gycjDumVBVITZJD2sJ" + + "bkBi+N8dg7uovgxGxWGsyxqgAboLhMgbpbFzGh+HyIhQu/CeAx93PWYc5rP2l2Y8d7KJvk" + + "p1GZEcG/nTakpjxTQ5MQYFsOHVsnDDOyaZYvqPuMrwGYsfoUa1wq"; + public static final String Intermediate_Certificate_4_PL_01_09_crt = + "MIICljCCAf+gAwIBAgICAKUwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTMtUEwuMDEuMDkwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBNC1QTC4wMS4wOTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo4L9QEqzq2VXzkZI3cvUWR5v6vreKKQPfJPfEwNH" + + "nMS0cgDjC4Fnw9ySI7Eb4A/OJGLIyg84mzTl6JX3kGoYr9/bJ8jOD7pN6CljXuHpwwmd7L" + + "6Nf5Hy0ltjAIr5s67e33OWdPi4gApS4FN6nPSDkZotY73d1xqJYQQZWuNEsGUCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECLfU7BuxzXeCMBMGA1UdIwQMMAqACPEAjG80q0FoMA0GCSqG" + + "SIb3DQEBBQUAA4GBABmQZOvwRpVsTD8uazfQpLJUZkuTap4OOPHie5xJsvOhGend2k+LiP" + + "7btGoFrqmkyVV/+dNA8+45SRsnoOtgctiF2ubeqIvd7xf/J5C9Cmo+T89Mt7WEBEuDmEZm" + + "JPXvOvyh6lRcYVSBnvVW5ZSstNAQKa/8xuyN0OrE1hJWbucn"; + public static final String Intermediate_CRL_1_PL_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI7u2rh0kLw6AwDQYJKoZIhvcNAQEFBQADgYEAbXc1" + + "QgR2TAvOPqJmRFFrDQkPVIVyEEDTwZy5aNnoAKK+AmJ5FZkBtbPJ8qt9UeYRh8lbX8+EIk" + + "tyrAKw/1Kc3h7RDqAQ/p8t8kFwVQh2l4KTIukV8hYcj5sMKlt5f49ZwzWPyoOaLDomiUfI" + + "OY/jaDMw293AjQXxGCDtnaTvh0o="; + public static final String Intermediate_CRL_2_PL_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIo7BHXf4/8GUwDQYJKoZIhvcNAQEFBQADgYEAq6en" + + "XtvIdh/DifGzWn11hqJIZxLQDGJZPoMmwSOLyB6OzsPrIg1xkOWZYEOELTR8+qP6emmx+D" + + "CaEbUDLj60rso0gRQCBwTgHgjeMRpv8fGnV8MJgMv5BdzsGAGQbLSSY9FxtqeCPfZ6olHC" + + "iUIopdZJZP8ZvGKQ6QGaMnLpJ78="; + public static final String Intermediate_CRL_3_PL_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QTC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAI8QCMbzSrQWgwDQYJKoZIhvcNAQEFBQADgYEAraCx" + + "ruxopFbKvxOx/CIF4niG27ABB2ZwU6n4NBGYHo1Y9NjuytjjMZvQjMHyoayqpnF5TA1vXL" + + "jXjI3VgQcK7A4ah/0FNLFGtczyY8kXXrpbmdg8+xdNJEG3/e5rDW5VSf7OY1XqU85ySUJQ" + + "ZR5uiy8LxlDdaIT4WT7X5ezs3wk="; + public static final String Intermediate_CRL_4_PL_01_09_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QTC4wMS4wORcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIt9TsG7HNd4IwDQYJKoZIhvcNAQEFBQADgYEATtjA" + + "BdSZYnIbv1bCL+aSiioJg9S9yWGD1mjsA/CDzvkzSffeSpvqaSy+Zwwf+NDMMG6Cs+SgU+" + + "sxQdJALAbb4sYGEyXj/Exh9BYHvgoVahH4NWuhm6LIN8RTcMDAtGoGYFNGXGuT8XRBUJZ/" + + "tH9re3gpWaE1rjWeB/2ZBR5ONcM="; + public static final String End_Certificate_PL_01_09_crt = + "MIIChzCCAfCgAwIBAgICAKYwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTQtUEwuMDEuMDkwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVBMLjAxLjA5MIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+g1Puqjn+/Of35mqVVUricIV5x+bpZRCAgBDh" + + "VYcmZFXLB/XnRd/mYTu0RR4ISEerC1km5tjGeCN2k3NGdZwz/wEh9kEL8WikSqpxUSUD/N" + + "vQbliz4f3YECLcpNXKzkCvszeB5ZGHa0sLYDg3r62wy+1y2rtcrHzFEoMFgnnruwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECANGcL2klYf7MBMGA1UdIwQMMAqACLfU7BuxzXeCMA0GCSqGSIb3DQEBBQUAA4GBAHm+" + + "/vQ7VxDry3VqiqKnNoOhAHTTIUphNWF4jddRqVc32IsjVaeTbcGwCIRflRm/lUplRvXXxb" + + "JEbW9mP3nfTCREUdm49hjmo/szsPjgosFoEmuEKXThC81/y2vQkb4/jqRoOHEknU++38EU" + + "Juv6Y6psZNa37x8Yn3i7S+b3TM2q"; + public static final String[] TEST_62_DATA = new String[] { + Intermediate_Certificate_1_PL_01_09_crt, + Intermediate_Certificate_2_PL_01_09_crt, + Intermediate_Certificate_3_PL_01_09_crt, + Intermediate_Certificate_4_PL_01_09_crt, + Intermediate_CRL_1_PL_01_09_crl, + Intermediate_CRL_2_PL_01_09_crl, + Intermediate_CRL_3_PL_01_09_crl, + Intermediate_CRL_4_PL_01_09_crl, + End_Certificate_PL_01_09_crt + }; + + /* + * test63 + * + */ + + public static final String Intermediate_Certificate_1_PL_01_10_crt = + "MIICmTCCAgKgAwIBAgICAKcwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1QTC4wMS4xMDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr4LmuvhSms70CnuAHIHwz45csKvBPVtcDjA1tWNb" + + "NIvvNHBzyt6G8U4CTVKmsFAZOzrWJem3b/ZywM1WlDarGJAAa/SRIYZ/jQwaOIoPW4OUfK" + + "ZQI6MO7uAPcIQ4ugtPth10viVqZYLZn/6O26Q905YsFltuPFl64KrJVJJBlLECAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBjAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECGRn9ckrcsEdMBMGA1UdIwQMMAqACKua6/nC51SPMA0G" + + "CSqGSIb3DQEBBQUAA4GBANK+1qalm7Nl+PJHT9nQLVJ3ruQNAoMlH9fN52Q9BZCr30iWCd" + + "+GhQIPRjxZ4GWojMnqbWzYQsxIR2PLdFc6SwjQrq+i2ES/LePDtaLQddS44/+GP/+qDpM9" + + "Mqp3/Nbe1MfOKRBT57qgrxa8eUVieysoKeYX6yQpa8bab3qDwOTH"; + public static final String Intermediate_Certificate_2_PL_01_10_crt = + "MIICmTCCAgKgAwIBAgICAKgwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUEwuMDEuMTAwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1QTC4wMS4xMDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx5tMLJ3LRxi9jAzCSNkj8zyrSO0cImNGf6ZCIzEU" + + "V8LrmXjgiZboPTh9LWQ3msWDLpzaxVxDLBXG3eMO8ys46TfJKciyeoiB8wfuNGMKAccm8u" + + "43XjWs1KAdNikWEZupYPgdmA92oRlVcHshG9PqP4+xA6sydpu3V18Nyfa0n3MCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBBDAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECDE3dDXkS7TxMBMGA1UdIwQMMAqACGRn9ckrcsEdMA0G" + + "CSqGSIb3DQEBBQUAA4GBAE+8cyOUQ7y4atc4BlZNZvGNRZ63dbGDCM2AItTEAf4ETM9v7j" + + "biUWTirJyoWsGxm2eIUk1V+EKxcuO3FotFUe7lS6thmVd6OYOSW+02RXMNklmptzK9I3AK" + + "DZNh82ugLNyrrd06BSiED+0MoGVVI4gi3wdFtRiai+MgQVeWIB4i"; + public static final String Intermediate_Certificate_3_PL_01_10_crt = + "MIICmTCCAgKgAwIBAgICAKkwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUEwuMDEuMTAwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMy1QTC4wMS4xMDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsmSUL/UZBYMdqU0PecjCd+9U+1Ld3mKkH303Fido" + + "K6k5S4ZObxVHKhYDJyp3CcVT2+nENjzIfQQQaA11UK7Uf/jmVs0IC8e2scWzq0W2BeOLef" + + "jVgNgXGsXyfLi9T4KJPPyGsKlIU2R2xKxgHmAOt/tw6OYX/OaEfM1jiQza5lkCAwEAAaNm" + + "MGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBg" + + "lghkgBZQMBMAEwEQYDVR0OBAoECHYI07i4owpIMBMGA1UdIwQMMAqACDE3dDXkS7TxMA0G" + + "CSqGSIb3DQEBBQUAA4GBAK23Kx99Y9HtFBVnHWW/NfvNro7I5Wx/ZCko6ulHm84FPAjhnL" + + "tvc4jmfAZd0wYPKQKWwUKUDWNEwIU1qkxyJYACckue35GLzj8aLY/z+h037vGonFmNutMM" + + "rcRdiV7gVD17dYLVTt0RgxsDVDtut+twqHgIaKtKyJnl9dSgFFv1"; + public static final String Intermediate_Certificate_4_PL_01_10_crt = + "MIICljCCAf+gAwIBAgICAKowDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTMtUEwuMDEuMTAwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBNC1QTC4wMS4xMDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEArgBnLCnqI6Sa7gXkZOvIKH4EL5i3CoG6eGG2R8aA" + + "kjBs78IKGYj9gY7rRajAKSpf19zvfcW8+2gBDDj5AoCy6uDnBICmqdu+hkdokVi8dJHiTU" + + "9LdS2TeuvFv47eiXoEBjMEAquCuSyHvW3lNrA+ESTnK3s7V4lBoO+o5mZD6dsCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECLTgYziQC9zmMBMGA1UdIwQMMAqACHYI07i4owpIMA0GCSqG" + + "SIb3DQEBBQUAA4GBAEx8wgBjBglU98rocddKAEKXkt4MNzrpUMq75C9HtnuOtFgM2oY/OC" + + "x67aZSTEph9ag6Hc+MyxWB5rzGD9j0y7OLsasE9AX8vjplUq50wq1xAFkGi1GnqRK/Oe7D" + + "S6R66+UFHW/3KAeNe96aaJuMcx0TRbfkGbW1ASSi/ixMd9Gi"; + public static final String Intermediate_CRL_1_PL_01_10_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1QTC4wMS4xMBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIZGf1yStywR0wDQYJKoZIhvcNAQEFBQADgYEAjkY5" + + "nXjLst8CMz0fyEM7Ft2d9TOOJXV4TMAfSAP9QCnit8qzrdVdJ6TJIsJNZYBz9Ryr5K/iSw" + + "KbYk0g6y/pskcMoHG3vJwNAxBbkf+fV7Eyve+90Z6oWDXHKLGCQQpdZ0a0wAqYeiScok8+" + + "YHypEVLfbjWARR9fsci2Ps3tdvA="; + public static final String Intermediate_CRL_2_PL_01_10_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1QTC4wMS4xMBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIMTd0NeRLtPEwDQYJKoZIhvcNAQEFBQADgYEAdpTU" + + "xcywBjX2rD8Gu6zkDqlDmZfRXHDPtnf2RB4bHDx77kDEib6nH6DGoJdx8WnRTZsTjly3MG" + + "62LfVmjp/bJyKHUQqBDrilv21EWsaI9JOr673Nk5iTZa/645GdgyLzSmxvcVDN40BAH0py" + + "/2gvBQTPNzp2W1IR2mebuLdHwTI="; + public static final String Intermediate_CRL_3_PL_01_10_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMy1QTC4wMS4xMBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIdgjTuLijCkgwDQYJKoZIhvcNAQEFBQADgYEATVf2" + + "cEEGphsIe0AsqNJ5rENLe8DeDAV8R4XCKdeP5qmHmLMm9Z4pX8bIfU7bCoXiNIwGvIU6ag" + + "FmHPNHEj70cQFVqCX/ZESc02hit+Os9g7pcl7s9QgwVUCMZdCiF/+pSEp3eCL5tFoKmAZe" + + "nxkL0KOSuKmBzuqRtZufbhDvmbw="; + public static final String Intermediate_CRL_4_PL_01_10_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBNC1QTC4wMS4xMBcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAItOBjOJAL3OYwDQYJKoZIhvcNAQEFBQADgYEAbG2B" + + "BhvRQ1pY/8VFeiCRFD8mBzq5iW5hWv2P7Zdp9zEbQo0fI4Kbis3OGemEttCxvAc/UPfogr" + + "UudImf3s8sLV9BS59xQUGQlxZ5XBNlripY8EjHNWrwgy7/x4hzlZ9yYBbqoNOqnHLy/gbM" + + "XZWoCbIK0co70lh1soOQ6eqLDKM="; + public static final String End_Certificate_PL_01_10_crt = + "MIICljCCAf+gAwIBAgICAKswDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTQtUEwuMDEuMTAwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBNS1QTC4wMS4xMDCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3bx0qx8s4Zse6Ri6NqkLEKUPLIOhTFj/9Dh7sxvE" + + "HpemBlTjbp2in08WTxEb9n8iAIWuGs3Vqm82ttBQmayjIaWD5oE/BE0oV/e91NAv/aRLsl" + + "f7VtOb6vi8Ef6muOAjI2dUaUD6QONkqkJhnZ353uR3LZnsAEAW+InePGFNEGkCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAeYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECIokB8m8Vi4QMBMGA1UdIwQMMAqACLTgYziQC9zmMA0GCSqG" + + "SIb3DQEBBQUAA4GBAKBGQwZQLQFXb+/kjP5xAtq+1rRtrblytjpv3ujJrKH1v2VB2+9boB" + + "0YYYGJTy2Wuj0ZBEMeTzMO8Hol4Mq9pnYv5DCmfnZN3FuDidgnRsCjM3ZL7NcXXG9YwlKF" + + "G2SXj0YfkSwN9gnyN11W8i+F/OSjlm+TDKHB3ePMcY8EnnXy"; + public static final String[] TEST_63_DATA = new String[] { + Intermediate_Certificate_1_PL_01_10_crt, + Intermediate_Certificate_2_PL_01_10_crt, + Intermediate_Certificate_3_PL_01_10_crt, + Intermediate_Certificate_4_PL_01_10_crt, + Intermediate_CRL_1_PL_01_10_crl, + Intermediate_CRL_2_PL_01_10_crl, + Intermediate_CRL_3_PL_01_10_crl, + Intermediate_CRL_4_PL_01_10_crl, + End_Certificate_PL_01_10_crt + }; + + /* + * test64 + * + */ + + public static final String Intermediate_Certificate_RL_02_01_crt = + "MIICljCCAf+gAwIBAgICAKwwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wMi4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3AN+Y3Hl/9V0nKXHQotb/cA2VfZc5vrRu+ZjwKgK" + + "6KasGegAorKSTybYX/fTbnaPwykDPfSscAnzAW5WdF9+wTLmvYc+6pkcx1ryKkGmofFMXi" + + "bZ5LUO/oK0iuNjBKfLdWoi+hpciKyPb9Bs8SO/svKSNqTEbn9ts3q6tpbngoECAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECGXQ07qiAqv2MBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBADKtN3OOaRdte0X4xLC6nTGaK/u7IEKQ0DjduDHwJR5w27zefrx48Z" + + "dlq8t5lAfQJqWmfk7iCIW1QJPLcZOouWDP2S9Cb0YooGQRIEkMjpBn3Xufx0XUphtCDs3W" + + "9LAMVXqfuce1tpZ6Dvrh6/H2X8rJMU29Czsz949bh6tcsHJi"; + public static final String Intermediate_CRL_RL_02_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wMi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIZdDTuqICq/YwDQYJKoZIhvcNAQEFBQADgYEAxrDH" + + "zKno1mkJqPTub0c9To6jC3CGTilV1E12oD0kFjkXqL40+W251qQ2wMC+G7ZrzBIc5dRuJ9" + + "3feHZ7cc03/s3TziXDvSyfNOYpHzkPwT48HuSgBYgJ3uswwk+tDiA64NzbOJqssxxhFRok" + + "9OpwC8eQkzgpA3a6816v2I3XL9s="; + public static final String End_Certificate_RL_02_01_crt = + "MIIChzCCAfCgAwIBAgICAK0wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDIuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjAyLjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCykRGcIKuxia47yRmJT8XpNNi2LTTbUUTteIBp" + + "DZBfz2ExeWLruO9Rn1/oB/EP+4apx4r9rQ2tGsvr/7qQYeQK8W7eJzZgvxFadY57IMfUNq" + + "1nEnj0ZvuWrOSf+K9v6FWX5Y2uyZS5Uvb1VVQv0Ev890+yXTtthPTjepk3JkkouwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECFIkVrx7NRAdMBMGA1UdIwQMMAqACGXQ07qiAqv2MA0GCSqGSIb3DQEBBQUAA4GBAI+B" + + "T6bFZruoeFHXsYVjkQ42jSdYB9JuQkG7JLKte5gGlhyR+jMlJBzxBgNIfvlmYSnbRFPbE8" + + "eqsGm90hJJoUuVMkm0i03H13uddlS494O6HhTGpaKcYwp3hbLhVcaY3wFTqTCuZk1T7Oxq" + + "ggTrCDYvNH+/ZpQuy6nB/FH3SAHS"; + public static final String[] TEST_64_DATA = new String[] { + Intermediate_Certificate_RL_02_01_crt, + Intermediate_CRL_RL_02_01_crl, + End_Certificate_RL_02_01_crt + }; + + /* + * test65 + * + */ + + public static final String Intermediate_Certificate_1_RL_03_01_crt = + "MIICljCCAf+gAwIBAgICAK4wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wMy4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsZG8wsV3Kuo+jtnKxLYGBuAqQwUh6Cs7ioDTNUFI" + + "UDDJ0lOP1HVTMBA7DEcyTCGvnQ02dEVVuCddBTQvG5RvW7G7cCEW37cS56/3yPsU1bD/cp" + + "3C1pPJpoun04va91Sxtgcmx7jnz69QPVrucu6aI1sZyeOlvzb8K7DceaAfR98CAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECMNzJ3SpyOLxMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBABo7oKmQilgji3w1tGz1cMrWxZxqGJqOAKcHywli+oxFo2oxSfEuFS" + + "tN2aEd2Ja5HU5a0ySztvByXF1TTNurGez7ARxmcS2kpoQtQXTloywza4A5N7iQwk0yyo/E" + + "J4lrXUfVRwZHr7FwA7qMODtFb0+Zivv9JLaq19GhnRhzZyWp"; + public static final String Intermediate_Certificate_2_RL_03_01_crt = + "MIICljCCAf+gAwIBAgICAK8wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1STC4wMy4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt7yNq1QZsV3p7OR8rgPuY7x7Bvs+nPhcLR7zFOgR" + + "+plQUwpWQ2PhuzReVV4jNasKtNK9MIWoeV+eV3pEiso5obb9+Byvha1F6gkYNZMPs9Iv86" + + "cJSMtownNJVGVAL9FEpof1QKLp7kfn08EjkoGmGy85xy9uFytd2S8n5TlrBqcCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECAVwoCPFqMtqMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAL9GufFieduzBJaMtsXtKHMf64O/KAGLSh1YDXS+a7Ku+EFw+WteKU" + + "Ob6+c1m7VH9P711eATQoACotCdKusPECqeYDEmT9keqA4f7cP4VcvGwhvSVQJsPuB3LL3S" + + "LIILE4zhT+O9G+5v+mkG/pEDirRYk6ZkdM91bsUuzsX40uyn"; + public static final String Intermediate_CRL_RL_03_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1STC4wMy4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIBXCgI8Woy2owDQYJKoZIhvcNAQEFBQADgYEAkwyA" + + "I1rrz6tOmEpBHDzuJfqY2nbXCIXFN6dVuaKNZWHJ4ZNIc4/t29Wa5GgXYrVXyXRcXP/u5k" + + "NEhOX2/NwCm6vL8+tclYP5qPLrh/Dk4v3nvcTFLKCvclAbf4Il0zfMQx+RRnO5PPqPDu5i" + + "1tHHwOtA8Q+oO71lZEwPE+pX1Sc="; + public static final String End_Certificate_RL_03_01_crt = + "MIIChzCCAfCgAwIBAgICALAwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDMuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjAzLjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPGLfi8/T5p63cbGE98mqO5VzkeI1r2/2TLgvY" + + "RpL1h8i+CVYKoX37yYwNXf+HkHhj1OXJSNrm7853ctmDf2h1fv3f1+qJLg4VRVzlEgErNq" + + "74OR7XLXV77kGOmhip2g5BF5VKeqAdj0pCo1E5ZFHpRPFq/0DDmSda6GKJ6Dl8hwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECOHM3uWxFmcrMBMGA1UdIwQMMAqACMNzJ3SpyOLxMA0GCSqGSIb3DQEBBQUAA4GBAFBu" + + "doX0TZK/yoUcrSkP8AtFiv5c7QvyEtigFZTT+lbW/g4RX/oJGNZCu78yAxCczl+Z6ft+0V" + + "wInwahjyyAgw4QXxtw3b9CfqvT7HH7hcQ6r9ZA/NA9XpzNtxKfmXjzCZWdfmLJrd8KCnU/" + + "utKRAObRBKiaTGa178SEWvtkoIXd"; + public static final String[] TEST_65_DATA = new String[] { + Intermediate_Certificate_1_RL_03_01_crt, + Intermediate_Certificate_2_RL_03_01_crt, + Intermediate_CRL_RL_03_01_crl, + End_Certificate_RL_03_01_crt + }; + + /* + * test66 + * + */ + + public static final String Intermediate_Certificate_RL_03_02_crt = + "MIICljCCAf+gAwIBAgICALEwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wMy4wMjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvoTuc2LYBOhziBe02f6F8l9MwX74O1lknBcJjGvq" + + "JcirQx/6hQgBQT4hz4RRXNy7DSBr3swEw4eDNSeyd6kvG0h9oI3+SVmVyPPVi5eKDL1roI" + + "OBzmfx1+Nn/CnwOf8VroKDutBBQ0gJ24IEjwp6er/8hEAVN/yIjIi/MTFeoRkCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECKtCUOlmMPu6MBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAI9x8O/JgJuZV/s4OBUy3AvcW9QP3HWWBQSdxUdjSosT2schjn7wrR" + + "gttL7vWjT1djsbATAHa5C3inG+VjGIq/NqWaPoHAucRNMs4oZX2ACZFuBLOb/qhywsKh5+" + + "bjv4QgtqkUedzEratY6yQiJSiMSJVJSMzHosTVMX7oOp+cll"; + public static final String Intermediate_CRL_RL_03_02_crl = + "MIIBcDCB2gIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wMi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjAjMCECAg" + + "CyFw05OTAxMDExMjAwMDBaMAwwCgYDVR0VBAMKAQGgIzAhMAoGA1UdFAQDAgEBMBMGA1Ud" + + "IwQMMAqACKtCUOlmMPu6MA0GCSqGSIb3DQEBBQUAA4GBAAEZ0Hg6sKiVXIeK6zbQrKtMMz" + + "Vz2K68+SqN1LAjlNW6u+HSTlAvhRIFO1Hv5Zj7qbO226rLxas/X2XWXpMlm84NHN8T4dZU" + + "4Yo5rhhpCHckRxNYn3AFcfcV4ra1rrTtdx8e7e7/m0Ghog9Ny52ZuQThasL9caF0JxUx6d" + + "zbBHPm"; + public static final String End_Certificate_RL_03_02_crt = + "MIIChzCCAfCgAwIBAgICALIwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDMuMDIwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjAzLjAyMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNb6HGPRDulLMCCyCq6w2X8rHPtm1gN68JXFkX" + + "j/BZsHhu29Z9hXj76hO//7O775EPVMSLyRy8t15yzYpXfZRHFaGB5bs8U2R5ClvsD2FR0H" + + "t0JVfU6Ggn1lhO+jOiguJtXVRjofsfvHuiOe75ctaJ9lBpgwiV8tk4VRKz2e5xVwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECI3Gy0TgXMrwMBMGA1UdIwQMMAqACKtCUOlmMPu6MA0GCSqGSIb3DQEBBQUAA4GBAISQ" + + "Qh9+7D6nk3FL5YQOzyZ0BSHQYjpbIVykJ+Lr4jBPKyGgCqW6jqWNg7X4waB77J2z/OkavY" + + "A6qtpsk8r2wmG9thi8JyZZNhYMxAszHzFbBmSoxGRMvI0XarxgIu8Ky6V7jKVDLz12C3o9" + + "H0yd+nZXilCD+p9BTjjg5bGUogJS"; + public static final String[] TEST_66_DATA = new String[] { + Intermediate_Certificate_RL_03_02_crt, + Intermediate_CRL_RL_03_02_crl, + End_Certificate_RL_03_02_crt + }; + + /* + * test67 + * + */ + + public static final String Intermediate_Certificate_RL_03_03_crt = + "MIICljCCAf+gAwIBAgICALMwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wMy4wMzCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu/o0uxgTrAvNDrMNuG2eTla+AmkLVCIXBbsIo0gs" + + "tLm29tLwfBh/8l5OC0y6Xeh5lx+NLdelsiZGRNaaWmWHj9Ji5V6rclr8sXRDUjxe12zLeh" + + "0G+a0TfpL380cx9RItqQyA1ZRiUNymmJHnm13hwrf7LPirR9BMrtyTT2EI3cMCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECHYt39LYdEn0MBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAIoSGa7MxnOuHoWM/BoJKsCeBmBHYCYDKmQ19JfsDHW8z8oAFiikFb" + + "Gtw1Qpc0GFfJgN0cppaXfe5lDS6BWL2dPorhu3URfXKu84ATLwGmNhqLDY7zh/zPvLtG2m" + + "izaMLC6ZwZL5KELpYpcP15EHPDquyP1xpV3fT17GjpG9IH8k"; + public static final String Intermediate_CRL_1_RL_03_03_crl = + "MIIBcDCB2gIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wMi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjAjMCECAg" + + "C0Fw05OTAxMDExMjAwMDBaMAwwCgYDVR0VBAMKAQGgIzAhMAoGA1UdFAQDAgEBMBMGA1Ud" + + "IwQMMAqACHYt39LYdEn0MA0GCSqGSIb3DQEBBQUAA4GBAI3HsXanos/N6uO3QVUaBZzmCt" + + "w1HCHMrLVG614YlUQiEedQ/oEc7dwCeD1rUbGNVkFPIRvMkmUQo1klhKAlEUmrtW+aH+If" + + "6oqumifqxvaycWidacbgNLIAMQtlQmniPF6Pq0dv8sNeKq4CE0gjRHOPJ2zIqy3kJ3tZYB" + + "pTguwO"; + public static final String Intermediate_CRL_2_RL_03_03_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wMy4wMxcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIdi3f0th0SfQwDQYJKoZIhvcNAQEFBQADgYEAXZSZ" + + "ySsD7U6ETy9ZRmiKUCJMUV9CIhCY0mEihHjW0DhFTyV1Hr01yN5zUr/IFVuP/Xcx36IX4l" + + "dVv6/MgR1GeM/BUGZhm4z6YwfAosZ1N3zayIy/pP3fa1rVRl8cgCxc/8qxg9nH9p6yPpxM" + + "AOOu6TLYquk/dA7wJPEW7MPixXY="; + public static final String End_Certificate_RL_03_03_crt = + "MIIChzCCAfCgAwIBAgICALQwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDMuMDMwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjAzLjAzMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5LNxAB+lm514Hk2ykrFUb7fCX0ryIEMg0mgeT" + + "/z8Iw7xisht57koK4PTXY863aunfNNh+8oFTHZnoLB5dbkROj1nFRgcWPezzv1wNkZEpxn" + + "NINtTPBogW22NPznoZ/rSk9JRFe0sCOVazkW9tZbY2ARqyJsYU1ez5tQIkDS47kQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECMWddsi+qmxKMBMGA1UdIwQMMAqACHYt39LYdEn0MA0GCSqGSIb3DQEBBQUAA4GBAAv8" + + "nrJaqEycAyIKdPBYTUqaxjkv4SmonDDJG9OqvD78/o9hUKKteoMkNUp8eexTkWk0L72L4N" + + "/eXB30+m65E841V+Dy8L4bXh15n4qz4cyMt8Kvm7nbCqcgpiyBJmBxzfaXDLSthlmhcJ4X" + + "zDFnav1LEw5fZklt7cnMl4YvLD8d"; + public static final String[] TEST_67_DATA = new String[] { + Intermediate_Certificate_RL_03_03_crt, + Intermediate_CRL_1_RL_03_03_crl, + Intermediate_CRL_2_RL_03_03_crl, + End_Certificate_RL_03_03_crt + }; + + /* + * test68 + * + */ + + public static final String Intermediate_Certificate_1_RL_05_01_crt = + "MIICljCCAf+gAwIBAgICALUwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wNS4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA59vHTe5A9AcT237mW7HdSfh8Pu4P2wJNLT7RXczN" + + "7DD/P6mAkugSgPTXwwlE1oSB/hCxAtEPhwONYZFYlRClFJidHDdVApalB7UbosTghsUzAg" + + "Lqw7NL+w9i3Un2G7JM2oWwugozQn/1hzr2Cii2TIB6K0RWKoPBJvaWUURS/G8CAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECP55Cc4eBca8MBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBALX594y5uF4Rt7CoRHeKZ5h8QiG7mc+kQDMjaSU4KJwNVVL0mJatQG" + + "w90yFfhvprlgDt9UIAvpF6z5gysbrjHXJaEhVlXeg9D5mcxsL4THEc8f6oU1GjfT/SOD9l" + + "QrT/keX3D9lcFEaTOgi0HIZ7aFIJgoWjXF/9kNNMEAs8sJNI"; + public static final String Intermediate_Certificate_2_RL_05_01_crt = + "MIICljCCAf+gAwIBAgICALYwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDUuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1STC4wNS4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtl4hX6HlF0M+lSBTG8jHiB06hOy87LL81yAE2JQt" + + "/6F+LZjuOBTCIc2yO2bVM3XzUnjyYDBYGnBFp/7XpRoiADuPJSfmkzmezpyJc+hm96UR1g" + + "Bpo+pPKbRTWuM+FYy+vPtaDk5wKOrmyNx440PwbzxTN3JeWz17xeYE98bXMc0CAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECJOjtwEYV9VSMBMGA1UdIwQMMAqACP55Cc4eBca8MA0GCSqG" + + "SIb3DQEBBQUAA4GBAFbkOffoIjWSfxEuKszoK7Fj27Hf5jlV92xqXtBLURjNGi9jCLUIUd" + + "QLnONZLJYo70Z6XaGjpAK1EtZKVWsz11JDq5egE1zNES//9Tz8xDtJ7Lcq0mwneVFxmBuL" + + "gxkw4GKbBFKz10FoSP7VJWaeW080WwKnp96Me5GtZRe260N1"; + public static final String Intermediate_CRL_1_RL_05_01_crl = + "MIIBhTCB7wIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wNS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjA4MDYCAg" + + "C2Fw05OTAxMDExMjAwMDBaMCEwCgYDVR0VBAMKAQEwEwYJYIZIAWUCAQwCAQH/BAMCAQCg" + + "IzAhMAoGA1UdFAQDAgEBMBMGA1UdIwQMMAqACP55Cc4eBca8MA0GCSqGSIb3DQEBBQUAA4" + + "GBAIdOaBfpAEKWLrSvepVjk3UTfEfsSP6y+kFMl33YXy18xUvVpLarGu6YjQIpXiL+ulkP" + + "eF8TAc9AarUjvDf0kcslIOt3NhdMxR4/F614Ds/rPEXs4c7n4kCkvAlFg/19iIFeCaynx3" + + "X0s/v1SwzgAUHi3P+OwAGDApDTyKbnmzvt"; + public static final String Intermediate_CRL_2_RL_05_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1STC4wNS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIk6O3ARhX1VIwDQYJKoZIhvcNAQEFBQADgYEAfOOd" + + "JiLUCFSurAafQEBfxE9KVrgFC+W9m64cmERicO1QL9aDVIDGJAIY1pdvWVdhLBIKwSugwB" + + "ZH3ToptY+VizvFN1gkKGL2OuvDsXPHn1+QgmqvxYFPmvwDcwuxZ/3zD1VeHgEIKo9ugRnW" + + "F8G2Ph6SWUxJCjJQpB7WIbydowI="; + public static final String End_Certificate_RL_05_01_crt = + "MIIChzCCAfCgAwIBAgICALcwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUkwuMDUuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA1LjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9NWkW/mia20c5gM3DpcTsBWTNC/d/Cob+OVrS" + + "lYytMjK4htO3MavavMZNTLAYFCXWhZ+Uo/uiAF0ddE4HaFI418eKJMSSbQyed0TG5Udw/t" + + "3dhYeLzLEmVc0r00q5v+CLINsCNQAKaPV71UvoHrE092zZjmtacuAetBS1Q2ufpwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECGNPOXdCLpZ3MBMGA1UdIwQMMAqACJOjtwEYV9VSMA0GCSqGSIb3DQEBBQUAA4GBALTo" + + "hfBEPdzZ6A9QNStakOhmhHYox70xOPuWqzSbIugZv4chKXNQGiUAoOGImTw1mcun/uPNtd" + + "0bT+O+a9yX5gzW55CSmR/teHkTkND1mJhOMuYOmaCaBHnqgIIe1iEhMZQgag70+/tSmmQm" + + "UpWGpxeK2c02tBK6gEmnqk75bKRT"; + public static final String[] TEST_68_DATA = new String[] { + Intermediate_Certificate_1_RL_05_01_crt, + Intermediate_Certificate_2_RL_05_01_crt, + Intermediate_CRL_1_RL_05_01_crl, + Intermediate_CRL_2_RL_05_01_crl, + End_Certificate_RL_05_01_crt + }; + + /* + * test69 + * + */ + + public static final String Intermediate_Certificate_RL_05_02_crt = + "MIICljCCAf+gAwIBAgICALgwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wNS4wMjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAouNcO1wHvKHPR15L7Fohr/QbTkPWGr9QYp2MXEDy" + + "BRGHt63Ob+yNvsP/C74GJA+PzvcRELSnJxmBVbdRN5y/u4S6Zt4yTTcrvp4vl//luoGLOX" + + "NHhCXbrGavyoP/iKpbfP7fy948AN34i95HuZENoGPjG5stX0uk12P087S2tPcCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECFi86MGPmMsXMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAFVZVMZEsaVuL0qX5Ls94+x8gBklxPfxgfG5LeBR2/YcqW+7BhsVA1" + + "GQhjBtwqCU9SOL16oTrqgw2+YeWBjaYuNYVlxfdifd0pQydpE1iDQWxmoKLzSDmtWgRYhz" + + "v0TB6j8q+0x5Q0OOrHX0jdIiBnHrLmReCK8dY1x6fb6I0tTH"; + public static final String Intermediate_CRL_RL_05_02_crl = + "MIIBhTCB7wIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wNS4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjA4MDYCAg" + + "C5Fw05OTAxMDExMjAwMDBaMCEwCgYDVR0VBAMKAQEwEwYJYIZIAWUCAQwCAQH/BAMCAQCg" + + "IzAhMAoGA1UdFAQDAgEBMBMGA1UdIwQMMAqACFi86MGPmMsXMA0GCSqGSIb3DQEBBQUAA4" + + "GBAFMN6PWjz2bA1RRySYNXde2rKiYkZYghbtT4ig2yDJBKOiPnjdx+jriFJxGYpt7BvcNx" + + "cDfijmDZ1clzprIvz0lFO6IwsQiWtLxOz4Doj6K2AD+7IxuGLceaXmubvi4e6VVC3xXGsu" + + "OYsNgFzsdUXIazi74+eOcj4dqrHAepbhXT"; + public static final String End_Certificate_RL_05_02_crt = + "MIIChzCCAfCgAwIBAgICALkwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDUuMDIwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA1LjAyMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuWE1aFx3Zjk6gM0Wy6ijcUegbiGvhjBgqIGwv" + + "YissT0v3KGAKoh5wGeKC+rePQNbZ91j4XDLvUNUdNw8HVNdNG/igIwsuaJ9teKSbqrAw9X" + + "aD2YjJz/I6X6WXFd/eQ+g9lY3eidOXJkglYSwWMxUV62RUZbGyqjR1so+XpmYxCQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECLLbuNyVkkK9MBMGA1UdIwQMMAqACFi86MGPmMsXMA0GCSqGSIb3DQEBBQUAA4GBACKt" + + "GgxIRXYHZGZgwYHjNzquM1pUJTbxxm3qYA4U6r44oAo1UzQTDpHOalflreGFvG05l1BCnQ" + + "olQ8rcXU25v/CDfyww7cl8l7IxjYz7PNht7R97vjfMVqqButbn+BmU6D5kR9YXDCDPzaQ5" + + "DrKNk+3tIjJNj6YhxhqC2tPG9RIN"; + public static final String[] TEST_69_DATA = new String[] { + Intermediate_Certificate_RL_05_02_crt, + Intermediate_CRL_RL_05_02_crl, + End_Certificate_RL_05_02_crt + }; + + /* + * test70 + * + */ + + public static final String Intermediate_Certificate_1_RL_06_01_crt = + "MIICljCCAf+gAwIBAgICALowDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wNi4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmhxr4ckU5C3E57odZjgcxl46ZF2QVy+K86YoLOGT" + + "mq34NSHTFxP93mrNqMYdFKFedUTNI68HkecFVvVKoXsDNBnhyyCTQ3xXhBcMUXFByB+55k" + + "W5LeQ8l1G2ugsyZ7Z+P8uylrpeGJt4RjOTilhcI2mnfZ7S+arFGe4KYgnsaFUCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECOS4X3XqhyJYMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBALCPtNwXGxVSUNGErkBHSYCHyqlA55jKQQvZ4P0PznWEQ/gBJx34hq" + + "LxiBO2G+iDomzHszeM77TXkQBpNxCUw26Jxv2HuvyBXuSprgjw5F1tvLqwsBAnD5vsb0uD" + + "NrkKIzJSIBFQ1SRhuCObaXnamfPJHBmkP25t4QqEvoXMtVHB"; + public static final String Intermediate_Certificate_2_RL_06_01_crt = + "MIICljCCAf+gAwIBAgICALswDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDYuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMi1STC4wNi4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2IKrW6HDZJVFw3e4cC7v/jPGXAexI4B88707NhAc" + + "qxSVfGTPJBdfWo5pkptZKN5/L5n6+rixLItHnei/uwBCHvhwzeEIGo1yVCgz6R2MoNB966" + + "Q5CHWfT43BUjp0rZLJkK4hVKNyXB78NVv2Fly+XWBDEnzQvgVPWbGOvzE3zh0CAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECK/1z9Xbu2jGMBMGA1UdIwQMMAqACOS4X3XqhyJYMA0GCSqG" + + "SIb3DQEBBQUAA4GBAAa/MVC+8ozm9py40a4o/kHbkkmFNQr4s9yi3KXXuVxsNvquFMXm4a" + + "gC8GPoNjvV+RPRmU8wOM6I2/PPl2JEQRb7NDM8LkY/m/Au4GHVeln6FKlldiRm0A+YIr19" + + "ip2RHOldikAjUUYv7JT3SP34sjtq2e8bsXfWEPG5BA/wxtm7"; + public static final String Intermediate_CRL_1_RL_06_01_crl = + "MIIBhTCB7wIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjAjMCECAg" + + "C7Fw05OTAxMDExMjAwMDBaMAwwCgYDVR0VBAMKAQGgODA2MAoGA1UdFAQDAgEBMBMGCWCG" + + "SAFlAgEMAgEB/wQDAgEAMBMGA1UdIwQMMAqACOS4X3XqhyJYMA0GCSqGSIb3DQEBBQUAA4" + + "GBAJSexboWDaqLVY6iiWt8ZX5GwuNwDBN1R2TgM95H7JqjMgoWML887dKk24p4eKACFMWI" + + "Ji9nwsqdZ/h1FtPhYpSoJ8l8vo4imMKr+tTnMngDNpMMZPQyRY1AK1jSrLhEtUdjiEtrTY" + + "rG56RNt4YyUtNxxfkEymvwJxmO/4YcAz/l"; + public static final String Intermediate_CRL_2_RL_06_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMi1STC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIr/XP1du7aMYwDQYJKoZIhvcNAQEFBQADgYEAImRg" + + "n9A7px9exOJL4Se9jsSHzZ3sAd3y16LdAb+HLtYLl1swNB4KPE+OebtzEoYiSzVVwezdlm" + + "5WseZjfbd0q01srZI4FeACZe99iBSpKymdKxw2gRvfYZ8ZMwFpK2mQq9cmygFn53iOwP7j" + + "3KE+lllielu7sYyEnkliF9wsaG0="; + public static final String End_Certificate_RL_06_01_crt = + "MIIChzCCAfCgAwIBAgICALwwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTItUkwuMDYuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA2LjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZVBNzD7LZW6mC2GSbVPjpcJ7sWISYsL2eHqXb" + + "/PuxtbOneOjYqx0GeL9pxDGSSNl2NrlG0G1HTU2MaEOVA6h96W9e5ADV/pzGPMr97z+3BV" + + "unxLX+ciM3T7rUQm/LueQTEC2Ww19T6QOg2i8rEadYT0OoW6OcvyuomemspxgClQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECK5pHDrhL7xjMBMGA1UdIwQMMAqACK/1z9Xbu2jGMA0GCSqGSIb3DQEBBQUAA4GBAF3J" + + "Kskjs4jp+BBoei9YWYtmOupn9w3oGyhknNh2jz7api5Gtgk2SyKfYFvN6EhWZJEab0hPFe" + + "WuYwO7zNCLGHw0cFXT/R48ogd6JkH6xDwj4afZDkWVTu8oaVD4h1rTYS6WPRzizAozOzhi" + + "tmIo+MV/lCG8+jdVtFgeKycI8aX7"; + public static final String[] TEST_70_DATA = new String[] { + Intermediate_Certificate_1_RL_06_01_crt, + Intermediate_Certificate_2_RL_06_01_crt, + Intermediate_CRL_1_RL_06_01_crl, + Intermediate_CRL_2_RL_06_01_crl, + End_Certificate_RL_06_01_crt + }; + + /* + * test71 + * + */ + + public static final String Intermediate_Certificate_RL_06_02_crt = + "MIICljCCAf+gAwIBAgICAL0wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wNi4wMjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxMlJ0vbkMRGzuEDTDGuPmwDzU1xn3dFDZ1Tx6ONP" + + "fwNN5gk6r9kYl5TZ8f5TbkQSnOzyhDSqX8dGumCSgukETXtYBU2+KiIAtliu5NJRbXe3La" + + "vn102HxaHDLGsR0FFLiFM9GVhOOXryJoXoGZqUwvqbWyaQQEzrV4RWmuOv7xMCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECFNaMo88Vb5MMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAJsjJG4/U1OWCJPB1u7UD3TPKRgOR9hT5l3LzFw5s0CEGt2Beg25LP" + + "GEGcr0sEdosVQI5m5CuPolpmlQv0FkZv5M1W+uXX+F/6edtMDEquDpdR97ihQSLZjFFqjE" + + "ytuaD4gqtL/BKBbz3e93mOmR9Wi+kWlXOYl0j8wpU9ePSjDV"; + public static final String Intermediate_CRL_RL_06_02_crl = + "MIIBhTCB7wIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWjAjMCECAg" + + "C+Fw05OTAxMDExMjAwMDBaMAwwCgYDVR0VBAMKAQGgODA2MAoGA1UdFAQDAgEBMBMGCWCG" + + "SAFlAgEMAgEB/wQDAgEAMBMGA1UdIwQMMAqACFNaMo88Vb5MMA0GCSqGSIb3DQEBBQUAA4" + + "GBAAKNj5xmtE7wzO1p5igiAmCDV6KuYsiPAQPHPEBlmo85vzvWv2hpEtmk4nDhehogl0QX" + + "rhvRRqR+cPE5vBLB8mAStW+ZR6FXQPnmU5qGHqCQ4Wh6TWZesd7oyftoS7bJD5Xdf5ErA9" + + "qijWoz8FgxZHVnAFmjA0rUINkdQ5JfE5oj"; + public static final String End_Certificate_RL_06_02_crt = + "MIIChzCCAfCgAwIBAgICAL4wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDYuMDIwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA2LjAyMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD3UzwrnwKRlP00Pn49iI35S0wLn7c1I3rsmzdm" + + "YFicetxHNeOKXLg1CN1bqkbAJ+N39fKjrkusqb2T+R3zhAV5LeLT4fzbHYdU7f4r6xgW2/" + + "b2WLv+QVR+ldTsVxgPp/ZUgYi4/vAow4Q/6IT+zWtlawMBob/nLjVl+jQ9N4coFwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECPhq75noL+9WMBMGA1UdIwQMMAqACFNaMo88Vb5MMA0GCSqGSIb3DQEBBQUAA4GBAIU2" + + "5bLX/NyDC8dKUxRwVn8oc3YPQjK0zXGdUr15Ib+cLdRyFVCuAyxVdpTf/csuga6tDhGuTL" + + "B18mTE/fAjhUOiKiOLD6m4P77Nj67l2NTi86RimsI/Z6r5+bU31ahrls/7kr788+f4oEIY" + + "TyOJecojsJUOG3qzK9J50iszclxg"; + public static final String[] TEST_71_DATA = new String[] { + Intermediate_Certificate_RL_06_02_crt, + Intermediate_CRL_RL_06_02_crl, + End_Certificate_RL_06_02_crt + }; + + /* + * test72 + * + */ + + public static final String Intermediate_Certificate_RL_07_01_crt = + "MIICljCCAf+gAwIBAgICAL8wDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wNy4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxjHxSRwJjEkLG9Al5uSQ22QI8N/hJ8hhkhh9qlaJ" + + "mHusM8sWpAp2vnuumlThTA2zZbptXZ8Krb7i/Kpym4wo3ZkEThwi/ijsM5QCunQJmESRGD" + + "yPZJjfhWjoC+lCjbmzsOGLMETpgSEMy+EyoXkRCnKmXcmCMS8HjLrqdnwiWBUCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECHPEkeIs8GuwMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBABCmgEnb8dfnG9lWQKT5BmQm459WqRQAiqdfqf9w0qRMuVrdfLMwqx" + + "oq4uh10A3d+auHohgT2fT9RzNaWnRoNaH9K6qLQsdCUZdqjbEGdyiIFzvWP9MkV9nhDlo2" + + "GgiU68HfnpKO/WA9EaRHyEzwT9o4SA7hAbz+3L12hB2WLSOg"; + public static final String Intermediate_CRL_RL_07_01_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wNy4wMRcNOTgwMTAxMDYwMTAwWhcNOTgwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIc8SR4izwa7AwDQYJKoZIhvcNAQEFBQADgYEAOyZr" + + "f1tRnuzoq7dgQo+eOYhb5JyRyrNaSwNnRy82wOP+/G3NH8V3NGonDFOOcd9SoLTbeW4o71" + + "vdOrKZgom5H2MZK5M4wTdfPAfXB1wBxOMzW5jXzsRtaha4l6EPI+GVL0eXN+aW3k/pscdA" + + "ToI+OxTmRRnCYS6yW3qL9RoTIXQ="; + public static final String End_Certificate_RL_07_01_crt = + "MIIChzCCAfCgAwIBAgICAMAwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDcuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA3LjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrm/Zem9Tt2UJFUKdAhTNwvhLo03uOax74ZgbV" + + "YNTCpKeEWkV5d5d7DRC4mCTX1yjIlg6K4l7T+sRGI4XAcDRgYLuoyG1X958XCXSdIPTdbK" + + "Hxs/tFv4mrCwi1kU+zjyzDoqgjT6kUxgM39rfcvDMH6qSzHQKgTFp7Tj/DHiELqwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECGFR8c6rRbhcMBMGA1UdIwQMMAqACHPEkeIs8GuwMA0GCSqGSIb3DQEBBQUAA4GBAANZ" + + "TVR288mKpDDzm9XZMZ9+K1kPZ+eQYX+vUul11luVw27AIJGR8Fb4PIGl4+ALvqU3NQP/6v" + + "d+zvS7IfiR6q7aLS3w111BUCgDhTJAp3oSo12qfcp+2DB1M9QfjrM9nKgmh5bBJigdJwJM" + + "W8HHKStUMLdxg+qkZJgZpnyowCFM"; + public static final String[] TEST_72_DATA = new String[] { + Intermediate_Certificate_RL_07_01_crt, + Intermediate_CRL_RL_07_01_crl, + End_Certificate_RL_07_01_crt + }; + + /* + * test73 + * + */ + + public static final String Intermediate_Certificate_RL_07_02_crt = + "MIICljCCAf+gAwIBAgICAMEwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNNTAwMTAxMDYwMDMwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wNy4wMjCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0CvEneaAPtxZOTqlh/TXBM6V0bQgKbO58yEyURcO" + + "Zi7jzYsmNtN9Tsr0wAlD41/ZONsW4MMzZ13UCc0aGa+eE8XRULBe5cgaGxJKwVnEqz3W8z" + + "v1MjOk7Anb8TkxMSlWlptC6V3eRA85p5Id9gXbIrP3E3NuSfyx6246oLjNnbECAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECIb5Ia6wKcHtMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAAYEHQY+Z4qv4bYLmd+sz4aNGwZF7FT6ZIQ43OSeb+t+ibL7rZ0X0y" + + "4SCTMs1mAB44IA6RFurmeCFk0ladRCn3A1xaVI1HlHen13ovzDA9ogL4CWbYXvCUv/znQY" + + "yVSQCTKwT8iVam8xS1MsNCe408iVjhRfR6u9Hi31M+Pf+AUe"; + public static final String Intermediate_CRL_RL_07_02_crl = + "MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wNy4wMhcNNTAwMTAxMDYwMTAwWhcNNTAwMTAxMTIwMTAwWqAjMCEwCg" + + "YDVR0UBAMCAQEwEwYDVR0jBAwwCoAIhvkhrrApwe0wDQYJKoZIhvcNAQEFBQADgYEALVUq" + + "3Wq/Opvp9ifmQ4VXz4dgLNR+5Nz3muJ4RZt5R5b4R3RYllhgXNYw2EbEVCFjnfm97z73Ke" + + "wzVV+fo/u5GbqJHN2cAVEHarOpasLxySktNA1Cwq5OTzUF0dYISqYbyBvVcaOQBvU/Lwj7" + + "MQJJVVq96iDKnAJYBX03EHKbBeg="; + public static final String End_Certificate_RL_07_02_crt = + "MIIChzCCAfCgAwIBAgICAMIwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDcuMDIwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA3LjAyMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD6YgsbjW9IL7/SBORKssFUZBUxmluOpxJK/7d7" + + "JA2pxbg7L96xHFPWN36CYDJzTscNpbGrD3G2MPkg4GqoTo0rU28NYVzj4SwqYoSLIbXB+r" + + "SVgWcxNgbJ+4x9bK3YccNLR1PWEFxz1NckhCLBmb5pI4E34MCxQ6PvFO02I19FwQIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECIutV9ItCIbZMBMGA1UdIwQMMAqACIb5Ia6wKcHtMA0GCSqGSIb3DQEBBQUAA4GBALQE" + + "cBr31h3jKUHcuf3yztr9NWUkGMDM0NCXHOpQl7JbV3P5BjvaiRYWlUrN7+92G8EaUFORto" + + "zp8GG+d/MvFooVQOvpOzyhautYWyqq3AWpZLppnxNk1mRAdjUAvJaONtv37eLsma0bhtLM" + + "j62sQQ6CdoKbMtIEGuJgpwWqHYwY"; + public static final String[] TEST_73_DATA = new String[] { + Intermediate_Certificate_RL_07_02_crt, + Intermediate_CRL_RL_07_02_crl, + End_Certificate_RL_07_02_crt + }; + + /* + * test74 + * + */ + + public static final String Intermediate_Certificate_RL_07_03_crt = + "MIICljCCAf+gAwIBAgICAMMwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wNy4wMzCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEA8QzGjV0NVTNrOgkeqTkQFCOvl7M0qmjmYJjuw4R3" + + "YfQIXDN0m9HR2JKp5WKTSUedmWviGS7NbGSzLR7+6OkLwSoxN9PkA/fMko7O0KWBfduhvn" + + "jymlDMb2GPb1hBjScbq8fVJHwzqUm+BtEO2MXwXKYY2hZr+OEyEGhSEThp90MCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECFwl2XphEZRSMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAAb5GERgYVGuOb62gVZAAnhuk5K7CCkWZucOv6iI7pAgI6S7pvool/" + + "dXHC0tzgQ+/MkuWcr+22k/ya7f+iSfiYokjnQkgoYFYk3PkjyOXA3mzs5qhF0nOP6Gvmz4" + + "asONA+qZSqa4pjxF9Kn8L64f9yeyEXnckmbzdmbjAFCveQIP"; + public static final String Intermediate_CRL_RL_07_03_crl = + "MIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wNy4wMxcNOTkwMTAxMDYwMTAwWhgPMjA1MDAxMDExMjAxMDBaoCMwIT" + + "AKBgNVHRQEAwIBATATBgNVHSMEDDAKgAhcJdl6YRGUUjANBgkqhkiG9w0BAQUFAAOBgQAz" + + "DMl8P16hylNkUEw4z9//PJFObNPZCYdmzBfp0K3tNRrOAouUVegyX0gDHi8O+bmmJNgcnC" + + "tMRXx+D4qP7bx5fDS2MVQhSsncf6u4UZ8pxbRc0JmwR5oGZLPQabrctgmEmg8ZKGApKtsf" + + "pGyvvTwaAzM+GaWXD68bBEN3VfVdeQ=="; + public static final String End_Certificate_RL_07_03_crt = + "MIIChzCCAfCgAwIBAgICAMQwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDcuMDMwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA3LjAzMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDU6mec24uBaVip7fFWHas+o/lpZBOfj/IPHXQ9" + + "QaRZwmJZBB81AX3BJ60DD12o/+RXdHl7B2Eh9kYv/QEXOKmyhJFSPa0Lv7MQ/hCIcL4m1U" + + "FDGtJ3SUixZMqVBP0xjwXoNS88zzaCBL+co2TxhBrYMzeNQOX1eEkXMT4pvULmAwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECBBgFdYLuvk9MBMGA1UdIwQMMAqACFwl2XphEZRSMA0GCSqGSIb3DQEBBQUAA4GBAAof" + + "dPOGa4ZxRPcLw6zWM/NLzF3XYDqXAsZBsC75r0GRrogqEYn07tVUDNaQczDtjRLBRNmxWE" + + "+qCkJwc+wOBJqOFUxcuhK9oag6OE94+UIHdh3Td9i2ELZXj9RSNchnjyFohj5gk1dJSO41" + + "86Ls3mCT9JcssR0dSxxkF0ENfZCG"; + public static final String[] TEST_74_DATA = new String[] { + Intermediate_Certificate_RL_07_03_crt, + Intermediate_CRL_RL_07_03_crl, + End_Certificate_RL_07_03_crt + }; + + /* + * test75 + * + */ + + public static final String Intermediate_Certificate_RL_08_01_crt = + "MIICljCCAf+gAwIBAgICAMUwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wOC4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAs2YRTEl3C1TmmneJ6K110nSACn+KXxSOTGAGN5xv" + + "XW751StpE2iEQIbRVPQdMzmcQX0bcg/WpdrewPQld9NRjFj7it+9YNQh7vMKhZwoAPoDmv" + + "TnTdTEuV0c1FLVDVhiaAD9KMBa4fBLRfTKVzgzAr+oNqLhm3YBd2JWRHg+fA8CAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECB4we8+hIrkKMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBABTQI82uCMwQ4bgUWr9lawSI5DyWg3KY13F45rAlmKyckgne9SHbCH" + + "+Lvm3XkkIqKmeHfJ3QTf7bpz6eErn3CxRrGm5JWblcYbVT+smjboJ9A0BXifqINYLy3qGc" + + "AnNRkPq8OUREj2sU1qWKagUIgA/Vk2WyZhcUiApJPHI4fwv9"; + public static final String Intermediate_CRL_RL_08_01_crl = + "MIIBWjCBxAIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wOC4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqAyMDAwCg" + + "YDVR0UBAMCAQEwDQYDVR0bAQH/BAMCAQEwEwYDVR0jBAwwCoAIHjB7z6EiuQowDQYJKoZI" + + "hvcNAQEFBQADgYEAkjF0oERt5XW2i70gyspkEYIHyGCHnqngky5yuwQSRrlW7t0vGdKV7W" + + "50evTeSVV41uhi1MBcccpx1MdRcB5vsatFSSKcKx4NF3PuHXxXCm2HkfXQy4K5zftE3jOZ" + + "5s+yTHiw3s/QSErtHRca+TQcEZwamI+p402TEa6e82l6xHI="; + public static final String End_Certificate_RL_08_01_crt = + "MIIChzCCAfCgAwIBAgICAMYwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDguMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA4LjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfEMqWMqk3Rre5m4ILtQIz45JImvU379Al/S6t" + + "2y/TzimJc4nhIKQp80VaZA/gwu/DcvMgJPM+FFz5U5rRkDaYASsc34tZUESF5LC6ZbtGqf" + + "J96IKdajvkGLsHyI7dseuwaQ0FlOwcmKMSR898MGNNbKxaQNLEXsIFypRDsN6JhwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECMT22ARjB1ABMBMGA1UdIwQMMAqACB4we8+hIrkKMA0GCSqGSIb3DQEBBQUAA4GBAIaP" + + "EqI7oHl/+h3MszG4VB1Va9NTN0kaysTyjQSVBi9jhOlPkzuXc2wI1bymBhatHEn6OrgP13" + + "vsOiH2BiyudYcYjKpwI4FUiyKLIc0CXzM0VYFoMzb91QtsK1EnvAPDKNYVVFXrL7ABVIK4" + + "hU6HfMMUbnpKWBxT5274iHScX8tL"; + public static final String[] TEST_75_DATA = new String[] { + Intermediate_Certificate_RL_08_01_crt, + Intermediate_CRL_RL_08_01_crl, + End_Certificate_RL_08_01_crt + }; + + /* + * test76 + * + */ + + public static final String Intermediate_Certificate_RL_09_01_crt = + "MIICljCCAf+gAwIBAgICAMcwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9EMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxUcnVzdCBBbmNob3IwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNVBAMTDENBMS1STC4wOS4wMTCBnzANBg" + + "kqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsvkvLv5fMFYvohaXO8a7GgU4rDHe9iL7LP1VeNUg" + + "GIdJGqPEnuggQ/guhrBHafGh1NtmlEbmPJ4WQ99dBbPHHeO8sfCgkmWC0SqPODoI+t3qJE" + + "kf2z9dWoAij15RXPliywZz+S6bTtcEQAREyBQ6M8/HJ83wRXp/uCpdPOSxVPkCAwEAAaNj" + + "MGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwFgYDVR0gBA8wDTALBglghk" + + "gBZQMBMAEwEQYDVR0OBAoECISY4bvGMEBTMBMGA1UdIwQMMAqACKua6/nC51SPMA0GCSqG" + + "SIb3DQEBBQUAA4GBAAd7g+dWso4V/Vr+QIoNLueCBAYWdOF+Yz3VeomcsDAs2V8E+xcZaq" + + "jo2LrMygYCeMxVfXx/ZdhLPOaZ+ahNAbk+nWRwj35JdTNAAbMMWFdZUgR6N+uzx1v7i86p" + + "AWUpRJ9IYPgUoQ5pmjdf3Ru1nrLfRt4yp+kNHWp6IL/+MwcM"; + public static final String Intermediate_CRL_RL_09_01_crl = + "MIIBXDCBxgIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS" + + "5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3RpbmcxFTATBgNV" + + "BAMTDENBMS1STC4wOS4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMTAwWqA0MDIwCg" + + "YDVR0UBAMCAQEwDwYDVR0cAQH/BAUwA4IB/zATBgNVHSMEDDAKgAiEmOG7xjBAUzANBgkq" + + "hkiG9w0BAQUFAAOBgQAKTXYgqlP+upFIwOSpdaVKDT8aqFzY9nSIsxHg5Wdl43U7p44LvQ" + + "lW8XKhw74oQl1ExU5s7mDaEqB0JIozGzmoNyKsErgWKNW+lpKSxR5+1EHOB6Oo2KijpTsv" + + "GFrHFCnF09f9JaTaMRIXOljx3rMO1UZsftKy/L9z3aUz8hQRnQ=="; + public static final String End_Certificate_RL_09_01_crt = + "MIIChzCCAfCgAwIBAgICAMgwDQYJKoZIhvcNAQEFBQAwXjELMAkGA1UEBhMCVVMxGDAWBg" + + "NVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UECxMDRG9kMRAwDgYDVQQLEwdUZXN0aW5n" + + "MRUwEwYDVQQDEwxDQTEtUkwuMDkuMDEwHhcNOTgwMTAxMTIwMTAwWhcNNDgwMTAxMTIwMT" + + "AwWjBgMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL" + + "EwNEb0QxEDAOBgNVBAsTB1Rlc3RpbmcxFzAVBgNVBAMTDlVzZXIxLVJMLjA5LjAxMIGfMA" + + "0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpz09VCXzAhH4/ifMk0RAzaBqJCXaHHqAdO/TW" + + "6uvOVtl+fGvWXhXmSSCUfzg5xBqdUXrqcyxOME3vdgF1uOFZ4q2K6+Zuxmm+GCOCIpe+Gl" + + "Jzqz4WKXG0iaXXQOYa56itNc/6Z6D/aAjNJavI19w0lmb9l6U2WBfn3LywxHp4dwIDAQAB" + + "o1IwUDAOBgNVHQ8BAf8EBAMCBeAwFgYDVR0gBA8wDTALBglghkgBZQMBMAEwEQYDVR0OBA" + + "oECOri1JgnJfLjMBMGA1UdIwQMMAqACISY4bvGMEBTMA0GCSqGSIb3DQEBBQUAA4GBADmV" + + "Ee0xy25Z0HtmWwprKPjJDr/p7TgzbmNC58pUPkgtxnJFP4yrzNB9FQBWSfnjZpzQkLSU7i" + + "7O6cf5HkqjQqoPErDnJLWgGzjbF80v2IIyZk7rEpAAM4MwjIk7hFvJK8QkTht9F4N1zj2X" + + "0TQkmlbo9Z4SFj/3fsbl9h2GdKuU"; + public static final String[] TEST_76_DATA = new String[] { + Intermediate_Certificate_RL_09_01_crt, + Intermediate_CRL_RL_09_01_crl, + End_Certificate_RL_09_01_crt + }; + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NamedCurveTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NamedCurveTest.java new file mode 100644 index 00000000..aeb0871d --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NamedCurveTest.java @@ -0,0 +1,341 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.asn1.nist.NISTNamedCurves; +import org.bouncycastle.asn1.sec.SECNamedCurves; +import org.bouncycastle.asn1.teletrust.TeleTrusTNamedCurves; +import org.bouncycastle.asn1.x9.X962NamedCurves; +import org.bouncycastle.asn1.cryptopro.ECGOST3410NamedCurves; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECNamedCurveSpec; +import org.bouncycastle.util.test.SimpleTest; + +import javax.crypto.KeyAgreement; +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; +import java.security.spec.ECGenParameterSpec; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Set; +import java.util.HashSet; + +public class NamedCurveTest + extends SimpleTest +{ + private static Hashtable CURVE_NAMES = new Hashtable(); + private static Hashtable CURVE_ALIASES = new Hashtable(); + + static + { + CURVE_NAMES.put("prime192v1", "prime192v1"); // X9.62 + CURVE_NAMES.put("sect571r1", "sect571r1"); // sec + CURVE_NAMES.put("secp224r1", "secp224r1"); + CURVE_NAMES.put("B-409", SECNamedCurves.getName(NISTNamedCurves.getOID("B-409"))); // nist + CURVE_NAMES.put("P-521", SECNamedCurves.getName(NISTNamedCurves.getOID("P-521"))); + CURVE_NAMES.put("brainpoolp160r1", "brainpoolp160r1"); // TeleTrusT + + CURVE_ALIASES.put("secp192r1", "prime192v1"); + CURVE_ALIASES.put("secp256r1", "prime256v1"); + } + + public void testCurve( + String name) + throws Exception + { + ECGenParameterSpec ecSpec = new ECGenParameterSpec(name); + + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDH", "BC"); + + g.initialize(ecSpec, new SecureRandom()); + + // + // a side + // + KeyPair aKeyPair = g.generateKeyPair(); + + KeyAgreement aKeyAgree = KeyAgreement.getInstance("ECDHC", "BC"); + + aKeyAgree.init(aKeyPair.getPrivate()); + + // + // b side + // + KeyPair bKeyPair = g.generateKeyPair(); + + KeyAgreement bKeyAgree = KeyAgreement.getInstance("ECDHC", "BC"); + + bKeyAgree.init(bKeyPair.getPrivate()); + + // + // agreement + // + aKeyAgree.doPhase(bKeyPair.getPublic(), true); + bKeyAgree.doPhase(aKeyPair.getPublic(), true); + + BigInteger k1 = new BigInteger(aKeyAgree.generateSecret()); + BigInteger k2 = new BigInteger(bKeyAgree.generateSecret()); + + if (!k1.equals(k2)) + { + fail("2-way test failed"); + } + + // + // public key encoding test + // + byte[] pubEnc = aKeyPair.getPublic().getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance("ECDH", "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + ECPublicKey pubKey = (ECPublicKey)keyFac.generatePublic(pubX509); + + if (!pubKey.getW().equals(((ECPublicKey)aKeyPair.getPublic()).getW())) + { + fail("public key encoding (Q test) failed"); + } + + if (!(pubKey.getParams() instanceof ECNamedCurveSpec)) + { + fail("public key encoding not named curve"); + } + + // + // private key encoding test + // + byte[] privEnc = aKeyPair.getPrivate().getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + ECPrivateKey privKey = (ECPrivateKey)keyFac.generatePrivate(privPKCS8); + + if (!privKey.getS().equals(((ECPrivateKey)aKeyPair.getPrivate()).getS())) + { + fail("private key encoding (S test) failed"); + } + + if (!(privKey.getParams() instanceof ECNamedCurveSpec)) + { + fail("private key encoding not named curve"); + } + + ECNamedCurveSpec privSpec = (ECNamedCurveSpec)privKey.getParams(); + if (!(privSpec.getName().equals(name) || privSpec.getName().equals(CURVE_NAMES.get(name)))) + { + fail("private key encoding wrong named curve. Expected: " + CURVE_NAMES.get(name) + " got " + privSpec.getName()); + } + } + + public void testECDSA( + String name) + throws Exception + { + ECGenParameterSpec ecSpec = new ECGenParameterSpec(name); + + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + g.initialize(ecSpec, new SecureRandom()); + + Signature sgr = Signature.getInstance("ECDSA", "BC"); + KeyPair pair = g.generateKeyPair(); + PrivateKey sKey = pair.getPrivate(); + PublicKey vKey = pair.getPublic(); + + sgr.initSign(sKey); + + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail(name + " verification failed"); + } + + // + // public key encoding test + // + byte[] pubEnc = vKey.getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance("ECDH", "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + ECPublicKey pubKey = (ECPublicKey)keyFac.generatePublic(pubX509); + + if (!pubKey.getW().equals(((ECPublicKey)vKey).getW())) + { + fail("public key encoding (Q test) failed"); + } + + if (!(pubKey.getParams() instanceof ECNamedCurveSpec)) + { + fail("public key encoding not named curve"); + } + + // + // private key encoding test + // + byte[] privEnc = sKey.getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + ECPrivateKey privKey = (ECPrivateKey)keyFac.generatePrivate(privPKCS8); + + if (!privKey.getS().equals(((ECPrivateKey)sKey).getS())) + { + fail("private key encoding (S test) failed"); + } + + if (!(privKey.getParams() instanceof ECNamedCurveSpec)) + { + fail("private key encoding not named curve"); + } + + ECNamedCurveSpec privSpec = (ECNamedCurveSpec)privKey.getParams(); + if (!privSpec.getName().equalsIgnoreCase(name) + && !privSpec.getName().equalsIgnoreCase((String)CURVE_ALIASES.get(name))) + { + fail("private key encoding wrong named curve. Expected: " + name + " got " + privSpec.getName()); + } + } + + public void testECGOST( + String name) + throws Exception + { + ECGenParameterSpec ecSpec = new ECGenParameterSpec(name); + + KeyPairGenerator g = KeyPairGenerator.getInstance("ECGOST3410", "BC"); + + g.initialize(ecSpec, new SecureRandom()); + + Signature sgr = Signature.getInstance("ECGOST3410", "BC"); + KeyPair pair = g.generateKeyPair(); + PrivateKey sKey = pair.getPrivate(); + PublicKey vKey = pair.getPublic(); + + sgr.initSign(sKey); + + byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; + + sgr.update(message); + + byte[] sigBytes = sgr.sign(); + + sgr.initVerify(vKey); + + sgr.update(message); + + if (!sgr.verify(sigBytes)) + { + fail(name + " verification failed"); + } + + // + // public key encoding test + // + byte[] pubEnc = vKey.getEncoded(); + KeyFactory keyFac = KeyFactory.getInstance("ECGOST3410", "BC"); + X509EncodedKeySpec pubX509 = new X509EncodedKeySpec(pubEnc); + ECPublicKey pubKey = (ECPublicKey)keyFac.generatePublic(pubX509); + + if (!pubKey.getW().equals(((ECPublicKey)vKey).getW())) + { + fail("public key encoding (Q test) failed"); + } + + if (!(pubKey.getParams() instanceof ECNamedCurveSpec)) + { + fail("public key encoding not named curve"); + } + + // + // private key encoding test + // + byte[] privEnc = sKey.getEncoded(); + PKCS8EncodedKeySpec privPKCS8 = new PKCS8EncodedKeySpec(privEnc); + ECPrivateKey privKey = (ECPrivateKey)keyFac.generatePrivate(privPKCS8); + + if (!privKey.getS().equals(((ECPrivateKey)sKey).getS())) + { + fail("GOST private key encoding (S test) failed"); + } + + if (!(privKey.getParams() instanceof ECNamedCurveSpec)) + { + fail("GOST private key encoding not named curve"); + } + + ECNamedCurveSpec privSpec = (ECNamedCurveSpec)privKey.getParams(); + if (!privSpec.getName().equalsIgnoreCase(name) + && !privSpec.getName().equalsIgnoreCase((String)CURVE_ALIASES.get(name))) + { + fail("GOST private key encoding wrong named curve. Expected: " + name + " got " + privSpec.getName()); + } + } + + public String getName() + { + return "NamedCurve"; + } + + public void performTest() + throws Exception + { + testCurve("prime192v1"); // X9.62 + testCurve("sect571r1"); // sec + testCurve("secp224r1"); + testCurve("B-409"); // nist + testCurve("P-521"); + testCurve("brainpoolp160r1"); // TeleTrusT + + for (Enumeration en = X962NamedCurves.getNames(); en.hasMoreElements();) + { + testECDSA((String)en.nextElement()); + } + + // these curves can't be used under JDK 1.5 + Set problemCurves = new HashSet(); + + problemCurves.add("secp256k1"); + problemCurves.add("secp160k1"); + problemCurves.add("secp224k1"); + problemCurves.add("secp192k1"); + + for (Enumeration en = SECNamedCurves.getNames(); en.hasMoreElements();) + { + String curveName = (String)en.nextElement(); + + if (!problemCurves.contains(curveName)) + { + testECDSA(curveName); + } + } + + for (Enumeration en = TeleTrusTNamedCurves.getNames(); en.hasMoreElements();) + { + testECDSA((String)en.nextElement()); + } + + for (Enumeration en = ECGOST3410NamedCurves.getNames(); en.hasMoreElements();) + { + testECGOST((String)en.nextElement()); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new NamedCurveTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NetscapeCertRequestTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NetscapeCertRequestTest.java new file mode 100644 index 00000000..d670f54b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NetscapeCertRequestTest.java @@ -0,0 +1,130 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Security; + +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DEROutputStream; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jce.netscape.NetscapeCertRequest; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTestResult; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +/** + */ +public class NetscapeCertRequestTest + implements Test +{ + /* from NS 4.75 */ + static final String test1 = + "MIIBRzCBsTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmwdh+LJXQ8AtXczo"+ + "4EIGfXjpmDwsoIRpPaXEx1CBHhpon/Dpo/o5Vw2WoWNICXj5lmqhftIpCPO9qKxx"+ + "85x6k/fuyTPH8P02hkmscAYsgqOgb/1yRCNXFryuFOATqxw1tsuye5Q3lTU9JCLU"+ + "UilQ6BV8n3fm2egtPPUaJEuCvcsCAwEAARYNZml4ZWQtZm9yLW5vdzANBgkqhkiG"+ + "9w0BAQQFAAOBgQAImbJD6xHbJtXl6kOTbCFoMnDk7U0o6pHy9l56DYVsiluXegiY"+ + "6twB4o7OWsrqTb+gVvzK65FfP+NBVVzxY8UzcjbqC51yvO/9wnpUsIBqD/Gvi1gE"+ + "qvw7RHwVEhdzsvLwlL22G8CfDxHnWLww39j8uRJsmoNiKJly3BcsZkLd9g=="; + + public String getName() + { + return "NetscapeCertRequest"; + } + + public TestResult perform() + { + try + { + String challenge = "fixed-for-now"; + + byte data [] = Base64.decode (test1); + + ASN1InputStream in = new ASN1InputStream (new ByteArrayInputStream(data)); + ASN1Sequence spkac = (ASN1Sequence)in.readObject (); + // System.out.println("SPKAC: \n"+DERDump.dumpAsString (spkac)); + + + NetscapeCertRequest nscr = new NetscapeCertRequest (spkac); + + if (!nscr.verify (challenge)) + { + return new SimpleTestResult(false, getName() + ": 1 - not verified"); + } + + //now try to generate one + KeyPairGenerator kpg = + KeyPairGenerator.getInstance (nscr.getKeyAlgorithm().getObjectId ().getId(), "BC"); + + kpg.initialize (1024); + + KeyPair kp = kpg.genKeyPair(); + + nscr.setPublicKey (kp.getPublic()); + nscr.sign (kp.getPrivate()); + + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + DEROutputStream deros = new DEROutputStream (baos); + deros.writeObject (nscr); + deros.close(); + + + ASN1InputStream in2 = + new ASN1InputStream (new ByteArrayInputStream(baos.toByteArray())); + ASN1Sequence spkac2 = (ASN1Sequence)in2.readObject (); + + // System.out.println("SPKAC2: \n"+DERDump.dumpAsString (spkac2)); + + NetscapeCertRequest nscr2 = new NetscapeCertRequest (spkac2); + + if (!nscr2.verify (challenge)) + { + return new SimpleTestResult(false, getName() + ": 2 - not verified"); + } + + //lets build it from scratch + + + challenge = "try it"; + + NetscapeCertRequest nscr3 = + new NetscapeCertRequest (challenge, + new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption, null), + kp.getPublic()); + + nscr3.sign (kp.getPrivate()); + + // System.out.println("SPKAC3: \n"+DERDump.dumpAsString (nscr3)); + + if (nscr3.verify (challenge)) + { + return new SimpleTestResult(true, getName() + ": Okay"); + } + else + { + return new SimpleTestResult(false, getName() + ": 3 - not verified"); + } + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + ": exception - " + e.toString()); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + Test test = new NetscapeCertRequestTest(); + TestResult result = test.perform(); + + System.out.println(result.toString()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NoekeonTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NoekeonTest.java new file mode 100644 index 00000000..c1c7b668 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/NoekeonTest.java @@ -0,0 +1,152 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.spec.SecretKeySpec; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.IOException; +import java.security.Key; +import java.security.Security; + +/** + * basic test class for SEED + */ +public class NoekeonTest + extends BaseBlockCipherTest +{ + static String[] cipherTests = + { + "128", + "b1656851699e29fa24b70148503d2dfc", + "2a78421b87c7d0924f26113f1d1349b2", + "e2f687e07b75660ffc372233bc47532c" + }; + + public NoekeonTest() + { + super("Noekeon"); + } + + public void test( + int strength, + byte[] keyBytes, + byte[] input, + byte[] output) + throws Exception + { + Key key; + Cipher in, out; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + key = new SecretKeySpec(keyBytes, "Noekeon"); + + in = Cipher.getInstance("Noekeon/ECB/NoPadding", "BC"); + out = Cipher.getInstance("Noekeon/ECB/NoPadding", "BC"); + + try + { + out.init(Cipher.ENCRYPT_MODE, key); + } + catch (Exception e) + { + fail("Noekeon failed initialisation - " + e.toString(), e); + } + + try + { + in.init(Cipher.DECRYPT_MODE, key); + } + catch (Exception e) + { + fail("Noekeoen failed initialisation - " + e.toString(), e); + } + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + try + { + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + } + catch (IOException e) + { + fail("Noekeon failed encryption - " + e.toString(), e); + } + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!areEqual(bytes, output)) + { + fail("Noekeon failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + try + { + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + } + catch (Exception e) + { + fail("Noekeon failed encryption - " + e.toString(), e); + } + + if (!areEqual(bytes, input)) + { + fail("Noekeon failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + } + + public void performTest() + throws Exception + { + for (int i = 0; i != cipherTests.length; i += 4) + { + test(Integer.parseInt(cipherTests[i]), + Hex.decode(cipherTests[i + 1]), + Hex.decode(cipherTests[i + 2]), + Hex.decode(cipherTests[i + 3])); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new NoekeonTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PBETest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PBETest.java new file mode 100644 index 00000000..d5781f4c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PBETest.java @@ -0,0 +1,672 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.AlgorithmParameters; +import java.security.SecureRandom; +import java.security.Security; +import java.security.spec.InvalidParameterSpecException; +import java.security.spec.KeySpec; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.PBEParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.asn1.bc.BCObjectIdentifiers; +import org.bouncycastle.crypto.Digest; +import org.bouncycastle.crypto.PBEParametersGenerator; +import org.bouncycastle.crypto.digests.SHA1Digest; +import org.bouncycastle.crypto.digests.SHA256Digest; +import org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator; +import org.bouncycastle.crypto.generators.PKCS12ParametersGenerator; +import org.bouncycastle.crypto.params.KeyParameter; +import org.bouncycastle.crypto.params.ParametersWithIV; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +/** + * test out the various PBE modes, making sure the JCE implementations + * are compatible woth the light weight ones. + */ +public class PBETest + extends SimpleTest +{ + private class OpenSSLTest + extends SimpleTest + { + char[] password; + String baseAlgorithm; + String algorithm; + int keySize; + int ivSize; + + OpenSSLTest( + String baseAlgorithm, + String algorithm, + int keySize, + int ivSize) + { + this.password = algorithm.toCharArray(); + this.baseAlgorithm = baseAlgorithm; + this.algorithm = algorithm; + this.keySize = keySize; + this.ivSize = ivSize; + } + + public String getName() + { + return "OpenSSLPBE"; + } + + public void performTest() + throws Exception + { + byte[] salt = new byte[16]; + int iCount = 100; + + for (int i = 0; i != salt.length; i++) + { + salt[i] = (byte)i; + } + + OpenSSLPBEParametersGenerator pGen = new OpenSSLPBEParametersGenerator(); + + pGen.init( + PBEParametersGenerator.PKCS5PasswordToBytes(password), + salt, + iCount); + + ParametersWithIV params = (ParametersWithIV)pGen.generateDerivedParameters(keySize, ivSize); + + SecretKeySpec encKey = new SecretKeySpec(((KeyParameter)params.getParameters()).getKey(), baseAlgorithm); + + Cipher c; + + if (baseAlgorithm.equals("RC4")) + { + c = Cipher.getInstance(baseAlgorithm, "BC"); + + c.init(Cipher.ENCRYPT_MODE, encKey); + } + else + { + c = Cipher.getInstance(baseAlgorithm + "/CBC/PKCS7Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(params.getIV())); + } + + byte[] enc = c.doFinal(salt); + + c = Cipher.getInstance(algorithm, "BC"); + + PBEKeySpec keySpec = new PBEKeySpec(password, salt, iCount); + SecretKeyFactory fact = SecretKeyFactory.getInstance(algorithm, "BC"); + + c.init(Cipher.DECRYPT_MODE, fact.generateSecret(keySpec)); + + byte[] dec = c.doFinal(enc); + + if (!Arrays.areEqual(salt, dec)) + { + fail("" + algorithm + "failed encryption/decryption test"); + } + } + } + + private class PKCS12Test + extends SimpleTest + { + char[] password; + String baseAlgorithm; + String algorithm; + Digest digest; + int keySize; + int ivSize; + + PKCS12Test( + String baseAlgorithm, + String algorithm, + Digest digest, + int keySize, + int ivSize) + { + this.password = algorithm.toCharArray(); + this.baseAlgorithm = baseAlgorithm; + this.algorithm = algorithm; + this.digest = digest; + this.keySize = keySize; + this.ivSize = ivSize; + } + + public String getName() + { + return "PKCS12PBE"; + } + + public void performTest() + throws Exception + { + byte[] salt = new byte[digest.getDigestSize()]; + int iCount = 100; + + digest.doFinal(salt, 0); + + PKCS12ParametersGenerator pGen = new PKCS12ParametersGenerator(digest); + + pGen.init( + PBEParametersGenerator.PKCS12PasswordToBytes(password), + salt, + iCount); + + ParametersWithIV params = (ParametersWithIV)pGen.generateDerivedParameters(keySize, ivSize); + + SecretKeySpec encKey = new SecretKeySpec(((KeyParameter)params.getParameters()).getKey(), baseAlgorithm); + + Cipher c; + + if (baseAlgorithm.equals("RC4")) + { + c = Cipher.getInstance(baseAlgorithm, "BC"); + + c.init(Cipher.ENCRYPT_MODE, encKey); + } + else + { + c = Cipher.getInstance(baseAlgorithm + "/CBC/PKCS7Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(params.getIV())); + } + + byte[] enc = c.doFinal(salt); + + c = Cipher.getInstance(algorithm, "BC"); + + PBEKeySpec keySpec = new PBEKeySpec(password, salt, iCount); + SecretKeyFactory fact = SecretKeyFactory.getInstance(algorithm, "BC"); + + c.init(Cipher.DECRYPT_MODE, fact.generateSecret(keySpec)); + + byte[] dec = c.doFinal(enc); + + if (!Arrays.areEqual(salt, dec)) + { + fail("" + algorithm + "failed encryption/decryption test"); + } + + // + // get the parameters + // + AlgorithmParameters param = checkParameters(c, salt, iCount); + + // + // try using parameters + // + c = Cipher.getInstance(algorithm, "BC"); + + keySpec = new PBEKeySpec(password); + + c.init(Cipher.DECRYPT_MODE, fact.generateSecret(keySpec), param); + + checkParameters(c, salt, iCount); + + dec = c.doFinal(enc); + + if (!Arrays.areEqual(salt, dec)) + { + fail("" + algorithm + "failed encryption/decryption test"); + } + + // + // try using PBESpec + // + c = Cipher.getInstance(algorithm, "BC"); + + keySpec = new PBEKeySpec(password); + + c.init(Cipher.DECRYPT_MODE, fact.generateSecret(keySpec), param.getParameterSpec(PBEParameterSpec.class)); + + checkParameters(c, salt, iCount); + + dec = c.doFinal(enc); + + if (!Arrays.areEqual(salt, dec)) + { + fail("" + algorithm + "failed encryption/decryption test"); + } + } + + private AlgorithmParameters checkParameters(Cipher c, byte[] salt, int iCount) + throws InvalidParameterSpecException + { + AlgorithmParameters param = c.getParameters(); + PBEParameterSpec spec = (PBEParameterSpec)param.getParameterSpec(PBEParameterSpec.class); + + if (!Arrays.areEqual(salt, spec.getSalt())) + { + fail("" + algorithm + "failed salt test"); + } + + if (iCount != spec.getIterationCount()) + { + fail("" + algorithm + "failed count test"); + } + return param; + } + } + + private PKCS12Test[] pkcs12Tests = { + new PKCS12Test("DESede", "PBEWITHSHAAND3-KEYTRIPLEDES-CBC", new SHA1Digest(), 192, 64), + new PKCS12Test("DESede", "PBEWITHSHAAND2-KEYTRIPLEDES-CBC", new SHA1Digest(), 128, 64), + new PKCS12Test("RC4", "PBEWITHSHAAND128BITRC4", new SHA1Digest(), 128, 0), + new PKCS12Test("RC4", "PBEWITHSHAAND40BITRC4", new SHA1Digest(), 40, 0), + new PKCS12Test("RC2", "PBEWITHSHAAND128BITRC2-CBC", new SHA1Digest(), 128, 64), + new PKCS12Test("RC2", "PBEWITHSHAAND40BITRC2-CBC", new SHA1Digest(), 40, 64), + new PKCS12Test("AES", "PBEWithSHA1And128BitAES-CBC-BC", new SHA1Digest(), 128, 128), + new PKCS12Test("AES", "PBEWithSHA1And192BitAES-CBC-BC", new SHA1Digest(), 192, 128), + new PKCS12Test("AES", "PBEWithSHA1And256BitAES-CBC-BC", new SHA1Digest(), 256, 128), + new PKCS12Test("AES", "PBEWithSHA256And128BitAES-CBC-BC", new SHA256Digest(), 128, 128), + new PKCS12Test("AES", "PBEWithSHA256And192BitAES-CBC-BC", new SHA256Digest(), 192, 128), + new PKCS12Test("AES", "PBEWithSHA256And256BitAES-CBC-BC", new SHA256Digest(), 256, 128), + new PKCS12Test("Twofish","PBEWithSHAAndTwofish-CBC", new SHA1Digest(), 256, 128), + new PKCS12Test("IDEA", "PBEWithSHAAndIDEA-CBC", new SHA1Digest(), 128, 64), + new PKCS12Test("AES", BCObjectIdentifiers.bc_pbe_sha1_pkcs12_aes128_cbc.getId(), new SHA1Digest(), 128, 128), + new PKCS12Test("AES", BCObjectIdentifiers.bc_pbe_sha1_pkcs12_aes192_cbc.getId(), new SHA1Digest(), 192, 128), + new PKCS12Test("AES", BCObjectIdentifiers.bc_pbe_sha1_pkcs12_aes256_cbc.getId(), new SHA1Digest(), 256, 128), + new PKCS12Test("AES", BCObjectIdentifiers.bc_pbe_sha256_pkcs12_aes128_cbc.getId(), new SHA256Digest(), 128, 128), + new PKCS12Test("AES", BCObjectIdentifiers.bc_pbe_sha256_pkcs12_aes192_cbc.getId(), new SHA256Digest(), 192, 128), + new PKCS12Test("AES", BCObjectIdentifiers.bc_pbe_sha256_pkcs12_aes256_cbc.getId(), new SHA256Digest(), 256, 128), + }; + + private OpenSSLTest openSSLTests[] = { + new OpenSSLTest("AES", "PBEWITHMD5AND128BITAES-CBC-OPENSSL", 128, 128), + new OpenSSLTest("AES", "PBEWITHMD5AND192BITAES-CBC-OPENSSL", 192, 128), + new OpenSSLTest("AES", "PBEWITHMD5AND256BITAES-CBC-OPENSSL", 256, 128) + }; + + static byte[] message = Hex.decode("4869205468657265"); + + private byte[] hMac1 = Hex.decode("bcc42174ccb04f425d9a5c8c4a95d6fd7c372911"); + private byte[] hMac2 = Hex.decode("cb1d8bdb6aca9e3fa8980d6eb41ab28a7eb2cfd6"); + private byte[] hMac3 = Hex.decode("514aa173a302c770689269aac08eb8698e5879ac"); + + private Cipher makePBECipherUsingParam( + String algorithm, + int mode, + char[] password, + byte[] salt, + int iterationCount) + throws Exception + { + PBEKeySpec pbeSpec = new PBEKeySpec(password); + SecretKeyFactory keyFact = SecretKeyFactory.getInstance(algorithm, "BC"); + PBEParameterSpec defParams = new PBEParameterSpec(salt, iterationCount); + + Cipher cipher = Cipher.getInstance(algorithm, "BC"); + + cipher.init(mode, keyFact.generateSecret(pbeSpec), defParams); + + return cipher; + } + + private Cipher makePBECipherWithoutParam( + String algorithm, + int mode, + char[] password, + byte[] salt, + int iterationCount) + throws Exception + { + PBEKeySpec pbeSpec = new PBEKeySpec(password, salt, iterationCount); + SecretKeyFactory keyFact = SecretKeyFactory.getInstance(algorithm, "BC"); + + Cipher cipher = Cipher.getInstance(algorithm, "BC"); + + cipher.init(mode, keyFact.generateSecret(pbeSpec)); + + return cipher; + } + + public void testPBEHMac( + String hmacName, + byte[] output) + { + SecretKey key; + byte[] out; + Mac mac; + + try + { + SecretKeyFactory fact = SecretKeyFactory.getInstance(hmacName, "BC"); + + key = fact.generateSecret(new PBEKeySpec("hello".toCharArray())); + + mac = Mac.getInstance(hmacName, "BC"); + } + catch (Exception e) + { + fail("Failed - exception " + e.toString(), e); + return; + } + + try + { + mac.init(key, new PBEParameterSpec(new byte[20], 100)); + } + catch (Exception e) + { + fail("Failed - exception " + e.toString(), e); + return; + } + + mac.reset(); + + mac.update(message, 0, message.length); + + out = mac.doFinal(); + + if (!Arrays.areEqual(out, output)) + { + fail("Failed - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(out))); + } + } + + public void testPBEonSecretKeyHmac( + String hmacName, + byte[] output) + { + SecretKey key; + byte[] out; + Mac mac; + + try + { + SecretKeyFactory fact = SecretKeyFactory.getInstance(hmacName, "BC"); + + key = fact.generateSecret(new PBEKeySpec("hello".toCharArray(), new byte[20], 100, 160)); + + mac = Mac.getInstance("HMAC-SHA1", "BC"); + } + catch (Exception e) + { + fail("Failed - exception " + e.toString(), e); + return; + } + + try + { + mac.init(key); + } + catch (Exception e) + { + fail("Failed - exception " + e.toString(), e); + return; + } + + mac.reset(); + + mac.update(message, 0, message.length); + + out = mac.doFinal(); + + if (!Arrays.areEqual(out, output)) + { + fail("Failed - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(out))); + } + } + + private void testCipherNameWithWrap(String name, String simpleName) + throws Exception + { + KeyGenerator kg = KeyGenerator.getInstance("AES"); + kg.init(new SecureRandom()); + SecretKey key = kg.generateKey(); + + byte[] salt = { + (byte)0xc7, (byte)0x73, (byte)0x21, (byte)0x8c, + (byte)0x7e, (byte)0xc8, (byte)0xee, (byte)0x99 + }; + char[] password = { 'p','a','s','s','w','o','r','d' }; + + PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, 20); + PBEKeySpec pbeKeySpec = new PBEKeySpec(password); + SecretKeyFactory keyFac = + SecretKeyFactory.getInstance(name); + SecretKey pbeKey = keyFac.generateSecret(pbeKeySpec); + Cipher pbeEncryptCipher = Cipher.getInstance(name, "BC"); + + pbeEncryptCipher.init(Cipher.WRAP_MODE, pbeKey, pbeParamSpec); + + byte[] symKeyBytes = pbeEncryptCipher.wrap(key); + + Cipher simpleCipher = Cipher.getInstance(simpleName, "BC"); + + simpleCipher.init(Cipher.UNWRAP_MODE, pbeKey, pbeParamSpec); + + SecretKey unwrappedKey = (SecretKey)simpleCipher.unwrap(symKeyBytes, "AES", Cipher.SECRET_KEY); + + if (!Arrays.areEqual(unwrappedKey.getEncoded(), key.getEncoded())) + { + fail("key mismatch on unwrapping"); + } + } + + public void performTest() + throws Exception + { + byte[] input = Hex.decode("1234567890abcdefabcdef1234567890fedbca098765"); + + // + // DES + // + Cipher cEnc = Cipher.getInstance("DES/CBC/PKCS7Padding", "BC"); + + cEnc.init(Cipher.ENCRYPT_MODE, + new SecretKeySpec(Hex.decode("30e69252758e5346"), "DES"), + new IvParameterSpec(Hex.decode("7c1c1ab9c454a688"))); + + byte[] out = cEnc.doFinal(input); + + char[] password = { 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' }; + + Cipher cDec = makePBECipherUsingParam( + "PBEWithSHA1AndDES", + Cipher.DECRYPT_MODE, + password, + Hex.decode("7d60435f02e9e0ae"), + 2048); + + byte[] in = cDec.doFinal(out); + + if (!Arrays.areEqual(input, in)) + { + fail("DES failed"); + } + + cDec = makePBECipherWithoutParam( + "PBEWithSHA1AndDES", + Cipher.DECRYPT_MODE, + password, + Hex.decode("7d60435f02e9e0ae"), + 2048); + + in = cDec.doFinal(out); + + if (!Arrays.areEqual(input, in)) + { + fail("DES failed without param"); + } + + // + // DESede + // + cEnc = Cipher.getInstance("DESede/CBC/PKCS7Padding", "BC"); + + cEnc.init(Cipher.ENCRYPT_MODE, + new SecretKeySpec(Hex.decode("732f2d33c801732b7206756cbd44f9c1c103ddd97c7cbe8e"), "DES"), + new IvParameterSpec(Hex.decode("b07bf522c8d608b8"))); + + out = cEnc.doFinal(input); + + cDec = makePBECipherUsingParam( + "PBEWithSHAAnd3-KeyTripleDES-CBC", + Cipher.DECRYPT_MODE, + password, + Hex.decode("7d60435f02e9e0ae"), + 2048); + + in = cDec.doFinal(out); + + if (!Arrays.areEqual(input, in)) + { + fail("DESede failed"); + } + + // + // 40Bit RC2 + // + cEnc = Cipher.getInstance("RC2/CBC/PKCS7Padding", "BC"); + + cEnc.init(Cipher.ENCRYPT_MODE, + new SecretKeySpec(Hex.decode("732f2d33c8"), "RC2"), + new IvParameterSpec(Hex.decode("b07bf522c8d608b8"))); + + out = cEnc.doFinal(input); + + cDec = makePBECipherUsingParam( + "PBEWithSHAAnd40BitRC2-CBC", + Cipher.DECRYPT_MODE, + password, + Hex.decode("7d60435f02e9e0ae"), + 2048); + + in = cDec.doFinal(out); + + if (!Arrays.areEqual(input, in)) + { + fail("RC2 failed"); + } + + // + // 128bit RC4 + // + cEnc = Cipher.getInstance("RC4", "BC"); + + cEnc.init(Cipher.ENCRYPT_MODE, + new SecretKeySpec(Hex.decode("732f2d33c801732b7206756cbd44f9c1"), "RC4")); + + out = cEnc.doFinal(input); + + cDec = makePBECipherUsingParam( + "PBEWithSHAAnd128BitRC4", + Cipher.DECRYPT_MODE, + password, + Hex.decode("7d60435f02e9e0ae"), + 2048); + + in = cDec.doFinal(out); + + if (!Arrays.areEqual(input, in)) + { + fail("RC4 failed"); + } + + cDec = makePBECipherWithoutParam( + "PBEWithSHAAnd128BitRC4", + Cipher.DECRYPT_MODE, + password, + Hex.decode("7d60435f02e9e0ae"), + 2048); + + in = cDec.doFinal(out); + + if (!Arrays.areEqual(input, in)) + { + fail("RC4 failed without param"); + } + + for (int i = 0; i != pkcs12Tests.length; i++) + { + pkcs12Tests[i].perform(); + } + + for (int i = 0; i != openSSLTests.length; i++) + { + openSSLTests[i].perform(); + } + + testPBEHMac("PBEWithHMacSHA1", hMac1); + testPBEHMac("PBEWithHMacRIPEMD160", hMac2); + + testPBEonSecretKeyHmac("PBKDF2WithHmacSHA1", hMac3); + + testCipherNameWithWrap("PBEWITHSHA256AND128BITAES-CBC-BC", "AES/CBC/PKCS5Padding"); + testCipherNameWithWrap("PBEWITHSHAAND40BITRC4", "RC4"); + testCipherNameWithWrap("PBEWITHSHAAND128BITRC4", "RC4"); + + checkPBE("PBKDF2WithHmacSHA1", true, "f14687fc31a66e2f7cc01d0a65f687961bd27e20", "6f6579193d6433a3e4600b243bb390674f04a615"); + } + + private void checkPBE(String baseAlg, boolean defIsUTF8, String utf8, String eightBit) + throws Exception + { + byte[] utf8K = Hex.decode(utf8); + byte[] ascK = Hex.decode(eightBit); + + SecretKeyFactory f = SecretKeyFactory.getInstance(baseAlg, "BC"); + KeySpec ks1 = new PBEKeySpec("\u0141\u0142".toCharArray(), new byte[20], 4096, 160); + if (!Arrays.areEqual((defIsUTF8) ? utf8K : ascK, f.generateSecret(ks1).getEncoded())) + { + fail(baseAlg + " wrong PBKDF2 k1 key generated, got : " + new String(Hex.encode(f.generateSecret(ks1).getEncoded()))); + } + + KeySpec ks2 = new PBEKeySpec("\u0041\u0042".toCharArray(), new byte[20], 4096, 160); + if (!Arrays.areEqual(ascK, f.generateSecret(ks2).getEncoded())) + { + fail(baseAlg + " wrong PBKDF2 k2 key generated"); + } + f = SecretKeyFactory.getInstance(baseAlg + "AndUTF8", "BC"); + ks1 = new PBEKeySpec("\u0141\u0142".toCharArray(), new byte[20], 4096, 160); + if (!Arrays.areEqual(utf8K, f.generateSecret(ks1).getEncoded())) + { + fail(baseAlg + " wrong PBKDF2 k1 utf8 key generated"); + } + + ks2 = new PBEKeySpec("\u0041\u0042".toCharArray(), new byte[20], 4096, 160); + if (!Arrays.areEqual(ascK, f.generateSecret(ks2).getEncoded())) + { + fail(baseAlg + " wrong PBKDF2 k2 utf8 key generated"); + } + f = SecretKeyFactory.getInstance(baseAlg + "And8BIT", "BC"); + ks1 = new PBEKeySpec("\u0141\u0142".toCharArray(), new byte[20], 4096, 160); + if (!Arrays.areEqual(ascK, f.generateSecret(ks1).getEncoded())) + { + fail(baseAlg + " wrong PBKDF2 k1 8bit key generated"); + } + + ks2 = new PBEKeySpec("\u0041\u0042".toCharArray(), new byte[20], 4096, 160); + if (!Arrays.areEqual(ascK, f.generateSecret(ks2).getEncoded())) + { + fail(baseAlg + " wrong PBKDF2 k2 8bit key generated"); + } + } + + public String getName() + { + return "PBETest"; + } + + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new PBETest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PEMData.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PEMData.java new file mode 100644 index 00000000..e78d4c83 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PEMData.java @@ -0,0 +1,114 @@ +package org.bouncycastle.jce.provider.test; + +public class PEMData +{ + public static String CERTIFICATE_1 = + "-----BEGIN X509 CERTIFICATE-----\r" + + "MIIDXjCCAsegAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBtzELMAkGA1UEBhMCQVUx\r" + + "ETAPBgNVBAgTCFZpY3RvcmlhMRgwFgYDVQQHEw9Tb3V0aCBNZWxib3VybmUxGjAY\r" + + "BgNVBAoTEUNvbm5lY3QgNCBQdHkgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB\r" + + "dXRob3JpdHkxFTATBgNVBAMTDENvbm5lY3QgNCBDQTEoMCYGCSqGSIb3DQEJARYZ\r" + + "d2VibWFzdGVyQGNvbm5lY3Q0LmNvbS5hdTAeFw0wMDA2MDIwNzU2MjFaFw0wMTA2\r" + + "MDIwNzU2MjFaMIG4MQswCQYDVQQGEwJBVTERMA8GA1UECBMIVmljdG9yaWExGDAW\r" + + "BgNVBAcTD1NvdXRoIE1lbGJvdXJuZTEaMBgGA1UEChMRQ29ubmVjdCA0IFB0eSBM\r" + + "dGQxFzAVBgNVBAsTDldlYnNlcnZlciBUZWFtMR0wGwYDVQQDExR3d3cyLmNvbm5l\r" + + "Y3Q0LmNvbS5hdTEoMCYGCSqGSIb3DQEJARYZd2VibWFzdGVyQGNvbm5lY3Q0LmNv\r" + + "bS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArvDxclKAhyv7Q/Wmr2re\r" + + "Gw4XL9Cnh9e+6VgWy2AWNy/MVeXdlxzd7QAuc1eOWQkGQEiLPy5XQtTY+sBUJ3AO\r" + + "Rvd2fEVJIcjf29ey7bYua9J/vz5MG2KYo9/WCHIwqD9mmG9g0xLcfwq/s8ZJBswE\r" + + "7sb85VU+h94PTvsWOsWuKaECAwEAAaN3MHUwJAYDVR0RBB0wG4EZd2VibWFzdGVy\r" + + "QGNvbm5lY3Q0LmNvbS5hdTA6BglghkgBhvhCAQ0ELRYrbW9kX3NzbCBnZW5lcmF0\r" + + "ZWQgY3VzdG9tIHNlcnZlciBjZXJ0aWZpY2F0ZTARBglghkgBhvhCAQEEBAMCBkAw\r" + + "DQYJKoZIhvcNAQEEBQADgYEAotccfKpwSsIxM1Hae8DR7M/Rw8dg/RqOWx45HNVL\r" + + "iBS4/3N/TO195yeQKbfmzbAA2jbPVvIvGgTxPgO1MP4ZgvgRhasaa0qCJCkWvpM4\r" + + "yQf33vOiYQbpv4rTwzU8AmRlBG45WdjyNIigGV+oRc61aKCTnLq7zB8N3z1TF/bF\r" + + "5/8=\r" + + "-----END X509 CERTIFICATE-----\r"; + + public static String CERTIFICATE_2 = + "-----BEGIN CERTIFICATE-----\n" + + "MIIDXjCCAsegAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBtzELMAkGA1UEBhMCQVUx\n" + + "ETAPBgNVBAgTCFZpY3RvcmlhMRgwFgYDVQQHEw9Tb3V0aCBNZWxib3VybmUxGjAY\n" + + "BgNVBAoTEUNvbm5lY3QgNCBQdHkgTHRkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB\n" + + "dXRob3JpdHkxFTATBgNVBAMTDENvbm5lY3QgNCBDQTEoMCYGCSqGSIb3DQEJARYZ\n" + + "d2VibWFzdGVyQGNvbm5lY3Q0LmNvbS5hdTAeFw0wMDA2MDIwNzU2MjFaFw0wMTA2\n" + + "MDIwNzU2MjFaMIG4MQswCQYDVQQGEwJBVTERMA8GA1UECBMIVmljdG9yaWExGDAW\n" + + "BgNVBAcTD1NvdXRoIE1lbGJvdXJuZTEaMBgGA1UEChMRQ29ubmVjdCA0IFB0eSBM\n" + + "dGQxFzAVBgNVBAsTDldlYnNlcnZlciBUZWFtMR0wGwYDVQQDExR3d3cyLmNvbm5l\n" + + "Y3Q0LmNvbS5hdTEoMCYGCSqGSIb3DQEJARYZd2VibWFzdGVyQGNvbm5lY3Q0LmNv\n" + + "bS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArvDxclKAhyv7Q/Wmr2re\n" + + "Gw4XL9Cnh9e+6VgWy2AWNy/MVeXdlxzd7QAuc1eOWQkGQEiLPy5XQtTY+sBUJ3AO\n" + + "Rvd2fEVJIcjf29ey7bYua9J/vz5MG2KYo9/WCHIwqD9mmG9g0xLcfwq/s8ZJBswE\n" + + "7sb85VU+h94PTvsWOsWuKaECAwEAAaN3MHUwJAYDVR0RBB0wG4EZd2VibWFzdGVy\n" + + "QGNvbm5lY3Q0LmNvbS5hdTA6BglghkgBhvhCAQ0ELRYrbW9kX3NzbCBnZW5lcmF0\n" + + "ZWQgY3VzdG9tIHNlcnZlciBjZXJ0aWZpY2F0ZTARBglghkgBhvhCAQEEBAMCBkAw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAotccfKpwSsIxM1Hae8DR7M/Rw8dg/RqOWx45HNVL\n" + + "iBS4/3N/TO195yeQKbfmzbAA2jbPVvIvGgTxPgO1MP4ZgvgRhasaa0qCJCkWvpM4\n" + + "yQf33vOiYQbpv4rTwzU8AmRlBG45WdjyNIigGV+oRc61aKCTnLq7zB8N3z1TF/bF\n" + + "5/8=\n" + + "-----END CERTIFICATE-----\n"; + + public static String CRL_1 = + "-----BEGIN X509 CRL-----\r\n" + + "MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT\r\n" + + "F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy\r\n" + + "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw\r\n" + + "MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw\r\n" + + "MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw\r\n" + + "MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw\r\n" + + "MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw\r\n" + + "MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw\r\n" + + "MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw\r\n" + + "NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw\r\n" + + "NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF\r\n" + + "AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ\r\n" + + "wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt\r\n" + + "JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v\r\n" + + "-----END X509 CRL-----\r\n"; + + public static String CRL_2 = + "-----BEGIN CRL-----\r\n" + + "MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT\r\n" + + "F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy\r\n" + + "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw\r\n" + + "MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw\r\n" + + "MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw\r\n" + + "MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw\r\n" + + "MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw\r\n" + + "MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw\r\n" + + "MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw\r\n" + + "NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw\r\n" + + "NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF\r\n" + + "AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ\r\n" + + "wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt\r\n" + + "JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v\r\n" + + "-----END CRL-----\r\n"; + + static String ATTRIBUTE_CERTIFICATE_1 = + "-----BEGIN X509 ATTRIBUTE CERTIFICATE-----\r\n" + + "MIIBuDCCASECAQEwZ6BlMGCkXjBcMQswCQYDVQQGEwJBVTEoMCYGA1UEChMfVGhl\r\n" + + "IExlZ2lvbiBvZiB0aGUgQm91bmN5IENhc3RsZTEjMCEGA1UECxMaQm91bmN5IFBy\r\n" + + "aW1hcnkgQ2VydGlmaWNhdGUCARSgYjBgpF4wXDELMAkGA1UEBhMCQVUxKDAmBgNV\r\n" + + "BAoTH1RoZSBMZWdpb24gb2YgdGhlIEJvdW5jeSBDYXN0bGUxIzAhBgNVBAsTGkJv\r\n" + + "dW5jeSBQcmltYXJ5IENlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAAgEBMCIYDzIw\r\n" + + "MDUwNjEwMDI0MTMzWhgPMjAwNTA2MTAwMjQzMTNaMBkwFwYDVRhIMRAwDoEMREFV\r\n" + + "MTIzNDU2Nzg5MA0GCSqGSIb3DQEBBQUAA4GBALAYXT9zdxSR5zdPLAon1xIPehgI\r\n" + + "NZhjM7w0uu3OdzSV5sC31X1Kx9vi5RIWiM9VimRTwbQIod9POttD5QMXCwQb/fm7\r\n" + + "eiJqL2YBIXOeClB19VrQe8xQtMFbyuFpDiM7QdvIam9ShZZMEMGjv9QHI64M4b0G\r\n" + + "odUBlSsJwPPQjZSU\r\n" + + "-----END X509 ATTRIBUTE CERTIFICATE-----\r\n"; + + static String ATTRIBUTE_CERTIFICATE_2 = + "-----BEGIN ATTRIBUTE CERTIFICATE-----\r\n" + + "MIIBuDCCASECAQEwZ6BlMGCkXjBcMQswCQYDVQQGEwJBVTEoMCYGA1UEChMfVGhl\r\n" + + "IExlZ2lvbiBvZiB0aGUgQm91bmN5IENhc3RsZTEjMCEGA1UECxMaQm91bmN5IFBy\r\n" + + "aW1hcnkgQ2VydGlmaWNhdGUCARSgYjBgpF4wXDELMAkGA1UEBhMCQVUxKDAmBgNV\r\n" + + "BAoTH1RoZSBMZWdpb24gb2YgdGhlIEJvdW5jeSBDYXN0bGUxIzAhBgNVBAsTGkJv\r\n" + + "dW5jeSBQcmltYXJ5IENlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAAgEBMCIYDzIw\r\n" + + "MDUwNjEwMDI0MTMzWhgPMjAwNTA2MTAwMjQzMTNaMBkwFwYDVRhIMRAwDoEMREFV\r\n" + + "MTIzNDU2Nzg5MA0GCSqGSIb3DQEBBQUAA4GBALAYXT9zdxSR5zdPLAon1xIPehgI\r\n" + + "NZhjM7w0uu3OdzSV5sC31X1Kx9vi5RIWiM9VimRTwbQIod9POttD5QMXCwQb/fm7\r\n" + + "eiJqL2YBIXOeClB19VrQe8xQtMFbyuFpDiM7QdvIam9ShZZMEMGjv9QHI64M4b0G\r\n" + + "odUBlSsJwPPQjZSU\r\n" + + "-----END ATTRIBUTE CERTIFICATE-----\r\n"; +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKCS10CertRequestTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKCS10CertRequestTest.java new file mode 100644 index 00000000..35139c57 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKCS10CertRequestTest.java @@ -0,0 +1,543 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.util.Hashtable; +import java.util.Vector; + +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.DERSet; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.Attribute; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.KeyUsage; +import org.bouncycastle.asn1.x509.SubjectKeyIdentifier; +import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.asn1.x509.X509Name; +import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.jce.ECGOST3410NamedCurveTable; +import org.bouncycastle.jce.ECNamedCurveTable; +import org.bouncycastle.jce.PKCS10CertificationRequest; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.interfaces.ECPointEncoder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPrivateKeySpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure; + +/** + **/ +public class PKCS10CertRequestTest + extends SimpleTest +{ + private byte[] gost3410EC_A = Base64.decode( + "MIIBOzCB6wIBADB/MQ0wCwYDVQQDEwR0ZXN0MRUwEwYDVQQKEwxEZW1vcyBDbyBMdGQxHjAcBgNV" + +"BAsTFUNyeXB0b2dyYXBoeSBkaXZpc2lvbjEPMA0GA1UEBxMGTW9zY293MQswCQYDVQQGEwJydTEZ" + +"MBcGCSqGSIb3DQEJARYKc2RiQGRvbC5ydTBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4B" + +"A0MABEBYx0P2D7YuuZo5HgdIAUKAXcLBDZ+4LYFgbKjrfStVfH59lc40BQ2FZ7M703hLpXK8GiBQ" + +"GEYpKaAuQZnMIpByoAAwCAYGKoUDAgIDA0EAgXMcTrhdOY2Er2tHOSAgnMezqrYxocZTWhxmW5Rl" + +"JY6lbXH5rndCn4swFzXU+YhgAsJv1wQBaoZEWRl5WV4/nA=="); + + private byte[] gost3410EC_B = Base64.decode( + "MIIBPTCB7QIBADCBgDENMAsGA1UEAxMEdGVzdDEWMBQGA1UEChMNRGVtb3MgQ28gTHRkLjEeMBwG" + +"A1UECxMVQ3J5cHRvZ3JhcGh5IGRpdmlzaW9uMQ8wDQYDVQQHEwZNb3Njb3cxCzAJBgNVBAYTAnJ1" + +"MRkwFwYJKoZIhvcNAQkBFgpzZGJAZG9sLnJ1MGMwHAYGKoUDAgITMBIGByqFAwICIwIGByqFAwIC" + +"HgEDQwAEQI5SLoWT7dZVilbV9j5B/fyIDuDs6x4pjqNC2TtFYbpRHrk/Wc5g/mcHvD80tsm5o1C7" + +"7cizNzkvAVUM4VT4Dz6gADAIBgYqhQMCAgMDQQAoT5TwJ8o+bSrxckymyo3diwG7ZbSytX4sRiKy" + +"wXPWRS9LlBvPO2NqwpS2HUnxSU8rzfL9fJcybATf7Yt1OEVq"); + + private byte[] gost3410EC_C = Base64.decode( + "MIIBRDCB9AIBADCBhzEVMBMGA1UEAxMMdGVzdCByZXF1ZXN0MRUwEwYDVQQKEwxEZW1vcyBDbyBM" + +"dGQxHjAcBgNVBAsTFUNyeXB0b2dyYXBoeSBkaXZpc2lvbjEPMA0GA1UEBxMGTW9zY293MQswCQYD" + +"VQQGEwJydTEZMBcGCSqGSIb3DQEJARYKc2RiQGRvbC5ydTBjMBwGBiqFAwICEzASBgcqhQMCAiMD" + +"BgcqhQMCAh4BA0MABEBcmGh7OmR4iqqj+ycYo1S1fS7r5PhisSQU2Ezuz8wmmmR2zeTZkdMYCOBa" + +"UTMNms0msW3wuYDho7nTDNscHTB5oAAwCAYGKoUDAgIDA0EAVoOMbfyo1Un4Ss7WQrUjHJoiaYW8" + +"Ime5LeGGU2iW3ieAv6es/FdMrwTKkqn5dhd3aL/itFg5oQbhyfXw5yw/QQ=="); + + private byte[] gost3410EC_ExA = Base64.decode( + "MIIBOzCB6wIBADB/MQ0wCwYDVQQDEwR0ZXN0MRUwEwYDVQQKEwxEZW1vcyBDbyBMdGQxHjAcBgNV" + + "BAsTFUNyeXB0b2dyYXBoeSBkaXZpc2lvbjEPMA0GA1UEBxMGTW9zY293MQswCQYDVQQGEwJydTEZ" + + "MBcGCSqGSIb3DQEJARYKc2RiQGRvbC5ydTBjMBwGBiqFAwICEzASBgcqhQMCAiQABgcqhQMCAh4B" + + "A0MABEDkqNT/3f8NHj6EUiWnK4JbVZBh31bEpkwq9z3jf0u8ZndG56Vt+K1ZB6EpFxLT7hSIos0w" + + "weZ2YuTZ4w43OgodoAAwCAYGKoUDAgIDA0EASk/IUXWxoi6NtcUGVF23VRV1L3undB4sRZLp4Vho" + + "gQ7m3CMbZFfJ2cPu6QyarseXGYHmazoirH5lGjEo535c1g=="); + + private byte[] gost3410EC_ExB = Base64.decode( + "MIIBPTCB7QIBADCBgDENMAsGA1UEAxMEdGVzdDEWMBQGA1UEChMNRGVtb3MgQ28gTHRkLjEeMBwG" + + "A1UECxMVQ3J5cHRvZ3JhcGh5IGRpdmlzaW9uMQ8wDQYDVQQHEwZNb3Njb3cxCzAJBgNVBAYTAnJ1" + + "MRkwFwYJKoZIhvcNAQkBFgpzZGJAZG9sLnJ1MGMwHAYGKoUDAgITMBIGByqFAwICJAEGByqFAwIC" + + "HgEDQwAEQMBWYUKPy/1Kxad9ChAmgoSWSYOQxRnXo7KEGLU5RNSXA4qMUvArWzvhav+EYUfTbWLh" + + "09nELDyHt2XQcvgQHnSgADAIBgYqhQMCAgMDQQAdaNhgH/ElHp64mbMaEo1tPCg9Q22McxpH8rCz" + + "E0QBpF4H5mSSQVGI5OAXHToetnNuh7gHHSynyCupYDEHTbkZ"); + + public String getName() + { + return "PKCS10CertRequest"; + } + + private void generationTest(int keySize, String keyName, String sigName, String provider) + throws Exception + { + KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyName, "BC"); + + kpg.initialize(keySize); + + KeyPair kp = kpg.genKeyPair(); + + Hashtable attrs = new Hashtable(); + + attrs.put(X509Principal.C, "AU"); + attrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + attrs.put(X509Principal.L, "Melbourne"); + attrs.put(X509Principal.ST, "Victoria"); + attrs.put(X509Principal.EmailAddress, "feedback-crypto@bouncycastle.org"); + + Vector order = new Vector(); + + order.addElement(X509Principal.C); + order.addElement(X509Principal.O); + order.addElement(X509Principal.L); + order.addElement(X509Principal.ST); + order.addElement(X509Principal.EmailAddress); + + X509Name subject = new X509Name(order, attrs); + + PKCS10CertificationRequest req1 = new PKCS10CertificationRequest( + sigName, + subject, + kp.getPublic(), + null, + kp.getPrivate(), provider); + + byte[] bytes = req1.getEncoded(); + + PKCS10CertificationRequest req2 = new PKCS10CertificationRequest(bytes); + + if (!req2.verify(provider)) + { + fail(sigName + ": Failed verify check."); + } + + if (!req2.getPublicKey(provider).equals(req1.getPublicKey(provider))) + { + fail(keyName + ": Failed public key check."); + } + } + + /* + * we generate a self signed certificate for the sake of testing - SHA224withECDSA + */ + private void createECRequest(String algorithm, DERObjectIdentifier algOid, DERObjectIdentifier curveOid) + throws Exception + { + ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec(curveOid.getId()); + KeyPairGenerator ecGen = KeyPairGenerator.getInstance("ECDSA", "BC"); + + ecGen.initialize(spec); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyPair pair = ecGen.generateKeyPair(); + + privKey = pair.getPrivate(); + pubKey = pair.getPublic(); + + PKCS10CertificationRequest req = new PKCS10CertificationRequest( + algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); + if (!req.verify()) + { + fail("Failed verify check EC."); + } + + req = new PKCS10CertificationRequest(req.getEncoded()); + if (!req.verify()) + { + fail("Failed verify check EC encoded."); + } + + // + // try with point compression turned off + // + ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED"); + + req = new PKCS10CertificationRequest( + algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); + if (!req.verify()) + { + fail("Failed verify check EC uncompressed."); + } + + req = new PKCS10CertificationRequest(req.getEncoded()); + if (!req.verify()) + { + fail("Failed verify check EC uncompressed encoded."); + } + + if (!req.getSignatureAlgorithm().getObjectId().equals(algOid)) + { + fail("ECDSA oid incorrect."); + } + + if (req.getSignatureAlgorithm().getParameters() != null) + { + fail("ECDSA parameters incorrect."); + } + + Signature sig = Signature.getInstance(algorithm, "BC"); + + sig.initVerify(pubKey); + + sig.update(req.getCertificationRequestInfo().getEncoded()); + + if (!sig.verify(req.getSignature().getBytes())) + { + fail("signature not mapped correctly."); + } + } + + private void createECRequest(String algorithm, DERObjectIdentifier algOid) + throws Exception + { + ECCurve.Fp curve = new ECCurve.Fp( + new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151"), // q (or p) + new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 16), // a + new BigInteger("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)); // b + + ECParameterSpec spec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("0200C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")), // G + new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)); // n + + ECPrivateKeySpec privKeySpec = new ECPrivateKeySpec( + new BigInteger("5769183828869504557786041598510887460263120754767955773309066354712783118202294874205844512909370791582896372147797293913785865682804434049019366394746072023"), // d + spec); + + ECPublicKeySpec pubKeySpec = new ECPublicKeySpec( + curve.decodePoint(Hex.decode("02006BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q + spec); + + // + // set up the keys + // + PrivateKey privKey; + PublicKey pubKey; + + KeyFactory fact = KeyFactory.getInstance("ECDSA", "BC"); + + privKey = fact.generatePrivate(privKeySpec); + pubKey = fact.generatePublic(pubKeySpec); + + PKCS10CertificationRequest req = new PKCS10CertificationRequest( + algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); + if (!req.verify()) + { + fail("Failed verify check EC."); + } + + req = new PKCS10CertificationRequest(req.getEncoded()); + if (!req.verify()) + { + fail("Failed verify check EC encoded."); + } + + // + // try with point compression turned off + // + ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED"); + + req = new PKCS10CertificationRequest( + algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); + if (!req.verify()) + { + fail("Failed verify check EC uncompressed."); + } + + req = new PKCS10CertificationRequest(req.getEncoded()); + if (!req.verify()) + { + fail("Failed verify check EC uncompressed encoded."); + } + + if (!req.getSignatureAlgorithm().getObjectId().equals(algOid)) + { + fail("ECDSA oid incorrect."); + } + + if (req.getSignatureAlgorithm().getParameters() != null) + { + fail("ECDSA parameters incorrect."); + } + + Signature sig = Signature.getInstance(algorithm, "BC"); + + sig.initVerify(pubKey); + + sig.update(req.getCertificationRequestInfo().getEncoded()); + + if (!sig.verify(req.getSignature().getBytes())) + { + fail("signature not mapped correctly."); + } + } + + private void createECGOSTRequest() + throws Exception + { + String algorithm = "GOST3411withECGOST3410"; + KeyPairGenerator ecGostKpg = KeyPairGenerator.getInstance("ECGOST3410", "BC"); + + ecGostKpg.initialize(ECGOST3410NamedCurveTable.getParameterSpec("GostR3410-2001-CryptoPro-A"), new SecureRandom()); + + // + // set up the keys + // + KeyPair pair = ecGostKpg.generateKeyPair(); + PrivateKey privKey = pair.getPrivate(); + PublicKey pubKey = pair.getPublic(); + + PKCS10CertificationRequest req = new PKCS10CertificationRequest( + algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); + if (!req.verify()) + { + fail("Failed verify check EC."); + } + + req = new PKCS10CertificationRequest(req.getEncoded()); + if (!req.verify()) + { + fail("Failed verify check EC encoded."); + } + + if (!req.getSignatureAlgorithm().getObjectId().equals(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001)) + { + fail("ECGOST oid incorrect."); + } + + if (req.getSignatureAlgorithm().getParameters() != null) + { + fail("ECGOST parameters incorrect."); + } + + Signature sig = Signature.getInstance(algorithm, "BC"); + + sig.initVerify(pubKey); + + sig.update(req.getCertificationRequestInfo().getEncoded()); + + if (!sig.verify(req.getSignature().getBytes())) + { + fail("signature not mapped correctly."); + } + } + + private void createPSSTest(String algorithm) + throws Exception + { + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), + new BigInteger("010001",16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), + new BigInteger("010001",16), + new BigInteger("33a5042a90b27d4f5451ca9bbbd0b44771a101af884340aef9885f2a4bbe92e894a724ac3c568c8f97853ad07c0266c8c6a3ca0929f1e8f11231884429fc4d9ae55fee896a10ce707c3ed7e734e44727a39574501a532683109c2abacaba283c31b4bd2f53c3ee37e352cee34f9e503bd80c0622ad79c6dcee883547c6a3b325",16), + new BigInteger("e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443",16), + new BigInteger("b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd",16), + new BigInteger("28fa13938655be1f8a159cbaca5a72ea190c30089e19cd274a556f36c4f6e19f554b34c077790427bbdd8dd3ede2448328f385d81b30e8e43b2fffa027861979",16), + new BigInteger("1a8b38f398fa712049898d7fb79ee0a77668791299cdfa09efc0e507acb21ed74301ef5bfd48be455eaeb6e1678255827580a8e4e8e14151d1510a82a3f2e729",16), + new BigInteger("27156aba4126d24a81f3a528cbfb27f56886f840a9f6e86e17a44b94fe9319584b8e22fdde1e5a2e3bd8aa5ba8d8584194eb2190acf832b847f13a3d24a79f4d",16)); + + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + + PrivateKey privKey = fact.generatePrivate(privKeySpec); + PublicKey pubKey = fact.generatePublic(pubKeySpec); + + PKCS10CertificationRequest req = new PKCS10CertificationRequest( + algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); + if (!req.verify()) + { + fail("Failed verify check PSS."); + } + + req = new PKCS10CertificationRequest(req.getEncoded()); + if (!req.verify()) + { + fail("Failed verify check PSS encoded."); + } + + if (!req.getSignatureAlgorithm().getObjectId().equals(PKCSObjectIdentifiers.id_RSASSA_PSS)) + { + fail("PSS oid incorrect."); + } + + if (req.getSignatureAlgorithm().getParameters() == null) + { + fail("PSS parameters incorrect."); + } + + Signature sig = Signature.getInstance(algorithm, "BC"); + + sig.initVerify(pubKey); + + sig.update(req.getCertificationRequestInfo().getEncoded()); + + if (!sig.verify(req.getSignature().getBytes())) + { + fail("signature not mapped correctly."); + } + } + + // previous code found to cause a NullPointerException + private void nullPointerTest() + throws Exception + { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC"); + keyGen.initialize(1024, new SecureRandom()); + KeyPair pair = keyGen.generateKeyPair(); + + Vector oids = new Vector(); + Vector values = new Vector(); + oids.add(X509Extensions.BasicConstraints); + values.add(new X509Extension(true, new DEROctetString(new BasicConstraints(true)))); + oids.add(X509Extensions.KeyUsage); + values.add(new X509Extension(true, new DEROctetString( + new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)))); + SubjectKeyIdentifier subjectKeyIdentifier = new SubjectKeyIdentifierStructure(pair.getPublic()); + X509Extension ski = new X509Extension(false, new DEROctetString(subjectKeyIdentifier)); + oids.add(X509Extensions.SubjectKeyIdentifier); + values.add(ski); + + Attribute attribute = new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, + new DERSet(new X509Extensions(oids, values))); + + PKCS10CertificationRequest p1 = new PKCS10CertificationRequest( + "SHA1WithRSA", new X509Principal("cn=csr"), + pair.getPublic(), new DERSet(attribute), pair.getPrivate(), "BC"); + PKCS10CertificationRequest p2 = new PKCS10CertificationRequest( + "SHA1WithRSA", new X509Principal("cn=csr"), + pair.getPublic(), new DERSet(attribute), pair.getPrivate(), "BC"); + + if (!p1.equals(p2)) + { + fail("cert request comparison failed"); + } + } + + public void performTest() + throws Exception + { + generationTest(512, "RSA", "SHA1withRSA", "BC"); + generationTest(512, "GOST3410", "GOST3411withGOST3410", "BC"); + + if (Security.getProvider("SunRsaSign") != null) + { + generationTest(512, "RSA", "SHA1withRSA", "SunRsaSign"); + } + + // elliptic curve GOST A parameter set + PKCS10CertificationRequest req = new PKCS10CertificationRequest(gost3410EC_A); + if (!req.verify()) + { + fail("Failed verify check gost3410EC_A."); + } + + // elliptic curve GOST B parameter set + req = new PKCS10CertificationRequest(gost3410EC_B); + if (!req.verify()) + { + fail("Failed verify check gost3410EC_B."); + } + + // elliptic curve GOST C parameter set + req = new PKCS10CertificationRequest(gost3410EC_C); + if (!req.verify()) + { + fail("Failed verify check gost3410EC_C."); + } + + // elliptic curve GOST ExA parameter set + req = new PKCS10CertificationRequest(gost3410EC_ExA); + if (!req.verify()) + { + fail("Failed verify check gost3410EC_ExA."); + } + + // elliptic curve GOST ExB parameter set + req = new PKCS10CertificationRequest(gost3410EC_ExB); + if (!req.verify()) + { + fail("Failed verify check gost3410EC_ExA."); + } + + // elliptic curve openSSL + KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC"); + + ECCurve curve = new ECCurve.Fp( + new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q + new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b + + ECParameterSpec ecSpec = new ECParameterSpec( + curve, + curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G + new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n + + g.initialize(ecSpec, new SecureRandom()); + + KeyPair kp = g.generateKeyPair(); + + req = new PKCS10CertificationRequest( + "ECDSAWITHSHA1", new X509Name("CN=XXX"), kp.getPublic(), null, kp.getPrivate()); + if (!req.verify()) + { + fail("Failed verify check EC."); + } + + createECRequest("SHA1withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA1); + createECRequest("SHA224withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA224); + createECRequest("SHA256withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256); + createECRequest("SHA384withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384); + createECRequest("SHA512withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512); + + createECRequest("SHA1withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA1, new DERObjectIdentifier("1.3.132.0.34")); + + createECGOSTRequest(); + + createPSSTest("SHA1withRSAandMGF1"); + createPSSTest("SHA224withRSAandMGF1"); + createPSSTest("SHA256withRSAandMGF1"); + createPSSTest("SHA384withRSAandMGF1"); + + nullPointerTest(); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new PKCS10CertRequestTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKCS12StoreTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKCS12StoreTest.java new file mode 100644 index 00000000..c35c5b88 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKCS12StoreTest.java @@ -0,0 +1,1123 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.math.BigInteger; +import java.security.Key; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.security.interfaces.RSAPrivateKey; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.util.Date; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Vector; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1StreamParser; +import org.bouncycastle.asn1.DERBMPString; +import org.bouncycastle.asn1.DERSequenceParser; +import org.bouncycastle.asn1.pkcs.ContentInfo; +import org.bouncycastle.asn1.pkcs.EncryptedData; +import org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.Pfx; +import org.bouncycastle.asn1.pkcs.SafeBag; +import org.bouncycastle.jcajce.provider.config.PKCS12StoreParameter; +import org.bouncycastle.jce.PKCS12Util; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.provider.JDKPKCS12StoreParameter; +import org.bouncycastle.jce.provider.X509CertificateObject; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509V3CertificateGenerator; + +/** + * Exercise the various key stores, making sure we at least get back what we put in! + * <p> + * This tests both the PKCS12 key store. + */ +public class PKCS12StoreTest + extends SimpleTest +{ + static char[] passwd = { 'h', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd' }; + + // + // pkcs-12 pfx-pdu + // + byte[] pkcs12 = Base64.decode( + "MIACAQMwgAYJKoZIhvcNAQcBoIAkgAQBMAQBgAQBMAQBgAQBBgQBCQQJKoZI" + + "hvcNAQcBBAGgBAGABAEkBAGABAEEBAEBBAEwBAEEBAEDBAOCAzQEAQQEAQEE" + + "ATAEAQQEAQMEA4IDMAQBBAQBAQQBBgQBBAQBAQQBCwQBBAQBCwQLKoZIhvcN" + + "AQwKAQIEAQQEAQEEAaAEAQQEAQMEA4ICpQQBBAQBAQQBMAQBBAQBAwQDggKh" + + "BAEEBAEBBAEwBAEEBAEBBAEbBAEEBAEBBAEGBAEEBAEBBAEKBAEEBAEKBAoq" + + "hkiG9w0BDAEDBAEEBAEPBA8wDQQIoagiwNZPJR4CAQEEAQQEAQEEAQQEAQQE" + + "AQMEA4ICgAQBBAQDggKABIICgEPG0XlhMFyrs4ZWDrvEzl51ICfXd6K2ql2l" + + "nnxhszUbigtSj6x49VEx4PfOB9fQFeidc5L5An+nKp646NBMIY0UwXGs8BLQ" + + "au59jtOs987+l7QYIvl6fdGUIuLPhVSnZZDyqD+HQjU/0/ccKFHRif4tlEQq" + + "aErvZbFeH0pg4ijf1HfgX6gBJGRKdO+msa4qKGnZdHCSLZehyyxvxAmURetg" + + "yhtEl7RmedTB+4TDs7atekqxkNlD9tfwDUX6sb0IH6qbEA6P/DlVMdaD54Cl" + + "QDxRzOfIIjklZhv5OMFWtPK0aYPcqyxzLpw1qRAyoTVXpidkj/hpIpgCVBP/" + + "k5s2+WdGbLgA/4/zSrF6feRCE5llzM2IGxiHVq4oPzzngl3R+Fi5VCPDMcuW" + + "NRuIOzJA+RNV2NPOE/P3knThDnwiImq+rfxmvZ1u6T06s20RmWK6cxp7fTEw" + + "lQ9BOsv+mmyV8dr6cYJq4IlRzHdFOyEUBDwfHThyribNKKobO50xh2f93xYj" + + "Rn5UMOQBJIe3b7OKZt5HOIMrJSZO02IZgvImi9yQWi96PnWa419D1cAsLWvM" + + "xiN0HqZMbDFfxVM2BZmsxiexLhkHWKwLqfQDzRjJfmVww8fnXpWZhFXKyut9" + + "gMGEyCNoba4RU3QI/wHKWYaK74qtJpsucuLWBH6UcsHsCry6VZkwRxWwC0lb" + + "/F3Bm5UKHax5n9JHJ2amQm9zW3WJ0S5stpPObfmg5ArhbPY+pVOsTqBRlop1" + + "bYJLD/X8Qbs468Bwzej0FhoEU59ZxFrbjLSBsMUYrVrwD83JE9kEazMLVchc" + + "uCB9WT1g0hxYb7VA0BhOrWhL8F5ZH72RMCYLPI0EAQQEAQEEATEEAQQEAQEE" + + "AXgEAQQEAQEEATAEAQQEAQEEAVEEAQQEAQEEAQYEAQQEAQEEAQkEAQQEAQkE" + + "CSqGSIb3DQEJFAQBBAQBAQQBMQQBBAQBAQQBRAQBBAQBAQQBHgQBBAQBAQQB" + + "QgQBBAQBQgRCAEQAYQB2AGkAZAAgAEcALgAgAEgAbwBvAGsAJwBzACAAVgBl" + + "AHIAaQBTAGkAZwBuACwAIABJAG4AYwAuACAASQBEBAEEBAEBBAEwBAEEBAEB" + + "BAEjBAEEBAEBBAEGBAEEBAEBBAEJBAEEBAEJBAkqhkiG9w0BCRUEAQQEAQEE" + + "ATEEAQQEAQEEARYEAQQEAQEEAQQEAQQEAQEEARQEAQQEARQEFKEcMJ798oZL" + + "FkH0OnpbUBnrTLgWBAIAAAQCAAAEAgAABAEwBAGABAEGBAEJBAkqhkiG9w0B" + + "BwYEAaAEAYAEATAEAYAEAQIEAQEEAQAEATAEAYAEAQYEAQkECSqGSIb3DQEH" + + "AQQBMAQBGwQBBgQBCgQKKoZIhvcNAQwBBgQPMA0ECEE7euvmxxwYAgEBBAGg" + + "BAGABAEEBAEIBAgQIWDGlBWxnwQBBAQBCAQI2WsMhavhSCcEAQQEAQgECPol" + + "uHJy9bm/BAEEBAEQBBCiRxtllKXkJS2anKD2q3FHBAEEBAEIBAjKy6BRFysf" + + "7gQBBAQDggMwBIIDMJWRGu2ZLZild3oz7UBdpBDUVMOA6eSoWiRIfVTo4++l" + + "RUBm8TpmmGrVkV32PEoLkoV+reqlyWCvqqSjRzi3epQiVwPQ6PV+ccLqxDhV" + + "pGWDRQ5UttDBC2+u4fUQVZi2Z1i1g2tsk6SzB3MKUCrjoWKvaDUUwXo5k9Vz" + + "qSLWCLTZCjs3RaY+jg3NbLZYtfMDdYovhCU2jMYV9adJ8MxxmJRz+zPWAJph" + + "LH8hhfkKG+wJOSszqk9BqGZUa/mnZyzeQSMTEFga1ZB/kt2e8SZFWrTZEBgJ" + + "oszsL5MObbwMDowNurnZsnS+Mf7xi01LeG0VT1fjd6rn9BzVwuMwhoqyoCNo" + + "ziUqSUyLEwnGTYYpvXLxzhNiYzW8546KdoEKDkEjhfYsc4XqSjm9NYy/BW/M" + + "qR+aL92j8hqnkrWkrWyvocUe3mWaiqt7/oOzNZiMTcV2dgjjh9HfnjSHjFGe" + + "CVhnEWzV7dQIVyc/qvNzOuND8X5IyJ28xb6a/i1vScwGuo/UDgPAaMjGw28f" + + "siOZBShzde0Kj82y8NilfYLHHeIGRW+N/grUFWhW25mAcBReXDd5JwOqM/eF" + + "y+4+zBzlO84ws88T1pkSifwtMldglN0APwr4hvUH0swfiqQOWtwyeM4t+bHd" + + "5buAlXOkSeF5rrLzZ2/Lx+JJmI2pJ/CQx3ej3bxPlx/BmarUGAxaI4le5go4" + + "KNfs4GV8U+dbEHQz+yDYL+ksYNs1eb+DjI2khbl28jhoeAFKBtu2gGOL5M9M" + + "CIP/JDOCHimu1YZRuOTAf6WISnG/0Ri3pYZsgQ0i4cXj+WfYwYVjhKX5AcDj" + + "UKnc4/Cxp+TbbgZqEKRcYVb2q0kOAxkeaNo3WCm+qvUYrwAmKp4nVB+/24rK" + + "khHiyYJQsETxtOEyvJkVxAS01djY4amuJ4jL0sYnXIhW3Ag93eavbzksGT7W" + + "Fg1ywpr1x1xpXWIIuVt1k4e+g9fy7Yx7rx0IK1qCSjNwU3QPWbaef1rp0Q/X" + + "P9IVXYkqo1g/T3SyXqrbZLO+sDjiG4IT3z3fJJqt81sRSVT0QN1ND8l93BG4" + + "QKzghYw8sZ4FwKPtLky1dDcVTgQBBAQBCAQIK/85VMKWDWYEAQQEAQgECGsO" + + "Q85CcFwPBAEEBAEIBAhaup6ot9XnQAQBBAQCgaAEgaCeCMadSm5fkLfhErYQ" + + "DgePZl/rrjP9FQ3VJZ13XrjTSjTRknAbXi0DEu2tvAbmCf0sdoVNuZIZ92W0" + + "iyaa2/A3RHA2RLPNQz5meTi1RE2N361yR0q181dC3ztkkJ8PLyd74nCtgPUX" + + "0JlsvLRrdSjPBpBQ14GiM8VjqeIY7EVFy3vte6IbPzodxaviuSc70iXM4Yko" + + "fQq6oaSjNBFRqkHrBAEEBAEIBAjlIvOf8SnfugQBBAQBCAQIutCF3Jovvl0E" + + "AQQEAQgECO7jxbucdp/3BAEEBAEIBAidxK3XDLj+BwQBBAQBCAQI3m/HMbd3" + + "TwwEAQQEA4ICOASCAjgtoCiMfTkjpCRuMhF5gNLRBiNv+xjg6GvZftR12qiJ" + + "dLeCERI5bvXbh9GD6U+DjTUfhEab/37TbiI7VOFzsI/R137sYy9Tbnu7qkSx" + + "u0bTvyXSSmio6sMRiWIcakmDbv+TDWR/xgtj7+7C6p+1jfUGXn/RjB3vlyjL" + + "Q9lFe5F84qkZjnADo66p9gor2a48fgGm/nkABIUeyzFWCiTp9v6FEzuBfeuP" + + "T9qoKSnCitaXRCru5qekF6L5LJHLNXLtIMSrbO0bS3hZK58FZAUVMaqawesJ" + + "e/sVfQip9x/aFQ6U3KlSpJkmZK4TAqp9jIfxBC8CclbuwmoXPMomiCH57ykr" + + "vkFHOGcxRcCxax5HySCwSyPDr8I4+6Kocty61i/1Xr4xJjb+3oyFStIpB24x" + + "+ALb0Mz6mUa1ls76o+iQv0VM2YFwnx+TC8KC1+O4cNOE/gKeh0ircenVX83h" + + "GNez8C5Ltg81g6p9HqZPc2pkwsneX2sJ4jMsjDhewV7TyyS3x3Uy3vTpZPek" + + "VdjYeVIcgAz8VLJOpsIjyHMB57AyT7Yj87hVVy//VODnE1T88tRXZb+D+fCg" + + "lj2weQ/bZtFzDX0ReiEQP6+yklGah59omeklIy9wctGV1o9GNZnGBSLvQ5NI" + + "61e9zmQTJD2iDjihvQA/6+edKswCjGRX6rMjRWXT5Jv436l75DVoUj09tgR9" + + "ytXSathCjQUL9MNXzUMtr7mgEUPETjM/kYBR7CNrsc+gWTWHYaSWuqKVBAEE" + + "BAEIBAh6slfZ6iqkqwQBBAQBCAQI9McJKl5a+UwEAQQEATgEOBelrmiYMay3" + + "q0OW2x2a8QQodYqdUs1TCUU4JhfFGFRy+g3yU1cP/9ZSI8gcI4skdPc31cFG" + + "grP7BAEEBAEIBAhzv/wSV+RBJQQBBAQBCAQI837ImVqqlr4EAQQEAQgECGeU" + + "gjULLnylBAEEBAEIBAjD3P4hlSBCvQQBBAQBCAQISP/qivIzf50EAQQEAQgE" + + "CKIDMX9PKxICBAEEBAOCBOgEggTocP5VVT1vWvpAV6koZupKN1btJ3C01dR6" + + "16g1zJ5FK5xL1PTdA0r6iAwVtgYdxQYnU8tht3bkNXdPJC1BdsC9oTkBg9Nr" + + "dqlF5cCzXWIezcR3ObjGLpXu49SAHvChH4emT5rytv81MYxZ7bGmlQfp8BNa" + + "0cMZz05A56LXw//WWDEzZcbKSk4tCsfMXBdGk/ngs7aILZ4FGM620PBPtD92" + + "pz2Ui/tUZqtQ0WKdLzwga1E/rl02a/x78/OdlVRNeaIYWJWLmLavX98w0PhY" + + "ha3Tbj/fqq+H3ua6Vv2Ff4VeXazkXpp4tTiqUxhc6aAGiRYckwZaP7OPSbos" + + "RKFlRLVofSGu1IVSKO+7faxV4IrVaAAzqRwLGkpJZLV7NkzkU1BwgvsAZAI4" + + "WClPDF228ygbhLwrSN2NK0s+5bKhTCNAR/LCUf3k7uip3ZSe18IwEkUMWiaZ" + + "ayktcTYn2ZjmfIfV7wIxHgWPkP1DeB+RMS7VZe9zEgJKOA16L+9SNBwJSSs9" + + "5Sb1+nmhquZmnAltsXMgwOrR12JLIgdfyyqGcNq997U0/KuHybqBVDVu0Fyr" + + "6O+q5oRmQZq6rju7h+Hb/ZUqRxRoTTSPjGD4Cu9vUqkoNVgwYOT+88FIMYun" + + "g9eChhio2kwPYwU/9BNGGzh+hAvAKcUpO016mGLImYin+FpQxodJXfpNCFpG" + + "4v4HhIwKh71OOfL6ocM/518dYwuU4Ds2/JrDhYYFsn+KprLftjrnTBnSsfYS" + + "t68b+Xr16qv9r6sseEkXbsaNbrGiZAhfHEVBOxQ4lchHrMp4zpduxG4crmpc" + + "+Jy4SadvS0uaJvADgI03DpsDYffUdriECUqAfOg/Hr7HHyr6Q9XMo1GfIarz" + + "eUHBgi1Ny0nDTWkdb7I3bIajG+Unr3KfK6dZz5Lb3g5NeclU5zintB1045Jr" + + "j9fvGGk0/2lG0n17QViBiOzGs2poTlhn7YxmiskwlkRKVafxPZNPxKILpN9s" + + "YaWGz93qER/pGMJarGJxu8sFi3+yt6FZ4pVPkvKE8JZMEPBBrmH41batS3sw" + + "sfnJ5CicAkwd8bluQpoc6qQd81HdNpS6u7djaRSDwPtYnZWu/8Hhj4DXisje" + + "FJBAjQdn2nK4MV7WKVwr+mNcVgOdc5IuOZbRLOfc3Sff6kYVuQFfcCGgAFpd" + + "nbprF/FnYXR/rghWE7fT1gfzSMNv+z5UjZ5Rtg1S/IQfUM/P7t0UqQ01/w58" + + "bTlMGihTxHiJ4Qf3o5GUzNmAyryLvID+nOFqxpr5es6kqSN4GPRHsmUIpB9t" + + "f9Nw952vhsXI9uVkhQap3JvmdAKJaIyDz6Qi7JBZvhxpghVIDh73BQTaAFP9" + + "5GUcPbYOYJzKaU5MeYEsorGoanSqPDeKDeZxjxJD4xFsqJCoutyssqIxnXUN" + + "Y3Uojbz26IJOhqIBLaUn6QVFX79buWYjJ5ZkDS7D8kq6DZeqZclt5711AO5U" + + "uz/eDSrx3d4iVHR+kSeopxFKsrK+KCH3CbBUMIFGX/GE9WPhDWCtjjNKEe8W" + + "PinQtxvv8MlqGXtv3v7ObJ2BmfIfLD0rh3EB5WuRNKL7Ssxaq14KZGEBvc7G" + + "Fx7jXLOW6ZV3SH+C3deJGlKM2kVhDdIVjjODvQzD8qw8a/ZKqDO5hGGKUTGD" + + "Psdd7O/k/Wfn+XdE+YuKIhcEAQQEAQgECJJCZNJdIshRBAEEBAEIBAiGGrlG" + + "HlKwrAQBBAQBCAQIkdvKinJYjJcEAQQEAUAEQBGiIgN/s1bvPQr+p1aQNh/X" + + "UQFmay6Vm5HIvPhoNrX86gmMjr6/sg28/WCRtSfyuYjwQkK91n7MwFLOBaU3" + + "RrsEAQQEAQgECLRqESFR50+zBAEEBAEIBAguqbAEWMTiPwQBBAQBGAQYKzUv" + + "EetQEAe3cXEGlSsY4a/MNTbzu1WbBAEEBAEIBAiVpOv1dOWZ1AQCAAAEAgAA" + + "BAIAAAQCAAAEAgAABAIAAAAAAAAAADA1MCEwCQYFKw4DAhoFAAQUvMkeVqe6" + + "D4UmMHGEQwcb8O7ZwhgEEGiX9DeqtRwQnVi+iY/6Re8AAA=="); + + byte[] certUTF = Base64.decode( + "MIIGVQIBAzCCBg8GCSqGSIb3DQEHAaCCBgAEggX8MIIF+DCCAsUGCSqGSIb3" + + "DQEHAaCCArYEggKyMIICrjCCAqoGCyqGSIb3DQEMCgEDoIIChTCCAoEGCiqG" + + "SIb3DQEJFgGgggJxBIICbTCCAmkwggHSoAMCAQICAQcwDQYJKoZIhvcNAQEF" + + "BQAwOTEPMA0GA1UEBxMGTGV1dmVuMRkwFwYDVQQKExBVdGltYWNvIFN1YiBD" + + "QSAyMQswCQYDVQQGEwJCRTAeFw05OTEyMzEyMzAwMDBaFw0xOTEyMzEyMzAw" + + "MDBaMFcxCzAJBgNVBAYTAkJFMQ8wDQYDVQQHEwZIYWFjaHQxEDAOBgNVBAoT" + + "B1V0aW1hY28xDDAKBgNVBAsMA1ImRDEXMBUGA1UEAxMOR2VlcnQgRGUgUHJp" + + "bnMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANYGIyhTn/p0IA41ElLD" + + "fZ44PS88AAcDCiOd2DIMLck56ea+5nhI0JLyz1XgPHecc8SLFdl7vSIBA0eb" + + "tm/A7WIqIp0lcvgoyQ0qsak/dvzs+xw6r2xLCVogku4+/To6UebtfRsukXNI" + + "ckP5lWV/Ui4l+XvGdmENlEE9/BvOZIvLAgMBAAGjYzBhMBEGA1UdIwQKMAiA" + + "BlN1YkNBMjAQBgNVHQ4ECQQHVXNlcklEMjAOBgNVHQ8BAf8EBAMCBLAwGQYD" + + "VR0RBBIwEIEOVXNlcklEMkB1dGkuYmUwDwYDVR0TAQH/BAUwAwEBADANBgkq" + + "hkiG9w0BAQUFAAOBgQACS7iLLgMV4O5gFdriI7dqX55l7Qn6HiRNxlSH2kCX" + + "41X82gae4MHFc41qqsC4qm6KZWi1yvTN9XgSBCXTaw1SXGTK7SuNdoYh6ufC" + + "KuAwy5lsaetyARDksRiOIrNV9j+MRIjJMjPNg+S+ysIHTWZo2NTUuVuZ01D2" + + "jDtYPhcDFDESMBAGCSqGSIb3DQEJFTEDBAE3MIIDKwYJKoZIhvcNAQcGoIID" + + "HDCCAxgCAQAwggMRBgkqhkiG9w0BBwEwKAYKKoZIhvcNAQwBAzAaBBS5KxQC" + + "BMuZ1To+yed2j/TT45td6gICCACAggLYxQS+fu7W2sLQTkslI0EoNxLoH/WO" + + "L8NgiIgZ5temV3mgC2q0MxjVVq+SCvG89ZSTfptxOaSmYV772irFdzlrtotZ" + + "wmYk1axuFDYQ1gH0M6i9FWuhOnbk7qHclmOroXqrrbP6g3IsjwztH0+iwBCg" + + "39f63V0rr8DHiu7zZ2hBkU4/RHEsXLjaCBVNTUSssWhVLisLh2sqBJccPC2E" + + "1lw4c4WrshGQ+syLGG38ttFgXT1c+xYNpUKqJiJTLVouOH9kK3nH1hPRHKMN" + + "9CucBdUzibvkcRk1L53F3MfvjhCSNeWEmd9PKN+FtUtzRWQG3L84VGTM37Ws" + + "YcxaDwDFGcw3u1W8WFsCCkjpZecKN8P2Kp/ai/iugcXY77bYwAwpETDvQFvD" + + "nnL9oGi03HYdfeiXglC7x7dlojvnpkXDbE0nJiFwhe8Mxpx8GVlGHtP+siXg" + + "tklubg1eTCSoG9m1rsBJM717ZHXUGf32HNun2dn4vOWGocgBmokZ46KKMb9v" + + "reT39JTxi8Jlp+2cYb6Qr/oBzudR+D4iAiiVhhhEbJKPNHa61YyxF810fNI2" + + "GWlNIyN3KcI8XU6WJutm/0H3X8Y+iCSWrJ2exUktj8GiqNQ6Yx0YgEk9HI7W" + + "t9UVTIsPCgCqrV4SWCOPf6so1JqnpvlPvvNyNxSsAJ7DaJx1+oD2QQfhowk/" + + "bygkKnRo5Y15ThrTsIyQKsJHTIVy+6K5uFZnlT1DGV3DcNpuk3AY26hrAzWO" + + "TuWXsULZe7M6h6U2hTT/eplZ/mwHlXdF1VErIuusaCdkSI0doY4/Q223H40L" + + "BNU3pTezl41PLceSll00WGVr2MunlNeXKnXDJW06lnfs9BmnpV2+Lkfmf30W" + + "Pn4RKJQc+3D3SV4fCoQLIGrKiZLFfEdGJcMlySr+dJYcEtoZPuo6i/hb5xot" + + "le63h65ihNtXlEDrNpYSQqnfhjOzk5/+ZvYEcOtDObEwPTAhMAkGBSsOAwIa" + + "BQAEFMIeDI9l2Da24mtA1fbQIPc6+4dUBBQ8a4lD7j1CA1vRLhdEgPM+5hpD" + + "RgICCAA="); + + byte[] pkcs12noFriendly = Base64.decode( + "MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCBAAwgDCABgkqhkiG9w0BBwGggCSA" + + "BIICvjCCArowggK2BgsqhkiG9w0BDAoBAqCCAqUwggKhMBsGCiqGSIb3DQEM" + + "AQMwDQQIyJDupEHvySECAQEEggKAupvM7RuZL3G4qNeJM3afElt03TVfynRT" + + "xUxAZOfx+zekHJTlnEuHJ+a16cOV6dQUgYfyMw1xcq4E+l59rVeMX9V3Zr0K" + + "tsMN9VYB/9zn62Kw6LQnY0rMlWYf4bt9Ut5ysq0hE5t9FL+NZ5FbFdWBOKsj" + + "/3oC6eNXOkOFyrY2haPJtD1hVHUosrlC0ffecV0YxPDsReeyx0R4CiYZpAUy" + + "ZD7rkxL+mSX7zTsShRiga2Q/NEhC1KZpbhO/qbyOgvH0r7CRumSMvijzDgaV" + + "IGqtrIZ2E2k5kscjcuFTW0x3OZTLAW/UnAh4JXJzC6isbdiWuswbAEBHifUC" + + "rk2f+bDJKe2gkH67J2K0yDQ3YSSibpjDX/bVfbtfmOoggK9MKQwqEeE0nbYE" + + "jzInH2OK5jPtmwppjmVA7i3Uk25w2+z7b/suUbft9hPCNjxFvzdbyCcXK4Vv" + + "xAgEbVWnIkvOQNbyaQi+DEF/4P26GwgJgXuJpMBn0zzsSZSIDLNl8eJHoKp2" + + "ZXknTi0SZkLaYlBxZlNhFoyXLfvQd6TI2aR5aCVqg1aZMBXyOWfz5t0JTVX8" + + "HTIcdXKis91iEsLB7vjcxIOASTAjKARr5tRp6OvaVterAyDOn2awYQJLLic5" + + "pQfditRAlsLkTxlDdu0/QBMXSPptO8g3R+dS7ntvCjXgZZyxpOeKkssS2l5v" + + "/B2EsfKmYA9hU4aBdW1S9o/PcF1wpVqABd8664TGJ77tCAkbdHe0VJ3Bop2X" + + "lNxlWeEeD0v0QUZLqkJoMEwi5SUE6HAWjbqGhRuHyey9E+UsdCVnQ8AxXQzL" + + "2UKOmIrXc6R25GsLPCysXuXPRFBB2Tul0V3re3hPcAAAAAAAADCABgkqhkiG" + + "9w0BBwaggDCAAgEAMIAGCSqGSIb3DQEHATAbBgoqhkiG9w0BDAEGMA0ECDXn" + + "UZu6xckzAgEBoIAEggTYQMbzAoGnRVJMbCaJJUYgaARJ4zMfxt2e12H4pX/e" + + "vnZrR1eKAMck5c2vJoEasr0i2VUcAcK12AntVIEnBwuRBcA2WrZnC28WR+O7" + + "rLdu9ymG2V3zmk66aTizaB6rcHAzs2lD74n+/zJhZNaDMBfu9LzAdWb/u6Rb" + + "AThmbw764Zyv9802pET6xrB8ureffgyvQAdlcGHM+yxaOV3ZEtS0cp7i+pb/" + + "NTiET4jAFoO1tbBrWGJSRrMKvx4ZREppMhG3e/pYglfMFl+1ejbDsOvEUKSt" + + "H+MVrgDgAv4NsUtNmBu+BIIEAIOCjrBSK3brtV0NZOWsa6hZSSGBhflbEY8s" + + "U1bDsgZIW4ZaJJvSYEXLmiWSBOgq9VxojMfjowY+zj6ePJJMyI3E7AcFa+on" + + "zZjeKxkKypER+TtpBeraqUfgf01b6olH8L2i4+1yotCQ0PS+15qRYPK6D+d3" + + "S+R4veOA6wEsNRijVcB3oQsBCi0FVdf+6MVDvjNzBCZXj0heVi+x0EE106Sz" + + "B3HaDbB/KNHMPZvvs3J3z2lWLj5w7YZ9eVmrVJKsgG2HRKxtt2IQquRj4BkS" + + "upFnMTBVgWxXgwXycauC9bgYZurs+DbijqhHfWpUrttDfavsP8aX6+i3gabK" + + "DH4LQRL7xrTcKkcUHxOTcPHLgDPhi+RevkV+BX9tdajbk4tqw1d+0wOkf1pW" + + "aTG8fUp0lUpra7EJ0lGy8t/MB3NEk/5tLk9qA2nsKKdNoEdZWiEBE0fMrH1o" + + "tWJDew3VhspT+Lkor2dLN5ydjcr3wkb76OETPeMxS91onNj5mrAMUBt66vb6" + + "Gx4CL8FTRNZ/l8Kzngzdv9PmmKPTIXbhYbn3XRGg3od2tC/oVfsqYlGAMgFO" + + "STt+BZ1BR9Phyi4jsiy8R0seCEDRWYQLbwgwVj0V8Rx9VptqRoCnB4XhGJoJ" + + "TdAz/MT7KOSxIh2F2FymTJpyImcV6X4Kcj9iY0AZQ4zj712g4yMR6xKGzRu6" + + "oIBDkFW2bdA3Lb9ePpo5GFtNyA7IbggIko6VOeeOKxaq9nALS2gsZc1yaYtp" + + "aKL8kB+dVTCXiLgQniO6eMzgonsuwFnG+42XM1vhEpAvFzeJRC0CYzebEK9n" + + "nGXKCPoqPFuw3gcPMn57NCZJ8MjT/p0wANIEm6AsgqrdFKwTRVJ1ytB/X9Ri" + + "ysmjMBs9zbFKjU9jVDg1vGBNtb7YnYg9IrYHa3e4yTu2wUJKGP2XWHVgjDR7" + + "6RtzlO4ljw0kkSMMEDle2ZbGZ6lVXbFwV0wPNPmGA6+XGJRxcddTnrM6R/41" + + "zqksFLgoNL2BdofMXwv7SzxGyvFhHdRRdBZ5dKj2K9OfXakEcm/asZGu87u8" + + "y9m7Cckw8ilSNPMdvYiFRoThICx9NiwYl1IIKGcWlb9p6RAx6XNSkY6ZZ6pE" + + "Vla1E26rbd7is1ssSeqxLXXV9anuG5HDwMIt+CIbD8fZmNTcWMzZRiaFajvR" + + "gXdyTu/UhVdhiQPF+lrxp4odgF0cXrpcGaKvOtPq04F4ad3O5EkSGucI210Q" + + "pR/jQs07Yp5xDPzsXAb8naHb84FvK1iONAEjWbfhDxqtH7KGrBbW4KEzJrv3" + + "B8GLDp+wOAFjGEdGDPkOx3y2L2HuI1XiS9LwL+psCily/A96OiUyRU8yEz4A" + + "AAAAAAAAAAAEAwAAAAAAAAAAADAtMCEwCQYFKw4DAhoFAAQU1NQjgVRH6Vg3" + + "tTy3wnQisALy9aYECKiM2gZrLi+fAAA="); + + static char[] noFriendlyPassword = "sschette12".toCharArray(); + + byte[] pkcs12StorageIssue = Base64.decode( + "MIIO8QIBAzCCDrEGCSqGSIb3DQEHAaCCDqIEgg6eMIIOmjCCBBMGCSqGSIb3" + + "DQEHAaCCBAQEggQAMIID/DCCA/gGCyqGSIb3DQEMCgECoIICtjCCArIwHAYK" + + "KoZIhvcNAQwBAzAOBAgURJ+/5hA2pgICB9AEggKQYZ4POE8clgH9Bjd1XO8m" + + "sr6NiRBiA08CllHSOn2RzyAgHTa+cKaWrEVVJ9mCd9XveSUCoBF9E1C3jSl0" + + "XIqLNgYd6mWK9BpeMRImM/5crjy///K4ab9kymzkc5qc0pIpdCQCZ04YmtFP" + + "B80VCgyaoh2xoxqgjBCIgdSg5XdepdA5nXkG9EsQ1oVUyCykv20lKgKKRseG" + + "Jo23AX8YUYR7ANqP2gz9lvlX6RBczuoZ62ujopUexiQgt5SZx97sgo3o/b/C" + + "px17A2L4wLdeAYCMCsZhC2UeaqnZCHSsvnPZfRGiuSEGbV5gHLmXszLDaEdQ" + + "Bo873GTpKTTzBfRFzNCtYtZRqh2AUsInWZWQUcCeX6Ogwa0wTonkp18/tqsh" + + "Fj1fVpnsRmjJTTXFxkPtUw5GPJnDAM0t1xqV7kOjN76XnZrMyk2azQ1Mf3Hn" + + "sGpF+VRGH6JtxbM0Jm5zD9uHcmkSfNR3tP/+vHOB1mkIR9tD2cHvBg7pAlPD" + + "RfDVWynhS+UBNlQ0SEM/pgR7PytRSUoKc/hhe3N8VerF7VL3BwWfBLlZFYZH" + + "FvPQg4coxF7+We7nrSQfXvdVBP9Zf0PTdf3pbZelGCPVjOzbzY/o/cB23IwC" + + "ONxlY8SC1nJDXrPZ5sY51cg/qUqor056YqipRlI6I+FoTMmMDKPAiV1V5ibo" + + "DNQJkyv/CAbTX4+oFlxgddTwYcPZgd/GoGjiP9yBHHdRISatHwMcM06CzXJS" + + "s3MhzXWD4aNxvvSpXAngDLdlB7cm4ja2klmMzL7IuxzLXFQFFvYf7IF5I1pC" + + "YZOmTlJgp0efL9bHjuHFnh0S0lPtlGDOjJ/4YpWvSKDplcPiXhaFVjsUtclE" + + "oxCC5xppRm8QWS8xggEtMA0GCSsGAQQBgjcRAjEAMBMGCSqGSIb3DQEJFTEG" + + "BAQBAAAAMGkGCSsGAQQBgjcRATFcHloATQBpAGMAcgBvAHMAbwBmAHQAIABS" + + "AFMAQQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAA" + + "aABpAGMAIABQAHIAbwB2AGkAZABlAHIwgZsGCSqGSIb3DQEJFDGBjR6BigA3" + + "AGQAZQBmADUAYgA0ADMANgBjAGEAYgBkADAAMAAyAGQAZAAyADkAMAAzAGIA" + + "MQA2ADgANgBjADcAOQA0ADgAXwA0ADYAZgAyADYAZgBkADQALQA4ADEAMgBk" + + "AC0ANABlAGYAYgAtADgAMAA4ADgALQA0ADUAYQBiADkAMQA5ADEAMAA3AGMA" + + "YzCCCn8GCSqGSIb3DQEHBqCCCnAwggpsAgEAMIIKZQYJKoZIhvcNAQcBMBwG" + + "CiqGSIb3DQEMAQYwDgQIbr2xdnQ9inMCAgfQgIIKOHg9VKz+jlM+3abi3cp6" + + "/XMathxDSEJLrxJs6j5DAVX17S4sw1Q/1pptjdMdd8QtTfUB6JpfgJ5Kpn+h" + + "gZMf6M8wWue0U/RZN0D9w7o+2n+X3ItdEXu80eJVDOm7I2p8qiXtijbMbXRL" + + "Cup1lgfPM5uv2D63/hmWRXLeG8eySrJnKENngpM559V8TI2JcTUBy1ZP3kcH" + + "KbcJ/tVPnIIe4qguxfsTmDtAQviGvWUohbt+RGFmtqfgntK7o6b+S8uRSwEs" + + "fOU/pnVE9M1ugtNJZI/xeGJq6umZWXA/OrAcK7feWUwqRvfivDGQJEoggByd" + + "4/g92PhK1JGkwlCb1HdfhOOKKChowQ4zVvSOm+uBxARGhk2i5uW9I20I0vSJ" + + "px42O2VFVJweOchfp+wBtSHBKYP1ZXyXWMvOtULClosSeesbYMAwvyBfpYEz" + + "3rQt/1iZkqDmEisXk8X1aEKG1KSWaSPyb/+6glWikDm+YdQw3Khu7IZt1l/H" + + "qWGecccel+R9mT4YjRzHlahUYk4U+RNVasVpH1Kxz2j3CZqL+b3jQOwSAPd/" + + "hKI+S/pjIpBPfiC4WxORAzGZzY2j+a79B70h1DO1D9jGur3vJDbdmGBNgs6d" + + "nonE1B527SICcGeXY1MtnZCLOPvySih0AvOekbN9x2CJg+Hp9e7A3Fxni53/" + + "oMLr9wGRRDki72eXCXW98mU8VJofoWYS1/VBLXGf/f+tJ9J02PpzxleqPH9T" + + "4mE+YHnZId6cqjCXmwvMr2cMw2clDVfvkbAJRE3eZHzL7IWSO8+giXzzrTsl" + + "VbMuXVkT4oniTN7TSRsBCT3zVVmCy1QL2hPBD6KsVc+bvLgAHRov84FPrI3f" + + "kY/oJufT36VE34Eu+QjzULlvVsLE3lhjutOerVIGSP//FM4LE99hp214P0JF" + + "DgBK+3J+ihmFdW8hUXOt6BU8/MBeiroiJMWo1/f/XcduekG2ZsdGv+GNPzXI" + + "PyHRpCgAgmck1+qoUPXxHRJuNqv223OZ5MN14X7iLl5OZ+f8IWfxUnZeZ9gj" + + "HNeceElwZ+YOup1CAi3haD9jxRWhZG4NDfB4IYi4Bc/TAkXE3jCPkYEvIbj9" + + "ExaU1Ts0+lqOOcwRmBoYjVrz0xbtfR/OWlopyrDHbeL5iQcQCW/loYRapWCZ" + + "E4ekHknpX9yoAwT355vtTkl0VKXeSZHE8jREhN95aY9zCoLYwbTQDTw7qUR5" + + "UamabLew0oS0XALtuOrfX4OUOZZUstUsGBle/Pw1TE3Bhe1clhrikp0F+Xgb" + + "Xx90KqxZX/36RMnCMAD7/q+57rV7WXp2Y5tT0AUgyUMjy1F1X/b1olUfqO1u" + + "rlWIUTl2znmQ3D9uO3W4ytfgGd5DpKcl2w84MBAT9qGwKuQg/UYKbP4K/+4L" + + "Y1DWCy3utmohQ28IJtlIUkPL1G7lHX1tfq/VA+bRNTJIhMrNn06ZJpuEJHDs" + + "/ferdlMFt/d6MrwVivmPVYkb8mSbHSiI8jZOFE44sA974depsDyXafFaSsl0" + + "bVzqOAu0C/n9dIednU0xxxgDF/djdZ/QhbaDIg2VJf11wx0nw9n76B0+eeyu" + + "QLaapzxCpQNDVOAM9doBb5F1I5pXQHFQqzTNtLmqDC4x0g8IH7asyk5LCglT" + + "b1pwMqPJOL2vGWKRLhPzT+9OfSpCmYGKytf593hmGmwIgEO13hQrw31F5TYt" + + "btkbDr+Q5XilOKEczhEM+Ug7YHU7bxkckOAbxu0YeRp/57GdGLokeLJ0dRlQ" + + "+V2CfQvWJoVC6PS4PUQtjwgK2p/LU10QsEFwM/S621fGq9zGrv7+FPBATRDb" + + "k4E9D/WaRylnW11ZTrOlTchQkoHcOh0xztlFxU8jzuIuDrPQQWkoqdl6B+yf" + + "lykRNJKKxwzFiPl40nLC3nEdIzCEvR4r/9QHiWQxAVSc/wQX+an5vakUmSXS" + + "oLFjgVdY1jmvdsx2r5BQPuOR8ONGmw/muvVSMaHV85brA4uk0lxn00HD9/a0" + + "A1LCeFkabNLn9wJT8RaJeOSNmFFllLR70OHaoPSb3GyzHpvd1e6aeaimdyVH" + + "BQWJ6Ufx+HjbOGuOiN46WyE6Q27dnWxx8qF89dKB4T/J0mEXqueiUjAUnnnR" + + "Cs4zPaX53hmNBdrZGaLs+xNG8xy+iyBUJIWWfQAQjCjfHYlT9nygiUWIbVQq" + + "RHkGkAN62jsSNLgHvWVzQPNNsYq0U8TPhyyci/vc8MJytujjptcz8FPqUjg2" + + "TPv34ef9buErsm4vsdEv/8Z+9aDaNex+O3Lo3N0Aw7M5NcntFBHjFY/nBFNZ" + + "whH5YA4gQ8PLZ5qshlGvb0DFXHV/9zxnsdPkLwH47ERm5IlEAuoaWtZFxg27" + + "BjLfwU1Opk+ybDSb5WZVZrs7ljsU85p3Vaf3a//yoyr9ITYj15tTXxSPoct0" + + "fDUy1I6LjJH/+eZXKA1WSda9mDQlRocvJ0IIIlI4weJpTdm8aHIJ8OngCqOF" + + "TufcSLDM41+nxEK1LqXeAScVy74kVvvqngj6mIrbylrINZOHheEgTXrUWEc0" + + "uXS8l1YqY6K6Ru5km2jVyWi/ujrDGb6QGShC09oiDYUuUGy4gwJ3XLVX/dR3" + + "pmMExohTGiVefFP400wVZaxB9g1BQmjSEZxIaW1U1K6fk8Yni8yWB3/L/PuD" + + "0+OV+98i1sQGaPe35crIpEc7R2XJdngL0Ol1ZuvCIBfy5DQwGIawTtBnjPdi" + + "hy//QTt/isdu7C5pGaJDkZFMrfxMibr6c3xXr7wwR75sTzPNmS8mquEdLsmG" + + "h8gTUnB8/K6V11JtUExMqTimTbUw+j8PggpeBelG36breWJIz1O+dmCTGuLM" + + "x/sK/i8eiUeRvWjqYpq5DYt4URWg2WlcpcKiUxQp07/NMx0svDC+mlQGwMnJ" + + "8KOJMW1qr3TGEJ/VVKKVn6sXn/RxA+VPofYzhwZByRX87XmNdPeQKC2DHQsW" + + "6v83dua5gcnv0cv/smXt7Yr/c12i0fbIaQvj3qjtUCDucjARoBey3eCyG5H6" + + "5VHSsFnPZ2HCTum+jRSw/ENsu/77XU4BIM2fjAfswp7iIr2Xi4OZWKIj6o6q" + + "+fNgnOJjemDYHAFK+hWxClrG8b+9Eaf21o4zcHkhCfBlYv4d+xcZOIDsDPwI" + + "sf+4V+CfoBLALsa2K0pXlPplGom/a8h7CjlyaICbWpEDItqwu7NQwdMRCa7i" + + "yAyM1sVjXUdcZByS1bjOFSeBe7ygAvEl78vApLxqt8Cw11XSsOtmwssecUN/" + + "pb7iHE4OMyOgsYx9u7rZ2hMyl42n3c29IwDYMumiNqk9cwCBpQTJAQEv4VzO" + + "QE5xYDBY9SEozni+4f7B7e2Wj/LOGb3vfNVYGNpDczBFxvr2FXTQla0lNYD/" + + "aePuC++QW4KvwiGL1Zx4Jo0eoDKWYlYj0qiNlQbWfVw+raaaFnlrq+je0W6P" + + "+BrKZCncho145y+CFKRLZrN5yl/cDxwsePMVhAIMr1DzVhgBXzA3MB8wBwYF" + + "Kw4DAhoEFN4Cwj9AtArnRbOIAsRhaaoZlTNJBBTIVPqCrloqLns145CWXjb0" + + "g141BQ=="); + + static char[] storagePassword = "pass".toCharArray(); + + byte[] pkcs12nopass = Base64.decode( + "MIIMvgIBAzCCDIQGCSqGSIb3DQEHAaCCDHUEggxxMIIMbTCCCS8GCSqGSIb3" + + "DQEHBqCCCSAwggkcAgEAMIIJFQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYw" + + "DgQIfnlhuZRR6/YCAggAgIII6DYgeRwq5n9kzvohZ3JuK+fB+9jZ7Or6EGBA" + + "GDxtBfHmSNUBWJEV/I8wV1zrKKoW/CaoZfA61pyrVZRd/roaqBx/koTFoh/g" + + "woyyWTRV9gYTXSVqPQgCH+e2dISAa6UGO+/YOWOOwG2X3t8tS+3FduFQFLt5" + + "cvUP98zENdm57Aef5pKpBSZDLIAoTASfmqwszWABRh2p/wKOHcCQ9Aj2e2vs" + + "pls/ntIv81MqPuxHttwX8e+3dKWGFrJRztLpCD2aua8VkSsHFsPxEHkezX4O" + + "6/VCjMCRFGophTS4dgKKtQIhZ9i/ESlr6sGKgIpyG99ALFpNEhtTKe+T3boE" + + "sEkhGDquSpu4PGz2m0W5sej1DyFkKX4zIbeMDAb1y3O7aP0F+Llo9QSeGsOA" + + "aCwND3NUAKBMOHzwdyNQcuCGCqY8j5rrSt99A5FMs3UVW3XU6hRCx7JlzO05" + + "PNCkcPRSnKSNzBhIR5W0qj4PAZnQTfX+wbtUaDLIqsObX4Muh2l3gl+JmdpO" + + "53U7ILqN8PAPly1eT+fIrUmlMmFhvo6LbTB7B2K728wsA/5wROlud/mOQz4s" + + "quS288YsnVc9ExSZKodWa3Pqcdb/cgKNJYDxrR6/eBHOj+0RLK/1yTK9ghj7" + + "IPYHoEqQbw768WK92RjM+RFGlXASkQhR9y4weWj/388uAWMIbQ+R2Zi4nb31" + + "knjqRPFThysG1bsRL04/9PgysaasfS9KYOeAlLqp+Ar4gJrof5fytBuY+6wm" + + "/J8eEdNw7VPV1cz/4rhrd2sfJQwDEN/iZoy8rTwe7wozpwZI0lwH11BBbav+" + + "1AMfI79jjxhqOeo7uxE2NzUmSd05JYI7a94tcRzGQyGEKpGxYCRamzFW23qb" + + "vG5Hcqi7Tdd7eTxw4c60l/vQLSo38g6ST5yZrK3URLiAtpioPyjrq2jnVfie" + + "QLsiAHhpHF01+t+OcKv3UjwdEyBmQ34h9klwiG7iwBFXZaPXFCF2Np1TqFVG" + + "jjBzmB+hRddEiYwN+XGCKB2Cvgc5ZMQ8LG9jQmEKLmOjuumz1ciAVY2qtl1s" + + "HYSvfNsIAV/gGzHshOVF19JmGtcQt3pMtupoRh+sh8jY2/x5eIKrj2Jx6HPd" + + "p/6IPUr54j0xSd6j7gWuXMj/eKp/utMNuBzAhkydnhXYedvTDYIj7SyPPIHa" + + "qtam8rxTDWn2AOxp7OXTgPmo1GU2zW1OLL1D3MFlS+oaRMfhgNrhW+QP5ay6" + + "ge4QLijpnSM+p0CbFAOClwzgdJV56bBVV09sDqSBXnG9MeEv5nDaH3I+GpPA" + + "UgDkaI4zT61kaGgk0uNMf3czy2ycoQzTx0iHDTXSdSqvUC1yFza8UG4AYaKz" + + "14gtSL7StvZtK0Y8oI084BINI1LgrWyrOLj7vkds4WrKhXm21BtM1GbN/pFh" + + "XI41h+XoD8KnEPqJ36rAgBo1uHqTNJCC7YikDE/dEvq6MkOx+Nug1YZRHEyi" + + "3AHry5u1HJHtxT34HXBwRXvnstuFhvU6cjc1WY1dJhu1p82TGnx7OBo/QbcM" + + "8MRrWmWuU5eW4jWbriGNGYfvZy+tHnGwy0bIeqrsHOG6/JwvfmYYXe64sryH" + + "5Qo96SZtcTJZaNFwuBY+bFUuOWm8YrT1L7Gl2Muf3pEVtNHLeYARBo1jEAym" + + "Cb4jw0oodZqbPKdyyzUZu69fdTJiQkMUcKDfHJEGK0Li9SvtdqJLiiJs57Tb" + + "YfOvn+TIuC40ssJFtmtlGCVH/0vtKLWYeW1NYAMzgI/nlhQ7W6Aroh8sZnqv" + + "SwxeQmRJaVLxiV6YveTKuVlCbqNVLeEtKYAujgnJtPemGCPbwZpwlBw6V+Dz" + + "oXveOBcUqATztWJeNv7RbU0Mk7k057+DNxXBIU+eHRGquyHQSBXxBbA+OFuu" + + "4SPfEAyoYed0HEaoKN9lIsBW1xTROI30MZvaJXvPdLsa8izXGPLnTGmoI+fv" + + "tJ644HtBCCCr3Reu82ZsTSDMxspZ9aa4ro9Oza+R5eULXDhVXedbhJBYiPPo" + + "J37El5lRqOgu2SEilhhVQq3ZCugsinCaY9P/RtWG4CFnH1IcIT5+/mivB48I" + + "2XfH6Xq6ziJdj2/r86mhEnz9sKunNvYPBDGlOvI7xucEf9AiEQoTR1xyFDbW" + + "ljL4BsJqgsHN02LyUzLwqMstwv+/JH1wUuXSK40Kik/N7+jEFW2C+/N8tN7l" + + "RPKSLaTjxVuTfdv/BH1dkV4iGFgpQrdWkWgkb+VZP9xE2mLz715eIAg13x6+" + + "n97tc9Hh375xZJqwr3QyYTXWpsK/vx04RThv8p0qMdqKvf3jVQWwnCnoeBv2" + + "L4h/uisOLY18qka/Y48ttympG+6DpmzXTwD1LycoG2SOWckCMmJhZK40+zr3" + + "NVmWf6iJtbLGMxI/kzTqbTaOfXc2MroertyM1rILRSpgnJFxJfai5Enspr9b" + + "SCwlP718jG2lQsnYlw8CuxoZAiaNy4MmC5Y3qNl3hlcggcHeLodyGkSyRsBg" + + "cEiKSL7JNvqr0X/nUeW28zVxkmQsWlp3KmST8agf+r+sQvw52fXNLdYznGZV" + + "rJrwgNOoRj0Z70MwTns3s/tCqDEsy5Sv/5dZW2uQEe7/wvmsP2WLu73Rwplg" + + "1dwi/Uo9lO9dkEzmoIK5wMPCDINxL1K+0Y79q0tIAEMDgaIxmtRpEh8/TEsA" + + "UwyEErkDsQqgGviH+ePmawJ/yehYHTRfYUgdUflwApJxRx65pDeSYkiYboMU" + + "8WSAQY2nh/p9hLlS4zbz9dCK2tzVyRkJgqNy/c4IpiHEx2l1iipW9vENglqx" + + "dYP4uqD8e3OOLjDQKizWx2t1u7GRwoEVQ3d3QzzOvsRcv7h+6vNsmYqE6phe" + + "wKFZLctpSn21zkyut444ij4sSr1OG68dEXLY0t0mATfTmXXy5GJBsdK/lLfk" + + "YTIPYYeDMle9aEicDqaKqkZUuYPnVchGp8UFMJ3M0n48OMDdDvpzBLTxxZeW" + + "cK5v/m3OEo3jgxy9wXfZdz//J3zXXqvX8LpMy1K9X0uCBTz6ERlawviMQhg1" + + "1okD5zCCAzYGCSqGSIb3DQEHAaCCAycEggMjMIIDHzCCAxsGCyqGSIb3DQEM" + + "CgECoIICpjCCAqIwHAYKKoZIhvcNAQwBAzAOBAj3QoojTSbZqgICCAAEggKA" + + "YOSp5XGdnG1pdm9CfvlAaUSHRCOyNLndoUTqteTZjHTEM9bGwNXAx4/R5H2Q" + + "PnPm5HB/ynVSXX0uKdW6YlbqUyAdV3eqE4X3Nl+K7ZoXmgAFnMr0tveBhT1b" + + "7rTi0TN4twjJzBTkKcxT8XKjvpVizUxGo+Ss5Wk8FrWLHAiC5dZvgRemtGcM" + + "w5S09Pwj+qXpjUhX1pB5/63qWPrjVf+Bfmlz4bWcqogGk0i7eg+OdTeWMrW0" + + "KR9nD1+/uNEyc4FdGtdIPnM+ax0E+vcco0ExQpTXe0xoX4JW7O71d550Wp89" + + "hAVPNrJA5eUbSWNsuz+38gjUJ+4XaAEhcA7HZIp6ZyxtzSJUoh7oqpRktoxu" + + "3cSVqVxIqAEqlNn6j0vbKfW91Od5DI5L+BIxY4xqXS7fdwipj9r6qWA8t9QU" + + "C2r1A+xXpZ4jEh6inHW9qlfACBBrYf8pSDakSR6yTbaA07LExw0IXz5oiQYt" + + "s7yx231CZlOH88bBmruLOIZsJjeg/lf63zI7Gg4F85QG3RqEJnY2pinLUTP7" + + "R62VErFZPc2a85r2dbFH1mSQIj/rT1IKe32zIW8xoHC4VwrPkT3bcLFAu2TH" + + "5k5zSI/gZUKjPDxb2dwLM4pvsj3gJ9vcFZp6BCuLkZc5rd7CyD8HK9PrBLKd" + + "H3Yngy4A08W4U3XUtIux95WE+5O/UEmSF7fr2vT//DwZArGUpBPq4Bikb8cv" + + "0wpOwUv8r0DXveeaPsxdipXlt29Ayywcs6KIidLtCaCX6/0u/XtMsGNFS+ah" + + "OlumTGBFpbLnagvIf0GKNhbg2lTjflACnxIj8d+QWsnrIU1uC1JRRKCnhpi2" + + "veeWd1m8GUb3aTFiMCMGCSqGSIb3DQEJFTEWBBS9g+Xmq/8B462FWFfaLWd/" + + "rlFxOTA7BgkqhkiG9w0BCRQxLh4sAEMAZQByAHQAeQBmAGkAawBhAHQAIAB1" + + "AHoAeQB0AGsAbwB3AG4AaQBrAGEwMTAhMAkGBSsOAwIaBQAEFKJpUOIj0OtI" + + "j2CPp38YIFBEqvjsBAi8G+yhJe3A/wICCAA="); + + /** + * we generate a self signed certificate for the sake of testing - RSA + */ + public Certificate createCert( + PublicKey pubKey, + PrivateKey privKey, + String issuerEmail, + String subjectEmail) + throws Exception + { + // + // distinguished name table. + // + Hashtable issuerAttrs = new Hashtable(); + + issuerAttrs.put(X509Principal.C, "AU"); + issuerAttrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + issuerAttrs.put(X509Principal.L, "Melbourne"); + issuerAttrs.put(X509Principal.ST, "Victoria"); + issuerAttrs.put(X509Principal.EmailAddress, issuerEmail); + + Hashtable subjectAttrs = new Hashtable(); + + subjectAttrs.put(X509Principal.C, "AU"); + subjectAttrs.put(X509Principal.O, "The Legion of the Bouncy Castle"); + subjectAttrs.put(X509Principal.L, "Melbourne"); + subjectAttrs.put(X509Principal.ST, "Victoria"); + subjectAttrs.put(X509Principal.EmailAddress, subjectEmail); + + Vector order = new Vector(); + order.add(X509Principal.C); + order.add(X509Principal.O); + order.add(X509Principal.L); + order.add(X509Principal.ST); + order.add(X509Principal.EmailAddress); + + // + // extensions + // + + // + // create the certificate - version 3 + // + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal(order, issuerAttrs)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); + certGen.setSubjectDN(new X509Principal(order, subjectAttrs)); + certGen.setPublicKey(pubKey); + certGen.setSignatureAlgorithm("MD5WithRSAEncryption"); + + return certGen.generate(privKey); + } + + public void testPKCS12Store() + throws Exception + { + BigInteger mod = new BigInteger("bb1be8074e4787a8d77967f1575ef72dd7582f9b3347724413c021beafad8f32dba5168e280cbf284df722283dad2fd4abc750e3d6487c2942064e2d8d80641aa5866d1f6f1f83eec26b9b46fecb3b1c9856a303148a5cc899c642fb16f3d9d72f52526c751dc81622c420c82e2cfda70fe8d13f16cc7d6a613a5b2a2b5894d1", 16); + KeyStore store = KeyStore.getInstance("PKCS12", "BC"); + ByteArrayInputStream stream = new ByteArrayInputStream(pkcs12); + + store.load(stream, passwd); + + Enumeration en = store.aliases(); + String pName = null; + + while (en.hasMoreElements()) + { + String n = (String)en.nextElement(); + if (store.isKeyEntry(n)) + { + pName = n; + } + else + { + // the store's we're using here are consistent so this test will pass - it's actually + // possible for this test to fail in other circumstances as PKCS#12 allows certificates + // to be stored multiple times under different aliases. + X509Certificate cert = (X509Certificate)store.getCertificate(n); + + if (!store.getCertificateAlias(cert).equals(n)) + { + fail("certificate alias check fails"); + } + } + } + + PrivateKey key = (PrivateKey)store.getKey(pName, null); + + if (!((RSAPrivateKey)key).getModulus().equals(mod)) + { + fail("Modulus doesn't match."); + } + + Certificate[] ch = store.getCertificateChain(pName); + + if (ch.length != 3) + { + fail("chain was wrong length"); + } + + if (!((X509Certificate)ch[0]).getSerialNumber().equals(new BigInteger("96153094170511488342715101755496684211"))) + { + fail("chain[0] wrong certificate."); + } + + if (!((X509Certificate)ch[1]).getSerialNumber().equals(new BigInteger("279751514312356623147411505294772931957"))) + { + fail("chain[1] wrong certificate."); + } + + if (!((X509Certificate)ch[2]).getSerialNumber().equals(new BigInteger("11341398017"))) + { + fail("chain[2] wrong certificate."); + } + + // + // save test + // + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + store.store(bOut, passwd); + + stream = new ByteArrayInputStream(bOut.toByteArray()); + + store.load(stream, passwd); + + key = (PrivateKey)store.getKey(pName, null); + + if (!((RSAPrivateKey)key).getModulus().equals(mod)) + { + fail("Modulus doesn't match."); + } + + // + // save test using LoadStoreParameter + // + bOut = new ByteArrayOutputStream(); + + PKCS12StoreParameter storeParam = new PKCS12StoreParameter(bOut, passwd, true); + + store.store(storeParam); + + byte[] data = bOut.toByteArray(); + + stream = new ByteArrayInputStream(data); + store.load(stream, passwd); + + key = (PrivateKey)store.getKey(pName, null); + + if (!((RSAPrivateKey)key).getModulus().equals(mod)) + { + fail("Modulus doesn't match."); + } + + ASN1Encodable outer = new ASN1StreamParser(data).readObject(); + if (!(outer instanceof DERSequenceParser)) + { + fail("Failed DER encoding test."); + } + + // + // save test using LoadStoreParameter + // + bOut = new ByteArrayOutputStream(); + + JDKPKCS12StoreParameter oldParam = new JDKPKCS12StoreParameter(); + oldParam.setOutputStream(bOut); + oldParam.setPassword(passwd); + oldParam.setUseDEREncoding(true); + + store.store(oldParam); + + data = bOut.toByteArray(); + + stream = new ByteArrayInputStream(data); + store.load(stream, passwd); + + key = (PrivateKey)store.getKey(pName, null); + + if (!((RSAPrivateKey)key).getModulus().equals(mod)) + { + fail("Modulus doesn't match."); + } + + outer = new ASN1StreamParser(data).readObject(); + if (!(outer instanceof DERSequenceParser)) + { + fail("Failed DER encoding test."); + } + + // + // delete test + // + store.deleteEntry(pName); + + if (store.getKey(pName, null) != null) + { + fail("Failed deletion test."); + } + + // cert chain test + // + store.setCertificateEntry("testCert", ch[2]); + + if (store.getCertificateChain("testCert") != null) + { + fail("Failed null chain test."); + } + + // + // UTF 8 single cert test + // + store = KeyStore.getInstance("PKCS12", "BC"); + stream = new ByteArrayInputStream(certUTF); + + store.load(stream, "user".toCharArray()); + + if (store.getCertificate("37") == null) + { + fail("Failed to find UTF cert."); + } + + // + // try for a self generated certificate + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + // + // set up the keys + // + PrivateKey privKey = null; + PublicKey pubKey = null; + + try + { + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + + privKey = fact.generatePrivate(privKeySpec); + pubKey = fact.generatePublic(pubKeySpec); + } + catch (Exception e) + { + fail("error setting up keys - " + e.toString()); + } + + Certificate[] chain = new Certificate[1]; + + chain[0] = createCert(pubKey, privKey, "issuer@bouncycastle.org", "subject@bouncycastle.org"); + + testSupportedTypes(privKey, chain); + + store = KeyStore.getInstance("PKCS12", "BC"); + + store.load(null, null); + + store.setKeyEntry("privateKey", privKey, null, chain); + + if (!store.containsAlias("privateKey") || !store.containsAlias("PRIVATEKEY")) + { + fail("couldn't find alias privateKey"); + } + + if (store.isCertificateEntry("privateKey")) + { + fail("key identified as certificate entry"); + } + + if (!store.isKeyEntry("privateKey") || !store.isKeyEntry("PRIVATEKEY")) + { + fail("key not identified as key entry"); + } + + if (!"privateKey".equals(store.getCertificateAlias(chain[0]))) + { + fail("Did not return alias for key certificate privateKey"); + } + + ByteArrayOutputStream store1Stream = new ByteArrayOutputStream(); + + store.store(store1Stream, passwd); + + testNoExtraLocalKeyID(store1Stream.toByteArray()); + + // + // no friendly name test + // + store = KeyStore.getInstance("PKCS12", "BC"); + stream = new ByteArrayInputStream(pkcs12noFriendly); + + store.load(stream, noFriendlyPassword); + + en = store.aliases(); + pName = null; + + while (en.hasMoreElements()) + { + String n = (String)en.nextElement(); + + if (store.isKeyEntry(n)) + { + pName = n; + } + } + + ch = store.getCertificateChain(pName); + + for (int i = 0; i != ch.length; i++) + { + //System.out.println(ch[i]); + } + + if (ch.length != 1) + { + fail("no cert found in pkcs12noFriendly"); + } + + // + // failure tests + // + ch = store.getCertificateChain("dummy"); + + store.getCertificateChain("DUMMY"); + + store.getCertificate("dummy"); + + store.getCertificate("DUMMY"); + + // + // storage test + // + store = KeyStore.getInstance("PKCS12", "BC"); + stream = new ByteArrayInputStream(pkcs12StorageIssue); + + store.load(stream, storagePassword); + + en = store.aliases(); + pName = null; + + while (en.hasMoreElements()) + { + String n = (String)en.nextElement(); + + if (store.isKeyEntry(n)) + { + pName = n; + } + } + + ch = store.getCertificateChain(pName); + if (ch.length != 2) + { + fail("Certificate chain wrong length"); + } + + store.store(new ByteArrayOutputStream(), storagePassword); + + // + // basic certificate check + // + store.setCertificateEntry("cert", ch[1]); + + if (!store.containsAlias("cert") || !store.containsAlias("CERT")) + { + fail("couldn't find alias cert"); + } + + if (!store.isCertificateEntry("cert") || !store.isCertificateEntry("CERT")) + { + fail("cert not identified as certificate entry"); + } + + if (store.isKeyEntry("cert") || store.isKeyEntry("CERT")) + { + fail("cert identified as key entry"); + } + + if (!store.entryInstanceOf("cert", KeyStore.TrustedCertificateEntry.class)) + { + fail("cert not identified as TrustedCertificateEntry"); + } + + if (!store.entryInstanceOf("CERT", KeyStore.TrustedCertificateEntry.class)) + { + fail("CERT not identified as TrustedCertificateEntry"); + } + + if (store.entryInstanceOf("cert", KeyStore.PrivateKeyEntry.class)) + { + fail("cert identified as key entry via PrivateKeyEntry"); + } + + if (!"cert".equals(store.getCertificateAlias(ch[1]))) + { + fail("Did not return alias for certificate entry"); + } + + // + // test restoring of a certificate with private key originally as a ca certificate + // + store = KeyStore.getInstance("PKCS12", "BC"); + + store.load(null, null); + + store.setCertificateEntry("cert", ch[0]); + + if (!store.containsAlias("cert") || !store.containsAlias("CERT")) + { + fail("restore: couldn't find alias cert"); + } + + if (!store.isCertificateEntry("cert") || !store.isCertificateEntry("CERT")) + { + fail("restore: cert not identified as certificate entry"); + } + + if (store.isKeyEntry("cert") || store.isKeyEntry("CERT")) + { + fail("restore: cert identified as key entry"); + } + + if (store.entryInstanceOf("cert", KeyStore.PrivateKeyEntry.class)) + { + fail("restore: cert identified as key entry via PrivateKeyEntry"); + } + + if (store.entryInstanceOf("CERT", KeyStore.PrivateKeyEntry.class)) + { + fail("restore: cert identified as key entry via PrivateKeyEntry"); + } + + if (!store.entryInstanceOf("cert", KeyStore.TrustedCertificateEntry.class)) + { + fail("restore: cert not identified as TrustedCertificateEntry"); + } + + // + // test of reading incorrect zero-length encoding + // + store = KeyStore.getInstance("PKCS12", "BC"); + stream = new ByteArrayInputStream(pkcs12nopass); + + store.load(stream, "".toCharArray()); + } + + private void testSupportedTypes(PrivateKey privKey, Certificate[] chain) + throws Exception + { + basicStoreTest(privKey, chain, "PKCS12"); + basicStoreTest(privKey, chain, "BCPKCS12"); + basicStoreTest(privKey, chain, "PKCS12-DEF"); + + basicStoreTest(privKey, chain, "PKCS12-3DES-40RC2"); + basicStoreTest(privKey, chain, "PKCS12-3DES-3DES"); + + basicStoreTest(privKey, chain, "PKCS12-DEF-3DES-40RC2"); + basicStoreTest(privKey, chain, "PKCS12-DEF-3DES-3DES"); + } + + private void basicStoreTest(PrivateKey privKey, Certificate[] chain, String type) + throws Exception + { + KeyStore store = KeyStore.getInstance(type, "BC"); + + store.load(null, null); + + store.setKeyEntry("key", privKey, null, chain); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + store.store(bOut, passwd); + + store.load(new ByteArrayInputStream(bOut.toByteArray()), passwd); + + Key k = store.getKey("key", null); + + if (!k.equals(privKey)) + { + fail("private key didn't match"); + } + + Certificate[] c = store.getCertificateChain("key"); + + if (c.length != chain.length || !c[0].equals(chain[0])) + { + fail("certificates didn't match"); + } + + if (type.contains("DEF")) + { + if (c[0] instanceof X509CertificateObject) + { + fail("wrong certificate type found"); + } + } + + // check attributes + PKCS12BagAttributeCarrier b1 = (PKCS12BagAttributeCarrier)k; + PKCS12BagAttributeCarrier b2 = (PKCS12BagAttributeCarrier)chain[0]; + + if (b1.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName) != null) + { + DERBMPString name = (DERBMPString)b1.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName); + + if (!name.equals(new DERBMPString("key"))) + { + fail("friendly name wrong"); + } + } + else + { + fail("no friendly name found on key"); + } + + if (b1.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId) != null) + { + ASN1OctetString id = (ASN1OctetString)b1.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId); + + if (!id.equals(b2.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId))) + { + fail("local key id mismatch"); + } + } + else + { + fail("no local key id found"); + } + + // + // check algorithm types. + // + ASN1InputStream aIn = new ASN1InputStream(bOut.toByteArray()); + + Pfx pfx = Pfx.getInstance(aIn.readObject()); + + ContentInfo cInfo = pfx.getAuthSafe(); + + ASN1OctetString auth = (ASN1OctetString)cInfo.getContent(); + + aIn = new ASN1InputStream(auth.getOctets()); + ASN1Sequence s1 = (ASN1Sequence)aIn.readObject(); + + ContentInfo c1 = ContentInfo.getInstance(s1.getObjectAt(0)); + ContentInfo c2 = ContentInfo.getInstance(s1.getObjectAt(1)); + + aIn = new ASN1InputStream(((ASN1OctetString)c1.getContent()).getOctets()); + + SafeBag sb = SafeBag.getInstance((((ASN1Sequence)aIn.readObject()).getObjectAt(0))); + + EncryptedPrivateKeyInfo encInfo = EncryptedPrivateKeyInfo.getInstance(sb.getBagValue()); + + if (!encInfo.getEncryptionAlgorithm().getAlgorithm().equals(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)) + { + fail("key encryption algorithm wrong"); + } + + // check the key encryption + + // check the certificate encryption + EncryptedData cb = EncryptedData.getInstance(c2.getContent()); + + if (type.endsWith("3DES")) + { + if (!cb.getEncryptionAlgorithm().getAlgorithm().equals(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)) + { + fail("expected 3DES found: " + cb.getEncryptionAlgorithm().getAlgorithm()); + } + } + else if (type.endsWith("40RC2")) + { + if (!cb.getEncryptionAlgorithm().getAlgorithm().equals(PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC)) + { + fail("expected 40 bit RC2 found: " + cb.getEncryptionAlgorithm().getAlgorithm()); + } + } + else + { + if (!cb.getEncryptionAlgorithm().getAlgorithm().equals(PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC)) + { + fail("expected 40 bit RC2 found: " + cb.getEncryptionAlgorithm().getAlgorithm()); + } + } + } + + private void testNoExtraLocalKeyID(byte[] store1data) + throws Exception + { + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC"); + + kpg.initialize(512); + + KeyPair newPair = kpg.genKeyPair(); + + KeyStore store1 = KeyStore.getInstance("PKCS12", "BC"); + + store1.load(new ByteArrayInputStream(store1data), passwd); + + KeyStore store2 = KeyStore.getInstance("PKCS12", "BC"); + + store2.load(null, null); + + PrivateKey k1 = (PrivateKey)store1.getKey("privatekey", null); + Certificate[] chain1 = store1.getCertificateChain("privatekey"); + + Certificate[] chain2 = new Certificate[chain1.length + 1]; + + System.arraycopy(chain1, 0, chain2, 1, chain1.length); + + chain2[0] = createCert(newPair.getPublic(), k1, "subject@bouncycastle.org", "extra@bouncycaste.org"); + + if (((PKCS12BagAttributeCarrier)chain1[0]).getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId) == null) + { + fail("localKeyID not found initially"); + } + + store2.setKeyEntry("new", newPair.getPrivate(), null, chain2); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + store2.store(bOut, passwd); + + store2.load(new ByteArrayInputStream(bOut.toByteArray()), passwd); + + chain2 = store2.getCertificateChain("new"); + + if (((PKCS12BagAttributeCarrier)chain2[1]).getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId) != null) + { + fail("localKeyID found after save"); + } + } + + public String getName() + { + return "PKCS12Store"; + } + + public void performTest() + throws Exception + { + testPKCS12Store(); + + + // converter tests + + KeyStore kS = KeyStore.getInstance("PKCS12", "BC"); + + byte[] data = PKCS12Util.convertToDefiniteLength(pkcs12); + kS.load(new ByteArrayInputStream(data), passwd); // check MAC + + ASN1Encodable obj = new ASN1StreamParser(data).readObject(); + if (!(obj instanceof DERSequenceParser)) + { + fail("Failed DER conversion test."); + } + + data = PKCS12Util.convertToDefiniteLength(pkcs12, passwd, "BC"); + kS.load(new ByteArrayInputStream(data), passwd); //check MAC + + obj = new ASN1StreamParser(data).readObject(); + if (!(obj instanceof DERSequenceParser)) + { + fail("Failed deep DER conversion test - outer."); + } + + Pfx pfx = Pfx.getInstance(obj); + + obj = new ASN1StreamParser(ASN1OctetString.getInstance(pfx.getAuthSafe().getContent()).getOctets()).readObject(); + if (!(obj instanceof DERSequenceParser)) + { + fail("Failed deep DER conversion test - inner."); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new PKCS12StoreTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java new file mode 100644 index 00000000..df8e8b5f --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXNameConstraintsTest.java @@ -0,0 +1,452 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralSubtree; +import org.bouncycastle.jce.provider.PKIXNameConstraintValidator; +import org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException; +import org.bouncycastle.util.test.SimpleTest; + +/** + * Test class for {@link PKIXNameConstraintValidator}. + * <p> + * The field testXYZ is the name to test. + * <p> + * The field testXYZIsConstraint must be tested if it is permitted and excluded. + * <p> + * The field testXYZIsNotConstraint must be tested if it is not permitted and + * not excluded. + * <p> + * Furthermore there are tests for the intersection and union of test names. + * + */ +public class PKIXNameConstraintsTest + extends SimpleTest +{ + + private final static String testEmail = "test@abc.test.com"; + + private final static String testEmailIsConstraint[] = + { "test@abc.test.com", "abc.test.com", ".test.com" }; + + private final static String testEmailIsNotConstraint[] = + { ".abc.test.com", "www.test.com", "test1@abc.test.com", "bc.test.com" }; + + private final static String email1[] = + { "test@test.com", "test@test.com", "test@test.com", "test@abc.test.com", + "test@test.com", "test@test.com", ".test.com", ".test.com", + ".test.com", ".test.com", "test.com", "abc.test.com", + "abc.test1.com", "test.com", "test.com", ".test.com" }; + + private final static String email2[] = + { "test@test.abc.com", "test@test.com", ".test.com", ".test.com", + "test.com", "test1.com", "test@test.com", ".test.com", + ".test1.com", "test.com", "test.com", ".test.com", ".test.com", + "test1.com", ".test.com", "abc.test.com" }; + + private final static String emailintersect[] = + { null, "test@test.com", null, "test@abc.test.com", "test@test.com", null, + null, ".test.com", null, null, "test.com", "abc.test.com", null, + null, null, "abc.test.com" }; + + private final static String emailunion[][] = + { + { "test@test.com", "test@test.abc.com" }, + { "test@test.com" }, + { "test@test.com", ".test.com" }, + { ".test.com" }, + { "test.com" }, + { "test@test.com", "test1.com" }, + { ".test.com", "test@test.com" }, + { ".test.com" }, + { ".test.com", ".test1.com" }, + { ".test.com", "test.com" }, + { "test.com" }, + { ".test.com" }, + { ".test.com", "abc.test1.com" }, + { "test1.com", "test.com" }, + { ".test.com", "test.com" }, + { ".test.com" } }; + + private final static String[] dn1 = + { "O=test org, OU=test org unit, CN=John Doe" }; + + private final static String[] dn2 = + { "O=test org, OU=test org unit" }; + + private final static String[][] dnUnion = + { + { "O=test org, OU=test org unit" } }; + + private final static String[] dnIntersection = + { "O=test org, OU=test org unit, CN=John Doe" }; + + private final static String testDN = "O=test org, OU=test org unit, CN=John Doe"; + + private final static String testDNIsConstraint[] = + { "O=test org, OU=test org unit", + "O=test org, OU=test org unit, CN=John Doe" }; + + private final static String testDNIsNotConstraint[] = + { "O=test org, OU=test org unit, CN=John Doe2", + "O=test org, OU=test org unit2", + "OU=test org unit, O=test org, CN=John Doe", + "O=test org, OU=test org unit, CN=John Doe, L=USA" }; + + private final static String testDNS = "abc.test.com"; + + private final static String testDNSIsConstraint[] = + { "test.com", "abc.test.com", "test.com" }; + + private final static String testDNSIsNotConstraint[] = + { "wwww.test.com", "ww.test.com", "www.test.com" }; + + private final static String dns1[] = + { "www.test.de", "www.test1.de", "www.test.de" }; + + private final static String dns2[] = + { "test.de", "www.test.de", "www.test.de" }; + + private final static String dnsintersect[] = + { "www.test.de", null, null }; + + private final static String dnsunion[][] = + { + { "test.de" }, + { "www.test1.de", "www.test.de" }, + { "www.test.de" } }; + + private final static String testURI = "http://karsten:password@abc.test.com:8080"; + + private final static String testURIIsConstraint[] = + { "abc.test.com", ".test.com" }; + + private final static String testURIIsNotConstraint[] = + { "xyz.test.com", ".abc.test.com" }; + + private final static String uri1[] = + { "www.test.de", ".test.de", "test1.de", ".test.de" }; + + private final static String uri2[] = + { "test.de", "www.test.de", "test1.de", ".test.de" }; + + private final static String uriintersect[] = + { null, "www.test.de", "test1.de", ".test.de" }; + + private final static String uriunion[][] = + { + { "www.test.de", "test.de" }, + { ".test.de" }, + { "test1.de" }, + { ".test.de" } }; + + private final static byte[] testIP = + + { (byte) 192, (byte) 168, 1, 2 }; + + private final static byte[][] testIPIsConstraint = + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0 }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 4 } }; + + private final static byte[][] testIPIsNotConstraint = + { + { (byte) 192, (byte) 168, 3, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 2 }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 3 } }; + + private final static byte[][] ip1 = + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFE, (byte) 0xFF }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 } }; + + private final static byte[][] ip2 = + { + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFC, 3 }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF }, + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 } }; + + private final static byte[][] ipintersect = + { + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFE, (byte) 0xFF }, + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF }, null }; + + private final static byte[][][] ipunion = + { + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFE, (byte) 0xFF }, + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFC, 3 } }, + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0xFF } }, + { + { (byte) 192, (byte) 168, 1, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 }, + { (byte) 192, (byte) 168, 0, 1, (byte) 0xFF, (byte) 0xFF, + (byte) 0xFF, (byte) 0x00 } } }; + + public String getName() + { + return "PKIXNameConstraintsTest"; + } + + public void performTest() throws Exception + { + testConstraints(GeneralName.rfc822Name, testEmail, + testEmailIsConstraint, testEmailIsNotConstraint, email1, email2, + emailunion, emailintersect); + testConstraints(GeneralName.dNSName, testDNS, testDNSIsConstraint, + testDNSIsNotConstraint, dns1, dns2, dnsunion, dnsintersect); + testConstraints(GeneralName.directoryName, testDN, testDNIsConstraint, + testDNIsNotConstraint, dn1, dn2, dnUnion, dnIntersection); + testConstraints(GeneralName.uniformResourceIdentifier, testURI, + testURIIsConstraint, testURIIsNotConstraint, uri1, uri2, uriunion, + uriintersect); + testConstraints(GeneralName.iPAddress, testIP, testIPIsConstraint, + testIPIsNotConstraint, ip1, ip2, ipunion, ipintersect); + } + + /** + * Tests string based GeneralNames for inclusion or exclusion. + * + * @param nameType The {@link GeneralName} type to test. + * @param testName The name to test. + * @param testNameIsConstraint The names where <code>testName</code> must + * be included and excluded. + * @param testNameIsNotConstraint The names where <code>testName</code> + * must not be excluded and included. + * @param testNames1 Operand 1 of test names to use for union and + * intersection testing. + * @param testNames2 Operand 2 of test names to use for union and + * intersection testing. + * @param testUnion The union results. + * @param testInterSection The intersection results. + * @throws Exception If an unexpected exception occurs. + */ + private void testConstraints( + int nameType, + String testName, + String[] testNameIsConstraint, + String[] testNameIsNotConstraint, + String[] testNames1, + String[] testNames2, + String[][] testUnion, + String[] testInterSection) throws Exception + { + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNameIsConstraint[i]))); + constraintValidator.checkPermitted(new GeneralName(nameType, testName)); + } + for (int i = 0; i < testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNameIsNotConstraint[i]))); + try + { + constraintValidator.checkPermitted(new GeneralName(nameType, testName)); + fail("not permitted name allowed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNameIsConstraint[i]))); + try + { + constraintValidator.checkExcluded(new GeneralName(nameType, testName)); + fail("excluded name missed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNameIsNotConstraint[i]))); + constraintValidator.checkExcluded(new GeneralName(nameType, testName)); + } + for (int i = 0; i < testNames1.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNames1[i]))); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, testNames2[i]))); + PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator(); + for (int j = 0; j < testUnion[i].length; j++) + { + constraints2.addExcludedSubtree(new GeneralSubtree( + new GeneralName(nameType, testUnion[i][j]))); + } + if (!constraints2.equals(constraintValidator)) + { + fail("union wrong: " + nameType); + } + constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNames1[i]))); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testNames2[i]))); + constraints2 = new PKIXNameConstraintValidator(); + if (testInterSection[i] != null) + { + constraints2.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, testInterSection[i]))); + } + else + { + constraints2.intersectEmptyPermittedSubtree(nameType); + } + if (!constraints2.equals(constraintValidator)) + { + fail("intersection wrong: " + nameType); + } + } + } + + /** + * Tests byte array based GeneralNames for inclusion or exclusion. + * + * @param nameType The {@link GeneralName} type to test. + * @param testName The name to test. + * @param testNameIsConstraint The names where <code>testName</code> must + * be included and excluded. + * @param testNameIsNotConstraint The names where <code>testName</code> + * must not be excluded and included. + * @param testNames1 Operand 1 of test names to use for union and + * intersection testing. + * @param testNames2 Operand 2 of test names to use for union and + * intersection testing. + * @param testUnion The union results. + * @param testInterSection The intersection results. + * @throws Exception If an unexpected exception occurs. + */ + private void testConstraints( + int nameType, + byte[] testName, + byte[][] testNameIsConstraint, + byte[][] testNameIsNotConstraint, + byte[][] testNames1, + byte[][] testNames2, + byte[][][] testUnion, + byte[][] testInterSection) throws Exception + { + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testNameIsConstraint[i])))); + constraintValidator.checkPermitted(new GeneralName(nameType, + new DEROctetString(testName))); + } + for (int i = 0; i < testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testNameIsNotConstraint[i])))); + try + { + constraintValidator.checkPermitted(new GeneralName(nameType, + new DEROctetString(testName))); + fail("not permitted name allowed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < testNameIsConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNameIsConstraint[i])))); + try + { + constraintValidator.checkExcluded(new GeneralName(nameType, + new DEROctetString(testName))); + fail("excluded name missed: " + nameType); + } + catch (PKIXNameConstraintValidatorException e) + { + // expected + } + } + for (int i = 0; i < testNameIsNotConstraint.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNameIsNotConstraint[i])))); + constraintValidator.checkExcluded(new GeneralName(nameType, + new DEROctetString(testName))); + } + for (int i = 0; i < testNames1.length; i++) + { + PKIXNameConstraintValidator constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNames1[i])))); + constraintValidator.addExcludedSubtree(new GeneralSubtree(new GeneralName( + nameType, new DEROctetString(testNames2[i])))); + PKIXNameConstraintValidator constraints2 = new PKIXNameConstraintValidator(); + for (int j = 0; j < testUnion[i].length; j++) + { + constraints2.addExcludedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testUnion[i][j])))); + } + if (!constraints2.equals(constraintValidator)) + { + fail("union wrong: " + nameType); + } + constraintValidator = new PKIXNameConstraintValidator(); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString(testNames1[i])))); + constraintValidator.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString(testNames2[i])))); + constraints2 = new PKIXNameConstraintValidator(); + if (testInterSection[i] != null) + { + constraints2.intersectPermittedSubtree(new GeneralSubtree( + new GeneralName(nameType, new DEROctetString( + testInterSection[i])))); + } + else + { + constraints2.intersectEmptyPermittedSubtree(nameType); + } + + if (!constraints2.equals(constraintValidator)) + { + fail("intersection wrong: " + nameType); + } + } + } + + public static void main(String[] args) + { + runTest(new PKIXNameConstraintsTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXPolicyMappingTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXPolicyMappingTest.java new file mode 100644 index 00000000..069a0063 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXPolicyMappingTest.java @@ -0,0 +1,450 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.InvalidAlgorithmParameterException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertStore; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.util.Date; +import java.util.HashSet; +import java.util.Hashtable; +import java.util.Set; + +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.CertificatePolicies; +import org.bouncycastle.asn1.x509.PolicyInformation; +import org.bouncycastle.asn1.x509.PolicyMappings; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.util.test.TestFailedException; +import org.bouncycastle.x509.X509V3CertificateGenerator; + +public class PKIXPolicyMappingTest + extends SimpleTest +{ + static X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); + + public String getName() + { + return "PKIXPolicyMapping"; + } + + /** + * TrustAnchor's Cert + */ + private X509Certificate createTrustCert( + PublicKey pubKey, + PrivateKey privKey) + throws Exception + { + String issuer = "C=JP, O=policyMappingAdditionalTest, OU=trustAnchor"; + String subject = "C=JP, O=policyMappingAdditionalTest, OU=trustAnchor"; + v3CertGen.setSerialNumber(BigInteger.valueOf(10)); + v3CertGen.setIssuerDN(new X509Principal(issuer)); + v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); + v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); + v3CertGen.setSubjectDN(new X509Principal(subject)); + v3CertGen.setPublicKey(pubKey); + v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + X509Certificate cert = v3CertGen.generate(privKey); + return cert; + } + + /** + * intermediate cert + */ + private X509Certificate createIntmedCert( + PublicKey pubKey, + PrivateKey caPrivKey, + PublicKey caPubKey, + CertificatePolicies policies, + Hashtable policyMap) + throws Exception + { + String issuer = "C=JP, O=policyMappingAdditionalTest, OU=trustAnchor"; + String subject = "C=JP, O=policyMappingAdditionalTest, OU=intmedCA"; + v3CertGen.reset(); + v3CertGen.setSerialNumber(BigInteger.valueOf(20)); + v3CertGen.setIssuerDN(new X509Principal(issuer)); + v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); + v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); + v3CertGen.setSubjectDN(new X509Principal(subject)); + v3CertGen.setPublicKey(pubKey); + v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + v3CertGen.addExtension(X509Extensions.CertificatePolicies, true, policies); + v3CertGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); + v3CertGen.addExtension(X509Extensions.PolicyMappings, true, new PolicyMappings(policyMap)); + X509Certificate cert = v3CertGen.generate(caPrivKey); + return cert; + } + + /** + * endEntity cert + */ + private X509Certificate createEndEntityCert( + PublicKey pubKey, + PrivateKey caPrivKey, + PublicKey caPubKey, + ASN1EncodableVector policies) + throws Exception + { + String issuer = "C=JP, O=policyMappingAdditionalTest, OU=intMedCA"; + String subject = "C=JP, O=policyMappingAdditionalTest, OU=endEntity"; + v3CertGen.reset(); + v3CertGen.setSerialNumber(BigInteger.valueOf(20)); + v3CertGen.setIssuerDN(new X509Principal(issuer)); + v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); + v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); + v3CertGen.setSubjectDN(new X509Principal(subject)); + v3CertGen.setPublicKey(pubKey); + v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); + v3CertGen.addExtension(X509Extensions.CertificatePolicies,true,new DERSequence(policies)); + X509Certificate cert = v3CertGen.generate(caPrivKey); + return cert; + } + + private String testPolicies( + int index, + X509Certificate trustCert, + X509Certificate intCert, + X509Certificate endCert, + Set requirePolicies, + boolean okay) + throws IOException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException + { + Set trust = new HashSet(); + trust.add(new TrustAnchor(trustCert, null)); + X509CertSelector targetConstraints = new X509CertSelector(); + targetConstraints.setSubject(endCert.getSubjectX500Principal().getEncoded()); + PKIXBuilderParameters params = new PKIXBuilderParameters(trust, targetConstraints); + + Set certs = new HashSet(); + certs.add(intCert); + certs.add(endCert); + CollectionCertStoreParameters pr = new CollectionCertStoreParameters(certs); + CertStore store = CertStore.getInstance("Collection",pr); + params.addCertStore(store); + + params.setRevocationEnabled(false); + if (requirePolicies != null) + { + params.setExplicitPolicyRequired(true); + params.setInitialPolicies(requirePolicies); + } + + CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC"); +// CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","SUN"); + PKIXCertPathBuilderResult result = null; + try + { + result = (PKIXCertPathBuilderResult)cpb.build(params); + + if (!okay) + { + fail(index + ": path validated when failure expected."); + } + +// if (result.getPolicyTree() != null) +// { +// System.out.println("OK"); +// System.out.println("policy: " + result.getPolicyTree()); +// } +// else +// { +// System.out.println("OK: policy tree = null"); +// } + + return ""; + } + catch (TestFailedException e) + { + throw e; + } + catch (Exception e) + { + if (okay) + { + fail(index + ": path failed to validate when success expected."); + } + + Throwable ee = e.getCause(); + if (ee != null) + { + return ee.getMessage(); + } + + return e.getMessage(); + } + } + + public void performTest() + throws Exception + { + // + // personal keys + // + RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + // + // intermediate keys. + // + RSAPublicKeySpec intPubKeySpec = new RSAPublicKeySpec( + new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16), + new BigInteger("ffff", 16)); + + + RSAPrivateCrtKeySpec intPrivKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("8de0d113c5e736969c8d2b047a243f8fe18edad64cde9e842d3669230ca486f7cfdde1f8eec54d1905fff04acc85e61093e180cadc6cea407f193d44bb0e9449b8dbb49784cd9e36260c39e06a947299978c6ed8300724e887198cfede20f3fbde658fa2bd078be946a392bd349f2b49c486e20c405588e306706c9017308e69", 16), + new BigInteger("ffff", 16), + new BigInteger("7deb1b194a85bcfd29cf871411468adbc987650903e3bacc8338c449ca7b32efd39ffc33bc84412fcd7df18d23ce9d7c25ea910b1ae9985373e0273b4dca7f2e0db3b7314056ac67fd277f8f89cf2fd73c34c6ca69f9ba477143d2b0e2445548aa0b4a8473095182631da46844c356f5e5c7522eb54b5a33f11d730ead9c0cff", 16), + new BigInteger("ef4cede573cea47f83699b814de4302edb60eefe426c52e17bd7870ec7c6b7a24fe55282ebb73775f369157726fcfb988def2b40350bdca9e5b418340288f649", 16), + new BigInteger("97c7737d1b9a0088c3c7b528539247fd2a1593e7e01cef18848755be82f4a45aa093276cb0cbf118cb41117540a78f3fc471ba5d69f0042274defc9161265721", 16), + new BigInteger("6c641094e24d172728b8da3c2777e69adfd0839085be7e38c7c4a2dd00b1ae969f2ec9d23e7e37090fcd449a40af0ed463fe1c612d6810d6b4f58b7bfa31eb5f", 16), + new BigInteger("70b7123e8e69dfa76feb1236d0a686144b00e9232ed52b73847e74ef3af71fb45ccb24261f40d27f98101e230cf27b977a5d5f1f15f6cf48d5cb1da2a3a3b87f", 16), + new BigInteger("e38f5750d97e270996a286df2e653fd26c242106436f5bab0f4c7a9e654ce02665d5a281f2c412456f2d1fa26586ef04a9adac9004ca7f913162cb28e13bf40d", 16)); + + // + // ca keys + // + RSAPublicKeySpec caPubKeySpec = new RSAPublicKeySpec( + new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16), + new BigInteger("11", 16)); + + RSAPrivateCrtKeySpec caPrivKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b259d2d6e627a768c94be36164c2d9fc79d97aab9253140e5bf17751197731d6f7540d2509e7b9ffee0a70a6e26d56e92d2edd7f85aba85600b69089f35f6bdbf3c298e05842535d9f064e6b0391cb7d306e0a2d20c4dfb4e7b49a9640bdea26c10ad69c3f05007ce2513cee44cfe01998e62b6c3637d3fc0391079b26ee36d5", 16), + new BigInteger("11", 16), + new BigInteger("92e08f83cc9920746989ca5034dcb384a094fb9c5a6288fcc4304424ab8f56388f72652d8fafc65a4b9020896f2cde297080f2a540e7b7ce5af0b3446e1258d1dd7f245cf54124b4c6e17da21b90a0ebd22605e6f45c9f136d7a13eaac1c0f7487de8bd6d924972408ebb58af71e76fd7b012a8d0e165f3ae2e5077a8648e619", 16), + new BigInteger("f75e80839b9b9379f1cf1128f321639757dba514642c206bbbd99f9a4846208b3e93fbbe5e0527cc59b1d4b929d9555853004c7c8b30ee6a213c3d1bb7415d03", 16), + new BigInteger("b892d9ebdbfc37e397256dd8a5d3123534d1f03726284743ddc6be3a709edb696fc40c7d902ed804c6eee730eee3d5b20bf6bd8d87a296813c87d3b3cc9d7947", 16), + new BigInteger("1d1a2d3ca8e52068b3094d501c9a842fec37f54db16e9a67070a8b3f53cc03d4257ad252a1a640eadd603724d7bf3737914b544ae332eedf4f34436cac25ceb5", 16), + new BigInteger("6c929e4e81672fef49d9c825163fec97c4b7ba7acb26c0824638ac22605d7201c94625770984f78a56e6e25904fe7db407099cad9b14588841b94f5ab498dded", 16), + new BigInteger("dae7651ee69ad1d081ec5e7188ae126f6004ff39556bde90e0b870962fa7b926d070686d8244fe5a9aa709a95686a104614834b0ada4b10f53197a5cb4c97339", 16)); + + // + // set up the keys + // + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + PrivateKey caPrivKey = fact.generatePrivate(caPrivKeySpec); + PublicKey caPubKey = fact.generatePublic(caPubKeySpec); + PrivateKey intPrivKey = fact.generatePrivate(intPrivKeySpec); + PublicKey intPubKey = fact.generatePublic(intPubKeySpec); + PrivateKey privKey = fact.generatePrivate(privKeySpec); + PublicKey pubKey = fact.generatePublic(pubKeySpec); + + X509Certificate trustCert = createTrustCert(caPubKey, caPrivKey); + CertificatePolicies intPolicies = null; + Hashtable map = null; + ASN1EncodableVector policies = null; + Set requirePolicies = null; + X509Certificate intCert = null; + X509Certificate endCert = null; + + /** + * valid test_00 + */ + intPolicies = new CertificatePolicies(new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0"))); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1","2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.2"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = null; + String msg = testPolicies(0, trustCert, intCert, endCert, requirePolicies, true); + checkMessage(0, msg, ""); + + /** + * test_01 + */ + intPolicies = new CertificatePolicies(new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0"))); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1","2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.2"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.16.840.1.101.3.2.1.48.1"); + msg = testPolicies(1, trustCert, intCert, endCert, requirePolicies, true); + checkMessage(1, msg, ""); + + /** + * test_02 + */ + intPolicies = new CertificatePolicies(new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0"))); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1","2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.2"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.5.29.32.0"); + msg = testPolicies(2, trustCert, intCert, endCert, requirePolicies, true); + checkMessage(2, msg, ""); + + /** + * test_03 + */ + intPolicies = new CertificatePolicies(new PolicyInformation[] + { new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.3")), + new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0")) }); + + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1","2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.2"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.16.840.1.101.3.2.1.48.1"); + msg = testPolicies(3, trustCert, intCert, endCert, requirePolicies, true); + checkMessage(3, msg, ""); + + /** + * test_04 + */ + intPolicies = new CertificatePolicies(new PolicyInformation[] + { new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.3")), + new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0")) } ); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.3"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.16.840.1.101.3.2.1.48.3"); + msg = testPolicies(4, trustCert, intCert, endCert, requirePolicies, true); + checkMessage(4, msg, ""); + + /** + * test_05 + */ + intPolicies = new CertificatePolicies(new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0"))); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.2"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.16.840.1.101.3.2.1.48.2"); + msg = testPolicies(5, trustCert, intCert, endCert, requirePolicies, false); + checkMessage(5, msg, "Path processing failed on policy."); + + /** + * test_06 + */ + intPolicies = new CertificatePolicies(new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0"))); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.1"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.16.840.1.101.3.2.1.48.1"); + msg = testPolicies(6, trustCert, intCert, endCert, requirePolicies, true); + checkMessage(6, msg, ""); + + /** + * test_07 + */ + intPolicies = new CertificatePolicies(new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0"))); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.2"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.16.840.1.101.3.2.1.48.3"); + msg = testPolicies(7, trustCert, intCert, endCert, requirePolicies, false); + checkMessage(7, msg, "Path processing failed on policy."); + + /** + * test_08 + */ + intPolicies = new CertificatePolicies(new PolicyInformation(new ASN1ObjectIdentifier("2.5.29.32.0"))); + map = new Hashtable(); + map.put("2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2"); + intCert = createIntmedCert(intPubKey, caPrivKey, caPubKey, intPolicies, map); + + policies = new ASN1EncodableVector(); + policies.add(new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.3.2.1.48.3"))); + endCert = createEndEntityCert(pubKey, intPrivKey, intPubKey, policies); + + requirePolicies = new HashSet(); + requirePolicies.add("2.16.840.1.101.3.2.1.48.1"); + msg = testPolicies(8, trustCert, intCert, endCert, requirePolicies, false); + checkMessage(8, msg, "Path processing failed on policy."); + } + + + private void checkMessage( + int index, + String msg, + String expected) + { + if (!msg.equals(expected)) + { + fail("test " + index + " failed got: " + msg + " expected: " + expected); + } + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new PKIXPolicyMappingTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXTest.java new file mode 100644 index 00000000..99d21b0b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PKIXTest.java @@ -0,0 +1,248 @@ + +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.security.Security; +import java.security.cert.CertificateFactory; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTestResult; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +public class PKIXTest + implements Test +{ + /* + * The following certs and crls are described in: + * http://www.ietf.org/internet-drafts/draft-ietf-pkix-new-part1-08.txt + * + * This section contains four examples: three certificates and a CRL. + * The first two certificates and the CRL comprise a minimal + * certification path. + * + * Section C.1 contains an annotated hex dump of a "self-signed" + * certificate issued by a CA whose distinguished name is + * cn=us,o=gov,ou=nist. The certificate contains a DSA public key with + * parameters, and is signed by the corresponding DSA private key. + * + * Section C.2 contains an annotated hex dump of an end entity + * certificate. The end entity certificate contains a DSA public key, + * and is signed by the private key corresponding to the "self-signed" + * certificate in section C.1. + * + * Section C.3 contains a dump of an end entity certificate which + * contains an RSA public key and is signed with RSA and MD5. This + * certificate is not part of the minimal certification path. + * + * Section C.4 contains an annotated hex dump of a CRL. The CRL is + * issued by the CA whose distinguished name is cn=us,o=gov,ou=nist and + * the list of revoked certificates includes the end entity certificate + * presented in C.2. + */ + + /** + * C.1 Certificate + * + * This section contains an annotated hex dump of a 699 byte version 3 + * certificate. The certificate contains the following information: + * (a) the serial number is 23 (17 hex); + * (b) the certificate is signed with DSA and the SHA-1 hash algorithm; + * (c) the issuer's distinguished name is OU=NIST; O=gov; C=US + * (d) and the subject's distinguished name is OU=NIST; O=gov; C=US + * (e) the certificate was issued on June 30, 1997 and will expire on + * December 31, 1997; + * (f) the certificate contains a 1024 bit DSA public key with + * parameters; + * (g) the certificate contains a subject key identifier extension + * generated using method (1) of section 4.2.1.2; and + * (h) the certificate is a CA certificate (as indicated through the + * basic constraints extension.) + */ + static byte[] rootCertBin = Hex.decode( + "308202bb3082027ba003020102020111300906072a8648ce380403302a310b30" + + "09060355040613025553310c300a060355040a1303676f76310d300b06035504" + + "0b13044e495354301e170d3937303633303030303030305a170d393731323331" + + "3030303030305a302a310b3009060355040613025553310c300a060355040a13" + + "03676f76310d300b060355040b13044e495354308201b83082012c06072a8648" + + "ce3804013082011f02818100b68b0f942b9acea525c6f2edfcfb9532ac011233" + + "b9e01cad909bbc48549ef394773c2c713555e6fe4f22cbd5d83e8993334dfcbd" + + "4f41643ea29870ec31b450deebf198280ac93e44b3fd22979683d018a3e3bd35" + + "5bffeea321726a7b96dab93f1e5a90af24d620f00d21a7d402b91afcac21fb9e" + + "949e4b42459e6ab24863fe43021500b20db0b101df0c6624fc1392ba55f77d57" + + "7481e5028181009abf46b1f53f443dc9a565fb91c08e47f10ac30147c2444236" + + "a99281de57c5e0688658007b1ff99b77a1c510a580917851513cf6fcfccc46c6" + + "817892843df4933d0c387e1a5b994eab1464f60c21224e28089c92b9669f40e8" + + "95f6d5312aef39a262c7b26d9e58c43aa81181846daff8b419b4c211aed0223b" + + "aa207fee1e57180381850002818100b59e1f490447d1dbf53addca0475e8dd75" + + "f69b8ab197d6596982d3034dfd3b365f4af2d14ec107f5d12ad378776356ea96" + + "614d420b7a1dfbab91a4cedeef77c8e5ef20aea62848afbe69c36aa530f2c2b9" + + "d9822b7dd9c4841fde0de854d71b992eb3d088f6d6639ba7e20e82d43b8a681b" + + "065631590b49eb99a5d581417bc955a3323030301d0603551d0e0416041486ca" + + "a5228162efad0a89bcad72412c2949f48656300f0603551d130101ff04053003" + + "0101ff300906072a8648ce380403032f00302c0214431bcf292545c04e52e77d" + + "d6fcb1664c83cf2d7702140b5b9a241198e8f3869004f608a9e18da5cc3ad4"); + + + /** + * C.2 Certificate + * + * This section contains an annotated hex dump of a 730 byte version 3 + * certificate. The certificate contains the following information: + * (a the serial number is 18 (12 hex); + * (b) the certificate is signed with DSA and the SHA-1 hash algorithm; + * (c) the issuer's distinguished name is OU=nist; O=gov; C=US + * (d) and the subject's distinguished name is CN=Tim Polk; OU=nist; + * O=gov; C=US + * (e) the certificate was valid from July 30, 1997 through December 1, + * 1997; + * (f) the certificate contains a 1024 bit DSA public key; + * (g) the certificate is an end entity certificate, as the basic + * constraints extension is not present; + * (h) the certificate contains an authority key identifier extension + * matching the subject key identifier of the certificate in Appendix + * C.1; and + * (i) the certificate includes one alternative name - an RFC 822 + * address of "wpolk@nist.gov". + */ + static byte[] userCert1Bin = Hex.decode( + "308202da30820299a003020102020112300906072a8648ce380403302a310b30" + + "09060355040613025553310c300a060355040a1303676f76310d300b06035504" + + "0b13044e495354301e170d3937303733303030303030305a170d393731323031" + + "3030303030305a303d310b3009060355040613025553310c300a060355040a13" + + "03676f76310d300b060355040b13044e4953543111300f060355040313085469" + + "6d20506f6c6b308201b73082012c06072a8648ce3804013082011f02818100b6" + + "8b0f942b9acea525c6f2edfcfb9532ac011233b9e01cad909bbc48549ef39477" + + "3c2c713555e6fe4f22cbd5d83e8993334dfcbd4f41643ea29870ec31b450deeb" + + "f198280ac93e44b3fd22979683d018a3e3bd355bffeea321726a7b96dab93f1e" + + "5a90af24d620f00d21a7d402b91afcac21fb9e949e4b42459e6ab24863fe4302" + + "1500b20db0b101df0c6624fc1392ba55f77d577481e5028181009abf46b1f53f" + + "443dc9a565fb91c08e47f10ac30147c2444236a99281de57c5e0688658007b1f" + + "f99b77a1c510a580917851513cf6fcfccc46c6817892843df4933d0c387e1a5b" + + "994eab1464f60c21224e28089c92b9669f40e895f6d5312aef39a262c7b26d9e" + + "58c43aa81181846daff8b419b4c211aed0223baa207fee1e5718038184000281" + + "8030b675f77c2031ae38bb7e0d2baba09c4bdf20d524133ccd98e55f6cb7c1ba" + + "4abaa9958053f00d72dc3337f4010bf5041f9d2e1f62d8843a9b25095a2dc846" + + "8e2bd4f50d3bc72dc66cb998c1253a444e8eca9561357cce15315c23131ea205" + + "d17a241ccbd3720990ff9b9d28c0a10aec469f0db8d0dcd018a62b5ef98fb595" + + "bea33e303c30190603551d1104123010810e77706f6c6b406e6973742e676f76" + + "301f0603551d2304183016801486caa5228162efad0a89bcad72412c2949f486" + + "56300906072a8648ce380403033000302d02143697cbe3b42ce1bb61a9d3cc24" + + "cc22929ff4f587021500abc979afd2161ca9e368a91410b4a02eff225a73"); + + + /** + * C.3 End Entity Certificate Using RSA + * + * This section contains an annotated hex dump of a 654 byte version 3 + * certificate. The certificate contains the following information: + * (a) the serial number is 256; + * (b) the certificate is signed with RSA and the SHA-1 hash algorithm; + * (c) the issuer's distinguished name is OU=NIST; O=gov; C=US + * (d) and the subject's distinguished name is CN=Tim Polk; OU=NIST; + * O=gov; C=US + * (e) the certificate was issued on May 21, 1996 at 09:58:26 and + * expired on May 21, 1997 at 09:58:26; + * (f) the certificate contains a 1024 bit RSA public key; + * (g) the certificate is an end entity certificate (not a CA + * certificate); + * (h) the certificate includes an alternative subject name of + * "<http://www.itl.nist.gov/div893/staff/polk/index.html>" and an + * alternative issuer name of "<http://www.nist.gov/>" - both are URLs; + * (i) the certificate include an authority key identifier extension + * and a certificate policies extension psecifying the policy OID + * 2.16.840.1.101.3.2.1.48.9; and + * (j) the certificate includes a critical key usage extension + * specifying that the public key is intended for verification of + * digital signatures. + */ + static byte[] userCert2Bin = Hex.decode( + "3082028e308201f7a00302010202020100300d06092a864886f70d0101050500" + + "302a310b3009060355040613025553310c300a060355040b1303676f76310d30" + + "0b060355040a13044e495354301e170d3936303532313039353832365a170d39" + + "37303532313039353832365a303d310b3009060355040613025553310c300a06" + + "0355040b1303676f76310d300b060355040a13044e4953543111300f06035504" + + "03130854696d20506f6c6b30819f300d06092a864886f70d010101050003818d" + + "0030818902818100e16ae4033097023cf410f3b51e4d7f147bf6f5d078e9a48a" + + "f0a375ecedb656967f8899859af23e687787eb9ed19fc0b417dcab8923a41d7e" + + "16234c4fa84df531b87caae31a4909f44b26db2767308212014ae91ab6c10c53" + + "8b6cfc2f7a43ec33367e32b27bd5aacf0114c612ec13f22d147a8b215814134c" + + "46a39af21695ff230203010001a381af3081ac303f0603551d11043830368634" + + "687474703a2f2f7777772e69746c2e6e6973742e676f762f6469763839332f73" + + "746166662f706f6c6b2f696e6465782e68746d6c301f0603551d120418301686" + + "14687474703a2f2f7777772e6e6973742e676f762f301f0603551d2304183016" + + "80140868af8533c8394a7af882938e706a4a20842c3230170603551d20041030" + + "0e300c060a60864801650302013009300e0603551d0f0101ff04040302078030" + + "0d06092a864886f70d0101050500038181008e8e3656788bbfa13975172ee310" + + "dc832b6834521cf66c1d525e5420105e4ca940f94b729e82b961dceb32a5bdb1" + + "b148f99b01bbebaf9b83f6528cb06d7cd09a39543e6d206fcdd0debe275f204f" + + "b6ab0df5b7e1bab4dfdf3dd4f6ed01fb6ecb9859ac41fb489c1ff65b46e029e2" + + "76ecc43a0afc92c5c0d2a9c9d32952876533"); + + /** + * This section contains an annotated hex dump of a version 2 CRL with + * one extension (cRLNumber). The CRL was issued by OU=NIST; O=gov; C=US + * on August 7, 1997; the next scheduled issuance was September 7, 1997. + * The CRL includes one revoked certificates: serial number 18 (12 hex), + * which was revoked on July 31, 1997 due to keyCompromise. The CRL + * itself is number 18, and it was signed with DSA and SHA-1. + */ + static byte[] crlBin = Hex.decode( + "3081cb30818c020101300906072a8648ce380403302a310b3009060355040613025553310c300a060355040a1303676f76310d300b060355040b13044e495354170d3937303830373030303030305a170d3937303930373030303030305a30223020020112170d3937303733313030303030305a300c300a0603551d1504030a0101a00e300c300a0603551d14040302010c300906072a8648ce380403032f00302c0214224e9f43ba950634f2bb5e65dba68005c03a29470214591a57c982d7022114c3d40b321b9616b11f465a"); + + + public TestResult perform() + { + try + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate rootCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(rootCertBin)); + X509Certificate userCert1 = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(userCert1Bin)); + X509Certificate userCert2 = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(userCert2Bin)); + X509CRL crl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(crlBin)); + rootCert.verify(rootCert.getPublicKey(), "BC"); + userCert1.verify(rootCert.getPublicKey(), "BC"); + + crl.verify(rootCert.getPublicKey(), "BC"); + + if (!crl.isRevoked(userCert1)) + { + return new SimpleTestResult(false, this.getName() + ": usercert1 not revoked."); + } + + if (crl.isRevoked(userCert2)) + { + return new SimpleTestResult(false, this.getName() + ": usercert2 revoked."); + } + + } + catch (Exception e) + { + return new SimpleTestResult(false, this.getName() + ": exception - " + e.toString()); + } + + return new SimpleTestResult(true, this.getName() + ": Okay"); + } + + public String getName() + { + return "PKIX"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + Test test = new PKIXTest(); + TestResult result = test.perform(); + + System.out.println(result.toString()); + } + +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PSSTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PSSTest.java new file mode 100644 index 00000000..c886c392 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/PSSTest.java @@ -0,0 +1,261 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.AlgorithmParameters; +import java.security.KeyFactory; +import java.security.MessageDigest; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.spec.MGF1ParameterSpec; +import java.security.spec.PSSParameterSpec; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPublicKeySpec; + +import org.bouncycastle.asn1.DERObjectIdentifier; +import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; +import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.FixedSecureRandom; +import org.bouncycastle.util.test.SimpleTest; + +public class PSSTest + extends SimpleTest +{ + private class FixedRandom + extends SecureRandom + { + byte[] vals; + + FixedRandom( + byte[] vals) + { + this.vals = vals; + } + + public void nextBytes( + byte[] bytes) + { + System.arraycopy(vals, 0, bytes, 0, vals.length); + } + } + + private boolean arrayEquals( + byte[] a, + byte[] b) + { + if (a.length != b.length) + { + return false; + } + + for (int i = 0; i != a.length; i++) + { + if (a[i] != b[i]) + { + return false; + } + } + + return true; + } + + + private RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), + new BigInteger("010001",16)); + + private RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137",16), + new BigInteger("010001",16), + new BigInteger("33a5042a90b27d4f5451ca9bbbd0b44771a101af884340aef9885f2a4bbe92e894a724ac3c568c8f97853ad07c0266c8c6a3ca0929f1e8f11231884429fc4d9ae55fee896a10ce707c3ed7e734e44727a39574501a532683109c2abacaba283c31b4bd2f53c3ee37e352cee34f9e503bd80c0622ad79c6dcee883547c6a3b325",16), + new BigInteger("e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443",16), + new BigInteger("b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd",16), + new BigInteger("28fa13938655be1f8a159cbaca5a72ea190c30089e19cd274a556f36c4f6e19f554b34c077790427bbdd8dd3ede2448328f385d81b30e8e43b2fffa027861979",16), + new BigInteger("1a8b38f398fa712049898d7fb79ee0a77668791299cdfa09efc0e507acb21ed74301ef5bfd48be455eaeb6e1678255827580a8e4e8e14151d1510a82a3f2e729",16), + new BigInteger("27156aba4126d24a81f3a528cbfb27f56886f840a9f6e86e17a44b94fe9319584b8e22fdde1e5a2e3bd8aa5ba8d8584194eb2190acf832b847f13a3d24a79f4d",16)); + + // PSSExample1.1 + + private byte[] msg1a = Hex.decode("cdc87da223d786df3b45e0bbbc721326d1ee2af806cc315475cc6f0d9c66e1b62371d45ce2392e1ac92844c310102f156a0d8d52c1f4c40ba3aa65095786cb769757a6563ba958fed0bcc984e8b517a3d5f515b23b8a41e74aa867693f90dfb061a6e86dfaaee64472c00e5f20945729cbebe77f06ce78e08f4098fba41f9d6193c0317e8b60d4b6084acb42d29e3808a3bc372d85e331170fcbf7cc72d0b71c296648b3a4d10f416295d0807aa625cab2744fd9ea8fd223c42537029828bd16be02546f130fd2e33b936d2676e08aed1b73318b750a0167d0"); + + private byte[] slt1a = Hex.decode("dee959c7e06411361420ff80185ed57f3e6776af"); + + private byte[] sig1a = Hex.decode("9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c"); + + private byte[] sig1b = Hex.decode("96ea348db4db2947aee807bd687411a880913706f21b383a1002b97e43656e5450a9d1812efbedd1ed159f8307986adf48bada66a8efd14bd9e2f6f6f458e73b50c8ce6e3079011c5b4bd1600a2601a66198a1582574a43f13e0966c6c2337e6ca0886cd9e1b1037aeadef1382117d22b35e7e4403f90531c8cfccdf223f98e4"); + + private byte[] sig1c = Hex.decode("9e64cc1062c537b142480bc5af407b55904ead970e20e0f8f6664279c96c6da6b03522160f224a85cc413dfe6bd00621485b665abac6d90ff38c9af06f4ddd6c7c81540439e5795601a1343d9feb465712ff8a5f5150391522fb5a9b8e2225a555f4efaa5e5c0ed7a19b27074c2d9f6dbbd0c893ba02c4a35b115d337bccd7a2"); + + public void performTest() throws Exception + { + KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); + + PrivateKey privKey = fact.generatePrivate(privKeySpec); + PublicKey pubKey = fact.generatePublic(pubKeySpec); + + Signature s = Signature.getInstance("SHA1withRSA/PSS", "BC"); + + s.initSign(privKey, new FixedRandom(slt1a)); + s.update(msg1a); + byte[] sig = s.sign(); + + if (!arrayEquals(sig1a, sig)) + { + fail("PSS Sign test expected " + new String(Hex.encode(sig1a)) + " got " + new String(Hex.encode(sig))); + } + + s = Signature.getInstance("SHA1withRSAandMGF1", "BC"); + + s.initVerify(pubKey); + s.update(msg1a); + if (!s.verify(sig1a)) + { + fail("SHA1 signature verification failed"); + } + + s = Signature.getInstance("SHA1withRSAandMGF1", "BC"); + + s.setParameter(PSSParameterSpec.DEFAULT); + + s.initVerify(pubKey); + s.update(msg1a); + if (!s.verify(sig1a)) + { + fail("SHA1 signature verification with default parameters failed"); + } + + AlgorithmParameters pss = s.getParameters(); + if (!arrayEquals(pss.getEncoded(), new byte[] { 0x30, 0x00 })) + { + fail("failed default encoding test."); + } + + s = Signature.getInstance("SHA256withRSA/PSS", "BC"); + + s.initSign(privKey, new FixedRandom(slt1a)); + s.update(msg1a); + sig = s.sign(); + + pss = s.getParameters(); + + if (!arrayEquals(sig1b, sig)) + { + fail("PSS Sign test expected " + new String(Hex.encode(sig1b)) + " got " + new String(Hex.encode(sig))); + } + + s = Signature.getInstance("SHA256withRSAandMGF1", "BC"); + + s.setParameter(pss.getParameterSpec(PSSParameterSpec.class)); + + s.initVerify(pubKey); + s.update(msg1a); + if (!s.verify(sig1b)) + { + fail("SHA256 signature verification failed"); + } + + // + // 512 test -with zero salt length + // + s = Signature.getInstance("SHA512withRSAandMGF1", "BC"); + + s.setParameter(new PSSParameterSpec("SHA-512", "MGF1", new MGF1ParameterSpec("SHA-512"), 0, 1)); + s.initSign(privKey); + + s.update(msg1a); + sig = s.sign(); + + pss = s.getParameters(); + + if (!arrayEquals(sig1c, sig)) + { + fail("PSS Sign test expected " + new String(Hex.encode(sig1c)) + " got " + new String(Hex.encode(sig))); + } + + s = Signature.getInstance("SHA512withRSAandMGF1", "BC"); + + s.setParameter(pss.getParameterSpec(PSSParameterSpec.class)); + + s.initVerify(pubKey); + s.update(msg1a); + if (!s.verify(sig1c)) + { + fail("SHA512 signature verification failed"); + } + + SecureRandom random = new SecureRandom(); + + // Note: PSS minimum key size determined by hash/salt lengths + PrivateKey priv2048Key = fact.generatePrivate(RSATest.priv2048KeySpec); + PublicKey pub2048Key = fact.generatePublic(RSATest.pub2048KeySpec); + + rawModeTest("SHA1withRSA/PSS", X509ObjectIdentifiers.id_SHA1, priv2048Key, pub2048Key, random); + rawModeTest("SHA224withRSA/PSS", NISTObjectIdentifiers.id_sha224, priv2048Key, pub2048Key, random); + rawModeTest("SHA256withRSA/PSS", NISTObjectIdentifiers.id_sha256, priv2048Key, pub2048Key, random); + rawModeTest("SHA384withRSA/PSS", NISTObjectIdentifiers.id_sha384, priv2048Key, pub2048Key, random); + rawModeTest("SHA512withRSA/PSS", NISTObjectIdentifiers.id_sha512, priv2048Key, pub2048Key, random); + } + + private void rawModeTest(String sigName, DERObjectIdentifier digestOID, + PrivateKey privKey, PublicKey pubKey, SecureRandom random) throws Exception + { + byte[] sampleMessage = new byte[1000 + random.nextInt(100)]; + random.nextBytes(sampleMessage); + + Signature normalSig = Signature.getInstance(sigName, "BC"); + + PSSParameterSpec spec = (PSSParameterSpec)normalSig.getParameters().getParameterSpec(PSSParameterSpec.class); + + // Make sure we generate the same 'random' salt for both normal and raw signers + int saltLen = spec.getSaltLength(); + byte[] fixedRandomBytes = new byte[saltLen]; + random.nextBytes(fixedRandomBytes); + + normalSig.initSign(privKey, new FixedSecureRandom(fixedRandomBytes)); + normalSig.update(sampleMessage); + byte[] normalResult = normalSig.sign(); + + MessageDigest digest = MessageDigest.getInstance(digestOID.getId(), "BC"); + byte[] hash = digest.digest(sampleMessage); + + Signature rawSig = Signature.getInstance("RAWRSASSA-PSS", "BC"); + + // Need to init the params explicitly to avoid having a 'raw' variety of every PSS algorithm + rawSig.setParameter(spec); + + rawSig.initSign(privKey, new FixedSecureRandom(fixedRandomBytes)); + rawSig.update(hash); + byte[] rawResult = rawSig.sign(); + + if (!Arrays.areEqual(normalResult, rawResult)) + { + fail("raw mode signature differs from normal one"); + } + + rawSig.initVerify(pubKey); + rawSig.update(hash); + + if (!rawSig.verify(rawResult)) + { + fail("raw mode signature verification failed"); + } + } + + public String getName() + { + return "PSSTest"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new PSSTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/RSATest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/RSATest.java new file mode 100644 index 00000000..a0a05727 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/RSATest.java @@ -0,0 +1,795 @@ +package org.bouncycastle.jce.provider.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.math.BigInteger; +import java.security.AlgorithmParameters; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.interfaces.RSAPrivateCrtKey; +import java.security.interfaces.RSAPublicKey; +import java.security.spec.MGF1ParameterSpec; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.RSAKeyGenParameterSpec; +import java.security.spec.RSAPrivateCrtKeySpec; +import java.security.spec.RSAPrivateKeySpec; +import java.security.spec.RSAPublicKeySpec; +import java.security.spec.X509EncodedKeySpec; + +import javax.crypto.Cipher; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.spec.OAEPParameterSpec; +import javax.crypto.spec.PSource; + +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; +import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.RSAESOAEPparams; +import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.DigestInfo; +import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class RSATest + extends SimpleTest +{ + /** + * a fake random number generator - we just want to make sure the random numbers + * aren't random so that we get the same output, while still getting to test the + * key generation facilities. + */ + private class FixedSecureRandom + extends SecureRandom + { + byte[] seed = { + (byte)0xaa, (byte)0xfd, (byte)0x12, (byte)0xf6, (byte)0x59, + (byte)0xca, (byte)0xe6, (byte)0x34, (byte)0x89, (byte)0xb4, + (byte)0x79, (byte)0xe5, (byte)0x07, (byte)0x6d, (byte)0xde, + (byte)0xc2, (byte)0xf0, (byte)0x6c, (byte)0xb5, (byte)0x8f + }; + + public void nextBytes( + byte[] bytes) + { + int offset = 0; + + while ((offset + seed.length) < bytes.length) + { + System.arraycopy(seed, 0, bytes, offset, seed.length); + offset += seed.length; + } + + System.arraycopy(seed, 0, bytes, offset, bytes.length - offset); + } + } + + private RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16)); + + private RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("b4a7e46170574f16a97082b22be58b6a2a629798419be12872a4bdba626cfae9900f76abfb12139dce5de56564fab2b6543165a040c606887420e33d91ed7ed7", 16), + new BigInteger("11", 16), + new BigInteger("9f66f6b05410cd503b2709e88115d55daced94d1a34d4e32bf824d0dde6028ae79c5f07b580f5dce240d7111f7ddb130a7945cd7d957d1920994da389f490c89", 16), + new BigInteger("c0a0758cdf14256f78d4708c86becdead1b50ad4ad6c5c703e2168fbf37884cb", 16), + new BigInteger("f01734d7960ea60070f1b06f2bb81bfac48ff192ae18451d5e56c734a5aab8a5", 16), + new BigInteger("b54bb9edff22051d9ee60f9351a48591b6500a319429c069a3e335a1d6171391", 16), + new BigInteger("d3d83daf2a0cecd3367ae6f8ae1aeb82e9ac2f816c6fc483533d8297dd7884cd", 16), + new BigInteger("b8f52fc6f38593dabb661d3f50f8897f8106eee68b1bce78a95b132b4e5b5d19", 16)); + + private RSAPublicKeySpec isoPubKeySpec = new RSAPublicKeySpec( + new BigInteger("0100000000000000000000000000000000bba2d15dbb303c8a21c5ebbcbae52b7125087920dd7cdf358ea119fd66fb064012ec8ce692f0a0b8e8321b041acd40b7", 16), + new BigInteger("03", 16)); + + private RSAPrivateKeySpec isoPrivKeySpec = new RSAPrivateKeySpec( + new BigInteger("0100000000000000000000000000000000bba2d15dbb303c8a21c5ebbcbae52b7125087920dd7cdf358ea119fd66fb064012ec8ce692f0a0b8e8321b041acd40b7", 16), + new BigInteger("2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac9f0783a49dd5f6c5af651f4c9d0dc9281c96a3f16a85f9572d7cc3f2d0f25a9dbf1149e4cdc32273faadd3fda5dcda7", 16)); + + static RSAPublicKeySpec pub2048KeySpec = new RSAPublicKeySpec( + new BigInteger("a7295693155b1813bb84877fb45343556e0568043de5910872a3a518cc11e23e2db74eaf4545068c4e3d258a2718fbacdcc3eafa457695b957e88fbf110aed049a992d9c430232d02f3529c67a3419935ea9b569f85b1bcd37de6b899cd62697e843130ff0529d09c97d813cb15f293751ff56f943fbdabb63971cc7f4f6d5bff1594416b1f5907bde5a84a44f9802ef29b43bda1960f948f8afb8766c1ab80d32eec88ed66d0b65aebe44a6d0b3c5e0ab051aaa1b912fbcc17b8e751ddecc5365b6db6dab0020c3057db4013a51213a5798a3aab67985b0f4d88627a54a0f3f0285fbcb4afdfeb65cb153af66825656d43238b75503231500753f4e421e3c57", 16), + new BigInteger("10001", 16)); + + static RSAPrivateCrtKeySpec priv2048KeySpec = new RSAPrivateCrtKeySpec( + new BigInteger("a7295693155b1813bb84877fb45343556e0568043de5910872a3a518cc11e23e2db74eaf4545068c4e3d258a2718fbacdcc3eafa457695b957e88fbf110aed049a992d9c430232d02f3529c67a3419935ea9b569f85b1bcd37de6b899cd62697e843130ff0529d09c97d813cb15f293751ff56f943fbdabb63971cc7f4f6d5bff1594416b1f5907bde5a84a44f9802ef29b43bda1960f948f8afb8766c1ab80d32eec88ed66d0b65aebe44a6d0b3c5e0ab051aaa1b912fbcc17b8e751ddecc5365b6db6dab0020c3057db4013a51213a5798a3aab67985b0f4d88627a54a0f3f0285fbcb4afdfeb65cb153af66825656d43238b75503231500753f4e421e3c57", 16), + new BigInteger("10001", 16), + new BigInteger("65dad56ac7df7abb434e4cb5eeadb16093aa6da7f0033aad3815289b04757d32bfee6ade7749c8e4a323b5050a2fb9e2a99e23469e1ed4ba5bab54336af20a5bfccb8b3424cc6923db2ffca5787ed87aa87aa614cd04cedaebc8f623a2d2063017910f436dff18bb06f01758610787f8b258f0a8efd8bd7de30007c47b2a1031696c7d6523bc191d4d918927a7e0b09584ed205bd2ff4fc4382678df82353f7532b3bbb81d69e3f39070aed3fb64fce032a089e8e64955afa5213a6eb241231bd98d702fba725a9b205952fda186412d9e0d9344d2998c455ad8c2bae85ee672751466d5288304032b5b7e02f7e558c7af82c7fbf58eea0bb4ef0f001e6cd0a9", 16), + new BigInteger("d4fd9ac3474fb83aaf832470643609659e511b322632b239b688f3cd2aad87527d6cf652fb9c9ca67940e84789444f2e99b0cb0cfabbd4de95396106c865f38e2fb7b82b231260a94df0e01756bf73ce0386868d9c41645560a81af2f53c18e4f7cdf3d51d80267372e6e0216afbf67f655c9450769cca494e4f6631b239ce1b", 16), + new BigInteger("c8eaa0e2a1b3a4412a702bccda93f4d150da60d736c99c7c566fdea4dd1b401cbc0d8c063daaf0b579953d36343aa18b33dbf8b9eae94452490cc905245f8f7b9e29b1a288bc66731a29e1dd1a45c9fd7f8238ff727adc49fff73991d0dc096206b9d3a08f61e7462e2b804d78cb8c5eccdb9b7fbd2ad6a8fea46c1053e1be75", 16), + new BigInteger("10edcb544421c0f9e123624d1099feeb35c72a8b34e008ac6fa6b90210a7543f293af4e5299c8c12eb464e70092805c7256e18e5823455ba0f504d36f5ccacac1b7cd5c58ff710f9c3f92646949d88fdd1e7ea5fed1081820bb9b0d2a8cd4b093fecfdb96dabd6e28c3a6f8c186dc86cddc89afd3e403e0fcf8a9e0bcb27af0b", 16), + new BigInteger("97fc25484b5a415eaa63c03e6efa8dafe9a1c8b004d9ee6e80548fefd6f2ce44ee5cb117e77e70285798f57d137566ce8ea4503b13e0f1b5ed5ca6942537c4aa96b2a395782a4cb5b58d0936e0b0fa63b1192954d39ced176d71ef32c6f42c84e2e19f9d4dd999c2151b032b97bd22aa73fd8c5bcd15a2dca4046d5acc997021", 16), + new BigInteger("4bb8064e1eff7e9efc3c4578fcedb59ca4aef0993a8312dfdcb1b3decf458aa6650d3d0866f143cbf0d3825e9381181170a0a1651eefcd7def786b8eb356555d9fa07c85b5f5cbdd74382f1129b5e36b4166b6cc9157923699708648212c484958351fdc9cf14f218dbe7fbf7cbd93a209a4681fe23ceb44bab67d66f45d1c9d", 16)); + + public void performTest() + throws Exception + { + KeyFactory fact; + byte[] input = new byte[] + { (byte)0x54, (byte)0x85, (byte)0x9b, (byte)0x34, (byte)0x2c, (byte)0x49, (byte)0xea, (byte)0x2a }; + byte[][] output = new byte[][] + { + Hex.decode("8b427f781a2e59dd9def386f1956b996ee07f48c96880e65a368055ed8c0a8831669ef7250b40918b2b1d488547e72c84540e42bd07b03f14e226f04fbc2d929"), + Hex.decode("2ec6e1a1711b6c7b8cd3f6a25db21ab8bb0a5f1d6df2ef375fa708a43997730ffc7c98856dbbe36edddcdd1b2d2a53867d8355af94fea3aeec128da908e08f4c"), + Hex.decode("0850ac4e5a8118323200c8ed1e5aaa3d5e635172553ccac66a8e4153d35c79305c4440f11034ab147fccce21f18a50cf1c0099c08a577eb68237a91042278965"), + Hex.decode("1c9649bdccb51056751fe43837f4eb43bada472accf26f65231666d5de7d11950d8379b3596dfdf75c6234274896fa8d18ad0865d3be2ac4d6687151abdf01e93941dcef18fa63186c9351d1506c89d09733c5ff4304208c812bdd21a50f56fde115e629e0e973721c9fcc87e89295a79853dee613962a0b2f2fc57163fd99057a3c776f13c20c26407eb8863998d7e53b543ba8d0a295a9a68d1a149833078c9809ad6a6dad7fc22a95ad615a73138c54c018f40d99bf8eeecd45f5be526f2d6b01aeb56381991c1ab31a2e756f15e052b9cd5638b2eff799795c5bae493307d5eb9f8c21d438de131fe505a4e7432547ab19224094f9e4be1968bd0793b79d"), + Hex.decode("4c4afc0c24dddaedd4f9a3b23be30d35d8e005ffd36b3defc5d18acc830c3ed388ce20f43a00e614fd087c814197bc9fc2eff9ad4cc474a7a2ef3ed9c0f0a55eb23371e41ee8f2e2ed93ea3a06ca482589ab87e0d61dcffda5eea1241408e43ea1108726cdb87cc3aa5e9eaaa9f72507ca1352ac54a53920c94dccc768147933d8c50aefd9d1da10522a40133cd33dbc0524669e70f771a88d65c4716d471cd22b08b9f01f24e4e9fc7ffbcfa0e0a7aed47b345826399b26a73be112eb9c5e06fc6742fc3d0ef53d43896403c5105109cfc12e6deeaf4a48ba308e039774b9bdb31a9b9e133c81c321630cf0b4b2d1f90717b24c3268e1fea681ea9cdc709342"), + Hex.decode("06b5b26bd13515f799e5e37ca43cace15cd82fd4bf36b25d285a6f0998d97c8cb0755a28f0ae66618b1cd03e27ac95eaaa4882bc6dc0078cd457d4f7de4154173a9c7a838cfc2ac2f74875df462aae0cfd341645dc51d9a01da9bdb01507f140fa8a016534379d838cc3b2a53ac33150af1b242fc88013cb8d914e66c8182864ee6de88ce2879d4c05dd125409620a96797c55c832fb2fb31d4310c190b8ed2c95fdfda2ed87f785002faaec3f35ec05cf70a3774ce185e4882df35719d582dd55ac31257344a9cba95189dcbea16e8c6cb7a235a0384bc83b6183ca8547e670fe33b1b91725ae0c250c9eca7b5ba78bd77145b70270bf8ac31653006c02ca9c"), + Hex.decode("135f1be3d045526235bf9d5e43499d4ee1bfdf93370769ae56e85dbc339bc5b7ea3bee49717497ee8ac3f7cd6adb6fc0f17812390dcd65ac7b87fef7970d9ff9"), + Hex.decode("03c05add1e030178c352face07cafc9447c8f369b8f95125c0d311c16b6da48ca2067104cce6cd21ae7b163cd18ffc13001aecebdc2eb02b9e92681f84033a98"), + Hex.decode("00319bb9becb49f3ed1bca26d0fcf09b0b0a508e4d0bd43b350f959b72cd25b3af47d608fdcd248eada74fbe19990dbeb9bf0da4b4e1200243a14e5cab3f7e610c") + }; + SecureRandom rand = new FixedSecureRandom(); + + + fact = KeyFactory.getInstance("RSA", "BC"); + + PrivateKey privKey = fact.generatePrivate(privKeySpec); + PublicKey pubKey = fact.generatePublic(pubKeySpec); + + PrivateKey priv2048Key = fact.generatePrivate(priv2048KeySpec); + PublicKey pub2048Key = fact.generatePublic(pub2048KeySpec); + + // + // No Padding + // + Cipher c = Cipher.getInstance("RSA", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + byte[] out = c.doFinal(input); + + if (!areEqual(out, output[0])) + { + fail("NoPadding test failed on encrypt expected " + new String(Hex.encode(output[0])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("NoPadding test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // No Padding - incremental + // + c = Cipher.getInstance("RSA", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + c.update(input); + + out = c.doFinal(); + + if (!areEqual(out, output[0])) + { + fail("NoPadding test failed on encrypt expected " + new String(Hex.encode(output[0])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("NoPadding test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // No Padding - incremental - explicit use of NONE in mode. + // + c = Cipher.getInstance("RSA/NONE/NoPadding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + c.update(input); + + out = c.doFinal(); + + if (!areEqual(out, output[0])) + { + fail("NoPadding test failed on encrypt expected " + new String(Hex.encode(output[0])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("NoPadding test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // No Padding - maximum length + // + c = Cipher.getInstance("RSA", "BC"); + + byte[] modBytes = ((RSAPublicKey)pubKey).getModulus().toByteArray(); + byte[] maxInput = new byte[modBytes.length - 1]; + + maxInput[0] |= 0x7f; + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.doFinal(maxInput); + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, maxInput)) + { + fail("NoPadding test failed on decrypt expected " + new String(Hex.encode(maxInput)) + " got " + new String(Hex.encode(out))); + } + + // + // PKCS1 V 1.5 + // + c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[1])) + { + fail("PKCS1 test failed on encrypt expected " + new String(Hex.encode(output[1])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("PKCS1 test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // PKCS1 V 1.5 - NONE + // + c = Cipher.getInstance("RSA/NONE/PKCS1Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[1])) + { + fail("PKCS1 test failed on encrypt expected " + new String(Hex.encode(output[1])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("PKCS1 test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // OAEP - SHA1 + // + c = Cipher.getInstance("RSA/NONE/OAEPPadding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[2])) + { + fail("OAEP test failed on encrypt expected " + new String(Hex.encode(output[2])) + " got " + new String(Hex.encode(out))); + } + + c = Cipher.getInstance("RSA/NONE/OAEPWithSHA1AndMGF1Padding", "BC"); + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("OAEP test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + AlgorithmParameters oaepP = c.getParameters(); + + if (!areEqual(oaepP.getEncoded(), + new RSAESOAEPparams( + new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE)), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_pSpecified, new DEROctetString(new byte[0]))).getEncoded())) + { + fail("OAEP test failed default sha-1 parameters"); + } + + // + // OAEP - SHA224 + // + c = Cipher.getInstance("RSA/NONE/OAEPWithSHA224AndMGF1Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pub2048Key, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[3])) + { + fail("OAEP SHA-224 test failed on encrypt expected " + new String(Hex.encode(output[2])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, priv2048Key); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("OAEP SHA-224 test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + oaepP = c.getParameters(); + + if (!areEqual(oaepP.getEncoded(), + new RSAESOAEPparams( + new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha224, DERNull.INSTANCE), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha224, DERNull.INSTANCE)), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_pSpecified, new DEROctetString(new byte[0]))).getEncoded())) + { + fail("OAEP test failed default sha-224 parameters"); + } + + // + // OAEP - SHA 256 + // + c = Cipher.getInstance("RSA/NONE/OAEPWithSHA256AndMGF1Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pub2048Key, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[4])) + { + fail("OAEP SHA-256 test failed on encrypt expected " + new String(Hex.encode(output[2])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, priv2048Key); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("OAEP SHA-256 test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + oaepP = c.getParameters(); + + if (!areEqual(oaepP.getEncoded(), + new RSAESOAEPparams( + new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE)), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_pSpecified, new DEROctetString(new byte[0]))).getEncoded())) + { + fail("OAEP test failed default sha-256 parameters"); + } + + // + // OAEP - SHA 384 + // + c = Cipher.getInstance("RSA/NONE/OAEPWithSHA384AndMGF1Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pub2048Key, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[5])) + { + fail("OAEP SHA-384 test failed on encrypt expected " + new String(Hex.encode(output[2])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, priv2048Key); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("OAEP SHA-384 test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + oaepP = c.getParameters(); + + if (!areEqual(oaepP.getEncoded(), + new RSAESOAEPparams( + new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha384, DERNull.INSTANCE), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha384, DERNull.INSTANCE)), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_pSpecified, new DEROctetString(new byte[0]))).getEncoded())) + { + fail("OAEP test failed default sha-384 parameters"); + } + + // + // OAEP - MD5 + // + c = Cipher.getInstance("RSA/NONE/OAEPWithMD5AndMGF1Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[6])) + { + fail("OAEP MD5 test failed on encrypt expected " + new String(Hex.encode(output[2])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("OAEP MD5 test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + oaepP = c.getParameters(); + + if (!areEqual(oaepP.getEncoded(), + new RSAESOAEPparams( + new AlgorithmIdentifier(PKCSObjectIdentifiers.md5, DERNull.INSTANCE), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, new AlgorithmIdentifier(PKCSObjectIdentifiers.md5, DERNull.INSTANCE)), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_pSpecified, new DEROctetString(new byte[0]))).getEncoded())) + { + fail("OAEP test failed default md5 parameters"); + } + + // + // OAEP - SHA1 with default parameters + // + c = Cipher.getInstance("RSA/NONE/OAEPPadding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, OAEPParameterSpec.DEFAULT, rand); + + out = c.doFinal(input); + + if (!areEqual(out, output[2])) + { + fail("OAEP test failed on encrypt expected " + new String(Hex.encode(output[2])) + " got " + new String(Hex.encode(out))); + } + + c = Cipher.getInstance("RSA/NONE/OAEPWithSHA1AndMGF1Padding", "BC"); + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("OAEP test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + oaepP = c.getParameters(); + + if (!areEqual(oaepP.getEncoded(), new byte[] { 0x30, 0x00 })) + { + fail("OAEP test failed default parameters"); + } + + // + // OAEP - SHA1 with specified string + // + c = Cipher.getInstance("RSA/NONE/OAEPPadding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, pubKey, new OAEPParameterSpec("SHA1", "MGF1", new MGF1ParameterSpec("SHA1"), new PSource.PSpecified(new byte[] { 1, 2, 3, 4, 5 })), rand); + + out = c.doFinal(input); + + oaepP = c.getParameters(); + + if (!areEqual(oaepP.getEncoded(), + new RSAESOAEPparams( + new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE)), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_pSpecified, new DEROctetString(new byte[] { 1, 2, 3, 4, 5 }))).getEncoded())) + { + fail("OAEP test failed changed sha-1 parameters"); + } + + if (!areEqual(out, output[7])) + { + fail("OAEP test failed on encrypt expected " + new String(Hex.encode(output[2])) + " got " + new String(Hex.encode(out))); + } + + c = Cipher.getInstance("RSA/NONE/OAEPWithSHA1AndMGF1Padding", "BC"); + + c.init(Cipher.DECRYPT_MODE, privKey, oaepP); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("OAEP test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // ISO9796-1 + // + byte[] isoInput = Hex.decode("fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"); + PrivateKey isoPrivKey = fact.generatePrivate(isoPrivKeySpec); + PublicKey isoPubKey = fact.generatePublic(isoPubKeySpec); + + c = Cipher.getInstance("RSA/NONE/ISO9796-1Padding", "BC"); + + c.init(Cipher.ENCRYPT_MODE, isoPrivKey); + + out = c.doFinal(isoInput); + + if (!areEqual(out, output[8])) + { + fail("ISO9796-1 test failed on encrypt expected " + new String(Hex.encode(output[3])) + " got " + new String(Hex.encode(out))); + } + + c.init(Cipher.DECRYPT_MODE, isoPubKey); + + out = c.doFinal(out); + + if (!areEqual(out, isoInput)) + { + fail("ISO9796-1 test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // + // generation with parameters test. + // + KeyPairGenerator keyPairGen = + KeyPairGenerator.getInstance("RSA", "BC"); + + // + // 768 bit RSA with e = 2^16-1 + // + keyPairGen.initialize( + new RSAKeyGenParameterSpec(768, + BigInteger.valueOf(65537)), + new SecureRandom()); + + KeyPair kp = keyPairGen.generateKeyPair(); + + pubKey = kp.getPublic(); + privKey = kp.getPrivate(); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.doFinal(input); + + c.init(Cipher.DECRYPT_MODE, privKey); + + out = c.doFinal(out); + + if (!areEqual(out, input)) + { + fail("key generation test failed on decrypt expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(out))); + } + + // + // comparison check + // + KeyFactory keyFact = KeyFactory.getInstance("RSA", "BC"); + + RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)keyFact.translateKey(privKey); + + if (!privKey.equals(crtKey)) + { + fail("private key equality check failed"); + } + + crtKey = (RSAPrivateCrtKey)keyFact.generatePrivate(new PKCS8EncodedKeySpec(privKey.getEncoded())); + + if (!privKey.equals(crtKey)) + { + fail("private key equality check failed"); + } + + crtKey = (RSAPrivateCrtKey)serializeDeserialize(privKey); + + if (!privKey.equals(crtKey)) + { + fail("private key equality check failed"); + } + + if (privKey.hashCode() != crtKey.hashCode()) + { + fail("private key hashCode check failed"); + } + + RSAPublicKey copyKey = (RSAPublicKey)keyFact.translateKey(pubKey); + + if (!pubKey.equals(copyKey)) + { + fail("public key equality check failed"); + } + + copyKey = (RSAPublicKey)keyFact.generatePublic(new X509EncodedKeySpec(pubKey.getEncoded())); + + if (!pubKey.equals(copyKey)) + { + fail("public key equality check failed"); + } + + copyKey = (RSAPublicKey)serializeDeserialize(pubKey); + + if (!pubKey.equals(copyKey)) + { + fail("public key equality check failed"); + } + + if (pubKey.hashCode() != copyKey.hashCode()) + { + fail("public key hashCode check failed"); + } + + oaepCompatibilityTest("SHA-1", priv2048Key, pub2048Key); + oaepCompatibilityTest("SHA-224", priv2048Key, pub2048Key); + oaepCompatibilityTest("SHA-256", priv2048Key, pub2048Key); + oaepCompatibilityTest("SHA-384", priv2048Key, pub2048Key); + oaepCompatibilityTest("SHA-512", priv2048Key, pub2048Key); + + SecureRandom random = new SecureRandom(); + rawModeTest("SHA1withRSA", X509ObjectIdentifiers.id_SHA1, priv2048Key, pub2048Key, random); + rawModeTest("MD5withRSA", PKCSObjectIdentifiers.md5, priv2048Key, pub2048Key, random); + rawModeTest("RIPEMD128withRSA", TeleTrusTObjectIdentifiers.ripemd128, priv2048Key, pub2048Key, random); + + // init reset test + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.update(new byte[40]); + + c.init(Cipher.ENCRYPT_MODE, pubKey, rand); + + out = c.update(new byte[40]); + } + + private void oaepCompatibilityTest(String digest, PrivateKey privKey, PublicKey pubKey) + throws Exception + { + if (Security.getProvider("SunJCE") == null || Security.getProvider("SunRsaSign") == null) + { + return; + } + + KeyFactory fact = KeyFactory.getInstance("RSA", "SunRsaSign"); + PrivateKey priv2048Key = fact.generatePrivate(priv2048KeySpec); + PublicKey pub2048Key = fact.generatePublic(pub2048KeySpec); + + byte[] data = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 }; + + Cipher sCipher; + try + { + sCipher = Cipher.getInstance("RSA/ECB/OAEPWith" + digest + "AndMGF1Padding", "SunJCE"); + } + catch (NoSuchAlgorithmException e) + { + return; + } + catch (NoSuchPaddingException e) + { + return; + } + + sCipher.init(Cipher.ENCRYPT_MODE, pub2048Key); + + byte[] enctext = sCipher.doFinal(data); + + Cipher bcCipher = Cipher.getInstance("RSA/ECB/OAEPWith" + digest + "AndMGF1Padding", "BC"); + + bcCipher.init(Cipher.DECRYPT_MODE, privKey, new OAEPParameterSpec(digest, "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)); + + byte[] plaintext = bcCipher.doFinal(enctext); + + if (!Arrays.areEqual(plaintext, data)) + { + fail("data did not decrypt first time"); + } + + bcCipher.init(Cipher.ENCRYPT_MODE, pubKey, new OAEPParameterSpec(digest, "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)); + + enctext = bcCipher.doFinal(data); + + sCipher.init(Cipher.DECRYPT_MODE, priv2048Key); + + plaintext = sCipher.doFinal(enctext); + + if (!Arrays.areEqual(plaintext, data)) + { + fail("data did not decrypt second time"); + } + } + + private void rawModeTest(String sigName, ASN1ObjectIdentifier digestOID, + PrivateKey privKey, PublicKey pubKey, SecureRandom random) throws Exception + { + byte[] sampleMessage = new byte[1000 + random.nextInt(100)]; + random.nextBytes(sampleMessage); + + Signature normalSig = Signature.getInstance(sigName, "BC"); + normalSig.initSign(privKey); + normalSig.update(sampleMessage); + byte[] normalResult = normalSig.sign(); + + MessageDigest digest = MessageDigest.getInstance(digestOID.getId(), "BC"); + byte[] hash = digest.digest(sampleMessage); + byte[] digInfo = derEncode(digestOID, hash); + + Signature rawSig = Signature.getInstance("RSA", "BC"); + rawSig.initSign(privKey); + rawSig.update(digInfo); + byte[] rawResult = rawSig.sign(); + + if (!Arrays.areEqual(normalResult, rawResult)) + { + fail("raw mode signature differs from normal one"); + } + + rawSig.initVerify(pubKey); + rawSig.update(digInfo); + + if (!rawSig.verify(rawResult)) + { + fail("raw mode signature verification failed"); + } + } + + private Object serializeDeserialize(Object o) + throws Exception + { + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + ObjectOutputStream oOut = new ObjectOutputStream(bOut); + + oOut.writeObject(o); + oOut.close(); + + ObjectInputStream oIn = new ObjectInputStream(new ByteArrayInputStream(bOut.toByteArray())); + + return oIn.readObject(); + } + + private byte[] derEncode(ASN1ObjectIdentifier oid, byte[] hash) throws IOException + { + AlgorithmIdentifier algId = new AlgorithmIdentifier(oid, DERNull.INSTANCE); + DigestInfo dInfo = new DigestInfo(algId, hash); + + return dInfo.getEncoded(ASN1Encoding.DER); + } + + public String getName() + { + return "RSATest"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new RSATest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/RegressionTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/RegressionTest.java new file mode 100644 index 00000000..85972a05 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/RegressionTest.java @@ -0,0 +1,97 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Security; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +public class RegressionTest +{ + public static Test[] tests = { + new FIPSDESTest(), + new DESedeTest(), + new AESTest(), + new CamelliaTest(), + new SEEDTest(), + new AESSICTest(), + new GOST28147Test(), + new PBETest(), + new BlockCipherTest(), + new MacTest(), + new HMacTest(), + new SealedTest(), + new RSATest(), + new DHTest(), + new DHIESTest(), + new DSATest(), + new ImplicitlyCaTest(), + new ECNRTest(), + new ECIESTest(), + new ECDSA5Test(), + new GOST3410Test(), + new ElGamalTest(), + new IESTest(), + new SigTest(), + new AttrCertTest(), + new CertTest(), + new PKCS10CertRequestTest(), + new EncryptedPrivateKeyInfoTest(), + new KeyStoreTest(), + new PKCS12StoreTest(), + new DigestTest(), + new PSSTest(), + new WrapTest(), + new DoFinalTest(), + new CipherStreamTest(), + new NamedCurveTest(), + new PKIXTest(), + new NetscapeCertRequestTest(), + new X509StoreTest(), + new X509StreamParserTest(), + new X509CertificatePairTest(), + new CertPathTest(), + new CertStoreTest(), + new CertPathValidatorTest(), + new CertPathBuilderTest(), + new ECEncodingTest(), + new AlgorithmParametersTest(), + new NISTCertPathTest(), + new PKIXPolicyMappingTest(), + new SlotTwoTest(), + new PKIXNameConstraintsTest(), + new MultiCertStoreTest(), + new NoekeonTest(), + new AttrCertSelectorTest(), + new SerialisationTest(), + new SigNameTest(), + new MQVTest(), + new CMacTest(), + new GMacTest(), + new DSTU4145Test(), + new CRL5Test(), + new SipHashTest(), + new SHA3Test() + }; + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + System.out.println("Testing " + Security.getProvider("BC").getInfo() + " version: " + Security.getProvider("BC").getVersion()); + + for (int i = 0; i != tests.length; i++) + { + TestResult result = tests[i].perform(); + + if (result.getException() != null) + { + result.getException().printStackTrace(); + } + + System.out.println(result); + } + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SEEDTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SEEDTest.java new file mode 100644 index 00000000..20364647 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SEEDTest.java @@ -0,0 +1,175 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.asn1.kisa.KISAObjectIdentifiers; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.spec.SecretKeySpec; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.IOException; +import java.security.Key; +import java.security.Security; + +/** + * basic test class for SEED + */ +public class SEEDTest + extends BaseBlockCipherTest +{ + static String[] cipherTests = + { + "128", + "28DBC3BC49FFD87DCFA509B11D422BE7", + "B41E6BE2EBA84A148E2EED84593C5EC7", + "9B9B7BFCD1813CB95D0B3618F40F5122" + }; + + public SEEDTest() + { + super("SEED"); + } + + public void test( + int strength, + byte[] keyBytes, + byte[] input, + byte[] output) + throws Exception + { + Key key; + Cipher in, out; + CipherInputStream cIn; + CipherOutputStream cOut; + ByteArrayInputStream bIn; + ByteArrayOutputStream bOut; + + key = new SecretKeySpec(keyBytes, "SEED"); + + in = Cipher.getInstance("SEED/ECB/NoPadding", "BC"); + out = Cipher.getInstance("SEED/ECB/NoPadding", "BC"); + + try + { + out.init(Cipher.ENCRYPT_MODE, key); + } + catch (Exception e) + { + fail("SEED failed initialisation - " + e.toString(), e); + } + + try + { + in.init(Cipher.DECRYPT_MODE, key); + } + catch (Exception e) + { + fail("SEED failed initialisation - " + e.toString(), e); + } + + // + // encryption pass + // + bOut = new ByteArrayOutputStream(); + + cOut = new CipherOutputStream(bOut, out); + + try + { + for (int i = 0; i != input.length / 2; i++) + { + cOut.write(input[i]); + } + cOut.write(input, input.length / 2, input.length - input.length / 2); + cOut.close(); + } + catch (IOException e) + { + fail("SEED failed encryption - " + e.toString(), e); + } + + byte[] bytes; + + bytes = bOut.toByteArray(); + + if (!areEqual(bytes, output)) + { + fail("SEED failed encryption - expected " + new String(Hex.encode(output)) + " got " + new String(Hex.encode(bytes))); + } + + // + // decryption pass + // + bIn = new ByteArrayInputStream(bytes); + + cIn = new CipherInputStream(bIn, in); + + try + { + DataInputStream dIn = new DataInputStream(cIn); + + bytes = new byte[input.length]; + + for (int i = 0; i != input.length / 2; i++) + { + bytes[i] = (byte)dIn.read(); + } + dIn.readFully(bytes, input.length / 2, bytes.length - input.length / 2); + } + catch (Exception e) + { + fail("SEED failed encryption - " + e.toString(), e); + } + + if (!areEqual(bytes, input)) + { + fail("SEED failed decryption - expected " + new String(Hex.encode(input)) + " got " + new String(Hex.encode(bytes))); + } + } + + public void performTest() + throws Exception + { + for (int i = 0; i != cipherTests.length; i += 4) + { + test(Integer.parseInt(cipherTests[i]), + Hex.decode(cipherTests[i + 1]), + Hex.decode(cipherTests[i + 2]), + Hex.decode(cipherTests[i + 3])); + } + + byte[] kek1 = Hex.decode("000102030405060708090a0b0c0d0e0f"); + byte[] in1 = Hex.decode("00112233445566778899aabbccddeeff"); + byte[] out1 = Hex.decode("bf71f77138b5afea05232a8dad54024e812dc8dd7d132559"); + + wrapTest(1, "SEEDWrap", kek1, in1, out1); + + String[] oids = { + KISAObjectIdentifiers.id_seedCBC.getId() + }; + + String[] names = { + "SEED/CBC/PKCS7Padding" + }; + + oidTest(oids, names, 1); + + String[] wrapOids = { + KISAObjectIdentifiers.id_npki_app_cmsSeed_wrap.getId() + }; + + wrapOidTest(wrapOids, "SEEDWrap"); + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new SEEDTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SHA3Test.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SHA3Test.java new file mode 100644 index 00000000..89b85ae4 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SHA3Test.java @@ -0,0 +1,136 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.MessageDigest; +import java.security.Security; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class SHA3Test + extends SimpleTest +{ + final static String provider = "BC"; + + static private byte[] nullMsg = new byte[0]; + + static private String[][] nullVectors = + { + { "SHA3-224", "f71837502ba8e10837bdd8d365adb85591895602fc552b48b7390abd" }, + { "SHA3-256", "c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470" }, + { "SHA3-384", "2c23146a63a29acf99e73b88f8c24eaa7dc60aa771780ccc006afbfa8fe2479b2dd2b21362337441ac12b515911957ff" }, + { "SHA3-512", "0eab42de4c3ceb9235fc91acffe746b29c29a8c366b7c60e4e67c466f36a4304c00fa9caf9d87976ba469bcbe06713b435f091ef2769fb160cdab33d3670680e" }, + }; + + static private byte[] shortMsg = Hex.decode("54686520717569636b2062726f776e20666f78206a756d7073206f76657220746865206c617a7920646f67"); + + static private String[][] shortVectors = + { + { "SHA3-224", "310aee6b30c47350576ac2873fa89fd190cdc488442f3ef654cf23fe" }, + { "SHA3-256", "4d741b6f1eb29cb2a9b9911c82f56fa8d73b04959d3d9d222895df6c0b28aa15" }, + { "SHA3-384", "283990fa9d5fb731d786c5bbee94ea4db4910f18c62c03d173fc0a5e494422e8a0b3da7574dae7fa0baf005e504063b3" }, + { "SHA3-512", "d135bb84d0439dbac432247ee573a23ea7d3c9deb2a968eb31d47c4fb45f1ef4422d6c531b5b9bd6f449ebcc449ea94d0a8f05f62130fda612da53c79659f609" }, + }; + + public String getName() + { + return "SHA3"; + } + + void test(String algorithm, byte[] message, String expected) + throws Exception + { + MessageDigest digest = MessageDigest.getInstance(algorithm, provider); + + byte[] result = digest.digest(message); + byte[] result2 = digest.digest(message); + + // test zero results valid + if (!MessageDigest.isEqual(result, Hex.decode(expected))) + { + fail("null result not equal for " + algorithm); + } + + // test one digest the same message with the same instance + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 1 not equal"); + } + + if (!MessageDigest.isEqual(result, Hex.decode(expected))) + { + fail("Result object 1 not equal"); + } + + // test two, single byte updates + for (int i = 0; i < message.length; i++) + { + digest.update(message[i]); + } + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 2 not equal"); + } + + // test three, two half updates + digest.update(message, 0, message.length/2); + digest.update(message, message.length/2, message.length-message.length/2); + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 3 not equal"); + } + + // test four, clone test + digest.update(message, 0, message.length/2); + MessageDigest d = (MessageDigest)digest.clone(); + digest.update(message, message.length/2, message.length-message.length/2); + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 4(a) not equal"); + } + + d.update(message, message.length/2, message.length-message.length/2); + result2 = d.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 4(b) not equal"); + } + + // test five, check reset() method + digest.update(message, 0, message.length/2); + digest.reset(); + digest.update(message, 0, message.length/2); + digest.update(message, message.length/2, message.length-message.length/2); + result2 = digest.digest(); + + if (!MessageDigest.isEqual(result, result2)) + { + fail("Result object 5 not equal"); + } + + } + + public void performTest() + throws Exception + { + for (int i = 0; i != nullVectors.length; i++) + { + test(nullVectors[i][0], nullMsg, nullVectors[i][1]); + test(shortVectors[i][0], shortMsg, shortVectors[i][1]); + } + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new SHA3Test()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SealedTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SealedTest.java new file mode 100644 index 00000000..9a7e3141 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SealedTest.java @@ -0,0 +1,79 @@ + +package org.bouncycastle.jce.provider.test; + +import java.security.Key; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.SealedObject; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTestResult; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +public class SealedTest + implements Test +{ + final static String provider = "BC"; + + public String getName() + { + return "SealedObject"; + } + + public TestResult perform() + { + try + { + KeyGenerator keyGen = KeyGenerator.getInstance("DES", provider); + Key key = keyGen.generateKey(); + Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding", provider); + + c.init(Cipher.ENCRYPT_MODE, key); + String object = "Hello world"; + SealedObject so = new SealedObject(object, c); + c.init(Cipher.DECRYPT_MODE, key); + + Object o = so.getObject(c); + if (!o.equals(object)) + { + return new SimpleTestResult(false, "Result object 1 not equal" + + "orig: " + object + " res: " + o); + } + + o = so.getObject(key); + if (!o.equals(object)) + { + return new SimpleTestResult(false, "Result object 2 not equal" + + "orig: " + object + " res: " + o); + } + + o = so.getObject(key, provider); + if (!o.equals(object)) + { + return new SimpleTestResult(false, "Result object 3 not equal" + + "orig: " + object + " res: " + o); + } + + return new SimpleTestResult(true, getName() + ": Okay"); + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + + ": failed excpetion - " + e.toString(), e); + } + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + Test test = new SealedTest(); + TestResult result = test.perform(); + + System.out.println(result.toString()); + } +} + diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SerialisationTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SerialisationTest.java new file mode 100644 index 00000000..3db5e984 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SerialisationTest.java @@ -0,0 +1,325 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.interfaces.ElGamalPrivateKey; +import org.bouncycastle.jce.interfaces.ElGamalPublicKey; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + +import javax.crypto.interfaces.DHPrivateKey; +import javax.crypto.interfaces.DHPublicKey; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.ObjectInputStream; +import java.math.BigInteger; +import java.security.interfaces.DSAPrivateKey; +import java.security.interfaces.DSAPublicKey; +import java.security.interfaces.RSAPrivateCrtKey; +import java.security.interfaces.RSAPublicKey; + +public class SerialisationTest + extends SimpleTest +{ + private static BigInteger mod = new BigInteger("69919157209851583596607278525201743749468350078269839551939850344506918649679"); + private static BigInteger pubExp = new BigInteger("65537"); + private static BigInteger privExp = new BigInteger("6387323103214694462561419908301918608189256611651974386490887304224030221257"); + private static BigInteger crtExp = new BigInteger("49050879172577973803420172068797326635"); + private static BigInteger p = new BigInteger("272712035519670228866910009292918035133"); + private static BigInteger q = new BigInteger("256384567247338962716621434774670631163"); + private static BigInteger expP = new BigInteger("121540093892892992427860713054115232161"); + private static BigInteger expQ = new BigInteger("169333445127196347119779037859859594883"); + + private static byte[] rsaPub = Base64.decode( + "rO0ABXNyAC1vcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KQ0VSU0FQdWJsaWNLZXklImoOW/pshAIAAkwAB21vZHV" + + "sdXN0ABZMamF2YS9tYXRoL0JpZ0ludGVnZXI7TAAOcHVibGljRXhwb25lbnRxAH4AAXhwc3IAFGphdmEubWF0aC5CaWdJbn" + + "RlZ2VyjPyfH6k7+x0DAAZJAAhiaXRDb3VudEkACWJpdExlbmd0aEkAE2ZpcnN0Tm9uemVyb0J5dGVOdW1JAAxsb3dlc3RTZ" + + "XRCaXRJAAZzaWdudW1bAAltYWduaXR1ZGV0AAJbQnhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cP//////////" + + "/////v////4AAAABdXIAAltCrPMX+AYIVOACAAB4cAAAACCalNcvvJNMM944KWzzuH2MXkKbiW10OEzGQb9B9MM/T3hzcQB" + + "+AAP///////////////7////+AAAAAXVxAH4ABwAAAAMBAAF4"); + + private static byte[] rsaPriv = Base64.decode( + "rO0ABXNyADFvcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KQ0VSU0FQcml2YXRlQ3J0S2V5bLqHzgJzVS4CAAZMAA5" + + "jcnRDb2VmZmljaWVudHQAFkxqYXZhL21hdGgvQmlnSW50ZWdlcjtMAA5wcmltZUV4cG9uZW50UHEAfgABTAAOcHJpbWVFeH" + + "BvbmVudFFxAH4AAUwABnByaW1lUHEAfgABTAAGcHJpbWVRcQB+AAFMAA5wdWJsaWNFeHBvbmVudHEAfgABeHIALm9yZy5ib" + + "3VuY3ljYXN0bGUuamNlLnByb3ZpZGVyLkpDRVJTQVByaXZhdGVLZXlG6wnAB89BHAMABEwAB21vZHVsdXNxAH4AAUwAEHBr" + + "Y3MxMkF0dHJpYnV0ZXN0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAA5wa2NzMTJPcmRlcmluZ3QAEkxqYXZhL3V0aWwvVmV" + + "jdG9yO0wAD3ByaXZhdGVFeHBvbmVudHEAfgABeHBzcgAUamF2YS5tYXRoLkJpZ0ludGVnZXKM/J8fqTv7HQMABkkACGJpdE" + + "NvdW50SQAJYml0TGVuZ3RoSQATZmlyc3ROb256ZXJvQnl0ZU51bUkADGxvd2VzdFNldEJpdEkABnNpZ251bVsACW1hZ25pd" + + "HVkZXQAAltCeHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhw///////////////+/////gAAAAF1cgACW0Ks8xf4" + + "BghU4AIAAHhwAAAAIJqU1y+8k0wz3jgpbPO4fYxeQpuJbXQ4TMZBv0H0wz9PeHNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7s" + + "PJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAACHcIAAAACwAAAAB4c3IAEGphdmEudXRpbC5WZW" + + "N0b3LZl31bgDuvAQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0ABNbTGphd" + + "mEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBw" + + "cHBweHNxAH4ABv///////////////v////4AAAABdXEAfgAKAAAAIA4fGMVoocAtYNiamDRvnzBmMv/l8FibkQsOUJjxrmP" + + "JeHhzcQB+AAb///////////////7////+AAAAAXVxAH4ACgAAABAk5tsPIq2YfF0nfLPvAKUreHNxAH4ABv////////////" + + "///v////4AAAABdXEAfgAKAAAAEFtvxUfS67k0bWmAU9/geaF4c3EAfgAG///////////////+/////gAAAAF1cQB+AAoAA" + + "AAQf2RvbOpsxhCjGK1vhd7+g3hzcQB+AAb///////////////7////+AAAAAXVxAH4ACgAAABDNKm1zRn/cYal03dRjdxK9" + + "eHNxAH4ABv///////////////v////4AAAABdXEAfgAKAAAAEMDh3xza3MJ4XNak/35BYPt4c3EAfgAG///////////////" + + "+/////gAAAAF1cQB+AAoAAAADAQABeA=="); + + private static BigInteger elGamalY = new BigInteger("89822212135401014750127909969755994242838935150891306006689219384134393835581"); + private static BigInteger elGamalX = new BigInteger("23522982289275336984843296896007818700866293719703239515258104457243931686357"); + private static BigInteger elGamalG = new BigInteger("29672625807664138507782226105202719390719480236799714903174779490259822385963"); + private static BigInteger elGamalP = new BigInteger("98263422916834911205348180460395783697757584103849580149025105739079617780363"); + + private static byte[] elGamalPub = Base64.decode( + "rO0ABXNyADFvcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KQ0VFbEdhbWFsUHVibGljS2V5eOnUVVUsZjQDAAJMAAZ" + + "lbFNwZWN0ADBMb3JnL2JvdW5jeWNhc3RsZS9qY2Uvc3BlYy9FbEdhbWFsUGFyYW1ldGVyU3BlYztMAAF5dAAWTGphdmEvbW" + + "F0aC9CaWdJbnRlZ2VyO3hwc3IAFGphdmEubWF0aC5CaWdJbnRlZ2VyjPyfH6k7+x0DAAZJAAhiaXRDb3VudEkACWJpdExlb" + + "md0aEkAE2ZpcnN0Tm9uemVyb0J5dGVOdW1JAAxsb3dlc3RTZXRCaXRJAAZzaWdudW1bAAltYWduaXR1ZGV0AAJbQnhyABBq" + + "YXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cP///////////////v////4AAAABdXIAAltCrPMX+AYIVOACAAB4cAAAACD" + + "GlZIJNbVQCnj4wiR0o8gGbKtJEWJBllz8NAELXcqwPXhzcQB+AAT///////////////7////+AAAAAXVxAH4ACAAAACDZPy" + + "BetQ1Ed8NUnTfXb+MBhFVK1KRe2LzQP7oVz2Kai3hzcQB+AAT///////////////7////+AAAAAXVxAH4ACAAAACBBmhxth" + + "0FhU4SsG01Wjyi1dlZFZvOy1zFC12XRGO8bK3h4"); + + private static byte[] elGamalPriv = Base64.decode( + "rO0ABXNyADJvcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KQ0VFbEdhbWFsUHJpdmF0ZUtleULhxV+2vMBOAwAETAA" + + "GZWxTcGVjdAAwTG9yZy9ib3VuY3ljYXN0bGUvamNlL3NwZWMvRWxHYW1hbFBhcmFtZXRlclNwZWM7TAAQcGtjczEyQXR0cm" + + "lidXRlc3QAFUxqYXZhL3V0aWwvSGFzaHRhYmxlO0wADnBrY3MxMk9yZGVyaW5ndAASTGphdmEvdXRpbC9WZWN0b3I7TAABe" + + "HQAFkxqYXZhL21hdGgvQmlnSW50ZWdlcjt4cHNyABRqYXZhLm1hdGguQmlnSW50ZWdlcoz8nx+pO/sdAwAGSQAIYml0Q291" + + "bnRJAAliaXRMZW5ndGhJABNmaXJzdE5vbnplcm9CeXRlTnVtSQAMbG93ZXN0U2V0Qml0SQAGc2lnbnVtWwAJbWFnbml0dWR" + + "ldAACW0J4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHD///////////////7////+AAAAAXVyAAJbQqzzF/gGCF" + + "TgAgAAeHAAAAAgNAGJQeYfM6ToYoA3ePFdEe7yh8hKecr+WZA0AwxrtdV4c3EAfgAG///////////////+/////gAAAAF1c" + + "QB+AAoAAAAg2T8gXrUNRHfDVJ0312/jAYRVStSkXti80D+6Fc9imot4c3EAfgAG///////////////+/////gAAAAF1cQB+" + + "AAoAAAAgQZocbYdBYVOErBtNVo8otXZWRWbzstcxQtdl0RjvGyt4eA=="); + + private static BigInteger dhY = new BigInteger("1925747248304483170395506065378568192931506039297732684689153183373019672434"); + private static BigInteger dhX = new BigInteger("3"); + private static BigInteger dhG = new BigInteger("3493483775405590747011712302510626058005717040655777294576367636428413099058"); + private static BigInteger dhP = new BigInteger("106557663805518855012633095511067237673895862256610675920943888960856082029127"); + + private static byte[] dhPub = Base64.decode( + "rO0ABXNyACxvcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KQ0VESFB1YmxpY0tlefz+KCkPI+T8AwACTAAGZGhTcGV" + + "jdAAjTGphdmF4L2NyeXB0by9zcGVjL0RIUGFyYW1ldGVyU3BlYztMAAF5dAAWTGphdmEvbWF0aC9CaWdJbnRlZ2VyO3hwc3" + + "IAFGphdmEubWF0aC5CaWdJbnRlZ2VyjPyfH6k7+x0DAAZJAAhiaXRDb3VudEkACWJpdExlbmd0aEkAE2ZpcnN0Tm9uemVyb" + + "0J5dGVOdW1JAAxsb3dlc3RTZXRCaXRJAAZzaWdudW1bAAltYWduaXR1ZGV0AAJbQnhyABBqYXZhLmxhbmcuTnVtYmVyhqyV" + + "HQuU4IsCAAB4cP///////////////v////4AAAABdXIAAltCrPMX+AYIVOACAAB4cAAAACAEQe8vYXxZPS5oAUy0e0yRYxK" + + "EAO3GjhMWZKNw8flvcnhzcQB+AAT///////////////7////+AAAAAXVxAH4ACAAAACDrlYAb5zOABHPgsK6oIKtMFgPD3v" + + "nbTosOnokaSVsaR3hzcQB+AAT///////////////7////+AAAAAXVxAH4ACAAAACAHuT3jEhOVRGfaKdFOX6J2vDYxiMPQW" + + "ljjL/3Xz85cMnh3BAAAAAB4"); + + private static byte[] dhPriv = Base64.decode( + "rO0ABXNyAC1vcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KQ0VESFByaXZhdGVLZXkEURpYQRlitAMABEwABmRoU3B" + + "lY3QAI0xqYXZheC9jcnlwdG8vc3BlYy9ESFBhcmFtZXRlclNwZWM7TAAQcGtjczEyQXR0cmlidXRlc3QAFUxqYXZhL3V0aW" + + "wvSGFzaHRhYmxlO0wADnBrY3MxMk9yZGVyaW5ndAASTGphdmEvdXRpbC9WZWN0b3I7TAABeHQAFkxqYXZhL21hdGgvQmlnS" + + "W50ZWdlcjt4cHNyABRqYXZhLm1hdGguQmlnSW50ZWdlcoz8nx+pO/sdAwAGSQAIYml0Q291bnRJAAliaXRMZW5ndGhJABNm" + + "aXJzdE5vbnplcm9CeXRlTnVtSQAMbG93ZXN0U2V0Qml0SQAGc2lnbnVtWwAJbWFnbml0dWRldAACW0J4cgAQamF2YS5sYW5" + + "nLk51bWJlcoaslR0LlOCLAgAAeHD///////////////7////+AAAAAXVyAAJbQqzzF/gGCFTgAgAAeHAAAAABA3hzcQB+AA" + + "b///////////////7////+AAAAAXVxAH4ACgAAACDrlYAb5zOABHPgsK6oIKtMFgPD3vnbTosOnokaSVsaR3hzcQB+AAb//" + + "/////////////7////+AAAAAXVxAH4ACgAAACAHuT3jEhOVRGfaKdFOX6J2vDYxiMPQWljjL/3Xz85cMnh3BAAAAAB4"); + + private static BigInteger dsaY = new BigInteger("6189794363048388077684611193598066807847399153242870209962581468350882042922904596556915269714052441467859854436813271130403014368908908961326314287317209"); + private static BigInteger dsaX = new BigInteger("45673695048287886591258561084679393738177012644"); + private static BigInteger dsaG = new BigInteger("3245524385217980657302535456606469153364622623109429686740209357408427939040123729832874550911504858612362156241316117434271994372338032643547044203024422"); + private static BigInteger dsaP = new BigInteger("8836853285188714261909188099204635517862922237850722644742752953058083563923137941667883080809922365262319540202714582925718707421743492259382127680083261"); + + private static byte[] dsaPub = Base64.decode( + "rO0ABXNyAC1vcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KREtEU0FQdWJsaWNLZXkYUfY34kLIBwMAAkwAB2RzYVN" + + "wZWN0ACRMamF2YS9zZWN1cml0eS9pbnRlcmZhY2VzL0RTQVBhcmFtcztMAAF5dAAWTGphdmEvbWF0aC9CaWdJbnRlZ2VyO3" + + "hwc3IAFGphdmEubWF0aC5CaWdJbnRlZ2VyjPyfH6k7+x0DAAZJAAhiaXRDb3VudEkACWJpdExlbmd0aEkAE2ZpcnN0Tm9ue" + + "mVyb0J5dGVOdW1JAAxsb3dlc3RTZXRCaXRJAAZzaWdudW1bAAltYWduaXR1ZGV0AAJbQnhyABBqYXZhLmxhbmcuTnVtYmVy" + + "hqyVHQuU4IsCAAB4cP///////////////v////4AAAABdXIAAltCrPMX+AYIVOACAAB4cAAAAEB2LxWpG2UqKz0HcWZwDii" + + "fO0+3sXqWwmnAnHw8HbPRbtJUozr0As4FX7loWxvWyV+CJDse2KwdxISyMmq6hMDZeHNxAH4ABP///////////////v////" + + "4AAAABdXEAfgAIAAAAQKi5o5xNZaCAFFAV6dWnHHjG0TVoA7d34RUNF0GhquH6BH/W3BvW4fy428+NPnCgUvJM9iLBTpuBn" + + "oepupEE1T14c3EAfgAE///////////////+/////gAAAAF1cQB+AAgAAAAU/tVyr5rbnY4WkK7C6NK21c9jn8V4c3EAfgAE" + + "///////////////+/////gAAAAF1cQB+AAgAAABAPffK8RBcfUspb5PsGDyjZf4Tqcmo5UhuaABmUnq8Vqb3P7jc1+LNaTh" + + "mUJSnjWQ4+kyCeeJgPH9d3iBd5blQJnh4"); + + private static byte[] dsaPriv = Base64.decode( + "rO0ABXNyAC5vcmcuYm91bmN5Y2FzdGxlLmpjZS5wcm92aWRlci5KREtEU0FQcml2YXRlS2V5vxcJOSU9rboDAANMAAthdHR" + + "yQ2FycmllcnQAPUxvcmcvYm91bmN5Y2FzdGxlL2pjZS9wcm92aWRlci9QS0NTMTJCYWdBdHRyaWJ1dGVDYXJyaWVySW1wbD" + + "tMAAdkc2FTcGVjdAAkTGphdmEvc2VjdXJpdHkvaW50ZXJmYWNlcy9EU0FQYXJhbXM7TAABeHQAFkxqYXZhL21hdGgvQmlnS" + + "W50ZWdlcjt4cHNyABRqYXZhLm1hdGguQmlnSW50ZWdlcoz8nx+pO/sdAwAGSQAIYml0Q291bnRJAAliaXRMZW5ndGhJABNm" + + "aXJzdE5vbnplcm9CeXRlTnVtSQAMbG93ZXN0U2V0Qml0SQAGc2lnbnVtWwAJbWFnbml0dWRldAACW0J4cgAQamF2YS5sYW5" + + "nLk51bWJlcoaslR0LlOCLAgAAeHD///////////////7////+AAAAAXVyAAJbQqzzF/gGCFTgAgAAeHAAAAAUCAAUTkau3a" + + "uChEXbN4isGH4aY6R4c3EAfgAF///////////////+/////gAAAAF1cQB+AAkAAABAqLmjnE1loIAUUBXp1acceMbRNWgDt" + + "3fhFQ0XQaGq4foEf9bcG9bh/Ljbz40+cKBS8kz2IsFOm4Geh6m6kQTVPXhzcQB+AAX///////////////7////+AAAAAXVx" + + "AH4ACQAAABT+1XKvmtudjhaQrsLo0rbVz2OfxXhzcQB+AAX///////////////7////+AAAAAXVxAH4ACQAAAEA998rxEFx" + + "9Sylvk+wYPKNl/hOpyajlSG5oAGZSerxWpvc/uNzX4s1pOGZQlKeNZDj6TIJ54mA8f13eIF3luVAmeHNyABNqYXZhLnV0aW" + + "wuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAACHcIAAAACwAAAAB4c3IAE" + + "GphdmEudXRpbC5WZWN0b3LZl31bgDuvAQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVu" + + "dERhdGF0ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB" + + "4cAAAAApwcHBwcHBwcHBweHg="); + + public String getName() + { + return "Serialisation"; + } + + public void performTest() throws Exception + { + rsaTest(); + elGamalTest(); + dhTest(); + dsaTest(); + } + + private void rsaTest() + throws IOException, ClassNotFoundException + { + RSAPublicKey pub = (RSAPublicKey)readObject(rsaPub); + + if (!mod.equals(pub.getModulus())) + { + fail("public key modulus mismatch"); + } + if (!pubExp.equals(pub.getPublicExponent())) + { + fail("public key exponent mismatch"); + } + + RSAPrivateCrtKey priv = (RSAPrivateCrtKey)readObject(rsaPriv); + + if (!mod.equals(priv.getModulus())) + { + fail("private key modulus mismatch"); + } + if (!privExp.equals(priv.getPrivateExponent())) + { + fail("private key exponent mismatch"); + } + if (!p.equals(priv.getPrimeP())) + { + fail("private key p mismatch"); + } + if (!q.equals(priv.getPrimeQ())) + { + fail("private key q mismatch"); + } + if (!expP.equals(priv.getPrimeExponentP())) + { + fail("private key p exponent mismatch"); + } + if (!expQ.equals(priv.getPrimeExponentQ())) + { + fail("private key q exponent mismatch"); + } + if (!crtExp.equals(priv.getCrtCoefficient())) + { + fail("private key crt exponent mismatch"); + } + } + + private void elGamalTest() + throws IOException, ClassNotFoundException + { + ElGamalPublicKey pub = (ElGamalPublicKey)readObject(elGamalPub); + + if (!elGamalY.equals(pub.getY())) + { + fail("public key y mismatch"); + } + if (!elGamalG.equals(pub.getParameters().getG())) + { + fail("public key g mismatch"); + } + if (!elGamalP.equals(pub.getParameters().getP())) + { + fail("public key p mismatch"); + } + + ElGamalPrivateKey priv = (ElGamalPrivateKey)readObject(elGamalPriv); + + if (!elGamalX.equals(priv.getX())) + { + fail("private key x mismatch"); + } + if (!elGamalG.equals(priv.getParameters().getG())) + { + fail("private key g mismatch"); + } + if (!elGamalP.equals(priv.getParameters().getP())) + { + fail("private key p mismatch"); + } + } + + private void dhTest() + throws IOException, ClassNotFoundException + { + DHPublicKey pub = (DHPublicKey)readObject(dhPub); + + if (!dhY.equals(pub.getY())) + { + fail("dh public key y mismatch"); + } + if (!dhG.equals(pub.getParams().getG())) + { + fail("dh public key g mismatch"); + } + if (!dhP.equals(pub.getParams().getP())) + { + fail("dh public key p mismatch"); + } + if (0 != pub.getParams().getL()) + { + fail("dh public key l mismatch"); + } + + DHPrivateKey priv = (DHPrivateKey)readObject(dhPriv); + + if (!dhX.equals(priv.getX())) + { + fail("dh private key x mismatch"); + } + if (!dhG.equals(priv.getParams().getG())) + { + fail("dh private key g mismatch"); + } + if (!dhP.equals(priv.getParams().getP())) + { + fail("dh private key p mismatch"); + } + if (0 != priv.getParams().getL()) + { + fail("dh private key l mismatch"); + } + } + + private void dsaTest() + throws IOException, ClassNotFoundException + { + DSAPublicKey pub = (DSAPublicKey)readObject(dsaPub); + + if (!dsaY.equals(pub.getY())) + { + fail("dsa public key y mismatch"); + } + if (!dsaG.equals(pub.getParams().getG())) + { + fail("dsa public key g mismatch"); + } + if (!dsaP.equals(pub.getParams().getP())) + { + fail("dsa public key p mismatch"); + } + + DSAPrivateKey priv = (DSAPrivateKey)readObject(dsaPriv); + + if (!dsaX.equals(priv.getX())) + { + fail("dsa private key x mismatch"); + } + if (!dsaG.equals(priv.getParams().getG())) + { + fail("dsa private key g mismatch"); + } + if (!dsaP.equals(priv.getParams().getP())) + { + fail("dsa private key p mismatch"); + } + } + + private Object readObject(byte[] key) + throws IOException, ClassNotFoundException + { + ObjectInputStream oIn = new ObjectInputStream(new ByteArrayInputStream(key)); + + return oIn.readObject(); + } + + public static void main( + String[] args) + { + runTest(new SerialisationTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SigNameTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SigNameTest.java new file mode 100644 index 00000000..0ed90c35 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SigNameTest.java @@ -0,0 +1,83 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.Security; +import java.security.Signature; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; + +public class SigNameTest + extends SimpleTest +{ + private void checkName(String name) + throws NoSuchProviderException, NoSuchAlgorithmException + { + if (!name.equals(Signature.getInstance(name, "BC").getAlgorithm())) + { + fail("name misatch on " + name); + } + } + + public void performTest() + throws Exception + { + checkName("SHA1withRSA"); + checkName("SHA224withRSA"); + checkName("SHA256withRSA"); + checkName("SHA384withRSA"); + checkName("SHA512withRSA"); + checkName("MD2withRSA"); + checkName("MD4withRSA"); + checkName("MD5withRSA"); + checkName("RIPEMD160withRSA"); + checkName("RIPEMD128withRSA"); + checkName("RIPEMD256withRSA"); + + checkName("SHA1withDSA"); + checkName("SHA224withDSA"); + checkName("SHA256withDSA"); + checkName("SHA384withDSA"); + checkName("SHA512withDSA"); + checkName("NONEwithDSA"); + checkName("SHA1withECDSA"); + checkName("SHA224withECDSA"); + checkName("SHA256withECDSA"); + checkName("SHA384withECDSA"); + checkName("SHA512withECDSA"); + checkName("RIPEMD160withECDSA"); + checkName("SHA1withECNR"); + checkName("SHA224withECNR"); + checkName("SHA256withECNR"); + checkName("SHA384withECNR"); + checkName("SHA512withECNR"); + + checkName("SHA1withRSAandMGF1"); + checkName("SHA1withRSAandMGF1"); + checkName("SHA224withRSAandMGF1"); + checkName("SHA256withRSAandMGF1"); + checkName("SHA384withRSAandMGF1"); + checkName("SHA512withRSAandMGF1"); + + checkName("GOST3411withGOST3410"); + checkName("GOST3411withECGOST3410"); + + checkName("SHA1withRSA/ISO9796-2"); + checkName("MD5withRSA/ISO9796-2"); + checkName("RIPEMD160withRSA/ISO9796-2"); + } + + public String getName() + { + return "SigNameTest"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new SigNameTest()); + } +}
\ No newline at end of file diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SigTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SigTest.java new file mode 100644 index 00000000..1863ca69 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SigTest.java @@ -0,0 +1,373 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.MessageDigest; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.Signature; +import java.security.spec.RSAPrivateKeySpec; +import java.security.spec.RSAPublicKeySpec; + +import javax.crypto.Cipher; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class SigTest + extends SimpleTest +{ + /** + * signature with a "forged signature" (sig block not at end of plain text) + */ + private void testBadSig(PrivateKey priv, PublicKey pub) throws Exception + { + MessageDigest sha1 = MessageDigest.getInstance("SHA1", "BC"); + Cipher signer = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC"); + + signer.init(Cipher.ENCRYPT_MODE, priv); + + byte[] block = new byte[signer.getBlockSize()]; + + sha1.update((byte)0); + + byte[] sigHeader = Hex.decode("3021300906052b0e03021a05000414"); + System.arraycopy(sigHeader, 0, block, 0, sigHeader.length); + + byte[] dig = sha1.digest(); + + System.arraycopy(dig, 0, block, sigHeader.length, dig.length); + + System.arraycopy(sigHeader, 0, block, + sigHeader.length + dig.length, sigHeader.length); + + byte[] sig = signer.doFinal(block); + + Signature verifier = Signature.getInstance("SHA1WithRSA", "BC"); + + verifier.initVerify(pub); + + verifier.update((byte)0); + + if (verifier.verify(sig)) + { + fail("bad signature passed"); + } + } + + public void performTest() + throws Exception + { + Signature sig = Signature.getInstance("SHA1WithRSAEncryption", "BC"); + KeyPairGenerator fact; + KeyPair keyPair; + byte[] data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 }; + + fact = KeyPairGenerator.getInstance("RSA", "BC"); + + fact.initialize(768, new SecureRandom()); + + keyPair = fact.generateKeyPair(); + + PrivateKey signingKey = keyPair.getPrivate(); + PublicKey verifyKey = keyPair.getPublic(); + + testBadSig(signingKey, verifyKey); + + sig.initSign(signingKey); + + sig.update(data); + + byte[] sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("SHA1 verification failed"); + } + + sig = Signature.getInstance("MD2WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("MD2 verification failed"); + } + + sig = Signature.getInstance("MD5WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("MD5 verification failed"); + } + + sig = Signature.getInstance("RIPEMD160WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("RIPEMD160 verification failed"); + } + + // + // RIPEMD-128 + // + sig = Signature.getInstance("RIPEMD128WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("RIPEMD128 verification failed"); + } + + // + // RIPEMD256 + // + sig = Signature.getInstance("RIPEMD256WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("RIPEMD256 verification failed"); + } + + // + // SHA-224 + // + sig = Signature.getInstance("SHA224WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("SHA224 verification failed"); + } + + // + // SHA-256 + // + sig = Signature.getInstance("SHA256WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("SHA256 verification failed"); + } + + // + // SHA-384 + // + sig = Signature.getInstance("SHA384WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("SHA384 verification failed"); + } + + // + // SHA-512 + // + sig = Signature.getInstance("SHA512WithRSAEncryption", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("SHA512 verification failed"); + } + + // + // ISO Sigs. + // + sig = Signature.getInstance("MD5WithRSA/ISO9796-2", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("MD5/ISO verification failed"); + } + + sig = Signature.getInstance("SHA1WithRSA/ISO9796-2", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("SHA1/ISO verification failed"); + } + + sig = Signature.getInstance("RIPEMD160WithRSA/ISO9796-2", "BC"); + + sig.initSign(signingKey); + + sig.update(data); + + sigBytes = sig.sign(); + + sig.initVerify(verifyKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("RIPEMD160/ISO verification failed"); + } + + // + // standard vector test - B.1.3 RIPEMD160, implicit. + // + BigInteger mod = new BigInteger("ffffffff78f6c55506c59785e871211ee120b0b5dd644aa796d82413a47b24573f1be5745b5cd9950f6b389b52350d4e01e90009669a8720bf265a2865994190a661dea3c7828e2e7ca1b19651adc2d5", 16); + BigInteger pub = new BigInteger("03", 16); + BigInteger pri = new BigInteger("2aaaaaaa942920e38120ee965168302fd0301d73a4e60c7143ceb0adf0bf30b9352f50e8b9e4ceedd65343b2179005b2f099915e4b0c37e41314bb0821ad8330d23cba7f589e0f129b04c46b67dfce9d", 16); + + KeyFactory f = KeyFactory.getInstance("RSA", "BC"); + + PrivateKey privKey = f.generatePrivate(new RSAPrivateKeySpec(mod, pri)); + PublicKey pubKey = f.generatePublic(new RSAPublicKeySpec(mod, pub)); + byte[] testSig = Hex.decode("5cf9a01854dbacaec83aae8efc563d74538192e95466babacd361d7c86000fe42dcb4581e48e4feb862d04698da9203b1803b262105104d510b365ee9c660857ba1c001aa57abfd1c8de92e47c275cae"); + + data = Hex.decode("fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"); + + sig = Signature.getInstance("RIPEMD160WithRSA/ISO9796-2", "BC"); + + sig.initSign(privKey); + + sig.update(data); + + sigBytes = sig.sign(); + + if (!Arrays.areEqual(testSig, sigBytes)) + { + fail("SigTest: failed ISO9796-2 generation Test"); + } + + sig.initVerify(pubKey); + + sig.update(data); + + if (!sig.verify(sigBytes)) + { + fail("RIPEMD160/ISO verification failed"); + } + } + + public String getName() + { + return "SigTest"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new SigTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SipHashTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SipHashTest.java new file mode 100644 index 00000000..9120e88b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SipHashTest.java @@ -0,0 +1,88 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Security; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.encoders.Hex; +import org.bouncycastle.util.test.SimpleTest; + +public class SipHashTest + extends SimpleTest +{ + public void performTest() + throws Exception + { + byte[] key = Hex.decode("000102030405060708090a0b0c0d0e0f"); + byte[] input = Hex.decode("000102030405060708090a0b0c0d0e"); + + byte[] expected = Hex.decode("e545be4961ca29a1"); + + Mac mac = Mac.getInstance("SipHash", "BC"); + + mac.init(new SecretKeySpec(key, "SipHash")); + + mac.update(input, 0, input.length); + + byte[] result = mac.doFinal(); + + if (!Arrays.areEqual(expected, result)) + { + fail("Result does not match expected value for doFinal()"); + } + + mac.init(new SecretKeySpec(key, "SipHash-2-4")); + + mac.update(input, 0, input.length); + + result = mac.doFinal(); + if (!Arrays.areEqual(expected, result)) + { + fail("Result does not match expected value for second doFinal()"); + } + + mac = Mac.getInstance("SipHash-2-4", "BC"); + + mac.init(new SecretKeySpec(key, "SipHash-2-4")); + + mac.update(input, 0, input.length); + + result = mac.doFinal(); + if (!Arrays.areEqual(expected, result)) + { + fail("Result does not match expected value for alias"); + } + + // SipHash 4-8 + expected = Hex.decode("e0a6a97dd589d383"); + + mac = Mac.getInstance("SipHash-4-8", "BC"); + + mac.init(new SecretKeySpec(key, "SipHash")); + + mac.update(input, 0, input.length); + + result = mac.doFinal(); + + if (!Arrays.areEqual(expected, result)) + { + fail("Result does not match expected value for SipHash 4-8"); + } + } + + public String getName() + { + return "SipHash"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new SipHashTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SlotTwoTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SlotTwoTest.java new file mode 100644 index 00000000..7a2a880e --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/SlotTwoTest.java @@ -0,0 +1,90 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Key; +import java.security.SecureRandom; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.spec.IvParameterSpec; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; + +public class SlotTwoTest + extends SimpleTest +{ + byte[] plainData = "abcdefghijklmnopqrstuvwxyz".getBytes(); + + public String getName() + { + return "SlotTwo"; + } + + public void performTest() + throws Exception + { + Security.removeProvider("BC"); + Security.insertProviderAt(new BouncyCastleProvider(), 2); + + KeyGenerator keyGen = KeyGenerator.getInstance("DESede", "BC"); + + keyGen.init(new SecureRandom()); + + Key key = keyGen.generateKey(); + + testDesEde(key, "ECB", "PKCS7Padding"); + testDesEde(key, "CBC", "PKCS7Padding"); + testDesEde(key, "CTR", "NoPadding"); + testDesEde(key, "CTR", "PKCS7Padding"); + testDesEde(key, "OFB", "PKCS7Padding"); + testDesEde(key, "CFB", "PKCS7Padding"); + + Security.removeProvider("BC"); + Security.addProvider(new BouncyCastleProvider()); + } + + private void testDesEde( + Key key, + String mode, + String padding) + throws Exception + { + Cipher encrypt = Cipher.getInstance("DESede/" + mode + "/" + padding, "BC"); + Cipher decrypt = Cipher.getInstance("DESede/" + mode + "/" + padding); + + if (!decrypt.getProvider().getName().equals("BC")) + { + fail("BC provider not returned for DESede/" + mode + "/" + padding + " got " + decrypt.getProvider().getName()); + } + + encrypt.init(Cipher.ENCRYPT_MODE, key); + + byte[] encryptedBytes = encrypt.doFinal(plainData); + byte[] ivBytes = encrypt.getIV(); + + if (ivBytes != null) + { + IvParameterSpec ivp = new IvParameterSpec(ivBytes); + + decrypt.init(Cipher.DECRYPT_MODE, key, ivp); + } + else + { + decrypt.init(Cipher.DECRYPT_MODE, key); + } + + byte[] plainBytes = decrypt.doFinal(encryptedBytes, 0, encryptedBytes.length); + + if (!areEqual(plainData, plainBytes)) + { + fail("decryption test failed."); + } + } + + public static void main( + String[] args) + { + runTest(new SlotTwoTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/TestUtils.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/TestUtils.java new file mode 100644 index 00000000..4751fb2b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/TestUtils.java @@ -0,0 +1,286 @@ +package org.bouncycastle.jce.provider.test; + +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.Principal; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.SignatureException; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.Set; + +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.CRLNumber; +import org.bouncycastle.asn1.x509.CRLReason; +import org.bouncycastle.asn1.x509.KeyUsage; +import org.bouncycastle.asn1.x509.X509Extensions; +import org.bouncycastle.jce.PrincipalUtil; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.x509.X509V1CertificateGenerator; +import org.bouncycastle.x509.X509V2CRLGenerator; +import org.bouncycastle.x509.X509V3CertificateGenerator; +import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; +import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure; + +/** + * Test Utils + */ +class TestUtils +{ + /** + * Create a random 1024 bit RSA key pair + */ + public static KeyPair generateRSAKeyPair() + throws Exception + { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); + + kpGen.initialize(1024, new SecureRandom()); + + return kpGen.generateKeyPair(); + } + + public static X509Certificate generateRootCert(KeyPair pair) + throws Exception + { + X509V1CertificateGenerator certGen = new X509V1CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(new X509Principal("CN=Test CA Certificate")); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal("CN=Test CA Certificate")); + certGen.setPublicKey(pair.getPublic()); + certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + return certGen.generate(pair.getPrivate(), "BC"); + } + + public static X509Certificate generateIntermediateCert(PublicKey intKey, PrivateKey caKey, X509Certificate caCert) + throws Exception + { + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal("CN=Test Intermediate Certificate")); + certGen.setPublicKey(intKey); + certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); + certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(intKey)); + certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0)); + certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); + + return certGen.generate(caKey, "BC"); + } + + public static X509Certificate generateEndEntityCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert) + throws Exception + { + X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); + + certGen.setSerialNumber(BigInteger.valueOf(1)); + certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert)); + certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000)); + certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); + certGen.setSubjectDN(new X509Principal("CN=Test End Certificate")); + certGen.setPublicKey(entityKey); + certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); + certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey)); + certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); + certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); + + return certGen.generate(caKey, "BC"); + } + + public static X509CRL createCRL( + X509Certificate caCert, + PrivateKey caKey, + BigInteger serialNumber) + throws Exception + { + X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); + Date now = new Date(); + BigInteger revokedSerialNumber = BigInteger.valueOf(2); + + crlGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert)); + + crlGen.setThisUpdate(now); + crlGen.setNextUpdate(new Date(now.getTime() + 100000)); + crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); + + crlGen.addCRLEntry(serialNumber, now, CRLReason.privilegeWithdrawn); + + crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); + crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(1))); + + return crlGen.generate(caKey, "BC"); + } + + public static X509Certificate createExceptionCertificate(boolean exceptionOnEncode) + { + return new ExceptionCertificate(exceptionOnEncode); + } + + private static class ExceptionCertificate + extends X509Certificate + { + private boolean _exceptionOnEncode; + + public ExceptionCertificate(boolean exceptionOnEncode) + { + _exceptionOnEncode = exceptionOnEncode; + } + + public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException + { + throw new CertificateNotYetValidException(); + } + + public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException + { + throw new CertificateExpiredException(); + } + + public int getVersion() + { + return 0; + } + + public BigInteger getSerialNumber() + { + return null; + } + + public Principal getIssuerDN() + { + return null; + } + + public Principal getSubjectDN() + { + return null; + } + + public Date getNotBefore() + { + return null; + } + + public Date getNotAfter() + { + return null; + } + + public byte[] getTBSCertificate() throws CertificateEncodingException + { + throw new CertificateEncodingException(); + } + + public byte[] getSignature() + { + return new byte[0]; + } + + public String getSigAlgName() + { + return null; + } + + public String getSigAlgOID() + { + return null; + } + + public byte[] getSigAlgParams() + { + return new byte[0]; + } + + public boolean[] getIssuerUniqueID() + { + return new boolean[0]; + } + + public boolean[] getSubjectUniqueID() + { + return new boolean[0]; + } + + public boolean[] getKeyUsage() + { + return new boolean[0]; + } + + public int getBasicConstraints() + { + return 0; + } + + public byte[] getEncoded() throws CertificateEncodingException + { + if (_exceptionOnEncode) + { + throw new CertificateEncodingException(); + } + + return new byte[0]; + } + + public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException + { + throw new CertificateException(); + } + + public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException + { + throw new CertificateException(); + } + + public String toString() + { + return null; + } + + public PublicKey getPublicKey() + { + return null; + } + + public boolean hasUnsupportedCriticalExtension() + { + return false; + } + + public Set getCriticalExtensionOIDs() + { + return null; + } + + public Set getNonCriticalExtensionOIDs() + { + return null; + } + + public byte[] getExtensionValue(String oid) + { + return new byte[0]; + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/WrapTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/WrapTest.java new file mode 100644 index 00000000..118e1827 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/WrapTest.java @@ -0,0 +1,76 @@ +package org.bouncycastle.jce.provider.test; + +import java.security.Key; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.MessageDigest; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTestResult; +import org.bouncycastle.util.test.Test; +import org.bouncycastle.util.test.TestResult; + +public class WrapTest + implements Test +{ + public TestResult perform() + { + try + { + Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding", "BC"); + KeyPairGenerator fact = KeyPairGenerator.getInstance("RSA", "BC"); + fact.initialize(512, new SecureRandom()); + + KeyPair keyPair = fact.generateKeyPair(); + + PrivateKey priKey = keyPair.getPrivate(); + PublicKey pubKey = keyPair.getPublic(); + + KeyGenerator keyGen = KeyGenerator.getInstance("DES", "BC"); + Key wrapKey = keyGen.generateKey(); + cipher.init(Cipher.WRAP_MODE, wrapKey); + byte[] wrappedKey = cipher.wrap(priKey); + + cipher.init(Cipher.UNWRAP_MODE, wrapKey); + Key key = cipher.unwrap(wrappedKey, "RSA", Cipher.PRIVATE_KEY); + + if (!MessageDigest.isEqual(priKey.getEncoded(), key.getEncoded())) + { + return new SimpleTestResult(false, "Unwrapped key does not match"); + } + + return new SimpleTestResult(true, getName() + ": Okay"); + } + catch (Exception e) + { + return new SimpleTestResult(false, getName() + ": exception - " + e.toString(), e); + } + } + + public String getName() + { + return "WrapTest"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + Test test = new WrapTest(); + TestResult result = test.perform(); + + System.out.println(result.toString()); + if (result.getException() != null) + { + result.getException().printStackTrace(); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509CertificatePairTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509CertificatePairTest.java new file mode 100644 index 00000000..4eecef8a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509CertificatePairTest.java @@ -0,0 +1,147 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509CertificatePair; + +import java.io.ByteArrayInputStream; +import java.security.Security; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; + +public class X509CertificatePairTest + extends SimpleTest +{ + public void performTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate rootCert = (X509Certificate)cf.generateCertificate( + new ByteArrayInputStream(CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf.generateCertificate( + new ByteArrayInputStream(CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf.generateCertificate( + new ByteArrayInputStream(CertPathTest.finalCertBin)); + + + X509CertificatePair pair1 = new X509CertificatePair(rootCert, interCert); + X509CertificatePair pair2 = new X509CertificatePair(rootCert, interCert); + X509CertificatePair pair3 = new X509CertificatePair(interCert, finalCert); + X509CertificatePair pair4 = new X509CertificatePair(rootCert, finalCert); + X509CertificatePair pair5 = new X509CertificatePair(rootCert, null); + X509CertificatePair pair6 = new X509CertificatePair(rootCert, null); + X509CertificatePair pair7 = new X509CertificatePair(null, rootCert); + X509CertificatePair pair8 = new X509CertificatePair(null, rootCert); + + if (!pair1.equals(pair2)) + { + fail("pair1 pair2 equality test"); + } + + if (!pair5.equals(pair6)) + { + fail("pair1 pair2 equality test"); + } + + if (!pair7.equals(pair8)) + { + fail("pair1 pair2 equality test"); + } + + if (pair1.equals(null)) + { + fail("pair1 null equality test"); + } + + if (pair1.hashCode() != pair2.hashCode()) + { + fail("pair1 pair2 hashCode equality test"); + } + + if (pair1.equals(pair3)) + { + fail("pair1 pair3 inequality test"); + } + + if (pair1.equals(pair4)) + { + fail("pair1 pair4 inequality test"); + } + + if (pair1.equals(pair5)) + { + fail("pair1 pair5 inequality test"); + } + + if (pair1.equals(pair7)) + { + fail("pair1 pair7 inequality test"); + } + + if (pair5.equals(pair1)) + { + fail("pair5 pair1 inequality test"); + } + + if (pair7.equals(pair1)) + { + fail("pair7 pair1 inequality test"); + } + + if (pair1.getForward() != rootCert) + { + fail("pair1 forward test"); + } + + if (pair1.getReverse() != interCert) + { + fail("pair1 reverse test"); + } + + if (!areEqual(pair1.getEncoded(), pair2.getEncoded())) + { + fail("encoding check"); + } + + pair4 = new X509CertificatePair(rootCert, TestUtils.createExceptionCertificate(false)); + + try + { + pair4.getEncoded(); + + fail("no exception on bad getEncoded()"); + } + catch (CertificateEncodingException e) + { + // expected + } + + pair4 = new X509CertificatePair(rootCert, TestUtils.createExceptionCertificate(true)); + + try + { + pair4.getEncoded(); + + fail("no exception on exception getEncoded()"); + } + catch (CertificateEncodingException e) + { + // expected + } + } + + public String getName() + { + return "X509CertificatePair"; + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new X509CertificatePairTest()); + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509LDAPCertStoreTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509LDAPCertStoreTest.java new file mode 100644 index 00000000..27167127 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509LDAPCertStoreTest.java @@ -0,0 +1,467 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.PrincipalUtil; +import org.bouncycastle.jce.X509LDAPCertStoreParameters; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509CRLStoreSelector; +import org.bouncycastle.x509.X509CertStoreSelector; +import org.bouncycastle.x509.X509Store; + +import java.io.ByteArrayInputStream; +import java.security.Security; +import java.security.cert.CRLException; +import java.security.cert.CertStore; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLSelector; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.Collection; +import java.util.Collections; +import java.util.Iterator; + +public class X509LDAPCertStoreTest extends SimpleTest +{ + private static final byte cert1[] = Base64 + .decode("MIIDyTCCAzKgAwIBAgIEL64+8zANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJE" + + "RTEcMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEoMAwGBwKCBgEKBxQTATEw" + + "GAYDVQQDFBFUVEMgVGVzdCBDQSAxMTpQTjAeFw0wMzAzMjUxNDM1MzFaFw0wNjAz" + + "MjUxNDM1MzFaMGIxCzAJBgNVBAYTAkRFMRswGQYDVQQKDBJHRlQgU29sdXRpb25z" + + "IEdtYkgxEjAQBgNVBAsMCUhZUEFSQ0hJVjEWMBQGA1UEAwwNRGllZ2UsIFNpbW9u" + + "ZTEKMAgGA1UEBRMBMTCBoDANBgkqhkiG9w0BAQEFAAOBjgAwgYoCgYEAiEYsFbs4" + + "FesQpMjBkzJB92c0p8tJ02nbCNA5l17VVbbrv6/twnQHW4kgA+9lZlXfzI8iunT1" + + "KuiwVupWObHgFaGPkelIN/qIbuwbQzh7T+IUKdKETE12Lc+xk9YvQ6mJVgosmwpr" + + "nMMjezymh8DjPhe7MC7/H3AotrHVNM3mEJcCBEAAAIGjggGWMIIBkjAfBgNVHSME" + + "GDAWgBTQc8wTeltcAM3iTE63fk/wTA+IJTAdBgNVHQ4EFgQUq6ChBvXPiqhMHLS3" + + "kiKpSeGWDz4wDgYDVR0PAQH/BAQDAgQwMB8GA1UdEQQYMBaBFHNpbW9uZS5kaWVn" + + "ZUBnZnQuY29tMIHoBgNVHR8EgeAwgd0wgdqgaqBohjVsZGFwOi8vcGtzbGRhcC50" + + "dHRjLmRlOjM4OS9jPWRlLG89RGV1dHNjaGUgVGVsZWtvbSBBR4YvaHR0cDovL3d3" + + "dy50dHRjLmRlL3RlbGVzZWMvc2VydmxldC9kb3dubG9hZF9jcmyibKRqMGgxCzAJ" + + "BgNVBAYTAkRFMRwwGgYDVQQKFBNEZXV0c2NoZSBUZWxla29tIEFHMTswDAYHAoIG" + + "AQoHFBMBMTArBgNVBAMUJFRlbGVTZWMgRGlyZWN0b3J5IFNlcnZpY2UgU2lnRyAx" + + "MDpQTjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly93d3cudHR0" + + "Yy5kZS9vY3NwcjANBgkqhkiG9w0BAQUFAAOBgQBCPudAtrP9Bx7GRhHQgYS6kaoN" + + "vYb/yDss86pyn0uiFuwT+mT1popcAfxPo2yxL0jqqlsDNFBC2hJob5rjihsKPmqV" + + "rSaW0VJu/zBihsX7hLKOVMf5gvUYMS5ulq/bp8jOj8a+5SmxVY+WWZVFghWjISse" + + "T3WABdTS9S3zjnQiyg=="); + + private static final byte[] directCRL = Base64 + .decode("MIIGXTCCBckCAQEwCgYGKyQDAwECBQAwdDELMAkGA1UEBhMCREUxHDAaBgNVBAoU" + + "E0RldXRzY2hlIFRlbGVrb20gQUcxFzAVBgNVBAsUDlQtVGVsZVNlYyBUZXN0MS4w" + + "DAYHAoIGAQoHFBMBMTAeBgNVBAMUF1QtVGVsZVNlYyBUZXN0IERJUiA4OlBOFw0w" + + "NjA4MDQwODQ1MTRaFw0wNjA4MDQxNDQ1MTRaMIIElTAVAgQvrj/pFw0wMzA3MjIw" + + "NTQxMjhaMBUCBC+uP+oXDTAzMDcyMjA1NDEyOFowFQIEL64/5xcNMDQwNDA1MTMx" + + "ODE3WjAVAgQvrj/oFw0wNDA0MDUxMzE4MTdaMBUCBC+uP+UXDTAzMDExMzExMTgx" + + "MVowFQIEL64/5hcNMDMwMTEzMTExODExWjAVAgQvrj/jFw0wMzAxMTMxMTI2NTZa" + + "MBUCBC+uP+QXDTAzMDExMzExMjY1NlowFQIEL64/4hcNMDQwNzEzMDc1ODM4WjAV" + + "AgQvrj/eFw0wMzAyMTcwNjMzMjVaMBUCBC+uP98XDTAzMDIxNzA2MzMyNVowFQIE" + + "L64/0xcNMDMwMjE3MDYzMzI1WjAVAgQvrj/dFw0wMzAxMTMxMTI4MTRaMBUCBC+u" + + "P9cXDTAzMDExMzExMjcwN1owFQIEL64/2BcNMDMwMTEzMTEyNzA3WjAVAgQvrj/V" + + "Fw0wMzA0MzAxMjI3NTNaMBUCBC+uP9YXDTAzMDQzMDEyMjc1M1owFQIEL64/xhcN" + + "MDMwMjEyMTM0NTQwWjAVAgQvrj/FFw0wMzAyMTIxMzQ1NDBaMBUCBC+uP8IXDTAz" + + "MDIxMjEzMDkxNlowFQIEL64/wRcNMDMwMjEyMTMwODQwWjAVAgQvrj++Fw0wMzAy" + + "MTcwNjM3MjVaMBUCBC+uP70XDTAzMDIxNzA2MzcyNVowFQIEL64/sBcNMDMwMjEy" + + "MTMwODU5WjAVAgQvrj+vFw0wMzAyMTcwNjM3MjVaMBUCBC+uP5MXDTAzMDQxMDA1" + + "MjYyOFowFQIEL64/khcNMDMwNDEwMDUyNjI4WjAVAgQvrj8/Fw0wMzAyMjYxMTA0" + + "NDRaMBUCBC+uPz4XDTAzMDIyNjExMDQ0NFowFQIEL64+zRcNMDMwNTIwMDUyNzM2" + + "WjAVAgQvrj7MFw0wMzA1MjAwNTI3MzZaMBUCBC+uPjwXDTAzMDYxNzEwMzQxNlow" + + "FQIEL64+OxcNMDMwNjE3MTAzNDE2WjAVAgQvrj46Fw0wMzA2MTcxMDM0MTZaMBUC" + + "BC+uPjkXDTAzMDYxNzEzMDEwMFowFQIEL64+OBcNMDMwNjE3MTMwMTAwWjAVAgQv" + + "rj43Fw0wMzA2MTcxMzAxMDBaMBUCBC+uPjYXDTAzMDYxNzEzMDEwMFowFQIEL64+" + + "MxcNMDMwNjE3MTAzNzQ5WjAVAgQvrj4xFw0wMzA2MTcxMDQyNThaMBUCBC+uPjAX" + + "DTAzMDYxNzEwNDI1OFowFQIEL649qRcNMDMxMDIyMTEzMjI0WjAVAgQvrjyyFw0w" + + "NTAzMTEwNjQ0MjRaMBUCBC+uPKsXDTA0MDQwMjA3NTQ1M1owFQIEL6466BcNMDUw" + + "MTI3MTIwMzI0WjAVAgQvrjq+Fw0wNTAyMTYwNzU3MTZaMBUCBC+uOqcXDTA1MDMx" + + "MDA1NTkzNVowFQIEL646PBcNMDUwNTExMTA0OTQ2WjAVAgQvrG3VFw0wNTExMTEx" + + "MDAzMjFaMBUCBC+uLmgXDTA2MDEyMzEwMjU1NVowFQIEL64mxxcNMDYwODAxMDk0" + + "ODQ0WqCBijCBhzALBgNVHRQEBAICEQwwHwYDVR0jBBgwFoAUA1vI26YMj3njkfCU" + + "IXbo244kLjkwVwYDVR0SBFAwToZMbGRhcDovL3Brc2xkYXAudHR0Yy5kZS9vdT1U" + + "LVRlbGVTZWMgVGVzdCBESVIgODpQTixvPURldXRzY2hlIFRlbGVrb20gQUcsYz1k" + + "ZTAKBgYrJAMDAQIFAAOBgQArj4eMlbAwuA2aS5O4UUUHQMKKdK/dtZi60+LJMiMY" + + "ojrMIf4+ZCkgm1Ca0Cd5T15MJxVHhh167Ehn/Hd48pdnAP6Dfz/6LeqkIHGWMHR+" + + "z6TXpwWB+P4BdUec1ztz04LypsznrHcLRa91ixg9TZCb1MrOG+InNhleRs1ImXk8" + + "MQ=="); + + private static final String ldapURL1 = "ldap://pksldap.tttc.de:389"; + + private static final X509LDAPCertStoreParameters params1 = new X509LDAPCertStoreParameters.Builder( + ldapURL1, "o=Deutsche Telekom AG, c=DE"). + setAACertificateSubjectAttributeName("ou cn"). + setAttributeAuthorityRevocationListIssuerAttributeName("cn"). + setAttributeCertificateAttributeSubjectAttributeName("cn"). + setAttributeCertificateRevocationListIssuerAttributeName("cn"). + setAttributeDescriptorCertificateSubjectAttributeName("ou cn"). + setAuthorityRevocationListIssuerAttributeName("cn"). + setCACertificateSubjectAttributeName("ou cn"). + setCertificateRevocationListIssuerAttributeName("cn"). + setCrossCertificateSubjectAttributeName("cn"). + setDeltaRevocationListIssuerAttributeName("cn"). + setSearchForSerialNumberIn("cn") + .build(); + + private static final String ldapURL2 = "ldap://directory.d-trust.de:389"; + + private static final X509LDAPCertStoreParameters params2 = new X509LDAPCertStoreParameters.Builder( + ldapURL2, "o=D-Trust GmbH, c=DE"). + setAACertificateSubjectAttributeName("cn o"). + setAttributeAuthorityRevocationListIssuerAttributeName("cn"). + setAttributeCertificateAttributeSubjectAttributeName("cn"). + setAttributeCertificateRevocationListIssuerAttributeName("cn"). + setAttributeDescriptorCertificateSubjectAttributeName("cn o"). + setAuthorityRevocationListIssuerAttributeName("cn"). + setCACertificateSubjectAttributeName("cn o"). + setCertificateRevocationListIssuerAttributeName("cn"). + setCrossCertificateSubjectAttributeName("cn o"). + setDeltaRevocationListIssuerAttributeName("cn"). + setSearchForSerialNumberIn("uid") + .build(); + + private static final byte[] cert2 = Base64 + .decode("MIIEADCCAuigAwIBAgIDAJ/QMA0GCSqGSIb3DQEBBQUAMD8xCzAJBgNVBAYTAkRF" + + "MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxGTAXBgNVBAMMEEQtVFJVU1QgRGVtbyBD" + + "QTEwHhcNMDYwMzAyMTYxNTU3WhcNMDgwMzEyMTYxNTU3WjB+MQswCQYDVQQGEwJE" + + "RTEUMBIGA1UECgwLTXVzdGVyIEdtYkgxFzAVBgNVBAMMDk1heCBNdXN0ZXJtYW5u" + + "MRMwEQYDVQQEDApNdXN0ZXJtYW5uMQwwCgYDVQQqDANNYXgxHTAbBgNVBAUTFERU" + + "UldFMTQxMjk5NDU1MTgwMTIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC" + + "AQEAjLDFeviSZDEZgLzTdptU4biPgNV7SvLqsNholfqkyQm2r5WSghGZSjhKYIne" + + "qKmZ08W59a51bGqDEsifYR7Tw9JC/AhH19fyK01+1ZAXHalgVthaRtLw31lcoTVJ" + + "R7j9fvrnW0sMPVP4m5gePb3P5/pYHVmN1MjdPIm38us5aJOytOO5Li2IwQIG0t4M" + + "bEC6/1horBR5TgRl7ACamrdaPHOvO1QVweOqYU7uVxLgDTK4mSV6heyrisFMfkbj" + + "7jT/c44kXM7dtgNcmESINudu6bnqaB1CxOFTJ/Jzv81R5lf7pBX2LOG1Bu94Yw2x" + + "cHUVROs2UWY8kQrNUozsBHzQ0QIDAKq5o4HFMIHCMBMGA1UdIwQMMAqACEITKrPL" + + "WuYiMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZC10" + + "cnVzdC5uZXQwEAYDVR0gBAkwBzAFBgMqAwQwEQYDVR0OBAoECEvE8bXFHkFLMA4G" + + "A1UdDwEB/wQEAwIGQDAPBgUrJAgDCAQGDARUZXN0MB8GA1UdEQQYMBaBFG0ubXVz" + + "dGVybWFubkB0ZXN0LmRlMA8GBSskCAMPBAYMBFRlc3QwDQYJKoZIhvcNAQEFBQAD" + + "ggEBADD/X+UZZN30nCBDzJ7MtmgwvMBVDAU6HkPlzfyn9pxIKFrq3uR9wcY2pedM" + + "yQQk0NpTDCIhAYIjAHysMue0ViQnW5qq8uUCFn0+fsgMqqTQNRmE4NIqUrnYO40g" + + "WjcepCEApkTqGf3RFaDMf9zpRvj9qUx18De+V0GC22uD2vPKpqRcvS2dSw6pHBW2" + + "NwEU+RgNhoPXrHt332PEYdwO0zOL7eSLBD9AmkpP2uDjpMQ02Lu9kXG6OOfanwfS" + + "jHioCvDXyl5pwSHwrHNWQRb5dLF12Fg41LMapDwR7awAKE9h6qHBonvCMBPMvqrr" + + "NktqQcoQkluR9MItONJI5XHADtU="); + + private static final String ldapURL3 = "ldap://dir.signtrust.de:389"; + + private static final X509LDAPCertStoreParameters params3 = new X509LDAPCertStoreParameters.Builder( + ldapURL3, "o=Deutsche Post AG, c=de"). + setAACertificateSubjectAttributeName("ou"). + setAttributeAuthorityRevocationListIssuerAttributeName("cn"). + setAttributeCertificateAttributeSubjectAttributeName("cn"). + setAttributeCertificateRevocationListIssuerAttributeName("o"). + setAttributeDescriptorCertificateSubjectAttributeName("ou"). + setAuthorityRevocationListIssuerAttributeName("o"). + setCACertificateSubjectAttributeName("ou"). + setCertificateRevocationListIssuerAttributeName("o"). + setCrossCertificateSubjectAttributeName("o"). + setDeltaRevocationListIssuerAttributeName("o"). + setSearchForSerialNumberIn("serialNumber") + .build(); + + private static final byte[] cert3 = Base64 + .decode("MIICwDCCAimgAwIBAgIBKzANBgkqhkiG9w0BAQUFADA6MRAwDgYDVQQDEwdQQ0Ex" + + "OlBOMRkwFwYDVQQKExBEZXV0c2NoZSBQb3N0IEFHMQswCQYDVQQGEwJERTAeFw0w" + + "MDA0MTkyMjAwMDBaFw0wMzA0MTkyMjAwMDBaMIGOMRAwDgYDVQQEFAdN5G5jaGVy" + + "MQ4wDAYDVQQqEwVLbGF1czEWMBQGA1UEAxQNS2xhdXMgTeRuY2hlcjEVMBMGA1UE" + + "CRMMV2llc2Vuc3RyLiAzMQ4wDAYDVQQREwU2MzMyOTESMBAGA1UEBxMJRWdlbHNi" + + "YWNoMQswCQYDVQQGEwJERTEKMAgGA1UEBRMBMTCBnzANBgkqhkiG9w0BAQEFAAOB" + + "jQAwgYkCgYEAn7z6Ba9wpv/mNBIaricY/d0KpxGpqGAXdqKlvqkk/seJEoBLvmL7" + + "wZz88RPELQqzDhc4oXYohS2dh3NHus9FpSPMq0JzKAcE3ArrVDxwtXtlcwN2v7iS" + + "TcHurgLOb9C/r8JdsMHNgwHMkkdp96cJk/sioyP5sLPYmgWxg1JH0vMCAwEAAaOB" + + "gDB+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfAADBKBgNVHSMEQzBBoTyk" + + "OjEQMA4GA1UEAxMHUENBMTpQTjEZMBcGA1UEChMQRGV1dHNjaGUgUG9zdCBBRzEL" + + "MAkGA1UEBhMCREWCAQEwEQYDVR0OBAoECEAeJ6R3USjxMA0GCSqGSIb3DQEBBQUA" + + "A4GBADMRtdiQJF2fg7IcedTjnAW+QGl/wNSKy7A4oaBQeahcruo+hzH+ZU+DsiSu" + + "TJZaf2X1eUUEPmV+5zZlopGa3HvFfgmIYIXBw9ZO3Qb/HWGsPNgW0yg5eXEGwNEt" + + "vV85BTMGuMjiuDw841IuAZaMKqOKnVXHmd2pLJz7Wv0MLJhw"); + + private static final byte[] caCert3 = Base64 + .decode("MIICUjCCAb6gAwIBAgIDD2ptMAoGBiskAwMBAgUAMG8xCzAJBgNVBAYTAkRFMT0w" + + "OwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0" + + "aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjRSLUNBIDE6UE4w" + + "IhgPMjAwMDA0MTIwODIyMDNaGA8yMDA0MDQxMjA4MjIwM1owWzELMAkGA1UEBhMC" + + "REUxGTAXBgNVBAoUEERldXRzY2hlIFBvc3QgQUcxMTAMBgcCggYBCgcUEwExMCEG" + + "A1UEAxQaQ0EgREVSIERFVVRTQ0hFTiBQT1NUIDU6UE4wgZ8wDQYJKoZIhvcNAQEB" + + "BQADgY0AMIGJAoGBAIH3c+gig1KkY5ceR6n/AMq+xz7hi3f0PMdpwIe2v2w6Hu5k" + + "jipe++NvU3r6wakIY2royHl3gKWrExOisBico9aQmn8lMJnWZ7SUbB+WpRn0mAWN" + + "ZM9YT+/U5hRCffeeuLWClzrbScaWnAeaaI0G+N/QKnSSjrV/l64jogyADWCTAgMB" + + "AAGjEjAQMA4GA1UdDwEB/wQEAwIBBjAKBgYrJAMDAQIFAAOBgQAaV5WClEneXk9s" + + "LO8zTQAsf4KvDaLd1BFcFeYM7kLLRHKeWQ0MAd0xkuAMme5NVwWNpNZP74B4HX7Q" + + "/Q0h/wo/9LTgQaxw52lLs4Ml0HUyJbSFjoQ+sqgjg2fGNGw7aGkVNY5dQTAy8oSv" + + "iG8mxTsQ7Fxaush3cIB0qDDwXar/hg=="); + + private static final byte[] crossCert3 = Base64 + .decode("MIICVDCCAcCgAwIBAgIDDIOsMAoGBiskAwMBAgUAMG8xCzAJBgNVBAYTAkRFMT0w" + + "OwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0" + + "aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjRSLUNBIDE6UE4w" + + "IhgPMjAwMDAzMjIwOTQzNTBaGA8yMDA0MDEyMTE2MDQ1M1owbzELMAkGA1UEBhMC" + + "REUxPTA7BgNVBAoUNFJlZ3VsaWVydW5nc2JlaMhvcmRlIGbIdXIgVGVsZWtvbW11" + + "bmlrYXRpb24gdW5kIFBvc3QxITAMBgcCggYBCgcUEwExMBEGA1UEAxQKNVItQ0Eg" + + "MTpQTjCBoTANBgkqhkiG9w0BAQEFAAOBjwAwgYsCgYEAih5BUycfBpqKhU8RDsaS" + + "vV5AtzWeXQRColL9CH3t0DKnhjKAlJ8iccFtJNv+d3bh8bb9sh0maRSo647xP7hs" + + "HTjKgTE4zM5BYNfXvST79OtcMgAzrnDiGjQIIWv8xbfV1MqxxdtZJygrwzRMb9jG" + + "CAGoJEymoyzAMNG7tSdBWnUCBQDAAAABMAoGBiskAwMBAgUAA4GBAIBWrl6aEy4d" + + "2d6U/924YK8Tv9oChmaKVhklkiTzcKv1N8dhLnLTibq4/stop03CY3rKU4X5aTfu" + + "0J77FIV1Poy9jLT5Tm1NBpi71m4uO3AUoSeyhJXGQGsYFjAc3URqkznbTL/nr9re" + + "IoBhf6u9cX+idnN6Uy1q+j/LOrcy3zgj"); + + public void performTest() throws Exception + { + certStoretest(); + x509StoreTest(); + } + + private void certStoretest() throws Exception + { + CertStore cs = CertStore.getInstance("X509LDAP", params1, "BC"); + X509CertSelector sl = new X509CertSelector(); + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + X509Certificate xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(cert1)); + sl.setCertificate(xcert); + Collection coll = cs.getCertificates(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + sl.setCertificate(null); + sl.setSubject(getSubject(xcert).getEncoded()); + coll = cs.getCertificates(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("certificate could not be picked from LDAP directory."); + } + X509CRLSelector sl2 = new X509CRLSelector(); + X509CRL crl = (X509CRL)cf.generateCRL(new + ByteArrayInputStream(directCRL)); + sl2.addIssuerName(getCRLIssuer(crl).getEncoded()); + coll = cs.getCRLs(sl2); + if (!coll.iterator().hasNext()) + { + fail("CRL could not be picked from LDAP directory."); + } + // System.out.println(coll.toArray()[0]); + + cs = CertStore.getInstance("X509LDAP", params2, "BC"); + sl = new X509CertSelector(); + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(cert2)); + sl.setCertificate(xcert); + coll = cs.getCertificates(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("Certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + cs = CertStore.getInstance("X509LDAP", params3, "BC"); + sl = new X509CertSelector(); + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(cert3)); + sl.setCertificate(xcert); + coll = cs.getCertificates(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("Certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(caCert3)); + sl = new X509CertSelector(); + sl.setSubject(getSubject(xcert).getEncoded()); + coll = cs.getCertificates(sl); + boolean found = false; + if (coll.isEmpty()) + { + fail("Certificate could not be picked from LDAP directory."); + } + + for (Iterator it = coll.iterator(); it.hasNext();) + { + if (it.next().equals(xcert)) + { + found = true; + break; + } + } + if (!found) + { + fail("Certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + sl = new X509CertSelector(); + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(crossCert3)); + sl = new X509CertSelector(); + sl.setSubject(getSubject(xcert).getEncoded()); + coll = cs.getCertificates(sl); + if (coll.isEmpty()) + { + fail("Cross certificate pair could not be picked from LDAP directory."); + } + found = false; + for (Iterator it = coll.iterator(); it.hasNext();) + { + if (it.next().equals(xcert)) + { + found = true; + break; + } + } + if (!found) + { + fail("Cross certificate pair could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + } + + private void x509StoreTest() throws Exception + { + X509Store cs = X509Store.getInstance("CERTIFICATE/LDAP", params1, "BC"); + + X509CertStoreSelector sl = new X509CertStoreSelector(); + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + X509Certificate xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(cert1)); + sl.setCertificate(xcert); + Collection coll = cs.getMatches(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + sl.setCertificate(null); + sl.setSubject(getSubject(xcert).getEncoded()); + coll = cs.getMatches(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("certificate could not be picked from LDAP directory."); + } + X509CRLStoreSelector sl2 = new X509CRLStoreSelector(); + X509CRL crl = (X509CRL)cf.generateCRL(new + ByteArrayInputStream(directCRL)); + sl2.setIssuers(Collections.singleton(crl.getIssuerX500Principal())); + cs = X509Store.getInstance("CRL/LDAP", params1, "BC"); + coll = cs.getMatches(sl2); + if (!coll.iterator().hasNext()) + { + fail("CRL could not be picked from LDAP directory."); + } + // System.out.println(coll.toArray()[0]); + + cs = X509Store.getInstance("CERTIFICATE/LDAP", params2, "BC"); + sl = new X509CertStoreSelector(); + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(cert2)); + sl.setCertificate(xcert); + coll = cs.getMatches(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("Certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + cs = X509Store.getInstance("CERTIFICATE/LDAP", params3, "BC"); + sl = new X509CertStoreSelector(); + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(cert3)); + sl.setCertificate(xcert); + coll = cs.getMatches(sl); + if (coll.isEmpty() || !coll.iterator().next().equals(xcert)) + { + fail("Certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(caCert3)); + sl = new X509CertStoreSelector(); + sl.setSubject(getSubject(xcert).getEncoded()); + coll = cs.getMatches(sl); + boolean found = false; + if (coll.isEmpty()) + { + fail("Certificate could not be picked from LDAP directory."); + } + + for (Iterator it = coll.iterator(); it.hasNext();) + { + if (it.next().equals(xcert)) + { + found = true; + break; + } + } + if (!found) + { + fail("Certificate could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + sl = new X509CertStoreSelector(); + xcert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream(crossCert3)); + sl.setSubject(getSubject(xcert).getEncoded()); + coll = cs.getMatches(sl); + if (coll.isEmpty()) + { + fail("Cross certificate pair could not be picked from LDAP directory."); + } + found = false; + for (Iterator it = coll.iterator(); it.hasNext();) + { + if (it.next().equals(xcert)) + { + found = true; + break; + } + } + if (!found) + { + fail("Cross certificate pair could not be picked from LDAP directory."); + } + + // System.out.println(coll.toArray()[0]); + + } + + private X509Principal getSubject(X509Certificate cert) + throws CertificateEncodingException + { + return PrincipalUtil.getSubjectX509Principal(cert); + } + + private X509Principal getCRLIssuer(X509CRL crl) + throws CRLException + { + return PrincipalUtil.getIssuerX509Principal(crl); + } + + public String getName() + { + return "LDAPCertStoreTest"; + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + runTest(new X509LDAPCertStoreTest()); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509StoreTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509StoreTest.java new file mode 100644 index 00000000..5897117b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509StoreTest.java @@ -0,0 +1,345 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.jce.PrincipalUtil; +import org.bouncycastle.jce.X509Principal; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509AttributeCertStoreSelector; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509CRLStoreSelector; +import org.bouncycastle.x509.X509CertPairStoreSelector; +import org.bouncycastle.x509.X509CertStoreSelector; +import org.bouncycastle.x509.X509CertificatePair; +import org.bouncycastle.x509.X509CollectionStoreParameters; +import org.bouncycastle.x509.X509Store; +import org.bouncycastle.x509.X509V2AttributeCertificate; + +import java.io.ByteArrayInputStream; +import java.math.BigInteger; +import java.security.Security; +import java.security.cert.CertificateFactory; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; +import java.util.List; + +public class X509StoreTest + extends SimpleTest +{ + private void certPairTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", + "BC"); + + X509Certificate rootCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.finalCertBin)); + + // Testing CollectionCertStore generation from List + X509CertificatePair pair1 = new X509CertificatePair(rootCert, interCert); + List certList = new ArrayList(); + + certList.add(pair1); + certList.add(new X509CertificatePair(interCert, finalCert)); + + X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(certList); + + X509Store certStore = X509Store.getInstance("CertificatePair/Collection", ccsp, "BC"); + X509CertPairStoreSelector selector = new X509CertPairStoreSelector(); + X509CertStoreSelector fwSelector = new X509CertStoreSelector(); + + fwSelector.setSerialNumber(rootCert.getSerialNumber()); + fwSelector.setSubject(rootCert.getIssuerDN().getName()); + + selector.setForwardSelector(fwSelector); + + Collection col = certStore.getMatches(selector); + + if (col.size() != 1 || !col.contains(pair1)) + { + fail("failed pair1 test"); + } + + col = certStore.getMatches(null); + + if (col.size() != 2) + { + fail("failed null test"); + } + } + + public void performTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", + "BC"); + + X509Certificate rootCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.rootCertBin)); + X509Certificate interCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.interCertBin)); + X509Certificate finalCert = (X509Certificate)cf + .generateCertificate(new ByteArrayInputStream( + CertPathTest.finalCertBin)); + X509CRL rootCrl = (X509CRL)cf.generateCRL(new ByteArrayInputStream( + CertPathTest.rootCrlBin)); + X509CRL interCrl = (X509CRL)cf + .generateCRL(new ByteArrayInputStream( + CertPathTest.interCrlBin)); + + // Testing CollectionCertStore generation from List + List certList = new ArrayList(); + certList.add(rootCert); + certList.add(interCert); + certList.add(finalCert); + X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(certList); + X509Store certStore = X509Store.getInstance("Certificate/Collection", ccsp, "BC"); + // set default to be the same as for SUN X500 name + X509Principal.DefaultReverse = true; + + // Searching for rootCert by subjectDN + + X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); + targetConstraints.setSubject(PrincipalUtil.getSubjectX509Principal(rootCert).getEncoded()); + Collection certs = certStore.getMatches(targetConstraints); + if (certs.size() != 1 || !certs.contains(rootCert)) + { + fail("rootCert not found by subjectDN"); + } + + // Searching for rootCert by subjectDN encoded as byte + targetConstraints = new X509CertStoreSelector(); + targetConstraints.setSubject(PrincipalUtil.getSubjectX509Principal(rootCert).getEncoded()); + certs = certStore.getMatches(targetConstraints); + if (certs.size() != 1 || !certs.contains(rootCert)) + { + fail("rootCert not found by encoded subjectDN"); + } + + X509Principal.DefaultReverse = false; + + // Searching for rootCert by public key encoded as byte + targetConstraints = new X509CertStoreSelector(); + targetConstraints.setSubjectPublicKey(rootCert.getPublicKey().getEncoded()); + certs = certStore.getMatches(targetConstraints); + if (certs.size() != 1 || !certs.contains(rootCert)) + { + fail("rootCert not found by encoded public key"); + } + + // Searching for interCert by issuerDN + targetConstraints = new X509CertStoreSelector(); + targetConstraints.setIssuer(PrincipalUtil.getSubjectX509Principal(rootCert).getEncoded()); + certs = certStore.getMatches(targetConstraints); + if (certs.size() != 2) + { + fail("did not found 2 certs"); + } + if (!certs.contains(rootCert)) + { + fail("rootCert not found"); + } + if (!certs.contains(interCert)) + { + fail("interCert not found"); + } + + // Searching for rootCrl by issuerDN + List crlList = new ArrayList(); + crlList.add(rootCrl); + crlList.add(interCrl); + ccsp = new X509CollectionStoreParameters(crlList); + X509Store store = X509Store.getInstance("CRL/Collection", ccsp, "BC"); + X509CRLStoreSelector targetConstraintsCRL = new X509CRLStoreSelector(); + targetConstraintsCRL.setIssuers(Collections.singleton(rootCrl.getIssuerX500Principal())); + Collection crls = store.getMatches(targetConstraintsCRL); + if (crls.size() != 1 || !crls.contains(rootCrl)) + { + fail("rootCrl not found"); + } + + crls = certStore.getMatches(targetConstraintsCRL); + if (crls.size() != 0) + { + fail("error using wrong selector (CRL)"); + } + certs = store.getMatches(targetConstraints); + if (certs.size() != 0) + { + fail("error using wrong selector (certs)"); + } + // Searching for attribute certificates + X509V2AttributeCertificate attrCert = new X509V2AttributeCertificate(AttrCertTest.attrCert); + X509AttributeCertificate attrCert2 = new X509V2AttributeCertificate(AttrCertTest.certWithBaseCertificateID); + + List attrList = new ArrayList(); + attrList.add(attrCert); + attrList.add(attrCert2); + ccsp = new X509CollectionStoreParameters(attrList); + store = X509Store.getInstance("AttributeCertificate/Collection", ccsp, "BC"); + X509AttributeCertStoreSelector attrSelector = new X509AttributeCertStoreSelector(); + attrSelector.setHolder(attrCert.getHolder()); + if (!attrSelector.getHolder().equals(attrCert.getHolder())) + { + fail("holder get not correct"); + } + Collection attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert)) + { + fail("attrCert not found on holder"); + } + attrSelector.setHolder(attrCert2.getHolder()); + if (attrSelector.getHolder().equals(attrCert.getHolder())) + { + fail("holder get not correct"); + } + attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert2)) + { + fail("attrCert2 not found on holder"); + } + attrSelector = new X509AttributeCertStoreSelector(); + attrSelector.setIssuer(attrCert.getIssuer()); + if (!attrSelector.getIssuer().equals(attrCert.getIssuer())) + { + fail("issuer get not correct"); + } + attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert)) + { + fail("attrCert not found on issuer"); + } + attrSelector.setIssuer(attrCert2.getIssuer()); + if (attrSelector.getIssuer().equals(attrCert.getIssuer())) + { + fail("issuer get not correct"); + } + attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert2)) + { + fail("attrCert2 not found on issuer"); + } + attrSelector = new X509AttributeCertStoreSelector(); + attrSelector.setAttributeCert(attrCert); + if (!attrSelector.getAttributeCert().equals(attrCert)) + { + fail("attrCert get not correct"); + } + attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert)) + { + fail("attrCert not found on attrCert"); + } + attrSelector = new X509AttributeCertStoreSelector(); + attrSelector.setSerialNumber(attrCert.getSerialNumber()); + if (!attrSelector.getSerialNumber().equals(attrCert.getSerialNumber())) + { + fail("serial number get not correct"); + } + attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert)) + { + fail("attrCert not found on serial number"); + } + attrSelector = (X509AttributeCertStoreSelector)attrSelector.clone(); + if (!attrSelector.getSerialNumber().equals(attrCert.getSerialNumber())) + { + fail("serial number get not correct"); + } + attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert)) + { + fail("attrCert not found on serial number"); + } + + attrSelector = new X509AttributeCertStoreSelector(); + attrSelector.setAttributeCertificateValid(attrCert.getNotBefore()); + if (!attrSelector.getAttributeCertificateValid().equals(attrCert.getNotBefore())) + { + fail("valid get not correct"); + } + attrs = store.getMatches(attrSelector); + if (attrs.size() != 1 || !attrs.contains(attrCert)) + { + fail("attrCert not found on valid"); + } + attrSelector = new X509AttributeCertStoreSelector(); + attrSelector.setAttributeCertificateValid(new Date(attrCert.getNotBefore().getTime() - 100)); + attrs = store.getMatches(attrSelector); + if (attrs.size() != 0) + { + fail("attrCert found on before"); + } + attrSelector.setAttributeCertificateValid(new Date(attrCert.getNotAfter().getTime() + 100)); + attrs = store.getMatches(attrSelector); + if (attrs.size() != 0) + { + fail("attrCert found on after"); + } + attrSelector.setSerialNumber(BigInteger.valueOf(10000)); + attrs = store.getMatches(attrSelector); + if (attrs.size() != 0) + { + fail("attrCert found on wrong serial number"); + } + + attrSelector.setAttributeCert(null); + attrSelector.setAttributeCertificateValid(null); + attrSelector.setHolder(null); + attrSelector.setIssuer(null); + attrSelector.setSerialNumber(null); + if (attrSelector.getAttributeCert() != null) + { + fail("null attrCert"); + } + if (attrSelector.getAttributeCertificateValid() != null) + { + fail("null attrCertValid"); + } + if (attrSelector.getHolder() != null) + { + fail("null attrCert holder"); + } + if (attrSelector.getIssuer() != null) + { + fail("null attrCert issuer"); + } + if (attrSelector.getSerialNumber() != null) + { + fail("null attrCert serial"); + } + + attrs = certStore.getMatches(attrSelector); + if (attrs.size() != 0) + { + fail("error using wrong selector (attrs)"); + } + + certPairTest(); + } + + public String getName() + { + return "X509Store"; + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new X509StoreTest()); + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509StreamParserTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509StreamParserTest.java new file mode 100644 index 00000000..8f3c7fe3 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/X509StreamParserTest.java @@ -0,0 +1,360 @@ +package org.bouncycastle.jce.provider.test; + +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.DERSet; +import org.bouncycastle.asn1.DERTaggedObject; +import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; +import org.bouncycastle.asn1.cms.ContentInfo; +import org.bouncycastle.asn1.cms.SignedData; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; +import org.bouncycastle.x509.X509AttributeCertificate; +import org.bouncycastle.x509.X509CertificatePair; +import org.bouncycastle.x509.X509StreamParser; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.security.Security; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.Collection; + +public class X509StreamParserTest + extends SimpleTest +{ + byte[] attrCert = Base64.decode( + "MIIHQDCCBqkCAQEwgZChgY2kgYowgYcxHDAaBgkqhkiG9w0BCQEWDW1sb3JjaEB2" + + "dC5lZHUxHjAcBgNVBAMTFU1hcmt1cyBMb3JjaCAobWxvcmNoKTEbMBkGA1UECxMS" + + "VmlyZ2luaWEgVGVjaCBVc2VyMRAwDgYDVQQLEwdDbGFzcyAyMQswCQYDVQQKEwJ2" + + "dDELMAkGA1UEBhMCVVMwgYmkgYYwgYMxGzAZBgkqhkiG9w0BCQEWDHNzaGFoQHZ0" + + "LmVkdTEbMBkGA1UEAxMSU3VtaXQgU2hhaCAoc3NoYWgpMRswGQYDVQQLExJWaXJn" + + "aW5pYSBUZWNoIFVzZXIxEDAOBgNVBAsTB0NsYXNzIDExCzAJBgNVBAoTAnZ0MQsw" + + "CQYDVQQGEwJVUzANBgkqhkiG9w0BAQQFAAIBBTAiGA8yMDAzMDcxODE2MDgwMloY" + + "DzIwMDMwNzI1MTYwODAyWjCCBU0wggVJBgorBgEEAbRoCAEBMYIFORaCBTU8UnVs" + + "ZSBSdWxlSWQ9IkZpbGUtUHJpdmlsZWdlLVJ1bGUiIEVmZmVjdD0iUGVybWl0Ij4K" + + "IDxUYXJnZXQ+CiAgPFN1YmplY3RzPgogICA8U3ViamVjdD4KICAgIDxTdWJqZWN0" + + "TWF0Y2ggTWF0Y2hJZD0idXJuOm9hc2lzOm5hbWVzOnRjOnhhY21sOjEuMDpmdW5j" + + "dGlvbjpzdHJpbmctZXF1YWwiPgogICAgIDxBdHRyaWJ1dGVWYWx1ZSBEYXRhVHlw" + + "ZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEjc3RyaW5nIj4KICAg" + + "ICAgIENOPU1hcmt1cyBMb3JjaDwvQXR0cmlidXRlVmFsdWU+CiAgICAgPFN1Ympl" + + "Y3RBdHRyaWJ1dGVEZXNpZ25hdG9yIEF0dHJpYnV0ZUlkPSJ1cm46b2FzaXM6bmFt" + + "ZXM6dGM6eGFjbWw6MS4wOnN1YmplY3Q6c3ViamVjdC1pZCIgRGF0YVR5cGU9Imh0" + + "dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hI3N0cmluZyIgLz4gCiAgICA8" + + "L1N1YmplY3RNYXRjaD4KICAgPC9TdWJqZWN0PgogIDwvU3ViamVjdHM+CiAgPFJl" + + "c291cmNlcz4KICAgPFJlc291cmNlPgogICAgPFJlc291cmNlTWF0Y2ggTWF0Y2hJ" + + "ZD0idXJuOm9hc2lzOm5hbWVzOnRjOnhhY21sOjEuMDpmdW5jdGlvbjpzdHJpbmct" + + "ZXF1YWwiPgogICAgIDxBdHRyaWJ1dGVWYWx1ZSBEYXRhVHlwZT0iaHR0cDovL3d3" + + "dy53My5vcmcvMjAwMS9YTUxTY2hlbWEjYW55VVJJIj4KICAgICAgaHR0cDovL3p1" + + "bmkuY3MudnQuZWR1PC9BdHRyaWJ1dGVWYWx1ZT4KICAgICA8UmVzb3VyY2VBdHRy" + + "aWJ1dGVEZXNpZ25hdG9yIEF0dHJpYnV0ZUlkPSJ1cm46b2FzaXM6bmFtZXM6dGM6" + + "eGFjbWw6MS4wOnJlc291cmNlOnJlc291cmNlLWlkIiBEYXRhVHlwZT0iaHR0cDov" + + "L3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEjYW55VVJJIiAvPiAKICAgIDwvUmVz" + + "b3VyY2VNYXRjaD4KICAgPC9SZXNvdXJjZT4KICA8L1Jlc291cmNlcz4KICA8QWN0" + + "aW9ucz4KICAgPEFjdGlvbj4KICAgIDxBY3Rpb25NYXRjaCBNYXRjaElkPSJ1cm46" + + "b2FzaXM6bmFtZXM6dGM6eGFjbWw6MS4wOmZ1bmN0aW9uOnN0cmluZy1lcXVhbCI+" + + "CiAgICAgPEF0dHJpYnV0ZVZhbHVlIERhdGFUeXBlPSJodHRwOi8vd3d3LnczLm9y" + + "Zy8yMDAxL1hNTFNjaGVtYSNzdHJpbmciPgpEZWxlZ2F0ZSBBY2Nlc3MgICAgIDwv" + + "QXR0cmlidXRlVmFsdWU+CgkgIDxBY3Rpb25BdHRyaWJ1dGVEZXNpZ25hdG9yIEF0" + + "dHJpYnV0ZUlkPSJ1cm46b2FzaXM6bmFtZXM6dGM6eGFjbWw6MS4wOmFjdGlvbjph" + + "Y3Rpb24taWQiIERhdGFUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNj" + + "aGVtYSNzdHJpbmciIC8+IAogICAgPC9BY3Rpb25NYXRjaD4KICAgPC9BY3Rpb24+" + + "CiAgPC9BY3Rpb25zPgogPC9UYXJnZXQ+CjwvUnVsZT4KMA0GCSqGSIb3DQEBBAUA" + + "A4GBAGiJSM48XsY90HlYxGmGVSmNR6ZW2As+bot3KAfiCIkUIOAqhcphBS23egTr" + + "6asYwy151HshbPNYz+Cgeqs45KkVzh7bL/0e1r8sDVIaaGIkjHK3CqBABnfSayr3" + + "Rd1yBoDdEv8Qb+3eEPH6ab9021AsLEnJ6LWTmybbOpMNZ3tv"); + + public void performTest() + throws Exception + { + X509StreamParser parser = X509StreamParser.getInstance("Certificate", "BC"); + + parser.init(new ByteArrayInputStream(CertPathTest.rootCertBin)); + X509Certificate rootCert = (X509Certificate)parser.read(); + + parser = X509StreamParser.getInstance("CRL", "BC"); + + parser.init(new ByteArrayInputStream(CertPathTest.rootCrlBin)); + + + X509CRL rootCrl = (X509CRL)parser.read(); + + parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); + + parser.init(new ByteArrayInputStream(attrCert)); + + X509AttributeCertificate aCert = (X509AttributeCertificate)parser.read(); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + bOut.write(CertPathTest.rootCertBin); + bOut.write(CertPathTest.interCertBin); + bOut.write(CertPathTest.finalCertBin); + + parser = X509StreamParser.getInstance("Certificate", "BC"); + + parser.init(bOut.toByteArray()); + + Collection res = parser.readAll(); + + if (res.size() != 3) + { + fail("wrong number of certificates found"); + } + + bOut = new ByteArrayOutputStream(); + + bOut.write(CertPathTest.rootCrlBin); + bOut.write(CertPathTest.interCrlBin); + + parser = X509StreamParser.getInstance("CRL", "BC"); + + parser.init(bOut.toByteArray()); + + res = parser.readAll(); + + if (res.size() != 2) + { + fail("wrong number of CRLs found"); + } + + bOut = new ByteArrayOutputStream(); + + bOut.write(attrCert); + bOut.write(attrCert); + + parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); + + parser.init(bOut.toByteArray()); + + res = parser.readAll(); + + if (res.size() != 2) + { + fail("wrong number of Attribute Certificates found"); + } + + // + // PEM tests + // + parser = X509StreamParser.getInstance("Certificate", "BC"); + + parser.init(PEMData.CERTIFICATE_1.getBytes("US-ASCII")); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of Certificates found"); + } + + parser = X509StreamParser.getInstance("Certificate", "BC"); + + parser.init(PEMData.CERTIFICATE_2.getBytes("US-ASCII")); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of Certificates found"); + } + + parser = X509StreamParser.getInstance("CRL", "BC"); + + parser.init(PEMData.CRL_1.getBytes("US-ASCII")); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of CRLs found"); + } + + parser = X509StreamParser.getInstance("CRL", "BC"); + + parser.init(PEMData.CRL_2.getBytes("US-ASCII")); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of CRLs found"); + } + + parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); + + parser.init(PEMData.ATTRIBUTE_CERTIFICATE_1.getBytes("US-ASCII")); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of Attribute Certificates found"); + } + + parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); + + parser.init(PEMData.ATTRIBUTE_CERTIFICATE_2.getBytes("US-ASCII")); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of Attribute Certificates found"); + } + + ASN1EncodableVector certs = new ASN1EncodableVector(); + + certs.add(new ASN1InputStream(CertPathTest.rootCertBin).readObject()); + certs.add(new DERTaggedObject(false, 2, new ASN1InputStream(attrCert).readObject())); + + ASN1EncodableVector crls = new ASN1EncodableVector(); + + crls.add(new ASN1InputStream(CertPathTest.rootCrlBin).readObject()); + + // + // cross certificate pairs + // + parser = X509StreamParser.getInstance("CertificatePair", "BC"); + + parser.init(new X509CertificatePair(rootCert, rootCert).getEncoded()); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of CertificatePairs found"); + } + + // + // PKCS7 + // + SignedData sigData = new SignedData(new DERSet(), new ContentInfo(CMSObjectIdentifiers.data, null), new DERSet(certs), new DERSet(crls), new DERSet()); + + ContentInfo info = new ContentInfo(CMSObjectIdentifiers.signedData, sigData); + + parser = X509StreamParser.getInstance("Certificate", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of Certificates found"); + } + + parser = X509StreamParser.getInstance("CRL", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of CRLs found"); + } + + parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 1) + { + fail("wrong number of Attribute Certificates found"); + } + + // data with no certificates or CRLs + + sigData = new SignedData(new DERSet(), new ContentInfo(CMSObjectIdentifiers.data, null), new DERSet(), new DERSet(), new DERSet()); + + info = new ContentInfo(CMSObjectIdentifiers.signedData, sigData); + + parser = X509StreamParser.getInstance("Certificate", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 0) + { + fail("wrong number of Certificates found - expected 0"); + } + + parser = X509StreamParser.getInstance("CRL", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 0) + { + fail("wrong number of CRLs found - expected 0"); + } + + parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 0) + { + fail("wrong number of Attribute Certificates found - expected 0"); + } + + // data with absent certificates and CRLs + sigData = new SignedData(new DERSet(), new ContentInfo(CMSObjectIdentifiers.data, null), null, null, new DERSet()); + + info = new ContentInfo(CMSObjectIdentifiers.signedData, sigData); + + parser = X509StreamParser.getInstance("Certificate", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 0) + { + fail("wrong number of Certificates found - expected 0"); + } + + parser = X509StreamParser.getInstance("CRL", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 0) + { + fail("wrong number of CRLs found - expected 0"); + } + + parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); + + parser.init(info.getEncoded()); + + res = parser.readAll(); + + if (res.size() != 0) + { + fail("wrong number of Attribute Certificates found - expected 0"); + } + } + + public String getName() + { + return "X509StreamParser"; + } + + public static void main(String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new X509StreamParserTest()); + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/nist/NistCertPathReviewerTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/nist/NistCertPathReviewerTest.java new file mode 100644 index 00000000..1ee8dede --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/nist/NistCertPathReviewerTest.java @@ -0,0 +1,713 @@ +package org.bouncycastle.jce.provider.test.nist; + +import java.io.FileInputStream; +import java.io.InputStream; +import java.security.Security; +import java.security.cert.CertPath; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.GregorianCalendar; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Locale; +import java.util.Map; +import java.util.Set; +import java.util.TimeZone; + +import junit.framework.Test; +import junit.framework.TestCase; +import junit.framework.TestSuite; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.i18n.ErrorBundle; +import org.bouncycastle.x509.PKIXCertPathReviewer; +import org.bouncycastle.x509.extension.X509ExtensionUtil; + +/** + * NIST CertPath test data for RFC 3280 + */ +public class NistCertPathReviewerTest + extends TestCase +{ + private static final String TEST_DATA_HOME = "bc.test.data.home"; + + private static final String GOOD_CA_CERT = "GoodCACert"; + + private static final String GOOD_CA_CRL = "GoodCACRL"; + + private static final String TRUST_ANCHOR_ROOT_CRL = "TrustAnchorRootCRL"; + + private static final String TRUST_ANCHOR_ROOT_CERTIFICATE = "TrustAnchorRootCertificate"; + + private static final char[] PKCS12_PASSWORD = "password".toCharArray(); + + private static String NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1"; + private static String NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2"; + private static String NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3"; + + private static Map certs = new HashMap(); + private static Map crls = new HashMap(); + + private static Set noPolicies = Collections.EMPTY_SET; + private static Set nistTestPolicy1 = Collections.singleton(NIST_TEST_POLICY_1); + private static Set nistTestPolicy2 = Collections.singleton(NIST_TEST_POLICY_2); + private static Set nistTestPolicy3 = Collections.singleton(NIST_TEST_POLICY_3); + private static Set nistTestPolicy1And2 = new HashSet(Arrays.asList(new String[] { NIST_TEST_POLICY_1, NIST_TEST_POLICY_2 })); + + public void testValidSignaturesTest1() + throws Exception + { + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "ValidCertificatePathTest1EE", GOOD_CA_CERT}, + new String[] { GOOD_CA_CRL, TRUST_ANCHOR_ROOT_CRL }); + } + + public void testInvalidCASignatureTest2() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "ValidCertificatePathTest1EE", "BadSignedCACert" }, + new String[] { "BadSignedCACRL", TRUST_ANCHOR_ROOT_CRL}, + 1, + "CertPathReviewer.signatureNotVerified", + "The certificate signature is invalid. A java.security.SignatureException occurred."); + } + + public void testInvalidEESignatureTest3() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEESignatureTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "CertPathReviewer.signatureNotVerified", + "The certificate signature is invalid. A java.security.SignatureException occurred."); + } + + public void testValidDSASignaturesTest4() + throws Exception + { + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "ValidDSASignaturesTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }); + } + /* + public void testValidDSAParameterInheritanceTest5() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "DSAParametersInheritedCACert", "ValidDSAParameterInheritanceTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL", "DSAParametersInheritedCACRL" }); + } + */ + public void testInvalidDSASignaturesTest6() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "InvalidDSASignatureTest6EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }, + 0, + "CertPathReviewer.signatureNotVerified", + "The certificate signature is invalid. A java.security.SignatureException occurred."); + } + + public void testCANotBeforeDateTest1() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "BadnotBeforeDateCACert", "InvalidCAnotBeforeDateTest1EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotBeforeDateCACRL" }, + 1, + "CertPathReviewer.certificateNotYetValid", + "Could not validate the certificate. Certificate is not valid until Jan 1, 2047 12:01:00 PM GMT."); + } + + public void testInvalidEENotBeforeDateTest2() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEEnotBeforeDateTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "CertPathReviewer.certificateNotYetValid", + "Could not validate the certificate. Certificate is not valid until Jan 1, 2047 12:01:00 PM GMT."); + } + + public void testValidPre2000UTCNotBeforeDateTest3() + throws Exception + { + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "Validpre2000UTCnotBeforeDateTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); + } + + public void testValidGeneralizedTimeNotBeforeDateTest4() + throws Exception + { + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "ValidGeneralizedTimenotBeforeDateTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); + } + + public void testInvalidCANotAfterDateTest5() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "BadnotAfterDateCACert", "InvalidCAnotAfterDateTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotAfterDateCACRL" }, + 1, + "CertPathReviewer.certificateExpired", + "Could not validate the certificate. Certificate expired on Jan 1, 2002 12:01:00 PM GMT."); + } + + public void testInvalidEENotAfterDateTest6() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEEnotAfterDateTest6EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "CertPathReviewer.certificateExpired", + "Could not validate the certificate. Certificate expired on Jan 1, 2002 12:01:00 PM GMT."); + } + + public void testInvalidValidPre2000UTCNotAfterDateTest7() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "Invalidpre2000UTCEEnotAfterDateTest7EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "CertPathReviewer.certificateExpired", + "Could not validate the certificate. Certificate expired on Jan 1, 1999 12:01:00 PM GMT."); + } + + public void testInvalidNegativeSerialNumberTest15() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NegativeSerialNumberCACert", "InvalidNegativeSerialNumberTest15EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NegativeSerialNumberCACRL" }, + 0, + "CertPathReviewer.certRevoked", + "The certificate was revoked at Apr 19, 2001 2:57:20 PM GMT. Reason: Key Compromise."); + } + + // + // 4.8 Certificate Policies + // + public void testAllCertificatesSamePolicyTest1() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "ValidCertificatePathTest1EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + noPolicies); + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy1); + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy2, + -1, + "CertPathReviewer.invalidPolicy", + "Path processing failed on policy."); + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy1And2); + } + + public void testAllCertificatesNoPoliciesTest2() + throws Exception + { + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }); + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }, + noPolicies, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest3() + throws Exception + { + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }); + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, + noPolicies, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, + nistTestPolicy1And2, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest4() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "GoodsubCACert", "DifferentPoliciesTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "GoodsubCACRL" }, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest5() + throws Exception + { + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCA2Cert", "DifferentPoliciesTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCA2CRL" }, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testOverlappingPoliciesTest6() + throws Exception + { + String[] certList = new String[] { "PoliciesP1234CACert", "PoliciesP1234subCAP123Cert", "PoliciesP1234subsubCAP123P12Cert", "OverlappingPoliciesTest6EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP1234CACRL", "PoliciesP1234subCAP123CRL", "PoliciesP1234subsubCAP123P12CRL" }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "CertPathReviewer.invalidPolicy", + "Path processing failed on policy."); + } + + public void testDifferentPoliciesTest7() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P1Cert", "DifferentPoliciesTest7EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP12P1CRL" }; + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest8() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "PoliciesP12subCAP1Cert", "PoliciesP12subsubCAP1P2Cert", "DifferentPoliciesTest8EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL", "PoliciesP12subCAP1CRL", "PoliciesP12subsubCAP1P2CRL" }; + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest9() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P2Cert", "PoliciesP123subsubsubCAP12P2P1Cert", "DifferentPoliciesTest9EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP2P2CRL", "PoliciesP123subsubsubCAP12P2P1CRL" }; + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testAllCertificatesSamePoliciesTest10() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "AllCertificatesSamePoliciesTest10EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + } + + public void testAllCertificatesAnyPolicyTest11() + throws Exception + { + String[] certList = new String[] { "anyPolicyCACert", "AllCertificatesanyPolicyTest11EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + } + + public void testDifferentPoliciesTest12() + throws Exception + { + String[] certList = new String[] { "PoliciesP3CACert", "DifferentPoliciesTest12EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP3CACRL" }; + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + -1, + "CertPathReviewer.noValidPolicyTree", + "Policy checking failed: no valid policy tree found when one expected."); + } + + public void testAllCertificatesSamePoliciesTest13() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "AllCertificatesSamePoliciesTest13EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL" }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy3); + } + + public void testAnyPolicyTest14() + throws Exception + { + String[] certList = new String[] { "anyPolicyCACert", "AnyPolicyTest14EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "CertPathReviewer.invalidPolicy", + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest15() + throws Exception + { + String[] certList = new String[] { "UserNoticeQualifierTest15EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "CertPathReviewer.invalidPolicy", + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest16() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest16EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "CertPathReviewer.invalidPolicy", + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest17() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest17EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "CertPathReviewer.invalidPolicy", + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest18() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "UserNoticeQualifierTest18EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + } + + public void testUserNoticeQualifierTest19() + throws Exception + { + String[] certList = new String[] { "UserNoticeQualifierTest19EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; + + doAcceptingTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doErrorTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "CertPathReviewer.invalidPolicy", + "Path processing failed on policy."); + } + + private void doAcceptingTest( + String trustAnchor, + String[] certs, + String[] crls) + throws Exception + { + PKIXCertPathReviewer result = doTest(trustAnchor,certs,crls); + if (!result.isValidCertPath()) + { + fail("path rejected when should be accepted"); + } + } + + private void doAcceptingTest( + String trustAnchor, + String[] certs, + String[] crls, + Set policies) + throws Exception + { + PKIXCertPathReviewer result = doTest(trustAnchor,certs,crls,policies); + if (!result.isValidCertPath()) + { + fail("path rejected when should be accepted"); + } + } + + private void doErrorTest( + String trustAnchor, + String[] certs, + String[] crls, + int index, + String messageId, + String message) + throws Exception + { + PKIXCertPathReviewer result = doTest(trustAnchor, certs, crls); + if (result.isValidCertPath()) + { + fail("path accepted when should be rejected"); + } + else + { + ErrorBundle msg = (ErrorBundle) result.getErrors(index).iterator().next(); + assertEquals(messageId,msg.getId()); + assertEquals(message,msg.getText(Locale.ENGLISH,TimeZone.getTimeZone("GMT"))); + } + } + + private void doErrorTest( + String trustAnchor, + String[] certs, + String[] crls, + Set policies, + int index, + String messageId, + String message) + throws Exception + { + PKIXCertPathReviewer result = doTest(trustAnchor, certs, crls, policies); + if (result.isValidCertPath()) + { + fail("path accepted when should be rejected"); + } + else + { + ErrorBundle msg = (ErrorBundle) result.getErrors(index).iterator().next(); + assertEquals(messageId,msg.getId()); + assertEquals(message,msg.getText(Locale.ENGLISH,TimeZone.getTimeZone("GMT"))); + } + } + + private PKIXCertPathReviewer doTest( + String trustAnchor, + String[] certs, + String[] crls) + throws Exception + { + return doTest(trustAnchor, certs, crls, null); + } + + private PKIXCertPathReviewer doTest( + String trustAnchor, + String[] certs, + String[] crls, + Set policies) + throws Exception + { + Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor)); + List certsAndCrls = new ArrayList(); + X509Certificate endCert = loadCert(certs[certs.length - 1]); + + for (int i = 0; i != certs.length - 1; i++) + { + certsAndCrls.add(loadCert(certs[i])); + } + + certsAndCrls.add(endCert); + + CertPath certPath = CertificateFactory.getInstance("X.509","BC").generateCertPath(certsAndCrls); + + for (int i = 0; i != crls.length; i++) + { + certsAndCrls.add(loadCrl(crls[i])); + } + + CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certsAndCrls), "BC"); + + //CertPathValidator validator = CertPathValidator.getInstance("PKIX","BC"); + PKIXCertPathReviewer reviewer; + PKIXParameters params = new PKIXParameters(trustedSet); + + params.addCertStore(store); + params.setRevocationEnabled(true); + params.setDate(new GregorianCalendar(2010, 1, 1).getTime()); + + if (policies != null) + { + params.setExplicitPolicyRequired(true); + params.setInitialPolicies(policies); + } + + reviewer = new PKIXCertPathReviewer(certPath,params); + + return reviewer; + } + + private X509Certificate loadCert( + String certName) + { + X509Certificate cert = (X509Certificate)certs.get(certName); + + if (cert != null) + { + return cert; + } + + try + { + InputStream in = new FileInputStream(getPkitsHome() + "/certs/" + certName + ".crt"); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(in); + + certs.put(certName, cert); + + return cert; + } + catch (Exception e) + { + throw new IllegalStateException("exception loading certificate " + certName + ": " + e); + } + } + + private X509CRL loadCrl( + String crlName) + throws Exception + { + X509CRL crl = (X509CRL)certs.get(crlName); + + if (crl != null) + { + return crl; + } + + try + { + InputStream in = new FileInputStream(getPkitsHome() + "/crls/" + crlName + ".crl"); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + crl = (X509CRL)fact.generateCRL(in); + + crls.put(crlName, crl); + + return crl; + } + catch (Exception e) + { + throw new IllegalStateException("exception loading CRL: " + crlName); + } + } + + private TrustAnchor getTrustAnchor(String trustAnchorName) + throws Exception + { + X509Certificate cert = loadCert(trustAnchorName); + byte[] extBytes = cert.getExtensionValue(X509Extension.nameConstraints.getId()); + + if (extBytes != null) + { + ASN1Primitive extValue = X509ExtensionUtil.fromExtensionValue(extBytes); + + return new TrustAnchor(cert, extValue.getEncoded(ASN1Encoding.DER)); + } + + return new TrustAnchor(cert, null); + } + + private String getPkitsHome() + { + String dataHome = System.getProperty(TEST_DATA_HOME); + + if (dataHome == null) + { + throw new IllegalStateException(TEST_DATA_HOME + " property not set"); + } + + return dataHome + "/PKITS"; + } + + public static void main (String[] args) + throws Exception + { + junit.textui.TestRunner.run(suite()); + } + + public void setUp() + { + if (Security.getProvider("BC") == null) + { + Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); + } + } + + public static Test suite() + throws Exception + { + TestSuite suite = new TestSuite("NIST CertPath Tests"); + + suite.addTestSuite(NistCertPathReviewerTest.class); + + return suite; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java new file mode 100644 index 00000000..ddbda5d3 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/nist/NistCertPathTest.java @@ -0,0 +1,872 @@ +package org.bouncycastle.jce.provider.test.nist; + +import java.io.FileInputStream; +import java.io.InputStream; +import java.security.Security; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathValidator; +import java.security.cert.CertPathValidatorException; +import java.security.cert.CertStore; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.PKIXCertPathValidatorResult; +import java.security.cert.PKIXParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CRL; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.GregorianCalendar; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import junit.framework.Test; +import junit.framework.TestCase; +import junit.framework.TestSuite; +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Encoding; +import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.x509.extension.X509ExtensionUtil; + +/** + * NIST CertPath test data for RFC 3280 + */ +public class NistCertPathTest + extends TestCase +{ + private static final String TEST_DATA_HOME = "bc.test.data.home"; + + private static final String GOOD_CA_CERT = "GoodCACert"; + + private static final String GOOD_CA_CRL = "GoodCACRL"; + + private static final String TRUST_ANCHOR_ROOT_CRL = "TrustAnchorRootCRL"; + + private static final String TRUST_ANCHOR_ROOT_CERTIFICATE = "TrustAnchorRootCertificate"; + + private static final char[] PKCS12_PASSWORD = "password".toCharArray(); + + private static final String ANY_POLICY = "2.5.29.32.0"; + private static final String NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1"; + private static final String NIST_TEST_POLICY_2 = "2.16.840.1.101.3.2.1.48.2"; + private static final String NIST_TEST_POLICY_3 = "2.16.840.1.101.3.2.1.48.3"; + + private static Map certs = new HashMap(); + private static Map crls = new HashMap(); + + private static Set noPolicies = Collections.EMPTY_SET; + private static Set anyPolicy = Collections.singleton(ANY_POLICY); + private static Set nistTestPolicy1 = Collections.singleton(NIST_TEST_POLICY_1); + private static Set nistTestPolicy2 = Collections.singleton(NIST_TEST_POLICY_2); + private static Set nistTestPolicy3 = Collections.singleton(NIST_TEST_POLICY_3); + private static Set nistTestPolicy1And2 = new HashSet(Arrays.asList(new String[] { NIST_TEST_POLICY_1, NIST_TEST_POLICY_2 })); + + public void setUp() + { + if (Security.getProvider("BC") == null) + { + Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); + } + } + + public void testValidSignaturesTest1() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "ValidCertificatePathTest1EE", GOOD_CA_CERT}, + new String[] { GOOD_CA_CRL, TRUST_ANCHOR_ROOT_CRL }); + } + + public void testInvalidCASignatureTest2() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "ValidCertificatePathTest1EE", "BadSignedCACert" }, + new String[] { "BadSignedCACRL", TRUST_ANCHOR_ROOT_CRL}, + 1, + "TrustAnchor found but certificate validation failed."); + } + + public void testInvalidEESignatureTest3() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEESignatureTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate signature."); + } + + public void testValidDSASignaturesTest4() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "ValidDSASignaturesTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }); + } + + // 4.1.5 + public void testValidDSAParameterInheritanceTest5() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "DSAParametersInheritedCACert", "ValidDSAParameterInheritanceTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL", "DSAParametersInheritedCACRL" }); + } + + public void testInvalidDSASignaturesTest6() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "DSACACert", "InvalidDSASignatureTest6EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "DSACACRL" }, + 0, + "Could not validate certificate signature."); + } + + public void testCANotBeforeDateTest1() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "BadnotBeforeDateCACert", "InvalidCAnotBeforeDateTest1EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotBeforeDateCACRL" }, + 1, + "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00"); + } + + public void testInvalidEENotBeforeDateTest2() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEEnotBeforeDateTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate: certificate not valid till 20470101120100GMT+00:00"); + } + + public void testValidPre2000UTCNotBeforeDateTest3() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "Validpre2000UTCnotBeforeDateTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); + } + + public void testValidGeneralizedTimeNotBeforeDateTest4() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "ValidGeneralizedTimenotBeforeDateTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }); + } + + public void testInvalidCANotAfterDateTest5() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "BadnotAfterDateCACert", "InvalidCAnotAfterDateTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "BadnotAfterDateCACRL" }, + 1, + "Could not validate certificate: certificate expired on 20020101120100GMT+00:00"); + } + + public void testInvalidEENotAfterDateTest6() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "InvalidEEnotAfterDateTest6EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate: certificate expired on 20020101120100GMT+00:00"); + } + + public void testInvalidValidPre2000UTCNotAfterDateTest7() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "Invalidpre2000UTCEEnotAfterDateTest7EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }, + 0, + "Could not validate certificate: certificate expired on 19990101120100GMT+00:00"); + } + + public void testInvalidNegativeSerialNumberTest15() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NegativeSerialNumberCACert", "InvalidNegativeSerialNumberTest15EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NegativeSerialNumberCACRL" }, + 0, + "Certificate revocation after Fri Apr 20 00:57:20", "reason: keyCompromise"); + } + + // + // 4.8 Certificate Policies + // + public void testAllCertificatesSamePolicyTest1() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "ValidCertificatePathTest1EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + noPolicies); + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy1); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy2, + -1, + "Path processing failed on policy."); + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + certList, + crlList, + nistTestPolicy1And2); + } + + public void testAllCertificatesNoPoliciesTest2() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { "NoPoliciesCACert", "AllCertificatesNoPoliciesTest2EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, "NoPoliciesCACRL" }, + noPolicies, + 1, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest3() + throws Exception + { + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, + noPolicies, + 1, + "No valid policy tree found when one expected."); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCACert", "DifferentPoliciesTest3EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCACRL" }, + nistTestPolicy1And2, + 1, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest4() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "GoodsubCACert", "DifferentPoliciesTest4EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "GoodsubCACRL" }, + 0, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest5() + throws Exception + { + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, + new String[] { GOOD_CA_CERT, "PoliciesP2subCA2Cert", "DifferentPoliciesTest5EE" }, + new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL, "PoliciesP2subCA2CRL" }, + 0, + "No valid policy tree found when one expected."); + } + + public void testOverlappingPoliciesTest6() + throws Exception + { + String[] certList = new String[] { "PoliciesP1234CACert", "PoliciesP1234subCAP123Cert", "PoliciesP1234subsubCAP123P12Cert", "OverlappingPoliciesTest6EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP1234CACRL", "PoliciesP1234subCAP123CRL", "PoliciesP1234subsubCAP123P12CRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testDifferentPoliciesTest7() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P1Cert", "DifferentPoliciesTest7EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP12P1CRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 0, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest8() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "PoliciesP12subCAP1Cert", "PoliciesP12subsubCAP1P2Cert", "DifferentPoliciesTest8EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL", "PoliciesP12subCAP1CRL", "PoliciesP12subsubCAP1P2CRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 1, + "No valid policy tree found when one expected."); + } + + public void testDifferentPoliciesTest9() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "PoliciesP123subCAP12Cert", "PoliciesP123subsubCAP12P2Cert", "PoliciesP123subsubsubCAP12P2P1Cert", "DifferentPoliciesTest9EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL", "PoliciesP123subCAP12CRL", "PoliciesP123subsubCAP2P2CRL", "PoliciesP123subsubsubCAP12P2P1CRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 1, + "No valid policy tree found when one expected."); + } + + public void testAllCertificatesSamePoliciesTest10() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "AllCertificatesSamePoliciesTest10EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + } + + public void testAllCertificatesAnyPolicyTest11() + throws Exception + { + String[] certList = new String[] { "anyPolicyCACert", "AllCertificatesanyPolicyTest11EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; + + PKIXCertPathValidatorResult result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + } + + public void testDifferentPoliciesTest12() + throws Exception + { + String[] certList = new String[] { "PoliciesP3CACert", "DifferentPoliciesTest12EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP3CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, + 0, + "No valid policy tree found when one expected."); + } + + public void testAllCertificatesSamePoliciesTest13() + throws Exception + { + String[] certList = new String[] { "PoliciesP123CACert", "AllCertificatesSamePoliciesTest13EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP123CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy3); + } + + public void testAnyPolicyTest14() + throws Exception + { + String[] certList = new String[] { "anyPolicyCACert", "AnyPolicyTest14EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "anyPolicyCACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest15() + throws Exception + { + String[] certList = new String[] { "UserNoticeQualifierTest15EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest16() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest16EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + PKIXCertPathValidatorResult result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + + result = doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest17() + throws Exception + { + String[] certList = new String[] { GOOD_CA_CERT, "UserNoticeQualifierTest17EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, GOOD_CA_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testUserNoticeQualifierTest18() + throws Exception + { + String[] certList = new String[] { "PoliciesP12CACert", "UserNoticeQualifierTest18EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "PoliciesP12CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2); + } + + public void testUserNoticeQualifierTest19() + throws Exception + { + String[] certList = new String[] { "UserNoticeQualifierTest19EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy2, + -1, + "Path processing failed on policy."); + } + + public void testInvalidInhibitPolicyMappingTest1() + throws Exception + { + String[] certList = new String[] { "inhibitPolicyMapping0CACert", "inhibitPolicyMapping0subCACert", "InvalidinhibitPolicyMappingTest1EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitPolicyMapping0CACRL", "inhibitPolicyMapping0subCACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No valid policy tree found when one expected."); + } + + public void testValidinhibitPolicyMappingTest2() + throws Exception + { + String[] certList = new String[] { "inhibitPolicyMapping1P12CACert", "inhibitPolicyMapping1P12subCACert", "ValidinhibitPolicyMappingTest2EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitPolicyMapping1P12CACRL", "inhibitPolicyMapping1P12subCACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, nistTestPolicy1); + } + + // 4.12.7 + public void testValidSelfIssuedinhibitAnyPolicyTest7() + throws Exception + { + String[] certList = new String[] { "inhibitAnyPolicy1CACert", "inhibitAnyPolicy1SelfIssuedCACert", "inhibitAnyPolicy1subCA2Cert", "ValidSelfIssuedinhibitAnyPolicyTest7EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "inhibitAnyPolicy1CACRL", "inhibitAnyPolicy1subCA2CRL" }; + + doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false); + } + + // 4.4.19 + public void testValidSeparateCertificateandCRLKeysTest19() + throws Exception + { + String[] certList = new String[] { "SeparateCertificateandCRLKeysCertificateSigningCACert", "SeparateCertificateandCRLKeysCRLSigningCert", "ValidSeparateCertificateandCRLKeysTest19EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "SeparateCertificateandCRLKeysCRL" }; + + doBuilderTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, false, false); + } + + public void testValidpathLenConstraintTest13() + throws Exception + { + String[] certList = new String[] { "pathLenConstraint6CACert", "pathLenConstraint6subCA4Cert", "pathLenConstraint6subsubCA41Cert", "pathLenConstraint6subsubsubCA41XCert", "ValidpathLenConstraintTest13EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "pathLenConstraint6CACRL", "pathLenConstraint6subCA4CRL", "pathLenConstraint6subsubCA41CRL", "pathLenConstraint6subsubsubCA41XCRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null); + } + + // 4.4.10 + public void testInvalidUnknownCRLExtensionTest10() + throws Exception + { + String[] certList = new String[] { "UnknownCRLExtensionCACert", "InvalidUnknownCRLExtensionTest10EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "UnknownCRLExtensionCACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "CRL contains unsupported critical extensions."); + + } + + // 4.14.3 + public void testInvaliddistributionPointTest3() + throws Exception + { + String[] certList = new String[] { "distributionPoint1CACert", "InvaliddistributionPointTest3EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint1CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + + // 4.14.5 + public void testValiddistributionPointTest5() + throws Exception + { + String[] certList = new String[] { "distributionPoint2CACert", "ValiddistributionPointTest5EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; + + doTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null); + } + + + // 4.14.8 + public void testInvaliddistributionPointTest8() + throws Exception + { + String[] certList = new String[] { "distributionPoint2CACert", "InvaliddistributionPointTest8EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + + // 4.14.9 + public void testInvaliddistributionPointTest9() + throws Exception + { + String[] certList = new String[] { "distributionPoint2CACert", "InvaliddistributionPointTest9EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "distributionPoint2CACRL" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); + } + + // 4.14.17 + public void testInvalidonlySomeReasonsTest17() + throws Exception + { + String[] certList = new String[] { "onlySomeReasonsCA2Cert", "InvalidonlySomeReasonsTest17EE" }; + String[] crlList = new String[] { TRUST_ANCHOR_ROOT_CRL, "onlySomeReasonsCA2CRL1", "onlySomeReasonsCA2CRL2" }; + + doExceptionTest(TRUST_ANCHOR_ROOT_CERTIFICATE, certList, crlList, null, + 0, + "Certificate status could not be determined."); + } + + // section 4.14: tests 17, 24, 25, 30, 31, 32, 33, 35 + + // section 4.15: tests 5, 7 + private void doExceptionTest( + String trustAnchor, + String[] certs, + String[] crls, + int index, + String message) + throws Exception + { + try + { + doTest(trustAnchor, certs, crls); + + fail("path accepted when should be rejected"); + } + catch (CertPathValidatorException e) + { + assertEquals(index, e.getIndex()); + assertEquals(message, e.getMessage()); + } + } + + private void doExceptionTest( + String trustAnchor, + String[] certs, + String[] crls, + Set policies, + int index, + String message) + throws Exception + { + try + { + doTest(trustAnchor, certs, crls, policies); + + fail("path accepted when should be rejected"); + } + catch (CertPathValidatorException e) + { + assertEquals(index, e.getIndex()); + assertEquals(message, e.getMessage()); + } + } + + private void doExceptionTest( + String trustAnchor, + String[] certs, + String[] crls, + int index, + String mesStart, + String mesEnd) + throws Exception + { + try + { + doTest(trustAnchor, certs, crls); + + fail("path accepted when should be rejected"); + } + catch (CertPathValidatorException e) + { + assertEquals(index, e.getIndex()); + assertTrue(e.getMessage().startsWith(mesStart)); + assertTrue(e.getMessage().endsWith(mesEnd)); + } + } + + private PKIXCertPathValidatorResult doTest( + String trustAnchor, + String[] certs, + String[] crls) + throws Exception + { + return doTest(trustAnchor, certs, crls, null); + } + + private PKIXCertPathValidatorResult doTest( + String trustAnchor, + String[] certs, + String[] crls, + Set policies) + throws Exception + { + Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor)); + List certsAndCrls = new ArrayList(); + X509Certificate endCert = loadCert(certs[certs.length - 1]); + + for (int i = 0; i != certs.length - 1; i++) + { + certsAndCrls.add(loadCert(certs[i])); + } + + certsAndCrls.add(endCert); + + CertPath certPath = CertificateFactory.getInstance("X.509","BC").generateCertPath(certsAndCrls); + + for (int i = 0; i != crls.length; i++) + { + certsAndCrls.add(loadCrl(crls[i])); + } + + CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certsAndCrls), "BC"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX","BC"); + PKIXParameters params = new PKIXParameters(trustedSet); + + params.addCertStore(store); + params.setRevocationEnabled(true); + params.setDate(new GregorianCalendar(2010, 1, 1).getTime()); + + if (policies != null) + { + params.setExplicitPolicyRequired(true); + params.setInitialPolicies(policies); + } + + return (PKIXCertPathValidatorResult)validator.validate(certPath, params); + } + + private PKIXCertPathBuilderResult doBuilderTest( + String trustAnchor, + String[] certs, + String[] crls, + Set initialPolicies, + boolean policyMappingInhibited, + boolean anyPolicyInhibited) + throws Exception + { + Set trustedSet = Collections.singleton(getTrustAnchor(trustAnchor)); + List certsAndCrls = new ArrayList(); + X509Certificate endCert = loadCert(certs[certs.length - 1]); + + for (int i = 0; i != certs.length - 1; i++) + { + certsAndCrls.add(loadCert(certs[i])); + } + + certsAndCrls.add(endCert); + + for (int i = 0; i != crls.length; i++) + { + certsAndCrls.add(loadCrl(crls[i])); + } + + CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certsAndCrls), "BC"); + + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); + + X509CertSelector endSelector = new X509CertSelector(); + + endSelector.setCertificate(endCert); + + PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustedSet, endSelector); + + if (initialPolicies != null) + { + builderParams.setInitialPolicies(initialPolicies); + builderParams.setExplicitPolicyRequired(true); + } + if (policyMappingInhibited) + { + builderParams.setPolicyMappingInhibited(policyMappingInhibited); + } + if (anyPolicyInhibited) + { + builderParams.setAnyPolicyInhibited(anyPolicyInhibited); + } + + builderParams.addCertStore(store); + builderParams.setDate(new GregorianCalendar(2010, 1, 1).getTime()); + + try + { + return (PKIXCertPathBuilderResult)builder.build(builderParams); + } + catch (CertPathBuilderException e) + { + throw (Exception)e.getCause(); + } + } + + private X509Certificate loadCert( + String certName) + { + X509Certificate cert = (X509Certificate)certs.get(certName); + + if (cert != null) + { + return cert; + } + + try + { + InputStream in = new FileInputStream(getPkitsHome() + "/certs/" + certName + ".crt"); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + cert = (X509Certificate)fact.generateCertificate(in); + + certs.put(certName, cert); + + return cert; + } + catch (Exception e) + { + throw new IllegalStateException("exception loading certificate " + certName + ": " + e); + } + } + + private X509CRL loadCrl( + String crlName) + throws Exception + { + X509CRL crl = (X509CRL)certs.get(crlName); + + if (crl != null) + { + return crl; + } + + try + { + InputStream in = new FileInputStream(getPkitsHome() + "/crls/" + crlName + ".crl"); + + CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); + + crl = (X509CRL)fact.generateCRL(in); + + crls.put(crlName, crl); + + return crl; + } + catch (Exception e) + { + throw new IllegalStateException("exception loading CRL: " + crlName); + } + } + + private TrustAnchor getTrustAnchor(String trustAnchorName) + throws Exception + { + X509Certificate cert = loadCert(trustAnchorName); + byte[] extBytes = cert.getExtensionValue(X509Extension.nameConstraints.getId()); + + if (extBytes != null) + { + ASN1Encodable extValue = X509ExtensionUtil.fromExtensionValue(extBytes); + + return new TrustAnchor(cert, extValue.toASN1Primitive().getEncoded(ASN1Encoding.DER)); + } + + return new TrustAnchor(cert, null); + } + + private String getPkitsHome() + { + String dataHome = System.getProperty(TEST_DATA_HOME); + + if (dataHome == null) + { + throw new IllegalStateException(TEST_DATA_HOME + " property not set"); + } + + return dataHome + "/PKITS"; + } + + public static void main (String[] args) + throws Exception + { + junit.textui.TestRunner.run(suite()); + } + + public static Test suite() + throws Exception + { + TestSuite suite = new TestSuite("NIST CertPath Tests"); + + suite.addTestSuite(NistCertPathTest.class); + + return suite; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/test/rsa3/RSA3CertTest.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/rsa3/RSA3CertTest.java new file mode 100644 index 00000000..08ca1026 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/test/rsa3/RSA3CertTest.java @@ -0,0 +1,131 @@ +package org.bouncycastle.jce.provider.test.rsa3; + +import java.security.Security; +import java.security.Signature; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; + +import junit.framework.Test; +import junit.framework.TestCase; +import junit.framework.TestSuite; + +/** + * Marius Schilder's Bleichenbacher's Forgery Attack Tests + */ +public class RSA3CertTest + extends TestCase +{ + public void setUp() + { + if (Security.getProvider("BC") == null) + { + Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); + } + } + + public void testA() + throws Exception + { + doTest("self-testcase-A.pem"); + } + + public void testB() + throws Exception + { + doTest("self-testcase-B.pem"); + } + + public void testC() + throws Exception + { + doTest("self-testcase-C.pem"); + } + + public void testD() + throws Exception + { + doTest("self-testcase-D.pem"); + } + + public void testE() + throws Exception + { + doTest("self-testcase-E.pem"); + } + + public void testF() + throws Exception + { + doTest("self-testcase-F.pem"); + } + + public void testG() + throws Exception + { + doTest("self-testcase-G.pem"); + } + + public void testH() + throws Exception + { + doTest("self-testcase-H.pem"); + } + + public void testI() + throws Exception + { + doTest("self-testcase-I.pem"); + } + + public void testJ() + throws Exception + { + doTest("self-testcase-J.pem"); + } + + public void testL() + throws Exception + { + doTest("self-testcase-L.pem"); + } + + private void doTest( + String certName) + throws Exception + { + X509Certificate cert = loadCert(certName); + byte[] tbs = cert.getTBSCertificate(); + Signature sig = Signature.getInstance(cert.getSigAlgName(), "BC"); + + sig.initVerify(cert.getPublicKey()); + + sig.update(tbs); + + assertFalse(sig.verify(cert.getSignature())); + } + + private X509Certificate loadCert( + String certName) + throws Exception + { + CertificateFactory rd = CertificateFactory.getInstance("X.509", "BC"); + + return (X509Certificate)rd.generateCertificate(getClass().getResourceAsStream(certName)); + } + + public static void main (String[] args) + throws Exception + { + junit.textui.TestRunner.run(suite()); + } + + public static Test suite() + throws Exception + { + TestSuite suite = new TestSuite("Bleichenbacher's Forgery Attack Tests"); + + suite.addTestSuite(RSA3CertTest.class); + + return suite; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ECKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECKeySpec.java new file mode 100644 index 00000000..12157844 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECKeySpec.java @@ -0,0 +1,26 @@ +package org.bouncycastle.jce.spec; + +import java.security.spec.KeySpec; + +/** + * base class for an Elliptic Curve Key Spec + */ +public class ECKeySpec + implements KeySpec +{ + private ECParameterSpec spec; + + protected ECKeySpec( + ECParameterSpec spec) + { + this.spec = spec; + } + + /** + * return the domain parameters for the curve + */ + public ECParameterSpec getParams() + { + return spec; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveGenParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveGenParameterSpec.java new file mode 100644 index 00000000..a5dd319c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveGenParameterSpec.java @@ -0,0 +1,28 @@ +package org.bouncycastle.jce.spec; + +import java.security.spec.AlgorithmParameterSpec; + +/** + * Named curve generation spec + * <p> + * If you are using JDK 1.5 you should be looking at ECGenParameterSpec. + */ +public class ECNamedCurveGenParameterSpec + implements AlgorithmParameterSpec +{ + private String name; + + public ECNamedCurveGenParameterSpec( + String name) + { + this.name = name; + } + + /** + * return the name of the curve the EC domain parameters belong to. + */ + public String getName() + { + return name; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveParameterSpec.java new file mode 100644 index 00000000..47416a22 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveParameterSpec.java @@ -0,0 +1,62 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; + +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.math.ec.ECPoint; + +/** + * specification signifying that the curve parameters can also be + * refered to by name. + * <p> + * If you are using JDK 1.5 you should be looking at ECNamedCurveSpec. + */ +public class ECNamedCurveParameterSpec + extends ECParameterSpec +{ + private String name; + + public ECNamedCurveParameterSpec( + String name, + ECCurve curve, + ECPoint G, + BigInteger n) + { + super(curve, G, n); + + this.name = name; + } + + public ECNamedCurveParameterSpec( + String name, + ECCurve curve, + ECPoint G, + BigInteger n, + BigInteger h) + { + super(curve, G, n, h); + + this.name = name; + } + + public ECNamedCurveParameterSpec( + String name, + ECCurve curve, + ECPoint G, + BigInteger n, + BigInteger h, + byte[] seed) + { + super(curve, G, n, h, seed); + + this.name = name; + } + + /** + * return the name of the curve the EC domain parameters belong to. + */ + public String getName() + { + return name; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveSpec.java new file mode 100644 index 00000000..84ebf70a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECNamedCurveSpec.java @@ -0,0 +1,121 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; +import java.security.spec.ECFieldF2m; +import java.security.spec.ECFieldFp; +import java.security.spec.ECPoint; +import java.security.spec.EllipticCurve; + +import org.bouncycastle.math.ec.ECCurve; + +/** + * specification signifying that the curve parameters can also be + * referred to by name. + */ +public class ECNamedCurveSpec + extends java.security.spec.ECParameterSpec +{ + private String name; + + private static EllipticCurve convertCurve( + ECCurve curve, + byte[] seed) + { + if (curve instanceof ECCurve.Fp) + { + return new EllipticCurve(new ECFieldFp(((ECCurve.Fp)curve).getQ()), curve.getA().toBigInteger(), curve.getB().toBigInteger(), seed); + } + else + { + ECCurve.F2m curveF2m = (ECCurve.F2m)curve; + int ks[]; + + if (curveF2m.isTrinomial()) + { + ks = new int[] { curveF2m.getK1() }; + + return new EllipticCurve(new ECFieldF2m(curveF2m.getM(), ks), curve.getA().toBigInteger(), curve.getB().toBigInteger(), seed); + } + else + { + ks = new int[] { curveF2m.getK3(), curveF2m.getK2(), curveF2m.getK1() }; + + return new EllipticCurve(new ECFieldF2m(curveF2m.getM(), ks), curve.getA().toBigInteger(), curve.getB().toBigInteger(), seed); + } + } + + } + + private static ECPoint convertPoint( + org.bouncycastle.math.ec.ECPoint g) + { + return new ECPoint(g.getX().toBigInteger(), g.getY().toBigInteger()); + } + + public ECNamedCurveSpec( + String name, + ECCurve curve, + org.bouncycastle.math.ec.ECPoint g, + BigInteger n) + { + super(convertCurve(curve, null), convertPoint(g), n, 1); + + this.name = name; + } + + public ECNamedCurveSpec( + String name, + EllipticCurve curve, + ECPoint g, + BigInteger n) + { + super(curve, g, n, 1); + + this.name = name; + } + + public ECNamedCurveSpec( + String name, + ECCurve curve, + org.bouncycastle.math.ec.ECPoint g, + BigInteger n, + BigInteger h) + { + super(convertCurve(curve, null), convertPoint(g), n, h.intValue()); + + this.name = name; + } + + public ECNamedCurveSpec( + String name, + EllipticCurve curve, + ECPoint g, + BigInteger n, + BigInteger h) + { + super(curve, g, n, h.intValue()); + + this.name = name; + } + + public ECNamedCurveSpec( + String name, + ECCurve curve, + org.bouncycastle.math.ec.ECPoint g, + BigInteger n, + BigInteger h, + byte[] seed) + { + super(convertCurve(curve, seed), convertPoint(g), n, h.intValue()); + + this.name = name; + } + + /** + * return the name of the curve the EC domain parameters belong to. + */ + public String getName() + { + return name; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ECParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECParameterSpec.java new file mode 100644 index 00000000..e774a11e --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECParameterSpec.java @@ -0,0 +1,121 @@ +package org.bouncycastle.jce.spec; + +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.math.ec.ECPoint; + +import java.math.BigInteger; +import java.security.spec.AlgorithmParameterSpec; + +/** + * basic domain parameters for an Elliptic Curve public or private key. + */ +public class ECParameterSpec + implements AlgorithmParameterSpec +{ + private ECCurve curve; + private byte[] seed; + private ECPoint G; + private BigInteger n; + private BigInteger h; + + public ECParameterSpec( + ECCurve curve, + ECPoint G, + BigInteger n) + { + this.curve = curve; + this.G = G; + this.n = n; + this.h = BigInteger.valueOf(1); + this.seed = null; + } + + public ECParameterSpec( + ECCurve curve, + ECPoint G, + BigInteger n, + BigInteger h) + { + this.curve = curve; + this.G = G; + this.n = n; + this.h = h; + this.seed = null; + } + + public ECParameterSpec( + ECCurve curve, + ECPoint G, + BigInteger n, + BigInteger h, + byte[] seed) + { + this.curve = curve; + this.G = G; + this.n = n; + this.h = h; + this.seed = seed; + } + + /** + * return the curve along which the base point lies. + * @return the curve + */ + public ECCurve getCurve() + { + return curve; + } + + /** + * return the base point we are using for these domain parameters. + * @return the base point. + */ + public ECPoint getG() + { + return G; + } + + /** + * return the order N of G + * @return the order + */ + public BigInteger getN() + { + return n; + } + + /** + * return the cofactor H to the order of G. + * @return the cofactor + */ + public BigInteger getH() + { + return h; + } + + /** + * return the seed used to generate this curve (if available). + * @return the random seed + */ + public byte[] getSeed() + { + return seed; + } + + public boolean equals(Object o) + { + if (!(o instanceof ECParameterSpec)) + { + return false; + } + + ECParameterSpec other = (ECParameterSpec)o; + + return this.getCurve().equals(other.getCurve()) && this.getG().equals(other.getG()); + } + + public int hashCode() + { + return this.getCurve().hashCode() ^ this.getG().hashCode(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ECPrivateKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECPrivateKeySpec.java new file mode 100644 index 00000000..27885c40 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECPrivateKeySpec.java @@ -0,0 +1,35 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; + +/** + * Elliptic Curve private key specification. + */ +public class ECPrivateKeySpec + extends ECKeySpec +{ + private BigInteger d; + + /** + * base constructor + * + * @param d the private number for the key. + * @param spec the domain parameters for the curve being used. + */ + public ECPrivateKeySpec( + BigInteger d, + ECParameterSpec spec) + { + super(spec); + + this.d = d; + } + + /** + * return the private number D + */ + public BigInteger getD() + { + return d; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ECPublicKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECPublicKeySpec.java new file mode 100644 index 00000000..debab004 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ECPublicKeySpec.java @@ -0,0 +1,35 @@ +package org.bouncycastle.jce.spec; + +import org.bouncycastle.math.ec.ECPoint; + +/** + * Elliptic Curve public key specification + */ +public class ECPublicKeySpec + extends ECKeySpec +{ + private ECPoint q; + + /** + * base constructor + * + * @param q the public point on the curve. + * @param spec the domain parameters for the curve. + */ + public ECPublicKeySpec( + ECPoint q, + ECParameterSpec spec) + { + super(spec); + + this.q = q; + } + + /** + * return the public point q + */ + public ECPoint getQ() + { + return q; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalGenParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalGenParameterSpec.java new file mode 100644 index 00000000..200d2b4d --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalGenParameterSpec.java @@ -0,0 +1,28 @@ +package org.bouncycastle.jce.spec; + +import java.security.spec.AlgorithmParameterSpec; + +public class ElGamalGenParameterSpec + implements AlgorithmParameterSpec +{ + private int primeSize; + + /* + * @param primeSize the size (in bits) of the prime modulus. + */ + public ElGamalGenParameterSpec( + int primeSize) + { + this.primeSize = primeSize; + } + + /** + * Returns the size in bits of the prime modulus. + * + * @return the size in bits of the prime modulus + */ + public int getPrimeSize() + { + return primeSize; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalKeySpec.java new file mode 100644 index 00000000..5e3eb663 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalKeySpec.java @@ -0,0 +1,20 @@ +package org.bouncycastle.jce.spec; + +import java.security.spec.KeySpec; + +public class ElGamalKeySpec + implements KeySpec +{ + private ElGamalParameterSpec spec; + + public ElGamalKeySpec( + ElGamalParameterSpec spec) + { + this.spec = spec; + } + + public ElGamalParameterSpec getParams() + { + return spec; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalParameterSpec.java new file mode 100644 index 00000000..10ed1c5d --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalParameterSpec.java @@ -0,0 +1,46 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; +import java.security.spec.AlgorithmParameterSpec; + +public class ElGamalParameterSpec + implements AlgorithmParameterSpec +{ + private BigInteger p; + private BigInteger g; + + /** + * Constructs a parameter set for Diffie-Hellman, using a prime modulus + * <code>p</code> and a base generator <code>g</code>. + * + * @param p the prime modulus + * @param g the base generator + */ + public ElGamalParameterSpec( + BigInteger p, + BigInteger g) + { + this.p = p; + this.g = g; + } + + /** + * Returns the prime modulus <code>p</code>. + * + * @return the prime modulus <code>p</code> + */ + public BigInteger getP() + { + return p; + } + + /** + * Returns the base generator <code>g</code>. + * + * @return the base generator <code>g</code> + */ + public BigInteger getG() + { + return g; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalPrivateKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalPrivateKeySpec.java new file mode 100644 index 00000000..3a3c6e48 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalPrivateKeySpec.java @@ -0,0 +1,33 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; + +/** + * This class specifies an ElGamal private key with its associated parameters. + * + * @see ElGamalPublicKeySpec + */ +public class ElGamalPrivateKeySpec + extends ElGamalKeySpec +{ + private BigInteger x; + + public ElGamalPrivateKeySpec( + BigInteger x, + ElGamalParameterSpec spec) + { + super(spec); + + this.x = x; + } + + /** + * Returns the private value <code>x</code>. + * + * @return the private value <code>x</code> + */ + public BigInteger getX() + { + return x; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalPublicKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalPublicKeySpec.java new file mode 100644 index 00000000..c0e6dba1 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/ElGamalPublicKeySpec.java @@ -0,0 +1,33 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; + +/** + * This class specifies an ElGamal public key with its associated parameters. + * + * @see ElGamalPrivateKeySpec + */ +public class ElGamalPublicKeySpec + extends ElGamalKeySpec +{ + private BigInteger y; + + public ElGamalPublicKeySpec( + BigInteger y, + ElGamalParameterSpec spec) + { + super(spec); + + this.y = y; + } + + /** + * Returns the public value <code>y</code>. + * + * @return the public value <code>y</code> + */ + public BigInteger getY() + { + return y; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST28147ParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST28147ParameterSpec.java new file mode 100644 index 00000000..384d871c --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST28147ParameterSpec.java @@ -0,0 +1,73 @@ +package org.bouncycastle.jce.spec; + +import java.security.spec.AlgorithmParameterSpec; + +import org.bouncycastle.crypto.engines.GOST28147Engine; + +/** + * A parameter spec for the GOST-28147 cipher. + */ +public class GOST28147ParameterSpec + implements AlgorithmParameterSpec +{ + private byte[] iv = null; + private byte[] sBox = null; + + public GOST28147ParameterSpec( + byte[] sBox) + { + this.sBox = new byte[sBox.length]; + + System.arraycopy(sBox, 0, this.sBox, 0, sBox.length); + } + + public GOST28147ParameterSpec( + byte[] sBox, + byte[] iv) + { + this(sBox); + this.iv = new byte[iv.length]; + + System.arraycopy(iv, 0, this.iv, 0, iv.length); + } + + public GOST28147ParameterSpec( + String sBoxName) + { + this.sBox = GOST28147Engine.getSBox(sBoxName); + } + + public GOST28147ParameterSpec( + String sBoxName, + byte[] iv) + { + this(sBoxName); + this.iv = new byte[iv.length]; + + System.arraycopy(iv, 0, this.iv, 0, iv.length); + } + + public byte[] getSbox() + { + return sBox; + } + + /** + * Returns the IV or null if this parameter set does not contain an IV. + * + * @return the IV or null if this parameter set does not contain an IV. + */ + public byte[] getIV() + { + if (iv == null) + { + return null; + } + + byte[] tmp = new byte[iv.length]; + + System.arraycopy(iv, 0, tmp, 0, tmp.length); + + return tmp; + } +}
\ No newline at end of file diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410ParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410ParameterSpec.java new file mode 100644 index 00000000..6e0980db --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410ParameterSpec.java @@ -0,0 +1,133 @@ +package org.bouncycastle.jce.spec; + +import java.security.spec.AlgorithmParameterSpec; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.cryptopro.GOST3410NamedParameters; +import org.bouncycastle.asn1.cryptopro.GOST3410ParamSetParameters; +import org.bouncycastle.asn1.cryptopro.GOST3410PublicKeyAlgParameters; +import org.bouncycastle.jce.interfaces.GOST3410Params; + +/** + * ParameterSpec for a GOST 3410-94 key. + */ +public class GOST3410ParameterSpec + implements AlgorithmParameterSpec, GOST3410Params +{ + private GOST3410PublicKeyParameterSetSpec keyParameters; + private String keyParamSetOID; + private String digestParamSetOID; + private String encryptionParamSetOID; + + public GOST3410ParameterSpec( + String keyParamSetID, + String digestParamSetOID, + String encryptionParamSetOID) + { + GOST3410ParamSetParameters ecP = null; + + try + { + ecP = GOST3410NamedParameters.getByOID(new ASN1ObjectIdentifier(keyParamSetID)); + } + catch (IllegalArgumentException e) + { + ASN1ObjectIdentifier oid = GOST3410NamedParameters.getOID(keyParamSetID); + if (oid != null) + { + keyParamSetID = oid.getId(); + ecP = GOST3410NamedParameters.getByOID(oid); + } + } + + if (ecP == null) + { + throw new IllegalArgumentException("no key parameter set for passed in name/OID."); + } + + this.keyParameters = new GOST3410PublicKeyParameterSetSpec( + ecP.getP(), + ecP.getQ(), + ecP.getA()); + + this.keyParamSetOID = keyParamSetID; + this.digestParamSetOID = digestParamSetOID; + this.encryptionParamSetOID = encryptionParamSetOID; + } + + public GOST3410ParameterSpec( + String keyParamSetID, + String digestParamSetOID) + { + this(keyParamSetID, digestParamSetOID, null); + } + + public GOST3410ParameterSpec( + String keyParamSetID) + { + this(keyParamSetID, CryptoProObjectIdentifiers.gostR3411_94_CryptoProParamSet.getId(), null); + } + + public GOST3410ParameterSpec( + GOST3410PublicKeyParameterSetSpec spec) + { + this.keyParameters = spec; + this.digestParamSetOID = CryptoProObjectIdentifiers.gostR3411_94_CryptoProParamSet.getId(); + this.encryptionParamSetOID = null; + } + + public String getPublicKeyParamSetOID() + { + return this.keyParamSetOID; + } + + public GOST3410PublicKeyParameterSetSpec getPublicKeyParameters() + { + return keyParameters; + } + + public String getDigestParamSetOID() + { + return this.digestParamSetOID; + } + + public String getEncryptionParamSetOID() + { + return this.encryptionParamSetOID; + } + + public boolean equals(Object o) + { + if (o instanceof GOST3410ParameterSpec) + { + GOST3410ParameterSpec other = (GOST3410ParameterSpec)o; + + return this.keyParameters.equals(other.keyParameters) + && this.digestParamSetOID.equals(other.digestParamSetOID) + && (this.encryptionParamSetOID == other.encryptionParamSetOID + || (this.encryptionParamSetOID != null && this.encryptionParamSetOID.equals(other.encryptionParamSetOID))); + } + + return false; + } + + public int hashCode() + { + return this.keyParameters.hashCode() ^ this.digestParamSetOID.hashCode() + ^ (this.encryptionParamSetOID != null ? this.encryptionParamSetOID.hashCode() : 0); + } + + public static GOST3410ParameterSpec fromPublicKeyAlg( + GOST3410PublicKeyAlgParameters params) + { + if (params.getEncryptionParamSet() != null) + { + return new GOST3410ParameterSpec(params.getPublicKeyParamSet().getId(), params.getDigestParamSet().getId(), params.getEncryptionParamSet().getId()); + } + else + { + return new GOST3410ParameterSpec(params.getPublicKeyParamSet().getId(), params.getDigestParamSet().getId()); + } + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PrivateKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PrivateKeySpec.java new file mode 100644 index 00000000..5ea13856 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PrivateKeySpec.java @@ -0,0 +1,70 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; +import java.security.spec.KeySpec; + +/** + * This class specifies a GOST3410-94 private key with its associated parameters. + */ + +public class GOST3410PrivateKeySpec + implements KeySpec +{ + private BigInteger x; + private BigInteger p; + private BigInteger q; + private BigInteger a; + + /** + * Creates a new GOST3410PrivateKeySpec with the specified parameter values. + * + * @param x the private key. + * @param p the prime. + * @param q the sub-prime. + * @param a the base. + */ + public GOST3410PrivateKeySpec(BigInteger x, BigInteger p, BigInteger q, + BigInteger a) + { + this.x = x; + this.p = p; + this.q = q; + this.a = a; + } + + /** + * Returns the private key <code>x</code>. + * @return the private key <code>x</code>. + */ + public BigInteger getX() + { + return this.x; + } + + /** + * Returns the prime <code>p</code>. + * @return the prime <code>p</code>. + */ + public BigInteger getP() + { + return this.p; + } + + /** + * Returns the sub-prime <code>q</code>. + * @return the sub-prime <code>q</code>. + */ + public BigInteger getQ() + { + return this.q; + } + + /** + * Returns the base <code>a</code>. + * @return the base <code>a</code>. + */ + public BigInteger getA() + { + return this.a; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PublicKeyParameterSetSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PublicKeyParameterSetSpec.java new file mode 100644 index 00000000..9e4e650a --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PublicKeyParameterSetSpec.java @@ -0,0 +1,78 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; + +/** + * ParameterSpec for a GOST 3410-94 key parameters. + */ +public class GOST3410PublicKeyParameterSetSpec +{ + private BigInteger p; + private BigInteger q; + private BigInteger a; + + /** + * Creates a new GOST3410ParameterSpec with the specified parameter values. + * + * @param p the prime. + * @param q the sub-prime. + * @param a the base. + */ + public GOST3410PublicKeyParameterSetSpec( + BigInteger p, + BigInteger q, + BigInteger a) + { + this.p = p; + this.q = q; + this.a = a; + } + + /** + * Returns the prime <code>p</code>. + * + * @return the prime <code>p</code>. + */ + public BigInteger getP() + { + return this.p; + } + + /** + * Returns the sub-prime <code>q</code>. + * + * @return the sub-prime <code>q</code>. + */ + public BigInteger getQ() + { + return this.q; + } + + /** + * Returns the base <code>a</code>. + * + * @return the base <code>a</code>. + */ + public BigInteger getA() + { + return this.a; + } + + public boolean equals( + Object o) + { + if (o instanceof GOST3410PublicKeyParameterSetSpec) + { + GOST3410PublicKeyParameterSetSpec other = (GOST3410PublicKeyParameterSetSpec)o; + + return this.a.equals(other.a) && this.p.equals(other.p) && this.q.equals(other.q); + } + + return false; + } + + public int hashCode() + { + return a.hashCode() ^ p.hashCode() ^ q.hashCode(); + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PublicKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PublicKeySpec.java new file mode 100644 index 00000000..7b65c064 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/GOST3410PublicKeySpec.java @@ -0,0 +1,78 @@ +package org.bouncycastle.jce.spec; + +import java.math.BigInteger; +import java.security.spec.KeySpec; + +/** + * This class specifies a GOST3410-94 public key with its associated parameters. + */ + +public class GOST3410PublicKeySpec + implements KeySpec +{ + + private BigInteger y; + private BigInteger p; + private BigInteger q; + private BigInteger a; + + /** + * Creates a new GOST3410PublicKeySpec with the specified parameter values. + * + * @param y the public key. + * @param p the prime. + * @param q the sub-prime. + * @param a the base. + */ + public GOST3410PublicKeySpec( + BigInteger y, + BigInteger p, + BigInteger q, + BigInteger a) + { + this.y = y; + this.p = p; + this.q = q; + this.a = a; + } + + /** + * Returns the public key <code>y</code>. + * + * @return the public key <code>y</code>. + */ + public BigInteger getY() + { + return this.y; + } + + /** + * Returns the prime <code>p</code>. + * + * @return the prime <code>p</code>. + */ + public BigInteger getP() + { + return this.p; + } + + /** + * Returns the sub-prime <code>q</code>. + * + * @return the sub-prime <code>q</code>. + */ + public BigInteger getQ() + { + return this.q; + } + + /** + * Returns the base <code>g</code>. + * + * @return the base <code>g</code>. + */ + public BigInteger getA() + { + return this.a; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/IEKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/IEKeySpec.java new file mode 100644 index 00000000..9859a22b --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/IEKeySpec.java @@ -0,0 +1,70 @@ +package org.bouncycastle.jce.spec; + +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.spec.KeySpec; + +import org.bouncycastle.jce.interfaces.IESKey; + +/** + * key pair for use with an integrated encryptor - together + * they provide what's required to generate the message. + */ +public class IEKeySpec + implements KeySpec, IESKey +{ + private PublicKey pubKey; + private PrivateKey privKey; + + /** + * @param privKey our private key. + * @param pubKey the public key of the sender/recipient. + */ + public IEKeySpec( + PrivateKey privKey, + PublicKey pubKey) + { + this.privKey = privKey; + this.pubKey = pubKey; + } + + /** + * return the intended recipient's/sender's public key. + */ + public PublicKey getPublic() + { + return pubKey; + } + + /** + * return the local private key. + */ + public PrivateKey getPrivate() + { + return privKey; + } + + /** + * return "IES" + */ + public String getAlgorithm() + { + return "IES"; + } + + /** + * return null + */ + public String getFormat() + { + return null; + } + + /** + * returns null + */ + public byte[] getEncoded() + { + return null; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/IESParameterSpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/IESParameterSpec.java new file mode 100644 index 00000000..165df9f1 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/IESParameterSpec.java @@ -0,0 +1,104 @@ +package org.bouncycastle.jce.spec; + +import java.security.spec.AlgorithmParameterSpec; + +/** + * Parameter spec for an integrated encryptor, as in IEEE P1363a + */ +public class IESParameterSpec + implements AlgorithmParameterSpec +{ + private byte[] derivation; + private byte[] encoding; + private int macKeySize; + private int cipherKeySize; + + + /** + * Set the IES engine parameters. + * + * @param derivation the optional derivation vector for the KDF. + * @param encoding the optional encoding vector for the KDF. + * @param macKeySize the key size (in bits) for the MAC. + */ + public IESParameterSpec( + byte[] derivation, + byte[] encoding, + int macKeySize) + { + this(derivation, encoding, macKeySize, -1); + } + + + /** + * Set the IES engine parameters. + * + * @param derivation the optional derivation vector for the KDF. + * @param encoding the optional encoding vector for the KDF. + * @param macKeySize the key size (in bits) for the MAC. + * @param cipherKeySize the key size (in bits) for the block cipher. + */ + public IESParameterSpec( + byte[] derivation, + byte[] encoding, + int macKeySize, + int cipherKeySize) + { + if (derivation != null) + { + this.derivation = new byte[derivation.length]; + System.arraycopy(derivation, 0, this.derivation, 0, derivation.length); + } + else + { + this.derivation = null; + } + + if (encoding != null) + { + this.encoding = new byte[encoding.length]; + System.arraycopy(encoding, 0, this.encoding, 0, encoding.length); + } + else + { + this.encoding = null; + } + + this.macKeySize = macKeySize; + this.cipherKeySize = cipherKeySize; + } + + + /** + * return the derivation vector. + */ + public byte[] getDerivationV() + { + return derivation; + } + + /** + * return the encoding vector. + */ + public byte[] getEncodingV() + { + return encoding; + } + + /** + * return the key size in bits for the MAC used with the message + */ + public int getMacKeySize() + { + return macKeySize; + } + + /** + * return the key size in bits for the block cipher used with the message + */ + public int getCipherKeySize() + { + return cipherKeySize; + } + +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/MQVPrivateKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/MQVPrivateKeySpec.java new file mode 100644 index 00000000..bdd988d0 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/MQVPrivateKeySpec.java @@ -0,0 +1,93 @@ +package org.bouncycastle.jce.spec; + +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.spec.KeySpec; + +import org.bouncycastle.jce.interfaces.MQVPrivateKey; + +/** + * Static/ephemeral private key (pair) for use with ECMQV key agreement + * (Optionally provides the ephemeral public key) + */ +public class MQVPrivateKeySpec + implements KeySpec, MQVPrivateKey +{ + private PrivateKey staticPrivateKey; + private PrivateKey ephemeralPrivateKey; + private PublicKey ephemeralPublicKey; + + /** + * @param staticPrivateKey the static private key. + * @param ephemeralPrivateKey the ephemeral private key. + */ + public MQVPrivateKeySpec( + PrivateKey staticPrivateKey, + PrivateKey ephemeralPrivateKey) + { + this(staticPrivateKey, ephemeralPrivateKey, null); + } + + /** + * @param staticPrivateKey the static private key. + * @param ephemeralPrivateKey the ephemeral private key. + * @param ephemeralPublicKey the ephemeral public key (may be null). + */ + public MQVPrivateKeySpec( + PrivateKey staticPrivateKey, + PrivateKey ephemeralPrivateKey, + PublicKey ephemeralPublicKey) + { + this.staticPrivateKey = staticPrivateKey; + this.ephemeralPrivateKey = ephemeralPrivateKey; + this.ephemeralPublicKey = ephemeralPublicKey; + } + + /** + * return the static private key + */ + public PrivateKey getStaticPrivateKey() + { + return staticPrivateKey; + } + + /** + * return the ephemeral private key + */ + public PrivateKey getEphemeralPrivateKey() + { + return ephemeralPrivateKey; + } + + /** + * return the ephemeral public key (may be null) + */ + public PublicKey getEphemeralPublicKey() + { + return ephemeralPublicKey; + } + + /** + * return "ECMQV" + */ + public String getAlgorithm() + { + return "ECMQV"; + } + + /** + * return null + */ + public String getFormat() + { + return null; + } + + /** + * returns null + */ + public byte[] getEncoded() + { + return null; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/MQVPublicKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/MQVPublicKeySpec.java new file mode 100644 index 00000000..8b50d05f --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/MQVPublicKeySpec.java @@ -0,0 +1,68 @@ +package org.bouncycastle.jce.spec; + +import java.security.PublicKey; +import java.security.spec.KeySpec; + +import org.bouncycastle.jce.interfaces.MQVPublicKey; + +/** + * Static/ephemeral public key pair for use with ECMQV key agreement + */ +public class MQVPublicKeySpec + implements KeySpec, MQVPublicKey +{ + private PublicKey staticKey; + private PublicKey ephemeralKey; + + /** + * @param staticKey the static public key. + * @param ephemeralKey the ephemeral public key. + */ + public MQVPublicKeySpec( + PublicKey staticKey, + PublicKey ephemeralKey) + { + this.staticKey = staticKey; + this.ephemeralKey = ephemeralKey; + } + + /** + * return the static public key + */ + public PublicKey getStaticKey() + { + return staticKey; + } + + /** + * return the ephemeral public key + */ + public PublicKey getEphemeralKey() + { + return ephemeralKey; + } + + /** + * return "ECMQV" + */ + public String getAlgorithm() + { + return "ECMQV"; + } + + /** + * return null + */ + public String getFormat() + { + return null; + } + + /** + * returns null + */ + public byte[] getEncoded() + { + return null; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/RepeatedSecretKeySpec.java b/bcprov/src/main/java/org/bouncycastle/jce/spec/RepeatedSecretKeySpec.java new file mode 100644 index 00000000..2a7ceb53 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/RepeatedSecretKeySpec.java @@ -0,0 +1,34 @@ +package org.bouncycastle.jce.spec; + + +import javax.crypto.SecretKey; + +/** + * A simple object to indicate that a symmetric cipher should reuse the + * last key provided. + */ +public class RepeatedSecretKeySpec + implements SecretKey +{ + private String algorithm; + + public RepeatedSecretKeySpec(String algorithm) + { + this.algorithm = algorithm; + } + + public String getAlgorithm() + { + return algorithm; + } + + public String getFormat() + { + return null; + } + + public byte[] getEncoded() + { + return null; + } +} diff --git a/bcprov/src/main/java/org/bouncycastle/jce/spec/package.html b/bcprov/src/main/java/org/bouncycastle/jce/spec/package.html new file mode 100644 index 00000000..6f370577 --- /dev/null +++ b/bcprov/src/main/java/org/bouncycastle/jce/spec/package.html @@ -0,0 +1,5 @@ +<html> +<body bgcolor="#ffffff"> +Parameter specifications for supporting El Gamal, and Elliptic Curve. +</body> +</html> |