1. Project Clover database Tue Dec 20 2016 21:24:09 CET
  2. Package org.xwiki.crypto.pkix.internal

File BcX509CertificateGeneratorFactoryTest.java

 

Code metrics

12
122
10
1
467
362
16
0.13
12.2
10
1.6

Classes

Class Line # Actions
BcX509CertificateGeneratorFactoryTest 89 122 0% 16 2
0.986111198.6%
 

Contributing tests

This file is covered by 6 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.crypto.pkix.internal;
21   
22    import java.net.InetAddress;
23    import java.net.URI;
24    import java.net.URL;
25    import java.util.Date;
26    import java.util.EnumSet;
27    import java.util.List;
28   
29    import javax.mail.internet.InternetAddress;
30   
31    import org.bouncycastle.util.IPAddress;
32    import org.hamcrest.Matchers;
33    import org.junit.Before;
34    import org.junit.Rule;
35    import org.junit.Test;
36    import org.xwiki.crypto.AbstractPKIXTest;
37    import org.xwiki.crypto.AsymmetricKeyFactory;
38    import org.xwiki.crypto.BinaryStringEncoder;
39    import org.xwiki.crypto.internal.DefaultSecureRandomProvider;
40    import org.xwiki.crypto.internal.asymmetric.keyfactory.BcDSAKeyFactory;
41    import org.xwiki.crypto.internal.asymmetric.keyfactory.BcRSAKeyFactory;
42    import org.xwiki.crypto.internal.digest.factory.BcSHA1DigestFactory;
43    import org.xwiki.crypto.internal.encoder.Base64BinaryStringEncoder;
44    import org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters;
45    import org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters;
46    import org.xwiki.crypto.pkix.CertificateGenerator;
47    import org.xwiki.crypto.pkix.CertificateGeneratorFactory;
48    import org.xwiki.crypto.pkix.CertifyingSigner;
49    import org.xwiki.crypto.pkix.X509ExtensionBuilder;
50    import org.xwiki.crypto.pkix.internal.extension.DefaultX509ExtensionBuilder;
51    import org.xwiki.crypto.pkix.params.CertifiedKeyPair;
52    import org.xwiki.crypto.pkix.params.CertifiedPublicKey;
53    import org.xwiki.crypto.pkix.params.PrincipalIndentifier;
54    import org.xwiki.crypto.pkix.params.x509certificate.DistinguishedName;
55    import org.xwiki.crypto.pkix.params.x509certificate.X509CertificateGenerationParameters;
56    import org.xwiki.crypto.pkix.params.x509certificate.X509CertificateParameters;
57    import org.xwiki.crypto.pkix.params.x509certificate.X509CertifiedPublicKey;
58    import org.xwiki.crypto.pkix.params.x509certificate.extension.ExtendedKeyUsages;
59    import org.xwiki.crypto.pkix.params.x509certificate.extension.KeyUsage;
60    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509DirectoryName;
61    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509DnsName;
62    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509Extensions;
63    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName;
64    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509IpAddress;
65    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509Rfc822Name;
66    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509StringGeneralName;
67    import org.xwiki.crypto.pkix.params.x509certificate.extension.X509URI;
68    import org.xwiki.crypto.signer.SignerFactory;
69    import org.xwiki.crypto.signer.internal.factory.BcDSAwithSHA1SignerFactory;
70    import org.xwiki.crypto.signer.internal.factory.BcSHA1withRsaSignerFactory;
71    import org.xwiki.crypto.signer.internal.factory.DefaultSignerFactory;
72    import org.xwiki.test.annotation.ComponentList;
73    import org.xwiki.test.mockito.MockitoComponentMockingRule;
74   
75    import static org.hamcrest.Matchers.greaterThan;
76    import static org.hamcrest.Matchers.lessThan;
77    import static org.hamcrest.Matchers.notNullValue;
78    import static org.hamcrest.core.AnyOf.anyOf;
79    import static org.hamcrest.core.IsEqual.equalTo;
80    import static org.hamcrest.core.IsInstanceOf.instanceOf;
81    import static org.junit.Assert.assertFalse;
82    import static org.junit.Assert.assertThat;
83    import static org.junit.Assert.assertTrue;
84    import static org.junit.Assert.fail;
85   
86    @ComponentList({Base64BinaryStringEncoder.class, DefaultSecureRandomProvider.class, BcRSAKeyFactory.class,
87    BcDSAKeyFactory.class, BcSHA1DigestFactory.class, BcSHA1withRsaSignerFactory.class, DefaultSignerFactory.class,
88    BcX509CertificateFactory.class, BcDSAwithSHA1SignerFactory.class})
 
89    public class BcX509CertificateGeneratorFactoryTest extends AbstractPKIXTest
90    {
91    @Rule
92    public final MockitoComponentMockingRule<CertificateGeneratorFactory> mocker =
93    new MockitoComponentMockingRule<CertificateGeneratorFactory>(BcX509CertificateGeneratorFactory.class);
94   
95    @Rule
96    public final MockitoComponentMockingRule<X509ExtensionBuilder> builderMocker =
97    new MockitoComponentMockingRule<X509ExtensionBuilder>(DefaultX509ExtensionBuilder.class);
98   
99    private CertificateGeneratorFactory factory;
100    private SignerFactory signerFactory;
101    private static PrivateKeyParameters rsaPrivateKey;
102    private static PublicKeyParameters rsaPublicKey;
103    private static PrivateKeyParameters interCaDsaPrivateKey;
104    private static PublicKeyParameters interCaDsaPublicKey;
105    @SuppressWarnings("unused")
106    private static PrivateKeyParameters dsaPrivateKey;
107    private static PublicKeyParameters dsaPublicKey;
108   
 
109  6 toggle public void setupTest(MockitoComponentMockingRule<CertificateGeneratorFactory> mocker) throws Exception
110    {
111    // Decode keys once for all tests.
112  6 if (rsaPrivateKey == null) {
113  1 BinaryStringEncoder base64encoder = mocker.getInstance(BinaryStringEncoder.class, "Base64");
114  1 AsymmetricKeyFactory keyFactory = mocker.getInstance(AsymmetricKeyFactory.class, "RSA");
115  1 rsaPrivateKey = keyFactory.fromPKCS8(base64encoder.decode(RSA_PRIVATE_KEY));
116  1 rsaPublicKey = keyFactory.fromX509(base64encoder.decode(RSA_PUBLIC_KEY));
117  1 keyFactory = mocker.getInstance(AsymmetricKeyFactory.class, "DSA");
118  1 interCaDsaPrivateKey = keyFactory.fromPKCS8(base64encoder.decode(INTERCA_DSA_PRIVATE_KEY));
119  1 interCaDsaPublicKey = keyFactory.fromX509(base64encoder.decode(INTERCA_DSA_PUBLIC_KEY));
120  1 dsaPrivateKey = keyFactory.fromPKCS8(base64encoder.decode(DSA_PRIVATE_KEY));
121  1 dsaPublicKey = keyFactory.fromX509(base64encoder.decode(DSA_PUBLIC_KEY));
122    }
123    }
124   
 
125  6 toggle @Before
126    public void configure() throws Exception
127    {
128  6 factory = mocker.getComponentUnderTest();
129  6 signerFactory = mocker.getInstance(SignerFactory.class, "SHA1withRSAEncryption");
130  6 setupTest(mocker);
131    }
132   
133    /*
134    private void dumpCert(CertifiedPublicKey certificate) throws Exception {
135    BinaryStringEncoder base64encoder = mocker.getInstance(BinaryStringEncoder.class, "Base64");
136    System.out.println("-----BEGIN CERTIFICATE-----");
137    System.out.println(base64encoder.encode(certificate.getEncoded(), 64));
138    System.out.println("-----END CERTIFICATE-----");
139    }
140    */
141   
 
142  3 toggle private X509CertifiedPublicKey checkSelfSigned(CertifiedPublicKey certificate, int version) throws Exception {
143  3 assertThat(certificate.getIssuer(), equalTo((PrincipalIndentifier) new DistinguishedName("CN=Test")));
144  3 assertThat(certificate.getSubject(), equalTo((PrincipalIndentifier) new DistinguishedName("CN=Test")));
145  3 assertThat(certificate.getIssuer(), equalTo(certificate.getSubject()));
146  3 assertTrue("Signature should match used private key.", certificate.isSignedBy(rsaPublicKey));
147  3 assertTrue("Signature should match subject public key.",
148    certificate.isSignedBy(certificate.getPublicKeyParameters()));
149   
150  3 assertThat(certificate, instanceOf(X509CertifiedPublicKey.class));
151  3 X509CertifiedPublicKey x509cert = (X509CertifiedPublicKey) certificate;
152   
153    //dumpCert(certificate);
154   
155  3 assertThat(x509cert.getVersionNumber(), equalTo(version));
156   
157  3 Date yesterday = new Date(System.currentTimeMillis() - 86400000);
158  3 Date inMoreThan500Days = new Date(System.currentTimeMillis() + 43286400000L);
159   
160  3 assertTrue("Certificate should be valid today.", x509cert.isValidOn(new Date()));
161  3 assertThat(x509cert.getNotBefore().getTime(), greaterThan(yesterday.getTime()));
162  3 assertThat(x509cert.getNotAfter().getTime(), lessThan(inMoreThan500Days.getTime()));
163  3 assertFalse("Certificate should not be valid yesterday.",
164    x509cert.isValidOn(yesterday));
165  3 assertFalse("Certificate should not be valid in more than 500 days.",
166    x509cert.isValidOn(inMoreThan500Days));
167  3 assertTrue(x509cert.isRootCA());
168   
169  3 return x509cert;
170    }
171   
 
172  2 toggle private X509CertifiedPublicKey checkRootSigned(CertifiedPublicKey certificate, int version) throws Exception
173    {
174  2 assertThat(certificate.getIssuer(), equalTo((PrincipalIndentifier) new DistinguishedName("CN=Test CA")));
175  2 assertThat(certificate.getSubject(), equalTo((PrincipalIndentifier) new DistinguishedName("CN=Test End Entity")));
176  2 assertTrue("Signature should match used private key.", certificate.isSignedBy(rsaPublicKey));
177   
178  2 assertThat(certificate, instanceOf(X509CertifiedPublicKey.class));
179  2 X509CertifiedPublicKey x509cert = (X509CertifiedPublicKey) certificate;
180   
181    //dumpCert(certificate);
182   
183  2 assertThat(x509cert.getVersionNumber(), equalTo(version));
184   
185  2 Date yesterday = new Date(System.currentTimeMillis() - 86400000);
186  2 Date inMoreThan500Days = new Date(System.currentTimeMillis() + 43286400000L);
187   
188  2 assertTrue("Certificate should be valid today.", x509cert.isValidOn(new Date()));
189  2 assertThat(x509cert.getNotBefore().getTime(), greaterThan(yesterday.getTime()));
190  2 assertThat(x509cert.getNotAfter().getTime(), lessThan(inMoreThan500Days.getTime()));
191  2 assertFalse("Certificate should not be valid yesterday.",
192    x509cert.isValidOn(yesterday));
193  2 assertFalse("Certificate should not be valid in more than 500 days.",
194    x509cert.isValidOn(inMoreThan500Days));
195  2 assertFalse(x509cert.isRootCA());
196   
197  2 return x509cert;
198    }
199   
200   
 
201  1 toggle @Test
202    public void testGenerateSelfSignedCertificateVersion1() throws Exception
203    {
204  1 CertifiedPublicKey certificate =
205    factory.getInstance(signerFactory.getInstance(true, rsaPrivateKey),
206    new X509CertificateGenerationParameters())
207    .generate(new DistinguishedName("CN=Test"), rsaPublicKey,
208    new X509CertificateParameters());
209   
210  1 checkSelfSigned(certificate, 1);
211    }
212   
 
213  1 toggle @Test
214    public void testGenerateSelfSignedCertificateVersion3WithoutExtension() throws Exception
215    {
216  1 CertifiedPublicKey certificate =
217    factory.getInstance(signerFactory.getInstance(true, rsaPrivateKey),
218    new X509CertificateGenerationParameters(null))
219    .generate(new DistinguishedName("CN=Test"), rsaPublicKey,
220    new X509CertificateParameters());
221   
222  1 checkSelfSigned(certificate, 3);
223    }
224   
 
225  1 toggle @Test
226    public void testGenerateSelfSignedCertificateVersion3RootCa() throws Exception
227    {
228  1 X509ExtensionBuilder builder = builderMocker.getComponentUnderTest();
229   
230  1 CertifiedPublicKey certificate =
231    factory.getInstance(signerFactory.getInstance(true, rsaPrivateKey),
232    new X509CertificateGenerationParameters(
233    builder.addBasicConstraints(true)
234    .addKeyUsage(true, EnumSet.of(KeyUsage.keyCertSign,
235    KeyUsage.cRLSign))
236    .build()))
237    .generate(new DistinguishedName("CN=Test"), rsaPublicKey,
238    new X509CertificateParameters());
239   
240  1 X509CertifiedPublicKey cert = checkSelfSigned(certificate, 3);
241   
242  1 assertTrue("Basic constraints should be critical.", cert.getExtensions().isCritical(X509Extensions.BASIC_CONSTRAINTS_OID));
243  1 assertTrue("Basic constraints should be set to CA.", cert.getExtensions().hasCertificateAuthorityBasicConstraints());
244  1 assertTrue("KeyUsage extension should be critical.", cert.getExtensions().isCritical(KeyUsage.OID));
245  1 assertThat(cert.getExtensions().getKeyUsage(), equalTo(EnumSet.of(KeyUsage.keyCertSign,
246    KeyUsage.cRLSign)));
247  1 assertThat(cert.getAuthorityKeyIdentifier(), notNullValue());
248  1 assertThat(cert.getAuthorityKeyIdentifier(),
249    equalTo(cert.getSubjectKeyIdentifier()));
250    }
251   
 
252  1 toggle @Test
253    public void testGenerateEndEntitySignedCertificateVersion1() throws Exception
254    {
255  1 CertifiedPublicKey caCertificate =
256    factory.getInstance(signerFactory.getInstance(true, rsaPrivateKey),
257    new X509CertificateGenerationParameters(
258    //<validity in days>
259    ))
260    .generate(new DistinguishedName("CN=Test CA"), rsaPublicKey,
261    new X509CertificateParameters());
262   
263    //dumpCert(caCertificate);
264   
265  1 CertifiedPublicKey certificate =
266    factory.getInstance(
267    CertifyingSigner.getInstance(true, new CertifiedKeyPair(rsaPrivateKey, caCertificate), signerFactory),
268    new X509CertificateGenerationParameters(
269    //<validity in days>
270    )
271    ).generate(new DistinguishedName("CN=Test End Entity"), dsaPublicKey,
272    new X509CertificateParameters());
273   
274  1 checkRootSigned(certificate, 1);
275    }
276   
 
277  1 toggle @Test
278    public void testGenerateEndEntitySignedCertificateVersion3() throws Exception
279    {
280  1 X509ExtensionBuilder builder = builderMocker.getComponentUnderTest();
281   
282  1 CertifiedPublicKey caCertificate =
283    factory.getInstance(signerFactory.getInstance(true, rsaPrivateKey),
284    new X509CertificateGenerationParameters(
285    builder.addBasicConstraints(true)
286    .addKeyUsage(true, EnumSet.of(KeyUsage.keyCertSign,
287    KeyUsage.cRLSign))
288    .build()))
289    .generate(new DistinguishedName("CN=Test CA"), rsaPublicKey,
290    new X509CertificateParameters());
291   
292  1 builder = builderMocker.getComponentUnderTest();
293   
294  1 CertificateGenerator generator = factory.getInstance(
295    CertifyingSigner.getInstance(true, new CertifiedKeyPair(rsaPrivateKey, caCertificate), signerFactory),
296    new X509CertificateGenerationParameters(
297    builder.addKeyUsage(EnumSet.of(KeyUsage.digitalSignature,
298    KeyUsage.dataEncipherment))
299    .addExtendedKeyUsage(false,
300    new ExtendedKeyUsages(new String[]{ExtendedKeyUsages.EMAIL_PROTECTION}))
301    .build()));
302   
303  1 builder = builderMocker.getComponentUnderTest();
304   
305  1 CertifiedPublicKey certificate =
306    generator.generate(new DistinguishedName("CN=Test End Entity"), dsaPublicKey,
307    new X509CertificateParameters(
308    builder.addSubjectAltName(false,
309    new X509GeneralName[] {
310    new X509Rfc822Name("test@example.com"),
311    new X509Rfc822Name(new InternetAddress("test@test.com")),
312    new X509DnsName("example.com"),
313    new X509DirectoryName("CN=Test"),
314    new X509IpAddress("192.168.1.1"),
315    new X509IpAddress("192.168.2.0/24"),
316    new X509IpAddress("192.168.3.0/255.255.255.0"),
317    new X509IpAddress(InetAddress.getByName("192.168.4.1")),
318    new X509IpAddress(InetAddress.getByName("192.168.5.0"),InetAddress.getByName("255.255.255.0")),
319    new X509IpAddress("2001:db8:0:85a3::ac1f:8001"),
320    new X509IpAddress("2001:db8:1f89::/48"),
321    new X509IpAddress(InetAddress.getByName("2001:db8:0:85a3::ac1f:8001")),
322    new X509IpAddress(InetAddress.getByName("2001:db8:1f89::"),InetAddress.getByName("ffff:ffff:ffff::")),
323    new X509URI("http://xwiki.org"),
324    new X509URI(new URL("http://myxwiki.org"))
325    })
326    .build()
327    ));
328   
329  1 X509CertifiedPublicKey cert = checkRootSigned(certificate, 3);
330   
331  1 assertThat(cert.getExtensions().getExtensionOID(), equalTo(new String[] {"2.5.29.35", "2.5.29.14", "2.5.29.15", "2.5.29.37", "2.5.29.17"}));
332  1 assertThat(cert.getExtensions().getCriticalExtensionOID(), equalTo(new String[] {"2.5.29.15"}));
333  1 assertThat(cert.getExtensions().getNonCriticalExtensionOID(), equalTo(new String[] {"2.5.29.35", "2.5.29.14", "2.5.29.37", "2.5.29.17"}));
334   
335  1 assertTrue("KeyUsage extension should be critical.", cert.getExtensions().isCritical(KeyUsage.OID));
336  1 assertThat(cert.getExtensions().getKeyUsage(), equalTo(EnumSet.of(KeyUsage.digitalSignature,
337    KeyUsage.dataEncipherment)));
338  1 assertFalse("ExtendedKeyUsage extension should be non critical.",
339    cert.getExtensions().isCritical(ExtendedKeyUsages.OID));
340  1 assertThat(cert.getExtensions().getExtendedKeyUsage().getAll().toArray(new String[0]), equalTo(
341    new String[]{ExtendedKeyUsages.EMAIL_PROTECTION}));
342  1 assertTrue("Email data protection extended usage should be set.",
343    cert.getExtensions().getExtendedKeyUsage().hasUsage(ExtendedKeyUsages.EMAIL_PROTECTION));
344   
345  1 List<X509GeneralName> names = cert.getExtensions().getSubjectAltName();
346   
347  1 assertThat(names.size(), equalTo(15));
348  1 for (X509GeneralName name : names) {
349  15 if (name instanceof X509Rfc822Name) {
350  2 assertThat(((X509StringGeneralName) name).getName(), anyOf(equalTo("test@example.com"), equalTo("test@test.com")));
351  2 assertThat(((X509Rfc822Name) name).getAddress(), anyOf(equalTo(new InternetAddress("test@example.com")),
352    equalTo(new InternetAddress("test@test.com"))));
353  13 } else if (name instanceof X509DnsName) {
354  1 assertThat(((X509StringGeneralName) name).getName(), equalTo("example.com"));
355  1 assertThat(((X509DnsName) name).getDomain(), equalTo("example.com"));
356  12 } else if (name instanceof X509DirectoryName) {
357  1 assertThat(((X509StringGeneralName) name).getName(), equalTo("CN=Test"));
358  11 } else if (name instanceof X509URI) {
359  2 assertThat(((X509StringGeneralName) name).getName(), anyOf(equalTo("http://xwiki.org"),
360    equalTo("http://myxwiki.org")));
361  2 assertThat(((X509URI) name).getURI(), anyOf(equalTo(new URI("http://xwiki.org")),
362    equalTo(new URI("http://myxwiki.org"))));
363  2 assertThat(((X509URI) name).getURL(), anyOf(equalTo(new URL("http://xwiki.org")),
364    equalTo(new URL("http://myxwiki.org"))));
365  9 } else if (name instanceof X509IpAddress) {
366  9 assertTrue("Invalid IP address: " + ((X509StringGeneralName) name).getName(),
367    IPAddress.isValid(((X509StringGeneralName) name).getName())
368    || IPAddress.isValidWithNetMask(((X509StringGeneralName) name).getName()));
369    } else {
370  0 fail("Unexpected SubjectAltName type.");
371    }
372    }
373    }
374   
 
375  1 toggle @Test
376    public void testGenerateIntermediateCertificateVersion3() throws Exception
377    {
378  1 X509ExtensionBuilder builder = builderMocker.getComponentUnderTest();
379   
380  1 CertifiedPublicKey caCertificate =
381    factory.getInstance(signerFactory.getInstance(true, rsaPrivateKey),
382    new X509CertificateGenerationParameters(
383    //<validity in days>,
384    builder.addBasicConstraints(true)
385    .addKeyUsage(true, EnumSet.of(KeyUsage.keyCertSign,
386    KeyUsage.cRLSign))
387    .build()))
388    .generate(new DistinguishedName("CN=Test CA"), rsaPublicKey,
389    new X509CertificateParameters());
390   
391    //dumpCert(caCertificate);
392   
393  1 X509CertifiedPublicKey caKey = (X509CertifiedPublicKey) caCertificate;
394   
395  1 builder = builderMocker.getComponentUnderTest();
396   
397  1 CertificateGenerator generator = factory.getInstance(
398    CertifyingSigner.getInstance(true, new CertifiedKeyPair(rsaPrivateKey, caCertificate), signerFactory),
399    new X509CertificateGenerationParameters(
400    //<validity in days>,
401    builder.addBasicConstraints(0)
402    .addKeyUsage(EnumSet.of(KeyUsage.keyCertSign,
403    KeyUsage.cRLSign))
404    .build()));
405   
406  1 CertifiedPublicKey interCAcert =
407    generator.generate(new DistinguishedName("CN=Test Intermediate CA"), interCaDsaPublicKey,
408    new X509CertificateParameters());
409   
410    //dumpCert(interCAcert);
411   
412  1 assertTrue("Signature should match Root CA key.", interCAcert.isSignedBy(rsaPublicKey));
413  1 assertThat(interCAcert.getIssuer(), equalTo(caCertificate.getSubject()));
414  1 assertThat(interCAcert.getSubject(),
415    equalTo((PrincipalIndentifier) new DistinguishedName("CN=Test Intermediate CA")));
416  1 assertThat(interCAcert, instanceOf(X509CertifiedPublicKey.class));
417   
418  1 X509CertifiedPublicKey interCaKey = (X509CertifiedPublicKey) interCAcert;
419   
420  1 assertThat(interCaKey.getVersionNumber(), equalTo(3));
421  1 assertTrue("Basic constraints should be critical.",
422    interCaKey.getExtensions().isCritical(X509Extensions.BASIC_CONSTRAINTS_OID));
423  1 assertTrue("Basic constraints should be set to CA.",
424    interCaKey.getExtensions().hasCertificateAuthorityBasicConstraints());
425  1 assertThat(interCaKey.getExtensions().getBasicConstraintsPathLen(), Matchers.equalTo(0));
426  1 assertTrue("KeyUsage extension should be critical.", interCaKey.getExtensions().isCritical(KeyUsage.OID));
427  1 assertThat(interCaKey.getExtensions().getKeyUsage(), equalTo(EnumSet.of(KeyUsage.keyCertSign,
428    KeyUsage.cRLSign)));
429  1 assertThat(interCaKey.getAuthorityKeyIdentifier(),
430    equalTo(caKey.getSubjectKeyIdentifier()));
431   
432  1 builder = builderMocker.getComponentUnderTest();
433   
434  1 generator = factory.getInstance(
435    CertifyingSigner.getInstance(true, new CertifiedKeyPair(interCaDsaPrivateKey, interCAcert), (SignerFactory) mocker.getInstance(SignerFactory.class, "DSAwithSHA1")),
436    new X509CertificateGenerationParameters(
437    //<validity in days>,
438    builder.addKeyUsage(EnumSet.of(KeyUsage.digitalSignature,
439    KeyUsage.dataEncipherment))
440    .addExtendedKeyUsage(false,
441    new ExtendedKeyUsages(new String[]{ExtendedKeyUsages.EMAIL_PROTECTION}))
442    .build()));
443   
444  1 builder = builderMocker.getComponentUnderTest();
445   
446  1 CertifiedPublicKey certificate =
447    generator.generate(new DistinguishedName("CN=Test End Entity"), dsaPublicKey,
448    new X509CertificateParameters(
449    builder.addSubjectAltName(false,
450    new X509GeneralName[] {
451    new X509Rfc822Name("test@example.com")
452    })
453    .build()
454    ));
455   
456    //dumpCert(certificate);
457   
458  1 assertTrue("Signature should match intermediate CA key.", certificate.isSignedBy(interCaDsaPublicKey));
459  1 assertThat(certificate.getIssuer(), equalTo(interCAcert.getSubject()));
460  1 assertThat(certificate.getSubject(), equalTo((PrincipalIndentifier) new DistinguishedName("CN=Test End Entity")));
461  1 assertThat(certificate, instanceOf(X509CertifiedPublicKey.class));
462   
463  1 X509CertifiedPublicKey key = (X509CertifiedPublicKey) certificate;
464  1 assertThat(key.getAuthorityKeyIdentifier(),
465    equalTo(interCaKey.getSubjectKeyIdentifier()));
466    }
467    }