siemens · Akretsch · Sep 20, 2023 · Aug 30, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -103,3 +103,7 @@ fix: switch to SUN provider for chain validation
 
 ### 2.6.5 (Sep 16 2023)
 note: maintenance release with updated dependencies, an adjusted CI pipeline
+
+### 2.6.6 (Sept 20 2023)
+
+fix: Add test credential generation, fix key usage in test credentials
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.siemens.pki</groupId>
 	<artifactId>CmpRaComponent</artifactId>
-	<version>2.6.5</version>
+	<version>2.6.6</version>
 	<packaging>jar</packaging>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -89,7 +89,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.5.0</version>
+				<version>3.6.0</version>
 				<executions>
 					<execution>
 						<id>javadoc-jar</id>

diff --git a/...st/java/com/siemens/pki/cmpracomponent/test/TestCentralKeyGenerationWithKeyTransport.java b/...st/java/com/siemens/pki/cmpracomponent/test/TestCentralKeyGenerationWithKeyTransport.java
@@ -53,55 +53,11 @@ public class TestCentralKeyGenerationWithKeyTransport extends CkgOnlineEnrollmen
 
     private SignatureBasedProtection eeRsaCredentials;
 
-    @Override
-    @Before
-    public void setUp() throws Exception {
-        super.setUp();
-        eeRsaCredentials = new SignatureBasedProtection(
-                new TrustChainAndPrivateKey("credentials/CMP_EE_Keystore_RSA.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY));
-        keyTransportDecryptor =
-                new CmsDecryptor(eeRsaCredentials.getEndCertificate(), eeRsaCredentials.getPrivateKey(), null);
-        launchCmpCaAndRa(buildSignatureBasedDownstreamConfiguration());
-    }
-
-    /**
-     * Central Key Generation/Using Key Transport Key Management Technique
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testCrWithKeyTransport() throws Exception {
-        executeCrmfCertificateRequestWithoutKey(
-                PKIBody.TYPE_CERT_REQ, PKIBody.TYPE_CERT_REP, eeRsaCredentials, getEeClient(), keyTransportDecryptor);
-    }
-
-    /**
-     * Central Key Generation/Using Key Transport Key Management Technique
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testIrWithKeyTransport() throws Exception {
-        executeCrmfCertificateRequestWithoutKey(
-                PKIBody.TYPE_INIT_REQ, PKIBody.TYPE_INIT_REP, eeRsaCredentials, getEeClient(), keyTransportDecryptor);
-    }
-
-    /**
-     * Central Key Generation/Using Key Transport Key Management Technique
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testKurWithKeyTransport() throws Exception {
-        executeCrmfCertificateRequestWithoutKey(
-                PKIBody.TYPE_INIT_REQ, PKIBody.TYPE_INIT_REP, eeRsaCredentials, getEeClient(), keyTransportDecryptor);
-    }
-
-    private Configuration buildSignatureBasedDownstreamConfiguration() throws Exception {
+    private Configuration buildRsaSignatureBasedDownstreamConfiguration() throws Exception {
         final TrustChainAndPrivateKey downstreamCredentials =
                 new TrustChainAndPrivateKey("credentials/CMP_LRA_DOWNSTREAM_Keystore.p12", "Password".toCharArray());
         final SignatureValidationCredentials downstreamTrust =
-                new SignatureValidationCredentials("credentials/CMP_EE_Root.pem", null);
+                new SignatureValidationCredentials("credentials/CMP_EE_Root_RSA.pem", null);
         final TrustChainAndPrivateKey upstreamCredentials =
                 new TrustChainAndPrivateKey("credentials/CMP_LRA_UPSTREAM_Keystore.p12", "Password".toCharArray());
         final SignatureValidationCredentials upstreamTrust =
@@ -386,4 +342,48 @@ public boolean isRaVerifiedAcceptable(final String certProfile, final int bodyTy
             }
         };
     }
+
+    @Override
+    @Before
+    public void setUp() throws Exception {
+        super.setUp();
+        eeRsaCredentials = new SignatureBasedProtection(
+                new TrustChainAndPrivateKey("credentials/CMP_EE_Keystore_RSA.p12", TestUtils.PASSWORD_AS_CHAR_ARRAY));
+        keyTransportDecryptor =
+                new CmsDecryptor(eeRsaCredentials.getEndCertificate(), eeRsaCredentials.getPrivateKey(), null);
+        launchCmpCaAndRa(buildRsaSignatureBasedDownstreamConfiguration());
+    }
+
+    /**
+     * Central Key Generation/Using Key Transport Key Management Technique
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testCrWithKeyTransport() throws Exception {
+        executeCrmfCertificateRequestWithoutKey(
+                PKIBody.TYPE_CERT_REQ, PKIBody.TYPE_CERT_REP, eeRsaCredentials, getEeClient(), keyTransportDecryptor);
+    }
+
+    /**
+     * Central Key Generation/Using Key Transport Key Management Technique
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testIrWithKeyTransport() throws Exception {
+        executeCrmfCertificateRequestWithoutKey(
+                PKIBody.TYPE_INIT_REQ, PKIBody.TYPE_INIT_REP, eeRsaCredentials, getEeClient(), keyTransportDecryptor);
+    }
+
+    /**
+     * Central Key Generation/Using Key Transport Key Management Technique
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testKurWithKeyTransport() throws Exception {
+        executeCrmfCertificateRequestWithoutKey(
+                PKIBody.TYPE_INIT_REQ, PKIBody.TYPE_INIT_REP, eeRsaCredentials, getEeClient(), keyTransportDecryptor);
+    }
 }
diff --git a/src/test/java/com/siemens/pki/cmpracomponent/test/TestCreateTestCertificateChains.java b/src/test/java/com/siemens/pki/cmpracomponent/test/TestCreateTestCertificateChains.java
@@ -0,0 +1,150 @@
+/*
+ *  Copyright (c) 2023 Siemens AG
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ */
+package com.siemens.pki.cmpracomponent.test;
+
+import com.siemens.pki.cmpracomponent.cryptoservices.KeyPairGeneratorFactory;
+import com.siemens.pki.cmpracomponent.test.framework.TestCertificateFactory;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.junit.Test;
+
+/**
+ * initial creation of test credentials
+ *
+ */
+public class TestCreateTestCertificateChains {
+
+    private static final char[] STORE_PASSWORD = "Password".toCharArray();
+    private static final File CREDENTIAL_ROOT =
+            new File("src/test/java/com/siemens/pki/cmpracomponent/test/config/credentials");
+
+    private void createEnrollTestCertificateChain(
+            final String subjectPrefix, KeyPairGenerator keyPairGenerator, String signatureAlgorithm)
+            throws GeneralSecurityException, CertificateException, OperatorCreationException, NoSuchAlgorithmException,
+                    IOException, KeyStoreException, FileNotFoundException {
+        final KeyPair rootKeypair = keyPairGenerator.generateKeyPair();
+        final X509Certificate rootCert =
+                TestCertificateFactory.createRootCertificate(subjectPrefix, rootKeypair, signatureAlgorithm);
+
+        final KeyPair issuerKeypair = keyPairGenerator.generateKeyPair();
+        final X509Certificate issuerCert = TestCertificateFactory.createIssuerCertificate(
+                subjectPrefix, rootCert, rootKeypair.getPrivate(), issuerKeypair.getPublic(), signatureAlgorithm);
+
+        try (JcaPEMWriter pw =
+                new JcaPEMWriter(new FileWriter(new File(CREDENTIAL_ROOT, subjectPrefix + "_Chain.pem")))) {
+            pw.writeObject(rootCert);
+            pw.writeObject(issuerCert);
+        }
+        try (JcaPEMWriter pw =
+                new JcaPEMWriter(new FileWriter(new File(CREDENTIAL_ROOT, subjectPrefix + "_Root.pem")))) {
+            pw.writeObject(rootCert);
+        }
+        final KeyStore keystore = KeyStore.getInstance("PKCS12");
+        keystore.load(null, STORE_PASSWORD);
+        keystore.setKeyEntry(
+                "cert", issuerKeypair.getPrivate(), STORE_PASSWORD, new Certificate[] {issuerCert, rootCert});
+        try (final OutputStream ksout =
+                new FileOutputStream(new File(CREDENTIAL_ROOT, subjectPrefix + "_Keystore.p12"))) {
+            keystore.store(ksout, STORE_PASSWORD);
+        }
+    }
+
+    private void createFullTestCertificateChain(
+            final String subjectPrefix,
+            KeyPairGenerator keyPairGenerator,
+            String signatureAlgorithm,
+            Extension... eeExtensions)
+            throws GeneralSecurityException, CertificateException, OperatorCreationException, NoSuchAlgorithmException,
+                    IOException, KeyStoreException, FileNotFoundException {
+        final KeyPair rootKeypair = keyPairGenerator.generateKeyPair();
+        final X509Certificate rootCert =
+                TestCertificateFactory.createRootCertificate(subjectPrefix, rootKeypair, signatureAlgorithm);
+
+        final KeyPair issuerKeypair = keyPairGenerator.generateKeyPair();
+        final X509Certificate issuerCert = TestCertificateFactory.createIssuerCertificate(
+                subjectPrefix, rootCert, rootKeypair.getPrivate(), issuerKeypair.getPublic(), signatureAlgorithm);
+
+        final KeyPair eeKeypair = keyPairGenerator.generateKeyPair();
+        final X509Certificate eeCert = TestCertificateFactory.createEndEntityCertificate(
+                subjectPrefix,
+                issuerCert,
+                issuerKeypair.getPrivate(),
+                eeKeypair.getPublic(),
+                signatureAlgorithm,
+                eeExtensions);
+        try (JcaPEMWriter pw =
+                new JcaPEMWriter(new FileWriter(new File(CREDENTIAL_ROOT, subjectPrefix + "_Chain.pem")))) {
+            pw.writeObject(rootCert);
+            pw.writeObject(issuerCert);
+            pw.writeObject(eeCert);
+        }
+        try (JcaPEMWriter pw =
+                new JcaPEMWriter(new FileWriter(new File(CREDENTIAL_ROOT, subjectPrefix + "_Root.pem")))) {
+            pw.writeObject(rootCert);
+        }
+        final KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
+        keystore.load(null, STORE_PASSWORD);
+        keystore.setKeyEntry(
+                "cert", eeKeypair.getPrivate(), STORE_PASSWORD, new Certificate[] {eeCert, issuerCert, rootCert});
+        try (final OutputStream ksout =
+                new FileOutputStream(new File(CREDENTIAL_ROOT, subjectPrefix + "_Keystore.p12"))) {
+            keystore.store(ksout, STORE_PASSWORD);
+        }
+    }
+
+    @Test
+    // @Ignore("execute if test credentials need a refresh")
+    public void createTestCertificateChains() throws OperatorCreationException, IOException, GeneralSecurityException {
+        final KeyPairGenerator keyPairGenerator = KeyPairGeneratorFactory.getEcKeyPairGenerator("secp521r1");
+        createEnrollTestCertificateChain("ENROLL", keyPairGenerator, "SHA512WITHECDSA");
+        createFullTestCertificateChain("CMP_CA", keyPairGenerator, "SHA512WITHECDSA");
+        createFullTestCertificateChain(
+                "CMP_LRA_UPSTREAM",
+                keyPairGenerator,
+                "SHA512WITHECDSA",
+                TestCertificateFactory.createExtendedKeyUsageExtension(
+                        KeyPurposeId.id_kp_cmcRA, KeyPurposeId.anyExtendedKeyUsage));
+        createFullTestCertificateChain(
+                "CMP_LRA_DOWNSTREAM",
+                keyPairGenerator,
+                "SHA512WITHECDSA",
+                TestCertificateFactory.createExtendedKeyUsageExtension(
+                        KeyPurposeId.id_kp_cmKGA, KeyPurposeId.anyExtendedKeyUsage));
+        createFullTestCertificateChain("CMP_EE", keyPairGenerator, "SHA512WITHECDSA");
+        //		createTestCertificateChain("TLS", keyPairGenerator, "SHA512WITHECDSA", TestCertificateFactory
+        //				.createExtendedKeyUsageExtension(KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth),
+        //				TestCertificateFactory.createSubjectAlternativeNameExtension("localhost"));
+    }
+}