diff --git a/pom.xml b/pom.xml index 2cf587a..3764720 100644 --- a/pom.xml +++ b/pom.xml @@ -7,12 +7,12 @@ 4.0.0 com.siemens.pki LightweightCmpRa - 4.0.3 + 4.2.0_PQ UTF-8 . - 2.44.2 - 0.8.12 + 2.46.1 + 0.8.13 3.3.1 11 11 @@ -71,7 +71,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.5.2 + 3.5.3 **/local/** @@ -81,7 +81,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 3.11.2 + 3.11.3 com.diffplug.spotless @@ -172,7 +172,7 @@ com.siemens.pki CmpRaComponent - 4.2.0 + 4.2.0_PQ jakarta.xml.bind @@ -192,32 +192,32 @@ org.slf4j slf4j-api - 2.0.16 + 2.0.17 org.slf4j slf4j-simple - 2.0.16 + 2.0.17 org.eclipse.californium californium-core - 3.13.0 + 3.14.0 com.fasterxml.jackson.jaxrs jackson-jaxrs-yaml-provider - 2.18.2 + 2.20.0 com.fasterxml.jackson.core jackson-databind - 2.18.2 + 2.20.0 commons-cli commons-cli - 1.9.0 + 1.10.0 org.jacoco @@ -231,7 +231,7 @@ CVE-2021-26291.--> org.apache.maven.shared file-management - 3.1.0 + 3.2.0 diff --git a/src/main/java/com/siemens/pki/lightweightcmpclient/configuration/EnrollmentContextImpl.java b/src/main/java/com/siemens/pki/lightweightcmpclient/configuration/EnrollmentContextImpl.java index 251dbde..24832b4 100644 --- a/src/main/java/com/siemens/pki/lightweightcmpclient/configuration/EnrollmentContextImpl.java +++ b/src/main/java/com/siemens/pki/lightweightcmpclient/configuration/EnrollmentContextImpl.java @@ -66,7 +66,12 @@ private KeyPair createKeyPair(final String upperKeyType) throws NoSuchAlgorithmE if (upperKeyType.startsWith("ED")) { return KeyPairGeneratorFactory.getEdDsaKeyPairGenerator(keyType).generateKeyPair(); } - return KeyPairGeneratorFactory.getEcKeyPairGenerator(keyType).generateKeyPair(); + try { + return KeyPairGeneratorFactory.getEcKeyPairGenerator(keyType).generateKeyPair(); + } catch (GeneralSecurityException ex) { + return KeyPairGeneratorFactory.getGenericKeyPairGenerator(upperKeyType) + .generateKeyPair(); + } } @Override 
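Review bot: The new catch in createKeyPair drops `ex` entirely and retries with the generic generator, so when that second attempt also fails the caller only sees the generic failure and never learns why the EC path rejected the key type. Attach the first exception as suppressed before rethrowing the second, and consider narrowing the catch to the exception the EC factory raises for an unknown curve name so that unrelated security failures (provider or RNG problems, for instance) still surface instead of silently switching algorithm family. The EC branch passes `keyType` while the fallback passes `upperKeyType`; if the generic generator is case-sensitive that difference matters, so it is worth confirming. createKeyPair starts outside the hunk, and whether `GeneralSecurityException` is already imported in this file is not visible here.
```java
try {
    return KeyPairGeneratorFactory.getEcKeyPairGenerator(keyType).generateKeyPair();
} catch (GeneralSecurityException ex) {
    // not an EC curve: fall back to the generic generator, keeping the EC failure as context
    try {
        return KeyPairGeneratorFactory.getGenericKeyPairGenerator(upperKeyType).generateKeyPair();
    } catch (GeneralSecurityException fallbackEx) {
        fallbackEx.addSuppressed(ex);
        throw fallbackEx;
    }
}
```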
diff --git a/src/main/java/com/siemens/pki/lightweightcmpclient/main/CliCmpClient.java b/src/main/java/com/siemens/pki/lightweightcmpclient/main/CliCmpClient.java
index ed1d6d2..1f8db86 100644
--- a/src/main/java/com/siemens/pki/lightweightcmpclient/main/CliCmpClient.java
+++ b/src/main/java/com/siemens/pki/lightweightcmpclient/main/CliCmpClient.java
@@ -47,11 +47,11 @@ import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.DefaultParser;
-import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.OptionGroup;
 import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.help.HelpFormatter;
 import org.bouncycastle.asn1.cmp.PKIBody;
 public class CliCmpClient {
@@ -317,7 +317,7 @@ private static int doGetCertificateRequestTemplate(final CommandLine cmd, final
 }
 private static int doGetCrls(final CommandLine cmd, final CmpClient client)
- throws java.text.ParseException, CRLException, IOException {
+ throws java.text.ParseException, IOException, GeneralSecurityException {
 List crls = null;
 if (cmd.hasOption(OPTION_oldCRL)) {
 final X509CRL crl = CredentialLoader.loadCRLs(new File(cmd.getOptionValue(OPTION_oldCRL)).toURI())
@@ -376,10 +376,9 @@ public static void main(final String[] args) {
 System.exit(ret);
 }
- private static void printHelp() {
- final HelpFormatter formatter = new HelpFormatter();
- formatter.setOptionComparator(null);
- formatter.printHelp("java -jar path/to/CmpClient.jar", cliOptions);
+ private static void printHelp() throws IOException {
+ final HelpFormatter formatter = HelpFormatter.builder().get();
+ formatter.printHelp("java -jar path/to/CmpClient.jar", null, cliOptions, null, true);
 }
 public static int runClient(final String... args) {
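Review bot: printHelp no longer calls `setOptionComparator(null)`, which in the old formatter kept options in declaration order; unless the `HelpFormatter.builder().get()` instance defaults to unsorted output, the usage text is now re-ordered, so please confirm the ordering and, if the builder offers a way to disable sorting, apply it. The new `throws IOException` on printHelp pushes checked-exception handling into every caller (the runClient hunk below gains a try/catch for it); catching the IOException inside printHelp and writing a one-line notice to System.err would keep the call sites unchanged. The doGetCrls signature change is harmless since `CRLException` is a subclass of `GeneralSecurityException`.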
@@ -486,7 +485,12 @@ public static int runClient(final String... args) {
 return 2;
 } catch (final ParseException | java.text.ParseException e) {
 System.err.println("Client failed. Reason: " + e.getMessage());
- printHelp();
+ try {
+ printHelp();
+ } catch (IOException e1) {
+ // TODO Auto-generated catch block
+ e1.printStackTrace();
+ }
 return 3;
 } catch (final Throwable e) {
 System.err.println("Client failed. Reason: " + e.getCause());
diff --git a/src/main/java/com/siemens/pki/lightweightcmpra/main/RA.java b/src/main/java/com/siemens/pki/lightweightcmpra/main/RA.java
index 23498dc..4605f0a 100644
--- a/src/main/java/com/siemens/pki/lightweightcmpra/main/RA.java
+++ b/src/main/java/com/siemens/pki/lightweightcmpra/main/RA.java
@@ -26,11 +26,14 @@ import com.siemens.pki.lightweightcmpra.downstream.DownstreamInterfaceFactory;
 import com.siemens.pki.lightweightcmpra.upstream.UpstreamInterface;
 import com.siemens.pki.lightweightcmpra.upstream.UpstreamInterfaceFactory;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
 import java.util.function.Supplier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
 /**
 * main class
@@ -38,6 +41,11 @@ */
 public class RA {
+ static {
+ Security.addProvider(new BouncyCastleProvider());
+ Security.addProvider(new BouncyCastlePQCProvider());
+ }
+
 private static class CertProfileBodyTypeTupel {
 private final String certProfile;
 private final int bodyType;
diff --git a/src/test/java/com/siemens/pki/lightweightcmpclient/test/DelayedEnrollmentTestcaseBase.java b/src/test/java/com/siemens/pki/lightweightcmpclient/test/DelayedEnrollmentTestcaseBase.java
index 57eef7f..47009cf 100644
--- a/src/test/java/com/siemens/pki/lightweightcmpclient/test/DelayedEnrollmentTestcaseBase.java
+++ b/src/test/java/com/siemens/pki/lightweightcmpclient/test/DelayedEnrollmentTestcaseBase.java
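Review bot: The added catch in runClient is an IDE-generated stub — the `// TODO Auto-generated catch block` comment and `e1.printStackTrace()` should not be committed, and the stack trace lands on a different stream and in a different format than the `System.err.println("Client failed. Reason: ...")` line just above it. Replace the two lines with `System.err.println("Could not print usage: " + e1.getMessage());` and drop the TODO, so the failure is reported in the same style as the surrounding code. runClient starts and ends outside the hunk.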
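Review bot: The new static initializer in RA mutates the JVM-global provider list as a side effect of class loading, and nothing in the hunk says why; a comment such as `// Register Bouncy Castle (classic + PQC) so the PQ key types named in the enrollment profiles resolve via JCA; addProvider appends at lowest priority, so JDK implementations of shared algorithms keep precedence.` would make the intent and the ordering consequence explicit. Because the block runs whenever RA is touched (every test calls `RA.stopAllRas()`), each such class gets both providers, whereas the new TestOsslKemlIntegrationStandalone registers only BouncyCastleProvider in its own static block — the two places should agree on what is registered. `Security.addProvider` also returns -1 without replacing anything if a provider of the same name is already installed, so a differently configured BC instance registered earlier would win; presumably acceptable, but worth stating in the comment.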
@@ -32,14 +32,14 @@ public class DelayedEnrollmentTestcaseBase extends EnrollmentTestcaseBase {
 @BeforeClass
 public static void setupRas() throws GeneralSecurityException, InterruptedException, Exception {
- TestUtils.createDirectories("./target/CmpTest/Downstream", "./target/CmpTest/Upstream");
+ TestUtils.createDirectories("./target/CmpTest/Downstream_REV", "./target/CmpTest/Upstream_REV");
 initTestbed("DelayedEnrollmentRaTestConfig.yaml", "DelayedEnrollmentLraTestConfig.yaml");
 }
 @AfterClass
 public static void stopAllRas() {
 RA.stopAllRas();
- TestUtils.removeDirectories("./target/CmpTest/Downstream", "./target/CmpTest/Upstream");
+ TestUtils.removeDirectories("./target/CmpTest/Downstream_REV", "./target/CmpTest/Upstream_REV");
 }
 @After
diff --git a/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestEnrollmentForAllKeyTypes.java b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestEnrollmentForAllKeyTypes.java
new file mode 100644
index 0000000..fc389bb
--- /dev/null
+++ b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestEnrollmentForAllKeyTypes.java
@@ -0,0 +1,76 @@ +/* + * Copyright (c) 2020 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.lightweightcmpclient.test; + +import com.siemens.pki.lightweightcmpra.main.RA; +import java.security.GeneralSecurityException; +import java.util.Arrays; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +@RunWith(Parameterized.class) +public class TestEnrollmentForAllKeyTypes extends EnrollmentTestcaseBase { + + @Parameters(name = "{0}") + public static Iterable data() throws GeneralSecurityException { + return Arrays.asList(new Object[][] { + // + {"ML-KEM-512"}, + {"ML-KEM-1024"}, + // + {"ML-DSA-44"}, + {"SLH-DSA-SHA2-128S"}, + {"RSA1024"}, + {"RSA2048"}, + {"Ed448"}, + {"Ed25519"}, + {"secp256r1"}, + // + }); + } + + @BeforeClass + public static void setUpRas() throws Exception { + initTestbed("EnrollmentConfigWithHttpAndSignature.yaml"); + } + + @AfterClass + public static void stopAllRas() { + RA.stopAllRas(); + } + + private final String certProfile; + + /** + * certificate from a trusted PKI with signature protection + * + * @throws Exception + */ + @Test + public void testCr() throws Exception { + enrollWithConfigAndCertProfile("ClientEnrollmentConfigWithDifferentKeys.yaml", certProfile); + } + + public 
TestEnrollmentForAllKeyTypes(String certProfile) { + this.certProfile = certProfile; + } +} diff --git a/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestKemEnrollmentLight.java b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestKemEnrollmentLight.java new file mode 100644 index 0000000..ade015b --- /dev/null +++ b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestKemEnrollmentLight.java 
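Review bot: `data()` declares `throws GeneralSecurityException` although its body only builds a list with `Arrays.asList`, so the clause and the `GeneralSecurityException` import are dead and should be removed; TestKemEnrollmentLight in the next hunk has the same signature. The Javadoc on testCr, `certificate from a trusted PKI with signature protection`, is copied from the non-parameterized tests and does not say that the key type under test comes from the `certProfile` parameter; a line such as `Enrolls with the key type named by the current parameter (certProfile) using ClientEnrollmentConfigWithDifferentKeys.yaml.` would make a per-parameter failure self-explanatory. Placing the constructor after the test method is unusual; moving it directly below the `certProfile` field follows the conventional field, constructor, test order.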
@@ -0,0 +1,67 @@ +/* + * Copyright (c) 2020 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.lightweightcmpclient.test; + +import com.siemens.pki.lightweightcmpra.main.RA; +import java.security.GeneralSecurityException; +import java.util.Arrays; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +@RunWith(Parameterized.class) +public class TestKemEnrollmentLight extends EnrollmentTestcaseBase { + + @Parameters(name = "{0}") + public static Iterable data() throws GeneralSecurityException { + return Arrays.asList(new Object[][] { + // + {"ML-KEM-512"}, + // + }); + } + + @BeforeClass + public static void setUpRas() throws Exception { + initTestbed("EnrollmentConfigWithHttpAndSignature.yaml"); + } + + @AfterClass + public static void stopAllRas() { + RA.stopAllRas(); + } + + private final String certProfile; + + /** + * certificate from a trusted PKI with signature protection + * + * @throws Exception + */ + @Test + public void testCr() throws Exception { + enrollWithConfigAndCertProfile("ClientEnrollmentConfigWithDifferentKeys.yaml", certProfile); + } + + public TestKemEnrollmentLight(String certProfile) { + this.certProfile = certProfile; + } +} 
diff --git a/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestOsslKemlIntegration.java b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestOsslKemlIntegration.java new file mode 100644 index 0000000..92f1f8a --- /dev/null +++ b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestOsslKemlIntegration.java @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2020 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.lightweightcmpclient.test; + +import com.siemens.pki.lightweightcmpra.main.RA; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; + +public class TestOsslKemlIntegration extends EnrollmentTestcaseBase { + + @BeforeClass + public static void setUpRas() throws Exception { + initTestbed("EnrollmentOsslKem.yaml"); + } + + @AfterClass + public static void stopAllRas() { + RA.stopAllRas(); + } + + /** + * certificate from a trusted PKI with signature protection + * + * @throws Exception + */ + @Test + public void testCr() throws Exception { + enrollWithConfig("ClientEnrollmentOsslKem.yaml"); + } +} diff --git a/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestOsslKemlIntegrationStandalone.java b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestOsslKemlIntegrationStandalone.java new file mode 100644 index 0000000..d08a637 --- /dev/null 
+++ b/src/test/java/com/siemens/pki/lightweightcmpclient/test/TestOsslKemlIntegrationStandalone.java @@ -0,0 +1,41 @@ +/* + * Copyright (c) 2020 Siemens AG + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ +package com.siemens.pki.lightweightcmpclient.test; + +import java.security.Security; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.junit.Ignore; +import org.junit.Test; + +@Ignore("RajeevKemCaRa Launch Group must be up") +public class TestOsslKemlIntegrationStandalone extends EnrollmentTestcaseBase { + + static { + Security.addProvider(new BouncyCastleProvider()); + } + + /** + * certificate from a trusted PKI with signature protection + * + * @throws Exception + */ + @Test + public void testCr() throws Exception { + enrollWithConfig("ClientEnrollmentOsslKem.yaml"); + } +} diff --git a/src/test/java/com/siemens/pki/lightweightcmpra/test/config/ClientEnrollmentConfigWithDifferentKeys.yaml b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/ClientEnrollmentConfigWithDifferentKeys.yaml new file mode 100644 index 0000000..5827ee3 --- /dev/null +++ b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/ClientEnrollmentConfigWithDifferentKeys.yaml 
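Review bot: The standalone variant registers only `BouncyCastleProvider` in its static block, whereas RA registers both that and `BouncyCastlePQCProvider`; since this test never touches RA, `ML-KEM-512` from ClientEnrollmentOsslKem.yaml resolves only if the classic BC provider bundled here serves it — if it does not, the test fails with a provider lookup error rather than a meaningful message, so either register both providers or add a comment stating that the classic provider is sufficient. The `@Ignore` reason names a launch group rather than the precondition itself; `@Ignore("requires an external OpenSSL-based KEM CA/RA listening on http://localhost:1701/pkix/")` tells the next reader what has to be running. The testCr Javadoc is copied from the signature-protection tests and should describe this scenario instead.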
@@ -0,0 +1,108 @@ +--- + +MessageInterface: + - HttpClient: + UpstreamURI: "http://localhost:6000/onlinelra" + +MessageConfiguration: + - VerificationContext: + trustedCertificates: + - "credentials/CMP_CA_Root.pem" + - "credentials/CMP_LRA_DOWNSTREAM_Root.pem" + outputCredentials: + Signature: + keyStore: "credentials/CMP_EE_Keystore.p12" + Password: "Password" + Recipient: "CN=recip" + +ClientContext: + - certProfile: ML-KEM-512 + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: ML-KEM-512 + Subject: "CN=subject" + RequestImplictConfirm: false + + - certProfile: ML-KEM-1024 + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: ML-KEM-1024 + Subject: "CN=subject" + RequestImplictConfirm: false + + + - certProfile: ML-DSA-44 + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: ML-DSA-44 + Subject: "CN=subject" + RequestImplictConfirm: false + + - certProfile: SLH-DSA-SHA2-128S + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: SLH-DSA-SHA2-128S + Subject: "CN=subject" + RequestImplictConfirm: false + + - certProfile: "RSA1024" + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: RSA1024 + Subject: "CN=subject" + RequestImplictConfirm: false + + - certProfile: "RSA2048" + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: RSA2048 + Subject: "CN=subject" + RequestImplictConfirm: false + + - certProfile: "Ed448" + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: Ed448 + Subject: "CN=subject" + RequestImplictConfirm: false + + - certProfile: 
"Ed25519" + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: Ed25519 + Subject: "CN=subject" + RequestImplictConfirm: false + + - certProfile: "secp256r1" + EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: secp256r1 + Subject: "CN=subject" + RequestImplictConfirm: false diff --git a/src/test/java/com/siemens/pki/lightweightcmpra/test/config/ClientEnrollmentOsslKem.yaml b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/ClientEnrollmentOsslKem.yaml new file mode 100644 index 0000000..d6e618c --- /dev/null +++ b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/ClientEnrollmentOsslKem.yaml @@ -0,0 +1,27 @@ +--- + +MessageInterface: + - HttpClient: + UpstreamURI: "http://localhost:1701/pkix/" + +MessageConfiguration: + - VerificationContext: + trustedCertificates: + - "credentials/CMP_CA_Root.pem" + - "credentials/CMP_LRA_DOWNSTREAM_Root.pem" + outputCredentials: + Signature: + keyStore: "credentials/CMP_EE_Keystore.p12" + Password: "Password" + Recipient: "CN=recip" + +ClientContext: + - EnrollmentContext: + EnrollmentType: CR + EnrollmentTrust: + trustedCertificates: + - "credentials/ENROLL_Root.pem" + KeyType: ML-KEM-512 + Subject: "CN=subject" + RequestImplictConfirm: false + diff --git a/src/test/java/com/siemens/pki/lightweightcmpra/test/config/EnrollmentOsslKem-RR.yaml b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/EnrollmentOsslKem-RR.yaml new file mode 100644 index 0000000..655a709 --- /dev/null +++ b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/EnrollmentOsslKem-RR.yaml 
@@ -0,0 +1,40 @@ +--- + +UpstreamInterface: + - HttpClient: + UpstreamURI: "http://localhost:7000/ca" + Timeout: 44 + +DownstreamInterface: + HttpServer: + UpstreamURI: "http://localhost:1701/pkix/" + +UpstreamConfiguration: + - VerificationContext: + trustedCertificates: + - "credentials/CMP_CA_Root.pem" + outputCredentials: + Signature: + keyStore: "credentials/CMP_LRA_UPSTREAM_Keystore.p12" + Password: "Password" + +DownstreamConfiguration: + - VerificationContext: + trustedCertificates: + - "credentials/CMP_EE_Root_RR.pem" + additionalcerts: + - "credentials/CMP_EE_Chain.pem" + OutputCredentials: + Signature: + keyStore: "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12" + Password: "Password" + +EnrollmentTrust: + - trustedCertificates: + - "credentials/ENROLL_Root.pem" + +RaVerifiedAcceptable: + - value: false + +ForceRaVerifyOnUpstream: + - value: false diff --git a/src/test/java/com/siemens/pki/lightweightcmpra/test/config/EnrollmentOsslKem.yaml b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/EnrollmentOsslKem.yaml new file mode 100644 index 0000000..4b1d107 --- /dev/null +++ b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/EnrollmentOsslKem.yaml 
@@ -0,0 +1,40 @@ +--- + +UpstreamInterface: + - HttpClient: + UpstreamURI: "http://localhost:7000/ca" + Timeout: 44 + +DownstreamInterface: + HttpServer: + UpstreamURI: "http://localhost:1701/pkix/" + +UpstreamConfiguration: + - VerificationContext: + trustedCertificates: + - "credentials/CMP_CA_Root.pem" + outputCredentials: + Signature: + keyStore: "credentials/CMP_LRA_UPSTREAM_Keystore.p12" + Password: "Password" + +DownstreamConfiguration: + - VerificationContext: + trustedCertificates: + - "credentials/CMP_EE_Root.pem" + additionalcerts: + - "credentials/CMP_EE_Chain.pem" + OutputCredentials: + Signature: + keyStore: "credentials/CMP_LRA_DOWNSTREAM_Keystore.p12" + Password: "Password" + +EnrollmentTrust: + - trustedCertificates: + - "credentials/ENROLL_Root.pem" + +RaVerifiedAcceptable: + - value: false + +ForceRaVerifyOnUpstream: + - value: false diff --git a/src/test/java/com/siemens/pki/lightweightcmpra/test/config/credentials/CMP_EE_Root_RR.pem b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/credentials/CMP_EE_Root_RR.pem new file mode 100644 index 0000000..032d2c8 --- /dev/null +++ b/src/test/java/com/siemens/pki/lightweightcmpra/test/config/credentials/CMP_EE_Root_RR.pem 
@@ -0,0 +1,22 @@ +Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootCA +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE1MTFa +Fw0zNTA3MDIxMzE1MTFaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0 +YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMM +BnJvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDxa3eIrDXf ++3NTL5KAL3QWMk31ECBvbDqO0dxr4S4+wwQPv5vEyRLR5AtFl+UGzWY64eDiK9+i +xOx70z08iv9edKCrpwNqFlteksR+W3mKadS8g16uQpJ0pSvnAMGp3NWxUwcPc/eO +rRQ+JZ7lHubMkc2VDIBEIMP9F8+RPWMQHBRb+8OowYiyd/+c2/xqRERE94XsCCzU +34Gjecn+HpuTFlO3l6u+Txql4vpGBeQNnCqkzLkeIaBsxKtZsEA5u/mIrf3fjbQL +r35B4CE8yDNFSYQvkwbu/U/tT/O8m978JV5V1XXUxXs6QDUGn8SEtGyTDK83Wq+2 +QU0mIxy4ArMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUhVaJNeKf +ABrhhgMLS692Emszbf0wHwYDVR0jBBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0w +DQYJKoZIhvcNAQELBQADggEBADIKvyoK4rtPQ86I2lo5EDeAuzctXi2I3SZpnOe0 +mCCxJeZhWW0S7JuHvlfhEgXFBPEXzhS4HJLUlZUsWyiJ+3KcINMygaiF7MgIe6hZ +WzpsMatS4mbNFElc89M+YryRFrQc9d1Uqjxhl3ms5MhDNcMP/PNwHa/wnIoqkpNI +qtDoR741wcZ7bdr6XVdF8+pBjzbBPPRSf24x3bqavHBWcTjcSVcM/ZEXxeqH5SN0 +GbK2mQxrogX4UWjtl+DfYvl+ejpEcYNXKEmIabUUHtpG42544cuPtZizLW5bt/aT +JBQfpPZpvf9MUlACxUONFOLQdZ8SXpSJ0e93iX2J2Z52mSQ= +-----END CERTIFICATE----- diff --git a/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/CmpCaMock.java b/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/CmpCaMock.java index 13f8d54..8cc1ef9 100644 --- a/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/CmpCaMock.java +++ b/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/CmpCaMock.java 
@@ -17,6 +17,7 @@ */
 package com.siemens.pki.lightweightcmpra.test.framework;
+import com.siemens.pki.cmpracomponent.cryptoservices.AlgorithmHelper;
 import com.siemens.pki.cmpracomponent.msggeneration.PkiMessageGenerator;
 import com.siemens.pki.cmpracomponent.protection.ProtectionProvider;
 import com.siemens.pki.cmpracomponent.util.MessageDumper;
@@ -28,11 +29,8 @@ import java.io.IOException;
 import java.math.BigInteger;
 import java.net.URL;
-import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.Security;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Date;
@@ -55,14 +53,11 @@ import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.cert.CertIOException;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.openssl.PEMException;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -76,8 +71,6 @@ public class CmpCaMock implements ExFunction {
 private static final Logger LOGGER = LoggerFactory.getLogger(CmpCaMock.class);
- private static JcaPEMKeyConverter JCA_KEY_CONVERTER = new JcaPEMKeyConverter();
- private static CmpCaMock singleCaMock;
 private static final LinkedList lastReceivedMessages = new LinkedList<>();
@@ -151,10 +144,11 @@ public byte[] apply(final byte[] receivedMessageAsByte) throws Exception {
 private CMPCertificate createCertificate(
 final X500Name subject, final SubjectPublicKeyInfo publicKey, final X509Certificate issuingCert)
- throws PEMException, NoSuchAlgorithmException, CertIOException, CertificateEncodingException,
- CertificateException, OperatorCreationException {
+ throws Exception {
 final long now = System.currentTimeMillis();
- final PublicKey pubKey = JCA_KEY_CONVERTER.getPublicKey(publicKey);
+ final PublicKey pubKey = new JcaPEMKeyConverter()
+ .setProvider(CertUtility.BOUNCY_CASTLE_PROVIDER)
+ .getPublicKey(publicKey);
 final X509v3CertificateBuilder v3CertBldr = new JcaX509v3CertificateBuilder(
 issuingCert.getSubjectX500Principal(),
 BigInteger.valueOf(now),
@@ -169,8 +163,10 @@ private CMPCertificate createCertificate(
 Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(issuingCert));
 v3CertBldr.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
- final JcaContentSignerBuilder signerBuilder =
- new JcaContentSignerBuilder("SHA384withECDSA").setProvider(CertUtility.BOUNCY_CASTLE_PROVIDER);
+ final JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(
+ AlgorithmHelper.getSigningAlgNameFromKey(
+ enrollmentCredentials.getPrivateKeyOfEndCertififcate()))
+ .setProvider(CertUtility.BOUNCY_CASTLE_PROVIDER);
 return CertUtility.cmpCertificateFromCertificate(new JcaX509CertificateConverter()
 .setProvider(CertUtility.BOUNCY_CASTLE_PROVIDER)
diff --git a/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/TrustChainAndPrivateKey.java b/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/TrustChainAndPrivateKey.java
index 07a3e24..28e7a57 100644
--- a/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/TrustChainAndPrivateKey.java
+++ b/src/test/java/com/siemens/pki/lightweightcmpra/test/framework/TrustChainAndPrivateKey.java
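Review bot: Widening createCertificate to `throws Exception` hides which failures the mock can actually produce; the only new call, `AlgorithmHelper.getSigningAlgNameFromKey`, is a project helper whose declared exceptions are not visible here, but declaring `throws GeneralSecurityException, OperatorCreationException, IOException` plus whatever that helper declares would keep the contract explicit while still satisfying apply's `throws Exception`. The signing algorithm is now derived from `enrollmentCredentials.getPrivateKeyOfEndCertififcate()` rather than the hard-coded `SHA384withECDSA`, presumably so the mock CA can sign with non-EC issuer keys; a comment on that statement, `// signature algorithm must match the issuer key type, which is no longer assumed to be EC`, would explain why the constant was dropped. createCertificate continues outside the hunk.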
@@ -27,6 +27,7 @@ import java.security.PrivateKey;
 import java.security.Signature;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -86,7 +87,7 @@ public ProtectionProvider setEndEntityToProtect(final CMPCertificate certificate
 return new ProtectionProvider() {
 @Override
 public List getProtectingExtraCerts()
- throws java.security.cert.CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
+ throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
 final List ret = new ArrayList<>(trustChain.size());
 ret.add(certificate);
 for (final X509Certificate aktCert : trustChain) {