2 * ============LICENSE_START=======================================================
3 * Copyright (C) 2020 Nokia. All rights reserved.
4 * ================================================================================
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 * SPDX-License-Identifier: Apache-2.0
18 * ============LICENSE_END=========================================================
21 package org.onap.oom.certservice.cmpv2client.impl;
23 import org.bouncycastle.asn1.cmp.CMPCertificate;
24 import org.bouncycastle.asn1.cmp.CertRepMessage;
25 import org.bouncycastle.asn1.cmp.PKIMessage;
26 import org.bouncycastle.util.io.pem.PemObject;
27 import org.bouncycastle.util.io.pem.PemReader;
28 import org.junit.jupiter.api.BeforeAll;
29 import org.junit.jupiter.api.Test;
30 import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
31 import org.onap.oom.certservice.cmpv2client.model.Cmpv2CertificationModel;
33 import java.io.ByteArrayInputStream;
34 import java.io.IOException;
35 import java.io.StringReader;
36 import java.security.NoSuchProviderException;
37 import java.security.Security;
38 import java.security.cert.Certificate;
39 import java.security.cert.CertificateEncodingException;
40 import java.security.cert.CertificateException;
41 import java.security.cert.CertificateFactory;
42 import java.security.cert.X509Certificate;
44 import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
45 import static org.junit.jupiter.api.Assertions.assertThrows;
46 import static org.mockito.Mockito.mock;
47 import static org.mockito.Mockito.when;
49 class CmpResponseHelperTest {
52 private static final String EXPECTED_ERROR_MESSAGE = "Something was wrong with the supplied certificate";
54 //Sample Certificate (keystore.pem) received from client
55 private static final String TEST_1LAYER_ENTITY_CERT = "-----BEGIN CERTIFICATE-----\n"
56 + "MIIEtjCCAx6gAwIBAgIUeNg1jY0CV+zwcJ4CdQiDN2ihx0IwDQYJKoZIhvcNAQEL\n"
57 + "BQAwUzEVMBMGCgmSJomT8ixkAQEMBTEyMzQ1MRUwEwYDVQQDDAxNYW5hZ2VtZW50\n"
58 + "Q0ExIzAhBgNVBAoMGkVKQkNBIENvbnRhaW5lciBRdWlja3N0YXJ0MB4XDTIyMDUx\n"
59 + "ODE3MTYyOVoXDTMyMDUxNTE3MTAwOVowdzERMA8GA1UEAwwIb25hcC5vcmcxDTAL\n"
60 + "BgNVBAsMBE9OQVAxGTAXBgNVBAoMEExpbnV4LUZvdW5kYXRpb24xFjAUBgNVBAcM\n"
61 + "DVNhbi1GcmFuY2lzY28xEzARBgNVBAgMCkNhbGlmb3JuaWExCzAJBgNVBAYTAlVT\n"
62 + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn7jV9kysrzF/LOAtiEs+\n"
63 + "DpmEY/10j92TyMLy4CUYqbWhj5KWNGHJ2L8GqfWivubxTTS3svbQPLyQEXrhc1fB\n"
64 + "TD1Q32q99mFaieUAnYoMIGzPZOCvsWP3A3fU1z0VsbALyJGabwA3YR9+aabcPK+D\n"
65 + "be54HsvyDzU3dj85J7Mbh6w+QncRVXCN/7IMceYpUY/H00TVa3KRPMqT1IFOAsT2\n"
66 + "JTcJwPkhmo6Grka7wz9QEcGKPq7MT+YFwPsvpq9/Ma8J1hVUJQEgNvOjIligPsp6\n"
67 + "CZxu33A9xW51yT8Hl2zyYM/dklithNvTFXAIuu99fyWu3edn6kH0WsqHIh3L9O6P\n"
68 + "gwIDAQABo4HdMIHaMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU6ZNXe9TmP/rY\n"
69 + "K69j3+AQ3CSeVWEwUQYDVR0RBEowSIENb25hcEBvbmFwLm9yZ4ILZXhhbXBsZS5v\n"
70 + "cmeCDXRlc3Qub25hcC5vcmeGFW9uYXA6Ly9jbHVzdGVyLmxvY2FsL4cEfwAAATAn\n"
71 + "BgNVHSUEIDAeBggrBgEFBQcDAgYIKwYBBQUHAwQGCCsGAQUFBwMBMB0GA1UdDgQW\n"
72 + "BBQpQyXaSwlrBlTE3j8DEqWCHDJhKjAOBgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcN\n"
73 + "AQELBQADggGBAKp65hA59bX2TpfBBbdd9p8E1k1A+b8SszlIRkE755LmJOK1rEcS\n"
74 + "xuN2mOGx4/fhiycgNfuVUfVo9BMfjHct4nJ3EObK6N1tklgbNhLdwVG1BFSwDQgR\n"
75 + "guxjn+UUZRp6iUYVAjo2ju5Hgn3v4xrrKIUXgwleyG18e6leKOBmfEF8vpevSXNK\n"
76 + "v+OXUqJk0MFjkBG+HqFrmBY2Bwb8ZhDBc46ye5URxS1eZ8kpD5vtye3dQxI9Yi9G\n"
77 + "D2AsAckq13dLXSHpqBQYFeyKzHJyjXMxjYOIUUThtVhGPNVJt4Glt1FtIXllBCkR\n"
78 + "CNen6kXQjr1ocPlomx1fOj4ihVOseWxbK5WuWNFFWObA3YkwjdtmAMvb57Zm9M8S\n"
79 + "67myPUbMx9ZbU9WmBXtntKREGcrYxRgcwwk8ljDT0Z8FT+YFKmtZmDxCzvSK0Znz\n"
80 + "ysi80vDtXWH64OnyJ6wdugRRR6RKTuiiJh+xigN5HuveqIGu2gdzMAr5w5wh+LkW\n"
81 + "oTNRWh8PGkjPFA==\n"
82 + "-----END CERTIFICATE-----\n";
84 //ManagementCa.pem from EJBCA
85 private static final String TEST_1LAYER_CA_CERT = "-----BEGIN CERTIFICATE-----\n"
86 + "MIIElzCCAv+gAwIBAgIUUrxLMcvZmK8Y9qMrOXea8CfY/NswDQYJKoZIhvcNAQEL\n"
87 + "BQAwUzEVMBMGCgmSJomT8ixkAQEMBTEyMzQ1MRUwEwYDVQQDDAxNYW5hZ2VtZW50\n"
88 + "Q0ExIzAhBgNVBAoMGkVKQkNBIENvbnRhaW5lciBRdWlja3N0YXJ0MB4XDTIyMDUx\n"
89 + "ODE3MTYyOVoXDTMyMDUxNzE3MTYyOFowUzEVMBMGCgmSJomT8ixkAQEMBTEyMzQ1\n"
90 + "MRUwEwYDVQQDDAxNYW5hZ2VtZW50Q0ExIzAhBgNVBAoMGkVKQkNBIENvbnRhaW5l\n"
91 + "ciBRdWlja3N0YXJ0MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAs5TO\n"
92 + "bBiTf3pZ+b46KIVqIQKesB3HWHWp0TvvhhVUiRTxMMJXthUEg/NiSZ51G2cuzz9B\n"
93 + "eREbMkEmQYltlPrJ2OFIsFEMshePYm9O8MLDr8uWkN553l5bDfCNQcFdX/nwZcIa\n"
94 + "pNlPZ0f9KTMhzax/C9vXt6fUqBTTzSuIdmlx51y42viLWqVu31zHr2fMFGZLkk0G\n"
95 + "MMIHaEgY+SadySf6VfvoEkYXzrenrH9Lgk/7KXRHy5/AmqxmwMgqYNlJ+o5mwdA6\n"
96 + "DAERtyWDSOUFZNgeqRELY9nBn0HxHoCESIOAxIREyZL1oeXUpSHuxzdG9HuhrAJ8\n"
97 + "Kb5yjbTzn+sYweaWjARGVG2+xQS+ZIRlteOXDkOI9oseJuLOIVFYwj3bB72Za/MR\n"
98 + "b8cD7q9d2G8ZFt2mUOuK0JnsU3tv4okmPmMOcwLA0U1tgVaX/WCNuoHIbXoBQy9N\n"
99 + "GKIEfhMBkzrG4Q8oqTxbDRGzVRRq13kVP3aKgIrwbjwj0ztc1S4GH4K4Ata1AgMB\n"
100 + "AAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU6ZNXe9TmP/rYK69j\n"
101 + "3+AQ3CSeVWEwHQYDVR0OBBYEFOmTV3vU5j/62CuvY9/gENwknlVhMA4GA1UdDwEB\n"
102 + "/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAYEAAaTpoqWIpx65BVd+OllQ72k4/cv/\n"
103 + "PckS/lrvQNJtxCZxz3nfO9/VakoiQOxx1f8MfLJdfi+dB8ePd1BlpBJWzF9eyTAI\n"
104 + "lUyJkQAUHe0nMl477DUgPTooQwQmSbbO0ek0TBEBAhmjkfz3S6t+Dp3t2Q2sNP/H\n"
105 + "136xHgqFrODvEBRsjw18Kdc2326rWVHqF7joW6o1rug3kVbjVDPBIsUS833U6aD5\n"
106 + "mOCZP6nenPY1FBh8SAQmAoJ2Xr17Jj8gJpUhApU8Awc973OHBCcE4ao39XIqMzuh\n"
107 + "7Yl8I0Zy6q9Gq+UeRIN/VMeADuPxNkQA7NcUtHCXkhVI5+DlBQhPetCIHnCEyEG+\n"
108 + "tRGy9etWDW4adyJQL/hMKJTCyST0F2J1WOjr3+6kSH7oKcFsiQ+Xpg1MFo1LBdcg\n"
109 + "XtlCUMTyb0pHYsyenj3Bop2mJQCuqXNW4WzHkNjjZBE5HYsF46LPbJoDRgK1UExX\n"
110 + "YkBM+KWJQWV+eJDiZUR7Ag4mSCjEhVKh8Zw0\n"
111 + "-----END CERTIFICATE-----\n";
113 private static final String TEST_2LAYER_ENTITY_CERT = ""
114 + "-----BEGIN CERTIFICATE-----\n"
115 + "MIIDjDCCAnSgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlVT\n"
116 + "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4tRnJhbmNpc2NvMRkw\n"
117 + "FwYDVQQKDBBMaW51eC1Gb3VuZGF0aW9uMQ0wCwYDVQQLDARPTkFQMR4wHAYDVQQD\n"
118 + "DBVpbnRlcm1lZGlhdGUub25hcC5vcmcwHhcNMjAwMjEyMDk1MTI2WhcNMjIxMTA4\n"
119 + "MDk1MTI2WjB7MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n"
120 + "A1UEBwwNU2FuLUZyYW5jaXNjbzEZMBcGA1UECgwQTGludXgtRm91bmRhdGlvbjEN\n"
121 + "MAsGA1UECwwET05BUDEVMBMGA1UEAwwMdmlkLm9uYXAub3JnMIIBIjANBgkqhkiG\n"
122 + "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw+GIRzJzUOh0gtc+wzFJEdTnn+q5F10L0Yhr\n"
123 + "G1xKdjPieHIFGsoiXwcuCU8arNSqlz7ocx62KQRkcA8y6edlOAsYtdOEJvqEI9vc\n"
124 + "eyTB/HYsbzw3URPGch4AmibrQkKU9QvGwouHtHn4R2Ft2Y0tfEqv9hxj9v4njq4A\n"
125 + "EiDLAFLl5FmVyCZu/MtKngSgu1smcaFKTYySPMxytgJZexoa/ALZyyE0gRhsvwHm\n"
126 + "NLGCPt1bmE/PEGZybsCqliyTO0S56ncD55The7+D/UDS4kE1Wg0svlWon/YsE6QW\n"
127 + "B3oeJDX7Kr8ebDTIAErevIAD7Sm4ee5se2zxYrsYlj0MzHZtvwIDAQABoxAwDjAM\n"
128 + "BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCvQ1pTvjON6vSlcJRKSY4r\n"
129 + "8q7L4/9ZaVXWJAjzEYJtPIqsgGiPWz0vGfgklowU6tZxp9zRZFXfMil+mPQSe+yo\n"
130 + "ULrZSQ/z48YHPueE/BNO/nT4aaVBEhPLR5aVwC7uQVX8H+m1V1UGT8lk9vdI9rej\n"
131 + "CI9l524sLCpdE4dFXiWK2XHEZ0Vfylk221u3IYEogVVA+UMX7BFPSsOnI2vtYK/i\n"
132 + "lwZtlri8LtTusNe4oiTkYyq+RSyDhtAswg8ANgvfHolhCHoLFj6w1IkG88UCmbwN\n"
133 + "d7BoGMy06y5MJxyXEZG0vR7eNeLey0TIh+rAszAFPsIQvrOHW+HuA+WLQAj1mhnm\n"
134 + "-----END CERTIFICATE-----";
136 private static final String TEST_2LAYER_INTERMEDIATE_CERT = ""
137 + "-----BEGIN CERTIFICATE-----\n"
138 + "MIIDqTCCApGgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT\n"
139 + "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4tRnJhbmNpc2NvMRkw\n"
140 + "FwYDVQQKDBBMaW51eC1Gb3VuZGF0aW9uMQ0wCwYDVQQLDARPTkFQMREwDwYDVQQD\n"
141 + "DAhvbmFwLm9yZzEeMBwGCSqGSIb3DQEJARYPdGVzdGVyQG9uYXAub3JnMB4XDTIw\n"
142 + "MDIxMjA5NDAxMloXDTIyMTEwODA5NDAxMlowgYQxCzAJBgNVBAYTAlVTMRMwEQYD\n"
143 + "VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4tRnJhbmNpc2NvMRkwFwYDVQQK\n"
144 + "DBBMaW51eC1Gb3VuZGF0aW9uMQ0wCwYDVQQLDARPTkFQMR4wHAYDVQQDDBVpbnRl\n"
145 + "cm1lZGlhdGUub25hcC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n"
146 + "AQC1oOYMZ6G+2DGDAizYnzdCNiogivlht1s4oqgem7fM1XFPxD2p31ATIibOdqr/\n"
147 + "gv1qemO9Q4r1xn6w1Ufq7T1K7PjnMzdSeTqZefurE2JM/HHx2QvW4TjMlz2ILgaD\n"
148 + "L1LN60kmMQSOi5VxKJpsrCQxbOsxhvefd212gny5AZMcjJe23kUd9OxUrtvpdLEv\n"
149 + "wI3vFEvT7oRUnEUg/XNz7qeg33vf1C39yMR+6O4s6oevgsEebVKjb+yOoS6zzGtz\n"
150 + "72wZjm07C54ZlO+4Uy+QAlMjRiU3mgWkKbkOy+4CvwehjhpTikdBs2DX39ZLGHhn\n"
151 + "L/0a2NYtGulp9XEqmTvRoI+PAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZI\n"
152 + "hvcNAQELBQADggEBADcitdJ6YswiV8jAD9GK0gf3+zqcGegt4kt+79JXlXYbb1sY\n"
153 + "q3o6prcB7nSUoClgF2xUPCslFGpM0Er9FCSFElQM/ru0l/KVmJS6kSpwEHvsYIH3\n"
154 + "q5anta+Pyk8JSQWAAw+qrind0uBQMnhR8Tn13tgV+Kjvg/xlH/nZIEdN5YtLB1cA\n"
155 + "beVsZRyRfVL9DeZU8s/MZ5wC3kgcEp5A4m5lg7HyBxBdqhzFcDr6xiy6OGqW8Yep\n"
156 + "xrwfc8Fw8a/lOv4U+tBeGNKPQDYaL9hh+oM+qMkNXsHXDqdJsuEGJtU4i3Wcwzoc\n"
157 + "XGN5NWV//4bP+NFmwgcn7AYCdRvz04A8GU/0Cwg=\n"
158 + "-----END CERTIFICATE-----";
160 private static final String TEST_2LAYER_CA_CERT = ""
161 + "-----BEGIN CERTIFICATE-----\n"
162 + "MIIDtzCCAp8CFAwqQddh4/iyGfP8UZ3dpXlxfAN8MA0GCSqGSIb3DQEBCwUAMIGX\n"
163 + "MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu\n"
164 + "LUZyYW5jaXNjbzEZMBcGA1UECgwQTGludXgtRm91bmRhdGlvbjENMAsGA1UECwwE\n"
165 + "T05BUDERMA8GA1UEAwwIb25hcC5vcmcxHjAcBgkqhkiG9w0BCQEWD3Rlc3RlckBv\n"
166 + "bmFwLm9yZzAeFw0yMDAyMTIwOTM0MjdaFw0yMTAyMTEwOTM0MjdaMIGXMQswCQYD\n"
167 + "VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuLUZyYW5j\n"
168 + "aXNjbzEZMBcGA1UECgwQTGludXgtRm91bmRhdGlvbjENMAsGA1UECwwET05BUDER\n"
169 + "MA8GA1UEAwwIb25hcC5vcmcxHjAcBgkqhkiG9w0BCQEWD3Rlc3RlckBvbmFwLm9y\n"
170 + "ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCFrnO7/eT6V+7XkPPd\n"
171 + "eiL/6xXreuegvit/1/jTVjG+3AOVcmTn2WXwXXRcQLvkWQfJVPoltsY8E3FqFRti\n"
172 + "797XjY6cdQJFVDyzNU0+Fb4vJL9FK5wSvnS6EFjBEn3JvXRlENorDCs/mfjkjJoa\n"
173 + "Dl74gXQEJYcg4nsTeNIj7cm3Q7VK3mZt1t7LSJJ+czxv69UJDuNJpmQ/2WOKyLZA\n"
174 + "gTtBJ+Hyol45/OLsrqwq1dAn9ZRWIFPvRt/XQYH9bI/6MtqSreRVUrdYCiTe/XpP\n"
175 + "B/OM6NEi2+p5QLi3Yi70CEbqP3HqUVbkzF+r7bwIb6M5/HxfqzLmGwLvD+6rYnUn\n"
176 + "Bm8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAhXoO65DXth2X/zFRNsCNpLwmDy7r\n"
177 + "PxT9ZAIZAzSxx3/aCYiuTrKP1JnqjkO+F2IbikrI4n6sKO49SKnRf9SWTFhd+5dX\n"
178 + "vxq5y7MaqxHAY9J7+Qzq33+COVFQnaF7ddel2NbyUVb2b9ZINNsaZkkPXui6DtQ7\n"
179 + "/Fb/1tmAGWd3hMp75G2thBSzs816JMKKa9WD+4VGATEs6OSll4sv2fOZEn+0mAD3\n"
180 + "9q9c+WtLGIudOwcHwzPb2njtNntQSCK/tVOqbY+vzhMY3JW+p9oSrLDSdGC+pAKK\n"
181 + "m/wB+2VPIYcsPMtIhHC4tgoSaiCqjXYptaOh4b8ye8CPBUCpX/AYYkN0Ow==\n"
182 + "-----END CERTIFICATE-----";
186 static void setUpSecurity() {
187 Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
192 void returnListOfCertificationWhenGivenCaCertInCaPubsAndEntityCertInLeafCertificate()
193 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
195 PKIMessage respPkiMessage = mockExtraCerts(null);
197 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT);
198 CMPCertificate[] cmpCertificates = {caCmpCertificate};
199 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
201 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_1LAYER_ENTITY_CERT);
204 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
205 respPkiMessage, certRepMessage, leafCertificate);
208 assertThatChainContainsEntityCertificate(certs, TEST_1LAYER_ENTITY_CERT);
210 assertThatRootCaAndTrustedCaAreInSecondList(certs, caCmpCertificate);
214 void returnListOfCertificationWhenGivenCaCertInExtraCertsAndEntityCertInLeafCertificate()
215 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
217 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT);
218 CMPCertificate[] extraCmpCertificates = {caCmpCertificate};
219 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
221 CertRepMessage certRepMessage = mockCaPubs(null);
223 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_1LAYER_ENTITY_CERT);
226 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
227 respPkiMessage, certRepMessage, leafCertificate);
230 assertThatChainContainsEntityCertificate(certs, TEST_1LAYER_ENTITY_CERT);
232 assertThatRootCaAndTrustedCaAreInSecondList(certs, caCmpCertificate);
236 void returnListOfCertificationWhenGivenCaCertInExtraCertsAndExtraTrustAnchorInCaPubsAndEntityCertInLeafCertificate()
237 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
239 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT);
240 CMPCertificate[] extraCmpCertificates = {caCmpCertificate};
241 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
243 CMPCertificate extraTrustAnchor = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
244 CMPCertificate[] cmpCertificates = {extraTrustAnchor};
245 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
247 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_1LAYER_ENTITY_CERT);
250 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
251 respPkiMessage, certRepMessage, leafCertificate);
254 assertThatChainContainsEntityCertificate(certs, TEST_1LAYER_ENTITY_CERT);
256 assertThatRootCaAndTrustedCaAreInSecondList(
258 caCmpCertificate, extraTrustAnchor
263 void returnListOfCertificationWhenGivenCaCertInExtraCertsAndExtraTrustAnchorInExtraCertsAndEntityCertInLeafCertificate()
264 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
266 CMPCertificate trustedCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
267 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT);
268 CMPCertificate[] extraCmpCertificates = {caCmpCertificate, trustedCmpCertificate};
269 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
271 CertRepMessage certRepMessage = mockCaPubs(null);
273 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_1LAYER_ENTITY_CERT);
276 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
277 respPkiMessage, certRepMessage, leafCertificate);
280 assertThatChainContainsEntityCertificate(certs, TEST_1LAYER_ENTITY_CERT);
282 assertThatRootCaAndTrustedCaAreInSecondList(
284 caCmpCertificate, trustedCmpCertificate
289 void returnListOfCertificationWhenGivenCaCertAndIntermediateCertInExtraCertsAndEntityCertInLeafCertificate()
290 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
292 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
293 CMPCertificate intermediateCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_INTERMEDIATE_CERT);
294 CMPCertificate[] extraCmpCertificates = {caCmpCertificate, intermediateCmpCertificate};
295 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
297 CertRepMessage certRepMessage = mockCaPubs(null);
299 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_2LAYER_ENTITY_CERT);
302 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
303 respPkiMessage, certRepMessage, leafCertificate);
306 assertThatChainContainsEntityAndIntermediateCertificate(certs, TEST_2LAYER_ENTITY_CERT, TEST_2LAYER_INTERMEDIATE_CERT);
308 assertThatRootCaAndTrustedCaAreInSecondList(
315 void returnListOfCertificationWhenGivenCaCertAndIntermediateCertInCmpCertificatesAndEntityCertInLeafCertificate()
316 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
318 PKIMessage respPkiMessage = mockExtraCerts(null);
320 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
321 CMPCertificate intermediateCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_INTERMEDIATE_CERT);
322 CMPCertificate[] cmpCertificates = {caCmpCertificate, intermediateCmpCertificate};
323 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
325 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_2LAYER_ENTITY_CERT);
328 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
329 respPkiMessage, certRepMessage, leafCertificate);
332 assertThatChainContainsEntityAndIntermediateCertificate(certs, TEST_2LAYER_ENTITY_CERT, TEST_2LAYER_INTERMEDIATE_CERT);
334 assertThatRootCaAndTrustedCaAreInSecondList(
341 void returnListOfCertificationWhenGivenCaCertInCaPubsAndIntermediateCertInExtraCertsAndEntityCertInLeafCertificate()
342 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
344 CMPCertificate intermediateCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_INTERMEDIATE_CERT);
345 CMPCertificate[] extraCmpCertificates = {intermediateCmpCertificate};
346 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
348 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
349 CMPCertificate[] cmpCertificates = {caCmpCertificate};
350 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
352 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_2LAYER_ENTITY_CERT);
355 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
356 respPkiMessage, certRepMessage, leafCertificate);
359 assertThatChainContainsEntityAndIntermediateCertificate(certs, TEST_2LAYER_ENTITY_CERT, TEST_2LAYER_INTERMEDIATE_CERT);
361 assertThatRootCaAndTrustedCaAreInSecondList(
368 void returnListOfCertificationWhenGivenCaCertInCaPubsAndExtraCertsAndEntityCertInLeafCertificate()
369 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
371 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT);
372 CMPCertificate[] extraCmpCertificates = {caCmpCertificate};
373 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
374 CMPCertificate[] cmpCertificates = {mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT)};
375 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
376 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_1LAYER_ENTITY_CERT);
379 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
380 respPkiMessage, certRepMessage, leafCertificate);
383 assertThatChainContainsEntityCertificate(certs, TEST_1LAYER_ENTITY_CERT);
384 assertThatRootCaAndTrustedCaAreInSecondList(certs, mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT));
389 void returnListOfCertificationWhenGivenCaCertAndIntermediateCertInExtraCertsAndIntermediateCertInCaPubsAndEntityCertInLeafCertificate()
390 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
392 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
393 CMPCertificate intermediateCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_INTERMEDIATE_CERT);
394 CMPCertificate[] extraCmpCertificates = {caCmpCertificate, intermediateCmpCertificate};
395 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
396 CMPCertificate[] cmpCertificates = {intermediateCmpCertificate};
397 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
398 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_2LAYER_ENTITY_CERT);
401 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
402 respPkiMessage, certRepMessage, leafCertificate);
405 assertThatChainContainsEntityAndIntermediateCertificate(certs, TEST_2LAYER_ENTITY_CERT, TEST_2LAYER_INTERMEDIATE_CERT);
406 assertThatRootCaAndTrustedCaAreInSecondList(
413 void returnListOfCertificationWhenGivenCaCertAndExtraTrustAnchorInCaPubsAndIntermediateCertInExtraCertsAndEntityCertInLeafCertificate()
414 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
416 CMPCertificate intermediateCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_INTERMEDIATE_CERT);
417 CMPCertificate[] extraCmpCertificates = {intermediateCmpCertificate};
418 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
420 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
421 CMPCertificate extraTrustAnchor = mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT);
422 CMPCertificate[] cmpCertificates = {caCmpCertificate, extraTrustAnchor};
423 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
425 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_2LAYER_ENTITY_CERT);
428 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
429 respPkiMessage, certRepMessage, leafCertificate);
432 assertThatChainContainsEntityAndIntermediateCertificate(certs, TEST_2LAYER_ENTITY_CERT, TEST_2LAYER_INTERMEDIATE_CERT);
434 assertThatRootCaAndTrustedCaAreInSecondList(
436 caCmpCertificate, extraTrustAnchor
441 void returnListOfCertificationWhenGivenCaCertAndFirstExtraTrustAnchorInCaPubsAndIntermediateCertAndSecondExtraTrustAnchorInExtraCertsAndEntityCertInLeafCertificate()
442 throws CertificateException, CmpClientException, IOException, NoSuchProviderException {
444 CMPCertificate intermediateCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_INTERMEDIATE_CERT);
445 CMPCertificate extraTrustAnchor01 = mockCmpCertificateFromPem(TEST_1LAYER_ENTITY_CERT);
446 CMPCertificate[] extraCmpCertificates = {intermediateCmpCertificate, extraTrustAnchor01};
447 PKIMessage respPkiMessage = mockExtraCerts(extraCmpCertificates);
449 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
450 CMPCertificate extraTrustAnchor02 = mockCmpCertificateFromPem(TEST_1LAYER_CA_CERT);
451 CMPCertificate[] cmpCertificates = {caCmpCertificate, extraTrustAnchor02};
452 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
454 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_2LAYER_ENTITY_CERT);
457 Cmpv2CertificationModel certs = CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
458 respPkiMessage, certRepMessage, leafCertificate);
461 assertThatChainContainsEntityAndIntermediateCertificate(certs, TEST_2LAYER_ENTITY_CERT, TEST_2LAYER_INTERMEDIATE_CERT);
463 assertThatRootCaAndTrustedCaAreInSecondList(
465 caCmpCertificate, extraTrustAnchor01, extraTrustAnchor02
470 void throwsExceptionWhenNoCaCertForEntityCertIsGivenAndOnlyExtraTrustAnchorIsReturned()
471 throws CertificateException, IOException, NoSuchProviderException {
474 PKIMessage respPkiMessage = mockExtraCerts(null);
476 CMPCertificate trustedCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
477 CMPCertificate[] cmpCertificates = {trustedCmpCertificate};
478 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
480 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_1LAYER_ENTITY_CERT);
483 Exception exception = assertThrows(
484 CmpClientException.class,
485 () -> CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
486 respPkiMessage, certRepMessage, leafCertificate
490 String actualMessage = exception.getMessage();
493 assertThat(actualMessage).isEqualTo(EXPECTED_ERROR_MESSAGE);
497 void throwsExceptionWhenBothExtraCertsAndCaPubsAreEmpty()
498 throws CertificateException, IOException, NoSuchProviderException {
501 PKIMessage respPkiMessage = mockExtraCerts(null);
502 CertRepMessage certRepMessage = mockCaPubs(null);
504 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_1LAYER_ENTITY_CERT);
507 Exception exception = assertThrows(
508 CmpClientException.class,
509 () -> CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
510 respPkiMessage, certRepMessage, leafCertificate
514 String actualMessage = exception.getMessage();
517 assertThat(actualMessage).isEqualTo(EXPECTED_ERROR_MESSAGE);
521 void throwsExceptionWhenNoIntermediateCertForEntityCertIsGiven()
522 throws CertificateException, IOException, NoSuchProviderException {
525 PKIMessage respPkiMessage = mockExtraCerts(null);
527 CMPCertificate caCmpCertificate = mockCmpCertificateFromPem(TEST_2LAYER_CA_CERT);
528 CMPCertificate[] cmpCertificates = {caCmpCertificate};
529 CertRepMessage certRepMessage = mockCaPubs(cmpCertificates);
531 X509Certificate leafCertificate = getX509CertificateFromPem(TEST_2LAYER_ENTITY_CERT);
534 Exception exception = assertThrows(
535 CmpClientException.class,
536 () -> CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore(
537 respPkiMessage, certRepMessage, leafCertificate
541 String actualMessage = exception.getMessage();
544 assertThat(actualMessage).isEqualTo(EXPECTED_ERROR_MESSAGE);
548 private void assertThatRootCaAndTrustedCaAreInSecondList(
549 Cmpv2CertificationModel certs, CMPCertificate... rootAndTrustedCerts
550 ) throws IOException {
551 assertThat(certs.getTrustedCertificates().size()).isEqualTo(rootAndTrustedCerts.length);
552 for (CMPCertificate certificate : rootAndTrustedCerts) {
553 assertThat(certs.getTrustedCertificates())
554 .extracting(Certificate::getEncoded)
555 .contains(certificate.getEncoded());
559 private void assertThatChainContainsEntityCertificate(
560 Cmpv2CertificationModel certs, String entityCertificate
561 ) throws CertificateEncodingException, IOException {
562 assertThat(certs.getCertificateChain().size()).isEqualTo(1);
563 assertThat(certs.getCertificateChain().get(0).getEncoded()).isEqualTo(createPemObject(entityCertificate).getContent());
566 private void assertThatChainContainsEntityAndIntermediateCertificate(
567 Cmpv2CertificationModel certs, String entityCertificate, String intermediateCertificate
568 ) throws CertificateEncodingException, IOException {
569 assertThat(certs.getCertificateChain().size()).isEqualTo(2);
570 assertThat(certs.getCertificateChain().get(0).getEncoded()).isEqualTo(createPemObject(entityCertificate).getContent());
571 assertThat(certs.getCertificateChain().get(1).getEncoded()).isEqualTo(createPemObject(intermediateCertificate).getContent());
574 private X509Certificate getX509CertificateFromPem(String pem) throws CertificateException, NoSuchProviderException, IOException {
575 return (X509Certificate)
576 CertificateFactory.getInstance("X.509", "BC").generateCertificate(
577 new ByteArrayInputStream(createPemObject(pem).getContent())
581 private PKIMessage mockExtraCerts(CMPCertificate[] cmpCertificates) {
582 PKIMessage respPkiMessage = mock(PKIMessage.class);
583 when(respPkiMessage.getExtraCerts()).thenReturn(cmpCertificates);
584 return respPkiMessage;
587 private CertRepMessage mockCaPubs(CMPCertificate[] cmpCertificates) {
588 CertRepMessage certRepMessage = mock(CertRepMessage.class);
589 when(certRepMessage.getCaPubs()).thenReturn(cmpCertificates);
590 return certRepMessage;
593 private CMPCertificate mockCmpCertificateFromPem(String pem) throws IOException {
594 return mockCmpCertificate(createPemObject(pem).getContent());
597 private CMPCertificate mockCmpCertificate(byte[] encodedCertificate) throws IOException {
598 CMPCertificate cmpCertificate01 = mock(CMPCertificate.class);
599 when(cmpCertificate01.getEncoded()).thenReturn(encodedCertificate);
600 return cmpCertificate01;
603 private PemObject createPemObject(String pem) throws IOException {
604 try (StringReader stringReader = new StringReader(pem);
605 PemReader pemReader = new PemReader(stringReader)) {
606 return pemReader.readPemObject();