Hi.
I’m new around here. I’ve been developing software that signs and
validates CAdES signatures (using a policy), and I have a doubt about the
name constraint, one of the certificate requirements (RFC 3125).
I’ve created a test case, using JUnit, for this, just to learn more
about the Bouncy Castle API, but I’ve found that there is something
wrong with my test:
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Project-specific helpers, not Bouncy Castle classes: NameConstraintsType,
// PolicyElementFactory, TestPolicyGenerator, SignaturePolicyImplSerasa,
// GenericErrorList, X509StoreUtils, TestUtils, createCertificateSet and the
// constant DATE_20090401_21_05_28_GMT.

@Test
public void testNameConstraint() throws Exception {
    String[] trustAnchors = { "/ICPBRASIL/certs/ac_raiz_v1.der.cer" };
    String[] intermediates = {
        "/ICPBRASIL/certs/serasa_acp_v1.der.cer",
        "/ICPBRASIL/certs/serasa_cd_v1.der.cer",
        "/parsetests/serasa_cd_v1_ee_1.cer" };
    String[] crls = { "/ICPBRASIL/crls/ac_raiz_v1_20090116_1741.crl",
        "/ICPBRASIL/crls/serasa_cd_v1_20090401_1700.crl",
        "/ICPBRASIL/crls/serasa_acp_v1_20090401_1700.crl" };
    String[] crlsUrls = {
        "http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl",
        "http://lcr.certificados.com.br/repositorio/lcr/serasacdv1.crl",
        "http://www.certificadodigital.com.br/repositorio/lcr/serasaacpv1.crl"
    };
    CertPathBuilder pathBuilder =
        CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    Collection<X509Certificate> trustRoots = createCertificateSet(trustAnchors);
    Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    // We have an API created by another company; we have to compensate for
    // the API's limitations using Bouncy Castle.
    // Here we create the permitted and excluded subtrees.
    NameConstraintsType nameConstraints = PolicyElementFactory.newNameConstraints(
        PolicyElementFactory.newGeneralSubTreesListType(
            TestPolicyGenerator.newGeneralSubTreeType("CN=Invalid,O=Test", 0, 2)),
        PolicyElementFactory.newGeneralSubTreesListType(
            TestPolicyGenerator.newGeneralSubTreeType(
                "CN=AC SERASA SRF, OU=Secretaria da Receita Federal - SRF, O=ICP-Brasil, C=BR",
                0, 4)));
    // This method was created to convert the name constraints into the DER-encoded
    // NameConstraints extension value that TrustAnchor expects.
    byte[] constraint =
        SignaturePolicyImplSerasa.convertInternalToASN1NameConstraintsRFC3280Implicit(
            nameConstraints, new GenericErrorList());
    for (X509Certificate certificate : trustRoots) {
        anchors.add(new TrustAnchor(certificate, constraint));
    }
    // Select the end-entity certificate the path must end at.
    X509CertSelector targetConst = new X509CertSelector();
    X509Certificate cert =
        TestUtils.loadX509Certificate("/parsetests/serasa_cd_v1_ee_1.cer");
    targetConst.setIssuer(cert.getIssuerX500Principal());
    targetConst.setSerialNumber(cert.getSerialNumber());
    // Create the builder parameters from here. I've used the name constraint
    // in the trust anchors.
    PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConst);
    Collection<Object> store = new ArrayList<Object>();
    store.addAll(TestPolicyGenerator.newX509CertificateCollection(intermediates));
    store.addAll(TestPolicyGenerator.newX509CrlCollection(crls));
    // logger.info("store:" + store);
    params.addCertStore(X509StoreUtils.createCertificateStoreFromCertsAndCrls(store));
    params.setRevocationEnabled(false);
    Date date = new Date(DATE_20090401_21_05_28_GMT);
    params.setDate(date);
    try {
        CertPathBuilderResult build = pathBuilder.build(params);
        fail("Should throw exception: " + build);
    } catch (CertPathBuilderException e) {
        // Catch only the builder failure; a broader catch (Exception) would also
        // swallow unrelated errors such as a missing test file and pass the test
        // for the wrong reason.
        System.out.println(e.getMessage());
    }
}
My doubt is whether the path builder does any verification of the name
constraint. If yes, what am I doing wrong? If not, what is recommended for
this verification?
Thanks in advance,
Juliano Gomes
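An added example, not part of Juliano's post or of the Bouncy Castle code base, that shows where a PKIX path validator is guaranteed to enforce name constraints: in a CA certificate within the path, which RFC 5280 section 6.1.4 requires every conforming validator to process (the TrustAnchor nameConstraints parameter is instead an optional initialisation of the initial-excluded/permitted subtrees, and support for it varies by provider). The code builds a root, an intermediate CA carrying a critical NameConstraints extension with one excluded directoryName subtree, and two end-entity certificates, then runs the BC PKIX CertPathValidator over each two-certificate path. All DNs, keys and the NameConstraintsDemo class are constructed for the example. One detail a practitioner should check first: BC's X500Name encodes the RDNs in the order written, and directoryName subtree matching is an RDN-by-RDN prefix comparison, so the subtree base and the subject names below are written most-significant-first (C, O, CN); a base written in RFC 2253 order (CN first) encodes a different RDN sequence and matches nothing.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Example class (not part of Bouncy Castle): name constraints on an intermediate CA.
public class NameConstraintsDemo {

    static final String BC = BouncyCastleProvider.PROVIDER_NAME;
    static long nextSerial = 1; // constructed serial numbers for the demo chain

    // Issues a one-hour certificate. A non-null 'nc' is attached as a critical
    // NameConstraints extension; it only has meaning on CA certificates.
    static X509Certificate issue(X500Name issuer, PrivateKey issuerKey,
                                 X500Name subject, PublicKey subjectKey,
                                 boolean ca, NameConstraints nc) throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            issuer, BigInteger.valueOf(nextSerial++),
            new Date(now - 60_000L), new Date(now + 3_600_000L), subject, subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        if (ca) {
            builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        }
        if (nc != null) {
            builder.addExtension(Extension.nameConstraints, true, nc);
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
            .setProvider(BC).build(issuerKey);
        return new JcaX509CertificateConverter().setProvider(BC)
            .getCertificate(builder.build(signer));
    }

    // NameConstraints with no permitted subtrees (anything allowed) and one
    // excluded directoryName subtree rooted at baseDn.
    static NameConstraints excludeSubtree(String baseDn) {
        GeneralSubtree[] excluded = {
            new GeneralSubtree(new GeneralName(GeneralName.directoryName, new X500Name(baseDn)))
        };
        return new NameConstraints(null, excluded);
    }

    // Runs the BC PKIX validator over the path [ee, ca] anchored at root.
    // Returns true when the path is accepted, false when it is rejected.
    static boolean validates(X509Certificate root, X509Certificate ca,
                             X509Certificate ee) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509", BC)
            .generateCertPath(Arrays.asList(ee, ca));
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // no CRLs in this in-memory demo
        try {
            CertPathValidator.getInstance("PKIX", BC).validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", BC);
        kpg.initialize(2048);
        KeyPair rootKeys = kpg.generateKeyPair(), caKeys = kpg.generateKeyPair(),
                aliceKeys = kpg.generateKeyPair(), malloryKeys = kpg.generateKeyPair();

        // Names are written most-significant RDN first so that the excluded base
        // "C=BR,O=Excluded Org" is an RDN prefix of mallory's subject.
        X500Name rootDn = new X500Name("C=BR,O=Demo PKI,CN=Demo Root");
        X500Name caDn = new X500Name("C=BR,O=Demo PKI,CN=Demo Sub CA");
        X509Certificate root = issue(rootDn, rootKeys.getPrivate(), rootDn,
            rootKeys.getPublic(), true, null);
        X509Certificate ca = issue(rootDn, rootKeys.getPrivate(), caDn,
            caKeys.getPublic(), true, excludeSubtree("C=BR,O=Excluded Org"));
        X509Certificate alice = issue(caDn, caKeys.getPrivate(),
            new X500Name("C=BR,O=Demo PKI,CN=alice"), aliceKeys.getPublic(), false, null);
        X509Certificate mallory = issue(caDn, caKeys.getPrivate(),
            new X500Name("C=BR,O=Excluded Org,CN=mallory"), malloryKeys.getPublic(), false, null);

        System.out.println("subject outside excluded subtree accepted: " + validates(root, ca, alice));
        System.out.println("subject inside excluded subtree accepted:  " + validates(root, ca, mallory));
    }
}
```

Compile against bcprov and bcpkix. A conforming validator accepts the first path and rejects the second with a name-constraint error from the validator, since mallory's subject falls under the excluded subtree declared by the intermediate; the same check applies to directoryName entries in subjectAltName. Once this behaves as expected, moving the same DER-encoded NameConstraints value onto the TrustAnchor (as in the test above) isolates whether the provider honours trust-anchor constraints at all, rather than whether the constraint encoding or the RDN ordering is at fault.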