Some cleaning about x509 integations tests.

Remove not used credentials, rename some certificates or tests ...
eclipse-leshan · Oct 19, 2023 · a8d4af1 · a8d4af1
1 parent 088d6da
commit a8d4af1
Show file tree

Hide file tree

Showing 13 changed files with 232 additions and 380 deletions.
diff --git a/leshan-client-cf/src/main/java/org/eclipse/leshan/client/californium/X509Util.java b/leshan-client-cf/src/main/java/org/eclipse/leshan/client/californium/X509Util.java
@@ -125,7 +125,7 @@ public static boolean contains(X509Certificate certificate, X509Certificate[] ce
     /**
      * Convert array of {@link Certificate} to array of {@link X509Certificate}
      */
-    public static X509Certificate[] asX509Certificates(Certificate[] certificates) throws CertificateException {
+    public static X509Certificate[] asX509Certificates(Certificate... certificates) throws CertificateException {
         ArrayList<X509Certificate> x509Certificates = new ArrayList<>();
 
         for (Certificate cert : certificates) {

diff --git a/...java/org/eclipse/leshan/client/californium/endpoint/coaps/CoapsClientEndpointFactory.java b/...java/org/eclipse/leshan/client/californium/endpoint/coaps/CoapsClientEndpointFactory.java
@@ -187,8 +187,7 @@ protected DtlsConnectorConfig.Builder createEffectiveDtlsConnectorConfigBuilder(
                 // LWM2M v1.1.1 - 5.2.8.7. Certificate Usage Field
                 //
                 // 0: Certificate usage 0 ("CA constraint")
-                // - trustStore is combination of client's configured trust store and provided certificate in server
-                // info
+                // - trustStore is client's configured trust store
                 // - must do PKIX validation with trustStore to build certPath
                 // - must check that given certificate is part of certPath
                 // - validate server name

diff --git a/leshan-integration-tests/credentials/clientKeyStore.jks b/leshan-integration-tests/credentials/clientKeyStore.jks
diff --git a/leshan-integration-tests/credentials/generate_credentials.sh b/leshan-integration-tests/credentials/generate_credentials.sh
@@ -8,13 +8,11 @@ SERVER_STORE=serverKeyStore.jks
 SERVER_STORE_PWD=server
 TRUSTED_CA_STORE=trustedCaKeyStore.jks
 TRUSTED_CA_STORE_PWD=trusted
-MANUFACTURER_CA_STORE=manufacturerCaKeyStore.jks
-MANUFACTURER_CA_STORE_PWD=manufacturer
 UNKNOWN_CA_STORE=unknownCaKeyStore.jks
 UNKNOWN_CA_STORE_PWD=unknown
 
 VALIDITY=36500 #days
-DEFAULT_STORE_TYPE=JKS #PKCS12 is not supported by Java7
+DEFAULT_STORE_TYPE=PKCS12 #PKCS12 is not supported by Java7, JKS can be used instead
 
 # Color output stuff
 red=`tput setaf 1`
@@ -53,36 +51,6 @@ keytool -certreq -alias intermediateCA -dname 'CN=Leshan intermediate CA' -keyst
   keytool -importcert -alias intermediateCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD
 keytool -exportcert -alias intermediateCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD -file intermediateCA.der
 echo
-
-# Generation of the Manufacturer CA keystore needed for Leshan integration tests.
-echo "${H1}Manufacturer CA Keystore : ${RESET}"
-echo "${H1}======================${RESET}"
-echo "${H2}Creating the trusted root CA key and certificate...${RESET}"
-keytool -genkeypair -alias mfgProductsRootCA -keyalg EC -dname 'CN=Products Root CA,O=Manufacturer' \
-        -validity $VALIDITY \
-        -storetype $DEFAULT_STORE_TYPE \
-        -ext BasicConstraints:critical=ca:true \
-        -ext KeyUsage:critical=keyCertSign,cRLSign \
-        -keypass $MANUFACTURER_CA_STORE_PWD -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD 
-keytool -exportcert -alias mfgProductsRootCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD -file mfgProductsRootCA.der
-echo
-echo "${H2}Creating the Devices CA key and certificate...${RESET}"
-keytool -genkeypair -alias mfgDevicesCA -keyalg EC -dname 'CN=Devices CA,O=Manufacturer' \
-        -validity $VALIDITY \
-        -storetype $DEFAULT_STORE_TYPE \
-        -ext BasicConstraints:critical=ca:true,pathlen:0 \
-        -ext KeyUsage:critical=keyCertSign,cRLSign \
-        -keypass $MANUFACTURER_CA_STORE_PWD -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD
-echo
-keytool -certreq -alias mfgDevicesCA -dname 'CN=Devices CA,O=Manufacturer' -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD | \
-  keytool -gencert -alias mfgProductsRootCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD \
-        -validity $VALIDITY \
-        -ext BasicConstraints:critical=ca:true,pathlen:0 \
-        -ext KeyUsage:critical=keyCertSign,cRLSign | \
-    keytool -importcert -alias mfgDevicesCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD
-keytool -exportcert -alias mfgDevicesCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD -file mfgDevicesCA.der
-echo
-
 # Generation of the Unknown CA keystore needed for Leshan integration tests.
 echo "${H1}Unknown CA Keystore : ${RESET}"
 echo "${H1}======================${RESET}"
@@ -108,18 +76,6 @@ keytool -genkeypair -alias server -keyalg EC -dname 'CN=localhost' \
         -keypass $SERVER_STORE_PWD -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD
 keytool -exportcert -alias server -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \
   keytool -importcert -alias server_self_signed -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD -noprompt
-
-echo
-echo "${H2}Creating second server key and self-signed certificate ...${RESET}"
-keytool -genkeypair -alias serverInt -keyalg EC -dname 'CN=Server signed with Intermediate CA' -ext san=dns:localhost \
-        -validity $VALIDITY \
-        -storetype $DEFAULT_STORE_TYPE \
-        -ext BasicConstraints=ca:false \
-        -ext KeyUsage:critical=digitalSignature,keyAgreement \
-        -ext ExtendedkeyUsage=serverAuth \
-        -keypass $SERVER_STORE_PWD -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD
-keytool -exportcert -alias serverInt -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \
-  keytool -importcert -alias serverInt_self_signed -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD -noprompt
 echo
 echo "${H2}Importing Root CA certificate ...${RESET}"
 keytool -importcert -alias rootCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD -noprompt -file rootCA.der
@@ -134,17 +90,17 @@ keytool -certreq -alias server -dname 'CN=localhost' -keystore $SERVER_STORE -st
           -ext BasicConstraints=ca:false \
           -ext KeyUsage:critical=digitalSignature,keyAgreement \
           -ext ExtendedkeyUsage=serverAuth | \
-    keytool -importcert -alias server -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD
+    keytool -importcert -alias server_signed_by_root -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD
 echo
 echo "${H2}Creating server certificate signed by intermediate CA...${RESET}"
-keytool -certreq -alias serverInt -dname 'CN=Server signed with Intermediate CA' -ext san=dns:localhost -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \
+keytool -certreq -alias server -dname 'CN=Server signed with Intermediate CA' -ext san=dns:localhost -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \
   keytool -gencert -alias intermediateCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD \
           -validity $VALIDITY \
           -ext BasicConstraints=ca:false \
           -ext KeyUsage:critical=digitalSignature,keyAgreement \
           -ext ExtendedkeyUsage=serverAuth \
           -ext san=dns:localhost | \
-    keytool -importcert -alias serverInt -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD
+    keytool -importcert -alias server_signed_by_intermediate_ca -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD
 
 echo
 echo "${H1}Client Keystore : ${RESET}"
@@ -170,7 +126,7 @@ keytool -certreq -alias client -keystore $CLIENT_STORE -storepass $CLIENT_STORE_
           -ext BasicConstraints=ca:false \
           -ext KeyUsage:critical=digitalSignature,keyAgreement \
           -ext ExtendedkeyUsage=clientAuth | \
-    keytool -importcert -alias client -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt
+    keytool -importcert -alias client_signed_by_root -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt
 echo
 echo "${H2}Creating client certificate signed by root CA with bad/unexpected CN...${RESET}"
 keytool -certreq -alias client -dname 'CN=leshan_client_with_bad_cn' -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD | \
@@ -189,27 +145,3 @@ keytool -certreq -alias client -keystore $CLIENT_STORE -storepass $CLIENT_STORE_
           -ext KeyUsage:critical=digitalSignature,keyAgreement \
           -ext ExtendedkeyUsage=clientAuth | \
     keytool -importcert -alias client_not_trusted -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt
-echo
-echo "${H2}Creating mfg client key and self-signed certificate with expected CN...${RESET}"
-keytool -genkeypair -alias mfgClient -keyalg EC -dname 'CN=urn:dev:ops:32473-IoT_Device-K1234567,O=Manufacturer' \
-        -validity $VALIDITY \
-        -storetype $DEFAULT_STORE_TYPE \
-        -ext BasicConstraints=ca:false \
-        -ext KeyUsage:critical=digitalSignature,keyAgreement \
-        -ext ExtendedkeyUsage=clientAuth \
-        -keypass $CLIENT_STORE_PWD -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD
-echo
-echo "${H2}Import mfg products root CA certificate just to be able to sign certificate ...${RESET}"
-keytool -importcert -alias mfgProductsRootCA -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt -file mfgProductsRootCA.der
-echo
-echo "${H2}Import mfg devices CA certificate just to be able to sign certificate ...${RESET}"
-keytool -importcert -alias mfgDevicesCA -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt -file mfgDevicesCA.der
-echo
-echo "${H2}Creating mfg client certificate signed by root CA with expected CN...${RESET}"
-keytool -certreq -alias mfgClient -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD | \
-  keytool -gencert -alias mfgDevicesCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD \
-          -validity $VALIDITY \
-          -ext BasicConstraints=ca:false \
-          -ext KeyUsage:critical=digitalSignature,keyAgreement \
-          -ext ExtendedkeyUsage=clientAuth | \
-    keytool -importcert -alias mfgClient -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt
diff --git a/leshan-integration-tests/credentials/manufacturerCaKeyStore.jks b/leshan-integration-tests/credentials/manufacturerCaKeyStore.jks
diff --git a/leshan-integration-tests/credentials/serverKeyStore.jks b/leshan-integration-tests/credentials/serverKeyStore.jks
diff --git a/leshan-integration-tests/credentials/trustedCaKeyStore.jks b/leshan-integration-tests/credentials/trustedCaKeyStore.jks
diff --git a/leshan-integration-tests/credentials/unknownCaKeyStore.jks b/leshan-integration-tests/credentials/unknownCaKeyStore.jks
diff --git a/...gration-tests/src/test/java/org/eclipse/leshan/integration/tests/SecureBootstrapTest.java b/...gration-tests/src/test/java/org/eclipse/leshan/integration/tests/SecureBootstrapTest.java
@@ -21,12 +21,12 @@
 import static org.eclipse.leshan.integration.tests.util.Credentials.clientPrivateKey;
 import static org.eclipse.leshan.integration.tests.util.Credentials.clientPrivateKeyFromCert;
 import static org.eclipse.leshan.integration.tests.util.Credentials.clientPublicKey;
-import static org.eclipse.leshan.integration.tests.util.Credentials.clientX509Cert;
+import static org.eclipse.leshan.integration.tests.util.Credentials.clientX509CertSignedByRoot;
 import static org.eclipse.leshan.integration.tests.util.Credentials.serverPrivateKey;
 import static org.eclipse.leshan.integration.tests.util.Credentials.serverPrivateKeyFromCert;
 import static org.eclipse.leshan.integration.tests.util.Credentials.serverPublicKey;
-import static org.eclipse.leshan.integration.tests.util.Credentials.serverX509Cert;
-import static org.eclipse.leshan.integration.tests.util.Credentials.trustedCertificates;
+import static org.eclipse.leshan.integration.tests.util.Credentials.serverX509CertSignedByRoot;
+import static org.eclipse.leshan.integration.tests.util.Credentials.trustedCertificatesByServer;
 import static org.eclipse.leshan.integration.tests.util.assertion.Assertions.assertThat;
 
 import java.security.cert.CertificateEncodingException;
@@ -191,14 +191,15 @@ public void bootstrap_using_x509()
         server.start();
 
         // Create and start bootstrap server
-        bootstrapServer = givenBootstrapServer.using(Protocol.COAPS).using(serverX509Cert, serverPrivateKeyFromCert)//
-                .trusting(trustedCertificates).build();
+        bootstrapServer = givenBootstrapServer.using(Protocol.COAPS)
+                .using(serverX509CertSignedByRoot, serverPrivateKeyFromCert)//
+                .trusting(trustedCertificatesByServer).build();
         bootstrapServer.start();
 
         // Create Client and check it is not already registered
         client = givenClient.connectingTo(bootstrapServer).using(Protocol.COAPS)
-                .using(clientX509Cert, clientPrivateKeyFromCert)//
-                .trusting(serverX509Cert).build();
+                .using(clientX509CertSignedByRoot, clientPrivateKeyFromCert)//
+                .trusting(serverX509CertSignedByRoot).build();
 
         assertThat(client).isNotRegisteredAt(server);
 
@@ -208,8 +209,8 @@ public void bootstrap_using_x509()
         // Add config for this client
         bootstrapServer.getConfigStore().add(client.getEndpointName(), //
                 givenBootstrapConfig() //
-                        .adding(Protocol.COAPS, bootstrapServer, clientX509Cert, clientPrivateKeyFromCert,
-                                serverX509Cert) //
+                        .adding(Protocol.COAPS, bootstrapServer, clientX509CertSignedByRoot, clientPrivateKeyFromCert,
+                                serverX509CertSignedByRoot) //
                         .adding(Protocol.COAP, server) //
                         .build());