diff --git a/ReleaseNotes.md b/ReleaseNotes.md index 235dd3c..f8978c7 100644 --- a/ReleaseNotes.md +++ b/ReleaseNotes.md @@ -2,6 +2,10 @@ # Release notes PKI Test Suite +## Release 1.0.6 + +- upload binaries + ## Release 1.0.1 - migrate from maven based execution of approval tests to binary (jar) based diff --git a/docs/img/components.png b/docs/img/components.png index 4bc68d7..b2f365b 100644 Binary files a/docs/img/components.png and b/docs/img/components.png differ diff --git a/pki-testsuite/pom.xml b/pki-testsuite/pom.xml index 676896e..a9fec4d 100644 --- a/pki-testsuite/pom.xml +++ b/pki-testsuite/pom.xml @@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pki-testsuite + 1.0.6 pom PKITS Packaging diff --git a/pkits-common/pom.xml b/pkits-common/pom.xml index c2eb660..45b8e6e 100644 --- a/pkits-common/pom.xml +++ b/pkits-common/pom.xml @@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pkits-common + 1.0.6 Common Code Common code diff --git a/pkits-coverage-reports/pom.xml b/pkits-coverage-reports/pom.xml index abd7827..78d25a9 100644 --- a/pkits-coverage-reports/pom.xml +++ b/pkits-coverage-reports/pom.xml @@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pkits-coverage-reports + 1.0.6 Code Coverage Reports Code coverage reports diff --git a/pkits-ocsp-responder/pom.xml b/pkits-ocsp-responder/pom.xml index fbc7b20..50c14d1 100644 --- a/pkits-ocsp-responder/pom.xml +++ b/pkits-ocsp-responder/pom.xml @@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pkits-ocsp-responder + 1.0.6 OCSP Responder Simulator Spring Boot OCSP Responder diff --git a/pkits-sut-server-sim/pom.xml b/pkits-sut-server-sim/pom.xml index 27a0c77..538a3e8 100644 --- a/pkits-sut-server-sim/pom.xml +++ b/pkits-sut-server-sim/pom.xml @@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pkits-sut-server-sim + 1.0.6 Test Object Simulator (Server) Test object simulator (server) 
diff --git a/pkits-testsuite/pom.xml b/pkits-testsuite/pom.xml index 537f79f..6095c10 100644 --- a/pkits-testsuite/pom.xml +++ b/pkits-testsuite/pom.xml @@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pkits-testsuite + 1.0.6 PKI Test Suite PKI test suite @@ -29,7 +30,6 @@ 3.3.0 ${version.maven-surefire-plugin} - 1.6.1 http://localhost:8084/tsl/tsl.xml?activeTslSeqNr=700000 diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ApprovalTestsBaseIT.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ApprovalTestsBaseIT.java index 5d4eda6..8ae7f2e 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ApprovalTestsBaseIT.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ApprovalTestsBaseIT.java @@ -36,6 +36,7 @@ import de.gematik.pki.gemlibpki.tsl.TslConverter; import de.gematik.pki.gemlibpki.tsl.TslReader; +import de.gematik.pki.gemlibpki.tsl.TslUtils; import de.gematik.pki.gemlibpki.utils.CertReader; import de.gematik.pki.gemlibpki.utils.GemLibPkiUtils; import de.gematik.pki.gemlibpki.utils.P12Container; @@ -44,6 +45,7 @@ import de.gematik.pki.pkits.ocsp.responder.data.OcspResponderConfigDto; import de.gematik.pki.pkits.testsuite.UseCase; import de.gematik.pki.pkits.testsuite.approval.support.OcspResponderType; +import de.gematik.pki.pkits.testsuite.approval.support.OcspSeqNrUpdateMode; import de.gematik.pki.pkits.testsuite.approval.support.PcapHelper; import de.gematik.pki.pkits.testsuite.approval.support.PcapManager; import de.gematik.pki.pkits.testsuite.approval.support.TestResultLoggerExtension; 
@@ -66,6 +68,7 @@ import de.gematik.pki.pkits.testsuite.config.TestSuiteConfig; import de.gematik.pki.pkits.testsuite.config.TslSettings; import de.gematik.pki.pkits.testsuite.exceptions.TestSuiteException; +import eu.europa.esig.trustedlist.jaxb.tsl.TrustStatusListType; import java.io.IOException; import java.lang.reflect.Method; import java.math.BigInteger; @@ -78,6 +81,7 @@ import java.util.List; import java.util.Map; import java.util.Optional; +import java.util.function.Consumer; import java.util.function.Function; import javax.xml.datatype.DatatypeConfigurationException; import lombok.NonNull; @@ -85,6 +89,11 @@ import org.apache.commons.lang3.ObjectUtils; import org.apache.commons.lang3.StringUtils; import org.awaitility.core.ConditionTimeoutException; +import org.bouncycastle.asn1.x500.RDN; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeAll; @@ -304,7 +313,7 @@ protected void testCaseMessage(@NonNull final TestInfo testInfo) { .forEach(afo -> log.info("{} - {}", afo.afoId(), afo.description())); } - protected void initialState() throws DatatypeConfigurationException, IOException { + protected void initialState() { currentTestInfo.setPhase("initialState"); @@ -313,7 +322,6 @@ protected void initialState() throws DatatypeConfigurationException, IOException if (tslSettings.isInitialStateTslImport()) { initialTslDownloadByTestObject(); } else { - // tslSequenceNr.setExpectedNrInTestObject(tslSequenceNr.getCurrentNrInTestObject()); log.info( "\n===> Initial state TSL import skipped by user request. - {}\n", currentTestInfo); } 
@@ -330,7 +338,9 @@ protected void initialState() throws DatatypeConfigurationException, IOException currentTestInfo.resetPhase(); } - void initialStateWithAlternativeTemplate() throws DatatypeConfigurationException, IOException { + void initialStateWithAlternativeTemplate() { + + currentTestInfo.setPhase("initialStateWithAlternativeTemplate"); log.info("initialStateWithAlternativeTemplate - start"); final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); @@ -344,7 +354,8 @@ void initialStateWithAlternativeTemplate() throws DatatypeConfigurationException tslTemplate, defaultTslSigner, SIGNER_KEY_USAGE_CHECK_ENABLED, - SIGNER_VALIDITY_CHECK_ENABLED); + SIGNER_VALIDITY_CHECK_ENABLED, + null); tslSequenceNr.setLastOfferedNr(offeredSeqNr); tslDownload.waitUntilTslDownloadCompleted(IGNORE_SEQUENCE_NUMBER, IGNORE_SEQUENCE_NUMBER); @@ -354,17 +365,20 @@ void initialStateWithAlternativeTemplate() throws DatatypeConfigurationException final Path certPath = getPathOfAlternativeCertificate(); useCaseWithCert(certPath, USECASE_VALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); + + currentTestInfo.resetPhase(); log.info("initialStateWithAlternativeTemplate - finish\n\n"); } void updateTrustStore( + final String description, final Path tslTemplate, final Path tslSignerP12Path, final OcspRequestExpectationBehaviour ocspRequestExpectationBehaviour, final Path useCaseCertPath, - final UseCaseResult useCaseResult) - throws DatatypeConfigurationException, IOException { + final UseCaseResult useCaseResult) { updateTrustStore( + description, tslTemplate, tslSignerP12Path, ocspRequestExpectationBehaviour, 
@@ -374,16 +388,46 @@ void updateTrustStore( } void updateTrustStore( + final String description, final Path tslTemplate, final Path tslSignerP12Path, final OcspRequestExpectationBehaviour ocspRequestExpectationBehaviour, final Path useCaseCertPath, final UseCaseResult useCaseResult, - final OcspRequestExpectationBehaviour ocspRequestExpectationBehaviourForUseCase) - throws DatatypeConfigurationException, IOException { + final OcspRequestExpectationBehaviour ocspRequestExpectationBehaviourForUseCase) { + updateTrustStore( + description, + tslTemplate, + tslSignerP12Path, + ocspRequestExpectationBehaviour, + useCaseCertPath, + useCaseResult, + ocspRequestExpectationBehaviourForUseCase, + null, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); + } + + void updateTrustStore( + final String description, + final Path tslTemplate, + final Path tslSignerP12Path, + final OcspRequestExpectationBehaviour ocspRequestExpectationBehaviour, + final Path useCaseCertPath, + final UseCaseResult useCaseResult, + final OcspRequestExpectationBehaviour ocspRequestExpectationBehaviourForUseCase, + final Consumer modifyTsl, + final OcspSeqNrUpdateMode ocspSeqNrUpdateMode) { + + final String customPhaseName = StringUtils.substringBetween(description, "<", ">"); + final String phaseName = StringUtils.defaultString(customPhaseName, "updateTrustStore"); + + currentTestInfo.setPhase(phaseName); + + log.info( + "START updateTrustStore -\ndescription: {},\n{}\n", + description, + PkitsTestSuiteUtils.getCallerTrace()); - currentTestInfo.setPhase("updateTrustStore"); - log.info("START updateTrustStore - {}", PkitsTestSuiteUtils.getCallerTrace()); final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); log.info("Offering TSL with seqNr. {} for download.", offeredSeqNr); 
@@ -393,7 +437,8 @@ void updateTrustStore( tslTemplate, tslSignerP12Path, SIGNER_KEY_USAGE_CHECK_ENABLED, - SIGNER_VALIDITY_CHECK_ENABLED); + SIGNER_VALIDITY_CHECK_ENABLED, + modifyTsl); tslDownload.configureOcspResponderTslSignerStatusGood(); tslSequenceNr.setLastOfferedNr(offeredSeqNr); @@ -406,12 +451,17 @@ void updateTrustStore( } else if (ocspRequestExpectationBehaviour == OCSP_REQUEST_IGNORE) { tslDownload.waitUntilOcspRequestForSignerOptional(); } else { - throw new TestSuiteException("not implemented"); + assertNoOcspRequest(tslDownload); + } + + if (ocspSeqNrUpdateMode == OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR) { + setExpectedOcspTslSeqNr(tslSequenceNr.getExpectedNrInTestObject()); } if (useCaseResult == null) { log.info( - "END updateTrustStore (without useCaseResult) - {}", + "END updateTrustStore (without useCaseResult) -\ndescription: {},\n{}\n", + description, PkitsTestSuiteUtils.getCallerTrace()); return; } @@ -428,7 +478,11 @@ void updateTrustStore( useCaseWithCert( useCaseCertPath, useCaseResult, OCSP_RESP_TYPE_DEFAULT_USECASE, ocspRequestExpectation); - log.info("END updateTrustStore - {}", PkitsTestSuiteUtils.getCallerTrace()); + log.info( + "END updateTrustStore (with useCaseResult) -\ndescription: {},\n{}\n", + description, + PkitsTestSuiteUtils.getCallerTrace()); + currentTestInfo.resetPhase(); } @@ -504,7 +558,6 @@ private void useCaseWithCert( ocspRequestExpectationBehaviour); assertThat(UseCase.exec(certPath)).as(message).isEqualTo(useCaseResult.getExpectedReturnCode()); - // mje 14.2. tslSequenceNr.saveCurrentTestObjectSeqNr(tslSequenceNr.getLastOfferedNr()); if (ocspRequestExpectationBehaviour != OCSP_REQUEST_IGNORE) { log.info("{}", tslSequenceNr); 
@@ -597,31 +650,29 @@ private void checkOcspHistory( OcspHistory.check(ocspRespUri, certSerialNr, tslSequenceNr, ocspRequestExpectationBehaviour); } - TslDownload getTslDownloadDefaultTemplate(final int offeredSeqNr) - throws DatatypeConfigurationException, IOException { + TslDownload getTslDownloadDefaultTemplate(final int offeredSeqNr) { return getTslDownloadWithTemplate(offeredSeqNr, tslSettings.getDefaultTemplate()); } - TslDownload getTslDownloadAlternativeTemplate(final int offeredSeqNr) - throws DatatypeConfigurationException, IOException { + TslDownload getTslDownloadAlternativeTemplate(final int offeredSeqNr) { return getTslDownloadWithTemplate(offeredSeqNr, tslSettings.getAlternativeTemplate()); } protected static final String TSL_DIRNAME = "./out/tsl"; protected static final String TSL_FILENAME_PREFIX = "Tsl_"; - protected static Path getTslOutputPath(final BigInteger tslSeqNr, final String tslId) { - return Path.of(TSL_DIRNAME, "%s%04d_%s.xml".formatted(TSL_FILENAME_PREFIX, tslSeqNr, tslId)); + protected static Path getTslOutputPath(final BigInteger tslSeqNr, final String postfix) { + return Path.of(TSL_DIRNAME, "%s%04d_%s.xml".formatted(TSL_FILENAME_PREFIX, tslSeqNr, postfix)); } - TslDownload getTslDownloadWithTemplate(final int offeredSeqNr, final Path template) - throws DatatypeConfigurationException, IOException { + TslDownload getTslDownloadWithTemplate(final int offeredSeqNr, final Path template) { return getTslDownloadWithTemplateAndSigner( offeredSeqNr, template, defaultTslSigner, SIGNER_KEY_USAGE_CHECK_ENABLED, - SIGNER_VALIDITY_CHECK_ENABLED); + SIGNER_VALIDITY_CHECK_ENABLED, + null); } TslDownload getTslDownloadWithTemplateAndSigner( 
@@ -629,8 +680,8 @@ TslDownload getTslDownloadWithTemplateAndSigner( final Path tslTemplate, final Path tslSignerP12Path, final boolean signerKeyUsageCheck, - final boolean signerValidityCheck) - throws DatatypeConfigurationException, IOException { + final boolean signerValidityCheck, + final Consumer modifyTsl) { final P12Container tslSignerP12 = P12Reader.getContentFromP12( @@ -658,6 +709,10 @@ TslDownload getTslDownloadWithTemplateAndSigner( .tslSignerCert(tslSignerCert) .build(); + if (modifyTsl != null) { + modifyTsl.accept(tslDownload); + } + writeTsl(tslDownload, ""); return tslDownload; 
@@ -679,30 +734,55 @@ protected void signAndSetTslBytes( tslDownload.setTslBytes(tslBytesSigned); } - protected void writeTsl(final TslDownload tslDownload, final String postfix) throws IOException { + private static String getCertIssuerCn(final TrustStatusListType tsl) { + try { + final X509Certificate signerCert = TslUtils.getFirstTslSignerCertificate(tsl); + + final X500Name x500name = new JcaX509CertificateHolder(signerCert).getIssuer(); + final RDN cnRdn = x500name.getRDNs(BCStyle.CN)[0]; + + final String issuerCn = IETFUtils.valueToString(cnRdn.getFirst().getValue()); + + return "_" + StringUtils.replace(issuerCn, " ", "_"); + + } catch (final Exception e) { + } + + return ""; + } + + protected void writeTsl(final TslDownload tslDownload, final String postfix) { final String phase = StringUtils.isNotBlank(currentTestInfo.getPhase()) ? "__" + currentTestInfo.getPhase() : ""; + final String trustAnchorIssuerCn = getCertIssuerCn(tslDownload.getTsl()); + + final String extendedPostfix = + "%s__%s_n%d%s%s%s" + .formatted( + tslDownload.getTsl().getId(), + currentTestInfo.getMethodName(), + currentTestInfo.tslCounter, + phase, + postfix, + trustAnchorIssuerCn); + final Path tslOutputPath = - getTslOutputPath( - TslReader.getSequenceNumber(tslDownload.getTsl()), - tslDownload.getTsl().getId() - + "__" - + currentTestInfo.getMethodName() - + "_n" - + currentTestInfo.tslCounter - + phase - + postfix); + getTslOutputPath(TslReader.getSequenceNumber(tslDownload.getTsl()), extendedPostfix); currentTestInfo.tslCounter++; - if (!Files.exists(tslOutputPath.getParent())) { - Files.createDirectories(tslOutputPath.getParent()); - Files.createFile(tslOutputPath); + try { + if (!Files.exists(tslOutputPath.getParent())) { + Files.createDirectories(tslOutputPath.getParent()); + Files.createFile(tslOutputPath); + } + Files.write(tslOutputPath, tslDownload.getTslBytes()); + log.info("saved TSL to file: {}", tslOutputPath); + } catch (final IOException e) { + throw new 
TestSuiteException("cannot save TSL to file", e); } - Files.write(tslOutputPath, tslDownload.getTslBytes()); - log.info("saved TSL to file: {}", tslOutputPath); } protected void assignOcspTslSeqNrFromHistory( @@ -713,15 +793,10 @@ protected void assignOcspTslSeqNrFromHistory( final int currentTslSeqNrForOcsp = lastOcspRequestHistoryEntries.get(lastOcspRequestHistoryEntries.size() - 1).getTslSeqNr(); - // if (currentTslSeqNrForOcsp == offeredSeqNr) { - // throw new TestSuiteException("tslSeqNr equals to offeredSeqNr " + offeredSeqNr); - // } - setExpectedOcspTslSeqNr(currentTslSeqNrForOcsp); } - protected TslDownload initialTslDownloadByTestObject() - throws DatatypeConfigurationException, IOException { + protected TslDownload initialTslDownloadByTestObject() { final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); log.info("Offering TSL with seqNr. {} for download.", offeredSeqNr); @@ -747,17 +822,20 @@ protected static byte[] createTslForTestObject( final String tslSingerPassw, final int seqNr, final boolean signerKeyUsageCheck, - final boolean signerValidityCheck) - throws DatatypeConfigurationException { + final boolean signerValidityCheck) { final TslModification tslModification = getTslModification(seqNr); - return TslGeneration.createTslFromFile( - tslTemplate, - tslModification, - tslSinger, - tslSingerPassw, - signerKeyUsageCheck, - signerValidityCheck); + try { + return TslGeneration.createTslFromFile( + tslTemplate, + tslModification, + tslSinger, + tslSingerPassw, + signerKeyUsageCheck, + signerValidityCheck); + } catch (final DatatypeConfigurationException e) { + throw new TestSuiteException("cannot create TSL", e); + } } private static String getTslDownloadUrlPrimary(final int seqNr) { 
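Review bot: `getCertIssuerCn` swallows every exception in an empty `catch (final Exception e) { }`, so a TSL whose signer certificate has no CN (the `getRDNs(BCStyle.CN)[0]` access throws on an empty array) or a broken signer certificate silently degrades to an unnamed file with nothing in the log to explain why. The issuer CN taken from the certificate is then spliced into the output file name with only spaces replaced, so any other character a CN can legally contain, including `/` or `.`, changes where below `TSL_DIRNAME` the file is written; a conservative character whitelist keeps the name inside the directory. I would also log the failure at debug level and guard the missing-CN case explicitly, as below. The `Files.createFile` call in writeTsl is redundant, since `Files.write` creates the file itself. This hunk begins on the previous page line; its enclosing class continues outside the hunk.
```java
private static String getCertIssuerCn(final TrustStatusListType tsl) {
  try {
    final X509Certificate signerCert = TslUtils.getFirstTslSignerCertificate(tsl);
    final RDN[] cnRdns = new JcaX509CertificateHolder(signerCert).getIssuer().getRDNs(BCStyle.CN);
    if (cnRdns.length == 0) {
      return "";
    }
    final String issuerCn = IETFUtils.valueToString(cnRdns[0].getFirst().getValue());
    // only a conservative character set survives, so the value cannot alter the output path
    return "_" + issuerCn.replaceAll("[^A-Za-z0-9_-]", "_");
  } catch (final Exception e) {
    log.debug("cannot determine issuer CN of the TSL signer certificate", e);
    return "";
  }
}
// … unchanged: writeTsl …
```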
@@ -816,8 +894,7 @@ void retrieveCurrentTslSeqNrInTestObject() { @Test @Order(1) @DisplayName("Check initial state") - void checkInitialState(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void checkInitialState(final TestInfo testInfo) { testCaseMessage(testInfo); retrieveCurrentTslSeqNrInTestObject(); diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/CertificateApprovalTestsIT.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/CertificateApprovalTestsIT.java index d405975..759cf19 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/CertificateApprovalTestsIT.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/CertificateApprovalTestsIT.java @@ -33,9 +33,7 @@ import de.gematik.pki.pkits.testsuite.common.VariableSource; import de.gematik.pki.pkits.testsuite.config.Afo; import de.gematik.pki.pkits.testsuite.config.TestEnvironment; -import java.io.IOException; import java.nio.file.Path; -import javax.xml.datatype.DatatypeConfigurationException; import lombok.extern.slf4j.Slf4j; import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.DisplayName; @@ -63,10 +61,11 @@ class CertificateApprovalTestsIT extends ApprovalTestsBaseIT { @ArgumentsSource(CertificateProvider.class) @VariableSource(value = PKITS_CERT_VALID) @DisplayName("Test use case with valid certificates") - void verifyConnectCertsValid(final Path certPath, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyConnectCertsValid(final Path certPath, final TestInfo testInfo) { + testCaseMessage(testInfo); initialState(); + useCaseWithCert(certPath, USECASE_VALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); } 
@@ -76,11 +75,9 @@ void verifyConnectCertsValid(final Path certPath, final TestInfo testInfo) @Afo(afoId = "GS-A_4384", description = "RSA cipher suites for TLS") @Disabled("Our SUT does not support RSA yet") @DisplayName("Test use case with valid RSA certificate") - void verifyConnectCertsValidRsa(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyConnectCertsValidRsa(final TestInfo testInfo) { testCaseMessage(testInfo); - initialState(); final Path certPath = Path.of("./testDataTemplates/certificates/valid-rsa/ee_default-rsa.p12"); @@ -114,12 +111,11 @@ void verifyConnectCertsValidRsa(final TestInfo testInfo) @ArgumentsSource(CertificateProvider.class) @VariableSource(value = PKITS_CERT_INVALID) @DisplayName("Test use case with invalid certificates") - void verifyConnectCertsInvalid(final Path certPath, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyConnectCertsInvalid(final Path certPath, final TestInfo testInfo) { testCaseMessage(testInfo); - initialState(); + useCaseWithCert(certPath, USECASE_INVALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_IGNORE); } } diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ListApprovalTestsAndAfos.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ListApprovalTestsAndAfos.java index c2ca01a..9483cb7 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ListApprovalTestsAndAfos.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/ListApprovalTestsAndAfos.java 
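Review bot: `verifyConnectCertsInvalid` no longer calls `initialState()` before `useCaseWithCert(certPath, USECASE_INVALID, …)`, so the test object's trust store is whatever the previously executed test left behind, and the TSL tests in this change do offer alternative templates through updateTrustStore. An expected-invalid outcome can then be caused by a stale or alternative TSL rather than by the certificate defect the case is meant to exercise, which makes the test pass for the wrong reason. If the call was dropped for runtime, I would keep `initialState();` and rely on `isInitialStateTslImport()` to skip the import, or add a comment stating why the invalid-certificate cases are independent of the currently loaded TSL. The same removal in `verifyConnectCertsValidRsa` in the hunk at -76 is harmless for now because that test is `@Disabled`.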
@@ -440,6 +440,14 @@ public int compareTo(final CustomTestInfo o) {
 .toComparison();
 }
+ boolean sameClassName(final String className) {
+ return StringUtils.equalsAny(className, getSimpleClassName(), getClassName());
+ }
+
+ boolean sameMethodName(final String methodName) {
+ return method.getName().equals(methodName);
+ }
+
 @Override
 public String toString() {
 return "CustomTestInfo{class='%s', declaringClassName='%s', method='%s', displayName='%s'}"
diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/OcspApprovalTestsIT.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/OcspApprovalTestsIT.java
index 1bbd377..93efc83 100644
--- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/OcspApprovalTestsIT.java
+++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/OcspApprovalTestsIT.java
@@ -37,9 +37,7 @@ import de.gematik.pki.pkits.testsuite.config.Afo;
 import de.gematik.pki.pkits.testsuite.config.TestEnvironment;
 import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPRespStatus;
-import java.io.IOException;
 import java.nio.file.Path;
-import javax.xml.datatype.DatatypeConfigurationException;
 import lombok.extern.slf4j.Slf4j;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Order;
@@ -59,8 +57,7 @@ class OcspApprovalTestsIT extends ApprovalTestsBaseIT {
 @Test
 @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 1")
 @DisplayName("Test OCSP grace period")
- void verifyOcspGracePeriod(final TestInfo testInfo)
- throws DatatypeConfigurationException, IOException {
+ void verifyOcspGracePeriod(final TestInfo testInfo) {
 testCaseMessage(testInfo);
 initialState();
@@ -91,8 +88,7 @@ void verifyOcspGracePeriod(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 4c") @DisplayName("Test OCSP response with timeout and delay") - void verifyOcspResponseTimeoutAndDelay(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTimeoutAndDelay(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -135,11 +131,11 @@ void verifyOcspResponseTimeoutAndDelay(final TestInfo testInfo) TestSuiteConstants.OCSP_SIGNER_NOT_IN_TSL_FILENAME, TestSuiteConstants.OCSP_SIGNER_DIFFERENT_KEY }) - void verifyMissingOcspSignerInTsl(final String signerFilename, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyMissingOcspSignerInTsl(final String signerFilename, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); + final P12Container signer = P12Reader.getContentFromP12( ocspSettings.getKeystorePathOcsp().resolve(signerFilename), @@ -162,8 +158,7 @@ void verifyMissingOcspSignerInTsl(final String signerFilename, final TestInfo te @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 5a1") @DisplayName("Test invalid signature in OCSP response") - void verifyInvalidSignatureInOcspResponse(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyInvalidSignatureInOcspResponse(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -208,8 +203,7 @@ private void verifyOcspResponseDate( @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with producedAt in past within tolerance") - void verifyOcspResponseProducedAtPastWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseProducedAtPastWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -226,8 +220,7 @@ void verifyOcspResponseProducedAtPastWithinTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with producedAt in past out of tolerance") - void verifyOcspResponseProducedAtPastOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseProducedAtPastOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -244,8 +237,7 @@ void verifyOcspResponseProducedAtPastOutOfTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with producedAt in future within tolerance") - void verifyOcspResponseProducedAtFutureWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseProducedAtFutureWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -272,8 +264,7 @@ void verifyOcspResponseProducedAtFutureWithinTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with producedAt in future out of tolerance") - void verifyOcspResponseProducedAtFutureOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseProducedAtFutureOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -299,8 +290,7 @@ void verifyOcspResponseProducedAtFutureOutOfTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with thisUpdate in future within tolerance") - void verifyOcspResponseThisUpdateFutureWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseThisUpdateFutureWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -327,8 +317,7 @@ void verifyOcspResponseThisUpdateFutureWithinTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with thisUpdate in future out of tolerance") - void verifyOcspResponseThisUpdateFutureOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseThisUpdateFutureOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -355,8 +344,7 @@ void verifyOcspResponseThisUpdateFutureOutOfTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with nextUpdate in past within tolerance") - void verifyOcspResponseNextUpdatePastWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseNextUpdatePastWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -373,8 +361,7 @@ void verifyOcspResponseNextUpdatePastWithinTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with nextUpdate in past out of tolerance") - void verifyOcspResponseNextUpdatePastOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseNextUpdatePastOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -391,8 +378,7 @@ void verifyOcspResponseNextUpdatePastOutOfTolerance(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response with missing nextUpdate") - void verifyOcspResponseMissingNextUpdate(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseMissingNextUpdate(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -417,8 +403,9 @@ void verifyOcspResponseMissingNextUpdate(final TestInfo testInfo) "de.gematik.pki.pkits.testsuite.common.TestSuiteConstants#provideOcspResponseVariousStatusAndResponseBytes") @DisplayName("Test various status of OCSP responses with and without response bytes") void verifyOcspResponseVariousStatusAndResponseBytes( - final OCSPRespStatus ocspRespStatus, final boolean withResponseBytes, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final OCSPRespStatus ocspRespStatus, + final boolean withResponseBytes, + final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -445,8 +432,7 @@ void verifyOcspResponseVariousStatusAndResponseBytes( @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6b") @DisplayName("Test invalid cert id in OCSP response") void verifyInvalidCerIdInOcspResponse( - final CertificateIdGeneration certificateIdGeneration, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final CertificateIdGeneration certificateIdGeneration, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -469,8 +455,7 @@ void verifyInvalidCerIdInOcspResponse( @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 7b") @DisplayName("Test missing CertHash in OCSP response") - void verifyMissingCertHashInOcspResponse(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyMissingCertHashInOcspResponse(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -493,11 +478,11 @@ void verifyMissingCertHashInOcspResponse(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 7c") @DisplayName("Test invalid CertHash in OCSP response") - void verifyInvalidCertHashInOcspResponse(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyInvalidCertHashInOcspResponse(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); + final Path certPath = getPathOfFirstValidCert(); final OcspResponderConfigDto dto = 
@@ -520,8 +505,7 @@ void verifyInvalidCertHashInOcspResponse(final TestInfo testInfo) @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 8b und 8c") @DisplayName("Test OCSP response with certificate status revoked and unknown") void verifyOcspCertificateStatusRevokedAndUnknown( - final CustomCertificateStatusType customCertificateStatusType, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final CustomCertificateStatusType customCertificateStatusType, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -543,8 +527,7 @@ void verifyOcspCertificateStatusRevokedAndUnknown( @Test @Afo(afoId = "RFC 6960", description = "4.2.1. ASN.1 Specification of the OCSP Response") @DisplayName("Test OCSP response with responder id byName") - void verifyOcspResponseResponderIdByName(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseResponderIdByName(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -569,8 +552,7 @@ void verifyOcspResponseResponderIdByName(final TestInfo testInfo) @ValueSource(booleans = {true, false}) @DisplayName("Test OCSP response with null parameter in CertId") void verifyOcspResponseWithNullParameterInCertId( - final boolean withNullParameterHashAlgoOfCertId, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final boolean withNullParameterHashAlgoOfCertId, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/PkitsTestsuiteRunner.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/PkitsTestsuiteRunner.java index db774c2..4354f68 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/PkitsTestsuiteRunner.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/PkitsTestsuiteRunner.java 
@@ -301,13 +301,27 @@ private static List parseTestNamesToInputTestInfos(final String t StringUtils.splitByWholeSeparatorPreserveAllTokens(testNamesStr, ","); return Arrays.stream(testNames) .map( - testName -> { + testOrClass -> { final String classNameSeparator = "#"; - String className = ""; - String methodName = testName; - if (testName.contains(classNameSeparator)) { - className = StringUtils.substringBefore(testName, classNameSeparator); - methodName = StringUtils.substringAfter(testName, classNameSeparator); + + String className; + String methodName; + + if (testOrClass.contains(classNameSeparator)) { + className = StringUtils.substringBefore(testOrClass, classNameSeparator); + methodName = StringUtils.substringAfter(testOrClass, classNameSeparator); + } else { + try { + // assuming all approval and utils test classes are in the same package as + // ApprovalTestsBaseIT + Class.forName( + ClassUtils.getPackageName(ApprovalTestsBaseIT.class) + "." + testOrClass); + className = testOrClass; + methodName = ""; + } catch (final ClassNotFoundException e) { + className = ""; + methodName = testOrClass; + } } return new InputTestInfo(className, methodName, true); }) 
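Review bot: `Class.forName(ClassUtils.getPackageName(ApprovalTestsBaseIT.class) + "." + testOrClass)` is used only as an existence check, but this overload also initializes the class, so the static initializers of whichever test class the operator names on the command line run while arguments are still being parsed. Use the non-initializing form, `final String fqcn = ClassUtils.getPackageName(ApprovalTestsBaseIT.class) + "." + testOrClass;` `Class.forName(fqcn, false, ApprovalTestsBaseIT.class.getClassLoader());`, or better, resolve the name against the already discovered CustomTestInfo list as getTestToRun does, which needs no reflection here at all. The decision is purely name-based, so a method name that happens to equal a class simple name in that package is silently treated as a class; a comment saying so, or an explicit `#` requirement in the usage text, would help. parseTestNamesToInputTestInfos starts outside the hunk.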
@@ -321,27 +335,27 @@ static List getTestToRun( return inputTestInfoList.stream() .filter(inputTestInfo -> inputTestInfo.selected) - .map( + .flatMap( inputTestInfo -> { + final List matchedCustomTestInfos = new ArrayList<>(); for (final CustomTestInfo customTestInfo : customTestInfoList) { - final boolean sameClassName = - StringUtils.isBlank(inputTestInfo.className) - || StringUtils.equalsAny( - inputTestInfo.className, - customTestInfo.getSimpleClassName(), - customTestInfo.getClassName()); + final boolean sameClassName = customTestInfo.sameClassName(inputTestInfo.className); + final boolean sameMethodName = - customTestInfo.method.getName().equals(inputTestInfo.methodName); + customTestInfo.sameMethodName(inputTestInfo.methodName); - if (sameClassName && sameMethodName) { - return customTestInfo; + if (sameClassName || sameMethodName) { + matchedCustomTestInfos.add(customTestInfo); } } - throw new TestSuiteException( - "unknown test case: %s of class %s" - .formatted(inputTestInfo.methodName, inputTestInfo.className)); + if (matchedCustomTestInfos.isEmpty()) { + throw new TestSuiteException( + "unknown test case method <%s> or class with test cases <%s>" + .formatted(inputTestInfo.methodName, inputTestInfo.className)); + } + return matchedCustomTestInfos.stream(); }) .toList(); } diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslApprovalTestsIT.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslApprovalTestsIT.java index e2cc40d..529e16b 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslApprovalTestsIT.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslApprovalTestsIT.java 
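Review bot: Changing the match condition to `sameClassName || sameMethodName` over-selects for the `Class#method` form that the parser above still produces: such an input now collects every test of that class plus every same-named method in any other class, instead of the single test, and the old `&&` was only too strict for the new class-only input. Unless `sameClassName`/`sameMethodName` (not visible in this hunk) already treat a blank argument as a wildcard, I would keep the conjunction and make the wildcard explicit: `final boolean classOk = StringUtils.isBlank(inputTestInfo.className) || customTestInfo.sameClassName(inputTestInfo.className);`, `final boolean methodOk = StringUtils.isBlank(inputTestInfo.methodName) || customTestInfo.sameMethodName(inputTestInfo.methodName);`, `if (classOk && methodOk) {`. The empty-match error path and the `flatMap` are fine as written. getTestToRun's signature lies outside the hunk.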
@@ -35,22 +35,24 @@ import de.gematik.pki.gemlibpki.utils.CertReader; import de.gematik.pki.gemlibpki.utils.GemLibPkiUtils; import de.gematik.pki.pkits.common.PkitsConstants; +import de.gematik.pki.pkits.testsuite.approval.support.OcspSeqNrUpdateMode; import de.gematik.pki.pkits.testsuite.common.PkitsTestSuiteUtils; import de.gematik.pki.pkits.testsuite.common.TestSuiteConstants; import de.gematik.pki.pkits.testsuite.common.tsl.TslDownload; import de.gematik.pki.pkits.testsuite.config.Afo; import de.gematik.pki.pkits.testsuite.config.TestEnvironment; +import de.gematik.pki.pkits.testsuite.exceptions.TestSuiteException; import de.gematik.pki.pkits.tsl.provider.api.TslProviderManager; import de.gematik.pki.pkits.tsl.provider.data.TslProviderConfigDto.TslProviderEndpointsConfig; import de.gematik.pki.pkits.tsl.provider.data.TslRequestHistoryEntryDto; import eu.europa.esig.trustedlist.jaxb.tsl.TrustStatusListType; -import java.io.IOException; import java.nio.charset.StandardCharsets; import java.nio.file.Path; import java.security.cert.X509Certificate; import java.time.ZonedDateTime; import java.util.List; import java.util.concurrent.Callable; +import java.util.function.Consumer; import java.util.stream.Collectors; import javax.xml.datatype.DatatypeConfigurationException; import lombok.extern.slf4j.Slf4j; 
@@ -67,11 +69,16 @@ class TslApprovalTestsIT extends ApprovalTestsBaseIT { public static final X509Certificate VALID_ISSUER_CERT_TSL_CA8 = CertReader.readX509(TestSuiteConstants.VALID_ISSUER_CERT_TSL_CA8_PATH); + + /** TSLTypeID 4 */ public static final Path alternativeCaRevokedPretty = Path.of(TSL_TEMPLATES_DIRNAME, "TSL_altCA_revoked_pretty.xml"); - private void verifyUpdateTrustStoreInTestObject_initialStateWithAlternativeCert() - throws DatatypeConfigurationException, IOException { + /** TSLTypeID 194 */ + public final Path tslAlternativeCaRevokedLater = + Path.of(TSL_TEMPLATES_DIRNAME, "TSL_altCA_revokedLater.xml"); + + private void verifyUpdateTrustStoreInTestObject_initialStateWithAlternativeCert() { log.info("verifyUpdateTrustStoreInTestObject: initialStateWithAlternativeCert"); @@ -89,8 +96,7 @@ private void verifyUpdateTrustStoreInTestObject_initialStateWithAlternativeCert( useCaseWithCert(certPath, USECASE_VALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); } - private void verifyUpdateTrustStoreInTestObject1_AlternativeCaRevoked() - throws DatatypeConfigurationException, IOException { + private void verifyUpdateTrustStoreInTestObject1_AlternativeCaRevoked() { log.info("verifyUpdateTrustStoreInTestObject: case 1 - AlternativeCaRevoked"); final Path tslTemplatePath = tslSettings.getAlternativeRevokedTemplate(); @@ -109,8 +115,7 @@ private void verifyUpdateTrustStoreInTestObject1_AlternativeCaRevoked() useCaseWithCert(certPath, USECASE_INVALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); } - private void verifyUpdateTrustStoreInTestObject2_AlternativeCaNoLineBreaks() - throws DatatypeConfigurationException, IOException { + private void verifyUpdateTrustStoreInTestObject2_AlternativeCaNoLineBreaks() { log.info("verifyUpdateTrustStoreInTestObject: case 2 - AlternativeCaNoLineBreaks"); final Path tslTemplatePath = testSuiteConfig 
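Review bot: `tslAlternativeCaRevokedLater` is declared as a `public final` instance field while its sibling `alternativeCaRevokedPretty` three lines above is `public static final`; both hold a fixed template path, so the new one should be `static` as well (and ideally both `private`, since nothing in this diff reads them from outside the class), e.g. `private static final Path tslAlternativeCaRevokedLater = Path.of(TSL_TEMPLATES_DIRNAME, "TSL_altCA_revokedLater.xml");`. The Javadoc `/** TSLTypeID 194 */` only carries a number; a sentence saying what the template provides — presumably alternative CAs with ServiceStatus REVOKED, given how the later test rewrites its StatusStartingTime — would let a reader pick the right template without opening the XML.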
@@ -132,8 +137,7 @@ private void verifyUpdateTrustStoreInTestObject2_AlternativeCaNoLineBreaks() useCaseWithCert(certPath, USECASE_VALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); } - private void verifyUpdateTrustStoreInTestObject3_Default() - throws DatatypeConfigurationException, IOException { + private void verifyUpdateTrustStoreInTestObject3_Default() { log.info("verifyUpdateTrustStoreInTestObject: case 3 - Default"); final Path tslTemplatePath = testSuiteConfig.getTestSuiteParameter().getTslSettings().getDefaultTemplate(); @@ -158,8 +162,7 @@ private void verifyUpdateTrustStoreInTestObject3_Default() @Afo(afoId = "GS-A_4649", description = "TUC_PKI_020: XML-Dokument validieren") @DisplayName("Test update of TSL with different XML format (pretty print)") @Disabled("Correct Testcase with PrettyPrint TSL (PKITS-158 and GLP-263)") - void verifyUpdateTrustStoreInTestObject(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyUpdateTrustStoreInTestObject(final TestInfo testInfo) { testCaseMessage(testInfo); @@ -176,8 +179,7 @@ void verifyUpdateTrustStoreInTestObject(final TestInfo testInfo) afoId = "TIP1-A_5120", description = "Clients des TSL-Dienstes: HTTP-Komprimierung unterstützen") @DisplayName("Test compression of TSL download") - void verifyTslDownloadCompression(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyTslDownloadCompression(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -208,8 +210,7 @@ void verifyTslDownloadCompression(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4648", description = "TUC_PKI_019: Prüfung der Aktualität der TSL - Schritt 6") @DisplayName("Test TSL service does not provide updated TSL") - void verifyIrregularDifferencesBetweenCurrentAndNewTsls(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyIrregularDifferencesBetweenCurrentAndNewTsls(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -262,25 +263,27 @@ void verifyIrregularDifferencesBetweenCurrentAndNewTsls(final TestInfo testInfo) "initial tsl seqNr: {}, id: {}", initialTslDownload.getTsl().getId(), initialTslDownload.getTsl().getSchemeInformation().getTSLSequenceNumber()); - final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); - log.info("Offering TSL with seqNr. {} for download.", offeredSeqNr); - - final TslDownload tslDownload = getTslDownloadAlternativeTemplate(offeredSeqNr); - - final byte[] tslBytes = tslDownload.getTslBytes(); - - final String newId = initialTslDownload.getTsl().getId(); - final byte[] tslBytesWithNewId = TslModifier.modifiedTslId(tslBytes, newId); - signAndSetTslBytes(tslDownload, defaultTslSigner, tslBytesWithNewId); - writeTsl(tslDownload, "_modified"); - - tslSequenceNr.setLastOfferedNr(offeredSeqNr); - tslDownload.waitUntilTslDownloadCompletedOptional(tslSequenceNr.getExpectedNrInTestObject()); - - final Path certPath = getPathOfAlternativeCertificate(); - useCaseWithCert( - certPath, USECASE_INVALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_DO_NOT_EXPECT); + final Consumer rewriteTslIdToInitial = + (tslDownload) -> { + final byte[] tslBytes = tslDownload.getTslBytes(); + + final String newId = initialTslDownload.getTsl().getId(); + final byte[] tslBytesWithNewId = TslModifier.modifiedTslId(tslBytes, newId); + + signAndSetTslBytes(tslDownload, defaultTslSigner, tslBytesWithNewId); + }; + + updateTrustStore( + "Offer a TSL with the same tsl id, but new (incremented) seqNr", + tslSettings.getAlternativeTemplate(), + defaultTslSigner, + OCSP_REQUEST_IGNORE, + getPathOfAlternativeCertificate(), + USECASE_INVALID, + OCSP_REQUEST_DO_NOT_EXPECT, + rewriteTslIdToInitial, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); } } 
@@ -290,13 +293,13 @@ void verifyIrregularDifferencesBetweenCurrentAndNewTsls(final TestInfo testInfo) afoId = "GS-A_4642", description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 6") @DisplayName("Test bad CA certificate is not extractable from TSL") - void verifyForBadCertificateOfTSPService(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyForBadCertificateOfTSPService(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); updateTrustStore( + "Offer a TSL with alternative test CAs whose ASN1 structure is invalid.", tslSettings.getDefectAlternativeCaBrokenTemplate(), defaultTslSigner, OCSP_REQUEST_EXPECT, @@ -316,13 +319,13 @@ void verifyForBadCertificateOfTSPService(final TestInfo testInfo) afoId = "GS-A_4642", description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 6") @DisplayName("Test proper handling of unspecified CA certificate in TSL") - void verifyForUnspecifiedCertificateOfTSPService(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyForUnspecifiedCertificateOfTSPService(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); updateTrustStore( + "Offer a TSL with alternative test CAs and \"irrelevant, unexpected\" CA.", tslSettings.getDefectAlternativeCaUnspecifiedTemplate(), defaultTslSigner, OCSP_REQUEST_EXPECT, 
@@ -340,13 +343,14 @@ void verifyForUnspecifiedCertificateOfTSPService(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4749", description = "TUC_PKI_007: Prüfung Zertifikatstyp - Schritt 8") @DisplayName("Test CA certificate with missing service information extension in TSL") - void verifyForWrongServiceInfoExtCertificateOfTSPService(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyForWrongServiceInfoExtCertificateOfTSPService(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); updateTrustStore( + "Offer a TSL with alternative test CAs whose ServiceInformationExtension elements are" + + " wrong.", tslSettings.getDefectAlternativeCaWrongSrvInfoExtTemplate(), defaultTslSigner, OCSP_REQUEST_EXPECT, @@ -365,13 +369,13 @@ void verifyForWrongServiceInfoExtCertificateOfTSPService(final TestInfo testInfo @Test @Afo(afoId = "A_17700", description = "TSL-Auswertung ServiceTypeIdentifier \"unspecified\"") @DisplayName("Test CA certificate with ServiceTypeIdentifier \"unspecified\" in TSL") - void verifyForUnspecifiedServiceTypeIdentifierOfTSPService(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyForUnspecifiedServiceTypeIdentifierOfTSPService(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); updateTrustStore( + "Import TSL with ServiceTypeIdentifier \"unspecified\"", tslSettings.getAlternativeCaUnspecifiedStiTemplate(), defaultTslSigner, OCSP_REQUEST_EXPECT, 
@@ -383,8 +387,7 @@ void verifyForUnspecifiedServiceTypeIdentifierOfTSPService(final TestInfo testIn @Test @Afo(afoId = "GS-A_4652", description = "TUC_PKI_018: Zertifikatsprüfung in der TI - Schritt 5a") @DisplayName("Test CA certificate in TSL is revoked and EE certificate is issued later.") - void verifyRevokedCaCertificateInTslLater(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyRevokedCaCertificateInTslLater(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -392,6 +395,7 @@ void verifyRevokedCaCertificateInTslLater(final TestInfo testInfo) waitForOcspCacheToExpire(); updateTrustStore( + "Offer a TSL with alternative test CAs with ServiceStatus REVOKED", alternativeCaRevokedPretty, defaultTslSigner, OCSP_REQUEST_EXPECT, 
@@ -409,43 +413,46 @@ void verifyRevokedCaCertificateInTslLater(final TestInfo testInfo) @Test @Afo(afoId = "GS-A_4652", description = "TUC_PKI_018: Zertifikatsprüfung in der TI - Schritt 5") @DisplayName("Test CA certificate in TSL is revoked and EE certificate is issued earlier.") - void verifyRevokedCaCertificateInTsl(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyRevokedCaCertificateInTsl(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); waitForOcspCacheToExpire(); - final Path tslTemplatePath = Path.of(TSL_TEMPLATES_DIRNAME, "TSL_altCA_revokedLater.xml"); - - final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); - log.info("Offering TSL with seqNr. {} for download.", offeredSeqNr); - - final TslDownload tslDownload = getTslDownloadWithTemplate(offeredSeqNr, tslTemplatePath); - - final ZonedDateTime newStatusStartingTime = GemLibPkiUtils.now().plusDays(1); - - final byte[] tslBytes = tslDownload.getTslBytes(); - final byte[] tslBytesWithNewStatusStartingTime = - TslModifier.modifiedStatusStartingTime( - tslBytes, - PkitsConstants.GEMATIK_TEST_TSP, - null, - TslConstants.SVCSTATUS_REVOKED, - newStatusStartingTime); - - signAndSetTslBytes(tslDownload, defaultTslSigner, tslBytesWithNewStatusStartingTime); - writeTsl(tslDownload, "_modified"); - - printCurrentTslSeqNr(); - tslSequenceNr.setLastOfferedNr(offeredSeqNr); - tslDownload.waitUntilTslDownloadCompleted( - tslSequenceNr.getExpectedNrInTestObject(), getExpectedOcspTslSeqNr()); - tslSequenceNr.setExpectedNrInTestObject(offeredSeqNr); + final Consumer rewriteStatusStartingTimeToNowPlusOneDay = + tslDownload -> { + final ZonedDateTime newStatusStartingTime = GemLibPkiUtils.now().plusDays(1); + + final byte[] tslBytes = tslDownload.getTslBytes(); + final byte[] tslBytesWithNewStatusStartingTime; + try { + + tslBytesWithNewStatusStartingTime = + TslModifier.modifiedStatusStartingTime( + tslBytes, + PkitsConstants.GEMATIK_TEST_TSP, + null, + 
TslConstants.SVCSTATUS_REVOKED, + newStatusStartingTime); + } catch (final DatatypeConfigurationException e) { + throw new TestSuiteException("cannot modify TSL", e); + } + + signAndSetTslBytes(tslDownload, defaultTslSigner, tslBytesWithNewStatusStartingTime); + }; - final Path certPath = getPathOfAlternativeCertificate(); - useCaseWithCert(certPath, USECASE_VALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); + updateTrustStore( + "Offer a TSL with alternative CAs, ServiceStatus REVOKED, StatusStartingTime one day in the" + + " future.", + tslAlternativeCaRevokedLater, + defaultTslSigner, + OCSP_REQUEST_EXPECT, + getPathOfAlternativeCertificate(), + USECASE_VALID, + OCSP_REQUEST_EXPECT, + rewriteStatusStartingTimeToNowPlusOneDay, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); } /** gematikId: UE_PKI_TC_0105_009 */ 
@@ -453,39 +460,43 @@ void verifyRevokedCaCertificateInTsl(final TestInfo testInfo) @Afo(afoId = "GS-A_4648", description = "Prüfung der Aktualität der TSL - Schritt 4") @Afo(afoId = "GS-GS-A_4651", description = "TUC_PKI_012: XML-Signatur-Prüfung") @DisplayName("Test TSL signature invalid - \"to be signed block\" with integrity violation") - void verifyTslSignatureInvalid(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyTslSignatureInvalid(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); - final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); - log.info("Offering TSL with seqNr. {} for download.", offeredSeqNr); - - // create TSL and verify signature - final TslDownload tslDownload = getTslDownloadAlternativeTemplate(offeredSeqNr); - assertThat(TslValidator.checkSignature(tslDownload.getTslBytes(), VALID_ISSUER_CERT_TSL_CA8)) - .isTrue(); - - // break integrity of TSL and verify signature again - final String mailToStrOld = getFirstSchemeOperatorMailAddressOfTsl(tslDownload.getTslBytes()); - final String mailToStrNew = "mailto:signatureInvalid@gematik.de"; - final String tslStr = new String(tslDownload.getTslBytes(), StandardCharsets.UTF_8); - final byte[] brokenTsl = - tslStr.replace(mailToStrOld, mailToStrNew).getBytes(StandardCharsets.UTF_8); - - tslDownload.setTslBytes(brokenTsl); - writeTsl(tslDownload, "_modified"); - - log.info("Verify test tsl has wrong signature."); - assertThat(TslValidator.checkSignature(tslDownload.getTslBytes(), VALID_ISSUER_CERT_TSL_CA8)) - .isFalse(); - - tslSequenceNr.setLastOfferedNr(offeredSeqNr); - tslDownload.waitUntilTslDownloadCompletedOptional(tslSequenceNr.getExpectedNrInTestObject()); + final Consumer rewriteMailToInvalidateSignature = + tslDownload -> { + assertThat( + TslValidator.checkSignature(tslDownload.getTslBytes(), VALID_ISSUER_CERT_TSL_CA8)) + .isTrue(); + + // break integrity of TSL and verify signature again + final String mailToStrOld = + 
getFirstSchemeOperatorMailAddressOfTsl(tslDownload.getTslBytes()); + final String mailToStrNew = "mailto:signatureInvalid@gematik.de"; + final String tslStr = new String(tslDownload.getTslBytes(), StandardCharsets.UTF_8); + final byte[] brokenTsl = + tslStr.replace(mailToStrOld, mailToStrNew).getBytes(StandardCharsets.UTF_8); + + tslDownload.setTslBytes(brokenTsl); + + log.info("Verify test tsl has wrong signature."); + assertThat( + TslValidator.checkSignature(tslDownload.getTslBytes(), VALID_ISSUER_CERT_TSL_CA8)) + .isFalse(); + }; - final Path certPath = getPathOfAlternativeCertificate(); - useCaseWithCert(certPath, USECASE_INVALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_IGNORE); + updateTrustStore( + "Offer a TSL with alternative test CAs. The signature of the TSL is invalid.", + tslSettings.getAlternativeTemplate(), + defaultTslSigner, + OCSP_REQUEST_IGNORE, + getPathOfAlternativeCertificate(), + USECASE_INVALID, + OCSP_REQUEST_IGNORE, + rewriteMailToInvalidateSignature, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); useCaseWithCert( getPathOfFirstValidCert(), @@ -510,8 +521,7 @@ private String getFirstSchemeOperatorMailAddressOfTsl(final byte[] tslBytes) { @Afo(afoId = "GS-A_4648", description = "TUC_PKI_019: Prüfung der Aktualität der TSL - Schritt 1") @Afo(afoId = "GS-A_4647", description = "TUC_PKI_016: Download der TSL-Datei - Schritt 3 und 4") @DisplayName("Test TSL download not possible") - void verifyRetryFailingTslDownload(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyRetryFailingTslDownload(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
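Review bot: The use-case step of verifyTslSignatureInvalid passes `OCSP_REQUEST_IGNORE`, so the test only checks that the alternative certificate is rejected, not that the test object never consulted OCSP for it; a test object that imported the tampered TSL and trusted the alternative CA but then failed the use case for an unrelated reason would still pass. The analogous "TSL must be rejected" case in verifyIrregularDifferencesBetweenCurrentAndNewTsls uses `OCSP_REQUEST_DO_NOT_EXPECT` for the use case, and unless the OCSP responder is deliberately left unconfigured here the same expectation would make this test stronger: `USECASE_INVALID, OCSP_REQUEST_DO_NOT_EXPECT,` in place of the second `OCSP_REQUEST_IGNORE`. The two `checkSignature` asserts inside the consumer also hard-wire `VALID_ISSUER_CERT_TSL_CA8` as the issuer of `defaultTslSigner`; a one-line comment such as `// defaultTslSigner chains to TSL CA8; the first assert guards against a broken fixture, not the test object` would make that coupling visible. verifyTslSignatureInvalid continues past the end of the hunk.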
@@ -599,8 +609,7 @@ void verifyRetryFailingTslDownload(final TestInfo testInfo) @Afo(afoId = "GS-A_4648", description = "TUC_PKI_019: Prüfung der Aktualität der TSL - Schritt 1") @Afo(afoId = "GS-A_4647", description = "TUC_PKI_016: Download der TSL-Datei - Schritt 3 und 4") @DisplayName("Test TSL download on primary endpoint not possible") - void verifyUseBackupTslDownload(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyUseBackupTslDownload(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslSignerApprovalTestsIT.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslSignerApprovalTestsIT.java index e4af5d3..f7ff715 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslSignerApprovalTestsIT.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslSignerApprovalTestsIT.java @@ -43,6 +43,7 @@ import de.gematik.pki.pkits.ocsp.responder.data.OcspResponderConfigDto.CustomCertificateStatusDto; import de.gematik.pki.pkits.ocsp.responder.data.OcspResponderConfigDto.CustomCertificateStatusType; import de.gematik.pki.pkits.ocsp.responder.data.OcspResponderConfigDto.OcspResponderConfigDtoBuilder; +import de.gematik.pki.pkits.testsuite.approval.support.OcspSeqNrUpdateMode; import de.gematik.pki.pkits.testsuite.approval.support.UseCaseResult; import de.gematik.pki.pkits.testsuite.common.PkitsTestSuiteUtils; import de.gematik.pki.pkits.testsuite.common.TestSuiteConstants; 
@@ -50,13 +51,13 @@ import de.gematik.pki.pkits.testsuite.common.ocsp.OcspHistory.OcspRequestExpectationBehaviour; import de.gematik.pki.pkits.testsuite.common.tsl.TslDownload; import de.gematik.pki.pkits.testsuite.config.Afo; +import de.gematik.pki.pkits.testsuite.exceptions.TestSuiteException; import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPRespStatus; import eu.europa.esig.trustedlist.jaxb.tsl.TrustStatusListType; -import java.io.IOException; import java.nio.file.Path; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; -import javax.xml.datatype.DatatypeConfigurationException; +import java.util.function.Consumer; import lombok.extern.slf4j.Slf4j; import org.junit.jupiter.api.DisplayName; import org.junit.jupiter.api.Order; @@ -82,8 +83,7 @@ private void updateTrustStoreUsingOcspResponderConfig( final OcspResponderConfigDtoBuilder ocspResponderConfigDtoBuilder, final TslUpdateExpectation tslUpdateExpected, final Path certPath, - final UseCaseResult useCaseResult) - throws DatatypeConfigurationException, IOException { + final UseCaseResult useCaseResult) { currentTestInfo.setPhase("updateTrustStoreUsingOcspResponderConfig"); @@ -130,8 +130,7 @@ private void updateTrustStoreUsingOcspResponderConfig( TestSuiteConstants.OCSP_SIGNER_DIFFERENT_KEY }) void verifyMissingOcspSignerInTslForTslSignerCert( - final String ocspSignerFilename, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final String ocspSignerFilename, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -165,8 +164,7 @@ void verifyMissingOcspSignerInTslForTslSignerCert( description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 4") @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 5a1") @DisplayName("Test invalid OCSP response signature for TSL signer certificate") - void verifyOcspResponseWithInvalidSignatureForTslSignerCert(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseWithInvalidSignatureForTslSignerCert(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -195,8 +193,7 @@ private void verifyOcspResponseDateForTslSignerCert( final DtoDateConfigOption dateConfigOption, final int deltaMilliseconds, final TslUpdateExpectation tslUpdateExcected, - final UseCaseResult useCaseResult) - throws DatatypeConfigurationException, IOException { + final UseCaseResult useCaseResult) { final OcspResponderConfigDtoBuilder dtoBuilder = OcspResponderConfigDto.builder().eeCert(getDefaultTslSignerCert()).signer(ocspSigner); @@ -223,8 +220,7 @@ private void verifyOcspResponseDateForTslSignerCert( @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with producedAt in past within tolerance") - void verifyOcspResponseTslSignerCertProducedAtPastWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertProducedAtPastWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -254,8 +250,7 @@ void verifyOcspResponseTslSignerCertProducedAtPastWithinTolerance(final TestInfo @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with producedAt in past out of tolerance") - void verifyOcspResponseTslSignerCertProducedAtPastOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertProducedAtPastOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -285,8 +280,7 @@ void verifyOcspResponseTslSignerCertProducedAtPastOutOfTolerance(final TestInfo @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with producedAt in future within tolerance") - void verifyOcspResponseTslSignerCertProducedAtFutureWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertProducedAtFutureWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -299,11 +293,13 @@ void verifyOcspResponseTslSignerCertProducedAtFutureWithinTolerance(final TestIn producedAtDeltaMilliseconds, TSL_UPDATE_EXPECTED, USECASE_VALID); + useCaseWithCert( getPathOfFirstValidCert(), USECASE_VALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); + waitForOcspCacheToExpire( testSuiteConfig.getTestObject().getOcspGracePeriodSeconds() + producedAtDeltaMilliseconds / 1000); 
@@ -317,8 +313,7 @@ void verifyOcspResponseTslSignerCertProducedAtFutureWithinTolerance(final TestIn @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with producedAt in future out of tolerance") - void verifyOcspResponseTslSignerCertProducedAtFutureOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertProducedAtFutureOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -351,8 +346,7 @@ void verifyOcspResponseTslSignerCertProducedAtFutureOutOfTolerance(final TestInf @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with thisUpdate in future within tolerance") - void verifyOcspResponseTslSignerCertThisUpdateFutureWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertThisUpdateFutureWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -365,11 +359,13 @@ void verifyOcspResponseTslSignerCertThisUpdateFutureWithinTolerance(final TestIn thisUpdateDeltaMilliseconds, TSL_UPDATE_EXPECTED, USECASE_VALID); + useCaseWithCert( getPathOfFirstValidCert(), USECASE_VALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); + waitForOcspCacheToExpire( testSuiteConfig.getTestObject().getOcspGracePeriodSeconds() + thisUpdateDeltaMilliseconds / 1000); 
@@ -383,8 +379,7 @@ void verifyOcspResponseTslSignerCertThisUpdateFutureWithinTolerance(final TestIn @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with thisUpdate in future out of tolerance") - void verifyOcspResponseTslSignerCertThisUpdateFutureOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertThisUpdateFutureOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -415,8 +410,7 @@ void verifyOcspResponseTslSignerCertThisUpdateFutureOutOfTolerance(final TestInf @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with nextUpdate in past within tolerance") - void verifyOcspResponseTslSignerCertNextUpdatePastWithinTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertNextUpdatePastWithinTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -445,8 +439,7 @@ void verifyOcspResponseTslSignerCertNextUpdatePastWithinTolerance(final TestInfo @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName( "Test OCSP response of TSL signer certificate with nextUpdate in past out of tolerance") - void verifyOcspResponseTslSignerCertNextUpdatePastOutOfTolerance(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertNextUpdatePastOutOfTolerance(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -474,8 +467,7 @@ void verifyOcspResponseTslSignerCertNextUpdatePastOutOfTolerance(final TestInfo description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 4") @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 6") @DisplayName("Test OCSP response of TSL signer certificate with missing nextUpdate") - void verifyOcspResponseTslSignerCertMissingNextUpdate(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertMissingNextUpdate(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -512,8 +504,9 @@ void verifyOcspResponseTslSignerCertMissingNextUpdate(final TestInfo testInfo) "Test various status of OCSP responses of TSL signer certificate with and without response" + " bytes") void verifyOcspResponseTslSignerCertVariousStatusAndResponseBytes( - final OCSPRespStatus ocspRespStatus, final boolean withResponseBytes, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final OCSPRespStatus ocspRespStatus, + final boolean withResponseBytes, + final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -546,8 +539,7 @@ void verifyOcspResponseTslSignerCertVariousStatusAndResponseBytes( description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 4") @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 7b") @DisplayName("Test OCSP response of TSL signer certificate with missing CertHash") - void verifyOcspResponseTslSignerCertMissingCertHash(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertMissingCertHash(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -579,8 +571,7 @@ void verifyOcspResponseTslSignerCertMissingCertHash(final TestInfo testInfo) description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 4") @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 7c") @DisplayName("Test OCSP response of TSL signer certificate with invalid CertHash") - void verifyOcspResponseTslSignerCertInvalidCertHash(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertInvalidCertHash(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -616,8 +607,7 @@ void verifyOcspResponseTslSignerCertInvalidCertHash(final TestInfo testInfo) @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP-Abfrage - Schritt 8b und 8c") @DisplayName("Test OCSP response of TSL signer certificate with status revoked and unknown") void verifyOcspResponseTslSignerCertStatusRevokedAndUnknown( - final CustomCertificateStatusType customCertificateStatusType, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final CustomCertificateStatusType customCertificateStatusType, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -649,8 +639,7 @@ void verifyOcspResponseTslSignerCertStatusRevokedAndUnknown( description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 4") @Afo(afoId = "RFC 6960", description = "4.2.1. ASN.1 Specification of the OCSP Response") @DisplayName("Test OCSP response of TSL signer certificate with responder id byName") - void verifyOcspResponseTslSignerCertResponderIdByName(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertResponderIdByName(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -684,8 +673,7 @@ void verifyOcspResponseTslSignerCertResponderIdByName(final TestInfo testInfo) @ValueSource(booleans = {true, false}) @DisplayName("Test OCSP response of TSL signer certificate with null parameter in CertId") void verifyOcspResponseTslSignerCertWithNullParameterInCertId( - final boolean withNullParameterHashAlgoOfCertId, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final boolean withNullParameterHashAlgoOfCertId, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -717,8 +705,7 @@ void verifyOcspResponseTslSignerCertWithNullParameterInCertId( description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 4") @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP check - step 4c") @DisplayName("Test OCSP response TSL signer certificate with timeout and delay") - void verifyOcspResponseTslSignerCertTimeoutAndDelay(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyOcspResponseTslSignerCertTimeoutAndDelay(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -789,8 +776,7 @@ void verifyOcspResponseTslSignerCertTimeoutAndDelay(final TestInfo testInfo) @Afo(afoId = "GS-A_4657", description = "TUC_PKI_006: OCSP check - step 6b") @DisplayName("Test invalid cert id in OCSP response for TSL signer cert") void verifyOcspResponseTslSignerCertInvalidCertId( - final CertificateIdGeneration certificateIdGeneration, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final CertificateIdGeneration certificateIdGeneration, final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -826,8 +812,7 @@ void verifyOcspResponseTslSignerCertInvalidCertId( description = "TUC_PKI_011: Prüfung des TSL-Signer-Zertifikates - Schritt 2") @Afo(afoId = "GS-A_4653", description = "TUC_PKI_002: Gültigkeitsprüfung des Zertifikats") @DisplayName("Test TSL signer certificate that is not yet valid - notBefore is in the future") - void verifyTslSignerCertNotYetValid(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyTslSignerCertNotYetValid(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); @@ -852,8 +837,7 @@ void verifyTslSignerCertNotYetValid(final TestInfo testInfo) description = "TUC_PKI_011: Prüfung des TSL-Signer-Zertifikates - Schritt 2") @Afo(afoId = "GS-A_4653", description = "TUC_PKI_002: Gültigkeitsprüfung des Zertifikats") @DisplayName("Test TSL signer certificate that is expired") - void verifyTslSignerCertExpired(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyTslSignerCertExpired(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -867,22 +851,26 @@ void verifyTslSignerCertExpired(final TestInfo testInfo) OCSP_REQUEST_EXPECT); } - private void breakTslSigner(final TslDownload tslDownload) - throws CertificateEncodingException, IOException { + private final Consumer breakTslSigner = + tslDownload -> { + final byte[] tslBytes = tslDownload.getTslBytes(); + final TrustStatusListType tsl = TslConverter.bytesToTsl(tslBytes); + final X509Certificate signerCert = TslUtils.getFirstTslSignerCertificate(tsl); - final byte[] tslBytes = tslDownload.getTslBytes(); - final TrustStatusListType tsl = TslConverter.bytesToTsl(tslBytes); - final X509Certificate signerCert = TslUtils.getFirstTslSignerCertificate(tsl); + final byte[] signerCertBrokenBytes; + try { + signerCertBrokenBytes = signerCert.getEncoded(); + } catch (CertificateEncodingException e) { + throw new TestSuiteException("cannot read signerCert", e); + } - final byte[] signerCertBrokenBytes = signerCert.getEncoded(); - GemLibPkiUtils.change4Bytes(signerCertBrokenBytes, 4); + GemLibPkiUtils.change4Bytes(signerCertBrokenBytes, 4); - final byte[] tslWithSignerCertBroken = - TslModifier.modifiedSignerCert(tslBytes, signerCertBrokenBytes); + final byte[] tslWithSignerCertBroken = + TslModifier.modifiedSignerCert(tslBytes, signerCertBrokenBytes); - tslDownload.setTslBytes(tslWithSignerCertBroken); - writeTsl(tslDownload, "_modified"); - } + tslDownload.setTslBytes(tslWithSignerCertBroken); + }; /** gematikId: UE_PKI_TC_0105_001 */ @Test 
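Review bot: The lambda that replaces `breakTslSigner` no longer calls `writeTsl(tslDownload, "_modified")`, so the tampered TSL is no longer written out as a test artifact unless `updateTrustStore` (not in this diff) does that for every modifier it is handed; the same call is dropped from `setNewActivationTime` in TslVaApprovalUtilsBaseIT. If the write was moved there on purpose, a one-line comment on the field, e.g. `// modifier only; updateTrustStore writes the modified TSL`, would save the next reader the search. The new `catch (CertificateEncodingException e)` also omits `final`, unlike the `catch (final …)` form this commit uses in TslVaApprovalUtilsBaseIT. The type argument of the `Consumer` field seems to have been lost in this rendering; presumably it is `Consumer<TslDownload>`.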
@@ -890,28 +878,22 @@ private void breakTslSigner(final TslDownload tslDownload) afoId = "GS-A_4642", description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 3") @DisplayName("Test TSL signer certificate is broken") - void verifyTslSignerCertBroken(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException, CertificateEncodingException { + void verifyTslSignerCertBroken(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); - final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); - log.info("Offering TSL with seqNr. {} for download.", offeredSeqNr); - final TslDownload tslDownload = getTslDownloadAlternativeTemplate(offeredSeqNr); - - tslDownload.configureOcspResponderTslSignerStatusGood(); - - breakTslSigner(tslDownload); - - tslSequenceNr.setLastOfferedNr(offeredSeqNr); - tslDownload.waitForTslDownload(tslSequenceNr.getExpectedNrInTestObject()); - - assertNoOcspRequest(tslDownload); - - final Path certPath = getPathOfAlternativeCertificate(); - useCaseWithCert( - certPath, USECASE_INVALID, OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_DO_NOT_EXPECT); + updateTrustStore( + "Offer a TSL with alternative test CAs (the TSL signer certificate contains an invalid ASN1" + + " structure).", + tslSettings.getAlternativeTemplate(), + defaultTslSigner, + OCSP_REQUEST_DO_NOT_EXPECT, + getPathOfAlternativeCertificate(), + USECASE_INVALID, + OCSP_REQUEST_DO_NOT_EXPECT, + breakTslSigner, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); final Path validCertPath = getPathOfFirstValidCert(); useCaseWithCert( 
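Review bot: The explicit `assertNoOcspRequest(tslDownload)` that made this test's negative check visible is gone; `verifyTslSignerCertBroken` now relies on the `OCSP_REQUEST_DO_NOT_EXPECT` passed as the fourth argument of `updateTrustStore` to verify that the test object sends no OCSP request for a TSL signer certificate it cannot parse. `updateTrustStore` is outside this diff, so confirm it asserts the TSL-signer OCSP expectation rather than only recording it; otherwise the test silently loses that assertion. The method body continues past the end of the hunk.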
@@ -926,8 +908,7 @@ void verifyTslSignerCertBroken(final TestInfo testInfo) private void verifyForBadCertificateFromTrustAnchors( final String p12Filename, final boolean signerKeyUsageCheck, - final boolean signerValidityCheck) - throws DatatypeConfigurationException, IOException { + final boolean signerValidityCheck) { final Path p12ContainerBadPath = Path.of(TRUST_ANCHOR_TEMPLATES_DIRNAME, p12Filename); final P12Container p12ContainerBad = P12Reader.getContentFromP12(p12ContainerBadPath, "00"); @@ -942,7 +923,8 @@ private void verifyForBadCertificateFromTrustAnchors( tslTemplate, p12ContainerBadPath, signerKeyUsageCheck, - signerValidityCheck); + signerValidityCheck, + null); final OcspResponderConfigDtoBuilder dtoBuilder = OcspResponderConfigDto.builder() @@ -969,8 +951,7 @@ private void verifyForBadCertificateFromTrustAnchors( afoId = "GS-A_4650", description = "TUC_PKI_011: Prüfung des TSL-Signer-Zertifikates - Schritt 3") @DisplayName("Test TSL signer certificates with invalid key usage and extended key usage") - void verifyTslSignerCertInvalidKeyUsageAndExtendedKeyUsage(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyTslSignerCertInvalidKeyUsageAndExtendedKeyUsage(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalTestsIT.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalTestsIT.java index d235f95..762ff10 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalTestsIT.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalTestsIT.java 
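Review bot: The new trailing `null` passed to `getTslDownloadWithTemplateAndSigner` in `verifyForBadCertificateFromTrustAnchors` is an unnamed positional argument whose meaning the reader has to look up; from the other hunks it is presumably the TSL-modifier `Consumer`. A named constant next to `SKIP_USECASE`, e.g. `protected static final Consumer<TslDownload> NO_TSL_MODIFIER = null;`, would document intent at each call site. The same pattern recurs in the nine-argument `updateTrustStore` calls in TslVaApprovalTestsIT (`OCSP_REQUEST_IGNORE, null, SKIP_USECASE, null, null, …` in verifyInvalidTrustAnchorWasNotImported and verifyOverwriteAnnouncedInactiveTrustAnchor), where overloads with fewer positional parameters or a small builder would read more safely.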
@@ -26,13 +26,13 @@ import de.gematik.pki.gemlibpki.utils.GemLibPkiUtils; import de.gematik.pki.pkits.common.PkitsCommonUtils; -import de.gematik.pki.pkits.testsuite.approval.support.UseCaseResult; +import de.gematik.pki.pkits.testsuite.approval.support.OcspSeqNrUpdateMode; import de.gematik.pki.pkits.testsuite.common.ocsp.OcspHistory.OcspRequestExpectationBehaviour; +import de.gematik.pki.pkits.testsuite.common.tsl.TslDownload; import de.gematik.pki.pkits.testsuite.config.Afo; -import java.io.IOException; import java.nio.file.Path; import java.time.ZonedDateTime; -import javax.xml.datatype.DatatypeConfigurationException; +import java.util.function.Consumer; import lombok.extern.slf4j.Slf4j; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.DisplayName; @@ -106,8 +106,6 @@ class TslVaApprovalTestsIT extends TslVaApprovalUtilsBaseIT { static final Path tslTemplateAlternativeTrustAnchor2TrustAnchorChange = Path.of(TSL_TEMPLATES_DIRNAME, "TSL_altTA2_TAchange.xml"); - private static final UseCaseResult SKIP_USECASE = null; - /** gematikId: UE_PKI_TC_0106_001 */ @Test @Afo( @@ -115,15 +113,14 @@ class TslVaApprovalTestsIT extends TslVaApprovalUtilsBaseIT { description = "TUC_PKI_001: Periodische Aktualisierung TI-Vertrauensraum - Schritt 5") @Afo(afoId = "GS-A_4643", description = "TUC_PKI_013: Import TI-Vertrauensanker aus TSL") @DisplayName("Test updating trust anchor") - void verifyUpdateTrustAnchor(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyUpdateTrustAnchor(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); - log.info("verifyUpdateTrustAnchor step 2.1"); - updateTrustStore( + "Offer a TSL with announcement of trust anchor change." + + " ", tslTemplateTrustAnchorChange, defaultTslSigner, OCSP_REQUEST_EXPECT, 
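Review bot: The description strings in the new `updateTrustStore` calls end in a concatenated `+ " "` (and `+ ""` in verifyOverwriteAnnouncedInactiveTrustAnchor), which contributes nothing but a trailing blank to the message; the same pattern appears in the hunks of fallBackFromAlternativeToDefaultTrustAnchorAndCheck, verifyNewTrustAnchorInvalidTime, verifyMultipleAnnouncedTrustAnchorsInTsl and verifyHandlingOfStatusStartingTimeOfAnnouncedTrustAnchor. If this rendering dropped a placeholder inside the quotes the remark can be ignored; otherwise drop the concatenation, e.g. `"Offer a TSL with announcement of trust anchor change.",`. A short comment on `updateTrustStore` stating where the description ends up (log line, report) would make the intended format explicit.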
@@ -134,11 +131,16 @@ void verifyUpdateTrustAnchor(final TestInfo testInfo) log.info("verifyUpdateTrustAnchor - new trust anchor should be activated now"); - verifyInvalidTrustAnchorWasNotImported(tslSettings.getAlternativeTemplate(), defaultTslSigner); + verifyInvalidTrustAnchorWasNotImported( + "Offer a TSL (with alternative test CAs), signed with old (no longer active) trust anchor." + + " ", + tslSettings.getAlternativeTemplate(), + defaultTslSigner); - log.info("verifyUpdateTrustAnchor step 2.3"); printCurrentTslSeqNr(); updateTrustStore( + "Offer a TSL (with alternate test CAs), signed with the new (announced) first alternative" + + " trust anchor. ", tslTemplateAlternativeTrustAnchorAlternativeCa, alternativeTslSignerP12Path, OCSP_REQUEST_EXPECT, 
@@ -148,48 +150,41 @@ void verifyUpdateTrustAnchor(final TestInfo testInfo) fallBackFromAlternativeToDefaultTrustAnchorAndCheck(alternativeTslSignerP12Path); } - private void fallBackFromAlternativeToDefaultTrustAnchorAndCheck(final Path tslSignerP12Path) - throws DatatypeConfigurationException, IOException { + private void fallBackFromAlternativeToDefaultTrustAnchorAndCheck(final Path tslSignerP12Path) { log.info("fallBackFromAlternativeToDefaultTrustAnchorAndCheck - start"); updateTrustStore( + getSwitchMessage(TA_NAME_ALT1, TA_NAME_DEFAULT) + + " ", tslTemplateAlternativeTrustAnchorTrustAnchorChange, tslSignerP12Path, OCSP_REQUEST_EXPECT, getPathOfFirstValidCert(), - USECASE_VALID); - - setExpectedOcspTslSeqNr(tslSequenceNr.getExpectedNrInTestObject()); + USECASE_VALID, + OCSP_REQUEST_EXPECT, + null, + OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR); log.info("fallBackFromAlternativeToDefaultTrustAnchorAndCheck - finish\n\n"); } - private void tryToImportAnnouncedInvalidTrustAnchor( - final Path tslTemplate, - final Path tslSignerP12Path, - final OcspRequestExpectationBehaviour ocspRequestExpectationBehaviour) - throws DatatypeConfigurationException, IOException { + private void verifyInvalidTrustAnchorWasNotImported( + final String description, final Path tslTemplate, final Path tslSignerP12Path) { - log.info("tryToImportAnnouncedInvalidTrustAnchor - start: tsl template {}", tslTemplate); + log.info("Test if Trust Anchor was erroneously imported"); + log.info("verifyInvalidTrustAnchorWasNotImported - start: tslTemplate {}", tslTemplate); updateTrustStore( + description, tslTemplate, tslSignerP12Path, - ocspRequestExpectationBehaviour, - getPathOfAlternativeCertificate(), - USECASE_INVALID); - - log.info("tryToImportAnnouncedInvalidTrustAnchor - finish\n\n"); - } - - private void verifyInvalidTrustAnchorWasNotImported( - final Path tslTemplate, final Path tslSignerP12Path) - throws DatatypeConfigurationException, IOException { - - 
log.info("verifyInvalidTrustAnchorWasNotImported - start: tslTemplate {}", tslTemplate); - - updateTrustStore(tslTemplate, tslSignerP12Path, OCSP_REQUEST_IGNORE, null, SKIP_USECASE); + OCSP_REQUEST_IGNORE, + null, + SKIP_USECASE, + null, + null, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); final Path certPath = getPathOfAlternativeCertificate(); 
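Review bot: `verifyInvalidTrustAnchorWasNotImported` now takes a `description` and deliberately ignores both the OCSP expectation and the use-case result of the TSL offer (`OCSP_REQUEST_IGNORE`, `SKIP_USECASE`), leaving the actual assertion to the code after the hunk, and nothing documents that split. A Javadoc such as `/** Offers a TSL signed with a trust anchor that must not have been imported; the offer itself is not asserted, the use case with the alternative certificate that follows carries the check. */` would state the contract (the exact expectation of that use case is outside the hunk, so adjust the wording). The merged method also absorbs the deleted `tryToImportAnnouncedInvalidTrustAnchor`, whose name a TODO in verifyHandlingOfStatusStartingTimeOfAnnouncedTrustAnchor still references. The method continues past the end of the hunk.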
@@ -229,39 +224,79 @@ private void verifyInvalidTrustAnchorWasNotImported( afoId = "GS-A_4643", description = "TUC_PKI_013: Import TI-Vertrauensanker aus TSL - Schritt 4") @DisplayName("Test updating trust anchor with certificates that have invalid times") - void verifyNewTrustAnchorInvalidTime(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyNewTrustAnchorInvalidTime(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); - log.info("case 1: verify new trust anchor expired"); + final ZonedDateTime now = GemLibPkiUtils.now(); + final Consumer rewriteStatusStartingTime = + getActivationTimeModifier(defaultTslSigner, now); + + // --------------------------------------------------------------------------------- + + log.info("start case 1: verify new trust anchor expired"); initialStateWithAlternativeTemplate(); - tryToImportAnnouncedInvalidTrustAnchor( - tslTemplateDefectTrustAnchorChangeExpired, defaultTslSigner, OCSP_REQUEST_EXPECT); + log.info("StartingStatusTime of announced trust anchor: {}", now); + updateTrustStore( + "Try to import invalid trust anchor: offer a TSL announcing a new trust anchor (but" + + " expired). ", + tslTemplateDefectTrustAnchorChangeExpired, + defaultTslSigner, + OCSP_REQUEST_EXPECT, + getPathOfAlternativeCertificate(), + USECASE_INVALID, + OCSP_REQUEST_DO_NOT_EXPECT, + rewriteStatusStartingTime, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); verifyInvalidTrustAnchorWasNotImported( + "Offer a TSL with alternative CAs and the TSL signer certificate from the new trust anchor" + + " (but expired). 
", tslTemplateInvalidAlternativeTrustAnchorExpiredAlternativeCa, tslSignerFromExpiredTrustAnchorP12Path); - log.info("case 2: verify new trust anchor not yet valid"); - initialStateWithAlternativeTemplate(); + // --------------------------------------------------------------------------------- - tryToImportAnnouncedInvalidTrustAnchor( - tslTemplateDefectTrustAnchorChangeNotYetValid, defaultTslSigner, OCSP_REQUEST_EXPECT); + log.info("start case 2: verify new trust anchor not yet valid"); + initialStateWithAlternativeTemplate(); + log.info("StartingStatusTime of announced trust anchor: {}", now); + updateTrustStore( + "Try to import invalid trust anchor: offer a TSL announcing a new trust anchor (but not yet" + + " valid). ", + tslTemplateDefectTrustAnchorChangeNotYetValid, + defaultTslSigner, + OCSP_REQUEST_EXPECT, + getPathOfAlternativeCertificate(), + USECASE_INVALID, + OCSP_REQUEST_DO_NOT_EXPECT, + rewriteStatusStartingTime, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); verifyInvalidTrustAnchorWasNotImported( + "Offer a TSL with alternative CAs and with the TSL signer certificate from the new trust" + + " anchor (but not yet valid). ", tslTemplateInvalidAlternativeTrustAnchorNotYetValidAlternativeCa, tslSignerFromNotYetValidTrustAnchorP12Path); + // --------------------------------------------------------------------------------- log.info("case 3: StatusStartingTime is expired"); initialStateWithAlternativeTemplate(); - tryToImportAnnouncedInvalidTrustAnchor( + updateTrustStore( + "Try to import invalid trust anchor: offer a TSL announcing a new valid trust anchor, that" + + " would expire to the time of specified StatusStartingTime." 
+ + " ", tslTemplateDefectTrustAnchorChangeStartingTimeFuture, defaultTslSigner, - OCSP_REQUEST_EXPECT); + OCSP_REQUEST_EXPECT, + getPathOfAlternativeCertificate(), + USECASE_INVALID); + // --------------------------------------------------------------------------------- + log.info( + "Check if expected TSL is in the test object (TSL sequence number is in" + + " ServiceSupplyPoint)"); useCaseWithCert( getPathOfFirstValidCert(), USECASE_VALID, 
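Review bot: `rewriteStatusStartingTime` is built once from `now` and reused for case 2, so by then the announced StatusStartingTime already lies in the past by the duration of case 1 (TSL download waits included); if the test object treats a past StatusStartingTime as immediate activation that is the intent, but it is not stated. A comment at the declaration, e.g. `// StatusStartingTime deliberately at test start: the anchor must be rejected for its validity period, not for timing`, would pin that down. The log lines are also inconsistent (`"start case 1: …"`, `"start case 2: …"` but `"case 3: …"`).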
@@ -278,23 +313,46 @@ void verifyNewTrustAnchorInvalidTime(final TestInfo testInfo) afoId = "GS-A_4643", description = "TUC_PKI_013: Import TI-Vertrauensanker aus TSL - Schritt 1") @DisplayName("Test multiple announced trust anchors in single TSL") - void verifyMultipleAnnouncedTrustAnchorsInTsl(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyMultipleAnnouncedTrustAnchorsInTsl(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); initialStateWithAlternativeTemplate(); - tryToImportAnnouncedInvalidTrustAnchor( - tslTemplateDefectTrustAnchorChangeTwoEntries, defaultTslSigner, OCSP_REQUEST_EXPECT); + final ZonedDateTime now = GemLibPkiUtils.now(); + final Consumer rewriteStatusStartingTime = + getActivationTimeModifier(defaultTslSigner, now); + + log.info("StartingStatusTime of announced trust anchor: {}", now); + + updateTrustStore( + "Try to import invalid trust anchor: offer a TSL announcing two trust - the first and" + + " second alternative - anchors at the same time, but without alternative CAs." + + " ", + tslTemplateDefectTrustAnchorChangeTwoEntries, + defaultTslSigner, + OCSP_REQUEST_EXPECT, + getPathOfAlternativeCertificate(), + USECASE_INVALID, + OCSP_REQUEST_DO_NOT_EXPECT, + rewriteStatusStartingTime, + OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); + // --------------------------------------------------------------------------------- verifyInvalidTrustAnchorWasNotImported( - tslTemplateAlternativeTrustAnchorAlternativeCa, alternativeTslSignerP12Path); + "Offer a TSL with alternative CAs and the first alternative TSL signer certificate." + + " ", + tslTemplateAlternativeTrustAnchorAlternativeCa, + alternativeTslSignerP12Path); verifyInvalidTrustAnchorWasNotImported( - tslTemplateAlternativeTrustAnchorAlternativeCa, alternativeSecondTslSignerP12Path); + "Offer a TSL with alternative CAs and the second alternative TSL signer certificate." 
+ + " ", + tslTemplateAlternativeTrustAnchorAlternativeCa, + alternativeSecondTslSignerP12Path); + // --------------------------------------------------------------------------------- useCaseWithCert( getPathOfFirstValidCert(), USECASE_VALID, @@ -311,21 +369,29 @@ void verifyMultipleAnnouncedTrustAnchorsInTsl(final TestInfo testInfo) afoId = "GS-A_4643", description = "TUC_PKI_013: Import TI-Vertrauensanker aus TSL - Schritt 2") @DisplayName("Test for an announced broken trust anchor and cannot be extracted") - void verifyNewTrustAnchorsIsBroken(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + void verifyNewTrustAnchorsIsBroken(final TestInfo testInfo) { testCaseMessage(testInfo); initialStateWithAlternativeTemplate(); - tryToImportAnnouncedInvalidTrustAnchor( - tslTemplateDefectTrustAnchorChangeBroken, defaultTslSigner, OCSP_REQUEST_EXPECT); + log.info("Announce new trust anchor, TSL signer CA is broken"); + updateTrustStore( + "Try to import invalid trust anchor: offer of a TSL (without alternative CAs) announcing a" + + " new trust anchor that has broken ASN.1 certificate structure. ", + tslTemplateDefectTrustAnchorChangeBroken, + defaultTslSigner, + OCSP_REQUEST_EXPECT, + getPathOfAlternativeCertificate(), + USECASE_INVALID); - useCaseWithCert( + updateTrustStore( + "Offer the default TSL.", + tslSettings.getDefaultTemplate(), + defaultTslSigner, + OCSP_REQUEST_EXPECT, getPathOfFirstValidCert(), - USECASE_VALID, - OCSP_RESP_TYPE_DEFAULT_USECASE, - OCSP_REQUEST_EXPECT); + USECASE_VALID); } /** gematikId: UE_PKI_TC_0106_005, UE_PKI_TC_0106_006 */ 
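Review bot: The step description in verifyMultipleAnnouncedTrustAnchorsInTsl reads awkwardly (`"… announcing two trust - the first and second alternative - anchors at the same time …"`); as it ends up in logs or reports, `"… announcing two trust anchors (the first and the second alternative) at the same time, but without alternative CAs."` is clearer. In verifyNewTrustAnchorsIsBroken the final `useCaseWithCert` with the valid certificate is replaced by a second `updateTrustStore("Offer the default TSL.", …)`, so the test now additionally offers a fresh default TSL before the positive check; that is a behaviour change worth a one-line comment on why the extra offer is needed after a rejected announcement.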
@@ -341,8 +407,7 @@ void verifyNewTrustAnchorsIsBroken(final TestInfo testInfo) "Test overwrite behaviour and proper handling of StatusStartingTime of announced trust" + " anchors") void verifyHandlingOfStatusStartingTimeAndOverwriteAnnouncedInactiveTrustAnchors( - final int testOrder, final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + final int testOrder, final TestInfo testInfo) { if (testOrder == 1) { log.info("execute test case verifyHandlingOfStatusStartingTimeOfAnnouncedTrustAnchor"); @@ -361,8 +426,7 @@ private void waitWithExtraSeconds(long waitingTimeSeconds) { log.info("waiting is over"); } - private void verifyHandlingOfStatusStartingTimeOfAnnouncedTrustAnchor(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + private void verifyHandlingOfStatusStartingTimeOfAnnouncedTrustAnchor(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -370,25 +434,32 @@ private void verifyHandlingOfStatusStartingTimeOfAnnouncedTrustAnchor(final Test final long tripleTslDownloadTime = getTripleTslDownloadTime(); final ZonedDateTime newActivationTime = GemLibPkiUtils.now().plusSeconds(tripleTslDownloadTime); - log.info("StartingStatusTime of new trust anchor: {}", newActivationTime); + log.info("StartingStatusTime of announced trust anchor: {}", newActivationTime); - importNewValidTrustAnchor( + updateTrustStore( + "Offer a TSL without alternative test CAs and with announcement of a new trust anchor to be" + + " activated after next 3 TSL downloads." + + " ", tslTemplateTrustAnchorChange, defaultTslSigner, - newActivationTime, - OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR); - - useCaseWithCert( + OCSP_REQUEST_EXPECT, getPathOfAlternativeCertificate(), USECASE_INVALID, - OCSP_RESP_TYPE_DEFAULT_USECASE, - OCSP_REQUEST_DO_NOT_EXPECT); + OCSP_REQUEST_DO_NOT_EXPECT, + getActivationTimeModifier(defaultTslSigner, newActivationTime), + OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR); + // --------------------------------------------------------------------------------- try { - tryToImportAnnouncedInvalidTrustAnchor( + updateTrustStore( + "Try to import invalid trust anchor - too early: Offer a TSL with alternative CAs and the" + + " TSL signer certificate from the new trust anchor. Trust anchor is not yet" + + " active. ", tslTemplateAlternativeTrustAnchorAlternativeCa, alternativeTslSignerP12Path, - OCSP_REQUEST_IGNORE); + OCSP_REQUEST_IGNORE, + getPathOfAlternativeCertificate(), + USECASE_INVALID); } catch (final Exception e) { // TODO integrate this fallback into tryToImportAnnouncedInvalidTrustAnchor around // useCaseWithCert 
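Review bot: The context comment `// TODO integrate this fallback into tryToImportAnnouncedInvalidTrustAnchor around useCaseWithCert` now points at a method this commit deletes from TslVaApprovalTestsIT; the fallback it describes wraps the new `updateTrustStore` call. Either rename the target (`// TODO integrate this fallback into updateTrustStore around the use case`) or, since `updateTrustStore` now owns the use-case step, resolve it. The pre-existing `catch (final Exception e)` now also covers the TSL-modifier and OCSP-expectation paths of `updateTrustStore`, so confirm the fallback branch still fails the test rather than only logging. The method continues outside the hunk.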
@@ -399,23 +470,28 @@ private void verifyHandlingOfStatusStartingTimeOfAnnouncedTrustAnchor(final Test "a trust anchor was unexpectedly imported into the test object - a fallback was performed" + " to switch to the default trust anchor"); } + // --------------------------------------------------------------------------------- waitWithExtraSeconds(tripleTslDownloadTime); log.info( "new trust anchor should be activated now - StartingStatusTime: {}", newActivationTime); + verifyInvalidTrustAnchorWasNotImported( + "Offer a TSL with alternative CAs and TSL signer certificate from the standard trust" + + " space. ", + tslSettings.getAlternativeTemplate(), + defaultTslSigner); - verifyInvalidTrustAnchorWasNotImported(tslSettings.getAlternativeTemplate(), defaultTslSigner); + // --------------------------------------------------------------------------------- - importNewValidTrustAnchor( + updateTrustStore( + "Offer a TSL with alternative test CAs and TSL signer certificate from the new trust" + + " anchor. Trust anchor should be active." + + " ", tslTemplateAlternativeTrustAnchorAlternativeCa, alternativeTslSignerP12Path, - null, - OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); - - useCaseWithCert( + OCSP_REQUEST_EXPECT, getPathOfAlternativeCertificate(), USECASE_VALID, - OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); fallBackFromAlternativeToDefaultTrustAnchorAndCheck(alternativeTslSignerP12Path); @@ -441,8 +517,7 @@ private static long getTripleTslDownloadTime() { return tripleTslDownloadTime; } - private void verifyOverwriteAnnouncedInactiveTrustAnchor(final TestInfo testInfo) - throws DatatypeConfigurationException, IOException { + private void verifyOverwriteAnnouncedInactiveTrustAnchor(final TestInfo testInfo) { testCaseMessage(testInfo); initialState(); 
@@ -452,51 +527,81 @@ private void verifyOverwriteAnnouncedInactiveTrustAnchor(final TestInfo testInfo final long tripleTslDownloadTime = getTripleTslDownloadTime(); final ZonedDateTime newActivationTime = now.plusSeconds(tripleTslDownloadTime); - importNewValidTrustAnchor( + log.info("StartingStatusTime of announced trust anchor: {}", newActivationTime); + updateTrustStore( + "Announce first new trust anchor (TA1): Offer a TSL without alternative test CAs and with" + + " announcement of a new trust anchor. Activation time: 3 x TSL download interval." + + " ", tslTemplateTrustAnchorChangeFuture, defaultTslSigner, - newActivationTime, + OCSP_REQUEST_EXPECT, + null, + SKIP_USECASE, + null, + getActivationTimeModifier(defaultTslSigner, newActivationTime), OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); + // --------------------------------------------------------------------------------- + final long tripleTslDownloadTimeM10 = tripleTslDownloadTime - 10; if (tripleTslDownloadTimeM10 < 0) { // TODO implement fallback log.error("activation of new trust anchor is in the past (too early)"); } - final ZonedDateTime newActivationTime2 = now.plusSeconds(tripleTslDownloadTimeM10); + log.info("StartingStatusTime of announced trust anchor: {}", newActivationTime2); - log.info("StartingStatusTime of new trust anchor: {}", newActivationTime2); - - importNewValidTrustAnchor( + updateTrustStore( + "Announce first new trust anchor (TA2): Offer a TSL without alternative test CAs and with" + + " announcement of another new trust anchor. Activation time: (3 x TSL download" + + " interval) - 10 seconds. 
", tslTemplateTrustAnchorChangeAlternativeTrustAnchor2FutureShort, defaultTslSigner, - newActivationTime2, + OCSP_REQUEST_EXPECT, + null, + SKIP_USECASE, + null, + getActivationTimeModifier(defaultTslSigner, newActivationTime2), OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR); + // --------------------------------------------------------------------------------- waitWithExtraSeconds(tripleTslDownloadTime); log.info( "new trust anchor should be activated now - StartingStatusTime: {}", newActivationTime2); + log.info( + "Try to use first new trust anchor TA1 (must not be in the truststore of the test object)"); verifyInvalidTrustAnchorWasNotImported( - tslTemplateAlternativeTrustAnchorAlternativeCa, alternativeTslSignerP12Path); + "Offer a TSL with alternative test CAs and TSL signer certificate from the first new trust" + + " anchor. ", + tslTemplateAlternativeTrustAnchorAlternativeCa, + alternativeTslSignerP12Path); + + log.info( + "Try to use second new trust anchor TA2 (should be in the truststore of the test object)"); - importNewValidTrustAnchor( + updateTrustStore( + "Offer a TSL with alternative test CAs and TSL signer certificate from the second" + + " (alternative) new trust anchor. ", tslTemplateAlternativeTrustAnchor2AlternativeCa, alternativeSecondTslSignerP12Path, - null, - OcspSeqNrUpdateMode.DO_NOT_UPDATE_OCSP_SEQ_NR); - - useCaseWithCert( + OcspRequestExpectationBehaviour.OCSP_REQUEST_EXPECT, getPathOfAlternativeCertificate(), USECASE_VALID, - OCSP_RESP_TYPE_DEFAULT_USECASE, OCSP_REQUEST_EXPECT); - importNewValidTrustAnchor( + // --------------------------------------------------------------------------------- + + updateTrustStore( + getSwitchMessage(TA_NAME_ALT2, TA_NAME_DEFAULT) + + "", tslTemplateAlternativeTrustAnchor2TrustAnchorChange, alternativeSecondTslSignerP12Path, + OCSP_REQUEST_EXPECT, + null, + SKIP_USECASE, + null, null, OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR); 
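Review bot: The description for the second announcement reads `"Announce first new trust anchor (TA2): …"` although it announces the second anchor right after TA1; it should read `"Announce second new trust anchor (TA2): Offer a TSL without alternative test CAs and with"`. Further down, `OcspRequestExpectationBehaviour.OCSP_REQUEST_EXPECT` is written fully qualified while the same constant appears as `OCSP_REQUEST_EXPECT` in the very same call and throughout the file. The pre-existing `if (tripleTslDownloadTimeM10 < 0)` branch still only logs; now that the activation time is injected via `getActivationTimeModifier`, it would be the natural place to fail fast instead of announcing an anchor whose StatusStartingTime is already in the past.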
diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalUtilsBaseIT.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalUtilsBaseIT.java index 7258c02..10840f2 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalUtilsBaseIT.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaApprovalUtilsBaseIT.java @@ -16,16 +16,15 @@ package de.gematik.pki.pkits.testsuite.approval; -import static de.gematik.pki.pkits.testsuite.common.TestSuiteConstants.SIGNER_KEY_USAGE_CHECK_ENABLED; -import static de.gematik.pki.pkits.testsuite.common.TestSuiteConstants.SIGNER_VALIDITY_CHECK_ENABLED; - import de.gematik.pki.gemlibpki.tsl.TslConstants; import de.gematik.pki.gemlibpki.tsl.TslModifier; import de.gematik.pki.pkits.common.PkitsConstants; +import de.gematik.pki.pkits.testsuite.approval.support.UseCaseResult; import de.gematik.pki.pkits.testsuite.common.tsl.TslDownload; -import java.io.IOException; +import de.gematik.pki.pkits.testsuite.exceptions.TestSuiteException; import java.nio.file.Path; import java.time.ZonedDateTime; +import java.util.function.Consumer; import javax.xml.datatype.DatatypeConfigurationException; import lombok.NonNull; import lombok.extern.slf4j.Slf4j; @@ -33,6 +32,7 @@ @Slf4j public abstract class TslVaApprovalUtilsBaseIT extends ApprovalTestsBaseIT { + protected static final UseCaseResult SKIP_USECASE = null; final Path alternativeTslSignerP12Path = Path.of(TRUST_ANCHOR_TEMPLATES_DIRNAME, "TSL-Signing-Unit-9-TEST-ONLY.p12"); 
@@ -42,63 +42,43 @@ public abstract class TslVaApprovalUtilsBaseIT extends ApprovalTestsBaseIT { final Path tslSignerFromExpiredTrustAnchorP12Path = Path.of(TRUST_ANCHOR_TEMPLATES_DIRNAME, "valid_tsl_signer_from_expired_ta.p12"); - protected enum OcspSeqNrUpdateMode { - UPDATE_OCSP_SEQ_NR, - DO_NOT_UPDATE_OCSP_SEQ_NR + protected static final String TA_NAME_DEFAULT = "default"; + protected static final String TA_NAME_ALT1 = "first alternative"; + protected static final String TA_NAME_ALT2 = "second alternative"; + + protected static String getSwitchMessage(final String anchorType1, final String anchorType2) { + return "Offer a TSL to switch from the %s trust anchor to the %s trust anchor." + .formatted(anchorType1, anchorType2); + } + + Consumer getActivationTimeModifier( + final Path tslSignerPath, final ZonedDateTime newActivationTime) { + return (tslDownload) -> { + if (newActivationTime != null) { + setNewActivationTime(tslDownload, tslSignerPath, newActivationTime); + } + }; } private void setNewActivationTime( final TslDownload tslDownload, @NonNull final Path tslSignerPath, - final ZonedDateTime newActivationTime) - throws DatatypeConfigurationException, IOException { + final ZonedDateTime newActivationTime) { byte[] tslBytes = tslDownload.getTslBytes(); - tslBytes = - TslModifier.modifiedStatusStartingTime( - tslBytes, - PkitsConstants.GEMATIK_TEST_TSP, - TslConstants.STI_SRV_CERT_CHANGE, - null, - newActivationTime); - - signAndSetTslBytes(tslDownload, tslSignerPath, tslBytes); - writeTsl(tslDownload, "_modified"); - } - - protected void importNewValidTrustAnchor( - @NonNull final Path tslTemplate, - @NonNull final Path tslSignerPath, - final ZonedDateTime newActivationTime, - final OcspSeqNrUpdateMode ocspSeqNrUpdateMode) - throws DatatypeConfigurationException, IOException { - - log.info("importNewValidTrustAnchor - start: tsl template {}", tslTemplate); - - final int offeredSeqNr = tslSequenceNr.getNextTslSeqNr(); - log.info("Offering TSL with seqNr. 
{} for download.", offeredSeqNr); - - final TslDownload tslDownload = - getTslDownloadWithTemplateAndSigner( - offeredSeqNr, - tslTemplate, - tslSignerPath, - SIGNER_KEY_USAGE_CHECK_ENABLED, - SIGNER_VALIDITY_CHECK_ENABLED); - if (newActivationTime != null) { - setNewActivationTime(tslDownload, tslSignerPath, newActivationTime); + try { + tslBytes = + TslModifier.modifiedStatusStartingTime( + tslBytes, + PkitsConstants.GEMATIK_TEST_TSP, + TslConstants.STI_SRV_CERT_CHANGE, + null, + newActivationTime); + } catch (final DatatypeConfigurationException e) { + throw new TestSuiteException("cannot modify TSL", e); } - printCurrentTslSeqNr(); - tslSequenceNr.setLastOfferedNr(offeredSeqNr); - tslDownload.waitUntilTslDownloadCompleted(offeredSeqNr, getExpectedOcspTslSeqNr()); - tslSequenceNr.setExpectedNrInTestObject(offeredSeqNr); - - if (ocspSeqNrUpdateMode == OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR) { - setExpectedOcspTslSeqNr(tslSequenceNr.getExpectedNrInTestObject()); - } - - log.info("importNewValidTrustAnchor - finish\n\n"); + signAndSetTslBytes(tslDownload, tslSignerPath, tslBytes); } } diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaSwitchUtils.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaSwitchUtils.java index 409725b..22610a4 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaSwitchUtils.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/TslVaSwitchUtils.java 
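Review bot: `getActivationTimeModifier` is package-private while its new siblings `getSwitchMessage`, `SKIP_USECASE` and the `TA_NAME_*` constants are `protected`, so a subclass outside the package would see the constants but not the factory. Its null check on `newActivationTime` yields a no-op consumer, yet no caller in this diff passes a null activation time (callers that want no modification pass `null` as the modifier instead), so that branch looks unreachable; a Javadoc like `/** Returns a TSL modifier that rewrites the StatusStartingTime of the announced trust anchor and re-signs the TSL; a null activation time yields a no-op. */` would at least document it. The `DatatypeConfigurationException` is wrapped as `TestSuiteException("cannot modify TSL", e)` with the cause kept, which is the right shape. The type argument of the returned `Consumer` appears to be lost in this rendering.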
@@ -20,9 +20,8 @@ import static de.gematik.pki.pkits.testsuite.common.ocsp.OcspHistory.OcspRequestExpectationBehaviour.OCSP_REQUEST_EXPECT; import de.gematik.pki.gemlibpki.utils.GemLibPkiUtils; -import java.io.IOException; +import de.gematik.pki.pkits.testsuite.approval.support.OcspSeqNrUpdateMode; import java.nio.file.Path; -import javax.xml.datatype.DatatypeConfigurationException; import lombok.extern.slf4j.Slf4j; import org.junit.jupiter.api.Order; import org.junit.jupiter.api.Test; @@ -32,11 +31,17 @@ class TslVaSwitchUtils extends TslVaApprovalUtilsBaseIT { @Test @Order(101) - void switchFromDefaultToAlternativeFirst() throws DatatypeConfigurationException, IOException { + void switchFromDefaultToAlternativeFirst() { - switchTrustAnchor(TslVaApprovalTestsIT.tslTemplateTrustAnchorChange, defaultTslSigner, true); + switchTrustAnchor( + getSwitchMessage(TA_NAME_DEFAULT, TA_NAME_ALT1), + TslVaApprovalTestsIT.tslTemplateTrustAnchorChange, + defaultTslSigner, + true); updateTrustStore( + "Offer a TSL (with alternate test CAs), signed with the new (announced) first alternative" + + " trust anchor.", TslVaApprovalTestsIT.tslTemplateAlternativeTrustAnchorAlternativeCa, alternativeTslSignerP12Path, OCSP_REQUEST_EXPECT, @@ -46,13 +51,15 @@ void switchFromDefaultToAlternativeFirst() throws DatatypeConfigurationException @Test @Order(102) - void switchFromAlternativeFirstToDefault() throws DatatypeConfigurationException, IOException { + void switchFromAlternativeFirstToDefault() { switchTrustAnchor( + getSwitchMessage(TA_NAME_ALT1, TA_NAME_DEFAULT), TslVaApprovalTestsIT.tslTemplateAlternativeTrustAnchorTrustAnchorChange, alternativeTslSignerP12Path, false); updateTrustStore( + "Offer the default TSL.", tslSettings.getDefaultTemplate(), defaultTslSigner, OCSP_REQUEST_EXPECT, 
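Review bot: The step description `"Offer the default TSL."` added in `switchFromAlternativeFirstToDefault` is repeated verbatim in `switchFromAlternativeSecondToDefault` in the following hunk, while the trust-anchor names were deliberately centralised as `TA_NAME_DEFAULT`/`TA_NAME_ALT1`/`TA_NAME_ALT2` in the base class. A constant next to those, e.g. `protected static final String OFFER_DEFAULT_TSL_MSG = "Offer the default TSL.";`, would keep the wording consistent across the switch tests. The longer descriptions built with `+` across two lines are fine, but the same constant-based approach would apply if they are reused elsewhere.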
@@ -62,13 +69,16 @@ void switchFromAlternativeFirstToDefault() throws DatatypeConfigurationException @Test @Order(103) - void switchFromDefaultToAlternativeSecond() throws DatatypeConfigurationException, IOException { + void switchFromDefaultToAlternativeSecond() { switchTrustAnchor( + getSwitchMessage(TA_NAME_DEFAULT, TA_NAME_ALT2), TslVaApprovalTestsIT.tslTemplateTrustAnchorChangeAlternativeTrustAnchor2FutureShort, defaultTslSigner, true); updateTrustStore( + "Offer a TSL with alternative test CAs and TSL signer certificate from the second" + + " (alternative) new trust anchor.", TslVaApprovalTestsIT.tslTemplateAlternativeTrustAnchor2AlternativeCa, alternativeSecondTslSignerP12Path, OCSP_REQUEST_EXPECT, @@ -78,13 +88,15 @@ void switchFromDefaultToAlternativeSecond() throws DatatypeConfigurationExceptio @Test @Order(104) - void switchFromAlternativeSecondToDefault() throws DatatypeConfigurationException, IOException { + void switchFromAlternativeSecondToDefault() { switchTrustAnchor( + getSwitchMessage(TA_NAME_ALT2, TA_NAME_DEFAULT), TslVaApprovalTestsIT.tslTemplateAlternativeTrustAnchor2TrustAnchorChange, alternativeSecondTslSignerP12Path, false); updateTrustStore( + "Offer the default TSL.", tslSettings.getDefaultTemplate(), defaultTslSigner, OCSP_REQUEST_EXPECT, @@ -93,8 +105,10 @@ void switchFromAlternativeSecondToDefault() throws DatatypeConfigurationExceptio } void switchTrustAnchor( - final Path tslTemplate, final Path tslSignerP12Path, final boolean withInitialState) - throws DatatypeConfigurationException, IOException { + final String description, + final Path tslTemplate, + final Path tslSignerP12Path, + final boolean withInitialState) { retrieveCurrentTslSeqNrInTestObject(); if (withInitialState) { 
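Review bot: `switchTrustAnchor` gains a `description` parameter in the `@@ -93` hunk but has no Javadoc, so a reader cannot tell from the signature whether the text is logged, asserted, or only forwarded; from the next hunk it appears to be passed through to `updateTrustStore`. A short header would settle that, e.g. `/** Offers a TSL announcing a trust-anchor change; {@code description} is the human-readable step text handed to updateTrustStore, {@code withInitialState} restores the initial state first. */`. The method body continues past the end of this hunk.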
@@ -107,10 +121,15 @@ void switchTrustAnchor( log.info( "switchTrustAnchor:\ntslTemplate {}\n, tslSignerP12Path {}", tslTemplate, tslSignerP12Path); - importNewValidTrustAnchor( + updateTrustStore( + description, tslTemplate, tslSignerP12Path, - GemLibPkiUtils.now(), + OCSP_REQUEST_EXPECT, + null, + SKIP_USECASE, + null, + getActivationTimeModifier(tslSignerP12Path, GemLibPkiUtils.now()), OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR); log.info("switchTrustAnchor\n\n"); diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/support/OcspSeqNrUpdateMode.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/support/OcspSeqNrUpdateMode.java new file mode 100644 index 0000000..3688b32 --- /dev/null +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/support/OcspSeqNrUpdateMode.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2023 gematik GmbH + * + * Licensed under the Apache License, Version 2.0 (the License); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an 'AS IS' BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package de.gematik.pki.pkits.testsuite.approval.support; + +public enum OcspSeqNrUpdateMode { + UPDATE_OCSP_SEQ_NR, + DO_NOT_UPDATE_OCSP_SEQ_NR +} diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/PkitsTestSuiteUtils.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/PkitsTestSuiteUtils.java index a0503e3..6798d85 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/PkitsTestSuiteUtils.java 
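Review bot: The replacement call `updateTrustStore(description, tslTemplate, tslSignerP12Path, OCSP_REQUEST_EXPECT, null, SKIP_USECASE, null, getActivationTimeModifier(...), OcspSeqNrUpdateMode.UPDATE_OCSP_SEQ_NR)` passes two `null`s and a sentinel positionally, so the reader cannot see which checks or steps are being switched off. The removed `importNewValidTrustAnchor` passed `SIGNER_KEY_USAGE_CHECK_ENABLED` and `SIGNER_VALIDITY_CHECK_ENABLED` explicitly when building the download; since those flags are no longer visible at this call site, it is worth confirming (and noting in a comment) that `updateTrustStore` still applies the TSL-signer key-usage and validity checks for the trust-anchor switch. At minimum, inline comments on the `null` arguments naming the parameter each one stands for would make the intent reviewable. `switchTrustAnchor` starts outside this hunk.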
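Review bot: `OcspSeqNrUpdateMode` is promoted from a protected nested enum to a public top-level type without any Javadoc, so its two constants are now API with no stated meaning. The removed code in `importNewValidTrustAnchor` shows what `UPDATE_OCSP_SEQ_NR` triggers: after the TSL download completes, the TSL sequence number expected in OCSP requests is set to the number now expected in the test object. A class-level comment such as `/** Whether a completed TSL import also advances the TSL sequence number expected in subsequent OCSP requests. */` would capture that.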
+++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/PkitsTestSuiteUtils.java @@ -62,8 +62,10 @@ public static long waitForEventMillis( .pollInterval(Duration.ofMillis(pollIntervalMillis)) .until(eventChecker); } catch (final ConditionTimeoutException e) { - final String message = "Timeout for event \"%s\":: %s".formatted(name, getCallerTrace()); - log.error(message, e); + final String message = + "Timeout for event \"%s\"\n%s:%s\n:: %s%n" + .formatted(name, e.getClass().getCanonicalName(), e.getMessage(), getCallerTrace()); + log.error(message); throw new TestSuiteException(message, e); } final ZonedDateTime zdtEnd = ZonedDateTime.now(); diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/tsl/TslDownload.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/tsl/TslDownload.java index fdcb816..40b9401 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/tsl/TslDownload.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/common/tsl/TslDownload.java @@ -148,7 +148,7 @@ public void waitUntilOcspRequestForSignerOptional() { try { waitUntilOcspRequestForSigner(); } catch (final TestSuiteException e) { - log.info("no ocsp optional requests received -> continue\n\n"); + log.info("no (optional) OCSP requests received -> CONTINUE\n\n"); } } diff --git a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/config/TslSettings.java b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/config/TslSettings.java index 4da6334..497f6ed 100644 --- a/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/config/TslSettings.java +++ b/pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/config/TslSettings.java 
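Review bot: The new message format in `waitForEventMillis` ends with `%n`, and the same string is used as the `TestSuiteException` message, so every report that prints the exception message now carries a trailing line break; keeping `message` clean and emitting the newline only in the log call (`log.error("{}{}", message, System.lineSeparator())` or simply dropping `%n`) avoids that. `log.error(message)` also no longer logs `e`, which is acceptable here because `e` is chained into the thrown exception and `getCallerTrace()` is included, but that trade-off deserves a one-line comment. `e.getMessage()` may be null for some exceptions and would then print as the literal text "null". The enclosing method starts and ends outside this hunk.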
@@ -39,6 +39,7 @@ public class TslSettings { description = "Alternative template to generate a TSL with additional CAs during tests.") Path alternativeTemplate = Path.of("./testDataTemplates/tsl/TSL_altCA.xml"); + /** TSLTypeID 202 */ @ParameterDescription( withDefault = true, description = @@ -46,6 +47,7 @@ public class TslSettings { Path defectAlternativeCaBrokenTemplate = Path.of("./testDataTemplates/tsl/TSL_defect_altCA_broken.xml"); + /** TSLTypeID 203 */ @ParameterDescription( withDefault = true, description = @@ -53,6 +55,7 @@ public class TslSettings { Path defectAlternativeCaUnspecifiedTemplate = Path.of("./testDataTemplates/tsl/TSL_defect_unspecified-CA_altCA.xml"); + /** TSLTypeID 204 */ @ParameterDescription( withDefault = true, description = diff --git a/pkits-testsuite/src/site/pdf.xml b/pkits-testsuite/src/site/pdf.xml deleted file mode 100644 index 9d80adf..0000000 --- a/pkits-testsuite/src/site/pdf.xml +++ /dev/null @@ -1,30 +0,0 @@ - - - - - - gematik PKI test suite test report - gematik GmbH - - - - - - - - - ${project.name} - v. ${project.version} - Test report - ${project.name} - - ${project.organization.name} - - - diff --git a/pkits-testsuite/src/site/resources/pdf-config.xml b/pkits-testsuite/src/site/resources/pdf-config.xml deleted file mode 100644 index d9260ed..0000000 --- a/pkits-testsuite/src/site/resources/pdf-config.xml +++ /dev/null @@ -1,45 +0,0 @@ - - - - - - - - - - - 16.50in - 11.70in - 0.3in - 0.3in - 0.5in - 0.5in - - - - - \ No newline at end of file diff --git a/pkits-tls-client/pom.xml b/pkits-tls-client/pom.xml index 7d4bf05..1d09f38 100644 --- a/pkits-tls-client/pom.xml +++ b/pkits-tls-client/pom.xml @@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pkits-tls-client + 1.0.6 TLS Client TLS Client diff --git a/pkits-tsl-provider/pom.xml b/pkits-tsl-provider/pom.xml index 3737f9a..b19eb49 100644 --- a/pkits-tsl-provider/pom.xml +++ b/pkits-tsl-provider/pom.xml 
@@ -4,10 +4,11 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pkits-tsl-provider + 1.0.6 TSL Server Simulator Spring Boot TSL Provider diff --git a/pom.xml b/pom.xml index 62206e4..cdb7ac2 100644 --- a/pom.xml +++ b/pom.xml @@ -9,7 +9,7 @@ de.gematik.pki.pkits pkits-global - 1.0.1 + 1.0.6 pom PkiTs Uebergreifende Java PKI Testsuite @@ -104,6 +104,7 @@ 3.4.2 3.2.0 3.10.1 + 3.1.1 3.2.1 ${version.maven-surefire-plugin} 3.5.0 @@ -331,6 +332,11 @@ + + org.apache.maven.plugins + maven-deploy-plugin + ${version.maven-deploy-plugin} + @@ -512,6 +518,10 @@ + + org.apache.maven.plugins + maven-deploy-plugin +