authenticatingCrossSignedCertificate() — netty Function Reference

Source Code

pkitesting/src/test/java/io/netty/pkitesting/CertificateBuilderTest.java lines 444–467

    @Test
    void authenticatingCrossSignedCertificate() throws Exception {
        CertificateBuilder caBuilder = BASE.copy()
                .setIsCertificateAuthority(true)
                .setKeyUsage(true, KeyUsage.digitalSignature, KeyUsage.keyCertSign, KeyUsage.cRLSign);

        // Roots. Different subjects.
        X509Bundle oldRoot = caBuilder.subject("CN=root-a").buildSelfSigned();
        X509Bundle newRoot = caBuilder.subject("CN=root-b").buildSelfSigned();

        // Intermediates. Same subject. Will be cross-signed.
        CertificateBuilder intermediateBuilder = caBuilder.copy().subject("CN=issuer.netty.io");
        X509Bundle oldIssuer = intermediateBuilder.buildIssuedBy(oldRoot);
        X509Bundle crossIssuer = intermediateBuilder.keyPair(oldIssuer.getKeyPair()).buildIssuedBy(newRoot);

        // Leaf. Cross-signed by cross-signed issuer.
        CertificateBuilder leafBuilder = BASE.copy().subject("CN=leaf.netty.io").addExtendedKeyUsageClientAuth();
        X509Bundle leaf = leafBuilder.buildIssuedBy(crossIssuer)
                .mergeIntermediates(leafBuilder.buildIssuedBy(oldIssuer));

        // This trust manager only knows about the old root. It will throw if it can't find a path to it.
        X509TrustManager oldRootTrustManager = (X509TrustManager) oldRoot.toTrustManager();
        oldRootTrustManager.checkClientTrusted(leaf.getCertificatePath(), "UNKNOWN");
    }