Using CERTivity Samples
------

The sample folder, {certivity.home}/doc/samples, contains PKI files grouped by type in 10 sub-folders, listed below. When you open a file of a given type for the first time, CERTivity points to the corresponding sample directory.
- KeyStore Samples;
- CRL Samples;
- CSR Samples;
- Certificate Samples;
- KeyPair Samples;
- Private Key Samples;
- Public Key Samples;
- JAR Signature Samples;
- PDF Signature Samples;
- XML Signature Samples.


KeyStore Samples
---

The keystore folder contains a KeyStore sample for each of the KeyStore types supported by CERTivity.
The KeyStore samples in this folder use the following passwords, unless explicitly specified otherwise:
- KeyStore password: kspwd;
- Private Key (Key Pair) password: pkpwd;
- Secret Key password: skpwd.

Public key certificates do not have passwords, because normally there is no need to keep them secret. Public and private keys have a one-to-one correspondence: a matching public and private key are called a Key Pair.

A KeyStore, as the name implies, provides storage for keys. CERTivity supports the following KeyStore types:
- JKS - Java KeyStore (Oracle's KeyStore format);
- PKCS#12 - Public-Key Cryptography Standards #12 KeyStore (RSA's Personal Information Exchange Syntax Standard);
- JCEKS - Java Cryptography Extension KeyStore (More secure version of JKS);
- BKS - Bouncy Castle KeyStore (Bouncy Castle's version of JKS);
- UBER - Bouncy Castle UBER KeyStore (More secure version of BKS).

The following KeyStore sample files are available:

- JKS-KeyStore-sample.jks is a JKS KeyStore sample. A JKS KeyStore is protected by a password. Each private key inside a JKS KeyStore is protected by a password. JKS does not support secret keys. JKS supports only lower case aliases.

- PKCS12-KeyStore-Sample.p12 is a PKCS#12 KeyStore sample. A PKCS#12 KeyStore is protected by a password. If the PKCS#12 KeyStore uses a password that is longer than 7 characters, you may need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files so you can read the file. This is a matter of U.S. policy and U.S. export controls (not due to technical reasons).
You can download the required Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 1.7 from:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.
The private keys inside a PKCS#12 KeyStore are not protected by a password.
PKCS#12 does not support secret keys.
PKCS#12 KeyStore supports case-aware aliases.

- PKCS12-large-password.p12 is an example of a PKCS#12 KeyStore with a password longer than 7 characters - this sample's password is 123456789. As described above, because the password is longer than 7 characters, you will need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to open this KeyStore.

- JCEKS-KeyStore-Sample.jce is a JCEKS KeyStore sample. A JCEKS KeyStore is protected by a password. Each private and secret key inside the KeyStore can be protected by a password. JCEKS KeyStore supports secret keys. Secret keys are used by symmetric encryption algorithms. The sample file contains every type of secret key (by algorithm) supported by CERTivity: AES; ARCFOUR; Blowfish; DES; DESede; HmacMD5; HmacSHA1; HmacSHA256; HmacSHA384; HmacSHA512; RC2. You cannot use secret keys for SSL (the SSL protocol actually generates secret keys on the fly, but normally you don't have control over them).
JCEKS supports only lower case aliases.

- BKS-KeyStore-Sample.bks is a BKS KeyStore sample. A BKS KeyStore is protected by a password and it supports secret keys.
BKS supports case sensitive aliases.

- UBER-KeyStore-Sample.ubr is a UBER KeyStore sample. A UBER KeyStore is protected by a password and it supports secret keys.
UBER supports case sensitive aliases.

CRL Samples
---

In the crl folder, you can find 3 Certificate Revocation List (CRL) files:
- a sample CRL file (DER type, containing 5 revoked certificates, 2 extensions (and 2 extensions for each Revoked Certificate Entry) and a valid "Next Update" date) - SampleDerCrl.crl;
- a sample CRL file (DER type, containing no revoked certificates, 2 extensions, and a valid "Next Update" date) - SampleDerCrlNoRevokedCerts.crl;
- a sample CRL file (PEM type, containing 5 revoked certificates, 2 extensions (and 2 extensions for each Revoked Certificate Entry) and a "Next Update" date that has passed) - SamplePemCrl.pem.

A CRL (Certificate Revocation List) file is a list of certificates (more exactly, a list of the serial numbers of the certificates) which have been revoked. You can also open remote Certificate Revocation Lists using a CRL URL.


CSR Samples
---

In the csr folder, you can find:
 - a generated CSR file (with challenge password: sample challenge) - CSR-File-Sample(kp-dsaver1).p10 (made using the Key Pair kp-dsaver1 from the JKS-KeyStore-sample.jks KeyStore) and a CA Reply file - CAReply(kp-dsaver1).p7r;
 - a generated CSR file (with no challenge password) - CSR-File-Sample(kp-md5rsaver1).p10 (made using the Key Pair kp-md5rsaver1 from the JKS-KeyStore-sample.jks KeyStore) and a CA Reply file - CAReply(kp-md5rsaver1).p7r;
 - a generated CSR file (with no challenge password) - CSR-File-Sample(kp-sha1rsaver3).p10 (made using the Key Pair kp-sha1rsaver3 from the JKS-KeyStore-sample.jks KeyStore) and a CA Reply file - CAReply(kp-sha1rsaver3).p7r.

A CSR file is a Certificate Signing Request file. The CA Reply is the reply received from a CA (Certification Authority) as the result of submitting a Certificate Signing Request (CSR) to that CA. You can import the CA Reply file and add it to the Certificate Chain of a Key Pair.


Certificate Samples
---

In the certificates folder, you can find:
	- a valid certificate - jira.cer;
	- an expired certificate - delicious.cer;
	- examples of certificates that can be obtained by using the "Export Certificate" feature of the CERTivity application. The exported certificates can be PEM encoded or not. The following formats are supported:
		- X.509 Certificate Files;
		- X.509 Certificate Files (PEM encrypted);
		- PKCS #7 Certificate Files;
		- PKCS #7 Certificate Files (PEM encrypted);
		- PKI Path Certificate Files.
	There is an example for each of the supported types.


Key Pair Samples
---

CERTivity can export key pairs to files with the extension .p12 or .pfx.
In the keypair folder, you can find two key pair files, one with .p12 extension and the other with .pfx extension.
Both of them were exported using the password: pkpwd.


Private Key Samples
---

CERTivity can export two types of private keys: PKCS#8 and OpenSSL.
For the PKCS#8 type, the private key can be PEM encoded or not; for OpenSSL, only PEM encoded is available.
Both types can also be encrypted using a specific encryption algorithm.
For PKCS#8, the following encryption algorithms are available:
	- PBE_SHA1_2DES,
	- PBE_SHA1_3DES,
	- PBE_SHA1_RC2_40,
	- PBE_SHA1_RC2_128,
	- PBE_SHA1_RC4_40,
	- PBE_SHA1_RC4_128.
For OpenSSL, the following encryption algorithms are available:
	- AES_128_CBC, AES_128_CFB, AES_128_ECB, AES_128_OFB,
	- BF_CBC, BF_CFB, BF_ECB, BF_OFB,
	- DES_CBC, DES_CFB, DES_ECB, DES_OFB,
	- DES_EDE, DES_EDE_CBC, DES_EDE_CFB, DES_EDE_ECB, DES_EDE_OFB,
	- DES_EDE3, DES_EDE3_CBC, DES_EDE3_CFB, DES_EDE3_ECB, DES_EDE3_OFB,
	- RC2_CBC, RC2_CFB, RC2_ECB, RC2_OFB, RC2_40_CBC, RC2_64_CBC.

There is a sample for each private key type and each encryption algorithm. The private keys were encrypted using the password pkpwd.


Public Key Sample
---

Public keys can be exported in OpenSSL format, PEM encoded or not.
In the publickey folder, you can find samples for both possibilities.


JAR Signature Samples
---

The jar folder contains a JAR file and copies of it signed with different methods.
The signed JARs use the signature file name kp-md2rsaver1, from JKS-KeyStore-sample.jks, and the MD2 with RSA, MD5 with RSA and SHA1 with RSA signature algorithms. To see the signing results, check the META-INF folder of the JAR and look into the MANIFEST.MF.


PDF Samples
---

The pdf folder contains an unsigned PDF - UnsignedPDF.pdf - and copies of it signed with the following signature subfilters:
 - ADBE_PKCS7_DETACHED - SignedPDFwith ADBE_PKCS7_DETACHED.pdf,
 - ADBE_PKCS7_SHA1 - SignedPDFwithADBE_PKCS7_SHA1.pdf,
 - ADBE_X509_RSA_SHA - SignedPDFwithADBE_X509_RSA_SHA.pdf.
To see the signature, open the PDF file, look into the signature panel and see the signature details.
 
 
XML Samples
---

The xml folder contains an unsigned XML file - Unsigned.xml. CERTivity supports the following signature types:
	- enveloped - the signature is applied over the XML content that contains the signature as an element. See: Signed_Enveloped_SHA1_Inclusive.xml; Signed_Enveloped_SHA1_Exclusive.xml;
	- enveloping - the signature is applied over the content found within an Object element of the signature itself. See: Signed_Enveloping_SHA1_Inclusive.xml; Signed_Enveloping_SHA1_Exclusive.xml;
	- detached - the signature is applied over content external to the Signature element, which can be identified by way of a URI or a transform. See: Signed_Detached_SHA1_Exclusive.xml; Signed_Detached_SHA1_Inclusive.xml.
Available digest algorithms: SHA1; SHA256; SHA512.
The samples were signed using the kp-md2rsaver1 Key Pair from the JKS-KeyStore-sample.jks KeyStore.
For the detached signature, the unsigned XML file and the signed file must be in the same directory, because the signed file contains a URI reference to the unsigned file.
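
The three signature types above can be told apart from the structure of the signed file alone, which is a useful check that a signature covers the content you think it covers. The following is an added example, not part of CERTivity or its samples: it assumes the standard W3C XML-DSig namespace and element names, uses small constructed documents instead of the sample files, and performs no cryptographic verification.

```python
import xml.etree.ElementTree as ET  # fine for these constructed inputs only

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ENVELOPED = DS + "enveloped-signature"  # transform that drops the Signature itself

def kind_of(uri, transforms, object_ids):
    if uri.startswith("#") and uri[1:] in object_ids:
        return "enveloping"   # signed content lives in a ds:Object of the signature
    if ENVELOPED in transforms:
        return "enveloped"    # signed content is the document holding the signature
    if uri == "":
        return "malformed"    # whole-document reference that would cover the signature
    return "detached"         # signed content is outside the Signature element

def classify_references(xml_text):
    """Return [(URI, kind)] for every ds:Reference; no cryptographic check is done."""
    root = ET.fromstring(xml_text)
    found = []
    for sig in (e for e in root.iter() if e.tag == "{%s}Signature" % DS):
        object_ids = {e.get("Id") for obj in sig.findall("ds:Object", NS)
                      for e in obj.iter() if e.get("Id")}
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            transforms = {t.get("Algorithm")
                          for t in ref.findall("ds:Transforms/ds:Transform", NS)}
            uri = ref.get("URI", "")
            found.append((uri, kind_of(uri, transforms, object_ids)))
    return found

# Constructed documents (structure only, placeholder signature value).
def _sig(reference, extra=""):
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>%s</ds:SignedInfo>'
            "<ds:SignatureValue>constructed</ds:SignatureValue>%s</ds:Signature>"
            % (DS, reference, extra))

ENVELOPED_DOC = "<doc><data>x</data>%s</doc>" % _sig(
    '<ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="%s"/>'
    "</ds:Transforms></ds:Reference>" % ENVELOPED)
ENVELOPING_DOC = _sig('<ds:Reference URI="#payload"/>',
                      '<ds:Object Id="payload"><data>x</data></ds:Object>')
DETACHED_DOC = _sig('<ds:Reference URI="Unsigned.xml"/>')

if __name__ == "__main__":
    for name, doc in [("enveloped", ENVELOPED_DOC), ("enveloping", ENVELOPING_DOC),
                      ("detached", DETACHED_DOC)]:
        print(name, classify_references(doc))
```

The detached case returns the relative URI Unsigned.xml, which is why the signed and unsigned files have to sit in the same directory for the reference to resolve.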
