1 package org.cacert.gigi.pages.account;
3 import static org.hamcrest.CoreMatchers.*;
4 import static org.junit.Assert.*;
6 import java.io.ByteArrayInputStream;
7 import java.io.IOException;
8 import java.io.InputStreamReader;
9 import java.io.OutputStream;
10 import java.io.UnsupportedEncodingException;
11 import java.net.HttpURLConnection;
12 import java.net.MalformedURLException;
14 import java.net.URLConnection;
15 import java.net.URLEncoder;
16 import java.security.GeneralSecurityException;
17 import java.security.KeyPair;
18 import java.security.Signature;
19 import java.security.cert.CertificateException;
20 import java.security.cert.CertificateFactory;
21 import java.security.cert.X509Certificate;
22 import java.text.SimpleDateFormat;
23 import java.util.Arrays;
24 import java.util.Base64;
25 import java.util.Calendar;
26 import java.util.Date;
27 import java.util.TimeZone;
28 import java.util.Vector;
29 import java.util.regex.Matcher;
30 import java.util.regex.Pattern;
32 import org.cacert.gigi.crypto.SPKAC;
33 import org.cacert.gigi.dbObjects.Digest;
34 import org.cacert.gigi.dbObjects.User;
35 import org.cacert.gigi.pages.account.certs.CertificateAdd;
36 import org.cacert.gigi.pages.account.certs.CertificateIssueForm;
37 import org.cacert.gigi.testUtils.IOUtils;
38 import org.cacert.gigi.testUtils.ManagedTest;
39 import org.cacert.gigi.util.PEM;
40 import org.junit.Test;
42 import sun.security.pkcs.PKCS9Attribute;
43 import sun.security.pkcs10.PKCS10Attribute;
44 import sun.security.pkcs10.PKCS10Attributes;
45 import sun.security.util.ObjectIdentifier;
46 import sun.security.x509.CertificateExtensions;
47 import sun.security.x509.DNSName;
48 import sun.security.x509.ExtendedKeyUsageExtension;
49 import sun.security.x509.GeneralName;
50 import sun.security.x509.GeneralNameInterface;
51 import sun.security.x509.GeneralNames;
52 import sun.security.x509.RFC822Name;
53 import sun.security.x509.SubjectAlternativeNameExtension;
54 import sun.security.x509.X509Key;
56 public class TestCertificateAdd extends ManagedTest {
58 KeyPair kp = generateKeypair();
60 User u = User.getById(createVerifiedUser("testuser", "testname", uniq + "@testdom.com", TEST_PASSWORD));
62 String session = login(uniq + "@testdom.com", TEST_PASSWORD);
66 public TestCertificateAdd() throws GeneralSecurityException, IOException {
67 TestDomain.addDomain(session, uniq + ".tld");
72 public void testSimpleServer() throws IOException, GeneralSecurityException {
73 PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
74 CertificateIssueForm.OID_KEY_USAGE_SSL_SERVER
75 }, new DNSName(uniq + ".tld"));
77 String pem = generatePEMCSR(kp, "CN=a." + uniq + ".tld", atts);
79 String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
80 assertArrayEquals(new String[] {
81 "server", "CAcert WoT User", "dns:a." + uniq + ".tld\ndns:" + uniq + ".tld\n", Digest.SHA256.toString()
86 public void testSimpleMail() throws IOException, GeneralSecurityException {
87 PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
88 CertificateIssueForm.OID_KEY_USAGE_EMAIL_PROTECTION
89 }, new DNSName("a." + uniq + ".tld"), new DNSName("b." + uniq + ".tld"), new RFC822Name(uniq + "@testdom.com"));
91 String pem = generatePEMCSR(kp, "CN=testuser testname", atts, "SHA384WithRSA");
93 String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
94 assertArrayEquals(new String[] {
95 "mail", "testuser testname", "dns:a." + uniq + ".tld\ndns:b." + uniq + ".tld\nemail:" + uniq + "@testdom.com\n", Digest.SHA384.toString()
100 public void testSimpleClient() throws IOException, GeneralSecurityException {
101 PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
102 CertificateIssueForm.OID_KEY_USAGE_SSL_CLIENT
103 }, new RFC822Name(uniq + "@testdom.com"));
105 String pem = generatePEMCSR(kp, "CN=testuser testname,email=" + uniq + "@testdom.com", atts, "SHA512WithRSA");
107 String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
108 assertArrayEquals(new String[] {
109 "client", "testuser testname", "email:" + uniq + "@testdom.com\n", Digest.SHA512.toString()
114 public void testSPKAC() throws GeneralSecurityException, IOException {
120 public void testIssue() throws IOException, GeneralSecurityException {
121 PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
122 CertificateIssueForm.OID_KEY_USAGE_SSL_CLIENT
123 }, new RFC822Name(uniq + "@testdom.com"));
125 String pem = generatePEMCSR(kp, "CN=testuser testname,email=" + uniq + "@testdom.com", atts, "SHA512WithRSA");
127 String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
128 assertArrayEquals(new String[] {
129 "client", "testuser testname", "email:" + uniq + "@testdom.com\n", Digest.SHA512.toString()
132 HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
133 huc.setRequestProperty("Cookie", session);
134 huc.setDoOutput(true);
135 OutputStream out = huc.getOutputStream();
136 out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes());
137 out.write(("&profile=client&CN=testuser+testname&SANs=" + URLEncoder.encode("email:" + uniq + "@testdom.com\n", "UTF-8")).getBytes());
138 out.write(("&hash_alg=SHA512&CCA=y").getBytes());
139 URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
140 String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
142 uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer"));
143 byte[] cer = IOUtils.readURL(uc.getInputStream());
144 assertArrayEquals(cer, PEM.decode("CERTIFICATE", crt));
146 uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install"));
147 byte[] cer2 = IOUtils.readURL(uc.getInputStream());
148 assertArrayEquals(cer, cer2);
149 assertEquals("application/x-x509-user-cert", uc.getHeaderField("Content-type"));
151 uc = authenticate(new URL(huc.getHeaderField("Location")));
152 String gui = IOUtils.readURL(uc);
153 assertThat(gui, containsString("clientAuth"));
154 assertThat(gui, containsString("CN=testuser testname"));
155 assertThat(gui, containsString("SHA512withRSA"));
156 assertThat(gui, containsString("RFC822Name: " + uniq + "@testdom.com"));
161 public void testValidityPeriodCalendar() throws IOException, GeneralSecurityException {
162 testCertificateValidityRelative(Calendar.YEAR, 2, "2y", true);
163 testCertificateValidityRelative(Calendar.YEAR, 1, "1y", true);
164 testCertificateValidityRelative(Calendar.MONTH, 3, "3m", true);
165 testCertificateValidityRelative(Calendar.MONTH, 7, "7m", true);
166 testCertificateValidityRelative(Calendar.MONTH, 13, "13m", true);
168 testCertificateValidityRelative(Calendar.MONTH, 13, "-1m", false);
172 public void testValidityPeriodWhishStart() throws IOException, GeneralSecurityException {
173 long now = System.currentTimeMillis();
174 final long MS_PER_DAY = 24 * 60 * 60 * 1000;
175 now -= now % MS_PER_DAY;
177 SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
178 sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
180 Date start = new Date(now);
181 Date end = new Date(now + MS_PER_DAY * 10);
182 X509Certificate res = createCertWithValidity("&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end));
183 assertEquals(start, res.getNotBefore());
184 assertEquals(end, res.getNotAfter());
187 private void testCertificateValidityRelative(int field, int amount, String length, boolean shouldsucceed) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
188 X509Certificate parsed = createCertWithValidity("&validFrom=now&validity=" + length);
189 if (parsed == null) {
190 assertTrue( !shouldsucceed);
193 assertTrue(shouldsucceed);
196 long now = System.currentTimeMillis();
197 Date start = parsed.getNotBefore();
198 Date end = parsed.getNotAfter();
199 Calendar c = Calendar.getInstance();
200 c.setTimeZone(TimeZone.getTimeZone("UTC"));
202 c.add(field, amount);
203 assertTrue(Math.abs(start.getTime() - now) < 10000);
204 assertEquals(c.getTime(), end);
207 private X509Certificate createCertWithValidity(String validity) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
208 PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
209 CertificateIssueForm.OID_KEY_USAGE_SSL_CLIENT
210 }, new RFC822Name(uniq + "@testdom.com"));
212 String pem = generatePEMCSR(kp, "CN=testuser testname", atts, "SHA512WithRSA");
213 fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
215 HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
216 huc.setRequestProperty("Cookie", session);
217 huc.setDoOutput(true);
218 OutputStream out = huc.getOutputStream();
219 out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes());
220 out.write(("&profile=client&CN=testuser+testname&SANs=" + URLEncoder.encode("email:" + uniq + "@testdom.com\n", "UTF-8")).getBytes());
221 out.write(("&hash_alg=SHA512&CCA=y&").getBytes());
222 out.write(validity.getBytes());
224 String certurl = huc.getHeaderField("Location");
225 if (certurl == null) {
228 URLConnection uc = authenticate(new URL(certurl + ".crt"));
229 String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
231 CertificateFactory cf = CertificateFactory.getInstance("X.509");
232 X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(crt.getBytes()));
236 private URLConnection authenticate(URL url) throws IOException {
237 URLConnection uc = url.openConnection();
238 uc.setRequestProperty("Cookie", session);
242 protected String testSPKAC(boolean correctChallange) throws GeneralSecurityException, IOException {
243 HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
244 uc.setRequestProperty("Cookie", session);
245 String s = IOUtils.readURL(uc);
247 csrf = extractPattern(s, Pattern.compile("<input [^>]*name='csrf' [^>]*value='([^']*)'>"));
248 String challenge = extractPattern(s, Pattern.compile("<keygen [^>]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>"));
250 SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallange ? "" : "b"));
251 Signature sign = Signature.getInstance("SHA512WithRSA");
252 sign.initSign(kp.getPrivate());
254 String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8"));
255 if ( !correctChallange) {
256 fail("Should not succeed with wrong challange.");
258 assertArrayEquals(new String[] {
259 "client", CertificateIssueForm.DEFAULT_CN, "", Digest.SHA512.toString()
262 assertTrue(e.getMessage().startsWith("<div>Challenge mismatch"));
267 private PKCS10Attributes buildAtts(ObjectIdentifier[] ekuOIDs, GeneralNameInterface... SANs) throws IOException {
268 CertificateExtensions attributeValue = new CertificateExtensions();
269 GeneralNames names = new GeneralNames();
271 for (GeneralNameInterface name : SANs) {
272 names.add(new GeneralName(name));
274 attributeValue.set("SANs", new SubjectAlternativeNameExtension(names));
275 PKCS10Attributes atts = new PKCS10Attributes(new PKCS10Attribute[] {
276 new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue)
278 ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(//
279 new Vector<>(Arrays.<ObjectIdentifier>asList(ekuOIDs)));
280 attributeValue.set("eku", eku);
284 private final URL ncert = new URL("https://" + getServerName() + CertificateAdd.PATH);
286 private String[] fillOutForm(String pem) throws IOException {
287 HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
288 uc.setRequestProperty("Cookie", session);
290 return fillOutFormDirect(pem);
294 private String[] fillOutFormDirect(String pem) throws IOException {
296 HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
297 uc.setRequestProperty("Cookie", session);
298 uc.setDoOutput(true);
299 uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" + pem).getBytes());
300 uc.getOutputStream().flush();
302 return extractFormData(uc);
305 private String[] extractFormData(HttpURLConnection uc) throws IOException, Error {
306 String result = IOUtils.readURL(uc);
307 if (result.contains("<div class='formError'>")) {
308 String s = fetchStartErrorMessage(result);
312 String profileKey = extractPattern(result, Pattern.compile("<option value=\"([^\"]*)\" selected>"));
313 String resultingCN = extractPattern(result, Pattern.compile("<input [^>]*name='CN' [^>]*value='([^']*)'>"));
314 String txt = extractPattern(result, Pattern.compile("<textarea [^>]*name='SANs' [^>]*>([^<]*)</textarea>"));
315 String md = extractPattern(result, Pattern.compile("<input type=\"radio\" [^>]*name=\"hash_alg\" value=\"([^\"]*)\" checked='checked'/>"));
316 return new String[] {
317 profileKey, resultingCN, txt, md
321 private String extractPattern(String result, Pattern p) {
322 Matcher m = p.matcher(result);
323 assertTrue(m.find());
324 String resultingCN = m.group(1);