]> WPIA git - gigi.git/blob - tests/club/wpia/gigi/pages/account/TestCertificateAdd.java
projects / gigi.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
upd: change wording
[gigi.git] / tests / club / wpia / gigi / pages / account / TestCertificateAdd.java
1 package club.wpia.gigi.pages.account;
2
3 import static org.hamcrest.CoreMatchers.*;
4 import static org.hamcrest.MatcherAssert.assertThat;
5 import static org.junit.Assert.*;
6
7 import java.io.ByteArrayInputStream;
8 import java.io.IOException;
9 import java.io.InputStreamReader;
10 import java.io.OutputStream;
11 import java.io.UnsupportedEncodingException;
12 import java.net.HttpURLConnection;
13 import java.net.MalformedURLException;
14 import java.net.URL;
15 import java.net.URLConnection;
16 import java.net.URLEncoder;
17 import java.security.GeneralSecurityException;
18 import java.security.KeyPair;
19 import java.security.Signature;
20 import java.security.cert.Certificate;
21 import java.security.cert.CertificateException;
22 import java.security.cert.CertificateFactory;
23 import java.security.cert.X509Certificate;
24 import java.text.SimpleDateFormat;
25 import java.util.Arrays;
26 import java.util.Base64;
27 import java.util.Calendar;
28 import java.util.Date;
29 import java.util.TimeZone;
30 import java.util.Vector;
31 import java.util.regex.Matcher;
32 import java.util.regex.Pattern;
33
34 import org.junit.Test;
35
36 import club.wpia.gigi.crypto.SPKAC;
37 import club.wpia.gigi.dbObjects.CertificateOwner;
38 import club.wpia.gigi.dbObjects.Digest;
39 import club.wpia.gigi.pages.account.certs.CertificateAdd;
40 import club.wpia.gigi.pages.account.certs.CertificateRequest;
41 import club.wpia.gigi.pages.account.certs.Certificates;
42 import club.wpia.gigi.testUtils.ClientTest;
43 import club.wpia.gigi.testUtils.IOUtils;
44 import club.wpia.gigi.util.PEM;
45 import club.wpia.gigi.util.RandomToken;
46 import sun.security.pkcs.PKCS7;
47 import sun.security.pkcs.PKCS9Attribute;
48 import sun.security.pkcs10.PKCS10Attribute;
49 import sun.security.pkcs10.PKCS10Attributes;
50 import sun.security.util.ObjectIdentifier;
51 import sun.security.x509.CertificateExtensions;
52 import sun.security.x509.DNSName;
53 import sun.security.x509.ExtendedKeyUsageExtension;
54 import sun.security.x509.GeneralName;
55 import sun.security.x509.GeneralNameInterface;
56 import sun.security.x509.GeneralNames;
57 import sun.security.x509.RFC822Name;
58 import sun.security.x509.SubjectAlternativeNameExtension;
59 import sun.security.x509.X509Key;
60
61 public class TestCertificateAdd extends ClientTest {
62
63     private static class OnPageError extends Error {
64
65         private static final long serialVersionUID = 1L;
66
67         public OnPageError(String page) {
68             super(page);
69         }
70     }
71
72     KeyPair kp = generateKeypair();
73
74     /**
75      * This KeyPair is used for testing the KeyCheck for proper rejection of
76      * invalid keys. The generated keys suffers from small factors.
77      */
78     KeyPair kpBroken = generateBrokenKeypair();
79
80     String csrf;
81
82     public TestCertificateAdd() throws GeneralSecurityException, IOException {
83         TestDomain.addDomain(cookie, uniq + ".tld");
84
85     }
86
87     @Test
88     public void testSimpleServer() throws IOException, GeneralSecurityException {
89         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
90                 CertificateRequest.OID_KEY_USAGE_SSL_SERVER
91         }, new DNSName(uniq + ".tld"));
92
93         String pem = generatePEMCSR(kp, "CN=a." + uniq + ".tld", atts);
94         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
95         assertArrayEquals(new String[] {
96                 "server", CertificateRequest.DEFAULT_CN, "dns:a." + uniq + ".tld\ndns:" + uniq + ".tld\n", Digest.SHA512.toString()
97         }, res);
98     }
99
100     @Test
101     public void testSimpleMail() throws IOException, GeneralSecurityException {
102         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
103                 CertificateRequest.OID_KEY_USAGE_EMAIL_PROTECTION
104         }, new DNSName("a." + uniq + ".tld"), new DNSName("b." + uniq + ".tld"), new RFC822Name(email));
105
106         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA384WithRSA");
107
108         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
109         assertArrayEquals(new String[] {
110                 "mail", "a b", "email:" + email + "\ndns:a." + uniq + ".tld\ndns:b." + uniq + ".tld\n", Digest.SHA384.toString()
111         }, res);
112     }
113
114     @Test
115     public void testSimpleClient() throws IOException, GeneralSecurityException {
116         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
117                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
118         }, new RFC822Name(email));
119
120         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA256WithRSA");
121
122         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
123         assertArrayEquals(new String[] {
124                 "client", "a b", "email:" + email + "\n", Digest.SHA256.toString()
125         }, res);
126     }
127
128     @Test
129     public void testSPKAC() throws GeneralSecurityException, IOException {
130         testSPKAC(false);
131         testSPKAC(true);
132     }
133
134     @Test
135     public void testIssue() throws IOException, GeneralSecurityException {
136         HttpURLConnection huc = sendCertificateForm("description");
137         URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
138         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
139
140         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer"));
141         byte[] cer = IOUtils.readURL(uc.getInputStream());
142         assertArrayEquals(cer, PEM.decode("CERTIFICATE", crt));
143
144         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install&chain"));
145         byte[] pkcs7 = IOUtils.readURL(uc.getInputStream());
146         PKCS7 p7 = new PKCS7(pkcs7);
147         byte[] sub = verifyChain(p7.getCertificates());
148         assertArrayEquals(cer, sub);
149         assertEquals("application/x-x509-user-cert", uc.getHeaderField("Content-type"));
150
151         uc = authenticate(new URL(huc.getHeaderField("Location")));
152         String gui = IOUtils.readURL(uc);
153         Pattern p = Pattern.compile("-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----");
154         Matcher m = p.matcher(gui);
155         assertTrue(m.find());
156         byte[] cert = PEM.decode("CERTIFICATE", m.group(0));
157         Certificate c = CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(cert));
158         gui = c.toString();
159         assertThat(gui, containsString("clientAuth"));
160         assertThat(gui, containsString("CN=" + CertificateRequest.DEFAULT_CN));
161         assertThat(gui, containsString("SHA512withRSA"));
162         assertThat(gui, containsString("RFC822Name: " + email));
163     }
164
165     @Test
166     public void testIssueWithDescription() throws IOException, GeneralSecurityException {
167         String description = "Just a new comment." + RandomToken.generateToken(32);
168         HttpURLConnection huc = sendCertificateForm(description);
169         assertEquals(302, huc.getResponseCode());
170
171         URLConnection uc = get(Certificates.PATH);
172         assertThat(IOUtils.readURL(uc), containsString(description));
173
174         description = "Just a new comment." + RandomToken.generateToken(100);
175         huc = sendCertificateForm(description);
176         assertThat(fetchStartErrorMessage(IOUtils.readURL(huc)), containsString("Submitted description is longer than 100 characters."));
177     }
178
179     private HttpURLConnection sendCertificateForm(String description) throws IOException, GeneralSecurityException {
180         HttpURLConnection huc = openCertificateForm();
181         OutputStream out = huc.getOutputStream();
182         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
183         out.write(("&CN=" + URLEncoder.encode(CertificateRequest.DEFAULT_CN, "UTF-8") + "&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
184         out.write(("&hash_alg=SHA512").getBytes("UTF-8"));
185         out.write(("&description=" + URLEncoder.encode(description, "UTF-8")).getBytes("UTF-8"));
186         return huc;
187     }
188
189     private HttpURLConnection openCertificateForm() throws IOException, GeneralSecurityException, UnsupportedEncodingException {
190         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
191                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
192         }, new RFC822Name(email));
193
194         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
195
196         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
197         assertArrayEquals(new String[] {
198                 "client", "a b", "email:" + email + "\n", Digest.SHA512.toString()
199         }, res);
200
201         HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
202         huc.setRequestProperty("Cookie", cookie);
203         huc.setDoOutput(true);
204         return huc;
205     }
206
207     private byte[] verifyChain(X509Certificate[] x509Certificates) throws GeneralSecurityException {
208         X509Certificate current = null;
209         nextCert:
210         while (true) {
211             for (int i = 0; i < x509Certificates.length; i++) {
212                 X509Certificate cert = x509Certificates[i];
213                 if (current == null) {
214                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
215                         current = cert;
216                         continue nextCert;
217                     }
218                 } else {
219                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
220                         continue;
221                     }
222                     if (current.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
223                         Signature s = Signature.getInstance(cert.getSigAlgName());
224                         s.initVerify(current.getPublicKey());
225                         s.update(cert.getTBSCertificate());
226                         assertTrue(s.verify(cert.getSignature()));
227                         current = cert;
228                         continue nextCert;
229                     }
230                 }
231             }
232             assertNotNull(current);
233             return current.getEncoded();
234         }
235     }
236
237     @Test
238     public void testValidityPeriodCalendar() throws IOException, GeneralSecurityException {
239         testCertificateValidityRelative(Calendar.YEAR, 2, "2y", true);
240         testCertificateValidityRelative(Calendar.YEAR, 1, "1y", true);
241         testCertificateValidityRelative(Calendar.MONTH, 3, "3m", true);
242         testCertificateValidityRelative(Calendar.MONTH, 7, "7m", true);
243         testCertificateValidityRelative(Calendar.MONTH, 13, "13m", true);
244
245         testCertificateValidityRelative(Calendar.MONTH, 13, "-1m", false);
246     }
247
248     @Test
249     public void testValidityPeriodWhishStart() throws IOException, GeneralSecurityException {
250         long now = System.currentTimeMillis();
251         final long MS_PER_DAY = 24 * 60 * 60 * 1000;
252         now -= now % MS_PER_DAY;
253         now += MS_PER_DAY;
254         SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
255         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
256
257         Date start = new Date(now);
258         Date end = new Date(now + MS_PER_DAY * 10);
259         String validity = "&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end);
260         X509Certificate res = createCertWithValidity(validity, false);
261         assertNotNull(validity, res);
262         assertEquals(start, res.getNotBefore());
263         assertEquals(end, res.getNotAfter());
264     }
265
266     private void testCertificateValidityRelative(int field, int amount, String length, boolean shouldsucceed) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
267         X509Certificate parsed = createCertWithValidity("&validFrom=now&validity=" + length, false);
268         if (parsed == null) {
269             assertTrue( !shouldsucceed);
270             return;
271         } else {
272             assertTrue(shouldsucceed);
273         }
274
275         long now = System.currentTimeMillis();
276         Date start = parsed.getNotBefore();
277         Date end = parsed.getNotAfter();
278         Calendar c = Calendar.getInstance();
279         c.setTimeZone(TimeZone.getTimeZone("UTC"));
280         c.setTime(start);
281         c.add(field, amount);
282         assertTrue(Math.abs(start.getTime() - now) < 10000);
283         assertEquals(c.getTime(), end);
284     }
285
286     private X509Certificate createCertWithValidity(String validity, boolean login) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
287         HttpURLConnection huc = openCertificateForm();
288         OutputStream out = huc.getOutputStream();
289         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
290         out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
291         out.write(("&hash_alg=SHA512&").getBytes("UTF-8"));
292         if (login) {
293             out.write(("login=1&").getBytes("UTF-8"));
294         }
295         out.write(validity.getBytes("UTF-8"));
296
297         String certurl = huc.getHeaderField("Location");
298         if (certurl == null) {
299             return null;
300         }
301         URLConnection uc = authenticate(new URL(certurl + ".crt"));
302         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
303
304         CertificateFactory cf = CertificateFactory.getInstance("X.509");
305         X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(crt.getBytes("UTF-8")));
306         return parsed;
307     }
308
309     private URLConnection authenticate(URL url) throws IOException {
310         URLConnection uc = url.openConnection();
311         uc.setRequestProperty("Cookie", cookie);
312         return uc;
313     }
314
315     protected String testSPKAC(boolean correctChallenge) throws GeneralSecurityException, IOException {
316         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
317         uc.setRequestProperty("Cookie", cookie);
318         String s = IOUtils.readURL(uc);
319
320         csrf = extractPattern(s, Pattern.compile("<input [^>]*name='csrf' [^>]*value='([^']*)'>"));
321         String challenge = extractPattern(s, Pattern.compile("<keygen [^>]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>"));
322
323         SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallenge ? "" : "b"));
324         Signature sign = Signature.getInstance("SHA512WithRSA");
325         sign.initSign(kp.getPrivate());
326         try {
327             String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8"));
328             if ( !correctChallenge) {
329                 fail("Should not succeed with wrong challenge.");
330             }
331             assertArrayEquals(new String[] {
332                     "client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString()
333             }, res);
334         } catch (OnPageError e) {
335             String error = fetchStartErrorMessage(e.getMessage());
336             assertTrue(error, error.startsWith("<p>Challenge mismatch"));
337         }
338         return csrf;
339     }
340
341     private PKCS10Attributes buildAtts(ObjectIdentifier[] ekuOIDs, GeneralNameInterface... SANs) throws IOException {
342         CertificateExtensions attributeValue = new CertificateExtensions();
343         GeneralNames names = new GeneralNames();
344
345         for (GeneralNameInterface name : SANs) {
346             names.add(new GeneralName(name));
347         }
348         attributeValue.set("SANs", new SubjectAlternativeNameExtension(names));
349         PKCS10Attributes atts = new PKCS10Attributes(new PKCS10Attribute[] {
350                 new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue)
351         });
352         ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(//
353                 new Vector<>(Arrays.<ObjectIdentifier>asList(ekuOIDs)));
354         attributeValue.set("eku", eku);
355         return atts;
356     }
357
358     private final URL ncert = new URL("https://" + getServerName() + CertificateAdd.PATH);
359
360     private String[] fillOutForm(String pem) throws IOException {
361         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
362         uc.setRequestProperty("Cookie", cookie);
363         csrf = getCSRF(uc);
364         return fillOutFormDirect(pem);
365
366     }
367
368     private String[] fillOutFormDirect(String pem) throws IOException {
369
370         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
371         uc.setRequestProperty("Cookie", cookie);
372         uc.setDoOutput(true);
373         uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" + pem).getBytes("UTF-8"));
374         uc.getOutputStream().flush();
375
376         return extractFormData(uc);
377     }
378
379     private String[] extractFormData(HttpURLConnection uc) throws IOException, Error {
380         String result = IOUtils.readURL(uc);
381         if (hasError().matches(result)) {
382             throw new OnPageError(result);
383         }
384
385         String profileKey = extractPattern(result, Pattern.compile("<option value=\"([^\"]*)\" selected>"));
386         String resultingCN = extractPattern(result, Pattern.compile("<input [^>]*name='CN' [^>]*value='([^']*)'/>"));
387         String txt = extractPattern(result, Pattern.compile("<textarea [^>]*name='SANs' [^>]*>([^<]*)</textarea>"));
388         String md = extractPattern(result, Pattern.compile("<input type=\"radio\" [^>]*name=\"hash_alg\" value=\"([^\"]*)\" checked='checked'/>"));
389         return new String[] {
390                 profileKey, resultingCN, txt, md
391         };
392     }
393
394     private String extractPattern(String result, Pattern p) {
395         Matcher m = p.matcher(result);
396         assertTrue(m.find());
397         String resultingCN = m.group(1);
398         return resultingCN;
399     }
400
401     @Test
402     public void testSetLoginEnabled() throws IOException, GeneralSecurityException {
403         X509Certificate parsedLoginNotEnabled = createCertWithValidity("&validFrom=now&validity=1m", false);
404         assertNull(CertificateOwner.getByEnabledSerial(parsedLoginNotEnabled.getSerialNumber()));
405
406         X509Certificate parsedLoginEnabled = createCertWithValidity("&validFrom=now&validity=1m", true);
407         assertEquals(u, CertificateOwner.getByEnabledSerial(parsedLoginEnabled.getSerialNumber()));
408     }
409
410     @Test
411     public void testInvalidKeyInCSR() throws IOException, GeneralSecurityException {
412         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
413                 CertificateRequest.OID_KEY_USAGE_SSL_SERVER
414         }, new DNSName(uniq + ".tld"));
415
416         String pem = generatePEMCSR(kpBroken, "CN=a." + uniq + ".tld", atts);
417
418         HttpURLConnection huc = post(CertificateAdd.PATH, "CSR=" + URLEncoder.encode(pem, "UTF-8"));
419         assertThat(IOUtils.readURL(huc), hasError());
420     }
421
422 }
WPIA Certificate Web Issuance Platform