tests/club/wpia/gigi/pages/account/TestCertificateAdd.java

   1 package club.wpia.gigi.pages.account;
   2
   3 import static org.hamcrest.CoreMatchers.*;
   4 import static org.junit.Assert.*;
   5
   6 import java.io.ByteArrayInputStream;
   7 import java.io.IOException;
   8 import java.io.InputStreamReader;
   9 import java.io.OutputStream;
  10 import java.io.UnsupportedEncodingException;
  11 import java.net.HttpURLConnection;
  12 import java.net.MalformedURLException;
  13 import java.net.URL;
  14 import java.net.URLConnection;
  15 import java.net.URLEncoder;
  16 import java.security.GeneralSecurityException;
  17 import java.security.KeyPair;
  18 import java.security.Signature;
  19 import java.security.cert.Certificate;
  20 import java.security.cert.CertificateException;
  21 import java.security.cert.CertificateFactory;
  22 import java.security.cert.X509Certificate;
  23 import java.text.SimpleDateFormat;
  24 import java.util.Arrays;
  25 import java.util.Base64;
  26 import java.util.Calendar;
  27 import java.util.Date;
  28 import java.util.TimeZone;
  29 import java.util.Vector;
  30 import java.util.regex.Matcher;
  31 import java.util.regex.Pattern;
  32
  33 import org.junit.Test;
  34
  35 import club.wpia.gigi.crypto.SPKAC;
  36 import club.wpia.gigi.dbObjects.CertificateOwner;
  37 import club.wpia.gigi.dbObjects.Digest;
  38 import club.wpia.gigi.pages.account.certs.CertificateAdd;
  39 import club.wpia.gigi.pages.account.certs.CertificateRequest;
  40 import club.wpia.gigi.testUtils.ClientTest;
  41 import club.wpia.gigi.testUtils.IOUtils;
  42 import club.wpia.gigi.util.PEM;
  43 import sun.security.pkcs.PKCS7;
  44 import sun.security.pkcs.PKCS9Attribute;
  45 import sun.security.pkcs10.PKCS10Attribute;
  46 import sun.security.pkcs10.PKCS10Attributes;
  47 import sun.security.util.ObjectIdentifier;
  48 import sun.security.x509.CertificateExtensions;
  49 import sun.security.x509.DNSName;
  50 import sun.security.x509.ExtendedKeyUsageExtension;
  51 import sun.security.x509.GeneralName;
  52 import sun.security.x509.GeneralNameInterface;
  53 import sun.security.x509.GeneralNames;
  54 import sun.security.x509.RFC822Name;
  55 import sun.security.x509.SubjectAlternativeNameExtension;
  56 import sun.security.x509.X509Key;
  57
  58 public class TestCertificateAdd extends ClientTest {
  59
  60     private static class OnPageError extends Error {
  61
  62         private static final long serialVersionUID = 1L;
  63
  64         public OnPageError(String page) {
  65             super(page);
  66         }
  67     }
  68
  69     KeyPair kp = generateKeypair();
  70
  71     String csrf;
  72
  73     public TestCertificateAdd() throws GeneralSecurityException, IOException {
  74         TestDomain.addDomain(cookie, uniq + ".tld");
  75
  76     }
  77
  78     @Test
  79     public void testSimpleServer() throws IOException, GeneralSecurityException {
  80         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
  81                 CertificateRequest.OID_KEY_USAGE_SSL_SERVER
  82         }, new DNSName(uniq + ".tld"));
  83
  84         String pem = generatePEMCSR(kp, "CN=a." + uniq + ".tld", atts);
  85         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
  86         assertArrayEquals(new String[] {
  87                 "server", CertificateRequest.DEFAULT_CN, "dns:a." + uniq + ".tld\ndns:" + uniq + ".tld\n", Digest.SHA512.toString()
  88         }, res);
  89     }
  90
  91     @Test
  92     public void testSimpleMail() throws IOException, GeneralSecurityException {
  93         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
  94                 CertificateRequest.OID_KEY_USAGE_EMAIL_PROTECTION
  95         }, new DNSName("a." + uniq + ".tld"), new DNSName("b." + uniq + ".tld"), new RFC822Name(email));
  96
  97         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA384WithRSA");
  98
  99         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
 100         assertArrayEquals(new String[] {
 101                 "mail", "a b", "email:" + email + "\ndns:a." + uniq + ".tld\ndns:b." + uniq + ".tld\n", Digest.SHA384.toString()
 102         }, res);
 103     }
 104
 105     @Test
 106     public void testSimpleClient() throws IOException, GeneralSecurityException {
 107         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
 108                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
 109         }, new RFC822Name(email));
 110
 111         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA256WithRSA");
 112
 113         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
 114         assertArrayEquals(new String[] {
 115                 "client", "a b", "email:" + email + "\n", Digest.SHA256.toString()
 116         }, res);
 117     }
 118
 119     @Test
 120     public void testSPKAC() throws GeneralSecurityException, IOException {
 121         testSPKAC(false);
 122         testSPKAC(true);
 123     }
 124
 125     @Test
 126     public void testIssue() throws IOException, GeneralSecurityException {
 127         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
 128                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
 129         }, new RFC822Name(email));
 130
 131         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
 132
 133         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
 134         assertArrayEquals(new String[] {
 135                 "client", "a b", "email:" + email + "\n", Digest.SHA512.toString()
 136         }, res);
 137
 138         HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
 139         huc.setRequestProperty("Cookie", cookie);
 140         huc.setDoOutput(true);
 141         OutputStream out = huc.getOutputStream();
 142         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
 143         out.write(("&CN=" + URLEncoder.encode(CertificateRequest.DEFAULT_CN, "UTF-8") + "&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
 144         out.write(("&hash_alg=SHA512").getBytes("UTF-8"));
 145         URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
 146         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
 147
 148         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer"));
 149         byte[] cer = IOUtils.readURL(uc.getInputStream());
 150         assertArrayEquals(cer, PEM.decode("CERTIFICATE", crt));
 151
 152         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install&chain"));
 153         byte[] pkcs7 = IOUtils.readURL(uc.getInputStream());
 154         PKCS7 p7 = new PKCS7(pkcs7);
 155         byte[] sub = verifyChain(p7.getCertificates());
 156         assertArrayEquals(cer, sub);
 157         assertEquals("application/x-x509-user-cert", uc.getHeaderField("Content-type"));
 158
 159         uc = authenticate(new URL(huc.getHeaderField("Location")));
 160         String gui = IOUtils.readURL(uc);
 161         Pattern p = Pattern.compile("-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----");
 162         Matcher m = p.matcher(gui);
 163         assertTrue(m.find());
 164         byte[] cert = PEM.decode("CERTIFICATE", m.group(0));
 165         Certificate c = CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(cert));
 166         gui = c.toString();
 167         assertThat(gui, containsString("clientAuth"));
 168         assertThat(gui, containsString("CN=" + CertificateRequest.DEFAULT_CN));
 169         assertThat(gui, containsString("SHA512withRSA"));
 170         assertThat(gui, containsString("RFC822Name: " + email));
 171
 172     }
 173
 174     private byte[] verifyChain(X509Certificate[] x509Certificates) throws GeneralSecurityException {
 175         X509Certificate current = null;
 176         nextCert:
 177         while (true) {
 178             for (int i = 0; i < x509Certificates.length; i++) {
 179                 X509Certificate cert = x509Certificates[i];
 180                 if (current == null) {
 181                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
 182                         current = cert;
 183                         continue nextCert;
 184                     }
 185                 } else {
 186                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
 187                         continue;
 188                     }
 189                     if (current.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
 190                         Signature s = Signature.getInstance(cert.getSigAlgName());
 191                         s.initVerify(current.getPublicKey());
 192                         s.update(cert.getTBSCertificate());
 193                         assertTrue(s.verify(cert.getSignature()));
 194                         current = cert;
 195                         continue nextCert;
 196                     }
 197                 }
 198             }
 199             assertNotNull(current);
 200             return current.getEncoded();
 201         }
 202     }
 203
 204     @Test
 205     public void testValidityPeriodCalendar() throws IOException, GeneralSecurityException {
 206         testCertificateValidityRelative(Calendar.YEAR, 2, "2y", true);
 207         testCertificateValidityRelative(Calendar.YEAR, 1, "1y", true);
 208         testCertificateValidityRelative(Calendar.MONTH, 3, "3m", true);
 209         testCertificateValidityRelative(Calendar.MONTH, 7, "7m", true);
 210         testCertificateValidityRelative(Calendar.MONTH, 13, "13m", true);
 211
 212         testCertificateValidityRelative(Calendar.MONTH, 13, "-1m", false);
 213     }
 214
 215     @Test
 216     public void testValidityPeriodWhishStart() throws IOException, GeneralSecurityException {
 217         long now = System.currentTimeMillis();
 218         final long MS_PER_DAY = 24 * 60 * 60 * 1000;
 219         now -= now % MS_PER_DAY;
 220         now += MS_PER_DAY;
 221         SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
 222         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
 223
 224         Date start = new Date(now);
 225         Date end = new Date(now + MS_PER_DAY * 10);
 226         String validity = "&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end);
 227         X509Certificate res = createCertWithValidity(validity, false);
 228         assertNotNull(validity, res);
 229         assertEquals(start, res.getNotBefore());
 230         assertEquals(end, res.getNotAfter());
 231     }
 232
 233     private void testCertificateValidityRelative(int field, int amount, String length, boolean shouldsucceed) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
 234         X509Certificate parsed = createCertWithValidity("&validFrom=now&validity=" + length, false);
 235         if (parsed == null) {
 236             assertTrue( !shouldsucceed);
 237             return;
 238         } else {
 239             assertTrue(shouldsucceed);
 240         }
 241
 242         long now = System.currentTimeMillis();
 243         Date start = parsed.getNotBefore();
 244         Date end = parsed.getNotAfter();
 245         Calendar c = Calendar.getInstance();
 246         c.setTimeZone(TimeZone.getTimeZone("UTC"));
 247         c.setTime(start);
 248         c.add(field, amount);
 249         assertTrue(Math.abs(start.getTime() - now) < 10000);
 250         assertEquals(c.getTime(), end);
 251     }
 252
 253     private X509Certificate createCertWithValidity(String validity, boolean login) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
 254         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
 255                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
 256         }, new RFC822Name(email));
 257
 258         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA512WithRSA");
 259         fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
 260
 261         HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
 262         huc.setRequestProperty("Cookie", cookie);
 263         huc.setDoOutput(true);
 264         OutputStream out = huc.getOutputStream();
 265         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
 266         out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
 267         out.write(("&hash_alg=SHA512&").getBytes("UTF-8"));
 268         if (login) {
 269             out.write(("login=1&").getBytes("UTF-8"));
 270         }
 271         out.write(validity.getBytes("UTF-8"));
 272
 273         String certurl = huc.getHeaderField("Location");
 274         if (certurl == null) {
 275             return null;
 276         }
 277         URLConnection uc = authenticate(new URL(certurl + ".crt"));
 278         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
 279
 280         CertificateFactory cf = CertificateFactory.getInstance("X.509");
 281         X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(crt.getBytes("UTF-8")));
 282         return parsed;
 283     }
 284
 285     private URLConnection authenticate(URL url) throws IOException {
 286         URLConnection uc = url.openConnection();
 287         uc.setRequestProperty("Cookie", cookie);
 288         return uc;
 289     }
 290
 291     protected String testSPKAC(boolean correctChallenge) throws GeneralSecurityException, IOException {
 292         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
 293         uc.setRequestProperty("Cookie", cookie);
 294         String s = IOUtils.readURL(uc);
 295
 296         csrf = extractPattern(s, Pattern.compile("<input [^>]*name='csrf' [^>]*value='([^']*)'>"));
 297         String challenge = extractPattern(s, Pattern.compile("<keygen [^>]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>"));
 298
 299         SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallenge ? "" : "b"));
 300         Signature sign = Signature.getInstance("SHA512WithRSA");
 301         sign.initSign(kp.getPrivate());
 302         try {
 303             String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8"));
 304             if ( !correctChallenge) {
 305                 fail("Should not succeed with wrong challenge.");
 306             }
 307             assertArrayEquals(new String[] {
 308                     "client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString()
 309             }, res);
 310         } catch (OnPageError e) {
 311             String error = fetchStartErrorMessage(e.getMessage());
 312             assertTrue(error, error.startsWith("<p>Challenge mismatch"));
 313         }
 314         return csrf;
 315     }
 316
 317     private PKCS10Attributes buildAtts(ObjectIdentifier[] ekuOIDs, GeneralNameInterface... SANs) throws IOException {
 318         CertificateExtensions attributeValue = new CertificateExtensions();
 319         GeneralNames names = new GeneralNames();
 320
 321         for (GeneralNameInterface name : SANs) {
 322             names.add(new GeneralName(name));
 323         }
 324         attributeValue.set("SANs", new SubjectAlternativeNameExtension(names));
 325         PKCS10Attributes atts = new PKCS10Attributes(new PKCS10Attribute[] {
 326                 new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue)
 327         });
 328         ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(//
 329                 new Vector<>(Arrays.<ObjectIdentifier>asList(ekuOIDs)));
 330         attributeValue.set("eku", eku);
 331         return atts;
 332     }
 333
 334     private final URL ncert = new URL("https://" + getServerName() + CertificateAdd.PATH);
 335
 336     private String[] fillOutForm(String pem) throws IOException {
 337         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
 338         uc.setRequestProperty("Cookie", cookie);
 339         csrf = getCSRF(uc);
 340         return fillOutFormDirect(pem);
 341
 342     }
 343
 344     private String[] fillOutFormDirect(String pem) throws IOException {
 345
 346         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
 347         uc.setRequestProperty("Cookie", cookie);
 348         uc.setDoOutput(true);
 349         uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" + pem).getBytes("UTF-8"));
 350         uc.getOutputStream().flush();
 351
 352         return extractFormData(uc);
 353     }
 354
 355     private String[] extractFormData(HttpURLConnection uc) throws IOException, Error {
 356         String result = IOUtils.readURL(uc);
 357         if (hasError().matches(result)) {
 358             throw new OnPageError(result);
 359         }
 360
 361         String profileKey = extractPattern(result, Pattern.compile("<option value=\"([^\"]*)\" selected>"));
 362         String resultingCN = extractPattern(result, Pattern.compile("<input [^>]*name='CN' [^>]*value='([^']*)'/>"));
 363         String txt = extractPattern(result, Pattern.compile("<textarea [^>]*name='SANs' [^>]*>([^<]*)</textarea>"));
 364         String md = extractPattern(result, Pattern.compile("<input type=\"radio\" [^>]*name=\"hash_alg\" value=\"([^\"]*)\" checked='checked'/>"));
 365         return new String[] {
 366                 profileKey, resultingCN, txt, md
 367         };
 368     }
 369
 370     private String extractPattern(String result, Pattern p) {
 371         Matcher m = p.matcher(result);
 372         assertTrue(m.find());
 373         String resultingCN = m.group(1);
 374         return resultingCN;
 375     }
 376
 377     @Test
 378     public void testSetLoginEnabled() throws IOException, GeneralSecurityException {
 379         X509Certificate parsedLoginNotEnabled = createCertWithValidity("&validFrom=now&validity=1m", false);
 380         assertNull(CertificateOwner.getByEnabledSerial(parsedLoginNotEnabled.getSerialNumber().toString(16).toLowerCase()));
 381
 382         X509Certificate parsedLoginEnabled = createCertWithValidity("&validFrom=now&validity=1m", true);
 383         assertEquals(u, CertificateOwner.getByEnabledSerial(parsedLoginEnabled.getSerialNumber().toString(16).toLowerCase()));
 384     }
 385 }