tests/org/cacert/gigi/TestCertificate.java

   1 package org.cacert.gigi;
   2
   3 import static org.junit.Assert.*;
   4
   5 import java.io.IOException;
   6 import java.security.GeneralSecurityException;
   7 import java.security.KeyPair;
   8 import java.security.PrivateKey;
   9 import java.security.cert.X509Certificate;
  10 import java.sql.SQLException;
  11 import java.util.Collection;
  12 import java.util.List;
  13
  14 import org.cacert.gigi.dbObjects.Certificate;
  15 import org.cacert.gigi.dbObjects.Certificate.CSRType;
  16 import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
  17 import org.cacert.gigi.dbObjects.Certificate.SANType;
  18 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  19 import org.cacert.gigi.dbObjects.Digest;
  20 import org.cacert.gigi.dbObjects.User;
  21 import org.cacert.gigi.pages.account.certs.Certificates;
  22 import org.cacert.gigi.testUtils.IOUtils;
  23 import org.cacert.gigi.testUtils.ManagedTest;
  24 import org.junit.Test;
  25
  26 import sun.security.x509.GeneralNameInterface;
  27
  28 public class TestCertificate extends ManagedTest {
  29
  30     User u = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.com", TEST_PASSWORD));
  31
  32     @Test
  33     public void testClientCertLoginStates() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  34         KeyPair kp = generateKeypair();
  35         String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
  36         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key1, CSRType.CSR, getClientProfile());
  37         final PrivateKey pk = kp.getPrivate();
  38         await(c.issue(null, "2y", u));
  39         final X509Certificate ce = c.cert();
  40         c.setLoginEnabled(true);
  41         assertNotNull(login(pk, ce));
  42     }
  43
  44     @Test
  45     public void testSANs() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  46         KeyPair kp = generateKeypair();
  47         String key = generatePEMCSR(kp, "CN=testmail@example.com");
  48         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, getClientProfile(),//
  49                 new SubjectAlternateName(SANType.EMAIL, "testmail@example.com"), new SubjectAlternateName(SANType.DNS, "testmail.example.com"));
  50
  51         testFails(CertificateStatus.DRAFT, c);
  52         await(c.issue(null, "2y", u));
  53         X509Certificate cert = c.cert();
  54         Collection<List<?>> sans = cert.getSubjectAlternativeNames();
  55         assertEquals(2, sans.size());
  56         boolean hadDNS = false;
  57         boolean hadEmail = false;
  58         for (List<?> list : sans) {
  59             assertEquals(2, list.size());
  60             Integer type = (Integer) list.get(0);
  61             switch (type) {
  62             case GeneralNameInterface.NAME_RFC822:
  63                 hadEmail = true;
  64                 assertEquals("testmail@example.com", list.get(1));
  65                 break;
  66             case GeneralNameInterface.NAME_DNS:
  67                 hadDNS = true;
  68                 assertEquals("testmail.example.com", list.get(1));
  69                 break;
  70             default:
  71                 fail("Unknown type");
  72
  73             }
  74         }
  75         assertTrue(hadDNS);
  76         assertTrue(hadEmail);
  77
  78         testFails(CertificateStatus.ISSUED, c);
  79
  80         Certificate c2 = Certificate.getBySerial(c.getSerial());
  81         assertNotNull(c2);
  82         assertEquals(2, c2.getSANs().size());
  83         assertEquals(c.getSANs().get(0).getName(), c2.getSANs().get(0).getName());
  84         assertEquals(c.getSANs().get(0).getType(), c2.getSANs().get(0).getType());
  85         assertEquals(c.getSANs().get(1).getName(), c2.getSANs().get(1).getName());
  86         assertEquals(c.getSANs().get(1).getType(), c2.getSANs().get(1).getType());
  87
  88         try {
  89             c2.getSANs().remove(0);
  90             fail("the list should not be modifiable");
  91         } catch (UnsupportedOperationException e) {
  92             // expected
  93         }
  94     }
  95
  96     @Test
  97     public void testCertLifeCycle() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  98         KeyPair kp = generateKeypair();
  99         String key = generatePEMCSR(kp, "CN=testmail@example.com");
 100         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, getClientProfile());
 101         final PrivateKey pk = kp.getPrivate();
 102
 103         testFails(CertificateStatus.DRAFT, c);
 104         await(c.issue(null, "2y", u));
 105
 106         String cookie = login(u.getEmail(), TEST_PASSWORD);
 107         testFails(CertificateStatus.ISSUED, c);
 108         X509Certificate cert = c.cert();
 109         c.setLoginEnabled(true);
 110         assertNotNull(login(pk, cert));
 111         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH)), "<td>(?:REVOKED|ISSUED)</td>"));
 112         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH + "?withRevoked")), "<td>(?:REVOKED|ISSUED)</td>"));
 113         await(c.revoke());
 114
 115         testFails(CertificateStatus.REVOKED, c);
 116         assertNull(login(pk, cert));
 117
 118         assertEquals(0, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH)), "<td>(?:REVOKED|ISSUED)</td>"));
 119         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH + "?withRevoked")), "<td>(?:REVOKED|ISSUED)</td>"));
 120     }
 121
 122     private void testFails(CertificateStatus status, Certificate c) throws IOException, GeneralSecurityException, SQLException, GigiApiException {
 123         assertEquals(status, c.getStatus());
 124         if (status != CertificateStatus.ISSUED) {
 125             try {
 126                 c.revoke();
 127                 fail(status + " is in invalid state");
 128             } catch (IllegalStateException ise) {
 129
 130             }
 131         }
 132         if (status != CertificateStatus.DRAFT) {
 133             try {
 134                 c.issue(null, "2y", u);
 135                 fail(status + " is in invalid state");
 136             } catch (IllegalStateException ise) {
 137
 138             }
 139         }
 140         if (status != CertificateStatus.ISSUED) {
 141             try {
 142                 c.cert();
 143                 if (status != CertificateStatus.REVOKED) {
 144                     fail(status + " is in invalid state");
 145                 }
 146             } catch (IllegalStateException ise) {
 147
 148             }
 149         }
 150     }
 151 }