tests/org/cacert/gigi/TestCertificate.java

   1 package org.cacert.gigi;
   2
   3 import static org.junit.Assert.*;
   4
   5 import java.io.IOException;
   6 import java.security.GeneralSecurityException;
   7 import java.security.KeyPair;
   8 import java.security.PrivateKey;
   9 import java.security.cert.X509Certificate;
  10 import java.sql.SQLException;
  11 import java.util.Collection;
  12 import java.util.List;
  13
  14 import org.cacert.gigi.dbObjects.Certificate;
  15 import org.cacert.gigi.dbObjects.Certificate.CSRType;
  16 import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
  17 import org.cacert.gigi.dbObjects.Certificate.SANType;
  18 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  19 import org.cacert.gigi.dbObjects.CertificateProfile;
  20 import org.cacert.gigi.dbObjects.Digest;
  21 import org.cacert.gigi.dbObjects.User;
  22 import org.cacert.gigi.pages.account.certs.Certificates;
  23 import org.cacert.gigi.testUtils.IOUtils;
  24 import org.cacert.gigi.testUtils.ManagedTest;
  25 import org.junit.Test;
  26
  27 import sun.security.x509.GeneralNameInterface;
  28
  29 public class TestCertificate extends ManagedTest {
  30
  31     User u = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.com", TEST_PASSWORD));
  32
  33     @Test
  34     public void testClientCertLoginStates() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  35         KeyPair kp = generateKeypair();
  36         String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
  37         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getById(1));
  38         final PrivateKey pk = kp.getPrivate();
  39         await(c.issue(null, "2y", u));
  40         final X509Certificate ce = c.cert();
  41         c.setLoginEnabled(true);
  42         assertNotNull(login(pk, ce));
  43     }
  44
  45     @Test
  46     public void testSANs() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  47         KeyPair kp = generateKeypair();
  48         String key = generatePEMCSR(kp, "CN=testmail@example.com");
  49         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, CertificateProfile.getById(1),//
  50                 new SubjectAlternateName(SANType.EMAIL, "testmail@example.com"), new SubjectAlternateName(SANType.DNS, "testmail.example.com"));
  51
  52         testFails(CertificateStatus.DRAFT, c);
  53         await(c.issue(null, "2y", u));
  54         X509Certificate cert = c.cert();
  55         Collection<List<?>> sans = cert.getSubjectAlternativeNames();
  56         assertEquals(2, sans.size());
  57         boolean hadDNS = false;
  58         boolean hadEmail = false;
  59         for (List<?> list : sans) {
  60             assertEquals(2, list.size());
  61             Integer type = (Integer) list.get(0);
  62             switch (type) {
  63             case GeneralNameInterface.NAME_RFC822:
  64                 hadEmail = true;
  65                 assertEquals("testmail@example.com", list.get(1));
  66                 break;
  67             case GeneralNameInterface.NAME_DNS:
  68                 hadDNS = true;
  69                 assertEquals("testmail.example.com", list.get(1));
  70                 break;
  71             default:
  72                 fail("Unknown type");
  73
  74             }
  75         }
  76         assertTrue(hadDNS);
  77         assertTrue(hadEmail);
  78
  79         testFails(CertificateStatus.ISSUED, c);
  80
  81         Certificate c2 = Certificate.getBySerial(c.getSerial());
  82         assertNotNull(c2);
  83         assertEquals(2, c2.getSANs().size());
  84         assertEquals(c.getSANs().get(0).getName(), c2.getSANs().get(0).getName());
  85         assertEquals(c.getSANs().get(0).getType(), c2.getSANs().get(0).getType());
  86         assertEquals(c.getSANs().get(1).getName(), c2.getSANs().get(1).getName());
  87         assertEquals(c.getSANs().get(1).getType(), c2.getSANs().get(1).getType());
  88
  89         try {
  90             c2.getSANs().remove(0);
  91             fail("the list should not be modifiable");
  92         } catch (UnsupportedOperationException e) {
  93             // expected
  94         }
  95     }
  96
  97     @Test
  98     public void testCertLifeCycle() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  99         KeyPair kp = generateKeypair();
 100         String key = generatePEMCSR(kp, "CN=testmail@example.com");
 101         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, CertificateProfile.getById(1));
 102         final PrivateKey pk = kp.getPrivate();
 103
 104         testFails(CertificateStatus.DRAFT, c);
 105         await(c.issue(null, "2y", u));
 106
 107         String cookie = login(u.getEmail(), TEST_PASSWORD);
 108         testFails(CertificateStatus.ISSUED, c);
 109         X509Certificate cert = c.cert();
 110         c.setLoginEnabled(true);
 111         assertNotNull(login(pk, cert));
 112         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH)), "<td>(?:REVOKED|ISSUED)</td>"));
 113         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH + "?withRevoked")), "<td>(?:REVOKED|ISSUED)</td>"));
 114         await(c.revoke());
 115
 116         testFails(CertificateStatus.REVOKED, c);
 117         assertNull(login(pk, cert));
 118
 119         assertEquals(0, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH)), "<td>(?:REVOKED|ISSUED)</td>"));
 120         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH + "?withRevoked")), "<td>(?:REVOKED|ISSUED)</td>"));
 121     }
 122
 123     private void testFails(CertificateStatus status, Certificate c) throws IOException, GeneralSecurityException, SQLException, GigiApiException {
 124         assertEquals(status, c.getStatus());
 125         if (status != CertificateStatus.ISSUED) {
 126             try {
 127                 c.revoke();
 128                 fail(status + " is in invalid state");
 129             } catch (IllegalStateException ise) {
 130
 131             }
 132         }
 133         if (status != CertificateStatus.DRAFT) {
 134             try {
 135                 c.issue(null, "2y", u);
 136                 fail(status + " is in invalid state");
 137             } catch (IllegalStateException ise) {
 138
 139             }
 140         }
 141         if (status != CertificateStatus.ISSUED) {
 142             try {
 143                 c.cert();
 144                 if (status != CertificateStatus.REVOKED) {
 145                     fail(status + " is in invalid state");
 146                 }
 147             } catch (IllegalStateException ise) {
 148
 149             }
 150         }
 151     }
 152 }