tests/org/cacert/gigi/TestCertificate.java

   1 package org.cacert.gigi;
   2
   3 import static org.junit.Assert.*;
   4
   5 import java.io.IOException;
   6 import java.security.GeneralSecurityException;
   7 import java.security.KeyPair;
   8 import java.security.PrivateKey;
   9 import java.security.cert.X509Certificate;
  10 import java.sql.SQLException;
  11 import java.util.Collection;
  12 import java.util.List;
  13
  14 import org.cacert.gigi.dbObjects.Certificate;
  15 import org.cacert.gigi.dbObjects.Certificate.CSRType;
  16 import org.cacert.gigi.dbObjects.Certificate.CertificateStatus;
  17 import org.cacert.gigi.dbObjects.Certificate.SANType;
  18 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  19 import org.cacert.gigi.dbObjects.CertificateProfile;
  20 import org.cacert.gigi.dbObjects.Digest;
  21 import org.cacert.gigi.dbObjects.User;
  22 import org.cacert.gigi.pages.account.certs.Certificates;
  23 import org.cacert.gigi.testUtils.IOUtils;
  24 import org.cacert.gigi.testUtils.ManagedTest;
  25 import org.junit.Test;
  26
  27 import sun.security.x509.GeneralNameInterface;
  28
  29 public class TestCertificate extends ManagedTest {
  30
  31     User u = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@example.com", TEST_PASSWORD));
  32
  33     @Test
  34     public void testClientCertLoginStates() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  35         KeyPair kp = generateKeypair();
  36         String key1 = generatePEMCSR(kp, "CN=testmail@example.com");
  37         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key1, CSRType.CSR, CertificateProfile.getById(1));
  38         final PrivateKey pk = kp.getPrivate();
  39         c.issue(null, "2y", u).waitFor(60000);
  40         final X509Certificate ce = c.cert();
  41         assertNotNull(login(pk, ce));
  42     }
  43
  44     @Test
  45     public void testSANs() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  46         KeyPair kp = generateKeypair();
  47         String key = generatePEMCSR(kp, "CN=testmail@example.com");
  48         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, CertificateProfile.getById(1),//
  49                 new SubjectAlternateName(SANType.EMAIL, "testmail@example.com"), new SubjectAlternateName(SANType.DNS, "testmail.example.com"));
  50
  51         testFails(CertificateStatus.DRAFT, c);
  52         c.issue(null, "2y", u).waitFor(60000);
  53         X509Certificate cert = c.cert();
  54         Collection<List<?>> sans = cert.getSubjectAlternativeNames();
  55         assertEquals(2, sans.size());
  56         boolean hadDNS = false;
  57         boolean hadEmail = false;
  58         for (List<?> list : sans) {
  59             assertEquals(2, list.size());
  60             Integer type = (Integer) list.get(0);
  61             switch (type) {
  62             case GeneralNameInterface.NAME_RFC822:
  63                 hadEmail = true;
  64                 assertEquals("testmail@example.com", list.get(1));
  65                 break;
  66             case GeneralNameInterface.NAME_DNS:
  67                 hadDNS = true;
  68                 assertEquals("testmail.example.com", list.get(1));
  69                 break;
  70             default:
  71                 fail("Unknown type");
  72
  73             }
  74         }
  75         assertTrue(hadDNS);
  76         assertTrue(hadEmail);
  77
  78         testFails(CertificateStatus.ISSUED, c);
  79
  80         Certificate c2 = Certificate.getBySerial(c.getSerial());
  81         assertNotNull(c2);
  82         assertEquals(2, c2.getSANs().size());
  83         assertEquals(c.getSANs().get(0).getName(), c2.getSANs().get(0).getName());
  84         assertEquals(c.getSANs().get(0).getType(), c2.getSANs().get(0).getType());
  85         assertEquals(c.getSANs().get(1).getName(), c2.getSANs().get(1).getName());
  86         assertEquals(c.getSANs().get(1).getType(), c2.getSANs().get(1).getType());
  87
  88         try {
  89             c2.getSANs().remove(0);
  90             fail("the list should not be modifiable");
  91         } catch (UnsupportedOperationException e) {
  92             // expected
  93         }
  94     }
  95
  96     @Test
  97     public void testCertLifeCycle() throws IOException, GeneralSecurityException, SQLException, InterruptedException, GigiApiException {
  98         KeyPair kp = generateKeypair();
  99         String key = generatePEMCSR(kp, "CN=testmail@example.com");
 100         Certificate c = new Certificate(u, u, Certificate.buildDN("CN", "testmail@example.com"), Digest.SHA256, key, CSRType.CSR, CertificateProfile.getById(1));
 101         final PrivateKey pk = kp.getPrivate();
 102
 103         testFails(CertificateStatus.DRAFT, c);
 104         c.issue(null, "2y", u).waitFor(60000);
 105
 106         String cookie = login(u.getEmail(), TEST_PASSWORD);
 107         testFails(CertificateStatus.ISSUED, c);
 108         X509Certificate cert = c.cert();
 109         assertNotNull(login(pk, cert));
 110         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH)), "<td>(?:REVOKED|ISSUED)</td>"));
 111         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH + "?withRevoked")), "<td>(?:REVOKED|ISSUED)</td>"));
 112         c.revoke().waitFor(60000);
 113
 114         testFails(CertificateStatus.REVOKED, c);
 115         assertNull(login(pk, cert));
 116
 117         assertEquals(0, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH)), "<td>(?:REVOKED|ISSUED)</td>"));
 118         assertEquals(1, countRegex(IOUtils.readURL(get(cookie, Certificates.PATH + "?withRevoked")), "<td>(?:REVOKED|ISSUED)</td>"));
 119     }
 120
 121     private void testFails(CertificateStatus status, Certificate c) throws IOException, GeneralSecurityException, SQLException, GigiApiException {
 122         assertEquals(status, c.getStatus());
 123         if (status != CertificateStatus.ISSUED) {
 124             try {
 125                 c.revoke();
 126                 fail(status + " is in invalid state");
 127             } catch (IllegalStateException ise) {
 128
 129             }
 130         }
 131         if (status != CertificateStatus.DRAFT) {
 132             try {
 133                 c.issue(null, "2y", u);
 134                 fail(status + " is in invalid state");
 135             } catch (IllegalStateException ise) {
 136
 137             }
 138         }
 139         if (status != CertificateStatus.ISSUED) {
 140             try {
 141                 c.cert();
 142                 if (status != CertificateStatus.REVOKED) {
 143                     fail(status + " is in invalid state");
 144                 }
 145             } catch (IllegalStateException ise) {
 146
 147             }
 148         }
 149     }
 150 }