tests/org/cacert/gigi/pages/account/TestCertificateAdd.java

   1 package org.cacert.gigi.pages.account;
   2
   3 import static org.hamcrest.CoreMatchers.*;
   4 import static org.junit.Assert.*;
   5
   6 import java.io.ByteArrayInputStream;
   7 import java.io.IOException;
   8 import java.io.InputStreamReader;
   9 import java.io.OutputStream;
  10 import java.io.UnsupportedEncodingException;
  11 import java.net.HttpURLConnection;
  12 import java.net.MalformedURLException;
  13 import java.net.URL;
  14 import java.net.URLConnection;
  15 import java.net.URLEncoder;
  16 import java.security.GeneralSecurityException;
  17 import java.security.KeyPair;
  18 import java.security.Signature;
  19 import java.security.cert.Certificate;
  20 import java.security.cert.CertificateException;
  21 import java.security.cert.CertificateFactory;
  22 import java.security.cert.X509Certificate;
  23 import java.text.SimpleDateFormat;
  24 import java.util.Arrays;
  25 import java.util.Base64;
  26 import java.util.Calendar;
  27 import java.util.Date;
  28 import java.util.TimeZone;
  29 import java.util.Vector;
  30 import java.util.regex.Matcher;
  31 import java.util.regex.Pattern;
  32
  33 import org.cacert.gigi.crypto.SPKAC;
  34 import org.cacert.gigi.dbObjects.Digest;
  35 import org.cacert.gigi.pages.account.certs.CertificateAdd;
  36 import org.cacert.gigi.pages.account.certs.CertificateRequest;
  37 import org.cacert.gigi.testUtils.ClientTest;
  38 import org.cacert.gigi.testUtils.IOUtils;
  39 import org.cacert.gigi.util.PEM;
  40 import org.junit.Test;
  41
  42 import sun.security.pkcs.PKCS7;
  43 import sun.security.pkcs.PKCS9Attribute;
  44 import sun.security.pkcs10.PKCS10Attribute;
  45 import sun.security.pkcs10.PKCS10Attributes;
  46 import sun.security.util.ObjectIdentifier;
  47 import sun.security.x509.CertificateExtensions;
  48 import sun.security.x509.DNSName;
  49 import sun.security.x509.ExtendedKeyUsageExtension;
  50 import sun.security.x509.GeneralName;
  51 import sun.security.x509.GeneralNameInterface;
  52 import sun.security.x509.GeneralNames;
  53 import sun.security.x509.RFC822Name;
  54 import sun.security.x509.SubjectAlternativeNameExtension;
  55 import sun.security.x509.X509Key;
  56
  57 public class TestCertificateAdd extends ClientTest {
  58
  59     private static class OnPageError extends Error {
  60
  61         public OnPageError(String page) {
  62             super(page);
  63         }
  64     }
  65
  66     KeyPair kp = generateKeypair();
  67
  68     String csrf;
  69
  70     public TestCertificateAdd() throws GeneralSecurityException, IOException {
  71         TestDomain.addDomain(cookie, uniq + ".tld");
  72
  73     }
  74
  75     @Test
  76     public void testSimpleServer() throws IOException, GeneralSecurityException {
  77         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
  78                 CertificateRequest.OID_KEY_USAGE_SSL_SERVER
  79         }, new DNSName(uniq + ".tld"));
  80
  81         String pem = generatePEMCSR(kp, "CN=a." + uniq + ".tld", atts);
  82
  83         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
  84         assertArrayEquals(new String[] {
  85                 "server", "CAcert WoT User", "dns:a." + uniq + ".tld\ndns:" + uniq + ".tld\n", Digest.SHA256.toString()
  86         }, res);
  87     }
  88
  89     @Test
  90     public void testSimpleMail() throws IOException, GeneralSecurityException {
  91         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
  92                 CertificateRequest.OID_KEY_USAGE_EMAIL_PROTECTION
  93         }, new DNSName("a." + uniq + ".tld"), new DNSName("b." + uniq + ".tld"), new RFC822Name(email));
  94
  95         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA384WithRSA");
  96
  97         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
  98         assertArrayEquals(new String[] {
  99                 "mail", "a b", "email:" + email + "\ndns:a." + uniq + ".tld\ndns:b." + uniq + ".tld\n", Digest.SHA384.toString()
 100         }, res);
 101     }
 102
 103     @Test
 104     public void testSimpleClient() throws IOException, GeneralSecurityException {
 105         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
 106                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
 107         }, new RFC822Name(email));
 108
 109         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
 110
 111         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
 112         assertArrayEquals(new String[] {
 113                 "client", "a b", "email:" + email + "\n", Digest.SHA512.toString()
 114         }, res);
 115     }
 116
 117     @Test
 118     public void testSPKAC() throws GeneralSecurityException, IOException {
 119         testSPKAC(false);
 120         testSPKAC(true);
 121     }
 122
 123     @Test
 124     public void testIssue() throws IOException, GeneralSecurityException {
 125         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
 126                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
 127         }, new RFC822Name(email));
 128
 129         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
 130
 131         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
 132         assertArrayEquals(new String[] {
 133                 "client", "a b", "email:" + email + "\n", Digest.SHA512.toString()
 134         }, res);
 135
 136         HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
 137         huc.setRequestProperty("Cookie", cookie);
 138         huc.setDoOutput(true);
 139         OutputStream out = huc.getOutputStream();
 140         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
 141         out.write(("&CN=CAcert+WoT+User&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
 142         out.write(("&hash_alg=SHA512").getBytes("UTF-8"));
 143         URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
 144         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
 145
 146         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer"));
 147         byte[] cer = IOUtils.readURL(uc.getInputStream());
 148         assertArrayEquals(cer, PEM.decode("CERTIFICATE", crt));
 149
 150         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install&chain"));
 151         byte[] pkcs7 = IOUtils.readURL(uc.getInputStream());
 152         PKCS7 p7 = new PKCS7(pkcs7);
 153         byte[] sub = verifyChain(p7.getCertificates());
 154         assertArrayEquals(cer, sub);
 155         assertEquals("application/x-x509-user-cert", uc.getHeaderField("Content-type"));
 156
 157         uc = authenticate(new URL(huc.getHeaderField("Location")));
 158         String gui = IOUtils.readURL(uc);
 159         Pattern p = Pattern.compile("-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----");
 160         Matcher m = p.matcher(gui);
 161         assertTrue(m.find());
 162         byte[] cert = PEM.decode("CERTIFICATE", m.group(0));
 163         Certificate c = CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(cert));
 164         gui = c.toString();
 165         assertThat(gui, containsString("clientAuth"));
 166         assertThat(gui, containsString("CN=CAcert WoT User"));
 167         assertThat(gui, containsString("SHA512withRSA"));
 168         assertThat(gui, containsString("RFC822Name: " + email));
 169
 170     }
 171
 172     private byte[] verifyChain(X509Certificate[] x509Certificates) throws GeneralSecurityException {
 173         X509Certificate current = null;
 174         nextCert:
 175         while (true) {
 176             for (int i = 0; i < x509Certificates.length; i++) {
 177                 X509Certificate cert = x509Certificates[i];
 178                 if (current == null) {
 179                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
 180                         current = cert;
 181                         continue nextCert;
 182                     }
 183                 } else {
 184                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
 185                         continue;
 186                     }
 187                     if (current.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
 188                         Signature s = Signature.getInstance(cert.getSigAlgName());
 189                         s.initVerify(current.getPublicKey());
 190                         s.update(cert.getTBSCertificate());
 191                         assertTrue(s.verify(cert.getSignature()));
 192                         current = cert;
 193                         continue nextCert;
 194                     }
 195                 }
 196             }
 197             assertNotNull(current);
 198             return current.getEncoded();
 199         }
 200     }
 201
 202     @Test
 203     public void testValidityPeriodCalendar() throws IOException, GeneralSecurityException {
 204         testCertificateValidityRelative(Calendar.YEAR, 2, "2y", true);
 205         testCertificateValidityRelative(Calendar.YEAR, 1, "1y", true);
 206         testCertificateValidityRelative(Calendar.MONTH, 3, "3m", true);
 207         testCertificateValidityRelative(Calendar.MONTH, 7, "7m", true);
 208         testCertificateValidityRelative(Calendar.MONTH, 13, "13m", true);
 209
 210         testCertificateValidityRelative(Calendar.MONTH, 13, "-1m", false);
 211     }
 212
 213     @Test
 214     public void testValidityPeriodWhishStart() throws IOException, GeneralSecurityException {
 215         long now = System.currentTimeMillis();
 216         final long MS_PER_DAY = 24 * 60 * 60 * 1000;
 217         now -= now % MS_PER_DAY;
 218         now += MS_PER_DAY;
 219         SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
 220         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
 221
 222         Date start = new Date(now);
 223         Date end = new Date(now + MS_PER_DAY * 10);
 224         String validity = "&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end);
 225         X509Certificate res = createCertWithValidity(validity);
 226         assertNotNull(validity, res);
 227         assertEquals(start, res.getNotBefore());
 228         assertEquals(end, res.getNotAfter());
 229     }
 230
 231     private void testCertificateValidityRelative(int field, int amount, String length, boolean shouldsucceed) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
 232         X509Certificate parsed = createCertWithValidity("&validFrom=now&validity=" + length);
 233         if (parsed == null) {
 234             assertTrue( !shouldsucceed);
 235             return;
 236         } else {
 237             assertTrue(shouldsucceed);
 238         }
 239
 240         long now = System.currentTimeMillis();
 241         Date start = parsed.getNotBefore();
 242         Date end = parsed.getNotAfter();
 243         Calendar c = Calendar.getInstance();
 244         c.setTimeZone(TimeZone.getTimeZone("UTC"));
 245         c.setTime(start);
 246         c.add(field, amount);
 247         assertTrue(Math.abs(start.getTime() - now) < 10000);
 248         assertEquals(c.getTime(), end);
 249     }
 250
 251     private X509Certificate createCertWithValidity(String validity) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
 252         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
 253                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
 254         }, new RFC822Name(email));
 255
 256         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA512WithRSA");
 257         fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
 258
 259         HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
 260         huc.setRequestProperty("Cookie", cookie);
 261         huc.setDoOutput(true);
 262         OutputStream out = huc.getOutputStream();
 263         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
 264         out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
 265         out.write(("&hash_alg=SHA512&").getBytes("UTF-8"));
 266         out.write(validity.getBytes("UTF-8"));
 267
 268         String certurl = huc.getHeaderField("Location");
 269         if (certurl == null) {
 270             return null;
 271         }
 272         URLConnection uc = authenticate(new URL(certurl + ".crt"));
 273         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
 274
 275         CertificateFactory cf = CertificateFactory.getInstance("X.509");
 276         X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(crt.getBytes("UTF-8")));
 277         return parsed;
 278     }
 279
 280     private URLConnection authenticate(URL url) throws IOException {
 281         URLConnection uc = url.openConnection();
 282         uc.setRequestProperty("Cookie", cookie);
 283         return uc;
 284     }
 285
 286     protected String testSPKAC(boolean correctChallange) throws GeneralSecurityException, IOException {
 287         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
 288         uc.setRequestProperty("Cookie", cookie);
 289         String s = IOUtils.readURL(uc);
 290
 291         csrf = extractPattern(s, Pattern.compile("<input [^>]*name='csrf' [^>]*value='([^']*)'>"));
 292         String challenge = extractPattern(s, Pattern.compile("<keygen [^>]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>"));
 293
 294         SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallange ? "" : "b"));
 295         Signature sign = Signature.getInstance("SHA512WithRSA");
 296         sign.initSign(kp.getPrivate());
 297         try {
 298             String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8"));
 299             if ( !correctChallange) {
 300                 fail("Should not succeed with wrong challange.");
 301             }
 302             assertArrayEquals(new String[] {
 303                     "client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString()
 304             }, res);
 305         } catch (OnPageError e) {
 306             String error = fetchStartErrorMessage(e.getMessage());
 307             assertTrue(error, error.startsWith("<p>Challenge mismatch"));
 308         }
 309         return csrf;
 310     }
 311
 312     private PKCS10Attributes buildAtts(ObjectIdentifier[] ekuOIDs, GeneralNameInterface... SANs) throws IOException {
 313         CertificateExtensions attributeValue = new CertificateExtensions();
 314         GeneralNames names = new GeneralNames();
 315
 316         for (GeneralNameInterface name : SANs) {
 317             names.add(new GeneralName(name));
 318         }
 319         attributeValue.set("SANs", new SubjectAlternativeNameExtension(names));
 320         PKCS10Attributes atts = new PKCS10Attributes(new PKCS10Attribute[] {
 321                 new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue)
 322         });
 323         ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(//
 324                 new Vector<>(Arrays.<ObjectIdentifier>asList(ekuOIDs)));
 325         attributeValue.set("eku", eku);
 326         return atts;
 327     }
 328
 329     private final URL ncert = new URL("https://" + getServerName() + CertificateAdd.PATH);
 330
 331     private String[] fillOutForm(String pem) throws IOException {
 332         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
 333         uc.setRequestProperty("Cookie", cookie);
 334         csrf = getCSRF(uc);
 335         return fillOutFormDirect(pem);
 336
 337     }
 338
 339     private String[] fillOutFormDirect(String pem) throws IOException {
 340
 341         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
 342         uc.setRequestProperty("Cookie", cookie);
 343         uc.setDoOutput(true);
 344         uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" + pem).getBytes("UTF-8"));
 345         uc.getOutputStream().flush();
 346
 347         return extractFormData(uc);
 348     }
 349
 350     private String[] extractFormData(HttpURLConnection uc) throws IOException, Error {
 351         String result = IOUtils.readURL(uc);
 352         if (hasError().matches(result)) {
 353             throw new OnPageError(result);
 354         }
 355
 356         String profileKey = extractPattern(result, Pattern.compile("<option value=\"([^\"]*)\" selected>"));
 357         String resultingCN = extractPattern(result, Pattern.compile("<input [^>]*name='CN' [^>]*value='([^']*)'/>"));
 358         String txt = extractPattern(result, Pattern.compile("<textarea [^>]*name='SANs' [^>]*>([^<]*)</textarea>"));
 359         String md = extractPattern(result, Pattern.compile("<input type=\"radio\" [^>]*name=\"hash_alg\" value=\"([^\"]*)\" checked='checked'/>"));
 360         return new String[] {
 361                 profileKey, resultingCN, txt, md
 362         };
 363     }
 364
 365     private String extractPattern(String result, Pattern p) {
 366         Matcher m = p.matcher(result);
 367         assertTrue(m.find());
 368         String resultingCN = m.group(1);
 369         return resultingCN;
 370     }
 371 }