]> WPIA git - gigi.git/blob - tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
projects / gigi.git / blob
? search:


6f7c8be43ae602c774074644bb3cf1c97ef1f634
[gigi.git] / tests / org / cacert / gigi / pages / account / TestCertificateAdd.java
1 package org.cacert.gigi.pages.account;
2
3 import static org.hamcrest.CoreMatchers.*;
4 import static org.junit.Assert.*;
5
6 import java.io.ByteArrayInputStream;
7 import java.io.IOException;
8 import java.io.InputStreamReader;
9 import java.io.OutputStream;
10 import java.io.UnsupportedEncodingException;
11 import java.net.HttpURLConnection;
12 import java.net.MalformedURLException;
13 import java.net.URL;
14 import java.net.URLConnection;
15 import java.net.URLEncoder;
16 import java.security.GeneralSecurityException;
17 import java.security.KeyPair;
18 import java.security.Signature;
19 import java.security.cert.Certificate;
20 import java.security.cert.CertificateException;
21 import java.security.cert.CertificateFactory;
22 import java.security.cert.X509Certificate;
23 import java.text.SimpleDateFormat;
24 import java.util.Arrays;
25 import java.util.Base64;
26 import java.util.Calendar;
27 import java.util.Date;
28 import java.util.TimeZone;
29 import java.util.Vector;
30 import java.util.regex.Matcher;
31 import java.util.regex.Pattern;
32
33 import org.cacert.gigi.crypto.SPKAC;
34 import org.cacert.gigi.dbObjects.CertificateOwner;
35 import org.cacert.gigi.dbObjects.Digest;
36 import org.cacert.gigi.pages.account.certs.CertificateAdd;
37 import org.cacert.gigi.pages.account.certs.CertificateRequest;
38 import org.cacert.gigi.testUtils.ClientTest;
39 import org.cacert.gigi.testUtils.IOUtils;
40 import org.cacert.gigi.util.PEM;
41 import org.junit.Test;
42
43 import sun.security.pkcs.PKCS7;
44 import sun.security.pkcs.PKCS9Attribute;
45 import sun.security.pkcs10.PKCS10Attribute;
46 import sun.security.pkcs10.PKCS10Attributes;
47 import sun.security.util.ObjectIdentifier;
48 import sun.security.x509.CertificateExtensions;
49 import sun.security.x509.DNSName;
50 import sun.security.x509.ExtendedKeyUsageExtension;
51 import sun.security.x509.GeneralName;
52 import sun.security.x509.GeneralNameInterface;
53 import sun.security.x509.GeneralNames;
54 import sun.security.x509.RFC822Name;
55 import sun.security.x509.SubjectAlternativeNameExtension;
56 import sun.security.x509.X509Key;
57
58 public class TestCertificateAdd extends ClientTest {
59
60     private static class OnPageError extends Error {
61
62         public OnPageError(String page) {
63             super(page);
64         }
65     }
66
67     KeyPair kp = generateKeypair();
68
69     String csrf;
70
71     public TestCertificateAdd() throws GeneralSecurityException, IOException {
72         TestDomain.addDomain(cookie, uniq + ".tld");
73
74     }
75
76     @Test
77     public void testSimpleServer() throws IOException, GeneralSecurityException {
78         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
79                 CertificateRequest.OID_KEY_USAGE_SSL_SERVER
80         }, new DNSName(uniq + ".tld"));
81
82         String pem = generatePEMCSR(kp, "CN=a." + uniq + ".tld", atts);
83
84         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
85         assertArrayEquals(new String[] {
86                 "server", "CAcert WoT User", "dns:a." + uniq + ".tld\ndns:" + uniq + ".tld\n", Digest.SHA256.toString()
87         }, res);
88     }
89
90     @Test
91     public void testSimpleMail() throws IOException, GeneralSecurityException {
92         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
93                 CertificateRequest.OID_KEY_USAGE_EMAIL_PROTECTION
94         }, new DNSName("a." + uniq + ".tld"), new DNSName("b." + uniq + ".tld"), new RFC822Name(email));
95
96         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA384WithRSA");
97
98         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
99         assertArrayEquals(new String[] {
100                 "mail", "a b", "email:" + email + "\ndns:a." + uniq + ".tld\ndns:b." + uniq + ".tld\n", Digest.SHA384.toString()
101         }, res);
102     }
103
104     @Test
105     public void testSimpleClient() throws IOException, GeneralSecurityException {
106         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
107                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
108         }, new RFC822Name(email));
109
110         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
111
112         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
113         assertArrayEquals(new String[] {
114                 "client", "a b", "email:" + email + "\n", Digest.SHA512.toString()
115         }, res);
116     }
117
118     @Test
119     public void testSPKAC() throws GeneralSecurityException, IOException {
120         testSPKAC(false);
121         testSPKAC(true);
122     }
123
124     @Test
125     public void testIssue() throws IOException, GeneralSecurityException {
126         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
127                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
128         }, new RFC822Name(email));
129
130         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
131
132         String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
133         assertArrayEquals(new String[] {
134                 "client", "a b", "email:" + email + "\n", Digest.SHA512.toString()
135         }, res);
136
137         HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
138         huc.setRequestProperty("Cookie", cookie);
139         huc.setDoOutput(true);
140         OutputStream out = huc.getOutputStream();
141         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
142         out.write(("&CN=CAcert+WoT+User&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
143         out.write(("&hash_alg=SHA512").getBytes("UTF-8"));
144         URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
145         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
146
147         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer"));
148         byte[] cer = IOUtils.readURL(uc.getInputStream());
149         assertArrayEquals(cer, PEM.decode("CERTIFICATE", crt));
150
151         uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install&chain"));
152         byte[] pkcs7 = IOUtils.readURL(uc.getInputStream());
153         PKCS7 p7 = new PKCS7(pkcs7);
154         byte[] sub = verifyChain(p7.getCertificates());
155         assertArrayEquals(cer, sub);
156         assertEquals("application/x-x509-user-cert", uc.getHeaderField("Content-type"));
157
158         uc = authenticate(new URL(huc.getHeaderField("Location")));
159         String gui = IOUtils.readURL(uc);
160         Pattern p = Pattern.compile("-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----");
161         Matcher m = p.matcher(gui);
162         assertTrue(m.find());
163         byte[] cert = PEM.decode("CERTIFICATE", m.group(0));
164         Certificate c = CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(cert));
165         gui = c.toString();
166         assertThat(gui, containsString("clientAuth"));
167         assertThat(gui, containsString("CN=CAcert WoT User"));
168         assertThat(gui, containsString("SHA512withRSA"));
169         assertThat(gui, containsString("RFC822Name: " + email));
170
171     }
172
173     private byte[] verifyChain(X509Certificate[] x509Certificates) throws GeneralSecurityException {
174         X509Certificate current = null;
175         nextCert:
176         while (true) {
177             for (int i = 0; i < x509Certificates.length; i++) {
178                 X509Certificate cert = x509Certificates[i];
179                 if (current == null) {
180                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
181                         current = cert;
182                         continue nextCert;
183                     }
184                 } else {
185                     if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
186                         continue;
187                     }
188                     if (current.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
189                         Signature s = Signature.getInstance(cert.getSigAlgName());
190                         s.initVerify(current.getPublicKey());
191                         s.update(cert.getTBSCertificate());
192                         assertTrue(s.verify(cert.getSignature()));
193                         current = cert;
194                         continue nextCert;
195                     }
196                 }
197             }
198             assertNotNull(current);
199             return current.getEncoded();
200         }
201     }
202
203     @Test
204     public void testValidityPeriodCalendar() throws IOException, GeneralSecurityException {
205         testCertificateValidityRelative(Calendar.YEAR, 2, "2y", true);
206         testCertificateValidityRelative(Calendar.YEAR, 1, "1y", true);
207         testCertificateValidityRelative(Calendar.MONTH, 3, "3m", true);
208         testCertificateValidityRelative(Calendar.MONTH, 7, "7m", true);
209         testCertificateValidityRelative(Calendar.MONTH, 13, "13m", true);
210
211         testCertificateValidityRelative(Calendar.MONTH, 13, "-1m", false);
212     }
213
214     @Test
215     public void testValidityPeriodWhishStart() throws IOException, GeneralSecurityException {
216         long now = System.currentTimeMillis();
217         final long MS_PER_DAY = 24 * 60 * 60 * 1000;
218         now -= now % MS_PER_DAY;
219         now += MS_PER_DAY;
220         SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
221         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
222
223         Date start = new Date(now);
224         Date end = new Date(now + MS_PER_DAY * 10);
225         String validity = "&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end);
226         X509Certificate res = createCertWithValidity(validity, false);
227         assertNotNull(validity, res);
228         assertEquals(start, res.getNotBefore());
229         assertEquals(end, res.getNotAfter());
230     }
231
232     private void testCertificateValidityRelative(int field, int amount, String length, boolean shouldsucceed) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
233         X509Certificate parsed = createCertWithValidity("&validFrom=now&validity=" + length, false);
234         if (parsed == null) {
235             assertTrue( !shouldsucceed);
236             return;
237         } else {
238             assertTrue(shouldsucceed);
239         }
240
241         long now = System.currentTimeMillis();
242         Date start = parsed.getNotBefore();
243         Date end = parsed.getNotAfter();
244         Calendar c = Calendar.getInstance();
245         c.setTimeZone(TimeZone.getTimeZone("UTC"));
246         c.setTime(start);
247         c.add(field, amount);
248         assertTrue(Math.abs(start.getTime() - now) < 10000);
249         assertEquals(c.getTime(), end);
250     }
251
252     private X509Certificate createCertWithValidity(String validity, boolean login) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
253         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
254                 CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
255         }, new RFC822Name(email));
256
257         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA512WithRSA");
258         fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8"));
259
260         HttpURLConnection huc = (HttpURLConnection) ncert.openConnection();
261         huc.setRequestProperty("Cookie", cookie);
262         huc.setDoOutput(true);
263         OutputStream out = huc.getOutputStream();
264         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
265         out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
266         out.write(("&hash_alg=SHA512&").getBytes("UTF-8"));
267         if (login) {
268             out.write(("login=1&").getBytes("UTF-8"));
269         }
270         out.write(validity.getBytes("UTF-8"));
271
272         String certurl = huc.getHeaderField("Location");
273         if (certurl == null) {
274             return null;
275         }
276         URLConnection uc = authenticate(new URL(certurl + ".crt"));
277         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
278
279         CertificateFactory cf = CertificateFactory.getInstance("X.509");
280         X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(crt.getBytes("UTF-8")));
281         return parsed;
282     }
283
284     private URLConnection authenticate(URL url) throws IOException {
285         URLConnection uc = url.openConnection();
286         uc.setRequestProperty("Cookie", cookie);
287         return uc;
288     }
289
290     protected String testSPKAC(boolean correctChallange) throws GeneralSecurityException, IOException {
291         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
292         uc.setRequestProperty("Cookie", cookie);
293         String s = IOUtils.readURL(uc);
294
295         csrf = extractPattern(s, Pattern.compile("<input [^>]*name='csrf' [^>]*value='([^']*)'>"));
296         String challenge = extractPattern(s, Pattern.compile("<keygen [^>]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>"));
297
298         SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallange ? "" : "b"));
299         Signature sign = Signature.getInstance("SHA512WithRSA");
300         sign.initSign(kp.getPrivate());
301         try {
302             String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8"));
303             if ( !correctChallange) {
304                 fail("Should not succeed with wrong challange.");
305             }
306             assertArrayEquals(new String[] {
307                     "client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString()
308             }, res);
309         } catch (OnPageError e) {
310             String error = fetchStartErrorMessage(e.getMessage());
311             assertTrue(error, error.startsWith("<p>Challenge mismatch"));
312         }
313         return csrf;
314     }
315
316     private PKCS10Attributes buildAtts(ObjectIdentifier[] ekuOIDs, GeneralNameInterface... SANs) throws IOException {
317         CertificateExtensions attributeValue = new CertificateExtensions();
318         GeneralNames names = new GeneralNames();
319
320         for (GeneralNameInterface name : SANs) {
321             names.add(new GeneralName(name));
322         }
323         attributeValue.set("SANs", new SubjectAlternativeNameExtension(names));
324         PKCS10Attributes atts = new PKCS10Attributes(new PKCS10Attribute[] {
325                 new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue)
326         });
327         ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(//
328                 new Vector<>(Arrays.<ObjectIdentifier>asList(ekuOIDs)));
329         attributeValue.set("eku", eku);
330         return atts;
331     }
332
333     private final URL ncert = new URL("https://" + getServerName() + CertificateAdd.PATH);
334
335     private String[] fillOutForm(String pem) throws IOException {
336         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
337         uc.setRequestProperty("Cookie", cookie);
338         csrf = getCSRF(uc);
339         return fillOutFormDirect(pem);
340
341     }
342
343     private String[] fillOutFormDirect(String pem) throws IOException {
344
345         HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
346         uc.setRequestProperty("Cookie", cookie);
347         uc.setDoOutput(true);
348         uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" + pem).getBytes("UTF-8"));
349         uc.getOutputStream().flush();
350
351         return extractFormData(uc);
352     }
353
354     private String[] extractFormData(HttpURLConnection uc) throws IOException, Error {
355         String result = IOUtils.readURL(uc);
356         if (hasError().matches(result)) {
357             throw new OnPageError(result);
358         }
359
360         String profileKey = extractPattern(result, Pattern.compile("<option value=\"([^\"]*)\" selected>"));
361         String resultingCN = extractPattern(result, Pattern.compile("<input [^>]*name='CN' [^>]*value='([^']*)'/>"));
362         String txt = extractPattern(result, Pattern.compile("<textarea [^>]*name='SANs' [^>]*>([^<]*)</textarea>"));
363         String md = extractPattern(result, Pattern.compile("<input type=\"radio\" [^>]*name=\"hash_alg\" value=\"([^\"]*)\" checked='checked'/>"));
364         return new String[] {
365                 profileKey, resultingCN, txt, md
366         };
367     }
368
369     private String extractPattern(String result, Pattern p) {
370         Matcher m = p.matcher(result);
371         assertTrue(m.find());
372         String resultingCN = m.group(1);
373         return resultingCN;
374     }
375
376     @Test
377     public void testSetLoginEnabled() throws IOException, GeneralSecurityException {
378         X509Certificate parsedLoginNotEnabled = createCertWithValidity("&validFrom=now&validity=1m", false);
379         assertNull(CertificateOwner.getByEnabledSerial(parsedLoginNotEnabled.getSerialNumber().toString(16)));
380
381         X509Certificate parsedLoginEnabled = createCertWithValidity("&validFrom=now&validity=1m", true);
382         assertEquals(u, CertificateOwner.getByEnabledSerial(parsedLoginEnabled.getSerialNumber().toString(16)));
383     }
384 }
WPIA Certificate Web Issuance Platform