tests/org/cacert/gigi/ping/TestSSL.java

   1 package org.cacert.gigi.ping;
   2
   3 import static org.junit.Assert.*;
   4 import static org.junit.Assume.*;
   5
   6 import java.io.IOException;
   7 import java.net.Socket;
   8 import java.net.URL;
   9 import java.net.URLEncoder;
  10 import java.security.GeneralSecurityException;
  11 import java.security.KeyManagementException;
  12 import java.security.KeyPair;
  13 import java.security.NoSuchAlgorithmException;
  14 import java.security.Principal;
  15 import java.security.PrivateKey;
  16 import java.security.SecureRandom;
  17 import java.security.cert.CertificateException;
  18 import java.security.cert.X509Certificate;
  19 import java.sql.SQLException;
  20 import java.util.regex.Matcher;
  21 import java.util.regex.Pattern;
  22
  23 import javax.net.ssl.KeyManager;
  24 import javax.net.ssl.SSLContext;
  25 import javax.net.ssl.SSLServerSocket;
  26 import javax.net.ssl.SSLServerSocketFactory;
  27 import javax.net.ssl.TrustManager;
  28 import javax.net.ssl.X509KeyManager;
  29 import javax.net.ssl.X509TrustManager;
  30
  31 import org.cacert.gigi.GigiApiException;
  32 import org.cacert.gigi.dbObjects.Certificate;
  33 import org.cacert.gigi.dbObjects.Certificate.CSRType;
  34 import org.cacert.gigi.dbObjects.CertificateProfile;
  35 import org.cacert.gigi.dbObjects.User;
  36 import org.cacert.gigi.pages.account.domain.DomainOverview;
  37 import org.cacert.gigi.testUtils.IOUtils;
  38 import org.cacert.gigi.testUtils.PingTest;
  39 import org.cacert.gigi.testUtils.TestEmailReciever.TestMail;
  40 import org.junit.Test;
  41
  42 public class TestSSL extends PingTest {
  43
  44     private KeyPair kp;
  45
  46     private Certificate c;
  47
  48     @Test(timeout = 70000)
  49     public void sslAndMailSuccess() throws IOException, InterruptedException, SQLException, GeneralSecurityException, GigiApiException {
  50         testEmailAndSSL(0, 0, true);
  51     }
  52
  53     @Test(timeout = 70000)
  54     public void sslWongTypeAndMailSuccess() throws IOException, InterruptedException, SQLException, GeneralSecurityException, GigiApiException {
  55         testEmailAndSSL(1, 0, true);
  56     }
  57
  58     @Test(timeout = 70000)
  59     public void sslOneMissingAndMailSuccess() throws IOException, InterruptedException, SQLException, GeneralSecurityException, GigiApiException {
  60         testEmailAndSSL(2, 0, true);
  61     }
  62
  63     @Test(timeout = 70000)
  64     public void sslBothMissingAndMailSuccess() throws IOException, InterruptedException, SQLException, GeneralSecurityException, GigiApiException {
  65         testEmailAndSSL(3, 0, true);
  66     }
  67
  68     @Test(timeout = 70000)
  69     public void sslWrongTypeAndMailFail() throws IOException, InterruptedException, SQLException, GeneralSecurityException, GigiApiException {
  70         testEmailAndSSL(1, 1, false);
  71     }
  72
  73     /**
  74      * @param sslVariant
  75      *            <ul>
  76      *            <li>0= all valid</li>
  77      *            <li>1= wrong type</li>
  78      *            <li>2= one server missing</li>
  79      *            <li>3= both servers missing</li>
  80      *            </ul>
  81      * @param emailVariant
  82      * @param successSSL
  83      * @param successMail
  84      * @throws IOException
  85      * @throws InterruptedException
  86      * @throws SQLException
  87      * @throws GeneralSecurityException
  88      * @throws GigiApiException
  89      */
  90
  91     private void testEmailAndSSL(int sslVariant, int emailVariant, boolean successMail) throws IOException, InterruptedException, SQLException, GeneralSecurityException, GigiApiException {
  92         String test = getTestProps().getProperty("domain.local");
  93         assumeNotNull(test);
  94         URL u = new URL("https://" + getServerName() + DomainOverview.PATH);
  95
  96         initailizeDomainForm(u);
  97
  98         createCertificate(test, CertificateProfile.getByName(sslVariant == 1 ? "client" : "server"));
  99         SSLServerSocket sss = createSSLServer(kp.getPrivate(), c.cert());
 100         int port = sss.getLocalPort();
 101         SSLServerSocket sss2 = createSSLServer(kp.getPrivate(), c.cert());
 102         int port2 = sss2.getLocalPort();
 103         if (sslVariant == 3 || sslVariant == 2) {
 104             sss2.close();
 105             if (sslVariant == 3) {
 106                 sss.close();
 107             }
 108         }
 109         String content = "newdomain=" + URLEncoder.encode(test, "UTF-8") + //
 110                 "&emailType=y&email=2&SSLType=y" + //
 111                 "&ssl-type-0=direct&ssl-port-0=" + port + //
 112                 "&ssl-type-1=direct&ssl-port-1=" + port2 + //
 113                 "&ssl-type-2=direct&ssl-port-2=" + //
 114                 "&ssl-type-3=direct&ssl-port-3=" + //
 115                 "&adddomain&csrf=" + csrf;
 116         URL u2 = sendDomainForm(u, content);
 117         boolean firstSucceeds = sslVariant != 0 && sslVariant != 2;
 118         assertTrue(firstSucceeds ^ acceptSSLServer(sss));
 119         boolean secondsSucceeds = sslVariant != 0;
 120         assertTrue(secondsSucceeds ^ acceptSSLServer(sss2));
 121
 122         TestMail mail = getMailReciever().recieve();
 123         if (emailVariant == 0) {
 124             String link = mail.extractLink();
 125             new URL(link).openConnection().getHeaderField("");
 126         }
 127         waitForPings(3);
 128
 129         String newcontent = IOUtils.readURL(cookie(u2.openConnection(), cookie));
 130         Pattern pat = Pattern.compile("<td>ssl</td>\\s*<td>success</td>");
 131         Matcher matcher = pat.matcher(newcontent);
 132         assertTrue(newcontent, firstSucceeds ^ matcher.find());
 133         assertTrue(newcontent, secondsSucceeds ^ matcher.find());
 134         assertFalse(newcontent, matcher.find());
 135         pat = Pattern.compile("<td>email</td>\\s*<td>success</td>");
 136         assertTrue(newcontent, !successMail ^ pat.matcher(newcontent).find());
 137     }
 138
 139     private void createCertificate(String test, CertificateProfile profile) throws GeneralSecurityException, IOException, SQLException, InterruptedException, GigiApiException {
 140         kp = generateKeypair();
 141         String csr = generatePEMCSR(kp, "CN=" + test);
 142         c = new Certificate(User.getById(id), Certificate.buildDN("CN", test), "sha256", csr, CSRType.CSR, profile);
 143         c.issue(null, "2y").waitFor(60000);
 144     }
 145
 146     private boolean acceptSSLServer(SSLServerSocket sss) throws IOException {
 147         try {
 148             Socket s = sss.accept();
 149             s.getOutputStream().write('b');
 150             s.getOutputStream().close();
 151             return true;
 152         } catch (IOException e) {
 153             return false;
 154         }
 155     }
 156
 157     private SSLServerSocket createSSLServer(final PrivateKey priv, final X509Certificate cert) throws Error, IOException {
 158         SSLContext sc;
 159         try {
 160             sc = SSLContext.getInstance("SSL");
 161             sc.init(new KeyManager[] {
 162                 new X509KeyManager() {
 163
 164                     @Override
 165                     public String[] getServerAliases(String keyType, Principal[] issuers) {
 166                         return new String[] {
 167                             "server"
 168                         };
 169                     }
 170
 171                     @Override
 172                     public PrivateKey getPrivateKey(String alias) {
 173                         return priv;
 174                     }
 175
 176                     @Override
 177                     public String[] getClientAliases(String keyType, Principal[] issuers) {
 178                         throw new Error();
 179                     }
 180
 181                     @Override
 182                     public X509Certificate[] getCertificateChain(String alias) {
 183                         return new X509Certificate[] {
 184                             cert
 185                         };
 186                     }
 187
 188                     @Override
 189                     public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
 190                         throw new Error();
 191                     }
 192
 193                     @Override
 194                     public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
 195                         return "server";
 196                     }
 197
 198                 }
 199             }, new TrustManager[] {
 200                 new X509TrustManager() {
 201
 202                     @Override
 203                     public X509Certificate[] getAcceptedIssuers() {
 204                         return null;
 205                     }
 206
 207                     @Override
 208                     public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
 209
 210                     @Override
 211                     public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
 212                 }
 213             }, new SecureRandom());
 214         } catch (NoSuchAlgorithmException e) {
 215             e.printStackTrace();
 216             throw new Error(e);
 217         } catch (KeyManagementException e) {
 218             e.printStackTrace();
 219             throw new Error(e);
 220         }
 221
 222         SSLServerSocketFactory sssf = sc.getServerSocketFactory();
 223         return (SSLServerSocket) sssf.createServerSocket(0);
 224     }
 225
 226 }