KeyPair kp = generateKeypair();
+ /**
+ * This KeyPair is used for testing the KeyCheck for proper rejection of
+ * invalid keys. The generated keys suffers from small factors.
+ */
+ KeyPair kpBroken = generateBrokenKeypair();
+
String csrf;
public TestCertificateAdd() throws GeneralSecurityException, IOException {
return uc;
}
- protected String testSPKAC(boolean correctChallange) throws GeneralSecurityException, IOException {
+ protected String testSPKAC(boolean correctChallenge) throws GeneralSecurityException, IOException {
HttpURLConnection uc = (HttpURLConnection) ncert.openConnection();
uc.setRequestProperty("Cookie", cookie);
String s = IOUtils.readURL(uc);
csrf = extractPattern(s, Pattern.compile("<input [^>]*name='csrf' [^>]*value='([^']*)'>"));
String challenge = extractPattern(s, Pattern.compile("<keygen [^>]*name=\"SPKAC\" [^>]*challenge=\"([^\"]*)\"/>"));
- SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallange ? "" : "b"));
+ SPKAC spk = new SPKAC((X509Key) kp.getPublic(), challenge + (correctChallenge ? "" : "b"));
Signature sign = Signature.getInstance("SHA512WithRSA");
sign.initSign(kp.getPrivate());
try {
String[] res = fillOutFormDirect("SPKAC=" + URLEncoder.encode(Base64.getEncoder().encodeToString(spk.getEncoded(sign)), "UTF-8"));
- if ( !correctChallange) {
- fail("Should not succeed with wrong challange.");
+ if ( !correctChallenge) {
+ fail("Should not succeed with wrong challenge.");
}
assertArrayEquals(new String[] {
"client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString()
X509Certificate parsedLoginEnabled = createCertWithValidity("&validFrom=now&validity=1m", true);
assertEquals(u, CertificateOwner.getByEnabledSerial(parsedLoginEnabled.getSerialNumber().toString(16).toLowerCase()));
}
+
+ @Test
+ public void testInvalidKeyInCSR() throws IOException, GeneralSecurityException {
+ PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
+ CertificateRequest.OID_KEY_USAGE_SSL_SERVER
+ }, new DNSName(uniq + ".tld"));
+
+ String pem = generatePEMCSR(kpBroken, "CN=a." + uniq + ".tld", atts);
+
+ HttpURLConnection huc = post(CertificateAdd.PATH, "CSR=" + URLEncoder.encode(pem, "UTF-8"));
+ assertThat(IOUtils.readURL(huc), hasError());
+ }
+
}
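Review bot: The new testInvalidKeyInCSR only asserts `hasError()` on the response, so it also passes if the CSR is rejected for a reason unrelated to the key (malformed PEM, a failing CSRF/session check inside `post`, a name-check failure on `a.<uniq>.tld`) while a small-factor modulus would actually be accepted. Read the body once and pin the specific KeyCheck rejection, e.g. `String body = IOUtils.readURL(huc); assertThat(body, hasError()); assertThat(body, containsString(/* the KeyCheck message for small factors */));` — the exact message is not visible from this hunk, so take it from the KeyCheck/CertificateAdd error strings. A control run of the same CSR built from the good `kp` asserting no error would further separate "key rejected" from "request shape rejected".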