]> WPIA git - gigi.git/blobdiff - tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
projects / gigi.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge "Update notes about password security"
[gigi.git] / tests / org / cacert / gigi / pages / account / TestCertificateAdd.java
diff --git a/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java b/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
index aa118973862eb2a2c0821fa83e7deaa52ce09713..57a5e634c8d10585bba4312936bbfcb601441a7f 100644 (file)
--- a/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
+++ b/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java
@@ -16,6 +16,7 @@ import java.net.URLEncoder;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.Signature;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -38,6 +39,7 @@ import org.cacert.gigi.testUtils.IOUtils;
 import org.cacert.gigi.util.PEM;
 import org.junit.Test;
 
+import sun.security.pkcs.PKCS7;
 import sun.security.pkcs.PKCS9Attribute;
 import sun.security.pkcs10.PKCS10Attribute;
 import sun.security.pkcs10.PKCS10Attributes;
@@ -66,7 +68,7 @@ public class TestCertificateAdd extends ClientTest {
     @Test
     public void testSimpleServer() throws IOException, GeneralSecurityException {
         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
-            CertificateRequest.OID_KEY_USAGE_SSL_SERVER
+                CertificateRequest.OID_KEY_USAGE_SSL_SERVER
         }, new DNSName(uniq + ".tld"));
 
         String pem = generatePEMCSR(kp, "CN=a." + uniq + ".tld", atts);
@@ -80,7 +82,7 @@ public class TestCertificateAdd extends ClientTest {
     @Test
     public void testSimpleMail() throws IOException, GeneralSecurityException {
         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
-            CertificateRequest.OID_KEY_USAGE_EMAIL_PROTECTION
+                CertificateRequest.OID_KEY_USAGE_EMAIL_PROTECTION
         }, new DNSName("a." + uniq + ".tld"), new DNSName("b." + uniq + ".tld"), new RFC822Name(email));
 
         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA384WithRSA");
@@ -94,7 +96,7 @@ public class TestCertificateAdd extends ClientTest {
     @Test
     public void testSimpleClient() throws IOException, GeneralSecurityException {
         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
-            CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
+                CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
         }, new RFC822Name(email));
 
         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
@@ -114,7 +116,7 @@ public class TestCertificateAdd extends ClientTest {
     @Test
     public void testIssue() throws IOException, GeneralSecurityException {
         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
-            CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
+                CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
         }, new RFC822Name(email));
 
         String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA");
@@ -129,8 +131,8 @@ public class TestCertificateAdd extends ClientTest {
         huc.setDoOutput(true);
         OutputStream out = huc.getOutputStream();
         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
-        out.write(("&profile=client&CN=a+b&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
-        out.write(("&hash_alg=SHA512&CCA=y").getBytes("UTF-8"));
+        out.write(("&CN=CAcert+WoT+User&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
+        out.write(("&hash_alg=SHA512&tos_agree=y").getBytes("UTF-8"));
         URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt"));
         String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8"));
 
@@ -138,20 +140,58 @@ public class TestCertificateAdd extends ClientTest {
         byte[] cer = IOUtils.readURL(uc.getInputStream());
         assertArrayEquals(cer, PEM.decode("CERTIFICATE", crt));
 
-        uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install"));
-        byte[] cer2 = IOUtils.readURL(uc.getInputStream());
-        assertArrayEquals(cer, cer2);
+        uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install&chain"));
+        byte[] pkcs7 = IOUtils.readURL(uc.getInputStream());
+        PKCS7 p7 = new PKCS7(pkcs7);
+        byte[] sub = verifyChain(p7.getCertificates());
+        assertArrayEquals(cer, sub);
         assertEquals("application/x-x509-user-cert", uc.getHeaderField("Content-type"));
 
         uc = authenticate(new URL(huc.getHeaderField("Location")));
         String gui = IOUtils.readURL(uc);
+        Pattern p = Pattern.compile("-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----");
+        Matcher m = p.matcher(gui);
+        assertTrue(m.find());
+        byte[] cert = PEM.decode("CERTIFICATE", m.group(0));
+        Certificate c = CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(cert));
+        gui = c.toString();
         assertThat(gui, containsString("clientAuth"));
-        assertThat(gui, containsString("CN=a b"));
+        assertThat(gui, containsString("CN=CAcert WoT User"));
         assertThat(gui, containsString("SHA512withRSA"));
         assertThat(gui, containsString("RFC822Name: " + email));
 
     }
 
+    private byte[] verifyChain(X509Certificate[] x509Certificates) throws GeneralSecurityException {
+        X509Certificate current = null;
+        nextCert:
+        while (true) {
+            for (int i = 0; i < x509Certificates.length; i++) {
+                X509Certificate cert = x509Certificates[i];
+                if (current == null) {
+                    if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
+                        current = cert;
+                        continue nextCert;
+                    }
+                } else {
+                    if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
+                        continue;
+                    }
+                    if (current.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
+                        Signature s = Signature.getInstance(cert.getSigAlgName());
+                        s.initVerify(current.getPublicKey());
+                        s.update(cert.getTBSCertificate());
+                        assertTrue(s.verify(cert.getSignature()));
+                        current = cert;
+                        continue nextCert;
+                    }
+                }
+            }
+            assertNotNull(current);
+            return current.getEncoded();
+        }
+    }
+
     @Test
     public void testValidityPeriodCalendar() throws IOException, GeneralSecurityException {
         testCertificateValidityRelative(Calendar.YEAR, 2, "2y", true);
@@ -174,7 +214,9 @@ public class TestCertificateAdd extends ClientTest {
 
         Date start = new Date(now);
         Date end = new Date(now + MS_PER_DAY * 10);
-        X509Certificate res = createCertWithValidity("&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end));
+        String validity = "&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end);
+        X509Certificate res = createCertWithValidity(validity);
+        assertNotNull(validity, res);
         assertEquals(start, res.getNotBefore());
         assertEquals(end, res.getNotAfter());
     }
@@ -201,7 +243,7 @@ public class TestCertificateAdd extends ClientTest {
 
     private X509Certificate createCertWithValidity(String validity) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException {
         PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] {
-            CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
+                CertificateRequest.OID_KEY_USAGE_SSL_CLIENT
         }, new RFC822Name(email));
 
         String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA512WithRSA");
@@ -212,8 +254,8 @@ public class TestCertificateAdd extends ClientTest {
         huc.setDoOutput(true);
         OutputStream out = huc.getOutputStream();
         out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8"));
-        out.write(("&profile=client&CN=a+b&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
-        out.write(("&hash_alg=SHA512&CCA=y&").getBytes("UTF-8"));
+        out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8"));
+        out.write(("&hash_alg=SHA512&tos_agree=y&").getBytes("UTF-8"));
         out.write(validity.getBytes("UTF-8"));
 
         String certurl = huc.getHeaderField("Location");
@@ -268,7 +310,7 @@ public class TestCertificateAdd extends ClientTest {
         }
         attributeValue.set("SANs", new SubjectAlternativeNameExtension(names));
         PKCS10Attributes atts = new PKCS10Attributes(new PKCS10Attribute[] {
-            new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue)
+                new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue)
         });
         ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(//
                 new Vector<>(Arrays.<ObjectIdentifier>asList(ekuOIDs)));
WPIA Certificate Web Issuance Platform