X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=tests%2Forg%2Fcacert%2Fgigi%2Fpages%2Faccount%2FTestCertificateAdd.java;h=4d6529db3197554802749bfefeee3430c04db9aa;hp=e1cc64fddffea0b3d7d19410b29a2c00bc251ddd;hb=d40f5d54f3332e655eb64e75c34bf4212e610710;hpb=da72882d9ff14bd4077d9f71ae134a67581c49cb diff --git a/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java b/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java index e1cc64fd..4d6529db 100644 --- a/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java +++ b/tests/org/cacert/gigi/pages/account/TestCertificateAdd.java @@ -16,6 +16,7 @@ import java.net.URLEncoder; import java.security.GeneralSecurityException; import java.security.KeyPair; import java.security.Signature; +import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -30,15 +31,16 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; import org.cacert.gigi.crypto.SPKAC; +import org.cacert.gigi.dbObjects.CertificateOwner; import org.cacert.gigi.dbObjects.Digest; -import org.cacert.gigi.dbObjects.User; import org.cacert.gigi.pages.account.certs.CertificateAdd; -import org.cacert.gigi.pages.account.certs.CertificateIssueForm; +import org.cacert.gigi.pages.account.certs.CertificateRequest; +import org.cacert.gigi.testUtils.ClientTest; import org.cacert.gigi.testUtils.IOUtils; -import org.cacert.gigi.testUtils.ManagedTest; import org.cacert.gigi.util.PEM; import org.junit.Test; +import sun.security.pkcs.PKCS7; import sun.security.pkcs.PKCS9Attribute; import sun.security.pkcs10.PKCS10Attribute; import sun.security.pkcs10.PKCS10Attributes; 
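Review bot: `import org.cacert.gigi.dbObjects.CertificateOwner;` is added in the second hunk, but none of the hunks in this diff reference CertificateOwner; if the rest of the file does not use it either, the import is dead and should be dropped (it reads like a leftover from replacing the User field when the base class moved to ClientTest). The new `import sun.security.pkcs.PKCS7;` is an internal JDK API; it is consistent with the sun.security.* imports the test already carries, but it ties the test to JDK builds that still expose that package, which is worth a short comment next to the import group.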
@@ -53,60 +55,65 @@ import sun.security.x509.RFC822Name; import sun.security.x509.SubjectAlternativeNameExtension; import sun.security.x509.X509Key; -public class TestCertificateAdd extends ManagedTest { +public class TestCertificateAdd extends ClientTest { - KeyPair kp = generateKeypair(); + private static class OnPageError extends Error { + + private static final long serialVersionUID = 1L; - User u = User.getById(createVerifiedUser("testuser", "testname", uniq + "@testdom.com", TEST_PASSWORD)); + public OnPageError(String page) { + super(page); + } + } - String session = login(uniq + "@testdom.com", TEST_PASSWORD); + KeyPair kp = generateKeypair(); String csrf; public TestCertificateAdd() throws GeneralSecurityException, IOException { - TestDomain.addDomain(session, uniq + ".tld"); + TestDomain.addDomain(cookie, uniq + ".tld"); } @Test public void testSimpleServer() throws IOException, GeneralSecurityException { PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] { - CertificateIssueForm.OID_KEY_USAGE_SSL_SERVER + CertificateRequest.OID_KEY_USAGE_SSL_SERVER }, new DNSName(uniq + ".tld")); String pem = generatePEMCSR(kp, "CN=a." + uniq + ".tld", atts); String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8")); assertArrayEquals(new String[] { - "server", "CAcert WoT User", "dns:a." + uniq + ".tld\ndns:" + uniq + ".tld\n", Digest.SHA256.toString() + "server", CertificateRequest.DEFAULT_CN, "dns:a." + uniq + ".tld\ndns:" + uniq + ".tld\n", Digest.SHA256.toString() }, res); } @Test public void testSimpleMail() throws IOException, GeneralSecurityException { PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] { - CertificateIssueForm.OID_KEY_USAGE_EMAIL_PROTECTION - }, new DNSName("a." + uniq + ".tld"), new DNSName("b." + uniq + ".tld"), new RFC822Name(uniq + "@testdom.com")); + CertificateRequest.OID_KEY_USAGE_EMAIL_PROTECTION + }, new DNSName("a." + uniq + ".tld"), new DNSName("b." 
+ uniq + ".tld"), new RFC822Name(email)); - String pem = generatePEMCSR(kp, "CN=testuser testname", atts, "SHA384WithRSA"); + String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA384WithRSA"); String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8")); assertArrayEquals(new String[] { - "mail", "testuser testname", "dns:a." + uniq + ".tld\ndns:b." + uniq + ".tld\nemail:" + uniq + "@testdom.com\n", Digest.SHA384.toString() + "mail", "a b", "email:" + email + "\ndns:a." + uniq + ".tld\ndns:b." + uniq + ".tld\n", Digest.SHA384.toString() }, res); } @Test public void testSimpleClient() throws IOException, GeneralSecurityException { PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] { - CertificateIssueForm.OID_KEY_USAGE_SSL_CLIENT - }, new RFC822Name(uniq + "@testdom.com")); + CertificateRequest.OID_KEY_USAGE_SSL_CLIENT + }, new RFC822Name(email)); - String pem = generatePEMCSR(kp, "CN=testuser testname,email=" + uniq + "@testdom.com", atts, "SHA512WithRSA"); + String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA"); String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8")); assertArrayEquals(new String[] { - "client", "testuser testname", "email:" + uniq + "@testdom.com\n", Digest.SHA512.toString() + "client", "a b", "email:" + email + "\n", Digest.SHA512.toString() }, res); } 
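Review bot: OnPageError, declared at the top of the class in this hunk, extends java.lang.Error, which the JDK reserves for conditions an application should not catch; since it is thrown only to signal that a fetched page rendered an error box and is caught by name in testSPKAC, `RuntimeException` is the idiomatic base and keeps any broad `catch (Error e)` elsewhere in the test from swallowing it. The class also has no comment saying what its message carries; I would add `/** Thrown when a fetched page shows an error box; the message is the full page body. */` above it, since extractFormData passes the whole response as the message. The `serialVersionUID` field can stay either way.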
@@ -119,23 +126,23 @@ public class TestCertificateAdd extends ManagedTest { @Test public void testIssue() throws IOException, GeneralSecurityException { PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] { - CertificateIssueForm.OID_KEY_USAGE_SSL_CLIENT - }, new RFC822Name(uniq + "@testdom.com")); + CertificateRequest.OID_KEY_USAGE_SSL_CLIENT + }, new RFC822Name(email)); - String pem = generatePEMCSR(kp, "CN=testuser testname,email=" + uniq + "@testdom.com", atts, "SHA512WithRSA"); + String pem = generatePEMCSR(kp, "CN=a b,email=" + email, atts, "SHA512WithRSA"); String[] res = fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8")); assertArrayEquals(new String[] { - "client", "testuser testname", "email:" + uniq + "@testdom.com\n", Digest.SHA512.toString() + "client", "a b", "email:" + email + "\n", Digest.SHA512.toString() }, res); HttpURLConnection huc = (HttpURLConnection) ncert.openConnection(); - huc.setRequestProperty("Cookie", session); + huc.setRequestProperty("Cookie", cookie); huc.setDoOutput(true); OutputStream out = huc.getOutputStream(); - out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes()); - out.write(("&profile=client&CN=testuser+testname&SANs=" + URLEncoder.encode("email:" + uniq + "@testdom.com\n", "UTF-8")).getBytes()); - out.write(("&hash_alg=SHA512&CCA=y").getBytes()); + out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8")); + out.write(("&CN=" + URLEncoder.encode(CertificateRequest.DEFAULT_CN, "UTF-8") + "&profile=client&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8")); + out.write(("&hash_alg=SHA512").getBytes("UTF-8")); URLConnection uc = authenticate(new URL(huc.getHeaderField("Location") + ".crt")); String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8")); 
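Review bot: The Location header is read without checking that the POST succeeded, so a rejected issuance ends in `new URL("null.crt")` throwing MalformedURLException instead of a readable assertion; createCertWithValidity later in the file guards `certurl == null`, and the same guard belongs here: `String location = huc.getHeaderField("Location"); assertNotNull("certificate request was not redirected", location);` before the `authenticate(...)` call. The body is written to `out` without flush or close, and the code appears to rely on getHeaderField() completing the request as a side effect; a one-line comment stating that would save the next reader a detour. testIssue's body continues outside this hunk.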
@@ -143,20 +150,58 @@ public class TestCertificateAdd extends ManagedTest { byte[] cer = IOUtils.readURL(uc.getInputStream()); assertArrayEquals(cer, PEM.decode("CERTIFICATE", crt)); - uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install")); - byte[] cer2 = IOUtils.readURL(uc.getInputStream()); - assertArrayEquals(cer, cer2); + uc = authenticate(new URL(huc.getHeaderField("Location") + ".cer?install&chain")); + byte[] pkcs7 = IOUtils.readURL(uc.getInputStream()); + PKCS7 p7 = new PKCS7(pkcs7); + byte[] sub = verifyChain(p7.getCertificates()); + assertArrayEquals(cer, sub); assertEquals("application/x-x509-user-cert", uc.getHeaderField("Content-type")); uc = authenticate(new URL(huc.getHeaderField("Location"))); String gui = IOUtils.readURL(uc); + Pattern p = Pattern.compile("-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----"); + Matcher m = p.matcher(gui); + assertTrue(m.find()); + byte[] cert = PEM.decode("CERTIFICATE", m.group(0)); + Certificate c = CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(cert)); + gui = c.toString(); assertThat(gui, containsString("clientAuth")); - assertThat(gui, containsString("CN=testuser testname")); + assertThat(gui, containsString("CN=" + CertificateRequest.DEFAULT_CN)); assertThat(gui, containsString("SHA512withRSA")); - assertThat(gui, containsString("RFC822Name: " + uniq + "@testdom.com")); + assertThat(gui, containsString("RFC822Name: " + email)); } + private byte[] verifyChain(X509Certificate[] x509Certificates) throws GeneralSecurityException { + X509Certificate current = null; + nextCert: + while (true) { + for (int i = 0; i < x509Certificates.length; i++) { + X509Certificate cert = x509Certificates[i]; + if (current == null) { + if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) { + current = cert; + continue nextCert; + } + } else { + if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) { + continue; + } + if 
(current.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) { + Signature s = Signature.getInstance(cert.getSigAlgName()); + s.initVerify(current.getPublicKey()); + s.update(cert.getTBSCertificate()); + assertTrue(s.verify(cert.getSignature())); + current = cert; + continue nextCert; + } + } + } + assertNotNull(current); + return current.getEncoded(); + } + } + @Test public void testValidityPeriodCalendar() throws IOException, GeneralSecurityException { testCertificateValidityRelative(Calendar.YEAR, 2, "2y", true); @@ -179,13 +224,15 @@ public class TestCertificateAdd extends ManagedTest { Date start = new Date(now); Date end = new Date(now + MS_PER_DAY * 10); - X509Certificate res = createCertWithValidity("&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end)); + String validity = "&validFrom=" + sdf.format(start) + "&validity=" + sdf.format(end); + X509Certificate res = createCertWithValidity(validity, false); + assertNotNull(validity, res); assertEquals(start, res.getNotBefore()); assertEquals(end, res.getNotAfter()); } private void testCertificateValidityRelative(int field, int amount, String length, boolean shouldsucceed) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException { - X509Certificate parsed = createCertWithValidity("&validFrom=now&validity=" + length); + X509Certificate parsed = createCertWithValidity("&validFrom=now&validity=" + length, false); if (parsed == null) { assertTrue( !shouldsucceed); return; 
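Review bot: verifyChain, added in this hunk, rebuilds signature verification by hand with Signature.getInstance/initVerify/update/verify, which `cert.verify(current.getPublicKey());` already does in one call and throws on mismatch, so the four lines and the assertTrue collapse to that single statement. The anchor is whichever self-signed certificate the PKCS7 happens to contain and its own signature is never checked, so the method proves that the served chain is internally consistent, not that it ends at the test CA; if the test fixtures expose the issuing root, compare `current` against it before returning. A method comment is also missing; `/** Walks the chain from its self-signed root, checking each signature against its issuer, and returns the DER encoding of the last certificate reached. */` describes what the loop does. testIssue in the same hunk parses the GUI certificate with `CertificateFactory.getInstance("X509")` while createCertWithValidity uses `"X.509"`; both resolve to the same factory, but one spelling across the file reads better.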
@@ -204,22 +251,25 @@ public class TestCertificateAdd extends ManagedTest { assertEquals(c.getTime(), end); } - private X509Certificate createCertWithValidity(String validity) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException { + private X509Certificate createCertWithValidity(String validity, boolean login) throws IOException, GeneralSecurityException, UnsupportedEncodingException, MalformedURLException, CertificateException { PKCS10Attributes atts = buildAtts(new ObjectIdentifier[] { - CertificateIssueForm.OID_KEY_USAGE_SSL_CLIENT - }, new RFC822Name(uniq + "@testdom.com")); + CertificateRequest.OID_KEY_USAGE_SSL_CLIENT + }, new RFC822Name(email)); - String pem = generatePEMCSR(kp, "CN=testuser testname", atts, "SHA512WithRSA"); + String pem = generatePEMCSR(kp, "CN=a b", atts, "SHA512WithRSA"); fillOutForm("CSR=" + URLEncoder.encode(pem, "UTF-8")); HttpURLConnection huc = (HttpURLConnection) ncert.openConnection(); - huc.setRequestProperty("Cookie", session); + huc.setRequestProperty("Cookie", cookie); huc.setDoOutput(true); OutputStream out = huc.getOutputStream(); - out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes()); - out.write(("&profile=client&CN=testuser+testname&SANs=" + URLEncoder.encode("email:" + uniq + "@testdom.com\n", "UTF-8")).getBytes()); - out.write(("&hash_alg=SHA512&CCA=y&").getBytes()); - out.write(validity.getBytes()); + out.write(("csrf=" + URLEncoder.encode(csrf, "UTF-8")).getBytes("UTF-8")); + out.write(("&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs=" + URLEncoder.encode("email:" + email + "\n", "UTF-8")).getBytes("UTF-8")); + out.write(("&hash_alg=SHA512&").getBytes("UTF-8")); + if (login) { + out.write(("login=1&").getBytes("UTF-8")); + } + out.write(validity.getBytes("UTF-8")); String certurl = huc.getHeaderField("Location"); if (certurl == null) { 
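Review bot: The CN value is spliced into the form body unencoded, `"&profile=client&CN=" + CertificateRequest.DEFAULT_CN + "&SANs="`, while testIssue in the hunk above encodes the same constant with URLEncoder; the expected strings elsewhere in this diff suggest DEFAULT_CN contains spaces, so the line should read `"&profile=client&CN=" + URLEncoder.encode(CertificateRequest.DEFAULT_CN, "UTF-8") + "&SANs="`. The new `login` parameter is undocumented and every visible caller passes `false`; a Javadoc `@param login whether to append {@code login=1} to the request body` on createCertWithValidity would state what it selects, as far as this hunk shows. The body-building block duplicates testIssue almost line for line, so a private helper taking the extra fields would keep the two requests in step, and `out` is again never flushed or closed.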
@@ -229,19 +279,19 @@ public class TestCertificateAdd extends ManagedTest { String crt = IOUtils.readURL(new InputStreamReader(uc.getInputStream(), "UTF-8")); CertificateFactory cf = CertificateFactory.getInstance("X.509"); - X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(crt.getBytes())); + X509Certificate parsed = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(crt.getBytes("UTF-8"))); return parsed; } private URLConnection authenticate(URL url) throws IOException { URLConnection uc = url.openConnection(); - uc.setRequestProperty("Cookie", session); + uc.setRequestProperty("Cookie", cookie); return uc; } protected String testSPKAC(boolean correctChallange) throws GeneralSecurityException, IOException { HttpURLConnection uc = (HttpURLConnection) ncert.openConnection(); - uc.setRequestProperty("Cookie", session); + uc.setRequestProperty("Cookie", cookie); String s = IOUtils.readURL(uc); csrf = extractPattern(s, Pattern.compile("]*name='csrf' [^>]*value='([^']*)'>")); @@ -256,10 +306,11 @@ public class TestCertificateAdd extends ManagedTest { fail("Should not succeed with wrong challange."); } assertArrayEquals(new String[] { - "client", CertificateIssueForm.DEFAULT_CN, "", Digest.SHA512.toString() + "client", CertificateRequest.DEFAULT_CN, "", Digest.SHA512.toString() }, res); - } catch (Error e) { - assertTrue(e.getMessage().startsWith("
Challenge mismatch")); + } catch (OnPageError e) { + String error = fetchStartErrorMessage(e.getMessage()); + assertTrue(error, error.startsWith("

Challenge mismatch")); } return csrf; } @@ -273,7 +324,7 @@ public class TestCertificateAdd extends ManagedTest { } attributeValue.set("SANs", new SubjectAlternativeNameExtension(names)); PKCS10Attributes atts = new PKCS10Attributes(new PKCS10Attribute[] { - new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue) + new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, attributeValue) }); ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(// new Vector<>(Arrays.asList(ekuOIDs))); @@ -285,7 +336,7 @@ public class TestCertificateAdd extends ManagedTest { private String[] fillOutForm(String pem) throws IOException { HttpURLConnection uc = (HttpURLConnection) ncert.openConnection(); - uc.setRequestProperty("Cookie", session); + uc.setRequestProperty("Cookie", cookie); csrf = getCSRF(uc); return fillOutFormDirect(pem); @@ -294,9 +345,9 @@ public class TestCertificateAdd extends ManagedTest { private String[] fillOutFormDirect(String pem) throws IOException { HttpURLConnection uc = (HttpURLConnection) ncert.openConnection(); - uc.setRequestProperty("Cookie", session); + uc.setRequestProperty("Cookie", cookie); uc.setDoOutput(true); - uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" + pem).getBytes()); + uc.getOutputStream().write(("csrf=" + URLEncoder.encode(csrf, "UTF-8") + "&" + pem).getBytes("UTF-8")); uc.getOutputStream().flush(); return extractFormData(uc); @@ -304,9 +355,8 @@ public class TestCertificateAdd extends ManagedTest { private String[] extractFormData(HttpURLConnection uc) throws IOException, Error { String result = IOUtils.readURL(uc); - if (result.contains("

")) { - String s = fetchStartErrorMessage(result); - throw new Error(s); + if (hasError().matches(result)) { + throw new OnPageError(result); } String profileKey = extractPattern(result, Pattern.compile("