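package se.anatom.ejbca.protocol.cmp;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.KeyPair;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;

import javax.ejb.CreateException;
import javax.ejb.DuplicateKeyException;
import javax.ejb.FinderException;
import javax.naming.Context;
import javax.naming.NamingException;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DEROutputStream;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionHome;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionRemote;
import org.ejbca.core.ejb.ra.IUserAdminSessionHome;
import org.ejbca.core.ejb.ra.IUserAdminSessionRemote;
import org.ejbca.core.model.SecConst;
import org.ejbca.core.model.approval.ApprovalException;
import org.ejbca.core.model.approval.WaitingForApprovalException;
import org.ejbca.core.model.authorization.AuthorizationDeniedException;
import org.ejbca.core.model.ca.caadmin.CAInfo;
import org.ejbca.core.model.ca.catoken.CATokenConstants;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.ra.UserDataConstants;
import org.ejbca.core.model.ra.raadmin.UserDoesntFullfillEndEntityProfile;
import org.ejbca.core.protocol.cmp.CmpMessageHelper;
import org.ejbca.util.Base64;
import org.ejbca.util.CertTools;
import org.ejbca.util.KeyTools;

import com.novosec.pkix.asn1.cmp.PKIMessage;

/**
 * Integration tests for CRMF initialization requests (ir) sent to EJBCA's CMP
 * service in RA mode over the raw TCP transport.
 *
 * All requests except the one in {@link #test04CrmfUnuahtenticated()} are
 * PBE (password-based MAC) protected with {@link #PBEPASSWORD}; the CA side is
 * presumably configured with the same shared secret, otherwise the successful
 * enrollments expected here cannot happen (NOTE(review): inferred from the
 * expected responses, confirm against the CMP configuration).
 *
 * The fixture needs a reachable EJB container (JNDI lookups in the constructor)
 * and at least one active CA. "AdminCA1" is preferred; otherwise an arbitrary
 * available CA is used. The tests are order dependent (test02 expects the user
 * created by createCmpUser, and several tests overwrite the static userDN).
 */
public class CrmfRATcpRequestTest extends CmpTestCase {

    private static final Logger log = Logger.getLogger(CrmfRATcpRequestTest.class);

    /** Shared secret for PBE protection of the CMP messages sent by these tests. */
    private static final String PBEPASSWORD = "password";

    /** Subject DN requested in the CRMF message; several tests overwrite it. */
    private static String userDN = "CN=tomas1,UID=tomas2,O=PrimeKey Solutions AB,C=SE";
    /** Issuer DN of the CA under test; replaced in the constructor by the real CA certificate's issuer. */
    private static String issuerDN = "CN=AdminCA1,O=EJBCA Sample,C=SE";
    /** Key pair whose public key goes into the request; generated in setUp for each test instance. */
    private KeyPair keys = null;

    private static IUserAdminSessionRemote usersession;
    private static int caid = 0;
    private static Admin admin;
    private static X509Certificate cacert = null;

    /**
     * Looks up the CA and user admin session beans, selects the CA to test
     * against and loads its certificate so responses can be verified.
     *
     * @param arg0 JUnit test name
     * @throws NamingException if a JNDI lookup fails
     * @throws RemoteException if a session bean call fails
     * @throws CreateException if a session bean cannot be created
     * @throws CertificateEncodingException if the CA certificate cannot be re-encoded
     * @throws CertificateException if the CA certificate cannot be parsed
     */
    public CrmfRATcpRequestTest(String arg0) throws NamingException, RemoteException, CreateException,
            CertificateEncodingException, CertificateException {
        super(arg0);
        admin = new Admin(Admin.TYPE_BATCHCOMMANDLINE_USER);
        CertTools.installBCProvider();
        Context ctx = getInitialContext();
        Object obj = ctx.lookup("CAAdminSession");
        ICAAdminSessionHome cahome = (ICAAdminSessionHome) javax.rmi.PortableRemoteObject.narrow(obj, ICAAdminSessionHome.class);
        ICAAdminSessionRemote casession = cahome.create();

        // Prefer AdminCA1; otherwise use whichever available CA the iterator yields last.
        CAInfo adminca1 = casession.getCAInfo(admin, "AdminCA1");
        if (adminca1 == null) {
            Collection caids = casession.getAvailableCAs(admin);
            Iterator iter = caids.iterator();
            while (iter.hasNext()) {
                caid = ((Integer) iter.next()).intValue();
            }
        } else {
            caid = adminca1.getCAId();
        }
        if (caid == 0) {
            fail("No active CA! Must have at least one active CA to run tests!");
        }

        // Only accept the first chain element as the CA certificate when its subject
        // matches the CA's configured subject DN.
        CAInfo cainfo = casession.getCAInfo(admin, caid);
        Collection certs = cainfo.getCertificateChain();
        if (certs.size() > 0) {
            Iterator certiter = certs.iterator();
            X509Certificate cert = (X509Certificate) certiter.next();
            String subject = CertTools.getSubjectDN(cert);
            if (StringUtils.equals(subject, cainfo.getSubjectDN())) {
                cacert = CertTools.getCertfromByteArray(cert.getEncoded());
            }
        } else {
            log.error("NO CACERT for caid " + caid);
        }
        // Fail with a clear message here instead of a NullPointerException on the
        // getIssuerDN() call below (also covers the subject-mismatch case).
        assertNotNull("No CA certificate found for caid " + caid + "; cannot verify CMP responses", cacert);

        obj = ctx.lookup("UserAdminSession");
        IUserAdminSessionHome userhome = (IUserAdminSessionHome) javax.rmi.PortableRemoteObject.narrow(obj, IUserAdminSessionHome.class);
        usersession = userhome.create();

        issuerDN = cacert.getIssuerDN().getName();
    }

    /** Returns the default JNDI initial context. */
    private Context getInitialContext() throws NamingException {
        log.debug(">getInitialContext");
        Context ctx = new javax.naming.InitialContext();
        log.debug("<getInitialContext");
        return ctx;
    }

    protected void setUp() throws Exception {
        super.setUp();
        if (keys == null) {
            // 512-bit RSA is far below any acceptable key size for real use; it is used
            // here only to keep key generation fast. Do not copy into non-test code.
            keys = KeyTools.genKeys("512", CATokenConstants.KEYALGORITHM_RSA);
        }
    }

    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * DER-encodes a CMP message into the byte form sent over the TCP transport.
     *
     * @param msg the message to encode
     * @return the DER encoding of {@code msg}
     * @throws IOException if encoding fails
     */
    private static byte[] derEncode(PKIMessage msg) throws IOException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        DEROutputStream out = new DEROutputStream(bao);
        try {
            out.writeObject(msg);
        } finally {
            out.close();
        }
        return bao.toByteArray();
    }

    /**
     * Sends a PBE-protected ir for an end entity that was never registered and
     * expects a certificate response anyway (RA mode: the protected request is
     * taken as sufficient to enroll the entity; NOTE(review): inferred from the
     * expected response, confirm against the RA-mode documentation).
     * The method name says "Http" but, like every test here, it uses TCP.
     */
    public void test01CrmfHttpUnknowUser() throws Exception {
        userDN = "CN=abc123rry5774466, O=PrimeKey Solutions AB, C=SE";

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        PKIMessage one = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, true);
        PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD);
        // Assert before dereferencing so a null request fails clearly rather than with an NPE.
        assertNotNull(req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();

        byte[] resp = sendCmpTcp(derEncode(req), 5);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, true, false);
        checkCmpCertRepMessage(userDN, cacert, resp, reqId);
    }

    /**
     * Registers the end entity "cmptest", enrolls it with a PBE-protected ir and
     * then completes the transaction with an (unprotected) certificate confirm.
     */
    public void test02CrmfHttpOkUser() throws Exception {
        createCmpUser();

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        PKIMessage one = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, true);
        PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD);
        assertNotNull(req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();

        byte[] resp = sendCmpTcp(derEncode(req), 5);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, true, false);
        checkCmpCertRepMessage(userDN, cacert, resp, reqId);

        // "foo123" is not a real certificate hash, so this only exercises the
        // certConf/PKIConfirm round-trip. The confirm reuses the request's senderNonce
        // and transactionID: the transaction id must match, but RFC 4210 expects a fresh
        // senderNonce per message (NOTE(review): check whether the server enforces either
        // the certHash or nonce freshness; it accepts this as written).
        String hash = "foo123";
        PKIMessage confirm = genCertConfirm(userDN, cacert, nonce, transid, hash, reqId);
        assertNotNull(confirm);
        resp = sendCmpTcp(derEncode(confirm), 5);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, false, false);
        checkCmpPKIConfirmMessage(userDN, cacert, resp);
    }

    /**
     * Replays a captured ir from a third-party client ({@link #bluexir}) verbatim.
     * The nonce, transaction id and request id used to validate the response are
     * parsed out of the captured bytes; the subject it asks for is "CN=Some Common Name".
     */
    public void test03BlueXCrmf() throws Exception {
        PKIMessage req = PKIMessage.getInstance(new ASN1InputStream(new ByteArrayInputStream(bluexir)).readObject());
        userDN = "CN=Some Common Name";
        byte[] resp = sendCmpTcp(bluexir, 5);
        assertNotNull(resp);
        byte[] senderNonce = req.getHeader().getSenderNonce().getOctets();
        byte[] transId = req.getHeader().getTransactionID().getOctets();
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, senderNonce, transId, true, false);
        checkCmpCertRepMessage(userDN, cacert, resp, reqId);
    }

    /**
     * Sends an ir without any message protection and expects the CA to reject it:
     * in RA mode the protection is the only authentication of the requester, so an
     * unprotected message must never result in a certificate.
     */
    public void test04CrmfUnuahtenticated() throws Exception {

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        PKIMessage req = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, true);
        assertNotNull(req);

        byte[] resp = sendCmpTcp(derEncode(req), 5);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, false, false);
        // The expected text (including its spelling) is the server's message and must match exactly.
        checkCmpPKIErrorMessage(resp, issuerDN, userDN, 2, "Received an unathenticated message in RA mode.");
    }

    /**
     * Protects the ir with an algorithm the server does not support (the {@code true}
     * flag to protectPKIMessage selects it) and expects an error naming that OID.
     */
    public void test05CrmfUnknownProtection() throws Exception {

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        PKIMessage one = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, true);
        PKIMessage req = protectPKIMessage(one, true, PBEPASSWORD);
        assertNotNull(req);

        byte[] resp = sendCmpTcp(derEncode(req), 5);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, false, false);
        checkCmpPKIErrorMessage(resp, issuerDN, userDN, 2, "Received CMP message with unknown protection alg: 1.2.840.113533.7.66.13.7.");
    }

    /**
     * Creates the end entity "cmptest" under the test CA, or resets its status to
     * NEW if it already exists so it can be enrolled again, and points userDN at it.
     *
     * A RemoteException whose detail is not a DuplicateKeyException is rethrown
     * instead of being dropped, so a failed creation surfaces as a test error here
     * rather than as a confusing enrollment failure later.
     */
    private void createCmpUser() throws RemoteException, AuthorizationDeniedException, FinderException,
            UserDoesntFullfillEndEntityProfile, ApprovalException, WaitingForApprovalException {
        boolean userExists = false;
        userDN = "C=SE,O=PrimeKey,CN=cmptest";
        try {
            usersession.addUser(admin, "cmptest", "foo123", userDN, null, "cmptest@primekey.se", false,
                    SecConst.EMPTY_ENDENTITYPROFILE, SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.USER_ENDUSER,
                    SecConst.TOKEN_SOFT_PEM, 0, caid);
            // The enrollment password is deliberately not logged.
            log.debug("created user: cmptest, " + userDN);
        } catch (RemoteException re) {
            if (re.detail instanceof DuplicateKeyException) {
                userExists = true;
            } else {
                throw re;
            }
        } catch (DuplicateKeyException dke) {
            userExists = true;
        }

        if (userExists) {
            log.debug("User cmptest already exists.");
            usersession.setUserStatus(admin, "cmptest", UserDataConstants.STATUS_NEW);
            log.debug("Reset status to NEW");
        }
    }

    /**
     * A captured, DER-encoded CMP ir from an external client, replayed by test03.
     * It appears to carry PasswordBasedMac protection (OID 1.2.840.113533.7.66.13 is
     * visible in the decoded header); whether the CA can verify that MAC depends on
     * the secret configured on the CA side.
     */
    static byte[] bluexir = Base64.decode(("MIICIjCB1AIBAqQCMACkVjBUMQswCQYDVQQGEwJOTDEbMBkGA1UEChMSQS5FLlQu"+
            "IEV1cm9wZSBCLlYuMRQwEgYDVQQLEwtEZXZlbG9wbWVudDESMBAGA1UEAxMJVGVz"+
            "dCBDQSAxoT4wPAYJKoZIhvZ9B0INMC8EEAK/H7Do+55N724Kdvxm7NcwCQYFKw4D"+
            "AhoFAAICA+gwDAYIKwYBBQUIAQIFAKILBAlzc2xjbGllbnSkEgQQpFpBsonfhnW8"+
            "ia1otGchraUSBBAyzd3nkKAzcJqGFrDw0jkYoIIBLjCCASowggEmMIIBIAIBADCC"+
            "ARmkJqARGA8yMDA2MDkxOTE2MTEyNlqhERgPMjAwOTA2MTUxNjExMjZapR0wGzEZ"+
            "MBcGA1UEAwwQU29tZSBDb21tb24gTmFtZaaBoDANBgkqhkiG9w0BAQEFAAOBjgAw"+
            "gYoCgYEAuBgTGPgXrS3AIPN6iXO6LNf5GzAcb/WZhvebXMdxdrMo9+5hw/Le5St/"+
            "Sz4J93rxU95b2LMuHTg8U6njxC2lZarNExZTdEwnI37X6ep7lq1purq80zD9bFXj"+
            "ougRD5MHfhDUAQC+btOgEXkanoAo8St3cbtHoYUacAXN2Zs/RVcCBAABAAGpLTAr"+
            "BgNVHREEJDAioCAGCisGAQQBgjcUAgOgEgwQdXBuQGFldGV1cm9wZS5ubIAAoBcD"+
            "FQAy/vSoNUevcdUxXkCQx3fvxkjh6A==").getBytes());

}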