 14  package se.anatom.ejbca.protocol.cmp;
 15
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.KeyPair;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;

import javax.ejb.CreateException;
import javax.ejb.DuplicateKeyException;
import javax.ejb.FinderException;
import javax.naming.Context;
import javax.naming.NamingException;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.DEROutputStream;
import org.ejbca.core.ejb.ServiceLocator;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionHome;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionRemote;
import org.ejbca.core.ejb.ra.IUserAdminSessionHome;
import org.ejbca.core.ejb.ra.IUserAdminSessionRemote;
import org.ejbca.core.model.SecConst;
import org.ejbca.core.model.approval.ApprovalException;
import org.ejbca.core.model.approval.WaitingForApprovalException;
import org.ejbca.core.model.authorization.AuthorizationDeniedException;
import org.ejbca.core.model.ca.caadmin.CAInfo;
import org.ejbca.core.model.ca.catoken.CATokenConstants;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.ra.UserDataConstants;
import org.ejbca.core.model.ra.raadmin.UserDoesntFullfillEndEntityProfile;
import org.ejbca.core.protocol.cmp.CmpMessageHelper;
import org.ejbca.util.Base64;
import org.ejbca.util.CertTools;
import org.ejbca.util.KeyTools;

import com.novosec.pkix.asn1.cmp.PKIMessage;
 54
 55
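/**
 * Tests CRMF-based CMP request handling against a running EJBCA instance,
 * sending DER-encoded {@link PKIMessage}s over HTTP through the inherited
 * {@code sendCmpHttp} helper and checking the responses with the inherited
 * {@code checkCmp*} helpers.
 *
 * <p>The fixture is resolved once per instance in the constructor: the admin
 * identity, the CA to issue from (AdminCA1 if present, otherwise the last
 * available CA id) and that CA's certificate. Test methods share the static
 * {@code userDN}, which {@code test01} and {@code createCmpUser} rewrite, so
 * the {@code testNN} methods are written to be run in name order.
 *
 * <p>JUnit 3 style fixture ({@code setUp}/{@code tearDown}); the assertion
 * methods are inherited from the test-case base class.
 */
public class CrmfRequestTest extends CmpTestCase {

    private static final Logger log = Logger.getLogger(CrmfRequestTest.class);

    // Subject DN of the end entity under test; overwritten by test01 and createCmpUser().
    private static String userDN = "CN=tomas1, UID=tomas2, O=PrimeKey Solutions AB, C=SE";
    // Issuer DN; replaced in the constructor with the issuer of the resolved CA certificate.
    private static String issuerDN = "CN=AdminCA1,O=EJBCA Sample,C=SE";
    // Per-instance request key pair, generated lazily in setUp().
    private KeyPair keys = null;

    private static IUserAdminSessionRemote usersession;
    // 0 means "no CA resolved yet"; the constructor asserts on it.
    private static int caid = 0;
    private static Admin admin;
    // Certificate of the CA identified by caid; null until the constructor finds it.
    private static X509Certificate cacert = null;

    /**
     * Resolves the shared fixture: admin identity, CA id, CA certificate and the
     * user-admin session bean.
     *
     * @param arg0 test method name, passed to the superclass constructor
     * @throws NamingException if the JNDI lookup of the CA admin session fails
     * @throws RemoteException if a remote session call fails
     * @throws CreateException if a session bean cannot be created
     * @throws CertificateEncodingException if the CA certificate cannot be re-encoded
     * @throws CertificateException if the CA certificate cannot be re-parsed
     */
    public CrmfRequestTest(String arg0) throws NamingException, RemoteException, CreateException, CertificateEncodingException, CertificateException {
        super(arg0);
        admin = new Admin(Admin.TYPE_BATCHCOMMANDLINE_USER);
        CertTools.installBCProvider();
        Context ctx = getInitialContext();
        Object obj = ctx.lookup("CAAdminSession");
        ICAAdminSessionHome cahome = (ICAAdminSessionHome) javax.rmi.PortableRemoteObject.narrow(obj, ICAAdminSessionHome.class);
        ICAAdminSessionRemote casession = cahome.create();
        CAInfo adminca1 = casession.getCAInfo(admin, "AdminCA1");
        if (adminca1 == null) {
            // No AdminCA1: fall back to whichever CA id comes last in the available set.
            Collection caids = casession.getAvailableCAs(admin);
            Iterator iter = caids.iterator();
            while (iter.hasNext()) {
                caid = ((Integer) iter.next()).intValue();
            }
        } else {
            caid = adminca1.getCAId();
        }
        // Assert on the condition itself instead of assertTrue(msg, false) inside an if.
        assertTrue("No active CA! Must have at least one active CA to run tests!", caid != 0);
        CAInfo cainfo = casession.getCAInfo(admin, caid);
        Collection certs = cainfo.getCertificateChain();
        if (certs.size() > 0) {
            Iterator certiter = certs.iterator();
            X509Certificate cert = (X509Certificate) certiter.next();
            String subject = CertTools.getSubjectDN(cert);
            // Only accept the first chain element as "the CA cert" if its subject matches the CA.
            if (StringUtils.equals(subject, cainfo.getSubjectDN())) {
                cacert = CertTools.getCertfromByteArray(cert.getEncoded());
            }
        } else {
            log.error("NO CACERT for caid " + caid);
        }
        IUserAdminSessionHome userhome = (IUserAdminSessionHome) ServiceLocator.getInstance().getRemoteHome(IUserAdminSessionHome.JNDI_NAME, IUserAdminSessionHome.class);
        usersession = userhome.create();

        // Fail with a clear message instead of a NullPointerException when no usable CA cert was found
        // (empty chain, or first chain element's subject did not match the CA).
        assertNotNull("No CA certificate resolved for caid " + caid, cacert);
        issuerDN = cacert.getIssuerDN().getName();
    }

    /**
     * Creates a default JNDI initial context.
     *
     * @return a new {@link javax.naming.InitialContext}
     * @throws NamingException if the context cannot be created
     */
    private Context getInitialContext() throws NamingException {
        log.debug(">getInitialContext");
        Context ctx = new javax.naming.InitialContext();
        log.debug("<getInitialContext");
        return ctx;
    }

    /**
     * Generates the request key pair on first use.
     * 512-bit RSA is chosen only to keep key generation fast in this test; it is far
     * below any production key size and must not be copied into non-test code.
     */
    protected void setUp() throws Exception {
        super.setUp();
        if (keys == null) {
            keys = KeyTools.genKeys("512", CATokenConstants.KEYALGORITHM_RSA);
        }
    }

    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * DER-encodes a CMP message for transport.
     *
     * @param msg the message to encode
     * @return the DER encoding of {@code msg}
     * @throws IOException if encoding fails (the target is in-memory, so this is not expected)
     */
    private static byte[] encodeDer(PKIMessage msg) throws IOException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(msg);
        return bao.toByteArray();
    }

    /**
     * An initialization request for a user that does not exist must be answered with a
     * CMP failure message that names the unknown user, not with a certificate.
     */
    public void test01CrmfHttpUnknowUser() throws Exception {
        userDN = "CN=abc123rry5774466, O=PrimeKey Solutions AB, C=SE";

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        PKIMessage req = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, false);
        assertNotNull(req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
        byte[] ba = encodeDer(req);

        byte[] resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, true, false);
        checkCmpFailMessage(resp, "User abc123rry5774466 not found.", 1, reqId, 7);
    }

    /**
     * Happy path for an existing user: initialization request yields a certificate
     * without subject alternative names, the certificate confirmation is acknowledged,
     * and a revocation request sent without PKI protection is refused with
     * "No PKI protection to verify." (the server must not revoke on an unprotected request).
     */
    public void test02CrmfHttpOkUser() throws Exception {
        createCmpUser();

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        PKIMessage req = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, false);
        assertNotNull(req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
        byte[] ba = encodeDer(req);
        byte[] resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, true, false);
        X509Certificate cert = checkCmpCertRepMessage(userDN, cacert, resp, reqId);
        String altNames = CertTools.getSubjectAlternativeName(cert);
        assertNull(altNames);

        // Dummy certificate hash for the confirmation message; the server is expected to acknowledge it.
        String hash = "foo123";
        PKIMessage confirm = genCertConfirm(userDN, cacert, nonce, transid, hash, reqId);
        assertNotNull(confirm);
        ba = encodeDer(confirm);
        resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, false, false);
        checkCmpPKIConfirmMessage(userDN, cacert, resp);

        // Revocation without PKI protection: the expected outcome is a failure, never a revoked cert.
        PKIMessage rev = genRevReq(issuerDN, userDN, cert.getSerialNumber(), cacert, nonce, transid);
        assertNotNull(rev);
        ba = encodeDer(rev);
        resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, false, false);
        checkCmpFailMessage(resp, "No PKI protection to verify.", 23, reqId, 1);
    }

    /**
     * Sends the pre-recorded {@link #bluexir} request as-is and expects a PKI error
     * message addressed to its original sender.
     */
    public void test03BlueXCrmf() throws Exception {
        byte[] resp = sendCmpHttp(bluexir);
        assertNotNull(resp);
        checkCmpPKIErrorMessage(resp, "C=NL,O=A.E.T. Europe B.V.,OU=Development,CN=Test CA 1", "", 64, null);
    }

    /**
     * Corrupts a handful of bytes in the pre-recorded request and expects the server to
     * answer with a generic PKI error rather than crash or issue anything.
     */
    public void test04BadBytes() throws Exception {
        // Work on a copy: the original assigned the shared static array and then zeroed bytes
        // in place, which corrupted the fixture for any test that ran afterwards.
        byte[] msg = (byte[]) bluexir.clone();
        msg[10] = 0;
        msg[15] = 0;
        msg[22] = 0;
        msg[56] = 0;
        msg[88] = 0;
        byte[] resp = sendCmpHttp(msg);
        assertNotNull(resp);
        checkCmpPKIErrorMessage(resp, "CN=Failure Sender", "CN=Failure Recipient", 4, null);
    }

    /**
     * Ensures the end entity "cmptest" exists with status NEW and points {@link #userDN}
     * at it. If the user already exists, its status is reset to NEW so a fresh request
     * can be issued.
     *
     * @throws RemoteException if the remote call fails for any reason other than the
     *         user already existing (such failures are propagated, not swallowed)
     * @throws AuthorizationDeniedException if the admin may not manage the user
     * @throws FinderException if the existing user cannot be looked up for the status reset
     * @throws UserDoesntFullfillEndEntityProfile if the user data violates the end entity profile
     * @throws ApprovalException if an approval is required
     * @throws WaitingForApprovalException if the action is pending approval
     */
    private void createCmpUser() throws RemoteException, AuthorizationDeniedException, FinderException, UserDoesntFullfillEndEntityProfile, ApprovalException, WaitingForApprovalException {
        boolean userExists = false;
        userDN = "C=SE,O=PrimeKey,CN=cmptest";
        try {
            usersession.addUser(admin, "cmptest", "foo123", userDN, null, "cmptest@primekey.se", false, SecConst.EMPTY_ENDENTITYPROFILE, SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.USER_ENDUSER, SecConst.TOKEN_SOFT_PEM, 0, caid);
            // Do not log the enrollment password, even for a test user.
            log.debug("created user: cmptest, " + userDN);
        } catch (RemoteException re) {
            if (re.detail instanceof DuplicateKeyException) {
                userExists = true;
            } else {
                // Any other remote failure is a real error; the original swallowed it and
                // continued as if the user had just been created.
                throw re;
            }
        } catch (DuplicateKeyException dke) {
            userExists = true;
        }

        if (userExists) {
            log.debug("User cmptest already exists.");
            usersession.setUserStatus(admin, "cmptest", UserDataConstants.STATUS_NEW);
            log.debug("Reset status to NEW");
        }
    }

    // Pre-recorded, Base64-encoded CMP request used as an opaque fixture by test03 and test04.
    // Shared across tests; callers that modify it must work on a copy.
    static byte[] bluexir = Base64.decode(("MIICIjCB1AIBAqQCMACkVjBUMQswCQYDVQQGEwJOTDEbMBkGA1UEChMSQS5FLlQu"+
        "IEV1cm9wZSBCLlYuMRQwEgYDVQQLEwtEZXZlbG9wbWVudDESMBAGA1UEAxMJVGVz"+
        "dCBDQSAxoT4wPAYJKoZIhvZ9B0INMC8EEAK/H7Do+55N724Kdvxm7NcwCQYFKw4D"+
        "AhoFAAICA+gwDAYIKwYBBQUIAQIFAKILBAlzc2xjbGllbnSkEgQQpFpBsonfhnW8"+
        "ia1otGchraUSBBAyzd3nkKAzcJqGFrDw0jkYoIIBLjCCASowggEmMIIBIAIBADCC"+
        "ARmkJqARGA8yMDA2MDkxOTE2MTEyNlqhERgPMjAwOTA2MTUxNjExMjZapR0wGzEZ"+
        "MBcGA1UEAwwQU29tZSBDb21tb24gTmFtZaaBoDANBgkqhkiG9w0BAQEFAAOBjgAw"+
        "gYoCgYEAuBgTGPgXrS3AIPN6iXO6LNf5GzAcb/WZhvebXMdxdrMo9+5hw/Le5St/"+
        "Sz4J93rxU95b2LMuHTg8U6njxC2lZarNExZTdEwnI37X6ep7lq1purq80zD9bFXj"+
        "ougRD5MHfhDUAQC+btOgEXkanoAo8St3cbtHoYUacAXN2Zs/RVcCBAABAAGpLTAr"+
        "BgNVHREEJDAioCAGCisGAQQBgjcUAgOgEgwQdXBuQGFldGV1cm9wZS5ubIAAoBcD"+
        "FQAy/vSoNUevcdUxXkCQx3fvxkjh6A==").getBytes());

}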