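package se.anatom.ejbca.protocol.cmp;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.KeyPair;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;

import javax.ejb.CreateException;
import javax.ejb.DuplicateKeyException;
import javax.ejb.FinderException;
import javax.naming.Context;
import javax.naming.NamingException;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.DEROutputStream;
import org.ejbca.core.ejb.ServiceLocator;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionHome;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionRemote;
import org.ejbca.core.ejb.ra.IUserAdminSessionHome;
import org.ejbca.core.ejb.ra.IUserAdminSessionRemote;
import org.ejbca.core.model.SecConst;
import org.ejbca.core.model.approval.ApprovalException;
import org.ejbca.core.model.approval.WaitingForApprovalException;
import org.ejbca.core.model.authorization.AuthorizationDeniedException;
import org.ejbca.core.model.ca.caadmin.CAInfo;
import org.ejbca.core.model.ca.catoken.CATokenConstants;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.ra.UserDataConstants;
import org.ejbca.core.model.ra.raadmin.UserDoesntFullfillEndEntityProfile;
import org.ejbca.core.protocol.cmp.CmpMessageHelper;
import org.ejbca.util.Base64;
import org.ejbca.util.CertTools;
import org.ejbca.util.KeyTools;

import com.novosec.pkix.asn1.cmp.PKIMessage;

/**
 * Integration tests for CMP CRMF (initialisation) requests sent to the CMP servlet over HTTP.
 * <p>
 * The tests run against a deployed EJBCA instance reached via JNDI and require at least one
 * active CA. They cover: an unknown end entity being refused, the full request / confirm /
 * revoke round trip for a known user, and the server's handling of a foreign (BlueX) request
 * and of a deliberately corrupted message.
 * <p>
 * The test methods are order dependent (JUnit 3 runs them by name): {@code userDN} and
 * {@code issuerDN} are static and are rewritten by the constructor, by
 * {@link #test01CrmfHttpUnknowUser()} and by {@link #createCmpUser()}.
 */
public class CrmfRequestTest extends CmpTestCase {

    private static Logger log = Logger.getLogger(CrmfRequestTest.class);

    // Subject DN used for the requests; overwritten by test01 and by createCmpUser().
    private static String userDN = "CN=tomas1, UID=tomas2, O=PrimeKey Solutions AB, C=SE";
    // Default issuer; replaced in the constructor by the issuer DN of the located CA certificate.
    private static String issuerDN = "CN=AdminCA1,O=EJBCA Sample,C=SE";
    // Key pair for the CRMF request, generated lazily in setUp().
    private KeyPair keys = null;

    private static IUserAdminSessionRemote usersession;
    // Id of the CA the tests issue against; 0 means "not found".
    private static int caid = 0;
    private static Admin admin;
    // Certificate of the CA identified by caid; asserted non-null in the constructor.
    private static X509Certificate cacert = null;

    /**
     * Locates a CA to test against and caches its certificate and a user-admin session.
     * <p>
     * "AdminCA1" is preferred; otherwise the last CA the admin can see is used. Fails the test
     * (rather than dereferencing {@code null}) when no CA or no CA certificate can be found.
     *
     * @param arg0 test method name, passed to the JUnit superclass
     * @throws NamingException if the JNDI lookup of the CA admin session fails
     * @throws RemoteException on EJB remote failures
     * @throws CreateException if an EJB session cannot be created
     * @throws CertificateEncodingException if the CA certificate cannot be re-encoded
     * @throws CertificateException if the CA certificate cannot be parsed
     */
    public CrmfRequestTest(String arg0) throws NamingException, RemoteException, CreateException,
            CertificateEncodingException, CertificateException {
        super(arg0);
        admin = new Admin(Admin.TYPE_BATCHCOMMANDLINE_USER);
        CertTools.installBCProvider();
        Context ctx = getInitialContext();
        Object obj = ctx.lookup("CAAdminSession");
        ICAAdminSessionHome cahome = (ICAAdminSessionHome) javax.rmi.PortableRemoteObject.narrow(obj, ICAAdminSessionHome.class);
        ICAAdminSessionRemote casession = cahome.create();
        CAInfo adminca1 = casession.getCAInfo(admin, "AdminCA1");
        if (adminca1 == null) {
            // Fall back to whichever CA the iteration ends on.
            Collection caids = casession.getAvailableCAs(admin);
            Iterator iter = caids.iterator();
            while (iter.hasNext()) {
                caid = ((Integer) iter.next()).intValue();
            }
        } else {
            caid = adminca1.getCAId();
        }
        if (caid == 0) {
            fail("No active CA! Must have at least one active CA to run tests!");
        }
        CAInfo cainfo = casession.getCAInfo(admin, caid);
        Collection certs = cainfo.getCertificateChain();
        if (certs.size() > 0) {
            // Only the first chain element is considered, and only if it is the CA's own cert.
            Iterator certiter = certs.iterator();
            X509Certificate cert = (X509Certificate) certiter.next();
            String subject = CertTools.getSubjectDN(cert);
            if (StringUtils.equals(subject, cainfo.getSubjectDN())) {
                // Re-parse from the DER encoding; this object is what the CMP helpers compare against.
                cacert = CertTools.getCertfromByteArray(cert.getEncoded());
            }
        } else {
            log.error("NO CACERT for caid " + caid);
        }
        // Without this the issuerDN assignment below throws a bare NullPointerException.
        assertNotNull("No CA certificate found for caid " + caid, cacert);
        IUserAdminSessionHome userhome = (IUserAdminSessionHome) ServiceLocator.getInstance().getRemoteHome(IUserAdminSessionHome.JNDI_NAME, IUserAdminSessionHome.class);
        usersession = userhome.create();

        issuerDN = cacert.getIssuerDN().getName();
    }

    /**
     * Creates a default JNDI initial context (configuration comes from the environment).
     *
     * @return a fresh {@link Context}
     * @throws NamingException if the context cannot be created
     */
    private Context getInitialContext() throws NamingException {
        log.debug(">getInitialContext");
        Context ctx = new javax.naming.InitialContext();
        log.debug("<getInitialContext");
        return ctx;
    }

    /**
     * Generates the request key pair once per test instance.
     * <p>
     * 512-bit RSA is used only because it is fast to generate; it is far below any acceptable
     * production key size and must not be copied into non-test code.
     */
    protected void setUp() throws Exception {
        super.setUp();
        if (keys == null) {
            keys = KeyTools.genKeys("512", CATokenConstants.KEYALGORITHM_RSA);
        }
    }

    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * DER-encodes a PKIMessage into the bytes posted to the CMP servlet.
     *
     * @param msg the message to encode
     * @return the DER encoding
     * @throws IOException if encoding fails
     */
    private static byte[] encodeMessage(PKIMessage msg) throws IOException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        DEROutputStream out = new DEROutputStream(bao);
        out.writeObject(msg);
        return bao.toByteArray();
    }

    /**
     * A CRMF request for an end entity that does not exist must be answered with a failure
     * ("User ... not found.") and no certificate.
     */
    public void test01CrmfHttpUnknowUser() throws Exception {
        userDN = "CN=abc123rry5774466, O=PrimeKey Solutions AB, C=SE";

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        PKIMessage req = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, false);
        assertNotNull(req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
        byte[] ba = encodeMessage(req);
        byte[] resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, true, false);
        checkCmpFailMessage(resp, "User abc123rry5774466 not found.", 1, reqId, 7);
    }

    /**
     * Full round trip for a known user: request a certificate, confirm it, then attempt a
     * revocation. The revocation request carries no PKI protection and the server is expected
     * to reject it with "No PKI protection to verify." rather than revoke the certificate.
     */
    public void test02CrmfHttpOkUser() throws Exception {

        createCmpUser();

        byte[] nonce = CmpMessageHelper.createSenderNonce();
        byte[] transid = CmpMessageHelper.createSenderNonce();

        // 1. Initialisation request; the issued cert must carry no subject alternative names.
        PKIMessage req = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, false);
        assertNotNull(req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
        byte[] ba = encodeMessage(req);
        byte[] resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, true, false);
        X509Certificate cert = checkCmpCertRepMessage(userDN, cacert, resp, reqId);
        String altNames = CertTools.getSubjectAlternativeName(cert);
        assertNull(altNames);

        // 2. Certificate confirmation. The certHash value is a placeholder, not a real hash;
        //    what the server accepts is checked by checkCmpPKIConfirmMessage.
        String hash = "foo123";
        PKIMessage confirm = genCertConfirm(userDN, cacert, nonce, transid, hash, reqId);
        assertNotNull(confirm);
        ba = encodeMessage(confirm);
        resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, false, false);
        checkCmpPKIConfirmMessage(userDN, cacert, resp);

        // 3. Unprotected revocation request; must fail with "No PKI protection to verify."
        PKIMessage rev = genRevReq(issuerDN, userDN, cert.getSerialNumber(), cacert, nonce, transid);
        assertNotNull(rev);
        ba = encodeMessage(rev);
        resp = sendCmpHttp(ba);
        assertNotNull(resp);
        assertTrue(resp.length > 0);
        checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, false, false);
        checkCmpFailMessage(resp, "No PKI protection to verify.", 23, reqId, 1);
    }

    /**
     * Sends the canned request in {@link #bluexir} (addressed to a foreign "Test CA 1") and
     * expects a PKI error message back.
     */
    public void test03BlueXCrmf() throws Exception {
        byte[] resp = sendCmpHttp(bluexir);
        assertNotNull(resp);
        checkCmpPKIErrorMessage(resp, "C=NL,O=A.E.T. Europe B.V.,OU=Development,CN=Test CA 1", "", 64, null);
    }

    /**
     * Corrupts several bytes of the canned request and expects the server to answer with a
     * generic failure message instead of crashing or issuing anything.
     */
    public void test04BadBytes() throws Exception {
        // Work on a copy: aliasing bluexir would corrupt the shared fixture for other tests.
        byte[] msg = (byte[]) bluexir.clone();
        msg[10] = 0;
        msg[15] = 0;
        msg[22] = 0;
        msg[56] = 0;
        msg[88] = 0;
        byte[] resp = sendCmpHttp(msg);
        assertNotNull(resp);
        checkCmpPKIErrorMessage(resp, "CN=Failure Sender", "CN=Failure Recipient", 4, null);
    }

    /**
     * Creates the test end entity "cmptest" (fixture password "foo123"), or resets its status
     * to NEW if it already exists, and points {@code userDN} at it.
     * <p>
     * Only a duplicate-key condition is treated as "already exists"; any other remote failure
     * is propagated so it surfaces at the point of failure.
     *
     * @throws RemoteException on EJB remote failures other than a duplicate user
     * @throws AuthorizationDeniedException if the admin may not manage users
     * @throws FinderException if the user cannot be looked up when resetting its status
     * @throws UserDoesntFullfillEndEntityProfile if the user data violates the profile
     * @throws ApprovalException if an approval request is pending or refused
     * @throws WaitingForApprovalException if the operation requires approval
     */
    private void createCmpUser() throws RemoteException, AuthorizationDeniedException, FinderException,
            UserDoesntFullfillEndEntityProfile, ApprovalException, WaitingForApprovalException {
        boolean userExists = false;
        userDN = "C=SE,O=PrimeKey,CN=cmptest";
        try {
            usersession.addUser(admin,"cmptest","foo123",userDN,null,"cmptest@primekey.se",false,SecConst.EMPTY_ENDENTITYPROFILE,SecConst.CERTPROFILE_FIXED_ENDUSER,SecConst.USER_ENDUSER,SecConst.TOKEN_SOFT_PEM,0,caid);
            log.debug("created user: cmptest, foo123, "+userDN);
        } catch (RemoteException re) {
            if (re.detail instanceof DuplicateKeyException) {
                userExists = true;
            } else {
                // Anything other than "already exists" is a real failure; do not hide it.
                throw re;
            }
        } catch (DuplicateKeyException dke) {
            userExists = true;
        }

        if (userExists) {
            log.debug("User cmptest already exists.");
            usersession.setUserStatus(admin,"cmptest",UserDataConstants.STATUS_NEW);
            log.debug("Reset status to NEW");
        }
    }

    // Canned DER-encoded CMP initialisation request used by test03 and (as a copy) test04.
    // Treat as read-only: it is shared by all test instances.
    static byte[] bluexir = Base64.decode(("MIICIjCB1AIBAqQCMACkVjBUMQswCQYDVQQGEwJOTDEbMBkGA1UEChMSQS5FLlQu"+
        "IEV1cm9wZSBCLlYuMRQwEgYDVQQLEwtEZXZlbG9wbWVudDESMBAGA1UEAxMJVGVz"+
        "dCBDQSAxoT4wPAYJKoZIhvZ9B0INMC8EEAK/H7Do+55N724Kdvxm7NcwCQYFKw4D"+
        "AhoFAAICA+gwDAYIKwYBBQUIAQIFAKILBAlzc2xjbGllbnSkEgQQpFpBsonfhnW8"+
        "ia1otGchraUSBBAyzd3nkKAzcJqGFrDw0jkYoIIBLjCCASowggEmMIIBIAIBADCC"+
        "ARmkJqARGA8yMDA2MDkxOTE2MTEyNlqhERgPMjAwOTA2MTUxNjExMjZapR0wGzEZ"+
        "MBcGA1UEAwwQU29tZSBDb21tb24gTmFtZaaBoDANBgkqhkiG9w0BAQEFAAOBjgAw"+
        "gYoCgYEAuBgTGPgXrS3AIPN6iXO6LNf5GzAcb/WZhvebXMdxdrMo9+5hw/Le5St/"+
        "Sz4J93rxU95b2LMuHTg8U6njxC2lZarNExZTdEwnI37X6ep7lq1purq80zD9bFXj"+
        "ougRD5MHfhDUAQC+btOgEXkanoAo8St3cbtHoYUacAXN2Zs/RVcCBAABAAGpLTAr"+
        "BgNVHREEJDAioCAGCisGAQQBgjcUAgOgEgwQdXBuQGFldGV1cm9wZS5ubIAAoBcD"+
        "FQAy/vSoNUevcdUxXkCQx3fvxkjh6A==").getBytes());

}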