|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
require_once 'test/smimeTest.php'; |
|
4
|
|
|
|
|
5
|
|
|
// Disable OCSP for tests |
|
6
|
|
|
define('PLUGIN_SMIME_ENABLE_OCSP', false); |
|
7
|
|
|
define('SMIME_STATUS_SUCCESS', 1); |
|
8
|
|
|
define('SMIME_OCSP_DISABLED', 1); |
|
9
|
|
|
|
|
10
|
|
|
require_once 'php/util.php'; |
|
11
|
|
|
|
|
12
|
|
|
/** |
|
13
|
|
|
* @internal |
|
14
|
|
|
* |
|
15
|
|
|
* @coversNothing |
|
16
|
|
|
*/ |
|
17
|
|
|
class UploadCertificateTest extends SMIMETest { |
|
18
|
|
|
public const DAY_EPOCH = 86400; |
|
19
|
|
|
public const PASSPHRASE = 'test'; |
|
20
|
|
|
public const EMAIL_ADDRESS = '[email protected]'; |
|
21
|
|
|
|
|
22
|
|
|
// Cache private key generation |
|
23
|
|
|
private $privkey = ''; |
|
24
|
|
|
|
|
25
|
|
|
private function generatePKCS12($emailAddress = self::EMAIL_ADDRESS, $passphrase = self::PASSPHRASE) { |
|
26
|
|
|
$validFrom = time(); |
|
27
|
|
|
$validTo = time() + self::DAY_EPOCH * 365; |
|
28
|
|
|
$daysvalid = ($validTo - $validFrom) / self::DAY_EPOCH; |
|
29
|
|
|
$dn = [ |
|
30
|
|
|
"countryName" => "NL", |
|
31
|
|
|
"stateOrProvinceName" => "Zuid Holland", |
|
32
|
|
|
"localityName" => "Delft", |
|
33
|
|
|
"organizationName" => "grommunio", |
|
34
|
|
|
"organizationalUnitName" => "Dev", |
|
35
|
|
|
"commonName" => "John", |
|
36
|
|
|
"emailAddress" => $emailAddress, |
|
37
|
|
|
]; |
|
38
|
|
|
$config = ['config' => OPENSSL_CONF_PATH]; |
|
39
|
|
|
if (empty($this->privkey)) { |
|
40
|
|
|
$this->privkey = openssl_pkey_new(); |
|
41
|
|
|
} |
|
42
|
|
|
|
|
43
|
|
|
$csr = openssl_csr_new($dn, $this->privkey, $config); |
|
|
|
|
|
|
44
|
|
|
$sscert = openssl_csr_sign($csr, null, $this->privkey, $daysvalid, $config); |
|
45
|
|
|
openssl_x509_export($sscert, $publickey); |
|
46
|
|
|
openssl_pkcs12_export($publickey, $out, $this->privkey, $passphrase); |
|
47
|
|
|
|
|
48
|
|
|
return $out; |
|
49
|
|
|
} |
|
50
|
|
|
|
|
51
|
|
|
/** |
|
52
|
|
|
* @param string $days string formatted as -500d or +500d |
|
53
|
|
|
*/ |
|
54
|
|
|
private function generatePKCS12Faketime($days) { |
|
55
|
|
|
$libfaketime = '/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1'; |
|
56
|
|
|
if (!file_exists($libfaketime)) { |
|
57
|
|
|
// Arch libfaketime location |
|
58
|
|
|
$libfaketime = '/usr/lib/faketime/libfaketime.so.1'; |
|
59
|
|
|
} |
|
60
|
|
|
|
|
61
|
|
|
return base64_decode(shell_exec("LD_PRELOAD='{$libfaketime}' FAKETIME={$days} php ./test/create_pkcs12.php")); |
|
62
|
|
|
} |
|
63
|
|
|
|
|
64
|
|
|
/** |
|
65
|
|
|
* Test a valid generate certificate. |
|
66
|
|
|
*/ |
|
67
|
|
|
public function testValidCert() { |
|
68
|
|
|
$pkcs12 = $this->generatePKCS12(); |
|
69
|
|
|
[$message, $cert, $data, $imported] = validateUploadedPKCS($pkcs12, self::PASSPHRASE, self::EMAIL_ADDRESS); |
|
70
|
|
|
$this->assertEquals($message, ''); |
|
71
|
|
|
$this->assertNotEmpty($cert); |
|
72
|
|
|
$this->assertNotEmpty($data); |
|
73
|
|
|
} |
|
74
|
|
|
|
|
75
|
|
|
/** |
|
76
|
|
|
* Test an invalid PKCS#12 format. |
|
77
|
|
|
*/ |
|
78
|
|
|
public function testFaultyPKCS12() { |
|
79
|
|
|
$this->assertEquals(validateUploadedPKCS('burp', 'burp', '[email protected]')[0], 'Unable to decrypt certificate'); |
|
80
|
|
|
} |
|
81
|
|
|
|
|
82
|
|
|
/** |
|
83
|
|
|
* Test an incorrect passphrase. |
|
84
|
|
|
*/ |
|
85
|
|
|
public function testIncorrectPassphrase() { |
|
86
|
|
|
$pkcs12 = $this->generatePKCS12(); |
|
87
|
|
|
$this->assertEquals(validateUploadedPKCS($pkcs12, 'burp', '[email protected]')[0], 'Unable to decrypt certificate'); |
|
88
|
|
|
} |
|
89
|
|
|
|
|
90
|
|
|
/** |
|
91
|
|
|
* Test incorrect email address, which does not match the account <-> cert. |
|
92
|
|
|
*/ |
|
93
|
|
|
public function testIncorrectEmailAddress() { |
|
94
|
|
|
$pkcs12 = $this->generatePKCS12(); |
|
95
|
|
|
$this->assertEquals( |
|
96
|
|
|
validateUploadedPKCS($pkcs12, self::PASSPHRASE, '[email protected]')[0], |
|
97
|
|
|
"Certificate email address doesn't match grommunio Web account " . self::EMAIL_ADDRESS |
|
98
|
|
|
); |
|
99
|
|
|
} |
|
100
|
|
|
|
|
101
|
|
|
/** |
|
102
|
|
|
* Test an expired certificate. |
|
103
|
|
|
*/ |
|
104
|
|
|
public function testCertificateDateExpired() { |
|
105
|
|
|
$pkcs12 = $this->generatePKCS12Faketime('-500d'); |
|
106
|
|
|
[$message, $cert, $data, $imported] = validateUploadedPKCS($pkcs12, self::PASSPHRASE, self::EMAIL_ADDRESS); |
|
107
|
|
|
$validTo = date('Y-m-d', $data['validTo_time_t']); |
|
108
|
|
|
|
|
109
|
|
|
$this->assertEquals($message, sprintf("Certificate was expired on %s. Certificate has not been imported", $validTo)); |
|
110
|
|
|
$this->assertNotEmpty($cert); |
|
111
|
|
|
} |
|
112
|
|
|
|
|
113
|
|
|
/** |
|
114
|
|
|
* Test an certificate in the future. |
|
115
|
|
|
*/ |
|
116
|
|
|
public function testCertificateNotValid() { |
|
117
|
|
|
$pkcs12 = $this->generatePKCS12Faketime('+500d'); |
|
118
|
|
|
[$message, $cert, $data, $imported] = validateUploadedPKCS($pkcs12, self::PASSPHRASE, self::EMAIL_ADDRESS); |
|
119
|
|
|
$validFrom = date('Y-m-d', $data['validFrom_time_t']); |
|
120
|
|
|
|
|
121
|
|
|
$this->assertEquals($message, sprintf("Certificate is not yet valid %s. Certificate has not been imported", $validFrom)); |
|
122
|
|
|
$this->assertNotEmpty($cert); |
|
123
|
|
|
} |
|
124
|
|
|
} |
|
125
|
|
|
|
grommunio /
grommunio-web
Loading history...