/**
  * Build a throwaway CA for a test: a fresh key pair and a CA certificate for
  * the subject "/O=test".
  *
  * Both halves of the key pair and the certificate are asserted non-empty so
  * that a broken key-generation / OpenSSL setup fails here, at the root of
  * trust, rather than somewhere deeper in the test that consumes the CA.
  *
  * @return array
  *   Two elements: the CA key pair (an array with 'privatekey' and
  *   'publickey' entries) followed by the CA certificate (a PEM string,
  *   judging by the $caCertPem naming used elsewhere in this file).
  */
 protected function createCA()
 {
     $keyPair = KeyPair::create();
     foreach (array('privatekey', 'publickey') as $half) {
         $this->assertNotEmpty($keyPair[$half]);
     }

     $certPem = CA::create($keyPair, '/O=test');
     $this->assertNotEmpty($certPem);

     return array($keyPair, $certPem);
 }
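 /**
  * End-to-end flow between a site and an application provider: register,
  * make an API call in each direction of trust, then unregister. HTTP is
  * replaced by Http\FakeHttp so the server objects are invoked in-process,
  * and each fake transport asserts that requests go to the expected URL.
  *
  * Trust is rooted in the throwaway CA from createCA(). The validators are
  * constructed without a CRL distribution cert or CRL (the two NULL
  * arguments), so certificate revocation is deliberately not exercised here.
  */
 public function testRoundtrip()
 {
     $test = $this;
     list($caKeyPair, $caCert) = $this->createCA();
     $certValidator = new DefaultCertificateValidator($caCert, NULL, NULL);

     // The application provider sets up a RegistrationServer.
     $appKeyPair = KeyPair::create();
     $appCsr = CA::createAppCSR($appKeyPair, '/O=Application Provider, CN=app:abcd1234abcd1234');
     $appMeta = array(
         'title' => 'My App',
         'appId' => 'app:abcd1234abcd1234',
         'appCert' => CA::signCSR($caKeyPair, $caCert, $appCsr),
         'appUrl' => 'http://app-a.com/cxn',
         'perm' => array('api' => array(), 'grant' => array('view all contacts')),
     );
     $appCxnStore = new ArrayCxnStore();
     $regServer = new RegistrationServer($appMeta, $appKeyPair, $appCxnStore);
     $regServer->setCertValidator($certValidator);

     // The site connects to the registration server. Every outbound request
     // must be addressed to the app's registered URL; anything else fails.
     $siteCxnStore = new ArrayCxnStore();
     $regClient = new RegistrationClient($siteCxnStore, 'http://example.org/civicrm/cxn/api');
     $regClient->setCertValidator($certValidator);
     $regClient->setHttp(new Http\FakeHttp(function ($verb, $url, $blob) use ($regServer, $test) {
         $test->assertEquals('http://app-a.com/cxn', $url);
         return $regServer->handle($blob)->toHttp();
     }));
     list($cxnId, $regResponse) = $regClient->register($appMeta, $siteCxnStore);
     $this->assertEquals(0, $regResponse['is_error']);
     // Both sides now hold the connection, each recording the other's URL.
     // (Expected value first, as in the other assertEquals() calls here.)
     $siteCxn = $siteCxnStore->getByCxnId($cxnId);
     $this->assertEquals('http://app-a.com/cxn', $siteCxn['appUrl']);
     $appCxn = $appCxnStore->getByCxnId($cxnId);
     $this->assertEquals('http://example.org/civicrm/cxn/api', $appCxn['siteUrl']);

     // The application provider issues an API call to the site.
     $apiServer = new ApiServer($siteCxnStore);
     $apiServer->setCertValidator(new DefaultCertificateValidator($caCert, NULL, NULL));
     // Minimal router: 'echo' reflects its params back, anything else is
     // rejected. Strict comparison so a non-string $action can never match.
     $apiServer->setRouter(function ($cxn, $entity, $action, $params) {
         if ($action === 'echo') {
             return $params;
         }
         return array('message' => 'unrecognized action');
     });
     $apiClient = new ApiClient($appMeta, $appCxnStore, $cxnId);
     $apiClient->setHttp(new Http\FakeHttp(function ($verb, $url, $blob) use ($apiServer, $test) {
         $test->assertEquals('http://example.org/civicrm/cxn/api', $url);
         return $apiServer->handle($blob)->toHttp();
     }));
     $this->assertEquals(array('whimsy'), $apiClient->call('Foo', 'echo', array('whimsy')));
     $this->assertEquals(array('message' => 'unrecognized action'), $apiClient->call('Foo', 'bar', array()));

     // The site unregisters; the connection must vanish from both stores.
     list($unregCxnId, $unregResponse) = $regClient->unregister($appMeta);
     $this->assertEquals(0, $unregResponse['is_error']);
     $this->assertNull($siteCxnStore->getByCxnId($cxnId));
     $this->assertNull($appCxnStore->getByCxnId($cxnId));
 }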
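 /**
  * A RegistrationServer must answer input it cannot decode with HTTP 400 and
  * an error payload, rather than throwing or acting on the message.
  *
  * @param array $appKeyPair
  *   Key pair (with 'privatekey'/'publickey' entries) the app is registered
  *   under; supplied by the data provider.
  * @param Message $invalidInput
  *   The message under test; it is encode()d before being handed to the
  *   server.
  * @dataProvider invalidInputExamples
  */
 public function testInvalidInput($appKeyPair, $invalidInput)
 {
     list($caKeyPair, $caCert) = $this->createCA();
     $appCsr = CA::createAppCSR($appKeyPair, '/O=Application Provider');
     $appMeta = array(
         'title' => 'My App',
         'appId' => self::APP_ID,
         'appCert' => CA::signCSR($caKeyPair, $caCert, $appCsr),
         'appUrl' => 'http://app-a.com/cxn',
         'perm' => array('api' => array(), 'grant' => array('view all contacts')),
     );
     $appCxnStore = new ArrayCxnStore();
     $regServer = new RegistrationServer($appMeta, $appKeyPair, $appCxnStore);

     // Response headers are not inspected; only the body and status matter.
     list(, $blob, $code) = $regServer->handle($invalidInput->encode())->toHttp();
     $this->assertEquals(400, $code);
     // The error body is read as an InsecureMessage -- presumably because the
     // server has no authenticated peer to address a secure reply to; confirm
     // against RegistrationServer::handle().
     $data = InsecureMessage::decode($blob)->getData();
     $this->assertEquals(1, $data['is_error']);
     $this->assertEquals('Invalid message coding', $data['error_message']);
 }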
 /**
  * A CRL is only as trustworthy as the certificate that signed it. Here the
  * CRL issuer holds a certificate that chains to the CA and passes ordinary
  * validation, but it was issued from an application CSR (createAppCSR(),
  * not createCrlDistCSR()), so its usage rules do not permit signing CRLs.
  * Validating an otherwise-fine app certificate against that CRL must fail,
  * and fail specifically because the CRL signer is unsuitable.
  */
 public function testCRL_SignedByNonDist()
 {
     // Root of trust.
     $caKeys = KeyPair::create();
     $caPem = CA::create($caKeys, '/O=test');
     $this->assertNotEmpty($caPem);

     // Would-be CRL distribution authority, deliberately built from an app
     // CSR so it is *not* authorized to sign CRLs. It is still a valid leaf
     // cert in its own right: validateCert() is expected to throw on a bad
     // cert (see the try/catch below), so reaching the next statement is the
     // assertion.
     $distKeys = KeyPair::create();
     $distPem = CA::signCSR($caKeys, $caPem, CA::createAppCSR($distKeys, '/O=test'));
     $this->assertNotEmpty($distPem);
     $plainValidator = new DefaultCertificateValidator($caPem, NULL, NULL);
     $plainValidator->validateCert($distPem);

     // A CRL signed with that unauthorized certificate.
     $distCertObj = X509Util::loadCert($distPem, $distKeys, $caPem);
     $this->assertNotEmpty($distCertObj);
     $x509 = new \File_X509();
     $x509->setSerialNumber(1, 10);
     $x509->setEndDate('+2 days');
     $crlPem = $x509->saveCRL($x509->signCRL($distCertObj, $x509));
     $this->assertNotEmpty($crlPem);
     $x509->loadCRL($crlPem);

     // An ordinary app certificate from the same CA.
     $appKeys = KeyPair::create();
     $appPem = CA::signCSR($caKeys, $caPem, CA::createAppCSR($appKeys, '/O=Application Provider'), 4321);

     // With the bad CRL configured, validation must be refused -- and refused
     // for the right reason, not for some unrelated parsing problem.
     try {
         $crlValidator = new DefaultCertificateValidator($caPem, $distPem, $crlPem);
         $crlValidator->validateCert($appPem);
         $this->fail('Expected InvalidCertException, but no exception was reported.');
     } catch (InvalidCertException $e) {
         $this->assertRegExp('/CRL-signing certificate is not a CRL-signing certificate/', $e->getMessage());
     }
 }