/** * Parse the ciphertext, process it, and return the response. * * FIXME Catch exceptions and return in a nice format. * * @param string $blob * POST'ed ciphertext. * @return Message */ public function handle($blob) { try { $reqMessage = $this->decode(StdMessage::NAME, $blob); } catch (InvalidMessageException $e) { $this->log->debug('Received invalid message', array('exception' => $e)); $resp = new InsecureMessage(array('is_error' => 1, 'error_message' => 'Invalid message coding', array($e->getMessage(), $e->getTraceAsString()))); return $resp->setCode(400); } $cxn = $this->cxnStore->getByCxnId($reqMessage->getCxnId()); $validation = Cxn::getValidationMessages($cxn); if (!empty($validation)) { $this->log->error('Invalid cxn ({cxnId})', array('cxnId' => $reqMessage->getCxnId(), 'messages' => $validation)); // $cxn is not valid, so we can't encode it use it for encoding. $resp = new InsecureMessage(array('is_error' => 1, 'error_message' => 'Invalid cxn details: ' . implode(', ', array_keys($validation)))); return $resp->setCode(400); } try { list($entity, $action, $params, $appCert) = $reqMessage->getData(); if ($this->certValidator) { $this->certValidator->validateCert($appCert); $appCertObj = X509Util::loadCert($appCert); $cn = $appCertObj->getDNProp('CN'); if (count($cn) != 1 || $cn[0] !== $cxn['appId']) { throw new InvalidMessageException('Invalid message: Submitted certificate does not matched expected appId'); } } $respData = call_user_func($this->router, $cxn, $entity, $action, $params); $this->log->info('Processed API call ({entity}.{action})', array('entity' => $entity, 'action' => $action)); } catch (\Exception $e) { $this->log->error('Error executing API call', array('request' => $reqMessage->getData(), 'exception' => $e)); $respData = array('is_error' => 1, 'error_message' => $e->getMessage()); } return new StdMessage($reqMessage->getCxnId(), $cxn['secret'], $respData); }
/** * In this case, we have an app whose $appCertPem appears valid, and we have CRL * whose $crlDistCertPem is signed, but the $crlDistCertPem has usage rules * which do not allow signing CRLs. */ public function testCRL_SignedByNonDist() { // create CA $caKeyPairPems = KeyPair::create(); $caCertPem = CA::create($caKeyPairPems, '/O=test'); $this->assertNotEmpty($caCertPem); // create would-be CRL dist authority -- but not really authorized for signing CRLs. // note createCSR() instead of createCrlDistCSR(). $crlDistKeyPairPems = KeyPair::create(); $crlDistCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($crlDistKeyPairPems, '/O=test')); $this->assertNotEmpty($crlDistCertPem); $certValidator = new DefaultCertificateValidator($caCertPem, NULL, NULL); $certValidator->validateCert($crlDistCertPem); // create CRL $crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem); $this->assertNotEmpty($crlDistCertObj); $crlObj = new \File_X509(); $crlObj->setSerialNumber(1, 10); $crlObj->setEndDate('+2 days'); $crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj)); $this->assertNotEmpty($crlPem); $crlObj->loadCRL($crlPem); // create cert $appKeyPair = KeyPair::create(); $appCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($appKeyPair, '/O=Application Provider'), 4321); // validate cert - fails due to improper CRL try { $certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem); $certValidator->validateCert($appCertPem); $this->fail('Expected InvalidCertException, but no exception was reported.'); } catch (InvalidCertException $e) { $this->assertRegExp('/CRL-signing certificate is not a CRL-signing certificate/', $e->getMessage()); } }