Esempio n. 1
0
 /**
  * Parse the ciphertext, process it, and return the response.
  *
  * FIXME Catch exceptions and return in a nice format.
  *
  * @param string $blob
  *   POST'ed ciphertext.
  * @return Message
  */
 public function handle($blob)
 {
     try {
         $reqMessage = $this->decode(StdMessage::NAME, $blob);
     } catch (InvalidMessageException $e) {
         $this->log->debug('Received invalid message', array('exception' => $e));
         $resp = new InsecureMessage(array('is_error' => 1, 'error_message' => 'Invalid message coding', array($e->getMessage(), $e->getTraceAsString())));
         return $resp->setCode(400);
     }
     $cxn = $this->cxnStore->getByCxnId($reqMessage->getCxnId());
     $validation = Cxn::getValidationMessages($cxn);
     if (!empty($validation)) {
         $this->log->error('Invalid cxn ({cxnId})', array('cxnId' => $reqMessage->getCxnId(), 'messages' => $validation));
         // $cxn is not valid, so we can't encode it use it for encoding.
         $resp = new InsecureMessage(array('is_error' => 1, 'error_message' => 'Invalid cxn details: ' . implode(', ', array_keys($validation))));
         return $resp->setCode(400);
     }
     try {
         list($entity, $action, $params, $appCert) = $reqMessage->getData();
         if ($this->certValidator) {
             $this->certValidator->validateCert($appCert);
             $appCertObj = X509Util::loadCert($appCert);
             $cn = $appCertObj->getDNProp('CN');
             if (count($cn) != 1 || $cn[0] !== $cxn['appId']) {
                 throw new InvalidMessageException('Invalid message: Submitted certificate does not matched expected appId');
             }
         }
         $respData = call_user_func($this->router, $cxn, $entity, $action, $params);
         $this->log->info('Processed API call ({entity}.{action})', array('entity' => $entity, 'action' => $action));
     } catch (\Exception $e) {
         $this->log->error('Error executing API call', array('request' => $reqMessage->getData(), 'exception' => $e));
         $respData = array('is_error' => 1, 'error_message' => $e->getMessage());
     }
     return new StdMessage($reqMessage->getCxnId(), $cxn['secret'], $respData);
 }
Esempio n. 2
0
 /**
  * In this case, we have an app whose $appCertPem appears valid, and we have CRL
  * whose $crlDistCertPem is signed, but the $crlDistCertPem has usage rules
  * which do not allow signing CRLs.
  */
 public function testCRL_SignedByNonDist()
 {
     // create CA
     $caKeyPairPems = KeyPair::create();
     $caCertPem = CA::create($caKeyPairPems, '/O=test');
     $this->assertNotEmpty($caCertPem);
     // create would-be CRL dist authority -- but not really authorized for signing CRLs.
     // note createCSR() instead of createCrlDistCSR().
     $crlDistKeyPairPems = KeyPair::create();
     $crlDistCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($crlDistKeyPairPems, '/O=test'));
     $this->assertNotEmpty($crlDistCertPem);
     $certValidator = new DefaultCertificateValidator($caCertPem, NULL, NULL);
     $certValidator->validateCert($crlDistCertPem);
     // create CRL
     $crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem);
     $this->assertNotEmpty($crlDistCertObj);
     $crlObj = new \File_X509();
     $crlObj->setSerialNumber(1, 10);
     $crlObj->setEndDate('+2 days');
     $crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj));
     $this->assertNotEmpty($crlPem);
     $crlObj->loadCRL($crlPem);
     // create cert
     $appKeyPair = KeyPair::create();
     $appCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($appKeyPair, '/O=Application Provider'), 4321);
     // validate cert - fails due to improper CRL
     try {
         $certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem);
         $certValidator->validateCert($appCertPem);
         $this->fail('Expected InvalidCertException, but no exception was reported.');
     } catch (InvalidCertException $e) {
         $this->assertRegExp('/CRL-signing certificate is not a CRL-signing certificate/', $e->getMessage());
     }
 }