smallstep-certificates/test/integration/scep/common_test.go

package sceptest

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/url"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/smallstep/pkcs7"
	"github.com/smallstep/scep"
	"go.step.sm/crypto/minica"
	"go.step.sm/crypto/x509util"

	"github.com/smallstep/certificates/ca"
	"github.com/smallstep/certificates/cas/apiv1"
)

func newCAClient(t *testing.T, caURL, rootFilepath string) *ca.Client {
	caClient, err := ca.NewClient(
		caURL,
		ca.WithRootFile(rootFilepath),
	)
	require.NoError(t, err)
	return caClient
}

func requireHealthyCA(t *testing.T, caClient *ca.Client) {
	ctx := context.Background()
	healthResponse, err := caClient.HealthWithContext(ctx)
	require.NoError(t, err)
	if assert.NotNil(t, healthResponse) {
		require.Equal(t, "ok", healthResponse.Status)
	}
}

// reservePort "reserves" a TCP port by opening a listener on a random
// port and immediately closing it. The port can then be assumed to be
// available for running a server on.
func reservePort(t *testing.T) (host, port string) {
	t.Helper()
	l, err := net.Listen("tcp", ":0")
	require.NoError(t, err)

	address := l.Addr().String()
	err = l.Close()
	require.NoError(t, err)

	host, port, err = net.SplitHostPort(address)
	require.NoError(t, err)

	return
}

type client struct {
	caURL      string
	caCert     *x509.Certificate
	httpClient *http.Client
}

func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) *client {
	t.Helper()
	trustedRoots := x509.NewCertPool()
	trustedRoots.AddCert(root)
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{
		RootCAs: trustedRoots,
	}
	httpClient := &http.Client{
		Transport: transport,
	}
	return &client{
		caURL:      caURL,
		httpClient: httpClient,
	}
}

func (c *client) getCACert(t *testing.T) error {
	// return early if CA certificate already available
	if c.caCert != nil {
		return nil
	}

	resp, err := c.httpClient.Get(fmt.Sprintf("%s?operation=GetCACert&message=test", c.caURL))
	if err != nil {
		return fmt.Errorf("failed get request: %w", err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return fmt.Errorf("failed reading response body: %w", err)
	}

	t.Log(string(body))

	// SCEP CA/RA certificate selection. If there's only a single certificate, it will
	// be used as the CA certificate at all times. If there's multiple, the first certificate
	// is assumed to be the certificate of the recipient to encrypt messages to.
	switch ct := resp.Header.Get("Content-Type"); ct {
	case "application/x-x509-ca-cert":
		cert, err := x509.ParseCertificate(body)
		if err != nil {
			return fmt.Errorf("failed parsing response body: %w", err)
		}
		if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
			return fmt.Errorf("certificate has unexpected public key type %T", cert.PublicKey)
		}
		c.caCert = cert
	case "application/x-x509-ca-ra-cert":
		certs, err := scep.CACerts(body)
		if err != nil {
			return fmt.Errorf("failed parsing response body: %w", err)
		}
		cert := certs[0]
		if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
			return fmt.Errorf("certificate has unexpected public key type %T", cert.PublicKey)
		}
		c.caCert = cert
	default:
		return fmt.Errorf("unexpected content-type value %q", ct)
	}

	return nil
}

func (c *client) requestCertificate(t *testing.T, commonName string, sans []string) (*x509.Certificate, error) {
	if err := c.getCACert(t); err != nil {
		return nil, fmt.Errorf("failed getting CA certificate: %w", err)
	}

	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, fmt.Errorf("failed creating SCEP private key: %w", err)
	}

	csr, err := x509util.CreateCertificateRequest(commonName, sans, signer)
	if err != nil {
		return nil, fmt.Errorf("failed creating CSR: %w", err)
	}

	tmpl := &x509.Certificate{
		Subject:        csr.Subject,
		PublicKey:      signer.Public(),
		SerialNumber:   big.NewInt(1),
		NotBefore:      time.Now().Add(-1 * time.Hour),
		NotAfter:       time.Now().Add(1 * time.Hour),
		DNSNames:       csr.DNSNames,
		IPAddresses:    csr.IPAddresses,
		EmailAddresses: csr.EmailAddresses,
		URIs:           csr.URIs,
	}

	selfSigned, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, fmt.Errorf("failed creating self signed certificate: %w", err)
	}
	selfSignedCertificate, err := x509.ParseCertificate(selfSigned)
	if err != nil {
		return nil, fmt.Errorf("failed parsing self signed certificate: %w", err)
	}

	msgTmpl := &scep.PKIMessage{
		TransactionID: "test-1",
		MessageType:   scep.PKCSReq,
		SenderNonce:   []byte("test-nonce-1"),
		Recipients:    []*x509.Certificate{c.caCert},
		SignerCert:    selfSignedCertificate,
		SignerKey:     signer,
	}

	msg, err := scep.NewCSRRequest(csr, msgTmpl)
	if err != nil {
		return nil, fmt.Errorf("failed creating SCEP PKCSReq message: %w", err)
	}

	t.Log(string(msg.Raw))

	u, err := url.Parse(c.caURL)
	if err != nil {
		return nil, fmt.Errorf("failed parsing CA URL: %w", err)
	}

	opURL := u.ResolveReference(&url.URL{RawQuery: fmt.Sprintf("operation=PKIOperation&message=%s", url.QueryEscape(base64.StdEncoding.EncodeToString(msg.Raw)))})
	resp, err := c.httpClient.Get(opURL.String())
	if err != nil {
		return nil, fmt.Errorf("failed get request: %w", err)
	}
	defer resp.Body.Close()

	if ct := resp.Header.Get("Content-Type"); ct != "application/x-pki-message" {
		return nil, fmt.Errorf("received unexpected content type %q", ct)
	}

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, fmt.Errorf("failed reading response body: %w", err)
	}

	t.Log(string(body))

	signedData, err := pkcs7.Parse(body)
	if err != nil {
		return nil, fmt.Errorf("failed parsing response body: %w", err)
	}

	// TODO: verify the signature?

	p7, err := pkcs7.Parse(signedData.Content)
	if err != nil {
		return nil, fmt.Errorf("failed decrypting inner p7: %w", err)
	}

	content, err := p7.Decrypt(selfSignedCertificate, signer)
	if err != nil {
		return nil, fmt.Errorf("failed decrypting response: %w", err)
	}

	p7, err = pkcs7.Parse(content)
	if err != nil {
		return nil, fmt.Errorf("failed parsing p7 content: %w", err)
	}

	cert := p7.Certificates[0]

	return cert, nil
}

type testCAS struct {
	ca *minica.CA
}

func (c *testCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) {
	cert, err := c.ca.SignCSR(req.CSR)
	if err != nil {
		return nil, fmt.Errorf("failed signing CSR: %w", err)
	}

	return &apiv1.CreateCertificateResponse{
		Certificate:      cert,
		CertificateChain: []*x509.Certificate{cert, c.ca.Intermediate},
	}, nil
}
func (c *testCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
	return nil, errors.New("not implemented")
}

func (c *testCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) {
	return nil, errors.New("not implemented")
}

func (c *testCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) {
	return &apiv1.GetCertificateAuthorityResponse{
		RootCertificate:          c.ca.Root,
		IntermediateCertificates: []*x509.Certificate{c.ca.Intermediate},
	}, nil
}

var _ apiv1.CertificateAuthorityService = (*testCAS)(nil)
var _ apiv1.CertificateAuthorityGetter = (*testCAS)(nil)