| /* |
| * Copyright (C) 2015 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.conscrypt.ct; |
| |
| import static org.conscrypt.TestUtils.openTestFile; |
| import static org.conscrypt.TestUtils.readTestFile; |
| |
| import java.security.PublicKey; |
| import java.util.Arrays; |
| import junit.framework.TestCase; |
| import org.conscrypt.OpenSSLKey; |
| import org.conscrypt.OpenSSLX509Certificate; |
| |
| public class CTVerifierTest extends TestCase { |
| private OpenSSLX509Certificate ca; |
| private OpenSSLX509Certificate cert; |
| private OpenSSLX509Certificate certEmbedded; |
| private CTVerifier ctVerifier; |
| |
| @Override |
| public void setUp() throws Exception { |
| ca = OpenSSLX509Certificate.fromX509PemInputStream(openTestFile("ca-cert.pem")); |
| cert = OpenSSLX509Certificate.fromX509PemInputStream(openTestFile("cert.pem")); |
| certEmbedded = OpenSSLX509Certificate.fromX509PemInputStream( |
| openTestFile("cert-ct-embedded.pem")); |
| |
| PublicKey key = OpenSSLKey.fromPublicKeyPemInputStream( |
| openTestFile("ct-server-key-public.pem")).getPublicKey(); |
| |
| final CTLogInfo log = new CTLogInfo(key, "Test Log", "foo"); |
| CTLogStore store = new CTLogStore() { |
| public CTLogInfo getKnownLog(byte[] logId) { |
| if (Arrays.equals(logId, log.getID())) { |
| return log; |
| } else { |
| return null; |
| } |
| } |
| }; |
| |
| ctVerifier = new CTVerifier(store); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withOCSPResponse() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| byte[] ocspResponse = readTestFile("ocsp-response.der"); |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, null, ocspResponse); |
| assertEquals(1, result.getValidSCTs().size()); |
| assertEquals(0, result.getInvalidSCTs().size()); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withTLSExtension() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| byte[] tlsExtension = readTestFile("ct-signed-timestamp-list"); |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, tlsExtension, null); |
| assertEquals(1, result.getValidSCTs().size()); |
| assertEquals(0, result.getInvalidSCTs().size()); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withEmbeddedExtension() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { certEmbedded, ca }; |
| |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, null, null); |
| assertEquals(1, result.getValidSCTs().size()); |
| assertEquals(0, result.getInvalidSCTs().size()); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withoutTimestamp() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, null, null); |
| assertEquals(0, result.getValidSCTs().size()); |
| assertEquals(0, result.getInvalidSCTs().size()); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withInvalidSignature() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| byte[] tlsExtension = readTestFile("ct-signed-timestamp-list-invalid"); |
| |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, tlsExtension, null); |
| assertEquals(0, result.getValidSCTs().size()); |
| assertEquals(1, result.getInvalidSCTs().size()); |
| assertEquals(VerifiedSCT.Status.INVALID_SIGNATURE, |
| result.getInvalidSCTs().get(0).status); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withUnknownLog() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| byte[] tlsExtension = readTestFile("ct-signed-timestamp-list-unknown"); |
| |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, tlsExtension, null); |
| assertEquals(0, result.getValidSCTs().size()); |
| assertEquals(1, result.getInvalidSCTs().size()); |
| assertEquals(VerifiedSCT.Status.UNKNOWN_LOG, |
| result.getInvalidSCTs().get(0).status); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withInvalidEncoding() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| // Just some garbage data which will fail to deserialize |
| byte[] tlsExtension = new byte[] { 1, 2, 3, 4 }; |
| |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, tlsExtension, null); |
| assertEquals(0, result.getValidSCTs().size()); |
| assertEquals(0, result.getInvalidSCTs().size()); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withInvalidOCSPResponse() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| // Just some garbage data which will fail to deserialize |
| byte[] ocspResponse = new byte[] { 1, 2, 3, 4 }; |
| |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, null, ocspResponse); |
| assertEquals(0, result.getValidSCTs().size()); |
| assertEquals(0, result.getInvalidSCTs().size()); |
| } |
| |
| public void test_verifySignedCertificateTimestamps_withMultipleTimestamps() throws Exception { |
| OpenSSLX509Certificate[] chain = new OpenSSLX509Certificate[] { cert, ca }; |
| |
| byte[] tlsExtension = readTestFile("ct-signed-timestamp-list-invalid"); |
| byte[] ocspResponse = readTestFile("ocsp-response.der"); |
| |
| CTVerificationResult result = |
| ctVerifier.verifySignedCertificateTimestamps(chain, tlsExtension, ocspResponse); |
| assertEquals(1, result.getValidSCTs().size()); |
| assertEquals(1, result.getInvalidSCTs().size()); |
| assertEquals(SignedCertificateTimestamp.Origin.OCSP_RESPONSE, |
| result.getValidSCTs().get(0).sct.getOrigin()); |
| assertEquals(SignedCertificateTimestamp.Origin.TLS_EXTENSION, |
| result.getInvalidSCTs().get(0).sct.getOrigin()); |
| } |
| } |
| |