added buildChainFromDerList tests

1 files changed, 98 insertions, 1 deletions

diff --git a/crypto_test.go b/crypto_test.go
index 577244a..b7179f3 100644
--- a/crypto_test.go
+++ b/crypto_test.go
@@ -7,14 +7,97 @@ import (
 	"testing"
 
 	cttestdata "github.com/google/certificate-transparency-go/trillian/testdata"
+	"github.com/system-transparency/stfe/x509util"
+	"github.com/system-transparency/stfe/x509util/testdata"
 )
 
 var (
 	testLeaf = make([]byte, 64)
 )
 
-// TODO: TestBuildChainFromDerList
 func TestBuildChainFromDerList(t *testing.T) {
+	for _, table := range []struct {
+		description string
+		maxChain    int64    // including trust anchor
+		anchors     []byte   // pem block
+		chain       [][]byte // der list
+		wantErr     bool
+	}{
+		{
+			description: "bad chain: cannot be parsed because empty",
+			maxChain:    3,
+			anchors:     testdata.RootCertificate,
+			wantErr:     true,
+		},
+		{
+			description: "bad chain: no path from end-entity to intermediate",
+			maxChain:    3,
+			anchors:     testdata.RootCertificate2,
+			chain:       mustMakeDerList(t, testdata.ChainBadIntermediate)[:2],
+			wantErr:     true,
+		},
+		{
+			description: "bad chain: no path from intermediate to root",
+			maxChain:    3,
+			anchors:     testdata.RootCertificate2,
+			chain:       mustMakeDerList(t, testdata.IntermediateChain),
+			wantErr:     true,
+		},
+		{
+			description: "bad chain: end-entity certificate expired",
+			maxChain:    3,
+			anchors:     testdata.RootCertificate,
+			chain:       mustMakeDerList(t, testdata.ExpiredChain),
+		},
+		{
+			description: "bad chain: too large",
+			maxChain:    2,
+			anchors:     testdata.RootCertificate,
+			chain:       mustMakeDerList(t, testdata.IntermediateChain),
+			wantErr:     true,
+		},
+		{
+			description: "ok chain: one explicit trust anchor",
+			maxChain:    3,
+			anchors:     testdata.RootCertificate,
+			chain:       mustMakeDerList(t, testdata.RootChain),
+		},
+		{
+			description: "ok chain: unnecessary certificates are ignored",
+			maxChain:    3,
+			anchors:     testdata.RootCertificate,
+			chain:       append(mustMakeDerList(t, testdata.IntermediateChain), mustMakeDerList(t, testdata.IntermediateChain2)...),
+		},
+		{
+			description: "ok chain: multiple anchors but one valid path",
+			maxChain:    3,
+			anchors:     testdata.TrustAnchors,
+			chain:       mustMakeDerList(t, testdata.IntermediateChain),
+		},
+		// Note that the underlying verify function also checks name constraints
+		// and extended key usages.  Not relied upon atm, so not tested.
+	} {
+		anchorList, err := x509util.NewCertificateList(table.anchors)
+		if err != nil {
+			t.Fatalf("must parse trust anchors: %v", err)
+		}
+		lp := &LogParameters{
+			LogId:      testLogId,
+			TreeId:     testTreeId,
+			Prefix:     testPrefix,
+			MaxRange:   testMaxRange,
+			MaxChain:   table.maxChain,
+			AnchorPool: x509util.NewCertPool(anchorList),
+			AnchorList: anchorList,
+			KeyUsage:   testExtKeyUsage,
+			Signer:     nil,
+			HashType:   testHashType,
+		}
+		_, err = lp.buildChainFromDerList(table.chain)
+		if got, want := err != nil, table.wantErr; got != want {
+			t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
+		}
+	}
 }
 
 // TODO: TestVerifySignature
@@ -133,3 +216,17 @@ func TestGenV1Sth(t *testing.T) {
 }
 
 // TODO: test that metrics are updated correctly?
+
+// mustMakeDerList must parse a PEM-encoded list of certificates to DER
+func mustMakeDerList(t *testing.T, pem []byte) [][]byte {
+	certs, err := x509util.NewCertificateList(pem)
+	if err != nil {
+		t.Fatalf("must parse pem-encoded certificates: %v", err)
+	}
+
+	list := make([][]byte, 0, len(certs))
+	for _, cert := range certs {
+		list = append(list, cert.Raw)
+	}
+	return list
+}