Diffstat (limited to 'crypto_test.go')
-rw-r--r--crypto_test.go99
1 files changed, 98 insertions, 1 deletions
diff --git a/crypto_test.go b/crypto_test.go
index 577244a..b7179f3 100644
--- a/crypto_test.go
+++ b/crypto_test.go
@@ -7,14 +7,97 @@ import (
"testing"
cttestdata "github.com/google/certificate-transparency-go/trillian/testdata"
+ "github.com/system-transparency/stfe/x509util"
+ "github.com/system-transparency/stfe/x509util/testdata"
)
var (
testLeaf = make([]byte, 64)
)
-// TODO: TestBuildChainFromDerList
func TestBuildChainFromDerList(t *testing.T) {
+ for _, table := range []struct {
+ description string
+ maxChain int64 // including trust anchor
+ anchors []byte // pem block
+ chain [][]byte // der list
+ wantErr bool
+ }{
+ {
+ description: "bad chain: cannot be parsed because empty",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ wantErr: true,
+ },
+ {
+ description: "bad chain: no path from end-entity to intermediate",
+ maxChain: 3,
+ anchors: testdata.RootCertificate2,
+ chain: mustMakeDerList(t, testdata.ChainBadIntermediate)[:2],
+ wantErr: true,
+ },
+ {
+ description: "bad chain: no path from intermediate to root",
+ maxChain: 3,
+ anchors: testdata.RootCertificate2,
+ chain: mustMakeDerList(t, testdata.IntermediateChain),
+ wantErr: true,
+ },
+ {
+ description: "bad chain: end-entity certificate expired",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ chain: mustMakeDerList(t, testdata.ExpiredChain),
+ },
+ {
+ description: "bad chain: too large",
+ maxChain: 2,
+ anchors: testdata.RootCertificate,
+ chain: mustMakeDerList(t, testdata.IntermediateChain),
+ wantErr: true,
+ },
+ {
+ description: "ok chain: one explicit trust anchor",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ chain: mustMakeDerList(t, testdata.RootChain),
+ },
+ {
+ description: "ok chain: unnecessary certificates are ignored",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ chain: append(mustMakeDerList(t, testdata.IntermediateChain), mustMakeDerList(t, testdata.IntermediateChain2)...),
+ },
+ {
+ description: "ok chain: multiple anchors but one valid path",
+ maxChain: 3,
+ anchors: testdata.TrustAnchors,
+ chain: mustMakeDerList(t, testdata.IntermediateChain),
+ },
+ // Note that the underlying verify function also checks name constraints
+ // and extended key usages. Not relied upon atm, so not tested.
+ } {
+ anchorList, err := x509util.NewCertificateList(table.anchors)
+ if err != nil {
+ t.Fatalf("must parse trust anchors: %v", err)
+ }
+ lp := &LogParameters{
+ LogId: testLogId,
+ TreeId: testTreeId,
+ Prefix: testPrefix,
+ MaxRange: testMaxRange,
+ MaxChain: table.maxChain,
+ AnchorPool: x509util.NewCertPool(anchorList),
+ AnchorList: anchorList,
+ KeyUsage: testExtKeyUsage,
+ Signer: nil,
+ HashType: testHashType,
+ }
+ _, err = lp.buildChainFromDerList(table.chain)
+ if got, want := err != nil, table.wantErr; got != want {
+ t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
+ }
+ }
}
// TODO: TestVerifySignature
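Review bot: The table entry `description: "bad chain: end-entity certificate expired"` leaves wantErr unset, so the loop asserts that buildChainFromDerList accepts a chain whose end-entity certificate has expired, which contradicts the "bad chain" label. If expiry is deliberately not enforced (the trailing comment says name constraints and EKU are not relied upon, but says nothing about validity periods), rename the case so the contract is explicit, e.g. `description: "ok chain: expired end-entity certificate is accepted (validity period not checked)"`, and note the reason next to it; otherwise set `wantErr: true`. The loop also only compares `err != nil` with wantErr, so "ok chain: unnecessary certificates are ignored" never verifies that the returned chain actually drops the extra certificates; asserting the returned chain's length for the ok cases would pin that behaviour. The LogParameters fields testLogId, testTreeId, testPrefix, testMaxRange, testExtKeyUsage and testHashType are declared outside this hunk.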
@@ -133,3 +216,17 @@ func TestGenV1Sth(t *testing.T) {
}
// TODO: test that metrics are updated correctly?
+
+// mustMakeDerList must parse a PEM-encoded list of certificates to DER
+func mustMakeDerList(t *testing.T, pem []byte) [][]byte {
+ certs, err := x509util.NewCertificateList(pem)
+ if err != nil {
+ t.Fatalf("must parse pem-encoded certificates: %v", err)
+ }
+
+ list := make([][]byte, 0, len(certs))
+ for _, cert := range certs {
+ list = append(list, cert.Raw)
+ }
+ return list
+}
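Review bot: mustMakeDerList calls t.Fatalf without first calling `t.Helper()`, so a PEM parse failure is attributed to the line inside the helper rather than to the table entry in TestBuildChainFromDerList that supplied the bad input; add `t.Helper()` as the first statement of the function. The parameter name `pem` also shadows the encoding/pem package identifier within the body if that package is, or later becomes, imported in this file; `pemBytes` avoids the shadowing. The doc comment could say what the helper fails on, e.g. `// mustMakeDerList parses PEM-encoded certificates into a DER list, failing the test if the PEM cannot be parsed.`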