Diffstat (limited to 'crypto_test.go')
-rw-r--r--crypto_test.go171
1 files changed, 0 insertions, 171 deletions
diff --git a/crypto_test.go b/crypto_test.go
index d304b93..cfbb0a8 100644
--- a/crypto_test.go
+++ b/crypto_test.go
@@ -6,170 +6,13 @@ import (
"fmt"
"testing"
- "crypto/ed25519"
- "crypto/tls"
-
cttestdata "github.com/google/certificate-transparency-go/trillian/testdata"
- "github.com/system-transparency/stfe/x509util"
- "github.com/system-transparency/stfe/x509util/testdata"
)
var (
testLeaf = make([]byte, 64)
)
-func TestBuildChainFromDerList(t *testing.T) {
- for _, table := range []struct {
- description string
- maxChain int64 // including trust anchor
- anchors []byte // pem block
- chain [][]byte // der list
- wantErr bool
- }{
- {
- description: "bad chain: cannot be parsed because empty",
- maxChain: 3,
- anchors: testdata.RootCertificate,
- wantErr: true,
- },
- {
- description: "bad chain: no path from end-entity to intermediate",
- maxChain: 3,
- anchors: testdata.RootCertificate2,
- chain: mustMakeDerList(t, testdata.ChainBadIntermediate)[:2],
- wantErr: true,
- },
- {
- description: "bad chain: no path from intermediate to root",
- maxChain: 3,
- anchors: testdata.RootCertificate2,
- chain: mustMakeDerList(t, testdata.IntermediateChain),
- wantErr: true,
- },
- {
- description: "bad chain: end-entity certificate expired",
- maxChain: 3,
- anchors: testdata.RootCertificate,
- chain: mustMakeDerList(t, testdata.ExpiredChain),
- wantErr: false,
- },
- {
- description: "bad chain: too large",
- maxChain: 2,
- anchors: testdata.RootCertificate,
- chain: mustMakeDerList(t, testdata.IntermediateChain),
- wantErr: true,
- },
- {
- description: "ok chain: one explicit trust anchor",
- maxChain: 3,
- anchors: testdata.RootCertificate,
- chain: mustMakeDerList(t, testdata.RootChain),
- },
- {
- description: "ok chain: unnecessary certificates are ignored",
- maxChain: 3,
- anchors: testdata.RootCertificate,
- chain: append(mustMakeDerList(t, testdata.IntermediateChain), mustMakeDerList(t, testdata.IntermediateChain2)...),
- },
- {
- description: "ok chain: multiple anchors but one valid path",
- maxChain: 3,
- anchors: testdata.TrustAnchors,
- chain: mustMakeDerList(t, testdata.IntermediateChain),
- },
- // Note that the underlying verify function also checks name constraints
- // and extended key usages. Not relied upon atm, so not tested.
- } {
- anchorList, err := x509util.NewCertificateList(table.anchors)
- if err != nil {
- t.Fatalf("must parse trust anchors: %v", err)
- }
- lp := &LogParameters{
- LogId: testLogId,
- TreeId: testTreeId,
- Prefix: testPrefix,
- MaxRange: testMaxRange,
- MaxChain: table.maxChain,
- AnchorPool: x509util.NewCertPool(anchorList),
- AnchorList: anchorList,
- KeyUsage: testExtKeyUsage,
- Signer: nil,
- HashType: testHashType,
- }
- _, err = lp.buildChainFromDerList(table.chain)
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
- }
- }
-}
-
-func TestVerifySignature(t *testing.T) {
- lp := makeTestLogParameters(t, nil)
- for _, table := range []struct {
- description string
- certificate []byte // pem
- key []byte // pem
- scheme tls.SignatureScheme
- wantErr bool
- }{
- {
- description: "invalid signature scheme",
- certificate: testdata.EndEntityCertificate,
- key: testdata.EndEntityPrivateKey,
- scheme: tls.ECDSAWithP256AndSHA256,
- wantErr: true,
- },
- {
- description: "invalid signature: certificate and key mismatch",
- certificate: testdata.EndEntityCertificate,
- key: testdata.EndEntityPrivateKey2,
- scheme: tls.Ed25519,
- wantErr: true,
- },
- {
- description: "valid signature",
- certificate: testdata.EndEntityCertificate,
- key: testdata.EndEntityPrivateKey,
- scheme: tls.Ed25519,
- },
- } {
- msg := []byte("msg")
- key, err := x509util.NewEd25519PrivateKey(table.key)
- if err != nil {
- t.Fatalf("must make ed25519 signing key: %v", err)
- }
- list, err := x509util.NewCertificateList(table.certificate)
- if err != nil {
- t.Fatalf("must make certificate list: %v", err)
- }
- if len(list) != 1 {
- t.Fatalf("must make one certificate: got %d", len(list))
- }
- certificate := list[0]
- sig := ed25519.Sign(key, msg)
-
- err = lp.verifySignature(certificate, table.scheme, msg, sig)
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
- }
- if err != nil {
- continue
- }
-
- msg[0] += 1 // modify message
- if err = lp.verifySignature(certificate, table.scheme, msg, sig); err == nil {
- t.Errorf("got no error for modified msg in test %q", table.description)
- }
-
- msg[0] -= 1 // restore message
- sig[0] += 1 // modify signature
- if err = lp.verifySignature(certificate, table.scheme, msg, sig); err == nil {
- t.Errorf("got no error for modified signature in test %q", table.description)
- }
- }
-}
-
// TestGenV1Sdi tests that a signature failure works as expected, and that
// the issued SDI (if any) is populated correctly.
func TestGenV1Sdi(t *testing.T) {
@@ -280,17 +123,3 @@ func TestGenV1Sth(t *testing.T) {
}
}
}
-
-// mustMakeDerList must parse a PEM-encoded list of certificates to DER
-func mustMakeDerList(t *testing.T, pem []byte) [][]byte {
- certs, err := x509util.NewCertificateList(pem)
- if err != nil {
- t.Fatalf("must parse pem-encoded certificates: %v", err)
- }
-
- list := make([][]byte, 0, len(certs))
- for _, cert := range certs {
- list = append(list, cert.Raw)
- }
- return list
-}