From aa9189a05fa548bbad80af42a84027a6e9c40737 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Fri, 27 Nov 2020 19:49:24 +0100 Subject: added buildChainFromDerList tests --- crypto_test.go | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 98 insertions(+), 1 deletion(-) (limited to 'crypto_test.go')
diff --git a/crypto_test.go b/crypto_test.go
index 577244a..b7179f3 100644
--- a/crypto_test.go
+++ b/crypto_test.go
@@ -7,14 +7,97 @@ import (
 "testing"
 cttestdata "github.com/google/certificate-transparency-go/trillian/testdata"
+ "github.com/system-transparency/stfe/x509util"
+ "github.com/system-transparency/stfe/x509util/testdata"
 )
 var (
 testLeaf = make([]byte, 64)
 )
-// TODO: TestBuildChainFromDerList
 func TestBuildChainFromDerList(t *testing.T) {
+ for _, table := range []struct {
+ description string
+ maxChain int64 // including trust anchor
+ anchors []byte // pem block
+ chain [][]byte // der list
+ wantErr bool
+ }{
+ {
+ description: "bad chain: cannot be parsed because empty",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ wantErr: true,
+ },
+ {
+ description: "bad chain: no path from end-entity to intermediate",
+ maxChain: 3,
+ anchors: testdata.RootCertificate2,
+ chain: mustMakeDerList(t, testdata.ChainBadIntermediate)[:2],
+ wantErr: true,
+ },
+ {
+ description: "bad chain: no path from intermediate to root",
+ maxChain: 3,
+ anchors: testdata.RootCertificate2,
+ chain: mustMakeDerList(t, testdata.IntermediateChain),
+ wantErr: true,
+ },
+ {
+ description: "bad chain: end-entity certificate expired",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ chain: mustMakeDerList(t, testdata.ExpiredChain),
+ },
+ {
+ description: "bad chain: too large",
+ maxChain: 2,
+ anchors: testdata.RootCertificate,
+ chain: mustMakeDerList(t, testdata.IntermediateChain),
+ wantErr: true,
+ },
+ {
+ description: "ok chain: one explicit trust anchor",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ chain: mustMakeDerList(t, testdata.RootChain),
+ },
+ {
+ description: "ok chain: unnecessary certificates are ignored",
+ maxChain: 3,
+ anchors: testdata.RootCertificate,
+ chain: append(mustMakeDerList(t, testdata.IntermediateChain), mustMakeDerList(t, testdata.IntermediateChain2)...),
+ },
+ {
+ description: "ok chain: multiple anchors but one valid path",
+ maxChain: 3,
+ anchors: testdata.TrustAnchors,
+ chain: mustMakeDerList(t, testdata.IntermediateChain),
+ },
+ // Note that the underlying verify function also checks name constraints
+ // and extended key usages. Not relied upon atm, so not tested.
+ } {
+ anchorList, err := x509util.NewCertificateList(table.anchors)
+ if err != nil {
+ t.Fatalf("must parse trust anchors: %v", err)
+ }
+ lp := &LogParameters{
+ LogId: testLogId,
+ TreeId: testTreeId,
+ Prefix: testPrefix,
+ MaxRange: testMaxRange,
+ MaxChain: table.maxChain,
+ AnchorPool: x509util.NewCertPool(anchorList),
+ AnchorList: anchorList,
+ KeyUsage: testExtKeyUsage,
+ Signer: nil,
+ HashType: testHashType,
+ }
+ _, err = lp.buildChainFromDerList(table.chain)
+ if got, want := err != nil, table.wantErr; got != want {
+ t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
+ }
+ }
 }
 // TODO: TestVerifySignature
@@ -133,3 +216,17 @@ func TestGenV1Sth(t *testing.T) {
 }
 // TODO: test that metrics are updated correctly?
+
+// mustMakeDerList must parse a PEM-encoded list of certificates to DER
+func mustMakeDerList(t *testing.T, pem []byte) [][]byte {
+ certs, err := x509util.NewCertificateList(pem)
+ if err != nil {
+ t.Fatalf("must parse pem-encoded certificates: %v", err)
+ }
+
+ list := make([][]byte, 0, len(certs))
+ for _, cert := range certs {
+ list = append(list, cert.Raw)
+ }
+ return list
+}
-- cgit v1.2.3
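Review bot: The table entry `description: "bad chain: end-entity certificate expired"` sets no `wantErr`, so the test asserts that a chain whose end-entity certificate has expired is accepted by buildChainFromDerList, contradicting its own "bad chain" label. If expiry is deliberately not checked (a log that only records certificates may well want that), relabel it `description: "ok chain: expired end-entity certificate is accepted",` with a one-line comment stating the intent; otherwise add `wantErr: true,` and the verify options under test need fixing. The "too large" (maxChain 2, two DER blobs plus anchor rejected) and "unnecessary certificates are ignored" (four DER blobs accepted with maxChain 3) cases together show that MaxChain bounds the built path rather than the submitted list, so nothing in this test pins a limit on how many DER blobs a submitter can make the log parse — if such a limit lives elsewhere, a case that exercises it would be worth adding. Running each entry under `t.Run(table.description, func(t *testing.T) { ... })` would also isolate failures instead of relying on the description in the `t.Errorf` message.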
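Review bot: `mustMakeDerList` calls `t.Fatalf` without `t.Helper()`, so a broken PEM fixture is reported at the helper's own line rather than at the table entry that passed it in; add `t.Helper()` as the first statement. The parameter named `pem` will shadow `encoding/pem` if that package is ever imported into this test file, and `pemData` avoids the collision at no cost. The doc comment could also state the contract rather than repeat the name: `// mustMakeDerList parses a PEM-encoded list of certificates and returns their DER encodings in input order, failing the test if the PEM cannot be parsed.`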