/* * Copyright (C) 2014 Square, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.squareup.okhttp; import java.security.GeneralSecurityException; import java.util.Set; import javax.net.ssl.SSLPeerUnverifiedException; import com.squareup.okhttp.internal.HeldCertificate; import okio.ByteString; import org.junit.Test; import static com.squareup.okhttp.TestUtil.setOf; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; public final class CertificatePinnerTest { static HeldCertificate certA1; static String certA1Pin; static ByteString certA1PinBase64; static HeldCertificate certB1; static String certB1Pin; static ByteString certB1PinBase64; static HeldCertificate certC1; static String certC1Pin; static { try { certA1 = new HeldCertificate.Builder() .serialNumber("100") .build(); certA1Pin = CertificatePinner.pin(certA1.certificate); certA1PinBase64 = pinToBase64(certA1Pin); certB1 = new HeldCertificate.Builder() .serialNumber("200") .build(); certB1Pin = CertificatePinner.pin(certB1.certificate); certB1PinBase64 = pinToBase64(certB1Pin); certC1 = new HeldCertificate.Builder() .serialNumber("300") .build(); certC1Pin = CertificatePinner.pin(certC1.certificate); } catch (GeneralSecurityException e) { throw new AssertionError(e); } } static ByteString pinToBase64(String pin) { return ByteString.decodeBase64(pin.substring("sha1/".length())); } @Test public void malformedPin() throws Exception { CertificatePinner.Builder builder = new CertificatePinner.Builder(); try { builder.add("example.com", "md5/DmxUShsZuNiqPQsX2Oi9uv2sCnw="); fail(); } catch (IllegalArgumentException expected) { } } @Test public void malformedBase64() throws Exception { CertificatePinner.Builder builder = new CertificatePinner.Builder(); try { builder.add("example.com", "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw*"); fail(); } catch (IllegalArgumentException expected) { } } /** Multiple certificates generated from the same keypair have the same pin. */ @Test public void sameKeypairSamePin() throws Exception { HeldCertificate heldCertificateA2 = new HeldCertificate.Builder() .keyPair(certA1.keyPair) .serialNumber("101") .build(); String keypairACertificate2Pin = CertificatePinner.pin(heldCertificateA2.certificate); HeldCertificate heldCertificateB2 = new HeldCertificate.Builder() .keyPair(certB1.keyPair) .serialNumber("201") .build(); String keypairBCertificate2Pin = CertificatePinner.pin(heldCertificateB2.certificate); assertTrue(certA1Pin.equals(keypairACertificate2Pin)); assertTrue(certB1Pin.equals(keypairBCertificate2Pin)); assertFalse(certA1Pin.equals(certB1Pin)); } @Test public void successfulCheck() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("example.com", certA1Pin) .build(); certificatePinner.check("example.com", certA1.certificate); } @Test public void successfulMatchAcceptsAnyMatchingCertificate() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("example.com", certB1Pin) .build(); certificatePinner.check("example.com", certA1.certificate, certB1.certificate); } @Test public void unsuccessfulCheck() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("example.com", certA1Pin) .build(); try { certificatePinner.check("example.com", certB1.certificate); fail(); } catch (SSLPeerUnverifiedException expected) { } } @Test public void multipleCertificatesForOneHostname() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("example.com", certA1Pin, certB1Pin) .build(); certificatePinner.check("example.com", certA1.certificate); certificatePinner.check("example.com", certB1.certificate); } @Test public void multipleHostnamesForOneCertificate() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("example.com", certA1Pin) .add("www.example.com", certA1Pin) .build(); certificatePinner.check("example.com", certA1.certificate); certificatePinner.check("www.example.com", certA1.certificate); } @Test public void absentHostnameMatches() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder().build(); certificatePinner.check("example.com", certA1.certificate); } @Test public void successfulCheckForWildcardHostname() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certA1Pin) .build(); certificatePinner.check("a.example.com", certA1.certificate); } @Test public void successfulMatchAcceptsAnyMatchingCertificateForWildcardHostname() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certB1Pin) .build(); certificatePinner.check("a.example.com", certA1.certificate, certB1.certificate); } @Test public void unsuccessfulCheckForWildcardHostname() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certA1Pin) .build(); try { certificatePinner.check("a.example.com", certB1.certificate); fail(); } catch (SSLPeerUnverifiedException expected) { } } @Test public void multipleCertificatesForOneWildcardHostname() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certA1Pin, certB1Pin) .build(); certificatePinner.check("a.example.com", certA1.certificate); certificatePinner.check("a.example.com", certB1.certificate); } @Test public void successfulCheckForOneHostnameWithWildcardAndDirectCertificate() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certA1Pin) .add("a.example.com", certB1Pin) .build(); certificatePinner.check("a.example.com", certA1.certificate); certificatePinner.check("a.example.com", certB1.certificate); } @Test public void unsuccessfulCheckForOneHostnameWithWildcardAndDirectCertificate() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certA1Pin) .add("a.example.com", certB1Pin) .build(); try { certificatePinner.check("a.example.com", certC1.certificate); fail(); } catch (SSLPeerUnverifiedException expected) { } } @Test public void successfulFindMatchingPins() { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("first.com", certA1Pin, certB1Pin) .add("second.com", certC1Pin) .build(); Set expectedPins = setOf(certA1PinBase64, certB1PinBase64); Set matchedPins = certificatePinner.findMatchingPins("first.com"); assertEquals(expectedPins, matchedPins); } @Test public void successfulFindMatchingPinsForWildcardAndDirectCertificates() { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certA1Pin) .add("a.example.com", certB1Pin) .add("b.example.com", certC1Pin) .build(); Set expectedPins = setOf(certA1PinBase64, certB1PinBase64); Set matchedPins = certificatePinner.findMatchingPins("a.example.com"); assertEquals(expectedPins, matchedPins); } @Test public void wildcardHostnameShouldNotMatchThroughDot() throws Exception { CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("*.example.com", certA1Pin) .build(); assertNull(certificatePinner.findMatchingPins("example.com")); assertNull(certificatePinner.findMatchingPins("a.b.example.com")); } }