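/*
 * Copyright (C) 2015 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.conscrypt.ct;

import static org.conscrypt.TestUtils.openTestFile;
import static org.conscrypt.TestUtils.readTestFile;
import static org.junit.Assert.assertEquals;

import java.security.PublicKey;
import java.util.Arrays;
import org.conscrypt.OpenSSLX509Certificate;
import org.conscrypt.TestUtils;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

/**
 * Tests for {@link CTVerifier#verifySignedCertificateTimestamps}.
 *
 * <p>Every test shares one fixture: a two-element chain (leaf, CA) and a {@link CTLogStore}
 * that recognises exactly one log ("Test Log"). SCT material is supplied through the three
 * sources the verifier accepts — a TLS extension, an OCSP response, and an extension embedded
 * in the leaf certificate — and each test pins how a given outcome (valid, invalid for a
 * named reason, or undecodable) is reported in the {@link CTVerificationResult}.
 */
@RunWith(JUnit4.class)
public class CTVerifierTest {
    private OpenSSLX509Certificate ca;
    private OpenSSLX509Certificate cert;
    private OpenSSLX509Certificate certEmbedded;
    private CTVerifier ctVerifier;

    /**
     * Loads the certificate fixtures and builds a verifier backed by a single-log store.
     *
     * @throws Exception if any PEM fixture cannot be opened or parsed
     */
    @Before
    public void setUp() throws Exception {
        ca = OpenSSLX509Certificate.fromX509PemInputStream(openTestFile("ca-cert.pem"));
        cert = OpenSSLX509Certificate.fromX509PemInputStream(openTestFile("cert.pem"));
        certEmbedded = OpenSSLX509Certificate.fromX509PemInputStream(
                openTestFile("cert-ct-embedded.pem"));

        PublicKey key = TestUtils.readPublicKeyPemFile("ct-server-key-public.pem");

        final CTLogInfo log = new CTLogInfo(key, "Test Log", "foo");
        // The store knows only the one test log; any other log ID resolves to null, which is
        // what the "unknown log" test below depends on.
        CTLogStore store = new CTLogStore() {
            @Override
            public CTLogInfo getKnownLog(byte[] logId) {
                return Arrays.equals(logId, log.getID()) ? log : null;
            }
        };

        ctVerifier = new CTVerifier(store);
    }

    /** Builds the (leaf, CA) chain every test verifies against, for the given leaf. */
    private OpenSSLX509Certificate[] chainOf(OpenSSLX509Certificate leaf) {
        return new OpenSSLX509Certificate[] { leaf, ca };
    }

    /** Asserts that {@code result} holds exactly {@code valid} valid and {@code invalid} invalid SCTs. */
    private static void assertSctCounts(CTVerificationResult result, int valid, int invalid) {
        assertEquals(valid, result.getValidSCTs().size());
        assertEquals(invalid, result.getInvalidSCTs().size());
    }

    /** A well-formed SCT carried in a stapled OCSP response is accepted as valid. */
    @Test
    public void test_verifySignedCertificateTimestamps_withOCSPResponse() throws Exception {
        byte[] ocspResponse = readTestFile("ocsp-response.der");

        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(cert), null, ocspResponse);
        assertSctCounts(result, 1, 0);
    }

    /** A well-formed SCT carried in the TLS signed_certificate_timestamp extension is accepted. */
    @Test
    public void test_verifySignedCertificateTimestamps_withTLSExtension() throws Exception {
        byte[] tlsExtension = readTestFile("ct-signed-timestamp-list");

        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(cert), tlsExtension, null);
        assertSctCounts(result, 1, 0);
    }

    /** An SCT embedded in the leaf certificate is found and accepted with no other input. */
    @Test
    public void test_verifySignedCertificateTimestamps_withEmbeddedExtension() throws Exception {
        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(certEmbedded), null, null);
        assertSctCounts(result, 1, 0);
    }

    /** With no SCT from any source the result is empty on both sides — nothing is invented. */
    @Test
    public void test_verifySignedCertificateTimestamps_withoutTimestamp() throws Exception {
        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(cert), null, null);
        assertSctCounts(result, 0, 0);
    }

    /**
     * An SCT whose signature does not verify under the known log's key is reported as invalid
     * with {@link VerifiedSCT.Status#INVALID_SIGNATURE}, not silently dropped.
     */
    @Test
    public void test_verifySignedCertificateTimestamps_withInvalidSignature() throws Exception {
        byte[] tlsExtension = readTestFile("ct-signed-timestamp-list-invalid");

        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(cert), tlsExtension, null);
        assertSctCounts(result, 0, 1);
        assertEquals(VerifiedSCT.Status.INVALID_SIGNATURE,
                result.getInvalidSCTs().get(0).status);
    }

    /**
     * An SCT from a log the store does not know is reported as invalid with
     * {@link VerifiedSCT.Status#UNKNOWN_LOG}; an unrecognised log must never count as valid.
     */
    @Test
    public void test_verifySignedCertificateTimestamps_withUnknownLog() throws Exception {
        byte[] tlsExtension = readTestFile("ct-signed-timestamp-list-unknown");

        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(cert), tlsExtension, null);
        assertSctCounts(result, 0, 1);
        assertEquals(VerifiedSCT.Status.UNKNOWN_LOG,
                result.getInvalidSCTs().get(0).status);
    }

    /**
     * Bytes that do not deserialize as an SCT list yield neither valid nor invalid SCTs and
     * no exception: the verifier treats undecodable extension data as "no SCTs presented".
     */
    @Test
    public void test_verifySignedCertificateTimestamps_withInvalidEncoding() throws Exception {
        // Just some garbage data which will fail to deserialize
        byte[] tlsExtension = new byte[] { 1, 2, 3, 4 };

        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(cert), tlsExtension, null);
        assertSctCounts(result, 0, 0);
    }

    /**
     * Same contract for the OCSP path: an undecodable OCSP response contributes no SCTs at all
     * and does not throw.
     */
    @Test
    public void test_verifySignedCertificateTimestamps_withInvalidOCSPResponse() throws Exception {
        // Just some garbage data which will fail to deserialize
        byte[] ocspResponse = new byte[] { 1, 2, 3, 4 };

        CTVerificationResult result =
                ctVerifier.verifySignedCertificateTimestamps(chainOf(cert), null, ocspResponse);
        assertSctCounts(result, 0, 0);
    }

    /**
     * SCTs from different sources are verified independently: the bad TLS-extension SCT lands
     * in the invalid list and the good OCSP SCT in the valid list, and each records its origin.
     */
    @Test
    public void test_verifySignedCertificateTimestamps_withMultipleTimestamps() throws Exception {
        byte[] tlsExtension = readTestFile("ct-signed-timestamp-list-invalid");
        byte[] ocspResponse = readTestFile("ocsp-response.der");

        CTVerificationResult result = ctVerifier.verifySignedCertificateTimestamps(
                chainOf(cert), tlsExtension, ocspResponse);
        assertSctCounts(result, 1, 1);
        assertEquals(SignedCertificateTimestamp.Origin.OCSP_RESPONSE,
                result.getValidSCTs().get(0).sct.getOrigin());
        assertEquals(SignedCertificateTimestamp.Origin.TLS_EXTENSION,
                result.getInvalidSCTs().get(0).sct.getOrigin());
    }
}
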