1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
|
#include <gflags/gflags.h>
#include <glog/logging.h>
#include <gtest/gtest.h>
#include <openssl/bio.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <string>
#include "log/cert.h"
#include "log/ct_extensions.h"
#include "util/openssl_scoped_types.h"
#include "util/status_test_util.h"
#include "util/testing.h"
#include "util/util.h"
namespace cert_trans {
using std::string;
using std::unique_ptr;
using util::StatusOr;
static const char kSimpleCert[] = "test-cert.pem";
static const char kSimpleCaCert[] = "ca-cert.pem";
static const char kFakeCertWithSCT[] = "test-cert-proof.pem";
static const char kCertWithPrecertSigning[] = "ca-pre-cert.pem";
static const char kCertWithPoison[] = "test-embedded-pre-cert.pem";
static const char kCertWithEmbeddedSCT[] = "test-embedded-cert.pem";
class CtExtensionsTest : public ::testing::Test {
protected:
string simple_cert_;
string simple_ca_cert_;
string sct_cert_;
string pre_signing_cert_;
string poison_cert_;
string embedded_sct_cert_;
void SetUp() {
const string cert_dir(FLAGS_test_srcdir + "/test/testdata");
CHECK(util::ReadTextFile(cert_dir + "/" + kSimpleCert, &simple_cert_))
<< "Could not read test data from " << cert_dir
<< ". Wrong --test_srcdir?";
CHECK(
util::ReadTextFile(cert_dir + "/" + kSimpleCaCert, &simple_ca_cert_));
CHECK(util::ReadTextFile(cert_dir + "/" + kFakeCertWithSCT, &sct_cert_));
CHECK(util::ReadTextFile(cert_dir + "/" + kCertWithPrecertSigning,
&pre_signing_cert_));
CHECK(util::ReadTextFile(cert_dir + "/" + kCertWithPoison, &poison_cert_));
CHECK(util::ReadTextFile(cert_dir + "/" + kCertWithEmbeddedSCT,
&embedded_sct_cert_));
}
};
TEST_F(CtExtensionsTest, TestSCTExtension) {
// Sanity check
const unique_ptr<Cert> simple_cert(Cert::FromPemString(simple_cert_));
ASSERT_TRUE(simple_cert.get());
EXPECT_FALSE(
simple_cert
->HasExtension(cert_trans::NID_ctSignedCertificateTimestampList)
.ValueOrDie());
const unique_ptr<Cert> sct_cert(Cert::FromPemString(sct_cert_));
ASSERT_TRUE(sct_cert.get());
// Check we can find the extension by its advertised NID.
// We should really be checking that the OID matches the expected OID but
// what other extension could this cert be having that the other one doesn't?
ASSERT_TRUE(
sct_cert->HasExtension(cert_trans::NID_ctSignedCertificateTimestampList)
.ValueOrDie());
string ext_data;
EXPECT_OK(sct_cert->OctetStringExtensionData(
cert_trans::NID_ctSignedCertificateTimestampList, &ext_data));
EXPECT_FALSE(ext_data.empty());
// Now fish the extension data out using the print methods and check they
// operate as expected.
// TODO(ekasper):
const StatusOr<X509_EXTENSION*> ext(sct_cert->GetExtension(
cert_trans::NID_ctSignedCertificateTimestampList));
ASSERT_OK(ext);
ScopedBIO buf(BIO_new(BIO_s_mem()));
ASSERT_NE(buf.get(), static_cast<BIO*>(NULL));
EXPECT_EQ(1, X509V3_EXT_print(buf.get(), ext.ValueOrDie(), 0, 0));
CHECK_EQ(1, BIO_write(buf.get(), "", 1)); // NULL-terminate
char* result;
BIO_get_mem_data(buf.get(), &result);
// Should be printing the octet string contents in hex.
EXPECT_STRCASEEQ(util::HexString(ext_data, ':').c_str(), result);
}
TEST_F(CtExtensionsTest, TestEmbeddedSCTExtension) {
// Sanity check
const unique_ptr<Cert> simple_cert(Cert::FromPemString(simple_cert_));
ASSERT_TRUE(simple_cert.get());
EXPECT_FALSE(
simple_cert
->HasExtension(
cert_trans::NID_ctEmbeddedSignedCertificateTimestampList)
.ValueOrDie());
const unique_ptr<Cert> embedded_sct_cert(
Cert::FromPemString(embedded_sct_cert_));
ASSERT_TRUE(embedded_sct_cert.get());
// Check we can find the extension by its advertised NID.
// We should really be checking that the OID matches the expected OID but
// what other extension could this cert be having that the other one doesn't?
ASSERT_TRUE(embedded_sct_cert
->HasExtension(
cert_trans::NID_ctEmbeddedSignedCertificateTimestampList)
.ValueOrDie());
string ext_data;
EXPECT_OK(embedded_sct_cert->OctetStringExtensionData(
cert_trans::NID_ctEmbeddedSignedCertificateTimestampList, &ext_data));
EXPECT_FALSE(ext_data.empty());
// Now fish the extension data out using the print methods and check they
// operate as expected.
const StatusOr<X509_EXTENSION*> ext(embedded_sct_cert->GetExtension(
cert_trans::NID_ctEmbeddedSignedCertificateTimestampList));
ASSERT_OK(ext);
ScopedBIO buf(BIO_new(BIO_s_mem()));
ASSERT_NE(buf.get(), static_cast<BIO*>(NULL));
EXPECT_EQ(1, X509V3_EXT_print(buf.get(), ext.ValueOrDie(), 0, 0));
CHECK_EQ(1, BIO_write(buf.get(), "", 1)); // NULL-terminate
char* result;
BIO_get_mem_data(buf.get(), &result);
// Should be printing the octet string contents in hex.
EXPECT_STRCASEEQ(util::HexString(ext_data, ':').c_str(), result);
}
TEST_F(CtExtensionsTest, TestPoisonExtension) {
// Sanity check
const unique_ptr<Cert> simple_cert(Cert::FromPemString(simple_cert_));
ASSERT_TRUE(simple_cert.get());
EXPECT_FALSE(
simple_cert->HasExtension(cert_trans::NID_ctPoison).ValueOrDie());
const unique_ptr<Cert> poison_cert(Cert::FromPemString(poison_cert_));
ASSERT_TRUE(poison_cert.get());
// Check we can find the extension by its advertised NID.
// We should really be checking that the OID matches the expected OID but
// what other extension could this cert be having that the other one doesn't?
ASSERT_TRUE(
poison_cert->HasExtension(cert_trans::NID_ctPoison).ValueOrDie());
// Now fish the extension data out using the print methods and check they
// operate as expected.
const StatusOr<X509_EXTENSION*> ext(
poison_cert->GetExtension(cert_trans::NID_ctPoison));
ASSERT_OK(ext);
ScopedBIO buf(BIO_new(BIO_s_mem()));
ASSERT_NE(buf.get(), static_cast<BIO*>(NULL));
EXPECT_EQ(1, X509V3_EXT_print(buf.get(), ext.ValueOrDie(), 0, 0));
CHECK_EQ(1, BIO_write(buf.get(), "", 1)); // NULL-terminate
char* result;
BIO_get_mem_data(buf.get(), &result);
// Should be printing "NULL".
EXPECT_STREQ("NULL", result);
}
TEST_F(CtExtensionsTest, TestPrecertSigning) {
// Sanity check
const unique_ptr<Cert> simple_ca_cert(Cert::FromPemString(simple_ca_cert_));
ASSERT_TRUE(simple_ca_cert.get());
EXPECT_FALSE(
simple_ca_cert
->HasExtendedKeyUsage(cert_trans::NID_ctPrecertificateSigning)
.ValueOrDie());
const unique_ptr<Cert> pre_signing_cert(
Cert::FromPemString(pre_signing_cert_));
ASSERT_TRUE(pre_signing_cert.get());
// Check we can find the key usage by its advertised NID.
// We should really be checking that the OID matches the expected OID but
// what other key usage could this cert be having that the other one doesn't?
ASSERT_TRUE(
pre_signing_cert
->HasExtendedKeyUsage(cert_trans::NID_ctPrecertificateSigning)
.ValueOrDie());
}
} // namespace cert_trans
int main(int argc, char** argv) {
cert_trans::test::InitTesting(argv[0], &argc, &argv, true);
OpenSSL_add_all_algorithms();
cert_trans::LoadCtExtensions();
return RUN_ALL_TESTS();
}
|
