1 package didx509resolver
2
3 import (
4 "os"
5 "testing"
6 )
7
// checkFailed asserts that Resolve rejected a DID that is meant to be
// invalid. A nil error here means the resolver accepted bad input, which
// is the failure mode these negative tests exist to catch.
func checkFailed(t *testing.T, err error) {
	t.Helper()
	if err != nil {
		// Rejected, as expected.
		return
	}
	t.Errorf("error: should have failed")
}
14
// checkOk asserts that Resolve accepted a DID that is known to match the
// certificate chain; any error is reported with its message so a policy
// regression is attributable.
func checkOk(t *testing.T, err error) {
	t.Helper()
	if err == nil {
		return
	}
	t.Errorf("error: rejected valid DID: %s", err)
}
21
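// loadCertificateChain reads the PEM certificate chain fixture at path and
// returns its contents as the string Resolve expects.
//
// An unreadable fixture is fatal (t.Fatalf) rather than a plain t.Errorf:
// the original continued and returned "", which would feed an empty chain
// to Resolve. Resolve presumably cannot succeed on an empty chain, so every
// checkFailed test would then pass regardless of the DID under test and a
// missing test-data file would silently hide real policy bugs.
func loadCertificateChain(t *testing.T, path string) string {
	t.Helper()
	chain, err := os.ReadFile(path)
	if err != nil {
		// Include the path and the OS error so a CI failure is diagnosable
		// without re-running locally.
		t.Fatalf("error: can't read certificate chain %q: %v", path, err)
	}
	return string(chain)
}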
30
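// TestWrongPrefix checks that a DID outside the did:x509 scheme is rejected.
//
// The original input ("djd:y508:1:abcd::") is wrong in several places at
// once (scheme, method, version, fingerprint, policy), so its rejection does
// not show which check fired. The second case differs from the known-good
// DID used in TestRootCA only in its scheme, so it must be rejected on the
// prefix alone.
func TestWrongPrefix(t *testing.T) {
	chain := loadCertificateChain(t, "test-data/ms-code-signing.pem")

	_, err := Resolve(chain, "djd:y508:1:abcd::", true)
	checkFailed(t, err)

	// Same fingerprint and policy as TestRootCA; only the scheme differs.
	_, err = Resolve(chain, "djd:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:Microsoft%20Corporation", true)
	checkFailed(t, err)
}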
36
// TestRootCA resolves a DID whose CA fingerprint (per the test name) pins
// the root of the Microsoft code-signing chain, combined with a subject
// policy on the leaf's CN. The trailing boolean is passed as true throughout
// this file; its meaning is not visible here — TODO confirm against Resolve.
func TestRootCA(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:Microsoft%20Corporation"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
42
// TestIntermediateCA resolves a DID pinned to a different fingerprint than
// TestRootCA (per the test name, the intermediate CA of the same chain) with
// the same subject policy; both must be accepted.
func TestIntermediateCA(t *testing.T) {
	const did = "did:x509:0:sha256:VtqHIq_ZQGb_4eRZVHOkhUiSuEOggn1T-32PSu7R4Ys::subject:CN:Microsoft%20Corporation"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
48
// TestInvalidLeafCA uses a well-formed subject policy with a fingerprint
// ("h") that cannot be a base64url-encoded SHA-256 digest of any certificate
// in the chain, so resolution must fail on the fingerprint alone.
func TestInvalidLeafCA(t *testing.T) {
	const did = "did:x509:0:sha256:h::subject:CN:Microsoft%20Corporation"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkFailed(t, resolveErr)
}
54
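// TestInvalidCA checks that a DID whose fingerprint matches no certificate
// in the chain is rejected.
//
// The original input is doubly broken: besides the bogus fingerprint "abc",
// its policy part ("CN:Microsoft%20Corporation") lacks the "subject:" policy
// name, so the rejection could come from policy parsing rather than from the
// CA check. The second case keeps the well-formed subject policy used by the
// positive tests so that only the fingerprint can be the reason for failure.
func TestInvalidCA(t *testing.T) {
	chain := loadCertificateChain(t, "test-data/ms-code-signing.pem")

	_, err := Resolve(chain, "did:x509:0:sha256:abc::CN:Microsoft%20Corporation", true)
	checkFailed(t, err)

	// Well-formed policy, unknown fingerprint: must fail on the CA alone.
	_, err = Resolve(chain, "did:x509:0:sha256:abc::subject:CN:Microsoft%20Corporation", true)
	checkFailed(t, err)
}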
60
// TestMultiplePolicies resolves a DID carrying two eku policies separated by
// "::" (id-kp-codeSigning and a Microsoft-arc OID). Both must be satisfied by
// the chain for the DID to be accepted; the file's single-eku tests cover
// the individual OIDs.
func TestMultiplePolicies(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.3.6.1.5.5.7.3.3::eku:1.3.6.1.4.1.311.10.3.21"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
66
// TestSubject resolves a DID with a subject policy matching the leaf's CN.
// Note: the input is byte-identical to the one in TestRootCA; this test is
// kept as the named entry point for the subject policy so that a failure in
// the subject matcher shows up under a descriptive name.
func TestSubject(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:Microsoft%20Corporation"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
72
// TestSubjectInvalidName checks that subject matching is exact: the CN
// "MicrosoftCorporation" (no space) must not match "Microsoft Corporation",
// so a near-miss name cannot satisfy the policy.
func TestSubjectInvalidName(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:MicrosoftCorporation"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkFailed(t, resolveErr)
}
78
// TestSubjectDuplicateField checks that a subject policy listing the same
// attribute (CN) twice is rejected, even though each copy on its own would
// match. Accepting duplicates would make a policy's meaning ambiguous.
func TestSubjectDuplicateField(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:Microsoft%20Corporation:CN:Microsoft%20Corporation"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkFailed(t, resolveErr)
}
84
// TestSAN resolves a DID with a san:email policy against a Fulcio-issued
// chain whose leaf carries that email as a SubjectAltName. The "@" is
// percent-encoded (%40) in the DID, as the other SAN tests in this file do.
func TestSAN(t *testing.T) {
	const did = "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::san:email:igarcia%40suse.com"
	pemChain := loadCertificateChain(t, "test-data/fulcio-email.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
90
// TestSANInvalidType checks that the SAN type is part of the match: the
// value accepted by TestSAN as san:email must be rejected when presented as
// san:uri, so a value cannot be matched against the wrong SAN kind.
func TestSANInvalidType(t *testing.T) {
	const did = "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::san:uri:igarcia%40suse.com"
	pemChain := loadCertificateChain(t, "test-data/fulcio-email.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkFailed(t, resolveErr)
}
96
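// TestSANInvalidValue checks that a san:email policy naming an address the
// leaf does not carry is rejected.
//
// The original input ("::email:bob%40example.com") omits the "san:" policy
// name, so it exercises unknown-policy handling rather than SAN value
// matching, and would keep passing even if the email matcher accepted any
// address. The second case uses the same san:email form as TestSAN with a
// different address, so only the value can be the reason for failure.
func TestSANInvalidValue(t *testing.T) {
	chain := loadCertificateChain(t, "test-data/fulcio-email.pem")

	_, err := Resolve(chain, "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::email:bob%40example.com", true)
	checkFailed(t, err)

	// Well-formed san:email policy with an address the leaf does not have.
	_, err = Resolve(chain, "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::san:email:bob%40example.com", true)
	checkFailed(t, err)
}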
102
// TestBadEKU checks that an eku policy naming an OID the chain does not
// assert (1.3.6.1.5.5.7.3.12) is rejected; compare TestGoodEKU, which uses
// an OID the chain does carry.
func TestBadEKU(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.3.6.1.5.5.7.3.12"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkFailed(t, resolveErr)
}
108
// TestGoodEKU resolves a DID whose single eku policy names a Microsoft-arc
// OID (1.3.6.1.4.1.311.10.3.21) that the code-signing chain asserts; the
// same OID is one of the two in TestMultiplePolicies.
func TestGoodEKU(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.3.6.1.4.1.311.10.3.21"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
114
// TestEKUInvalidValue checks that an eku policy with a syntactically valid
// but unrelated OID (1.2.3) is rejected against the code-signing chain.
func TestEKUInvalidValue(t *testing.T) {
	const did = "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.2.3"
	pemChain := loadCertificateChain(t, "test-data/ms-code-signing.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkFailed(t, resolveErr)
}
120
// TestFulcioIssuerWithEmailSAN combines a fulcio-issuer policy (the OIDC
// issuer, percent-encoded: github.com/login/oauth) with the san:email policy
// from TestSAN. Binding the issuer is what stops an identical email minted
// through a different OIDC provider from satisfying the DID.
func TestFulcioIssuerWithEmailSAN(t *testing.T) {
	const did = "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::fulcio-issuer:github.com%2Flogin%2Foauth::san:email:igarcia%40suse.com"
	pemChain := loadCertificateChain(t, "test-data/fulcio-email.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
126
// TestFulcioIssuerWithURISAN resolves a DID for a GitHub Actions workflow
// identity: a fulcio-issuer policy for token.actions.githubusercontent.com
// plus a san:uri policy carrying the percent-encoded workflow URL and ref.
// The CA fingerprint is the same as in the fulcio-email tests, consistent
// with both fixtures presumably chaining to the same Fulcio root — verify
// against test-data if the fixtures are regenerated.
func TestFulcioIssuerWithURISAN(t *testing.T) {
	const did = "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::fulcio-issuer:token.actions.githubusercontent.com::san:uri:https%3A%2F%2Fgithub.com%2Fbrendancassells%2Fmcw-continuous-delivery-lab-files%2F.github%2Fworkflows%2Ffabrikam-web.yml%40refs%2Fheads%2Fmain"
	pemChain := loadCertificateChain(t, "test-data/fulcio-github-actions.pem")
	_, resolveErr := Resolve(pemChain, did, true)
	checkOk(t, resolveErr)
}
132