fix_test.go

Documentation: github.com/google/certificate-transparency-go/fixchain

     1  // Copyright 2016 Google LLC. All Rights Reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package fixchain
    16  
    17  import (
    18  	"net/http"
    19  	"testing"
    20  
    21  	"github.com/google/certificate-transparency-go/x509"
    22  )
    23  
    24  var constructChainTests = []fixTest{
    25  	// constructChain()
    26  	{ // Correct chain returns chain
    27  		cert:  googleLeaf,
    28  		chain: []string{thawteIntermediate, verisignRoot},
    29  		roots: []string{verisignRoot},
    30  
    31  		function: "constructChain",
    32  		expectedChains: [][]string{
    33  			{"Google", "Thawte", "VeriSign"},
    34  		},
    35  	},
    36  	{
    37  		cert:  testLeaf,
    38  		chain: []string{testIntermediate2, testIntermediate1, testRoot},
    39  		roots: []string{testRoot},
    40  
    41  		function: "constructChain",
    42  		expectedChains: [][]string{
    43  			{"Leaf", "Intermediate2", "Intermediate1", "CA"},
    44  		},
    45  	},
    46  	{ // No roots results in an error
    47  		cert:  googleLeaf,
    48  		chain: []string{thawteIntermediate, verisignRoot},
    49  
    50  		function:     "constructChain",
    51  		expectedErrs: []errorType{VerifyFailed},
    52  	},
    53  	{ // Incomplete chain results in an error
    54  		cert:  googleLeaf,
    55  		roots: []string{verisignRoot},
    56  
    57  		function:     "constructChain",
    58  		expectedErrs: []errorType{VerifyFailed},
    59  	},
    60  	{ // The wrong intermediate and root results in an error
    61  		cert:  megaLeaf,
    62  		chain: []string{thawteIntermediate, verisignRoot},
    63  		roots: []string{verisignRoot},
    64  
    65  		function:     "constructChain",
    66  		expectedErrs: []errorType{VerifyFailed},
    67  	},
    68  	{ // The wrong root results in an error
    69  		cert:  megaLeaf,
    70  		chain: []string{comodoIntermediate, verisignRoot},
    71  		roots: []string{verisignRoot},
    72  
    73  		function:     "constructChain",
    74  		expectedErrs: []errorType{VerifyFailed},
    75  	},
    76  }
    77  
    78  var fixChainTests = []fixTest{
    79  	// fixChain()
    80  	{ // Correct chain returns chain
    81  		cert:  googleLeaf,
    82  		chain: []string{thawteIntermediate, verisignRoot},
    83  		roots: []string{verisignRoot},
    84  
    85  		function: "fixChain",
    86  		expectedChains: [][]string{
    87  			{"Google", "Thawte", "VeriSign"},
    88  		},
    89  	},
    90  	{ // No roots results in an error
    91  		cert:  googleLeaf,
    92  		chain: []string{thawteIntermediate, verisignRoot},
    93  
    94  		function:     "fixChain",
    95  		expectedErrs: []errorType{FixFailed},
    96  	},
    97  	{ // No roots where chain that will be built contains a loop results in error
    98  		cert:  testC,
    99  		chain: []string{testB, testA},
   100  
   101  		function:     "fixChain",
   102  		expectedErrs: []errorType{FixFailed},
   103  	},
   104  	{ // Incomplete chain returns fixed chain
   105  		cert:  googleLeaf,
   106  		roots: []string{verisignRoot},
   107  
   108  		function: "fixChain",
   109  		expectedChains: [][]string{
   110  			{"Google", "Thawte", "VeriSign"},
   111  		},
   112  	},
   113  	{
   114  		cert:  testLeaf,
   115  		chain: []string{testIntermediate2},
   116  		roots: []string{testRoot},
   117  
   118  		function: "fixChain",
   119  		expectedChains: [][]string{
   120  			{"Leaf", "Intermediate2", "Intermediate1", "CA"},
   121  		},
   122  	},
   123  	{
   124  		cert:  testLeaf,
   125  		chain: []string{testIntermediate1},
   126  		roots: []string{testRoot},
   127  
   128  		function: "fixChain",
   129  		expectedChains: [][]string{
   130  			{"Leaf", "Intermediate2", "Intermediate1", "CA"},
   131  		},
   132  	},
   133  	{
   134  		cert:  testLeaf,
   135  		roots: []string{testRoot},
   136  
   137  		function: "fixChain",
   138  		expectedChains: [][]string{
   139  			{"Leaf", "Intermediate2", "Intermediate1", "CA"},
   140  		},
   141  	},
   142  	{ // The wrong intermediate and root results in an error
   143  		cert:  megaLeaf,
   144  		chain: []string{thawteIntermediate, verisignRoot},
   145  		roots: []string{verisignRoot},
   146  
   147  		function:     "fixChain",
   148  		expectedErrs: []errorType{FixFailed},
   149  	},
   150  	{ // The wrong root results in an error
   151  		cert:  megaLeaf,
   152  		chain: []string{comodoIntermediate, verisignRoot},
   153  		roots: []string{verisignRoot},
   154  
   155  		function:     "fixChain",
   156  		expectedErrs: []errorType{FixFailed},
   157  	},
   158  	// TODO(katjoyce): Add test where cert has multiple URLs in AIA extension.
   159  }
   160  
   161  func setUpFix(t *testing.T, i int, ft *fixTest) *toFix {
   162  	// Create & populate toFix to test from fixTest info
   163  	fix := &toFix{
   164  		cert:  GetTestCertificateFromPEM(t, ft.cert),
   165  		chain: newDedupedChain(extractTestChain(t, i, ft.chain)),
   166  		roots: extractTestRoots(t, i, ft.roots),
   167  		cache: newURLCache(&http.Client{Transport: &testRoundTripper{}}, false),
   168  	}
   169  
   170  	intermediates := x509.NewCertPool()
   171  	for j, cert := range ft.chain {
   172  		ok := intermediates.AppendCertsFromPEM([]byte(cert))
   173  		if !ok {
   174  			t.Errorf("#%d: Failed to parse intermediate #%d", i, j)
   175  		}
   176  	}
   177  
   178  	fix.opts = &x509.VerifyOptions{
   179  		Intermediates:     intermediates,
   180  		Roots:             fix.roots,
   181  		DisableTimeChecks: true,
   182  		KeyUsages:         []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
   183  	}
   184  
   185  	return fix
   186  }
   187  
   188  func testFixChainFunctions(t *testing.T, i int, ft *fixTest) {
   189  	fix := setUpFix(t, i, ft)
   190  
   191  	var chains [][]*x509.Certificate
   192  	var ferrs []*FixError
   193  	switch ft.function {
   194  	case "constructChain":
   195  		chains, ferrs = fix.constructChain()
   196  	case "fixChain":
   197  		chains, ferrs = fix.fixChain()
   198  	case "handleChain":
   199  		chains, ferrs = fix.handleChain()
   200  	}
   201  
   202  	matchTestChainList(t, i, ft.expectedChains, chains)
   203  	matchTestErrorList(t, i, ft.expectedErrs, ferrs)
   204  }
   205  
   206  func TestFixChainFunctions(t *testing.T) {
   207  	var allTests []fixTest
   208  	allTests = append(allTests, constructChainTests...)
   209  	allTests = append(allTests, fixChainTests...)
   210  	allTests = append(allTests, handleChainTests...)
   211  	for i, ft := range allTests {
   212  		testFixChainFunctions(t, i, &ft)
   213  	}
   214  }
   215  
   216  func TestFix(t *testing.T) {
   217  	for i, test := range handleChainTests {
   218  		chains, ferrs := Fix(GetTestCertificateFromPEM(t, test.cert),
   219  			extractTestChain(t, i, test.chain),
   220  			extractTestRoots(t, i, test.roots),
   221  			&http.Client{Transport: &testRoundTripper{}})
   222  
   223  		matchTestChainList(t, i, test.expectedChains, chains)
   224  		matchTestErrorList(t, i, test.expectedErrs, ferrs)
   225  	}
   226  }
   227
View as plain text