From 027e957f9f0f1f0da07d04af3c995b0984870559 Mon Sep 17 00:00:00 2001
From: Ties de Kock
Date: Tue, 10 May 2022 17:45:19 +0200
Subject: [PATCH 1/2] Add test cases for basic constraints handling

---
 .../commons/interop/BBNCMSConformanceTest.java | 14 ++++++++++++++
 .../interop/BBNCertificateConformanceTest.java | 11 +++++++++++
 2 files changed, 25 insertions(+)

diff --git a/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java b/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java
index 3e3c3438b..974569149 100644
--- a/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java
+++ b/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java
@@ -63,6 +63,20 @@ public void testGenericCMSSignedObject(String testNumber, String testCaseFile, S
         assertTrue("Should reject certificate with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
     }
 
+    @CsvSource({
+        "572, badEEHasBasicConstraints, basic constraints extension present 6487#4.8.1",
+        "575, badEEHasCABasicConstraint, basic constraints extension present with CA bool set to true 6487#4.8.1",
+        "574, badEEKeyUsageHasKeyCertSign, KU has digitalSignature and keyCertSign but no CA basic constraint 6487#4.8.4",
+        "576, badEEKeyUsageHasKeyCertSignCABool, KU has digitalSignature and keyCertSign and CA basic constraint 6487#4.8.4"
+    })
+    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
+    public void shouldRejectCMSWithIncorrectBasicConstrainsOrKU(String testCasenumber, String testCaseFile, String testCaseDescription) throws IOException {
+        final String fileName = String.format("root/%s.roa", testCaseFile);
+
+        assertTrue("Should reject EE certificate with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
+    }
+
+
     @Disabled("These checks are not implemented yet.")
     @CsvSource({
         "518, 2DigestAlgs, # two digest algorithms 6488#2.1.2",
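Review bot: shouldRejectCMSWithIncorrectBasicConstrainsOrKU asserts only that parseCertificate reports some failure, so a fixture that is rejected for an unrelated reason (a bad signature or a decoding error) keeps the test green even while the basic-constraints / key-usage check it is named for is missing; the same applies to shouldRejectCertificateWithIncorrectBasicConstrainsOrKU in the BBNCertificateConformanceTest hunk. Consider asserting on the specific failing check, which means parseCertificate (defined outside this hunk) would have to return the `ValidationResult` or its `getFailuresForAllLocations()` entries rather than `hasFailures()`. Two smaller points: `testCasenumber` is unused and differs from the sibling test's `testNumber` for the same column, and the method name reads `Constrains` where `Constraints` is meant.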
diff --git a/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java b/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java
index 97a3be5f6..6f3ac717d 100644
--- a/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java
+++ b/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java
@@ -53,6 +53,17 @@ public void shouldRejectCertificateWithTwoKeyUsageBits() throws IOException {
         assertTrue(parseCertificate("root/badCert2KeyUsage.cer"));
     }
 
+    @CsvSource({
+        "173, badCertNoBasicConstr, no basic constraints extension 6487#4.8,4.8.1",
+        "174, badCert2BasicConstrr, two basic constraints extensions 5280#4.2",
+    })
+    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
+    public void shouldRejectCertificateWithIncorrectBasicConstrainsOrKU(String testCasenumber, String testCaseFile, String testCaseDescription) throws IOException {
+        final String fileName = String.format("root/%s.cer", testCaseFile);
+
+        assertTrue("Should reject certificate with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
+    }
+
     @CsvSource({
         "127, KUsageExtra, has disallowed key usage bit (nonRepudiation) 6487#4.8.4",
         "217, KUsageDigitalSig, has disallowed key usage bit (digitalSignature) 6487#4.8.4",

From 7f493d883e72b7e0b5b5bc2c067d72d3a8a8a294 Mon Sep 17 00:00:00 2001
From: Ties de Kock
Date: Wed, 11 May 2022 07:48:25 +0200
Subject: [PATCH 2/2] Enable more test cases including some not implementable with bouncycastle API

---
 .../interop/BBNCMSConformanceTest.java | 24 +++++++++----------
 .../BBNCertificateConformanceTest.java | 12 +++++++---
 2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java b/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java
index 974569149..341552e2d 100644
--- a/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java
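Review bot: The `173` row's description contains an unquoted comma (`6487#4.8,4.8.1`), so `@CsvSource` splits it into a fourth argument; with three method parameters the trailing `4.8.1` is silently dropped from testCaseDescription (surplus arguments are ignored by default), so the displayed case description is truncated. Quote the cell with `@CsvSource`'s single-quote syntax or drop the comma: `"173, badCertNoBasicConstr, 'no basic constraints extension 6487#4.8, 4.8.1'",`. The row survives unchanged as context in the second patch's hunk for this file (`@@ -55,9 +55,9 @@`), so it still needs fixing there.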
+++ b/src/test/java/net/ripe/rpki/commons/interop/BBNCMSConformanceTest.java
@@ -56,11 +56,11 @@ public class BBNCMSConformanceTest {
         "571, SigInfoBadSigVal, # incorrect signature 6488#2.1.6.6",
         "543, SigInfoNoHashAlg, # had no hash algorithm 6488#2.1.6.3"
     })
-    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
+    @ParameterizedTest(name = "{index}: {arguments}")
     public void testGenericCMSSignedObject(String testNumber, String testCaseFile, String testCaseDescription) throws IOException {
         final String fileName = String.format("root/badCMS%s.roa", testCaseFile);
 
-        assertTrue("Should reject certificate with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
+        assertTrue("Should reject signed object with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
     }
 
     @CsvSource({
@@ -69,26 +69,25 @@ public void testGenericCMSSignedObject(String testNumber, String testCaseFile, S
         "574, badEEKeyUsageHasKeyCertSign, KU has digitalSignature and keyCertSign but no CA basic constraint 6487#4.8.4",
         "576, badEEKeyUsageHasKeyCertSignCABool, KU has digitalSignature and keyCertSign and CA basic constraint 6487#4.8.4"
     })
-    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
+    @ParameterizedTest(name = "{index}: {arguments}")
     public void shouldRejectCMSWithIncorrectBasicConstrainsOrKU(String testCasenumber, String testCaseFile, String testCaseDescription) throws IOException {
         final String fileName = String.format("root/%s.roa", testCaseFile);
 
-        assertTrue("Should reject EE certificate with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
+        assertTrue("Should reject signed object with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
     }
 
 
-    @Disabled("These checks are not implemented yet.")
     @CsvSource({
-        "518, 2DigestAlgs, # two digest algorithms 6488#2.1.2",
-        "526, SigInfoWrongSid, # wrong choice of Signer Identifier 6488#2.1.6.2",
-        "542, SigInfoWrongSigAlg, # has wrong signature algorithm 6488#2.1.6.5 6485#2",
-        "722, SigInfoForbiddenAttr, # extra - forbidden attribute 6488#2.1.6.4",
+        "518, true, 2DigestAlgs, two digest algorithms 6488#2.1.2",
+        "526, false, SigInfoWrongSid, wrong choice of Signer Identifier 6488#2.1.6.2",
+        "542, false, SigInfoWrongSigAlg, has wrong signature algorithm 6488#2.1.6.5 6485#2",
+        "722, false, SigInfoForbiddenAttr, extra - forbidden attribute 6488#2.1.6.4",
     })
-    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
-    public void testGenericCMSSignedObject_ignored(String testNumber, String testCaseFile, String testCaseDescription) throws IOException {
+    @ParameterizedTest(name = "{index}: {arguments}")
+    public void testGenericCMSSignedObject_ignored(String testNumber, boolean ignoreFailure, String testCaseFile, String testCaseDescription) throws IOException {
         final String fileName = String.format("root/badCMS%s.roa", testCaseFile);
 
-        assertTrue("Should reject certificate with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
+        assertTrue("Should reject signed object with " + testCaseDescription + " from " + fileName, parseCertificate(fileName));
     }
 
     private boolean parseCertificate(String certificate) throws IOException {
@@ -102,7 +101,6 @@ private boolean parseCertificate(String certificate) throws IOException {
         result.getWarnings().stream()
             .forEach(warning -> System.out.println("[warning]: " + warning.toString()));
 
-
         return result.hasFailures();
     }
 }
diff --git a/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java b/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java
index 6f3ac717d..ea645249e 100644
--- a/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java
+++ b/src/test/java/net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.java
@@ -55,9 +55,9 @@ public void shouldRejectCertificateWithTwoKeyUsageBits() throws IOException {
 
     @CsvSource({
         "173, badCertNoBasicConstr, no basic constraints extension 6487#4.8,4.8.1",
-        "174, badCert2BasicConstrr, two basic constraints extensions 5280#4.2",
+        "174, badCert2BasicConstr, two basic constraints extensions 5280#4.2",
     })
-    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
+    @ParameterizedTest(name = "{index}: {arguments}")
     public void shouldRejectCertificateWithIncorrectBasicConstrainsOrKU(String testCasenumber, String testCaseFile, String testCaseDescription) throws IOException {
         final String fileName = String.format("root/%s.cer", testCaseFile);
 
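Review bot: The new `ignoreFailure` parameter of testGenericCMSSignedObject_ignored is never read; the body still calls `assertTrue(...)` unconditionally, so now that `@Disabled` is removed the `518` row (flagged `true`, which the commit message describes as not implementable with the BouncyCastle API) presumably fails outright instead of being tolerated. Branch on the flag and report the known gap as an aborted assumption rather than as a pass or a red build, as sketched below. Which `assumeTrue` applies depends on imports outside this hunk: the file's message-first `assertTrue` looks like JUnit 4's `Assert`, whose `Assume.assumeTrue(String, boolean)` takes its arguments in the opposite order from JUnit 5's `Assumptions.assumeTrue(boolean, String)` used in the sketch.
```java
    public void testGenericCMSSignedObject_ignored(String testNumber, boolean ignoreFailure, String testCaseFile, String testCaseDescription) throws IOException {
        final String fileName = String.format("root/badCMS%s.roa", testCaseFile);
        final boolean rejected = parseCertificate(fileName);

        if (ignoreFailure) {
            // Known gap in the parser: an accepted object is reported as skipped, not as a passing check.
            assumeTrue(rejected, "Known unimplemented check: " + testCaseDescription + " from " + fileName);
        } else {
            assertTrue("Should reject signed object with " + testCaseDescription + " from " + fileName, rejected);
        }
    }
```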
@@ -71,7 +71,7 @@ public void shouldRejectCertificateWithIncorrectBasicConstrainsOrKU(String testC
         "129, KUsageNoCrit, key usage extension not critical 6487#4.8.4",
         "131, KUsageNoCRLSign, lacks bit for signing CRLs 6487#4.8.4"
     })
-    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
+    @ParameterizedTest(name = "{index}: {arguments}")
     public void shouldRejectCertificateWithIncorrectKeyUsageBits(String testCasenumber, String testCaseFile, String testCaseDescription) throws IOException {
         final String fileName = String.format("root/badCert%s.cer", testCaseFile);
 
@@ -91,6 +91,12 @@ private boolean parseCertificate(String certificate) throws IOException {
         byte[] encoded = Files.toByteArray(file);
         ValidationResult result = ValidationResult.withLocation(file.getName());
         new X509ResourceCertificateParser().parse(result, encoded);
+
+        result.getFailuresForAllLocations().stream()
+            .forEach(failure -> System.out.println("[failure]: " + failure.toString()));
+        result.getWarnings().stream()
+            .forEach(warning -> System.out.println("[warning]: " + warning.toString()));
+
         return result.hasFailures();
     }
 }
\ No newline at end of file
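Review bot: Both new diagnostic lines in parseCertificate go through `.stream().forEach(...)` only to iterate, and call `toString()` inside a string concatenation that already does that; assuming `getFailuresForAllLocations()` and `getWarnings()` return collections, `Collection.forEach` says the same in one call: `result.getFailuresForAllLocations().forEach(failure -> System.out.println("[failure]: " + failure));` and likewise for the warnings. A short comment above the block, such as `// Diagnostic output only; the verdict returned below is unaffected`, would help, since every test in this file uses parseCertificate as its rejection predicate. The method's signature lies outside this hunk (only the body from `byte[] encoded` onward is shown), and the `\ No newline at end of file` marker shows the trailing newline is still missing.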