helpers_test.go 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664
  1. package helpers
  2. import (
  3. "bytes"
  4. "crypto/ecdsa"
  5. "crypto/elliptic"
  6. "crypto/rand"
  7. "crypto/rsa"
  8. "crypto/x509"
  9. "crypto/x509/pkix"
  10. "encoding/asn1"
  11. "encoding/pem"
  12. "io/ioutil"
  13. "math"
  14. "testing"
  15. "time"
  16. "golang.org/x/crypto/ocsp"
  17. "github.com/google/certificate-transparency-go"
  18. )
  19. const (
  20. testCertFile = "testdata/cert.pem"
  21. testCertDERFile = "testdata/cert.der"
  22. testBundleFile = "testdata/bundle.pem"
  23. testExtraWSCertFile = "testdata/cert_with_whitespace.pem"
  24. testExtraWSBundleFile = "testdata/bundle_with_whitespace.pem"
  25. testMessedUpBundleFile = "testdata/messed_up_bundle.pem"
  26. testMessedUpCertFile = "testdata/messedupcert.pem"
  27. testEmptyCertFile = "testdata/emptycert.pem"
  28. testPrivateRSAKey = "testdata/priv_rsa_key.pem"
  29. testPrivateECDSAKey = "testdata/private_ecdsa_key.pem"
  30. testPrivateEd25519Key = "testdata/private_ed25519_key.pem"
  31. testPrivateOpenSSLECKey = "testdata/openssl_secp384.pem"
  32. testUnsupportedECDSAKey = "testdata/secp256k1-key.pem"
  33. testMessedUpPrivateKey = "testdata/messed_up_priv_key.pem"
  34. testEncryptedPrivateKey = "testdata/enc_priv_key.pem"
  35. testEmptyPem = "testdata/empty.pem"
  36. testNoHeaderCert = "testdata/noheadercert.pem"
  37. testSinglePKCS7 = "testdata/cert_pkcs7.pem" // openssl crl2pkcs7 -nocrl -out cert_pkcs7.pem -in cert.pem
  38. testEmptyPKCS7DER = "testdata/empty_pkcs7.der" // openssl crl2pkcs7 -nocrl -out empty_pkcs7.der -outform der
  39. testEmptyPKCS7PEM = "testdata/empty_pkcs7.pem" // openssl crl2pkcs7 -nocrl -out empty_pkcs7.pem -outform pem
  40. testMultiplePKCS7 = "testdata/bundle_pkcs7.pem"
  41. testPKCS12EmptyPswd = "testdata/emptypasswordpkcs12.p12"
  42. testPKCS12Passwordispassword = "testdata/passwordpkcs12.p12"
  43. testPKCS12MultipleCerts = "testdata/multiplecerts.p12"
  44. testCSRPEM = "testdata/test.csr.pem"
  45. testCSRPEMBad = "testdata/test.bad.csr.pem"
  46. )
  47. func TestParseCertificatesDER(t *testing.T) {
  48. var password = []string{"password", "", ""}
  49. for i, testFile := range []string{testPKCS12Passwordispassword, testPKCS12EmptyPswd, testCertDERFile} {
  50. testDER, err := ioutil.ReadFile(testFile)
  51. if err != nil {
  52. t.Fatal(err)
  53. }
  54. if _, _, err := ParseCertificatesDER(testDER, password[i]); err != nil {
  55. t.Fatal(err)
  56. }
  57. // Incorrect Password for PKCS12 formatted files
  58. if _, _, err := ParseCertificatesDER(testDER, "incorrectpassword"); err == nil && i != 2 {
  59. t.Fatal(err)
  60. }
  61. }
  62. testDER, err := ioutil.ReadFile(testEmptyPKCS7DER)
  63. if err != nil {
  64. t.Fatal(err)
  65. }
  66. // PKCS7 with no certificates
  67. if _, _, err := ParseCertificatesDER(testDER, ""); err == nil {
  68. t.Fatal(err)
  69. }
  70. }
  71. func TestKeyLength(t *testing.T) {
  72. expNil := 0
  73. recNil := KeyLength(nil)
  74. if expNil != recNil {
  75. t.Fatal("KeyLength on nil did not return 0")
  76. }
  77. expNonsense := 0
  78. inNonsense := "string?"
  79. outNonsense := KeyLength(inNonsense)
  80. if expNonsense != outNonsense {
  81. t.Fatal("KeyLength malfunctioning on nonsense input")
  82. }
  83. //test the ecdsa branch
  84. ecdsaPriv, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
  85. ecdsaIn, _ := ecdsaPriv.Public().(*ecdsa.PublicKey)
  86. expEcdsa := ecdsaIn.Curve.Params().BitSize
  87. outEcdsa := KeyLength(ecdsaIn)
  88. if expEcdsa != outEcdsa {
  89. t.Fatal("KeyLength malfunctioning on ecdsa input")
  90. }
  91. //test the rsa branch
  92. rsaPriv, _ := rsa.GenerateKey(rand.Reader, 256)
  93. rsaIn, _ := rsaPriv.Public().(*rsa.PublicKey)
  94. expRsa := rsaIn.N.BitLen()
  95. outRsa := KeyLength(rsaIn)
  96. if expRsa != outRsa {
  97. t.Fatal("KeyLength malfunctioning on rsa input")
  98. }
  99. }
  100. func TestExpiryTime(t *testing.T) {
  101. // nil case
  102. var expNil time.Time
  103. inNil := []*x509.Certificate{}
  104. outNil := ExpiryTime(inNil)
  105. if expNil != outNil {
  106. t.Fatal("Expiry time is malfunctioning on empty input")
  107. }
  108. //read a pem file and use that expiry date
  109. bytes, _ := ioutil.ReadFile(testBundleFile)
  110. certs, err := ParseCertificatesPEM(bytes)
  111. if err != nil {
  112. t.Fatalf("%v", err)
  113. }
  114. expected := time.Date(2014, time.April, 15, 0, 0, 0, 0, time.UTC)
  115. out := ExpiryTime(certs)
  116. if out != expected {
  117. t.Fatalf("Expected %v, got %v", expected, out)
  118. }
  119. }
  120. func TestMonthsValid(t *testing.T) {
  121. var cert = &x509.Certificate{
  122. NotBefore: time.Date(2015, time.April, 01, 0, 0, 0, 0, time.UTC),
  123. NotAfter: time.Date(2015, time.April, 01, 0, 0, 0, 0, time.UTC),
  124. }
  125. if MonthsValid(cert) != 0 {
  126. t.Fail()
  127. }
  128. cert.NotAfter = time.Date(2016, time.April, 01, 0, 0, 0, 0, time.UTC)
  129. if MonthsValid(cert) != 12 {
  130. t.Fail()
  131. }
  132. // extra days should be rounded up to 1 month
  133. cert.NotAfter = time.Date(2016, time.April, 02, 0, 0, 0, 0, time.UTC)
  134. if MonthsValid(cert) != 13 {
  135. t.Fail()
  136. }
  137. }
  138. func TestHasValidExpiry(t *testing.T) {
  139. // Issue period > April 1, 2015
  140. var cert = &x509.Certificate{
  141. NotBefore: time.Date(2015, time.April, 01, 0, 0, 0, 0, time.UTC),
  142. NotAfter: time.Date(2016, time.April, 01, 0, 0, 0, 0, time.UTC),
  143. }
  144. if !ValidExpiry(cert) {
  145. t.Fail()
  146. }
  147. cert.NotAfter = time.Date(2019, time.April, 01, 01, 0, 0, 0, time.UTC)
  148. if ValidExpiry(cert) {
  149. t.Fail()
  150. }
  151. // Issue period < July 1, 2012
  152. cert.NotBefore = time.Date(2009, time.March, 01, 0, 0, 0, 0, time.UTC)
  153. if ValidExpiry(cert) {
  154. t.Fail()
  155. }
  156. // Issue period July 1, 2012 - April 1, 2015
  157. cert.NotBefore = time.Date(2012, time.July, 01, 0, 0, 0, 0, time.UTC)
  158. cert.NotAfter = time.Date(2017, time.July, 01, 0, 0, 0, 0, time.UTC)
  159. if !ValidExpiry(cert) {
  160. t.Fail()
  161. }
  162. }
  163. func TestHashAlgoString(t *testing.T) {
  164. if HashAlgoString(x509.MD2WithRSA) != "MD2" {
  165. t.Fatal("standin")
  166. }
  167. if HashAlgoString(x509.MD5WithRSA) != "MD5" {
  168. t.Fatal("standin")
  169. }
  170. if HashAlgoString(x509.SHA1WithRSA) != "SHA1" {
  171. t.Fatal("standin")
  172. }
  173. if HashAlgoString(x509.SHA256WithRSA) != "SHA256" {
  174. t.Fatal("standin")
  175. }
  176. if HashAlgoString(x509.SHA384WithRSA) != "SHA384" {
  177. t.Fatal("standin")
  178. }
  179. if HashAlgoString(x509.SHA512WithRSA) != "SHA512" {
  180. t.Fatal("standin")
  181. }
  182. if HashAlgoString(x509.DSAWithSHA1) != "SHA1" {
  183. t.Fatal("standin")
  184. }
  185. if HashAlgoString(x509.DSAWithSHA256) != "SHA256" {
  186. t.Fatal("standin")
  187. }
  188. if HashAlgoString(x509.ECDSAWithSHA1) != "SHA1" {
  189. t.Fatal("standin")
  190. }
  191. if HashAlgoString(x509.ECDSAWithSHA256) != "SHA256" {
  192. t.Fatal("standin")
  193. }
  194. if HashAlgoString(x509.ECDSAWithSHA384) != "SHA384" {
  195. t.Fatal("standin")
  196. }
  197. if HashAlgoString(x509.ECDSAWithSHA512) != "SHA512" {
  198. t.Fatal("standin")
  199. }
  200. if HashAlgoString(math.MaxInt32) != "Unknown Hash Algorithm" {
  201. t.Fatal("standin")
  202. }
  203. }
  204. func TestSignatureString(t *testing.T) {
  205. if SignatureString(x509.MD2WithRSA) != "MD2WithRSA" {
  206. t.Fatal("Signature String functioning improperly")
  207. }
  208. if SignatureString(x509.MD5WithRSA) != "MD5WithRSA" {
  209. t.Fatal("Signature String functioning improperly")
  210. }
  211. if SignatureString(x509.SHA1WithRSA) != "SHA1WithRSA" {
  212. t.Fatal("Signature String functioning improperly")
  213. }
  214. if SignatureString(x509.SHA256WithRSA) != "SHA256WithRSA" {
  215. t.Fatal("Signature String functioning improperly")
  216. }
  217. if SignatureString(x509.SHA384WithRSA) != "SHA384WithRSA" {
  218. t.Fatal("Signature String functioning improperly")
  219. }
  220. if SignatureString(x509.SHA512WithRSA) != "SHA512WithRSA" {
  221. t.Fatal("Signature String functioning improperly")
  222. }
  223. if SignatureString(x509.DSAWithSHA1) != "DSAWithSHA1" {
  224. t.Fatal("Signature String functioning improperly")
  225. }
  226. if SignatureString(x509.DSAWithSHA256) != "DSAWithSHA256" {
  227. t.Fatal("Signature String functioning improperly")
  228. }
  229. if SignatureString(x509.ECDSAWithSHA1) != "ECDSAWithSHA1" {
  230. t.Fatal("Signature String functioning improperly")
  231. }
  232. if SignatureString(x509.ECDSAWithSHA256) != "ECDSAWithSHA256" {
  233. t.Fatal("Signature String functioning improperly")
  234. }
  235. if SignatureString(x509.ECDSAWithSHA384) != "ECDSAWithSHA384" {
  236. t.Fatal("Signature String functioning improperly")
  237. }
  238. if SignatureString(x509.ECDSAWithSHA512) != "ECDSAWithSHA512" {
  239. t.Fatal("Signature String functioning improperly")
  240. }
  241. if SignatureString(math.MaxInt32) != "Unknown Signature" {
  242. t.Fatal("Signature String functioning improperly")
  243. }
  244. }
  245. func TestParseCertificatePEM(t *testing.T) {
  246. for _, testFile := range []string{testCertFile, testExtraWSCertFile, testSinglePKCS7} {
  247. certPEM, err := ioutil.ReadFile(testFile)
  248. if err != nil {
  249. t.Fatal(err)
  250. }
  251. if _, err := ParseCertificatePEM(certPEM); err != nil {
  252. t.Log(testFile)
  253. t.Fatal(err)
  254. }
  255. }
  256. for _, testFile := range []string{testBundleFile, testMessedUpCertFile, testEmptyPKCS7PEM, testEmptyCertFile, testMultiplePKCS7} {
  257. certPEM, err := ioutil.ReadFile(testFile)
  258. if err != nil {
  259. t.Fatal(err)
  260. }
  261. if _, err := ParseCertificatePEM(certPEM); err == nil {
  262. t.Fatal("Incorrect cert failed to raise error")
  263. }
  264. }
  265. }
  266. func TestParseCertificatesPEM(t *testing.T) {
  267. // expected cases
  268. for _, testFile := range []string{testBundleFile, testExtraWSBundleFile, testSinglePKCS7, testMultiplePKCS7} {
  269. bundlePEM, err := ioutil.ReadFile(testFile)
  270. if err != nil {
  271. t.Fatal(err)
  272. }
  273. if _, err := ParseCertificatesPEM(bundlePEM); err != nil {
  274. t.Log(testFile)
  275. t.Fatal(err)
  276. }
  277. }
  278. // test failure cases
  279. // few lines deleted, then headers removed
  280. for _, testFile := range []string{testMessedUpBundleFile, testEmptyPKCS7PEM, testNoHeaderCert} {
  281. bundlePEM, err := ioutil.ReadFile(testFile)
  282. if err != nil {
  283. t.Fatal(err)
  284. }
  285. if _, err := ParseCertificatesPEM(bundlePEM); err == nil {
  286. t.Fatal("Incorrectly-formatted file failed to produce an error")
  287. }
  288. }
  289. }
  290. func TestSelfSignedCertificatePEM(t *testing.T) {
  291. testPEM, err := ioutil.ReadFile(testCertFile)
  292. if err != nil {
  293. t.Fatal(err)
  294. }
  295. _, err = ParseSelfSignedCertificatePEM(testPEM)
  296. if err != nil {
  297. t.Fatalf("%v", err)
  298. }
  299. // a few lines deleted from the pem file
  300. wrongPEM, err := ioutil.ReadFile(testMessedUpCertFile)
  301. if err != nil {
  302. t.Fatal(err)
  303. }
  304. _, err2 := ParseSelfSignedCertificatePEM(wrongPEM)
  305. if err2 == nil {
  306. t.Fatal("Improper pem file failed to raise an error")
  307. }
  308. // alter the signature of a valid certificate
  309. blk, _ := pem.Decode(testPEM)
  310. blk.Bytes[len(blk.Bytes)-10]++ // some hacking to get to the sig
  311. alteredBytes := pem.EncodeToMemory(blk)
  312. _, err = ParseSelfSignedCertificatePEM(alteredBytes)
  313. if err == nil {
  314. t.Fatal("Incorrect cert failed to produce an error")
  315. }
  316. }
  317. func TestParsePrivateKeyPEM(t *testing.T) {
  318. // expected cases
  319. testRSAPEM, err := ioutil.ReadFile(testPrivateRSAKey)
  320. if err != nil {
  321. t.Fatal(err)
  322. }
  323. _, err = ParsePrivateKeyPEM(testRSAPEM)
  324. if err != nil {
  325. t.Fatal(err)
  326. }
  327. testECDSAPEM, err := ioutil.ReadFile(testPrivateECDSAKey)
  328. if err != nil {
  329. t.Fatal(err)
  330. }
  331. _, err = ParsePrivateKeyPEM(testECDSAPEM)
  332. if err != nil {
  333. t.Fatal(err)
  334. }
  335. testEd25519PEM, err := ioutil.ReadFile(testPrivateEd25519Key)
  336. if err != nil {
  337. t.Fatal(err)
  338. }
  339. _, err = ParsePrivateKeyPEM(testEd25519PEM)
  340. if err != nil {
  341. t.Fatal(err)
  342. }
  343. testOpenSSLECKey, err := ioutil.ReadFile(testPrivateOpenSSLECKey)
  344. if err != nil {
  345. t.Fatal(err)
  346. }
  347. _, err = ParsePrivateKeyPEM(testOpenSSLECKey)
  348. if err != nil {
  349. t.Fatal(err)
  350. }
  351. // error cases
  352. errCases := []string{
  353. testMessedUpPrivateKey, // a few lines deleted
  354. testEmptyPem, // empty file
  355. testEncryptedPrivateKey, // encrypted key
  356. testUnsupportedECDSAKey, // ECDSA curve not currently supported by Go standard library
  357. }
  358. for _, fname := range errCases {
  359. testPEM, _ := ioutil.ReadFile(fname)
  360. _, err = ParsePrivateKeyPEM(testPEM)
  361. if err == nil {
  362. t.Fatal("Incorrect private key failed to produce an error")
  363. }
  364. }
  365. }
  366. // Imported from signers/local/testdata/
  367. const ecdsaTestCSR = "testdata/ecdsa256.csr"
  368. func TestParseCSRPEM(t *testing.T) {
  369. in, err := ioutil.ReadFile(ecdsaTestCSR)
  370. if err != nil {
  371. t.Fatalf("%v", err)
  372. }
  373. _, _, err = ParseCSR(in)
  374. if err != nil {
  375. t.Fatalf("%v", err)
  376. }
  377. in[12]++
  378. _, _, err = ParseCSR(in)
  379. if err == nil {
  380. t.Fatalf("Expected an invalid CSR.")
  381. }
  382. in[12]--
  383. }
  384. func TestParseCSRPEMMore(t *testing.T) {
  385. csrPEM, err := ioutil.ReadFile(testCSRPEM)
  386. if err != nil {
  387. t.Fatal(err)
  388. }
  389. if _, err := ParseCSRPEM(csrPEM); err != nil {
  390. t.Fatal(err)
  391. }
  392. csrPEM, err = ioutil.ReadFile(testCSRPEMBad)
  393. if err != nil {
  394. t.Fatal(err)
  395. }
  396. if _, err := ParseCSRPEM(csrPEM); err == nil {
  397. t.Fatal(err)
  398. }
  399. if _, err := ParseCSRPEM([]byte("not even pem")); err == nil {
  400. t.Fatal("Expected an invalid CSR.")
  401. }
  402. }
  403. // Imported from signers/local/testdata/
  404. const rsaOldTestCSR = "testdata/rsa-old.csr"
  405. func TestParseOldCSR(t *testing.T) {
  406. in, err := ioutil.ReadFile(rsaOldTestCSR)
  407. if err != nil {
  408. t.Fatalf("%v", err)
  409. }
  410. _, _, err = ParseCSR(in)
  411. if err != nil {
  412. t.Fatalf("%v", err)
  413. }
  414. }
  415. // Imported from signers/local/testdata/
  416. const clientCertFile = "testdata/ca.pem"
  417. const clientKeyFile = "testdata/ca_key.pem"
  418. func TestClientCertParams(t *testing.T) {
  419. _, err := LoadClientCertificate(testCertFile, testPrivateRSAKey)
  420. if err == nil {
  421. t.Fatal("Unmatched cert/key should generate error")
  422. }
  423. cert, err := LoadClientCertificate("", "")
  424. if err != nil || cert != nil {
  425. t.Fatal("Certificate atempted to loaded with missing key and cert")
  426. }
  427. cert, err = LoadClientCertificate(clientCertFile, "")
  428. if err != nil || cert != nil {
  429. t.Fatal("Certificate atempted to loaded with missing key")
  430. }
  431. cert, err = LoadClientCertificate("", clientKeyFile)
  432. if err != nil || cert != nil {
  433. t.Fatal("Certificate atempted to loaded with missing cert")
  434. }
  435. cert, err = LoadClientCertificate(clientCertFile, clientKeyFile)
  436. if err != nil {
  437. t.Fatal(err)
  438. }
  439. if cert == nil {
  440. t.Fatal("cert not created")
  441. }
  442. }
  443. func TestLoadPEMCertPool(t *testing.T) {
  444. certPool, err := PEMToCertPool([]byte{})
  445. if certPool != nil || err != nil {
  446. t.Fatal("Empty file name should not generate error or a cert pool")
  447. }
  448. in, err := ioutil.ReadFile(testEmptyPem)
  449. if err != nil {
  450. t.Fatalf("%v", err)
  451. }
  452. certPool, err = PEMToCertPool(in)
  453. if certPool != nil {
  454. t.Fatal("Empty file should not generate a cert pool")
  455. } else if err == nil {
  456. t.Fatal("Expected error for empty file")
  457. }
  458. in, err = ioutil.ReadFile(testEmptyCertFile)
  459. if err != nil {
  460. t.Fatalf("%v", err)
  461. }
  462. certPool, err = PEMToCertPool(in)
  463. if certPool != nil {
  464. t.Fatal("Empty cert should not generate a cert pool")
  465. } else if err == nil {
  466. t.Fatal("Expected error for empty cert")
  467. }
  468. in, err = ioutil.ReadFile(clientCertFile)
  469. if err != nil {
  470. t.Fatalf("%v", err)
  471. }
  472. certPool, err = PEMToCertPool(in)
  473. if err != nil {
  474. t.Fatalf("%v", err)
  475. } else if certPool == nil {
  476. t.Fatal("cert pool not created")
  477. }
  478. }
  479. // sctEquals returns true if all fields of both SCTs are equivalent.
  480. func sctEquals(sctA, sctB ct.SignedCertificateTimestamp) bool {
  481. if sctA.SCTVersion == sctB.SCTVersion &&
  482. sctA.LogID == sctB.LogID &&
  483. sctA.Timestamp == sctB.Timestamp &&
  484. bytes.Equal(sctA.Extensions, sctB.Extensions) &&
  485. sctA.Signature.Algorithm == sctB.Signature.Algorithm &&
  486. bytes.Equal(sctA.Signature.Signature, sctA.Signature.Signature) {
  487. return true
  488. }
  489. return false
  490. }
  491. // NOTE: TestDeserializeSCTList tests both DeserializeSCTList and
  492. // SerializeSCTList.
  493. func TestDeserializeSCTList(t *testing.T) {
  494. // Here we make sure that empty SCT lists return an error
  495. emptyLists := [][]byte{nil, {}}
  496. for _, emptyList := range emptyLists {
  497. _, err := DeserializeSCTList(emptyList)
  498. if err == nil {
  499. t.Fatalf("DeserializeSCTList(%v) should raise an error\n", emptyList)
  500. }
  501. }
  502. // Here we make sure that an SCT list with a zero SCT is deserialized
  503. // correctly
  504. var zeroSCT ct.SignedCertificateTimestamp
  505. serializedSCT, err := SerializeSCTList([]ct.SignedCertificateTimestamp{zeroSCT})
  506. if err != nil {
  507. t.Fatal(err)
  508. }
  509. deserializedSCTList, err := DeserializeSCTList(serializedSCT)
  510. if err != nil {
  511. t.Fatal(err)
  512. }
  513. if !sctEquals(zeroSCT, (deserializedSCTList)[0]) {
  514. t.Fatal("SCTs don't match")
  515. }
  516. // Here we verify that an error is raised when the SCT list length
  517. // field is greater than its actual length
  518. serializedSCT, err = SerializeSCTList([]ct.SignedCertificateTimestamp{zeroSCT})
  519. if err != nil {
  520. t.Fatal(err)
  521. }
  522. serializedSCT[0] = 15
  523. _, err = DeserializeSCTList(serializedSCT)
  524. if err == nil {
  525. t.Fatalf("DeserializeSCTList should raise an error when " +
  526. "the SCT list length field and the list length don't match\n")
  527. }
  528. // Here we verify that an error is raised when the SCT list length
  529. // field is less than its actual length
  530. serializedSCT[0] = 0
  531. serializedSCT[1] = 0
  532. _, err = DeserializeSCTList(serializedSCT)
  533. if err == nil {
  534. t.Fatalf("DeserializeSCTList should raise an error when " +
  535. "the SCT list length field and the list length don't match\n")
  536. }
  537. // Here we verify that an error is raised when the SCT length field is
  538. // greater than its actual length
  539. serializedSCT[0] = 0
  540. serializedSCT[1] = 49
  541. serializedSCT[2] = 1
  542. _, err = DeserializeSCTList(serializedSCT)
  543. if err == nil {
  544. t.Fatalf("DeserializeSCTList should raise an error when " +
  545. "the SCT length field and the SCT length don't match\n")
  546. }
  547. // Here we verify that an error is raised when the SCT length field is
  548. // less than its actual length
  549. serializedSCT[2] = 0
  550. serializedSCT[3] = 0
  551. _, err = DeserializeSCTList(serializedSCT)
  552. if err == nil {
  553. t.Fatalf("DeserializeSCTList should raise an error when " +
  554. "the SCT length field and the SCT length don't match\n")
  555. }
  556. }
  557. func TestSCTListFromOCSPResponse(t *testing.T) {
  558. var response ocsp.Response
  559. lst, err := SCTListFromOCSPResponse(&response)
  560. if err != nil {
  561. t.Fatal(err)
  562. }
  563. if len(lst) != 0 {
  564. t.Fatal("SCTListFromOCSPResponse should return an empty SCT list for an empty extension")
  565. }
  566. var zeroSCT ct.SignedCertificateTimestamp
  567. serializedSCTList, err := SerializeSCTList([]ct.SignedCertificateTimestamp{zeroSCT})
  568. if err != nil {
  569. t.Fatal("failed to serialize SCT list")
  570. }
  571. serializedSCTList, err = asn1.Marshal(serializedSCTList)
  572. if err != nil {
  573. t.Fatal("failed to serialize SCT list")
  574. }
  575. // The value of Id below is the object identifier of the OCSP Stapling
  576. // SCT extension (see section 3.3. of RFC 6962).
  577. response.Extensions = []pkix.Extension{{
  578. Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 5},
  579. Critical: false,
  580. Value: serializedSCTList,
  581. }}
  582. lst, err = SCTListFromOCSPResponse(&response)
  583. if err != nil {
  584. t.Fatal(err)
  585. }
  586. if !sctEquals(zeroSCT, lst[0]) {
  587. t.Fatal("SCTs don't match")
  588. }
  589. }