public void CleaningChainWithOnlyLeafThrowsException()
{
// when we clean a valid chain
var certsChain = Data.LoadCerts(Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE);
var builtChain = CertificateChainBuilder.Build(certsChain);
Assert.AreEqual(builtChain, null);
}
public void ReallyLargeValidChainThrowsException()
{
var rootCert = Data.LoadCerts(Data.ELEVEN_CERTS_ROOT_CERT)[0];
var certsChain = Data.LoadCerts(Data.ELEVEN_CERTS_CHAIN);
var builtChain = CertificateChainBuilder.Build(certsChain, rootCert);
// when we clean a chain with more than 10 certs (inc root)
Assert.IsTrue(builtChain.Count > 10);
}
public void TrustedCertInMiddleOfChainReturnsSuccessfully()
{
var certsChain = Data.LoadCerts(
Data.TEN_CERTS_CHAIN);
var trustedCert = certsChain[5];
var builtChain = CertificateChainBuilder.Build(certsChain, trustedCert);
// then the expected chain is returned
Assert.True(certsChain.SequenceEqual(builtChain));
}
public void TrustedSelfSignedRootCertReturnsSuccessfully()
{
var rootCert = Data.LoadCerts(Data.SELF_SIGNED_ROOT_CERT)[0];
var certsChain = new[] { rootCert };
var builtChain = CertificateChainBuilder.Build(certsChain, rootCert);
// then the expected chain is returned
Assert.True(certsChain.SequenceEqual(builtChain));
}
public void CleaningIncompleteChainThrowsException()
{
// when we clean a chain with missing certs (TestData.PRE_CERT_SIGNING_BY_INTERMEDIATE)
var certsChain = Data.LoadCerts(
Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE,
Data.INTERMEDIATE_CA_CERT);
var builtChain = CertificateChainBuilder.Build(certsChain);
Assert.AreEqual(builtChain, null);
}
public void CleaningChainWithOnlyLeafThrowsException()
{
// given a basic chain cleaner
var chainCleaner = GetChainCleaner();
// when we clean a valid chain
var certsChain = Data.LoadCerts(
Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE).ToJavaCerts();
Assert.Throws <SSLPeerUnverifiedException>(() => chainCleaner.Clean(certsChain));
}
public void CleaningIncompleteChainThrowsException()
{
// given a basic chain cleaner
var chainCleaner = GetChainCleaner();
// when we clean a chain with missing certs (TestData.PRE_CERT_SIGNING_BY_INTERMEDIATE)
var certsChain = Data.LoadCerts(
Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE,
Data.INTERMEDIATE_CA_CERT).ToJavaCerts();
Assert.Throws <SSLPeerUnverifiedException>(() => chainCleaner.Clean(certsChain));
}
public void ExcludeHostsRuleOnlyBlocksSpecifiedSubdomainMatching()
{
var ctv = GetCertVerifier(new[] { "*.*" }, new[] { DisallowedRandomCom });
var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT);
var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single());
var result = ctv.IsValidAsync(AllowedRandomCom, certsChain, default).Result;
Assert.IsTrue(result.Result == CtResult.Trusted);
}
public void IncludeHostsRuleMatchesSubdomain()
{
var ctv = GetCertVerifier(_includeRandom);
var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT);
var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single());
var result = ctv.IsValidAsync(AllowedRandomCom, certsChain, default).Result;
Assert.IsTrue(result.Result == CtResult.Trusted);
}
public void OriginalChainDisallowedWhenNullLogs()
{
var ctv = GetCertVerifierNoLogs(_includeBabylon);
var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT);
var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single());
var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result;
Assert.IsTrue(result.Result == CtResult.LogServersFailed);
}
private ICertificateChainCleaner GetChainCleaner(X509Certificate rootCert = null)
{
var trustManager = new Moq.Mock <IX509TrustManager>();
trustManager.Setup(tm => tm.GetAcceptedIssuers())
.Returns(rootCert == null
? Data.LoadCerts(Data.ROOT_CA_CERT)
.ToJavaCerts()
.ToArray()
: new[] { rootCert });
return(new CertificateChainCleaner(trustManager.Object));
}
public void ReallyLargeValidChainThrowsException()
{
var rootCert = Data.LoadCerts(
Data.ELEVEN_CERTS_ROOT_CERT).ToJavaCerts()[0];
var certsChain = Data.LoadCerts(
Data.ELEVEN_CERTS_CHAIN).ToJavaCerts();
// given a basic chain cleaner
var chainCleaner = GetChainCleaner(rootCert);
// when we clean a chain with more than 10 certs (inc root)
Assert.Throws <SSLPeerUnverifiedException>(() => chainCleaner.Clean(certsChain));
}
public void OriginalChainAllowedWhenHostNotChecked()
{
var ctv = GetCertVerifier(_includeRandom);
var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT);
var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single());
var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result;
Assert.IsTrue(result.Result == CtResult.DisabledForHost);
}
public void MitmDisallowedWhenHostChecked()
{
var ctv = GetCertVerifier(_includeBabylon);
var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT);
var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ATTACK_CHAIN);
var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single());
var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result;
Assert.IsTrue(result.Result == CtResult.NoScts);
}
public void CleaningOutOfOrderChainReturnsSuccessfully()
{
// when we clean a valid chain
var certsChain = Data.LoadCerts(
Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE,
Data.INTERMEDIATE_CA_CERT,
Data.PRE_CERT_SIGNING_BY_INTERMEDIATE);
var builtChain = CertificateChainBuilder.Build(certsChain);
// then the expected chain is returned
Assert.True(_expectedChain.SequenceEqual(builtChain));
}
public void LargeValidChainReturnsSuccessfully()
{
var rootCert = Data.LoadCerts(Data.TEN_CERTS_ROOT_CERT)[0];
var certsChain = Data.LoadCerts(Data.TEN_CERTS_CHAIN);
var builtChain = CertificateChainBuilder.Build(certsChain, rootCert);
var expected = certsChain.ToList();
expected.Add(rootCert);
// then the expected chain is returned
Assert.True(expected.SequenceEqual(builtChain));
}
public void UntrustedCertificateThrowsException()
{
var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ATTACK_CHAIN);
try
{
var certsChain = CertificateChainBuilder.Build(certsToCheck);
Assert.AreEqual(certsChain, null);
}
catch
{
Assert.IsTrue(true);
}
}
public void TrustedCertInMiddleOfChainReturnsSuccessfully()
{
var certsChain = Data.LoadCerts(
Data.TEN_CERTS_CHAIN).ToJavaCerts();
var trustedCert = certsChain[5];
// given a basic chain cleaner
var chainCleaner = GetChainCleaner(trustedCert);
// when we clean a chain of exactly 10 certs
var builtChain = chainCleaner.Clean(certsChain);
// then the expected chain is returned
Assert.True(certsChain.SequenceEqual(builtChain, new JavaX509CertificateEquality()));
}
internal static IList <X509Certificate2> Build(IEnumerable <X509Certificate2> chain, X509Certificate2 rootCert = null)
{
rootCert ??= Data.LoadCerts(Data.ROOT_CA_CERT).First();
var rootCerts = new[] { rootCert }.ToJavaCerts().ToArray();
var trustManager = new Moq.Mock <IX509TrustManager>();
trustManager.Setup(tm => tm.GetAcceptedIssuers())
.Returns(TrustManager.GetAcceptedIssuers().Concat(rootCerts).ToArray());
var chainBuilder = new CertificateChainCleaner(trustManager.Object);
var completeChain = chain.ToJavaCerts();
return(chainBuilder.Clean(completeChain).ToDotNetCerts());
}
public void TrustedSelfSignedRootCertReturnsSuccessfully()
{
var rootCert = Data.LoadCerts(
Data.SELF_SIGNED_ROOT_CERT).ToJavaCerts()[0];
// given a basic chain cleaner
var chainCleaner = GetChainCleaner(rootCert);
var certsChain = new[] { rootCert };
// when we clean a chain of the self-signed root cert
var builtChain = chainCleaner.Clean(certsChain);
// then the expected chain is returned
Assert.True(certsChain.SequenceEqual(builtChain, new JavaX509CertificateEquality()));
}
public void CleaningOutOfOrderChainReturnsSuccessfully()
{
// given a basic chain cleaner
var chainCleaner = GetChainCleaner();
// when we clean a valid chain
var certsChain = Data.LoadCerts(
Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE,
Data.INTERMEDIATE_CA_CERT,
Data.PRE_CERT_SIGNING_BY_INTERMEDIATE).ToJavaCerts();
var builtChain = chainCleaner.Clean(certsChain);
// then the expected chain is returned
Assert.True(_expectedChain.SequenceEqual(builtChain, new JavaX509CertificateEquality()));
}
public void OriginalChainDisallowedWhenOnlyOneSct()
{
var ctv = GetCertVerifier(_includeBabylon);
var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT);
var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single());
var certWithSingleSct = SingleSctOnly(certsChain.First());
certsChain.RemoveAt(0);
certsChain.Insert(0, certWithSingleSct);
var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result;
Assert.IsTrue(result.Result == CtResult.TooFewSctsTrusted);
}
public void LargeValidChainReturnsSuccessfully()
{
var rootCert = Data.LoadCerts(
Data.TEN_CERTS_ROOT_CERT).ToJavaCerts()[0];
var certsChain = Data.LoadCerts(
Data.TEN_CERTS_CHAIN).ToJavaCerts();
// given a basic chain cleaner
var chainCleaner = GetChainCleaner(rootCert);
// when we clean a chain of exactly 10 certs
var builtChain = chainCleaner.Clean(certsChain);
var expected = certsChain.ToList();
expected.Add(rootCert);
// then the expected chain is returned
Assert.True(expected.SequenceEqual(builtChain, new JavaX509CertificateEquality()));
}
internal static IList <X509Certificate2> Build(IEnumerable <X509Certificate2> chain, X509Certificate rootCert = null)
{
if (chain?.Any() != true)
{
return(null);
}
rootCert ??= Data.LoadCerts(Data.ROOT_CA_CERT).First();
var leaf = chain.First();
chain = chain.Skip(1);
using var chainBuilder = new X509Chain();
chainBuilder.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
chainBuilder.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
foreach (var c in chain)
{
chainBuilder.ChainPolicy.ExtraStore.Add(c);
}
chainBuilder.ChainPolicy.ExtraStore.Add(rootCert);
var isValidChain = chainBuilder.Build(leaf);
var builtChain = chainBuilder.ChainElements.OfType <X509ChainElement>().Select(i => i.Certificate).ToList();
isValidChain |= chainBuilder.ChainStatus.All(
s => s.Status == X509ChainStatusFlags.UntrustedRoot ||
s.Status == X509ChainStatusFlags.HasNotSupportedCriticalExtension ||
s.Status == X509ChainStatusFlags.InvalidExtension ||
s.Status == X509ChainStatusFlags.NotTimeValid ||
(s.Status == X509ChainStatusFlags.PartialChain && chain.Contains(rootCert)));
return(isValidChain || chain.Contains(rootCert)
? builtChain
: null);
}
