public void Should_Revoke_SSL_Certificate_When_Request_Signed_With_Issuer_Private_Key()
{
{
string rootCertFilePath = "../../../test-data/certs/test-ca/Test-Root-CA-RSA-2048.cer";
byte[] rootCertEncoded = File.ReadAllBytes(rootCertFilePath);
byte[] rootCertDigest = DigestUtilities.CalculateDigest("SHA_256", rootCertEncoded);
byte[] requestSignature = SignUtil.generateAddTrustedRootCAOperationRequestSignature(rootCertEncoded);
bool result =
RootCaCertificateHandler.AddTrustedRootCaCertificate(rootCertDigest, rootCertEncoded,
requestSignature);
Assert.True(result);
}
{
string subCaCertFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.cer";
byte[] subCaCertEncoded = File.ReadAllBytes(subCaCertFilePath);
byte[] subCaCertificateHash = DigestUtilities.CalculateDigest("SHA_256", subCaCertEncoded);
byte[] subCaAddRequestSignature = null;
bool result = SubCaCertificateHandler.AddSubCaCertificate(subCaCertificateHash, subCaCertEncoded,
subCaAddRequestSignature);
Assert.True(result);
}
string sSLCertFilePath = "../../../test-data/certs/test-ca/Test-SSL-RSA-2048.cer";
byte[] sSLCertEncoded = File.ReadAllBytes(sSLCertFilePath);
byte[] sSLCertHash = DigestUtilities.CalculateDigest("SHA_256", sSLCertEncoded);
bool sslCertAddResult = SslCertificateHandler.AddSslCertificate(sSLCertHash, sSLCertEncoded);
Assert.True(sslCertAddResult);
string sSLCertIssuerPkcs8PrivateKeyFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.pk8";
byte[] revokeSSLCertificateRequestSignature =
SignUtil.generateRevokeSSLCertificateOperationRequestRSAPSSSignature(sSLCertEncoded,
sSLCertIssuerPkcs8PrivateKeyFilePath);
Certificate sslCertificate = CertificateParser.Parse(sSLCertEncoded);
bool revokeSSLCertificateResult = SslCertificateHandler.RevokeSslCertificate(sSLCertHash, sSLCertEncoded,
revokeSSLCertificateRequestSignature);
Assert.True(revokeSSLCertificateResult);
byte[] sSLCertificateEntryByte = StorageUtil.readFromStorage(sSLCertHash);
EndEntityCertificateEntry sSLCertificateEntry =
(EndEntityCertificateEntry)SerializationUtil.Deserialize(sSLCertificateEntryByte);
Assert.True(sSLCertificateEntry.IsRevoked);
Assert.Equal(sSLCertificateEntry.CertificateValue, sSLCertEncoded);
}
private static void LogSSLCertificateWithCertificateHashValue(byte[] certificateHash)
{
byte[] certificateEnrtySerialized = StorageUtil.readFromStorage(certificateHash);
if (certificateEnrtySerialized != null)
{
EndEntityCertificateEntry endEntityCertificateEntry =
(EndEntityCertificateEntry)SerializationUtil.Deserialize(certificateEnrtySerialized);
Logger.log("SSL Certificate Exists in Storage");
Logger.log("IsRevoked: ", endEntityCertificateEntry.IsRevoked);
Logger.log(endEntityCertificateEntry.CertificateValue);
}
else
{
Logger.log("SSL Certificate Not Exists in Storage");
}
}
public void Should_Add_SSL_Certificate()
{
{
string rootCertFilePath = "../../../test-data/certs/test-ca/Test-Root-CA-RSA-2048.cer";
byte[] rootCertEncoded = File.ReadAllBytes(rootCertFilePath);
byte[] rootCertDigest = DigestUtilities.CalculateDigest("SHA_256", rootCertEncoded);
byte[] requestSignature = SignUtil.generateAddTrustedRootCAOperationRequestSignature(rootCertEncoded);
bool result =
RootCaCertificateHandler.AddTrustedRootCaCertificate(rootCertDigest, rootCertEncoded,
requestSignature);
Assert.True(result);
}
{
string subCaCertFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.cer";
byte[] subCaCertEncoded = File.ReadAllBytes(subCaCertFilePath);
byte[] subCaCertificateHash = DigestUtilities.CalculateDigest("SHA_256", subCaCertEncoded);
byte[] subCaAddRequestSignature = null;
bool result = SubCaCertificateHandler.AddSubCaCertificate(subCaCertificateHash, subCaCertEncoded,
subCaAddRequestSignature);
Assert.True(result);
}
string sSLCertFilePath = "../../../test-data/certs/test-ca/Test-SSL-RSA-2048.cer";
byte[] sSLCertEncoded = File.ReadAllBytes(sSLCertFilePath);
byte[] sSLCertHash = DigestUtilities.CalculateDigest("SHA_256", sSLCertEncoded);
bool sslCertAddResult = SslCertificateHandler.AddSslCertificate(sSLCertHash, sSLCertEncoded);
Assert.True(sslCertAddResult);
Certificate sslCertificate = CertificateParser.Parse(sSLCertEncoded);
byte[] sSLCertificateEntryByte = StorageUtil.readFromStorage(sSLCertHash);
EndEntityCertificateEntry sSLCertificateEntry =
(EndEntityCertificateEntry)SerializationUtil.Deserialize(sSLCertificateEntryByte);
Assert.False(sSLCertificateEntry.IsRevoked);
Assert.Equal(sSLCertificateEntry.CertificateValue, sSLCertEncoded);
//Is Added To Issuer list
{
byte[] storageKey = ArrayUtil.Concat(CertificateStorageManager.ELEMENT_LIST,
sslCertificate.AuthorityKeyIdentifier.keyIdentifier);
byte[] certHashMapEntrySerialized = StorageUtil.readFromStorage(storageKey);
Assert.True(certHashMapEntrySerialized != null);
CertificateHashMapEntry certHashMapEntry =
(CertificateHashMapEntry)SerializationUtil.Deserialize(certHashMapEntrySerialized);
Assert.True(certHashMapEntry.certificateHashArray != null);
Assert.True(certHashMapEntry.certificateHashArray.Length == 1);
byte[] subjectKeyIdCertificateHashEntrySerialized = certHashMapEntry.certificateHashArray[0];
CertificateHashEntry subjectKeyIdCertificateHashEntry =
(CertificateHashEntry)SerializationUtil.Deserialize(subjectKeyIdCertificateHashEntrySerialized);
Assert.Equal(subjectKeyIdCertificateHashEntry.CertificateHash, sSLCertHash);
Assert.False(subjectKeyIdCertificateHashEntry.IsCa);
}
//Domain Name List - Common Name
{
byte[] certHashMapEntrySerialized =
StorageUtil.readFromStorage(HexUtil.HexStringToByteArray("6f6e742e696f"));
Assert.True(certHashMapEntrySerialized != null);
CertificateHashMapEntry certHashMapEntry =
(CertificateHashMapEntry)SerializationUtil.Deserialize(certHashMapEntrySerialized);
Assert.True(certHashMapEntry.certificateHashArray != null);
Assert.True(certHashMapEntry.certificateHashArray.Length == 1);
byte[] subjectKeyIdCertificateHashEntrySerialized = certHashMapEntry.certificateHashArray[0];
CertificateHashEntry subjectKeyIdCertificateHashEntry =
(CertificateHashEntry)SerializationUtil.Deserialize(subjectKeyIdCertificateHashEntrySerialized);
Assert.Equal(subjectKeyIdCertificateHashEntry.CertificateHash, sSLCertHash);
Assert.False(subjectKeyIdCertificateHashEntry.IsCa);
}
//Domain Name List - Subject Alternative Name
{
byte[] certHashMapEntrySerialized =
StorageUtil.readFromStorage(HexUtil.HexStringToByteArray("7777772e6f6e742e696f"));
Assert.True(certHashMapEntrySerialized != null);
CertificateHashMapEntry certHashMapEntry =
(CertificateHashMapEntry)SerializationUtil.Deserialize(certHashMapEntrySerialized);
Assert.True(certHashMapEntry.certificateHashArray != null);
Assert.True(certHashMapEntry.certificateHashArray.Length == 1);
byte[] subjectKeyIdCertificateHashEntrySerialized = certHashMapEntry.certificateHashArray[0];
CertificateHashEntry subjectKeyIdCertificateHashEntry =
(CertificateHashEntry)SerializationUtil.Deserialize(subjectKeyIdCertificateHashEntrySerialized);
Assert.Equal(subjectKeyIdCertificateHashEntry.CertificateHash, sSLCertHash);
Assert.False(subjectKeyIdCertificateHashEntry.IsCa);
}
}
public static bool ReportFraud(byte[] fraudId, byte[] fakeButValidCertificateBytes,
byte[] fakeButValidCertificateHash,
byte[] signerCertificateBytes, byte[] signerCertificateBytesHash, byte[] signature)
{
Certificate fakeButValidCertificate = CertificateParser.Parse(fakeButValidCertificateBytes);
if (!fakeButValidCertificate.IsLoaded)
{
Logger.log("Can not parse Fake But Valid SSL Certificate");
return(false);
}
EndEntityCertificateEntry fakeButValidCertificateEntry =
CertificateStorageManager.RetrieveEndEntityCertificateFromStorage(fakeButValidCertificateHash);
if (fakeButValidCertificateEntry.CertificateValue == null)
{
Logger.log("Can not find Fake But Valid SSL Certificate");
return(false);
}
if (fakeButValidCertificateEntry.IsRevoked)
{
Logger.log("Fake But Valid SSL Certificate is revoked before");
return(false);
}
Certificate signerCertificate = CertificateParser.Parse(signerCertificateBytes);
if (!signerCertificate.IsLoaded)
{
Logger.log("Can not parse Signer Certificate");
return(false);
}
var signerCertificateContainFakeButValidCertificateDnsEntry =
checkDnsValues(fakeButValidCertificate, signerCertificate);
if (!signerCertificateContainFakeButValidCertificateDnsEntry)
{
Logger.log("Signer Certificate Does not contain required DNS value");
return(false);
}
Logger.log("Starting Validate Signature For Report Fraud Request");
bool signatureValidationResult =
SignatureValidator.CheckReportFraudRequestSignature(signature, fakeButValidCertificate,
signerCertificate);
if (!signatureValidationResult)
{
Logger.log("Report Fraud Request signature Invalid");
return(false);
}
Logger.log("Validated Signature For Report Fraud Request");
FraudStorageManager.AddFraudReportToStorage(fraudId, signerCertificateBytes, fakeButValidCertificateHash);
//todo: add fraud notification after log infrastructure fixed
return(true);
}
public void Should_UnTrusted_Root_Certificate()
{
string rootCertFilePath = "../../../test-data/certs/test-ca/Test-Root-CA-RSA-2048.cer";
byte[] rootCertEncoded = File.ReadAllBytes(rootCertFilePath);
byte[] rootCertDigest = DigestUtilities.CalculateDigest("SHA_256", rootCertEncoded);
byte[] requestSignature = SignUtil.generateAddTrustedRootCAOperationRequestSignature(rootCertEncoded);
bool result =
RootCaCertificateHandler.AddTrustedRootCaCertificate(rootCertDigest, rootCertEncoded, requestSignature);
Assert.True(result);
Certificate rootCertificate = CertificateParser.Parse(rootCertEncoded);
byte[] rootCACertificateEntryByte = StorageUtil.readFromStorage(rootCertDigest);
CaCertificateEntry caCertificateEntry =
(CaCertificateEntry)SerializationUtil.Deserialize(rootCACertificateEntryByte);
Assert.True(caCertificateEntry.IsTrusted);
Assert.False(caCertificateEntry.IsRevoked);
Assert.Equal(caCertificateEntry.CertificateValue, rootCertEncoded);
byte[] cACertificateSubjectKeyIdEntrySerialized =
StorageUtil.readFromStorage(rootCertificate.SubjectKeyIdentifier.keyIdentifier);
CaCertificateSubjectKeyIdEntry cACertificateSubjectKeyIdEntry =
(CaCertificateSubjectKeyIdEntry)SerializationUtil.Deserialize(
cACertificateSubjectKeyIdEntrySerialized);
Assert.True(cACertificateSubjectKeyIdEntry.IsRootCa);
Assert.Equal(cACertificateSubjectKeyIdEntry.CertificateHash, rootCertDigest);
byte[] certificateHashMapEntrySerialized =
StorageUtil.readFromStorage(CertificateStorageManager.TRUSTED_ROOT_CA_LIST_STORAGE_KEY);
CertificateHashMapEntry trustedRootCAListHashMapEntry =
(CertificateHashMapEntry)SerializationUtil.Deserialize(certificateHashMapEntrySerialized);
Assert.Equal(1, trustedRootCAListHashMapEntry.certificateHashArray.Length);
byte[] certificateHashEntrySerialized = trustedRootCAListHashMapEntry.certificateHashArray[0];
CertificateHashEntry certificateHashEntry =
(CertificateHashEntry)SerializationUtil.Deserialize(certificateHashEntrySerialized);
Assert.True(certificateHashEntry.IsCa);
Assert.Equal(rootCertDigest, certificateHashEntry.CertificateHash);
string subCaCertFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.cer";
byte[] subCaCertEncoded = File.ReadAllBytes(subCaCertFilePath);
byte[] subCaCertificateHash = DigestUtilities.CalculateDigest("SHA_256", subCaCertEncoded);
byte[] subCaAddRequestSignature = null;
result = SubCaCertificateHandler.AddSubCaCertificate(subCaCertificateHash, subCaCertEncoded,
subCaAddRequestSignature);
Assert.True(result);
string sSLCertFilePath = "../../../test-data/certs/test-ca/Test-SSL-RSA-2048.cer";
byte[] sSLCertEncoded = File.ReadAllBytes(sSLCertFilePath);
byte[] sSLCertHash = DigestUtilities.CalculateDigest("SHA_256", sSLCertEncoded);
bool sslCertAddResult = SslCertificateHandler.AddSslCertificate(sSLCertHash, sSLCertEncoded);
Assert.True(sslCertAddResult);
byte[] subCaCertificateEntryBytes = StorageUtil.readFromStorage(subCaCertificateHash);
CaCertificateEntry subCaCertificateEntry =
(CaCertificateEntry)SerializationUtil.Deserialize(subCaCertificateEntryBytes);
Assert.False(subCaCertificateEntry.IsTrusted);
Assert.False(subCaCertificateEntry.IsRevoked);
byte[] endEntityCertificateEntrySerialized = StorageUtil.readFromStorage(sSLCertHash);
EndEntityCertificateEntry endEntityCertificateEntry =
(EndEntityCertificateEntry)SerializationUtil.Deserialize(endEntityCertificateEntrySerialized);
Assert.False(endEntityCertificateEntry.IsRevoked);
requestSignature = SignUtil.generateUntrustRootCAOperationRequestSignature(rootCertEncoded);
result = RootCaCertificateHandler.UntrustRootCaCertificate(rootCertDigest, rootCertEncoded,
requestSignature);
Assert.True(result);
rootCACertificateEntryByte = StorageUtil.readFromStorage(rootCertDigest);
caCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(rootCACertificateEntryByte);
Assert.False(caCertificateEntry.IsTrusted);
Assert.False(caCertificateEntry.IsRevoked);
subCaCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(rootCACertificateEntryByte);
Assert.False(subCaCertificateEntry.IsTrusted);
subCaCertificateEntryBytes = StorageUtil.readFromStorage(subCaCertificateHash);
subCaCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(subCaCertificateEntryBytes);
Assert.True(subCaCertificateEntry.IsRevoked);
endEntityCertificateEntrySerialized = StorageUtil.readFromStorage(sSLCertHash);
endEntityCertificateEntry =
(EndEntityCertificateEntry)SerializationUtil.Deserialize(endEntityCertificateEntrySerialized);
Assert.True(endEntityCertificateEntry.IsRevoked);
}
