Example #1
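        // A chain made of a single certificate (the leaf, per the test name) with no
        // issuer and no trusted root supplied must not be accepted: Build is expected
        // to hand back null instead of a chain.
        // NOTE(review): the method name says "ThrowsException", but what is asserted is
        // a null result, not a thrown exception.
        public void CleaningChainWithOnlyLeafThrowsException()
        {
            // when we build a chain from the lone certificate
            var leafOnly = Data.LoadCerts(Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE);

            var builtChain = CertificateChainBuilder.Build(leafOnly);

            // then no chain is produced. Assert.IsNull states the intent directly and
            // avoids the swapped (actual, expected) order of the former AreEqual call.
            Assert.IsNull(builtChain);
        }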
Example #2
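        // Builds the eleven-certificate fixture chain against its root and checks that
        // the result holds more than ten certificates.
        // NOTE(review): the method name says this input should be rejected, yet the
        // assertion only passes when Build returns a chain longer than ten entries.
        // Confirm whether a maximum chain length is meant to be enforced here; an
        // unbounded chain length is a resource-exhaustion concern for a verifier.
        public void ReallyLargeValidChainThrowsException()
        {
            var rootCert   = Data.LoadCerts(Data.ELEVEN_CERTS_ROOT_CERT)[0];
            var certsChain = Data.LoadCerts(Data.ELEVEN_CERTS_CHAIN);

            var builtChain = CertificateChainBuilder.Build(certsChain, rootCert);

            // Sibling tests show Build returning null for rejected chains; fail with a
            // clear assertion instead of a NullReferenceException on .Count below.
            Assert.IsNotNull(builtChain);

            // when we clean a chain with more than 10 certs (inc root)
            Assert.IsTrue(builtChain.Count > 10);
        }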
Example #3
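        // A chain with a gap in it must not be accepted: with an issuing certificate
        // left out, Build is expected to return null rather than a partial chain.
        // NOTE(review): the method name says "ThrowsException", but what is asserted is
        // a null result, not a thrown exception.
        public void CleaningIncompleteChainThrowsException()
        {
            // when we clean a chain with missing certs (Data.PRE_CERT_SIGNING_BY_INTERMEDIATE
            // is the one omitted from this input)
            var incompleteChain = Data.LoadCerts(
                Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE,
                Data.INTERMEDIATE_CA_CERT);

            var builtChain = CertificateChainBuilder.Build(incompleteChain);

            // then no chain is produced. Assert.IsNull states the intent directly and
            // avoids the swapped (actual, expected) order of the former AreEqual call.
            Assert.IsNull(builtChain);
        }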
Example #4
        // A self-signed root that is also supplied as the trusted certificate should
        // come back from Build as a chain equal to the one-element input.
        public void TrustedSelfSignedRootCertReturnsSuccessfully()
        {
            // when the only certificate presented is the trusted self-signed root
            var selfSignedRoot = Data.LoadCerts(Data.SELF_SIGNED_ROOT_CERT)[0];
            var presented = new[] { selfSignedRoot };

            var builtChain = CertificateChainBuilder.Build(presented, selfSignedRoot);

            // then the built chain matches the presented one, element for element
            var chainsMatch = presented.SequenceEqual(builtChain);
            Assert.True(chainsMatch);
        }
Example #5
        // Uses a certificate from the middle of the ten-certificate fixture as the
        // trusted certificate and expects Build to return the whole input sequence.
        // NOTE(review): the assertion expects every entry of the input back, including
        // those after index 5; confirm that keeping certificates past the trusted one
        // is the intended behaviour.
        public void TrustedCertInMiddleOfChainReturnsSuccessfully()
        {
            // when the trusted certificate sits at index 5 of the presented chain
            var presented = Data.LoadCerts(Data.TEN_CERTS_CHAIN);
            var midChainAnchor = presented[5];

            var builtChain = CertificateChainBuilder.Build(presented, midChainAnchor);

            // then the built chain matches the presented one, element for element
            var chainsMatch = presented.SequenceEqual(builtChain);
            Assert.True(chainsMatch);
        }
Example #6
        // Feeds Build the three fixture certificates in the order given below (out of
        // order, per the test name) and expects the result to equal _expectedChain.
        public void CleaningOutOfOrderChainReturnsSuccessfully()
        {
            // when we clean a chain whose certificates are complete but unordered
            var shuffledChain = Data.LoadCerts(
                Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE,
                Data.INTERMEDIATE_CA_CERT,
                Data.PRE_CERT_SIGNING_BY_INTERMEDIATE);

            var builtChain = CertificateChainBuilder.Build(shuffledChain);

            // then the result matches the expected chain, element for element
            var chainsMatch = _expectedChain.SequenceEqual(builtChain);
            Assert.True(chainsMatch);
        }
Example #7
        // With a verifier built from _includeRandom, validating the original chain for
        // BabylonHealthCom is expected to report CtResult.DisabledForHost.
        // NOTE(review): presumably _includeRandom is an include-hosts list that does not
        // cover BabylonHealthCom - confirm against GetCertVerifier. A DisabledForHost
        // outcome presumably means no SCT evaluation took place, so it should not be
        // read as evidence that the certificate was logged.
        public void OriginalChainAllowedWhenHostNotChecked()
        {
            var verifier = GetCertVerifier(_includeRandom);

            // the mitmproxy root fixture is the trusted certificate for chain building
            var trustedRoot = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT).Single();
            var presented   = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
            var chain       = CertificateChainBuilder.Build(presented, trustedRoot);

            // .Result blocks until the asynchronous validation has finished
            var outcome = verifier.IsValidAsync(BabylonHealthCom, chain, default).Result;

            var hostWasSkipped = outcome.Result == CtResult.DisabledForHost;
            Assert.IsTrue(hostWasSkipped);
        }
Example #8
        // The interception (attack) chain builds successfully because the mitmproxy root
        // is passed in as trusted; the certificate-transparency check is the control
        // expected to reject it, reporting CtResult.NoScts for BabylonHealthCom.
        // NOTE(review): presumably _includeBabylon puts BabylonHealthCom in scope for
        // checking - confirm against GetCertVerifier.
        public void MitmDisallowedWhenHostChecked()
        {
            var verifier = GetCertVerifier(_includeBabylon);

            // chain building succeeds here by construction: the interception root is trusted
            var trustedRoot = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT).Single();
            var presented   = Data.LoadCerts(Data.TEST_MITMPROXY_ATTACK_CHAIN);
            var chain       = CertificateChainBuilder.Build(presented, trustedRoot);

            // .Result blocks until the asynchronous validation has finished
            var outcome = verifier.IsValidAsync(BabylonHealthCom, chain, default).Result;

            var rejectedForMissingScts = outcome.Result == CtResult.NoScts;
            Assert.IsTrue(rejectedForMissingScts);
        }
Example #9
        // Builds a verifier from the "*.*" pattern plus DisallowedRandomCom and expects
        // AllowedRandomCom to be checked and reported as CtResult.Trusted.
        // NOTE(review): presumably the first argument is the include list and the second
        // the exclude list - confirm against GetCertVerifier. Only the allowed host is
        // exercised in this method; the outcome for DisallowedRandomCom itself is not
        // asserted here.
        public void ExcludeHostsRuleOnlyBlocksSpecifiedSubdomainMatching()
        {
            var wildcardHosts   = new[] { "*.*" };
            var disallowedHosts = new[] { DisallowedRandomCom };
            var verifier        = GetCertVerifier(wildcardHosts, disallowedHosts);

            var trustedRoot = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT).Single();
            var presented   = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
            var chain       = CertificateChainBuilder.Build(presented, trustedRoot);

            // .Result blocks until the asynchronous validation has finished
            var outcome = verifier.IsValidAsync(AllowedRandomCom, chain, default).Result;

            var wasTrusted = outcome.Result == CtResult.Trusted;
            Assert.IsTrue(wasTrusted);
        }
Example #10
        // With a verifier built from _includeRandom, validating the original chain for
        // AllowedRandomCom is expected to report CtResult.Trusted.
        // NOTE(review): presumably _includeRandom holds a pattern that matches
        // AllowedRandomCom as a subdomain - confirm against the field's definition.
        public void IncludeHostsRuleMatchesSubdomain()
        {
            var verifier = GetCertVerifier(_includeRandom);

            var trustedRoot = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT).Single();
            var presented   = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
            var chain       = CertificateChainBuilder.Build(presented, trustedRoot);

            // .Result blocks until the asynchronous validation has finished
            var outcome = verifier.IsValidAsync(AllowedRandomCom, chain, default).Result;

            var wasTrusted = outcome.Result == CtResult.Trusted;
            Assert.IsTrue(wasTrusted);
        }
Example #11
        // With a verifier obtained from GetCertVerifierNoLogs, even the original chain is
        // expected to fail for BabylonHealthCom with CtResult.LogServersFailed.
        // NOTE(review): this looks like the fail-closed case, where an unavailable log
        // list leads to rejection rather than acceptance - confirm against
        // GetCertVerifierNoLogs.
        public void OriginalChainDisallowedWhenNullLogs()
        {
            var verifier = GetCertVerifierNoLogs(_includeBabylon);

            var trustedRoot = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT).Single();
            var presented   = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
            var chain       = CertificateChainBuilder.Build(presented, trustedRoot);

            // .Result blocks until the asynchronous validation has finished
            var outcome = verifier.IsValidAsync(BabylonHealthCom, chain, default).Result;

            var failedOnLogServers = outcome.Result == CtResult.LogServersFailed;
            Assert.IsTrue(failedOnLogServers);
        }
Example #12
        // Builds the ten-certificate fixture chain against its root and expects the
        // result to be the input chain followed by that root.
        public void LargeValidChainReturnsSuccessfully()
        {
            // when a ten-certificate chain is built against its trusted root
            var trustedRoot = Data.LoadCerts(Data.TEN_CERTS_ROOT_CERT)[0];
            var presented   = Data.LoadCerts(Data.TEN_CERTS_CHAIN);

            var builtChain = CertificateChainBuilder.Build(presented, trustedRoot);

            // then the result is the presented certificates with the root appended last
            var presentedPlusRoot = presented.Concat(new[] { trustedRoot });
            Assert.True(presentedPlusRoot.SequenceEqual(builtChain));
        }
Example #13
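        // The mitmproxy attack chain, built without any explicitly trusted certificate,
        // must be rejected. Rejection may surface either as a null result or as an
        // exception thrown by Build; both are accepted.
        public void UntrustedCertificateThrowsException()
        {
            var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ATTACK_CHAIN);

            bool rejected;
            try
            {
                // Only the Build call sits inside the try. The assertion used to be in
                // here too, so the bare catch could swallow an assertion failure and the
                // test could pass even when the attack chain was accepted.
                rejected = CertificateChainBuilder.Build(certsToCheck) == null;
            }
            catch
            {
                // Build threw: the chain was not accepted.
                rejected = true;
            }

            Assert.IsTrue(rejected, "Build returned a chain for the untrusted attack certificates");
        }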
Example #14
        // Replaces the first certificate of the built original chain with the output of
        // SingleSctOnly and expects validation for BabylonHealthCom to report
        // CtResult.TooFewSctsTrusted.
        // NOTE(review): presumably SingleSctOnly returns a copy of the certificate that
        // carries just one SCT - confirm against the helper.
        public void OriginalChainDisallowedWhenOnlyOneSct()
        {
            var verifier = GetCertVerifier(_includeBabylon);

            var trustedRoot = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT).Single();
            var presented   = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN);
            var chain       = CertificateChainBuilder.Build(presented, trustedRoot);

            // swap the first certificate for its single-SCT variant, keeping position 0
            var firstWithOneSct = SingleSctOnly(chain.First());
            chain.RemoveAt(0);
            chain.Insert(0, firstWithOneSct);

            // .Result blocks until the asynchronous validation has finished
            var outcome = verifier.IsValidAsync(BabylonHealthCom, chain, default).Result;

            var tooFewScts = outcome.Result == CtResult.TooFewSctsTrusted;
            Assert.IsTrue(tooFewScts);
        }