public void Should_Revoke_SSL_Certificate_When_Request_Signed_With_Issuer_Private_Key() { { string rootCertFilePath = "../../../test-data/certs/test-ca/Test-Root-CA-RSA-2048.cer"; byte[] rootCertEncoded = File.ReadAllBytes(rootCertFilePath); byte[] rootCertDigest = DigestUtilities.CalculateDigest("SHA_256", rootCertEncoded); byte[] requestSignature = SignUtil.generateAddTrustedRootCAOperationRequestSignature(rootCertEncoded); bool result = RootCaCertificateHandler.AddTrustedRootCaCertificate(rootCertDigest, rootCertEncoded, requestSignature); Assert.True(result); } { string subCaCertFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.cer"; byte[] subCaCertEncoded = File.ReadAllBytes(subCaCertFilePath); byte[] subCaCertificateHash = DigestUtilities.CalculateDigest("SHA_256", subCaCertEncoded); byte[] subCaAddRequestSignature = null; bool result = SubCaCertificateHandler.AddSubCaCertificate(subCaCertificateHash, subCaCertEncoded, subCaAddRequestSignature); Assert.True(result); } string sSLCertFilePath = "../../../test-data/certs/test-ca/Test-SSL-RSA-2048.cer"; byte[] sSLCertEncoded = File.ReadAllBytes(sSLCertFilePath); byte[] sSLCertHash = DigestUtilities.CalculateDigest("SHA_256", sSLCertEncoded); bool sslCertAddResult = SslCertificateHandler.AddSslCertificate(sSLCertHash, sSLCertEncoded); Assert.True(sslCertAddResult); string sSLCertIssuerPkcs8PrivateKeyFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.pk8"; byte[] revokeSSLCertificateRequestSignature = SignUtil.generateRevokeSSLCertificateOperationRequestRSAPSSSignature(sSLCertEncoded, sSLCertIssuerPkcs8PrivateKeyFilePath); Certificate sslCertificate = CertificateParser.Parse(sSLCertEncoded); bool revokeSSLCertificateResult = SslCertificateHandler.RevokeSslCertificate(sSLCertHash, sSLCertEncoded, revokeSSLCertificateRequestSignature); Assert.True(revokeSSLCertificateResult); byte[] sSLCertificateEntryByte = StorageUtil.readFromStorage(sSLCertHash); EndEntityCertificateEntry sSLCertificateEntry = (EndEntityCertificateEntry)SerializationUtil.Deserialize(sSLCertificateEntryByte); Assert.True(sSLCertificateEntry.IsRevoked); Assert.Equal(sSLCertificateEntry.CertificateValue, sSLCertEncoded); }
private static void LogSSLCertificateWithCertificateHashValue(byte[] certificateHash) { byte[] certificateEnrtySerialized = StorageUtil.readFromStorage(certificateHash); if (certificateEnrtySerialized != null) { EndEntityCertificateEntry endEntityCertificateEntry = (EndEntityCertificateEntry)SerializationUtil.Deserialize(certificateEnrtySerialized); Logger.log("SSL Certificate Exists in Storage"); Logger.log("IsRevoked: ", endEntityCertificateEntry.IsRevoked); Logger.log(endEntityCertificateEntry.CertificateValue); } else { Logger.log("SSL Certificate Not Exists in Storage"); } }
public void Should_Add_SSL_Certificate() { { string rootCertFilePath = "../../../test-data/certs/test-ca/Test-Root-CA-RSA-2048.cer"; byte[] rootCertEncoded = File.ReadAllBytes(rootCertFilePath); byte[] rootCertDigest = DigestUtilities.CalculateDigest("SHA_256", rootCertEncoded); byte[] requestSignature = SignUtil.generateAddTrustedRootCAOperationRequestSignature(rootCertEncoded); bool result = RootCaCertificateHandler.AddTrustedRootCaCertificate(rootCertDigest, rootCertEncoded, requestSignature); Assert.True(result); } { string subCaCertFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.cer"; byte[] subCaCertEncoded = File.ReadAllBytes(subCaCertFilePath); byte[] subCaCertificateHash = DigestUtilities.CalculateDigest("SHA_256", subCaCertEncoded); byte[] subCaAddRequestSignature = null; bool result = SubCaCertificateHandler.AddSubCaCertificate(subCaCertificateHash, subCaCertEncoded, subCaAddRequestSignature); Assert.True(result); } string sSLCertFilePath = "../../../test-data/certs/test-ca/Test-SSL-RSA-2048.cer"; byte[] sSLCertEncoded = File.ReadAllBytes(sSLCertFilePath); byte[] sSLCertHash = DigestUtilities.CalculateDigest("SHA_256", sSLCertEncoded); bool sslCertAddResult = SslCertificateHandler.AddSslCertificate(sSLCertHash, sSLCertEncoded); Assert.True(sslCertAddResult); Certificate sslCertificate = CertificateParser.Parse(sSLCertEncoded); byte[] sSLCertificateEntryByte = StorageUtil.readFromStorage(sSLCertHash); EndEntityCertificateEntry sSLCertificateEntry = (EndEntityCertificateEntry)SerializationUtil.Deserialize(sSLCertificateEntryByte); Assert.False(sSLCertificateEntry.IsRevoked); Assert.Equal(sSLCertificateEntry.CertificateValue, sSLCertEncoded); //Is Added To Issuer list { byte[] storageKey = ArrayUtil.Concat(CertificateStorageManager.ELEMENT_LIST, sslCertificate.AuthorityKeyIdentifier.keyIdentifier); byte[] certHashMapEntrySerialized = StorageUtil.readFromStorage(storageKey); Assert.True(certHashMapEntrySerialized != null); CertificateHashMapEntry certHashMapEntry = (CertificateHashMapEntry)SerializationUtil.Deserialize(certHashMapEntrySerialized); Assert.True(certHashMapEntry.certificateHashArray != null); Assert.True(certHashMapEntry.certificateHashArray.Length == 1); byte[] subjectKeyIdCertificateHashEntrySerialized = certHashMapEntry.certificateHashArray[0]; CertificateHashEntry subjectKeyIdCertificateHashEntry = (CertificateHashEntry)SerializationUtil.Deserialize(subjectKeyIdCertificateHashEntrySerialized); Assert.Equal(subjectKeyIdCertificateHashEntry.CertificateHash, sSLCertHash); Assert.False(subjectKeyIdCertificateHashEntry.IsCa); } //Domain Name List - Common Name { byte[] certHashMapEntrySerialized = StorageUtil.readFromStorage(HexUtil.HexStringToByteArray("6f6e742e696f")); Assert.True(certHashMapEntrySerialized != null); CertificateHashMapEntry certHashMapEntry = (CertificateHashMapEntry)SerializationUtil.Deserialize(certHashMapEntrySerialized); Assert.True(certHashMapEntry.certificateHashArray != null); Assert.True(certHashMapEntry.certificateHashArray.Length == 1); byte[] subjectKeyIdCertificateHashEntrySerialized = certHashMapEntry.certificateHashArray[0]; CertificateHashEntry subjectKeyIdCertificateHashEntry = (CertificateHashEntry)SerializationUtil.Deserialize(subjectKeyIdCertificateHashEntrySerialized); Assert.Equal(subjectKeyIdCertificateHashEntry.CertificateHash, sSLCertHash); Assert.False(subjectKeyIdCertificateHashEntry.IsCa); } //Domain Name List - Subject Alternative Name { byte[] certHashMapEntrySerialized = StorageUtil.readFromStorage(HexUtil.HexStringToByteArray("7777772e6f6e742e696f")); Assert.True(certHashMapEntrySerialized != null); CertificateHashMapEntry certHashMapEntry = (CertificateHashMapEntry)SerializationUtil.Deserialize(certHashMapEntrySerialized); Assert.True(certHashMapEntry.certificateHashArray != null); Assert.True(certHashMapEntry.certificateHashArray.Length == 1); byte[] subjectKeyIdCertificateHashEntrySerialized = certHashMapEntry.certificateHashArray[0]; CertificateHashEntry subjectKeyIdCertificateHashEntry = (CertificateHashEntry)SerializationUtil.Deserialize(subjectKeyIdCertificateHashEntrySerialized); Assert.Equal(subjectKeyIdCertificateHashEntry.CertificateHash, sSLCertHash); Assert.False(subjectKeyIdCertificateHashEntry.IsCa); } }
public static bool ReportFraud(byte[] fraudId, byte[] fakeButValidCertificateBytes, byte[] fakeButValidCertificateHash, byte[] signerCertificateBytes, byte[] signerCertificateBytesHash, byte[] signature) { Certificate fakeButValidCertificate = CertificateParser.Parse(fakeButValidCertificateBytes); if (!fakeButValidCertificate.IsLoaded) { Logger.log("Can not parse Fake But Valid SSL Certificate"); return(false); } EndEntityCertificateEntry fakeButValidCertificateEntry = CertificateStorageManager.RetrieveEndEntityCertificateFromStorage(fakeButValidCertificateHash); if (fakeButValidCertificateEntry.CertificateValue == null) { Logger.log("Can not find Fake But Valid SSL Certificate"); return(false); } if (fakeButValidCertificateEntry.IsRevoked) { Logger.log("Fake But Valid SSL Certificate is revoked before"); return(false); } Certificate signerCertificate = CertificateParser.Parse(signerCertificateBytes); if (!signerCertificate.IsLoaded) { Logger.log("Can not parse Signer Certificate"); return(false); } var signerCertificateContainFakeButValidCertificateDnsEntry = checkDnsValues(fakeButValidCertificate, signerCertificate); if (!signerCertificateContainFakeButValidCertificateDnsEntry) { Logger.log("Signer Certificate Does not contain required DNS value"); return(false); } Logger.log("Starting Validate Signature For Report Fraud Request"); bool signatureValidationResult = SignatureValidator.CheckReportFraudRequestSignature(signature, fakeButValidCertificate, signerCertificate); if (!signatureValidationResult) { Logger.log("Report Fraud Request signature Invalid"); return(false); } Logger.log("Validated Signature For Report Fraud Request"); FraudStorageManager.AddFraudReportToStorage(fraudId, signerCertificateBytes, fakeButValidCertificateHash); //todo: add fraud notification after log infrastructure fixed return(true); }
public void Should_UnTrusted_Root_Certificate() { string rootCertFilePath = "../../../test-data/certs/test-ca/Test-Root-CA-RSA-2048.cer"; byte[] rootCertEncoded = File.ReadAllBytes(rootCertFilePath); byte[] rootCertDigest = DigestUtilities.CalculateDigest("SHA_256", rootCertEncoded); byte[] requestSignature = SignUtil.generateAddTrustedRootCAOperationRequestSignature(rootCertEncoded); bool result = RootCaCertificateHandler.AddTrustedRootCaCertificate(rootCertDigest, rootCertEncoded, requestSignature); Assert.True(result); Certificate rootCertificate = CertificateParser.Parse(rootCertEncoded); byte[] rootCACertificateEntryByte = StorageUtil.readFromStorage(rootCertDigest); CaCertificateEntry caCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(rootCACertificateEntryByte); Assert.True(caCertificateEntry.IsTrusted); Assert.False(caCertificateEntry.IsRevoked); Assert.Equal(caCertificateEntry.CertificateValue, rootCertEncoded); byte[] cACertificateSubjectKeyIdEntrySerialized = StorageUtil.readFromStorage(rootCertificate.SubjectKeyIdentifier.keyIdentifier); CaCertificateSubjectKeyIdEntry cACertificateSubjectKeyIdEntry = (CaCertificateSubjectKeyIdEntry)SerializationUtil.Deserialize( cACertificateSubjectKeyIdEntrySerialized); Assert.True(cACertificateSubjectKeyIdEntry.IsRootCa); Assert.Equal(cACertificateSubjectKeyIdEntry.CertificateHash, rootCertDigest); byte[] certificateHashMapEntrySerialized = StorageUtil.readFromStorage(CertificateStorageManager.TRUSTED_ROOT_CA_LIST_STORAGE_KEY); CertificateHashMapEntry trustedRootCAListHashMapEntry = (CertificateHashMapEntry)SerializationUtil.Deserialize(certificateHashMapEntrySerialized); Assert.Equal(1, trustedRootCAListHashMapEntry.certificateHashArray.Length); byte[] certificateHashEntrySerialized = trustedRootCAListHashMapEntry.certificateHashArray[0]; CertificateHashEntry certificateHashEntry = (CertificateHashEntry)SerializationUtil.Deserialize(certificateHashEntrySerialized); Assert.True(certificateHashEntry.IsCa); Assert.Equal(rootCertDigest, certificateHashEntry.CertificateHash); string subCaCertFilePath = "../../../test-data/certs/test-ca/Test-Sub-CA-RSA-2048.cer"; byte[] subCaCertEncoded = File.ReadAllBytes(subCaCertFilePath); byte[] subCaCertificateHash = DigestUtilities.CalculateDigest("SHA_256", subCaCertEncoded); byte[] subCaAddRequestSignature = null; result = SubCaCertificateHandler.AddSubCaCertificate(subCaCertificateHash, subCaCertEncoded, subCaAddRequestSignature); Assert.True(result); string sSLCertFilePath = "../../../test-data/certs/test-ca/Test-SSL-RSA-2048.cer"; byte[] sSLCertEncoded = File.ReadAllBytes(sSLCertFilePath); byte[] sSLCertHash = DigestUtilities.CalculateDigest("SHA_256", sSLCertEncoded); bool sslCertAddResult = SslCertificateHandler.AddSslCertificate(sSLCertHash, sSLCertEncoded); Assert.True(sslCertAddResult); byte[] subCaCertificateEntryBytes = StorageUtil.readFromStorage(subCaCertificateHash); CaCertificateEntry subCaCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(subCaCertificateEntryBytes); Assert.False(subCaCertificateEntry.IsTrusted); Assert.False(subCaCertificateEntry.IsRevoked); byte[] endEntityCertificateEntrySerialized = StorageUtil.readFromStorage(sSLCertHash); EndEntityCertificateEntry endEntityCertificateEntry = (EndEntityCertificateEntry)SerializationUtil.Deserialize(endEntityCertificateEntrySerialized); Assert.False(endEntityCertificateEntry.IsRevoked); requestSignature = SignUtil.generateUntrustRootCAOperationRequestSignature(rootCertEncoded); result = RootCaCertificateHandler.UntrustRootCaCertificate(rootCertDigest, rootCertEncoded, requestSignature); Assert.True(result); rootCACertificateEntryByte = StorageUtil.readFromStorage(rootCertDigest); caCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(rootCACertificateEntryByte); Assert.False(caCertificateEntry.IsTrusted); Assert.False(caCertificateEntry.IsRevoked); subCaCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(rootCACertificateEntryByte); Assert.False(subCaCertificateEntry.IsTrusted); subCaCertificateEntryBytes = StorageUtil.readFromStorage(subCaCertificateHash); subCaCertificateEntry = (CaCertificateEntry)SerializationUtil.Deserialize(subCaCertificateEntryBytes); Assert.True(subCaCertificateEntry.IsRevoked); endEntityCertificateEntrySerialized = StorageUtil.readFromStorage(sSLCertHash); endEntityCertificateEntry = (EndEntityCertificateEntry)SerializationUtil.Deserialize(endEntityCertificateEntrySerialized); Assert.True(endEntityCertificateEntry.IsRevoked); }