public void CleaningChainWithOnlyLeafThrowsException() { // when we clean a valid chain var certsChain = Data.LoadCerts(Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE); var builtChain = CertificateChainBuilder.Build(certsChain); Assert.AreEqual(builtChain, null); }
public void ReallyLargeValidChainThrowsException() { var rootCert = Data.LoadCerts(Data.ELEVEN_CERTS_ROOT_CERT)[0]; var certsChain = Data.LoadCerts(Data.ELEVEN_CERTS_CHAIN); var builtChain = CertificateChainBuilder.Build(certsChain, rootCert); // when we clean a chain with more than 10 certs (inc root) Assert.IsTrue(builtChain.Count > 10); }
public void TrustedCertInMiddleOfChainReturnsSuccessfully() { var certsChain = Data.LoadCerts( Data.TEN_CERTS_CHAIN); var trustedCert = certsChain[5]; var builtChain = CertificateChainBuilder.Build(certsChain, trustedCert); // then the expected chain is returned Assert.True(certsChain.SequenceEqual(builtChain)); }
public void TrustedSelfSignedRootCertReturnsSuccessfully() { var rootCert = Data.LoadCerts(Data.SELF_SIGNED_ROOT_CERT)[0]; var certsChain = new[] { rootCert }; var builtChain = CertificateChainBuilder.Build(certsChain, rootCert); // then the expected chain is returned Assert.True(certsChain.SequenceEqual(builtChain)); }
public void CleaningIncompleteChainThrowsException() { // when we clean a chain with missing certs (TestData.PRE_CERT_SIGNING_BY_INTERMEDIATE) var certsChain = Data.LoadCerts( Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE, Data.INTERMEDIATE_CA_CERT); var builtChain = CertificateChainBuilder.Build(certsChain); Assert.AreEqual(builtChain, null); }
public void CleaningChainWithOnlyLeafThrowsException() { // given a basic chain cleaner var chainCleaner = GetChainCleaner(); // when we clean a valid chain var certsChain = Data.LoadCerts( Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE).ToJavaCerts(); Assert.Throws <SSLPeerUnverifiedException>(() => chainCleaner.Clean(certsChain)); }
public void CleaningIncompleteChainThrowsException() { // given a basic chain cleaner var chainCleaner = GetChainCleaner(); // when we clean a chain with missing certs (TestData.PRE_CERT_SIGNING_BY_INTERMEDIATE) var certsChain = Data.LoadCerts( Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE, Data.INTERMEDIATE_CA_CERT).ToJavaCerts(); Assert.Throws <SSLPeerUnverifiedException>(() => chainCleaner.Clean(certsChain)); }
public void ExcludeHostsRuleOnlyBlocksSpecifiedSubdomainMatching() { var ctv = GetCertVerifier(new[] { "*.*" }, new[] { DisallowedRandomCom }); var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT); var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN); var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single()); var result = ctv.IsValidAsync(AllowedRandomCom, certsChain, default).Result; Assert.IsTrue(result.Result == CtResult.Trusted); }
public void IncludeHostsRuleMatchesSubdomain() { var ctv = GetCertVerifier(_includeRandom); var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT); var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN); var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single()); var result = ctv.IsValidAsync(AllowedRandomCom, certsChain, default).Result; Assert.IsTrue(result.Result == CtResult.Trusted); }
public void OriginalChainDisallowedWhenNullLogs() { var ctv = GetCertVerifierNoLogs(_includeBabylon); var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT); var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN); var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single()); var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result; Assert.IsTrue(result.Result == CtResult.LogServersFailed); }
private ICertificateChainCleaner GetChainCleaner(X509Certificate rootCert = null) { var trustManager = new Moq.Mock <IX509TrustManager>(); trustManager.Setup(tm => tm.GetAcceptedIssuers()) .Returns(rootCert == null ? Data.LoadCerts(Data.ROOT_CA_CERT) .ToJavaCerts() .ToArray() : new[] { rootCert }); return(new CertificateChainCleaner(trustManager.Object)); }
public void ReallyLargeValidChainThrowsException() { var rootCert = Data.LoadCerts( Data.ELEVEN_CERTS_ROOT_CERT).ToJavaCerts()[0]; var certsChain = Data.LoadCerts( Data.ELEVEN_CERTS_CHAIN).ToJavaCerts(); // given a basic chain cleaner var chainCleaner = GetChainCleaner(rootCert); // when we clean a chain with more than 10 certs (inc root) Assert.Throws <SSLPeerUnverifiedException>(() => chainCleaner.Clean(certsChain)); }
public void OriginalChainAllowedWhenHostNotChecked() { var ctv = GetCertVerifier(_includeRandom); var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT); var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN); var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single()); var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result; Assert.IsTrue(result.Result == CtResult.DisabledForHost); }
public void MitmDisallowedWhenHostChecked() { var ctv = GetCertVerifier(_includeBabylon); var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT); var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ATTACK_CHAIN); var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single()); var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result; Assert.IsTrue(result.Result == CtResult.NoScts); }
public void CleaningOutOfOrderChainReturnsSuccessfully() { // when we clean a valid chain var certsChain = Data.LoadCerts( Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE, Data.INTERMEDIATE_CA_CERT, Data.PRE_CERT_SIGNING_BY_INTERMEDIATE); var builtChain = CertificateChainBuilder.Build(certsChain); // then the expected chain is returned Assert.True(_expectedChain.SequenceEqual(builtChain)); }
public void LargeValidChainReturnsSuccessfully() { var rootCert = Data.LoadCerts(Data.TEN_CERTS_ROOT_CERT)[0]; var certsChain = Data.LoadCerts(Data.TEN_CERTS_CHAIN); var builtChain = CertificateChainBuilder.Build(certsChain, rootCert); var expected = certsChain.ToList(); expected.Add(rootCert); // then the expected chain is returned Assert.True(expected.SequenceEqual(builtChain)); }
public void UntrustedCertificateThrowsException() { var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ATTACK_CHAIN); try { var certsChain = CertificateChainBuilder.Build(certsToCheck); Assert.AreEqual(certsChain, null); } catch { Assert.IsTrue(true); } }
public void TrustedCertInMiddleOfChainReturnsSuccessfully() { var certsChain = Data.LoadCerts( Data.TEN_CERTS_CHAIN).ToJavaCerts(); var trustedCert = certsChain[5]; // given a basic chain cleaner var chainCleaner = GetChainCleaner(trustedCert); // when we clean a chain of exactly 10 certs var builtChain = chainCleaner.Clean(certsChain); // then the expected chain is returned Assert.True(certsChain.SequenceEqual(builtChain, new JavaX509CertificateEquality())); }
internal static IList <X509Certificate2> Build(IEnumerable <X509Certificate2> chain, X509Certificate2 rootCert = null) { rootCert ??= Data.LoadCerts(Data.ROOT_CA_CERT).First(); var rootCerts = new[] { rootCert }.ToJavaCerts().ToArray(); var trustManager = new Moq.Mock <IX509TrustManager>(); trustManager.Setup(tm => tm.GetAcceptedIssuers()) .Returns(TrustManager.GetAcceptedIssuers().Concat(rootCerts).ToArray()); var chainBuilder = new CertificateChainCleaner(trustManager.Object); var completeChain = chain.ToJavaCerts(); return(chainBuilder.Clean(completeChain).ToDotNetCerts()); }
public void TrustedSelfSignedRootCertReturnsSuccessfully() { var rootCert = Data.LoadCerts( Data.SELF_SIGNED_ROOT_CERT).ToJavaCerts()[0]; // given a basic chain cleaner var chainCleaner = GetChainCleaner(rootCert); var certsChain = new[] { rootCert }; // when we clean a chain of the self-signed root cert var builtChain = chainCleaner.Clean(certsChain); // then the expected chain is returned Assert.True(certsChain.SequenceEqual(builtChain, new JavaX509CertificateEquality())); }
public void CleaningOutOfOrderChainReturnsSuccessfully() { // given a basic chain cleaner var chainCleaner = GetChainCleaner(); // when we clean a valid chain var certsChain = Data.LoadCerts( Data.TEST_PRE_CERT_SIGNED_BY_PRECA_INTERMEDIATE, Data.INTERMEDIATE_CA_CERT, Data.PRE_CERT_SIGNING_BY_INTERMEDIATE).ToJavaCerts(); var builtChain = chainCleaner.Clean(certsChain); // then the expected chain is returned Assert.True(_expectedChain.SequenceEqual(builtChain, new JavaX509CertificateEquality())); }
public void OriginalChainDisallowedWhenOnlyOneSct() { var ctv = GetCertVerifier(_includeBabylon); var rootCert = Data.LoadCerts(Data.TEST_MITMPROXY_ROOT_CERT); var certsToCheck = Data.LoadCerts(Data.TEST_MITMPROXY_ORIGINAL_CHAIN); var certsChain = CertificateChainBuilder.Build(certsToCheck, rootCert.Single()); var certWithSingleSct = SingleSctOnly(certsChain.First()); certsChain.RemoveAt(0); certsChain.Insert(0, certWithSingleSct); var result = ctv.IsValidAsync(BabylonHealthCom, certsChain, default).Result; Assert.IsTrue(result.Result == CtResult.TooFewSctsTrusted); }
public void LargeValidChainReturnsSuccessfully() { var rootCert = Data.LoadCerts( Data.TEN_CERTS_ROOT_CERT).ToJavaCerts()[0]; var certsChain = Data.LoadCerts( Data.TEN_CERTS_CHAIN).ToJavaCerts(); // given a basic chain cleaner var chainCleaner = GetChainCleaner(rootCert); // when we clean a chain of exactly 10 certs var builtChain = chainCleaner.Clean(certsChain); var expected = certsChain.ToList(); expected.Add(rootCert); // then the expected chain is returned Assert.True(expected.SequenceEqual(builtChain, new JavaX509CertificateEquality())); }
internal static IList <X509Certificate2> Build(IEnumerable <X509Certificate2> chain, X509Certificate rootCert = null) { if (chain?.Any() != true) { return(null); } rootCert ??= Data.LoadCerts(Data.ROOT_CA_CERT).First(); var leaf = chain.First(); chain = chain.Skip(1); using var chainBuilder = new X509Chain(); chainBuilder.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; chainBuilder.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; foreach (var c in chain) { chainBuilder.ChainPolicy.ExtraStore.Add(c); } chainBuilder.ChainPolicy.ExtraStore.Add(rootCert); var isValidChain = chainBuilder.Build(leaf); var builtChain = chainBuilder.ChainElements.OfType <X509ChainElement>().Select(i => i.Certificate).ToList(); isValidChain |= chainBuilder.ChainStatus.All( s => s.Status == X509ChainStatusFlags.UntrustedRoot || s.Status == X509ChainStatusFlags.HasNotSupportedCriticalExtension || s.Status == X509ChainStatusFlags.InvalidExtension || s.Status == X509ChainStatusFlags.NotTimeValid || (s.Status == X509ChainStatusFlags.PartialChain && chain.Contains(rootCert))); return(isValidChain || chain.Contains(rootCert) ? builtChain : null); }