2017-07-03 09:30:10 +02:00
|
|
|
/*!
|
|
|
|
|
* \brief Unit tests for \ref CertificateChecker
|
|
|
|
|
*
|
|
|
|
|
* \copyright Copyright (c) 2015 Governikus GmbH & Co. KG
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "AppSettings.h"
|
|
|
|
|
#include "CertificateChecker.h"
|
|
|
|
|
#include "LogHandler.h"
|
|
|
|
|
#include "SecureStorage.h"
|
|
|
|
|
#include "context/AuthContext.h"
|
|
|
|
|
|
|
|
|
|
#include "MockActivationContext.h"
|
|
|
|
|
#include "TestFileHelper.h"
|
|
|
|
|
|
|
|
|
|
#include <QSslKey>
|
|
|
|
|
#include <QtTest>
|
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
|
|
|
|
|
|
using namespace governikus;
|
|
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
Q_DECLARE_METATYPE(QSsl::KeyAlgorithm)
|
2017-07-03 09:30:10 +02:00
|
|
|
|
|
|
|
|
class test_CertificateChecker
|
|
|
|
|
: public QObject
|
|
|
|
|
{
|
|
|
|
|
Q_OBJECT
|
|
|
|
|
|
|
|
|
|
QVector<QSslCertificate> certs;
|
|
|
|
|
|
|
|
|
|
static QSslKey createQSslKeyWithHandle(const QByteArray& pPemEncodedEvpPKey)
|
|
|
|
|
{
|
|
|
|
|
BIO* bio = BIO_new(BIO_s_mem());
|
|
|
|
|
BIO_write(bio, pPemEncodedEvpPKey.constData(), pPemEncodedEvpPKey.length());
|
|
|
|
|
QSslKey key(PEM_read_bio_PUBKEY(bio, nullptr, nullptr, nullptr), QSsl::PublicKey);
|
|
|
|
|
BIO_free(bio);
|
|
|
|
|
return key;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private Q_SLOTS:
|
|
|
|
|
void initTestCase()
|
|
|
|
|
{
|
|
|
|
|
LogHandler::getInstance().init();
|
|
|
|
|
AppSettings::getInstance().load();
|
|
|
|
|
certs = AppSettings::getInstance().getSecureStorage().getUpdateCertificates();
|
|
|
|
|
QVERIFY(certs.size() > 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void cleanup()
|
|
|
|
|
{
|
|
|
|
|
LogHandler::getInstance().resetBacklog();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void validUpdateCert()
|
|
|
|
|
{
|
|
|
|
|
QSharedPointer<AuthContext> model(new AuthContext(new MockActivationContext()));
|
|
|
|
|
|
|
|
|
|
QCOMPARE(model->getCertificateList().size(), 0);
|
2017-07-03 09:33:28 +02:00
|
|
|
QCOMPARE(CertificateChecker::checkAndSaveCertificate(certs.at(0), QUrl("dummy"), model), CertificateChecker::CertificateStatus::Good);
|
2017-07-03 09:30:10 +02:00
|
|
|
QCOMPARE(model->getCertificateList().size(), 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
void hasUpdateCertificateKeyLength()
|
2017-07-03 09:30:10 +02:00
|
|
|
{
|
2017-07-03 09:33:28 +02:00
|
|
|
for (const auto& cert : qAsConst(certs))
|
|
|
|
|
{
|
|
|
|
|
QVERIFY(CertificateChecker::hasValidCertificateKeyLength(cert));
|
|
|
|
|
}
|
2017-07-03 09:30:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
void hasCertificateKeyLength_data()
|
2017-07-03 09:30:10 +02:00
|
|
|
{
|
2017-07-03 09:33:28 +02:00
|
|
|
QTest::addColumn<QString>("filename");
|
|
|
|
|
QTest::addColumn<QString>("output");
|
2017-07-03 09:30:10 +02:00
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
QTest::newRow("rsa") << ":/core/invalid.keysize.rsa.der" << "Rsa key with insufficient key size found 1024";
|
|
|
|
|
QTest::newRow("dsa") << ":/core/invalid.keysize.dsa.der" << "Dsa key with insufficient key size found 1024";
|
|
|
|
|
QTest::newRow("ec") << ":/core/invalid.keysize.ec.der" << "Ec key with insufficient key size found 128";
|
2017-07-03 09:30:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
void hasCertificateKeyLength()
|
2017-07-03 09:30:10 +02:00
|
|
|
{
|
2017-07-03 09:33:28 +02:00
|
|
|
QFETCH(QString, filename);
|
|
|
|
|
QFETCH(QString, output);
|
|
|
|
|
|
|
|
|
|
const auto& content = TestFileHelper::readFile(filename);
|
|
|
|
|
QVERIFY(!content.isEmpty());
|
|
|
|
|
QSslCertificate invalidCert(content);
|
2017-07-03 09:30:10 +02:00
|
|
|
QSignalSpy spy(&LogHandler::getInstance(), &LogHandler::fireLog);
|
|
|
|
|
QVERIFY(!CertificateChecker::hasValidCertificateKeyLength(invalidCert));
|
|
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
QCOMPARE(spy.count(), 3);
|
2017-07-03 09:30:10 +02:00
|
|
|
auto param = spy.takeLast();
|
2017-07-03 09:33:28 +02:00
|
|
|
QVERIFY(param.at(0).toString().contains(output));
|
2017-07-03 09:30:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void checkCertificateHash()
|
|
|
|
|
{
|
|
|
|
|
QVERIFY(!CertificateChecker::checkCertificate(certs.at(0), QCryptographicHash::Algorithm::Sha256, QSet<QString>() << "dummy" << "bla bla"));
|
|
|
|
|
QVERIFY(CertificateChecker::checkCertificate(certs.at(0), QCryptographicHash::Algorithm::Sha256, QSet<QString>() << "dummy" << "4381E8E49218524CB6A59C26379B1234C32DDBCB04A12988DE249C098FF32ED7" << "bla bla"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void hasEmptyEphemeralKey()
|
|
|
|
|
{
|
|
|
|
|
QSslKey key;
|
|
|
|
|
QVERIFY(!CertificateChecker::hasValidEphemeralKeyLength(key));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
void hasValidEphemeralKeyLength_data()
|
2017-07-03 09:30:10 +02:00
|
|
|
{
|
2017-07-03 09:33:28 +02:00
|
|
|
QTest::addColumn<QByteArray>("pem");
|
|
|
|
|
QTest::addColumn<QSsl::KeyAlgorithm>("algorithm");
|
|
|
|
|
QTest::addColumn<bool>("sufficient");
|
|
|
|
|
|
2017-07-03 09:30:10 +02:00
|
|
|
/*
|
|
|
|
|
* openssl ecparam -name secp112r2 -out secp112r2_param.pem
|
|
|
|
|
* openssl ecparam -in secp112r2_param.pem -genkey -noout -out secp112r2_key.pem
|
|
|
|
|
* openssl ec -in secp112r2_key.pem -pubout -out secp112r2_pubkey.pem
|
|
|
|
|
*/
|
2017-07-03 09:33:28 +02:00
|
|
|
QByteArray ec112("-----BEGIN PUBLIC KEY-----\n"
|
|
|
|
|
"MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEWo89aCax3oUWJho7rFZ1u70WqghvA7Tf\n"
|
|
|
|
|
"SXXiZw==\n"
|
|
|
|
|
"-----END PUBLIC KEY-----");
|
2017-07-03 09:30:10 +02:00
|
|
|
|
2017-07-03 09:33:28 +02:00
|
|
|
QTest::newRow("ec112") << ec112 << QSsl::KeyAlgorithm::Ec << false;
|
2017-07-03 09:30:10 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* openssl ecparam -name secp521r1 -out secp521r1_param.pem
|
|
|
|
|
* openssl ecparam -in secp521r1_param.pem -genkey -noout -out secp521r1_key.pem
|
|
|
|
|
* openssl ec -in secp521r1_key.pem -pubout -out secp521r1_pubkey.pem
|
|
|
|
|
*/
|
2017-07-03 09:33:28 +02:00
|
|
|
QByteArray ec521("-----BEGIN PUBLIC KEY-----\n"
|
|
|
|
|
"MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBi5e64Y/7EGT7Tbpe5h4cZGSpNidN\n"
|
|
|
|
|
"fiPz6F/aG1yApWkTgqVoQTUCahP851skkDI6PzHedE67CR2KPJ8VNt6WmuIAc4Cg\n"
|
|
|
|
|
"zBwxpgBC09TO/3D8fS70xVqBX6dzA4lO9MUZCqgBMt2LTFpklUabviy657kcRQ+H\n"
|
|
|
|
|
"tTAy2sDy+bhcj1UyWlE=\n"
|
|
|
|
|
"-----END PUBLIC KEY-----");
|
|
|
|
|
QTest::newRow("ec521") << ec521 << QSsl::KeyAlgorithm::Ec << true;
|
2017-07-03 09:30:10 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* openssl dsaparam -out dsa768_param.pem 1024
|
|
|
|
|
* openssl gendsa -out dsa768_key.pem dsa768_param.pem
|
|
|
|
|
* openssl dsa -in dsa768_key.pem -pubout -out dsa768_pubkey.pem
|
|
|
|
|
*/
|
2017-07-03 09:33:28 +02:00
|
|
|
QByteArray dsa768("-----BEGIN PUBLIC KEY-----\n"
|
|
|
|
|
"MIIBUTCB6AYHKoZIzjgEATCB3AJhAMZ8q4KifsiCkTcL/qaqrghMK1Ah2EC6cO3b\n"
|
|
|
|
|
"a0Dq1FhA7cEQpe0YVcFhcnjd6CCEGz+Zl5nlHGKpgrjdBUZZP66JIFy/WhUb2adZ\n"
|
|
|
|
|
"HRcswrSlE/NQS+sPH3CA0WddlcLaDwIVAKsBnl++V6aRAvYR9HVxr5LajwnVAmBq\n"
|
|
|
|
|
"7heqwtm9j317cWptXSwR1jKKWPqkOXzaxSVG1PhEEGXTq6PeQgoBRivzbE+/Ome8\n"
|
|
|
|
|
"DqfcBsIOCMc47bupEUqK38fmnALGLaig7cup3njaNkxyuoQPngtb0qUiT0dy7dED\n"
|
|
|
|
|
"ZAACYQCz1c7kF720wMi9SnrpPD3mZWsC3dqOn5r8EwxanHnkf4KyPctawqGmhZsK\n"
|
|
|
|
|
"b3586zIW9Fdg/Rq4yda8GzMLVAtF540s3k5RmsJvnxPEGXlc3c+wEOKR/iHwPrg4\n"
|
|
|
|
|
"DNXOVys=\n"
|
|
|
|
|
"-----END PUBLIC KEY-----");
|
|
|
|
|
QTest::newRow("dsa768") << dsa768 << QSsl::KeyAlgorithm::Dsa << false;
|
2017-07-03 09:30:10 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* openssl dsaparam -out dsa1024_param.pem 1024
|
|
|
|
|
* openssl gendsa -out dsa1024_key.pem dsa1024_param.pem
|
|
|
|
|
* openssl dsa -in dsa1024_key.pem -pubout -out dsa1024_pubkey.pem
|
|
|
|
|
*/
|
2017-07-03 09:33:28 +02:00
|
|
|
QByteArray dsa1024("-----BEGIN PUBLIC KEY-----\n"
|
|
|
|
|
"MIIBtzCCASwGByqGSM44BAEwggEfAoGBAMGEyYRk7Hj45r/1vnY4FFIPSLGDnq6g\n"
|
|
|
|
|
"60T514zhDaL3A9qXdy+U/i2zm+wscG0mP+9SuznBpTRCM063saCmfQODTCwtg/nZ\n"
|
|
|
|
|
"Hn7XGfT1dp5jyqzLDLJ+OSGkazLpUXg5gMPRtju7H8z4oPQMaZZX7bnafBbkQ/Xo\n"
|
|
|
|
|
"X9Gn5PGpWqaNAhUA1YRAaKf5eR8cC+SRWIIvP8b3pMcCgYEAmf5LMvR+m2akqKu2\n"
|
|
|
|
|
"piW7dN1PxyH0Ixx12aQVF4Hek1cHK6LZW/a/SGrG1pdvz60iq/6aA3vyt2CI8rRi\n"
|
|
|
|
|
"mjlCjM5YGGYCKn6l6cTrGQCB2QL7ThIeKFAmPy2wLWe2uGUa12texb4PGKGV7HsO\n"
|
|
|
|
|
"wnWAsuMYQ8DLM5tT1v8s/779g/wDgYQAAoGASzXSQchr3SyX5vxTtbZ3v8x/a7nZ\n"
|
|
|
|
|
"HAYEiBXfVG8iW+kaAGkyU0L0AIFXJFTUYbjI3EAO24kyFmwWI2e8BkXmibIuAlwY\n"
|
|
|
|
|
"1vSGQgpXPK6250pSrx8r8pngr9Qxrt8ElFpLtK+Of6Th/wSTe8COYbXSOP/6Yx7v\n"
|
|
|
|
|
"6cObyPo7eAmX8Sg=\n"
|
|
|
|
|
"-----END PUBLIC KEY-----");
|
|
|
|
|
QTest::newRow("dsa1024") << dsa1024 << QSsl::KeyAlgorithm::Dsa << true;
|
2017-07-03 09:30:10 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* openssl genrsa -out rsa1024_key.pem 1024
|
|
|
|
|
* openssl rsa -in rsa1024_key.pem -out rsa1024_pubkey.pem -pubout
|
|
|
|
|
*/
|
2017-07-03 09:33:28 +02:00
|
|
|
QByteArray rsa1024("-----BEGIN PUBLIC KEY-----\n"
|
|
|
|
|
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3cWoq9XuQI1soyaOM4hjVw4Lc\n"
|
|
|
|
|
"TA1HCypXuF/GaTmvxc82J+2F6ISxNFWnSXOs+wpgavXgpfDL7od5fo8EbnMRZLXQ\n"
|
|
|
|
|
"tHKRnCy0sQiCQqmSNmWe4qeLwXslKxm1fqj3/tvrX+0VxDVxXz5jS0HH7hHMdELQ\n"
|
|
|
|
|
"om/I1IppJFS4IkqEoQIDAQAB\n"
|
|
|
|
|
"-----END PUBLIC KEY-----");
|
|
|
|
|
QTest::newRow("rsa1024") << rsa1024 << QSsl::KeyAlgorithm::Rsa << false;
|
2017-07-03 09:30:10 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* openssl genrsa -out rsa2048_key.pem 2048
|
|
|
|
|
* openssl rsa -in rsa2048_key.pem -out rsa2048_pubkey.pem -pubout
|
|
|
|
|
*/
|
2017-07-03 09:33:28 +02:00
|
|
|
QByteArray rsa2048("-----BEGIN PUBLIC KEY-----\n"
|
|
|
|
|
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs1xh1ymbXRDOBxDmx2I9\n"
|
|
|
|
|
"oQbBvqE3QYK5ktPI9mHX38lwQ71AYw7pUxsGzCwwLDRBnHNc1gKtn8IoXhtujsWi\n"
|
|
|
|
|
"FvVpayI0GQkJ1Pob66Vr7DY9ZC9dfsJddZi+ce1cAdzg3Od/31y5c3Tiz0laNTkv\n"
|
|
|
|
|
"tyGhyyIovfPDJbdX2Srgg8GJAo0AtYJjVCJxZX5TDJLHmBdvK61ZXotgYIjkl7lA\n"
|
|
|
|
|
"DO9y31b/10IiLpFcgIUMI+8oF8OypQ/24XKIPVSJm4DZZkjSbUCuwT/mA+61m0no\n"
|
|
|
|
|
"q0hOP6K9hZ7pBZvqLZ0gZdVWqarIf9w/I5yS2QGN9jgJN/oJIKyljlreGuSagST/\n"
|
|
|
|
|
"5wIDAQAB\n"
|
|
|
|
|
"-----END PUBLIC KEY-----");
|
|
|
|
|
QTest::newRow("rsa2048") << rsa2048 << QSsl::KeyAlgorithm::Rsa << true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void hasValidEphemeralKeyLength()
|
|
|
|
|
{
|
|
|
|
|
QFETCH(QByteArray, pem);
|
|
|
|
|
QFETCH(QSsl::KeyAlgorithm, algorithm);
|
|
|
|
|
QFETCH(bool, sufficient);
|
|
|
|
|
|
2017-07-03 09:30:10 +02:00
|
|
|
QSslKey key = createQSslKeyWithHandle(pem);
|
2017-07-03 09:33:28 +02:00
|
|
|
QVERIFY(!key.isNull());
|
|
|
|
|
|
|
|
|
|
#if QT_VERSION >= 0x050800
|
|
|
|
|
QCOMPARE(key.algorithm(), algorithm);
|
|
|
|
|
#else
|
|
|
|
|
Q_UNUSED(algorithm)
|
|
|
|
|
QCOMPARE(key.algorithm(), QSsl::Opaque);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
QCOMPARE(CertificateChecker::hasValidEphemeralKeyLength(key), sufficient);
|
2017-07-03 09:30:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
QTEST_GUILESS_MAIN(test_CertificateChecker)
|
|
|
|
|
#include "test_CertificateChecker.moc"
|
