CTTestUtils.cpp (37402B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "CTTestUtils.h" 8 9 #include <stdint.h> 10 #include <iomanip> 11 12 #include "BTTypes.h" 13 #include "CTSerialization.h" 14 #include "gtest/gtest.h" 15 #include "mozpkix/Input.h" 16 #include "mozpkix/pkix.h" 17 #include "mozpkix/pkixnss.h" 18 #include "mozpkix/pkixtypes.h" 19 #include "mozpkix/Result.h" 20 #include "mozpkix/pkixcheck.h" 21 #include "mozpkix/pkixutil.h" 22 #include "SignedCertificateTimestamp.h" 23 24 namespace mozilla { 25 namespace ct { 26 27 using namespace mozilla::pkix; 28 29 // The following test vectors are from the CT test data repository at 30 // https://github.com/google/certificate-transparency/tree/master/test/testdata 31 32 // test-cert.pem 33 const char kDefaultDerCert[] = 34 "308202ca30820233a003020102020106300d06092a864886f70d01010505003055310b3009" 35 "06035504061302474231243022060355040a131b4365727469666963617465205472616e73" 36 "706172656e6379204341310e300c0603550408130557616c65733110300e06035504071307" 37 "4572772057656e301e170d3132303630313030303030305a170d3232303630313030303030" 38 "305a3052310b30090603550406130247423121301f060355040a1318436572746966696361" 39 "7465205472616e73706172656e6379310e300c0603550408130557616c65733110300e0603" 40 "55040713074572772057656e30819f300d06092a864886f70d010101050003818d00308189" 41 "02818100b1fa37936111f8792da2081c3fe41925008531dc7f2c657bd9e1de4704160b4c9f" 42 "19d54ada4470404c1c51341b8f1f7538dddd28d9aca48369fc5646ddcc7617f8168aae5b41" 43 "d43331fca2dadfc804d57208949061f9eef902ca47ce88c644e000f06eeeccabdc9dd2f68a" 44 "22ccb09dc76e0dbc73527765b1a37a8c676253dcc10203010001a381ac3081a9301d060355" 45 "1d0e041604146a0d982a3b62c44b6d2ef4e9bb7a01aa9cb798e2307d0603551d2304763074" 46 "80145f9d880dc873e654d4f80dd8e6b0c124b447c355a159a4573055310b30090603550406" 47 "1302474231243022060355040a131b4365727469666963617465205472616e73706172656e" 48 "6379204341310e300c0603550408130557616c65733110300e060355040713074572772057" 49 "656e82010030090603551d1304023000300d06092a864886f70d010105050003818100171c" 50 "d84aac414a9a030f22aac8f688b081b2709b848b4e5511406cd707fed028597a9faefc2eee" 51 "2978d633aaac14ed3235197da87e0f71b8875f1ac9e78b281749ddedd007e3ecf50645f8cb" 52 "f667256cd6a1647b5e13203bb8582de7d6696f656d1c60b95f456b7fcf338571908f1c6972" 53 "7d24c4fccd249295795814d1dac0e6"; 54 55 // key hash of test-cert.pem's issuer (ca-cert.pem) 56 const char kDefaultIssuerKeyHash[] = 57 "02adddca08b8bf9861f035940c940156d8350fdff899a6239c6bd77255b8f8fc"; 58 59 const char kDefaultDerTbsCert[] = 60 "30820233a003020102020107300d06092a864886f70d01010505003055310b300906035504" 61 "061302474231243022060355040a131b4365727469666963617465205472616e7370617265" 62 "6e6379204341310e300c0603550408130557616c65733110300e0603550407130745727720" 63 "57656e301e170d3132303630313030303030305a170d3232303630313030303030305a3052" 64 "310b30090603550406130247423121301f060355040a131843657274696669636174652054" 65 "72616e73706172656e6379310e300c0603550408130557616c65733110300e060355040713" 66 "074572772057656e30819f300d06092a864886f70d010101050003818d0030818902818100" 67 "beef98e7c26877ae385f75325a0c1d329bedf18faaf4d796bf047eb7e1ce15c95ba2f80ee4" 68 "58bd7db86f8a4b252191a79bd700c38e9c0389b45cd4dc9a120ab21e0cb41cd0e72805a410" 69 "cd9c5bdb5d4927726daf1710f60187377ea25b1a1e39eed0b88119dc154dc68f7da8e30caf" 70 "158a33e6c9509f4a05b01409ff5dd87eb50203010001a381ac3081a9301d0603551d0e0416" 71 "04142031541af25c05ffd8658b6843794f5e9036f7b4307d0603551d230476307480145f9d" 72 "880dc873e654d4f80dd8e6b0c124b447c355a159a4573055310b3009060355040613024742" 73 "31243022060355040a131b4365727469666963617465205472616e73706172656e63792043" 74 "41310e300c0603550408130557616c65733110300e060355040713074572772057656e8201" 75 "0030090603551d1304023000"; 76 77 // DigitallySigned of test-cert.proof 78 const char kTestDigitallySigned[] = 79 "0403004730450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c208dfbfe9ef53" 80 "6cf7f2022100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc45689a2c0187ef5" 81 "a5"; 82 83 // test-cert.proof 84 const char kTestSignedCertificateTimestamp[] = 85 "00df1c2ec11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d7640000013d" 86 "db27ded900000403004730450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c2" 87 "08dfbfe9ef536cf7f2022100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc456" 88 "89a2c0187ef5a5"; 89 90 // The signatures on the following "SCT"s are not actually valid. The intent is 91 // to test the parsing of extensions. 92 const char kTestSignedCertificateTimestampWithLeafIndexExtension[] = 93 "00df1c2ec11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d7640000013d" 94 "db27ded9" 95 "0008" // 8 bytes of extensions 96 "0000050000000034" // leaf_index of 52 97 "0403004730450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c2" 98 "08dfbfe9ef536cf7f2022100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc456" 99 "89a2c0187ef5a5"; 100 101 const char kTestSignedCertificateTimestampWithTwoLeafIndexExtensions[] = 102 "00df1c2ec11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d7640000013d" 103 "db27ded9" 104 "0010" // 16 bytes of extensions 105 "0000050000000034" // leaf_index of 52 106 "0000050000000051" // leaf_index of 81 107 "0403004730450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c2" 108 "08dfbfe9ef536cf7f2022100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc456" 109 "89a2c0187ef5a5"; 110 111 const char kTestSignedCertificateTimestampWithUnknownExtension[] = 112 "00df1c2ec11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d7640000013d" 113 "db27ded9" 114 "0008" // 8 bytes of extensions 115 "0100050000000034" // an (unknown) extension with id 1 116 "0403004730450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c2" 117 "08dfbfe9ef536cf7f2022100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc456" 118 "89a2c0187ef5a5"; 119 120 const char kTestSignedCertificateTimestampWithUnknownAndLeafIndexExtensions[] = 121 "00df1c2ec11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d7640000013d" 122 "db27ded9" 123 "0010" // 16 bytes of extensions 124 "0100050000000034" // an (unknown) extension with id 1 125 "0000050000000051" // leaf_index of 81 126 "0403004730450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c2" 127 "08dfbfe9ef536cf7f2022100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc456" 128 "89a2c0187ef5a5"; 129 130 const char kTestSignedCertificateTimestampWithTooShortExtension[] = 131 "00df1c2ec11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d7640000013d" 132 "db27ded9" 133 "0008" // 8 bytes of extensions 134 "000005000034" // 3 bytes of extension data when there should be 5 135 "0403004730450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c2" 136 "08dfbfe9ef536cf7f2022100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc456" 137 "89a2c0187ef5a5"; 138 139 // ct-server-key-public.pem 140 const char kEcP256PublicKey[] = 141 "3059301306072a8648ce3d020106082a8648ce3d0301070342000499783cb14533c0161a5a" 142 "b45bf95d08a29cd0ea8dd4c84274e2be59ad15c676960cf0afa1074a57ac644b23479e5b3f" 143 "b7b245eb4b420ef370210371a944beaceb"; 144 145 // key id (sha256) of ct-server-key-public.pem 146 const char kTestKeyId[] = 147 "df1c2ec11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d764"; 148 149 // signature field of DigitallySigned from test-cert.proof 150 const char kTestSCTSignatureData[] = 151 "30450220606e10ae5c2d5a1b0aed49dc4937f48de71a4e9784e9c208dfbfe9ef536cf7f202" 152 "2100beb29c72d7d06d61d06bdb38a069469aa86fe12e18bb7cc45689a2c0187ef5a5"; 153 154 // signature field of DigitallySigned from test-embedded-pre-cert.proof 155 const char kTestSCTPrecertSignatureData[] = 156 "30450220482f6751af35dba65436be1fd6640f3dbf9a41429495924530288fa3e5e23e0602" 157 "2100e4edc0db3ac572b1e2f5e8ab6a680653987dcf41027dfeffa105519d89edbf08"; 158 159 // test-embedded-cert.pem 160 const char kTestEmbeddedCertData[] = 161 "30820359308202c2a003020102020107300d06092a864886f70d01010505" 162 "003055310b300906035504061302474231243022060355040a131b436572" 163 "7469666963617465205472616e73706172656e6379204341310e300c0603" 164 "550408130557616c65733110300e060355040713074572772057656e301e" 165 "170d3132303630313030303030305a170d3232303630313030303030305a" 166 "3052310b30090603550406130247423121301f060355040a131843657274" 167 "69666963617465205472616e73706172656e6379310e300c060355040813" 168 "0557616c65733110300e060355040713074572772057656e30819f300d06" 169 "092a864886f70d010101050003818d0030818902818100beef98e7c26877" 170 "ae385f75325a0c1d329bedf18faaf4d796bf047eb7e1ce15c95ba2f80ee4" 171 "58bd7db86f8a4b252191a79bd700c38e9c0389b45cd4dc9a120ab21e0cb4" 172 "1cd0e72805a410cd9c5bdb5d4927726daf1710f60187377ea25b1a1e39ee" 173 "d0b88119dc154dc68f7da8e30caf158a33e6c9509f4a05b01409ff5dd87e" 174 "b50203010001a382013a30820136301d0603551d0e041604142031541af2" 175 "5c05ffd8658b6843794f5e9036f7b4307d0603551d230476307480145f9d" 176 "880dc873e654d4f80dd8e6b0c124b447c355a159a4573055310b30090603" 177 "5504061302474231243022060355040a131b436572746966696361746520" 178 "5472616e73706172656e6379204341310e300c0603550408130557616c65" 179 "733110300e060355040713074572772057656e82010030090603551d1304" 180 "02300030818a060a2b06010401d679020402047c047a0078007600df1c2e" 181 "c11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d76400" 182 "00013ddb27df9300000403004730450220482f6751af35dba65436be1fd6" 183 "640f3dbf9a41429495924530288fa3e5e23e06022100e4edc0db3ac572b1" 184 "e2f5e8ab6a680653987dcf41027dfeffa105519d89edbf08300d06092a86" 185 "4886f70d0101050500038181008a0c4bef099d479279afa0a28e689f91e1" 186 "c4421be2d269a2ea6ca4e8215ddeddca1504a11e7c87c4b77e80f0e97903" 187 "5268f27ca20e166804ae556f316981f96a394ab7abfd3e255ac0044513fe" 188 "76570c6795abe4703133d303f89f3afa6bbcfc517319dfd95b934241211f" 189 "634035c3d078307a68c6075a2e20c89f36b8910ca0"; 190 191 const char kTestTbsCertData[] = 192 "30820233a003020102020107300d06092a864886f70d0101050500305531" 193 "0b300906035504061302474231243022060355040a131b43657274696669" 194 "63617465205472616e73706172656e6379204341310e300c060355040813" 195 "0557616c65733110300e060355040713074572772057656e301e170d3132" 196 "303630313030303030305a170d3232303630313030303030305a3052310b" 197 "30090603550406130247423121301f060355040a13184365727469666963" 198 "617465205472616e73706172656e6379310e300c0603550408130557616c" 199 "65733110300e060355040713074572772057656e30819f300d06092a8648" 200 "86f70d010101050003818d0030818902818100beef98e7c26877ae385f75" 201 "325a0c1d329bedf18faaf4d796bf047eb7e1ce15c95ba2f80ee458bd7db8" 202 "6f8a4b252191a79bd700c38e9c0389b45cd4dc9a120ab21e0cb41cd0e728" 203 "05a410cd9c5bdb5d4927726daf1710f60187377ea25b1a1e39eed0b88119" 204 "dc154dc68f7da8e30caf158a33e6c9509f4a05b01409ff5dd87eb5020301" 205 "0001a381ac3081a9301d0603551d0e041604142031541af25c05ffd8658b" 206 "6843794f5e9036f7b4307d0603551d230476307480145f9d880dc873e654" 207 "d4f80dd8e6b0c124b447c355a159a4573055310b30090603550406130247" 208 "4231243022060355040a131b4365727469666963617465205472616e7370" 209 "6172656e6379204341310e300c0603550408130557616c65733110300e06" 210 "0355040713074572772057656e82010030090603551d1304023000"; 211 212 // test-embedded-with-preca-cert.pem 213 const char kTestEmbeddedWithPreCaCertData[] = 214 "30820359308202c2a003020102020108300d06092a864886f70d01010505" 215 "003055310b300906035504061302474231243022060355040a131b436572" 216 "7469666963617465205472616e73706172656e6379204341310e300c0603" 217 "550408130557616c65733110300e060355040713074572772057656e301e" 218 "170d3132303630313030303030305a170d3232303630313030303030305a" 219 "3052310b30090603550406130247423121301f060355040a131843657274" 220 "69666963617465205472616e73706172656e6379310e300c060355040813" 221 "0557616c65733110300e060355040713074572772057656e30819f300d06" 222 "092a864886f70d010101050003818d0030818902818100afaeeacac51ab7" 223 "cebdf9eacae7dd175295e193955a17989aef8d97ab7cdff7761093c0b823" 224 "d2a4e3a51a17b86f28162b66a2538935ebecdc1036233da2dd6531b0c63b" 225 "cc68761ebdc854037b77399246b870a7b72b14c9b1667de09a9640ed9f3f" 226 "3c725d950b4d26559869fe7f1e919a66eb76d35c0117c6bcd0d8cfd21028" 227 "b10203010001a382013a30820136301d0603551d0e04160414612c64efac" 228 "79b728397c9d93e6df86465fa76a88307d0603551d230476307480145f9d" 229 "880dc873e654d4f80dd8e6b0c124b447c355a159a4573055310b30090603" 230 "5504061302474231243022060355040a131b436572746966696361746520" 231 "5472616e73706172656e6379204341310e300c0603550408130557616c65" 232 "733110300e060355040713074572772057656e82010030090603551d1304" 233 "02300030818a060a2b06010401d679020402047c047a0078007600df1c2e" 234 "c11500945247a96168325ddc5c7959e8f7c6d388fc002e0bbd3f74d76400" 235 "00013ddb27e05b000004030047304502207aa79604c47480f3727b084f90" 236 "b3989f79091885e00484431a2a297cbf3a355c022100b49fd8120b0d644c" 237 "d7e75269b4da6317a9356cb950224fc11cc296b2e39b2386300d06092a86" 238 "4886f70d010105050003818100a3a86c41ad0088a25aedc4e7b529a2ddbf" 239 "9e187ffb362157e9302d961b73b43cba0ae1e230d9e45049b7e8c924792e" 240 "bbe7d175baa87b170dfad8ee788984599d05257994084e2e0e796fca5836" 241 "881c3e053553e06ab230f919089b914e4a8e2da45f8a87f2c81a25a61f04" 242 "fe1cace60155653827d41fad9f0658f287d058192c"; 243 244 // ca-cert.pem 245 const char kCaCertData[] = 246 "308202d030820239a003020102020100300d06092a864886f70d01010505" 247 "003055310b300906035504061302474231243022060355040a131b436572" 248 "7469666963617465205472616e73706172656e6379204341310e300c0603" 249 "550408130557616c65733110300e060355040713074572772057656e301e" 250 "170d3132303630313030303030305a170d3232303630313030303030305a" 251 "3055310b300906035504061302474231243022060355040a131b43657274" 252 "69666963617465205472616e73706172656e6379204341310e300c060355" 253 "0408130557616c65733110300e060355040713074572772057656e30819f" 254 "300d06092a864886f70d010101050003818d0030818902818100d58a6853" 255 "6210a27119936e778321181c2a4013c6d07b8c76eb9157d3d0fb4b3b516e" 256 "cecbd1c98d91c52f743fab635d55099cd13abaf31ae541442451a74c7816" 257 "f2243cf848cf2831cce67ba04a5a23819f3cba37e624d9c3bdb299b839dd" 258 "fe2631d2cb3a84fc7bb2b5c52fcfc14fff406f5cd44669cbb2f7cfdf86fb" 259 "6ab9d1b10203010001a381af3081ac301d0603551d0e041604145f9d880d" 260 "c873e654d4f80dd8e6b0c124b447c355307d0603551d230476307480145f" 261 "9d880dc873e654d4f80dd8e6b0c124b447c355a159a4573055310b300906" 262 "035504061302474231243022060355040a131b4365727469666963617465" 263 "205472616e73706172656e6379204341310e300c0603550408130557616c" 264 "65733110300e060355040713074572772057656e820100300c0603551d13" 265 "040530030101ff300d06092a864886f70d0101050500038181000608cc4a" 266 "6d64f2205e146c04b276f92b0efa94a5daf23afc3806606d3990d0a1ea23" 267 "3d40295769463b046661e7fa1d179915209aea2e0a775176411227d7c003" 268 "07c7470e61584fd7334224727f51d690bc47a9df354db0f6eb25955de189" 269 "3c4dd5202b24a2f3e440d274b54e1bd376269ca96289b76ecaa41090e14f" 270 "3b0a942e"; 271 272 // intermediate-cert.pem 273 const char kIntermediateCertData[] = 274 "308202dd30820246a003020102020109300d06092a864886f70d01010505" 275 "003055310b300906035504061302474231243022060355040a131b436572" 276 "7469666963617465205472616e73706172656e6379204341310e300c0603" 277 "550408130557616c65733110300e060355040713074572772057656e301e" 278 "170d3132303630313030303030305a170d3232303630313030303030305a" 279 "3062310b30090603550406130247423131302f060355040a132843657274" 280 "69666963617465205472616e73706172656e637920496e7465726d656469" 281 "617465204341310e300c0603550408130557616c65733110300e06035504" 282 "0713074572772057656e30819f300d06092a864886f70d01010105000381" 283 "8d0030818902818100d76a678d116f522e55ff821c90642508b7074b14d7" 284 "71159064f7927efdedb87135a1365ee7de18cbd5ce865f860c78f433b4d0" 285 "d3d3407702e7a3ef542b1dfe9bbaa7cdf94dc5975fc729f86f105f381b24" 286 "3535cf9c800f5ca780c1d3c84400ee65d16ee9cf52db8adffe50f5c49335" 287 "0b2190bf50d5bc36f3cac5a8daae92cd8b0203010001a381af3081ac301d" 288 "0603551d0e04160414965508050278479e8773764131bc143a47e229ab30" 289 "7d0603551d230476307480145f9d880dc873e654d4f80dd8e6b0c124b447" 290 "c355a159a4573055310b300906035504061302474231243022060355040a" 291 "131b4365727469666963617465205472616e73706172656e637920434131" 292 "0e300c0603550408130557616c65733110300e0603550407130745727720" 293 "57656e820100300c0603551d13040530030101ff300d06092a864886f70d" 294 "0101050500038181002206dab1c66b71dce095c3f6aa2ef72cf7761be7ab" 295 "d7fc39c31a4cfe1bd96d6734ca82f22dde5a0c8bbbdd825d7b6f3e7612ad" 296 "8db300a7e21169886023262284c3aa5d2191efda10bf9235d37b3a2a340d" 297 "59419b94a48566f3fac3cd8b53d5a4e98270ead297b07210f9ce4a2138b1" 298 "8811143b93fa4e7a87dd37e1385f2c2908"; 299 300 // test-embedded-with-intermediate-cert.pem 301 const char kTestEmbeddedWithIntermediateCertData[] = 302 "30820366308202cfa003020102020102300d06092a864886f70d01010505" 303 "003062310b30090603550406130247423131302f060355040a1328436572" 304 "7469666963617465205472616e73706172656e637920496e7465726d6564" 305 "69617465204341310e300c0603550408130557616c65733110300e060355" 306 "040713074572772057656e301e170d3132303630313030303030305a170d" 307 "3232303630313030303030305a3052310b30090603550406130247423121" 308 "301f060355040a13184365727469666963617465205472616e7370617265" 309 "6e6379310e300c0603550408130557616c65733110300e06035504071307" 310 "4572772057656e30819f300d06092a864886f70d010101050003818d0030" 311 "818902818100bb272b26e5deb5459d4acca027e8f12a4d839ac3730a6a10" 312 "9ff7e25498ddbd3f1895d08ba41f8de34967a3a086ce13a90dd5adbb5418" 313 "4bdc08e1ac7826adb8dc9c717bfd7da5b41b4db1736e00f1dac3cec9819c" 314 "cb1a28ba120b020a820e940dd61f95b5432a4bc05d0818f18ce2154eb38d" 315 "2fa7d22d72b976e560db0c7fc77f0203010001a382013a30820136301d06" 316 "03551d0e04160414b1b148e658e703f5f7f3105f20b3c384d7eff1bf307d" 317 "0603551d23047630748014965508050278479e8773764131bc143a47e229" 318 "aba159a4573055310b300906035504061302474231243022060355040a13" 319 "1b4365727469666963617465205472616e73706172656e6379204341310e" 320 "300c0603550408130557616c65733110300e060355040713074572772057" 321 "656e82010930090603551d130402300030818a060a2b06010401d6790204" 322 "02047c047a0078007600df1c2ec11500945247a96168325ddc5c7959e8f7" 323 "c6d388fc002e0bbd3f74d7640000013ddb27e2a400000403004730450221" 324 "00a6d34517f3392d9ec5d257adf1c597dc45bd4cd3b73856c616a9fb99e5" 325 "ae75a802205e26c8d1c7e222fe8cda29baeb04a834ee97d34fd81718f1aa" 326 "e0cd66f4b8a93f300d06092a864886f70d0101050500038181000f95a5b4" 327 "e128a914b1e88be8b32964221b58f4558433d020a8e246cca65a40bcbf5f" 328 "2d48933ebc99be6927ca756472fb0bdc7f505f41f462f2bc19d0b299c990" 329 "918df8820f3d31db37979e8bad563b17f00ae67b0f8731c106c943a73bf5" 330 "36af168afe21ef4adfcae19a3cc074899992bf506bc5ce1decaaf07ffeeb" 331 "c805c039"; 332 333 // test-embedded-with-intermediate-preca-cert.pem 334 const char kTestEmbeddedWithIntermediatePreCaCertData[] = 335 "30820366308202cfa003020102020103300d06092a864886f70d01010505" 336 "003062310b30090603550406130247423131302f060355040a1328436572" 337 "7469666963617465205472616e73706172656e637920496e7465726d6564" 338 "69617465204341310e300c0603550408130557616c65733110300e060355" 339 "040713074572772057656e301e170d3132303630313030303030305a170d" 340 "3232303630313030303030305a3052310b30090603550406130247423121" 341 "301f060355040a13184365727469666963617465205472616e7370617265" 342 "6e6379310e300c0603550408130557616c65733110300e06035504071307" 343 "4572772057656e30819f300d06092a864886f70d010101050003818d0030" 344 "818902818100d4497056cdfc65e1342cc3df6e654b8af0104702acd2275c" 345 "7d3fb1fc438a89b212110d6419bcc13ae47d64bba241e6706b9ed627f8b3" 346 "4a0d7dff1c44b96287c54bea9d10dc017bceb64f7b6aff3c35a474afec40" 347 "38ab3640b0cd1fb0582ec03b179a2776c8c435d14ab4882d59d7b724fa37" 348 "7ca6db08392173f9c6056b3abadf0203010001a382013a30820136301d06" 349 "03551d0e0416041432da5518d87f1d26ea2767973c0bef286e786a4a307d" 350 "0603551d23047630748014965508050278479e8773764131bc143a47e229" 351 "aba159a4573055310b300906035504061302474231243022060355040a13" 352 "1b4365727469666963617465205472616e73706172656e6379204341310e" 353 "300c0603550408130557616c65733110300e060355040713074572772057" 354 "656e82010930090603551d130402300030818a060a2b06010401d6790204" 355 "02047c047a0078007600df1c2ec11500945247a96168325ddc5c7959e8f7" 356 "c6d388fc002e0bbd3f74d7640000013ddb27e3be00000403004730450221" 357 "00d9f61a07fee021e3159f3ca2f570d833ff01374b2096cba5658c5e16fb" 358 "43eb3002200b76fe475138d8cf76833831304dabf043eb1213c96e13ff4f" 359 "a37f7cd3c8dc1f300d06092a864886f70d01010505000381810088ee4e9e" 360 "5eed6b112cc764b151ed929400e9406789c15fbbcfcdab2f10b400234139" 361 "e6ce65c1e51b47bf7c8950f80bccd57168567954ed35b0ce9346065a5eae" 362 "5bf95d41da8e27cee9eeac688f4bd343f9c2888327abd8b9f68dcb1e3050" 363 "041d31bda8e2dd6d39b3664de5ce0870f5fc7e6a00d6ed00528458d953d2" 364 "37586d73"; 365 366 // Given the ordered set of data [ 0x00, 0x01, 0x02, deadbeef ], 367 // the 'inclusion proof' of the leaf of index '2' (for '0x02') is created from 368 // the Merkle Tree generated for that set of data. 369 // A Merkle inclusion proof for a leaf in a Merkle Tree is the shortest list 370 // of additional nodes in the Merkle Tree required to compute the Merkle Tree 371 // Hash (also called 'Merkle Tree head') for that tree. 372 // This follows the structure defined in RFC 6962-bis. 373 // 374 // https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-24#section-2.1 375 376 const char kTestInclusionProof[] = 377 "020100" // logId 378 "0000000000000004" // tree size 379 "0000000000000002" // leaf index 380 "0042" // inclusion path length 381 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 382 "9" // node 383 // hash 384 // 0 385 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 386 "a"; // node 387 // hash 388 // 1 389 390 const char kTestNodeHash0[] = 391 "48c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed321729"; 392 393 const char kTestNodeHash1[] = 394 "a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953a"; 395 396 const char kTestInclusionProofUnexpectedData[] = "12345678"; 397 398 const char kTestInclusionProofInvalidHashSize[] = 399 "020100" // logId 400 "0000000000000004" // treesize 401 "0000000000000002" // leafindex 402 "0042" // inclusion path length 403 "3048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 404 "9" // invalid hash size 405 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 406 "a"; // node hash 1 407 408 const char kTestInclusionProofInvalidHash[] = 409 "020100" // logId 410 "0000000000000004" // treesize 411 "0000000000000002" // leafindex 412 "0042" // inclusion path length 413 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 414 "9" // node 415 // hash 416 // 0 417 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427"; // truncated node hash 1 418 419 const char kTestInclusionProofMissingLogId[] = 420 "0000000000000004" // treesize 421 "0000000000000002" // leafindex 422 "0042" 423 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 424 "9" // node 425 // hash 426 // 0 427 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 428 "a"; // node 429 // hash 430 // 1 431 432 const char kTestInclusionProofNullPathLength[] = 433 "020100" 434 "0000000000000004" // treesize 435 "0000000000000002" // leafindex 436 "0000" 437 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 438 "9" // node 439 // hash 440 // 0 441 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 442 "a"; // node 443 // hash 444 // 1 445 446 const char kTestInclusionProofPathLengthTooSmall[] = 447 "020100" 448 "0000000000000004" // treesize 449 "0000000000000002" // leafindex 450 "0036" 451 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 452 "9" // node 453 // hash 454 // 0 455 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 456 "a"; // node 457 // hash 458 // 1 459 460 const char kTestInclusionProofPathLengthTooLarge[] = 461 "020100" 462 "0000000000000004" // treesize 463 "0000000000000002" // leafindex 464 "0080" 465 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 466 "9" // node 467 // hash 468 // 0 469 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 470 "a"; // node 471 // hash 472 // 1 473 474 const char kTestInclusionProofNullTreeSize[] = 475 "020100" 476 "0000000000000000" // treesize 477 "0000000000000002" // leafindex 478 "0042" 479 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 480 "9" // node 481 // hash 482 // 0 483 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 484 "a"; // node 485 // hash 486 // 1 487 488 const char kTestInclusionProofLeafIndexOutOfBounds[] = 489 "020100" 490 "0000000000000004" // treesize 491 "0000000000000004" // leafindex 492 "0042" 493 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 494 "9" // node 495 // hash 496 // 0 497 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 498 "a"; // node 499 // hash 500 // 1 501 502 const char kTestInclusionProofExtraData[] = 503 "020100" // logId 504 "0000000000000004" // tree size 505 "0000000000000002" // leaf index 506 "0042" // inclusion path length 507 "2048c90c8ae24688d6bef5d48a30c2cc8b6754335a8db21793cc0a8e3bed32172" 508 "9" // node 509 // hash 510 // 0 511 "20a20bf9a7cc2dc8a08f5f415a71b19f6ac427bab54d24eec868b5d3103449953" 512 "a" // node 513 // hash 514 // 1 515 "123456"; // extra data after the proof 516 517 static uint8_t CharToByte(char c) { 518 if (c >= '0' && c <= '9') { 519 return c - '0'; 520 } 521 if (c >= 'a' && c <= 'f') { 522 return c - 'a' + 10; 523 } 524 if (c >= 'A' && c <= 'F') { 525 return c - 'A' + 10; 526 } 527 abort(); 528 } 529 530 Buffer HexToBytes(const char* hexData) { 531 size_t hexLen = strlen(hexData); 532 if (!(hexLen > 0 && (hexLen % 2 == 0))) { 533 abort(); 534 } 535 size_t resultLen = hexLen / 2; 536 Buffer result; 537 result.reserve(resultLen); 538 for (size_t i = 0; i < resultLen; ++i) { 539 uint8_t hi = CharToByte(hexData[i * 2]); 540 uint8_t lo = CharToByte(hexData[i * 2 + 1]); 541 result.push_back((hi << 4) | lo); 542 } 543 return result; 544 } 545 546 void GetX509CertLogEntry(LogEntry& entry) { 547 entry.Reset(); 548 entry.type = ct::LogEntry::Type::X509; 549 entry.leafCertificate = HexToBytes(kDefaultDerCert); 550 } 551 552 Buffer GetDEREncodedX509Cert() { return HexToBytes(kDefaultDerCert); } 553 554 void GetPrecertLogEntry(LogEntry& entry) { 555 entry.Reset(); 556 entry.type = ct::LogEntry::Type::Precert; 557 entry.issuerKeyHash = HexToBytes(kDefaultIssuerKeyHash); 558 entry.tbsCertificate = HexToBytes(kDefaultDerTbsCert); 559 } 560 561 Buffer GetTestDigitallySigned() { return HexToBytes(kTestDigitallySigned); } 562 563 Buffer GetTestDigitallySignedData() { 564 Buffer encoded = GetTestDigitallySigned(); 565 // The encoded buffer contains the signature data itself from the 4th byte. 566 // The first bytes are: 567 // 1 byte of hash algorithm 568 // 1 byte of signature algorithm 569 // 2 bytes - prefix containing length of the signature data. 570 Buffer result; 571 result.assign(encoded.begin() + 4, encoded.end()); 572 return result; 573 } 574 575 Buffer GetTestSignedCertificateTimestamp() { 576 return HexToBytes(kTestSignedCertificateTimestamp); 577 } 578 579 Buffer GetTestSignedCertificateTimestampWithLeafIndexExtension() { 580 return HexToBytes(kTestSignedCertificateTimestampWithLeafIndexExtension); 581 } 582 583 Buffer GetTestSignedCertificateTimestampWithTwoLeafIndexExtensions() { 584 return HexToBytes(kTestSignedCertificateTimestampWithTwoLeafIndexExtensions); 585 } 586 587 Buffer GetTestSignedCertificateTimestampWithUnknownExtension() { 588 return HexToBytes(kTestSignedCertificateTimestampWithUnknownExtension); 589 } 590 591 Buffer GetTestSignedCertificateTimestampWithUnknownAndLeafIndexExtensions() { 592 return HexToBytes( 593 kTestSignedCertificateTimestampWithUnknownAndLeafIndexExtensions); 594 } 595 596 Buffer GetTestSignedCertificateTimestampWithTooShortExtension() { 597 return HexToBytes(kTestSignedCertificateTimestampWithTooShortExtension); 598 } 599 600 Buffer GetTestInclusionProof() { return HexToBytes(kTestInclusionProof); } 601 602 Buffer GetTestInclusionProofUnexpectedData() { 603 return HexToBytes(kTestInclusionProofUnexpectedData); 604 } 605 606 Buffer GetTestInclusionProofInvalidHashSize() { 607 return HexToBytes(kTestInclusionProofInvalidHashSize); 608 } 609 610 Buffer GetTestInclusionProofInvalidHash() { 611 return HexToBytes(kTestInclusionProofInvalidHash); 612 } 613 614 Buffer GetTestInclusionProofMissingLogId() { 615 return HexToBytes(kTestInclusionProofMissingLogId); 616 } 617 618 Buffer GetTestInclusionProofNullPathLength() { 619 return HexToBytes(kTestInclusionProofNullPathLength); 620 } 621 622 Buffer GetTestInclusionProofPathLengthTooSmall() { 623 return HexToBytes(kTestInclusionProofPathLengthTooSmall); 624 } 625 626 Buffer GetTestInclusionProofPathLengthTooLarge() { 627 return HexToBytes(kTestInclusionProofPathLengthTooLarge); 628 } 629 630 Buffer GetTestInclusionProofNullTreeSize() { 631 return HexToBytes(kTestInclusionProofNullTreeSize); 632 } 633 634 Buffer GetTestInclusionProofLeafIndexOutOfBounds() { 635 return HexToBytes(kTestInclusionProofLeafIndexOutOfBounds); 636 } 637 638 Buffer GetTestInclusionProofExtraData() { 639 return HexToBytes(kTestInclusionProofExtraData); 640 } 641 642 Buffer GetTestNodeHash0() { return HexToBytes(kTestNodeHash0); } 643 644 Buffer GetTestNodeHash1() { return HexToBytes(kTestNodeHash1); } 645 646 Buffer GetTestPublicKey() { return HexToBytes(kEcP256PublicKey); } 647 648 Buffer GetTestPublicKeyId() { return HexToBytes(kTestKeyId); } 649 650 void GetX509CertSCT(SignedCertificateTimestamp& sct) { 651 sct.version = ct::SignedCertificateTimestamp::Version::V1; 652 sct.logId = HexToBytes(kTestKeyId); 653 // Time the log issued a SCT for this certificate, which is 654 // Fri Apr 5 10:04:16.089 2013 655 sct.timestamp = INT64_C(1365181456089); 656 sct.extensions.clear(); 657 658 sct.signature.hashAlgorithm = ct::DigitallySigned::HashAlgorithm::SHA256; 659 sct.signature.signatureAlgorithm = 660 ct::DigitallySigned::SignatureAlgorithm::ECDSA; 661 sct.signature.signatureData = HexToBytes(kTestSCTSignatureData); 662 } 663 664 void GetPrecertSCT(SignedCertificateTimestamp& sct) { 665 sct.version = ct::SignedCertificateTimestamp::Version::V1; 666 sct.logId = HexToBytes(kTestKeyId); 667 // Time the log issued a SCT for this Precertificate, which is 668 // Fri Apr 5 10:04:16.275 2013 669 sct.timestamp = INT64_C(1365181456275); 670 sct.extensions.clear(); 671 672 sct.signature.hashAlgorithm = ct::DigitallySigned::HashAlgorithm::SHA256; 673 sct.signature.signatureAlgorithm = 674 ct::DigitallySigned::SignatureAlgorithm::ECDSA; 675 sct.signature.signatureData = HexToBytes(kTestSCTPrecertSignatureData); 676 } 677 678 Buffer GetDefaultIssuerKeyHash() { return HexToBytes(kDefaultIssuerKeyHash); } 679 680 Buffer GetDEREncodedTestEmbeddedCert() { 681 return HexToBytes(kTestEmbeddedCertData); 682 } 683 684 Buffer GetDEREncodedTestTbsCert() { return HexToBytes(kTestTbsCertData); } 685 686 Buffer GetDEREncodedTestEmbeddedWithPreCACert() { 687 return HexToBytes(kTestEmbeddedWithPreCaCertData); 688 } 689 690 Buffer GetDEREncodedCACert() { return HexToBytes(kCaCertData); } 691 692 Buffer GetDEREncodedIntermediateCert() { 693 return HexToBytes(kIntermediateCertData); 694 } 695 696 Buffer GetDEREncodedTestEmbeddedWithIntermediateCert() { 697 return HexToBytes(kTestEmbeddedWithIntermediateCertData); 698 } 699 700 Buffer GetDEREncodedTestEmbeddedWithIntermediatePreCACert() { 701 return HexToBytes(kTestEmbeddedWithIntermediatePreCaCertData); 702 } 703 704 Buffer ExtractCertSPKI(Input cert) { 705 BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); 706 if (backCert.Init() != Success) { 707 abort(); 708 } 709 710 Input spkiInput = backCert.GetSubjectPublicKeyInfo(); 711 Buffer spki; 712 InputToBuffer(spkiInput, spki); 713 return spki; 714 } 715 716 Buffer ExtractCertSPKI(const Buffer& cert) { 717 return ExtractCertSPKI(InputForBuffer(cert)); 718 } 719 720 void ExtractEmbeddedSCTList(Input cert, Buffer& result) { 721 result.clear(); 722 BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); 723 ASSERT_EQ(Success, backCert.Init()); 724 const Input* scts = backCert.GetSignedCertificateTimestamps(); 725 if (scts) { 726 Input sctList; 727 ASSERT_EQ(Success, ExtractSignedCertificateTimestampListFromExtension( 728 *scts, sctList)); 729 InputToBuffer(sctList, result); 730 } 731 } 732 733 void ExtractEmbeddedSCTList(const Buffer& cert, Buffer& result) { 734 ExtractEmbeddedSCTList(InputForBuffer(cert), result); 735 } 736 737 class OCSPExtensionTrustDomain : public TrustDomain { 738 public: 739 pkix::Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input, 740 TrustLevel&) override { 741 ADD_FAILURE(); 742 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 743 } 744 745 pkix::Result FindIssuer(Input, IssuerChecker&, Time) override { 746 ADD_FAILURE(); 747 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 748 } 749 750 pkix::Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, 751 const Input*, const Input*) override { 752 ADD_FAILURE(); 753 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 754 } 755 756 pkix::Result IsChainValid(const DERArray&, Time, 757 const CertPolicyId&) override { 758 ADD_FAILURE(); 759 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 760 } 761 762 pkix::Result DigestBuf(Input item, DigestAlgorithm digestAlg, 763 /*out*/ uint8_t* digestBuf, 764 size_t digestBufLen) override { 765 return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen); 766 } 767 768 pkix::Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA, 769 Time) override { 770 ADD_FAILURE(); 771 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 772 } 773 774 pkix::Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override { 775 ADD_FAILURE(); 776 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 777 } 778 779 pkix::Result VerifyECDSASignedData(Input data, 780 DigestAlgorithm digestAlgorithm, 781 Input signature, 782 Input subjectPublicKeyInfo) override { 783 return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, 784 subjectPublicKeyInfo, nullptr); 785 } 786 787 pkix::Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, 788 unsigned int) override { 789 ADD_FAILURE(); 790 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 791 } 792 793 pkix::Result VerifyRSAPKCS1SignedData(Input data, 794 DigestAlgorithm digestAlgorithm, 795 Input signature, 796 Input subjectPublicKeyInfo) override { 797 return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, 798 subjectPublicKeyInfo, nullptr); 799 } 800 801 pkix::Result VerifyRSAPSSSignedData(Input data, 802 DigestAlgorithm digestAlgorithm, 803 Input signature, 804 Input subjectPublicKeyInfo) override { 805 return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature, 806 subjectPublicKeyInfo, nullptr); 807 } 808 809 pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, 810 KeyPurposeId) override { 811 ADD_FAILURE(); 812 return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; 813 } 814 815 void NoteAuxiliaryExtension(AuxiliaryExtension extension, 816 Input data) override { 817 if (extension != AuxiliaryExtension::SCTListFromOCSPResponse) { 818 ADD_FAILURE(); 819 return; 820 } 821 InputToBuffer(data, signedCertificateTimestamps); 822 } 823 824 Buffer signedCertificateTimestamps; 825 }; 826 827 void ExtractSCTListFromOCSPResponse(Input cert, Input issuerSPKI, 828 Input encodedResponse, Time time, 829 Buffer& result) { 830 result.clear(); 831 832 BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); 833 ASSERT_EQ(Success, backCert.Init()); 834 835 CertID certID(backCert.GetIssuer(), issuerSPKI, backCert.GetSerialNumber()); 836 837 bool expired; 838 OCSPExtensionTrustDomain trustDomain; 839 pkix::Result rv = 840 VerifyEncodedOCSPResponse(trustDomain, certID, time, /*time*/ 841 1000, /*maxLifetimeInDays*/ 842 encodedResponse, expired); 843 ASSERT_EQ(Success, rv); 844 845 result = std::move(trustDomain.signedCertificateTimestamps); 846 } 847 848 Input InputForBuffer(const Buffer& buffer) { 849 Input input; 850 if (input.Init(buffer.data(), buffer.size()) != Success) { 851 abort(); 852 } 853 return input; 854 } 855 856 Input InputForSECItem(const SECItem& item) { 857 Input input; 858 if (input.Init(item.data, item.len) != Success) { 859 abort(); 860 } 861 return input; 862 } 863 864 } // namespace ct 865 } // namespace mozilla 866 867 namespace mozilla { 868 869 std::ostream& operator<<(std::ostream& stream, const ct::Buffer& buffer) { 870 if (buffer.empty()) { 871 stream << "EMPTY"; 872 } else { 873 for (size_t i = 0; i < buffer.size(); ++i) { 874 if (i >= 1000) { 875 stream << "..."; 876 break; 877 } 878 stream << std::hex << std::setw(2) << std::setfill('0') 879 << static_cast<unsigned>(buffer[i]); 880 } 881 } 882 stream << std::dec; 883 return stream; 884 } 885 886 } // namespace mozilla