mirror of
https://github.com/google/nomulus.git
synced 2025-05-09 08:18:21 +02:00
c458c05801
The dark lord Gosling designed the Java package naming system so that ownership flows from the DNS system. Since we own the domain name registry.google, it seems only appropriate that we should use google.registry as our package name.
111 lines
4 KiB
Java
111 lines
4 KiB
Java
// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package google.registry.tmch;
|
|
|
|
import static google.registry.tmch.TmchTestData.loadString;
|
|
import static google.registry.util.ResourceUtils.readResourceUtf8;
|
|
import static google.registry.util.X509Utils.loadCertificate;
|
|
|
|
import google.registry.model.tmch.TmchCrl;
|
|
import google.registry.testing.AppEngineRule;
|
|
import google.registry.testing.ExceptionRule;
|
|
import google.registry.testing.FakeClock;
|
|
import google.registry.testing.InjectRule;
|
|
import google.registry.testing.RegistryConfigRule;
|
|
|
|
import org.joda.time.DateTime;
|
|
import org.junit.Before;
|
|
import org.junit.Rule;
|
|
import org.junit.Test;
|
|
import org.junit.runner.RunWith;
|
|
import org.junit.runners.JUnit4;
|
|
|
|
import java.security.SignatureException;
|
|
import java.security.cert.CertificateExpiredException;
|
|
import java.security.cert.CertificateNotYetValidException;
|
|
import java.security.cert.CertificateRevokedException;
|
|
|
|
/** Unit tests for {@link TmchCertificateAuthority}. */
|
|
@RunWith(JUnit4.class)
|
|
public class TmchCertificateAuthorityTest {
|
|
|
|
public static final String GOOD_TEST_CERTIFICATE = loadString("icann-tmch-test-good.crt");
|
|
public static final String REVOKED_TEST_CERTIFICATE = loadString("icann-tmch-test-revoked.crt");
|
|
|
|
@Rule
|
|
public final AppEngineRule appEngine = AppEngineRule.builder()
|
|
.withDatastore()
|
|
.build();
|
|
|
|
@Rule
|
|
public final ExceptionRule thrown = new ExceptionRule();
|
|
|
|
@Rule
|
|
public final InjectRule inject = new InjectRule();
|
|
|
|
@Rule
|
|
public final RegistryConfigRule configRule = new RegistryConfigRule();
|
|
|
|
private FakeClock clock = new FakeClock(DateTime.parse("2014-01-01T00:00:00Z"));
|
|
|
|
@Before
|
|
public void before() throws Exception {
|
|
inject.setStaticField(TmchCertificateAuthority.class, "clock", clock);
|
|
}
|
|
|
|
@Test
|
|
public void testFailure_prodRootExpired() throws Exception {
|
|
thrown.expectRootCause(
|
|
CertificateExpiredException.class, "NotAfter: Sun Jul 23 23:59:59 UTC 2023");
|
|
configRule.useTmchProdCert();
|
|
clock.setTo(DateTime.parse("2024-01-01T00:00:00Z"));
|
|
TmchCertificateAuthority.getRoot();
|
|
}
|
|
|
|
@Test
|
|
public void testFailure_prodRootNotYetValid() throws Exception {
|
|
thrown.expectRootCause(CertificateNotYetValidException.class,
|
|
"NotBefore: Wed Jul 24 00:00:00 UTC 2013");
|
|
configRule.useTmchProdCert();
|
|
clock.setTo(DateTime.parse("2000-01-01T00:00:00Z"));
|
|
TmchCertificateAuthority.getRoot();
|
|
}
|
|
|
|
@Test
|
|
public void testFailure_crlDoesntMatchCerts() throws Exception {
|
|
thrown.expectRootCause(SignatureException.class, "Signature does not match");
|
|
// Use the prod cl, which won't match our test certificate.
|
|
TmchCrl.set(readResourceUtf8(TmchCertificateAuthority.class, "icann-tmch.crl"));
|
|
TmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE));
|
|
}
|
|
|
|
@Test
|
|
public void testSuccess_verify() throws Exception {
|
|
TmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE));
|
|
}
|
|
|
|
@Test
|
|
public void testFailure_verifySignatureDoesntMatch() throws Exception {
|
|
thrown.expectRootCause(SignatureException.class, "Signature does not match");
|
|
configRule.useTmchProdCert();
|
|
TmchCertificateAuthority.verify(loadCertificate(GOOD_TEST_CERTIFICATE));
|
|
}
|
|
|
|
@Test
|
|
public void testFailure_verifyRevoked() throws Exception {
|
|
thrown.expect(CertificateRevokedException.class, "revoked, reason: KEY_COMPROMISE");
|
|
TmchCertificateAuthority.verify(loadCertificate(REVOKED_TEST_CERTIFICATE));
|
|
}
|
|
}
|