| blob | a65180ea92df9b3764a20ae1341d5f7c19166471 |
1 import { Integer as asn1jsInteger } from 'asn1js';
3 import { HOUR, SECOND, YEAR } from '@proton/shared/lib/constants';
5 import { KT_CERTIFICATE_ISSUER } from '../lib';
6 import {
7 parseCertChain,
8 parseCertificate,
9 verifyAltName,
10 verifyCertChain,
11 verifySCT,
12 } from '../lib/verification/verifyCertificates';
13 import { letsEncryptCertificateChain, zeroSSLCertificateChain } from './verifyCertificate.data';
14 import { epoch } from './verifyKeys.data';
16 describe('certificate transparency', () => {
17 it('should fail to parse with corrupt certificate', async () => {
18 let errorThrown = true;
19 try {
20 await parseCertificate('corrupt');
21 errorThrown = false;
22 } catch (err) {
23 expect(err.message).toEqual("Object's schema was not verified against input data for Certificate");
24 }
25 expect(errorThrown).toEqual(true);
26 });
28 it('should fail in verifyAltName with missing extensions', async () => {
29 const { Certificate, ChainHash, EpochID, CertificateTime } = epoch;
30 const [cert] = await parseCertChain(Certificate);
31 const { extensions, ...certNoExt } = cert;
33 let errorThrown = true;
34 try {
35 await verifyAltName(certNoExt, ChainHash, EpochID, CertificateTime);
36 errorThrown = false;
37 } catch (err) {
38 expect(err.message).toEqual('Epoch certificate does not have extensions');
39 }
40 expect(errorThrown).toEqual(true);
41 });
43 it('should fail in verifyAltName with missing AltName extension', async () => {
44 const { Certificate, ChainHash, EpochID, CertificateTime } = epoch;
45 const [cert] = await parseCertChain(Certificate);
46 const corruptExt = cert.extensions.filter((ext) => ext.extnID !== '2.5.29.17');
48 let errorThrown = true;
49 try {
50 await verifyAltName({ ...cert, extensions: corruptExt }, ChainHash, EpochID, CertificateTime);
51 errorThrown = false;
52 } catch (err) {
53 expect(err.message).toEqual('Epoch certificate does not have AltName extension');
54 }
55 expect(errorThrown).toEqual(true);
56 });
58 it('should fail in verifySCT with corrupt certificate', async () => {
59 const { Certificate } = epoch;
60 const certChain = await parseCertChain(Certificate);
61 const epochCert = certChain[0];
62 const issuerCert = certChain[1];
63 epochCert.serialNumber = new asn1jsInteger();
65 let errorThrown = true;
66 try {
67 await verifySCT(epochCert, issuerCert);
68 errorThrown = false;
69 } catch (err) {
70 expect(err.message).toEqual('The number of verified SCTs does not reach the number of operator threshold');
71 }
72 expect(errorThrown).toEqual(true);
73 });
74 });
76 describe('certificate chain verification', () => {
77 it('Should verify 0SSL certificate', async () => {
78 const now = new Date(1709515033 * SECOND + 24 * HOUR); // 24h after epoch was published.
79 let error;
80 try {
81 await verifyCertChain(await parseCertChain(zeroSSLCertificateChain), KT_CERTIFICATE_ISSUER.ZEROSSL, now);
82 } catch (err) {
83 error = err;
84 }
85 expect(error).toBeUndefined();
86 });
87 it('Should verify LE certificate', async () => {
88 const now = new Date(1709529634 * SECOND + 24 * HOUR); // 24h after epoch was published.
89 let error;
90 try {
91 await verifyCertChain(
92 await parseCertChain(letsEncryptCertificateChain),
93 KT_CERTIFICATE_ISSUER.LETSENCRYPT,
94 now
95 );
96 } catch (err) {
97 error = err;
98 }
99 expect(error).toBeUndefined();
100 });
101 it('Should fail on expiry', async () => {
102 const now = new Date(1709529634 * SECOND + 1 * YEAR); // 1year after epoch was published.
103 let error;
104 try {
105 await verifyCertChain(
106 await parseCertChain(letsEncryptCertificateChain),
107 KT_CERTIFICATE_ISSUER.LETSENCRYPT,
108 now
109 );
110 } catch (err) {
111 error = err;
112 }
113 expect(error).toBeDefined();
114 expect(error.message).toEqual("Epoch certificate did not pass verification against issuer's certificate chain");
115 });
116 it('Should fail if the certificate is in the future', async () => {
117 const now = new Date(1709529634 * SECOND - 1 * YEAR); // 1year before epoch was published.
118 let error;
119 try {
120 await verifyCertChain(
121 await parseCertChain(letsEncryptCertificateChain),
122 KT_CERTIFICATE_ISSUER.LETSENCRYPT,
123 now
124 );
125 } catch (err) {
126 error = err;
127 }
128 expect(error).toBeDefined();
129 expect(error.message).toEqual("Epoch certificate did not pass verification against issuer's certificate chain");
130 });
131 it('Should fail if the certificate chain is broken', async () => {
132 const now = new Date(1709529634 * SECOND + 24 * HOUR); // 24h after epoch was published.
133 let error;
134 try {
135 const zeroSSLChain = await parseCertChain(zeroSSLCertificateChain);
136 const letsEncryptChain = await parseCertChain(letsEncryptCertificateChain);
137 const chain = [letsEncryptChain[0], ...zeroSSLChain.slice(1)];
138 await verifyCertChain(chain, KT_CERTIFICATE_ISSUER.LETSENCRYPT, now);
139 } catch (err) {
140 error = err;
141 }
142 expect(error).toBeDefined();
143 expect(error.message).toEqual("Epoch certificate did not pass verification against issuer's certificate chain");
144 });
145 });