Skip to content

Commit

Permalink
improve tests
Browse files Browse the repository at this point in the history
  • Loading branch information
Taowyoo committed Nov 11, 2024
1 parent 9b0d3c2 commit 07442c7
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 9 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/java-example-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
echo "Maven is already installed"
fi
- name: Build with Maven
run: mvn -B package --file key-attestation/java-example/pom.xml
run: mvn -B package -Dstyle.color=always --file key-attestation/java-example/pom.xml
env:
AMER_APP_API_KEY: ${{ secrets.AMER_APP_API_KEY }}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ public static void verify(List<X509Certificate> authorityChain, X509Certificate
verify_cert_chain_signature(authorityChain, trustRootCa, verifyCrl);
} catch (Exception e) {
throw new KeyAttestationStatementVerifyException(
"The signature in 'Fortanix DSM Key Attestation' certificate is invalid, " + e.toString());
"Failed to verify signatures in `authorityChain`, " + e.toString());
}

CertChecker statementChecker = new KeyAttestationStatementCertChecker();
Expand Down Expand Up @@ -141,13 +141,14 @@ public static void verify_cert_chain_signature(List<X509Certificate> chain, X509
// Because root CA does not contain CRL distribution point extension,
// CertPathValidator will throw error when CRL revocation check is enabled.
// As a result, root CA need to be removed from cert chain.
CertPath certPath = factory.generateCertPath(chain.subList(0, chain.size() - 1));
List<X509Certificate> modified_chain = chain.subList(0, chain.size() - 1);
CertPath certPath = factory.generateCertPath(modified_chain);

// Set up TrustAnchor using the last certificate as the root certificate
TrustAnchor trustAnchor = new TrustAnchor(trust_ca, null);
Set<TrustAnchor> trustAnchors = Collections.singleton(trustAnchor);

CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", "BC");
PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
rc.setOptions(EnumSet.of(
PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CLR over OCSP
Expand All @@ -160,7 +161,7 @@ public static void verify_cert_chain_signature(List<X509Certificate> chain, X509
}

// Validate CertPath
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
try {
validator.validate(certPath, pkixParams);
} catch (CertPathValidatorException e) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -73,9 +73,10 @@ public void verifyStatementFromPemWithoutCrlCheck() throws Exception {
X509Certificate trusted = cert_chain.get(cert_chain.size() - 1);
// because at time this code is written, CRL server is not setup, we turn of the
// CRL check
KeyAttestationStatementVerifyException exception = assertThrows(KeyAttestationStatementVerifyException.class,
Exception exception = assertThrows(Exception.class,
() -> Verify.verify(authorityChain, cert_chain.get(0), trusted, false));
assertTrue("certificates should already expired", exception.toString().contains("validity check failed"));
assertTrue("certificates should already expired, exception: " + exception.toString(),
exception.toString().contains("certificate expired") || exception.toString().contains("NotAfter"));
}

/**
Expand All @@ -100,9 +101,10 @@ public void verifyStatementFromJsonWithoutCrlCheck() throws Exception {
X509Certificate trusted = Verify.readBase64EncodedCertificate(authorityChain.get(authorityChain.size() - 1));
// because at time this code is written, CRL server is not setup, we turn of the
// CRL check
KeyAttestationStatementVerifyException exception = assertThrows(KeyAttestationStatementVerifyException.class,
Exception exception = assertThrows(Exception.class,
() -> Verify.verify(decodedResponse, trusted, false));
assertTrue("certificates should already expired", exception.toString().contains("validity check failed"));
assertTrue("certificates should already expired, exception: " + exception.toString(),
exception.toString().contains("certificate expired") || exception.toString().contains("NotAfter"));
}

/**
Expand Down

0 comments on commit 07442c7

Please sign in to comment.