@Test public void testGetPublicCertificates() throws Exception { Collection<PublicCertificate> certs = appIdentity.getPublicCertificatesForApp(); Assert.assertTrue("No certificates returned.", !certs.isEmpty()); for (PublicCertificate publicCert : certs) { Assert.assertTrue( "No name for certificate.", !publicCert.getCertificateName().trim().isEmpty()); String pemFormat = publicCert.getX509CertificateInPemFormat(); String errMsg = "getX509CertificateInPemFormat():" + pemFormat; // TODO better check? Assert.assertTrue(errMsg, pemFormat.startsWith("-----BEGIN")); Assert.assertTrue(errMsg, pemFormat.contains("-----END")); InputStream stream = new ByteArrayInputStream(publicCert.getX509CertificateInPemFormat().getBytes("UTF-8")); CertificateFactory cf = CertificateFactory.getInstance("X.509"); Certificate cert = cf.generateCertificate(stream); PublicKey pk = cert.getPublicKey(); Assert.assertNotNull(pk.getEncoded()); } }
/* * Try all certificates with the signed blob. Any cert throws an exception is a test Error. * Any cert is valid with no exceptions, then pass. * * Debugging this can be a pain, so being extra verbose and explicit with logging. */ private boolean verifySignatureWithAllCertsForApp( byte[] blob, byte[] signedBlob, Collection<PublicCertificate> certsForApp) { if (certsForApp.isEmpty()) { throw new IllegalStateException("No certificates to validate. Must have at least 1."); } int currentCertNum = 0; int totalValid = 0; int totalInvalid = 0; List<Exception> allExceptions = new ArrayList<>(); for (PublicCertificate publicCert : certsForApp) { Signature signature; Certificate cert = null; currentCertNum++; log.info("Processing certNum:" + currentCertNum); try { byte[] certBytes = publicCert.getX509CertificateInPemFormat().getBytes("UTF-8"); InputStream stream = new ByteArrayInputStream(certBytes); signature = Signature.getInstance("SHA256withRSA"); // Make this configurable? CertificateFactory cf = CertificateFactory.getInstance("X.509"); cert = cf.generateCertificate(stream); log.info(cert.toString()); PublicKey pk = cert.getPublicKey(); signature.initVerify(pk); signature.update(blob); boolean isValidSignature = signature.verify(signedBlob); if (isValidSignature) { totalValid++; } else { totalInvalid++; } log.info("certNum:" + currentCertNum + ": is valid:" + isValidSignature); // These can be thrown: // UnsupportedEncodingException, NoSuchAlgorithmException, CertificateException, // SignatureException, InvalidKeyException } catch (Exception e) { Exception logException = createExceptionForLog(e, currentCertNum, cert); allExceptions.add(logException); log.info(e.toString()); } } String summary = "totalCerts:" + certsForApp.size() + ": totalValid:" + totalValid + " totalInvalid:" + totalInvalid + " totalExceptions:" + allExceptions.size(); log.info(summary); // At least one certificate caused an exception so make test Error. if (allExceptions.size() > 0) { throw new IllegalStateException(summary + "\n\n" + exceptionListToString(allExceptions)); } // At least one signature was valid and no exceptions thrown. return (totalValid > 0); }