@Test
public void testGetPublicCertificates() throws Exception {
Collection<PublicCertificate> certs = appIdentity.getPublicCertificatesForApp();
Assert.assertTrue("No certificates returned.", !certs.isEmpty());
for (PublicCertificate publicCert : certs) {
Assert.assertTrue(
"No name for certificate.", !publicCert.getCertificateName().trim().isEmpty());
String pemFormat = publicCert.getX509CertificateInPemFormat();
String errMsg = "getX509CertificateInPemFormat():" + pemFormat;
// TODO better check?
Assert.assertTrue(errMsg, pemFormat.startsWith("-----BEGIN"));
Assert.assertTrue(errMsg, pemFormat.contains("-----END"));
InputStream stream =
new ByteArrayInputStream(publicCert.getX509CertificateInPemFormat().getBytes("UTF-8"));
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(stream);
PublicKey pk = cert.getPublicKey();
Assert.assertNotNull(pk.getEncoded());
}
}
/*
* Try all certificates with the signed blob. Any cert throws an exception is a test Error.
* Any cert is valid with no exceptions, then pass.
*
* Debugging this can be a pain, so being extra verbose and explicit with logging.
*/
private boolean verifySignatureWithAllCertsForApp(
byte[] blob, byte[] signedBlob, Collection<PublicCertificate> certsForApp) {
if (certsForApp.isEmpty()) {
throw new IllegalStateException("No certificates to validate. Must have at least 1.");
}
int currentCertNum = 0;
int totalValid = 0;
int totalInvalid = 0;
List<Exception> allExceptions = new ArrayList<>();
for (PublicCertificate publicCert : certsForApp) {
Signature signature;
Certificate cert = null;
currentCertNum++;
log.info("Processing certNum:" + currentCertNum);
try {
byte[] certBytes = publicCert.getX509CertificateInPemFormat().getBytes("UTF-8");
InputStream stream = new ByteArrayInputStream(certBytes);
signature = Signature.getInstance("SHA256withRSA"); // Make this configurable?
CertificateFactory cf = CertificateFactory.getInstance("X.509");
cert = cf.generateCertificate(stream);
log.info(cert.toString());
PublicKey pk = cert.getPublicKey();
signature.initVerify(pk);
signature.update(blob);
boolean isValidSignature = signature.verify(signedBlob);
if (isValidSignature) {
totalValid++;
} else {
totalInvalid++;
}
log.info("certNum:" + currentCertNum + ": is valid:" + isValidSignature);
// These can be thrown:
// UnsupportedEncodingException, NoSuchAlgorithmException, CertificateException,
// SignatureException, InvalidKeyException
} catch (Exception e) {
Exception logException = createExceptionForLog(e, currentCertNum, cert);
allExceptions.add(logException);
log.info(e.toString());
}
}
String summary =
"totalCerts:"
+ certsForApp.size()
+ ": totalValid:"
+ totalValid
+ " totalInvalid:"
+ totalInvalid
+ " totalExceptions:"
+ allExceptions.size();
log.info(summary);
// At least one certificate caused an exception so make test Error.
if (allExceptions.size() > 0) {
throw new IllegalStateException(summary + "\n\n" + exceptionListToString(allExceptions));
}
// At least one signature was valid and no exceptions thrown.
return (totalValid > 0);
}
