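// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

package certificates

import (
	"crypto/ecdsa"
	"crypto/x509"
	"encoding/asn1"
	"os"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestRemoteCertificates fetches the live chain presented by www.google.com:443.
// It needs outbound network access, so it is skipped under `go test -short`;
// run the full suite when a network is available.
//
// Only the leaf's CommonName is pinned. The intermediate changes over time
// (presumably why the second assertion was retired), and nothing here
// establishes that the presented chain was verified — the test covers
// fetching and PEM encoding, not validation.
func TestRemoteCertificates(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping network-dependent test in -short mode")
	}

	certChain, err := Fetch("www.google.com:443")
	require.NoError(t, err)
	// A server normally presents at least leaf + intermediate. Use require so
	// the certChain[0] access below cannot panic on a short chain.
	require.GreaterOrEqual(t, len(certChain), 2)

	for i := range certChain {
		pemData, err := EncodeCertAsPEM(certChain[i])
		require.NoError(t, err)
		// t.Logf keeps the dump out of normal output; it shows only with -v or on failure.
		t.Logf("certificate %d:\n%s", i, pemData)
	}

	assert.Equal(t, "www.google.com", certChain[0].Subject.CommonName)
	// assert.Equal(t, "GTS CA 1C3", certChain[1].Subject.CommonName)
}

// TestParseCertificates parses the static fixture testdata/google.crt and
// checks that the fields the resource exposes are decoded as expected.
//
// The fixture's NotAfter is 1597764603 (2020-08-18), so it has long expired.
// That is fine here: only ParseCertsFromPEM is exercised; no chain
// verification or expiry check happens in this test.
func TestParseCertificates(t *testing.T) {
	f, err := os.Open("./testdata/google.crt")
	require.NoError(t, err)
	defer f.Close()

	certChain, err := ParseCertsFromPEM(f)
	require.NoError(t, err)
	// Guard the certChain[0] access below with a failure message instead of a panic.
	require.NotEmpty(t, certChain)

	// root certificate is GlobalSign
	// assert.Equal(t, "", certChain[2].Subject.CommonName)

	cert := certChain[0]

	// subject
	assert.Equal(t, []string{"US"}, cert.Subject.Country)
	assert.Equal(t, []string{"California"}, cert.Subject.Province)
	assert.Equal(t, []string{"Mountain View"}, cert.Subject.Locality)
	assert.Equal(t, []string{"Google LLC"}, cert.Subject.Organization)
	assert.Equal(t, "CN=www.google.com,O=Google LLC,L=Mountain View,ST=California,C=US", cert.Subject.String())

	// issuer
	assert.Equal(t, []string{"US"}, cert.Issuer.Country)
	assert.Equal(t, []string{"Google Trust Services"}, cert.Issuer.Organization)
	assert.Equal(t, "GTS CA 1O1", cert.Issuer.CommonName)
	assert.Equal(t, "CN=GTS CA 1O1,O=Google Trust Services,C=US", cert.Issuer.String())

	// validity window (Unix seconds)
	assert.Equal(t, int64(1590507003), cert.NotBefore.Unix())
	assert.Equal(t, int64(1597764603), cert.NotAfter.Unix())

	// TODO: subject alt names

	// public key info
	// A bare type assertion would panic the whole test binary on a non-ECDSA
	// key; fail this test with a readable message instead.
	pk, ok := cert.PublicKey.(*ecdsa.PublicKey)
	require.True(t, ok, "expected *ecdsa.PublicKey, got %T", cert.PublicKey)
	assert.Equal(t, "P-256", pk.Params().Name)         // NIST Curve
	assert.Equal(t, 256, pk.Params().BitSize)          // Key Size
	assert.Equal(t, 256, pk.Params().P.BitLen())       // Curve: P-256
	assert.Equal(t, "ECDSA", cert.PublicKeyAlgorithm.String())

	// miscellaneous
	// SerialNumber.Bytes() is the big.Int magnitude. The DER INTEGER carries a
	// leading 0x00 byte because the top bit of 0xb2 is set, which openssl
	// renders as "00:b2:...". TODO: emit that leading 00 pad to match openssl.
	assert.Equal(t, "b2:6c:68:c0:28:6d:9e:92:08:00:00:00:00:43:55:25", HexEncodeToHumanString(cert.SerialNumber.Bytes()))
	assert.Equal(t, 3, cert.Version)
	assert.Equal(t, "SHA256-RSA", cert.SignatureAlgorithm.String())

	// SHA-1 Fingerprint (display/identification only; not a security property)
	assert.Equal(t, "df:03:32:0d:6d:b8:ac:f2:50:07:24:86:ba:9d:d5:04:15:31:61:ce", HexEncodeToHumanString(Sha1Hash(cert)))

	// SHA-256 Fingerprint
	assert.Equal(t, "91:4e:a6:a7:26:b8:57:f2:56:0d:f5:1c:8d:87:39:36:ab:d9:f2:22:3f:5a:a9:da:25:46:25:8c:11:50:8e:0a", HexEncodeToHumanString(Sha256Hash(cert)))

	// constraints
	assert.Equal(t, false, cert.IsCA)

	// key uses
	assert.Equal(t, x509.KeyUsageDigitalSignature, cert.KeyUsage)

	// extended key uses
	assert.Equal(t, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, cert.ExtKeyUsage)

	// subject key id
	assert.Equal(t, "bd:81:6d:df:93:94:14:53:0b:92:39:22:74:9f:33:99:22:f8:f1:15", HexEncodeToHumanString(cert.SubjectKeyId))

	// authority key id
	assert.Equal(t, "98:d1:f8:6e:10:eb:cf:9b:ec:60:9f:18:90:1b:a0:eb:7d:09:fd:2b", HexEncodeToHumanString(cert.AuthorityKeyId))

	// crl endpoints
	assert.Equal(t, []string{"http://crl.pki.goog/GTS1O1core.crl"}, cert.CRLDistributionPoints)

	// authority info (aia)
	// location, method OCSP
	assert.Equal(t, []string{"http://ocsp.pki.goog/gts1o1core"}, cert.OCSPServer)
	assert.Equal(t, []string{"http://pki.goog/gsr2/GTS1O1.crt"}, cert.IssuingCertificateURL)

	// certificate policies
	// policy name and value
	assert.Equal(t, []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 2}, {1, 3, 6, 1, 4, 1, 11129, 2, 5, 3}}, cert.PolicyIdentifiers)

	// extensions
	for i := range cert.Extensions {
		ext := cert.Extensions[i]
		// Extension values are raw DER; dump them as hex rather than as a string.
		t.Logf("%s critical=%t value=%x", ext.Id, ext.Critical, ext.Value)
	}
}

// TestHexPrint checks that HexEncodeToHumanString renders bytes as
// two-digit lowercase hex separated by colons, padding single digits with 0.
func TestHexPrint(t *testing.T) {
	input := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
	got := HexEncodeToHumanString(input)
	assert.Equal(t, "00:01:02:03:04:05:06:07:08:09:0a:0b:0c", got)
}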