diff --git a/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs
index 2334333e3dfb74b2cba0141f0ad309f26f57d248..a49819b007ef15fac6a89811577e037dc7c7c316 100644
--- a/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs
+++ b/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs
@@ -42,6 +42,70 @@ namespace dk.gov.oiosi.test.unit.security.ldap }; } + + + [Test] + public void TestLdapTestServerFoces2Subject() + { + var ldapCertificateLookup = new LdapCertificateLookup(this._ldapSettings); + var certSubject = new CertificateSubject(TestConstants.TEST_CERTIFICATE_SUBJECT_FUNCTION); + + X509Certificate2 cert = null; + + try + { + cert = ldapCertificateLookup.GetCertificate(certSubject); + } + catch (CertificateValidationException ex) + { + // We managed to connect and get a certificate. For some (possibly local) reason it didn't + // pass validation but that is not important for this test. + cert = (X509Certificate2)ex.Data["Certificate"]; + } + + // java: assertEquals("Wrong cert. found...", BigInteger.valueOf(1538079514), cert.getSerialNumber()); + var actualSerialNumber = cert.GetSerialNumberString(); + Assert.AreEqual("5FA69907", actualSerialNumber.ToUpperInvariant(), + message: "Wrong cert. found..."); + + // java: assertEquals("Wrong end date found...", "2022-12-16T14:31:07 UTC", DateUtil.formatDate(cert.getNotAfter())); + var expectedEndDate = "2025-12-11T12:47:33.0000000Z"; + var actualEndDate = cert.NotAfter.ToUniversalTime().ToString("o"); + Assert.AreEqual(expectedEndDate, actualEndDate, message: "Wrong end date found..."); + } + + [Test] + public void TestLdapTestServerFoces2SubjectWithFIDInAliasAndName() + { + var ldapCertificateLookup = new LdapCertificateLookup(this._ldapSettings); + var certSubject = new CertificateSubject("SERIALNUMBER=CVR:30808460-FID:94731315 + CN=FOO-FID-bar (funktionscertifikat), O=TESTFID A/S // CVR:30808460, C=DK"); + + X509Certificate2 cert = null; + + try + { + cert = ldapCertificateLookup.GetCertificate(certSubject); + } + catch (CertificateValidationException ex) + { + // We managed to connect and get a certificate. For some (possibly local) reason it didn't + // pass validation but that is not important for this test. 
+ cert = (X509Certificate2)ex.Data["Certificate"]; + } + + // NOTE: These asserts correspond to certificate "SERIALNUMBER=CVR:30808460-FID:94731315 + CN=TU GENEREL FOCES gyldig (funktionscertifikat), O=NETS DANID A/S // CVR:30808460, C=DK" + // The lookup will still resolve this even though we used a modified certSubject above, since the actual lookup uses the SERIALNUMBER, not the other parts + // java: assertEquals("Wrong cert. found...", BigInteger.valueOf(1538079514), cert.getSerialNumber()); + var actualSerialNumber = cert.GetSerialNumberString(); + Assert.AreEqual("5FA69907", actualSerialNumber.ToUpperInvariant(), + message: "Wrong cert. found..."); + + // java: assertEquals("Wrong end date found...", "2022-12-16T14:31:07 UTC", DateUtil.formatDate(cert.getNotAfter())); + var expectedEndDate = "2025-12-11T12:47:33.0000000Z"; + var actualEndDate = cert.NotAfter.ToUniversalTime().ToString("o"); + Assert.AreEqual(expectedEndDate, actualEndDate, message: "Wrong end date found..."); + } + [Test] public void TestGetMitIdCertificateFromTestLdap() { diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/CrlLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/CrlLookupTest.cs index 606b39be592818ac232d199daaa478ba776fad04..4f03bb5354169a4aa0284437d9fdd071423b5faf 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/CrlLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/CrlLookupTest.cs 
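Review bot: In both new tests the catch branch reads `ex.Data["Certificate"]` without checking the result, so when the exception carries no certificate `cert` stays null and the test dies with a NullReferenceException at `cert.GetSerialNumberString()` instead of a readable failure; add `Assert.IsNotNull(cert, "Lookup returned no certificate");` before the serial-number assert in each test. The same branch lets a certificate that failed validation satisfy the test, which the comment says is deliberate, but a summary comment on each test should state that they cover retrieval only and not validation. The expected serial `5FA69907` and the end date are pinned to one test certificate, so a comment saying where they come from would help when that certificate is rotated. In TestLdapTestServerFoces2SubjectWithFIDInAliasAndName the comment says only SERIALNUMBER drives the lookup, so asserting on `cert.Subject` as well would make the identity that was actually returned explicit.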
@@ -18,6 +18,114 @@ namespace dk.gov.oiosi.test.unit.security.revocation ConfigurationUtil.SetupConfiguration(); } + //[Test] + //public void LookupTestOkayFoces1() + //{ + // try + // { + // X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1OkayCertificate, "Test1234"); + + // CrlLookup crlLookup = new CrlLookup(); + // RevocationResponse response = crlLookup.CheckCertificate(certificate); + // Assert.IsTrue(response.IsValid); + // Assert.IsNull(response.Exception, "The lookup return an exception."); + // Assert.AreEqual(RevocationCheckStatus.AllChecksPassed, response.RevocationCheckStatus, "Not all check was performed."); + // } + // catch (Exception exception) + // { + // Assert.Fail(exception.ToString()); + // } + //} + + //[Test] + //public void LookupTestRevokedFoces1() + //{ + // try + // { + // X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1RevokedCertificate, "Test1234"); + // Assert.IsNotNull(certificate, "Test certificate was null."); + + // CrlLookup crlLookup = new CrlLookup(); + // RevocationResponse response = crlLookup.CheckCertificate(certificate); + // Assert.IsFalse(response.IsValid); + // Assert.IsNull(response.Exception, "The lookup return an exception."); + // Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + + // /*OcspLookup ocspLookup = new OcspLookup(); + // RevocationResponse ocspResponse = ocspLookup.CheckCertificate(certificate); + // Assert.IsFalse(ocspResponse.IsValid);*/ + // } + // catch (Exception exception) + // { + // Assert.Fail(exception.ToString()); + // } + //} + + /* + * Not the CRL job to check for expired certificate + * CRL check only check if the certificate has been revoked - is has not - it does not exist in the CRL list + * because it is very old and expired. 
+ [Test] + public void LookupTestExpiredFoces1() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1ExpiredCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + CrlLookup crlLookup = new CrlLookup(); + RevocationResponse response = crlLookup.CheckCertificate(certificate); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "The revokation validation did not parse all check"); + Assert.IsFalse(response.IsValid, "The revoked certifikate was valid"); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ + + [Test] + [Ignore("Ignore a test")] + public void LookupTestOkayFoces2() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + CrlLookup crlLookup = new CrlLookup(); + RevocationResponse response = crlLookup.CheckCertificate(certificate); + Assert.IsTrue(response.IsValid); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.AllChecksPassed, response.RevocationCheckStatus, "Not all check was performed."); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + } + + [Test] + [Ignore("Ignore a test")] + public void LookupTestRevokedFoces2() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2RevokedCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + CrlLookup crlLookup = new CrlLookup(); + RevocationResponse response = crlLookup.CheckCertificate(certificate); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "The revokation validation did not parse all check"); + 
Assert.IsFalse(response.IsValid, "The revoked certifikate was valid"); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + } /*[Test] public void LookupTestRevokedMoces1() @@ -40,6 +148,33 @@ namespace dk.gov.oiosi.test.unit.security.revocation } }*/ + /* + * Not the CRL job to check for expired certificate + * CRL check only check if the certificate has been revoked - is has not - it does not exist in the CRL list + * because it is very old and expired. + * [Test] + public void LookupTestExpiredFoces2() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2ExpiredCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + CrlLookup crlLookup = new CrlLookup(); + Assert.IsNotNull(certificate, "Test certificate was null."); + RevocationResponse response = crlLookup.CheckCertificate(certificate); + + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "The revokation validation did not parse all check"); + + Assert.IsFalse(response.IsValid, "The revoked certifikate was valid"); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ + /* * * This test fail on the build server - it does not failed when it is run local @@ -64,7 +199,8 @@ namespace dk.gov.oiosi.test.unit.security.revocation } } - private X509Certificate2 certificateMoces = new X509Certificate2(CrlLookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + private X509Certificate2 certificateFoces = new X509Certificate2(CrlLookupTest.foces2OkayCertificate, "Test1234"); + //private X509Certificate2 certificateMoces = new X509Certificate2(CrlLookupTest. medarbejdercertifikatRevoked, "Test1234"); private void ThreadCertificateCheck() { 
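Review bot: `LookupTestOkayFoces2` and `LookupTestRevokedFoces2` in the hunk at -18,6 are added already disabled with `[Ignore("Ignore a test")]`, which leaves the CRL valid and revoked paths for FOCES2 without running coverage and gives no hint of what must change to re-enable them. State the real reason in the attribute, for example `[Ignore("FOCES2 test certificate expired - replace the PFX and re-enable")]` if that is the cause. The `try { ... } catch (Exception exception) { Assert.Fail(exception.ToString()); }` wrapper in both tests adds nothing over letting NUnit report the exception and can be dropped. The commented-out FOCES1 tests at the top of the hunk, and the commented-out block added by the hunk at -40,6, are better deleted than committed, since version control already keeps them.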
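Review bot: The new `certificateFoces` field initializer in the hunk at -64,7 hard-codes the PFX password `"Test1234"`, a literal this commit repeats in every added test in CrlLookupTest and OcspLookupTest, while the MitID certificate elsewhere in this diff takes its password from `TestConstants.PASSWORD_CERTIFICATE_MITID_OCES`. Move the FOCES2 password to a single constant beside `TestConstants.PATH_CERTIFICATE_DEVICE` so it changes in one place when the test certificate is replaced. The commented-out `certificateMoces` line added below the field can go. The hunks at -77,7 and -93,7 switch to this field, but the `Console.WriteLine` texts there still say `foces1`; the body of ThreadCertificateCheck lies mostly outside these hunks.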
@@ -77,7 +213,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation { Console.WriteLine("{0} ThreadCertificateCheck number:{1} foces1 allOkay", DateTime.Now, i); - RevocationResponse response = crlLookup.CheckCertificate(certificateMoces); + RevocationResponse response = crlLookup.CheckCertificate(certificateFoces); if (response.Exception != null) { Console.WriteLine("{0} ThreadCertificateCheck number:{1} foces1 Exception: " + response.Exception.ToString(), DateTime.Now, i); @@ -93,7 +229,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation else { Console.WriteLine("{0} ThreadCertificateCheck number:{1} foces1 not all checked parsed ", DateTime.Now, i); - Assert.Fail("Moces certifiate should have been valid."); + Assert.Fail("Foces2 certifiate should have been valid."); } } else diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs index ad78f036200416a2bc06d59f921b3d560787e4a2..7a23fcbadc31792881f997c0a23a1b1be6f2d694 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs 
@@ -8,6 +8,10 @@ namespace dk.gov.oiosi.test.unit.security.revocation public abstract class LookupTest { //public const string medarbejdercertifikatRevoked = "Resources/Certificates/CVR30808460.Expire20130307.Test MOCES1 (medarbejdercertificat 2)(Spærret).pfx"; + public const string foces2ExpiredCertificate = "Resources/Certificates/CVR30808460.Expire20111102.TU GENEREL FOCES2 (Udløbet) (Funktionscertifikat).pfx"; + + public const string foces2RevokedCertificate = "Resources/Certificates/CVR30808460.Expire20200313.TU GENEREL FOCES spaerret (Funktionscertifikat).pfx"; + public const string foces2OkayCertificate = TestConstants.PATH_CERTIFICATE_DEVICE;//"Resources/Certificates/CVR30808460.Expire20200130.TU GENEREL FOCES gyldig (Funktionscertifikat).pfx"; public const string mitIdFocesOkayCertificate = TestConstants.PATH_CERTIFICATE_MITID_OCES;//"Resources/Certificates/CVR30808460.Expire20200130.TU GENEREL FOCES gyldig (Funktionscertifikat).pfx"; diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index 1f219e616ad90a90c0ad4322064e0674e40b7eac..e5efb71ac16e0771ea8ba919609f5ffeefdd6ff3 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs 
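Review bot: The trailing comment on the new `foces2OkayCertificate` constant names a different file (`...Expire20200130.TU GENEREL FOCES gyldig (Funktionscertifikat).pfx`) than the `TestConstants.PATH_CERTIFICATE_DEVICE` value it points at, and it is identical to the comment on the `mitIdFocesOkayCertificate` line below; drop it or replace it with a note on which certificate the constant resolves to. `foces2ExpiredCertificate` is referenced only from commented-out tests in this commit, and the `foces2RevokedCertificate` file name says `Expire20200313`, so a short comment on each stating that the PFX is expired and why it is kept would save the next reader a lookup.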
@@ -40,6 +40,92 @@ namespace dk.gov.oiosi.test.unit.security.revocation return ocspLookup; } + + //[Test] + //public void LookupTestOkayFoces1() + //{ + // try + // { + // X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1OkayCertificate, "Test1234"); + // Assert.IsNotNull(certificate, "Test certificate was null."); + + // OcspLookup ocspLookup = this.CreateOcesLookup(); + // RevocationResponse response = ocspLookup.CheckCertificate(certificate); + // Assert.IsTrue(response.IsValid, "Certificate is not valid."); + // Assert.IsNull(response.Exception, "The lookup return an exception."); + // Assert.AreEqual(RevocationCheckStatus.AllChecksPassed, response.RevocationCheckStatus, "Not all check was performed."); + // } + // catch (Exception exception) + // { + // Assert.Fail(exception.ToString()); + // } + //} + + + // Foces1 certificate is not used anymore - can not get a general foces1 that is revoked + //[Test] + //public void LookupTestRevokedFoces1() + //{ + // try + // { + // X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1RevokedCertificate, "Test1234"); + // Assert.IsNotNull(certificate, "Test certificate was null."); + + // OcspLookup ocspLookup = this.CreateOcesLookup(); + // RevocationResponse response = ocspLookup.CheckCertificate(certificate); + // Assert.IsFalse(response.IsValid, "Certificate is not valid."); + // Assert.IsNull(response.Exception, "The lookup return an exception."); + // Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + // } + // catch (Exception exception) + // { + // Assert.Fail(exception.ToString()); + // } + //} + + + /* + * Not the OCSP job to check for expired certificate + * [Test] + public void LookupTestExpiredFoces1() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1ExpiredCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + OcspLookup 
ocspLookup = this.CreateOcesLookup(); + RevocationResponse response = ocspLookup.CheckCertificate(certificate); + Assert.IsFalse(response.IsValid, "Certificate is not valid."); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ + /* + [Test] + public void testMitIdTestCertificate() throws Exception + { + KeyStore p12 = KeyStore.getInstance("pkcs12"); + p12.load(new FileInputStream(TestConstants.PATH_MITID_ORG_TEST), "?3ngCR4,gq86".toCharArray()); + Enumeration e = p12.aliases(); + Assert.True("No elements found", e.hasMoreElements()); + string alias = e.nextElement(); + X509Certificate certificate = (X509Certificate)p12.getCertificate(alias); + Assert.AreEqual("Wrong cert. subject found", "C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.getSubjectDN().TOString()); + + System.err.println(certificate.getIssuerX500Principal()); + System.err.println(certificate.getSubjectX500Principal()); + + //assertEquals("Wrong cert. found", "SERIALNUMBER=CVR:30808460-FID:94731315 + CN=TU GENEREL FOCES gyldig (funktionscertifikat), O=NETS DANID A/S // CVR:30808460, C=DK", c.getSubjectDN().toString()); + + RevocationResponse revocationResponse = CreateOcesLookup().revocationResponseOnline(certificate); + assertTrue("Certificate should be OCSP valid...", revocationResponse.isValid()); + + }*/ /** * Verify that our self-signed check functionality works. */ @@ -62,6 +148,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation { Assert.Fail(ex.ToString()); } + try { var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, TestConstants.PASSWORD_CERTIFICATE_MITID_OCES); 
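Review bot: The commented-out Java method `testMitIdTestCertificate` added at the end of the hunk at -40,6 embeds a keystore password as a literal in its `p12.load(...)` call, although the C# code in this file takes the MitID certificate password from `TestConstants.PASSWORD_CERTIFICATE_MITID_OCES`. The block is Java and cannot compile here, so delete it or keep only a one-line pointer such as `// TODO: port testMitIdTestCertificate from the Java suite`. The commented-out FOCES1 tests above it are dead code as well; the existing remark `Foces1 certificate is not used anymore` is enough on its own.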
@@ -76,6 +163,22 @@ namespace dk.gov.oiosi.test.unit.security.revocation { Assert.Fail(ex.ToString()); } + + try + { + var certificate2 = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234"); + Assert.IsNotNull(certificate2); + } + catch (CryptographicException ex) + { + Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + LookupTest.foces2OkayCertificate); + Assert.Fail(ex.ToString()); + } + catch (Exception ex) + { + Assert.Fail(ex.ToString()); + } + try { var oces2RootCertificate = new X509Certificate2(LookupTest.oces2RootCertificate); @@ -105,6 +208,8 @@ namespace dk.gov.oiosi.test.unit.security.revocation { Assert.Fail(ex.ToString()); } + + } 
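Review bot: In the added FOCES2 block `Assert.IsNotNull(certificate2)` can never fail, because `new X509Certificate2(...)` either returns an object or throws, so this pre-check proves only that the file loads. Asserting what the later tests rely on is more useful, for example `Assert.IsTrue(certificate2.NotAfter > DateTime.Now, "Foces2 test certificate has expired");`. The `CryptographicException` branch prints that the certificate could not be found, but a wrong password or a damaged PFX raises the same exception type, so the message should say the file could not be loaded. The enclosing method starts and ends outside the hunk.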
@@ -160,5 +265,94 @@ namespace dk.gov.oiosi.test.unit.security.revocation Assert.Fail(exception.ToString()); } } + + + + + [Test] + public void LookupTestOkayFoces2() + { + try + { + + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + OcspLookup ocspLookup = this.CreateOcesLookup(); + RevocationResponse response = ocspLookup.CheckCertificate(certificate); + Assert.IsTrue(response.IsValid, "Certificate is not valid."); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.AllChecksPassed, response.RevocationCheckStatus, "Not all check was performed."); + + + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + } + + [Test] + [Ignore("Certificate expired - get a fresh one!!!")] + public void LookupTestRevokedFoces2() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2RevokedCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + OcspLookup ocspLookup = this.CreateOcesLookup(); + RevocationResponse response = ocspLookup.CheckCertificate(certificate); + //Assert.IsFalse(response.IsValid, "Certificate is not valid."); + Assert.IsNull(response.Exception, "The lookup return an exception."); + //Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + } + + /* + * Not the OCSP job to check for expired certificate + * [Test] + public void LookupTestExpiredFoces2() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2ExpiredCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + OcspLookup ocspLookup = this.CreateOcesLookup(); + RevocationResponse response = 
ocspLookup.CheckCertificate(certificate); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "The revokation validation did not parse all check"); + Assert.IsFalse(response.IsValid, "The revoked certifikate was valid"); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ + + /* */ + + /* [Test] + public void LookupTestExpiredFoces2() + { + try + { + OcspLookup ocspLookup = this.CreateOcesLookup(); + X509Certificate2 certificate = new X509Certificate2(this.foces2ExpiredCertificate, "Test1234"); + RevocationResponse response = ocspLookup.CheckCertificate(certificate); + Assert.IsFalse(response.IsValid, "Certificate is not valid."); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ } } \ No newline at end of file
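Review bot: `LookupTestRevokedFoces2` has both revocation asserts commented out, so once its `[Ignore]` is lifted it passes for any response that carries no exception, including one that reports the revoked certificate as valid. Restore `Assert.IsFalse(response.IsValid, ...)` and the `RevocationCheckStatus.CertificateRevoked` check before re-enabling it; as committed, none of the visible hunks leaves a running test on the revoked path of `OcspLookup.CheckCertificate`. `LookupTestOkayFoces2` appears to depend on a live OCSP responder through `CreateOcesLookup()`, so an attribute such as `[Category("Integration")]` would let offline runs skip it. The two commented-out `LookupTestExpiredFoces2` copies at the end duplicate each other and can be removed.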