// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
import path from 'path';
import { ErrorCode } from '../src/error';
import { LogLevels } from '../src/logger';
import { verifyAndImportHealthCardIssuerKey } from '../src/shcKeyValidator';
import * as utils from '../src/utils';
// Directory holding the JSON issuer-key fixtures that testKey() loads.
const testdataDir = './testdata/';

// Subject Alternative Name the x5c certificate fixtures are expected to carry;
// handed to testKey() so that SAN validation is exercised against a matching value.
const EXPECTED_SUBJECT_ALT_NAME = 'https://smarthealth.cards/examples/issuer';

// Check if openssl is available. If not, this will add a warning in tests where an issuer key
// set contains a key with a x5c value.
// The x5c tests below branch on this flag: without openssl they expect the
// OPENSSL_NOT_AVAILABLE warning in place of an INVALID_KEY_X5C error (and a single
// diagnostic for the otherwise-valid chains), i.e. chain and SAN validation is
// presumably not exercised at all in an environment without openssl.
const OPENSSL_AVAILABLE = utils.isOpensslAvailable();
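/**
 * Loads an issuer key set fixture from `testdataDir`, runs it through
 * verifyAndImportHealthCardIssuerKey and returns only the diagnostic codes.
 *
 * @param fileName        File name of the JSON fixture, relative to `testdataDir`.
 * @param subjectAltName  Expected Subject Alternative Name for an x5c certificate
 *                        chain; empty string by default.
 * @param validationTime  Time at which certificates are validated, as a string
 *                        (the default is a Unix timestamp, seconds since epoch).
 *                        Defaults to a pinned instant so the pregenerated fixture
 *                        certificates do not fail on expiry; tests that want to
 *                        exercise expiry behaviour can pass their own value.
 * @returns Codes of the diagnostics selected by `flatten(LogLevels.WARNING)`
 *          (presumably warnings and errors — confirm against the logger).
 */
async function testKey(
    fileName: string,
    subjectAltName = '',
    validationTime = "1653955200", // May 31, 2022 12:00:00 AM
): Promise<ErrorCode[]> {
    const filePath = path.join(testdataDir, fileName);
    // fix cert validation to avoid cert expiration errors for pregenerated certs:
    // the pinned time replaces the wall clock only for these fixtures and must not
    // be used outside the tests.
    const result = await verifyAndImportHealthCardIssuerKey(
        utils.loadJSONFromFile(filePath),
        validationTime,
        undefined,
        subjectAltName,
    );
    return result.flatten(LogLevels.WARNING).map(item => item.code);
}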
// A well-formed single issuer key imports cleanly: no warning- or error-level codes at all.
test("Keys: valid", async () => {
    const codes = await testKey('valid_key.json');
    expect(codes).toHaveLength(0);
});
// A fixture holding more than one key (per its name) must likewise import without diagnostics.
test("Keys: valid keys", async () => {
    const codes = await testKey('valid_keys.json');
    expect(codes).toHaveLength(0);
});
// With openssl present the 3-cert chain and its SAN validate cleanly; without openssl the
// only diagnostic expected is the single warning that the chain could not be checked.
test("Keys: valid with x5c (3-cert chain)", async () => {
    const expectedCount = OPENSSL_AVAILABLE ? 0 : 1;
    const codes = await testKey('valid_key_with_x5c.json', EXPECTED_SUBJECT_ALT_NAME);
    expect(codes).toHaveLength(expectedCount);
});
// Same contract as the 3-cert case for a shorter chain: clean with openssl, exactly one
// (missing-openssl) warning without it.
test("Keys: valid with x5c (2-cert chain)", async () => {
    const expectedCount = OPENSSL_AVAILABLE ? 0 : 1;
    const codes = await testKey('valid_2_chain.public.json', EXPECTED_SUBJECT_ALT_NAME);
    expect(codes).toHaveLength(expectedCount);
});
// A key whose kid is wrong must be flagged with INVALID_KEY_WRONG_KID.
test("Keys: wrong key identifier (kid)", async () => {
    const codes = await testKey('wrong_kid_key.json');
    expect(codes).toContain(ErrorCode.INVALID_KEY_WRONG_KID);
});
// A key on an unexpected curve must be flagged with INVALID_KEY_WRONG_CRV.
test("Keys: wrong elliptic curve", async () => {
    const codes = await testKey('wrong_curve_key.json');
    expect(codes).toContain(ErrorCode.INVALID_KEY_WRONG_CRV);
});
// A key whose `use` value is wrong must be flagged with INVALID_KEY_WRONG_USE.
test("Keys: wrong key use (use)", async () => {
    const codes = await testKey('wrong_use_key.json');
    expect(codes).toContain(ErrorCode.INVALID_KEY_WRONG_USE);
});
// A key whose `alg` value is wrong must be flagged with INVALID_KEY_WRONG_ALG.
test("Keys: wrong algorithm (alg)", async () => {
    const codes = await testKey('wrong_alg_key.json');
    expect(codes).toContain(ErrorCode.INVALID_KEY_WRONG_ALG);
});
// A key whose `kty` value is wrong must be flagged with INVALID_KEY_WRONG_KTY.
test("Keys: wrong key type (kty)", async () => {
    const codes = await testKey('wrong_kty_key.json');
    expect(codes).toContain(ErrorCode.INVALID_KEY_WRONG_KTY);
});
// Publishing a private key in an issuer key set must be rejected with INVALID_KEY_PRIVATE.
test("Keys: private key", async () => {
    const codes = await testKey('private_key.json');
    expect(codes).toContain(ErrorCode.INVALID_KEY_PRIVATE);
});
// The chain fixture is otherwise valid but the expected SAN does not match: with openssl
// this is an x5c error; without openssl only the missing-openssl warning is raised.
test("Keys: wrong SAN in x5c cert", async () => {
    const expectedCode = OPENSSL_AVAILABLE ? ErrorCode.INVALID_KEY_X5C : ErrorCode.OPENSSL_NOT_AVAILABLE;
    const codes = await testKey('valid_key_with_x5c.json', 'https://invalid.url');
    expect(codes).toContain(expectedCode);
});
// A SAN carrying a DNS-style prefix (per the fixture name) must not be accepted as the
// expected URL: x5c error with openssl, missing-openssl warning without it.
test("Keys: wrong SAN in x5c cert (DNS prefix)", async () => {
    const expectedCode = OPENSSL_AVAILABLE ? ErrorCode.INVALID_KEY_X5C : ErrorCode.OPENSSL_NOT_AVAILABLE;
    const codes = await testKey('invalid_DNS_SAN.public.json', EXPECTED_SUBJECT_ALT_NAME);
    expect(codes).toContain(expectedCode);
});
// A certificate without any SAN (per the fixture name) cannot satisfy the expected issuer
// URL: x5c error with openssl, missing-openssl warning without it.
test("Keys: no SAN in x5c cert", async () => {
    const expectedCode = OPENSSL_AVAILABLE ? ErrorCode.INVALID_KEY_X5C : ErrorCode.OPENSSL_NOT_AVAILABLE;
    const codes = await testKey('invalid_no_SAN.public.json', EXPECTED_SUBJECT_ALT_NAME);
    expect(codes).toContain(expectedCode);
});
// The JWK and the leaf certificate in x5c do not belong together (per the fixture name):
// x5c error with openssl, missing-openssl warning without it. No SAN is passed here.
test("Keys: key and x5c cert mismatch", async () => {
    const expectedCode = OPENSSL_AVAILABLE ? ErrorCode.INVALID_KEY_X5C : ErrorCode.OPENSSL_NOT_AVAILABLE;
    const codes = await testKey('cert_mismatch.public.json');
    expect(codes).toContain(expectedCode);
});
// A chain that does not verify (per the fixture name) must be rejected: x5c error with
// openssl, missing-openssl warning without it. No SAN is passed here.
test("Keys: invalid x5c cert chain", async () => {
    const expectedCode = OPENSSL_AVAILABLE ? ErrorCode.INVALID_KEY_X5C : ErrorCode.OPENSSL_NOT_AVAILABLE;
    const codes = await testKey('invalid_chain.public.json');
    expect(codes).toContain(expectedCode);
});