use rpki::data_model::rc::ResourceCertificate;
use rpki::data_model::ta::{TaCertificate, TaCertificateVerifyError};
/// Happy path: the APNIC trust-anchor fixture decodes as a `TaCertificate` and its
/// self-signature check succeeds.
#[test]
fn ta_verify_self_signature_succeeds_for_fixture() {
    let fixture_bytes = std::fs::read("tests/fixtures/ta/apnic-ta.cer").expect("read apnic ta");

    // Decode and verify in one chain; either step failing aborts the test with its own message.
    TaCertificate::decode_der(&fixture_bytes)
        .expect("decode TA")
        .verify_self_signature()
        .expect("verify self signature");
}
/// Extra bytes after the encoded certificate in `raw_der` must be rejected, and the error must
/// report exactly how many were appended (`TrailingBytes(3)`).
#[test]
fn ta_verify_self_signature_rejects_trailing_bytes() {
    let fixture_bytes = std::fs::read("tests/fixtures/ta/apnic-ta.cer").expect("read apnic ta");

    // Parsed from the clean fixture; only `raw_der` below carries the appended bytes.
    let rc_ca = ResourceCertificate::decode_der(&fixture_bytes).expect("decode rc");

    // Three arbitrary bytes placed after the end of the certificate encoding.
    let mut raw_der = fixture_bytes.clone();
    raw_der.extend_from_slice(&[0, 1, 2]);

    // Built field by field so the raw bytes and the parsed view can disagree on purpose.
    let ta = TaCertificate { raw_der, rc_ca };

    let outcome = ta.verify_self_signature();
    assert!(matches!(
        outcome.unwrap_err(),
        TaCertificateVerifyError::TrailingBytes(3)
    ));
}
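/// Flipping one bit in the final byte of the encoded certificate must make self-signature
/// verification fail.
///
/// `rc_ca` is decoded from the untouched fixture while `raw_der` holds the modified bytes, so
/// the two views disagree on purpose; the expected rejection has to come from what
/// `verify_self_signature` does with `raw_der`.
#[test]
fn ta_verify_self_signature_rejects_tampered_signature() {
    let der = std::fs::read("tests/fixtures/ta/apnic-ta.cer").expect("read apnic ta");
    let rc_ca = ResourceCertificate::decode_der(&der).expect("decode rc");

    let mut tampered = der.clone();
    // Fail loudly rather than silently skipping the mutation: if no byte were flipped, the
    // test would be exercising an unmodified certificate without anyone noticing.
    let last = tampered.last_mut().expect("fixture DER is non-empty");
    *last ^= 0x01;

    let ta = TaCertificate {
        raw_der: tampered,
        rc_ca,
    };

    let err = ta.verify_self_signature().unwrap_err();
    // NOTE(review): `Parse` is accepted alongside `InvalidSelfSignature`. Presumably the final
    // DER byte belongs to the signature value, in which case only `InvalidSelfSignature`
    // should occur; confirm and tighten the pattern if so, so a parse-level rejection cannot
    // mask a missing signature check.
    assert!(
        matches!(
            err,
            TaCertificateVerifyError::InvalidSelfSignature(_) | TaCertificateVerifyError::Parse(_)
        ),
        "unexpected error for tampered DER: {:?}",
        err
    );
}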