Google Git
Sign in
chromium / chromium / src / 54041d62f2ece007b0e289fa66ad89ecc3c39135 / . / components / cast_certificate / cast_cert_validator_unittest.cc
blob: d3de949d5719d441176028538a436d1afa7b2777 [file] [log] [blame]
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/cast_certificate/cast_cert_validator.h"
#include "components/cast_certificate/cast_cert_validator_test_helpers.h"
#include "net/cert/internal/parsed_certificate.h"
#include "net/cert/internal/trust_store_in_memory.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace cast_certificate {
namespace {
// Creates an std::string given a uint8_t array.
template <size_t N>
std::string CreateString(const uint8_t (&data)[N]) {
return std::string(reinterpret_cast<const char*>(data), N);
}
// Indicates the expected result of test verification.
enum TestResult {
RESULT_SUCCESS,
RESULT_FAIL,
};
enum TrustStoreDependency {
// Uses the built-in trust store for Cast. This is how certificates are
// verified in production.
TRUST_STORE_BUILTIN,
// Instead of using the built-in trust store, use root certificate in the
// provided test chain as the trust anchor.
//
// This trust anchor is initialized with anchor constraints, similar to how
// TrustAnchors in the built-in store are setup.
TRUST_STORE_FROM_TEST_FILE,
// This is the same as TRUST_STORE_FROM_TEST_FILE except the TrustAnchor is
// setup to NOT enforce anchor constraints. This mode is useful for
// verifying control groups. It is not how code works in production.
TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED,
};
// Reads a test chain from |certs_file_name|, and asserts that verifying it as
// a Cast device certificate yields |expected_result|.
//
// RunTest() also checks that the resulting CertVerificationContext does not
// incorrectly verify invalid signatures.
//
// * |expected_policy| - The policy that should have been identified for the
// device certificate.
// * |time| - The timestamp to use when verifying the certificate.
// * |trust_store_dependency| - Which trust store to use when verifying (see
// enum's definition).
// * |optional_signed_data_file_name| - optional path to a PEM file containing
// a valid signature generated by the device certificate.
//
void RunTest(TestResult expected_result,
const std::string& expected_common_name,
CastDeviceCertPolicy expected_policy,
const std::string& certs_file_name,
const base::Time& time,
TrustStoreDependency trust_store_dependency,
const std::string& optional_signed_data_file_name) {
auto certs =
cast_certificate::testing::ReadCertificateChainFromFile(certs_file_name);
std::unique_ptr<net::TrustStoreInMemory> trust_store;
switch (trust_store_dependency) {
case TRUST_STORE_BUILTIN:
// Leave trust_store as nullptr.
break;
case TRUST_STORE_FROM_TEST_FILE:
case TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED: {
ASSERT_FALSE(certs.empty());
// Parse the root certificate of the chain.
scoped_refptr<net::ParsedCertificate> root =
net::ParsedCertificate::CreateFromCertificateCopy(certs.back(), {});
ASSERT_TRUE(root);
// Remove it from the chain.
certs.pop_back();
// Add it to the trust store as a trust anchor
trust_store.reset(new net::TrustStoreInMemory);
if (trust_store_dependency == TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED) {
// This is a test-only mode where anchor constraints are not enforced.
trust_store->AddTrustAnchor(
net::TrustAnchor::CreateFromCertificateNoConstraints(
std::move(root)));
} else {
// This is the regular mode used by the TrustAnchors for the built-in
// Cast store.
trust_store->AddTrustAnchor(
net::TrustAnchor::CreateFromCertificateWithConstraints(
std::move(root)));
}
}
}
std::unique_ptr<CertVerificationContext> context;
CastDeviceCertPolicy policy;
bool result;
if (trust_store.get()) {
result =
VerifyDeviceCertForTest(certs, time, &context, &policy, nullptr,
CRLPolicy::CRL_OPTIONAL, trust_store.get());
} else {
result = VerifyDeviceCert(certs, time, &context, &policy, nullptr,
CRLPolicy::CRL_OPTIONAL);
}
if (expected_result == RESULT_FAIL) {
ASSERT_FALSE(result);
return;
}
ASSERT_TRUE(result);
EXPECT_EQ(expected_policy, policy);
ASSERT_TRUE(context.get());
// Test that the context is good.
EXPECT_EQ(expected_common_name, context->GetCommonName());
ASSERT_TRUE(context);
// Test verification of some invalid signatures.
EXPECT_FALSE(
context->VerifySignatureOverData("bogus signature", "bogus data"));
EXPECT_FALSE(context->VerifySignatureOverData("", "bogus data"));
EXPECT_FALSE(context->VerifySignatureOverData("", ""));
// If valid signatures are known for this device certificate, test them.
if (!optional_signed_data_file_name.empty()) {
auto signature_data = cast_certificate::testing::ReadSignatureTestData(
optional_signed_data_file_name);
// Test verification of a valid SHA1 signature.
EXPECT_TRUE(context->VerifySignatureOverData(signature_data.signature_sha1,
signature_data.message));
// Test verification of a valid SHA256
//
// TODO(eroman): This fails because there isn't currently support
// for specifying a signature algorithm other than RSASSA PKCS#1 v1.5 with
// SHA1. Once support for different algorithms is added to the API this
// should be changed to expect success.
EXPECT_FALSE(context->VerifySignatureOverData(
signature_data.signature_sha256, signature_data.message));
}
}
// Creates a time in UTC at midnight.
//
// The maximum date usable here is limited to year 2038 on 32 bit systems due to
// base::Time::FromExploded clamping the range to what is supported by mktime
// and timegm.
base::Time CreateDate(int year, int month, int day) {
base::Time::Exploded time = {0};
time.year = year;
time.month = month;
time.day_of_month = day;
base::Time result;
EXPECT_TRUE(base::Time::FromUTCExploded(time, &result));
return result;
}
// Returns 2016-04-01 00:00:00 UTC.
//
// This is a time when most of the test certificate paths are
// valid.
base::Time AprilFirst2016() {
return CreateDate(2016, 4, 1);
}
// Returns 2015-01-01 00:00:00 UTC.
base::Time JanuaryFirst2015() {
return CreateDate(2015, 1, 1);
}
// Returns 2037-03-01 00:00:00 UTC.
//
// This is so far in the future that the test chains in this unit-test
// should all be invalid.
base::Time MarchFirst2037() {
return CreateDate(2037, 3, 1);
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 2ZZBG9 FA8FCA3EF91A
// 1: Eureka Gen1 ICA
//
// Chains to trust anchor:
// Eureka Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, ChromecastGen1) {
RunTest(RESULT_SUCCESS, "2ZZBG9 FA8FCA3EF91A", CastDeviceCertPolicy::NONE,
"certificates/chromecast_gen1.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 2ZZBG9 FA8FCA3EF91A
// 1: Eureka Gen1 ICA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, ChromecastGen1Reissue) {
RunTest(RESULT_SUCCESS, "2ZZBG9 FA8FCA3EF91A", CastDeviceCertPolicy::NONE,
"certificates/chromecast_gen1_reissue.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 3ZZAK6 FA8FCA3F0D35
// 1: Chromecast ICA 3
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, ChromecastGen2) {
RunTest(RESULT_SUCCESS, "3ZZAK6 FA8FCA3F0D35", CastDeviceCertPolicy::NONE,
"certificates/chromecast_gen2.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 3:
//
// 0: -6394818897508095075
// 1: Asus fugu Cast ICA
// 2: Widevine Cast Subroot
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, Fugu) {
RunTest(RESULT_SUCCESS, "-6394818897508095075", CastDeviceCertPolicy::NONE,
"certificates/fugu.pem", AprilFirst2016(), TRUST_STORE_BUILTIN, "");
}
// Tests verifying an invalid certificate chain of length 1:
//
// 0: Cast Test Untrusted Device
//
// Chains to:
// Cast Test Untrusted ICA (Not part of trust store)
//
// This is invalid because it does not chain to a trust anchor.
TEST(VerifyCastDeviceCertTest, Unchained) {
RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE,
"certificates/unchained.pem", AprilFirst2016(), TRUST_STORE_BUILTIN,
"");
}
// Tests verifying one of the self-signed trust anchors (chain of length 1):
//
// 0: Cast Root CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// Although this is a valid and trusted certificate (it is one of the
// trust anchors after all) it fails the test as it is not a *device
// certificate*.
TEST(VerifyCastDeviceCertTest, CastRootCa) {
RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE,
"certificates/cast_root_ca.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 4ZZDZJ FA8FCA7EFE3C
// 1: Chromecast ICA 4 (Audio)
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, ChromecastAudio) {
RunTest(RESULT_SUCCESS, "4ZZDZJ FA8FCA7EFE3C",
CastDeviceCertPolicy::AUDIO_ONLY, "certificates/chromecast_audio.pem",
AprilFirst2016(), TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 3:
//
// 0: MediaTek Audio Dev Test
// 1: MediaTek Audio Dev Model
// 2: Cast Audio Dev Root CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, MtkAudioDev) {
RunTest(RESULT_SUCCESS, "MediaTek Audio Dev Test",
CastDeviceCertPolicy::AUDIO_ONLY, "certificates/mtk_audio_dev.pem",
JanuaryFirst2015(), TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 9V0000VB FA8FCA784D01
// 1: Cast TV ICA (Vizio)
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, Vizio) {
RunTest(RESULT_SUCCESS, "9V0000VB FA8FCA784D01", CastDeviceCertPolicy::NONE,
"certificates/vizio.pem", AprilFirst2016(), TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 2 using expired
// time points.
TEST(VerifyCastDeviceCertTest, ChromecastGen2InvalidTime) {
const char* kCertsFile = "certificates/chromecast_gen2.pem";
// Control test - certificate should be valid at some time otherwise
// this test is pointless.
RunTest(RESULT_SUCCESS, "3ZZAK6 FA8FCA3F0D35", CastDeviceCertPolicy::NONE,
kCertsFile, AprilFirst2016(), TRUST_STORE_BUILTIN, "");
// Use a time before notBefore.
RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE, kCertsFile,
JanuaryFirst2015(), TRUST_STORE_BUILTIN, "");
// Use a time after notAfter.
RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE, kCertsFile,
MarchFirst2037(), TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 3:
//
// 0: Audio Reference Dev Test
// 1: Audio Reference Dev Model
// 2: Cast Audio Dev Root CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, AudioRefDevTestChain3) {
RunTest(RESULT_SUCCESS, "Audio Reference Dev Test",
CastDeviceCertPolicy::AUDIO_ONLY,
"certificates/audio_ref_dev_test_chain_3.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "signeddata/AudioReferenceDevTest.pem");
}
// Tests verifying a valid certificate chain of length 3. Note that the first
// intermediate has a serial number that is 21 octets long, which violates RFC
// 5280. However cast verification accepts this certificate for compatibility
// reasons.
//
// 0: 8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA
// 1: Sony so16vic CA
// 2: Cast Audio Sony CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, IntermediateSerialNumberTooLong) {
RunTest(RESULT_SUCCESS, "8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA",
CastDeviceCertPolicy::AUDIO_ONLY,
"certificates/intermediate_serialnumber_toolong.pem",
AprilFirst2016(), TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 2 when the trust anchor
// is "expired". This is expected to work since expiration is not an enforced
// anchor constraint, even though it may appear in the root certificate.
//
// 0: CastDevice
// 1: CastIntermediate
//
// Chains to trust anchor:
// Expired CastRoot (provided by test data)
TEST(VerifyCastDeviceCertTest, ExpiredTrustAnchor) {
// The root certificate is only valid in 2015, so validating with a time in
// 2016 means it is expired.
RunTest(RESULT_SUCCESS, "CastDevice", CastDeviceCertPolicy::NONE,
"certificates/expired_root.pem", AprilFirst2016(),
TRUST_STORE_FROM_TEST_FILE, "");
}
// Tests verifying a certificate chain where the root certificate has a pathlen
// constraint which is violated by the chain. In this case Root has a pathlen=1
// constraint, however neither intermediate is constrained.
//
// The expectation is for pathlen constraints on trust anchors to be enforced,
// so this validation must fail.
//
// 0: Target
// 1: Intermediate2
// 2: Intermediate1
//
// Chains to trust anchor:
// Root (provided by test data; has pathlen=1 constraint)
TEST(VerifyCastDeviceCertTest, ViolatesPathlenTrustAnchorConstraint) {
// First do a control test -- when anchor constraints are NOT enforced this
// chain should validate just fine.
RunTest(RESULT_SUCCESS, "Target", CastDeviceCertPolicy::NONE,
"certificates/violates_root_pathlen_constraint.pem", AprilFirst2016(),
TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED, "");
// Now do the real test and verify validation fails when using a TrustAncho
// with pathlen constraint.
RunTest(RESULT_FAIL, "Target", CastDeviceCertPolicy::NONE,
"certificates/violates_root_pathlen_constraint.pem", AprilFirst2016(),
TRUST_STORE_FROM_TEST_FILE, "");
}
// ------------------------------------------------------
// Valid signature using 1024-bit RSA key
// ------------------------------------------------------
// This test vector comes from the NIST test vectors (pkcs1v15sign-vectors.txt),
// PKCS#1 v1.5 Signature Example 1.2.
//
// It is a valid signature using a 1024 bit key and SHA-1.
const uint8_t kEx1Message[] = {
0x85, 0x13, 0x84, 0xcd, 0xfe, 0x81, 0x9c, 0x22, 0xed, 0x6c, 0x4c,
0xcb, 0x30, 0xda, 0xeb, 0x5c, 0xf0, 0x59, 0xbc, 0x8e, 0x11, 0x66,
0xb7, 0xe3, 0x53, 0x0c, 0x4c, 0x23, 0x3e, 0x2b, 0x5f, 0x8f, 0x71,
0xa1, 0xcc, 0xa5, 0x82, 0xd4, 0x3e, 0xcc, 0x72, 0xb1, 0xbc, 0xa1,
0x6d, 0xfc, 0x70, 0x13, 0x22, 0x6b, 0x9e,
};
const uint8_t kEx1Signature[] = {
0x84, 0xfd, 0x2c, 0xe7, 0x34, 0xec, 0x1d, 0xa8, 0x28, 0xd0, 0xf1, 0x5b,
0xf4, 0x9a, 0x87, 0x07, 0xc1, 0x5d, 0x05, 0x94, 0x81, 0x36, 0xde, 0x53,
0x7a, 0x3d, 0xb4, 0x21, 0x38, 0x41, 0x67, 0xc8, 0x6f, 0xae, 0x02, 0x25,
0x87, 0xee, 0x9e, 0x13, 0x7d, 0xae, 0xe7, 0x54, 0x73, 0x82, 0x62, 0x93,
0x2d, 0x27, 0x1c, 0x74, 0x4c, 0x6d, 0x3a, 0x18, 0x9a, 0xd4, 0x31, 0x1b,
0xdb, 0x02, 0x04, 0x92, 0xe3, 0x22, 0xfb, 0xdd, 0xc4, 0x04, 0x06, 0xea,
0x86, 0x0d, 0x4e, 0x8e, 0xa2, 0xa4, 0x08, 0x4a, 0xa9, 0x8b, 0x96, 0x22,
0xa4, 0x46, 0x75, 0x6f, 0xdb, 0x74, 0x0d, 0xdb, 0x3d, 0x91, 0xdb, 0x76,
0x70, 0xe2, 0x11, 0x66, 0x1b, 0xbf, 0x87, 0x09, 0xb1, 0x1c, 0x08, 0xa7,
0x07, 0x71, 0x42, 0x2d, 0x1a, 0x12, 0xde, 0xf2, 0x9f, 0x06, 0x88, 0xa1,
0x92, 0xae, 0xbd, 0x89, 0xe0, 0xf8, 0x96, 0xf8,
};
const uint8_t kEx1PublicKeySpki[] = {
0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
0x89, 0x02, 0x81, 0x81, 0x00, 0xa5, 0x6e, 0x4a, 0x0e, 0x70, 0x10, 0x17,
0x58, 0x9a, 0x51, 0x87, 0xdc, 0x7e, 0xa8, 0x41, 0xd1, 0x56, 0xf2, 0xec,
0x0e, 0x36, 0xad, 0x52, 0xa4, 0x4d, 0xfe, 0xb1, 0xe6, 0x1f, 0x7a, 0xd9,
0x91, 0xd8, 0xc5, 0x10, 0x56, 0xff, 0xed, 0xb1, 0x62, 0xb4, 0xc0, 0xf2,
0x83, 0xa1, 0x2a, 0x88, 0xa3, 0x94, 0xdf, 0xf5, 0x26, 0xab, 0x72, 0x91,
0xcb, 0xb3, 0x07, 0xce, 0xab, 0xfc, 0xe0, 0xb1, 0xdf, 0xd5, 0xcd, 0x95,
0x08, 0x09, 0x6d, 0x5b, 0x2b, 0x8b, 0x6d, 0xf5, 0xd6, 0x71, 0xef, 0x63,
0x77, 0xc0, 0x92, 0x1c, 0xb2, 0x3c, 0x27, 0x0a, 0x70, 0xe2, 0x59, 0x8e,
0x6f, 0xf8, 0x9d, 0x19, 0xf1, 0x05, 0xac, 0xc2, 0xd3, 0xf0, 0xcb, 0x35,
0xf2, 0x92, 0x80, 0xe1, 0x38, 0x6b, 0x6f, 0x64, 0xc4, 0xef, 0x22, 0xe1,
0xe1, 0xf2, 0x0d, 0x0c, 0xe8, 0xcf, 0xfb, 0x22, 0x49, 0xbd, 0x9a, 0x21,
0x37, 0x02, 0x03, 0x01, 0x00, 0x01,
};
// Tests that a valid signature fails, because it uses a 1024-bit RSA key (too
// weak).
TEST(VerifyCastDeviceCertTest, VerifySignature1024BitRsa) {
auto context =
CertVerificationContextImplForTest(CreateString(kEx1PublicKeySpki));
EXPECT_FALSE(context->VerifySignatureOverData(CreateString(kEx1Signature),
CreateString(kEx1Message)));
}
// ------------------------------------------------------
// Valid signature using 2048-bit RSA key
// ------------------------------------------------------
// This test vector was generated (using WebCrypto). It is a valid signature
// using a 2048-bit RSA key, RSASSA PKCS#1 v1.5 with SHA-1.
const uint8_t kEx2Message[] = {
// "hello"
0x68, 0x65, 0x6c, 0x6c, 0x6f,
};
const uint8_t kEx2Signature[] = {
0xc1, 0x21, 0x84, 0xe1, 0x62, 0x0e, 0x59, 0x52, 0x5b, 0xa4, 0x10, 0x1e,
0x11, 0x80, 0x5b, 0x9e, 0xcb, 0xa0, 0x20, 0x78, 0x29, 0xfc, 0xc0, 0x9a,
0xd9, 0x48, 0x90, 0x81, 0x03, 0xa9, 0xc0, 0x2f, 0x0a, 0xc4, 0x20, 0x34,
0xb5, 0xdb, 0x19, 0x04, 0xec, 0x94, 0x9b, 0xba, 0x48, 0x43, 0xf3, 0x5a,
0x15, 0x56, 0xfc, 0x4a, 0x87, 0x79, 0xf8, 0x50, 0xff, 0x5d, 0x66, 0x25,
0xdc, 0xa5, 0xd8, 0xe8, 0x9f, 0x5a, 0x73, 0x79, 0x6f, 0x5d, 0x99, 0xe0,
0xd5, 0xa5, 0x84, 0x49, 0x20, 0x3c, 0xe2, 0xa3, 0xd0, 0x69, 0x31, 0x2c,
0x13, 0xaf, 0x15, 0xd9, 0x10, 0x0d, 0x6f, 0xdd, 0x9d, 0x62, 0x5d, 0x7b,
0xe1, 0x1a, 0x48, 0x59, 0xaf, 0xf7, 0xbe, 0x87, 0x92, 0x60, 0x5d, 0x1a,
0xb5, 0xfe, 0x27, 0x38, 0x02, 0x20, 0xe9, 0xaf, 0x04, 0x57, 0xd3, 0x3b,
0x70, 0x04, 0x63, 0x5b, 0xc6, 0x5d, 0x83, 0xe2, 0xaf, 0x02, 0xb4, 0xef,
0x1c, 0x33, 0x54, 0x38, 0xf8, 0xb5, 0x19, 0xa8, 0x88, 0xdd, 0x1d, 0x96,
0x1c, 0x5e, 0x54, 0x80, 0xde, 0x7b, 0xb6, 0x29, 0xb8, 0x6b, 0xea, 0x47,
0xe5, 0xf1, 0x7e, 0xed, 0xe1, 0x91, 0xc8, 0xb8, 0x54, 0xd9, 0x1e, 0xfd,
0x07, 0x10, 0xbd, 0xa9, 0xd4, 0x93, 0x5e, 0x65, 0x8b, 0x6b, 0x46, 0x93,
0x4b, 0x60, 0x2a, 0x26, 0xf0, 0x1b, 0x4e, 0xca, 0x04, 0x82, 0xc0, 0x8d,
0xb1, 0xa5, 0xa8, 0x70, 0xdd, 0x66, 0x68, 0x95, 0x09, 0xb4, 0x85, 0x62,
0xf5, 0x17, 0x04, 0x48, 0xb4, 0x9d, 0x66, 0x2b, 0x25, 0x82, 0x7e, 0x99,
0x3e, 0xa1, 0x11, 0x63, 0xc3, 0xdf, 0x10, 0x20, 0x52, 0x56, 0x32, 0x35,
0xa9, 0x36, 0xde, 0x2a, 0xac, 0x10, 0x0d, 0x75, 0x21, 0xed, 0x5b, 0x38,
0xb6, 0xb5, 0x1e, 0xb5, 0x5b, 0x9a, 0x72, 0xd5, 0xf8, 0x1a, 0xd3, 0x91,
0xb8, 0x29, 0x0e, 0x58,
};
const uint8_t kEx2PublicKeySpki[] = {
0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xcf, 0xde, 0xa5,
0x2e, 0x9d, 0x38, 0x62, 0x72, 0x47, 0x84, 0x8f, 0x2e, 0xa5, 0xe3, 0xd6,
0x34, 0xb0, 0xf9, 0x79, 0xa9, 0x10, 0x63, 0xa9, 0x93, 0x5a, 0xa1, 0xb9,
0xa3, 0x03, 0xd3, 0xcd, 0x9d, 0x84, 0x7d, 0xb6, 0x92, 0x47, 0xb4, 0x7d,
0x4a, 0xe8, 0x3a, 0x4b, 0xc5, 0xf6, 0x35, 0x6f, 0x18, 0x72, 0xf3, 0xbc,
0xd2, 0x1c, 0x7a, 0xd2, 0xe5, 0xdf, 0xcf, 0xb9, 0xac, 0x28, 0xd3, 0x49,
0x2a, 0x4f, 0x08, 0x62, 0xb9, 0xf1, 0xaa, 0x3d, 0x76, 0xe3, 0xa9, 0x96,
0x32, 0x24, 0x94, 0x9e, 0x88, 0xf8, 0x5e, 0xc3, 0x3c, 0x14, 0x32, 0x86,
0x72, 0xa2, 0x34, 0x3d, 0x41, 0xd0, 0xb2, 0x01, 0x99, 0x01, 0xf3, 0x93,
0xa3, 0x76, 0x5a, 0xff, 0x42, 0x28, 0x54, 0xe0, 0xcc, 0x4c, 0xcd, 0x2d,
0x3b, 0x0b, 0x47, 0xcc, 0xc2, 0x75, 0x02, 0xc1, 0xb7, 0x0b, 0x37, 0x65,
0xe6, 0x0d, 0xe4, 0xc3, 0x85, 0x86, 0x29, 0x3c, 0x77, 0xce, 0xb0, 0x34,
0xa9, 0x03, 0xe9, 0x13, 0xbe, 0x97, 0x1e, 0xfd, 0xeb, 0x0d, 0x60, 0xc2,
0xb3, 0x19, 0xa1, 0x75, 0x72, 0x57, 0x3f, 0x5d, 0x0e, 0x75, 0xac, 0x10,
0x96, 0xad, 0x95, 0x67, 0x9f, 0xa2, 0x84, 0x15, 0x6a, 0x61, 0xb1, 0x47,
0xd1, 0x24, 0x78, 0xb4, 0x40, 0x2b, 0xc3, 0x5c, 0x73, 0xd4, 0xc1, 0x8d,
0x12, 0xf1, 0x3f, 0xb4, 0x93, 0x17, 0xfe, 0x5d, 0xbf, 0x39, 0xf2, 0x45,
0xf9, 0xcf, 0x38, 0x44, 0x40, 0x5b, 0x47, 0x2a, 0xbf, 0xb9, 0xac, 0xa6,
0x14, 0xb6, 0x1b, 0xe3, 0xa8, 0x14, 0xf8, 0xfe, 0x47, 0x67, 0xea, 0x90,
0x51, 0x12, 0xcf, 0x5e, 0x28, 0xec, 0x92, 0x83, 0x7c, 0xc6, 0x29, 0x9f,
0x12, 0x29, 0x88, 0x49, 0xf7, 0xb7, 0xed, 0x5e, 0x3a, 0x78, 0xd6, 0x8a,
0xba, 0x42, 0x6e, 0x0a, 0xf4, 0x0d, 0xc1, 0xc0, 0x8f, 0xdb, 0x26, 0x41,
0x57, 0x02, 0x03, 0x01, 0x00, 0x01,
};
// Tests that a valid signature using 2048-bit key succeeds.
TEST(VerifyCastDeviceCertTest, VerifySignature2048BitRsa) {
auto context =
CertVerificationContextImplForTest(CreateString(kEx2PublicKeySpki));
EXPECT_TRUE(context->VerifySignatureOverData(CreateString(kEx2Signature),
CreateString(kEx2Message)));
}
} // namespace
} // namespace cast_certificate