improve tests (#8)

Improve test messages. Use `BC` for cert path builder & validator provider.
fortanix · Nov 11, 2024 · 11607d3 · 11607d3
1 parent 265005e
commit 11607d3
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 9 deletions.
diff --git a/.github/workflows/java-example-ci.yml b/.github/workflows/java-example-ci.yml
@@ -44,7 +44,7 @@ jobs:
             echo "Maven is already installed"
           fi
     - name: Build with Maven
-      run: mvn -B package --file key-attestation/java-example/pom.xml
+      run: mvn -B package -Dstyle.color=always --file key-attestation/java-example/pom.xml
       env:
         AMER_APP_API_KEY: ${{ secrets.AMER_APP_API_KEY }}
 

diff --git a/...ation/java-example/src/main/java/com/fortanix/keyattestationstatementverifier/Verify.java b/...ation/java-example/src/main/java/com/fortanix/keyattestationstatementverifier/Verify.java
@@ -102,7 +102,7 @@ public static void verify(List<X509Certificate> authorityChain, X509Certificate
             verify_cert_chain_signature(authorityChain, trustRootCa, verifyCrl);
         } catch (Exception e) {
             throw new KeyAttestationStatementVerifyException(
-                    "The signature in 'Fortanix DSM Key Attestation' certificate is invalid, " + e.toString());
+                    "Failed to verify signatures in `authorityChain`, " + e.toString());
         }
 
         CertChecker statementChecker = new KeyAttestationStatementCertChecker();
@@ -141,13 +141,14 @@ public static void verify_cert_chain_signature(List<X509Certificate> chain, X509
         // Because root CA does not contain CRL distribution point extension,
         // CertPathValidator will throw error when CRL revocation check is enabled.
         // As a result, root CA need to be removed from cert chain.
-        CertPath certPath = factory.generateCertPath(chain.subList(0, chain.size() - 1));
+        List<X509Certificate> modified_chain = chain.subList(0, chain.size() - 1);
+        CertPath certPath = factory.generateCertPath(modified_chain);
 
         // Set up TrustAnchor using the last certificate as the root certificate
         TrustAnchor trustAnchor = new TrustAnchor(trust_ca, null);
         Set<TrustAnchor> trustAnchors = Collections.singleton(trustAnchor);
 
-        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", "BC");
         PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
         rc.setOptions(EnumSet.of(
                 PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CLR over OCSP
@@ -160,7 +161,7 @@ public static void verify_cert_chain_signature(List<X509Certificate> chain, X509
         }
 
         // Validate CertPath
-        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
         try {
             validator.validate(certPath, pkixParams);
         } catch (CertPathValidatorException e) {

diff --git a/...n/java-example/src/test/java/com/fortanix/keyattestationstatementverifier/VerifyTest.java b/...n/java-example/src/test/java/com/fortanix/keyattestationstatementverifier/VerifyTest.java
@@ -73,9 +73,10 @@ public void verifyStatementFromPemWithoutCrlCheck() throws Exception {
         X509Certificate trusted = cert_chain.get(cert_chain.size() - 1);
         // because at time this code is written, CRL server is not setup, we turn of the
         // CRL check
-        KeyAttestationStatementVerifyException exception = assertThrows(KeyAttestationStatementVerifyException.class,
+        Exception exception = assertThrows(Exception.class,
                 () -> Verify.verify(authorityChain, cert_chain.get(0), trusted, false));
-        assertTrue("certificates should already expired", exception.toString().contains("validity check failed"));
+        assertTrue("certificates should already expired, exception: " + exception.toString(),
+                exception.toString().contains("certificate expired") || exception.toString().contains("NotAfter"));
     }
 
     /**
@@ -100,9 +101,10 @@ public void verifyStatementFromJsonWithoutCrlCheck() throws Exception {
         X509Certificate trusted = Verify.readBase64EncodedCertificate(authorityChain.get(authorityChain.size() - 1));
         // because at time this code is written, CRL server is not setup, we turn of the
         // CRL check
-        KeyAttestationStatementVerifyException exception = assertThrows(KeyAttestationStatementVerifyException.class,
+        Exception exception = assertThrows(Exception.class,
                 () -> Verify.verify(decodedResponse, trusted, false));
-        assertTrue("certificates should already expired", exception.toString().contains("validity check failed"));
+        assertTrue("certificates should already expired, exception: " + exception.toString(),
+                exception.toString().contains("certificate expired") || exception.toString().contains("NotAfter"));
     }
 
     /**