|
| 1 | + |
| 2 | +// Copyright 2026 Keyfactor |
| 3 | +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. |
| 4 | +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 |
| 5 | +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, |
| 6 | +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions |
| 7 | +// and limitations under the License. |
| 8 | + |
| 9 | +using System.Collections.Generic; |
| 10 | +using System.IO; |
| 11 | +using System.Text; |
| 12 | +using FluentAssertions; |
| 13 | +using Keyfactor.Extensions.Orchestrator.Aws.Acm.Jobs; |
| 14 | +using Org.BouncyCastle.OpenSsl; |
| 15 | +using Org.BouncyCastle.Pkcs; |
| 16 | +using Org.BouncyCastle.X509; |
| 17 | +using Xunit; |
| 18 | + |
| 19 | +namespace Keyfactor.Extensions.Orchestrator.Aws.Acm.Tests |
| 20 | +{ |
| 21 | + /// <summary> |
| 22 | + /// Covers <see cref="Management.GetChain"/>. The leaf/end-entity certificate is sent to ACM |
| 23 | + /// separately as the Certificate body of the ImportCertificateRequest, so it must NOT appear in |
| 24 | + /// the CertificateChain. Including it caused the leaf to show up twice within a published |
| 25 | + /// certificate's chain - the bug these tests guard against. |
| 26 | + /// </summary> |
| 27 | + public class GetChainTests |
| 28 | + { |
| 29 | + private const string KeyAlias = "leaf-entry"; |
| 30 | + |
| 31 | + [Fact] |
| 32 | + public void GetChain_LeafAndRoot_ReturnsOnlyTheRoot_NotTheLeaf() |
| 33 | + { |
| 34 | + // Root signs the leaf directly; the PKCS#12 chain is [leaf, root]. |
| 35 | + var (root, rootKeyPair) = BcCertFactory.CreateSelfSigned("Test Root CA"); |
| 36 | + var leafKeyPair = BcCertFactory.GenerateRsaKeyPair(); |
| 37 | + var leaf = BcCertFactory.CreateCertificate("Test Leaf", "Test Root CA", leafKeyPair.Public, rootKeyPair.Private); |
| 38 | + |
| 39 | + var store = BcCertFactory.BuildStore(KeyAlias, leafKeyPair.Private, leaf, root); |
| 40 | + |
| 41 | + var subjects = ReadChainSubjects(store, KeyAlias); |
| 42 | + |
| 43 | + subjects.Should().ContainSingle().Which.Should().Be("CN=Test Root CA"); |
| 44 | + subjects.Should().NotContain("CN=Test Leaf"); |
| 45 | + } |
| 46 | + |
| 47 | + [Fact] |
| 48 | + public void GetChain_LeafIntermediateAndRoot_ReturnsIntermediateAndRoot_InOrder_WithoutLeaf() |
| 49 | + { |
| 50 | + // Root -> Intermediate -> Leaf; the PKCS#12 chain is [leaf, intermediate, root]. |
| 51 | + var (root, rootKeyPair) = BcCertFactory.CreateSelfSigned("Test Root CA"); |
| 52 | + var intermediateKeyPair = BcCertFactory.GenerateRsaKeyPair(); |
| 53 | + var intermediate = BcCertFactory.CreateCertificate("Test Intermediate CA", "Test Root CA", intermediateKeyPair.Public, rootKeyPair.Private); |
| 54 | + var leafKeyPair = BcCertFactory.GenerateRsaKeyPair(); |
| 55 | + var leaf = BcCertFactory.CreateCertificate("Test Leaf", "Test Intermediate CA", leafKeyPair.Public, intermediateKeyPair.Private); |
| 56 | + |
| 57 | + var store = BcCertFactory.BuildStore(KeyAlias, leafKeyPair.Private, leaf, intermediate, root); |
| 58 | + |
| 59 | + var subjects = ReadChainSubjects(store, KeyAlias); |
| 60 | + |
| 61 | + subjects.Should().Equal("CN=Test Intermediate CA", "CN=Test Root CA"); |
| 62 | + subjects.Should().NotContain("CN=Test Leaf"); |
| 63 | + } |
| 64 | + |
| 65 | + [Fact] |
| 66 | + public void GetChain_LeafOnly_ReturnsNull() |
| 67 | + { |
| 68 | + // A self-signed leaf with no issuers above it: nothing to send as a chain. |
| 69 | + var leafKeyPair = BcCertFactory.GenerateRsaKeyPair(); |
| 70 | + var leaf = BcCertFactory.CreateCertificate("Test Leaf", "Test Leaf", leafKeyPair.Public, leafKeyPair.Private); |
| 71 | + |
| 72 | + var store = BcCertFactory.BuildStore(KeyAlias, leafKeyPair.Private, leaf); |
| 73 | + |
| 74 | + MemoryStream chainStream = Management.GetChain(store, KeyAlias); |
| 75 | + |
| 76 | + chainStream.Should().BeNull("a leaf-only PFX has no intermediates, so the chain must be omitted rather than sent empty"); |
| 77 | + } |
| 78 | + |
| 79 | + // Invokes the production GetChain and parses the PEM it produces back into subject DNs. |
| 80 | + private static List<string> ReadChainSubjects(Pkcs12Store store, string alias) |
| 81 | + { |
| 82 | + using (MemoryStream chainStream = Management.GetChain(store, alias)) |
| 83 | + { |
| 84 | + chainStream.Should().NotBeNull("a chain containing intermediates should produce PEM output"); |
| 85 | + |
| 86 | + string pem = Encoding.ASCII.GetString(chainStream.ToArray()); |
| 87 | + |
| 88 | + var subjects = new List<string>(); |
| 89 | + using (var reader = new StringReader(pem)) |
| 90 | + { |
| 91 | + var pemReader = new PemReader(reader); |
| 92 | + object parsed; |
| 93 | + while ((parsed = pemReader.ReadObject()) != null) |
| 94 | + { |
| 95 | + if (parsed is X509Certificate certificate) |
| 96 | + { |
| 97 | + subjects.Add(certificate.SubjectDN.ToString()); |
| 98 | + } |
| 99 | + } |
| 100 | + } |
| 101 | + |
| 102 | + return subjects; |
| 103 | + } |
| 104 | + } |
| 105 | + } |
| 106 | +} |
0 commit comments