From e3d8566844142a1a358616fc3086b674ffbc4329 Mon Sep 17 00:00:00 2001
From: Damian Duesentrieb
Date: Fri, 20 Nov 2015 21:18:45 +0100
Subject: [PATCH] Added test: CA must reject CSRs with invalid signatures.

---
 ca/certificate-authority_test.go      | 20 ++++++++++++++++++++
 ca/testdata/invalid_signature.der.csr | Bin 0 -> 771 bytes
 2 files changed, 20 insertions(+)
 create mode 100644 ca/testdata/invalid_signature.der.csr

diff --git a/ca/certificate-authority_test.go b/ca/certificate-authority_test.go
index 4c3b3d23a..75b81cdd1 100644
--- a/ca/certificate-authority_test.go
+++ b/ca/certificate-authority_test.go
@@ -90,6 +90,10 @@ var (
 	// * DNSNames = moreCAPs.com, morecaps.com, evenMOREcaps.com, Capitalizedletters.COM
 	CapitalizedCSR = mustRead("./testdata/capitalized_cn_and_san.der.csr")
 
+	// CSR generated by OpenSSL:
+	// Edited signature to become invalid.
+	WrongSignatureCSR = mustRead("./testdata/invalid_signature.der.csr")
+
 	log = mocks.UseMockLog()
 )
 
@@ -411,6 +415,22 @@ func TestCapitalizedLetters(t *testing.T) {
 	test.AssertDeepEquals(t, expected, parsedCert.DNSNames)
 }
 
+func TestWrongSignature(t *testing.T) {
+	ctx := setup(t)
+	defer ctx.cleanUp()
+	ctx.caConfig.MaxNames = 3
+	ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCertFile)
+	ca.Publisher = &mocks.Publisher{}
+	ca.PA = ctx.pa
+	ca.SA = ctx.sa
+
+	// x509.ParseCertificateRequest() does not check for invalid signatures...
+	csr, _ := x509.ParseCertificateRequest(WrongSignatureCSR)
+
+	_, err = ca.IssueCertificate(*csr, ctx.reg.ID)
+	test.AssertError(t, err, "Issued a certificate based on a CSR with an invalid signature.")
+}
+
 func TestHSMFaultTimeout(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
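Review bot: The comment on WrongSignatureCSR does not say how the fixture was made invalid, so a reader cannot tell whether it is still well-formed DER (the new test dereferences the parsed CSR without checking the parse error, so it has to be) or regenerate it if the test keys ever change. Presumably only the signature value was altered; if so, say it: `// CSR generated by OpenSSL, then the signature value was altered by hand: the DER still parses but the signature no longer verifies over the request body.` The enclosing var block starts and ends outside the hunk.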
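Review bot: In TestWrongSignature the `err` from NewCertificateAuthorityImpl is never checked before `ca.Publisher` is assigned, and the error from x509.ParseCertificateRequest is discarded, so if either fails the test dies on a nil-pointer dereference instead of reporting the cause; the CA constructor's error is then silently overwritten by the IssueCertificate result. Failing fast on both keeps the final AssertError meaningful. Separately, AssertError passes on any error, so the test would still pass if issuance were rejected for an unrelated reason (for instance a policy or name-count check rather than the signature check); if the CA returns a distinct error for a failed CSR signature verification, asserting on that would pin the behaviour this test is meant to cover. The rest of the file continues outside the hunk.

```go
	ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCertFile)
	if err != nil {
		t.Fatalf("creating certificate authority: %v", err)
	}
	// … unchanged: Publisher/PA/SA wiring …
	csr, err := x509.ParseCertificateRequest(WrongSignatureCSR)
	if err != nil {
		t.Fatalf("parsing test CSR: %v", err)
	}
	// … unchanged: IssueCertificate call and AssertError …
```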
diff --git a/ca/testdata/invalid_signature.der.csr b/ca/testdata/invalid_signature.der.csr new file mode 100644 index 0000000000000000000000000000000000000000..dc76844ae6013c3b17b21f5d0ee936bcd07e1faf GIT binary patch literal 771 zcmXqLV)}2;#Q2o1z0T+nF!Ncqq6mBSJzz^cF^Kkf< zrsfrwq!t-U8%TnLxOjw|{cJN*b8_tzDG>u9 zkQ6fycWOmqZb42eScANQEE}g*n@8JsUPewvF@fB~%p3-RiK=)_5FUWW{r}Ti%W{^d)A!PVY^tjfW5f7{l?>ChL4V% z{r-Tl&sx&<#-f(q|Ere@*T1p8TB)`zd-Am@`~R?<&1IRf>&~j(YI9^S=I^__NXa2Y zR@hK)FXQt69h}E2tUMEsT7A65&2nb;Jk6WjZVx?lu8KWRS>^rp`rpHgb2lto_hZ-8 zzXB#}B2(vE$^HC2x9+6fk7!ZuwAnh9YiBK*u0K_6+G4Agcj*~#j(OROpKi$7m?xR~ z_ra`sP92s_?U&x3SU7L0DC6uunoP`$42%n845Z*;#K~mH%fp>gnp&Kis^FQItcM(a z+~DwIWbk`AJ-^eAH?d{sfA;NyX{#2$_BCL0VVdVMkwwXDIWI$LZ|CXPm-2)ir<`Ut z->+=v`qM_xk?pmX^3q9elOL;kUzjL#;PH*xprgL)8`=J&0rS{a)_E}^y|H)2%4FWn z{1+T*exA3>f0Id*>+zS?Cqh0{8v8c>Ir3$>URb#Ff+-f)V+Go5CZ1jG{`aA*fm)gP z61KZ>W*aXZ)Z4^u&8pEKY%qEM{#}<9B-3u}RIBQnweH)r{^;$Scb|{gweqB+W8|dH zJ~?B#zZKgacqM=NXyNpq+hRt=n;@Ux=Y(9BtY5~wYQE@Bo@?pMf(1w8dE{gnR#%<* F2>`j*Jof+q literal 0 HcmV?d00001