
BA/MA: Extension of Combinatorial Testing Framework for X.509 Certificates

17.06.2025


X.509 certificates are used in TLS connections to verify the identity of clients and servers. To this end, clients and servers have to check whether a certificate is valid and correctly signed. This makes X.509 certificates an important target for further testing. As for TLS, we have already built a framework for combinatorial testing of X.509 certificates, called X.509 Anvil. Your task will be to extend this framework. Here are some possible directions:

Revocation Handling. Clients and servers can verify whether a specific certificate has been revoked by the issuing certificate authority. Two known and used revocation mechanisms are OCSP and CRL. In this direction, you should evaluate different TLS server applications for their (in)correct handling of certificate revocation with OCSP and CRL and implement the corresponding test cases for the framework (and possible extensions to our X.509 Attacker, which is used by X.509 Anvil).

More Extension Support. Currently supported extensions are: KeyUsage, BasicConstraints, SubjectKeyIdentifier, and AuthorityKeyIdentifier. These are implemented in X.509 Attacker and have existing tests in our X.509 Anvil. Your task is to implement more extensions in X.509 Attacker and create test cases for them in our framework (based on MUST statements from the RFC). Interesting extensions for this would be, for example, the ExtendedKeyUsage and the SubjectAlternativeNames. Afterwards, TLS client / server implementations should be tested for their (in)correct handling of the test cases.

 

What to bring:

- Programming Knowledge (Java)
- Interest in TLS/X.509
- Willingness to get used to Java Frameworks

What to gain:
- TLS-Anvil has been published at a Tier 1 conference for IT security and is part of an industry collaboration, so you will be working on current research topics with real-world impact

Contact

Felix Lange

System Security

Niklas Niere

System Security

+49 5251 60-6705

Prof. Dr.-Ing. Juraj Somorovsky

System Security

+49 5251 60-6690

System Security

Warburger Str. 100
33098 Paderborn
Germany
