
Side by Side Diff: net/cert/internal/path_builder_pkits_unittest.cc

Issue 2907353002: Update PKITs test data to include "user_constrained_policy_set". (Closed)
Patch Set: re-run generator script Created 3 years, 6 months ago
1 // Copyright 2016 The Chromium Authors. All rights reserved. 1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/path_builder.h" 5 #include "net/cert/internal/path_builder.h"
6 6
7 #include "net/base/net_errors.h" 7 #include "net/base/net_errors.h"
8 #include "net/cert/internal/cert_issuer_source_static.h" 8 #include "net/cert/internal/cert_issuer_source_static.h"
9 #include "net/cert/internal/parse_certificate.h" 9 #include "net/cert/internal/parse_certificate.h"
10 #include "net/cert/internal/parsed_certificate.h" 10 #include "net/cert/internal/parsed_certificate.h"
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after
44 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 44 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5
45 45
46 #include "net/cert/internal/nist_pkits_unittest.h" 46 #include "net/cert/internal/nist_pkits_unittest.h"
47 47
48 namespace net { 48 namespace net {
49 49
50 namespace { 50 namespace {
51 51
52 class PathBuilderPkitsTestDelegate { 52 class PathBuilderPkitsTestDelegate {
53 public: 53 public:
54 static bool Verify(std::vector<std::string> cert_ders, 54 static void RunTest(std::vector<std::string> cert_ders,
55 std::vector<std::string> crl_ders, 55 std::vector<std::string> crl_ders,
56 const PkitsTestSettings& settings) { 56 const PkitsTestInfo& info) {
57 if (cert_ders.empty()) { 57 ASSERT_FALSE(cert_ders.empty());
58 ADD_FAILURE() << "cert_ders is empty";
59 return false;
60 }
61 ParsedCertificateList certs; 58 ParsedCertificateList certs;
62 for (const std::string& der : cert_ders) { 59 for (const std::string& der : cert_ders) {
63 CertErrors errors; 60 CertErrors errors;
64 if (!ParsedCertificate::CreateAndAddToVector( 61 ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector(
65 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( 62 bssl::UniquePtr<CRYPTO_BUFFER>(
66 reinterpret_cast<const uint8_t*>(der.data()), der.size(), 63 CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(der.data()),
67 nullptr)), 64 der.size(), nullptr)),
68 {}, &certs, &errors)) { 65 {}, &certs, &errors))
69 ADD_FAILURE() << "ParseCertificate::CreateAndAddToVector() failed:\n" 66 << errors.ToDebugString();
70 << errors.ToDebugString();
71 return false;
72 }
73 } 67 }
74 // First entry in the PKITS chain is the trust anchor. 68 // First entry in the PKITS chain is the trust anchor.
75 // TODO(mattm): test with all possible trust anchors in the trust store? 69 // TODO(mattm): test with all possible trust anchors in the trust store?
76 TrustStoreInMemory trust_store; 70 TrustStoreInMemory trust_store;
77 71
78 trust_store.AddTrustAnchor(certs[0]); 72 trust_store.AddTrustAnchor(certs[0]);
79 73
80 // TODO(mattm): test with other irrelevant certs in cert_issuer_sources? 74 // TODO(mattm): test with other irrelevant certs in cert_issuer_sources?
81 CertIssuerSourceStatic cert_issuer_source; 75 CertIssuerSourceStatic cert_issuer_source;
82 for (size_t i = 1; i < cert_ders.size() - 1; ++i) 76 for (size_t i = 1; i < cert_ders.size() - 1; ++i)
83 cert_issuer_source.AddCert(certs[i]); 77 cert_issuer_source.AddCert(certs[i]);
84 78
85 scoped_refptr<ParsedCertificate> target_cert(certs.back()); 79 scoped_refptr<ParsedCertificate> target_cert(certs.back());
86 80
87 SimpleSignaturePolicy signature_policy(1024); 81 SimpleSignaturePolicy signature_policy(1024);
88 82
89 // Run all tests at the time the PKITS was published.
90 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};
91
92 CertPathBuilder::Result result; 83 CertPathBuilder::Result result;
93 CertPathBuilder path_builder(std::move(target_cert), &trust_store, 84 CertPathBuilder path_builder(std::move(target_cert), &trust_store,
94 &signature_policy, time, KeyPurpose::ANY_EKU, 85 &signature_policy, info.time,
95 &result); 86 KeyPurpose::ANY_EKU, &result);
96 path_builder.AddCertIssuerSource(&cert_issuer_source); 87 path_builder.AddCertIssuerSource(&cert_issuer_source);
97 88
98 path_builder.Run(); 89 path_builder.Run();
99 90
100 return result.HasValidPath(); 91 ASSERT_EQ(info.should_validate, result.HasValidPath());
101 } 92 }
102 }; 93 };
103 94
104 } // namespace 95 } // namespace
105 96
106 class PkitsTest01SignatureVerificationCustomPathBuilderFoo 97 class PkitsTest01SignatureVerificationCustomPathBuilderFoo
107 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; 98 : public PkitsTest<PathBuilderPkitsTestDelegate> {};
108 99
109 // Modified version of 4.1.4 Valid DSA Signatures Test4 100 // Modified version of 4.1.4 Valid DSA Signatures Test4
110 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, 101 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo,
111 Section1ValidDSASignaturesTest4Custom) { 102 Section1ValidDSASignaturesTest4Custom) {
112 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", 103 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
113 "ValidDSASignaturesTest4EE"}; 104 "ValidDSASignaturesTest4EE"};
114 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; 105 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"};
115 // DSA signatures are intentionally unsupported. 106 // DSA signatures are intentionally unsupported.
116 ASSERT_FALSE(this->Verify(certs, crls, {})); 107 PkitsTestInfo info;
108 info.should_validate = false;
109
110 this->RunTest(certs, crls, info);
117 } 111 }
118 112
119 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 113 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5
120 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, 114 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo,
121 Section1ValidDSAParameterInheritanceTest5Custom) { 115 Section1ValidDSAParameterInheritanceTest5Custom) {
122 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", 116 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
123 "DSAParametersInheritedCACert", 117 "DSAParametersInheritedCACert",
124 "ValidDSAParameterInheritanceTest5EE"}; 118 "ValidDSAParameterInheritanceTest5EE"};
125 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", 119 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL",
126 "DSAParametersInheritedCACRL"}; 120 "DSAParametersInheritedCACRL"};
127 // DSA signatures are intentionally unsupported. 121 // DSA signatures are intentionally unsupported.
128 ASSERT_FALSE(this->Verify(certs, crls, {})); 122 PkitsTestInfo info;
123 info.should_validate = false;
124
125 this->RunTest(certs, crls, info);
129 } 126 }
130 127
131 class PkitsTest13SignatureVerificationCustomPathBuilderFoo 128 class PkitsTest13SignatureVerificationCustomPathBuilderFoo
132 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; 129 : public PkitsTest<PathBuilderPkitsTestDelegate> {};
133 130
134 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 131 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21
135 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, 132 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
136 Section13ValidRFC822nameConstraintsTest21Custom) { 133 Section13ValidRFC822nameConstraintsTest21Custom) {
137 const char* const certs[] = {"TrustAnchorRootCertificate", 134 const char* const certs[] = {"TrustAnchorRootCertificate",
138 "nameConstraintsRFC822CA1Cert", 135 "nameConstraintsRFC822CA1Cert",
139 "ValidRFC822nameConstraintsTest21EE"}; 136 "ValidRFC822nameConstraintsTest21EE"};
140 const char* const crls[] = {"TrustAnchorRootCRL", 137 const char* const crls[] = {"TrustAnchorRootCRL",
141 "nameConstraintsRFC822CA1CRL"}; 138 "nameConstraintsRFC822CA1CRL"};
142 // Name constraints on rfc822Names are not supported. 139 // Name constraints on rfc822Names are not supported.
143 ASSERT_FALSE(this->Verify(certs, crls, {})); 140 PkitsTestInfo info;
141 info.should_validate = false;
142
143 this->RunTest(certs, crls, info);
144 } 144 }
145 145
146 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 146 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23
147 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, 147 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
148 Section13ValidRFC822nameConstraintsTest23Custom) { 148 Section13ValidRFC822nameConstraintsTest23Custom) {
149 const char* const certs[] = {"TrustAnchorRootCertificate", 149 const char* const certs[] = {"TrustAnchorRootCertificate",
150 "nameConstraintsRFC822CA2Cert", 150 "nameConstraintsRFC822CA2Cert",
151 "ValidRFC822nameConstraintsTest23EE"}; 151 "ValidRFC822nameConstraintsTest23EE"};
152 const char* const crls[] = {"TrustAnchorRootCRL", 152 const char* const crls[] = {"TrustAnchorRootCRL",
153 "nameConstraintsRFC822CA2CRL"}; 153 "nameConstraintsRFC822CA2CRL"};
154 // Name constraints on rfc822Names are not supported. 154 // Name constraints on rfc822Names are not supported.
155 ASSERT_FALSE(this->Verify(certs, crls, {})); 155 PkitsTestInfo info;
156 info.should_validate = false;
157
158 this->RunTest(certs, crls, info);
156 } 159 }
157 160
158 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 161 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25
159 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, 162 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
160 Section13ValidRFC822nameConstraintsTest25Custom) { 163 Section13ValidRFC822nameConstraintsTest25Custom) {
161 const char* const certs[] = {"TrustAnchorRootCertificate", 164 const char* const certs[] = {"TrustAnchorRootCertificate",
162 "nameConstraintsRFC822CA3Cert", 165 "nameConstraintsRFC822CA3Cert",
163 "ValidRFC822nameConstraintsTest25EE"}; 166 "ValidRFC822nameConstraintsTest25EE"};
164 const char* const crls[] = {"TrustAnchorRootCRL", 167 const char* const crls[] = {"TrustAnchorRootCRL",
165 "nameConstraintsRFC822CA3CRL"}; 168 "nameConstraintsRFC822CA3CRL"};
166 // Name constraints on rfc822Names are not supported. 169 // Name constraints on rfc822Names are not supported.
167 ASSERT_FALSE(this->Verify(certs, crls, {})); 170 PkitsTestInfo info;
171 info.should_validate = false;
172
173 this->RunTest(certs, crls, info);
168 } 174 }
169 175
170 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 176 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27
171 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, 177 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
172 Section13ValidDNandRFC822nameConstraintsTest27Custom) { 178 Section13ValidDNandRFC822nameConstraintsTest27Custom) {
173 const char* const certs[] = {"TrustAnchorRootCertificate", 179 const char* const certs[] = {"TrustAnchorRootCertificate",
174 "nameConstraintsDN1CACert", 180 "nameConstraintsDN1CACert",
175 "nameConstraintsDN1subCA3Cert", 181 "nameConstraintsDN1subCA3Cert",
176 "ValidDNandRFC822nameConstraintsTest27EE"}; 182 "ValidDNandRFC822nameConstraintsTest27EE"};
177 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", 183 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL",
178 "nameConstraintsDN1subCA3CRL"}; 184 "nameConstraintsDN1subCA3CRL"};
179 // Name constraints on rfc822Names are not supported. 185 // Name constraints on rfc822Names are not supported.
180 ASSERT_FALSE(this->Verify(certs, crls, {})); 186 PkitsTestInfo info;
187 info.should_validate = false;
188
189 this->RunTest(certs, crls, info);
181 } 190 }
182 191
183 // Modified version of 4.13.34 Valid URI nameConstraints Test34 192 // Modified version of 4.13.34 Valid URI nameConstraints Test34
184 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, 193 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
185 Section13ValidURInameConstraintsTest34Custom) { 194 Section13ValidURInameConstraintsTest34Custom) {
186 const char* const certs[] = {"TrustAnchorRootCertificate", 195 const char* const certs[] = {"TrustAnchorRootCertificate",
187 "nameConstraintsURI1CACert", 196 "nameConstraintsURI1CACert",
188 "ValidURInameConstraintsTest34EE"}; 197 "ValidURInameConstraintsTest34EE"};
189 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; 198 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"};
190 // Name constraints on uniformResourceIdentifiers are not supported. 199 // Name constraints on uniformResourceIdentifiers are not supported.
191 ASSERT_FALSE(this->Verify(certs, crls, {})); 200 PkitsTestInfo info;
201 info.should_validate = false;
202
203 this->RunTest(certs, crls, info);
192 } 204 }
193 205
194 // Modified version of 4.13.36 Valid URI nameConstraints Test36 206 // Modified version of 4.13.36 Valid URI nameConstraints Test36
195 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, 207 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
196 Section13ValidURInameConstraintsTest36Custom) { 208 Section13ValidURInameConstraintsTest36Custom) {
197 const char* const certs[] = {"TrustAnchorRootCertificate", 209 const char* const certs[] = {"TrustAnchorRootCertificate",
198 "nameConstraintsURI2CACert", 210 "nameConstraintsURI2CACert",
199 "ValidURInameConstraintsTest36EE"}; 211 "ValidURInameConstraintsTest36EE"};
200 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; 212 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"};
201 // Name constraints on uniformResourceIdentifiers are not supported. 213 // Name constraints on uniformResourceIdentifiers are not supported.
202 ASSERT_FALSE(this->Verify(certs, crls, {})); 214 PkitsTestInfo info;
215 info.should_validate = false;
216
217 this->RunTest(certs, crls, info);
203 } 218 }
204 219
205 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, 220 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder,
206 PkitsTest01SignatureVerification, 221 PkitsTest01SignatureVerification,
207 PathBuilderPkitsTestDelegate); 222 PathBuilderPkitsTestDelegate);
208 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, 223 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder,
209 PkitsTest02ValidityPeriods, 224 PkitsTest02ValidityPeriods,
210 PathBuilderPkitsTestDelegate); 225 PathBuilderPkitsTestDelegate);
211 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, 226 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder,
212 PkitsTest03VerifyingNameChaining, 227 PkitsTest03VerifyingNameChaining,
(...skipping 13 matching lines...) Expand all
226 241
227 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, 242 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests,
228 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, 243 // PkitsTest05VerifyingPathswithSelfIssuedCertificates,
229 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs 244 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
230 245
231 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, 246 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies,
232 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, 247 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings,
233 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy 248 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy
234 249
235 } // namespace net 250 } // namespace net
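Review bot: The custom negative tests (the two DSA cases and the rfc822Name/URI nameConstraints cases, new lines 107-217) pass whenever path building fails for any reason, because `RunTest` only compares `info.should_validate` with `result.HasValidPath()`. With the hard-coded PKITS publication time removed from the delegate, they also depend on whatever `PkitsTestInfo` default-initialises `time` to, which is not visible in this file. If that default were ever outside the certificates' validity window, these tests would still pass without exercising the DSA or nameConstraints rejection they are named for. Consider asserting the expected failure reason in the custom tests, and at minimum document the dependency above the final assertion in `RunTest`, e.g. `// Negative cases pass on any failure; info.time must fall inside the PKITS validity window for the result to be meaningful.`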