| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "net/base/net_errors.h" | 7 #include "net/base/net_errors.h" |
| 8 #include "net/cert/internal/cert_issuer_source_static.h" | 8 #include "net/cert/internal/cert_issuer_source_static.h" |
| 9 #include "net/cert/internal/parse_certificate.h" | 9 #include "net/cert/internal/parse_certificate.h" |
| 10 #include "net/cert/internal/parsed_certificate.h" | 10 #include "net/cert/internal/parsed_certificate.h" |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 44 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 44 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
| 45 | 45 |
| 46 #include "net/cert/internal/nist_pkits_unittest.h" | 46 #include "net/cert/internal/nist_pkits_unittest.h" |
| 47 | 47 |
| 48 namespace net { | 48 namespace net { |
| 49 | 49 |
| 50 namespace { | 50 namespace { |
| 51 | 51 |
| 52 class PathBuilderPkitsTestDelegate { | 52 class PathBuilderPkitsTestDelegate { |
| 53 public: | 53 public: |
| 54 static bool Verify(std::vector<std::string> cert_ders, | 54 static void RunTest(std::vector<std::string> cert_ders, |
| 55 std::vector<std::string> crl_ders, | 55 std::vector<std::string> crl_ders, |
| 56 const PkitsTestSettings& settings) { | 56 const PkitsTestInfo& info) { |
| 57 if (cert_ders.empty()) { | 57 ASSERT_FALSE(cert_ders.empty()); |
| 58 ADD_FAILURE() << "cert_ders is empty"; | |
| 59 return false; | |
| 60 } | |
| 61 ParsedCertificateList certs; | 58 ParsedCertificateList certs; |
| 62 for (const std::string& der : cert_ders) { | 59 for (const std::string& der : cert_ders) { |
| 63 CertErrors errors; | 60 CertErrors errors; |
| 64 if (!ParsedCertificate::CreateAndAddToVector( | 61 ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector( |
| 65 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( | 62 bssl::UniquePtr<CRYPTO_BUFFER>( |
| 66 reinterpret_cast<const uint8_t*>(der.data()), der.size(), | 63 CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(der.data()), |
| 67 nullptr)), | 64 der.size(), nullptr)), |
| 68 {}, &certs, &errors)) { | 65 {}, &certs, &errors)) |
| 69 ADD_FAILURE() << "ParseCertificate::CreateAndAddToVector() failed:\n" | 66 << errors.ToDebugString(); |
| 70 << errors.ToDebugString(); | |
| 71 return false; | |
| 72 } | |
| 73 } | 67 } |
| 74 // First entry in the PKITS chain is the trust anchor. | 68 // First entry in the PKITS chain is the trust anchor. |
| 75 // TODO(mattm): test with all possible trust anchors in the trust store? | 69 // TODO(mattm): test with all possible trust anchors in the trust store? |
| 76 TrustStoreInMemory trust_store; | 70 TrustStoreInMemory trust_store; |
| 77 | 71 |
| 78 trust_store.AddTrustAnchor(certs[0]); | 72 trust_store.AddTrustAnchor(certs[0]); |
| 79 | 73 |
| 80 // TODO(mattm): test with other irrelevant certs in cert_issuer_sources? | 74 // TODO(mattm): test with other irrelevant certs in cert_issuer_sources? |
| 81 CertIssuerSourceStatic cert_issuer_source; | 75 CertIssuerSourceStatic cert_issuer_source; |
| 82 for (size_t i = 1; i < cert_ders.size() - 1; ++i) | 76 for (size_t i = 1; i < cert_ders.size() - 1; ++i) |
| 83 cert_issuer_source.AddCert(certs[i]); | 77 cert_issuer_source.AddCert(certs[i]); |
| 84 | 78 |
| 85 scoped_refptr<ParsedCertificate> target_cert(certs.back()); | 79 scoped_refptr<ParsedCertificate> target_cert(certs.back()); |
| 86 | 80 |
| 87 SimpleSignaturePolicy signature_policy(1024); | 81 SimpleSignaturePolicy signature_policy(1024); |
| 88 | 82 |
| 89 // Run all tests at the time the PKITS was published. | |
| 90 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; | |
| 91 | |
| 92 CertPathBuilder::Result result; | 83 CertPathBuilder::Result result; |
| 93 CertPathBuilder path_builder(std::move(target_cert), &trust_store, | 84 CertPathBuilder path_builder(std::move(target_cert), &trust_store, |
| 94 &signature_policy, time, KeyPurpose::ANY_EKU, | 85 &signature_policy, info.time, |
| 95 &result); | 86 KeyPurpose::ANY_EKU, &result); |
| 96 path_builder.AddCertIssuerSource(&cert_issuer_source); | 87 path_builder.AddCertIssuerSource(&cert_issuer_source); |
| 97 | 88 |
| 98 path_builder.Run(); | 89 path_builder.Run(); |
| 99 | 90 |
| 100 return result.HasValidPath(); | 91 ASSERT_EQ(info.should_validate, result.HasValidPath()); |
| 101 } | 92 } |
| 102 }; | 93 }; |
| 103 | 94 |
| 104 } // namespace | 95 } // namespace |
| 105 | 96 |
| 106 class PkitsTest01SignatureVerificationCustomPathBuilderFoo | 97 class PkitsTest01SignatureVerificationCustomPathBuilderFoo |
| 107 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; | 98 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
| 108 | 99 |
| 109 // Modified version of 4.1.4 Valid DSA Signatures Test4 | 100 // Modified version of 4.1.4 Valid DSA Signatures Test4 |
| 110 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, | 101 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
| 111 Section1ValidDSASignaturesTest4Custom) { | 102 Section1ValidDSASignaturesTest4Custom) { |
| 112 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 103 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
| 113 "ValidDSASignaturesTest4EE"}; | 104 "ValidDSASignaturesTest4EE"}; |
| 114 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | 105 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; |
| 115 // DSA signatures are intentionally unsupported. | 106 // DSA signatures are intentionally unsupported. |
| 116 ASSERT_FALSE(this->Verify(certs, crls, {})); | 107 PkitsTestInfo info; |
| 108 info.should_validate = false; |
| 109 |
| 110 this->RunTest(certs, crls, info); |
| 117 } | 111 } |
| 118 | 112 |
| 119 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | 113 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 |
| 120 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, | 114 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
| 121 Section1ValidDSAParameterInheritanceTest5Custom) { | 115 Section1ValidDSAParameterInheritanceTest5Custom) { |
| 122 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 116 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
| 123 "DSAParametersInheritedCACert", | 117 "DSAParametersInheritedCACert", |
| 124 "ValidDSAParameterInheritanceTest5EE"}; | 118 "ValidDSAParameterInheritanceTest5EE"}; |
| 125 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | 119 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", |
| 126 "DSAParametersInheritedCACRL"}; | 120 "DSAParametersInheritedCACRL"}; |
| 127 // DSA signatures are intentionally unsupported. | 121 // DSA signatures are intentionally unsupported. |
| 128 ASSERT_FALSE(this->Verify(certs, crls, {})); | 122 PkitsTestInfo info; |
| 123 info.should_validate = false; |
| 124 |
| 125 this->RunTest(certs, crls, info); |
| 129 } | 126 } |
| 130 | 127 |
| 131 class PkitsTest13SignatureVerificationCustomPathBuilderFoo | 128 class PkitsTest13SignatureVerificationCustomPathBuilderFoo |
| 132 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; | 129 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
| 133 | 130 |
| 134 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | 131 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 |
| 135 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | 132 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 136 Section13ValidRFC822nameConstraintsTest21Custom) { | 133 Section13ValidRFC822nameConstraintsTest21Custom) { |
| 137 const char* const certs[] = {"TrustAnchorRootCertificate", | 134 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 138 "nameConstraintsRFC822CA1Cert", | 135 "nameConstraintsRFC822CA1Cert", |
| 139 "ValidRFC822nameConstraintsTest21EE"}; | 136 "ValidRFC822nameConstraintsTest21EE"}; |
| 140 const char* const crls[] = {"TrustAnchorRootCRL", | 137 const char* const crls[] = {"TrustAnchorRootCRL", |
| 141 "nameConstraintsRFC822CA1CRL"}; | 138 "nameConstraintsRFC822CA1CRL"}; |
| 142 // Name constraints on rfc822Names are not supported. | 139 // Name constraints on rfc822Names are not supported. |
| 143 ASSERT_FALSE(this->Verify(certs, crls, {})); | 140 PkitsTestInfo info; |
| 141 info.should_validate = false; |
| 142 |
| 143 this->RunTest(certs, crls, info); |
| 144 } | 144 } |
| 145 | 145 |
| 146 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | 146 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 |
| 147 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | 147 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 148 Section13ValidRFC822nameConstraintsTest23Custom) { | 148 Section13ValidRFC822nameConstraintsTest23Custom) { |
| 149 const char* const certs[] = {"TrustAnchorRootCertificate", | 149 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 150 "nameConstraintsRFC822CA2Cert", | 150 "nameConstraintsRFC822CA2Cert", |
| 151 "ValidRFC822nameConstraintsTest23EE"}; | 151 "ValidRFC822nameConstraintsTest23EE"}; |
| 152 const char* const crls[] = {"TrustAnchorRootCRL", | 152 const char* const crls[] = {"TrustAnchorRootCRL", |
| 153 "nameConstraintsRFC822CA2CRL"}; | 153 "nameConstraintsRFC822CA2CRL"}; |
| 154 // Name constraints on rfc822Names are not supported. | 154 // Name constraints on rfc822Names are not supported. |
| 155 ASSERT_FALSE(this->Verify(certs, crls, {})); | 155 PkitsTestInfo info; |
| 156 info.should_validate = false; |
| 157 |
| 158 this->RunTest(certs, crls, info); |
| 156 } | 159 } |
| 157 | 160 |
| 158 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | 161 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 |
| 159 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | 162 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 160 Section13ValidRFC822nameConstraintsTest25Custom) { | 163 Section13ValidRFC822nameConstraintsTest25Custom) { |
| 161 const char* const certs[] = {"TrustAnchorRootCertificate", | 164 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 162 "nameConstraintsRFC822CA3Cert", | 165 "nameConstraintsRFC822CA3Cert", |
| 163 "ValidRFC822nameConstraintsTest25EE"}; | 166 "ValidRFC822nameConstraintsTest25EE"}; |
| 164 const char* const crls[] = {"TrustAnchorRootCRL", | 167 const char* const crls[] = {"TrustAnchorRootCRL", |
| 165 "nameConstraintsRFC822CA3CRL"}; | 168 "nameConstraintsRFC822CA3CRL"}; |
| 166 // Name constraints on rfc822Names are not supported. | 169 // Name constraints on rfc822Names are not supported. |
| 167 ASSERT_FALSE(this->Verify(certs, crls, {})); | 170 PkitsTestInfo info; |
| 171 info.should_validate = false; |
| 172 |
| 173 this->RunTest(certs, crls, info); |
| 168 } | 174 } |
| 169 | 175 |
| 170 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | 176 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 |
| 171 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | 177 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 172 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | 178 Section13ValidDNandRFC822nameConstraintsTest27Custom) { |
| 173 const char* const certs[] = {"TrustAnchorRootCertificate", | 179 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 174 "nameConstraintsDN1CACert", | 180 "nameConstraintsDN1CACert", |
| 175 "nameConstraintsDN1subCA3Cert", | 181 "nameConstraintsDN1subCA3Cert", |
| 176 "ValidDNandRFC822nameConstraintsTest27EE"}; | 182 "ValidDNandRFC822nameConstraintsTest27EE"}; |
| 177 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | 183 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", |
| 178 "nameConstraintsDN1subCA3CRL"}; | 184 "nameConstraintsDN1subCA3CRL"}; |
| 179 // Name constraints on rfc822Names are not supported. | 185 // Name constraints on rfc822Names are not supported. |
| 180 ASSERT_FALSE(this->Verify(certs, crls, {})); | 186 PkitsTestInfo info; |
| 187 info.should_validate = false; |
| 188 |
| 189 this->RunTest(certs, crls, info); |
| 181 } | 190 } |
| 182 | 191 |
| 183 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | 192 // Modified version of 4.13.34 Valid URI nameConstraints Test34 |
| 184 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | 193 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 185 Section13ValidURInameConstraintsTest34Custom) { | 194 Section13ValidURInameConstraintsTest34Custom) { |
| 186 const char* const certs[] = {"TrustAnchorRootCertificate", | 195 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 187 "nameConstraintsURI1CACert", | 196 "nameConstraintsURI1CACert", |
| 188 "ValidURInameConstraintsTest34EE"}; | 197 "ValidURInameConstraintsTest34EE"}; |
| 189 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | 198 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; |
| 190 // Name constraints on uniformResourceIdentifiers are not supported. | 199 // Name constraints on uniformResourceIdentifiers are not supported. |
| 191 ASSERT_FALSE(this->Verify(certs, crls, {})); | 200 PkitsTestInfo info; |
| 201 info.should_validate = false; |
| 202 |
| 203 this->RunTest(certs, crls, info); |
| 192 } | 204 } |
| 193 | 205 |
| 194 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | 206 // Modified version of 4.13.36 Valid URI nameConstraints Test36 |
| 195 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | 207 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 196 Section13ValidURInameConstraintsTest36Custom) { | 208 Section13ValidURInameConstraintsTest36Custom) { |
| 197 const char* const certs[] = {"TrustAnchorRootCertificate", | 209 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 198 "nameConstraintsURI2CACert", | 210 "nameConstraintsURI2CACert", |
| 199 "ValidURInameConstraintsTest36EE"}; | 211 "ValidURInameConstraintsTest36EE"}; |
| 200 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | 212 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; |
| 201 // Name constraints on uniformResourceIdentifiers are not supported. | 213 // Name constraints on uniformResourceIdentifiers are not supported. |
| 202 ASSERT_FALSE(this->Verify(certs, crls, {})); | 214 PkitsTestInfo info; |
| 215 info.should_validate = false; |
| 216 |
| 217 this->RunTest(certs, crls, info); |
| 203 } | 218 } |
| 204 | 219 |
| 205 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, | 220 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 206 PkitsTest01SignatureVerification, | 221 PkitsTest01SignatureVerification, |
| 207 PathBuilderPkitsTestDelegate); | 222 PathBuilderPkitsTestDelegate); |
| 208 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, | 223 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 209 PkitsTest02ValidityPeriods, | 224 PkitsTest02ValidityPeriods, |
| 210 PathBuilderPkitsTestDelegate); | 225 PathBuilderPkitsTestDelegate); |
| 211 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, | 226 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 212 PkitsTest03VerifyingNameChaining, | 227 PkitsTest03VerifyingNameChaining, |
| (...skipping 13 matching lines...) Expand all Loading... |
| 226 | 241 |
| 227 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 242 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
| 228 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 243 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
| 229 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 244 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
| 230 | 245 |
| 231 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, | 246 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, |
| 232 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, | 247 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, |
| 233 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy | 248 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy |
| 234 | 249 |
| 235 } // namespace net | 250 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2907353002:
Update PKITs test data to include "user_constrained_policy_set". (Closed)
