
Side by Side Diff: net/cert/internal/verify_certificate_chain_pkits_unittest.cc

Issue 2907353002: Update PKITs test data to include "user_constrained_policy_set". (Closed)
Patch Set: re-run generator script Created 3 years, 6 months ago
1 // Copyright 2016 The Chromium Authors. All rights reserved. 1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/verify_certificate_chain.h" 5 #include "net/cert/internal/verify_certificate_chain.h"
6 6
7 #include "net/cert/internal/parsed_certificate.h" 7 #include "net/cert/internal/parsed_certificate.h"
8 #include "net/cert/internal/signature_policy.h" 8 #include "net/cert/internal/signature_policy.h"
9 #include "net/cert/internal/trust_store.h" 9 #include "net/cert/internal/trust_store.h"
10 #include "net/der/input.h" 10 #include "net/der/input.h"
(...skipping 29 matching lines...) Expand all
40 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 40 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5
41 41
42 #include "net/cert/internal/nist_pkits_unittest.h" 42 #include "net/cert/internal/nist_pkits_unittest.h"
43 43
44 namespace net { 44 namespace net {
45 45
46 namespace { 46 namespace {
47 47
48 class VerifyCertificateChainPkitsTestDelegate { 48 class VerifyCertificateChainPkitsTestDelegate {
49 public: 49 public:
50 static bool Verify(std::vector<std::string> cert_ders, 50 static void RunTest(std::vector<std::string> cert_ders,
51 std::vector<std::string> crl_ders, 51 std::vector<std::string> crl_ders,
52 const PkitsTestSettings& settings) { 52 const PkitsTestInfo& info) {
53 if (cert_ders.empty()) { 53 ASSERT_FALSE(cert_ders.empty());
54 ADD_FAILURE() << "cert_ders is empty";
55 return false;
56 }
57 54
58 // PKITS lists chains from trust anchor to target, whereas 55 // PKITS lists chains from trust anchor to target, whereas
59 // VerifyCertificateChain takes them starting with the target and ending 56 // VerifyCertificateChain takes them starting with the target and ending
60 // with the trust anchor. 57 // with the trust anchor.
61 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; 58 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
62 CertErrors parsing_errors; 59 CertErrors parsing_errors;
63 for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) { 60 for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) {
64 if (!net::ParsedCertificate::CreateAndAddToVector( 61 ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector(
65 bssl::UniquePtr<CRYPTO_BUFFER>( 62 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
66 CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(i->data()), 63 reinterpret_cast<const uint8_t*>(i->data()), i->size(), nullptr)),
67 i->size(), nullptr)), 64 {}, &input_chain, &parsing_errors))
68 {}, &input_chain, &parsing_errors)) { 65 << parsing_errors.ToDebugString();
69 ADD_FAILURE() << "Cert failed to parse:\n"
70 << parsing_errors.ToDebugString();
71 return false;
72 }
73 } 66 }
74 67
75 SimpleSignaturePolicy signature_policy(1024); 68 SimpleSignaturePolicy signature_policy(1024);
76 69
77 // Run all tests at the time the PKITS was published.
78 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};
79
80 CertPathErrors path_errors; 70 CertPathErrors path_errors;
81 VerifyCertificateChain(input_chain, CertificateTrust::ForTrustAnchor(), 71 VerifyCertificateChain(input_chain, CertificateTrust::ForTrustAnchor(),
82 &signature_policy, time, KeyPurpose::ANY_EKU, 72 &signature_policy, info.time, KeyPurpose::ANY_EKU,
83 &path_errors); 73 &path_errors);
74 bool did_succeed = !path_errors.ContainsHighSeverityErrors();
84 75
85 // TODO(crbug.com/634443): Test errors on failure? 76 // TODO(crbug.com/634443): Test errors on failure?
86 return !path_errors.ContainsHighSeverityErrors(); 77 if (info.should_validate != did_succeed) {
78 ASSERT_EQ(info.should_validate, did_succeed)
79 << path_errors.ToDebugString(input_chain);
80 }
87 } 81 }
88 }; 82 };
89 83
90 } // namespace 84 } // namespace
91 85
92 class PkitsTest01SignatureVerificationCustom 86 class PkitsTest01SignatureVerificationCustom
93 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; 87 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
94 88
95 // Modified version of 4.1.4 Valid DSA Signatures Test4 89 // Modified version of 4.1.4 Valid DSA Signatures Test4
96 TEST_F(PkitsTest01SignatureVerificationCustom, 90 TEST_F(PkitsTest01SignatureVerificationCustom,
97 Section1ValidDSASignaturesTest4Custom) { 91 Section1ValidDSASignaturesTest4Custom) {
98 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", 92 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
99 "ValidDSASignaturesTest4EE"}; 93 "ValidDSASignaturesTest4EE"};
100 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; 94 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"};
101 // DSA signatures are intentionally unsupported. 95 // DSA signatures are intentionally unsupported.
102 ASSERT_FALSE(this->Verify(certs, crls, {})); 96 PkitsTestInfo info;
97 info.should_validate = false;
98
99 this->RunTest(certs, crls, info);
103 } 100 }
104 101
105 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 102 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5
106 TEST_F(PkitsTest01SignatureVerificationCustom, 103 TEST_F(PkitsTest01SignatureVerificationCustom,
107 Section1ValidDSAParameterInheritanceTest5Custom) { 104 Section1ValidDSAParameterInheritanceTest5Custom) {
108 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", 105 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
109 "DSAParametersInheritedCACert", 106 "DSAParametersInheritedCACert",
110 "ValidDSAParameterInheritanceTest5EE"}; 107 "ValidDSAParameterInheritanceTest5EE"};
111 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", 108 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL",
112 "DSAParametersInheritedCACRL"}; 109 "DSAParametersInheritedCACRL"};
113 // DSA signatures are intentionally unsupported. 110 // DSA signatures are intentionally unsupported.
114 ASSERT_FALSE(this->Verify(certs, crls, {})); 111 PkitsTestInfo info;
112 info.should_validate = false;
113
114 this->RunTest(certs, crls, info);
115 } 115 }
116 116
117 class PkitsTest13SignatureVerificationCustom 117 class PkitsTest13SignatureVerificationCustom
118 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; 118 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
119 119
120 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 120 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21
121 TEST_F(PkitsTest13SignatureVerificationCustom, 121 TEST_F(PkitsTest13SignatureVerificationCustom,
122 Section13ValidRFC822nameConstraintsTest21Custom) { 122 Section13ValidRFC822nameConstraintsTest21Custom) {
123 const char* const certs[] = {"TrustAnchorRootCertificate", 123 const char* const certs[] = {"TrustAnchorRootCertificate",
124 "nameConstraintsRFC822CA1Cert", 124 "nameConstraintsRFC822CA1Cert",
125 "ValidRFC822nameConstraintsTest21EE"}; 125 "ValidRFC822nameConstraintsTest21EE"};
126 const char* const crls[] = {"TrustAnchorRootCRL", 126 const char* const crls[] = {"TrustAnchorRootCRL",
127 "nameConstraintsRFC822CA1CRL"}; 127 "nameConstraintsRFC822CA1CRL"};
128 // Name constraints on rfc822Names are not supported. 128 // Name constraints on rfc822Names are not supported.
129 ASSERT_FALSE(this->Verify(certs, crls, {})); 129 PkitsTestInfo info;
130 info.should_validate = false;
131
132 this->RunTest(certs, crls, info);
130 } 133 }
131 134
132 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 135 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23
133 TEST_F(PkitsTest13SignatureVerificationCustom, 136 TEST_F(PkitsTest13SignatureVerificationCustom,
134 Section13ValidRFC822nameConstraintsTest23Custom) { 137 Section13ValidRFC822nameConstraintsTest23Custom) {
135 const char* const certs[] = {"TrustAnchorRootCertificate", 138 const char* const certs[] = {"TrustAnchorRootCertificate",
136 "nameConstraintsRFC822CA2Cert", 139 "nameConstraintsRFC822CA2Cert",
137 "ValidRFC822nameConstraintsTest23EE"}; 140 "ValidRFC822nameConstraintsTest23EE"};
138 const char* const crls[] = {"TrustAnchorRootCRL", 141 const char* const crls[] = {"TrustAnchorRootCRL",
139 "nameConstraintsRFC822CA2CRL"}; 142 "nameConstraintsRFC822CA2CRL"};
140 // Name constraints on rfc822Names are not supported. 143 // Name constraints on rfc822Names are not supported.
141 ASSERT_FALSE(this->Verify(certs, crls, {})); 144 PkitsTestInfo info;
145 info.should_validate = false;
146
147 this->RunTest(certs, crls, info);
142 } 148 }
143 149
144 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 150 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25
145 TEST_F(PkitsTest13SignatureVerificationCustom, 151 TEST_F(PkitsTest13SignatureVerificationCustom,
146 Section13ValidRFC822nameConstraintsTest25Custom) { 152 Section13ValidRFC822nameConstraintsTest25Custom) {
147 const char* const certs[] = {"TrustAnchorRootCertificate", 153 const char* const certs[] = {"TrustAnchorRootCertificate",
148 "nameConstraintsRFC822CA3Cert", 154 "nameConstraintsRFC822CA3Cert",
149 "ValidRFC822nameConstraintsTest25EE"}; 155 "ValidRFC822nameConstraintsTest25EE"};
150 const char* const crls[] = {"TrustAnchorRootCRL", 156 const char* const crls[] = {"TrustAnchorRootCRL",
151 "nameConstraintsRFC822CA3CRL"}; 157 "nameConstraintsRFC822CA3CRL"};
152 // Name constraints on rfc822Names are not supported. 158 // Name constraints on rfc822Names are not supported.
153 ASSERT_FALSE(this->Verify(certs, crls, {})); 159 PkitsTestInfo info;
160 info.should_validate = false;
161
162 this->RunTest(certs, crls, info);
154 } 163 }
155 164
156 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 165 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27
157 TEST_F(PkitsTest13SignatureVerificationCustom, 166 TEST_F(PkitsTest13SignatureVerificationCustom,
158 Section13ValidDNandRFC822nameConstraintsTest27Custom) { 167 Section13ValidDNandRFC822nameConstraintsTest27Custom) {
159 const char* const certs[] = {"TrustAnchorRootCertificate", 168 const char* const certs[] = {"TrustAnchorRootCertificate",
160 "nameConstraintsDN1CACert", 169 "nameConstraintsDN1CACert",
161 "nameConstraintsDN1subCA3Cert", 170 "nameConstraintsDN1subCA3Cert",
162 "ValidDNandRFC822nameConstraintsTest27EE"}; 171 "ValidDNandRFC822nameConstraintsTest27EE"};
163 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", 172 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL",
164 "nameConstraintsDN1subCA3CRL"}; 173 "nameConstraintsDN1subCA3CRL"};
165 // Name constraints on rfc822Names are not supported. 174 // Name constraints on rfc822Names are not supported.
166 ASSERT_FALSE(this->Verify(certs, crls, {})); 175 PkitsTestInfo info;
176 info.should_validate = false;
177
178 this->RunTest(certs, crls, info);
167 } 179 }
168 180
169 // Modified version of 4.13.34 Valid URI nameConstraints Test34 181 // Modified version of 4.13.34 Valid URI nameConstraints Test34
170 TEST_F(PkitsTest13SignatureVerificationCustom, 182 TEST_F(PkitsTest13SignatureVerificationCustom,
171 Section13ValidURInameConstraintsTest34Custom) { 183 Section13ValidURInameConstraintsTest34Custom) {
172 const char* const certs[] = {"TrustAnchorRootCertificate", 184 const char* const certs[] = {"TrustAnchorRootCertificate",
173 "nameConstraintsURI1CACert", 185 "nameConstraintsURI1CACert",
174 "ValidURInameConstraintsTest34EE"}; 186 "ValidURInameConstraintsTest34EE"};
175 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; 187 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"};
176 // Name constraints on uniformResourceIdentifiers are not supported. 188 // Name constraints on uniformResourceIdentifiers are not supported.
177 ASSERT_FALSE(this->Verify(certs, crls, {})); 189 PkitsTestInfo info;
190 info.should_validate = false;
191
192 this->RunTest(certs, crls, info);
178 } 193 }
179 194
180 // Modified version of 4.13.36 Valid URI nameConstraints Test36 195 // Modified version of 4.13.36 Valid URI nameConstraints Test36
181 TEST_F(PkitsTest13SignatureVerificationCustom, 196 TEST_F(PkitsTest13SignatureVerificationCustom,
182 Section13ValidURInameConstraintsTest36Custom) { 197 Section13ValidURInameConstraintsTest36Custom) {
183 const char* const certs[] = {"TrustAnchorRootCertificate", 198 const char* const certs[] = {"TrustAnchorRootCertificate",
184 "nameConstraintsURI2CACert", 199 "nameConstraintsURI2CACert",
185 "ValidURInameConstraintsTest36EE"}; 200 "ValidURInameConstraintsTest36EE"};
186 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; 201 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"};
187 // Name constraints on uniformResourceIdentifiers are not supported. 202 // Name constraints on uniformResourceIdentifiers are not supported.
188 ASSERT_FALSE(this->Verify(certs, crls, {})); 203 PkitsTestInfo info;
204 info.should_validate = false;
205
206 this->RunTest(certs, crls, info);
189 } 207 }
190 208
191 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, 209 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
192 PkitsTest01SignatureVerification, 210 PkitsTest01SignatureVerification,
193 VerifyCertificateChainPkitsTestDelegate); 211 VerifyCertificateChainPkitsTestDelegate);
194 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, 212 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
195 PkitsTest02ValidityPeriods, 213 PkitsTest02ValidityPeriods,
196 VerifyCertificateChainPkitsTestDelegate); 214 VerifyCertificateChainPkitsTestDelegate);
197 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, 215 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
198 PkitsTest03VerifyingNameChaining, 216 PkitsTest03VerifyingNameChaining,
(...skipping 13 matching lines...) Expand all
212 230
213 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, 231 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests,
214 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, 232 // PkitsTest05VerifyingPathswithSelfIssuedCertificates,
215 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs 233 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
216 234
217 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, 235 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies,
218 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, 236 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings,
219 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy 237 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy
220 238
221 } // namespace net 239 } // namespace net
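Review bot: The custom tests below construct `PkitsTestInfo info;` and set only `should_validate`, so `info.time`, which RunTest now hands to VerifyCertificateChain in place of the 2011-04-15 date this file used to hard-code, is whatever PkitsTestInfo's constructor (not visible here) leaves it as; if that constructor does not initialize it, these chains are verified at an indeterminate date and could be rejected for expiry rather than for the unsupported DSA / rfc822 / URI feature the comments say is being exercised. Worth confirming the header's default and, if there is none, setting `info.time` explicitly in each custom test so the expected failure reason is the one under test. The `if (info.should_validate != did_succeed)` guard around `ASSERT_EQ` in RunTest is redundant: the assertion only fails, and only evaluates its streamed `path_errors.ToDebugString(input_chain)`, when the two values differ, so `ASSERT_EQ(info.should_validate, did_succeed) << path_errors.ToDebugString(input_chain);` on its own reads cleaner. Given the CL title, this delegate still asserts only on validity and not on any resulting policy set, which looks intentional per the certificate-policies TODO at the bottom of the file but would benefit from a one-line comment in RunTest saying so.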