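--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,48 +1,26 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/path_builder.h"
 
 #include "net/base/net_errors.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/trust_store_in_memory.h"
 #include "net/cert/internal/verify_certificate_chain.h"
 #include "net/der/input.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 
-// Disable tests that require DSA signatures (DSA signatures are intentionally
-// unsupported). Custom versions of the DSA tests are defined below which expect
-// verification to fail.
-#define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4
-#define Section1ValidDSAParameterInheritanceTest5 \
-DISABLED_Section1ValidDSAParameterInheritanceTest5
-
-// Disable tests that require name constraints with name types that are
-// intentionally unsupported. Custom versions of the tests are defined below
-// which expect verification to fail.
-#define Section13ValidRFC822nameConstraintsTest21 \
-DISABLED_Section13ValidRFC822nameConstraintsTest21
-#define Section13ValidRFC822nameConstraintsTest23 \
-DISABLED_Section13ValidRFC822nameConstraintsTest23
-#define Section13ValidRFC822nameConstraintsTest25 \
-DISABLED_Section13ValidRFC822nameConstraintsTest25
-#define Section13ValidDNandRFC822nameConstraintsTest27 \
-DISABLED_Section13ValidDNandRFC822nameConstraintsTest27
-#define Section13ValidURInameConstraintsTest34 \
-DISABLED_Section13ValidURInameConstraintsTest34
-#define Section13ValidURInameConstraintsTest36 \
-DISABLED_Section13ValidURInameConstraintsTest36
 
 // TODO(mattm): these require CRL support:
 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \
 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4
 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \
 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5
 
 #include "net/cert/internal/nist_pkits_unittest.h"
 
 namespace net {
@@ -87,142 +65,20 @@
 path_builder.AddCertIssuerSource(&cert_issuer_source);
 
 path_builder.Run();
 
 ASSERT_EQ(info.should_validate, result.HasValidPath());
 }
 };
 
 } // namespace
 
-class PkitsTest01SignatureVerificationCustomPathBuilderFoo
-: public PkitsTest<PathBuilderPkitsTestDelegate> {};
-
-// Modified version of 4.1.4 Valid DSA Signatures Test4
-TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo,
-Section1ValidDSASignaturesTest4Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
-"ValidDSASignaturesTest4EE"};
-const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"};
-// DSA signatures are intentionally unsupported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5
-TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo,
-Section1ValidDSAParameterInheritanceTest5Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
-"DSAParametersInheritedCACert",
-"ValidDSAParameterInheritanceTest5EE"};
-const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL",
-"DSAParametersInheritedCACRL"};
-// DSA signatures are intentionally unsupported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
-
-class PkitsTest13SignatureVerificationCustomPathBuilderFoo
-: public PkitsTest<PathBuilderPkitsTestDelegate> {};
-
-// Modified version of 4.13.21 Valid RFC822 nameConstraints Test21
-TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
-Section13ValidRFC822nameConstraintsTest21Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate",
-"nameConstraintsRFC822CA1Cert",
-"ValidRFC822nameConstraintsTest21EE"};
-const char* const crls[] = {"TrustAnchorRootCRL",
-"nameConstraintsRFC822CA1CRL"};
-// Name constraints on rfc822Names are not supported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.23 Valid RFC822 nameConstraints Test23
-TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
-Section13ValidRFC822nameConstraintsTest23Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate",
-"nameConstraintsRFC822CA2Cert",
-"ValidRFC822nameConstraintsTest23EE"};
-const char* const crls[] = {"TrustAnchorRootCRL",
-"nameConstraintsRFC822CA2CRL"};
-// Name constraints on rfc822Names are not supported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.25 Valid RFC822 nameConstraints Test25
-TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
-Section13ValidRFC822nameConstraintsTest25Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate",
-"nameConstraintsRFC822CA3Cert",
-"ValidRFC822nameConstraintsTest25EE"};
-const char* const crls[] = {"TrustAnchorRootCRL",
-"nameConstraintsRFC822CA3CRL"};
-// Name constraints on rfc822Names are not supported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27
-TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
-Section13ValidDNandRFC822nameConstraintsTest27Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate",
-"nameConstraintsDN1CACert",
-"nameConstraintsDN1subCA3Cert",
-"ValidDNandRFC822nameConstraintsTest27EE"};
-const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL",
-"nameConstraintsDN1subCA3CRL"};
-// Name constraints on rfc822Names are not supported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.34 Valid URI nameConstraints Test34
-TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
-Section13ValidURInameConstraintsTest34Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate",
-"nameConstraintsURI1CACert",
-"ValidURInameConstraintsTest34EE"};
-const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"};
-// Name constraints on uniformResourceIdentifiers are not supported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.36 Valid URI nameConstraints Test36
-TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,
-Section13ValidURInameConstraintsTest36Custom) {
-const char* const certs[] = {"TrustAnchorRootCertificate",
-"nameConstraintsURI2CACert",
-"ValidURInameConstraintsTest36EE"};
-const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"};
-// Name constraints on uniformResourceIdentifiers are not supported.
-PkitsTestInfo info;
-info.should_validate = false;
-
-this->RunTest(certs, crls, info);
-}
 
 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder,
 PkitsTest01SignatureVerification,
 PathBuilderPkitsTestDelegate);
 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder,
 PkitsTest02ValidityPeriods,
 PathBuilderPkitsTestDelegate);
 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder,
 PkitsTest03VerifyingNameChaining,
 PathBuilderPkitsTestDelegate);
@@ -241,10 +97,10 @@
 
 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests,
 // PkitsTest05VerifyingPathswithSelfIssuedCertificates,
 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
 
 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies,
 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings,
 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy
 
 } // namespace net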
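Review bot: With the `DISABLED_` defines and the `...Custom` tests removed, nothing on the new side of this file records that DSA signatures and rfc822Name/URI name constraints are intentionally unsupported and must fail validation. The stock PKITS cases for them now run through `ASSERT_EQ(info.should_validate, result.HasValidPath());`, so the negative expectation presumably comes from `info` as populated in nist_pkits_unittest.h, which is not visible here; it is worth confirming that those cases set `should_validate = false` there, since otherwise the rejection of these algorithms and name types is no longer asserted for the path builder. A short comment above the `#include "net/cert/internal/nist_pkits_unittest.h"` line would keep the intent visible, e.g. `// DSA signatures and rfc822Name/URI name constraints are intentionally unsupported; the PKITS cases for them expect validation to fail via info.should_validate.` The function holding the `ASSERT_EQ` starts in the skipped lines, so its setup of `info` and `result` cannot be checked from this page.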