| OLD | NEW |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "net/base/net_errors.h" | 7 #include "net/base/net_errors.h" |
| 8 #include "net/cert/internal/cert_issuer_source_static.h" | 8 #include "net/cert/internal/cert_issuer_source_static.h" |
| 9 #include "net/cert/internal/parse_certificate.h" | 9 #include "net/cert/internal/parse_certificate.h" |
| 10 #include "net/cert/internal/parsed_certificate.h" | 10 #include "net/cert/internal/parsed_certificate.h" |
| 11 #include "net/cert/internal/signature_policy.h" | 11 #include "net/cert/internal/signature_policy.h" |
| 12 #include "net/cert/internal/trust_store_in_memory.h" | 12 #include "net/cert/internal/trust_store_in_memory.h" |
| 13 #include "net/cert/internal/verify_certificate_chain.h" | 13 #include "net/cert/internal/verify_certificate_chain.h" |
| 14 #include "net/der/input.h" | 14 #include "net/der/input.h" |
| 15 #include "third_party/boringssl/src/include/openssl/pool.h" | 15 #include "third_party/boringssl/src/include/openssl/pool.h" |
| 16 | 16 |
| 17 // Disable tests that require DSA signatures (DSA signatures are intentionally | |
| 18 // unsupported). Custom versions of the DSA tests are defined below which expect | |
| 19 // verification to fail. | |
| 20 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 | |
| 21 #define Section1ValidDSAParameterInheritanceTest5 \ | |
| 22 DISABLED_Section1ValidDSAParameterInheritanceTest5 | |
| 23 | |
| 24 // Disable tests that require name constraints with name types that are | |
| 25 // intentionally unsupported. Custom versions of the tests are defined below | |
| 26 // which expect verification to fail. | |
| 27 #define Section13ValidRFC822nameConstraintsTest21 \ | |
| 28 DISABLED_Section13ValidRFC822nameConstraintsTest21 | |
| 29 #define Section13ValidRFC822nameConstraintsTest23 \ | |
| 30 DISABLED_Section13ValidRFC822nameConstraintsTest23 | |
| 31 #define Section13ValidRFC822nameConstraintsTest25 \ | |
| 32 DISABLED_Section13ValidRFC822nameConstraintsTest25 | |
| 33 #define Section13ValidDNandRFC822nameConstraintsTest27 \ | |
| 34 DISABLED_Section13ValidDNandRFC822nameConstraintsTest27 | |
| 35 #define Section13ValidURInameConstraintsTest34 \ | |
| 36 DISABLED_Section13ValidURInameConstraintsTest34 | |
| 37 #define Section13ValidURInameConstraintsTest36 \ | |
| 38 DISABLED_Section13ValidURInameConstraintsTest36 | |
| 39 | 17 |
| 40 // TODO(mattm): these require CRL support: | 18 // TODO(mattm): these require CRL support: |
| 41 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ | 19 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ |
| 42 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 | 20 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
| 43 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ | 21 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ |
| 44 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 22 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
| 45 | 23 |
| 46 #include "net/cert/internal/nist_pkits_unittest.h" | 24 #include "net/cert/internal/nist_pkits_unittest.h" |
| 47 | 25 |
| 48 namespace net { | 26 namespace net { |
| (...skipping 45 matching lines...) |
| 94 | 72 |
| 95 if (result.HasValidPath()) { | 73 if (result.HasValidPath()) { |
| 96 EXPECT_EQ(info.user_constrained_policy_set, | 74 EXPECT_EQ(info.user_constrained_policy_set, |
| 97 result.GetBestValidPath()->user_constrained_policy_set); | 75 result.GetBestValidPath()->user_constrained_policy_set); |
| 98 } | 76 } |
| 99 } | 77 } |
| 100 }; | 78 }; |
| 101 | 79 |
| 102 } // namespace | 80 } // namespace |
| 103 | 81 |
| 104 class PkitsTest01SignatureVerificationCustomPathBuilderFoo | |
| 105 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; | |
| 106 | |
| 107 // Modified version of 4.1.4 Valid DSA Signatures Test4 | |
| 108 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, | |
| 109 Section1ValidDSASignaturesTest4Custom) { | |
| 110 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | |
| 111 "ValidDSASignaturesTest4EE"}; | |
| 112 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | |
| 113 // DSA signatures are intentionally unsupported. | |
| 114 PkitsTestInfo info; | |
| 115 info.should_validate = false; | |
| 116 | |
| 117 this->RunTest(certs, crls, info); | |
| 118 } | |
| 119 | |
| 120 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | |
| 121 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, | |
| 122 Section1ValidDSAParameterInheritanceTest5Custom) { | |
| 123 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | |
| 124 "DSAParametersInheritedCACert", | |
| 125 "ValidDSAParameterInheritanceTest5EE"}; | |
| 126 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | |
| 127 "DSAParametersInheritedCACRL"}; | |
| 128 // DSA signatures are intentionally unsupported. | |
| 129 PkitsTestInfo info; | |
| 130 info.should_validate = false; | |
| 131 | |
| 132 this->RunTest(certs, crls, info); | |
| 133 } | |
| 134 | |
| 135 class PkitsTest13SignatureVerificationCustomPathBuilderFoo | |
| 136 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; | |
| 137 | |
| 138 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | |
| 139 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | |
| 140 Section13ValidRFC822nameConstraintsTest21Custom) { | |
| 141 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 142 "nameConstraintsRFC822CA1Cert", | |
| 143 "ValidRFC822nameConstraintsTest21EE"}; | |
| 144 const char* const crls[] = {"TrustAnchorRootCRL", | |
| 145 "nameConstraintsRFC822CA1CRL"}; | |
| 146 // Name constraints on rfc822Names are not supported. | |
| 147 PkitsTestInfo info; | |
| 148 info.should_validate = false; | |
| 149 | |
| 150 this->RunTest(certs, crls, info); | |
| 151 } | |
| 152 | |
| 153 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | |
| 154 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | |
| 155 Section13ValidRFC822nameConstraintsTest23Custom) { | |
| 156 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 157 "nameConstraintsRFC822CA2Cert", | |
| 158 "ValidRFC822nameConstraintsTest23EE"}; | |
| 159 const char* const crls[] = {"TrustAnchorRootCRL", | |
| 160 "nameConstraintsRFC822CA2CRL"}; | |
| 161 // Name constraints on rfc822Names are not supported. | |
| 162 PkitsTestInfo info; | |
| 163 info.should_validate = false; | |
| 164 | |
| 165 this->RunTest(certs, crls, info); | |
| 166 } | |
| 167 | |
| 168 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | |
| 169 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | |
| 170 Section13ValidRFC822nameConstraintsTest25Custom) { | |
| 171 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 172 "nameConstraintsRFC822CA3Cert", | |
| 173 "ValidRFC822nameConstraintsTest25EE"}; | |
| 174 const char* const crls[] = {"TrustAnchorRootCRL", | |
| 175 "nameConstraintsRFC822CA3CRL"}; | |
| 176 // Name constraints on rfc822Names are not supported. | |
| 177 PkitsTestInfo info; | |
| 178 info.should_validate = false; | |
| 179 | |
| 180 this->RunTest(certs, crls, info); | |
| 181 } | |
| 182 | |
| 183 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | |
| 184 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | |
| 185 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | |
| 186 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 187 "nameConstraintsDN1CACert", | |
| 188 "nameConstraintsDN1subCA3Cert", | |
| 189 "ValidDNandRFC822nameConstraintsTest27EE"}; | |
| 190 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | |
| 191 "nameConstraintsDN1subCA3CRL"}; | |
| 192 // Name constraints on rfc822Names are not supported. | |
| 193 PkitsTestInfo info; | |
| 194 info.should_validate = false; | |
| 195 | |
| 196 this->RunTest(certs, crls, info); | |
| 197 } | |
| 198 | |
| 199 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | |
| 200 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | |
| 201 Section13ValidURInameConstraintsTest34Custom) { | |
| 202 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 203 "nameConstraintsURI1CACert", | |
| 204 "ValidURInameConstraintsTest34EE"}; | |
| 205 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | |
| 206 // Name constraints on uniformResourceIdentifiers are not supported. | |
| 207 PkitsTestInfo info; | |
| 208 info.should_validate = false; | |
| 209 | |
| 210 this->RunTest(certs, crls, info); | |
| 211 } | |
| 212 | |
| 213 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | |
| 214 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, | |
| 215 Section13ValidURInameConstraintsTest36Custom) { | |
| 216 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 217 "nameConstraintsURI2CACert", | |
| 218 "ValidURInameConstraintsTest36EE"}; | |
| 219 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | |
| 220 // Name constraints on uniformResourceIdentifiers are not supported. | |
| 221 PkitsTestInfo info; | |
| 222 info.should_validate = false; | |
| 223 | |
| 224 this->RunTest(certs, crls, info); | |
| 225 } | |
| 226 | 82 |
| 227 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, | 83 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 228 PkitsTest01SignatureVerification, | 84 PkitsTest01SignatureVerification, |
| 229 PathBuilderPkitsTestDelegate); | 85 PathBuilderPkitsTestDelegate); |
| 230 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, | 86 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 231 PkitsTest02ValidityPeriods, | 87 PkitsTest02ValidityPeriods, |
| 232 PathBuilderPkitsTestDelegate); | 88 PathBuilderPkitsTestDelegate); |
| 233 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, | 89 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 234 PkitsTest03VerifyingNameChaining, | 90 PkitsTest03VerifyingNameChaining, |
| 235 PathBuilderPkitsTestDelegate); | 91 PathBuilderPkitsTestDelegate); |
| (...skipping 23 matching lines...) |
| 259 PathBuilderPkitsTestDelegate); | 115 PathBuilderPkitsTestDelegate); |
| 260 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, | 116 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 261 PkitsTest16PrivateCertificateExtensions, | 117 PkitsTest16PrivateCertificateExtensions, |
| 262 PathBuilderPkitsTestDelegate); | 118 PathBuilderPkitsTestDelegate); |
| 263 | 119 |
| 264 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 120 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
| 265 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 121 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
| 266 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 122 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
| 267 | 123 |
| 268 } // namespace net | 124 } // namespace net |
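Review bot: With the `#define Section1ValidDSASignaturesTest4 DISABLED_...` block (old lines 17-38) and the `...Custom` tests (old lines 104-225) removed, nothing left in this file states or asserts that DSA signatures and rfc822Name/URI name constraints must fail verification; each removed test set `info.should_validate = false`. Dropping the macros also means the eight corresponding tests from `nist_pkits_unittest.h` are no longer disabled for the path builder, and that header is not shown on this page, so whether they now expect rejection cannot be confirmed from here. If the expectation has moved into the shared header, I would keep a short comment above the include at new line 24, e.g. `// DSA signatures and rfc822Name/URI name constraints are intentionally unsupported; the shared PKITS tests expect them to be rejected.`, so the fail-closed behaviour stays discoverable from this file.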