| // Copyright 2016 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "path_builder.h" |
| |
| #include <algorithm> |
| |
| #include "cert_error_params.h" |
| #include "cert_issuer_source_static.h" |
| #include "common_cert_errors.h" |
| #include "input.h" |
| #include "mock_signature_verify_cache.h" |
| #include "parsed_certificate.h" |
| #include "simple_path_builder_delegate.h" |
| #include "test_helpers.h" |
| #include "trust_store_collection.h" |
| #include "trust_store_in_memory.h" |
| #include "verify_certificate_chain.h" |
| |
| #include <gmock/gmock.h> |
| #include <gtest/gtest.h> |
| #include <openssl/pool.h> |
| |
| namespace bssl { |
| |
| // TODO(crbug.com/634443): Assert the errors for each ResultPath. |
| |
| namespace { |
| |
| using ::testing::_; |
| using ::testing::Invoke; |
| using ::testing::StrictMock; |
| |
| class TestPathBuilderDelegate : public SimplePathBuilderDelegate { |
| public: |
| TestPathBuilderDelegate(size_t min_rsa_modulus_length_bits, |
| DigestPolicy digest_policy) |
| : SimplePathBuilderDelegate(min_rsa_modulus_length_bits, digest_policy) {} |
| |
| bool IsDeadlineExpired() override { return deadline_is_expired_; } |
| |
| void SetDeadlineExpiredForTesting(bool deadline_is_expired) { |
| deadline_is_expired_ = deadline_is_expired; |
| } |
| |
| SignatureVerifyCache *GetVerifyCache() override { |
| return use_signature_cache_ ? &cache_ : nullptr; |
| } |
| |
| void ActivateCache() { use_signature_cache_ = true; } |
| |
| void DeActivateCache() { use_signature_cache_ = false; } |
| |
| MockSignatureVerifyCache *GetMockVerifyCache() { return &cache_; } |
| |
| void AllowPrecert() { allow_precertificate_ = true; } |
| |
| void DisallowPrecert() { allow_precertificate_ = false; } |
| |
| bool AcceptPreCertificates() override { |
| return allow_precertificate_; |
| } |
| |
| private: |
| bool deadline_is_expired_ = false; |
| bool use_signature_cache_ = false; |
| bool allow_precertificate_ = false; |
| MockSignatureVerifyCache cache_; |
| }; |
| |
| class CertPathBuilderDelegateBase : public SimplePathBuilderDelegate { |
| public: |
| CertPathBuilderDelegateBase() |
| : SimplePathBuilderDelegate( |
| 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {} |
| void CheckPathAfterVerification(const CertPathBuilder &path_builder, |
| CertPathBuilderResultPath *path) override { |
| ADD_FAILURE() << "Tests must override this"; |
| } |
| }; |
| |
| class MockPathBuilderDelegate : public CertPathBuilderDelegateBase { |
| public: |
| MOCK_METHOD2(CheckPathAfterVerification, |
| void(const CertPathBuilder &path_builder, |
| CertPathBuilderResultPath *path)); |
| }; |
| |
| // AsyncCertIssuerSourceStatic always returns its certs asynchronously. |
| class AsyncCertIssuerSourceStatic : public CertIssuerSource { |
| public: |
| class StaticAsyncRequest : public Request { |
| public: |
| explicit StaticAsyncRequest(ParsedCertificateList &&issuers) { |
| issuers_.swap(issuers); |
| issuers_iter_ = issuers_.begin(); |
| } |
| |
| StaticAsyncRequest(const StaticAsyncRequest &) = delete; |
| StaticAsyncRequest &operator=(const StaticAsyncRequest &) = delete; |
| |
| ~StaticAsyncRequest() override = default; |
| |
| void GetNext(ParsedCertificateList *out_certs) override { |
| if (issuers_iter_ != issuers_.end()) { |
| out_certs->push_back(std::move(*issuers_iter_++)); |
| } |
| } |
| |
| ParsedCertificateList issuers_; |
| ParsedCertificateList::iterator issuers_iter_; |
| }; |
| |
| ~AsyncCertIssuerSourceStatic() override = default; |
| |
| void SetAsyncGetCallback(std::function<void()> closure) { |
| async_get_callback_ = std::move(closure); |
| } |
| |
| void AddCert(std::shared_ptr<const ParsedCertificate> cert) { |
| static_cert_issuer_source_.AddCert(std::move(cert)); |
| } |
| |
| void SyncGetIssuersOf(const ParsedCertificate *cert, |
| ParsedCertificateList *issuers) override {} |
| void AsyncGetIssuersOf(const ParsedCertificate *cert, |
| std::unique_ptr<Request> *out_req) override { |
| num_async_gets_++; |
| ParsedCertificateList issuers; |
| static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers); |
| auto req = std::make_unique<StaticAsyncRequest>(std::move(issuers)); |
| *out_req = std::move(req); |
| if (async_get_callback_) { |
| async_get_callback_(); |
| } |
| } |
| int num_async_gets() const { return num_async_gets_; } |
| |
| private: |
| CertIssuerSourceStatic static_cert_issuer_source_; |
| |
| int num_async_gets_ = 0; |
| std::function<void()> async_get_callback_ = nullptr; |
| }; |
| |
| ::testing::AssertionResult ReadTestPem(const std::string &file_name, |
| const std::string &block_name, |
| std::string *result) { |
| const PemBlockMapping mappings[] = { |
| {block_name.c_str(), result}, |
| }; |
| |
| return ReadTestDataFromPemFile(file_name, mappings); |
| } |
| |
| ::testing::AssertionResult ReadTestCert( |
| const std::string &file_name, |
| std::shared_ptr<const ParsedCertificate> *result) { |
| std::string der; |
| ::testing::AssertionResult r = ReadTestPem( |
| "testdata/path_builder_unittest/" + file_name, "CERTIFICATE", &der); |
| if (!r) { |
| return r; |
| } |
| CertErrors errors; |
| *result = ParsedCertificate::Create( |
| bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( |
| reinterpret_cast<const uint8_t *>(der.data()), der.size(), nullptr)), |
| {}, &errors); |
| if (!*result) { |
| return ::testing::AssertionFailure() |
| << "ParseCertificate::Create() failed:\n" |
| << errors.ToDebugString(); |
| } |
| return ::testing::AssertionSuccess(); |
| } |
| |
| class PathBuilderMultiRootTest : public ::testing::Test { |
| public: |
| PathBuilderMultiRootTest() |
| : delegate_(1024, TestPathBuilderDelegate::DigestPolicy::kWeakAllowSha1) { |
| } |
| |
| void SetUp() override { |
| ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b_)); |
| ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c_)); |
| ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f_)); |
| ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d_)); |
| ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e_)); |
| ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d_)); |
| ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e_)); |
| ASSERT_TRUE(ReadTestCert("multi-root-F-by-E.pem", &f_by_e_)); |
| } |
| |
| protected: |
| std::shared_ptr<const ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, |
| c_by_e_, d_by_d_, e_by_e_, f_by_e_; |
| |
| TestPathBuilderDelegate delegate_; |
| der::GeneralizedTime time_ = {2017, 3, 1, 0, 0, 0}; |
| |
| const InitialExplicitPolicy initial_explicit_policy_ = |
| InitialExplicitPolicy::kFalse; |
| const std::set<der::Input> user_initial_policy_set_ = { |
| der::Input(kAnyPolicyOid)}; |
| const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_ = |
| InitialPolicyMappingInhibit::kFalse; |
| const InitialAnyPolicyInhibit initial_any_policy_inhibit_ = |
| InitialAnyPolicyInhibit::kFalse; |
| }; |
| |
| // Tests when the target cert has the same name and key as a trust anchor, |
| // however is signed by a different trust anchor. This should successfully build |
| // a path, however the trust anchor will be the signer of this cert. |
| // |
| // (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor |
| // but with different data; also in this test the target cert itself is in the |
| // trust store). |
| TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(a_by_b_); |
| trust_store.AddTrustAnchor(b_by_f_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_TRUE(result.HasValidPath()); |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| const auto &path = *result.GetBestValidPath(); |
| ASSERT_EQ(2U, path.certs.size()); |
| EXPECT_EQ(a_by_b_, path.certs[0]); |
| EXPECT_EQ(b_by_f_, path.certs[1]); |
| } |
| |
| // If the target cert is has the same name and key as a trust anchor, however |
| // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI |
| // is trusted, the certificate contents cannot be verified. |
| TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(a_by_b_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| EXPECT_EQ(1U, result.max_depth_seen); |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| // Test a failed path building when the trust anchor is provided as a |
| // supplemental certificate. Conceptually the following paths could be built: |
| // |
| // B(C) <- C(D) <- [Trust anchor D] |
| // B(C) <- C(D) <- D(D) <- [Trust anchor D] |
| // |
| // However the second one is extraneous given the shorter path. |
| TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(d_by_d_); |
| |
| // The (extraneous) trust anchor D(D) is supplied as a certificate, as is the |
| // intermediate needed for path building C(D). |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(d_by_d_); |
| sync_certs.AddCert(c_by_d_); |
| |
| // C(D) is not valid at this time, so path building will fail. |
| der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; |
| |
| CertPathBuilder path_builder( |
| b_by_c_, &trust_store, &delegate_, expired_time, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_EQ(1U, result.paths.size()); |
| |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| const auto &path0 = *result.paths[0]; |
| ASSERT_EQ(3U, path0.certs.size()); |
| EXPECT_EQ(b_by_c_, path0.certs[0]); |
| EXPECT_EQ(c_by_d_, path0.certs[1]); |
| EXPECT_EQ(d_by_d_, path0.certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::CERTIFICATE_NOT_YET_VALID) |
| << error.DiagnosticString(); |
| } |
| |
| // Test verifying a certificate that is a trust anchor. |
| TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(e_by_e_); |
| // This is not necessary for the test, just an extra... |
| trust_store.AddTrustAnchor(f_by_e_); |
| |
| CertPathBuilder path_builder( |
| e_by_e_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| // Verifying a trusted leaf certificate is not permitted, however this |
| // certificate is self-signed, and can chain to itself. |
| const auto &path = *result.GetBestValidPath(); |
| ASSERT_EQ(2U, path.certs.size()); |
| EXPECT_EQ(e_by_e_, path.certs[0]); |
| EXPECT_EQ(e_by_e_, path.certs[1]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // If the target cert is directly issued by a trust anchor, it should verify |
| // without any intermediate certs being provided. |
| TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(b_by_f_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_TRUE(result.HasValidPath()); |
| const auto &path = *result.GetBestValidPath(); |
| ASSERT_EQ(2U, path.certs.size()); |
| EXPECT_EQ(a_by_b_, path.certs[0]); |
| EXPECT_EQ(b_by_f_, path.certs[1]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that async cert queries are not made if the path can be successfully |
| // built with synchronously available certs. |
| TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(e_by_e_); |
| |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_f_); |
| sync_certs.AddCert(f_by_e_); |
| |
| AsyncCertIssuerSourceStatic async_certs; |
| async_certs.AddCert(b_by_c_); |
| async_certs.AddCert(c_by_e_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&async_certs); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| EXPECT_EQ(0, async_certs.num_async_gets()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // If async queries are needed, all async sources will be queried |
| // simultaneously. |
| TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(e_by_e_); |
| |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| sync_certs.AddCert(b_by_f_); |
| |
| AsyncCertIssuerSourceStatic async_certs1; |
| async_certs1.AddCert(c_by_e_); |
| |
| AsyncCertIssuerSourceStatic async_certs2; |
| async_certs2.AddCert(f_by_e_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&async_certs1); |
| path_builder.AddCertIssuerSource(&async_certs2); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| EXPECT_EQ(1, async_certs1.num_async_gets()); |
| EXPECT_EQ(1, async_certs2.num_async_gets()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that PathBuilder does not generate longer paths than necessary if one of |
| // the supplied certs is itself a trust anchor. |
| TEST_F(PathBuilderMultiRootTest, TestLongChain) { |
| // Both D(D) and C(D) are trusted roots. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(d_by_d_); |
| trust_store.AddTrustAnchor(c_by_d_); |
| |
| // Certs B(C), and C(D) are all supplied. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| sync_certs.AddCert(c_by_d_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| // The result path should be A(B) <- B(C) <- C(D) |
| // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) |
| EXPECT_EQ(3U, result.GetBestValidPath()->certs.size()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that PathBuilder will backtrack and try a different path if the first |
| // one doesn't work out. |
| TEST_F(PathBuilderMultiRootTest, TestBacktracking) { |
| // Only D(D) is a trusted root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(d_by_d_); |
| |
| // Certs B(F) and F(E) are supplied synchronously, thus the path |
| // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_f_); |
| sync_certs.AddCert(f_by_e_); |
| |
| // Certs B(C), and C(D) are supplied asynchronously, so the path |
| // A(B) <- B(C) <- C(D) <- D(D) should be tried second. |
| AsyncCertIssuerSourceStatic async_certs; |
| async_certs.AddCert(b_by_c_); |
| async_certs.AddCert(c_by_d_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| path_builder.AddCertIssuerSource(&async_certs); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| // The partial path should be returned even though it didn't reach a trust |
| // anchor. |
| ASSERT_EQ(2U, result.paths.size()); |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]); |
| EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]); |
| |
| // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| EXPECT_EQ(1U, result.best_result_index); |
| EXPECT_TRUE(result.paths[1]->IsValid()); |
| const auto &path = *result.GetBestValidPath(); |
| ASSERT_EQ(4U, path.certs.size()); |
| EXPECT_EQ(a_by_b_, path.certs[0]); |
| EXPECT_EQ(b_by_c_, path.certs[1]); |
| EXPECT_EQ(c_by_d_, path.certs[2]); |
| EXPECT_EQ(d_by_d_, path.certs[3]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that if no path to a trust anchor was found, the partial path is |
| // returned. |
| TEST_F(PathBuilderMultiRootTest, TestOnlyPartialPathResult) { |
| TrustStoreInMemory trust_store; |
| |
| // Certs B(F) and F(E) are supplied synchronously, thus the path |
| // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_f_); |
| sync_certs.AddCert(f_by_e_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| // The partial path should be returned even though it didn't reach a trust |
| // anchor. |
| ASSERT_EQ(1U, result.paths.size()); |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]); |
| EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that if two partial paths are returned, the first is marked as the best |
| // path. |
| TEST_F(PathBuilderMultiRootTest, TestTwoPartialPathResults) { |
| TrustStoreInMemory trust_store; |
| |
| // Certs B(F) and F(E) are supplied synchronously, thus the path |
| // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_f_); |
| sync_certs.AddCert(f_by_e_); |
| |
| // Certs B(C), and C(D) are supplied asynchronously, so the path |
| // A(B) <- B(C) <- C(D) <- D(D) should be tried second. |
| AsyncCertIssuerSourceStatic async_certs; |
| async_certs.AddCert(b_by_c_); |
| async_certs.AddCert(c_by_d_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| path_builder.AddCertIssuerSource(&async_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| // First partial path found should be marked as the best one. |
| EXPECT_EQ(0U, result.best_result_index); |
| |
| ASSERT_EQ(2U, result.paths.size()); |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]); |
| EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[1]->IsValid()); |
| ASSERT_EQ(3U, result.paths[1]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[1]->certs[0]); |
| EXPECT_EQ(b_by_c_, result.paths[1]->certs[1]); |
| EXPECT_EQ(c_by_d_, result.paths[1]->certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that if no valid path is found, and the first invalid path is a partial |
| // path, but the 2nd invalid path ends with a cert with a trust record, the 2nd |
| // path should be preferred. |
| TEST_F(PathBuilderMultiRootTest, TestDistrustedPathPreferredOverPartialPath) { |
| // Only D(D) has a trust record, but it is distrusted. |
| TrustStoreInMemory trust_store; |
| trust_store.AddDistrustedCertificateForTest(d_by_d_); |
| |
| // Certs B(F) and F(E) are supplied synchronously, thus the path |
| // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_f_); |
| sync_certs.AddCert(f_by_e_); |
| |
| // Certs B(C), and C(D) are supplied asynchronously, so the path |
| // A(B) <- B(C) <- C(D) <- D(D) should be tried second. |
| AsyncCertIssuerSourceStatic async_certs; |
| async_certs.AddCert(b_by_c_); |
| async_certs.AddCert(c_by_d_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| path_builder.AddCertIssuerSource(&async_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| // The partial path should be returned even though it didn't reach a trust |
| // anchor. |
| ASSERT_EQ(2U, result.paths.size()); |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]); |
| EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]); |
| |
| // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| EXPECT_EQ(1U, result.best_result_index); |
| EXPECT_FALSE(result.paths[1]->IsValid()); |
| const auto &path = *result.GetBestPathPossiblyInvalid(); |
| ASSERT_EQ(4U, path.certs.size()); |
| EXPECT_EQ(a_by_b_, path.certs[0]); |
| EXPECT_EQ(b_by_c_, path.certs[1]); |
| EXPECT_EQ(c_by_d_, path.certs[2]); |
| EXPECT_EQ(d_by_d_, path.certs[3]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that whichever order CertIssuerSource returns the issuers, the path |
| // building still succeeds. |
| TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { |
| // Only D(D) is a trusted root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(d_by_d_); |
| |
| for (bool reverse_order : {false, true}) { |
| SCOPED_TRACE(reverse_order); |
| std::vector<std::shared_ptr<const ParsedCertificate>> certs = { |
| b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; |
| CertIssuerSourceStatic sync_certs; |
| if (reverse_order) { |
| for (auto it = certs.rbegin(); it != certs.rend(); ++it) { |
| sync_certs.AddCert(*it); |
| } |
| } else { |
| for (const auto &cert : certs) { |
| sync_certs.AddCert(cert); |
| } |
| } |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| const auto &path = *result.GetBestValidPath(); |
| ASSERT_EQ(4U, path.certs.size()); |
| EXPECT_EQ(a_by_b_, path.certs[0]); |
| EXPECT_EQ(b_by_c_, path.certs[1]); |
| EXPECT_EQ(c_by_d_, path.certs[2]); |
| EXPECT_EQ(d_by_d_, path.certs[3]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| } |
| |
| TEST_F(PathBuilderMultiRootTest, TestIterationLimit) { |
| // D(D) is the trust root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(d_by_d_); |
| |
| // Certs B(C) and C(D) are supplied. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| sync_certs.AddCert(c_by_d_); |
| |
| for (const bool insufficient_limit : {true, false}) { |
| SCOPED_TRACE(insufficient_limit); |
| |
| StrictMock<MockPathBuilderDelegate> mock_delegate; |
| // The CheckPathAfterVerification delegate should be called regardless if |
| // the iteration limit is reached. |
| EXPECT_CALL(mock_delegate, CheckPathAfterVerification(_, _)); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &mock_delegate, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| if (insufficient_limit) { |
| // A limit of one is insufficient to build a path in this case. Therefore |
| // building is expected to fail in this case. |
| path_builder.SetIterationLimit(1); |
| } else { |
| // The other tests in this file exercise the case that |SetIterationLimit| |
| // isn't called. Therefore set a sufficient limit for the path to be |
| // found. |
| path_builder.SetIterationLimit(5); |
| } |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_EQ(!insufficient_limit, result.HasValidPath()); |
| EXPECT_EQ(insufficient_limit, result.exceeded_iteration_limit); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| if (insufficient_limit) { |
| EXPECT_EQ(2U, result.iteration_count); |
| ASSERT_EQ(error.Code(), |
| VerifyError::StatusCode::PATH_ITERATION_COUNT_EXCEEDED) |
| << error.DiagnosticString(); |
| } else { |
| EXPECT_EQ(3U, result.iteration_count); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| } |
| } |
| |
| TEST_F(PathBuilderMultiRootTest, TestTrivialDeadline) { |
| // C(D) is the trust root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(c_by_d_); |
| |
| // Cert B(C) is supplied. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| |
| for (const bool insufficient_limit : {true, false}) { |
| SCOPED_TRACE(insufficient_limit); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| // Make the deadline either expired or not. |
| delegate_.SetDeadlineExpiredForTesting(insufficient_limit); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_EQ(!insufficient_limit, result.HasValidPath()); |
| EXPECT_EQ(insufficient_limit, result.exceeded_deadline); |
| EXPECT_EQ(delegate_.IsDeadlineExpired(), insufficient_limit); |
| |
| if (insufficient_limit) { |
| ASSERT_EQ(1U, result.paths.size()); |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(1U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_TRUE(result.paths[0]->errors.ContainsError( |
| cert_errors::kDeadlineExceeded)); |
| } else { |
| ASSERT_EQ(1U, result.paths.size()); |
| EXPECT_TRUE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]); |
| EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]); |
| } |
| } |
| } |
| |
| TEST_F(PathBuilderMultiRootTest, TestVerifyCache) { |
| // C(D) is the trust root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(c_by_d_); |
| |
| // Cert B(C) is supplied. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| |
| // Test Activation / DeActivation of the cache. |
| EXPECT_FALSE(delegate_.GetVerifyCache()); |
| delegate_.ActivateCache(); |
| EXPECT_TRUE(delegate_.GetVerifyCache()); |
| delegate_.DeActivateCache(); |
| EXPECT_FALSE(delegate_.GetVerifyCache()); |
| delegate_.ActivateCache(); |
| EXPECT_TRUE(delegate_.GetVerifyCache()); |
| for (size_t i = 0; i < 3; i++) { |
| SCOPED_TRACE(i); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_EQ(1U, result.paths.size()); |
| EXPECT_TRUE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]); |
| EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]); |
| |
| // The path is 3 certificates long, so requires 2 distinct signature |
| // verifications. The first time through the loop will cause 2 cache misses |
| // and stores, subsequent iterations will repeat the same verifications, |
| // causing 2 cache hits. |
| EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheHits(), i * 2); |
| EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheMisses(), 2U); |
| EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheStores(), 2U); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| } |
| |
| TEST_F(PathBuilderMultiRootTest, TestDeadline) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(d_by_d_); |
| |
| // Cert B(C) is supplied statically. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| |
| // Cert C(D) is supplied asynchronously and will expire the deadline before |
| // returning the async result. |
| AsyncCertIssuerSourceStatic async_certs; |
| async_certs.AddCert(c_by_d_); |
| async_certs.SetAsyncGetCallback( |
| [&] { delegate_.SetDeadlineExpiredForTesting(true); }); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| path_builder.AddCertIssuerSource(&async_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| EXPECT_TRUE(result.exceeded_deadline); |
| EXPECT_TRUE(delegate_.IsDeadlineExpired()); |
| |
| // The chain returned should end in c_by_d_, since the deadline would only be |
| // checked again after the async results had been checked (since |
| // AsyncCertIssuerSourceStatic makes the async results available immediately.) |
| ASSERT_EQ(1U, result.paths.size()); |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]); |
| EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]); |
| EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]); |
| EXPECT_TRUE( |
| result.paths[0]->errors.ContainsError(cert_errors::kDeadlineExceeded)); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEADLINE_EXCEEDED) |
| << error.DiagnosticString(); |
| } |
| |
| TEST_F(PathBuilderMultiRootTest, TestDepthLimit) { |
| // D(D) is the trust root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(d_by_d_); |
| |
| // Certs B(C) and C(D) are supplied. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| sync_certs.AddCert(c_by_d_); |
| |
| for (const bool insufficient_limit : {true, false}) { |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| if (insufficient_limit) { |
| // A limit of depth equal to 2 is insufficient to build the path. |
| // Therefore, building is expected to fail. |
| path_builder.SetDepthLimit(2); |
| } else { |
| // The other tests in this file exercise the case that |SetDepthLimit| |
| // isn't called. Therefore, set a sufficient limit for the path to be |
| // found. |
| path_builder.SetDepthLimit(5); |
| } |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_EQ(!insufficient_limit, result.HasValidPath()); |
| EXPECT_EQ(insufficient_limit, |
| result.AnyPathContainsError(cert_errors::kDepthLimitExceeded)); |
| VerifyError error = result.GetBestPathVerifyError(); |
| if (insufficient_limit) { |
| EXPECT_EQ(2U, result.max_depth_seen); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEPTH_LIMIT_REACHED) |
| << error.DiagnosticString(); |
| } else { |
| EXPECT_EQ(4U, result.max_depth_seen); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| } |
| } |
| |
| TEST_F(PathBuilderMultiRootTest, TestDepthLimitMultiplePaths) { |
| // This case tests path building backtracking due to reaching the path depth |
| // limit. Given the root and issuer certificates below, there can be two paths |
| // from between the leaf to a trusted root, one has length of 3 and the other |
| // has length of 4. These certificates are specifically chosen because path |
| // building will first explore the 4-certificate long path then the |
| // 3-certificate long path. So with a depth limit of 3, we can test the |
| // backtracking code path. |
| |
| // E(E) and C(D) are the trust roots. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(e_by_e_); |
| trust_store.AddTrustAnchor(c_by_d_); |
| |
| // Certs B(C). B(F) and F(E) are supplied. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(b_by_c_); |
| sync_certs.AddCert(b_by_f_); |
| sync_certs.AddCert(f_by_e_); |
| |
| CertPathBuilder path_builder( |
| a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| path_builder.SetDepthLimit(3); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| EXPECT_TRUE(result.AnyPathContainsError(cert_errors::kDepthLimitExceeded)); |
| |
| ASSERT_EQ(result.paths.size(), 2u); |
| |
| const CertPathBuilderResultPath *truncated_path = result.paths[0].get(); |
| EXPECT_FALSE(truncated_path->IsValid()); |
| EXPECT_TRUE( |
| truncated_path->errors.ContainsError(cert_errors::kDepthLimitExceeded)); |
| ASSERT_EQ(truncated_path->certs.size(), 3u); |
| EXPECT_EQ(a_by_b_, truncated_path->certs[0]); |
| EXPECT_EQ(b_by_f_, truncated_path->certs[1]); |
| EXPECT_EQ(f_by_e_, truncated_path->certs[2]); |
| |
| const CertPathBuilderResultPath *valid_path = result.paths[1].get(); |
| EXPECT_TRUE(valid_path->IsValid()); |
| EXPECT_FALSE( |
| valid_path->errors.ContainsError(cert_errors::kDepthLimitExceeded)); |
| ASSERT_EQ(valid_path->certs.size(), 3u); |
| EXPECT_EQ(a_by_b_, valid_path->certs[0]); |
| EXPECT_EQ(b_by_c_, valid_path->certs[1]); |
| EXPECT_EQ(c_by_d_, valid_path->certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| TEST_F(PathBuilderMultiRootTest, TestPreCertificate) { |
| |
| std::string test_dir = |
| "testdata/path_builder_unittest/precertificate/"; |
| std::shared_ptr<const ParsedCertificate> root1 = |
| ReadCertFromFile(test_dir + "root.pem"); |
| ASSERT_TRUE(root1); |
| std::shared_ptr<const ParsedCertificate> target = |
| ReadCertFromFile(test_dir + "precertificate.pem"); |
| ASSERT_TRUE(target); |
| |
| der::GeneralizedTime precert_time = {2023, 10, 1, 0, 0, 0}; |
| |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(root1); |
| |
| // PreCertificate should be rejected by default. |
| EXPECT_FALSE(delegate_.AcceptPreCertificates()); |
| CertPathBuilder path_builder( |
| target, &trust_store, &delegate_, precert_time, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| auto result = path_builder.Run(); |
| ASSERT_EQ(1U, result.paths.size()); |
| ASSERT_FALSE(result.paths[0]->IsValid()) |
| << result.paths[0]->errors.ToDebugString(result.paths[0]->certs); |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::CERTIFICATE_INVALID) |
| << error.DiagnosticString(); |
| |
| |
| // PreCertificate should be accepted if configured. |
| delegate_.AllowPrecert(); |
| EXPECT_TRUE(delegate_.AcceptPreCertificates()); |
| CertPathBuilder path_builder2( |
| target, &trust_store, &delegate_, precert_time, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| auto result2 = path_builder2.Run(); |
| ASSERT_EQ(1U, result2.paths.size()); |
| ASSERT_TRUE(result2.paths[0]->IsValid()) |
| << result2.paths[0]->errors.ToDebugString(result.paths[0]->certs); |
| VerifyError error2 = result2.GetBestPathVerifyError(); |
| ASSERT_EQ(error2.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error2.DiagnosticString(); |
| } |
| |
| class PathBuilderKeyRolloverTest : public ::testing::Test { |
| public: |
| PathBuilderKeyRolloverTest() |
| : delegate_(1024, |
| SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {} |
| |
| void SetUp() override { |
| ParsedCertificateList path; |
| |
| VerifyCertChainTest test; |
| ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| "testdata/verify_certificate_chain_unittest/key-rollover/oldchain.test", |
| &test)); |
| path = test.chain; |
| ASSERT_EQ(3U, path.size()); |
| target_ = path[0]; |
| oldintermediate_ = path[1]; |
| oldroot_ = path[2]; |
| time_ = test.time; |
| |
| ASSERT_TRUE(target_); |
| ASSERT_TRUE(oldintermediate_); |
| |
| ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| "testdata/verify_certificate_chain_unittest/" |
| "key-rollover/longrolloverchain.test", |
| &test)); |
| path = test.chain; |
| |
| ASSERT_EQ(5U, path.size()); |
| newintermediate_ = path[1]; |
| newroot_ = path[2]; |
| newrootrollover_ = path[3]; |
| ASSERT_TRUE(newintermediate_); |
| ASSERT_TRUE(newroot_); |
| ASSERT_TRUE(newrootrollover_); |
| } |
| |
| protected: |
| // oldroot-------->newrootrollover newroot |
| // | | | |
| // v v v |
| // oldintermediate newintermediate |
| // | | |
| // +------------+-------------+ |
| // | |
| // v |
| // target |
| std::shared_ptr<const ParsedCertificate> target_; |
| std::shared_ptr<const ParsedCertificate> oldintermediate_; |
| std::shared_ptr<const ParsedCertificate> newintermediate_; |
| std::shared_ptr<const ParsedCertificate> oldroot_; |
| std::shared_ptr<const ParsedCertificate> newroot_; |
| std::shared_ptr<const ParsedCertificate> newrootrollover_; |
| |
| SimplePathBuilderDelegate delegate_; |
| der::GeneralizedTime time_; |
| |
| const InitialExplicitPolicy initial_explicit_policy_ = |
| InitialExplicitPolicy::kFalse; |
| const std::set<der::Input> user_initial_policy_set_ = { |
| der::Input(kAnyPolicyOid)}; |
| const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_ = |
| InitialPolicyMappingInhibit::kFalse; |
| const InitialAnyPolicyInhibit initial_any_policy_inhibit_ = |
| InitialAnyPolicyInhibit::kFalse; |
| }; |
| |
| // Tests that if only the old root cert is trusted, the path builder can build a |
| // path through the new intermediate and rollover cert to the old root. |
| TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { |
| // Only oldroot is trusted. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(oldroot_); |
| |
| // Old intermediate cert is not provided, so the pathbuilder will need to go |
| // through the rollover cert. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(newintermediate_); |
| sync_certs.AddCert(newrootrollover_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| |
| // Due to authorityKeyIdentifier prioritization, path builder will first |
| // attempt: target <- newintermediate <- newrootrollover <- oldroot |
| // which will succeed. |
| ASSERT_EQ(1U, result.paths.size()); |
| const auto &path0 = *result.paths[0]; |
| EXPECT_EQ(0U, result.best_result_index); |
| EXPECT_TRUE(path0.IsValid()); |
| ASSERT_EQ(4U, path0.certs.size()); |
| EXPECT_EQ(target_, path0.certs[0]); |
| EXPECT_EQ(newintermediate_, path0.certs[1]); |
| EXPECT_EQ(newrootrollover_, path0.certs[2]); |
| EXPECT_EQ(oldroot_, path0.certs[3]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Tests that if both old and new roots are trusted it builds a path through |
| // the new intermediate. |
| TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { |
| // Both oldroot and newroot are trusted. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(oldroot_); |
| trust_store.AddTrustAnchor(newroot_); |
| |
| // Both old and new intermediates + rollover cert are provided. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(oldintermediate_); |
| sync_certs.AddCert(newintermediate_); |
| sync_certs.AddCert(newrootrollover_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| |
| ASSERT_EQ(1U, result.paths.size()); |
| const auto &path = *result.paths[0]; |
| EXPECT_TRUE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, path.certs.size()); |
| EXPECT_EQ(target_, path.certs[0]); |
| // The newer intermediate should be used as newer certs are prioritized in |
| // path building. |
| EXPECT_EQ(newintermediate_, path.certs[1]); |
| EXPECT_EQ(newroot_, path.certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // If trust anchor query returned no results, and there are no issuer |
| // sources, path building should fail at that point. |
| TEST_F(PathBuilderKeyRolloverTest, TestAnchorsNoMatchAndNoIssuerSources) { |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(newroot_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| ASSERT_EQ(1U, result.paths.size()); |
| const auto &path = *result.paths[0]; |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(1U, path.certs.size()); |
| EXPECT_EQ(target_, path.certs[0]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| // If a path to a trust anchor could not be found, and the last issuer(s) in |
| // the chain were culled by the loop checker, the partial path up to that point |
| // should be returned. |
| TEST_F(PathBuilderKeyRolloverTest, TestReturnsPartialPathEndedByLoopChecker) { |
| TrustStoreInMemory trust_store; |
| |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(newintermediate_); |
| sync_certs.AddCert(newroot_); |
| |
| CertIssuerSourceStatic rollover_certs; |
| rollover_certs.AddCert(newrootrollover_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| // The rollover root is added as a second issuer source to ensure we get paths |
| // back in a deterministic order, otherwise newroot and newrootrollover do not |
| // differ in any way that the path builder would use for prioritizing which |
| // path comes back first. |
| path_builder.AddCertIssuerSource(&rollover_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_EQ(2U, result.paths.size()); |
| |
| // Since none of the certs are trusted, the path builder should build 4 |
| // candidate paths, all of which are disallowed due to the loop checker: |
| // target->newintermediate->newroot->newroot |
| // target->newintermediate->newroot->newrootrollover |
| // target->newintermediate->newrootrollover->newroot |
| // target->newintermediate->newrootrollover->newrootrollover |
| // This should end up returning the 2 partial paths which are the longest |
| // paths for which no acceptable issuers could be found: |
| // target->newintermediate->newroot |
| // target->newintermediate->newrootrollover |
| |
| { |
| const auto &path = *result.paths[0]; |
| EXPECT_FALSE(path.IsValid()); |
| ASSERT_EQ(3U, path.certs.size()); |
| EXPECT_EQ(target_, path.certs[0]); |
| EXPECT_EQ(newintermediate_, path.certs[1]); |
| EXPECT_EQ(newroot_, path.certs[2]); |
| EXPECT_TRUE(path.errors.ContainsError(cert_errors::kNoIssuersFound)); |
| } |
| |
| { |
| const auto &path = *result.paths[1]; |
| EXPECT_FALSE(path.IsValid()); |
| ASSERT_EQ(3U, path.certs.size()); |
| EXPECT_EQ(target_, path.certs[0]); |
| EXPECT_EQ(newintermediate_, path.certs[1]); |
| EXPECT_EQ(newrootrollover_, path.certs[2]); |
| EXPECT_TRUE(path.errors.ContainsError(cert_errors::kNoIssuersFound)); |
| } |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| // Tests that multiple trust root matches on a single path will be considered. |
| // Both roots have the same subject but different keys. Only one of them will |
| // verify. |
| TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { |
| TrustStoreCollection trust_store_collection; |
| TrustStoreInMemory trust_store1; |
| TrustStoreInMemory trust_store2; |
| trust_store_collection.AddTrustStore(&trust_store1); |
| trust_store_collection.AddTrustStore(&trust_store2); |
| // Add two trust anchors (newroot_ and oldroot_). Path building will attempt |
| // them in this same order, as trust_store1 was added to |
| // trust_store_collection first. |
| trust_store1.AddTrustAnchor(newroot_); |
| trust_store2.AddTrustAnchor(oldroot_); |
| |
| // Only oldintermediate is supplied, so the path with newroot should fail, |
| // oldroot should succeed. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(oldintermediate_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store_collection, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| ASSERT_EQ(1U, result.paths.size()); |
| |
| // Due to authorityKeyIdentifier prioritization, path builder will first |
| // attempt: target <- old intermediate <- oldroot |
| // which should succeed. |
| EXPECT_TRUE(result.paths[result.best_result_index]->IsValid()); |
| const auto &path = *result.paths[result.best_result_index]; |
| ASSERT_EQ(3U, path.certs.size()); |
| EXPECT_EQ(target_, path.certs[0]); |
| EXPECT_EQ(oldintermediate_, path.certs[1]); |
| EXPECT_EQ(oldroot_, path.certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Tests that the path builder doesn't build longer than necessary paths, |
| // by skipping certs where the same Name+SAN+SPKI is already in the current |
| // path. |
| TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { |
| // Only oldroot is trusted. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(oldroot_); |
| |
| // New intermediate and new root are provided synchronously. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(newintermediate_); |
| sync_certs.AddCert(newroot_); |
| |
| // Rollover cert is only provided asynchronously. This will force the |
| // pathbuilder to first try building a longer than necessary path. |
| AsyncCertIssuerSourceStatic async_certs; |
| async_certs.AddCert(newrootrollover_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| path_builder.AddCertIssuerSource(&async_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| ASSERT_EQ(3U, result.paths.size()); |
| |
| // Path builder will first attempt: |
| // target <- newintermediate <- newroot <- oldroot |
| // but it will fail since newroot is self-signed. |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| const auto &path0 = *result.paths[0]; |
| ASSERT_EQ(4U, path0.certs.size()); |
| EXPECT_EQ(target_, path0.certs[0]); |
| EXPECT_EQ(newintermediate_, path0.certs[1]); |
| EXPECT_EQ(newroot_, path0.certs[2]); |
| EXPECT_EQ(oldroot_, path0.certs[3]); |
| |
| // Path builder will next attempt: target <- newintermediate <- oldroot |
| // but it will fail since newintermediate is signed by newroot. |
| EXPECT_FALSE(result.paths[1]->IsValid()); |
| const auto &path1 = *result.paths[1]; |
| ASSERT_EQ(3U, path1.certs.size()); |
| EXPECT_EQ(target_, path1.certs[0]); |
| EXPECT_EQ(newintermediate_, path1.certs[1]); |
| EXPECT_EQ(oldroot_, path1.certs[2]); |
| |
| // Path builder will skip: |
| // target <- newintermediate <- newroot <- newrootrollover <- ... |
| // Since newroot and newrootrollover have the same Name+SAN+SPKI. |
| |
| // Finally path builder will use: |
| // target <- newintermediate <- newrootrollover <- oldroot |
| EXPECT_EQ(2U, result.best_result_index); |
| EXPECT_TRUE(result.paths[2]->IsValid()); |
| const auto &path2 = *result.paths[2]; |
| ASSERT_EQ(4U, path2.certs.size()); |
| EXPECT_EQ(target_, path2.certs[0]); |
| EXPECT_EQ(newintermediate_, path2.certs[1]); |
| EXPECT_EQ(newrootrollover_, path2.certs[2]); |
| EXPECT_EQ(oldroot_, path2.certs[3]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Tests that when SetExploreAllPaths is combined with SetIterationLimit the |
| // path builder will return all the paths that were able to be built before the |
| // iteration limit was reached. |
| TEST_F(PathBuilderKeyRolloverTest, ExploreAllPathsWithIterationLimit) { |
| struct Expectation { |
| int iteration_limit; |
| size_t expected_num_paths; |
| std::vector<std::shared_ptr<const ParsedCertificate>> partial_path; |
| } kExpectations[] = { |
| // No iteration limit. All possible paths should be built. |
| {0, 4, {}}, |
| // Limit 1 is only enough to reach the intermediate, no complete path |
| // should be built. |
| {1, 0, {target_, newintermediate_}}, |
| // Limit 2 allows reaching the root on the first path. |
| {2, 1, {target_, newintermediate_}}, |
| // Next iteration uses oldroot instead of newroot. |
| {3, 2, {target_, newintermediate_}}, |
| // Backtracking to the target cert. |
| {4, 2, {target_}}, |
| // Adding oldintermediate. |
| {5, 2, {target_, oldintermediate_}}, |
| // Trying oldroot. |
| {6, 3, {target_, oldintermediate_}}, |
| // Trying newroot. |
| {7, 4, {target_, oldintermediate_}}, |
| }; |
| |
| // Trust both old and new roots. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(oldroot_); |
| trust_store.AddTrustAnchor(newroot_); |
| |
| // Intermediates and root rollover are all provided synchronously. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(oldintermediate_); |
| sync_certs.AddCert(newintermediate_); |
| |
| for (const auto &expectation : kExpectations) { |
| SCOPED_TRACE(expectation.iteration_limit); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| // Explore all paths, rather than stopping at the first valid path. |
| path_builder.SetExploreAllPaths(true); |
| |
| // Limit the number of iterations. |
| path_builder.SetIterationLimit(expectation.iteration_limit); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_EQ(expectation.expected_num_paths > 0, result.HasValidPath()); |
| VerifyError error = result.GetBestPathVerifyError(); |
| if (expectation.expected_num_paths > 0) { |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } else { |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_ITERATION_COUNT_EXCEEDED) |
| << error.DiagnosticString(); |
| } |
| |
| if (expectation.partial_path.empty()) { |
| ASSERT_EQ(expectation.expected_num_paths, result.paths.size()); |
| } else { |
| ASSERT_EQ(1 + expectation.expected_num_paths, result.paths.size()); |
| const auto &path = *result.paths[result.paths.size() - 1]; |
| EXPECT_FALSE(path.IsValid()); |
| EXPECT_EQ(expectation.partial_path, path.certs); |
| EXPECT_TRUE( |
| path.errors.ContainsError(cert_errors::kIterationLimitExceeded)); |
| } |
| |
| if (expectation.expected_num_paths > 0) { |
| // Path builder will first build path: target <- newintermediate <- |
| // newroot |
| const auto &path0 = *result.paths[0]; |
| EXPECT_TRUE(path0.IsValid()); |
| ASSERT_EQ(3U, path0.certs.size()); |
| EXPECT_EQ(target_, path0.certs[0]); |
| EXPECT_EQ(newintermediate_, path0.certs[1]); |
| EXPECT_EQ(newroot_, path0.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| |
| if (expectation.expected_num_paths > 1) { |
| // Next path: target <- newintermediate <- oldroot |
| const auto &path1 = *result.paths[1]; |
| EXPECT_FALSE(path1.IsValid()); |
| ASSERT_EQ(3U, path1.certs.size()); |
| EXPECT_EQ(target_, path1.certs[0]); |
| EXPECT_EQ(newintermediate_, path1.certs[1]); |
| EXPECT_EQ(oldroot_, path1.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| |
| if (expectation.expected_num_paths > 2) { |
| // Next path: target <- oldintermediate <- oldroot |
| const auto &path2 = *result.paths[2]; |
| EXPECT_TRUE(path2.IsValid()); |
| ASSERT_EQ(3U, path2.certs.size()); |
| EXPECT_EQ(target_, path2.certs[0]); |
| EXPECT_EQ(oldintermediate_, path2.certs[1]); |
| EXPECT_EQ(oldroot_, path2.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| |
| if (expectation.expected_num_paths > 3) { |
| // Final path: target <- oldintermediate <- newroot |
| const auto &path3 = *result.paths[3]; |
| EXPECT_FALSE(path3.IsValid()); |
| ASSERT_EQ(3U, path3.certs.size()); |
| EXPECT_EQ(target_, path3.certs[0]); |
| EXPECT_EQ(oldintermediate_, path3.certs[1]); |
| EXPECT_EQ(newroot_, path3.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| } |
| } |
| |
| // Tests that when SetValidPathLimit is used path builder returns the number of |
| // valid paths we expect before the valid path limit was reached. |
| TEST_F(PathBuilderKeyRolloverTest, ExplorePathsWithPathLimit) { |
| struct Expectation { |
| size_t valid_path_limit; |
| size_t expected_num_paths; |
| } kExpectations[] = { |
| {0, 4}, // No path limit. Three valid, one partial path should be built |
| {1, 1}, // One valid path |
| {2, 3}, // Two valid, one partial |
| {3, 4}, {4, 4}, {5, 4}, |
| }; |
| |
| // Trust both old and new roots. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(oldroot_); |
| trust_store.AddTrustAnchor(newroot_); |
| |
| // Intermediates and root rollover are all provided synchronously. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(oldintermediate_); |
| sync_certs.AddCert(newintermediate_); |
| |
| for (const auto &expectation : kExpectations) { |
| SCOPED_TRACE(expectation.valid_path_limit); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| // Stop after finding enough valid paths. |
| path_builder.SetValidPathLimit(expectation.valid_path_limit); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| ASSERT_EQ(expectation.expected_num_paths, result.paths.size()); |
| |
| if (result.paths.size() > 0) { |
| // Path builder will first build path: target <- newintermediate <- |
| // newroot |
| const auto &path0 = *result.paths[0]; |
| EXPECT_TRUE(path0.IsValid()); |
| ASSERT_EQ(3U, path0.certs.size()); |
| EXPECT_EQ(target_, path0.certs[0]); |
| EXPECT_EQ(newintermediate_, path0.certs[1]); |
| EXPECT_EQ(newroot_, path0.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| |
| if (result.paths.size() > 1) { |
| // Next path: target <- newintermediate <- oldroot |
| const auto &path1 = *result.paths[1]; |
| EXPECT_FALSE(path1.IsValid()); |
| ASSERT_EQ(3U, path1.certs.size()); |
| EXPECT_EQ(target_, path1.certs[0]); |
| EXPECT_EQ(newintermediate_, path1.certs[1]); |
| EXPECT_EQ(oldroot_, path1.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| |
| if (result.paths.size() > 2) { |
| // Next path: target <- oldintermediate <- oldroot |
| const auto &path2 = *result.paths[2]; |
| EXPECT_TRUE(path2.IsValid()); |
| ASSERT_EQ(3U, path2.certs.size()); |
| EXPECT_EQ(target_, path2.certs[0]); |
| EXPECT_EQ(oldintermediate_, path2.certs[1]); |
| EXPECT_EQ(oldroot_, path2.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| |
| if (result.paths.size() > 3) { |
| // Final path: target <- oldintermediate <- newroot |
| const auto &path3 = *result.paths[3]; |
| EXPECT_FALSE(path3.IsValid()); |
| ASSERT_EQ(3U, path3.certs.size()); |
| EXPECT_EQ(target_, path3.certs[0]); |
| EXPECT_EQ(oldintermediate_, path3.certs[1]); |
| EXPECT_EQ(newroot_, path3.certs[2]); |
| EXPECT_EQ(3U, result.max_depth_seen); |
| } |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| } |
| |
| // If the target cert is a trust anchor, however is not itself *signed* by a |
| // trust anchor, then it is not considered valid (the SPKI and name of the |
| // trust anchor matches the SPKI and subject of the target certificate, but the |
| // rest of the certificate cannot be verified). |
| TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { |
| // Trust newintermediate. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(newintermediate_); |
| |
| // Newintermediate is also the target cert. |
| CertPathBuilder path_builder( |
| newintermediate_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path |
| // can still be built. |
| // Since LoopChecker will prevent the intermediate from being included, this |
| // currently does NOT verify. This case shouldn't occur in the web PKI. |
| TEST_F(PathBuilderKeyRolloverTest, |
| TestEndEntityHasSameNameAndSpkiAsIntermediate) { |
| // Trust oldroot. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(oldroot_); |
| |
| // New root rollover is provided synchronously. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(newrootrollover_); |
| |
| // Newroot is the target cert. |
| CertPathBuilder path_builder( |
| newroot_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| // This could actually be OK, but CertPathBuilder does not build the |
| // newroot <- newrootrollover <- oldroot path. |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), |
| VerifyError::StatusCode::CERTIFICATE_INVALID_SIGNATURE) |
| << error.DiagnosticString(); |
| } |
| |
| // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) |
| // path can still be built. |
| TEST_F(PathBuilderKeyRolloverTest, |
| TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { |
| // Trust newrootrollover. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(newrootrollover_); |
| |
| // Newroot is the target cert. |
| CertPathBuilder path_builder( |
| newroot_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| |
| auto result = path_builder.Run(); |
| |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| const CertPathBuilderResultPath *best_result = result.GetBestValidPath(); |
| |
| // Newroot has same name+SPKI as newrootrollover, thus the path is valid and |
| // only contains newroot. |
| EXPECT_TRUE(best_result->IsValid()); |
| ASSERT_EQ(2U, best_result->certs.size()); |
| EXPECT_EQ(newroot_, best_result->certs[0]); |
| EXPECT_EQ(newrootrollover_, best_result->certs[1]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that PathBuilder will not try the same path twice if multiple |
| // CertIssuerSources provide the same certificate. |
| TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { |
| // Create a separate copy of oldintermediate. |
| std::shared_ptr<const ParsedCertificate> oldintermediate_dupe( |
| ParsedCertificate::Create( |
| bssl::UniquePtr<CRYPTO_BUFFER>( |
| CRYPTO_BUFFER_new(oldintermediate_->der_cert().data(), |
| oldintermediate_->der_cert().size(), nullptr)), |
| {}, nullptr)); |
| |
| // Only newroot is a trusted root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(newroot_); |
| |
| // The oldintermediate is supplied synchronously by |sync_certs1| and |
| // another copy of oldintermediate is supplied synchronously by |sync_certs2|. |
| // The path target <- oldintermediate <- newroot should be built first, |
| // though it won't verify. It should not be attempted again even though |
| // oldintermediate was supplied twice. |
| CertIssuerSourceStatic sync_certs1; |
| sync_certs1.AddCert(oldintermediate_); |
| CertIssuerSourceStatic sync_certs2; |
| sync_certs2.AddCert(oldintermediate_dupe); |
| |
| // The newintermediate is supplied asynchronously, so the path |
| // target <- newintermediate <- newroot should be tried second. |
| AsyncCertIssuerSourceStatic async_certs; |
| async_certs.AddCert(newintermediate_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs1); |
| path_builder.AddCertIssuerSource(&sync_certs2); |
| path_builder.AddCertIssuerSource(&async_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| ASSERT_EQ(2U, result.paths.size()); |
| |
| // Path builder will first attempt: target <- oldintermediate <- newroot |
| // but it will fail since oldintermediate is signed by oldroot. |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| const auto &path0 = *result.paths[0]; |
| |
| ASSERT_EQ(3U, path0.certs.size()); |
| EXPECT_EQ(target_, path0.certs[0]); |
| // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| // of oldintermediate was used in the path. |
| EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert()); |
| EXPECT_EQ(newroot_, path0.certs[2]); |
| |
| // Path builder will next attempt: target <- newintermediate <- newroot |
| // which will succeed. |
| EXPECT_EQ(1U, result.best_result_index); |
| EXPECT_TRUE(result.paths[1]->IsValid()); |
| const auto &path1 = *result.paths[1]; |
| ASSERT_EQ(3U, path1.certs.size()); |
| EXPECT_EQ(target_, path1.certs[0]); |
| EXPECT_EQ(newintermediate_, path1.certs[1]); |
| EXPECT_EQ(newroot_, path1.certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Test when PathBuilder is given a cert via CertIssuerSources that has the same |
| // SPKI as a trust anchor. |
| TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { |
| // Create a separate copy of newroot. |
| std::shared_ptr<const ParsedCertificate> newroot_dupe( |
| ParsedCertificate::Create( |
| bssl::UniquePtr<CRYPTO_BUFFER>( |
| CRYPTO_BUFFER_new(newroot_->der_cert().data(), |
| newroot_->der_cert().size(), nullptr)), |
| {}, nullptr)); |
| |
| // Only newroot is a trusted root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(newroot_); |
| |
| // The oldintermediate and newroot are supplied synchronously by |sync_certs|. |
| CertIssuerSourceStatic sync_certs; |
| sync_certs.AddCert(oldintermediate_); |
| sync_certs.AddCert(newroot_dupe); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&sync_certs); |
| |
| auto result = path_builder.Run(); |
| |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_EQ(1U, result.paths.size()); |
| |
| // Path builder attempt: target <- oldintermediate <- newroot |
| // but it will fail since oldintermediate is signed by oldroot. |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| const auto &path = *result.paths[0]; |
| ASSERT_EQ(3U, path.certs.size()); |
| EXPECT_EQ(target_, path.certs[0]); |
| EXPECT_EQ(oldintermediate_, path.certs[1]); |
| // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| // of newroot was used in the path. |
| EXPECT_EQ(newroot_->der_cert(), path.certs[2]->der_cert()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), |
| VerifyError::StatusCode::CERTIFICATE_INVALID_SIGNATURE) |
| << error.DiagnosticString(); |
| } |
| |
| class MockCertIssuerSourceRequest : public CertIssuerSource::Request { |
| public: |
| MOCK_METHOD1(GetNext, void(ParsedCertificateList *)); |
| }; |
| |
| class MockCertIssuerSource : public CertIssuerSource { |
| public: |
| MOCK_METHOD2(SyncGetIssuersOf, |
| void(const ParsedCertificate *, ParsedCertificateList *)); |
| MOCK_METHOD2(AsyncGetIssuersOf, |
| void(const ParsedCertificate *, std::unique_ptr<Request> *)); |
| }; |
| |
| // Helper class to pass the Request to the PathBuilder when it calls |
| // AsyncGetIssuersOf. (GoogleMock has a ByMove helper, but it apparently can |
| // only be used with Return, not SetArgPointee.) |
| class CertIssuerSourceRequestMover { |
| public: |
| explicit CertIssuerSourceRequestMover( |
| std::unique_ptr<CertIssuerSource::Request> req) |
| : request_(std::move(req)) {} |
| void MoveIt(const ParsedCertificate *cert, |
| std::unique_ptr<CertIssuerSource::Request> *out_req) { |
| *out_req = std::move(request_); |
| } |
| |
| private: |
| std::unique_ptr<CertIssuerSource::Request> request_; |
| }; |
| |
| // Functor that when called with a ParsedCertificateList* will append the |
| // specified certificate. |
| class AppendCertToList { |
| public: |
| explicit AppendCertToList( |
| const std::shared_ptr<const ParsedCertificate> &cert) |
| : cert_(cert) {} |
| |
| void operator()(ParsedCertificateList *out) { out->push_back(cert_); } |
| |
| private: |
| std::shared_ptr<const ParsedCertificate> cert_; |
| }; |
| |
| // Test that a single CertIssuerSource returning multiple async batches of |
| // issuers is handled correctly. Due to the StrictMocks, it also tests that path |
| // builder does not request issuers of certs that it shouldn't. |
| TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncIssuersFromSingleSource) { |
| StrictMock<MockCertIssuerSource> cert_issuer_source; |
| |
| // Only newroot is a trusted root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(newroot_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&cert_issuer_source); |
| |
| // Create the mock CertIssuerSource::Request... |
| auto target_issuers_req_owner = |
| std::make_unique<StrictMock<MockCertIssuerSourceRequest>>(); |
| // Keep a raw pointer to the Request... |
| StrictMock<MockCertIssuerSourceRequest> *target_issuers_req = |
| target_issuers_req_owner.get(); |
| // Setup helper class to pass ownership of the Request to the PathBuilder when |
| // it calls AsyncGetIssuersOf. |
| CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); |
| { |
| ::testing::InSequence s; |
| EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); |
| EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _)) |
| .WillOnce(Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt)); |
| } |
| |
| EXPECT_CALL(*target_issuers_req, GetNext(_)) |
| // First async batch: return oldintermediate_. |
| .WillOnce(Invoke(AppendCertToList(oldintermediate_))) |
| // Second async batch: return newintermediate_. |
| .WillOnce(Invoke(AppendCertToList(newintermediate_))); |
| { |
| ::testing::InSequence s; |
| // oldintermediate_ does not create a valid path, so both sync and async |
| // lookups are expected. |
| EXPECT_CALL(cert_issuer_source, |
| SyncGetIssuersOf(oldintermediate_.get(), _)); |
| EXPECT_CALL(cert_issuer_source, |
| AsyncGetIssuersOf(oldintermediate_.get(), _)); |
| } |
| |
| // newroot_ is in the trust store, so this path will be completed |
| // synchronously. AsyncGetIssuersOf will not be called on newintermediate_. |
| EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); |
| |
| // Ensure pathbuilder finished and filled result. |
| auto result = path_builder.Run(); |
| |
| // Note that VerifyAndClearExpectations(target_issuers_req) is not called |
| // here. PathBuilder could have destroyed it already, so just let the |
| // expectations get checked by the destructor. |
| ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| ASSERT_EQ(2U, result.paths.size()); |
| |
| // Path builder first attempts: target <- oldintermediate <- newroot |
| // but it will fail since oldintermediate is signed by oldroot. |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| const auto &path0 = *result.paths[0]; |
| ASSERT_EQ(3U, path0.certs.size()); |
| EXPECT_EQ(target_, path0.certs[0]); |
| EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| EXPECT_EQ(newroot_, path0.certs[2]); |
| |
| // After the second batch of async results, path builder will attempt: |
| // target <- newintermediate <- newroot which will succeed. |
| EXPECT_TRUE(result.paths[1]->IsValid()); |
| const auto &path1 = *result.paths[1]; |
| ASSERT_EQ(3U, path1.certs.size()); |
| EXPECT_EQ(target_, path1.certs[0]); |
| EXPECT_EQ(newintermediate_, path1.certs[1]); |
| EXPECT_EQ(newroot_, path1.certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| // Test that PathBuilder will not try the same path twice if CertIssuerSources |
| // asynchronously provide the same certificate multiple times. |
| TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { |
| StrictMock<MockCertIssuerSource> cert_issuer_source; |
| |
| // Only newroot is a trusted root. |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(newroot_); |
| |
| CertPathBuilder path_builder( |
| target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, |
| initial_explicit_policy_, user_initial_policy_set_, |
| initial_policy_mapping_inhibit_, initial_any_policy_inhibit_); |
| path_builder.AddCertIssuerSource(&cert_issuer_source); |
| |
| // Create the mock CertIssuerSource::Request... |
| auto target_issuers_req_owner = |
| std::make_unique<StrictMock<MockCertIssuerSourceRequest>>(); |
| // Keep a raw pointer to the Request... |
| StrictMock<MockCertIssuerSourceRequest> *target_issuers_req = |
| target_issuers_req_owner.get(); |
| // Setup helper class to pass ownership of the Request to the PathBuilder when |
| // it calls AsyncGetIssuersOf. |
| CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); |
| { |
| ::testing::InSequence s; |
| EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); |
| EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _)) |
| .WillOnce(Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt)); |
| } |
| |
| std::shared_ptr<const ParsedCertificate> oldintermediate_dupe( |
| ParsedCertificate::Create( |
| bssl::UniquePtr<CRYPTO_BUFFER>( |
| CRYPTO_BUFFER_new(oldintermediate_->der_cert().data(), |
| oldintermediate_->der_cert().size(), nullptr)), |
| {}, nullptr)); |
| |
| EXPECT_CALL(*target_issuers_req, GetNext(_)) |
| // First async batch: return oldintermediate_. |
| .WillOnce(Invoke(AppendCertToList(oldintermediate_))) |
| // Second async batch: return a different copy of oldintermediate_ again. |
| .WillOnce(Invoke(AppendCertToList(oldintermediate_dupe))) |
| // Third async batch: return newintermediate_. |
| .WillOnce(Invoke(AppendCertToList(newintermediate_))); |
| |
| { |
| ::testing::InSequence s; |
| // oldintermediate_ does not create a valid path, so both sync and async |
| // lookups are expected. |
| EXPECT_CALL(cert_issuer_source, |
| SyncGetIssuersOf(oldintermediate_.get(), _)); |
| EXPECT_CALL(cert_issuer_source, |
| AsyncGetIssuersOf(oldintermediate_.get(), _)); |
| } |
| |
| // newroot_ is in the trust store, so this path will be completed |
| // synchronously. AsyncGetIssuersOf will not be called on newintermediate_. |
| EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); |
| |
| // Ensure pathbuilder finished and filled result. |
| auto result = path_builder.Run(); |
| |
| ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| |
| EXPECT_TRUE(result.HasValidPath()); |
| ASSERT_EQ(2U, result.paths.size()); |
| |
| // Path builder first attempts: target <- oldintermediate <- newroot |
| // but it will fail since oldintermediate is signed by oldroot. |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| const auto &path0 = *result.paths[0]; |
| ASSERT_EQ(3U, path0.certs.size()); |
| EXPECT_EQ(target_, path0.certs[0]); |
| EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| EXPECT_EQ(newroot_, path0.certs[2]); |
| |
| // The second async result does not generate any path. |
| |
| // After the third batch of async results, path builder will attempt: |
| // target <- newintermediate <- newroot which will succeed. |
| EXPECT_TRUE(result.paths[1]->IsValid()); |
| const auto &path1 = *result.paths[1]; |
| ASSERT_EQ(3U, path1.certs.size()); |
| EXPECT_EQ(target_, path1.certs[0]); |
| EXPECT_EQ(newintermediate_, path1.certs[1]); |
| EXPECT_EQ(newroot_, path1.certs[2]); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| class PathBuilderSimpleChainTest : public ::testing::Test { |
| public: |
| PathBuilderSimpleChainTest() = default; |
| |
| protected: |
| void SetUp() override { |
| // Read a simple test chain comprised of a target, intermediate, and root. |
| ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| "testdata/verify_certificate_chain_unittest/target-and-intermediate/" |
| "main.test", |
| &test_)); |
| ASSERT_EQ(3u, test_.chain.size()); |
| } |
| |
| // Runs the path builder for the target certificate while |distrusted_cert| is |
| // blocked, and |delegate| if non-null. |
| CertPathBuilder::Result RunPathBuilder( |
| const std::shared_ptr<const ParsedCertificate> &distrusted_cert, |
| CertPathBuilderDelegate *optional_delegate) { |
| // Set up the trust store such that |distrusted_cert| is blocked, and |
| // the root is trusted (except if it was |distrusted_cert|). |
| TrustStoreInMemory trust_store; |
| if (distrusted_cert != test_.chain.back()) { |
| trust_store.AddTrustAnchor(test_.chain.back()); |
| } |
| if (distrusted_cert) { |
| trust_store.AddDistrustedCertificateForTest(distrusted_cert); |
| } |
| |
| // Add the single intermediate. |
| CertIssuerSourceStatic intermediates; |
| intermediates.AddCert(test_.chain[1]); |
| |
| SimplePathBuilderDelegate default_delegate( |
| 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); |
| CertPathBuilderDelegate *delegate = |
| optional_delegate ? optional_delegate : &default_delegate; |
| |
| const InitialExplicitPolicy initial_explicit_policy = |
| InitialExplicitPolicy::kFalse; |
| const std::set<der::Input> user_initial_policy_set = { |
| der::Input(kAnyPolicyOid)}; |
| const InitialPolicyMappingInhibit initial_policy_mapping_inhibit = |
| InitialPolicyMappingInhibit::kFalse; |
| const InitialAnyPolicyInhibit initial_any_policy_inhibit = |
| InitialAnyPolicyInhibit::kFalse; |
| |
| CertPathBuilder path_builder( |
| test_.chain.front(), &trust_store, delegate, test_.time, |
| KeyPurpose::ANY_EKU, initial_explicit_policy, user_initial_policy_set, |
| initial_policy_mapping_inhibit, initial_any_policy_inhibit); |
| path_builder.AddCertIssuerSource(&intermediates); |
| return path_builder.Run(); |
| } |
| |
| protected: |
| VerifyCertChainTest test_; |
| }; |
| |
| // Test fixture for running the path builder over a simple chain, while varying |
| // the trustedness of certain certificates. |
| class PathBuilderDistrustTest : public PathBuilderSimpleChainTest { |
| public: |
| PathBuilderDistrustTest() = default; |
| |
| protected: |
| // Runs the path builder for the target certificate while |distrusted_cert| is |
| // blocked. |
| CertPathBuilder::Result RunPathBuilderWithDistrustedCert( |
| const std::shared_ptr<const ParsedCertificate> &distrusted_cert) { |
| return RunPathBuilder(distrusted_cert, nullptr); |
| } |
| }; |
| |
| // Tests that path building fails when the target, intermediate, or root are |
| // distrusted (but the path is otherwise valid). |
| TEST_F(PathBuilderDistrustTest, TargetIntermediateRoot) { |
| // First do a control test -- path building without any blocked |
| // certificates should work. |
| CertPathBuilder::Result result = RunPathBuilderWithDistrustedCert(nullptr); |
| { |
| ASSERT_TRUE(result.HasValidPath()); |
| // The built path should be identical the the one read from disk. |
| const auto &path = *result.GetBestValidPath(); |
| ASSERT_EQ(test_.chain.size(), path.certs.size()); |
| for (size_t i = 0; i < test_.chain.size(); ++i) { |
| EXPECT_EQ(test_.chain[i], path.certs[i]); |
| } |
| } |
| |
| // Try path building when only the target is blocked - should fail. |
| result = RunPathBuilderWithDistrustedCert(test_.chain[0]); |
| { |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_LT(result.best_result_index, result.paths.size()); |
| const auto &best_path = result.paths[result.best_result_index]; |
| |
| // The built chain has length 1 since path building stopped once |
| // it encountered the blocked certificate (target). |
| ASSERT_EQ(1u, best_path->certs.size()); |
| EXPECT_EQ(best_path->certs[0], test_.chain[0]); |
| EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); |
| best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore); |
| } |
| |
| // Try path building when only the intermediate is blocked - should fail. |
| result = RunPathBuilderWithDistrustedCert(test_.chain[1]); |
| { |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_LT(result.best_result_index, result.paths.size()); |
| const auto &best_path = result.paths[result.best_result_index]; |
| |
| // The built chain has length 2 since path building stopped once |
| // it encountered the blocked certificate (intermediate). |
| ASSERT_EQ(2u, best_path->certs.size()); |
| EXPECT_EQ(best_path->certs[0], test_.chain[0]); |
| EXPECT_EQ(best_path->certs[1], test_.chain[1]); |
| EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); |
| best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore); |
| } |
| |
| // Try path building when only the root is blocked - should fail. |
| result = RunPathBuilderWithDistrustedCert(test_.chain[2]); |
| { |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_LT(result.best_result_index, result.paths.size()); |
| const auto &best_path = result.paths[result.best_result_index]; |
| |
| // The built chain has length 3 since path building stopped once |
| // it encountered the blocked certificate (root). |
| ASSERT_EQ(3u, best_path->certs.size()); |
| EXPECT_EQ(best_path->certs[0], test_.chain[0]); |
| EXPECT_EQ(best_path->certs[1], test_.chain[1]); |
| EXPECT_EQ(best_path->certs[2], test_.chain[2]); |
| EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); |
| best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore); |
| } |
| } |
| |
| // Test fixture for running the path builder over a simple chain, while varying |
| // what CheckPathAfterVerification() does. |
| class PathBuilderCheckPathAfterVerificationTest |
| : public PathBuilderSimpleChainTest {}; |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, NoOpToValidPath) { |
| StrictMock<MockPathBuilderDelegate> delegate; |
| // Just verify that the hook is called. |
| EXPECT_CALL(delegate, CheckPathAfterVerification(_, _)); |
| |
| CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate); |
| EXPECT_TRUE(result.HasValidPath()); |
| } |
| |
| DEFINE_CERT_ERROR_ID(kWarningFromDelegate, "Warning from delegate"); |
| |
| class AddWarningPathBuilderDelegate : public CertPathBuilderDelegateBase { |
| public: |
| void CheckPathAfterVerification(const CertPathBuilder &path_builder, |
| CertPathBuilderResultPath *path) override { |
| path->errors.GetErrorsForCert(1)->AddWarning(kWarningFromDelegate, nullptr); |
| } |
| }; |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsWarningToValidPath) { |
| AddWarningPathBuilderDelegate delegate; |
| CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate); |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| // A warning should have been added to certificate at index 1 in the path. |
| const CertErrors *cert1_errors = |
| result.GetBestValidPath()->errors.GetErrorsForCert(1); |
| ASSERT_TRUE(cert1_errors); |
| EXPECT_TRUE(cert1_errors->ContainsErrorWithSeverity( |
| kWarningFromDelegate, CertError::SEVERITY_WARNING)); |
| |
| // The warning should not affect the VerifyError |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| } |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, TestVerifyErrorMapping) { |
| struct error_mapping { |
| CertErrorId internal_error; |
| VerifyError::StatusCode code; |
| }; |
| struct error_mapping AllErrors[] = { |
| {cert_errors::kInternalError, |
| VerifyError::StatusCode::VERIFICATION_FAILURE}, |
| {cert_errors::kValidityFailedNotAfter, |
| VerifyError::StatusCode::CERTIFICATE_EXPIRED}, |
| {cert_errors::kValidityFailedNotBefore, |
| VerifyError::StatusCode::CERTIFICATE_NOT_YET_VALID}, |
| {cert_errors::kDistrustedByTrustStore, |
| VerifyError::StatusCode::PATH_NOT_FOUND}, |
| {cert_errors::kSignatureAlgorithmMismatch, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kChainIsEmpty, |
| VerifyError::StatusCode::VERIFICATION_FAILURE}, |
| {cert_errors::kUnconsumedCriticalExtension, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kKeyCertSignBitNotSet, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kMaxPathLengthViolated, |
| VerifyError::StatusCode::PATH_NOT_FOUND}, |
| {cert_errors::kBasicConstraintsIndicatesNotCa, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kTargetCertShouldNotBeCa, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kMissingBasicConstraints, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kNotPermittedByNameConstraints, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kTooManyNameConstraintChecks, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kSubjectDoesNotMatchIssuer, |
| VerifyError::StatusCode::PATH_NOT_FOUND}, |
| {cert_errors::kVerifySignedDataFailed, |
| VerifyError::StatusCode::CERTIFICATE_INVALID_SIGNATURE}, |
| {cert_errors::kSignatureAlgorithmsDifferentEncoding, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kEkuLacksServerAuth, |
| VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU}, |
| {cert_errors::kEkuLacksServerAuthButHasAnyEKU, |
| VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU}, |
| {cert_errors::kEkuLacksClientAuth, |
| VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU}, |
| {cert_errors::kEkuLacksClientAuthButHasAnyEKU, |
| VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU}, |
| {cert_errors::kEkuLacksClientAuthOrServerAuth, |
| VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU}, |
| {cert_errors::kEkuHasProhibitedOCSPSigning, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kEkuHasProhibitedTimeStamping, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kEkuHasProhibitedCodeSigning, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kEkuNotPresent, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kCertIsNotTrustAnchor, |
| VerifyError::StatusCode::PATH_NOT_FOUND}, |
| {cert_errors::kNoValidPolicy, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kPolicyMappingAnyPolicy, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kFailedParsingSpki, |
| VerifyError::StatusCode::CERTIFICATE_INVALID}, |
| {cert_errors::kUnacceptableSignatureAlgorithm, |
| VerifyError::StatusCode::CERTIFICATE_UNSUPPORTED_SIGNATURE_ALGORITHM}, |
| {cert_errors::kUnacceptablePublicKey, |
| VerifyError::StatusCode::CERTIFICATE_UNSUPPORTED_KEY}, |
| {cert_errors::kCertificateRevoked, |
| VerifyError::StatusCode::CERTIFICATE_REVOKED}, |
| {cert_errors::kNoRevocationMechanism, |
| VerifyError::StatusCode::CERTIFICATE_NO_REVOCATION_MECHANISM}, |
| {cert_errors::kUnableToCheckRevocation, |
| VerifyError::StatusCode::CERTIFICATE_UNABLE_TO_CHECK_REVOCATION}, |
| {cert_errors::kNoIssuersFound, VerifyError::StatusCode::PATH_NOT_FOUND}, |
| {cert_errors::kDeadlineExceeded, |
| VerifyError::StatusCode::PATH_DEADLINE_EXCEEDED}, |
| {cert_errors::kIterationLimitExceeded, |
| VerifyError::StatusCode::PATH_ITERATION_COUNT_EXCEEDED}, |
| {cert_errors::kDepthLimitExceeded, |
| VerifyError::StatusCode::PATH_DEPTH_LIMIT_REACHED}, |
| }; |
| |
| for (struct error_mapping mapping : AllErrors) { |
| AddWarningPathBuilderDelegate delegate; |
| CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate); |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| CertErrors *errors = |
| (CertErrors *)result.GetBestValidPath()->errors.GetErrorsForCert(1); |
| errors->AddError(mapping.internal_error, nullptr); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), mapping.code) |
| << error.DiagnosticString(); |
| } |
| } |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, |
| TestVerifyErrorMulipleMapping) { |
| AddWarningPathBuilderDelegate delegate; |
| CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate); |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| CertErrors *errors = |
| (CertErrors *)result.GetBestValidPath()->errors.GetErrorsForCert(1); |
| errors->AddError(cert_errors::kEkuNotPresent, nullptr); |
| errors->AddError(cert_errors::kNoValidPolicy, nullptr); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_MULTIPLE_ERRORS) |
| << error.DiagnosticString(); |
| } |
| |
| |
| DEFINE_CERT_ERROR_ID(kErrorFromDelegate, "Error from delegate"); |
| |
| class AddErrorPathBuilderDelegate : public CertPathBuilderDelegateBase { |
| public: |
| void CheckPathAfterVerification(const CertPathBuilder &path_builder, |
| CertPathBuilderResultPath *path) override { |
| path->errors.GetErrorsForCert(2)->AddError(kErrorFromDelegate, nullptr); |
| } |
| }; |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsErrorToValidPath) { |
| AddErrorPathBuilderDelegate delegate; |
| CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate); |
| |
| // Verification failed. |
| ASSERT_FALSE(result.HasValidPath()); |
| |
| ASSERT_LT(result.best_result_index, result.paths.size()); |
| const CertPathBuilderResultPath *failed_path = |
| result.paths[result.best_result_index].get(); |
| ASSERT_TRUE(failed_path); |
| |
| // An error should have been added to certificate at index 2 in the path. |
| const CertErrors *cert2_errors = failed_path->errors.GetErrorsForCert(2); |
| ASSERT_TRUE(cert2_errors); |
| EXPECT_TRUE(cert2_errors->ContainsError(kErrorFromDelegate)); |
| |
| // The newly defined delegate error should map to CERTIFICATE_INVALID |
| // since it is associated with a certificate (at index 2) |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::CERTIFICATE_INVALID) |
| << error.DiagnosticString(); |
| } |
| |
| class AddOtherErrorPathBuilderDelegate : public CertPathBuilderDelegateBase { |
| public: |
| void CheckPathAfterVerification(const CertPathBuilder &path_builder, |
| CertPathBuilderResultPath *path) override { |
| path->errors.GetOtherErrors()->AddError(kErrorFromDelegate, nullptr); |
| } |
| }; |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsErrorToOtherErrors) { |
| AddOtherErrorPathBuilderDelegate delegate; |
| CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate); |
| |
| // Verification failed. |
| ASSERT_FALSE(result.HasValidPath()); |
| |
| ASSERT_LT(result.best_result_index, result.paths.size()); |
| const CertPathBuilderResultPath *failed_path = |
| result.paths[result.best_result_index].get(); |
| ASSERT_TRUE(failed_path); |
| |
| // An error should have been added to other errors |
| const CertErrors *other_errors = failed_path->errors.GetOtherErrors(); |
| ASSERT_TRUE(other_errors); |
| EXPECT_TRUE(other_errors->ContainsError(kErrorFromDelegate)); |
| |
| // The newly defined delegate error should map to VERIFICATION_FAILURE |
| // since the error is not associated to a certificate. |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::VERIFICATION_FAILURE) |
| << error.DiagnosticString(); |
| } |
| |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, NoopToAlreadyInvalidPath) { |
| StrictMock<MockPathBuilderDelegate> delegate; |
| // Just verify that the hook is called (on an invalid path). |
| EXPECT_CALL(delegate, CheckPathAfterVerification(_, _)); |
| |
| // Run the pathbuilder with certificate at index 1 actively distrusted. |
| CertPathBuilder::Result result = RunPathBuilder(test_.chain[1], &delegate); |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| } |
| |
| struct DelegateData : public CertPathBuilderDelegateData { |
| int value = 0xB33F; |
| }; |
| |
| class SetsDelegateDataPathBuilderDelegate : public CertPathBuilderDelegateBase { |
| public: |
| void CheckPathAfterVerification(const CertPathBuilder &path_builder, |
| CertPathBuilderResultPath *path) override { |
| path->delegate_data = std::make_unique<DelegateData>(); |
| } |
| }; |
| |
| TEST_F(PathBuilderCheckPathAfterVerificationTest, SetsDelegateData) { |
| SetsDelegateDataPathBuilderDelegate delegate; |
| CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate); |
| ASSERT_TRUE(result.HasValidPath()); |
| |
| DelegateData *data = reinterpret_cast<DelegateData *>( |
| result.GetBestValidPath()->delegate_data.get()); |
| |
| EXPECT_EQ(0xB33F, data->value); |
| } |
| |
| TEST(PathBuilderPrioritizationTest, DatePrioritization) { |
| std::string test_dir = |
| "testdata/path_builder_unittest/validity_date_prioritization/"; |
| std::shared_ptr<const ParsedCertificate> root = |
| ReadCertFromFile(test_dir + "root.pem"); |
| ASSERT_TRUE(root); |
| std::shared_ptr<const ParsedCertificate> int_ac = |
| ReadCertFromFile(test_dir + "int_ac.pem"); |
| ASSERT_TRUE(int_ac); |
| std::shared_ptr<const ParsedCertificate> int_ad = |
| ReadCertFromFile(test_dir + "int_ad.pem"); |
| ASSERT_TRUE(int_ad); |
| std::shared_ptr<const ParsedCertificate> int_bc = |
| ReadCertFromFile(test_dir + "int_bc.pem"); |
| ASSERT_TRUE(int_bc); |
| std::shared_ptr<const ParsedCertificate> int_bd = |
| ReadCertFromFile(test_dir + "int_bd.pem"); |
| ASSERT_TRUE(int_bd); |
| std::shared_ptr<const ParsedCertificate> target = |
| ReadCertFromFile(test_dir + "target.pem"); |
| ASSERT_TRUE(target); |
| |
| SimplePathBuilderDelegate delegate( |
| 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); |
| der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0}; |
| |
| // Distrust the root certificate. This will force the path builder to attempt |
| // all possible paths. |
| TrustStoreInMemory trust_store; |
| trust_store.AddDistrustedCertificateForTest(root); |
| |
| for (bool reverse_input_order : {false, true}) { |
| SCOPED_TRACE(reverse_input_order); |
| |
| CertIssuerSourceStatic intermediates; |
| // Test with the intermediates supplied in two different orders to ensure |
| // the results don't depend on input ordering. |
| if (reverse_input_order) { |
| intermediates.AddCert(int_bd); |
| intermediates.AddCert(int_bc); |
| intermediates.AddCert(int_ad); |
| intermediates.AddCert(int_ac); |
| } else { |
| intermediates.AddCert(int_ac); |
| intermediates.AddCert(int_ad); |
| intermediates.AddCert(int_bc); |
| intermediates.AddCert(int_bd); |
| } |
| |
| CertPathBuilder path_builder( |
| target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU, |
| InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)}, |
| InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse); |
| path_builder.AddCertIssuerSource(&intermediates); |
| |
| CertPathBuilder::Result result = path_builder.Run(); |
| EXPECT_FALSE(result.HasValidPath()); |
| |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| |
| ASSERT_EQ(4U, result.paths.size()); |
| |
| // Path builder should have attempted paths using the intermediates in |
| // order: bd, bc, ad, ac |
| |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(target, result.paths[0]->certs[0]); |
| EXPECT_EQ(int_bd, result.paths[0]->certs[1]); |
| EXPECT_EQ(root, result.paths[0]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[1]->IsValid()); |
| ASSERT_EQ(3U, result.paths[1]->certs.size()); |
| EXPECT_EQ(target, result.paths[1]->certs[0]); |
| EXPECT_EQ(int_bc, result.paths[1]->certs[1]); |
| EXPECT_EQ(root, result.paths[1]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[2]->IsValid()); |
| ASSERT_EQ(3U, result.paths[2]->certs.size()); |
| EXPECT_EQ(target, result.paths[2]->certs[0]); |
| EXPECT_EQ(int_ad, result.paths[2]->certs[1]); |
| EXPECT_EQ(root, result.paths[2]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[3]->IsValid()); |
| ASSERT_EQ(3U, result.paths[3]->certs.size()); |
| EXPECT_EQ(target, result.paths[3]->certs[0]); |
| EXPECT_EQ(int_ac, result.paths[3]->certs[1]); |
| EXPECT_EQ(root, result.paths[3]->certs[2]); |
| } |
| } |
| |
| TEST(PathBuilderPrioritizationTest, KeyIdPrioritization) { |
| std::string test_dir = |
| "testdata/path_builder_unittest/key_id_prioritization/"; |
| std::shared_ptr<const ParsedCertificate> root = |
| ReadCertFromFile(test_dir + "root.pem"); |
| ASSERT_TRUE(root); |
| std::shared_ptr<const ParsedCertificate> int_matching_ski_a = |
| ReadCertFromFile(test_dir + "int_matching_ski_a.pem"); |
| ASSERT_TRUE(int_matching_ski_a); |
| std::shared_ptr<const ParsedCertificate> int_matching_ski_b = |
| ReadCertFromFile(test_dir + "int_matching_ski_b.pem"); |
| ASSERT_TRUE(int_matching_ski_b); |
| std::shared_ptr<const ParsedCertificate> int_no_ski_a = |
| ReadCertFromFile(test_dir + "int_no_ski_a.pem"); |
| ASSERT_TRUE(int_no_ski_a); |
| std::shared_ptr<const ParsedCertificate> int_no_ski_b = |
| ReadCertFromFile(test_dir + "int_no_ski_b.pem"); |
| ASSERT_TRUE(int_no_ski_b); |
| std::shared_ptr<const ParsedCertificate> int_different_ski_a = |
| ReadCertFromFile(test_dir + "int_different_ski_a.pem"); |
| ASSERT_TRUE(int_different_ski_a); |
| std::shared_ptr<const ParsedCertificate> int_different_ski_b = |
| ReadCertFromFile(test_dir + "int_different_ski_b.pem"); |
| ASSERT_TRUE(int_different_ski_b); |
| std::shared_ptr<const ParsedCertificate> target = |
| ReadCertFromFile(test_dir + "target.pem"); |
| ASSERT_TRUE(target); |
| |
| SimplePathBuilderDelegate delegate( |
| 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); |
| der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0}; |
| |
| // Distrust the root certificate. This will force the path builder to attempt |
| // all possible paths. |
| TrustStoreInMemory trust_store; |
| trust_store.AddDistrustedCertificateForTest(root); |
| |
| for (bool reverse_input_order : {false, true}) { |
| SCOPED_TRACE(reverse_input_order); |
| |
| CertIssuerSourceStatic intermediates; |
| // Test with the intermediates supplied in two different orders to ensure |
| // the results don't depend on input ordering. |
| if (reverse_input_order) { |
| intermediates.AddCert(int_different_ski_b); |
| intermediates.AddCert(int_different_ski_a); |
| intermediates.AddCert(int_no_ski_b); |
| intermediates.AddCert(int_no_ski_a); |
| intermediates.AddCert(int_matching_ski_b); |
| intermediates.AddCert(int_matching_ski_a); |
| } else { |
| intermediates.AddCert(int_matching_ski_a); |
| intermediates.AddCert(int_matching_ski_b); |
| intermediates.AddCert(int_no_ski_a); |
| intermediates.AddCert(int_no_ski_b); |
| intermediates.AddCert(int_different_ski_a); |
| intermediates.AddCert(int_different_ski_b); |
| } |
| |
| CertPathBuilder path_builder( |
| target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU, |
| InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)}, |
| InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse); |
| path_builder.AddCertIssuerSource(&intermediates); |
| |
| CertPathBuilder::Result result = path_builder.Run(); |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_EQ(6U, result.paths.size()); |
| |
| // Path builder should have attempted paths using the intermediates in |
| // order: matching_ski_b, matching_ski_a, no_ski_b, no_ski_a, |
| // different_ski_b, different_ski_a |
| |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(target, result.paths[0]->certs[0]); |
| EXPECT_EQ(int_matching_ski_b, result.paths[0]->certs[1]); |
| EXPECT_EQ(root, result.paths[0]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[1]->IsValid()); |
| ASSERT_EQ(3U, result.paths[1]->certs.size()); |
| EXPECT_EQ(target, result.paths[1]->certs[0]); |
| EXPECT_EQ(int_matching_ski_a, result.paths[1]->certs[1]); |
| EXPECT_EQ(root, result.paths[1]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[2]->IsValid()); |
| ASSERT_EQ(3U, result.paths[2]->certs.size()); |
| EXPECT_EQ(target, result.paths[2]->certs[0]); |
| EXPECT_EQ(int_no_ski_b, result.paths[2]->certs[1]); |
| EXPECT_EQ(root, result.paths[2]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[3]->IsValid()); |
| ASSERT_EQ(3U, result.paths[3]->certs.size()); |
| EXPECT_EQ(target, result.paths[3]->certs[0]); |
| EXPECT_EQ(int_no_ski_a, result.paths[3]->certs[1]); |
| EXPECT_EQ(root, result.paths[3]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[4]->IsValid()); |
| ASSERT_EQ(3U, result.paths[4]->certs.size()); |
| EXPECT_EQ(target, result.paths[4]->certs[0]); |
| EXPECT_EQ(int_different_ski_b, result.paths[4]->certs[1]); |
| EXPECT_EQ(root, result.paths[4]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[5]->IsValid()); |
| ASSERT_EQ(3U, result.paths[5]->certs.size()); |
| EXPECT_EQ(target, result.paths[5]->certs[0]); |
| EXPECT_EQ(int_different_ski_a, result.paths[5]->certs[1]); |
| EXPECT_EQ(root, result.paths[5]->certs[2]); |
| } |
| } |
| |
| TEST(PathBuilderPrioritizationTest, TrustAndKeyIdPrioritization) { |
| std::string test_dir = |
| "testdata/path_builder_unittest/key_id_prioritization/"; |
| std::shared_ptr<const ParsedCertificate> root = |
| ReadCertFromFile(test_dir + "root.pem"); |
| ASSERT_TRUE(root); |
| std::shared_ptr<const ParsedCertificate> trusted_and_matching = |
| ReadCertFromFile(test_dir + "int_matching_ski_a.pem"); |
| ASSERT_TRUE(trusted_and_matching); |
| std::shared_ptr<const ParsedCertificate> matching = |
| ReadCertFromFile(test_dir + "int_matching_ski_b.pem"); |
| ASSERT_TRUE(matching); |
| std::shared_ptr<const ParsedCertificate> distrusted_and_matching = |
| ReadCertFromFile(test_dir + "int_matching_ski_c.pem"); |
| ASSERT_TRUE(distrusted_and_matching); |
| std::shared_ptr<const ParsedCertificate> trusted_and_no_match_data = |
| ReadCertFromFile(test_dir + "int_no_ski_a.pem"); |
| ASSERT_TRUE(trusted_and_no_match_data); |
| std::shared_ptr<const ParsedCertificate> no_match_data = |
| ReadCertFromFile(test_dir + "int_no_ski_b.pem"); |
| ASSERT_TRUE(no_match_data); |
| std::shared_ptr<const ParsedCertificate> distrusted_and_no_match_data = |
| ReadCertFromFile(test_dir + "int_no_ski_c.pem"); |
| ASSERT_TRUE(distrusted_and_no_match_data); |
| std::shared_ptr<const ParsedCertificate> trusted_and_mismatch = |
| ReadCertFromFile(test_dir + "int_different_ski_a.pem"); |
| ASSERT_TRUE(trusted_and_mismatch); |
| std::shared_ptr<const ParsedCertificate> mismatch = |
| ReadCertFromFile(test_dir + "int_different_ski_b.pem"); |
| ASSERT_TRUE(mismatch); |
| std::shared_ptr<const ParsedCertificate> distrusted_and_mismatch = |
| ReadCertFromFile(test_dir + "int_different_ski_c.pem"); |
| ASSERT_TRUE(distrusted_and_mismatch); |
| std::shared_ptr<const ParsedCertificate> target = |
| ReadCertFromFile(test_dir + "target.pem"); |
| ASSERT_TRUE(target); |
| |
| SimplePathBuilderDelegate delegate( |
| 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); |
| der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0}; |
| |
| for (bool reverse_input_order : {false, true}) { |
| SCOPED_TRACE(reverse_input_order); |
| |
| TrustStoreInMemory trust_store; |
| // Test with the intermediates supplied in two different orders to ensure |
| // the results don't depend on input ordering. |
| if (reverse_input_order) { |
| trust_store.AddTrustAnchor(trusted_and_matching); |
| trust_store.AddCertificateWithUnspecifiedTrust(matching); |
| trust_store.AddDistrustedCertificateForTest(distrusted_and_matching); |
| trust_store.AddTrustAnchor(trusted_and_no_match_data); |
| trust_store.AddCertificateWithUnspecifiedTrust(no_match_data); |
| trust_store.AddDistrustedCertificateForTest(distrusted_and_no_match_data); |
| trust_store.AddTrustAnchor(trusted_and_mismatch); |
| trust_store.AddCertificateWithUnspecifiedTrust(mismatch); |
| trust_store.AddDistrustedCertificateForTest(distrusted_and_mismatch); |
| } else { |
| trust_store.AddDistrustedCertificateForTest(distrusted_and_matching); |
| trust_store.AddCertificateWithUnspecifiedTrust(no_match_data); |
| trust_store.AddTrustAnchor(trusted_and_no_match_data); |
| trust_store.AddTrustAnchor(trusted_and_matching); |
| trust_store.AddCertificateWithUnspecifiedTrust(matching); |
| trust_store.AddCertificateWithUnspecifiedTrust(mismatch); |
| trust_store.AddDistrustedCertificateForTest(distrusted_and_no_match_data); |
| trust_store.AddTrustAnchor(trusted_and_mismatch); |
| trust_store.AddDistrustedCertificateForTest(distrusted_and_mismatch); |
| } |
| // Also distrust the root certificate. This will force the path builder to |
| // report paths that included an unspecified trust intermediate. |
| trust_store.AddDistrustedCertificateForTest(root); |
| |
| CertPathBuilder path_builder( |
| target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU, |
| InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)}, |
| InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse); |
| path_builder.SetValidPathLimit(0); |
| |
| CertPathBuilder::Result result = path_builder.Run(); |
| EXPECT_TRUE(result.HasValidPath()); |
| ASSERT_EQ(9U, result.paths.size()); |
| |
| // Path builder should have attempted paths using the intermediates in |
| // order: trusted_and_matching, trusted_and_no_match_data, matching, |
| // no_match_data, trusted_and_mismatch, mismatch, distrusted_and_matching, |
| // distrusted_and_no_match_data, distrusted_and_mismatch. |
| |
| EXPECT_TRUE(result.paths[0]->IsValid()); |
| ASSERT_EQ(2U, result.paths[0]->certs.size()); |
| EXPECT_EQ(target, result.paths[0]->certs[0]); |
| EXPECT_EQ(trusted_and_matching, result.paths[0]->certs[1]); |
| |
| EXPECT_TRUE(result.paths[1]->IsValid()); |
| ASSERT_EQ(2U, result.paths[1]->certs.size()); |
| EXPECT_EQ(target, result.paths[1]->certs[0]); |
| EXPECT_EQ(trusted_and_no_match_data, result.paths[1]->certs[1]); |
| |
| EXPECT_FALSE(result.paths[2]->IsValid()); |
| ASSERT_EQ(3U, result.paths[2]->certs.size()); |
| EXPECT_EQ(target, result.paths[2]->certs[0]); |
| EXPECT_EQ(matching, result.paths[2]->certs[1]); |
| EXPECT_EQ(root, result.paths[2]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[3]->IsValid()); |
| ASSERT_EQ(3U, result.paths[3]->certs.size()); |
| EXPECT_EQ(target, result.paths[3]->certs[0]); |
| EXPECT_EQ(no_match_data, result.paths[3]->certs[1]); |
| EXPECT_EQ(root, result.paths[3]->certs[2]); |
| |
| // Although this intermediate is trusted, it has the wrong key, so |
| // the path should not be valid. |
| EXPECT_FALSE(result.paths[4]->IsValid()); |
| ASSERT_EQ(2U, result.paths[4]->certs.size()); |
| EXPECT_EQ(target, result.paths[4]->certs[0]); |
| EXPECT_EQ(trusted_and_mismatch, result.paths[4]->certs[1]); |
| |
| EXPECT_FALSE(result.paths[5]->IsValid()); |
| ASSERT_EQ(3U, result.paths[5]->certs.size()); |
| EXPECT_EQ(target, result.paths[5]->certs[0]); |
| EXPECT_EQ(mismatch, result.paths[5]->certs[1]); |
| EXPECT_EQ(root, result.paths[5]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[6]->IsValid()); |
| ASSERT_EQ(2U, result.paths[6]->certs.size()); |
| EXPECT_EQ(target, result.paths[6]->certs[0]); |
| EXPECT_EQ(distrusted_and_matching, result.paths[6]->certs[1]); |
| |
| EXPECT_FALSE(result.paths[7]->IsValid()); |
| ASSERT_EQ(2U, result.paths[7]->certs.size()); |
| EXPECT_EQ(target, result.paths[7]->certs[0]); |
| EXPECT_EQ(distrusted_and_no_match_data, result.paths[7]->certs[1]); |
| |
| EXPECT_FALSE(result.paths[8]->IsValid()); |
| ASSERT_EQ(2U, result.paths[8]->certs.size()); |
| EXPECT_EQ(target, result.paths[8]->certs[0]); |
| EXPECT_EQ(distrusted_and_mismatch, result.paths[8]->certs[1]); |
| } |
| } |
| |
| // PathBuilder does not support prioritization based on the issuer name & |
| // serial in authorityKeyIdentifier, so this test just ensures that it does not |
| // affect prioritization order and that it is generally just ignored |
| // completely. |
| TEST(PathBuilderPrioritizationTest, KeyIdNameAndSerialPrioritization) { |
| std::string test_dir = |
| "testdata/path_builder_unittest/key_id_name_and_serial_prioritization/"; |
| std::shared_ptr<const ParsedCertificate> root = |
| ReadCertFromFile(test_dir + "root.pem"); |
| ASSERT_TRUE(root); |
| std::shared_ptr<const ParsedCertificate> root2 = |
| ReadCertFromFile(test_dir + "root2.pem"); |
| ASSERT_TRUE(root2); |
| std::shared_ptr<const ParsedCertificate> int_matching = |
| ReadCertFromFile(test_dir + "int_matching.pem"); |
| ASSERT_TRUE(int_matching); |
| std::shared_ptr<const ParsedCertificate> int_match_name_only = |
| ReadCertFromFile(test_dir + "int_match_name_only.pem"); |
| ASSERT_TRUE(int_match_name_only); |
| std::shared_ptr<const ParsedCertificate> int_mismatch = |
| ReadCertFromFile(test_dir + "int_mismatch.pem"); |
| ASSERT_TRUE(int_mismatch); |
| std::shared_ptr<const ParsedCertificate> target = |
| ReadCertFromFile(test_dir + "target.pem"); |
| ASSERT_TRUE(target); |
| |
| SimplePathBuilderDelegate delegate( |
| 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); |
| der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0}; |
| |
| // Distrust the root certificates. This will force the path builder to attempt |
| // all possible paths. |
| TrustStoreInMemory trust_store; |
| trust_store.AddDistrustedCertificateForTest(root); |
| trust_store.AddDistrustedCertificateForTest(root2); |
| |
| for (bool reverse_input_order : {false, true}) { |
| SCOPED_TRACE(reverse_input_order); |
| |
| CertIssuerSourceStatic intermediates; |
| // Test with the intermediates supplied in two different orders to ensure |
| // the results don't depend on input ordering. |
| if (reverse_input_order) { |
| intermediates.AddCert(int_mismatch); |
| intermediates.AddCert(int_match_name_only); |
| intermediates.AddCert(int_matching); |
| } else { |
| intermediates.AddCert(int_matching); |
| intermediates.AddCert(int_match_name_only); |
| intermediates.AddCert(int_mismatch); |
| } |
| |
| CertPathBuilder path_builder( |
| target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU, |
| InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)}, |
| InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse); |
| path_builder.AddCertIssuerSource(&intermediates); |
| |
| CertPathBuilder::Result result = path_builder.Run(); |
| EXPECT_FALSE(result.HasValidPath()); |
| ASSERT_EQ(3U, result.paths.size()); |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) |
| << error.DiagnosticString(); |
| |
| // The serial & issuer method is not used in prioritization, so the certs |
| // should have been prioritized based on dates. The test certs have the |
| // date priority order in the reverse of what authorityKeyIdentifier |
| // prioritization would have done if it were supported. |
| // Path builder should have attempted paths using the intermediates in |
| // order: mismatch, match_name_only, matching |
| |
| EXPECT_FALSE(result.paths[0]->IsValid()); |
| ASSERT_EQ(3U, result.paths[0]->certs.size()); |
| EXPECT_EQ(target, result.paths[0]->certs[0]); |
| EXPECT_EQ(int_mismatch, result.paths[0]->certs[1]); |
| EXPECT_EQ(root2, result.paths[0]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[1]->IsValid()); |
| ASSERT_EQ(3U, result.paths[1]->certs.size()); |
| EXPECT_EQ(target, result.paths[1]->certs[0]); |
| EXPECT_EQ(int_match_name_only, result.paths[1]->certs[1]); |
| EXPECT_EQ(root, result.paths[1]->certs[2]); |
| |
| EXPECT_FALSE(result.paths[2]->IsValid()); |
| ASSERT_EQ(3U, result.paths[2]->certs.size()); |
| EXPECT_EQ(target, result.paths[2]->certs[0]); |
| EXPECT_EQ(int_matching, result.paths[2]->certs[1]); |
| EXPECT_EQ(root, result.paths[2]->certs[2]); |
| } |
| } |
| |
| TEST(PathBuilderPrioritizationTest, SelfIssuedPrioritization) { |
| std::string test_dir = |
| "testdata/path_builder_unittest/self_issued_prioritization/"; |
| std::shared_ptr<const ParsedCertificate> root1 = |
| ReadCertFromFile(test_dir + "root1.pem"); |
| ASSERT_TRUE(root1); |
| std::shared_ptr<const ParsedCertificate> root1_cross = |
| ReadCertFromFile(test_dir + "root1_cross.pem"); |
| ASSERT_TRUE(root1_cross); |
| std::shared_ptr<const ParsedCertificate> target = |
| ReadCertFromFile(test_dir + "target.pem"); |
| ASSERT_TRUE(target); |
| |
| SimplePathBuilderDelegate delegate( |
| 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); |
| der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0}; |
| |
| TrustStoreInMemory trust_store; |
| trust_store.AddTrustAnchor(root1); |
| trust_store.AddTrustAnchor(root1_cross); |
| CertPathBuilder path_builder( |
| target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU, |
| InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)}, |
| InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse); |
| path_builder.SetValidPathLimit(0); |
| |
| CertPathBuilder::Result result = path_builder.Run(); |
| EXPECT_TRUE(result.HasValidPath()); |
| VerifyError error = result.GetBestPathVerifyError(); |
| ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED) |
| << error.DiagnosticString(); |
| |
| // Path builder should have built paths to both trusted roots. |
| ASSERT_EQ(2U, result.paths.size()); |
| |
| // |root1| should have been preferred because it is self-issued, even though |
| // the notBefore date is older than |root1_cross|. |
| EXPECT_TRUE(result.paths[0]->IsValid()); |
| ASSERT_EQ(2U, result.paths[0]->certs.size()); |
| EXPECT_EQ(target, result.paths[0]->certs[0]); |
| EXPECT_EQ(root1, result.paths[0]->certs[1]); |
| |
| EXPECT_TRUE(result.paths[1]->IsValid()); |
| ASSERT_EQ(2U, result.paths[1]->certs.size()); |
| EXPECT_EQ(target, result.paths[1]->certs[0]); |
| EXPECT_EQ(root1_cross, result.paths[1]->certs[1]); |
| } |
| |
| } // namespace |
| |
| } // namespace bssl |