blob: f7787319a1bd1e667547b1cdc41cf5f96e1a44f4 [file] [log] [blame]
/* Copyright 2023 The BoringSSL Authors
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <string.h>
#include <optional>
#include <vector>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <openssl/pki/verify.h>
#include <openssl/pki/verify_error.h>
#include <openssl/sha.h>
#include "test_helpers.h"
BSSL_NAMESPACE_BEGIN
static std::unique_ptr<VerifyTrustStore> MozillaRootStore() {
std::string diagnostic;
return VerifyTrustStore::FromDER(
bssl::ReadTestFileToString(
"testdata/verify_unittest/mozilla_roots.der"),
&diagnostic);
}
using ::testing::UnorderedElementsAre;
static std::string GetTestdata(std::string_view filename) {
return bssl::ReadTestFileToString("testdata/verify_unittest/" +
std::string(filename));
}
TEST(VerifyTest, GoogleChain) {
const std::string leaf = GetTestdata("google-leaf.der");
const std::string intermediate1 = GetTestdata("google-intermediate1.der");
const std::string intermediate2 = GetTestdata("google-intermediate2.der");
CertificateVerifyOptions opts;
opts.leaf_cert = leaf;
opts.intermediates = {intermediate1, intermediate2};
opts.time = 1499727444;
std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore();
opts.trust_store = roots.get();
VerifyError error;
ASSERT_TRUE(CertificateVerify(opts, &error)) << error.DiagnosticString();
opts.intermediates = {};
EXPECT_FALSE(CertificateVerify(opts, &error));
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
TEST(VerifyTest, ExtraIntermediates) {
const std::string leaf = GetTestdata("google-leaf.der");
const std::string intermediate1 = GetTestdata("google-intermediate1.der");
const std::string intermediate2 = GetTestdata("google-intermediate2.der");
CertificateVerifyOptions opts;
opts.leaf_cert = leaf;
std::string diagnostic;
const auto cert_pool_status = CertPool::FromCerts(
{
intermediate1,
intermediate2,
},
&diagnostic);
ASSERT_TRUE(cert_pool_status) << diagnostic;
opts.extra_intermediates = cert_pool_status.get();
opts.time = 1499727444;
std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore();
opts.trust_store = roots.get();
VerifyError error;
ASSERT_TRUE(CertificateVerify(opts, &error)) << error.DiagnosticString();
}
TEST(VerifyTest, AllPaths) {
const std::string leaf = GetTestdata("lencr-leaf.der");
const std::string intermediate1 = GetTestdata("lencr-intermediate-r3.der");
const std::string intermediate2 =
GetTestdata("lencr-root-x1-cross-signed.der");
const std::string root1 = GetTestdata("lencr-root-x1.der");
const std::string root2 = GetTestdata("lencr-root-dst-x3.der");
std::vector<std::string> expected_path1 = {leaf, intermediate1, root1};
std::vector<std::string> expected_path2 = {leaf, intermediate1, intermediate2,
root2};
CertificateVerifyOptions opts;
opts.leaf_cert = leaf;
opts.intermediates = {intermediate1, intermediate2};
opts.time = 1699404611;
std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore();
opts.trust_store = roots.get();
auto paths = CertificateVerifyAllPaths(opts);
ASSERT_TRUE(paths);
EXPECT_EQ(2U, paths.value().size());
EXPECT_THAT(paths.value(),
UnorderedElementsAre(expected_path1, expected_path2));
}
TEST(VerifyTest, DepthLimit) {
const std::string leaf = GetTestdata("google-leaf.der");
const std::string intermediate1 = GetTestdata("google-intermediate1.der");
const std::string intermediate2 = GetTestdata("google-intermediate2.der");
CertificateVerifyOptions opts;
opts.leaf_cert = leaf;
opts.intermediates = {intermediate1, intermediate2};
opts.time = 1499727444;
// Set the |max_path_building_depth| explicitly to test the non-default case.
// Depth of 5 is enough to successfully find a path.
opts.max_path_building_depth = 5;
std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore();
opts.trust_store = roots.get();
VerifyError error;
ASSERT_TRUE(CertificateVerify(opts, &error)) << error.DiagnosticString();
// Depth of 2 is not enough to find a path.
opts.max_path_building_depth = 2;
EXPECT_FALSE(CertificateVerify(opts, &error));
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEPTH_LIMIT_REACHED)
<< error.DiagnosticString();
}
BSSL_NAMESPACE_END