Google Git
Sign in
boringssl / boringssl.git / 286ea215ec6669152feb71a28075ae69b957f4bf / . / pki / path_builder_pkits_unittest.cc
blob: a6da30f7e87883528d5ee0c5ec9f336d0e5356ba [file] [log] [blame]
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1// Copyright 2016 The Chromium Authors
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "path_builder.h"
6
7#include <cstdint>
8
9#include "fillins/net_errors.h"
10
11#include "cert_issuer_source_static.h"
12#include "common_cert_errors.h"
13#include "crl.h"
14#include "parse_certificate.h"
15#include "parsed_certificate.h"
16#include "simple_path_builder_delegate.h"
17#include "trust_store_in_memory.h"
18#include "verify_certificate_chain.h"
19#include "encode_values.h"
20#include "input.h"
21#include <openssl/pool.h>
22
23#include "nist_pkits_unittest.h"
24
25constexpr int64_t kOneYear = 60 * 60 * 24 * 365;
26
27namespace bssl {
28
29namespace {
30
31class CrlCheckingPathBuilderDelegate : public SimplePathBuilderDelegate {
32 public:
33 CrlCheckingPathBuilderDelegate(const std::vector<std::string>& der_crls,
34 int64_t verify_time,
35 int64_t max_age,
36 size_t min_rsa_modulus_length_bits,
37 DigestPolicy digest_policy)
38 : SimplePathBuilderDelegate(min_rsa_modulus_length_bits, digest_policy),
39 der_crls_(der_crls),
40 verify_time_(verify_time),
41 max_age_(max_age) {}
42
43 void CheckPathAfterVerification(const CertPathBuilder& path_builder,
44 CertPathBuilderResultPath* path) override {
45 SimplePathBuilderDelegate::CheckPathAfterVerification(path_builder, path);
46
47 if (!path->IsValid())
48 return;
49
50 // It would be preferable if this test could use
51 // CheckValidatedChainRevocation somehow, but that only supports getting
52 // CRLs by http distributionPoints. So this just settles for writing a
53 // little bit of wrapper code to test CheckCRL directly.
54 const ParsedCertificateList& certs = path->certs;
55 for (size_t reverse_i = 0; reverse_i < certs.size(); ++reverse_i) {
56 size_t i = certs.size() - reverse_i - 1;
57
58 // Trust anchors bypass OCSP/CRL revocation checks. (The only way to
59 // revoke trust anchors is via CRLSet or the built-in SPKI block list).
60 if (reverse_i == 0 && path->last_cert_trust.IsTrustAnchor())
61 continue;
62
63 // RFC 5280 6.3.3. [If the CRL was not specified in a distribution
64 // point], assume a DP with both the reasons and the
65 // cRLIssuer fields omitted and a distribution point
66 // name of the certificate issuer.
67 // Since this implementation only supports URI names in distribution
68 // points, this means a default-initialized ParsedDistributionPoint is
69 // sufficient.
70 ParsedDistributionPoint fake_cert_dp;
71 const ParsedDistributionPoint* cert_dp = &fake_cert_dp;
72
73 // If the target cert does have a distribution point, use it.
74 std::vector<ParsedDistributionPoint> distribution_points;
75 ParsedExtension crl_dp_extension;
76 if (certs[i]->GetExtension(der::Input(kCrlDistributionPointsOid),
77 &crl_dp_extension)) {
78 ASSERT_TRUE(ParseCrlDistributionPoints(crl_dp_extension.value,
79 &distribution_points));
80 // TODO(mattm): some test cases (some of the 4.14.* onlySomeReasons
81 // tests)) have two CRLs and two distribution points, one point
82 // corresponding to each CRL. Should select the matching point for
83 // each CRL. (Doesn't matter currently since we don't support
84 // reasons.)
85
86 // Look for a DistributionPoint without reasons.
87 for (const auto& dp : distribution_points) {
88 if (!dp.reasons) {
89 cert_dp = &dp;
90 break;
91 }
92 }
93 // If there were only DistributionPoints with reasons, just use the
94 // first one.
95 if (cert_dp == &fake_cert_dp && !distribution_points.empty())
96 cert_dp = &distribution_points[0];
97 }
98
99 bool cert_good = false;
100
101 for (const auto& der_crl : der_crls_) {
102 CRLRevocationStatus crl_status =
103 CheckCRL(der_crl, certs, i, *cert_dp, verify_time_, max_age_);
104 if (crl_status == CRLRevocationStatus::REVOKED) {
105 path->errors.GetErrorsForCert(i)->AddError(
106 cert_errors::kCertificateRevoked);
107 return;
108 }
109 if (crl_status == CRLRevocationStatus::GOOD) {
110 cert_good = true;
111 break;
112 }
113 }
114 if (!cert_good) {
115 // PKITS tests assume hard-fail revocation checking.
116 // From PKITS 4.4: "When running the tests in this section, the
117 // application should be configured in such a way that the
118 // certification path is not accepted unless valid, up-to-date
119 // revocation data is available for every certificate in the path."
120 path->errors.GetErrorsForCert(i)->AddError(
121 cert_errors::kUnableToCheckRevocation);
122 }
123 }
124 }
125
126 private:
127 std::vector<std::string> der_crls_;
128 int64_t verify_time_;
129 int64_t max_age_;
130};
131
132class PathBuilderPkitsTestDelegate {
133 public:
134 static void RunTest(std::vector<std::string> cert_ders,
135 std::vector<std::string> crl_ders,
136 const PkitsTestInfo& orig_info) {
137 PkitsTestInfo info = orig_info;
138
139 ASSERT_FALSE(cert_ders.empty());
140 ParsedCertificateList certs;
141 for (const std::string& der : cert_ders) {
142 CertErrors errors;
143 ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector(
144 bssl::UniquePtr<CRYPTO_BUFFER>(
145 CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(der.data()),
146 der.size(), nullptr)),
147 {}, &certs, &errors))
148 << errors.ToDebugString();
149 }
150 // First entry in the PKITS chain is the trust anchor.
151 // TODO(mattm): test with all possible trust anchors in the trust store?
152 TrustStoreInMemory trust_store;
153
154 trust_store.AddTrustAnchor(certs[0]);
155
156 // TODO(mattm): test with other irrelevant certs in cert_issuer_sources?
157 CertIssuerSourceStatic cert_issuer_source;
158 for (size_t i = 1; i < cert_ders.size() - 1; ++i)
159 cert_issuer_source.AddCert(certs[i]);
160
161 std::shared_ptr<const ParsedCertificate> target_cert(certs.back());
162
163 int64_t verify_time;
164 ASSERT_TRUE(der::GeneralizedTimeToPosixTime(info.time, &verify_time));
165 CrlCheckingPathBuilderDelegate path_builder_delegate(
166 crl_ders, verify_time, /*max_age=*/kOneYear * 2, 1024,
167 SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
168
169 std::string_view test_number = info.test_number;
170 if (test_number == "4.4.19" || test_number == "4.5.3" ||
171 test_number == "4.5.4" || test_number == "4.5.6") {
172 // 4.4.19 - fails since CRL is signed by a certificate that is not part
173 // of the verified chain, which is not supported.
174 // 4.5.3 - fails since non-URI distribution point names are not supported
175 // 4.5.4, 4.5.6 - fails since CRL is signed by a certificate that is not
176 // part of verified chain, and also non-URI distribution
177 // point names not supported
178 info.should_validate = false;
179 } else if (test_number == "4.14.1" || test_number == "4.14.4" ||
180 test_number == "4.14.5" || test_number == "4.14.7" ||
181 test_number == "4.14.18" || test_number == "4.14.19" ||
182 test_number == "4.14.22" || test_number == "4.14.24" ||
183 test_number == "4.14.25" || test_number == "4.14.28" ||
184 test_number == "4.14.29" || test_number == "4.14.30" ||
185 test_number == "4.14.33") {
186 // 4.14 tests:
187 // .1 - fails since non-URI distribution point names not supported
188 // .2, .3 - fails since non-URI distribution point names not supported
189 // (but test is expected to fail for other reason)
190 // .4, .5 - fails since non-URI distribution point names not supported,
191 // also uses nameRelativeToCRLIssuer which is not supported
192 // .6 - fails since non-URI distribution point names not supported, also
193 // uses nameRelativeToCRLIssuer which is not supported (but test is
194 // expected to fail for other reason)
195 // .7 - fails since relative distributionPointName not supported
196 // .8, .9 - fails since relative distributionPointName not supported (but
197 // test is expected to fail for other reason)
198 // .10, .11, .12, .13, .14, .27, .35 - PASS
199 // .15, .16, .17, .20, .21 - fails since onlySomeReasons is not supported
200 // (but test is expected to fail for other
201 // reason)
202 // .18, .19 - fails since onlySomeReasons is not supported
203 // .22, .24, .25, .28, .29, .30, .33 - fails since indirect CRLs are not
204 // supported
205 // .23, .26, .31, .32, .34 - fails since indirect CRLs are not supported
206 // (but test is expected to fail for other
207 // reason)
208 info.should_validate = false;
209 } else if (test_number == "4.15.1" || test_number == "4.15.5") {
210 // 4.15 tests:
211 // .1 - fails due to unhandled critical deltaCRLIndicator extension
212 // .2, .3, .6, .7, .8, .9, .10 - PASS since expected cert status is
213 // reflected in base CRL and delta CRL is
214 // ignored
215 // .5 - fails, cert status is "on hold" in base CRL but the delta CRL
216 // which removes the cert from CRL is ignored
217 info.should_validate = false;
218 } else if (test_number == "4.15.4") {
219 // 4.15.4 - Invalid delta-CRL Test4 has the target cert marked revoked in
220 // a delta-CRL. Since delta-CRLs are not supported, the chain validates
221 // successfully.
222 info.should_validate = true;
223 }
224
225 CertPathBuilder path_builder(
226 std::move(target_cert), &trust_store, &path_builder_delegate, info.time,
227 KeyPurpose::ANY_EKU, info.initial_explicit_policy,
228 info.initial_policy_set, info.initial_policy_mapping_inhibit,
229 info.initial_inhibit_any_policy);
230 path_builder.AddCertIssuerSource(&cert_issuer_source);
231
232 CertPathBuilder::Result result = path_builder.Run();
233
234 if (info.should_validate != result.HasValidPath()) {
235 for (size_t i = 0; i < result.paths.size(); ++i) {
236#if defined(DVLOG)
237 const CertPathBuilderResultPath* result_path =
238 result.paths[i].get();
239 LOG(ERROR) << "path " << i << " errors:\n"
240 << result_path->errors.ToDebugString(result_path->certs);
241#endif
242 }
243 }
244
245 ASSERT_EQ(info.should_validate, result.HasValidPath());
246
247 if (result.HasValidPath()) {
248 EXPECT_EQ(info.user_constrained_policy_set,
249 result.GetBestValidPath()->user_constrained_policy_set);
250 }
251 }
252};
253
254} // namespace
255
256INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
257 PkitsTest01SignatureVerification,
258 PathBuilderPkitsTestDelegate);
259INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
260 PkitsTest02ValidityPeriods,
261 PathBuilderPkitsTestDelegate);
262INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
263 PkitsTest03VerifyingNameChaining,
264 PathBuilderPkitsTestDelegate);
265INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
266 PkitsTest04BasicCertificateRevocationTests,
267 PathBuilderPkitsTestDelegate);
268INSTANTIATE_TYPED_TEST_SUITE_P(
269 PathBuilder,
270 PkitsTest05VerifyingPathswithSelfIssuedCertificates,
271 PathBuilderPkitsTestDelegate);
272INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
273 PkitsTest06VerifyingBasicConstraints,
274 PathBuilderPkitsTestDelegate);
275INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
276 PkitsTest07KeyUsage,
277 PathBuilderPkitsTestDelegate);
278INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
279 PkitsTest08CertificatePolicies,
280 PathBuilderPkitsTestDelegate);
281INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
282 PkitsTest09RequireExplicitPolicy,
283 PathBuilderPkitsTestDelegate);
284INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
285 PkitsTest10PolicyMappings,
286 PathBuilderPkitsTestDelegate);
287INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
288 PkitsTest11InhibitPolicyMapping,
289 PathBuilderPkitsTestDelegate);
290INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
291 PkitsTest12InhibitAnyPolicy,
292 PathBuilderPkitsTestDelegate);
293INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
294 PkitsTest13NameConstraints,
295 PathBuilderPkitsTestDelegate);
296INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
297 PkitsTest14DistributionPoints,
298 PathBuilderPkitsTestDelegate);
299INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
300 PkitsTest15DeltaCRLs,
301 PathBuilderPkitsTestDelegate);
302INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
303 PkitsTest16PrivateCertificateExtensions,
304 PathBuilderPkitsTestDelegate);
305
306} // namespace net