// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4
5#include "trust_store_collection.h"
6
Bob Beck5c7a2a02023-11-20 17:28:21 -07007#include <gtest/gtest.h>
Bob Beckbc97b7a2023-04-18 08:35:15 -06008#include "test_helpers.h"
9#include "trust_store_in_memory.h"
Bob Beckbc97b7a2023-04-18 08:35:15 -060010
11namespace bssl {
12
13namespace {
14
class TrustStoreCollectionTest : public testing::Test {
 public:
  // Reads the two key-rollover chains from testdata and keeps the individual
  // certificates that the tests below place into trust stores. A fixture
  // file that cannot be read, or that has an unexpected number of
  // certificates, aborts the test via ASSERT_*.
  void SetUp() override {
    // oldchain.pem is expected to hold: target, old intermediate, old root.
    ParsedCertificateList old_chain;
    ASSERT_TRUE(ReadCertChainFromFile(
        "testdata/verify_certificate_chain_unittest/key-rollover/oldchain.pem",
        &old_chain));
    ASSERT_EQ(3U, old_chain.size());
    target_ = old_chain[0];
    ASSERT_TRUE(target_);
    oldintermediate_ = old_chain[1];
    ASSERT_TRUE(oldintermediate_);
    oldroot_ = old_chain[2];
    ASSERT_TRUE(oldroot_);

    // longrolloverchain.pem is expected to hold five certificates; only the
    // new intermediate, the new root and the rollover certificate are kept.
    ParsedCertificateList rollover_chain;
    ASSERT_TRUE(
        ReadCertChainFromFile("testdata/verify_certificate_chain_unittest/"
                              "key-rollover/longrolloverchain.pem",
                              &rollover_chain));
    ASSERT_EQ(5U, rollover_chain.size());
    newintermediate_ = rollover_chain[1];
    ASSERT_TRUE(newintermediate_);
    newroot_ = rollover_chain[2];
    ASSERT_TRUE(newroot_);
    newrootrollover_ = rollover_chain[3];
    ASSERT_TRUE(newrootrollover_);
  }

 protected:
  // Root-level certificates from the two fixture chains.
  std::shared_ptr<const ParsedCertificate> oldroot_;
  std::shared_ptr<const ParsedCertificate> newroot_;
  std::shared_ptr<const ParsedCertificate> newrootrollover_;

  // The leaf and the intermediate from each chain.
  std::shared_ptr<const ParsedCertificate> target_;
  std::shared_ptr<const ParsedCertificate> oldintermediate_;
  std::shared_ptr<const ParsedCertificate> newintermediate_;
};
54
// A collection with no member stores has nothing to consult, so it must not
// report any issuers for the target.
TEST_F(TrustStoreCollectionTest, NoStores) {
  TrustStoreCollection collection;

  ParsedCertificateList issuers;
  collection.SyncGetIssuersOf(target_.get(), &issuers);
  EXPECT_EQ(0U, issuers.size());
}
64
// A collection with a single member store: the store's anchor is returned as
// the issuer and reported as trusted, while a certificate the store never saw
// gets no trust decision at all.
TEST_F(TrustStoreCollectionTest, OneStore) {
  TrustStoreCollection collection;
  TrustStoreInMemory in_memory;
  in_memory.AddTrustAnchor(newroot_);
  collection.AddTrustStore(&in_memory);

  ParsedCertificateList issuers;
  collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
  ASSERT_EQ(1U, issuers.size());
  EXPECT_EQ(newroot_.get(), issuers[0].get());

  auto trust_of = [&collection](const ParsedCertificate* cert) {
    return collection.GetTrust(cert).ToDebugString();
  };

  // newroot_ was added as an anchor, so the collection reports it trusted.
  EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
            trust_of(newroot_.get()));

  // oldroot_ is in no member store, so the collection expresses no opinion.
  EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
            trust_of(oldroot_.get()));
}
88
// SyncGetIssuersOf() must append to the caller's output list rather than
// overwrite it: entries already present survive the call and the found
// issuer lands after them.
TEST_F(TrustStoreCollectionTest, OutputVectorsAppendedTo) {
  // Three placeholder (empty) entries that the call must leave in place.
  ParsedCertificateList issuers(3);

  TrustStoreCollection collection;
  TrustStoreInMemory in_memory;
  in_memory.AddTrustAnchor(newroot_);
  collection.AddTrustStore(&in_memory);
  collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);

  // Only one new entry, placed after the three pre-existing ones.
  ASSERT_EQ(4U, issuers.size());
  EXPECT_EQ(newroot_.get(), issuers[3].get());

  auto trust_of = [&collection](const ParsedCertificate* cert) {
    return collection.GetTrust(cert).ToDebugString();
  };

  // newroot_ is the configured anchor.
  EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
            trust_of(newroot_.get()));

  // newrootrollover_ is in no store, so no trust is expressed for it.
  EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
            trust_of(newrootrollover_.get()));
}
116
// A collection with two member stores: issuers from both are returned, in the
// order the stores were added, and each store's anchor is reported as trusted.
TEST_F(TrustStoreCollectionTest, TwoStores) {
  TrustStoreCollection collection;
  TrustStoreInMemory in_memory1;
  TrustStoreInMemory in_memory2;
  in_memory1.AddTrustAnchor(newroot_);
  in_memory2.AddTrustAnchor(oldroot_);
  collection.AddTrustStore(&in_memory1);
  collection.AddTrustStore(&in_memory2);

  ParsedCertificateList issuers;
  collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
  ASSERT_EQ(2U, issuers.size());
  // First store's result first, second store's result second.
  EXPECT_EQ(newroot_.get(), issuers[0].get());
  EXPECT_EQ(oldroot_.get(), issuers[1].get());

  auto trust_of = [&collection](const ParsedCertificate* cert) {
    return collection.GetTrust(cert).ToDebugString();
  };
  const auto anchor = CertificateTrust::ForTrustAnchor().ToDebugString();

  // Both anchors are trusted, whichever store holds them.
  EXPECT_EQ(anchor, trust_of(newroot_.get()));
  EXPECT_EQ(anchor, trust_of(oldroot_.get()));

  // newrootrollover_ is in neither store.
  EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
            trust_of(newrootrollover_.get()));
}
149
// Two member stores that disagree about a certificate: one lists it as a
// trust anchor, the other distrusts it. Distrust must win in both store
// orders, so a distrust entry in any member store cannot be overridden by an
// anchor in another.
TEST_F(TrustStoreCollectionTest, DistrustTakesPriority) {
  TrustStoreCollection collection;
  TrustStoreInMemory in_memory1;
  TrustStoreInMemory in_memory2;

  // newroot_: anchor in the first store, distrusted in the second.
  in_memory1.AddTrustAnchor(newroot_);
  in_memory2.AddDistrustedCertificateForTest(newroot_);

  // oldintermediate_: the mirror image — distrusted first, anchor second.
  in_memory1.AddDistrustedCertificateForTest(oldintermediate_);
  in_memory2.AddTrustAnchor(oldintermediate_);

  collection.AddTrustStore(&in_memory1);
  collection.AddTrustStore(&in_memory2);

  auto trust_of = [&collection](const ParsedCertificate* cert) {
    return collection.GetTrust(cert).ToDebugString();
  };
  const auto distrusted = CertificateTrust::ForDistrusted().ToDebugString();

  // Both conflicting certificates resolve to distrusted, regardless of which
  // store expressed the distrust.
  EXPECT_EQ(distrusted, trust_of(newroot_.get()));
  EXPECT_EQ(distrusted, trust_of(oldintermediate_.get()));

  // A certificate in neither store remains unspecified.
  EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
            trust_of(newrootrollover_.get()));
}
185
186} // namespace
187
Bob Beck5c7a2a02023-11-20 17:28:21 -0700188} // namespace bssl