|  | /* Copyright 2023 The BoringSSL Authors | 
|  | * | 
|  | * Permission to use, copy, modify, and/or distribute this software for any | 
|  | * purpose with or without fee is hereby granted, provided that the above | 
|  | * copyright notice and this permission notice appear in all copies. | 
|  | * | 
|  | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | 
|  | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | 
|  | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY | 
|  | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | 
|  | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION | 
|  | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN | 
|  | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ | 
|  |  | 
|  | #include <string.h> | 
|  |  | 
|  | #include <optional> | 
|  | #include <vector> | 
|  |  | 
|  | #include <gmock/gmock.h> | 
|  | #include <gtest/gtest.h> | 
|  | #include <openssl/pki/verify.h> | 
|  | #include <openssl/pki/verify_error.h> | 
|  | #include <openssl/sha.h> | 
|  |  | 
|  | #include "test_helpers.h" | 
|  |  | 
|  | BSSL_NAMESPACE_BEGIN | 
|  |  | 
|  | static std::unique_ptr<VerifyTrustStore> MozillaRootStore() { | 
|  | std::string diagnostic; | 
|  | return VerifyTrustStore::FromDER( | 
|  | bssl::ReadTestFileToString( | 
|  | "testdata/verify_unittest/mozilla_roots.der"), | 
|  | &diagnostic); | 
|  | } | 
|  |  | 
|  | using ::testing::UnorderedElementsAre; | 
|  |  | 
|  | static std::string GetTestdata(std::string_view filename) { | 
|  | return bssl::ReadTestFileToString("testdata/verify_unittest/" + | 
|  | std::string(filename)); | 
|  | } | 
|  |  | 
|  | TEST(VerifyTest, GoogleChain) { | 
|  | const std::string leaf = GetTestdata("google-leaf.der"); | 
|  | const std::string intermediate1 = GetTestdata("google-intermediate1.der"); | 
|  | const std::string intermediate2 = GetTestdata("google-intermediate2.der"); | 
|  | CertificateVerifyOptions opts; | 
|  | opts.leaf_cert = leaf; | 
|  | opts.intermediates = {intermediate1, intermediate2}; | 
|  | opts.time = 1499727444; | 
|  | std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore(); | 
|  | opts.trust_store = roots.get(); | 
|  |  | 
|  | VerifyError error; | 
|  | ASSERT_TRUE(CertificateVerify(opts, &error)) << error.DiagnosticString(); | 
|  |  | 
|  | opts.intermediates = {}; | 
|  | EXPECT_FALSE(CertificateVerify(opts, &error)); | 
|  | ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND) | 
|  | << error.DiagnosticString(); | 
|  | } | 
|  |  | 
|  |  | 
|  | TEST(VerifyTest, ExtraIntermediates) { | 
|  | const std::string leaf = GetTestdata("google-leaf.der"); | 
|  | const std::string intermediate1 = GetTestdata("google-intermediate1.der"); | 
|  | const std::string intermediate2 = GetTestdata("google-intermediate2.der"); | 
|  |  | 
|  | CertificateVerifyOptions opts; | 
|  | opts.leaf_cert = leaf; | 
|  | std::string diagnostic; | 
|  | const auto cert_pool_status = CertPool::FromCerts( | 
|  | { | 
|  | intermediate1, | 
|  | intermediate2, | 
|  | }, | 
|  | &diagnostic); | 
|  | ASSERT_TRUE(cert_pool_status) << diagnostic; | 
|  | opts.extra_intermediates = cert_pool_status.get(); | 
|  | opts.time = 1499727444; | 
|  | std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore(); | 
|  | opts.trust_store = roots.get(); | 
|  |  | 
|  | VerifyError error; | 
|  | ASSERT_TRUE(CertificateVerify(opts, &error)) << error.DiagnosticString(); | 
|  | } | 
|  |  | 
|  | TEST(VerifyTest, AllPaths) { | 
|  | const std::string leaf = GetTestdata("lencr-leaf.der"); | 
|  | const std::string intermediate1 = GetTestdata("lencr-intermediate-r3.der"); | 
|  | const std::string intermediate2 = | 
|  | GetTestdata("lencr-root-x1-cross-signed.der"); | 
|  | const std::string root1 = GetTestdata("lencr-root-x1.der"); | 
|  | const std::string root2 = GetTestdata("lencr-root-dst-x3.der"); | 
|  |  | 
|  | std::vector<std::string> expected_path1 = {leaf, intermediate1, root1}; | 
|  | std::vector<std::string> expected_path2 = {leaf, intermediate1, intermediate2, | 
|  | root2}; | 
|  |  | 
|  | CertificateVerifyOptions opts; | 
|  | opts.leaf_cert = leaf; | 
|  | opts.intermediates = {intermediate1, intermediate2}; | 
|  | opts.time = 1699404611; | 
|  | std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore(); | 
|  | opts.trust_store = roots.get(); | 
|  |  | 
|  | auto paths = CertificateVerifyAllPaths(opts); | 
|  | ASSERT_TRUE(paths); | 
|  | EXPECT_EQ(2U, paths.value().size()); | 
|  | EXPECT_THAT(paths.value(), | 
|  | UnorderedElementsAre(expected_path1, expected_path2)); | 
|  | } | 
|  |  | 
|  | TEST(VerifyTest, DepthLimit) { | 
|  | const std::string leaf = GetTestdata("google-leaf.der"); | 
|  | const std::string intermediate1 = GetTestdata("google-intermediate1.der"); | 
|  | const std::string intermediate2 = GetTestdata("google-intermediate2.der"); | 
|  | CertificateVerifyOptions opts; | 
|  | opts.leaf_cert = leaf; | 
|  | opts.intermediates = {intermediate1, intermediate2}; | 
|  | opts.time = 1499727444; | 
|  | // Set the |max_path_building_depth| explicitly to test the non-default case. | 
|  | // Depth of 5 is enough to successfully find a path. | 
|  | opts.max_path_building_depth = 5; | 
|  | std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore(); | 
|  | opts.trust_store = roots.get(); | 
|  |  | 
|  | VerifyError error; | 
|  | ASSERT_TRUE(CertificateVerify(opts, &error)) << error.DiagnosticString(); | 
|  |  | 
|  | // Depth of 2 is not enough to find a path. | 
|  | opts.max_path_building_depth = 2; | 
|  | EXPECT_FALSE(CertificateVerify(opts, &error)); | 
|  | ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEPTH_LIMIT_REACHED) | 
|  | << error.DiagnosticString(); | 
|  | } | 
|  |  | 
|  | BSSL_NAMESPACE_END |