blob: 05d961965183980cf79968f171d5717127d33e8a [file] [log] [blame]
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "path_builder.h"
#include <algorithm>
#include "cert_error_params.h"
#include "cert_issuer_source_static.h"
#include "common_cert_errors.h"
#include "input.h"
#include "mock_signature_verify_cache.h"
#include "parsed_certificate.h"
#include "simple_path_builder_delegate.h"
#include "test_helpers.h"
#include "trust_store_collection.h"
#include "trust_store_in_memory.h"
#include "verify_certificate_chain.h"
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <openssl/pool.h>
namespace bssl {
// TODO(crbug.com/634443): Assert the errors for each ResultPath.
namespace {
using ::testing::_;
using ::testing::Invoke;
using ::testing::StrictMock;
class TestPathBuilderDelegate : public SimplePathBuilderDelegate {
public:
TestPathBuilderDelegate(size_t min_rsa_modulus_length_bits,
DigestPolicy digest_policy)
: SimplePathBuilderDelegate(min_rsa_modulus_length_bits, digest_policy) {}
bool IsDeadlineExpired() override { return deadline_is_expired_; }
void SetDeadlineExpiredForTesting(bool deadline_is_expired) {
deadline_is_expired_ = deadline_is_expired;
}
SignatureVerifyCache *GetVerifyCache() override {
return use_signature_cache_ ? &cache_ : nullptr;
}
void ActivateCache() { use_signature_cache_ = true; }
void DeActivateCache() { use_signature_cache_ = false; }
MockSignatureVerifyCache *GetMockVerifyCache() { return &cache_; }
void AllowPrecert() { allow_precertificate_ = true; }
void DisallowPrecert() { allow_precertificate_ = false; }
bool AcceptPreCertificates() override {
return allow_precertificate_;
}
private:
bool deadline_is_expired_ = false;
bool use_signature_cache_ = false;
bool allow_precertificate_ = false;
MockSignatureVerifyCache cache_;
};
class CertPathBuilderDelegateBase : public SimplePathBuilderDelegate {
public:
CertPathBuilderDelegateBase()
: SimplePathBuilderDelegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {}
void CheckPathAfterVerification(const CertPathBuilder &path_builder,
CertPathBuilderResultPath *path) override {
ADD_FAILURE() << "Tests must override this";
}
};
class MockPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
MOCK_METHOD2(CheckPathAfterVerification,
void(const CertPathBuilder &path_builder,
CertPathBuilderResultPath *path));
};
// AsyncCertIssuerSourceStatic always returns its certs asynchronously.
class AsyncCertIssuerSourceStatic : public CertIssuerSource {
public:
class StaticAsyncRequest : public Request {
public:
explicit StaticAsyncRequest(ParsedCertificateList &&issuers) {
issuers_.swap(issuers);
issuers_iter_ = issuers_.begin();
}
StaticAsyncRequest(const StaticAsyncRequest &) = delete;
StaticAsyncRequest &operator=(const StaticAsyncRequest &) = delete;
~StaticAsyncRequest() override = default;
void GetNext(ParsedCertificateList *out_certs) override {
if (issuers_iter_ != issuers_.end()) {
out_certs->push_back(std::move(*issuers_iter_++));
}
}
ParsedCertificateList issuers_;
ParsedCertificateList::iterator issuers_iter_;
};
~AsyncCertIssuerSourceStatic() override = default;
void SetAsyncGetCallback(std::function<void()> closure) {
async_get_callback_ = std::move(closure);
}
void AddCert(std::shared_ptr<const ParsedCertificate> cert) {
static_cert_issuer_source_.AddCert(std::move(cert));
}
void SyncGetIssuersOf(const ParsedCertificate *cert,
ParsedCertificateList *issuers) override {}
void AsyncGetIssuersOf(const ParsedCertificate *cert,
std::unique_ptr<Request> *out_req) override {
num_async_gets_++;
ParsedCertificateList issuers;
static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers);
auto req = std::make_unique<StaticAsyncRequest>(std::move(issuers));
*out_req = std::move(req);
if (async_get_callback_) {
async_get_callback_();
}
}
int num_async_gets() const { return num_async_gets_; }
private:
CertIssuerSourceStatic static_cert_issuer_source_;
int num_async_gets_ = 0;
std::function<void()> async_get_callback_ = nullptr;
};
::testing::AssertionResult ReadTestPem(const std::string &file_name,
const std::string &block_name,
std::string *result) {
const PemBlockMapping mappings[] = {
{block_name.c_str(), result},
};
return ReadTestDataFromPemFile(file_name, mappings);
}
::testing::AssertionResult ReadTestCert(
const std::string &file_name,
std::shared_ptr<const ParsedCertificate> *result) {
std::string der;
::testing::AssertionResult r = ReadTestPem(
"testdata/path_builder_unittest/" + file_name, "CERTIFICATE", &der);
if (!r) {
return r;
}
CertErrors errors;
*result = ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
reinterpret_cast<const uint8_t *>(der.data()), der.size(), nullptr)),
{}, &errors);
if (!*result) {
return ::testing::AssertionFailure()
<< "ParseCertificate::Create() failed:\n"
<< errors.ToDebugString();
}
return ::testing::AssertionSuccess();
}
class PathBuilderMultiRootTest : public ::testing::Test {
public:
PathBuilderMultiRootTest()
: delegate_(1024, TestPathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {
}
void SetUp() override {
ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b_));
ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c_));
ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f_));
ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d_));
ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e_));
ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d_));
ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e_));
ASSERT_TRUE(ReadTestCert("multi-root-F-by-E.pem", &f_by_e_));
}
protected:
std::shared_ptr<const ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_,
c_by_e_, d_by_d_, e_by_e_, f_by_e_;
TestPathBuilderDelegate delegate_;
der::GeneralizedTime time_ = {2017, 3, 1, 0, 0, 0};
const InitialExplicitPolicy initial_explicit_policy_ =
InitialExplicitPolicy::kFalse;
const std::set<der::Input> user_initial_policy_set_ = {
der::Input(kAnyPolicyOid)};
const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_ =
InitialPolicyMappingInhibit::kFalse;
const InitialAnyPolicyInhibit initial_any_policy_inhibit_ =
InitialAnyPolicyInhibit::kFalse;
};
// Tests when the target cert has the same name and key as a trust anchor,
// however is signed by a different trust anchor. This should successfully build
// a path, however the trust anchor will be the signer of this cert.
//
// (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor
// but with different data; also in this test the target cert itself is in the
// trust store).
TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(a_by_b_);
trust_store.AddTrustAnchor(b_by_f_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
const auto &path = *result.GetBestValidPath();
ASSERT_EQ(2U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_f_, path.certs[1]);
}
// If the target cert is has the same name and key as a trust anchor, however
// is NOT itself signed by a trust anchor, it fails. Although the provided SPKI
// is trusted, the certificate contents cannot be verified.
TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(a_by_b_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
EXPECT_EQ(1U, result.max_depth_seen);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
// Test a failed path building when the trust anchor is provided as a
// supplemental certificate. Conceptually the following paths could be built:
//
// B(C) <- C(D) <- [Trust anchor D]
// B(C) <- C(D) <- D(D) <- [Trust anchor D]
//
// However the second one is extraneous given the shorter path.
TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(d_by_d_);
// The (extraneous) trust anchor D(D) is supplied as a certificate, as is the
// intermediate needed for path building C(D).
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(d_by_d_);
sync_certs.AddCert(c_by_d_);
// C(D) is not valid at this time, so path building will fail.
der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0};
CertPathBuilder path_builder(
b_by_c_, &trust_store, &delegate_, expired_time, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
ASSERT_EQ(1U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(b_by_c_, path0.certs[0]);
EXPECT_EQ(c_by_d_, path0.certs[1]);
EXPECT_EQ(d_by_d_, path0.certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::CERTIFICATE_NOT_YET_VALID)
<< error.DiagnosticString();
}
// Test verifying a certificate that is a trust anchor.
TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(e_by_e_);
// This is not necessary for the test, just an extra...
trust_store.AddTrustAnchor(f_by_e_);
CertPathBuilder path_builder(
e_by_e_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
// Verifying a trusted leaf certificate is not permitted, however this
// certificate is self-signed, and can chain to itself.
const auto &path = *result.GetBestValidPath();
ASSERT_EQ(2U, path.certs.size());
EXPECT_EQ(e_by_e_, path.certs[0]);
EXPECT_EQ(e_by_e_, path.certs[1]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// If the target cert is directly issued by a trust anchor, it should verify
// without any intermediate certs being provided.
TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(b_by_f_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
const auto &path = *result.GetBestValidPath();
ASSERT_EQ(2U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_f_, path.certs[1]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Test that async cert queries are not made if the path can be successfully
// built with synchronously available certs.
TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(e_by_e_);
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_f_);
sync_certs.AddCert(f_by_e_);
AsyncCertIssuerSourceStatic async_certs;
async_certs.AddCert(b_by_c_);
async_certs.AddCert(c_by_e_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&async_certs);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
EXPECT_EQ(0, async_certs.num_async_gets());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// If async queries are needed, all async sources will be queried
// simultaneously.
TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(e_by_e_);
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
sync_certs.AddCert(b_by_f_);
AsyncCertIssuerSourceStatic async_certs1;
async_certs1.AddCert(c_by_e_);
AsyncCertIssuerSourceStatic async_certs2;
async_certs2.AddCert(f_by_e_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&async_certs1);
path_builder.AddCertIssuerSource(&async_certs2);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
EXPECT_EQ(1, async_certs1.num_async_gets());
EXPECT_EQ(1, async_certs2.num_async_gets());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Test that PathBuilder does not generate longer paths than necessary if one of
// the supplied certs is itself a trust anchor.
TEST_F(PathBuilderMultiRootTest, TestLongChain) {
// Both D(D) and C(D) are trusted roots.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(d_by_d_);
trust_store.AddTrustAnchor(c_by_d_);
// Certs B(C), and C(D) are all supplied.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
sync_certs.AddCert(c_by_d_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
// The result path should be A(B) <- B(C) <- C(D)
// not the longer but also valid A(B) <- B(C) <- C(D) <- D(D)
EXPECT_EQ(3U, result.GetBestValidPath()->certs.size());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Test that PathBuilder will backtrack and try a different path if the first
// one doesn't work out.
TEST_F(PathBuilderMultiRootTest, TestBacktracking) {
// Only D(D) is a trusted root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(d_by_d_);
// Certs B(F) and F(E) are supplied synchronously, thus the path
// A(B) <- B(F) <- F(E) should be built first, though it won't verify.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_f_);
sync_certs.AddCert(f_by_e_);
// Certs B(C), and C(D) are supplied asynchronously, so the path
// A(B) <- B(C) <- C(D) <- D(D) should be tried second.
AsyncCertIssuerSourceStatic async_certs;
async_certs.AddCert(b_by_c_);
async_certs.AddCert(c_by_d_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
path_builder.AddCertIssuerSource(&async_certs);
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
// The partial path should be returned even though it didn't reach a trust
// anchor.
ASSERT_EQ(2U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);
EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);
// The result path should be A(B) <- B(C) <- C(D) <- D(D)
EXPECT_EQ(1U, result.best_result_index);
EXPECT_TRUE(result.paths[1]->IsValid());
const auto &path = *result.GetBestValidPath();
ASSERT_EQ(4U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_c_, path.certs[1]);
EXPECT_EQ(c_by_d_, path.certs[2]);
EXPECT_EQ(d_by_d_, path.certs[3]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Test that if no path to a trust anchor was found, the partial path is
// returned.
TEST_F(PathBuilderMultiRootTest, TestOnlyPartialPathResult) {
TrustStoreInMemory trust_store;
// Certs B(F) and F(E) are supplied synchronously, thus the path
// A(B) <- B(F) <- F(E) should be built first, though it won't verify.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_f_);
sync_certs.AddCert(f_by_e_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
// The partial path should be returned even though it didn't reach a trust
// anchor.
ASSERT_EQ(1U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);
EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
// Test that if two partial paths are returned, the first is marked as the best
// path.
TEST_F(PathBuilderMultiRootTest, TestTwoPartialPathResults) {
TrustStoreInMemory trust_store;
// Certs B(F) and F(E) are supplied synchronously, thus the path
// A(B) <- B(F) <- F(E) should be built first, though it won't verify.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_f_);
sync_certs.AddCert(f_by_e_);
// Certs B(C), and C(D) are supplied asynchronously, so the path
// A(B) <- B(C) <- C(D) <- D(D) should be tried second.
AsyncCertIssuerSourceStatic async_certs;
async_certs.AddCert(b_by_c_);
async_certs.AddCert(c_by_d_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
path_builder.AddCertIssuerSource(&async_certs);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
// First partial path found should be marked as the best one.
EXPECT_EQ(0U, result.best_result_index);
ASSERT_EQ(2U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);
EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);
EXPECT_FALSE(result.paths[1]->IsValid());
ASSERT_EQ(3U, result.paths[1]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[1]->certs[0]);
EXPECT_EQ(b_by_c_, result.paths[1]->certs[1]);
EXPECT_EQ(c_by_d_, result.paths[1]->certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
// Test that if no valid path is found, and the first invalid path is a partial
// path, but the 2nd invalid path ends with a cert with a trust record, the 2nd
// path should be preferred.
TEST_F(PathBuilderMultiRootTest, TestDistrustedPathPreferredOverPartialPath) {
// Only D(D) has a trust record, but it is distrusted.
TrustStoreInMemory trust_store;
trust_store.AddDistrustedCertificateForTest(d_by_d_);
// Certs B(F) and F(E) are supplied synchronously, thus the path
// A(B) <- B(F) <- F(E) should be built first, though it won't verify.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_f_);
sync_certs.AddCert(f_by_e_);
// Certs B(C), and C(D) are supplied asynchronously, so the path
// A(B) <- B(C) <- C(D) <- D(D) should be tried second.
AsyncCertIssuerSourceStatic async_certs;
async_certs.AddCert(b_by_c_);
async_certs.AddCert(c_by_d_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
path_builder.AddCertIssuerSource(&async_certs);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
// The partial path should be returned even though it didn't reach a trust
// anchor.
ASSERT_EQ(2U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);
EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);
// The result path should be A(B) <- B(C) <- C(D) <- D(D)
EXPECT_EQ(1U, result.best_result_index);
EXPECT_FALSE(result.paths[1]->IsValid());
const auto &path = *result.GetBestPathPossiblyInvalid();
ASSERT_EQ(4U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_c_, path.certs[1]);
EXPECT_EQ(c_by_d_, path.certs[2]);
EXPECT_EQ(d_by_d_, path.certs[3]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
// Test that whichever order CertIssuerSource returns the issuers, the path
// building still succeeds.
TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) {
// Only D(D) is a trusted root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(d_by_d_);
for (bool reverse_order : {false, true}) {
SCOPED_TRACE(reverse_order);
std::vector<std::shared_ptr<const ParsedCertificate>> certs = {
b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_};
CertIssuerSourceStatic sync_certs;
if (reverse_order) {
for (auto it = certs.rbegin(); it != certs.rend(); ++it) {
sync_certs.AddCert(*it);
}
} else {
for (const auto &cert : certs) {
sync_certs.AddCert(cert);
}
}
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
// The result path should be A(B) <- B(C) <- C(D) <- D(D)
const auto &path = *result.GetBestValidPath();
ASSERT_EQ(4U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_c_, path.certs[1]);
EXPECT_EQ(c_by_d_, path.certs[2]);
EXPECT_EQ(d_by_d_, path.certs[3]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
}
TEST_F(PathBuilderMultiRootTest, TestIterationLimit) {
// D(D) is the trust root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(d_by_d_);
// Certs B(C) and C(D) are supplied.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
sync_certs.AddCert(c_by_d_);
for (const bool insufficient_limit : {true, false}) {
SCOPED_TRACE(insufficient_limit);
StrictMock<MockPathBuilderDelegate> mock_delegate;
// The CheckPathAfterVerification delegate should be called regardless if
// the iteration limit is reached.
EXPECT_CALL(mock_delegate, CheckPathAfterVerification(_, _));
CertPathBuilder path_builder(
a_by_b_, &trust_store, &mock_delegate, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
if (insufficient_limit) {
// A limit of one is insufficient to build a path in this case. Therefore
// building is expected to fail in this case.
path_builder.SetIterationLimit(1);
} else {
// The other tests in this file exercise the case that |SetIterationLimit|
// isn't called. Therefore set a sufficient limit for the path to be
// found.
path_builder.SetIterationLimit(5);
}
auto result = path_builder.Run();
EXPECT_EQ(!insufficient_limit, result.HasValidPath());
EXPECT_EQ(insufficient_limit, result.exceeded_iteration_limit);
VerifyError error = result.GetBestPathVerifyError();
if (insufficient_limit) {
EXPECT_EQ(2U, result.iteration_count);
ASSERT_EQ(error.Code(),
VerifyError::StatusCode::PATH_ITERATION_COUNT_EXCEEDED)
<< error.DiagnosticString();
} else {
EXPECT_EQ(3U, result.iteration_count);
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
}
}
TEST_F(PathBuilderMultiRootTest, TestTrivialDeadline) {
// C(D) is the trust root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(c_by_d_);
// Cert B(C) is supplied.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
for (const bool insufficient_limit : {true, false}) {
SCOPED_TRACE(insufficient_limit);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
// Make the deadline either expired or not.
delegate_.SetDeadlineExpiredForTesting(insufficient_limit);
auto result = path_builder.Run();
EXPECT_EQ(!insufficient_limit, result.HasValidPath());
EXPECT_EQ(insufficient_limit, result.exceeded_deadline);
EXPECT_EQ(delegate_.IsDeadlineExpired(), insufficient_limit);
if (insufficient_limit) {
ASSERT_EQ(1U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(1U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_TRUE(result.paths[0]->errors.ContainsError(
cert_errors::kDeadlineExceeded));
} else {
ASSERT_EQ(1U, result.paths.size());
EXPECT_TRUE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]);
EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]);
}
}
}
TEST_F(PathBuilderMultiRootTest, TestVerifyCache) {
// C(D) is the trust root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(c_by_d_);
// Cert B(C) is supplied.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
// Test Activation / DeActivation of the cache.
EXPECT_FALSE(delegate_.GetVerifyCache());
delegate_.ActivateCache();
EXPECT_TRUE(delegate_.GetVerifyCache());
delegate_.DeActivateCache();
EXPECT_FALSE(delegate_.GetVerifyCache());
delegate_.ActivateCache();
EXPECT_TRUE(delegate_.GetVerifyCache());
for (size_t i = 0; i < 3; i++) {
SCOPED_TRACE(i);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
ASSERT_EQ(1U, result.paths.size());
EXPECT_TRUE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]);
EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]);
// The path is 3 certificates long, so requires 2 distinct signature
// verifications. The first time through the loop will cause 2 cache misses
// and stores, subsequent iterations will repeat the same verifications,
// causing 2 cache hits.
EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheHits(), i * 2);
EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheMisses(), 2U);
EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheStores(), 2U);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
}
TEST_F(PathBuilderMultiRootTest, TestDeadline) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(d_by_d_);
// Cert B(C) is supplied statically.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
// Cert C(D) is supplied asynchronously and will expire the deadline before
// returning the async result.
AsyncCertIssuerSourceStatic async_certs;
async_certs.AddCert(c_by_d_);
async_certs.SetAsyncGetCallback(
[&] { delegate_.SetDeadlineExpiredForTesting(true); });
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
path_builder.AddCertIssuerSource(&async_certs);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
EXPECT_TRUE(result.exceeded_deadline);
EXPECT_TRUE(delegate_.IsDeadlineExpired());
// The chain returned should end in c_by_d_, since the deadline would only be
// checked again after the async results had been checked (since
// AsyncCertIssuerSourceStatic makes the async results available immediately.)
ASSERT_EQ(1U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);
EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]);
EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]);
EXPECT_TRUE(
result.paths[0]->errors.ContainsError(cert_errors::kDeadlineExceeded));
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEADLINE_EXCEEDED)
<< error.DiagnosticString();
}
TEST_F(PathBuilderMultiRootTest, TestDepthLimit) {
// D(D) is the trust root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(d_by_d_);
// Certs B(C) and C(D) are supplied.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
sync_certs.AddCert(c_by_d_);
for (const bool insufficient_limit : {true, false}) {
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
if (insufficient_limit) {
// A limit of depth equal to 2 is insufficient to build the path.
// Therefore, building is expected to fail.
path_builder.SetDepthLimit(2);
} else {
// The other tests in this file exercise the case that |SetDepthLimit|
// isn't called. Therefore, set a sufficient limit for the path to be
// found.
path_builder.SetDepthLimit(5);
}
auto result = path_builder.Run();
EXPECT_EQ(!insufficient_limit, result.HasValidPath());
EXPECT_EQ(insufficient_limit,
result.AnyPathContainsError(cert_errors::kDepthLimitExceeded));
VerifyError error = result.GetBestPathVerifyError();
if (insufficient_limit) {
EXPECT_EQ(2U, result.max_depth_seen);
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEPTH_LIMIT_REACHED)
<< error.DiagnosticString();
} else {
EXPECT_EQ(4U, result.max_depth_seen);
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
}
}
TEST_F(PathBuilderMultiRootTest, TestDepthLimitMultiplePaths) {
// This case tests path building backtracking due to reaching the path depth
// limit. Given the root and issuer certificates below, there can be two paths
// from between the leaf to a trusted root, one has length of 3 and the other
// has length of 4. These certificates are specifically chosen because path
// building will first explore the 4-certificate long path then the
// 3-certificate long path. So with a depth limit of 3, we can test the
// backtracking code path.
// E(E) and C(D) are the trust roots.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(e_by_e_);
trust_store.AddTrustAnchor(c_by_d_);
// Certs B(C). B(F) and F(E) are supplied.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(b_by_c_);
sync_certs.AddCert(b_by_f_);
sync_certs.AddCert(f_by_e_);
CertPathBuilder path_builder(
a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
path_builder.SetDepthLimit(3);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
EXPECT_TRUE(result.AnyPathContainsError(cert_errors::kDepthLimitExceeded));
ASSERT_EQ(result.paths.size(), 2u);
const CertPathBuilderResultPath *truncated_path = result.paths[0].get();
EXPECT_FALSE(truncated_path->IsValid());
EXPECT_TRUE(
truncated_path->errors.ContainsError(cert_errors::kDepthLimitExceeded));
ASSERT_EQ(truncated_path->certs.size(), 3u);
EXPECT_EQ(a_by_b_, truncated_path->certs[0]);
EXPECT_EQ(b_by_f_, truncated_path->certs[1]);
EXPECT_EQ(f_by_e_, truncated_path->certs[2]);
const CertPathBuilderResultPath *valid_path = result.paths[1].get();
EXPECT_TRUE(valid_path->IsValid());
EXPECT_FALSE(
valid_path->errors.ContainsError(cert_errors::kDepthLimitExceeded));
ASSERT_EQ(valid_path->certs.size(), 3u);
EXPECT_EQ(a_by_b_, valid_path->certs[0]);
EXPECT_EQ(b_by_c_, valid_path->certs[1]);
EXPECT_EQ(c_by_d_, valid_path->certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
TEST_F(PathBuilderMultiRootTest, TestPreCertificate) {
std::string test_dir =
"testdata/path_builder_unittest/precertificate/";
std::shared_ptr<const ParsedCertificate> root1 =
ReadCertFromFile(test_dir + "root.pem");
ASSERT_TRUE(root1);
std::shared_ptr<const ParsedCertificate> target =
ReadCertFromFile(test_dir + "precertificate.pem");
ASSERT_TRUE(target);
der::GeneralizedTime precert_time = {2023, 10, 1, 0, 0, 0};
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(root1);
// PreCertificate should be rejected by default.
EXPECT_FALSE(delegate_.AcceptPreCertificates());
CertPathBuilder path_builder(
target, &trust_store, &delegate_, precert_time, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
ASSERT_EQ(1U, result.paths.size());
ASSERT_FALSE(result.paths[0]->IsValid())
<< result.paths[0]->errors.ToDebugString(result.paths[0]->certs);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::CERTIFICATE_INVALID)
<< error.DiagnosticString();
// PreCertificate should be accepted if configured.
delegate_.AllowPrecert();
EXPECT_TRUE(delegate_.AcceptPreCertificates());
CertPathBuilder path_builder2(
target, &trust_store, &delegate_, precert_time, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result2 = path_builder2.Run();
ASSERT_EQ(1U, result2.paths.size());
ASSERT_TRUE(result2.paths[0]->IsValid())
<< result2.paths[0]->errors.ToDebugString(result.paths[0]->certs);
VerifyError error2 = result2.GetBestPathVerifyError();
ASSERT_EQ(error2.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error2.DiagnosticString();
}
class PathBuilderKeyRolloverTest : public ::testing::Test {
public:
PathBuilderKeyRolloverTest()
: delegate_(1024,
SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {}
void SetUp() override {
ParsedCertificateList path;
VerifyCertChainTest test;
ASSERT_TRUE(ReadVerifyCertChainTestFromFile(
"testdata/verify_certificate_chain_unittest/key-rollover/oldchain.test",
&test));
path = test.chain;
ASSERT_EQ(3U, path.size());
target_ = path[0];
oldintermediate_ = path[1];
oldroot_ = path[2];
time_ = test.time;
ASSERT_TRUE(target_);
ASSERT_TRUE(oldintermediate_);
ASSERT_TRUE(ReadVerifyCertChainTestFromFile(
"testdata/verify_certificate_chain_unittest/"
"key-rollover/longrolloverchain.test",
&test));
path = test.chain;
ASSERT_EQ(5U, path.size());
newintermediate_ = path[1];
newroot_ = path[2];
newrootrollover_ = path[3];
ASSERT_TRUE(newintermediate_);
ASSERT_TRUE(newroot_);
ASSERT_TRUE(newrootrollover_);
}
protected:
// oldroot-------->newrootrollover newroot
// | | |
// v v v
// oldintermediate newintermediate
// | |
// +------------+-------------+
// |
// v
// target
std::shared_ptr<const ParsedCertificate> target_;
std::shared_ptr<const ParsedCertificate> oldintermediate_;
std::shared_ptr<const ParsedCertificate> newintermediate_;
std::shared_ptr<const ParsedCertificate> oldroot_;
std::shared_ptr<const ParsedCertificate> newroot_;
std::shared_ptr<const ParsedCertificate> newrootrollover_;
SimplePathBuilderDelegate delegate_;
der::GeneralizedTime time_;
const InitialExplicitPolicy initial_explicit_policy_ =
InitialExplicitPolicy::kFalse;
const std::set<der::Input> user_initial_policy_set_ = {
der::Input(kAnyPolicyOid)};
const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_ =
InitialPolicyMappingInhibit::kFalse;
const InitialAnyPolicyInhibit initial_any_policy_inhibit_ =
InitialAnyPolicyInhibit::kFalse;
};
// Tests that if only the old root cert is trusted, the path builder can build a
// path through the new intermediate and rollover cert to the old root.
TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) {
// Only oldroot is trusted.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(oldroot_);
// Old intermediate cert is not provided, so the pathbuilder will need to go
// through the rollover cert.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(newintermediate_);
sync_certs.AddCert(newrootrollover_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
// Due to authorityKeyIdentifier prioritization, path builder will first
// attempt: target <- newintermediate <- newrootrollover <- oldroot
// which will succeed.
ASSERT_EQ(1U, result.paths.size());
const auto &path0 = *result.paths[0];
EXPECT_EQ(0U, result.best_result_index);
EXPECT_TRUE(path0.IsValid());
ASSERT_EQ(4U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(newintermediate_, path0.certs[1]);
EXPECT_EQ(newrootrollover_, path0.certs[2]);
EXPECT_EQ(oldroot_, path0.certs[3]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Tests that if both old and new roots are trusted it builds a path through
// the new intermediate.
TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) {
// Both oldroot and newroot are trusted.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(oldroot_);
trust_store.AddTrustAnchor(newroot_);
// Both old and new intermediates + rollover cert are provided.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(oldintermediate_);
sync_certs.AddCert(newintermediate_);
sync_certs.AddCert(newrootrollover_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(1U, result.paths.size());
const auto &path = *result.paths[0];
EXPECT_TRUE(result.paths[0]->IsValid());
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
// The newer intermediate should be used as newer certs are prioritized in
// path building.
EXPECT_EQ(newintermediate_, path.certs[1]);
EXPECT_EQ(newroot_, path.certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// If trust anchor query returned no results, and there are no issuer
// sources, path building should fail at that point.
TEST_F(PathBuilderKeyRolloverTest, TestAnchorsNoMatchAndNoIssuerSources) {
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(newroot_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
ASSERT_EQ(1U, result.paths.size());
const auto &path = *result.paths[0];
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(1U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
// If a path to a trust anchor could not be found, and the last issuer(s) in
// the chain were culled by the loop checker, the partial path up to that point
// should be returned.
TEST_F(PathBuilderKeyRolloverTest, TestReturnsPartialPathEndedByLoopChecker) {
TrustStoreInMemory trust_store;
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(newintermediate_);
sync_certs.AddCert(newroot_);
CertIssuerSourceStatic rollover_certs;
rollover_certs.AddCert(newrootrollover_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
// The rollover root is added as a second issuer source to ensure we get paths
// back in a deterministic order, otherwise newroot and newrootrollover do not
// differ in any way that the path builder would use for prioritizing which
// path comes back first.
path_builder.AddCertIssuerSource(&rollover_certs);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
ASSERT_EQ(2U, result.paths.size());
// Since none of the certs are trusted, the path builder should build 4
// candidate paths, all of which are disallowed due to the loop checker:
// target->newintermediate->newroot->newroot
// target->newintermediate->newroot->newrootrollover
// target->newintermediate->newrootrollover->newroot
// target->newintermediate->newrootrollover->newrootrollover
// This should end up returning the 2 partial paths which are the longest
// paths for which no acceptable issuers could be found:
// target->newintermediate->newroot
// target->newintermediate->newrootrollover
{
const auto &path = *result.paths[0];
EXPECT_FALSE(path.IsValid());
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
EXPECT_EQ(newintermediate_, path.certs[1]);
EXPECT_EQ(newroot_, path.certs[2]);
EXPECT_TRUE(path.errors.ContainsError(cert_errors::kNoIssuersFound));
}
{
const auto &path = *result.paths[1];
EXPECT_FALSE(path.IsValid());
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
EXPECT_EQ(newintermediate_, path.certs[1]);
EXPECT_EQ(newrootrollover_, path.certs[2]);
EXPECT_TRUE(path.errors.ContainsError(cert_errors::kNoIssuersFound));
}
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
// Tests that multiple trust root matches on a single path will be considered.
// Both roots have the same subject but different keys. Only one of them will
// verify.
TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) {
TrustStoreCollection trust_store_collection;
TrustStoreInMemory trust_store1;
TrustStoreInMemory trust_store2;
trust_store_collection.AddTrustStore(&trust_store1);
trust_store_collection.AddTrustStore(&trust_store2);
// Add two trust anchors (newroot_ and oldroot_). Path building will attempt
// them in this same order, as trust_store1 was added to
// trust_store_collection first.
trust_store1.AddTrustAnchor(newroot_);
trust_store2.AddTrustAnchor(oldroot_);
// Only oldintermediate is supplied, so the path with newroot should fail,
// oldroot should succeed.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(oldintermediate_);
CertPathBuilder path_builder(
target_, &trust_store_collection, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(1U, result.paths.size());
// Due to authorityKeyIdentifier prioritization, path builder will first
// attempt: target <- old intermediate <- oldroot
// which should succeed.
EXPECT_TRUE(result.paths[result.best_result_index]->IsValid());
const auto &path = *result.paths[result.best_result_index];
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
EXPECT_EQ(oldintermediate_, path.certs[1]);
EXPECT_EQ(oldroot_, path.certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Tests that the path builder doesn't build longer than necessary paths,
// by skipping certs where the same Name+SAN+SPKI is already in the current
// path.
TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) {
// Only oldroot is trusted.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(oldroot_);
// New intermediate and new root are provided synchronously.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(newintermediate_);
sync_certs.AddCert(newroot_);
// Rollover cert is only provided asynchronously. This will force the
// pathbuilder to first try building a longer than necessary path.
AsyncCertIssuerSourceStatic async_certs;
async_certs.AddCert(newrootrollover_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
path_builder.AddCertIssuerSource(&async_certs);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(3U, result.paths.size());
// Path builder will first attempt:
// target <- newintermediate <- newroot <- oldroot
// but it will fail since newroot is self-signed.
EXPECT_FALSE(result.paths[0]->IsValid());
const auto &path0 = *result.paths[0];
ASSERT_EQ(4U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(newintermediate_, path0.certs[1]);
EXPECT_EQ(newroot_, path0.certs[2]);
EXPECT_EQ(oldroot_, path0.certs[3]);
// Path builder will next attempt: target <- newintermediate <- oldroot
// but it will fail since newintermediate is signed by newroot.
EXPECT_FALSE(result.paths[1]->IsValid());
const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
EXPECT_EQ(oldroot_, path1.certs[2]);
// Path builder will skip:
// target <- newintermediate <- newroot <- newrootrollover <- ...
// Since newroot and newrootrollover have the same Name+SAN+SPKI.
// Finally path builder will use:
// target <- newintermediate <- newrootrollover <- oldroot
EXPECT_EQ(2U, result.best_result_index);
EXPECT_TRUE(result.paths[2]->IsValid());
const auto &path2 = *result.paths[2];
ASSERT_EQ(4U, path2.certs.size());
EXPECT_EQ(target_, path2.certs[0]);
EXPECT_EQ(newintermediate_, path2.certs[1]);
EXPECT_EQ(newrootrollover_, path2.certs[2]);
EXPECT_EQ(oldroot_, path2.certs[3]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Tests that when SetExploreAllPaths is combined with SetIterationLimit the
// path builder will return all the paths that were able to be built before the
// iteration limit was reached.
TEST_F(PathBuilderKeyRolloverTest, ExploreAllPathsWithIterationLimit) {
struct Expectation {
int iteration_limit;
size_t expected_num_paths;
std::vector<std::shared_ptr<const ParsedCertificate>> partial_path;
} kExpectations[] = {
// No iteration limit. All possible paths should be built.
{0, 4, {}},
// Limit 1 is only enough to reach the intermediate, no complete path
// should be built.
{1, 0, {target_, newintermediate_}},
// Limit 2 allows reaching the root on the first path.
{2, 1, {target_, newintermediate_}},
// Next iteration uses oldroot instead of newroot.
{3, 2, {target_, newintermediate_}},
// Backtracking to the target cert.
{4, 2, {target_}},
// Adding oldintermediate.
{5, 2, {target_, oldintermediate_}},
// Trying oldroot.
{6, 3, {target_, oldintermediate_}},
// Trying newroot.
{7, 4, {target_, oldintermediate_}},
};
// Trust both old and new roots.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(oldroot_);
trust_store.AddTrustAnchor(newroot_);
// Intermediates and root rollover are all provided synchronously.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(oldintermediate_);
sync_certs.AddCert(newintermediate_);
for (const auto &expectation : kExpectations) {
SCOPED_TRACE(expectation.iteration_limit);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
// Explore all paths, rather than stopping at the first valid path.
path_builder.SetExploreAllPaths(true);
// Limit the number of iterations.
path_builder.SetIterationLimit(expectation.iteration_limit);
auto result = path_builder.Run();
EXPECT_EQ(expectation.expected_num_paths > 0, result.HasValidPath());
VerifyError error = result.GetBestPathVerifyError();
if (expectation.expected_num_paths > 0) {
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
} else {
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_ITERATION_COUNT_EXCEEDED)
<< error.DiagnosticString();
}
if (expectation.partial_path.empty()) {
ASSERT_EQ(expectation.expected_num_paths, result.paths.size());
} else {
ASSERT_EQ(1 + expectation.expected_num_paths, result.paths.size());
const auto &path = *result.paths[result.paths.size() - 1];
EXPECT_FALSE(path.IsValid());
EXPECT_EQ(expectation.partial_path, path.certs);
EXPECT_TRUE(
path.errors.ContainsError(cert_errors::kIterationLimitExceeded));
}
if (expectation.expected_num_paths > 0) {
// Path builder will first build path: target <- newintermediate <-
// newroot
const auto &path0 = *result.paths[0];
EXPECT_TRUE(path0.IsValid());
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(newintermediate_, path0.certs[1]);
EXPECT_EQ(newroot_, path0.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
if (expectation.expected_num_paths > 1) {
// Next path: target <- newintermediate <- oldroot
const auto &path1 = *result.paths[1];
EXPECT_FALSE(path1.IsValid());
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
EXPECT_EQ(oldroot_, path1.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
if (expectation.expected_num_paths > 2) {
// Next path: target <- oldintermediate <- oldroot
const auto &path2 = *result.paths[2];
EXPECT_TRUE(path2.IsValid());
ASSERT_EQ(3U, path2.certs.size());
EXPECT_EQ(target_, path2.certs[0]);
EXPECT_EQ(oldintermediate_, path2.certs[1]);
EXPECT_EQ(oldroot_, path2.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
if (expectation.expected_num_paths > 3) {
// Final path: target <- oldintermediate <- newroot
const auto &path3 = *result.paths[3];
EXPECT_FALSE(path3.IsValid());
ASSERT_EQ(3U, path3.certs.size());
EXPECT_EQ(target_, path3.certs[0]);
EXPECT_EQ(oldintermediate_, path3.certs[1]);
EXPECT_EQ(newroot_, path3.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
}
}
// Tests that when SetValidPathLimit is used path builder returns the number of
// valid paths we expect before the valid path limit was reached.
TEST_F(PathBuilderKeyRolloverTest, ExplorePathsWithPathLimit) {
struct Expectation {
size_t valid_path_limit;
size_t expected_num_paths;
} kExpectations[] = {
{0, 4}, // No path limit. Three valid, one partial path should be built
{1, 1}, // One valid path
{2, 3}, // Two valid, one partial
{3, 4}, {4, 4}, {5, 4},
};
// Trust both old and new roots.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(oldroot_);
trust_store.AddTrustAnchor(newroot_);
// Intermediates and root rollover are all provided synchronously.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(oldintermediate_);
sync_certs.AddCert(newintermediate_);
for (const auto &expectation : kExpectations) {
SCOPED_TRACE(expectation.valid_path_limit);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
// Stop after finding enough valid paths.
path_builder.SetValidPathLimit(expectation.valid_path_limit);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(expectation.expected_num_paths, result.paths.size());
if (result.paths.size() > 0) {
// Path builder will first build path: target <- newintermediate <-
// newroot
const auto &path0 = *result.paths[0];
EXPECT_TRUE(path0.IsValid());
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(newintermediate_, path0.certs[1]);
EXPECT_EQ(newroot_, path0.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
if (result.paths.size() > 1) {
// Next path: target <- newintermediate <- oldroot
const auto &path1 = *result.paths[1];
EXPECT_FALSE(path1.IsValid());
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
EXPECT_EQ(oldroot_, path1.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
if (result.paths.size() > 2) {
// Next path: target <- oldintermediate <- oldroot
const auto &path2 = *result.paths[2];
EXPECT_TRUE(path2.IsValid());
ASSERT_EQ(3U, path2.certs.size());
EXPECT_EQ(target_, path2.certs[0]);
EXPECT_EQ(oldintermediate_, path2.certs[1]);
EXPECT_EQ(oldroot_, path2.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
if (result.paths.size() > 3) {
// Final path: target <- oldintermediate <- newroot
const auto &path3 = *result.paths[3];
EXPECT_FALSE(path3.IsValid());
ASSERT_EQ(3U, path3.certs.size());
EXPECT_EQ(target_, path3.certs[0]);
EXPECT_EQ(oldintermediate_, path3.certs[1]);
EXPECT_EQ(newroot_, path3.certs[2]);
EXPECT_EQ(3U, result.max_depth_seen);
}
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
}
// If the target cert is a trust anchor, however is not itself *signed* by a
// trust anchor, then it is not considered valid (the SPKI and name of the
// trust anchor matches the SPKI and subject of the target certificate, but the
// rest of the certificate cannot be verified).
TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) {
// Trust newintermediate.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(newintermediate_);
// Newintermediate is also the target cert.
CertPathBuilder path_builder(
newintermediate_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
// If target has same Name+SAN+SPKI as a necessary intermediate, test if a path
// can still be built.
// Since LoopChecker will prevent the intermediate from being included, this
// currently does NOT verify. This case shouldn't occur in the web PKI.
TEST_F(PathBuilderKeyRolloverTest,
TestEndEntityHasSameNameAndSpkiAsIntermediate) {
// Trust oldroot.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(oldroot_);
// New root rollover is provided synchronously.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(newrootrollover_);
// Newroot is the target cert.
CertPathBuilder path_builder(
newroot_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
// This could actually be OK, but CertPathBuilder does not build the
// newroot <- newrootrollover <- oldroot path.
EXPECT_FALSE(result.HasValidPath());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(),
VerifyError::StatusCode::CERTIFICATE_INVALID_SIGNATURE)
<< error.DiagnosticString();
}
// If target has same Name+SAN+SPKI as the trust root, test that a (trivial)
// path can still be built.
TEST_F(PathBuilderKeyRolloverTest,
TestEndEntityHasSameNameAndSpkiAsTrustAnchor) {
// Trust newrootrollover.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(newrootrollover_);
// Newroot is the target cert.
CertPathBuilder path_builder(
newroot_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
const CertPathBuilderResultPath *best_result = result.GetBestValidPath();
// Newroot has same name+SPKI as newrootrollover, thus the path is valid and
// only contains newroot.
EXPECT_TRUE(best_result->IsValid());
ASSERT_EQ(2U, best_result->certs.size());
EXPECT_EQ(newroot_, best_result->certs[0]);
EXPECT_EQ(newrootrollover_, best_result->certs[1]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Test that PathBuilder will not try the same path twice if multiple
// CertIssuerSources provide the same certificate.
TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) {
// Create a separate copy of oldintermediate.
std::shared_ptr<const ParsedCertificate> oldintermediate_dupe(
ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(
CRYPTO_BUFFER_new(oldintermediate_->der_cert().data(),
oldintermediate_->der_cert().size(), nullptr)),
{}, nullptr));
// Only newroot is a trusted root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(newroot_);
// The oldintermediate is supplied synchronously by |sync_certs1| and
// another copy of oldintermediate is supplied synchronously by |sync_certs2|.
// The path target <- oldintermediate <- newroot should be built first,
// though it won't verify. It should not be attempted again even though
// oldintermediate was supplied twice.
CertIssuerSourceStatic sync_certs1;
sync_certs1.AddCert(oldintermediate_);
CertIssuerSourceStatic sync_certs2;
sync_certs2.AddCert(oldintermediate_dupe);
// The newintermediate is supplied asynchronously, so the path
// target <- newintermediate <- newroot should be tried second.
AsyncCertIssuerSourceStatic async_certs;
async_certs.AddCert(newintermediate_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs1);
path_builder.AddCertIssuerSource(&sync_certs2);
path_builder.AddCertIssuerSource(&async_certs);
auto result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(2U, result.paths.size());
// Path builder will first attempt: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
// Compare the DER instead of ParsedCertificate pointer, don't care which copy
// of oldintermediate was used in the path.
EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert());
EXPECT_EQ(newroot_, path0.certs[2]);
// Path builder will next attempt: target <- newintermediate <- newroot
// which will succeed.
EXPECT_EQ(1U, result.best_result_index);
EXPECT_TRUE(result.paths[1]->IsValid());
const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
EXPECT_EQ(newroot_, path1.certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Test when PathBuilder is given a cert via CertIssuerSources that has the same
// SPKI as a trust anchor.
TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) {
// Create a separate copy of newroot.
std::shared_ptr<const ParsedCertificate> newroot_dupe(
ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(
CRYPTO_BUFFER_new(newroot_->der_cert().data(),
newroot_->der_cert().size(), nullptr)),
{}, nullptr));
// Only newroot is a trusted root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(newroot_);
// The oldintermediate and newroot are supplied synchronously by |sync_certs|.
CertIssuerSourceStatic sync_certs;
sync_certs.AddCert(oldintermediate_);
sync_certs.AddCert(newroot_dupe);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&sync_certs);
auto result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
ASSERT_EQ(1U, result.paths.size());
// Path builder attempt: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
const auto &path = *result.paths[0];
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
EXPECT_EQ(oldintermediate_, path.certs[1]);
// Compare the DER instead of ParsedCertificate pointer, don't care which copy
// of newroot was used in the path.
EXPECT_EQ(newroot_->der_cert(), path.certs[2]->der_cert());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(),
VerifyError::StatusCode::CERTIFICATE_INVALID_SIGNATURE)
<< error.DiagnosticString();
}
class MockCertIssuerSourceRequest : public CertIssuerSource::Request {
public:
MOCK_METHOD1(GetNext, void(ParsedCertificateList *));
};
class MockCertIssuerSource : public CertIssuerSource {
public:
MOCK_METHOD2(SyncGetIssuersOf,
void(const ParsedCertificate *, ParsedCertificateList *));
MOCK_METHOD2(AsyncGetIssuersOf,
void(const ParsedCertificate *, std::unique_ptr<Request> *));
};
// Helper class to pass the Request to the PathBuilder when it calls
// AsyncGetIssuersOf. (GoogleMock has a ByMove helper, but it apparently can
// only be used with Return, not SetArgPointee.)
class CertIssuerSourceRequestMover {
public:
explicit CertIssuerSourceRequestMover(
std::unique_ptr<CertIssuerSource::Request> req)
: request_(std::move(req)) {}
void MoveIt(const ParsedCertificate *cert,
std::unique_ptr<CertIssuerSource::Request> *out_req) {
*out_req = std::move(request_);
}
private:
std::unique_ptr<CertIssuerSource::Request> request_;
};
// Functor that when called with a ParsedCertificateList* will append the
// specified certificate.
class AppendCertToList {
public:
explicit AppendCertToList(
const std::shared_ptr<const ParsedCertificate> &cert)
: cert_(cert) {}
void operator()(ParsedCertificateList *out) { out->push_back(cert_); }
private:
std::shared_ptr<const ParsedCertificate> cert_;
};
// Test that a single CertIssuerSource returning multiple async batches of
// issuers is handled correctly. Due to the StrictMocks, it also tests that path
// builder does not request issuers of certs that it shouldn't.
TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncIssuersFromSingleSource) {
StrictMock<MockCertIssuerSource> cert_issuer_source;
// Only newroot is a trusted root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(newroot_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&cert_issuer_source);
// Create the mock CertIssuerSource::Request...
auto target_issuers_req_owner =
std::make_unique<StrictMock<MockCertIssuerSourceRequest>>();
// Keep a raw pointer to the Request...
StrictMock<MockCertIssuerSourceRequest> *target_issuers_req =
target_issuers_req_owner.get();
// Setup helper class to pass ownership of the Request to the PathBuilder when
// it calls AsyncGetIssuersOf.
CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner));
{
::testing::InSequence s;
EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _));
EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _))
.WillOnce(Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt));
}
EXPECT_CALL(*target_issuers_req, GetNext(_))
// First async batch: return oldintermediate_.
.WillOnce(Invoke(AppendCertToList(oldintermediate_)))
// Second async batch: return newintermediate_.
.WillOnce(Invoke(AppendCertToList(newintermediate_)));
{
::testing::InSequence s;
// oldintermediate_ does not create a valid path, so both sync and async
// lookups are expected.
EXPECT_CALL(cert_issuer_source,
SyncGetIssuersOf(oldintermediate_.get(), _));
EXPECT_CALL(cert_issuer_source,
AsyncGetIssuersOf(oldintermediate_.get(), _));
}
// newroot_ is in the trust store, so this path will be completed
// synchronously. AsyncGetIssuersOf will not be called on newintermediate_.
EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _));
// Ensure pathbuilder finished and filled result.
auto result = path_builder.Run();
// Note that VerifyAndClearExpectations(target_issuers_req) is not called
// here. PathBuilder could have destroyed it already, so just let the
// expectations get checked by the destructor.
::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source);
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(2U, result.paths.size());
// Path builder first attempts: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(oldintermediate_, path0.certs[1]);
EXPECT_EQ(newroot_, path0.certs[2]);
// After the second batch of async results, path builder will attempt:
// target <- newintermediate <- newroot which will succeed.
EXPECT_TRUE(result.paths[1]->IsValid());
const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
EXPECT_EQ(newroot_, path1.certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
// Test that PathBuilder will not try the same path twice if CertIssuerSources
// asynchronously provide the same certificate multiple times.
TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) {
StrictMock<MockCertIssuerSource> cert_issuer_source;
// Only newroot is a trusted root.
TrustStoreInMemory trust_store;
trust_store.AddTrustAnchor(newroot_);
CertPathBuilder path_builder(
target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
initial_explicit_policy_, user_initial_policy_set_,
initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
path_builder.AddCertIssuerSource(&cert_issuer_source);
// Create the mock CertIssuerSource::Request...
auto target_issuers_req_owner =
std::make_unique<StrictMock<MockCertIssuerSourceRequest>>();
// Keep a raw pointer to the Request...
StrictMock<MockCertIssuerSourceRequest> *target_issuers_req =
target_issuers_req_owner.get();
// Setup helper class to pass ownership of the Request to the PathBuilder when
// it calls AsyncGetIssuersOf.
CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner));
{
::testing::InSequence s;
EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _));
EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _))
.WillOnce(Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt));
}
std::shared_ptr<const ParsedCertificate> oldintermediate_dupe(
ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(
CRYPTO_BUFFER_new(oldintermediate_->der_cert().data(),
oldintermediate_->der_cert().size(), nullptr)),
{}, nullptr));
EXPECT_CALL(*target_issuers_req, GetNext(_))
// First async batch: return oldintermediate_.
.WillOnce(Invoke(AppendCertToList(oldintermediate_)))
// Second async batch: return a different copy of oldintermediate_ again.
.WillOnce(Invoke(AppendCertToList(oldintermediate_dupe)))
// Third async batch: return newintermediate_.
.WillOnce(Invoke(AppendCertToList(newintermediate_)));
{
::testing::InSequence s;
// oldintermediate_ does not create a valid path, so both sync and async
// lookups are expected.
EXPECT_CALL(cert_issuer_source,
SyncGetIssuersOf(oldintermediate_.get(), _));
EXPECT_CALL(cert_issuer_source,
AsyncGetIssuersOf(oldintermediate_.get(), _));
}
// newroot_ is in the trust store, so this path will be completed
// synchronously. AsyncGetIssuersOf will not be called on newintermediate_.
EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _));
// Ensure pathbuilder finished and filled result.
auto result = path_builder.Run();
::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source);
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(2U, result.paths.size());
// Path builder first attempts: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(oldintermediate_, path0.certs[1]);
EXPECT_EQ(newroot_, path0.certs[2]);
// The second async result does not generate any path.
// After the third batch of async results, path builder will attempt:
// target <- newintermediate <- newroot which will succeed.
EXPECT_TRUE(result.paths[1]->IsValid());
const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
EXPECT_EQ(newroot_, path1.certs[2]);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
class PathBuilderSimpleChainTest : public ::testing::Test {
public:
PathBuilderSimpleChainTest() = default;
protected:
void SetUp() override {
// Read a simple test chain comprised of a target, intermediate, and root.
ASSERT_TRUE(ReadVerifyCertChainTestFromFile(
"testdata/verify_certificate_chain_unittest/target-and-intermediate/"
"main.test",
&test_));
ASSERT_EQ(3u, test_.chain.size());
}
// Runs the path builder for the target certificate while |distrusted_cert| is
// blocked, and |delegate| if non-null.
CertPathBuilder::Result RunPathBuilder(
const std::shared_ptr<const ParsedCertificate> &distrusted_cert,
CertPathBuilderDelegate *optional_delegate) {
// Set up the trust store such that |distrusted_cert| is blocked, and
// the root is trusted (except if it was |distrusted_cert|).
TrustStoreInMemory trust_store;
if (distrusted_cert != test_.chain.back()) {
trust_store.AddTrustAnchor(test_.chain.back());
}
if (distrusted_cert) {
trust_store.AddDistrustedCertificateForTest(distrusted_cert);
}
// Add the single intermediate.
CertIssuerSourceStatic intermediates;
intermediates.AddCert(test_.chain[1]);
SimplePathBuilderDelegate default_delegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
CertPathBuilderDelegate *delegate =
optional_delegate ? optional_delegate : &default_delegate;
const InitialExplicitPolicy initial_explicit_policy =
InitialExplicitPolicy::kFalse;
const std::set<der::Input> user_initial_policy_set = {
der::Input(kAnyPolicyOid)};
const InitialPolicyMappingInhibit initial_policy_mapping_inhibit =
InitialPolicyMappingInhibit::kFalse;
const InitialAnyPolicyInhibit initial_any_policy_inhibit =
InitialAnyPolicyInhibit::kFalse;
CertPathBuilder path_builder(
test_.chain.front(), &trust_store, delegate, test_.time,
KeyPurpose::ANY_EKU, initial_explicit_policy, user_initial_policy_set,
initial_policy_mapping_inhibit, initial_any_policy_inhibit);
path_builder.AddCertIssuerSource(&intermediates);
return path_builder.Run();
}
protected:
VerifyCertChainTest test_;
};
// Test fixture for running the path builder over a simple chain, while varying
// the trustedness of certain certificates.
class PathBuilderDistrustTest : public PathBuilderSimpleChainTest {
public:
PathBuilderDistrustTest() = default;
protected:
// Runs the path builder for the target certificate while |distrusted_cert| is
// blocked.
CertPathBuilder::Result RunPathBuilderWithDistrustedCert(
const std::shared_ptr<const ParsedCertificate> &distrusted_cert) {
return RunPathBuilder(distrusted_cert, nullptr);
}
};
// Tests that path building fails when the target, intermediate, or root are
// distrusted (but the path is otherwise valid).
TEST_F(PathBuilderDistrustTest, TargetIntermediateRoot) {
// First do a control test -- path building without any blocked
// certificates should work.
CertPathBuilder::Result result = RunPathBuilderWithDistrustedCert(nullptr);
{
ASSERT_TRUE(result.HasValidPath());
// The built path should be identical the the one read from disk.
const auto &path = *result.GetBestValidPath();
ASSERT_EQ(test_.chain.size(), path.certs.size());
for (size_t i = 0; i < test_.chain.size(); ++i) {
EXPECT_EQ(test_.chain[i], path.certs[i]);
}
}
// Try path building when only the target is blocked - should fail.
result = RunPathBuilderWithDistrustedCert(test_.chain[0]);
{
EXPECT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
const auto &best_path = result.paths[result.best_result_index];
// The built chain has length 1 since path building stopped once
// it encountered the blocked certificate (target).
ASSERT_EQ(1u, best_path->certs.size());
EXPECT_EQ(best_path->certs[0], test_.chain[0]);
EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors());
best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore);
}
// Try path building when only the intermediate is blocked - should fail.
result = RunPathBuilderWithDistrustedCert(test_.chain[1]);
{
EXPECT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
const auto &best_path = result.paths[result.best_result_index];
// The built chain has length 2 since path building stopped once
// it encountered the blocked certificate (intermediate).
ASSERT_EQ(2u, best_path->certs.size());
EXPECT_EQ(best_path->certs[0], test_.chain[0]);
EXPECT_EQ(best_path->certs[1], test_.chain[1]);
EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors());
best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore);
}
// Try path building when only the root is blocked - should fail.
result = RunPathBuilderWithDistrustedCert(test_.chain[2]);
{
EXPECT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
const auto &best_path = result.paths[result.best_result_index];
// The built chain has length 3 since path building stopped once
// it encountered the blocked certificate (root).
ASSERT_EQ(3u, best_path->certs.size());
EXPECT_EQ(best_path->certs[0], test_.chain[0]);
EXPECT_EQ(best_path->certs[1], test_.chain[1]);
EXPECT_EQ(best_path->certs[2], test_.chain[2]);
EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors());
best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore);
}
}
// Test fixture for running the path builder over a simple chain, while varying
// what CheckPathAfterVerification() does.
class PathBuilderCheckPathAfterVerificationTest
: public PathBuilderSimpleChainTest {};
TEST_F(PathBuilderCheckPathAfterVerificationTest, NoOpToValidPath) {
StrictMock<MockPathBuilderDelegate> delegate;
// Just verify that the hook is called.
EXPECT_CALL(delegate, CheckPathAfterVerification(_, _));
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
EXPECT_TRUE(result.HasValidPath());
}
DEFINE_CERT_ERROR_ID(kWarningFromDelegate, "Warning from delegate");
class AddWarningPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
void CheckPathAfterVerification(const CertPathBuilder &path_builder,
CertPathBuilderResultPath *path) override {
path->errors.GetErrorsForCert(1)->AddWarning(kWarningFromDelegate, nullptr);
}
};
TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsWarningToValidPath) {
AddWarningPathBuilderDelegate delegate;
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
ASSERT_TRUE(result.HasValidPath());
// A warning should have been added to certificate at index 1 in the path.
const CertErrors *cert1_errors =
result.GetBestValidPath()->errors.GetErrorsForCert(1);
ASSERT_TRUE(cert1_errors);
EXPECT_TRUE(cert1_errors->ContainsErrorWithSeverity(
kWarningFromDelegate, CertError::SEVERITY_WARNING));
// The warning should not affect the VerifyError
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)
<< error.DiagnosticString();
}
TEST_F(PathBuilderCheckPathAfterVerificationTest, TestVerifyErrorMapping) {
struct error_mapping {
CertErrorId internal_error;
VerifyError::StatusCode code;
};
struct error_mapping AllErrors[] = {
{cert_errors::kInternalError,
VerifyError::StatusCode::VERIFICATION_FAILURE},
{cert_errors::kValidityFailedNotAfter,
VerifyError::StatusCode::CERTIFICATE_EXPIRED},
{cert_errors::kValidityFailedNotBefore,
VerifyError::StatusCode::CERTIFICATE_NOT_YET_VALID},
{cert_errors::kDistrustedByTrustStore,
VerifyError::StatusCode::PATH_NOT_FOUND},
{cert_errors::kSignatureAlgorithmMismatch,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kChainIsEmpty,
VerifyError::StatusCode::VERIFICATION_FAILURE},
{cert_errors::kUnconsumedCriticalExtension,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kKeyCertSignBitNotSet,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kMaxPathLengthViolated,
VerifyError::StatusCode::PATH_NOT_FOUND},
{cert_errors::kBasicConstraintsIndicatesNotCa,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kTargetCertShouldNotBeCa,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kMissingBasicConstraints,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kNotPermittedByNameConstraints,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kTooManyNameConstraintChecks,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kSubjectDoesNotMatchIssuer,
VerifyError::StatusCode::PATH_NOT_FOUND},
{cert_errors::kVerifySignedDataFailed,
VerifyError::StatusCode::CERTIFICATE_INVALID_SIGNATURE},
{cert_errors::kSignatureAlgorithmsDifferentEncoding,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kEkuLacksServerAuth,
VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU},
{cert_errors::kEkuLacksServerAuthButHasAnyEKU,
VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU},
{cert_errors::kEkuLacksClientAuth,
VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU},
{cert_errors::kEkuLacksClientAuthButHasAnyEKU,
VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU},
{cert_errors::kEkuLacksClientAuthOrServerAuth,
VerifyError::StatusCode::CERTIFICATE_NO_MATCHING_EKU},
{cert_errors::kEkuHasProhibitedOCSPSigning,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kEkuHasProhibitedTimeStamping,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kEkuHasProhibitedCodeSigning,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kEkuNotPresent,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kCertIsNotTrustAnchor,
VerifyError::StatusCode::PATH_NOT_FOUND},
{cert_errors::kNoValidPolicy,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kPolicyMappingAnyPolicy,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kFailedParsingSpki,
VerifyError::StatusCode::CERTIFICATE_INVALID},
{cert_errors::kUnacceptableSignatureAlgorithm,
VerifyError::StatusCode::CERTIFICATE_UNSUPPORTED_SIGNATURE_ALGORITHM},
{cert_errors::kUnacceptablePublicKey,
VerifyError::StatusCode::CERTIFICATE_UNSUPPORTED_KEY},
{cert_errors::kCertificateRevoked,
VerifyError::StatusCode::CERTIFICATE_REVOKED},
{cert_errors::kNoRevocationMechanism,
VerifyError::StatusCode::CERTIFICATE_NO_REVOCATION_MECHANISM},
{cert_errors::kUnableToCheckRevocation,
VerifyError::StatusCode::CERTIFICATE_UNABLE_TO_CHECK_REVOCATION},
{cert_errors::kNoIssuersFound, VerifyError::StatusCode::PATH_NOT_FOUND},
{cert_errors::kDeadlineExceeded,
VerifyError::StatusCode::PATH_DEADLINE_EXCEEDED},
{cert_errors::kIterationLimitExceeded,
VerifyError::StatusCode::PATH_ITERATION_COUNT_EXCEEDED},
{cert_errors::kDepthLimitExceeded,
VerifyError::StatusCode::PATH_DEPTH_LIMIT_REACHED},
};
for (struct error_mapping mapping : AllErrors) {
AddWarningPathBuilderDelegate delegate;
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
ASSERT_TRUE(result.HasValidPath());
CertErrors *errors =
(CertErrors *)result.GetBestValidPath()->errors.GetErrorsForCert(1);
errors->AddError(mapping.internal_error, nullptr);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), mapping.code)
<< error.DiagnosticString();
}
}
TEST_F(PathBuilderCheckPathAfterVerificationTest,
TestVerifyErrorMulipleMapping) {
AddWarningPathBuilderDelegate delegate;
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
ASSERT_TRUE(result.HasValidPath());
CertErrors *errors =
(CertErrors *)result.GetBestValidPath()->errors.GetErrorsForCert(1);
errors->AddError(cert_errors::kEkuNotPresent, nullptr);
errors->AddError(cert_errors::kNoValidPolicy, nullptr);
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_MULTIPLE_ERRORS)
<< error.DiagnosticString();
}
DEFINE_CERT_ERROR_ID(kErrorFromDelegate, "Error from delegate");
class AddErrorPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
void CheckPathAfterVerification(const CertPathBuilder &path_builder,
CertPathBuilderResultPath *path) override {
path->errors.GetErrorsForCert(2)->AddError(kErrorFromDelegate, nullptr);
}
};
TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsErrorToValidPath) {
AddErrorPathBuilderDelegate delegate;
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
// Verification failed.
ASSERT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
const CertPathBuilderResultPath *failed_path =
result.paths[result.best_result_index].get();
ASSERT_TRUE(failed_path);
// An error should have been added to certificate at index 2 in the path.
const CertErrors *cert2_errors = failed_path->errors.GetErrorsForCert(2);
ASSERT_TRUE(cert2_errors);
EXPECT_TRUE(cert2_errors->ContainsError(kErrorFromDelegate));
// The newly defined delegate error should map to CERTIFICATE_INVALID
// since it is associated with a certificate (at index 2)
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::CERTIFICATE_INVALID)
<< error.DiagnosticString();
}
class AddOtherErrorPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
void CheckPathAfterVerification(const CertPathBuilder &path_builder,
CertPathBuilderResultPath *path) override {
path->errors.GetOtherErrors()->AddError(kErrorFromDelegate, nullptr);
}
};
TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsErrorToOtherErrors) {
AddOtherErrorPathBuilderDelegate delegate;
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
// Verification failed.
ASSERT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
const CertPathBuilderResultPath *failed_path =
result.paths[result.best_result_index].get();
ASSERT_TRUE(failed_path);
// An error should have been added to other errors
const CertErrors *other_errors = failed_path->errors.GetOtherErrors();
ASSERT_TRUE(other_errors);
EXPECT_TRUE(other_errors->ContainsError(kErrorFromDelegate));
// The newly defined delegate error should map to VERIFICATION_FAILURE
// since the error is not associated to a certificate.
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::VERIFICATION_FAILURE)
<< error.DiagnosticString();
}
TEST_F(PathBuilderCheckPathAfterVerificationTest, NoopToAlreadyInvalidPath) {
StrictMock<MockPathBuilderDelegate> delegate;
// Just verify that the hook is called (on an invalid path).
EXPECT_CALL(delegate, CheckPathAfterVerification(_, _));
// Run the pathbuilder with certificate at index 1 actively distrusted.
CertPathBuilder::Result result = RunPathBuilder(test_.chain[1], &delegate);
EXPECT_FALSE(result.HasValidPath());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
}
struct DelegateData : public CertPathBuilderDelegateData {
int value = 0xB33F;
};
class SetsDelegateDataPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
void CheckPathAfterVerification(const CertPathBuilder &path_builder,
CertPathBuilderResultPath *path) override {
path->delegate_data = std::make_unique<DelegateData>();
}
};
TEST_F(PathBuilderCheckPathAfterVerificationTest, SetsDelegateData) {
SetsDelegateDataPathBuilderDelegate delegate;
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
ASSERT_TRUE(result.HasValidPath());
DelegateData *data = reinterpret_cast<DelegateData *>(
result.GetBestValidPath()->delegate_data.get());
EXPECT_EQ(0xB33F, data->value);
}
TEST(PathBuilderPrioritizationTest, DatePrioritization) {
std::string test_dir =
"testdata/path_builder_unittest/validity_date_prioritization/";
std::shared_ptr<const ParsedCertificate> root =
ReadCertFromFile(test_dir + "root.pem");
ASSERT_TRUE(root);
std::shared_ptr<const ParsedCertificate> int_ac =
ReadCertFromFile(test_dir + "int_ac.pem");
ASSERT_TRUE(int_ac);
std::shared_ptr<const ParsedCertificate> int_ad =
ReadCertFromFile(test_dir + "int_ad.pem");
ASSERT_TRUE(int_ad);
std::shared_ptr<const ParsedCertificate> int_bc =
ReadCertFromFile(test_dir + "int_bc.pem");
ASSERT_TRUE(int_bc);
std::shared_ptr<const ParsedCertificate> int_bd =
ReadCertFromFile(test_dir + "int_bd.pem");
ASSERT_TRUE(int_bd);
std::shared_ptr<const ParsedCertificate> target =
ReadCertFromFile(test_dir + "target.pem");
ASSERT_TRUE(target);
SimplePathBuilderDelegate delegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
// Distrust the root certificate. This will force the path builder to attempt
// all possible paths.
TrustStoreInMemory trust_store;
trust_store.AddDistrustedCertificateForTest(root);
for (bool reverse_input_order : {false, true}) {
SCOPED_TRACE(reverse_input_order);
CertIssuerSourceStatic intermediates;
// Test with the intermediates supplied in two different orders to ensure
// the results don't depend on input ordering.
if (reverse_input_order) {
intermediates.AddCert(int_bd);
intermediates.AddCert(int_bc);
intermediates.AddCert(int_ad);
intermediates.AddCert(int_ac);
} else {
intermediates.AddCert(int_ac);
intermediates.AddCert(int_ad);
intermediates.AddCert(int_bc);
intermediates.AddCert(int_bd);
}
CertPathBuilder path_builder(
target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)},
InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
path_builder.AddCertIssuerSource(&intermediates);
CertPathBuilder::Result result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
VerifyError error = result.GetBestPathVerifyError();
ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)
<< error.DiagnosticString();
ASSERT_EQ(4U, result.paths.size());
// Path builder should have attempted paths using the intermediates in
// order: bd, bc, ad, ac
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(target, result.paths[0]->certs[0]);
EXPECT_EQ(int_bd, result.paths[0]->certs[1]);
EXPECT_EQ(root, result.paths[0]->certs[2]);
EXPECT_FALSE(result.paths[1]->IsValid());
ASSERT_EQ(3U, result.paths[1]->certs.size());
EXPECT_EQ(target, result.paths[1]->certs[0]);
EXPECT_EQ(int_bc, result.paths[1]->certs[1]);
EXPECT_EQ(root, result.paths[1]->certs[2]);
EXPECT_FALSE(result.paths[2]->IsValid());
ASSERT_EQ(3U, result.paths[2]->certs.size());
EXPECT_EQ(target, result.paths[2]->certs[0]);
EXPECT_EQ(int_ad, result.paths[2]->certs[1]);
EXPECT_EQ(root, result.paths[2]->certs[2]);
EXPECT_FALSE(result.paths[3]->IsValid());
ASSERT_EQ(3U, result.paths[3]->certs.size());
EXPECT_EQ(target, result.paths[3]->certs[0]);
EXPECT_EQ(int_ac, result.paths[3]->certs[1]);
EXPECT_EQ(root, result.paths[3]->certs[2]);
}
}
TEST(PathBuilderPrioritizationTest, KeyIdPrioritization) {
std::string test_dir =
"testdata/path_builder_unittest/key_id_prioritization/";
std::shared_ptr<const ParsedCertificate> root =
ReadCertFromFile(test_dir + "root.pem");
ASSERT_TRUE(root);
std::shared_ptr<const ParsedCertificate> int_matching_ski_a =
ReadCertFromFile(test_dir + "int_matching_ski_a.pem");
ASSERT_TRUE(int_matching_ski_a);
std::shared_ptr<const ParsedCertificate> int_matching_ski_b =
ReadCertFromFile(test_dir + "int_matching_ski_b.pem");
ASSERT_TRUE(int_matching_ski_b);
std::shared_ptr<const ParsedCertificate> int_no_ski_a =
ReadCertFromFile(test_dir + "int_no_ski_a.pem");
ASSERT_TRUE(int_no_ski_a);
std::shared_ptr<const ParsedCertificate> int_no_ski_b =
ReadCertFromFile(test_dir + "int_no_ski_b.pem");
ASSERT_TRUE(int_no_ski_b);
std::shared_ptr<const ParsedCertificate> int_different_ski_a =
ReadCertFromFile(test_dir + "int_different_ski_a.pem");
ASSERT_TRUE(int_different_ski_a);
std::shared_ptr<const ParsedCertificate> int_different_ski_b =
ReadCertFromFile(test_dir + "int_different_ski_b.pem");
ASSERT_TRUE(int_different_ski_b);
std::shared_ptr<const ParsedCertificate> target =
ReadCertFromFile(test_dir + "target.pem");
ASSERT_TRUE(target);
SimplePathBuilderDelegate delegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
// Distrust the root certificate. This will force the path builder to attempt
// all possible paths.
TrustStoreInMemory trust_store;
trust_store.AddDistrustedCertificateForTest(root);
for (bool reverse_input_order : {false, true}) {
SCOPED_TRACE(reverse_input_order);
CertIssuerSourceStatic intermediates;
// Test with the intermediates supplied in two different orders to ensure
// the results don't depend on input ordering.
if (reverse_input_order) {
intermediates.AddCert(int_different_ski_b);
intermediates.AddCert(int_different_ski_a);
intermediates.AddCert(int_no_ski_b);
intermediates.AddCert(int_no_ski_a);
intermediates.AddCert(int_matching_ski_b);
intermediates.AddCert(int_matching_ski_a);
} else {
intermediates.AddCert(int_matching_ski_a);
intermediates.AddCert(int_matching_ski_b);
intermediates.AddCert(int_no_ski_a);
intermediates.AddCert(int_no_ski_b);
intermediates.AddCert(int_different_ski_a);
intermediates.AddCert(int_different_ski_b);
}
CertPathBuilder path_builder(
target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)},
InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
path_builder.AddCertIssuerSource(&intermediates);
CertPathBuilder::Result result = path_builder.Run();
EXPECT_FALSE(result.HasValidPath());
ASSERT_EQ(6U, result.paths.size());
// Path builder should have attempted paths using the intermediates in
// order: matching_ski_b, matching_ski_a, no_ski_b, no_ski_a,
// different_ski_b, different_ski_a
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(3U, result.paths[0]->certs.size());
EXPECT_EQ(target, result.paths[0]->certs[0]);
EXPECT_EQ(int_matching_ski_b, result.paths[0]->certs[1]);
EXPECT_EQ(root, result.paths[0]->certs[2]);
EXPECT_FALSE(result.paths[1]->IsValid());
ASSERT_EQ(3U, result.paths[1]->certs.size());
EXPECT_EQ(target, result.paths[1]->certs[0]);
EXPECT_EQ(int_matching_ski_a, result.paths[1]->certs[1]);
EXPECT_EQ(root, result.paths[1]->certs[2]);
EXPECT_FALSE(result.paths[2]->IsValid());
ASSERT_EQ(3U, result.paths[2]->certs.size());
EXPECT_EQ(target, result.paths[2]->certs[0]);
EXPECT_EQ(int_no_ski_b, result.paths[2]->certs[1]);
EXPECT_EQ(root, result.paths[2]->certs[2]);
EXPECT_FALSE(result.paths[3]->IsValid());
ASSERT_EQ(3U, result.paths[3]->certs.size());
EXPECT_EQ(target, result.paths[3]->certs[0]);
EXPECT_EQ(int_no_ski_a, result.paths[3]->certs[1]);
EXPECT_EQ(root, result.paths[3]->certs[2]);
EXPECT_FALSE(result.paths[4]->IsValid());
ASSERT_EQ(3U, result.paths[4]->certs.size());
EXPECT_EQ(target, result.paths[4]->certs[0]);
EXPECT_EQ(int_different_ski_b, result.paths[4]->certs[1]);
EXPECT_EQ(root, result.paths[4]->certs[2]);
EXPECT_FALSE(result.paths[5]->IsValid());
ASSERT_EQ(3U, result.paths[5]->certs.size());
EXPECT_EQ(target, result.paths[5]->certs[0]);
EXPECT_EQ(int_different_ski_a, result.paths[5]->certs[1]);
EXPECT_EQ(root, result.paths[5]->certs[2]);
}
}
TEST(PathBuilderPrioritizationTest, TrustAndKeyIdPrioritization) {
std::string test_dir =
"testdata/path_builder_unittest/key_id_prioritization/";
std::shared_ptr<const ParsedCertificate> root =
ReadCertFromFile(test_dir + "root.pem");
ASSERT_TRUE(root);
std::shared_ptr<const ParsedCertificate> trusted_and_matching =
ReadCertFromFile(test_dir + "int_matching_ski_a.pem");
ASSERT_TRUE(trusted_and_matching);
std::shared_ptr<const ParsedCertificate> matching =
ReadCertFromFile(test_dir + "int_matching_ski_b.pem");
ASSERT_TRUE(matching);
std::shared_ptr<const ParsedCertificate> distrusted_and_matching =
ReadCertFromFile(test_dir + "int_matching_ski_c.pem");
ASSERT_TRUE(distrusted_and_matching);
std::shared_ptr<const ParsedCertificate> trusted_and_no_match_data =
ReadCertFromFile(test_dir + "int_no_ski_a.pem");
ASSERT_TRUE(trusted_and_no_match_data);
std::shared_ptr<const ParsedCertificate> no_match_data =
ReadCertFromFile(test_dir + "int_no_ski_b.pem");
ASSERT_TRUE(no_match_data);
std::shared_ptr<const ParsedCertificate> distrusted_and_no_match_data =
ReadCertFromFile(test_dir + "int_no_ski_c.pem");
ASSERT_TRUE(distrusted_and_no_match_data);
std::shared_ptr<const ParsedCertificate> trusted_and_mismatch =
ReadCertFromFile(test_dir + "int_different_ski_a.pem");
ASSERT_TRUE(trusted_and_mismatch);
std::shared_ptr<const ParsedCertificate> mismatch =
ReadCertFromFile(test_dir + "int_different_ski_b.pem");
ASSERT_TRUE(mismatch);
std::shared_ptr<const ParsedCertificate> distrusted_and_mismatch =
ReadCertFromFile(test_dir + "int_different_ski_c.pem");
ASSERT_TRUE(distrusted_and_mismatch);
std::shared_ptr<const ParsedCertificate> target =
ReadCertFromFile(test_dir + "target.pem");
ASSERT_TRUE(target);
SimplePathBuilderDelegate delegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
for (bool reverse_input_order : {false, true}) {
SCOPED_TRACE(reverse_input_order);
TrustStoreInMemory trust_store;
// Test with the intermediates supplied in two different orders to ensure
// the results don't depend on input ordering.
if (reverse_input_order) {
trust_store.AddTrustAnchor(trusted_and_matching);
trust_store.AddCertificateWithUnspecifiedTrust(matching);
trust_store.AddDistrustedCertificateForTest(distrusted_and_matching);
trust_store.AddTrustAnchor(trusted_and_no_match_data);
trust_store.AddCertificateWithUnspecifiedTrust(no_match_data);
trust_store.AddDistrustedCertificateForTest(distrusted_and_no_match_data);
trust_store.AddTrustAnchor(trusted_and_mismatch);
trust_store.AddCertificateWithUnspecifiedTrust(mismatch);
trust_store.AddDistrustedCertificateForTest(distrusted_and_mismatch);
} else {
trust_store.AddDistrustedCertificateForTest(distrusted_and_matching);
trust_store.AddCertificateWithUnspecifiedTrust(no_match_data);
trust_store.AddTrustAnchor(trusted_and_no_match_data);
trust_store.AddTrustAnchor(trusted_and_matching);
trust_store.AddCertificateWithUnspecifiedTrust(matching);
trust_store.AddCertificateWithUnspecifiedTrust(mismatch);
trust_store.AddDistrustedCertificateForTest(distrusted_and_no_match_data);
trust_store.AddTrustAnchor(trusted_and_mismatch);
trust_store.AddDistrustedCertificateForTest(distrusted_and_mismatch);
}
// Also distrust the root certificate. This will force the path builder to
// report paths that included an unspecified trust intermediate.
trust_store.AddDistrustedCertificateForTest(root);
CertPathBuilder path_builder(
target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
InitialExplicitPolicy::kFalse, {der::Input(kAnyPolicyOid)},
InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
path_builder.SetValidPathLimit(0);
CertPathBuilder::Result result = path_builder.Run();
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(9U, result.paths.size());
// Path builder should have attempted paths using the intermediates in
// order: trusted_and_matching, trusted_and_no_match_data, matching,
// no_match_data, trusted_and_mismatch, mismatch, distrusted_and_matching,
// distrusted_and_no_match_data, distrusted_and_mismatch.
EXPECT_TRUE(result.paths[0]->IsValid());
ASSERT_EQ(2U, result.paths[0]->certs.size());
EXPECT_EQ(target, result.paths[0]->certs[0]);
EXPECT_EQ(trusted_and_matching, result.paths[0]->certs[1]);
EXPECT_TRUE(result.paths[1]->IsValid());
ASSERT_EQ(2U, result.paths[1]->certs.size());
EXPECT_EQ(target, result.paths[1]->certs[0]);
EXPECT_EQ(trusted_and_no_match_data, result.paths[1]->certs[1]);
EXPECT_FALSE(result.paths[2]->IsValid());
ASSERT_EQ(3U, result.paths[2]->certs.size());
EXPECT_EQ(target, result.paths[2]->certs[0]);
EXPECT_EQ(matching, result.paths[2]->certs[1]);
EXPECT_EQ(root, result.paths[2]->certs[2]);
EXPECT_FALSE(result.paths[3]->IsValid());
ASSERT_EQ(3U, result.paths[3]->certs.size());
EXPECT_EQ(target, result.paths[3]->certs[0]);
EXPECT_EQ(no_match_data, result.paths[3]->certs[1]);
EXPECT_EQ(root, result.paths[3]->certs[2]);
// Although this intermediate is trusted, it has the wrong key, so
// the path should not be valid.
EXPECT_FALSE(result.paths[4]->IsValid());
ASSERT_EQ(2U, result.paths[4]->certs.size());
EXPECT_EQ(target, result.paths[4]->certs[0]);
EXPECT_EQ(trusted_and_mismatch, result.paths[4]->certs[1]);
EXPECT_FALSE(result.paths[5]->IsValid());
ASSERT_EQ(3U, result.paths[5]->certs.size());
EXPECT_EQ(target, result.paths[5]->certs[0]);
EXPECT_EQ(mismatch, result.paths[5]->certs[1]);
EXPECT_EQ(root, result.paths[5]->certs[2]);
EXPECT_FALSE(result.paths[6]->IsValid());
ASSERT_EQ(2U, result.paths[6]->certs.size());
EXPECT_EQ(target, result.paths[6]->certs[0]);
EXPECT_EQ(distrusted_and_matching, result.paths[6]->certs[1]);
EXPECT_FALSE(result.paths[7]->IsValid());
ASSERT_EQ(2U, result.paths[7]->certs.size());
EXPECT_EQ(target, result.paths[7]->certs[0]);
EXPECT_EQ(distrusted_and_no_match_data, result.paths[7]->certs[1]);
EXPECT_FALSE(result.paths[8]->IsValid());
ASSERT_EQ(2U, result.paths[8]->certs.size());
EXPECT_EQ(target, result.paths[8]->certs[0]);
EXPECT_EQ(distrusted_and_mismatch, result.paths[8]->certs[1]);
}
}
// PathBuilder does not support prioritization based on the issuer name &
// serial in authorityKeyIdentifier, so this test just ensures that it does not
// affect prioritization order and that it is generally just ignored
// completely.
TEST(PathBuilderPrioritizationTest, KeyIdNameAndSerialPrioritization) {
std::string test_dir =
"testdata/path_builder_unittest/key_id_name_and_serial_prioritization/";
std::shared_ptr<const ParsedCertificate> root =
ReadCertFromFile(test_dir + "root.pem");
ASSERT_TRUE(root);
std::shared_ptr<const ParsedCertificate> root2 =
ReadCertFromFile(test_dir + "root2.pem");
ASSERT_TRUE(root2);
std::shared_ptr<const ParsedCertificate> int_matching =
ReadCertFromFile(test_dir + "int_matching.pem");
ASSERT_TRUE(int_matching);
std::shared_ptr<const ParsedCertificate> int_match_name_only =
ReadCertFromFile(test_dir + "int_match_name_only.pem");
ASSERT_TRUE(int_match_name_only);
std::shared_ptr<const ParsedCertificate> int_mismatch =
ReadCertFromFile(test_dir + "int_mismatch.pem");
ASSERT_TRUE(int_mismatch);
std::shared_ptr<const ParsedCertificate> target =
ReadCertFromFile(test_dir + "target.pem");
ASSERT_TRUE(target);
SimplePathBuilderDelegate delegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
der::