blob: 1d9be6feef8d1656db61a54ec90aceae99d5b4c6 [file] [log] [blame]
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "verify_certificate_chain.h"
#include "cert_errors.h"
#include "common_cert_errors.h"
#include "mock_signature_verify_cache.h"
#include "simple_path_builder_delegate.h"
#include "test_helpers.h"
#include "trust_store.h"
#include "verify_certificate_chain_typed_unittest.h"
BSSL_NAMESPACE_BEGIN
namespace {
class VerifyCertificateChainTestDelegate {
public:
static void Verify(const VerifyCertChainTest &test,
const std::string &test_file_path) {
SimplePathBuilderDelegate delegate(1024, test.digest_policy);
CertPathErrors errors;
std::set<der::Input> user_constrained_policy_set;
VerifyCertificateChain(
test.chain, test.last_cert_trust, &delegate, test.time,
test.key_purpose, test.initial_explicit_policy,
test.user_initial_policy_set, test.initial_policy_mapping_inhibit,
test.initial_any_policy_inhibit, &user_constrained_policy_set, &errors);
VerifyCertPathErrors(test.expected_errors, errors, test.chain,
test_file_path);
VerifyUserConstrainedPolicySet(test.expected_user_constrained_policy_set,
user_constrained_policy_set, test_file_path);
}
};
} // namespace
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
VerifyCertificateChainSingleRootTest,
VerifyCertificateChainTestDelegate);
TEST(VerifyCertificateIsSelfSigned, TargetOnly) {
auto cert = ReadCertFromFile(
"testdata/verify_certificate_chain_unittest/target-only/chain.pem");
ASSERT_TRUE(cert);
// Test with null cache and errors.
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
/*errors=*/nullptr));
// Test with cache and errors.
CertErrors errors;
MockSignatureVerifyCache cache;
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_TRUE(
errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
EXPECT_TRUE(errors.ContainsError(cert_errors::kSubjectDoesNotMatchIssuer));
// Should not try to verify signature if names don't match.
EXPECT_EQ(cache.CacheHits(), 0U);
EXPECT_EQ(cache.CacheMisses(), 0U);
EXPECT_EQ(cache.CacheStores(), 0U);
}
TEST(VerifyCertificateIsSelfSigned, SelfIssued) {
auto cert = ReadCertFromFile(
"testdata/verify_certificate_chain_unittest/target-selfissued/chain.pem");
ASSERT_TRUE(cert);
// Test with null cache and errors.
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
/*errors=*/nullptr));
// Test with cache and errors.
CertErrors errors;
MockSignatureVerifyCache cache;
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_TRUE(
errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
EXPECT_TRUE(errors.ContainsError(cert_errors::kVerifySignedDataFailed));
EXPECT_EQ(cache.CacheHits(), 0U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
// Trying again should use cached signature verification result.
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_EQ(cache.CacheHits(), 1U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
}
TEST(VerifyCertificateIsSelfSigned, SelfSigned) {
auto cert = ReadCertFromFile(
"testdata/verify_certificate_chain_unittest/target-selfsigned/chain.pem");
ASSERT_TRUE(cert);
// Test with null cache and errors.
EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
/*errors=*/nullptr));
// Test with cache and errors.
CertErrors errors;
MockSignatureVerifyCache cache;
EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_FALSE(errors.ContainsAnyErrorWithSeverity(
CertError::Severity::SEVERITY_WARNING));
EXPECT_FALSE(
errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
EXPECT_EQ(cache.CacheHits(), 0U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
// Trying again should use cached signature verification result.
EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_EQ(cache.CacheHits(), 1U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
}
BSSL_NAMESPACE_END