Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
diff --git a/pki/verify_certificate_chain_pkits_unittest.cc b/pki/verify_certificate_chain_pkits_unittest.cc new file mode 100644 index 0000000..f36efa6 --- /dev/null +++ b/pki/verify_certificate_chain_pkits_unittest.cc
@@ -0,0 +1,129 @@ +// Copyright 2016 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "verify_certificate_chain.h" + +#include "parsed_certificate.h" +#include "simple_path_builder_delegate.h" +#include "trust_store.h" +#include "input.h" +#include <openssl/pool.h> + +// These require CRL support, which is not implemented at the +// VerifyCertificateChain level. +#define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ + DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 +#define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ + DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 + +#include "nist_pkits_unittest.h" + +namespace bssl { + +namespace { + +class VerifyCertificateChainPkitsTestDelegate { + public: + static void RunTest(std::vector<std::string> cert_ders, + std::vector<std::string> crl_ders, + const PkitsTestInfo& info) { + ASSERT_FALSE(cert_ders.empty()); + + // PKITS lists chains from trust anchor to target, whereas + // VerifyCertificateChain takes them starting with the target and ending + // with the trust anchor. + std::vector<std::shared_ptr<const ParsedCertificate>> input_chain; + CertErrors parsing_errors; + for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) { + ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector( + bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( + reinterpret_cast<const uint8_t*>(i->data()), i->size(), nullptr)), + {}, &input_chain, &parsing_errors)) + << parsing_errors.ToDebugString(); + } + + SimplePathBuilderDelegate path_builder_delegate( + 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); + + std::set<der::Input> user_constrained_policy_set; + + CertPathErrors path_errors; + VerifyCertificateChain( + input_chain, CertificateTrust::ForTrustAnchor(), &path_builder_delegate, + info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy, + info.initial_policy_set, info.initial_policy_mapping_inhibit, + info.initial_inhibit_any_policy, &user_constrained_policy_set, + &path_errors); + bool did_succeed = !path_errors.ContainsHighSeverityErrors(); + + EXPECT_EQ(info.should_validate, did_succeed); + EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set); + + // Check that the errors match expectations. The errors are saved in a + // parallel file, as they don't apply generically to the third_party + // PKITS data. + if (!info.should_validate && !did_succeed) { + std::string errors_file_path = + std::string( + "testdata/verify_certificate_chain_unittest/pkits_errors/") + + info.test_number + std::string(".txt"); + + std::string expected_errors = ReadTestFileToString(errors_file_path); + + // Check that the errors match. + VerifyCertPathErrors(expected_errors, path_errors, input_chain, + errors_file_path); + } else if (!did_succeed) { + // If it failed and wasn't supposed to fail, print the errors. + EXPECT_EQ("", path_errors.ToDebugString(input_chain)); + } + } +}; + +} // namespace + +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest01SignatureVerification, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest02ValidityPeriods, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest03VerifyingNameChaining, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest06VerifyingBasicConstraints, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest07KeyUsage, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest08CertificatePolicies, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest09RequireExplicitPolicy, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest10PolicyMappings, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest11InhibitPolicyMapping, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest12InhibitAnyPolicy, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest13NameConstraints, + VerifyCertificateChainPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, + PkitsTest16PrivateCertificateExtensions, + VerifyCertificateChainPkitsTestDelegate); + +// These require CRL support, which is not implemented at the +// VerifyCertificateChain level: +// PkitsTest04BasicCertificateRevocationTests, +// PkitsTest05VerifyingPathswithSelfIssuedCertificates, +// PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs + +} // namespace net