blob: d3f641f53740c840860ad7704ee3fd2a9a945f76 [file] [log] [blame]
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "verify_certificate_chain.h"
#include <openssl/pool.h>
#include "input.h"
#include "parsed_certificate.h"
#include "simple_path_builder_delegate.h"
#include "trust_store.h"
// These require CRL support, which is not implemented at the
// VerifyCertificateChain level.
#define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \
DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4
#define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \
DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5
#include "nist_pkits_unittest.h"
BSSL_NAMESPACE_BEGIN
namespace {
class VerifyCertificateChainPkitsTestDelegate {
public:
static void RunTest(std::vector<std::string> cert_ders,
std::vector<std::string> crl_ders,
const PkitsTestInfo &info) {
ASSERT_FALSE(cert_ders.empty());
// PKITS lists chains from trust anchor to target, whereas
// VerifyCertificateChain takes them starting with the target and ending
// with the trust anchor.
std::vector<std::shared_ptr<const ParsedCertificate>> input_chain;
CertErrors parsing_errors;
for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) {
ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector(
bssl::UniquePtr<CRYPTO_BUFFER>(
CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(i->data()),
i->size(), nullptr)),
{}, &input_chain, &parsing_errors))
<< parsing_errors.ToDebugString();
}
SimplePathBuilderDelegate path_builder_delegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
std::set<der::Input> user_constrained_policy_set;
CertPathErrors path_errors;
VerifyCertificateChain(
input_chain, CertificateTrust::ForTrustAnchor(), &path_builder_delegate,
info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy,
info.initial_policy_set, info.initial_policy_mapping_inhibit,
info.initial_inhibit_any_policy, &user_constrained_policy_set,
&path_errors);
bool did_succeed = !path_errors.ContainsHighSeverityErrors();
EXPECT_EQ(info.should_validate, did_succeed);
EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set);
// Check that the errors match expectations. The errors are saved in a
// parallel file, as they don't apply generically to the third_party
// PKITS data.
if (!info.should_validate && !did_succeed) {
std::string errors_file_path =
std::string(
"testdata/verify_certificate_chain_unittest/pkits_errors/") +
info.test_number + std::string(".txt");
std::string expected_errors = ReadTestFileToString(errors_file_path);
// Check that the errors match.
VerifyCertPathErrors(expected_errors, path_errors, input_chain,
errors_file_path);
} else if (!did_succeed) {
// If it failed and wasn't supposed to fail, print the errors.
EXPECT_EQ("", path_errors.ToDebugString(input_chain));
}
}
};
} // namespace
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest01SignatureVerification,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest02ValidityPeriods,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest03VerifyingNameChaining,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest06VerifyingBasicConstraints,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, PkitsTest07KeyUsage,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest08CertificatePolicies,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest09RequireExplicitPolicy,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest10PolicyMappings,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest11InhibitPolicyMapping,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest12InhibitAnyPolicy,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest13NameConstraints,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest16PrivateCertificateExtensions,
VerifyCertificateChainPkitsTestDelegate);
// These require CRL support, which is not implemented at the
// VerifyCertificateChain level:
// PkitsTest04BasicCertificateRevocationTests,
// PkitsTest05VerifyingPathswithSelfIssuedCertificates,
// PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
BSSL_NAMESPACE_END