| Bob Beck | bc97b7a | 2023-04-18 08:35:15 -0600 | [diff] [blame^] | 1 | // Copyright 2016 The Chromium Authors |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include "verify_certificate_chain.h" |
| 6 | |
| 7 | #include "parsed_certificate.h" |
| 8 | #include "simple_path_builder_delegate.h" |
| 9 | #include "trust_store.h" |
| 10 | #include "input.h" |
| 11 | #include <openssl/pool.h> |
| 12 | |
| 13 | // These require CRL support, which is not implemented at the |
| 14 | // VerifyCertificateChain level. |
| 15 | #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ |
| 16 | DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
| 17 | #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ |
| 18 | DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
| 19 | |
| 20 | #include "nist_pkits_unittest.h" |
| 21 | |
| 22 | namespace bssl { |
| 23 | |
| 24 | namespace { |
| 25 | |
| 26 | class VerifyCertificateChainPkitsTestDelegate { |
| 27 | public: |
| 28 | static void RunTest(std::vector<std::string> cert_ders, |
| 29 | std::vector<std::string> crl_ders, |
| 30 | const PkitsTestInfo& info) { |
| 31 | ASSERT_FALSE(cert_ders.empty()); |
| 32 | |
| 33 | // PKITS lists chains from trust anchor to target, whereas |
| 34 | // VerifyCertificateChain takes them starting with the target and ending |
| 35 | // with the trust anchor. |
| 36 | std::vector<std::shared_ptr<const ParsedCertificate>> input_chain; |
| 37 | CertErrors parsing_errors; |
| 38 | for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) { |
| 39 | ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector( |
| 40 | bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( |
| 41 | reinterpret_cast<const uint8_t*>(i->data()), i->size(), nullptr)), |
| 42 | {}, &input_chain, &parsing_errors)) |
| 43 | << parsing_errors.ToDebugString(); |
| 44 | } |
| 45 | |
| 46 | SimplePathBuilderDelegate path_builder_delegate( |
| 47 | 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); |
| 48 | |
| 49 | std::set<der::Input> user_constrained_policy_set; |
| 50 | |
| 51 | CertPathErrors path_errors; |
| 52 | VerifyCertificateChain( |
| 53 | input_chain, CertificateTrust::ForTrustAnchor(), &path_builder_delegate, |
| 54 | info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy, |
| 55 | info.initial_policy_set, info.initial_policy_mapping_inhibit, |
| 56 | info.initial_inhibit_any_policy, &user_constrained_policy_set, |
| 57 | &path_errors); |
| 58 | bool did_succeed = !path_errors.ContainsHighSeverityErrors(); |
| 59 | |
| 60 | EXPECT_EQ(info.should_validate, did_succeed); |
| 61 | EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set); |
| 62 | |
| 63 | // Check that the errors match expectations. The errors are saved in a |
| 64 | // parallel file, as they don't apply generically to the third_party |
| 65 | // PKITS data. |
| 66 | if (!info.should_validate && !did_succeed) { |
| 67 | std::string errors_file_path = |
| 68 | std::string( |
| 69 | "testdata/verify_certificate_chain_unittest/pkits_errors/") + |
| 70 | info.test_number + std::string(".txt"); |
| 71 | |
| 72 | std::string expected_errors = ReadTestFileToString(errors_file_path); |
| 73 | |
| 74 | // Check that the errors match. |
| 75 | VerifyCertPathErrors(expected_errors, path_errors, input_chain, |
| 76 | errors_file_path); |
| 77 | } else if (!did_succeed) { |
| 78 | // If it failed and wasn't supposed to fail, print the errors. |
| 79 | EXPECT_EQ("", path_errors.ToDebugString(input_chain)); |
| 80 | } |
| 81 | } |
| 82 | }; |
| 83 | |
| 84 | } // namespace |
| 85 | |
| 86 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 87 | PkitsTest01SignatureVerification, |
| 88 | VerifyCertificateChainPkitsTestDelegate); |
| 89 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 90 | PkitsTest02ValidityPeriods, |
| 91 | VerifyCertificateChainPkitsTestDelegate); |
| 92 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 93 | PkitsTest03VerifyingNameChaining, |
| 94 | VerifyCertificateChainPkitsTestDelegate); |
| 95 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 96 | PkitsTest06VerifyingBasicConstraints, |
| 97 | VerifyCertificateChainPkitsTestDelegate); |
| 98 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 99 | PkitsTest07KeyUsage, |
| 100 | VerifyCertificateChainPkitsTestDelegate); |
| 101 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 102 | PkitsTest08CertificatePolicies, |
| 103 | VerifyCertificateChainPkitsTestDelegate); |
| 104 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 105 | PkitsTest09RequireExplicitPolicy, |
| 106 | VerifyCertificateChainPkitsTestDelegate); |
| 107 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 108 | PkitsTest10PolicyMappings, |
| 109 | VerifyCertificateChainPkitsTestDelegate); |
| 110 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 111 | PkitsTest11InhibitPolicyMapping, |
| 112 | VerifyCertificateChainPkitsTestDelegate); |
| 113 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 114 | PkitsTest12InhibitAnyPolicy, |
| 115 | VerifyCertificateChainPkitsTestDelegate); |
| 116 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 117 | PkitsTest13NameConstraints, |
| 118 | VerifyCertificateChainPkitsTestDelegate); |
| 119 | INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, |
| 120 | PkitsTest16PrivateCertificateExtensions, |
| 121 | VerifyCertificateChainPkitsTestDelegate); |
| 122 | |
| 123 | // These require CRL support, which is not implemented at the |
| 124 | // VerifyCertificateChain level: |
| 125 | // PkitsTest04BasicCertificateRevocationTests, |
| 126 | // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
| 127 | // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
| 128 | |
| 129 | } // namespace net |
