1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
|
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/internal/verify_certificate_chain.h"
#include "net/cert/internal/parsed_certificate.h"
#include "net/cert/internal/signature_policy.h"
#include "net/cert/internal/trust_store.h"
#include "net/der/input.h"
// Disable tests that require DSA signatures (DSA signatures are intentionally
// unsupported). Custom versions of the DSA tests are defined below which expect
// verification to fail.
#define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4
#define Section1ValidDSAParameterInheritanceTest5 \
DISABLED_Section1ValidDSAParameterInheritanceTest5
// Disable tests that require name constraints with name types that are
// intentionally unsupported. Custom versions of the tests are defined below
// which expect verification to fail.
#define Section13ValidRFC822nameConstraintsTest21 \
DISABLED_Section13ValidRFC822nameConstraintsTest21
#define Section13ValidRFC822nameConstraintsTest23 \
DISABLED_Section13ValidRFC822nameConstraintsTest23
#define Section13ValidRFC822nameConstraintsTest25 \
DISABLED_Section13ValidRFC822nameConstraintsTest25
#define Section13ValidDNandRFC822nameConstraintsTest27 \
DISABLED_Section13ValidDNandRFC822nameConstraintsTest27
#define Section13ValidURInameConstraintsTest34 \
DISABLED_Section13ValidURInameConstraintsTest34
#define Section13ValidURInameConstraintsTest36 \
DISABLED_Section13ValidURInameConstraintsTest36
// TODO(mattm): these require CRL support:
#define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \
DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4
#define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \
DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5
#include "net/cert/internal/nist_pkits_unittest.h"
namespace net {
namespace {
class VerifyCertificateChainPkitsTestDelegate {
public:
static bool Verify(std::vector<std::string> cert_ders,
std::vector<std::string> crl_ders) {
if (cert_ders.empty()) {
ADD_FAILURE() << "cert_ders is empty";
return false;
}
// PKITS lists chains from trust anchor to target, VerifyCertificateChain
// takes them starting with the target and not including the trust anchor.
std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
CertErrors errors;
for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) {
if (!net::ParsedCertificate::CreateAndAddToVector(*i, {}, &input_chain,
&errors)) {
ADD_FAILURE() << "Cert failed to parse:\n" << errors.ToDebugString();
return false;
}
}
scoped_refptr<TrustAnchor> trust_anchor =
TrustAnchor::CreateFromCertificateNoConstraints(input_chain.back());
input_chain.pop_back();
SimpleSignaturePolicy signature_policy(1024);
// Run all tests at the time the PKITS was published.
der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};
bool result = VerifyCertificateChain(input_chain, trust_anchor.get(),
&signature_policy, time, &errors);
// TODO(crbug.com/634443): Test errors on failure?
if (!result)
EXPECT_FALSE(errors.empty());
return result;
}
};
} // namespace
class PkitsTest01SignatureVerificationCustom
: public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
// Modified version of 4.1.4 Valid DSA Signatures Test4
TEST_F(PkitsTest01SignatureVerificationCustom,
Section1ValidDSASignaturesTest4Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
"ValidDSASignaturesTest4EE"};
const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"};
// DSA signatures are intentionally unsupported.
ASSERT_FALSE(this->Verify(certs, crls));
}
// Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5
TEST_F(PkitsTest01SignatureVerificationCustom,
Section1ValidDSAParameterInheritanceTest5Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
"DSAParametersInheritedCACert",
"ValidDSAParameterInheritanceTest5EE"};
const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL",
"DSAParametersInheritedCACRL"};
// DSA signatures are intentionally unsupported.
ASSERT_FALSE(this->Verify(certs, crls));
}
class PkitsTest13SignatureVerificationCustom
: public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
// Modified version of 4.13.21 Valid RFC822 nameConstraints Test21
TEST_F(PkitsTest13SignatureVerificationCustom,
Section13ValidRFC822nameConstraintsTest21Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate",
"nameConstraintsRFC822CA1Cert",
"ValidRFC822nameConstraintsTest21EE"};
const char* const crls[] = {"TrustAnchorRootCRL",
"nameConstraintsRFC822CA1CRL"};
// Name constraints on rfc822Names are not supported.
ASSERT_FALSE(this->Verify(certs, crls));
}
// Modified version of 4.13.23 Valid RFC822 nameConstraints Test23
TEST_F(PkitsTest13SignatureVerificationCustom,
Section13ValidRFC822nameConstraintsTest23Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate",
"nameConstraintsRFC822CA2Cert",
"ValidRFC822nameConstraintsTest23EE"};
const char* const crls[] = {"TrustAnchorRootCRL",
"nameConstraintsRFC822CA2CRL"};
// Name constraints on rfc822Names are not supported.
ASSERT_FALSE(this->Verify(certs, crls));
}
// Modified version of 4.13.25 Valid RFC822 nameConstraints Test25
TEST_F(PkitsTest13SignatureVerificationCustom,
Section13ValidRFC822nameConstraintsTest25Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate",
"nameConstraintsRFC822CA3Cert",
"ValidRFC822nameConstraintsTest25EE"};
const char* const crls[] = {"TrustAnchorRootCRL",
"nameConstraintsRFC822CA3CRL"};
// Name constraints on rfc822Names are not supported.
ASSERT_FALSE(this->Verify(certs, crls));
}
// Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27
TEST_F(PkitsTest13SignatureVerificationCustom,
Section13ValidDNandRFC822nameConstraintsTest27Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate",
"nameConstraintsDN1CACert",
"nameConstraintsDN1subCA3Cert",
"ValidDNandRFC822nameConstraintsTest27EE"};
const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL",
"nameConstraintsDN1subCA3CRL"};
// Name constraints on rfc822Names are not supported.
ASSERT_FALSE(this->Verify(certs, crls));
}
// Modified version of 4.13.34 Valid URI nameConstraints Test34
TEST_F(PkitsTest13SignatureVerificationCustom,
Section13ValidURInameConstraintsTest34Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate",
"nameConstraintsURI1CACert",
"ValidURInameConstraintsTest34EE"};
const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"};
// Name constraints on uniformResourceIdentifiers are not supported.
ASSERT_FALSE(this->Verify(certs, crls));
}
// Modified version of 4.13.36 Valid URI nameConstraints Test36
TEST_F(PkitsTest13SignatureVerificationCustom,
Section13ValidURInameConstraintsTest36Custom) {
const char* const certs[] = {"TrustAnchorRootCertificate",
"nameConstraintsURI2CACert",
"ValidURInameConstraintsTest36EE"};
const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"};
// Name constraints on uniformResourceIdentifiers are not supported.
ASSERT_FALSE(this->Verify(certs, crls));
}
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest01SignatureVerification,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest02ValidityPeriods,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest03VerifyingNameChaining,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest06VerifyingBasicConstraints,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest07KeyUsage,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest13NameConstraints,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest16PrivateCertificateExtensions,
VerifyCertificateChainPkitsTestDelegate);
// TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests,
// PkitsTest05VerifyingPathswithSelfIssuedCertificates,
// PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
// TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies,
// PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings,
// PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy
} // namespace net
|
