Diffstat (limited to 'security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp')
-rw-r--r--security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp146
1 files changed, 146 insertions, 0 deletions
diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
new file mode 100644
index 000000000..ff154e7ec
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -0,0 +1,146 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+class CreateEncodedOCSPRequestTrustDomain final
+ : public EverythingFailsByDefaultTrustDomain
+{
+private:
+ Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+ /*out*/ uint8_t *digestBuf, size_t digestBufLen)
+ override
+ {
+ return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
+ }
+
+ Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
+ override
+ {
+ return Success;
+ }
+};
+
+class pkixocsp_CreateEncodedOCSPRequest : public ::testing::Test
+{
+protected:
+ void MakeIssuerCertIDComponents(const char* issuerASCII,
+ /*out*/ ByteString& issuerDER,
+ /*out*/ ByteString& issuerSPKI)
+ {
+ issuerDER = CNToDERName(issuerASCII);
+ ASSERT_FALSE(ENCODING_FAILED(issuerDER));
+
+ ScopedTestKeyPair keyPair(GenerateKeyPair());
+ ASSERT_TRUE(keyPair.get());
+ issuerSPKI = keyPair->subjectPublicKeyInfo;
+ }
+
+ CreateEncodedOCSPRequestTrustDomain trustDomain;
+};
+
+// Test that the large length of the child serial number causes
+// CreateEncodedOCSPRequest to fail.
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest)
+{
+ static const uint8_t UNSUPPORTED_LEN = 128; // must be larger than 127
+
+ ByteString serialNumberString;
+ // tag + length + value is 1 + 2 + UNSUPPORTED_LEN
+ // Encoding the length takes two bytes: one byte to indicate that a
+ // second byte follows, and the second byte to indicate the length.
+ serialNumberString.push_back(0x80 + 1);
+ serialNumberString.push_back(UNSUPPORTED_LEN);
+ // value is 0x010000...00
+ serialNumberString.push_back(0x01);
+ for (size_t i = 1; i < UNSUPPORTED_LEN; ++i) {
+ serialNumberString.push_back(0x00);
+ }
+
+ ByteString issuerDER;
+ ByteString issuerSPKI;
+ ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+ issuerSPKI));
+
+ Input issuer;
+ ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+ Input spki;
+ ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+ Input serialNumber;
+ ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+ serialNumberString.length()));
+
+ uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+ size_t ocspRequestLength;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ CreateEncodedOCSPRequest(trustDomain,
+ CertID(issuer, spki, serialNumber),
+ ocspRequest, ocspRequestLength));
+}
+
+// Test that CreateEncodedOCSPRequest handles the longest serial number that
+// it's required to support (i.e. 20 octets).
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, LongestSupportedSerialNumberTest)
+{
+ static const uint8_t LONGEST_REQUIRED_LEN = 20;
+
+ ByteString serialNumberString;
+ // tag + length + value is 1 + 1 + LONGEST_REQUIRED_LEN
+ serialNumberString.push_back(der::INTEGER);
+ serialNumberString.push_back(LONGEST_REQUIRED_LEN);
+ serialNumberString.push_back(0x01);
+ // value is 0x010000...00
+ for (size_t i = 1; i < LONGEST_REQUIRED_LEN; ++i) {
+ serialNumberString.push_back(0x00);
+ }
+
+ ByteString issuerDER;
+ ByteString issuerSPKI;
+ ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+ issuerSPKI));
+
+ Input issuer;
+ ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+ Input spki;
+ ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+ Input serialNumber;
+ ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+ serialNumberString.length()));
+
+ uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+ size_t ocspRequestLength;
+ ASSERT_EQ(Success,
+ CreateEncodedOCSPRequest(trustDomain,
+ CertID(issuer, spki, serialNumber),
+ ocspRequest, ocspRequestLength));
+}
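Review bot: In ChildCertLongSerialNumberTest the serial number buffer is built without the INTEGER tag: the comment says "tag + length + value is 1 + 2 + UNSUPPORTED_LEN", but the first byte pushed is `0x80 + 1`, whereas LongestSupportedSerialNumberTest begins with `serialNumberString.push_back(der::INTEGER);`. As written the input is not the encoding the comment describes, so the expected `Result::ERROR_BAD_DER` may come from the malformed buffer or its overall size rather than from the long-form length being rejected; which check fires depends on CreateEncodedOCSPRequest, which is not part of this diff. Adding `serialNumberString.push_back(der::INTEGER);` before the two length bytes would make the negative case differ from the positive one only in the serial number's length, so the test pins the bound it is named for. The success test could also assert on `ocspRequestLength` (for example that it is non-zero and no larger than `OCSP_REQUEST_MAX_LENGTH`), since that variable is left uninitialised and never checked.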