diff options
Diffstat (limited to 'security/nss/cmd/libpkix/pkix/certsel')
-rwxr-xr-x | security/nss/cmd/libpkix/pkix/certsel/Makefile | 47 | ||||
-rwxr-xr-x | security/nss/cmd/libpkix/pkix/certsel/manifest.mn | 21 | ||||
-rw-r--r-- | security/nss/cmd/libpkix/pkix/certsel/test_certselector.c | 1683 | ||||
-rw-r--r-- | security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c | 800 |
4 files changed, 2551 insertions, 0 deletions
diff --git a/security/nss/cmd/libpkix/pkix/certsel/Makefile b/security/nss/cmd/libpkix/pkix/certsel/Makefile new file mode 100755 index 000000000..09ca5f1c6 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/certsel/Makefile @@ -0,0 +1,47 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +include $(PKIX_DEPTH)/config.mk + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include $(PLAT_DEPTH)/platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +include $(PLAT_DEPTH)/platrules.mk diff --git a/security/nss/cmd/libpkix/pkix/certsel/manifest.mn b/security/nss/cmd/libpkix/pkix/certsel/manifest.mn new file mode 100755 index 000000000..2e8198cb3 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/certsel/manifest.mn @@ -0,0 +1,21 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +PKIX_DEPTH = ../.. +PLAT_DEPTH = $(PKIX_DEPTH)/.. +CORE_DEPTH = $(PKIX_DEPTH)/../../.. + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = test_certselector.c \ + test_comcertselparams.c \ + $(NULL) + +LIBRARY_NAME=pkixtoolcertsel + +SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR) + +NO_MD_RELEASE = 1 diff --git a/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c b/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c new file mode 100644 index 000000000..cbe773779 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c @@ -0,0 +1,1683 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_certselector.c + * + * Test Cert Selector + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS 5 +#define PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS 2 +#define PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS 2 +#define PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS 4 +#define PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS 1 + +static void *plContext = NULL; + +/* + * The first three certs are used to obtain policies to test + * policy matching. Changing the table could break tests. + */ +static char *certList[] = { +#define POLICY1CERT 0 + "GoodCACert.crt", +#define ANYPOLICYCERT 1 + "anyPolicyCACert.crt", +#define POLICY2CERT 2 + "PoliciesP12CACert.crt", +#define SUBJECTCERT 3 + "PoliciesP3CACert.crt", + "PoliciesP1234CACert.crt", + "pathLenConstraint0CACert.crt", + "pathLenConstraint1CACert.crt", + "pathLenConstraint6CACert.crt", + "TrustAnchorRootCertificate.crt", + "GoodsubCACert.crt", + "AnyPolicyTest14EE.crt", + "UserNoticeQualifierTest16EE.crt" +}; +#define NUMCERTS (sizeof(certList) / sizeof(certList[0])) + +/* + * Following are Certs values for NameConstraints tests + * + * Cert0:nameConstraintsDN1subCA1Cert.crt: + * Subject:CN=nameConstraints DN1 subCA1,OU=permittedSubtree1, + * O=Test Certificates,C=US + * Permitted Name:(OU=permittedSubtree2,OU=permittedSubtree1, + * O=Test Certificates,C=US) + * Excluded Name: (EMPTY) + * Cert1:nameConstraintsDN3subCA2Cert.crt: + * Subject:CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US + * Permitted Name:(O=Test Certificates,C=US) + * Excluded Name:(EMPTY) + * Cert2:nameConstraintsDN2CACert.crt + * Subject:CN=nameConstraints DN2 CA,O=Test Certificates,C=US + * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US, + * OU=permittedSubtree2,O=Test Certificates,C=US) + * Excluded Name:(EMPTY) + * Cert3:nameConstraintsDN3subCA1Cert.crt + * Subject:CN=nameConstraints DN3 subCA1,O=Test Certificates,C=US + * Permitted Name:(EMPTY) + * Excluded Name:(OU=excludedSubtree2,O=Test Certificates,C=US) + * Cert4:nameConstraintsDN4CACert.crt + * Subject:CN=nameConstraints DN4 CA,O=Test Certificates,C=US + * Permitted Name:(EMPTY) + * Excluded Name:(OU=excludedSubtree1,O=Test Certificates,C=US, + * OU=excludedSubtree2,O=Test Certificates,C=US) + * Cert5:nameConstraintsDN5CACert.crt + * Subject:CN=nameConstraints DN5 CA,O=Test Certificates,C=US + * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US) + * Excluded Name:(OU=excludedSubtree1,OU=permittedSubtree1, + * O=Test Certificates,C=US) + * Cert6:ValidDNnameConstraintsTest1EE.crt + * Subject:CN=Valid DN nameConstraints EE Certificate Test1, + * OU=permittedSubtree1,O=Test Certificates,C=US + * + */ +static char *ncCertList[] = { + "nameConstraintsDN1subCA1Cert.crt", + "nameConstraintsDN3subCA2Cert.crt", + "nameConstraintsDN2CACert.crt", + "nameConstraintsDN3subCA1Cert.crt", + "nameConstraintsDN4CACert.crt", + "nameConstraintsDN5CACert.crt", + "ValidDNnameConstraintsTest1EE.crt" +}; +#define NUMNCCERTS (sizeof(ncCertList) / sizeof(ncCertList[0])) + +static char *sanCertList[] = { + "InvalidDNnameConstraintsTest3EE.crt", + "InvalidDNSnameConstraintsTest38EE.crt" +}; +#define NUMSANCERTS (sizeof(sanCertList) / sizeof(sanCertList[0])) + +/* + * This function calls the CertSelector pointed to by "selector" for each + * cert in the List pointed to by "certs", and compares the results against + * the bit array given by the UInt32 "expectedResults". If the first cert is + * expected to pass, the lower-order bit of "expectedResults" should be 1. + * If the second cert is expected to pass, the second bit of "expectedResults" + * should be 1, and so on. If more than 32 certs are provided, only the first + * 32 will be checked. It is not an error to provide more bits than needed. + * (For example, if you expect every cert to pass, "expectedResult" can be + * set to 0xFFFFFFFF, even if the chain has fewer than 32 certs.) + */ +static void +testSelector( + PKIX_CertSelector *selector, + PKIX_List *certs, + PKIX_UInt32 expectedResults) +{ + PKIX_UInt32 i = 0; + PKIX_UInt32 numCerts = 0; + PKIX_PL_Cert *cert = NULL; + PKIX_CertSelector_MatchCallback callback = NULL; + PKIX_Error *errReturn = NULL; + PKIX_Boolean result = PKIX_TRUE; + + PKIX_TEST_STD_VARS(); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(selector, &callback, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + if (numCerts > 32) { + numCerts = 32; + } + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); + errReturn = callback(selector, cert, &result, plContext); + + if (errReturn || result == PKIX_FALSE) { + if ((expectedResults & 1) == 1) { + testError("selector unexpectedly failed"); + (void)printf(" processing cert:\t%d\n", i); + } + } else { + if ((expectedResults & 1) == 0) { + testError("selector unexpectedly passed"); + (void)printf(" processing cert:\t%d\n", i); + } + } + + expectedResults = expectedResults >> 1; + PKIX_TEST_DECREF_BC(cert); + PKIX_TEST_DECREF_BC(errReturn); + } + +cleanup: + + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(errReturn); + + PKIX_TEST_RETURN(); +} + +/* + * This function gets a policy from the Cert pointed to by "cert", according + * to the index provided by "index", creates an immutable List containing the + * OID of that policy, and stores the result at "pPolicyList". + */ +static void +testGetPolicyFromCert( + PKIX_PL_Cert *cert, + PKIX_UInt32 index, + PKIX_List **pPolicyList) +{ + PKIX_List *policyInfo = NULL; + PKIX_PL_CertPolicyInfo *firstPolicy = NULL; + PKIX_PL_OID *policyOID = NULL; + PKIX_List *list = NULL; + + PKIX_TEST_STD_VARS(); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &policyInfo, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(policyInfo, + index, + (PKIX_PL_Object **)&firstPolicy, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(firstPolicy, &policyOID, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list, (PKIX_PL_Object *)policyOID, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(list, plContext)); + + *pPolicyList = list; + +cleanup: + + PKIX_TEST_DECREF_AC(policyInfo); + PKIX_TEST_DECREF_AC(firstPolicy); + PKIX_TEST_DECREF_AC(policyOID); + + PKIX_TEST_RETURN(); +} + +/* + * This custom matchCallback will pass any Certificate which has no + * CertificatePolicies extension and any Certificate whose Policies + * extension include a CertPolicyQualifier. + */ +static PKIX_Error * +custom_CertSelector_MatchCallback( + PKIX_CertSelector *selector, + PKIX_PL_Cert *cert, + PKIX_Boolean *pResult, + void *plContext) +{ + PKIX_UInt32 i = 0; + PKIX_UInt32 numPolicies = 0; + PKIX_List *certPolicies = NULL; + PKIX_List *quals = NULL; + PKIX_PL_CertPolicyInfo *policy = NULL; + PKIX_Error *error = NULL; + + PKIX_TEST_STD_VARS(); + + *pResult = PKIX_TRUE; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &certPolicies, plContext)); + + if (certPolicies) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certPolicies, &numPolicies, plContext)); + + for (i = 0; i < numPolicies; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certPolicies, + i, + (PKIX_PL_Object **)&policy, + plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(policy, &quals, plContext)); + if (quals) { + goto cleanup; + } + PKIX_TEST_DECREF_BC(policy); + } + PKIX_TEST_DECREF_BC(certPolicies); + *pResult = PKIX_FALSE; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(PKIX_CERTSELECTOR_ERROR, + NULL, + NULL, + PKIX_TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, + &error, + plContext)); + } + +cleanup: + + PKIX_TEST_DECREF_AC(certPolicies); + PKIX_TEST_DECREF_AC(policy); + PKIX_TEST_DECREF_AC(quals); + + return (error); +} + +/* + * This custom matchCallback will pass any Certificate whose + * CertificatePolicies extension asserts the Policy specified by + * the OID in the CertSelectorContext object. + */ +static PKIX_Error * +custom_CertSelector_MatchOIDCallback( + PKIX_CertSelector *selector, + PKIX_PL_Cert *cert, + PKIX_Boolean *pResult, + void *plContext) +{ + PKIX_UInt32 i = 0; + PKIX_UInt32 numPolicies = 0; + PKIX_Boolean match = PKIX_FALSE; + PKIX_PL_Object *certSelectorContext = NULL; + PKIX_PL_OID *constraintOID = NULL; + PKIX_List *certPolicies = NULL; + PKIX_PL_CertPolicyInfo *policy = NULL; + PKIX_PL_OID *policyOID = NULL; + PKIX_PL_String *errorDesc = NULL; + PKIX_Error *error = NULL; + + PKIX_TEST_STD_VARS(); + + *pResult = PKIX_TRUE; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCertSelectorContext(selector, &certSelectorContext, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType(certSelectorContext, PKIX_OID_TYPE, plContext)); + + constraintOID = (PKIX_PL_OID *)certSelectorContext; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &certPolicies, plContext)); + + if (certPolicies) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certPolicies, &numPolicies, plContext)); + + for (i = 0; i < numPolicies; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certPolicies, + i, + (PKIX_PL_Object **)&policy, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(policy, &policyOID, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)policyOID, + (PKIX_PL_Object *)constraintOID, + &match, + plContext)); + + if (match) { + goto cleanup; + } + PKIX_TEST_DECREF_BC(policy); + PKIX_TEST_DECREF_BC(policyOID); + } + } + + PKIX_TEST_DECREF_BC(certSelectorContext); + PKIX_TEST_DECREF_BC(certPolicies); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(PKIX_CERTSELECTOR_ERROR, + NULL, + NULL, + PKIX_TESTNOMATCHINGPOLICY, + &error, + plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(certSelectorContext); + PKIX_TEST_DECREF_AC(certPolicies); + PKIX_TEST_DECREF_AC(policy); + PKIX_TEST_DECREF_AC(policyOID); + PKIX_TEST_DECREF_AC(errorDesc); + + return (error); +} + +static void +testSubjectMatch( + PKIX_List *certs, + PKIX_PL_Cert *certNameToMatch) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *subjParams = NULL; + PKIX_PL_X500Name *subjectName = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("Subject name match"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&subjParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(certNameToMatch, &subjectName, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(subjParams, subjectName, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, subjParams, plContext)); + testSelector(selector, certs, 0x008); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(subjParams); + PKIX_TEST_DECREF_AC(subjectName); + + PKIX_TEST_RETURN(); +} + +static void +testBasicConstraintsMatch( + PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *bcParams = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("Basic Constraints match"); + subTest(" pathLenContraint = -2: pass only EE's"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&bcParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, -2, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); + testSelector(selector, certs, 0xC00); + + subTest(" pathLenContraint = -1: pass all certs"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, -1, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); + testSelector(selector, certs, 0xFFF); + + subTest(" pathLenContraint = 1: pass only certs with pathLen >= 1"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, 1, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); + testSelector(selector, certs, 0x3DF); + + subTest(" pathLenContraint = 2: pass only certs with pathLen >= 2"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, 2, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); + testSelector(selector, certs, 0x39F); + +cleanup: + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(bcParams); + + PKIX_TEST_RETURN(); +} + +static void testPolicyMatch( + PKIX_List *certs, + PKIX_PL_Cert *NIST1Cert, /* a source for policy NIST1 */ + PKIX_PL_Cert *NIST2Cert, /* a source for policy NIST2 */ + PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ +{ + PKIX_CertSelector *selector = NULL; + PKIX_List *emptyList = NULL; /* no members */ + PKIX_List *policy1List = NULL; /* OIDs */ + PKIX_List *policy2List = NULL; /* OIDs */ + PKIX_List *anyPolicyList = NULL; /* OIDs */ + PKIX_ComCertSelParams *polParams = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("Policy match"); + testGetPolicyFromCert(NIST1Cert, 0, &policy1List); + testGetPolicyFromCert(NIST2Cert, 1, &policy2List); + testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); + + subTest(" Pass certs with any CertificatePolicies extension"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, emptyList, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); + testSelector(selector, certs, 0xEFF); + PKIX_TEST_DECREF_BC(polParams); + + subTest(" Pass only certs with policy NIST1"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, policy1List, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); + testSelector(selector, certs, 0xEF5); + PKIX_TEST_DECREF_BC(polParams); + + subTest(" Pass only certs with policy NIST2"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, policy2List, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); + testSelector(selector, certs, 0x814); + PKIX_TEST_DECREF_BC(polParams); + + subTest(" Pass only certs with policy anyPolicy"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, anyPolicyList, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); + testSelector(selector, certs, 0x002); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(emptyList); + PKIX_TEST_DECREF_AC(policy1List); + PKIX_TEST_DECREF_AC(policy2List); + PKIX_TEST_DECREF_AC(anyPolicyList); + PKIX_TEST_DECREF_AC(polParams); + + PKIX_TEST_RETURN(); +} + +static void +testCertificateMatch( + PKIX_List *certs, + PKIX_PL_Cert *certToMatch) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("Certificate match"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(params, certToMatch, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + testSelector(selector, certs, 0x008); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(params); + + PKIX_TEST_RETURN(); +} + +static void +testNameConstraintsMatch(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_PL_CertNameConstraints *permitNameConstraints1 = NULL; + PKIX_PL_CertNameConstraints *permitNameConstraints2 = NULL; + PKIX_PL_CertNameConstraints *permitNameConstraints3 = NULL; + PKIX_PL_CertNameConstraints *excludeNameConstraints1 = NULL; + PKIX_PL_CertNameConstraints *excludeNameConstraints2 = NULL; + PKIX_PL_CertNameConstraints *excludeNameConstraints3 = NULL; + PKIX_UInt32 numCerts = 0; + + PKIX_TEST_STD_VARS(); + + subTest("test NameConstraints Cert Selector"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + subTest(" PKIX_PL_Cert_GetNameConstraints <cert0-permitted>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 0, (PKIX_PL_Object **)&cert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints1, plContext)); + PKIX_TEST_DECREF_BC(cert); + + subTest(" PKIX_PL_Cert_GetNameConstraints <cert1-permitted>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 1, (PKIX_PL_Object **)&cert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints2, plContext)); + PKIX_TEST_DECREF_BC(cert); + + subTest(" PKIX_PL_Cert_GetNameConstraints <cert2-permitted>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 2, (PKIX_PL_Object **)&cert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints3, plContext)); + PKIX_TEST_DECREF_BC(cert); + + subTest(" PKIX_PL_Cert_GetNameConstraints <cert3-excluded>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 3, (PKIX_PL_Object **)&cert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints1, plContext)); + PKIX_TEST_DECREF_BC(cert); + + subTest(" PKIX_PL_Cert_GetNameConstraints <cert4-excluded>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 4, (PKIX_PL_Object **)&cert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints2, plContext)); + PKIX_TEST_DECREF_BC(cert); + + subTest(" PKIX_PL_Cert_GetNameConstraints <cert5-excluded>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 5, (PKIX_PL_Object **)&cert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints3, plContext)); + PKIX_TEST_DECREF_BC(cert); + + subTest(" Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" CertNameConstraints testing permitted NONE"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints1, plContext)); + testSelector(selector, certs, 0x0); + + subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, NULL, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" CertNameConstraints testing permitted ALL"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints2, plContext)); + testSelector(selector, certs, 0x07F); + + subTest(" CertNameConstraints testing permitted TWO"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints3, plContext)); + testSelector(selector, certs, 0x0041); + + subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, NULL, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" CertNameConstraints testing excluded"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints1, plContext)); + testSelector(selector, certs, 0x07F); + + subTest(" CertNameConstraints testing excluded"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints2, plContext)); + testSelector(selector, certs, 0x07F); + + subTest(" CertNameConstraints testing excluded"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints3, plContext)); + testSelector(selector, certs, 0x41); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(permitNameConstraints1); + PKIX_TEST_DECREF_AC(permitNameConstraints2); + PKIX_TEST_DECREF_AC(permitNameConstraints3); + PKIX_TEST_DECREF_AC(excludeNameConstraints1); + PKIX_TEST_DECREF_AC(excludeNameConstraints2); + PKIX_TEST_DECREF_AC(excludeNameConstraints3); + + PKIX_TEST_RETURN(); +} + +static void +testPathToNamesMatch(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_List *nameList = NULL; + PKIX_PL_GeneralName *name = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test PathToName Cert Selector"); + + subTest(" PKIX_PL_GeneralName List create"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); + + subTest(" Add directory name <O=NotATest Certificates,C=US>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, + "O=NotATest Certificates,C=US", + plContext); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); + + subTest(" Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" PKIX_ComCertSelParams_SetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); + + subTest(" Permitting THREE"); + testSelector(selector, certs, 0x58); + + subTest(" Remove directory name <O=NotATest Certificates,C=US...>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(nameList, 0, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" Add directory name <OU=permittedSubtree1,O=Test...>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, + "OU=permittedSubtree1,O=Test Certificates,C=US", + plContext); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); + + subTest(" PKIX_ComCertSelParams_SetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); + + subTest(" Permitting SIX"); + testSelector(selector, certs, 0x5F); + + subTest(" Remove directory name <OU=permittedSubtree1,O=Test...>"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(nameList, 0, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" Add directory name <O=Test Certificates,C=US...>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, + "O=Test Certificates,C=US", + plContext); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" PKIX_ComCertSelParams_SetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); + + subTest(" Permitting FOUR"); + testSelector(selector, certs, 0x47); + + subTest(" Only directory name <OU=permittedSubtree1,O=Test ...>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, + "OU=permittedSubtree1,O=Test Certificates,C=US", + plContext); + + subTest(" PKIX_ComCertSelParams_AddPathToName"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName(params, name, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" Permitting FOUR"); + testSelector(selector, certs, 0x47); + + subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + PKIX_TEST_DECREF_BC(nameList); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); + + subTest(" Add directory name <CN=Valid DN nameConstraints EE...>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, "CN=Valid DN nameConstraints EE " + "Certificate Test1,OU=permittedSubtree1," + "O=Test Certificates,C=US", + plContext); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" PKIX_ComCertSelParams_SetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); + + subTest(" Permitting SIX"); + testSelector(selector, certs, 0x7e); + + subTest(" Add directory name <OU=permittedSubtree1,O=Test>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, + "OU=permittedSubtree1,O=Test", + plContext); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" PKIX_ComCertSelParams_SetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); + + subTest(" Permitting SIX"); + testSelector(selector, certs, 0x58); + + subTest(" Add directory name <O=Test Certificates,C=US>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext); + + subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName(params, name, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" Permitting FOUR"); + testSelector(selector, certs, 0x47); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(nameList); + + PKIX_TEST_RETURN(); +} + +static void +testSubjAltNamesMatch(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_List *nameList = NULL; + PKIX_PL_GeneralName *name = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test SubjAltNames Cert Selector"); + + subTest(" PKIX_PL_GeneralName List create"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); + + subTest(" Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" Add directory name <CN=Invalid DN nameConstraints EE...>"); + name = createGeneralName(PKIX_DIRECTORY_NAME, + "CN=Invalid DN nameConstraints EE Certificate Test3," + "OU=excludedSubtree1,O=Test Certificates,C=US", + plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); + + subTest(" PKIX_ComCertSelParams_SetSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames(params, nameList, plContext)); + + PKIX_TEST_DECREF_BC(name); + PKIX_TEST_DECREF_BC(nameList); + + subTest(" Permitting ONE"); + testSelector(selector, certs, 0x1); + + subTest(" Add DNS name <mytestcertificates.gov>"); + name = createGeneralName(PKIX_DNS_NAME, + "mytestcertificates.gov", + plContext); + + subTest(" PKIX_ComCertSelParams_AddSubjAltName"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(params, name, plContext)); + PKIX_TEST_DECREF_BC(name); + + subTest(" Permitting NONE"); + testSelector(selector, certs, 0x0); + + subTest(" PKIX_ComCertSelParams_SetMatchAllSubjAltNames to FALSE"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(params, PKIX_FALSE, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" Permitting TWO"); + testSelector(selector, certs, 0x3); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(name); + PKIX_TEST_DECREF_AC(nameList); + + PKIX_TEST_RETURN(); +} + +static void +testCertificateValidMatch( + PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_PL_String *stringRep = NULL; + PKIX_PL_Date *testDate = NULL; + char *asciiRep = "050501000000Z"; + + PKIX_TEST_STD_VARS(); + + subTest("CertificateValid match"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(params, testDate, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + testSelector(selector, certs, 0xFFFFFFFF); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(stringRep); + PKIX_TEST_DECREF_AC(testDate); + + PKIX_TEST_RETURN(); +} + +static void +test_customCallback1(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("custom matchCallback"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(custom_CertSelector_MatchCallback, + NULL, + &selector, + plContext)); + + testSelector(selector, certs, 0x900); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + + PKIX_TEST_RETURN(); +} + +static void test_customCallback2(PKIX_List *certs, + PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ +{ + PKIX_CertSelector *selector = NULL; + PKIX_List *anyPolicyList = NULL; /* OIDs */ + PKIX_PL_OID *policyOID = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("custom matchCallback with CertSelectorContext"); + + testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(anyPolicyList, 0, (PKIX_PL_Object **)&policyOID, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(custom_CertSelector_MatchOIDCallback, + (PKIX_PL_Object *)policyOID, + &selector, + plContext)); + + testSelector(selector, certs, (1 << ANYPOLICYCERT)); + +cleanup: + + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(anyPolicyList); + PKIX_TEST_DECREF_AC(policyOID); + + PKIX_TEST_RETURN(); +} + +static void +testExtendedKeyUsageMatch(char *certDir) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_OID *ekuOid = NULL; + PKIX_List *ekuOidList = NULL; + PKIX_PL_String *dirString = NULL; + PKIX_CertStore_CertCallback certCallback; + PKIX_CertStore *certStore = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_List *certList = NULL; + PKIX_UInt32 numCert = 0; + void *nbioContext = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test Extended KeyUsage Cert Selector"); + + subTest(" PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest(" Create Extended Key Usage OID List"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&ekuOidList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.2", &ekuOid, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); + + PKIX_TEST_DECREF_BC(ekuOid); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.3", &ekuOid, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); + + PKIX_TEST_DECREF_BC(ekuOid); + + subTest(" PKIX_ComCertSelParams_SetExtendedKeyUsage"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage(goodParams, ekuOidList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); + + subTest(" PKIX_PL_CollectionCertStoreContext_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); + + subTest(" PKIX_CertSelector_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); + + subTest(" PKIX_CertStore_GetCertCallback"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); + + subTest(" Getting data from Cert Callback"); + PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); + + if (numCert != PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS) { + pkixTestErrorMsg = "unexpected Cert number mismatch"; + } + +cleanup: + + PKIX_TEST_DECREF_AC(ekuOid); + PKIX_TEST_DECREF_AC(ekuOidList); + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(certList); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(certStore); + + PKIX_TEST_RETURN(); +} + +static void +testKeyUsageMatch(char *certDir) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_String *dirString = NULL; + PKIX_CertStore_CertCallback certCallback; + PKIX_CertStore *certStore = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_List *certList = NULL; + PKIX_UInt32 numCert = 0; + void *nbioContext = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test KeyUsage Cert Selector"); + + subTest(" PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest(" PKIX_ComCertSelParams_SetKeyUsage"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage(goodParams, PKIX_CRL_SIGN, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); + + subTest(" PKIX_PL_CollectionCertStoreContext_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); + + subTest(" PKIX_CertSelector_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); + + subTest(" PKIX_CertStore_GetCertCallback"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); + + subTest(" Getting data from Cert Callback"); + PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); + + if (numCert != PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS) { + pkixTestErrorMsg = "unexpected Cert number mismatch"; + } + +cleanup: + + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(certList); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(certStore); + + PKIX_TEST_RETURN(); +} + +static void +testCertValidMatch(char *certDir) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_Date *validDate = NULL; + PKIX_PL_String *dirString = NULL; + PKIX_CertStore_CertCallback certCallback; + PKIX_CertStore *certStore = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_List *certList = NULL; + PKIX_UInt32 numCert = 0; + void *nbioContext = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test CertValid Cert Selector"); + + subTest(" PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + validDate = createDate("050601000000Z", plContext); + + subTest(" PKIX_ComCertSelParams_SetCertificateValid"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(goodParams, validDate, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); + + subTest(" PKIX_PL_CollectionCertStoreContext_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); + + subTest(" PKIX_CertSelector_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); + + subTest(" PKIX_CertStore_GetCertCallback"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); + + subTest(" Getting data from Cert Callback"); + PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); + + if (numCert != PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS) { + pkixTestErrorMsg = "unexpected Cert number mismatch"; + } + +cleanup: + + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(validDate); + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(certList); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(certStore); + + PKIX_TEST_RETURN(); +} + +static void +testIssuerMatch(char *certDir) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_X500Name *issuer = NULL; + PKIX_PL_String *issuerStr = NULL; + PKIX_PL_String *dirString = NULL; + PKIX_CertStore_CertCallback certCallback; + PKIX_CertStore *certStore = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_List *certList = NULL; + char *issuerName = "CN=science,O=mit,C=US"; + PKIX_UInt32 numCert = 0; + void *nbioContext = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test Issuer Cert Selector"); + + subTest(" PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, issuerName, 0, &issuerStr, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuerStr, &issuer, plContext)); + + subTest(" PKIX_ComCertSelParams_SetIssuer"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer(goodParams, issuer, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); + + subTest(" PKIX_PL_CollectionCertStoreContext_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); + + subTest(" PKIX_CertSelector_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); + + subTest(" PKIX_CertStore_GetCertCallback"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); + + subTest(" Getting data from Cert Callback"); + PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); + + if (numCert != PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS) { + pkixTestErrorMsg = "unexpected Cert number mismatch"; + } + +cleanup: + + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(issuer); + PKIX_TEST_DECREF_AC(issuerStr); + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(certList); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(certStore); + + PKIX_TEST_RETURN(); +} + +static void +testSerialNumberVersionMatch(char *certDir) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_BigInt *serialNumber = NULL; + PKIX_PL_String *serialNumberStr = NULL; + PKIX_PL_String *dirString = NULL; + PKIX_CertStore_CertCallback certCallback; + PKIX_CertStore *certStore = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_List *certList = NULL; + PKIX_UInt32 numCert = 0; + void *nbioContext = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test Serial Number Cert Selector"); + + subTest(" PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "01", 0, &serialNumberStr, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(serialNumberStr, &serialNumber, plContext)); + + subTest(" PKIX_ComCertSelParams_SetSerialNumber"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber(goodParams, serialNumber, plContext)); + + subTest(" PKIX_ComCertSelParams_SetVersion"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 0, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); + + subTest(" PKIX_PL_CollectionCertStoreContext_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); + + subTest(" PKIX_CertSelector_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); + + subTest(" PKIX_CertStore_GetCertCallback"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); + + subTest(" Getting data from Cert Callback"); + PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); + + PKIX_TEST_DECREF_BC(certList); + + if (numCert != 0) { + pkixTestErrorMsg = "unexpected Version mismatch"; + } + + subTest(" PKIX_ComCertSelParams_SetVersion"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 2, plContext)); + + subTest(" Getting data from Cert Callback"); + PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); + + if (numCert != PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS) { + pkixTestErrorMsg = "unexpected Serial Number mismatch"; + } + +cleanup: + + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(serialNumber); + PKIX_TEST_DECREF_AC(serialNumberStr); + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(certList); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(certStore); + + PKIX_TEST_RETURN(); +} + +static void +testSubjKeyIdMatch(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_PL_ByteArray *selSubjKeyId = NULL; + PKIX_UInt32 item = 0; + + PKIX_TEST_STD_VARS(); + + subTest("test Subject Key Id Cert Selector"); + + item = 2; + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); + + subTest(" PKIX_PL_Cert_GetSubjectKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(cert, &selSubjKeyId, plContext)); + + subTest(" Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" PKIX_ComCertSelParams_SetSubjKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier(params, selSubjKeyId, plContext)); + + subTest(" Select One"); + testSelector(selector, certs, 1 << item); + +cleanup: + + PKIX_TEST_DECREF_AC(selSubjKeyId); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(selector); + + PKIX_TEST_RETURN(); +} + +static void +testAuthKeyIdMatch(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_PL_ByteArray *selAuthKeyId = NULL; + PKIX_UInt32 item = 0; + + PKIX_TEST_STD_VARS(); + + subTest("test Auth Key Id Cert Selector"); + + item = 3; + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); + + subTest(" PKIX_PL_Cert_GetAuthorityKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier(cert, &selAuthKeyId, plContext)); + + subTest(" Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" PKIX_ComCertSelParams_SetAuthorityKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(params, selAuthKeyId, plContext)); + + subTest(" Select TWO"); + testSelector(selector, certs, (1 << item) | (1 << 1)); + +cleanup: + + PKIX_TEST_DECREF_AC(selAuthKeyId); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(selector); + + PKIX_TEST_RETURN(); +} + +static void +testSubjPKAlgIdMatch(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_PL_OID *selAlgId = NULL; + PKIX_UInt32 item = 0; + + PKIX_TEST_STD_VARS(); + + subTest("test Subject Public Key Algorithm Id Cert Selector"); + + item = 0; + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); + + subTest(" PKIX_PL_Cert_GetSubjectPublicKeyAlgId"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId(cert, &selAlgId, plContext)); + + subTest(" Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" PKIX_ComCertSelParams_SetSubjPKAlgId"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId(params, selAlgId, plContext)); + + subTest(" Select All"); + testSelector(selector, certs, 0x7F); + +cleanup: + + PKIX_TEST_DECREF_AC(selAlgId); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(selector); + + PKIX_TEST_RETURN(); +} + +static void +testSubjPublicKeyMatch(PKIX_List *certs) +{ + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *params = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_PL_PublicKey *selPublicKey = NULL; + PKIX_UInt32 item = 0; + + PKIX_TEST_STD_VARS(); + + subTest("test Subject Public Key Cert Selector"); + + item = 5; + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); + + subTest(" PKIX_PL_Cert_GetSubjectPublicKey"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(cert, &selPublicKey, plContext)); + + subTest(" Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); + + subTest(" PKIX_ComCertSelParams_SetSubjPubKey"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey(params, selPublicKey, plContext)); + + subTest(" Select ONE"); + testSelector(selector, certs, 1 << item); + +cleanup: + + PKIX_TEST_DECREF_AC(selPublicKey); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(params); + PKIX_TEST_DECREF_AC(selector); + + PKIX_TEST_RETURN(); +} + +static void +test_CertSelector_Duplicate(PKIX_CertSelector *selector) +{ + PKIX_Int32 goodBasicConstraints = 0; + PKIX_Int32 equalBasicConstraints = 0; + PKIX_CertSelector *dupSelector = NULL; + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_ComCertSelParams *equalParams = NULL; + PKIX_CertSelector_MatchCallback goodCallback = NULL; + PKIX_CertSelector_MatchCallback equalCallback = NULL; + PKIX_PL_X500Name *goodSubject = NULL; + PKIX_PL_X500Name *equalSubject = NULL; + PKIX_List *goodPolicy = NULL; + PKIX_List *equalPolicy = NULL; + PKIX_PL_Cert *goodCert = NULL; + PKIX_PL_Cert *equalCert = NULL; + PKIX_PL_Date *goodDate = NULL; + PKIX_PL_Date *equalDate = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("test_CertSelector_Duplicate"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)selector, + (PKIX_PL_Object **)&dupSelector, + plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams(selector, &goodParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams(dupSelector, &equalParams, plContext)); + /* There is no equals function, so look at components separately. */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(goodParams, &goodSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); + if (goodSubject && equalSubject) { + testEqualsHelper((PKIX_PL_Object *)goodSubject, + (PKIX_PL_Object *)equalSubject, + PKIX_TRUE, + plContext); + } else { + if + PKIX_EXACTLY_ONE_NULL(goodSubject, equalSubject) + { + pkixTestErrorMsg = "Subject Names are not equal!"; + goto cleanup; + } + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(goodParams, &goodPolicy, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicy, plContext)); + if (goodPolicy && equalPolicy) { + testEqualsHelper((PKIX_PL_Object *)goodPolicy, + (PKIX_PL_Object *)equalPolicy, + PKIX_TRUE, + plContext); + } else { + if + PKIX_EXACTLY_ONE_NULL(goodPolicy, equalPolicy) + { + pkixTestErrorMsg = "Policy Lists are not equal!"; + goto cleanup; + } + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(goodParams, &goodCert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(equalParams, &equalCert, plContext)); + if (goodCert && equalCert) { + testEqualsHelper((PKIX_PL_Object *)goodCert, + (PKIX_PL_Object *)equalCert, + PKIX_TRUE, + plContext); + } else { + if + PKIX_EXACTLY_ONE_NULL(goodCert, equalCert) + { + pkixTestErrorMsg = "Cert Lists are not equal!"; + goto cleanup; + } + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(goodParams, &goodDate, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(equalParams, &equalDate, plContext)); + if (goodCert && equalCert) { + testEqualsHelper((PKIX_PL_Object *)goodDate, + (PKIX_PL_Object *)equalDate, + PKIX_TRUE, + plContext); + } else { + if + PKIX_EXACTLY_ONE_NULL(goodDate, equalDate) + { + pkixTestErrorMsg = "Date Lists are not equal!"; + goto cleanup; + } + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(goodParams, &goodBasicConstraints, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalBasicConstraints, plContext)); + if (goodBasicConstraints != equalBasicConstraints) { + pkixTestErrorMsg = "BasicConstraints are not equal!"; + goto cleanup; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(selector, &goodCallback, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(dupSelector, &equalCallback, plContext)); + if (goodCallback != equalCallback) { + pkixTestErrorMsg = "MatchCallbacks are not equal!"; + } + +cleanup: + + PKIX_TEST_DECREF_AC(dupSelector); + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(equalParams); + PKIX_TEST_DECREF_AC(goodSubject); + PKIX_TEST_DECREF_AC(equalSubject); + PKIX_TEST_DECREF_AC(goodPolicy); + PKIX_TEST_DECREF_AC(equalPolicy); + PKIX_TEST_DECREF_AC(goodCert); + PKIX_TEST_DECREF_AC(equalCert); + PKIX_TEST_DECREF_AC(goodDate); + PKIX_TEST_DECREF_AC(equalDate); + + PKIX_TEST_RETURN(); +} + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\ttest_certselector <NIST_FILES_DIR> <cert-dir>\n\n"); +} + +int +test_certselector(int argc, char *argv[]) +{ + + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_UInt32 actualMinorVersion; + + PKIX_CertSelector *emptySelector = NULL; + PKIX_List *certs = NULL; + PKIX_List *nameConstraintsCerts = NULL; + PKIX_List *subjAltNamesCerts = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_PL_Cert *policy1Cert = NULL; + PKIX_PL_Cert *policy2Cert = NULL; + PKIX_PL_Cert *anyPolicyCert = NULL; + PKIX_PL_Cert *subjectCert = NULL; + PKIX_ComCertSelParams *selParams = NULL; + char *certDir = NULL; + char *dirName = NULL; + + PKIX_TEST_STD_VARS(); + + startTests("CertSelector"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + if (argc < 3) { + printUsage(); + return (0); + } + + dirName = argv[j + 1]; + certDir = argv[j + 3]; + + /* Create a List of certs to use in testing the selector */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); + + for (i = 0; i < NUMCERTS; i++) { + + cert = createCert(dirName, certList[i], plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs, (PKIX_PL_Object *)cert, plContext)); + if (i == POLICY1CERT) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); + policy1Cert = cert; + } + if (i == ANYPOLICYCERT) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); + anyPolicyCert = cert; + } + if (i == POLICY2CERT) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); + policy2Cert = cert; + } + if (i == SUBJECTCERT) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); + subjectCert = cert; + } + PKIX_TEST_DECREF_BC(cert); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameConstraintsCerts, plContext)); + + for (i = 0; i < NUMNCCERTS; i++) { + + cert = createCert(dirName, ncCertList[i], plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameConstraintsCerts, + (PKIX_PL_Object *)cert, + plContext)); + + PKIX_TEST_DECREF_BC(cert); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&subjAltNamesCerts, plContext)); + + for (i = 0; i < NUMSANCERTS; i++) { + + cert = createCert(dirName, sanCertList[i], plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(subjAltNamesCerts, + (PKIX_PL_Object *)cert, + plContext)); + + PKIX_TEST_DECREF_BC(cert); + } + + subTest("test_CertSelector_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &emptySelector, plContext)); + + subTest("Default Match, no parameters set"); + testSelector(emptySelector, certs, 0xFFFFFFFF); + + testSubjectMatch(certs, subjectCert); + + testBasicConstraintsMatch(certs); + + testPolicyMatch(certs, policy1Cert, policy2Cert, anyPolicyCert); + + testCertificateMatch(certs, subjectCert); + + testCertificateValidMatch(certs); + + subTest("Combination: pass only EE certs that assert some policy"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&selParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(selParams, -2, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(emptySelector, selParams, plContext)); + testSelector(emptySelector, certs, 0xC00); + + testNameConstraintsMatch(nameConstraintsCerts); + + testPathToNamesMatch(nameConstraintsCerts); + + testSubjAltNamesMatch(subjAltNamesCerts); + + testExtendedKeyUsageMatch(certDir); + + testKeyUsageMatch(certDir); + + testIssuerMatch(certDir); + + testSerialNumberVersionMatch(certDir); + + testCertValidMatch(certDir); + + testSubjKeyIdMatch(nameConstraintsCerts); + + testAuthKeyIdMatch(nameConstraintsCerts); + + testSubjPKAlgIdMatch(nameConstraintsCerts); + + testSubjPublicKeyMatch(nameConstraintsCerts); + + test_CertSelector_Duplicate(emptySelector); + + test_customCallback1(certs); + + test_customCallback2(certs, anyPolicyCert); + + subTest("test_CertSelector_Destroy"); + + PKIX_TEST_DECREF_BC(emptySelector); + +cleanup: + + PKIX_TEST_DECREF_AC(emptySelector); + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(policy1Cert); + PKIX_TEST_DECREF_AC(policy2Cert); + PKIX_TEST_DECREF_AC(anyPolicyCert); + PKIX_TEST_DECREF_AC(subjectCert); + PKIX_TEST_DECREF_AC(selParams); + PKIX_TEST_DECREF_AC(nameConstraintsCerts); + PKIX_TEST_DECREF_AC(subjAltNamesCerts); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("CertSelector"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c b/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c new file mode 100644 index 000000000..57f192a42 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c @@ -0,0 +1,800 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_comcertselparams.c + * + * Test Common Cert Selector Params + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +static void *plContext = NULL; + +static void +test_CreateOIDList(PKIX_List *certPolicyInfos, PKIX_List **pPolicyOIDs) +{ + PKIX_UInt32 i = 0; + PKIX_UInt32 numInfos = 0; + PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL; + PKIX_PL_OID *policyOID = NULL; + PKIX_List *certPolicies = NULL; + + PKIX_TEST_STD_VARS(); + + /* Convert from List of CertPolicyInfos to List of OIDs */ + if (certPolicyInfos) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certPolicyInfos, &numInfos, plContext)); + } + + if (numInfos > 0) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certPolicies, plContext)); + } + for (i = 0; i < numInfos; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certPolicyInfos, + i, + (PKIX_PL_Object **)&certPolicyInfo, + plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(certPolicyInfo, &policyOID, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certPolicies, (PKIX_PL_Object *)policyOID, plContext)); + PKIX_TEST_DECREF_BC(certPolicyInfo); + PKIX_TEST_DECREF_BC(policyOID); + } + + *pPolicyOIDs = certPolicies; + +cleanup: + + PKIX_TEST_DECREF_AC(certPolicyInfo); + PKIX_TEST_DECREF_AC(policyOID); + + PKIX_TEST_RETURN(); +} + +static void +test_NameConstraints(char *dirName) +{ + PKIX_PL_Cert *goodCert = NULL; + PKIX_PL_CertNameConstraints *getNameConstraints = NULL; + PKIX_PL_CertNameConstraints *setNameConstraints = NULL; + PKIX_ComCertSelParams *goodParams = NULL; + char *expectedAscii = + "[\n" + "\t\tPermitted Name: (OU=permittedSubtree1," + "O=Test Certificates,C=US, OU=permittedSubtree2," + "O=Test Certificates,C=US)\n" + "\t\tExcluded Name: (EMPTY)\n" + "\t]\n"; + + PKIX_TEST_STD_VARS(); + + subTest("Create Cert for NameConstraints test"); + + goodCert = createCert(dirName, "nameConstraintsDN2CACert.crt", plContext); + + subTest("PKIX_PL_Cert_GetNameConstraints"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(goodCert, &setNameConstraints, plContext)); + + subTest("PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetNameConstraints"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(goodParams, setNameConstraints, plContext)); + + subTest("PKIX_ComCertSelParams_GetNameConstraints"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetNameConstraints(goodParams, &getNameConstraints, plContext)); + + subTest("Compare NameConstraints"); + testEqualsHelper((PKIX_PL_Object *)setNameConstraints, + (PKIX_PL_Object *)getNameConstraints, + PKIX_TRUE, + plContext); + + subTest("Compare NameConstraints with canned string"); + testToStringHelper((PKIX_PL_Object *)getNameConstraints, + expectedAscii, + plContext); + +cleanup: + + PKIX_TEST_DECREF_AC(goodCert); + PKIX_TEST_DECREF_AC(getNameConstraints); + PKIX_TEST_DECREF_AC(setNameConstraints); + PKIX_TEST_DECREF_AC(goodParams); + + PKIX_TEST_RETURN(); +} + +static void +test_PathToNames(void) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_List *setGenNames = NULL; + PKIX_List *getGenNames = NULL; + PKIX_PL_GeneralName *rfc822GenName = NULL; + PKIX_PL_GeneralName *dnsGenName = NULL; + PKIX_PL_GeneralName *dirGenName = NULL; + PKIX_PL_GeneralName *uriGenName = NULL; + PKIX_PL_GeneralName *oidGenName = NULL; + char *rfc822Name = "john.doe@labs.com"; + char *dnsName = "comcast.net"; + char *dirName = "cn=john, ou=labs, o=sun, c=us"; + char *uriName = "http://comcast.net"; + char *oidName = "1.2.840.11"; + char *expectedAscii = + "(john.doe@labs.com, " + "comcast.net, " + "CN=john,OU=labs,O=sun,C=us, " + "http://comcast.net)"; + char *expectedAsciiAll = + "(john.doe@labs.com, " + "comcast.net, " + "CN=john,OU=labs,O=sun,C=us, " + "http://comcast.net, " + "1.2.840.11)"; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_PL_GeneralName_Create"); + dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext); + uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext); + oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext); + dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext); + rfc822GenName = createGeneralName(PKIX_RFC822_NAME, + rfc822Name, + plContext); + + subTest("PKIX_PL_GeneralName List create and append"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dnsGenName, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dirGenName, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)uriGenName, plContext)); + + subTest("PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(goodParams, setGenNames, plContext)); + + subTest("PKIX_ComCertSelParams_GetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPathToNames(goodParams, &getGenNames, plContext)); + + subTest("Compare GeneralName List"); + testEqualsHelper((PKIX_PL_Object *)setGenNames, + (PKIX_PL_Object *)getGenNames, + PKIX_TRUE, + plContext); + + subTest("Compare GeneralName List with canned string"); + testToStringHelper((PKIX_PL_Object *)getGenNames, + expectedAscii, + plContext); + + subTest("PKIX_ComCertSelParams_AddPathToName"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName(goodParams, oidGenName, plContext)); + + PKIX_TEST_DECREF_BC(getGenNames); + + subTest("PKIX_ComCertSelParams_GetPathToNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPathToNames(goodParams, &getGenNames, plContext)); + + subTest("Compare GeneralName List with canned string"); + testToStringHelper((PKIX_PL_Object *)getGenNames, + expectedAsciiAll, + plContext); + +cleanup: + + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(setGenNames); + PKIX_TEST_DECREF_AC(getGenNames); + PKIX_TEST_DECREF_AC(rfc822GenName); + PKIX_TEST_DECREF_AC(dnsGenName); + PKIX_TEST_DECREF_AC(dirGenName); + PKIX_TEST_DECREF_AC(uriGenName); + PKIX_TEST_DECREF_AC(oidGenName); + + PKIX_TEST_RETURN(); +} + +static void +test_SubjAltNames(void) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_List *setGenNames = NULL; + PKIX_List *getGenNames = NULL; + PKIX_PL_GeneralName *rfc822GenName = NULL; + PKIX_PL_GeneralName *dnsGenName = NULL; + PKIX_PL_GeneralName *dirGenName = NULL; + PKIX_PL_GeneralName *uriGenName = NULL; + PKIX_PL_GeneralName *oidGenName = NULL; + PKIX_Boolean matchAll = PKIX_TRUE; + char *rfc822Name = "john.doe@labs.com"; + char *dnsName = "comcast.net"; + char *dirName = "cn=john, ou=labs, o=sun, c=us"; + char *uriName = "http://comcast.net"; + char *oidName = "1.2.840.11"; + char *expectedAscii = + "(john.doe@labs.com, " + "comcast.net, " + "CN=john,OU=labs,O=sun,C=us, " + "http://comcast.net)"; + char *expectedAsciiAll = + "(john.doe@labs.com, " + "comcast.net, " + "CN=john,OU=labs,O=sun,C=us, " + "http://comcast.net, " + "1.2.840.11)"; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_PL_GeneralName_Create"); + dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext); + uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext); + oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext); + dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext); + rfc822GenName = createGeneralName(PKIX_RFC822_NAME, + rfc822Name, + plContext); + + subTest("PKIX_PL_GeneralName List create and append"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dnsGenName, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dirGenName, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)uriGenName, plContext)); + + subTest("PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames(goodParams, setGenNames, plContext)); + + subTest("PKIX_ComCertSelParams_GetSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames(goodParams, &getGenNames, plContext)); + + subTest("Compare GeneralName List"); + testEqualsHelper((PKIX_PL_Object *)setGenNames, + (PKIX_PL_Object *)getGenNames, + PKIX_TRUE, + plContext); + + subTest("Compare GeneralName List with canned string"); + testToStringHelper((PKIX_PL_Object *)getGenNames, + expectedAscii, + plContext); + + subTest("PKIX_ComCertSelParams_AddSubjAltName"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(goodParams, oidGenName, plContext)); + + PKIX_TEST_DECREF_BC(getGenNames); + + subTest("PKIX_ComCertSelParams_GetSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames(goodParams, &getGenNames, plContext)); + + subTest("Compare GeneralName List with canned string"); + testToStringHelper((PKIX_PL_Object *)getGenNames, + expectedAsciiAll, + plContext); + + subTest("PKIX_ComCertSelParams_GetMatchAllSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames(goodParams, &matchAll, plContext)); + if (matchAll != PKIX_TRUE) { + testError("unexpected mismatch <expect TRUE>"); + } + + subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(goodParams, PKIX_FALSE, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames(goodParams, &matchAll, plContext)); + if (matchAll != PKIX_FALSE) { + testError("unexpected mismatch <expect FALSE>"); + } + +cleanup: + + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(setGenNames); + PKIX_TEST_DECREF_AC(getGenNames); + PKIX_TEST_DECREF_AC(rfc822GenName); + PKIX_TEST_DECREF_AC(dnsGenName); + PKIX_TEST_DECREF_AC(dirGenName); + PKIX_TEST_DECREF_AC(uriGenName); + PKIX_TEST_DECREF_AC(oidGenName); + + PKIX_TEST_RETURN(); +} + +static void +test_KeyUsages(void) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_OID *ekuOid = NULL; + PKIX_List *setExtKeyUsage = NULL; + PKIX_List *getExtKeyUsage = NULL; + PKIX_UInt32 getKeyUsage = 0; + PKIX_UInt32 setKeyUsage = 0x1FF; + PKIX_Boolean isEqual = PKIX_FALSE; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetKeyUsage"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage(goodParams, setKeyUsage, plContext)); + + subTest("PKIX_ComCertSelParams_GetKeyUsage"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetKeyUsage(goodParams, &getKeyUsage, plContext)); + + if (setKeyUsage != getKeyUsage) { + testError("unexpected KeyUsage mismatch <expect equal>"); + } + + subTest("PKIX_PL_OID List create and append"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setExtKeyUsage, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.1", &ekuOid, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext)); + PKIX_TEST_DECREF_BC(ekuOid); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.8", &ekuOid, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext)); + PKIX_TEST_DECREF_BC(ekuOid); + + subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage(goodParams, setExtKeyUsage, plContext)); + + subTest("PKIX_ComCertSelParams_GetExtendedKeyUsage"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetExtendedKeyUsage(goodParams, &getExtKeyUsage, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setExtKeyUsage, + (PKIX_PL_Object *)getExtKeyUsage, + &isEqual, + plContext)); + + if (isEqual == PKIX_FALSE) { + testError("unexpected ExtKeyUsage mismatch <expect equal>"); + } + +cleanup: + + PKIX_TEST_DECREF_AC(ekuOid); + PKIX_TEST_DECREF_AC(setExtKeyUsage); + PKIX_TEST_DECREF_AC(getExtKeyUsage); + PKIX_TEST_DECREF_AC(goodParams); + + PKIX_TEST_RETURN(); +} + +static void +test_Version_Issuer_SerialNumber(void) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_UInt32 version = 0; + PKIX_PL_X500Name *setIssuer = NULL; + PKIX_PL_X500Name *getIssuer = NULL; + PKIX_PL_String *str = NULL; + PKIX_PL_BigInt *setSerialNumber = NULL; + PKIX_PL_BigInt *getSerialNumber = NULL; + PKIX_Boolean isEqual = PKIX_FALSE; + char *bigInt = "999999999999999999"; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + /* Version */ + subTest("PKIX_ComCertSelParams_SetVersion"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 2, plContext)); + + subTest("PKIX_ComCertSelParams_GetVersion"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetVersion(goodParams, &version, plContext)); + + if (version != 2) { + testError("unexpected Version mismatch <expect 2>"); + } + + /* Issuer */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "CN=Test,O=Sun,C=US", 0, &str, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(str, &setIssuer, plContext)); + + PKIX_TEST_DECREF_BC(str); + + subTest("PKIX_ComCertSelParams_SetIssuer"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer(goodParams, setIssuer, plContext)); + + subTest("PKIX_ComCertSelParams_GetIssuer"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetIssuer(goodParams, &getIssuer, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setIssuer, + (PKIX_PL_Object *)getIssuer, + &isEqual, + plContext)); + + if (isEqual == PKIX_FALSE) { + testError("unexpected Issuer mismatch <expect equal>"); + } + + /* Serial Number */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, bigInt, PL_strlen(bigInt), &str, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(str, &setSerialNumber, plContext)); + + subTest("PKIX_ComCertSelParams_SetSerialNumber"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber(goodParams, setSerialNumber, plContext)); + + subTest("PKIX_ComCertSelParams_GetSerialNumber"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSerialNumber(goodParams, &getSerialNumber, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setSerialNumber, + (PKIX_PL_Object *)getSerialNumber, + &isEqual, + plContext)); + + if (isEqual == PKIX_FALSE) { + testError("unexpected Serial Number mismatch <expect equal>"); + } + +cleanup: + + PKIX_TEST_DECREF_AC(str); + PKIX_TEST_DECREF_AC(setIssuer); + PKIX_TEST_DECREF_AC(getIssuer); + PKIX_TEST_DECREF_AC(setSerialNumber); + PKIX_TEST_DECREF_AC(getSerialNumber); + PKIX_TEST_DECREF_AC(goodParams); + + PKIX_TEST_RETURN(); +} + +static void +test_SubjKeyId_AuthKeyId(void) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_ByteArray *setKeyId = NULL; + PKIX_PL_ByteArray *getKeyId = NULL; + PKIX_Boolean isEqual = PKIX_FALSE; + + PKIX_TEST_STD_VARS(); + + /* Subject Key Identifier */ + subTest("PKIX_PL_ByteArray_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create((void *)"66099", 1, &setKeyId, plContext)); + + subTest("PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetSubjectKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier(goodParams, setKeyId, plContext)); + + subTest("PKIX_ComCertSelParams_GetSubjectKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjKeyIdentifier(goodParams, &getKeyId, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setKeyId, + (PKIX_PL_Object *)getKeyId, + &isEqual, + plContext)); + + if (isEqual == PKIX_FALSE) { + testError("unexpected Subject Key Id mismatch <expect equal>"); + } + + PKIX_TEST_DECREF_BC(setKeyId); + PKIX_TEST_DECREF_BC(getKeyId); + + /* Authority Key Identifier */ + subTest("PKIX_PL_ByteArray_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create((void *)"11022", 1, &setKeyId, plContext)); + + subTest("PKIX_ComCertSelParams_SetAuthorityKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(goodParams, setKeyId, plContext)); + + subTest("PKIX_ComCertSelParams_GetAuthorityKeyIdentifier"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetAuthorityKeyIdentifier(goodParams, &getKeyId, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setKeyId, + (PKIX_PL_Object *)getKeyId, + &isEqual, + plContext)); + + if (isEqual == PKIX_FALSE) { + testError("unexpected Auth Key Id mismatch <expect equal>"); + } + +cleanup: + + PKIX_TEST_DECREF_AC(setKeyId); + PKIX_TEST_DECREF_AC(getKeyId); + PKIX_TEST_DECREF_AC(goodParams); + + PKIX_TEST_RETURN(); +} + +static void +test_SubjAlgId_SubjPublicKey(char *dirName) +{ + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_PL_OID *setAlgId = NULL; + PKIX_PL_OID *getAlgId = NULL; + PKIX_PL_Cert *goodCert = NULL; + PKIX_PL_PublicKey *setPublicKey = NULL; + PKIX_PL_PublicKey *getPublicKey = NULL; + PKIX_Boolean isEqual = PKIX_FALSE; + + PKIX_TEST_STD_VARS(); + + /* Subject Algorithm Identifier */ + subTest("PKIX_PL_OID_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.1.2.3", &setAlgId, plContext)); + + subTest("PKIX_ComCertSelParams_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetSubjPKAlgId"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId(goodParams, setAlgId, plContext)); + + subTest("PKIX_ComCertSelParams_GetSubjPKAlgId"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPKAlgId(goodParams, &getAlgId, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setAlgId, + (PKIX_PL_Object *)getAlgId, + &isEqual, + plContext)); + + if (isEqual == PKIX_FALSE) { + testError("unexpected Subject Public Key Alg mismatch " + "<expect equal>"); + } + + /* Subject Public Key */ + subTest("Getting Cert for Subject Public Key"); + + goodCert = createCert(dirName, "nameConstraintsDN2CACert.crt", plContext); + + subTest("PKIX_PL_Cert_GetSubjectPublicKey"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(goodCert, &setPublicKey, plContext)); + + subTest("PKIX_ComCertSelParams_SetSubjPubKey"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey(goodParams, setPublicKey, plContext)); + + subTest("PKIX_ComCertSelParams_GetSubjPubKey"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPubKey(goodParams, &getPublicKey, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setPublicKey, + (PKIX_PL_Object *)getPublicKey, + &isEqual, + plContext)); + + if (isEqual == PKIX_FALSE) { + testError("unexpected Subject Public Key mismatch " + "<expect equal>"); + } + +cleanup: + + PKIX_TEST_DECREF_AC(setAlgId); + PKIX_TEST_DECREF_AC(getAlgId); + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(goodCert); + PKIX_TEST_DECREF_AC(setPublicKey); + PKIX_TEST_DECREF_AC(getPublicKey); + + PKIX_TEST_RETURN(); +} + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\ttest_comcertselparams <NIST_FILES_DIR> \n\n"); +} + +int +test_comcertselparams(int argc, char *argv[]) +{ + + PKIX_UInt32 actualMinorVersion; + PKIX_UInt32 j = 0; + + PKIX_PL_Cert *testCert = NULL; + PKIX_PL_Cert *goodCert = NULL; + PKIX_PL_Cert *equalCert = NULL; + PKIX_PL_Cert *diffCert = NULL; + PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL; + PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL; + PKIX_List *testPolicyInfos = NULL; /* CertPolicyInfos */ + PKIX_List *cert2PolicyInfos = NULL; /* CertPolicyInfos */ + + PKIX_ComCertSelParams *goodParams = NULL; + PKIX_ComCertSelParams *equalParams = NULL; + PKIX_PL_X500Name *goodSubject = NULL; + PKIX_PL_X500Name *equalSubject = NULL; + PKIX_PL_X500Name *diffSubject = NULL; + PKIX_PL_X500Name *testSubject = NULL; + PKIX_Int32 goodMinPathLength = 0; + PKIX_Int32 equalMinPathLength = 0; + PKIX_Int32 diffMinPathLength = 0; + PKIX_Int32 testMinPathLength = 0; + PKIX_List *goodPolicies = NULL; /* OIDs */ + PKIX_List *equalPolicies = NULL; /* OIDs */ + PKIX_List *testPolicies = NULL; /* OIDs */ + PKIX_List *cert2Policies = NULL; /* OIDs */ + + PKIX_PL_Date *testDate = NULL; + PKIX_PL_Date *goodDate = NULL; + PKIX_PL_Date *equalDate = NULL; + PKIX_PL_String *stringRep = NULL; + char *asciiRep = NULL; + char *dirName = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 2) { + printUsage(); + return (0); + } + + startTests("ComCertSelParams"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + dirName = argv[j + 1]; + + asciiRep = "050501000000Z"; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext)); + + testCert = createCert(dirName, "PoliciesP1234CACert.crt", plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(testCert, &testSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(testCert, &goodBasicConstraints, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(goodBasicConstraints, &testMinPathLength, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(testCert, &testPolicyInfos, plContext)); + + /* Convert from List of CertPolicyInfos to List of OIDs */ + test_CreateOIDList(testPolicyInfos, &testPolicies); + + subTest("Create goodParams and set its fields"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(goodParams, testSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(goodParams, testMinPathLength, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(goodParams, testDate, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(goodParams, testPolicies, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(goodParams, testCert, plContext)); + + subTest("Duplicate goodParams and verify copy"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)goodParams, + (PKIX_PL_Object **)&equalParams, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(goodParams, &goodSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(goodParams, &goodMinPathLength, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(goodParams, &goodCert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(goodParams, &goodDate, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(goodParams, &goodPolicies, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(equalParams, &equalCert, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(equalParams, &equalDate, plContext)); + + testEqualsHelper((PKIX_PL_Object *)goodSubject, + (PKIX_PL_Object *)equalSubject, + PKIX_TRUE, + plContext); + + if (goodMinPathLength != equalMinPathLength) { + testError("unexpected mismatch"); + (void)printf("goodMinPathLength:\t%d\n", goodMinPathLength); + (void)printf("equalMinPathLength:\t%d\n", equalMinPathLength); + } + + testEqualsHelper((PKIX_PL_Object *)goodPolicies, + (PKIX_PL_Object *)equalPolicies, + PKIX_TRUE, + plContext); + + testEqualsHelper((PKIX_PL_Object *)goodCert, + (PKIX_PL_Object *)equalCert, + PKIX_TRUE, + plContext); + + testEqualsHelper((PKIX_PL_Object *)goodDate, + (PKIX_PL_Object *)equalDate, + PKIX_TRUE, + plContext); + + PKIX_TEST_DECREF_BC(equalSubject); + PKIX_TEST_DECREF_BC(equalPolicies); + PKIX_TEST_DECREF_BC(equalCert); + PKIX_TEST_DECREF_AC(equalDate); + + subTest("Set different values and verify differences"); + + diffCert = createCert(dirName, "pathLenConstraint6CACert.crt", plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(diffCert, &diffSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(diffCert, &diffBasicConstraints, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(diffBasicConstraints, &diffMinPathLength, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &cert2PolicyInfos, plContext)); + test_CreateOIDList(cert2PolicyInfos, &cert2Policies); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject( + equalParams, diffSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(equalParams, diffMinPathLength, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(equalParams, cert2Policies, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext)); + + testEqualsHelper((PKIX_PL_Object *)goodSubject, + (PKIX_PL_Object *)equalSubject, + PKIX_FALSE, + plContext); + + if (goodMinPathLength == equalMinPathLength) { + testError("unexpected match"); + (void)printf("goodMinPathLength:\t%d\n", goodMinPathLength); + (void)printf("equalMinPathLength:\t%d\n", equalMinPathLength); + } + + testEqualsHelper((PKIX_PL_Object *)goodPolicies, + (PKIX_PL_Object *)equalPolicies, + PKIX_FALSE, + plContext); + + test_NameConstraints(dirName); + test_PathToNames(); + test_SubjAltNames(); + test_KeyUsages(); + test_Version_Issuer_SerialNumber(); + test_SubjKeyId_AuthKeyId(); + test_SubjAlgId_SubjPublicKey(dirName); + +cleanup: + + PKIX_TEST_DECREF_AC(testSubject); + PKIX_TEST_DECREF_AC(goodSubject); + PKIX_TEST_DECREF_AC(equalSubject); + PKIX_TEST_DECREF_AC(diffSubject); + PKIX_TEST_DECREF_AC(testSubject); + PKIX_TEST_DECREF_AC(goodPolicies); + PKIX_TEST_DECREF_AC(equalPolicies); + PKIX_TEST_DECREF_AC(testPolicies); + PKIX_TEST_DECREF_AC(cert2Policies); + PKIX_TEST_DECREF_AC(goodParams); + PKIX_TEST_DECREF_AC(equalParams); + PKIX_TEST_DECREF_AC(goodCert); + PKIX_TEST_DECREF_AC(diffCert); + PKIX_TEST_DECREF_AC(testCert); + PKIX_TEST_DECREF_AC(goodBasicConstraints); + PKIX_TEST_DECREF_AC(diffBasicConstraints); + PKIX_TEST_DECREF_AC(testPolicyInfos); + PKIX_TEST_DECREF_AC(cert2PolicyInfos); + PKIX_TEST_DECREF_AC(stringRep); + PKIX_TEST_DECREF_AC(testDate); + PKIX_TEST_DECREF_AC(goodDate); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("ComCertSelParams"); + + return (0); +} |