diff options
Diffstat (limited to 'security/nss/cmd/libpkix/pkix/top')
16 files changed, 4925 insertions, 0 deletions
diff --git a/security/nss/cmd/libpkix/pkix/top/Makefile b/security/nss/cmd/libpkix/pkix/top/Makefile new file mode 100755 index 000000000..09ca5f1c6 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/Makefile @@ -0,0 +1,47 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +include $(PKIX_DEPTH)/config.mk + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include $(PLAT_DEPTH)/platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +include $(PLAT_DEPTH)/platrules.mk diff --git a/security/nss/cmd/libpkix/pkix/top/manifest.mn b/security/nss/cmd/libpkix/pkix/top/manifest.mn new file mode 100755 index 000000000..a7d997dfb --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/manifest.mn @@ -0,0 +1,33 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +PKIX_DEPTH = ../.. +PLAT_DEPTH = $(PKIX_DEPTH)/.. +CORE_DEPTH = $(PKIX_DEPTH)/../../.. + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = test_basicchecker.c \ + test_basicconstraintschecker.c \ + test_buildchain.c \ + test_buildchain_uchecker.c \ + test_buildchain_partialchain.c \ + test_buildchain_resourcelimits.c \ + test_customcrlchecker.c \ + test_defaultcrlchecker2stores.c \ + test_ocsp.c \ + test_policychecker.c \ + test_subjaltnamechecker.c \ + test_validatechain.c \ + test_validatechain_bc.c \ + test_validatechain_NB.c \ + $(NULL) + +LIBRARY_NAME=pkixtooltop + +SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR) + +NO_MD_RELEASE = 1 diff --git a/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c b/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c new file mode 100644 index 000000000..658bf67be --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c @@ -0,0 +1,238 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_basicchecker.c + * + * Test Basic Checking + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +static void *plContext = NULL; + +static void +testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("Basic-Common-Fields <pass>"); + /* + * Tests the Expiration, NameChaining, and Signature Checkers + */ + + chain = createCertChain(dirName, goodInput, diffInput, plContext); + + valParams = createValidateParams(dirName, + goodInput, + diffInput, + dateAscii, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + +cleanup: + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_TEST_RETURN(); +} + +static void +testNameChainingFail( + char *dirName, + char *goodInput, + char *diffInput, + char *dateAscii) +{ + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("NameChaining <fail>"); + + chain = createCertChain(dirName, diffInput, goodInput, plContext); + + valParams = createValidateParams(dirName, + goodInput, + diffInput, + dateAscii, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_TEST_RETURN(); +} + +static void +testDateFail(char *dirName, char *goodInput, char *diffInput) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + + PKIX_TEST_STD_VARS(); + + chain = createCertChain(dirName, goodInput, diffInput, plContext); + + subTest("Expiration <fail>"); + valParams = createValidateParams(dirName, + goodInput, + diffInput, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_TEST_RETURN(); +} + +static void +testSignatureFail( + char *dirName, + char *goodInput, + char *diffInput, + char *dateAscii) +{ + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("Signature <fail>"); + + chain = createCertChain(dirName, diffInput, goodInput, plContext); + + valParams = createValidateParams(dirName, + goodInput, + diffInput, + dateAscii, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_TEST_RETURN(); +} + +static void +printUsage(char *pName) +{ + printf("\nUSAGE: %s <central-data-dir>\n\n", pName); +} + +int +test_basicchecker(int argc, char *argv[]) +{ + + char *goodInput = "yassir2yassir"; + char *diffInput = "yassir2bcn"; + char *dateAscii = "991201000000Z"; + char *dirName = NULL; + PKIX_UInt32 j = 0; + PKIX_UInt32 actualMinorVersion; + + PKIX_TEST_STD_VARS(); + + startTests("SignatureChecker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + if (argc < 2) { + printUsage(argv[0]); + return (0); + } + + dirName = argv[j + 1]; + + /* The NameChaining, Expiration, and Signature Checkers all pass */ + testPass(dirName, goodInput, diffInput, dateAscii); + + /* Individual Checkers fail */ + testNameChainingFail(dirName, goodInput, diffInput, dateAscii); + testDateFail(dirName, goodInput, diffInput); + +/* + * XXX + * since the signature check is done last, we need to create + * certs whose name chaining passes, but their signatures fail; + * we currently don't have any such certs. + */ +/* testSignatureFail(goodInput, diffInput, dateAscii); */ + +cleanup: + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("SignatureChecker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c b/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c new file mode 100644 index 000000000..eba5153ac --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c @@ -0,0 +1,145 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_basicconstraintschecker.c + * + * Test Basic Constraints Checking + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TEST_MAX_CERTS 10 + +static void *plContext = NULL; + +static void +printUsage1(char *pName) +{ + printf("\nUSAGE: %s test-name [ENE|EE] ", pName); + printf("cert [certs].\n"); +} + +static void +printUsageMax(PKIX_UInt32 numCerts) +{ + printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", + numCerts, PKIX_TEST_MAX_CERTS); +} + +int +test_basicconstraintschecker(int argc, char *argv[]) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_UInt32 actualMinorVersion; + char *certNames[PKIX_TEST_MAX_CERTS]; + PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_Boolean testValid = PKIX_FALSE; + char *dirName = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 4) { + printUsage1(argv[0]); + return (0); + } + + startTests("BasicConstraintsChecker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage1(argv[0]); + return (0); + } + + dirName = argv[3 + j]; + + chainLength = (argc - j) - 4; + if (chainLength > PKIX_TEST_MAX_CERTS) { + printUsageMax(chainLength); + } + + for (i = 0; i < chainLength; i++) { + certNames[i] = argv[(4 + j) + i]; + certs[i] = NULL; + } + + subTest(argv[1 + j]); + + subTest("Basic-Constraints - Create Cert Chain"); + + chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); + + /* + * Error occurs when creating Cert, this is critical and test + * should not continue. Since we expect error, we assume this + * error is the one that is expected, so undo the error count. + * + * This work needs future enhancement. We will introduce another + * flag ESE, in addition to the existing EE(expect validation + * error) and ENE(expect no validation error). ESE stands for + * "expect setup error". When running with ESE, if any of the setup + * calls such creating Cert Chain fails, the test can end and + * considered to be successful. + */ + if (testValid == PKIX_FALSE && chain == NULL) { + testErrorUndo("Cert Error - Create failed"); + goto cleanup; + } + + subTest("Basic-Constraints - Create Params"); + + valParams = createValidateParams(dirName, + argv[4 + + j], + NULL, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + subTest("Basic-Constraints - Validate Chain"); + + if (testValid == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } else { + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } + +cleanup: + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("BasicConstraintsChecker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain.c new file mode 100644 index 000000000..5c9ec5968 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain.c @@ -0,0 +1,418 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_buildchain.c + * + * Test BuildChain function + * + */ + +/* #define debuggingWithoutRevocation */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define LDAP_PORT 389 +static PKIX_Boolean usebind = PKIX_FALSE; +static PKIX_Boolean useLDAP = PKIX_FALSE; +static char buf[PR_NETDB_BUF_SIZE]; +static char *serverName = NULL; +static char *sepPtr = NULL; +static PRNetAddr netAddr; +static PRHostEnt hostent; +static PKIX_UInt32 portNum = 0; +static PRIntn hostenum = 0; +static PRStatus prstatus = PR_FAILURE; +static void *ipaddr = NULL; + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\ttest_buildchain [-arenas] [usebind] " + "servername[:port] <testName> [ENE|EE]\n" + "\t <certStoreDirectory> <targetCert>" + " <intermediate Certs...> <trustedCert>\n\n"); + (void)printf("Builds a chain of certificates from <targetCert> to <trustedCert>\n" + "using the certs and CRLs in <certStoreDirectory>. " + "servername[:port] gives\n" + "the address of an LDAP server. If port is not" + " specified, port 389 is used. \"-\" means no LDAP server.\n" + "If ENE is specified, then an Error is Not Expected. " + "EE indicates an Error is Expected.\n"); +} + +static PKIX_Error * +createLdapCertStore( + char *hostname, + PRIntervalTime timeout, + PKIX_CertStore **pLdapCertStore, + void *plContext) +{ + PRIntn backlog = 0; + + char *bindname = ""; + char *auth = ""; + + LDAPBindAPI bindAPI; + LDAPBindAPI *bindPtr = NULL; + PKIX_PL_LdapDefaultClient *ldapClient = NULL; + PKIX_CertStore *ldapCertStore = NULL; + + PKIX_TEST_STD_VARS(); + + if (usebind) { + bindPtr = &bindAPI; + bindAPI.selector = SIMPLE_AUTH; + bindAPI.chooser.simple.bindName = bindname; + bindAPI.chooser.simple.authentication = auth; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName(hostname, timeout, bindPtr, &ldapClient, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create((PKIX_PL_LdapClient *)ldapClient, + &ldapCertStore, + plContext)); + + *pLdapCertStore = ldapCertStore; +cleanup: + + PKIX_TEST_DECREF_AC(ldapClient); + + PKIX_TEST_RETURN(); + + return (pkixTestErrorResult); +} + +int +test_buildchain(int argc, char *argv[]) +{ + PKIX_BuildResult *buildResult = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_TrustAnchor *anchor = NULL; + PKIX_PL_PublicKey *trustedPubKey = NULL; + PKIX_List *anchors = NULL; + PKIX_List *certs = NULL; + PKIX_RevocationChecker *revChecker = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_ProcessingParams *procParams = NULL; + char *dirName = NULL; + PKIX_PL_String *dirNameString = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_PL_Cert *targetCert = NULL; + PKIX_UInt32 actualMinorVersion = 0; + PKIX_UInt32 numCerts = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_UInt32 k = 0; + PKIX_CertStore *ldapCertStore = NULL; + PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */ + /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */ + PKIX_CertStore *certStore = NULL; + PKIX_List *certStores = NULL; + PKIX_List *revCheckers = NULL; + char *asciiResult = NULL; + PKIX_Boolean result = PKIX_FALSE; + PKIX_Boolean testValid = PKIX_TRUE; + PKIX_List *expectedCerts = NULL; + PKIX_PL_Cert *dirCert = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + PKIX_PL_String *actualCertsString = NULL; + PKIX_PL_String *expectedCertsString = NULL; + void *state = NULL; + char *actualCertsAscii = NULL; + char *expectedCertsAscii = NULL; + PRPollDesc *pollDesc = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage(); + return (0); + } + + startTests("BuildChain"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* + * arguments: + * [optional] -arenas + * [optional] usebind + * servername or servername:port ( - for no server) + * testname + * EE or ENE + * cert directory + * target cert (end entity) + * intermediate certs + * trust anchor + */ + + /* optional argument "usebind" for Ldap CertStore */ + if (argv[j + 1]) { + if (PORT_Strcmp(argv[j + 1], "usebind") == 0) { + usebind = PKIX_TRUE; + j++; + } + } + + if (PORT_Strcmp(argv[++j], "-") == 0) { + useLDAP = PKIX_FALSE; + } else { + serverName = argv[j]; + useLDAP = PKIX_TRUE; + } + + subTest(argv[++j]); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[++j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage(); + return (0); + } + + dirName = argv[++j]; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); + + for (k = ++j; k < (PKIX_UInt32)argc; k++) { + + dirCert = createCert(dirName, argv[k], plContext); + + if (k == (PKIX_UInt32)(argc - 1)) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + trustedCert = dirCert; + } else { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, + (PKIX_PL_Object *)dirCert, + plContext)); + + if (k == j) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + targetCert = dirCert; + } + } + + PKIX_TEST_DECREF_BC(dirCert); + } + + /* create processing params with list of trust anchors */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with target certificate in params */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + /* create CertStores */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); + + if (useLDAP == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, + (PKIX_PL_Object *)ldapCertStore, + plContext)); + } else { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores, + NULL, /* testDate, may be NULL */ + trustedPubKey, + numCerts, + &revChecker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); + +#ifdef debuggingWithoutRevocation + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); +#endif + + /* build cert chain using processing params and return buildResult */ + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + &verifyTree, + plContext); + + while (pollDesc != NULL) { + + if (PR_Poll(pollDesc, 1, 0) < 0) { + testError("PR_Poll failed"); + } + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + &verifyTree, + plContext); + } + + if (pkixTestErrorResult) { + if (testValid == PKIX_FALSE) { /* EE */ + (void)printf("EXPECTED ERROR RECEIVED!\n"); + } else { /* ENE */ + testError("UNEXPECTED ERROR RECEIVED"); + } + } else { + if (testValid == PKIX_TRUE) { /* ENE */ + (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); + } else { /* EE */ + (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n"); + } + } + + subTest("Displaying VerifyNode objects"); + + if (verifyTree == NULL) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext)); + } else { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + } + + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + + if (pkixTestErrorResult) { + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + goto cleanup; + } + + if (buildResult) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + printf("\n"); + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, + i, + (PKIX_PL_Object **)&cert, + plContext)); + + asciiResult = PKIX_Cert2ASCII(cert); + + printf("CERT[%d]:\n%s\n", i, asciiResult); + + /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL)); + asciiResult = NULL; + + PKIX_TEST_DECREF_BC(cert); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs, + (PKIX_PL_Object *)expectedCerts, + &result, + plContext)); + + if (!result) { + testError("BUILT CERTCHAIN IS " + "NOT THE ONE THAT WAS EXPECTED"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs, + &actualCertsString, + plContext)); + + actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext); + if (actualCertsAscii == NULL) { + pkixTestErrorMsg = "PKIX_String2ASCII Failed"; + goto cleanup; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts, + &expectedCertsString, + plContext)); + + expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext); + if (expectedCertsAscii == NULL) { + pkixTestErrorMsg = "PKIX_String2ASCII Failed"; + goto cleanup; + } + + (void)printf("Actual value:\t%s\n", actualCertsAscii); + (void)printf("Expected value:\t%s\n", + expectedCertsAscii); + } + } + +cleanup: + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + + PKIX_PL_Free(asciiResult, NULL); + PKIX_PL_Free(actualCertsAscii, plContext); + PKIX_PL_Free(expectedCertsAscii, plContext); + + PKIX_TEST_DECREF_AC(state); + PKIX_TEST_DECREF_AC(actualCertsString); + PKIX_TEST_DECREF_AC(expectedCertsString); + PKIX_TEST_DECREF_AC(expectedCerts); + PKIX_TEST_DECREF_AC(buildResult); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certStores); + PKIX_TEST_DECREF_AC(revCheckers); + PKIX_TEST_DECREF_AC(revChecker); + PKIX_TEST_DECREF_AC(ldapCertStore); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(dirNameString); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(trustedCert); + PKIX_TEST_DECREF_AC(trustedPubKey); + + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(targetCert); + + PKIX_TEST_RETURN(); + + PKIX_Shutdown(plContext); + + endTests("BuildChain"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c new file mode 100644 index 000000000..4861a8e32 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c @@ -0,0 +1,725 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_buildchain_partialchain.c + * + * Test BuildChain function + * + */ + +#define debuggingWithoutRevocation + +#include "testutil.h" +#include "testutil_nss.h" + +#define LDAP_PORT 389 +static PKIX_Boolean usebind = PKIX_FALSE; +static PKIX_Boolean useLDAP = PKIX_FALSE; +static char buf[PR_NETDB_BUF_SIZE]; +static char *serverName = NULL; +static char *sepPtr = NULL; +static PRNetAddr netAddr; +static PRHostEnt hostent; +static PKIX_UInt32 portNum = 0; +static PRIntn hostenum = 0; +static PRStatus prstatus = PR_FAILURE; +static void *ipaddr = NULL; + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\ttest_buildchain [-arenas] [usebind] " + "servername[:port] <testName> [ENE|EE]\n" + "\t <certStoreDirectory> <targetCert>" + " <intermediate Certs...> <trustedCert>\n\n"); + (void)printf("Builds a chain of certificates from <targetCert> to <trustedCert>\n" + "using the certs and CRLs in <certStoreDirectory>. " + "servername[:port] gives\n" + "the address of an LDAP server. If port is not" + " specified, port 389 is used. \"-\" means no LDAP server.\n" + "If ENE is specified, then an Error is Not Expected. " + "EE indicates an Error is Expected.\n"); +} + +static PKIX_Error * +createLdapCertStore( + char *hostname, + PRIntervalTime timeout, + PKIX_CertStore **pLdapCertStore, + void *plContext) +{ + PRIntn backlog = 0; + + char *bindname = ""; + char *auth = ""; + + LDAPBindAPI bindAPI; + LDAPBindAPI *bindPtr = NULL; + PKIX_PL_LdapDefaultClient *ldapClient = NULL; + PKIX_CertStore *ldapCertStore = NULL; + + PKIX_TEST_STD_VARS(); + + if (usebind) { + bindPtr = &bindAPI; + bindAPI.selector = SIMPLE_AUTH; + bindAPI.chooser.simple.bindName = bindname; + bindAPI.chooser.simple.authentication = auth; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName(hostname, timeout, bindPtr, &ldapClient, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create((PKIX_PL_LdapClient *)ldapClient, + &ldapCertStore, + plContext)); + + *pLdapCertStore = ldapCertStore; +cleanup: + + PKIX_TEST_DECREF_AC(ldapClient); + + PKIX_TEST_RETURN(); + + return (pkixTestErrorResult); +} + +/* Test with all Certs in the partial list, no leaf */ +static PKIX_Error * +testWithNoLeaf( + PKIX_PL_Cert *trustedCert, + PKIX_List *listOfCerts, + PKIX_PL_Cert *targetCert, + PKIX_List *certStores, + PKIX_Boolean testValid, + void *plContext) +{ + PKIX_UInt32 numCerts = 0; + PKIX_UInt32 i = 0; + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_List *hintCerts = NULL; + PKIX_List *revCheckers = NULL; + PKIX_List *certs = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_PL_PublicKey *trustedPubKey = NULL; + PKIX_RevocationChecker *revChecker = NULL; + PKIX_BuildResult *buildResult = NULL; + PRPollDesc *pollDesc = NULL; + void *state = NULL; + char *asciiResult = NULL; + + PKIX_TEST_STD_VARS(); + + /* create processing params with list of trust anchors */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with no target certificate in params */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + /* create hintCerts */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)listOfCerts, + (PKIX_PL_Object **)&hintCerts, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts(procParams, hintCerts, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(listOfCerts, &numCerts, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores, + NULL, /* testDate, may be NULL */ + trustedPubKey, + numCerts, + &revChecker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); + +#ifdef debuggingWithoutRevocation + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); +#endif + + /* build cert chain using processing params and return buildResult */ + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + + while (pollDesc != NULL) { + + if (PR_Poll(pollDesc, 1, 0) < 0) { + testError("PR_Poll failed"); + } + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + } + + if (pkixTestErrorResult) { + if (testValid == PKIX_FALSE) { /* EE */ + (void)printf("EXPECTED ERROR RECEIVED!\n"); + } else { /* ENE */ + testError("UNEXPECTED ERROR RECEIVED"); + } + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + goto cleanup; + } + + if (testValid == PKIX_TRUE) { /* ENE */ + (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); + } else { /* EE */ + (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n"); + } + + if (buildResult) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + printf("\n"); + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, + i, + (PKIX_PL_Object **)&cert, + plContext)); + + asciiResult = PKIX_Cert2ASCII(cert); + + printf("CERT[%d]:\n%s\n", i, asciiResult); + + /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL)); + asciiResult = NULL; + + PKIX_TEST_DECREF_BC(cert); + } + } + +cleanup: + PKIX_PL_Free(asciiResult, NULL); + + PKIX_TEST_DECREF_AC(state); + PKIX_TEST_DECREF_AC(buildResult); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(revCheckers); + PKIX_TEST_DECREF_AC(revChecker); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(hintCerts); + PKIX_TEST_DECREF_AC(trustedPubKey); + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_RETURN(); + + return (pkixTestErrorResult); +} + +/* Test with all Certs in the partial list, leaf duplicates the first one */ +static PKIX_Error * +testWithDuplicateLeaf( + PKIX_PL_Cert *trustedCert, + PKIX_List *listOfCerts, + PKIX_PL_Cert *targetCert, + PKIX_List *certStores, + PKIX_Boolean testValid, + void *plContext) +{ + PKIX_UInt32 numCerts = 0; + PKIX_UInt32 i = 0; + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_List *hintCerts = NULL; + PKIX_List *revCheckers = NULL; + PKIX_List *certs = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_PL_PublicKey *trustedPubKey = NULL; + PKIX_RevocationChecker *revChecker = NULL; + PKIX_BuildResult *buildResult = NULL; + PRPollDesc *pollDesc = NULL; + void *state = NULL; + char *asciiResult = NULL; + + PKIX_TEST_STD_VARS(); + + /* create processing params with list of trust anchors */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with target certificate in params */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + /* create hintCerts */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)listOfCerts, + (PKIX_PL_Object **)&hintCerts, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts(procParams, hintCerts, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(listOfCerts, &numCerts, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores, + NULL, /* testDate, may be NULL */ + trustedPubKey, + numCerts, + &revChecker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); + +#ifdef debuggingWithoutRevocation + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); +#endif + + /* build cert chain using processing params and return buildResult */ + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + + while (pollDesc != NULL) { + + if (PR_Poll(pollDesc, 1, 0) < 0) { + testError("PR_Poll failed"); + } + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + } + + if (pkixTestErrorResult) { + if (testValid == PKIX_FALSE) { /* EE */ + (void)printf("EXPECTED ERROR RECEIVED!\n"); + } else { /* ENE */ + testError("UNEXPECTED ERROR RECEIVED"); + } + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + goto cleanup; + } + + if (testValid == PKIX_TRUE) { /* ENE */ + (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); + } else { /* EE */ + (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n"); + } + + if (buildResult) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + printf("\n"); + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, + i, + (PKIX_PL_Object **)&cert, + plContext)); + + asciiResult = PKIX_Cert2ASCII(cert); + + printf("CERT[%d]:\n%s\n", i, asciiResult); + + /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL)); + asciiResult = NULL; + + PKIX_TEST_DECREF_BC(cert); + } + } + +cleanup: + PKIX_PL_Free(asciiResult, NULL); + + PKIX_TEST_DECREF_AC(state); + PKIX_TEST_DECREF_AC(buildResult); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(revCheckers); + PKIX_TEST_DECREF_AC(revChecker); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(hintCerts); + PKIX_TEST_DECREF_AC(trustedPubKey); + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_RETURN(); + + return (pkixTestErrorResult); +} + +/* Test with all Certs except the leaf in the partial list */ +static PKIX_Error * +testWithLeafAndChain( + PKIX_PL_Cert *trustedCert, + PKIX_List *listOfCerts, + PKIX_PL_Cert *targetCert, + PKIX_List *certStores, + PKIX_Boolean testValid, + void *plContext) +{ + PKIX_UInt32 numCerts = 0; + PKIX_UInt32 i = 0; + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_List *hintCerts = NULL; + PKIX_List *revCheckers = NULL; + PKIX_List *certs = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_PL_PublicKey *trustedPubKey = NULL; + PKIX_RevocationChecker *revChecker = NULL; + PKIX_BuildResult *buildResult = NULL; + PRPollDesc *pollDesc = NULL; + void *state = NULL; + char *asciiResult = NULL; + + PKIX_TEST_STD_VARS(); + + /* create processing params with list of trust anchors */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with target certificate in params */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + /* create hintCerts */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)listOfCerts, + (PKIX_PL_Object **)&hintCerts, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(hintCerts, 0, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts(procParams, hintCerts, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(listOfCerts, &numCerts, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores, + NULL, /* testDate, may be NULL */ + trustedPubKey, + numCerts, + &revChecker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); + +#ifdef debuggingWithoutRevocation + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); +#endif + + /* build cert chain using processing params and return buildResult */ + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + + while (pollDesc != NULL) { + + if (PR_Poll(pollDesc, 1, 0) < 0) { + testError("PR_Poll failed"); + } + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + } + + if (pkixTestErrorResult) { + if (testValid == PKIX_FALSE) { /* EE */ + (void)printf("EXPECTED ERROR RECEIVED!\n"); + } else { /* ENE */ + testError("UNEXPECTED ERROR RECEIVED"); + } + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + goto cleanup; + } + + if (testValid == PKIX_TRUE) { /* ENE */ + (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); + } else { /* EE */ + (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n"); + } + + if (buildResult) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + printf("\n"); + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, + i, + (PKIX_PL_Object **)&cert, + plContext)); + + asciiResult = PKIX_Cert2ASCII(cert); + + printf("CERT[%d]:\n%s\n", i, asciiResult); + + /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL)); + asciiResult = NULL; + + PKIX_TEST_DECREF_BC(cert); + } + } + +cleanup: + + PKIX_TEST_DECREF_AC(state); + PKIX_TEST_DECREF_AC(buildResult); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(revCheckers); + PKIX_TEST_DECREF_AC(revChecker); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(hintCerts); + PKIX_TEST_DECREF_AC(trustedPubKey); + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + + PKIX_TEST_RETURN(); + + return (pkixTestErrorResult); +} + +int +test_buildchain_partialchain(int argc, char *argv[]) +{ + PKIX_UInt32 actualMinorVersion = 0; + PKIX_UInt32 j = 0; + PKIX_UInt32 k = 0; + PKIX_Boolean ene = PKIX_TRUE; /* expect no error */ + PKIX_List *listOfCerts = NULL; + PKIX_List *certStores = NULL; + PKIX_PL_Cert *dirCert = NULL; + PKIX_PL_Cert *trusted = NULL; + PKIX_PL_Cert *target = NULL; + PKIX_CertStore *ldapCertStore = NULL; + PKIX_CertStore *certStore = NULL; + PKIX_PL_String *dirNameString = NULL; + char *dirName = NULL; + + PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */ + /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */ + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage(); + return (0); + } + + startTests("BuildChain"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* + * arguments: + * [optional] -arenas + * [optional] usebind + * servername or servername:port ( - for no server) + * testname + * EE or ENE + * cert directory + * target cert (end entity) + * intermediate certs + * trust anchor + */ + + /* optional argument "usebind" for Ldap CertStore */ + if (argv[j + 1]) { + if (PORT_Strcmp(argv[j + 1], "usebind") == 0) { + usebind = PKIX_TRUE; + j++; + } + } + + if (PORT_Strcmp(argv[++j], "-") == 0) { + useLDAP = PKIX_FALSE; + } else { + serverName = argv[j]; + useLDAP = PKIX_TRUE; + } + + subTest(argv[++j]); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[++j], "ENE") == 0) { + ene = PKIX_TRUE; + } else if (PORT_Strcmp(argv[j], "EE") == 0) { + ene = PKIX_FALSE; + } else { + printUsage(); + return (0); + } + + dirName = argv[++j]; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&listOfCerts, plContext)); + + for (k = ++j; k < ((PKIX_UInt32)argc); k++) { + + dirCert = createCert(dirName, argv[k], plContext); + + if (k == ((PKIX_UInt32)(argc - 1))) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + trusted = dirCert; + } else { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(listOfCerts, + (PKIX_PL_Object *)dirCert, + plContext)); + + if (k == j) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + target = dirCert; + } + } + + PKIX_TEST_DECREF_BC(dirCert); + } + + /* create CertStores */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); + + if (useLDAP == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, + (PKIX_PL_Object *)ldapCertStore, + plContext)); + } else { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); + } + + subTest("testWithNoLeaf"); + PKIX_TEST_EXPECT_NO_ERROR(testWithNoLeaf(trusted, listOfCerts, target, certStores, ene, plContext)); + + subTest("testWithDuplicateLeaf"); + PKIX_TEST_EXPECT_NO_ERROR(testWithDuplicateLeaf(trusted, listOfCerts, target, certStores, ene, plContext)); + + subTest("testWithLeafAndChain"); + PKIX_TEST_EXPECT_NO_ERROR(testWithLeafAndChain(trusted, listOfCerts, target, certStores, ene, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(listOfCerts); + PKIX_TEST_DECREF_AC(certStores); + PKIX_TEST_DECREF_AC(ldapCertStore); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(dirNameString); + PKIX_TEST_DECREF_AC(trusted); + PKIX_TEST_DECREF_AC(target); + + PKIX_TEST_RETURN(); + + PKIX_Shutdown(plContext); + + endTests("BuildChain"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c new file mode 100644 index 000000000..1b28435b0 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c @@ -0,0 +1,438 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_buildchain_resourcelimits.c + * + * Test BuildChain function with constraints on resources + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TESTUSERCHECKER_TYPE (PKIX_NUMTYPES + 30) + +static void *plContext = NULL; +static PKIX_Boolean usebind = PKIX_FALSE; +static PKIX_Boolean useLDAP = PKIX_FALSE; +static char buf[PR_NETDB_BUF_SIZE]; +static char *serverName = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\ttest_buildchain_resourcelimits [-arenas] " + "[usebind] servername[:port]\\\n\t\t<testName> [ENE|EE]" + " <certStoreDirectory>\\\n\t\t<targetCert>" + " <intermediate Certs...> <trustedCert>\n\n"); + (void)printf("Builds a chain of certificates from <targetCert> to <trustedCert>\n" + "using the certs and CRLs in <certStoreDirectory>. " + "servername[:port] gives\n" + "the address of an LDAP server. If port is not" + " specified, port 389 is used.\n\"-\" means no LDAP server.\n\n" + "If ENE is specified, then an Error is Not Expected.\n" + "EE indicates an Error is Expected.\n"); +} + +static PKIX_Error * +createLdapCertStore( + char *hostname, + PRIntervalTime timeout, + PKIX_CertStore **pLdapCertStore, + void *plContext) +{ + PRIntn backlog = 0; + + char *bindname = ""; + char *auth = ""; + + LDAPBindAPI bindAPI; + LDAPBindAPI *bindPtr = NULL; + PKIX_PL_LdapDefaultClient *ldapClient = NULL; + PKIX_CertStore *ldapCertStore = NULL; + + PKIX_TEST_STD_VARS(); + + if (usebind) { + bindPtr = &bindAPI; + bindAPI.selector = SIMPLE_AUTH; + bindAPI.chooser.simple.bindName = bindname; + bindAPI.chooser.simple.authentication = auth; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName(hostname, timeout, bindPtr, &ldapClient, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create((PKIX_PL_LdapClient *)ldapClient, &ldapCertStore, plContext)); + + *pLdapCertStore = ldapCertStore; +cleanup: + + PKIX_TEST_DECREF_AC(ldapClient); + + PKIX_TEST_RETURN(); + + return (pkixTestErrorResult); +} + +static void +Test_BuildResult( + PKIX_ProcessingParams *procParams, + PKIX_Boolean testValid, + PKIX_List *expectedCerts, + void *plContext) +{ + PKIX_PL_Cert *cert = NULL; + PKIX_List *certs = NULL; + PKIX_PL_String *actualCertsString = NULL; + PKIX_PL_String *expectedCertsString = NULL; + PKIX_BuildResult *buildResult = NULL; + PKIX_Boolean result; + PKIX_Boolean supportForward = PKIX_FALSE; + PKIX_UInt32 numCerts, i; + char *asciiResult = NULL; + char *actualCertsAscii = NULL; + char *expectedCertsAscii = NULL; + void *state = NULL; + PRPollDesc *pollDesc = NULL; + + PKIX_TEST_STD_VARS(); + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + + while (pollDesc != NULL) { + + if (PR_Poll(pollDesc, 1, 0) < 0) { + testError("PR_Poll failed"); + } + + pkixTestErrorResult = PKIX_BuildChain(procParams, + (void **)&pollDesc, + &state, + &buildResult, + NULL, + plContext); + } + + if (pkixTestErrorResult) { + if (testValid == PKIX_FALSE) { /* EE */ + (void)printf("EXPECTED ERROR RECEIVED!\n"); + } else { /* ENE */ + testError("UNEXPECTED ERROR RECEIVED!\n"); + } + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + goto cleanup; + } + + if (testValid == PKIX_TRUE) { /* ENE */ + (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); + } else { /* EE */ + testError("UNEXPECTED NON-ERROR RECEIVED!\n"); + } + + if (buildResult) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, NULL)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + printf("\n"); + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, + i, + (PKIX_PL_Object **)&cert, + plContext)); + + asciiResult = PKIX_Cert2ASCII(cert); + + printf("CERT[%d]:\n%s\n", i, asciiResult); + + /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL)); + asciiResult = NULL; + + PKIX_TEST_DECREF_BC(cert); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs, + (PKIX_PL_Object *)expectedCerts, + &result, + plContext)); + + if (!result) { + testError("BUILT CERTCHAIN IS " + "NOT THE ONE THAT WAS EXPECTED"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs, + &actualCertsString, + plContext)); + + actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext); + if (actualCertsAscii == NULL) { + pkixTestErrorMsg = "PKIX_String2ASCII Failed"; + goto cleanup; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts, + &expectedCertsString, + plContext)); + + expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext); + if (expectedCertsAscii == NULL) { + pkixTestErrorMsg = "PKIX_String2ASCII Failed"; + goto cleanup; + } + + (void)printf("Actual value:\t%s\n", actualCertsAscii); + (void)printf("Expected value:\t%s\n", + expectedCertsAscii); + } + } + +cleanup: + + PKIX_PL_Free(asciiResult, NULL); + PKIX_PL_Free(actualCertsAscii, plContext); + PKIX_PL_Free(expectedCertsAscii, plContext); + PKIX_TEST_DECREF_AC(state); + PKIX_TEST_DECREF_AC(buildResult); + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(actualCertsString); + PKIX_TEST_DECREF_AC(expectedCertsString); + + PKIX_TEST_RETURN(); +} + +int +test_buildchain_resourcelimits(int argc, char *argv[]) +{ + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_CertChainChecker *checker = NULL; + PKIX_ResourceLimits *resourceLimits = NULL; + char *dirName = NULL; + PKIX_PL_String *dirNameString = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_PL_Cert *targetCert = NULL; + PKIX_PL_Cert *dirCert = NULL; + PKIX_UInt32 actualMinorVersion = 0; + PKIX_UInt32 j = 0; + PKIX_UInt32 k = 0; + PKIX_CertStore *ldapCertStore = NULL; + PRIntervalTime timeout = 0; /* 0 for non-blocking */ + PKIX_CertStore *certStore = NULL; + PKIX_List *certStores = NULL; + PKIX_List *expectedCerts = NULL; + PKIX_Boolean testValid = PKIX_FALSE; + PKIX_Boolean usebind = PKIX_FALSE; + PKIX_Boolean useLDAP = PKIX_FALSE; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage(); + return (0); + } + + startTests("BuildChain_ResourceLimits"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* + * arguments: + * [optional] -arenas + * [optional] usebind + * servername or servername:port ( - for no server) + * testname + * EE or ENE + * cert directory + * target cert (end entity) + * intermediate certs + * trust anchor + */ + + /* optional argument "usebind" for Ldap CertStore */ + if (argv[j + 1]) { + if (PORT_Strcmp(argv[j + 1], "usebind") == 0) { + usebind = PKIX_TRUE; + j++; + } + } + + if (PORT_Strcmp(argv[++j], "-") == 0) { + useLDAP = PKIX_FALSE; + } else { + serverName = argv[j]; + } + + subTest(argv[++j]); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[++j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage(); + return (0); + } + + dirName = argv[++j]; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); + + for (k = ++j; k < argc; k++) { + + dirCert = createCert(dirName, argv[k], plContext); + + if (k == (argc - 1)) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + trustedCert = dirCert; + } else { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, + (PKIX_PL_Object *)dirCert, + plContext)); + + if (k == j) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + targetCert = dirCert; + } + } + + PKIX_TEST_DECREF_BC(dirCert); + } + + /* create processing params with list of trust anchors */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with target certificate in params */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + /* create CertStores */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, + dirName, + 0, + &dirNameString, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); + +#if 0 + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create + (&certStore, plContext)); +#endif + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); + + if (useLDAP == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, + (PKIX_PL_Object *)ldapCertStore, + plContext)); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); + + /* set resource limits */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create(&resourceLimits, plContext)); + + /* need longer time when running dbx for memory leak checking */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 60, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 2, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits(procParams, resourceLimits, plContext)); + + /* build cert chain using processing params and return buildResult */ + + subTest("Testing ResourceLimits MaxFanout & MaxDepth - <pass>"); + Test_BuildResult(procParams, + testValid, + expectedCerts, + plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 1, plContext)); + + subTest("Testing ResourceLimits MaxFanout - <fail>"); + Test_BuildResult(procParams, + PKIX_FALSE, + expectedCerts, + plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 1, plContext)); + + subTest("Testing ResourceLimits MaxDepth - <fail>"); + Test_BuildResult(procParams, + PKIX_FALSE, + expectedCerts, + plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 0, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 0, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 0, plContext)); + + subTest("Testing ResourceLimits No checking - <pass>"); + Test_BuildResult(procParams, + testValid, + expectedCerts, + plContext); + +cleanup: + + PKIX_TEST_DECREF_AC(expectedCerts); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certStores); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(ldapCertStore); + PKIX_TEST_DECREF_AC(dirNameString); + PKIX_TEST_DECREF_AC(trustedCert); + PKIX_TEST_DECREF_AC(targetCert); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(checker); + PKIX_TEST_DECREF_AC(resourceLimits); + + PKIX_TEST_RETURN(); + + PKIX_Shutdown(plContext); + + endTests("BuildChain_UserChecker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c new file mode 100644 index 000000000..43f06ec2a --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c @@ -0,0 +1,327 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_buildchain_uchecker.c + * + * Test BuildChain User Checker function + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +static void *plContext = NULL; +static PKIX_UInt32 numUserCheckerCalled = 0; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\ttest_buildchain_uchecker [ENE|EE] " + "[-|[F]<userOID>] " + "<trustedCert> <targetCert> <certStoreDirectory>\n\n"); + (void)printf("Builds a chain of certificates between " + "<trustedCert> and <targetCert>\n" + "using the certs and CRLs in <certStoreDirectory>.\n" + "If <userOID> is not an empty string, its value is used as\n" + "user defined checker's critical extension OID.\n" + "A - for <userOID> is no OID and F is for supportingForward.\n" + "If ENE is specified, then an Error is Not Expected.\n" + "If EE is specified, an Error is Expected.\n"); +} + +static PKIX_Error * +testUserChecker( + PKIX_CertChainChecker *checker, + PKIX_PL_Cert *cert, + PKIX_List *unresExtOIDs, + void **pNBIOContext, + void *plContext) +{ + numUserCheckerCalled++; + return (0); +} + +int +test_buildchain_uchecker(int argc, char *argv[]) +{ + PKIX_BuildResult *buildResult = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_List *certs = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_CertChainChecker *checker = NULL; + char *dirName = NULL; + PKIX_PL_String *dirNameString = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_PL_Cert *targetCert = NULL; + PKIX_UInt32 numCerts = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_UInt32 k = 0; + PKIX_UInt32 chainLength = 0; + PKIX_CertStore *certStore = NULL; + PKIX_List *certStores = NULL; + char *asciiResult = NULL; + PKIX_Boolean result; + PKIX_Boolean testValid = PKIX_TRUE; + PKIX_Boolean supportForward = PKIX_FALSE; + PKIX_List *expectedCerts = NULL; + PKIX_List *userOIDs = NULL; + PKIX_PL_OID *oid = NULL; + PKIX_PL_Cert *dirCert = NULL; + PKIX_PL_String *actualCertsString = NULL; + PKIX_PL_String *expectedCertsString = NULL; + char *actualCertsAscii = NULL; + char *expectedCertsAscii = NULL; + char *oidString = NULL; + void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */ + void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */ + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage(); + return (0); + } + + startTests("BuildChain_UserChecker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage(); + return (0); + } + + /* OID specified at argv[3+j] */ + + if (*argv[3 + j] != '-') { + + if (*argv[3 + j] == 'F') { + supportForward = PKIX_TRUE; + oidString = argv[3 + j] + 1; + } else { + oidString = argv[3 + j]; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&userOIDs, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(oidString, &oid, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(userOIDs, (PKIX_PL_Object *)oid, plContext)); + PKIX_TEST_DECREF_BC(oid); + } + + subTest(argv[1 + j]); + + dirName = argv[4 + j]; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); + + chainLength = argc - j - 5; + + for (k = 0; k < chainLength; k++) { + + dirCert = createCert(dirName, argv[5 + k + j], plContext); + + if (k == (chainLength - 1)) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + trustedCert = dirCert; + } else { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, + (PKIX_PL_Object *)dirCert, + plContext)); + + if (k == 0) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, + plContext)); + targetCert = dirCert; + } + } + + PKIX_TEST_DECREF_BC(dirCert); + } + + /* create processing params with list of trust anchors */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with target certificate in params */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create(testUserChecker, + supportForward, + PKIX_FALSE, + userOIDs, + NULL, + &checker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker(procParams, checker, plContext)); + + /* create CertStores */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, + dirName, + 0, + &dirNameString, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); + +#if 0 + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create + (&certStore, plContext)); +#endif + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); + + /* build cert chain using processing params and return buildResult */ + + pkixTestErrorResult = PKIX_BuildChain(procParams, + &nbioContext, + &buildState, + &buildResult, + NULL, + plContext); + + if (testValid == PKIX_TRUE) { /* ENE */ + if (pkixTestErrorResult) { + (void)printf("UNEXPECTED RESULT RECEIVED!\n"); + } else { + (void)printf("EXPECTED RESULT RECEIVED!\n"); + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + } + } else { /* EE */ + if (pkixTestErrorResult) { + (void)printf("EXPECTED RESULT RECEIVED!\n"); + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + } else { + testError("UNEXPECTED RESULT RECEIVED"); + } + } + + if (buildResult) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, NULL)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + printf("\n"); + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, + i, + (PKIX_PL_Object **)&cert, + plContext)); + + asciiResult = PKIX_Cert2ASCII(cert); + + printf("CERT[%d]:\n%s\n", i, asciiResult); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext)); + asciiResult = NULL; + + PKIX_TEST_DECREF_BC(cert); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs, + (PKIX_PL_Object *)expectedCerts, + &result, + plContext)); + + if (!result) { + testError("BUILT CERTCHAIN IS " + "NOT THE ONE THAT WAS EXPECTED"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs, + &actualCertsString, + plContext)); + + actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext); + if (actualCertsAscii == NULL) { + pkixTestErrorMsg = "PKIX_String2ASCII Failed"; + goto cleanup; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts, + &expectedCertsString, + plContext)); + + expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext); + if (expectedCertsAscii == NULL) { + pkixTestErrorMsg = "PKIX_String2ASCII Failed"; + goto cleanup; + } + + (void)printf("Actual value:\t%s\n", actualCertsAscii); + (void)printf("Expected value:\t%s\n", + expectedCertsAscii); + + if (chainLength - 1 != numUserCheckerCalled) { + pkixTestErrorMsg = + "PKIX user defined checker not called"; + } + + goto cleanup; + } + } + +cleanup: + PKIX_PL_Free(asciiResult, plContext); + PKIX_PL_Free(actualCertsAscii, plContext); + PKIX_PL_Free(expectedCertsAscii, plContext); + + PKIX_TEST_DECREF_AC(actualCertsString); + PKIX_TEST_DECREF_AC(expectedCertsString); + PKIX_TEST_DECREF_AC(expectedCerts); + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(certStores); + PKIX_TEST_DECREF_AC(dirNameString); + PKIX_TEST_DECREF_AC(trustedCert); + PKIX_TEST_DECREF_AC(targetCert); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(buildResult); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(userOIDs); + PKIX_TEST_DECREF_AC(checker); + + PKIX_TEST_RETURN(); + + PKIX_Shutdown(plContext); + + endTests("BuildChain_UserChecker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c b/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c new file mode 100644 index 000000000..d2c667ae7 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c @@ -0,0 +1,435 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_customcrlchecker.c + * + * Test Custom CRL Checking + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TEST_MAX_CERTS 10 +#define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS 5 + +static void *plContext = NULL; +char *dirName = NULL; /* also used in callback */ + +static void +printUsage1(char *pName) +{ + printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName); + printf("cert [certs].\n"); +} + +static void +printUsageMax(PKIX_UInt32 numCerts) +{ + printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", + numCerts, PKIX_TEST_MAX_CERTS); +} + +static PKIX_Error * +getCRLCallback( + PKIX_CertStore *store, + PKIX_CRLSelector *crlSelector, + void **pNBIOContext, + PKIX_List **pCrlList, + void *plContext) +{ + char *crlFileNames[] = { "chem.crl", + "phys.crl", + "prof.crl", + "sci.crl", + "test.crl", + 0 }; + PKIX_PL_CRL *crl = NULL; + PKIX_List *crlList = NULL; + PKIX_UInt32 i = 0; + + PKIX_TEST_STD_VARS(); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&crlList, plContext)); + + while (crlFileNames[i]) { + + crl = createCRL(dirName, crlFileNames[i++], plContext); + + if (crl != NULL) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(crlList, (PKIX_PL_Object *)crl, plContext)); + + PKIX_TEST_DECREF_BC(crl); + } + } + + *pCrlList = crlList; + +cleanup: + + PKIX_TEST_RETURN(); + + return (0); /* this function is called by libpkix */ +} + +static PKIX_Error * +getCRLContinue( + PKIX_CertStore *store, + PKIX_CRLSelector *crlSelector, + void **pNBIOContext, + PKIX_List **pCrlList, + void *plContext) +{ + return (NULL); +} + +static PKIX_Error * +getCertCallback( + PKIX_CertStore *store, + PKIX_CertSelector *certSelector, + void **pNBIOContext, + PKIX_List **pCerts, + void *plContext) +{ + return (NULL); +} + +static PKIX_Error * +getCertContinue( + PKIX_CertStore *store, + PKIX_CertSelector *certSelector, + void **pNBIOContext, + PKIX_List **pCerts, + void *plContext) +{ + return (NULL); +} + +static PKIX_Error * +testCRLSelectorMatchCallback( + PKIX_CRLSelector *selector, + PKIX_PL_CRL *crl, + void *plContext) +{ + PKIX_ComCRLSelParams *comCrlSelParams = NULL; + PKIX_List *issuerList = NULL; + PKIX_PL_X500Name *issuer = NULL; + PKIX_PL_X500Name *crlIssuer = NULL; + PKIX_UInt32 numIssuers = 0; + PKIX_UInt32 i = 0; + PKIX_Boolean result = PKIX_FALSE; + PKIX_Error *error = NULL; + char *errorText = "Not an error, CRL Select mismatch"; + + PKIX_TEST_STD_VARS(); + + subTest("Custom_Selector_MatchCallback"); + + if (selector != NULL) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetCommonCRLSelectorParams(selector, &comCrlSelParams, plContext)); + } + + if (crl != NULL) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer(crl, &crlIssuer, plContext)); + } + + if (comCrlSelParams != NULL) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames(comCrlSelParams, &issuerList, plContext)); + } + + if (issuerList != NULL) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(issuerList, &numIssuers, plContext)); + + for (i = 0; i < numIssuers; i++) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(issuerList, + i, (PKIX_PL_Object **)&issuer, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)crlIssuer, + (PKIX_PL_Object *)issuer, + &result, + plContext)); + + if (result != PKIX_TRUE) { + break; + } + + if (i == numIssuers - 1) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(0, + NULL, + NULL, + PKIX_TESTNOTANERRORCRLSELECTMISMATCH, + &error, + plContext)); + + PKIX_TEST_DECREF_AC(issuer); + issuer = NULL; + break; + } + + PKIX_TEST_DECREF_AC(issuer); + } + } + +cleanup: + + PKIX_TEST_DECREF_AC(comCrlSelParams); + PKIX_TEST_DECREF_AC(crlIssuer); + PKIX_TEST_DECREF_AC(issuer); + PKIX_TEST_DECREF_AC(issuerList); + + PKIX_TEST_RETURN(); + + return (error); +} + +static PKIX_Error * +testAddIssuerName(PKIX_ComCRLSelParams *comCrlSelParams, char *issuerName) +{ + PKIX_PL_String *issuerString = NULL; + PKIX_PL_X500Name *issuer = NULL; + PKIX_UInt32 length = 0; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_ComCRLSelParams_AddIssuerName"); + + length = PL_strlen(issuerName); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_UTF8, + issuerName, + length, + &issuerString, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuerString, + &issuer, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuer, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(issuerString); + PKIX_TEST_DECREF_AC(issuer); + + PKIX_TEST_RETURN(); + + return (0); +} + +static PKIX_Error * +testCustomCertStore(PKIX_ValidateParams *valParams) +{ + PKIX_CertStore_CRLCallback crlCallback; + PKIX_CertStore *certStore = NULL; + PKIX_ProcessingParams *procParams = NULL; + char *issuerName1 = "cn=science,o=mit,c=us"; + char *issuerName2 = "cn=physics,o=mit,c=us"; + char *issuerName3 = "cn=prof noall,o=mit,c=us"; + char *issuerName4 = "cn=testing CRL,o=test,c=us"; + PKIX_ComCRLSelParams *comCrlSelParams = NULL; + PKIX_CRLSelector *crlSelector = NULL; + PKIX_List *crlList = NULL; + PKIX_UInt32 numCrl = 0; + void *nbioContext = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_PL_CollectionCertStore_Create"); + + /* Create CRLSelector, link in CollectionCertStore */ + + subTest("PKIX_ComCRLSelParams_AddIssuerNames"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext)); + + testAddIssuerName(comCrlSelParams, issuerName1); + testAddIssuerName(comCrlSelParams, issuerName2); + testAddIssuerName(comCrlSelParams, issuerName3); + testAddIssuerName(comCrlSelParams, issuerName4); + + subTest("PKIX_CRLSelector_SetCommonCRLSelectorParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(testCRLSelectorMatchCallback, + NULL, + &crlSelector, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector, comCrlSelParams, plContext)); + + /* Create CertStore, link in CRLSelector */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); + + subTest("PKIX_CertStore_Create"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_Create(getCertCallback, + getCRLCallback, + getCertContinue, + getCRLContinue, + NULL, /* trustCallback */ + (PKIX_PL_Object *)crlSelector, /* fake */ + PKIX_FALSE, /* cacheFlag */ + PKIX_TRUE, /* localFlag */ + &certStore, + plContext)); + + subTest("PKIX_ProcessingParams_AddCertStore"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore(procParams, certStore, plContext)); + + subTest("PKIX_ProcessingParams_SetRevocationEnabled"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_TRUE, plContext)); + + subTest("PKIX_CertStore_GetCRLCallback"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback(certStore, + &crlCallback, + NULL)); + + subTest("Getting CRL by CRL Callback"); + PKIX_TEST_EXPECT_NO_ERROR(crlCallback(certStore, + crlSelector, + &nbioContext, + &crlList, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(crlList, + &numCrl, + plContext)); + + if (numCrl != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS) { + pkixTestErrorMsg = "unexpected CRL number mismatch"; + } + +cleanup: + + PKIX_TEST_DECREF_AC(crlList); + PKIX_TEST_DECREF_AC(comCrlSelParams); + PKIX_TEST_DECREF_AC(crlSelector); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certStore); + + PKIX_TEST_RETURN(); + + return (0); +} + +/* + * Validate Certificate Chain with Certificate Revocation List + * Certificate Chain is built based on input certs' sequence. + * CRL is fetched from the directory specified in CollectionCertStore. + * while CollectionCertStore is linked in CertStore Object which then + * linked in ProcessParam. During validation, CRLChecker will invoke + * the crlCallback (this test uses PKIX_PL_CollectionCertStore_GetCRL) + * to get CRL data for revocation check. + * This test set criteria in CRLSelector which is linked in + * CommonCRLSelectorParam. When CRL data is fetched into cache for + * revocation check, CRL's are filtered based on the criteria set. + */ + +int +test_customcrlchecker(int argc, char *argv[]) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_UInt32 actualMinorVersion; + char *certNames[PKIX_TEST_MAX_CERTS]; + PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_Boolean testValid = PKIX_TRUE; + char *anchorName = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage1(argv[0]); + return (0); + } + + startTests("CRL Checker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage1(argv[0]); + return (0); + } + + chainLength = (argc - j) - 5; + if (chainLength > PKIX_TEST_MAX_CERTS) { + printUsageMax(chainLength); + } + + for (i = 0; i < chainLength; i++) { + + certNames[i] = argv[(5 + j) + i]; + certs[i] = NULL; + } + + dirName = argv[3 + j]; + + subTest(argv[1 + j]); + + subTest("Custom-CRL-Checker - Create Cert Chain"); + + chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); + + subTest("Custom-CRL-Checker - Create Params"); + + anchorName = argv[4 + j]; + + valParams = createValidateParams(dirName, + anchorName, + NULL, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + subTest("Custom-CRL-Checker - Set Processing Params for CertStore"); + + testCustomCertStore(valParams); + + subTest("Custom-CRL-Checker - Validate Chain"); + + if (testValid == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } else { + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } + +cleanup: + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("CRL Checker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c b/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c new file mode 100644 index 000000000..3ce451317 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c @@ -0,0 +1,230 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_defaultcrlchecker2stores.c + * + * Test Default CRL with multiple CertStore Checking + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TEST_MAX_CERTS 10 + +static void *plContext = NULL; + +static void +printUsage1(char *pName) +{ + printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName); + printf("crl-directory cert [certs].\n"); +} + +static void +printUsageMax(PKIX_UInt32 numCerts) +{ + printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", + numCerts, PKIX_TEST_MAX_CERTS); +} + +static PKIX_Error * +getCertCallback( + PKIX_CertStore *store, + PKIX_CertSelector *certSelector, + PKIX_List **pCerts, + void *plContext) +{ + return (NULL); +} + +static PKIX_Error * +testDefaultMultipleCertStores(PKIX_ValidateParams *valParams, + char *crlDir1, + char *crlDir2) +{ + PKIX_PL_String *dirString1 = NULL; + PKIX_PL_String *dirString2 = NULL; + PKIX_CertStore *certStore1 = NULL; + PKIX_CertStore *certStore2 = NULL; + PKIX_List *certStoreList = NULL; + PKIX_ProcessingParams *procParams = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_PL_CollectionCertStore_Create"); + + /* Create CollectionCertStore */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, + crlDir1, + 0, + &dirString1, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString1, + &certStore1, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, + crlDir2, + 0, + &dirString2, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString2, + &certStore2, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); + + /* Add multiple CollectionCertStores */ + + subTest("PKIX_ProcessingParams_SetCertStores"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStoreList, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStoreList, (PKIX_PL_Object *)certStore1, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStoreList, plContext)); + + subTest("PKIX_ProcessingParams_AddCertStore"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore(procParams, certStore2, plContext)); + + subTest("PKIX_ProcessingParams_SetRevocationEnabled"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_TRUE, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(dirString1); + PKIX_TEST_DECREF_AC(dirString2); + PKIX_TEST_DECREF_AC(certStore1); + PKIX_TEST_DECREF_AC(certStore2); + PKIX_TEST_DECREF_AC(certStoreList); + PKIX_TEST_DECREF_AC(procParams); + + PKIX_TEST_RETURN(); + + return (0); +} + +/* + * Validate Certificate Chain with Certificate Revocation List + * Certificate Chain is build based on input certs' sequence. + * CRL is fetched from the directory specified in CollectionCertStore. + * while CollectionCertStore is linked in CertStore Object which then + * linked in ProcessParam. During validation, CRLChecker will invoke + * the crlCallback (this test uses PKIX_PL_CollectionCertStore_GetCRL) + * to get CRL data for revocation check. + * This test gets CRL's from two CertStores, each has a valid CRL + * required for revocation check to pass. + */ + +int +test_defaultcrlchecker2stores(int argc, char *argv[]) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_UInt32 actualMinorVersion; + char *certNames[PKIX_TEST_MAX_CERTS]; + PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_Boolean testValid = PKIX_TRUE; + char *dirName = NULL; + char *anchorName = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 6) { + printUsage1(argv[0]); + return (0); + } + + startTests("CRL Checker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage1(argv[0]); + return (0); + } + + chainLength = (argc - j) - 7; + if (chainLength > PKIX_TEST_MAX_CERTS) { + printUsageMax(chainLength); + } + + for (i = 0; i < chainLength; i++) { + + certNames[i] = argv[(7 + j) + i]; + certs[i] = NULL; + } + + subTest(argv[1 + j]); + + subTest("Default-CRL-Checker"); + + subTest("Default-CRL-Checker - Create Cert Chain"); + + dirName = argv[3 + j]; + + chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); + + subTest("Default-CRL-Checker - Create Params"); + + anchorName = argv[6 + j]; + + valParams = createValidateParams(dirName, + anchorName, + NULL, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + subTest("Multiple-CertStores"); + + testDefaultMultipleCertStores(valParams, argv[4 + j], argv[5 + j]); + + subTest("Default-CRL-Checker - Validate Chain"); + + if (testValid == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } else { + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + +cleanup: + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(chain); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("CRL Checker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_ocsp.c b/security/nss/cmd/libpkix/pkix/top/test_ocsp.c new file mode 100644 index 000000000..e97e57096 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_ocsp.c @@ -0,0 +1,288 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_ocspchecker.c + * + * Test OcspChecker function + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\nOcspChecker -d <certStoreDirectory> TestName " + "[ENE|EE] <certLocationDirectory> <trustedCert> " + "<targetCert>\n\n"); + (void)printf("Validates a chain of certificates between " + "<trustedCert> and <targetCert>\n" + "using the certs and CRLs in <certLocationDirectory> and " + "pkcs11 db from <certStoreDirectory>. " + "If ENE is specified,\n" + "then an Error is Not Expected. " + "If EE is specified, an Error is Expected.\n"); +} + +static char * +createFullPathName( + char *dirName, + char *certFile, + void *plContext) +{ + PKIX_UInt32 certFileLen; + PKIX_UInt32 dirNameLen; + char *certPathName = NULL; + + PKIX_TEST_STD_VARS(); + + certFileLen = PL_strlen(certFile); + dirNameLen = PL_strlen(dirName); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(dirNameLen + + certFileLen + + 2, + (void **)&certPathName, + plContext)); + + PL_strcpy(certPathName, dirName); + PL_strcat(certPathName, "/"); + PL_strcat(certPathName, certFile); + printf("certPathName = %s\n", certPathName); + +cleanup: + + PKIX_TEST_RETURN(); + + return (certPathName); +} + +static PKIX_Error * +testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) +{ + PKIX_PL_String *dirString = NULL; + PKIX_CertStore *certStore = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_PL_Date *validity = NULL; + PKIX_List *revCheckers = NULL; + PKIX_RevocationChecker *revChecker = NULL; + PKIX_PL_Object *revCheckerContext = NULL; + PKIX_OcspChecker *ocspChecker = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_PL_CollectionCertStoreContext_Create"); + + /* Create CollectionCertStore */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, crlDir, 0, &dirString, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); + + /* Create CertStore */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); + + subTest("PKIX_ProcessingParams_AddCertStore"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore(procParams, certStore, plContext)); + + subTest("PKIX_ProcessingParams_SetRevocationEnabled"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); + + /* create current Date */ + PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime(PR_Now(), &validity, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); + + /* create revChecker */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize(validity, + NULL, /* pwArg */ + NULL, /* Use default responder */ + &revChecker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_GetRevCheckerContext(revChecker, &revCheckerContext, plContext)); + + /* Check that this object is a ocsp checker */ + PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType(revCheckerContext, PKIX_OCSPCHECKER_TYPE, plContext)); + + ocspChecker = (PKIX_OcspChecker *)revCheckerContext; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_SetVerifyFcn(ocspChecker, + PKIX_PL_OcspResponse_UseBuildChain, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(revCheckers); + PKIX_TEST_DECREF_AC(revChecker); + PKIX_TEST_DECREF_AC(ocspChecker); + PKIX_TEST_DECREF_AC(validity); + + PKIX_TEST_RETURN(); + + return (0); +} + +int +test_ocsp(int argc, char *argv[]) +{ + + PKIX_ValidateParams *valParams = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_UInt32 actualMinorVersion; + PKIX_UInt32 j = 0; + PKIX_UInt32 k = 0; + PKIX_UInt32 chainLength = 0; + PKIX_Boolean testValid = PKIX_TRUE; + PKIX_List *chainCerts = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + PKIX_PL_Cert *dirCert = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_PL_Cert *targetCert = NULL; + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + char *dirCertName = NULL; + char *anchorCertName = NULL; + char *dirName = NULL; + char *databaseDir = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage(); + return (0); + } + + startTests("OcspChecker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage(); + return (0); + } + + subTest(argv[1 + j]); + + dirName = argv[3 + j]; + + chainLength = argc - j - 5; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext)); + + for (k = 0; k < chainLength; k++) { + + dirCert = createCert(dirName, argv[5 + k + j], plContext); + + if (k == 0) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); + targetCert = dirCert; + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(chainCerts, (PKIX_PL_Object *)dirCert, plContext)); + + PKIX_TEST_DECREF_BC(dirCert); + } + + /* create processing params with list of trust anchors */ + + anchorCertName = argv[4 + j]; + trustedCert = createCert(dirName, anchorCertName, plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with target certificate in params */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, chainCerts, &valParams, plContext)); + + testDefaultCertStore(valParams, dirName); + + pkixTestErrorResult = PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext); + + if (pkixTestErrorResult) { + if (testValid == PKIX_FALSE) { /* EE */ + (void)printf("EXPECTED ERROR RECEIVED!\n"); + } else { /* ENE */ + testError("UNEXPECTED ERROR RECEIVED"); + } + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + } else { + if (testValid == PKIX_TRUE) { /* ENE */ + (void)printf("EXPECTED SUCCESSFUL VALIDATION!\n"); + } else { /* EE */ + (void)printf("UNEXPECTED SUCCESSFUL VALIDATION!\n"); + } + } + + subTest("Displaying VerifyTree"); + + if (verifyTree == NULL) { + (void)printf("VerifyTree is NULL\n"); + } else { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", + verifyString->escAsciiString); + PKIX_TEST_DECREF_BC(verifyString); + PKIX_TEST_DECREF_BC(verifyTree); + } + +cleanup: + + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(chainCerts); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(trustedCert); + PKIX_TEST_DECREF_AC(targetCert); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("OcspChecker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_policychecker.c b/security/nss/cmd/libpkix/pkix/top/test_policychecker.c new file mode 100644 index 000000000..1318f13ba --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_policychecker.c @@ -0,0 +1,535 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_policychecker.c + * + * Test Policy Checking + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TEST_MAX_CERTS 10 + +static void *plContext = NULL; + +static void +printUsage(char *testname) +{ + char *fmt = + "USAGE: %s testname" + " [ENE|EE] \"{OID[:OID]*}\" [A|E|P] cert [cert]*\n" + "(The quotes are needed around the OID argument for dbx.)\n" + "(The optional arg A indicates initialAnyPolicyInhibit.)\n" + "(The optional arg E indicates initialExplicitPolicy.)\n" + "(The optional arg P indicates initialPolicyMappingInhibit.)\n"; + printf(fmt, testname); +} + +static void +printUsageMax(PKIX_UInt32 numCerts) +{ + printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", + numCerts, PKIX_TEST_MAX_CERTS); +} + +static PKIX_List * +policySetParse(char *policyString) +{ + char *p = NULL; + char *oid = NULL; + char c = '\0'; + PKIX_Boolean validString = PKIX_FALSE; + PKIX_PL_OID *plOID = NULL; + PKIX_List *policySet = NULL; + + PKIX_TEST_STD_VARS(); + + p = policyString; + + /* + * There may or may not be quotes around the initial-policy-set + * string. If they are omitted, dbx will strip off the curly braces. + * If they are included, dbx will strip off the quotes, but if you + * are running directly from a script, without dbx, the quotes will + * not be stripped. We need to be able to handle both cases. + */ + if (*p == '"') { + p++; + } + + if ('{' != *p++) { + return (NULL); + } + oid = p; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext)); + + /* scan to the end of policyString */ + while (!validString) { + /* scan to the end of the current OID string */ + c = *oid; + while ((c != '\0') && (c != ':') && (c != '}')) { + c = *++oid; + } + + if ((c != ':') || (c != '}')) { + *oid = '\0'; /* store a null terminator */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(p, &plOID, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(policySet, + (PKIX_PL_Object *)plOID, + plContext)); + + PKIX_TEST_DECREF_BC(plOID); + plOID = NULL; + if (c == '}') { + /* + * Any exit but this one means + * we were given a badly-formed string. + */ + validString = PKIX_TRUE; + } + p = ++oid; + } + } + +cleanup: + if (!validString) { + PKIX_TEST_DECREF_AC(plOID); + PKIX_TEST_DECREF_AC(policySet); + policySet = NULL; + } + + PKIX_TEST_RETURN(); + + return (policySet); +} + +/* + * FUNCTION: treeToStringHelper + * This function obtains the string representation of a PolicyNode + * Tree and compares it to the expected value. + * PARAMETERS: + * "parent" - a PolicyNode, the root of a PolicyNodeTree; + * must be non-NULL. + * "expected" - the desired string. + * THREAD SAFETY: + * Thread Safe + * + * Multiple threads can safely call this function without worrying + * about conflicts, even if they're operating on the same object. + * RETURNS: + * Nothing. + */ +static void +treeToStringHelper(PKIX_PolicyNode *parent, char *expected) +{ + PKIX_PL_String *stringRep = NULL; + char *actual = NULL; + PKIX_TEST_STD_VARS(); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)parent, &stringRep, plContext)); + + actual = PKIX_String2ASCII(stringRep, plContext); + if (actual == NULL) { + pkixTestErrorMsg = "PKIX_String2ASCII Failed"; + goto cleanup; + } + + if (PL_strcmp(actual, expected) != 0) { + testError("unexpected mismatch"); + (void)printf("Actual value:\t%s\n", actual); + (void)printf("Expected value:\t%s\n", expected); + } + +cleanup: + + PKIX_PL_Free(actual, plContext); + + PKIX_TEST_DECREF_AC(stringRep); + + PKIX_TEST_RETURN(); +} + +static void +testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("Basic-Common-Fields <pass>"); + /* + * Tests the Expiration, NameChaining, and Signature Checkers + */ + + chain = createCertChain(dirName, goodInput, diffInput, plContext); + + valParams = createValidateParams(dirName, + goodInput, + diffInput, + dateAscii, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_TEST_RETURN(); +} + +static void +testNistTest1(char *dirName) +{ +#define PKIX_TEST_NUM_CERTS 2 + char *trustAnchor = + "TrustAnchorRootCertificate.crt"; + char *intermediateCert = + "GoodCACert.crt"; + char *endEntityCert = + "ValidCertificatePathTest1EE.crt"; + char *certNames[PKIX_TEST_NUM_CERTS]; + char *asciiAnyPolicy = "2.5.29.32.0"; + PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL }; + + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_List *chain = NULL; + PKIX_PL_OID *anyPolicyOID = NULL; + PKIX_List *initialPolicies = NULL; + char *anchorName = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("testNistTest1: Creating the cert chain"); + /* + * Create a chain, but don't include the first certName. + * That's the anchor, and is supplied separately from + * the chain. + */ + certNames[0] = intermediateCert; + certNames[1] = endEntityCert; + chain = createCertChainPlus(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext); + + subTest("testNistTest1: Creating the Validate Parameters"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(asciiAnyPolicy, &anyPolicyOID, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&initialPolicies, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(initialPolicies, (PKIX_PL_Object *)anyPolicyOID, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(initialPolicies, plContext)); + + valParams = createValidateParams(dirName, + trustAnchor, + NULL, + NULL, + initialPolicies, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + subTest("testNistTest1: Validating the chain"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); + +cleanup: + + PKIX_PL_Free(anchorName, plContext); + + PKIX_TEST_DECREF_AC(anyPolicyOID); + PKIX_TEST_DECREF_AC(initialPolicies); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(chain); + + PKIX_TEST_RETURN(); +} + +static void +testNistTest2(char *dirName) +{ +#define PKIX_TEST_NUM_CERTS 2 + char *trustAnchor = + "TrustAnchorRootCertificate.crt"; + char *intermediateCert = + "GoodCACert.crt"; + char *endEntityCert = + "ValidCertificatePathTest1EE.crt"; + char *certNames[PKIX_TEST_NUM_CERTS]; + char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1"; + PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL }; + + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_List *chain = NULL; + PKIX_PL_OID *Nist1PolicyOID = NULL; + PKIX_List *initialPolicies = NULL; + char *anchorName = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("testNistTest2: Creating the cert chain"); + /* + * Create a chain, but don't include the first certName. + * That's the anchor, and is supplied separately from + * the chain. + */ + certNames[0] = intermediateCert; + certNames[1] = endEntityCert; + chain = createCertChainPlus(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext); + + subTest("testNistTest2: Creating the Validate Parameters"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(asciiNist1Policy, &Nist1PolicyOID, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&initialPolicies, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(initialPolicies, plContext)); + + valParams = createValidateParams(dirName, + trustAnchor, + NULL, + NULL, + initialPolicies, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + subTest("testNistTest2: Validating the chain"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); + +cleanup: + + PKIX_PL_Free(anchorName, plContext); + + PKIX_TEST_DECREF_AC(Nist1PolicyOID); + PKIX_TEST_DECREF_AC(initialPolicies); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(chain); + + PKIX_TEST_RETURN(); +} + +static void +printValidPolicyTree(PKIX_ValidateResult *valResult) +{ + PKIX_PolicyNode *validPolicyTree = NULL; + PKIX_PL_String *treeString = NULL; + + PKIX_TEST_STD_VARS(); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree(valResult, &validPolicyTree, plContext)); + if (validPolicyTree) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)validPolicyTree, + &treeString, + plContext)); + (void)printf("validPolicyTree is\n\t%s\n", + treeString->escAsciiString); + } else { + (void)printf("validPolicyTree is NULL\n"); + } + +cleanup: + + PKIX_TEST_DECREF_AC(validPolicyTree); + PKIX_TEST_DECREF_AC(treeString); + + PKIX_TEST_RETURN(); +} + +int +test_policychecker(int argc, char *argv[]) +{ + + PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; + PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; + PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; + PKIX_Boolean expectedResult = PKIX_FALSE; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 initArgs = 0; + PKIX_UInt32 firstCert = 0; + PKIX_UInt32 i = 0; + PKIX_Int32 j = 0; + PKIX_UInt32 actualMinorVersion; + PKIX_ProcessingParams *procParams = NULL; + char *firstTrustAnchor = "yassir2yassir"; + char *secondTrustAnchor = "yassir2bcn"; + char *dateAscii = "991201000000Z"; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */ + char *certNames[PKIX_TEST_MAX_CERTS]; + PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; + PKIX_List *chain = NULL; + PKIX_Error *validationError = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + char *dirName = NULL; + char *dataCentralDir = NULL; + char *anchorName = NULL; + + PKIX_TEST_STD_VARS(); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* + * Perform hard-coded tests if no command line args. + * If command line args are provided, they must be: + * arg[1]: test name + * arg[2]: "ENE" or "EE", for "expect no error" or "expect error" + * arg[3]: directory for certificates + * arg[4]: user-initial-policy-set, consisting of braces + * containing zero or more OID sequences, separated by commas + * arg[5]: (optional) "E", indicating initialExplicitPolicy + * arg[firstCert]: the path and filename of the trust anchor certificate + * arg[firstCert+1..(n-1)]: successive certificates in the chain + * arg[n]: the end entity certificate + * + * Example: test_policychecker test1EE ENE + * {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity + */ + + dirName = argv[3 + j]; + dataCentralDir = argv[4 + j]; + + if (argc <= 5 || ((6 == argc) && (j))) { + + testPass(dataCentralDir, + firstTrustAnchor, + secondTrustAnchor, + dateAscii); + + testNistTest1(dirName); + + testNistTest2(dirName); + + goto cleanup; + } + + if (argc < (7 + j)) { + printUsage(argv[0]); + pkixTestErrorMsg = "Invalid command line arguments."; + goto cleanup; + } + + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + expectedResult = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + expectedResult = PKIX_FALSE; + } else { + printUsage(argv[0]); + pkixTestErrorMsg = "Invalid command line arguments."; + goto cleanup; + } + + userInitialPolicySet = policySetParse(argv[5 + j]); + if (!userInitialPolicySet) { + printUsage(argv[0]); + pkixTestErrorMsg = "Invalid command line arguments."; + goto cleanup; + } + + for (initArgs = 0; initArgs < 3; initArgs++) { + if (PORT_Strcmp(argv[6 + j + initArgs], "A") == 0) { + initialAnyPolicyInhibit = PKIX_TRUE; + } else if (PORT_Strcmp(argv[6 + j + initArgs], "E") == 0) { + initialExplicitPolicy = PKIX_TRUE; + } else if (PORT_Strcmp(argv[6 + j + initArgs], "P") == 0) { + initialPolicyMappingInhibit = PKIX_TRUE; + } else { + break; + } + } + + firstCert = initArgs + j + 6; + chainLength = argc - (firstCert + 1); + if (chainLength > PKIX_TEST_MAX_CERTS) { + printUsageMax(chainLength); + pkixTestErrorMsg = "Invalid command line arguments."; + goto cleanup; + } + + /* + * Create a chain, but don't include the first certName. + * That's the anchor, and is supplied separately from + * the chain. + */ + for (i = 0; i < chainLength; i++) { + + certNames[i] = argv[i + (firstCert + 1)]; + certs[i] = NULL; + } + chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); + + subTest(argv[1 + j]); + + valParams = createValidateParams(dirName, + argv[firstCert], + NULL, + NULL, + userInitialPolicySet, + initialPolicyMappingInhibit, + initialAnyPolicyInhibit, + initialExplicitPolicy, + PKIX_FALSE, + chain, + plContext); + + if (expectedResult == PKIX_TRUE) { + subTest(" (expecting successful validation)"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + + printValidPolicyTree(valResult); + + } else { + subTest(" (expecting validation to fail)"); + validationError = PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext); + if (!validationError) { + printValidPolicyTree(valResult); + pkixTestErrorMsg = "Should have thrown an error here."; + } + PKIX_TEST_DECREF_BC(validationError); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + +cleanup: + + PKIX_PL_Free(anchorName, plContext); + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(userInitialPolicySet); + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(validationError); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("PolicyChecker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c b/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c new file mode 100644 index 000000000..3f9711e69 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c @@ -0,0 +1,261 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_subjaltnamechecker.c + * + * Test Subject Alternative Name Checking + * + */ + +/* + * There is no subjaltnamechecker. Instead, targetcertchecker is doing + * the job for checking subject alternative names' validity. For testing, + * in order to enter names with various type, we create this test excutable + * to parse different scenario. + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TEST_MAX_CERTS 10 + +static void *plContext = NULL; + +static void +printUsage1(char *pName) +{ + printf("\nUSAGE: %s test-name [ENE|EE] ", pName); + printf("cert [certs].\n"); +} + +static void +printUsage2(char *name) +{ + printf("\ninvalid test-name syntax - %s", name); + printf("\ntest-name syntax: [01][DNORU]:<name>+..."); + printf("\n [01] 1 - match all; 0 - match one"); + printf("\n name - type can be specified as"); + printf("\n [DNORU] D-Directory name"); + printf("\n N-DNS name"); + printf("\n O-OID name"); + printf("\n R-RFC822 name"); + printf("\n U-URI name"); + printf("\n + separator for more names\n\n"); +} + +static void +printUsageMax(PKIX_UInt32 numCerts) +{ + printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", + numCerts, PKIX_TEST_MAX_CERTS); +} + +static PKIX_UInt32 +getNameType(char *name) +{ + PKIX_UInt32 nameType; + + PKIX_TEST_STD_VARS(); + + switch (*name) { + case 'D': + nameType = PKIX_DIRECTORY_NAME; + break; + case 'N': + nameType = PKIX_DNS_NAME; + break; + case 'O': + nameType = PKIX_OID_NAME; + break; + case 'R': + nameType = PKIX_RFC822_NAME; + break; + case 'U': + nameType = PKIX_URI_NAME; + break; + default: + printUsage2(name); + nameType = 0xFFFF; + } + + goto cleanup; + +cleanup: + PKIX_TEST_RETURN(); + return (nameType); +} + +int +test_subjaltnamechecker(int argc, char *argv[]) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *selParams = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_PL_GeneralName *name = NULL; + PKIX_UInt32 actualMinorVersion; + char *certNames[PKIX_TEST_MAX_CERTS]; + PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + char *nameStr; + char *nameEnd; + char *names[PKIX_TEST_MAX_CERTS]; + PKIX_UInt32 numNames = 0; + PKIX_UInt32 nameType; + PKIX_Boolean matchAll = PKIX_TRUE; + PKIX_Boolean testValid = PKIX_TRUE; + char *dirName = NULL; + char *anchorName = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage1(argv[0]); + return (0); + } + + startTests("SubjAltNameConstraintChecker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + j++; /* skip test-purpose string */ + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage1(argv[0]); + return (0); + } + + /* taking out leading and trailing ", if any */ + nameStr = argv[1 + j]; + subTest(nameStr); + if (*nameStr == '"') { + nameStr++; + nameEnd = nameStr; + while (*nameEnd != '"' && *nameEnd != '\0') { + nameEnd++; + } + *nameEnd = '\0'; + } + + /* extract first [0|1] inidcating matchAll or not */ + matchAll = (*nameStr == '0') ? PKIX_FALSE : PKIX_TRUE; + nameStr++; + + numNames = 0; + while (*nameStr != '\0') { + names[numNames++] = nameStr; + while (*nameStr != '+' && *nameStr != '\0') { + nameStr++; + } + if (*nameStr == '+') { + *nameStr = '\0'; + nameStr++; + } + } + + chainLength = (argc - j) - 4; + if (chainLength > PKIX_TEST_MAX_CERTS) { + printUsageMax(chainLength); + } + + for (i = 0; i < chainLength; i++) { + certNames[i] = argv[(4 + j) + i]; + certs[i] = NULL; + } + + /* SubjAltName for validation */ + + subTest("Add Subject Alt Name for NameConstraint checking"); + + subTest("Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&selParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, selParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(selParams, matchAll, plContext)); + + subTest("PKIX_ComCertSelParams_AddSubjAltName(s)"); + for (i = 0; i < numNames; i++) { + nameType = getNameType(names[i]); + if (nameType == 0xFFFF) { + return (0); + } + nameStr = names[i] + 2; + name = createGeneralName(nameType, nameStr, plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(selParams, name, plContext)); + PKIX_TEST_DECREF_BC(name); + } + + subTest("SubjAltName-Constraints - Create Cert Chain"); + + dirName = argv[3 + j]; + + chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); + + subTest("SubjAltName-Constraints - Create Params"); + + valParams = createValidateParams(dirName, + argv[4 + + j], + NULL, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + subTest("PKIX_ValidateParams_getProcessingParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); + + subTest("PKIX_ProcessingParams_SetTargetCertConstraints"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, selector, plContext)); + + subTest("Subject Alt Name - Validate Chain"); + + if (testValid == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } else { + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } + +cleanup: + + PKIX_PL_Free(anchorName, plContext); + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(selParams); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(name); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("SubjAltNameConstraintsChecker"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain.c new file mode 100644 index 000000000..98cb7b018 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_validatechain.c @@ -0,0 +1,221 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_validatechain.c + * + * Test ValidateChain function + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\nvalidateChain TestName [ENE|EE] " + "<certStoreDirectory> <trustedCert> <targetCert>\n\n"); + (void)printf("Validates a chain of certificates between " + "<trustedCert> and <targetCert>\n" + "using the certs and CRLs in <certStoreDirectory>. " + "If ENE is specified,\n" + "then an Error is Not Expected. " + "If EE is specified, an Error is Expected.\n"); +} + +static char * +createFullPathName( + char *dirName, + char *certFile, + void *plContext) +{ + PKIX_UInt32 certFileLen; + PKIX_UInt32 dirNameLen; + char *certPathName = NULL; + + PKIX_TEST_STD_VARS(); + + certFileLen = PL_strlen(certFile); + dirNameLen = PL_strlen(dirName); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(dirNameLen + + certFileLen + + 2, + (void **)&certPathName, + plContext)); + + PL_strcpy(certPathName, dirName); + PL_strcat(certPathName, "/"); + PL_strcat(certPathName, certFile); + printf("certPathName = %s\n", certPathName); + +cleanup: + + PKIX_TEST_RETURN(); + + return (certPathName); +} + +static PKIX_Error * +testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) +{ + PKIX_PL_String *dirString = NULL; + PKIX_CertStore *certStore = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_PL_Date *validity = NULL; + PKIX_List *revCheckers = NULL; + PKIX_RevocationChecker *ocspChecker = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_PL_CollectionCertStoreContext_Create"); + + /* Create CollectionCertStore */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, crlDir, 0, &dirString, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); + + /* Create CertStore */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); + + subTest("PKIX_ProcessingParams_AddCertStore"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore(procParams, certStore, plContext)); + + subTest("PKIX_ProcessingParams_SetRevocationEnabled"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_TRUE, plContext)); + + /* create current Date */ + PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime(PR_Now(), &validity, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); + + /* create revChecker */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize(validity, + NULL, /* pwArg */ + NULL, /* Use default responder */ + &ocspChecker, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)ocspChecker, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(revCheckers); + PKIX_TEST_DECREF_AC(ocspChecker); + + PKIX_TEST_RETURN(); + + return (0); +} + +int +test_validatechain(int argc, char *argv[]) +{ + + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_UInt32 actualMinorVersion; + PKIX_UInt32 j = 0; + PKIX_UInt32 k = 0; + PKIX_UInt32 chainLength = 0; + PKIX_Boolean testValid = PKIX_TRUE; + PKIX_List *chainCerts = NULL; + PKIX_PL_Cert *dirCert = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + char *dirCertName = NULL; + char *anchorCertName = NULL; + char *dirName = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage(); + return (0); + } + + startTests("ValidateChain"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage(); + return (0); + } + + subTest(argv[1 + j]); + + dirName = argv[3 + j]; + + chainLength = argc - j - 5; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext)); + + for (k = 0; k < chainLength; k++) { + + dirCert = createCert(dirName, argv[5 + k + j], plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(chainCerts, (PKIX_PL_Object *)dirCert, plContext)); + + PKIX_TEST_DECREF_BC(dirCert); + } + + valParams = createValidateParams(dirName, + argv[4 + + j], + NULL, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chainCerts, + plContext); + + testDefaultCertStore(valParams, dirName); + + if (testValid == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } else { + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } + + subTest("Displaying VerifyNode objects"); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + +cleanup: + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + + PKIX_TEST_DECREF_AC(chainCerts); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("ValidateChain"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c new file mode 100644 index 000000000..ad73a5df7 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c @@ -0,0 +1,351 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_validatechain_NB.c + * + * Test ValidateChain (nonblocking I/O) function + * + */ + +#include "testutil.h" +#include "testutil_nss.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\ntest_validateChain_NB TestName [ENE|EE] " + "<certStoreDirectory> <trustedCert> <targetCert>\n\n"); + (void)printf("Validates a chain of certificates between " + "<trustedCert> and <targetCert>\n" + "using the certs and CRLs in <certStoreDirectory>. " + "If ENE is specified,\n" + "then an Error is Not Expected. " + "If EE is specified, an Error is Expected.\n"); +} + +static char * +createFullPathName( + char *dirName, + char *certFile, + void *plContext) +{ + PKIX_UInt32 certFileLen; + PKIX_UInt32 dirNameLen; + char *certPathName = NULL; + + PKIX_TEST_STD_VARS(); + + certFileLen = PL_strlen(certFile); + dirNameLen = PL_strlen(dirName); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(dirNameLen + + certFileLen + + 2, + (void **)&certPathName, + plContext)); + + PL_strcpy(certPathName, dirName); + PL_strcat(certPathName, "/"); + PL_strcat(certPathName, certFile); + printf("certPathName = %s\n", certPathName); + +cleanup: + + PKIX_TEST_RETURN(); + + return (certPathName); +} + +static PKIX_Error * +testSetupCertStore(PKIX_ValidateParams *valParams, char *ldapName) +{ + PKIX_PL_String *dirString = NULL; + PKIX_CertStore *certStore = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_PL_LdapDefaultClient *ldapClient = NULL; + + PKIX_TEST_STD_VARS(); + + subTest("PKIX_PL_CollectionCertStoreContext_Create"); + + /* Create LDAPCertStore */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName(ldapName, + 0, /* timeout */ + NULL, /* bindPtr */ + &ldapClient, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create((PKIX_PL_LdapClient *)ldapClient, + &certStore, + plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); + + subTest("PKIX_ProcessingParams_AddCertStore"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore(procParams, certStore, plContext)); + + subTest("PKIX_ProcessingParams_SetRevocationEnabled"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_TRUE, plContext)); + +cleanup: + + PKIX_TEST_DECREF_AC(dirString); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(ldapClient); + + PKIX_TEST_RETURN(); + + return (0); +} + +static char *levels[] = { + "None", "Fatal Error", "Error", "Warning", "Debug", "Trace" +}; + +static PKIX_Error * +loggerCallback( + PKIX_Logger *logger, + PKIX_PL_String *message, + PKIX_UInt32 logLevel, + PKIX_ERRORCLASS logComponent, + void *plContext) +{ +#define resultSize 150 + char *msg = NULL; + char result[resultSize]; + + PKIX_TEST_STD_VARS(); + + msg = PKIX_String2ASCII(message, plContext); + PR_snprintf(result, resultSize, + "Logging %s (%s): %s", + levels[logLevel], + PKIX_ERRORCLASSNAMES[logComponent], + msg); + subTest(result); + +cleanup: + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(msg, plContext)); + PKIX_TEST_RETURN(); +} + +static void +testLogErrors( + PKIX_ERRORCLASS module, + PKIX_UInt32 loggingLevel, + PKIX_List *loggers, + void *plContext) +{ + PKIX_Logger *logger = NULL; + PKIX_PL_String *component = NULL; + + PKIX_TEST_STD_VARS(); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_Create(loggerCallback, NULL, &logger, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent(logger, module, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel(logger, loggingLevel, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(loggers, (PKIX_PL_Object *)logger, plContext)); + +cleanup: + PKIX_TEST_DECREF_AC(logger); + PKIX_TEST_DECREF_AC(component); + + PKIX_TEST_RETURN(); +} + +int +test_validatechain_NB(int argc, char *argv[]) +{ + + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_UInt32 actualMinorVersion; + PKIX_UInt32 j = 0; + PKIX_UInt32 k = 0; + PKIX_UInt32 chainLength = 0; + PKIX_Boolean testValid = PKIX_TRUE; + PKIX_List *chainCerts = NULL; + PKIX_PL_Cert *dirCert = NULL; + char *dirCertName = NULL; + char *anchorCertName = NULL; + char *dirName = NULL; + PKIX_UInt32 certIndex = 0; + PKIX_UInt32 anchorIndex = 0; + PKIX_UInt32 checkerIndex = 0; + PKIX_Boolean revChecking = PKIX_FALSE; + PKIX_List *checkers = NULL; + PRPollDesc *pollDesc = NULL; + PRErrorCode errorCode = 0; + PKIX_PL_Socket *socket = NULL; + char *ldapName = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + + PKIX_List *loggers = NULL; + PKIX_Logger *logger = NULL; + char *logging = NULL; + PKIX_PL_String *component = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage(); + return (0); + } + + startTests("ValidateChain_NB"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage(); + return (0); + } + + subTest(argv[1 + j]); + + dirName = argv[3 + j]; + + chainLength = argc - j - 5; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext)); + + for (k = 0; k < chainLength; k++) { + + dirCert = createCert(dirName, argv[5 + k + j], plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(chainCerts, (PKIX_PL_Object *)dirCert, plContext)); + + PKIX_TEST_DECREF_BC(dirCert); + } + + valParams = createValidateParams(dirName, + argv[4 + + j], + NULL, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chainCerts, + plContext); + + ldapName = PR_GetEnvSecure("LDAP"); + /* Is LDAP set in the environment? */ + if ((ldapName == NULL) || (*ldapName == '\0')) { + testError("LDAP not set in environment"); + goto cleanup; + } + + pkixTestErrorResult = pkix_pl_Socket_CreateByName(PKIX_FALSE, /* isServer */ + PR_SecondsToInterval(30), /* try 30 secs for connect */ + ldapName, + &errorCode, + &socket, + plContext); + + if (pkixTestErrorResult != NULL) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)pkixTestErrorResult, plContext); + pkixTestErrorResult = NULL; + testError("Unable to connect to LDAP Server"); + goto cleanup; + } + + PKIX_TEST_DECREF_BC(socket); + + testSetupCertStore(valParams, ldapName); + + logging = PR_GetEnvSecure("LOGGING"); + /* Is LOGGING set in the environment? */ + if ((logging != NULL) && (*logging != '\0')) { + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&loggers, plContext)); + + testLogErrors(PKIX_VALIDATE_ERROR, 2, loggers, plContext); + testLogErrors(PKIX_CERTCHAINCHECKER_ERROR, 2, loggers, plContext); + testLogErrors(PKIX_LDAPDEFAULTCLIENT_ERROR, 2, loggers, plContext); + testLogErrors(PKIX_CERTSTORE_ERROR, 2, loggers, plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggers, plContext)); + } + + pkixTestErrorResult = PKIX_ValidateChain_NB(valParams, + &certIndex, + &anchorIndex, + &checkerIndex, + &revChecking, + &checkers, + (void **)&pollDesc, + &valResult, + &verifyTree, + plContext); + + while (pollDesc != NULL) { + + if (PR_Poll(pollDesc, 1, 0) < 0) { + testError("PR_Poll failed"); + } + + pkixTestErrorResult = PKIX_ValidateChain_NB(valParams, + &certIndex, + &anchorIndex, + &checkerIndex, + &revChecking, + &checkers, + (void **)&pollDesc, + &valResult, + &verifyTree, + plContext); + } + + if (pkixTestErrorResult) { + if (testValid == PKIX_FALSE) { /* EE */ + (void)printf("EXPECTED ERROR RECEIVED!\n"); + } else { /* ENE */ + testError("UNEXPECTED ERROR RECEIVED"); + } + PKIX_TEST_DECREF_BC(pkixTestErrorResult); + } else { + + if (testValid == PKIX_TRUE) { /* ENE */ + (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); + } else { /* EE */ + (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n"); + } + } + +cleanup: + + if (verifyTree) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", + verifyString->escAsciiString); + } + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(checkers); + PKIX_TEST_DECREF_AC(chainCerts); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("ValidateChain_NB"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c new file mode 100644 index 000000000..480ec2643 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c @@ -0,0 +1,233 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * validateChainBasicConstraints.c + * + * Tests Cert Chain Validation + * + */ + +#include <stdio.h> +#include <string.h> +#include <stddef.h> + +#include "pkix_pl_generalname.h" +#include "pkix_pl_cert.h" +#include "pkix.h" +#include "testutil.h" +#include "prlong.h" +#include "plstr.h" +#include "prthread.h" +#include "nspr.h" +#include "prtypes.h" +#include "prtime.h" +#include "pk11func.h" +#include "secasn1.h" +#include "cert.h" +#include "cryptohi.h" +#include "secoid.h" +#include "certdb.h" +#include "secitem.h" +#include "keythi.h" +#include "nss.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + printf("\nUSAGE: incorrect.\n"); +} + +static PKIX_PL_Cert * +createCert(char *inFileName) +{ + PKIX_PL_ByteArray *byteArray = NULL; + void *buf = NULL; + PRFileDesc *inFile = NULL; + PKIX_UInt32 len; + SECItem certDER; + SECStatus rv; + /* default: NULL cert (failure case) */ + PKIX_PL_Cert *cert = NULL; + + PKIX_TEST_STD_VARS(); + + certDER.data = NULL; + + inFile = PR_Open(inFileName, PR_RDONLY, 0); + + if (!inFile) { + pkixTestErrorMsg = "Unable to open cert file"; + goto cleanup; + } else { + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); + if (!rv) { + buf = (void *)certDER.data; + len = certDER.len; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext)); + + SECITEM_FreeItem(&certDER, PR_FALSE); + } else { + pkixTestErrorMsg = "Unable to read DER from cert file"; + goto cleanup; + } + } + +cleanup: + + if (inFile) { + PR_Close(inFile); + } + + if (PKIX_TEST_ERROR_RECEIVED) { + SECITEM_FreeItem(&certDER, PR_FALSE); + } + + PKIX_TEST_DECREF_AC(byteArray); + + PKIX_TEST_RETURN(); + + return (cert); +} + +int +test_validatechain_bc(int argc, char *argv[]) +{ + + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_List *certs = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_PL_X500Name *subject = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + + char *trustedCertFile = NULL; + char *chainCertFile = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_PL_Cert *chainCert = NULL; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_UInt32 actualMinorVersion; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 3) { + printUsage(); + return (0); + } + + startTests("ValidateChainBasicConstraints"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + chainLength = (argc - j) - 2; + + /* create processing params with list of trust anchors */ + trustedCertFile = argv[1 + j]; + trustedCert = createCert(trustedCertFile); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(certSelParams, -1, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_DECREF_BC(subject); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + PKIX_TEST_DECREF_BC(certSelector); + + /* create cert chain */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); + for (i = 0; i < chainLength; i++) { + chainCertFile = argv[i + (2 + j)]; + chainCert = createCert(chainCertFile); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs, (PKIX_PL_Object *)chainCert, plContext)); + + PKIX_TEST_DECREF_BC(chainCert); + } + + /* create validate params with processing params and cert chain */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, certs, &valParams, plContext)); + + /* validate cert chain using processing params and return valResult */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + + if (valResult != NULL) { + printf("SUCCESSFULLY VALIDATED with Basic Constraint "); + printf("Cert Selector minimum path length to be -1\n"); + PKIX_TEST_DECREF_BC(valResult); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + PKIX_TEST_DECREF_BC(verifyString); + PKIX_TEST_DECREF_BC(verifyTree); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(certSelParams, 6, plContext)); + + /* validate cert chain using processing params and return valResult */ + + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + + if (valResult != NULL) { + printf("SUCCESSFULLY VALIDATED with Basic Constraint "); + printf("Cert Selector minimum path length to be 6\n"); + } + + PKIX_TEST_DECREF_BC(trustedCert); + PKIX_TEST_DECREF_BC(anchor); + PKIX_TEST_DECREF_BC(anchors); + PKIX_TEST_DECREF_BC(certs); + PKIX_TEST_DECREF_BC(procParams); + +cleanup: + + if (PKIX_TEST_ERROR_RECEIVED) { + printf("FAILED TO VALIDATE\n"); + } + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(valParams); + + PKIX_TEST_RETURN(); + + PKIX_Shutdown(plContext); + + endTests("ValidateChainBasicConstraints"); + + return (0); +} |