summaryrefslogtreecommitdiffstats
path: root/security/pkix
diff options
context:
space:
mode:
Diffstat (limited to 'security/pkix')
-rw-r--r--security/pkix/include/pkix/Input.h348
-rw-r--r--security/pkix/include/pkix/Result.h235
-rw-r--r--security/pkix/include/pkix/Time.h155
-rw-r--r--security/pkix/include/pkix/pkix.h161
-rw-r--r--security/pkix/include/pkix/pkixnss.h109
-rw-r--r--security/pkix/include/pkix/pkixtypes.h409
-rw-r--r--security/pkix/lib/ScopedPtr.h83
-rw-r--r--security/pkix/lib/pkixbuild.cpp382
-rw-r--r--security/pkix/lib/pkixcert.cpp323
-rw-r--r--security/pkix/lib/pkixcheck.cpp1088
-rw-r--r--security/pkix/lib/pkixcheck.h66
-rw-r--r--security/pkix/lib/pkixder.cpp612
-rw-r--r--security/pkix/lib/pkixder.h565
-rw-r--r--security/pkix/lib/pkixnames.cpp2050
-rw-r--r--security/pkix/lib/pkixnss.cpp228
-rw-r--r--security/pkix/lib/pkixocsp.cpp1007
-rw-r--r--security/pkix/lib/pkixresult.cpp46
-rw-r--r--security/pkix/lib/pkixtime.cpp78
-rw-r--r--security/pkix/lib/pkixutil.h289
-rw-r--r--security/pkix/lib/pkixverify.cpp103
-rw-r--r--security/pkix/moz.build41
-rw-r--r--security/pkix/test/gtest/README.txt61
-rw-r--r--security/pkix/test/gtest/moz.build66
-rw-r--r--security/pkix/test/gtest/pkixbuild_tests.cpp584
-rw-r--r--security/pkix/test/gtest/pkixcert_extension_tests.cpp270
-rw-r--r--security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp247
-rw-r--r--security/pkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp711
-rw-r--r--security/pkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp62
-rw-r--r--security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp284
-rw-r--r--security/pkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp360
-rw-r--r--security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp127
-rw-r--r--security/pkix/test/gtest/pkixcheck_ParseValidity_tests.cpp83
-rw-r--r--security/pkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp114
-rw-r--r--security/pkix/test/gtest/pkixder_input_tests.cpp920
-rw-r--r--security/pkix/test/gtest/pkixder_pki_types_tests.cpp479
-rw-r--r--security/pkix/test/gtest/pkixder_universal_types_tests.cpp1220
-rw-r--r--security/pkix/test/gtest/pkixgtest.cpp46
-rw-r--r--security/pkix/test/gtest/pkixgtest.h255
-rw-r--r--security/pkix/test/gtest/pkixnames_tests.cpp2811
-rw-r--r--security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp145
-rw-r--r--security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp1046
-rw-r--r--security/pkix/test/lib/moz.build39
-rw-r--r--security/pkix/test/lib/pkixtestalg.cpp210
-rw-r--r--security/pkix/test/lib/pkixtestnss.cpp309
-rw-r--r--security/pkix/test/lib/pkixtestutil.cpp1153
-rw-r--r--security/pkix/test/lib/pkixtestutil.h448
-rw-r--r--security/pkix/tools/DottedOIDToCode.py210
-rw-r--r--security/pkix/warnings.mozbuild41
48 files changed, 20679 insertions, 0 deletions
diff --git a/security/pkix/include/pkix/Input.h b/security/pkix/include/pkix/Input.h
new file mode 100644
index 000000000..e09526fb4
--- /dev/null
+++ b/security/pkix/include/pkix/Input.h
@@ -0,0 +1,348 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Input_h
+#define mozilla_pkix_Input_h
+
+#include <algorithm>
+
+#include "pkix/Result.h"
+#include "stdint.h"
+
+namespace mozilla { namespace pkix {
+
+class Reader;
+
+// An Input is a safety-oriented immutable weak reference to a array of bytes
+// of a known size. The data can only be legally accessed by constructing a
+// Reader object, which guarantees all accesses to the data are memory safe.
+// Neither Input not Reader provide any facilities for modifying the data
+// they reference.
+//
+// Inputs are small and should usually be passed by value, not by reference,
+// though for inline functions the distinction doesn't matter:
+//
+// Result GoodExample(Input input);
+// Result BadExample(const Input& input);
+// Result WorseExample(const uint8_t* input, size_t len);
+//
+// Note that in the example, GoodExample has the same performance
+// characteristics as WorseExample, but with much better safety guarantees.
+class Input final
+{
+public:
+ typedef uint16_t size_type;
+
+ // This constructor is useful for inputs that are statically known to be of a
+ // fixed size, e.g.:
+ //
+ // static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
+ // const Input expected(EXPECTED_BYTES);
+ //
+ // This is equivalent to (and preferred over):
+ //
+ // static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
+ // Input expected;
+ // Result rv = expected.Init(EXPECTED_BYTES, sizeof EXPECTED_BYTES);
+ template <size_type N>
+ explicit Input(const uint8_t (&data)[N])
+ : data(data)
+ , len(N)
+ {
+ }
+
+ // Construct a valid, empty, Init-able Input.
+ Input()
+ : data(nullptr)
+ , len(0u)
+ {
+ }
+
+ // This is intentionally not explicit in order to allow value semantics.
+ Input(const Input&) = default;
+
+ // Initialize the input. data must be non-null and len must be less than
+ // 65536. Init may not be called more than once.
+ Result Init(const uint8_t* data, size_t len)
+ {
+ if (this->data) {
+ // already initialized
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ if (!data || len > 0xffffu) {
+ // input too large
+ return Result::ERROR_BAD_DER;
+ }
+
+ this->data = data;
+ this->len = len;
+
+ return Success;
+ }
+
+ // Initialize the input to be equivalent to the given input. Init may not be
+ // called more than once.
+ //
+ // This is basically operator=, but it wasn't given that name because
+ // normally callers do not check the result of operator=, and normally
+ // operator= can be used multiple times.
+ Result Init(Input other)
+ {
+ return Init(other.data, other.len);
+ }
+
+ // Returns the length of the input.
+ //
+ // Having the return type be size_type instead of size_t avoids the need for
+ // callers to ensure that the result is small enough.
+ size_type GetLength() const { return static_cast<size_type>(len); }
+
+ // Don't use this. It is here because we have some "friend" functions that we
+ // don't want to declare in this header file.
+ const uint8_t* UnsafeGetData() const { return data; }
+
+private:
+ const uint8_t* data;
+ size_t len;
+
+ void operator=(const Input&) = delete; // Use Init instead.
+};
+
+inline bool
+InputsAreEqual(const Input& a, const Input& b)
+{
+ return a.GetLength() == b.GetLength() &&
+ std::equal(a.UnsafeGetData(), a.UnsafeGetData() + a.GetLength(), b.UnsafeGetData());
+}
+
+// An Reader is a cursor/iterator through the contents of an Input, designed to
+// maximize safety during parsing while minimizing the performance cost of that
+// safety. In particular, all methods do strict bounds checking to ensure
+// buffer overflows are impossible, and they are all inline so that the
+// compiler can coalesce as many of those checks together as possible.
+//
+// In general, Reader allows for one byte of lookahead and no backtracking.
+// However, the Match* functions internally may have more lookahead.
+class Reader final
+{
+public:
+ Reader()
+ : input(nullptr)
+ , end(nullptr)
+ {
+ }
+
+ explicit Reader(Input input)
+ : input(input.UnsafeGetData())
+ , end(input.UnsafeGetData() + input.GetLength())
+ {
+ }
+
+ Result Init(Input input)
+ {
+ if (this->input) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ this->input = input.UnsafeGetData();
+ this->end = input.UnsafeGetData() + input.GetLength();
+ return Success;
+ }
+
+ bool Peek(uint8_t expectedByte) const
+ {
+ return input < end && *input == expectedByte;
+ }
+
+ Result Read(uint8_t& out)
+ {
+ Result rv = EnsureLength(1);
+ if (rv != Success) {
+ return rv;
+ }
+ out = *input++;
+ return Success;
+ }
+
+ Result Read(uint16_t& out)
+ {
+ Result rv = EnsureLength(2);
+ if (rv != Success) {
+ return rv;
+ }
+ out = *input++;
+ out <<= 8u;
+ out |= *input++;
+ return Success;
+ }
+
+ template <Input::size_type N>
+ bool MatchRest(const uint8_t (&toMatch)[N])
+ {
+ // Normally we use EnsureLength which compares (input + len < end), but
+ // here we want to be sure that there is nothing following the matched
+ // bytes
+ if (static_cast<size_t>(end - input) != N) {
+ return false;
+ }
+ if (!std::equal(input, end, toMatch)) {
+ return false;
+ }
+ input = end;
+ return true;
+ }
+
+ bool MatchRest(Input toMatch)
+ {
+ // Normally we use EnsureLength which compares (input + len < end), but
+ // here we want to be sure that there is nothing following the matched
+ // bytes
+ size_t remaining = static_cast<size_t>(end - input);
+ if (toMatch.GetLength() != remaining) {
+ return false;
+ }
+ if (!std::equal(input, end, toMatch.UnsafeGetData())) {
+ return false;
+ }
+ input = end;
+ return true;
+ }
+
+ Result Skip(Input::size_type len)
+ {
+ Result rv = EnsureLength(len);
+ if (rv != Success) {
+ return rv;
+ }
+ input += len;
+ return Success;
+ }
+
+ Result Skip(Input::size_type len, Reader& skipped)
+ {
+ Result rv = EnsureLength(len);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = skipped.Init(input, len);
+ if (rv != Success) {
+ return rv;
+ }
+ input += len;
+ return Success;
+ }
+
+ Result Skip(Input::size_type len, /*out*/ Input& skipped)
+ {
+ Result rv = EnsureLength(len);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = skipped.Init(input, len);
+ if (rv != Success) {
+ return rv;
+ }
+ input += len;
+ return Success;
+ }
+
+ void SkipToEnd()
+ {
+ input = end;
+ }
+
+ Result SkipToEnd(/*out*/ Input& skipped)
+ {
+ return Skip(static_cast<Input::size_type>(end - input), skipped);
+ }
+
+ Result EnsureLength(Input::size_type len)
+ {
+ if (static_cast<size_t>(end - input) < len) {
+ return Result::ERROR_BAD_DER;
+ }
+ return Success;
+ }
+
+ bool AtEnd() const { return input == end; }
+
+ class Mark final
+ {
+ public:
+ Mark(const Mark&) = default; // Intentionally not explicit.
+ private:
+ friend class Reader;
+ Mark(const Reader& input, const uint8_t* mark) : input(input), mark(mark) { }
+ const Reader& input;
+ const uint8_t* const mark;
+ void operator=(const Mark&) = delete;
+ };
+
+ Mark GetMark() const { return Mark(*this, input); }
+
+ Result GetInput(const Mark& mark, /*out*/ Input& item)
+ {
+ if (&mark.input != this || mark.mark > input) {
+ return NotReached("invalid mark", Result::FATAL_ERROR_INVALID_ARGS);
+ }
+ return item.Init(mark.mark,
+ static_cast<Input::size_type>(input - mark.mark));
+ }
+
+private:
+ Result Init(const uint8_t* data, Input::size_type len)
+ {
+ if (input) {
+ // already initialized
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ input = data;
+ end = data + len;
+ return Success;
+ }
+
+ const uint8_t* input;
+ const uint8_t* end;
+
+ Reader(const Reader&) = delete;
+ void operator=(const Reader&) = delete;
+};
+
+inline bool
+InputContains(const Input& input, uint8_t toFind)
+{
+ Reader reader(input);
+ for (;;) {
+ uint8_t b;
+ if (reader.Read(b) != Success) {
+ return false;
+ }
+ if (b == toFind) {
+ return true;
+ }
+ }
+}
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_Input_h
diff --git a/security/pkix/include/pkix/Result.h b/security/pkix/include/pkix/Result.h
new file mode 100644
index 000000000..410b7bcbe
--- /dev/null
+++ b/security/pkix/include/pkix/Result.h
@@ -0,0 +1,235 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Result_h
+#define mozilla_pkix_Result_h
+
+#include <cassert>
+
+namespace mozilla { namespace pkix {
+
+static const unsigned int FATAL_ERROR_FLAG = 0x800;
+
+// ----------------------------------------------------------------------------
+// SELECTED ERROR CODE EXPLANATIONS
+//
+// Result::ERROR_UNTRUSTED_CERT
+// means that the end-entity certificate was actively distrusted.
+// Result::ERROR_UNTRUSTED_ISSUER
+// means that path building failed because of active distrust.
+// Result::ERROR_INVALID_DER_TIME
+// means the DER-encoded time was unexpected, such as being before the
+// UNIX epoch (allowed by X500, but not valid here).
+// Result::ERROR_EXPIRED_CERTIFICATE
+// means the end entity certificate expired.
+// Result::ERROR_EXPIRED_ISSUER_CERTIFICATE
+// means the CA certificate expired.
+// Result::ERROR_UNKNOWN_ISSUER
+// means that the CA could not be found in the root store.
+// Result::ERROR_POLICY_VALIDATION_FAILED
+// means that an encoded policy could not be applied or wasn't present
+// when expected. Usually this is in the context of Extended Validation.
+// Result::ERROR_BAD_CERT_DOMAIN
+// means that the certificate's name couldn't be matched to the
+// reference identifier.
+// Result::ERROR_CERT_NOT_IN_NAME_SPACE
+// typically means the certificate violates name constraints applied
+// by the issuer.
+// Result::ERROR_BAD_DER
+// means the input was improperly encoded.
+// Result::ERROR_UNKNOWN_ERROR
+// means that an external library (NSS) provided an error we didn't
+// anticipate. See the map below in Result.h to add new ones.
+// Result::FATAL_ERROR_LIBRARY_FAILURE
+// is an unexpected fatal error indicating a library had an unexpected
+// failure, and we can't proceed.
+// Result::FATAL_ERROR_INVALID_ARGS
+// means that we violated our own expectations on inputs and there's a
+// bug somewhere.
+// Result::FATAL_ERROR_INVALID_STATE
+// means that we violated our own expectations on state and there's a
+// bug somewhere.
+// Result::FATAL_ERROR_NO_MEMORY
+// means a memory allocation failed, prohibiting validation.
+// ----------------------------------------------------------------------------
+
+// The first argument to MOZILLA_PKIX_MAP() is used for building the mapping
+// from error code to error name in MapResultToName.
+//
+// The second argument is for defining the value for the enum literal in the
+// Result enum class.
+//
+// The third argument to MOZILLA_PKIX_MAP() is used, along with the first
+// argument, for maintaining the mapping of mozilla::pkix error codes to
+// NSS/NSPR error codes in pkixnss.cpp.
+#define MOZILLA_PKIX_MAP_LIST \
+ MOZILLA_PKIX_MAP(Success, 0, 0) \
+ MOZILLA_PKIX_MAP(ERROR_BAD_DER, 1, \
+ SEC_ERROR_BAD_DER) \
+ MOZILLA_PKIX_MAP(ERROR_CA_CERT_INVALID, 2, \
+ SEC_ERROR_CA_CERT_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_BAD_SIGNATURE, 3, \
+ SEC_ERROR_BAD_SIGNATURE) \
+ MOZILLA_PKIX_MAP(ERROR_CERT_BAD_ACCESS_LOCATION, 4, \
+ SEC_ERROR_CERT_BAD_ACCESS_LOCATION) \
+ MOZILLA_PKIX_MAP(ERROR_CERT_NOT_IN_NAME_SPACE, 5, \
+ SEC_ERROR_CERT_NOT_IN_NAME_SPACE) \
+ MOZILLA_PKIX_MAP(ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 6, \
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) \
+ MOZILLA_PKIX_MAP(ERROR_CONNECT_REFUSED, 7, \
+ PR_CONNECT_REFUSED_ERROR) \
+ MOZILLA_PKIX_MAP(ERROR_EXPIRED_CERTIFICATE, 8, \
+ SEC_ERROR_EXPIRED_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_EXTENSION_VALUE_INVALID, 9, \
+ SEC_ERROR_EXTENSION_VALUE_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_INADEQUATE_CERT_TYPE, 10, \
+ SEC_ERROR_INADEQUATE_CERT_TYPE) \
+ MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_USAGE, 11, \
+ SEC_ERROR_INADEQUATE_KEY_USAGE) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_ALGORITHM, 12, \
+ SEC_ERROR_INVALID_ALGORITHM) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_DER_TIME, 13, \
+ SEC_ERROR_INVALID_TIME) \
+ MOZILLA_PKIX_MAP(ERROR_KEY_PINNING_FAILURE, 14, \
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE) \
+ MOZILLA_PKIX_MAP(ERROR_PATH_LEN_CONSTRAINT_INVALID, 15, \
+ SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_POLICY_VALIDATION_FAILED, 16, \
+ SEC_ERROR_POLICY_VALIDATION_FAILED) \
+ MOZILLA_PKIX_MAP(ERROR_REVOKED_CERTIFICATE, 17, \
+ SEC_ERROR_REVOKED_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_UNKNOWN_CRITICAL_EXTENSION, 18, \
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) \
+ MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ERROR, 19, \
+ PR_UNKNOWN_ERROR) \
+ MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ISSUER, 20, \
+ SEC_ERROR_UNKNOWN_ISSUER) \
+ MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_CERT, 21, \
+ SEC_ERROR_UNTRUSTED_CERT) \
+ MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_ISSUER, 22, \
+ SEC_ERROR_UNTRUSTED_ISSUER) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_BAD_SIGNATURE, 23, \
+ SEC_ERROR_OCSP_BAD_SIGNATURE) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_INVALID_SIGNING_CERT, 24, \
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_REQUEST, 25, \
+ SEC_ERROR_OCSP_MALFORMED_REQUEST) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_RESPONSE, 26, \
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_OLD_RESPONSE, 27, \
+ SEC_ERROR_OCSP_OLD_RESPONSE) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_REQUEST_NEEDS_SIG, 28, \
+ SEC_ERROR_OCSP_REQUEST_NEEDS_SIG) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONDER_CERT_INVALID, 29, \
+ SEC_ERROR_OCSP_RESPONDER_CERT_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_SERVER_ERROR, 30, \
+ SEC_ERROR_OCSP_SERVER_ERROR) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_TRY_SERVER_LATER, 31, \
+ SEC_ERROR_OCSP_TRY_SERVER_LATER) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_UNAUTHORIZED_REQUEST, 32, \
+ SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, 33, \
+ SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_CERT, 34, \
+ SEC_ERROR_OCSP_UNKNOWN_CERT) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_FUTURE_RESPONSE, 35, \
+ SEC_ERROR_OCSP_FUTURE_RESPONSE) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_KEY, 36, \
+ SEC_ERROR_INVALID_KEY) \
+ MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_KEYALG, 37, \
+ SEC_ERROR_UNSUPPORTED_KEYALG) \
+ MOZILLA_PKIX_MAP(ERROR_EXPIRED_ISSUER_CERTIFICATE, 38, \
+ SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_CA_CERT_USED_AS_END_ENTITY, 39, \
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
+ MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_SIZE, 40, \
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
+ MOZILLA_PKIX_MAP(ERROR_V1_CERT_USED_AS_CA, 41, \
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA) \
+ MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, \
+ SSL_ERROR_BAD_CERT_DOMAIN) \
+ MOZILLA_PKIX_MAP(ERROR_NO_RFC822NAME_MATCH, 43, \
+ MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH) \
+ MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_ELLIPTIC_CURVE, 44, \
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_CERTIFICATE, 45, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_EC_POINT_FORM, 47, \
+ SEC_ERROR_UNSUPPORTED_EC_POINT_FORM) \
+ MOZILLA_PKIX_MAP(ERROR_SIGNATURE_ALGORITHM_MISMATCH, 48, \
+ MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, 49, \
+ MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING) \
+ MOZILLA_PKIX_MAP(ERROR_VALIDITY_TOO_LONG, 50, \
+ MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG) \
+ MOZILLA_PKIX_MAP(ERROR_REQUIRED_TLS_FEATURE_MISSING, 51, \
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_INTEGER_ENCODING, 52, \
+ MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING) \
+ MOZILLA_PKIX_MAP(ERROR_EMPTY_ISSUER_NAME, 53, \
+ MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
+ SEC_ERROR_INVALID_ARGS) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \
+ PR_INVALID_STATE_ERROR) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_LIBRARY_FAILURE, FATAL_ERROR_FLAG | 3, \
+ SEC_ERROR_LIBRARY_FAILURE) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4, \
+ SEC_ERROR_NO_MEMORY) \
+ /* nothing here */
+
+enum class Result
+{
+#define MOZILLA_PKIX_MAP(name, value, nss_name) name = value,
+ MOZILLA_PKIX_MAP_LIST
+#undef MOZILLA_PKIX_MAP
+};
+
+// Returns the stringified name of the given result, e.g. "Result::Success",
+// or nullptr if result is unknown (invalid).
+const char* MapResultToName(Result result);
+
+// We write many comparisons as (x != Success), and this shortened name makes
+// those comparisons clearer, especially because the shortened name often
+// results in less line wrapping.
+static const Result Success = Result::Success;
+
+inline bool
+IsFatalError(Result rv)
+{
+ return (static_cast<unsigned int>(rv) & FATAL_ERROR_FLAG) != 0;
+}
+
+inline Result
+NotReached(const char* /*explanation*/, Result result)
+{
+ assert(false);
+ return result;
+}
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_Result_h
diff --git a/security/pkix/include/pkix/Time.h b/security/pkix/include/pkix/Time.h
new file mode 100644
index 000000000..d96ac82ff
--- /dev/null
+++ b/security/pkix/include/pkix/Time.h
@@ -0,0 +1,155 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Time_h
+#define mozilla_pkix_Time_h
+
+#include <ctime>
+#include <limits>
+#include <stdint.h>
+
+#include "pkix/Result.h"
+
+namespace mozilla { namespace pkix {
+
+// Time with a range from the first second of year 0 (AD) through at least the
+// last second of year 9999, which is the range of legal times in X.509 and
+// OCSP. This type has second-level precision. The time zone is always UTC.
+//
+// Pass by value, not by reference.
+class Time final
+{
+public:
+ // Construct an uninitialized instance.
+ //
+ // This will fail to compile because there is no default constructor:
+ // Time x;
+ //
+ // This will succeed, leaving the time uninitialized:
+ // Time x(Time::uninitialized);
+ enum Uninitialized { uninitialized };
+ explicit Time(Uninitialized) { }
+
+ bool operator==(const Time& other) const
+ {
+ return elapsedSecondsAD == other.elapsedSecondsAD;
+ }
+ bool operator>(const Time& other) const
+ {
+ return elapsedSecondsAD > other.elapsedSecondsAD;
+ }
+ bool operator>=(const Time& other) const
+ {
+ return elapsedSecondsAD >= other.elapsedSecondsAD;
+ }
+ bool operator<(const Time& other) const
+ {
+ return elapsedSecondsAD < other.elapsedSecondsAD;
+ }
+ bool operator<=(const Time& other) const
+ {
+ return elapsedSecondsAD <= other.elapsedSecondsAD;
+ }
+
+ Result AddSeconds(uint64_t seconds)
+ {
+ if (std::numeric_limits<uint64_t>::max() - elapsedSecondsAD
+ < seconds) {
+ return Result::FATAL_ERROR_INVALID_ARGS; // integer overflow
+ }
+ elapsedSecondsAD += seconds;
+ return Success;
+ }
+
+ Result SubtractSeconds(uint64_t seconds)
+ {
+ if (seconds > elapsedSecondsAD) {
+ return Result::FATAL_ERROR_INVALID_ARGS; // integer overflow
+ }
+ elapsedSecondsAD -= seconds;
+ return Success;
+ }
+
+ static const uint64_t ONE_DAY_IN_SECONDS
+ = UINT64_C(24) * UINT64_C(60) * UINT64_C(60);
+
+private:
+ // This constructor is hidden to prevent accidents like this:
+ //
+ // Time foo(time_t t)
+ // {
+ // // WRONG! 1970-01-01-00:00:00 == time_t(0), but not Time(0)!
+ // return Time(t);
+ // }
+ explicit Time(uint64_t elapsedSecondsAD)
+ : elapsedSecondsAD(elapsedSecondsAD)
+ {
+ }
+ friend Time TimeFromElapsedSecondsAD(uint64_t);
+ friend class Duration;
+
+ uint64_t elapsedSecondsAD;
+};
+
+inline Time TimeFromElapsedSecondsAD(uint64_t elapsedSecondsAD)
+{
+ return Time(elapsedSecondsAD);
+}
+
+Time Now();
+
+// Note the epoch is the unix epoch (ie 00:00:00 UTC, 1 January 1970)
+Time TimeFromEpochInSeconds(uint64_t secondsSinceEpoch);
+
+class Duration final
+{
+public:
+ Duration(Time timeA, Time timeB)
+ : durationInSeconds(timeA < timeB
+ ? timeB.elapsedSecondsAD - timeA.elapsedSecondsAD
+ : timeA.elapsedSecondsAD - timeB.elapsedSecondsAD)
+ {
+ }
+
+ explicit Duration(uint64_t durationInSeconds)
+ : durationInSeconds(durationInSeconds)
+ {
+ }
+
+ bool operator>(const Duration& other) const
+ {
+ return durationInSeconds > other.durationInSeconds;
+ }
+ bool operator<(const Duration& other) const
+ {
+ return durationInSeconds < other.durationInSeconds;
+ }
+
+private:
+ uint64_t durationInSeconds;
+};
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_Time_h
diff --git a/security/pkix/include/pkix/pkix.h b/security/pkix/include/pkix/pkix.h
new file mode 100644
index 000000000..da4f63615
--- /dev/null
+++ b/security/pkix/include/pkix/pkix.h
@@ -0,0 +1,161 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkix_h
+#define mozilla_pkix_pkix_h
+
+#include "pkixtypes.h"
+
+namespace mozilla { namespace pkix {
+
+// ----------------------------------------------------------------------------
+// LIMITED SUPPORT FOR CERTIFICATE POLICIES
+//
+// If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
+// parameter then all policy validation will be skipped. Otherwise, path
+// building and validation will be done for the given policy.
+//
+// In RFC 5280 terms:
+//
+// * user-initial-policy-set = { requiredPolicy }.
+// * initial-explicit-policy = true
+// * initial-any-policy-inhibit = false
+//
+// We allow intermediate cerificates to use this extension but since
+// we do not process the inhibit anyPolicy extesion we will fail if this
+// extension is present. TODO(bug 989051)
+// Because we force explicit policy and because we prohibit policy mapping, we
+// do not bother processing the policy mapping, or policy constraint.
+//
+// ----------------------------------------------------------------------------
+// ERROR RANKING
+//
+// BuildCertChain prioritizes certain checks ahead of others so that when a
+// certificate chain has multiple errors, the "most serious" error is
+// returned. In practice, this ranking of seriousness is tied directly to how
+// Firefox's certificate error override mechanism.
+//
+// The ranking is:
+//
+// 1. Active distrust (Result::ERROR_UNTRUSTED_CERT).
+// 2. Problems with issuer-independent properties for CA certificates.
+// 3. Unknown issuer (Result::ERROR_UNKNOWN_ISSUER).
+// 4. Problems with issuer-independent properties for EE certificates.
+// 5. Revocation.
+//
+// In particular, if BuildCertChain returns Result::ERROR_UNKNOWN_ISSUER then
+// the caller can call CERT_CheckCertValidTimes to determine if the certificate
+// is ALSO expired.
+//
+// It would be better if revocation were prioritized above expiration and
+// unknown issuer. However, it is impossible to do revocation checking without
+// knowing the issuer, since the issuer information is needed to validate the
+// revocation information. Also, generally revocation checking only works
+// during the validity period of the certificate.
+//
+// In general, when path building fails, BuildCertChain will return
+// Result::ERROR_UNKNOWN_ISSUER. However, if all attempted paths resulted in
+// the same error (which is trivially true when there is only one potential
+// path), more specific errors will be returned.
+//
+// ----------------------------------------------------------------------------
+// Meanings of specific error codes can be found in Result.h
+
+// This function attempts to find a trustworthy path from the supplied
+// certificate to a trust anchor. In the event that no trusted path is found,
+// the method returns an error result; the error ranking is described above.
+//
+// Parameters:
+// time:
+// Timestamp for which the chain should be valid; this is useful to
+// analyze whether a record was trustworthy when it was made.
+// requiredKeyUsageIfPresent:
+// What key usage bits must be set, if the extension is present at all,
+// to be considered a valid chain. Multiple values should be OR'd
+// together. If you don't want to specify anything, use
+// KeyUsage::noParticularKeyUsageRequired.
+// requiredEKUIfPresent:
+// What extended key usage bits must be set, if the EKU extension
+// exists, to be considered a valid chain. Multiple values should be
+// OR'd together. If you don't want to specify anything, use
+// KeyPurposeId::anyExtendedKeyUsage.
+// requiredPolicy:
+// This is the policy to apply; typically included in EV certificates.
+// If there is no policy, pass in CertPolicyId::anyPolicy.
+Result BuildCertChain(TrustDomain& trustDomain, Input cert,
+ Time time, EndEntityOrCA endEntityOrCA,
+ KeyUsage requiredKeyUsageIfPresent,
+ KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ /*optional*/ const Input* stapledOCSPResponse);
+
+// Verify that the given end-entity cert, which is assumed to have been already
+// validated with BuildCertChain, is valid for the given hostname. The matching
+// function attempts to implement RFC 6125 with a couple of differences:
+// - IP addresses are out of scope of RFC 6125, but this method accepts them for
+// backward compatibility (see SearchNames in pkixnames.cpp)
+// - A wildcard in a DNS-ID may only appear as the entirety of the first label.
+Result CheckCertHostname(Input cert, Input hostname,
+ NameMatchingPolicy& nameMatchingPolicy);
+
+// Construct an RFC-6960-encoded OCSP request, ready for submission to a
+// responder, for the provided CertID. The request has no extensions.
+static const size_t OCSP_REQUEST_MAX_LENGTH = 127;
+Result CreateEncodedOCSPRequest(TrustDomain& trustDomain,
+ const CertID& certID,
+ /*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
+ /*out*/ size_t& outLen);
+
+// The out parameter expired will be true if the response has expired. If the
+// response also indicates a revoked or unknown certificate, that error
+// will be returned. Otherwise, Result::ERROR_OCSP_OLD_RESPONSE will be
+// returned for an expired response.
+//
+// The optional parameter thisUpdate will be the thisUpdate value of
+// the encoded response if it is considered trustworthy. Only
+// good, unknown, or revoked responses that verify correctly are considered
+// trustworthy. If the response is not trustworthy, thisUpdate will be 0.
+// Similarly, the optional parameter validThrough will be the time through
+// which the encoded response is considered trustworthy (that is, as long as
+// the given time at which to validate is less than or equal to validThrough,
+// the response will be considered trustworthy).
+Result VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
+ const CertID& certID, Time time,
+ uint16_t maxLifetimeInDays,
+ Input encodedResponse,
+ /* out */ bool& expired,
+ /* optional out */ Time* thisUpdate = nullptr,
+ /* optional out */ Time* validThrough = nullptr);
+
+// Check that the TLSFeature extensions in a given end-entity cert (which is
+// assumed to have been already validated with BuildCertChain) are satisfied.
+// The only feature which we cancurrently process a requirement for is
+// status_request (OCSP stapling) so we reject any extension that specifies a
+// requirement for another value. Empty extensions are also rejected.
+Result CheckTLSFeaturesAreSatisfied(Input& cert,
+ const Input* stapledOCSPResponse);
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_pkix_h
diff --git a/security/pkix/include/pkix/pkixnss.h b/security/pkix/include/pkix/pkixnss.h
new file mode 100644
index 000000000..2650d8f68
--- /dev/null
+++ b/security/pkix/include/pkix/pkixnss.h
@@ -0,0 +1,109 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixnss_h
+#define mozilla_pkix_pkixnss_h
+
+#include "pkixtypes.h"
+#include "prerror.h"
+#include "seccomon.h"
+
+namespace mozilla { namespace pkix {
+
+// Verifies the PKCS#1.5 signature on the given data using the given RSA public
+// key.
+Result VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
+ Input subjectPublicKeyInfo,
+ void* pkcs11PinArg);
+
+// Verifies the ECDSA signature on the given data using the given ECC public
+// key.
+Result VerifyECDSASignedDigestNSS(const SignedDigest& sd,
+ Input subjectPublicKeyInfo,
+ void* pkcs11PinArg);
+
+// Computes the digest of the given data using the given digest algorithm.
+//
+// item contains the data to hash.
+// digestBuf must point to a buffer to where the digest will be written.
+// digestBufLen must be the size of the buffer, which must be exactly equal
+// to the size of the digest output (20 for SHA-1, 32 for SHA-256,
+// etc.)
+//
+// TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
+// other, extensive, memory safety efforts in mozilla::pkix, and we should find
+// a way to provide a more-obviously-safe interface.
+Result DigestBufNSS(Input item,
+ DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf,
+ size_t digestBufLen);
+
+Result MapPRErrorCodeToResult(PRErrorCode errorCode);
+PRErrorCode MapResultToPRErrorCode(Result result);
+
+// The error codes within each module must fit in 16 bits. We want these
+// errors to fit in the same module as the NSS errors but not overlap with
+// any of them. Converting an NSS SEC, NSS SSL, or PSM error to an NS error
+// involves negating the value of the error and then synthesizing an error
+// in the NS_ERROR_MODULE_SECURITY module. Hence, PSM errors will start at
+// a negative value that both doesn't overlap with the current value
+// ranges for NSS errors and that will fit in 16 bits when negated.
+static const PRErrorCode ERROR_BASE = -0x4000;
+static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
+
+enum ErrorCode
+{
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
+ MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
+ MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH = ERROR_BASE + 7,
+ MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = ERROR_BASE + 8,
+ MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG = ERROR_BASE + 9,
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = ERROR_BASE + 10,
+ MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING = ERROR_BASE + 11,
+ MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = ERROR_BASE + 12,
+ END_OF_LIST
+};
+
+void RegisterErrorTable();
+
+inline SECItem UnsafeMapInputToSECItem(Input input)
+{
+ SECItem result = {
+ siBuffer,
+ const_cast<uint8_t*>(input.UnsafeGetData()),
+ input.GetLength()
+ };
+ static_assert(sizeof(decltype(input.GetLength())) <= sizeof(result.len),
+ "input.GetLength() must fit in a SECItem");
+ return result;
+}
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_pkixnss_h
diff --git a/security/pkix/include/pkix/pkixtypes.h b/security/pkix/include/pkix/pkixtypes.h
new file mode 100644
index 000000000..0a8f770a1
--- /dev/null
+++ b/security/pkix/include/pkix/pkixtypes.h
@@ -0,0 +1,409 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixtypes_h
+#define mozilla_pkix_pkixtypes_h
+
+#include "pkix/Input.h"
+#include "pkix/Time.h"
+#include "stdint.h"
+
+namespace mozilla { namespace pkix {
+
+enum class DigestAlgorithm
+{
+ sha512 = 1,
+ sha384 = 2,
+ sha256 = 3,
+ sha1 = 4,
+};
+
+enum class NamedCurve
+{
+ // secp521r1 (OID 1.3.132.0.35, RFC 5480)
+ secp521r1 = 1,
+
+ // secp384r1 (OID 1.3.132.0.34, RFC 5480)
+ secp384r1 = 2,
+
+ // secp256r1 (OID 1.2.840.10045.3.1.7, RFC 5480)
+ secp256r1 = 3,
+};
+
+struct SignedDigest final
+{
+ Input digest;
+ DigestAlgorithm digestAlgorithm;
+ Input signature;
+
+ void operator=(const SignedDigest&) = delete;
+};
+
+enum class EndEntityOrCA { MustBeEndEntity = 0, MustBeCA = 1 };
+
+enum class KeyUsage : uint8_t
+{
+ digitalSignature = 0,
+ nonRepudiation = 1,
+ keyEncipherment = 2,
+ dataEncipherment = 3,
+ keyAgreement = 4,
+ keyCertSign = 5,
+ // cRLSign = 6,
+ // encipherOnly = 7,
+ // decipherOnly = 8,
+ noParticularKeyUsageRequired = 0xff,
+};
+
+enum class KeyPurposeId
+{
+ anyExtendedKeyUsage = 0,
+ id_kp_serverAuth = 1, // id-kp-serverAuth
+ id_kp_clientAuth = 2, // id-kp-clientAuth
+ id_kp_codeSigning = 3, // id-kp-codeSigning
+ id_kp_emailProtection = 4, // id-kp-emailProtection
+ id_kp_OCSPSigning = 9, // id-kp-OCSPSigning
+};
+
+struct CertPolicyId final
+{
+ uint16_t numBytes;
+ static const uint16_t MAX_BYTES = 24;
+ uint8_t bytes[MAX_BYTES];
+
+ bool IsAnyPolicy() const;
+
+ static const CertPolicyId anyPolicy;
+};
+
+enum class TrustLevel
+{
+ TrustAnchor = 1, // certificate is a trusted root CA certificate or
+ // equivalent *for the given policy*.
+ ActivelyDistrusted = 2, // certificate is known to be bad
+ InheritsTrust = 3 // certificate must chain to a trust anchor
+};
+
+// Extensions extracted during the verification flow.
+// See TrustDomain::NoteAuxiliaryExtension.
+enum class AuxiliaryExtension
+{
+ // Certificate Transparency data, specifically Signed Certificate
+ // Timestamps (SCTs). See RFC 6962.
+
+ // SCT list embedded in the end entity certificate. Called by BuildCertChain
+ // after the certificate containing the SCTs has passed the revocation checks.
+ EmbeddedSCTList = 1,
+ // SCT list from OCSP response. Called by VerifyEncodedOCSPResponse
+ // when its result is a success and the SCT list is present.
+ SCTListFromOCSPResponse = 2
+};
+
+// CertID references the information needed to do revocation checking for the
+// certificate issued by the given issuer with the given serial number.
+//
+// issuer must be the DER-encoded issuer field from the certificate for which
+// revocation checking is being done, **NOT** the subject field of the issuer
+// certificate. (Those two fields must be equal to each other, but they may not
+// be encoded exactly the same, and the encoding matters for OCSP.)
+// issuerSubjectPublicKeyInfo is the entire DER-encoded subjectPublicKeyInfo
+// field from the issuer's certificate. serialNumber is the entire DER-encoded
+// serial number from the subject certificate (the certificate for which we are
+// checking the revocation status).
+struct CertID final
+{
+public:
+ CertID(Input issuer, Input issuerSubjectPublicKeyInfo, Input serialNumber)
+ : issuer(issuer)
+ , issuerSubjectPublicKeyInfo(issuerSubjectPublicKeyInfo)
+ , serialNumber(serialNumber)
+ {
+ }
+ const Input issuer;
+ const Input issuerSubjectPublicKeyInfo;
+ const Input serialNumber;
+
+ void operator=(const CertID&) = delete;
+};
+
+class DERArray
+{
+public:
+ // Returns the number of DER-encoded items in the array.
+ virtual size_t GetLength() const = 0;
+
+ // Returns a weak (non-owning) pointer the ith DER-encoded item in the array
+ // (0-indexed). The result is guaranteed to be non-null if i < GetLength(),
+ // and the result is guaranteed to be nullptr if i >= GetLength().
+ virtual const Input* GetDER(size_t i) const = 0;
+protected:
+ DERArray() { }
+ virtual ~DERArray() { }
+};
+
+// Applications control the behavior of path building and verification by
+// implementing the TrustDomain interface. The TrustDomain is used for all
+// cryptography and for determining which certificates are trusted or
+// distrusted.
+class TrustDomain
+{
+public:
+ virtual ~TrustDomain() { }
+
+ // Determine the level of trust in the given certificate for the given role.
+ // This will be called for every certificate encountered during path
+ // building.
+ //
+ // When policy.IsAnyPolicy(), then no policy-related checking should be done.
+ // When !policy.IsAnyPolicy(), then GetCertTrust MUST NOT return with
+ // trustLevel == TrustAnchor unless the given cert is considered a trust
+ // anchor *for that policy*. In particular, if the user has marked an
+ // intermediate certificate as trusted, but that intermediate isn't in the
+ // list of EV roots, then GetCertTrust must result in
+ // trustLevel == InheritsTrust instead of trustLevel == TrustAnchor
+ // (assuming the candidate cert is not actively distrusted).
+ virtual Result GetCertTrust(EndEntityOrCA endEntityOrCA,
+ const CertPolicyId& policy,
+ Input candidateCertDER,
+ /*out*/ TrustLevel& trustLevel) = 0;
+
+ class IssuerChecker
+ {
+ public:
+ // potentialIssuerDER is the complete DER encoding of the certificate to
+ // be checked as a potential issuer.
+ //
+ // If additionalNameConstraints is not nullptr then it must point to an
+ // encoded NameConstraints extension value; in that case, those name
+ // constraints will be checked in addition to any any name constraints
+ // contained in potentialIssuerDER.
+ virtual Result Check(Input potentialIssuerDER,
+ /*optional*/ const Input* additionalNameConstraints,
+ /*out*/ bool& keepGoing) = 0;
+ protected:
+ IssuerChecker();
+ virtual ~IssuerChecker();
+
+ IssuerChecker(const IssuerChecker&) = delete;
+ void operator=(const IssuerChecker&) = delete;
+ };
+
+ // Search for a CA certificate with the given name. The implementation must
+ // call checker.Check with the DER encoding of the potential issuer
+ // certificate. The implementation must follow these rules:
+ //
+ // * The implementation must be reentrant and must limit the amount of stack
+ // space it uses; see the note on reentrancy and stack usage below.
+ // * When checker.Check does not return Success then immediately return its
+ // return value.
+ // * When checker.Check returns Success and sets keepGoing = false, then
+ // immediately return Success.
+ // * When checker.Check returns Success and sets keepGoing = true, then
+ // call checker.Check again with a different potential issuer certificate,
+ // if any more are available.
+ // * When no more potential issuer certificates are available, return
+ // Success.
+ // * Don't call checker.Check with the same potential issuer certificate more
+ // than once in a given call of FindIssuer.
+ // * The given time parameter may be used to filter out certificates that are
+ // not valid at the given time, or it may be ignored.
+ //
+ // Note on reentrancy and stack usage: checker.Check will attempt to
+ // recursively build a certificate path from the potential issuer it is given
+ // to a trusted root, as determined by this TrustDomain. That means that
+ // checker.Check may call any/all of the methods on this TrustDomain. In
+ // particular, there will be call stacks that look like this:
+ //
+ // BuildCertChain
+ // [...]
+ // TrustDomain::FindIssuer
+ // [...]
+ // IssuerChecker::Check
+ // [...]
+ // TrustDomain::FindIssuer
+ // [...]
+ // IssuerChecker::Check
+ // [...]
+ //
+ // checker.Check is responsible for limiting the recursion to a reasonable
+ // limit.
+ //
+ // checker.Check will verify that the subject's issuer field matches the
+ // potential issuer's subject field. It will also check that the potential
+ // issuer is valid at the given time. However, if the FindIssuer
+ // implementation has an efficient way of filtering potential issuers by name
+ // and/or validity period itself, then it is probably better for performance
+ // for it to do so.
+ virtual Result FindIssuer(Input encodedIssuerName,
+ IssuerChecker& checker, Time time) = 0;
+
+ // Called as soon as we think we have a valid chain but before revocation
+ // checks are done. This function can be used to compute additional checks,
+ // especially checks that require the entire certificate chain. This callback
+ // can also be used to save a copy of the built certificate chain for later
+ // use.
+ //
+ // This function may be called multiple times, regardless of whether it
+ // returns success or failure. It is guaranteed that BuildCertChain will not
+ // return Success unless the last call to IsChainValid returns Success. Further,
+ // it is guaranteed that when BuildCertChain returns Success the last chain
+ // passed to IsChainValid is the valid chain that should be used for further
+ // operations that require the whole chain.
+ //
+ // Keep in mind, in particular, that if the application saves a copy of the
+ // certificate chain the last invocation of IsChainValid during a validation,
+ // it is still possible for BuildCertChain to fail, in which case the
+ // application must not assume anything about the validity of the last
+ // certificate chain passed to IsChainValid; especially, it would be very
+ // wrong to assume that the certificate chain is valid.
+ //
+ // certChain.GetDER(0) is the trust anchor.
+ virtual Result IsChainValid(const DERArray& certChain, Time time) = 0;
+
+ virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
+ const CertID& certID, Time time,
+ Duration validityDuration,
+ /*optional*/ const Input* stapledOCSPresponse,
+ /*optional*/ const Input* aiaExtension) = 0;
+
+ // Check that the given digest algorithm is acceptable for use in signatures.
+ //
+ // Return Success if the algorithm is acceptable,
+ // Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED if the algorithm is not
+ // acceptable, or another error code if another error occurred.
+ virtual Result CheckSignatureDigestAlgorithm(DigestAlgorithm digestAlg,
+ EndEntityOrCA endEntityOrCA,
+ Time notBefore) = 0;
+
+ // Check that the RSA public key size is acceptable.
+ //
+ // Return Success if the key size is acceptable,
+ // Result::ERROR_INADEQUATE_KEY_SIZE if the key size is not acceptable,
+ // or another error code if another error occurred.
+ virtual Result CheckRSAPublicKeyModulusSizeInBits(
+ EndEntityOrCA endEntityOrCA,
+ unsigned int modulusSizeInBits) = 0;
+
+ // Verify the given RSA PKCS#1.5 signature on the given digest using the
+ // given RSA public key.
+ //
+ // CheckRSAPublicKeyModulusSizeInBits will be called before calling this
+ // function, so it is not necessary to repeat those checks here. However,
+ // VerifyRSAPKCS1SignedDigest *is* responsible for doing the mathematical
+ // verification of the public key validity as specified in NIST SP 800-56A.
+ virtual Result VerifyRSAPKCS1SignedDigest(
+ const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo) = 0;
+
+ // Check that the given named ECC curve is acceptable for ECDSA signatures.
+ //
+ // Return Success if the curve is acceptable,
+ // Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE if the curve is not acceptable,
+ // or another error code if another error occurred.
+ virtual Result CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA,
+ NamedCurve curve) = 0;
+
+ // Verify the given ECDSA signature on the given digest using the given ECC
+ // public key.
+ //
+ // CheckECDSACurveIsAcceptable will be called before calling this function,
+ // so it is not necessary to repeat that check here. However,
+ // VerifyECDSASignedDigest *is* responsible for doing the mathematical
+ // verification of the public key validity as specified in NIST SP 800-56A.
+ virtual Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo) = 0;
+
+ // Check that the validity duration is acceptable.
+ //
+ // Return Success if the validity duration is acceptable,
+ // Result::ERROR_VALIDITY_TOO_LONG if the validity duration is not acceptable,
+ // or another error code if another error occurred.
+ virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter,
+ EndEntityOrCA endEntityOrCA,
+ KeyPurposeId keyPurpose) = 0;
+
+ // For compatibility, a CA certificate with an extended key usage that
+ // contains the id-Netscape-stepUp OID but does not contain the
+ // id-kp-serverAuth OID may be considered valid for issuing server auth
+ // certificates. This function allows TrustDomain implementations to control
+ // this setting based on the start of the validity period of the certificate
+ // in question.
+ virtual Result NetscapeStepUpMatchesServerAuth(Time notBefore,
+ /*out*/ bool& matches) = 0;
+
+ // Some certificate or OCSP response extensions do not directly participate
+ // in the verification flow, but might still be of interest to the clients
+ // (notably Certificate Transparency data, RFC 6962). Such extensions are
+ // extracted and passed to this function for further processing.
+ virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+ Input extensionData) = 0;
+
+ // Compute a digest of the data in item using the given digest algorithm.
+ //
+ // item contains the data to hash.
+ // digestBuf points to a buffer to where the digest will be written.
+ // digestBufLen will be the size of the digest output (20 for SHA-1,
+ // 32 for SHA-256, etc.).
+ //
+ // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
+ // other, extensive, memory safety efforts in mozilla::pkix, and we should
+ // find a way to provide a more-obviously-safe interface.
+ virtual Result DigestBuf(Input item,
+ DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf,
+ size_t digestBufLen) = 0;
+protected:
+ TrustDomain() { }
+
+ TrustDomain(const TrustDomain&) = delete;
+ void operator=(const TrustDomain&) = delete;
+};
+
+enum class FallBackToSearchWithinSubject { No = 0, Yes = 1 };
+
+// Applications control the behavior of matching presented name information from
+// a certificate against a reference hostname by implementing the
+// NameMatchingPolicy interface. Used in concert with CheckCertHostname.
+class NameMatchingPolicy
+{
+public:
+ virtual ~NameMatchingPolicy() { }
+
+ // Given that the certificate in question has a notBefore field with the given
+ // value, should name matching fall back to searching within the subject
+ // common name field?
+ virtual Result FallBackToCommonName(
+ Time notBefore,
+ /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) = 0;
+
+protected:
+ NameMatchingPolicy() { }
+
+ NameMatchingPolicy(const NameMatchingPolicy&) = delete;
+ void operator=(const NameMatchingPolicy&) = delete;
+};
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_pkixtypes_h
diff --git a/security/pkix/lib/ScopedPtr.h b/security/pkix/lib/ScopedPtr.h
new file mode 100644
index 000000000..a9e18adc1
--- /dev/null
+++ b/security/pkix/lib/ScopedPtr.h
@@ -0,0 +1,83 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_ScopedPtr_h
+#define mozilla_pkix_ScopedPtr_h
+
+namespace mozilla { namespace pkix {
+
+// A subset polyfill of std::unique_ptr that does not support move construction
+// or move assignment. This is used instead of std::unique_ptr because some
+// important toolchains still don't provide std::unique_ptr, including in
+// particular Android NDK projects with APP_STL=stlport_static or
+// ALL_STL=stlport_shared.
+template <typename T, void (&Destroyer)(T*)>
+class ScopedPtr final
+{
+public:
+ explicit ScopedPtr(T* value = nullptr) : mValue(value) { }
+
+ ScopedPtr(const ScopedPtr&) = delete;
+
+ ~ScopedPtr()
+ {
+ if (mValue) {
+ Destroyer(mValue);
+ }
+ }
+
+ void operator=(const ScopedPtr&) = delete;
+
+ T& operator*() const { return *mValue; }
+ T* operator->() const { return mValue; }
+
+ explicit operator bool() const { return mValue; }
+
+ T* get() const { return mValue; }
+
+ T* release()
+ {
+ T* result = mValue;
+ mValue = nullptr;
+ return result;
+ }
+
+ void reset(T* newValue = nullptr)
+ {
+ // The C++ standard requires std::unique_ptr to destroy the old value
+ // pointed to by mValue, if any, *after* assigning the new value to mValue.
+ T* oldValue = mValue;
+ mValue = newValue;
+ if (oldValue) {
+ Destroyer(oldValue);
+ }
+ }
+
+private:
+ T* mValue;
+};
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_ScopedPtr_h
diff --git a/security/pkix/lib/pkixbuild.cpp b/security/pkix/lib/pkixbuild.cpp
new file mode 100644
index 000000000..fdbd9b59f
--- /dev/null
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -0,0 +1,382 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkix/pkix.h"
+
+#include "pkixcheck.h"
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+static Result BuildForward(TrustDomain& trustDomain,
+ const BackCert& subject,
+ Time time,
+ KeyUsage requiredKeyUsageIfPresent,
+ KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ /*optional*/ const Input* stapledOCSPResponse,
+ unsigned int subCACount);
+
+TrustDomain::IssuerChecker::IssuerChecker() { }
+TrustDomain::IssuerChecker::~IssuerChecker() { }
+
+// The implementation of TrustDomain::IssuerTracker is in a subclass only to
+// hide the implementation from external users.
+class PathBuildingStep final : public TrustDomain::IssuerChecker
+{
+public:
+ PathBuildingStep(TrustDomain& trustDomain, const BackCert& subject,
+ Time time, KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ /*optional*/ const Input* stapledOCSPResponse,
+ unsigned int subCACount, Result deferredSubjectError)
+ : trustDomain(trustDomain)
+ , subject(subject)
+ , time(time)
+ , requiredEKUIfPresent(requiredEKUIfPresent)
+ , requiredPolicy(requiredPolicy)
+ , stapledOCSPResponse(stapledOCSPResponse)
+ , subCACount(subCACount)
+ , deferredSubjectError(deferredSubjectError)
+ , result(Result::FATAL_ERROR_LIBRARY_FAILURE)
+ , resultWasSet(false)
+ {
+ }
+
+ Result Check(Input potentialIssuerDER,
+ /*optional*/ const Input* additionalNameConstraints,
+ /*out*/ bool& keepGoing) override;
+
+ Result CheckResult() const;
+
+private:
+ TrustDomain& trustDomain;
+ const BackCert& subject;
+ const Time time;
+ const KeyPurposeId requiredEKUIfPresent;
+ const CertPolicyId& requiredPolicy;
+ /*optional*/ Input const* const stapledOCSPResponse;
+ const unsigned int subCACount;
+ const Result deferredSubjectError;
+
+ // Initialized lazily.
+ uint8_t subjectSignatureDigestBuf[MAX_DIGEST_SIZE_IN_BYTES];
+ der::PublicKeyAlgorithm subjectSignaturePublicKeyAlg;
+ SignedDigest subjectSignature;
+
+ Result RecordResult(Result currentResult, /*out*/ bool& keepGoing);
+ Result result;
+ bool resultWasSet;
+
+ PathBuildingStep(const PathBuildingStep&) = delete;
+ void operator=(const PathBuildingStep&) = delete;
+};
+
+Result
+PathBuildingStep::RecordResult(Result newResult, /*out*/ bool& keepGoing)
+{
+ if (newResult == Result::ERROR_UNTRUSTED_CERT) {
+ newResult = Result::ERROR_UNTRUSTED_ISSUER;
+ } else if (newResult == Result::ERROR_EXPIRED_CERTIFICATE) {
+ newResult = Result::ERROR_EXPIRED_ISSUER_CERTIFICATE;
+ } else if (newResult == Result::ERROR_NOT_YET_VALID_CERTIFICATE) {
+ newResult = Result::ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE;
+ }
+
+ if (resultWasSet) {
+ if (result == Success) {
+ return NotReached("RecordResult called after finding a chain",
+ Result::FATAL_ERROR_INVALID_STATE);
+ }
+ // If every potential issuer has the same problem (e.g. expired) and/or if
+ // there is only one bad potential issuer, then return a more specific
+ // error. Otherwise, punt on trying to decide which error should be
+ // returned by returning the generic Result::ERROR_UNKNOWN_ISSUER error.
+ if (newResult != Success && newResult != result) {
+ newResult = Result::ERROR_UNKNOWN_ISSUER;
+ }
+ }
+
+ result = newResult;
+ resultWasSet = true;
+ keepGoing = result != Success;
+ return Success;
+}
+
+Result
+PathBuildingStep::CheckResult() const
+{
+ if (!resultWasSet) {
+ return Result::ERROR_UNKNOWN_ISSUER;
+ }
+ return result;
+}
+
+// The code that executes in the inner loop of BuildForward
+Result
+PathBuildingStep::Check(Input potentialIssuerDER,
+ /*optional*/ const Input* additionalNameConstraints,
+ /*out*/ bool& keepGoing)
+{
+ BackCert potentialIssuer(potentialIssuerDER, EndEntityOrCA::MustBeCA,
+ &subject);
+ Result rv = potentialIssuer.Init();
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+
+ // Simple TrustDomain::FindIssuers implementations may pass in all possible
+ // CA certificates without any filtering. Because of this, we don't consider
+ // a mismatched name to be an error. Instead, we just pretend that any
+ // certificate without a matching name was never passed to us. In particular,
+ // we treat the case where the TrustDomain only asks us to check CA
+ // certificates with mismatched names as equivalent to the case where the
+ // TrustDomain never called Check() at all.
+ if (!InputsAreEqual(potentialIssuer.GetSubject(), subject.GetIssuer())) {
+ keepGoing = true;
+ return Success;
+ }
+
+ // Loop prevention, done as recommended by RFC4158 Section 5.2
+ // TODO: this doesn't account for subjectAltNames!
+ // TODO(perf): This probably can and should be optimized in some way.
+ bool loopDetected = false;
+ for (const BackCert* prev = potentialIssuer.childCert;
+ !loopDetected && prev != nullptr; prev = prev->childCert) {
+ if (InputsAreEqual(potentialIssuer.GetSubjectPublicKeyInfo(),
+ prev->GetSubjectPublicKeyInfo()) &&
+ InputsAreEqual(potentialIssuer.GetSubject(), prev->GetSubject())) {
+ // XXX: error code
+ return RecordResult(Result::ERROR_UNKNOWN_ISSUER, keepGoing);
+ }
+ }
+
+ if (potentialIssuer.GetNameConstraints()) {
+ rv = CheckNameConstraints(*potentialIssuer.GetNameConstraints(),
+ subject, requiredEKUIfPresent);
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+ }
+
+ if (additionalNameConstraints) {
+ rv = CheckNameConstraints(*additionalNameConstraints, subject,
+ requiredEKUIfPresent);
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+ }
+
+ rv = CheckTLSFeatures(subject, potentialIssuer);
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+
+ // RFC 5280, Section 4.2.1.3: "If the keyUsage extension is present, then the
+ // subject public key MUST NOT be used to verify signatures on certificates
+ // or CRLs unless the corresponding keyCertSign or cRLSign bit is set."
+ rv = BuildForward(trustDomain, potentialIssuer, time, KeyUsage::keyCertSign,
+ requiredEKUIfPresent, requiredPolicy, nullptr, subCACount);
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+
+ // Calculate the digest of the subject's signed data if we haven't already
+ // done so. We do this lazily to avoid doing it at all if we backtrack before
+ // getting to this point. We cache the result to avoid recalculating it if we
+ // backtrack after getting to this point.
+ if (subjectSignature.digest.GetLength() == 0) {
+ rv = DigestSignedData(trustDomain, subject.GetSignedData(),
+ subjectSignatureDigestBuf,
+ subjectSignaturePublicKeyAlg, subjectSignature);
+ if (rv != Success) {
+ return rv;
+ }
+ }
+
+ rv = VerifySignedDigest(trustDomain, subjectSignaturePublicKeyAlg,
+ subjectSignature,
+ potentialIssuer.GetSubjectPublicKeyInfo());
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+
+ // We avoid doing revocation checking for expired certificates because OCSP
+ // responders are allowed to forget about expired certificates, and many OCSP
+ // responders return an error when asked for the status of an expired
+ // certificate.
+ if (deferredSubjectError != Result::ERROR_EXPIRED_CERTIFICATE) {
+ CertID certID(subject.GetIssuer(), potentialIssuer.GetSubjectPublicKeyInfo(),
+ subject.GetSerialNumber());
+ Time notBefore(Time::uninitialized);
+ Time notAfter(Time::uninitialized);
+ // This should never fail. If we're here, we've already parsed the validity
+ // and checked that the given time is in the certificate's validity period.
+ rv = ParseValidity(subject.GetValidity(), &notBefore, &notAfter);
+ if (rv != Success) {
+ return rv;
+ }
+ Duration validityDuration(notAfter, notBefore);
+ rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
+ validityDuration, stapledOCSPResponse,
+ subject.GetAuthorityInfoAccess());
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+
+ if (subject.endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+ const Input* sctExtension = subject.GetSignedCertificateTimestamps();
+ if (sctExtension) {
+ Input sctList;
+ rv = ExtractSignedCertificateTimestampListFromExtension(*sctExtension,
+ sctList);
+ if (rv != Success) {
+ return RecordResult(rv, keepGoing);
+ }
+ trustDomain.NoteAuxiliaryExtension(AuxiliaryExtension::EmbeddedSCTList,
+ sctList);
+ }
+ }
+ }
+
+ return RecordResult(Success, keepGoing);
+}
+
+// Recursively build the path from the given subject certificate to the root.
+//
+// Be very careful about changing the order of checks. The order is significant
+// because it affects which error we return when a certificate or certificate
+// chain has multiple problems. See the error ranking documentation in
+// pkix/pkix.h.
+static Result
+BuildForward(TrustDomain& trustDomain,
+ const BackCert& subject,
+ Time time,
+ KeyUsage requiredKeyUsageIfPresent,
+ KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ /*optional*/ const Input* stapledOCSPResponse,
+ unsigned int subCACount)
+{
+ Result rv;
+
+ TrustLevel trustLevel;
+ // If this is an end-entity and not a trust anchor, we defer reporting
+ // any error found here until after attempting to find a valid chain.
+ // See the explanation of error prioritization in pkix.h.
+ rv = CheckIssuerIndependentProperties(trustDomain, subject, time,
+ requiredKeyUsageIfPresent,
+ requiredEKUIfPresent, requiredPolicy,
+ subCACount, trustLevel);
+ Result deferredEndEntityError = Success;
+ if (rv != Success) {
+ if (subject.endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+ trustLevel != TrustLevel::TrustAnchor) {
+ deferredEndEntityError = rv;
+ } else {
+ return rv;
+ }
+ }
+
+ if (trustLevel == TrustLevel::TrustAnchor) {
+ // End of the recursion.
+
+ NonOwningDERArray chain;
+ for (const BackCert* cert = &subject; cert; cert = cert->childCert) {
+ rv = chain.Append(cert->GetDER());
+ if (rv != Success) {
+ return NotReached("NonOwningDERArray::SetItem failed.", rv);
+ }
+ }
+
+ // This must be done here, after the chain is built but before any
+ // revocation checks have been done.
+ return trustDomain.IsChainValid(chain, time);
+ }
+
+ if (subject.endEntityOrCA == EndEntityOrCA::MustBeCA) {
+ // Avoid stack overflows and poor performance by limiting cert chain
+ // length.
+ static const unsigned int MAX_SUBCA_COUNT = 6;
+ static_assert(1/*end-entity*/ + MAX_SUBCA_COUNT + 1/*root*/ ==
+ NonOwningDERArray::MAX_LENGTH,
+ "MAX_SUBCA_COUNT and NonOwningDERArray::MAX_LENGTH mismatch.");
+ if (subCACount >= MAX_SUBCA_COUNT) {
+ return Result::ERROR_UNKNOWN_ISSUER;
+ }
+ ++subCACount;
+ } else {
+ assert(subCACount == 0);
+ }
+
+ // Find a trusted issuer.
+
+ PathBuildingStep pathBuilder(trustDomain, subject, time,
+ requiredEKUIfPresent, requiredPolicy,
+ stapledOCSPResponse, subCACount,
+ deferredEndEntityError);
+
+ // TODO(bug 965136): Add SKI/AKI matching optimizations
+ rv = trustDomain.FindIssuer(subject.GetIssuer(), pathBuilder, time);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = pathBuilder.CheckResult();
+ if (rv != Success) {
+ return rv;
+ }
+
+ // If we found a valid chain but deferred reporting an error with the
+ // end-entity certificate, report it now.
+ if (deferredEndEntityError != Success) {
+ return deferredEndEntityError;
+ }
+
+ // We've built a valid chain from the subject cert up to a trusted root.
+ return Success;
+}
+
+Result
+BuildCertChain(TrustDomain& trustDomain, Input certDER,
+ Time time, EndEntityOrCA endEntityOrCA,
+ KeyUsage requiredKeyUsageIfPresent,
+ KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ /*optional*/ const Input* stapledOCSPResponse)
+{
+ // XXX: Support the legacy use of the subject CN field for indicating the
+ // domain name the certificate is valid for.
+ BackCert cert(certDER, endEntityOrCA, nullptr);
+ Result rv = cert.Init();
+ if (rv != Success) {
+ return rv;
+ }
+
+ return BuildForward(trustDomain, cert, time, requiredKeyUsageIfPresent,
+ requiredEKUIfPresent, requiredPolicy, stapledOCSPResponse,
+ 0/*subCACount*/);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixcert.cpp b/security/pkix/lib/pkixcert.cpp
new file mode 100644
index 000000000..ffa58fd3b
--- /dev/null
+++ b/security/pkix/lib/pkixcert.cpp
@@ -0,0 +1,323 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result
+BackCert::Init()
+{
+ Result rv;
+
+ // Certificate ::= SEQUENCE {
+ // tbsCertificate TBSCertificate,
+ // signatureAlgorithm AlgorithmIdentifier,
+ // signatureValue BIT STRING }
+
+ Reader tbsCertificate;
+
+ // The scope of |input| and |certificate| are limited to this block so we
+ // don't accidentally confuse them for tbsCertificate later.
+ {
+ Reader certificate;
+ rv = der::ExpectTagAndGetValueAtEnd(der, der::SEQUENCE, certificate);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::SignedData(certificate, tbsCertificate, signedData);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::End(certificate);
+ if (rv != Success) {
+ return rv;
+ }
+ }
+
+ // TBSCertificate ::= SEQUENCE {
+ // version [0] EXPLICIT Version DEFAULT v1,
+ // serialNumber CertificateSerialNumber,
+ // signature AlgorithmIdentifier,
+ // issuer Name,
+ // validity Validity,
+ // subject Name,
+ // subjectPublicKeyInfo SubjectPublicKeyInfo,
+ // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ // -- If present, version MUST be v2 or v3
+ // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ // -- If present, version MUST be v2 or v3
+ // extensions [3] EXPLICIT Extensions OPTIONAL
+ // -- If present, version MUST be v3
+ // }
+ rv = der::OptionalVersion(tbsCertificate, version);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::CertificateSerialNumber(tbsCertificate, serialNumber);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::ExpectTagAndGetValue(tbsCertificate, der::SEQUENCE, signature);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE, issuer);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::ExpectTagAndGetValue(tbsCertificate, der::SEQUENCE, validity);
+ if (rv != Success) {
+ return rv;
+ }
+ // TODO(bug XXXXXXX): We rely on the the caller of mozilla::pkix to validate
+ // that the name is syntactically valid, if they care. In Gecko we do this
+ // implicitly by parsing the certificate into a CERTCertificate object.
+ // Instead of relying on the caller to do this, we should do it ourselves.
+ rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE, subject);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE,
+ subjectPublicKeyInfo);
+ if (rv != Success) {
+ return rv;
+ }
+
+ static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
+
+ // According to RFC 5280, all fields below this line are forbidden for
+ // certificate versions less than v3. However, for compatibility reasons,
+ // we parse v1/v2 certificates in the same way as v3 certificates. So if
+ // these fields appear in a v1 certificate, they will be used.
+
+ // Ignore issuerUniqueID if present.
+ if (tbsCertificate.Peek(CSC | 1)) {
+ rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
+ if (rv != Success) {
+ return rv;
+ }
+ }
+
+ // Ignore subjectUniqueID if present.
+ if (tbsCertificate.Peek(CSC | 2)) {
+ rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
+ if (rv != Success) {
+ return rv;
+ }
+ }
+
+ rv = der::OptionalExtensions(
+ tbsCertificate, CSC | 3,
+ [this](Reader& extnID, const Input& extnValue, bool critical,
+ /*out*/ bool& understood) {
+ return RememberExtension(extnID, extnValue, critical, understood);
+ });
+ if (rv != Success) {
+ return rv;
+ }
+
+ // The Netscape Certificate Type extension is an obsolete
+ // Netscape-proprietary mechanism that we ignore in favor of the standard
+ // extensions. However, some CAs have issued certificates with the Netscape
+ // Cert Type extension marked critical. Thus, for compatibility reasons, we
+ // "understand" this extension by ignoring it when it is not critical, and
+ // by ensuring that the equivalent standardized extensions are present when
+ // it is marked critical, based on the assumption that the information in
+ // the Netscape Cert Type extension is consistent with the information in
+ // the standard extensions.
+ //
+ // Here is a mapping between the Netscape Cert Type extension and the
+ // standard extensions:
+ //
+ // Netscape Cert Type | BasicConstraints.cA | Extended Key Usage
+ // --------------------+-----------------------+----------------------
+ // SSL Server | false | id_kp_serverAuth
+ // SSL Client | false | id_kp_clientAuth
+ // S/MIME Client | false | id_kp_emailProtection
+ // Object Signing | false | id_kp_codeSigning
+ // SSL Server CA | true | id_pk_serverAuth
+ // SSL Client CA | true | id_kp_clientAuth
+ // S/MIME CA | true | id_kp_emailProtection
+ // Object Signing CA | true | id_kp_codeSigning
+ if (criticalNetscapeCertificateType.GetLength() > 0 &&
+ (basicConstraints.GetLength() == 0 || extKeyUsage.GetLength() == 0)) {
+ return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
+ }
+
+ return der::End(tbsCertificate);
+}
+
+Result
+BackCert::RememberExtension(Reader& extnID, Input extnValue,
+ bool critical, /*out*/ bool& understood)
+{
+ understood = false;
+
+ // python DottedOIDToCode.py id-ce-keyUsage 2.5.29.15
+ static const uint8_t id_ce_keyUsage[] = {
+ 0x55, 0x1d, 0x0f
+ };
+ // python DottedOIDToCode.py id-ce-subjectAltName 2.5.29.17
+ static const uint8_t id_ce_subjectAltName[] = {
+ 0x55, 0x1d, 0x11
+ };
+ // python DottedOIDToCode.py id-ce-basicConstraints 2.5.29.19
+ static const uint8_t id_ce_basicConstraints[] = {
+ 0x55, 0x1d, 0x13
+ };
+ // python DottedOIDToCode.py id-ce-nameConstraints 2.5.29.30
+ static const uint8_t id_ce_nameConstraints[] = {
+ 0x55, 0x1d, 0x1e
+ };
+ // python DottedOIDToCode.py id-ce-certificatePolicies 2.5.29.32
+ static const uint8_t id_ce_certificatePolicies[] = {
+ 0x55, 0x1d, 0x20
+ };
+ // python DottedOIDToCode.py id-ce-policyConstraints 2.5.29.36
+ static const uint8_t id_ce_policyConstraints[] = {
+ 0x55, 0x1d, 0x24
+ };
+ // python DottedOIDToCode.py id-ce-extKeyUsage 2.5.29.37
+ static const uint8_t id_ce_extKeyUsage[] = {
+ 0x55, 0x1d, 0x25
+ };
+ // python DottedOIDToCode.py id-ce-inhibitAnyPolicy 2.5.29.54
+ static const uint8_t id_ce_inhibitAnyPolicy[] = {
+ 0x55, 0x1d, 0x36
+ };
+ // python DottedOIDToCode.py id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1
+ static const uint8_t id_pe_authorityInfoAccess[] = {
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+ };
+ // python DottedOIDToCode.py id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5
+ static const uint8_t id_pkix_ocsp_nocheck[] = {
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x05
+ };
+ // python DottedOIDToCode.py Netscape-certificate-type 2.16.840.1.113730.1.1
+ static const uint8_t Netscape_certificate_type[] = {
+ 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01
+ };
+ // python DottedOIDToCode.py id-pe-tlsfeature 1.3.6.1.5.5.7.1.24
+ static const uint8_t id_pe_tlsfeature[] = {
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x18
+ };
+ // python DottedOIDToCode.py id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+ // See Section 3.3 of RFC 6962.
+ static const uint8_t id_embeddedSctList[] = {
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+ };
+
+ Input* out = nullptr;
+
+ // We already enforce the maximum possible constraints for policies so we
+ // can safely ignore even critical policy constraint extensions.
+ //
+ // XXX: Doing it this way won't allow us to detect duplicate
+ // policyConstraints extensions, but that's OK because (and only because) we
+ // ignore the extension.
+ Input dummyPolicyConstraints;
+
+ // We don't need to save the contents of this extension if it is present. We
+ // just need to handle its presence (it is essentially ignored right now).
+ Input dummyOCSPNocheck;
+
+ // For compatibility reasons, for some extensions we have to allow empty
+ // extension values. This would normally interfere with our duplicate
+ // extension checking code. However, as long as the extensions we allow to
+ // have empty values are also the ones we implicitly allow duplicates of,
+ // this will work fine.
+ bool emptyValueAllowed = false;
+
+ // RFC says "Conforming CAs MUST mark this extension as non-critical" for
+ // both authorityKeyIdentifier and subjectKeyIdentifier, and we do not use
+ // them for anything, so we totally ignore them here.
+
+ if (extnID.MatchRest(id_ce_keyUsage)) {
+ out = &keyUsage;
+ } else if (extnID.MatchRest(id_ce_subjectAltName)) {
+ out = &subjectAltName;
+ } else if (extnID.MatchRest(id_ce_basicConstraints)) {
+ out = &basicConstraints;
+ } else if (extnID.MatchRest(id_ce_nameConstraints)) {
+ out = &nameConstraints;
+ } else if (extnID.MatchRest(id_ce_certificatePolicies)) {
+ out = &certificatePolicies;
+ } else if (extnID.MatchRest(id_ce_policyConstraints)) {
+ out = &dummyPolicyConstraints;
+ } else if (extnID.MatchRest(id_ce_extKeyUsage)) {
+ out = &extKeyUsage;
+ } else if (extnID.MatchRest(id_ce_inhibitAnyPolicy)) {
+ out = &inhibitAnyPolicy;
+ } else if (extnID.MatchRest(id_pe_authorityInfoAccess)) {
+ out = &authorityInfoAccess;
+ } else if (extnID.MatchRest(id_pe_tlsfeature)) {
+ out = &requiredTLSFeatures;
+ } else if (extnID.MatchRest(id_embeddedSctList)) {
+ out = &signedCertificateTimestamps;
+ } else if (extnID.MatchRest(id_pkix_ocsp_nocheck) && critical) {
+ // We need to make sure we don't reject delegated OCSP response signing
+ // certificates that contain the id-pkix-ocsp-nocheck extension marked as
+ // critical when validating OCSP responses. Without this, an application
+ // that implements soft-fail OCSP might ignore a valid Revoked or Unknown
+ // response, and an application that implements hard-fail OCSP might fail
+ // to connect to a server given a valid Good response.
+ out = &dummyOCSPNocheck;
+ // We allow this extension to have an empty value.
+ // See http://comments.gmane.org/gmane.ietf.x509/30947
+ emptyValueAllowed = true;
+ } else if (extnID.MatchRest(Netscape_certificate_type) && critical) {
+ out = &criticalNetscapeCertificateType;
+ }
+
+ if (out) {
+ // Don't allow an empty value for any extension we understand. This way, we
+ // can test out->GetLength() != 0 or out->Init() to check for duplicates.
+ if (extnValue.GetLength() == 0 && !emptyValueAllowed) {
+ return Result::ERROR_EXTENSION_VALUE_INVALID;
+ }
+ if (out->Init(extnValue) != Success) {
+ // Duplicate extension
+ return Result::ERROR_EXTENSION_VALUE_INVALID;
+ }
+ understood = true;
+ }
+
+ return Success;
+}
+
+Result
+ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
+ Input& sctList)
+{
+ Reader decodedValue;
+ Result rv = der::ExpectTagAndGetValueAtEnd(extnValue, der::OCTET_STRING,
+ decodedValue);
+ if (rv != Success) {
+ return rv;
+ }
+ return decodedValue.SkipToEnd(sctList);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixcheck.cpp b/security/pkix/lib/pkixcheck.cpp
new file mode 100644
index 000000000..be2d2837a
--- /dev/null
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -0,0 +1,1088 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixcheck.h"
+
+#include "pkixder.h"
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+// 4.1.1.2 signatureAlgorithm
+// 4.1.2.3 signature
+
+Result
+CheckSignatureAlgorithm(TrustDomain& trustDomain,
+ EndEntityOrCA endEntityOrCA,
+ Time notBefore,
+ const der::SignedDataWithSignature& signedData,
+ Input signatureValue)
+{
+ // 4.1.1.2. signatureAlgorithm
+ der::PublicKeyAlgorithm publicKeyAlg;
+ DigestAlgorithm digestAlg;
+ Reader signatureAlgorithmReader(signedData.algorithm);
+ Result rv = der::SignatureAlgorithmIdentifierValue(signatureAlgorithmReader,
+ publicKeyAlg, digestAlg);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::End(signatureAlgorithmReader);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // 4.1.2.3. Signature
+ der::PublicKeyAlgorithm signedPublicKeyAlg;
+ DigestAlgorithm signedDigestAlg;
+ Reader signedSignatureAlgorithmReader(signatureValue);
+ rv = der::SignatureAlgorithmIdentifierValue(signedSignatureAlgorithmReader,
+ signedPublicKeyAlg,
+ signedDigestAlg);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::End(signedSignatureAlgorithmReader);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // "This field MUST contain the same algorithm identifier as the
+ // signatureAlgorithm field in the sequence Certificate." However, it may
+ // be encoded differently. In particular, one of the fields may have a NULL
+ // parameter while the other one may omit the parameter field altogether, and
+ // these are considered equivalent. Some certificates generation software
+ // actually generates certificates like that, so we compare the parsed values
+ // instead of comparing the encoded values byte-for-byte.
+ //
+ // Along the same lines, we accept two different OIDs for RSA-with-SHA1, and
+ // we consider those OIDs to be equivalent here.
+ if (publicKeyAlg != signedPublicKeyAlg || digestAlg != signedDigestAlg) {
+ return Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH;
+ }
+
+ // During the time of the deprecation of SHA-1 and the deprecation of RSA
+ // keys of less than 2048 bits, we will encounter many certs signed using
+ // SHA-1 and/or too-small RSA keys. With this in mind, we ask the trust
+ // domain early on if it knows it will reject the signature purely based on
+ // the digest algorithm and/or the RSA key size (if an RSA signature). This
+ // is a good optimization because it completely avoids calling
+ // trustDomain.FindIssuers (which may be slow) for such rejected certs, and
+ // more generally it short-circuits any path building with them (which, of
+ // course, is even slower).
+
+ rv = trustDomain.CheckSignatureDigestAlgorithm(digestAlg, endEntityOrCA,
+ notBefore);
+ if (rv != Success) {
+ return rv;
+ }
+
+ switch (publicKeyAlg) {
+ case der::PublicKeyAlgorithm::RSA_PKCS1:
+ {
+ // The RSA computation may give a result that requires fewer bytes to
+ // encode than the public key (since it is modular arithmetic). However,
+ // the last step of generating a PKCS#1.5 signature is the I2OSP
+ // procedure, which pads any such shorter result with zeros so that it
+ // is exactly the same length as the public key.
+ unsigned int signatureSizeInBits = signedData.signature.GetLength() * 8u;
+ return trustDomain.CheckRSAPublicKeyModulusSizeInBits(
+ endEntityOrCA, signatureSizeInBits);
+ }
+
+ case der::PublicKeyAlgorithm::ECDSA:
+ // In theory, we could implement a similar early-pruning optimization for
+ // ECDSA curves. However, since there has been no similar deprecation for
+ // for any curve that we support, the chances of us encountering a curve
+ // during path building is too low to be worth bothering with.
+ break;
+
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+
+ return Success;
+}
+
+// 4.1.2.4 Issuer
+
+Result
+CheckIssuer(Input encodedIssuer)
+{
+ // "The issuer field MUST contain a non-empty distinguished name (DN)."
+ Reader issuer(encodedIssuer);
+ Input encodedRDNs;
+ ExpectTagAndGetValue(issuer, der::SEQUENCE, encodedRDNs);
+ Reader rdns(encodedRDNs);
+ // Check that the issuer name contains at least one RDN
+ // (Note: this does not check related grammar rules, such as there being one
+ // or more AVAs in each RDN, or the values in AVAs not being empty strings)
+ if (rdns.AtEnd()) {
+ return Result::ERROR_EMPTY_ISSUER_NAME;
+ }
+ return Success;
+}
+
+// 4.1.2.5 Validity
+
+Result
+ParseValidity(Input encodedValidity,
+ /*optional out*/ Time* notBeforeOut,
+ /*optional out*/ Time* notAfterOut)
+{
+ Reader validity(encodedValidity);
+ Time notBefore(Time::uninitialized);
+ if (der::TimeChoice(validity, notBefore) != Success) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+
+ Time notAfter(Time::uninitialized);
+ if (der::TimeChoice(validity, notAfter) != Success) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+
+ if (der::End(validity) != Success) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+
+ if (notBefore > notAfter) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+
+ if (notBeforeOut) {
+ *notBeforeOut = notBefore;
+ }
+ if (notAfterOut) {
+ *notAfterOut = notAfter;
+ }
+
+ return Success;
+}
+
+Result
+CheckValidity(Time time, Time notBefore, Time notAfter)
+{
+ if (time < notBefore) {
+ return Result::ERROR_NOT_YET_VALID_CERTIFICATE;
+ }
+
+ if (time > notAfter) {
+ return Result::ERROR_EXPIRED_CERTIFICATE;
+ }
+
+ return Success;
+}
+
+// 4.1.2.7 Subject Public Key Info
+
+Result
+CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
+ EndEntityOrCA endEntityOrCA)
+{
+ // Here, we validate the syntax and do very basic semantic validation of the
+ // public key of the certificate. The intention here is to filter out the
+ // types of bad inputs that are most likely to trigger non-mathematical
+ // security vulnerabilities in the TrustDomain, like buffer overflows or the
+ // use of unsafe elliptic curves.
+ //
+ // We don't check (all of) the mathematical properties of the public key here
+ // because it is more efficient for the TrustDomain to do it during signature
+ // verification and/or other use of the public key. In particular, we
+ // delegate the arithmetic validation of the public key, as specified in
+ // NIST SP800-56A section 5.6.2, to the TrustDomain, at least for now.
+
+ Reader algorithm;
+ Input subjectPublicKey;
+ Result rv = der::ExpectTagAndGetValue(input, der::SEQUENCE, algorithm);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::BitStringWithNoUnusedBits(input, subjectPublicKey);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::End(input);
+ if (rv != Success) {
+ return rv;
+ }
+
+ Reader subjectPublicKeyReader(subjectPublicKey);
+
+ Reader algorithmOID;
+ rv = der::ExpectTagAndGetValue(algorithm, der::OIDTag, algorithmOID);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // RFC 3279 Section 2.3.1
+ // python DottedOIDToCode.py rsaEncryption 1.2.840.113549.1.1.1
+ static const uint8_t rsaEncryption[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01
+ };
+
+ // RFC 3279 Section 2.3.5 and RFC 5480 Section 2.1.1
+ // python DottedOIDToCode.py id-ecPublicKey 1.2.840.10045.2.1
+ static const uint8_t id_ecPublicKey[] = {
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01
+ };
+
+ if (algorithmOID.MatchRest(id_ecPublicKey)) {
+ // An id-ecPublicKey AlgorithmIdentifier has a parameter that identifes
+ // the curve being used. Although RFC 5480 specifies multiple forms, we
+ // only supported the NamedCurve form, where the curve is identified by an
+ // OID.
+
+ Reader namedCurveOIDValue;
+ rv = der::ExpectTagAndGetValue(algorithm, der::OIDTag,
+ namedCurveOIDValue);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // RFC 5480
+ // python DottedOIDToCode.py secp256r1 1.2.840.10045.3.1.7
+ static const uint8_t secp256r1[] = {
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+ };
+
+ // RFC 5480
+ // python DottedOIDToCode.py secp384r1 1.3.132.0.34
+ static const uint8_t secp384r1[] = {
+ 0x2b, 0x81, 0x04, 0x00, 0x22
+ };
+
+ // RFC 5480
+ // python DottedOIDToCode.py secp521r1 1.3.132.0.35
+ static const uint8_t secp521r1[] = {
+ 0x2b, 0x81, 0x04, 0x00, 0x23
+ };
+
+ // Matching is attempted based on a rough estimate of the commonality of the
+ // elliptic curve, to minimize the number of MatchRest calls.
+ NamedCurve curve;
+ unsigned int bits;
+ if (namedCurveOIDValue.MatchRest(secp256r1)) {
+ curve = NamedCurve::secp256r1;
+ bits = 256;
+ } else if (namedCurveOIDValue.MatchRest(secp384r1)) {
+ curve = NamedCurve::secp384r1;
+ bits = 384;
+ } else if (namedCurveOIDValue.MatchRest(secp521r1)) {
+ curve = NamedCurve::secp521r1;
+ bits = 521;
+ } else {
+ return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+ }
+
+ rv = trustDomain.CheckECDSACurveIsAcceptable(endEntityOrCA, curve);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // RFC 5480 Section 2.2 says that the first octet will be 0x04 to indicate
+ // an uncompressed point, which is the only encoding we support.
+ uint8_t compressedOrUncompressed;
+ rv = subjectPublicKeyReader.Read(compressedOrUncompressed);
+ if (rv != Success) {
+ return rv;
+ }
+ if (compressedOrUncompressed != 0x04) {
+ return Result::ERROR_UNSUPPORTED_EC_POINT_FORM;
+ }
+
+ // The point is encoded as two raw (not DER-encoded) integers, each padded
+ // to the bit length (rounded up to the nearest byte).
+ Input point;
+ rv = subjectPublicKeyReader.SkipToEnd(point);
+ if (rv != Success) {
+ return rv;
+ }
+ if (point.GetLength() != ((bits + 7) / 8u) * 2u) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ // XXX: We defer the mathematical verification of the validity of the point
+ // until signature verification. This means that if we never verify a
+ // signature, we'll never fully check whether the public key is valid.
+ } else if (algorithmOID.MatchRest(rsaEncryption)) {
+ // RFC 3279 Section 2.3.1 says "The parameters field MUST have ASN.1 type
+ // NULL for this algorithm identifier."
+ rv = der::ExpectTagAndEmptyValue(algorithm, der::NULLTag);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // RSAPublicKey :: = SEQUENCE{
+ // modulus INTEGER, --n
+ // publicExponent INTEGER } --e
+ rv = der::Nested(subjectPublicKeyReader, der::SEQUENCE,
+ [&trustDomain, endEntityOrCA](Reader& r) {
+ Input modulus;
+ Input::size_type modulusSignificantBytes;
+ Result rv = der::PositiveInteger(r, modulus, &modulusSignificantBytes);
+ if (rv != Success) {
+ return rv;
+ }
+ // XXX: Should we do additional checks of the modulus?
+ rv = trustDomain.CheckRSAPublicKeyModulusSizeInBits(
+ endEntityOrCA, modulusSignificantBytes * 8u);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // XXX: We don't allow the TrustDomain to validate the exponent.
+ // XXX: We don't do our own sanity checking of the exponent.
+ Input exponent;
+ return der::PositiveInteger(r, exponent);
+ });
+ if (rv != Success) {
+ return rv;
+ }
+ } else {
+ return Result::ERROR_UNSUPPORTED_KEYALG;
+ }
+
+ rv = der::End(algorithm);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::End(subjectPublicKeyReader);
+ if (rv != Success) {
+ return rv;
+ }
+
+ return Success;
+}
+
+Result
+CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo, TrustDomain& trustDomain,
+ EndEntityOrCA endEntityOrCA)
+{
+ Reader spkiReader(subjectPublicKeyInfo);
+ Result rv = der::Nested(spkiReader, der::SEQUENCE, [&](Reader& r) {
+ return CheckSubjectPublicKeyInfoContents(r, trustDomain, endEntityOrCA);
+ });
+ if (rv != Success) {
+ return rv;
+ }
+ return der::End(spkiReader);
+}
+
+// 4.2.1.3. Key Usage (id-ce-keyUsage)
+
+// As explained in the comment in CheckKeyUsage, bit 0 is the most significant
+// bit and bit 7 is the least significant bit.
+inline uint8_t KeyUsageToBitMask(KeyUsage keyUsage)
+{
+ assert(keyUsage != KeyUsage::noParticularKeyUsageRequired);
+ return 0x80u >> static_cast<uint8_t>(keyUsage);
+}
+
+Result
+CheckKeyUsage(EndEntityOrCA endEntityOrCA, const Input* encodedKeyUsage,
+ KeyUsage requiredKeyUsageIfPresent)
+{
+ if (!encodedKeyUsage) {
+ // TODO(bug 970196): Reject certificates that are being used to verify
+ // certificate signatures unless the certificate is a trust anchor, to
+ // reduce the chances of an end-entity certificate being abused as a CA
+ // certificate.
+ // if (endEntityOrCA == EndEntityOrCA::MustBeCA && !isTrustAnchor) {
+ // return Result::ERROR_INADEQUATE_KEY_USAGE;
+ // }
+ //
+ // TODO: Users may configure arbitrary certificates as trust anchors, not
+ // just roots. We should only allow a certificate without a key usage to be
+ // used as a CA when it is self-issued and self-signed.
+ return Success;
+ }
+
+ Reader input(*encodedKeyUsage);
+ Reader value;
+ if (der::ExpectTagAndGetValue(input, der::BIT_STRING, value) != Success) {
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+
+ uint8_t numberOfPaddingBits;
+ if (value.Read(numberOfPaddingBits) != Success) {
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+ if (numberOfPaddingBits > 7) {
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+
+ uint8_t bits;
+ if (value.Read(bits) != Success) {
+ // Reject empty bit masks.
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+
+ // The most significant bit is numbered 0 (digitalSignature) and the least
+ // significant bit is numbered 7 (encipherOnly), and the padding is in the
+ // least significant bits of the last byte. The numbering of bits in a byte
+ // is backwards from how we usually interpret them.
+ //
+ // For example, let's say bits is encoded in one byte with of value 0xB0 and
+ // numberOfPaddingBits == 4. Then, bits is 10110000 in binary:
+ //
+ // bit 0 bit 3
+ // | |
+ // v v
+ // 10110000
+ // ^^^^
+ // |
+ // 4 padding bits
+ //
+ // Since bits is the last byte, we have to consider the padding by ensuring
+ // that the least significant 4 bits are all zero, since DER rules require
+ // all padding bits to be zero. Then we have to look at the bit N bits to the
+ // right of the most significant bit, where N is a value from the KeyUsage
+ // enumeration.
+ //
+ // Let's say we're interested in the keyCertSign (5) bit. We'd need to look
+ // at bit 5, which is zero, so keyCertSign is not asserted. (Since we check
+ // that the padding is all zeros, it is OK to read from the padding bits.)
+ //
+ // Let's say we're interested in the digitalSignature (0) bit. We'd need to
+ // look at the bit 0 (the most significant bit), which is set, so that means
+ // digitalSignature is asserted. Similarly, keyEncipherment (2) and
+ // dataEncipherment (3) are asserted.
+ //
+ // Note that since the KeyUsage enumeration is limited to values 0-7, we
+ // only ever need to examine the first byte test for
+ // requiredKeyUsageIfPresent.
+
+ if (requiredKeyUsageIfPresent != KeyUsage::noParticularKeyUsageRequired) {
+ // Check that the required key usage bit is set.
+ if ((bits & KeyUsageToBitMask(requiredKeyUsageIfPresent)) == 0) {
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+ }
+
+ // RFC 5280 says "The keyCertSign bit is asserted when the subject public
+ // key is used for verifying signatures on public key certificates. If the
+ // keyCertSign bit is asserted, then the cA bit in the basic constraints
+ // extension (Section 4.2.1.9) MUST also be asserted."
+ // However, we allow end-entity certificates (i.e. certificates without
+ // basicConstraints.cA set to TRUE) to claim keyCertSign for compatibility
+ // reasons. This does not compromise security because we only allow
+ // certificates with basicConstraints.cA set to TRUE to act as CAs.
+ if (requiredKeyUsageIfPresent == KeyUsage::keyCertSign &&
+ endEntityOrCA != EndEntityOrCA::MustBeCA) {
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+
+ // The padding applies to the last byte, so skip to the last byte.
+ while (!value.AtEnd()) {
+ if (value.Read(bits) != Success) {
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+ }
+
+ // All of the padding bits must be zero, according to DER rules.
+ uint8_t paddingMask = static_cast<uint8_t>((1 << numberOfPaddingBits) - 1);
+ if ((bits & paddingMask) != 0) {
+ return Result::ERROR_INADEQUATE_KEY_USAGE;
+ }
+
+ return Success;
+}
+
+// RFC5820 4.2.1.4. Certificate Policies
+
+// "The user-initial-policy-set contains the special value any-policy if the
+// user is not concerned about certificate policy."
+//
+// python DottedOIDToCode.py anyPolicy 2.5.29.32.0
+
+static const uint8_t anyPolicy[] = {
+ 0x55, 0x1d, 0x20, 0x00
+};
+
+/*static*/ const CertPolicyId CertPolicyId::anyPolicy = {
+ 4, { 0x55, 0x1d, 0x20, 0x00 }
+};
+
+bool
+CertPolicyId::IsAnyPolicy() const {
+ if (this == &CertPolicyId::anyPolicy) {
+ return true;
+ }
+ return numBytes == sizeof(::mozilla::pkix::anyPolicy) &&
+ std::equal(bytes, bytes + numBytes, ::mozilla::pkix::anyPolicy);
+}
+
+// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+Result
+CheckCertificatePolicies(EndEntityOrCA endEntityOrCA,
+ const Input* encodedCertificatePolicies,
+ const Input* encodedInhibitAnyPolicy,
+ TrustLevel trustLevel,
+ const CertPolicyId& requiredPolicy)
+{
+ if (requiredPolicy.numBytes == 0 ||
+ requiredPolicy.numBytes > sizeof requiredPolicy.bytes) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+
+ bool requiredPolicyFound = requiredPolicy.IsAnyPolicy();
+ if (requiredPolicyFound) {
+ return Success;
+ }
+
+ // Bug 989051. Until we handle inhibitAnyPolicy we will fail close when
+ // inhibitAnyPolicy extension is present and we are validating for a policy.
+ if (!requiredPolicyFound && encodedInhibitAnyPolicy) {
+ return Result::ERROR_POLICY_VALIDATION_FAILED;
+ }
+
+ // The root CA certificate may omit the policies that it has been
+ // trusted for, so we cannot require the policies to be present in those
+ // certificates. Instead, the determination of which roots are trusted for
+ // which policies is made by the TrustDomain's GetCertTrust method.
+ if (trustLevel == TrustLevel::TrustAnchor &&
+ endEntityOrCA == EndEntityOrCA::MustBeCA) {
+ requiredPolicyFound = true;
+ }
+
+ Input requiredPolicyDER;
+ if (requiredPolicyDER.Init(requiredPolicy.bytes, requiredPolicy.numBytes)
+ != Success) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+
+ if (encodedCertificatePolicies) {
+ Reader extension(*encodedCertificatePolicies);
+ Reader certificatePolicies;
+ Result rv = der::ExpectTagAndGetValue(extension, der::SEQUENCE,
+ certificatePolicies);
+ if (rv != Success) {
+ return Result::ERROR_POLICY_VALIDATION_FAILED;
+ }
+ if (!extension.AtEnd()) {
+ return Result::ERROR_POLICY_VALIDATION_FAILED;
+ }
+
+ do {
+ // PolicyInformation ::= SEQUENCE {
+ // policyIdentifier CertPolicyId,
+ // policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ // PolicyQualifierInfo OPTIONAL }
+ Reader policyInformation;
+ rv = der::ExpectTagAndGetValue(certificatePolicies, der::SEQUENCE,
+ policyInformation);
+ if (rv != Success) {
+ return Result::ERROR_POLICY_VALIDATION_FAILED;
+ }
+
+ Reader policyIdentifier;
+ rv = der::ExpectTagAndGetValue(policyInformation, der::OIDTag,
+ policyIdentifier);
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (policyIdentifier.MatchRest(requiredPolicyDER)) {
+ requiredPolicyFound = true;
+ } else if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
+ policyIdentifier.MatchRest(anyPolicy)) {
+ requiredPolicyFound = true;
+ }
+
+ // RFC 5280 Section 4.2.1.4 says "Optional qualifiers, which MAY be
+ // present, are not expected to change the definition of the policy." Also,
+ // it seems that Section 6, which defines validation, does not require any
+ // matching of qualifiers. Thus, doing anything with the policy qualifiers
+ // would be a waste of time and a source of potential incompatibilities, so
+ // we just ignore them.
+ } while (!requiredPolicyFound && !certificatePolicies.AtEnd());
+ }
+
+ if (!requiredPolicyFound) {
+ return Result::ERROR_POLICY_VALIDATION_FAILED;
+ }
+
+ return Success;
+}
+
+static const long UNLIMITED_PATH_LEN = -1; // must be less than zero
+
+// BasicConstraints ::= SEQUENCE {
+// cA BOOLEAN DEFAULT FALSE,
+// pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+
+// RFC5280 4.2.1.9. Basic Constraints (id-ce-basicConstraints)
+Result
+CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
+ const Input* encodedBasicConstraints,
+ const der::Version version, TrustLevel trustLevel,
+ unsigned int subCACount)
+{
+ bool isCA = false;
+ long pathLenConstraint = UNLIMITED_PATH_LEN;
+
+ if (encodedBasicConstraints) {
+ Reader input(*encodedBasicConstraints);
+ Result rv = der::Nested(input, der::SEQUENCE,
+ [&isCA, &pathLenConstraint](Reader& r) {
+ Result rv = der::OptionalBoolean(r, isCA);
+ if (rv != Success) {
+ return rv;
+ }
+ // TODO(bug 985025): If isCA is false, pathLenConstraint
+ // MUST NOT be included (as per RFC 5280 section
+ // 4.2.1.9), but for compatibility reasons, we don't
+ // check this.
+ return der::OptionalInteger(r, UNLIMITED_PATH_LEN, pathLenConstraint);
+ });
+ if (rv != Success) {
+ return Result::ERROR_EXTENSION_VALUE_INVALID;
+ }
+ if (der::End(input) != Success) {
+ return Result::ERROR_EXTENSION_VALUE_INVALID;
+ }
+ } else {
+ // "If the basic constraints extension is not present in a version 3
+ // certificate, or the extension is present but the cA boolean is not
+ // asserted, then the certified public key MUST NOT be used to verify
+ // certificate signatures."
+ //
+ // For compatibility, we must accept v1 trust anchors without basic
+ // constraints as CAs.
+ //
+ // There are devices with v1 certificates that are unlikely to be trust
+ // anchors. In order to allow applications to treat this case differently
+ // from other basic constraints violations (e.g. allowing certificate error
+ // overrides for only this case), we return a different error code.
+ //
+ // TODO: add check for self-signedness?
+ if (endEntityOrCA == EndEntityOrCA::MustBeCA && version == der::Version::v1) {
+ if (trustLevel == TrustLevel::TrustAnchor) {
+ isCA = true;
+ } else {
+ return Result::ERROR_V1_CERT_USED_AS_CA;
+ }
+ }
+ }
+
+ if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+ // CA certificates are not trusted as EE certs.
+
+ if (isCA) {
+ // Note that this check prevents a delegated OCSP response signing
+ // certificate with the CA bit from successfully validating when we check
+ // it from pkixocsp.cpp, which is a good thing.
+ return Result::ERROR_CA_CERT_USED_AS_END_ENTITY;
+ }
+
+ return Success;
+ }
+
+ assert(endEntityOrCA == EndEntityOrCA::MustBeCA);
+
+ // End-entity certificates are not allowed to act as CA certs.
+ if (!isCA) {
+ return Result::ERROR_CA_CERT_INVALID;
+ }
+
+ if (pathLenConstraint >= 0 &&
+ static_cast<long>(subCACount) > pathLenConstraint) {
+ return Result::ERROR_PATH_LEN_CONSTRAINT_INVALID;
+ }
+
+ return Success;
+}
+
+// 4.2.1.12. Extended Key Usage (id-ce-extKeyUsage)
+
+static Result
+MatchEKU(Reader& value, KeyPurposeId requiredEKU,
+ EndEntityOrCA endEntityOrCA, TrustDomain& trustDomain,
+ Time notBefore, /*in/out*/ bool& found,
+ /*in/out*/ bool& foundOCSPSigning)
+{
+ // See Section 5.9 of "A Layman's Guide to a Subset of ASN.1, BER, and DER"
+ // for a description of ASN.1 DER encoding of OIDs.
+
+ // id-pkix OBJECT IDENTIFIER ::=
+ // { iso(1) identified-organization(3) dod(6) internet(1)
+ // security(5) mechanisms(5) pkix(7) }
+ // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+ // id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
+ // id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
+ // id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
+ // id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+ // id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
+ static const uint8_t server[] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 1 };
+ static const uint8_t client[] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 2 };
+ static const uint8_t code [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 3 };
+ static const uint8_t email [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 4 };
+ static const uint8_t ocsp [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 9 };
+
+ // id-Netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
+ // id-Netscape-policy OBJECT IDENTIFIER ::= { id-Netscape 4 }
+ // id-Netscape-stepUp OBJECT IDENTIFIER ::= { id-Netscape-policy 1 }
+ static const uint8_t serverStepUp[] =
+ { (40*2)+16, 128+6,72, 1, 128+6,128+120,66, 4, 1 };
+
+ bool match = false;
+
+ if (!found) {
+ switch (requiredEKU) {
+ case KeyPurposeId::id_kp_serverAuth: {
+ if (value.MatchRest(server)) {
+ match = true;
+ break;
+ }
+ // Potentially treat CA certs with step-up OID as also having SSL server
+ // type. Comodo has issued certificates that require this behavior that
+ // don't expire until June 2020!
+ if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
+ value.MatchRest(serverStepUp)) {
+ Result rv = trustDomain.NetscapeStepUpMatchesServerAuth(notBefore,
+ match);
+ if (rv != Success) {
+ return rv;
+ }
+ }
+ break;
+ }
+
+ case KeyPurposeId::id_kp_clientAuth:
+ match = value.MatchRest(client);
+ break;
+
+ case KeyPurposeId::id_kp_codeSigning:
+ match = value.MatchRest(code);
+ break;
+
+ case KeyPurposeId::id_kp_emailProtection:
+ match = value.MatchRest(email);
+ break;
+
+ case KeyPurposeId::id_kp_OCSPSigning:
+ match = value.MatchRest(ocsp);
+ break;
+
+ case KeyPurposeId::anyExtendedKeyUsage:
+ return NotReached("anyExtendedKeyUsage should start with found==true",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+ }
+
+ if (match) {
+ found = true;
+ if (requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
+ foundOCSPSigning = true;
+ }
+ } else if (value.MatchRest(ocsp)) {
+ foundOCSPSigning = true;
+ }
+
+ value.SkipToEnd(); // ignore unmatched OIDs.
+
+ return Success;
+}
+
+Result
+CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
+ const Input* encodedExtendedKeyUsage,
+ KeyPurposeId requiredEKU, TrustDomain& trustDomain,
+ Time notBefore)
+{
+ // XXX: We're using Result::ERROR_INADEQUATE_CERT_TYPE here so that callers
+ // can distinguish EKU mismatch from KU mismatch from basic constraints
+ // mismatch. We should probably add a new error code that is more clear for
+ // this type of problem.
+
+ bool foundOCSPSigning = false;
+
+ if (encodedExtendedKeyUsage) {
+ bool found = requiredEKU == KeyPurposeId::anyExtendedKeyUsage;
+
+ Reader input(*encodedExtendedKeyUsage);
+ Result rv = der::NestedOf(input, der::SEQUENCE, der::OIDTag,
+ der::EmptyAllowed::No, [&](Reader& r) {
+ return MatchEKU(r, requiredEKU, endEntityOrCA, trustDomain, notBefore,
+ found, foundOCSPSigning);
+ });
+ if (rv != Success) {
+ return Result::ERROR_INADEQUATE_CERT_TYPE;
+ }
+ if (der::End(input) != Success) {
+ return Result::ERROR_INADEQUATE_CERT_TYPE;
+ }
+
+ // If the EKU extension was included, then the required EKU must be in the
+ // list.
+ if (!found) {
+ return Result::ERROR_INADEQUATE_CERT_TYPE;
+ }
+ }
+
+ // pkixocsp.cpp depends on the following additional checks.
+
+ if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+ // When validating anything other than an delegated OCSP signing cert,
+ // reject any cert that also claims to be an OCSP responder, because such
+ // a cert does not make sense. For example, if an SSL certificate were to
+ // assert id-kp-OCSPSigning then it could sign OCSP responses for itself,
+ // if not for this check.
+ // That said, we accept CA certificates with id-kp-OCSPSigning because
+ // some CAs in Mozilla's CA program have issued such intermediate
+ // certificates, and because some CAs have reported some Microsoft server
+ // software wrongly requires CA certificates to have id-kp-OCSPSigning.
+ // Allowing this exception does not cause any security issues because we
+ // require delegated OCSP response signing certificates to be end-entity
+ // certificates.
+ if (foundOCSPSigning && requiredEKU != KeyPurposeId::id_kp_OCSPSigning) {
+ return Result::ERROR_INADEQUATE_CERT_TYPE;
+ }
+ // http://tools.ietf.org/html/rfc6960#section-4.2.2.2:
+ // "OCSP signing delegation SHALL be designated by the inclusion of
+ // id-kp-OCSPSigning in an extended key usage certificate extension
+ // included in the OCSP response signer's certificate."
+ //
+ // id-kp-OCSPSigning is the only EKU that isn't implicitly assumed when the
+ // EKU extension is missing from an end-entity certificate. However, any CA
+ // certificate can issue a delegated OCSP response signing certificate, so
+ // we can't require the EKU be explicitly included for CA certificates.
+ if (!foundOCSPSigning && requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
+ return Result::ERROR_INADEQUATE_CERT_TYPE;
+ }
+ }
+
+ return Success;
+}
+
+Result
+CheckTLSFeatures(const BackCert& subject, BackCert& potentialIssuer)
+{
+ const Input* issuerTLSFeatures = potentialIssuer.GetRequiredTLSFeatures();
+ if (!issuerTLSFeatures) {
+ return Success;
+ }
+
+ const Input* subjectTLSFeatures = subject.GetRequiredTLSFeatures();
+ if (issuerTLSFeatures->GetLength() == 0 ||
+ !subjectTLSFeatures ||
+ !InputsAreEqual(*issuerTLSFeatures, *subjectTLSFeatures)) {
+ return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+ }
+
+ return Success;
+}
+
+Result
+TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures,
+ const Input* stapledOCSPResponse)
+{
+ if (!requiredTLSFeatures) {
+ return Success;
+ }
+
+ // RFC 6066 10.2: ExtensionType status_request
+ const static uint8_t status_request = 5;
+ const static uint8_t status_request_bytes[] = { status_request };
+
+ Reader input(*requiredTLSFeatures);
+ return der::NestedOf(input, der::SEQUENCE, der::INTEGER,
+ der::EmptyAllowed::No, [&](Reader& r) {
+ if (!r.MatchRest(status_request_bytes)) {
+ return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+ }
+
+ if (!stapledOCSPResponse) {
+ return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+ }
+
+ return Result::Success;
+ });
+}
+
+Result
+CheckTLSFeaturesAreSatisfied(Input& cert,
+ const Input* stapledOCSPResponse)
+{
+ BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr);
+ Result rv = backCert.Init();
+ if (rv != Success) {
+ return rv;
+ }
+
+ return TLSFeaturesSatisfiedInternal(backCert.GetRequiredTLSFeatures(),
+ stapledOCSPResponse);
+}
+
+Result
+CheckIssuerIndependentProperties(TrustDomain& trustDomain,
+ const BackCert& cert,
+ Time time,
+ KeyUsage requiredKeyUsageIfPresent,
+ KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ unsigned int subCACount,
+ /*out*/ TrustLevel& trustLevel)
+{
+ Result rv;
+
+ const EndEntityOrCA endEntityOrCA = cert.endEntityOrCA;
+
+ // Check the cert's trust first, because we want to minimize the amount of
+ // processing we do on a distrusted cert, in case it is trying to exploit
+ // some bug in our processing.
+ rv = trustDomain.GetCertTrust(endEntityOrCA, requiredPolicy, cert.GetDER(),
+ trustLevel);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // IMPORTANT: We parse the validity interval here, so that we can use the
+ // notBefore and notAfter values in checks for things that might be deprecated
+ // over time. However, we must not fail for semantic errors until the end of
+ // this method, in order to preserve error ranking.
+ Time notBefore(Time::uninitialized);
+ Time notAfter(Time::uninitialized);
+ rv = ParseValidity(cert.GetValidity(), &notBefore, &notAfter);
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (trustLevel == TrustLevel::TrustAnchor &&
+ endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+ requiredEKUIfPresent == KeyPurposeId::id_kp_OCSPSigning) {
+ // OCSP signer certificates can never be trust anchors, especially
+ // since we don't support designated OCSP responders. All of the checks
+ // below that are dependent on trustLevel rely on this overriding of the
+ // trust level for OCSP signers.
+ trustLevel = TrustLevel::InheritsTrust;
+ }
+
+ switch (trustLevel) {
+ case TrustLevel::InheritsTrust:
+ rv = CheckSignatureAlgorithm(trustDomain, endEntityOrCA, notBefore,
+ cert.GetSignedData(), cert.GetSignature());
+ if (rv != Success) {
+ return rv;
+ }
+ break;
+
+ case TrustLevel::TrustAnchor:
+ // We don't even bother checking signatureAlgorithm or signature for
+ // syntactic validity for trust anchors, because we don't use those
+ // fields for anything, and because the trust anchor might be signed
+ // with a signature algorithm we don't actually support.
+ break;
+
+ case TrustLevel::ActivelyDistrusted:
+ return Result::ERROR_UNTRUSTED_CERT;
+ }
+
+ // Check the SPKI early, because it is one of the most selective properties
+ // of the certificate due to SHA-1 deprecation and the deprecation of
+ // certificates with keys weaker than RSA 2048.
+ rv = CheckSubjectPublicKeyInfo(cert.GetSubjectPublicKeyInfo(), trustDomain,
+ endEntityOrCA);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // 4.1.2.4. Issuer
+ rv = CheckIssuer(cert.GetIssuer());
+ if (rv != Success) {
+ return rv;
+ }
+
+ // 4.2.1.1. Authority Key Identifier is ignored (see bug 965136).
+
+ // 4.2.1.2. Subject Key Identifier is ignored (see bug 965136).
+
+ // 4.2.1.3. Key Usage
+ rv = CheckKeyUsage(endEntityOrCA, cert.GetKeyUsage(),
+ requiredKeyUsageIfPresent);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // 4.2.1.4. Certificate Policies
+ rv = CheckCertificatePolicies(endEntityOrCA, cert.GetCertificatePolicies(),
+ cert.GetInhibitAnyPolicy(), trustLevel,
+ requiredPolicy);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // 4.2.1.5. Policy Mappings are not supported; see the documentation about
+ // policy enforcement in pkix.h.
+
+ // 4.2.1.6. Subject Alternative Name dealt with during name constraint
+ // checking and during name verification (CERT_VerifyCertName).
+
+ // 4.2.1.7. Issuer Alternative Name is not something that needs checking.
+
+ // 4.2.1.8. Subject Directory Attributes is not something that needs
+ // checking.
+
+ // 4.2.1.9. Basic Constraints.
+ rv = CheckBasicConstraints(endEntityOrCA, cert.GetBasicConstraints(),
+ cert.GetVersion(), trustLevel, subCACount);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // 4.2.1.10. Name Constraints is dealt with in during path building.
+
+ // 4.2.1.11. Policy Constraints are implicitly supported; see the
+ // documentation about policy enforcement in pkix.h.
+
+ // 4.2.1.12. Extended Key Usage
+ rv = CheckExtendedKeyUsage(endEntityOrCA, cert.GetExtKeyUsage(),
+ requiredEKUIfPresent, trustDomain, notBefore);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // 4.2.1.13. CRL Distribution Points is not supported, though the
+ // TrustDomain's CheckRevocation method may parse it and process it
+ // on its own.
+
+ // 4.2.1.14. Inhibit anyPolicy is implicitly supported; see the documentation
+ // about policy enforcement in pkix.h.
+
+ // IMPORTANT: Even though we parse validity above, we wait until this point to
+ // check it, so that error ranking works correctly.
+ rv = CheckValidity(time, notBefore, notAfter);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = trustDomain.CheckValidityIsAcceptable(notBefore, notAfter, endEntityOrCA,
+ requiredEKUIfPresent);
+ if (rv != Success) {
+ return rv;
+ }
+
+ return Success;
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixcheck.h b/security/pkix/lib/pkixcheck.h
new file mode 100644
index 000000000..9ea205f3b
--- /dev/null
+++ b/security/pkix/lib/pkixcheck.h
@@ -0,0 +1,66 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixcheck_h
+#define mozilla_pkix_pkixcheck_h
+
+#include "pkix/pkixtypes.h"
+
+namespace mozilla { namespace pkix {
+
+class BackCert;
+
+Result CheckIssuerIndependentProperties(
+ TrustDomain& trustDomain,
+ const BackCert& cert,
+ Time time,
+ KeyUsage requiredKeyUsageIfPresent,
+ KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ unsigned int subCACount,
+ /*out*/ TrustLevel& trustLevel);
+
+Result CheckNameConstraints(Input encodedNameConstraints,
+ const BackCert& firstChild,
+ KeyPurposeId requiredEKUIfPresent);
+
+Result CheckIssuer(Input encodedIssuer);
+
+// ParseValidity and CheckValidity are usually used together. First you parse
+// the dates from the DER Validity sequence, then you compare them to the time
+// at which you are validating. They are separate so that the notBefore and
+// notAfter times can be used for other things before they are checked against
+// the time of validation.
+Result ParseValidity(Input encodedValidity,
+ /*optional out*/ Time* notBeforeOut = nullptr,
+ /*optional out*/ Time* notAfterOut = nullptr);
+Result CheckValidity(Time time, Time notBefore, Time notAfter);
+
+// Check that a subject has TLS Feature (rfc7633) requirements that match its
+// potential issuer
+Result CheckTLSFeatures(const BackCert& subject, BackCert& potentialIssuer);
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_pkixcheck_h
diff --git a/security/pkix/lib/pkixder.cpp b/security/pkix/lib/pkixder.cpp
new file mode 100644
index 000000000..0660b42b2
--- /dev/null
+++ b/security/pkix/lib/pkixder.cpp
@@ -0,0 +1,612 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixder.h"
+
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix { namespace der {
+
+// Too complicated to be inline
+Result
+ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag, /*out*/ Input& value)
+{
+ Result rv;
+
+ rv = input.Read(tag);
+ if (rv != Success) {
+ return rv;
+ }
+ if ((tag & 0x1F) == 0x1F) {
+ return Result::ERROR_BAD_DER; // high tag number form not allowed
+ }
+
+ uint16_t length;
+
+ // The short form of length is a single byte with the high order bit set
+ // to zero. The long form of length is one byte with the high order bit
+ // set, followed by N bytes, where N is encoded in the lowest 7 bits of
+ // the first byte.
+ uint8_t length1;
+ rv = input.Read(length1);
+ if (rv != Success) {
+ return rv;
+ }
+ if (!(length1 & 0x80)) {
+ length = length1;
+ } else if (length1 == 0x81) {
+ uint8_t length2;
+ rv = input.Read(length2);
+ if (rv != Success) {
+ return rv;
+ }
+ if (length2 < 128) {
+ // Not shortest possible encoding
+ return Result::ERROR_BAD_DER;
+ }
+ length = length2;
+ } else if (length1 == 0x82) {
+ rv = input.Read(length);
+ if (rv != Success) {
+ return rv;
+ }
+ if (length < 256) {
+ // Not shortest possible encoding
+ return Result::ERROR_BAD_DER;
+ }
+ } else {
+ // We don't support lengths larger than 2^16 - 1.
+ return Result::ERROR_BAD_DER;
+ }
+
+ return input.Skip(length, value);
+}
+
+static Result
+OptionalNull(Reader& input)
+{
+ if (input.Peek(NULLTag)) {
+ return Null(input);
+ }
+ return Success;
+}
+
+namespace {
+
+Result
+AlgorithmIdentifierValue(Reader& input, /*out*/ Reader& algorithmOIDValue)
+{
+ Result rv = ExpectTagAndGetValue(input, der::OIDTag, algorithmOIDValue);
+ if (rv != Success) {
+ return rv;
+ }
+ return OptionalNull(input);
+}
+
+} // namespace
+
+Result
+SignatureAlgorithmIdentifierValue(Reader& input,
+ /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
+ /*out*/ DigestAlgorithm& digestAlgorithm)
+{
+ // RFC 5758 Section 3.2 (ECDSA with SHA-2), and RFC 3279 Section 2.2.3
+ // (ECDSA with SHA-1) say that parameters must be omitted.
+ //
+ // RFC 4055 Section 5 and RFC 3279 Section 2.2.1 both say that parameters for
+ // RSA must be encoded as NULL; we relax that requirement by allowing the
+ // NULL to be omitted, to match all the other signature algorithms we support
+ // and for compatibility.
+ Reader algorithmID;
+ Result rv = AlgorithmIdentifierValue(input, algorithmID);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // RFC 5758 Section 3.2 (ecdsa-with-SHA224 is intentionally excluded)
+ // python DottedOIDToCode.py ecdsa-with-SHA256 1.2.840.10045.4.3.2
+ static const uint8_t ecdsa_with_SHA256[] = {
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02
+ };
+ // python DottedOIDToCode.py ecdsa-with-SHA384 1.2.840.10045.4.3.3
+ static const uint8_t ecdsa_with_SHA384[] = {
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03
+ };
+ // python DottedOIDToCode.py ecdsa-with-SHA512 1.2.840.10045.4.3.4
+ static const uint8_t ecdsa_with_SHA512[] = {
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+ };
+
+ // RFC 4055 Section 5 (sha224WithRSAEncryption is intentionally excluded)
+ // python DottedOIDToCode.py sha256WithRSAEncryption 1.2.840.113549.1.1.11
+ static const uint8_t sha256WithRSAEncryption[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+ };
+ // python DottedOIDToCode.py sha384WithRSAEncryption 1.2.840.113549.1.1.12
+ static const uint8_t sha384WithRSAEncryption[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c
+ };
+ // python DottedOIDToCode.py sha512WithRSAEncryption 1.2.840.113549.1.1.13
+ static const uint8_t sha512WithRSAEncryption[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
+ };
+
+ // RFC 3279 Section 2.2.1
+ // python DottedOIDToCode.py sha-1WithRSAEncryption 1.2.840.113549.1.1.5
+ static const uint8_t sha_1WithRSAEncryption[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05
+ };
+
+ // NIST Open Systems Environment (OSE) Implementor's Workshop (OIW)
+ // http://www.oiw.org/agreements/stable/12s-9412.txt (no longer works).
+ // http://www.imc.org/ietf-pkix/old-archive-97/msg01166.html
+ // We need to support this this non-PKIX OID for compatibility.
+ // python DottedOIDToCode.py sha1WithRSASignature 1.3.14.3.2.29
+ static const uint8_t sha1WithRSASignature[] = {
+ 0x2b, 0x0e, 0x03, 0x02, 0x1d
+ };
+
+ // RFC 3279 Section 2.2.3
+ // python DottedOIDToCode.py ecdsa-with-SHA1 1.2.840.10045.4.1
+ static const uint8_t ecdsa_with_SHA1[] = {
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01
+ };
+
+ // Matching is attempted based on a rough estimate of the commonality of the
+ // algorithm, to minimize the number of MatchRest calls.
+ if (algorithmID.MatchRest(sha256WithRSAEncryption)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+ digestAlgorithm = DigestAlgorithm::sha256;
+ } else if (algorithmID.MatchRest(ecdsa_with_SHA256)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+ digestAlgorithm = DigestAlgorithm::sha256;
+ } else if (algorithmID.MatchRest(sha_1WithRSAEncryption)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+ digestAlgorithm = DigestAlgorithm::sha1;
+ } else if (algorithmID.MatchRest(ecdsa_with_SHA1)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+ digestAlgorithm = DigestAlgorithm::sha1;
+ } else if (algorithmID.MatchRest(ecdsa_with_SHA384)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+ digestAlgorithm = DigestAlgorithm::sha384;
+ } else if (algorithmID.MatchRest(ecdsa_with_SHA512)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+ digestAlgorithm = DigestAlgorithm::sha512;
+ } else if (algorithmID.MatchRest(sha384WithRSAEncryption)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+ digestAlgorithm = DigestAlgorithm::sha384;
+ } else if (algorithmID.MatchRest(sha512WithRSAEncryption)) {
+ publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+ digestAlgorithm = DigestAlgorithm::sha512;
+ } else if (algorithmID.MatchRest(sha1WithRSASignature)) {
+ // XXX(bug 1042479): recognize this old OID for compatibility.
+ publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+ digestAlgorithm = DigestAlgorithm::sha1;
+ } else {
+ return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+ }
+
+ return Success;
+}
+
+Result
+DigestAlgorithmIdentifier(Reader& input, /*out*/ DigestAlgorithm& algorithm)
+{
+ Reader r;
+ return der::Nested(input, SEQUENCE, [&algorithm](Reader& r) -> Result {
+ Reader algorithmID;
+ Result rv = AlgorithmIdentifierValue(r, algorithmID);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // RFC 4055 Section 2.1
+ // python DottedOIDToCode.py id-sha1 1.3.14.3.2.26
+ static const uint8_t id_sha1[] = {
+ 0x2b, 0x0e, 0x03, 0x02, 0x1a
+ };
+ // python DottedOIDToCode.py id-sha256 2.16.840.1.101.3.4.2.1
+ static const uint8_t id_sha256[] = {
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
+ };
+ // python DottedOIDToCode.py id-sha384 2.16.840.1.101.3.4.2.2
+ static const uint8_t id_sha384[] = {
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
+ };
+ // python DottedOIDToCode.py id-sha512 2.16.840.1.101.3.4.2.3
+ static const uint8_t id_sha512[] = {
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
+ };
+
+ // Matching is attempted based on a rough estimate of the commonality of the
+ // algorithm, to minimize the number of MatchRest calls.
+ if (algorithmID.MatchRest(id_sha1)) {
+ algorithm = DigestAlgorithm::sha1;
+ } else if (algorithmID.MatchRest(id_sha256)) {
+ algorithm = DigestAlgorithm::sha256;
+ } else if (algorithmID.MatchRest(id_sha384)) {
+ algorithm = DigestAlgorithm::sha384;
+ } else if (algorithmID.MatchRest(id_sha512)) {
+ algorithm = DigestAlgorithm::sha512;
+ } else {
+ return Result::ERROR_INVALID_ALGORITHM;
+ }
+
+ return Success;
+ });
+}
+
+Result
+SignedData(Reader& input, /*out*/ Reader& tbs,
+ /*out*/ SignedDataWithSignature& signedData)
+{
+ Reader::Mark mark(input.GetMark());
+
+ Result rv;
+ rv = ExpectTagAndGetValue(input, SEQUENCE, tbs);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = input.GetInput(mark, signedData.data);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = ExpectTagAndGetValue(input, der::SEQUENCE, signedData.algorithm);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = BitStringWithNoUnusedBits(input, signedData.signature);
+ if (rv == Result::ERROR_BAD_DER) {
+ rv = Result::ERROR_BAD_SIGNATURE;
+ }
+ return rv;
+}
+
+Result
+BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value)
+{
+ Reader valueWithUnusedBits;
+ Result rv = ExpectTagAndGetValue(input, BIT_STRING, valueWithUnusedBits);
+ if (rv != Success) {
+ return rv;
+ }
+
+ uint8_t unusedBitsAtEnd;
+ if (valueWithUnusedBits.Read(unusedBitsAtEnd) != Success) {
+ return Result::ERROR_BAD_DER;
+ }
+ // XXX: Really the constraint should be that unusedBitsAtEnd must be less
+ // than 7. But, we suspect there are no real-world values in OCSP responses
+ // or certificates with non-zero unused bits. It seems like NSS assumes this
+ // in various places, so we enforce it too in order to simplify this code. If
+ // we find compatibility issues, we'll know we're wrong and we'll have to
+ // figure out how to shift the bits around.
+ if (unusedBitsAtEnd != 0) {
+ return Result::ERROR_BAD_DER;
+ }
+ return valueWithUnusedBits.SkipToEnd(value);
+}
+
+static inline Result
+ReadDigit(Reader& input, /*out*/ unsigned int& value)
+{
+ uint8_t b;
+ if (input.Read(b) != Success) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+ if (b < '0' || b > '9') {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+ value = static_cast<unsigned int>(b - static_cast<uint8_t>('0'));
+ return Success;
+}
+
+static inline Result
+ReadTwoDigits(Reader& input, unsigned int minValue, unsigned int maxValue,
+ /*out*/ unsigned int& value)
+{
+ unsigned int hi;
+ Result rv = ReadDigit(input, hi);
+ if (rv != Success) {
+ return rv;
+ }
+ unsigned int lo;
+ rv = ReadDigit(input, lo);
+ if (rv != Success) {
+ return rv;
+ }
+ value = (hi * 10) + lo;
+ if (value < minValue || value > maxValue) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+ return Success;
+}
+
+namespace internal {
+
+// We parse GeneralizedTime and UTCTime according to RFC 5280 and we do not
+// accept all time formats allowed in the ASN.1 spec. That is,
+// GeneralizedTime must always be in the format YYYYMMDDHHMMSSZ and UTCTime
+// must always be in the format YYMMDDHHMMSSZ. Timezone formats of the form
+// +HH:MM or -HH:MM or NOT accepted.
+Result
+TimeChoice(Reader& tagged, uint8_t expectedTag, /*out*/ Time& time)
+{
+ unsigned int days;
+
+ Reader input;
+ Result rv = ExpectTagAndGetValue(tagged, expectedTag, input);
+ if (rv != Success) {
+ return rv;
+ }
+
+ unsigned int yearHi;
+ unsigned int yearLo;
+ if (expectedTag == GENERALIZED_TIME) {
+ rv = ReadTwoDigits(input, 0, 99, yearHi);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = ReadTwoDigits(input, 0, 99, yearLo);
+ if (rv != Success) {
+ return rv;
+ }
+ } else if (expectedTag == UTCTime) {
+ rv = ReadTwoDigits(input, 0, 99, yearLo);
+ if (rv != Success) {
+ return rv;
+ }
+ yearHi = yearLo >= 50u ? 19u : 20u;
+ } else {
+ return NotReached("invalid tag given to TimeChoice",
+ Result::ERROR_INVALID_DER_TIME);
+ }
+ unsigned int year = (yearHi * 100u) + yearLo;
+ if (year < 1970u) {
+ // We don't support dates before January 1, 1970 because that is the epoch.
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+ days = DaysBeforeYear(year);
+
+ unsigned int month;
+ rv = ReadTwoDigits(input, 1u, 12u, month);
+ if (rv != Success) {
+ return rv;
+ }
+ unsigned int daysInMonth;
+ static const unsigned int jan = 31u;
+ const unsigned int feb = ((year % 4u == 0u) &&
+ ((year % 100u != 0u) || (year % 400u == 0u)))
+ ? 29u
+ : 28u;
+ static const unsigned int mar = 31u;
+ static const unsigned int apr = 30u;
+ static const unsigned int may = 31u;
+ static const unsigned int jun = 30u;
+ static const unsigned int jul = 31u;
+ static const unsigned int aug = 31u;
+ static const unsigned int sep = 30u;
+ static const unsigned int oct = 31u;
+ static const unsigned int nov = 30u;
+ static const unsigned int dec = 31u;
+ switch (month) {
+ case 1: daysInMonth = jan; break;
+ case 2: daysInMonth = feb; days += jan; break;
+ case 3: daysInMonth = mar; days += jan + feb; break;
+ case 4: daysInMonth = apr; days += jan + feb + mar; break;
+ case 5: daysInMonth = may; days += jan + feb + mar + apr; break;
+ case 6: daysInMonth = jun; days += jan + feb + mar + apr + may; break;
+ case 7: daysInMonth = jul; days += jan + feb + mar + apr + may + jun;
+ break;
+ case 8: daysInMonth = aug; days += jan + feb + mar + apr + may + jun +
+ jul;
+ break;
+ case 9: daysInMonth = sep; days += jan + feb + mar + apr + may + jun +
+ jul + aug;
+ break;
+ case 10: daysInMonth = oct; days += jan + feb + mar + apr + may + jun +
+ jul + aug + sep;
+ break;
+ case 11: daysInMonth = nov; days += jan + feb + mar + apr + may + jun +
+ jul + aug + sep + oct;
+ break;
+ case 12: daysInMonth = dec; days += jan + feb + mar + apr + may + jun +
+ jul + aug + sep + oct + nov;
+ break;
+ default:
+ return NotReached("month already bounds-checked by ReadTwoDigits",
+ Result::FATAL_ERROR_INVALID_STATE);
+ }
+
+ unsigned int dayOfMonth;
+ rv = ReadTwoDigits(input, 1u, daysInMonth, dayOfMonth);
+ if (rv != Success) {
+ return rv;
+ }
+ days += dayOfMonth - 1;
+
+ unsigned int hours;
+ rv = ReadTwoDigits(input, 0u, 23u, hours);
+ if (rv != Success) {
+ return rv;
+ }
+ unsigned int minutes;
+ rv = ReadTwoDigits(input, 0u, 59u, minutes);
+ if (rv != Success) {
+ return rv;
+ }
+ unsigned int seconds;
+ rv = ReadTwoDigits(input, 0u, 59u, seconds);
+ if (rv != Success) {
+ return rv;
+ }
+
+ uint8_t b;
+ if (input.Read(b) != Success) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+ if (b != 'Z') {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+ if (End(input) != Success) {
+ return Result::ERROR_INVALID_DER_TIME;
+ }
+
+ uint64_t totalSeconds = (static_cast<uint64_t>(days) * 24u * 60u * 60u) +
+ (static_cast<uint64_t>(hours) * 60u * 60u) +
+ (static_cast<uint64_t>(minutes) * 60u) +
+ seconds;
+
+ time = TimeFromElapsedSecondsAD(totalSeconds);
+ return Success;
+}
+
+Result
+IntegralBytes(Reader& input, uint8_t tag,
+ IntegralValueRestriction valueRestriction,
+ /*out*/ Input& value,
+ /*optional out*/ Input::size_type* significantBytes)
+{
+ Result rv = ExpectTagAndGetValue(input, tag, value);
+ if (rv != Success) {
+ return rv;
+ }
+ Reader reader(value);
+
+ // There must be at least one byte in the value. (Zero is encoded with a
+ // single 0x00 value byte.)
+ uint8_t firstByte;
+ rv = reader.Read(firstByte);
+ if (rv != Success) {
+ if (rv == Result::ERROR_BAD_DER) {
+ return Result::ERROR_INVALID_INTEGER_ENCODING;
+ }
+
+ return rv;
+ }
+
+ // If there is a byte after an initial 0x00/0xFF, then the initial byte
+ // indicates a positive/negative integer value with its high bit set/unset.
+ bool prefixed = !reader.AtEnd() && (firstByte == 0 || firstByte == 0xff);
+
+ if (prefixed) {
+ uint8_t nextByte;
+ if (reader.Read(nextByte) != Success) {
+ return NotReached("Read of one byte failed but not at end.",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+ if ((firstByte & 0x80) == (nextByte & 0x80)) {
+ return Result::ERROR_INVALID_INTEGER_ENCODING;
+ }
+ }
+
+ switch (valueRestriction) {
+ case IntegralValueRestriction::MustBe0To127:
+ if (value.GetLength() != 1 || (firstByte & 0x80) != 0) {
+ return Result::ERROR_INVALID_INTEGER_ENCODING;
+ }
+ break;
+
+ case IntegralValueRestriction::MustBePositive:
+ if ((value.GetLength() == 1 && firstByte == 0) ||
+ (firstByte & 0x80) != 0) {
+ return Result::ERROR_INVALID_INTEGER_ENCODING;
+ }
+ break;
+
+ case IntegralValueRestriction::NoRestriction:
+ break;
+ }
+
+ if (significantBytes) {
+ *significantBytes = value.GetLength();
+ if (prefixed) {
+ assert(*significantBytes > 1);
+ --*significantBytes;
+ }
+
+ assert(*significantBytes > 0);
+ }
+
+ return Success;
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+Result
+IntegralValue(Reader& input, uint8_t tag, /*out*/ uint8_t& value)
+{
+ // Conveniently, all the Integers that we actually have to be able to parse
+ // are positive and very small. Consequently, this parser is *much* simpler
+ // than a general Integer parser would need to be.
+ Input valueBytes;
+ Result rv = IntegralBytes(input, tag, IntegralValueRestriction::MustBe0To127,
+ valueBytes, nullptr);
+ if (rv != Success) {
+ return rv;
+ }
+ Reader valueReader(valueBytes);
+ rv = valueReader.Read(value);
+ if (rv != Success) {
+ return NotReached("IntegralBytes already validated the value.", rv);
+ }
+ rv = End(valueReader);
+ assert(rv == Success); // guaranteed by IntegralBytes's range checks.
+ return rv;
+}
+
+} // namespace internal
+
+Result
+OptionalVersion(Reader& input, /*out*/ Version& version)
+{
+ static const uint8_t TAG = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
+ if (!input.Peek(TAG)) {
+ version = Version::v1;
+ return Success;
+ }
+ return Nested(input, TAG, [&version](Reader& value) -> Result {
+ uint8_t integerValue;
+ Result rv = Integer(value, integerValue);
+ if (rv != Success) {
+ return rv;
+ }
+ // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1,
+ // but we do here for compatibility reasons.
+ switch (integerValue) {
+ case static_cast<uint8_t>(Version::v3): version = Version::v3; break;
+ case static_cast<uint8_t>(Version::v2): version = Version::v2; break;
+ case static_cast<uint8_t>(Version::v1): version = Version::v1; break;
+ case static_cast<uint8_t>(Version::v4): version = Version::v4; break;
+ default:
+ return Result::ERROR_BAD_DER;
+ }
+ return Success;
+ });
+}
+
+} } } // namespace mozilla::pkix::der
diff --git a/security/pkix/lib/pkixder.h b/security/pkix/lib/pkixder.h
new file mode 100644
index 000000000..a17114bcb
--- /dev/null
+++ b/security/pkix/lib/pkixder.h
@@ -0,0 +1,565 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixder_h
+#define mozilla_pkix_pkixder_h
+
+// Expect* functions advance the input mark and return Success if the input
+// matches the given criteria; they fail with the input mark in an undefined
+// state if the input does not match the criteria.
+//
+// Match* functions advance the input mark and return true if the input matches
+// the given criteria; they return false without changing the input mark if the
+// input does not match the criteria.
+//
+// Skip* functions unconditionally advance the input mark and return Success if
+// they are able to do so; otherwise they fail with the input mark in an
+// undefined state.
+
+#include "pkix/Input.h"
+#include "pkix/pkixtypes.h"
+
+namespace mozilla { namespace pkix { namespace der {
+
+enum Class : uint8_t
+{
+ UNIVERSAL = 0 << 6,
+// APPLICATION = 1 << 6, // unused
+ CONTEXT_SPECIFIC = 2 << 6,
+// PRIVATE = 3 << 6 // unused
+};
+
+enum Constructed
+{
+ CONSTRUCTED = 1 << 5
+};
+
+enum Tag : uint8_t
+{
+ BOOLEAN = UNIVERSAL | 0x01,
+ INTEGER = UNIVERSAL | 0x02,
+ BIT_STRING = UNIVERSAL | 0x03,
+ OCTET_STRING = UNIVERSAL | 0x04,
+ NULLTag = UNIVERSAL | 0x05,
+ OIDTag = UNIVERSAL | 0x06,
+ ENUMERATED = UNIVERSAL | 0x0a,
+ UTF8String = UNIVERSAL | 0x0c,
+ SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10, // 0x30
+ SET = UNIVERSAL | CONSTRUCTED | 0x11, // 0x31
+ PrintableString = UNIVERSAL | 0x13,
+ TeletexString = UNIVERSAL | 0x14,
+ IA5String = UNIVERSAL | 0x16,
+ UTCTime = UNIVERSAL | 0x17,
+ GENERALIZED_TIME = UNIVERSAL | 0x18,
+};
+
+enum class EmptyAllowed { No = 0, Yes = 1 };
+
+Result ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag,
+ /*out*/ Input& value);
+Result End(Reader& input);
+
+inline Result
+ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Input& value)
+{
+ uint8_t actualTag;
+ Result rv = ReadTagAndGetValue(input, actualTag, value);
+ if (rv != Success) {
+ return rv;
+ }
+ if (tag != actualTag) {
+ return Result::ERROR_BAD_DER;
+ }
+ return Success;
+}
+
+inline Result
+ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Reader& value)
+{
+ Input valueInput;
+ Result rv = ExpectTagAndGetValue(input, tag, valueInput);
+ if (rv != Success) {
+ return rv;
+ }
+ return value.Init(valueInput);
+}
+
+inline Result
+ExpectTagAndEmptyValue(Reader& input, uint8_t tag)
+{
+ Reader value;
+ Result rv = ExpectTagAndGetValue(input, tag, value);
+ if (rv != Success) {
+ return rv;
+ }
+ return End(value);
+}
+
+inline Result
+ExpectTagAndSkipValue(Reader& input, uint8_t tag)
+{
+ Input ignoredValue;
+ return ExpectTagAndGetValue(input, tag, ignoredValue);
+}
+
+// Like ExpectTagAndGetValue, except the output Input will contain the
+// encoded tag and length along with the value.
+inline Result
+ExpectTagAndGetTLV(Reader& input, uint8_t tag, /*out*/ Input& tlv)
+{
+ Reader::Mark mark(input.GetMark());
+ Result rv = ExpectTagAndSkipValue(input, tag);
+ if (rv != Success) {
+ return rv;
+ }
+ return input.GetInput(mark, tlv);
+}
+
+inline Result
+End(Reader& input)
+{
+ if (!input.AtEnd()) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ return Success;
+}
+
+template <typename Decoder>
+inline Result
+Nested(Reader& input, uint8_t tag, Decoder decoder)
+{
+ Reader nested;
+ Result rv = ExpectTagAndGetValue(input, tag, nested);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = decoder(nested);
+ if (rv != Success) {
+ return rv;
+ }
+ return End(nested);
+}
+
+template <typename Decoder>
+inline Result
+Nested(Reader& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
+{
+ Reader nestedInput;
+ Result rv = ExpectTagAndGetValue(input, outerTag, nestedInput);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = Nested(nestedInput, innerTag, decoder);
+ if (rv != Success) {
+ return rv;
+ }
+ return End(nestedInput);
+}
+
+// This can be used to decode constructs like this:
+//
+// ...
+// foos SEQUENCE OF Foo,
+// ...
+// Foo ::= SEQUENCE {
+// }
+//
+// using code like this:
+//
+// Result Foo(Reader& r) { /*...*/ }
+//
+// rv = der::NestedOf(input, der::SEQEUENCE, der::SEQUENCE, Foo);
+//
+// or:
+//
+// Result Bar(Reader& r, int value) { /*...*/ }
+//
+// int value = /*...*/;
+//
+// rv = der::NestedOf(input, der::SEQUENCE, [value](Reader& r) {
+// return Bar(r, value);
+// });
+//
+// In these examples the function will get called once for each element of
+// foos.
+//
+template <typename Decoder>
+inline Result
+NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
+ EmptyAllowed mayBeEmpty, Decoder decoder)
+{
+ Reader inner;
+ Result rv = ExpectTagAndGetValue(input, outerTag, inner);
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (inner.AtEnd()) {
+ if (mayBeEmpty != EmptyAllowed::Yes) {
+ return Result::ERROR_BAD_DER;
+ }
+ return Success;
+ }
+
+ do {
+ rv = Nested(inner, innerTag, decoder);
+ if (rv != Success) {
+ return rv;
+ }
+ } while (!inner.AtEnd());
+
+ return Success;
+}
+
+// Often, a function will need to decode an Input or Reader that contains
+// DER-encoded data wrapped in a SEQUENCE (or similar) with nothing after it.
+// This function reduces the boilerplate necessary for stripping the outermost
+// SEQUENCE (or similar) and ensuring that nothing follows it.
+inline Result
+ExpectTagAndGetValueAtEnd(Reader& outer, uint8_t expectedTag,
+ /*out*/ Reader& inner)
+{
+ Result rv = der::ExpectTagAndGetValue(outer, expectedTag, inner);
+ if (rv != Success) {
+ return rv;
+ }
+ return der::End(outer);
+}
+
+// Similar to the above, but takes an Input instead of a Reader&.
+inline Result
+ExpectTagAndGetValueAtEnd(Input outer, uint8_t expectedTag,
+ /*out*/ Reader& inner)
+{
+ Reader outerReader(outer);
+ return ExpectTagAndGetValueAtEnd(outerReader, expectedTag, inner);
+}
+
+// Universal types
+
+namespace internal {
+
+enum class IntegralValueRestriction
+{
+ NoRestriction,
+ MustBePositive,
+ MustBe0To127,
+};
+
+Result IntegralBytes(Reader& input, uint8_t tag,
+ IntegralValueRestriction valueRestriction,
+ /*out*/ Input& value,
+ /*optional out*/ Input::size_type* significantBytes = nullptr);
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+Result IntegralValue(Reader& input, uint8_t tag, /*out*/ uint8_t& value);
+
+} // namespace internal
+
+Result
+BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value);
+
+inline Result
+Boolean(Reader& input, /*out*/ bool& value)
+{
+ Reader valueReader;
+ Result rv = ExpectTagAndGetValue(input, BOOLEAN, valueReader);
+ if (rv != Success) {
+ return rv;
+ }
+
+ uint8_t intValue;
+ rv = valueReader.Read(intValue);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = End(valueReader);
+ if (rv != Success) {
+ return rv;
+ }
+ switch (intValue) {
+ case 0: value = false; return Success;
+ case 0xFF: value = true; return Success;
+ default:
+ return Result::ERROR_BAD_DER;
+ }
+}
+
+// This is for BOOLEAN DEFAULT FALSE.
+// The standard stipulates that "The encoding of a set value or sequence value
+// shall not include an encoding for any component value which is equal to its
+// default value." However, it appears to be common that other libraries
+// incorrectly include the value of a BOOLEAN even when it's equal to the
+// default value, so we allow invalid explicit encodings here.
+inline Result
+OptionalBoolean(Reader& input, /*out*/ bool& value)
+{
+ value = false;
+ if (input.Peek(BOOLEAN)) {
+ Result rv = Boolean(input, value);
+ if (rv != Success) {
+ return rv;
+ }
+ }
+ return Success;
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+inline Result
+Enumerated(Reader& input, uint8_t& value)
+{
+ return internal::IntegralValue(input, ENUMERATED | 0, value);
+}
+
+namespace internal {
+
+// internal::TimeChoice implements the shared functionality of GeneralizedTime
+// and TimeChoice. tag must be either UTCTime or GENERALIZED_TIME.
+//
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+Result TimeChoice(Reader& input, uint8_t tag, /*out*/ Time& time);
+
+} // namespace internal
+
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+inline Result
+GeneralizedTime(Reader& input, /*out*/ Time& time)
+{
+ return internal::TimeChoice(input, GENERALIZED_TIME, time);
+}
+
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+inline Result
+TimeChoice(Reader& input, /*out*/ Time& time)
+{
+ uint8_t expectedTag = input.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
+ return internal::TimeChoice(input, expectedTag, time);
+}
+
+// Parse a DER integer value into value. Empty values, negative values, and
+// zero are rejected. If significantBytes is not null, then it will be set to
+// the number of significant bytes in the value (the length of the value, less
+// the length of any leading padding), which is useful for key size checks.
+inline Result
+PositiveInteger(Reader& input, /*out*/ Input& value,
+ /*optional out*/ Input::size_type* significantBytes = nullptr)
+{
+ return internal::IntegralBytes(
+ input, INTEGER, internal::IntegralValueRestriction::MustBePositive,
+ value, significantBytes);
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+inline Result
+Integer(Reader& input, /*out*/ uint8_t& value)
+{
+ return internal::IntegralValue(input, INTEGER, value);
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed. The default value must be
+// -1; defaultValue is only a parameter to make it clear in the calling code
+// what the default value is.
+inline Result
+OptionalInteger(Reader& input, long defaultValue, /*out*/ long& value)
+{
+ // If we need to support a different default value in the future, we need to
+ // test that parsedValue != defaultValue.
+ if (defaultValue != -1) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+
+ if (!input.Peek(INTEGER)) {
+ value = defaultValue;
+ return Success;
+ }
+
+ uint8_t parsedValue;
+ Result rv = Integer(input, parsedValue);
+ if (rv != Success) {
+ return rv;
+ }
+ value = parsedValue;
+ return Success;
+}
+
+inline Result
+Null(Reader& input)
+{
+ return ExpectTagAndEmptyValue(input, NULLTag);
+}
+
+template <uint8_t Len>
+Result
+OID(Reader& input, const uint8_t (&expectedOid)[Len])
+{
+ Reader value;
+ Result rv = ExpectTagAndGetValue(input, OIDTag, value);
+ if (rv != Success) {
+ return rv;
+ }
+ if (!value.MatchRest(expectedOid)) {
+ return Result::ERROR_BAD_DER;
+ }
+ return Success;
+}
+
+// PKI-specific types
+
+inline Result
+CertificateSerialNumber(Reader& input, /*out*/ Input& value)
+{
+ // http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
+ //
+ // * "The serial number MUST be a positive integer assigned by the CA to
+ // each certificate."
+ // * "Certificate users MUST be able to handle serialNumber values up to 20
+ // octets. Conforming CAs MUST NOT use serialNumber values longer than 20
+ // octets."
+ // * "Note: Non-conforming CAs may issue certificates with serial numbers
+ // that are negative or zero. Certificate users SHOULD be prepared to
+ // gracefully handle such certificates."
+ return internal::IntegralBytes(
+ input, INTEGER, internal::IntegralValueRestriction::NoRestriction,
+ value);
+}
+
+// x.509 and OCSP both use this same version numbering scheme, though OCSP
+// only supports v1.
+enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };
+
+// X.509 Certificate and OCSP ResponseData both use
+// "[0] EXPLICIT Version DEFAULT v1". Although an explicit encoding of v1 is
+// illegal, we support it because some real-world OCSP responses explicitly
+// encode it.
+Result OptionalVersion(Reader& input, /*out*/ Version& version);
+
+template <typename ExtensionHandler>
+inline Result
+OptionalExtensions(Reader& input, uint8_t tag,
+ ExtensionHandler extensionHandler)
+{
+ if (!input.Peek(tag)) {
+ return Success;
+ }
+
+ return Nested(input, tag, [extensionHandler](Reader& tagged) {
+ // Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+ //
+ // TODO(bug 997994): According to the specification, there should never be
+ // an empty sequence of extensions but we've found OCSP responses that have
+ // that (see bug 991898).
+ return NestedOf(tagged, SEQUENCE, SEQUENCE, EmptyAllowed::Yes,
+ [extensionHandler](Reader& extension) -> Result {
+ // Extension ::= SEQUENCE {
+ // extnID OBJECT IDENTIFIER,
+ // critical BOOLEAN DEFAULT FALSE,
+ // extnValue OCTET STRING
+ // }
+ Reader extnID;
+ Result rv = ExpectTagAndGetValue(extension, OIDTag, extnID);
+ if (rv != Success) {
+ return rv;
+ }
+ bool critical;
+ rv = OptionalBoolean(extension, critical);
+ if (rv != Success) {
+ return rv;
+ }
+ Input extnValue;
+ rv = ExpectTagAndGetValue(extension, OCTET_STRING, extnValue);
+ if (rv != Success) {
+ return rv;
+ }
+ bool understood = false;
+ rv = extensionHandler(extnID, extnValue, critical, understood);
+ if (rv != Success) {
+ return rv;
+ }
+ if (critical && !understood) {
+ return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
+ }
+ return Success;
+ });
+ });
+}
+
+Result DigestAlgorithmIdentifier(Reader& input,
+ /*out*/ DigestAlgorithm& algorithm);
+
+enum class PublicKeyAlgorithm
+{
+ RSA_PKCS1,
+ ECDSA,
+};
+
+Result SignatureAlgorithmIdentifierValue(
+ Reader& input,
+ /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
+ /*out*/ DigestAlgorithm& digestAlgorithm);
+
+struct SignedDataWithSignature final
+{
+public:
+ Input data;
+ Input algorithm;
+ Input signature;
+
+ void operator=(const SignedDataWithSignature&) = delete;
+};
+
+// Parses a SEQUENCE into tbs and then parses an AlgorithmIdentifier followed
+// by a BIT STRING into signedData. This handles the commonality between
+// parsing the signed/signature fields of certificates and OCSP responses. In
+// the case of an OCSP response, the caller needs to parse the certs
+// separately.
+//
+// Note that signatureAlgorithm is NOT parsed or validated.
+//
+// Certificate ::= SEQUENCE {
+// tbsCertificate TBSCertificate,
+// signatureAlgorithm AlgorithmIdentifier,
+// signatureValue BIT STRING }
+//
+// BasicOCSPResponse ::= SEQUENCE {
+// tbsResponseData ResponseData,
+// signatureAlgorithm AlgorithmIdentifier,
+// signature BIT STRING,
+// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+Result SignedData(Reader& input, /*out*/ Reader& tbs,
+ /*out*/ SignedDataWithSignature& signedDataWithSignature);
+
+} } } // namespace mozilla::pkix::der
+
+#endif // mozilla_pkix_pkixder_h
diff --git a/security/pkix/lib/pkixnames.cpp b/security/pkix/lib/pkixnames.cpp
new file mode 100644
index 000000000..ca9b8d7d3
--- /dev/null
+++ b/security/pkix/lib/pkixnames.cpp
@@ -0,0 +1,2050 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This code implements RFC6125-ish name matching, RFC5280-ish name constraint
+// checking, and related things.
+//
+// In this code, identifiers are classified as either "presented" or
+// "reference" identifiers are defined in
+// http://tools.ietf.org/html/rfc6125#section-1.8. A "presented identifier" is
+// one in the subjectAltName of the certificate, or sometimes within a CN of
+// the certificate's subject. The "reference identifier" is the one we are
+// being asked to match the certificate against. When checking name
+// constraints, the reference identifier is the entire encoded name constraint
+// extension value.
+
+#include "pkixcheck.h"
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+namespace {
+
+// GeneralName ::= CHOICE {
+// otherName [0] OtherName,
+// rfc822Name [1] IA5String,
+// dNSName [2] IA5String,
+// x400Address [3] ORAddress,
+// directoryName [4] Name,
+// ediPartyName [5] EDIPartyName,
+// uniformResourceIdentifier [6] IA5String,
+// iPAddress [7] OCTET STRING,
+// registeredID [8] OBJECT IDENTIFIER }
+enum class GeneralNameType : uint8_t
+{
+ // Note that these values are NOT contiguous. Some values have the
+ // der::CONSTRUCTED bit set while others do not.
+ // (The der::CONSTRUCTED bit is for types where the value is a SEQUENCE.)
+ otherName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+ rfc822Name = der::CONTEXT_SPECIFIC | 1,
+ dNSName = der::CONTEXT_SPECIFIC | 2,
+ x400Address = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3,
+ directoryName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 4,
+ ediPartyName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 5,
+ uniformResourceIdentifier = der::CONTEXT_SPECIFIC | 6,
+ iPAddress = der::CONTEXT_SPECIFIC | 7,
+ registeredID = der::CONTEXT_SPECIFIC | 8,
+ // nameConstraints is a pseudo-GeneralName used to signify that a
+ // reference ID is actually the entire name constraint extension.
+ nameConstraints = 0xff
+};
+
+inline Result
+ReadGeneralName(Reader& reader,
+ /*out*/ GeneralNameType& generalNameType,
+ /*out*/ Input& value)
+{
+ uint8_t tag;
+ Result rv = der::ReadTagAndGetValue(reader, tag, value);
+ if (rv != Success) {
+ return rv;
+ }
+ switch (tag) {
+ case static_cast<uint8_t>(GeneralNameType::otherName):
+ generalNameType = GeneralNameType::otherName;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::rfc822Name):
+ generalNameType = GeneralNameType::rfc822Name;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::dNSName):
+ generalNameType = GeneralNameType::dNSName;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::x400Address):
+ generalNameType = GeneralNameType::x400Address;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::directoryName):
+ generalNameType = GeneralNameType::directoryName;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::ediPartyName):
+ generalNameType = GeneralNameType::ediPartyName;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::uniformResourceIdentifier):
+ generalNameType = GeneralNameType::uniformResourceIdentifier;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::iPAddress):
+ generalNameType = GeneralNameType::iPAddress;
+ break;
+ case static_cast<uint8_t>(GeneralNameType::registeredID):
+ generalNameType = GeneralNameType::registeredID;
+ break;
+ default:
+ return Result::ERROR_BAD_DER;
+ }
+ return Success;
+}
+
+enum class MatchResult
+{
+ NoNamesOfGivenType = 0,
+ Mismatch = 1,
+ Match = 2
+};
+
+Result SearchNames(const Input* subjectAltName, Input subject,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ FallBackToSearchWithinSubject fallBackToCommonName,
+ /*out*/ MatchResult& match);
+Result SearchWithinRDN(Reader& rdn,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ FallBackToSearchWithinSubject fallBackToEmailAddress,
+ FallBackToSearchWithinSubject fallBackToCommonName,
+ /*in/out*/ MatchResult& match);
+Result MatchAVA(Input type,
+ uint8_t valueEncodingTag,
+ Input presentedID,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ FallBackToSearchWithinSubject fallBackToEmailAddress,
+ FallBackToSearchWithinSubject fallBackToCommonName,
+ /*in/out*/ MatchResult& match);
+Result ReadAVA(Reader& rdn,
+ /*out*/ Input& type,
+ /*out*/ uint8_t& valueTag,
+ /*out*/ Input& value);
+void MatchSubjectPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+ Input presentedID,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ /*in/out*/ MatchResult& match);
+
+Result MatchPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+ Input presentedID,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ /*in/out*/ MatchResult& matchResult);
+Result CheckPresentedIDConformsToConstraints(GeneralNameType referenceIDType,
+ Input presentedID,
+ Input nameConstraints);
+
+uint8_t LocaleInsensitveToLower(uint8_t a);
+bool StartsWithIDNALabel(Input id);
+
+enum class IDRole
+{
+ ReferenceID = 0,
+ PresentedID = 1,
+ NameConstraint = 2,
+};
+
+enum class AllowWildcards { No = 0, Yes = 1 };
+
+// DNSName constraints implicitly allow subdomain matching when there is no
+// leading dot ("foo.example.com" matches a constraint of "example.com"), but
+// RFC822Name constraints only allow subdomain matching when there is a leading
+// dot ("foo.example.com" does not match "example.com" but does match
+// ".example.com").
+enum class AllowDotlessSubdomainMatches { No = 0, Yes = 1 };
+
+bool IsValidDNSID(Input hostname, IDRole idRole,
+ AllowWildcards allowWildcards);
+
+Result MatchPresentedDNSIDWithReferenceDNSID(
+ Input presentedDNSID,
+ AllowWildcards allowWildcards,
+ AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
+ IDRole referenceDNSIDRole,
+ Input referenceDNSID,
+ /*out*/ bool& matches);
+
+Result MatchPresentedRFC822NameWithReferenceRFC822Name(
+ Input presentedRFC822Name, IDRole referenceRFC822NameRole,
+ Input referenceRFC822Name, /*out*/ bool& matches);
+
+} // namespace
+
+bool IsValidReferenceDNSID(Input hostname);
+bool IsValidPresentedDNSID(Input hostname);
+bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]);
+bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]);
+
+// This is used by the pkixnames_tests.cpp tests.
+Result
+MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
+ Input referenceDNSID,
+ /*out*/ bool& matches)
+{
+ return MatchPresentedDNSIDWithReferenceDNSID(
+ presentedDNSID, AllowWildcards::Yes,
+ AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
+ referenceDNSID, matches);
+}
+
+// Verify that the given end-entity cert, which is assumed to have been already
+// validated with BuildCertChain, is valid for the given hostname. hostname is
+// assumed to be a string representation of an IPv4 address, an IPv6 addresss,
+// or a normalized ASCII (possibly punycode) DNS name.
+Result
+CheckCertHostname(Input endEntityCertDER, Input hostname,
+ NameMatchingPolicy& nameMatchingPolicy)
+{
+ BackCert cert(endEntityCertDER, EndEntityOrCA::MustBeEndEntity, nullptr);
+ Result rv = cert.Init();
+ if (rv != Success) {
+ return rv;
+ }
+
+ Time notBefore(Time::uninitialized);
+ rv = ParseValidity(cert.GetValidity(), &notBefore);
+ if (rv != Success) {
+ return rv;
+ }
+ FallBackToSearchWithinSubject fallBackToSearchWithinSubject;
+ rv = nameMatchingPolicy.FallBackToCommonName(notBefore,
+ fallBackToSearchWithinSubject);
+ if (rv != Success) {
+ return rv;
+ }
+
+ const Input* subjectAltName(cert.GetSubjectAltName());
+ Input subject(cert.GetSubject());
+
+ // For backward compatibility with legacy certificates, we may fall back to
+ // searching for a name match in the subject common name for DNS names and
+ // IPv4 addresses. We don't do so for IPv6 addresses because we do not think
+ // there are many certificates that would need such fallback, and because
+ // comparisons of string representations of IPv6 addresses are particularly
+ // error prone due to the syntactic flexibility that IPv6 addresses have.
+ //
+ // IPv4 and IPv6 addresses are represented using the same type of GeneralName
+ // (iPAddress); they are differentiated by the lengths of the values.
+ MatchResult match;
+ uint8_t ipv6[16];
+ uint8_t ipv4[4];
+ if (IsValidReferenceDNSID(hostname)) {
+ rv = SearchNames(subjectAltName, subject, GeneralNameType::dNSName,
+ hostname, fallBackToSearchWithinSubject, match);
+ } else if (ParseIPv6Address(hostname, ipv6)) {
+ rv = SearchNames(subjectAltName, subject, GeneralNameType::iPAddress,
+ Input(ipv6), FallBackToSearchWithinSubject::No, match);
+ } else if (ParseIPv4Address(hostname, ipv4)) {
+ rv = SearchNames(subjectAltName, subject, GeneralNameType::iPAddress,
+ Input(ipv4), fallBackToSearchWithinSubject, match);
+ } else {
+ return Result::ERROR_BAD_CERT_DOMAIN;
+ }
+ if (rv != Success) {
+ return rv;
+ }
+ switch (match) {
+ case MatchResult::NoNamesOfGivenType: // fall through
+ case MatchResult::Mismatch:
+ return Result::ERROR_BAD_CERT_DOMAIN;
+ case MatchResult::Match:
+ return Success;
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+}
+
+// 4.2.1.10. Name Constraints
+Result
+CheckNameConstraints(Input encodedNameConstraints,
+ const BackCert& firstChild,
+ KeyPurposeId requiredEKUIfPresent)
+{
+ for (const BackCert* child = &firstChild; child; child = child->childCert) {
+ FallBackToSearchWithinSubject fallBackToCommonName
+ = (child->endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+ requiredEKUIfPresent == KeyPurposeId::id_kp_serverAuth)
+ ? FallBackToSearchWithinSubject::Yes
+ : FallBackToSearchWithinSubject::No;
+
+ MatchResult match;
+ Result rv = SearchNames(child->GetSubjectAltName(), child->GetSubject(),
+ GeneralNameType::nameConstraints,
+ encodedNameConstraints, fallBackToCommonName,
+ match);
+ if (rv != Success) {
+ return rv;
+ }
+ switch (match) {
+ case MatchResult::Match: // fall through
+ case MatchResult::NoNamesOfGivenType:
+ break;
+ case MatchResult::Mismatch:
+ return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+ }
+ }
+
+ return Success;
+}
+
+namespace {
+
+// SearchNames is used by CheckCertHostname and CheckNameConstraints.
+//
+// When called during name constraint checking, referenceIDType is
+// GeneralNameType::nameConstraints and referenceID is the entire encoded name
+// constraints extension value.
+//
+// The main benefit of using the exact same code paths for both is that we
+// ensure consistency between name validation and name constraint enforcement
+// regarding thing like "Which CN attributes should be considered as potential
+// CN-IDs" and "Which character sets are acceptable for CN-IDs?" If the name
+// matching and the name constraint enforcement logic were out of sync on these
+// issues (e.g. if name matching were to consider all subject CN attributes,
+// but name constraints were only enforced on the most specific subject CN),
+// trivial name constraint bypasses could result.
+
+Result
+SearchNames(/*optional*/ const Input* subjectAltName,
+ Input subject,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ FallBackToSearchWithinSubject fallBackToCommonName,
+ /*out*/ MatchResult& match)
+{
+ Result rv;
+
+ match = MatchResult::NoNamesOfGivenType;
+
+ // RFC 6125 says "A client MUST NOT seek a match for a reference identifier
+ // of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or
+ // any application-specific identifier types supported by the client."
+ // Accordingly, we only consider CN-IDs if there are no DNS-IDs in the
+ // subjectAltName.
+ //
+ // RFC 6125 says that IP addresses are out of scope, but for backward
+ // compatibility we accept them, by considering IP addresses to be an
+ // "application-specific identifier type supported by the client."
+ //
+ // TODO(bug XXXXXXX): Consider strengthening this check to "A client MUST NOT
+ // seek a match for a reference identifier of CN-ID if the certificate
+ // contains a subjectAltName extension."
+ //
+ // TODO(bug XXXXXXX): Consider dropping support for IP addresses as
+ // identifiers completely.
+
+ if (subjectAltName) {
+ Reader altNames;
+ rv = der::ExpectTagAndGetValueAtEnd(*subjectAltName, der::SEQUENCE,
+ altNames);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // According to RFC 5280, "If the subjectAltName extension is present, the
+ // sequence MUST contain at least one entry." For compatibility reasons, we
+ // do not enforce this. See bug 1143085.
+ while (!altNames.AtEnd()) {
+ GeneralNameType presentedIDType;
+ Input presentedID;
+ rv = ReadGeneralName(altNames, presentedIDType, presentedID);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = MatchPresentedIDWithReferenceID(presentedIDType, presentedID,
+ referenceIDType, referenceID,
+ match);
+ if (rv != Success) {
+ return rv;
+ }
+ if (referenceIDType != GeneralNameType::nameConstraints &&
+ match == MatchResult::Match) {
+ return Success;
+ }
+ if (presentedIDType == GeneralNameType::dNSName ||
+ presentedIDType == GeneralNameType::iPAddress) {
+ fallBackToCommonName = FallBackToSearchWithinSubject::No;
+ }
+ }
+ }
+
+ if (referenceIDType == GeneralNameType::nameConstraints) {
+ rv = CheckPresentedIDConformsToConstraints(GeneralNameType::directoryName,
+ subject, referenceID);
+ if (rv != Success) {
+ return rv;
+ }
+ }
+
+ FallBackToSearchWithinSubject fallBackToEmailAddress;
+ if (!subjectAltName &&
+ (referenceIDType == GeneralNameType::rfc822Name ||
+ referenceIDType == GeneralNameType::nameConstraints)) {
+ fallBackToEmailAddress = FallBackToSearchWithinSubject::Yes;
+ } else {
+ fallBackToEmailAddress = FallBackToSearchWithinSubject::No;
+ }
+
+ // Short-circuit the parsing of the subject name if we're not going to match
+ // any names in it
+ if (fallBackToEmailAddress == FallBackToSearchWithinSubject::No &&
+ fallBackToCommonName == FallBackToSearchWithinSubject::No) {
+ return Success;
+ }
+
+ // Attempt to match the reference ID against the CN-ID, which we consider to
+ // be the most-specific CN AVA in the subject field.
+ //
+ // https://tools.ietf.org/html/rfc6125#section-2.3.1 says:
+ //
+ // To reduce confusion, in this specification we avoid such terms and
+ // instead use the terms provided under Section 1.8; in particular, we
+ // do not use the term "(most specific) Common Name field in the subject
+ // field" from [HTTP-TLS] and instead state that a CN-ID is a Relative
+ // Distinguished Name (RDN) in the certificate subject containing one
+ // and only one attribute-type-and-value pair of type Common Name (thus
+ // removing the possibility that an RDN might contain multiple AVAs
+ // (Attribute Value Assertions) of type CN, one of which could be
+ // considered "most specific").
+ //
+ // https://tools.ietf.org/html/rfc6125#section-7.4 says:
+ //
+ // [...] Although it would be preferable to
+ // forbid multiple CN-IDs entirely, there are several reasons at this
+ // time why this specification states that they SHOULD NOT (instead of
+ // MUST NOT) be included [...]
+ //
+ // Consequently, it is unclear what to do when there are multiple CNs in the
+ // subject, regardless of whether there "SHOULD NOT" be.
+ //
+ // NSS's CERT_VerifyCertName mostly follows RFC2818 in this instance, which
+ // says:
+ //
+ // If a subjectAltName extension of type dNSName is present, that MUST
+ // be used as the identity. Otherwise, the (most specific) Common Name
+ // field in the Subject field of the certificate MUST be used.
+ //
+ // [...]
+ //
+ // In some cases, the URI is specified as an IP address rather than a
+ // hostname. In this case, the iPAddress subjectAltName must be present
+ // in the certificate and must exactly match the IP in the URI.
+ //
+ // (The main difference from RFC2818 is that NSS's CERT_VerifyCertName also
+ // matches IP addresses in the most-specific CN.)
+ //
+ // NSS's CERT_VerifyCertName finds the most specific CN via
+ // CERT_GetCommoName, which uses CERT_GetLastNameElement. Note that many
+ // NSS-based applications, including Gecko, also use CERT_GetCommonName. It
+ // is likely that other, non-NSS-based, applications also expect only the
+ // most specific CN to be matched against the reference ID.
+ //
+ // "A Layman's Guide to a Subset of ASN.1, BER, and DER" and other sources
+ // agree that an RDNSequence is ordered from most significant (least
+ // specific) to least significant (most specific), as do other references.
+ //
+ // However, Chromium appears to use the least-specific (first) CN instead of
+ // the most-specific; see https://crbug.com/366957. Also, MSIE and some other
+ // popular implementations apparently attempt to match the reference ID
+ // against any/all CNs in the subject. Since we're trying to phase out the
+ // use of CN-IDs, we intentionally avoid trying to match MSIE's more liberal
+ // behavior.
+
+ // Name ::= CHOICE { -- only one possibility for now --
+ // rdnSequence RDNSequence }
+ //
+ // RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ //
+ // RelativeDistinguishedName ::=
+ // SET SIZE (1..MAX) OF AttributeTypeAndValue
+ Reader subjectReader(subject);
+ return der::NestedOf(subjectReader, der::SEQUENCE, der::SET,
+ der::EmptyAllowed::Yes, [&](Reader& r) {
+ return SearchWithinRDN(r, referenceIDType, referenceID,
+ fallBackToEmailAddress, fallBackToCommonName, match);
+ });
+}
+
+// RelativeDistinguishedName ::=
+// SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+// AttributeTypeAndValue ::= SEQUENCE {
+// type AttributeType,
+// value AttributeValue }
+Result
+SearchWithinRDN(Reader& rdn,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ FallBackToSearchWithinSubject fallBackToEmailAddress,
+ FallBackToSearchWithinSubject fallBackToCommonName,
+ /*in/out*/ MatchResult& match)
+{
+ do {
+ Input type;
+ uint8_t valueTag;
+ Input value;
+ Result rv = ReadAVA(rdn, type, valueTag, value);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = MatchAVA(type, valueTag, value, referenceIDType, referenceID,
+ fallBackToEmailAddress, fallBackToCommonName, match);
+ if (rv != Success) {
+ return rv;
+ }
+ } while (!rdn.AtEnd());
+
+ return Success;
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+// type AttributeType,
+// value AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+//
+// DirectoryString ::= CHOICE {
+// teletexString TeletexString (SIZE (1..MAX)),
+// printableString PrintableString (SIZE (1..MAX)),
+// universalString UniversalString (SIZE (1..MAX)),
+// utf8String UTF8String (SIZE (1..MAX)),
+// bmpString BMPString (SIZE (1..MAX)) }
+Result
+MatchAVA(Input type, uint8_t valueEncodingTag, Input presentedID,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ FallBackToSearchWithinSubject fallBackToEmailAddress,
+ FallBackToSearchWithinSubject fallBackToCommonName,
+ /*in/out*/ MatchResult& match)
+{
+ // Try to match the CN as a DNSName or an IPAddress.
+ //
+ // id-at-commonName AttributeType ::= { id-at 3 }
+ //
+ // -- Naming attributes of type X520CommonName:
+ // -- X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
+ // --
+ // -- Expanded to avoid parameterized type:
+ // X520CommonName ::= CHOICE {
+ // teletexString TeletexString (SIZE (1..ub-common-name)),
+ // printableString PrintableString (SIZE (1..ub-common-name)),
+ // universalString UniversalString (SIZE (1..ub-common-name)),
+ // utf8String UTF8String (SIZE (1..ub-common-name)),
+ // bmpString BMPString (SIZE (1..ub-common-name)) }
+ //
+ // python DottedOIDToCode.py id-at-commonName 2.5.4.3
+ static const uint8_t id_at_commonName[] = {
+ 0x55, 0x04, 0x03
+ };
+ if (fallBackToCommonName == FallBackToSearchWithinSubject::Yes &&
+ InputsAreEqual(type, Input(id_at_commonName))) {
+ // We might have previously found a match. Now that we've found another CN,
+ // we no longer consider that previous match to be a match, so "forget" about
+ // it.
+ match = MatchResult::NoNamesOfGivenType;
+
+ // PrintableString is a subset of ASCII that contains all the characters
+ // allowed in CN-IDs except '*'. Although '*' is illegal, there are many
+ // real-world certificates that are encoded this way, so we accept it.
+ //
+ // In the case of UTF8String, we rely on the fact that in UTF-8 the octets in
+ // a multi-byte encoding of a code point are always distinct from ASCII. Any
+ // non-ASCII byte in a UTF-8 string causes us to fail to match. We make no
+ // attempt to detect or report malformed UTF-8 (e.g. incomplete or overlong
+ // encodings of code points, or encodings of invalid code points).
+ //
+ // TeletexString is supported as long as it does not contain any escape
+ // sequences, which are not supported. We'll reject escape sequences as
+ // invalid characters in names, which means we only accept strings that are
+ // in the default character set, which is a superset of ASCII. Note that NSS
+ // actually treats TeletexString as ISO-8859-1. Many certificates that have
+ // wildcard CN-IDs (e.g. "*.example.com") use TeletexString because
+ // PrintableString is defined to not allow '*' and because, at one point in
+ // history, UTF8String was too new to use for compatibility reasons.
+ //
+ // UniversalString and BMPString are also deprecated, and they are a little
+ // harder to support because they are not single-byte ASCII superset
+ // encodings, so we don't bother.
+ if (valueEncodingTag != der::PrintableString &&
+ valueEncodingTag != der::UTF8String &&
+ valueEncodingTag != der::TeletexString) {
+ return Success;
+ }
+
+ if (IsValidPresentedDNSID(presentedID)) {
+ MatchSubjectPresentedIDWithReferenceID(GeneralNameType::dNSName,
+ presentedID, referenceIDType,
+ referenceID, match);
+ } else {
+ // We don't match CN-IDs for IPv6 addresses.
+ // MatchSubjectPresentedIDWithReferenceID ensures that it won't match an
+ // IPv4 address with an IPv6 address, so we don't need to check that
+ // referenceID is an IPv4 address here.
+ uint8_t ipv4[4];
+ if (ParseIPv4Address(presentedID, ipv4)) {
+ MatchSubjectPresentedIDWithReferenceID(GeneralNameType::iPAddress,
+ Input(ipv4), referenceIDType,
+ referenceID, match);
+ }
+ }
+
+ // Regardless of whether there was a match, we keep going in case we find
+ // another CN later. If we do find another one, then this match/mismatch
+ // will be ignored, because we only care about the most specific CN.
+
+ return Success;
+ }
+
+ // Match an email address against an emailAddress attribute in the
+ // subject.
+ //
+ // id-emailAddress AttributeType ::= { pkcs-9 1 }
+ //
+ // EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length))
+ //
+ // python DottedOIDToCode.py id-emailAddress 1.2.840.113549.1.9.1
+ static const uint8_t id_emailAddress[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01
+ };
+ if (fallBackToEmailAddress == FallBackToSearchWithinSubject::Yes &&
+ InputsAreEqual(type, Input(id_emailAddress))) {
+ if (referenceIDType == GeneralNameType::rfc822Name &&
+ match == MatchResult::Match) {
+ // We already found a match; we don't need to match another one
+ return Success;
+ }
+ if (valueEncodingTag != der::IA5String) {
+ return Result::ERROR_BAD_DER;
+ }
+ return MatchPresentedIDWithReferenceID(GeneralNameType::rfc822Name,
+ presentedID, referenceIDType,
+ referenceID, match);
+ }
+
+ return Success;
+}
+
+void
+MatchSubjectPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+ Input presentedID,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ /*in/out*/ MatchResult& match)
+{
+ Result rv = MatchPresentedIDWithReferenceID(presentedIDType, presentedID,
+ referenceIDType, referenceID,
+ match);
+ if (rv != Success) {
+ match = MatchResult::Mismatch;
+ }
+}
+
+Result
+MatchPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+ Input presentedID,
+ GeneralNameType referenceIDType,
+ Input referenceID,
+ /*out*/ MatchResult& matchResult)
+{
+ if (referenceIDType == GeneralNameType::nameConstraints) {
+ // matchResult is irrelevant when checking name constraints; only the
+ // pass/fail result of CheckPresentedIDConformsToConstraints matters.
+ return CheckPresentedIDConformsToConstraints(presentedIDType, presentedID,
+ referenceID);
+ }
+
+ if (presentedIDType != referenceIDType) {
+ matchResult = MatchResult::Mismatch;
+ return Success;
+ }
+
+ Result rv;
+ bool foundMatch;
+
+ switch (referenceIDType) {
+ case GeneralNameType::dNSName:
+ rv = MatchPresentedDNSIDWithReferenceDNSID(
+ presentedID, AllowWildcards::Yes,
+ AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
+ referenceID, foundMatch);
+ break;
+
+ case GeneralNameType::iPAddress:
+ foundMatch = InputsAreEqual(presentedID, referenceID);
+ rv = Success;
+ break;
+
+ case GeneralNameType::rfc822Name:
+ rv = MatchPresentedRFC822NameWithReferenceRFC822Name(
+ presentedID, IDRole::ReferenceID, referenceID, foundMatch);
+ break;
+
+ case GeneralNameType::directoryName:
+ // TODO: At some point, we may add APIs for matching DirectoryNames.
+ // fall through
+
+ case GeneralNameType::otherName: // fall through
+ case GeneralNameType::x400Address: // fall through
+ case GeneralNameType::ediPartyName: // fall through
+ case GeneralNameType::uniformResourceIdentifier: // fall through
+ case GeneralNameType::registeredID: // fall through
+ case GeneralNameType::nameConstraints:
+ return NotReached("unexpected nameType for SearchType::Match",
+ Result::FATAL_ERROR_INVALID_ARGS);
+
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+
+ if (rv != Success) {
+ return rv;
+ }
+ matchResult = foundMatch ? MatchResult::Match : MatchResult::Mismatch;
+ return Success;
+}
+
+enum class NameConstraintsSubtrees : uint8_t
+{
+ permittedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
+ excludedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1
+};
+
+Result CheckPresentedIDConformsToNameConstraintsSubtrees(
+ GeneralNameType presentedIDType,
+ Input presentedID,
+ Reader& nameConstraints,
+ NameConstraintsSubtrees subtreesType);
+Result MatchPresentedIPAddressWithConstraint(Input presentedID,
+ Input iPAddressConstraint,
+ /*out*/ bool& foundMatch);
+Result MatchPresentedDirectoryNameWithConstraint(
+ NameConstraintsSubtrees subtreesType, Input presentedID,
+ Input directoryNameConstraint, /*out*/ bool& matches);
+
+Result
+CheckPresentedIDConformsToConstraints(
+ GeneralNameType presentedIDType,
+ Input presentedID,
+ Input encodedNameConstraints)
+{
+ // NameConstraints ::= SEQUENCE {
+ // permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ // excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+ Reader nameConstraints;
+ Result rv = der::ExpectTagAndGetValueAtEnd(encodedNameConstraints,
+ der::SEQUENCE, nameConstraints);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // RFC 5280 says "Conforming CAs MUST NOT issue certificates where name
+ // constraints is an empty sequence. That is, either the permittedSubtrees
+ // field or the excludedSubtrees MUST be present."
+ if (nameConstraints.AtEnd()) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ rv = CheckPresentedIDConformsToNameConstraintsSubtrees(
+ presentedIDType, presentedID, nameConstraints,
+ NameConstraintsSubtrees::permittedSubtrees);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = CheckPresentedIDConformsToNameConstraintsSubtrees(
+ presentedIDType, presentedID, nameConstraints,
+ NameConstraintsSubtrees::excludedSubtrees);
+ if (rv != Success) {
+ return rv;
+ }
+
+ return der::End(nameConstraints);
+}
+
+Result
+CheckPresentedIDConformsToNameConstraintsSubtrees(
+ GeneralNameType presentedIDType,
+ Input presentedID,
+ Reader& nameConstraints,
+ NameConstraintsSubtrees subtreesType)
+{
+ if (!nameConstraints.Peek(static_cast<uint8_t>(subtreesType))) {
+ return Success;
+ }
+
+ Reader subtrees;
+ Result rv = der::ExpectTagAndGetValue(nameConstraints,
+ static_cast<uint8_t>(subtreesType),
+ subtrees);
+ if (rv != Success) {
+ return rv;
+ }
+
+ bool hasPermittedSubtreesMatch = false;
+ bool hasPermittedSubtreesMismatch = false;
+
+ // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ //
+ // do { ... } while(...) because subtrees isn't allowed to be empty.
+ do {
+ // GeneralSubtree ::= SEQUENCE {
+ // base GeneralName,
+ // minimum [0] BaseDistance DEFAULT 0,
+ // maximum [1] BaseDistance OPTIONAL }
+ Reader subtree;
+ rv = ExpectTagAndGetValue(subtrees, der::SEQUENCE, subtree);
+ if (rv != Success) {
+ return rv;
+ }
+ GeneralNameType nameConstraintType;
+ Input base;
+ rv = ReadGeneralName(subtree, nameConstraintType, base);
+ if (rv != Success) {
+ return rv;
+ }
+ // http://tools.ietf.org/html/rfc5280#section-4.2.1.10: "Within this
+ // profile, the minimum and maximum fields are not used with any name
+ // forms, thus, the minimum MUST be zero, and maximum MUST be absent."
+ //
+ // Since the default value isn't allowed to be encoded according to the DER
+ // encoding rules for DEFAULT, this is equivalent to saying that neither
+ // minimum or maximum must be encoded.
+ rv = der::End(subtree);
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (presentedIDType == nameConstraintType) {
+ bool matches;
+
+ switch (presentedIDType) {
+ case GeneralNameType::dNSName:
+ rv = MatchPresentedDNSIDWithReferenceDNSID(
+ presentedID, AllowWildcards::Yes,
+ AllowDotlessSubdomainMatches::Yes, IDRole::NameConstraint,
+ base, matches);
+ if (rv != Success) {
+ return rv;
+ }
+ break;
+
+ case GeneralNameType::iPAddress:
+ rv = MatchPresentedIPAddressWithConstraint(presentedID, base,
+ matches);
+ if (rv != Success) {
+ return rv;
+ }
+ break;
+
+ case GeneralNameType::directoryName:
+ rv = MatchPresentedDirectoryNameWithConstraint(subtreesType,
+ presentedID, base,
+ matches);
+ if (rv != Success) {
+ return rv;
+ }
+ break;
+
+ case GeneralNameType::rfc822Name:
+ rv = MatchPresentedRFC822NameWithReferenceRFC822Name(
+ presentedID, IDRole::NameConstraint, base, matches);
+ if (rv != Success) {
+ return rv;
+ }
+ break;
+
+ // RFC 5280 says "Conforming CAs [...] SHOULD NOT impose name
+ // constraints on the x400Address, ediPartyName, or registeredID
+ // name forms. It also says "Applications conforming to this profile
+ // [...] SHOULD be able to process name constraints that are imposed
+ // on [...] uniformResourceIdentifier [...]", but we don't bother.
+ //
+ // TODO: Ask to have spec updated to say ""Conforming CAs [...] SHOULD
+ // NOT impose name constraints on the otherName, x400Address,
+ // ediPartyName, uniformResourceIdentifier, or registeredID name
+ // forms."
+ case GeneralNameType::otherName: // fall through
+ case GeneralNameType::x400Address: // fall through
+ case GeneralNameType::ediPartyName: // fall through
+ case GeneralNameType::uniformResourceIdentifier: // fall through
+ case GeneralNameType::registeredID: // fall through
+ return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+
+ case GeneralNameType::nameConstraints:
+ return NotReached("invalid presentedIDType",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+
+ switch (subtreesType) {
+ case NameConstraintsSubtrees::permittedSubtrees:
+ if (matches) {
+ hasPermittedSubtreesMatch = true;
+ } else {
+ hasPermittedSubtreesMismatch = true;
+ }
+ break;
+ case NameConstraintsSubtrees::excludedSubtrees:
+ if (matches) {
+ return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+ }
+ break;
+ }
+ }
+ } while (!subtrees.AtEnd());
+
+ if (hasPermittedSubtreesMismatch && !hasPermittedSubtreesMatch) {
+ // If there was any entry of the given type in permittedSubtrees, then it
+ // required that at least one of them must match. Since none of them did,
+ // we have a failure.
+ return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+ }
+
+ return Success;
+}
+
+// We do not distinguish between a syntactically-invalid presentedDNSID and one
+// that is syntactically valid but does not match referenceDNSID; in both
+// cases, the result is false.
+//
+// We assume that both presentedDNSID and referenceDNSID are encoded in such a
+// way that US-ASCII (7-bit) characters are encoded in one byte and no encoding
+// of a non-US-ASCII character contains a code point in the range 0-127. For
+// example, UTF-8 is OK but UTF-16 is not.
+//
+// RFC6125 says that a wildcard label may be of the form <x>*<y>.<DNSID>, where
+// <x> and/or <y> may be empty. However, NSS requires <y> to be empty, and we
+// follow NSS's stricter policy by accepting wildcards only of the form
+// <x>*.<DNSID>, where <x> may be empty.
+//
+// An relative presented DNS ID matches both an absolute reference ID and a
+// relative reference ID. Absolute presented DNS IDs are not supported:
+//
+// Presented ID Reference ID Result
+// -------------------------------------
+// example.com example.com Match
+// example.com. example.com Mismatch
+// example.com example.com. Match
+// example.com. example.com. Mismatch
+//
+// There are more subtleties documented inline in the code.
+//
+// Name constraints ///////////////////////////////////////////////////////////
+//
+// This is all RFC 5280 has to say about DNSName constraints:
+//
+// DNS name restrictions are expressed as host.example.com. Any DNS
+// name that can be constructed by simply adding zero or more labels to
+// the left-hand side of the name satisfies the name constraint. For
+// example, www.host.example.com would satisfy the constraint but
+// host1.example.com would not.
+//
+// This lack of specificity has lead to a lot of uncertainty regarding
+// subdomain matching. In particular, the following questions have been
+// raised and answered:
+//
+// Q: Does a presented identifier equal (case insensitive) to the name
+// constraint match the constraint? For example, does the presented
+// ID "host.example.com" match a "host.example.com" constraint?
+// A: Yes. RFC5280 says "by simply adding zero or more labels" and this
+// is the case of adding zero labels.
+//
+// Q: When the name constraint does not start with ".", do subdomain
+// presented identifiers match it? For example, does the presented
+// ID "www.host.example.com" match a "host.example.com" constraint?
+// A: Yes. RFC5280 says "by simply adding zero or more labels" and this
+// is the case of adding more than zero labels. The example is the
+// one from RFC 5280.
+//
+// Q: When the name constraint does not start with ".", does a
+// non-subdomain prefix match it? For example, does "bigfoo.bar.com"
+// match "foo.bar.com"? [4]
+// A: No. We interpret RFC 5280's language of "adding zero or more labels"
+// to mean that whole labels must be prefixed.
+//
+// (Note that the above three scenarios are the same as the RFC 6265
+// domain matching rules [0].)
+//
+// Q: Is a name constraint that starts with "." valid, and if so, what
+// semantics does it have? For example, does a presented ID of
+// "www.example.com" match a constraint of ".example.com"? Does a
+// presented ID of "example.com" match a constraint of ".example.com"?
+// A: This implementation, NSS[1], and SChannel[2] all support a
+// leading ".", but OpenSSL[3] does not yet. Amongst the
+// implementations that support it, a leading "." is legal and means
+// the same thing as when the "." is omitted, EXCEPT that a
+// presented identifier equal (case insensitive) to the name
+// constraint is not matched; i.e. presented DNSName identifiers
+// must be subdomains. Some CAs in Mozilla's CA program (e.g. HARICA)
+// have name constraints with the leading "." in their root
+// certificates. The name constraints imposed on DCISS by Mozilla also
+// have the it, so supporting this is a requirement for backward
+// compatibility, even if it is not yet standardized. So, for example, a
+// presented ID of "www.example.com" matches a constraint of
+// ".example.com" but a presented ID of "example.com" does not.
+//
+// Q: Is there a way to prevent subdomain matches?
+// A: Yes.
+//
+// Some people have proposed that dNSName constraints that do not
+// start with a "." should be restricted to exact (case insensitive)
+// matches. However, such a change of semantics from what RFC5280
+// specifies would be a non-backward-compatible change in the case of
+// permittedSubtrees constraints, and it would be a security issue for
+// excludedSubtrees constraints.
+//
+// However, it can be done with a combination of permittedSubtrees and
+// excludedSubtrees, e.g. "example.com" in permittedSubtrees and
+// ".example.com" in excudedSubtrees.
+//
+// Q: Are name constraints allowed to be specified as absolute names?
+// For example, does a presented ID of "example.com" match a name
+// constraint of "example.com." and vice versa.
+// A: Absolute names are not supported as presented IDs or name
+// constraints. Only reference IDs may be absolute.
+//
+// Q: Is "" a valid DNSName constraints? If so, what does it mean?
+// A: Yes. Any valid presented DNSName can be formed "by simply adding zero
+// or more labels to the left-hand side" of "". In particular, an
+// excludedSubtrees DNSName constraint of "" forbids all DNSNames.
+//
+// Q: Is "." a valid DNSName constraints? If so, what does it mean?
+// A: No, because absolute names are not allowed (see above).
+//
+// [0] RFC 6265 (Cookies) Domain Matching rules:
+// http://tools.ietf.org/html/rfc6265#section-5.1.3
+// [1] NSS source code:
+// https://mxr.mozilla.org/nss/source/lib/certdb/genname.c?rev=2a7348f013cb#1209
+// [2] Description of SChannel's behavior from Microsoft:
+// http://www.imc.org/ietf-pkix/mail-archive/msg04668.html
+// [3] Proposal to add such support to OpenSSL:
+// http://www.mail-archive.com/openssl-dev%40openssl.org/msg36204.html
+// https://rt.openssl.org/Ticket/Display.html?id=3562
+// [4] Feedback on the lack of clarify in the definition that never got
+// incorporated into the spec:
+// https://www.ietf.org/mail-archive/web/pkix/current/msg21192.html
+Result
+MatchPresentedDNSIDWithReferenceDNSID(
+ Input presentedDNSID,
+ AllowWildcards allowWildcards,
+ AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
+ IDRole referenceDNSIDRole,
+ Input referenceDNSID,
+ /*out*/ bool& matches)
+{
+ if (!IsValidDNSID(presentedDNSID, IDRole::PresentedID, allowWildcards)) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ if (!IsValidDNSID(referenceDNSID, referenceDNSIDRole, AllowWildcards::No)) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ Reader presented(presentedDNSID);
+ Reader reference(referenceDNSID);
+
+ switch (referenceDNSIDRole)
+ {
+ case IDRole::ReferenceID:
+ break;
+
+ case IDRole::NameConstraint:
+ {
+ if (presentedDNSID.GetLength() > referenceDNSID.GetLength()) {
+ if (referenceDNSID.GetLength() == 0) {
+ // An empty constraint matches everything.
+ matches = true;
+ return Success;
+ }
+ // If the reference ID starts with a dot then skip the prefix of
+ // of the presented ID and start the comparison at the position of that
+ // dot. Examples:
+ //
+ // Matches Doesn't Match
+ // -----------------------------------------------------------
+ // original presented ID: www.example.com badexample.com
+ // skipped: www ba
+ // presented ID w/o prefix: .example.com dexample.com
+ // reference ID: .example.com .example.com
+ //
+ // If the reference ID does not start with a dot then we skip the
+ // prefix of the presented ID but also verify that the prefix ends with
+ // a dot. Examples:
+ //
+ // Matches Doesn't Match
+ // -----------------------------------------------------------
+ // original presented ID: www.example.com badexample.com
+ // skipped: www ba
+ // must be '.': . d
+ // presented ID w/o prefix: example.com example.com
+ // reference ID: example.com example.com
+ //
+ if (reference.Peek('.')) {
+ if (presented.Skip(static_cast<Input::size_type>(
+ presentedDNSID.GetLength() -
+ referenceDNSID.GetLength())) != Success) {
+ return NotReached("skipping subdomain failed",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+ } else if (allowDotlessSubdomainMatches ==
+ AllowDotlessSubdomainMatches::Yes) {
+ if (presented.Skip(static_cast<Input::size_type>(
+ presentedDNSID.GetLength() -
+ referenceDNSID.GetLength() - 1)) != Success) {
+ return NotReached("skipping subdomains failed",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+ uint8_t b;
+ if (presented.Read(b) != Success) {
+ return NotReached("reading from presentedDNSID failed",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+ if (b != '.') {
+ matches = false;
+ return Success;
+ }
+ }
+ }
+ break;
+ }
+
+ case IDRole::PresentedID: // fall through
+ return NotReached("IDRole::PresentedID is not a valid referenceDNSIDRole",
+ Result::FATAL_ERROR_INVALID_ARGS);
+ }
+
+ // We only allow wildcard labels that consist only of '*'.
+ if (presented.Peek('*')) {
+ if (presented.Skip(1) != Success) {
+ return NotReached("Skipping '*' failed",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+ do {
+ // This will happen if reference is a single, relative label
+ if (reference.AtEnd()) {
+ matches = false;
+ return Success;
+ }
+ uint8_t referenceByte;
+ if (reference.Read(referenceByte) != Success) {
+ return NotReached("invalid reference ID",
+ Result::FATAL_ERROR_INVALID_ARGS);
+ }
+ } while (!reference.Peek('.'));
+ }
+
+ for (;;) {
+ uint8_t presentedByte;
+ if (presented.Read(presentedByte) != Success) {
+ matches = false;
+ return Success;
+ }
+ uint8_t referenceByte;
+ if (reference.Read(referenceByte) != Success) {
+ matches = false;
+ return Success;
+ }
+ if (LocaleInsensitveToLower(presentedByte) !=
+ LocaleInsensitveToLower(referenceByte)) {
+ matches = false;
+ return Success;
+ }
+ if (presented.AtEnd()) {
+ // Don't allow presented IDs to be absolute.
+ if (presentedByte == '.') {
+ return Result::ERROR_BAD_DER;
+ }
+ break;
+ }
+ }
+
+ // Allow a relative presented DNS ID to match an absolute reference DNS ID,
+ // unless we're matching a name constraint.
+ if (!reference.AtEnd()) {
+ if (referenceDNSIDRole != IDRole::NameConstraint) {
+ uint8_t referenceByte;
+ if (reference.Read(referenceByte) != Success) {
+ return NotReached("read failed but not at end",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+ if (referenceByte != '.') {
+ matches = false;
+ return Success;
+ }
+ }
+ if (!reference.AtEnd()) {
+ matches = false;
+ return Success;
+ }
+ }
+
+ matches = true;
+ return Success;
+}
+
+// https://tools.ietf.org/html/rfc5280#section-4.2.1.10 says:
+//
+// For IPv4 addresses, the iPAddress field of GeneralName MUST contain
+// eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent
+// an address range [RFC4632]. For IPv6 addresses, the iPAddress field
+// MUST contain 32 octets similarly encoded. For example, a name
+// constraint for "class C" subnet 192.0.2.0 is represented as the
+// octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
+// 192.0.2.0/24 (mask 255.255.255.0).
+Result
+MatchPresentedIPAddressWithConstraint(Input presentedID,
+ Input iPAddressConstraint,
+ /*out*/ bool& foundMatch)
+{
+ if (presentedID.GetLength() != 4 && presentedID.GetLength() != 16) {
+ return Result::ERROR_BAD_DER;
+ }
+ if (iPAddressConstraint.GetLength() != 8 &&
+ iPAddressConstraint.GetLength() != 32) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ // an IPv4 address never matches an IPv6 constraint, and vice versa.
+ if (presentedID.GetLength() * 2 != iPAddressConstraint.GetLength()) {
+ foundMatch = false;
+ return Success;
+ }
+
+ Reader constraint(iPAddressConstraint);
+ Reader constraintAddress;
+ Result rv = constraint.Skip(iPAddressConstraint.GetLength() / 2u,
+ constraintAddress);
+ if (rv != Success) {
+ return rv;
+ }
+ Reader constraintMask;
+ rv = constraint.Skip(iPAddressConstraint.GetLength() / 2u, constraintMask);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::End(constraint);
+ if (rv != Success) {
+ return rv;
+ }
+
+ Reader presented(presentedID);
+ do {
+ uint8_t presentedByte;
+ rv = presented.Read(presentedByte);
+ if (rv != Success) {
+ return rv;
+ }
+ uint8_t constraintAddressByte;
+ rv = constraintAddress.Read(constraintAddressByte);
+ if (rv != Success) {
+ return rv;
+ }
+ uint8_t constraintMaskByte;
+ rv = constraintMask.Read(constraintMaskByte);
+ if (rv != Success) {
+ return rv;
+ }
+ foundMatch =
+ ((presentedByte ^ constraintAddressByte) & constraintMaskByte) == 0;
+ } while (foundMatch && !presented.AtEnd());
+
+ return Success;
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+// type AttributeType,
+// value AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+Result
+ReadAVA(Reader& rdn,
+ /*out*/ Input& type,
+ /*out*/ uint8_t& valueTag,
+ /*out*/ Input& value)
+{
+ return der::Nested(rdn, der::SEQUENCE, [&](Reader& ava) -> Result {
+ Result rv = der::ExpectTagAndGetValue(ava, der::OIDTag, type);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::ReadTagAndGetValue(ava, valueTag, value);
+ if (rv != Success) {
+ return rv;
+ }
+ return Success;
+ });
+}
+
+// Names are sequences of RDNs. RDNS are sets of AVAs. That means that RDNs are
+// unordered, so in theory we should match RDNs with equivalent AVAs that are
+// in different orders. Within the AVAs are DirectoryNames that are supposed to
+// be compared according to LDAP stringprep normalization rules (e.g.
+// normalizing whitespace), consideration of different character encodings,
+// etc. Indeed, RFC 5280 says we MUST deal with all of that.
+//
+// In practice, many implementations, including NSS, only match Names in a way
+// that only meets a subset of the requirements of RFC 5280. Those
+// normalization and character encoding conversion steps appear to be
+// unnecessary for processing real-world certificates, based on experience from
+// having used NSS in Firefox for many years.
+//
+// RFC 5280 also says "CAs issuing certificates with a restriction of the form
+// directoryName SHOULD NOT rely on implementation of the full
+// ISO DN name comparison algorithm. This implies name restrictions MUST
+// be stated identically to the encoding used in the subject field or
+// subjectAltName extension." It goes on to say, in the security
+// considerations:
+//
+// In addition, name constraints for distinguished names MUST be stated
+// identically to the encoding used in the subject field or
+// subjectAltName extension. If not, then name constraints stated as
+// excludedSubtrees will not match and invalid paths will be accepted
+// and name constraints expressed as permittedSubtrees will not match
+// and valid paths will be rejected. To avoid acceptance of invalid
+// paths, CAs SHOULD state name constraints for distinguished names as
+// permittedSubtrees wherever possible.
+//
+// For permittedSubtrees, the MUST-level requirement is relaxed for
+// compatibility in the case of PrintableString and UTF8String. That is, if a
+// name constraint has been encoded using UTF8String and the presented ID has
+// been encoded with a PrintableString (or vice-versa), they are considered to
+// match if they are equal everywhere except for the tag identifying the
+// encoding. See bug 1150114.
+//
+// For excludedSubtrees, we simply prohibit any non-empty directoryName
+// constraint to ensure we are not being too lenient. We support empty
+// DirectoryName constraints in excludedSubtrees so that a CA can say "Do not
+// allow any DirectoryNames in issued certificates."
+Result
+MatchPresentedDirectoryNameWithConstraint(NameConstraintsSubtrees subtreesType,
+ Input presentedID,
+ Input directoryNameConstraint,
+ /*out*/ bool& matches)
+{
+ Reader constraintRDNs;
+ Result rv = der::ExpectTagAndGetValueAtEnd(directoryNameConstraint,
+ der::SEQUENCE, constraintRDNs);
+ if (rv != Success) {
+ return rv;
+ }
+ Reader presentedRDNs;
+ rv = der::ExpectTagAndGetValueAtEnd(presentedID, der::SEQUENCE,
+ presentedRDNs);
+ if (rv != Success) {
+ return rv;
+ }
+
+ switch (subtreesType) {
+ case NameConstraintsSubtrees::permittedSubtrees:
+ break; // dealt with below
+ case NameConstraintsSubtrees::excludedSubtrees:
+ if (!constraintRDNs.AtEnd() || !presentedRDNs.AtEnd()) {
+ return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+ }
+ matches = true;
+ return Success;
+ }
+
+ for (;;) {
+ // The AVAs have to be fully equal, but the constraint RDNs just need to be
+ // a prefix of the presented RDNs.
+ if (constraintRDNs.AtEnd()) {
+ matches = true;
+ return Success;
+ }
+ if (presentedRDNs.AtEnd()) {
+ matches = false;
+ return Success;
+ }
+ Reader constraintRDN;
+ rv = der::ExpectTagAndGetValue(constraintRDNs, der::SET, constraintRDN);
+ if (rv != Success) {
+ return rv;
+ }
+ Reader presentedRDN;
+ rv = der::ExpectTagAndGetValue(presentedRDNs, der::SET, presentedRDN);
+ if (rv != Success) {
+ return rv;
+ }
+ while (!constraintRDN.AtEnd() && !presentedRDN.AtEnd()) {
+ Input constraintType;
+ uint8_t constraintValueTag;
+ Input constraintValue;
+ rv = ReadAVA(constraintRDN, constraintType, constraintValueTag,
+ constraintValue);
+ if (rv != Success) {
+ return rv;
+ }
+ Input presentedType;
+ uint8_t presentedValueTag;
+ Input presentedValue;
+ rv = ReadAVA(presentedRDN, presentedType, presentedValueTag,
+ presentedValue);
+ if (rv != Success) {
+ return rv;
+ }
+ // TODO (bug 1155767): verify that if an AVA is a PrintableString it
+ // consists only of characters valid for PrintableStrings.
+ bool avasMatch =
+ InputsAreEqual(constraintType, presentedType) &&
+ InputsAreEqual(constraintValue, presentedValue) &&
+ (constraintValueTag == presentedValueTag ||
+ (constraintValueTag == der::Tag::UTF8String &&
+ presentedValueTag == der::Tag::PrintableString) ||
+ (constraintValueTag == der::Tag::PrintableString &&
+ presentedValueTag == der::Tag::UTF8String));
+ if (!avasMatch) {
+ matches = false;
+ return Success;
+ }
+ }
+ if (!constraintRDN.AtEnd() || !presentedRDN.AtEnd()) {
+ matches = false;
+ return Success;
+ }
+ }
+}
+
+// RFC 5280 says:
+//
+// The format of an rfc822Name is a "Mailbox" as defined in Section 4.1.2
+// of [RFC2821]. A Mailbox has the form "Local-part@Domain". Note that a
+// Mailbox has no phrase (such as a common name) before it, has no comment
+// (text surrounded in parentheses) after it, and is not surrounded by "<"
+// and ">". Rules for encoding Internet mail addresses that include
+// internationalized domain names are specified in Section 7.5.
+//
+// and:
+//
+// A name constraint for Internet mail addresses MAY specify a
+// particular mailbox, all addresses at a particular host, or all
+// mailboxes in a domain. To indicate a particular mailbox, the
+// constraint is the complete mail address. For example,
+// "root@example.com" indicates the root mailbox on the host
+// "example.com". To indicate all Internet mail addresses on a
+// particular host, the constraint is specified as the host name. For
+// example, the constraint "example.com" is satisfied by any mail
+// address at the host "example.com". To specify any address within a
+// domain, the constraint is specified with a leading period (as with
+// URIs). For example, ".example.com" indicates all the Internet mail
+// addresses in the domain "example.com", but not Internet mail
+// addresses on the host "example.com".
+
+bool
+IsValidRFC822Name(Input input)
+{
+ Reader reader(input);
+
+ // Local-part@.
+ bool startOfAtom = true;
+ for (;;) {
+ uint8_t presentedByte;
+ if (reader.Read(presentedByte) != Success) {
+ return false;
+ }
+ switch (presentedByte) {
+ // atext is defined in https://tools.ietf.org/html/rfc2822#section-3.2.4
+ case 'A': case 'a': case 'N': case 'n': case '0': case '!': case '#':
+ case 'B': case 'b': case 'O': case 'o': case '1': case '$': case '%':
+ case 'C': case 'c': case 'P': case 'p': case '2': case '&': case '\'':
+ case 'D': case 'd': case 'Q': case 'q': case '3': case '*': case '+':
+ case 'E': case 'e': case 'R': case 'r': case '4': case '-': case '/':
+ case 'F': case 'f': case 'S': case 's': case '5': case '=': case '?':
+ case 'G': case 'g': case 'T': case 't': case '6': case '^': case '_':
+ case 'H': case 'h': case 'U': case 'u': case '7': case '`': case '{':
+ case 'I': case 'i': case 'V': case 'v': case '8': case '|': case '}':
+ case 'J': case 'j': case 'W': case 'w': case '9': case '~':
+ case 'K': case 'k': case 'X': case 'x':
+ case 'L': case 'l': case 'Y': case 'y':
+ case 'M': case 'm': case 'Z': case 'z':
+ startOfAtom = false;
+ break;
+
+ case '.':
+ if (startOfAtom) {
+ return false;
+ }
+ startOfAtom = true;
+ break;
+
+ case '@':
+ {
+ if (startOfAtom) {
+ return false;
+ }
+ Input domain;
+ if (reader.SkipToEnd(domain) != Success) {
+ return false;
+ }
+ return IsValidDNSID(domain, IDRole::PresentedID, AllowWildcards::No);
+ }
+
+ default:
+ return false;
+ }
+ }
+}
+
+Result
+MatchPresentedRFC822NameWithReferenceRFC822Name(Input presentedRFC822Name,
+ IDRole referenceRFC822NameRole,
+ Input referenceRFC822Name,
+ /*out*/ bool& matches)
+{
+ if (!IsValidRFC822Name(presentedRFC822Name)) {
+ return Result::ERROR_BAD_DER;
+ }
+ Reader presented(presentedRFC822Name);
+
+ switch (referenceRFC822NameRole)
+ {
+ case IDRole::PresentedID:
+ return Result::FATAL_ERROR_INVALID_ARGS;
+
+ case IDRole::ReferenceID:
+ break;
+
+ case IDRole::NameConstraint:
+ {
+ if (InputContains(referenceRFC822Name, '@')) {
+ // The constraint is of the form "Local-part@Domain".
+ break;
+ }
+
+ // The constraint is of the form "example.com" or ".example.com".
+
+ // Skip past the '@' in the presented ID.
+ for (;;) {
+ uint8_t presentedByte;
+ if (presented.Read(presentedByte) != Success) {
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ if (presentedByte == '@') {
+ break;
+ }
+ }
+
+ Input presentedDNSID;
+ if (presented.SkipToEnd(presentedDNSID) != Success) {
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+
+ return MatchPresentedDNSIDWithReferenceDNSID(
+ presentedDNSID, AllowWildcards::No,
+ AllowDotlessSubdomainMatches::No, IDRole::NameConstraint,
+ referenceRFC822Name, matches);
+ }
+ }
+
+ if (!IsValidRFC822Name(referenceRFC822Name)) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ Reader reference(referenceRFC822Name);
+
+ for (;;) {
+ uint8_t presentedByte;
+ if (presented.Read(presentedByte) != Success) {
+ matches = reference.AtEnd();
+ return Success;
+ }
+ uint8_t referenceByte;
+ if (reference.Read(referenceByte) != Success) {
+ matches = false;
+ return Success;
+ }
+ if (LocaleInsensitveToLower(presentedByte) !=
+ LocaleInsensitveToLower(referenceByte)) {
+ matches = false;
+ return Success;
+ }
+ }
+}
+
+// We avoid isdigit because it is locale-sensitive. See
+// http://pubs.opengroup.org/onlinepubs/009695399/functions/tolower.html.
+inline uint8_t
+LocaleInsensitveToLower(uint8_t a)
+{
+ if (a >= 'A' && a <= 'Z') { // unlikely
+ return static_cast<uint8_t>(
+ static_cast<uint8_t>(a - static_cast<uint8_t>('A')) +
+ static_cast<uint8_t>('a'));
+ }
+ return a;
+}
+
+bool
+StartsWithIDNALabel(Input id)
+{
+ static const uint8_t IDN_ALABEL_PREFIX[4] = { 'x', 'n', '-', '-' };
+ Reader input(id);
+ for (size_t i = 0; i < sizeof(IDN_ALABEL_PREFIX); ++i) {
+ uint8_t b;
+ if (input.Read(b) != Success) {
+ return false;
+ }
+ if (b != IDN_ALABEL_PREFIX[i]) {
+ return false;
+ }
+ }
+ return true;
+}
+
+bool
+ReadIPv4AddressComponent(Reader& input, bool lastComponent,
+ /*out*/ uint8_t& valueOut)
+{
+ size_t length = 0;
+ unsigned int value = 0; // Must be larger than uint8_t.
+
+ for (;;) {
+ if (input.AtEnd() && lastComponent) {
+ break;
+ }
+
+ uint8_t b;
+ if (input.Read(b) != Success) {
+ return false;
+ }
+
+ if (b >= '0' && b <= '9') {
+ if (value == 0 && length > 0) {
+ return false; // Leading zeros are not allowed.
+ }
+ value = (value * 10) + (b - '0');
+ if (value > 255) {
+ return false; // Component's value is too large.
+ }
+ ++length;
+ } else if (!lastComponent && b == '.') {
+ break;
+ } else {
+ return false; // Invalid character.
+ }
+ }
+
+ if (length == 0) {
+ return false; // empty components not allowed
+ }
+
+ valueOut = static_cast<uint8_t>(value);
+ return true;
+}
+
+} // namespace
+
+// On Windows and maybe other platforms, OS-provided IP address parsing
+// functions might fail if the protocol (IPv4 or IPv6) has been disabled, so we
+// can't rely on them.
+bool
+ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4])
+{
+ Reader input(hostname);
+ return ReadIPv4AddressComponent(input, false, out[0]) &&
+ ReadIPv4AddressComponent(input, false, out[1]) &&
+ ReadIPv4AddressComponent(input, false, out[2]) &&
+ ReadIPv4AddressComponent(input, true, out[3]);
+}
+
+namespace {
+
+bool
+FinishIPv6Address(/*in/out*/ uint8_t (&address)[16], int numComponents,
+ int contractionIndex)
+{
+ assert(numComponents >= 0);
+ assert(numComponents <= 8);
+ assert(contractionIndex >= -1);
+ assert(contractionIndex <= 8);
+ assert(contractionIndex <= numComponents);
+ if (!(numComponents >= 0 &&
+ numComponents <= 8 &&
+ contractionIndex >= -1 &&
+ contractionIndex <= 8 &&
+ contractionIndex <= numComponents)) {
+ return false;
+ }
+
+ if (contractionIndex == -1) {
+ // no contraction
+ return numComponents == 8;
+ }
+
+ if (numComponents >= 8) {
+ return false; // no room left to expand the contraction.
+ }
+
+ // Shift components that occur after the contraction over.
+ size_t componentsToMove = static_cast<size_t>(numComponents -
+ contractionIndex);
+ memmove(address + (2u * static_cast<size_t>(8 - componentsToMove)),
+ address + (2u * static_cast<size_t>(contractionIndex)),
+ componentsToMove * 2u);
+ // Fill in the contracted area with zeros.
+ std::fill_n(address + 2u * static_cast<size_t>(contractionIndex),
+ (8u - static_cast<size_t>(numComponents)) * 2u, static_cast<uint8_t>(0u));
+
+ return true;
+}
+
+} // namespace
+
+// On Windows and maybe other platforms, OS-provided IP address parsing
+// functions might fail if the protocol (IPv4 or IPv6) has been disabled, so we
+// can't rely on them.
+bool
+ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16])
+{
+ Reader input(hostname);
+
+ int currentComponentIndex = 0;
+ int contractionIndex = -1;
+
+ if (input.Peek(':')) {
+ // A valid input can only start with ':' if there is a contraction at the
+ // beginning.
+ uint8_t b;
+ if (input.Read(b) != Success || b != ':') {
+ assert(false);
+ return false;
+ }
+ if (input.Read(b) != Success) {
+ return false;
+ }
+ if (b != ':') {
+ return false;
+ }
+ contractionIndex = 0;
+ }
+
+ for (;;) {
+ // If we encounter a '.' then we'll have to backtrack to parse the input
+ // from startOfComponent to the end of the input as an IPv4 address.
+ Reader::Mark startOfComponent(input.GetMark());
+ uint16_t componentValue = 0;
+ size_t componentLength = 0;
+ while (!input.AtEnd() && !input.Peek(':')) {
+ uint8_t value;
+ uint8_t b;
+ if (input.Read(b) != Success) {
+ assert(false);
+ return false;
+ }
+ switch (b) {
+ case '0': case '1': case '2': case '3': case '4':
+ case '5': case '6': case '7': case '8': case '9':
+ value = static_cast<uint8_t>(b - static_cast<uint8_t>('0'));
+ break;
+ case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
+ value = static_cast<uint8_t>(b - static_cast<uint8_t>('a') +
+ UINT8_C(10));
+ break;
+ case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
+ value = static_cast<uint8_t>(b - static_cast<uint8_t>('A') +
+ UINT8_C(10));
+ break;
+ case '.':
+ {
+ // A dot indicates we hit a IPv4-syntax component. Backtrack, parsing
+ // the input from startOfComponent to the end of the input as an IPv4
+ // address, and then combine it with the other components.
+
+ if (currentComponentIndex > 6) {
+ return false; // Too many components before the IPv4 component
+ }
+
+ input.SkipToEnd();
+ Input ipv4Component;
+ if (input.GetInput(startOfComponent, ipv4Component) != Success) {
+ return false;
+ }
+ uint8_t (*ipv4)[4] =
+ reinterpret_cast<uint8_t(*)[4]>(&out[2 * currentComponentIndex]);
+ if (!ParseIPv4Address(ipv4Component, *ipv4)) {
+ return false;
+ }
+ assert(input.AtEnd());
+ currentComponentIndex += 2;
+
+ return FinishIPv6Address(out, currentComponentIndex,
+ contractionIndex);
+ }
+ default:
+ return false;
+ }
+ if (componentLength >= 4) {
+ // component too long
+ return false;
+ }
+ ++componentLength;
+ componentValue = (componentValue * 0x10u) + value;
+ }
+
+ if (currentComponentIndex >= 8) {
+ return false; // too many components
+ }
+
+ if (componentLength == 0) {
+ if (input.AtEnd() && currentComponentIndex == contractionIndex) {
+ if (contractionIndex == 0) {
+ // don't accept "::"
+ return false;
+ }
+ return FinishIPv6Address(out, currentComponentIndex,
+ contractionIndex);
+ }
+ return false;
+ }
+
+ out[2 * currentComponentIndex] =
+ static_cast<uint8_t>(componentValue / 0x100);
+ out[(2 * currentComponentIndex) + 1] =
+ static_cast<uint8_t>(componentValue % 0x100);
+
+ ++currentComponentIndex;
+
+ if (input.AtEnd()) {
+ return FinishIPv6Address(out, currentComponentIndex,
+ contractionIndex);
+ }
+
+ uint8_t b;
+ if (input.Read(b) != Success || b != ':') {
+ assert(false);
+ return false;
+ }
+
+ if (input.Peek(':')) {
+ // Contraction
+ if (contractionIndex != -1) {
+ return false; // multiple contractions are not allowed.
+ }
+ if (input.Read(b) != Success || b != ':') {
+ assert(false);
+ return false;
+ }
+ contractionIndex = currentComponentIndex;
+ if (input.AtEnd()) {
+ // "::" at the end of the input.
+ return FinishIPv6Address(out, currentComponentIndex,
+ contractionIndex);
+ }
+ }
+ }
+}
+
+bool
+IsValidReferenceDNSID(Input hostname)
+{
+ return IsValidDNSID(hostname, IDRole::ReferenceID, AllowWildcards::No);
+}
+
+bool
+IsValidPresentedDNSID(Input hostname)
+{
+ return IsValidDNSID(hostname, IDRole::PresentedID, AllowWildcards::Yes);
+}
+
+namespace {
+
+// RFC 5280 Section 4.2.1.6 says that a dNSName "MUST be in the 'preferred name
+// syntax', as specified by Section 3.5 of [RFC1034] and as modified by Section
+// 2.1 of [RFC1123]" except "a dNSName of ' ' MUST NOT be used." Additionally,
+// we allow underscores for compatibility with existing practice.
+bool
+IsValidDNSID(Input hostname, IDRole idRole, AllowWildcards allowWildcards)
+{
+ if (hostname.GetLength() > 253) {
+ return false;
+ }
+
+ Reader input(hostname);
+
+ if (idRole == IDRole::NameConstraint && input.AtEnd()) {
+ return true;
+ }
+
+ size_t dotCount = 0;
+ size_t labelLength = 0;
+ bool labelIsAllNumeric = false;
+ bool labelEndsWithHyphen = false;
+
+ // Only presented IDs are allowed to have wildcard labels. And, like
+ // Chromium, be stricter than RFC 6125 requires by insisting that a
+ // wildcard label consist only of '*'.
+ bool isWildcard = allowWildcards == AllowWildcards::Yes && input.Peek('*');
+ bool isFirstByte = !isWildcard;
+ if (isWildcard) {
+ Result rv = input.Skip(1);
+ if (rv != Success) {
+ assert(false);
+ return false;
+ }
+
+ uint8_t b;
+ rv = input.Read(b);
+ if (rv != Success) {
+ return false;
+ }
+ if (b != '.') {
+ return false;
+ }
+ ++dotCount;
+ }
+
+ do {
+ static const size_t MAX_LABEL_LENGTH = 63;
+
+ uint8_t b;
+ if (input.Read(b) != Success) {
+ return false;
+ }
+ switch (b) {
+ case '-':
+ if (labelLength == 0) {
+ return false; // Labels must not start with a hyphen.
+ }
+ labelIsAllNumeric = false;
+ labelEndsWithHyphen = true;
+ ++labelLength;
+ if (labelLength > MAX_LABEL_LENGTH) {
+ return false;
+ }
+ break;
+
+ // We avoid isdigit because it is locale-sensitive. See
+ // http://pubs.opengroup.org/onlinepubs/009695399/functions/isdigit.html
+ case '0': case '5':
+ case '1': case '6':
+ case '2': case '7':
+ case '3': case '8':
+ case '4': case '9':
+ if (labelLength == 0) {
+ labelIsAllNumeric = true;
+ }
+ labelEndsWithHyphen = false;
+ ++labelLength;
+ if (labelLength > MAX_LABEL_LENGTH) {
+ return false;
+ }
+ break;
+
+ // We avoid using islower/isupper/tolower/toupper or similar things, to
+ // avoid any possibility of this code being locale-sensitive. See
+ // http://pubs.opengroup.org/onlinepubs/009695399/functions/isupper.html
+ case 'a': case 'A': case 'n': case 'N':
+ case 'b': case 'B': case 'o': case 'O':
+ case 'c': case 'C': case 'p': case 'P':
+ case 'd': case 'D': case 'q': case 'Q':
+ case 'e': case 'E': case 'r': case 'R':
+ case 'f': case 'F': case 's': case 'S':
+ case 'g': case 'G': case 't': case 'T':
+ case 'h': case 'H': case 'u': case 'U':
+ case 'i': case 'I': case 'v': case 'V':
+ case 'j': case 'J': case 'w': case 'W':
+ case 'k': case 'K': case 'x': case 'X':
+ case 'l': case 'L': case 'y': case 'Y':
+ case 'm': case 'M': case 'z': case 'Z':
+ // We allow underscores for compatibility with existing practices.
+ // See bug 1136616.
+ case '_':
+ labelIsAllNumeric = false;
+ labelEndsWithHyphen = false;
+ ++labelLength;
+ if (labelLength > MAX_LABEL_LENGTH) {
+ return false;
+ }
+ break;
+
+ case '.':
+ ++dotCount;
+ if (labelLength == 0 &&
+ (idRole != IDRole::NameConstraint || !isFirstByte)) {
+ return false;
+ }
+ if (labelEndsWithHyphen) {
+ return false; // Labels must not end with a hyphen.
+ }
+ labelLength = 0;
+ break;
+
+ default:
+ return false; // Invalid character.
+ }
+ isFirstByte = false;
+ } while (!input.AtEnd());
+
+ // Only reference IDs, not presented IDs or name constraints, may be
+ // absolute.
+ if (labelLength == 0 && idRole != IDRole::ReferenceID) {
+ return false;
+ }
+
+ if (labelEndsWithHyphen) {
+ return false; // Labels must not end with a hyphen.
+ }
+
+ if (labelIsAllNumeric) {
+ return false; // Last label must not be all numeric.
+ }
+
+ if (isWildcard) {
+ // If the DNS ID ends with a dot, the last dot signifies an absolute ID.
+ size_t labelCount = (labelLength == 0) ? dotCount : (dotCount + 1);
+
+ // Like NSS, require at least two labels to follow the wildcard label.
+ //
+ // TODO(bug XXXXXXX): Allow the TrustDomain to control this on a
+ // per-eTLD+1 basis, similar to Chromium. Even then, it might be better to
+ // still enforce that there are at least two labels after the wildcard.
+ if (labelCount < 3) {
+ return false;
+ }
+ // XXX: RFC6125 says that we shouldn't accept wildcards within an IDN
+ // A-Label. The consequence of this is that we effectively discriminate
+ // against users of languages that cannot be encoded with ASCII.
+ if (StartsWithIDNALabel(hostname)) {
+ return false;
+ }
+
+ // TODO(bug XXXXXXX): Wildcards are not allowed for EV certificates.
+ // Provide an option to indicate whether wildcards should be matched, for
+ // the purpose of helping the application enforce this.
+ }
+
+ return true;
+}
+
+} // namespace
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixnss.cpp b/security/pkix/lib/pkixnss.cpp
new file mode 100644
index 000000000..798a19265
--- /dev/null
+++ b/security/pkix/lib/pkixnss.cpp
@@ -0,0 +1,228 @@
+/*- *- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkix/pkixnss.h"
+
+#include <limits>
+
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "pk11pub.h"
+#include "pkix/pkix.h"
+#include "pkixutil.h"
+#include "ScopedPtr.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+namespace mozilla { namespace pkix {
+
+namespace {
+
+Result
+VerifySignedDigest(const SignedDigest& sd,
+ Input subjectPublicKeyInfo,
+ SECOidTag pubKeyAlg,
+ void* pkcs11PinArg)
+{
+ SECOidTag digestAlg;
+ switch (sd.digestAlgorithm) {
+ case DigestAlgorithm::sha512: digestAlg = SEC_OID_SHA512; break;
+ case DigestAlgorithm::sha384: digestAlg = SEC_OID_SHA384; break;
+ case DigestAlgorithm::sha256: digestAlg = SEC_OID_SHA256; break;
+ case DigestAlgorithm::sha1: digestAlg = SEC_OID_SHA1; break;
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+
+ SECItem subjectPublicKeyInfoSECItem =
+ UnsafeMapInputToSECItem(subjectPublicKeyInfo);
+ ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
+ spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&subjectPublicKeyInfoSECItem));
+ if (!spki) {
+ return MapPRErrorCodeToResult(PR_GetError());
+ }
+ ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
+ pubKey(SECKEY_ExtractPublicKey(spki.get()));
+ if (!pubKey) {
+ return MapPRErrorCodeToResult(PR_GetError());
+ }
+
+ SECItem digestSECItem(UnsafeMapInputToSECItem(sd.digest));
+ SECItem signatureSECItem(UnsafeMapInputToSECItem(sd.signature));
+ SECStatus srv = VFY_VerifyDigestDirect(&digestSECItem, pubKey.get(),
+ &signatureSECItem, pubKeyAlg,
+ digestAlg, pkcs11PinArg);
+ if (srv != SECSuccess) {
+ return MapPRErrorCodeToResult(PR_GetError());
+ }
+
+ return Success;
+}
+
+} // namespace
+
+Result
+VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
+ Input subjectPublicKeyInfo,
+ void* pkcs11PinArg)
+{
+ return VerifySignedDigest(sd, subjectPublicKeyInfo,
+ SEC_OID_PKCS1_RSA_ENCRYPTION, pkcs11PinArg);
+}
+
+Result
+VerifyECDSASignedDigestNSS(const SignedDigest& sd,
+ Input subjectPublicKeyInfo,
+ void* pkcs11PinArg)
+{
+ return VerifySignedDigest(sd, subjectPublicKeyInfo,
+ SEC_OID_ANSIX962_EC_PUBLIC_KEY, pkcs11PinArg);
+}
+
+Result
+DigestBufNSS(Input item,
+ DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf,
+ size_t digestBufLen)
+{
+ SECOidTag oid;
+ size_t bits;
+ switch (digestAlg) {
+ case DigestAlgorithm::sha512: oid = SEC_OID_SHA512; bits = 512; break;
+ case DigestAlgorithm::sha384: oid = SEC_OID_SHA384; bits = 384; break;
+ case DigestAlgorithm::sha256: oid = SEC_OID_SHA256; bits = 256; break;
+ case DigestAlgorithm::sha1: oid = SEC_OID_SHA1; bits = 160; break;
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+ if (digestBufLen != bits / 8) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+
+ SECItem itemSECItem = UnsafeMapInputToSECItem(item);
+ if (itemSECItem.len >
+ static_cast<decltype(itemSECItem.len)>(
+ std::numeric_limits<int32_t>::max())) {
+ PR_NOT_REACHED("large items should not be possible here");
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ SECStatus srv = PK11_HashBuf(oid, digestBuf, itemSECItem.data,
+ static_cast<int32_t>(itemSECItem.len));
+ if (srv != SECSuccess) {
+ return MapPRErrorCodeToResult(PR_GetError());
+ }
+ return Success;
+}
+
+Result
+MapPRErrorCodeToResult(PRErrorCode error)
+{
+ switch (error)
+ {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+ case nss_result: return Result::mozilla_pkix_result;
+
+ MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+ default:
+ return Result::ERROR_UNKNOWN_ERROR;
+ }
+}
+
+PRErrorCode
+MapResultToPRErrorCode(Result result)
+{
+ switch (result)
+ {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+ case Result::mozilla_pkix_result: return nss_result;
+
+ MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+}
+
+void
+RegisterErrorTable()
+{
+ // Note that these error strings are not localizable.
+ // When these strings change, update the localization information too.
+ static const PRErrorMessage ErrorTableText[] = {
+ { "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE",
+ "The server uses key pinning (HPKP) but no trusted certificate chain "
+ "could be constructed that matches the pinset. Key pinning violations "
+ "cannot be overridden." },
+ { "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
+ "The server uses a certificate with a basic constraints extension "
+ "identifying it as a certificate authority. For a properly-issued "
+ "certificate, this should not be the case." },
+ { "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
+ "The server presented a certificate with a key size that is too small "
+ "to establish a secure connection." },
+ { "MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA",
+ "An X.509 version 1 certificate that is not a trust anchor was used to "
+ "issue the server's certificate. X.509 version 1 certificates are "
+ "deprecated and should not be used to sign other certificates." },
+ { "MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH",
+ "The certificate is not valid for the given email address." },
+ { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE",
+ "The server presented a certificate that is not yet valid." },
+ { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE",
+ "A certificate that is not yet valid was used to issue the server's "
+ "certificate." },
+ { "MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH",
+ "The signature algorithm in the signature field of the certificate does "
+ "not match the algorithm in its signatureAlgorithm field." },
+ { "MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING",
+ "The OCSP response does not include a status for the certificate being "
+ "verified." },
+ { "MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG",
+ "The server presented a certificate that is valid for too long." },
+ { "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING",
+ "A required TLS feature is missing." },
+ { "MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING",
+ "The server presented a certificate that contains an invalid encoding of "
+ "an integer. Common causes include negative serial numbers, negative RSA "
+ "moduli, and encodings that are longer than necessary." },
+ { "MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME",
+ "The server presented a certificate with an empty issuer distinguished "
+ "name." },
+ };
+ // Note that these error strings are not localizable.
+ // When these strings change, update the localization information too.
+
+ static const PRErrorTable ErrorTable = {
+ ErrorTableText,
+ "pkixerrors",
+ ERROR_BASE,
+ PR_ARRAY_SIZE(ErrorTableText)
+ };
+
+ (void) PR_ErrorInstallTable(&ErrorTable);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixocsp.cpp b/security/pkix/lib/pkixocsp.cpp
new file mode 100644
index 000000000..06cb53bc4
--- /dev/null
+++ b/security/pkix/lib/pkixocsp.cpp
@@ -0,0 +1,1007 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <limits>
+
+#include "pkix/pkix.h"
+#include "pkixcheck.h"
+#include "pkixutil.h"
+
+namespace {
+
+const size_t SHA1_DIGEST_LENGTH = 160 / 8;
+
+} // namespace
+
+namespace mozilla { namespace pkix {
+
+// These values correspond to the tag values in the ASN.1 CertStatus
+enum class CertStatus : uint8_t {
+ Good = der::CONTEXT_SPECIFIC | 0,
+ Revoked = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+ Unknown = der::CONTEXT_SPECIFIC | 2
+};
+
+class Context final
+{
+public:
+ Context(TrustDomain& trustDomain, const CertID& certID, Time time,
+ uint16_t maxLifetimeInDays, /*optional out*/ Time* thisUpdate,
+ /*optional out*/ Time* validThrough)
+ : trustDomain(trustDomain)
+ , certID(certID)
+ , time(time)
+ , maxLifetimeInDays(maxLifetimeInDays)
+ , certStatus(CertStatus::Unknown)
+ , thisUpdate(thisUpdate)
+ , validThrough(validThrough)
+ , expired(false)
+ , matchFound(false)
+ {
+ if (thisUpdate) {
+ *thisUpdate = TimeFromElapsedSecondsAD(0);
+ }
+ if (validThrough) {
+ *validThrough = TimeFromElapsedSecondsAD(0);
+ }
+ }
+
+ TrustDomain& trustDomain;
+ const CertID& certID;
+ const Time time;
+ const uint16_t maxLifetimeInDays;
+ CertStatus certStatus;
+ Time* thisUpdate;
+ Time* validThrough;
+ bool expired;
+
+ Input signedCertificateTimestamps;
+
+ // Keep track of whether the OCSP response contains the status of the
+ // certificate we're interested in. Responders might reply without
+ // including the status of any of the requested certs, we should
+ // indicate a server failure in those cases.
+ bool matchFound;
+
+ Context(const Context&) = delete;
+ void operator=(const Context&) = delete;
+};
+
+// Verify that potentialSigner is a valid delegated OCSP response signing cert
+// according to RFC 6960 section 4.2.2.2.
+static Result
+CheckOCSPResponseSignerCert(TrustDomain& trustDomain,
+ BackCert& potentialSigner,
+ Input issuerSubject,
+ Input issuerSubjectPublicKeyInfo,
+ Time time)
+{
+ Result rv;
+
+ // We don't need to do a complete verification of the signer (i.e. we don't
+ // have to call BuildCertChain to verify the entire chain) because we
+ // already know that the issuer is valid, since revocation checking is done
+ // from the root to the parent after we've built a complete chain that we
+ // know is otherwise valid. Rather, we just need to do a one-step validation
+ // from potentialSigner to the issuer.
+ //
+ // It seems reasonable to require the KU_DIGITAL_SIGNATURE key usage on the
+ // OCSP responder certificate if the OCSP responder certificate has a
+ // key usage extension. However, according to bug 240456, some OCSP responder
+ // certificates may have only the nonRepudiation bit set. Also, the OCSP
+ // specification (RFC 6960) does not mandate any particular key usage to be
+ // asserted for OCSP responde signers. Oddly, the CABForum Baseline
+ // Requirements v.1.1.5 do say "If the Root CA Private Key is used for
+ // signing OCSP responses, then the digitalSignature bit MUST be set."
+ //
+ // Note that CheckIssuerIndependentProperties processes
+ // SEC_OID_OCSP_RESPONDER in the way that the OCSP specification requires us
+ // to--in particular, it doesn't allow SEC_OID_OCSP_RESPONDER to be implied
+ // by a missing EKU extension, unlike other EKUs.
+ //
+ // TODO(bug 926261): If we're validating for a policy then the policy OID we
+ // are validating for should be passed to CheckIssuerIndependentProperties.
+ TrustLevel unusedTrustLevel;
+ rv = CheckIssuerIndependentProperties(trustDomain, potentialSigner, time,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_OCSPSigning,
+ CertPolicyId::anyPolicy, 0,
+ unusedTrustLevel);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // It is possible that there exists a certificate with the same key as the
+ // issuer but with a different name, so we need to compare names
+ // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
+ // comparison.
+ // TODO: needs test
+ if (!InputsAreEqual(potentialSigner.GetIssuer(), issuerSubject)) {
+ return Result::ERROR_OCSP_RESPONDER_CERT_INVALID;
+ }
+
+ // TODO(bug 926260): check name constraints
+
+ rv = VerifySignedData(trustDomain, potentialSigner.GetSignedData(),
+ issuerSubjectPublicKeyInfo);
+
+ // TODO: check for revocation of the OCSP responder certificate unless no-check
+ // or the caller forcing no-check. To properly support the no-check policy, we'd
+ // need to enforce policy constraints from the issuerChain.
+
+ return rv;
+}
+
+enum class ResponderIDType : uint8_t
+{
+ byName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+ byKey = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 2
+};
+
+static inline Result OCSPResponse(Reader&, Context&);
+static inline Result ResponseBytes(Reader&, Context&);
+static inline Result BasicResponse(Reader&, Context&);
+static inline Result ResponseData(
+ Reader& tbsResponseData,
+ Context& context,
+ const der::SignedDataWithSignature& signedResponseData,
+ const DERArray& certs);
+static inline Result SingleResponse(Reader& input, Context& context);
+static Result ExtensionNotUnderstood(Reader& extnID, Input extnValue,
+ bool critical, /*out*/ bool& understood);
+static Result RememberSingleExtension(Context& context, Reader& extnID,
+ Input extnValue, bool critical,
+ /*out*/ bool& understood);
+static inline Result CertID(Reader& input,
+ const Context& context,
+ /*out*/ bool& match);
+static Result MatchKeyHash(TrustDomain& trustDomain,
+ Input issuerKeyHash,
+ Input issuerSubjectPublicKeyInfo,
+ /*out*/ bool& match);
+static Result KeyHash(TrustDomain& trustDomain,
+ Input subjectPublicKeyInfo,
+ /*out*/ uint8_t* hashBuf, size_t hashBufSize);
+
+static Result
+MatchResponderID(TrustDomain& trustDomain,
+ ResponderIDType responderIDType,
+ Input responderID,
+ Input potentialSignerSubject,
+ Input potentialSignerSubjectPublicKeyInfo,
+ /*out*/ bool& match)
+{
+ match = false;
+
+ switch (responderIDType) {
+ case ResponderIDType::byName:
+ // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
+ // comparison.
+ match = InputsAreEqual(responderID, potentialSignerSubject);
+ return Success;
+
+ case ResponderIDType::byKey:
+ {
+ Reader input(responderID);
+ Input keyHash;
+ Result rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, keyHash);
+ if (rv != Success) {
+ return rv;
+ }
+ return MatchKeyHash(trustDomain, keyHash,
+ potentialSignerSubjectPublicKeyInfo, match);
+ }
+
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+}
+
+static Result
+VerifyOCSPSignedData(TrustDomain& trustDomain,
+ const der::SignedDataWithSignature& signedResponseData,
+ Input spki)
+{
+ Result rv = VerifySignedData(trustDomain, signedResponseData, spki);
+ if (rv == Result::ERROR_BAD_SIGNATURE) {
+ rv = Result::ERROR_OCSP_BAD_SIGNATURE;
+ }
+ return rv;
+}
+
+// RFC 6960 section 4.2.2.2: The OCSP responder must either be the issuer of
+// the cert or it must be a delegated OCSP response signing cert directly
+// issued by the issuer. If the OCSP responder is a delegated OCSP response
+// signer, then its certificate is (probably) embedded within the OCSP
+// response and we'll need to verify that it is a valid certificate that chains
+// *directly* to issuerCert.
+static Result
+VerifySignature(Context& context, ResponderIDType responderIDType,
+ Input responderID, const DERArray& certs,
+ const der::SignedDataWithSignature& signedResponseData)
+{
+ bool match;
+ Result rv = MatchResponderID(context.trustDomain, responderIDType,
+ responderID, context.certID.issuer,
+ context.certID.issuerSubjectPublicKeyInfo,
+ match);
+ if (rv != Success) {
+ return rv;
+ }
+ if (match) {
+ return VerifyOCSPSignedData(context.trustDomain, signedResponseData,
+ context.certID.issuerSubjectPublicKeyInfo);
+ }
+
+ size_t numCerts = certs.GetLength();
+ for (size_t i = 0; i < numCerts; ++i) {
+ BackCert cert(*certs.GetDER(i), EndEntityOrCA::MustBeEndEntity, nullptr);
+ rv = cert.Init();
+ if (rv != Success) {
+ return rv;
+ }
+ rv = MatchResponderID(context.trustDomain, responderIDType, responderID,
+ cert.GetSubject(), cert.GetSubjectPublicKeyInfo(),
+ match);
+ if (rv != Success) {
+ if (IsFatalError(rv)) {
+ return rv;
+ }
+ continue;
+ }
+
+ if (match) {
+ rv = CheckOCSPResponseSignerCert(context.trustDomain, cert,
+ context.certID.issuer,
+ context.certID.issuerSubjectPublicKeyInfo,
+ context.time);
+ if (rv != Success) {
+ if (IsFatalError(rv)) {
+ return rv;
+ }
+ continue;
+ }
+
+ return VerifyOCSPSignedData(context.trustDomain, signedResponseData,
+ cert.GetSubjectPublicKeyInfo());
+ }
+ }
+
+ return Result::ERROR_OCSP_INVALID_SIGNING_CERT;
+}
+
+static inline Result
+MapBadDERToMalformedOCSPResponse(Result rv)
+{
+ if (rv == Result::ERROR_BAD_DER) {
+ return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+ }
+ return rv;
+}
+
+Result
+VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const struct CertID& certID,
+ Time time, uint16_t maxOCSPLifetimeInDays,
+ Input encodedResponse,
+ /*out*/ bool& expired,
+ /*optional out*/ Time* thisUpdate,
+ /*optional out*/ Time* validThrough)
+{
+ // Always initialize this to something reasonable.
+ expired = false;
+
+ Context context(trustDomain, certID, time, maxOCSPLifetimeInDays,
+ thisUpdate, validThrough);
+
+ Reader input(encodedResponse);
+ Result rv = der::Nested(input, der::SEQUENCE, [&context](Reader& r) {
+ return OCSPResponse(r, context);
+ });
+ if (rv != Success) {
+ return MapBadDERToMalformedOCSPResponse(rv);
+ }
+ rv = der::End(input);
+ if (rv != Success) {
+ return MapBadDERToMalformedOCSPResponse(rv);
+ }
+ if (!context.matchFound) {
+ return Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING;
+ }
+
+ expired = context.expired;
+
+ switch (context.certStatus) {
+ case CertStatus::Good:
+ if (expired) {
+ return Result::ERROR_OCSP_OLD_RESPONSE;
+ }
+ if (context.signedCertificateTimestamps.GetLength()) {
+ Input sctList;
+ rv = ExtractSignedCertificateTimestampListFromExtension(
+ context.signedCertificateTimestamps, sctList);
+ if (rv != Success) {
+ return MapBadDERToMalformedOCSPResponse(rv);
+ }
+ context.trustDomain.NoteAuxiliaryExtension(
+ AuxiliaryExtension::SCTListFromOCSPResponse, sctList);
+ }
+ return Success;
+ case CertStatus::Revoked:
+ return Result::ERROR_REVOKED_CERTIFICATE;
+ case CertStatus::Unknown:
+ return Result::ERROR_OCSP_UNKNOWN_CERT;
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+}
+
+// OCSPResponse ::= SEQUENCE {
+// responseStatus OCSPResponseStatus,
+// responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+//
+static inline Result
+OCSPResponse(Reader& input, Context& context)
+{
+ // OCSPResponseStatus ::= ENUMERATED {
+ // successful (0), -- Response has valid confirmations
+ // malformedRequest (1), -- Illegal confirmation request
+ // internalError (2), -- Internal error in issuer
+ // tryLater (3), -- Try again later
+ // -- (4) is not used
+ // sigRequired (5), -- Must sign the request
+ // unauthorized (6) -- Request unauthorized
+ // }
+ uint8_t responseStatus;
+
+ Result rv = der::Enumerated(input, responseStatus);
+ if (rv != Success) {
+ return rv;
+ }
+ switch (responseStatus) {
+ case 0: break; // successful
+ case 1: return Result::ERROR_OCSP_MALFORMED_REQUEST;
+ case 2: return Result::ERROR_OCSP_SERVER_ERROR;
+ case 3: return Result::ERROR_OCSP_TRY_SERVER_LATER;
+ case 5: return Result::ERROR_OCSP_REQUEST_NEEDS_SIG;
+ case 6: return Result::ERROR_OCSP_UNAUTHORIZED_REQUEST;
+ default: return Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS;
+ }
+
+ return der::Nested(input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+ der::SEQUENCE, [&context](Reader& r) {
+ return ResponseBytes(r, context);
+ });
+}
+
+// ResponseBytes ::= SEQUENCE {
+// responseType OBJECT IDENTIFIER,
+// response OCTET STRING }
+static inline Result
+ResponseBytes(Reader& input, Context& context)
+{
+ static const uint8_t id_pkix_ocsp_basic[] = {
+ 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+ };
+
+ Result rv = der::OID(input, id_pkix_ocsp_basic);
+ if (rv != Success) {
+ return rv;
+ }
+
+ return der::Nested(input, der::OCTET_STRING, der::SEQUENCE,
+ [&context](Reader& r) {
+ return BasicResponse(r, context);
+ });
+}
+
+// BasicOCSPResponse ::= SEQUENCE {
+// tbsResponseData ResponseData,
+// signatureAlgorithm AlgorithmIdentifier,
+// signature BIT STRING,
+// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+Result
+BasicResponse(Reader& input, Context& context)
+{
+ Reader tbsResponseData;
+ der::SignedDataWithSignature signedData;
+ Result rv = der::SignedData(input, tbsResponseData, signedData);
+ if (rv != Success) {
+ if (rv == Result::ERROR_BAD_SIGNATURE) {
+ return Result::ERROR_OCSP_BAD_SIGNATURE;
+ }
+ return rv;
+ }
+
+ // Parse certificates, if any
+ NonOwningDERArray certs;
+ if (!input.AtEnd()) {
+ rv = der::Nested(input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+ der::SEQUENCE, [&certs](Reader& certsDER) -> Result {
+ while (!certsDER.AtEnd()) {
+ Input cert;
+ Result rv = der::ExpectTagAndGetTLV(certsDER, der::SEQUENCE, cert);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = certs.Append(cert);
+ if (rv != Success) {
+ return Result::ERROR_BAD_DER; // Too many certs
+ }
+ }
+ return Success;
+ });
+ if (rv != Success) {
+ return rv;
+ }
+ }
+
+ return ResponseData(tbsResponseData, context, signedData, certs);
+}
+
+// ResponseData ::= SEQUENCE {
+// version [0] EXPLICIT Version DEFAULT v1,
+// responderID ResponderID,
+// producedAt GeneralizedTime,
+// responses SEQUENCE OF SingleResponse,
+// responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+static inline Result
+ResponseData(Reader& input, Context& context,
+ const der::SignedDataWithSignature& signedResponseData,
+ const DERArray& certs)
+{
+ der::Version version;
+ Result rv = der::OptionalVersion(input, version);
+ if (rv != Success) {
+ return rv;
+ }
+ if (version != der::Version::v1) {
+ // TODO: more specific error code for bad version?
+ return Result::ERROR_BAD_DER;
+ }
+
+ // ResponderID ::= CHOICE {
+ // byName [1] Name,
+ // byKey [2] KeyHash }
+ Input responderID;
+ ResponderIDType responderIDType
+ = input.Peek(static_cast<uint8_t>(ResponderIDType::byName))
+ ? ResponderIDType::byName
+ : ResponderIDType::byKey;
+ rv = der::ExpectTagAndGetValue(input, static_cast<uint8_t>(responderIDType),
+ responderID);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // This is the soonest we can verify the signature. We verify the signature
+ // right away to follow the principal of minimizing the processing of data
+ // before verifying its signature.
+ rv = VerifySignature(context, responderIDType, responderID, certs,
+ signedResponseData);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // TODO: Do we even need to parse this? Should we just skip it?
+ Time producedAt(Time::uninitialized);
+ rv = der::GeneralizedTime(input, producedAt);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // We don't accept an empty sequence of responses. In practice, a legit OCSP
+ // responder will never return an empty response, and handling the case of an
+ // empty response makes things unnecessarily complicated.
+ rv = der::NestedOf(input, der::SEQUENCE, der::SEQUENCE,
+ der::EmptyAllowed::No, [&context](Reader& r) {
+ return SingleResponse(r, context);
+ });
+ if (rv != Success) {
+ return rv;
+ }
+
+ return der::OptionalExtensions(input,
+ der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+ ExtensionNotUnderstood);
+}
+
+// SingleResponse ::= SEQUENCE {
+// certID CertID,
+// certStatus CertStatus,
+// thisUpdate GeneralizedTime,
+// nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+// singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl |
+// re-ocsp-archive-cutoff |
+// CrlEntryExtensions, ...}
+// } OPTIONAL }
+static inline Result
+SingleResponse(Reader& input, Context& context)
+{
+ bool match = false;
+ Result rv = der::Nested(input, der::SEQUENCE, [&context, &match](Reader& r) {
+ return CertID(r, context, match);
+ });
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (!match) {
+ // This response does not reference the certificate we're interested in.
+ // By consuming the rest of our input and returning successfully, we can
+ // continue processing and examine another response that might have what
+ // we want.
+ input.SkipToEnd();
+ return Success;
+ }
+
+ // We found a response for the cert we're interested in.
+ context.matchFound = true;
+
+ // CertStatus ::= CHOICE {
+ // good [0] IMPLICIT NULL,
+ // revoked [1] IMPLICIT RevokedInfo,
+ // unknown [2] IMPLICIT UnknownInfo }
+ //
+ // In the event of multiple SingleResponses for a cert that have conflicting
+ // statuses, we use the following precedence rules:
+ //
+ // * revoked overrides good and unknown
+ // * good overrides unknown
+ if (input.Peek(static_cast<uint8_t>(CertStatus::Good))) {
+ rv = der::ExpectTagAndEmptyValue(input,
+ static_cast<uint8_t>(CertStatus::Good));
+ if (rv != Success) {
+ return rv;
+ }
+ if (context.certStatus != CertStatus::Revoked) {
+ context.certStatus = CertStatus::Good;
+ }
+ } else if (input.Peek(static_cast<uint8_t>(CertStatus::Revoked))) {
+ // We don't need any info from the RevokedInfo structure, so we don't even
+ // parse it. TODO: We should mention issues like this in the explanation of
+ // why we treat invalid OCSP responses equivalently to revoked for OCSP
+ // stapling.
+ rv = der::ExpectTagAndSkipValue(input,
+ static_cast<uint8_t>(CertStatus::Revoked));
+ if (rv != Success) {
+ return rv;
+ }
+ context.certStatus = CertStatus::Revoked;
+ } else {
+ rv = der::ExpectTagAndEmptyValue(input,
+ static_cast<uint8_t>(CertStatus::Unknown));
+ if (rv != Success) {
+ return rv;
+ }
+ }
+
+ // http://tools.ietf.org/html/rfc6960#section-3.2
+ // 5. The time at which the status being indicated is known to be
+ // correct (thisUpdate) is sufficiently recent;
+ // 6. When available, the time at or before which newer information will
+ // be available about the status of the certificate (nextUpdate) is
+ // greater than the current time.
+
+ Time thisUpdate(Time::uninitialized);
+ rv = der::GeneralizedTime(input, thisUpdate);
+ if (rv != Success) {
+ return rv;
+ }
+
+ static const uint64_t SLOP_SECONDS = Time::ONE_DAY_IN_SECONDS;
+
+ Time timePlusSlop(context.time);
+ rv = timePlusSlop.AddSeconds(SLOP_SECONDS);
+ if (rv != Success) {
+ return rv;
+ }
+ if (thisUpdate > timePlusSlop) {
+ return Result::ERROR_OCSP_FUTURE_RESPONSE;
+ }
+
+ Time notAfter(Time::uninitialized);
+ static const uint8_t NEXT_UPDATE_TAG =
+ der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0;
+ if (input.Peek(NEXT_UPDATE_TAG)) {
+ Time nextUpdate(Time::uninitialized);
+ rv = der::Nested(input, NEXT_UPDATE_TAG, [&nextUpdate](Reader& r) {
+ return der::GeneralizedTime(r, nextUpdate);
+ });
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (nextUpdate < thisUpdate) {
+ return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+ }
+ notAfter = thisUpdate;
+ if (notAfter.AddSeconds(context.maxLifetimeInDays *
+ Time::ONE_DAY_IN_SECONDS) != Success) {
+ // This could only happen if we're dealing with times beyond the year
+ // 10,000AD.
+ return Result::ERROR_OCSP_FUTURE_RESPONSE;
+ }
+ if (nextUpdate <= notAfter) {
+ notAfter = nextUpdate;
+ }
+ } else {
+ // NSS requires all OCSP responses without a nextUpdate to be recent.
+ // Match that stricter behavior.
+ notAfter = thisUpdate;
+ if (notAfter.AddSeconds(Time::ONE_DAY_IN_SECONDS) != Success) {
+ // This could only happen if we're dealing with times beyond the year
+ // 10,000AD.
+ return Result::ERROR_OCSP_FUTURE_RESPONSE;
+ }
+ }
+
+ // Add some slop to hopefully handle clock-skew.
+ Time notAfterPlusSlop(notAfter);
+ rv = notAfterPlusSlop.AddSeconds(SLOP_SECONDS);
+ if (rv != Success) {
+ // This could only happen if we're dealing with times beyond the year
+ // 10,000AD.
+ return Result::ERROR_OCSP_FUTURE_RESPONSE;
+ }
+ if (context.time > notAfterPlusSlop) {
+ context.expired = true;
+ }
+
+ rv = der::OptionalExtensions(
+ input,
+ der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+ [&context](Reader& extnID, const Input& extnValue, bool critical,
+ /*out*/ bool& understood) {
+ return RememberSingleExtension(context, extnID, extnValue, critical,
+ understood);
+ });
+
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (context.thisUpdate) {
+ *context.thisUpdate = thisUpdate;
+ }
+ if (context.validThrough) {
+ *context.validThrough = notAfterPlusSlop;
+ }
+
+ return Success;
+}
+
+// CertID ::= SEQUENCE {
+// hashAlgorithm AlgorithmIdentifier,
+// issuerNameHash OCTET STRING, -- Hash of issuer's DN
+// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
+// serialNumber CertificateSerialNumber }
+static inline Result
+CertID(Reader& input, const Context& context, /*out*/ bool& match)
+{
+ match = false;
+
+ DigestAlgorithm hashAlgorithm;
+ Result rv = der::DigestAlgorithmIdentifier(input, hashAlgorithm);
+ if (rv != Success) {
+ if (rv == Result::ERROR_INVALID_ALGORITHM) {
+ // Skip entries that are hashed with algorithms we don't support.
+ input.SkipToEnd();
+ return Success;
+ }
+ return rv;
+ }
+
+ Input issuerNameHash;
+ rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerNameHash);
+ if (rv != Success) {
+ return rv;
+ }
+
+ Input issuerKeyHash;
+ rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerKeyHash);
+ if (rv != Success) {
+ return rv;
+ }
+
+ Input serialNumber;
+ rv = der::CertificateSerialNumber(input, serialNumber);
+ if (rv != Success) {
+ return rv;
+ }
+
+ if (!InputsAreEqual(serialNumber, context.certID.serialNumber)) {
+ // This does not reference the certificate we're interested in.
+ // Consume the rest of the input and return successfully to
+ // potentially continue processing other responses.
+ input.SkipToEnd();
+ return Success;
+ }
+
+ // TODO: support SHA-2 hashes.
+
+ if (hashAlgorithm != DigestAlgorithm::sha1) {
+ // Again, not interested in this response. Consume input, return success.
+ input.SkipToEnd();
+ return Success;
+ }
+
+ if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
+ return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+ }
+
+ // From http://tools.ietf.org/html/rfc6960#section-4.1.1:
+ // "The hash shall be calculated over the DER encoding of the
+ // issuer's name field in the certificate being checked."
+ uint8_t hashBuf[SHA1_DIGEST_LENGTH];
+ rv = context.trustDomain.DigestBuf(context.certID.issuer,
+ DigestAlgorithm::sha1, hashBuf,
+ sizeof(hashBuf));
+ if (rv != Success) {
+ return rv;
+ }
+ Input computed(hashBuf);
+ if (!InputsAreEqual(computed, issuerNameHash)) {
+ // Again, not interested in this response. Consume input, return success.
+ input.SkipToEnd();
+ return Success;
+ }
+
+ return MatchKeyHash(context.trustDomain, issuerKeyHash,
+ context.certID.issuerSubjectPublicKeyInfo, match);
+}
+
+// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
+// "The hash shall be calculated over the value (excluding tag and length) of
+// the subject public key field in the issuer's certificate."
+//
+// From http://tools.ietf.org/html/rfc6960#appendix-B.1:
+// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+// -- (i.e., the SHA-1 hash of the value of the
+// -- BIT STRING subjectPublicKey [excluding
+// -- the tag, length, and number of unused
+// -- bits] in the responder's certificate)
+static Result
+MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
+ const Input subjectPublicKeyInfo, /*out*/ bool& match)
+{
+ if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
+ return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+ }
+ uint8_t hashBuf[SHA1_DIGEST_LENGTH];
+ Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
+ sizeof hashBuf);
+ if (rv != Success) {
+ return rv;
+ }
+ Input computed(hashBuf);
+ match = InputsAreEqual(computed, keyHash);
+ return Success;
+}
+
+// TODO(bug 966856): support SHA-2 hashes
+Result
+KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
+ /*out*/ uint8_t* hashBuf, size_t hashBufSize)
+{
+ if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+
+ // RFC 5280 Section 4.1
+ //
+ // SubjectPublicKeyInfo ::= SEQUENCE {
+ // algorithm AlgorithmIdentifier,
+ // subjectPublicKey BIT STRING }
+
+ Reader spki;
+ Result rv = der::ExpectTagAndGetValueAtEnd(subjectPublicKeyInfo,
+ der::SEQUENCE, spki);
+ if (rv != Success) {
+ return rv;
+ }
+
+ // Skip AlgorithmIdentifier
+ rv = der::ExpectTagAndSkipValue(spki, der::SEQUENCE);
+ if (rv != Success) {
+ return rv;
+ }
+
+ Input subjectPublicKey;
+ rv = der::BitStringWithNoUnusedBits(spki, subjectPublicKey);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = der::End(spki);
+ if (rv != Success) {
+ return rv;
+ }
+
+ return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
+ hashBuf, hashBufSize);
+}
+
+Result
+ExtensionNotUnderstood(Reader& /*extnID*/, Input /*extnValue*/,
+ bool /*critical*/, /*out*/ bool& understood)
+{
+ understood = false;
+ return Success;
+}
+
+Result
+RememberSingleExtension(Context& context, Reader& extnID, Input extnValue,
+ bool /*critical*/, /*out*/ bool& understood)
+{
+ understood = false;
+
+ // SingleExtension for Signed Certificate Timestamp List.
+ // See Section 3.3 of RFC 6962.
+ // python DottedOIDToCode.py
+ // id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5
+ static const uint8_t id_ocsp_singleExtensionSctList[] = {
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05
+ };
+
+ if (extnID.MatchRest(id_ocsp_singleExtensionSctList)) {
+ // Empty values are not allowed for this extension. Note that
+ // we assume this later, when checking if the extension was present.
+ if (extnValue.GetLength() == 0) {
+ return Result::ERROR_EXTENSION_VALUE_INVALID;
+ }
+ if (context.signedCertificateTimestamps.Init(extnValue) != Success) {
+ // Duplicate extension.
+ return Result::ERROR_EXTENSION_VALUE_INVALID;
+ }
+ understood = true;
+ }
+
+ return Success;
+}
+
+// 1. The certificate identified in a received response corresponds to
+// the certificate that was identified in the corresponding request;
+// 2. The signature on the response is valid;
+// 3. The identity of the signer matches the intended recipient of the
+// request;
+// 4. The signer is currently authorized to provide a response for the
+// certificate in question;
+// 5. The time at which the status being indicated is known to be
+// correct (thisUpdate) is sufficiently recent;
+// 6. When available, the time at or before which newer information will
+// be available about the status of the certificate (nextUpdate) is
+// greater than the current time.
+//
+// Responses whose nextUpdate value is earlier than
+// the local system time value SHOULD be considered unreliable.
+// Responses whose thisUpdate time is later than the local system time
+// SHOULD be considered unreliable.
+//
+// If nextUpdate is not set, the responder is indicating that newer
+// revocation information is available all the time.
+//
+// http://tools.ietf.org/html/rfc5019#section-4
+
+Result
+CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
+ /*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
+ /*out*/ size_t& outLen)
+{
+ // We do not add any extensions to the request.
+
+ // RFC 6960 says "An OCSP client MAY wish to specify the kinds of response
+ // types it understands. To do so, it SHOULD use an extension with the OID
+ // id-pkix-ocsp-response." This use of MAY and SHOULD is unclear. MSIE11
+ // on Windows 8.1 does not include any extensions, whereas NSS has always
+ // included the id-pkix-ocsp-response extension. Avoiding the sending the
+ // extension is better for OCSP GET because it makes the request smaller,
+ // and thus more likely to fit within the 255 byte limit for OCSP GET that
+ // is specified in RFC 5019 Section 5.
+
+ // Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
+
+ // Since we don't know whether the OCSP responder supports anything other
+ // than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
+ // issuerKeyHash.
+ static const uint8_t hashAlgorithm[11] = {
+ 0x30, 0x09, // SEQUENCE
+ 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, // OBJECT IDENTIFIER id-sha1
+ 0x05, 0x00, // NULL
+ };
+ static const uint8_t hashLen = 160 / 8;
+
+ static const unsigned int totalLenWithoutSerialNumberData
+ = 2 // OCSPRequest
+ + 2 // tbsRequest
+ + 2 // requestList
+ + 2 // Request
+ + 2 // reqCert (CertID)
+ + sizeof(hashAlgorithm) // hashAlgorithm
+ + 2 + hashLen // issuerNameHash
+ + 2 + hashLen // issuerKeyHash
+ + 2; // serialNumber (header)
+
+ // The only way we could have a request this large is if the serialNumber was
+ // ridiculously and unreasonably large. RFC 5280 says "Conforming CAs MUST
+ // NOT use serialNumber values longer than 20 octets." With this restriction,
+ // we allow for some amount of non-conformance with that requirement while
+ // still ensuring we can encode the length values in the ASN.1 TLV structures
+ // in a single byte.
+ static_assert(totalLenWithoutSerialNumberData < OCSP_REQUEST_MAX_LENGTH,
+ "totalLenWithoutSerialNumberData too big");
+ if (certID.serialNumber.GetLength() >
+ OCSP_REQUEST_MAX_LENGTH - totalLenWithoutSerialNumberData) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ outLen = totalLenWithoutSerialNumberData + certID.serialNumber.GetLength();
+
+ uint8_t totalLen = static_cast<uint8_t>(outLen);
+
+ uint8_t* d = out;
+ *d++ = 0x30; *d++ = totalLen - 2u; // OCSPRequest (SEQUENCE)
+ *d++ = 0x30; *d++ = totalLen - 4u; // tbsRequest (SEQUENCE)
+ *d++ = 0x30; *d++ = totalLen - 6u; // requestList (SEQUENCE OF)
+ *d++ = 0x30; *d++ = totalLen - 8u; // Request (SEQUENCE)
+ *d++ = 0x30; *d++ = totalLen - 10u; // reqCert (CertID SEQUENCE)
+
+ // reqCert.hashAlgorithm
+ for (size_t i = 0; i < sizeof(hashAlgorithm); ++i) {
+ *d++ = hashAlgorithm[i];
+ }
+
+ // reqCert.issuerNameHash (OCTET STRING)
+ *d++ = 0x04;
+ *d++ = hashLen;
+ Result rv = trustDomain.DigestBuf(certID.issuer, DigestAlgorithm::sha1, d,
+ hashLen);
+ if (rv != Success) {
+ return rv;
+ }
+ d += hashLen;
+
+ // reqCert.issuerKeyHash (OCTET STRING)
+ *d++ = 0x04;
+ *d++ = hashLen;
+ rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
+ if (rv != Success) {
+ return rv;
+ }
+ d += hashLen;
+
+ // reqCert.serialNumber (INTEGER)
+ *d++ = 0x02; // INTEGER
+ *d++ = static_cast<uint8_t>(certID.serialNumber.GetLength());
+ Reader serialNumber(certID.serialNumber);
+ do {
+ rv = serialNumber.Read(*d);
+ if (rv != Success) {
+ return rv;
+ }
+ ++d;
+ } while (!serialNumber.AtEnd());
+
+ assert(d == out + totalLen);
+
+ return Success;
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixresult.cpp b/security/pkix/lib/pkixresult.cpp
new file mode 100644
index 000000000..670642de8
--- /dev/null
+++ b/security/pkix/lib/pkixresult.cpp
@@ -0,0 +1,46 @@
+/*- *- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkix/Result.h"
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+const char*
+MapResultToName(Result result)
+{
+ switch (result)
+ {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+ case Result::mozilla_pkix_result: return "Result::" #mozilla_pkix_result;
+
+ MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixtime.cpp b/security/pkix/lib/pkixtime.cpp
new file mode 100644
index 000000000..ace23dd41
--- /dev/null
+++ b/security/pkix/lib/pkixtime.cpp
@@ -0,0 +1,78 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkix/Time.h"
+#include "pkixutil.h"
+
+#ifdef WIN32
+#ifdef _MSC_VER
+#pragma warning(push, 3)
+#endif
+#include "windows.h"
+#ifdef _MSC_VER
+#pragma warning(pop)
+#endif
+#else
+#include "sys/time.h"
+#endif
+
+namespace mozilla { namespace pkix {
+
+Time
+Now()
+{
+ uint64_t seconds;
+
+#ifdef WIN32
+ // "Contains a 64-bit value representing the number of 100-nanosecond
+ // intervals since January 1, 1601 (UTC)."
+ // - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284(v=vs.85).aspx
+ FILETIME ft;
+ GetSystemTimeAsFileTime(&ft);
+ uint64_t ft64 = (static_cast<uint64_t>(ft.dwHighDateTime) << 32) |
+ ft.dwLowDateTime;
+ seconds = (DaysBeforeYear(1601) * Time::ONE_DAY_IN_SECONDS) +
+ ft64 / (1000u * 1000u * 1000u / 100u);
+#else
+ // "The gettimeofday() function shall obtain the current time, expressed as
+ // seconds and microseconds since the Epoch."
+ // - http://pubs.opengroup.org/onlinepubs/009695399/functions/gettimeofday.html
+ timeval tv;
+ (void) gettimeofday(&tv, nullptr);
+ seconds = (DaysBeforeYear(1970) * Time::ONE_DAY_IN_SECONDS) +
+ static_cast<uint64_t>(tv.tv_sec);
+#endif
+
+ return TimeFromElapsedSecondsAD(seconds);
+}
+
+Time
+TimeFromEpochInSeconds(uint64_t secondsSinceEpoch)
+{
+ uint64_t seconds = (DaysBeforeYear(1970) * Time::ONE_DAY_IN_SECONDS) +
+ secondsSinceEpoch;
+ return TimeFromElapsedSecondsAD(seconds);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/lib/pkixutil.h b/security/pkix/lib/pkixutil.h
new file mode 100644
index 000000000..31557ea81
--- /dev/null
+++ b/security/pkix/lib/pkixutil.h
@@ -0,0 +1,289 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixutil_h
+#define mozilla_pkix_pkixutil_h
+
+#include "pkixder.h"
+
+namespace mozilla { namespace pkix {
+
+// During path building and verification, we build a linked list of BackCerts
+// from the current cert toward the end-entity certificate. The linked list
+// is used to verify properties that aren't local to the current certificate
+// and/or the direct link between the current certificate and its issuer,
+// such as name constraints.
+//
+// Each BackCert contains pointers to all the given certificate's extensions
+// so that we can parse the extension block once and then process the
+// extensions in an order that may be different than they appear in the cert.
+class BackCert final
+{
+public:
+ // certDER and childCert must be valid for the lifetime of BackCert.
+ BackCert(Input certDER, EndEntityOrCA endEntityOrCA,
+ const BackCert* childCert)
+ : der(certDER)
+ , endEntityOrCA(endEntityOrCA)
+ , childCert(childCert)
+ {
+ }
+
+ Result Init();
+
+ const Input GetDER() const { return der; }
+ const der::SignedDataWithSignature& GetSignedData() const {
+ return signedData;
+ }
+
+ der::Version GetVersion() const { return version; }
+ const Input GetSerialNumber() const { return serialNumber; }
+ const Input GetSignature() const { return signature; }
+ const Input GetIssuer() const { return issuer; }
+ // XXX: "validity" is a horrible name for the structure that holds
+ // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
+ // RFC 5280 names for everything.
+ const Input GetValidity() const { return validity; }
+ const Input GetSubject() const { return subject; }
+ const Input GetSubjectPublicKeyInfo() const
+ {
+ return subjectPublicKeyInfo;
+ }
+ const Input* GetAuthorityInfoAccess() const
+ {
+ return MaybeInput(authorityInfoAccess);
+ }
+ const Input* GetBasicConstraints() const
+ {
+ return MaybeInput(basicConstraints);
+ }
+ const Input* GetCertificatePolicies() const
+ {
+ return MaybeInput(certificatePolicies);
+ }
+ const Input* GetExtKeyUsage() const
+ {
+ return MaybeInput(extKeyUsage);
+ }
+ const Input* GetKeyUsage() const
+ {
+ return MaybeInput(keyUsage);
+ }
+ const Input* GetInhibitAnyPolicy() const
+ {
+ return MaybeInput(inhibitAnyPolicy);
+ }
+ const Input* GetNameConstraints() const
+ {
+ return MaybeInput(nameConstraints);
+ }
+ const Input* GetSubjectAltName() const
+ {
+ return MaybeInput(subjectAltName);
+ }
+ const Input* GetRequiredTLSFeatures() const
+ {
+ return MaybeInput(requiredTLSFeatures);
+ }
+ const Input* GetSignedCertificateTimestamps() const
+ {
+ return MaybeInput(signedCertificateTimestamps);
+ }
+
+private:
+ const Input der;
+
+public:
+ const EndEntityOrCA endEntityOrCA;
+ BackCert const* const childCert;
+
+private:
+ // When parsing certificates in BackCert::Init, we don't accept empty
+ // extensions. Consequently, we don't have to store a distinction between
+ // empty extensions and extensions that weren't included. However, when
+ // *processing* extensions, we distinguish between whether an extension was
+ // included or not based on whetehr the GetXXX function for the extension
+ // returns nullptr.
+ static inline const Input* MaybeInput(const Input& item)
+ {
+ return item.GetLength() > 0 ? &item : nullptr;
+ }
+
+ der::SignedDataWithSignature signedData;
+
+ der::Version version;
+ Input serialNumber;
+ Input signature;
+ Input issuer;
+ // XXX: "validity" is a horrible name for the structure that holds
+ // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
+ // RFC 5280 names for everything.
+ Input validity;
+ Input subject;
+ Input subjectPublicKeyInfo;
+
+ Input authorityInfoAccess;
+ Input basicConstraints;
+ Input certificatePolicies;
+ Input extKeyUsage;
+ Input inhibitAnyPolicy;
+ Input keyUsage;
+ Input nameConstraints;
+ Input subjectAltName;
+ Input criticalNetscapeCertificateType;
+ Input requiredTLSFeatures;
+ Input signedCertificateTimestamps; // RFC 6962 (Certificate Transparency)
+
+ Result RememberExtension(Reader& extnID, Input extnValue, bool critical,
+ /*out*/ bool& understood);
+
+ BackCert(const BackCert&) = delete;
+ void operator=(const BackCert&) = delete;
+};
+
+class NonOwningDERArray final : public DERArray
+{
+public:
+ NonOwningDERArray()
+ : numItems(0)
+ {
+ // we don't need to initialize the items array because we always check
+ // numItems before accessing i.
+ }
+
+ size_t GetLength() const override { return numItems; }
+
+ const Input* GetDER(size_t i) const override
+ {
+ return i < numItems ? &items[i] : nullptr;
+ }
+
+ Result Append(Input der)
+ {
+ if (numItems >= MAX_LENGTH) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ Result rv = items[numItems].Init(der); // structure assignment
+ if (rv != Success) {
+ return rv;
+ }
+ ++numItems;
+ return Success;
+ }
+
+ // Public so we can static_assert on this. Keep in sync with MAX_SUBCA_COUNT.
+ static const size_t MAX_LENGTH = 8;
+private:
+ Input items[MAX_LENGTH]; // avoids any heap allocations
+ size_t numItems;
+
+ NonOwningDERArray(const NonOwningDERArray&) = delete;
+ void operator=(const NonOwningDERArray&) = delete;
+};
+
+// Extracts the SignedCertificateTimestampList structure which is encoded as an
+// OCTET STRING within the X.509v3 / OCSP extensions (see RFC 6962 section 3.3).
+Result
+ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
+ Input& sctList);
+
+inline unsigned int
+DaysBeforeYear(unsigned int year)
+{
+ assert(year <= 9999);
+ return ((year - 1u) * 365u)
+ + ((year - 1u) / 4u) // leap years are every 4 years,
+ - ((year - 1u) / 100u) // except years divisible by 100,
+ + ((year - 1u) / 400u); // except years divisible by 400.
+}
+
+static const size_t MAX_DIGEST_SIZE_IN_BYTES = 512 / 8; // sha-512
+
+Result DigestSignedData(TrustDomain& trustDomain,
+ const der::SignedDataWithSignature& signedData,
+ /*out*/ uint8_t(&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
+ /*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
+ /*out*/ SignedDigest& signedDigest);
+
+Result VerifySignedDigest(TrustDomain& trustDomain,
+ der::PublicKeyAlgorithm publicKeyAlg,
+ const SignedDigest& signedDigest,
+ Input signerSubjectPublicKeyInfo);
+
+// Combines DigestSignedData and VerifySignedDigest
+Result VerifySignedData(TrustDomain& trustDomain,
+ const der::SignedDataWithSignature& signedData,
+ Input signerSubjectPublicKeyInfo);
+
+// Extracts the key parameters from |subjectPublicKeyInfo|, invoking
+// the relevant methods of |trustDomain|.
+Result
+CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo, TrustDomain& trustDomain,
+ EndEntityOrCA endEntityOrCA);
+
+// In a switch over an enum, sometimes some compilers are not satisfied that
+// all control flow paths have been considered unless there is a default case.
+// However, in our code, such a default case is almost always unreachable dead
+// code. That can be particularly problematic when the compiler wants the code
+// to choose a value, such as a return value, for the default case, but there's
+// no appropriate "impossible case" value to choose.
+//
+// MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM accounts for this. Example:
+//
+// // In xy.cpp
+// #include "xt.h"
+//
+// enum class XY { X, Y };
+//
+// int func(XY xy) {
+// switch (xy) {
+// case XY::X: return 1;
+// case XY::Y; return 2;
+// MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+// }
+// }
+#if defined(__clang__)
+// Clang will warn if not all cases are covered (-Wswitch-enum) AND it will
+// warn if a switch statement that covers every enum label has a default case
+// (-W-covered-switch-default). Versions prior to 3.5 warned about unreachable
+// code in such default cases (-Wunreachable-code) even when
+// -W-covered-switch-default was disabled, but that changed in Clang 3.5.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM // empty
+#elif defined(__GNUC__)
+// GCC will warn if not all cases are covered (-Wswitch-enum). It does not
+// assume that the default case is unreachable.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
+ default: assert(false); __builtin_unreachable();
+#elif defined(_MSC_VER)
+// MSVC will warn if not all cases are covered (C4061, level 4). It does not
+// assume that the default case is unreachable.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
+ default: assert(false); __assume(0);
+#else
+#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
+#endif
+
+} } // namespace mozilla::pkix
+
+#endif // mozilla_pkix_pkixutil_h
diff --git a/security/pkix/lib/pkixverify.cpp b/security/pkix/lib/pkixverify.cpp
new file mode 100644
index 000000000..16737e49d
--- /dev/null
+++ b/security/pkix/lib/pkixverify.cpp
@@ -0,0 +1,103 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result
+DigestSignedData(TrustDomain& trustDomain,
+ const der::SignedDataWithSignature& signedData,
+ /*out*/ uint8_t(&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
+ /*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
+ /*out*/ SignedDigest& signedDigest)
+{
+ Reader signatureAlg(signedData.algorithm);
+ Result rv = der::SignatureAlgorithmIdentifierValue(
+ signatureAlg, publicKeyAlg, signedDigest.digestAlgorithm);
+ if (rv != Success) {
+ return rv;
+ }
+ if (!signatureAlg.AtEnd()) {
+ return Result::ERROR_BAD_DER;
+ }
+
+ size_t digestLen;
+ switch (signedDigest.digestAlgorithm) {
+ case DigestAlgorithm::sha512: digestLen = 512 / 8; break;
+ case DigestAlgorithm::sha384: digestLen = 384 / 8; break;
+ case DigestAlgorithm::sha256: digestLen = 256 / 8; break;
+ case DigestAlgorithm::sha1: digestLen = 160 / 8; break;
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+ assert(digestLen <= sizeof(digestBuf));
+
+ rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,
+ digestBuf, digestLen);
+ if (rv != Success) {
+ return rv;
+ }
+ rv = signedDigest.digest.Init(digestBuf, digestLen);
+ if (rv != Success) {
+ return rv;
+ }
+
+ return signedDigest.signature.Init(signedData.signature);
+}
+
+Result
+VerifySignedDigest(TrustDomain& trustDomain,
+ der::PublicKeyAlgorithm publicKeyAlg,
+ const SignedDigest& signedDigest,
+ Input signerSubjectPublicKeyInfo)
+{
+ switch (publicKeyAlg) {
+ case der::PublicKeyAlgorithm::ECDSA:
+ return trustDomain.VerifyECDSASignedDigest(signedDigest,
+ signerSubjectPublicKeyInfo);
+ case der::PublicKeyAlgorithm::RSA_PKCS1:
+ return trustDomain.VerifyRSAPKCS1SignedDigest(signedDigest,
+ signerSubjectPublicKeyInfo);
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+}
+
+Result
+VerifySignedData(TrustDomain& trustDomain,
+ const der::SignedDataWithSignature& signedData,
+ Input signerSubjectPublicKeyInfo)
+{
+ uint8_t digestBuf[MAX_DIGEST_SIZE_IN_BYTES];
+ der::PublicKeyAlgorithm publicKeyAlg;
+ SignedDigest signedDigest;
+ Result rv = DigestSignedData(trustDomain, signedData, digestBuf,
+ publicKeyAlg, signedDigest);
+ if (rv != Success) {
+ return rv;
+ }
+ return VerifySignedDigest(trustDomain, publicKeyAlg, signedDigest,
+ signerSubjectPublicKeyInfo);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/pkix/moz.build b/security/pkix/moz.build
new file mode 100644
index 000000000..70d6d4756
--- /dev/null
+++ b/security/pkix/moz.build
@@ -0,0 +1,41 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SOURCES += [
+ 'lib/pkixbuild.cpp',
+ 'lib/pkixcert.cpp',
+ 'lib/pkixcheck.cpp',
+ 'lib/pkixder.cpp',
+ 'lib/pkixnames.cpp',
+ 'lib/pkixnss.cpp',
+ 'lib/pkixocsp.cpp',
+ 'lib/pkixresult.cpp',
+ 'lib/pkixtime.cpp',
+ 'lib/pkixverify.cpp',
+]
+
+LOCAL_INCLUDES += [
+ 'include',
+]
+
+TEST_DIRS += [
+ 'test/gtest',
+ 'test/lib',
+]
+
+include('warnings.mozbuild')
+
+Library('mozillapkix')
+
+FINAL_LIBRARY = 'xul'
+
+if CONFIG['GNU_CXX']:
+ CXXFLAGS += ['-Wno-error=shadow']
+
+if CONFIG['_MSC_VER']:
+ # This is intended as a temporary hack to support building with VS2015.
+ # declaration of '*' hides class member
+ CXXFLAGS += ['-wd4458']
diff --git a/security/pkix/test/gtest/README.txt b/security/pkix/test/gtest/README.txt
new file mode 100644
index 000000000..5d3484a21
--- /dev/null
+++ b/security/pkix/test/gtest/README.txt
@@ -0,0 +1,61 @@
+-------------
+Running Tests
+-------------
+
+Because of the rules below, you can run all the unit tests in this directory,
+and only these tests, with:
+
+ mach gtest "pkix*"
+
+You can run just the tests for functions defined in filename pkixfoo.cpp with:
+
+ mach gtest "pkixfoo*"
+
+If you run "mach gtest" then you'll end up running every gtest in Gecko.
+
+
+
+------------
+Naming Files
+------------
+
+Name files containing tests according to one of the following patterns:
+
+ * <filename>_tests.cpp
+ * <filename>_<Function>_tests.cpp
+ * <filename>_<category>_tests.cpp
+
+ <filename> is the name of the file containing the definitions of the
+ function(s) being tested by every test.
+ <Function> is the name of the function that is being tested by every
+ test.
+ <category> describes the group of related functions that are being
+ tested by every test.
+
+
+
+------------------------------------------------
+Always Use a Fixture Class: TEST_F(), not TEST()
+------------------------------------------------
+
+Many tests don't technically need a fixture, and so TEST() could technically
+be used to define the test. However, when you use TEST_F() instead of TEST(),
+the compiler will not allow you to make any typos in the test case name, but
+if you use TEST() then the name of the test case is not checked.
+
+See https://code.google.com/p/googletest/wiki/Primer#Test_Fixtures:_Using_the_Same_Data_Configuration_for_Multiple_Te
+to learn more about test fixtures.
+
+---------------
+Naming Fixtures
+---------------
+
+When all tests in a file use the same fixture, use the base name of the file
+without the "_tests" suffix as the name of the fixture class; e.g. tests in
+"pkixocsp.cpp" should use a fixture "class pkixocsp" by default.
+
+Sometimes tests in a file need separate fixtures. In this case, name the
+fixture class according to the pattern <fixture_base>_<fixture_suffix>, where
+<fixture_base> is the base name of the file without the "_tests" suffix, and
+<fixture_suffix> is a descriptive name for the fixture class, e.g.
+"class pkixocsp_DelegatedResponder".
diff --git a/security/pkix/test/gtest/moz.build b/security/pkix/test/gtest/moz.build
new file mode 100644
index 000000000..50d7ae966
--- /dev/null
+++ b/security/pkix/test/gtest/moz.build
@@ -0,0 +1,66 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SOURCES += [
+ 'pkixbuild_tests.cpp',
+ 'pkixcert_extension_tests.cpp',
+ 'pkixcert_signature_algorithm_tests.cpp',
+ 'pkixcheck_CheckExtendedKeyUsage_tests.cpp',
+ 'pkixcheck_CheckIssuer_tests.cpp',
+ 'pkixcheck_CheckKeyUsage_tests.cpp',
+ 'pkixcheck_CheckSignatureAlgorithm_tests.cpp',
+ 'pkixcheck_CheckValidity_tests.cpp',
+ 'pkixcheck_ParseValidity_tests.cpp',
+ 'pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp',
+
+ # The naming conventions are described in ./README.txt.
+
+ 'pkixder_input_tests.cpp',
+ 'pkixder_pki_types_tests.cpp',
+ 'pkixder_universal_types_tests.cpp',
+ 'pkixgtest.cpp',
+ 'pkixnames_tests.cpp',
+ 'pkixocsp_CreateEncodedOCSPRequest_tests.cpp',
+ 'pkixocsp_VerifyEncodedOCSPResponse.cpp',
+]
+
+LOCAL_INCLUDES += [
+ '../../include',
+ '../../lib',
+ '../lib',
+]
+
+FINAL_LIBRARY = 'xul-gtest'
+
+include('../../warnings.mozbuild')
+
+# These warnings are disabled in order to minimize the amount of boilerplate
+# required to implement tests, and/or because they originate in the GTest
+# framework in a way we cannot otherwise work around.
+if CONFIG['GNU_CXX']:
+ CXXFLAGS += [
+ '-Wno-error=shadow',
+ '-Wno-old-style-cast',
+ ]
+ if CONFIG['CLANG_CXX']:
+ CXXFLAGS += [
+ '-Wno-exit-time-destructors',
+ '-Wno-global-constructors',
+ '-Wno-used-but-marked-unused',
+ ]
+elif CONFIG['_MSC_VER']:
+ CXXFLAGS += [
+ '-wd4350', # behavior change: 'std::_Wrap_alloc<std::allocator<_Ty>>::...
+ '-wd4275', # non dll-interface class used as base for dll-interface class
+ '-wd4548', # Expression before comma has no effect
+ '-wd4625', # copy constructor could not be generated.
+ '-wd4626', # assugment operator could not be generated.
+ '-wd4640', # construction of local static object is not thread safe.
+
+ # This is intended as a temporary hack to support building with VS2015.
+ # declaration of '*' hides class member
+ '-wd4458',
+ ]
diff --git a/security/pkix/test/gtest/pkixbuild_tests.cpp b/security/pkix/test/gtest/pkixbuild_tests.cpp
new file mode 100644
index 000000000..6ddd88823
--- /dev/null
+++ b/security/pkix/test/gtest/pkixbuild_tests.cpp
@@ -0,0 +1,584 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if defined(_MSC_VER) && _MSC_VER < 1900
+// When building with -D_HAS_EXCEPTIONS=0, MSVC's <xtree> header triggers
+// warning C4702: unreachable code.
+// https://connect.microsoft.com/VisualStudio/feedback/details/809962
+#pragma warning(push)
+#pragma warning(disable: 4702)
+#endif
+
+#include <map>
+#include <vector>
+
+#if defined(_MSC_VER) && _MSC_VER < 1900
+#pragma warning(pop)
+#endif
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static ByteString
+CreateCert(const char* issuerCN, // null means "empty name"
+ const char* subjectCN, // null means "empty name"
+ EndEntityOrCA endEntityOrCA,
+ /*optional modified*/ std::map<ByteString, ByteString>*
+ subjectDERToCertDER = nullptr,
+ /*optional*/ const ByteString* extension = nullptr)
+{
+ static long serialNumberValue = 0;
+ ++serialNumberValue;
+ ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+ EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+ ByteString issuerDER(issuerCN ? CNToDERName(issuerCN) : Name(ByteString()));
+ ByteString subjectDER(subjectCN ? CNToDERName(subjectCN) : Name(ByteString()));
+
+ std::vector<ByteString> extensions;
+ if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+ ByteString basicConstraints =
+ CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
+ EXPECT_FALSE(ENCODING_FAILED(basicConstraints));
+ extensions.push_back(basicConstraints);
+ }
+ if (extension) {
+ extensions.push_back(*extension);
+ }
+ extensions.push_back(ByteString()); // marks the end of the list
+
+ ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+ ByteString certDER(CreateEncodedCertificate(
+ v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+ oneDayBeforeNow, oneDayAfterNow, subjectDER,
+ *reusedKey, extensions.data(), *reusedKey,
+ sha256WithRSAEncryption()));
+ EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+ if (subjectDERToCertDER) {
+ (*subjectDERToCertDER)[subjectDER] = certDER;
+ }
+
+ return certDER;
+}
+
+class TestTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+ // The "cert chain tail" is a longish chain of certificates that is used by
+ // all of the tests here. We share this chain across all the tests in order
+ // to speed up the tests (generating keypairs for the certs is very slow).
+ bool SetUpCertChainTail()
+ {
+ static char const* const names[] = {
+ "CA1 (Root)", "CA2", "CA3", "CA4", "CA5", "CA6", "CA7"
+ };
+
+ for (size_t i = 0; i < MOZILLA_PKIX_ARRAY_LENGTH(names); ++i) {
+ const char* issuerName = i == 0 ? names[0] : names[i-1];
+ CreateCACert(issuerName, names[i]);
+ if (i == 0) {
+ rootCACertDER = leafCACertDER;
+ }
+ }
+
+ return true;
+ }
+
+ void CreateCACert(const char* issuerName, const char* subjectName)
+ {
+ leafCACertDER = CreateCert(issuerName, subjectName,
+ EndEntityOrCA::MustBeCA, &subjectDERToCertDER);
+ assert(!ENCODING_FAILED(leafCACertDER));
+ }
+
+ ByteString GetLeafCACertDER() const { return leafCACertDER; }
+
+private:
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+ /*out*/ TrustLevel& trustLevel) override
+ {
+ trustLevel = InputEqualsByteString(candidateCert, rootCACertDER)
+ ? TrustLevel::TrustAnchor
+ : TrustLevel::InheritsTrust;
+ return Success;
+ }
+
+ Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+ override
+ {
+ ByteString subjectDER(InputToByteString(encodedIssuerName));
+ ByteString certDER(subjectDERToCertDER[subjectDER]);
+ Input derCert;
+ Result rv = derCert.Init(certDER.data(), certDER.length());
+ if (rv != Success) {
+ return rv;
+ }
+ bool keepGoing;
+ rv = checker.Check(derCert, nullptr/*additionalNameConstraints*/,
+ keepGoing);
+ if (rv != Success) {
+ return rv;
+ }
+ return Success;
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ /*optional*/ const Input*, /*optional*/ const Input*)
+ override
+ {
+ return Success;
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ return Success;
+ }
+
+ std::map<ByteString, ByteString> subjectDERToCertDER;
+ ByteString leafCACertDER;
+ ByteString rootCACertDER;
+};
+
+class pkixbuild : public ::testing::Test
+{
+public:
+ static void SetUpTestCase()
+ {
+ if (!trustDomain.SetUpCertChainTail()) {
+ abort();
+ }
+ }
+
+protected:
+
+ static TestTrustDomain trustDomain;
+};
+
+/*static*/ TestTrustDomain pkixbuild::trustDomain;
+
+TEST_F(pkixbuild, MaxAcceptableCertChainLength)
+{
+ {
+ ByteString leafCACert(trustDomain.GetLeafCACertDER());
+ Input certDER;
+ ASSERT_EQ(Success, certDER.Init(leafCACert.data(), leafCACert.length()));
+ ASSERT_EQ(Success,
+ BuildCertChain(trustDomain, certDER, Now(),
+ EndEntityOrCA::MustBeCA,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+ }
+
+ {
+ ByteString certDER(CreateCert("CA7", "Direct End-Entity",
+ EndEntityOrCA::MustBeEndEntity));
+ ASSERT_FALSE(ENCODING_FAILED(certDER));
+ Input certDERInput;
+ ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+ ASSERT_EQ(Success,
+ BuildCertChain(trustDomain, certDERInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+ }
+}
+
+TEST_F(pkixbuild, BeyondMaxAcceptableCertChainLength)
+{
+ static char const* const caCertName = "CA Too Far";
+
+ trustDomain.CreateCACert("CA7", caCertName);
+
+ {
+ ByteString certDER(trustDomain.GetLeafCACertDER());
+ Input certDERInput;
+ ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+ ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+ BuildCertChain(trustDomain, certDERInput, Now(),
+ EndEntityOrCA::MustBeCA,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+ }
+
+ {
+ ByteString certDER(CreateCert(caCertName, "End-Entity Too Far",
+ EndEntityOrCA::MustBeEndEntity));
+ ASSERT_FALSE(ENCODING_FAILED(certDER));
+ Input certDERInput;
+ ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+ ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+ BuildCertChain(trustDomain, certDERInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+ }
+}
+
+// A TrustDomain that checks certificates against a given root certificate.
+// It is initialized with the DER encoding of a root certificate that
+// is treated as a trust anchor and is assumed to have issued all certificates
+// (i.e. FindIssuer always attempts to build the next step in the chain with
+// it).
+class SingleRootTrustDomain : public DefaultCryptoTrustDomain
+{
+public:
+ explicit SingleRootTrustDomain(ByteString rootDER)
+ : rootDER(rootDER)
+ {
+ }
+
+ // The CertPolicyId argument is unused because we don't care about EV.
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+ /*out*/ TrustLevel& trustLevel) override
+ {
+ Input rootCert;
+ Result rv = rootCert.Init(rootDER.data(), rootDER.length());
+ if (rv != Success) {
+ return rv;
+ }
+ if (InputsAreEqual(candidateCert, rootCert)) {
+ trustLevel = TrustLevel::TrustAnchor;
+ } else {
+ trustLevel = TrustLevel::InheritsTrust;
+ }
+ return Success;
+ }
+
+ Result FindIssuer(Input, IssuerChecker& checker, Time) override
+ {
+ // keepGoing is an out parameter from IssuerChecker.Check. It would tell us
+ // whether or not to continue attempting other potential issuers. We only
+ // know of one potential issuer, however, so we ignore it.
+ bool keepGoing;
+ Input rootCert;
+ Result rv = rootCert.Init(rootDER.data(), rootDER.length());
+ if (rv != Success) {
+ return rv;
+ }
+ return checker.Check(rootCert, nullptr, keepGoing);
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ return Success;
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ /*optional*/ const Input*, /*optional*/ const Input*)
+ override
+ {
+ return Success;
+ }
+
+private:
+ ByteString rootDER;
+};
+
+// A TrustDomain that explicitly fails if CheckRevocation is called.
+class ExpiredCertTrustDomain final : public SingleRootTrustDomain
+{
+public:
+ explicit ExpiredCertTrustDomain(ByteString rootDER)
+ : SingleRootTrustDomain(rootDER)
+ {
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ /*optional*/ const Input*, /*optional*/ const Input*)
+ override
+ {
+ ADD_FAILURE();
+ return NotReached("CheckRevocation should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+};
+
+TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert)
+{
+ const char* rootCN = "Root CA";
+ ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
+ nullptr));
+ EXPECT_FALSE(ENCODING_FAILED(rootDER));
+ ExpiredCertTrustDomain expiredCertTrustDomain(rootDER);
+
+ ByteString serialNumber(CreateEncodedSerialNumber(100));
+ EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+ ByteString issuerDER(CNToDERName(rootCN));
+ ByteString subjectDER(CNToDERName("Expired End-Entity Cert"));
+ ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+ ByteString certDER(CreateEncodedCertificate(
+ v3, sha256WithRSAEncryption(),
+ serialNumber, issuerDER,
+ twoDaysBeforeNow,
+ oneDayBeforeNow,
+ subjectDER, *reusedKey, nullptr, *reusedKey,
+ sha256WithRSAEncryption()));
+ EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+ Input cert;
+ ASSERT_EQ(Success, cert.Init(certDER.data(), certDER.length()));
+ ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
+ BuildCertChain(expiredCertTrustDomain, cert, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy,
+ nullptr));
+}
+
+class DSSTrustDomain final : public EverythingFailsByDefaultTrustDomain
+{
+public:
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
+ Input, /*out*/ TrustLevel& trustLevel) override
+ {
+ trustLevel = TrustLevel::TrustAnchor;
+ return Success;
+ }
+};
+
+class pkixbuild_DSS : public ::testing::Test { };
+
+TEST_F(pkixbuild_DSS, DSSEndEntityKeyNotAccepted)
+{
+ DSSTrustDomain trustDomain;
+
+ ByteString serialNumber(CreateEncodedSerialNumber(1));
+ ASSERT_FALSE(ENCODING_FAILED(serialNumber));
+
+ ByteString subjectDER(CNToDERName("DSS"));
+ ASSERT_FALSE(ENCODING_FAILED(subjectDER));
+ ScopedTestKeyPair subjectKey(GenerateDSSKeyPair());
+ ASSERT_TRUE(subjectKey.get());
+
+ ByteString issuerDER(CNToDERName("RSA"));
+ ASSERT_FALSE(ENCODING_FAILED(issuerDER));
+ ScopedTestKeyPair issuerKey(CloneReusedKeyPair());
+ ASSERT_TRUE(issuerKey.get());
+
+ ByteString cert(CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
+ serialNumber, issuerDER,
+ oneDayBeforeNow, oneDayAfterNow,
+ subjectDER, *subjectKey, nullptr,
+ *issuerKey, sha256WithRSAEncryption()));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certDER;
+ ASSERT_EQ(Success, certDER.Init(cert.data(), cert.length()));
+
+ ASSERT_EQ(Result::ERROR_UNSUPPORTED_KEYALG,
+ BuildCertChain(trustDomain, certDER, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+}
+
+class IssuerNameCheckTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+ IssuerNameCheckTrustDomain(const ByteString& issuer, bool expectedKeepGoing)
+ : issuer(issuer)
+ , expectedKeepGoing(expectedKeepGoing)
+ {
+ }
+
+ Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&, Input,
+ /*out*/ TrustLevel& trustLevel) override
+ {
+ trustLevel = endEntityOrCA == EndEntityOrCA::MustBeCA
+ ? TrustLevel::TrustAnchor
+ : TrustLevel::InheritsTrust;
+ return Success;
+ }
+
+ Result FindIssuer(Input, IssuerChecker& checker, Time) override
+ {
+ Input issuerInput;
+ EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
+ bool keepGoing;
+ EXPECT_EQ(Success,
+ checker.Check(issuerInput, nullptr /*additionalNameConstraints*/,
+ keepGoing));
+ EXPECT_EQ(expectedKeepGoing, keepGoing);
+ return Success;
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ /*optional*/ const Input*, /*optional*/ const Input*)
+ override
+ {
+ return Success;
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ return Success;
+ }
+
+private:
+ const ByteString issuer;
+ const bool expectedKeepGoing;
+};
+
+struct IssuerNameCheckParams
+{
+ const char* subjectIssuerCN; // null means "empty name"
+ const char* issuerSubjectCN; // null means "empty name"
+ bool matches;
+ Result expectedError;
+};
+
+static const IssuerNameCheckParams ISSUER_NAME_CHECK_PARAMS[] =
+{
+ { "foo", "foo", true, Success },
+ { "foo", "bar", false, Result::ERROR_UNKNOWN_ISSUER },
+ { "f", "foo", false, Result::ERROR_UNKNOWN_ISSUER }, // prefix
+ { "foo", "f", false, Result::ERROR_UNKNOWN_ISSUER }, // prefix
+ { "foo", "Foo", false, Result::ERROR_UNKNOWN_ISSUER }, // case sensitive
+ { "", "", true, Success },
+ { nullptr, nullptr, false, Result::ERROR_EMPTY_ISSUER_NAME }, // empty issuer
+
+ // check that certificate-related errors are deferred and superseded by
+ // ERROR_UNKNOWN_ISSUER when a chain can't be built due to name mismatches
+ { "foo", nullptr, false, Result::ERROR_UNKNOWN_ISSUER },
+ { nullptr, "foo", false, Result::ERROR_UNKNOWN_ISSUER }
+};
+
+class pkixbuild_IssuerNameCheck
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<IssuerNameCheckParams>
+{
+};
+
+TEST_P(pkixbuild_IssuerNameCheck, MatchingName)
+{
+ const IssuerNameCheckParams& params(GetParam());
+
+ ByteString issuerCertDER(CreateCert(params.issuerSubjectCN,
+ params.issuerSubjectCN,
+ EndEntityOrCA::MustBeCA, nullptr));
+ ASSERT_FALSE(ENCODING_FAILED(issuerCertDER));
+
+ ByteString subjectCertDER(CreateCert(params.subjectIssuerCN, "end-entity",
+ EndEntityOrCA::MustBeEndEntity,
+ nullptr));
+ ASSERT_FALSE(ENCODING_FAILED(subjectCertDER));
+
+ Input subjectCertDERInput;
+ ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(),
+ subjectCertDER.length()));
+
+ IssuerNameCheckTrustDomain trustDomain(issuerCertDER, !params.matches);
+ ASSERT_EQ(params.expectedError,
+ BuildCertChain(trustDomain, subjectCertDERInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixbuild_IssuerNameCheck, pkixbuild_IssuerNameCheck,
+ testing::ValuesIn(ISSUER_NAME_CHECK_PARAMS));
+
+
+// Records the embedded SCT list extension for later examination.
+class EmbeddedSCTListTestTrustDomain final : public SingleRootTrustDomain
+{
+public:
+ explicit EmbeddedSCTListTestTrustDomain(ByteString rootDER)
+ : SingleRootTrustDomain(rootDER)
+ {
+ }
+
+ virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+ Input extensionData) override
+ {
+ if (extension == AuxiliaryExtension::EmbeddedSCTList) {
+ signedCertificateTimestamps = InputToByteString(extensionData);
+ } else {
+ ADD_FAILURE();
+ }
+ }
+
+ ByteString signedCertificateTimestamps;
+};
+
+TEST_F(pkixbuild, CertificateTransparencyExtension)
+{
+ // python security/pkix/tools/DottedOIDToCode.py --tlv
+ // id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+ static const uint8_t tlv_id_embeddedSctList[] = {
+ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+ };
+ static const uint8_t dummySctList[] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05
+ };
+
+ ByteString ctExtension = TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_embeddedSctList) +
+ Boolean(false) +
+ TLV(der::OCTET_STRING,
+ // SignedCertificateTimestampList structure is encoded as an OCTET STRING
+ // within the X.509v3 extension (see RFC 6962 section 3.3).
+ // pkix decodes it internally and returns the actual structure.
+ TLV(der::OCTET_STRING, BytesToByteString(dummySctList))));
+
+ const char* rootCN = "Root CA";
+ ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA));
+ ASSERT_FALSE(ENCODING_FAILED(rootDER));
+
+ ByteString certDER(CreateCert(rootCN, "Cert with SCT list",
+ EndEntityOrCA::MustBeEndEntity,
+ nullptr, /*subjectDERToCertDER*/
+ &ctExtension));
+ ASSERT_FALSE(ENCODING_FAILED(certDER));
+
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+
+ EmbeddedSCTListTestTrustDomain extTrustDomain(rootDER);
+ ASSERT_EQ(Success,
+ BuildCertChain(extTrustDomain, certInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::anyExtendedKeyUsage,
+ CertPolicyId::anyPolicy,
+ nullptr /*stapledOCSPResponse*/));
+ ASSERT_EQ(BytesToByteString(dummySctList),
+ extTrustDomain.signedCertificateTimestamps);
+}
diff --git a/security/pkix/test/gtest/pkixcert_extension_tests.cpp b/security/pkix/test/gtest/pkixcert_extension_tests.cpp
new file mode 100644
index 000000000..464643134
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcert_extension_tests.cpp
@@ -0,0 +1,270 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+#include "pkixtestutil.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+// Creates a self-signed certificate with the given extension.
+static ByteString
+CreateCertWithExtensions(const char* subjectCN,
+ const ByteString* extensions)
+{
+ static long serialNumberValue = 0;
+ ++serialNumberValue;
+ ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+ EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+ ByteString issuerDER(CNToDERName(subjectCN));
+ EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+ ByteString subjectDER(CNToDERName(subjectCN));
+ EXPECT_FALSE(ENCODING_FAILED(subjectDER));
+ ScopedTestKeyPair subjectKey(CloneReusedKeyPair());
+ return CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
+ serialNumber, issuerDER,
+ oneDayBeforeNow, oneDayAfterNow,
+ subjectDER, *subjectKey, extensions,
+ *subjectKey,
+ sha256WithRSAEncryption());
+}
+
+// Creates a self-signed certificate with the given extension.
+static ByteString
+CreateCertWithOneExtension(const char* subjectStr, const ByteString& extension)
+{
+ const ByteString extensions[] = { extension, ByteString() };
+ return CreateCertWithExtensions(subjectStr, extensions);
+}
+
+class TrustEverythingTrustDomain final : public DefaultCryptoTrustDomain
+{
+private:
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input,
+ /*out*/ TrustLevel& trustLevel) override
+ {
+ trustLevel = TrustLevel::TrustAnchor;
+ return Success;
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ /*optional*/ const Input*, /*optional*/ const Input*)
+ override
+ {
+ return Success;
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ return Success;
+ }
+};
+
+// python DottedOIDToCode.py --tlv unknownExtensionOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
+static const uint8_t tlv_unknownExtensionOID[] = {
+ 0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, 0x1a, 0x85, 0x1a,
+ 0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x03
+};
+
+// python DottedOIDToCode.py --tlv id-pe-authorityInformationAccess 1.3.6.1.5.5.7.1.1
+static const uint8_t tlv_id_pe_authorityInformationAccess[] = {
+ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv wrongExtensionOID 1.3.6.6.1.5.5.7.1.1
+// (there is an extra "6" that shouldn't be in this OID)
+static const uint8_t tlv_wrongExtensionOID[] = {
+ 0x06, 0x09, 0x2b, 0x06, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv id-ce-unknown 2.5.29.55
+// (this is a made-up OID for testing "id-ce"-prefixed OIDs that mozilla::pkix
+// doesn't handle)
+static const uint8_t tlv_id_ce_unknown[] = {
+ 0x06, 0x03, 0x55, 0x1d, 0x37
+};
+
+// python DottedOIDToCode.py --tlv id-ce-inhibitAnyPolicy 2.5.29.54
+static const uint8_t tlv_id_ce_inhibitAnyPolicy[] = {
+ 0x06, 0x03, 0x55, 0x1d, 0x36
+};
+
+// python DottedOIDToCode.py --tlv id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5
+static const uint8_t tlv_id_pkix_ocsp_nocheck[] = {
+ 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x05
+};
+
+struct ExtensionTestcase
+{
+ ByteString extension;
+ Result expectedResult;
+};
+
+static const ExtensionTestcase EXTENSION_TESTCASES[] =
+{
+ // Tests that a non-critical extension not in the id-ce or id-pe arcs (which
+ // is thus unknown to us) verifies successfully even if empty (extensions we
+ // know about aren't normally allowed to be empty).
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_unknownExtensionOID) +
+ TLV(der::OCTET_STRING, ByteString())),
+ Success
+ },
+
+ // Tests that a critical extension not in the id-ce or id-pe arcs (which is
+ // thus unknown to us) is detected and that verification fails with the
+ // appropriate error.
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_unknownExtensionOID) +
+ Boolean(true) +
+ TLV(der::OCTET_STRING, ByteString())),
+ Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+ },
+
+ // Tests that a id-pe-authorityInformationAccess critical extension
+ // is detected and that verification succeeds.
+ // XXX: According to RFC 5280 an AIA that consists of an empty sequence is
+ // not legal, but we accept it and that is not what we're testing here.
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_pe_authorityInformationAccess) +
+ Boolean(true) +
+ TLV(der::OCTET_STRING, TLV(der::SEQUENCE, ByteString()))),
+ Success
+ },
+
+ // Tests that an incorrect OID for id-pe-authorityInformationAccess
+ // (when marked critical) is detected and that verification fails.
+ // (Until bug 1020993 was fixed, this wrong value was used for
+ // id-pe-authorityInformationAccess.)
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_wrongExtensionOID) +
+ Boolean(true) +
+ TLV(der::OCTET_STRING, ByteString())),
+ Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+ },
+
+ // We know about some id-ce extensions (OID arc 2.5.29), but not all of them.
+ // Tests that an unknown id-ce extension is detected and that verification
+ // fails.
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_ce_unknown) +
+ Boolean(true) +
+ TLV(der::OCTET_STRING, ByteString())),
+ Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+ },
+
+ // Tests that a certificate with a known critical id-ce extension (in this
+ // case, OID 2.5.29.54, which is id-ce-inhibitAnyPolicy), verifies
+ // successfully.
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_ce_inhibitAnyPolicy) +
+ Boolean(true) +
+ TLV(der::OCTET_STRING, Integer(0))),
+ Success
+ },
+
+ // Tests that a certificate with the id-pkix-ocsp-nocheck extension (marked
+ // critical) verifies successfully.
+ // RFC 6960:
+ // ext-ocsp-nocheck EXTENSION ::= { SYNTAX NULL IDENTIFIED
+ // BY id-pkix-ocsp-nocheck }
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_pkix_ocsp_nocheck) +
+ Boolean(true) +
+ TLV(der::OCTET_STRING, TLV(der::NULLTag, ByteString()))),
+ Success
+ },
+
+ // Tests that a certificate with another representation of the
+ // id-pkix-ocsp-nocheck extension (marked critical) verifies successfully.
+ // According to http://comments.gmane.org/gmane.ietf.x509/30947,
+ // some code creates certificates where value of the extension is
+ // an empty OCTET STRING.
+ { TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_pkix_ocsp_nocheck) +
+ Boolean(true) +
+ TLV(der::OCTET_STRING, ByteString())),
+ Success
+ },
+};
+
+class pkixcert_extension
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<ExtensionTestcase>
+{
+protected:
+ static TrustEverythingTrustDomain trustDomain;
+};
+
+/*static*/ TrustEverythingTrustDomain pkixcert_extension::trustDomain;
+
+TEST_P(pkixcert_extension, ExtensionHandledProperly)
+{
+ const ExtensionTestcase& testcase(GetParam());
+ const char* cn = "Cert Extension Test";
+ ByteString cert(CreateCertWithOneExtension(cn, testcase.extension));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+ ASSERT_EQ(testcase.expectedResult,
+ BuildCertChain(trustDomain, certInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::anyExtendedKeyUsage,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixcert_extension,
+ pkixcert_extension,
+ testing::ValuesIn(EXTENSION_TESTCASES));
+
+// Two subjectAltNames must result in an error.
+TEST_F(pkixcert_extension, DuplicateSubjectAltName)
+{
+ // python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
+ static const uint8_t tlv_id_ce_subjectAltName[] = {
+ 0x06, 0x03, 0x55, 0x1d, 0x11
+ };
+
+ ByteString subjectAltName(
+ TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_ce_subjectAltName) +
+ TLV(der::OCTET_STRING, TLV(der::SEQUENCE, DNSName("example.com")))));
+ static const ByteString extensions[] = { subjectAltName, subjectAltName,
+ ByteString() };
+ static const char* certCN = "Cert With Duplicate subjectAltName";
+ ByteString cert(CreateCertWithExtensions(certCN, extensions));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+ ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
+ BuildCertChain(trustDomain, certInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::anyExtendedKeyUsage,
+ CertPolicyId::anyPolicy,
+ nullptr/*stapledOCSPResponse*/));
+}
diff --git a/security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp b/security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
new file mode 100644
index 000000000..924c2b053
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
@@ -0,0 +1,247 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static ByteString
+CreateCert(const char* issuerCN,
+ const char* subjectCN,
+ EndEntityOrCA endEntityOrCA,
+ const TestSignatureAlgorithm& signatureAlgorithm,
+ /*out*/ ByteString& subjectDER)
+{
+ static long serialNumberValue = 0;
+ ++serialNumberValue;
+ ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+ EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+ ByteString issuerDER(CNToDERName(issuerCN));
+ EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+ subjectDER = CNToDERName(subjectCN);
+ EXPECT_FALSE(ENCODING_FAILED(subjectDER));
+
+ ByteString extensions[2];
+ if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+ extensions[0] =
+ CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
+ EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+ }
+
+ ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+ ByteString certDER(CreateEncodedCertificate(v3, signatureAlgorithm,
+ serialNumber, issuerDER,
+ oneDayBeforeNow, oneDayAfterNow,
+ subjectDER, *reusedKey,
+ extensions, *reusedKey,
+ signatureAlgorithm));
+ EXPECT_FALSE(ENCODING_FAILED(certDER));
+ return certDER;
+}
+
+class AlgorithmTestsTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+ AlgorithmTestsTrustDomain(const ByteString& rootDER,
+ const ByteString& rootSubjectDER,
+ /*optional*/ const ByteString& intDER,
+ /*optional*/ const ByteString& intSubjectDER)
+ : rootDER(rootDER)
+ , rootSubjectDER(rootSubjectDER)
+ , intDER(intDER)
+ , intSubjectDER(intSubjectDER)
+ {
+ }
+
+private:
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+ /*out*/ TrustLevel& trustLevel) override
+ {
+ if (InputEqualsByteString(candidateCert, rootDER)) {
+ trustLevel = TrustLevel::TrustAnchor;
+ } else {
+ trustLevel = TrustLevel::InheritsTrust;
+ }
+ return Success;
+ }
+
+ Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+ override
+ {
+ ByteString* issuerDER = nullptr;
+ if (InputEqualsByteString(encodedIssuerName, rootSubjectDER)) {
+ issuerDER = &rootDER;
+ } else if (InputEqualsByteString(encodedIssuerName, intSubjectDER)) {
+ issuerDER = &intDER;
+ } else {
+ // FindIssuer just returns success if it can't find a potential issuer.
+ return Success;
+ }
+ Input issuerCert;
+ Result rv = issuerCert.Init(issuerDER->data(), issuerDER->length());
+ if (rv != Success) {
+ return rv;
+ }
+ bool keepGoing;
+ return checker.Check(issuerCert, nullptr, keepGoing);
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ const Input*, const Input*) override
+ {
+ return Success;
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ return Success;
+ }
+
+ ByteString rootDER;
+ ByteString rootSubjectDER;
+ ByteString intDER;
+ ByteString intSubjectDER;
+};
+
+static const TestSignatureAlgorithm NO_INTERMEDIATE
+{
+ TestPublicKeyAlgorithm(ByteString()),
+ TestDigestAlgorithmID::MD2,
+ ByteString(),
+ false
+};
+
+struct ChainValidity final
+{
+ ChainValidity(const TestSignatureAlgorithm& endEntitySignatureAlgorithm,
+ const TestSignatureAlgorithm& optionalIntSignatureAlgorithm,
+ const TestSignatureAlgorithm& rootSignatureAlgorithm,
+ bool isValid)
+ : endEntitySignatureAlgorithm(endEntitySignatureAlgorithm)
+ , optionalIntermediateSignatureAlgorithm(optionalIntSignatureAlgorithm)
+ , rootSignatureAlgorithm(rootSignatureAlgorithm)
+ , isValid(isValid)
+ { }
+
+ // In general, a certificate is generated for each of these. However, if
+ // optionalIntermediateSignatureAlgorithm is NO_INTERMEDIATE, then only 2
+ // certificates are generated.
+ // The certificate generated for the given rootSignatureAlgorithm is the
+ // trust anchor.
+ TestSignatureAlgorithm endEntitySignatureAlgorithm;
+ TestSignatureAlgorithm optionalIntermediateSignatureAlgorithm;
+ TestSignatureAlgorithm rootSignatureAlgorithm;
+ bool isValid;
+};
+
+static const ChainValidity CHAIN_VALIDITY[] =
+{
+ // The trust anchor may have a signature with an unsupported signature
+ // algorithm.
+ ChainValidity(sha256WithRSAEncryption(),
+ NO_INTERMEDIATE,
+ md5WithRSAEncryption(),
+ true),
+ ChainValidity(sha256WithRSAEncryption(),
+ NO_INTERMEDIATE,
+ md2WithRSAEncryption(),
+ true),
+
+ // Certificates that are not trust anchors must not have a signature with an
+ // unsupported signature algorithm.
+ ChainValidity(md5WithRSAEncryption(),
+ NO_INTERMEDIATE,
+ sha256WithRSAEncryption(),
+ false),
+ ChainValidity(md2WithRSAEncryption(),
+ NO_INTERMEDIATE,
+ sha256WithRSAEncryption(),
+ false),
+ ChainValidity(md2WithRSAEncryption(),
+ NO_INTERMEDIATE,
+ md5WithRSAEncryption(),
+ false),
+ ChainValidity(sha256WithRSAEncryption(),
+ md5WithRSAEncryption(),
+ sha256WithRSAEncryption(),
+ false),
+ ChainValidity(sha256WithRSAEncryption(),
+ md2WithRSAEncryption(),
+ sha256WithRSAEncryption(),
+ false),
+ ChainValidity(sha256WithRSAEncryption(),
+ md2WithRSAEncryption(),
+ md5WithRSAEncryption(),
+ false),
+};
+
+class pkixcert_IsValidChainForAlgorithm
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<ChainValidity>
+{
+};
+
+TEST_P(pkixcert_IsValidChainForAlgorithm, IsValidChainForAlgorithm)
+{
+ const ChainValidity& chainValidity(GetParam());
+ const char* rootCN = "CN=Root";
+ ByteString rootSubjectDER;
+ ByteString rootEncoded(
+ CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
+ chainValidity.rootSignatureAlgorithm, rootSubjectDER));
+ EXPECT_FALSE(ENCODING_FAILED(rootEncoded));
+ EXPECT_FALSE(ENCODING_FAILED(rootSubjectDER));
+
+ const char* issuerCN = rootCN;
+
+ const char* intermediateCN = "CN=Intermediate";
+ ByteString intermediateSubjectDER;
+ ByteString intermediateEncoded;
+
+ // If the the algorithmIdentifier is empty, then it's NO_INTERMEDIATE.
+ if (!chainValidity.optionalIntermediateSignatureAlgorithm
+ .algorithmIdentifier.empty()) {
+ intermediateEncoded =
+ CreateCert(rootCN, intermediateCN, EndEntityOrCA::MustBeCA,
+ chainValidity.optionalIntermediateSignatureAlgorithm,
+ intermediateSubjectDER);
+ EXPECT_FALSE(ENCODING_FAILED(intermediateEncoded));
+ EXPECT_FALSE(ENCODING_FAILED(intermediateSubjectDER));
+ issuerCN = intermediateCN;
+ }
+
+ AlgorithmTestsTrustDomain trustDomain(rootEncoded, rootSubjectDER,
+ intermediateEncoded,
+ intermediateSubjectDER);
+
+ const char* endEntityCN = "CN=End Entity";
+ ByteString endEntitySubjectDER;
+ ByteString endEntityEncoded(
+ CreateCert(issuerCN, endEntityCN, EndEntityOrCA::MustBeEndEntity,
+ chainValidity.endEntitySignatureAlgorithm,
+ endEntitySubjectDER));
+ EXPECT_FALSE(ENCODING_FAILED(endEntityEncoded));
+ EXPECT_FALSE(ENCODING_FAILED(endEntitySubjectDER));
+
+ Input endEntity;
+ ASSERT_EQ(Success, endEntity.Init(endEntityEncoded.data(),
+ endEntityEncoded.length()));
+ Result expectedResult = chainValidity.isValid
+ ? Success
+ : Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+ ASSERT_EQ(expectedResult,
+ BuildCertChain(trustDomain, endEntity, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::id_kp_serverAuth,
+ CertPolicyId::anyPolicy, nullptr));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixcert_IsValidChainForAlgorithm,
+ pkixcert_IsValidChainForAlgorithm,
+ testing::ValuesIn(CHAIN_VALIDITY));
diff --git a/security/pkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp b/security/pkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
new file mode 100644
index 000000000..4bfbd2265
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
@@ -0,0 +1,711 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2016 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+#include "pkixutil.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
+ const Input* encodedExtendedKeyUsage,
+ KeyPurposeId requiredEKU,
+ TrustDomain& trustDomain, Time notBefore);
+
+} } // namespace mozilla::pkix
+
+class pkixcheck_CheckExtendedKeyUsage : public ::testing::Test
+{
+protected:
+ DefaultCryptoTrustDomain mTrustDomain;
+};
+
+#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_CERT_TYPE, x)
+
+// tlv_id_kp_OCSPSigning and tlv_id_kp_serverAuth are defined in pkixtestutil.h
+
+// python DottedOIDToCode.py --tlv id-kp-clientAuth 1.3.6.1.5.5.7.3.2
+static const uint8_t tlv_id_kp_clientAuth[] = {
+ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02
+};
+
+// python DottedOIDToCode.py --tlv id-kp-codeSigning 1.3.6.1.5.5.7.3.3
+static const uint8_t tlv_id_kp_codeSigning[] = {
+ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03
+};
+
+// python DottedOIDToCode.py --tlv id_kp_emailProtection 1.3.6.1.5.5.7.3.4
+static const uint8_t tlv_id_kp_emailProtection[] = {
+ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04
+};
+
+// python DottedOIDToCode.py --tlv id-Netscape-stepUp 2.16.840.1.113730.4.1
+static const uint8_t tlv_id_Netscape_stepUp[] = {
+ 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01
+};
+
+// python DottedOIDToCode.py --tlv unknownOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
+static const uint8_t tlv_unknownOID[] = {
+ 0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, 0x1a, 0x85, 0x1a,
+ 0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x03
+};
+
+// python DottedOIDToCode.py --tlv anyExtendedKeyUsage 2.5.29.37.0
+static const uint8_t tlv_anyExtendedKeyUsage[] = {
+ 0x06, 0x04, 0x55, 0x1d, 0x25, 0x00
+};
+
+TEST_F(pkixcheck_CheckExtendedKeyUsage, none)
+{
+ // The input Input is nullptr. This means the cert had no extended key usage
+ // extension. This is always valid except for when the certificate is an
+ // end-entity and the required usage is id-kp-OCSPSigning.
+
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ nullptr,
+ KeyPurposeId::anyExtendedKeyUsage,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+ KeyPurposeId::anyExtendedKeyUsage,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ nullptr,
+ KeyPurposeId::id_kp_serverAuth,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+ KeyPurposeId::id_kp_serverAuth,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ nullptr,
+ KeyPurposeId::id_kp_clientAuth,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+ KeyPurposeId::id_kp_clientAuth,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ nullptr,
+ KeyPurposeId::id_kp_codeSigning,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+ KeyPurposeId::id_kp_codeSigning,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ nullptr,
+ KeyPurposeId::id_kp_emailProtection,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+ KeyPurposeId::id_kp_emailProtection,
+ mTrustDomain, Now()));
+ ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+ KeyPurposeId::id_kp_OCSPSigning,
+ mTrustDomain, Now()));
+ ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+ KeyPurposeId::id_kp_OCSPSigning,
+ mTrustDomain, Now()));
+}
+
+static const Input empty_null;
+
+TEST_F(pkixcheck_CheckExtendedKeyUsage, empty)
+{
+ // The input Input is empty. The cert has an empty extended key usage
+ // extension, which is syntactically invalid.
+ ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
+ KeyPurposeId::id_kp_serverAuth,
+ mTrustDomain, Now()));
+ ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
+ KeyPurposeId::id_kp_serverAuth,
+ mTrustDomain, Now()));
+
+ static const uint8_t dummy = 0x00;
+ Input empty_nonnull;
+ ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+ ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
+ KeyPurposeId::id_kp_serverAuth,
+ mTrustDomain, Now()));
+ ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
+ KeyPurposeId::id_kp_serverAuth,
+ mTrustDomain, Now()));
+}
+
+struct EKUTestcase
+{
+ ByteString ekuSEQUENCE;
+ KeyPurposeId keyPurposeId;
+ Result expectedResultEndEntity;
+ Result expectedResultCA;
+};
+
+class CheckExtendedKeyUsageTest
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<EKUTestcase>
+{
+protected:
+ DefaultCryptoTrustDomain mTrustDomain;
+};
+
+TEST_P(CheckExtendedKeyUsageTest, EKUTestcase)
+{
+ const EKUTestcase& param(GetParam());
+ Input encodedEKU;
+ ASSERT_EQ(Success, encodedEKU.Init(param.ekuSEQUENCE.data(),
+ param.ekuSEQUENCE.length()));
+ ASSERT_EQ(param.expectedResultEndEntity,
+ CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &encodedEKU,
+ param.keyPurposeId,
+ mTrustDomain, Now()));
+ ASSERT_EQ(param.expectedResultCA,
+ CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &encodedEKU,
+ param.keyPurposeId,
+ mTrustDomain, Now()));
+}
+
+#define SINGLE_EKU_SUCCESS(oidBytes, keyPurposeId) \
+ { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+ Success, Success }
+#define SINGLE_EKU_SUCCESS_CA(oidBytes, keyPurposeId) \
+ { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+ Result::ERROR_INADEQUATE_CERT_TYPE, Success }
+#define SINGLE_EKU_FAILURE(oidBytes, keyPurposeId) \
+ { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+ Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
+#define DOUBLE_EKU_SUCCESS(oidBytes1, oidBytes2, keyPurposeId) \
+ { TLV(der::SEQUENCE, \
+ BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+ keyPurposeId, \
+ Success, Success }
+#define DOUBLE_EKU_SUCCESS_CA(oidBytes1, oidBytes2, keyPurposeId) \
+ { TLV(der::SEQUENCE, \
+ BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+ keyPurposeId, \
+ Result::ERROR_INADEQUATE_CERT_TYPE, Success }
+#define DOUBLE_EKU_FAILURE(oidBytes1, oidBytes2, keyPurposeId) \
+ { TLV(der::SEQUENCE, \
+ BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+ keyPurposeId, \
+ Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
+
+static const EKUTestcase EKU_TESTCASES[] =
+{
+ SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::anyExtendedKeyUsage),
+ SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+ SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
+ SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+ SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+ SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+ SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+ // For end-entities, if id-kp-OCSPSigning is present, no usage is allowed
+ // except OCSPSigning.
+ SINGLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+ SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ SINGLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+ // For compatibility, id-Netscape-stepUp is treated as equivalent to
+ // id-kp-serverAuth for CAs.
+ SINGLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+ SINGLE_EKU_SUCCESS(tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+ SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+ SINGLE_EKU_SUCCESS(tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+ DOUBLE_EKU_SUCCESS(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+ DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+ DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+ DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+ DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+ DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+};
+
+INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
+ CheckExtendedKeyUsageTest,
+ ::testing::ValuesIn(EKU_TESTCASES));
+
+struct EKUChainTestcase
+{
+ ByteString ekuExtensionEE;
+ ByteString ekuExtensionCA;
+ KeyPurposeId keyPurposeId;
+ Result expectedResult;
+};
+
+class CheckExtendedKeyUsageChainTest
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<EKUChainTestcase>
+{
+};
+
+static ByteString
+CreateCert(const char* issuerCN, const char* subjectCN,
+ EndEntityOrCA endEntityOrCA, ByteString encodedEKU)
+{
+ static long serialNumberValue = 0;
+ ++serialNumberValue;
+ ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+ EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+ ByteString issuerDER(CNToDERName(issuerCN));
+ ByteString subjectDER(CNToDERName(subjectCN));
+
+ ByteString extensions[3];
+ extensions[0] =
+ CreateEncodedBasicConstraints(endEntityOrCA == EndEntityOrCA::MustBeCA,
+ nullptr, Critical::Yes);
+ EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+ if (encodedEKU.length() > 0) {
+ extensions[1] = encodedEKU;
+ }
+
+ ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+ ByteString certDER(CreateEncodedCertificate(
+ v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+ oneDayBeforeNow, oneDayAfterNow, subjectDER,
+ *reusedKey, extensions, *reusedKey,
+ sha256WithRSAEncryption()));
+ EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+ return certDER;
+}
+
+class EKUTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+ explicit EKUTrustDomain(ByteString issuerCertDER)
+ : mIssuerCertDER(issuerCertDER)
+ {
+ }
+
+private:
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+ TrustLevel& trustLevel) override
+ {
+ trustLevel = InputEqualsByteString(candidateCert, mIssuerCertDER)
+ ? TrustLevel::TrustAnchor
+ : TrustLevel::InheritsTrust;
+ return Success;
+ }
+
+ Result FindIssuer(Input, IssuerChecker& checker, Time) override
+ {
+ Input derCert;
+ Result rv = derCert.Init(mIssuerCertDER.data(), mIssuerCertDER.length());
+ if (rv != Success) {
+ return rv;
+ }
+ bool keepGoing;
+ return checker.Check(derCert, nullptr, keepGoing);
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ const Input*, const Input*) override
+ {
+ return Success;
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ return Success;
+ }
+
+ ByteString mIssuerCertDER;
+};
+
+TEST_P(CheckExtendedKeyUsageChainTest, EKUChainTestcase)
+{
+ const EKUChainTestcase& param(GetParam());
+ ByteString issuerCertDER(CreateCert("CA", "CA", EndEntityOrCA::MustBeCA,
+ param.ekuExtensionCA));
+ ByteString subjectCertDER(CreateCert("CA", "EE",
+ EndEntityOrCA::MustBeEndEntity,
+ param.ekuExtensionEE));
+
+ EKUTrustDomain trustDomain(issuerCertDER);
+
+ Input subjectCertDERInput;
+ ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(),
+ subjectCertDER.length()));
+ ASSERT_EQ(param.expectedResult,
+ BuildCertChain(trustDomain, subjectCertDERInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ param.keyPurposeId,
+ CertPolicyId::anyPolicy,
+ nullptr));
+}
+
+// python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
+static const uint8_t tlv_id_ce_extKeyUsage[] = {
+ 0x06, 0x03, 0x55, 0x1d, 0x25
+};
+
+static inline ByteString
+CreateEKUExtension(ByteString ekuOIDs)
+{
+ return TLV(der::SEQUENCE,
+ BytesToByteString(tlv_id_ce_extKeyUsage) +
+ TLV(der::OCTET_STRING, TLV(der::SEQUENCE, ekuOIDs)));
+}
+
+static const EKUChainTestcase EKU_CHAIN_TESTCASES[] =
+{
+ {
+ // Both end-entity and CA have id-kp-serverAuth => should succeed
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Success
+ },
+ {
+ // CA has no EKU extension => should succeed
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ ByteString(),
+ KeyPurposeId::id_kp_serverAuth,
+ Success
+ },
+ {
+ // End-entity has no EKU extension => should succeed
+ ByteString(),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Success
+ },
+ {
+ // No EKU extensions at all => should succeed
+ ByteString(),
+ ByteString(),
+ KeyPurposeId::id_kp_serverAuth,
+ Success
+ },
+ {
+ // CA has EKU without id-kp-serverAuth => should fail
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Result::ERROR_INADEQUATE_CERT_TYPE
+ },
+ {
+ // End-entity has EKU without id-kp-serverAuth => should fail
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Result::ERROR_INADEQUATE_CERT_TYPE
+ },
+ {
+ // Both end-entity and CA have EKU without id-kp-serverAuth => should fail
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Result::ERROR_INADEQUATE_CERT_TYPE
+ },
+ {
+ // End-entity has no EKU, CA doesn't have id-kp-serverAuth => should fail
+ ByteString(),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Result::ERROR_INADEQUATE_CERT_TYPE
+ },
+ {
+ // End-entity doesn't have id-kp-serverAuth, CA has no EKU => should fail
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+ ByteString(),
+ KeyPurposeId::id_kp_serverAuth,
+ Result::ERROR_INADEQUATE_CERT_TYPE
+ },
+ {
+ // CA has id-Netscape-stepUp => should succeed
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
+ KeyPurposeId::id_kp_serverAuth,
+ Success
+ },
+ {
+ // End-entity has id-Netscape-stepUp => should fail
+ CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Result::ERROR_INADEQUATE_CERT_TYPE
+ },
+ {
+ // End-entity and CA have id-kp-serverAuth and id-kp-clientAuth => should
+ // succeed
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+ BytesToByteString(tlv_id_kp_clientAuth)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+ BytesToByteString(tlv_id_kp_clientAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Success
+ },
+ {
+ // End-entity has id-kp-serverAuth and id-kp-OCSPSigning => should fail
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+ BytesToByteString(tlv_id_kp_OCSPSigning)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+ BytesToByteString(tlv_id_kp_clientAuth)),
+ KeyPurposeId::id_kp_serverAuth,
+ Result::ERROR_INADEQUATE_CERT_TYPE
+ },
+ {
+ // CA has id-kp-serverAuth and id-kp-OCSPSigning => should succeed
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+ BytesToByteString(tlv_id_kp_clientAuth)),
+ CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+ BytesToByteString(tlv_id_kp_OCSPSigning)),
+ KeyPurposeId::id_kp_serverAuth,
+ Success
+ },
+};
+
+INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
+ CheckExtendedKeyUsageChainTest,
+ ::testing::ValuesIn(EKU_CHAIN_TESTCASES));
diff --git a/security/pkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp b/security/pkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp
new file mode 100644
index 000000000..d7fcfb210
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2016 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixcheck.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+class pkixcheck_CheckIssuer : public ::testing::Test { };
+
+static const uint8_t EMPTY_NAME_DATA[] = {
+ 0x30, 0x00 /* tag, length */
+};
+static const Input EMPTY_NAME(EMPTY_NAME_DATA);
+
+static const uint8_t VALID_NAME_DATA[] = {
+ /* From https://www.example.com/: C=US, O=DigiCert Inc, OU=www.digicert.com,
+ * CN=DigiCert SHA2 High Assurance Server CA */
+ 0x30, 0x70, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+ 0x02, 0x55, 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A,
+ 0x13, 0x0C, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x49,
+ 0x6E, 0x63, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13,
+ 0x10, 0x77, 0x77, 0x77, 0x2E, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72,
+ 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x2F, 0x30, 0x2D, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x13, 0x26, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74,
+ 0x20, 0x53, 0x48, 0x41, 0x32, 0x20, 0x48, 0x69, 0x67, 0x68, 0x20, 0x41,
+ 0x73, 0x73, 0x75, 0x72, 0x61, 0x6E, 0x63, 0x65, 0x20, 0x53, 0x65, 0x72,
+ 0x76, 0x65, 0x72, 0x20, 0x43, 0x41
+};
+static const Input VALID_NAME(VALID_NAME_DATA);
+
+TEST_F(pkixcheck_CheckIssuer, ValidIssuer)
+{
+ ASSERT_EQ(Success, CheckIssuer(VALID_NAME));
+}
+
+TEST_F(pkixcheck_CheckIssuer, EmptyIssuer)
+{
+ ASSERT_EQ(Result::ERROR_EMPTY_ISSUER_NAME, CheckIssuer(EMPTY_NAME));
+}
diff --git a/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp b/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
new file mode 100644
index 000000000..136f8719a
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
@@ -0,0 +1,284 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckKeyUsage(EndEntityOrCA endEntityOrCA,
+ const Input* encodedKeyUsage,
+ KeyUsage requiredKeyUsageIfPresent);
+
+} } // namespace mozilla::pkix
+
+class pkixcheck_CheckKeyUsage : public ::testing::Test { };
+
+#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_KEY_USAGE, x)
+
+// Make it easy to define test data for the common, simplest cases.
+#define NAMED_SIMPLE_KU(name, unusedBits, bits) \
+ const uint8_t name##_bytes[4] = { \
+ 0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, unusedBits, bits \
+ }; \
+ const Input name(name##_bytes);
+
+static const Input empty_null;
+
+// Note that keyCertSign is really the only interesting case for CA
+// certificates since we don't support cRLSign.
+
+TEST_F(pkixcheck_CheckKeyUsage, EE_none)
+{
+ // The input Input is nullptr. This means the cert had no keyUsage
+ // extension. This is always valid because no key usage in an end-entity
+ // means that there are no key usage restrictions.
+
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+ KeyUsage::noParticularKeyUsageRequired));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+ KeyUsage::digitalSignature));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+ KeyUsage::nonRepudiation));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+ KeyUsage::keyEncipherment));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+ KeyUsage::dataEncipherment));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+ KeyUsage::keyAgreement));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, EE_empty)
+{
+ // The input Input is empty. The cert had an empty keyUsage extension,
+ // which is syntactically invalid.
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
+ KeyUsage::digitalSignature));
+ static const uint8_t dummy = 0x00;
+ Input empty_nonnull;
+ ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
+ KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, CA_none)
+{
+ // A CA certificate does not have a KU extension.
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+ KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, CA_empty)
+{
+ // A CA certificate has an empty KU extension.
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
+ KeyUsage::keyCertSign));
+ static const uint8_t dummy = 0x00;
+ Input empty_nonnull;
+ ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
+ KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, maxUnusedBits)
+{
+ NAMED_SIMPLE_KU(encoded, 7, 0x80);
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &encoded,
+ KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, tooManyUnusedBits)
+{
+ static uint8_t oneValueByteData[] = {
+ 0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 8/*unused bits*/, 0x80
+ };
+ static const Input oneValueByte(oneValueByteData);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
+ KeyUsage::digitalSignature));
+
+ static uint8_t twoValueBytesData[] = {
+ 0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 8/*unused bits*/, 0x01, 0x00
+ };
+ static const Input twoValueBytes(twoValueBytesData);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
+ KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_NoPaddingBits)
+{
+ static const uint8_t DER_BYTES[] = {
+ 0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 0/*unused bits*/
+ };
+ static const Input DER(DER_BYTES);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+ KeyUsage::digitalSignature));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+ KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_7PaddingBits)
+{
+ static const uint8_t DER_BYTES[] = {
+ 0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 7/*unused bits*/
+ };
+ static const Input DER(DER_BYTES);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+ KeyUsage::digitalSignature));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+ KeyUsage::keyCertSign));
+}
+
+void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage)
+{
+ // Test that only the right bit is accepted for the usage for both EE and CA
+ // certs.
+ NAMED_SIMPLE_KU(good, unusedBits, bits);
+ ASSERT_EQ(Success,
+ CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &good, usage));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, &good, usage));
+
+ // We use (~bits >> unusedBits) << unusedBits) instead of using the same
+ // calculation that is in CheckKeyUsage to validate that the calculation in
+ // CheckKeyUsage is correct.
+
+ // Test that none of the other non-padding bits are mistaken for the given
+ // key usage in the single-byte value case.
+ NAMED_SIMPLE_KU(notGood, unusedBits,
+ static_cast<uint8_t>((~bits >> unusedBits) << unusedBits));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &notGood, usage));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood, usage));
+
+ // Test that none of the other non-padding bits are mistaken for the given
+ // key usage in the two-byte value case.
+ const uint8_t twoByteNotGoodData[] = {
+ 0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, unusedBits,
+ static_cast<uint8_t>(~bits),
+ static_cast<uint8_t>((0xFFu >> unusedBits) << unusedBits)
+ };
+ Input twoByteNotGood(twoByteNotGoodData);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
+ usage));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood, usage));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, simpleCases)
+{
+ ASSERT_SimpleCase(7, 0x80, KeyUsage::digitalSignature);
+ ASSERT_SimpleCase(6, 0x40, KeyUsage::nonRepudiation);
+ ASSERT_SimpleCase(5, 0x20, KeyUsage::keyEncipherment);
+ ASSERT_SimpleCase(4, 0x10, KeyUsage::dataEncipherment);
+ ASSERT_SimpleCase(3, 0x08, KeyUsage::keyAgreement);
+}
+
+// Only CAs are allowed to assert keyCertSign.
+// End-entity certs may assert it along with other key usages if keyCertSign
+// isn't the required key usage. This is for compatibility.
+TEST_F(pkixcheck_CheckKeyUsage, keyCertSign)
+{
+ NAMED_SIMPLE_KU(good, 2, 0x04);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &good,
+ KeyUsage::keyCertSign));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, &good,
+ KeyUsage::keyCertSign));
+
+ // Test that none of the other non-padding bits are mistaken for the given
+ // key usage in the one-byte value case.
+ NAMED_SIMPLE_KU(notGood, 2, 0xFB);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &notGood,
+ KeyUsage::keyCertSign));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood,
+ KeyUsage::keyCertSign));
+
+ // Test that none of the other non-padding bits are mistaken for the given
+ // key usage in the two-byte value case.
+ static uint8_t twoByteNotGoodData[] = {
+ 0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 2/*unused bits*/, 0xFBu, 0xFCu
+ };
+ static const Input twoByteNotGood(twoByteNotGoodData);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
+ KeyUsage::keyCertSign));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood,
+ KeyUsage::keyCertSign));
+
+ // If an end-entity certificate does assert keyCertSign, this is allowed
+ // as long as that isn't the required key usage.
+ NAMED_SIMPLE_KU(digitalSignatureAndKeyCertSign, 2, 0x84);
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ &digitalSignatureAndKeyCertSign,
+ KeyUsage::digitalSignature));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ &digitalSignatureAndKeyCertSign,
+ KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
+{
+ // single byte control case
+ static uint8_t controlOneValueByteData[] = {
+ 0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80
+ };
+ static const Input controlOneValueByte(controlOneValueByteData);
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ &controlOneValueByte,
+ KeyUsage::digitalSignature));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
+ &controlOneValueByte,
+ KeyUsage::digitalSignature));
+
+ // single-byte test case
+ static uint8_t oneValueByteData[] = {
+ 0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80 | 0x01
+ };
+ static const Input oneValueByte(oneValueByteData);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
+ KeyUsage::digitalSignature));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &oneValueByte,
+ KeyUsage::digitalSignature));
+
+ // two-byte control case
+ static uint8_t controlTwoValueBytesData[] = {
+ 0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
+ 0x80 | 0x01, 0x80
+ };
+ static const Input controlTwoValueBytes(controlTwoValueBytesData);
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+ &controlTwoValueBytes,
+ KeyUsage::digitalSignature));
+ ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
+ &controlTwoValueBytes,
+ KeyUsage::digitalSignature));
+
+ // two-byte test case
+ static uint8_t twoValueBytesData[] = {
+ 0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
+ 0x80 | 0x01, 0x80 | 0x01
+ };
+ static const Input twoValueBytes(twoValueBytesData);
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
+ KeyUsage::digitalSignature));
+ ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoValueBytes,
+ KeyUsage::digitalSignature));
+}
diff --git a/security/pkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp b/security/pkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
new file mode 100644
index 000000000..7ab9d095a
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
@@ -0,0 +1,360 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckSignatureAlgorithm(
+ TrustDomain& trustDomain, EndEntityOrCA endEntityOrCA,
+ Time notBefore,
+ const der::SignedDataWithSignature& signedData,
+ Input signatureValue);
+
+} } // namespace mozilla::pkix
+
+struct CheckSignatureAlgorithmTestParams
+{
+ ByteString signatureAlgorithmValue;
+ ByteString signatureValue;
+ unsigned int signatureLengthInBytes;
+ Result expectedResult;
+};
+
+#define BS(s) ByteString(s, MOZILLA_PKIX_ARRAY_LENGTH(s))
+
+// python DottedOIDToCode.py --tlv sha256WithRSAEncryption 1.2.840.113549.1.1.11
+static const uint8_t tlv_sha256WithRSAEncryption[] = {
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+};
+
+// Same as tlv_sha256WithRSAEncryption, except one without the "0x0b" and with
+// the DER length decreased accordingly.
+static const uint8_t tlv_sha256WithRSAEncryption_truncated[] = {
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv sha-1WithRSAEncryption 1.2.840.113549.1.1.5
+static const uint8_t tlv_sha_1WithRSAEncryption[] = {
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05
+};
+
+// python DottedOIDToCode.py --tlv sha1WithRSASignature 1.3.14.3.2.29
+static const uint8_t tlv_sha1WithRSASignature[] = {
+ 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1d
+};
+
+// python DottedOIDToCode.py --tlv md5WithRSAEncryption 1.2.840.113549.1.1.4
+static const uint8_t tlv_md5WithRSAEncryption[] = {
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04
+};
+
+static const CheckSignatureAlgorithmTestParams
+ CHECKSIGNATUREALGORITHM_TEST_PARAMS[] =
+{
+ { // Both algorithm IDs are empty
+ ByteString(),
+ ByteString(),
+ 2048 / 8,
+ Result::ERROR_BAD_DER,
+ },
+ { // signatureAlgorithm is empty, signature is supported.
+ ByteString(),
+ BS(tlv_sha256WithRSAEncryption),
+ 2048 / 8,
+ Result::ERROR_BAD_DER,
+ },
+ { // signatureAlgorithm is supported, signature is empty.
+ BS(tlv_sha256WithRSAEncryption),
+ ByteString(),
+ 2048 / 8,
+ Result::ERROR_BAD_DER,
+ },
+ { // Algorithms match, both are supported.
+ BS(tlv_sha256WithRSAEncryption),
+ BS(tlv_sha256WithRSAEncryption),
+ 2048 / 8,
+ Success
+ },
+ { // Algorithms do not match because signatureAlgorithm is truncated.
+ BS(tlv_sha256WithRSAEncryption_truncated),
+ BS(tlv_sha256WithRSAEncryption),
+ 2048 / 8,
+ Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ },
+ { // Algorithms do not match because signature is truncated.
+ BS(tlv_sha256WithRSAEncryption),
+ BS(tlv_sha256WithRSAEncryption_truncated),
+ 2048 / 8,
+ Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ },
+ { // Algorithms do not match, both are supported.
+ BS(tlv_sha_1WithRSAEncryption),
+ BS(tlv_sha256WithRSAEncryption),
+ 2048 / 8,
+ Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH,
+ },
+ { // Algorithms do not match, both are supported.
+ BS(tlv_sha256WithRSAEncryption),
+ BS(tlv_sha_1WithRSAEncryption),
+ 2048 / 8,
+ Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH,
+ },
+ { // Algorithms match, both are unsupported.
+ BS(tlv_md5WithRSAEncryption),
+ BS(tlv_md5WithRSAEncryption),
+ 2048 / 8,
+ Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ },
+ { // signatureAlgorithm is unsupported, signature is supported.
+ BS(tlv_md5WithRSAEncryption),
+ BS(tlv_sha256WithRSAEncryption),
+ 2048 / 8,
+ Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ },
+ { // signatureAlgorithm is supported, signature is unsupported.
+ BS(tlv_sha256WithRSAEncryption),
+ BS(tlv_md5WithRSAEncryption),
+ 2048 / 8,
+ Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ },
+ { // Both have the optional NULL parameter.
+ BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+ BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+ 2048 / 8,
+ Success
+ },
+ { // signatureAlgorithm has the optional NULL parameter, signature doesn't.
+ BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+ BS(tlv_sha256WithRSAEncryption),
+ 2048 / 8,
+ Success
+ },
+ { // signatureAlgorithm does not have the optional NULL parameter, signature
+ // does.
+ BS(tlv_sha256WithRSAEncryption),
+ BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+ 2048 / 8,
+ Success
+ },
+ { // The different OIDs for RSA-with-SHA1 we support are semantically
+ // equivalent.
+ BS(tlv_sha1WithRSASignature),
+ BS(tlv_sha_1WithRSAEncryption),
+ 2048 / 8,
+ Success,
+ },
+ { // The different OIDs for RSA-with-SHA1 we support are semantically
+ // equivalent (opposite order).
+ BS(tlv_sha_1WithRSAEncryption),
+ BS(tlv_sha1WithRSASignature),
+ 2048 / 8,
+ Success,
+ },
+ { // Algorithms match, both are supported, key size is not a multile of 128
+ // bits. This test verifies that we're not wrongly rounding up the
+ // signature size like we did in the original patch for bug 1131767.
+ BS(tlv_sha256WithRSAEncryption),
+ BS(tlv_sha256WithRSAEncryption),
+ (2048 / 8) - 1,
+ Success
+ },
+};
+
+class pkixcheck_CheckSignatureAlgorithm
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<CheckSignatureAlgorithmTestParams>
+{
+};
+
+class pkixcheck_CheckSignatureAlgorithm_TrustDomain final
+ : public EverythingFailsByDefaultTrustDomain
+{
+public:
+ explicit pkixcheck_CheckSignatureAlgorithm_TrustDomain(
+ unsigned int publicKeySizeInBits)
+ : publicKeySizeInBits(publicKeySizeInBits)
+ , checkedDigestAlgorithm(false)
+ , checkedModulusSizeInBits(false)
+ {
+ }
+
+ Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA, Time)
+ override
+ {
+ checkedDigestAlgorithm = true;
+ return Success;
+ }
+
+ Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA endEntityOrCA,
+ unsigned int modulusSizeInBits)
+ override
+ {
+ EXPECT_EQ(EndEntityOrCA::MustBeEndEntity, endEntityOrCA);
+ EXPECT_EQ(publicKeySizeInBits, modulusSizeInBits);
+ checkedModulusSizeInBits = true;
+ return Success;
+ }
+
+ const unsigned int publicKeySizeInBits;
+ bool checkedDigestAlgorithm;
+ bool checkedModulusSizeInBits;
+};
+
+TEST_P(pkixcheck_CheckSignatureAlgorithm, CheckSignatureAlgorithm)
+{
+ const Time now(Now());
+ const CheckSignatureAlgorithmTestParams& params(GetParam());
+
+ Input signatureValueInput;
+ ASSERT_EQ(Success,
+ signatureValueInput.Init(params.signatureValue.data(),
+ params.signatureValue.length()));
+
+ pkixcheck_CheckSignatureAlgorithm_TrustDomain
+ trustDomain(params.signatureLengthInBytes * 8);
+
+ der::SignedDataWithSignature signedData;
+ ASSERT_EQ(Success,
+ signedData.algorithm.Init(params.signatureAlgorithmValue.data(),
+ params.signatureAlgorithmValue.length()));
+
+ ByteString dummySignature(params.signatureLengthInBytes, 0xDE);
+ ASSERT_EQ(Success,
+ signedData.signature.Init(dummySignature.data(),
+ dummySignature.length()));
+
+ ASSERT_EQ(params.expectedResult,
+ CheckSignatureAlgorithm(trustDomain, EndEntityOrCA::MustBeEndEntity,
+ now, signedData, signatureValueInput));
+ ASSERT_EQ(params.expectedResult == Success,
+ trustDomain.checkedDigestAlgorithm);
+ ASSERT_EQ(params.expectedResult == Success,
+ trustDomain.checkedModulusSizeInBits);
+}
+
+INSTANTIATE_TEST_CASE_P(
+ pkixcheck_CheckSignatureAlgorithm, pkixcheck_CheckSignatureAlgorithm,
+ testing::ValuesIn(CHECKSIGNATUREALGORITHM_TEST_PARAMS));
+
+class pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain
+ : public DefaultCryptoTrustDomain
+{
+public:
+ explicit pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain(
+ const ByteString& issuer)
+ : issuer(issuer)
+ {
+ }
+
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
+ Input cert, /*out*/ TrustLevel& trustLevel) override
+ {
+ trustLevel = InputEqualsByteString(cert, issuer)
+ ? TrustLevel::TrustAnchor
+ : TrustLevel::InheritsTrust;
+ return Success;
+ }
+
+ Result FindIssuer(Input, IssuerChecker& checker, Time) override
+ {
+ EXPECT_FALSE(ENCODING_FAILED(issuer));
+
+ Input issuerInput;
+ EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
+
+ bool keepGoing;
+ EXPECT_EQ(Success, checker.Check(issuerInput, nullptr, keepGoing));
+ EXPECT_FALSE(keepGoing);
+
+ return Success;
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ /*optional*/ const Input*,
+ /*optional*/ const Input*) override
+ {
+ return Success;
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ return Success;
+ }
+
+ ByteString issuer;
+};
+
+// Test that CheckSignatureAlgorithm actually gets called at some point when
+// BuildCertChain is called.
+TEST_F(pkixcheck_CheckSignatureAlgorithm, BuildCertChain)
+{
+ ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+ ASSERT_TRUE(keyPair.get());
+
+ ByteString issuerExtensions[2];
+ issuerExtensions[0] = CreateEncodedBasicConstraints(true, nullptr,
+ Critical::No);
+ ASSERT_FALSE(ENCODING_FAILED(issuerExtensions[0]));
+
+ ByteString issuer(CreateEncodedCertificate(3,
+ sha256WithRSAEncryption(),
+ CreateEncodedSerialNumber(1),
+ CNToDERName("issuer"),
+ oneDayBeforeNow, oneDayAfterNow,
+ CNToDERName("issuer"),
+ *keyPair,
+ issuerExtensions,
+ *keyPair,
+ sha256WithRSAEncryption()));
+ ASSERT_FALSE(ENCODING_FAILED(issuer));
+
+ ByteString subject(CreateEncodedCertificate(3,
+ sha1WithRSAEncryption(),
+ CreateEncodedSerialNumber(2),
+ CNToDERName("issuer"),
+ oneDayBeforeNow, oneDayAfterNow,
+ CNToDERName("subject"),
+ *keyPair,
+ nullptr,
+ *keyPair,
+ sha256WithRSAEncryption()));
+ ASSERT_FALSE(ENCODING_FAILED(subject));
+
+ Input subjectInput;
+ ASSERT_EQ(Success, subjectInput.Init(subject.data(), subject.length()));
+ pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain
+ trustDomain(issuer);
+ Result rv = BuildCertChain(trustDomain, subjectInput, Now(),
+ EndEntityOrCA::MustBeEndEntity,
+ KeyUsage::noParticularKeyUsageRequired,
+ KeyPurposeId::anyExtendedKeyUsage,
+ CertPolicyId::anyPolicy,
+ nullptr);
+ ASSERT_EQ(Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH, rv);
+}
diff --git a/security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp b/security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
new file mode 100644
index 000000000..a77a2f47c
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
@@ -0,0 +1,127 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixcheck.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static const Time PAST_TIME(YMDHMS(1998, 12, 31, 12, 23, 56));
+
+#define OLDER_GENERALIZEDTIME \
+ 0x18, 15, /* tag, length */ \
+ '1', '9', '9', '9', '0', '1', '0', '1', /* 1999-01-01 */ \
+ '0', '0', '0', '0', '0', '0', 'Z' /* 00:00:00Z */
+
+#define OLDER_UTCTIME \
+ 0x17, 13, /* tag, length */ \
+ '9', '9', '0', '1', '0', '1', /* (19)99-01-01 */ \
+ '0', '0', '0', '0', '0', '0', 'Z' /* 00:00:00Z */
+
+static const Time NOW(YMDHMS(2016, 12, 31, 12, 23, 56));
+
+#define NEWER_GENERALIZEDTIME \
+ 0x18, 15, /* tag, length */ \
+ '2', '0', '2', '1', '0', '1', '0', '1', /* 2021-01-01 */ \
+ '0', '0', '0', '0', '0', '0', 'Z' /* 00:00:00Z */
+
+#define NEWER_UTCTIME \
+ 0x17, 13, /* tag, length */ \
+ '2', '1', '0', '1', '0', '1', /* 2021-01-01 */ \
+ '0', '0', '0', '0', '0', '0', 'Z' /* 00:00:00Z */
+
+static const Time FUTURE_TIME(YMDHMS(2025, 12, 31, 12, 23, 56));
+
+class pkixcheck_CheckValidity : public ::testing::Test { };
+
+static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
+ OLDER_UTCTIME,
+ NEWER_UTCTIME,
+};
+static const Input
+OLDER_UTCTIME_NEWER_UTCTIME(OLDER_UTCTIME_NEWER_UTCTIME_DATA);
+
+TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_UTCTIME)
+{
+ static Time notBefore(Time::uninitialized);
+ static Time notAfter(Time::uninitialized);
+ ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+ ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_GENERALIZEDTIME)
+{
+ static const uint8_t DER[] = {
+ OLDER_GENERALIZEDTIME,
+ NEWER_GENERALIZEDTIME,
+ };
+ static const Input validity(DER);
+ static Time notBefore(Time::uninitialized);
+ static Time notAfter(Time::uninitialized);
+ ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+ ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_UTCTIME)
+{
+ static const uint8_t DER[] = {
+ OLDER_GENERALIZEDTIME,
+ NEWER_UTCTIME,
+ };
+ static const Input validity(DER);
+ static Time notBefore(Time::uninitialized);
+ static Time notAfter(Time::uninitialized);
+ ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+ ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_GENERALIZEDTIME)
+{
+ static const uint8_t DER[] = {
+ OLDER_UTCTIME,
+ NEWER_GENERALIZEDTIME,
+ };
+ static const Input validity(DER);
+ static Time notBefore(Time::uninitialized);
+ static Time notAfter(Time::uninitialized);
+ ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+ ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, InvalidBeforeNotBefore)
+{
+ static Time notBefore(Time::uninitialized);
+ static Time notAfter(Time::uninitialized);
+ ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+ ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE, CheckValidity(PAST_TIME, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, InvalidAfterNotAfter)
+{
+ static Time notBefore(Time::uninitialized);
+ static Time notAfter(Time::uninitialized);
+ ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+ ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(FUTURE_TIME, notBefore, notAfter));
+}
diff --git a/security/pkix/test/gtest/pkixcheck_ParseValidity_tests.cpp b/security/pkix/test/gtest/pkixcheck_ParseValidity_tests.cpp
new file mode 100644
index 000000000..5206ce14f
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_ParseValidity_tests.cpp
@@ -0,0 +1,83 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixcheck.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+#define OLDER_UTCTIME \
+ 0x17, 13, /* tag, length */ \
+ '9', '9', '0', '1', '0', '1', /* (19)99-01-01 */ \
+ '0', '0', '0', '0', '0', '0', 'Z' /* 00:00:00Z */
+
+#define NEWER_UTCTIME \
+ 0x17, 13, /* tag, length */ \
+ '2', '1', '0', '1', '0', '1', /* 2021-01-01 */ \
+ '0', '0', '0', '0', '0', '0', 'Z' /* 00:00:00Z */
+
+static const Time FUTURE_TIME(YMDHMS(2025, 12, 31, 12, 23, 56));
+
+class pkixcheck_ParseValidity : public ::testing::Test { };
+
+TEST_F(pkixcheck_ParseValidity, BothEmptyNull)
+{
+ static const uint8_t DER[] = {
+ 0x17/*UTCTime*/, 0/*length*/,
+ 0x17/*UTCTime*/, 0/*length*/,
+ };
+ static const Input validity(DER);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, NotBeforeEmptyNull)
+{
+ static const uint8_t DER[] = {
+ 0x17/*UTCTime*/, 0x00/*length*/,
+ NEWER_UTCTIME
+ };
+ static const Input validity(DER);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, NotAfterEmptyNull)
+{
+ static const uint8_t DER[] = {
+ NEWER_UTCTIME,
+ 0x17/*UTCTime*/, 0x00/*length*/,
+ };
+ static const Input validity(DER);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, InvalidNotAfterBeforeNotBefore)
+{
+ static const uint8_t DER[] = {
+ NEWER_UTCTIME,
+ OLDER_UTCTIME,
+ };
+ static const Input validity(DER);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
diff --git a/security/pkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp b/security/pkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
new file mode 100644
index 000000000..28db4d150
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
@@ -0,0 +1,114 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+ extern Result TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures,
+ const Input* stapledOCSPResponse);
+} } // namespace mozilla::pkix
+
+struct TLSFeaturesTestParams
+{
+ ByteString requiredTLSFeatures;
+ Result expectedResultWithResponse;
+ Result expectedResultWithoutResponse;
+};
+
+#define BS(s) ByteString(s, MOZILLA_PKIX_ARRAY_LENGTH(s))
+static const uint8_t statusRequest[] = {
+ 0x30, 0x03, 0x02, 0x01, 0x05
+};
+
+static const uint8_t unknown[] = {
+ 0x30, 0x03, 0x02, 0x01, 0x06
+};
+
+static const uint8_t statusRequestAndUnknown[] = {
+ 0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x06
+};
+
+static const uint8_t duplicateStatusRequest[] = {
+ 0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x05
+};
+
+static const uint8_t twoByteUnknown[] = {
+ 0x30, 0x04, 0x02, 0x02, 0x05, 0x05
+};
+
+static const uint8_t zeroByteInteger[] = {
+ 0x30, 0x02, 0x02, 0x00
+};
+
+static const TLSFeaturesTestParams
+ TLSFEATURESSATISFIED_TEST_PARAMS[] =
+{
+ // some tests with checks enforced
+ { ByteString(), Result::ERROR_BAD_DER, Result::ERROR_BAD_DER },
+ { BS(statusRequest), Success, Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+ { BS(unknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+ { BS(statusRequestAndUnknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+ { BS(duplicateStatusRequest), Success,
+ Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+ { BS(twoByteUnknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+ { BS(zeroByteInteger), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+};
+
+class pkixcheck_TLSFeaturesSatisfiedInternal
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<TLSFeaturesTestParams>
+{
+};
+
+TEST_P(pkixcheck_TLSFeaturesSatisfiedInternal, TLSFeaturesSatisfiedInternal) {
+ const TLSFeaturesTestParams& params(GetParam());
+
+ Input featuresInput;
+ ASSERT_EQ(Success, featuresInput.Init(params.requiredTLSFeatures.data(),
+ params.requiredTLSFeatures.length()));
+ Input responseInput;
+ // just create an input with any data in it
+ ByteString stapledOCSPResponse = BS(statusRequest);
+ ASSERT_EQ(Success, responseInput.Init(stapledOCSPResponse.data(),
+ stapledOCSPResponse.length()));
+ // first we omit the response
+ ASSERT_EQ(params.expectedResultWithoutResponse,
+ TLSFeaturesSatisfiedInternal(&featuresInput, nullptr));
+ // then we try again with the response
+ ASSERT_EQ(params.expectedResultWithResponse,
+ TLSFeaturesSatisfiedInternal(&featuresInput, &responseInput));
+}
+
+INSTANTIATE_TEST_CASE_P(
+ pkixcheck_TLSFeaturesSatisfiedInternal,
+ pkixcheck_TLSFeaturesSatisfiedInternal,
+ testing::ValuesIn(TLSFEATURESSATISFIED_TEST_PARAMS));
diff --git a/security/pkix/test/gtest/pkixder_input_tests.cpp b/security/pkix/test/gtest/pkixder_input_tests.cpp
new file mode 100644
index 000000000..b0a6c8bf0
--- /dev/null
+++ b/security/pkix/test/gtest/pkixder_input_tests.cpp
@@ -0,0 +1,920 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <vector>
+#include "pkixgtest.h"
+
+#include "pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+
+namespace {
+
+class pkixder_input_tests : public ::testing::Test { };
+
+static const uint8_t DER_SEQUENCE_EMPTY[] = {
+ 0x30, // SEQUENCE
+ 0x00, // length
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY[] = {
+ 0x30, // SEQUENCE
+ 0x01, // length
+ 'X', // value
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY_VALUE[] = {
+ 'X', // value
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED[] = {
+ 0x30, // SEQUENCE
+ 0x01, // length
+};
+
+const uint8_t DER_SEQUENCE_OF_INT8[] = {
+ 0x30, // SEQUENCE
+ 0x09, // length
+ 0x02, 0x01, 0x01, // INTEGER length 1 value 0x01
+ 0x02, 0x01, 0x02, // INTEGER length 1 value 0x02
+ 0x02, 0x01, 0x03 // INTEGER length 1 value 0x03
+};
+
+const uint8_t DER_TRUNCATED_SEQUENCE_OF_INT8[] = {
+ 0x30, // SEQUENCE
+ 0x09, // length
+ 0x02, 0x01, 0x01, // INTEGER length 1 value 0x01
+ 0x02, 0x01, 0x02 // INTEGER length 1 value 0x02
+ // MISSING DATA HERE ON PURPOSE
+};
+
+const uint8_t DER_OVERRUN_SEQUENCE_OF_INT8[] = {
+ 0x30, // SEQUENCE
+ 0x09, // length
+ 0x02, 0x01, 0x01, // INTEGER length 1 value 0x01
+ 0x02, 0x01, 0x02, // INTEGER length 1 value 0x02
+ 0x02, 0x02, 0xFF, 0x03 // INTEGER length 2 value 0xFF03
+};
+
+const uint8_t DER_INT16[] = {
+ 0x02, // INTEGER
+ 0x02, // length
+ 0x12, 0x34 // 0x1234
+};
+
+static const Input EMPTY_INPUT;
+
+TEST_F(pkixder_input_tests, InputInit)
+{
+ Input buf;
+ ASSERT_EQ(Success,
+ buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+}
+
+TEST_F(pkixder_input_tests, InputInitWithNullPointerOrZeroLength)
+{
+ Input buf;
+ ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 0));
+
+ ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 100));
+
+ // Though it seems odd to initialize with zero-length and non-null ptr, this
+ // is working as intended. The Reader class was intended to protect against
+ // buffer overflows, and there's no risk with the current behavior. See bug
+ // 1000354.
+ ASSERT_EQ(Success, buf.Init((const uint8_t*) "hello", 0));
+ ASSERT_TRUE(buf.GetLength() == 0);
+}
+
+TEST_F(pkixder_input_tests, InputInitWithLargeData)
+{
+ Input buf;
+ // Data argument length does not matter, it is not touched, just
+ // needs to be non-null
+ ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init((const uint8_t*) "", 0xffff+1));
+
+ ASSERT_EQ(Success, buf.Init((const uint8_t*) "", 0xffff));
+}
+
+TEST_F(pkixder_input_tests, InputInitMultipleTimes)
+{
+ Input buf;
+
+ ASSERT_EQ(Success,
+ buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+
+ ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS,
+ buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+}
+
+TEST_F(pkixder_input_tests, PeekWithinBounds)
+{
+ const uint8_t der[] = { 0x11, 0x11 };
+ Input buf(der);
+ Reader input(buf);
+ ASSERT_TRUE(input.Peek(0x11));
+ ASSERT_FALSE(input.Peek(0x22));
+}
+
+TEST_F(pkixder_input_tests, PeekPastBounds)
+{
+ const uint8_t der[] = { 0x11, 0x22 };
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 1));
+ Reader input(buf);
+
+ uint8_t readByte;
+ ASSERT_EQ(Success, input.Read(readByte));
+ ASSERT_EQ(0x11, readByte);
+ ASSERT_FALSE(input.Peek(0x22));
+}
+
+TEST_F(pkixder_input_tests, ReadByte)
+{
+ const uint8_t der[] = { 0x11, 0x22 };
+ Input buf(der);
+ Reader input(buf);
+
+ uint8_t readByte1;
+ ASSERT_EQ(Success, input.Read(readByte1));
+ ASSERT_EQ(0x11, readByte1);
+
+ uint8_t readByte2;
+ ASSERT_EQ(Success, input.Read(readByte2));
+ ASSERT_EQ(0x22, readByte2);
+}
+
+TEST_F(pkixder_input_tests, ReadBytePastEnd)
+{
+ const uint8_t der[] = { 0x11, 0x22 };
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 1));
+ Reader input(buf);
+
+ uint8_t readByte1 = 0;
+ ASSERT_EQ(Success, input.Read(readByte1));
+ ASSERT_EQ(0x11, readByte1);
+
+ uint8_t readByte2 = 0;
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readByte2));
+ ASSERT_NE(0x22, readByte2);
+}
+
+TEST_F(pkixder_input_tests, ReadByteWrapAroundPointer)
+{
+ // The original implementation of our buffer read overflow checks was
+ // susceptible to integer overflows which could make the checks ineffective.
+ // This attempts to verify that we've fixed that. Unfortunately, decrementing
+ // a null pointer is undefined behavior according to the C++ language spec.,
+ // but this should catch the problem on at least some compilers, if not all of
+ // them.
+ const uint8_t* der = nullptr;
+ --der;
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 0));
+ Reader input(buf);
+
+ uint8_t b;
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
+}
+
+TEST_F(pkixder_input_tests, ReadWord)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ uint16_t readWord1 = 0;
+ ASSERT_EQ(Success, input.Read(readWord1));
+ ASSERT_EQ(0x1122, readWord1);
+
+ uint16_t readWord2 = 0;
+ ASSERT_EQ(Success, input.Read(readWord2));
+ ASSERT_EQ(0x3344, readWord2);
+}
+
+TEST_F(pkixder_input_tests, ReadWordPastEnd)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 2)); // Initialize with too-short length
+ Reader input(buf);
+
+ uint16_t readWord1 = 0;
+ ASSERT_EQ(Success, input.Read(readWord1));
+ ASSERT_EQ(0x1122, readWord1);
+
+ uint16_t readWord2 = 0;
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord2));
+ ASSERT_NE(0x3344, readWord2);
+}
+
+TEST_F(pkixder_input_tests, ReadWordWithInsufficentData)
+{
+ const uint8_t der[] = { 0x11, 0x22 };
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 1));
+ Reader input(buf);
+
+ uint16_t readWord1 = 0;
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord1));
+ ASSERT_NE(0x1122, readWord1);
+}
+
+TEST_F(pkixder_input_tests, ReadWordWrapAroundPointer)
+{
+ // The original implementation of our buffer read overflow checks was
+ // susceptible to integer overflows which could make the checks ineffective.
+ // This attempts to verify that we've fixed that. Unfortunately, decrementing
+ // a null pointer is undefined behavior according to the C++ language spec.,
+ // but this should catch the problem on at least some compilers, if not all of
+ // them.
+ const uint8_t* der = nullptr;
+ --der;
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 0));
+ Reader input(buf);
+ uint16_t b;
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
+}
+
+TEST_F(pkixder_input_tests, Skip)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ ASSERT_EQ(Success, input.Skip(1));
+
+ uint8_t readByte1 = 0;
+ ASSERT_EQ(Success, input.Read(readByte1));
+ ASSERT_EQ(0x22, readByte1);
+
+ ASSERT_EQ(Success, input.Skip(1));
+
+ uint8_t readByte2 = 0;
+ ASSERT_EQ(Success, input.Read(readByte2));
+ ASSERT_EQ(0x44, readByte2);
+}
+
+TEST_F(pkixder_input_tests, Skip_ToEnd)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+ ASSERT_EQ(Success, input.Skip(sizeof der));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, Skip_PastEnd)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToNewInput)
+{
+ const uint8_t der[] = { 0x01, 0x02, 0x03, 0x04 };
+ Input buf(der);
+ Reader input(buf);
+
+ Reader skippedInput;
+ ASSERT_EQ(Success, input.Skip(3, skippedInput));
+
+ uint8_t readByte1 = 0;
+ ASSERT_EQ(Success, input.Read(readByte1));
+ ASSERT_EQ(0x04, readByte1);
+
+ ASSERT_TRUE(input.AtEnd());
+
+ // Reader has no Remaining() or Length() so we simply read the bytes
+ // and then expect to be at the end.
+
+ for (uint8_t i = 1; i <= 3; ++i) {
+ uint8_t readByte = 0;
+ ASSERT_EQ(Success, skippedInput.Read(readByte));
+ ASSERT_EQ(i, readByte);
+ }
+
+ ASSERT_TRUE(skippedInput.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, Skip_ToNewInputPastEnd)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ Reader skippedInput;
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der * 2, skippedInput));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToInput)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
+
+ Input item;
+ ASSERT_EQ(Success, input.Skip(sizeof expectedItemData, item));
+
+ Input expected(expectedItemData);
+ ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_input_tests, Skip_WrapAroundPointer)
+{
+ // The original implementation of our buffer read overflow checks was
+ // susceptible to integer overflows which could make the checks ineffective.
+ // This attempts to verify that we've fixed that. Unfortunately, decrementing
+ // a null pointer is undefined behavior according to the C++ language spec.,
+ // but this should catch the problem on at least some compilers, if not all of
+ // them.
+ const uint8_t* der = nullptr;
+ --der;
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 0));
+ Reader input(buf);
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(1));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToInputPastEnd)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ Input skipped;
+ ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1, skipped));
+}
+
+TEST_F(pkixder_input_tests, SkipToEnd_ToInput)
+{
+ static const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ Input skipped;
+ ASSERT_EQ(Success, input.SkipToEnd(skipped));
+}
+
+TEST_F(pkixder_input_tests, SkipToEnd_ToInput_InputAlreadyInited)
+{
+ static const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ static const uint8_t initialValue[] = { 0x01, 0x02, 0x03 };
+ Input x(initialValue);
+ // Fails because skipped was already initialized once, and Inputs are not
+ // allowed to be Init()d multiple times.
+ ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.SkipToEnd(x));
+ ASSERT_TRUE(InputsAreEqual(x, Input(initialValue)));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValue)
+{
+ Input buf(DER_SEQUENCE_OF_INT8);
+ Reader input(buf);
+
+ ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
+ ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithTruncatedData)
+{
+ Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+ Reader input(buf);
+
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndSkipValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithOverrunData)
+{
+ Input buf(DER_OVERRUN_SEQUENCE_OF_INT8);
+ Reader input(buf);
+ ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
+ ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+TEST_F(pkixder_input_tests, AtEndOnUnInitializedInput)
+{
+ Reader input;
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, AtEndAtBeginning)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+ ASSERT_FALSE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, AtEndAtEnd)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+ ASSERT_EQ(Success, input.Skip(sizeof der));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, MarkAndGetInput)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ Reader::Mark mark = input.GetMark();
+
+ const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
+
+ ASSERT_EQ(Success, input.Skip(sizeof expectedItemData));
+
+ Input item;
+ ASSERT_EQ(Success, input.GetInput(mark, item));
+ Input expected(expectedItemData);
+ ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+// Cannot run this test on debug builds because of the NotReached
+#ifdef NDEBUG
+TEST_F(pkixder_input_tests, MarkAndGetInputDifferentInput)
+{
+ const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+ Input buf(der);
+ Reader input(buf);
+
+ Reader another;
+ Reader::Mark mark = another.GetMark();
+
+ ASSERT_EQ(Success, input.Skip(3));
+
+ Input item;
+ ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.GetInput(mark, item));
+}
+#endif
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_AtEnd)
+{
+ Reader input(EMPTY_INPUT);
+ uint8_t tag;
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_TruncatedAfterTag)
+{
+ static const uint8_t DER[] = { SEQUENCE };
+ Input buf(DER);
+ Reader input(buf);
+ uint8_t tag;
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_ValidEmpty)
+{
+ Input buf(DER_SEQUENCE_EMPTY);
+ Reader input(buf);
+ uint8_t tag = 0;
+ Input value;
+ ASSERT_EQ(Success, ReadTagAndGetValue(input, tag, value));
+ ASSERT_EQ(SEQUENCE, tag);
+ ASSERT_EQ(0u, value.GetLength());
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_ValidNotEmpty)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ uint8_t tag = 0;
+ Input value;
+ ASSERT_EQ(Success, ReadTagAndGetValue(input, tag, value));
+ ASSERT_EQ(SEQUENCE, tag);
+ Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
+ ASSERT_TRUE(InputsAreEqual(expected, value));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+ ReadTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+ Reader input(buf);
+ uint8_t tag;
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidWrongLength)
+{
+ Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+ Reader input(buf);
+ uint8_t tag;
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm1)
+{
+ // High tag number form is not allowed (illegal 1 byte tag)
+ //
+ // If the decoder treats 0x1F as a valid low tag number tag, then it will
+ // treat the actual tag (1) as a length, and then it will return Success
+ // with value == { 0x00 } and tag == 0x1f.
+ //
+ // It is illegal to encode tag 1 in the high tag number form because it isn't
+ // the shortest encoding (the low tag number form is).
+ static const uint8_t DER[] = {
+ 0x1F, // high tag number form indicator
+ 1, // tag 1 (not legal!)
+ 0 // length zero
+ };
+ Input buf(DER);
+ Reader input(buf);
+ uint8_t tag;
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm2)
+{
+ // High tag number form is not allowed (legal 1 byte tag).
+ //
+ // ReadTagAndGetValue's check to prohibit the high tag number form has no
+ // effect on whether this test passes or fails, because ReadTagAndGetValue
+ // will interpret the second byte (31) as a length, and the input doesn't
+ // have 31 bytes following it. This test is here to guard against the case
+ // where somebody actually implements high tag number form parsing, to remind
+ // that person that they need to add tests here, including in particular
+ // tests for overly-long encodings.
+ static const uint8_t DER[] = {
+ 0x1F, // high tag number form indicator
+ 31, // tag 31
+ 0 // length zero
+ };
+ Input buf(DER);
+ Reader input(buf);
+ uint8_t tag;
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm3)
+{
+ // High tag number form is not allowed (2 byte legal tag)
+ //
+ // ReadTagAndGetValue's check to prohibit the high tag number form has no
+ // effect on whether this test passes or fails, because ReadTagAndGetValue
+ // will interpret the second byte as a length, and the input doesn't have
+ // that many bytes following it. This test is here to guard against the case
+ // where somebody actually implements high tag number form parsing, to remind
+ // that person that they need to add tests here, including in particular
+ // tests for overly-long encodings.
+ static const uint8_t DER[] = {
+ 0x1F, // high tag number form indicator
+ 0x80 | 0x01, 0x00, // tag 0x100 (256)
+ 0 // length zero
+ };
+ Input buf(DER);
+ Reader input(buf);
+ uint8_t tag;
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidEmpty)
+{
+ Input buf(DER_SEQUENCE_EMPTY);
+ Reader input(buf);
+ Reader value;
+ ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+ ASSERT_TRUE(value.AtEnd());
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidNotEmpty)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ Reader value;
+ ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+ ASSERT_TRUE(value.MatchRest(DER_SEQUENCE_NOT_EMPTY_VALUE));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+ ExpectTagAndGetValue_Reader_InvalidNotEmptyValueTruncated)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+ Reader input(buf);
+ Reader value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongLength)
+{
+ Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+ Reader input(buf);
+ Reader value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongTag)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ Reader value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ExpectTagAndGetValue(input, INTEGER, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidEmpty)
+{
+ Input buf(DER_SEQUENCE_EMPTY);
+ Reader input(buf);
+ Input value;
+ ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+ ASSERT_EQ(0u, value.GetLength());
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidNotEmpty)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ Input value;
+ ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+ Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
+ ASSERT_TRUE(InputsAreEqual(expected, value));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+ ExpectTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+ Reader input(buf);
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongLength)
+{
+ Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+ Reader input(buf);
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongTag)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ Input value;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ ExpectTagAndGetValue(input, INTEGER, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_ValidEmpty)
+{
+ Input buf(DER_SEQUENCE_EMPTY);
+ Reader input(buf);
+ ASSERT_EQ(Success, ExpectTagAndEmptyValue(input, SEQUENCE));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InValidNotEmpty)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests,
+ ExpectTagAndEmptyValue_Input_InvalidNotEmptyValueTruncated)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+ Reader input(buf);
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InvalidWrongLength)
+{
+ Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+ Reader input(buf);
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InvalidWrongTag)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, INTEGER));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidEmpty)
+{
+ Input buf(DER_SEQUENCE_EMPTY);
+ Reader input(buf);
+ Input tlv;
+ ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+ Input expected(DER_SEQUENCE_EMPTY);
+ ASSERT_TRUE(InputsAreEqual(expected, tlv));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidNotEmpty)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ Input tlv;
+ ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+ Input expected(DER_SEQUENCE_NOT_EMPTY);
+ ASSERT_TRUE(InputsAreEqual(expected, tlv));
+ ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+ ExpectTagAndGetTLV_Input_InvalidNotEmptyValueTruncated)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+ Reader input(buf);
+ Input tlv;
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongLength)
+{
+ Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+ Reader input(buf);
+ Input tlv;
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongTag)
+{
+ Input buf(DER_SEQUENCE_NOT_EMPTY);
+ Reader input(buf);
+ Input tlv;
+ ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, INTEGER, tlv));
+}
+
+TEST_F(pkixder_input_tests, EndAtEnd)
+{
+ Input buf(DER_INT16);
+ Reader input(buf);
+ ASSERT_EQ(Success, input.Skip(4));
+ ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, EndBeforeEnd)
+{
+ Input buf(DER_INT16);
+ Reader input(buf);
+ ASSERT_EQ(Success, input.Skip(2));
+ ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+TEST_F(pkixder_input_tests, EndAtBeginning)
+{
+ Input buf(DER_INT16);
+ Reader input(buf);
+ ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+// TODO: Need tests for Nested too?
+
+Result NestedOfHelper(Reader& input, std::vector<uint8_t>& readValues)
+{
+ uint8_t value = 0;
+ Result rv = input.Read(value);
+ EXPECT_EQ(Success, rv);
+ if (rv != Success) {
+ return rv;
+ }
+ readValues.push_back(value);
+ return Success;
+}
+
+TEST_F(pkixder_input_tests, NestedOf)
+{
+ Input buf(DER_SEQUENCE_OF_INT8);
+ Reader input(buf);
+
+ std::vector<uint8_t> readValues;
+ ASSERT_EQ(Success,
+ NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
+ [&readValues](Reader& r) {
+ return NestedOfHelper(r, readValues);
+ }));
+ ASSERT_EQ(3u, readValues.size());
+ ASSERT_EQ(0x01, readValues[0]);
+ ASSERT_EQ(0x02, readValues[1]);
+ ASSERT_EQ(0x03, readValues[2]);
+ ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, NestedOfWithTruncatedData)
+{
+ Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+ Reader input(buf);
+
+ std::vector<uint8_t> readValues;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
+ [&readValues](Reader& r) {
+ return NestedOfHelper(r, readValues);
+ }));
+ ASSERT_EQ(0u, readValues.size());
+}
+
+TEST_F(pkixder_input_tests, MatchRestAtEnd)
+{
+ static const uint8_t der[1] = { };
+ Input buf;
+ ASSERT_EQ(Success, buf.Init(der, 0));
+ Reader input(buf);
+ ASSERT_TRUE(input.AtEnd());
+ static const uint8_t toMatch[] = { 1 };
+ ASSERT_FALSE(input.MatchRest(toMatch));
+}
+
+TEST_F(pkixder_input_tests, MatchRest1Match)
+{
+ static const uint8_t der[] = { 1 };
+ Input buf(der);
+ Reader input(buf);
+ ASSERT_FALSE(input.AtEnd());
+ ASSERT_TRUE(input.MatchRest(der));
+}
+
+TEST_F(pkixder_input_tests, MatchRest1Mismatch)
+{
+ static const uint8_t der[] = { 1 };
+ Input buf(der);
+ Reader input(buf);
+ static const uint8_t toMatch[] = { 2 };
+ ASSERT_FALSE(input.MatchRest(toMatch));
+ ASSERT_FALSE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, MatchRest2WithTrailingByte)
+{
+ static const uint8_t der[] = { 1, 2, 3 };
+ Input buf(der);
+ Reader input(buf);
+ static const uint8_t toMatch[] = { 1, 2 };
+ ASSERT_FALSE(input.MatchRest(toMatch));
+}
+
+TEST_F(pkixder_input_tests, MatchRest2Mismatch)
+{
+ static const uint8_t der[] = { 1, 2, 3 };
+ Input buf(der);
+ Reader input(buf);
+ static const uint8_t toMatchMismatch[] = { 1, 3 };
+ ASSERT_FALSE(input.MatchRest(toMatchMismatch));
+ ASSERT_TRUE(input.MatchRest(der));
+}
+
+} // namespace
diff --git a/security/pkix/test/gtest/pkixder_pki_types_tests.cpp b/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
new file mode 100644
index 000000000..e40c2a4c3
--- /dev/null
+++ b/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
@@ -0,0 +1,479 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <vector>
+
+#include "pkixgtest.h"
+#include "pkix/pkixtypes.h"
+#include "pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+
+class pkixder_pki_types_tests : public ::testing::Test { };
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumber)
+{
+ const uint8_t DER_CERT_SERIAL[] = {
+ 0x02, // INTEGER
+ 8, // length
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
+ };
+ Input input(DER_CERT_SERIAL);
+ Reader reader(input);
+
+ Input item;
+ ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+
+ Input expected;
+ ASSERT_EQ(Success,
+ expected.Init(DER_CERT_SERIAL + 2, sizeof DER_CERT_SERIAL - 2));
+ ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberLongest)
+{
+ const uint8_t DER_CERT_SERIAL_LONGEST[] = {
+ 0x02, // INTEGER
+ 20, // length
+ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
+ };
+ Input input(DER_CERT_SERIAL_LONGEST);
+ Reader reader(input);
+
+ Input item;
+ ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+
+ Input expected;
+ ASSERT_EQ(Success,
+ expected.Init(DER_CERT_SERIAL_LONGEST + 2,
+ sizeof DER_CERT_SERIAL_LONGEST - 2));
+ ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberCrazyLong)
+{
+ const uint8_t DER_CERT_SERIAL_CRAZY_LONG[] = {
+ 0x02, // INTEGER
+ 32, // length
+ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
+ 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
+ };
+ Input input(DER_CERT_SERIAL_CRAZY_LONG);
+ Reader reader(input);
+
+ Input item;
+ ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberZeroLength)
+{
+ const uint8_t DER_CERT_SERIAL_ZERO_LENGTH[] = {
+ 0x02, // INTEGER
+ 0x00 // length
+ };
+ Input input(DER_CERT_SERIAL_ZERO_LENGTH);
+ Reader reader(input);
+
+ Input item;
+ ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING,
+ CertificateSerialNumber(reader, item));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingAllowed)
+{
+ const uint8_t DER_OPTIONAL_VERSION_V1[] = {
+ 0xa0, 0x03, // context specific 0
+ 0x02, 0x01, 0x00 // INTEGER(0)
+ };
+ Input input(DER_OPTIONAL_VERSION_V1);
+ Reader reader(input);
+
+ // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
+ // do here for compatibility reasons.
+ // Version version;
+ // ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+ der::Version version = der::Version::v3;
+ ASSERT_EQ(Success, OptionalVersion(reader, version));
+ ASSERT_EQ(der::Version::v1, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV2)
+{
+ const uint8_t DER_OPTIONAL_VERSION_V2[] = {
+ 0xa0, 0x03, // context specific 0
+ 0x02, 0x01, 0x01 // INTEGER(1)
+ };
+ Input input(DER_OPTIONAL_VERSION_V2);
+ Reader reader(input);
+
+ der::Version version = der::Version::v1;
+ ASSERT_EQ(Success, OptionalVersion(reader, version));
+ ASSERT_EQ(der::Version::v2, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV3)
+{
+ const uint8_t DER_OPTIONAL_VERSION_V3[] = {
+ 0xa0, 0x03, // context specific 0
+ 0x02, 0x01, 0x02 // INTEGER(2)
+ };
+ Input input(DER_OPTIONAL_VERSION_V3);
+ Reader reader(input);
+
+ der::Version version = der::Version::v1;
+ ASSERT_EQ(Success, OptionalVersion(reader, version));
+ ASSERT_EQ(der::Version::v3, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionUnknown)
+{
+ const uint8_t DER_OPTIONAL_VERSION_INVALID[] = {
+ 0xa0, 0x03, // context specific 0
+ 0x02, 0x01, 0x42 // INTEGER(0x42)
+ };
+ Input input(DER_OPTIONAL_VERSION_INVALID);
+ Reader reader(input);
+
+ der::Version version = der::Version::v1;
+ ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionInvalidTooLong)
+{
+ const uint8_t DER_OPTIONAL_VERSION_INVALID_TOO_LONG[] = {
+ 0xa0, 0x03, // context specific 0
+ 0x02, 0x02, 0x12, 0x34 // INTEGER(0x1234)
+ };
+ Input input(DER_OPTIONAL_VERSION_INVALID_TOO_LONG);
+ Reader reader(input);
+
+ der::Version version;
+ ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionMissing)
+{
+ const uint8_t DER_OPTIONAL_VERSION_MISSING[] = {
+ 0x02, 0x11, 0x22 // INTEGER
+ };
+ Input input(DER_OPTIONAL_VERSION_MISSING);
+ Reader reader(input);
+
+ der::Version version = der::Version::v3;
+ ASSERT_EQ(Success, OptionalVersion(reader, version));
+ ASSERT_EQ(der::Version::v1, version);
+}
+
+static const size_t MAX_ALGORITHM_OID_DER_LENGTH = 13;
+
+struct InvalidAlgorithmIdentifierTestInfo
+{
+ uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+ size_t derLength;
+};
+
+struct ValidDigestAlgorithmIdentifierTestInfo
+{
+ DigestAlgorithm algorithm;
+ uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+ size_t derLength;
+};
+
+class pkixder_DigestAlgorithmIdentifier_Valid
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<ValidDigestAlgorithmIdentifierTestInfo>
+{
+};
+
+static const ValidDigestAlgorithmIdentifierTestInfo
+ VALID_DIGEST_ALGORITHM_TEST_INFO[] =
+{
+ { DigestAlgorithm::sha512,
+ { 0x30, 0x0b, 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 },
+ 13
+ },
+ { DigestAlgorithm::sha384,
+ { 0x30, 0x0b, 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 },
+ 13
+ },
+ { DigestAlgorithm::sha256,
+ { 0x30, 0x0b, 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 },
+ 13
+ },
+ { DigestAlgorithm::sha1,
+ { 0x30, 0x07, 0x06, 0x05,
+ 0x2b, 0x0e, 0x03, 0x02, 0x1a },
+ 9
+ },
+};
+
+TEST_P(pkixder_DigestAlgorithmIdentifier_Valid, Valid)
+{
+ const ValidDigestAlgorithmIdentifierTestInfo& param(GetParam());
+
+ {
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+ Reader reader(input);
+ DigestAlgorithm alg;
+ ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
+ ASSERT_EQ(param.algorithm, alg);
+ ASSERT_EQ(Success, End(reader));
+ }
+
+ {
+ uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
+ memcpy(derWithNullParam, param.der, param.derLength);
+ derWithNullParam[1] += 2; // we're going to expand the value by 2 bytes
+ derWithNullParam[param.derLength] = 0x05; // NULL tag
+ derWithNullParam[param.derLength + 1] = 0x00; // length zero
+
+ Input input;
+ ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+ Reader reader(input);
+ DigestAlgorithm alg;
+ ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
+ ASSERT_EQ(param.algorithm, alg);
+ ASSERT_EQ(Success, End(reader));
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixder_DigestAlgorithmIdentifier_Valid,
+ pkixder_DigestAlgorithmIdentifier_Valid,
+ testing::ValuesIn(VALID_DIGEST_ALGORITHM_TEST_INFO));
+
+class pkixder_DigestAlgorithmIdentifier_Invalid
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<InvalidAlgorithmIdentifierTestInfo>
+{
+};
+
+static const InvalidAlgorithmIdentifierTestInfo
+ INVALID_DIGEST_ALGORITHM_TEST_INFO[] =
+{
+ { // MD5
+ { 0x30, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05 },
+ 12,
+ },
+ { // ecdsa-with-SHA256 (1.2.840.10045.4.3.2) (not a hash algorithm)
+ { 0x30, 0x0a, 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 },
+ 12,
+ },
+};
+
+TEST_P(pkixder_DigestAlgorithmIdentifier_Invalid, Invalid)
+{
+ const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+ Reader reader(input);
+ DigestAlgorithm alg;
+ ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
+ DigestAlgorithmIdentifier(reader, alg));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixder_DigestAlgorithmIdentifier_Invalid,
+ pkixder_DigestAlgorithmIdentifier_Invalid,
+ testing::ValuesIn(INVALID_DIGEST_ALGORITHM_TEST_INFO));
+
+struct ValidSignatureAlgorithmIdentifierValueTestInfo
+{
+ PublicKeyAlgorithm publicKeyAlg;
+ DigestAlgorithm digestAlg;
+ uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+ size_t derLength;
+};
+
+static const ValidSignatureAlgorithmIdentifierValueTestInfo
+ VALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO[] =
+{
+ // ECDSA
+ { PublicKeyAlgorithm::ECDSA,
+ DigestAlgorithm::sha512,
+ { 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04 },
+ 10,
+ },
+ { PublicKeyAlgorithm::ECDSA,
+ DigestAlgorithm::sha384,
+ { 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03 },
+ 10,
+ },
+ { PublicKeyAlgorithm::ECDSA,
+ DigestAlgorithm::sha256,
+ { 0x06, 0x08,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 },
+ 10,
+ },
+ { PublicKeyAlgorithm::ECDSA,
+ DigestAlgorithm::sha1,
+ { 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01 },
+ 9,
+ },
+
+ // RSA
+ { PublicKeyAlgorithm::RSA_PKCS1,
+ DigestAlgorithm::sha512,
+ { 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d },
+ 11,
+ },
+ { PublicKeyAlgorithm::RSA_PKCS1,
+ DigestAlgorithm::sha384,
+ { 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c },
+ 11,
+ },
+ { PublicKeyAlgorithm::RSA_PKCS1,
+ DigestAlgorithm::sha256,
+ { 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b },
+ 11,
+ },
+ { PublicKeyAlgorithm::RSA_PKCS1,
+ DigestAlgorithm::sha1,
+ // IETF Standard OID
+ { 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05 },
+ 11,
+ },
+ { PublicKeyAlgorithm::RSA_PKCS1,
+ DigestAlgorithm::sha1,
+ // Legacy OIW OID (bug 1042479)
+ { 0x06, 0x05,
+ 0x2b, 0x0e, 0x03, 0x02, 0x1d },
+ 7,
+ },
+};
+
+class pkixder_SignatureAlgorithmIdentifierValue_Valid
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<
+ ValidSignatureAlgorithmIdentifierValueTestInfo>
+{
+};
+
+TEST_P(pkixder_SignatureAlgorithmIdentifierValue_Valid, Valid)
+{
+ const ValidSignatureAlgorithmIdentifierValueTestInfo& param(GetParam());
+
+ {
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+ Reader reader(input);
+ PublicKeyAlgorithm publicKeyAlg;
+ DigestAlgorithm digestAlg;
+ ASSERT_EQ(Success,
+ SignatureAlgorithmIdentifierValue(reader, publicKeyAlg,
+ digestAlg));
+ ASSERT_EQ(param.publicKeyAlg, publicKeyAlg);
+ ASSERT_EQ(param.digestAlg, digestAlg);
+ ASSERT_EQ(Success, End(reader));
+ }
+
+ {
+ uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
+ memcpy(derWithNullParam, param.der, param.derLength);
+ derWithNullParam[param.derLength] = 0x05; // NULL tag
+ derWithNullParam[param.derLength + 1] = 0x00; // length zero
+
+ Input input;
+ ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+ Reader reader(input);
+ PublicKeyAlgorithm publicKeyAlg;
+ DigestAlgorithm digestAlg;
+ ASSERT_EQ(Success,
+ SignatureAlgorithmIdentifierValue(reader, publicKeyAlg,
+ digestAlg));
+ ASSERT_EQ(param.publicKeyAlg, publicKeyAlg);
+ ASSERT_EQ(param.digestAlg, digestAlg);
+ ASSERT_EQ(Success, End(reader));
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(
+ pkixder_SignatureAlgorithmIdentifierValue_Valid,
+ pkixder_SignatureAlgorithmIdentifierValue_Valid,
+ testing::ValuesIn(VALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO));
+
+static const InvalidAlgorithmIdentifierTestInfo
+ INVALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO[] =
+{
+ // id-dsa-with-sha256 (2.16.840.1.101.3.4.3.2)
+ { { 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02 },
+ 11,
+ },
+
+ // id-dsa-with-sha1 (1.2.840.10040.4.3)
+ { { 0x06, 0x07,
+ 0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03 },
+ 9,
+ },
+
+ // RSA-with-MD5 (1.2.840.113549.1.1.4)
+ { { 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04 },
+ 11,
+ },
+
+ // id-sha256 (2.16.840.1.101.3.4.2.1). It is invalid because SHA-256 is not
+ // a signature algorithm.
+ { { 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 },
+ 11,
+ },
+};
+
+class pkixder_SignatureAlgorithmIdentifier_Invalid
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<InvalidAlgorithmIdentifierTestInfo>
+{
+};
+
+TEST_P(pkixder_SignatureAlgorithmIdentifier_Invalid, Invalid)
+{
+ const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+ Reader reader(input);
+ der::PublicKeyAlgorithm publicKeyAlg;
+ DigestAlgorithm digestAlg;
+ ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+ SignatureAlgorithmIdentifierValue(reader, publicKeyAlg, digestAlg));
+}
+
+INSTANTIATE_TEST_CASE_P(
+ pkixder_SignatureAlgorithmIdentifier_Invalid,
+ pkixder_SignatureAlgorithmIdentifier_Invalid,
+ testing::ValuesIn(INVALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO));
diff --git a/security/pkix/test/gtest/pkixder_universal_types_tests.cpp b/security/pkix/test/gtest/pkixder_universal_types_tests.cpp
new file mode 100644
index 000000000..bf4175bac
--- /dev/null
+++ b/security/pkix/test/gtest/pkixder_universal_types_tests.cpp
@@ -0,0 +1,1220 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <limits>
+#include <stdint.h>
+#include <vector>
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+using namespace mozilla::pkix::test;
+using namespace std;
+
+class pkixder_universal_types_tests : public ::testing::Test { };
+
+TEST_F(pkixder_universal_types_tests, BooleanTrue01)
+{
+ const uint8_t DER_BOOLEAN_TRUE_01[] = {
+ 0x01, // BOOLEAN
+ 0x01, // length
+ 0x01 // invalid
+ };
+ Input input(DER_BOOLEAN_TRUE_01);
+ Reader reader(input);
+ bool value = false;
+ ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanTrue42)
+{
+ const uint8_t DER_BOOLEAN_TRUE_42[] = {
+ 0x01, // BOOLEAN
+ 0x01, // length
+ 0x42 // invalid
+ };
+ Input input(DER_BOOLEAN_TRUE_42);
+ Reader reader(input);
+ bool value = false;
+ ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+static const uint8_t DER_BOOLEAN_TRUE[] = {
+ 0x01, // BOOLEAN
+ 0x01, // length
+ 0xff // true
+};
+
+TEST_F(pkixder_universal_types_tests, BooleanTrueFF)
+{
+ Input input(DER_BOOLEAN_TRUE);
+ Reader reader(input);
+ bool value = false;
+ ASSERT_EQ(Success, Boolean(reader, value));
+ ASSERT_TRUE(value);
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanFalse)
+{
+ const uint8_t DER_BOOLEAN_FALSE[] = {
+ 0x01, // BOOLEAN
+ 0x01, // length
+ 0x00 // false
+ };
+ Input input(DER_BOOLEAN_FALSE);
+ Reader reader(input);
+
+ bool value = true;
+ ASSERT_EQ(Success, Boolean(reader, value));
+ ASSERT_FALSE(value);
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanInvalidLength)
+{
+ const uint8_t DER_BOOLEAN_INVALID_LENGTH[] = {
+ 0x01, // BOOLEAN
+ 0x02, // length
+ 0x42, 0x42 // invalid
+ };
+ Input input(DER_BOOLEAN_INVALID_LENGTH);
+ Reader reader(input);
+
+ bool value = true;
+ ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanInvalidZeroLength)
+{
+ const uint8_t DER_BOOLEAN_INVALID_ZERO_LENGTH[] = {
+ 0x01, // BOOLEAN
+ 0x00 // length
+ };
+ Input input(DER_BOOLEAN_INVALID_ZERO_LENGTH);
+ Reader reader(input);
+
+ bool value = true;
+ ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+// OptionalBoolean implements decoding of OPTIONAL BOOLEAN DEFAULT FALSE.
+// If the field is present, it must be a valid encoding of a BOOLEAN with
+// value TRUE. If the field is not present, it defaults to FALSE. For
+// compatibility reasons, OptionalBoolean also accepts encodings where the field
+// is present with value FALSE (this is technically not a valid DER encoding).
+TEST_F(pkixder_universal_types_tests, OptionalBooleanValidEncodings)
+{
+ {
+ const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_TRUE[] = {
+ 0x01, // BOOLEAN
+ 0x01, // length
+ 0xff // true
+ };
+ Input input(DER_OPTIONAL_BOOLEAN_PRESENT_TRUE);
+ Reader reader(input);
+ bool value = false;
+ ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+ "Should accept the only valid encoding of a present OPTIONAL BOOLEAN";
+ ASSERT_TRUE(value);
+ ASSERT_TRUE(reader.AtEnd());
+ }
+
+ {
+ // The OPTIONAL BOOLEAN is omitted in this data.
+ const uint8_t DER_INTEGER_05[] = {
+ 0x02, // INTEGER
+ 0x01, // length
+ 0x05
+ };
+ Input input(DER_INTEGER_05);
+ Reader reader(input);
+ bool value = true;
+ ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+ "Should accept a valid encoding of an omitted OPTIONAL BOOLEAN";
+ ASSERT_FALSE(value);
+ ASSERT_FALSE(reader.AtEnd());
+ }
+
+ {
+ Input input;
+ ASSERT_EQ(Success, input.Init(reinterpret_cast<const uint8_t*>(""), 0));
+ Reader reader(input);
+ bool value = true;
+ ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+ "Should accept another valid encoding of an omitted OPTIONAL BOOLEAN";
+ ASSERT_FALSE(value);
+ ASSERT_TRUE(reader.AtEnd());
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalBooleanInvalidEncodings)
+{
+ const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_FALSE[] = {
+ 0x01, // BOOLEAN
+ 0x01, // length
+ 0x00 // false
+ };
+
+ {
+ Input input(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
+ Reader reader(input);
+ bool value = true;
+ ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+ "Should accept an invalid, default-value encoding of OPTIONAL BOOLEAN";
+ ASSERT_FALSE(value);
+ ASSERT_TRUE(reader.AtEnd());
+ }
+
+ const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_42[] = {
+ 0x01, // BOOLEAN
+ 0x01, // length
+ 0x42 // (invalid value for a BOOLEAN)
+ };
+
+ {
+ Input input(DER_OPTIONAL_BOOLEAN_PRESENT_42);
+ Reader reader(input);
+ bool value;
+ ASSERT_EQ(Result::ERROR_BAD_DER, OptionalBoolean(reader, value)) <<
+ "Should reject an invalid-valued encoding of OPTIONAL BOOLEAN";
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, Enumerated)
+{
+ const uint8_t DER_ENUMERATED[] = {
+ 0x0a, // ENUMERATED
+ 0x01, // length
+ 0x42 // value
+ };
+ Input input(DER_ENUMERATED);
+ Reader reader(input);
+
+ uint8_t value = 0;
+ ASSERT_EQ(Success, Enumerated(reader, value));
+ ASSERT_EQ(0x42, value);
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedNotShortestPossibleDER)
+{
+ const uint8_t DER_ENUMERATED[] = {
+ 0x0a, // ENUMERATED
+ 0x02, // length
+ 0x00, 0x01 // value
+ };
+ Input input(DER_ENUMERATED);
+ Reader reader(input);
+
+ uint8_t value = 0;
+ ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedOutOfAcceptedRange)
+{
+ // Although this is a valid ENUMERATED value according to ASN.1, we
+ // intentionally don't support these large values because there are no
+ // ENUMERATED values in X.509 certs or OCSP this large, and we're trying to
+ // keep the parser simple and fast.
+ const uint8_t DER_ENUMERATED_INVALID_LENGTH[] = {
+ 0x0a, // ENUMERATED
+ 0x02, // length
+ 0x12, 0x34 // value
+ };
+ Input input(DER_ENUMERATED_INVALID_LENGTH);
+ Reader reader(input);
+
+ uint8_t value = 0;
+ ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedInvalidZeroLength)
+{
+ const uint8_t DER_ENUMERATED_INVALID_ZERO_LENGTH[] = {
+ 0x0a, // ENUMERATED
+ 0x00 // length
+ };
+ Input input(DER_ENUMERATED_INVALID_ZERO_LENGTH);
+ Reader reader(input);
+
+ uint8_t value = 0;
+ ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+////////////////////////////////////////
+// GeneralizedTime and TimeChoice
+//
+// From RFC 5280 section 4.1.2.5.2
+//
+// For the purposes of this profile, GeneralizedTime values MUST be
+// expressed in Greenwich Mean Time (Zulu) and MUST include seconds
+// (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
+// is zero. GeneralizedTime values MUST NOT include fractional seconds.
+//
+// And from from RFC 6960 (OCSP) section 4.2.2.1:
+//
+// Responses can contain four times -- thisUpdate, nextUpdate,
+// producedAt, and revocationTime. The semantics of these fields are
+// defined in Section 2.4. The format for GeneralizedTime is as
+// specified in Section 4.1.2.5.2 of [RFC5280].
+//
+// So while we can could accept other ASN1 (ITU-T X.680) encodings for
+// GeneralizedTime we should not accept them, and breaking reading of these
+// other encodings is actually encouraged.
+
+// e.g. TWO_CHARS(53) => '5', '3'
+#define TWO_CHARS(t) \
+ static_cast<uint8_t>('0' + (static_cast<uint8_t>(t) / 10u)), \
+ static_cast<uint8_t>('0' + (static_cast<uint8_t>(t) % 10u))
+
+// Calls TimeChoice on the UTCTime variant of the given generalized time.
+template <uint16_t LENGTH>
+Result
+TimeChoiceForEquivalentUTCTime(const uint8_t (&generalizedTimeDER)[LENGTH],
+ /*out*/ Time& value)
+{
+ static_assert(LENGTH >= 4,
+ "TimeChoiceForEquivalentUTCTime input too small");
+ uint8_t utcTimeDER[LENGTH - 2];
+ utcTimeDER[0] = 0x17; // tag UTCTime
+ utcTimeDER[1] = LENGTH - 1/*tag*/ - 1/*value*/ - 2/*century*/;
+ // Copy the value except for the first two digits of the year
+ for (size_t i = 2; i < LENGTH - 2; ++i) {
+ utcTimeDER[i] = generalizedTimeDER[i + 2];
+ }
+
+ Input input(utcTimeDER);
+ Reader reader(input);
+ return TimeChoice(reader, value);
+}
+
+template <uint16_t LENGTH>
+void
+ExpectGoodTime(Time expectedValue,
+ const uint8_t (&generalizedTimeDER)[LENGTH])
+{
+ // GeneralizedTime
+ {
+ Input input(generalizedTimeDER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success, GeneralizedTime(reader, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+
+ // TimeChoice: GeneralizedTime
+ {
+ Input input(generalizedTimeDER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success, TimeChoice(reader, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+
+ // TimeChoice: UTCTime
+ {
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success,
+ TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+}
+
+template <uint16_t LENGTH>
+void
+ExpectBadTime(const uint8_t (&generalizedTimeDER)[LENGTH])
+{
+ // GeneralizedTime
+ {
+ Input input(generalizedTimeDER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+ }
+
+ // TimeChoice: GeneralizedTime
+ {
+ Input input(generalizedTimeDER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+ }
+
+ // TimeChoice: UTCTime
+ {
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME,
+ TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
+ }
+}
+
+// Control value: a valid time
+TEST_F(pkixder_universal_types_tests, ValidControl)
+{
+ const uint8_t GT_DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0', 'Z'
+ };
+ ExpectGoodTime(YMDHMS(1991, 5, 6, 16, 45, 40), GT_DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeTimeZoneOffset)
+{
+ const uint8_t DER_GENERALIZED_TIME_OFFSET[] = {
+ 0x18, // Generalized Time
+ 19, // Length = 19
+ '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0', '-',
+ '0', '7', '0', '0'
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_OFFSET);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidZeroLength)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH[] = {
+ 0x18, // GeneralizedTime
+ 0x00 // Length = 0
+ };
+
+ Time value(Time::uninitialized);
+
+ // GeneralizedTime
+ Input gtBuf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+ Reader gt(gtBuf);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(gt, value));
+
+ // TimeChoice: GeneralizedTime
+ Input tc_gt_buf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+ Reader tc_gt(tc_gt_buf);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(tc_gt, value));
+
+ // TimeChoice: UTCTime
+ const uint8_t DER_UTCTIME_INVALID_ZERO_LENGTH[] = {
+ 0x17, // UTCTime
+ 0x00 // Length = 0
+ };
+ Input tc_utc_buf(DER_UTCTIME_INVALID_ZERO_LENGTH);
+ Reader tc_utc(tc_utc_buf);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(tc_utc, value));
+}
+
+// A non zulu time should fail
+TEST_F(pkixder_universal_types_tests, TimeInvalidLocal)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_LOCAL[] = {
+ 0x18, // Generalized Time
+ 14, // Length = 14
+ '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0'
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_LOCAL);
+}
+
+// A time missing seconds and zulu should fail
+TEST_F(pkixder_universal_types_tests, TimeInvalidTruncated)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_TRUNCATED[] = {
+ 0x18, // Generalized Time
+ 12, // Length = 12
+ '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5'
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_TRUNCATED);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeNoSeconds)
+{
+ const uint8_t DER_GENERALIZED_TIME_NO_SECONDS[] = {
+ 0x18, // Generalized Time
+ 13, // Length = 13
+ '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', 'Z'
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_NO_SECONDS);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidPrefixedYear)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_PREFIXED_YEAR[] = {
+ 0x18, // Generalized Time
+ 16, // Length = 16
+ ' ', '1', '9', '9', '1', '0', '1', '0', '1', '0', '1', '0', '1', '0', '1', 'Z'
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_PREFIXED_YEAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeTooManyDigits)
+{
+ const uint8_t DER_GENERALIZED_TIME_TOO_MANY_DIGITS[] = {
+ 0x18, // Generalized Time
+ 16, // Length = 16
+ '1', '1', '1', '1', '1', '0', '1', '0', '1', '0', '1', '0', '1', '0', '1', 'Z'
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_TOO_MANY_DIGITS);
+}
+
+// In order to ensure we we don't run into any trouble with conversions to and
+// from time_t we only accept times from 1970 onwards.
+TEST_F(pkixder_universal_types_tests, GeneralizedTimeYearValidRange)
+{
+ // Note that by using the last second of the last day of the year, we're also
+ // effectively testing all the accumulated conversions from Gregorian to to
+ // Julian time, including in particular the effects of leap years.
+
+ for (uint16_t i = 1970; i <= 9999; ++i) {
+ const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ TWO_CHARS(i / 100), TWO_CHARS(i % 100), // YYYY
+ '1', '2', '3', '1', // 12-31
+ '2', '3', '5', '9', '5', '9', 'Z' // 23:59:59Z
+ };
+
+ Time expectedValue = YMDHMS(i, 12, 31, 23, 59, 59);
+
+ // We have to test GeneralizedTime separately from UTCTime instead of using
+ // ExpectGooDtime because the range of UTCTime is less than the range of
+ // GeneralizedTime.
+
+ // GeneralizedTime
+ {
+ Input input(DER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success, GeneralizedTime(reader, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+
+ // TimeChoice: GeneralizedTime
+ {
+ Input input(DER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success, TimeChoice(reader, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+
+ // TimeChoice: UTCTime, which is limited to years less than 2049.
+ if (i <= 2049) {
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success, TimeChoiceForEquivalentUTCTime(DER, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+ }
+}
+
+// In order to ensure we we don't run into any trouble with conversions to and
+// from time_t we only accept times from 1970 onwards.
+TEST_F(pkixder_universal_types_tests, TimeYearInvalid1969)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '1', '9', '6', '9', '1', '2', '3', '1', // !!!1969!!!-12-31
+ '2', '3', '5', '9', '5', '9', 'Z' // 23:59:59Z
+ };
+ ExpectBadTime(DER);
+}
+
+static const uint8_t DAYS_IN_MONTH[] = {
+ 0, // unused
+ 31, // January
+ 28, // February (leap years tested separately)
+ 31, // March
+ 30, // April
+ 31, // May
+ 30, // Jun
+ 31, // July
+ 31, // August
+ 30, // September
+ 31, // October
+ 30, // November
+ 31, // December
+};
+
+TEST_F(pkixder_universal_types_tests, TimeMonthDaysValidRange)
+{
+ for (uint16_t month = 1; month <= 12; ++month) {
+ for (uint8_t day = 1; day <= DAYS_IN_MONTH[month]; ++day) {
+ const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '5', TWO_CHARS(month), TWO_CHARS(day), // (2015-mm-dd)
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+ ExpectGoodTime(YMDHMS(2015, month, day, 16, 45, 40), DER);
+ }
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthInvalid0)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '5', '0', '0', '1', '5', // 2015-!!!00!!!-15
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+ ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthInvalid13)
+{
+ const uint8_t DER_GENERALIZED_TIME_13TH_MONTH[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '1', '9', '9', '1', //YYYY (1991)
+ '1', '3', //MM 13th month of the year
+ '0', '6', '1', '6', '4', '5', '4', '0', 'Z'
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_13TH_MONTH);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeDayInvalid0)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '5', '0', '1', '0', '0', // 2015-01-!!!00!!!
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+ ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthDayInvalidPastEndOfMonth)
+{
+ for (int16_t month = 1; month <= 12; ++month) {
+ const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '1', '9', '9', '1', // YYYY 1991
+ TWO_CHARS(month), // MM
+ TWO_CHARS(1 + (month == 2 ? 29 : DAYS_IN_MONTH[month])), // !!!DD!!!
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+ ExpectBadTime(DER);
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2016)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '6', '0', '2', '2', '9', // 2016-02-29
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+ ExpectGoodTime(YMDHMS(2016, 2, 29, 16, 45, 40), DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2000)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '0', '0', '0', '2', '2', '9', // 2000-02-29
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+ ExpectGoodTime(YMDHMS(2000, 2, 29, 16, 45, 40), DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2400)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '4', '0', '0', '0', '2', '2', '9', // 2400-02-29
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+
+ // We don't use ExpectGoodTime here because UTCTime can't represent 2400.
+
+ Time expectedValue = YMDHMS(2400, 2, 29, 16, 45, 40);
+
+ // GeneralizedTime
+ {
+ Input input(DER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success, GeneralizedTime(reader, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+
+ // TimeChoice: GeneralizedTime
+ {
+ Input input(DER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Success, TimeChoice(reader, value));
+ EXPECT_EQ(expectedValue, value);
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2014)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '4', '0', '2', '2', '9', // 2014-02-29
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+ ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2100)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '1', '0', '0', '0', '2', '2', '9', // 2100-02-29
+ '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+ };
+
+ // We don't use ExpectBadTime here because UTCTime can't represent 2100.
+
+ // GeneralizedTime
+ {
+ Input input(DER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+ }
+
+ // TimeChoice: GeneralizedTime
+ {
+ Input input(DER);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeHoursValidRange)
+{
+ for (uint8_t i = 0; i <= 23; ++i) {
+ const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ TWO_CHARS(i), '5', '9', '0', '1', 'Z' // HHMMSSZ (!!!!ii!!!!:59:01 Zulu)
+ };
+ ExpectGoodTime(YMDHMS(2012, 6, 30, i, 59, 1), DER);
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeHoursInvalid_24_00_00)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '4', '0', '0', '0', '0', 'Z' // HHMMSSZ (!!24!!:00:00 Zulu)
+ };
+ ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMinutesValidRange)
+{
+ for (uint8_t i = 0; i <= 59; ++i) {
+ const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '3', TWO_CHARS(i), '0', '1', 'Z' // HHMMSSZ (23:!!!!ii!!!!:01 Zulu)
+ };
+ ExpectGoodTime(YMDHMS(2012, 6, 30, 23, i, 1), DER);
+ }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMinutesInvalid60)
+{
+ const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '3', '6', '0', '5', '9', 'Z' // HHMMSSZ (23:!!!60!!!:01 Zulu)
+ };
+ ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeSecondsValidRange)
+{
+ for (uint8_t i = 0; i <= 59; ++i) {
+ const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '3', '5', '9', TWO_CHARS(i), 'Z' // HHMMSSZ (23:59:!!!!ii!!!! Zulu)
+ };
+ ExpectGoodTime(YMDHMS(2012, 6, 30, 23, 59, i), DER);
+ }
+}
+
+// No Leap Seconds (60)
+TEST_F(pkixder_universal_types_tests, TimeSecondsInvalid60)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '3', '5', '9', '6', '0', 'Z' // HHMMSSZ (23:59:!!!!60!!!! Zulu)
+ };
+ ExpectBadTime(DER);
+}
+
+// No Leap Seconds (61)
+TEST_F(pkixder_universal_types_tests, TimeSecondsInvalid61)
+{
+ static const uint8_t DER[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '3', '5', '9', '6', '1', 'Z' // HHMMSSZ (23:59:!!!!61!!!! Zulu)
+ };
+ ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidZulu)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_ZULU[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '3', '5', '9', '5', '9', 'z' // HHMMSSZ (23:59:59 !!!z!!!) should be Z
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_ZULU);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidExtraData)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_EXTRA_DATA[] = {
+ 0x18, // Generalized Time
+ 16, // Length = 16
+ '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+ '2', '3', '5', '9', '5', '9', 'Z', // HHMMSSZ (23:59:59Z)
+ 0 // Extra null character
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_EXTRA_DATA);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidCenturyChar)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ 'X', '9', '9', '1', '1', '2', '0', '6', // YYYYMMDD (X991-12-06)
+ '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+ };
+
+ // We can't use ExpectBadTime here, because ExpectBadTime requires
+ // consistent results for GeneralizedTime and UTCTime, but the results
+ // for this input are different.
+
+ // GeneralizedTime
+ {
+ Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+ }
+
+ // TimeChoice: GeneralizedTime
+ {
+ Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+ Reader reader(input);
+ Time value(Time::uninitialized);
+ ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+ }
+
+ // This test is not applicable to TimeChoice: UTCTime
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidYearChar)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_YEAR_CHAR[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '1', '9', '9', 'I', '0', '1', '0', '6', // YYYYMMDD (199I-12-06)
+ '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_YEAR_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, GeneralizedTimeInvalidMonthChar)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_MONTH_CHAR[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '1', '9', '9', '1', '0', 'I', '0', '6', // YYYYMMDD (1991-0I-06)
+ '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_MONTH_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidDayChar)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_DAY_CHAR[] = {
+ 0x18, // Generalized Time
+ 15, // Length = 15
+ '1', '9', '9', '1', '0', '1', '0', 'S', // YYYYMMDD (1991-01-0S)
+ '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_DAY_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidFractionalSeconds)
+{
+ const uint8_t DER_GENERALIZED_TIME_INVALID_FRACTIONAL_SECONDS[] = {
+ 0x18, // Generalized Time
+ 17, // Length = 17
+ '1', '9', '9', '1', '0', '1', '0', '1', // YYYYMMDD (1991-01-01)
+ '1', '6', '4', '5', '4', '0', '.', '3', 'Z' // HHMMSS.FFF (16:45:40.3Z)
+ };
+ ExpectBadTime(DER_GENERALIZED_TIME_INVALID_FRACTIONAL_SECONDS);
+}
+
+struct IntegerTestParams
+{
+ ByteString encoded;
+ struct PositiveIntegerParams
+ {
+ Result expectedResult;
+ Input::size_type significantBytesIfValid;
+ } positiveInteger;
+ struct SmallNonnegativeIntegerParams
+ {
+ Result expectedResult;
+ uint8_t valueIfValid;
+ } smallNonnegativeInteger;
+};
+
+class pkixder_universal_types_tests_Integer
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<IntegerTestParams>
+{
+};
+
+#define INVALID 0xFF
+
+static const IntegerTestParams INTEGER_TEST_PARAMS[] =
+{
+ // Zero is encoded with one value byte of 0x00.
+ { TLV(2, ByteString()),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x00"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Success, 0 } },
+
+ // Positive single-byte values
+ { TLV(2, "\x01"), { Success, 1 }, { Success, 1} },
+ { TLV(2, "\x02"), { Success, 1 }, { Success, 2} },
+ { TLV(2, "\x7e"), { Success, 1 }, { Success, 0x7e} },
+ { TLV(2, "\x7f"), { Success, 1 }, { Success, 0x7f} },
+
+ // Negative single-byte values
+ { TLV(2, "\x80"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x81"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\xFE"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\xFF"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+ // Positive two-byte values not starting with 0x00
+ { TLV(2, "\x7F\x00"),
+ { Success, 2 },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x01\x00"),
+ { Success, 2 },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x01\x02"),
+ { Success, 2 },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+ // Negative two-byte values not starting with 0xFF
+ { TLV(2, "\x80\x00"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x80\x7F"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x80\x80"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x80\xFF"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+ // The leading zero is necessary.
+ { TLV(2, "\x00\x80"),
+ { Success, 1},
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x00\x81"),
+ { Success, 1},
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x00\xFF"),
+ { Success, 1},
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+ // The leading zero is unnecessary.
+ { TLV(2, "\x00\x01"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\x00\x7F"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+ // The leading 0xFF is necessary.
+ { TLV(2, "\xFF\x00"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\xFF\x7F"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+ // The leading 0xFF is unnecessary.
+ { TLV(2, "\xFF\x80"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2, "\xFF\xFF"),
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+ // Truncated values
+ { TLV(2, 1, ByteString(/*missing value*/)),
+ { Result::ERROR_BAD_DER, INVALID },
+ { Result::ERROR_BAD_DER, INVALID } },
+ { TLV(2, 3, "\x11\x22" /*truncated*/),
+ { Result::ERROR_BAD_DER, INVALID },
+ { Result::ERROR_BAD_DER, INVALID } },
+ { TLV(2, 4, "\x11\x22" /*truncated*/),
+ { Result::ERROR_BAD_DER, INVALID },
+ { Result::ERROR_BAD_DER, INVALID } },
+ { TLV(2, 2, "\x00" /*truncated*/),
+ { Result::ERROR_BAD_DER, INVALID },
+ { Result::ERROR_BAD_DER, INVALID } },
+ { TLV(2, 2, "\xFF" /*truncated*/),
+ { Result::ERROR_BAD_DER, INVALID },
+ { Result::ERROR_BAD_DER, INVALID } },
+ { TLV(2, 3, "\x00\x80" /*truncated*/),
+ { Result::ERROR_BAD_DER, INVALID },
+ { Result::ERROR_BAD_DER, INVALID } },
+ { TLV(2, 3, "\xFF\x00" /*truncated*/),
+ { Result::ERROR_BAD_DER, INVALID },
+ { Result::ERROR_BAD_DER, INVALID } },
+
+ // Misc. larger values
+ { TLV(2, 4, "\x11\x22\x33\x44"),
+ { Success, 4 },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+ { TLV(2,
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"),
+ { Success, 256 },
+ { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+};
+
+TEST_P(pkixder_universal_types_tests_Integer, Integer)
+{
+ const IntegerTestParams& params(GetParam());
+ Input input;
+ ASSERT_EQ(Success, input.Init(params.encoded.data(),
+ params.encoded.length()));
+ Reader reader(input);
+ Result expectedResult = params.smallNonnegativeInteger.expectedResult;
+ uint8_t value;
+ ASSERT_EQ(expectedResult, der::Integer(reader, value));
+ if (expectedResult == Success) {
+ ASSERT_EQ(params.smallNonnegativeInteger.valueIfValid, value);
+ ASSERT_TRUE(reader.AtEnd());
+ }
+}
+
+TEST_P(pkixder_universal_types_tests_Integer,
+ PositiveInteger_without_significantBytes)
+{
+ const IntegerTestParams& params(GetParam());
+ Input input;
+ ASSERT_EQ(Success, input.Init(params.encoded.data(),
+ params.encoded.length()));
+ Reader reader(input);
+ Result expectedResult = params.positiveInteger.expectedResult;
+ Input value;
+ ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value));
+ if (expectedResult == Success) {
+ Reader anotherReader(input);
+ Input expectedValue;
+ ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader,
+ der::INTEGER, expectedValue));
+ ASSERT_TRUE(InputsAreEqual(expectedValue, value));
+ ASSERT_TRUE(reader.AtEnd());
+ }
+}
+
+TEST_P(pkixder_universal_types_tests_Integer,
+ PositiveInteger_with_significantBytes)
+{
+ const IntegerTestParams& params(GetParam());
+ Input input;
+ ASSERT_EQ(Success, input.Init(params.encoded.data(),
+ params.encoded.length()));
+ Reader reader(input);
+ Result expectedResult = params.positiveInteger.expectedResult;
+ Input value;
+ Input::size_type significantBytes = INVALID;
+ ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value,
+ &significantBytes));
+ if (expectedResult == Success) {
+ ASSERT_NE(INVALID, params.positiveInteger.significantBytesIfValid);
+ ASSERT_EQ(params.positiveInteger.significantBytesIfValid,
+ significantBytes);
+
+ Reader anotherReader(input);
+ Input expectedValue;
+ ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader,
+ der::INTEGER, expectedValue));
+ ASSERT_TRUE(InputsAreEqual(expectedValue, value));
+ ASSERT_TRUE(reader.AtEnd());
+ }
+}
+
+#undef INVALID
+
+INSTANTIATE_TEST_CASE_P(pkixder_universal_types_tests_Integer,
+ pkixder_universal_types_tests_Integer,
+ testing::ValuesIn(INTEGER_TEST_PARAMS));
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefault)
+{
+ // The input is a BOOLEAN and not INTEGER for the input so we'll not parse
+ // anything and instead use the default value.
+ Input input(DER_BOOLEAN_TRUE);
+ Reader reader(input);
+
+ long value = 1;
+ ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+ ASSERT_EQ(-1, value);
+ bool boolValue;
+ ASSERT_EQ(Success, Boolean(reader, boolValue));
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerUnsupportedDefault)
+{
+ // The same as the previous test, except with an unsupported default value
+ // passed in.
+ Input input(DER_BOOLEAN_TRUE);
+ Reader reader(input);
+
+ long value;
+ ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, OptionalInteger(reader, 0, value));
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefaultAtEnd)
+{
+ static const uint8_t dummy = 1;
+ Input input;
+ ASSERT_EQ(Success, input.Init(&dummy, 0));
+ Reader reader(input);
+
+ long value = 1;
+ ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+ ASSERT_EQ(-1, value);
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerNonDefaultValue)
+{
+ static const uint8_t DER[] = {
+ 0x02, // INTEGER
+ 0x01, // length
+ 0x00
+ };
+ Input input(DER);
+ Reader reader(input);
+
+ long value = 2;
+ ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+ ASSERT_EQ(0, value);
+ ASSERT_TRUE(reader.AtEnd());
+}
+
+TEST_F(pkixder_universal_types_tests, Null)
+{
+ const uint8_t DER_NUL[] = {
+ 0x05,
+ 0x00
+ };
+ Input input(DER_NUL);
+ Reader reader(input);
+
+ ASSERT_EQ(Success, Null(reader));
+}
+
+TEST_F(pkixder_universal_types_tests, NullWithBadLength)
+{
+ const uint8_t DER_NULL_BAD_LENGTH[] = {
+ 0x05,
+ 0x01,
+ 0x00
+ };
+ Input input(DER_NULL_BAD_LENGTH);
+ Reader reader(input);
+
+ ASSERT_EQ(Result::ERROR_BAD_DER, Null(reader));
+}
+
+TEST_F(pkixder_universal_types_tests, OID)
+{
+ const uint8_t DER_VALID_OID[] = {
+ 0x06,
+ 0x09,
+ 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+ };
+ Input input(DER_VALID_OID);
+ Reader reader(input);
+
+ const uint8_t expectedOID[] = {
+ 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+ };
+
+ ASSERT_EQ(Success, OID(reader, expectedOID));
+}
diff --git a/security/pkix/test/gtest/pkixgtest.cpp b/security/pkix/test/gtest/pkixgtest.cpp
new file mode 100644
index 000000000..77baef857
--- /dev/null
+++ b/security/pkix/test/gtest/pkixgtest.cpp
@@ -0,0 +1,46 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include <ctime>
+
+#include "pkix/Time.h"
+
+namespace mozilla { namespace pkix { namespace test {
+
+static const std::time_t ONE_DAY_IN_SECONDS_AS_TIME_T =
+ static_cast<std::time_t>(Time::ONE_DAY_IN_SECONDS);
+
+// This assumes that time/time_t are POSIX-compliant in that time() returns
+// the number of seconds since the Unix epoch.
+static const std::time_t now(time(nullptr));
+const std::time_t oneDayBeforeNow(now - ONE_DAY_IN_SECONDS_AS_TIME_T);
+const std::time_t oneDayAfterNow(now + ONE_DAY_IN_SECONDS_AS_TIME_T);
+const std::time_t twoDaysBeforeNow(now - (2 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t twoDaysAfterNow(now + (2 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t tenDaysBeforeNow(now - (10 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t tenDaysAfterNow(now + (10 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/pkix/test/gtest/pkixgtest.h b/security/pkix/test/gtest/pkixgtest.h
new file mode 100644
index 000000000..1ec8727e2
--- /dev/null
+++ b/security/pkix/test/gtest/pkixgtest.h
@@ -0,0 +1,255 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef mozilla_pkix_pkixgtest_h
+#define mozilla_pkix_pkixgtest_h
+
+#include <ostream>
+
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated"
+#pragma clang diagnostic ignored "-Wmissing-noreturn"
+#pragma clang diagnostic ignored "-Wshift-sign-overflow"
+#pragma clang diagnostic ignored "-Wsign-conversion"
+#pragma clang diagnostic ignored "-Wundef"
+#elif defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wextra"
+#elif defined(_MSC_VER)
+#pragma warning(push, 3)
+// C4224: Nonstandard extension used: formal parameter 'X' was previously
+// defined as a type.
+#pragma warning(disable: 4224)
+// C4826: Conversion from 'type1 ' to 'type_2' is sign - extended. This may
+// cause unexpected runtime behavior.
+#pragma warning(disable: 4826)
+#endif
+
+#include "gtest/gtest.h"
+
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#elif defined(__GNUC__)
+#pragma GCC diagnostic pop
+#elif defined(_MSC_VER)
+#pragma warning(pop)
+#endif
+
+#include "pkix/pkix.h"
+#include "pkixtestutil.h"
+
+// PrintTo must be in the same namespace as the type we're overloading it for.
+namespace mozilla { namespace pkix {
+
+inline void
+PrintTo(const Result& result, ::std::ostream* os)
+{
+ const char* stringified = MapResultToName(result);
+ if (stringified) {
+ *os << stringified;
+ } else {
+ *os << "mozilla::pkix::Result(" << static_cast<unsigned int>(result) << ")";
+ }
+}
+
+} } // namespace mozilla::pkix
+
+namespace mozilla { namespace pkix { namespace test {
+
+extern const std::time_t oneDayBeforeNow;
+extern const std::time_t oneDayAfterNow;
+extern const std::time_t twoDaysBeforeNow;
+extern const std::time_t twoDaysAfterNow;
+extern const std::time_t tenDaysBeforeNow;
+extern const std::time_t tenDaysAfterNow;
+
+
+class EverythingFailsByDefaultTrustDomain : public TrustDomain
+{
+public:
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
+ Input, /*out*/ TrustLevel&) override
+ {
+ ADD_FAILURE();
+ return NotReached("GetCertTrust should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result FindIssuer(Input, IssuerChecker&, Time) override
+ {
+ ADD_FAILURE();
+ return NotReached("FindIssuer should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+ /*optional*/ const Input*,
+ /*optional*/ const Input*) override
+ {
+ ADD_FAILURE();
+ return NotReached("CheckRevocation should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result IsChainValid(const DERArray&, Time) override
+ {
+ ADD_FAILURE();
+ return NotReached("IsChainValid should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result DigestBuf(Input, DigestAlgorithm, /*out*/ uint8_t*, size_t) override
+ {
+ ADD_FAILURE();
+ return NotReached("DigestBuf should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result CheckSignatureDigestAlgorithm(DigestAlgorithm,
+ EndEntityOrCA,
+ Time) override
+ {
+ ADD_FAILURE();
+ return NotReached("CheckSignatureDigestAlgorithm should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override
+ {
+ ADD_FAILURE();
+ return NotReached("CheckECDSACurveIsAcceptable should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result VerifyECDSASignedDigest(const SignedDigest&, Input) override
+ {
+ ADD_FAILURE();
+ return NotReached("VerifyECDSASignedDigest should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
+ override
+ {
+ ADD_FAILURE();
+ return NotReached("CheckRSAPublicKeyModulusSizeInBits should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override
+ {
+ ADD_FAILURE();
+ return NotReached("VerifyRSAPKCS1SignedDigest should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, KeyPurposeId)
+ override
+ {
+ ADD_FAILURE();
+ return NotReached("CheckValidityIsAcceptable should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ Result NetscapeStepUpMatchesServerAuth(Time, bool&) override
+ {
+ ADD_FAILURE();
+ return NotReached("NetscapeStepUpMatchesServerAuth should not be called",
+ Result::FATAL_ERROR_LIBRARY_FAILURE);
+ }
+
+ virtual void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override
+ {
+ ADD_FAILURE();
+ }
+};
+
+class DefaultCryptoTrustDomain : public EverythingFailsByDefaultTrustDomain
+{
+ Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf, size_t digestBufLen) override
+ {
+ return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
+ }
+
+ Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA, Time)
+ override
+ {
+ return Success;
+ }
+
+ Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override
+ {
+ return Success;
+ }
+
+ Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo) override
+ {
+ return TestVerifyECDSASignedDigest(signedDigest, subjectPublicKeyInfo);
+ }
+
+ Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
+ override
+ {
+ return Success;
+ }
+
+ Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo) override
+ {
+ return TestVerifyRSAPKCS1SignedDigest(signedDigest, subjectPublicKeyInfo);
+ }
+
+ Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, KeyPurposeId)
+ override
+ {
+ return Success;
+ }
+
+ Result NetscapeStepUpMatchesServerAuth(Time, /*out*/ bool& matches) override
+ {
+ matches = true;
+ return Success;
+ }
+
+ void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override
+ {
+ }
+};
+
+class DefaultNameMatchingPolicy : public NameMatchingPolicy
+{
+public:
+ virtual Result FallBackToCommonName(
+ Time, /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) override
+ {
+ fallBackToCommonName = FallBackToSearchWithinSubject::Yes;
+ return Success;
+ }
+};
+
+} } } // namespace mozilla::pkix::test
+
+#endif // mozilla_pkix_pkixgtest_h
diff --git a/security/pkix/test/gtest/pkixnames_tests.cpp b/security/pkix/test/gtest/pkixnames_tests.cpp
new file mode 100644
index 000000000..9e2303ad0
--- /dev/null
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
@@ -0,0 +1,2811 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "pkixcheck.h"
+#include "pkixder.h"
+#include "pkixgtest.h"
+#include "pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
+ Input referenceDNSID,
+ /*out*/ bool& matches);
+
+bool IsValidReferenceDNSID(Input hostname);
+bool IsValidPresentedDNSID(Input hostname);
+bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]);
+bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]);
+
+} } // namespace mozilla::pkix
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+struct PresentedMatchesReference
+{
+ ByteString presentedDNSID;
+ ByteString referenceDNSID;
+ Result expectedResult;
+ bool expectedMatches; // only valid when expectedResult == Success
+};
+
+#define DNS_ID_MATCH(a, b) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+ ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+ Success, \
+ true \
+ }
+
+#define DNS_ID_MISMATCH(a, b) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+ ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+ Success, \
+ false \
+ }
+
+#define DNS_ID_BAD_DER(a, b) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+ ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+ Result::ERROR_BAD_DER, \
+ false \
+ }
+
+static const PresentedMatchesReference DNSID_MATCH_PARAMS[] =
+{
+ DNS_ID_BAD_DER("", "a"),
+
+ DNS_ID_MATCH("a", "a"),
+ DNS_ID_MISMATCH("b", "a"),
+
+ DNS_ID_MATCH("*.b.a", "c.b.a"),
+ DNS_ID_MISMATCH("*.b.a", "b.a"),
+ DNS_ID_MISMATCH("*.b.a", "b.a."),
+
+ // We allow underscores for compatibility with existing practices.
+ DNS_ID_MATCH("a_b", "a_b"),
+ DNS_ID_MATCH("*.example.com", "uses_underscore.example.com"),
+ DNS_ID_MATCH("*.uses_underscore.example.com", "a.uses_underscore.example.com"),
+
+ // See bug 1139039
+ DNS_ID_MATCH("_.example.com", "_.example.com"),
+ DNS_ID_MATCH("*.example.com", "_.example.com"),
+ DNS_ID_MATCH("_", "_"),
+ DNS_ID_MATCH("___", "___"),
+ DNS_ID_MATCH("example_", "example_"),
+ DNS_ID_MATCH("_example", "_example"),
+ DNS_ID_MATCH("*._._", "x._._"),
+
+ // See bug 1139039
+ // A DNS-ID must not end in an all-numeric label. We don't consider
+ // underscores to be numeric.
+ DNS_ID_MATCH("_1", "_1"),
+ DNS_ID_MATCH("example._1", "example._1"),
+ DNS_ID_MATCH("example.1_", "example.1_"),
+
+ // Wildcard not in leftmost label
+ DNS_ID_MATCH("d.c.b.a", "d.c.b.a"),
+ DNS_ID_BAD_DER("d.*.b.a", "d.c.b.a"),
+ DNS_ID_BAD_DER("d.c*.b.a", "d.c.b.a"),
+ DNS_ID_BAD_DER("d.c*.b.a", "d.cc.b.a"),
+
+ // case sensitivity
+ DNS_ID_MATCH("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
+ DNS_ID_MATCH("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"),
+ DNS_ID_MATCH("aBc", "Abc"),
+
+ // digits
+ DNS_ID_MATCH("a1", "a1"),
+
+ // A trailing dot indicates an absolute name. Absolute presented names are
+ // not allowed, but absolute reference names are allowed.
+ DNS_ID_MATCH("example", "example"),
+ DNS_ID_BAD_DER("example.", "example."),
+ DNS_ID_MATCH("example", "example."),
+ DNS_ID_BAD_DER("example.", "example"),
+ DNS_ID_MATCH("example.com", "example.com"),
+ DNS_ID_BAD_DER("example.com.", "example.com."),
+ DNS_ID_MATCH("example.com", "example.com."),
+ DNS_ID_BAD_DER("example.com.", "example.com"),
+ DNS_ID_BAD_DER("example.com..", "example.com."),
+ DNS_ID_BAD_DER("example.com..", "example.com"),
+ DNS_ID_BAD_DER("example.com...", "example.com."),
+
+ // xn-- IDN prefix
+ DNS_ID_BAD_DER("x*.b.a", "xa.b.a"),
+ DNS_ID_BAD_DER("x*.b.a", "xna.b.a"),
+ DNS_ID_BAD_DER("x*.b.a", "xn-a.b.a"),
+ DNS_ID_BAD_DER("x*.b.a", "xn--a.b.a"),
+ DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"),
+ DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"),
+ DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"),
+ DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"),
+ DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"),
+ DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"),
+ DNS_ID_BAD_DER("xn---*.b.a", "xn--a.b.a"),
+
+ // "*" cannot expand to nothing.
+ DNS_ID_BAD_DER("c*.b.a", "c.b.a"),
+
+ /////////////////////////////////////////////////////////////////////////////
+ // These are test cases adapted from Chromium's x509_certificate_unittest.cc.
+ // The parameter order is the opposite in Chromium's tests. Also, some tests
+ // were modified to fit into this framework or due to intentional differences
+ // between mozilla::pkix and Chromium.
+
+ DNS_ID_MATCH("foo.com", "foo.com"),
+ DNS_ID_MATCH("f", "f"),
+ DNS_ID_MISMATCH("i", "h"),
+ DNS_ID_MATCH("*.foo.com", "bar.foo.com"),
+ DNS_ID_MATCH("*.test.fr", "www.test.fr"),
+ DNS_ID_MATCH("*.test.FR", "wwW.tESt.fr"),
+ DNS_ID_BAD_DER(".uk", "f.uk"),
+ DNS_ID_BAD_DER("?.bar.foo.com", "w.bar.foo.com"),
+ DNS_ID_BAD_DER("(www|ftp).foo.com", "www.foo.com"), // regex!
+ DNS_ID_BAD_DER("www.foo.com\0", "www.foo.com"),
+ DNS_ID_BAD_DER("www.foo.com\0*.foo.com", "www.foo.com"),
+ DNS_ID_MISMATCH("ww.house.example", "www.house.example"),
+ DNS_ID_MISMATCH("www.test.org", "test.org"),
+ DNS_ID_MISMATCH("*.test.org", "test.org"),
+ DNS_ID_BAD_DER("*.org", "test.org"),
+ DNS_ID_BAD_DER("w*.bar.foo.com", "w.bar.foo.com"),
+ DNS_ID_BAD_DER("ww*ww.bar.foo.com", "www.bar.foo.com"),
+ DNS_ID_BAD_DER("ww*ww.bar.foo.com", "wwww.bar.foo.com"),
+
+ // Different than Chromium, matches NSS.
+ DNS_ID_BAD_DER("w*w.bar.foo.com", "wwww.bar.foo.com"),
+
+ DNS_ID_BAD_DER("w*w.bar.foo.c0m", "wwww.bar.foo.com"),
+
+ // '*' must be the only character in the wildcard label
+ DNS_ID_BAD_DER("wa*.bar.foo.com", "WALLY.bar.foo.com"),
+
+ // We require "*" to be the last character in a wildcard label, but
+ // Chromium does not.
+ DNS_ID_BAD_DER("*Ly.bar.foo.com", "wally.bar.foo.com"),
+
+ // Chromium does URL decoding of the reference ID, but we don't, and we also
+ // require that the reference ID is valid, so we can't test these two.
+ // DNS_ID_MATCH("www.foo.com", "ww%57.foo.com"),
+ // DNS_ID_MATCH("www&.foo.com", "www%26.foo.com"),
+
+ DNS_ID_MISMATCH("*.test.de", "www.test.co.jp"),
+ DNS_ID_BAD_DER("*.jp", "www.test.co.jp"),
+ DNS_ID_MISMATCH("www.test.co.uk", "www.test.co.jp"),
+ DNS_ID_BAD_DER("www.*.co.jp", "www.test.co.jp"),
+ DNS_ID_MATCH("www.bar.foo.com", "www.bar.foo.com"),
+ DNS_ID_MISMATCH("*.foo.com", "www.bar.foo.com"),
+ DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"),
+ DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"),
+
+ // Our matcher requires the reference ID to be a valid DNS name, so we cannot
+ // test this case.
+ //DNS_ID_BAD_DER("*.*.bar.foo.com", "*..bar.foo.com"),
+
+ DNS_ID_MATCH("www.bath.org", "www.bath.org"),
+
+ // Our matcher requires the reference ID to be a valid DNS name, so we cannot
+ // test these cases.
+ // DNS_ID_BAD_DER("www.bath.org", ""),
+ // DNS_ID_BAD_DER("www.bath.org", "20.30.40.50"),
+ // DNS_ID_BAD_DER("www.bath.org", "66.77.88.99"),
+
+ // IDN tests
+ DNS_ID_MATCH("xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+ DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"),
+ DNS_ID_MISMATCH("*.xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+ DNS_ID_BAD_DER("xn--poema-*.com.br", "xn--poema-9qae5a.com.br"),
+ DNS_ID_BAD_DER("xn--*-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+ DNS_ID_BAD_DER("*--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+
+ // The following are adapted from the examples quoted from
+ // http://tools.ietf.org/html/rfc6125#section-6.4.3
+ // (e.g., *.example.com would match foo.example.com but
+ // not bar.foo.example.com or example.com).
+ DNS_ID_MATCH("*.example.com", "foo.example.com"),
+ DNS_ID_MISMATCH("*.example.com", "bar.foo.example.com"),
+ DNS_ID_MISMATCH("*.example.com", "example.com"),
+ // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
+ // be taken to match baz1.example.net and foobaz.example.net and
+ // buzz.example.net, respectively. However, we don't allow any characters
+ // other than '*' in the wildcard label.
+ DNS_ID_BAD_DER("baz*.example.net", "baz1.example.net"),
+
+ // Both of these are different from Chromium, but match NSS, becaues the
+ // wildcard character "*" is not the last character of the label.
+ DNS_ID_BAD_DER("*baz.example.net", "foobaz.example.net"),
+ DNS_ID_BAD_DER("b*z.example.net", "buzz.example.net"),
+
+ // Wildcards should not be valid for public registry controlled domains,
+ // and unknown/unrecognized domains, at least three domain components must
+ // be present. For mozilla::pkix and NSS, there must always be at least two
+ // labels after the wildcard label.
+ DNS_ID_MATCH("*.test.example", "www.test.example"),
+ DNS_ID_MATCH("*.example.co.uk", "test.example.co.uk"),
+ DNS_ID_BAD_DER("*.exmaple", "test.example"),
+
+ // The result is different than Chromium, because Chromium takes into account
+ // the additional knowledge it has that "co.uk" is a TLD. mozilla::pkix does
+ // not know that.
+ DNS_ID_MATCH("*.co.uk", "example.co.uk"),
+
+ DNS_ID_BAD_DER("*.com", "foo.com"),
+ DNS_ID_BAD_DER("*.us", "foo.us"),
+ DNS_ID_BAD_DER("*", "foo"),
+
+ // IDN variants of wildcards and registry controlled domains.
+ DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"),
+ DNS_ID_MATCH("*.example.xn--mgbaam7a8h", "test.example.xn--mgbaam7a8h"),
+
+ // RFC6126 allows this, and NSS accepts it, but Chromium disallows it.
+ // TODO: File bug against Chromium.
+ DNS_ID_MATCH("*.com.br", "xn--poema-9qae5a.com.br"),
+
+ DNS_ID_BAD_DER("*.xn--mgbaam7a8h", "example.xn--mgbaam7a8h"),
+ // Wildcards should be permissible for 'private' registry-controlled
+ // domains. (In mozilla::pkix, we do not know if it is a private registry-
+ // controlled domain or not.)
+ DNS_ID_MATCH("*.appspot.com", "www.appspot.com"),
+ DNS_ID_MATCH("*.s3.amazonaws.com", "foo.s3.amazonaws.com"),
+
+ // Multiple wildcards are not valid.
+ DNS_ID_BAD_DER("*.*.com", "foo.example.com"),
+ DNS_ID_BAD_DER("*.bar.*.com", "foo.bar.example.com"),
+
+ // Absolute vs relative DNS name tests. Although not explicitly specified
+ // in RFC 6125, absolute reference names (those ending in a .) should
+ // match either absolute or relative presented names. We don't allow
+ // absolute presented names.
+ // TODO: File errata against RFC 6125 about this.
+ DNS_ID_BAD_DER("foo.com.", "foo.com"),
+ DNS_ID_MATCH("foo.com", "foo.com."),
+ DNS_ID_BAD_DER("foo.com.", "foo.com."),
+ DNS_ID_BAD_DER("f.", "f"),
+ DNS_ID_MATCH("f", "f."),
+ DNS_ID_BAD_DER("f.", "f."),
+ DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com"),
+ DNS_ID_MATCH("*.bar.foo.com", "www-3.bar.foo.com."),
+ DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com."),
+
+ // We require the reference ID to be a valid DNS name, so we cannot test this
+ // case.
+ // DNS_ID_MISMATCH(".", "."),
+
+ DNS_ID_BAD_DER("*.com.", "example.com"),
+ DNS_ID_BAD_DER("*.com", "example.com."),
+ DNS_ID_BAD_DER("*.com.", "example.com."),
+ DNS_ID_BAD_DER("*.", "foo."),
+ DNS_ID_BAD_DER("*.", "foo"),
+
+ // The result is different than Chromium because we don't know that co.uk is
+ // a TLD.
+ DNS_ID_MATCH("*.co.uk", "foo.co.uk"),
+ DNS_ID_MATCH("*.co.uk", "foo.co.uk."),
+ DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk"),
+ DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk."),
+
+ DNS_ID_MISMATCH("*.example.com", "localhost"),
+ DNS_ID_MISMATCH("*.example.com", "localhost."),
+ // Note that we already have the testcase DNS_ID_BAD_DER("*", "foo") above
+};
+
+struct InputValidity
+{
+ ByteString input;
+ bool isValidReferenceID;
+ bool isValidPresentedID;
+};
+
+// str is null-terminated, which is why we subtract 1. str may contain embedded
+// nulls (including at the end) preceding the null terminator though.
+#define I(str, validReferenceID, validPresentedID) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+ validReferenceID, \
+ validPresentedID, \
+ }
+
+static const InputValidity DNSNAMES_VALIDITY[] =
+{
+ I("a", true, true),
+ I("a.b", true, true),
+ I("a.b.c", true, true),
+ I("a.b.c.d", true, true),
+
+ // empty labels
+ I("", false, false),
+ I(".", false, false),
+ I("a", true, true),
+ I(".a", false, false),
+ I(".a.b", false, false),
+ I("..a", false, false),
+ I("a..b", false, false),
+ I("a...b", false, false),
+ I("a..b.c", false, false),
+ I("a.b..c", false, false),
+ I(".a.b.c.", false, false),
+
+ // absolute names (only allowed for reference names)
+ I("a.", true, false),
+ I("a.b.", true, false),
+ I("a.b.c.", true, false),
+
+ // absolute names with empty label at end
+ I("a..", false, false),
+ I("a.b..", false, false),
+ I("a.b.c..", false, false),
+ I("a...", false, false),
+
+ // Punycode
+ I("xn--", false, false),
+ I("xn--.", false, false),
+ I("xn--.a", false, false),
+ I("a.xn--", false, false),
+ I("a.xn--.", false, false),
+ I("a.xn--.b", false, false),
+ I("a.xn--.b", false, false),
+ I("a.xn--\0.b", false, false),
+ I("a.xn--a.b", true, true),
+ I("xn--a", true, true),
+ I("a.xn--a", true, true),
+ I("a.xn--a.a", true, true),
+ I("\xc4\x95.com", false, false), // UTF-8 ĕ
+ I("xn--jea.com", true, true), // punycode ĕ
+ I("xn--\xc4\x95.com", false, false), // UTF-8 ĕ, malformed punycode + UTF-8 mashup
+
+ // Surprising punycode
+ I("xn--google.com", true, true), // 䕮䕵䕶䕱.com
+ I("xn--citibank.com", true, true), // 岍岊岊岅岉岎.com
+ I("xn--cnn.com", true, true), // 䁾.com
+ I("a.xn--cnn", true, true), // a.䁾
+ I("a.xn--cnn.com", true, true), // a.䁾.com
+
+ I("1.2.3.4", false, false), // IPv4 address
+ I("1::2", false, false), // IPV6 address
+
+ // whitespace not allowed anywhere.
+ I(" ", false, false),
+ I(" a", false, false),
+ I("a ", false, false),
+ I("a b", false, false),
+ I("a.b 1", false, false),
+ I("a\t", false, false),
+
+ // Nulls not allowed
+ I("\0", false, false),
+ I("a\0", false, false),
+ I("example.org\0.example.com", false, false), // Hi Moxie!
+ I("\0a", false, false),
+ I("xn--\0", false, false),
+
+ // Allowed character set
+ I("a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z", true, true),
+ I("A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z", true, true),
+ I("0.1.2.3.4.5.6.7.8.9.a", true, true), // "a" needed to avoid numeric last label
+ I("a-b", true, true), // hyphen (a label cannot start or end with a hyphen)
+
+ // Underscores
+ I("a_b", true, true),
+ // See bug 1139039
+ I("_", true, true),
+ I("a_", true, true),
+ I("_a", true, true),
+ I("_1", true, true),
+ I("1_", true, true),
+ I("___", true, true),
+
+ // An invalid character in various positions
+ I("!", false, false),
+ I("!a", false, false),
+ I("a!", false, false),
+ I("a!b", false, false),
+ I("a.!", false, false),
+ I("a.a!", false, false),
+ I("a.!a", false, false),
+ I("a.a!a", false, false),
+ I("a.!a.a", false, false),
+ I("a.a!.a", false, false),
+ I("a.a!a.a", false, false),
+
+ // Various other invalid characters
+ I("a!", false, false),
+ I("a@", false, false),
+ I("a#", false, false),
+ I("a$", false, false),
+ I("a%", false, false),
+ I("a^", false, false),
+ I("a&", false, false),
+ I("a*", false, false),
+ I("a(", false, false),
+ I("a)", false, false),
+
+ // last label can't be fully numeric
+ I("1", false, false),
+ I("a.1", false, false),
+
+ // other labels can be fully numeric
+ I("1.a", true, true),
+ I("1.2.a", true, true),
+ I("1.2.3.a", true, true),
+
+ // last label can be *partly* numeric
+ I("1a", true, true),
+ I("1.1a", true, true),
+ I("1-1", true, true),
+ I("a.1-1", true, true),
+ I("a.1-a", true, true),
+
+ // labels cannot start with a hyphen
+ I("-", false, false),
+ I("-1", false, false),
+
+ // labels cannot end with a hyphen
+ I("1-", false, false),
+ I("1-.a", false, false),
+ I("a-", false, false),
+ I("a-.a", false, false),
+ I("a.1-.a", false, false),
+ I("a.a-.a", false, false),
+
+ // labels can contain a hyphen in the middle
+ I("a-b", true, true),
+ I("1-2", true, true),
+ I("a.a-1", true, true),
+
+ // multiple consecutive hyphens allowed
+ I("a--1", true, true),
+ I("1---a", true, true),
+ I("a-----------------b", true, true),
+
+ // Wildcard specifications are not valid reference names, but are valid
+ // presented names if there are enough labels and if '*' is the only
+ // character in the wildcard label.
+ I("*.a", false, false),
+ I("a*", false, false),
+ I("a*.", false, false),
+ I("a*.a", false, false),
+ I("a*.a.", false, false),
+ I("*.a.b", false, true),
+ I("*.a.b.", false, false),
+ I("a*.b.c", false, false),
+ I("*.a.b.c", false, true),
+ I("a*.b.c.d", false, false),
+
+ // Multiple wildcards are not allowed.
+ I("a**.b.c", false, false),
+ I("a*b*.c.d", false, false),
+ I("a*.b*.c", false, false),
+
+ // Wildcards are only allowed in the first label.
+ I("a.*", false, false),
+ I("a.*.b", false, false),
+ I("a.b.*", false, false),
+ I("a.b*.c", false, false),
+ I("*.b*.c", false, false),
+ I(".*.a.b", false, false),
+ I(".a*.b.c", false, false),
+
+ // Wildcards must be at the *end* of the first label.
+ I("*a.b.c", false, false),
+ I("a*b.c.d", false, false),
+
+ // Wildcards not allowed with IDNA prefix
+ I("x*.a.b", false, false),
+ I("xn*.a.b", false, false),
+ I("xn-*.a.b", false, false),
+ I("xn--*.a.b", false, false),
+ I("xn--w*.a.b", false, false),
+
+ // Redacted labels from RFC6962bis draft 4
+ // https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-04#section-3.2.2
+ I("(PRIVATE).foo", false, false),
+
+ // maximum label length is 63 characters
+ I("1234567890" "1234567890" "1234567890"
+ "1234567890" "1234567890" "1234567890" "abc", true, true),
+ I("1234567890" "1234567890" "1234567890"
+ "1234567890" "1234567890" "1234567890" "abcd", false, false),
+
+ // maximum total length is 253 characters
+ I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "12345678" "a",
+ true, true),
+ I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+ "1234567890" "1234567890" "1234567890" "1234567890" "123456789" "a",
+ false, false),
+};
+
+static const InputValidity DNSNAMES_VALIDITY_TURKISH_I[] =
+{
+ // http://en.wikipedia.org/wiki/Dotted_and_dotless_I#In_computing
+ // IDN registration rules disallow "latin capital letter i with dot above,"
+ // but our checks aren't intended to enforce those rules.
+ I("I", true, true), // ASCII capital I
+ I("i", true, true), // ASCII lowercase i
+ I("\xC4\xB0", false, false), // latin capital letter i with dot above
+ I("\xC4\xB1", false, false), // latin small letter dotless i
+ I("xn--i-9bb", true, true), // latin capital letter i with dot above, in punycode
+ I("xn--cfa", true, true), // latin small letter dotless i, in punycode
+ I("xn--\xC4\xB0", false, false), // latin capital letter i with dot above, mashup
+ I("xn--\xC4\xB1", false, false), // latin small letter dotless i, mashup
+};
+
+static const uint8_t LOWERCASE_I_VALUE[1] = { 'i' };
+static const uint8_t UPPERCASE_I_VALUE[1] = { 'I' };
+static const Input LOWERCASE_I(LOWERCASE_I_VALUE);
+static const Input UPPERCASE_I(UPPERCASE_I_VALUE);
+
+template <unsigned int L>
+struct IPAddressParams
+{
+ ByteString input;
+ bool isValid;
+ uint8_t expectedValueIfValid[L];
+};
+
+#define IPV4_VALID(str, a, b, c, d) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+ true, \
+ { a, b, c, d } \
+ }
+
+// The value of expectedValueIfValid must be ignored for invalid IP addresses.
+// The value { 73, 73, 73, 73 } is used because it is unlikely to result in an
+// accidental match, unlike { 0, 0, 0, 0 }, which is a value we actually test.
+#define IPV4_INVALID(str) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+ false, \
+ { 73, 73, 73, 73 } \
+ }
+
+static const IPAddressParams<4> IPV4_ADDRESSES[] =
+{
+ IPV4_INVALID(""),
+ IPV4_INVALID("1"),
+ IPV4_INVALID("1.2"),
+ IPV4_INVALID("1.2.3"),
+ IPV4_VALID("1.2.3.4", 1, 2, 3, 4),
+ IPV4_INVALID("1.2.3.4.5"),
+
+ IPV4_INVALID("1.2.3.4a"), // a DNSName!
+ IPV4_INVALID("a.2.3.4"), // not even a DNSName!
+ IPV4_INVALID("1::2"), // IPv6 address
+
+ // Whitespace not allowed
+ IPV4_INVALID(" 1.2.3.4"),
+ IPV4_INVALID("1.2.3.4 "),
+ IPV4_INVALID("1 .2.3.4"),
+ IPV4_INVALID("\n1.2.3.4"),
+ IPV4_INVALID("1.2.3.4\n"),
+
+ // Nulls not allowed
+ IPV4_INVALID("\0"),
+ IPV4_INVALID("\0" "1.2.3.4"),
+ IPV4_INVALID("1.2.3.4\0"),
+ IPV4_INVALID("1.2.3.4\0.5"),
+
+ // Range
+ IPV4_VALID("0.0.0.0", 0, 0, 0, 0),
+ IPV4_VALID("255.255.255.255", 255, 255, 255, 255),
+ IPV4_INVALID("256.0.0.0"),
+ IPV4_INVALID("0.256.0.0"),
+ IPV4_INVALID("0.0.256.0"),
+ IPV4_INVALID("0.0.0.256"),
+ IPV4_INVALID("999.0.0.0"),
+ IPV4_INVALID("9999999999999999999.0.0.0"),
+
+ // All digits allowed
+ IPV4_VALID("0.1.2.3", 0, 1, 2, 3),
+ IPV4_VALID("4.5.6.7", 4, 5, 6, 7),
+ IPV4_VALID("8.9.0.1", 8, 9, 0, 1),
+
+ // Leading zeros not allowed
+ IPV4_INVALID("01.2.3.4"),
+ IPV4_INVALID("001.2.3.4"),
+ IPV4_INVALID("00000000001.2.3.4"),
+ IPV4_INVALID("010.2.3.4"),
+ IPV4_INVALID("1.02.3.4"),
+ IPV4_INVALID("1.2.03.4"),
+ IPV4_INVALID("1.2.3.04"),
+
+ // Empty components
+ IPV4_INVALID(".2.3.4"),
+ IPV4_INVALID("1..3.4"),
+ IPV4_INVALID("1.2..4"),
+ IPV4_INVALID("1.2.3."),
+
+ // Too many components
+ IPV4_INVALID("1.2.3.4.5"),
+ IPV4_INVALID("1.2.3.4.5.6"),
+ IPV4_INVALID("0.1.2.3.4"),
+ IPV4_INVALID("1.2.3.4.0"),
+
+ // Leading/trailing dot
+ IPV4_INVALID(".1.2.3.4"),
+ IPV4_INVALID("1.2.3.4."),
+
+ // Other common forms of IPv4 address
+ // http://en.wikipedia.org/wiki/IPv4#Address_representations
+ IPV4_VALID("192.0.2.235", 192, 0, 2, 235), // dotted decimal (control value)
+ IPV4_INVALID("0xC0.0x00.0x02.0xEB"), // dotted hex
+ IPV4_INVALID("0301.0000.0002.0353"), // dotted octal
+ IPV4_INVALID("0xC00002EB"), // non-dotted hex
+ IPV4_INVALID("3221226219"), // non-dotted decimal
+ IPV4_INVALID("030000001353"), // non-dotted octal
+ IPV4_INVALID("192.0.0002.0xEB"), // mixed
+};
+
+#define IPV6_VALID(str, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+ true, \
+ { a, b, c, d, \
+ e, f, g, h, \
+ i, j, k, l, \
+ m, n, o, p } \
+ }
+
+#define IPV6_INVALID(str) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+ false, \
+ { 73, 73, 73, 73, \
+ 73, 73, 73, 73, \
+ 73, 73, 73, 73, \
+ 73, 73, 73, 73 } \
+ }
+
+static const IPAddressParams<16> IPV6_ADDRESSES[] =
+{
+ IPV6_INVALID(""),
+ IPV6_INVALID("1234"),
+ IPV6_INVALID("1234:5678"),
+ IPV6_INVALID("1234:5678:9abc"),
+ IPV6_INVALID("1234:5678:9abc:def0"),
+ IPV6_INVALID("1234:5678:9abc:def0:1234:"),
+ IPV6_INVALID("1234:5678:9abc:def0:1234:5678:"),
+ IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:"),
+ IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc:def0",
+ 0x12, 0x34, 0x56, 0x78,
+ 0x9a, 0xbc, 0xde, 0xf0,
+ 0x12, 0x34, 0x56, 0x78,
+ 0x9a, 0xbc, 0xde, 0xf0),
+ IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:"),
+ IPV6_INVALID(":1234:5678:9abc:def0:1234:5678:9abc:def0"),
+ IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:0000"),
+
+ // Valid contractions
+ IPV6_VALID("::1",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x01),
+ IPV6_VALID("::1234",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x12, 0x34),
+ IPV6_VALID("1234::",
+ 0x12, 0x34, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00),
+ IPV6_VALID("1234::5678",
+ 0x12, 0x34, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x56, 0x78),
+ IPV6_VALID("1234:5678::abcd",
+ 0x12, 0x34, 0x56, 0x78,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xab, 0xcd),
+ IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc::",
+ 0x12, 0x34, 0x56, 0x78,
+ 0x9a, 0xbc, 0xde, 0xf0,
+ 0x12, 0x34, 0x56, 0x78,
+ 0x9a, 0xbc, 0x00, 0x00),
+
+ // Contraction in full IPv6 addresses not allowed
+ IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"), // start
+ IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"), // end
+ IPV6_INVALID("1234:5678::9abc:def0:1234:5678:9abc:def0"), // interior
+
+ // Multiple contractions not allowed
+ IPV6_INVALID("::1::"),
+ IPV6_INVALID("::1::2"),
+ IPV6_INVALID("1::2::"),
+
+ // Colon madness!
+ IPV6_INVALID(":"),
+ IPV6_INVALID("::"),
+ IPV6_INVALID(":::"),
+ IPV6_INVALID("::::"),
+ IPV6_INVALID(":::1"),
+ IPV6_INVALID("::::1"),
+ IPV6_INVALID("1:::2"),
+ IPV6_INVALID("1::::2"),
+ IPV6_INVALID("1:2:::"),
+ IPV6_INVALID("1:2::::"),
+ IPV6_INVALID("::1234:"),
+ IPV6_INVALID(":1234::"),
+
+ IPV6_INVALID("01234::"), // too many digits, even if zero
+ IPV6_INVALID("12345678::"), // too many digits or missing colon
+
+ // uppercase
+ IPV6_VALID("ABCD:EFAB::",
+ 0xab, 0xcd, 0xef, 0xab,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00),
+
+ // miXeD CAse
+ IPV6_VALID("aBcd:eFAb::",
+ 0xab, 0xcd, 0xef, 0xab,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00),
+
+ // IPv4-style
+ IPV6_VALID("::2.3.4.5",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x02, 0x03, 0x04, 0x05),
+ IPV6_VALID("1234::2.3.4.5",
+ 0x12, 0x34, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x02, 0x03, 0x04, 0x05),
+ IPV6_VALID("::abcd:2.3.4.5",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xab, 0xcd,
+ 0x02, 0x03, 0x04, 0x05),
+ IPV6_VALID("1234:5678:9abc:def0:1234:5678:252.253.254.255",
+ 0x12, 0x34, 0x56, 0x78,
+ 0x9a, 0xbc, 0xde, 0xf0,
+ 0x12, 0x34, 0x56, 0x78,
+ 252, 253, 254, 255),
+ IPV6_VALID("1234:5678:9abc:def0:1234::252.253.254.255",
+ 0x12, 0x34, 0x56, 0x78,
+ 0x9a, 0xbc, 0xde, 0xf0,
+ 0x12, 0x34, 0x00, 0x00,
+ 252, 253, 254, 255),
+ IPV6_INVALID("1234::252.253.254"),
+ IPV6_INVALID("::252.253.254"),
+ IPV6_INVALID("::252.253.254.300"),
+ IPV6_INVALID("1234::252.253.254.255:"),
+ IPV6_INVALID("1234::252.253.254.255:5678"),
+
+ // Contractions that don't contract
+ IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"),
+ IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"),
+ IPV6_INVALID("1234:5678:9abc:def0::1234:5678:9abc:def0"),
+ IPV6_INVALID("1234:5678:9abc:def0:1234:5678::252.253.254.255"),
+
+ // With and without leading zeros
+ IPV6_VALID("::123",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x01, 0x23),
+ IPV6_VALID("::0123",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x01, 0x23),
+ IPV6_VALID("::012",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x12),
+ IPV6_VALID("::0012",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x12),
+ IPV6_VALID("::01",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x01),
+ IPV6_VALID("::001",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x01),
+ IPV6_VALID("::0001",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x01),
+ IPV6_VALID("::0",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00),
+ IPV6_VALID("::00",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00),
+ IPV6_VALID("::000",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00),
+ IPV6_VALID("::0000",
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00),
+ IPV6_INVALID("::01234"),
+ IPV6_INVALID("::00123"),
+ IPV6_INVALID("::000123"),
+
+ // Trailing zero
+ IPV6_INVALID("::12340"),
+
+ // Whitespace
+ IPV6_INVALID(" 1234:5678:9abc:def0:1234:5678:9abc:def0"),
+ IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0"),
+ IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0\n"),
+ IPV6_INVALID("1234 :5678:9abc:def0:1234:5678:9abc:def0"),
+ IPV6_INVALID("1234: 5678:9abc:def0:1234:5678:9abc:def0"),
+ IPV6_INVALID(":: 2.3.4.5"),
+ IPV6_INVALID("1234::252.253.254.255 "),
+ IPV6_INVALID("1234::252.253.254.255\n"),
+ IPV6_INVALID("1234::252.253. 254.255"),
+
+ // Nulls
+ IPV6_INVALID("\0"),
+ IPV6_INVALID("::1\0:2"),
+ IPV6_INVALID("::1\0"),
+ IPV6_INVALID("::1.2.3.4\0"),
+ IPV6_INVALID("::1.2\02.3.4"),
+};
+
+class pkixnames_MatchPresentedDNSIDWithReferenceDNSID
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<PresentedMatchesReference>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+ MatchPresentedDNSIDWithReferenceDNSID)
+{
+ const PresentedMatchesReference& param(GetParam());
+ SCOPED_TRACE(param.presentedDNSID.c_str());
+ SCOPED_TRACE(param.referenceDNSID.c_str());
+ Input presented;
+ ASSERT_EQ(Success, presented.Init(param.presentedDNSID.data(),
+ param.presentedDNSID.length()));
+ Input reference;
+ ASSERT_EQ(Success, reference.Init(param.referenceDNSID.data(),
+ param.referenceDNSID.length()));
+
+ // sanity check that test makes sense
+ ASSERT_TRUE(IsValidReferenceDNSID(reference));
+
+ bool matches;
+ ASSERT_EQ(param.expectedResult,
+ MatchPresentedDNSIDWithReferenceDNSID(presented, reference,
+ matches));
+ if (param.expectedResult == Success) {
+ ASSERT_EQ(param.expectedMatches, matches);
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+ pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+ testing::ValuesIn(DNSID_MATCH_PARAMS));
+
+class pkixnames_Turkish_I_Comparison
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<InputValidity>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_Turkish_I_Comparison, MatchPresentedDNSIDWithReferenceDNSID)
+{
+ // Make sure we don't have the similar problems that strcasecmp and others
+ // have with the other kinds of "i" and "I" commonly used in Turkish locales.
+
+ const InputValidity& inputValidity(GetParam());
+ SCOPED_TRACE(inputValidity.input.c_str());
+ Input input;
+ ASSERT_EQ(Success, input.Init(inputValidity.input.data(),
+ inputValidity.input.length()));
+
+ bool isASCII = InputsAreEqual(LOWERCASE_I, input) ||
+ InputsAreEqual(UPPERCASE_I, input);
+ {
+ bool matches;
+ ASSERT_EQ(inputValidity.isValidPresentedID ? Success
+ : Result::ERROR_BAD_DER,
+ MatchPresentedDNSIDWithReferenceDNSID(input, LOWERCASE_I,
+ matches));
+ if (inputValidity.isValidPresentedID) {
+ ASSERT_EQ(isASCII, matches);
+ }
+ }
+ {
+ bool matches;
+ ASSERT_EQ(inputValidity.isValidPresentedID ? Success
+ : Result::ERROR_BAD_DER,
+ MatchPresentedDNSIDWithReferenceDNSID(input, UPPERCASE_I,
+ matches));
+ if (inputValidity.isValidPresentedID) {
+ ASSERT_EQ(isASCII, matches);
+ }
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_Turkish_I_Comparison,
+ pkixnames_Turkish_I_Comparison,
+ testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I));
+
+class pkixnames_IsValidReferenceDNSID
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<InputValidity>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_IsValidReferenceDNSID, IsValidReferenceDNSID)
+{
+ const InputValidity& inputValidity(GetParam());
+ SCOPED_TRACE(inputValidity.input.c_str());
+ Input input;
+ ASSERT_EQ(Success, input.Init(inputValidity.input.data(),
+ inputValidity.input.length()));
+ ASSERT_EQ(inputValidity.isValidReferenceID, IsValidReferenceDNSID(input));
+ ASSERT_EQ(inputValidity.isValidPresentedID, IsValidPresentedDNSID(input));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_IsValidReferenceDNSID,
+ pkixnames_IsValidReferenceDNSID,
+ testing::ValuesIn(DNSNAMES_VALIDITY));
+INSTANTIATE_TEST_CASE_P(pkixnames_IsValidReferenceDNSID_Turkish_I,
+ pkixnames_IsValidReferenceDNSID,
+ testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I));
+
+class pkixnames_ParseIPv4Address
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<IPAddressParams<4>>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_ParseIPv4Address, ParseIPv4Address)
+{
+ const IPAddressParams<4>& param(GetParam());
+ SCOPED_TRACE(param.input.c_str());
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.input.data(),
+ param.input.length()));
+ uint8_t ipAddress[4];
+ ASSERT_EQ(param.isValid, ParseIPv4Address(input, ipAddress));
+ if (param.isValid) {
+ for (size_t i = 0; i < sizeof(ipAddress); ++i) {
+ ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]);
+ }
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_ParseIPv4Address,
+ pkixnames_ParseIPv4Address,
+ testing::ValuesIn(IPV4_ADDRESSES));
+
+class pkixnames_ParseIPv6Address
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<IPAddressParams<16>>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_ParseIPv6Address, ParseIPv6Address)
+{
+ const IPAddressParams<16>& param(GetParam());
+ SCOPED_TRACE(param.input.c_str());
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.input.data(),
+ param.input.length()));
+ uint8_t ipAddress[16];
+ ASSERT_EQ(param.isValid, ParseIPv6Address(input, ipAddress));
+ if (param.isValid) {
+ for (size_t i = 0; i < sizeof(ipAddress); ++i) {
+ ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]);
+ }
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_ParseIPv6Address,
+ pkixnames_ParseIPv6Address,
+ testing::ValuesIn(IPV6_ADDRESSES));
+
+// This is an arbitrary string that is used to indicate that no SAN extension
+// should be put into the generated certificate. It needs to be different from
+// "" or any other subjectAltName value that we actually want to test, but its
+// actual value does not matter. Note that this isn't a correctly-encoded SAN
+// extension value!
+static const ByteString
+ NO_SAN(reinterpret_cast<const uint8_t*>("I'm a bad, bad, certificate"));
+
+struct CheckCertHostnameParams
+{
+ ByteString hostname;
+ ByteString subject;
+ ByteString subjectAltName;
+ Result result;
+};
+
+class pkixnames_CheckCertHostname
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<CheckCertHostnameParams>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+#define WITH_SAN(r, ps, psan, result) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \
+ ps, \
+ psan, \
+ result \
+ }
+
+#define WITHOUT_SAN(r, ps, result) \
+ { \
+ ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \
+ ps, \
+ NO_SAN, \
+ result \
+ }
+
+static const uint8_t example_com[] = {
+ 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
+};
+
+// Note that We avoid zero-valued bytes in these IP addresses so that we don't
+// get false negatives from anti-NULL-byte defenses in dNSName decoding.
+static const uint8_t ipv4_addr_bytes[] = {
+ 1, 2, 3, 4
+};
+static const uint8_t ipv4_addr_bytes_as_str[] = "\x01\x02\x03\x04";
+static const uint8_t ipv4_addr_str[] = "1.2.3.4";
+static const uint8_t ipv4_addr_bytes_FFFFFFFF[8] = {
+ 1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff
+};
+
+static const uint8_t ipv4_compatible_ipv6_addr_bytes[] = {
+ 0, 0, 0, 0,
+ 0, 0, 0, 0,
+ 0, 0, 0, 0,
+ 1, 2, 3, 4
+};
+static const uint8_t ipv4_compatible_ipv6_addr_str[] = "::1.2.3.4";
+
+static const uint8_t ipv4_mapped_ipv6_addr_bytes[] = {
+ 0, 0, 0, 0,
+ 0, 0, 0, 0,
+ 0, 0, 0xFF, 0xFF,
+ 1, 2, 3, 4
+};
+static const uint8_t ipv4_mapped_ipv6_addr_str[] = "::FFFF:1.2.3.4";
+
+static const uint8_t ipv6_addr_bytes[] = {
+ 0x11, 0x22, 0x33, 0x44,
+ 0x55, 0x66, 0x77, 0x88,
+ 0x99, 0xaa, 0xbb, 0xcc,
+ 0xdd, 0xee, 0xff, 0x11
+};
+static const uint8_t ipv6_addr_bytes_as_str[] =
+ "\x11\x22\x33\x44"
+ "\x55\x66\x77\x88"
+ "\x99\xaa\xbb\xcc"
+ "\xdd\xee\xff\x11";
+
+static const uint8_t ipv6_addr_str[] =
+ "1122:3344:5566:7788:99aa:bbcc:ddee:ff11";
+
+static const uint8_t ipv6_other_addr_bytes[] = {
+ 0xff, 0xee, 0xdd, 0xcc,
+ 0xbb, 0xaa, 0x99, 0x88,
+ 0x77, 0x66, 0x55, 0x44,
+ 0x33, 0x22, 0x11, 0x00,
+};
+
+static const uint8_t ipv4_other_addr_bytes[] = {
+ 5, 6, 7, 8
+};
+static const uint8_t ipv4_other_addr_bytes_FFFFFFFF[] = {
+ 5, 6, 7, 8, 0xff, 0xff, 0xff, 0xff
+};
+
+static const uint8_t ipv4_addr_00000000_bytes[] = {
+ 0, 0, 0, 0
+};
+static const uint8_t ipv4_addr_FFFFFFFF_bytes[] = {
+ 0, 0, 0, 0
+};
+
+static const uint8_t ipv4_constraint_all_zeros_bytes[] = {
+ 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv6_addr_all_zeros_bytes[] = {
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static const uint8_t ipv6_constraint_all_zeros_bytes[] = {
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv4_constraint_CIDR_16_bytes[] = {
+ 1, 2, 0, 0, 0xff, 0xff, 0, 0
+};
+static const uint8_t ipv4_constraint_CIDR_17_bytes[] = {
+ 1, 2, 0, 0, 0xff, 0xff, 0x80, 0
+};
+
+// The subnet is 1.2.0.0/16 but it is specified as 1.2.3.0/16
+static const uint8_t ipv4_constraint_CIDR_16_bad_addr_bytes[] = {
+ 1, 2, 3, 0, 0xff, 0xff, 0, 0
+};
+
+// Masks are supposed to be of the form <ones><zeros>, but this one is of the
+// form <ones><zeros><ones><zeros>.
+static const uint8_t ipv4_constraint_bad_mask_bytes[] = {
+ 1, 2, 3, 0, 0xff, 0, 0xff, 0
+};
+
+static const uint8_t ipv6_constraint_CIDR_16_bytes[] = {
+ 0x11, 0x22, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0xff, 0xff, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+// The subnet is 1122::/16 but it is specified as 1122:3344::/16
+static const uint8_t ipv6_constraint_CIDR_16_bad_addr_bytes[] = {
+ 0x11, 0x22, 0x33, 0x44, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0xff, 0xff, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+// Masks are supposed to be of the form <ones><zeros>, but this one is of the
+// form <ones><zeros><ones><zeros>.
+static const uint8_t ipv6_constraint_bad_mask_bytes[] = {
+ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static const uint8_t ipv4_addr_truncated_bytes[] = {
+ 1, 2, 3
+};
+static const uint8_t ipv4_addr_overlong_bytes[] = {
+ 1, 2, 3, 4, 5
+};
+static const uint8_t ipv4_constraint_truncated_bytes[] = {
+ 0, 0, 0, 0,
+ 0, 0, 0,
+};
+static const uint8_t ipv4_constraint_overlong_bytes[] = {
+ 0, 0, 0, 0,
+ 0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv6_addr_truncated_bytes[] = {
+ 0x11, 0x22, 0x33, 0x44,
+ 0x55, 0x66, 0x77, 0x88,
+ 0x99, 0xaa, 0xbb, 0xcc,
+ 0xdd, 0xee, 0xff
+};
+static const uint8_t ipv6_addr_overlong_bytes[] = {
+ 0x11, 0x22, 0x33, 0x44,
+ 0x55, 0x66, 0x77, 0x88,
+ 0x99, 0xaa, 0xbb, 0xcc,
+ 0xdd, 0xee, 0xff, 0x11, 0x00
+};
+static const uint8_t ipv6_constraint_truncated_bytes[] = {
+ 0x11, 0x22, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0xff, 0xff, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0
+};
+static const uint8_t ipv6_constraint_overlong_bytes[] = {
+ 0x11, 0x22, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ 0xff, 0xff, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+// Note that, for DNSNames, these test cases in CHECK_CERT_HOSTNAME_PARAMS are
+// mostly about testing different scenerios regarding the structure of entries
+// in the subjectAltName and subject of the certificate, than about the how
+// specific presented identifier values are matched against the reference
+// identifier values. This is because we also use the test cases in
+// DNSNAMES_VALIDITY to test CheckCertHostname. Consequently, tests about
+// whether specific presented DNSNames (including wildcards, in particular) are
+// matched against a reference DNSName only need to be added to
+// DNSNAMES_VALIDITY, and not here.
+static const CheckCertHostnameParams CHECK_CERT_HOSTNAME_PARAMS[] =
+{
+ // This is technically illegal. PrintableString is defined in such a way that
+ // '*' is not an allowed character, but there are many real-world certificates
+ // that are encoded this way.
+ WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::PrintableString)),
+ Success),
+ WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::UTF8String)),
+ Success),
+
+ // Many certificates use TeletexString when encoding wildcards in CN-IDs
+ // because PrintableString is defined as not allowing '*' and UTF8String was,
+ // at one point in history, considered too new to depend on for compatibility.
+ // We accept TeletexString-encoded CN-IDs when they don't contain any escape
+ // sequences. The reference I used for the escape codes was
+ // https://tools.ietf.org/html/rfc1468. The escaping mechanism is actually
+ // pretty complex and these tests don't even come close to testing all the
+ // possibilities.
+ WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::TeletexString)),
+ Success),
+ // "ESC ( B" ({0x1B,0x50,0x42}) is the escape code to switch to ASCII, which
+ // is redundant because it already the default.
+ WITHOUT_SAN("foo.example.com",
+ RDN(CN("\x1B(B*.example.com", der::TeletexString)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ WITHOUT_SAN("foo.example.com",
+ RDN(CN("*.example\x1B(B.com", der::TeletexString)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ WITHOUT_SAN("foo.example.com",
+ RDN(CN("*.example.com\x1B(B", der::TeletexString)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // "ESC $ B" ({0x1B,0x24,0x42}) is the escape code to switch to
+ // JIS X 0208-1983 (a Japanese character set).
+ WITHOUT_SAN("foo.example.com",
+ RDN(CN("\x1B$B*.example.com", der::TeletexString)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ WITHOUT_SAN("foo.example.com",
+ RDN(CN("*.example.com\x1B$B", der::TeletexString)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+
+ // Match a DNSName SAN entry with a redundant (ignored) matching CN-ID.
+ WITH_SAN("a", RDN(CN("a")), DNSName("a"), Success),
+ // Match a DNSName SAN entry when there is an CN-ID that doesn't match.
+ WITH_SAN("b", RDN(CN("a")), DNSName("b"), Success),
+ // Do not match a CN-ID when there is a valid DNSName SAN Entry.
+ WITH_SAN("a", RDN(CN("a")), DNSName("b"), Result::ERROR_BAD_CERT_DOMAIN),
+ // Do not match a CN-ID when there is a malformed DNSName SAN Entry.
+ WITH_SAN("a", RDN(CN("a")), DNSName("!"), Result::ERROR_BAD_DER),
+ // Do not match a matching CN-ID when there is a valid IPAddress SAN entry.
+ WITH_SAN("a", RDN(CN("a")), IPAddress(ipv4_addr_bytes),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Do not match a matching CN-ID when there is a malformed IPAddress SAN entry.
+ WITH_SAN("a", RDN(CN("a")), IPAddress(example_com),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Match a DNSName against a matching CN-ID when there is a SAN, but the SAN
+ // does not contain an DNSName or IPAddress entry.
+ WITH_SAN("a", RDN(CN("a")), RFC822Name("foo@example.com"), Success),
+ // Match a matching CN-ID when there is no SAN.
+ WITHOUT_SAN("a", RDN(CN("a")), Success),
+ // Do not match a mismatching CN-ID when there is no SAN.
+ WITHOUT_SAN("a", RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN),
+
+ // The first DNSName matches.
+ WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success),
+ // The last DNSName matches.
+ WITH_SAN("b", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success),
+ // The middle DNSName matches.
+ WITH_SAN("b", RDN(CN("foo")),
+ DNSName("a") + DNSName("b") + DNSName("c"), Success),
+ // After an IP address.
+ WITH_SAN("b", RDN(CN("foo")),
+ IPAddress(ipv4_addr_bytes) + DNSName("b"), Success),
+ // Before an IP address.
+ WITH_SAN("a", RDN(CN("foo")),
+ DNSName("a") + IPAddress(ipv4_addr_bytes), Success),
+ // Between an RFC822Name and an IP address.
+ WITH_SAN("b", RDN(CN("foo")),
+ RFC822Name("foo@example.com") + DNSName("b") +
+ IPAddress(ipv4_addr_bytes),
+ Success),
+ // Duplicate DNSName.
+ WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("a"), Success),
+ // After an invalid DNSName.
+ WITH_SAN("b", RDN(CN("foo")), DNSName("!") + DNSName("b"),
+ Result::ERROR_BAD_DER),
+
+ // http://tools.ietf.org/html/rfc5280#section-4.2.1.6: "If the subjectAltName
+ // extension is present, the sequence MUST contain at least one entry."
+ // However, for compatibility reasons, this is not enforced. See bug 1143085.
+ // This case is treated as if the extension is not present (i.e. name
+ // matching falls back to the subject CN).
+ WITH_SAN("a", RDN(CN("a")), ByteString(), Success),
+ WITH_SAN("a", RDN(CN("b")), ByteString(), Result::ERROR_BAD_CERT_DOMAIN),
+
+ // http://tools.ietf.org/html/rfc5280#section-4.1.2.6 says "If subject naming
+ // information is present only in the subjectAltName extension (e.g., a key
+ // bound only to an email address or URI), then the subject name MUST be an
+ // empty sequence and the subjectAltName extension MUST be critical." So, we
+ // have to support an empty subject. We don't enforce that the SAN must be
+ // critical or even that there is a SAN when the subject is empty, though.
+ WITH_SAN("a", ByteString(), DNSName("a"), Success),
+ // Make sure we return ERROR_BAD_CERT_DOMAIN and not ERROR_BAD_DER.
+ WITHOUT_SAN("a", ByteString(), Result::ERROR_BAD_CERT_DOMAIN),
+
+ // Two CNs in the same RDN, both match.
+ WITHOUT_SAN("a", RDN(CN("a") + CN("a")), Success),
+ // Two CNs in the same RDN, both DNSNames, first one matches.
+ WITHOUT_SAN("a", RDN(CN("a") + CN("b")),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Two CNs in the same RDN, both DNSNames, last one matches.
+ WITHOUT_SAN("b", RDN(CN("a") + CN("b")), Success),
+ // Two CNs in the same RDN, first one matches, second isn't a DNSName.
+ WITHOUT_SAN("a", RDN(CN("a") + CN("Not a DNSName")),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Two CNs in the same RDN, first one not a DNSName, second matches.
+ WITHOUT_SAN("b", RDN(CN("Not a DNSName") + CN("b")), Success),
+
+ // Two CNs in separate RDNs, both match.
+ WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("a")), Success),
+ // Two CNs in separate RDNs, both DNSNames, first one matches.
+ WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("b")),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Two CNs in separate RDNs, both DNSNames, last one matches.
+ WITHOUT_SAN("b", RDN(CN("a")) + RDN(CN("b")), Success),
+ // Two CNs in separate RDNs, first one matches, second isn't a DNSName.
+ WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("Not a DNSName")),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Two CNs in separate RDNs, first one not a DNSName, second matches.
+ WITHOUT_SAN("b", RDN(CN("Not a DNSName")) + RDN(CN("b")), Success),
+
+ // One CN, one RDN, CN is the first AVA in the RDN, CN matches.
+ WITHOUT_SAN("a", RDN(CN("a") + OU("b")), Success),
+ // One CN, one RDN, CN is the first AVA in the RDN, CN does not match.
+ WITHOUT_SAN("b", RDN(CN("a") + OU("b")),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // One CN, one RDN, CN is not the first AVA in the RDN, CN matches.
+ WITHOUT_SAN("b", RDN(OU("a") + CN("b")), Success),
+ // One CN, one RDN, CN is not the first AVA in the RDN, CN does not match.
+ WITHOUT_SAN("a", RDN(OU("a") + CN("b")),
+ Result::ERROR_BAD_CERT_DOMAIN),
+
+ // One CN, multiple RDNs, CN is in the first RDN, CN matches.
+ WITHOUT_SAN("a", RDN(CN("a")) + RDN(OU("b")), Success),
+ // One CN, multiple RDNs, CN is in the first RDN, CN does not match.
+ WITHOUT_SAN("b", RDN(CN("a")) + RDN(OU("b")), Result::ERROR_BAD_CERT_DOMAIN),
+ // One CN, multiple RDNs, CN is not in the first RDN, CN matches.
+ WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")), Success),
+ // One CN, multiple RDNs, CN is not in the first RDN, CN does not match.
+ WITHOUT_SAN("a", RDN(OU("a")) + RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN),
+
+ // One CN, one RDN, CN is not in the first or last AVA, CN matches.
+ WITHOUT_SAN("b", RDN(OU("a") + CN("b") + OU("c")), Success),
+ // One CN, multiple RDNs, CN is not in the first or last RDN, CN matches.
+ WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")) + RDN(OU("c")), Success),
+
+ // Empty CN does not match.
+ WITHOUT_SAN("example.com", RDN(CN("")), Result::ERROR_BAD_CERT_DOMAIN),
+
+ WITHOUT_SAN("uses_underscore.example.com", RDN(CN("*.example.com")), Success),
+ WITHOUT_SAN("a.uses_underscore.example.com",
+ RDN(CN("*.uses_underscore.example.com")), Success),
+ WITH_SAN("uses_underscore.example.com", RDN(CN("foo")),
+ DNSName("*.example.com"), Success),
+ WITH_SAN("a.uses_underscore.example.com", RDN(CN("foo")),
+ DNSName("*.uses_underscore.example.com"), Success),
+
+ // Do not match a DNSName that is encoded in a malformed IPAddress.
+ WITH_SAN("example.com", RDN(CN("foo")), IPAddress(example_com),
+ Result::ERROR_BAD_CERT_DOMAIN),
+
+ // We skip over the malformed IPAddress and match the DNSName entry because
+ // we've heard reports of real-world certificates that have malformed
+ // IPAddress SANs.
+ WITH_SAN("example.org", RDN(CN("foo")),
+ IPAddress(example_com) + DNSName("example.org"), Success),
+
+ WITH_SAN("example.com", RDN(CN("foo")),
+ DNSName("!") + DNSName("example.com"), Result::ERROR_BAD_DER),
+
+ // Match a matching IPv4 address SAN entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN("foo")), IPAddress(ipv4_addr_bytes),
+ Success),
+ // Match a matching IPv4 addresses in the CN when there is no SAN
+ WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), Success),
+ // Do not match a matching IPv4 address in the CN when there is a SAN with
+ // a DNSName entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+ DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN),
+ // Do not match a matching IPv4 address in the CN when there is a SAN with
+ // a non-matching IPAddress entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+ IPAddress(ipv6_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN),
+ // Match a matching IPv4 address in the CN when there is a SAN with a
+ // non-IPAddress, non-DNSName entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+ RFC822Name("foo@example.com"), Success),
+ // Do not match a matching IPv4 address in the CN when there is a SAN with a
+ // malformed IPAddress entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+ IPAddress(example_com), Result::ERROR_BAD_CERT_DOMAIN),
+ // Do not match a matching IPv4 address in the CN when there is a SAN with a
+ // malformed DNSName entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+ DNSName("!"), Result::ERROR_BAD_CERT_DOMAIN),
+
+ // We don't match IPv6 addresses in the CN, regardless of whether there is
+ // a SAN.
+ WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+ DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN),
+ WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+ IPAddress(ipv6_addr_bytes), Success),
+ WITH_SAN(ipv6_addr_str, RDN(CN("foo")), IPAddress(ipv6_addr_bytes),
+ Success),
+
+ // We don't match the binary encoding of the bytes of IP addresses in the
+ // CN.
+ WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_bytes_as_str)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_bytes_as_str)),
+ Result::ERROR_BAD_CERT_DOMAIN),
+
+ // We don't match IP addresses with DNSName SANs.
+ WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+ DNSName(ipv4_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN),
+ WITH_SAN(ipv4_addr_str, RDN(CN("foo")), DNSName(ipv4_addr_str),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ WITH_SAN(ipv6_addr_str, RDN(CN("foo")),
+ DNSName(ipv6_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN),
+ WITH_SAN(ipv6_addr_str, RDN(CN("foo")), DNSName(ipv6_addr_str),
+ Result::ERROR_BAD_CERT_DOMAIN),
+
+ // Do not match an IPv4 reference ID against the equivalent IPv4-compatible
+ // IPv6 SAN entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+ IPAddress(ipv4_compatible_ipv6_addr_bytes),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6
+ // SAN entry.
+ WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+ IPAddress(ipv4_mapped_ipv6_addr_bytes),
+ Result::ERROR_BAD_CERT_DOMAIN),
+ // Do not match an IPv4-compatible IPv6 reference ID against the equivalent
+ // IPv4 SAN entry.
+ WITH_SAN(ipv4_compatible_ipv6_addr_str, RDN(CN("foo")),
+ IPAddress(ipv4_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN),
+ // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6
+ // SAN entry.
+ WITH_SAN(ipv4_mapped_ipv6_addr_str, RDN(CN("foo")),
+ IPAddress(ipv4_addr_bytes),
+ Result::ERROR_BAD_CERT_DOMAIN),
+
+ // Test that the presence of an otherName entry is handled appropriately.
+ // (The actual value of the otherName entry isn't important - that's not what
+ // we're testing here.)
+ WITH_SAN("example.com", ByteString(),
+ // The tag for otherName is CONTEXT_SPECIFIC | CONSTRUCTED | 0
+ TLV((2 << 6) | (1 << 5) | 0, ByteString()) + DNSName("example.com"),
+ Success),
+ WITH_SAN("example.com", ByteString(),
+ TLV((2 << 6) | (1 << 5) | 0, ByteString()),
+ Result::ERROR_BAD_CERT_DOMAIN),
+};
+
+ByteString
+CreateCert(const ByteString& subject, const ByteString& subjectAltName,
+ EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity)
+{
+ ByteString serialNumber(CreateEncodedSerialNumber(1));
+ EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+ ByteString issuerDER(Name(RDN(CN("issuer"))));
+ EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+
+ ByteString extensions[2];
+ if (subjectAltName != NO_SAN) {
+ extensions[0] = CreateEncodedSubjectAltName(subjectAltName);
+ EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+ }
+ if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+ // Currently, these tests assume that if we're creating a CA certificate, it
+ // will not have a subjectAlternativeName extension. If that assumption
+ // changes, this code will have to be updated. Ideally this would be
+ // ASSERT_EQ, but that inserts a 'return;', which doesn't match this
+ // function's return type.
+ EXPECT_EQ(subjectAltName, NO_SAN);
+ extensions[0] = CreateEncodedBasicConstraints(true, nullptr,
+ Critical::Yes);
+ EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+ }
+
+ ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+ return CreateEncodedCertificate(
+ v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+ oneDayBeforeNow, oneDayAfterNow, Name(subject), *keyPair,
+ extensions, *keyPair, sha256WithRSAEncryption());
+}
+
+TEST_P(pkixnames_CheckCertHostname, CheckCertHostname)
+{
+ const CheckCertHostnameParams& param(GetParam());
+
+ ByteString cert(CreateCert(param.subject, param.subjectAltName));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+ Input hostnameInput;
+ ASSERT_EQ(Success, hostnameInput.Init(param.hostname.data(),
+ param.hostname.length()));
+
+ ASSERT_EQ(param.result, CheckCertHostname(certInput, hostnameInput,
+ mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname,
+ pkixnames_CheckCertHostname,
+ testing::ValuesIn(CHECK_CERT_HOSTNAME_PARAMS));
+
+TEST_F(pkixnames_CheckCertHostname, SANWithoutSequence)
+{
+ // A certificate with a truly empty SAN extension (one that doesn't even
+ // contain a SEQUENCE at all) is malformed. If we didn't treat this as
+ // malformed then we'd have to treat it like the CN_EmptySAN cases.
+
+ ByteString serialNumber(CreateEncodedSerialNumber(1));
+ EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+ ByteString extensions[2];
+ extensions[0] = CreateEncodedEmptySubjectAltName();
+ ASSERT_FALSE(ENCODING_FAILED(extensions[0]));
+
+ ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+ ByteString certDER(CreateEncodedCertificate(
+ v3, sha256WithRSAEncryption(), serialNumber,
+ Name(RDN(CN("issuer"))), oneDayBeforeNow, oneDayAfterNow,
+ Name(RDN(CN("a"))), *keyPair, extensions,
+ *keyPair, sha256WithRSAEncryption()));
+ ASSERT_FALSE(ENCODING_FAILED(certDER));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+
+ static const uint8_t a[] = { 'a' };
+ ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
+ CheckCertHostname(certInput, Input(a), mNameMatchingPolicy));
+}
+
+class pkixnames_CheckCertHostname_PresentedMatchesReference
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<PresentedMatchesReference>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference, CN_NoSAN)
+{
+ // Since there is no SAN, a valid presented DNS ID in the subject CN field
+ // should result in a match.
+
+ const PresentedMatchesReference& param(GetParam());
+
+ ByteString cert(CreateCert(RDN(CN(param.presentedDNSID)), NO_SAN));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+ Input hostnameInput;
+ ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(),
+ param.referenceDNSID.length()));
+
+ ASSERT_EQ(param.expectedMatches ? Success : Result::ERROR_BAD_CERT_DOMAIN,
+ CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference,
+ SubjectAltName_CNNotDNSName)
+{
+ // A DNSName SAN entry should match, regardless of the contents of the
+ // subject CN.
+
+ const PresentedMatchesReference& param(GetParam());
+
+ ByteString cert(CreateCert(RDN(CN("Common Name")),
+ DNSName(param.presentedDNSID)));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+ Input hostnameInput;
+ ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(),
+ param.referenceDNSID.length()));
+ Result expectedResult
+ = param.expectedResult != Success ? param.expectedResult
+ : param.expectedMatches ? Success
+ : Result::ERROR_BAD_CERT_DOMAIN;
+ ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput,
+ mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname_DNSID_MATCH_PARAMS,
+ pkixnames_CheckCertHostname_PresentedMatchesReference,
+ testing::ValuesIn(DNSID_MATCH_PARAMS));
+
+TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_CN_NoSAN)
+{
+ // Make sure we don't have the similar problems that strcasecmp and others
+ // have with the other kinds of "i" and "I" commonly used in Turkish locales,
+ // when we're matching a CN due to lack of subjectAltName.
+
+ const InputValidity& param(GetParam());
+ SCOPED_TRACE(param.input.c_str());
+
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length()));
+
+ ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+ Result expectedResult = (InputsAreEqual(LOWERCASE_I, input) ||
+ InputsAreEqual(UPPERCASE_I, input))
+ ? Success
+ : Result::ERROR_BAD_CERT_DOMAIN;
+
+ ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I,
+ mNameMatchingPolicy));
+ ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I,
+ mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_SAN)
+{
+ // Make sure we don't have the similar problems that strcasecmp and others
+ // have with the other kinds of "i" and "I" commonly used in Turkish locales,
+ // when we're matching a dNSName in the SAN.
+
+ const InputValidity& param(GetParam());
+ SCOPED_TRACE(param.input.c_str());
+
+ Input input;
+ ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length()));
+
+ ByteString cert(CreateCert(RDN(CN("Common Name")), DNSName(param.input)));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+ Result expectedResult
+ = (!param.isValidPresentedID) ? Result::ERROR_BAD_DER
+ : (InputsAreEqual(LOWERCASE_I, input) ||
+ InputsAreEqual(UPPERCASE_I, input)) ? Success
+ : Result::ERROR_BAD_CERT_DOMAIN;
+
+ ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I,
+ mNameMatchingPolicy));
+ ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I,
+ mNameMatchingPolicy));
+}
+
+class pkixnames_CheckCertHostname_IPV4_Addresses
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<IPAddressParams<4>>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses,
+ ValidIPv4AddressInIPAddressSAN)
+{
+ // When the reference hostname is a valid IPv4 address, a correctly-formed
+ // IPv4 Address SAN matches it.
+
+ const IPAddressParams<4>& param(GetParam());
+
+ ByteString cert(CreateCert(RDN(CN("Common Name")),
+ IPAddress(param.expectedValueIfValid)));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+ Input hostnameInput;
+ ASSERT_EQ(Success, hostnameInput.Init(param.input.data(),
+ param.input.length()));
+
+ ASSERT_EQ(param.isValid ? Success : Result::ERROR_BAD_CERT_DOMAIN,
+ CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses,
+ ValidIPv4AddressInCN_NoSAN)
+{
+ // When the reference hostname is a valid IPv4 address, a correctly-formed
+ // IPv4 Address in the CN matches it when there is no SAN.
+
+ const IPAddressParams<4>& param(GetParam());
+
+ SCOPED_TRACE(param.input.c_str());
+
+ ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN));
+ ASSERT_FALSE(ENCODING_FAILED(cert));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+ Input hostnameInput;
+ ASSERT_EQ(Success, hostnameInput.Init(param.input.data(),
+ param.input.length()));
+
+ // Some of the invalid IPv4 addresses are valid DNS names!
+ Result expectedResult = (param.isValid || IsValidReferenceDNSID(hostnameInput))
+ ? Success
+ : Result::ERROR_BAD_CERT_DOMAIN;
+
+ ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput,
+ mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname_IPV4_ADDRESSES,
+ pkixnames_CheckCertHostname_IPV4_Addresses,
+ testing::ValuesIn(IPV4_ADDRESSES));
+
+struct NameConstraintParams
+{
+ ByteString subject;
+ ByteString subjectAltName;
+ ByteString subtrees;
+ Result expectedPermittedSubtreesResult;
+ Result expectedExcludedSubtreesResult;
+};
+
+static ByteString
+PermittedSubtrees(const ByteString& generalSubtrees)
+{
+ return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+ generalSubtrees);
+}
+
+static ByteString
+ExcludedSubtrees(const ByteString& generalSubtrees)
+{
+ return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+ generalSubtrees);
+}
+
+// Does not encode min or max.
+static ByteString
+GeneralSubtree(const ByteString& base)
+{
+ return TLV(der::SEQUENCE, base);
+}
+
+static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] =
+{
+ /////////////////////////////////////////////////////////////////////////////
+ // XXX: Malformed name constraints for supported types of names are ignored
+ // when there are no names of that type to constrain.
+ { ByteString(), NO_SAN,
+ GeneralSubtree(DNSName("!")),
+ Success, Success
+ },
+ { // DirectoryName constraints are an exception, because *every* certificate
+ // has at least one DirectoryName (tbsCertificate.subject).
+ ByteString(), NO_SAN,
+ GeneralSubtree(Name(ByteString(reinterpret_cast<const uint8_t*>("!"), 1))),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { ByteString(), NO_SAN,
+ GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+ Success, Success
+ },
+ { ByteString(), NO_SAN,
+ GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+ Success, Success
+ },
+ { ByteString(), NO_SAN,
+ GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+ Success, Success
+ },
+ { ByteString(), NO_SAN,
+ GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+ Success, Success
+ },
+ { ByteString(), NO_SAN,
+ GeneralSubtree(RFC822Name("!")),
+ Success, Success
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // Edge cases of name constraint absolute vs. relative and subdomain matching
+ // that are not clearly explained in RFC 5280. (See the long comment above
+ // MatchPresentedDNSIDWithReferenceDNSID.)
+
+ // Q: Does a presented identifier equal (case insensitive) to the name
+ // constraint match the constraint? For example, does the presented
+ // ID "host.example.com" match a "host.example.com" constraint?
+ { ByteString(), DNSName("host.example.com"),
+ GeneralSubtree(DNSName("host.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // This test case is an example from RFC 5280.
+ ByteString(), DNSName("host1.example.com"),
+ GeneralSubtree(DNSName("host.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { ByteString(), RFC822Name("a@host.example.com"),
+ GeneralSubtree(RFC822Name("host.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // This test case is an example from RFC 5280.
+ ByteString(), RFC822Name("a@host1.example.com"),
+ GeneralSubtree(RFC822Name("host.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+
+ // Q: When the name constraint does not start with ".", do subdomain
+ // presented identifiers match it? For example, does the presented
+ // ID "www.host.example.com" match a "host.example.com" constraint?
+ { // This test case is an example from RFC 5280.
+ ByteString(), DNSName("www.host.example.com"),
+ GeneralSubtree(DNSName( "host.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // The subdomain matching rule for host names that do not start with "." is
+ // different for RFC822Names than for DNSNames!
+ ByteString(), RFC822Name("a@www.host.example.com"),
+ GeneralSubtree(RFC822Name( "host.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+ Success
+ },
+
+ // Q: When the name constraint does not start with ".", does a
+ // non-subdomain prefix match it? For example, does "bigfoo.bar.com"
+ // match "foo.bar.com"?
+ { ByteString(), DNSName("bigfoo.bar.com"),
+ GeneralSubtree(DNSName( "foo.bar.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { ByteString(), RFC822Name("a@bigfoo.bar.com"),
+ GeneralSubtree(RFC822Name( "foo.bar.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+
+ // Q: Is a name constraint that starts with "." valid, and if so, what
+ // semantics does it have? For example, does a presented ID of
+ // "www.example.com" match a constraint of ".example.com"? Does a
+ // presented ID of "example.com" match a constraint of ".example.com"?
+ { ByteString(), DNSName("www.example.com"),
+ GeneralSubtree(DNSName( ".example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // When there is no Local-part, an RFC822 name constraint's domain may
+ // start with '.', and the semantics are the same as for DNSNames.
+ ByteString(), RFC822Name("a@www.example.com"),
+ GeneralSubtree(RFC822Name( ".example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // When there is a Local-part, an RFC822 name constraint's domain must not
+ // start with '.'.
+ ByteString(), RFC822Name("a@www.example.com"),
+ GeneralSubtree(RFC822Name( "a@.example.com")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // Check that we only allow subdomains to match.
+ ByteString(), DNSName( "example.com"),
+ GeneralSubtree(DNSName(".example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // Check that we only allow subdomains to match.
+ ByteString(), RFC822Name("a@example.com"),
+ GeneralSubtree(RFC822Name(".example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // Check that we don't get confused and consider "b" == "."
+ ByteString(), DNSName("bexample.com"),
+ GeneralSubtree(DNSName(".example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // Check that we don't get confused and consider "b" == "."
+ ByteString(), RFC822Name("a@bexample.com"),
+ GeneralSubtree(RFC822Name( ".example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+
+ // Q: Is there a way to prevent subdomain matches?
+ // (This is tested in a different set of tests because it requires a
+ // combination of permittedSubtrees and excludedSubtrees.)
+
+ // Q: Are name constraints allowed to be specified as absolute names?
+ // For example, does a presented ID of "example.com" match a name
+ // constraint of "example.com." and vice versa?
+ //
+ { // The DNSName in the constraint is not valid because constraint DNS IDs
+ // are not allowed to be absolute.
+ ByteString(), DNSName("example.com"),
+ GeneralSubtree(DNSName("example.com.")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { ByteString(), RFC822Name("a@example.com"),
+ GeneralSubtree(RFC822Name( "example.com.")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { // The DNSName in the SAN is not valid because presented DNS IDs are not
+ // allowed to be absolute.
+ ByteString(), DNSName("example.com."),
+ GeneralSubtree(DNSName("example.com")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { ByteString(), RFC822Name("a@example.com."),
+ GeneralSubtree(RFC822Name( "example.com")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { // The presented DNSName is the same length as the constraint, because the
+ // subdomain is only one character long and because the constraint both
+ // begins and ends with ".". But, it doesn't matter because absolute names
+ // are not allowed for DNSName constraints.
+ ByteString(), DNSName("p.example.com"),
+ GeneralSubtree(DNSName(".example.com.")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { // The presented DNSName is the same length as the constraint, because the
+ // subdomain is only one character long and because the constraint both
+ // begins and ends with ".".
+ ByteString(), RFC822Name("a@p.example.com"),
+ GeneralSubtree(RFC822Name( ".example.com.")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { // Same as previous test case, but using a wildcard presented ID.
+ ByteString(), DNSName("*.example.com"),
+ GeneralSubtree(DNSName(".example.com.")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // Same as previous test case, but using a wildcard presented ID, which is
+ // invalid in an RFC822Name.
+ ByteString(), RFC822Name("a@*.example.com"),
+ GeneralSubtree(RFC822Name( ".example.com.")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+
+ // Q: Are "" and "." valid DNSName constraints? If so, what do they mean?
+ { ByteString(), DNSName("example.com"),
+ GeneralSubtree(DNSName("")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), RFC822Name("a@example.com"),
+ GeneralSubtree(RFC822Name("")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // The malformed (absolute) presented ID does not match.
+ ByteString(), DNSName("example.com."),
+ GeneralSubtree(DNSName("")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("a@example.com."),
+ GeneralSubtree(RFC822Name("")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // Invalid syntax in name constraint
+ ByteString(), DNSName("example.com"),
+ GeneralSubtree(DNSName(".")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { // Invalid syntax in name constraint
+ ByteString(), RFC822Name("a@example.com"),
+ GeneralSubtree(RFC822Name(".")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+ },
+ { ByteString(), DNSName("example.com."),
+ GeneralSubtree(DNSName(".")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("a@example.com."),
+ GeneralSubtree(RFC822Name(".")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // Basic IP Address constraints (non-CN-ID)
+
+ // The Mozilla CA Policy says this means "no IPv4 addresses allowed."
+ { ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), IPAddress(ipv4_addr_00000000_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), IPAddress(ipv4_addr_FFFFFFFF_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+
+ // The Mozilla CA Policy says this means "no IPv6 addresses allowed."
+ { ByteString(), IPAddress(ipv6_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), IPAddress(ipv6_addr_all_zeros_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+
+ // RFC 5280 doesn't partition IP address constraints into separate IPv4 and
+ // IPv6 categories, so a IPv4 permittedSubtrees constraint excludes all IPv6
+ // addresses, and vice versa.
+ { ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { ByteString(), IPAddress(ipv6_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+
+ // IPv4 Subnets
+ { ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_CIDR_17_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), IPAddress(ipv4_other_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // XXX(bug 1089430): We don't reject this even though it is weird.
+ ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bad_addr_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // XXX(bug 1089430): We don't reject this even though it is weird.
+ ByteString(), IPAddress(ipv4_other_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_bad_mask_bytes)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+
+ // IPv6 Subnets
+ { ByteString(), IPAddress(ipv6_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), IPAddress(ipv6_other_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // XXX(bug 1089430): We don't reject this even though it is weird.
+ ByteString(), IPAddress(ipv6_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bad_addr_bytes)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // XXX(bug 1089430): We don't reject this even though it is weird.
+ ByteString(), IPAddress(ipv6_other_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_bad_mask_bytes)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+
+ // Malformed presented IP addresses and constraints
+
+ { // The presented IPv4 address is empty
+ ByteString(), IPAddress(),
+ GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv4 address is truncated
+ ByteString(), IPAddress(ipv4_addr_truncated_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv4 address is too long
+ ByteString(), IPAddress(ipv4_addr_overlong_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv4 constraint is empty
+ ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress()),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv4 constraint is truncated
+ ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv4 constraint is too long
+ ByteString(), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv6 address is empty
+ ByteString(), IPAddress(),
+ GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv6 address is truncated
+ ByteString(), IPAddress(ipv6_addr_truncated_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv6 address is too long
+ ByteString(), IPAddress(ipv6_addr_overlong_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv6 constraint is empty
+ ByteString(), IPAddress(ipv6_addr_bytes),
+ GeneralSubtree(IPAddress()),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv6 constraint is truncated
+ ByteString(), IPAddress(ipv6_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ { // The presented IPv6 constraint is too long
+ ByteString(), IPAddress(ipv6_addr_bytes),
+ GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // XXX: We don't reject malformed name constraints when there are no names of
+ // that type.
+ { ByteString(), NO_SAN, GeneralSubtree(DNSName("!")),
+ Success, Success
+ },
+ { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv4_addr_overlong_bytes)),
+ Success, Success
+ },
+ { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv6_addr_overlong_bytes)),
+ Success, Success
+ },
+ { ByteString(), NO_SAN, GeneralSubtree(RFC822Name("\0")),
+ Success, Success
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // Basic CN-ID DNSName constraint tests.
+
+ { // Empty Name is ignored for DNSName constraints.
+ ByteString(), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { // Empty CN is ignored for DNSName constraints because it isn't a
+ // syntactically-valid DNSName.
+ //
+ // NSS gives different results.
+ RDN(CN("")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { // IP Address is ignored for DNSName constraints.
+ //
+ // NSS gives different results.
+ RDN(CN("1.2.3.4")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { // OU has something that looks like a dNSName that matches.
+ RDN(OU("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { // OU has something that looks like a dNSName that does not match.
+ RDN(OU("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { // NSS gives different results.
+ RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // DNSName CN-ID match is detected when there is a SAN w/o any DNSName or
+ // IPAddress
+ RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+ GeneralSubtree(DNSName("a.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // DNSName CN-ID mismatch is detected when there is a SAN w/o any DNSName
+ // or IPAddress
+ RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+ GeneralSubtree(DNSName("b.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // DNSName CN-ID match not reported when there is a DNSName SAN
+ RDN(CN("a.example.com")), DNSName("b.example.com"),
+ GeneralSubtree(DNSName("a.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // DNSName CN-ID mismatch not reported when there is a DNSName SAN
+ RDN(CN("a.example.com")), DNSName("b.example.com"),
+ GeneralSubtree(DNSName("b.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+ },
+ { // DNSName CN-ID match not reported when there is an IPAddress SAN
+ RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { // DNSName CN-ID mismatch not reported when there is an IPAddress SAN
+ RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+ GeneralSubtree(DNSName("b.example.com")),
+ Success, Success
+ },
+
+ { // IPAddress CN-ID match is detected when there is a SAN w/o any DNSName or
+ // IPAddress
+ RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+ GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // IPAddress CN-ID mismatch is detected when there is a SAN w/o any DNSName
+ // or IPAddress
+ RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+ GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // IPAddress CN-ID match not reported when there is a DNSName SAN
+ RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+ GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+ Success, Success
+ },
+ { // IPAddress CN-ID mismatch not reported when there is a DNSName SAN
+ RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+ GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+ Success, Success
+ },
+ { // IPAddress CN-ID match not reported when there is an IPAddress SAN
+ RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // IPAddress CN-ID mismatch not reported when there is an IPAddress SAN
+ RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+ GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // Test that constraints are applied to the most specific (last) CN, and only
+ // that CN-ID.
+
+ { // Name constraint only matches a.example.com, but the most specific CN
+ // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.)
+ RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN,
+ GeneralSubtree(DNSName("a.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // Name constraint only matches a.example.com, but the most specific CN
+ // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.)
+ RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN,
+ GeneralSubtree(DNSName("a.example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+ },
+ { // Name constraint only permits b.example.com, and the most specific CN
+ // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.)
+ RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN,
+ GeneralSubtree(DNSName("b.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // Name constraint only permits b.example.com, and the most specific CN
+ // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.)
+ RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN,
+ GeneralSubtree(DNSName("b.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // Additional RFC822 name constraint tests. There are more tests regarding
+ // the DNSName part of the constraint mixed into the DNSName constraint
+ // tests.
+
+ { ByteString(), RFC822Name("a@example.com"),
+ GeneralSubtree(RFC822Name("a@example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+
+ // Bug 1056773: name constraints that omit Local-part but include '@' are
+ // invalid.
+ { ByteString(), RFC822Name("a@example.com"),
+ GeneralSubtree(RFC822Name("@example.com")),
+ Result::ERROR_BAD_DER,
+ Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("@example.com"),
+ GeneralSubtree(RFC822Name("@example.com")),
+ Result::ERROR_BAD_DER,
+ Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("example.com"),
+ GeneralSubtree(RFC822Name("@example.com")),
+ Result::ERROR_BAD_DER,
+ Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("a@mail.example.com"),
+ GeneralSubtree(RFC822Name("a@*.example.com")),
+ Result::ERROR_BAD_DER,
+ Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("a@*.example.com"),
+ GeneralSubtree(RFC822Name(".example.com")),
+ Result::ERROR_BAD_DER,
+ Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("@example.com"),
+ GeneralSubtree(RFC822Name(".example.com")),
+ Result::ERROR_BAD_DER,
+ Result::ERROR_BAD_DER
+ },
+ { ByteString(), RFC822Name("@a.example.com"),
+ GeneralSubtree(RFC822Name(".example.com")),
+ Result::ERROR_BAD_DER,
+ Result::ERROR_BAD_DER
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // Test name constraints with underscores.
+ //
+ { ByteString(), DNSName("uses_underscore.example.com"),
+ GeneralSubtree(DNSName("uses_underscore.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), DNSName("uses_underscore.example.com"),
+ GeneralSubtree(DNSName("example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), DNSName("a.uses_underscore.example.com"),
+ GeneralSubtree(DNSName("uses_underscore.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), RFC822Name("a@uses_underscore.example.com"),
+ GeneralSubtree(RFC822Name("uses_underscore.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), RFC822Name("uses_underscore@example.com"),
+ GeneralSubtree(RFC822Name("example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), RFC822Name("a@a.uses_underscore.example.com"),
+ GeneralSubtree(RFC822Name(".uses_underscore.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // Name constraint tests that relate to having an empty SAN. According to RFC
+ // 5280 this isn't valid, but we allow it for compatibility reasons (see bug
+ // 1143085).
+ { // For DNSNames, we fall back to the subject CN.
+ RDN(CN("a.example.com")), ByteString(),
+ GeneralSubtree(DNSName("a.example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // For RFC822Names, we do not fall back to the subject emailAddress.
+ // This new implementation seems to conform better to the standards for
+ // RFC822 name constraints, by only applying the name constraints to
+ // emailAddress names in the certificate subject if there is no
+ // subjectAltName extension in the cert.
+ // In this case, the presence of the (empty) SAN extension means that RFC822
+ // name constraints are not enforced on the emailAddress attributes of the
+ // subject.
+ RDN(emailAddress("a@example.com")), ByteString(),
+ GeneralSubtree(RFC822Name("a@example.com")),
+ Success, Success
+ },
+ { // Compare this to the case where there is no SAN (i.e. the name
+ // constraints are enforced, because the extension is not present at all).
+ RDN(emailAddress("a@example.com")), NO_SAN,
+ GeneralSubtree(RFC822Name("a@example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+
+ /////////////////////////////////////////////////////////////////////////////
+ // DirectoryName name constraint tests
+
+ { // One AVA per RDN
+ RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+ RDN(CN("example.com"))))),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // RDNs can have multiple AVAs.
+ RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+ CN("example.com"))))),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // The constraint is a prefix of the subject DN.
+ RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // The name constraint is not a prefix of the subject DN.
+ // Note that for excludedSubtrees, we simply prohibit any non-empty
+ // directoryName constraint to ensure we are not being too lenient.
+ RDN(OU("Other Example Organization")) + RDN(CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+ RDN(CN("example.com"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // Same as the previous one, but one RDN with multiple AVAs.
+ RDN(OU("Other Example Organization") + CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+ CN("example.com"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // With multiple AVAs per RDN in the subject DN, the constraint is not a
+ // prefix of the subject DN.
+ RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // The subject DN RDN has multiple AVAs, but the name constraint has only
+ // one AVA per RDN.
+ RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+ RDN(CN("example.com"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // The name constraint RDN has multiple AVAs, but the subject DN has only
+ // one AVA per RDN.
+ RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+ CN("example.com"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // In this case, the constraint uses a different encoding from the subject.
+ // We consider them to match because we allow UTF8String and
+ // PrintableString to compare equal when their contents are equal.
+ RDN(OU("Example Organization", der::UTF8String)) + RDN(CN("example.com")),
+ NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+ der::PrintableString)) +
+ RDN(CN("example.com"))))),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // Same as above, but with UTF8String/PrintableString switched.
+ RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")),
+ NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+ der::UTF8String)) +
+ RDN(CN("example.com"))))),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // If the contents aren't the same, then they shouldn't match.
+ RDN(OU("Other Example Organization", der::UTF8String)) + RDN(CN("example.com")),
+ NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+ der::PrintableString)) +
+ RDN(CN("example.com"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { // Only UTF8String and PrintableString are considered equivalent.
+ RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")),
+ NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+ der::TeletexString)) +
+ RDN(CN("example.com"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ // Some additional tests for completeness:
+ // Ensure that wildcards are handled:
+ { RDN(CN("*.example.com")), NO_SAN, GeneralSubtree(DNSName("example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), DNSName("*.example.com"),
+ GeneralSubtree(DNSName("example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), DNSName("www.example.com"),
+ GeneralSubtree(DNSName("*.example.com")),
+ Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+ },
+ // Handle multiple name constraint entries:
+ { RDN(CN("example.com")), NO_SAN,
+ GeneralSubtree(DNSName("example.org")) +
+ GeneralSubtree(DNSName("example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { ByteString(), DNSName("example.com"),
+ GeneralSubtree(DNSName("example.org")) +
+ GeneralSubtree(DNSName("example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ // Handle multiple names in subject alternative name extension:
+ { ByteString(), DNSName("example.com") + DNSName("example.org"),
+ GeneralSubtree(DNSName("example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ // Handle a mix of DNSName and DirectoryName:
+ { RDN(OU("Example Organization")), DNSName("example.com"),
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+ GeneralSubtree(DNSName("example.com")),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { RDN(OU("Other Example Organization")), DNSName("example.com"),
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+ GeneralSubtree(DNSName("example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ { RDN(OU("Example Organization")), DNSName("example.org"),
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+ GeneralSubtree(DNSName("example.com")),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ // Handle a certificate with no DirectoryName:
+ { ByteString(), DNSName("example.com"),
+ GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+};
+
+class pkixnames_CheckNameConstraints
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<NameConstraintParams>
+{
+public:
+ DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckNameConstraints,
+ NameConstraintsEnforcedForDirectlyIssuedEndEntity)
+{
+ // Test that name constraints are enforced on a certificate directly issued by
+ // a certificate with the given name constraints.
+
+ const NameConstraintParams& param(GetParam());
+
+ ByteString certDER(CreateCert(param.subject, param.subjectAltName));
+ ASSERT_FALSE(ENCODING_FAILED(certDER));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+ BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+ ASSERT_EQ(Success, cert.Init());
+
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ PermittedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedPermittedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_serverAuth));
+ }
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ ExcludedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedExcludedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_serverAuth));
+ }
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ PermittedSubtrees(param.subtrees) +
+ ExcludedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ((param.expectedPermittedSubtreesResult ==
+ param.expectedExcludedSubtreesResult)
+ ? param.expectedExcludedSubtreesResult
+ : Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_serverAuth));
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraints,
+ pkixnames_CheckNameConstraints,
+ testing::ValuesIn(NAME_CONSTRAINT_PARAMS));
+
+// The |subjectAltName| param is not used for these test cases (hence the use of
+// "NO_SAN").
+static const NameConstraintParams NO_FALLBACK_NAME_CONSTRAINT_PARAMS[] =
+{
+ // The only difference between end-entities being verified for serverAuth and
+ // intermediates or end-entities being verified for other uses is that for
+ // the latter cases, there is no fallback matching of DNSName entries to the
+ // subject common name.
+ { RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+ Success, Success
+ },
+ // Sanity-check that name constraints are in fact enforced in these cases.
+ { RDN(CN("Example Name")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+ Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+ // (In this implementation, if a DirectoryName is in excludedSubtrees, nothing
+ // is considered to be in the name space.)
+ { RDN(CN("Other Example Name")), NO_SAN,
+ GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+ Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+ },
+};
+
+class pkixnames_CheckNameConstraintsOnIntermediate
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsOnIntermediate,
+ NameConstraintsEnforcedOnIntermediate)
+{
+ // Test that name constraints are enforced on an intermediate certificate
+ // directly issued by a certificate with the given name constraints.
+
+ const NameConstraintParams& param(GetParam());
+
+ ByteString certDER(CreateCert(param.subject, NO_SAN,
+ EndEntityOrCA::MustBeCA));
+ ASSERT_FALSE(ENCODING_FAILED(certDER));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+ BackCert cert(certInput, EndEntityOrCA::MustBeCA, nullptr);
+ ASSERT_EQ(Success, cert.Init());
+
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ PermittedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedPermittedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_serverAuth));
+ }
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ ExcludedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedExcludedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_serverAuth));
+ }
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ PermittedSubtrees(param.subtrees) +
+ ExcludedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedExcludedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_serverAuth));
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsOnIntermediate,
+ pkixnames_CheckNameConstraintsOnIntermediate,
+ testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));
+
+class pkixnames_CheckNameConstraintsForNonServerAuthUsage
+ : public ::testing::Test
+ , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+ NameConstraintsEnforcedForNonServerAuthUsage)
+{
+ // Test that for key purposes other than serverAuth, fallback to the subject
+ // common name does not occur.
+
+ const NameConstraintParams& param(GetParam());
+
+ ByteString certDER(CreateCert(param.subject, NO_SAN));
+ ASSERT_FALSE(ENCODING_FAILED(certDER));
+ Input certInput;
+ ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+ BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+ ASSERT_EQ(Success, cert.Init());
+
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ PermittedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedPermittedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_clientAuth));
+ }
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ ExcludedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedExcludedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_clientAuth));
+ }
+ {
+ ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+ PermittedSubtrees(param.subtrees) +
+ ExcludedSubtrees(param.subtrees)));
+ Input nameConstraints;
+ ASSERT_EQ(Success,
+ nameConstraints.Init(nameConstraintsDER.data(),
+ nameConstraintsDER.length()));
+ ASSERT_EQ(param.expectedExcludedSubtreesResult,
+ CheckNameConstraints(nameConstraints, cert,
+ KeyPurposeId::id_kp_clientAuth));
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+ pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+ testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));
diff --git a/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp b/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
new file mode 100644
index 000000000..ffc987c86
--- /dev/null
+++ b/security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -0,0 +1,145 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+#include "pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+class CreateEncodedOCSPRequestTrustDomain final
+ : public EverythingFailsByDefaultTrustDomain
+{
+private:
+ Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+ /*out*/ uint8_t *digestBuf, size_t digestBufLen)
+ override
+ {
+ return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
+ }
+
+ Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
+ override
+ {
+ return Success;
+ }
+};
+
+class pkixocsp_CreateEncodedOCSPRequest : public ::testing::Test
+{
+protected:
+ void MakeIssuerCertIDComponents(const char* issuerASCII,
+ /*out*/ ByteString& issuerDER,
+ /*out*/ ByteString& issuerSPKI)
+ {
+ issuerDER = CNToDERName(issuerASCII);
+ ASSERT_FALSE(ENCODING_FAILED(issuerDER));
+
+ ScopedTestKeyPair keyPair(GenerateKeyPair());
+ ASSERT_TRUE(keyPair.get());
+ issuerSPKI = keyPair->subjectPublicKeyInfo;
+ }
+
+ CreateEncodedOCSPRequestTrustDomain trustDomain;
+};
+
+// Test that the large length of the child serial number causes
+// CreateEncodedOCSPRequest to fail.
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest)
+{
+ static const uint8_t UNSUPPORTED_LEN = 128; // must be larger than 127
+
+ ByteString serialNumberString;
+ // tag + length + value is 1 + 2 + UNSUPPORTED_LEN
+ // Encoding the length takes two bytes: one byte to indicate that a
+ // second byte follows, and the second byte to indicate the length.
+ serialNumberString.push_back(0x80 + 1);
+ serialNumberString.push_back(UNSUPPORTED_LEN);
+ // value is 0x010000...00
+ serialNumberString.push_back(0x01);
+ for (size_t i = 1; i < UNSUPPORTED_LEN; ++i) {
+ serialNumberString.push_back(0x00);
+ }
+
+ ByteString issuerDER;
+ ByteString issuerSPKI;
+ ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+ issuerSPKI));
+
+ Input issuer;
+ ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+ Input spki;
+ ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+ Input serialNumber;
+ ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+ serialNumberString.length()));
+
+ uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+ size_t ocspRequestLength;
+ ASSERT_EQ(Result::ERROR_BAD_DER,
+ CreateEncodedOCSPRequest(trustDomain,
+ CertID(issuer, spki, serialNumber),
+ ocspRequest, ocspRequestLength));
+}
+
+// Test that CreateEncodedOCSPRequest handles the longest serial number that
+// it's required to support (i.e. 20 octets).
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, LongestSupportedSerialNumberTest)
+{
+ static const uint8_t LONGEST_REQUIRED_LEN = 20;
+
+ ByteString serialNumberString;
+ // tag + length + value is 1 + 1 + LONGEST_REQUIRED_LEN
+ serialNumberString.push_back(der::INTEGER);
+ serialNumberString.push_back(LONGEST_REQUIRED_LEN);
+ serialNumberString.push_back(0x01);
+ // value is 0x010000...00
+ for (size_t i = 1; i < LONGEST_REQUIRED_LEN; ++i) {
+ serialNumberString.push_back(0x00);
+ }
+
+ ByteString issuerDER;
+ ByteString issuerSPKI;
+ ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+ issuerSPKI));
+
+ Input issuer;
+ ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+ Input spki;
+ ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+ Input serialNumber;
+ ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+ serialNumberString.length()));
+
+ uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+ size_t ocspRequestLength;
+ ASSERT_EQ(Success,
+ CreateEncodedOCSPRequest(trustDomain,
+ CertID(issuer, spki, serialNumber),
+ ocspRequest, ocspRequestLength));
+}
diff --git a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
new file mode 100644
index 000000000..d7dab09d9
--- /dev/null
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -0,0 +1,1046 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixder.h"
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+const uint16_t END_ENTITY_MAX_LIFETIME_IN_DAYS = 10;
+
+// Note that CheckRevocation is never called for OCSP signing certificates.
+class OCSPTestTrustDomain : public DefaultCryptoTrustDomain
+{
+public:
+ OCSPTestTrustDomain() { }
+
+ Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
+ Input, /*out*/ TrustLevel& trustLevel)
+ /*non-final*/ override
+ {
+ EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
+ trustLevel = TrustLevel::InheritsTrust;
+ return Success;
+ }
+
+ virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+ Input extensionData) override
+ {
+ if (extension == AuxiliaryExtension::SCTListFromOCSPResponse) {
+ signedCertificateTimestamps = InputToByteString(extensionData);
+ } else {
+ // We do not currently expect to receive any other extension here.
+ ADD_FAILURE();
+ }
+ }
+
+ ByteString signedCertificateTimestamps;
+};
+
+namespace {
+char const* const rootName = "Test CA 1";
+void deleteCertID(CertID* certID) { delete certID; }
+} // namespace
+
+class pkixocsp_VerifyEncodedResponse : public ::testing::Test
+{
+public:
+ static void SetUpTestCase()
+ {
+ rootKeyPair.reset(GenerateKeyPair());
+ if (!rootKeyPair) {
+ abort();
+ }
+ }
+
+ void SetUp()
+ {
+ rootNameDER = CNToDERName(rootName);
+ if (ENCODING_FAILED(rootNameDER)) {
+ abort();
+ }
+ Input rootNameDERInput;
+ if (rootNameDERInput.Init(rootNameDER.data(), rootNameDER.length())
+ != Success) {
+ abort();
+ }
+
+ serialNumberDER =
+ CreateEncodedSerialNumber(static_cast<long>(++rootIssuedCount));
+ if (ENCODING_FAILED(serialNumberDER)) {
+ abort();
+ }
+ Input serialNumberDERInput;
+ if (serialNumberDERInput.Init(serialNumberDER.data(),
+ serialNumberDER.length()) != Success) {
+ abort();
+ }
+
+ Input rootSPKIDER;
+ if (rootSPKIDER.Init(rootKeyPair->subjectPublicKeyInfo.data(),
+ rootKeyPair->subjectPublicKeyInfo.length())
+ != Success) {
+ abort();
+ }
+ endEntityCertID.reset(new (std::nothrow) CertID(rootNameDERInput, rootSPKIDER,
+ serialNumberDERInput));
+ if (!endEntityCertID) {
+ abort();
+ }
+ }
+
+ static ScopedTestKeyPair rootKeyPair;
+ static uint32_t rootIssuedCount;
+ OCSPTestTrustDomain trustDomain;
+
+ // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
+ ByteString rootNameDER;
+ ByteString serialNumberDER;
+ // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
+ ScopedPtr<CertID, deleteCertID> endEntityCertID;
+};
+
+/*static*/ ScopedTestKeyPair pkixocsp_VerifyEncodedResponse::rootKeyPair;
+/*static*/ uint32_t pkixocsp_VerifyEncodedResponse::rootIssuedCount = 0;
+
+///////////////////////////////////////////////////////////////////////////////
+// responseStatus
+
+struct WithoutResponseBytes
+{
+ uint8_t responseStatus;
+ Result expectedError;
+};
+
+static const WithoutResponseBytes WITHOUT_RESPONSEBYTES[] = {
+ { OCSPResponseContext::successful, Result::ERROR_OCSP_MALFORMED_RESPONSE },
+ { OCSPResponseContext::malformedRequest, Result::ERROR_OCSP_MALFORMED_REQUEST },
+ { OCSPResponseContext::internalError, Result::ERROR_OCSP_SERVER_ERROR },
+ { OCSPResponseContext::tryLater, Result::ERROR_OCSP_TRY_SERVER_LATER },
+ { 4/*unused*/, Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS },
+ { OCSPResponseContext::sigRequired, Result::ERROR_OCSP_REQUEST_NEEDS_SIG },
+ { OCSPResponseContext::unauthorized, Result::ERROR_OCSP_UNAUTHORIZED_REQUEST },
+ { OCSPResponseContext::unauthorized + 1,
+ Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+ },
+};
+
+class pkixocsp_VerifyEncodedResponse_WithoutResponseBytes
+ : public pkixocsp_VerifyEncodedResponse
+ , public ::testing::WithParamInterface<WithoutResponseBytes>
+{
+protected:
+ ByteString CreateEncodedOCSPErrorResponse(uint8_t status)
+ {
+ static const Input EMPTY;
+ OCSPResponseContext context(CertID(EMPTY, EMPTY, EMPTY),
+ oneDayBeforeNow);
+ context.responseStatus = status;
+ context.skipResponseBytes = true;
+ return CreateEncodedOCSPResponse(context);
+ }
+};
+
+TEST_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes, CorrectErrorCode)
+{
+ ByteString
+ responseString(CreateEncodedOCSPErrorResponse(GetParam().responseStatus));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(GetParam().expectedError,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes,
+ pkixocsp_VerifyEncodedResponse_WithoutResponseBytes,
+ testing::ValuesIn(WITHOUT_RESPONSEBYTES));
+
+///////////////////////////////////////////////////////////////////////////////
+// "successful" responses
+
+namespace {
+
+// Alias for nullptr to aid readability in the code below.
+static const char* byKey = nullptr;
+
+} // namespace
+
+class pkixocsp_VerifyEncodedResponse_successful
+ : public pkixocsp_VerifyEncodedResponse
+{
+public:
+ void SetUp()
+ {
+ pkixocsp_VerifyEncodedResponse::SetUp();
+ }
+
+ static void SetUpTestCase()
+ {
+ pkixocsp_VerifyEncodedResponse::SetUpTestCase();
+ }
+
+ ByteString CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::CertStatus certStatus,
+ const CertID& certID,
+ /*optional*/ const char* signerName,
+ const TestKeyPair& signerKeyPair,
+ time_t producedAt, time_t thisUpdate,
+ /*optional*/ const time_t* nextUpdate,
+ const TestSignatureAlgorithm& signatureAlgorithm,
+ /*optional*/ const ByteString* certs = nullptr,
+ /*optional*/ OCSPResponseExtension* singleExtensions = nullptr,
+ /*optional*/ OCSPResponseExtension* responseExtensions = nullptr)
+ {
+ OCSPResponseContext context(certID, producedAt);
+ if (signerName) {
+ context.signerNameDER = CNToDERName(signerName);
+ EXPECT_FALSE(ENCODING_FAILED(context.signerNameDER));
+ }
+ context.signerKeyPair.reset(signerKeyPair.Clone());
+ EXPECT_TRUE(context.signerKeyPair.get());
+ context.responseStatus = OCSPResponseContext::successful;
+ context.producedAt = producedAt;
+ context.signatureAlgorithm = signatureAlgorithm;
+ context.certs = certs;
+ context.singleExtensions = singleExtensions;
+ context.responseExtensions = responseExtensions;
+
+ context.certStatus = static_cast<uint8_t>(certStatus);
+ context.thisUpdate = thisUpdate;
+ context.nextUpdate = nextUpdate ? *nextUpdate : 0;
+ context.includeNextUpdate = nextUpdate != nullptr;
+
+ return CreateEncodedOCSPResponse(context);
+ }
+};
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey)
+{
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID, byKey,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+ Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byName)
+{
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID, rootName,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey_without_nextUpdate)
+{
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID, byKey,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, nullptr,
+ sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, revoked)
+{
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::revoked, *endEntityCertID, byKey,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
+{
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::unknown, *endEntityCertID, byKey,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful,
+ good_unsupportedSignatureAlgorithm)
+{
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID, byKey,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ md5WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+ Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+// Added for bug 1079436. The output variable validThrough represents the
+// latest time for which VerifyEncodedOCSPResponse will succeed, which is
+// different from the nextUpdate time in the OCSP response due to the slop we
+// add for time comparisons to deal with clock skew.
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, check_validThrough)
+{
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID, byKey,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption()));
+ Time validThrough(Time::uninitialized);
+ {
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+ Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired, nullptr,
+ &validThrough));
+ ASSERT_FALSE(expired);
+ // The response was created to be valid until one day after now, so the
+ // value we got for validThrough should be after that.
+ Time oneDayAfterNowAsPKIXTime(
+ TimeFromEpochInSeconds(static_cast<uint64_t>(oneDayAfterNow)));
+ ASSERT_TRUE(validThrough > oneDayAfterNowAsPKIXTime);
+ }
+ {
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ // Given validThrough from a previous verification, this response should be
+ // valid through that time.
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+ validThrough, END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+ }
+ {
+ Time noLongerValid(validThrough);
+ ASSERT_EQ(Success, noLongerValid.AddSeconds(1));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ // The verification time is now after when the response will be considered
+ // valid.
+ ASSERT_EQ(Result::ERROR_OCSP_OLD_RESPONSE,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+ noLongerValid, END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_TRUE(expired);
+ }
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, ct_extension)
+{
+ // python DottedOIDToCode.py --tlv
+ // id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5
+ static const uint8_t tlv_id_ocsp_singleExtensionSctList[] = {
+ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05
+ };
+ static const uint8_t dummySctList[] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05
+ };
+
+ OCSPResponseExtension ctExtension;
+ ctExtension.id = BytesToByteString(tlv_id_ocsp_singleExtensionSctList);
+ // SignedCertificateTimestampList structure is encoded as an OCTET STRING
+ // within the extension value (see RFC 6962 section 3.3).
+ // pkix decodes it internally and returns the actual structure.
+ ctExtension.value = TLV(der::OCTET_STRING, BytesToByteString(dummySctList));
+
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID, byKey,
+ *rootKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption(),
+ /*certs*/ nullptr,
+ &ctExtension));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+ Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+ ASSERT_EQ(BytesToByteString(dummySctList),
+ trustDomain.signedCertificateTimestamps);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// indirect responses (signed by a delegated OCSP responder cert)
+
+class pkixocsp_VerifyEncodedResponse_DelegatedResponder
+ : public pkixocsp_VerifyEncodedResponse_successful
+{
+protected:
+ // certSubjectName should be unique for each call. This way, we avoid any
+ // issues with NSS caching the certificates internally. For the same reason,
+ // we generate a new keypair on each call. Either one of these should be
+ // sufficient to avoid issues with the NSS cache, but we do both to be
+ // cautious.
+ //
+ // signerName should be byKey to use the byKey ResponderID construction, or
+ // another value (usually equal to certSubjectName) to use the byName
+ // ResponderID construction.
+ //
+ // certSignatureAlgorithm specifies the signature algorithm that the
+ // certificate will be signed with, not the OCSP response.
+ //
+ // If signerEKU is omitted, then the certificate will have the
+ // id-kp-OCSPSigning EKU. If signerEKU is SEC_OID_UNKNOWN then it will not
+ // have any EKU extension. Otherwise, the certificate will have the given
+ // EKU.
+ ByteString CreateEncodedIndirectOCSPSuccessfulResponse(
+ const char* certSubjectName,
+ OCSPResponseContext::CertStatus certStatus,
+ const char* signerName,
+ const TestSignatureAlgorithm& certSignatureAlgorithm,
+ /*optional*/ const Input* signerEKUDER = &OCSPSigningEKUDER,
+ /*optional, out*/ ByteString* signerDEROut = nullptr)
+ {
+ assert(certSubjectName);
+
+ const ByteString extensions[] = {
+ signerEKUDER
+ ? CreateEncodedEKUExtension(*signerEKUDER, Critical::No)
+ : ByteString(),
+ ByteString()
+ };
+ ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+ ByteString signerDER(CreateEncodedCertificate(
+ ++rootIssuedCount, certSignatureAlgorithm,
+ rootName, oneDayBeforeNow, oneDayAfterNow,
+ certSubjectName, *signerKeyPair,
+ signerEKUDER ? extensions : nullptr,
+ *rootKeyPair));
+ EXPECT_FALSE(ENCODING_FAILED(signerDER));
+ if (signerDEROut) {
+ *signerDEROut = signerDER;
+ }
+
+ ByteString signerNameDER;
+ if (signerName) {
+ signerNameDER = CNToDERName(signerName);
+ EXPECT_FALSE(ENCODING_FAILED(signerNameDER));
+ }
+ ByteString certs[] = { signerDER, ByteString() };
+ return CreateEncodedOCSPSuccessfulResponse(certStatus, *endEntityCertID,
+ signerName, *signerKeyPair,
+ oneDayBeforeNow,
+ oneDayBeforeNow,
+ &oneDayAfterNow,
+ sha256WithRSAEncryption(),
+ certs);
+ }
+
+ static ByteString CreateEncodedCertificate(uint32_t serialNumber,
+ const TestSignatureAlgorithm& signatureAlg,
+ const char* issuer,
+ time_t notBefore,
+ time_t notAfter,
+ const char* subject,
+ const TestKeyPair& subjectKeyPair,
+ /*optional*/ const ByteString* extensions,
+ const TestKeyPair& signerKeyPair)
+ {
+ ByteString serialNumberDER(CreateEncodedSerialNumber(
+ static_cast<long>(serialNumber)));
+ if (ENCODING_FAILED(serialNumberDER)) {
+ return ByteString();
+ }
+ ByteString issuerDER(CNToDERName(issuer));
+ if (ENCODING_FAILED(issuerDER)) {
+ return ByteString();
+ }
+ ByteString subjectDER(CNToDERName(subject));
+ if (ENCODING_FAILED(subjectDER)) {
+ return ByteString();
+ }
+ return ::mozilla::pkix::test::CreateEncodedCertificate(
+ v3, signatureAlg, serialNumberDER,
+ issuerDER, notBefore, notAfter,
+ subjectDER, subjectKeyPair, extensions,
+ signerKeyPair, signatureAlg);
+ }
+
+ static const Input OCSPSigningEKUDER;
+};
+
+/*static*/ const Input pkixocsp_VerifyEncodedResponse_DelegatedResponder::
+ OCSPSigningEKUDER(tlv_id_kp_OCSPSigning);
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byKey)
+{
+ ByteString responseString(
+ CreateEncodedIndirectOCSPSuccessfulResponse(
+ "good_indirect_byKey", OCSPResponseContext::good,
+ byKey, sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byName)
+{
+ ByteString responseString(
+ CreateEncodedIndirectOCSPSuccessfulResponse(
+ "good_indirect_byName", OCSPResponseContext::good,
+ "good_indirect_byName", sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+ good_byKey_missing_signer)
+{
+ ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
+ ASSERT_TRUE(missingSignerKeyPair.get());
+
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID, byKey,
+ *missingSignerKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, nullptr,
+ sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+ good_byName_missing_signer)
+{
+ ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
+ ASSERT_TRUE(missingSignerKeyPair.get());
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID,
+ "missing", *missingSignerKeyPair,
+ oneDayBeforeNow, oneDayBeforeNow, nullptr,
+ sha256WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_expired)
+{
+ static const char* signerName = "good_indirect_expired";
+
+ const ByteString extensions[] = {
+ CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+ ByteString()
+ };
+
+ ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+ ByteString signerDER(CreateEncodedCertificate(
+ ++rootIssuedCount, sha256WithRSAEncryption(),
+ rootName,
+ tenDaysBeforeNow,
+ twoDaysBeforeNow,
+ signerName, *signerKeyPair, extensions,
+ *rootKeyPair));
+ ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+ ByteString certs[] = { signerDER, ByteString() };
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID,
+ signerName, *signerKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption(), certs));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_future)
+{
+ static const char* signerName = "good_indirect_future";
+
+ const ByteString extensions[] = {
+ CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+ ByteString()
+ };
+
+ ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+ ByteString signerDER(CreateEncodedCertificate(
+ ++rootIssuedCount, sha256WithRSAEncryption(),
+ rootName,
+ twoDaysAfterNow,
+ tenDaysAfterNow,
+ signerName, *signerKeyPair, extensions,
+ *rootKeyPair));
+ ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+ ByteString certs[] = { signerDER, ByteString() };
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID,
+ signerName, *signerKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption(), certs));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_no_eku)
+{
+ ByteString responseString(
+ CreateEncodedIndirectOCSPSuccessfulResponse(
+ "good_indirect_wrong_eku",
+ OCSPResponseContext::good, byKey,
+ sha256WithRSAEncryption(), nullptr));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+static const Input serverAuthEKUDER(tlv_id_kp_serverAuth);
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+ good_indirect_wrong_eku)
+{
+ ByteString responseString(
+ CreateEncodedIndirectOCSPSuccessfulResponse(
+ "good_indirect_wrong_eku",
+ OCSPResponseContext::good, byKey,
+ sha256WithRSAEncryption(), &serverAuthEKUDER));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+// Test that signature of OCSP response signer cert is verified
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_tampered_eku)
+{
+ ByteString tamperedResponse(
+ CreateEncodedIndirectOCSPSuccessfulResponse(
+ "good_indirect_tampered_eku",
+ OCSPResponseContext::good, byKey,
+ sha256WithRSAEncryption(), &serverAuthEKUDER));
+ ASSERT_EQ(Success,
+ TamperOnce(tamperedResponse,
+ ByteString(tlv_id_kp_serverAuth,
+ sizeof(tlv_id_kp_serverAuth)),
+ ByteString(tlv_id_kp_OCSPSigning,
+ sizeof(tlv_id_kp_OCSPSigning))));
+ Input tamperedResponseInput;
+ ASSERT_EQ(Success, tamperedResponseInput.Init(tamperedResponse.data(),
+ tamperedResponse.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ tamperedResponseInput, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_unknown_issuer)
+{
+ static const char* subCAName = "good_indirect_unknown_issuer sub-CA";
+ static const char* signerName = "good_indirect_unknown_issuer OCSP signer";
+
+ // unknown issuer
+ ScopedTestKeyPair unknownKeyPair(GenerateKeyPair());
+ ASSERT_TRUE(unknownKeyPair.get());
+
+ // Delegated responder cert signed by unknown issuer
+ const ByteString extensions[] = {
+ CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+ ByteString()
+ };
+ ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+ ByteString signerDER(CreateEncodedCertificate(
+ 1, sha256WithRSAEncryption(), subCAName,
+ oneDayBeforeNow, oneDayAfterNow, signerName,
+ *signerKeyPair, extensions, *unknownKeyPair));
+ ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+ // OCSP response signed by that delegated responder
+ ByteString certs[] = { signerDER, ByteString() };
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID,
+ signerName, *signerKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption(), certs));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+// The CA that issued the OCSP responder cert is a sub-CA of the issuer of
+// the certificate that the OCSP response is for. That sub-CA cert is included
+// in the OCSP response before the OCSP responder cert.
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+ good_indirect_subca_1_first)
+{
+ static const char* subCAName = "good_indirect_subca_1_first sub-CA";
+ static const char* signerName = "good_indirect_subca_1_first OCSP signer";
+
+ // sub-CA of root (root is the direct issuer of endEntity)
+ const ByteString subCAExtensions[] = {
+ CreateEncodedBasicConstraints(true, 0, Critical::No),
+ ByteString()
+ };
+ ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
+ ByteString subCADER(CreateEncodedCertificate(
+ ++rootIssuedCount, sha256WithRSAEncryption(), rootName,
+ oneDayBeforeNow, oneDayAfterNow, subCAName,
+ *subCAKeyPair, subCAExtensions, *rootKeyPair));
+ ASSERT_FALSE(ENCODING_FAILED(subCADER));
+
+ // Delegated responder cert signed by that sub-CA
+ const ByteString extensions[] = {
+ CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+ ByteString(),
+ };
+ ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+ ByteString signerDER(CreateEncodedCertificate(
+ 1, sha256WithRSAEncryption(), subCAName,
+ oneDayBeforeNow, oneDayAfterNow, signerName,
+ *signerKeyPair, extensions, *subCAKeyPair));
+ ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+ // OCSP response signed by the delegated responder issued by the sub-CA
+ // that is trying to impersonate the root.
+ ByteString certs[] = { subCADER, signerDER, ByteString() };
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID,
+ signerName, *signerKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption(), certs));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+// The CA that issued the OCSP responder cert is a sub-CA of the issuer of
+// the certificate that the OCSP response is for. That sub-CA cert is included
+// in the OCSP response after the OCSP responder cert.
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+ good_indirect_subca_1_second)
+{
+ static const char* subCAName = "good_indirect_subca_1_second sub-CA";
+ static const char* signerName = "good_indirect_subca_1_second OCSP signer";
+
+ // sub-CA of root (root is the direct issuer of endEntity)
+ const ByteString subCAExtensions[] = {
+ CreateEncodedBasicConstraints(true, 0, Critical::No),
+ ByteString()
+ };
+ ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
+ ByteString subCADER(CreateEncodedCertificate(++rootIssuedCount,
+ sha256WithRSAEncryption(),
+ rootName,
+ oneDayBeforeNow, oneDayAfterNow,
+ subCAName, *subCAKeyPair,
+ subCAExtensions, *rootKeyPair));
+ ASSERT_FALSE(ENCODING_FAILED(subCADER));
+
+ // Delegated responder cert signed by that sub-CA
+ const ByteString extensions[] = {
+ CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+ ByteString()
+ };
+ ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+ ByteString signerDER(CreateEncodedCertificate(
+ 1, sha256WithRSAEncryption(), subCAName,
+ oneDayBeforeNow, oneDayAfterNow, signerName,
+ *signerKeyPair, extensions, *subCAKeyPair));
+ ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+ // OCSP response signed by the delegated responder issued by the sub-CA
+ // that is trying to impersonate the root.
+ ByteString certs[] = { signerDER, subCADER, ByteString() };
+ ByteString responseString(
+ CreateEncodedOCSPSuccessfulResponse(
+ OCSPResponseContext::good, *endEntityCertID,
+ signerName, *signerKeyPair, oneDayBeforeNow,
+ oneDayBeforeNow, &oneDayAfterNow,
+ sha256WithRSAEncryption(), certs));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+ good_unsupportedSignatureAlgorithmOnResponder)
+{
+ // Note that the algorithm ID (md5WithRSAEncryption) identifies the signature
+ // algorithm that will be used to sign the certificate that issues the OCSP
+ // responses, not the responses themselves.
+ ByteString responseString(
+ CreateEncodedIndirectOCSPSuccessfulResponse(
+ "good_indirect_unsupportedSignatureAlgorithm",
+ OCSPResponseContext::good, byKey,
+ md5WithRSAEncryption()));
+ Input response;
+ ASSERT_EQ(Success,
+ response.Init(responseString.data(), responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+}
+
+class pkixocsp_VerifyEncodedResponse_GetCertTrust
+ : public pkixocsp_VerifyEncodedResponse_DelegatedResponder {
+public:
+ void SetUp()
+ {
+ pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
+
+ responseString =
+ CreateEncodedIndirectOCSPSuccessfulResponse(
+ "OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
+ byKey, sha256WithRSAEncryption(), &OCSPSigningEKUDER,
+ &signerCertDER);
+ if (ENCODING_FAILED(responseString)) {
+ abort();
+ }
+ if (response.Init(responseString.data(), responseString.length())
+ != Success) {
+ abort();
+ }
+ if (signerCertDER.length() == 0) {
+ abort();
+ }
+ }
+
+ class TrustDomain final : public OCSPTestTrustDomain
+ {
+ public:
+ TrustDomain()
+ : certTrustLevel(TrustLevel::InheritsTrust)
+ {
+ }
+
+ bool SetCertTrust(const ByteString& certDER, TrustLevel certTrustLevel)
+ {
+ this->certDER = certDER;
+ this->certTrustLevel = certTrustLevel;
+ return true;
+ }
+ private:
+ Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
+ Input candidateCert, /*out*/ TrustLevel& trustLevel)
+ override
+ {
+ EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
+ EXPECT_FALSE(certDER.empty());
+ Input certDERInput;
+ EXPECT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+ EXPECT_TRUE(InputsAreEqual(certDERInput, candidateCert));
+ trustLevel = certTrustLevel;
+ return Success;
+ }
+
+ ByteString certDER;
+ TrustLevel certTrustLevel;
+ };
+
+ TrustDomain trustDomain;
+ ByteString signerCertDER;
+ ByteString responseString;
+ Input response; // references data in responseString
+};
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, InheritTrust)
+{
+ ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+ TrustLevel::InheritsTrust));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, TrustAnchor)
+{
+ ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+ TrustLevel::TrustAnchor));
+ bool expired;
+ ASSERT_EQ(Success,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ response, expired));
+ ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, ActivelyDistrusted)
+{
+ ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+ TrustLevel::ActivelyDistrusted));
+ Input responseInput;
+ ASSERT_EQ(Success,
+ responseInput.Init(responseString.data(),
+ responseString.length()));
+ bool expired;
+ ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+ VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+ END_ENTITY_MAX_LIFETIME_IN_DAYS,
+ responseInput, expired));
+ ASSERT_FALSE(expired);
+}
diff --git a/security/pkix/test/lib/moz.build b/security/pkix/test/lib/moz.build
new file mode 100644
index 000000000..c99aedf3a
--- /dev/null
+++ b/security/pkix/test/lib/moz.build
@@ -0,0 +1,39 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# This code is made available to you under your choice of the following sets
+# of licensing terms:
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Copyright 2013 Mozilla Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SOURCES += [
+ 'pkixtestalg.cpp',
+ 'pkixtestnss.cpp',
+ 'pkixtestutil.cpp',
+]
+
+Library('pkixtestutil')
+
+LOCAL_INCLUDES += [
+ '../../include',
+ '../../lib',
+]
+
+FINAL_LIBRARY = 'xul-gtest'
+
+if CONFIG['GNU_CXX']:
+ CXXFLAGS += ['-Wno-error=shadow']
diff --git a/security/pkix/test/lib/pkixtestalg.cpp b/security/pkix/test/lib/pkixtestalg.cpp
new file mode 100644
index 000000000..a19fd26f3
--- /dev/null
+++ b/security/pkix/test/lib/pkixtestalg.cpp
@@ -0,0 +1,210 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixtestutil.h"
+
+#include "pkixder.h"
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10040 1.2.840.10040
+#define PREFIX_1_2_840_10040 0x2a, 0x86, 0x48, 0xce, 0x38
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10045 1.2.840.10045
+#define PREFIX_1_2_840_10045 0x2a, 0x86, 0x48, 0xce, 0x3d
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_113549 1.2.840.113549
+#define PREFIX_1_2_840_113549 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+enum class NULLParam { NO, YES };
+
+template <size_t SIZE>
+ByteString
+OID(const uint8_t (&rawValue)[SIZE])
+{
+ return TLV(der::OIDTag, ByteString(rawValue, SIZE));
+}
+
+template <size_t SIZE>
+ByteString
+SimpleAlgID(const uint8_t (&rawValue)[SIZE],
+ NULLParam nullParam = NULLParam::NO)
+{
+ ByteString sequenceValue(OID(rawValue));
+ if (nullParam == NULLParam::YES) {
+ sequenceValue.append(TLV(der::NULLTag, ByteString()));
+ }
+ return TLV(der::SEQUENCE, sequenceValue);
+}
+
+template <size_t SIZE>
+ByteString
+DERInteger(const uint8_t (&rawValue)[SIZE])
+{
+ ByteString value(rawValue, SIZE);
+ if (value[0] & 0x80u) {
+ // Prefix with a leading zero to disambiguate this from a negative value.
+ value.insert(value.begin(), 0x00);
+ }
+ return TLV(der::INTEGER, value);
+}
+
+// Generated with "openssl dsaparam -C -noout 2048" and reformatted.
+// openssl 1.0 or later must be used so that a 256-bit Q value is
+// generated.
+static const uint8_t DSS_P_RAW[] =
+{
+ 0xB3,0xCD,0x29,0x44,0xF0,0x25,0xA7,0x73,0xFC,0x86,0x70,0xA2,
+ 0x69,0x5A,0x97,0x3F,0xBD,0x1C,0x6F,0xAA,0x4A,0x40,0x42,0x8E,
+ 0xCF,0xAE,0x62,0x12,0xED,0xB4,0xFD,0x05,0xC2,0xAE,0xB1,0x8C,
+ 0xFC,0xBE,0x38,0x90,0xBB,0x7C,0xFF,0x16,0xF4,0xED,0xCE,0x72,
+ 0x12,0x93,0x83,0xF0,0xA4,0xA1,0x71,0xDC,0x4B,0xF0,0x4E,0x3A,
+ 0x2B,0xFA,0x17,0xB7,0xB3,0x2A,0xCC,0x2C,0xD3,0xC8,0x21,0x49,
+ 0x7A,0x83,0x71,0x8B,0x3D,0x62,0x96,0xDC,0xAD,0xA8,0x03,0xBE,
+ 0x1D,0x33,0x11,0xF3,0xEB,0xD8,0x1B,0x8D,0xDB,0x62,0x79,0x83,
+ 0xF8,0x67,0x4E,0x62,0x21,0x2C,0x81,0x59,0xE8,0x73,0xD7,0xAF,
+ 0xB9,0x63,0x60,0xEA,0xAE,0xEC,0x68,0x6A,0xB4,0xB0,0x65,0xBA,
+ 0xA3,0x4C,0x09,0x99,0x29,0x6A,0x2E,0x2B,0xFC,0x6D,0x51,0xCA,
+ 0x30,0xA2,0x2F,0x7A,0x65,0x76,0xA7,0x55,0x13,0x11,0xA0,0x02,
+ 0xA2,0x59,0x4B,0xCE,0xA7,0x05,0xF6,0x07,0x35,0x9B,0x41,0xD7,
+ 0x11,0x5A,0x18,0x57,0xA7,0x78,0x88,0xC3,0xA8,0xE3,0x39,0xF5,
+ 0x47,0x3D,0x2E,0x18,0x54,0xB0,0xF0,0xBF,0x65,0x3F,0x77,0xC7,
+ 0x11,0xB8,0x0D,0x52,0xAD,0xC8,0xE8,0x6D,0xF6,0x7E,0x88,0x65,
+ 0x84,0x2B,0xF7,0xEF,0x8E,0xB5,0x7C,0xBD,0x2E,0x0D,0xF3,0xC6,
+ 0xDD,0x0B,0xB4,0xF2,0x23,0x1F,0xDA,0x55,0x05,0xF5,0xDC,0x53,
+ 0xA6,0x83,0xDA,0x5C,0xEF,0x29,0x02,0x78,0x68,0xD0,0xA4,0x39,
+ 0x09,0x7F,0xFA,0x49,0x18,0xD0,0xB5,0x19,0x35,0x31,0x8E,0xDE,
+ 0x43,0x35,0xA3,0xB9,0x6D,0xC1,0x70,0xC6,0x0D,0x18,0x24,0xEB,
+ 0x1E,0x4D,0x52,0xB7,
+};
+
+static const uint8_t DSS_Q_RAW[] =
+{
+ 0x8D,0x6B,0x86,0x89,0x9C,0x8D,0x30,0x91,0xCC,0x6E,0x34,0xF1,
+ 0xE8,0x9C,0x8A,0x5C,0xD6,0xAB,0x01,0x1E,0xC4,0xDB,0xFD,0x07,
+ 0xEB,0x5F,0x4E,0xE8,0xFA,0xFC,0x98,0x2D,
+};
+
+static const uint8_t DSS_G_RAW[] =
+{
+ 0x0E,0x2C,0x34,0xB2,0xE1,0x66,0x49,0xB6,0x9A,0x7D,0x67,0x3E,
+ 0xEE,0x98,0x35,0x18,0x28,0x35,0xFC,0x05,0x36,0x3B,0x94,0xE6,
+ 0x1E,0x1C,0x5B,0x05,0x3E,0x86,0x1B,0xE3,0xED,0xD2,0xE1,0xF3,
+ 0xF7,0xF7,0x60,0x6D,0x7D,0xA1,0xAF,0x9A,0xD1,0xDF,0xA2,0x9C,
+ 0xFC,0xA2,0xEB,0x90,0x8B,0x1C,0x82,0x92,0x45,0x7B,0x30,0x2A,
+ 0xFD,0x7A,0xE6,0x68,0x8F,0xEC,0x89,0x3A,0x9A,0xAD,0xFE,0x25,
+ 0x5E,0x51,0xC5,0x29,0x45,0x7F,0xAC,0xDE,0xFC,0xB4,0x1B,0x3A,
+ 0xDA,0xC7,0x21,0x68,0x87,0x27,0x8D,0x7B,0xB2,0xBB,0x41,0x60,
+ 0x46,0x42,0x5B,0x6B,0xE8,0x80,0xD2,0xE4,0xA3,0x30,0x8F,0xD5,
+ 0x71,0x07,0x8A,0x7B,0x32,0x56,0x84,0x41,0x1C,0xDF,0x69,0xE9,
+ 0xFD,0xBA,0x48,0xE0,0x43,0xA0,0x38,0x92,0x12,0xF3,0x52,0xA5,
+ 0x40,0x87,0xCB,0x34,0xBB,0x3E,0x25,0x29,0x3C,0xC6,0xA5,0x17,
+ 0xFD,0x58,0x47,0x89,0xDB,0x9B,0xB9,0xCF,0xE9,0xA8,0xF2,0xEC,
+ 0x55,0x76,0xF5,0xF1,0x9C,0x6E,0x0A,0x3F,0x16,0x5F,0x49,0x31,
+ 0x31,0x1C,0x43,0xA2,0x83,0xDA,0xDD,0x7F,0x1C,0xEA,0x05,0x36,
+ 0x7B,0xED,0x09,0xFB,0x6F,0x8A,0x2B,0x55,0xB9,0xBC,0x4A,0x8C,
+ 0x28,0xC1,0x4D,0x13,0x6E,0x47,0xF4,0xAD,0x79,0x00,0xE9,0x5A,
+ 0xB6,0xC7,0x73,0x28,0xA9,0x89,0xAD,0xE8,0x6E,0xC6,0x54,0xA5,
+ 0x56,0x2D,0xAA,0x81,0x83,0x9E,0xC1,0x13,0x79,0xA4,0x12,0xE0,
+ 0x76,0x1F,0x25,0x43,0xB6,0xDE,0x56,0xF7,0x52,0xCC,0x07,0xB8,
+ 0x37,0xE2,0x8C,0xC5,0x56,0x8C,0xDD,0x63,0xF5,0xB6,0xA3,0x46,
+ 0x62,0xF6,0x35,0x76,
+};
+
+} // namespace
+
+TestSignatureAlgorithm::TestSignatureAlgorithm(
+ const TestPublicKeyAlgorithm& publicKeyAlg,
+ TestDigestAlgorithmID digestAlg,
+ const ByteString& algorithmIdentifier,
+ bool accepted)
+ : publicKeyAlg(publicKeyAlg)
+ , digestAlg(digestAlg)
+ , algorithmIdentifier(algorithmIdentifier)
+ , accepted(accepted)
+{
+}
+
+ByteString DSS_P() { return ByteString(DSS_P_RAW, sizeof(DSS_P_RAW)); }
+ByteString DSS_Q() { return ByteString(DSS_Q_RAW, sizeof(DSS_Q_RAW)); }
+ByteString DSS_G() { return ByteString(DSS_G_RAW, sizeof(DSS_G_RAW)); }
+
+TestPublicKeyAlgorithm
+DSS()
+{
+ static const uint8_t oidValue[] = { PREFIX_1_2_840_10040, 4, 1 };
+
+ // RFC 3279 Section-2.3.2
+ return TestPublicKeyAlgorithm(
+ TLV(der::SEQUENCE,
+ OID(oidValue) +
+ TLV(der::SEQUENCE,
+ DERInteger(DSS_P_RAW) +
+ DERInteger(DSS_Q_RAW) +
+ DERInteger(DSS_G_RAW))));
+}
+
+// RFC 3279 Section 2.3.1
+TestPublicKeyAlgorithm
+RSA_PKCS1()
+{
+ static const uint8_t rsaEncryption[] = { PREFIX_1_2_840_113549, 1, 1, 1 };
+ return TestPublicKeyAlgorithm(SimpleAlgID(rsaEncryption, NULLParam::YES));
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm md2WithRSAEncryption()
+{
+ static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 2 };
+ return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::MD2,
+ SimpleAlgID(oidValue), false);
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm md5WithRSAEncryption()
+{
+ static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 4 };
+ return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::MD5,
+ SimpleAlgID(oidValue), false);
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm sha1WithRSAEncryption()
+{
+ static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 5 };
+ return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::SHA1,
+ SimpleAlgID(oidValue), true);
+}
+
+// RFC 4055 Section 5
+TestSignatureAlgorithm sha256WithRSAEncryption()
+{
+ static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 11 };
+ return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::SHA256,
+ SimpleAlgID(oidValue), true);
+}
+
+} } } // namespace mozilla::pkix
diff --git a/security/pkix/test/lib/pkixtestnss.cpp b/security/pkix/test/lib/pkixtestnss.cpp
new file mode 100644
index 000000000..4d49b9e31
--- /dev/null
+++ b/security/pkix/test/lib/pkixtestnss.cpp
@@ -0,0 +1,309 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixtestutil.h"
+
+#include <limits>
+
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "nss.h"
+#include "pk11pqg.h"
+#include "pk11pub.h"
+#include "pkix/pkixnss.h"
+#include "pkixder.h"
+#include "pkixutil.h"
+#include "prinit.h"
+#include "secerr.h"
+#include "secitem.h"
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
+ ScopedSECKEYPublicKey;
+typedef ScopedPtr<SECKEYPrivateKey, SECKEY_DestroyPrivateKey>
+ ScopedSECKEYPrivateKey;
+
+inline void
+SECITEM_FreeItem_true(SECItem* item)
+{
+ SECITEM_FreeItem(item, true);
+}
+
+typedef mozilla::pkix::ScopedPtr<SECItem, SECITEM_FreeItem_true> ScopedSECItem;
+
+TestKeyPair* GenerateKeyPairInner();
+
+void
+InitNSSIfNeeded()
+{
+ if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+ abort();
+ }
+}
+
+static ScopedTestKeyPair reusedKeyPair;
+
+PRStatus
+InitReusedKeyPair()
+{
+ InitNSSIfNeeded();
+ reusedKeyPair.reset(GenerateKeyPairInner());
+ return reusedKeyPair ? PR_SUCCESS : PR_FAILURE;
+}
+
+class NSSTestKeyPair final : public TestKeyPair
+{
+public:
+ // NSSTestKeyPair takes ownership of privateKey.
+ NSSTestKeyPair(const TestPublicKeyAlgorithm& publicKeyAlg,
+ const ByteString& spk,
+ SECKEYPrivateKey* privateKey)
+ : TestKeyPair(publicKeyAlg, spk)
+ , privateKey(privateKey)
+ {
+ }
+
+ Result SignData(const ByteString& tbs,
+ const TestSignatureAlgorithm& signatureAlgorithm,
+ /*out*/ ByteString& signature) const override
+ {
+ SECOidTag oidTag;
+ if (signatureAlgorithm.publicKeyAlg == RSA_PKCS1()) {
+ switch (signatureAlgorithm.digestAlg) {
+ case TestDigestAlgorithmID::MD2:
+ oidTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
+ break;
+ case TestDigestAlgorithmID::MD5:
+ oidTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+ break;
+ case TestDigestAlgorithmID::SHA1:
+ oidTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+ break;
+ case TestDigestAlgorithmID::SHA224:
+ oidTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION;
+ break;
+ case TestDigestAlgorithmID::SHA256:
+ oidTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+ break;
+ case TestDigestAlgorithmID::SHA384:
+ oidTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+ break;
+ case TestDigestAlgorithmID::SHA512:
+ oidTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+ break;
+ MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+ } else {
+ abort();
+ }
+
+ SECItem signatureItem;
+ if (SEC_SignData(&signatureItem, tbs.data(),
+ static_cast<int>(tbs.length()),
+ privateKey.get(), oidTag) != SECSuccess) {
+ return MapPRErrorCodeToResult(PR_GetError());
+ }
+ signature.assign(signatureItem.data, signatureItem.len);
+ SECITEM_FreeItem(&signatureItem, false);
+ return Success;
+ }
+
+ TestKeyPair* Clone() const override
+ {
+ ScopedSECKEYPrivateKey
+ privateKeyCopy(SECKEY_CopyPrivateKey(privateKey.get()));
+ if (!privateKeyCopy) {
+ return nullptr;
+ }
+ return new (std::nothrow) NSSTestKeyPair(publicKeyAlg,
+ subjectPublicKey,
+ privateKeyCopy.release());
+ }
+
+private:
+ ScopedSECKEYPrivateKey privateKey;
+};
+
+} // namespace
+
+// This private function is also used by Gecko's PSM test framework
+// (OCSPCommon.cpp).
+//
+// Ownership of privateKey is transfered.
+TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
+ const SECKEYPublicKey& publicKey,
+ SECKEYPrivateKey* privateKey)
+{
+ ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
+ spki(SECKEY_CreateSubjectPublicKeyInfo(&publicKey));
+ if (!spki) {
+ return nullptr;
+ }
+ SECItem spkDER = spki->subjectPublicKey;
+ DER_ConvertBitString(&spkDER); // bits to bytes
+ return new (std::nothrow) NSSTestKeyPair(publicKeyAlg,
+ ByteString(spkDER.data, spkDER.len),
+ privateKey);
+}
+
+namespace {
+
+TestKeyPair*
+GenerateKeyPairInner()
+{
+ ScopedPtr<PK11SlotInfo, PK11_FreeSlot> slot(PK11_GetInternalSlot());
+ if (!slot) {
+ abort();
+ }
+
+ // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
+ // entropy to generate a random key. Attempting to add some entropy and
+ // retrying appears to solve this issue.
+ for (uint32_t retries = 0; retries < 10; retries++) {
+ PK11RSAGenParams params;
+ params.keySizeInBits = 2048;
+ params.pe = 3;
+ SECKEYPublicKey* publicKeyTemp = nullptr;
+ ScopedSECKEYPrivateKey
+ privateKey(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
+ &params, &publicKeyTemp, false, true,
+ nullptr));
+ ScopedSECKEYPublicKey publicKey(publicKeyTemp);
+ if (privateKey) {
+ return CreateTestKeyPair(RSA_PKCS1(), *publicKey, privateKey.release());
+ }
+
+ assert(!publicKeyTemp);
+
+ if (PR_GetError() != SEC_ERROR_PKCS11_FUNCTION_FAILED) {
+ break;
+ }
+
+ // Since these keys are only for testing, we don't need them to be good,
+ // random keys.
+ // https://xkcd.com/221/
+ static const uint8_t RANDOM_NUMBER[] = { 4, 4, 4, 4, 4, 4, 4, 4 };
+ if (PK11_RandomUpdate((void*) &RANDOM_NUMBER,
+ sizeof(RANDOM_NUMBER)) != SECSuccess) {
+ break;
+ }
+ }
+
+ abort();
+}
+
+} // namespace
+
+TestKeyPair*
+GenerateKeyPair()
+{
+ InitNSSIfNeeded();
+ return GenerateKeyPairInner();
+}
+
+TestKeyPair*
+CloneReusedKeyPair()
+{
+ static PRCallOnceType initCallOnce;
+ if (PR_CallOnce(&initCallOnce, InitReusedKeyPair) != PR_SUCCESS) {
+ abort();
+ }
+ assert(reusedKeyPair);
+ return reusedKeyPair->Clone();
+}
+
+TestKeyPair*
+GenerateDSSKeyPair()
+{
+ InitNSSIfNeeded();
+
+ ScopedPtr<PK11SlotInfo, PK11_FreeSlot> slot(PK11_GetInternalSlot());
+ if (!slot) {
+ return nullptr;
+ }
+
+ ByteString p(DSS_P());
+ ByteString q(DSS_Q());
+ ByteString g(DSS_G());
+
+ static const PQGParams PARAMS = {
+ nullptr,
+ { siBuffer,
+ const_cast<uint8_t*>(p.data()),
+ static_cast<unsigned int>(p.length())
+ },
+ { siBuffer,
+ const_cast<uint8_t*>(q.data()),
+ static_cast<unsigned int>(q.length())
+ },
+ { siBuffer,
+ const_cast<uint8_t*>(g.data()),
+ static_cast<unsigned int>(g.length())
+ }
+ };
+
+ SECKEYPublicKey* publicKeyTemp = nullptr;
+ ScopedSECKEYPrivateKey
+ privateKey(PK11_GenerateKeyPair(slot.get(), CKM_DSA_KEY_PAIR_GEN,
+ const_cast<PQGParams*>(&PARAMS),
+ &publicKeyTemp, false, true, nullptr));
+ if (!privateKey) {
+ return nullptr;
+ }
+ ScopedSECKEYPublicKey publicKey(publicKeyTemp);
+ return CreateTestKeyPair(DSS(), *publicKey, privateKey.release());
+}
+
+Result
+TestVerifyECDSASignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo)
+{
+ InitNSSIfNeeded();
+ return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+ nullptr);
+}
+
+Result
+TestVerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo)
+{
+ InitNSSIfNeeded();
+ return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+ nullptr);
+}
+
+Result
+TestDigestBuf(Input item,
+ DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf,
+ size_t digestBufLen)
+{
+ InitNSSIfNeeded();
+ return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
+}
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/pkix/test/lib/pkixtestutil.cpp b/security/pkix/test/lib/pkixtestutil.cpp
new file mode 100644
index 000000000..decdee09a
--- /dev/null
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -0,0 +1,1153 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixtestutil.h"
+
+#include <cerrno>
+#include <cstdio>
+#include <limits>
+#include <new>
+#include <sstream>
+#include <cstdlib>
+
+#include "pkixder.h"
+#include "pkixutil.h"
+
+using namespace std;
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+inline void
+fclose_void(FILE* file) {
+ (void) fclose(file);
+}
+
+typedef mozilla::pkix::ScopedPtr<FILE, fclose_void> ScopedFILE;
+
+FILE*
+OpenFile(const string& dir, const string& filename, const string& mode)
+{
+ string path = dir + '/' + filename;
+
+ ScopedFILE file;
+#ifdef _MSC_VER
+ {
+ FILE* rawFile;
+ errno_t error = fopen_s(&rawFile, path.c_str(), mode.c_str());
+ if (error) {
+ // TODO: map error to NSPR error code
+ rawFile = nullptr;
+ }
+ file.reset(rawFile);
+ }
+#else
+ file.reset(fopen(path.c_str(), mode.c_str()));
+#endif
+ return file.release();
+}
+
+} // namespace
+
+bool
+InputEqualsByteString(Input input, const ByteString& bs)
+{
+ Input bsInput;
+ if (bsInput.Init(bs.data(), bs.length()) != Success) {
+ // Init can only fail if it is given a bad pointer or if the input is too
+ // long, which won't ever happen. Plus, if it does, it is ok to call abort
+ // since this is only test code.
+ abort();
+ }
+ return InputsAreEqual(input, bsInput);
+}
+
+ByteString
+InputToByteString(Input input)
+{
+ ByteString result;
+ Reader reader(input);
+ for (;;) {
+ uint8_t b;
+ if (reader.Read(b) != Success) {
+ return result;
+ }
+ result.push_back(b);
+ }
+}
+
+Result
+TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,
+ const ByteString& to)
+{
+ if (from.length() < 8) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ if (from.length() != to.length()) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+ size_t pos = item.find(from);
+ if (pos == string::npos) {
+ return Result::FATAL_ERROR_INVALID_ARGS; // No matches.
+ }
+ if (item.find(from, pos + from.length()) != string::npos) {
+ return Result::FATAL_ERROR_INVALID_ARGS; // More than once match.
+ }
+ item.replace(pos, from.length(), to);
+ return Success;
+}
+
+// Given a tag and a value, generates a DER-encoded tag-length-value item.
+ByteString
+TLV(uint8_t tag, size_t length, const ByteString& value)
+{
+ ByteString result;
+ result.push_back(tag);
+
+ if (value.length() < 128) {
+ result.push_back(static_cast<uint8_t>(length));
+ } else if (value.length() < 256) {
+ result.push_back(0x81u);
+ result.push_back(static_cast<uint8_t>(length));
+ } else if (value.length() < 65536) {
+ result.push_back(0x82u);
+ result.push_back(static_cast<uint8_t>(length / 256));
+ result.push_back(static_cast<uint8_t>(length % 256));
+ } else {
+ // It is MUCH more convenient for TLV to be infallible than for it to have
+ // "proper" error handling.
+ abort();
+ }
+ result.append(value);
+ return result;
+}
+
+OCSPResponseExtension::OCSPResponseExtension()
+ : id()
+ , critical(false)
+ , value()
+ , next(nullptr)
+{
+}
+
+OCSPResponseContext::OCSPResponseContext(const CertID& certID, time_t time)
+ : certID(certID)
+ , responseStatus(successful)
+ , skipResponseBytes(false)
+ , producedAt(time)
+ , singleExtensions(nullptr)
+ , responseExtensions(nullptr)
+ , includeEmptyExtensions(false)
+ , signatureAlgorithm(sha256WithRSAEncryption())
+ , badSignature(false)
+ , certs(nullptr)
+
+ , certStatus(good)
+ , revocationTime(0)
+ , thisUpdate(time)
+ , nextUpdate(time + static_cast<time_t>(Time::ONE_DAY_IN_SECONDS))
+ , includeNextUpdate(true)
+{
+}
+
+static ByteString ResponseBytes(OCSPResponseContext& context);
+static ByteString BasicOCSPResponse(OCSPResponseContext& context);
+static ByteString ResponseData(OCSPResponseContext& context);
+static ByteString ResponderID(OCSPResponseContext& context);
+static ByteString KeyHash(const ByteString& subjectPublicKeyInfo);
+static ByteString SingleResponse(OCSPResponseContext& context);
+static ByteString CertID(OCSPResponseContext& context);
+static ByteString CertStatus(OCSPResponseContext& context);
+
+static ByteString
+SHA1(const ByteString& toHash)
+{
+ uint8_t digestBuf[20];
+ Input input;
+ if (input.Init(toHash.data(), toHash.length()) != Success) {
+ abort();
+ }
+ Result rv = TestDigestBuf(input, DigestAlgorithm::sha1, digestBuf,
+ sizeof(digestBuf));
+ if (rv != Success) {
+ abort();
+ }
+ return ByteString(digestBuf, sizeof(digestBuf));
+}
+
+static ByteString
+HashedOctetString(const ByteString& bytes)
+{
+ ByteString digest(SHA1(bytes));
+ if (ENCODING_FAILED(digest)) {
+ return ByteString();
+ }
+ return TLV(der::OCTET_STRING, digest);
+}
+
+static ByteString
+BitString(const ByteString& rawBytes, bool corrupt)
+{
+ ByteString prefixed;
+ // We have to add a byte at the beginning indicating no unused bits.
+ // TODO: add ability to have bit strings of bit length not divisible by 8,
+ // resulting in unused bits in the bitstring encoding
+ prefixed.push_back(0);
+ prefixed.append(rawBytes);
+ if (corrupt) {
+ assert(prefixed.length() > 8);
+ prefixed[8]++;
+ }
+ return TLV(der::BIT_STRING, prefixed);
+}
+
+ByteString
+Boolean(bool value)
+{
+ ByteString encodedValue;
+ encodedValue.push_back(value ? 0xffu : 0x00u);
+ return TLV(der::BOOLEAN, encodedValue);
+}
+
+ByteString
+Integer(long value)
+{
+ if (value < 0 || value > 127) {
+ // TODO: add encoding of larger values
+ // It is MUCH more convenient for Integer to be infallible than for it to
+ // have "proper" error handling.
+ abort();
+ }
+
+ ByteString encodedValue;
+ encodedValue.push_back(static_cast<uint8_t>(value));
+ return TLV(der::INTEGER, encodedValue);
+}
+
+enum TimeEncoding { UTCTime = 0, GeneralizedTime = 1 };
+
+// Windows doesn't provide gmtime_r, but it provides something very similar.
+#if defined(WIN32) && !defined(_POSIX_THREAD_SAFE_FUNCTIONS)
+static tm*
+gmtime_r(const time_t* t, /*out*/ tm* exploded)
+{
+ if (gmtime_s(exploded, t) != 0) {
+ return nullptr;
+ }
+ return exploded;
+}
+#endif
+
+// http://tools.ietf.org/html/rfc5280#section-4.1.2.5
+// UTCTime: YYMMDDHHMMSSZ (years 1950-2049 only)
+// GeneralizedTime: YYYYMMDDHHMMSSZ
+//
+// This assumes that time/time_t are POSIX-compliant in that time() returns
+// the number of seconds since the Unix epoch.
+static ByteString
+TimeToEncodedTime(time_t time, TimeEncoding encoding)
+{
+ assert(encoding == UTCTime || encoding == GeneralizedTime);
+
+ tm exploded;
+ if (!gmtime_r(&time, &exploded)) {
+ return ByteString();
+ }
+
+ if (exploded.tm_sec >= 60) {
+ // round down for leap seconds
+ exploded.tm_sec = 59;
+ }
+
+ // exploded.tm_year is the year offset by 1900.
+ int year = exploded.tm_year + 1900;
+
+ if (encoding == UTCTime && (year < 1950 || year >= 2050)) {
+ return ByteString();
+ }
+
+ ByteString value;
+
+ if (encoding == GeneralizedTime) {
+ value.push_back(static_cast<uint8_t>('0' + (year / 1000)));
+ value.push_back(static_cast<uint8_t>('0' + ((year % 1000) / 100)));
+ }
+
+ value.push_back(static_cast<uint8_t>('0' + ((year % 100) / 10)));
+ value.push_back(static_cast<uint8_t>('0' + (year % 10)));
+ value.push_back(static_cast<uint8_t>('0' + ((exploded.tm_mon + 1) / 10)));
+ value.push_back(static_cast<uint8_t>('0' + ((exploded.tm_mon + 1) % 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_mday / 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_mday % 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_hour / 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_hour % 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_min / 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_min % 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_sec / 10)));
+ value.push_back(static_cast<uint8_t>('0' + (exploded.tm_sec % 10)));
+ value.push_back('Z');
+
+ return TLV(encoding == GeneralizedTime ? der::GENERALIZED_TIME : der::UTCTime,
+ value);
+}
+
+static ByteString
+TimeToGeneralizedTime(time_t time)
+{
+ return TimeToEncodedTime(time, GeneralizedTime);
+}
+
+// http://tools.ietf.org/html/rfc5280#section-4.1.2.5: "CAs conforming to this
+// profile MUST always encode certificate validity dates through the year 2049
+// as UTCTime; certificate validity dates in 2050 or later MUST be encoded as
+// GeneralizedTime." (This is a special case of the rule that we must always
+// use the shortest possible encoding.)
+static ByteString
+TimeToTimeChoice(time_t time)
+{
+ tm exploded;
+ if (!gmtime_r(&time, &exploded)) {
+ return ByteString();
+ }
+ TimeEncoding encoding = (exploded.tm_year + 1900 >= 1950 &&
+ exploded.tm_year + 1900 < 2050)
+ ? UTCTime
+ : GeneralizedTime;
+
+ return TimeToEncodedTime(time, encoding);
+}
+
+Time
+YMDHMS(uint16_t year, uint16_t month, uint16_t day,
+ uint16_t hour, uint16_t minutes, uint16_t seconds)
+{
+ assert(year <= 9999);
+ assert(month >= 1);
+ assert(month <= 12);
+ assert(day >= 1);
+ assert(hour < 24);
+ assert(minutes < 60);
+ assert(seconds < 60);
+
+ uint64_t days = DaysBeforeYear(year);
+
+ {
+ static const int16_t DAYS_IN_MONTH[] = {
+ 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
+ };
+
+ int16_t i = 1;
+ for (;;) {
+ int16_t daysInMonth = DAYS_IN_MONTH[i - 1];
+ if (i == 2 &&
+ ((year % 4 == 0) && ((year % 100 != 0) || (year % 400 == 0)))) {
+ // Add leap day
+ ++daysInMonth;
+ }
+ if (i == month) {
+ assert(day <= daysInMonth);
+ break;
+ }
+ days += daysInMonth;
+ ++i;
+ }
+ }
+
+ days += (day - 1);
+
+ uint64_t totalSeconds = days * Time::ONE_DAY_IN_SECONDS;
+ totalSeconds += hour * 60 * 60;
+ totalSeconds += minutes * 60;
+ totalSeconds += seconds;
+ return TimeFromElapsedSecondsAD(totalSeconds);
+}
+
+static ByteString
+SignedData(const ByteString& tbsData,
+ const TestKeyPair& keyPair,
+ const TestSignatureAlgorithm& signatureAlgorithm,
+ bool corrupt, /*optional*/ const ByteString* certs)
+{
+ ByteString signature;
+ if (keyPair.SignData(tbsData, signatureAlgorithm, signature) != Success) {
+ return ByteString();
+ }
+
+ // TODO: add ability to have signatures of bit length not divisible by 8,
+ // resulting in unused bits in the bitstring encoding
+ ByteString signatureNested(BitString(signature, corrupt));
+ if (ENCODING_FAILED(signatureNested)) {
+ return ByteString();
+ }
+
+ ByteString certsNested;
+ if (certs) {
+ ByteString certsSequenceValue;
+ while (!(*certs).empty()) {
+ certsSequenceValue.append(*certs);
+ ++certs;
+ }
+ ByteString certsSequence(TLV(der::SEQUENCE, certsSequenceValue));
+ certsNested = TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+ certsSequence);
+ }
+
+ ByteString value;
+ value.append(tbsData);
+ value.append(signatureAlgorithm.algorithmIdentifier);
+ value.append(signatureNested);
+ value.append(certsNested);
+ return TLV(der::SEQUENCE, value);
+}
+
+// Extension ::= SEQUENCE {
+// extnID OBJECT IDENTIFIER,
+// critical BOOLEAN DEFAULT FALSE,
+// extnValue OCTET STRING
+// -- contains the DER encoding of an ASN.1 value
+// -- corresponding to the extension type identified
+// -- by extnID
+// }
+static ByteString
+Extension(Input extnID, Critical critical, const ByteString& extnValueBytes)
+{
+ ByteString encoded;
+
+ encoded.append(ByteString(extnID.UnsafeGetData(), extnID.GetLength()));
+
+ if (critical == Critical::Yes) {
+ encoded.append(Boolean(true));
+ }
+
+ ByteString extnValueSequence(TLV(der::SEQUENCE, extnValueBytes));
+ ByteString extnValue(TLV(der::OCTET_STRING, extnValueSequence));
+ encoded.append(extnValue);
+ return TLV(der::SEQUENCE, encoded);
+}
+
+static ByteString
+EmptyExtension(Input extnID, Critical critical)
+{
+ ByteString encoded(extnID.UnsafeGetData(), extnID.GetLength());
+
+ if (critical == Critical::Yes) {
+ encoded.append(Boolean(true));
+ }
+
+ ByteString extnValue(TLV(der::OCTET_STRING, ByteString()));
+ encoded.append(extnValue);
+ return TLV(der::SEQUENCE, encoded);
+}
+
+std::string
+GetEnv(const char* name)
+{
+ std::string result;
+
+#ifndef _MSC_VER
+ // XXX: Not thread safe.
+ const char* value = getenv(name);
+ if (value) {
+ result = value;
+ }
+#else
+ char* value = nullptr;
+ size_t valueLength = 0;
+ if (_dupenv_s(&value, &valueLength, name) != 0) {
+ abort();
+ }
+ if (value) {
+ result = value;
+ free(value);
+ }
+#endif
+ return result;
+}
+
+void
+MaybeLogOutput(const ByteString& result, const char* suffix)
+{
+ assert(suffix);
+
+ // This allows us to more easily debug the generated output, by creating a
+ // file in the directory given by MOZILLA_PKIX_TEST_LOG_DIR for each
+ // NOT THREAD-SAFE!!!
+ std::string logPath(GetEnv("MOZILLA_PKIX_TEST_LOG_DIR"));
+ if (!logPath.empty()) {
+ static int counter = 0;
+
+ std::ostringstream counterStream;
+ counterStream << counter;
+ if (!counterStream) {
+ assert(false);
+ return;
+ }
+ string filename = counterStream.str() + '-' + suffix + ".der";
+
+ ++counter;
+ ScopedFILE file(OpenFile(logPath, filename, "wb"));
+ if (file) {
+ (void) fwrite(result.data(), result.length(), 1, file.get());
+ }
+ }
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Certificates
+
+static ByteString TBSCertificate(long version, const ByteString& serialNumber,
+ const ByteString& signature,
+ const ByteString& issuer,
+ time_t notBefore, time_t notAfter,
+ const ByteString& subject,
+ const ByteString& subjectPublicKeyInfo,
+ /*optional*/ const ByteString* extensions);
+
+// Certificate ::= SEQUENCE {
+// tbsCertificate TBSCertificate,
+// signatureAlgorithm AlgorithmIdentifier,
+// signatureValue BIT STRING }
+ByteString
+CreateEncodedCertificate(long version,
+ const TestSignatureAlgorithm& signature,
+ const ByteString& serialNumber,
+ const ByteString& issuerNameDER,
+ time_t notBefore, time_t notAfter,
+ const ByteString& subjectNameDER,
+ const TestKeyPair& subjectKeyPair,
+ /*optional*/ const ByteString* extensions,
+ const TestKeyPair& issuerKeyPair,
+ const TestSignatureAlgorithm& signatureAlgorithm)
+{
+ ByteString tbsCertificate(TBSCertificate(version, serialNumber,
+ signature.algorithmIdentifier,
+ issuerNameDER, notBefore,
+ notAfter, subjectNameDER,
+ subjectKeyPair.subjectPublicKeyInfo,
+ extensions));
+ if (ENCODING_FAILED(tbsCertificate)) {
+ return ByteString();
+ }
+
+ ByteString result(SignedData(tbsCertificate, issuerKeyPair,
+ signatureAlgorithm, false, nullptr));
+ if (ENCODING_FAILED(result)) {
+ return ByteString();
+ }
+
+ MaybeLogOutput(result, "cert");
+
+ return result;
+}
+
+// TBSCertificate ::= SEQUENCE {
+// version [0] Version DEFAULT v1,
+// serialNumber CertificateSerialNumber,
+// signature AlgorithmIdentifier,
+// issuer Name,
+// validity Validity,
+// subject Name,
+// subjectPublicKeyInfo SubjectPublicKeyInfo,
+// issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+// -- If present, version MUST be v2 or v3
+// extensions [3] Extensions OPTIONAL
+// -- If present, version MUST be v3 -- }
+static ByteString
+TBSCertificate(long versionValue,
+ const ByteString& serialNumber, const ByteString& signature,
+ const ByteString& issuer, time_t notBeforeTime,
+ time_t notAfterTime, const ByteString& subject,
+ const ByteString& subjectPublicKeyInfo,
+ /*optional*/ const ByteString* extensions)
+{
+ ByteString value;
+
+ if (versionValue != static_cast<long>(der::Version::v1)) {
+ ByteString versionInteger(Integer(versionValue));
+ ByteString version(TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+ versionInteger));
+ value.append(version);
+ }
+
+ value.append(serialNumber);
+ value.append(signature);
+ value.append(issuer);
+
+ // Validity ::= SEQUENCE {
+ // notBefore Time,
+ // notAfter Time }
+ ByteString validity;
+ {
+ ByteString notBefore(TimeToTimeChoice(notBeforeTime));
+ if (ENCODING_FAILED(notBefore)) {
+ return ByteString();
+ }
+ ByteString notAfter(TimeToTimeChoice(notAfterTime));
+ if (ENCODING_FAILED(notAfter)) {
+ return ByteString();
+ }
+ ByteString validityValue;
+ validityValue.append(notBefore);
+ validityValue.append(notAfter);
+ validity = TLV(der::SEQUENCE, validityValue);
+ if (ENCODING_FAILED(validity)) {
+ return ByteString();
+ }
+ }
+ value.append(validity);
+
+ value.append(subject);
+
+ value.append(subjectPublicKeyInfo);
+
+ if (extensions) {
+ ByteString extensionsValue;
+ while (!(*extensions).empty()) {
+ extensionsValue.append(*extensions);
+ ++extensions;
+ }
+ ByteString extensionsSequence(TLV(der::SEQUENCE, extensionsValue));
+ if (ENCODING_FAILED(extensionsSequence)) {
+ return ByteString();
+ }
+ ByteString extensionsWrapped(
+ TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3, extensionsSequence));
+ if (ENCODING_FAILED(extensionsWrapped)) {
+ return ByteString();
+ }
+ value.append(extensionsWrapped);
+ }
+
+ return TLV(der::SEQUENCE, value);
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+// type AttributeType,
+// value AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+//
+// DirectoryString ::= CHOICE {
+// teletexString TeletexString (SIZE (1..MAX)),
+// printableString PrintableString (SIZE (1..MAX)),
+// universalString UniversalString (SIZE (1..MAX)),
+// utf8String UTF8String (SIZE (1..MAX)),
+// bmpString BMPString (SIZE (1..MAX)) }
+template <size_t N>
+static ByteString
+AVA(const uint8_t (&type)[N], uint8_t directoryStringType,
+ const ByteString& value)
+{
+ ByteString wrappedValue(TLV(directoryStringType, value));
+ ByteString ava;
+ ava.append(type, N);
+ ava.append(wrappedValue);
+ return TLV(der::SEQUENCE, ava);
+}
+
+ByteString
+CN(const ByteString& value, uint8_t encodingTag)
+{
+ // id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+ // id-at-commonName AttributeType ::= { id-at 3 }
+ // python DottedOIDToCode.py --tlv id-at-commonName 2.5.4.3
+ static const uint8_t tlv_id_at_commonName[] = {
+ 0x06, 0x03, 0x55, 0x04, 0x03
+ };
+ return AVA(tlv_id_at_commonName, encodingTag, value);
+}
+
+ByteString
+OU(const ByteString& value, uint8_t encodingTag)
+{
+ // id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+ // id-at-organizationalUnitName AttributeType ::= { id-at 11 }
+ // python DottedOIDToCode.py --tlv id-at-organizationalUnitName 2.5.4.11
+ static const uint8_t tlv_id_at_organizationalUnitName[] = {
+ 0x06, 0x03, 0x55, 0x04, 0x0b
+ };
+
+ return AVA(tlv_id_at_organizationalUnitName, encodingTag, value);
+}
+
+ByteString
+emailAddress(const ByteString& value)
+{
+ // id-emailAddress AttributeType ::= { pkcs-9 1 }
+ // python DottedOIDToCode.py --tlv id-emailAddress 1.2.840.113549.1.9.1
+ static const uint8_t tlv_id_emailAddress[] = {
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01
+ };
+
+ return AVA(tlv_id_emailAddress, der::IA5String, value);
+}
+
+// RelativeDistinguishedName ::=
+// SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+ByteString
+RDN(const ByteString& avas)
+{
+ return TLV(der::SET, avas);
+}
+
+// Name ::= CHOICE { -- only one possibility for now --
+// rdnSequence RDNSequence }
+//
+// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+//
+ByteString
+Name(const ByteString& rdns)
+{
+ return TLV(der::SEQUENCE, rdns);
+}
+
+ByteString
+CreateEncodedSerialNumber(long serialNumberValue)
+{
+ return Integer(serialNumberValue);
+}
+
+// BasicConstraints ::= SEQUENCE {
+// cA BOOLEAN DEFAULT FALSE,
+// pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+ByteString
+CreateEncodedBasicConstraints(bool isCA,
+ /*optional*/ long* pathLenConstraintValue,
+ Critical critical)
+{
+ ByteString value;
+
+ if (isCA) {
+ ByteString cA(Boolean(true));
+ value.append(cA);
+ }
+
+ if (pathLenConstraintValue) {
+ ByteString pathLenConstraint(Integer(*pathLenConstraintValue));
+ value.append(pathLenConstraint);
+ }
+
+ // python DottedOIDToCode.py --tlv id-ce-basicConstraints 2.5.29.19
+ static const uint8_t tlv_id_ce_basicConstraints[] = {
+ 0x06, 0x03, 0x55, 0x1d, 0x13
+ };
+ return Extension(Input(tlv_id_ce_basicConstraints), critical, value);
+}
+
+// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+// KeyPurposeId ::= OBJECT IDENTIFIER
+ByteString
+CreateEncodedEKUExtension(Input ekuOID, Critical critical)
+{
+ ByteString value(ekuOID.UnsafeGetData(), ekuOID.GetLength());
+
+ // python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
+ static const uint8_t tlv_id_ce_extKeyUsage[] = {
+ 0x06, 0x03, 0x55, 0x1d, 0x25
+ };
+
+ return Extension(Input(tlv_id_ce_extKeyUsage), critical, value);
+}
+
+// python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
+static const uint8_t tlv_id_ce_subjectAltName[] = {
+ 0x06, 0x03, 0x55, 0x1d, 0x11
+};
+
+ByteString
+CreateEncodedSubjectAltName(const ByteString& names)
+{
+ return Extension(Input(tlv_id_ce_subjectAltName), Critical::No, names);
+}
+
+ByteString
+CreateEncodedEmptySubjectAltName()
+{
+ return EmptyExtension(Input(tlv_id_ce_subjectAltName), Critical::No);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// OCSP responses
+
+ByteString
+CreateEncodedOCSPResponse(OCSPResponseContext& context)
+{
+ if (!context.skipResponseBytes) {
+ if (!context.signerKeyPair) {
+ return ByteString();
+ }
+ }
+
+ // OCSPResponse ::= SEQUENCE {
+ // responseStatus OCSPResponseStatus,
+ // responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
+
+ // OCSPResponseStatus ::= ENUMERATED {
+ // successful (0), -- Response has valid confirmations
+ // malformedRequest (1), -- Illegal confirmation request
+ // internalError (2), -- Internal error in issuer
+ // tryLater (3), -- Try again later
+ // -- (4) is not used
+ // sigRequired (5), -- Must sign the request
+ // unauthorized (6) -- Request unauthorized
+ // }
+ ByteString reponseStatusValue;
+ reponseStatusValue.push_back(context.responseStatus);
+ ByteString responseStatus(TLV(der::ENUMERATED, reponseStatusValue));
+
+ ByteString responseBytesNested;
+ if (!context.skipResponseBytes) {
+ ByteString responseBytes(ResponseBytes(context));
+ if (ENCODING_FAILED(responseBytes)) {
+ return ByteString();
+ }
+
+ responseBytesNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC,
+ responseBytes);
+ }
+
+ ByteString value;
+ value.append(responseStatus);
+ value.append(responseBytesNested);
+ ByteString result(TLV(der::SEQUENCE, value));
+
+ MaybeLogOutput(result, "ocsp");
+
+ return result;
+}
+
+// ResponseBytes ::= SEQUENCE {
+// responseType OBJECT IDENTIFIER,
+// response OCTET STRING }
+ByteString
+ResponseBytes(OCSPResponseContext& context)
+{
+ // Includes tag and length
+ static const uint8_t id_pkix_ocsp_basic_encoded[] = {
+ 0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+ };
+ ByteString response(BasicOCSPResponse(context));
+ if (ENCODING_FAILED(response)) {
+ return ByteString();
+ }
+ ByteString responseNested = TLV(der::OCTET_STRING, response);
+
+ ByteString value;
+ value.append(id_pkix_ocsp_basic_encoded,
+ sizeof(id_pkix_ocsp_basic_encoded));
+ value.append(responseNested);
+ return TLV(der::SEQUENCE, value);
+}
+
+// BasicOCSPResponse ::= SEQUENCE {
+// tbsResponseData ResponseData,
+// signatureAlgorithm AlgorithmIdentifier,
+// signature BIT STRING,
+// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ByteString
+BasicOCSPResponse(OCSPResponseContext& context)
+{
+ ByteString tbsResponseData(ResponseData(context));
+ if (ENCODING_FAILED(tbsResponseData)) {
+ return ByteString();
+ }
+
+ return SignedData(tbsResponseData, *context.signerKeyPair,
+ context.signatureAlgorithm, context.badSignature,
+ context.certs);
+}
+
+// Extension ::= SEQUENCE {
+// id OBJECT IDENTIFIER,
+// critical BOOLEAN DEFAULT FALSE
+// value OCTET STRING
+// }
+static ByteString
+OCSPExtension(OCSPResponseExtension& extension)
+{
+ ByteString encoded;
+ encoded.append(extension.id);
+ if (extension.critical) {
+ encoded.append(Boolean(true));
+ }
+ ByteString value(TLV(der::OCTET_STRING, extension.value));
+ encoded.append(value);
+ return TLV(der::SEQUENCE, encoded);
+}
+
+// Extensions ::= [1] {
+// SEQUENCE OF Extension
+// }
+static ByteString
+OCSPExtensions(OCSPResponseExtension* extensions)
+{
+ ByteString value;
+ for (OCSPResponseExtension* extension = extensions;
+ extension; extension = extension->next) {
+ ByteString extensionEncoded(OCSPExtension(*extension));
+ if (ENCODING_FAILED(extensionEncoded)) {
+ return ByteString();
+ }
+ value.append(extensionEncoded);
+ }
+ ByteString sequence(TLV(der::SEQUENCE, value));
+ return TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1, sequence);
+}
+
+// ResponseData ::= SEQUENCE {
+// version [0] EXPLICIT Version DEFAULT v1,
+// responderID ResponderID,
+// producedAt GeneralizedTime,
+// responses SEQUENCE OF SingleResponse,
+// responseExtensions [1] EXPLICIT Extensions OPTIONAL }
+ByteString
+ResponseData(OCSPResponseContext& context)
+{
+ ByteString responderID(ResponderID(context));
+ if (ENCODING_FAILED(responderID)) {
+ return ByteString();
+ }
+ ByteString producedAtEncoded(TimeToGeneralizedTime(context.producedAt));
+ if (ENCODING_FAILED(producedAtEncoded)) {
+ return ByteString();
+ }
+ ByteString response(SingleResponse(context));
+ if (ENCODING_FAILED(response)) {
+ return ByteString();
+ }
+ ByteString responses(TLV(der::SEQUENCE, response));
+ ByteString responseExtensions;
+ if (context.responseExtensions || context.includeEmptyExtensions) {
+ responseExtensions = OCSPExtensions(context.responseExtensions);
+ }
+
+ ByteString value;
+ value.append(responderID);
+ value.append(producedAtEncoded);
+ value.append(responses);
+ value.append(responseExtensions);
+ return TLV(der::SEQUENCE, value);
+}
+
+// ResponderID ::= CHOICE {
+// byName [1] Name,
+// byKey [2] KeyHash }
+// }
+ByteString
+ResponderID(OCSPResponseContext& context)
+{
+ ByteString contents;
+ uint8_t responderIDType;
+ if (!context.signerNameDER.empty()) {
+ contents = context.signerNameDER;
+ responderIDType = 1; // byName
+ } else {
+ contents = KeyHash(context.signerKeyPair->subjectPublicKey);
+ if (ENCODING_FAILED(contents)) {
+ return ByteString();
+ }
+ responderIDType = 2; // byKey
+ }
+
+ // XXX: MSVC 2015 wrongly warns about signed/unsigned conversion without the
+ // static_cast.
+ uint8_t tag = static_cast<uint8_t>(der::CONSTRUCTED | der::CONTEXT_SPECIFIC |
+ responderIDType);
+ return TLV(tag, contents);
+}
+
+// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+// -- (i.e., the SHA-1 hash of the value of the
+// -- BIT STRING subjectPublicKey [excluding
+// -- the tag, length, and number of unused
+// -- bits] in the responder's certificate)
+ByteString
+KeyHash(const ByteString& subjectPublicKey)
+{
+ return HashedOctetString(subjectPublicKey);
+}
+
+// SingleResponse ::= SEQUENCE {
+// certID CertID,
+// certStatus CertStatus,
+// thisUpdate GeneralizedTime,
+// nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
+// singleExtensions [1] EXPLICIT Extensions OPTIONAL }
+ByteString
+SingleResponse(OCSPResponseContext& context)
+{
+ ByteString certID(CertID(context));
+ if (ENCODING_FAILED(certID)) {
+ return ByteString();
+ }
+ ByteString certStatus(CertStatus(context));
+ if (ENCODING_FAILED(certStatus)) {
+ return ByteString();
+ }
+ ByteString thisUpdateEncoded(TimeToGeneralizedTime(context.thisUpdate));
+ if (ENCODING_FAILED(thisUpdateEncoded)) {
+ return ByteString();
+ }
+ ByteString nextUpdateEncodedNested;
+ if (context.includeNextUpdate) {
+ ByteString nextUpdateEncoded(TimeToGeneralizedTime(context.nextUpdate));
+ if (ENCODING_FAILED(nextUpdateEncoded)) {
+ return ByteString();
+ }
+ nextUpdateEncodedNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
+ nextUpdateEncoded);
+ }
+ ByteString singleExtensions;
+ if (context.singleExtensions || context.includeEmptyExtensions) {
+ singleExtensions = OCSPExtensions(context.singleExtensions);
+ }
+
+ ByteString value;
+ value.append(certID);
+ value.append(certStatus);
+ value.append(thisUpdateEncoded);
+ value.append(nextUpdateEncodedNested);
+ value.append(singleExtensions);
+ return TLV(der::SEQUENCE, value);
+}
+
+// CertID ::= SEQUENCE {
+// hashAlgorithm AlgorithmIdentifier,
+// issuerNameHash OCTET STRING, -- Hash of issuer's DN
+// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
+// serialNumber CertificateSerialNumber }
+ByteString
+CertID(OCSPResponseContext& context)
+{
+ ByteString issuerName(context.certID.issuer.UnsafeGetData(),
+ context.certID.issuer.GetLength());
+ ByteString issuerNameHash(HashedOctetString(issuerName));
+ if (ENCODING_FAILED(issuerNameHash)) {
+ return ByteString();
+ }
+
+ ByteString issuerKeyHash;
+ {
+ // context.certID.issuerSubjectPublicKeyInfo is the entire
+ // SubjectPublicKeyInfo structure, but we need just the subjectPublicKey
+ // part.
+ Reader input(context.certID.issuerSubjectPublicKeyInfo);
+ Reader contents;
+ if (der::ExpectTagAndGetValue(input, der::SEQUENCE, contents) != Success) {
+ return ByteString();
+ }
+ // Skip AlgorithmIdentifier
+ if (der::ExpectTagAndSkipValue(contents, der::SEQUENCE) != Success) {
+ return ByteString();
+ }
+ Input subjectPublicKey;
+ if (der::BitStringWithNoUnusedBits(contents, subjectPublicKey)
+ != Success) {
+ return ByteString();
+ }
+ issuerKeyHash = KeyHash(ByteString(subjectPublicKey.UnsafeGetData(),
+ subjectPublicKey.GetLength()));
+ if (ENCODING_FAILED(issuerKeyHash)) {
+ return ByteString();
+ }
+ }
+
+ ByteString serialNumberValue(context.certID.serialNumber.UnsafeGetData(),
+ context.certID.serialNumber.GetLength());
+ ByteString serialNumber(TLV(der::INTEGER, serialNumberValue));
+
+ // python DottedOIDToCode.py --alg id-sha1 1.3.14.3.2.26
+ static const uint8_t alg_id_sha1[] = {
+ 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a
+ };
+
+ ByteString value;
+ value.append(alg_id_sha1, sizeof(alg_id_sha1));
+ value.append(issuerNameHash);
+ value.append(issuerKeyHash);
+ value.append(serialNumber);
+ return TLV(der::SEQUENCE, value);
+}
+
+// CertStatus ::= CHOICE {
+// good [0] IMPLICIT NULL,
+// revoked [1] IMPLICIT RevokedInfo,
+// unknown [2] IMPLICIT UnknownInfo }
+//
+// RevokedInfo ::= SEQUENCE {
+// revocationTime GeneralizedTime,
+// revocationReason [0] EXPLICIT CRLReason OPTIONAL }
+//
+// UnknownInfo ::= NULL
+//
+ByteString
+CertStatus(OCSPResponseContext& context)
+{
+ switch (context.certStatus) {
+ // Both good and unknown are ultimately represented as NULL - the only
+ // difference is in the tag that identifies them.
+ case 0:
+ case 2:
+ {
+ // XXX: MSVC 2015 wrongly warns about signed/unsigned conversion without
+ // the static cast.
+ return TLV(static_cast<uint8_t>(der::CONTEXT_SPECIFIC |
+ context.certStatus), ByteString());
+ }
+ case 1:
+ {
+ ByteString revocationTime(TimeToGeneralizedTime(context.revocationTime));
+ if (ENCODING_FAILED(revocationTime)) {
+ return ByteString();
+ }
+ // TODO(bug 980536): add support for revocationReason
+ return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, revocationTime);
+ }
+ default:
+ assert(false);
+ // fall through
+ }
+ return ByteString();
+}
+
+static const ByteString NO_UNUSED_BITS(1, 0x00);
+
+// The SubjectPublicKeyInfo syntax is specified in RFC 5280 Section 4.1.
+TestKeyPair::TestKeyPair(const TestPublicKeyAlgorithm& publicKeyAlg,
+ const ByteString& spk)
+ : publicKeyAlg(publicKeyAlg)
+ , subjectPublicKeyInfo(TLV(der::SEQUENCE,
+ publicKeyAlg.algorithmIdentifier +
+ TLV(der::BIT_STRING, NO_UNUSED_BITS + spk)))
+ , subjectPublicKey(spk)
+{
+}
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/pkix/test/lib/pkixtestutil.h b/security/pkix/test/lib/pkixtestutil.h
new file mode 100644
index 000000000..b36f1f8ad
--- /dev/null
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -0,0 +1,448 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_test_pkixtestutils_h
+#define mozilla_pkix_test_pkixtestutils_h
+
+#include <ctime>
+#include <stdint.h> // Some Mozilla-supported compilers lack <cstdint>
+#include <string>
+#include <cstring>
+
+#include "pkix/pkixtypes.h"
+#include "../../lib/ScopedPtr.h"
+
+namespace mozilla { namespace pkix { namespace test {
+
+typedef std::basic_string<uint8_t> ByteString;
+
+inline bool ENCODING_FAILED(const ByteString& bs) { return bs.empty(); }
+
+template <size_t L>
+inline ByteString
+BytesToByteString(const uint8_t (&bytes)[L])
+{
+ return ByteString(bytes, L);
+}
+
+// XXX: Ideally, we should define this instead:
+//
+// template <typename T, std::size_t N>
+// constexpr inline std::size_t
+// ArrayLength(T (&)[N])
+// {
+// return N;
+// }
+//
+// However, we don't because not all supported compilers support constexpr,
+// and we need to calculate array lengths in static_assert sometimes.
+//
+// XXX: Evaluates its argument twice
+#define MOZILLA_PKIX_ARRAY_LENGTH(x) (sizeof(x) / sizeof((x)[0]))
+
+bool InputEqualsByteString(Input input, const ByteString& bs);
+ByteString InputToByteString(Input input);
+
+// python DottedOIDToCode.py --tlv id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
+static const uint8_t tlv_id_kp_OCSPSigning[] = {
+ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09
+};
+
+// python DottedOIDToCode.py --tlv id-kp-serverAuth 1.3.6.1.5.5.7.3.1
+static const uint8_t tlv_id_kp_serverAuth[] = {
+ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01
+};
+
+enum class TestDigestAlgorithmID
+{
+ MD2,
+ MD5,
+ SHA1,
+ SHA224,
+ SHA256,
+ SHA384,
+ SHA512,
+};
+
+struct TestPublicKeyAlgorithm
+{
+ explicit TestPublicKeyAlgorithm(const ByteString& algorithmIdentifier)
+ : algorithmIdentifier(algorithmIdentifier) { }
+ bool operator==(const TestPublicKeyAlgorithm& other) const
+ {
+ return algorithmIdentifier == other.algorithmIdentifier;
+ }
+ ByteString algorithmIdentifier;
+};
+
+ByteString DSS_P();
+ByteString DSS_Q();
+ByteString DSS_G();
+
+TestPublicKeyAlgorithm DSS();
+TestPublicKeyAlgorithm RSA_PKCS1();
+
+struct TestSignatureAlgorithm
+{
+ TestSignatureAlgorithm(const TestPublicKeyAlgorithm& publicKeyAlg,
+ TestDigestAlgorithmID digestAlg,
+ const ByteString& algorithmIdentifier,
+ bool accepted);
+
+ TestPublicKeyAlgorithm publicKeyAlg;
+ TestDigestAlgorithmID digestAlg;
+ ByteString algorithmIdentifier;
+ bool accepted;
+};
+
+TestSignatureAlgorithm md2WithRSAEncryption();
+TestSignatureAlgorithm md5WithRSAEncryption();
+TestSignatureAlgorithm sha1WithRSAEncryption();
+TestSignatureAlgorithm sha256WithRSAEncryption();
+
+// e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
+mozilla::pkix::Time YMDHMS(uint16_t year, uint16_t month, uint16_t day,
+ uint16_t hour, uint16_t minutes, uint16_t seconds);
+
+ByteString TLV(uint8_t tag, size_t length, const ByteString& value);
+
+inline ByteString
+TLV(uint8_t tag, const ByteString& value)
+{
+ return TLV(tag, value.length(), value);
+}
+
+// Although we can't enforce it without relying on Cuser-defined literals,
+// which aren't supported by all of our compilers yet, you should only pass
+// string literals as the last parameter to the following two functions.
+
+template <size_t N>
+inline ByteString
+TLV(uint8_t tag, const char(&value)[N])
+{
+ static_assert(N > 0, "cannot have string literal of size 0");
+ assert(value[N - 1] == 0);
+ return TLV(tag, ByteString(reinterpret_cast<const uint8_t*>(&value), N - 1));
+}
+
+template <size_t N>
+inline ByteString
+TLV(uint8_t tag, size_t length, const char(&value)[N])
+{
+ static_assert(N > 0, "cannot have string literal of size 0");
+ assert(value[N - 1] == 0);
+ return TLV(tag, length,
+ ByteString(reinterpret_cast<const uint8_t*>(&value), N - 1));
+}
+
+ByteString Boolean(bool value);
+ByteString Integer(long value);
+
+ByteString CN(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
+
+inline ByteString
+CN(const char* value, uint8_t encodingTag = 0x0c /*UTF8String*/)
+{
+ return CN(ByteString(reinterpret_cast<const uint8_t*>(value),
+ std::strlen(value)), encodingTag);
+}
+
+ByteString OU(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
+
+inline ByteString
+OU(const char* value, uint8_t encodingTag = 0x0c /*UTF8String*/)
+{
+ return OU(ByteString(reinterpret_cast<const uint8_t*>(value),
+ std::strlen(value)), encodingTag);
+}
+
+ByteString emailAddress(const ByteString&);
+
+inline ByteString
+emailAddress(const char* value)
+{
+ return emailAddress(ByteString(reinterpret_cast<const uint8_t*>(value),
+ std::strlen(value)));
+}
+
+// RelativeDistinguishedName ::=
+// SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+ByteString RDN(const ByteString& avas);
+
+// Name ::= CHOICE { -- only one possibility for now --
+// rdnSequence RDNSequence }
+//
+// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+//
+ByteString Name(const ByteString& rdns);
+
+inline ByteString
+CNToDERName(const ByteString& cn)
+{
+ return Name(RDN(CN(cn)));
+}
+
+inline ByteString
+CNToDERName(const char* cn)
+{
+ return Name(RDN(CN(cn)));
+}
+
+// GeneralName ::= CHOICE {
+// otherName [0] OtherName,
+// rfc822Name [1] IA5String,
+// dNSName [2] IA5String,
+// x400Address [3] ORAddress,
+// directoryName [4] Name,
+// ediPartyName [5] EDIPartyName,
+// uniformResourceIdentifier [6] IA5String,
+// iPAddress [7] OCTET STRING,
+// registeredID [8] OBJECT IDENTIFIER }
+
+inline ByteString
+RFC822Name(const ByteString& name)
+{
+ // (2 << 6) means "context-specific", 1 is the GeneralName tag.
+ return TLV((2 << 6) | 1, name);
+}
+
+template <size_t L>
+inline ByteString
+RFC822Name(const char (&bytes)[L])
+{
+ return RFC822Name(ByteString(reinterpret_cast<const uint8_t*>(&bytes),
+ L - 1));
+}
+
+inline ByteString
+DNSName(const ByteString& name)
+{
+ // (2 << 6) means "context-specific", 2 is the GeneralName tag.
+ return TLV((2 << 6) | 2, name);
+}
+
+template <size_t L>
+inline ByteString
+DNSName(const char (&bytes)[L])
+{
+ return DNSName(ByteString(reinterpret_cast<const uint8_t*>(&bytes),
+ L - 1));
+}
+
+inline ByteString
+DirectoryName(const ByteString& name)
+{
+ // (2 << 6) means "context-specific", (1 << 5) means "constructed", and 4 is
+ // the DirectoryName tag.
+ return TLV((2 << 6) | (1 << 5) | 4, name);
+}
+
+inline ByteString
+IPAddress()
+{
+ // (2 << 6) means "context-specific", 7 is the GeneralName tag.
+ return TLV((2 << 6) | 7, ByteString());
+}
+
+template <size_t L>
+inline ByteString
+IPAddress(const uint8_t (&bytes)[L])
+{
+ // (2 << 6) means "context-specific", 7 is the GeneralName tag.
+ return TLV((2 << 6) | 7, ByteString(bytes, L));
+}
+
+// Names should be zero or more GeneralNames, like DNSName and IPAddress return,
+// concatenated together.
+//
+// CreatedEncodedSubjectAltName(ByteString()) results in a SAN with an empty
+// sequence. CreateEmptyEncodedSubjectName() results in a SAN without any
+// sequence.
+ByteString CreateEncodedSubjectAltName(const ByteString& names);
+ByteString CreateEncodedEmptySubjectAltName();
+
+class TestKeyPair
+{
+public:
+ virtual ~TestKeyPair() { }
+
+ const TestPublicKeyAlgorithm publicKeyAlg;
+
+ // The DER encoding of the entire SubjectPublicKeyInfo structure. This is
+ // what is encoded in certificates.
+ const ByteString subjectPublicKeyInfo;
+
+ // The DER encoding of subjectPublicKeyInfo.subjectPublicKey. This is what is
+ // hashed to create CertIDs for OCSP.
+ const ByteString subjectPublicKey;
+
+ virtual Result SignData(const ByteString& tbs,
+ const TestSignatureAlgorithm& signatureAlgorithm,
+ /*out*/ ByteString& signature) const = 0;
+
+ virtual TestKeyPair* Clone() const = 0;
+protected:
+ TestKeyPair(const TestPublicKeyAlgorithm& publicKeyAlg, const ByteString& spk);
+ TestKeyPair(const TestKeyPair&) = delete;
+ void operator=(const TestKeyPair&) = delete;
+};
+
+TestKeyPair* CloneReusedKeyPair();
+TestKeyPair* GenerateKeyPair();
+TestKeyPair* GenerateDSSKeyPair();
+inline void DeleteTestKeyPair(TestKeyPair* keyPair) { delete keyPair; }
+typedef ScopedPtr<TestKeyPair, DeleteTestKeyPair> ScopedTestKeyPair;
+
+Result TestVerifyECDSASignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo);
+Result TestVerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo);
+Result TestDigestBuf(Input item, DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf, size_t digestBufLen);
+
+// Replace one substring in item with another of the same length, but only if
+// the substring was found exactly once. The "same length" restriction is
+// useful for avoiding invalidating lengths encoded within the item. The
+// "only once" restriction is helpful for avoiding making accidental changes.
+//
+// The string to search for must be 8 or more bytes long so that it is
+// extremely unlikely that there will ever be any false positive matches
+// in digital signatures, keys, hashes, etc.
+Result TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,
+ const ByteString& to);
+
+///////////////////////////////////////////////////////////////////////////////
+// Encode Certificates
+
+enum Version { v1 = 0, v2 = 1, v3 = 2 };
+
+// signature is assumed to be the DER encoding of an AlgorithmIdentifer. It is
+// put into the signature field of the TBSCertificate. In most cases, it will
+// be the same as signatureAlgorithm, which is the algorithm actually used
+// to sign the certificate.
+// serialNumber is assumed to be the DER encoding of an INTEGER.
+//
+// If extensions is null, then no extensions will be encoded. Otherwise,
+// extensions must point to an array of ByteStrings, terminated with an empty
+// ByteString. (If the first item of the array is empty then an empty
+// Extensions sequence will be encoded.)
+ByteString CreateEncodedCertificate(long version,
+ const TestSignatureAlgorithm& signature,
+ const ByteString& serialNumber,
+ const ByteString& issuerNameDER,
+ time_t notBefore, time_t notAfter,
+ const ByteString& subjectNameDER,
+ const TestKeyPair& subjectKeyPair,
+ /*optional*/ const ByteString* extensions,
+ const TestKeyPair& issuerKeyPair,
+ const TestSignatureAlgorithm& signatureAlgorithm);
+
+ByteString CreateEncodedSerialNumber(long value);
+
+enum class Critical { No = 0, Yes = 1 };
+
+ByteString CreateEncodedBasicConstraints(bool isCA,
+ /*optional*/ long* pathLenConstraint,
+ Critical critical);
+
+// Creates a DER-encoded extKeyUsage extension with one EKU OID.
+ByteString CreateEncodedEKUExtension(Input eku, Critical critical);
+
+///////////////////////////////////////////////////////////////////////////////
+// Encode OCSP responses
+
+class OCSPResponseExtension final
+{
+public:
+ OCSPResponseExtension();
+
+ ByteString id;
+ bool critical;
+ ByteString value;
+ OCSPResponseExtension* next;
+};
+
+class OCSPResponseContext final
+{
+public:
+ OCSPResponseContext(const CertID& certID, std::time_t time);
+
+ const CertID& certID;
+ // TODO(bug 980538): add a way to specify what certificates are included.
+
+ // The fields below are in the order that they appear in an OCSP response.
+
+ enum OCSPResponseStatus
+ {
+ successful = 0,
+ malformedRequest = 1,
+ internalError = 2,
+ tryLater = 3,
+ // 4 is not used
+ sigRequired = 5,
+ unauthorized = 6,
+ };
+ uint8_t responseStatus; // an OCSPResponseStatus or an invalid value
+ bool skipResponseBytes; // If true, don't include responseBytes
+
+ // responderID
+ ByteString signerNameDER; // If set, responderID will use the byName
+ // form; otherwise responderID will use the
+ // byKeyHash form.
+
+ std::time_t producedAt;
+
+ // SingleResponse extensions (for the certID given in the constructor).
+ OCSPResponseExtension* singleExtensions;
+ // ResponseData extensions.
+ OCSPResponseExtension* responseExtensions;
+ bool includeEmptyExtensions; // If true, include the extension wrapper
+ // regardless of if there are any actual
+ // extensions.
+ ScopedTestKeyPair signerKeyPair;
+ TestSignatureAlgorithm signatureAlgorithm;
+ bool badSignature; // If true, alter the signature to fail verification
+ const ByteString* certs; // optional; array terminated by an empty string
+
+ // The following fields are on a per-SingleResponse basis. In the future we
+ // may support including multiple SingleResponses per response.
+ enum CertStatus
+ {
+ good = 0,
+ revoked = 1,
+ unknown = 2,
+ };
+ uint8_t certStatus; // CertStatus or an invalid value
+ std::time_t revocationTime; // For certStatus == revoked
+ std::time_t thisUpdate;
+ std::time_t nextUpdate;
+ bool includeNextUpdate;
+};
+
+ByteString CreateEncodedOCSPResponse(OCSPResponseContext& context);
+
+} } } // namespace mozilla::pkix::test
+
+#endif // mozilla_pkix_test_pkixtestutils_h
diff --git a/security/pkix/tools/DottedOIDToCode.py b/security/pkix/tools/DottedOIDToCode.py
new file mode 100644
index 000000000..b8eb88d83
--- /dev/null
+++ b/security/pkix/tools/DottedOIDToCode.py
@@ -0,0 +1,210 @@
+# This code is made available to you under your choice of the following sets
+# of licensing terms:
+###############################################################################
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+###############################################################################
+# Copyright 2013 Mozilla Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import print_function
+import argparse
+import itertools
+import sys
+
+def base128(value):
+ """
+ Given an integral value, returns an array of the base-128 representation
+ of that value, with all but the last byte having the high bit set as
+ required by the DER rules for the nodes of an OID after the first two
+ bytes.
+
+ >>> base128(1)
+ [1]
+ >>> base128(10045)
+ [206, 61]
+ """
+
+ if value < 0:
+ raise ValueError("An OID must have only positive-value nodes.")
+
+ # least significant byte has highest bit unset
+ result = [value % 0x80]
+ value /= 0x80
+
+ while value != 0:
+ result = [0x80 | (value % 0x80)] + result
+ value /= 0x80
+
+ return result
+
+def dottedOIDToEncodedArray(dottedOID):
+ """
+ Takes a dotted OID string (e.g. '1.2.840.10045.4.3.4') as input, and
+ returns an array that contains the DER encoding of its value, without
+ the tag and length (e.g. [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04]).
+ """
+ nodes = [int(x) for x in dottedOID.strip().split(".")]
+ if len(nodes) < 2:
+ raise ValueError("An OID must have at least two nodes.")
+ if not (0 <= nodes[0] <= 2):
+ raise ValueError("The first node of an OID must be 0, 1, or 2.")
+ if not (0 <= nodes[1] <= 39):
+ # XXX: Does this restriction apply when the first part is 2?
+ raise ValueError("The second node of an OID must be 0-39.")
+ firstByte = (40 * nodes[0]) + nodes[1]
+ restBase128 = [base128(x) for x in nodes[2:]]
+ return [firstByte] + list(itertools.chain.from_iterable(restBase128))
+
+def dottedOIDToCArray(dottedOID, mode):
+ """
+ Takes a dotted OID string (e.g. '1.2.840.10045.4.3.4') as input, and
+ returns a string that contains the hex encoding of the OID in C++ literal
+ notation, e.g. '0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04'.
+ """
+ bytes = dottedOIDToEncodedArray(dottedOID)
+
+ if mode != "value" and mode != "prefixdefine":
+ bytes = [0x06, len(bytes)] + bytes
+
+ if mode == "alg":
+ # Wrap the DER-encoded OID in a SEQUENCE to create an
+ # AlgorithmIdentifier with no parameters.
+ bytes = [0x30, len(bytes)] + bytes
+
+ return ", ".join(["0x%.2x" % b for b in bytes])
+
+def specNameToCName(specName):
+ """
+ Given an string containing an ASN.1 name, returns a string that is a valid
+ C++ identifier that is as similar to that name as possible. Since most
+ ASN.1 identifiers used in PKIX specifications are legal C++ names except
+ for containing hyphens, this function just converts the hyphens to
+ underscores. This may need to be improved in the future if we encounter
+ names with other funny characters.
+ """
+ return specName.replace("-", "_")
+
+def toCode(programName, specName, dottedOID, mode):
+ """
+ Given an ASN.1 name and a string containing the dotted representation of an
+ OID, returns a string that contains a C++ declaration for a named constant
+ that contains that OID value. If mode is "value" then only the value of
+ the OID (without the tag or length) will be included in the output. If mode
+ is "tlv" then the value will be prefixed with the tag and length. If mode
+ is "alg" then the value will be a complete der-encoded AlgorithmIdentifier
+ with no parameters.
+
+ This:
+
+ toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+ "value")
+
+ would result in a string like:
+
+ // python DottedOIDToCode.py ecdsa-with-SHA512 1.2.840.10045.4.3.4
+ static const uint8_t ecdsa_with_SHA512[] = {
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+ };
+
+ This:
+
+ toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+ "tlv")
+
+ would result in a string like:
+
+ // python DottedOIDToCode.py --tlv ecdsa-with-SHA512 1.2.840.10045.4.3.4
+ static const uint8_t tlv_ecdsa_with_SHA512[] = {
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+ };
+
+ This:
+
+ toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+ "alg")
+
+ would result in a string like:
+
+ // python DottedOIDToCode.py --alg ecdsa-with-SHA512 1.2.840.10045.4.3.4
+ static const uint8_t alg_ecdsa_with_SHA512[] = {
+ 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+ };
+
+ This:
+
+ toCode("DottedOIDToCode.py", "PREFIX_1_2_840_10045", "1.2.840.10045",
+ "prefixdefine")
+
+ would result in a string like this (note the lack of indention):
+
+ // python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10045 1.2.840.10045
+ #define PREFIX_1_2_840_10045 0x2a, 0x86, 0x48, 0xce, 0x3d
+ """
+ programNameWithOptions = programName
+
+ if mode == "prefixdefine":
+ programNameWithOptions += " --prefixdefine"
+ varName = specName
+ return ("// python %s %s %s\n" +
+ "#define %s %s\n") % (programNameWithOptions, specName,
+ dottedOID, varName,
+ dottedOIDToCArray(dottedOID, mode))
+
+ varName = specNameToCName(specName)
+ if mode == "tlv":
+ programNameWithOptions += " --tlv"
+ varName = "tlv_" + varName
+ elif mode == "alg":
+ programNameWithOptions += " --alg"
+ varName = "alg_" + varName
+ elif mode == "prefixdefine":
+ programNameWithOptions += " --alg"
+ varName = varName
+
+ return (" // python %s %s %s\n" +
+ " static const uint8_t %s[] = {\n" +
+ " %s\n" +
+ " };\n") % (programNameWithOptions, specName, dottedOID, varName,
+ dottedOIDToCArray(dottedOID, mode))
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(
+ description="Generate code snippets to handle OIDs in C++",
+ epilog="example: python %s ecdsa-with-SHA1 1.2.840.10045.4.1"
+ % sys.argv[0])
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument("--tlv", action='store_true',
+ help="Wrap the encoded OID value with the tag and length")
+ group.add_argument("--alg", action='store_true',
+ help="Wrap the encoded OID value in an encoded SignatureAlgorithm")
+ group.add_argument("--prefixdefine", action='store_true',
+ help="generate a OID prefix #define")
+ parser.add_argument("name",
+ help="The name given to the OID in the specification")
+ parser.add_argument("dottedOID", metavar="dotted-oid",
+ help="The OID value, in dotted notation")
+
+ args = parser.parse_args()
+ if args.alg:
+ mode = 'alg'
+ elif args.tlv:
+ mode = 'tlv'
+ elif args.prefixdefine:
+ mode = 'prefixdefine'
+ else:
+ mode = 'value'
+
+ print(toCode(sys.argv[0], args.name, args.dottedOID, mode))
diff --git a/security/pkix/warnings.mozbuild b/security/pkix/warnings.mozbuild
new file mode 100644
index 000000000..3fdc10bd7
--- /dev/null
+++ b/security/pkix/warnings.mozbuild
@@ -0,0 +1,41 @@
+if CONFIG['CLANG_CXX']:
+ CXXFLAGS += [
+ '-Weverything',
+
+ '-Wno-c++98-compat',
+ '-Wno-c++98-compat-pedantic',
+ '-Wno-missing-prototypes',
+ '-Wno-missing-variable-declarations',
+ '-Wno-padded',
+ '-Wno-reserved-id-macro', # NSPR and NSS use reserved IDs in their include guards.
+ '-Wno-shadow', # XXX: Clang's rules are too strict for constructors.
+ '-Wno-weak-vtables', # We rely on the linker to merge the duplicate vtables.
+ ]
+elif CONFIG['_MSC_VER']:
+ CXXFLAGS += [
+ '-sdl', # Enable additional security checks based on Microsoft's SDL.
+
+ '-Wall',
+
+ '-wd4464', # relative include path contains '..'
+ '-wd4514', # 'function': unreferenced inline function has been removed
+ '-wd4668', # warning C4668: 'X' is not defined as a preprocessor macro,
+ # replacing with '0' for '#if/#elif'.
+ '-wd4710', # 'function': function not inlined
+ '-wd4711', # function 'function' selected for inline expansion
+ '-wd4800', # forcing value to bool 'true' or 'false'
+ '-wd4820', # 'bytes' bytes padding added after construct 'member_name'
+
+ # XXX: We cannot use /Za (Disable Microsoft Extensions) because windows.h
+ # won't copmile with it.
+ '-Zc:forScope', # Standard C++ rules for variable scope in for loops.
+ '-Zc:inline', # Standard C++ rules requiring definition inline functions.
+ '-Zc:rvalueCast', # Standard C++ rules for result of cast being an rvalue.
+ '-Zc:strictStrings', # Standard C++ rule that string literals are const.
+ ]
+else:
+ CXXFLAGS += [
+ '-Wall',
+ '-Wextra',
+ '-pedantic-errors',
+ ]