| /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ |
| /* vim: set ts=4 et sw=4 tw=80: */ |
| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this file, |
| * You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
| #include <string.h> |
| |
| #include "nss.h" |
| #include "pk11pub.h" |
| #include "prenv.h" |
| #include "prerror.h" |
| #include "secmod.h" |
| |
| #include "gtest/gtest.h" |
| #include "nss_scoped_ptrs.h" |
| #include "util.h" |
| |
| namespace nss_test { |
| |
| // These test certificates were generated using pycert/pykey from |
| // mozilla-central (https://hg.mozilla.org/mozilla-central/file/ ... |
| // 9968319230a74eb8c1953444a0e6973c7500a9f8/security/manager/ssl/ ... |
| // tests/unit/pycert.py). |
| |
| // issuer:test cert |
| // subject:test cert |
| // issuerKey:secp256r1 |
| // subjectKey:secp256r1 |
| // serialNumber:1 |
| const std::vector<uint8_t> kTestCert1DER = { |
| 0x30, 0x82, 0x01, 0x1D, 0x30, 0x81, 0xC2, 0xA0, 0x03, 0x02, 0x01, 0x02, |
| 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, |
| 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, |
| 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, |
| 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, |
| 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, |
| 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, |
| 0x30, 0x30, 0x30, 0x5A, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, |
| 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, 0x63, 0x65, |
| 0x72, 0x74, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, |
| 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, |
| 0x07, 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, 0xBB, 0x61, 0xE0, 0xF8, |
| 0xF9, 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, 0xE2, 0xEC, 0x05, 0x0B, |
| 0x42, 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, 0x4F, 0x79, 0x4B, 0x45, |
| 0x5C, 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, 0xC4, 0x11, 0x9D, 0x07, |
| 0x06, 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, 0xD7, 0x99, 0x1B, 0x7B, |
| 0x2D, 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, 0xC0, 0x30, 0x0D, 0x06, |
| 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, |
| 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x5C, 0x75, 0x51, 0x9F, 0x13, |
| 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, 0xBC, 0x06, 0x30, 0x91, |
| 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, 0xFD, 0xCB, 0x42, 0x80, |
| 0x0A, 0x70, 0xE6, 0x02, 0x20, 0x11, 0xFA, 0xA2, 0xCA, 0x06, 0xF3, 0xBC, |
| 0x5F, 0x8A, 0xCA, 0x17, 0x63, 0x36, 0x87, 0xCF, 0x8D, 0x5C, 0xA0, 0x56, |
| 0x84, 0x44, 0x61, 0xB2, 0x33, 0x42, 0x07, 0x58, 0x9F, 0x0C, 0x9E, 0x49, |
| 0x83, |
| }; |
| |
| // issuer:test cert |
| // subject:test cert |
| // issuerKey:secp256r1 |
| // subjectKey:secp256r1 |
| // serialNumber:2 |
| const std::vector<uint8_t> kTestCert2DER = { |
| 0x30, 0x82, 0x01, 0x1E, 0x30, 0x81, 0xC2, 0xA0, 0x03, 0x02, 0x01, 0x02, |
| 0x02, 0x01, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, |
| 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, |
| 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, |
| 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, |
| 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, |
| 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, |
| 0x30, 0x30, 0x30, 0x5A, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, |
| 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, 0x63, 0x65, |
| 0x72, 0x74, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, |
| 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, |
| 0x07, 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, 0xBB, 0x61, 0xE0, 0xF8, |
| 0xF9, 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, 0xE2, 0xEC, 0x05, 0x0B, |
| 0x42, 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, 0x4F, 0x79, 0x4B, 0x45, |
| 0x5C, 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, 0xC4, 0x11, 0x9D, 0x07, |
| 0x06, 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, 0xD7, 0x99, 0x1B, 0x7B, |
| 0x2D, 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, 0xC0, 0x30, 0x0D, 0x06, |
| 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, |
| 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x5C, 0x75, 0x51, 0x9F, 0x13, |
| 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, 0xBC, 0x06, 0x30, 0x91, |
| 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, 0xFD, 0xCB, 0x42, 0x80, |
| 0x0A, 0x70, 0xE6, 0x02, 0x21, 0x00, 0xF6, 0x5E, 0x42, 0xC7, 0x54, 0x40, |
| 0x81, 0xE9, 0x4C, 0x16, 0x48, 0xB1, 0x39, 0x0A, 0xA0, 0xE2, 0x8C, 0x23, |
| 0xAA, 0xC5, 0xBB, 0xAC, 0xEB, 0x9B, 0x15, 0x0B, 0x2F, 0xB7, 0xF5, 0x85, |
| 0xB2, 0x54, |
| }; |
| |
| const std::vector<uint8_t> kTestCertSubjectDER = { |
| 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, |
| 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, 0x63, 0x65, 0x72, 0x74, |
| }; |
| |
| // issuer:test cert |
| // subject:unrelated subject DN |
| // issuerKey:secp256r1 |
| // subjectKey:secp256r1 |
| // serialNumber:3 |
| const std::vector<uint8_t> kUnrelatedTestCertDER = { |
| 0x30, 0x82, 0x01, 0x28, 0x30, 0x81, 0xCD, 0xA0, 0x03, 0x02, 0x01, 0x02, |
| 0x02, 0x01, 0x03, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, |
| 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, |
| 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, |
| 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, |
| 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, |
| 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, |
| 0x30, 0x30, 0x30, 0x5A, 0x30, 0x1F, 0x31, 0x1D, 0x30, 0x1B, 0x06, 0x03, |
| 0x55, 0x04, 0x03, 0x0C, 0x14, 0x75, 0x6E, 0x72, 0x65, 0x6C, 0x61, 0x74, |
| 0x65, 0x64, 0x20, 0x73, 0x75, 0x62, 0x6A, 0x65, 0x63, 0x74, 0x20, 0x44, |
| 0x4E, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, |
| 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, |
| 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, 0xBB, 0x61, 0xE0, 0xF8, 0xF9, |
| 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, 0xE2, 0xEC, 0x05, 0x0B, 0x42, |
| 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, 0x4F, 0x79, 0x4B, 0x45, 0x5C, |
| 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, 0xC4, 0x11, 0x9D, 0x07, 0x06, |
| 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, 0xD7, 0x99, 0x1B, 0x7B, 0x2D, |
| 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, 0xC0, 0x30, 0x0D, 0x06, 0x09, |
| 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, |
| 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x5C, 0x75, 0x51, 0x9F, 0x13, 0x11, |
| 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, 0xBC, 0x06, 0x30, 0x91, 0xFF, |
| 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, 0xFD, 0xCB, 0x42, 0x80, 0x0A, |
| 0x70, 0xE6, 0x02, 0x20, 0x0F, 0x1A, 0x04, 0xC2, 0xF8, 0xBA, 0xC2, 0x94, |
| 0x26, 0x6E, 0xBC, 0x91, 0x7D, 0xDB, 0x75, 0x7B, 0xE8, 0xA3, 0x4F, 0x69, |
| 0x1B, 0xF3, 0x1F, 0x2C, 0xCE, 0x82, 0x67, 0xC9, 0x5B, 0xBB, 0xBA, 0x0A, |
| }; |
| |
| class PK11FindCertsTestBase : public ::testing::Test { |
| protected: |
| PK11FindCertsTestBase() |
| : m_slot(nullptr), test_cert_db_dir_("PK11FindCertsTestBase-") {} |
| |
| virtual void SetUp() { |
| std::string test_cert_db_path(test_cert_db_dir_.GetPath()); |
| const char* test_name = |
| ::testing::UnitTest::GetInstance()->current_test_info()->name(); |
| std::string mod_spec = "configDir='sql:"; |
| mod_spec.append(test_cert_db_path); |
| mod_spec.append("' tokenDescription='"); |
| mod_spec.append(test_name); |
| mod_spec.append("'"); |
| m_slot = SECMOD_OpenUserDB(mod_spec.c_str()); |
| ASSERT_NE(nullptr, m_slot); |
| } |
| |
| virtual void TearDown() { |
| ASSERT_EQ(SECSuccess, SECMOD_CloseUserDB(m_slot)); |
| PK11_FreeSlot(m_slot); |
| std::string test_cert_db_path(test_cert_db_dir_.GetPath()); |
| ASSERT_EQ(0, unlink((test_cert_db_path + "/cert9.db").c_str())); |
| ASSERT_EQ(0, unlink((test_cert_db_path + "/key4.db").c_str())); |
| } |
| |
| PK11SlotInfo* m_slot; |
| ScopedUniqueDirectory test_cert_db_dir_; |
| }; |
| |
| class PK11FindRawCertsBySubjectTest : public PK11FindCertsTestBase {}; |
| |
| TEST_F(PK11FindCertsTestBase, CertAddListWithData) { |
| ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); |
| ASSERT_TRUE(slot); |
| SECItem cert1_item = {siBuffer, const_cast<uint8_t*>(kTestCert1DER.data()), |
| (unsigned int)kTestCert1DER.size()}; |
| SECItem cert2_item = {siBuffer, const_cast<uint8_t*>(kTestCert2DER.data()), |
| (unsigned int)kTestCert2DER.size()}; |
| |
| // Make certificates. ScopedCERTCertList will own. |
| ScopedCERTCertList list(CERT_NewCertList()); |
| ASSERT_TRUE(list); |
| CERTCertificate* cert1 = CERT_NewTempCertificate( |
| CERT_GetDefaultCertDB(), &cert1_item, nullptr, false, false); |
| CERTCertificate* cert2 = CERT_NewTempCertificate( |
| CERT_GetDefaultCertDB(), &cert2_item, nullptr, false, false); |
| ASSERT_NE(nullptr, cert1); |
| ASSERT_NE(nullptr, cert2); |
| ASSERT_NE(cert1, cert2); |
| |
| SECStatus rv = CERT_AddCertToListHeadWithData(list.get(), cert1, cert1); |
| EXPECT_EQ(SECSuccess, rv); |
| rv = CERT_AddCertToListTailWithData(list.get(), cert2, cert2); |
| EXPECT_EQ(SECSuccess, rv); |
| |
| CERTCertListNode* node = CERT_LIST_HEAD(list.get()); |
| ASSERT_NE(nullptr, node); |
| EXPECT_EQ(node->cert, cert1); |
| EXPECT_EQ(node->appData, cert1); |
| |
| node = CERT_LIST_TAIL(list.get()); |
| ASSERT_NE(nullptr, node); |
| EXPECT_EQ(node->cert, cert2); |
| EXPECT_EQ(node->appData, cert2); |
| } |
| |
| // If we don't have any certificates, we shouldn't get any when we search for |
| // them. |
| TEST_F(PK11FindRawCertsBySubjectTest, TestNoCertsImportedNoCertsFound) { |
| SECItem subject_item = { |
| siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), |
| (unsigned int)kTestCertSubjectDER.size()}; |
| CERTCertificateList* certificates = nullptr; |
| SECStatus rv = |
| PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); |
| EXPECT_EQ(SECSuccess, rv); |
| EXPECT_EQ(nullptr, certificates); |
| } |
| |
| // If we have one certificate but it has an unrelated subject DN, we shouldn't |
| // get it when we search. |
| TEST_F(PK11FindRawCertsBySubjectTest, TestOneCertImportedNoCertsFound) { |
| char cert_nickname[] = "Unrelated Cert"; |
| SECItem cert_item = {siBuffer, |
| const_cast<unsigned char*>(kUnrelatedTestCertDER.data()), |
| (unsigned int)kUnrelatedTestCertDER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, |
| cert_nickname, false)); |
| |
| SECItem subject_item = { |
| siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), |
| (unsigned int)kTestCertSubjectDER.size()}; |
| CERTCertificateList* certificates = nullptr; |
| SECStatus rv = |
| PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); |
| EXPECT_EQ(SECSuccess, rv); |
| EXPECT_EQ(nullptr, certificates); |
| } |
| |
| TEST_F(PK11FindRawCertsBySubjectTest, TestMultipleMatchingCertsFound) { |
| char cert1_nickname[] = "Test Cert 1"; |
| SECItem cert1_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert1DER.data()), |
| (unsigned int)kTestCert1DER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, |
| cert1_nickname, false)); |
| char cert2_nickname[] = "Test Cert 2"; |
| SECItem cert2_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert2DER.data()), |
| (unsigned int)kTestCert2DER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert2_item, CK_INVALID_HANDLE, |
| cert2_nickname, false)); |
| char unrelated_cert_nickname[] = "Unrelated Test Cert"; |
| SECItem unrelated_cert_item = { |
| siBuffer, const_cast<unsigned char*>(kUnrelatedTestCertDER.data()), |
| (unsigned int)kUnrelatedTestCertDER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &unrelated_cert_item, CK_INVALID_HANDLE, |
| unrelated_cert_nickname, false)); |
| |
| CERTCertificateList* certificates = nullptr; |
| SECItem subject_item = { |
| siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), |
| (unsigned int)kTestCertSubjectDER.size()}; |
| SECStatus rv = |
| PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); |
| EXPECT_EQ(SECSuccess, rv); |
| ASSERT_NE(nullptr, certificates); |
| ScopedCERTCertificateList scoped_certificates(certificates); |
| ASSERT_EQ(2, scoped_certificates->len); |
| |
| std::vector<uint8_t> found_cert1( |
| scoped_certificates->certs[0].data, |
| scoped_certificates->certs[0].data + scoped_certificates->certs[0].len); |
| std::vector<uint8_t> found_cert2( |
| scoped_certificates->certs[1].data, |
| scoped_certificates->certs[1].data + scoped_certificates->certs[1].len); |
| EXPECT_TRUE(found_cert1 == kTestCert1DER || found_cert1 == kTestCert2DER); |
| EXPECT_TRUE(found_cert2 == kTestCert1DER || found_cert2 == kTestCert2DER); |
| EXPECT_TRUE(found_cert1 != found_cert2); |
| } |
| |
| // If we try to search the internal slots, we won't find the certificate we just |
| // imported (because it's on a different slot). |
| TEST_F(PK11FindRawCertsBySubjectTest, TestNoCertsOnInternalSlots) { |
| char cert1_nickname[] = "Test Cert 1"; |
| SECItem cert1_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert1DER.data()), |
| (unsigned int)kTestCert1DER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, |
| cert1_nickname, false)); |
| |
| SECItem subject_item = { |
| siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), |
| (unsigned int)kTestCertSubjectDER.size()}; |
| CERTCertificateList* internal_key_slot_certificates = nullptr; |
| ScopedPK11SlotInfo internal_key_slot(PK11_GetInternalKeySlot()); |
| SECStatus rv = PK11_FindRawCertsWithSubject( |
| internal_key_slot.get(), &subject_item, &internal_key_slot_certificates); |
| EXPECT_EQ(SECSuccess, rv); |
| EXPECT_EQ(nullptr, internal_key_slot_certificates); |
| |
| CERTCertificateList* internal_slot_certificates = nullptr; |
| ScopedPK11SlotInfo internal_slot(PK11_GetInternalSlot()); |
| rv = PK11_FindRawCertsWithSubject(internal_slot.get(), &subject_item, |
| &internal_slot_certificates); |
| EXPECT_EQ(SECSuccess, rv); |
| EXPECT_EQ(nullptr, internal_slot_certificates); |
| } |
| |
| // issuer:test cert |
| // subject:(empty - this had to be done by hand as pycert doesn't support this) |
| // issuerKey:secp256r1 |
| // subjectKey:secp256r1 |
| // serialNumber:4 |
| const std::vector<uint8_t> kEmptySubjectCertDER = { |
| 0x30, 0x82, 0x01, 0x09, 0x30, 0x81, 0xAE, 0xA0, 0x03, 0x02, 0x01, 0x02, |
| 0x02, 0x01, 0x04, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, |
| 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, |
| 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, |
| 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, |
| 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, |
| 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, |
| 0x30, 0x30, 0x30, 0x5A, 0x30, 0x00, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, |
| 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, |
| 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, |
| 0xBB, 0x61, 0xE0, 0xF8, 0xF9, 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, |
| 0xE2, 0xEC, 0x05, 0x0B, 0x42, 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, |
| 0x4F, 0x79, 0x4B, 0x45, 0x5C, 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, |
| 0xC4, 0x11, 0x9D, 0x07, 0x06, 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, |
| 0xD7, 0x99, 0x1B, 0x7B, 0x2D, 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, |
| 0xC0, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, |
| 0x01, 0x0B, 0x05, 0x00, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x5C, |
| 0x75, 0x51, 0x9F, 0x13, 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, |
| 0xBC, 0x06, 0x30, 0x91, 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, |
| 0xFD, 0xCB, 0x42, 0x80, 0x0A, 0x70, 0xE6, 0x02, 0x20, 0x31, 0x1B, 0x92, |
| 0xAA, 0xA8, 0xB7, 0x51, 0x52, 0x7B, 0x64, 0xD6, 0xF7, 0x2F, 0x0C, 0xFB, |
| 0xBB, 0xD5, 0xDF, 0x86, 0xA3, 0x97, 0x96, 0x60, 0x42, 0xDA, 0xD4, 0xA8, |
| 0x5F, 0x2F, 0xA4, 0xDE, 0x7C}; |
| |
| std::vector<uint8_t> kEmptySubjectDER = {0x30, 0x00}; |
| |
| // This certificate has the smallest possible subject. Finding it should work. |
| TEST_F(PK11FindRawCertsBySubjectTest, TestFindEmptySubject) { |
| char empty_subject_cert_nickname[] = "Empty Subject Cert"; |
| SECItem empty_subject_cert_item = { |
| siBuffer, const_cast<unsigned char*>(kEmptySubjectCertDER.data()), |
| (unsigned int)kEmptySubjectCertDER.size()}; |
| ASSERT_EQ(SECSuccess, PK11_ImportDERCert(m_slot, &empty_subject_cert_item, |
| CK_INVALID_HANDLE, |
| empty_subject_cert_nickname, false)); |
| |
| SECItem subject_item = {siBuffer, |
| const_cast<unsigned char*>(kEmptySubjectDER.data()), |
| (unsigned int)kEmptySubjectDER.size()}; |
| CERTCertificateList* certificates = nullptr; |
| SECStatus rv = |
| PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); |
| EXPECT_EQ(SECSuccess, rv); |
| ASSERT_NE(nullptr, certificates); |
| ScopedCERTCertificateList scoped_certificates(certificates); |
| ASSERT_EQ(1, scoped_certificates->len); |
| |
| std::vector<uint8_t> found_cert( |
| scoped_certificates->certs[0].data, |
| scoped_certificates->certs[0].data + scoped_certificates->certs[0].len); |
| EXPECT_EQ(kEmptySubjectCertDER, found_cert); |
| } |
| |
| // Searching for a zero-length subject doesn't make sense (the minimum subject |
| // is the SEQUENCE tag followed by a length byte of 0), but it shouldn't cause |
| // problems. |
| TEST_F(PK11FindRawCertsBySubjectTest, TestSearchForNullSubject) { |
| char cert1_nickname[] = "Test Cert 1"; |
| SECItem cert1_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert1DER.data()), |
| (unsigned int)kTestCert1DER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, |
| cert1_nickname, false)); |
| |
| SECItem subject_item = {siBuffer, nullptr, 0}; |
| CERTCertificateList* certificates = nullptr; |
| SECStatus rv = |
| PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); |
| EXPECT_EQ(SECSuccess, rv); |
| EXPECT_EQ(nullptr, certificates); |
| } |
| |
| class PK11GetCertsMatchingPrivateKeyTest : public PK11FindCertsTestBase {}; |
| |
| // This is the private secp256r1 key corresponding to the above test |
| // certificates. |
| const std::vector<uint8_t> kTestPrivateKeyInfoDER = { |
| 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, |
| 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, |
| 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, |
| 0x21, 0x91, 0x40, 0x3d, 0x57, 0x10, 0xbf, 0x15, 0xa2, 0x65, 0x81, 0x8c, |
| 0xd4, 0x2e, 0xd6, 0xfe, 0xdf, 0x09, 0xad, 0xd9, 0x2d, 0x78, 0xb1, 0x8e, |
| 0x7a, 0x1e, 0x9f, 0xeb, 0x95, 0x52, 0x47, 0x02, 0xa1, 0x44, 0x03, 0x42, |
| 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, |
| 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, |
| 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, |
| 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, |
| 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, |
| 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, |
| }; |
| |
| // issuer:test cert (different key) |
| // subject:test cert (different key) |
| // issuerKey:secp256k1 |
| // subjectKey:secp256k1 |
| // serialNumber:1 |
| const std::vector<uint8_t> kTestCertWithOtherKeyDER = { |
| 0x30, 0x82, 0x01, 0x3a, 0x30, 0x81, 0xdf, 0xa0, 0x03, 0x02, 0x01, 0x02, |
| 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, |
| 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x24, 0x31, 0x22, 0x30, 0x20, |
| 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, 0x74, 0x65, 0x73, 0x74, 0x20, |
| 0x63, 0x65, 0x72, 0x74, 0x20, 0x28, 0x64, 0x69, 0x66, 0x66, 0x65, 0x72, |
| 0x65, 0x6e, 0x74, 0x20, 0x6b, 0x65, 0x79, 0x29, 0x30, 0x22, 0x18, 0x0f, |
| 0x32, 0x30, 0x31, 0x37, 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, |
| 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, |
| 0x35, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x24, 0x31, 0x22, |
| 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, 0x74, 0x65, 0x73, |
| 0x74, 0x20, 0x63, 0x65, 0x72, 0x74, 0x20, 0x28, 0x64, 0x69, 0x66, 0x66, |
| 0x65, 0x72, 0x65, 0x6e, 0x74, 0x20, 0x6b, 0x65, 0x79, 0x29, 0x30, 0x56, |
| 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, |
| 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a, 0x03, 0x42, 0x00, 0x04, 0x35, 0xee, |
| 0x7c, 0x72, 0x89, 0xd8, 0xfe, 0xf7, 0xa8, 0x6a, 0xfe, 0x5d, 0xa6, 0x6d, |
| 0x8b, 0xc2, 0xeb, 0xb6, 0xa8, 0x54, 0x3f, 0xd2, 0xfe, 0xad, 0x08, 0x9f, |
| 0x45, 0xce, 0x7a, 0xcd, 0x0f, 0xa6, 0x43, 0x82, 0xa9, 0x50, 0x0c, 0x41, |
| 0xda, 0xd7, 0x70, 0xff, 0xd4, 0xb5, 0x11, 0xbf, 0x4b, 0x49, 0x2e, 0xb1, |
| 0x23, 0x88, 0x00, 0xc3, 0x2c, 0x4f, 0x76, 0xc7, 0x3a, 0x3f, 0x32, 0x94, |
| 0xe7, 0xc5, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, |
| 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, |
| 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, 0xd1, 0x16, 0x4e, |
| 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77, 0x5c, 0x93, 0x60, |
| 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02, 0x20, 0x1e, 0xa0, |
| 0x7b, 0xee, 0x90, 0x9b, 0x5f, 0x2c, 0x49, 0xd6, 0x61, 0xda, 0x31, 0x14, |
| 0xb1, 0xa4, 0x0d, 0x2d, 0x90, 0x2b, 0x70, 0xd8, 0x6b, 0x07, 0x64, 0x27, |
| 0xa5, 0x2e, 0xfe, 0xca, 0x6e, 0xe6, |
| }; |
| |
| // If there are no certs at all, we'll get back a null list. |
| TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestNoCertsAtAll) { |
| SECItem private_key_info = { |
| siBuffer, const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), |
| (unsigned int)kTestPrivateKeyInfoDER.size(), |
| }; |
| SECKEYPrivateKey* priv_key = nullptr; |
| ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( |
| m_slot, &private_key_info, nullptr, nullptr, false, |
| false, KU_ALL, &priv_key, nullptr)); |
| ASSERT_NE(nullptr, priv_key); |
| ScopedSECKEYPrivateKey scoped_priv_key(priv_key); |
| ScopedCERTCertList certs( |
| PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); |
| ASSERT_TRUE(CERT_LIST_EMPTY(certs)); |
| } |
| |
| // If there are no certs for the private key, we'll get back a null list. |
| TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestNoCertsForKey) { |
| SECItem private_key_info = { |
| siBuffer, const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), |
| (unsigned int)kTestPrivateKeyInfoDER.size(), |
| }; |
| SECKEYPrivateKey* priv_key = nullptr; |
| ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( |
| m_slot, &private_key_info, nullptr, nullptr, false, |
| false, KU_ALL, &priv_key, nullptr)); |
| ASSERT_NE(nullptr, priv_key); |
| ScopedSECKEYPrivateKey scoped_priv_key(priv_key); |
| |
| char cert_nickname[] = "Test Cert With Other Key"; |
| SECItem cert_item = { |
| siBuffer, const_cast<unsigned char*>(kTestCertWithOtherKeyDER.data()), |
| (unsigned int)kTestCertWithOtherKeyDER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, |
| cert_nickname, false)); |
| |
| ScopedCERTCertList certs( |
| PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); |
| ASSERT_TRUE(CERT_LIST_EMPTY(certs)); |
| } |
| |
| void CheckCertListForSubjects( |
| ScopedCERTCertList& list, |
| const std::vector<const char*>& expected_subjects) { |
| ASSERT_NE(nullptr, list.get()); |
| ASSERT_NE(0ul, expected_subjects.size()); |
| for (const auto& expected_subject : expected_subjects) { |
| size_t list_length = 0; |
| bool found = false; |
| for (CERTCertListNode* n = CERT_LIST_HEAD(list); !CERT_LIST_END(n, list); |
| n = CERT_LIST_NEXT(n)) { |
| list_length++; |
| if (strcmp(n->cert->subjectName, expected_subject) == 0) { |
| ASSERT_FALSE(found); |
| found = true; |
| } |
| } |
| ASSERT_TRUE(found); |
| ASSERT_EQ(expected_subjects.size(), list_length); |
| } |
| } |
| |
| // We should only get back certs that actually match the private key. |
| TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestOneCertForKey) { |
| SECItem private_key_info = { |
| siBuffer, const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), |
| (unsigned int)kTestPrivateKeyInfoDER.size(), |
| }; |
| SECKEYPrivateKey* priv_key = nullptr; |
| ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( |
| m_slot, &private_key_info, nullptr, nullptr, false, |
| false, KU_ALL, &priv_key, nullptr)); |
| ASSERT_NE(nullptr, priv_key); |
| ScopedSECKEYPrivateKey scoped_priv_key(priv_key); |
| |
| char cert1_nickname[] = "Test Cert 1"; |
| SECItem cert1_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert1DER.data()), |
| (unsigned int)kTestCert1DER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, |
| cert1_nickname, false)); |
| |
| char cert_nickname[] = "Test Cert With Other Key"; |
| SECItem cert_item = { |
| siBuffer, const_cast<unsigned char*>(kTestCertWithOtherKeyDER.data()), |
| (unsigned int)kTestCertWithOtherKeyDER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, |
| cert_nickname, false)); |
| |
| ScopedCERTCertList certs( |
| PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); |
| CheckCertListForSubjects(certs, {"CN=test cert"}); |
| } |
| |
| // We should be able to get back all certs that match the private key. |
| TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestTwoCertsForKey) { |
| SECItem private_key_info = { |
| siBuffer, const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), |
| (unsigned int)kTestPrivateKeyInfoDER.size(), |
| }; |
| SECKEYPrivateKey* priv_key = nullptr; |
| ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( |
| m_slot, &private_key_info, nullptr, nullptr, false, |
| false, KU_ALL, &priv_key, nullptr)); |
| ASSERT_NE(nullptr, priv_key); |
| ScopedSECKEYPrivateKey scoped_priv_key(priv_key); |
| |
| char cert1_nickname[] = "Test Cert 1"; |
| SECItem cert1_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert1DER.data()), |
| (unsigned int)kTestCert1DER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, |
| cert1_nickname, false)); |
| char cert2_nickname[] = "Test Cert 2 (same key, different subject)"; |
| SECItem cert2_item = { |
| siBuffer, const_cast<unsigned char*>(kUnrelatedTestCertDER.data()), |
| (unsigned int)kUnrelatedTestCertDER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert2_item, CK_INVALID_HANDLE, |
| cert2_nickname, false)); |
| |
| char cert_nickname[] = "Test Cert With Other Key"; |
| SECItem cert_item = { |
| siBuffer, const_cast<unsigned char*>(kTestCertWithOtherKeyDER.data()), |
| (unsigned int)kTestCertWithOtherKeyDER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, |
| cert_nickname, false)); |
| |
| ScopedCERTCertList certs( |
| PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); |
| CheckCertListForSubjects(certs, {"CN=test cert", "CN=unrelated subject DN"}); |
| } |
| |
| class PK11FindEncodedCertInSlotTest : public PK11FindCertsTestBase {}; |
| |
| TEST_F(PK11FindEncodedCertInSlotTest, TestFindEncodedCert) { |
| char cert_nickname[] = "Test Cert"; |
| SECItem cert_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert1DER.data()), |
| (unsigned int)kTestCert1DER.size()}; |
| ASSERT_EQ(SECSuccess, |
| PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, |
| cert_nickname, false)); |
| |
| // This certificate was just imported, so finding it by its encoded value |
| // should succeed. |
| CK_OBJECT_HANDLE cert_handle_in_slot = |
| PK11_FindEncodedCertInSlot(m_slot, &cert_item, nullptr); |
| // CK_INVALID_HANDLE is #defined to be the literal 0, which the compiler |
| // interprets as a signed value, which then causes a warning-as-an-error |
| // about comparing values of different signs. |
| ASSERT_NE(static_cast<CK_ULONG>(CK_INVALID_HANDLE), cert_handle_in_slot); |
| |
| // The certificate should not exist on the internal slot, so this should |
| // return CK_INVALID_HANDLE. |
| ScopedPK11SlotInfo internal_slot(PK11_GetInternalSlot()); |
| ASSERT_NE(nullptr, internal_slot); |
| CK_OBJECT_HANDLE cert_handle_in_internal_slot = |
| PK11_FindEncodedCertInSlot(internal_slot.get(), &cert_item, nullptr); |
| ASSERT_EQ(static_cast<CK_ULONG>(CK_INVALID_HANDLE), |
| cert_handle_in_internal_slot); |
| |
| // The certificate should not exist on the internal key slot, so this should |
| // return CK_INVALID_HANDLE. |
| ScopedPK11SlotInfo internal_key_slot(PK11_GetInternalKeySlot()); |
| ASSERT_NE(nullptr, internal_key_slot); |
| CK_OBJECT_HANDLE cert_handle_in_internal_key_slot = |
| PK11_FindEncodedCertInSlot(internal_key_slot.get(), &cert_item, nullptr); |
| ASSERT_EQ(static_cast<CK_ULONG>(CK_INVALID_HANDLE), |
| cert_handle_in_internal_key_slot); |
| |
| // This certificate hasn't been imported to any token, so looking for it |
| // should return CK_INVALID_HANDLE. |
| SECItem unknown_cert_item = {siBuffer, |
| const_cast<unsigned char*>(kTestCert2DER.data()), |
| (unsigned int)kTestCert2DER.size()}; |
| CK_OBJECT_HANDLE unknown_cert_handle_in_slot = |
| PK11_FindEncodedCertInSlot(m_slot, &unknown_cert_item, nullptr); |
| ASSERT_EQ(static_cast<CK_ULONG>(CK_INVALID_HANDLE), |
| unknown_cert_handle_in_slot); |
| } |
| |
| } // namespace nss_test |