| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| /* |
| * test_certselector.c |
| * |
| * Test Cert Selector |
| * |
| */ |
| |
| #include "testutil.h" |
| #include "testutil_nss.h" |
| |
| #define PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS 5 |
| #define PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS 2 |
| #define PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS 2 |
| #define PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS 4 |
| #define PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS 1 |
| |
| static void *plContext = NULL; |
| |
| /* |
| * The first three certs are used to obtain policies to test |
| * policy matching. Changing the table could break tests. |
| */ |
| static char *certList[] = { |
| #define POLICY1CERT 0 |
| "GoodCACert.crt", |
| #define ANYPOLICYCERT 1 |
| "anyPolicyCACert.crt", |
| #define POLICY2CERT 2 |
| "PoliciesP12CACert.crt", |
| #define SUBJECTCERT 3 |
| "PoliciesP3CACert.crt", |
| "PoliciesP1234CACert.crt", |
| "pathLenConstraint0CACert.crt", |
| "pathLenConstraint1CACert.crt", |
| "pathLenConstraint6CACert.crt", |
| "TrustAnchorRootCertificate.crt", |
| "GoodsubCACert.crt", |
| "AnyPolicyTest14EE.crt", |
| "UserNoticeQualifierTest16EE.crt" |
| }; |
| #define NUMCERTS (sizeof(certList) / sizeof(certList[0])) |
| |
| /* |
| * Following are Certs values for NameConstraints tests |
| * |
| * Cert0:nameConstraintsDN1subCA1Cert.crt: |
| * Subject:CN=nameConstraints DN1 subCA1,OU=permittedSubtree1, |
| * O=Test Certificates,C=US |
| * Permitted Name:(OU=permittedSubtree2,OU=permittedSubtree1, |
| * O=Test Certificates,C=US) |
| * Excluded Name: (EMPTY) |
| * Cert1:nameConstraintsDN3subCA2Cert.crt: |
| * Subject:CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US |
| * Permitted Name:(O=Test Certificates,C=US) |
| * Excluded Name:(EMPTY) |
| * Cert2:nameConstraintsDN2CACert.crt |
| * Subject:CN=nameConstraints DN2 CA,O=Test Certificates,C=US |
| * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US, |
| * OU=permittedSubtree2,O=Test Certificates,C=US) |
| * Excluded Name:(EMPTY) |
| * Cert3:nameConstraintsDN3subCA1Cert.crt |
| * Subject:CN=nameConstraints DN3 subCA1,O=Test Certificates,C=US |
| * Permitted Name:(EMPTY) |
| * Excluded Name:(OU=excludedSubtree2,O=Test Certificates,C=US) |
| * Cert4:nameConstraintsDN4CACert.crt |
| * Subject:CN=nameConstraints DN4 CA,O=Test Certificates,C=US |
| * Permitted Name:(EMPTY) |
| * Excluded Name:(OU=excludedSubtree1,O=Test Certificates,C=US, |
| * OU=excludedSubtree2,O=Test Certificates,C=US) |
| * Cert5:nameConstraintsDN5CACert.crt |
| * Subject:CN=nameConstraints DN5 CA,O=Test Certificates,C=US |
| * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US) |
| * Excluded Name:(OU=excludedSubtree1,OU=permittedSubtree1, |
| * O=Test Certificates,C=US) |
| * Cert6:ValidDNnameConstraintsTest1EE.crt |
| * Subject:CN=Valid DN nameConstraints EE Certificate Test1, |
| * OU=permittedSubtree1,O=Test Certificates,C=US |
| * |
| */ |
| static char *ncCertList[] = { |
| "nameConstraintsDN1subCA1Cert.crt", |
| "nameConstraintsDN3subCA2Cert.crt", |
| "nameConstraintsDN2CACert.crt", |
| "nameConstraintsDN3subCA1Cert.crt", |
| "nameConstraintsDN4CACert.crt", |
| "nameConstraintsDN5CACert.crt", |
| "ValidDNnameConstraintsTest1EE.crt" |
| }; |
| #define NUMNCCERTS (sizeof(ncCertList) / sizeof(ncCertList[0])) |
| |
| static char *sanCertList[] = { |
| "InvalidDNnameConstraintsTest3EE.crt", |
| "InvalidDNSnameConstraintsTest38EE.crt" |
| }; |
| #define NUMSANCERTS (sizeof(sanCertList) / sizeof(sanCertList[0])) |
| |
| /* |
| * This function calls the CertSelector pointed to by "selector" for each |
| * cert in the List pointed to by "certs", and compares the results against |
| * the bit array given by the UInt32 "expectedResults". If the first cert is |
| * expected to pass, the lower-order bit of "expectedResults" should be 1. |
| * If the second cert is expected to pass, the second bit of "expectedResults" |
| * should be 1, and so on. If more than 32 certs are provided, only the first |
| * 32 will be checked. It is not an error to provide more bits than needed. |
| * (For example, if you expect every cert to pass, "expectedResult" can be |
| * set to 0xFFFFFFFF, even if the chain has fewer than 32 certs.) |
| */ |
| static void |
| testSelector( |
| PKIX_CertSelector *selector, |
| PKIX_List *certs, |
| PKIX_UInt32 expectedResults) |
| { |
| PKIX_UInt32 i = 0; |
| PKIX_UInt32 numCerts = 0; |
| PKIX_PL_Cert *cert = NULL; |
| PKIX_CertSelector_MatchCallback callback = NULL; |
| PKIX_Error *errReturn = NULL; |
| PKIX_Boolean result = PKIX_TRUE; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(selector, &callback, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); |
| if (numCerts > 32) { |
| numCerts = 32; |
| } |
| |
| for (i = 0; i < numCerts; i++) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); |
| errReturn = callback(selector, cert, &result, plContext); |
| |
| if (errReturn || result == PKIX_FALSE) { |
| if ((expectedResults & 1) == 1) { |
| testError("selector unexpectedly failed"); |
| (void)printf(" processing cert:\t%d\n", i); |
| } |
| } else { |
| if ((expectedResults & 1) == 0) { |
| testError("selector unexpectedly passed"); |
| (void)printf(" processing cert:\t%d\n", i); |
| } |
| } |
| |
| expectedResults = expectedResults >> 1; |
| PKIX_TEST_DECREF_BC(cert); |
| PKIX_TEST_DECREF_BC(errReturn); |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(cert); |
| PKIX_TEST_DECREF_AC(errReturn); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| /* |
| * This function gets a policy from the Cert pointed to by "cert", according |
| * to the index provided by "index", creates an immutable List containing the |
| * OID of that policy, and stores the result at "pPolicyList". |
| */ |
| static void |
| testGetPolicyFromCert( |
| PKIX_PL_Cert *cert, |
| PKIX_UInt32 index, |
| PKIX_List **pPolicyList) |
| { |
| PKIX_List *policyInfo = NULL; |
| PKIX_PL_CertPolicyInfo *firstPolicy = NULL; |
| PKIX_PL_OID *policyOID = NULL; |
| PKIX_List *list = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &policyInfo, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(policyInfo, |
| index, |
| (PKIX_PL_Object **)&firstPolicy, |
| plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(firstPolicy, &policyOID, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list, (PKIX_PL_Object *)policyOID, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(list, plContext)); |
| |
| *pPolicyList = list; |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(policyInfo); |
| PKIX_TEST_DECREF_AC(firstPolicy); |
| PKIX_TEST_DECREF_AC(policyOID); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| /* |
| * This custom matchCallback will pass any Certificate which has no |
| * CertificatePolicies extension and any Certificate whose Policies |
| * extension include a CertPolicyQualifier. |
| */ |
| static PKIX_Error * |
| custom_CertSelector_MatchCallback( |
| PKIX_CertSelector *selector, |
| PKIX_PL_Cert *cert, |
| PKIX_Boolean *pResult, |
| void *plContext) |
| { |
| PKIX_UInt32 i = 0; |
| PKIX_UInt32 numPolicies = 0; |
| PKIX_List *certPolicies = NULL; |
| PKIX_List *quals = NULL; |
| PKIX_PL_CertPolicyInfo *policy = NULL; |
| PKIX_Error *error = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| *pResult = PKIX_TRUE; |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &certPolicies, plContext)); |
| |
| if (certPolicies) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certPolicies, &numPolicies, plContext)); |
| |
| for (i = 0; i < numPolicies; i++) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certPolicies, |
| i, |
| (PKIX_PL_Object **)&policy, |
| plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(policy, &quals, plContext)); |
| if (quals) { |
| goto cleanup; |
| } |
| PKIX_TEST_DECREF_BC(policy); |
| } |
| PKIX_TEST_DECREF_BC(certPolicies); |
| *pResult = PKIX_FALSE; |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(PKIX_CERTSELECTOR_ERROR, |
| NULL, |
| NULL, |
| PKIX_TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, |
| &error, |
| plContext)); |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(certPolicies); |
| PKIX_TEST_DECREF_AC(policy); |
| PKIX_TEST_DECREF_AC(quals); |
| |
| return (error); |
| } |
| |
| /* |
| * This custom matchCallback will pass any Certificate whose |
| * CertificatePolicies extension asserts the Policy specified by |
| * the OID in the CertSelectorContext object. |
| */ |
| static PKIX_Error * |
| custom_CertSelector_MatchOIDCallback( |
| PKIX_CertSelector *selector, |
| PKIX_PL_Cert *cert, |
| PKIX_Boolean *pResult, |
| void *plContext) |
| { |
| PKIX_UInt32 i = 0; |
| PKIX_UInt32 numPolicies = 0; |
| PKIX_Boolean match = PKIX_FALSE; |
| PKIX_PL_Object *certSelectorContext = NULL; |
| PKIX_PL_OID *constraintOID = NULL; |
| PKIX_List *certPolicies = NULL; |
| PKIX_PL_CertPolicyInfo *policy = NULL; |
| PKIX_PL_OID *policyOID = NULL; |
| PKIX_PL_String *errorDesc = NULL; |
| PKIX_Error *error = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| *pResult = PKIX_TRUE; |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCertSelectorContext(selector, &certSelectorContext, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType(certSelectorContext, PKIX_OID_TYPE, plContext)); |
| |
| constraintOID = (PKIX_PL_OID *)certSelectorContext; |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &certPolicies, plContext)); |
| |
| if (certPolicies) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certPolicies, &numPolicies, plContext)); |
| |
| for (i = 0; i < numPolicies; i++) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certPolicies, |
| i, |
| (PKIX_PL_Object **)&policy, |
| plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(policy, &policyOID, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)policyOID, |
| (PKIX_PL_Object *)constraintOID, |
| &match, |
| plContext)); |
| |
| if (match) { |
| goto cleanup; |
| } |
| PKIX_TEST_DECREF_BC(policy); |
| PKIX_TEST_DECREF_BC(policyOID); |
| } |
| } |
| |
| PKIX_TEST_DECREF_BC(certSelectorContext); |
| PKIX_TEST_DECREF_BC(certPolicies); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(PKIX_CERTSELECTOR_ERROR, |
| NULL, |
| NULL, |
| PKIX_TESTNOMATCHINGPOLICY, |
| &error, |
| plContext)); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(certSelectorContext); |
| PKIX_TEST_DECREF_AC(certPolicies); |
| PKIX_TEST_DECREF_AC(policy); |
| PKIX_TEST_DECREF_AC(policyOID); |
| PKIX_TEST_DECREF_AC(errorDesc); |
| |
| return (error); |
| } |
| |
| static void |
| testSubjectMatch( |
| PKIX_List *certs, |
| PKIX_PL_Cert *certNameToMatch) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *subjParams = NULL; |
| PKIX_PL_X500Name *subjectName = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("Subject name match"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&subjParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(certNameToMatch, &subjectName, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(subjParams, subjectName, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, subjParams, plContext)); |
| testSelector(selector, certs, 0x008); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(subjParams); |
| PKIX_TEST_DECREF_AC(subjectName); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testBasicConstraintsMatch( |
| PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *bcParams = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("Basic Constraints match"); |
| subTest(" pathLenContraint = -2: pass only EE's"); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&bcParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, -2, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); |
| testSelector(selector, certs, 0xC00); |
| |
| subTest(" pathLenContraint = -1: pass all certs"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, -1, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); |
| testSelector(selector, certs, 0xFFF); |
| |
| subTest(" pathLenContraint = 1: pass only certs with pathLen >= 1"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, 1, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); |
| testSelector(selector, certs, 0x3DF); |
| |
| subTest(" pathLenContraint = 2: pass only certs with pathLen >= 2"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, 2, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); |
| testSelector(selector, certs, 0x39F); |
| |
| cleanup: |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(bcParams); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void testPolicyMatch( |
| PKIX_List *certs, |
| PKIX_PL_Cert *NIST1Cert, /* a source for policy NIST1 */ |
| PKIX_PL_Cert *NIST2Cert, /* a source for policy NIST2 */ |
| PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_List *emptyList = NULL; /* no members */ |
| PKIX_List *policy1List = NULL; /* OIDs */ |
| PKIX_List *policy2List = NULL; /* OIDs */ |
| PKIX_List *anyPolicyList = NULL; /* OIDs */ |
| PKIX_ComCertSelParams *polParams = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("Policy match"); |
| testGetPolicyFromCert(NIST1Cert, 0, &policy1List); |
| testGetPolicyFromCert(NIST2Cert, 1, &policy2List); |
| testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); |
| |
| subTest(" Pass certs with any CertificatePolicies extension"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, emptyList, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); |
| testSelector(selector, certs, 0xEFF); |
| PKIX_TEST_DECREF_BC(polParams); |
| |
| subTest(" Pass only certs with policy NIST1"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, policy1List, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); |
| testSelector(selector, certs, 0xEF5); |
| PKIX_TEST_DECREF_BC(polParams); |
| |
| subTest(" Pass only certs with policy NIST2"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, policy2List, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); |
| testSelector(selector, certs, 0x814); |
| PKIX_TEST_DECREF_BC(polParams); |
| |
| subTest(" Pass only certs with policy anyPolicy"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, anyPolicyList, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); |
| testSelector(selector, certs, 0x002); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(emptyList); |
| PKIX_TEST_DECREF_AC(policy1List); |
| PKIX_TEST_DECREF_AC(policy2List); |
| PKIX_TEST_DECREF_AC(anyPolicyList); |
| PKIX_TEST_DECREF_AC(polParams); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testCertificateMatch( |
| PKIX_List *certs, |
| PKIX_PL_Cert *certToMatch) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("Certificate match"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(params, certToMatch, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| testSelector(selector, certs, 0x008); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(params); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testNameConstraintsMatch(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_PL_Cert *cert = NULL; |
| PKIX_PL_CertNameConstraints *permitNameConstraints1 = NULL; |
| PKIX_PL_CertNameConstraints *permitNameConstraints2 = NULL; |
| PKIX_PL_CertNameConstraints *permitNameConstraints3 = NULL; |
| PKIX_PL_CertNameConstraints *excludeNameConstraints1 = NULL; |
| PKIX_PL_CertNameConstraints *excludeNameConstraints2 = NULL; |
| PKIX_PL_CertNameConstraints *excludeNameConstraints3 = NULL; |
| PKIX_UInt32 numCerts = 0; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test NameConstraints Cert Selector"); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); |
| |
| subTest(" PKIX_PL_Cert_GetNameConstraints <cert0-permitted>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 0, (PKIX_PL_Object **)&cert, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints1, plContext)); |
| PKIX_TEST_DECREF_BC(cert); |
| |
| subTest(" PKIX_PL_Cert_GetNameConstraints <cert1-permitted>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 1, (PKIX_PL_Object **)&cert, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints2, plContext)); |
| PKIX_TEST_DECREF_BC(cert); |
| |
| subTest(" PKIX_PL_Cert_GetNameConstraints <cert2-permitted>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 2, (PKIX_PL_Object **)&cert, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints3, plContext)); |
| PKIX_TEST_DECREF_BC(cert); |
| |
| subTest(" PKIX_PL_Cert_GetNameConstraints <cert3-excluded>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 3, (PKIX_PL_Object **)&cert, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints1, plContext)); |
| PKIX_TEST_DECREF_BC(cert); |
| |
| subTest(" PKIX_PL_Cert_GetNameConstraints <cert4-excluded>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 4, (PKIX_PL_Object **)&cert, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints2, plContext)); |
| PKIX_TEST_DECREF_BC(cert); |
| |
| subTest(" PKIX_PL_Cert_GetNameConstraints <cert5-excluded>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 5, (PKIX_PL_Object **)&cert, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints3, plContext)); |
| PKIX_TEST_DECREF_BC(cert); |
| |
| subTest(" Create Selector and ComCertSelParams"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" CertNameConstraints testing permitted NONE"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints1, plContext)); |
| testSelector(selector, certs, 0x0); |
| |
| subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, NULL, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" CertNameConstraints testing permitted ALL"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints2, plContext)); |
| testSelector(selector, certs, 0x07F); |
| |
| subTest(" CertNameConstraints testing permitted TWO"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints3, plContext)); |
| testSelector(selector, certs, 0x0041); |
| |
| subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, NULL, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" CertNameConstraints testing excluded"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints1, plContext)); |
| testSelector(selector, certs, 0x07F); |
| |
| subTest(" CertNameConstraints testing excluded"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints2, plContext)); |
| testSelector(selector, certs, 0x07F); |
| |
| subTest(" CertNameConstraints testing excluded"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints3, plContext)); |
| testSelector(selector, certs, 0x41); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(permitNameConstraints1); |
| PKIX_TEST_DECREF_AC(permitNameConstraints2); |
| PKIX_TEST_DECREF_AC(permitNameConstraints3); |
| PKIX_TEST_DECREF_AC(excludeNameConstraints1); |
| PKIX_TEST_DECREF_AC(excludeNameConstraints2); |
| PKIX_TEST_DECREF_AC(excludeNameConstraints3); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testPathToNamesMatch(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_List *nameList = NULL; |
| PKIX_PL_GeneralName *name = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test PathToName Cert Selector"); |
| |
| subTest(" PKIX_PL_GeneralName List create"); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); |
| |
| subTest(" Add directory name <O=NotATest Certificates,C=US>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, |
| "O=NotATest Certificates,C=US", |
| plContext); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); |
| |
| subTest(" Create Selector and ComCertSelParams"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetPathToNames"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); |
| |
| subTest(" Permitting THREE"); |
| testSelector(selector, certs, 0x58); |
| |
| subTest(" Remove directory name <O=NotATest Certificates,C=US...>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(nameList, 0, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" Add directory name <OU=permittedSubtree1,O=Test...>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, |
| "OU=permittedSubtree1,O=Test Certificates,C=US", |
| plContext); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetPathToNames"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); |
| |
| subTest(" Permitting SIX"); |
| testSelector(selector, certs, 0x5F); |
| |
| subTest(" Remove directory name <OU=permittedSubtree1,O=Test...>"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(nameList, 0, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" Add directory name <O=Test Certificates,C=US...>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, |
| "O=Test Certificates,C=US", |
| plContext); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" PKIX_ComCertSelParams_SetPathToNames"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); |
| |
| subTest(" Permitting FOUR"); |
| testSelector(selector, certs, 0x47); |
| |
| subTest(" Only directory name <OU=permittedSubtree1,O=Test ...>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, |
| "OU=permittedSubtree1,O=Test Certificates,C=US", |
| plContext); |
| |
| subTest(" PKIX_ComCertSelParams_AddPathToName"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName(params, name, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" Permitting FOUR"); |
| testSelector(selector, certs, 0x47); |
| |
| subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| PKIX_TEST_DECREF_BC(nameList); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); |
| |
| subTest(" Add directory name <CN=Valid DN nameConstraints EE...>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, "CN=Valid DN nameConstraints EE " |
| "Certificate Test1,OU=permittedSubtree1," |
| "O=Test Certificates,C=US", |
| plContext); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" PKIX_ComCertSelParams_SetPathToNames"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); |
| |
| subTest(" Permitting SIX"); |
| testSelector(selector, certs, 0x7e); |
| |
| subTest(" Add directory name <OU=permittedSubtree1,O=Test>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, |
| "OU=permittedSubtree1,O=Test", |
| plContext); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" PKIX_ComCertSelParams_SetPathToNames"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); |
| |
| subTest(" Permitting SIX"); |
| testSelector(selector, certs, 0x58); |
| |
| subTest(" Add directory name <O=Test Certificates,C=US>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext); |
| |
| subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName(params, name, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" Permitting FOUR"); |
| testSelector(selector, certs, 0x47); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(nameList); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testSubjAltNamesMatch(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_List *nameList = NULL; |
| PKIX_PL_GeneralName *name = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test SubjAltNames Cert Selector"); |
| |
| subTest(" PKIX_PL_GeneralName List create"); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); |
| |
| subTest(" Create Selector and ComCertSelParams"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" Add directory name <CN=Invalid DN nameConstraints EE...>"); |
| name = createGeneralName(PKIX_DIRECTORY_NAME, |
| "CN=Invalid DN nameConstraints EE Certificate Test3," |
| "OU=excludedSubtree1,O=Test Certificates,C=US", |
| plContext); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetSubjAltNames"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames(params, nameList, plContext)); |
| |
| PKIX_TEST_DECREF_BC(name); |
| PKIX_TEST_DECREF_BC(nameList); |
| |
| subTest(" Permitting ONE"); |
| testSelector(selector, certs, 0x1); |
| |
| subTest(" Add DNS name <mytestcertificates.gov>"); |
| name = createGeneralName(PKIX_DNS_NAME, |
| "mytestcertificates.gov", |
| plContext); |
| |
| subTest(" PKIX_ComCertSelParams_AddSubjAltName"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(params, name, plContext)); |
| PKIX_TEST_DECREF_BC(name); |
| |
| subTest(" Permitting NONE"); |
| testSelector(selector, certs, 0x0); |
| |
| subTest(" PKIX_ComCertSelParams_SetMatchAllSubjAltNames to FALSE"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(params, PKIX_FALSE, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" Permitting TWO"); |
| testSelector(selector, certs, 0x3); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(name); |
| PKIX_TEST_DECREF_AC(nameList); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testCertificateValidMatch( |
| PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_PL_String *stringRep = NULL; |
| PKIX_PL_Date *testDate = NULL; |
| char *asciiRep = "050501000000Z"; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("CertificateValid match"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(params, testDate, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| testSelector(selector, certs, 0xFFFFFFFF); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(stringRep); |
| PKIX_TEST_DECREF_AC(testDate); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| test_customCallback1(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("custom matchCallback"); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(custom_CertSelector_MatchCallback, |
| NULL, |
| &selector, |
| plContext)); |
| |
| testSelector(selector, certs, 0x900); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void test_customCallback2(PKIX_List *certs, |
| PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_List *anyPolicyList = NULL; /* OIDs */ |
| PKIX_PL_OID *policyOID = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("custom matchCallback with CertSelectorContext"); |
| |
| testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(anyPolicyList, 0, (PKIX_PL_Object **)&policyOID, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(custom_CertSelector_MatchOIDCallback, |
| (PKIX_PL_Object *)policyOID, |
| &selector, |
| plContext)); |
| |
| testSelector(selector, certs, (1 << ANYPOLICYCERT)); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selector); |
| PKIX_TEST_DECREF_AC(anyPolicyList); |
| PKIX_TEST_DECREF_AC(policyOID); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testExtendedKeyUsageMatch(char *certDir) |
| { |
| PKIX_ComCertSelParams *goodParams = NULL; |
| PKIX_PL_OID *ekuOid = NULL; |
| PKIX_List *ekuOidList = NULL; |
| PKIX_PL_String *dirString = NULL; |
| PKIX_CertStore_CertCallback certCallback; |
| PKIX_CertStore *certStore = NULL; |
| PKIX_CertSelector *certSelector = NULL; |
| PKIX_List *certList = NULL; |
| PKIX_UInt32 numCert = 0; |
| void *nbioContext = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test Extended KeyUsage Cert Selector"); |
| |
| subTest(" PKIX_ComCertSelParams_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); |
| |
| subTest(" Create Extended Key Usage OID List"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&ekuOidList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.2", &ekuOid, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); |
| |
| PKIX_TEST_DECREF_BC(ekuOid); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.3", &ekuOid, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); |
| |
| PKIX_TEST_DECREF_BC(ekuOid); |
| |
| subTest(" PKIX_ComCertSelParams_SetExtendedKeyUsage"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage(goodParams, ekuOidList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); |
| |
| subTest(" PKIX_PL_CollectionCertStoreContext_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); |
| |
| subTest(" PKIX_CertSelector_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); |
| |
| subTest(" PKIX_CertStore_GetCertCallback"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); |
| |
| subTest(" Getting data from Cert Callback"); |
| PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); |
| |
| if (numCert != PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS) { |
| pkixTestErrorMsg = "unexpected Cert number mismatch"; |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(ekuOid); |
| PKIX_TEST_DECREF_AC(ekuOidList); |
| PKIX_TEST_DECREF_AC(goodParams); |
| PKIX_TEST_DECREF_AC(dirString); |
| PKIX_TEST_DECREF_AC(certList); |
| PKIX_TEST_DECREF_AC(certSelector); |
| PKIX_TEST_DECREF_AC(certStore); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testKeyUsageMatch(char *certDir) |
| { |
| PKIX_ComCertSelParams *goodParams = NULL; |
| PKIX_PL_String *dirString = NULL; |
| PKIX_CertStore_CertCallback certCallback; |
| PKIX_CertStore *certStore = NULL; |
| PKIX_CertSelector *certSelector = NULL; |
| PKIX_List *certList = NULL; |
| PKIX_UInt32 numCert = 0; |
| void *nbioContext = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test KeyUsage Cert Selector"); |
| |
| subTest(" PKIX_ComCertSelParams_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetKeyUsage"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage(goodParams, PKIX_CRL_SIGN, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); |
| |
| subTest(" PKIX_PL_CollectionCertStoreContext_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); |
| |
| subTest(" PKIX_CertSelector_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); |
| |
| subTest(" PKIX_CertStore_GetCertCallback"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); |
| |
| subTest(" Getting data from Cert Callback"); |
| PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); |
| |
| if (numCert != PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS) { |
| pkixTestErrorMsg = "unexpected Cert number mismatch"; |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(goodParams); |
| PKIX_TEST_DECREF_AC(dirString); |
| PKIX_TEST_DECREF_AC(certList); |
| PKIX_TEST_DECREF_AC(certSelector); |
| PKIX_TEST_DECREF_AC(certStore); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testCertValidMatch(char *certDir) |
| { |
| PKIX_ComCertSelParams *goodParams = NULL; |
| PKIX_PL_Date *validDate = NULL; |
| PKIX_PL_String *dirString = NULL; |
| PKIX_CertStore_CertCallback certCallback; |
| PKIX_CertStore *certStore = NULL; |
| PKIX_CertSelector *certSelector = NULL; |
| PKIX_List *certList = NULL; |
| PKIX_UInt32 numCert = 0; |
| void *nbioContext = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test CertValid Cert Selector"); |
| |
| subTest(" PKIX_ComCertSelParams_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); |
| |
| validDate = createDate("050601000000Z", plContext); |
| |
| subTest(" PKIX_ComCertSelParams_SetCertificateValid"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(goodParams, validDate, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); |
| |
| subTest(" PKIX_PL_CollectionCertStoreContext_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); |
| |
| subTest(" PKIX_CertSelector_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); |
| |
| subTest(" PKIX_CertStore_GetCertCallback"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); |
| |
| subTest(" Getting data from Cert Callback"); |
| PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); |
| |
| if (numCert != PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS) { |
| pkixTestErrorMsg = "unexpected Cert number mismatch"; |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(goodParams); |
| PKIX_TEST_DECREF_AC(validDate); |
| PKIX_TEST_DECREF_AC(dirString); |
| PKIX_TEST_DECREF_AC(certList); |
| PKIX_TEST_DECREF_AC(certSelector); |
| PKIX_TEST_DECREF_AC(certStore); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testIssuerMatch(char *certDir) |
| { |
| PKIX_ComCertSelParams *goodParams = NULL; |
| PKIX_PL_X500Name *issuer = NULL; |
| PKIX_PL_String *issuerStr = NULL; |
| PKIX_PL_String *dirString = NULL; |
| PKIX_CertStore_CertCallback certCallback; |
| PKIX_CertStore *certStore = NULL; |
| PKIX_CertSelector *certSelector = NULL; |
| PKIX_List *certList = NULL; |
| char *issuerName = "CN=science,O=mit,C=US"; |
| PKIX_UInt32 numCert = 0; |
| void *nbioContext = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test Issuer Cert Selector"); |
| |
| subTest(" PKIX_ComCertSelParams_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, issuerName, 0, &issuerStr, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuerStr, &issuer, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetIssuer"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer(goodParams, issuer, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); |
| |
| subTest(" PKIX_PL_CollectionCertStoreContext_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); |
| |
| subTest(" PKIX_CertSelector_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); |
| |
| subTest(" PKIX_CertStore_GetCertCallback"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); |
| |
| subTest(" Getting data from Cert Callback"); |
| PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); |
| |
| if (numCert != PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS) { |
| pkixTestErrorMsg = "unexpected Cert number mismatch"; |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(goodParams); |
| PKIX_TEST_DECREF_AC(issuer); |
| PKIX_TEST_DECREF_AC(issuerStr); |
| PKIX_TEST_DECREF_AC(dirString); |
| PKIX_TEST_DECREF_AC(certList); |
| PKIX_TEST_DECREF_AC(certSelector); |
| PKIX_TEST_DECREF_AC(certStore); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testSerialNumberVersionMatch(char *certDir) |
| { |
| PKIX_ComCertSelParams *goodParams = NULL; |
| PKIX_PL_BigInt *serialNumber = NULL; |
| PKIX_PL_String *serialNumberStr = NULL; |
| PKIX_PL_String *dirString = NULL; |
| PKIX_CertStore_CertCallback certCallback; |
| PKIX_CertStore *certStore = NULL; |
| PKIX_CertSelector *certSelector = NULL; |
| PKIX_List *certList = NULL; |
| PKIX_UInt32 numCert = 0; |
| void *nbioContext = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test Serial Number Cert Selector"); |
| |
| subTest(" PKIX_ComCertSelParams_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "01", 0, &serialNumberStr, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(serialNumberStr, &serialNumber, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetSerialNumber"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber(goodParams, serialNumber, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetVersion"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 0, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); |
| |
| subTest(" PKIX_PL_CollectionCertStoreContext_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); |
| |
| subTest(" PKIX_CertSelector_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); |
| |
| subTest(" PKIX_CertStore_GetCertCallback"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); |
| |
| subTest(" Getting data from Cert Callback"); |
| PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); |
| |
| PKIX_TEST_DECREF_BC(certList); |
| |
| if (numCert != 0) { |
| pkixTestErrorMsg = "unexpected Version mismatch"; |
| } |
| |
| subTest(" PKIX_ComCertSelParams_SetVersion"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 2, plContext)); |
| |
| subTest(" Getting data from Cert Callback"); |
| PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); |
| |
| if (numCert != PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS) { |
| pkixTestErrorMsg = "unexpected Serial Number mismatch"; |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(goodParams); |
| PKIX_TEST_DECREF_AC(serialNumber); |
| PKIX_TEST_DECREF_AC(serialNumberStr); |
| PKIX_TEST_DECREF_AC(dirString); |
| PKIX_TEST_DECREF_AC(certList); |
| PKIX_TEST_DECREF_AC(certSelector); |
| PKIX_TEST_DECREF_AC(certStore); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testSubjKeyIdMatch(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_PL_Cert *cert = NULL; |
| PKIX_PL_ByteArray *selSubjKeyId = NULL; |
| PKIX_UInt32 item = 0; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test Subject Key Id Cert Selector"); |
| |
| item = 2; |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); |
| |
| subTest(" PKIX_PL_Cert_GetSubjectKeyIdentifier"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(cert, &selSubjKeyId, plContext)); |
| |
| subTest(" Create Selector and ComCertSelParams"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetSubjKeyIdentifier"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier(params, selSubjKeyId, plContext)); |
| |
| subTest(" Select One"); |
| testSelector(selector, certs, 1 << item); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selSubjKeyId); |
| PKIX_TEST_DECREF_AC(cert); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(selector); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testAuthKeyIdMatch(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_PL_Cert *cert = NULL; |
| PKIX_PL_ByteArray *selAuthKeyId = NULL; |
| PKIX_UInt32 item = 0; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test Auth Key Id Cert Selector"); |
| |
| item = 3; |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); |
| |
| subTest(" PKIX_PL_Cert_GetAuthorityKeyIdentifier"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier(cert, &selAuthKeyId, plContext)); |
| |
| subTest(" Create Selector and ComCertSelParams"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetAuthorityKeyIdentifier"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(params, selAuthKeyId, plContext)); |
| |
| subTest(" Select TWO"); |
| testSelector(selector, certs, (1 << item) | (1 << 1)); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selAuthKeyId); |
| PKIX_TEST_DECREF_AC(cert); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(selector); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testSubjPKAlgIdMatch(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_PL_Cert *cert = NULL; |
| PKIX_PL_OID *selAlgId = NULL; |
| PKIX_UInt32 item = 0; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test Subject Public Key Algorithm Id Cert Selector"); |
| |
| item = 0; |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); |
| |
| subTest(" PKIX_PL_Cert_GetSubjectPublicKeyAlgId"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId(cert, &selAlgId, plContext)); |
| |
| subTest(" Create Selector and ComCertSelParams"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetSubjPKAlgId"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId(params, selAlgId, plContext)); |
| |
| subTest(" Select All"); |
| testSelector(selector, certs, 0x7F); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selAlgId); |
| PKIX_TEST_DECREF_AC(cert); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(selector); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testSubjPublicKeyMatch(PKIX_List *certs) |
| { |
| PKIX_CertSelector *selector = NULL; |
| PKIX_ComCertSelParams *params = NULL; |
| PKIX_PL_Cert *cert = NULL; |
| PKIX_PL_PublicKey *selPublicKey = NULL; |
| PKIX_UInt32 item = 0; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test Subject Public Key Cert Selector"); |
| |
| item = 5; |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); |
| |
| subTest(" PKIX_PL_Cert_GetSubjectPublicKey"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(cert, &selPublicKey, plContext)); |
| |
| subTest(" Create Selector and ComCertSelParams"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); |
| |
| subTest(" PKIX_ComCertSelParams_SetSubjPubKey"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey(params, selPublicKey, plContext)); |
| |
| subTest(" Select ONE"); |
| testSelector(selector, certs, 1 << item); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(selPublicKey); |
| PKIX_TEST_DECREF_AC(cert); |
| PKIX_TEST_DECREF_AC(params); |
| PKIX_TEST_DECREF_AC(selector); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| test_CertSelector_Duplicate(PKIX_CertSelector *selector) |
| { |
| PKIX_Int32 goodBasicConstraints = 0; |
| PKIX_Int32 equalBasicConstraints = 0; |
| PKIX_CertSelector *dupSelector = NULL; |
| PKIX_ComCertSelParams *goodParams = NULL; |
| PKIX_ComCertSelParams *equalParams = NULL; |
| PKIX_CertSelector_MatchCallback goodCallback = NULL; |
| PKIX_CertSelector_MatchCallback equalCallback = NULL; |
| PKIX_PL_X500Name *goodSubject = NULL; |
| PKIX_PL_X500Name *equalSubject = NULL; |
| PKIX_List *goodPolicy = NULL; |
| PKIX_List *equalPolicy = NULL; |
| PKIX_PL_Cert *goodCert = NULL; |
| PKIX_PL_Cert *equalCert = NULL; |
| PKIX_PL_Date *goodDate = NULL; |
| PKIX_PL_Date *equalDate = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("test_CertSelector_Duplicate"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)selector, |
| (PKIX_PL_Object **)&dupSelector, |
| plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams(selector, &goodParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams(dupSelector, &equalParams, plContext)); |
| /* There is no equals function, so look at components separately. */ |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(goodParams, &goodSubject, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); |
| if (goodSubject && equalSubject) { |
| testEqualsHelper((PKIX_PL_Object *)goodSubject, |
| (PKIX_PL_Object *)equalSubject, |
| PKIX_TRUE, |
| plContext); |
| } else { |
| if |
| PKIX_EXACTLY_ONE_NULL(goodSubject, equalSubject) |
| { |
| pkixTestErrorMsg = "Subject Names are not equal!"; |
| goto cleanup; |
| } |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(goodParams, &goodPolicy, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicy, plContext)); |
| if (goodPolicy && equalPolicy) { |
| testEqualsHelper((PKIX_PL_Object *)goodPolicy, |
| (PKIX_PL_Object *)equalPolicy, |
| PKIX_TRUE, |
| plContext); |
| } else { |
| if |
| PKIX_EXACTLY_ONE_NULL(goodPolicy, equalPolicy) |
| { |
| pkixTestErrorMsg = "Policy Lists are not equal!"; |
| goto cleanup; |
| } |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(goodParams, &goodCert, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(equalParams, &equalCert, plContext)); |
| if (goodCert && equalCert) { |
| testEqualsHelper((PKIX_PL_Object *)goodCert, |
| (PKIX_PL_Object *)equalCert, |
| PKIX_TRUE, |
| plContext); |
| } else { |
| if |
| PKIX_EXACTLY_ONE_NULL(goodCert, equalCert) |
| { |
| pkixTestErrorMsg = "Cert Lists are not equal!"; |
| goto cleanup; |
| } |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(goodParams, &goodDate, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(equalParams, &equalDate, plContext)); |
| if (goodCert && equalCert) { |
| testEqualsHelper((PKIX_PL_Object *)goodDate, |
| (PKIX_PL_Object *)equalDate, |
| PKIX_TRUE, |
| plContext); |
| } else { |
| if |
| PKIX_EXACTLY_ONE_NULL(goodDate, equalDate) |
| { |
| pkixTestErrorMsg = "Date Lists are not equal!"; |
| goto cleanup; |
| } |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(goodParams, &goodBasicConstraints, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalBasicConstraints, plContext)); |
| if (goodBasicConstraints != equalBasicConstraints) { |
| pkixTestErrorMsg = "BasicConstraints are not equal!"; |
| goto cleanup; |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(selector, &goodCallback, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(dupSelector, &equalCallback, plContext)); |
| if (goodCallback != equalCallback) { |
| pkixTestErrorMsg = "MatchCallbacks are not equal!"; |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(dupSelector); |
| PKIX_TEST_DECREF_AC(goodParams); |
| PKIX_TEST_DECREF_AC(equalParams); |
| PKIX_TEST_DECREF_AC(goodSubject); |
| PKIX_TEST_DECREF_AC(equalSubject); |
| PKIX_TEST_DECREF_AC(goodPolicy); |
| PKIX_TEST_DECREF_AC(equalPolicy); |
| PKIX_TEST_DECREF_AC(goodCert); |
| PKIX_TEST_DECREF_AC(equalCert); |
| PKIX_TEST_DECREF_AC(goodDate); |
| PKIX_TEST_DECREF_AC(equalDate); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| printUsage(void) |
| { |
| (void)printf("\nUSAGE:\ttest_certselector <NIST_FILES_DIR> <cert-dir>\n\n"); |
| } |
| |
| int |
| test_certselector(int argc, char *argv[]) |
| { |
| |
| PKIX_UInt32 i = 0; |
| PKIX_UInt32 j = 0; |
| PKIX_UInt32 actualMinorVersion; |
| |
| PKIX_CertSelector *emptySelector = NULL; |
| PKIX_List *certs = NULL; |
| PKIX_List *nameConstraintsCerts = NULL; |
| PKIX_List *subjAltNamesCerts = NULL; |
| PKIX_PL_Cert *cert = NULL; |
| PKIX_PL_Cert *policy1Cert = NULL; |
| PKIX_PL_Cert *policy2Cert = NULL; |
| PKIX_PL_Cert *anyPolicyCert = NULL; |
| PKIX_PL_Cert *subjectCert = NULL; |
| PKIX_ComCertSelParams *selParams = NULL; |
| char *certDir = NULL; |
| char *dirName = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| startTests("CertSelector"); |
| |
| PKIX_TEST_EXPECT_NO_ERROR( |
| PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); |
| |
| if (argc < 3) { |
| printUsage(); |
| return (0); |
| } |
| |
| dirName = argv[j + 1]; |
| certDir = argv[j + 3]; |
| |
| /* Create a List of certs to use in testing the selector */ |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); |
| |
| for (i = 0; i < NUMCERTS; i++) { |
| |
| cert = createCert(dirName, certList[i], plContext); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs, (PKIX_PL_Object *)cert, plContext)); |
| if (i == POLICY1CERT) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); |
| policy1Cert = cert; |
| } |
| if (i == ANYPOLICYCERT) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); |
| anyPolicyCert = cert; |
| } |
| if (i == POLICY2CERT) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); |
| policy2Cert = cert; |
| } |
| if (i == SUBJECTCERT) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); |
| subjectCert = cert; |
| } |
| PKIX_TEST_DECREF_BC(cert); |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameConstraintsCerts, plContext)); |
| |
| for (i = 0; i < NUMNCCERTS; i++) { |
| |
| cert = createCert(dirName, ncCertList[i], plContext); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameConstraintsCerts, |
| (PKIX_PL_Object *)cert, |
| plContext)); |
| |
| PKIX_TEST_DECREF_BC(cert); |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&subjAltNamesCerts, plContext)); |
| |
| for (i = 0; i < NUMSANCERTS; i++) { |
| |
| cert = createCert(dirName, sanCertList[i], plContext); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(subjAltNamesCerts, |
| (PKIX_PL_Object *)cert, |
| plContext)); |
| |
| PKIX_TEST_DECREF_BC(cert); |
| } |
| |
| subTest("test_CertSelector_Create"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &emptySelector, plContext)); |
| |
| subTest("Default Match, no parameters set"); |
| testSelector(emptySelector, certs, 0xFFFFFFFF); |
| |
| testSubjectMatch(certs, subjectCert); |
| |
| testBasicConstraintsMatch(certs); |
| |
| testPolicyMatch(certs, policy1Cert, policy2Cert, anyPolicyCert); |
| |
| testCertificateMatch(certs, subjectCert); |
| |
| testCertificateValidMatch(certs); |
| |
| subTest("Combination: pass only EE certs that assert some policy"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&selParams, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(selParams, -2, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(emptySelector, selParams, plContext)); |
| testSelector(emptySelector, certs, 0xC00); |
| |
| testNameConstraintsMatch(nameConstraintsCerts); |
| |
| testPathToNamesMatch(nameConstraintsCerts); |
| |
| testSubjAltNamesMatch(subjAltNamesCerts); |
| |
| testExtendedKeyUsageMatch(certDir); |
| |
| testKeyUsageMatch(certDir); |
| |
| testIssuerMatch(certDir); |
| |
| testSerialNumberVersionMatch(certDir); |
| |
| testCertValidMatch(certDir); |
| |
| testSubjKeyIdMatch(nameConstraintsCerts); |
| |
| testAuthKeyIdMatch(nameConstraintsCerts); |
| |
| testSubjPKAlgIdMatch(nameConstraintsCerts); |
| |
| testSubjPublicKeyMatch(nameConstraintsCerts); |
| |
| test_CertSelector_Duplicate(emptySelector); |
| |
| test_customCallback1(certs); |
| |
| test_customCallback2(certs, anyPolicyCert); |
| |
| subTest("test_CertSelector_Destroy"); |
| |
| PKIX_TEST_DECREF_BC(emptySelector); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(emptySelector); |
| PKIX_TEST_DECREF_AC(certs); |
| PKIX_TEST_DECREF_AC(cert); |
| PKIX_TEST_DECREF_AC(policy1Cert); |
| PKIX_TEST_DECREF_AC(policy2Cert); |
| PKIX_TEST_DECREF_AC(anyPolicyCert); |
| PKIX_TEST_DECREF_AC(subjectCert); |
| PKIX_TEST_DECREF_AC(selParams); |
| PKIX_TEST_DECREF_AC(nameConstraintsCerts); |
| PKIX_TEST_DECREF_AC(subjAltNamesCerts); |
| |
| PKIX_Shutdown(plContext); |
| |
| PKIX_TEST_RETURN(); |
| |
| endTests("CertSelector"); |
| |
| return (0); |
| } |