| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| /* |
| * test_policychecker.c |
| * |
| * Test Policy Checking |
| * |
| */ |
| |
| #include "testutil.h" |
| #include "testutil_nss.h" |
| |
| #define PKIX_TEST_MAX_CERTS 10 |
| |
| static void *plContext = NULL; |
| |
| static void |
| printUsage(char *testname) |
| { |
| char *fmt = |
| "USAGE: %s testname" |
| " [ENE|EE] \"{OID[:OID]*}\" [A|E|P] cert [cert]*\n" |
| "(The quotes are needed around the OID argument for dbx.)\n" |
| "(The optional arg A indicates initialAnyPolicyInhibit.)\n" |
| "(The optional arg E indicates initialExplicitPolicy.)\n" |
| "(The optional arg P indicates initialPolicyMappingInhibit.)\n"; |
| printf(fmt, testname); |
| } |
| |
| static void |
| printUsageMax(PKIX_UInt32 numCerts) |
| { |
| printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", |
| numCerts, PKIX_TEST_MAX_CERTS); |
| } |
| |
| static PKIX_List * |
| policySetParse(char *policyString) |
| { |
| char *p = NULL; |
| char *oid = NULL; |
| char c = '\0'; |
| PKIX_Boolean validString = PKIX_FALSE; |
| PKIX_PL_OID *plOID = NULL; |
| PKIX_List *policySet = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| p = policyString; |
| |
| /* |
| * There may or may not be quotes around the initial-policy-set |
| * string. If they are omitted, dbx will strip off the curly braces. |
| * If they are included, dbx will strip off the quotes, but if you |
| * are running directly from a script, without dbx, the quotes will |
| * not be stripped. We need to be able to handle both cases. |
| */ |
| if (*p == '"') { |
| p++; |
| } |
| |
| if ('{' != *p++) { |
| return (NULL); |
| } |
| oid = p; |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext)); |
| |
| /* scan to the end of policyString */ |
| while (!validString) { |
| /* scan to the end of the current OID string */ |
| c = *oid; |
| while ((c != '\0') && (c != ':') && (c != '}')) { |
| c = *++oid; |
| } |
| |
| if ((c != ':') || (c != '}')) { |
| *oid = '\0'; /* store a null terminator */ |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(p, &plOID, plContext)); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(policySet, |
| (PKIX_PL_Object *)plOID, |
| plContext)); |
| |
| PKIX_TEST_DECREF_BC(plOID); |
| plOID = NULL; |
| if (c == '}') { |
| /* |
| * Any exit but this one means |
| * we were given a badly-formed string. |
| */ |
| validString = PKIX_TRUE; |
| } |
| p = ++oid; |
| } |
| } |
| |
| cleanup: |
| if (!validString) { |
| PKIX_TEST_DECREF_AC(plOID); |
| PKIX_TEST_DECREF_AC(policySet); |
| policySet = NULL; |
| } |
| |
| PKIX_TEST_RETURN(); |
| |
| return (policySet); |
| } |
| |
| /* |
| * FUNCTION: treeToStringHelper |
| * This function obtains the string representation of a PolicyNode |
| * Tree and compares it to the expected value. |
| * PARAMETERS: |
| * "parent" - a PolicyNode, the root of a PolicyNodeTree; |
| * must be non-NULL. |
| * "expected" - the desired string. |
| * THREAD SAFETY: |
| * Thread Safe |
| * |
| * Multiple threads can safely call this function without worrying |
| * about conflicts, even if they're operating on the same object. |
| * RETURNS: |
| * Nothing. |
| */ |
| static void |
| treeToStringHelper(PKIX_PolicyNode *parent, char *expected) |
| { |
| PKIX_PL_String *stringRep = NULL; |
| char *actual = NULL; |
| PKIX_TEST_STD_VARS(); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)parent, &stringRep, plContext)); |
| |
| actual = PKIX_String2ASCII(stringRep, plContext); |
| if (actual == NULL) { |
| pkixTestErrorMsg = "PKIX_String2ASCII Failed"; |
| goto cleanup; |
| } |
| |
| if (PL_strcmp(actual, expected) != 0) { |
| testError("unexpected mismatch"); |
| (void)printf("Actual value:\t%s\n", actual); |
| (void)printf("Expected value:\t%s\n", expected); |
| } |
| |
| cleanup: |
| |
| PKIX_PL_Free(actual, plContext); |
| |
| PKIX_TEST_DECREF_AC(stringRep); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii) |
| { |
| |
| PKIX_List *chain = NULL; |
| PKIX_ValidateParams *valParams = NULL; |
| PKIX_ValidateResult *valResult = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("Basic-Common-Fields <pass>"); |
| /* |
| * Tests the Expiration, NameChaining, and Signature Checkers |
| */ |
| |
| chain = createCertChain(dirName, goodInput, diffInput, plContext); |
| |
| valParams = createValidateParams(dirName, |
| goodInput, |
| diffInput, |
| dateAscii, |
| NULL, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| chain, |
| plContext); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(chain); |
| PKIX_TEST_DECREF_AC(valParams); |
| PKIX_TEST_DECREF_AC(valResult); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testNistTest1(char *dirName) |
| { |
| #define PKIX_TEST_NUM_CERTS 2 |
| char *trustAnchor = |
| "TrustAnchorRootCertificate.crt"; |
| char *intermediateCert = |
| "GoodCACert.crt"; |
| char *endEntityCert = |
| "ValidCertificatePathTest1EE.crt"; |
| char *certNames[PKIX_TEST_NUM_CERTS]; |
| char *asciiAnyPolicy = "2.5.29.32.0"; |
| PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL }; |
| |
| PKIX_ValidateParams *valParams = NULL; |
| PKIX_ValidateResult *valResult = NULL; |
| PKIX_List *chain = NULL; |
| PKIX_PL_OID *anyPolicyOID = NULL; |
| PKIX_List *initialPolicies = NULL; |
| char *anchorName = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("testNistTest1: Creating the cert chain"); |
| /* |
| * Create a chain, but don't include the first certName. |
| * That's the anchor, and is supplied separately from |
| * the chain. |
| */ |
| certNames[0] = intermediateCert; |
| certNames[1] = endEntityCert; |
| chain = createCertChainPlus(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext); |
| |
| subTest("testNistTest1: Creating the Validate Parameters"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(asciiAnyPolicy, &anyPolicyOID, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&initialPolicies, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(initialPolicies, (PKIX_PL_Object *)anyPolicyOID, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(initialPolicies, plContext)); |
| |
| valParams = createValidateParams(dirName, |
| trustAnchor, |
| NULL, |
| NULL, |
| initialPolicies, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| chain, |
| plContext); |
| |
| subTest("testNistTest1: Validating the chain"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); |
| |
| cleanup: |
| |
| PKIX_PL_Free(anchorName, plContext); |
| |
| PKIX_TEST_DECREF_AC(anyPolicyOID); |
| PKIX_TEST_DECREF_AC(initialPolicies); |
| PKIX_TEST_DECREF_AC(valParams); |
| PKIX_TEST_DECREF_AC(valResult); |
| PKIX_TEST_DECREF_AC(chain); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| testNistTest2(char *dirName) |
| { |
| #define PKIX_TEST_NUM_CERTS 2 |
| char *trustAnchor = |
| "TrustAnchorRootCertificate.crt"; |
| char *intermediateCert = |
| "GoodCACert.crt"; |
| char *endEntityCert = |
| "ValidCertificatePathTest1EE.crt"; |
| char *certNames[PKIX_TEST_NUM_CERTS]; |
| char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1"; |
| PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL }; |
| |
| PKIX_ValidateParams *valParams = NULL; |
| PKIX_ValidateResult *valResult = NULL; |
| PKIX_List *chain = NULL; |
| PKIX_PL_OID *Nist1PolicyOID = NULL; |
| PKIX_List *initialPolicies = NULL; |
| char *anchorName = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| subTest("testNistTest2: Creating the cert chain"); |
| /* |
| * Create a chain, but don't include the first certName. |
| * That's the anchor, and is supplied separately from |
| * the chain. |
| */ |
| certNames[0] = intermediateCert; |
| certNames[1] = endEntityCert; |
| chain = createCertChainPlus(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext); |
| |
| subTest("testNistTest2: Creating the Validate Parameters"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(asciiNist1Policy, &Nist1PolicyOID, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&initialPolicies, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext)); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(initialPolicies, plContext)); |
| |
| valParams = createValidateParams(dirName, |
| trustAnchor, |
| NULL, |
| NULL, |
| initialPolicies, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| PKIX_FALSE, |
| chain, |
| plContext); |
| |
| subTest("testNistTest2: Validating the chain"); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, NULL, plContext)); |
| |
| cleanup: |
| |
| PKIX_PL_Free(anchorName, plContext); |
| |
| PKIX_TEST_DECREF_AC(Nist1PolicyOID); |
| PKIX_TEST_DECREF_AC(initialPolicies); |
| PKIX_TEST_DECREF_AC(valParams); |
| PKIX_TEST_DECREF_AC(valResult); |
| PKIX_TEST_DECREF_AC(chain); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| static void |
| printValidPolicyTree(PKIX_ValidateResult *valResult) |
| { |
| PKIX_PolicyNode *validPolicyTree = NULL; |
| PKIX_PL_String *treeString = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree(valResult, &validPolicyTree, plContext)); |
| if (validPolicyTree) { |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)validPolicyTree, |
| &treeString, |
| plContext)); |
| (void)printf("validPolicyTree is\n\t%s\n", |
| treeString->escAsciiString); |
| } else { |
| (void)printf("validPolicyTree is NULL\n"); |
| } |
| |
| cleanup: |
| |
| PKIX_TEST_DECREF_AC(validPolicyTree); |
| PKIX_TEST_DECREF_AC(treeString); |
| |
| PKIX_TEST_RETURN(); |
| } |
| |
| int |
| test_policychecker(int argc, char *argv[]) |
| { |
| |
| PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; |
| PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; |
| PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; |
| PKIX_Boolean expectedResult = PKIX_FALSE; |
| PKIX_UInt32 chainLength = 0; |
| PKIX_UInt32 initArgs = 0; |
| PKIX_UInt32 firstCert = 0; |
| PKIX_UInt32 i = 0; |
| PKIX_Int32 j = 0; |
| PKIX_UInt32 actualMinorVersion; |
| PKIX_ProcessingParams *procParams = NULL; |
| char *firstTrustAnchor = "yassir2yassir"; |
| char *secondTrustAnchor = "yassir2bcn"; |
| char *dateAscii = "991201000000Z"; |
| PKIX_ValidateParams *valParams = NULL; |
| PKIX_ValidateResult *valResult = NULL; |
| PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */ |
| char *certNames[PKIX_TEST_MAX_CERTS]; |
| PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; |
| PKIX_List *chain = NULL; |
| PKIX_Error *validationError = NULL; |
| PKIX_VerifyNode *verifyTree = NULL; |
| PKIX_PL_String *verifyString = NULL; |
| char *dirName = NULL; |
| char *dataCentralDir = NULL; |
| char *anchorName = NULL; |
| |
| PKIX_TEST_STD_VARS(); |
| |
| PKIX_TEST_EXPECT_NO_ERROR( |
| PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); |
| |
| /* |
| * Perform hard-coded tests if no command line args. |
| * If command line args are provided, they must be: |
| * arg[1]: test name |
| * arg[2]: "ENE" or "EE", for "expect no error" or "expect error" |
| * arg[3]: directory for certificates |
| * arg[4]: user-initial-policy-set, consisting of braces |
| * containing zero or more OID sequences, separated by commas |
| * arg[5]: (optional) "E", indicating initialExplicitPolicy |
| * arg[firstCert]: the path and filename of the trust anchor certificate |
| * arg[firstCert+1..(n-1)]: successive certificates in the chain |
| * arg[n]: the end entity certificate |
| * |
| * Example: test_policychecker test1EE ENE |
| * {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity |
| */ |
| |
| dirName = argv[3 + j]; |
| dataCentralDir = argv[4 + j]; |
| |
| if (argc <= 5 || ((6 == argc) && (j))) { |
| |
| testPass(dataCentralDir, |
| firstTrustAnchor, |
| secondTrustAnchor, |
| dateAscii); |
| |
| testNistTest1(dirName); |
| |
| testNistTest2(dirName); |
| |
| goto cleanup; |
| } |
| |
| if (argc < (7 + j)) { |
| printUsage(argv[0]); |
| pkixTestErrorMsg = "Invalid command line arguments."; |
| goto cleanup; |
| } |
| |
| if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { |
| expectedResult = PKIX_TRUE; |
| } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { |
| expectedResult = PKIX_FALSE; |
| } else { |
| printUsage(argv[0]); |
| pkixTestErrorMsg = "Invalid command line arguments."; |
| goto cleanup; |
| } |
| |
| userInitialPolicySet = policySetParse(argv[5 + j]); |
| if (!userInitialPolicySet) { |
| printUsage(argv[0]); |
| pkixTestErrorMsg = "Invalid command line arguments."; |
| goto cleanup; |
| } |
| |
| for (initArgs = 0; initArgs < 3; initArgs++) { |
| if (PORT_Strcmp(argv[6 + j + initArgs], "A") == 0) { |
| initialAnyPolicyInhibit = PKIX_TRUE; |
| } else if (PORT_Strcmp(argv[6 + j + initArgs], "E") == 0) { |
| initialExplicitPolicy = PKIX_TRUE; |
| } else if (PORT_Strcmp(argv[6 + j + initArgs], "P") == 0) { |
| initialPolicyMappingInhibit = PKIX_TRUE; |
| } else { |
| break; |
| } |
| } |
| |
| firstCert = initArgs + j + 6; |
| chainLength = argc - (firstCert + 1); |
| if (chainLength > PKIX_TEST_MAX_CERTS) { |
| printUsageMax(chainLength); |
| pkixTestErrorMsg = "Invalid command line arguments."; |
| goto cleanup; |
| } |
| |
| /* |
| * Create a chain, but don't include the first certName. |
| * That's the anchor, and is supplied separately from |
| * the chain. |
| */ |
| for (i = 0; i < chainLength; i++) { |
| |
| certNames[i] = argv[i + (firstCert + 1)]; |
| certs[i] = NULL; |
| } |
| chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); |
| |
| subTest(argv[1 + j]); |
| |
| valParams = createValidateParams(dirName, |
| argv[firstCert], |
| NULL, |
| NULL, |
| userInitialPolicySet, |
| initialPolicyMappingInhibit, |
| initialAnyPolicyInhibit, |
| initialExplicitPolicy, |
| PKIX_FALSE, |
| chain, |
| plContext); |
| |
| if (expectedResult == PKIX_TRUE) { |
| subTest(" (expecting successful validation)"); |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); |
| |
| printValidPolicyTree(valResult); |
| |
| } else { |
| subTest(" (expecting validation to fail)"); |
| validationError = PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext); |
| if (!validationError) { |
| printValidPolicyTree(valResult); |
| pkixTestErrorMsg = "Should have thrown an error here."; |
| } |
| PKIX_TEST_DECREF_BC(validationError); |
| } |
| |
| PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); |
| (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); |
| |
| cleanup: |
| |
| PKIX_PL_Free(anchorName, plContext); |
| |
| PKIX_TEST_DECREF_AC(verifyString); |
| PKIX_TEST_DECREF_AC(verifyTree); |
| PKIX_TEST_DECREF_AC(userInitialPolicySet); |
| PKIX_TEST_DECREF_AC(chain); |
| PKIX_TEST_DECREF_AC(valParams); |
| PKIX_TEST_DECREF_AC(valResult); |
| PKIX_TEST_DECREF_AC(validationError); |
| |
| PKIX_Shutdown(plContext); |
| |
| PKIX_TEST_RETURN(); |
| |
| endTests("PolicyChecker"); |
| |
| return (0); |
| } |