test_certselector.c (62569B)
1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 /* 5 * test_certselector.c 6 * 7 * Test Cert Selector 8 * 9 */ 10 11 #include "testutil.h" 12 #include "testutil_nss.h" 13 14 #define PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS 5 15 #define PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS 2 16 #define PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS 2 17 #define PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS 4 18 #define PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS 1 19 20 static void *plContext = NULL; 21 22 /* 23 * The first three certs are used to obtain policies to test 24 * policy matching. Changing the table could break tests. 25 */ 26 static char *certList[] = { 27 #define POLICY1CERT 0 28 "GoodCACert.crt", 29 #define ANYPOLICYCERT 1 30 "anyPolicyCACert.crt", 31 #define POLICY2CERT 2 32 "PoliciesP12CACert.crt", 33 #define SUBJECTCERT 3 34 "PoliciesP3CACert.crt", 35 "PoliciesP1234CACert.crt", 36 "pathLenConstraint0CACert.crt", 37 "pathLenConstraint1CACert.crt", 38 "pathLenConstraint6CACert.crt", 39 "TrustAnchorRootCertificate.crt", 40 "GoodsubCACert.crt", 41 "AnyPolicyTest14EE.crt", 42 "UserNoticeQualifierTest16EE.crt" 43 }; 44 #define NUMCERTS (sizeof(certList) / sizeof(certList[0])) 45 46 /* 47 * Following are Certs values for NameConstraints tests 48 * 49 * Cert0:nameConstraintsDN1subCA1Cert.crt: 50 * Subject:CN=nameConstraints DN1 subCA1,OU=permittedSubtree1, 51 * O=Test Certificates,C=US 52 * Permitted Name:(OU=permittedSubtree2,OU=permittedSubtree1, 53 * O=Test Certificates,C=US) 54 * Excluded Name: (EMPTY) 55 * Cert1:nameConstraintsDN3subCA2Cert.crt: 56 * Subject:CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US 57 * Permitted Name:(O=Test Certificates,C=US) 58 * Excluded Name:(EMPTY) 59 * Cert2:nameConstraintsDN2CACert.crt 60 * Subject:CN=nameConstraints DN2 CA,O=Test Certificates,C=US 61 * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US, 62 * OU=permittedSubtree2,O=Test Certificates,C=US) 63 * Excluded Name:(EMPTY) 64 * Cert3:nameConstraintsDN3subCA1Cert.crt 65 * Subject:CN=nameConstraints DN3 subCA1,O=Test Certificates,C=US 66 * Permitted Name:(EMPTY) 67 * Excluded Name:(OU=excludedSubtree2,O=Test Certificates,C=US) 68 * Cert4:nameConstraintsDN4CACert.crt 69 * Subject:CN=nameConstraints DN4 CA,O=Test Certificates,C=US 70 * Permitted Name:(EMPTY) 71 * Excluded Name:(OU=excludedSubtree1,O=Test Certificates,C=US, 72 * OU=excludedSubtree2,O=Test Certificates,C=US) 73 * Cert5:nameConstraintsDN5CACert.crt 74 * Subject:CN=nameConstraints DN5 CA,O=Test Certificates,C=US 75 * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US) 76 * Excluded Name:(OU=excludedSubtree1,OU=permittedSubtree1, 77 * O=Test Certificates,C=US) 78 * Cert6:ValidDNnameConstraintsTest1EE.crt 79 * Subject:CN=Valid DN nameConstraints EE Certificate Test1, 80 * OU=permittedSubtree1,O=Test Certificates,C=US 81 * 82 */ 83 static char *ncCertList[] = { 84 "nameConstraintsDN1subCA1Cert.crt", 85 "nameConstraintsDN3subCA2Cert.crt", 86 "nameConstraintsDN2CACert.crt", 87 "nameConstraintsDN3subCA1Cert.crt", 88 "nameConstraintsDN4CACert.crt", 89 "nameConstraintsDN5CACert.crt", 90 "ValidDNnameConstraintsTest1EE.crt" 91 }; 92 #define NUMNCCERTS (sizeof(ncCertList) / sizeof(ncCertList[0])) 93 94 static char *sanCertList[] = { 95 "InvalidDNnameConstraintsTest3EE.crt", 96 "InvalidDNSnameConstraintsTest38EE.crt" 97 }; 98 #define NUMSANCERTS (sizeof(sanCertList) / sizeof(sanCertList[0])) 99 100 /* 101 * This function calls the CertSelector pointed to by "selector" for each 102 * cert in the List pointed to by "certs", and compares the results against 103 * the bit array given by the UInt32 "expectedResults". If the first cert is 104 * expected to pass, the lower-order bit of "expectedResults" should be 1. 105 * If the second cert is expected to pass, the second bit of "expectedResults" 106 * should be 1, and so on. If more than 32 certs are provided, only the first 107 * 32 will be checked. It is not an error to provide more bits than needed. 108 * (For example, if you expect every cert to pass, "expectedResult" can be 109 * set to 0xFFFFFFFF, even if the chain has fewer than 32 certs.) 110 */ 111 static void 112 testSelector( 113 PKIX_CertSelector *selector, 114 PKIX_List *certs, 115 PKIX_UInt32 expectedResults) 116 { 117 PKIX_UInt32 i = 0; 118 PKIX_UInt32 numCerts = 0; 119 PKIX_PL_Cert *cert = NULL; 120 PKIX_CertSelector_MatchCallback callback = NULL; 121 PKIX_Error *errReturn = NULL; 122 PKIX_Boolean result = PKIX_TRUE; 123 124 PKIX_TEST_STD_VARS(); 125 126 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(selector, &callback, plContext)); 127 128 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); 129 if (numCerts > 32) { 130 numCerts = 32; 131 } 132 133 for (i = 0; i < numCerts; i++) { 134 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); 135 errReturn = callback(selector, cert, &result, plContext); 136 137 if (errReturn || result == PKIX_FALSE) { 138 if ((expectedResults & 1) == 1) { 139 testError("selector unexpectedly failed"); 140 (void)printf(" processing cert:\t%d\n", i); 141 } 142 } else { 143 if ((expectedResults & 1) == 0) { 144 testError("selector unexpectedly passed"); 145 (void)printf(" processing cert:\t%d\n", i); 146 } 147 } 148 149 expectedResults = expectedResults >> 1; 150 PKIX_TEST_DECREF_BC(cert); 151 PKIX_TEST_DECREF_BC(errReturn); 152 } 153 154 cleanup: 155 156 PKIX_TEST_DECREF_AC(cert); 157 PKIX_TEST_DECREF_AC(errReturn); 158 159 PKIX_TEST_RETURN(); 160 } 161 162 /* 163 * This function gets a policy from the Cert pointed to by "cert", according 164 * to the index provided by "index", creates an immutable List containing the 165 * OID of that policy, and stores the result at "pPolicyList". 166 */ 167 static void 168 testGetPolicyFromCert( 169 PKIX_PL_Cert *cert, 170 PKIX_UInt32 index, 171 PKIX_List **pPolicyList) 172 { 173 PKIX_List *policyInfo = NULL; 174 PKIX_PL_CertPolicyInfo *firstPolicy = NULL; 175 PKIX_PL_OID *policyOID = NULL; 176 PKIX_List *list = NULL; 177 178 PKIX_TEST_STD_VARS(); 179 180 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &policyInfo, plContext)); 181 182 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(policyInfo, 183 index, 184 (PKIX_PL_Object **)&firstPolicy, 185 plContext)); 186 187 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(firstPolicy, &policyOID, plContext)); 188 189 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext)); 190 191 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list, (PKIX_PL_Object *)policyOID, plContext)); 192 193 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(list, plContext)); 194 195 *pPolicyList = list; 196 197 cleanup: 198 199 PKIX_TEST_DECREF_AC(policyInfo); 200 PKIX_TEST_DECREF_AC(firstPolicy); 201 PKIX_TEST_DECREF_AC(policyOID); 202 203 PKIX_TEST_RETURN(); 204 } 205 206 /* 207 * This custom matchCallback will pass any Certificate which has no 208 * CertificatePolicies extension and any Certificate whose Policies 209 * extension include a CertPolicyQualifier. 210 */ 211 static PKIX_Error * 212 custom_CertSelector_MatchCallback( 213 PKIX_CertSelector *selector, 214 PKIX_PL_Cert *cert, 215 PKIX_Boolean *pResult, 216 void *plContext) 217 { 218 PKIX_UInt32 i = 0; 219 PKIX_UInt32 numPolicies = 0; 220 PKIX_List *certPolicies = NULL; 221 PKIX_List *quals = NULL; 222 PKIX_PL_CertPolicyInfo *policy = NULL; 223 PKIX_Error *error = NULL; 224 225 PKIX_TEST_STD_VARS(); 226 227 *pResult = PKIX_TRUE; 228 229 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &certPolicies, plContext)); 230 231 if (certPolicies) { 232 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certPolicies, &numPolicies, plContext)); 233 234 for (i = 0; i < numPolicies; i++) { 235 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certPolicies, 236 i, 237 (PKIX_PL_Object **)&policy, 238 plContext)); 239 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(policy, &quals, plContext)); 240 if (quals) { 241 goto cleanup; 242 } 243 PKIX_TEST_DECREF_BC(policy); 244 } 245 PKIX_TEST_DECREF_BC(certPolicies); 246 *pResult = PKIX_FALSE; 247 248 PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(PKIX_CERTSELECTOR_ERROR, 249 NULL, 250 NULL, 251 PKIX_TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, 252 &error, 253 plContext)); 254 } 255 256 cleanup: 257 258 PKIX_TEST_DECREF_AC(certPolicies); 259 PKIX_TEST_DECREF_AC(policy); 260 PKIX_TEST_DECREF_AC(quals); 261 262 return (error); 263 } 264 265 /* 266 * This custom matchCallback will pass any Certificate whose 267 * CertificatePolicies extension asserts the Policy specified by 268 * the OID in the CertSelectorContext object. 269 */ 270 static PKIX_Error * 271 custom_CertSelector_MatchOIDCallback( 272 PKIX_CertSelector *selector, 273 PKIX_PL_Cert *cert, 274 PKIX_Boolean *pResult, 275 void *plContext) 276 { 277 PKIX_UInt32 i = 0; 278 PKIX_UInt32 numPolicies = 0; 279 PKIX_Boolean match = PKIX_FALSE; 280 PKIX_PL_Object *certSelectorContext = NULL; 281 PKIX_PL_OID *constraintOID = NULL; 282 PKIX_List *certPolicies = NULL; 283 PKIX_PL_CertPolicyInfo *policy = NULL; 284 PKIX_PL_OID *policyOID = NULL; 285 PKIX_PL_String *errorDesc = NULL; 286 PKIX_Error *error = NULL; 287 288 PKIX_TEST_STD_VARS(); 289 290 *pResult = PKIX_TRUE; 291 292 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCertSelectorContext(selector, &certSelectorContext, plContext)); 293 294 PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType(certSelectorContext, PKIX_OID_TYPE, plContext)); 295 296 constraintOID = (PKIX_PL_OID *)certSelectorContext; 297 298 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(cert, &certPolicies, plContext)); 299 300 if (certPolicies) { 301 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certPolicies, &numPolicies, plContext)); 302 303 for (i = 0; i < numPolicies; i++) { 304 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certPolicies, 305 i, 306 (PKIX_PL_Object **)&policy, 307 plContext)); 308 309 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(policy, &policyOID, plContext)); 310 311 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)policyOID, 312 (PKIX_PL_Object *)constraintOID, 313 &match, 314 plContext)); 315 316 if (match) { 317 goto cleanup; 318 } 319 PKIX_TEST_DECREF_BC(policy); 320 PKIX_TEST_DECREF_BC(policyOID); 321 } 322 } 323 324 PKIX_TEST_DECREF_BC(certSelectorContext); 325 PKIX_TEST_DECREF_BC(certPolicies); 326 327 PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(PKIX_CERTSELECTOR_ERROR, 328 NULL, 329 NULL, 330 PKIX_TESTNOMATCHINGPOLICY, 331 &error, 332 plContext)); 333 334 cleanup: 335 336 PKIX_TEST_DECREF_AC(certSelectorContext); 337 PKIX_TEST_DECREF_AC(certPolicies); 338 PKIX_TEST_DECREF_AC(policy); 339 PKIX_TEST_DECREF_AC(policyOID); 340 PKIX_TEST_DECREF_AC(errorDesc); 341 342 return (error); 343 } 344 345 static void 346 testSubjectMatch( 347 PKIX_List *certs, 348 PKIX_PL_Cert *certNameToMatch) 349 { 350 PKIX_CertSelector *selector = NULL; 351 PKIX_ComCertSelParams *subjParams = NULL; 352 PKIX_PL_X500Name *subjectName = NULL; 353 354 PKIX_TEST_STD_VARS(); 355 356 subTest("Subject name match"); 357 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 358 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&subjParams, plContext)); 359 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(certNameToMatch, &subjectName, plContext)); 360 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(subjParams, subjectName, plContext)); 361 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, subjParams, plContext)); 362 testSelector(selector, certs, 0x008); 363 364 cleanup: 365 366 PKIX_TEST_DECREF_AC(selector); 367 PKIX_TEST_DECREF_AC(subjParams); 368 PKIX_TEST_DECREF_AC(subjectName); 369 370 PKIX_TEST_RETURN(); 371 } 372 373 static void 374 testBasicConstraintsMatch( 375 PKIX_List *certs) 376 { 377 PKIX_CertSelector *selector = NULL; 378 PKIX_ComCertSelParams *bcParams = NULL; 379 380 PKIX_TEST_STD_VARS(); 381 382 subTest("Basic Constraints match"); 383 subTest(" pathLenContraint = -2: pass only EE's"); 384 385 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 386 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&bcParams, plContext)); 387 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, -2, plContext)); 388 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); 389 testSelector(selector, certs, 0xC00); 390 391 subTest(" pathLenContraint = -1: pass all certs"); 392 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, -1, plContext)); 393 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); 394 testSelector(selector, certs, 0xFFF); 395 396 subTest(" pathLenContraint = 1: pass only certs with pathLen >= 1"); 397 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, 1, plContext)); 398 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); 399 testSelector(selector, certs, 0x3DF); 400 401 subTest(" pathLenContraint = 2: pass only certs with pathLen >= 2"); 402 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(bcParams, 2, plContext)); 403 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, bcParams, plContext)); 404 testSelector(selector, certs, 0x39F); 405 406 cleanup: 407 PKIX_TEST_DECREF_AC(selector); 408 PKIX_TEST_DECREF_AC(bcParams); 409 410 PKIX_TEST_RETURN(); 411 } 412 413 static void 414 testPolicyMatch( 415 PKIX_List *certs, 416 PKIX_PL_Cert *NIST1Cert, /* a source for policy NIST1 */ 417 PKIX_PL_Cert *NIST2Cert, /* a source for policy NIST2 */ 418 PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ 419 { 420 PKIX_CertSelector *selector = NULL; 421 PKIX_List *emptyList = NULL; /* no members */ 422 PKIX_List *policy1List = NULL; /* OIDs */ 423 PKIX_List *policy2List = NULL; /* OIDs */ 424 PKIX_List *anyPolicyList = NULL; /* OIDs */ 425 PKIX_ComCertSelParams *polParams = NULL; 426 427 PKIX_TEST_STD_VARS(); 428 429 subTest("Policy match"); 430 testGetPolicyFromCert(NIST1Cert, 0, &policy1List); 431 testGetPolicyFromCert(NIST2Cert, 1, &policy2List); 432 testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); 433 434 subTest(" Pass certs with any CertificatePolicies extension"); 435 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext)); 436 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); 437 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, emptyList, plContext)); 438 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 439 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); 440 testSelector(selector, certs, 0xEFF); 441 PKIX_TEST_DECREF_BC(polParams); 442 443 subTest(" Pass only certs with policy NIST1"); 444 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); 445 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, policy1List, plContext)); 446 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); 447 testSelector(selector, certs, 0xEF5); 448 PKIX_TEST_DECREF_BC(polParams); 449 450 subTest(" Pass only certs with policy NIST2"); 451 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); 452 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, policy2List, plContext)); 453 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); 454 testSelector(selector, certs, 0x814); 455 PKIX_TEST_DECREF_BC(polParams); 456 457 subTest(" Pass only certs with policy anyPolicy"); 458 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&polParams, plContext)); 459 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(polParams, anyPolicyList, plContext)); 460 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, polParams, plContext)); 461 testSelector(selector, certs, 0x002); 462 463 cleanup: 464 465 PKIX_TEST_DECREF_AC(selector); 466 PKIX_TEST_DECREF_AC(emptyList); 467 PKIX_TEST_DECREF_AC(policy1List); 468 PKIX_TEST_DECREF_AC(policy2List); 469 PKIX_TEST_DECREF_AC(anyPolicyList); 470 PKIX_TEST_DECREF_AC(polParams); 471 472 PKIX_TEST_RETURN(); 473 } 474 475 static void 476 testCertificateMatch( 477 PKIX_List *certs, 478 PKIX_PL_Cert *certToMatch) 479 { 480 PKIX_CertSelector *selector = NULL; 481 PKIX_ComCertSelParams *params = NULL; 482 483 PKIX_TEST_STD_VARS(); 484 485 subTest("Certificate match"); 486 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 487 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 488 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(params, certToMatch, plContext)); 489 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 490 testSelector(selector, certs, 0x008); 491 492 cleanup: 493 494 PKIX_TEST_DECREF_AC(selector); 495 PKIX_TEST_DECREF_AC(params); 496 497 PKIX_TEST_RETURN(); 498 } 499 500 static void 501 testNameConstraintsMatch(PKIX_List *certs) 502 { 503 PKIX_CertSelector *selector = NULL; 504 PKIX_ComCertSelParams *params = NULL; 505 PKIX_PL_Cert *cert = NULL; 506 PKIX_PL_CertNameConstraints *permitNameConstraints1 = NULL; 507 PKIX_PL_CertNameConstraints *permitNameConstraints2 = NULL; 508 PKIX_PL_CertNameConstraints *permitNameConstraints3 = NULL; 509 PKIX_PL_CertNameConstraints *excludeNameConstraints1 = NULL; 510 PKIX_PL_CertNameConstraints *excludeNameConstraints2 = NULL; 511 PKIX_PL_CertNameConstraints *excludeNameConstraints3 = NULL; 512 PKIX_UInt32 numCerts = 0; 513 514 PKIX_TEST_STD_VARS(); 515 516 subTest("test NameConstraints Cert Selector"); 517 518 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); 519 520 subTest(" PKIX_PL_Cert_GetNameConstraints <cert0-permitted>"); 521 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 0, (PKIX_PL_Object **)&cert, plContext)); 522 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints1, plContext)); 523 PKIX_TEST_DECREF_BC(cert); 524 525 subTest(" PKIX_PL_Cert_GetNameConstraints <cert1-permitted>"); 526 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 1, (PKIX_PL_Object **)&cert, plContext)); 527 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints2, plContext)); 528 PKIX_TEST_DECREF_BC(cert); 529 530 subTest(" PKIX_PL_Cert_GetNameConstraints <cert2-permitted>"); 531 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 2, (PKIX_PL_Object **)&cert, plContext)); 532 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &permitNameConstraints3, plContext)); 533 PKIX_TEST_DECREF_BC(cert); 534 535 subTest(" PKIX_PL_Cert_GetNameConstraints <cert3-excluded>"); 536 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 3, (PKIX_PL_Object **)&cert, plContext)); 537 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints1, plContext)); 538 PKIX_TEST_DECREF_BC(cert); 539 540 subTest(" PKIX_PL_Cert_GetNameConstraints <cert4-excluded>"); 541 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 4, (PKIX_PL_Object **)&cert, plContext)); 542 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints2, plContext)); 543 PKIX_TEST_DECREF_BC(cert); 544 545 subTest(" PKIX_PL_Cert_GetNameConstraints <cert5-excluded>"); 546 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, 5, (PKIX_PL_Object **)&cert, plContext)); 547 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(cert, &excludeNameConstraints3, plContext)); 548 PKIX_TEST_DECREF_BC(cert); 549 550 subTest(" Create Selector and ComCertSelParams"); 551 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 552 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 553 554 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 555 556 subTest(" CertNameConstraints testing permitted NONE"); 557 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints1, plContext)); 558 testSelector(selector, certs, 0x0); 559 560 subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); 561 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, NULL, plContext)); 562 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 563 564 subTest(" CertNameConstraints testing permitted ALL"); 565 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints2, plContext)); 566 testSelector(selector, certs, 0x07F); 567 568 subTest(" CertNameConstraints testing permitted TWO"); 569 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, permitNameConstraints3, plContext)); 570 testSelector(selector, certs, 0x0041); 571 572 subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); 573 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, NULL, plContext)); 574 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 575 576 subTest(" CertNameConstraints testing excluded"); 577 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints1, plContext)); 578 testSelector(selector, certs, 0x07F); 579 580 subTest(" CertNameConstraints testing excluded"); 581 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints2, plContext)); 582 testSelector(selector, certs, 0x07F); 583 584 subTest(" CertNameConstraints testing excluded"); 585 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints(params, excludeNameConstraints3, plContext)); 586 testSelector(selector, certs, 0x41); 587 588 cleanup: 589 590 PKIX_TEST_DECREF_AC(selector); 591 PKIX_TEST_DECREF_AC(params); 592 PKIX_TEST_DECREF_AC(permitNameConstraints1); 593 PKIX_TEST_DECREF_AC(permitNameConstraints2); 594 PKIX_TEST_DECREF_AC(permitNameConstraints3); 595 PKIX_TEST_DECREF_AC(excludeNameConstraints1); 596 PKIX_TEST_DECREF_AC(excludeNameConstraints2); 597 PKIX_TEST_DECREF_AC(excludeNameConstraints3); 598 599 PKIX_TEST_RETURN(); 600 } 601 602 static void 603 testPathToNamesMatch(PKIX_List *certs) 604 { 605 PKIX_CertSelector *selector = NULL; 606 PKIX_ComCertSelParams *params = NULL; 607 PKIX_List *nameList = NULL; 608 PKIX_PL_GeneralName *name = NULL; 609 610 PKIX_TEST_STD_VARS(); 611 612 subTest("test PathToName Cert Selector"); 613 614 subTest(" PKIX_PL_GeneralName List create"); 615 616 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); 617 618 subTest(" Add directory name <O=NotATest Certificates,C=US>"); 619 name = createGeneralName(PKIX_DIRECTORY_NAME, 620 "O=NotATest Certificates,C=US", 621 plContext); 622 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); 623 624 subTest(" Create Selector and ComCertSelParams"); 625 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 626 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 627 628 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 629 630 subTest(" PKIX_ComCertSelParams_SetPathToNames"); 631 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); 632 633 subTest(" Permitting THREE"); 634 testSelector(selector, certs, 0x58); 635 636 subTest(" Remove directory name <O=NotATest Certificates,C=US...>"); 637 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(nameList, 0, plContext)); 638 PKIX_TEST_DECREF_BC(name); 639 640 subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); 641 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); 642 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 643 644 subTest(" Add directory name <OU=permittedSubtree1,O=Test...>"); 645 name = createGeneralName(PKIX_DIRECTORY_NAME, 646 "OU=permittedSubtree1,O=Test Certificates,C=US", 647 plContext); 648 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); 649 650 subTest(" PKIX_ComCertSelParams_SetPathToNames"); 651 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); 652 653 subTest(" Permitting SIX"); 654 testSelector(selector, certs, 0x5F); 655 656 subTest(" Remove directory name <OU=permittedSubtree1,O=Test...>"); 657 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(nameList, 0, plContext)); 658 PKIX_TEST_DECREF_BC(name); 659 660 subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); 661 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); 662 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 663 664 subTest(" Add directory name <O=Test Certificates,C=US...>"); 665 name = createGeneralName(PKIX_DIRECTORY_NAME, 666 "O=Test Certificates,C=US", 667 plContext); 668 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); 669 PKIX_TEST_DECREF_BC(name); 670 671 subTest(" PKIX_ComCertSelParams_SetPathToNames"); 672 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); 673 674 subTest(" Permitting FOUR"); 675 testSelector(selector, certs, 0x47); 676 677 subTest(" Only directory name <OU=permittedSubtree1,O=Test ...>"); 678 name = createGeneralName(PKIX_DIRECTORY_NAME, 679 "OU=permittedSubtree1,O=Test Certificates,C=US", 680 plContext); 681 682 subTest(" PKIX_ComCertSelParams_AddPathToName"); 683 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName(params, name, plContext)); 684 PKIX_TEST_DECREF_BC(name); 685 686 subTest(" Permitting FOUR"); 687 testSelector(selector, certs, 0x47); 688 689 subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); 690 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); 691 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 692 PKIX_TEST_DECREF_BC(nameList); 693 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); 694 695 subTest(" Add directory name <CN=Valid DN nameConstraints EE...>"); 696 name = createGeneralName(PKIX_DIRECTORY_NAME, "CN=Valid DN nameConstraints EE " 697 "Certificate Test1,OU=permittedSubtree1," 698 "O=Test Certificates,C=US", 699 plContext); 700 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); 701 PKIX_TEST_DECREF_BC(name); 702 703 subTest(" PKIX_ComCertSelParams_SetPathToNames"); 704 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); 705 706 subTest(" Permitting SIX"); 707 testSelector(selector, certs, 0x7e); 708 709 subTest(" Add directory name <OU=permittedSubtree1,O=Test>"); 710 name = createGeneralName(PKIX_DIRECTORY_NAME, 711 "OU=permittedSubtree1,O=Test", 712 plContext); 713 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); 714 PKIX_TEST_DECREF_BC(name); 715 716 subTest(" PKIX_ComCertSelParams_SetPathToNames"); 717 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, nameList, plContext)); 718 719 subTest(" Permitting SIX"); 720 testSelector(selector, certs, 0x58); 721 722 subTest(" Add directory name <O=Test Certificates,C=US>"); 723 name = createGeneralName(PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext); 724 725 subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); 726 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames(params, NULL, plContext)); 727 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName(params, name, plContext)); 728 PKIX_TEST_DECREF_BC(name); 729 730 subTest(" Permitting FOUR"); 731 testSelector(selector, certs, 0x47); 732 733 cleanup: 734 735 PKIX_TEST_DECREF_AC(selector); 736 PKIX_TEST_DECREF_AC(params); 737 PKIX_TEST_DECREF_AC(nameList); 738 739 PKIX_TEST_RETURN(); 740 } 741 742 static void 743 testSubjAltNamesMatch(PKIX_List *certs) 744 { 745 PKIX_CertSelector *selector = NULL; 746 PKIX_ComCertSelParams *params = NULL; 747 PKIX_List *nameList = NULL; 748 PKIX_PL_GeneralName *name = NULL; 749 750 PKIX_TEST_STD_VARS(); 751 752 subTest("test SubjAltNames Cert Selector"); 753 754 subTest(" PKIX_PL_GeneralName List create"); 755 756 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); 757 758 subTest(" Create Selector and ComCertSelParams"); 759 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 760 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 761 762 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 763 764 subTest(" Add directory name <CN=Invalid DN nameConstraints EE...>"); 765 name = createGeneralName(PKIX_DIRECTORY_NAME, 766 "CN=Invalid DN nameConstraints EE Certificate Test3," 767 "OU=excludedSubtree1,O=Test Certificates,C=US", 768 plContext); 769 770 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameList, (PKIX_PL_Object *)name, plContext)); 771 772 subTest(" PKIX_ComCertSelParams_SetSubjAltNames"); 773 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames(params, nameList, plContext)); 774 775 PKIX_TEST_DECREF_BC(name); 776 PKIX_TEST_DECREF_BC(nameList); 777 778 subTest(" Permitting ONE"); 779 testSelector(selector, certs, 0x1); 780 781 subTest(" Add DNS name <mytestcertificates.gov>"); 782 name = createGeneralName(PKIX_DNS_NAME, 783 "mytestcertificates.gov", 784 plContext); 785 786 subTest(" PKIX_ComCertSelParams_AddSubjAltName"); 787 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(params, name, plContext)); 788 PKIX_TEST_DECREF_BC(name); 789 790 subTest(" Permitting NONE"); 791 testSelector(selector, certs, 0x0); 792 793 subTest(" PKIX_ComCertSelParams_SetMatchAllSubjAltNames to FALSE"); 794 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(params, PKIX_FALSE, plContext)); 795 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 796 797 subTest(" Permitting TWO"); 798 testSelector(selector, certs, 0x3); 799 800 cleanup: 801 802 PKIX_TEST_DECREF_AC(selector); 803 PKIX_TEST_DECREF_AC(params); 804 PKIX_TEST_DECREF_AC(name); 805 PKIX_TEST_DECREF_AC(nameList); 806 807 PKIX_TEST_RETURN(); 808 } 809 810 static void 811 testCertificateValidMatch( 812 PKIX_List *certs) 813 { 814 PKIX_CertSelector *selector = NULL; 815 PKIX_ComCertSelParams *params = NULL; 816 PKIX_PL_String *stringRep = NULL; 817 PKIX_PL_Date *testDate = NULL; 818 char *asciiRep = "050501000000Z"; 819 820 PKIX_TEST_STD_VARS(); 821 822 subTest("CertificateValid match"); 823 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 824 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 825 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext)); 826 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext)); 827 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(params, testDate, plContext)); 828 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 829 testSelector(selector, certs, 0xFFFFFFFF); 830 831 cleanup: 832 833 PKIX_TEST_DECREF_AC(selector); 834 PKIX_TEST_DECREF_AC(params); 835 PKIX_TEST_DECREF_AC(stringRep); 836 PKIX_TEST_DECREF_AC(testDate); 837 838 PKIX_TEST_RETURN(); 839 } 840 841 static void 842 test_customCallback1(PKIX_List *certs) 843 { 844 PKIX_CertSelector *selector = NULL; 845 846 PKIX_TEST_STD_VARS(); 847 848 subTest("custom matchCallback"); 849 850 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(custom_CertSelector_MatchCallback, 851 NULL, 852 &selector, 853 plContext)); 854 855 testSelector(selector, certs, 0x900); 856 857 cleanup: 858 859 PKIX_TEST_DECREF_AC(selector); 860 861 PKIX_TEST_RETURN(); 862 } 863 864 static void 865 test_customCallback2(PKIX_List *certs, 866 PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ 867 { 868 PKIX_CertSelector *selector = NULL; 869 PKIX_List *anyPolicyList = NULL; /* OIDs */ 870 PKIX_PL_OID *policyOID = NULL; 871 872 PKIX_TEST_STD_VARS(); 873 874 subTest("custom matchCallback with CertSelectorContext"); 875 876 testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); 877 878 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(anyPolicyList, 0, (PKIX_PL_Object **)&policyOID, plContext)); 879 880 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(custom_CertSelector_MatchOIDCallback, 881 (PKIX_PL_Object *)policyOID, 882 &selector, 883 plContext)); 884 885 testSelector(selector, certs, (1 << ANYPOLICYCERT)); 886 887 cleanup: 888 889 PKIX_TEST_DECREF_AC(selector); 890 PKIX_TEST_DECREF_AC(anyPolicyList); 891 PKIX_TEST_DECREF_AC(policyOID); 892 893 PKIX_TEST_RETURN(); 894 } 895 896 static void 897 testExtendedKeyUsageMatch(char *certDir) 898 { 899 PKIX_ComCertSelParams *goodParams = NULL; 900 PKIX_PL_OID *ekuOid = NULL; 901 PKIX_List *ekuOidList = NULL; 902 PKIX_PL_String *dirString = NULL; 903 PKIX_CertStore_CertCallback certCallback; 904 PKIX_CertStore *certStore = NULL; 905 PKIX_CertSelector *certSelector = NULL; 906 PKIX_List *certList = NULL; 907 PKIX_UInt32 numCert = 0; 908 void *nbioContext = NULL; 909 910 PKIX_TEST_STD_VARS(); 911 912 subTest("test Extended KeyUsage Cert Selector"); 913 914 subTest(" PKIX_ComCertSelParams_Create"); 915 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); 916 917 subTest(" Create Extended Key Usage OID List"); 918 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&ekuOidList, plContext)); 919 920 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.2", &ekuOid, plContext)); 921 922 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); 923 924 PKIX_TEST_DECREF_BC(ekuOid); 925 926 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.3", &ekuOid, plContext)); 927 928 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); 929 930 PKIX_TEST_DECREF_BC(ekuOid); 931 932 subTest(" PKIX_ComCertSelParams_SetExtendedKeyUsage"); 933 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage(goodParams, ekuOidList, plContext)); 934 935 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); 936 937 subTest(" PKIX_PL_CollectionCertStoreContext_Create"); 938 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); 939 940 subTest(" PKIX_CertSelector_Create"); 941 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); 942 943 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); 944 945 subTest(" PKIX_CertStore_GetCertCallback"); 946 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); 947 948 subTest(" Getting data from Cert Callback"); 949 PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); 950 951 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); 952 953 if (numCert != PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS) { 954 pkixTestErrorMsg = "unexpected Cert number mismatch"; 955 } 956 957 cleanup: 958 959 PKIX_TEST_DECREF_AC(ekuOid); 960 PKIX_TEST_DECREF_AC(ekuOidList); 961 PKIX_TEST_DECREF_AC(goodParams); 962 PKIX_TEST_DECREF_AC(dirString); 963 PKIX_TEST_DECREF_AC(certList); 964 PKIX_TEST_DECREF_AC(certSelector); 965 PKIX_TEST_DECREF_AC(certStore); 966 967 PKIX_TEST_RETURN(); 968 } 969 970 static void 971 testKeyUsageMatch(char *certDir) 972 { 973 PKIX_ComCertSelParams *goodParams = NULL; 974 PKIX_PL_String *dirString = NULL; 975 PKIX_CertStore_CertCallback certCallback; 976 PKIX_CertStore *certStore = NULL; 977 PKIX_CertSelector *certSelector = NULL; 978 PKIX_List *certList = NULL; 979 PKIX_UInt32 numCert = 0; 980 void *nbioContext = NULL; 981 982 PKIX_TEST_STD_VARS(); 983 984 subTest("test KeyUsage Cert Selector"); 985 986 subTest(" PKIX_ComCertSelParams_Create"); 987 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); 988 989 subTest(" PKIX_ComCertSelParams_SetKeyUsage"); 990 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage(goodParams, PKIX_CRL_SIGN, plContext)); 991 992 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); 993 994 subTest(" PKIX_PL_CollectionCertStoreContext_Create"); 995 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); 996 997 subTest(" PKIX_CertSelector_Create"); 998 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); 999 1000 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); 1001 1002 subTest(" PKIX_CertStore_GetCertCallback"); 1003 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); 1004 1005 subTest(" Getting data from Cert Callback"); 1006 PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); 1007 1008 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); 1009 1010 if (numCert != PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS) { 1011 pkixTestErrorMsg = "unexpected Cert number mismatch"; 1012 } 1013 1014 cleanup: 1015 1016 PKIX_TEST_DECREF_AC(goodParams); 1017 PKIX_TEST_DECREF_AC(dirString); 1018 PKIX_TEST_DECREF_AC(certList); 1019 PKIX_TEST_DECREF_AC(certSelector); 1020 PKIX_TEST_DECREF_AC(certStore); 1021 1022 PKIX_TEST_RETURN(); 1023 } 1024 1025 static void 1026 testCertValidMatch(char *certDir) 1027 { 1028 PKIX_ComCertSelParams *goodParams = NULL; 1029 PKIX_PL_Date *validDate = NULL; 1030 PKIX_PL_String *dirString = NULL; 1031 PKIX_CertStore_CertCallback certCallback; 1032 PKIX_CertStore *certStore = NULL; 1033 PKIX_CertSelector *certSelector = NULL; 1034 PKIX_List *certList = NULL; 1035 PKIX_UInt32 numCert = 0; 1036 void *nbioContext = NULL; 1037 1038 PKIX_TEST_STD_VARS(); 1039 1040 subTest("test CertValid Cert Selector"); 1041 1042 subTest(" PKIX_ComCertSelParams_Create"); 1043 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); 1044 1045 validDate = createDate("050601000000Z", plContext); 1046 1047 subTest(" PKIX_ComCertSelParams_SetCertificateValid"); 1048 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(goodParams, validDate, plContext)); 1049 1050 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); 1051 1052 subTest(" PKIX_PL_CollectionCertStoreContext_Create"); 1053 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); 1054 1055 subTest(" PKIX_CertSelector_Create"); 1056 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); 1057 1058 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); 1059 1060 subTest(" PKIX_CertStore_GetCertCallback"); 1061 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); 1062 1063 subTest(" Getting data from Cert Callback"); 1064 PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); 1065 1066 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); 1067 1068 if (numCert != PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS) { 1069 pkixTestErrorMsg = "unexpected Cert number mismatch"; 1070 } 1071 1072 cleanup: 1073 1074 PKIX_TEST_DECREF_AC(goodParams); 1075 PKIX_TEST_DECREF_AC(validDate); 1076 PKIX_TEST_DECREF_AC(dirString); 1077 PKIX_TEST_DECREF_AC(certList); 1078 PKIX_TEST_DECREF_AC(certSelector); 1079 PKIX_TEST_DECREF_AC(certStore); 1080 1081 PKIX_TEST_RETURN(); 1082 } 1083 1084 static void 1085 testIssuerMatch(char *certDir) 1086 { 1087 PKIX_ComCertSelParams *goodParams = NULL; 1088 PKIX_PL_X500Name *issuer = NULL; 1089 PKIX_PL_String *issuerStr = NULL; 1090 PKIX_PL_String *dirString = NULL; 1091 PKIX_CertStore_CertCallback certCallback; 1092 PKIX_CertStore *certStore = NULL; 1093 PKIX_CertSelector *certSelector = NULL; 1094 PKIX_List *certList = NULL; 1095 char *issuerName = "CN=science,O=mit,C=US"; 1096 PKIX_UInt32 numCert = 0; 1097 void *nbioContext = NULL; 1098 1099 PKIX_TEST_STD_VARS(); 1100 1101 subTest("test Issuer Cert Selector"); 1102 1103 subTest(" PKIX_ComCertSelParams_Create"); 1104 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); 1105 1106 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, issuerName, 0, &issuerStr, plContext)); 1107 1108 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuerStr, &issuer, plContext)); 1109 1110 subTest(" PKIX_ComCertSelParams_SetIssuer"); 1111 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer(goodParams, issuer, plContext)); 1112 1113 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); 1114 1115 subTest(" PKIX_PL_CollectionCertStoreContext_Create"); 1116 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); 1117 1118 subTest(" PKIX_CertSelector_Create"); 1119 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); 1120 1121 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); 1122 1123 subTest(" PKIX_CertStore_GetCertCallback"); 1124 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); 1125 1126 subTest(" Getting data from Cert Callback"); 1127 PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); 1128 1129 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); 1130 1131 if (numCert != PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS) { 1132 pkixTestErrorMsg = "unexpected Cert number mismatch"; 1133 } 1134 1135 cleanup: 1136 1137 PKIX_TEST_DECREF_AC(goodParams); 1138 PKIX_TEST_DECREF_AC(issuer); 1139 PKIX_TEST_DECREF_AC(issuerStr); 1140 PKIX_TEST_DECREF_AC(dirString); 1141 PKIX_TEST_DECREF_AC(certList); 1142 PKIX_TEST_DECREF_AC(certSelector); 1143 PKIX_TEST_DECREF_AC(certStore); 1144 1145 PKIX_TEST_RETURN(); 1146 } 1147 1148 static void 1149 testSerialNumberVersionMatch(char *certDir) 1150 { 1151 PKIX_ComCertSelParams *goodParams = NULL; 1152 PKIX_PL_BigInt *serialNumber = NULL; 1153 PKIX_PL_String *serialNumberStr = NULL; 1154 PKIX_PL_String *dirString = NULL; 1155 PKIX_CertStore_CertCallback certCallback; 1156 PKIX_CertStore *certStore = NULL; 1157 PKIX_CertSelector *certSelector = NULL; 1158 PKIX_List *certList = NULL; 1159 PKIX_UInt32 numCert = 0; 1160 void *nbioContext = NULL; 1161 1162 PKIX_TEST_STD_VARS(); 1163 1164 subTest("test Serial Number Cert Selector"); 1165 1166 subTest(" PKIX_ComCertSelParams_Create"); 1167 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); 1168 1169 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "01", 0, &serialNumberStr, plContext)); 1170 1171 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(serialNumberStr, &serialNumber, plContext)); 1172 1173 subTest(" PKIX_ComCertSelParams_SetSerialNumber"); 1174 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber(goodParams, serialNumber, plContext)); 1175 1176 subTest(" PKIX_ComCertSelParams_SetVersion"); 1177 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 0, plContext)); 1178 1179 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, certDir, 0, &dirString, plContext)); 1180 1181 subTest(" PKIX_PL_CollectionCertStoreContext_Create"); 1182 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext)); 1183 1184 subTest(" PKIX_CertSelector_Create"); 1185 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); 1186 1187 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, goodParams, plContext)); 1188 1189 subTest(" PKIX_CertStore_GetCertCallback"); 1190 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &certCallback, NULL)); 1191 1192 subTest(" Getting data from Cert Callback"); 1193 PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); 1194 1195 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); 1196 1197 PKIX_TEST_DECREF_BC(certList); 1198 1199 if (numCert != 0) { 1200 pkixTestErrorMsg = "unexpected Version mismatch"; 1201 } 1202 1203 subTest(" PKIX_ComCertSelParams_SetVersion"); 1204 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 2, plContext)); 1205 1206 subTest(" Getting data from Cert Callback"); 1207 PKIX_TEST_EXPECT_NO_ERROR(certCallback(certStore, certSelector, &nbioContext, &certList, plContext)); 1208 1209 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); 1210 1211 if (numCert != PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS) { 1212 pkixTestErrorMsg = "unexpected Serial Number mismatch"; 1213 } 1214 1215 cleanup: 1216 1217 PKIX_TEST_DECREF_AC(goodParams); 1218 PKIX_TEST_DECREF_AC(serialNumber); 1219 PKIX_TEST_DECREF_AC(serialNumberStr); 1220 PKIX_TEST_DECREF_AC(dirString); 1221 PKIX_TEST_DECREF_AC(certList); 1222 PKIX_TEST_DECREF_AC(certSelector); 1223 PKIX_TEST_DECREF_AC(certStore); 1224 1225 PKIX_TEST_RETURN(); 1226 } 1227 1228 static void 1229 testSubjKeyIdMatch(PKIX_List *certs) 1230 { 1231 PKIX_CertSelector *selector = NULL; 1232 PKIX_ComCertSelParams *params = NULL; 1233 PKIX_PL_Cert *cert = NULL; 1234 PKIX_PL_ByteArray *selSubjKeyId = NULL; 1235 PKIX_UInt32 item = 0; 1236 1237 PKIX_TEST_STD_VARS(); 1238 1239 subTest("test Subject Key Id Cert Selector"); 1240 1241 item = 2; 1242 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); 1243 1244 subTest(" PKIX_PL_Cert_GetSubjectKeyIdentifier"); 1245 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(cert, &selSubjKeyId, plContext)); 1246 1247 subTest(" Create Selector and ComCertSelParams"); 1248 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 1249 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 1250 1251 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 1252 1253 subTest(" PKIX_ComCertSelParams_SetSubjKeyIdentifier"); 1254 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier(params, selSubjKeyId, plContext)); 1255 1256 subTest(" Select One"); 1257 testSelector(selector, certs, 1 << item); 1258 1259 cleanup: 1260 1261 PKIX_TEST_DECREF_AC(selSubjKeyId); 1262 PKIX_TEST_DECREF_AC(cert); 1263 PKIX_TEST_DECREF_AC(params); 1264 PKIX_TEST_DECREF_AC(selector); 1265 1266 PKIX_TEST_RETURN(); 1267 } 1268 1269 static void 1270 testAuthKeyIdMatch(PKIX_List *certs) 1271 { 1272 PKIX_CertSelector *selector = NULL; 1273 PKIX_ComCertSelParams *params = NULL; 1274 PKIX_PL_Cert *cert = NULL; 1275 PKIX_PL_ByteArray *selAuthKeyId = NULL; 1276 PKIX_UInt32 item = 0; 1277 1278 PKIX_TEST_STD_VARS(); 1279 1280 subTest("test Auth Key Id Cert Selector"); 1281 1282 item = 3; 1283 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); 1284 1285 subTest(" PKIX_PL_Cert_GetAuthorityKeyIdentifier"); 1286 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier(cert, &selAuthKeyId, plContext)); 1287 1288 subTest(" Create Selector and ComCertSelParams"); 1289 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 1290 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 1291 1292 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 1293 1294 subTest(" PKIX_ComCertSelParams_SetAuthorityKeyIdentifier"); 1295 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(params, selAuthKeyId, plContext)); 1296 1297 subTest(" Select TWO"); 1298 testSelector(selector, certs, (1 << item) | (1 << 1)); 1299 1300 cleanup: 1301 1302 PKIX_TEST_DECREF_AC(selAuthKeyId); 1303 PKIX_TEST_DECREF_AC(cert); 1304 PKIX_TEST_DECREF_AC(params); 1305 PKIX_TEST_DECREF_AC(selector); 1306 1307 PKIX_TEST_RETURN(); 1308 } 1309 1310 static void 1311 testSubjPKAlgIdMatch(PKIX_List *certs) 1312 { 1313 PKIX_CertSelector *selector = NULL; 1314 PKIX_ComCertSelParams *params = NULL; 1315 PKIX_PL_Cert *cert = NULL; 1316 PKIX_PL_OID *selAlgId = NULL; 1317 PKIX_UInt32 item = 0; 1318 1319 PKIX_TEST_STD_VARS(); 1320 1321 subTest("test Subject Public Key Algorithm Id Cert Selector"); 1322 1323 item = 0; 1324 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); 1325 1326 subTest(" PKIX_PL_Cert_GetSubjectPublicKeyAlgId"); 1327 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId(cert, &selAlgId, plContext)); 1328 1329 subTest(" Create Selector and ComCertSelParams"); 1330 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 1331 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 1332 1333 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 1334 1335 subTest(" PKIX_ComCertSelParams_SetSubjPKAlgId"); 1336 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId(params, selAlgId, plContext)); 1337 1338 subTest(" Select All"); 1339 testSelector(selector, certs, 0x7F); 1340 1341 cleanup: 1342 1343 PKIX_TEST_DECREF_AC(selAlgId); 1344 PKIX_TEST_DECREF_AC(cert); 1345 PKIX_TEST_DECREF_AC(params); 1346 PKIX_TEST_DECREF_AC(selector); 1347 1348 PKIX_TEST_RETURN(); 1349 } 1350 1351 static void 1352 testSubjPublicKeyMatch(PKIX_List *certs) 1353 { 1354 PKIX_CertSelector *selector = NULL; 1355 PKIX_ComCertSelParams *params = NULL; 1356 PKIX_PL_Cert *cert = NULL; 1357 PKIX_PL_PublicKey *selPublicKey = NULL; 1358 PKIX_UInt32 item = 0; 1359 1360 PKIX_TEST_STD_VARS(); 1361 1362 subTest("test Subject Public Key Cert Selector"); 1363 1364 item = 5; 1365 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, item, (PKIX_PL_Object **)&cert, plContext)); 1366 1367 subTest(" PKIX_PL_Cert_GetSubjectPublicKey"); 1368 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(cert, &selPublicKey, plContext)); 1369 1370 subTest(" Create Selector and ComCertSelParams"); 1371 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); 1372 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(¶ms, plContext)); 1373 1374 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, params, plContext)); 1375 1376 subTest(" PKIX_ComCertSelParams_SetSubjPubKey"); 1377 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey(params, selPublicKey, plContext)); 1378 1379 subTest(" Select ONE"); 1380 testSelector(selector, certs, 1 << item); 1381 1382 cleanup: 1383 1384 PKIX_TEST_DECREF_AC(selPublicKey); 1385 PKIX_TEST_DECREF_AC(cert); 1386 PKIX_TEST_DECREF_AC(params); 1387 PKIX_TEST_DECREF_AC(selector); 1388 1389 PKIX_TEST_RETURN(); 1390 } 1391 1392 static void 1393 test_CertSelector_Duplicate(PKIX_CertSelector *selector) 1394 { 1395 PKIX_Int32 goodBasicConstraints = 0; 1396 PKIX_Int32 equalBasicConstraints = 0; 1397 PKIX_CertSelector *dupSelector = NULL; 1398 PKIX_ComCertSelParams *goodParams = NULL; 1399 PKIX_ComCertSelParams *equalParams = NULL; 1400 PKIX_CertSelector_MatchCallback goodCallback = NULL; 1401 PKIX_CertSelector_MatchCallback equalCallback = NULL; 1402 PKIX_PL_X500Name *goodSubject = NULL; 1403 PKIX_PL_X500Name *equalSubject = NULL; 1404 PKIX_List *goodPolicy = NULL; 1405 PKIX_List *equalPolicy = NULL; 1406 PKIX_PL_Cert *goodCert = NULL; 1407 PKIX_PL_Cert *equalCert = NULL; 1408 PKIX_PL_Date *goodDate = NULL; 1409 PKIX_PL_Date *equalDate = NULL; 1410 1411 PKIX_TEST_STD_VARS(); 1412 1413 subTest("test_CertSelector_Duplicate"); 1414 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)selector, 1415 (PKIX_PL_Object **)&dupSelector, 1416 plContext)); 1417 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams(selector, &goodParams, plContext)); 1418 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams(dupSelector, &equalParams, plContext)); 1419 /* There is no equals function, so look at components separately. */ 1420 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(goodParams, &goodSubject, plContext)); 1421 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); 1422 if (goodSubject && equalSubject) { 1423 testEqualsHelper((PKIX_PL_Object *)goodSubject, 1424 (PKIX_PL_Object *)equalSubject, 1425 PKIX_TRUE, 1426 plContext); 1427 } else { 1428 if PKIX_EXACTLY_ONE_NULL (goodSubject, equalSubject) { 1429 pkixTestErrorMsg = "Subject Names are not equal!"; 1430 goto cleanup; 1431 } 1432 } 1433 1434 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(goodParams, &goodPolicy, plContext)); 1435 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicy, plContext)); 1436 if (goodPolicy && equalPolicy) { 1437 testEqualsHelper((PKIX_PL_Object *)goodPolicy, 1438 (PKIX_PL_Object *)equalPolicy, 1439 PKIX_TRUE, 1440 plContext); 1441 } else { 1442 if PKIX_EXACTLY_ONE_NULL (goodPolicy, equalPolicy) { 1443 pkixTestErrorMsg = "Policy Lists are not equal!"; 1444 goto cleanup; 1445 } 1446 } 1447 1448 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(goodParams, &goodCert, plContext)); 1449 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(equalParams, &equalCert, plContext)); 1450 if (goodCert && equalCert) { 1451 testEqualsHelper((PKIX_PL_Object *)goodCert, 1452 (PKIX_PL_Object *)equalCert, 1453 PKIX_TRUE, 1454 plContext); 1455 } else { 1456 if PKIX_EXACTLY_ONE_NULL (goodCert, equalCert) { 1457 pkixTestErrorMsg = "Cert Lists are not equal!"; 1458 goto cleanup; 1459 } 1460 } 1461 1462 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(goodParams, &goodDate, plContext)); 1463 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(equalParams, &equalDate, plContext)); 1464 if (goodCert && equalCert) { 1465 testEqualsHelper((PKIX_PL_Object *)goodDate, 1466 (PKIX_PL_Object *)equalDate, 1467 PKIX_TRUE, 1468 plContext); 1469 } else { 1470 if PKIX_EXACTLY_ONE_NULL (goodDate, equalDate) { 1471 pkixTestErrorMsg = "Date Lists are not equal!"; 1472 goto cleanup; 1473 } 1474 } 1475 1476 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(goodParams, &goodBasicConstraints, plContext)); 1477 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalBasicConstraints, plContext)); 1478 if (goodBasicConstraints != equalBasicConstraints) { 1479 pkixTestErrorMsg = "BasicConstraints are not equal!"; 1480 goto cleanup; 1481 } 1482 1483 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(selector, &goodCallback, plContext)); 1484 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback(dupSelector, &equalCallback, plContext)); 1485 if (goodCallback != equalCallback) { 1486 pkixTestErrorMsg = "MatchCallbacks are not equal!"; 1487 } 1488 1489 cleanup: 1490 1491 PKIX_TEST_DECREF_AC(dupSelector); 1492 PKIX_TEST_DECREF_AC(goodParams); 1493 PKIX_TEST_DECREF_AC(equalParams); 1494 PKIX_TEST_DECREF_AC(goodSubject); 1495 PKIX_TEST_DECREF_AC(equalSubject); 1496 PKIX_TEST_DECREF_AC(goodPolicy); 1497 PKIX_TEST_DECREF_AC(equalPolicy); 1498 PKIX_TEST_DECREF_AC(goodCert); 1499 PKIX_TEST_DECREF_AC(equalCert); 1500 PKIX_TEST_DECREF_AC(goodDate); 1501 PKIX_TEST_DECREF_AC(equalDate); 1502 1503 PKIX_TEST_RETURN(); 1504 } 1505 1506 static void 1507 printUsage(void) 1508 { 1509 (void)printf("\nUSAGE:\ttest_certselector <NIST_FILES_DIR> <cert-dir>\n\n"); 1510 } 1511 1512 int 1513 test_certselector(int argc, char *argv[]) 1514 { 1515 1516 PKIX_UInt32 i = 0; 1517 PKIX_UInt32 j = 0; 1518 PKIX_UInt32 actualMinorVersion; 1519 1520 PKIX_CertSelector *emptySelector = NULL; 1521 PKIX_List *certs = NULL; 1522 PKIX_List *nameConstraintsCerts = NULL; 1523 PKIX_List *subjAltNamesCerts = NULL; 1524 PKIX_PL_Cert *cert = NULL; 1525 PKIX_PL_Cert *policy1Cert = NULL; 1526 PKIX_PL_Cert *policy2Cert = NULL; 1527 PKIX_PL_Cert *anyPolicyCert = NULL; 1528 PKIX_PL_Cert *subjectCert = NULL; 1529 PKIX_ComCertSelParams *selParams = NULL; 1530 char *certDir = NULL; 1531 char *dirName = NULL; 1532 1533 PKIX_TEST_STD_VARS(); 1534 1535 startTests("CertSelector"); 1536 1537 PKIX_TEST_EXPECT_NO_ERROR( 1538 PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); 1539 1540 if (argc < 3) { 1541 printUsage(); 1542 return (0); 1543 } 1544 1545 dirName = argv[j + 1]; 1546 certDir = argv[j + 3]; 1547 1548 /* Create a List of certs to use in testing the selector */ 1549 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); 1550 1551 for (i = 0; i < NUMCERTS; i++) { 1552 1553 cert = createCert(dirName, certList[i], plContext); 1554 1555 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs, (PKIX_PL_Object *)cert, plContext)); 1556 if (i == POLICY1CERT) { 1557 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); 1558 policy1Cert = cert; 1559 } 1560 if (i == ANYPOLICYCERT) { 1561 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); 1562 anyPolicyCert = cert; 1563 } 1564 if (i == POLICY2CERT) { 1565 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); 1566 policy2Cert = cert; 1567 } 1568 if (i == SUBJECTCERT) { 1569 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)cert, plContext)); 1570 subjectCert = cert; 1571 } 1572 PKIX_TEST_DECREF_BC(cert); 1573 } 1574 1575 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameConstraintsCerts, plContext)); 1576 1577 for (i = 0; i < NUMNCCERTS; i++) { 1578 1579 cert = createCert(dirName, ncCertList[i], plContext); 1580 1581 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(nameConstraintsCerts, 1582 (PKIX_PL_Object *)cert, 1583 plContext)); 1584 1585 PKIX_TEST_DECREF_BC(cert); 1586 } 1587 1588 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&subjAltNamesCerts, plContext)); 1589 1590 for (i = 0; i < NUMSANCERTS; i++) { 1591 1592 cert = createCert(dirName, sanCertList[i], plContext); 1593 1594 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(subjAltNamesCerts, 1595 (PKIX_PL_Object *)cert, 1596 plContext)); 1597 1598 PKIX_TEST_DECREF_BC(cert); 1599 } 1600 1601 subTest("test_CertSelector_Create"); 1602 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &emptySelector, plContext)); 1603 1604 subTest("Default Match, no parameters set"); 1605 testSelector(emptySelector, certs, 0xFFFFFFFF); 1606 1607 testSubjectMatch(certs, subjectCert); 1608 1609 testBasicConstraintsMatch(certs); 1610 1611 testPolicyMatch(certs, policy1Cert, policy2Cert, anyPolicyCert); 1612 1613 testCertificateMatch(certs, subjectCert); 1614 1615 testCertificateValidMatch(certs); 1616 1617 subTest("Combination: pass only EE certs that assert some policy"); 1618 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&selParams, plContext)); 1619 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(selParams, -2, plContext)); 1620 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(emptySelector, selParams, plContext)); 1621 testSelector(emptySelector, certs, 0xC00); 1622 1623 testNameConstraintsMatch(nameConstraintsCerts); 1624 1625 testPathToNamesMatch(nameConstraintsCerts); 1626 1627 testSubjAltNamesMatch(subjAltNamesCerts); 1628 1629 testExtendedKeyUsageMatch(certDir); 1630 1631 testKeyUsageMatch(certDir); 1632 1633 testIssuerMatch(certDir); 1634 1635 testSerialNumberVersionMatch(certDir); 1636 1637 testCertValidMatch(certDir); 1638 1639 testSubjKeyIdMatch(nameConstraintsCerts); 1640 1641 testAuthKeyIdMatch(nameConstraintsCerts); 1642 1643 testSubjPKAlgIdMatch(nameConstraintsCerts); 1644 1645 testSubjPublicKeyMatch(nameConstraintsCerts); 1646 1647 test_CertSelector_Duplicate(emptySelector); 1648 1649 test_customCallback1(certs); 1650 1651 test_customCallback2(certs, anyPolicyCert); 1652 1653 subTest("test_CertSelector_Destroy"); 1654 1655 PKIX_TEST_DECREF_BC(emptySelector); 1656 1657 cleanup: 1658 1659 PKIX_TEST_DECREF_AC(emptySelector); 1660 PKIX_TEST_DECREF_AC(certs); 1661 PKIX_TEST_DECREF_AC(cert); 1662 PKIX_TEST_DECREF_AC(policy1Cert); 1663 PKIX_TEST_DECREF_AC(policy2Cert); 1664 PKIX_TEST_DECREF_AC(anyPolicyCert); 1665 PKIX_TEST_DECREF_AC(subjectCert); 1666 PKIX_TEST_DECREF_AC(selParams); 1667 PKIX_TEST_DECREF_AC(nameConstraintsCerts); 1668 PKIX_TEST_DECREF_AC(subjAltNamesCerts); 1669 1670 PKIX_Shutdown(plContext); 1671 1672 PKIX_TEST_RETURN(); 1673 1674 endTests("CertSelector"); 1675 1676 return (0); 1677 }