test_customcrlchecker.c (13510B)
1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 /* 5 * test_customcrlchecker.c 6 * 7 * Test Custom CRL Checking 8 * 9 */ 10 11 #include "testutil.h" 12 #include "testutil_nss.h" 13 14 #define PKIX_TEST_MAX_CERTS 10 15 #define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS 5 16 17 static void *plContext = NULL; 18 char *dirName = NULL; /* also used in callback */ 19 20 static void 21 printUsage1(char *pName) 22 { 23 printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName); 24 printf("cert [certs].\n"); 25 } 26 27 static void 28 printUsageMax(PKIX_UInt32 numCerts) 29 { 30 printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", 31 numCerts, PKIX_TEST_MAX_CERTS); 32 } 33 34 static PKIX_Error * 35 getCRLCallback( 36 PKIX_CertStore *store, 37 PKIX_CRLSelector *crlSelector, 38 void **pNBIOContext, 39 PKIX_List **pCrlList, 40 void *plContext) 41 { 42 char *crlFileNames[] = { "chem.crl", 43 "phys.crl", 44 "prof.crl", 45 "sci.crl", 46 "test.crl", 47 0 }; 48 PKIX_PL_CRL *crl = NULL; 49 PKIX_List *crlList = NULL; 50 PKIX_UInt32 i = 0; 51 52 PKIX_TEST_STD_VARS(); 53 54 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&crlList, plContext)); 55 56 while (crlFileNames[i]) { 57 58 crl = createCRL(dirName, crlFileNames[i++], plContext); 59 60 if (crl != NULL) { 61 62 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(crlList, (PKIX_PL_Object *)crl, plContext)); 63 64 PKIX_TEST_DECREF_BC(crl); 65 } 66 } 67 68 *pCrlList = crlList; 69 70 cleanup: 71 72 PKIX_TEST_RETURN(); 73 74 return (0); /* this function is called by libpkix */ 75 } 76 77 static PKIX_Error * 78 getCRLContinue( 79 PKIX_CertStore *store, 80 PKIX_CRLSelector *crlSelector, 81 void **pNBIOContext, 82 PKIX_List **pCrlList, 83 void *plContext) 84 { 85 return (NULL); 86 } 87 88 static PKIX_Error * 89 getCertCallback( 90 PKIX_CertStore *store, 91 PKIX_CertSelector *certSelector, 92 void **pNBIOContext, 93 PKIX_List **pCerts, 94 void *plContext) 95 { 96 return (NULL); 97 } 98 99 static PKIX_Error * 100 getCertContinue( 101 PKIX_CertStore *store, 102 PKIX_CertSelector *certSelector, 103 void **pNBIOContext, 104 PKIX_List **pCerts, 105 void *plContext) 106 { 107 return (NULL); 108 } 109 110 static PKIX_Error * 111 testCRLSelectorMatchCallback( 112 PKIX_CRLSelector *selector, 113 PKIX_PL_CRL *crl, 114 void *plContext) 115 { 116 PKIX_ComCRLSelParams *comCrlSelParams = NULL; 117 PKIX_List *issuerList = NULL; 118 PKIX_PL_X500Name *issuer = NULL; 119 PKIX_PL_X500Name *crlIssuer = NULL; 120 PKIX_UInt32 numIssuers = 0; 121 PKIX_UInt32 i = 0; 122 PKIX_Boolean result = PKIX_FALSE; 123 PKIX_Error *error = NULL; 124 char *errorText = "Not an error, CRL Select mismatch"; 125 126 PKIX_TEST_STD_VARS(); 127 128 subTest("Custom_Selector_MatchCallback"); 129 130 if (selector != NULL) { 131 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetCommonCRLSelectorParams(selector, &comCrlSelParams, plContext)); 132 } 133 134 if (crl != NULL) { 135 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer(crl, &crlIssuer, plContext)); 136 } 137 138 if (comCrlSelParams != NULL) { 139 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames(comCrlSelParams, &issuerList, plContext)); 140 } 141 142 if (issuerList != NULL) { 143 144 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(issuerList, &numIssuers, plContext)); 145 146 for (i = 0; i < numIssuers; i++) { 147 148 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(issuerList, 149 i, (PKIX_PL_Object **)&issuer, 150 plContext)); 151 152 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)crlIssuer, 153 (PKIX_PL_Object *)issuer, 154 &result, 155 plContext)); 156 157 if (result != PKIX_TRUE) { 158 break; 159 } 160 161 if (i == numIssuers - 1) { 162 163 PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create(0, 164 NULL, 165 NULL, 166 PKIX_TESTNOTANERRORCRLSELECTMISMATCH, 167 &error, 168 plContext)); 169 170 PKIX_TEST_DECREF_AC(issuer); 171 issuer = NULL; 172 break; 173 } 174 175 PKIX_TEST_DECREF_AC(issuer); 176 } 177 } 178 179 cleanup: 180 181 PKIX_TEST_DECREF_AC(comCrlSelParams); 182 PKIX_TEST_DECREF_AC(crlIssuer); 183 PKIX_TEST_DECREF_AC(issuer); 184 PKIX_TEST_DECREF_AC(issuerList); 185 186 PKIX_TEST_RETURN(); 187 188 return (error); 189 } 190 191 static PKIX_Error * 192 testAddIssuerName(PKIX_ComCRLSelParams *comCrlSelParams, char *issuerName) 193 { 194 PKIX_PL_String *issuerString = NULL; 195 PKIX_PL_X500Name *issuer = NULL; 196 PKIX_UInt32 length = 0; 197 198 PKIX_TEST_STD_VARS(); 199 200 subTest("PKIX_ComCRLSelParams_AddIssuerName"); 201 202 length = PL_strlen(issuerName); 203 204 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_UTF8, 205 issuerName, 206 length, 207 &issuerString, 208 plContext)); 209 210 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuerString, 211 &issuer, 212 plContext)); 213 214 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuer, plContext)); 215 216 cleanup: 217 218 PKIX_TEST_DECREF_AC(issuerString); 219 PKIX_TEST_DECREF_AC(issuer); 220 221 PKIX_TEST_RETURN(); 222 223 return (0); 224 } 225 226 static PKIX_Error * 227 testCustomCertStore(PKIX_ValidateParams *valParams) 228 { 229 PKIX_CertStore_CRLCallback crlCallback; 230 PKIX_CertStore *certStore = NULL; 231 PKIX_ProcessingParams *procParams = NULL; 232 char *issuerName1 = "cn=science,o=mit,c=us"; 233 char *issuerName2 = "cn=physics,o=mit,c=us"; 234 char *issuerName3 = "cn=prof noall,o=mit,c=us"; 235 char *issuerName4 = "cn=testing CRL,o=test,c=us"; 236 PKIX_ComCRLSelParams *comCrlSelParams = NULL; 237 PKIX_CRLSelector *crlSelector = NULL; 238 PKIX_List *crlList = NULL; 239 PKIX_UInt32 numCrl = 0; 240 void *nbioContext = NULL; 241 242 PKIX_TEST_STD_VARS(); 243 244 subTest("PKIX_PL_CollectionCertStore_Create"); 245 246 /* Create CRLSelector, link in CollectionCertStore */ 247 248 subTest("PKIX_ComCRLSelParams_AddIssuerNames"); 249 250 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext)); 251 252 testAddIssuerName(comCrlSelParams, issuerName1); 253 testAddIssuerName(comCrlSelParams, issuerName2); 254 testAddIssuerName(comCrlSelParams, issuerName3); 255 testAddIssuerName(comCrlSelParams, issuerName4); 256 257 subTest("PKIX_CRLSelector_SetCommonCRLSelectorParams"); 258 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(testCRLSelectorMatchCallback, 259 NULL, 260 &crlSelector, 261 plContext)); 262 263 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector, comCrlSelParams, plContext)); 264 265 /* Create CertStore, link in CRLSelector */ 266 267 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); 268 269 subTest("PKIX_CertStore_Create"); 270 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_Create(getCertCallback, 271 getCRLCallback, 272 getCertContinue, 273 getCRLContinue, 274 NULL, /* trustCallback */ 275 (PKIX_PL_Object *)crlSelector, /* fake */ 276 PKIX_FALSE, /* cacheFlag */ 277 PKIX_TRUE, /* localFlag */ 278 &certStore, 279 plContext)); 280 281 subTest("PKIX_ProcessingParams_AddCertStore"); 282 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore(procParams, certStore, plContext)); 283 284 subTest("PKIX_ProcessingParams_SetRevocationEnabled"); 285 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_TRUE, plContext)); 286 287 subTest("PKIX_CertStore_GetCRLCallback"); 288 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback(certStore, 289 &crlCallback, 290 NULL)); 291 292 subTest("Getting CRL by CRL Callback"); 293 PKIX_TEST_EXPECT_NO_ERROR(crlCallback(certStore, 294 crlSelector, 295 &nbioContext, 296 &crlList, 297 plContext)); 298 299 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(crlList, 300 &numCrl, 301 plContext)); 302 303 if (numCrl != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS) { 304 pkixTestErrorMsg = "unexpected CRL number mismatch"; 305 } 306 307 cleanup: 308 309 PKIX_TEST_DECREF_AC(crlList); 310 PKIX_TEST_DECREF_AC(comCrlSelParams); 311 PKIX_TEST_DECREF_AC(crlSelector); 312 PKIX_TEST_DECREF_AC(procParams); 313 PKIX_TEST_DECREF_AC(certStore); 314 315 PKIX_TEST_RETURN(); 316 317 return (0); 318 } 319 320 /* 321 * Validate Certificate Chain with Certificate Revocation List 322 * Certificate Chain is built based on input certs' sequence. 323 * CRL is fetched from the directory specified in CollectionCertStore. 324 * while CollectionCertStore is linked in CertStore Object which then 325 * linked in ProcessParam. During validation, CRLChecker will invoke 326 * the crlCallback (this test uses PKIX_PL_CollectionCertStore_GetCRL) 327 * to get CRL data for revocation check. 328 * This test set criteria in CRLSelector which is linked in 329 * CommonCRLSelectorParam. When CRL data is fetched into cache for 330 * revocation check, CRL's are filtered based on the criteria set. 331 */ 332 333 int 334 test_customcrlchecker(int argc, char *argv[]) 335 { 336 337 PKIX_List *chain = NULL; 338 PKIX_ValidateParams *valParams = NULL; 339 PKIX_ValidateResult *valResult = NULL; 340 PKIX_UInt32 actualMinorVersion; 341 char *certNames[PKIX_TEST_MAX_CERTS]; 342 PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; 343 PKIX_VerifyNode *verifyTree = NULL; 344 PKIX_PL_String *verifyString = NULL; 345 PKIX_UInt32 chainLength = 0; 346 PKIX_UInt32 i = 0; 347 PKIX_UInt32 j = 0; 348 PKIX_Boolean testValid = PKIX_TRUE; 349 char *anchorName = NULL; 350 351 PKIX_TEST_STD_VARS(); 352 353 if (argc < 5) { 354 printUsage1(argv[0]); 355 return (0); 356 } 357 358 startTests("CRL Checker"); 359 360 PKIX_TEST_EXPECT_NO_ERROR( 361 PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); 362 363 /* ENE = expect no error; EE = expect error */ 364 if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { 365 testValid = PKIX_TRUE; 366 } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { 367 testValid = PKIX_FALSE; 368 } else { 369 printUsage1(argv[0]); 370 return (0); 371 } 372 373 chainLength = (argc - j) - 5; 374 if (chainLength > PKIX_TEST_MAX_CERTS) { 375 printUsageMax(chainLength); 376 } 377 378 for (i = 0; i < chainLength; i++) { 379 380 certNames[i] = argv[(5 + j) + i]; 381 certs[i] = NULL; 382 } 383 384 dirName = argv[3 + j]; 385 386 subTest(argv[1 + j]); 387 388 subTest("Custom-CRL-Checker - Create Cert Chain"); 389 390 chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); 391 392 subTest("Custom-CRL-Checker - Create Params"); 393 394 anchorName = argv[4 + j]; 395 396 valParams = createValidateParams(dirName, 397 anchorName, 398 NULL, 399 NULL, 400 NULL, 401 PKIX_FALSE, 402 PKIX_FALSE, 403 PKIX_FALSE, 404 PKIX_FALSE, 405 chain, 406 plContext); 407 408 subTest("Custom-CRL-Checker - Set Processing Params for CertStore"); 409 410 testCustomCertStore(valParams); 411 412 subTest("Custom-CRL-Checker - Validate Chain"); 413 414 if (testValid == PKIX_TRUE) { 415 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); 416 } else { 417 PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); 418 } 419 420 cleanup: 421 422 PKIX_TEST_DECREF_AC(verifyString); 423 PKIX_TEST_DECREF_AC(verifyTree); 424 PKIX_TEST_DECREF_AC(chain); 425 PKIX_TEST_DECREF_AC(valParams); 426 PKIX_TEST_DECREF_AC(valResult); 427 428 PKIX_Shutdown(plContext); 429 430 PKIX_TEST_RETURN(); 431 432 endTests("CRL Checker"); 433 434 return (0); 435 }