tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_subjaltnamechecker.c (7587B)

      1 /* This Source Code Form is subject to the terms of the Mozilla Public
      2 * License, v. 2.0. If a copy of the MPL was not distributed with this
      3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      4 /*
      5 * test_subjaltnamechecker.c
      6 *
      7 * Test Subject Alternative Name Checking
      8 *
      9 */
     10 
     11 /*
     12 * There is no subjaltnamechecker. Instead, targetcertchecker is doing
     13 * the job for checking subject alternative names' validity. For testing,
     14 * in order to enter names with various type, we create this test excutable
     15 * to parse different scenario.
     16 */
     17 
     18 #include "testutil.h"
     19 #include "testutil_nss.h"
     20 
     21 #define PKIX_TEST_MAX_CERTS 10
     22 
     23 static void *plContext = NULL;
     24 
     25 static void
     26 printUsage1(char *pName)
     27 {
     28    printf("\nUSAGE: %s test-name [ENE|EE] ", pName);
     29    printf("cert [certs].\n");
     30 }
     31 
     32 static void
     33 printUsage2(char *name)
     34 {
     35    printf("\ninvalid test-name syntax - %s", name);
     36    printf("\ntest-name syntax: [01][DNORU]:<name>+...");
     37    printf("\n             [01] 1 - match all; 0 - match one");
     38    printf("\n    name - type can be specified as");
     39    printf("\n          [DNORU] D-Directory name");
     40    printf("\n                  N-DNS name");
     41    printf("\n                  O-OID name");
     42    printf("\n                  R-RFC822 name");
     43    printf("\n                  U-URI name");
     44    printf("\n                + separator for more names\n\n");
     45 }
     46 
     47 static void
     48 printUsageMax(PKIX_UInt32 numCerts)
     49 {
     50    printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
     51           numCerts, PKIX_TEST_MAX_CERTS);
     52 }
     53 
     54 static PKIX_UInt32
     55 getNameType(char *name)
     56 {
     57    PKIX_UInt32 nameType;
     58 
     59    PKIX_TEST_STD_VARS();
     60 
     61    switch (*name) {
     62        case 'D':
     63            nameType = PKIX_DIRECTORY_NAME;
     64            break;
     65        case 'N':
     66            nameType = PKIX_DNS_NAME;
     67            break;
     68        case 'O':
     69            nameType = PKIX_OID_NAME;
     70            break;
     71        case 'R':
     72            nameType = PKIX_RFC822_NAME;
     73            break;
     74        case 'U':
     75            nameType = PKIX_URI_NAME;
     76            break;
     77        default:
     78            printUsage2(name);
     79            nameType = 0xFFFF;
     80    }
     81 
     82    goto cleanup;
     83 
     84 cleanup:
     85    PKIX_TEST_RETURN();
     86    return (nameType);
     87 }
     88 
     89 int
     90 test_subjaltnamechecker(int argc, char *argv[])
     91 {
     92 
     93    PKIX_List *chain = NULL;
     94    PKIX_ValidateParams *valParams = NULL;
     95    PKIX_ValidateResult *valResult = NULL;
     96    PKIX_CertSelector *selector = NULL;
     97    PKIX_ComCertSelParams *selParams = NULL;
     98    PKIX_ProcessingParams *procParams = NULL;
     99    PKIX_PL_GeneralName *name = NULL;
    100    PKIX_UInt32 actualMinorVersion;
    101    char *certNames[PKIX_TEST_MAX_CERTS];
    102    PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
    103    PKIX_UInt32 chainLength = 0;
    104    PKIX_UInt32 i = 0;
    105    PKIX_UInt32 j = 0;
    106    char *nameStr;
    107    char *nameEnd;
    108    char *names[PKIX_TEST_MAX_CERTS];
    109    PKIX_UInt32 numNames = 0;
    110    PKIX_UInt32 nameType;
    111    PKIX_Boolean matchAll = PKIX_TRUE;
    112    PKIX_Boolean testValid = PKIX_TRUE;
    113    char *dirName = NULL;
    114    char *anchorName = NULL;
    115    PKIX_VerifyNode *verifyTree = NULL;
    116    PKIX_PL_String *verifyString = NULL;
    117 
    118    PKIX_TEST_STD_VARS();
    119 
    120    if (argc < 5) {
    121        printUsage1(argv[0]);
    122        return (0);
    123    }
    124 
    125    startTests("SubjAltNameConstraintChecker");
    126 
    127    PKIX_TEST_EXPECT_NO_ERROR(
    128        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
    129 
    130    j++; /* skip test-purpose string */
    131 
    132    /* ENE = expect no error; EE = expect error */
    133    if (PORT_Strcmp(argv[2 + j], "ENE") == 0) {
    134        testValid = PKIX_TRUE;
    135    } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) {
    136        testValid = PKIX_FALSE;
    137    } else {
    138        printUsage1(argv[0]);
    139        return (0);
    140    }
    141 
    142    /* taking out leading and trailing ", if any */
    143    nameStr = argv[1 + j];
    144    subTest(nameStr);
    145    if (*nameStr == '"') {
    146        nameStr++;
    147        nameEnd = nameStr;
    148        while (*nameEnd != '"' && *nameEnd != '\0') {
    149            nameEnd++;
    150        }
    151        *nameEnd = '\0';
    152    }
    153 
    154    /* extract first [0|1] inidcating matchAll or not */
    155    matchAll = (*nameStr == '0') ? PKIX_FALSE : PKIX_TRUE;
    156    nameStr++;
    157 
    158    numNames = 0;
    159    while (*nameStr != '\0') {
    160        names[numNames++] = nameStr;
    161        while (*nameStr != '+' && *nameStr != '\0') {
    162            nameStr++;
    163        }
    164        if (*nameStr == '+') {
    165            *nameStr = '\0';
    166            nameStr++;
    167        }
    168    }
    169 
    170    chainLength = (argc - j) - 4;
    171    if (chainLength > PKIX_TEST_MAX_CERTS) {
    172        printUsageMax(chainLength);
    173    }
    174 
    175    for (i = 0; i < chainLength; i++) {
    176        certNames[i] = argv[(4 + j) + i];
    177        certs[i] = NULL;
    178    }
    179 
    180    /* SubjAltName for validation */
    181 
    182    subTest("Add Subject Alt Name for NameConstraint checking");
    183 
    184    subTest("Create Selector and ComCertSelParams");
    185    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext));
    186    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&selParams, plContext));
    187    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, selParams, plContext));
    188 
    189    subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
    190    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(selParams, matchAll, plContext));
    191 
    192    subTest("PKIX_ComCertSelParams_AddSubjAltName(s)");
    193    for (i = 0; i < numNames; i++) {
    194        nameType = getNameType(names[i]);
    195        if (nameType == 0xFFFF) {
    196            return (0);
    197        }
    198        nameStr = names[i] + 2;
    199        name = createGeneralName(nameType, nameStr, plContext);
    200 
    201        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(selParams, name, plContext));
    202        PKIX_TEST_DECREF_BC(name);
    203    }
    204 
    205    subTest("SubjAltName-Constraints - Create Cert Chain");
    206 
    207    dirName = argv[3 + j];
    208 
    209    chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext);
    210 
    211    subTest("SubjAltName-Constraints - Create Params");
    212 
    213    valParams = createValidateParams(dirName,
    214                                     argv[4 +
    215                                          j],
    216                                     NULL,
    217                                     NULL,
    218                                     NULL,
    219                                     PKIX_FALSE,
    220                                     PKIX_FALSE,
    221                                     PKIX_FALSE,
    222                                     PKIX_FALSE,
    223                                     chain,
    224                                     plContext);
    225 
    226    subTest("PKIX_ValidateParams_getProcessingParams");
    227    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext));
    228 
    229    subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
    230    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, selector, plContext));
    231 
    232    subTest("Subject Alt Name - Validate Chain");
    233 
    234    if (testValid == PKIX_TRUE) {
    235        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
    236    } else {
    237        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
    238    }
    239 
    240 cleanup:
    241 
    242    PKIX_PL_Free(anchorName, plContext);
    243 
    244    PKIX_TEST_DECREF_AC(verifyString);
    245    PKIX_TEST_DECREF_AC(verifyTree);
    246    PKIX_TEST_DECREF_AC(chain);
    247    PKIX_TEST_DECREF_AC(valParams);
    248    PKIX_TEST_DECREF_AC(valResult);
    249    PKIX_TEST_DECREF_AC(selector);
    250    PKIX_TEST_DECREF_AC(selParams);
    251    PKIX_TEST_DECREF_AC(procParams);
    252    PKIX_TEST_DECREF_AC(name);
    253 
    254    PKIX_Shutdown(plContext);
    255 
    256    PKIX_TEST_RETURN();
    257 
    258    endTests("SubjAltNameConstraintsChecker");
    259 
    260    return (0);
    261 }