tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_validatechain_bc.c (6846B)

      1 /* This Source Code Form is subject to the terms of the Mozilla Public
      2 * License, v. 2.0. If a copy of the MPL was not distributed with this
      3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      4 /*
      5 * validateChainBasicConstraints.c
      6 *
      7 * Tests Cert Chain Validation
      8 *
      9 */
     10 
     11 #include <stdio.h>
     12 #include <string.h>
     13 #include <stddef.h>
     14 
     15 #include "pkix_pl_generalname.h"
     16 #include "pkix_pl_cert.h"
     17 #include "pkix.h"
     18 #include "testutil.h"
     19 #include "prlong.h"
     20 #include "plstr.h"
     21 #include "prthread.h"
     22 #include "nspr.h"
     23 #include "prtypes.h"
     24 #include "prtime.h"
     25 #include "pk11func.h"
     26 #include "secasn1.h"
     27 #include "cert.h"
     28 #include "cryptohi.h"
     29 #include "secoid.h"
     30 #include "certdb.h"
     31 #include "secitem.h"
     32 #include "keythi.h"
     33 #include "nss.h"
     34 
     35 static void *plContext = NULL;
     36 
     37 static void
     38 printUsage(void)
     39 {
     40    printf("\nUSAGE: incorrect.\n");
     41 }
     42 
     43 static PKIX_PL_Cert *
     44 createCert(char *inFileName)
     45 {
     46    PKIX_PL_ByteArray *byteArray = NULL;
     47    void *buf = NULL;
     48    PRFileDesc *inFile = NULL;
     49    PKIX_UInt32 len;
     50    SECItem certDER;
     51    SECStatus rv;
     52    /* default: NULL cert (failure case) */
     53    PKIX_PL_Cert *cert = NULL;
     54 
     55    PKIX_TEST_STD_VARS();
     56 
     57    certDER.data = NULL;
     58 
     59    inFile = PR_Open(inFileName, PR_RDONLY, 0);
     60 
     61    if (!inFile) {
     62        pkixTestErrorMsg = "Unable to open cert file";
     63        goto cleanup;
     64    } else {
     65        rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
     66        if (!rv) {
     67            buf = (void *)certDER.data;
     68            len = certDER.len;
     69 
     70            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext));
     71 
     72            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext));
     73 
     74            SECITEM_FreeItem(&certDER, PR_FALSE);
     75        } else {
     76            pkixTestErrorMsg = "Unable to read DER from cert file";
     77            goto cleanup;
     78        }
     79    }
     80 
     81 cleanup:
     82 
     83    if (inFile) {
     84        PR_Close(inFile);
     85    }
     86 
     87    if (PKIX_TEST_ERROR_RECEIVED) {
     88        SECITEM_FreeItem(&certDER, PR_FALSE);
     89    }
     90 
     91    PKIX_TEST_DECREF_AC(byteArray);
     92 
     93    PKIX_TEST_RETURN();
     94 
     95    return (cert);
     96 }
     97 
     98 int
     99 test_validatechain_bc(int argc, char *argv[])
    100 {
    101 
    102    PKIX_TrustAnchor *anchor = NULL;
    103    PKIX_List *anchors = NULL;
    104    PKIX_List *certs = NULL;
    105    PKIX_ProcessingParams *procParams = NULL;
    106    PKIX_ValidateParams *valParams = NULL;
    107    PKIX_ValidateResult *valResult = NULL;
    108    PKIX_PL_X500Name *subject = NULL;
    109    PKIX_ComCertSelParams *certSelParams = NULL;
    110    PKIX_CertSelector *certSelector = NULL;
    111 
    112    char *trustedCertFile = NULL;
    113    char *chainCertFile = NULL;
    114    PKIX_PL_Cert *trustedCert = NULL;
    115    PKIX_PL_Cert *chainCert = NULL;
    116    PKIX_UInt32 chainLength = 0;
    117    PKIX_UInt32 i = 0;
    118    PKIX_UInt32 j = 0;
    119    PKIX_UInt32 actualMinorVersion;
    120    PKIX_VerifyNode *verifyTree = NULL;
    121    PKIX_PL_String *verifyString = NULL;
    122 
    123    PKIX_TEST_STD_VARS();
    124 
    125    if (argc < 3) {
    126        printUsage();
    127        return (0);
    128    }
    129 
    130    startTests("ValidateChainBasicConstraints");
    131 
    132    PKIX_TEST_EXPECT_NO_ERROR(
    133        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
    134 
    135    chainLength = (argc - j) - 2;
    136 
    137    /* create processing params with list of trust anchors */
    138    trustedCertFile = argv[1 + j];
    139    trustedCert = createCert(trustedCertFile);
    140 
    141    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
    142 
    143    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
    144 
    145    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(certSelParams, -1, plContext));
    146 
    147    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
    148 
    149    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
    150 
    151    PKIX_TEST_DECREF_BC(subject);
    152 
    153    PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
    154 
    155    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
    156    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
    157    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
    158 
    159    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext));
    160 
    161    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
    162 
    163    PKIX_TEST_DECREF_BC(certSelector);
    164 
    165    /* create cert chain */
    166    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
    167    for (i = 0; i < chainLength; i++) {
    168        chainCertFile = argv[i + (2 + j)];
    169        chainCert = createCert(chainCertFile);
    170 
    171        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs, (PKIX_PL_Object *)chainCert, plContext));
    172 
    173        PKIX_TEST_DECREF_BC(chainCert);
    174    }
    175 
    176    /* create validate params with processing params and cert chain */
    177    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, certs, &valParams, plContext));
    178 
    179    /* validate cert chain using processing params and return valResult */
    180 
    181    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
    182 
    183    if (valResult != NULL) {
    184        printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
    185        printf("Cert Selector minimum path length to be -1\n");
    186        PKIX_TEST_DECREF_BC(valResult);
    187    }
    188 
    189    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
    190    (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
    191    PKIX_TEST_DECREF_BC(verifyString);
    192    PKIX_TEST_DECREF_BC(verifyTree);
    193 
    194    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(certSelParams, 6, plContext));
    195 
    196    /* validate cert chain using processing params and return valResult */
    197 
    198    PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
    199 
    200    if (valResult != NULL) {
    201        printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
    202        printf("Cert Selector minimum path length to be 6\n");
    203    }
    204 
    205    PKIX_TEST_DECREF_BC(trustedCert);
    206    PKIX_TEST_DECREF_BC(anchor);
    207    PKIX_TEST_DECREF_BC(anchors);
    208    PKIX_TEST_DECREF_BC(certs);
    209    PKIX_TEST_DECREF_BC(procParams);
    210 
    211 cleanup:
    212 
    213    if (PKIX_TEST_ERROR_RECEIVED) {
    214        printf("FAILED TO VALIDATE\n");
    215    }
    216 
    217    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
    218    (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
    219    PKIX_TEST_DECREF_AC(verifyString);
    220    PKIX_TEST_DECREF_AC(verifyTree);
    221 
    222    PKIX_TEST_DECREF_AC(certSelParams);
    223    PKIX_TEST_DECREF_AC(valResult);
    224    PKIX_TEST_DECREF_AC(valParams);
    225 
    226    PKIX_TEST_RETURN();
    227 
    228    PKIX_Shutdown(plContext);
    229 
    230    endTests("ValidateChainBasicConstraints");
    231 
    232    return (0);
    233 }