test_pk11certstore.c (22111B)
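/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * test_pk11certstore.c
 *
 * Test Pk11CertStore Type
 *
 */

#include "testutil.h"
#include "testutil_nss.h"

/* NSS platform context shared by the tests in this file. It is created in
 * test_pk11certstore(); every helper takes a same-named "plContext" parameter
 * that shadows this file-scope variable. */
static void *plContext = NULL;

/*
 * Build a CertSelector whose ComCertSelParams match certificates with the
 * same Subject Name as "certNameToMatch" and whose validity window includes
 * "validityDate".
 *
 * Ownership: on success the new selector is handed to the caller through
 * "pSelector". If any step fails, the partially built selector is released
 * here and "*pSelector" is left untouched, so the caller never receives a
 * reference it would have to clean up.
 */
static void
test_makeSubjectCertSelector(
    PKIX_PL_Cert *certNameToMatch,
    PKIX_PL_Date *validityDate,
    PKIX_CertSelector **pSelector,
    void *plContext)
{
    PKIX_CertSelector *selector = NULL;
    PKIX_ComCertSelParams *subjParams = NULL;
    PKIX_PL_X500Name *subjectName = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&subjParams, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(certNameToMatch, &subjectName, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(subjParams, subjectName, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(subjParams, validityDate, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, subjParams, plContext));

    /* Transfer ownership only once the selector is fully configured; clearing
     * the local keeps the cleanup below from releasing the caller's reference. */
    *pSelector = selector;
    selector = NULL;

cleanup:

    /* Non-NULL only on the error path: a selector that was created but never
     * handed out would otherwise leak. */
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(subjParams);
    PKIX_TEST_DECREF_AC(subjectName);

    PKIX_TEST_RETURN();
}

/*
 * This function creates a certSelector with ComCertSelParams set up to
 * select entries containing a Basic Constraints extension with a path
 * length of at least the specified "minPathLength".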
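*/
/* Ownership: on success the new selector is handed to the caller through
 * "pSelector"; on failure the partially built selector is released here and
 * "*pSelector" is left untouched. */
static void
test_makePathCertSelector(
    PKIX_Int32 minPathLength,
    PKIX_CertSelector **pSelector,
    void *plContext)
{
    PKIX_CertSelector *selector = NULL;
    PKIX_ComCertSelParams *pathParams = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&pathParams, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(pathParams, minPathLength, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, pathParams, plContext));

    /* Hand the configured selector to the caller and drop our local reference
     * so the cleanup below does not release it. */
    *pSelector = selector;
    selector = NULL;

cleanup:

    /* Only non-NULL when an earlier step failed after the selector was created. */
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(pathParams);

    PKIX_TEST_RETURN();
}

/*
 * This function reads a directory-file cert specified by "desiredSubjectCert",
 * and decodes the SubjectName. It uses that name to set up the CertSelector
 * for a Subject Name match, and then queries the database for matching entries.
 * It is intended to test a "smart" database query.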
*/
/* Parameters: "crlDir" is the directory holding the file "desiredSubjectCert";
 * "validityDate" narrows the match to certs valid at that instant; the result
 * list is compared against "expectedAscii" only when that is non-NULL. */
static void
testMatchCertSubject(
    char *crlDir,
    char *desiredSubjectCert,
    char *expectedAscii,
    PKIX_PL_Date *validityDate,
    void *plContext)
{
    PKIX_PL_Cert *subjectCert = NULL;
    PKIX_CertSelector *selector = NULL;
    PKIX_CertStore *store = NULL;
    PKIX_CertStore_CertCallback fetchCerts = NULL;
    PKIX_List *matches = NULL;
    PKIX_UInt32 matchCount = 0;
    void *nbio = NULL;

    PKIX_TEST_STD_VARS();

    /* The subject to search for is taken from a cert read off disk. */
    subjectCert = createCert(crlDir, desiredSubjectCert, plContext);
    test_makeSubjectCertSelector(subjectCert, validityDate, &selector, plContext);

    /* Query the PK11 store through the cert callback it exposes. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&store, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(store, &fetchCerts, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(fetchCerts(store, selector, &nbio, &matches, plContext));

    /* A non-empty result must be immutable: deleting from it has to fail, so
     * nothing downstream can alter what the store returned. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(matches, &matchCount, plContext));
    if (matchCount > 0) {
        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(matches, 0, plContext));
    }

    if (expectedAscii) {
        testToStringHelper((PKIX_PL_Object *)matches, expectedAscii, plContext);
    }

cleanup:

    PKIX_TEST_DECREF_AC(subjectCert);
    PKIX_TEST_DECREF_AC(store);
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(matches);

    PKIX_TEST_RETURN();
}

/*
 * This function uses the minimum path length specified by "minPath" to set up
 * a CertSelector for a BasicConstraints match, and then queries the database
 * for matching entries. It is intended to test the case where there
 * is no "smart" database query, so the database will be asked for all
 * available certs and the filtering will be done by the interaction of the
 * certstore and the selector.
*/
/* Parameters: "minPath" is the smallest acceptable BasicConstraints path
 * length; the result list is compared against "expectedAscii" only when that
 * is non-NULL. Unlike testMatchCertSubject, the sub-test banner is printed
 * here rather than by the caller. */
static void
testMatchCertMinPath(
    PKIX_Int32 minPath,
    char *expectedAscii,
    void *plContext)
{
    PKIX_CertSelector *selector = NULL;
    PKIX_CertStore *store = NULL;
    PKIX_CertStore_CertCallback fetchCerts = NULL;
    PKIX_List *matches = NULL;
    void *nbio = NULL;

    PKIX_TEST_STD_VARS();

    subTest("Searching Certs for minPath");

    test_makePathCertSelector(minPath, &selector, plContext);

    /* Obtain the store's cert callback and run the query through it. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&store, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(store, &fetchCerts, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(fetchCerts(store, selector, &nbio, &matches, plContext));

    if (expectedAscii) {
        testToStringHelper((PKIX_PL_Object *)matches, expectedAscii, plContext);
    }

cleanup:

    PKIX_TEST_DECREF_AC(store);
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(matches);

    PKIX_TEST_RETURN();
}

/*
 * This function creates a crlSelector with ComCrlSelParams set up to
 * select entries whose Issuer Name matches that in the given Crl.
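*/
/* Ownership: on success the new selector is handed to the caller through
 * "pSelector"; on failure the partially built selector is released here and
 * "*pSelector" is left untouched. */
static void
test_makeIssuerCRLSelector(
    PKIX_PL_CRL *crlNameToMatch,
    PKIX_CRLSelector **pSelector,
    void *plContext)
{
    PKIX_CRLSelector *selector = NULL;
    PKIX_ComCRLSelParams *issuerParams = NULL;
    PKIX_PL_X500Name *issuerName = NULL;
    PKIX_List *names = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(NULL, NULL, &selector, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&issuerParams, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer(crlNameToMatch, &issuerName, plContext));
    /* SetIssuerNames takes a list, so the single issuer is wrapped in one. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&names, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(names, (PKIX_PL_Object *)issuerName, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames(issuerParams, names, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(selector, issuerParams, plContext));

    /* Hand the configured selector to the caller and drop our local reference
     * so the cleanup below does not release it. */
    *pSelector = selector;
    selector = NULL;

cleanup:

    /* Only non-NULL when an earlier step failed after the selector was created. */
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(issuerParams);
    PKIX_TEST_DECREF_AC(issuerName);
    PKIX_TEST_DECREF_AC(names);

    PKIX_TEST_RETURN();
}

/*
 * This function creates a crlSelector with ComCrlSelParams set up to
 * select entries that would be valid at the Date specified by the Date
 * criterion.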
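*/
/* Ownership: on success the new selector is handed to the caller through
 * "pSelector"; on failure the partially built selector is released here and
 * "*pSelector" is left untouched. */
static void
test_makeDateCRLSelector(
    PKIX_PL_Date *dateToMatch,
    PKIX_CRLSelector **pSelector,
    void *plContext)
{
    PKIX_CRLSelector *selector = NULL;
    PKIX_ComCRLSelParams *dateParams = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(NULL, NULL, &selector, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&dateParams, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetDateAndTime(dateParams, dateToMatch, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(selector, dateParams, plContext));

    /* Hand the configured selector to the caller and drop our local reference
     * so the cleanup below does not release it. */
    *pSelector = selector;
    selector = NULL;

cleanup:

    /* Only non-NULL when an earlier step failed after the selector was created. */
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(dateParams);

    PKIX_TEST_RETURN();
}

/*
 * This function reads a directory-file crl specified by "desiredIssuerCrl",
 * and decodes the IssuerName. It uses that name to set up the CrlSelector
 * for an Issuer Name match, and then queries the database for matching entries.
 * It is intended to test the case of a "smart" database query.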
*/
/* Parameters: "crlDir" is the directory holding the file "desiredIssuerCrl";
 * the result list is compared against "expectedAscii" only when that is
 * non-NULL. */
static void
testMatchCrlIssuer(
    char *crlDir,
    char *desiredIssuerCrl,
    char *expectedAscii,
    void *plContext)
{
    PKIX_PL_CRL *issuerCrl = NULL;
    PKIX_CRLSelector *selector = NULL;
    PKIX_CertStore *store = NULL;
    PKIX_CertStore_CRLCallback fetchCrls = NULL;
    PKIX_List *matches = NULL;
    PKIX_UInt32 matchCount = 0;
    void *nbio = NULL;

    PKIX_TEST_STD_VARS();

    subTest("Searching CRLs for matching Issuer");

    /* The issuer to search for is taken from a CRL read off disk. */
    issuerCrl = createCRL(crlDir, desiredIssuerCrl, plContext);
    test_makeIssuerCRLSelector(issuerCrl, &selector, plContext);

    /* Query the PK11 store through the CRL callback it exposes. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&store, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback(store, &fetchCrls, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(fetchCrls(store, selector, &nbio, &matches, plContext));

    /* A non-empty result must be immutable: deleting from it has to fail, so
     * nothing downstream can alter what the store returned. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(matches, &matchCount, plContext));
    if (matchCount > 0) {
        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(matches, 0, plContext));
    }

    if (expectedAscii) {
        testToStringHelper((PKIX_PL_Object *)matches, expectedAscii, plContext);
    }

cleanup:

    PKIX_TEST_DECREF_AC(issuerCrl);
    PKIX_TEST_DECREF_AC(store);
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(matches);

    PKIX_TEST_RETURN();
}

/*
 * This function uses the date specified by "dateMatch" to set up the
 * CrlSelector for a Date match. It is intended to test the case where there
 * is no "smart" database query, so the CertStore should throw an error
 * rather than ask the database for all available CRLs and then filter the
 * results using the selector.
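*/
/* Parameters: "dateMatch" is a UTCTime string handed to createDate();
 * "expectedAscii" is accepted for symmetry with the other testMatch* helpers
 * but is not consulted, because the query is expected to fail. */
static void
testMatchCrlDate(
    char *dateMatch,
    char *expectedAscii,
    void *plContext)
{
    PKIX_PL_Date *dateCriterion = NULL;
    PKIX_CertStore *crlStore = NULL;
    PKIX_CRLSelector *crlSelector = NULL;
    PKIX_List *crlList = NULL;
    PKIX_CertStore_CRLCallback getCrl = NULL;

    PKIX_TEST_STD_VARS();

    subTest("Searching CRLs for matching Date");

    dateCriterion = createDate(dateMatch, plContext);
    test_makeDateCRLSelector(dateCriterion, &crlSelector, plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&crlStore, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback(crlStore, &getCrl, plContext));

    /* A date-only criterion has no "smart" lookup; the store must refuse
     * rather than fetch and filter every CRL. An error is the pass condition. */
    PKIX_TEST_EXPECT_ERROR(getCrl(crlStore, crlSelector, NULL, &crlList, plContext));

cleanup:

    PKIX_TEST_DECREF_AC(dateCriterion);
    PKIX_TEST_DECREF_AC(crlStore);
    PKIX_TEST_DECREF_AC(crlSelector);
    PKIX_TEST_DECREF_AC(crlList);

    PKIX_TEST_RETURN();
}

/* Print the command-line synopsis; "pName" is argv[0] and is never written. */
static void
printUsage(const char *pName)
{
    printf("\nUSAGE: %s <-d data-dir> <database-dir>\n\n", pName);
}

/* Functional tests for Pk11CertStore public functions */

/*
 * Test entry point. Creates the NSS platform context, then runs the cert
 * subject/validity, cert min-path, CRL issuer and CRL date queries against
 * the PK11 cert store. Returns 0 in every case; failures are reported
 * through the PKIX_TEST_* machinery and endTests().
 *
 * The expected*Ascii strings below are the reference renderings of each
 * query's result. They are currently passed as NULL (see the commented
 * arguments in the calls), so the string comparisons are disabled and only
 * the queries themselves are exercised.
 */
int
test_pk11certstore(int argc, char *argv[])
{

    PKIX_UInt32 j = 0;
    PKIX_PL_Date *validityDate = NULL;
    PKIX_PL_Date *betweenDate = NULL;
    char *crlDir = NULL;
    char *expectedProfAscii = "([\n"
                              "\tVersion: v3\n"
                              "\tSerialNumber: 00ca\n"
                              "\tIssuer: CN=chemistry,O=mit,C=us\n"
                              "\tSubject: CN=prof noall,O=mit,C=us\n"
                              "\tValidity: [From: Fri Feb 11 14:14:06 2005\n"
                              "\t To: Mon Jan 18, 2105]\n"
                              "\tSubjectAltNames: (null)\n"
                              "\tAuthorityKeyId: (null)\n"
                              "\tSubjectKeyId: (null)\n"
                              "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
                              "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
                              "\tExtKeyUsages: (null)\n"
                              "\tBasicConstraint: CA(6)\n"
                              "\tCertPolicyInfo: (null)\n"
                              "\tPolicyMappings: (null)\n"
                              "\tExplicitPolicy: -1\n"
                              "\tInhibitMapping: -1\n"
                              "\tInhibitAnyPolicy:-1\n"
                              "\tNameConstraints: (null)\n"
                              "]\n"
                              ", [\n"
                              "\tVersion: v3\n"
                              "\tSerialNumber: 03\n"
                              "\tIssuer: CN=physics,O=mit,C=us\n"
                              "\tSubject: CN=prof noall,O=mit,C=us\n"
                              "\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
                              "\t To: Mon Jan 18, 2105]\n"
                              "\tSubjectAltNames: (null)\n"
                              "\tAuthorityKeyId: (null)\n"
                              "\tSubjectKeyId: (null)\n"
                              "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
                              "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
                              "\tExtKeyUsages: (null)\n"
                              "\tBasicConstraint: CA(0)\n"
                              "\tCertPolicyInfo: (null)\n"
                              "\tPolicyMappings: (null)\n"
                              "\tExplicitPolicy: -1\n"
                              "\tInhibitMapping: -1\n"
                              "\tInhibitAnyPolicy:-1\n"
                              "\tNameConstraints: (null)\n"
                              "]\n"
                              ")";
    char *expectedValidityAscii = "([\n"
                                  "\tVersion: v3\n"
                                  "\tSerialNumber: 03\n"
                                  "\tIssuer: CN=physics,O=mit,C=us\n"
                                  "\tSubject: CN=prof noall,O=mit,C=us\n"
                                  "\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
                                  "\t To: Mon Jan 18, 2105]\n"
                                  "\tSubjectAltNames: (null)\n"
                                  "\tAuthorityKeyId: (null)\n"
                                  "\tSubjectKeyId: (null)\n"
                                  "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
                                  "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
                                  "\tExtKeyUsages: (null)\n"
                                  "\tBasicConstraint: CA(0)\n"
                                  "\tCertPolicyInfo: (null)\n"
                                  "\tPolicyMappings: (null)\n"
                                  "\tExplicitPolicy: -1\n"
                                  "\tInhibitMapping: -1\n"
                                  "\tInhibitAnyPolicy:-1\n"
                                  "\tNameConstraints: (null)\n"
                                  "]\n"
                                  ")";
    char *expectedMinPathAscii = "([\n"
                                 "\tVersion: v3\n"
                                 "\tSerialNumber: 01\n"
                                 "\tIssuer: CN=science,O=mit,C=us\n"
                                 "\tSubject: CN=science,O=mit,C=us\n"
                                 "\tValidity: [From: Fri Feb 11 12:47:58 2005\n"
                                 "\t To: Mon Jan 18, 2105]\n"
                                 "\tSubjectAltNames: (null)\n"
                                 "\tAuthorityKeyId: (null)\n"
                                 "\tSubjectKeyId: (null)\n"
                                 "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
                                 "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
                                 "\tExtKeyUsages: (null)\n"
                                 "\tBasicConstraint: CA(10)\n"
                                 "\tCertPolicyInfo: (null)\n"
                                 "\tPolicyMappings: (null)\n"
                                 "\tExplicitPolicy: -1\n"
                                 "\tInhibitMapping: -1\n"
                                 "\tInhibitAnyPolicy:-1\n"
                                 "\tNameConstraints: (null)\n"
                                 "]\n"
                                 ")";
    char *expectedIssuerAscii = "([\n"
                                "\tVersion: v2\n"
                                "\tIssuer: CN=physics,O=mit,C=us\n"
                                "\tUpdate: [Last: Fri Feb 11 13:51:38 2005\n"
                                "\t Next: Mon Jan 18, 2105]\n"
                                "\tSignatureAlgId: 1.2.840.10040.4.3\n"
                                "\tCRL Number : (null)\n"
                                "\n"
                                "\tEntry List: (\n"
                                "\t[\n"
                                "\tSerialNumber: 67\n"
                                "\tReasonCode: 257\n"
                                "\tRevocationDate: Fri Feb 11 13:51:38 2005\n"
                                "\tCritExtOIDs: (EMPTY)\n"
                                "\t]\n"
                                "\t)\n"
                                "\n"
                                "\tCritExtOIDs: (EMPTY)\n"
                                "]\n"
                                ")";
    char *expectedDateAscii = "([\n"
                              "\tVersion: v2\n"
                              "\tIssuer: CN=science,O=mit,C=us\n"
                              "\tUpdate: [Last: Fri Feb 11 13:34:40 2005\n"
                              "\t Next: Mon Jan 18, 2105]\n"
                              "\tSignatureAlgId: 1.2.840.10040.4.3\n"
                              "\tCRL Number : (null)\n"
                              "\n"
                              "\tEntry List: (\n"
                              "\t[\n"
                              "\tSerialNumber: 65\n"
                              "\tReasonCode: 260\n"
                              "\tRevocationDate: Fri Feb 11 13:34:40 2005\n"
                              "\tCritExtOIDs: (EMPTY)\n"
                              "\t]\n"
                              "\t)\n"
                              "\n"
                              "\tCritExtOIDs: (EMPTY)\n"
                              "]\n"
                              ", [\n"
                              "\tVersion: v2\n"
                              "\tIssuer: CN=testing CRL,O=test,C=us\n"
                              "\tUpdate: [Last: Fri Feb 11 13:14:38 2005\n"
                              "\t Next: Mon Jan 18, 2105]\n"
                              "\tSignatureAlgId: 1.2.840.10040.4.3\n"
                              "\tCRL Number : (null)\n"
                              "\n"
                              "\tEntry List: (\n"
                              "\t[\n"
                              "\tSerialNumber: 67\n"
                              "\tReasonCode: 258\n"
                              "\tRevocationDate: Fri Feb 11 13:14:38 2005\n"
                              "\tCritExtOIDs: (EMPTY)\n"
                              "\t]\n"
                              "\t)\n"
                              "\n"
                              "\tCritExtOIDs: (EMPTY)\n"
                              "]\n"
                              ")";

    PKIX_TEST_STD_VARS();

    startTests("Pk11CertStore");

    /* argv[2] is read below, so at least three arguments are required. */
    if (argc < 3) {
        printUsage(argv[0]);
        return (0);
    }

    PKIX_TEST_EXPECT_NO_ERROR(
        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

    /* argv[j + 2] is the data directory from the "<-d data-dir>" pair; the
     * "<database-dir>" argument is not read here -- presumably the surrounding
     * test driver opens the NSS database, confirm against the harness. */
    crlDir = argv[j + 2];

    /* Two certs for prof should be valid now */
    PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime(PR_Now(), &validityDate, plContext));

    subTest("Searching Certs for Subject");

    testMatchCertSubject(crlDir,
                         "phy2prof.crt",
                         NULL, /* expectedProfAscii, */
                         validityDate,
                         plContext);

    /* One of the certs was not yet valid at this time. */
    betweenDate = createDate("050210184000Z", plContext);

    subTest("Searching Certs for Subject and Validity");

    testMatchCertSubject(crlDir,
                         "phy2prof.crt",
                         NULL, /* expectedValidityAscii, */
                         betweenDate,
                         plContext);

    testMatchCertMinPath(9,
                         NULL, /* expectedMinPathAscii, */
                         plContext);

    testMatchCrlIssuer(crlDir,
                       "phys.crl",
                       NULL, /* expectedIssuerAscii, */
                       plContext);

    testMatchCrlDate("050211184000Z",
                     NULL, /* expectedDateAscii, */
                     plContext);

cleanup:

    PKIX_TEST_DECREF_AC(validityDate);
    PKIX_TEST_DECREF_AC(betweenDate);

    PKIX_TEST_RETURN();

    endTests("Pk11CertStore");

    return (0);
}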