void SetUp()
{
rootNameDER = CNToDERName(rootName);
if (ENCODING_FAILED(rootNameDER)) {
abort();
}
Input rootNameDERInput;
if (rootNameDERInput.Init(rootNameDER.data(), rootNameDER.length())
!= Success) {
abort();
}
serialNumberDER =
CreateEncodedSerialNumber(static_cast<long>(++rootIssuedCount));
if (ENCODING_FAILED(serialNumberDER)) {
abort();
}
Input serialNumberDERInput;
if (serialNumberDERInput.Init(serialNumberDER.data(),
serialNumberDER.length()) != Success) {
abort();
}
Input rootSPKIDER;
if (rootSPKIDER.Init(rootKeyPair->subjectPublicKeyInfo.data(),
rootKeyPair->subjectPublicKeyInfo.length())
!= Success) {
abort();
}
endEntityCertID.reset(new (std::nothrow) CertID(rootNameDERInput, rootSPKIDER,
serialNumberDERInput));
if (!endEntityCertID) {
abort();
}
}
TEST_F(pkixbuild, BeyondMaxAcceptableCertChainLength)
{
static char const* const caCertName = "CA Too Far";
trustDomain.CreateCACert("CA7", caCertName);
{
ByteString certDER(trustDomain.GetLeafCACertDER());
Input certDERInput;
ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
BuildCertChain(trustDomain, certDERInput, Now(),
EndEntityOrCA::MustBeCA,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
{
ByteString certDER(CreateCert(caCertName, "End-Entity Too Far",
EndEntityOrCA::MustBeEndEntity));
ASSERT_FALSE(ENCODING_FAILED(certDER));
Input certDERInput;
ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
BuildCertChain(trustDomain, certDERInput, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
}
// The resultant issuerDER and issuerSPKI are owned by the arena.
SECStatus MakeIssuerCertIDComponents(const char* issuerASCII,
/*out*/ Input& issuerDER,
/*out*/ Input& issuerSPKI)
{
const SECItem* issuerDERSECItem = ASCIIToDERName(arena.get(), issuerASCII);
if (!issuerDERSECItem) {
return SECFailure;
}
if (issuerDER.Init(issuerDERSECItem->data, issuerDERSECItem->len)
!= Success) {
return SECFailure;
}
ScopedSECKEYPublicKey issuerPublicKey;
ScopedSECKEYPrivateKey issuerPrivateKey;
if (GenerateKeyPair(issuerPublicKey, issuerPrivateKey) != SECSuccess) {
return SECFailure;
}
ScopedSECItem issuerSPKIOriginal(
SECKEY_EncodeDERSubjectPublicKeyInfo(issuerPublicKey.get()));
if (!issuerSPKIOriginal) {
return SECFailure;
}
SECItem issuerSPKICopy;
if (SECITEM_CopyItem(arena.get(), &issuerSPKICopy,
issuerSPKIOriginal.get()) != SECSuccess) {
return SECFailure;
}
if (issuerSPKI.Init(issuerSPKICopy.data, issuerSPKICopy.len) != Success) {
return SECFailure;
}
return SECSuccess;
}
TEST_P(pkixder_DigestAlgorithmIdentifier_Valid, Valid)
{
const ValidDigestAlgorithmIdentifierTestInfo& param(GetParam());
{
Input input;
ASSERT_EQ(Success, input.Init(param.der, param.derLength));
Reader reader(input);
DigestAlgorithm alg;
ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
ASSERT_EQ(param.algorithm, alg);
ASSERT_EQ(Success, End(reader));
}
{
uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
memcpy(derWithNullParam, param.der, param.derLength);
derWithNullParam[1] += 2; // we're going to expand the value by 2 bytes
derWithNullParam[param.derLength] = 0x05; // NULL tag
derWithNullParam[param.derLength + 1] = 0x00; // length zero
Input input;
ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
Reader reader(input);
DigestAlgorithm alg;
ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
ASSERT_EQ(param.algorithm, alg);
ASSERT_EQ(Success, End(reader));
}
}
TEST_F(pkixbuild, MaxAcceptableCertChainLength)
{
{
ByteString leafCACert(trustDomain.GetLeafCACertDER());
Input certDER;
ASSERT_EQ(Success, certDER.Init(leafCACert.data(), leafCACert.length()));
ASSERT_EQ(Success,
BuildCertChain(trustDomain, certDER, Now(),
EndEntityOrCA::MustBeCA,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
{
ByteString certDER(CreateCert("CA7", "Direct End-Entity",
EndEntityOrCA::MustBeEndEntity));
ASSERT_FALSE(ENCODING_FAILED(certDER));
Input certDERInput;
ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
ASSERT_EQ(Success,
BuildCertChain(trustDomain, certDERInput, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
}
// Added for bug 1079436. The output variable validThrough represents the
// latest time for which VerifyEncodedOCSPResponse will succeed, which is
// different from the nextUpdate time in the OCSP response due to the slop we
// add for time comparisons to deal with clock skew.
TEST_F(pkixocsp_VerifyEncodedResponse_successful, check_validThrough)
{
ByteString responseString(
CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, byKey,
*rootKeyPair, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow,
sha256WithRSAEncryption()));
Time validThrough(Time::uninitialized);
{
Input response;
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
bool expired;
ASSERT_EQ(Success,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
response, expired, nullptr,
&validThrough));
ASSERT_FALSE(expired);
// The response was created to be valid until one day after now, so the
// value we got for validThrough should be after that.
Time oneDayAfterNowAsPKIXTime(
TimeFromEpochInSeconds(static_cast<uint64_t>(oneDayAfterNow)));
ASSERT_TRUE(validThrough > oneDayAfterNowAsPKIXTime);
}
{
Input response;
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
bool expired;
// Given validThrough from a previous verification, this response should be
// valid through that time.
ASSERT_EQ(Success,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
validThrough, END_ENTITY_MAX_LIFETIME_IN_DAYS,
response, expired));
ASSERT_FALSE(expired);
}
{
Time noLongerValid(validThrough);
ASSERT_EQ(Success, noLongerValid.AddSeconds(1));
Input response;
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
bool expired;
// The verification time is now after when the response will be considered
// valid.
ASSERT_EQ(Result::ERROR_OCSP_OLD_RESPONSE,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
noLongerValid, END_ENTITY_MAX_LIFETIME_IN_DAYS,
response, expired));
ASSERT_TRUE(expired);
}
}
TEST_P(pkixcheck_CheckSignatureAlgorithm, CheckSignatureAlgorithm)
{
const Time now(Now());
const CheckSignatureAlgorithmTestParams& params(GetParam());
Input signatureValueInput;
ASSERT_EQ(Success,
signatureValueInput.Init(params.signatureValue.data(),
params.signatureValue.length()));
pkixcheck_CheckSignatureAlgorithm_TrustDomain
trustDomain(params.signatureLengthInBytes * 8);
der::SignedDataWithSignature signedData;
ASSERT_EQ(Success,
signedData.algorithm.Init(params.signatureAlgorithmValue.data(),
params.signatureAlgorithmValue.length()));
ByteString dummySignature(params.signatureLengthInBytes, 0xDE);
ASSERT_EQ(Success,
signedData.signature.Init(dummySignature.data(),
dummySignature.length()));
ASSERT_EQ(params.expectedResult,
CheckSignatureAlgorithm(trustDomain, EndEntityOrCA::MustBeEndEntity,
now, signedData, signatureValueInput));
ASSERT_EQ(params.expectedResult == Success,
trustDomain.checkedDigestAlgorithm);
ASSERT_EQ(params.expectedResult == Success,
trustDomain.checkedModulusSizeInBits);
}
// Creates a self-signed certificate with the given extension.
static Input
CreateCert(PLArenaPool* arena, const char* subjectStr,
SECItem const* const* extensions, // null-terminated array
/*out*/ ScopedSECKEYPrivateKey& subjectKey)
{
static long serialNumberValue = 0;
++serialNumberValue;
const SECItem* serialNumber(CreateEncodedSerialNumber(arena,
serialNumberValue));
EXPECT_TRUE(serialNumber);
const SECItem* issuerDER(ASCIIToDERName(arena, subjectStr));
EXPECT_TRUE(issuerDER);
const SECItem* subjectDER(ASCIIToDERName(arena, subjectStr));
EXPECT_TRUE(subjectDER);
SECItem* cert = CreateEncodedCertificate(
arena, v3,
SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
serialNumber, issuerDER,
PR_Now() - ONE_DAY,
PR_Now() + ONE_DAY,
subjectDER, extensions,
nullptr, SEC_OID_SHA256, subjectKey);
EXPECT_TRUE(cert);
Input result;
EXPECT_EQ(Success, result.Init(cert->data, cert->len));
return result;
}
TEST_F(pkixbuild, AvoidUnboundedPathSearchingFailure)
{
SelfIssuedCertificatesTrustDomain localTrustDomain;
// This creates a few hundred million potential paths of length 8 (end entity
// + 6 sub-CAs + root). It would be prohibitively expensive to enumerate all
// of these, so we give mozilla::pkix a budget that is spent when searching
// paths. If the budget is exhausted, it simply returns an unknown issuer
// error. In the future it might be nice to return a specific error that would
// give the front-end a hint that maybe it shouldn't have so many certificates
// that all have the same subject and issuer DN but different SPKIs.
localTrustDomain.SetUpCerts(18);
ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity,
nullptr, nullptr,
localTrustDomain.GetFirstIssuerKey()));
ASSERT_FALSE(ENCODING_FAILED(certDER));
Input certDERInput;
ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
BuildCertChain(localTrustDomain, certDERInput, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
TEST_F(pkixbuild, BadEmbeddedSCTWithMultiplePaths)
{
MultiplePathTrustDomain localTrustDomain;
localTrustDomain.SetUpCerts();
// python security/pkix/tools/DottedOIDToCode.py --tlv
// id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
static const uint8_t tlv_id_embeddedSctList[] = {
0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
};
static const uint8_t dummySctList[] = {
0x01, 0x02, 0x03, 0x04, 0x05
};
ByteString ctExtension = TLV(der::SEQUENCE,
BytesToByteString(tlv_id_embeddedSctList) +
Boolean(false) +
// The contents of the OCTET STRING are supposed to consist of an OCTET
// STRING of useful data. We're testing what happens if it isn't, so shove
// some bogus (non-OCTET STRING) data in there.
TLV(der::OCTET_STRING, BytesToByteString(dummySctList)));
ByteString certDER(CreateCert("Intermediate", "Cert with bogus SCT list",
EndEntityOrCA::MustBeEndEntity,
nullptr, /*subjectDERToCertDER*/
&ctExtension));
ASSERT_FALSE(ENCODING_FAILED(certDER));
Input certDERInput;
ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
ASSERT_EQ(Result::ERROR_BAD_DER,
BuildCertChain(localTrustDomain, certDERInput, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert)
{
const char* rootCN = "Root CA";
ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
nullptr));
EXPECT_FALSE(ENCODING_FAILED(rootDER));
ExpiredCertTrustDomain expiredCertTrustDomain(rootDER);
ByteString serialNumber(CreateEncodedSerialNumber(100));
EXPECT_FALSE(ENCODING_FAILED(serialNumber));
ByteString issuerDER(CNToDERName(rootCN));
ByteString subjectDER(CNToDERName("Expired End-Entity Cert"));
ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
ByteString certDER(CreateEncodedCertificate(
v3, sha256WithRSAEncryption(),
serialNumber, issuerDER,
oneDayBeforeNow - ONE_DAY_IN_SECONDS_AS_TIME_T,
oneDayBeforeNow,
subjectDER, *reusedKey, nullptr, *reusedKey,
sha256WithRSAEncryption()));
EXPECT_FALSE(ENCODING_FAILED(certDER));
Input cert;
ASSERT_EQ(Success, cert.Init(certDER.data(), certDER.length()));
ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
BuildCertChain(expiredCertTrustDomain, cert, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr));
}
// Two subjectAltNames must result in an error.
TEST_F(pkixcert_extension, DuplicateSubjectAltName)
{
// python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
static const uint8_t tlv_id_ce_subjectAltName[] = {
0x06, 0x03, 0x55, 0x1d, 0x11
};
ByteString subjectAltName(
TLV(der::SEQUENCE,
BytesToByteString(tlv_id_ce_subjectAltName) +
TLV(der::OCTET_STRING, TLV(der::SEQUENCE, DNSName("example.com")))));
static const ByteString extensions[] = { subjectAltName, subjectAltName,
ByteString() };
static const char* certCN = "Cert With Duplicate subjectAltName";
ByteString cert(CreateCertWithExtensions(certCN, extensions));
ASSERT_FALSE(ENCODING_FAILED(cert));
Input certInput;
ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
BuildCertChain(trustDomain, certInput, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::anyExtendedKeyUsage,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
TEST_F(pkixbuild_DSS, DSSEndEntityKeyNotAccepted)
{
DSSTrustDomain trustDomain;
ByteString serialNumber(CreateEncodedSerialNumber(1));
ASSERT_FALSE(ENCODING_FAILED(serialNumber));
ByteString subjectDER(CNToDERName("DSS"));
ASSERT_FALSE(ENCODING_FAILED(subjectDER));
ScopedTestKeyPair subjectKey(GenerateDSSKeyPair());
ASSERT_TRUE(subjectKey.get());
ByteString issuerDER(CNToDERName("RSA"));
ASSERT_FALSE(ENCODING_FAILED(issuerDER));
ScopedTestKeyPair issuerKey(CloneReusedKeyPair());
ASSERT_TRUE(issuerKey.get());
ByteString cert(CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
serialNumber, issuerDER,
oneDayBeforeNow, oneDayAfterNow,
subjectDER, *subjectKey, nullptr,
*issuerKey, sha256WithRSAEncryption()));
ASSERT_FALSE(ENCODING_FAILED(cert));
Input certDER;
ASSERT_EQ(Success, certDER.Init(cert.data(), cert.length()));
ASSERT_EQ(Result::ERROR_UNSUPPORTED_KEYALG,
BuildCertChain(trustDomain, certDER, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
// The result is owned by the arena
Input CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::CertStatus certStatus,
const CertID& certID,
/*optional*/ const char* signerName,
const ScopedSECKEYPrivateKey& signerPrivateKey,
PRTime producedAt, PRTime thisUpdate,
/*optional*/ const PRTime* nextUpdate,
/*optional*/ SECItem const* const* certs = nullptr)
{
OCSPResponseContext context(arena.get(), certID, producedAt);
if (signerName) {
context.signerNameDER = ASCIIToDERName(arena.get(), signerName);
EXPECT_TRUE(context.signerNameDER);
}
context.signerPrivateKey = SECKEY_CopyPrivateKey(signerPrivateKey.get());
EXPECT_TRUE(context.signerPrivateKey);
context.responseStatus = OCSPResponseContext::successful;
context.producedAt = producedAt;
context.certs = certs;
context.certIDHashAlg = SEC_OID_SHA1;
context.certStatus = certStatus;
context.thisUpdate = thisUpdate;
context.nextUpdate = nextUpdate ? *nextUpdate : 0;
context.includeNextUpdate = nextUpdate != nullptr;
SECItem* response = CreateEncodedOCSPResponse(context);
EXPECT_TRUE(response);
Input result;
EXPECT_EQ(Success, result.Init(response->data, response->len));
return result;
}
TEST_P(pkixbuild_IssuerNameCheck, MatchingName)
{
const IssuerNameCheckParams& params(GetParam());
ByteString issuerCertDER(CreateCert(params.issuerSubjectCN,
params.issuerSubjectCN,
EndEntityOrCA::MustBeCA, nullptr));
ASSERT_FALSE(ENCODING_FAILED(issuerCertDER));
ByteString subjectCertDER(CreateCert(params.subjectIssuerCN, "end-entity",
EndEntityOrCA::MustBeEndEntity,
nullptr));
ASSERT_FALSE(ENCODING_FAILED(subjectCertDER));
Input subjectCertDERInput;
ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(),
subjectCertDER.length()));
IssuerNameCheckTrustDomain trustDomain(issuerCertDER, !params.matches);
ASSERT_EQ(params.matches ? Success : Result::ERROR_UNKNOWN_ISSUER,
BuildCertChain(trustDomain, subjectCertDERInput, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy,
nullptr/*stapledOCSPResponse*/));
}
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_expired)
{
static const char* signerName = "good_indirect_expired";
const ByteString extensions[] = {
CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
ByteString()
};
ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
ByteString signerDER(CreateEncodedCertificate(
++rootIssuedCount, sha256WithRSAEncryption(),
rootName,
now - (10 * ONE_DAY_IN_SECONDS_AS_TIME_T),
now - (2 * ONE_DAY_IN_SECONDS_AS_TIME_T),
signerName, *signerKeyPair, extensions,
*rootKeyPair));
ASSERT_FALSE(ENCODING_FAILED(signerDER));
ByteString certs[] = { signerDER, ByteString() };
ByteString responseString(
CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
signerName, *signerKeyPair, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow,
sha256WithRSAEncryption(), certs));
Input response;
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
bool expired;
ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
END_ENTITY_MAX_LIFETIME_IN_DAYS,
response, expired));
}
TEST_P(pkixder_universal_types_tests_Integer,
PositiveInteger_with_significantBytes)
{
const IntegerTestParams& params(GetParam());
Input input;
ASSERT_EQ(Success, input.Init(params.encoded.data(),
params.encoded.length()));
Reader reader(input);
Result expectedResult = params.positiveInteger.expectedResult;
Input value;
Input::size_type significantBytes = INVALID;
ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value,
&significantBytes));
if (expectedResult == Success) {
ASSERT_NE(INVALID, params.positiveInteger.significantBytesIfValid);
ASSERT_EQ(params.positiveInteger.significantBytesIfValid,
significantBytes);
Reader anotherReader(input);
Input expectedValue;
ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader,
der::INTEGER, expectedValue));
ASSERT_TRUE(InputsAreEqual(expectedValue, value));
ASSERT_TRUE(reader.AtEnd());
}
}
Input
InputForBuffer(const Buffer& buffer)
{
Input input;
MOZ_RELEASE_ASSERT(Success ==
input.Init(buffer.begin(), buffer.length()));
return input;
}
TEST_P(pkixcert_IsValidChainForAlgorithm, IsValidChainForAlgorithm)
{
const ChainValidity& chainValidity(GetParam());
const char* rootCN = "CN=Root";
ScopedTestKeyPair rootKey;
ByteString rootSubjectDER;
ByteString rootEncoded(
CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
chainValidity.rootSignatureAlgorithm,
nullptr, rootKey, rootSubjectDER));
EXPECT_FALSE(ENCODING_FAILED(rootEncoded));
EXPECT_FALSE(ENCODING_FAILED(rootSubjectDER));
const char* issuerCN = rootCN;
TestKeyPair* issuerKey = rootKey.get();
const char* intermediateCN = "CN=Intermediate";
ScopedTestKeyPair intermediateKey;
ByteString intermediateSubjectDER;
ByteString intermediateEncoded;
if (chainValidity.optionalIntermediateSignatureAlgorithm != NO_INTERMEDIATE) {
intermediateEncoded =
CreateCert(rootCN, intermediateCN, EndEntityOrCA::MustBeCA,
chainValidity.optionalIntermediateSignatureAlgorithm,
rootKey.get(), intermediateKey, intermediateSubjectDER);
EXPECT_FALSE(ENCODING_FAILED(intermediateEncoded));
EXPECT_FALSE(ENCODING_FAILED(intermediateSubjectDER));
issuerCN = intermediateCN;
issuerKey = intermediateKey.get();
}
AlgorithmTestsTrustDomain trustDomain(rootEncoded, rootSubjectDER,
intermediateEncoded,
intermediateSubjectDER);
const char* endEntityCN = "CN=End Entity";
ScopedTestKeyPair endEntityKey;
ByteString endEntitySubjectDER;
ByteString endEntityEncoded(
CreateCert(issuerCN, endEntityCN, EndEntityOrCA::MustBeEndEntity,
chainValidity.endEntitySignatureAlgorithm,
issuerKey, endEntityKey, endEntitySubjectDER));
EXPECT_FALSE(ENCODING_FAILED(endEntityEncoded));
EXPECT_FALSE(ENCODING_FAILED(endEntitySubjectDER));
Input endEntity;
ASSERT_EQ(Success, endEntity.Init(endEntityEncoded.data(),
endEntityEncoded.length()));
Result expectedResult = chainValidity.isValid
? Success
: Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
ASSERT_EQ(expectedResult,
BuildCertChain(trustDomain, endEntity, Now(),
EndEntityOrCA::MustBeEndEntity,
KeyUsage::noParticularKeyUsageRequired,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy, nullptr));
}
TEST_P(pkixcheck_TLSFeaturesSatisfiedInternal, TLSFeaturesSatisfiedInternal) {
const TLSFeaturesTestParams& params(GetParam());
Input featuresInput;
ASSERT_EQ(Success, featuresInput.Init(params.requiredTLSFeatures.data(),
params.requiredTLSFeatures.length()));
Input responseInput;
// just create an input with any data in it
ByteString stapledOCSPResponse = BS(statusRequest);
ASSERT_EQ(Success, responseInput.Init(stapledOCSPResponse.data(),
stapledOCSPResponse.length()));
// first we omit the response
ASSERT_EQ(params.expectedResultWithoutResponse,
TLSFeaturesSatisfiedInternal(&featuresInput, nullptr));
// then we try again with the response
ASSERT_EQ(params.expectedResultWithResponse,
TLSFeaturesSatisfiedInternal(&featuresInput, &responseInput));
}
bool DX11::CreateWindow()
{
static LPCWSTR AMJU_WINDOW_CLASS_NAME = L"MY_WINDOWS_CLASS";
// Register class
WNDCLASSEX wcex;
wcex.cbSize = sizeof( WNDCLASSEX );
wcex.style = CS_HREDRAW | CS_VREDRAW;
wcex.lpfnWndProc = MyDefaultWndProc; // TODO you should supply your own
wcex.cbClsExtra = 0;
wcex.cbWndExtra = 0;
wcex.hInstance = g_hInst;
wcex.hIcon = 0;
wcex.hCursor = LoadCursor( NULL, IDC_ARROW );
wcex.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH);
wcex.lpszMenuName = NULL;
wcex.lpszClassName = AMJU_WINDOW_CLASS_NAME;
wcex.hIconSm = 0;
if( !RegisterClassEx( &wcex ) )
return false;
HWND hWnd = CreateWindowEx(
NULL,
AMJU_WINDOW_CLASS_NAME,
L"DX Boiler", // TODO you should supply a window title
WS_OVERLAPPEDWINDOW | WS_VISIBLE,
100,
100,
640, // TODO you should supply width
480, // ..and height
NULL,
NULL,
g_hInst,
NULL);
if (!hWnd)
{
return false;
}
ShowWindow(hWnd, SW_SHOW);
UpdateWindow(hWnd);
g_hWnd = hWnd;
if (!m_input.Init(&g_hWnd))
{
return false;
}
if (InitDevice() != S_OK)
{
return false;
}
return true;
}
Result CheckCert(ByteString& certDER, IssuerChecker& checker, bool& keepGoing)
{
Input derCert;
Result rv = derCert.Init(certDER.data(), certDER.length());
if (rv != Success) {
return rv;
}
return checker.Check(derCert, nullptr/*additionalNameConstraints*/,
keepGoing);
}
TEST_P(pkixder_DigestAlgorithmIdentifier_Invalid, Invalid)
{
const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
Input input;
ASSERT_EQ(Success, input.Init(param.der, param.derLength));
Reader reader(input);
DigestAlgorithm alg;
ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
DigestAlgorithmIdentifier(reader, alg));
}
void
GetSampleSTHTreeHeadDecodedSignature(DigitallySigned& signature)
{
Buffer ths = HexToBytes(kSampleSTHTreeHeadSignature);
Input thsInput;
MOZ_RELEASE_ASSERT(thsInput.Init(ths.begin(), ths.length()) == Success);
Reader thsReader(thsInput);
MOZ_RELEASE_ASSERT(DecodeDigitallySigned(thsReader, signature) == Success);
MOZ_RELEASE_ASSERT(thsReader.AtEnd());
}
TEST_P(pkixder_SignatureAlgorithmIdentifier_Invalid, Invalid)
{
const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
Input input;
ASSERT_EQ(Success, input.Init(param.der, param.derLength));
Reader reader(input);
der::PublicKeyAlgorithm publicKeyAlg;
DigestAlgorithm digestAlg;
ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
SignatureAlgorithmIdentifierValue(reader, publicKeyAlg, digestAlg));
}
TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefaultAtEnd)
{
static const uint8_t dummy = 1;
Input input;
ASSERT_EQ(Success, input.Init(&dummy, 0));
Reader reader(input);
long value = 1;
ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
ASSERT_EQ(-1, value);
}
Result FindIssuer(Input, IssuerChecker& checker, Time) override
{
Input issuerInput;
EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
bool keepGoing;
EXPECT_EQ(Success,
checker.Check(issuerInput, nullptr /*additionalNameConstraints*/,
keepGoing));
EXPECT_EQ(expectedKeepGoing, keepGoing);
return Success;
}
Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
Input candidateCert, /*out*/ TrustLevel& trustLevel)
override
{
EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
EXPECT_FALSE(certDER.empty());
Input certDERInput;
EXPECT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
EXPECT_TRUE(InputsAreEqual(certDERInput, candidateCert));
trustLevel = certTrustLevel;
return Success;
}
Result FindIssuer(Input, IssuerChecker& checker, Time) override
{
// keepGoing is an out parameter from IssuerChecker.Check. It would tell us
// whether or not to continue attempting other potential issuers. We only
// know of one potential issuer, however, so we ignore it.
bool keepGoing;
Input rootCert;
Result rv = rootCert.Init(rootDER.data(), rootDER.length());
if (rv != Success) {
return rv;
}
return checker.Check(rootCert, nullptr, keepGoing);
}
TEST_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes, CorrectErrorCode)
{
ByteString
responseString(CreateEncodedOCSPErrorResponse(GetParam().responseStatus));
Input response;
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
bool expired;
ASSERT_EQ(GetParam().expectedError,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
END_ENTITY_MAX_LIFETIME_IN_DAYS,
response, expired));
}
