void SetUp() { rootNameDER = CNToDERName(rootName); if (ENCODING_FAILED(rootNameDER)) { abort(); } Input rootNameDERInput; if (rootNameDERInput.Init(rootNameDER.data(), rootNameDER.length()) != Success) { abort(); } serialNumberDER = CreateEncodedSerialNumber(static_cast<long>(++rootIssuedCount)); if (ENCODING_FAILED(serialNumberDER)) { abort(); } Input serialNumberDERInput; if (serialNumberDERInput.Init(serialNumberDER.data(), serialNumberDER.length()) != Success) { abort(); } Input rootSPKIDER; if (rootSPKIDER.Init(rootKeyPair->subjectPublicKeyInfo.data(), rootKeyPair->subjectPublicKeyInfo.length()) != Success) { abort(); } endEntityCertID.reset(new (std::nothrow) CertID(rootNameDERInput, rootSPKIDER, serialNumberDERInput)); if (!endEntityCertID) { abort(); } }
TEST_F(pkixbuild, BeyondMaxAcceptableCertChainLength) { static char const* const caCertName = "CA Too Far"; trustDomain.CreateCACert("CA7", caCertName); { ByteString certDER(trustDomain.GetLeafCACertDER()); Input certDERInput; ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length())); ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER, BuildCertChain(trustDomain, certDERInput, Now(), EndEntityOrCA::MustBeCA, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); } { ByteString certDER(CreateCert(caCertName, "End-Entity Too Far", EndEntityOrCA::MustBeEndEntity)); ASSERT_FALSE(ENCODING_FAILED(certDER)); Input certDERInput; ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length())); ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER, BuildCertChain(trustDomain, certDERInput, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); } }
// The resultant issuerDER and issuerSPKI are owned by the arena. SECStatus MakeIssuerCertIDComponents(const char* issuerASCII, /*out*/ Input& issuerDER, /*out*/ Input& issuerSPKI) { const SECItem* issuerDERSECItem = ASCIIToDERName(arena.get(), issuerASCII); if (!issuerDERSECItem) { return SECFailure; } if (issuerDER.Init(issuerDERSECItem->data, issuerDERSECItem->len) != Success) { return SECFailure; } ScopedSECKEYPublicKey issuerPublicKey; ScopedSECKEYPrivateKey issuerPrivateKey; if (GenerateKeyPair(issuerPublicKey, issuerPrivateKey) != SECSuccess) { return SECFailure; } ScopedSECItem issuerSPKIOriginal( SECKEY_EncodeDERSubjectPublicKeyInfo(issuerPublicKey.get())); if (!issuerSPKIOriginal) { return SECFailure; } SECItem issuerSPKICopy; if (SECITEM_CopyItem(arena.get(), &issuerSPKICopy, issuerSPKIOriginal.get()) != SECSuccess) { return SECFailure; } if (issuerSPKI.Init(issuerSPKICopy.data, issuerSPKICopy.len) != Success) { return SECFailure; } return SECSuccess; }
TEST_P(pkixder_DigestAlgorithmIdentifier_Valid, Valid) { const ValidDigestAlgorithmIdentifierTestInfo& param(GetParam()); { Input input; ASSERT_EQ(Success, input.Init(param.der, param.derLength)); Reader reader(input); DigestAlgorithm alg; ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg)); ASSERT_EQ(param.algorithm, alg); ASSERT_EQ(Success, End(reader)); } { uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2]; memcpy(derWithNullParam, param.der, param.derLength); derWithNullParam[1] += 2; // we're going to expand the value by 2 bytes derWithNullParam[param.derLength] = 0x05; // NULL tag derWithNullParam[param.derLength + 1] = 0x00; // length zero Input input; ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2)); Reader reader(input); DigestAlgorithm alg; ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg)); ASSERT_EQ(param.algorithm, alg); ASSERT_EQ(Success, End(reader)); } }
TEST_F(pkixbuild, MaxAcceptableCertChainLength) { { ByteString leafCACert(trustDomain.GetLeafCACertDER()); Input certDER; ASSERT_EQ(Success, certDER.Init(leafCACert.data(), leafCACert.length())); ASSERT_EQ(Success, BuildCertChain(trustDomain, certDER, Now(), EndEntityOrCA::MustBeCA, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); } { ByteString certDER(CreateCert("CA7", "Direct End-Entity", EndEntityOrCA::MustBeEndEntity)); ASSERT_FALSE(ENCODING_FAILED(certDER)); Input certDERInput; ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length())); ASSERT_EQ(Success, BuildCertChain(trustDomain, certDERInput, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); } }
// Added for bug 1079436. The output variable validThrough represents the // latest time for which VerifyEncodedOCSPResponse will succeed, which is // different from the nextUpdate time in the OCSP response due to the slop we // add for time comparisons to deal with clock skew. TEST_F(pkixocsp_VerifyEncodedResponse_successful, check_validThrough) { ByteString responseString( CreateEncodedOCSPSuccessfulResponse( OCSPResponseContext::good, *endEntityCertID, byKey, *rootKeyPair, oneDayBeforeNow, oneDayBeforeNow, &oneDayAfterNow, sha256WithRSAEncryption())); Time validThrough(Time::uninitialized); { Input response; ASSERT_EQ(Success, response.Init(responseString.data(), responseString.length())); bool expired; ASSERT_EQ(Success, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS, response, expired, nullptr, &validThrough)); ASSERT_FALSE(expired); // The response was created to be valid until one day after now, so the // value we got for validThrough should be after that. Time oneDayAfterNowAsPKIXTime( TimeFromEpochInSeconds(static_cast<uint64_t>(oneDayAfterNow))); ASSERT_TRUE(validThrough > oneDayAfterNowAsPKIXTime); } { Input response; ASSERT_EQ(Success, response.Init(responseString.data(), responseString.length())); bool expired; // Given validThrough from a previous verification, this response should be // valid through that time. ASSERT_EQ(Success, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, validThrough, END_ENTITY_MAX_LIFETIME_IN_DAYS, response, expired)); ASSERT_FALSE(expired); } { Time noLongerValid(validThrough); ASSERT_EQ(Success, noLongerValid.AddSeconds(1)); Input response; ASSERT_EQ(Success, response.Init(responseString.data(), responseString.length())); bool expired; // The verification time is now after when the response will be considered // valid. ASSERT_EQ(Result::ERROR_OCSP_OLD_RESPONSE, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, noLongerValid, END_ENTITY_MAX_LIFETIME_IN_DAYS, response, expired)); ASSERT_TRUE(expired); } }
TEST_P(pkixcheck_CheckSignatureAlgorithm, CheckSignatureAlgorithm) { const Time now(Now()); const CheckSignatureAlgorithmTestParams& params(GetParam()); Input signatureValueInput; ASSERT_EQ(Success, signatureValueInput.Init(params.signatureValue.data(), params.signatureValue.length())); pkixcheck_CheckSignatureAlgorithm_TrustDomain trustDomain(params.signatureLengthInBytes * 8); der::SignedDataWithSignature signedData; ASSERT_EQ(Success, signedData.algorithm.Init(params.signatureAlgorithmValue.data(), params.signatureAlgorithmValue.length())); ByteString dummySignature(params.signatureLengthInBytes, 0xDE); ASSERT_EQ(Success, signedData.signature.Init(dummySignature.data(), dummySignature.length())); ASSERT_EQ(params.expectedResult, CheckSignatureAlgorithm(trustDomain, EndEntityOrCA::MustBeEndEntity, now, signedData, signatureValueInput)); ASSERT_EQ(params.expectedResult == Success, trustDomain.checkedDigestAlgorithm); ASSERT_EQ(params.expectedResult == Success, trustDomain.checkedModulusSizeInBits); }
// Creates a self-signed certificate with the given extension. static Input CreateCert(PLArenaPool* arena, const char* subjectStr, SECItem const* const* extensions, // null-terminated array /*out*/ ScopedSECKEYPrivateKey& subjectKey) { static long serialNumberValue = 0; ++serialNumberValue; const SECItem* serialNumber(CreateEncodedSerialNumber(arena, serialNumberValue)); EXPECT_TRUE(serialNumber); const SECItem* issuerDER(ASCIIToDERName(arena, subjectStr)); EXPECT_TRUE(issuerDER); const SECItem* subjectDER(ASCIIToDERName(arena, subjectStr)); EXPECT_TRUE(subjectDER); SECItem* cert = CreateEncodedCertificate( arena, v3, SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION, serialNumber, issuerDER, PR_Now() - ONE_DAY, PR_Now() + ONE_DAY, subjectDER, extensions, nullptr, SEC_OID_SHA256, subjectKey); EXPECT_TRUE(cert); Input result; EXPECT_EQ(Success, result.Init(cert->data, cert->len)); return result; }
TEST_F(pkixbuild, AvoidUnboundedPathSearchingFailure) { SelfIssuedCertificatesTrustDomain localTrustDomain; // This creates a few hundred million potential paths of length 8 (end entity // + 6 sub-CAs + root). It would be prohibitively expensive to enumerate all // of these, so we give mozilla::pkix a budget that is spent when searching // paths. If the budget is exhausted, it simply returns an unknown issuer // error. In the future it might be nice to return a specific error that would // give the front-end a hint that maybe it shouldn't have so many certificates // that all have the same subject and issuer DN but different SPKIs. localTrustDomain.SetUpCerts(18); ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity, nullptr, nullptr, localTrustDomain.GetFirstIssuerKey())); ASSERT_FALSE(ENCODING_FAILED(certDER)); Input certDERInput; ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length())); ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER, BuildCertChain(localTrustDomain, certDERInput, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); }
TEST_F(pkixbuild, BadEmbeddedSCTWithMultiplePaths) { MultiplePathTrustDomain localTrustDomain; localTrustDomain.SetUpCerts(); // python security/pkix/tools/DottedOIDToCode.py --tlv // id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2 static const uint8_t tlv_id_embeddedSctList[] = { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02 }; static const uint8_t dummySctList[] = { 0x01, 0x02, 0x03, 0x04, 0x05 }; ByteString ctExtension = TLV(der::SEQUENCE, BytesToByteString(tlv_id_embeddedSctList) + Boolean(false) + // The contents of the OCTET STRING are supposed to consist of an OCTET // STRING of useful data. We're testing what happens if it isn't, so shove // some bogus (non-OCTET STRING) data in there. TLV(der::OCTET_STRING, BytesToByteString(dummySctList))); ByteString certDER(CreateCert("Intermediate", "Cert with bogus SCT list", EndEntityOrCA::MustBeEndEntity, nullptr, /*subjectDERToCertDER*/ &ctExtension)); ASSERT_FALSE(ENCODING_FAILED(certDER)); Input certDERInput; ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length())); ASSERT_EQ(Result::ERROR_BAD_DER, BuildCertChain(localTrustDomain, certDERInput, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); }
TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert) { const char* rootCN = "Root CA"; ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA, nullptr)); EXPECT_FALSE(ENCODING_FAILED(rootDER)); ExpiredCertTrustDomain expiredCertTrustDomain(rootDER); ByteString serialNumber(CreateEncodedSerialNumber(100)); EXPECT_FALSE(ENCODING_FAILED(serialNumber)); ByteString issuerDER(CNToDERName(rootCN)); ByteString subjectDER(CNToDERName("Expired End-Entity Cert")); ScopedTestKeyPair reusedKey(CloneReusedKeyPair()); ByteString certDER(CreateEncodedCertificate( v3, sha256WithRSAEncryption(), serialNumber, issuerDER, oneDayBeforeNow - ONE_DAY_IN_SECONDS_AS_TIME_T, oneDayBeforeNow, subjectDER, *reusedKey, nullptr, *reusedKey, sha256WithRSAEncryption())); EXPECT_FALSE(ENCODING_FAILED(certDER)); Input cert; ASSERT_EQ(Success, cert.Init(certDER.data(), certDER.length())); ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, BuildCertChain(expiredCertTrustDomain, cert, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr)); }
// Two subjectAltNames must result in an error. TEST_F(pkixcert_extension, DuplicateSubjectAltName) { // python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17 static const uint8_t tlv_id_ce_subjectAltName[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 }; ByteString subjectAltName( TLV(der::SEQUENCE, BytesToByteString(tlv_id_ce_subjectAltName) + TLV(der::OCTET_STRING, TLV(der::SEQUENCE, DNSName("example.com"))))); static const ByteString extensions[] = { subjectAltName, subjectAltName, ByteString() }; static const char* certCN = "Cert With Duplicate subjectAltName"; ByteString cert(CreateCertWithExtensions(certCN, extensions)); ASSERT_FALSE(ENCODING_FAILED(cert)); Input certInput; ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID, BuildCertChain(trustDomain, certInput, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::anyExtendedKeyUsage, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); }
TEST_F(pkixbuild_DSS, DSSEndEntityKeyNotAccepted) { DSSTrustDomain trustDomain; ByteString serialNumber(CreateEncodedSerialNumber(1)); ASSERT_FALSE(ENCODING_FAILED(serialNumber)); ByteString subjectDER(CNToDERName("DSS")); ASSERT_FALSE(ENCODING_FAILED(subjectDER)); ScopedTestKeyPair subjectKey(GenerateDSSKeyPair()); ASSERT_TRUE(subjectKey.get()); ByteString issuerDER(CNToDERName("RSA")); ASSERT_FALSE(ENCODING_FAILED(issuerDER)); ScopedTestKeyPair issuerKey(CloneReusedKeyPair()); ASSERT_TRUE(issuerKey.get()); ByteString cert(CreateEncodedCertificate(v3, sha256WithRSAEncryption(), serialNumber, issuerDER, oneDayBeforeNow, oneDayAfterNow, subjectDER, *subjectKey, nullptr, *issuerKey, sha256WithRSAEncryption())); ASSERT_FALSE(ENCODING_FAILED(cert)); Input certDER; ASSERT_EQ(Success, certDER.Init(cert.data(), cert.length())); ASSERT_EQ(Result::ERROR_UNSUPPORTED_KEYALG, BuildCertChain(trustDomain, certDER, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); }
// The result is owned by the arena Input CreateEncodedOCSPSuccessfulResponse( OCSPResponseContext::CertStatus certStatus, const CertID& certID, /*optional*/ const char* signerName, const ScopedSECKEYPrivateKey& signerPrivateKey, PRTime producedAt, PRTime thisUpdate, /*optional*/ const PRTime* nextUpdate, /*optional*/ SECItem const* const* certs = nullptr) { OCSPResponseContext context(arena.get(), certID, producedAt); if (signerName) { context.signerNameDER = ASCIIToDERName(arena.get(), signerName); EXPECT_TRUE(context.signerNameDER); } context.signerPrivateKey = SECKEY_CopyPrivateKey(signerPrivateKey.get()); EXPECT_TRUE(context.signerPrivateKey); context.responseStatus = OCSPResponseContext::successful; context.producedAt = producedAt; context.certs = certs; context.certIDHashAlg = SEC_OID_SHA1; context.certStatus = certStatus; context.thisUpdate = thisUpdate; context.nextUpdate = nextUpdate ? *nextUpdate : 0; context.includeNextUpdate = nextUpdate != nullptr; SECItem* response = CreateEncodedOCSPResponse(context); EXPECT_TRUE(response); Input result; EXPECT_EQ(Success, result.Init(response->data, response->len)); return result; }
TEST_P(pkixbuild_IssuerNameCheck, MatchingName) { const IssuerNameCheckParams& params(GetParam()); ByteString issuerCertDER(CreateCert(params.issuerSubjectCN, params.issuerSubjectCN, EndEntityOrCA::MustBeCA, nullptr)); ASSERT_FALSE(ENCODING_FAILED(issuerCertDER)); ByteString subjectCertDER(CreateCert(params.subjectIssuerCN, "end-entity", EndEntityOrCA::MustBeEndEntity, nullptr)); ASSERT_FALSE(ENCODING_FAILED(subjectCertDER)); Input subjectCertDERInput; ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(), subjectCertDER.length())); IssuerNameCheckTrustDomain trustDomain(issuerCertDER, !params.matches); ASSERT_EQ(params.matches ? Success : Result::ERROR_UNKNOWN_ISSUER, BuildCertChain(trustDomain, subjectCertDERInput, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr/*stapledOCSPResponse*/)); }
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_expired) { static const char* signerName = "good_indirect_expired"; const ByteString extensions[] = { CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No), ByteString() }; ScopedTestKeyPair signerKeyPair(GenerateKeyPair()); ByteString signerDER(CreateEncodedCertificate( ++rootIssuedCount, sha256WithRSAEncryption(), rootName, now - (10 * ONE_DAY_IN_SECONDS_AS_TIME_T), now - (2 * ONE_DAY_IN_SECONDS_AS_TIME_T), signerName, *signerKeyPair, extensions, *rootKeyPair)); ASSERT_FALSE(ENCODING_FAILED(signerDER)); ByteString certs[] = { signerDER, ByteString() }; ByteString responseString( CreateEncodedOCSPSuccessfulResponse( OCSPResponseContext::good, *endEntityCertID, signerName, *signerKeyPair, oneDayBeforeNow, oneDayBeforeNow, &oneDayAfterNow, sha256WithRSAEncryption(), certs)); Input response; ASSERT_EQ(Success, response.Init(responseString.data(), responseString.length())); bool expired; ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS, response, expired)); }
TEST_P(pkixder_universal_types_tests_Integer, PositiveInteger_with_significantBytes) { const IntegerTestParams& params(GetParam()); Input input; ASSERT_EQ(Success, input.Init(params.encoded.data(), params.encoded.length())); Reader reader(input); Result expectedResult = params.positiveInteger.expectedResult; Input value; Input::size_type significantBytes = INVALID; ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value, &significantBytes)); if (expectedResult == Success) { ASSERT_NE(INVALID, params.positiveInteger.significantBytesIfValid); ASSERT_EQ(params.positiveInteger.significantBytesIfValid, significantBytes); Reader anotherReader(input); Input expectedValue; ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader, der::INTEGER, expectedValue)); ASSERT_TRUE(InputsAreEqual(expectedValue, value)); ASSERT_TRUE(reader.AtEnd()); } }
Input InputForBuffer(const Buffer& buffer) { Input input; MOZ_RELEASE_ASSERT(Success == input.Init(buffer.begin(), buffer.length())); return input; }
TEST_P(pkixcert_IsValidChainForAlgorithm, IsValidChainForAlgorithm) { const ChainValidity& chainValidity(GetParam()); const char* rootCN = "CN=Root"; ScopedTestKeyPair rootKey; ByteString rootSubjectDER; ByteString rootEncoded( CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA, chainValidity.rootSignatureAlgorithm, nullptr, rootKey, rootSubjectDER)); EXPECT_FALSE(ENCODING_FAILED(rootEncoded)); EXPECT_FALSE(ENCODING_FAILED(rootSubjectDER)); const char* issuerCN = rootCN; TestKeyPair* issuerKey = rootKey.get(); const char* intermediateCN = "CN=Intermediate"; ScopedTestKeyPair intermediateKey; ByteString intermediateSubjectDER; ByteString intermediateEncoded; if (chainValidity.optionalIntermediateSignatureAlgorithm != NO_INTERMEDIATE) { intermediateEncoded = CreateCert(rootCN, intermediateCN, EndEntityOrCA::MustBeCA, chainValidity.optionalIntermediateSignatureAlgorithm, rootKey.get(), intermediateKey, intermediateSubjectDER); EXPECT_FALSE(ENCODING_FAILED(intermediateEncoded)); EXPECT_FALSE(ENCODING_FAILED(intermediateSubjectDER)); issuerCN = intermediateCN; issuerKey = intermediateKey.get(); } AlgorithmTestsTrustDomain trustDomain(rootEncoded, rootSubjectDER, intermediateEncoded, intermediateSubjectDER); const char* endEntityCN = "CN=End Entity"; ScopedTestKeyPair endEntityKey; ByteString endEntitySubjectDER; ByteString endEntityEncoded( CreateCert(issuerCN, endEntityCN, EndEntityOrCA::MustBeEndEntity, chainValidity.endEntitySignatureAlgorithm, issuerKey, endEntityKey, endEntitySubjectDER)); EXPECT_FALSE(ENCODING_FAILED(endEntityEncoded)); EXPECT_FALSE(ENCODING_FAILED(endEntitySubjectDER)); Input endEntity; ASSERT_EQ(Success, endEntity.Init(endEntityEncoded.data(), endEntityEncoded.length())); Result expectedResult = chainValidity.isValid ? Success : Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED; ASSERT_EQ(expectedResult, BuildCertChain(trustDomain, endEntity, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::id_kp_serverAuth, CertPolicyId::anyPolicy, nullptr)); }
TEST_P(pkixcheck_TLSFeaturesSatisfiedInternal, TLSFeaturesSatisfiedInternal) { const TLSFeaturesTestParams& params(GetParam()); Input featuresInput; ASSERT_EQ(Success, featuresInput.Init(params.requiredTLSFeatures.data(), params.requiredTLSFeatures.length())); Input responseInput; // just create an input with any data in it ByteString stapledOCSPResponse = BS(statusRequest); ASSERT_EQ(Success, responseInput.Init(stapledOCSPResponse.data(), stapledOCSPResponse.length())); // first we omit the response ASSERT_EQ(params.expectedResultWithoutResponse, TLSFeaturesSatisfiedInternal(&featuresInput, nullptr)); // then we try again with the response ASSERT_EQ(params.expectedResultWithResponse, TLSFeaturesSatisfiedInternal(&featuresInput, &responseInput)); }
bool DX11::CreateWindow() { static LPCWSTR AMJU_WINDOW_CLASS_NAME = L"MY_WINDOWS_CLASS"; // Register class WNDCLASSEX wcex; wcex.cbSize = sizeof( WNDCLASSEX ); wcex.style = CS_HREDRAW | CS_VREDRAW; wcex.lpfnWndProc = MyDefaultWndProc; // TODO you should supply your own wcex.cbClsExtra = 0; wcex.cbWndExtra = 0; wcex.hInstance = g_hInst; wcex.hIcon = 0; wcex.hCursor = LoadCursor( NULL, IDC_ARROW ); wcex.hbrBackground = (HBRUSH)GetStockObject(BLACK_BRUSH); wcex.lpszMenuName = NULL; wcex.lpszClassName = AMJU_WINDOW_CLASS_NAME; wcex.hIconSm = 0; if( !RegisterClassEx( &wcex ) ) return false; HWND hWnd = CreateWindowEx( NULL, AMJU_WINDOW_CLASS_NAME, L"DX Boiler", // TODO you should supply a window title WS_OVERLAPPEDWINDOW | WS_VISIBLE, 100, 100, 640, // TODO you should supply width 480, // ..and height NULL, NULL, g_hInst, NULL); if (!hWnd) { return false; } ShowWindow(hWnd, SW_SHOW); UpdateWindow(hWnd); g_hWnd = hWnd; if (!m_input.Init(&g_hWnd)) { return false; } if (InitDevice() != S_OK) { return false; } return true; }
Result CheckCert(ByteString& certDER, IssuerChecker& checker, bool& keepGoing) { Input derCert; Result rv = derCert.Init(certDER.data(), certDER.length()); if (rv != Success) { return rv; } return checker.Check(derCert, nullptr/*additionalNameConstraints*/, keepGoing); }
TEST_P(pkixder_DigestAlgorithmIdentifier_Invalid, Invalid) { const InvalidAlgorithmIdentifierTestInfo& param(GetParam()); Input input; ASSERT_EQ(Success, input.Init(param.der, param.derLength)); Reader reader(input); DigestAlgorithm alg; ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM, DigestAlgorithmIdentifier(reader, alg)); }
void GetSampleSTHTreeHeadDecodedSignature(DigitallySigned& signature) { Buffer ths = HexToBytes(kSampleSTHTreeHeadSignature); Input thsInput; MOZ_RELEASE_ASSERT(thsInput.Init(ths.begin(), ths.length()) == Success); Reader thsReader(thsInput); MOZ_RELEASE_ASSERT(DecodeDigitallySigned(thsReader, signature) == Success); MOZ_RELEASE_ASSERT(thsReader.AtEnd()); }
TEST_P(pkixder_SignatureAlgorithmIdentifier_Invalid, Invalid) { const InvalidAlgorithmIdentifierTestInfo& param(GetParam()); Input input; ASSERT_EQ(Success, input.Init(param.der, param.derLength)); Reader reader(input); der::PublicKeyAlgorithm publicKeyAlg; DigestAlgorithm digestAlg; ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, SignatureAlgorithmIdentifierValue(reader, publicKeyAlg, digestAlg)); }
TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefaultAtEnd) { static const uint8_t dummy = 1; Input input; ASSERT_EQ(Success, input.Init(&dummy, 0)); Reader reader(input); long value = 1; ASSERT_EQ(Success, OptionalInteger(reader, -1, value)); ASSERT_EQ(-1, value); }
Result FindIssuer(Input, IssuerChecker& checker, Time) override { Input issuerInput; EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length())); bool keepGoing; EXPECT_EQ(Success, checker.Check(issuerInput, nullptr /*additionalNameConstraints*/, keepGoing)); EXPECT_EQ(expectedKeepGoing, keepGoing); return Success; }
Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&, Input candidateCert, /*out*/ TrustLevel& trustLevel) override { EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity); EXPECT_FALSE(certDER.empty()); Input certDERInput; EXPECT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length())); EXPECT_TRUE(InputsAreEqual(certDERInput, candidateCert)); trustLevel = certTrustLevel; return Success; }
Result FindIssuer(Input, IssuerChecker& checker, Time) override { // keepGoing is an out parameter from IssuerChecker.Check. It would tell us // whether or not to continue attempting other potential issuers. We only // know of one potential issuer, however, so we ignore it. bool keepGoing; Input rootCert; Result rv = rootCert.Init(rootDER.data(), rootDER.length()); if (rv != Success) { return rv; } return checker.Check(rootCert, nullptr, keepGoing); }
TEST_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes, CorrectErrorCode) { ByteString responseString(CreateEncodedOCSPErrorResponse(GetParam().responseStatus)); Input response; ASSERT_EQ(Success, response.Init(responseString.data(), responseString.length())); bool expired; ASSERT_EQ(GetParam().expectedError, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS, response, expired)); }