/* * This function creates a certSelector with ComCertSelParams set up to * select entries containing a Basic Constraints extension with a path * length of at least the specified "minPathLength". */ static void test_makePathCertSelector( PKIX_Int32 minPathLength, PKIX_CertSelector **pSelector, void *plContext) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *pathParams = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&pathParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints (pathParams, minPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, pathParams, plContext)); *pSelector = selector; cleanup: PKIX_TEST_DECREF_AC(pathParams); PKIX_TEST_RETURN(); }
int test_validatechain_bc(int argc, char *argv[]) { PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_PL_X500Name *subject = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; char *trustedCertFile = NULL; char *chainCertFile = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *chainCert = NULL; PKIX_UInt32 chainLength = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 actualMinorVersion; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_TEST_STD_VARS(); if (argc < 3){ printUsage(); return (0); } startTests("ValidateChainBasicConstraints"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); chainLength = (argc - j) - 2; /* create processing params with list of trust anchors */ trustedCertFile = argv[1+j]; trustedCert = createCert(trustedCertFile); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints (certSelParams, -1, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, certSelParams, plContext)); PKIX_TEST_DECREF_BC(subject); PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert (trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create (anchors, &procParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled (procParams, PKIX_FALSE, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ProcessingParams_SetTargetCertConstraints (procParams, certSelector, plContext)); PKIX_TEST_DECREF_BC(certSelector); /* create cert chain */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); for (i = 0; i < chainLength; i++){ chainCertFile = argv[i + (2+j)]; chainCert = createCert(chainCertFile); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (certs, (PKIX_PL_Object *)chainCert, plContext)); PKIX_TEST_DECREF_BC(chainCert); } /* create validate params with processing params and cert chain */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create (procParams, certs, &valParams, plContext)); /* validate cert chain using processing params and return valResult */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); if (valResult != NULL){ printf("SUCCESSFULLY VALIDATED with Basic Constraint "); printf("Cert Selector minimum path length to be -1\n"); PKIX_TEST_DECREF_BC(valResult); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); PKIX_TEST_DECREF_BC(verifyString); PKIX_TEST_DECREF_BC(verifyTree); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints (certSelParams, 6, plContext)); /* validate cert chain using processing params and return valResult */ PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); if (valResult != NULL){ printf("SUCCESSFULLY VALIDATED with Basic Constraint "); printf("Cert Selector minimum path length to be 6\n"); } PKIX_TEST_DECREF_BC(trustedCert); PKIX_TEST_DECREF_BC(anchor); PKIX_TEST_DECREF_BC(anchors); PKIX_TEST_DECREF_BC(certs); PKIX_TEST_DECREF_BC(procParams); cleanup: if (PKIX_TEST_ERROR_RECEIVED){ printf("FAILED TO VALIDATE\n"); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(valResult); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("ValidateChainBasicConstraints"); return (0); }
int test_comcertselparams(int argc, char *argv[]) { PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; PKIX_PL_Cert *testCert = NULL; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL; PKIX_List *testPolicyInfos = NULL; /* CertPolicyInfos */ PKIX_List *cert2PolicyInfos = NULL; /* CertPolicyInfos */ PKIX_ComCertSelParams *goodParams = NULL; PKIX_ComCertSelParams *equalParams = NULL; PKIX_PL_X500Name *goodSubject = NULL; PKIX_PL_X500Name *equalSubject = NULL; PKIX_PL_X500Name *diffSubject = NULL; PKIX_PL_X500Name *testSubject = NULL; PKIX_Int32 goodMinPathLength = 0; PKIX_Int32 equalMinPathLength = 0; PKIX_Int32 diffMinPathLength = 0; PKIX_Int32 testMinPathLength = 0; PKIX_List *goodPolicies = NULL; /* OIDs */ PKIX_List *equalPolicies = NULL; /* OIDs */ PKIX_List *testPolicies = NULL; /* OIDs */ PKIX_List *cert2Policies = NULL; /* OIDs */ PKIX_PL_Date *testDate = NULL; PKIX_PL_Date *goodDate = NULL; PKIX_PL_Date *equalDate = NULL; PKIX_PL_String *stringRep = NULL; char *asciiRep = NULL; char *dirName = NULL; PKIX_TEST_STD_VARS(); if (argc < 2) { printUsage(); return (0); } startTests("ComCertSelParams"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); dirName = argv[j + 1]; asciiRep = "050501000000Z"; PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext)); testCert = createCert(dirName, "PoliciesP1234CACert.crt", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(testCert, &testSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(testCert, &goodBasicConstraints, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(goodBasicConstraints, &testMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(testCert, &testPolicyInfos, plContext)); /* Convert from List of CertPolicyInfos to List of OIDs */ test_CreateOIDList(testPolicyInfos, &testPolicies); subTest("Create goodParams and set its fields"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(goodParams, testSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(goodParams, testMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(goodParams, testDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(goodParams, testPolicies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(goodParams, testCert, plContext)); subTest("Duplicate goodParams and verify copy"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)goodParams, (PKIX_PL_Object **)&equalParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(goodParams, &goodSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(goodParams, &goodMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(goodParams, &goodCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(goodParams, &goodDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(goodParams, &goodPolicies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(equalParams, &equalCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(equalParams, &equalDate, plContext)); testEqualsHelper((PKIX_PL_Object *)goodSubject, (PKIX_PL_Object *)equalSubject, PKIX_TRUE, plContext); if (goodMinPathLength != equalMinPathLength) { testError("unexpected mismatch"); (void)printf("goodMinPathLength:\t%d\n", goodMinPathLength); (void)printf("equalMinPathLength:\t%d\n", equalMinPathLength); } testEqualsHelper((PKIX_PL_Object *)goodPolicies, (PKIX_PL_Object *)equalPolicies, PKIX_TRUE, plContext); testEqualsHelper((PKIX_PL_Object *)goodCert, (PKIX_PL_Object *)equalCert, PKIX_TRUE, plContext); testEqualsHelper((PKIX_PL_Object *)goodDate, (PKIX_PL_Object *)equalDate, PKIX_TRUE, plContext); PKIX_TEST_DECREF_BC(equalSubject); PKIX_TEST_DECREF_BC(equalPolicies); PKIX_TEST_DECREF_BC(equalCert); PKIX_TEST_DECREF_AC(equalDate); subTest("Set different values and verify differences"); diffCert = createCert(dirName, "pathLenConstraint6CACert.crt", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(diffCert, &diffSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(diffCert, &diffBasicConstraints, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(diffBasicConstraints, &diffMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &cert2PolicyInfos, plContext)); test_CreateOIDList(cert2PolicyInfos, &cert2Policies); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject( equalParams, diffSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(equalParams, diffMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(equalParams, cert2Policies, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext)); testEqualsHelper((PKIX_PL_Object *)goodSubject, (PKIX_PL_Object *)equalSubject, PKIX_FALSE, plContext); if (goodMinPathLength == equalMinPathLength) { testError("unexpected match"); (void)printf("goodMinPathLength:\t%d\n", goodMinPathLength); (void)printf("equalMinPathLength:\t%d\n", equalMinPathLength); } testEqualsHelper((PKIX_PL_Object *)goodPolicies, (PKIX_PL_Object *)equalPolicies, PKIX_FALSE, plContext); test_NameConstraints(dirName); test_PathToNames(); test_SubjAltNames(); test_KeyUsages(); test_Version_Issuer_SerialNumber(); test_SubjKeyId_AuthKeyId(); test_SubjAlgId_SubjPublicKey(dirName); cleanup: PKIX_TEST_DECREF_AC(testSubject); PKIX_TEST_DECREF_AC(goodSubject); PKIX_TEST_DECREF_AC(equalSubject); PKIX_TEST_DECREF_AC(diffSubject); PKIX_TEST_DECREF_AC(testSubject); PKIX_TEST_DECREF_AC(goodPolicies); PKIX_TEST_DECREF_AC(equalPolicies); PKIX_TEST_DECREF_AC(testPolicies); PKIX_TEST_DECREF_AC(cert2Policies); PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(equalParams); PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_DECREF_AC(testCert); PKIX_TEST_DECREF_AC(goodBasicConstraints); PKIX_TEST_DECREF_AC(diffBasicConstraints); PKIX_TEST_DECREF_AC(testPolicyInfos); PKIX_TEST_DECREF_AC(cert2PolicyInfos); PKIX_TEST_DECREF_AC(stringRep); PKIX_TEST_DECREF_AC(testDate); PKIX_TEST_DECREF_AC(goodDate); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("ComCertSelParams"); return (0); }