1 // Copyright 2019 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "cast/common/certificate/cast_cert_validator.h"
6
7 #include <stdio.h>
8 #include <string.h>
9
10 #include "cast/common/certificate/cast_cert_validator_internal.h"
11 #include "cast/common/certificate/testing/test_helpers.h"
12 #include "gtest/gtest.h"
13 #include "openssl/pem.h"
14 #include "platform/test/paths.h"
15 #include "util/crypto/pem_helpers.h"
16
17 namespace openscreen {
18 namespace cast {
19 namespace {
20
21 enum TrustStoreDependency {
22 // Uses the built-in trust store for Cast. This is how certificates are
23 // verified in production.
24 TRUST_STORE_BUILTIN,
25
26 // Instead of using the built-in trust store, use root certificate in the
27 // provided test chain as the trust anchor.
28 //
29 // This trust anchor is initialized with anchor constraints, similar to how
30 // TrustAnchors in the built-in store are setup.
31 TRUST_STORE_FROM_TEST_FILE,
32 };
33
34 // Reads a test chain from |certs_file_name|, and asserts that verifying it as
35 // a Cast device certificate yields |expected_result|.
36 //
37 // RunTest() also checks that the resulting CertVerificationContext does not
38 // incorrectly verify invalid signatures.
39 //
40 // * |expected_policy| - The policy that should have been identified for the
41 // device certificate.
42 // * |time| - The timestamp to use when verifying the certificate.
43 // * |trust_store_dependency| - Which trust store to use when verifying (see
44 // enum's definition).
45 // * |optional_signed_data_file_name| - optional path to a PEM file containing
46 // a valid signature generated by the device certificate.
47 //
RunTest(Error::Code expected_result,const std::string & expected_common_name,CastDeviceCertPolicy expected_policy,const std::string & certs_file_name,const DateTime & time,TrustStoreDependency trust_store_dependency,const std::string & optional_signed_data_file_name)48 void RunTest(Error::Code expected_result,
49 const std::string& expected_common_name,
50 CastDeviceCertPolicy expected_policy,
51 const std::string& certs_file_name,
52 const DateTime& time,
53 TrustStoreDependency trust_store_dependency,
54 const std::string& optional_signed_data_file_name) {
55 std::vector<std::string> certs = ReadCertificatesFromPemFile(certs_file_name);
56 TrustStore* trust_store;
57 std::unique_ptr<TrustStore> fake_trust_store;
58
59 switch (trust_store_dependency) {
60 case TRUST_STORE_BUILTIN:
61 trust_store = nullptr;
62 break;
63
64 case TRUST_STORE_FROM_TEST_FILE: {
65 ASSERT_FALSE(certs.empty());
66
67 // Parse the root certificate of the chain.
68 const uint8_t* data = (const uint8_t*)certs.back().data();
69 X509* fake_root = d2i_X509(nullptr, &data, certs.back().size());
70 ASSERT_TRUE(fake_root);
71 certs.pop_back();
72
73 // Add a trust anchor and enforce constraints on it (regular mode for
74 // built-in Cast roots).
75 fake_trust_store = std::make_unique<TrustStore>();
76 fake_trust_store->certs.emplace_back(fake_root);
77 trust_store = fake_trust_store.get();
78 }
79 }
80
81 std::unique_ptr<CertVerificationContext> context;
82 CastDeviceCertPolicy policy;
83
84 Error result = VerifyDeviceCert(certs, time, &context, &policy, nullptr,
85 CRLPolicy::kCrlOptional, trust_store);
86
87 ASSERT_EQ(expected_result, result.code());
88 if (expected_result != Error::Code::kNone)
89 return;
90
91 EXPECT_EQ(expected_policy, policy);
92 ASSERT_TRUE(context);
93
94 // Test that the context is good.
95 EXPECT_EQ(expected_common_name, context->GetCommonName());
96
97 #define DATA_SPAN_FROM_LITERAL(s) \
98 ConstDataSpan{const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>(s)), \
99 sizeof(s) - 1}
100
101 // Test verification of some invalid signatures.
102 EXPECT_FALSE(context->VerifySignatureOverData(
103 DATA_SPAN_FROM_LITERAL("bogus signature"),
104 DATA_SPAN_FROM_LITERAL("bogus data"), DigestAlgorithm::kSha256));
105 EXPECT_FALSE(context->VerifySignatureOverData(
106 DATA_SPAN_FROM_LITERAL(""), DATA_SPAN_FROM_LITERAL("bogus data"),
107 DigestAlgorithm::kSha256));
108 EXPECT_FALSE(context->VerifySignatureOverData(DATA_SPAN_FROM_LITERAL(""),
109 DATA_SPAN_FROM_LITERAL(""),
110 DigestAlgorithm::kSha256));
111
112 // If valid signatures are known for this device certificate, test them.
113 if (!optional_signed_data_file_name.empty()) {
114 testing::SignatureTestData signatures =
115 testing::ReadSignatureTestData(optional_signed_data_file_name);
116
117 // Test verification of a valid SHA1 signature.
118 EXPECT_TRUE(context->VerifySignatureOverData(
119 signatures.sha1, signatures.message, DigestAlgorithm::kSha1));
120
121 // Test verification of a valid SHA256 signature.
122 EXPECT_TRUE(context->VerifySignatureOverData(
123 signatures.sha256, signatures.message, DigestAlgorithm::kSha256));
124 }
125 }
126
127 // Creates a time in UTC at midnight.
CreateDate(int year,int month,int day)128 DateTime CreateDate(int year, int month, int day) {
129 DateTime time = {};
130 time.year = year;
131 time.month = month;
132 time.day = day;
133 return time;
134 }
135
136 // Returns 2016-04-01 00:00:00 UTC.
137 //
138 // This is a time when most of the test certificate paths are valid.
AprilFirst2016()139 DateTime AprilFirst2016() {
140 return CreateDate(2016, 4, 1);
141 }
142
AprilFirst2020()143 DateTime AprilFirst2020() {
144 return CreateDate(2020, 4, 1);
145 }
146
147 // Returns 2015-01-01 00:00:00 UTC.
JanuaryFirst2015()148 DateTime JanuaryFirst2015() {
149 return CreateDate(2015, 1, 1);
150 }
151
152 // Returns 2037-03-01 00:00:00 UTC.
153 //
154 // This is so far in the future that the test chains in this unit-test should
155 // all be invalid.
MarchFirst2037()156 DateTime MarchFirst2037() {
157 return CreateDate(2037, 3, 1);
158 }
159
GetSpecificTestDataPath()160 const std::string& GetSpecificTestDataPath() {
161 static std::string data_path =
162 GetTestDataPath() + "/cast/common/certificate/";
163 return data_path;
164 }
165
166 // Tests verifying a valid certificate chain of length 2:
167 //
168 // 0: 2ZZBG9 FA8FCA3EF91A
169 // 1: Eureka Gen1 ICA
170 //
171 // Chains to trust anchor:
172 // Eureka Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest,ChromecastGen1)173 TEST(VerifyCastDeviceCertTest, ChromecastGen1) {
174 std::string data_path = GetSpecificTestDataPath();
175 RunTest(Error::Code::kNone, "2ZZBG9 FA8FCA3EF91A",
176 CastDeviceCertPolicy::kUnrestricted,
177 data_path + "certificates/chromecast_gen1.pem", AprilFirst2016(),
178 TRUST_STORE_BUILTIN,
179 data_path + "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
180 }
181
182 // Tests verifying a valid certificate chain of length 2:
183 //
184 // 0: 2ZZBG9 FA8FCA3EF91A
185 // 1: Eureka Gen1 ICA
186 //
187 // Chains to trust anchor:
188 // Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest,ChromecastGen1Reissue)189 TEST(VerifyCastDeviceCertTest, ChromecastGen1Reissue) {
190 std::string data_path = GetSpecificTestDataPath();
191 RunTest(Error::Code::kNone, "2ZZBG9 FA8FCA3EF91A",
192 CastDeviceCertPolicy::kUnrestricted,
193 data_path + "certificates/chromecast_gen1_reissue.pem",
194 AprilFirst2016(), TRUST_STORE_BUILTIN,
195 data_path + "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
196 }
197
198 // Tests verifying a valid certificate chain of length 2:
199 //
200 // 0: 3ZZAK6 FA8FCA3F0D35
201 // 1: Chromecast ICA 3
202 //
203 // Chains to trust anchor:
204 // Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest,ChromecastGen2)205 TEST(VerifyCastDeviceCertTest, ChromecastGen2) {
206 std::string data_path = GetSpecificTestDataPath();
207 RunTest(Error::Code::kNone, "3ZZAK6 FA8FCA3F0D35",
208 CastDeviceCertPolicy::kUnrestricted,
209 data_path + "certificates/chromecast_gen2.pem", AprilFirst2016(),
210 TRUST_STORE_BUILTIN, "");
211 }
212
213 // Tests verifying a valid certificate chain of length 3:
214 //
215 // 0: -6394818897508095075
216 // 1: Asus fugu Cast ICA
217 // 2: Widevine Cast Subroot
218 //
219 // Chains to trust anchor:
220 // Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest,Fugu)221 TEST(VerifyCastDeviceCertTest, Fugu) {
222 std::string data_path = GetSpecificTestDataPath();
223 RunTest(Error::Code::kNone, "-6394818897508095075",
224 CastDeviceCertPolicy::kUnrestricted,
225 data_path + "certificates/fugu.pem", AprilFirst2016(),
226 TRUST_STORE_BUILTIN, "");
227 }
228
229 // Tests verifying an invalid certificate chain of length 1:
230 //
231 // 0: Cast Test Untrusted Device
232 //
233 // Chains to:
234 // Cast Test Untrusted ICA (Not part of trust store)
235 //
236 // This is invalid because it does not chain to a trust anchor.
TEST(VerifyCastDeviceCertTest,Unchained)237 TEST(VerifyCastDeviceCertTest, Unchained) {
238 std::string data_path = GetSpecificTestDataPath();
239 RunTest(Error::Code::kErrCertsVerifyUntrustedCert, "",
240 CastDeviceCertPolicy::kUnrestricted,
241 data_path + "certificates/unchained.pem", AprilFirst2016(),
242 TRUST_STORE_BUILTIN, "");
243 }
244
245 // Tests verifying one of the self-signed trust anchors (chain of length 1):
246 //
247 // 0: Cast Root CA
248 //
249 // Chains to trust anchor:
250 // Cast Root CA (built-in trust store)
251 //
252 // Although this is a valid and trusted certificate (it is one of the
253 // trust anchors after all) it fails the test as it is not a *device
254 // certificate*.
TEST(VerifyCastDeviceCertTest,CastRootCa)255 TEST(VerifyCastDeviceCertTest, CastRootCa) {
256 std::string data_path = GetSpecificTestDataPath();
257 RunTest(Error::Code::kErrCertsRestrictions, "",
258 CastDeviceCertPolicy::kUnrestricted,
259 data_path + "certificates/cast_root_ca.pem", AprilFirst2016(),
260 TRUST_STORE_BUILTIN, "");
261 }
262
263 // Tests verifying a valid certificate chain of length 2:
264 //
265 // 0: 4ZZDZJ FA8FCA7EFE3C
266 // 1: Chromecast ICA 4 (Audio)
267 //
268 // Chains to trust anchor:
269 // Cast Root CA (built-in trust store)
270 //
271 // This device certificate has a policy that means it is valid only for audio
272 // devices.
TEST(VerifyCastDeviceCertTest,ChromecastAudio)273 TEST(VerifyCastDeviceCertTest, ChromecastAudio) {
274 std::string data_path = GetSpecificTestDataPath();
275 RunTest(Error::Code::kNone, "4ZZDZJ FA8FCA7EFE3C",
276 CastDeviceCertPolicy::kAudioOnly,
277 data_path + "certificates/chromecast_audio.pem", AprilFirst2016(),
278 TRUST_STORE_BUILTIN, "");
279 }
280
281 // Tests verifying a valid certificate chain of length 3:
282 //
283 // 0: MediaTek Audio Dev Test
284 // 1: MediaTek Audio Dev Model
285 // 2: Cast Audio Dev Root CA
286 //
287 // Chains to trust anchor:
288 // Cast Root CA (built-in trust store)
289 //
290 // This device certificate has a policy that means it is valid only for audio
291 // devices.
TEST(VerifyCastDeviceCertTest,MtkAudioDev)292 TEST(VerifyCastDeviceCertTest, MtkAudioDev) {
293 std::string data_path = GetSpecificTestDataPath();
294 RunTest(Error::Code::kNone, "MediaTek Audio Dev Test",
295 CastDeviceCertPolicy::kAudioOnly,
296 data_path + "certificates/mtk_audio_dev.pem", JanuaryFirst2015(),
297 TRUST_STORE_BUILTIN, "");
298 }
299
300 // Tests verifying a valid certificate chain of length 2:
301 //
302 // 0: 9V0000VB FA8FCA784D01
303 // 1: Cast TV ICA (Vizio)
304 //
305 // Chains to trust anchor:
306 // Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest,Vizio)307 TEST(VerifyCastDeviceCertTest, Vizio) {
308 std::string data_path = GetSpecificTestDataPath();
309 RunTest(Error::Code::kNone, "9V0000VB FA8FCA784D01",
310 CastDeviceCertPolicy::kUnrestricted,
311 data_path + "certificates/vizio.pem", AprilFirst2016(),
312 TRUST_STORE_BUILTIN, "");
313 }
314
315 // Tests verifying a valid certificate chain of length 2 using expired
316 // time points.
TEST(VerifyCastDeviceCertTest,ChromecastGen2InvalidTime)317 TEST(VerifyCastDeviceCertTest, ChromecastGen2InvalidTime) {
318 const std::string certs_file =
319 GetSpecificTestDataPath() + "certificates/chromecast_gen2.pem";
320
321 // Control test - certificate should be valid at some time otherwise
322 // this test is pointless.
323 RunTest(Error::Code::kNone, "3ZZAK6 FA8FCA3F0D35",
324 CastDeviceCertPolicy::kUnrestricted, certs_file, AprilFirst2016(),
325 TRUST_STORE_BUILTIN, "");
326
327 // Use a time before notBefore.
328 RunTest(Error::Code::kErrCertsDateInvalid, "",
329 CastDeviceCertPolicy::kUnrestricted, certs_file, JanuaryFirst2015(),
330 TRUST_STORE_BUILTIN, "");
331
332 // Use a time after notAfter.
333 RunTest(Error::Code::kErrCertsDateInvalid, "",
334 CastDeviceCertPolicy::kUnrestricted, certs_file, MarchFirst2037(),
335 TRUST_STORE_BUILTIN, "");
336 }
337
338 // Tests verifying a valid certificate chain of length 3:
339 //
340 // 0: Audio Reference Dev Test
341 // 1: Audio Reference Dev Model
342 // 2: Cast Audio Dev Root CA
343 //
344 // Chains to trust anchor:
345 // Cast Root CA (built-in trust store)
346 //
347 // This device certificate has a policy that means it is valid only for audio
348 // devices.
TEST(VerifyCastDeviceCertTest,AudioRefDevTestChain3)349 TEST(VerifyCastDeviceCertTest, AudioRefDevTestChain3) {
350 std::string data_path = GetSpecificTestDataPath();
351 RunTest(Error::Code::kNone, "Audio Reference Dev Test",
352 CastDeviceCertPolicy::kAudioOnly,
353 data_path + "certificates/audio_ref_dev_test_chain_3.pem",
354 AprilFirst2016(), TRUST_STORE_BUILTIN,
355 data_path + "signeddata/AudioReferenceDevTest.pem");
356 }
357
358 // TODO(btolsch): This won't work by default with boringssl, so do we want to
359 // find a way to work around this or is it safe to enforce 20-octet length now?
360 // Previous TODO from eroman@ suggested 2017 or even sooner was safe to remove
361 // this.
362 #if 0
363 // Tests verifying a valid certificate chain of length 3. Note that the first
364 // intermediate has a serial number that is 21 octets long, which violates RFC
365 // 5280. However cast verification accepts this certificate for compatibility
366 // reasons.
367 //
368 // 0: 8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA
369 // 1: Sony so16vic CA
370 // 2: Cast Audio Sony CA
371 //
372 // Chains to trust anchor:
373 // Cast Root CA (built-in trust store)
374 //
375 // This device certificate has a policy that means it is valid only for audio
376 // devices.
377 TEST(VerifyCastDeviceCertTest, IntermediateSerialNumberTooLong) {
378 RunTest(Error::Code::kNone, "8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA",
379 CastDeviceCertPolicy::AUDIO_ONLY,
380 "certificates/intermediate_serialnumber_toolong.pem",
381 AprilFirst2016(), TRUST_STORE_BUILTIN, "");
382 }
383 #endif
384
385 // Tests verifying a valid certificate chain of length 2 when the trust anchor
386 // is "expired". This is expected to work since expiration is not an enforced
387 // anchor constraint, even though it may appear in the root certificate.
388 //
389 // 0: CastDevice
390 // 1: CastIntermediate
391 //
392 // Chains to trust anchor:
393 // Expired CastRoot (provided by test data)
TEST(VerifyCastDeviceCertTest,ExpiredTrustAnchor)394 TEST(VerifyCastDeviceCertTest, ExpiredTrustAnchor) {
395 std::string data_path = GetSpecificTestDataPath();
396 // The root certificate is only valid in 2015, so validating with a time in
397 // 2016 means it is expired.
398 RunTest(Error::Code::kNone, "CastDevice", CastDeviceCertPolicy::kUnrestricted,
399 data_path + "certificates/expired_root.pem", AprilFirst2016(),
400 TRUST_STORE_FROM_TEST_FILE, "");
401 }
402
403 // Tests verifying a certificate chain where the root certificate has a pathlen
404 // constraint which is violated by the chain. In this case Root has a pathlen=1
405 // constraint, however neither intermediate is constrained.
406 //
407 // The expectation is for pathlen constraints on trust anchors to be enforced,
408 // so this validation must fail.
409 //
410 // 0: Target
411 // 1: Intermediate2
412 // 2: Intermediate1
413 //
414 // Chains to trust anchor:
415 // Root (provided by test data; has pathlen=1 constraint)
TEST(VerifyCastDeviceCertTest,ViolatesPathlenTrustAnchorConstraint)416 TEST(VerifyCastDeviceCertTest, ViolatesPathlenTrustAnchorConstraint) {
417 std::string data_path = GetSpecificTestDataPath();
418 // Test that the chain verification fails due to the pathlen constraint.
419 RunTest(Error::Code::kErrCertsPathlen, "Target",
420 CastDeviceCertPolicy::kUnrestricted,
421 data_path + "certificates/violates_root_pathlen_constraint.pem",
422 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
423 }
424
425 // Tests verifying a certificate chain with the policies:
426 //
427 // Root: policies={}
428 // Intermediate: policies={anyPolicy}
429 // Leaf: policies={anyPolicy}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAnypolicyLeafAnypolicy)430 TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafAnypolicy) {
431 std::string data_path = GetSpecificTestDataPath();
432 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
433 data_path + "certificates/policies_ica_anypolicy_leaf_anypolicy.pem",
434 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
435 }
436
437 // Test verifying a certificate chain with the policies:
438 //
439 // Root: policies={}
440 // Intermediate: policies={anyPolicy}
441 // Leaf: policies={audioOnly}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAnypolicyLeafAudioonly)442 TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafAudioonly) {
443 std::string data_path = GetSpecificTestDataPath();
444 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
445 data_path + "certificates/policies_ica_anypolicy_leaf_audioonly.pem",
446 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
447 }
448
449 // Test verifying a certificate chain with the policies:
450 //
451 // Root: policies={}
452 // Intermediate: policies={anyPolicy}
453 // Leaf: policies={foo}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAnypolicyLeafFoo)454 TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafFoo) {
455 std::string data_path = GetSpecificTestDataPath();
456 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
457 data_path + "certificates/policies_ica_anypolicy_leaf_foo.pem",
458 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
459 }
460
461 // Test verifying a certificate chain with the policies:
462 //
463 // Root: policies={}
464 // Intermediate: policies={anyPolicy}
465 // Leaf: policies={}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAnypolicyLeafNone)466 TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafNone) {
467 std::string data_path = GetSpecificTestDataPath();
468 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
469 data_path + "certificates/policies_ica_anypolicy_leaf_none.pem",
470 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
471 }
472
473 // Test verifying a certificate chain with the policies:
474 //
475 // Root: policies={}
476 // Intermediate: policies={audioOnly}
477 // Leaf: policies={anyPolicy}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAudioonlyLeafAnypolicy)478 TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafAnypolicy) {
479 std::string data_path = GetSpecificTestDataPath();
480 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
481 data_path + "certificates/policies_ica_audioonly_leaf_anypolicy.pem",
482 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
483 }
484
485 // Test verifying a certificate chain with the policies:
486 //
487 // Root: policies={}
488 // Intermediate: policies={audioOnly}
489 // Leaf: policies={audioOnly}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAudioonlyLeafAudioonly)490 TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafAudioonly) {
491 std::string data_path = GetSpecificTestDataPath();
492 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
493 data_path + "certificates/policies_ica_audioonly_leaf_audioonly.pem",
494 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
495 }
496
497 // Test verifying a certificate chain with the policies:
498 //
499 // Root: policies={}
500 // Intermediate: policies={audioOnly}
501 // Leaf: policies={foo}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAudioonlyLeafFoo)502 TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafFoo) {
503 std::string data_path = GetSpecificTestDataPath();
504 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
505 data_path + "certificates/policies_ica_audioonly_leaf_foo.pem",
506 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
507 }
508
509 // Test verifying a certificate chain with the policies:
510 //
511 // Root: policies={}
512 // Intermediate: policies={audioOnly}
513 // Leaf: policies={}
TEST(VerifyCastDeviceCertTest,PoliciesIcaAudioonlyLeafNone)514 TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafNone) {
515 std::string data_path = GetSpecificTestDataPath();
516 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
517 data_path + "certificates/policies_ica_audioonly_leaf_none.pem",
518 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
519 }
520
521 // Test verifying a certificate chain with the policies:
522 //
523 // Root: policies={}
524 // Intermediate: policies={}
525 // Leaf: policies={anyPolicy}
TEST(VerifyCastDeviceCertTest,PoliciesIcaNoneLeafAnypolicy)526 TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafAnypolicy) {
527 std::string data_path = GetSpecificTestDataPath();
528 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
529 data_path + "certificates/policies_ica_none_leaf_anypolicy.pem",
530 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
531 }
532
533 // Test verifying a certificate chain with the policies:
534 //
535 // Root: policies={}
536 // Intermediate: policies={}
537 // Leaf: policies={audioOnly}
TEST(VerifyCastDeviceCertTest,PoliciesIcaNoneLeafAudioonly)538 TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafAudioonly) {
539 std::string data_path = GetSpecificTestDataPath();
540 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
541 data_path + "certificates/policies_ica_none_leaf_audioonly.pem",
542 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
543 }
544
545 // Test verifying a certificate chain with the policies:
546 //
547 // Root: policies={}
548 // Intermediate: policies={}
549 // Leaf: policies={foo}
TEST(VerifyCastDeviceCertTest,PoliciesIcaNoneLeafFoo)550 TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafFoo) {
551 std::string data_path = GetSpecificTestDataPath();
552 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
553 data_path + "certificates/policies_ica_none_leaf_foo.pem",
554 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
555 }
556
557 // Test verifying a certificate chain with the policies:
558 //
559 // Root: policies={}
560 // Intermediate: policies={}
561 // Leaf: policies={}
TEST(VerifyCastDeviceCertTest,PoliciesIcaNoneLeafNone)562 TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafNone) {
563 std::string data_path = GetSpecificTestDataPath();
564 RunTest(Error::Code::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
565 data_path + "certificates/policies_ica_none_leaf_none.pem",
566 AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
567 }
568
569 // Tests verifying a certificate chain where the leaf certificate has a
570 // 1024-bit RSA key. Verification should fail since the target's key is
571 // too weak.
TEST(VerifyCastDeviceCertTest,DeviceCertHas1024BitRsaKey)572 TEST(VerifyCastDeviceCertTest, DeviceCertHas1024BitRsaKey) {
573 std::string data_path = GetSpecificTestDataPath();
574 RunTest(Error::Code::kErrCertsVerifyGeneric, "RSA 1024 Device Cert",
575 CastDeviceCertPolicy::kUnrestricted,
576 data_path + "certificates/rsa1024_device_cert.pem", AprilFirst2016(),
577 TRUST_STORE_FROM_TEST_FILE, "");
578 }
579
580 // Tests verifying a certificate chain where the leaf certificate has a
581 // 2048-bit RSA key, and then verifying signed data (both SHA1 and SHA256)
582 // for it.
TEST(VerifyCastDeviceCertTest,DeviceCertHas2048BitRsaKey)583 TEST(VerifyCastDeviceCertTest, DeviceCertHas2048BitRsaKey) {
584 std::string data_path = GetSpecificTestDataPath();
585 RunTest(Error::Code::kNone, "RSA 2048 Device Cert",
586 CastDeviceCertPolicy::kUnrestricted,
587 data_path + "certificates/rsa2048_device_cert.pem", AprilFirst2016(),
588 TRUST_STORE_FROM_TEST_FILE,
589 data_path + "signeddata/rsa2048_device_cert_data.pem");
590 }
591
592 // Tests verifying a certificate chain where an intermediate certificate has a
593 // nameConstraints extension but the leaf certificate is still permitted under
594 // these constraints.
TEST(VerifyCastDeviceCertTest,NameConstraintsObeyed)595 TEST(VerifyCastDeviceCertTest, NameConstraintsObeyed) {
596 std::string data_path = GetSpecificTestDataPath();
597 RunTest(Error::Code::kNone, "Device", CastDeviceCertPolicy::kUnrestricted,
598 data_path + "certificates/nc.pem", AprilFirst2020(),
599 TRUST_STORE_FROM_TEST_FILE, "");
600 }
601
602 // Tests verifying a certificate chain where an intermediate certificate has a
603 // nameConstraints extension and the leaf certificate is not permitted under
604 // these constraints.
TEST(VerifyCastDeviceCertTest,NameConstraintsViolated)605 TEST(VerifyCastDeviceCertTest, NameConstraintsViolated) {
606 std::string data_path = GetSpecificTestDataPath();
607 RunTest(Error::Code::kErrCertsVerifyGeneric, "Device",
608 CastDeviceCertPolicy::kUnrestricted,
609 data_path + "certificates/nc_fail.pem", AprilFirst2020(),
610 TRUST_STORE_FROM_TEST_FILE, "");
611 }
612
613 // Tests reversibility between DateTimeToSeconds and DateTimeFromSeconds
TEST(VerifyCastDeviceCertTest,TimeDateConversionValidate)614 TEST(VerifyCastDeviceCertTest, TimeDateConversionValidate) {
615 DateTime org_date = AprilFirst2020();
616 DateTime converted_date = {};
617 std::chrono::seconds seconds = DateTimeToSeconds(org_date);
618 DateTimeFromSeconds(seconds.count(), &converted_date);
619
620 EXPECT_EQ(org_date.second, converted_date.second);
621 EXPECT_EQ(org_date.minute, converted_date.minute);
622 EXPECT_EQ(org_date.hour, converted_date.hour);
623 EXPECT_EQ(org_date.day, converted_date.day);
624 EXPECT_EQ(org_date.month, converted_date.month);
625 EXPECT_EQ(org_date.year, converted_date.year);
626 }
627
628 } // namespace
629 } // namespace cast
630 } // namespace openscreen
631