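// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_PKI_NIST_PKITS_UNITTEST_H_
#define NET_CERT_PKI_NIST_PKITS_UNITTEST_H_

#include <cstddef>
#include <set>
#include <string>
#include <string_view>
#include <vector>

#include "net/cert/pki/test_helpers.h"
#include "net/der/parse_values.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace net {

// Describes the inputs and outputs (other than the certificates) for
// the PKITS tests.
struct PkitsTestInfo {
  // Default construction results in the "default settings".
  PkitsTestInfo();
  // User-declared (defined out of line), so the implicit move operations are
  // not generated; PkitsTest::RunTest copies this struct when it adjusts a
  // test's expectations.
  PkitsTestInfo(const PkitsTestInfo& other);
  ~PkitsTestInfo();

  // Sets |initial_policy_set| to the specified policies. The
  // policies are described as comma-separated symbolic strings like
  // "anyPolicy" and "NIST-test-policy-1".
  //
  // If this isn't called, the default is "anyPolicy".
  void SetInitialPolicySet(const char* const policy_names);

  // Sets |user_constrained_policy_set| to the specified policies. The
  // policies are described as comma-separated symbolic strings like
  // "anyPolicy" and "NIST-test-policy-1".
  //
  // If this isn't called, the default is "NIST-test-policy-1".
  void SetUserConstrainedPolicySet(const char* const policy_names);

  // Convenience setters for the three boolean RFC 5280 path-validation
  // inputs; they map |b| onto the corresponding enum members below.
  void SetInitialExplicitPolicy(bool b);
  void SetInitialPolicyMappingInhibit(bool b);
  void SetInitialInhibitAnyPolicy(bool b);

  // ----------------
  // Info
  // ----------------

  // The PKITS test number. For example, "4.1.1". May be left as nullptr,
  // in which case no per-test expectation override applies.
  const char* test_number = nullptr;

  // ----------------
  // Inputs
  // ----------------

  // A set of policy OIDs to use for "initial-policy-set".
  std::set<der::Input> initial_policy_set;

  // The value of "initial-explicit-policy".
  InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse;

  // The value of "initial-policy-mapping-inhibit".
  InitialPolicyMappingInhibit initial_policy_mapping_inhibit =
      InitialPolicyMappingInhibit::kFalse;

  // The value of "initial-inhibit-any-policy".
  InitialAnyPolicyInhibit initial_inhibit_any_policy =
      InitialAnyPolicyInhibit::kFalse;

  // This is the time when PKITS was published. Validation is evaluated at
  // this fixed instant so the suite's certificate validity periods stay
  // meaningful regardless of the wall clock.
  der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};

  // ----------------
  // Expected outputs
  // ----------------

  // Whether path validation should succeed.
  bool should_validate = false;

  // The expected "user-constrained-policy-set" output. See
  // SetUserConstrainedPolicySet() for the default.
  std::set<der::Input> user_constrained_policy_set;
};

// Parameterized test class for PKITS tests.
// The instantiating code should define a PkitsTestDelegate with an appropriate
// static RunTest method, and then INSTANTIATE_TYPED_TEST_SUITE_P for each
// testcase (each TYPED_TEST_SUITE_P in pkits_testcases-inl.h).
template <typename PkitsTestDelegate>
class PkitsTest : public ::testing::Test {
 public:
  // Loads the DER for each named certificate and CRL from the checked-in
  // PKITS data, applies any per-test expectation override keyed on
  // |info.test_number|, and forwards everything to
  // PkitsTestDelegate::RunTest.
  //
  // |cert_names| and |crl_names| are file basenames (without extension)
  // under net/third_party/nist-pkits/certs/ and .../crls/ respectively; the
  // order of the resulting DER vectors matches the order of the names.
  template <size_t num_certs, size_t num_crls>
  void RunTest(const char* const (&cert_names)[num_certs],
               const char* const (&crl_names)[num_crls],
               const PkitsTestInfo& info) {
    std::vector<std::string> cert_ders =
        ReadPkitsFiles("certs", cert_names, ".crt");
    std::vector<std::string> crl_ders =
        ReadPkitsFiles("crls", crl_names, ".crl");

    // |test_number| defaults to nullptr in PkitsTestInfo, and constructing a
    // std::string_view from nullptr is undefined behavior; treat a missing
    // number as empty, which matches none of the overrides below.
    const std::string_view test_number =
        info.test_number ? std::string_view(info.test_number)
                         : std::string_view();

    // Some of the PKITS tests are intentionally given different expectations
    // from PKITS.pdf.
    //
    // Empty user_constrained_policy_set due to short-circuit on invalid
    // signatures:
    //
    //   4.1.2 - Invalid CA Signature Test2
    //   4.1.3 - Invalid EE Signature Test3
    //   4.1.6 - Invalid DSA Signature Test6
    //
    // Expected to fail because DSA signatures are not supported:
    //
    //   4.1.4 - Valid DSA Signatures Test4
    //   4.1.5 - Valid DSA Parameter Inheritance Test5
    //
    // Expected to fail because Name constraints on rfc822Names are not
    // supported:
    //
    //   4.13.21 - Valid RFC822 nameConstraints Test21
    //   4.13.23 - Valid RFC822 nameConstraints Test23
    //   4.13.25 - Valid RFC822 nameConstraints Test25
    //   4.13.27 - Valid DN and RFC822 nameConstraints Test27
    //
    // Expected to fail because Name constraints on
    // uniformResourceIdentifiers are not supported:
    //
    //   4.13.34 - Valid URI nameConstraints Test34
    //   4.13.36 - Valid URI nameConstraints Test36
    if (test_number == "4.1.2" || test_number == "4.1.3" ||
        test_number == "4.1.6") {
      PkitsTestInfo modified_info = info;
      modified_info.user_constrained_policy_set = {};
      PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info);
    } else if (test_number == "4.1.4" || test_number == "4.1.5") {
      PkitsTestInfo modified_info = info;
      modified_info.user_constrained_policy_set = {};
      modified_info.should_validate = false;
      PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info);
    } else if (test_number == "4.13.21" || test_number == "4.13.23" ||
               test_number == "4.13.25" || test_number == "4.13.27" ||
               test_number == "4.13.34" || test_number == "4.13.36") {
      PkitsTestInfo modified_info = info;
      modified_info.should_validate = false;
      PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info);
    } else {
      PkitsTestDelegate::RunTest(cert_ders, crl_ders, info);
    }
  }

 private:
  // Reads "net/third_party/nist-pkits/<subdir>/<name><extension>" for every
  // entry of |names| and returns the file contents in the same order.
  template <size_t num_names>
  static std::vector<std::string> ReadPkitsFiles(
      const char* subdir,
      const char* const (&names)[num_names],
      const char* extension) {
    std::vector<std::string> ders;
    ders.reserve(num_names);
    for (const char* name : names) {
      ders.push_back(net::ReadTestFileToString(
          std::string("net/third_party/nist-pkits/") + subdir + "/" + name +
          extension));
    }
    return ders;
  }
};

// Inline the generated test code:
#include "net/third_party/nist-pkits/pkits_testcases-inl.h"

}  // namespace net

#endif  // NET_CERT_PKI_NIST_PKITS_UNITTEST_H_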