1 // Copyright 2019 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crl.h"
6
7 #include <string_view>
8
9 #include "cert_errors.h"
10 #include "parsed_certificate.h"
11 #include "string_util.h"
12 #include "test_helpers.h"
13 #include <gtest/gtest.h>
14 #include <openssl/pool.h>
15
16 namespace bssl {
17
18 namespace {
19
20 constexpr int64_t kAgeOneWeek = 7 * 24 * 60 * 60;
21
GetFilePath(std::string_view file_name)22 std::string GetFilePath(std::string_view file_name) {
23 return std::string("testdata/crl_unittest/") + std::string(file_name);
24 }
25
ParseCertificate(std::string_view data)26 std::shared_ptr<const ParsedCertificate> ParseCertificate(
27 std::string_view data) {
28 CertErrors errors;
29 return ParsedCertificate::Create(
30 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
31 reinterpret_cast<const uint8_t*>(data.data()), data.size(), nullptr)),
32 {}, &errors);
33 }
34
35 class CheckCRLTest : public ::testing::TestWithParam<const char*> {};
36
37 // Test prefix naming scheme:
38 // good = valid CRL, cert affirmatively not revoked
39 // revoked = valid CRL, cert affirmatively revoked
40 // bad = valid CRL, but cert status is unknown (cases like unhandled features,
41 // mismatching issuer or signature, etc)
42 // invalid = corrupt or violates some spec requirement
43 constexpr char const* kTestParams[] = {
44 "good.pem",
45 "good_issuer_name_normalization.pem",
46 "good_issuer_no_keyusage.pem",
47 "good_no_nextupdate.pem",
48 "good_fake_extension.pem",
49 "good_fake_extension_no_nextupdate.pem",
50 "good_generalizedtime.pem",
51 "good_no_version.pem",
52 "good_no_crldp.pem",
53 "good_key_rollover.pem",
54 "good_idp_contains_uri.pem",
55 "good_idp_onlycontainsusercerts.pem",
56 "good_idp_onlycontainsusercerts_no_basic_constraints.pem",
57 "good_idp_onlycontainscacerts.pem",
58 "good_idp_uri_and_onlycontainsusercerts.pem",
59 "good_idp_uri_and_onlycontainscacerts.pem",
60 "revoked.pem",
61 "revoked_no_nextupdate.pem",
62 "revoked_fake_crlentryextension.pem",
63 "revoked_generalized_revocationdate.pem",
64 "revoked_key_rollover.pem",
65 "bad_crldp_has_crlissuer.pem",
66 "bad_fake_critical_extension.pem",
67 "bad_fake_critical_crlentryextension.pem",
68 "bad_signature.pem",
69 "bad_thisupdate_in_future.pem",
70 "bad_thisupdate_too_old.pem",
71 "bad_nextupdate_too_old.pem",
72 "bad_wrong_issuer.pem",
73 "bad_key_rollover_signature.pem",
74 "bad_idp_contains_wrong_uri.pem",
75 "bad_idp_indirectcrl.pem",
76 "bad_idp_onlycontainsusercerts.pem",
77 "bad_idp_onlycontainscacerts.pem",
78 "bad_idp_onlycontainscacerts_no_basic_constraints.pem",
79 "bad_idp_uri_and_onlycontainsusercerts.pem",
80 "bad_idp_uri_and_onlycontainscacerts.pem",
81 "invalid_mismatched_signature_algorithm.pem",
82 "invalid_revoked_empty_sequence.pem",
83 "invalid_v1_with_extension.pem",
84 "invalid_v1_with_crlentryextension.pem",
85 "invalid_v1_explicit.pem",
86 "invalid_v3.pem",
87 "invalid_issuer_keyusage_no_crlsign.pem",
88 "invalid_key_rollover_issuer_keyusage_no_crlsign.pem",
89 "invalid_garbage_version.pem",
90 "invalid_garbage_tbs_signature_algorithm.pem",
91 "invalid_garbage_issuer_name.pem",
92 "invalid_garbage_thisupdate.pem",
93 "invalid_garbage_after_thisupdate.pem",
94 "invalid_garbage_after_nextupdate.pem",
95 "invalid_garbage_after_revokedcerts.pem",
96 "invalid_garbage_after_extensions.pem",
97 "invalid_garbage_tbscertlist.pem",
98 "invalid_garbage_signaturealgorithm.pem",
99 "invalid_garbage_signaturevalue.pem",
100 "invalid_garbage_after_signaturevalue.pem",
101 "invalid_garbage_revoked_serial_number.pem",
102 "invalid_garbage_revocationdate.pem",
103 "invalid_garbage_after_revocationdate.pem",
104 "invalid_garbage_after_crlentryextensions.pem",
105 "invalid_garbage_crlentry.pem",
106 "invalid_idp_dpname_choice_extra_data.pem",
107 "invalid_idp_empty_sequence.pem",
108 "invalid_idp_onlycontains_user_and_ca_certs.pem",
109 "invalid_idp_onlycontainsusercerts_v1_leaf.pem",
110 };
111
112 struct PrintTestName {
operator ()bssl::__anondc8e07f80111::PrintTestName113 std::string operator()(
114 const testing::TestParamInfo<const char*>& info) const {
115 std::string_view name(info.param);
116 // Strip ".pem" from the end as GTest names cannot contain period.
117 name.remove_suffix(4);
118 return std::string(name);
119 }
120 };
121
122 INSTANTIATE_TEST_SUITE_P(All,
123 CheckCRLTest,
124 ::testing::ValuesIn(kTestParams),
125 PrintTestName());
126
TEST_P(CheckCRLTest,FromFile)127 TEST_P(CheckCRLTest, FromFile) {
128 std::string_view file_name(GetParam());
129
130 std::string crl_data;
131 std::string ca_data_2;
132 std::string ca_data;
133 std::string cert_data;
134 const PemBlockMapping mappings[] = {
135 {"CRL", &crl_data},
136 {"CA CERTIFICATE 2", &ca_data_2, /*optional=*/true},
137 {"CA CERTIFICATE", &ca_data},
138 {"CERTIFICATE", &cert_data},
139 };
140
141 ASSERT_TRUE(ReadTestDataFromPemFile(GetFilePath(file_name), mappings));
142
143 std::shared_ptr<const ParsedCertificate> cert = ParseCertificate(cert_data);
144 ASSERT_TRUE(cert);
145 std::shared_ptr<const ParsedCertificate> issuer_cert =
146 ParseCertificate(ca_data);
147 ASSERT_TRUE(issuer_cert);
148 ParsedCertificateList certs = {cert, issuer_cert};
149 if (!ca_data_2.empty()) {
150 std::shared_ptr<const ParsedCertificate> issuer_cert_2 =
151 ParseCertificate(ca_data_2);
152 ASSERT_TRUE(issuer_cert_2);
153 certs.push_back(issuer_cert_2);
154 }
155
156 // Assumes that all the target certs in the test data certs have at most 1
157 // CRL distributionPoint. If the cert has a CRL distributionPoint, it is
158 // used for verifying the CRL, otherwise the CRL is verified with a
159 // synthesized distributionPoint. This is allowed since there are some
160 // conditions that require a V1 certificate to test, which cannot have a
161 // crlDistributionPoints extension.
162 // TODO(https://crbug.com/749276): This seems slightly hacky. Maybe the
163 // distribution point to use should be specified separately in the test PEM?
164 ParsedDistributionPoint fake_cert_dp;
165 ParsedDistributionPoint* cert_dp = &fake_cert_dp;
166 std::vector<ParsedDistributionPoint> distribution_points;
167 ParsedExtension crl_dp_extension;
168 if (cert->GetExtension(der::Input(kCrlDistributionPointsOid),
169 &crl_dp_extension)) {
170 ASSERT_TRUE(ParseCrlDistributionPoints(crl_dp_extension.value,
171 &distribution_points));
172 ASSERT_LE(distribution_points.size(), 1U);
173 if (!distribution_points.empty()) {
174 cert_dp = &distribution_points[0];
175 }
176 }
177 ASSERT_TRUE(cert_dp);
178
179 // Mar 9 00:00:00 2017 GMT
180 int64_t kVerifyTime = 1489017600;
181
182 CRLRevocationStatus expected_revocation_status = CRLRevocationStatus::UNKNOWN;
183 if (string_util::StartsWith(file_name, "good")) {
184 expected_revocation_status = CRLRevocationStatus::GOOD;
185 } else if (string_util::StartsWith(file_name, "revoked")) {
186 expected_revocation_status = CRLRevocationStatus::REVOKED;
187 }
188
189 CRLRevocationStatus revocation_status =
190 CheckCRL(crl_data, certs, /*target_cert_index=*/0, *cert_dp, kVerifyTime,
191 kAgeOneWeek);
192 EXPECT_EQ(expected_revocation_status, revocation_status);
193
194 // Test with a random cert added to the front of the chain and
195 // |target_cert_index=1|. This is a hacky way to verify that
196 // target_cert_index is actually being honored.
197 ParsedCertificateList other_certs;
198 ASSERT_TRUE(ReadCertChainFromFile(
199 "testdata/parse_certificate_unittest/cert_version3.pem", &other_certs));
200 ASSERT_FALSE(other_certs.empty());
201 certs.insert(certs.begin(), other_certs[0]);
202 revocation_status = CheckCRL(crl_data, certs, /*target_cert_index=*/1,
203 *cert_dp, kVerifyTime, kAgeOneWeek);
204 EXPECT_EQ(expected_revocation_status, revocation_status);
205 }
206
207 } // namespace
208
209 } // namespace net
210