1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
* License, v. 2.0. If a copy of the MPL was not distributed with this
3
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
12
#include "testutil_nss.h"
14
#define PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS 5
15
#define PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS 2
16
#define PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS 2
17
#define PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS 4
18
#define PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS 1
20
static void *plContext = NULL;
23
* The first three certs are used to obtain policies to test
24
* policy matching. Changing the table could break tests.
26
static char *certList[] = {
29
#define ANYPOLICYCERT 1
30
"anyPolicyCACert.crt",
32
"PoliciesP12CACert.crt",
34
"PoliciesP3CACert.crt",
35
"PoliciesP1234CACert.crt",
36
"pathLenConstraint0CACert.crt",
37
"pathLenConstraint1CACert.crt",
38
"pathLenConstraint6CACert.crt",
39
"TrustAnchorRootCertificate.crt",
41
"AnyPolicyTest14EE.crt",
42
"UserNoticeQualifierTest16EE.crt"
44
#define NUMCERTS (sizeof (certList)/sizeof (certList[0]))
47
* Following are Certs values for NameConstraints tests
49
* Cert0:nameConstraintsDN1subCA1Cert.crt:
50
* Subject:CN=nameConstraints DN1 subCA1,OU=permittedSubtree1,
51
* O=Test Certificates,C=US
52
* Permitted Name:(OU=permittedSubtree2,OU=permittedSubtree1,
53
* O=Test Certificates,C=US)
54
* Excluded Name: (EMPTY)
55
* Cert1:nameConstraintsDN3subCA2Cert.crt:
56
* Subject:CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US
57
* Permitted Name:(O=Test Certificates,C=US)
58
* Excluded Name:(EMPTY)
59
* Cert2:nameConstraintsDN2CACert.crt
60
* Subject:CN=nameConstraints DN2 CA,O=Test Certificates,C=US
61
* Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US,
62
* OU=permittedSubtree2,O=Test Certificates,C=US)
63
* Excluded Name:(EMPTY)
64
* Cert3:nameConstraintsDN3subCA1Cert.crt
65
* Subject:CN=nameConstraints DN3 subCA1,O=Test Certificates,C=US
66
* Permitted Name:(EMPTY)
67
* Excluded Name:(OU=excludedSubtree2,O=Test Certificates,C=US)
68
* Cert4:nameConstraintsDN4CACert.crt
69
* Subject:CN=nameConstraints DN4 CA,O=Test Certificates,C=US
70
* Permitted Name:(EMPTY)
71
* Excluded Name:(OU=excludedSubtree1,O=Test Certificates,C=US,
72
* OU=excludedSubtree2,O=Test Certificates,C=US)
73
* Cert5:nameConstraintsDN5CACert.crt
74
* Subject:CN=nameConstraints DN5 CA,O=Test Certificates,C=US
75
* Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US)
76
* Excluded Name:(OU=excludedSubtree1,OU=permittedSubtree1,
77
* O=Test Certificates,C=US)
78
* Cert6:ValidDNnameConstraintsTest1EE.crt
79
* Subject:CN=Valid DN nameConstraints EE Certificate Test1,
80
* OU=permittedSubtree1,O=Test Certificates,C=US
83
static char *ncCertList[] = {
84
"nameConstraintsDN1subCA1Cert.crt",
85
"nameConstraintsDN3subCA2Cert.crt",
86
"nameConstraintsDN2CACert.crt",
87
"nameConstraintsDN3subCA1Cert.crt",
88
"nameConstraintsDN4CACert.crt",
89
"nameConstraintsDN5CACert.crt",
90
"ValidDNnameConstraintsTest1EE.crt"
92
#define NUMNCCERTS (sizeof (ncCertList)/sizeof (ncCertList[0]))
94
static char *sanCertList[] = {
95
"InvalidDNnameConstraintsTest3EE.crt",
96
"InvalidDNSnameConstraintsTest38EE.crt"
98
#define NUMSANCERTS (sizeof (sanCertList)/sizeof (sanCertList[0]))
101
* This function calls the CertSelector pointed to by "selector" for each
102
* cert in the List pointed to by "certs", and compares the results against
103
* the bit array given by the UInt32 "expectedResults". If the first cert is
104
* expected to pass, the lower-order bit of "expectedResults" should be 1.
105
* If the second cert is expected to pass, the second bit of "expectedResults"
106
* should be 1, and so on. If more than 32 certs are provided, only the first
107
* 32 will be checked. It is not an error to provide more bits than needed.
108
* (For example, if you expect every cert to pass, "expectedResult" can be
109
* set to 0xFFFFFFFF, even if the chain has fewer than 32 certs.)
113
PKIX_CertSelector *selector,
115
PKIX_UInt32 expectedResults)
118
PKIX_UInt32 numCerts = 0;
119
PKIX_PL_Cert *cert = NULL;
120
PKIX_CertSelector_MatchCallback callback = NULL;
121
PKIX_Error *errReturn = NULL;
122
PKIX_Boolean result = PKIX_TRUE;
124
PKIX_TEST_STD_VARS();
126
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
127
(selector, &callback, plContext));
129
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
130
(certs, &numCerts, plContext));
135
for (i = 0; i < numCerts; i++) {
136
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
137
(certs, i, (PKIX_PL_Object **)&cert, plContext));
138
errReturn = callback(selector, cert, &result, plContext);
140
if (errReturn || result == PKIX_FALSE) {
141
if ((expectedResults & 1) == 1) {
142
testError("selector unexpectedly failed");
143
(void) printf(" processing cert:\t%d\n", i);
146
if ((expectedResults & 1) == 0) {
147
testError("selector unexpectedly passed");
148
(void) printf(" processing cert:\t%d\n", i);
152
expectedResults = expectedResults >> 1;
153
PKIX_TEST_DECREF_BC(cert);
154
PKIX_TEST_DECREF_BC(errReturn);
159
PKIX_TEST_DECREF_AC(cert);
160
PKIX_TEST_DECREF_AC(errReturn);
166
* This function gets a policy from the Cert pointed to by "cert", according
167
* to the index provided by "index", creates an immutable List containing the
168
* OID of that policy, and stores the result at "pPolicyList".
170
static void testGetPolicyFromCert(
173
PKIX_List **pPolicyList)
175
PKIX_List *policyInfo = NULL;
176
PKIX_PL_CertPolicyInfo *firstPolicy = NULL;
177
PKIX_PL_OID *policyOID = NULL;
178
PKIX_List *list = NULL;
180
PKIX_TEST_STD_VARS();
182
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
183
(cert, &policyInfo, plContext));
185
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
188
(PKIX_PL_Object **)&firstPolicy,
191
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
192
(firstPolicy, &policyOID, plContext));
194
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
196
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
197
(list, (PKIX_PL_Object *)policyOID, plContext));
199
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(list, plContext));
205
PKIX_TEST_DECREF_AC(policyInfo);
206
PKIX_TEST_DECREF_AC(firstPolicy);
207
PKIX_TEST_DECREF_AC(policyOID);
213
* This custom matchCallback will pass any Certificate which has no
214
* CertificatePolicies extension and any Certificate whose Policies
215
* extension include a CertPolicyQualifier.
218
custom_CertSelector_MatchCallback(
219
PKIX_CertSelector *selector,
221
PKIX_Boolean *pResult,
225
PKIX_UInt32 numPolicies = 0;
226
PKIX_List *certPolicies = NULL;
227
PKIX_List *quals = NULL;
228
PKIX_PL_CertPolicyInfo *policy = NULL;
229
PKIX_Error *error = NULL;
231
PKIX_TEST_STD_VARS();
233
*pResult = PKIX_TRUE;
235
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
236
(cert, &certPolicies, plContext));
239
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
240
(certPolicies, &numPolicies, plContext));
242
for (i = 0; i < numPolicies; i++) {
243
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
246
(PKIX_PL_Object **)&policy,
248
PKIX_TEST_EXPECT_NO_ERROR
249
(PKIX_PL_CertPolicyInfo_GetPolQualifiers
250
(policy, &quals, plContext));
254
PKIX_TEST_DECREF_BC(policy);
256
PKIX_TEST_DECREF_BC(certPolicies);
257
*pResult = PKIX_FALSE;
259
PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
260
(PKIX_CERTSELECTOR_ERROR,
263
PKIX_TESTPOLICYEXTWITHNOPOLICYQUALIFIERS,
271
PKIX_TEST_DECREF_AC(certPolicies);
272
PKIX_TEST_DECREF_AC(policy);
273
PKIX_TEST_DECREF_AC(quals);
279
* This custom matchCallback will pass any Certificate whose
280
* CertificatePolicies extension asserts the Policy specified by
281
* the OID in the CertSelectorContext object.
284
custom_CertSelector_MatchOIDCallback(
285
PKIX_CertSelector *selector,
287
PKIX_Boolean *pResult,
291
PKIX_UInt32 numPolicies = 0;
292
PKIX_Boolean match = PKIX_FALSE;
293
PKIX_PL_Object *certSelectorContext = NULL;
294
PKIX_PL_OID *constraintOID = NULL;
295
PKIX_List *certPolicies = NULL;
296
PKIX_PL_CertPolicyInfo *policy = NULL;
297
PKIX_PL_OID *policyOID = NULL;
298
PKIX_PL_String *errorDesc = NULL;
299
PKIX_Error *error = NULL;
301
PKIX_TEST_STD_VARS();
303
*pResult = PKIX_TRUE;
305
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCertSelectorContext
306
(selector, &certSelectorContext, plContext));
308
PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType
309
(certSelectorContext, PKIX_OID_TYPE, plContext));
311
constraintOID = (PKIX_PL_OID *)certSelectorContext;
313
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
314
(cert, &certPolicies, plContext));
317
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
318
(certPolicies, &numPolicies, plContext));
320
for (i = 0; i < numPolicies; i++) {
321
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
324
(PKIX_PL_Object **)&policy,
327
PKIX_TEST_EXPECT_NO_ERROR
328
(PKIX_PL_CertPolicyInfo_GetPolicyId
329
(policy, &policyOID, plContext));
331
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
332
((PKIX_PL_Object *)policyOID,
333
(PKIX_PL_Object *)constraintOID,
340
PKIX_TEST_DECREF_BC(policy);
341
PKIX_TEST_DECREF_BC(policyOID);
345
PKIX_TEST_DECREF_BC(certSelectorContext);
346
PKIX_TEST_DECREF_BC(certPolicies);
348
PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
349
(PKIX_CERTSELECTOR_ERROR,
352
PKIX_TESTNOMATCHINGPOLICY,
358
PKIX_TEST_DECREF_AC(certSelectorContext);
359
PKIX_TEST_DECREF_AC(certPolicies);
360
PKIX_TEST_DECREF_AC(policy);
361
PKIX_TEST_DECREF_AC(policyOID);
362
PKIX_TEST_DECREF_AC(errorDesc);
368
void testSubjectMatch(
370
PKIX_PL_Cert *certNameToMatch)
372
PKIX_CertSelector *selector = NULL;
373
PKIX_ComCertSelParams *subjParams = NULL;
374
PKIX_PL_X500Name *subjectName = NULL;
376
PKIX_TEST_STD_VARS();
378
subTest("Subject name match");
379
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
380
(NULL, NULL, &selector, plContext));
381
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
382
(&subjParams, plContext));
383
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
384
(certNameToMatch, &subjectName, plContext));
385
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
386
(subjParams, subjectName, plContext));
387
PKIX_TEST_EXPECT_NO_ERROR
388
(PKIX_CertSelector_SetCommonCertSelectorParams
389
(selector, subjParams, plContext));
390
testSelector(selector, certs, 0x008);
394
PKIX_TEST_DECREF_AC(selector);
395
PKIX_TEST_DECREF_AC(subjParams);
396
PKIX_TEST_DECREF_AC(subjectName);
402
void testBasicConstraintsMatch(
405
PKIX_CertSelector *selector = NULL;
406
PKIX_ComCertSelParams *bcParams = NULL;
408
PKIX_TEST_STD_VARS();
410
subTest("Basic Constraints match");
411
subTest(" pathLenContraint = -2: pass only EE's");
413
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
414
(NULL, NULL, &selector, plContext));
415
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
416
(&bcParams, plContext));
417
PKIX_TEST_EXPECT_NO_ERROR
418
(PKIX_ComCertSelParams_SetBasicConstraints
419
(bcParams, -2, plContext));
420
PKIX_TEST_EXPECT_NO_ERROR
421
(PKIX_CertSelector_SetCommonCertSelectorParams
422
(selector, bcParams, plContext));
423
testSelector(selector, certs, 0xC00);
425
subTest(" pathLenContraint = -1: pass all certs");
426
PKIX_TEST_EXPECT_NO_ERROR
427
(PKIX_ComCertSelParams_SetBasicConstraints
428
(bcParams, -1, plContext));
429
PKIX_TEST_EXPECT_NO_ERROR
430
(PKIX_CertSelector_SetCommonCertSelectorParams
431
(selector, bcParams, plContext));
432
testSelector(selector, certs, 0xFFF);
434
subTest(" pathLenContraint = 1: pass only certs with pathLen >= 1");
435
PKIX_TEST_EXPECT_NO_ERROR
436
(PKIX_ComCertSelParams_SetBasicConstraints
437
(bcParams, 1, plContext));
438
PKIX_TEST_EXPECT_NO_ERROR
439
(PKIX_CertSelector_SetCommonCertSelectorParams
440
(selector, bcParams, plContext));
441
testSelector(selector, certs, 0x3DF);
443
subTest(" pathLenContraint = 2: pass only certs with pathLen >= 2");
444
PKIX_TEST_EXPECT_NO_ERROR
445
(PKIX_ComCertSelParams_SetBasicConstraints
446
(bcParams, 2, plContext));
447
PKIX_TEST_EXPECT_NO_ERROR
448
(PKIX_CertSelector_SetCommonCertSelectorParams
449
(selector, bcParams, plContext));
450
testSelector(selector, certs, 0x39F);
453
PKIX_TEST_DECREF_AC(selector);
454
PKIX_TEST_DECREF_AC(bcParams);
460
void testPolicyMatch(
462
PKIX_PL_Cert *NIST1Cert, /* a source for policy NIST1 */
463
PKIX_PL_Cert *NIST2Cert, /* a source for policy NIST2 */
464
PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */
466
PKIX_CertSelector *selector = NULL;
467
PKIX_List *emptyList = NULL; /* no members */
468
PKIX_List *policy1List = NULL; /* OIDs */
469
PKIX_List *policy2List = NULL; /* OIDs */
470
PKIX_List *anyPolicyList = NULL; /* OIDs */
471
PKIX_ComCertSelParams *polParams = NULL;
473
PKIX_TEST_STD_VARS();
475
subTest("Policy match");
476
testGetPolicyFromCert(NIST1Cert, 0, &policy1List);
477
testGetPolicyFromCert(NIST2Cert, 1, &policy2List);
478
testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList);
480
subTest(" Pass certs with any CertificatePolicies extension");
481
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext));
482
PKIX_TEST_EXPECT_NO_ERROR
483
(PKIX_ComCertSelParams_Create(&polParams, plContext));
484
PKIX_TEST_EXPECT_NO_ERROR
485
(PKIX_ComCertSelParams_SetPolicy
486
(polParams, emptyList, plContext));
487
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
488
(NULL, NULL, &selector, plContext));
489
PKIX_TEST_EXPECT_NO_ERROR
490
(PKIX_CertSelector_SetCommonCertSelectorParams
491
(selector, polParams, plContext));
492
testSelector(selector, certs, 0xEFF);
493
PKIX_TEST_DECREF_BC(polParams);
495
subTest(" Pass only certs with policy NIST1");
496
PKIX_TEST_EXPECT_NO_ERROR
497
(PKIX_ComCertSelParams_Create(&polParams, plContext));
498
PKIX_TEST_EXPECT_NO_ERROR
499
(PKIX_ComCertSelParams_SetPolicy
500
(polParams, policy1List, plContext));
501
PKIX_TEST_EXPECT_NO_ERROR
502
(PKIX_CertSelector_SetCommonCertSelectorParams
503
(selector, polParams, plContext));
504
testSelector(selector, certs, 0xEF5);
505
PKIX_TEST_DECREF_BC(polParams);
507
subTest(" Pass only certs with policy NIST2");
508
PKIX_TEST_EXPECT_NO_ERROR
509
(PKIX_ComCertSelParams_Create(&polParams, plContext));
510
PKIX_TEST_EXPECT_NO_ERROR
511
(PKIX_ComCertSelParams_SetPolicy
512
(polParams, policy2List, plContext));
513
PKIX_TEST_EXPECT_NO_ERROR
514
(PKIX_CertSelector_SetCommonCertSelectorParams
515
(selector, polParams, plContext));
516
testSelector(selector, certs, 0x814);
517
PKIX_TEST_DECREF_BC(polParams);
519
subTest(" Pass only certs with policy anyPolicy");
520
PKIX_TEST_EXPECT_NO_ERROR
521
(PKIX_ComCertSelParams_Create(&polParams, plContext));
522
PKIX_TEST_EXPECT_NO_ERROR
523
(PKIX_ComCertSelParams_SetPolicy
524
(polParams, anyPolicyList, plContext));
525
PKIX_TEST_EXPECT_NO_ERROR
526
(PKIX_CertSelector_SetCommonCertSelectorParams
527
(selector, polParams, plContext));
528
testSelector(selector, certs, 0x002);
532
PKIX_TEST_DECREF_AC(selector);
533
PKIX_TEST_DECREF_AC(emptyList);
534
PKIX_TEST_DECREF_AC(policy1List);
535
PKIX_TEST_DECREF_AC(policy2List);
536
PKIX_TEST_DECREF_AC(anyPolicyList);
537
PKIX_TEST_DECREF_AC(polParams);
543
void testCertificateMatch(
545
PKIX_PL_Cert *certToMatch)
547
PKIX_CertSelector *selector = NULL;
548
PKIX_ComCertSelParams *params = NULL;
550
PKIX_TEST_STD_VARS();
552
subTest("Certificate match");
553
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
554
(NULL, NULL, &selector, plContext));
555
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
556
(¶ms, plContext));
557
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
558
(params, certToMatch, plContext));
559
PKIX_TEST_EXPECT_NO_ERROR
560
(PKIX_CertSelector_SetCommonCertSelectorParams
561
(selector, params, plContext));
562
testSelector(selector, certs, 0x008);
566
PKIX_TEST_DECREF_AC(selector);
567
PKIX_TEST_DECREF_AC(params);
573
void testNameConstraintsMatch(PKIX_List *certs)
575
PKIX_CertSelector *selector = NULL;
576
PKIX_ComCertSelParams *params = NULL;
577
PKIX_PL_Cert *cert = NULL;
578
PKIX_PL_CertNameConstraints *permitNameConstraints1 = NULL;
579
PKIX_PL_CertNameConstraints *permitNameConstraints2 = NULL;
580
PKIX_PL_CertNameConstraints *permitNameConstraints3 = NULL;
581
PKIX_PL_CertNameConstraints *excludeNameConstraints1 = NULL;
582
PKIX_PL_CertNameConstraints *excludeNameConstraints2 = NULL;
583
PKIX_PL_CertNameConstraints *excludeNameConstraints3 = NULL;
584
PKIX_UInt32 numCerts = 0;
586
PKIX_TEST_STD_VARS();
588
subTest("test NameConstraints Cert Selector");
590
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
591
(certs, &numCerts, plContext));
593
subTest(" PKIX_PL_Cert_GetNameConstraints <cert0-permitted>");
594
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
595
(certs, 0, (PKIX_PL_Object **)&cert, plContext));
596
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
597
(cert, &permitNameConstraints1, plContext));
598
PKIX_TEST_DECREF_BC(cert);
600
subTest(" PKIX_PL_Cert_GetNameConstraints <cert1-permitted>");
601
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
602
(certs, 1, (PKIX_PL_Object **)&cert, plContext));
603
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
604
(cert, &permitNameConstraints2, plContext));
605
PKIX_TEST_DECREF_BC(cert);
607
subTest(" PKIX_PL_Cert_GetNameConstraints <cert2-permitted>");
608
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
609
(certs, 2, (PKIX_PL_Object **)&cert, plContext));
610
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
611
(cert, &permitNameConstraints3, plContext));
612
PKIX_TEST_DECREF_BC(cert);
614
subTest(" PKIX_PL_Cert_GetNameConstraints <cert3-excluded>");
615
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
616
(certs, 3, (PKIX_PL_Object **)&cert, plContext));
617
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
618
(cert, &excludeNameConstraints1, plContext));
619
PKIX_TEST_DECREF_BC(cert);
621
subTest(" PKIX_PL_Cert_GetNameConstraints <cert4-excluded>");
622
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
623
(certs, 4, (PKIX_PL_Object **)&cert, plContext));
624
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
625
(cert, &excludeNameConstraints2, plContext));
626
PKIX_TEST_DECREF_BC(cert);
628
subTest(" PKIX_PL_Cert_GetNameConstraints <cert5-excluded>");
629
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
630
(certs, 5, (PKIX_PL_Object **)&cert, plContext));
631
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
632
(cert, &excludeNameConstraints3, plContext));
633
PKIX_TEST_DECREF_BC(cert);
635
subTest(" Create Selector and ComCertSelParams");
636
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
637
(NULL, NULL, &selector, plContext));
638
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
639
(¶ms, plContext));
641
PKIX_TEST_EXPECT_NO_ERROR
642
(PKIX_CertSelector_SetCommonCertSelectorParams
643
(selector, params, plContext));
645
subTest(" CertNameConstraints testing permitted NONE");
646
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
647
(params, permitNameConstraints1, plContext));
648
testSelector(selector, certs, 0x0);
650
subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset");
651
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
652
(params, NULL, plContext));
653
PKIX_TEST_EXPECT_NO_ERROR
654
(PKIX_CertSelector_SetCommonCertSelectorParams
655
(selector, params, plContext));
657
subTest(" CertNameConstraints testing permitted ALL");
658
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
659
(params, permitNameConstraints2, plContext));
660
testSelector(selector, certs, 0x07F);
662
subTest(" CertNameConstraints testing permitted TWO");
663
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
664
(params, permitNameConstraints3, plContext));
665
testSelector(selector, certs, 0x0041);
667
subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset");
668
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
669
(params, NULL, plContext));
670
PKIX_TEST_EXPECT_NO_ERROR
671
(PKIX_CertSelector_SetCommonCertSelectorParams
672
(selector, params, plContext));
674
subTest(" CertNameConstraints testing excluded");
675
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
676
(params, excludeNameConstraints1, plContext));
677
testSelector(selector, certs, 0x07F);
679
subTest(" CertNameConstraints testing excluded");
680
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
681
(params, excludeNameConstraints2, plContext));
682
testSelector(selector, certs, 0x07F);
684
subTest(" CertNameConstraints testing excluded");
685
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
686
(params, excludeNameConstraints3, plContext));
687
testSelector(selector, certs, 0x41);
691
PKIX_TEST_DECREF_AC(selector);
692
PKIX_TEST_DECREF_AC(params);
693
PKIX_TEST_DECREF_AC(permitNameConstraints1);
694
PKIX_TEST_DECREF_AC(permitNameConstraints2);
695
PKIX_TEST_DECREF_AC(permitNameConstraints3);
696
PKIX_TEST_DECREF_AC(excludeNameConstraints1);
697
PKIX_TEST_DECREF_AC(excludeNameConstraints2);
698
PKIX_TEST_DECREF_AC(excludeNameConstraints3);
704
void testPathToNamesMatch(PKIX_List *certs)
706
PKIX_CertSelector *selector = NULL;
707
PKIX_ComCertSelParams *params = NULL;
708
PKIX_List *nameList = NULL;
709
PKIX_PL_GeneralName *name = NULL;
711
PKIX_TEST_STD_VARS();
713
subTest("test PathToName Cert Selector");
715
subTest(" PKIX_PL_GeneralName List create");
717
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
719
subTest(" Add directory name <O=NotATest Certificates,C=US>");
720
name = createGeneralName
721
(PKIX_DIRECTORY_NAME,
722
"O=NotATest Certificates,C=US",
724
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
725
(nameList, (PKIX_PL_Object *)name, plContext));
727
subTest(" Create Selector and ComCertSelParams");
728
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
729
(NULL, NULL, &selector, plContext));
730
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
731
(¶ms, plContext));
733
PKIX_TEST_EXPECT_NO_ERROR
734
(PKIX_CertSelector_SetCommonCertSelectorParams
735
(selector, params, plContext));
737
subTest(" PKIX_ComCertSelParams_SetPathToNames");
738
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
739
(params, nameList, plContext));
741
subTest(" Permitting THREE");
742
testSelector(selector, certs, 0x58);
744
subTest(" Remove directory name <O=NotATest Certificates,C=US...>");
745
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
746
(nameList, 0, plContext));
747
PKIX_TEST_DECREF_BC(name);
749
subTest(" PKIX_ComCertSelParams_SetPathToNames Reset");
750
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
751
(params, NULL, plContext));
752
PKIX_TEST_EXPECT_NO_ERROR
753
(PKIX_CertSelector_SetCommonCertSelectorParams
754
(selector, params, plContext));
756
subTest(" Add directory name <OU=permittedSubtree1,O=Test...>");
757
name = createGeneralName
758
(PKIX_DIRECTORY_NAME,
759
"OU=permittedSubtree1,O=Test Certificates,C=US",
761
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
762
(nameList, (PKIX_PL_Object *)name, plContext));
764
subTest(" PKIX_ComCertSelParams_SetPathToNames");
765
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
766
(params, nameList, plContext));
768
subTest(" Permitting SIX");
769
testSelector(selector, certs, 0x5F);
771
subTest(" Remove directory name <OU=permittedSubtree1,O=Test...>");
772
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
773
(nameList, 0, plContext));
774
PKIX_TEST_DECREF_BC(name);
776
subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset");
777
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
778
(params, NULL, plContext));
779
PKIX_TEST_EXPECT_NO_ERROR
780
(PKIX_CertSelector_SetCommonCertSelectorParams
781
(selector, params, plContext));
783
subTest(" Add directory name <O=Test Certificates,C=US...>");
784
name = createGeneralName
785
(PKIX_DIRECTORY_NAME,
786
"O=Test Certificates,C=US",
788
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
789
(nameList, (PKIX_PL_Object *)name, plContext));
790
PKIX_TEST_DECREF_BC(name);
792
subTest(" PKIX_ComCertSelParams_SetPathToNames");
793
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
794
(params, nameList, plContext));
796
subTest(" Permitting FOUR");
797
testSelector(selector, certs, 0x47);
799
subTest(" Only directory name <OU=permittedSubtree1,O=Test ...>");
800
name = createGeneralName
801
(PKIX_DIRECTORY_NAME,
802
"OU=permittedSubtree1,O=Test Certificates,C=US",
805
subTest(" PKIX_ComCertSelParams_AddPathToName");
806
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
807
(params, name, plContext));
808
PKIX_TEST_DECREF_BC(name);
810
subTest(" Permitting FOUR");
811
testSelector(selector, certs, 0x47);
813
subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset");
814
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
815
(params, NULL, plContext));
816
PKIX_TEST_EXPECT_NO_ERROR
817
(PKIX_CertSelector_SetCommonCertSelectorParams
818
(selector, params, plContext));
819
PKIX_TEST_DECREF_BC(nameList);
820
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
822
subTest(" Add directory name <CN=Valid DN nameConstraints EE...>");
823
name = createGeneralName
824
(PKIX_DIRECTORY_NAME, "CN=Valid DN nameConstraints EE "
825
"Certificate Test1,OU=permittedSubtree1,"
826
"O=Test Certificates,C=US",
828
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
829
(nameList, (PKIX_PL_Object *)name, plContext));
830
PKIX_TEST_DECREF_BC(name);
832
subTest(" PKIX_ComCertSelParams_SetPathToNames");
833
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
834
(params, nameList, plContext));
836
subTest(" Permitting SIX");
837
testSelector(selector, certs, 0x7e);
839
subTest(" Add directory name <OU=permittedSubtree1,O=Test>");
840
name = createGeneralName
841
(PKIX_DIRECTORY_NAME,
842
"OU=permittedSubtree1,O=Test",
844
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
845
(nameList, (PKIX_PL_Object *)name, plContext));
846
PKIX_TEST_DECREF_BC(name);
848
subTest(" PKIX_ComCertSelParams_SetPathToNames");
849
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
850
(params, nameList, plContext));
852
subTest(" Permitting SIX");
853
testSelector(selector, certs, 0x58);
855
subTest(" Add directory name <O=Test Certificates,C=US>");
856
name = createGeneralName
857
(PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext);
859
subTest(" PKIX_ComCertSelParams_SetPathToNames Reset");
860
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
861
(params, NULL, plContext));
862
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
863
(params, name, plContext));
864
PKIX_TEST_DECREF_BC(name);
866
subTest(" Permitting FOUR");
867
testSelector(selector, certs, 0x47);
871
PKIX_TEST_DECREF_AC(selector);
872
PKIX_TEST_DECREF_AC(params);
873
PKIX_TEST_DECREF_AC(nameList);
879
void testSubjAltNamesMatch(PKIX_List *certs)
881
PKIX_CertSelector *selector = NULL;
882
PKIX_ComCertSelParams *params = NULL;
883
PKIX_List *nameList = NULL;
884
PKIX_PL_GeneralName *name = NULL;
886
PKIX_TEST_STD_VARS();
888
subTest("test SubjAltNames Cert Selector");
890
subTest(" PKIX_PL_GeneralName List create");
892
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
894
subTest(" Create Selector and ComCertSelParams");
895
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
896
(NULL, NULL, &selector, plContext));
897
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
898
(¶ms, plContext));
900
PKIX_TEST_EXPECT_NO_ERROR
901
(PKIX_CertSelector_SetCommonCertSelectorParams
902
(selector, params, plContext));
904
subTest(" Add directory name <CN=Invalid DN nameConstraints EE...>");
905
name = createGeneralName
906
(PKIX_DIRECTORY_NAME,
907
"CN=Invalid DN nameConstraints EE Certificate Test3,"
908
"OU=excludedSubtree1,O=Test Certificates,C=US",
911
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
912
(nameList, (PKIX_PL_Object *)name, plContext));
914
subTest(" PKIX_ComCertSelParams_SetSubjAltNames");
915
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames
916
(params, nameList, plContext));
918
PKIX_TEST_DECREF_BC(name);
919
PKIX_TEST_DECREF_BC(nameList);
921
subTest(" Permitting ONE");
922
testSelector(selector, certs, 0x1);
924
subTest(" Add DNS name <mytestcertificates.gov>");
925
name = createGeneralName
927
"mytestcertificates.gov",
930
subTest(" PKIX_ComCertSelParams_AddSubjAltName");
931
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
932
(params, name, plContext));
933
PKIX_TEST_DECREF_BC(name);
935
subTest(" Permitting NONE");
936
testSelector(selector, certs, 0x0);
938
subTest(" PKIX_ComCertSelParams_SetMatchAllSubjAltNames to FALSE");
939
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
940
(params, PKIX_FALSE, plContext));
941
PKIX_TEST_EXPECT_NO_ERROR
942
(PKIX_CertSelector_SetCommonCertSelectorParams
943
(selector, params, plContext));
945
subTest(" Permitting TWO");
946
testSelector(selector, certs, 0x3);
950
PKIX_TEST_DECREF_AC(selector);
951
PKIX_TEST_DECREF_AC(params);
952
PKIX_TEST_DECREF_AC(name);
953
PKIX_TEST_DECREF_AC(nameList);
959
void testCertificateValidMatch(
962
PKIX_CertSelector *selector = NULL;
963
PKIX_ComCertSelParams *params = NULL;
964
PKIX_PL_String *stringRep = NULL;
965
PKIX_PL_Date *testDate = NULL;
966
char *asciiRep = "050501000000Z";
968
PKIX_TEST_STD_VARS();
970
subTest("CertificateValid match");
971
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
972
(NULL, NULL, &selector, plContext));
973
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
974
(¶ms, plContext));
975
PKIX_TEST_EXPECT_NO_ERROR
976
(PKIX_PL_String_Create
977
(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext));
978
PKIX_TEST_EXPECT_NO_ERROR
979
(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext));
980
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
981
(params, testDate, plContext));
982
PKIX_TEST_EXPECT_NO_ERROR
983
(PKIX_CertSelector_SetCommonCertSelectorParams
984
(selector, params, plContext));
985
testSelector(selector, certs, 0xFFFFFFFF);
989
PKIX_TEST_DECREF_AC(selector);
990
PKIX_TEST_DECREF_AC(params);
991
PKIX_TEST_DECREF_AC(stringRep);
992
PKIX_TEST_DECREF_AC(testDate);
998
void test_customCallback1(PKIX_List *certs)
1000
PKIX_CertSelector *selector = NULL;
1002
PKIX_TEST_STD_VARS();
1004
subTest("custom matchCallback");
1006
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1007
(custom_CertSelector_MatchCallback,
1012
testSelector(selector, certs, 0x900);
1016
PKIX_TEST_DECREF_AC(selector);
1022
void test_customCallback2
1024
PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */
1026
PKIX_CertSelector *selector = NULL;
1027
PKIX_List *anyPolicyList = NULL; /* OIDs */
1028
PKIX_PL_OID *policyOID = NULL;
1030
PKIX_TEST_STD_VARS();
1032
subTest("custom matchCallback with CertSelectorContext");
1034
testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList);
1036
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
1037
(anyPolicyList, 0, (PKIX_PL_Object **)&policyOID, plContext));
1039
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1040
(custom_CertSelector_MatchOIDCallback,
1041
(PKIX_PL_Object *)policyOID,
1045
testSelector(selector, certs, (1 << ANYPOLICYCERT));
1049
PKIX_TEST_DECREF_AC(selector);
1050
PKIX_TEST_DECREF_AC(anyPolicyList);
1051
PKIX_TEST_DECREF_AC(policyOID);
1057
void testExtendedKeyUsageMatch(char *certDir)
1059
PKIX_ComCertSelParams *goodParams = NULL;
1060
PKIX_PL_OID *ekuOid = NULL;
1061
PKIX_List *ekuOidList = NULL;
1062
PKIX_PL_String *dirString = NULL;
1063
PKIX_CertStore_CertCallback certCallback;
1064
PKIX_CertStore *certStore = NULL;
1065
PKIX_CertSelector *certSelector = NULL;
1066
PKIX_List *certList = NULL;
1067
PKIX_UInt32 numCert = 0;
1068
void *nbioContext = NULL;
1070
PKIX_TEST_STD_VARS();
1072
subTest("test Extended KeyUsage Cert Selector");
1074
subTest(" PKIX_ComCertSelParams_Create");
1075
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1076
(&goodParams, plContext));
1078
subTest(" Create Extended Key Usage OID List");
1079
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&ekuOidList, plContext));
1081
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
1082
("1.3.6.1.5.5.7.3.2", &ekuOid, plContext));
1084
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
1085
(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext));
1087
PKIX_TEST_DECREF_BC(ekuOid);
1089
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
1090
("1.3.6.1.5.5.7.3.3", &ekuOid, plContext));
1092
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
1093
(ekuOidList, (PKIX_PL_Object *)ekuOid, plContext));
1095
PKIX_TEST_DECREF_BC(ekuOid);
1097
subTest(" PKIX_ComCertSelParams_SetExtendedKeyUsage");
1098
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
1099
(goodParams, ekuOidList, plContext));
1101
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
1102
(PKIX_ESCASCII, certDir, 0, &dirString, plContext));
1104
subTest(" PKIX_PL_CollectionCertStoreContext_Create");
1105
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
1106
(dirString, &certStore, plContext));
1108
subTest(" PKIX_CertSelector_Create");
1109
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1110
(NULL, NULL, &certSelector, plContext));
1112
PKIX_TEST_EXPECT_NO_ERROR
1113
(PKIX_CertSelector_SetCommonCertSelectorParams
1114
(certSelector, goodParams, plContext));
1116
subTest(" PKIX_CertStore_GetCertCallback");
1117
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
1118
(certStore, &certCallback, NULL));
1120
subTest(" Getting data from Cert Callback");
1121
PKIX_TEST_EXPECT_NO_ERROR(certCallback
1122
(certStore, certSelector, &nbioContext, &certList, plContext));
1124
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
1125
(certList, &numCert, plContext));
1127
if (numCert != PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS) {
1128
pkixTestErrorMsg = "unexpected Cert number mismatch";
1133
PKIX_TEST_DECREF_AC(ekuOid);
1134
PKIX_TEST_DECREF_AC(ekuOidList);
1135
PKIX_TEST_DECREF_AC(goodParams);
1136
PKIX_TEST_DECREF_AC(dirString);
1137
PKIX_TEST_DECREF_AC(certList);
1138
PKIX_TEST_DECREF_AC(certSelector);
1139
PKIX_TEST_DECREF_AC(certStore);
1145
void testKeyUsageMatch(char *certDir)
1147
PKIX_ComCertSelParams *goodParams = NULL;
1148
PKIX_PL_String *dirString = NULL;
1149
PKIX_CertStore_CertCallback certCallback;
1150
PKIX_CertStore *certStore = NULL;
1151
PKIX_CertSelector *certSelector = NULL;
1152
PKIX_List *certList = NULL;
1153
PKIX_UInt32 numCert = 0;
1154
void *nbioContext = NULL;
1156
PKIX_TEST_STD_VARS();
1158
subTest("test KeyUsage Cert Selector");
1160
subTest(" PKIX_ComCertSelParams_Create");
1161
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1162
(&goodParams, plContext));
1164
subTest(" PKIX_ComCertSelParams_SetKeyUsage");
1165
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage
1166
(goodParams, PKIX_CRL_SIGN, plContext));
1168
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
1169
(PKIX_ESCASCII, certDir, 0, &dirString, plContext));
1171
subTest(" PKIX_PL_CollectionCertStoreContext_Create");
1172
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
1173
(dirString, &certStore, plContext));
1175
subTest(" PKIX_CertSelector_Create");
1176
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1177
(NULL, NULL, &certSelector, plContext));
1179
PKIX_TEST_EXPECT_NO_ERROR
1180
(PKIX_CertSelector_SetCommonCertSelectorParams
1181
(certSelector, goodParams, plContext));
1183
subTest(" PKIX_CertStore_GetCertCallback");
1184
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
1185
(certStore, &certCallback, NULL));
1187
subTest(" Getting data from Cert Callback");
1188
PKIX_TEST_EXPECT_NO_ERROR(certCallback
1189
(certStore, certSelector, &nbioContext, &certList, plContext));
1191
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
1192
(certList, &numCert, plContext));
1194
if (numCert != PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS) {
1195
pkixTestErrorMsg = "unexpected Cert number mismatch";
1200
PKIX_TEST_DECREF_AC(goodParams);
1201
PKIX_TEST_DECREF_AC(dirString);
1202
PKIX_TEST_DECREF_AC(certList);
1203
PKIX_TEST_DECREF_AC(certSelector);
1204
PKIX_TEST_DECREF_AC(certStore);
1210
void testCertValidMatch(char *certDir)
1212
PKIX_ComCertSelParams *goodParams = NULL;
1213
PKIX_PL_Date *validDate = NULL;
1214
PKIX_PL_String *dirString = NULL;
1215
PKIX_CertStore_CertCallback certCallback;
1216
PKIX_CertStore *certStore = NULL;
1217
PKIX_CertSelector *certSelector = NULL;
1218
PKIX_List *certList = NULL;
1219
PKIX_UInt32 numCert = 0;
1220
void *nbioContext = NULL;
1222
PKIX_TEST_STD_VARS();
1224
subTest("test CertValid Cert Selector");
1226
subTest(" PKIX_ComCertSelParams_Create");
1227
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1228
(&goodParams, plContext));
1230
validDate = createDate("050601000000Z", plContext);
1232
subTest(" PKIX_ComCertSelParams_SetCertificateValid");
1233
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
1234
(goodParams, validDate, plContext));
1236
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
1237
(PKIX_ESCASCII, certDir, 0, &dirString, plContext));
1239
subTest(" PKIX_PL_CollectionCertStoreContext_Create");
1240
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
1241
(dirString, &certStore, plContext));
1243
subTest(" PKIX_CertSelector_Create");
1244
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1245
(NULL, NULL, &certSelector, plContext));
1247
PKIX_TEST_EXPECT_NO_ERROR
1248
(PKIX_CertSelector_SetCommonCertSelectorParams
1249
(certSelector, goodParams, plContext));
1251
subTest(" PKIX_CertStore_GetCertCallback");
1252
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
1253
(certStore, &certCallback, NULL));
1255
subTest(" Getting data from Cert Callback");
1256
PKIX_TEST_EXPECT_NO_ERROR(certCallback
1257
(certStore, certSelector, &nbioContext, &certList, plContext));
1259
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
1260
(certList, &numCert, plContext));
1262
if (numCert != PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS) {
1263
pkixTestErrorMsg = "unexpected Cert number mismatch";
1268
PKIX_TEST_DECREF_AC(goodParams);
1269
PKIX_TEST_DECREF_AC(validDate);
1270
PKIX_TEST_DECREF_AC(dirString);
1271
PKIX_TEST_DECREF_AC(certList);
1272
PKIX_TEST_DECREF_AC(certSelector);
1273
PKIX_TEST_DECREF_AC(certStore);
1279
void testIssuerMatch(char *certDir)
1281
PKIX_ComCertSelParams *goodParams = NULL;
1282
PKIX_PL_X500Name *issuer = NULL;
1283
PKIX_PL_String *issuerStr = NULL;
1284
PKIX_PL_String *dirString = NULL;
1285
PKIX_CertStore_CertCallback certCallback;
1286
PKIX_CertStore *certStore = NULL;
1287
PKIX_CertSelector *certSelector = NULL;
1288
PKIX_List *certList = NULL;
1289
char *issuerName = "CN=science,O=mit,C=US";
1290
PKIX_UInt32 numCert = 0;
1291
void *nbioContext = NULL;
1293
PKIX_TEST_STD_VARS();
1295
subTest("test Issuer Cert Selector");
1297
subTest(" PKIX_ComCertSelParams_Create");
1298
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1299
(&goodParams, plContext));
1301
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
1302
(PKIX_ESCASCII, issuerName, 0, &issuerStr, plContext));
1304
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create
1305
(issuerStr, &issuer, plContext));
1307
subTest(" PKIX_ComCertSelParams_SetIssuer");
1308
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer
1309
(goodParams, issuer, plContext));
1311
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
1312
(PKIX_ESCASCII, certDir, 0, &dirString, plContext));
1314
subTest(" PKIX_PL_CollectionCertStoreContext_Create");
1315
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
1316
(dirString, &certStore, plContext));
1318
subTest(" PKIX_CertSelector_Create");
1319
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1320
(NULL, NULL, &certSelector, plContext));
1322
PKIX_TEST_EXPECT_NO_ERROR
1323
(PKIX_CertSelector_SetCommonCertSelectorParams
1324
(certSelector, goodParams, plContext));
1326
subTest(" PKIX_CertStore_GetCertCallback");
1327
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
1328
(certStore, &certCallback, NULL));
1330
subTest(" Getting data from Cert Callback");
1331
PKIX_TEST_EXPECT_NO_ERROR(certCallback
1332
(certStore, certSelector, &nbioContext, &certList, plContext));
1334
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
1335
(certList, &numCert, plContext));
1337
if (numCert != PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS) {
1338
pkixTestErrorMsg = "unexpected Cert number mismatch";
1343
PKIX_TEST_DECREF_AC(goodParams);
1344
PKIX_TEST_DECREF_AC(issuer);
1345
PKIX_TEST_DECREF_AC(issuerStr);
1346
PKIX_TEST_DECREF_AC(dirString);
1347
PKIX_TEST_DECREF_AC(certList);
1348
PKIX_TEST_DECREF_AC(certSelector);
1349
PKIX_TEST_DECREF_AC(certStore);
1355
void testSerialNumberVersionMatch(char *certDir)
1357
PKIX_ComCertSelParams *goodParams = NULL;
1358
PKIX_PL_BigInt *serialNumber = NULL;
1359
PKIX_PL_String *serialNumberStr = NULL;
1360
PKIX_PL_String *dirString = NULL;
1361
PKIX_CertStore_CertCallback certCallback;
1362
PKIX_CertStore *certStore = NULL;
1363
PKIX_CertSelector *certSelector = NULL;
1364
PKIX_List *certList = NULL;
1365
PKIX_UInt32 numCert = 0;
1366
void *nbioContext = NULL;
1368
PKIX_TEST_STD_VARS();
1370
subTest("test Serial Number Cert Selector");
1372
subTest(" PKIX_ComCertSelParams_Create");
1373
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1374
(&goodParams, plContext));
1376
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
1377
(PKIX_ESCASCII, "01", 0, &serialNumberStr, plContext));
1379
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
1380
(serialNumberStr, &serialNumber, plContext));
1382
subTest(" PKIX_ComCertSelParams_SetSerialNumber");
1383
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber
1384
(goodParams, serialNumber, plContext));
1386
subTest(" PKIX_ComCertSelParams_SetVersion");
1387
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
1388
(goodParams, 0, plContext));
1390
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
1391
(PKIX_ESCASCII, certDir, 0, &dirString, plContext));
1393
subTest(" PKIX_PL_CollectionCertStoreContext_Create");
1394
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
1395
(dirString, &certStore, plContext));
1397
subTest(" PKIX_CertSelector_Create");
1398
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1399
(NULL, NULL, &certSelector, plContext));
1401
PKIX_TEST_EXPECT_NO_ERROR
1402
(PKIX_CertSelector_SetCommonCertSelectorParams
1403
(certSelector, goodParams, plContext));
1405
subTest(" PKIX_CertStore_GetCertCallback");
1406
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
1407
(certStore, &certCallback, NULL));
1409
subTest(" Getting data from Cert Callback");
1410
PKIX_TEST_EXPECT_NO_ERROR(certCallback
1411
(certStore, certSelector, &nbioContext, &certList, plContext));
1413
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
1414
(certList, &numCert, plContext));
1416
PKIX_TEST_DECREF_BC(certList);
1419
pkixTestErrorMsg = "unexpected Version mismatch";
1422
subTest(" PKIX_ComCertSelParams_SetVersion");
1423
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
1424
(goodParams, 2, plContext));
1426
subTest(" Getting data from Cert Callback");
1427
PKIX_TEST_EXPECT_NO_ERROR(certCallback
1428
(certStore, certSelector, &nbioContext, &certList, plContext));
1430
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
1431
(certList, &numCert, plContext));
1433
if (numCert != PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS) {
1434
pkixTestErrorMsg = "unexpected Serial Number mismatch";
1439
PKIX_TEST_DECREF_AC(goodParams);
1440
PKIX_TEST_DECREF_AC(serialNumber);
1441
PKIX_TEST_DECREF_AC(serialNumberStr);
1442
PKIX_TEST_DECREF_AC(dirString);
1443
PKIX_TEST_DECREF_AC(certList);
1444
PKIX_TEST_DECREF_AC(certSelector);
1445
PKIX_TEST_DECREF_AC(certStore);
1451
void testSubjKeyIdMatch(PKIX_List *certs)
1453
PKIX_CertSelector *selector = NULL;
1454
PKIX_ComCertSelParams *params = NULL;
1455
PKIX_PL_Cert *cert = NULL;
1456
PKIX_PL_ByteArray *selSubjKeyId = NULL;
1457
PKIX_UInt32 item = 0;
1459
PKIX_TEST_STD_VARS();
1461
subTest("test Subject Key Id Cert Selector");
1464
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
1465
(certs, item, (PKIX_PL_Object **)&cert, plContext));
1467
subTest(" PKIX_PL_Cert_GetSubjectKeyIdentifier");
1468
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier
1469
(cert, &selSubjKeyId, plContext));
1471
subTest(" Create Selector and ComCertSelParams");
1472
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1473
(NULL, NULL, &selector, plContext));
1474
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1475
(¶ms, plContext));
1477
PKIX_TEST_EXPECT_NO_ERROR
1478
(PKIX_CertSelector_SetCommonCertSelectorParams
1479
(selector, params, plContext));
1481
subTest(" PKIX_ComCertSelParams_SetSubjKeyIdentifier");
1482
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier
1483
(params, selSubjKeyId, plContext));
1485
subTest(" Select One");
1486
testSelector(selector, certs, 1<<item);
1490
PKIX_TEST_DECREF_AC(selSubjKeyId);
1491
PKIX_TEST_DECREF_AC(cert);
1492
PKIX_TEST_DECREF_AC(params);
1493
PKIX_TEST_DECREF_AC(selector);
1499
void testAuthKeyIdMatch(PKIX_List *certs)
1501
PKIX_CertSelector *selector = NULL;
1502
PKIX_ComCertSelParams *params = NULL;
1503
PKIX_PL_Cert *cert = NULL;
1504
PKIX_PL_ByteArray *selAuthKeyId = NULL;
1505
PKIX_UInt32 item = 0;
1507
PKIX_TEST_STD_VARS();
1509
subTest("test Auth Key Id Cert Selector");
1512
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
1513
(certs, item, (PKIX_PL_Object **)&cert, plContext));
1515
subTest(" PKIX_PL_Cert_GetAuthorityKeyIdentifier");
1516
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier
1517
(cert, &selAuthKeyId, plContext));
1519
subTest(" Create Selector and ComCertSelParams");
1520
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1521
(NULL, NULL, &selector, plContext));
1522
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1523
(¶ms, plContext));
1525
PKIX_TEST_EXPECT_NO_ERROR
1526
(PKIX_CertSelector_SetCommonCertSelectorParams
1527
(selector, params, plContext));
1529
subTest(" PKIX_ComCertSelParams_SetAuthorityKeyIdentifier");
1530
PKIX_TEST_EXPECT_NO_ERROR
1531
(PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
1532
(params, selAuthKeyId, plContext));
1534
subTest(" Select TWO");
1535
testSelector(selector, certs, (1<<item)|(1<<1));
1539
PKIX_TEST_DECREF_AC(selAuthKeyId);
1540
PKIX_TEST_DECREF_AC(cert);
1541
PKIX_TEST_DECREF_AC(params);
1542
PKIX_TEST_DECREF_AC(selector);
1548
void testSubjPKAlgIdMatch(PKIX_List *certs)
1550
PKIX_CertSelector *selector = NULL;
1551
PKIX_ComCertSelParams *params = NULL;
1552
PKIX_PL_Cert *cert = NULL;
1553
PKIX_PL_OID *selAlgId = NULL;
1554
PKIX_UInt32 item = 0;
1556
PKIX_TEST_STD_VARS();
1558
subTest("test Subject Public Key Algorithm Id Cert Selector");
1561
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
1562
(certs, item, (PKIX_PL_Object **)&cert, plContext));
1564
subTest(" PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
1565
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
1566
(cert, &selAlgId, plContext));
1568
subTest(" Create Selector and ComCertSelParams");
1569
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1570
(NULL, NULL, &selector, plContext));
1571
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1572
(¶ms, plContext));
1574
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
1575
(selector, params, plContext));
1577
subTest(" PKIX_ComCertSelParams_SetSubjPKAlgId");
1578
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId
1579
(params, selAlgId, plContext));
1581
subTest(" Select All");
1582
testSelector(selector, certs, 0x7F);
1586
PKIX_TEST_DECREF_AC(selAlgId);
1587
PKIX_TEST_DECREF_AC(cert);
1588
PKIX_TEST_DECREF_AC(params);
1589
PKIX_TEST_DECREF_AC(selector);
1595
void testSubjPublicKeyMatch(PKIX_List *certs)
1597
PKIX_CertSelector *selector = NULL;
1598
PKIX_ComCertSelParams *params = NULL;
1599
PKIX_PL_Cert *cert = NULL;
1600
PKIX_PL_PublicKey *selPublicKey = NULL;
1601
PKIX_UInt32 item = 0;
1603
PKIX_TEST_STD_VARS();
1605
subTest("test Subject Public Key Cert Selector");
1608
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
1609
(certs, item, (PKIX_PL_Object **)&cert, plContext));
1611
subTest(" PKIX_PL_Cert_GetSubjectPublicKey");
1612
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
1613
(cert, &selPublicKey, plContext));
1615
subTest(" Create Selector and ComCertSelParams");
1616
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1617
(NULL, NULL, &selector, plContext));
1618
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
1619
(¶ms, plContext));
1621
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
1622
(selector, params, plContext));
1624
subTest(" PKIX_ComCertSelParams_SetSubjPubKey");
1625
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey
1626
(params, selPublicKey, plContext));
1628
subTest(" Select ONE");
1629
testSelector(selector, certs, 1<<item);
1633
PKIX_TEST_DECREF_AC(selPublicKey);
1634
PKIX_TEST_DECREF_AC(cert);
1635
PKIX_TEST_DECREF_AC(params);
1636
PKIX_TEST_DECREF_AC(selector);
1642
void test_CertSelector_Duplicate(PKIX_CertSelector *selector)
1644
PKIX_Int32 goodBasicConstraints = 0;
1645
PKIX_Int32 equalBasicConstraints = 0;
1646
PKIX_CertSelector *dupSelector = NULL;
1647
PKIX_ComCertSelParams *goodParams = NULL;
1648
PKIX_ComCertSelParams *equalParams = NULL;
1649
PKIX_CertSelector_MatchCallback goodCallback = NULL;
1650
PKIX_CertSelector_MatchCallback equalCallback = NULL;
1651
PKIX_PL_X500Name *goodSubject = NULL;
1652
PKIX_PL_X500Name *equalSubject = NULL;
1653
PKIX_List *goodPolicy = NULL;
1654
PKIX_List *equalPolicy = NULL;
1655
PKIX_PL_Cert *goodCert = NULL;
1656
PKIX_PL_Cert *equalCert = NULL;
1657
PKIX_PL_Date *goodDate = NULL;
1658
PKIX_PL_Date *equalDate = NULL;
1660
PKIX_TEST_STD_VARS();
1662
subTest("test_CertSelector_Duplicate");
1663
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
1664
((PKIX_PL_Object *)selector,
1665
(PKIX_PL_Object **)&dupSelector,
1667
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams
1668
(selector, &goodParams, plContext));
1669
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams
1670
(dupSelector, &equalParams, plContext));
1671
/* There is no equals function, so look at components separately. */
1672
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
1673
(goodParams, &goodSubject, plContext));
1674
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
1675
(equalParams, &equalSubject, plContext));
1676
if (goodSubject && equalSubject) {
1678
((PKIX_PL_Object *)goodSubject,
1679
(PKIX_PL_Object *)equalSubject,
1683
if PKIX_EXACTLY_ONE_NULL(goodSubject, equalSubject) {
1684
pkixTestErrorMsg = "Subject Names are not equal!";
1689
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
1690
(goodParams, &goodPolicy, plContext));
1691
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
1692
(equalParams, &equalPolicy, plContext));
1693
if (goodPolicy && equalPolicy) {
1695
((PKIX_PL_Object *)goodPolicy,
1696
(PKIX_PL_Object *)equalPolicy,
1700
if PKIX_EXACTLY_ONE_NULL(goodPolicy, equalPolicy) {
1701
pkixTestErrorMsg = "Policy Lists are not equal!";
1706
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
1707
(goodParams, &goodCert, plContext));
1708
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
1709
(equalParams, &equalCert, plContext));
1710
if (goodCert && equalCert) {
1712
((PKIX_PL_Object *)goodCert,
1713
(PKIX_PL_Object *)equalCert,
1717
if PKIX_EXACTLY_ONE_NULL(goodCert, equalCert) {
1718
pkixTestErrorMsg = "Cert Lists are not equal!";
1723
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
1724
(goodParams, &goodDate, plContext));
1725
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
1726
(equalParams, &equalDate, plContext));
1727
if (goodCert && equalCert) {
1729
((PKIX_PL_Object *)goodDate,
1730
(PKIX_PL_Object *)equalDate,
1734
if PKIX_EXACTLY_ONE_NULL(goodDate, equalDate) {
1735
pkixTestErrorMsg = "Date Lists are not equal!";
1740
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
1741
(goodParams, &goodBasicConstraints, plContext));
1742
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
1743
(equalParams, &equalBasicConstraints, plContext));
1744
if (goodBasicConstraints != equalBasicConstraints) {
1745
pkixTestErrorMsg = "BasicConstraints are not equal!";
1749
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
1750
(selector, &goodCallback, plContext));
1751
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
1752
(dupSelector, &equalCallback, plContext));
1753
if (goodCallback != equalCallback) {
1754
pkixTestErrorMsg = "MatchCallbacks are not equal!";
1759
PKIX_TEST_DECREF_AC(dupSelector);
1760
PKIX_TEST_DECREF_AC(goodParams);
1761
PKIX_TEST_DECREF_AC(equalParams);
1762
PKIX_TEST_DECREF_AC(goodSubject);
1763
PKIX_TEST_DECREF_AC(equalSubject);
1764
PKIX_TEST_DECREF_AC(goodPolicy);
1765
PKIX_TEST_DECREF_AC(equalPolicy);
1766
PKIX_TEST_DECREF_AC(goodCert);
1767
PKIX_TEST_DECREF_AC(equalCert);
1768
PKIX_TEST_DECREF_AC(goodDate);
1769
PKIX_TEST_DECREF_AC(equalDate);
1775
void printUsage(void) {
1776
(void) printf("\nUSAGE:\ttest_certselector <NIST_FILES_DIR> <cert-dir>\n\n");
1779
int test_certselector(int argc, char *argv[]) {
1783
PKIX_UInt32 actualMinorVersion;
1785
PKIX_CertSelector *emptySelector = NULL;
1786
PKIX_List *certs = NULL;
1787
PKIX_List *nameConstraintsCerts = NULL;
1788
PKIX_List *subjAltNamesCerts = NULL;
1789
PKIX_PL_Cert *cert = NULL;
1790
PKIX_PL_Cert *policy1Cert = NULL;
1791
PKIX_PL_Cert *policy2Cert = NULL;
1792
PKIX_PL_Cert *anyPolicyCert = NULL;
1793
PKIX_PL_Cert *subjectCert = NULL;
1794
PKIX_ComCertSelParams *selParams = NULL;
1795
char *certDir = NULL;
1796
char *dirName = NULL;
1798
PKIX_TEST_STD_VARS();
1800
startTests("CertSelector");
1802
PKIX_TEST_EXPECT_NO_ERROR(
1803
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
1810
dirName = argv[j+1];
1811
certDir = argv[j+3];
1813
/* Create a List of certs to use in testing the selector */
1814
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
1816
for (i = 0; i < NUMCERTS; i++) {
1818
cert = createCert(dirName, certList[i], plContext);
1820
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
1821
(certs, (PKIX_PL_Object *)cert, plContext));
1822
if (i == POLICY1CERT) {
1823
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
1824
((PKIX_PL_Object *)cert, plContext));
1827
if (i == ANYPOLICYCERT) {
1828
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
1829
((PKIX_PL_Object *)cert, plContext));
1830
anyPolicyCert = cert;
1832
if (i == POLICY2CERT) {
1833
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
1834
((PKIX_PL_Object *)cert, plContext));
1837
if (i == SUBJECTCERT) {
1838
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
1839
((PKIX_PL_Object *)cert, plContext));
1842
PKIX_TEST_DECREF_BC(cert);
1845
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
1846
(&nameConstraintsCerts, plContext));
1848
for (i = 0; i < NUMNCCERTS; i++) {
1850
cert = createCert(dirName, ncCertList[i], plContext);
1852
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
1853
(nameConstraintsCerts,
1854
(PKIX_PL_Object *)cert,
1857
PKIX_TEST_DECREF_BC(cert);
1860
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
1861
(&subjAltNamesCerts, plContext));
1863
for (i = 0; i < NUMSANCERTS; i++) {
1865
cert = createCert(dirName, sanCertList[i], plContext);
1867
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
1869
(PKIX_PL_Object *)cert,
1872
PKIX_TEST_DECREF_BC(cert);
1875
subTest("test_CertSelector_Create");
1876
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
1877
(NULL, NULL, &emptySelector, plContext));
1879
subTest("Default Match, no parameters set");
1880
testSelector(emptySelector, certs, 0xFFFFFFFF);
1882
testSubjectMatch(certs, subjectCert);
1884
testBasicConstraintsMatch(certs);
1886
testPolicyMatch(certs, policy1Cert, policy2Cert, anyPolicyCert);
1888
testCertificateMatch(certs, subjectCert);
1890
testCertificateValidMatch(certs);
1892
subTest("Combination: pass only EE certs that assert some policy");
1893
PKIX_TEST_EXPECT_NO_ERROR
1894
(PKIX_ComCertSelParams_Create(&selParams, plContext));
1895
PKIX_TEST_EXPECT_NO_ERROR
1896
(PKIX_ComCertSelParams_SetBasicConstraints
1897
(selParams, -2, plContext));
1898
PKIX_TEST_EXPECT_NO_ERROR
1899
(PKIX_CertSelector_SetCommonCertSelectorParams
1900
(emptySelector, selParams, plContext));
1901
testSelector(emptySelector, certs, 0xC00);
1903
testNameConstraintsMatch(nameConstraintsCerts);
1905
testPathToNamesMatch(nameConstraintsCerts);
1907
testSubjAltNamesMatch(subjAltNamesCerts);
1909
testExtendedKeyUsageMatch(certDir);
1911
testKeyUsageMatch(certDir);
1913
testIssuerMatch(certDir);
1915
testSerialNumberVersionMatch(certDir);
1917
testCertValidMatch(certDir);
1919
testSubjKeyIdMatch(nameConstraintsCerts);
1921
testAuthKeyIdMatch(nameConstraintsCerts);
1923
testSubjPKAlgIdMatch(nameConstraintsCerts);
1925
testSubjPublicKeyMatch(nameConstraintsCerts);
1927
test_CertSelector_Duplicate(emptySelector);
1929
test_customCallback1(certs);
1931
test_customCallback2(certs, anyPolicyCert);
1933
subTest("test_CertSelector_Destroy");
1935
PKIX_TEST_DECREF_BC(emptySelector);
1941
PKIX_TEST_DECREF_AC(emptySelector);
1942
PKIX_TEST_DECREF_AC(certs);
1943
PKIX_TEST_DECREF_AC(cert);
1944
PKIX_TEST_DECREF_AC(policy1Cert);
1945
PKIX_TEST_DECREF_AC(policy2Cert);
1946
PKIX_TEST_DECREF_AC(anyPolicyCert);
1947
PKIX_TEST_DECREF_AC(subjectCert);
1948
PKIX_TEST_DECREF_AC(selParams);
1949
PKIX_TEST_DECREF_AC(nameConstraintsCerts);
1950
PKIX_TEST_DECREF_AC(subjAltNamesCerts);
1952
PKIX_Shutdown(plContext);
1956
endTests("CertSelector");