diff options
Diffstat (limited to 'trust/tests')
| -rw-r--r-- | trust/tests/test-data.c | 18 | ||||
| -rw-r--r-- | trust/tests/test-data.h | 9 | ||||
| -rw-r--r-- | trust/tests/test-parser.c | 246 | ||||
| -rw-r--r-- | trust/tests/test-token.c | 2 |
4 files changed, 218 insertions, 57 deletions
diff --git a/trust/tests/test-data.c b/trust/tests/test-data.c index a3d5373..f159926 100644 --- a/trust/tests/test-data.c +++ b/trust/tests/test-data.c @@ -74,7 +74,7 @@ test_check_cacert3_ca_msg (CuTest *cu, const char *label) { CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ULONG category = 0; /* TODO: Implement */ + CK_ULONG category = 2; /* authority */ CK_ATTRIBUTE expected[] = { { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, @@ -94,6 +94,22 @@ test_check_cacert3_ca_msg (CuTest *cu, } void +test_check_id_msg (CuTest *cu, + const char *file, + int line, + CK_ATTRIBUTE *expected, + CK_ATTRIBUTE *attr) +{ + CK_ATTRIBUTE *one; + CK_ATTRIBUTE *two; + + one = p11_attrs_find (expected, CKA_ID); + two = p11_attrs_find (attr, CKA_ID); + + test_check_attr_msg (cu, file, line, one, two); +} + +void test_check_attrs_msg (CuTest *cu, const char *file, int line, diff --git a/trust/tests/test-data.h b/trust/tests/test-data.h index e4ff938..300e342 100644 --- a/trust/tests/test-data.h +++ b/trust/tests/test-data.h @@ -74,6 +74,15 @@ void test_check_attr_msg (CuTest *cu, CK_ATTRIBUTE *expected, CK_ATTRIBUTE *attr); +#define test_check_id(cu, expected, attrs) \ + test_check_id_msg (cu, __FILE__, __LINE__, expected, attrs) + +void test_check_id_msg (CuTest *cu, + const char *file, + int line, + CK_ATTRIBUTE *expected, + CK_ATTRIBUTE *attr); + static const unsigned char test_cacert3_ca_der[] = { 0x30, 0x82, 0x07, 0x59, 0x30, 0x82, 0x05, 0x41, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x0a, 0x41, 0x8a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c index 493dcb3..5bb690a 100644 --- a/trust/tests/test-parser.c +++ b/trust/tests/test-parser.c @@ -86,8 +86,9 @@ on_parse_object (CK_ATTRIBUTE *attrs, static void test_parse_der_certificate (CuTest *cu) { - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *attr; + CK_ATTRIBUTE *cert; + CK_ATTRIBUTE *object; + CK_BBOOL bval; int ret; setup (cu); @@ -99,11 +100,19 @@ test_parse_der_certificate (CuTest *cu) /* Should have gotten certificate and a trust object */ CuAssertIntEquals (cu, 2, test.objects->num); - attrs = test.objects->elem[0]; - test_check_cacert3_ca (cu, attrs, NULL); + cert = test.objects->elem[0]; + test_check_cacert3_ca (cu, cert, NULL); + + if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) + CuFail (cu, "missing CKA_TRUSTED"); + CuAssertIntEquals (cu, CK_FALSE, bval); + + if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) + CuFail (cu, "missing CKA_X_DISTRUSTED"); + CuAssertIntEquals (cu, CK_FALSE, bval); - attr = p11_attrs_find (attrs, CKA_TRUSTED); - CuAssertPtrEquals (cu, NULL, attr); + object = test.objects->elem[1]; + test_check_id (cu, cert, object); teardown (cu); } @@ -111,8 +120,9 @@ test_parse_der_certificate (CuTest *cu) static void test_parse_pem_certificate (CuTest *cu) { - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *attr; + CK_ATTRIBUTE *cert; + CK_ATTRIBUTE *object; + CK_BBOOL bval; int ret; setup (cu); @@ -124,11 +134,19 @@ test_parse_pem_certificate (CuTest *cu) /* Should have gotten certificate and a trust object */ CuAssertIntEquals (cu, 2, test.objects->num); - attrs = test.objects->elem[0]; - test_check_cacert3_ca (cu, attrs, NULL); + cert = test.objects->elem[0]; + test_check_cacert3_ca (cu, cert, NULL); + + if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) + CuFail (cu, "missing CKA_TRUSTED"); + CuAssertIntEquals (cu, CK_FALSE, bval); + + if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) + CuFail (cu, "missing CKA_X_DISTRUSTED"); + CuAssertIntEquals (cu, CK_FALSE, bval); - attr = p11_attrs_find (attrs, CKA_TRUSTED); - CuAssertPtrEquals (cu, NULL, attr); + object = test.objects->elem[1]; + test_check_id (cu, cert, object); teardown (cu); } @@ -136,7 +154,7 @@ test_parse_pem_certificate (CuTest *cu) static void test_parse_openssl_trusted (CuTest *cu) { - CK_TRUST trusted = CKT_NETSCAPE_TRUSTED; + CK_TRUST trusted = CKT_NETSCAPE_TRUSTED_DELEGATOR; CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED; CK_TRUST unknown = CKT_NETSCAPE_TRUST_UNKNOWN; CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; @@ -149,6 +167,8 @@ test_parse_openssl_trusted (CuTest *cu) { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, { CKA_X_CRITICAL, &vtrue, sizeof (vtrue) }, + { CKA_VALUE, "\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06" + "\x01\x05\x05\x07\x03\x02", 22 }, { CKA_INVALID }, }; @@ -157,6 +177,7 @@ test_parse_openssl_trusted (CuTest *cu) { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, { CKA_X_CRITICAL, &vfalse, sizeof (vfalse) }, + { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 12 }, { CKA_INVALID }, }; @@ -186,33 +207,149 @@ test_parse_openssl_trusted (CuTest *cu) { CKA_INVALID, } }; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *attr; + CK_ATTRIBUTE *cert; + CK_ATTRIBUTE *object; + CK_BBOOL bval; int ret; setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3-trusted.pem", - 0, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); /* Should have gotten certificate, two stapled extensions, and a trust object */ CuAssertIntEquals (cu, 4, test.objects->num); - attrs = test.objects->elem[0]; - test_check_cacert3_ca (cu, attrs, NULL); + cert = test.objects->elem[0]; + test_check_cacert3_ca (cu, cert, NULL); + + if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) + CuFail (cu, "missing CKA_TRUSTED"); + CuAssertIntEquals (cu, CK_TRUE, bval); + + if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) + CuFail (cu, "missing CKA_X_DISTRUSTED"); + CuAssertIntEquals (cu, CK_FALSE, bval); + + object = test.objects->elem[1]; + test_check_attrs (cu, eku_extension, object); + test_check_id (cu, cert, object); + + object = test.objects->elem[2]; + test_check_attrs (cu, reject_extension, object); + test_check_id (cu, cert, object); + + object = test.objects->elem[3]; + test_check_attrs (cu, nss_trust, object); + test_check_id (cu, cert, object); + + teardown (cu); +} + +static void +test_parse_openssl_distrusted (CuTest *cu) +{ + CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED; + CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; + CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS klass = CKO_CERTIFICATE; + CK_CERTIFICATE_TYPE x509 = CKC_X_509; + CK_ULONG category = 2; /* authority */ + CK_BBOOL vtrue = CK_TRUE; + CK_BBOOL vfalse = CK_FALSE; + + CK_ATTRIBUTE certificate[] = { + { CKA_CLASS, &klass, sizeof (klass), }, + { CKA_TOKEN, &vtrue, sizeof (vtrue) }, + { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, + { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, + { CKA_CLASS, &klass, sizeof (klass) }, + { CKA_LABEL, "Red Hat Is the CA", 17 }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, + { CKA_CHECK_VALUE, "\xe9z}", 3 }, + { CKA_START_DATE, "20090916", 8 }, + { CKA_END_DATE, "20190914", 8, }, + { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, + { CKA_TRUSTED, &vfalse, sizeof (vfalse) }, + { CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE eku_extension[] = { + { CKA_LABEL, "Red Hat Is the CA", 17 }, + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, + { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, + { CKA_X_CRITICAL, &vtrue, sizeof (vtrue) }, + { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE reject_extension[] = { + { CKA_LABEL, "Red Hat Is the CA", 17 }, + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, + { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, + { CKA_X_CRITICAL, &vfalse, sizeof (vfalse) }, + { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE nss_trust[] = { + { CKA_LABEL, "Red Hat Is the CA", 17 }, + { CKA_CLASS, &trust_object, sizeof (trust_object), }, + { CKA_CERT_SHA1_HASH, "\xe9z}\xe3\x82""7\xa0U\xb1k\xfe\xffo.\x03\x15*\xba\xb9\x90", 20 }, + { CKA_CERT_MD5_HASH, "\xda\xb4<\xe7;QK\x1a\xe5\xeau\xa1\xc9 \xdf""B", 16 }, + { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, + { CKA_TRUST_SERVER_AUTH, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_CLIENT_AUTH, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_EMAIL_PROTECTION, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_CODE_SIGNING, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_IPSEC_END_SYSTEM, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_IPSEC_TUNNEL, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_IPSEC_USER, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_TIME_STAMPING, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_DIGITAL_SIGNATURE, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_NON_REPUDIATION, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_KEY_ENCIPHERMENT, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_DATA_ENCIPHERMENT, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_KEY_AGREEMENT, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_KEY_CERT_SIGN, &distrusted, sizeof (distrusted) }, + { CKA_TRUST_CRL_SIGN, &distrusted, sizeof (distrusted) }, + { CKA_INVALID, } + }; - attr = p11_attrs_find (attrs, CKA_TRUSTED); - CuAssertPtrEquals (cu, NULL, attr); + CK_ATTRIBUTE *cert; + CK_ATTRIBUTE *object; + int ret; - attrs = test.objects->elem[1]; - test_check_attrs (cu, eku_extension, attrs); + setup (cu); - attrs = test.objects->elem[2]; - test_check_attrs (cu, reject_extension, attrs); + /* + * OpenSSL style is to litter the blacklist in with the anchors, + * so we parse this as an anchor, but expect it to be blacklisted + */ + ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem", + P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); + CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - attrs = test.objects->elem[3]; - test_check_attrs (cu, nss_trust, attrs); + /* Should have gotten certificate, one stapled extensions, and a trust object */ + CuAssertIntEquals (cu, 4, test.objects->num); + + cert = test.objects->elem[0]; + test_check_attrs (cu, certificate, cert); + + object = test.objects->elem[1]; + test_check_attrs (cu, eku_extension, object); + test_check_id (cu, cert, object); + + object = test.objects->elem[2]; + test_check_attrs (cu, reject_extension, object); + test_check_id (cu, cert, object); + + object = test.objects->elem[3]; + test_check_attrs (cu, nss_trust, object); + test_check_id (cu, cert, object); teardown (cu); } @@ -227,7 +364,7 @@ test_parse_with_key_usage (CuTest *cu) CK_BBOOL vtrue = CK_TRUE; CK_BBOOL vfalse = CK_FALSE; CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ULONG category = 0; /* TODO: Implement */ + CK_ULONG category = 3; /* other entity */ CK_ATTRIBUTE certificate[] = { { CKA_CLASS, &klass, sizeof (klass), }, @@ -244,6 +381,8 @@ test_parse_with_key_usage (CuTest *cu) { CKA_ISSUER, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, { CKA_SUBJECT, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, { CKA_SERIAL_NUMBER, "\x02\x02\x03x", 4 }, + { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, + { CKA_X_DISTRUSTED, &vfalse, sizeof (vfalse) }, { CKA_INVALID }, }; @@ -273,41 +412,34 @@ test_parse_with_key_usage (CuTest *cu) { CKA_INVALID, } }; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *attr; + CK_ATTRIBUTE *cert; + CK_ATTRIBUTE *object; + CK_BBOOL bval; int ret; setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/self-signed-with-ku.der", - 0, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - /* Should have gotten certificate, two stapled extensions, and a trust object */ + /* Should have gotten certificate, and a trust object */ CuAssertIntEquals (cu, 2, test.objects->num); - attrs = test.objects->elem[0]; - test_check_attrs (cu, certificate, attrs); + cert = test.objects->elem[0]; + test_check_attrs (cu, certificate, cert); - attr = p11_attrs_find (attrs, CKA_TRUSTED); - CuAssertPtrEquals (cu, NULL, attr); + if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) + CuFail (cu, "missing CKA_TRUSTED"); + CuAssertIntEquals (cu, CK_TRUE, bval); - attrs = test.objects->elem[1]; - test_check_attrs (cu, nss_trust, attrs); + if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) + CuFail (cu, "missing CKA_X_DISTRUSTED"); + CuAssertIntEquals (cu, CK_FALSE, bval); - teardown (cu); -} - -static void -test_parse_distrusted (CuTest *cu) -{ - int ret; - - setup (cu); - - ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem", - 0, on_parse_object, cu); - CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); + object = test.objects->elem[1]; + test_check_attrs (cu, nss_trust, object); + test_check_id (cu, cert, object); teardown (cu); } @@ -315,7 +447,8 @@ test_parse_distrusted (CuTest *cu) static void test_parse_anchor (CuTest *cu) { - CK_ATTRIBUTE *attrs; + CK_ATTRIBUTE *cert; + CK_ATTRIBUTE *object; CK_ATTRIBUTE *attr; CK_BBOOL vtrue = CK_TRUE; CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrue, sizeof (vtrue) }; @@ -330,12 +463,15 @@ test_parse_anchor (CuTest *cu) /* Should have gotten a certificate and a trust object */ CuAssertIntEquals (cu, 2, test.objects->num); - attrs = test.objects->elem[0]; - test_check_cacert3_ca (cu, attrs, NULL); + cert = test.objects->elem[0]; + test_check_cacert3_ca (cu, cert, NULL); - attr = p11_attrs_find (attrs, CKA_TRUSTED); + attr = p11_attrs_find (cert, CKA_TRUSTED); test_check_attr (cu, &trusted, attr); + object = test.objects->elem[1]; + test_check_id (cu, cert, object); + teardown (cu); } @@ -499,8 +635,8 @@ main (void) SUITE_ADD_TEST (suite, test_parse_der_certificate); SUITE_ADD_TEST (suite, test_parse_pem_certificate); SUITE_ADD_TEST (suite, test_parse_openssl_trusted); + SUITE_ADD_TEST (suite, test_parse_openssl_distrusted); SUITE_ADD_TEST (suite, test_parse_with_key_usage); - SUITE_ADD_TEST (suite, test_parse_distrusted); SUITE_ADD_TEST (suite, test_parse_anchor); SUITE_ADD_TEST (suite, test_parse_no_sink); SUITE_ADD_TEST (suite, test_parse_invalid_file); diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c index 8a5b34d..2ed1134 100644 --- a/trust/tests/test-token.c +++ b/trust/tests/test-token.c @@ -76,7 +76,7 @@ test_token_load (CuTest *cu) /* A certificate and trust object for each parsed object + builtin */ objects = p11_token_objects (test.token); - CuAssertIntEquals (cu, ((count - 1) * 2) + 1, p11_dict_size (objects)); + CuAssertTrue (cu, ((count - 1) * 2) + 1 <= p11_dict_size (objects)); teardown (cu); } |