From 7f40204f43f12009774bff37b5248145eb033c4e Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Wed, 15 Oct 2014 16:03:25 +0200
Subject: Implement cert chain validation.
NOTE0: Presence of and constraints on names are not being validated.
NOTE1: Validation not invoked at submission yet.
---
 src/x509_test.erl | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 src/x509_test.erl
(limited to 'src/x509_test.erl')
diff --git a/src/x509_test.erl b/src/x509_test.erl
new file mode 100644
index 0000000..c06bc8b
--- /dev/null
+++ b/src/x509_test.erl
@@ -0,0 +1,53 @@
+-module(x509_test).
+
+-include_lib("eunit/include/eunit.hrl").
+
+%% remove_poison_test_() ->
+%% {foreach,
+%% fun() -> {ok, Pem} = file:read(File), Pem end,
+%% fun(_) -> ok end,
+%% fun(ChainPem) ->
+%% [CleanPem = x509:detox_precert(ChainPem),
+%% ?_assertEqual(CleanPem, )]
+%% }.
+
+-include("x509_test.hrl").
+valid_cert_test_() ->
+ C0 = ?C0,
+ C1 = ?C1,
+ [
+ %% Root not in chain but in trust store.
+ ?_assertMatch(true, x509:valid_chain_p([C1], [C0], 10)),
+ ?_assertMatch(true, x509:valid_chain_p([C1], [C0], 2)),
+ %% Chain too long.
+ ?_assertMatch(false, x509:valid_chain_p([C1], [C0], 1)),
+ %% Root in chain and in trust store.
+ ?_assertMatch(true, x509:valid_chain_p([C1], [C0, C1], 2)),
+ %% Chain too long.
+ ?_assertMatch(false, x509:valid_chain_p([C1], [C0, C1], 1)),
+ %% Root not in trust store.
+ ?_assertMatch(false, x509:valid_chain_p([], [C0, C1], 10)),
+ %% Invalid signer.
+ ?_assertMatch(false, x509:valid_chain_p([C0], [C0, C1], 10)),
+ ?_assertMatch(false, x509:valid_chain_p([C0], [C1], 10)),
+ %% Selfsigned. Actually OK.
+ ?_assertMatch(true, x509:valid_chain_p([C0], [C0], 10)),
+ ?_assertMatch(true, x509:valid_chain_p([C0], [C0], 1)),
+ %% Max chain length 0 is not OK.
+ ?_assertMatch(false, x509:valid_chain_p([C0], [C0], 0))
+%% ?_assertMatch(true, x509:valid_chain_p(certs_from_file(certfile(cabundle)),
+%% certs_from_file(certfile(0)))),
+%% ?_assertEqual(false, x509:valid_chain_p(certs_from_file(certfile(cabundle)),
+%% certs_from_file(certfile(1))))
+ ].
+
+certfile(cabundle) ->
+ "../certs/testcerts/acceptable_roots.pem";
+certfile(0) ->
+ "../certs/testcerts/cert1.txt";
+certfile(1) ->
+ "../certs/testcerts/cert2.txt".
+
+certs_from_file(Fname) ->
+ {ok, Pems} = file:read_file(Fname),
+ public_key:pem_decode(Pems).
-- cgit v1.1
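Review bot: `certfile/1` and `certs_from_file/1` are added with no live caller — their only uses are the commented-out assertions at the end of `valid_cert_test_/0` — so the module compiles with unused-function warnings (fatal under `warnings_as_errors`), and the commented-out `remove_poison_test_` block above references an unbound `File` and contains an incomplete `?_assertEqual(CleanPem, )`, so neither block can be uncommented as-is; either remove the dead code or wire the file-based case in. If it is wired in, note that `public_key:pem_decode/1` returns `{'Certificate', Der, not_encrypted}` entries, so the file-based test would presumably need to map those to whatever form `x509:valid_chain_p/3` accepts — the hunk does not show what that is. The test list also never says what `?C0`/`?C1` are or the argument order of `valid_chain_p/3`; from the cases it reads as `(TrustStore, Chain, MaxChainLength)`, but which macro is the issuing root is not obvious and should be stated. A header comment such as `%% C0/C1 come from x509_test.hrl; valid_chain_p(TrustedRoots, Chain, MaxLen) — see hrl for which cert issued which.` (filled in with the actual roles) would make the cases readable, and since the commit message already scopes out name constraints, recording beside it that validity period is likewise not exercised here would keep that gap visible.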