diff options
Diffstat (limited to 'security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c')
| -rw-r--r-- | security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c | 261 |
1 files changed, 261 insertions, 0 deletions
diff --git a/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c b/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c new file mode 100644 index 0000000000..3f9711e691 --- /dev/null +++ b/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c @@ -0,0 +1,261 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * test_subjaltnamechecker.c + * + * Test Subject Alternative Name Checking + * + */ + +/* + * There is no subjaltnamechecker. Instead, targetcertchecker is doing + * the job for checking subject alternative names' validity. For testing, + * in order to enter names with various type, we create this test excutable + * to parse different scenario. + */ + +#include "testutil.h" +#include "testutil_nss.h" + +#define PKIX_TEST_MAX_CERTS 10 + +static void *plContext = NULL; + +static void +printUsage1(char *pName) +{ + printf("\nUSAGE: %s test-name [ENE|EE] ", pName); + printf("cert [certs].\n"); +} + +static void +printUsage2(char *name) +{ + printf("\ninvalid test-name syntax - %s", name); + printf("\ntest-name syntax: [01][DNORU]:<name>+..."); + printf("\n [01] 1 - match all; 0 - match one"); + printf("\n name - type can be specified as"); + printf("\n [DNORU] D-Directory name"); + printf("\n N-DNS name"); + printf("\n O-OID name"); + printf("\n R-RFC822 name"); + printf("\n U-URI name"); + printf("\n + separator for more names\n\n"); +} + +static void +printUsageMax(PKIX_UInt32 numCerts) +{ + printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n", + numCerts, PKIX_TEST_MAX_CERTS); +} + +static PKIX_UInt32 +getNameType(char *name) +{ + PKIX_UInt32 nameType; + + PKIX_TEST_STD_VARS(); + + switch (*name) { + case 'D': + nameType = PKIX_DIRECTORY_NAME; + break; + case 'N': + nameType = PKIX_DNS_NAME; + break; + case 'O': + nameType = PKIX_OID_NAME; + break; + case 'R': + nameType = PKIX_RFC822_NAME; + break; + case 'U': + nameType = PKIX_URI_NAME; + break; + default: + printUsage2(name); + nameType = 0xFFFF; + } + + goto cleanup; + +cleanup: + PKIX_TEST_RETURN(); + return (nameType); +} + +int +test_subjaltnamechecker(int argc, char *argv[]) +{ + + PKIX_List *chain = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_CertSelector *selector = NULL; + PKIX_ComCertSelParams *selParams = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_PL_GeneralName *name = NULL; + PKIX_UInt32 actualMinorVersion; + char *certNames[PKIX_TEST_MAX_CERTS]; + PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + char *nameStr; + char *nameEnd; + char *names[PKIX_TEST_MAX_CERTS]; + PKIX_UInt32 numNames = 0; + PKIX_UInt32 nameType; + PKIX_Boolean matchAll = PKIX_TRUE; + PKIX_Boolean testValid = PKIX_TRUE; + char *dirName = NULL; + char *anchorName = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 5) { + printUsage1(argv[0]); + return (0); + } + + startTests("SubjAltNameConstraintChecker"); + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + j++; /* skip test-purpose string */ + + /* ENE = expect no error; EE = expect error */ + if (PORT_Strcmp(argv[2 + j], "ENE") == 0) { + testValid = PKIX_TRUE; + } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) { + testValid = PKIX_FALSE; + } else { + printUsage1(argv[0]); + return (0); + } + + /* taking out leading and trailing ", if any */ + nameStr = argv[1 + j]; + subTest(nameStr); + if (*nameStr == '"') { + nameStr++; + nameEnd = nameStr; + while (*nameEnd != '"' && *nameEnd != '\0') { + nameEnd++; + } + *nameEnd = '\0'; + } + + /* extract first [0|1] inidcating matchAll or not */ + matchAll = (*nameStr == '0') ? PKIX_FALSE : PKIX_TRUE; + nameStr++; + + numNames = 0; + while (*nameStr != '\0') { + names[numNames++] = nameStr; + while (*nameStr != '+' && *nameStr != '\0') { + nameStr++; + } + if (*nameStr == '+') { + *nameStr = '\0'; + nameStr++; + } + } + + chainLength = (argc - j) - 4; + if (chainLength > PKIX_TEST_MAX_CERTS) { + printUsageMax(chainLength); + } + + for (i = 0; i < chainLength; i++) { + certNames[i] = argv[(4 + j) + i]; + certs[i] = NULL; + } + + /* SubjAltName for validation */ + + subTest("Add Subject Alt Name for NameConstraint checking"); + + subTest("Create Selector and ComCertSelParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&selParams, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, selParams, plContext)); + + subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(selParams, matchAll, plContext)); + + subTest("PKIX_ComCertSelParams_AddSubjAltName(s)"); + for (i = 0; i < numNames; i++) { + nameType = getNameType(names[i]); + if (nameType == 0xFFFF) { + return (0); + } + nameStr = names[i] + 2; + name = createGeneralName(nameType, nameStr, plContext); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(selParams, name, plContext)); + PKIX_TEST_DECREF_BC(name); + } + + subTest("SubjAltName-Constraints - Create Cert Chain"); + + dirName = argv[3 + j]; + + chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext); + + subTest("SubjAltName-Constraints - Create Params"); + + valParams = createValidateParams(dirName, + argv[4 + + j], + NULL, + NULL, + NULL, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + PKIX_FALSE, + chain, + plContext); + + subTest("PKIX_ValidateParams_getProcessingParams"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext)); + + subTest("PKIX_ProcessingParams_SetTargetCertConstraints"); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, selector, plContext)); + + subTest("Subject Alt Name - Validate Chain"); + + if (testValid == PKIX_TRUE) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } else { + PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + } + +cleanup: + + PKIX_PL_Free(anchorName, plContext); + + PKIX_TEST_DECREF_AC(verifyString); + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(chain); + PKIX_TEST_DECREF_AC(valParams); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(selector); + PKIX_TEST_DECREF_AC(selParams); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(name); + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("SubjAltNameConstraintsChecker"); + + return (0); +} |