diff options
Diffstat (limited to 'security/nss/gtests/pk11_gtest/pk11_find_certs_unittest.cc')
-rw-r--r-- | security/nss/gtests/pk11_gtest/pk11_find_certs_unittest.cc | 630 |
1 files changed, 630 insertions, 0 deletions
diff --git a/security/nss/gtests/pk11_gtest/pk11_find_certs_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_find_certs_unittest.cc new file mode 100644 index 0000000000..b5e1474b02 --- /dev/null +++ b/security/nss/gtests/pk11_gtest/pk11_find_certs_unittest.cc @@ -0,0 +1,630 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ +/* vim: set ts=4 et sw=4 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <string.h> + +#include "nss.h" +#include "pk11pub.h" +#include "prenv.h" +#include "prerror.h" +#include "secmod.h" + +#include "gtest/gtest.h" +#include "nss_scoped_ptrs.h" +#include "util.h" + +namespace nss_test { + +// These test certificates were generated using pycert/pykey from +// mozilla-central (https://hg.mozilla.org/mozilla-central/file/ ... +// 9968319230a74eb8c1953444a0e6973c7500a9f8/security/manager/ssl/ ... +// tests/unit/pycert.py). + +// issuer:test cert +// subject:test cert +// issuerKey:secp256r1 +// subjectKey:secp256r1 +// serialNumber:1 +const std::vector<uint8_t> kTestCert1DER = { + 0x30, 0x82, 0x01, 0x1D, 0x30, 0x81, 0xC2, 0xA0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, + 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, + 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, + 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5A, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, 0x63, 0x65, + 0x72, 0x74, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, + 0x07, 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, 0xBB, 0x61, 0xE0, 0xF8, + 0xF9, 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, 0xE2, 0xEC, 0x05, 0x0B, + 0x42, 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, 0x4F, 0x79, 0x4B, 0x45, + 0x5C, 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, 0xC4, 0x11, 0x9D, 0x07, + 0x06, 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, 0xD7, 0x99, 0x1B, 0x7B, + 0x2D, 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, 0xC0, 0x30, 0x0D, 0x06, + 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, + 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x5C, 0x75, 0x51, 0x9F, 0x13, + 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, 0xBC, 0x06, 0x30, 0x91, + 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, 0xFD, 0xCB, 0x42, 0x80, + 0x0A, 0x70, 0xE6, 0x02, 0x20, 0x11, 0xFA, 0xA2, 0xCA, 0x06, 0xF3, 0xBC, + 0x5F, 0x8A, 0xCA, 0x17, 0x63, 0x36, 0x87, 0xCF, 0x8D, 0x5C, 0xA0, 0x56, + 0x84, 0x44, 0x61, 0xB2, 0x33, 0x42, 0x07, 0x58, 0x9F, 0x0C, 0x9E, 0x49, + 0x83, +}; + +// issuer:test cert +// subject:test cert +// issuerKey:secp256r1 +// subjectKey:secp256r1 +// serialNumber:2 +const std::vector<uint8_t> kTestCert2DER = { + 0x30, 0x82, 0x01, 0x1E, 0x30, 0x81, 0xC2, 0xA0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x01, 0x02, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, + 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, + 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, + 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5A, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, 0x63, 0x65, + 0x72, 0x74, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, + 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, + 0x07, 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, 0xBB, 0x61, 0xE0, 0xF8, + 0xF9, 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, 0xE2, 0xEC, 0x05, 0x0B, + 0x42, 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, 0x4F, 0x79, 0x4B, 0x45, + 0x5C, 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, 0xC4, 0x11, 0x9D, 0x07, + 0x06, 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, 0xD7, 0x99, 0x1B, 0x7B, + 0x2D, 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, 0xC0, 0x30, 0x0D, 0x06, + 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, + 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x5C, 0x75, 0x51, 0x9F, 0x13, + 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, 0xBC, 0x06, 0x30, 0x91, + 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, 0xFD, 0xCB, 0x42, 0x80, + 0x0A, 0x70, 0xE6, 0x02, 0x21, 0x00, 0xF6, 0x5E, 0x42, 0xC7, 0x54, 0x40, + 0x81, 0xE9, 0x4C, 0x16, 0x48, 0xB1, 0x39, 0x0A, 0xA0, 0xE2, 0x8C, 0x23, + 0xAA, 0xC5, 0xBB, 0xAC, 0xEB, 0x9B, 0x15, 0x0B, 0x2F, 0xB7, 0xF5, 0x85, + 0xB2, 0x54, +}; + +const std::vector<uint8_t> kTestCertSubjectDER = { + 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, 0x63, 0x65, 0x72, 0x74, +}; + +// issuer:test cert +// subject:unrelated subject DN +// issuerKey:secp256r1 +// subjectKey:secp256r1 +// serialNumber:3 +const std::vector<uint8_t> kUnrelatedTestCertDER = { + 0x30, 0x82, 0x01, 0x28, 0x30, 0x81, 0xCD, 0xA0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x01, 0x03, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, + 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, + 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, + 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5A, 0x30, 0x1F, 0x31, 0x1D, 0x30, 0x1B, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0C, 0x14, 0x75, 0x6E, 0x72, 0x65, 0x6C, 0x61, 0x74, + 0x65, 0x64, 0x20, 0x73, 0x75, 0x62, 0x6A, 0x65, 0x63, 0x74, 0x20, 0x44, + 0x4E, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, + 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, + 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, 0xBB, 0x61, 0xE0, 0xF8, 0xF9, + 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, 0xE2, 0xEC, 0x05, 0x0B, 0x42, + 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, 0x4F, 0x79, 0x4B, 0x45, 0x5C, + 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, 0xC4, 0x11, 0x9D, 0x07, 0x06, + 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, 0xD7, 0x99, 0x1B, 0x7B, 0x2D, + 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, 0xC0, 0x30, 0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, + 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x5C, 0x75, 0x51, 0x9F, 0x13, 0x11, + 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, 0xBC, 0x06, 0x30, 0x91, 0xFF, + 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, 0xFD, 0xCB, 0x42, 0x80, 0x0A, + 0x70, 0xE6, 0x02, 0x20, 0x0F, 0x1A, 0x04, 0xC2, 0xF8, 0xBA, 0xC2, 0x94, + 0x26, 0x6E, 0xBC, 0x91, 0x7D, 0xDB, 0x75, 0x7B, 0xE8, 0xA3, 0x4F, 0x69, + 0x1B, 0xF3, 0x1F, 0x2C, 0xCE, 0x82, 0x67, 0xC9, 0x5B, 0xBB, 0xBA, 0x0A, +}; + +class PK11FindCertsTestBase : public ::testing::Test { + protected: + PK11FindCertsTestBase() + : m_slot(nullptr), test_cert_db_dir_("PK11FindCertsTestBase-") {} + + virtual void SetUp() { + std::string test_cert_db_path(test_cert_db_dir_.GetPath()); + const char* test_name = + ::testing::UnitTest::GetInstance()->current_test_info()->name(); + std::string mod_spec = "configDir='sql:"; + mod_spec.append(test_cert_db_path); + mod_spec.append("' tokenDescription='"); + mod_spec.append(test_name); + mod_spec.append("'"); + m_slot = SECMOD_OpenUserDB(mod_spec.c_str()); + ASSERT_NE(nullptr, m_slot); + } + + virtual void TearDown() { + ASSERT_EQ(SECSuccess, SECMOD_CloseUserDB(m_slot)); + PK11_FreeSlot(m_slot); + std::string test_cert_db_path(test_cert_db_dir_.GetPath()); + ASSERT_EQ(0, unlink((test_cert_db_path + "/cert9.db").c_str())); + ASSERT_EQ(0, unlink((test_cert_db_path + "/key4.db").c_str())); + } + + PK11SlotInfo* m_slot; + ScopedUniqueDirectory test_cert_db_dir_; +}; + +class PK11FindRawCertsBySubjectTest : public PK11FindCertsTestBase {}; + +TEST_F(PK11FindCertsTestBase, CertAddListWithData) { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + SECItem cert1_item = {siBuffer, const_cast<uint8_t*>(kTestCert1DER.data()), + (unsigned int)kTestCert1DER.size()}; + SECItem cert2_item = {siBuffer, const_cast<uint8_t*>(kTestCert2DER.data()), + (unsigned int)kTestCert2DER.size()}; + + // Make certificates. ScopedCERTCertList will own. + ScopedCERTCertList list(CERT_NewCertList()); + ASSERT_TRUE(list); + CERTCertificate* cert1 = CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &cert1_item, nullptr, false, false); + CERTCertificate* cert2 = CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &cert2_item, nullptr, false, false); + ASSERT_NE(nullptr, cert1); + ASSERT_NE(nullptr, cert2); + ASSERT_NE(cert1, cert2); + + SECStatus rv = CERT_AddCertToListHeadWithData(list.get(), cert1, cert1); + EXPECT_EQ(SECSuccess, rv); + rv = CERT_AddCertToListTailWithData(list.get(), cert2, cert2); + EXPECT_EQ(SECSuccess, rv); + + CERTCertListNode* node = CERT_LIST_HEAD(list.get()); + ASSERT_NE(nullptr, node); + EXPECT_EQ(node->cert, cert1); + EXPECT_EQ(node->appData, cert1); + + node = CERT_LIST_TAIL(list.get()); + ASSERT_NE(nullptr, node); + EXPECT_EQ(node->cert, cert2); + EXPECT_EQ(node->appData, cert2); +} + +// If we don't have any certificates, we shouldn't get any when we search for +// them. +TEST_F(PK11FindRawCertsBySubjectTest, TestNoCertsImportedNoCertsFound) { + SECItem subject_item = { + siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), + (unsigned int)kTestCertSubjectDER.size()}; + CERTCertificateList* certificates = nullptr; + SECStatus rv = + PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(nullptr, certificates); +} + +// If we have one certificate but it has an unrelated subject DN, we shouldn't +// get it when we search. +TEST_F(PK11FindRawCertsBySubjectTest, TestOneCertImportedNoCertsFound) { + char cert_nickname[] = "Unrelated Cert"; + SECItem cert_item = {siBuffer, + const_cast<unsigned char*>(kUnrelatedTestCertDER.data()), + (unsigned int)kUnrelatedTestCertDER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, + cert_nickname, false)); + + SECItem subject_item = { + siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), + (unsigned int)kTestCertSubjectDER.size()}; + CERTCertificateList* certificates = nullptr; + SECStatus rv = + PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(nullptr, certificates); +} + +TEST_F(PK11FindRawCertsBySubjectTest, TestMultipleMatchingCertsFound) { + char cert1_nickname[] = "Test Cert 1"; + SECItem cert1_item = {siBuffer, + const_cast<unsigned char*>(kTestCert1DER.data()), + (unsigned int)kTestCert1DER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, + cert1_nickname, false)); + char cert2_nickname[] = "Test Cert 2"; + SECItem cert2_item = {siBuffer, + const_cast<unsigned char*>(kTestCert2DER.data()), + (unsigned int)kTestCert2DER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert2_item, CK_INVALID_HANDLE, + cert2_nickname, false)); + char unrelated_cert_nickname[] = "Unrelated Test Cert"; + SECItem unrelated_cert_item = { + siBuffer, const_cast<unsigned char*>(kUnrelatedTestCertDER.data()), + (unsigned int)kUnrelatedTestCertDER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &unrelated_cert_item, CK_INVALID_HANDLE, + unrelated_cert_nickname, false)); + + CERTCertificateList* certificates = nullptr; + SECItem subject_item = { + siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), + (unsigned int)kTestCertSubjectDER.size()}; + SECStatus rv = + PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); + EXPECT_EQ(SECSuccess, rv); + ASSERT_NE(nullptr, certificates); + ScopedCERTCertificateList scoped_certificates(certificates); + ASSERT_EQ(2, scoped_certificates->len); + + std::vector<uint8_t> found_cert1( + scoped_certificates->certs[0].data, + scoped_certificates->certs[0].data + scoped_certificates->certs[0].len); + std::vector<uint8_t> found_cert2( + scoped_certificates->certs[1].data, + scoped_certificates->certs[1].data + scoped_certificates->certs[1].len); + EXPECT_TRUE(found_cert1 == kTestCert1DER || found_cert1 == kTestCert2DER); + EXPECT_TRUE(found_cert2 == kTestCert1DER || found_cert2 == kTestCert2DER); + EXPECT_TRUE(found_cert1 != found_cert2); +} + +// If we try to search the internal slots, we won't find the certificate we just +// imported (because it's on a different slot). +TEST_F(PK11FindRawCertsBySubjectTest, TestNoCertsOnInternalSlots) { + char cert1_nickname[] = "Test Cert 1"; + SECItem cert1_item = {siBuffer, + const_cast<unsigned char*>(kTestCert1DER.data()), + (unsigned int)kTestCert1DER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, + cert1_nickname, false)); + + SECItem subject_item = { + siBuffer, const_cast<unsigned char*>(kTestCertSubjectDER.data()), + (unsigned int)kTestCertSubjectDER.size()}; + CERTCertificateList* internal_key_slot_certificates = nullptr; + ScopedPK11SlotInfo internal_key_slot(PK11_GetInternalKeySlot()); + SECStatus rv = PK11_FindRawCertsWithSubject( + internal_key_slot.get(), &subject_item, &internal_key_slot_certificates); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(nullptr, internal_key_slot_certificates); + + CERTCertificateList* internal_slot_certificates = nullptr; + ScopedPK11SlotInfo internal_slot(PK11_GetInternalSlot()); + rv = PK11_FindRawCertsWithSubject(internal_slot.get(), &subject_item, + &internal_slot_certificates); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(nullptr, internal_slot_certificates); +} + +// issuer:test cert +// subject:(empty - this had to be done by hand as pycert doesn't support this) +// issuerKey:secp256r1 +// subjectKey:secp256r1 +// serialNumber:4 +const std::vector<uint8_t> kEmptySubjectCertDER = { + 0x30, 0x82, 0x01, 0x09, 0x30, 0x81, 0xAE, 0xA0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x01, 0x04, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, + 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x09, 0x74, 0x65, 0x73, 0x74, 0x20, + 0x63, 0x65, 0x72, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, + 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x18, + 0x0F, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5A, 0x30, 0x00, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, + 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4F, 0xBF, 0xBB, + 0xBB, 0x61, 0xE0, 0xF8, 0xF9, 0xB1, 0xA6, 0x0A, 0x59, 0xAC, 0x87, 0x04, + 0xE2, 0xEC, 0x05, 0x0B, 0x42, 0x3E, 0x3C, 0xF7, 0x2E, 0x92, 0x3F, 0x2C, + 0x4F, 0x79, 0x4B, 0x45, 0x5C, 0x2A, 0x69, 0xD2, 0x33, 0x45, 0x6C, 0x36, + 0xC4, 0x11, 0x9D, 0x07, 0x06, 0xE0, 0x0E, 0xED, 0xC8, 0xD1, 0x93, 0x90, + 0xD7, 0x99, 0x1B, 0x7B, 0x2D, 0x07, 0xA3, 0x04, 0xEA, 0xA0, 0x4A, 0xA6, + 0xC0, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, + 0x01, 0x0B, 0x05, 0x00, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x5C, + 0x75, 0x51, 0x9F, 0x13, 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20, 0xA3, + 0xBC, 0x06, 0x30, 0x91, 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64, 0xEC, + 0xFD, 0xCB, 0x42, 0x80, 0x0A, 0x70, 0xE6, 0x02, 0x20, 0x31, 0x1B, 0x92, + 0xAA, 0xA8, 0xB7, 0x51, 0x52, 0x7B, 0x64, 0xD6, 0xF7, 0x2F, 0x0C, 0xFB, + 0xBB, 0xD5, 0xDF, 0x86, 0xA3, 0x97, 0x96, 0x60, 0x42, 0xDA, 0xD4, 0xA8, + 0x5F, 0x2F, 0xA4, 0xDE, 0x7C}; + +std::vector<uint8_t> kEmptySubjectDER = {0x30, 0x00}; + +// This certificate has the smallest possible subject. Finding it should work. +TEST_F(PK11FindRawCertsBySubjectTest, TestFindEmptySubject) { + char empty_subject_cert_nickname[] = "Empty Subject Cert"; + SECItem empty_subject_cert_item = { + siBuffer, const_cast<unsigned char*>(kEmptySubjectCertDER.data()), + (unsigned int)kEmptySubjectCertDER.size()}; + ASSERT_EQ(SECSuccess, PK11_ImportDERCert(m_slot, &empty_subject_cert_item, + CK_INVALID_HANDLE, + empty_subject_cert_nickname, false)); + + SECItem subject_item = {siBuffer, + const_cast<unsigned char*>(kEmptySubjectDER.data()), + (unsigned int)kEmptySubjectDER.size()}; + CERTCertificateList* certificates = nullptr; + SECStatus rv = + PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); + EXPECT_EQ(SECSuccess, rv); + ASSERT_NE(nullptr, certificates); + ScopedCERTCertificateList scoped_certificates(certificates); + ASSERT_EQ(1, scoped_certificates->len); + + std::vector<uint8_t> found_cert( + scoped_certificates->certs[0].data, + scoped_certificates->certs[0].data + scoped_certificates->certs[0].len); + EXPECT_EQ(kEmptySubjectCertDER, found_cert); +} + +// Searching for a zero-length subject doesn't make sense (the minimum subject +// is the SEQUENCE tag followed by a length byte of 0), but it shouldn't cause +// problems. +TEST_F(PK11FindRawCertsBySubjectTest, TestSearchForNullSubject) { + char cert1_nickname[] = "Test Cert 1"; + SECItem cert1_item = {siBuffer, + const_cast<unsigned char*>(kTestCert1DER.data()), + (unsigned int)kTestCert1DER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, + cert1_nickname, false)); + + SECItem subject_item = {siBuffer, nullptr, 0}; + CERTCertificateList* certificates = nullptr; + SECStatus rv = + PK11_FindRawCertsWithSubject(m_slot, &subject_item, &certificates); + EXPECT_EQ(SECSuccess, rv); + EXPECT_EQ(nullptr, certificates); +} + +class PK11GetCertsMatchingPrivateKeyTest : public PK11FindCertsTestBase {}; + +// This is the private secp256r1 key corresponding to the above test +// certificates. +const std::vector<uint8_t> kTestPrivateKeyInfoDER = { + 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x21, 0x91, 0x40, 0x3d, 0x57, 0x10, 0xbf, 0x15, 0xa2, 0x65, 0x81, 0x8c, + 0xd4, 0x2e, 0xd6, 0xfe, 0xdf, 0x09, 0xad, 0xd9, 0x2d, 0x78, 0xb1, 0x8e, + 0x7a, 0x1e, 0x9f, 0xeb, 0x95, 0x52, 0x47, 0x02, 0xa1, 0x44, 0x03, 0x42, + 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, + 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, + 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, + 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, + 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, + 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, +}; + +// issuer:test cert (different key) +// subject:test cert (different key) +// issuerKey:secp256k1 +// subjectKey:secp256k1 +// serialNumber:1 +const std::vector<uint8_t> kTestCertWithOtherKeyDER = { + 0x30, 0x82, 0x01, 0x3a, 0x30, 0x81, 0xdf, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x24, 0x31, 0x22, 0x30, 0x20, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, 0x74, 0x65, 0x73, 0x74, 0x20, + 0x63, 0x65, 0x72, 0x74, 0x20, 0x28, 0x64, 0x69, 0x66, 0x66, 0x65, 0x72, + 0x65, 0x6e, 0x74, 0x20, 0x6b, 0x65, 0x79, 0x29, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x37, 0x31, 0x31, 0x32, 0x37, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x30, 0x30, 0x32, 0x30, + 0x35, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x24, 0x31, 0x22, + 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, 0x74, 0x65, 0x73, + 0x74, 0x20, 0x63, 0x65, 0x72, 0x74, 0x20, 0x28, 0x64, 0x69, 0x66, 0x66, + 0x65, 0x72, 0x65, 0x6e, 0x74, 0x20, 0x6b, 0x65, 0x79, 0x29, 0x30, 0x56, + 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, + 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a, 0x03, 0x42, 0x00, 0x04, 0x35, 0xee, + 0x7c, 0x72, 0x89, 0xd8, 0xfe, 0xf7, 0xa8, 0x6a, 0xfe, 0x5d, 0xa6, 0x6d, + 0x8b, 0xc2, 0xeb, 0xb6, 0xa8, 0x54, 0x3f, 0xd2, 0xfe, 0xad, 0x08, 0x9f, + 0x45, 0xce, 0x7a, 0xcd, 0x0f, 0xa6, 0x43, 0x82, 0xa9, 0x50, 0x0c, 0x41, + 0xda, 0xd7, 0x70, 0xff, 0xd4, 0xb5, 0x11, 0xbf, 0x4b, 0x49, 0x2e, 0xb1, + 0x23, 0x88, 0x00, 0xc3, 0x2c, 0x4f, 0x76, 0xc7, 0x3a, 0x3f, 0x32, 0x94, + 0xe7, 0xc5, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, + 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, 0xd1, 0x16, 0x4e, + 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77, 0x5c, 0x93, 0x60, + 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02, 0x20, 0x1e, 0xa0, + 0x7b, 0xee, 0x90, 0x9b, 0x5f, 0x2c, 0x49, 0xd6, 0x61, 0xda, 0x31, 0x14, + 0xb1, 0xa4, 0x0d, 0x2d, 0x90, 0x2b, 0x70, 0xd8, 0x6b, 0x07, 0x64, 0x27, + 0xa5, 0x2e, 0xfe, 0xca, 0x6e, 0xe6, +}; + +// If there are no certs at all, we'll get back a null list. +TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestNoCertsAtAll) { + SECItem private_key_info = { + siBuffer, + const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), + (unsigned int)kTestPrivateKeyInfoDER.size(), + }; + SECKEYPrivateKey* priv_key = nullptr; + ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( + m_slot, &private_key_info, nullptr, nullptr, false, + false, KU_ALL, &priv_key, nullptr)); + ASSERT_NE(nullptr, priv_key); + ScopedSECKEYPrivateKey scoped_priv_key(priv_key); + ScopedCERTCertList certs( + PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); + ASSERT_TRUE(CERT_LIST_EMPTY(certs)); +} + +// If there are no certs for the private key, we'll get back a null list. +TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestNoCertsForKey) { + SECItem private_key_info = { + siBuffer, + const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), + (unsigned int)kTestPrivateKeyInfoDER.size(), + }; + SECKEYPrivateKey* priv_key = nullptr; + ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( + m_slot, &private_key_info, nullptr, nullptr, false, + false, KU_ALL, &priv_key, nullptr)); + ASSERT_NE(nullptr, priv_key); + ScopedSECKEYPrivateKey scoped_priv_key(priv_key); + + char cert_nickname[] = "Test Cert With Other Key"; + SECItem cert_item = { + siBuffer, const_cast<unsigned char*>(kTestCertWithOtherKeyDER.data()), + (unsigned int)kTestCertWithOtherKeyDER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, + cert_nickname, false)); + + ScopedCERTCertList certs( + PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); + ASSERT_TRUE(CERT_LIST_EMPTY(certs)); +} + +void CheckCertListForSubjects( + ScopedCERTCertList& list, + const std::vector<const char*>& expected_subjects) { + ASSERT_NE(nullptr, list.get()); + ASSERT_NE(0ul, expected_subjects.size()); + for (const auto& expected_subject : expected_subjects) { + size_t list_length = 0; + bool found = false; + for (CERTCertListNode* n = CERT_LIST_HEAD(list); !CERT_LIST_END(n, list); + n = CERT_LIST_NEXT(n)) { + list_length++; + if (strcmp(n->cert->subjectName, expected_subject) == 0) { + ASSERT_FALSE(found); + found = true; + } + } + ASSERT_TRUE(found); + ASSERT_EQ(expected_subjects.size(), list_length); + } +} + +// We should only get back certs that actually match the private key. +TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestOneCertForKey) { + SECItem private_key_info = { + siBuffer, + const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), + (unsigned int)kTestPrivateKeyInfoDER.size(), + }; + SECKEYPrivateKey* priv_key = nullptr; + ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( + m_slot, &private_key_info, nullptr, nullptr, false, + false, KU_ALL, &priv_key, nullptr)); + ASSERT_NE(nullptr, priv_key); + ScopedSECKEYPrivateKey scoped_priv_key(priv_key); + + char cert1_nickname[] = "Test Cert 1"; + SECItem cert1_item = {siBuffer, + const_cast<unsigned char*>(kTestCert1DER.data()), + (unsigned int)kTestCert1DER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, + cert1_nickname, false)); + + char cert_nickname[] = "Test Cert With Other Key"; + SECItem cert_item = { + siBuffer, const_cast<unsigned char*>(kTestCertWithOtherKeyDER.data()), + (unsigned int)kTestCertWithOtherKeyDER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, + cert_nickname, false)); + + ScopedCERTCertList certs( + PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); + CheckCertListForSubjects(certs, {"CN=test cert"}); +} + +// We should be able to get back all certs that match the private key. +TEST_F(PK11GetCertsMatchingPrivateKeyTest, TestTwoCertsForKey) { + SECItem private_key_info = { + siBuffer, + const_cast<unsigned char*>(kTestPrivateKeyInfoDER.data()), + (unsigned int)kTestPrivateKeyInfoDER.size(), + }; + SECKEYPrivateKey* priv_key = nullptr; + ASSERT_EQ(SECSuccess, PK11_ImportDERPrivateKeyInfoAndReturnKey( + m_slot, &private_key_info, nullptr, nullptr, false, + false, KU_ALL, &priv_key, nullptr)); + ASSERT_NE(nullptr, priv_key); + ScopedSECKEYPrivateKey scoped_priv_key(priv_key); + + char cert1_nickname[] = "Test Cert 1"; + SECItem cert1_item = {siBuffer, + const_cast<unsigned char*>(kTestCert1DER.data()), + (unsigned int)kTestCert1DER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert1_item, CK_INVALID_HANDLE, + cert1_nickname, false)); + char cert2_nickname[] = "Test Cert 2 (same key, different subject)"; + SECItem cert2_item = { + siBuffer, const_cast<unsigned char*>(kUnrelatedTestCertDER.data()), + (unsigned int)kUnrelatedTestCertDER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert2_item, CK_INVALID_HANDLE, + cert2_nickname, false)); + + char cert_nickname[] = "Test Cert With Other Key"; + SECItem cert_item = { + siBuffer, const_cast<unsigned char*>(kTestCertWithOtherKeyDER.data()), + (unsigned int)kTestCertWithOtherKeyDER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, + cert_nickname, false)); + + ScopedCERTCertList certs( + PK11_GetCertsMatchingPrivateKey(scoped_priv_key.get())); + CheckCertListForSubjects(certs, {"CN=test cert", "CN=unrelated subject DN"}); +} + +class PK11FindEncodedCertInSlotTest : public PK11FindCertsTestBase {}; + +TEST_F(PK11FindEncodedCertInSlotTest, TestFindEncodedCert) { + char cert_nickname[] = "Test Cert"; + SECItem cert_item = {siBuffer, + const_cast<unsigned char*>(kTestCert1DER.data()), + (unsigned int)kTestCert1DER.size()}; + ASSERT_EQ(SECSuccess, + PK11_ImportDERCert(m_slot, &cert_item, CK_INVALID_HANDLE, + cert_nickname, false)); + + // This certificate was just imported, so finding it by its encoded value + // should succeed. + CK_OBJECT_HANDLE cert_handle_in_slot = + PK11_FindEncodedCertInSlot(m_slot, &cert_item, nullptr); + // CK_INVALID_HANDLE is #defined to be the literal 0, which the compiler + // interprets as a signed value, which then causes a warning-as-an-error + // about comparing values of different signs. + ASSERT_NE(static_cast<CK_ULONG>(CK_INVALID_HANDLE), cert_handle_in_slot); + + // The certificate should not exist on the internal slot, so this should + // return CK_INVALID_HANDLE. + ScopedPK11SlotInfo internal_slot(PK11_GetInternalSlot()); + ASSERT_NE(nullptr, internal_slot); + CK_OBJECT_HANDLE cert_handle_in_internal_slot = + PK11_FindEncodedCertInSlot(internal_slot.get(), &cert_item, nullptr); + ASSERT_EQ(static_cast<CK_ULONG>(CK_INVALID_HANDLE), + cert_handle_in_internal_slot); + + // The certificate should not exist on the internal key slot, so this should + // return CK_INVALID_HANDLE. + ScopedPK11SlotInfo internal_key_slot(PK11_GetInternalKeySlot()); + ASSERT_NE(nullptr, internal_key_slot); + CK_OBJECT_HANDLE cert_handle_in_internal_key_slot = + PK11_FindEncodedCertInSlot(internal_key_slot.get(), &cert_item, nullptr); + ASSERT_EQ(static_cast<CK_ULONG>(CK_INVALID_HANDLE), + cert_handle_in_internal_key_slot); + + // This certificate hasn't been imported to any token, so looking for it + // should return CK_INVALID_HANDLE. + SECItem unknown_cert_item = {siBuffer, + const_cast<unsigned char*>(kTestCert2DER.data()), + (unsigned int)kTestCert2DER.size()}; + CK_OBJECT_HANDLE unknown_cert_handle_in_slot = + PK11_FindEncodedCertInSlot(m_slot, &unknown_cert_item, nullptr); + ASSERT_EQ(static_cast<CK_ULONG>(CK_INVALID_HANDLE), + unknown_cert_handle_in_slot); +} + +} // namespace nss_test |