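/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * test_subjaltnamechecker.c
 *
 * Test Subject Alternative Name Checking
 *
 */

/*
 * There is no subjaltnamechecker. Instead, targetcertchecker is doing
 * the job for checking subject alternative names' validity. For testing,
 * in order to enter names of various types, we create this test executable
 * to parse different scenarios.
 */

#include "testutil.h"
#include "testutil_nss.h"

/* Upper bound on the certificate and name lists taken from the command line;
 * certNames[], certs[] and names[] below are all sized with it. */
#define PKIX_TEST_MAX_CERTS 10

/* Sentinel returned by getNameType() when the type letter is not recognised. */
#define PKIX_TEST_BAD_NAME_TYPE 0xFFFF

static void *plContext = NULL;

/* Print the command-line synopsis; pName is argv[0]. */
static void
printUsage1(char *pName)
{
    printf("\nUSAGE: %s test-name [ENE|EE] ", pName);
    printf("cert [certs].\n");
}

/* Print the grammar of the name specification after rejecting token `name`. */
static void
printUsage2(char *name)
{
    printf("\ninvalid test-name syntax - %s", name);
    printf("\ntest-name syntax: [01][DNORU]:+...");
    printf("\n [01] 1 - match all; 0 - match one");
    printf("\n name - type can be specified as");
    printf("\n [DNORU] D-Directory name");
    printf("\n N-DNS name");
    printf("\n O-OID name");
    printf("\n R-RFC822 name");
    printf("\n U-URI name");
    printf("\n + separator for more names\n\n");
}

/* Report that more than PKIX_TEST_MAX_CERTS certificates were supplied. */
static void
printUsageMax(PKIX_UInt32 numCerts)
{
    /* PKIX_UInt32 is unsigned, so %u is the matching conversion (was %d). */
    printf("\nUSAGE ERROR: number of certs %u exceed maximum %u\n",
           numCerts, (PKIX_UInt32)PKIX_TEST_MAX_CERTS);
}

/*
 * Map the leading letter of a name token to its PKIX general-name type.
 *
 * name: a token of the form "<type-letter>...". Only *name is inspected.
 * Returns the PKIX_*_NAME constant, or PKIX_TEST_BAD_NAME_TYPE after printing
 * the syntax help when the letter is not one of D, N, O, R, U.
 */
static PKIX_UInt32
getNameType(char *name)
{
    PKIX_UInt32 nameType = PKIX_TEST_BAD_NAME_TYPE;

    PKIX_TEST_STD_VARS();

    switch (*name) {
        case 'D':
            nameType = PKIX_DIRECTORY_NAME;
            break;
        case 'N':
            nameType = PKIX_DNS_NAME;
            break;
        case 'O':
            nameType = PKIX_OID_NAME;
            break;
        case 'R':
            nameType = PKIX_RFC822_NAME;
            break;
        case 'U':
            nameType = PKIX_URI_NAME;
            break;
        default:
            printUsage2(name);
            break;
    }

    /* No PKIX_TEST_* macro in this function jumps to cleanup; the explicit
     * goto keeps the label referenced, matching the file's other functions. */
    goto cleanup;

cleanup:
    PKIX_TEST_RETURN();
    return (nameType);
}

/*
 * Entry point of the test.
 *
 * argv layout (j skips the test-purpose string in argv[1]):
 *   argv[2]  name spec  "[01]<type>:<value>[+<type>:<value>...]", optionally
 *            wrapped in double quotes
 *   argv[3]  "ENE" (expect no error) or "EE" (expect error)
 *   argv[4]  directory holding the certificate files
 *   argv[5..] certificate file names; argv[5] is also passed as the anchor
 *
 * Builds a CertSelector carrying the requested subject-alt-name constraints,
 * installs it as the target-cert constraint of the processing params and
 * validates the chain, checking that the outcome matches ENE/EE.
 * Returns 0 in all cases; failures are reported through the PKIX_TEST_*
 * macros and endTests().
 */
int
test_subjaltnamechecker(int argc, char *argv[])
{
    PKIX_List *chain = NULL;
    PKIX_ValidateParams *valParams = NULL;
    PKIX_ValidateResult *valResult = NULL;
    PKIX_CertSelector *selector = NULL;
    PKIX_ComCertSelParams *selParams = NULL;
    PKIX_ProcessingParams *procParams = NULL;
    PKIX_PL_GeneralName *name = NULL;
    PKIX_UInt32 actualMinorVersion;
    char *certNames[PKIX_TEST_MAX_CERTS];
    PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
    PKIX_UInt32 chainLength = 0;
    PKIX_UInt32 i = 0;
    PKIX_UInt32 j = 0;
    char *nameStr;
    char *nameEnd;
    char *names[PKIX_TEST_MAX_CERTS];
    PKIX_UInt32 numNames = 0;
    PKIX_UInt32 nameType;
    PKIX_Boolean matchAll = PKIX_TRUE;
    PKIX_Boolean testValid = PKIX_TRUE;
    char *dirName = NULL;
    char *anchorName = NULL;
    PKIX_VerifyNode *verifyTree = NULL;
    PKIX_PL_String *verifyString = NULL;

    PKIX_TEST_STD_VARS();

    /*
     * argv[4 + j] == argv[5] is read below as the anchor name and as the
     * first chain cert, so at least six entries are required. With the old
     * "argc < 5" bound, argc == 5 passed the NULL argv terminator on.
     */
    if (argc < 6) {
        printUsage1(argv[0]);
        return (0);
    }

    startTests("SubjAltNameConstraintChecker");

    PKIX_TEST_EXPECT_NO_ERROR(
        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

    j++; /* skip test-purpose string */

    /* ENE = expect no error; EE = expect error */
    if (PORT_Strcmp(argv[2 + j], "ENE") == 0) {
        testValid = PKIX_TRUE;
    } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) {
        testValid = PKIX_FALSE;
    } else {
        printUsage1(argv[0]);
        /* plContext already exists: go through cleanup so PKIX_Shutdown runs,
         * as the PKIX_TEST_EXPECT_* macros do on their own error paths. */
        goto cleanup;
    }

    /* taking out leading and trailing ", if any */
    nameStr = argv[1 + j];
    subTest(nameStr);
    if (*nameStr == '"') {
        nameStr++;
        nameEnd = nameStr;
        while (*nameEnd != '"' && *nameEnd != '\0') {
            nameEnd++;
        }
        *nameEnd = '\0'; /* argv strings are writable; truncate in place */
    }

    /* extract first [0|1] indicating matchAll or not */
    if (*nameStr == '\0') {
        /* an empty spec would otherwise be advanced past its terminator */
        printUsage2(nameStr);
        goto cleanup;
    }
    matchAll = (*nameStr == '0') ? PKIX_FALSE : PKIX_TRUE;
    nameStr++;

    /* split the remainder on '+' into names[], terminating each piece in place */
    numNames = 0;
    while (*nameStr != '\0') {
        if (numNames >= PKIX_TEST_MAX_CERTS) {
            /* names[] has only PKIX_TEST_MAX_CERTS slots */
            printUsage2(nameStr);
            goto cleanup;
        }
        names[numNames++] = nameStr;
        while (*nameStr != '+' && *nameStr != '\0') {
            nameStr++;
        }
        if (*nameStr == '+') {
            *nameStr = '\0';
            nameStr++;
        }
    }

    chainLength = (argc - j) - 4;
    if (chainLength > PKIX_TEST_MAX_CERTS) {
        printUsageMax(chainLength);
        /* must stop here: the loop below would write past certNames[]/certs[] */
        goto cleanup;
    }
    for (i = 0; i < chainLength; i++) {
        certNames[i] = argv[(4 + j) + i];
        certs[i] = NULL;
    }

    /* SubjAltName for validation */
    subTest("Add Subject Alt Name for NameConstraint checking");

    subTest("Create Selector and ComCertSelParams");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&selParams, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, selParams, plContext));

    subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(selParams, matchAll, plContext));

    subTest("PKIX_ComCertSelParams_AddSubjAltName(s)");
    for (i = 0; i < numNames; i++) {
        nameType = getNameType(names[i]);
        if (nameType == PKIX_TEST_BAD_NAME_TYPE) {
            goto cleanup;
        }
        /* token is "<type><sep><value>": names[i][0] is a valid type letter
         * here, so names[i][1] is readable; require it before skipping two
         * characters so a bare type letter cannot run past the token. */
        if (names[i][1] == '\0') {
            printUsage2(names[i]);
            goto cleanup;
        }
        nameStr = names[i] + 2;
        name = createGeneralName(nameType, nameStr, plContext);
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(selParams, name, plContext));
        PKIX_TEST_DECREF_BC(name);
    }

    subTest("SubjAltName-Constraints - Create Cert Chain");

    dirName = argv[3 + j];
    chain = createCertChainPlus(dirName, certNames, certs, chainLength, plContext);

    subTest("SubjAltName-Constraints - Create Params");

    valParams = createValidateParams(dirName, argv[4 + j], NULL, NULL, NULL,
                                     PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE,
                                     chain, plContext);

    subTest("PKIX_ValidateParams_getProcessingParams");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext));

    subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, selector, plContext));

    subTest("Subject Alt Name - Validate Chain");

    if (testValid == PKIX_TRUE) {
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
    } else {
        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
    }

cleanup:
    /* anchorName is never assigned in this test; the free is a no-op kept
     * for symmetry with the sibling checker tests. */
    PKIX_PL_Free(anchorName, plContext);

    PKIX_TEST_DECREF_AC(verifyString);
    PKIX_TEST_DECREF_AC(verifyTree);
    PKIX_TEST_DECREF_AC(chain);
    PKIX_TEST_DECREF_AC(valParams);
    PKIX_TEST_DECREF_AC(valResult);
    PKIX_TEST_DECREF_AC(selector);
    PKIX_TEST_DECREF_AC(selParams);
    PKIX_TEST_DECREF_AC(procParams);
    PKIX_TEST_DECREF_AC(name);

    PKIX_Shutdown(plContext);

    PKIX_TEST_RETURN();

    endTests("SubjAltNameConstraintsChecker");

    return (0);
}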