From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- .../pkixocsp_CreateEncodedOCSPRequest_tests.cpp | 146 +++++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp (limited to 'security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp') diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp new file mode 100644 index 0000000000..ff154e7ec7 --- /dev/null +++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp @@ -0,0 +1,146 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This code is made available to you under your choice of the following sets + * of licensing terms: + */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ +/* Copyright 2013 Mozilla Contributors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "pkixgtest.h" + +#include "mozpkix/pkixder.h" + +using namespace mozilla::pkix; +using namespace mozilla::pkix::test; + +class CreateEncodedOCSPRequestTrustDomain final + : public EverythingFailsByDefaultTrustDomain +{ +private: + Result DigestBuf(Input item, DigestAlgorithm digestAlg, + /*out*/ uint8_t *digestBuf, size_t digestBufLen) + override + { + return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen); + } + + Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int) + override + { + return Success; + } +}; + +class pkixocsp_CreateEncodedOCSPRequest : public ::testing::Test +{ +protected: + void MakeIssuerCertIDComponents(const char* issuerASCII, + /*out*/ ByteString& issuerDER, + /*out*/ ByteString& issuerSPKI) + { + issuerDER = CNToDERName(issuerASCII); + ASSERT_FALSE(ENCODING_FAILED(issuerDER)); + + ScopedTestKeyPair keyPair(GenerateKeyPair()); + ASSERT_TRUE(keyPair.get()); + issuerSPKI = keyPair->subjectPublicKeyInfo; + } + + CreateEncodedOCSPRequestTrustDomain trustDomain; +}; + +// Test that the large length of the child serial number causes +// CreateEncodedOCSPRequest to fail. +TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest) +{ + static const uint8_t UNSUPPORTED_LEN = 128; // must be larger than 127 + + ByteString serialNumberString; + // tag + length + value is 1 + 2 + UNSUPPORTED_LEN + // Encoding the length takes two bytes: one byte to indicate that a + // second byte follows, and the second byte to indicate the length. + serialNumberString.push_back(0x80 + 1); + serialNumberString.push_back(UNSUPPORTED_LEN); + // value is 0x010000...00 + serialNumberString.push_back(0x01); + for (size_t i = 1; i < UNSUPPORTED_LEN; ++i) { + serialNumberString.push_back(0x00); + } + + ByteString issuerDER; + ByteString issuerSPKI; + ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER, + issuerSPKI)); + + Input issuer; + ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length())); + + Input spki; + ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length())); + + Input serialNumber; + ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(), + serialNumberString.length())); + + uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH]; + size_t ocspRequestLength; + ASSERT_EQ(Result::ERROR_BAD_DER, + CreateEncodedOCSPRequest(trustDomain, + CertID(issuer, spki, serialNumber), + ocspRequest, ocspRequestLength)); +} + +// Test that CreateEncodedOCSPRequest handles the longest serial number that +// it's required to support (i.e. 20 octets). +TEST_F(pkixocsp_CreateEncodedOCSPRequest, LongestSupportedSerialNumberTest) +{ + static const uint8_t LONGEST_REQUIRED_LEN = 20; + + ByteString serialNumberString; + // tag + length + value is 1 + 1 + LONGEST_REQUIRED_LEN + serialNumberString.push_back(der::INTEGER); + serialNumberString.push_back(LONGEST_REQUIRED_LEN); + serialNumberString.push_back(0x01); + // value is 0x010000...00 + for (size_t i = 1; i < LONGEST_REQUIRED_LEN; ++i) { + serialNumberString.push_back(0x00); + } + + ByteString issuerDER; + ByteString issuerSPKI; + ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER, + issuerSPKI)); + + Input issuer; + ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length())); + + Input spki; + ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length())); + + Input serialNumber; + ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(), + serialNumberString.length())); + + uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH]; + size_t ocspRequestLength; + ASSERT_EQ(Success, + CreateEncodedOCSPRequest(trustDomain, + CertID(issuer, spki, serialNumber), + ocspRequest, ocspRequestLength)); +} -- cgit v1.2.3