/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * test_cert.c * * Test Cert Type * */ #include "testutil.h" #include "testutil_nss.h" static PKIX_PL_Cert *altNameNoneCert = NULL; static PKIX_PL_Cert *altNameOtherCert = NULL; static PKIX_PL_Cert *altNameOtherCert_diff = NULL; static PKIX_PL_Cert *altNameRfc822Cert = NULL; static PKIX_PL_Cert *altNameRfc822Cert_diff = NULL; static PKIX_PL_Cert *altNameDnsCert = NULL; static PKIX_PL_Cert *altNameDnsCert_diff = NULL; static PKIX_PL_Cert *altNameX400Cert = NULL; static PKIX_PL_Cert *altNameX400Cert_diff = NULL; static PKIX_PL_Cert *altNameDnCert = NULL; static PKIX_PL_Cert *altNameDnCert_diff = NULL; static PKIX_PL_Cert *altNameEdiCert = NULL; static PKIX_PL_Cert *altNameEdiCert_diff = NULL; static PKIX_PL_Cert *altNameUriCert = NULL; static PKIX_PL_Cert *altNameUriCert_diff = NULL; static PKIX_PL_Cert *altNameIpCert = NULL; static PKIX_PL_Cert *altNameIpCert_diff = NULL; static PKIX_PL_Cert *altNameOidCert = NULL; static PKIX_PL_Cert *altNameOidCert_diff = NULL; static PKIX_PL_Cert *altNameMultipleCert = NULL; static void *plContext = NULL; static void createCerts( char *dataCentralDir, char *goodInput, char *diffInput, PKIX_PL_Cert **goodObject, PKIX_PL_Cert **equalObject, PKIX_PL_Cert **diffObject) { subTest("PKIX_PL_Cert_Create "); *goodObject = createCert(dataCentralDir, goodInput, plContext); subTest("PKIX_PL_Cert_Create "); *equalObject = createCert(dataCentralDir, goodInput, plContext); subTest("PKIX_PL_Cert_Create "); *diffObject = createCert(dataCentralDir, diffInput, plContext); } static void createCertsWithSubjectAltNames(char *dataCentralDir) { subTest("PKIX_PL_Cert_Create "); altNameDnsCert = createCert(dataCentralDir, "generalName/altNameDnsCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameDnsCert_diff = createCert(dataCentralDir, "generalName/altNameDnsCert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameRfc822Cert = createCert(dataCentralDir, "generalName/altNameRfc822Cert", plContext); subTest("PKIX_PL_Cert_Create "); altNameRfc822Cert_diff = createCert(dataCentralDir, "generalName/altNameRfc822Cert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameX400Cert = createCert(dataCentralDir, "generalName/altNameX400Cert", plContext); subTest("PKIX_PL_Cert_Create "); altNameX400Cert_diff = createCert(dataCentralDir, "generalName/altNameX400Cert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameDnCert = createCert(dataCentralDir, "generalName/altNameDnCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameDnCert_diff = createCert(dataCentralDir, "generalName/altNameDnCert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameEdiCert = createCert(dataCentralDir, "generalName/altNameEdiCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameEdiCert_diff = createCert(dataCentralDir, "generalName/altNameEdiCert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameUriCert = createCert(dataCentralDir, "generalName/altNameUriCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameUriCert_diff = createCert(dataCentralDir, "generalName/altNameUriCert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameIpCert = createCert(dataCentralDir, "generalName/altNameIpCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameIpCert_diff = createCert(dataCentralDir, "generalName/altNameIpCert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameOidCert = createCert(dataCentralDir, "generalName/altNameOidCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameOidCert_diff = createCert(dataCentralDir, "generalName/altNameOidCert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameOtherCert = createCert(dataCentralDir, "generalName/altNameOtherCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameOtherCert_diff = createCert(dataCentralDir, "generalName/altNameOtherCert_diff", plContext); subTest("PKIX_PL_Cert_Create "); altNameNoneCert = createCert(dataCentralDir, "generalName/altNameNoneCert", plContext); subTest("PKIX_PL_Cert_Create "); altNameMultipleCert = createCert(dataCentralDir, "generalName/altNameRfc822DnsCert", plContext); } static void testGetVersion( PKIX_PL_Cert *goodObject) { PKIX_UInt32 goodVersion; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetVersion"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetVersion(goodObject, &goodVersion, plContext)); if (goodVersion != 2) { testError("unexpected mismatch"); (void)printf("Actual value:\t%d\n", goodVersion); (void)printf("Expected value:\t2\n"); goto cleanup; } cleanup: PKIX_TEST_RETURN(); } static void testGetSerialNumber( PKIX_PL_Cert *goodObject, PKIX_PL_Cert *equalObject, PKIX_PL_Cert *diffObject) { PKIX_PL_BigInt *goodSN = NULL; PKIX_PL_BigInt *equalSN = NULL; PKIX_PL_BigInt *diffSN = NULL; char *expectedAscii = "37bc66ec"; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetSerialNumber"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber(goodObject, &goodSN, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber(equalObject, &equalSN, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber(diffObject, &diffSN, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodSN, equalSN, diffSN, expectedAscii, BigInt, PKIX_TRUE); cleanup: PKIX_TEST_DECREF_AC(goodSN); PKIX_TEST_DECREF_AC(equalSN); PKIX_TEST_DECREF_AC(diffSN); PKIX_TEST_RETURN(); } static void testGetSubject( PKIX_PL_Cert *goodObject, PKIX_PL_Cert *equalObject, PKIX_PL_Cert *diffObject) { PKIX_PL_X500Name *goodSubject = NULL; PKIX_PL_X500Name *equalSubject = NULL; PKIX_PL_X500Name *diffSubject = NULL; char *expectedAscii = "OU=bcn,OU=east,O=sun,C=us"; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetSubject"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(goodObject, &goodSubject, plContext)); if (!goodSubject) { testError("Certificate Subject should not be NULL"); goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(equalObject, &equalSubject, plContext)); if (!equalSubject) { testError("Certificate Subject should not be NULL"); goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(diffObject, &diffSubject, plContext)); if (!diffSubject) { testError("Certificate Subject should not be NULL"); goto cleanup; } PKIX_TEST_EQ_HASH_TOSTR_DUP(goodSubject, equalSubject, diffSubject, expectedAscii, X500Name, PKIX_TRUE); cleanup: PKIX_TEST_DECREF_AC(goodSubject); PKIX_TEST_DECREF_AC(equalSubject); PKIX_TEST_DECREF_AC(diffSubject); PKIX_TEST_RETURN(); } static void testGetIssuer( PKIX_PL_Cert *goodObject, PKIX_PL_Cert *equalObject, PKIX_PL_Cert *diffObject) { PKIX_PL_X500Name *goodIssuer = NULL; PKIX_PL_X500Name *equalIssuer = NULL; PKIX_PL_X500Name *diffIssuer = NULL; char *expectedAscii = "CN=yassir,OU=bcn,OU=east,O=sun,C=us"; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetIssuer"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer(goodObject, &goodIssuer, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer(equalObject, &equalIssuer, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer(diffObject, &diffIssuer, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodIssuer, equalIssuer, diffIssuer, expectedAscii, X500Name, PKIX_TRUE); cleanup: PKIX_TEST_DECREF_AC(goodIssuer); PKIX_TEST_DECREF_AC(equalIssuer); PKIX_TEST_DECREF_AC(diffIssuer); PKIX_TEST_RETURN(); } static void testAltNames( PKIX_PL_Cert *goodCert, PKIX_PL_Cert *diffCert, char *expectedAscii) { PKIX_List *goodAltNames = NULL; PKIX_List *diffAltNames = NULL; PKIX_PL_GeneralName *goodAltName = NULL; PKIX_PL_GeneralName *diffAltName = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(goodCert, &goodAltNames, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodAltNames, 0, (PKIX_PL_Object **)&goodAltName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(diffCert, &diffAltNames, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffAltNames, 0, (PKIX_PL_Object **)&diffAltName, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodAltName, goodAltName, diffAltName, expectedAscii, GeneralName, PKIX_TRUE); cleanup: PKIX_TEST_DECREF_AC(goodAltNames); PKIX_TEST_DECREF_AC(goodAltName); PKIX_TEST_DECREF_AC(diffAltNames); PKIX_TEST_DECREF_AC(diffAltName); PKIX_TEST_RETURN(); } static void testAltNamesNone(PKIX_PL_Cert *cert) { PKIX_List *altNames = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(cert, &altNames, plContext)); if (altNames != NULL) { testError("unexpected mismatch"); (void)printf("Actual value:\t%p\n", (void *)altNames); (void)printf("Expected value:\tNULL\n"); goto cleanup; } cleanup: PKIX_TEST_DECREF_AC(altNames); PKIX_TEST_RETURN(); } static void testAltNamesMultiple() { PKIX_List *altNames = NULL; PKIX_PL_GeneralName *firstAltName = NULL; PKIX_Int32 firstExpectedType = PKIX_RFC822_NAME; PKIX_PL_GeneralName *secondAltName = NULL; PKIX_Int32 secondExpectedType = PKIX_DNS_NAME; char *expectedAscii = "[\n" "\tVersion: v3\n" "\tSerialNumber: 2d\n" "\tIssuer: OU=labs,O=sun,C=us\n" "\tSubject: CN=yassir,OU=labs,O=sun,C=us\n" "\tValidity: [From: Mon Feb 09, 2004\n" /* "\tValidity: [From: Mon Feb 09 14:43:52 2004\n" */ "\t To: Mon Feb 09, 2004]\n" /* "\t To: Mon Feb 09 14:43:52 2004]\n" */ "\tSubjectAltNames: (yassir@sun.com, sunray.sun.com)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (EMPTY)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: (null)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "\tAuthorityInfoAccess: (null)\n" "\tSubjectInfoAccess: (null)\n" "\tCacheFlag: 0\n" "]\n"; PKIX_TEST_STD_VARS(); testToStringHelper((PKIX_PL_Object *)altNameMultipleCert, expectedAscii, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(altNameMultipleCert, &altNames, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(altNames, 0, (PKIX_PL_Object **)&firstAltName, plContext)); if (firstAltName->type != firstExpectedType) { testError("unexpected mismatch"); (void)printf("Actual value:\t%d\n", firstAltName->type); (void)printf("Expected value:\t%d\n", firstExpectedType); goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(altNames, 1, (PKIX_PL_Object **)&secondAltName, plContext)); if (secondAltName->type != secondExpectedType) { testError("unexpected mismatch"); (void)printf("Actual value:\t%d\n", secondAltName->type); (void)printf("Expected value:\t%d\n", secondExpectedType); goto cleanup; } cleanup: PKIX_TEST_DECREF_AC(altNames); PKIX_TEST_DECREF_AC(firstAltName); PKIX_TEST_DECREF_AC(secondAltName); PKIX_TEST_RETURN(); } static void testGetSubjectAltNames(char *dataCentralDir) { char *expectedAscii = NULL; createCertsWithSubjectAltNames(dataCentralDir); subTest("PKIX_PL_Cert_GetSubjectAltNames "); expectedAscii = "east.sun.com"; testAltNames(altNameDnsCert, altNameDnsCert_diff, expectedAscii); subTest("PKIX_PL_Cert_GetSubjectAltNames "); expectedAscii = "alice.barnes@bcn.east.sun.com"; testAltNames(altNameRfc822Cert, altNameRfc822Cert_diff, expectedAscii); /* *this should work once bugzilla bug #233586 is fixed. *subTest("PKIX_PL_Cert_GetSubjectAltNames "); *expectedAscii = "X400Address: "; *testAltNames(altNameX400Cert, altNameX400Cert_diff, expectedAscii); */ subTest("PKIX_PL_Cert_GetSubjectAltNames "); expectedAscii = "CN=elley,OU=labs,O=sun,C=us"; testAltNames(altNameDnCert, altNameDnCert_diff, expectedAscii); /* * this should work once bugzilla bug #233586 is fixed. * subTest("PKIX_PL_Cert_GetSubjectAltNames "); * expectedAscii = "EDIPartyName: "; * testAltNames(altNameEdiCert, altNameEdiCert_diff, expectedAscii); */ subTest("PKIX_PL_Cert_GetSubjectAltNames "); expectedAscii = "http://www.sun.com"; testAltNames(altNameUriCert, altNameUriCert_diff, expectedAscii); subTest("PKIX_PL_Cert_GetSubjectAltNames "); expectedAscii = "1.2.3.4"; testAltNames(altNameIpCert, altNameIpCert_diff, expectedAscii); subTest("PKIX_PL_Cert_GetSubjectAltNames "); expectedAscii = "1.2.39"; testAltNames(altNameOidCert, altNameOidCert_diff, expectedAscii); subTest("PKIX_PL_Cert_GetSubjectAltNames "); expectedAscii = "1.7.26.97"; testAltNames(altNameOtherCert, altNameOtherCert_diff, expectedAscii); subTest("PKIX_PL_Cert_GetSubjectAltNames "); testAltNamesNone(altNameNoneCert); subTest("PKIX_PL_Cert_GetSubjectAltNames "); testAltNamesMultiple(); } static void testGetSubjectPublicKey( PKIX_PL_Cert *goodObject, PKIX_PL_Cert *equalObject, PKIX_PL_Cert *diffObject) { PKIX_PL_PublicKey *goodPubKey = NULL; PKIX_PL_PublicKey *equalPubKey = NULL; PKIX_PL_PublicKey *diffPubKey = NULL; char *expectedAscii = "ANSI X9.57 DSA Signature"; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetSubjectPublicKey"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(goodObject, &goodPubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(equalObject, &equalPubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(diffObject, &diffPubKey, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodPubKey, equalPubKey, diffPubKey, expectedAscii, PublicKey, PKIX_TRUE); cleanup: PKIX_TEST_DECREF_AC(goodPubKey); PKIX_TEST_DECREF_AC(equalPubKey); PKIX_TEST_DECREF_AC(diffPubKey); PKIX_TEST_RETURN(); } static void testGetSubjectPublicKeyAlgId(PKIX_PL_Cert *goodObject) { PKIX_PL_OID *pkixPubKeyOID = NULL; char *expectedAscii = "1.2.840.10040.4.1"; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetSubjectPublicKeyAlgId"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId(goodObject, &pkixPubKeyOID, plContext)); testToStringHelper((PKIX_PL_Object *)pkixPubKeyOID, expectedAscii, plContext); cleanup: PKIX_TEST_DECREF_AC(pkixPubKeyOID); PKIX_TEST_RETURN(); } static void testCritExtensionsPresent(PKIX_PL_Cert *cert) { PKIX_List *critOIDList = NULL; char *firstOIDAscii = "2.5.29.15"; PKIX_PL_OID *firstOID = NULL; char *secondOIDAscii = "2.5.29.19"; PKIX_PL_OID *secondOID = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs(cert, &critOIDList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(critOIDList, 0, (PKIX_PL_Object **)&firstOID, plContext)); testToStringHelper((PKIX_PL_Object *)firstOID, firstOIDAscii, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(critOIDList, 1, (PKIX_PL_Object **)&secondOID, plContext)); testToStringHelper((PKIX_PL_Object *)secondOID, secondOIDAscii, plContext); cleanup: PKIX_TEST_DECREF_AC(critOIDList); PKIX_TEST_DECREF_AC(firstOID); PKIX_TEST_DECREF_AC(secondOID); PKIX_TEST_RETURN(); } static void testCritExtensionsAbsent(PKIX_PL_Cert *cert) { PKIX_List *oidList = NULL; PKIX_Boolean empty; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs(cert, &oidList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsEmpty(oidList, &empty, plContext)); if (!empty) { pkixTestErrorMsg = "unexpected mismatch"; } cleanup: PKIX_TEST_DECREF_AC(oidList); PKIX_TEST_RETURN(); } static void testAllExtensionsAbsent(char *dataCentralDir) { PKIX_List *oidList = NULL; PKIX_PL_Cert *cert = NULL; PKIX_Boolean empty; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_Create "); cert = createCert(dataCentralDir, "noExtensionsCert", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs(cert, &oidList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsEmpty(oidList, &empty, plContext)); if (!empty) { pkixTestErrorMsg = "unexpected mismatch"; } cleanup: PKIX_TEST_DECREF_AC(oidList); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_RETURN(); } static void testGetCriticalExtensionOIDs(char *dataCentralDir, PKIX_PL_Cert *goodObject) { subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs " ""); testCritExtensionsPresent(goodObject); subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs " ""); testCritExtensionsAbsent(altNameOidCert); subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs " ""); testAllExtensionsAbsent(dataCentralDir); } static void testKeyIdentifiersMatching(char *dataCentralDir) { PKIX_PL_Cert *subjKeyIDCert = NULL; PKIX_PL_Cert *authKeyIDCert = NULL; PKIX_PL_ByteArray *subjKeyID = NULL; PKIX_PL_ByteArray *authKeyID = NULL; PKIX_PL_ByteArray *subjKeyID_diff = NULL; char *expectedAscii = "[116, 021, 213, 036, 028, 189, 094, 101, 136, 031, 225," " 139, 009, 126, 127, 234, 025, 072, 078, 097]"; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_Create "); subjKeyIDCert = createCert(dataCentralDir, "keyIdentifier/subjKeyIDCert", plContext); subTest("PKIX_PL_Cert_Create "); authKeyIDCert = createCert(dataCentralDir, "keyIdentifier/authKeyIDCert", plContext); subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(subjKeyIDCert, &subjKeyID, plContext)); subTest("PKIX_PL_Cert_GetAuthorityKeyIdentifier "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier(authKeyIDCert, &authKeyID, plContext)); subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(authKeyIDCert, &subjKeyID_diff, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(subjKeyID, authKeyID, subjKeyID_diff, expectedAscii, ByteArray, PKIX_TRUE); cleanup: PKIX_TEST_DECREF_AC(subjKeyIDCert); PKIX_TEST_DECREF_AC(authKeyIDCert); PKIX_TEST_DECREF_AC(subjKeyID); PKIX_TEST_DECREF_AC(authKeyID); PKIX_TEST_DECREF_AC(subjKeyID_diff); PKIX_TEST_RETURN(); } static void testKeyIdentifierAbsent(PKIX_PL_Cert *cert) { PKIX_PL_ByteArray *subjKeyID = NULL; PKIX_PL_ByteArray *authKeyID = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(cert, &subjKeyID, plContext)); if (subjKeyID != NULL) { pkixTestErrorMsg = "unexpected mismatch"; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier(cert, &authKeyID, plContext)); if (authKeyID != NULL) { pkixTestErrorMsg = "unexpected mismatch"; } cleanup: PKIX_TEST_DECREF_AC(subjKeyID); PKIX_TEST_DECREF_AC(authKeyID); PKIX_TEST_RETURN(); } static void testGetKeyIdentifiers(char *dataCentralDir, PKIX_PL_Cert *goodObject) { testKeyIdentifiersMatching(dataCentralDir); testKeyIdentifierAbsent(goodObject); } static void testVerifyKeyUsage( char *dataCentralDir, char *dataDir, PKIX_PL_Cert *multiKeyUsagesCert) { PKIX_PL_Cert *encipherOnlyCert = NULL; PKIX_PL_Cert *decipherOnlyCert = NULL; PKIX_PL_Cert *noKeyUsagesCert = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_Create "); encipherOnlyCert = createCert(dataCentralDir, "keyUsage/encipherOnlyCert", plContext); subTest("PKIX_PL_Cert_Create "); decipherOnlyCert = createCert(dataCentralDir, "keyUsage/decipherOnlyCert", plContext); subTest("PKIX_PL_Cert_Create "); noKeyUsagesCert = createCert(dataCentralDir, "keyUsage/noKeyUsagesCert", plContext); subTest("PKIX_PL_Cert_VerifyKeyUsage "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(multiKeyUsagesCert, PKIX_KEY_CERT_SIGN, plContext)); subTest("PKIX_PL_Cert_VerifyKeyUsage "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(multiKeyUsagesCert, PKIX_KEY_CERT_SIGN | PKIX_DIGITAL_SIGNATURE, plContext)); subTest("PKIX_PL_Cert_VerifyKeyUsage "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(encipherOnlyCert, PKIX_ENCIPHER_ONLY, plContext)); subTest("PKIX_PL_Cert_VerifyKeyUsage "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(noKeyUsagesCert, PKIX_ENCIPHER_ONLY, plContext)); subTest("PKIX_PL_Cert_VerifyKeyUsage "); PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_VerifyKeyUsage(decipherOnlyCert, PKIX_DECIPHER_ONLY, plContext)); cleanup: PKIX_TEST_DECREF_AC(encipherOnlyCert); PKIX_TEST_DECREF_AC(decipherOnlyCert); PKIX_TEST_DECREF_AC(noKeyUsagesCert); PKIX_TEST_RETURN(); } static void testGetExtendedKeyUsage(char *dataCentralDir) { PKIX_PL_Cert *codeSigningEKUCert = NULL; PKIX_PL_Cert *multiEKUCert = NULL; PKIX_PL_Cert *noEKUCert = NULL; PKIX_List *firstExtKeyUsage = NULL; PKIX_List *secondExtKeyUsage = NULL; PKIX_List *thirdExtKeyUsage = NULL; PKIX_PL_OID *firstOID = NULL; char *oidAscii = "1.3.6.1.5.5.7.3.3"; PKIX_PL_OID *secondOID = NULL; char *secondOIDAscii = "1.3.6.1.5.5.7.3.1"; PKIX_PL_OID *thirdOID = NULL; char *thirdOIDAscii = "1.3.6.1.5.5.7.3.2"; PKIX_PL_OID *fourthOID = NULL; PKIX_UInt32 length = 0; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_Create "); codeSigningEKUCert = createCert(dataCentralDir, "extKeyUsage/codeSigningEKUCert", plContext); subTest("PKIX_PL_Cert_Create "); multiEKUCert = createCert(dataCentralDir, "extKeyUsage/multiEKUCert", plContext); subTest("PKIX_PL_Cert_Create "); noEKUCert = createCert(dataCentralDir, "extKeyUsage/noEKUCert", plContext); subTest("PKIX_PL_Cert_ExtendedKeyUsage "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage(codeSigningEKUCert, &firstExtKeyUsage, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(firstExtKeyUsage, 0, (PKIX_PL_Object **)&firstOID, plContext)); testToStringHelper((PKIX_PL_Object *)firstOID, oidAscii, plContext); subTest("PKIX_PL_Cert_ExtendedKeyUsage "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage(multiEKUCert, &secondExtKeyUsage, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(secondExtKeyUsage, &length, plContext)); if (length != 3) { testError("unexpected mismatch"); (void)printf("Actual value:\t%d\n", length); (void)printf("Expected value:\t3\n"); goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(secondExtKeyUsage, 0, (PKIX_PL_Object **)&secondOID, plContext)); testToStringHelper((PKIX_PL_Object *)secondOID, oidAscii, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(secondExtKeyUsage, 1, (PKIX_PL_Object **)&thirdOID, plContext)); testToStringHelper((PKIX_PL_Object *)thirdOID, secondOIDAscii, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(secondExtKeyUsage, 2, (PKIX_PL_Object **)&fourthOID, plContext)); testToStringHelper((PKIX_PL_Object *)fourthOID, thirdOIDAscii, plContext); subTest("PKIX_PL_Cert_ExtendedKeyUsage "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage(noEKUCert, &thirdExtKeyUsage, plContext)); if (thirdExtKeyUsage != NULL) { testError("unexpected mismatch"); (void)printf("Actual value:\t%p\n", (void *)thirdExtKeyUsage); (void)printf("Expected value:\tNULL\n"); goto cleanup; } cleanup: PKIX_TEST_DECREF_AC(firstOID); PKIX_TEST_DECREF_AC(secondOID); PKIX_TEST_DECREF_AC(thirdOID); PKIX_TEST_DECREF_AC(fourthOID); PKIX_TEST_DECREF_AC(firstExtKeyUsage); PKIX_TEST_DECREF_AC(secondExtKeyUsage); PKIX_TEST_DECREF_AC(thirdExtKeyUsage); PKIX_TEST_DECREF_AC(codeSigningEKUCert); PKIX_TEST_DECREF_AC(multiEKUCert); PKIX_TEST_DECREF_AC(noEKUCert); PKIX_TEST_RETURN(); } static void testMakeInheritedDSAPublicKey(char *dataCentralDir) { PKIX_PL_PublicKey *firstKey = NULL; PKIX_PL_PublicKey *secondKey = NULL; PKIX_PL_PublicKey *resultKeyPositive = NULL; PKIX_PL_PublicKey *resultKeyNegative = NULL; PKIX_PL_Cert *firstCert = NULL; PKIX_PL_Cert *secondCert = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_Create "); firstCert = createCert(dataCentralDir, "publicKey/dsaWithoutParams", plContext); subTest("PKIX_PL_Cert_Create "); secondCert = createCert(dataCentralDir, "publicKey/dsaWithParams", plContext); subTest("PKIX_PL_Cert_GetSubjectPublicKey "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(firstCert, &firstKey, plContext)); subTest("PKIX_PL_Cert_GetSubjectPublicKey "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(secondCert, &secondKey, plContext)); subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(firstKey, secondKey, &resultKeyPositive, plContext)); if (resultKeyPositive == NULL) { testError("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey failed"); } subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey "); PKIX_TEST_EXPECT_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(firstKey, firstKey, &resultKeyNegative, plContext)); cleanup: PKIX_TEST_DECREF_AC(firstCert); PKIX_TEST_DECREF_AC(secondCert); PKIX_TEST_DECREF_AC(firstKey); PKIX_TEST_DECREF_AC(secondKey); PKIX_TEST_DECREF_AC(resultKeyPositive); PKIX_TEST_DECREF_AC(resultKeyNegative); PKIX_TEST_RETURN(); } static void testVerifySignature(char *dataCentralDir) { PKIX_PL_Cert *firstCert = NULL; PKIX_PL_Cert *secondCert = NULL; PKIX_PL_PublicKey *firstPubKey = NULL; PKIX_PL_PublicKey *secondPubKey = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_Create "); firstCert = createCert(dataCentralDir, "publicKey/labs2yassir", plContext); subTest("PKIX_PL_Cert_Create "); secondCert = createCert(dataCentralDir, "publicKey/yassir2labs", plContext); subTest("PKIX_PL_Cert_GetSubjectPublicKey "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(firstCert, &firstPubKey, plContext)); subTest("PKIX_PL_Cert_GetSubjectPublicKey "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(secondCert, &secondPubKey, plContext)); subTest("PKIX_PL_Cert_VerifySignature "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifySignature(secondCert, firstPubKey, plContext)); subTest("PKIX_PL_Cert_VerifySignature "); PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_VerifySignature(secondCert, secondPubKey, plContext)); cleanup: PKIX_TEST_DECREF_AC(firstCert); PKIX_TEST_DECREF_AC(secondCert); PKIX_TEST_DECREF_AC(firstPubKey); PKIX_TEST_DECREF_AC(secondPubKey); PKIX_TEST_RETURN(); } static void testCheckValidity( PKIX_PL_Cert *olderCert, PKIX_PL_Cert *newerCert) { /* * olderCert has the following Validity: * notBefore = August 19, 1999: 20:19:56 GMT * notAfter = August 18, 2000: 20:19:56 GMT * * newerCert has the following Validity: * notBefore = November 13, 2003: 16:46:03 GMT * notAfter = February 13, 2009: 16:46:03 GMT */ /* olderDateAscii = March 29, 2000: 13:48:47 GMT */ char *olderAscii = "000329134847Z"; PKIX_PL_String *olderString = NULL; PKIX_PL_Date *olderDate = NULL; /* newerDateAscii = March 29, 2004: 13:48:47 GMT */ char *newerAscii = "040329134847Z"; PKIX_PL_String *newerString = NULL; PKIX_PL_Date *newerDate = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_CheckValidity "); /* create newer date when newer cert is valid but older cert is not */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, newerAscii, 0, &newerString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(newerString, &newerDate, plContext)); /* create older date when older cert is valid but newer cert is not */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, olderAscii, 0, &olderString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(olderString, &olderDate, plContext)); /* check validity of both certificates using olderDate */ subTest("PKIX_PL_Cert_CheckValidity "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckValidity(olderCert, olderDate, plContext)); subTest("PKIX_PL_Cert_CheckValidity "); PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckValidity(newerCert, olderDate, plContext)); /* check validity of both certificates using newerDate */ subTest("PKIX_PL_Cert_CheckValidity "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckValidity(newerCert, newerDate, plContext)); subTest("PKIX_PL_Cert_CheckValidity "); PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckValidity(olderCert, newerDate, plContext)); /* * check validity of both certificates using current time * NOTE: these "now" tests will not work when the current * time is after newerCert.notAfter (~ February 13, 2009) */ subTest("PKIX_PL_Cert_CheckValidity "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckValidity(newerCert, NULL, plContext)); subTest("PKIX_PL_Cert_CheckValidity "); PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckValidity(olderCert, NULL, plContext)); cleanup: PKIX_TEST_DECREF_AC(olderString); PKIX_TEST_DECREF_AC(newerString); PKIX_TEST_DECREF_AC(olderDate); PKIX_TEST_DECREF_AC(newerDate); PKIX_TEST_RETURN(); } static void readCertBasicConstraints( char *dataDir, char *goodCertName, char *diffCertName, PKIX_PL_CertBasicConstraints **goodBasicConstraints, PKIX_PL_CertBasicConstraints **equalBasicConstraints, PKIX_PL_CertBasicConstraints **diffBasicConstraints) { PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_TEST_STD_VARS(); createCerts(dataDir, goodCertName, diffCertName, &goodCert, &equalCert, &diffCert); /* * Warning: pointer will be NULL if BasicConstraints * extension is not present in the certificate. */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(goodCert, goodBasicConstraints, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(equalCert, equalBasicConstraints, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(diffCert, diffBasicConstraints, plContext)); cleanup: PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(equalCert); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_RETURN(); } static void testBasicConstraintsHelper( char *dataDir, char *goodCertName, char *diffCertName, char *expectedAscii) { PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL; PKIX_TEST_STD_VARS(); readCertBasicConstraints(dataDir, goodCertName, diffCertName, &goodBasicConstraints, &equalBasicConstraints, &diffBasicConstraints); /* * The standard test macro is applicable only * if BasicConstraint extension is present * in the certificate. Otherwise some * pointers will be null. */ if ((goodBasicConstraints) && (equalBasicConstraints) && (diffBasicConstraints)) { PKIX_TEST_EQ_HASH_TOSTR_DUP(goodBasicConstraints, equalBasicConstraints, diffBasicConstraints, expectedAscii, BasicConstraints, PKIX_TRUE); } else { /* Test what we can */ if (goodBasicConstraints) { if (!equalBasicConstraints) { testError("Unexpected NULL value of equalBasicConstraints"); goto cleanup; } subTest("PKIX_PL_BasicConstraints_Equals "); testEqualsHelper((PKIX_PL_Object *)(goodBasicConstraints), (PKIX_PL_Object *)(equalBasicConstraints), PKIX_TRUE, plContext); subTest("PKIX_PL_BasicConstraints_Hashcode "); testHashcodeHelper((PKIX_PL_Object *)(goodBasicConstraints), (PKIX_PL_Object *)(equalBasicConstraints), PKIX_TRUE, plContext); if (diffBasicConstraints) { subTest("PKIX_PL_BasicConstraints_Equals "); testEqualsHelper((PKIX_PL_Object *)(goodBasicConstraints), (PKIX_PL_Object *)(diffBasicConstraints), PKIX_FALSE, plContext); subTest("PKIX_PL_BasicConstraints_Hashcode "); testHashcodeHelper((PKIX_PL_Object *)(goodBasicConstraints), (PKIX_PL_Object *)(diffBasicConstraints), PKIX_FALSE, plContext); } subTest("PKIX_PL_BasicConstraints_Duplicate"); testDuplicateHelper((PKIX_PL_Object *)goodBasicConstraints, plContext); } if (expectedAscii) { subTest("PKIX_PL_BasicConstraints_ToString"); testToStringHelper((PKIX_PL_Object *)(goodBasicConstraints), expectedAscii, plContext); } } cleanup: PKIX_TEST_DECREF_AC(goodBasicConstraints); PKIX_TEST_DECREF_AC(equalBasicConstraints); PKIX_TEST_DECREF_AC(diffBasicConstraints); PKIX_TEST_RETURN(); } static void testBasicConstraints_GetCAFlag(char *dataCentralDir) { /* * XXX When we have a certificate with a non-null Basic * Constraints field and a value of FALSE for CAFlag, * this test should be modified to use that * certificate for diffCertName, and to verify that * GetCAFlag returns a FALSE value. But our certificates for * non-CAs are created with no BasicConstraints extension. */ PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL; char *goodCertName = "yassir2yassir"; char *diffCertName = "nss2alice"; PKIX_Boolean goodCAFlag = PKIX_FALSE; PKIX_Boolean diffCAFlag = PKIX_FALSE; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_BasicConstraints_GetCAFlag"); readCertBasicConstraints(dataCentralDir, goodCertName, diffCertName, &goodBasicConstraints, &equalBasicConstraints, &diffBasicConstraints); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag(goodBasicConstraints, &goodCAFlag, plContext)); if (!goodCAFlag) { testError("BasicConstraint CAFlag unexpectedly FALSE"); goto cleanup; } if (diffBasicConstraints) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag(diffBasicConstraints, &diffCAFlag, plContext)); if (diffCAFlag) { testError("BasicConstraint CAFlag unexpectedly TRUE"); goto cleanup; } } cleanup: PKIX_TEST_DECREF_AC(goodBasicConstraints); PKIX_TEST_DECREF_AC(equalBasicConstraints); PKIX_TEST_DECREF_AC(diffBasicConstraints); PKIX_TEST_RETURN(); } static void testBasicConstraints_GetPathLenConstraint(char *dataCentralDir) { PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL; PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL; char *goodCertName = "yassir2yassir"; char *diffCertName = "sun2sun"; PKIX_Int32 goodPathLen = 0; PKIX_Int32 diffPathLen = 0; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_BasicConstraints_GetPathLenConstraint"); readCertBasicConstraints(dataCentralDir, goodCertName, diffCertName, &goodBasicConstraints, &equalBasicConstraints, &diffBasicConstraints); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(goodBasicConstraints, &goodPathLen, plContext)); if (0 != goodPathLen) { testError("unexpected basicConstraint pathLen"); (void)printf("Actual value:\t%d\n", goodPathLen); (void)printf("Expected value:\t0\n"); goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(diffBasicConstraints, &diffPathLen, plContext)); if (1 != diffPathLen) { testError("unexpected basicConstraint pathLen"); (void)printf("Actual value:\t%d\n", diffPathLen); (void)printf("Expected value:\t1\n"); goto cleanup; } cleanup: PKIX_TEST_DECREF_AC(goodBasicConstraints); PKIX_TEST_DECREF_AC(equalBasicConstraints); PKIX_TEST_DECREF_AC(diffBasicConstraints); PKIX_TEST_RETURN(); } static void testGetBasicConstraints(char *dataCentralDir) { char *goodCertName = NULL; char *diffCertName = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetBasicConstraints "); goodCertName = "yassir2yassir"; diffCertName = "nss2alice"; testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, "CA(0)"); subTest("PKIX_PL_Cert_GetBasicConstraints "); goodCertName = "nss2alice"; diffCertName = "sun2sun"; testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, NULL); subTest("PKIX_PL_Cert_GetBasicConstraints "); goodCertName = "yassir2bcn"; diffCertName = "sun2sun"; testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, "CA(0)"); subTest("PKIX_PL_Cert_GetBasicConstraints "); goodCertName = "anchor2dsa"; diffCertName = "sun2sun"; testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, "CA(-1)"); PKIX_TEST_RETURN(); } static void testGetPolicyInformation(char *dataDir) { char *goodCertName = "UserNoticeQualifierTest15EE.crt"; char *equalCertName = "UserNoticeQualifierTest15EE.crt"; char *diffCertName = "UserNoticeQualifierTest17EE.crt"; PKIX_Boolean isImmutable = PKIX_FALSE; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_List *goodPolicyInfo = NULL; PKIX_List *equalPolicyInfo = NULL; PKIX_List *diffPolicyInfo = NULL; PKIX_PL_CertPolicyInfo *goodPolicy = NULL; PKIX_PL_CertPolicyInfo *equalPolicy = NULL; PKIX_PL_CertPolicyInfo *diffPolicy = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetPolicyInformation"); /* * Get the cert, then the list of policyInfos. * Take the first policyInfo from the list. */ /* Get the PolicyInfo objects */ goodCert = createCert(dataDir, goodCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext)); equalCert = createCert(dataDir, equalCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo, 0, (PKIX_PL_Object **)&equalPolicy, plContext)); diffCert = createCert(dataDir, diffCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodPolicy, equalPolicy, diffPolicy, NULL, CertPolicyInfo, PKIX_FALSE); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable(goodPolicyInfo, &isImmutable, plContext)); if (isImmutable != PKIX_TRUE) { testError("PolicyInfo List is not immutable"); } cleanup: PKIX_TEST_DECREF_AC(goodPolicy); PKIX_TEST_DECREF_AC(equalPolicy); PKIX_TEST_DECREF_AC(diffPolicy); PKIX_TEST_DECREF_AC(goodPolicyInfo); PKIX_TEST_DECREF_AC(equalPolicyInfo); PKIX_TEST_DECREF_AC(diffPolicyInfo); PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(equalCert); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_RETURN(); } static void testCertPolicy_GetPolicyId(char *dataDir) { char *goodCertName = "UserNoticeQualifierTest15EE.crt"; char *equalCertName = "UserNoticeQualifierTest16EE.crt"; char *diffCertName = "UserNoticeQualifierTest17EE.crt"; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_List *goodPolicyInfo = NULL; PKIX_List *equalPolicyInfo = NULL; PKIX_List *diffPolicyInfo = NULL; PKIX_PL_CertPolicyInfo *goodPolicy = NULL; PKIX_PL_CertPolicyInfo *equalPolicy = NULL; PKIX_PL_CertPolicyInfo *diffPolicy = NULL; PKIX_PL_OID *goodID = NULL; PKIX_PL_OID *equalID = NULL; PKIX_PL_OID *diffID = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_CertPolicyInfo_GetPolicyId"); /* * Get the cert, then the list of policyInfos. * Take the first policyInfo from the list. * Finally, get the policyInfo's ID. */ /* Get the PolicyInfo objects */ goodCert = createCert(dataDir, goodCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(goodPolicy, &goodID, plContext)); equalCert = createCert(dataDir, equalCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo, 0, (PKIX_PL_Object **)&equalPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(equalPolicy, &equalID, plContext)); diffCert = createCert(dataDir, diffCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(diffPolicy, &diffID, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodID, equalID, diffID, NULL, OID, PKIX_FALSE); cleanup: PKIX_TEST_DECREF_AC(goodID); PKIX_TEST_DECREF_AC(equalID); PKIX_TEST_DECREF_AC(diffID); PKIX_TEST_DECREF_AC(goodPolicy); PKIX_TEST_DECREF_AC(equalPolicy); PKIX_TEST_DECREF_AC(diffPolicy); PKIX_TEST_DECREF_AC(goodPolicyInfo); PKIX_TEST_DECREF_AC(equalPolicyInfo); PKIX_TEST_DECREF_AC(diffPolicyInfo); PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(equalCert); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_RETURN(); } static void testCertPolicy_GetPolQualifiers(char *dataDir) { char *goodCertName = "UserNoticeQualifierTest15EE.crt"; char *equalCertName = "UserNoticeQualifierTest16EE.crt"; char *diffCertName = "UserNoticeQualifierTest18EE.crt"; PKIX_Boolean isImmutable = PKIX_FALSE; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_List *goodPolicyInfo = NULL; PKIX_List *equalPolicyInfo = NULL; PKIX_List *diffPolicyInfo = NULL; PKIX_PL_CertPolicyInfo *goodPolicy = NULL; PKIX_PL_CertPolicyInfo *equalPolicy = NULL; PKIX_PL_CertPolicyInfo *diffPolicy = NULL; PKIX_List *goodQuals = NULL; PKIX_List *equalQuals = NULL; PKIX_List *diffQuals = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_CertPolicyInfo_GetPolQualifiers"); /* * Get the cert, then the list of policyInfos. * Take the first policyInfo from the list. * Get its list of PolicyQualifiers. */ /* Get the PolicyInfo objects */ goodCert = createCert(dataDir, goodCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(goodPolicy, &goodQuals, plContext)); equalCert = createCert(dataDir, equalCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo, 0, (PKIX_PL_Object **)&equalPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(equalPolicy, &equalQuals, plContext)); diffCert = createCert(dataDir, diffCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(diffPolicy, &diffQuals, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodQuals, equalQuals, diffQuals, NULL, List, PKIX_FALSE); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable(goodQuals, &isImmutable, plContext)); if (isImmutable != PKIX_TRUE) { testError("PolicyQualifier List is not immutable"); } cleanup: PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(goodPolicyInfo); PKIX_TEST_DECREF_AC(goodPolicy); PKIX_TEST_DECREF_AC(goodQuals); PKIX_TEST_DECREF_AC(equalCert); PKIX_TEST_DECREF_AC(equalPolicyInfo); PKIX_TEST_DECREF_AC(equalQuals); PKIX_TEST_DECREF_AC(equalPolicy); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_DECREF_AC(diffPolicyInfo); PKIX_TEST_DECREF_AC(diffPolicy); PKIX_TEST_DECREF_AC(diffQuals); PKIX_TEST_RETURN(); } static void testPolicyQualifier_GetQualifier(char *dataDir) { char *goodCertName = "UserNoticeQualifierTest15EE.crt"; char *equalCertName = "UserNoticeQualifierTest16EE.crt"; char *diffCertName = "UserNoticeQualifierTest18EE.crt"; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_List *goodPolicyInfo = NULL; PKIX_List *equalPolicyInfo = NULL; PKIX_List *diffPolicyInfo = NULL; PKIX_PL_CertPolicyInfo *goodPolicy = NULL; PKIX_PL_CertPolicyInfo *equalPolicy = NULL; PKIX_PL_CertPolicyInfo *diffPolicy = NULL; PKIX_List *goodQuals = NULL; PKIX_List *equalQuals = NULL; PKIX_List *diffQuals = NULL; PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL; PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL; PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL; PKIX_PL_ByteArray *goodArray = NULL; PKIX_PL_ByteArray *equalArray = NULL; PKIX_PL_ByteArray *diffArray = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_PolicyQualifier_GetQualifier"); /* * Get the cert, then the list of policyInfos. * Take the first policyInfo from the list. * Get its list of PolicyQualifiers. * Take the first policyQualifier from the list. * Finally, get the policyQualifier's ByteArray. */ /* Get the PolicyInfo objects */ goodCert = createCert(dataDir, goodCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(goodPolicy, &goodQuals, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodQuals, 0, (PKIX_PL_Object **)&goodPolQualifier, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier(goodPolQualifier, &goodArray, plContext)); equalCert = createCert(dataDir, equalCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo, 0, (PKIX_PL_Object **)&equalPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(equalPolicy, &equalQuals, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalQuals, 0, (PKIX_PL_Object **)&equalPolQualifier, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier(equalPolQualifier, &equalArray, plContext)); diffCert = createCert(dataDir, diffCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(diffPolicy, &diffQuals, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffQuals, 0, (PKIX_PL_Object **)&diffPolQualifier, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier(diffPolQualifier, &diffArray, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodArray, equalArray, diffArray, NULL, ByteArray, PKIX_FALSE); cleanup: PKIX_TEST_DECREF_AC(goodArray); PKIX_TEST_DECREF_AC(equalArray); PKIX_TEST_DECREF_AC(diffArray); PKIX_TEST_DECREF_AC(goodPolQualifier); PKIX_TEST_DECREF_AC(equalPolQualifier); PKIX_TEST_DECREF_AC(diffPolQualifier); PKIX_TEST_DECREF_AC(goodQuals); PKIX_TEST_DECREF_AC(equalQuals); PKIX_TEST_DECREF_AC(diffQuals); PKIX_TEST_DECREF_AC(goodPolicy); PKIX_TEST_DECREF_AC(equalPolicy); PKIX_TEST_DECREF_AC(diffPolicy); PKIX_TEST_DECREF_AC(goodPolicyInfo); PKIX_TEST_DECREF_AC(equalPolicyInfo); PKIX_TEST_DECREF_AC(diffPolicyInfo); PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(equalCert); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_RETURN(); } static void testPolicyQualifier_GetPolicyQualifierId(char *dataDir) { char *goodCertName = "UserNoticeQualifierTest15EE.crt"; char *equalCertName = "UserNoticeQualifierTest16EE.crt"; char *diffCertName = "CPSPointerQualifierTest20EE.crt"; PKIX_PL_Cert *goodCert = NULL; PKIX_PL_Cert *equalCert = NULL; PKIX_PL_Cert *diffCert = NULL; PKIX_List *goodPolicyInfo = NULL; PKIX_List *equalPolicyInfo = NULL; PKIX_List *diffPolicyInfo = NULL; PKIX_PL_CertPolicyInfo *goodPolicy = NULL; PKIX_PL_CertPolicyInfo *equalPolicy = NULL; PKIX_PL_CertPolicyInfo *diffPolicy = NULL; PKIX_List *goodQuals = NULL; PKIX_List *equalQuals = NULL; PKIX_List *diffQuals = NULL; PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL; PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL; PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL; PKIX_PL_OID *goodID = NULL; PKIX_PL_OID *equalID = NULL; PKIX_PL_OID *diffID = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_PolicyQualifier_GetPolicyQualifierId"); /* * Get the cert, then the list of policyInfos. * Take the first policyInfo from the list. * Get its list of PolicyQualifiers. * Take the first policyQualifier from the list. * Finally, get the policyQualifier's ID. */ /* Get the PolicyQualifier objects */ goodCert = createCert(dataDir, goodCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(goodPolicy, &goodQuals, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodQuals, 0, (PKIX_PL_Object **)&goodPolQualifier, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId(goodPolQualifier, &goodID, plContext)); equalCert = createCert(dataDir, equalCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo, 0, (PKIX_PL_Object **)&equalPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(equalPolicy, &equalQuals, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalQuals, 0, (PKIX_PL_Object **)&equalPolQualifier, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId(equalPolQualifier, &equalID, plContext)); diffCert = createCert(dataDir, diffCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(diffPolicy, &diffQuals, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffQuals, 0, (PKIX_PL_Object **)&diffPolQualifier, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId(diffPolQualifier, &diffID, plContext)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodID, equalID, diffID, NULL, OID, PKIX_FALSE); cleanup: PKIX_TEST_DECREF_AC(goodID); PKIX_TEST_DECREF_AC(equalID); PKIX_TEST_DECREF_AC(diffID); PKIX_TEST_DECREF_AC(goodPolQualifier); PKIX_TEST_DECREF_AC(equalPolQualifier); PKIX_TEST_DECREF_AC(diffPolQualifier); PKIX_TEST_DECREF_AC(goodQuals); PKIX_TEST_DECREF_AC(equalQuals); PKIX_TEST_DECREF_AC(diffQuals); PKIX_TEST_DECREF_AC(goodPolicy); PKIX_TEST_DECREF_AC(equalPolicy); PKIX_TEST_DECREF_AC(diffPolicy); PKIX_TEST_DECREF_AC(goodPolicyInfo); PKIX_TEST_DECREF_AC(equalPolicyInfo); PKIX_TEST_DECREF_AC(diffPolicyInfo); PKIX_TEST_DECREF_AC(goodCert); PKIX_TEST_DECREF_AC(equalCert); PKIX_TEST_DECREF_AC(diffCert); PKIX_TEST_RETURN(); } static void testAreCertPoliciesCritical(char *dataCentralDir, char *dataDir) { char *trueCertName = "CertificatePoliciesCritical.crt"; char *falseCertName = "UserNoticeQualifierTest15EE.crt"; PKIX_PL_Cert *trueCert = NULL; PKIX_PL_Cert *falseCert = NULL; PKIX_Boolean trueVal = PKIX_FALSE; PKIX_Boolean falseVal = PKIX_FALSE; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_AreCertPoliciesCritical - "); trueCert = createCert(dataCentralDir, trueCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical(trueCert, &trueVal, plContext)); if (trueVal != PKIX_TRUE) { testError("unexpected mismatch"); (void)printf("Actual value:\t%d\n", trueVal); (void)printf("Expected value:\t1\n"); goto cleanup; } subTest("PKIX_PL_Cert_AreCertPoliciesCritical - "); falseCert = createCert(dataDir, falseCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical(falseCert, &falseVal, plContext)); if (falseVal != PKIX_FALSE) { testError("unexpected mismatch"); (void)printf("Actual value:\t%d\n", falseVal); (void)printf("Expected value:\t0\n"); goto cleanup; } cleanup: PKIX_TEST_DECREF_AC(trueCert); PKIX_TEST_DECREF_AC(falseCert); PKIX_TEST_RETURN(); } static void testCertPolicyConstraints(char *dataDir) { char *requireExplicitPolicy2CertName = "requireExplicitPolicy2CACert.crt"; char *inhibitPolicyMapping5CertName = "inhibitPolicyMapping5CACert.crt"; char *inhibitAnyPolicy5CertName = "inhibitAnyPolicy5CACert.crt"; char *inhibitAnyPolicy0CertName = "inhibitAnyPolicy0CACert.crt"; PKIX_PL_Cert *requireExplicitPolicy2Cert = NULL; PKIX_PL_Cert *inhibitPolicyMapping5Cert = NULL; PKIX_PL_Cert *inhibitAnyPolicy5Cert = NULL; PKIX_PL_Cert *inhibitAnyPolicy0Cert = NULL; PKIX_Int32 skipCerts = 0; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetRequireExplicitPolicy"); requireExplicitPolicy2Cert = createCert(dataDir, requireExplicitPolicy2CertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetRequireExplicitPolicy(requireExplicitPolicy2Cert, &skipCerts, NULL)); PR_ASSERT(skipCerts == 2); subTest("PKIX_PL_Cert_GetPolicyMappingInhibited"); inhibitPolicyMapping5Cert = createCert(dataDir, inhibitPolicyMapping5CertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappingInhibited(inhibitPolicyMapping5Cert, &skipCerts, NULL)); PR_ASSERT(skipCerts == 5); subTest("PKIX_PL_Cert_GetInhibitAnyPolicy"); inhibitAnyPolicy5Cert = createCert(dataDir, inhibitAnyPolicy5CertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy(inhibitAnyPolicy5Cert, &skipCerts, NULL)); PR_ASSERT(skipCerts == 5); inhibitAnyPolicy0Cert = createCert(dataDir, inhibitAnyPolicy0CertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy(inhibitAnyPolicy0Cert, &skipCerts, NULL)); PR_ASSERT(skipCerts == 0); cleanup: PKIX_TEST_DECREF_AC(requireExplicitPolicy2Cert); PKIX_TEST_DECREF_AC(inhibitPolicyMapping5Cert); PKIX_TEST_DECREF_AC(inhibitAnyPolicy5Cert); PKIX_TEST_DECREF_AC(inhibitAnyPolicy0Cert); PKIX_TEST_RETURN(); } static void testCertPolicyMaps(char *dataDir) { char *policyMappingsCertName = "P1Mapping1to234CACert.crt"; char *expectedAscii = "2.16.840.1.101.3.2.1.48.1=>2.16.840.1.101.3.2.1.48.2"; PKIX_PL_Cert *policyMappingsCert = NULL; PKIX_List *mappings = NULL; PKIX_PL_CertPolicyMap *goodMap = NULL; PKIX_PL_CertPolicyMap *equalMap = NULL; PKIX_PL_CertPolicyMap *diffMap = NULL; PKIX_PL_OID *goodOID = NULL; PKIX_PL_OID *equalOID = NULL; PKIX_PL_OID *diffOID = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_GetPolicyMappings"); policyMappingsCert = createCert(dataDir, policyMappingsCertName, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappings(policyMappingsCert, &mappings, NULL)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(mappings, 0, (PKIX_PL_Object **)&goodMap, NULL)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(mappings, 0, (PKIX_PL_Object **)&equalMap, NULL)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(mappings, 2, (PKIX_PL_Object **)&diffMap, NULL)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodMap, equalMap, diffMap, expectedAscii, CertPolicyMap, PKIX_TRUE); subTest("PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(goodMap, &goodOID, NULL)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(diffMap, &equalOID, NULL)); subTest("PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy(diffMap, &diffOID, NULL)); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodOID, equalOID, diffOID, "2.16.840.1.101.3.2.1.48.1", OID, PKIX_FALSE); subTest("pkix_pl_CertPolicyMap_Destroy"); PKIX_TEST_DECREF_BC(goodMap); PKIX_TEST_DECREF_BC(equalMap); PKIX_TEST_DECREF_BC(diffMap); cleanup: PKIX_TEST_DECREF_AC(policyMappingsCert); PKIX_TEST_DECREF_AC(mappings); PKIX_TEST_DECREF_AC(goodOID); PKIX_TEST_DECREF_AC(equalOID); PKIX_TEST_DECREF_AC(diffOID); PKIX_TEST_RETURN(); } static void testNameConstraints(char *dataDir) { char *firstPname = "nameConstraintsDN3subCA2Cert.crt"; char *secondPname = "nameConstraintsDN4CACert.crt"; char *thirdPname = "nameConstraintsDN5CACert.crt"; char *lastPname = "InvalidDNnameConstraintsTest3EE.crt"; PKIX_PL_Cert *firstCert = NULL; PKIX_PL_Cert *secondCert = NULL; PKIX_PL_Cert *thirdCert = NULL; PKIX_PL_Cert *lastCert = NULL; PKIX_PL_CertNameConstraints *firstNC = NULL; PKIX_PL_CertNameConstraints *secondNC = NULL; PKIX_PL_CertNameConstraints *thirdNC = NULL; PKIX_PL_CertNameConstraints *firstMergedNC = NULL; PKIX_PL_CertNameConstraints *secondMergedNC = NULL; char *firstExpectedAscii = "[\n" "\t\tPermitted Name: (O=Test Certificates,C=US)\n" "\t\tExcluded Name: (OU=excludedSubtree1,O=Test Certificates," "C=US, OU=excludedSubtree2,O=Test Certificates,C=US)\n" "\t]\n"; char *secondExpectedAscii = "[\n" "\t\tPermitted Name: (O=Test Certificates,C=US, " "OU=permittedSubtree1,O=Test Certificates,C=US)\n" "\t\tExcluded Name: (OU=excludedSubtree1," "O=Test Certificates," "C=US, OU=excludedSubtree2,O=Test Certificates,C=US, " "OU=excludedSubtree1,OU=permittedSubtree1," "O=Test Certificates,C=US)\n" "\t]\n"; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_CertNameConstraints"); firstCert = createCert(dataDir, firstPname, plContext); secondCert = createCert(dataDir, secondPname, plContext); thirdCert = createCert(dataDir, thirdPname, plContext); lastCert = createCert(dataDir, lastPname, plContext); subTest("PKIX_PL_Cert_GetNameConstraints "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(firstCert, &firstNC, NULL)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(secondCert, &secondNC, NULL)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints(thirdCert, &thirdNC, NULL)); subTest("PKIX_PL_Cert_MergeNameConstraints <1st and 2nd>"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_MergeNameConstraints(firstNC, secondNC, &firstMergedNC, NULL)); subTest("PKIX_PL_Cert_MergeNameConstraints <1st+2nd and 3rd>"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_MergeNameConstraints(firstMergedNC, thirdNC, &secondMergedNC, NULL)); testToStringHelper((PKIX_PL_Object *)firstMergedNC, firstExpectedAscii, plContext); testToStringHelper((PKIX_PL_Object *)secondMergedNC, secondExpectedAscii, plContext); subTest("PKIX_PL_Cert_CheckNameConstraints "); /* Subject: CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckNameConstraints(firstCert, firstMergedNC, NULL)); subTest("PKIX_PL_Cert_CheckNameConstraints "); /* * Subject: CN=Invalid DN nameConstraints EE Certificate Test3, * OU=permittedSubtree1,O=Test Certificates,C=US */ PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints(lastCert, secondMergedNC, NULL)); subTest("PKIX_PL_Cert_CheckNameConstraints "); /* * Subject: CN=Invalid DN nameConstraints EE Certificate Test3, * OU=permittedSubtree1,O=Test Certificates,C=US * SubjectAltNames: CN=Invalid DN nameConstraints EE Certificate * Test3,OU=excludedSubtree1,O=Test Certificates,C=US */ PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints(lastCert, firstMergedNC, NULL)); subTest("PKIX_PL_Cert_CheckNameConstraints "); PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints(firstCert, secondMergedNC, NULL)); cleanup: PKIX_TEST_DECREF_AC(firstCert); PKIX_TEST_DECREF_AC(secondCert); PKIX_TEST_DECREF_AC(thirdCert); PKIX_TEST_DECREF_AC(lastCert); PKIX_TEST_DECREF_AC(firstNC); PKIX_TEST_DECREF_AC(secondNC); PKIX_TEST_DECREF_AC(thirdNC); PKIX_TEST_DECREF_AC(firstMergedNC); PKIX_TEST_DECREF_AC(secondMergedNC); PKIX_TEST_RETURN(); } static void testDestroy(void *goodObject, void *equalObject, void *diffObject) { PKIX_TEST_STD_VARS(); subTest("PKIX_PL_Cert_Destroy"); PKIX_TEST_DECREF_BC(goodObject); PKIX_TEST_DECREF_BC(equalObject); PKIX_TEST_DECREF_BC(diffObject); PKIX_TEST_DECREF_BC(altNameNoneCert); PKIX_TEST_DECREF_BC(altNameOtherCert); PKIX_TEST_DECREF_BC(altNameOtherCert_diff); PKIX_TEST_DECREF_BC(altNameRfc822Cert); PKIX_TEST_DECREF_BC(altNameRfc822Cert_diff); PKIX_TEST_DECREF_BC(altNameDnsCert); PKIX_TEST_DECREF_BC(altNameDnsCert_diff); PKIX_TEST_DECREF_BC(altNameX400Cert); PKIX_TEST_DECREF_BC(altNameX400Cert_diff); PKIX_TEST_DECREF_BC(altNameDnCert); PKIX_TEST_DECREF_BC(altNameDnCert_diff); PKIX_TEST_DECREF_BC(altNameEdiCert); PKIX_TEST_DECREF_BC(altNameEdiCert_diff); PKIX_TEST_DECREF_BC(altNameUriCert); PKIX_TEST_DECREF_BC(altNameUriCert_diff); PKIX_TEST_DECREF_BC(altNameIpCert); PKIX_TEST_DECREF_BC(altNameIpCert_diff); PKIX_TEST_DECREF_BC(altNameOidCert); PKIX_TEST_DECREF_BC(altNameOidCert_diff); PKIX_TEST_DECREF_BC(altNameMultipleCert); cleanup: PKIX_TEST_RETURN(); } static void printUsage(void) { (void)printf("\nUSAGE:\ttest_cert \n\n"); } int test_cert(int argc, char *argv[]) { PKIX_PL_Cert *goodObject = NULL; PKIX_PL_Cert *equalObject = NULL; PKIX_PL_Cert *diffObject = NULL; PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; char *dataCentralDir = NULL; char *dataDir = NULL; char *goodInput = "yassir2bcn"; char *diffInput = "nss2alice"; char *expectedAscii = "[\n" "\tVersion: v3\n" "\tSerialNumber: 37bc66ec\n" "\tIssuer: CN=yassir,OU=bcn,OU=east,O=sun,C=us\n" "\tSubject: OU=bcn,OU=east,O=sun,C=us\n" "\tValidity: [From: Thu Aug 19, 1999\n" /* "\tValidity: [From: Thu Aug 19 16:19:56 1999\n" */ "\t To: Fri Aug 18, 2000]\n" /* "\t To: Fri Aug 18 16:19:56 2000]\n" */ "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(0)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "\tAuthorityInfoAccess: (null)\n" "\tSubjectInfoAccess: (null)\n" "\tCacheFlag: 0\n" "]\n"; PKIX_TEST_STD_VARS(); startTests("Cert"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); if (argc < 3 + j) { printUsage(); return (0); } dataCentralDir = argv[2 + j]; dataDir = argv[3 + j]; createCerts(dataCentralDir, goodInput, diffInput, &goodObject, &equalObject, &diffObject); testToStringHelper((PKIX_PL_Object *)goodObject, expectedAscii, plContext); PKIX_TEST_EQ_HASH_TOSTR_DUP(goodObject, equalObject, diffObject, expectedAscii, Cert, PKIX_TRUE); testVerifyKeyUsage(dataCentralDir, dataDir, goodObject); testGetExtendedKeyUsage(dataCentralDir); testGetKeyIdentifiers(dataCentralDir, goodObject); testGetVersion(goodObject); testGetSerialNumber(goodObject, equalObject, diffObject); testGetSubject(goodObject, equalObject, diffObject); testGetIssuer(goodObject, equalObject, diffObject); testGetSubjectAltNames(dataCentralDir); testGetCriticalExtensionOIDs(dataCentralDir, goodObject); testGetSubjectPublicKey(goodObject, equalObject, diffObject); testGetSubjectPublicKeyAlgId(goodObject); testMakeInheritedDSAPublicKey(dataCentralDir); testCheckValidity(goodObject, diffObject); testBasicConstraints_GetCAFlag(dataCentralDir); testBasicConstraints_GetPathLenConstraint(dataCentralDir); testGetBasicConstraints(dataCentralDir); /* Basic Policy Processing */ testGetPolicyInformation(dataDir); testCertPolicy_GetPolicyId(dataDir); testCertPolicy_GetPolQualifiers(dataDir); testPolicyQualifier_GetPolicyQualifierId(dataDir); testPolicyQualifier_GetQualifier(dataDir); testAreCertPoliciesCritical(dataCentralDir, dataDir); /* Advanced Policy Processing */ testCertPolicyConstraints(dataDir); testCertPolicyMaps(dataDir); testNameConstraints(dataDir); testVerifySignature(dataCentralDir); testDestroy(goodObject, equalObject, diffObject); cleanup: PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("Cert"); return (0); }