/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * test_pk11certstore.c * * Test Pk11CertStore Type * */ #include "testutil.h" #include "testutil_nss.h" static void *plContext = NULL; /* * This function creates a certSelector with ComCertSelParams set up to * select entries whose Subject Name matches that in the given Cert and * whose validity window includes the Date specified by "validityDate". */ static void test_makeSubjectCertSelector( PKIX_PL_Cert *certNameToMatch, PKIX_PL_Date *validityDate, PKIX_CertSelector **pSelector, void *plContext) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *subjParams = NULL; PKIX_PL_X500Name *subjectName = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&subjParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(certNameToMatch, &subjectName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(subjParams, subjectName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(subjParams, validityDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, subjParams, plContext)); *pSelector = selector; cleanup: PKIX_TEST_DECREF_AC(subjParams); PKIX_TEST_DECREF_AC(subjectName); PKIX_TEST_RETURN(); } /* * This function creates a certSelector with ComCertSelParams set up to * select entries containing a Basic Constraints extension with a path * length of at least the specified "minPathLength". */ static void test_makePathCertSelector( PKIX_Int32 minPathLength, PKIX_CertSelector **pSelector, void *plContext) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *pathParams = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&pathParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(pathParams, minPathLength, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(selector, pathParams, plContext)); *pSelector = selector; cleanup: PKIX_TEST_DECREF_AC(pathParams); PKIX_TEST_RETURN(); } /* * This function reads a directory-file cert specified by "desiredSubjectCert", * and decodes the SubjectName. It uses that name to set up the CertSelector * for a Subject Name match, and then queries the database for matching entries. * It is intended to test a "smart" database query. */ static void testMatchCertSubject( char *crlDir, char *desiredSubjectCert, char *expectedAscii, PKIX_PL_Date *validityDate, void *plContext) { PKIX_UInt32 numCert = 0; PKIX_PL_Cert *certWithDesiredSubject = NULL; PKIX_CertStore *certStore = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_List *certList = NULL; PKIX_CertStore_CertCallback getCert = NULL; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); certWithDesiredSubject = createCert(crlDir, desiredSubjectCert, plContext); test_makeSubjectCertSelector(certWithDesiredSubject, validityDate, &certSelector, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &getCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(getCert(certStore, certSelector, &nbioContext, &certList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certList, &numCert, plContext)); if (numCert > 0) { /* List should be immutable */ PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(certList, 0, plContext)); } if (expectedAscii) { testToStringHelper((PKIX_PL_Object *)certList, expectedAscii, plContext); } cleanup: PKIX_TEST_DECREF_AC(certWithDesiredSubject); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(certList); PKIX_TEST_RETURN(); } /* * This function uses the minimum path length specified by "minPath" to set up * a CertSelector for a BasicConstraints match, and then queries the database * for matching entries. It is intended to test the case where there * is no "smart" database query, so the database will be asked for all * available certs and the filtering will be done by the interaction of the * certstore and the selector. */ static void testMatchCertMinPath( PKIX_Int32 minPath, char *expectedAscii, void *plContext) { PKIX_CertStore *certStore = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_List *certList = NULL; PKIX_CertStore_CertCallback getCert = NULL; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); subTest("Searching Certs for minPath"); test_makePathCertSelector(minPath, &certSelector, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback(certStore, &getCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(getCert(certStore, certSelector, &nbioContext, &certList, plContext)); if (expectedAscii) { testToStringHelper((PKIX_PL_Object *)certList, expectedAscii, plContext); } cleanup: PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(certList); PKIX_TEST_RETURN(); } /* * This function creates a crlSelector with ComCrlSelParams set up to * select entries whose Issuer Name matches that in the given Crl. */ static void test_makeIssuerCRLSelector( PKIX_PL_CRL *crlNameToMatch, PKIX_CRLSelector **pSelector, void *plContext) { PKIX_CRLSelector *selector = NULL; PKIX_ComCRLSelParams *issuerParams = NULL; PKIX_PL_X500Name *issuerName = NULL; PKIX_List *names = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&issuerParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer(crlNameToMatch, &issuerName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&names, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(names, (PKIX_PL_Object *)issuerName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames(issuerParams, names, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(selector, issuerParams, plContext)); *pSelector = selector; cleanup: PKIX_TEST_DECREF_AC(issuerParams); PKIX_TEST_DECREF_AC(issuerName); PKIX_TEST_DECREF_AC(names); PKIX_TEST_RETURN(); } /* * This function creates a crlSelector with ComCrlSelParams set up to * select entries that would be valid at the Date specified by the Date * criterion. */ static void test_makeDateCRLSelector( PKIX_PL_Date *dateToMatch, PKIX_CRLSelector **pSelector, void *plContext) { PKIX_CRLSelector *selector = NULL; PKIX_ComCRLSelParams *dateParams = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&dateParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetDateAndTime(dateParams, dateToMatch, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(selector, dateParams, plContext)); *pSelector = selector; cleanup: PKIX_TEST_DECREF_AC(dateParams); PKIX_TEST_RETURN(); } /* * This function reads a directory-file crl specified by "desiredIssuerCrl", * and decodes the IssuerName. It uses that name to set up the CrlSelector * for a Issuer Name match, and then queries the database for matching entries. * It is intended to test the case of a "smart" database query. */ static void testMatchCrlIssuer( char *crlDir, char *desiredIssuerCrl, char *expectedAscii, void *plContext) { PKIX_UInt32 numCrl = 0; PKIX_PL_CRL *crlWithDesiredIssuer = NULL; PKIX_CertStore *crlStore = NULL; PKIX_CRLSelector *crlSelector = NULL; PKIX_List *crlList = NULL; PKIX_CertStore_CRLCallback getCrl = NULL; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); subTest("Searching CRLs for matching Issuer"); crlWithDesiredIssuer = createCRL(crlDir, desiredIssuerCrl, plContext); test_makeIssuerCRLSelector(crlWithDesiredIssuer, &crlSelector, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&crlStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback(crlStore, &getCrl, plContext)); PKIX_TEST_EXPECT_NO_ERROR(getCrl(crlStore, crlSelector, &nbioContext, &crlList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(crlList, &numCrl, plContext)); if (numCrl > 0) { /* List should be immutable */ PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(crlList, 0, plContext)); } if (expectedAscii) { testToStringHelper((PKIX_PL_Object *)crlList, expectedAscii, plContext); } cleanup: PKIX_TEST_DECREF_AC(crlWithDesiredIssuer); PKIX_TEST_DECREF_AC(crlStore); PKIX_TEST_DECREF_AC(crlSelector); PKIX_TEST_DECREF_AC(crlList); PKIX_TEST_RETURN(); } /* * This function uses the date specified by "matchDate" to set up the * CrlSelector for a Date match. It is intended to test the case where there * is no "smart" database query, so the CertStore should throw an error * rather than ask the database for all available CRLs and then filter the * results using the selector. */ static void testMatchCrlDate( char *dateMatch, char *expectedAscii, void *plContext) { PKIX_PL_Date *dateCriterion = NULL; PKIX_CertStore *crlStore = NULL; PKIX_CRLSelector *crlSelector = NULL; PKIX_List *crlList = NULL; PKIX_CertStore_CRLCallback getCrl = NULL; PKIX_TEST_STD_VARS(); subTest("Searching CRLs for matching Date"); dateCriterion = createDate(dateMatch, plContext); test_makeDateCRLSelector(dateCriterion, &crlSelector, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create(&crlStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback(crlStore, &getCrl, plContext)); PKIX_TEST_EXPECT_ERROR(getCrl(crlStore, crlSelector, NULL, &crlList, plContext)); cleanup: PKIX_TEST_DECREF_AC(dateCriterion); PKIX_TEST_DECREF_AC(crlStore); PKIX_TEST_DECREF_AC(crlSelector); PKIX_TEST_DECREF_AC(crlList); PKIX_TEST_RETURN(); } static void printUsage(char *pName) { printf("\nUSAGE: %s <-d data-dir> \n\n", pName); } /* Functional tests for Pk11CertStore public functions */ int test_pk11certstore(int argc, char *argv[]) { PKIX_UInt32 j = 0; PKIX_UInt32 actualMinorVersion; PKIX_PL_Date *validityDate = NULL; PKIX_PL_Date *betweenDate = NULL; char *crlDir = NULL; char *expectedProfAscii = "([\n" "\tVersion: v3\n" "\tSerialNumber: 00ca\n" "\tIssuer: CN=chemistry,O=mit,C=us\n" "\tSubject: CN=prof noall,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 14:14:06 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(6)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ", [\n" "\tVersion: v3\n" "\tSerialNumber: 03\n" "\tIssuer: CN=physics,O=mit,C=us\n" "\tSubject: CN=prof noall,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 12:52:26 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(0)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ")"; char *expectedValidityAscii = "([\n" "\tVersion: v3\n" "\tSerialNumber: 03\n" "\tIssuer: CN=physics,O=mit,C=us\n" "\tSubject: CN=prof noall,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 12:52:26 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(0)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ")"; char *expectedMinPathAscii = "([\n" "\tVersion: v3\n" "\tSerialNumber: 01\n" "\tIssuer: CN=science,O=mit,C=us\n" "\tSubject: CN=science,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 12:47:58 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(10)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ")"; char *expectedIssuerAscii = "([\n" "\tVersion: v2\n" "\tIssuer: CN=physics,O=mit,C=us\n" "\tUpdate: [Last: Fri Feb 11 13:51:38 2005\n" "\t Next: Mon Jan 18, 2105]\n" "\tSignatureAlgId: 1.2.840.10040.4.3\n" "\tCRL Number : (null)\n" "\n" "\tEntry List: (\n" "\t[\n" "\tSerialNumber: 67\n" "\tReasonCode: 257\n" "\tRevocationDate: Fri Feb 11 13:51:38 2005\n" "\tCritExtOIDs: (EMPTY)\n" "\t]\n" "\t)\n" "\n" "\tCritExtOIDs: (EMPTY)\n" "]\n" ")"; char *expectedDateAscii = "([\n" "\tVersion: v2\n" "\tIssuer: CN=science,O=mit,C=us\n" "\tUpdate: [Last: Fri Feb 11 13:34:40 2005\n" "\t Next: Mon Jan 18, 2105]\n" "\tSignatureAlgId: 1.2.840.10040.4.3\n" "\tCRL Number : (null)\n" "\n" "\tEntry List: (\n" "\t[\n" "\tSerialNumber: 65\n" "\tReasonCode: 260\n" "\tRevocationDate: Fri Feb 11 13:34:40 2005\n" "\tCritExtOIDs: (EMPTY)\n" "\t]\n" "\t)\n" "\n" "\tCritExtOIDs: (EMPTY)\n" "]\n" ", [\n" "\tVersion: v2\n" "\tIssuer: CN=testing CRL,O=test,C=us\n" "\tUpdate: [Last: Fri Feb 11 13:14:38 2005\n" "\t Next: Mon Jan 18, 2105]\n" "\tSignatureAlgId: 1.2.840.10040.4.3\n" "\tCRL Number : (null)\n" "\n" "\tEntry List: (\n" "\t[\n" "\tSerialNumber: 67\n" "\tReasonCode: 258\n" "\tRevocationDate: Fri Feb 11 13:14:38 2005\n" "\tCritExtOIDs: (EMPTY)\n" "\t]\n" "\t)\n" "\n" "\tCritExtOIDs: (EMPTY)\n" "]\n" ")"; PKIX_TEST_STD_VARS(); startTests("Pk11CertStore"); if (argc < 3) { printUsage(argv[0]); return (0); } PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); crlDir = argv[j + 2]; /* Two certs for prof should be valid now */ PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime(PR_Now(), &validityDate, plContext)); subTest("Searching Certs for Subject"); testMatchCertSubject(crlDir, "phy2prof.crt", NULL, /* expectedProfAscii, */ validityDate, plContext); /* One of the certs was not yet valid at this time. */ betweenDate = createDate("050210184000Z", plContext); subTest("Searching Certs for Subject and Validity"); testMatchCertSubject(crlDir, "phy2prof.crt", NULL, /* expectedValidityAscii, */ betweenDate, plContext); testMatchCertMinPath(9, NULL, /* expectedMinPathAscii, */ plContext); testMatchCrlIssuer(crlDir, "phys.crl", NULL, /* expectedIssuerAscii, */ plContext); testMatchCrlDate("050211184000Z", NULL, /* expectedDateAscii, */ plContext); cleanup: PKIX_TEST_DECREF_AC(validityDate); PKIX_TEST_DECREF_AC(betweenDate); PKIX_TEST_RETURN(); endTests("Pk11CertStore"); return (0); }