1 // Copyright 2015 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef BSSL_PKI_TEST_HELPERS_H_
16 #define BSSL_PKI_TEST_HELPERS_H_
17 
18 #include <stddef.h>
19 
20 #include <ostream>
21 #include <string>
22 #include <string_view>
23 #include <vector>
24 
25 #include <gtest/gtest.h>
26 #include "input.h"
27 #include "parsed_certificate.h"
28 #include "simple_path_builder_delegate.h"
29 #include "trust_store.h"
30 #include "verify_certificate_chain.h"
31 
32 BSSL_NAMESPACE_BEGIN
33 
34 namespace der {
35 
36 // This function is used by GTest to support EXPECT_EQ() for der::Input.
37 void PrintTo(Input data, ::std::ostream *os);
38 
39 }  // namespace der
40 
41 // Parses |s| as a DER SEQUENCE TLV and returns a der::Input corresponding to
42 // the value portion. On error returns an empty der::Input and adds a gtest
43 // failure.
44 //
45 // The returned der::Input() is only valid so long as the input string is alive
46 // and is not mutated.
47 der::Input SequenceValueFromString(std::string_view s);
48 
49 // Helper structure that maps a PEM block header (for instance "CERTIFICATE") to
50 // the destination where the value for that block should be written.
51 struct PemBlockMapping {
52   // The name of the PEM header. Example "CERTIFICATE".
53   const char *block_name;
54 
55   // The destination where the read value should be written to.
56   std::string *value;
57 
58   // True to indicate that the block is not required to be present. If the
59   // block is optional and is not present, then |value| will not be modified.
60   bool optional = false;
61 };
62 
63 // ReadTestDataFromPemFile() is a helper function that reads a PEM test file
64 // rooted in the "src/" directory.
65 //
66 //   * file_path_ascii:
67 //       The path to the PEM file, relative to src. For instance
68 //       "testdata/verify_signed_data_unittest/foopy.pem"
69 //
70 //   * mappings:
71 //       An array of length |mappings_length| which maps the expected PEM
72 //       headers to the destination to write its data.
73 //
74 // The function ensures that each of the chosen mappings is satisfied exactly
75 // once. In other words, the header must be present (unless marked as
76 // optional=true), have valid data, and appear no more than once.
77 ::testing::AssertionResult ReadTestDataFromPemFile(
78     const std::string &file_path_ascii, const PemBlockMapping *mappings,
79     size_t mappings_length);
80 
81 // This is the same as the variant above, however it uses template magic so an
82 // mappings array can be passed in directly (and the correct length is
83 // inferred).
84 template <size_t N>
ReadTestDataFromPemFile(const std::string & file_path_ascii,const PemBlockMapping (& mappings)[N])85 ::testing::AssertionResult ReadTestDataFromPemFile(
86     const std::string &file_path_ascii, const PemBlockMapping (&mappings)[N]) {
87   return ReadTestDataFromPemFile(file_path_ascii, mappings, N);
88 }
89 
90 // Test cases are comprised of all the parameters to certificate
91 // verification, as well as the expected outputs.
92 struct VerifyCertChainTest {
93   VerifyCertChainTest();
94   ~VerifyCertChainTest();
95 
96   // The chain of certificates (with the zero-th being the target).
97   ParsedCertificateList chain;
98 
99   // Details on the trustedness of the last certificate.
100   CertificateTrust last_cert_trust;
101 
102   // The time to use when verifying the chain.
103   der::GeneralizedTime time;
104 
105   // The Key Purpose to use when verifying the chain.
106   KeyPurpose key_purpose = KeyPurpose::ANY_EKU;
107 
108   InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse;
109 
110   std::set<der::Input> user_initial_policy_set;
111 
112   InitialPolicyMappingInhibit initial_policy_mapping_inhibit =
113       InitialPolicyMappingInhibit::kFalse;
114 
115   InitialAnyPolicyInhibit initial_any_policy_inhibit =
116       InitialAnyPolicyInhibit::kFalse;
117 
118   // The expected errors/warnings from verification (as a string).
119   std::string expected_errors;
120 
121   // Expected user_constrained_policy_set, as a set of numeric OID strings.
122   std::set<std::string> expected_user_constrained_policy_set;
123 
124   SimplePathBuilderDelegate::DigestPolicy digest_policy =
125       SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1;
126 
127   // Returns true if |expected_errors| contains any high severity errors (a
128   // non-empty expected_errors doesn't necessarily mean verification is
129   // expected to fail, as it may have contained warnings).
130   bool HasHighSeverityErrors() const;
131 };
132 
133 // Reads a test case from |file_path_ascii| (which is relative to //src).
134 // Generally |file_path_ascii| will start with:
135 //   net/data/verify_certificate_chain_unittest/
136 bool ReadVerifyCertChainTestFromFile(const std::string &file_path_ascii,
137                                      VerifyCertChainTest *test);
138 
139 // Reads a certificate chain from |file_path_ascii|
140 bool ReadCertChainFromFile(const std::string &file_path_ascii,
141                            ParsedCertificateList *chain);
142 
143 // Reads a certificate from |file_path_ascii|. Returns nullptr if the file
144 // contained more that one certificate.
145 std::shared_ptr<const ParsedCertificate> ReadCertFromFile(
146     const std::string &file_path_ascii);
147 
148 // Reads a data file relative to the src root directory.
149 std::string ReadTestFileToString(const std::string &file_path_ascii);
150 
151 // Asserts that |actual_errors| matches |expected_errors_str|.
152 //
153 // This is a helper function to simplify rebasing the error expectations when
154 // they originate from a test file.
155 void VerifyCertPathErrors(const std::string &expected_errors_str,
156                           const CertPathErrors &actual_errors,
157                           const ParsedCertificateList &chain,
158                           const std::string &errors_file_path);
159 
160 // Asserts that |actual_errors| matches |expected_errors_str|.
161 //
162 // This is a helper function to simplify rebasing the error expectations when
163 // they originate from a test file.
164 void VerifyCertErrors(const std::string &expected_errors_str,
165                       const CertErrors &actual_errors,
166                       const std::string &errors_file_path);
167 
168 // Asserts that |actual_user_constrained_policy_set| matches
169 // |expected_user_constrained_policy_set|.
170 void VerifyUserConstrainedPolicySet(
171     const std::set<std::string> &expected_user_constrained_policy_str_set,
172     const std::set<der::Input> &actual_user_constrained_policy_set,
173     const std::string &errors_file_path);
174 
175 BSSL_NAMESPACE_END
176 
177 #endif  // BSSL_PKI_TEST_HELPERS_H_
178