1 // Copyright 2016 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef BSSL_PKI_NIST_PKITS_UNITTEST_H_
16 #define BSSL_PKI_NIST_PKITS_UNITTEST_H_
17 
18 #include <set>
19 
20 #include <gtest/gtest.h>
21 #include "parse_values.h"
22 #include "test_helpers.h"
23 
24 BSSL_NAMESPACE_BEGIN
25 
26 // Describes the inputs and outputs (other than the certificates) for
27 // the PKITS tests.
28 struct PkitsTestInfo {
29   // Default construction results in the "default settings".
30   PkitsTestInfo();
31   PkitsTestInfo(const PkitsTestInfo &other);
32   ~PkitsTestInfo();
33 
34   // Sets |initial_policy_set| to the specified policies. The
35   // policies are described as comma-separated symbolic strings like
36   // "anyPolicy" and "NIST-test-policy-1".
37   //
38   // If this isn't called, the default is "anyPolicy".
39   void SetInitialPolicySet(const char *const policy_names);
40 
41   // Sets |user_constrained_policy_set| to the specified policies. The
42   // policies are described as comma-separated symbolic strings like
43   // "anyPolicy" and "NIST-test-policy-1".
44   //
45   // If this isn't called, the default is "NIST-test-policy-1".
46   void SetUserConstrainedPolicySet(const char *const policy_names);
47 
48   void SetInitialExplicitPolicy(bool b);
49   void SetInitialPolicyMappingInhibit(bool b);
50   void SetInitialInhibitAnyPolicy(bool b);
51 
52   // ----------------
53   // Info
54   // ----------------
55 
56   // The PKITS test number. For example, "4.1.1".
57   const char *test_number = nullptr;
58 
59   // ----------------
60   // Inputs
61   // ----------------
62 
63   // A set of policy OIDs to use for "initial-policy-set".
64   std::set<der::Input> initial_policy_set;
65 
66   // The value of "initial-explicit-policy".
67   InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse;
68 
69   // The value of "initial-policy-mapping-inhibit".
70   InitialPolicyMappingInhibit initial_policy_mapping_inhibit =
71       InitialPolicyMappingInhibit::kFalse;
72 
73   // The value of "initial-inhibit-any-policy".
74   InitialAnyPolicyInhibit initial_inhibit_any_policy =
75       InitialAnyPolicyInhibit::kFalse;
76 
77   // This is the time when PKITS was published.
78   der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};
79 
80   // ----------------
81   // Expected outputs
82   // ----------------
83 
84   // Whether path validation should succeed.
85   bool should_validate = false;
86 
87   std::set<der::Input> user_constrained_policy_set;
88 };
89 
90 // Parameterized test class for PKITS tests.
91 // The instantiating code should define a PkitsTestDelegate with an appropriate
92 // static RunTest method, and then INSTANTIATE_TYPED_TEST_SUITE_P for each
93 // testcase (each TYPED_TEST_SUITE_P in pkits_testcases-inl.h).
94 template <typename PkitsTestDelegate>
95 class PkitsTest : public ::testing::Test {
96  public:
97   template <size_t num_certs, size_t num_crls>
RunTest(const char * const (& cert_names)[num_certs],const char * const (& crl_names)[num_crls],const PkitsTestInfo & info)98   void RunTest(const char *const (&cert_names)[num_certs],
99                const char *const (&crl_names)[num_crls],
100                const PkitsTestInfo &info) {
101     std::vector<std::string> cert_ders;
102     for (const std::string s : cert_names) {
103       cert_ders.push_back(bssl::ReadTestFileToString(
104           "testdata/nist-pkits/certs/" + s + ".crt"));
105     }
106     std::vector<std::string> crl_ders;
107     for (const std::string s : crl_names) {
108       crl_ders.push_back(
109           bssl::ReadTestFileToString("testdata/nist-pkits/crls/" + s + ".crl"));
110     }
111 
112     std::string_view test_number = info.test_number;
113 
114     // Some of the PKITS tests are intentionally given different expectations
115     // from PKITS.pdf.
116     //
117     // Empty user_constrained_policy_set due to short-circuit on invalid
118     // signatures:
119     //
120     //   4.1.2 - Invalid CA Signature Test2
121     //   4.1.3 - Invalid EE Signature Test3
122     //   4.1.6 - Invalid DSA Signature Test6
123     //
124     // Expected to fail because DSA signatures are not supported:
125     //
126     //   4.1.4 - Valid DSA Signatures Test4
127     //   4.1.5 - Valid DSA Parameter Inheritance Test5
128     //
129     // Expected to fail because Name constraints on
130     // uniformResourceIdentifiers are not supported:
131     //
132     //   4.13.34 - Valid URI nameConstraints Test34
133     //   4.13.36 - Valid URI nameConstraints Test36
134     if (test_number == "4.1.2" || test_number == "4.1.3" ||
135         test_number == "4.1.6") {
136       PkitsTestInfo modified_info = info;
137       modified_info.user_constrained_policy_set = {};
138       PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info);
139     } else if (test_number == "4.1.4" || test_number == "4.1.5") {
140       PkitsTestInfo modified_info = info;
141       modified_info.user_constrained_policy_set = {};
142       modified_info.should_validate = false;
143       PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info);
144     } else if (test_number == "4.13.34" || test_number == "4.13.36") {
145       PkitsTestInfo modified_info = info;
146       modified_info.should_validate = false;
147       PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info);
148     } else {
149       PkitsTestDelegate::RunTest(cert_ders, crl_ders, info);
150     }
151   }
152 };
153 
154 // Inline the generated test code:
155 #include "testdata/nist-pkits/pkits_testcases-inl.h"
156 
157 BSSL_NAMESPACE_END
158 
159 #endif  // BSSL_PKI_NIST_PKITS_UNITTEST_H_
160