1 // Copyright 2016 The Chromium Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef BSSL_PKI_NIST_PKITS_UNITTEST_H_ 16 #define BSSL_PKI_NIST_PKITS_UNITTEST_H_ 17 18 #include <set> 19 20 #include <gtest/gtest.h> 21 #include "parse_values.h" 22 #include "test_helpers.h" 23 24 BSSL_NAMESPACE_BEGIN 25 26 // Describes the inputs and outputs (other than the certificates) for 27 // the PKITS tests. 28 struct PkitsTestInfo { 29 // Default construction results in the "default settings". 30 PkitsTestInfo(); 31 PkitsTestInfo(const PkitsTestInfo &other); 32 ~PkitsTestInfo(); 33 34 // Sets |initial_policy_set| to the specified policies. The 35 // policies are described as comma-separated symbolic strings like 36 // "anyPolicy" and "NIST-test-policy-1". 37 // 38 // If this isn't called, the default is "anyPolicy". 39 void SetInitialPolicySet(const char *const policy_names); 40 41 // Sets |user_constrained_policy_set| to the specified policies. The 42 // policies are described as comma-separated symbolic strings like 43 // "anyPolicy" and "NIST-test-policy-1". 44 // 45 // If this isn't called, the default is "NIST-test-policy-1". 46 void SetUserConstrainedPolicySet(const char *const policy_names); 47 48 void SetInitialExplicitPolicy(bool b); 49 void SetInitialPolicyMappingInhibit(bool b); 50 void SetInitialInhibitAnyPolicy(bool b); 51 52 // ---------------- 53 // Info 54 // ---------------- 55 56 // The PKITS test number. For example, "4.1.1". 57 const char *test_number = nullptr; 58 59 // ---------------- 60 // Inputs 61 // ---------------- 62 63 // A set of policy OIDs to use for "initial-policy-set". 64 std::set<der::Input> initial_policy_set; 65 66 // The value of "initial-explicit-policy". 67 InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse; 68 69 // The value of "initial-policy-mapping-inhibit". 70 InitialPolicyMappingInhibit initial_policy_mapping_inhibit = 71 InitialPolicyMappingInhibit::kFalse; 72 73 // The value of "initial-inhibit-any-policy". 74 InitialAnyPolicyInhibit initial_inhibit_any_policy = 75 InitialAnyPolicyInhibit::kFalse; 76 77 // This is the time when PKITS was published. 78 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; 79 80 // ---------------- 81 // Expected outputs 82 // ---------------- 83 84 // Whether path validation should succeed. 85 bool should_validate = false; 86 87 std::set<der::Input> user_constrained_policy_set; 88 }; 89 90 // Parameterized test class for PKITS tests. 91 // The instantiating code should define a PkitsTestDelegate with an appropriate 92 // static RunTest method, and then INSTANTIATE_TYPED_TEST_SUITE_P for each 93 // testcase (each TYPED_TEST_SUITE_P in pkits_testcases-inl.h). 94 template <typename PkitsTestDelegate> 95 class PkitsTest : public ::testing::Test { 96 public: 97 template <size_t num_certs, size_t num_crls> RunTest(const char * const (& cert_names)[num_certs],const char * const (& crl_names)[num_crls],const PkitsTestInfo & info)98 void RunTest(const char *const (&cert_names)[num_certs], 99 const char *const (&crl_names)[num_crls], 100 const PkitsTestInfo &info) { 101 std::vector<std::string> cert_ders; 102 for (const std::string s : cert_names) { 103 cert_ders.push_back(bssl::ReadTestFileToString( 104 "testdata/nist-pkits/certs/" + s + ".crt")); 105 } 106 std::vector<std::string> crl_ders; 107 for (const std::string s : crl_names) { 108 crl_ders.push_back( 109 bssl::ReadTestFileToString("testdata/nist-pkits/crls/" + s + ".crl")); 110 } 111 112 std::string_view test_number = info.test_number; 113 114 // Some of the PKITS tests are intentionally given different expectations 115 // from PKITS.pdf. 116 // 117 // Empty user_constrained_policy_set due to short-circuit on invalid 118 // signatures: 119 // 120 // 4.1.2 - Invalid CA Signature Test2 121 // 4.1.3 - Invalid EE Signature Test3 122 // 4.1.6 - Invalid DSA Signature Test6 123 // 124 // Expected to fail because DSA signatures are not supported: 125 // 126 // 4.1.4 - Valid DSA Signatures Test4 127 // 4.1.5 - Valid DSA Parameter Inheritance Test5 128 // 129 // Expected to fail because Name constraints on 130 // uniformResourceIdentifiers are not supported: 131 // 132 // 4.13.34 - Valid URI nameConstraints Test34 133 // 4.13.36 - Valid URI nameConstraints Test36 134 if (test_number == "4.1.2" || test_number == "4.1.3" || 135 test_number == "4.1.6") { 136 PkitsTestInfo modified_info = info; 137 modified_info.user_constrained_policy_set = {}; 138 PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info); 139 } else if (test_number == "4.1.4" || test_number == "4.1.5") { 140 PkitsTestInfo modified_info = info; 141 modified_info.user_constrained_policy_set = {}; 142 modified_info.should_validate = false; 143 PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info); 144 } else if (test_number == "4.13.34" || test_number == "4.13.36") { 145 PkitsTestInfo modified_info = info; 146 modified_info.should_validate = false; 147 PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info); 148 } else { 149 PkitsTestDelegate::RunTest(cert_ders, crl_ders, info); 150 } 151 } 152 }; 153 154 // Inline the generated test code: 155 #include "testdata/nist-pkits/pkits_testcases-inl.h" 156 157 BSSL_NAMESPACE_END 158 159 #endif // BSSL_PKI_NIST_PKITS_UNITTEST_H_ 160