1 // Copyright 2016 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "trust_store_collection.h"
16 
17 #include <gtest/gtest.h>
18 #include "test_helpers.h"
19 #include "trust_store_in_memory.h"
20 
21 BSSL_NAMESPACE_BEGIN
22 
23 namespace {
24 
25 class TrustStoreCollectionTest : public testing::Test {
26  public:
SetUp()27   void SetUp() override {
28     ParsedCertificateList chain;
29     ASSERT_TRUE(ReadCertChainFromFile(
30         "testdata/verify_certificate_chain_unittest/key-rollover/oldchain.pem",
31         &chain));
32 
33     ASSERT_EQ(3U, chain.size());
34     target_ = chain[0];
35     oldintermediate_ = chain[1];
36     oldroot_ = chain[2];
37     ASSERT_TRUE(target_);
38     ASSERT_TRUE(oldintermediate_);
39     ASSERT_TRUE(oldroot_);
40 
41     ASSERT_TRUE(
42         ReadCertChainFromFile("testdata/verify_certificate_chain_unittest/"
43                               "key-rollover/longrolloverchain.pem",
44                               &chain));
45 
46     ASSERT_EQ(5U, chain.size());
47     newintermediate_ = chain[1];
48     newroot_ = chain[2];
49     newrootrollover_ = chain[3];
50     ASSERT_TRUE(newintermediate_);
51     ASSERT_TRUE(newroot_);
52     ASSERT_TRUE(newrootrollover_);
53   }
54 
55  protected:
56   std::shared_ptr<const ParsedCertificate> oldroot_;
57   std::shared_ptr<const ParsedCertificate> newroot_;
58   std::shared_ptr<const ParsedCertificate> newrootrollover_;
59 
60   std::shared_ptr<const ParsedCertificate> target_;
61   std::shared_ptr<const ParsedCertificate> oldintermediate_;
62   std::shared_ptr<const ParsedCertificate> newintermediate_;
63 };
64 
65 // Collection contains no stores, should return no results.
TEST_F(TrustStoreCollectionTest,NoStores)66 TEST_F(TrustStoreCollectionTest, NoStores) {
67   ParsedCertificateList issuers;
68 
69   TrustStoreCollection collection;
70   collection.SyncGetIssuersOf(target_.get(), &issuers);
71 
72   EXPECT_TRUE(issuers.empty());
73 }
74 
75 // Collection contains only one store.
TEST_F(TrustStoreCollectionTest,OneStore)76 TEST_F(TrustStoreCollectionTest, OneStore) {
77   ParsedCertificateList issuers;
78 
79   TrustStoreCollection collection;
80   TrustStoreInMemory in_memory;
81   in_memory.AddTrustAnchor(newroot_);
82   collection.AddTrustStore(&in_memory);
83   collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
84 
85   ASSERT_EQ(1U, issuers.size());
86   EXPECT_EQ(newroot_.get(), issuers[0].get());
87 
88   // newroot_ is trusted.
89   CertificateTrust trust = collection.GetTrust(newroot_.get());
90   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
91             trust.ToDebugString());
92 
93   // oldroot_ is not.
94   trust = collection.GetTrust(oldroot_.get());
95   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
96             trust.ToDebugString());
97 }
98 
99 // SyncGetIssuersOf() should append to its output parameters rather than assign
100 // them.
TEST_F(TrustStoreCollectionTest,OutputVectorsAppendedTo)101 TEST_F(TrustStoreCollectionTest, OutputVectorsAppendedTo) {
102   ParsedCertificateList issuers;
103 
104   // Populate the out-parameter with some values.
105   issuers.resize(3);
106 
107   TrustStoreCollection collection;
108   TrustStoreInMemory in_memory;
109   in_memory.AddTrustAnchor(newroot_);
110   collection.AddTrustStore(&in_memory);
111   collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
112 
113   ASSERT_EQ(4U, issuers.size());
114   EXPECT_EQ(newroot_.get(), issuers[3].get());
115 
116   // newroot_ is trusted.
117   CertificateTrust trust = collection.GetTrust(newroot_.get());
118   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
119             trust.ToDebugString());
120 
121   // newrootrollover_ is not.
122   trust = collection.GetTrust(newrootrollover_.get());
123   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
124             trust.ToDebugString());
125 }
126 
127 // Collection contains two stores.
TEST_F(TrustStoreCollectionTest,TwoStores)128 TEST_F(TrustStoreCollectionTest, TwoStores) {
129   ParsedCertificateList issuers;
130 
131   TrustStoreCollection collection;
132   TrustStoreInMemory in_memory1;
133   TrustStoreInMemory in_memory2;
134   in_memory1.AddTrustAnchor(newroot_);
135   in_memory2.AddTrustAnchor(oldroot_);
136   collection.AddTrustStore(&in_memory1);
137   collection.AddTrustStore(&in_memory2);
138   collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
139 
140   ASSERT_EQ(2U, issuers.size());
141   EXPECT_EQ(newroot_.get(), issuers[0].get());
142   EXPECT_EQ(oldroot_.get(), issuers[1].get());
143 
144   // newroot_ is trusted.
145   CertificateTrust trust = collection.GetTrust(newroot_.get());
146   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
147             trust.ToDebugString());
148 
149   // oldroot_ is trusted.
150   trust = collection.GetTrust(oldroot_.get());
151   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
152             trust.ToDebugString());
153 
154   // newrootrollover_ is not.
155   trust = collection.GetTrust(newrootrollover_.get());
156   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
157             trust.ToDebugString());
158 }
159 
160 // Collection contains two stores. The certificate is marked as trusted in one,
161 // but distrusted in the other.
TEST_F(TrustStoreCollectionTest,DistrustTakesPriority)162 TEST_F(TrustStoreCollectionTest, DistrustTakesPriority) {
163   ParsedCertificateList issuers;
164 
165   TrustStoreCollection collection;
166   TrustStoreInMemory in_memory1;
167   TrustStoreInMemory in_memory2;
168 
169   // newroot_ is trusted in store1, distrusted in store2.
170   in_memory1.AddTrustAnchor(newroot_);
171   in_memory2.AddDistrustedCertificateForTest(newroot_);
172 
173   // oldintermediate is distrusted in store1, trusted in store2.
174   in_memory1.AddDistrustedCertificateForTest(oldintermediate_);
175   in_memory2.AddTrustAnchor(oldintermediate_);
176 
177   collection.AddTrustStore(&in_memory1);
178   collection.AddTrustStore(&in_memory2);
179 
180   // newroot_ is distrusted..
181   CertificateTrust trust = collection.GetTrust(newroot_.get());
182   EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
183             trust.ToDebugString());
184 
185   // oldintermediate_ is distrusted.
186   trust = collection.GetTrust(oldintermediate_.get());
187   EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
188             trust.ToDebugString());
189 
190   // newrootrollover_ is unspecified.
191   trust = collection.GetTrust(newrootrollover_.get());
192   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
193             trust.ToDebugString());
194 }
195 
196 }  // namespace
197 
198 BSSL_NAMESPACE_END
199