1 // Copyright 2023 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "trust_store_in_memory.h"
16
17 #include <gtest/gtest.h>
18 #include "test_helpers.h"
19
20 BSSL_NAMESPACE_BEGIN
21 namespace {
22
23 class TrustStoreInMemoryTest : public testing::Test {
24 public:
SetUp()25 void SetUp() override {
26 ParsedCertificateList chain;
27 ASSERT_TRUE(ReadCertChainFromFile(
28 "testdata/verify_certificate_chain_unittest/key-rollover/oldchain.pem",
29 &chain));
30
31 ASSERT_EQ(3U, chain.size());
32 target_ = chain[0];
33 oldintermediate_ = chain[1];
34 oldroot_ = chain[2];
35 ASSERT_TRUE(target_);
36 ASSERT_TRUE(oldintermediate_);
37 ASSERT_TRUE(oldroot_);
38
39 ASSERT_TRUE(
40 ReadCertChainFromFile("testdata/verify_certificate_chain_unittest/"
41 "key-rollover/longrolloverchain.pem",
42 &chain));
43
44 ASSERT_EQ(5U, chain.size());
45 newintermediate_ = chain[1];
46 newroot_ = chain[2];
47 newrootrollover_ = chain[3];
48 ASSERT_TRUE(newintermediate_);
49 ASSERT_TRUE(newroot_);
50 ASSERT_TRUE(newrootrollover_);
51 }
52
53 protected:
54 std::shared_ptr<const ParsedCertificate> oldroot_;
55 std::shared_ptr<const ParsedCertificate> newroot_;
56 std::shared_ptr<const ParsedCertificate> newrootrollover_;
57
58 std::shared_ptr<const ParsedCertificate> target_;
59 std::shared_ptr<const ParsedCertificate> oldintermediate_;
60 std::shared_ptr<const ParsedCertificate> newintermediate_;
61 };
62
TEST_F(TrustStoreInMemoryTest,OneRootTrusted)63 TEST_F(TrustStoreInMemoryTest, OneRootTrusted) {
64 TrustStoreInMemory in_memory;
65 in_memory.AddTrustAnchor(newroot_);
66
67 // newroot_ is trusted.
68 CertificateTrust trust = in_memory.GetTrust(newroot_.get());
69 EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
70 trust.ToDebugString());
71
72 // oldroot_ is not.
73 trust = in_memory.GetTrust(oldroot_.get());
74 EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
75 trust.ToDebugString());
76 }
77
TEST_F(TrustStoreInMemoryTest,DistrustBySPKI)78 TEST_F(TrustStoreInMemoryTest, DistrustBySPKI) {
79 TrustStoreInMemory in_memory;
80 in_memory.AddDistrustedCertificateBySPKI(
81 std::string(BytesAsStringView(newroot_->tbs().spki_tlv)));
82
83 // newroot_ is distrusted.
84 CertificateTrust trust = in_memory.GetTrust(newroot_.get());
85 EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
86 trust.ToDebugString());
87
88 // oldroot_ is unspecified.
89 trust = in_memory.GetTrust(oldroot_.get());
90 EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
91 trust.ToDebugString());
92
93 // newrootrollover_ is also distrusted because it has the same key.
94 trust = in_memory.GetTrust(newrootrollover_.get());
95 EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
96 trust.ToDebugString());
97 }
98
TEST_F(TrustStoreInMemoryTest,DistrustBySPKIOverridesTrust)99 TEST_F(TrustStoreInMemoryTest, DistrustBySPKIOverridesTrust) {
100 TrustStoreInMemory in_memory;
101 in_memory.AddTrustAnchor(newroot_);
102 in_memory.AddDistrustedCertificateBySPKI(
103 std::string(BytesAsStringView(newroot_->tbs().spki_tlv)));
104
105 // newroot_ is distrusted.
106 CertificateTrust trust = in_memory.GetTrust(newroot_.get());
107 EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
108 trust.ToDebugString());
109 }
110
111 } // namespace
112 BSSL_NAMESPACE_END
113