1 // Copyright 2016 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef BSSL_PKI_NIST_PKITS_UNITTEST_H_ 6 #define BSSL_PKI_NIST_PKITS_UNITTEST_H_ 7 8 #include <set> 9 10 #include <gtest/gtest.h> 11 #include "parse_values.h" 12 #include "test_helpers.h" 13 14 namespace bssl { 15 16 // Describes the inputs and outputs (other than the certificates) for 17 // the PKITS tests. 18 struct PkitsTestInfo { 19 // Default construction results in the "default settings". 20 PkitsTestInfo(); 21 PkitsTestInfo(const PkitsTestInfo &other); 22 ~PkitsTestInfo(); 23 24 // Sets |initial_policy_set| to the specified policies. The 25 // policies are described as comma-separated symbolic strings like 26 // "anyPolicy" and "NIST-test-policy-1". 27 // 28 // If this isn't called, the default is "anyPolicy". 29 void SetInitialPolicySet(const char *const policy_names); 30 31 // Sets |user_constrained_policy_set| to the specified policies. The 32 // policies are described as comma-separated symbolic strings like 33 // "anyPolicy" and "NIST-test-policy-1". 34 // 35 // If this isn't called, the default is "NIST-test-policy-1". 36 void SetUserConstrainedPolicySet(const char *const policy_names); 37 38 void SetInitialExplicitPolicy(bool b); 39 void SetInitialPolicyMappingInhibit(bool b); 40 void SetInitialInhibitAnyPolicy(bool b); 41 42 // ---------------- 43 // Info 44 // ---------------- 45 46 // The PKITS test number. For example, "4.1.1". 47 const char *test_number = nullptr; 48 49 // ---------------- 50 // Inputs 51 // ---------------- 52 53 // A set of policy OIDs to use for "initial-policy-set". 54 std::set<der::Input> initial_policy_set; 55 56 // The value of "initial-explicit-policy". 57 InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse; 58 59 // The value of "initial-policy-mapping-inhibit". 60 InitialPolicyMappingInhibit initial_policy_mapping_inhibit = 61 InitialPolicyMappingInhibit::kFalse; 62 63 // The value of "initial-inhibit-any-policy". 64 InitialAnyPolicyInhibit initial_inhibit_any_policy = 65 InitialAnyPolicyInhibit::kFalse; 66 67 // This is the time when PKITS was published. 68 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; 69 70 // ---------------- 71 // Expected outputs 72 // ---------------- 73 74 // Whether path validation should succeed. 75 bool should_validate = false; 76 77 std::set<der::Input> user_constrained_policy_set; 78 }; 79 80 // Parameterized test class for PKITS tests. 81 // The instantiating code should define a PkitsTestDelegate with an appropriate 82 // static RunTest method, and then INSTANTIATE_TYPED_TEST_SUITE_P for each 83 // testcase (each TYPED_TEST_SUITE_P in pkits_testcases-inl.h). 84 template <typename PkitsTestDelegate> 85 class PkitsTest : public ::testing::Test { 86 public: 87 template <size_t num_certs, size_t num_crls> RunTest(const char * const (& cert_names)[num_certs],const char * const (& crl_names)[num_crls],const PkitsTestInfo & info)88 void RunTest(const char *const (&cert_names)[num_certs], 89 const char *const (&crl_names)[num_crls], 90 const PkitsTestInfo &info) { 91 std::vector<std::string> cert_ders; 92 for (const std::string s : cert_names) { 93 cert_ders.push_back(bssl::ReadTestFileToString( 94 "testdata/nist-pkits/certs/" + s + ".crt")); 95 } 96 std::vector<std::string> crl_ders; 97 for (const std::string s : crl_names) { 98 crl_ders.push_back( 99 bssl::ReadTestFileToString("testdata/nist-pkits/crls/" + s + ".crl")); 100 } 101 102 std::string_view test_number = info.test_number; 103 104 // Some of the PKITS tests are intentionally given different expectations 105 // from PKITS.pdf. 106 // 107 // Empty user_constrained_policy_set due to short-circuit on invalid 108 // signatures: 109 // 110 // 4.1.2 - Invalid CA Signature Test2 111 // 4.1.3 - Invalid EE Signature Test3 112 // 4.1.6 - Invalid DSA Signature Test6 113 // 114 // Expected to fail because DSA signatures are not supported: 115 // 116 // 4.1.4 - Valid DSA Signatures Test4 117 // 4.1.5 - Valid DSA Parameter Inheritance Test5 118 // 119 // Expected to fail because Name constraints on 120 // uniformResourceIdentifiers are not supported: 121 // 122 // 4.13.34 - Valid URI nameConstraints Test34 123 // 4.13.36 - Valid URI nameConstraints Test36 124 if (test_number == "4.1.2" || test_number == "4.1.3" || 125 test_number == "4.1.6") { 126 PkitsTestInfo modified_info = info; 127 modified_info.user_constrained_policy_set = {}; 128 PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info); 129 } else if (test_number == "4.1.4" || test_number == "4.1.5") { 130 PkitsTestInfo modified_info = info; 131 modified_info.user_constrained_policy_set = {}; 132 modified_info.should_validate = false; 133 PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info); 134 } else if (test_number == "4.13.34" || test_number == "4.13.36") { 135 PkitsTestInfo modified_info = info; 136 modified_info.should_validate = false; 137 PkitsTestDelegate::RunTest(cert_ders, crl_ders, modified_info); 138 } else { 139 PkitsTestDelegate::RunTest(cert_ders, crl_ders, info); 140 } 141 } 142 }; 143 144 // Inline the generated test code: 145 #include "testdata/nist-pkits/pkits_testcases-inl.h" 146 147 } // namespace bssl 148 149 #endif // BSSL_PKI_NIST_PKITS_UNITTEST_H_ 150