/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * test_certselector.c * * Test Cert Selector * */ #include "testutil.h" #include "testutil_nss.h" #define PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS 5 #define PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS 2 #define PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS 2 #define PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS 4 #define PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS 1 static void *plContext = NULL; /* * The first three certs are used to obtain policies to test * policy matching. Changing the table could break tests. */ static char *certList[] = { #define POLICY1CERT 0 "GoodCACert.crt", #define ANYPOLICYCERT 1 "anyPolicyCACert.crt", #define POLICY2CERT 2 "PoliciesP12CACert.crt", #define SUBJECTCERT 3 "PoliciesP3CACert.crt", "PoliciesP1234CACert.crt", "pathLenConstraint0CACert.crt", "pathLenConstraint1CACert.crt", "pathLenConstraint6CACert.crt", "TrustAnchorRootCertificate.crt", "GoodsubCACert.crt", "AnyPolicyTest14EE.crt", "UserNoticeQualifierTest16EE.crt" }; #define NUMCERTS (sizeof (certList)/sizeof (certList[0])) /* * Following are Certs values for NameConstraints tests * * Cert0:nameConstraintsDN1subCA1Cert.crt: * Subject:CN=nameConstraints DN1 subCA1,OU=permittedSubtree1, * O=Test Certificates,C=US * Permitted Name:(OU=permittedSubtree2,OU=permittedSubtree1, * O=Test Certificates,C=US) * Excluded Name: (EMPTY) * Cert1:nameConstraintsDN3subCA2Cert.crt: * Subject:CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US * Permitted Name:(O=Test Certificates,C=US) * Excluded Name:(EMPTY) * Cert2:nameConstraintsDN2CACert.crt * Subject:CN=nameConstraints DN2 CA,O=Test Certificates,C=US * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US, * OU=permittedSubtree2,O=Test Certificates,C=US) * Excluded Name:(EMPTY) * Cert3:nameConstraintsDN3subCA1Cert.crt * Subject:CN=nameConstraints DN3 subCA1,O=Test Certificates,C=US * Permitted Name:(EMPTY) * Excluded Name:(OU=excludedSubtree2,O=Test Certificates,C=US) * Cert4:nameConstraintsDN4CACert.crt * Subject:CN=nameConstraints DN4 CA,O=Test Certificates,C=US * Permitted Name:(EMPTY) * Excluded Name:(OU=excludedSubtree1,O=Test Certificates,C=US, * OU=excludedSubtree2,O=Test Certificates,C=US) * Cert5:nameConstraintsDN5CACert.crt * Subject:CN=nameConstraints DN5 CA,O=Test Certificates,C=US * Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US) * Excluded Name:(OU=excludedSubtree1,OU=permittedSubtree1, * O=Test Certificates,C=US) * Cert6:ValidDNnameConstraintsTest1EE.crt * Subject:CN=Valid DN nameConstraints EE Certificate Test1, * OU=permittedSubtree1,O=Test Certificates,C=US * */ static char *ncCertList[] = { "nameConstraintsDN1subCA1Cert.crt", "nameConstraintsDN3subCA2Cert.crt", "nameConstraintsDN2CACert.crt", "nameConstraintsDN3subCA1Cert.crt", "nameConstraintsDN4CACert.crt", "nameConstraintsDN5CACert.crt", "ValidDNnameConstraintsTest1EE.crt" }; #define NUMNCCERTS (sizeof (ncCertList)/sizeof (ncCertList[0])) static char *sanCertList[] = { "InvalidDNnameConstraintsTest3EE.crt", "InvalidDNSnameConstraintsTest38EE.crt" }; #define NUMSANCERTS (sizeof (sanCertList)/sizeof (sanCertList[0])) /* * This function calls the CertSelector pointed to by "selector" for each * cert in the List pointed to by "certs", and compares the results against * the bit array given by the UInt32 "expectedResults". If the first cert is * expected to pass, the lower-order bit of "expectedResults" should be 1. * If the second cert is expected to pass, the second bit of "expectedResults" * should be 1, and so on. If more than 32 certs are provided, only the first * 32 will be checked. It is not an error to provide more bits than needed. * (For example, if you expect every cert to pass, "expectedResult" can be * set to 0xFFFFFFFF, even if the chain has fewer than 32 certs.) */ static void testSelector( PKIX_CertSelector *selector, PKIX_List *certs, PKIX_UInt32 expectedResults) { PKIX_UInt32 i = 0; PKIX_UInt32 numCerts = 0; PKIX_PL_Cert *cert = NULL; PKIX_CertSelector_MatchCallback callback = NULL; PKIX_Error *errReturn = NULL; PKIX_Boolean result = PKIX_TRUE; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback (selector, &callback, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certs, &numCerts, plContext)); if (numCerts > 32) { numCerts = 32; } for (i = 0; i < numCerts; i++) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, i, (PKIX_PL_Object **)&cert, plContext)); errReturn = callback(selector, cert, &result, plContext); if (errReturn || result == PKIX_FALSE) { if ((expectedResults & 1) == 1) { testError("selector unexpectedly failed"); (void) printf(" processing cert:\t%d\n", i); } } else { if ((expectedResults & 1) == 0) { testError("selector unexpectedly passed"); (void) printf(" processing cert:\t%d\n", i); } } expectedResults = expectedResults >> 1; PKIX_TEST_DECREF_BC(cert); PKIX_TEST_DECREF_BC(errReturn); } cleanup: PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(errReturn); PKIX_TEST_RETURN(); } /* * This function gets a policy from the Cert pointed to by "cert", according * to the index provided by "index", creates an immutable List containing the * OID of that policy, and stores the result at "pPolicyList". */ static void testGetPolicyFromCert( PKIX_PL_Cert *cert, PKIX_UInt32 index, PKIX_List **pPolicyList) { PKIX_List *policyInfo = NULL; PKIX_PL_CertPolicyInfo *firstPolicy = NULL; PKIX_PL_OID *policyOID = NULL; PKIX_List *list = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation (cert, &policyInfo, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (policyInfo, index, (PKIX_PL_Object **)&firstPolicy, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId (firstPolicy, &policyOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (list, (PKIX_PL_Object *)policyOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(list, plContext)); *pPolicyList = list; cleanup: PKIX_TEST_DECREF_AC(policyInfo); PKIX_TEST_DECREF_AC(firstPolicy); PKIX_TEST_DECREF_AC(policyOID); PKIX_TEST_RETURN(); } /* * This custom matchCallback will pass any Certificate which has no * CertificatePolicies extension and any Certificate whose Policies * extension include a CertPolicyQualifier. */ static PKIX_Error * custom_CertSelector_MatchCallback( PKIX_CertSelector *selector, PKIX_PL_Cert *cert, PKIX_Boolean *pResult, void *plContext) { PKIX_UInt32 i = 0; PKIX_UInt32 numPolicies = 0; PKIX_List *certPolicies = NULL; PKIX_List *quals = NULL; PKIX_PL_CertPolicyInfo *policy = NULL; PKIX_Error *error = NULL; PKIX_TEST_STD_VARS(); *pResult = PKIX_TRUE; PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation (cert, &certPolicies, plContext)); if (certPolicies) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certPolicies, &numPolicies, plContext)); for (i = 0; i < numPolicies; i++) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certPolicies, i, (PKIX_PL_Object **)&policy, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_CertPolicyInfo_GetPolQualifiers (policy, &quals, plContext)); if (quals) { goto cleanup; } PKIX_TEST_DECREF_BC(policy); } PKIX_TEST_DECREF_BC(certPolicies); *pResult = PKIX_FALSE; PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create (PKIX_CERTSELECTOR_ERROR, NULL, NULL, PKIX_TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, &error, plContext)); } cleanup: PKIX_TEST_DECREF_AC(certPolicies); PKIX_TEST_DECREF_AC(policy); PKIX_TEST_DECREF_AC(quals); return(error); } /* * This custom matchCallback will pass any Certificate whose * CertificatePolicies extension asserts the Policy specified by * the OID in the CertSelectorContext object. */ static PKIX_Error * custom_CertSelector_MatchOIDCallback( PKIX_CertSelector *selector, PKIX_PL_Cert *cert, PKIX_Boolean *pResult, void *plContext) { PKIX_UInt32 i = 0; PKIX_UInt32 numPolicies = 0; PKIX_Boolean match = PKIX_FALSE; PKIX_PL_Object *certSelectorContext = NULL; PKIX_PL_OID *constraintOID = NULL; PKIX_List *certPolicies = NULL; PKIX_PL_CertPolicyInfo *policy = NULL; PKIX_PL_OID *policyOID = NULL; PKIX_PL_String *errorDesc = NULL; PKIX_Error *error = NULL; PKIX_TEST_STD_VARS(); *pResult = PKIX_TRUE; PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCertSelectorContext (selector, &certSelectorContext, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType (certSelectorContext, PKIX_OID_TYPE, plContext)); constraintOID = (PKIX_PL_OID *)certSelectorContext; PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation (cert, &certPolicies, plContext)); if (certPolicies) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certPolicies, &numPolicies, plContext)); for (i = 0; i < numPolicies; i++) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certPolicies, i, (PKIX_PL_Object **)&policy, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_CertPolicyInfo_GetPolicyId (policy, &policyOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals ((PKIX_PL_Object *)policyOID, (PKIX_PL_Object *)constraintOID, &match, plContext)); if (match) { goto cleanup; } PKIX_TEST_DECREF_BC(policy); PKIX_TEST_DECREF_BC(policyOID); } } PKIX_TEST_DECREF_BC(certSelectorContext); PKIX_TEST_DECREF_BC(certPolicies); PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create (PKIX_CERTSELECTOR_ERROR, NULL, NULL, PKIX_TESTNOMATCHINGPOLICY, &error, plContext)); cleanup: PKIX_TEST_DECREF_AC(certSelectorContext); PKIX_TEST_DECREF_AC(certPolicies); PKIX_TEST_DECREF_AC(policy); PKIX_TEST_DECREF_AC(policyOID); PKIX_TEST_DECREF_AC(errorDesc); return(error); } static void testSubjectMatch( PKIX_List *certs, PKIX_PL_Cert *certNameToMatch) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *subjParams = NULL; PKIX_PL_X500Name *subjectName = NULL; PKIX_TEST_STD_VARS(); subTest("Subject name match"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&subjParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject (certNameToMatch, &subjectName, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject (subjParams, subjectName, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, subjParams, plContext)); testSelector(selector, certs, 0x008); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(subjParams); PKIX_TEST_DECREF_AC(subjectName); PKIX_TEST_RETURN(); } static void testBasicConstraintsMatch( PKIX_List *certs) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *bcParams = NULL; PKIX_TEST_STD_VARS(); subTest("Basic Constraints match"); subTest(" pathLenContraint = -2: pass only EE's"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&bcParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetBasicConstraints (bcParams, -2, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, bcParams, plContext)); testSelector(selector, certs, 0xC00); subTest(" pathLenContraint = -1: pass all certs"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetBasicConstraints (bcParams, -1, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, bcParams, plContext)); testSelector(selector, certs, 0xFFF); subTest(" pathLenContraint = 1: pass only certs with pathLen >= 1"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetBasicConstraints (bcParams, 1, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, bcParams, plContext)); testSelector(selector, certs, 0x3DF); subTest(" pathLenContraint = 2: pass only certs with pathLen >= 2"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetBasicConstraints (bcParams, 2, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, bcParams, plContext)); testSelector(selector, certs, 0x39F); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(bcParams); PKIX_TEST_RETURN(); } static void testPolicyMatch( PKIX_List *certs, PKIX_PL_Cert *NIST1Cert, /* a source for policy NIST1 */ PKIX_PL_Cert *NIST2Cert, /* a source for policy NIST2 */ PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ { PKIX_CertSelector *selector = NULL; PKIX_List *emptyList = NULL; /* no members */ PKIX_List *policy1List = NULL; /* OIDs */ PKIX_List *policy2List = NULL; /* OIDs */ PKIX_List *anyPolicyList = NULL; /* OIDs */ PKIX_ComCertSelParams *polParams = NULL; PKIX_TEST_STD_VARS(); subTest("Policy match"); testGetPolicyFromCert(NIST1Cert, 0, &policy1List); testGetPolicyFromCert(NIST2Cert, 1, &policy2List); testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); subTest(" Pass certs with any CertificatePolicies extension"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&polParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetPolicy (polParams, emptyList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, polParams, plContext)); testSelector(selector, certs, 0xEFF); PKIX_TEST_DECREF_BC(polParams); subTest(" Pass only certs with policy NIST1"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&polParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetPolicy (polParams, policy1List, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, polParams, plContext)); testSelector(selector, certs, 0xEF5); PKIX_TEST_DECREF_BC(polParams); subTest(" Pass only certs with policy NIST2"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&polParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetPolicy (polParams, policy2List, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, polParams, plContext)); testSelector(selector, certs, 0x814); PKIX_TEST_DECREF_BC(polParams); subTest(" Pass only certs with policy anyPolicy"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&polParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetPolicy (polParams, anyPolicyList, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, polParams, plContext)); testSelector(selector, certs, 0x002); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(emptyList); PKIX_TEST_DECREF_AC(policy1List); PKIX_TEST_DECREF_AC(policy2List); PKIX_TEST_DECREF_AC(anyPolicyList); PKIX_TEST_DECREF_AC(polParams); PKIX_TEST_RETURN(); } static void testCertificateMatch( PKIX_List *certs, PKIX_PL_Cert *certToMatch) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *params = NULL; PKIX_TEST_STD_VARS(); subTest("Certificate match"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (¶ms, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate (params, certToMatch, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); testSelector(selector, certs, 0x008); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(params); PKIX_TEST_RETURN(); } static void testNameConstraintsMatch(PKIX_List *certs) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *params = NULL; PKIX_PL_Cert *cert = NULL; PKIX_PL_CertNameConstraints *permitNameConstraints1 = NULL; PKIX_PL_CertNameConstraints *permitNameConstraints2 = NULL; PKIX_PL_CertNameConstraints *permitNameConstraints3 = NULL; PKIX_PL_CertNameConstraints *excludeNameConstraints1 = NULL; PKIX_PL_CertNameConstraints *excludeNameConstraints2 = NULL; PKIX_PL_CertNameConstraints *excludeNameConstraints3 = NULL; PKIX_UInt32 numCerts = 0; PKIX_TEST_STD_VARS(); subTest("test NameConstraints Cert Selector"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certs, &numCerts, plContext)); subTest(" PKIX_PL_Cert_GetNameConstraints "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, 0, (PKIX_PL_Object **)&cert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &permitNameConstraints1, plContext)); PKIX_TEST_DECREF_BC(cert); subTest(" PKIX_PL_Cert_GetNameConstraints "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, 1, (PKIX_PL_Object **)&cert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &permitNameConstraints2, plContext)); PKIX_TEST_DECREF_BC(cert); subTest(" PKIX_PL_Cert_GetNameConstraints "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, 2, (PKIX_PL_Object **)&cert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &permitNameConstraints3, plContext)); PKIX_TEST_DECREF_BC(cert); subTest(" PKIX_PL_Cert_GetNameConstraints "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, 3, (PKIX_PL_Object **)&cert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &excludeNameConstraints1, plContext)); PKIX_TEST_DECREF_BC(cert); subTest(" PKIX_PL_Cert_GetNameConstraints "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, 4, (PKIX_PL_Object **)&cert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &excludeNameConstraints2, plContext)); PKIX_TEST_DECREF_BC(cert); subTest(" PKIX_PL_Cert_GetNameConstraints "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, 5, (PKIX_PL_Object **)&cert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints (cert, &excludeNameConstraints3, plContext)); PKIX_TEST_DECREF_BC(cert); subTest(" Create Selector and ComCertSelParams"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (¶ms, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" CertNameConstraints testing permitted NONE"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, permitNameConstraints1, plContext)); testSelector(selector, certs, 0x0); subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, NULL, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" CertNameConstraints testing permitted ALL"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, permitNameConstraints2, plContext)); testSelector(selector, certs, 0x07F); subTest(" CertNameConstraints testing permitted TWO"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, permitNameConstraints3, plContext)); testSelector(selector, certs, 0x0041); subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, NULL, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" CertNameConstraints testing excluded"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, excludeNameConstraints1, plContext)); testSelector(selector, certs, 0x07F); subTest(" CertNameConstraints testing excluded"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, excludeNameConstraints2, plContext)); testSelector(selector, certs, 0x07F); subTest(" CertNameConstraints testing excluded"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints (params, excludeNameConstraints3, plContext)); testSelector(selector, certs, 0x41); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(params); PKIX_TEST_DECREF_AC(permitNameConstraints1); PKIX_TEST_DECREF_AC(permitNameConstraints2); PKIX_TEST_DECREF_AC(permitNameConstraints3); PKIX_TEST_DECREF_AC(excludeNameConstraints1); PKIX_TEST_DECREF_AC(excludeNameConstraints2); PKIX_TEST_DECREF_AC(excludeNameConstraints3); PKIX_TEST_RETURN(); } static void testPathToNamesMatch(PKIX_List *certs) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *params = NULL; PKIX_List *nameList = NULL; PKIX_PL_GeneralName *name = NULL; PKIX_TEST_STD_VARS(); subTest("test PathToName Cert Selector"); subTest(" PKIX_PL_GeneralName List create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); subTest(" Add directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "O=NotATest Certificates,C=US", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (nameList, (PKIX_PL_Object *)name, plContext)); subTest(" Create Selector and ComCertSelParams"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (¶ms, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" PKIX_ComCertSelParams_SetPathToNames"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, nameList, plContext)); subTest(" Permitting THREE"); testSelector(selector, certs, 0x58); subTest(" Remove directory name "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem (nameList, 0, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, NULL, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" Add directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "OU=permittedSubtree1,O=Test Certificates,C=US", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (nameList, (PKIX_PL_Object *)name, plContext)); subTest(" PKIX_ComCertSelParams_SetPathToNames"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, nameList, plContext)); subTest(" Permitting SIX"); testSelector(selector, certs, 0x5F); subTest(" Remove directory name "); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem (nameList, 0, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, NULL, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" Add directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (nameList, (PKIX_PL_Object *)name, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" PKIX_ComCertSelParams_SetPathToNames"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, nameList, plContext)); subTest(" Permitting FOUR"); testSelector(selector, certs, 0x47); subTest(" Only directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "OU=permittedSubtree1,O=Test Certificates,C=US", plContext); subTest(" PKIX_ComCertSelParams_AddPathToName"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName (params, name, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" Permitting FOUR"); testSelector(selector, certs, 0x47); subTest(" PKIX_ComCertSelParams_SetNameConstraint Reset"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, NULL, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); PKIX_TEST_DECREF_BC(nameList); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); subTest(" Add directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "CN=Valid DN nameConstraints EE " "Certificate Test1,OU=permittedSubtree1," "O=Test Certificates,C=US", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (nameList, (PKIX_PL_Object *)name, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" PKIX_ComCertSelParams_SetPathToNames"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, nameList, plContext)); subTest(" Permitting SIX"); testSelector(selector, certs, 0x7e); subTest(" Add directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "OU=permittedSubtree1,O=Test", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (nameList, (PKIX_PL_Object *)name, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" PKIX_ComCertSelParams_SetPathToNames"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, nameList, plContext)); subTest(" Permitting SIX"); testSelector(selector, certs, 0x58); subTest(" Add directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext); subTest(" PKIX_ComCertSelParams_SetPathToNames Reset"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames (params, NULL, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName (params, name, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" Permitting FOUR"); testSelector(selector, certs, 0x47); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(params); PKIX_TEST_DECREF_AC(nameList); PKIX_TEST_RETURN(); } static void testSubjAltNamesMatch(PKIX_List *certs) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *params = NULL; PKIX_List *nameList = NULL; PKIX_PL_GeneralName *name = NULL; PKIX_TEST_STD_VARS(); subTest("test SubjAltNames Cert Selector"); subTest(" PKIX_PL_GeneralName List create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext)); subTest(" Create Selector and ComCertSelParams"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (¶ms, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" Add directory name "); name = createGeneralName (PKIX_DIRECTORY_NAME, "CN=Invalid DN nameConstraints EE Certificate Test3," "OU=excludedSubtree1,O=Test Certificates,C=US", plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (nameList, (PKIX_PL_Object *)name, plContext)); subTest(" PKIX_ComCertSelParams_SetSubjAltNames"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames (params, nameList, plContext)); PKIX_TEST_DECREF_BC(name); PKIX_TEST_DECREF_BC(nameList); subTest(" Permitting ONE"); testSelector(selector, certs, 0x1); subTest(" Add DNS name "); name = createGeneralName (PKIX_DNS_NAME, "mytestcertificates.gov", plContext); subTest(" PKIX_ComCertSelParams_AddSubjAltName"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName (params, name, plContext)); PKIX_TEST_DECREF_BC(name); subTest(" Permitting NONE"); testSelector(selector, certs, 0x0); subTest(" PKIX_ComCertSelParams_SetMatchAllSubjAltNames to FALSE"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames (params, PKIX_FALSE, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" Permitting TWO"); testSelector(selector, certs, 0x3); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(params); PKIX_TEST_DECREF_AC(name); PKIX_TEST_DECREF_AC(nameList); PKIX_TEST_RETURN(); } static void testCertificateValidMatch( PKIX_List *certs) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *params = NULL; PKIX_PL_String *stringRep = NULL; PKIX_PL_Date *testDate = NULL; char *asciiRep = "050501000000Z"; PKIX_TEST_STD_VARS(); subTest("CertificateValid match"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (¶ms, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_String_Create (PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid (params, testDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); testSelector(selector, certs, 0xFFFFFFFF); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(params); PKIX_TEST_DECREF_AC(stringRep); PKIX_TEST_DECREF_AC(testDate); PKIX_TEST_RETURN(); } static void test_customCallback1(PKIX_List *certs) { PKIX_CertSelector *selector = NULL; PKIX_TEST_STD_VARS(); subTest("custom matchCallback"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (custom_CertSelector_MatchCallback, NULL, &selector, plContext)); testSelector(selector, certs, 0x900); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_RETURN(); } static void test_customCallback2 (PKIX_List *certs, PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */ { PKIX_CertSelector *selector = NULL; PKIX_List *anyPolicyList = NULL; /* OIDs */ PKIX_PL_OID *policyOID = NULL; PKIX_TEST_STD_VARS(); subTest("custom matchCallback with CertSelectorContext"); testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (anyPolicyList, 0, (PKIX_PL_Object **)&policyOID, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (custom_CertSelector_MatchOIDCallback, (PKIX_PL_Object *)policyOID, &selector, plContext)); testSelector(selector, certs, (1 << ANYPOLICYCERT)); cleanup: PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(anyPolicyList); PKIX_TEST_DECREF_AC(policyOID); PKIX_TEST_RETURN(); } static void testExtendedKeyUsageMatch(char *certDir) { PKIX_ComCertSelParams *goodParams = NULL; PKIX_PL_OID *ekuOid = NULL; PKIX_List *ekuOidList = NULL; PKIX_PL_String *dirString = NULL; PKIX_CertStore_CertCallback certCallback; PKIX_CertStore *certStore = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_List *certList = NULL; PKIX_UInt32 numCert = 0; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); subTest("test Extended KeyUsage Cert Selector"); subTest(" PKIX_ComCertSelParams_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&goodParams, plContext)); subTest(" Create Extended Key Usage OID List"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&ekuOidList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create ("1.3.6.1.5.5.7.3.2", &ekuOid, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); PKIX_TEST_DECREF_BC(ekuOid); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create ("1.3.6.1.5.5.7.3.3", &ekuOid, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (ekuOidList, (PKIX_PL_Object *)ekuOid, plContext)); PKIX_TEST_DECREF_BC(ekuOid); subTest(" PKIX_ComCertSelParams_SetExtendedKeyUsage"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage (goodParams, ekuOidList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, certDir, 0, &dirString, plContext)); subTest(" PKIX_PL_CollectionCertStoreContext_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString, &certStore, plContext)); subTest(" PKIX_CertSelector_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, goodParams, plContext)); subTest(" PKIX_CertStore_GetCertCallback"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback (certStore, &certCallback, NULL)); subTest(" Getting data from Cert Callback"); PKIX_TEST_EXPECT_NO_ERROR(certCallback (certStore, certSelector, &nbioContext, &certList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certList, &numCert, plContext)); if (numCert != PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS) { pkixTestErrorMsg = "unexpected Cert number mismatch"; } cleanup: PKIX_TEST_DECREF_AC(ekuOid); PKIX_TEST_DECREF_AC(ekuOidList); PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(dirString); PKIX_TEST_DECREF_AC(certList); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_RETURN(); } static void testKeyUsageMatch(char *certDir) { PKIX_ComCertSelParams *goodParams = NULL; PKIX_PL_String *dirString = NULL; PKIX_CertStore_CertCallback certCallback; PKIX_CertStore *certStore = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_List *certList = NULL; PKIX_UInt32 numCert = 0; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); subTest("test KeyUsage Cert Selector"); subTest(" PKIX_ComCertSelParams_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&goodParams, plContext)); subTest(" PKIX_ComCertSelParams_SetKeyUsage"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage (goodParams, PKIX_CRL_SIGN, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, certDir, 0, &dirString, plContext)); subTest(" PKIX_PL_CollectionCertStoreContext_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString, &certStore, plContext)); subTest(" PKIX_CertSelector_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, goodParams, plContext)); subTest(" PKIX_CertStore_GetCertCallback"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback (certStore, &certCallback, NULL)); subTest(" Getting data from Cert Callback"); PKIX_TEST_EXPECT_NO_ERROR(certCallback (certStore, certSelector, &nbioContext, &certList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certList, &numCert, plContext)); if (numCert != PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS) { pkixTestErrorMsg = "unexpected Cert number mismatch"; } cleanup: PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(dirString); PKIX_TEST_DECREF_AC(certList); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_RETURN(); } static void testCertValidMatch(char *certDir) { PKIX_ComCertSelParams *goodParams = NULL; PKIX_PL_Date *validDate = NULL; PKIX_PL_String *dirString = NULL; PKIX_CertStore_CertCallback certCallback; PKIX_CertStore *certStore = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_List *certList = NULL; PKIX_UInt32 numCert = 0; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); subTest("test CertValid Cert Selector"); subTest(" PKIX_ComCertSelParams_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&goodParams, plContext)); validDate = createDate("050601000000Z", plContext); subTest(" PKIX_ComCertSelParams_SetCertificateValid"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid (goodParams, validDate, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, certDir, 0, &dirString, plContext)); subTest(" PKIX_PL_CollectionCertStoreContext_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString, &certStore, plContext)); subTest(" PKIX_CertSelector_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, goodParams, plContext)); subTest(" PKIX_CertStore_GetCertCallback"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback (certStore, &certCallback, NULL)); subTest(" Getting data from Cert Callback"); PKIX_TEST_EXPECT_NO_ERROR(certCallback (certStore, certSelector, &nbioContext, &certList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certList, &numCert, plContext)); if (numCert != PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS) { pkixTestErrorMsg = "unexpected Cert number mismatch"; } cleanup: PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(validDate); PKIX_TEST_DECREF_AC(dirString); PKIX_TEST_DECREF_AC(certList); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_RETURN(); } static void testIssuerMatch(char *certDir) { PKIX_ComCertSelParams *goodParams = NULL; PKIX_PL_X500Name *issuer = NULL; PKIX_PL_String *issuerStr = NULL; PKIX_PL_String *dirString = NULL; PKIX_CertStore_CertCallback certCallback; PKIX_CertStore *certStore = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_List *certList = NULL; char *issuerName = "CN=science,O=mit,C=US"; PKIX_UInt32 numCert = 0; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); subTest("test Issuer Cert Selector"); subTest(" PKIX_ComCertSelParams_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&goodParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, issuerName, 0, &issuerStr, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create (issuerStr, &issuer, plContext)); subTest(" PKIX_ComCertSelParams_SetIssuer"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer (goodParams, issuer, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, certDir, 0, &dirString, plContext)); subTest(" PKIX_PL_CollectionCertStoreContext_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString, &certStore, plContext)); subTest(" PKIX_CertSelector_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, goodParams, plContext)); subTest(" PKIX_CertStore_GetCertCallback"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback (certStore, &certCallback, NULL)); subTest(" Getting data from Cert Callback"); PKIX_TEST_EXPECT_NO_ERROR(certCallback (certStore, certSelector, &nbioContext, &certList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certList, &numCert, plContext)); if (numCert != PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS) { pkixTestErrorMsg = "unexpected Cert number mismatch"; } cleanup: PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(issuer); PKIX_TEST_DECREF_AC(issuerStr); PKIX_TEST_DECREF_AC(dirString); PKIX_TEST_DECREF_AC(certList); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_RETURN(); } static void testSerialNumberVersionMatch(char *certDir) { PKIX_ComCertSelParams *goodParams = NULL; PKIX_PL_BigInt *serialNumber = NULL; PKIX_PL_String *serialNumberStr = NULL; PKIX_PL_String *dirString = NULL; PKIX_CertStore_CertCallback certCallback; PKIX_CertStore *certStore = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_List *certList = NULL; PKIX_UInt32 numCert = 0; void *nbioContext = NULL; PKIX_TEST_STD_VARS(); subTest("test Serial Number Cert Selector"); subTest(" PKIX_ComCertSelParams_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&goodParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, "01", 0, &serialNumberStr, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create (serialNumberStr, &serialNumber, plContext)); subTest(" PKIX_ComCertSelParams_SetSerialNumber"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber (goodParams, serialNumber, plContext)); subTest(" PKIX_ComCertSelParams_SetVersion"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion (goodParams, 0, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, certDir, 0, &dirString, plContext)); subTest(" PKIX_PL_CollectionCertStoreContext_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString, &certStore, plContext)); subTest(" PKIX_CertSelector_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, goodParams, plContext)); subTest(" PKIX_CertStore_GetCertCallback"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback (certStore, &certCallback, NULL)); subTest(" Getting data from Cert Callback"); PKIX_TEST_EXPECT_NO_ERROR(certCallback (certStore, certSelector, &nbioContext, &certList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certList, &numCert, plContext)); PKIX_TEST_DECREF_BC(certList); if (numCert != 0) { pkixTestErrorMsg = "unexpected Version mismatch"; } subTest(" PKIX_ComCertSelParams_SetVersion"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion (goodParams, 2, plContext)); subTest(" Getting data from Cert Callback"); PKIX_TEST_EXPECT_NO_ERROR(certCallback (certStore, certSelector, &nbioContext, &certList, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength (certList, &numCert, plContext)); if (numCert != PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS) { pkixTestErrorMsg = "unexpected Serial Number mismatch"; } cleanup: PKIX_TEST_DECREF_AC(goodParams); PKIX_TEST_DECREF_AC(serialNumber); PKIX_TEST_DECREF_AC(serialNumberStr); PKIX_TEST_DECREF_AC(dirString); PKIX_TEST_DECREF_AC(certList); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_RETURN(); } static void testSubjKeyIdMatch(PKIX_List *certs) { PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *params = NULL; PKIX_PL_Cert *cert = NULL; PKIX_PL_ByteArray *selSubjKeyId = NULL; PKIX_UInt32 item = 0; PKIX_TEST_STD_VARS(); subTest("test Subject Key Id Cert Selector"); item = 2; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem (certs, item, (PKIX_PL_Object **)&cert, plContext)); subTest(" PKIX_PL_Cert_GetSubjectKeyIdentifier"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier (cert, &selSubjKeyId, plContext)); subTest(" Create Selector and ComCertSelParams"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (¶ms, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, params, plContext)); subTest(" PKIX_ComCertSelParams_SetSubjKeyIdentifier"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier (params, selSubjKeyId, plContext)); subTest(" Select One"); testSelector(selector, certs, 1< \n\n"); } int test_certselector(int argc, char *argv[]) { PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 actualMinorVersion; PKIX_CertSelector *emptySelector = NULL; PKIX_List *certs = NULL; PKIX_List *nameConstraintsCerts = NULL; PKIX_List *subjAltNamesCerts = NULL; PKIX_PL_Cert *cert = NULL; PKIX_PL_Cert *policy1Cert = NULL; PKIX_PL_Cert *policy2Cert = NULL; PKIX_PL_Cert *anyPolicyCert = NULL; PKIX_PL_Cert *subjectCert = NULL; PKIX_ComCertSelParams *selParams = NULL; char *certDir = NULL; char *dirName = NULL; PKIX_TEST_STD_VARS(); startTests("CertSelector"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); if (argc < 3) { printUsage(); return (0); } dirName = argv[j+1]; certDir = argv[j+3]; /* Create a List of certs to use in testing the selector */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); for (i = 0; i < NUMCERTS; i++) { cert = createCert(dirName, certList[i], plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (certs, (PKIX_PL_Object *)cert, plContext)); if (i == POLICY1CERT) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef ((PKIX_PL_Object *)cert, plContext)); policy1Cert = cert; } if (i == ANYPOLICYCERT) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef ((PKIX_PL_Object *)cert, plContext)); anyPolicyCert = cert; } if (i == POLICY2CERT) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef ((PKIX_PL_Object *)cert, plContext)); policy2Cert = cert; } if (i == SUBJECTCERT) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef ((PKIX_PL_Object *)cert, plContext)); subjectCert = cert; } PKIX_TEST_DECREF_BC(cert); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create (&nameConstraintsCerts, plContext)); for (i = 0; i < NUMNCCERTS; i++) { cert = createCert(dirName, ncCertList[i], plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (nameConstraintsCerts, (PKIX_PL_Object *)cert, plContext)); PKIX_TEST_DECREF_BC(cert); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create (&subjAltNamesCerts, plContext)); for (i = 0; i < NUMSANCERTS; i++) { cert = createCert(dirName, sanCertList[i], plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (subjAltNamesCerts, (PKIX_PL_Object *)cert, plContext)); PKIX_TEST_DECREF_BC(cert); } subTest("test_CertSelector_Create"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &emptySelector, plContext)); subTest("Default Match, no parameters set"); testSelector(emptySelector, certs, 0xFFFFFFFF); testSubjectMatch(certs, subjectCert); testBasicConstraintsMatch(certs); testPolicyMatch(certs, policy1Cert, policy2Cert, anyPolicyCert); testCertificateMatch(certs, subjectCert); testCertificateValidMatch(certs); subTest("Combination: pass only EE certs that assert some policy"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&selParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetBasicConstraints (selParams, -2, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (emptySelector, selParams, plContext)); testSelector(emptySelector, certs, 0xC00); testNameConstraintsMatch(nameConstraintsCerts); testPathToNamesMatch(nameConstraintsCerts); testSubjAltNamesMatch(subjAltNamesCerts); testExtendedKeyUsageMatch(certDir); testKeyUsageMatch(certDir); testIssuerMatch(certDir); testSerialNumberVersionMatch(certDir); testCertValidMatch(certDir); testSubjKeyIdMatch(nameConstraintsCerts); testAuthKeyIdMatch(nameConstraintsCerts); testSubjPKAlgIdMatch(nameConstraintsCerts); testSubjPublicKeyMatch(nameConstraintsCerts); test_CertSelector_Duplicate(emptySelector); test_customCallback1(certs); test_customCallback2(certs, anyPolicyCert); subTest("test_CertSelector_Destroy"); PKIX_TEST_DECREF_BC(emptySelector); cleanup: PKIX_TEST_DECREF_AC(emptySelector); PKIX_TEST_DECREF_AC(certs); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(policy1Cert); PKIX_TEST_DECREF_AC(policy2Cert); PKIX_TEST_DECREF_AC(anyPolicyCert); PKIX_TEST_DECREF_AC(subjectCert); PKIX_TEST_DECREF_AC(selParams); PKIX_TEST_DECREF_AC(nameConstraintsCerts); PKIX_TEST_DECREF_AC(subjAltNamesCerts); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("CertSelector"); return (0); }