xref: /aosp_15_r20/external/cronet/third_party/boringssl/src/pki/trust_store_collection_unittest.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "trust_store_collection.h"
6 
7 #include <gtest/gtest.h>
8 #include "test_helpers.h"
9 #include "trust_store_in_memory.h"
10 
11 namespace bssl {
12 
13 namespace {
14 
15 class TrustStoreCollectionTest : public testing::Test {
16  public:
SetUp()17   void SetUp() override {
18     ParsedCertificateList chain;
19     ASSERT_TRUE(ReadCertChainFromFile(
20         "testdata/verify_certificate_chain_unittest/key-rollover/oldchain.pem",
21         &chain));
22 
23     ASSERT_EQ(3U, chain.size());
24     target_ = chain[0];
25     oldintermediate_ = chain[1];
26     oldroot_ = chain[2];
27     ASSERT_TRUE(target_);
28     ASSERT_TRUE(oldintermediate_);
29     ASSERT_TRUE(oldroot_);
30 
31     ASSERT_TRUE(
32         ReadCertChainFromFile("testdata/verify_certificate_chain_unittest/"
33                               "key-rollover/longrolloverchain.pem",
34                               &chain));
35 
36     ASSERT_EQ(5U, chain.size());
37     newintermediate_ = chain[1];
38     newroot_ = chain[2];
39     newrootrollover_ = chain[3];
40     ASSERT_TRUE(newintermediate_);
41     ASSERT_TRUE(newroot_);
42     ASSERT_TRUE(newrootrollover_);
43   }
44 
45  protected:
46   std::shared_ptr<const ParsedCertificate> oldroot_;
47   std::shared_ptr<const ParsedCertificate> newroot_;
48   std::shared_ptr<const ParsedCertificate> newrootrollover_;
49 
50   std::shared_ptr<const ParsedCertificate> target_;
51   std::shared_ptr<const ParsedCertificate> oldintermediate_;
52   std::shared_ptr<const ParsedCertificate> newintermediate_;
53 };
54 
55 // Collection contains no stores, should return no results.
TEST_F(TrustStoreCollectionTest,NoStores)56 TEST_F(TrustStoreCollectionTest, NoStores) {
57   ParsedCertificateList issuers;
58 
59   TrustStoreCollection collection;
60   collection.SyncGetIssuersOf(target_.get(), &issuers);
61 
62   EXPECT_TRUE(issuers.empty());
63 }
64 
65 // Collection contains only one store.
TEST_F(TrustStoreCollectionTest,OneStore)66 TEST_F(TrustStoreCollectionTest, OneStore) {
67   ParsedCertificateList issuers;
68 
69   TrustStoreCollection collection;
70   TrustStoreInMemory in_memory;
71   in_memory.AddTrustAnchor(newroot_);
72   collection.AddTrustStore(&in_memory);
73   collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
74 
75   ASSERT_EQ(1U, issuers.size());
76   EXPECT_EQ(newroot_.get(), issuers[0].get());
77 
78   // newroot_ is trusted.
79   CertificateTrust trust = collection.GetTrust(newroot_.get());
80   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
81             trust.ToDebugString());
82 
83   // oldroot_ is not.
84   trust = collection.GetTrust(oldroot_.get());
85   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
86             trust.ToDebugString());
87 }
88 
89 // SyncGetIssuersOf() should append to its output parameters rather than assign
90 // them.
TEST_F(TrustStoreCollectionTest,OutputVectorsAppendedTo)91 TEST_F(TrustStoreCollectionTest, OutputVectorsAppendedTo) {
92   ParsedCertificateList issuers;
93 
94   // Populate the out-parameter with some values.
95   issuers.resize(3);
96 
97   TrustStoreCollection collection;
98   TrustStoreInMemory in_memory;
99   in_memory.AddTrustAnchor(newroot_);
100   collection.AddTrustStore(&in_memory);
101   collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
102 
103   ASSERT_EQ(4U, issuers.size());
104   EXPECT_EQ(newroot_.get(), issuers[3].get());
105 
106   // newroot_ is trusted.
107   CertificateTrust trust = collection.GetTrust(newroot_.get());
108   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
109             trust.ToDebugString());
110 
111   // newrootrollover_ is not.
112   trust = collection.GetTrust(newrootrollover_.get());
113   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
114             trust.ToDebugString());
115 }
116 
117 // Collection contains two stores.
TEST_F(TrustStoreCollectionTest,TwoStores)118 TEST_F(TrustStoreCollectionTest, TwoStores) {
119   ParsedCertificateList issuers;
120 
121   TrustStoreCollection collection;
122   TrustStoreInMemory in_memory1;
123   TrustStoreInMemory in_memory2;
124   in_memory1.AddTrustAnchor(newroot_);
125   in_memory2.AddTrustAnchor(oldroot_);
126   collection.AddTrustStore(&in_memory1);
127   collection.AddTrustStore(&in_memory2);
128   collection.SyncGetIssuersOf(newintermediate_.get(), &issuers);
129 
130   ASSERT_EQ(2U, issuers.size());
131   EXPECT_EQ(newroot_.get(), issuers[0].get());
132   EXPECT_EQ(oldroot_.get(), issuers[1].get());
133 
134   // newroot_ is trusted.
135   CertificateTrust trust = collection.GetTrust(newroot_.get());
136   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
137             trust.ToDebugString());
138 
139   // oldroot_ is trusted.
140   trust = collection.GetTrust(oldroot_.get());
141   EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
142             trust.ToDebugString());
143 
144   // newrootrollover_ is not.
145   trust = collection.GetTrust(newrootrollover_.get());
146   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
147             trust.ToDebugString());
148 }
149 
150 // Collection contains two stores. The certificate is marked as trusted in one,
151 // but distrusted in the other.
TEST_F(TrustStoreCollectionTest,DistrustTakesPriority)152 TEST_F(TrustStoreCollectionTest, DistrustTakesPriority) {
153   ParsedCertificateList issuers;
154 
155   TrustStoreCollection collection;
156   TrustStoreInMemory in_memory1;
157   TrustStoreInMemory in_memory2;
158 
159   // newroot_ is trusted in store1, distrusted in store2.
160   in_memory1.AddTrustAnchor(newroot_);
161   in_memory2.AddDistrustedCertificateForTest(newroot_);
162 
163   // oldintermediate is distrusted in store1, trusted in store2.
164   in_memory1.AddDistrustedCertificateForTest(oldintermediate_);
165   in_memory2.AddTrustAnchor(oldintermediate_);
166 
167   collection.AddTrustStore(&in_memory1);
168   collection.AddTrustStore(&in_memory2);
169 
170   // newroot_ is distrusted..
171   CertificateTrust trust = collection.GetTrust(newroot_.get());
172   EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
173             trust.ToDebugString());
174 
175   // oldintermediate_ is distrusted.
176   trust = collection.GetTrust(oldintermediate_.get());
177   EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
178             trust.ToDebugString());
179 
180   // newrootrollover_ is unspecified.
181   trust = collection.GetTrust(newrootrollover_.get());
182   EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
183             trust.ToDebugString());
184 }
185 
186 }  // namespace
187 
188 }  // namespace bssl
189