xref: /aosp_15_r20/external/cronet/third_party/boringssl/src/pki/verify_certificate_chain_unittest.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "verify_certificate_chain.h"
6 
7 #include "cert_errors.h"
8 #include "common_cert_errors.h"
9 #include "mock_signature_verify_cache.h"
10 #include "simple_path_builder_delegate.h"
11 #include "test_helpers.h"
12 #include "trust_store.h"
13 #include "verify_certificate_chain_typed_unittest.h"
14 
15 namespace bssl {
16 
17 namespace {
18 
19 class VerifyCertificateChainTestDelegate {
20  public:
Verify(const VerifyCertChainTest & test,const std::string & test_file_path)21   static void Verify(const VerifyCertChainTest &test,
22                      const std::string &test_file_path) {
23     SimplePathBuilderDelegate delegate(1024, test.digest_policy);
24 
25     CertPathErrors errors;
26     std::set<der::Input> user_constrained_policy_set;
27     VerifyCertificateChain(
28         test.chain, test.last_cert_trust, &delegate, test.time,
29         test.key_purpose, test.initial_explicit_policy,
30         test.user_initial_policy_set, test.initial_policy_mapping_inhibit,
31         test.initial_any_policy_inhibit, &user_constrained_policy_set, &errors);
32     VerifyCertPathErrors(test.expected_errors, errors, test.chain,
33                          test_file_path);
34     VerifyUserConstrainedPolicySet(test.expected_user_constrained_policy_set,
35                                    user_constrained_policy_set, test_file_path);
36   }
37 };
38 
39 }  // namespace
40 
41 INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
42                                VerifyCertificateChainSingleRootTest,
43                                VerifyCertificateChainTestDelegate);
44 
TEST(VerifyCertificateIsSelfSigned,TargetOnly)45 TEST(VerifyCertificateIsSelfSigned, TargetOnly) {
46   auto cert = ReadCertFromFile(
47       "testdata/verify_certificate_chain_unittest/target-only/chain.pem");
48   ASSERT_TRUE(cert);
49 
50   // Test with null cache and errors.
51   EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
52                                              /*errors=*/nullptr));
53 
54   // Test with cache and errors.
55   CertErrors errors;
56   MockSignatureVerifyCache cache;
57   EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
58 
59   EXPECT_TRUE(
60       errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
61   EXPECT_TRUE(errors.ContainsError(cert_errors::kSubjectDoesNotMatchIssuer));
62 
63   // Should not try to verify signature if names don't match.
64   EXPECT_EQ(cache.CacheHits(), 0U);
65   EXPECT_EQ(cache.CacheMisses(), 0U);
66   EXPECT_EQ(cache.CacheStores(), 0U);
67 }
68 
TEST(VerifyCertificateIsSelfSigned,SelfIssued)69 TEST(VerifyCertificateIsSelfSigned, SelfIssued) {
70   auto cert = ReadCertFromFile(
71       "testdata/verify_certificate_chain_unittest/target-selfissued/chain.pem");
72   ASSERT_TRUE(cert);
73 
74   // Test with null cache and errors.
75   EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
76                                              /*errors=*/nullptr));
77 
78   // Test with cache and errors.
79   CertErrors errors;
80   MockSignatureVerifyCache cache;
81   EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
82 
83   EXPECT_TRUE(
84       errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
85   EXPECT_TRUE(errors.ContainsError(cert_errors::kVerifySignedDataFailed));
86 
87   EXPECT_EQ(cache.CacheHits(), 0U);
88   EXPECT_EQ(cache.CacheMisses(), 1U);
89   EXPECT_EQ(cache.CacheStores(), 1U);
90 
91   // Trying again should use cached signature verification result.
92   EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
93   EXPECT_EQ(cache.CacheHits(), 1U);
94   EXPECT_EQ(cache.CacheMisses(), 1U);
95   EXPECT_EQ(cache.CacheStores(), 1U);
96 }
97 
TEST(VerifyCertificateIsSelfSigned,SelfSigned)98 TEST(VerifyCertificateIsSelfSigned, SelfSigned) {
99   auto cert = ReadCertFromFile(
100       "testdata/verify_certificate_chain_unittest/target-selfsigned/chain.pem");
101   ASSERT_TRUE(cert);
102 
103   // Test with null cache and errors.
104   EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
105                                             /*errors=*/nullptr));
106 
107   // Test with cache and errors.
108   CertErrors errors;
109   MockSignatureVerifyCache cache;
110   EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
111 
112   EXPECT_FALSE(errors.ContainsAnyErrorWithSeverity(
113       CertError::Severity::SEVERITY_WARNING));
114   EXPECT_FALSE(
115       errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
116 
117   EXPECT_EQ(cache.CacheHits(), 0U);
118   EXPECT_EQ(cache.CacheMisses(), 1U);
119   EXPECT_EQ(cache.CacheStores(), 1U);
120 
121   // Trying again should use cached signature verification result.
122   EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
123   EXPECT_EQ(cache.CacheHits(), 1U);
124   EXPECT_EQ(cache.CacheMisses(), 1U);
125   EXPECT_EQ(cache.CacheStores(), 1U);
126 }
127 
128 }  // namespace bssl
129