Return to test_certpolicy.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / tests / suites |
1.1 misho 1: /* 2: * Copyright (C) 2014 Martin Willi 3: * Copyright (C) 2014 revosec AG 4: * 5: * This program is free software; you can redistribute it and/or modify it 6: * under the terms of the GNU General Public License as published by the 7: * Free Software Foundation; either version 2 of the License, or (at your 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 9: * 10: * This program is distributed in the hope that it will be useful, but 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13: * for more details. 14: */ 15: 16: #include "test_suite.h" 17: 18: #include <asn1/asn1.h> 19: #include <credentials/sets/mem_cred.h> 20: #include <credentials/certificates/x509.h> 21: 22: /** 23: * RSA private key, so we don't have to generate one 24: */ 25: static char keydata[] = { 26: 0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24, 27: 0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d, 28: 0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf, 29: 0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f, 30: 0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27, 31: 0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad, 32: 0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63, 33: 0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71, 34: 0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01, 35: 0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5, 36: 0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4, 37: 0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb, 38: 0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f, 39: 0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93, 40: 0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88, 41: 0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4, 42: 0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd, 43: 0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b, 44: 0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21, 45: 0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee, 46: 0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7, 47: 0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4, 48: 0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54, 49: 0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9, 50: 0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7, 51: 0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61, 52: 0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef, 53: 0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6, 54: 0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08, 55: 0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65, 56: 0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e, 57: 0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e, 58: 0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d, 59: 0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02, 60: 0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b, 61: 0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71, 62: 0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda, 63: 0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02, 64: 0x49,0xe8, 65: }; 66: 67: /** 68: * Issue a certificate fr given policy, including extended flags 69: */ 70: static certificate_t* create_cert_ext(certificate_t *ca, char *subject, 71: char *oid, x509_flag_t flags, 72: char *map_s, char *map_i, 73: u_int require_explicit, 74: u_int inhibit_mapping, 75: u_int inhibit_any) 76: { 77: private_key_t *privkey; 78: public_key_t *pubkey; 79: certificate_t *cert; 80: identification_t *id; 81: linked_list_t *policies, *maps; 82: x509_cert_policy_t policy = {}; 83: x509_policy_mapping_t map = {}; 84: 85: privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, 86: BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata), 87: BUILD_END); 88: ck_assert(privkey); 89: pubkey = privkey->get_public_key(privkey); 90: ck_assert(pubkey); 91: policies = linked_list_create(); 92: if (oid) 93: { 94: policy.oid = asn1_oid_from_string(oid); 95: ck_assert(policy.oid.ptr); 96: policies->insert_last(policies, &policy); 97: } 98: maps = linked_list_create(); 99: if (map_s && map_i) 100: { 101: map.subject = asn1_oid_from_string(map_s); 102: ck_assert(map.subject.ptr); 103: map.issuer = asn1_oid_from_string(map_i); 104: ck_assert(map.issuer.ptr); 105: maps->insert_last(maps, &map); 106: } 107: id = identification_create_from_string(subject); 108: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, 109: BUILD_SIGNING_KEY, privkey, 110: BUILD_PUBLIC_KEY, pubkey, 111: BUILD_SUBJECT, id, 112: BUILD_X509_FLAG, flags, 113: BUILD_CERTIFICATE_POLICIES, policies, 114: BUILD_POLICY_MAPPINGS, maps, 115: BUILD_SIGNING_CERT, ca, 116: BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, 117: BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, 118: BUILD_POLICY_INHIBIT_ANY, inhibit_any, 119: BUILD_END); 120: ck_assert(cert); 121: id->destroy(id); 122: policies->destroy(policies); 123: maps->destroy(maps); 124: privkey->destroy(privkey); 125: pubkey->destroy(pubkey); 126: free(policy.oid.ptr); 127: free(map.subject.ptr); 128: free(map.issuer.ptr); 129: 130: return cert; 131: } 132: 133: /** 134: * Issue a certificate with given certificate policy and flags 135: */ 136: static certificate_t* create_cert(certificate_t *ca, char *subject, 137: char *oid, x509_flag_t flags, 138: char *map_s, char *map_i) 139: { 140: return create_cert_ext(ca, subject, oid, flags, map_s, map_i, 141: X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 142: X509_NO_CONSTRAINT); 143: } 144: 145: /** 146: * Check if a certificate with given subject has an oid 147: */ 148: static bool check_oid(identification_t *subject, char *oid) 149: { 150: enumerator_t *certs, *auths; 151: certificate_t *cert; 152: auth_cfg_t *auth; 153: bool found = FALSE; 154: auth_rule_t type; 155: char *current; 156: 157: certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, 158: subject, FALSE); 159: if (!certs->enumerate(certs, &cert, &auth)) 160: { 161: certs->destroy(certs); 162: ck_assert_msg(FALSE, "no trusted certificate found for %Y", subject); 163: } 164: auths = auth->create_enumerator(auth); 165: while (auths->enumerate(auths, &type, ¤t)) 166: { 167: if (type == AUTH_RULE_CERT_POLICY) 168: { 169: if (streq(current, oid)) 170: { 171: found = TRUE; 172: break; 173: } 174: } 175: } 176: auths->destroy(auths); 177: certs->destroy(certs); 178: 179: return found; 180: } 181: 182: /** 183: * Check if a certificate with given subject has a valid trustchain 184: */ 185: static bool check_trust(identification_t *subject) 186: { 187: enumerator_t *certs; 188: certificate_t *cert; 189: bool trusted; 190: 191: certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, 192: subject, FALSE); 193: trusted = certs->enumerate(certs, &cert, NULL); 194: certs->destroy(certs); 195: 196: return trusted; 197: } 198: 199: static mem_cred_t *creds; 200: 201: static char *anyPolicy = "2.5.29.32.0"; 202: static char *extended = "2.23.140.1.1"; 203: static char *baseline = "2.23.140.1.2"; 204: 205: START_SETUP(setup) 206: { 207: creds = mem_cred_create(); 208: lib->credmgr->add_set(lib->credmgr, &creds->set); 209: } 210: END_SETUP 211: 212: START_TEARDOWN(teardown) 213: { 214: lib->credmgr->remove_set(lib->credmgr, &creds->set); 215: creds->destroy(creds); 216: lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); 217: } 218: END_TEARDOWN 219: 220: START_TEST(test_valid_fixed) 221: { 222: certificate_t *ca, *im, *sj; 223: 224: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 225: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); 226: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 227: 228: creds->add_cert(creds, TRUE, ca); 229: creds->add_cert(creds, FALSE, im); 230: creds->add_cert(creds, FALSE, sj); 231: 232: ck_assert(check_oid(sj->get_subject(sj), baseline)); 233: } 234: END_TEST 235: 236: START_TEST(test_valid_any1) 237: { 238: certificate_t *ca, *im, *sj; 239: 240: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); 241: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); 242: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 243: 244: creds->add_cert(creds, TRUE, ca); 245: creds->add_cert(creds, FALSE, im); 246: creds->add_cert(creds, FALSE, sj); 247: 248: ck_assert(check_oid(sj->get_subject(sj), baseline)); 249: } 250: END_TEST 251: 252: START_TEST(test_valid_any2) 253: { 254: certificate_t *ca, *im, *sj; 255: 256: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); 257: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); 258: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 259: 260: creds->add_cert(creds, TRUE, ca); 261: creds->add_cert(creds, FALSE, im); 262: creds->add_cert(creds, FALSE, sj); 263: 264: ck_assert(check_oid(sj->get_subject(sj), baseline)); 265: } 266: END_TEST 267: 268: START_TEST(test_invalid_missing) 269: { 270: certificate_t *ca, *im, *sj; 271: 272: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 273: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); 274: sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL); 275: 276: creds->add_cert(creds, TRUE, ca); 277: creds->add_cert(creds, FALSE, im); 278: creds->add_cert(creds, FALSE, sj); 279: 280: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 281: } 282: END_TEST 283: 284: START_TEST(test_invalid_wrong) 285: { 286: certificate_t *ca, *im, *sj; 287: 288: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 289: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); 290: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 291: 292: creds->add_cert(creds, TRUE, ca); 293: creds->add_cert(creds, FALSE, im); 294: creds->add_cert(creds, FALSE, sj); 295: 296: ck_assert(!check_oid(sj->get_subject(sj), extended)); 297: } 298: END_TEST 299: 300: START_TEST(test_invalid_any1) 301: { 302: certificate_t *ca, *im, *sj; 303: 304: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); 305: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); 306: sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL); 307: 308: creds->add_cert(creds, TRUE, ca); 309: creds->add_cert(creds, FALSE, im); 310: creds->add_cert(creds, FALSE, sj); 311: 312: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 313: } 314: END_TEST 315: 316: START_TEST(test_invalid_any2) 317: { 318: certificate_t *ca, *im, *sj; 319: 320: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); 321: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); 322: sj = create_cert(im, "CN=SJ", anyPolicy, 0, NULL, NULL); 323: 324: creds->add_cert(creds, TRUE, ca); 325: creds->add_cert(creds, FALSE, im); 326: creds->add_cert(creds, FALSE, sj); 327: 328: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 329: } 330: END_TEST 331: 332: START_TEST(test_badchain_wrong) 333: { 334: certificate_t *ca, *im, *sj; 335: 336: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 337: im = create_cert(ca, "CN=IM", extended, X509_CA, NULL, NULL); 338: sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL); 339: 340: creds->add_cert(creds, TRUE, ca); 341: creds->add_cert(creds, FALSE, im); 342: creds->add_cert(creds, FALSE, sj); 343: 344: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 345: ck_assert(!check_oid(sj->get_subject(sj), extended)); 346: } 347: END_TEST 348: 349: START_TEST(test_badchain_gap) 350: { 351: certificate_t *ca, *im, *sj; 352: 353: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 354: im = create_cert(ca, "CN=IM", NULL, X509_CA, NULL, NULL); 355: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 356: 357: creds->add_cert(creds, TRUE, ca); 358: creds->add_cert(creds, FALSE, im); 359: creds->add_cert(creds, FALSE, sj); 360: 361: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 362: } 363: END_TEST 364: 365: START_TEST(test_badchain_any) 366: { 367: certificate_t *ca, *im, *sj; 368: 369: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 370: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); 371: sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL); 372: 373: creds->add_cert(creds, TRUE, ca); 374: creds->add_cert(creds, FALSE, im); 375: creds->add_cert(creds, FALSE, sj); 376: 377: ck_assert(!check_oid(sj->get_subject(sj), extended)); 378: } 379: END_TEST 380: 381: START_TEST(test_valid_mapping) 382: { 383: certificate_t *ca, *im, *sj; 384: 385: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); 386: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); 387: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 388: 389: creds->add_cert(creds, TRUE, ca); 390: creds->add_cert(creds, FALSE, im); 391: creds->add_cert(creds, FALSE, sj); 392: 393: ck_assert(check_oid(sj->get_subject(sj), baseline)); 394: } 395: END_TEST 396: 397: START_TEST(test_valid_mapping_twice) 398: { 399: certificate_t *ca, *im, *sj; 400: 401: ca = create_cert(NULL, "CN=CA", "2.23.140.1.3", X509_CA, 402: extended, "2.23.140.1.3"); 403: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); 404: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 405: 406: creds->add_cert(creds, TRUE, ca); 407: creds->add_cert(creds, FALSE, im); 408: creds->add_cert(creds, FALSE, sj); 409: 410: ck_assert(check_oid(sj->get_subject(sj), baseline)); 411: } 412: END_TEST 413: 414: START_TEST(test_invalid_mapping_loop) 415: { 416: certificate_t *ca, *im, *sj; 417: 418: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); 419: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, baseline); 420: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 421: 422: creds->add_cert(creds, TRUE, ca); 423: creds->add_cert(creds, FALSE, im); 424: creds->add_cert(creds, FALSE, sj); 425: 426: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 427: } 428: END_TEST 429: 430: START_TEST(test_invalid_mapping_notallowed) 431: { 432: certificate_t *ca, *im, *sj; 433: 434: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 435: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); 436: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 437: 438: creds->add_cert(creds, TRUE, ca); 439: creds->add_cert(creds, FALSE, im); 440: creds->add_cert(creds, FALSE, sj); 441: 442: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 443: } 444: END_TEST 445: 446: START_TEST(test_invalid_mapping_nopolicy) 447: { 448: certificate_t *ca, *im, *sj; 449: 450: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); 451: im = create_cert(ca, "CN=IM", "2.23.140.1.3", X509_CA, baseline, extended); 452: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 453: 454: creds->add_cert(creds, TRUE, ca); 455: creds->add_cert(creds, FALSE, im); 456: creds->add_cert(creds, FALSE, sj); 457: 458: ck_assert(!check_oid(sj->get_subject(sj), baseline)); 459: } 460: END_TEST 461: 462: START_TEST(test_inhibit_mapping_good) 463: { 464: certificate_t *ca, *im, *sj; 465: 466: ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL, 467: X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT); 468: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); 469: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 470: 471: creds->add_cert(creds, TRUE, ca); 472: creds->add_cert(creds, FALSE, im); 473: creds->add_cert(creds, FALSE, sj); 474: 475: ck_assert(check_oid(sj->get_subject(sj), baseline)); 476: } 477: END_TEST 478: 479: START_TEST(test_inhibit_mapping_bad) 480: { 481: certificate_t *ca, *i1, *i2, *sj; 482: 483: ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL, 484: X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT); 485: i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL); 486: i2 = create_cert(i1, "CN=IM2", extended, X509_CA, baseline, extended); 487: sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL); 488: 489: creds->add_cert(creds, TRUE, ca); 490: creds->add_cert(creds, FALSE, i1); 491: creds->add_cert(creds, FALSE, i2); 492: creds->add_cert(creds, FALSE, sj); 493: 494: /* TODO: we currently reject the certificate completely, but should 495: * actually just invalidate the policy not mapped properly */ 496: ck_assert(!check_trust(sj->get_subject(sj))); 497: } 498: END_TEST 499: 500: START_TEST(test_inhibit_any_good) 501: { 502: certificate_t *ca, *im, *sj; 503: 504: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, 505: X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1); 506: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); 507: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 508: 509: creds->add_cert(creds, TRUE, ca); 510: creds->add_cert(creds, FALSE, im); 511: creds->add_cert(creds, FALSE, sj); 512: 513: ck_assert(check_oid(sj->get_subject(sj), baseline)); 514: } 515: END_TEST 516: 517: START_TEST(test_inhibit_any_bad) 518: { 519: certificate_t *ca, *i1, *i2, *sj; 520: 521: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, 522: X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1); 523: i1 = create_cert(ca, "CN=IM1", anyPolicy, X509_CA, NULL, NULL); 524: i2 = create_cert(i1, "CN=IM2", anyPolicy, X509_CA, NULL, NULL); 525: sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL); 526: 527: creds->add_cert(creds, TRUE, ca); 528: creds->add_cert(creds, FALSE, i1); 529: creds->add_cert(creds, FALSE, i2); 530: creds->add_cert(creds, FALSE, sj); 531: 532: /* TODO: we currently reject the certificate completely, but should 533: * actually just invalidate the policy relying on inhibited anyPolicy */ 534: ck_assert(!check_trust(sj->get_subject(sj))); 535: } 536: END_TEST 537: 538: START_TEST(test_require_explicit_good) 539: { 540: certificate_t *ca, *im, *sj; 541: 542: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, 543: 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT); 544: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); 545: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); 546: 547: creds->add_cert(creds, TRUE, ca); 548: creds->add_cert(creds, FALSE, im); 549: creds->add_cert(creds, FALSE, sj); 550: 551: ck_assert(check_oid(sj->get_subject(sj), baseline)); 552: } 553: END_TEST 554: 555: START_TEST(test_require_explicit_bad) 556: { 557: certificate_t *ca, *i1, *i2, *sj; 558: 559: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, 560: 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT); 561: i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL); 562: i2 = create_cert(i1, "CN=IM2", extended, X509_CA, NULL, NULL); 563: sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL); 564: 565: creds->add_cert(creds, TRUE, ca); 566: creds->add_cert(creds, FALSE, i1); 567: creds->add_cert(creds, FALSE, i2); 568: creds->add_cert(creds, FALSE, sj); 569: 570: /* TODO: we currently reject the certificate completely, but should 571: * actually just invalidate the policy violating requireExplicit */ 572: ck_assert(!check_trust(sj->get_subject(sj))); 573: } 574: END_TEST 575: 576: Suite *certpolicy_suite_create() 577: { 578: Suite *s; 579: TCase *tc; 580: 581: s = suite_create("certpolicy"); 582: 583: tc = tcase_create("policy valid"); 584: tcase_add_checked_fixture(tc, setup, teardown); 585: tcase_add_test(tc, test_valid_fixed); 586: tcase_add_test(tc, test_valid_any1); 587: tcase_add_test(tc, test_valid_any2); 588: suite_add_tcase(s, tc); 589: 590: tc = tcase_create("policy invalid"); 591: tcase_add_checked_fixture(tc, setup, teardown); 592: tcase_add_test(tc, test_invalid_missing); 593: tcase_add_test(tc, test_invalid_wrong); 594: tcase_add_test(tc, test_invalid_any1); 595: tcase_add_test(tc, test_invalid_any2); 596: suite_add_tcase(s, tc); 597: 598: tc = tcase_create("policy badchain"); 599: tcase_add_checked_fixture(tc, setup, teardown); 600: tcase_add_test(tc, test_badchain_wrong); 601: tcase_add_test(tc, test_badchain_gap); 602: tcase_add_test(tc, test_badchain_any); 603: suite_add_tcase(s, tc); 604: 605: tc = tcase_create("policy valid mapping"); 606: tcase_add_checked_fixture(tc, setup, teardown); 607: tcase_add_test(tc, test_valid_mapping); 608: tcase_add_test(tc, test_valid_mapping_twice); 609: suite_add_tcase(s, tc); 610: 611: tc = tcase_create("policy invalid mapping"); 612: tcase_add_checked_fixture(tc, setup, teardown); 613: tcase_add_test(tc, test_invalid_mapping_loop); 614: tcase_add_test(tc, test_invalid_mapping_notallowed); 615: tcase_add_test(tc, test_invalid_mapping_nopolicy); 616: suite_add_tcase(s, tc); 617: 618: tc = tcase_create("inhibit policy mapping"); 619: tcase_add_checked_fixture(tc, setup, teardown); 620: tcase_add_test(tc, test_inhibit_mapping_good); 621: tcase_add_test(tc, test_inhibit_mapping_bad); 622: suite_add_tcase(s, tc); 623: 624: tc = tcase_create("inhibit any policy"); 625: tcase_add_checked_fixture(tc, setup, teardown); 626: tcase_add_test(tc, test_inhibit_any_good); 627: tcase_add_test(tc, test_inhibit_any_bad); 628: suite_add_tcase(s, tc); 629: 630: tc = tcase_create("require explicit policy"); 631: tcase_add_checked_fixture(tc, setup, teardown); 632: tcase_add_test(tc, test_require_explicit_good); 633: tcase_add_test(tc, test_require_explicit_bad); 634: suite_add_tcase(s, tc); 635: 636: return s; 637: }