Annotation of embedaddon/strongswan/src/libstrongswan/tests/suites/test_certpolicy.c, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2014 Martin Willi
3: * Copyright (C) 2014 revosec AG
4: *
5: * This program is free software; you can redistribute it and/or modify it
6: * under the terms of the GNU General Public License as published by the
7: * Free Software Foundation; either version 2 of the License, or (at your
8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9: *
10: * This program is distributed in the hope that it will be useful, but
11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13: * for more details.
14: */
15:
16: #include "test_suite.h"
17:
18: #include <asn1/asn1.h>
19: #include <credentials/sets/mem_cred.h>
20: #include <credentials/certificates/x509.h>
21:
22: /**
23: * RSA private key, so we don't have to generate one
24: */
25: static char keydata[] = {
26: 0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24,
27: 0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d,
28: 0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf,
29: 0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f,
30: 0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27,
31: 0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad,
32: 0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63,
33: 0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71,
34: 0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01,
35: 0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5,
36: 0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4,
37: 0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb,
38: 0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f,
39: 0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93,
40: 0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88,
41: 0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4,
42: 0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd,
43: 0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b,
44: 0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21,
45: 0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee,
46: 0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7,
47: 0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4,
48: 0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54,
49: 0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9,
50: 0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7,
51: 0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61,
52: 0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef,
53: 0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6,
54: 0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08,
55: 0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65,
56: 0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e,
57: 0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e,
58: 0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d,
59: 0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02,
60: 0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b,
61: 0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71,
62: 0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda,
63: 0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02,
64: 0x49,0xe8,
65: };
66:
67: /**
68: * Issue a certificate fr given policy, including extended flags
69: */
70: static certificate_t* create_cert_ext(certificate_t *ca, char *subject,
71: char *oid, x509_flag_t flags,
72: char *map_s, char *map_i,
73: u_int require_explicit,
74: u_int inhibit_mapping,
75: u_int inhibit_any)
76: {
77: private_key_t *privkey;
78: public_key_t *pubkey;
79: certificate_t *cert;
80: identification_t *id;
81: linked_list_t *policies, *maps;
82: x509_cert_policy_t policy = {};
83: x509_policy_mapping_t map = {};
84:
85: privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
86: BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata),
87: BUILD_END);
88: ck_assert(privkey);
89: pubkey = privkey->get_public_key(privkey);
90: ck_assert(pubkey);
91: policies = linked_list_create();
92: if (oid)
93: {
94: policy.oid = asn1_oid_from_string(oid);
95: ck_assert(policy.oid.ptr);
96: policies->insert_last(policies, &policy);
97: }
98: maps = linked_list_create();
99: if (map_s && map_i)
100: {
101: map.subject = asn1_oid_from_string(map_s);
102: ck_assert(map.subject.ptr);
103: map.issuer = asn1_oid_from_string(map_i);
104: ck_assert(map.issuer.ptr);
105: maps->insert_last(maps, &map);
106: }
107: id = identification_create_from_string(subject);
108: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
109: BUILD_SIGNING_KEY, privkey,
110: BUILD_PUBLIC_KEY, pubkey,
111: BUILD_SUBJECT, id,
112: BUILD_X509_FLAG, flags,
113: BUILD_CERTIFICATE_POLICIES, policies,
114: BUILD_POLICY_MAPPINGS, maps,
115: BUILD_SIGNING_CERT, ca,
116: BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
117: BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
118: BUILD_POLICY_INHIBIT_ANY, inhibit_any,
119: BUILD_END);
120: ck_assert(cert);
121: id->destroy(id);
122: policies->destroy(policies);
123: maps->destroy(maps);
124: privkey->destroy(privkey);
125: pubkey->destroy(pubkey);
126: free(policy.oid.ptr);
127: free(map.subject.ptr);
128: free(map.issuer.ptr);
129:
130: return cert;
131: }
132:
133: /**
134: * Issue a certificate with given certificate policy and flags
135: */
136: static certificate_t* create_cert(certificate_t *ca, char *subject,
137: char *oid, x509_flag_t flags,
138: char *map_s, char *map_i)
139: {
140: return create_cert_ext(ca, subject, oid, flags, map_s, map_i,
141: X509_NO_CONSTRAINT, X509_NO_CONSTRAINT,
142: X509_NO_CONSTRAINT);
143: }
144:
145: /**
146: * Check if a certificate with given subject has an oid
147: */
148: static bool check_oid(identification_t *subject, char *oid)
149: {
150: enumerator_t *certs, *auths;
151: certificate_t *cert;
152: auth_cfg_t *auth;
153: bool found = FALSE;
154: auth_rule_t type;
155: char *current;
156:
157: certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
158: subject, FALSE);
159: if (!certs->enumerate(certs, &cert, &auth))
160: {
161: certs->destroy(certs);
162: ck_assert_msg(FALSE, "no trusted certificate found for %Y", subject);
163: }
164: auths = auth->create_enumerator(auth);
165: while (auths->enumerate(auths, &type, ¤t))
166: {
167: if (type == AUTH_RULE_CERT_POLICY)
168: {
169: if (streq(current, oid))
170: {
171: found = TRUE;
172: break;
173: }
174: }
175: }
176: auths->destroy(auths);
177: certs->destroy(certs);
178:
179: return found;
180: }
181:
182: /**
183: * Check if a certificate with given subject has a valid trustchain
184: */
185: static bool check_trust(identification_t *subject)
186: {
187: enumerator_t *certs;
188: certificate_t *cert;
189: bool trusted;
190:
191: certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
192: subject, FALSE);
193: trusted = certs->enumerate(certs, &cert, NULL);
194: certs->destroy(certs);
195:
196: return trusted;
197: }
198:
199: static mem_cred_t *creds;
200:
201: static char *anyPolicy = "2.5.29.32.0";
202: static char *extended = "2.23.140.1.1";
203: static char *baseline = "2.23.140.1.2";
204:
205: START_SETUP(setup)
206: {
207: creds = mem_cred_create();
208: lib->credmgr->add_set(lib->credmgr, &creds->set);
209: }
210: END_SETUP
211:
212: START_TEARDOWN(teardown)
213: {
214: lib->credmgr->remove_set(lib->credmgr, &creds->set);
215: creds->destroy(creds);
216: lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
217: }
218: END_TEARDOWN
219:
220: START_TEST(test_valid_fixed)
221: {
222: certificate_t *ca, *im, *sj;
223:
224: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
225: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
226: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
227:
228: creds->add_cert(creds, TRUE, ca);
229: creds->add_cert(creds, FALSE, im);
230: creds->add_cert(creds, FALSE, sj);
231:
232: ck_assert(check_oid(sj->get_subject(sj), baseline));
233: }
234: END_TEST
235:
236: START_TEST(test_valid_any1)
237: {
238: certificate_t *ca, *im, *sj;
239:
240: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
241: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
242: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
243:
244: creds->add_cert(creds, TRUE, ca);
245: creds->add_cert(creds, FALSE, im);
246: creds->add_cert(creds, FALSE, sj);
247:
248: ck_assert(check_oid(sj->get_subject(sj), baseline));
249: }
250: END_TEST
251:
252: START_TEST(test_valid_any2)
253: {
254: certificate_t *ca, *im, *sj;
255:
256: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
257: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
258: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
259:
260: creds->add_cert(creds, TRUE, ca);
261: creds->add_cert(creds, FALSE, im);
262: creds->add_cert(creds, FALSE, sj);
263:
264: ck_assert(check_oid(sj->get_subject(sj), baseline));
265: }
266: END_TEST
267:
268: START_TEST(test_invalid_missing)
269: {
270: certificate_t *ca, *im, *sj;
271:
272: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
273: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
274: sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);
275:
276: creds->add_cert(creds, TRUE, ca);
277: creds->add_cert(creds, FALSE, im);
278: creds->add_cert(creds, FALSE, sj);
279:
280: ck_assert(!check_oid(sj->get_subject(sj), baseline));
281: }
282: END_TEST
283:
284: START_TEST(test_invalid_wrong)
285: {
286: certificate_t *ca, *im, *sj;
287:
288: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
289: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
290: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
291:
292: creds->add_cert(creds, TRUE, ca);
293: creds->add_cert(creds, FALSE, im);
294: creds->add_cert(creds, FALSE, sj);
295:
296: ck_assert(!check_oid(sj->get_subject(sj), extended));
297: }
298: END_TEST
299:
300: START_TEST(test_invalid_any1)
301: {
302: certificate_t *ca, *im, *sj;
303:
304: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
305: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
306: sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);
307:
308: creds->add_cert(creds, TRUE, ca);
309: creds->add_cert(creds, FALSE, im);
310: creds->add_cert(creds, FALSE, sj);
311:
312: ck_assert(!check_oid(sj->get_subject(sj), baseline));
313: }
314: END_TEST
315:
316: START_TEST(test_invalid_any2)
317: {
318: certificate_t *ca, *im, *sj;
319:
320: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
321: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
322: sj = create_cert(im, "CN=SJ", anyPolicy, 0, NULL, NULL);
323:
324: creds->add_cert(creds, TRUE, ca);
325: creds->add_cert(creds, FALSE, im);
326: creds->add_cert(creds, FALSE, sj);
327:
328: ck_assert(!check_oid(sj->get_subject(sj), baseline));
329: }
330: END_TEST
331:
332: START_TEST(test_badchain_wrong)
333: {
334: certificate_t *ca, *im, *sj;
335:
336: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
337: im = create_cert(ca, "CN=IM", extended, X509_CA, NULL, NULL);
338: sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);
339:
340: creds->add_cert(creds, TRUE, ca);
341: creds->add_cert(creds, FALSE, im);
342: creds->add_cert(creds, FALSE, sj);
343:
344: ck_assert(!check_oid(sj->get_subject(sj), baseline));
345: ck_assert(!check_oid(sj->get_subject(sj), extended));
346: }
347: END_TEST
348:
349: START_TEST(test_badchain_gap)
350: {
351: certificate_t *ca, *im, *sj;
352:
353: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
354: im = create_cert(ca, "CN=IM", NULL, X509_CA, NULL, NULL);
355: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
356:
357: creds->add_cert(creds, TRUE, ca);
358: creds->add_cert(creds, FALSE, im);
359: creds->add_cert(creds, FALSE, sj);
360:
361: ck_assert(!check_oid(sj->get_subject(sj), baseline));
362: }
363: END_TEST
364:
365: START_TEST(test_badchain_any)
366: {
367: certificate_t *ca, *im, *sj;
368:
369: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
370: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
371: sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);
372:
373: creds->add_cert(creds, TRUE, ca);
374: creds->add_cert(creds, FALSE, im);
375: creds->add_cert(creds, FALSE, sj);
376:
377: ck_assert(!check_oid(sj->get_subject(sj), extended));
378: }
379: END_TEST
380:
381: START_TEST(test_valid_mapping)
382: {
383: certificate_t *ca, *im, *sj;
384:
385: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
386: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
387: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
388:
389: creds->add_cert(creds, TRUE, ca);
390: creds->add_cert(creds, FALSE, im);
391: creds->add_cert(creds, FALSE, sj);
392:
393: ck_assert(check_oid(sj->get_subject(sj), baseline));
394: }
395: END_TEST
396:
397: START_TEST(test_valid_mapping_twice)
398: {
399: certificate_t *ca, *im, *sj;
400:
401: ca = create_cert(NULL, "CN=CA", "2.23.140.1.3", X509_CA,
402: extended, "2.23.140.1.3");
403: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
404: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
405:
406: creds->add_cert(creds, TRUE, ca);
407: creds->add_cert(creds, FALSE, im);
408: creds->add_cert(creds, FALSE, sj);
409:
410: ck_assert(check_oid(sj->get_subject(sj), baseline));
411: }
412: END_TEST
413:
414: START_TEST(test_invalid_mapping_loop)
415: {
416: certificate_t *ca, *im, *sj;
417:
418: ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
419: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, baseline);
420: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
421:
422: creds->add_cert(creds, TRUE, ca);
423: creds->add_cert(creds, FALSE, im);
424: creds->add_cert(creds, FALSE, sj);
425:
426: ck_assert(!check_oid(sj->get_subject(sj), baseline));
427: }
428: END_TEST
429:
430: START_TEST(test_invalid_mapping_notallowed)
431: {
432: certificate_t *ca, *im, *sj;
433:
434: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
435: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
436: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
437:
438: creds->add_cert(creds, TRUE, ca);
439: creds->add_cert(creds, FALSE, im);
440: creds->add_cert(creds, FALSE, sj);
441:
442: ck_assert(!check_oid(sj->get_subject(sj), baseline));
443: }
444: END_TEST
445:
446: START_TEST(test_invalid_mapping_nopolicy)
447: {
448: certificate_t *ca, *im, *sj;
449:
450: ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
451: im = create_cert(ca, "CN=IM", "2.23.140.1.3", X509_CA, baseline, extended);
452: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
453:
454: creds->add_cert(creds, TRUE, ca);
455: creds->add_cert(creds, FALSE, im);
456: creds->add_cert(creds, FALSE, sj);
457:
458: ck_assert(!check_oid(sj->get_subject(sj), baseline));
459: }
460: END_TEST
461:
462: START_TEST(test_inhibit_mapping_good)
463: {
464: certificate_t *ca, *im, *sj;
465:
466: ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
467: X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
468: im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
469: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
470:
471: creds->add_cert(creds, TRUE, ca);
472: creds->add_cert(creds, FALSE, im);
473: creds->add_cert(creds, FALSE, sj);
474:
475: ck_assert(check_oid(sj->get_subject(sj), baseline));
476: }
477: END_TEST
478:
479: START_TEST(test_inhibit_mapping_bad)
480: {
481: certificate_t *ca, *i1, *i2, *sj;
482:
483: ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
484: X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
485: i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL);
486: i2 = create_cert(i1, "CN=IM2", extended, X509_CA, baseline, extended);
487: sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
488:
489: creds->add_cert(creds, TRUE, ca);
490: creds->add_cert(creds, FALSE, i1);
491: creds->add_cert(creds, FALSE, i2);
492: creds->add_cert(creds, FALSE, sj);
493:
494: /* TODO: we currently reject the certificate completely, but should
495: * actually just invalidate the policy not mapped properly */
496: ck_assert(!check_trust(sj->get_subject(sj)));
497: }
498: END_TEST
499:
500: START_TEST(test_inhibit_any_good)
501: {
502: certificate_t *ca, *im, *sj;
503:
504: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
505: X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1);
506: im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
507: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
508:
509: creds->add_cert(creds, TRUE, ca);
510: creds->add_cert(creds, FALSE, im);
511: creds->add_cert(creds, FALSE, sj);
512:
513: ck_assert(check_oid(sj->get_subject(sj), baseline));
514: }
515: END_TEST
516:
517: START_TEST(test_inhibit_any_bad)
518: {
519: certificate_t *ca, *i1, *i2, *sj;
520:
521: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
522: X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1);
523: i1 = create_cert(ca, "CN=IM1", anyPolicy, X509_CA, NULL, NULL);
524: i2 = create_cert(i1, "CN=IM2", anyPolicy, X509_CA, NULL, NULL);
525: sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
526:
527: creds->add_cert(creds, TRUE, ca);
528: creds->add_cert(creds, FALSE, i1);
529: creds->add_cert(creds, FALSE, i2);
530: creds->add_cert(creds, FALSE, sj);
531:
532: /* TODO: we currently reject the certificate completely, but should
533: * actually just invalidate the policy relying on inhibited anyPolicy */
534: ck_assert(!check_trust(sj->get_subject(sj)));
535: }
536: END_TEST
537:
538: START_TEST(test_require_explicit_good)
539: {
540: certificate_t *ca, *im, *sj;
541:
542: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
543: 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT);
544: im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
545: sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
546:
547: creds->add_cert(creds, TRUE, ca);
548: creds->add_cert(creds, FALSE, im);
549: creds->add_cert(creds, FALSE, sj);
550:
551: ck_assert(check_oid(sj->get_subject(sj), baseline));
552: }
553: END_TEST
554:
555: START_TEST(test_require_explicit_bad)
556: {
557: certificate_t *ca, *i1, *i2, *sj;
558:
559: ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
560: 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT);
561: i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL);
562: i2 = create_cert(i1, "CN=IM2", extended, X509_CA, NULL, NULL);
563: sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
564:
565: creds->add_cert(creds, TRUE, ca);
566: creds->add_cert(creds, FALSE, i1);
567: creds->add_cert(creds, FALSE, i2);
568: creds->add_cert(creds, FALSE, sj);
569:
570: /* TODO: we currently reject the certificate completely, but should
571: * actually just invalidate the policy violating requireExplicit */
572: ck_assert(!check_trust(sj->get_subject(sj)));
573: }
574: END_TEST
575:
576: Suite *certpolicy_suite_create()
577: {
578: Suite *s;
579: TCase *tc;
580:
581: s = suite_create("certpolicy");
582:
583: tc = tcase_create("policy valid");
584: tcase_add_checked_fixture(tc, setup, teardown);
585: tcase_add_test(tc, test_valid_fixed);
586: tcase_add_test(tc, test_valid_any1);
587: tcase_add_test(tc, test_valid_any2);
588: suite_add_tcase(s, tc);
589:
590: tc = tcase_create("policy invalid");
591: tcase_add_checked_fixture(tc, setup, teardown);
592: tcase_add_test(tc, test_invalid_missing);
593: tcase_add_test(tc, test_invalid_wrong);
594: tcase_add_test(tc, test_invalid_any1);
595: tcase_add_test(tc, test_invalid_any2);
596: suite_add_tcase(s, tc);
597:
598: tc = tcase_create("policy badchain");
599: tcase_add_checked_fixture(tc, setup, teardown);
600: tcase_add_test(tc, test_badchain_wrong);
601: tcase_add_test(tc, test_badchain_gap);
602: tcase_add_test(tc, test_badchain_any);
603: suite_add_tcase(s, tc);
604:
605: tc = tcase_create("policy valid mapping");
606: tcase_add_checked_fixture(tc, setup, teardown);
607: tcase_add_test(tc, test_valid_mapping);
608: tcase_add_test(tc, test_valid_mapping_twice);
609: suite_add_tcase(s, tc);
610:
611: tc = tcase_create("policy invalid mapping");
612: tcase_add_checked_fixture(tc, setup, teardown);
613: tcase_add_test(tc, test_invalid_mapping_loop);
614: tcase_add_test(tc, test_invalid_mapping_notallowed);
615: tcase_add_test(tc, test_invalid_mapping_nopolicy);
616: suite_add_tcase(s, tc);
617:
618: tc = tcase_create("inhibit policy mapping");
619: tcase_add_checked_fixture(tc, setup, teardown);
620: tcase_add_test(tc, test_inhibit_mapping_good);
621: tcase_add_test(tc, test_inhibit_mapping_bad);
622: suite_add_tcase(s, tc);
623:
624: tc = tcase_create("inhibit any policy");
625: tcase_add_checked_fixture(tc, setup, teardown);
626: tcase_add_test(tc, test_inhibit_any_good);
627: tcase_add_test(tc, test_inhibit_any_bad);
628: suite_add_tcase(s, tc);
629:
630: tc = tcase_create("require explicit policy");
631: tcase_add_checked_fixture(tc, setup, teardown);
632: tcase_add_test(tc, test_require_explicit_good);
633: tcase_add_test(tc, test_require_explicit_bad);
634: suite_add_tcase(s, tc);
635:
636: return s;
637: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>