Chiebot-Mirror
/
boringssl
mirror of https://gitee.com/mirrors/boringssl.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity
Mirror of BoringSSL (grpc依赖) https://boringssl.googlesource.com/boringssl
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1629 Commits
59 Branches
16 Tags
480 MiB
 
 
 
 
 
 
Tag: Branch: Tree: dd68e4bb4d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'dd68e4bb4d'
${ noResults }
boringssl/pki/verify_certificate_chain_un...

128 lines
4.5 KiB
Raw Blame History

// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "verify_certificate_chain.h"
#include "cert_errors.h"
#include "common_cert_errors.h"
#include "mock_signature_verify_cache.h"
#include "simple_path_builder_delegate.h"
#include "test_helpers.h"
#include "trust_store.h"
#include "verify_certificate_chain_typed_unittest.h"
namespace bssl {
namespace {
class VerifyCertificateChainTestDelegate {
public:
static void Verify(const VerifyCertChainTest& test,
const std::string& test_file_path) {
SimplePathBuilderDelegate delegate(1024, test.digest_policy);
CertPathErrors errors;
std::set<der::Input> user_constrained_policy_set;
VerifyCertificateChain(
test.chain, test.last_cert_trust, &delegate, test.time,
test.key_purpose, test.initial_explicit_policy,
test.user_initial_policy_set, test.initial_policy_mapping_inhibit,
test.initial_any_policy_inhibit, &user_constrained_policy_set, &errors);
VerifyCertPathErrors(test.expected_errors, errors, test.chain,
test_file_path);
VerifyUserConstrainedPolicySet(test.expected_user_constrained_policy_set,
user_constrained_policy_set, test_file_path);
}
};
} // namespace
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
VerifyCertificateChainSingleRootTest,
VerifyCertificateChainTestDelegate);
TEST(VerifyCertificateIsSelfSigned, TargetOnly) {
auto cert = ReadCertFromFile(
"testdata/verify_certificate_chain_unittest/target-only/chain.pem");
ASSERT_TRUE(cert);
// Test with null cache and errors.
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
/*errors=*/nullptr));
// Test with cache and errors.
CertErrors errors;
MockSignatureVerifyCache cache;
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_TRUE(
errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
EXPECT_TRUE(errors.ContainsError(cert_errors::kSubjectDoesNotMatchIssuer));
// Should not try to verify signature if names don't match.
EXPECT_EQ(cache.CacheHits(), 0U);
EXPECT_EQ(cache.CacheMisses(), 0U);
EXPECT_EQ(cache.CacheStores(), 0U);
}
TEST(VerifyCertificateIsSelfSigned, SelfIssued) {
auto cert = ReadCertFromFile(
"testdata/verify_certificate_chain_unittest/target-selfissued/chain.pem");
ASSERT_TRUE(cert);
// Test with null cache and errors.
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
/*errors=*/nullptr));
// Test with cache and errors.
CertErrors errors;
MockSignatureVerifyCache cache;
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_TRUE(
errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
EXPECT_TRUE(errors.ContainsError(cert_errors::kVerifySignedDataFailed));
EXPECT_EQ(cache.CacheHits(), 0U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
// Trying again should use cached signature verification result.
EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_EQ(cache.CacheHits(), 1U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
}
TEST(VerifyCertificateIsSelfSigned, SelfSigned) {
auto cert = ReadCertFromFile(
"testdata/verify_certificate_chain_unittest/target-selfsigned/chain.pem");
ASSERT_TRUE(cert);
// Test with null cache and errors.
EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr,
/*errors=*/nullptr));
// Test with cache and errors.
CertErrors errors;
MockSignatureVerifyCache cache;
EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_FALSE(errors.ContainsAnyErrorWithSeverity(
CertError::Severity::SEVERITY_WARNING));
EXPECT_FALSE(
errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH));
EXPECT_EQ(cache.CacheHits(), 0U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
// Trying again should use cached signature verification result.
EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors));
EXPECT_EQ(cache.CacheHits(), 1U);
EXPECT_EQ(cache.CacheMisses(), 1U);
EXPECT_EQ(cache.CacheStores(), 1U);
}
} // namespace net