1/* Copyright (c) 2016, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15#include <string> 16#include <vector> 17 18#include <gtest/gtest.h> 19 20#include <openssl/bio.h> 21#include <openssl/bytestring.h> 22#include <openssl/curve25519.h> 23#include <openssl/crypto.h> 24#include <openssl/digest.h> 25#include <openssl/err.h> 26#include <openssl/pem.h> 27#include <openssl/pool.h> 28#include <openssl/x509.h> 29#include <openssl/x509v3.h> 30 31#include "../internal.h" 32 33 34std::string GetTestData(const char *path); 35 36static const char kCrossSigningRootPEM[] = 37 "-----BEGIN CERTIFICATE-----\n" 38 "MIICcTCCAdqgAwIBAgIIagJHiPvE0MowDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n" 39 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n" 40 "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowPDEaMBgGA1UE\n" 41 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n" 42 "dCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwo3qFvSB9Zmlbpzn9wJp\n" 43 "ikI75Rxkatez8VkLqyxbOhPYl2Haz8F5p1gDG96dCI6jcLGgu3AKT9uhEQyyUko5\n" 44 "EKYasazSeA9CQrdyhPg0mkTYVETnPM1W/ebid1YtqQbq1CMWlq2aTDoSGAReGFKP\n" 45 "RTdXAbuAXzpCfi/d8LqV13UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgIEMB0GA1Ud\n" 46 "JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MBkGA1Ud\n" 47 "DgQSBBBHKHC7V3Z/3oLvEZx0RZRwMBsGA1UdIwQUMBKAEEcocLtXdn/egu8RnHRF\n" 48 "lHAwDQYJKoZIhvcNAQELBQADgYEAnglibsy6mGtpIXivtlcz4zIEnHw/lNW+r/eC\n" 49 "CY7evZTmOoOuC/x9SS3MF9vawt1HFUummWM6ZgErqVBOXIB4//ykrcCgf5ZbF5Hr\n" 50 "+3EFprKhBqYiXdD8hpBkrBoXwn85LPYWNd2TceCrx0YtLIprE2R5MB2RIq8y4Jk3\n" 51 "YFXvkME=\n" 52 "-----END CERTIFICATE-----\n"; 53 54static const char kRootCAPEM[] = 55 "-----BEGIN CERTIFICATE-----\n" 56 "MIICVTCCAb6gAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwLjEaMBgGA1UE\n" 57 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwIBcNMTUwMTAx\n" 58 "MDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMC4xGjAYBgNVBAoTEUJvcmluZ1NTTCBU\n" 59 "RVNUSU5HMRAwDgYDVQQDEwdSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n" 60 "iQKBgQDpDn8RDOZa5oaDcPZRBy4CeBH1siSSOO4mYgLHlPE+oXdqwI/VImi2XeJM\n" 61 "2uCFETXCknJJjYG0iJdrt/yyRFvZTQZw+QzGj+mz36NqhGxDWb6dstB2m8PX+plZ\n" 62 "w7jl81MDvUnWs8yiQ/6twgu5AbhWKZQDJKcNKCEpqa6UW0r5nwIDAQABo3oweDAO\n" 63 "BgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8G\n" 64 "A1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEEA31wH7QC+4HH5UBCeMWQEwGwYDVR0j\n" 65 "BBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOBgQDXylEK77Za\n" 66 "kKeY6ZerrScWyZhrjIGtHFu09qVpdJEzrk87k2G7iHHR9CAvSofCgEExKtWNS9dN\n" 67 "+9WiZp/U48iHLk7qaYXdEuO07No4BYtXn+lkOykE+FUxmA4wvOF1cTd2tdj3MzX2\n" 68 "kfGIBAYhzGZWhY3JbhIfTEfY1PNM1pWChQ==\n" 69 "-----END CERTIFICATE-----\n"; 70 71static const char kRootCrossSignedPEM[] = 72 "-----BEGIN CERTIFICATE-----\n" 73 "MIICYzCCAcygAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n" 74 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n" 75 "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowLjEaMBgGA1UE\n" 76 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZI\n" 77 "hvcNAQEBBQADgY0AMIGJAoGBAOkOfxEM5lrmhoNw9lEHLgJ4EfWyJJI47iZiAseU\n" 78 "8T6hd2rAj9UiaLZd4kza4IURNcKSckmNgbSIl2u3/LJEW9lNBnD5DMaP6bPfo2qE\n" 79 "bENZvp2y0Habw9f6mVnDuOXzUwO9SdazzKJD/q3CC7kBuFYplAMkpw0oISmprpRb\n" 80 "SvmfAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcD\n" 81 "AQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQQDfXAftAL7gc\n" 82 "flQEJ4xZATAbBgNVHSMEFDASgBBHKHC7V3Z/3oLvEZx0RZRwMA0GCSqGSIb3DQEB\n" 83 "CwUAA4GBAErTxYJ0en9HVRHAAr5OO5wuk5Iq3VMc79TMyQLCXVL8YH8Uk7KEwv+q\n" 84 "9MEKZv2eR/Vfm4HlXlUuIqfgUXbwrAYC/YVVX86Wnbpy/jc73NYVCq8FEZeO+0XU\n" 85 "90SWAPDdp+iL7aZdimnMtG1qlM1edmz8AKbrhN/R3IbA2CL0nCWV\n" 86 "-----END CERTIFICATE-----\n"; 87 88static const char kIntermediatePEM[] = 89 "-----BEGIN CERTIFICATE-----\n" 90 "MIICXjCCAcegAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMC4xGjAYBgNV\n" 91 "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRAwDgYDVQQDEwdSb290IENBMCAXDTE1MDEw\n" 92 "MTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjA2MRowGAYDVQQKExFCb3JpbmdTU0wg\n" 93 "VEVTVElORzEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEB\n" 94 "AQUAA4GNADCBiQKBgQC7YtI0l8ocTYJ0gKyXTtPL4iMJCNY4OcxXl48jkncVG1Hl\n" 95 "blicgNUa1r9m9YFtVkxvBinb8dXiUpEGhVg4awRPDcatlsBSEBuJkiZGYbRcAmSu\n" 96 "CmZYnf6u3aYQ18SU8WqVERPpE4cwVVs+6kwlzRw0+XDoZAczu8ZezVhCUc6NbQID\n" 97 "AQABo3oweDAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\n" 98 "AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEIwaaKi1dttdV3sfjRSy\n" 99 "BqMwGwYDVR0jBBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOB\n" 100 "gQCvnolNWEHuQS8PFVVyuLR+FKBeUUdrVbSfHSzTqNAqQGp0C9fk5oCzDq6ZgTfY\n" 101 "ESXM4cJhb3IAnW0UM0NFsYSKQJ50JZL2L3z5ZLQhHdbs4RmODGoC40BVdnJ4/qgB\n" 102 "aGSh09eQRvAVmbVCviDK2ipkWNegdyI19jFfNP5uIkGlYg==\n" 103 "-----END CERTIFICATE-----\n"; 104 105static const char kIntermediateSelfSignedPEM[] = 106 "-----BEGIN CERTIFICATE-----\n" 107 "MIICZjCCAc+gAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n" 108 "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n" 109 "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDYxGjAYBgNVBAoTEUJv\n" 110 "cmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ\n" 111 "KoZIhvcNAQEBBQADgY0AMIGJAoGBALti0jSXyhxNgnSArJdO08viIwkI1jg5zFeX\n" 112 "jyOSdxUbUeVuWJyA1RrWv2b1gW1WTG8GKdvx1eJSkQaFWDhrBE8Nxq2WwFIQG4mS\n" 113 "JkZhtFwCZK4KZlid/q7dphDXxJTxapURE+kThzBVWz7qTCXNHDT5cOhkBzO7xl7N\n" 114 "WEJRzo1tAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEF\n" 115 "BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQjBpoqLV2\n" 116 "211Xex+NFLIGozAbBgNVHSMEFDASgBCMGmiotXbbXVd7H40UsgajMA0GCSqGSIb3\n" 117 "DQEBCwUAA4GBALcccSrAQ0/EqQBsx0ZDTUydHXXNP2DrUkpUKmAXIe8McqIVSlkT\n" 118 "6H4xz7z8VRKBo9j+drjjtCw2i0CQc8aOLxRb5WJ8eVLnaW2XRlUqAzhF0CrulfVI\n" 119 "E4Vs6ZLU+fra1WAuIj6qFiigRja+3YkZArG8tMA9vtlhTX/g7YBZIkqH\n" 120 "-----END CERTIFICATE-----\n"; 121 122static const char kLeafPEM[] = 123 "-----BEGIN CERTIFICATE-----\n" 124 "MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE\n" 125 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg\n" 126 "Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y\n" 127 "aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3\n" 128 "DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c\n" 129 "oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j\n" 130 "5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh\n" 131 "TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\n" 132 "CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0\n" 133 "4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB\n" 134 "gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y\n" 135 "rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU\n" 136 "xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==\n" 137 "-----END CERTIFICATE-----\n"; 138 139static const char kLeafNoKeyUsagePEM[] = 140 "-----BEGIN CERTIFICATE-----\n" 141 "MIICNTCCAZ6gAwIBAgIJAIFQGaLQ0G2mMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n" 142 "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n" 143 "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDcxGjAYBgNVBAoTEUJv\n" 144 "cmluZ1NTTCBURVNUSU5HMRkwFwYDVQQDExBldmlsLmV4YW1wbGUuY29tMIGfMA0G\n" 145 "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOKoZe75NPz77EOaMMl4/0s3PyQw++zJvp\n" 146 "ejHAxZiTPCJgMbEHLrSzNoHdopg+CLUH5bE4wTXM8w9Inv5P8OAFJt7gJuPUunmk\n" 147 "j+NoU3QfzOR6BroePcz1vXX9jyVHRs087M/sLqWRHu9IR+/A+UTcBaWaFiDVUxtJ\n" 148 "YOwFMwjNPQIDAQABo0gwRjAMBgNVHRMBAf8EAjAAMBkGA1UdDgQSBBBJfLEUWHq1\n" 149 "27rZ1AVx2J5GMBsGA1UdIwQUMBKAEIwaaKi1dttdV3sfjRSyBqMwDQYJKoZIhvcN\n" 150 "AQELBQADgYEALVKN2Y3LZJOtu6SxFIYKxbLaXhTGTdIjxipZhmbBRDFjbZjZZOTe\n" 151 "6Oo+VDNPYco4rBexK7umYXJyfTqoY0E8dbiImhTcGTEj7OAB3DbBomgU1AYe+t2D\n" 152 "uwBqh4Y3Eto+Zn4pMVsxGEfUpjzjZDel7bN1/oU/9KWPpDfywfUmjgk=\n" 153 "-----END CERTIFICATE-----\n"; 154 155static const char kForgeryPEM[] = 156 "-----BEGIN CERTIFICATE-----\n" 157 "MIICZzCCAdCgAwIBAgIIdTlMzQoKkeMwDQYJKoZIhvcNAQELBQAwNzEaMBgGA1UE\n" 158 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGTAXBgNVBAMTEGV2aWwuZXhhbXBsZS5jb20w\n" 159 "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDoxGjAYBgNVBAoTEUJv\n" 160 "cmluZ1NTTCBURVNUSU5HMRwwGgYDVQQDExNmb3JnZXJ5LmV4YW1wbGUuY29tMIGf\n" 161 "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADTwruBQZGb7Ay6s9HiYv5d1lwtEy\n" 162 "xQdA2Sy8Rn8uA20Q4KgqwVY7wzIZ+z5Butrsmwb70gdG1XU+yRaDeE7XVoW6jSpm\n" 163 "0sw35/5vJbTcL4THEFbnX0OPZnvpuZDFUkvVtq5kxpDWsVyM24G8EEq7kPih3Sa3\n" 164 "OMhXVXF8kso6UQIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI\n" 165 "KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEEYJ/WHM\n" 166 "8p64erPWIg4/liwwGwYDVR0jBBQwEoAQSXyxFFh6tdu62dQFcdieRjANBgkqhkiG\n" 167 "9w0BAQsFAAOBgQA+zH7bHPElWRWJvjxDqRexmYLn+D3Aivs8XgXQJsM94W0EzSUf\n" 168 "DSLfRgaQwcb2gg2xpDFoG+W0vc6O651uF23WGt5JaFFJJxqjII05IexfCNhuPmp4\n" 169 "4UZAXPttuJXpn74IY1tuouaM06B3vXKZR+/ityKmfJvSwxacmFcK+2ziAg==\n" 170 "-----END CERTIFICATE-----\n"; 171 172// kExamplePSSCert is an example RSA-PSS self-signed certificate, signed with 173// the default hash functions. 174static const char kExamplePSSCert[] = 175 "-----BEGIN CERTIFICATE-----\n" 176 "MIICYjCCAcagAwIBAgIJAI3qUyT6SIfzMBIGCSqGSIb3DQEBCjAFogMCAWowRTEL\n" 177 "MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy\n" 178 "bmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xNDEwMDkxOTA5NTVaFw0xNTEwMDkxOTA5\n" 179 "NTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK\n" 180 "DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A\n" 181 "MIGJAoGBAPi4bIO0vNmoV8CltFl2jFQdeesiUgR+0zfrQf2D+fCmhRU0dXFahKg8\n" 182 "0u9aTtPel4rd/7vPCqqGkr64UOTNb4AzMHYTj8p73OxaymPHAyXvqIqDWHYg+hZ3\n" 183 "13mSYwFIGth7Z/FSVUlO1m5KXNd6NzYM3t2PROjCpywrta9kS2EHAgMBAAGjUDBO\n" 184 "MB0GA1UdDgQWBBTQQfuJQR6nrVrsNF1JEflVgXgfEzAfBgNVHSMEGDAWgBTQQfuJ\n" 185 "QR6nrVrsNF1JEflVgXgfEzAMBgNVHRMEBTADAQH/MBIGCSqGSIb3DQEBCjAFogMC\n" 186 "AWoDgYEASUy2RZcgNbNQZA0/7F+V1YTLEXwD16bm+iSVnzGwtexmQVEYIZG74K/w\n" 187 "xbdZQdTbpNJkp1QPjPfh0zsatw6dmt5QoZ8K8No0DjR9dgf+Wvv5WJvJUIQBoAVN\n" 188 "Z0IL+OQFz6+LcTHxD27JJCebrATXZA0wThGTQDm7crL+a+SujBY=\n" 189 "-----END CERTIFICATE-----\n"; 190 191// kBadPSSCertPEM is a self-signed RSA-PSS certificate with bad parameters. 192static const char kBadPSSCertPEM[] = 193 "-----BEGIN CERTIFICATE-----\n" 194 "MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI\n" 195 "AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD\n" 196 "VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz\n" 197 "NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj\n" 198 "ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH\n" 199 "qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL\n" 200 "IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT\n" 201 "IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k\n" 202 "dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq\n" 203 "QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa\n" 204 "5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2\n" 205 "4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB\n" 206 "Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii\n" 207 "BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb\n" 208 "xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn\n" 209 "plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY\n" 210 "DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p\n" 211 "NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ\n" 212 "lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=\n" 213 "-----END CERTIFICATE-----\n"; 214 215static const char kRSAKey[] = 216 "-----BEGIN RSA PRIVATE KEY-----\n" 217 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n" 218 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n" 219 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n" 220 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n" 221 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n" 222 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n" 223 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n" 224 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n" 225 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n" 226 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n" 227 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n" 228 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n" 229 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n" 230 "-----END RSA PRIVATE KEY-----\n"; 231 232// kCRLTestRoot is a test root certificate. It has private key: 233// 234// -----BEGIN RSA PRIVATE KEY----- 235// MIIEpAIBAAKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3BS/dUBpbrzd1aeFzN 236// lI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+5R/Du0iCb1tCZIPY 237// 07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWpuRqO6rctN9qUoMlT 238// IAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n8H922qmvPNA9idmX 239// 9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbLP2o9orxGx7aCtnnB 240// ZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABAoIBAQCJF9MTHfHGkk+/ 241// DwCXlA0Wg0e6hBuHl10iNobYkMWIl/xXjOknhYiqOqb181py76472SVC5ERprC+r 242// Lf0PXzqKuA117mnkwT2bYLCL9Skf8WEhoFLQNbVlloF6wYjqXcYgKYKh8HgQbZl4 243// aLg2YQl2NADTNABsUWj/4H2WEelsODVviqfFs725lFg9KHDI8zxAZXLzDt/M9uVL 244// GxJiX12tr0AwaeAFZ1oPM/y+LznM3N3+Ht3jHHw3jZ/u8Z1RdAmdpu3bZ6tbwGBr 245// 9edsH5rKkm9aBvMrY7eX5VHqaqyRNFyG152ZOJh4XiiFG7EmgTPCpaHo50Y018Re 246// grVtk+FBAoGBANY3lY+V8ZOwMxSHes+kTnoimHO5Ob7nxrOC71i27x+4HHsYUeAr 247// /zOOghiDIn+oNkuiX5CIOWZKx159Bp65CPpCbTb/fh+HYnSgXFgCw7XptycO7LXM 248// 5GwR5jSfpfzBFdYxjxoUzDMFBwTEYRTm0HkUHkH+s+ajjw5wqqbcGLcfAoGBAMM8 249// DKW6Tb66xsf708f0jonAjKYTLZ+WOcwsBEWSFHoY8dUjvW5gqx5acHTEsc5ZTeh4 250// BCFLa+Mn9cuJWVJNs09k7Xb2PNl92HQ4GN2vbdkJhExbkT6oLDHg1hVD0w8KLfz1 251// lTAW6pS+6CdOHMEJpvqx89EgU/1GgIQ1fXYczE75AoGAKeJoXdDFkUjsU+FBhAPu 252// TDcjc80Nm2QaF9NMFR5/lsYa236f06MGnQAKM9zADBHJu/Qdl1brUjLg1HrBppsr 253// RDNkw1IlSOjhuUf5hkPUHGd8Jijm440SRIcjabqla8wdBupdvo2+d2NOQgJbsQiI 254// ToQ+fkzcxAXK3Nnuo/1436UCgYBjLH7UNOZHS8OsVM0I1r8NVKVdu4JCfeJQR8/H 255// s2P5ffBir+wLRMnH+nMDreMQiibcPxMCArkERAlE4jlgaJ38Z62E76KLbLTmnJRt 256// EC9Bv+bXjvAiHvWMRMUbOj/ddPNVez7Uld+FvdBaHwDWQlvzHzBWfBCOKSEhh7Z6 257// qDhUqQKBgQDPMDx2i5rfmQp3imV9xUcCkIRsyYQVf8Eo7NV07IdUy/otmksgn4Zt 258// Lbf3v2dvxOpTNTONWjp2c+iUQo8QxJCZr5Sfb21oQ9Ktcrmc/CY7LeBVDibXwxdM 259// vRG8kBzvslFWh7REzC3u06GSVhyKDfW93kN2cKVwGoahRlhj7oHuZQ== 260// -----END RSA PRIVATE KEY----- 261static const char kCRLTestRoot[] = 262 "-----BEGIN CERTIFICATE-----\n" 263 "MIIDbzCCAlegAwIBAgIJAODri7v0dDUFMA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV\n" 264 "BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\n" 265 "aWV3MRIwEAYDVQQKDAlCb3JpbmdTU0wwHhcNMTYwOTI2MTUwNjI2WhcNMjYwOTI0\n" 266 "MTUwNjI2WjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n" 267 "A1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9yaW5nU1NMMIIBIjANBgkq\n" 268 "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3B\n" 269 "S/dUBpbrzd1aeFzNlI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+\n" 270 "5R/Du0iCb1tCZIPY07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWp\n" 271 "uRqO6rctN9qUoMlTIAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n\n" 272 "8H922qmvPNA9idmX9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbL\n" 273 "P2o9orxGx7aCtnnBZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABo1Aw\n" 274 "TjAdBgNVHQ4EFgQUWPt3N5cZ/CRvubbrkqfBnAqhq94wHwYDVR0jBBgwFoAUWPt3\n" 275 "N5cZ/CRvubbrkqfBnAqhq94wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n" 276 "AQEAORu6M0MOwXy+3VEBwNilfTxyqDfruQsc1jA4PT8Oe8zora1WxE1JB4q2FJOz\n" 277 "EAuM3H/NXvEnBuN+ITvKZAJUfm4NKX97qmjMJwLKWe1gVv+VQTr63aR7mgWJReQN\n" 278 "XdMztlVeZs2dppV6uEg3ia1X0G7LARxGpA9ETbMyCpb39XxlYuTClcbA5ftDN99B\n" 279 "3Xg9KNdd++Ew22O3HWRDvdDpTO/JkzQfzi3sYwUtzMEonENhczJhGf7bQMmvL/w5\n" 280 "24Wxj4Z7KzzWIHsNqE/RIs6RV3fcW61j/mRgW2XyoWnMVeBzvcJr9NXp4VQYmFPw\n" 281 "amd8GKMZQvP0ufGnUn7D7uartA==\n" 282 "-----END CERTIFICATE-----\n"; 283 284static const char kCRLTestLeaf[] = 285 "-----BEGIN CERTIFICATE-----\n" 286 "MIIDkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCVVMx\n" 287 "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEjAQ\n" 288 "BgNVBAoMCUJvcmluZ1NTTDAeFw0xNjA5MjYxNTA4MzFaFw0xNzA5MjYxNTA4MzFa\n" 289 "MEsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlC\n" 290 "b3JpbmdTU0wxEzARBgNVBAMMCmJvcmluZy5zc2wwggEiMA0GCSqGSIb3DQEBAQUA\n" 291 "A4IBDwAwggEKAoIBAQDc5v1S1M0W+QWM+raWfO0LH8uvqEwuJQgODqMaGnSlWUx9\n" 292 "8iQcnWfjyPja3lWg9K62hSOFDuSyEkysKHDxijz5R93CfLcfnVXjWQDJe7EJTTDP\n" 293 "ozEvxN6RjAeYv7CF000euYr3QT5iyBjg76+bon1p0jHZBJeNPP1KqGYgyxp+hzpx\n" 294 "e0gZmTlGAXd8JQK4v8kpdYwD6PPifFL/jpmQpqOtQmH/6zcLjY4ojmqpEdBqIKIX\n" 295 "+saA29hMq0+NK3K+wgg31RU+cVWxu3tLOIiesETkeDgArjWRS1Vkzbi4v9SJxtNu\n" 296 "OZuAxWiynRJw3JwH/OFHYZIvQqz68ZBoj96cepjPAgMBAAGjezB5MAkGA1UdEwQC\n" 297 "MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl\n" 298 "MB0GA1UdDgQWBBTGn0OVVh/aoYt0bvEKG+PIERqnDzAfBgNVHSMEGDAWgBRY+3c3\n" 299 "lxn8JG+5tuuSp8GcCqGr3jANBgkqhkiG9w0BAQsFAAOCAQEAd2nM8gCQN2Dc8QJw\n" 300 "XSZXyuI3DBGGCHcay/3iXu0JvTC3EiQo8J6Djv7WLI0N5KH8mkm40u89fJAB2lLZ\n" 301 "ShuHVtcC182bOKnePgwp9CNwQ21p0rDEu/P3X46ZvFgdxx82E9xLa0tBB8PiPDWh\n" 302 "lV16jbaKTgX5AZqjnsyjR5o9/mbZVupZJXx5Syq+XA8qiJfstSYJs4KyKK9UOjql\n" 303 "ICkJVKpi2ahDBqX4MOH4SLfzVk8pqSpviS6yaA1RXqjpkxiN45WWaXDldVHMSkhC\n" 304 "5CNXsXi4b1nAntu89crwSLA3rEwzCWeYj+BX7e1T9rr3oJdwOU/2KQtW1js1yQUG\n" 305 "tjJMFw==\n" 306 "-----END CERTIFICATE-----\n"; 307 308static const char kBasicCRL[] = 309 "-----BEGIN X509 CRL-----\n" 310 "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n" 311 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n" 312 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV\n" 313 "HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN\n" 314 "ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo\n" 315 "eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os\n" 316 "dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv\n" 317 "diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho\n" 318 "/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==\n" 319 "-----END X509 CRL-----\n"; 320 321static const char kRevokedCRL[] = 322 "-----BEGIN X509 CRL-----\n" 323 "MIIBvjCBpwIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n" 324 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n" 325 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEyNDRaFw0xNjEwMjYxNTEyNDRaMBUwEwICEAAX\n" 326 "DTE2MDkyNjE1MTIyNlqgDjAMMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IB\n" 327 "AQCUGaM4DcWzlQKrcZvI8TMeR8BpsvQeo5BoI/XZu2a8h//PyRyMwYeaOM+3zl0d\n" 328 "sjgCT8b3C1FPgT+P2Lkowv7rJ+FHJRNQkogr+RuqCSPTq65ha4WKlRGWkMFybzVH\n" 329 "NloxC+aU3lgp/NlX9yUtfqYmJek1CDrOOGPrAEAwj1l/BUeYKNGqfBWYJQtPJu+5\n" 330 "OaSvIYGpETCZJscUWODmLEb/O3DM438vLvxonwGqXqS0KX37+CHpUlyhnSovxXxp\n" 331 "Pz4aF+L7OtczxL0GYtD2fR9B7TDMqsNmHXgQrixvvOY7MUdLGbd4RfJL3yA53hyO\n" 332 "xzfKY2TzxLiOmctG0hXFkH5J\n" 333 "-----END X509 CRL-----\n"; 334 335static const char kBadIssuerCRL[] = 336 "-----BEGIN X509 CRL-----\n" 337 "MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n" 338 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwN\n" 339 "Tm90IEJvcmluZ1NTTBcNMTYwOTI2MTUxMjQ0WhcNMTYxMDI2MTUxMjQ0WjAVMBMC\n" 340 "AhAAFw0xNjA5MjYxNTEyMjZaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsF\n" 341 "AAOCAQEAlBmjOA3Fs5UCq3GbyPEzHkfAabL0HqOQaCP12btmvIf/z8kcjMGHmjjP\n" 342 "t85dHbI4Ak/G9wtRT4E/j9i5KML+6yfhRyUTUJKIK/kbqgkj06uuYWuFipURlpDB\n" 343 "cm81RzZaMQvmlN5YKfzZV/clLX6mJiXpNQg6zjhj6wBAMI9ZfwVHmCjRqnwVmCUL\n" 344 "TybvuTmkryGBqREwmSbHFFjg5ixG/ztwzON/Ly78aJ8Bql6ktCl9+/gh6VJcoZ0q\n" 345 "L8V8aT8+Ghfi+zrXM8S9BmLQ9n0fQe0wzKrDZh14EK4sb7zmOzFHSxm3eEXyS98g\n" 346 "Od4cjsc3ymNk88S4jpnLRtIVxZB+SQ==\n" 347 "-----END X509 CRL-----\n"; 348 349// kKnownCriticalCRL is kBasicCRL but with a critical issuing distribution point 350// extension. 351static const char kKnownCriticalCRL[] = 352 "-----BEGIN X509 CRL-----\n" 353 "MIIBujCBowIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n" 354 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n" 355 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCEwHzAKBgNV\n" 356 "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+3\n" 357 "i+5e5Ub8sccfgOBs6WVJFI9c8gvJjrJ8/dYfFIAuCyeocs7DFXn1n13CRZ+URR/Q\n" 358 "mVWgU28+xeusuSPYFpd9cyYTcVyNUGNTI3lwgcE/yVjPaOmzSZKdPakApRxtpKKQ\n" 359 "NN/56aQz3bnT/ZSHQNciRB8U6jiD9V30t0w+FDTpGaG+7bzzUH3UVF9xf9Ctp60A\n" 360 "3mfLe0scas7owSt4AEFuj2SPvcE7yvdOXbu+IEv21cEJUVExJAbhvIweHXh6yRW+\n" 361 "7VVeiNzdIjkZjyTmAzoXGha4+wbxXyBRbfH+XWcO/H+8nwyG8Gktdu2QB9S9nnIp\n" 362 "o/1TpfOMSGhMyMoyPrk=\n" 363 "-----END X509 CRL-----\n"; 364 365// kUnknownCriticalCRL is kBasicCRL but with an unknown critical extension. 366static const char kUnknownCriticalCRL[] = 367 "-----BEGIN X509 CRL-----\n" 368 "MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n" 369 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n" 370 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCMwITAKBgNV\n" 371 "HRQEAwIBATATBgwqhkiG9xIEAYS3CQABAf8EADANBgkqhkiG9w0BAQsFAAOCAQEA\n" 372 "GvBP0xqL509InMj/3493YVRV+ldTpBv5uTD6jewzf5XdaxEQ/VjTNe5zKnxbpAib\n" 373 "Kf7cwX0PMSkZjx7k7kKdDlEucwVvDoqC+O9aJcqVmM6GDyNb9xENxd0XCXja6MZC\n" 374 "yVgP4AwLauB2vSiEprYJyI1APph3iAEeDm60lTXX/wBM/tupQDDujKh2GPyvBRfJ\n" 375 "+wEDwGg3ICwvu4gO4zeC5qnFR+bpL9t5tOMAQnVZ0NWv+k7mkd2LbHdD44dxrfXC\n" 376 "nhtfERx99SDmC/jtUAJrGhtCO8acr7exCeYcduN7KKCm91OeCJKK6OzWst0Og1DB\n" 377 "kwzzU2rL3G65CrZ7H0SZsQ==\n" 378 "-----END X509 CRL-----\n"; 379 380// kUnknownCriticalCRL2 is kBasicCRL but with a critical issuing distribution 381// point extension followed by an unknown critical extension 382static const char kUnknownCriticalCRL2[] = 383 "-----BEGIN X509 CRL-----\n" 384 "MIIBzzCBuAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n" 385 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n" 386 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoDYwNDAKBgNV\n" 387 "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wEwYMKoZIhvcSBAGEtwkAAQH/BAAw\n" 388 "DQYJKoZIhvcNAQELBQADggEBACTcpQC8jXL12JN5YzOcQ64ubQIe0XxRAd30p7qB\n" 389 "BTXGpgqBjrjxRfLms7EBYodEXB2oXMsDq3km0vT1MfYdsDD05S+SQ9CDsq/pUfaC\n" 390 "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n" 391 "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n" 392 "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n" 393 "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n" 394 "-----END X509 CRL-----\n"; 395 396// kEd25519Cert is a self-signed Ed25519 certificate. 397static const char kEd25519Cert[] = 398 "-----BEGIN CERTIFICATE-----\n" 399 "MIIBkTCCAUOgAwIBAgIJAJwooam0UCDmMAUGAytlcDBFMQswCQYDVQQGEwJBVTET\n" 400 "MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ\n" 401 "dHkgTHRkMB4XDTE0MDQyMzIzMjE1N1oXDTE0MDUyMzIzMjE1N1owRTELMAkGA1UE\n" 402 "BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp\n" 403 "ZGdpdHMgUHR5IEx0ZDAqMAUGAytlcAMhANdamAGCsQq31Uv+08lkBzoO4XLz2qYj\n" 404 "Ja8CGmj3B1Eao1AwTjAdBgNVHQ4EFgQUoux7eV+fJK2v3ah6QPU/lj1/+7UwHwYD\n" 405 "VR0jBBgwFoAUoux7eV+fJK2v3ah6QPU/lj1/+7UwDAYDVR0TBAUwAwEB/zAFBgMr\n" 406 "ZXADQQBuCzqji8VP9xU8mHEMjXGChX7YP5J664UyVKHKH9Z1u4wEbB8dJ3ScaWSL\n" 407 "r+VHVKUhsrvcdCelnXRrrSD7xWAL\n" 408 "-----END CERTIFICATE-----\n"; 409 410// kEd25519CertNull is an invalid self-signed Ed25519 with an explicit NULL in 411// the signature algorithm. 412static const char kEd25519CertNull[] = 413 "-----BEGIN CERTIFICATE-----\n" 414 "MIIBlTCCAUWgAwIBAgIJAJwooam0UCDmMAcGAytlcAUAMEUxCzAJBgNVBAYTAkFV\n" 415 "MRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRz\n" 416 "IFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQswCQYD\n" 417 "VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg\n" 418 "V2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEA11qYAYKxCrfVS/7TyWQHOg7hcvPa\n" 419 "piMlrwIaaPcHURqjUDBOMB0GA1UdDgQWBBSi7Ht5X58kra/dqHpA9T+WPX/7tTAf\n" 420 "BgNVHSMEGDAWgBSi7Ht5X58kra/dqHpA9T+WPX/7tTAMBgNVHRMEBTADAQH/MAcG\n" 421 "AytlcAUAA0EA70uefNocdJohkKPNROKVyBuBD3LXMyvmdTklsaxSRY3PcZdOohlr\n" 422 "recgVPpVS7B+d9g4EwtZXIh4lodTBDHBBw==\n" 423 "-----END CERTIFICATE-----\n"; 424 425// CertFromPEM parses the given, NUL-terminated pem block and returns an 426// |X509*|. 427static bssl::UniquePtr<X509> CertFromPEM(const char *pem) { 428 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem))); 429 return bssl::UniquePtr<X509>( 430 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)); 431} 432 433// CRLFromPEM parses the given, NUL-terminated pem block and returns an 434// |X509_CRL*|. 435static bssl::UniquePtr<X509_CRL> CRLFromPEM(const char *pem) { 436 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem))); 437 return bssl::UniquePtr<X509_CRL>( 438 PEM_read_bio_X509_CRL(bio.get(), nullptr, nullptr, nullptr)); 439} 440 441// PrivateKeyFromPEM parses the given, NUL-terminated pem block and returns an 442// |EVP_PKEY*|. 443static bssl::UniquePtr<EVP_PKEY> PrivateKeyFromPEM(const char *pem) { 444 bssl::UniquePtr<BIO> bio( 445 BIO_new_mem_buf(const_cast<char *>(pem), strlen(pem))); 446 return bssl::UniquePtr<EVP_PKEY>( 447 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr)); 448} 449 450// CertsToStack converts a vector of |X509*| to an OpenSSL STACK_OF(X509), 451// bumping the reference counts for each certificate in question. 452static bssl::UniquePtr<STACK_OF(X509)> CertsToStack( 453 const std::vector<X509 *> &certs) { 454 bssl::UniquePtr<STACK_OF(X509)> stack(sk_X509_new_null()); 455 if (!stack) { 456 return nullptr; 457 } 458 for (auto cert : certs) { 459 if (!sk_X509_push(stack.get(), cert)) { 460 return nullptr; 461 } 462 X509_up_ref(cert); 463 } 464 465 return stack; 466} 467 468// CRLsToStack converts a vector of |X509_CRL*| to an OpenSSL 469// STACK_OF(X509_CRL), bumping the reference counts for each CRL in question. 470static bssl::UniquePtr<STACK_OF(X509_CRL)> CRLsToStack( 471 const std::vector<X509_CRL *> &crls) { 472 bssl::UniquePtr<STACK_OF(X509_CRL)> stack(sk_X509_CRL_new_null()); 473 if (!stack) { 474 return nullptr; 475 } 476 for (auto crl : crls) { 477 if (!sk_X509_CRL_push(stack.get(), crl)) { 478 return nullptr; 479 } 480 X509_CRL_up_ref(crl); 481 } 482 483 return stack; 484} 485 486static int Verify(X509 *leaf, const std::vector<X509 *> &roots, 487 const std::vector<X509 *> &intermediates, 488 const std::vector<X509_CRL *> &crls, 489 unsigned long flags, 490 bool use_additional_untrusted) { 491 bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots)); 492 bssl::UniquePtr<STACK_OF(X509)> intermediates_stack( 493 CertsToStack(intermediates)); 494 bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls)); 495 496 if (!roots_stack || 497 !intermediates_stack || 498 !crls_stack) { 499 return X509_V_ERR_UNSPECIFIED; 500 } 501 502 bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new()); 503 bssl::UniquePtr<X509_STORE> store(X509_STORE_new()); 504 if (!ctx || 505 !store) { 506 return X509_V_ERR_UNSPECIFIED; 507 } 508 509 if (use_additional_untrusted) { 510 X509_STORE_set0_additional_untrusted(store.get(), 511 intermediates_stack.get()); 512 } 513 514 if (!X509_STORE_CTX_init( 515 ctx.get(), store.get(), leaf, 516 use_additional_untrusted ? nullptr : intermediates_stack.get())) { 517 return X509_V_ERR_UNSPECIFIED; 518 } 519 520 X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get()); 521 X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get()); 522 523 X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); 524 if (param == nullptr) { 525 return X509_V_ERR_UNSPECIFIED; 526 } 527 X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */); 528 X509_VERIFY_PARAM_set_depth(param, 16); 529 if (flags) { 530 X509_VERIFY_PARAM_set_flags(param, flags); 531 } 532 X509_STORE_CTX_set0_param(ctx.get(), param); 533 534 ERR_clear_error(); 535 if (X509_verify_cert(ctx.get()) != 1) { 536 return X509_STORE_CTX_get_error(ctx.get()); 537 } 538 539 return X509_V_OK; 540} 541 542static int Verify(X509 *leaf, const std::vector<X509 *> &roots, 543 const std::vector<X509 *> &intermediates, 544 const std::vector<X509_CRL *> &crls, 545 unsigned long flags = 0) { 546 const int r1 = Verify(leaf, roots, intermediates, crls, flags, false); 547 const int r2 = Verify(leaf, roots, intermediates, crls, flags, true); 548 549 if (r1 != r2) { 550 fprintf(stderr, 551 "Verify with, and without, use_additional_untrusted gave different " 552 "results: %d vs %d.\n", 553 r1, r2); 554 return false; 555 } 556 557 return r1; 558} 559 560TEST(X509Test, TestVerify) { 561 bssl::UniquePtr<X509> cross_signing_root(CertFromPEM(kCrossSigningRootPEM)); 562 bssl::UniquePtr<X509> root(CertFromPEM(kRootCAPEM)); 563 bssl::UniquePtr<X509> root_cross_signed(CertFromPEM(kRootCrossSignedPEM)); 564 bssl::UniquePtr<X509> intermediate(CertFromPEM(kIntermediatePEM)); 565 bssl::UniquePtr<X509> intermediate_self_signed( 566 CertFromPEM(kIntermediateSelfSignedPEM)); 567 bssl::UniquePtr<X509> leaf(CertFromPEM(kLeafPEM)); 568 bssl::UniquePtr<X509> leaf_no_key_usage(CertFromPEM(kLeafNoKeyUsagePEM)); 569 bssl::UniquePtr<X509> forgery(CertFromPEM(kForgeryPEM)); 570 571 ASSERT_TRUE(cross_signing_root); 572 ASSERT_TRUE(root); 573 ASSERT_TRUE(root_cross_signed); 574 ASSERT_TRUE(intermediate); 575 ASSERT_TRUE(intermediate_self_signed); 576 ASSERT_TRUE(leaf); 577 ASSERT_TRUE(forgery); 578 ASSERT_TRUE(leaf_no_key_usage); 579 580 std::vector<X509*> empty; 581 std::vector<X509_CRL*> empty_crls; 582 ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 583 Verify(leaf.get(), empty, empty, empty_crls)); 584 ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 585 Verify(leaf.get(), empty, {intermediate.get()}, empty_crls)); 586 587 ASSERT_EQ(X509_V_OK, 588 Verify(leaf.get(), {root.get()}, {intermediate.get()}, empty_crls)); 589 ASSERT_EQ(X509_V_OK, 590 Verify(leaf.get(), {cross_signing_root.get()}, 591 {intermediate.get(), root_cross_signed.get()}, empty_crls)); 592 ASSERT_EQ(X509_V_OK, 593 Verify(leaf.get(), {cross_signing_root.get(), root.get()}, 594 {intermediate.get(), root_cross_signed.get()}, empty_crls)); 595 596 /* This is the “altchains” test – we remove the cross-signing CA but include 597 * the cross-sign in the intermediates. */ 598 ASSERT_EQ(X509_V_OK, 599 Verify(leaf.get(), {root.get()}, 600 {intermediate.get(), root_cross_signed.get()}, empty_crls)); 601 ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 602 Verify(leaf.get(), {root.get()}, 603 {intermediate.get(), root_cross_signed.get()}, empty_crls, 604 X509_V_FLAG_NO_ALT_CHAINS)); 605 ASSERT_EQ(X509_V_ERR_INVALID_CA, 606 Verify(forgery.get(), {intermediate_self_signed.get()}, 607 {leaf_no_key_usage.get()}, empty_crls)); 608 609 /* Test that one cannot skip Basic Constraints checking with a contorted set 610 * of roots and intermediates. This is a regression test for CVE-2015-1793. */ 611 ASSERT_EQ(X509_V_ERR_INVALID_CA, 612 Verify(forgery.get(), 613 {intermediate_self_signed.get(), root_cross_signed.get()}, 614 {leaf_no_key_usage.get(), intermediate.get()}, empty_crls)); 615} 616 617TEST(X509Test, TestCRL) { 618 bssl::UniquePtr<X509> root(CertFromPEM(kCRLTestRoot)); 619 bssl::UniquePtr<X509> leaf(CertFromPEM(kCRLTestLeaf)); 620 bssl::UniquePtr<X509_CRL> basic_crl(CRLFromPEM(kBasicCRL)); 621 bssl::UniquePtr<X509_CRL> revoked_crl(CRLFromPEM(kRevokedCRL)); 622 bssl::UniquePtr<X509_CRL> bad_issuer_crl(CRLFromPEM(kBadIssuerCRL)); 623 bssl::UniquePtr<X509_CRL> known_critical_crl(CRLFromPEM(kKnownCriticalCRL)); 624 bssl::UniquePtr<X509_CRL> unknown_critical_crl( 625 CRLFromPEM(kUnknownCriticalCRL)); 626 bssl::UniquePtr<X509_CRL> unknown_critical_crl2( 627 CRLFromPEM(kUnknownCriticalCRL2)); 628 629 ASSERT_TRUE(root); 630 ASSERT_TRUE(leaf); 631 ASSERT_TRUE(basic_crl); 632 ASSERT_TRUE(revoked_crl); 633 ASSERT_TRUE(bad_issuer_crl); 634 ASSERT_TRUE(known_critical_crl); 635 ASSERT_TRUE(unknown_critical_crl); 636 ASSERT_TRUE(unknown_critical_crl2); 637 638 ASSERT_EQ(X509_V_OK, Verify(leaf.get(), {root.get()}, {root.get()}, 639 {basic_crl.get()}, X509_V_FLAG_CRL_CHECK)); 640 ASSERT_EQ( 641 X509_V_ERR_CERT_REVOKED, 642 Verify(leaf.get(), {root.get()}, {root.get()}, 643 {basic_crl.get(), revoked_crl.get()}, X509_V_FLAG_CRL_CHECK)); 644 645 std::vector<X509_CRL *> empty_crls; 646 ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_CRL, 647 Verify(leaf.get(), {root.get()}, {root.get()}, empty_crls, 648 X509_V_FLAG_CRL_CHECK)); 649 ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_CRL, 650 Verify(leaf.get(), {root.get()}, {root.get()}, 651 {bad_issuer_crl.get()}, X509_V_FLAG_CRL_CHECK)); 652 ASSERT_EQ(X509_V_OK, 653 Verify(leaf.get(), {root.get()}, {root.get()}, 654 {known_critical_crl.get()}, X509_V_FLAG_CRL_CHECK)); 655 ASSERT_EQ(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, 656 Verify(leaf.get(), {root.get()}, {root.get()}, 657 {unknown_critical_crl.get()}, X509_V_FLAG_CRL_CHECK)); 658 ASSERT_EQ(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, 659 Verify(leaf.get(), {root.get()}, {root.get()}, 660 {unknown_critical_crl2.get()}, X509_V_FLAG_CRL_CHECK)); 661} 662 663TEST(X509Test, ManyNamesAndConstraints) { 664 bssl::UniquePtr<X509> many_constraints( 665 CertFromPEM(GetTestData("crypto/x509/many_constraints.pem").c_str())); 666 ASSERT_TRUE(many_constraints); 667 bssl::UniquePtr<X509> many_names1( 668 CertFromPEM(GetTestData("crypto/x509/many_names1.pem").c_str())); 669 ASSERT_TRUE(many_names1); 670 bssl::UniquePtr<X509> many_names2( 671 CertFromPEM(GetTestData("crypto/x509/many_names2.pem").c_str())); 672 ASSERT_TRUE(many_names2); 673 bssl::UniquePtr<X509> many_names3( 674 CertFromPEM(GetTestData("crypto/x509/many_names3.pem").c_str())); 675 ASSERT_TRUE(many_names3); 676 bssl::UniquePtr<X509> some_names1( 677 CertFromPEM(GetTestData("crypto/x509/some_names1.pem").c_str())); 678 ASSERT_TRUE(some_names1); 679 bssl::UniquePtr<X509> some_names2( 680 CertFromPEM(GetTestData("crypto/x509/some_names2.pem").c_str())); 681 ASSERT_TRUE(some_names2); 682 bssl::UniquePtr<X509> some_names3( 683 CertFromPEM(GetTestData("crypto/x509/some_names3.pem").c_str())); 684 ASSERT_TRUE(some_names3); 685 686 EXPECT_EQ(X509_V_ERR_UNSPECIFIED, 687 Verify(many_names1.get(), {many_constraints.get()}, 688 {many_constraints.get()}, {})); 689 EXPECT_EQ(X509_V_ERR_UNSPECIFIED, 690 Verify(many_names2.get(), {many_constraints.get()}, 691 {many_constraints.get()}, {})); 692 EXPECT_EQ(X509_V_ERR_UNSPECIFIED, 693 Verify(many_names3.get(), {many_constraints.get()}, 694 {many_constraints.get()}, {})); 695 696 EXPECT_EQ(X509_V_OK, Verify(some_names1.get(), {many_constraints.get()}, 697 {many_constraints.get()}, {})); 698 EXPECT_EQ(X509_V_OK, Verify(some_names2.get(), {many_constraints.get()}, 699 {many_constraints.get()}, {})); 700 EXPECT_EQ(X509_V_OK, Verify(some_names3.get(), {many_constraints.get()}, 701 {many_constraints.get()}, {})); 702} 703 704TEST(X509Test, TestPSS) { 705 bssl::UniquePtr<X509> cert(CertFromPEM(kExamplePSSCert)); 706 ASSERT_TRUE(cert); 707 708 bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get())); 709 ASSERT_TRUE(pkey); 710 711 ASSERT_TRUE(X509_verify(cert.get(), pkey.get())); 712} 713 714TEST(X509Test, TestPSSBadParameters) { 715 bssl::UniquePtr<X509> cert(CertFromPEM(kBadPSSCertPEM)); 716 ASSERT_TRUE(cert); 717 718 bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get())); 719 ASSERT_TRUE(pkey); 720 721 ASSERT_FALSE(X509_verify(cert.get(), pkey.get())); 722 ERR_clear_error(); 723} 724 725TEST(X509Test, TestEd25519) { 726 bssl::UniquePtr<X509> cert(CertFromPEM(kEd25519Cert)); 727 ASSERT_TRUE(cert); 728 729 bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get())); 730 ASSERT_TRUE(pkey); 731 732 ASSERT_TRUE(X509_verify(cert.get(), pkey.get())); 733} 734 735TEST(X509Test, TestEd25519BadParameters) { 736 bssl::UniquePtr<X509> cert(CertFromPEM(kEd25519CertNull)); 737 ASSERT_TRUE(cert); 738 739 bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get())); 740 ASSERT_TRUE(pkey); 741 742 ASSERT_FALSE(X509_verify(cert.get(), pkey.get())); 743 744 uint32_t err = ERR_get_error(); 745 ASSERT_EQ(ERR_LIB_X509, ERR_GET_LIB(err)); 746 ASSERT_EQ(X509_R_INVALID_PARAMETER, ERR_GET_REASON(err)); 747 ERR_clear_error(); 748} 749 750static bool SignatureRoundTrips(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) { 751 // Make a certificate like signed with |md_ctx|'s settings.' 752 bssl::UniquePtr<X509> cert(CertFromPEM(kLeafPEM)); 753 if (!cert || !X509_sign_ctx(cert.get(), md_ctx)) { 754 return false; 755 } 756 757 // Ensure that |pkey| may still be used to verify the resulting signature. All 758 // settings in |md_ctx| must have been serialized appropriately. 759 return !!X509_verify(cert.get(), pkey); 760} 761 762TEST(X509Test, RSASign) { 763 bssl::UniquePtr<EVP_PKEY> pkey(PrivateKeyFromPEM(kRSAKey)); 764 ASSERT_TRUE(pkey); 765 // Test PKCS#1 v1.5. 766 bssl::ScopedEVP_MD_CTX md_ctx; 767 ASSERT_TRUE( 768 EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get())); 769 ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pkey.get())); 770 771 // Test RSA-PSS with custom parameters. 772 md_ctx.Reset(); 773 EVP_PKEY_CTX *pkey_ctx; 774 ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL, 775 pkey.get())); 776 ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)); 777 ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512())); 778 ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pkey.get())); 779} 780 781TEST(X509Test, Ed25519Sign) { 782 uint8_t pub_bytes[32], priv_bytes[64]; 783 ED25519_keypair(pub_bytes, priv_bytes); 784 785 bssl::UniquePtr<EVP_PKEY> pub(EVP_PKEY_new_ed25519_public(pub_bytes)); 786 ASSERT_TRUE(pub); 787 bssl::UniquePtr<EVP_PKEY> priv(EVP_PKEY_new_ed25519_private(priv_bytes)); 788 ASSERT_TRUE(priv); 789 790 bssl::ScopedEVP_MD_CTX md_ctx; 791 ASSERT_TRUE( 792 EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, priv.get())); 793 ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pub.get())); 794} 795 796static bool PEMToDER(bssl::UniquePtr<uint8_t> *out, size_t *out_len, 797 const char *pem) { 798 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem))); 799 if (!bio) { 800 return false; 801 } 802 803 char *name, *header; 804 uint8_t *data; 805 long data_len; 806 if (!PEM_read_bio(bio.get(), &name, &header, &data, &data_len)) { 807 fprintf(stderr, "failed to read PEM data.\n"); 808 return false; 809 } 810 OPENSSL_free(name); 811 OPENSSL_free(header); 812 813 out->reset(data); 814 *out_len = data_len; 815 816 return true; 817} 818 819TEST(X509Test, TestFromBuffer) { 820 size_t data_len; 821 bssl::UniquePtr<uint8_t> data; 822 ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM)); 823 824 bssl::UniquePtr<CRYPTO_BUFFER> buf( 825 CRYPTO_BUFFER_new(data.get(), data_len, nullptr)); 826 ASSERT_TRUE(buf); 827 bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get())); 828 ASSERT_TRUE(root); 829 830 const uint8_t *enc_pointer = root->cert_info->enc.enc; 831 const uint8_t *buf_pointer = CRYPTO_BUFFER_data(buf.get()); 832 ASSERT_GE(enc_pointer, buf_pointer); 833 ASSERT_LT(enc_pointer, buf_pointer + CRYPTO_BUFFER_len(buf.get())); 834 buf.reset(); 835 836 /* This ensures the X509 took a reference to |buf|, otherwise this will be a 837 * reference to free memory and ASAN should notice. */ 838 ASSERT_EQ(0x30, enc_pointer[0]); 839} 840 841TEST(X509Test, TestFromBufferWithTrailingData) { 842 size_t data_len; 843 bssl::UniquePtr<uint8_t> data; 844 ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM)); 845 846 std::unique_ptr<uint8_t[]> trailing_data(new uint8_t[data_len + 1]); 847 OPENSSL_memcpy(trailing_data.get(), data.get(), data_len); 848 849 bssl::UniquePtr<CRYPTO_BUFFER> buf_trailing_data( 850 CRYPTO_BUFFER_new(trailing_data.get(), data_len + 1, nullptr)); 851 ASSERT_TRUE(buf_trailing_data); 852 853 bssl::UniquePtr<X509> root_trailing_data( 854 X509_parse_from_buffer(buf_trailing_data.get())); 855 ASSERT_FALSE(root_trailing_data); 856} 857 858TEST(X509Test, TestFromBufferModified) { 859 size_t data_len; 860 bssl::UniquePtr<uint8_t> data; 861 ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM)); 862 863 bssl::UniquePtr<CRYPTO_BUFFER> buf( 864 CRYPTO_BUFFER_new(data.get(), data_len, nullptr)); 865 ASSERT_TRUE(buf); 866 867 bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get())); 868 ASSERT_TRUE(root); 869 870 bssl::UniquePtr<ASN1_INTEGER> fourty_two(ASN1_INTEGER_new()); 871 ASN1_INTEGER_set(fourty_two.get(), 42); 872 X509_set_serialNumber(root.get(), fourty_two.get()); 873 874 ASSERT_EQ(static_cast<long>(data_len), i2d_X509(root.get(), nullptr)); 875 876 X509_CINF_set_modified(root->cert_info); 877 878 ASSERT_NE(static_cast<long>(data_len), i2d_X509(root.get(), nullptr)); 879} 880 881TEST(X509Test, TestFromBufferReused) { 882 size_t data_len; 883 bssl::UniquePtr<uint8_t> data; 884 ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM)); 885 886 bssl::UniquePtr<CRYPTO_BUFFER> buf( 887 CRYPTO_BUFFER_new(data.get(), data_len, nullptr)); 888 ASSERT_TRUE(buf); 889 890 bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get())); 891 ASSERT_TRUE(root); 892 893 size_t data2_len; 894 bssl::UniquePtr<uint8_t> data2; 895 ASSERT_TRUE(PEMToDER(&data2, &data2_len, kLeafPEM)); 896 897 X509 *x509p = root.get(); 898 const uint8_t *inp = data2.get(); 899 X509 *ret = d2i_X509(&x509p, &inp, data2_len); 900 ASSERT_EQ(root.get(), ret); 901 ASSERT_EQ(nullptr, root->buf); 902 903 // Free |data2| and ensure that |root| took its own copy. Otherwise the 904 // following will trigger a use-after-free. 905 data2.reset(); 906 907 uint8_t *i2d = nullptr; 908 int i2d_len = i2d_X509(root.get(), &i2d); 909 ASSERT_GE(i2d_len, 0); 910 bssl::UniquePtr<uint8_t> i2d_storage(i2d); 911 912 ASSERT_TRUE(PEMToDER(&data2, &data2_len, kLeafPEM)); 913 914 ASSERT_EQ(static_cast<long>(data2_len), i2d_len); 915 ASSERT_EQ(0, OPENSSL_memcmp(data2.get(), i2d, i2d_len)); 916 ASSERT_EQ(nullptr, root->buf); 917} 918 919TEST(X509Test, TestFailedParseFromBuffer) { 920 static const uint8_t kNonsense[] = {1, 2, 3, 4, 5}; 921 922 bssl::UniquePtr<CRYPTO_BUFFER> buf( 923 CRYPTO_BUFFER_new(kNonsense, sizeof(kNonsense), nullptr)); 924 ASSERT_TRUE(buf); 925 926 bssl::UniquePtr<X509> cert(X509_parse_from_buffer(buf.get())); 927 ASSERT_FALSE(cert); 928 ERR_clear_error(); 929 930 // Test a buffer with trailing data. 931 size_t data_len; 932 bssl::UniquePtr<uint8_t> data; 933 ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM)); 934 935 std::unique_ptr<uint8_t[]> data_with_trailing_byte(new uint8_t[data_len + 1]); 936 OPENSSL_memcpy(data_with_trailing_byte.get(), data.get(), data_len); 937 data_with_trailing_byte[data_len] = 0; 938 939 bssl::UniquePtr<CRYPTO_BUFFER> buf_with_trailing_byte( 940 CRYPTO_BUFFER_new(data_with_trailing_byte.get(), data_len + 1, nullptr)); 941 ASSERT_TRUE(buf_with_trailing_byte); 942 943 bssl::UniquePtr<X509> root( 944 X509_parse_from_buffer(buf_with_trailing_byte.get())); 945 ASSERT_FALSE(root); 946 ERR_clear_error(); 947} 948 949TEST(X509Test, TestPrintUTCTIME) { 950 static const struct { 951 const char *val, *want; 952 } asn1_utctime_tests[] = { 953 {"", "Bad time value"}, 954 955 // Correct RFC 5280 form. Test years < 2000 and > 2000. 956 {"090303125425Z", "Mar 3 12:54:25 2009 GMT"}, 957 {"900303125425Z", "Mar 3 12:54:25 1990 GMT"}, 958 {"000303125425Z", "Mar 3 12:54:25 2000 GMT"}, 959 960 // Correct form, bad values. 961 {"000000000000Z", "Bad time value"}, 962 {"999999999999Z", "Bad time value"}, 963 964 // Missing components. Not legal RFC 5280, but permitted. 965 {"090303125425", "Mar 3 12:54:25 2009"}, 966 {"9003031254", "Mar 3 12:54:00 1990"}, 967 {"9003031254Z", "Mar 3 12:54:00 1990 GMT"}, 968 969 // GENERALIZEDTIME confused for UTCTIME. 970 {"20090303125425Z", "Bad time value"}, 971 972 // Legal ASN.1, but not legal RFC 5280. 973 {"9003031254+0800", "Bad time value"}, 974 {"9003031254-0800", "Bad time value"}, 975 976 // Trailing garbage. 977 {"9003031254Z ", "Bad time value"}, 978 }; 979 980 for (auto t : asn1_utctime_tests) { 981 SCOPED_TRACE(t.val); 982 bssl::UniquePtr<ASN1_UTCTIME> tm(ASN1_UTCTIME_new()); 983 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem())); 984 985 // Use this instead of ASN1_UTCTIME_set() because some callers get 986 // type-confused and pass ASN1_GENERALIZEDTIME to ASN1_UTCTIME_print(). 987 // ASN1_UTCTIME_set_string() is stricter, and would reject the inputs in 988 // question. 989 ASSERT_TRUE(ASN1_STRING_set(tm.get(), t.val, strlen(t.val))); 990 const int ok = ASN1_UTCTIME_print(bio.get(), tm.get()); 991 992 const uint8_t *contents; 993 size_t len; 994 ASSERT_TRUE(BIO_mem_contents(bio.get(), &contents, &len)); 995 EXPECT_EQ(ok, (strcmp(t.want, "Bad time value") != 0) ? 1 : 0); 996 EXPECT_EQ(t.want, 997 std::string(reinterpret_cast<const char *>(contents), len)); 998 } 999} 1000 1001TEST(X509Test, PrettyPrintIntegers) { 1002 static const char *kTests[] = { 1003 // Small numbers are pretty-printed in decimal. 1004 "0", 1005 "-1", 1006 "1", 1007 "42", 1008 "-42", 1009 "256", 1010 "-256", 1011 // Large numbers are pretty-printed in hex to avoid taking quadratic time. 1012 "0x0123456789", 1013 "-0x0123456789", 1014 }; 1015 for (const char *in : kTests) { 1016 SCOPED_TRACE(in); 1017 BIGNUM *bn = nullptr; 1018 ASSERT_TRUE(BN_asc2bn(&bn, in)); 1019 bssl::UniquePtr<BIGNUM> free_bn(bn); 1020 1021 { 1022 bssl::UniquePtr<ASN1_INTEGER> asn1(BN_to_ASN1_INTEGER(bn, nullptr)); 1023 ASSERT_TRUE(asn1); 1024 bssl::UniquePtr<char> out(i2s_ASN1_INTEGER(nullptr, asn1.get())); 1025 ASSERT_TRUE(out.get()); 1026 EXPECT_STREQ(in, out.get()); 1027 } 1028 1029 { 1030 bssl::UniquePtr<ASN1_ENUMERATED> asn1(BN_to_ASN1_ENUMERATED(bn, nullptr)); 1031 ASSERT_TRUE(asn1); 1032 bssl::UniquePtr<char> out(i2s_ASN1_ENUMERATED(nullptr, asn1.get())); 1033 ASSERT_TRUE(out.get()); 1034 EXPECT_STREQ(in, out.get()); 1035 } 1036 } 1037} 1038