kris
/
boringssl
1
0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
5611 Commity
12 Gałęzie
38 MiB
 
 
 
 
 
 
Drzewo: 17d553d299
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '17d553d299'
${ noResults }
boringssl/crypto/x509/x509_test.cc

1747 wiersze
75 KiB
Czysty Wina Historia 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <algorithm>

  16. #include <functional>

  17. #include <string>

  18. #include <vector>

  19. 

  20. #include <gtest/gtest.h>

  21. 

  22. #include <openssl/bio.h>

  23. #include <openssl/bytestring.h>

  24. #include <openssl/crypto.h>

  25. #include <openssl/curve25519.h>

  26. #include <openssl/digest.h>

  27. #include <openssl/err.h>

  28. #include <openssl/pem.h>

  29. #include <openssl/pool.h>

  30. #include <openssl/x509.h>

  31. #include <openssl/x509v3.h>

  32. 

  33. #include "../internal.h"

  34. #include "../test/test_util.h"

  35. 

  36. 

  37. std::string GetTestData(const char *path);

  38. 

  39. static const char kCrossSigningRootPEM[] =

  40.     "-----BEGIN CERTIFICATE-----\n"

  41.     "MIICcTCCAdqgAwIBAgIIagJHiPvE0MowDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  42.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  43.     "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowPDEaMBgGA1UE\n"

  44.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  45.     "dCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwo3qFvSB9Zmlbpzn9wJp\n"

  46.     "ikI75Rxkatez8VkLqyxbOhPYl2Haz8F5p1gDG96dCI6jcLGgu3AKT9uhEQyyUko5\n"

  47.     "EKYasazSeA9CQrdyhPg0mkTYVETnPM1W/ebid1YtqQbq1CMWlq2aTDoSGAReGFKP\n"

  48.     "RTdXAbuAXzpCfi/d8LqV13UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgIEMB0GA1Ud\n"

  49.     "JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MBkGA1Ud\n"

  50.     "DgQSBBBHKHC7V3Z/3oLvEZx0RZRwMBsGA1UdIwQUMBKAEEcocLtXdn/egu8RnHRF\n"

  51.     "lHAwDQYJKoZIhvcNAQELBQADgYEAnglibsy6mGtpIXivtlcz4zIEnHw/lNW+r/eC\n"

  52.     "CY7evZTmOoOuC/x9SS3MF9vawt1HFUummWM6ZgErqVBOXIB4//ykrcCgf5ZbF5Hr\n"

  53.     "+3EFprKhBqYiXdD8hpBkrBoXwn85LPYWNd2TceCrx0YtLIprE2R5MB2RIq8y4Jk3\n"

  54.     "YFXvkME=\n"

  55.     "-----END CERTIFICATE-----\n";

  56. 

  57. static const char kRootCAPEM[] =

  58.     "-----BEGIN CERTIFICATE-----\n"

  59.     "MIICVTCCAb6gAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwLjEaMBgGA1UE\n"

  60.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwIBcNMTUwMTAx\n"

  61.     "MDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMC4xGjAYBgNVBAoTEUJvcmluZ1NTTCBU\n"

  62.     "RVNUSU5HMRAwDgYDVQQDEwdSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n"

  63.     "iQKBgQDpDn8RDOZa5oaDcPZRBy4CeBH1siSSOO4mYgLHlPE+oXdqwI/VImi2XeJM\n"

  64.     "2uCFETXCknJJjYG0iJdrt/yyRFvZTQZw+QzGj+mz36NqhGxDWb6dstB2m8PX+plZ\n"

  65.     "w7jl81MDvUnWs8yiQ/6twgu5AbhWKZQDJKcNKCEpqa6UW0r5nwIDAQABo3oweDAO\n"

  66.     "BgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8G\n"

  67.     "A1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEEA31wH7QC+4HH5UBCeMWQEwGwYDVR0j\n"

  68.     "BBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOBgQDXylEK77Za\n"

  69.     "kKeY6ZerrScWyZhrjIGtHFu09qVpdJEzrk87k2G7iHHR9CAvSofCgEExKtWNS9dN\n"

  70.     "+9WiZp/U48iHLk7qaYXdEuO07No4BYtXn+lkOykE+FUxmA4wvOF1cTd2tdj3MzX2\n"

  71.     "kfGIBAYhzGZWhY3JbhIfTEfY1PNM1pWChQ==\n"

  72.     "-----END CERTIFICATE-----\n";

  73. 

  74. static const char kRootCrossSignedPEM[] =

  75.     "-----BEGIN CERTIFICATE-----\n"

  76.     "MIICYzCCAcygAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  77.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  78.     "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowLjEaMBgGA1UE\n"

  79.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZI\n"

  80.     "hvcNAQEBBQADgY0AMIGJAoGBAOkOfxEM5lrmhoNw9lEHLgJ4EfWyJJI47iZiAseU\n"

  81.     "8T6hd2rAj9UiaLZd4kza4IURNcKSckmNgbSIl2u3/LJEW9lNBnD5DMaP6bPfo2qE\n"

  82.     "bENZvp2y0Habw9f6mVnDuOXzUwO9SdazzKJD/q3CC7kBuFYplAMkpw0oISmprpRb\n"

  83.     "SvmfAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcD\n"

  84.     "AQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQQDfXAftAL7gc\n"

  85.     "flQEJ4xZATAbBgNVHSMEFDASgBBHKHC7V3Z/3oLvEZx0RZRwMA0GCSqGSIb3DQEB\n"

  86.     "CwUAA4GBAErTxYJ0en9HVRHAAr5OO5wuk5Iq3VMc79TMyQLCXVL8YH8Uk7KEwv+q\n"

  87.     "9MEKZv2eR/Vfm4HlXlUuIqfgUXbwrAYC/YVVX86Wnbpy/jc73NYVCq8FEZeO+0XU\n"

  88.     "90SWAPDdp+iL7aZdimnMtG1qlM1edmz8AKbrhN/R3IbA2CL0nCWV\n"

  89.     "-----END CERTIFICATE-----\n";

  90. 

  91. static const char kIntermediatePEM[] =

  92.     "-----BEGIN CERTIFICATE-----\n"

  93.     "MIICXjCCAcegAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMC4xGjAYBgNV\n"

  94.     "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRAwDgYDVQQDEwdSb290IENBMCAXDTE1MDEw\n"

  95.     "MTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjA2MRowGAYDVQQKExFCb3JpbmdTU0wg\n"

  96.     "VEVTVElORzEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEB\n"

  97.     "AQUAA4GNADCBiQKBgQC7YtI0l8ocTYJ0gKyXTtPL4iMJCNY4OcxXl48jkncVG1Hl\n"

  98.     "blicgNUa1r9m9YFtVkxvBinb8dXiUpEGhVg4awRPDcatlsBSEBuJkiZGYbRcAmSu\n"

  99.     "CmZYnf6u3aYQ18SU8WqVERPpE4cwVVs+6kwlzRw0+XDoZAczu8ZezVhCUc6NbQID\n"

  100.     "AQABo3oweDAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\n"

  101.     "AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEIwaaKi1dttdV3sfjRSy\n"

  102.     "BqMwGwYDVR0jBBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOB\n"

  103.     "gQCvnolNWEHuQS8PFVVyuLR+FKBeUUdrVbSfHSzTqNAqQGp0C9fk5oCzDq6ZgTfY\n"

  104.     "ESXM4cJhb3IAnW0UM0NFsYSKQJ50JZL2L3z5ZLQhHdbs4RmODGoC40BVdnJ4/qgB\n"

  105.     "aGSh09eQRvAVmbVCviDK2ipkWNegdyI19jFfNP5uIkGlYg==\n"

  106.     "-----END CERTIFICATE-----\n";

  107. 

  108. static const char kIntermediateSelfSignedPEM[] =

  109.     "-----BEGIN CERTIFICATE-----\n"

  110.     "MIICZjCCAc+gAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  111.     "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  112.     "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDYxGjAYBgNVBAoTEUJv\n"

  113.     "cmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ\n"

  114.     "KoZIhvcNAQEBBQADgY0AMIGJAoGBALti0jSXyhxNgnSArJdO08viIwkI1jg5zFeX\n"

  115.     "jyOSdxUbUeVuWJyA1RrWv2b1gW1WTG8GKdvx1eJSkQaFWDhrBE8Nxq2WwFIQG4mS\n"

  116.     "JkZhtFwCZK4KZlid/q7dphDXxJTxapURE+kThzBVWz7qTCXNHDT5cOhkBzO7xl7N\n"

  117.     "WEJRzo1tAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEF\n"

  118.     "BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQjBpoqLV2\n"

  119.     "211Xex+NFLIGozAbBgNVHSMEFDASgBCMGmiotXbbXVd7H40UsgajMA0GCSqGSIb3\n"

  120.     "DQEBCwUAA4GBALcccSrAQ0/EqQBsx0ZDTUydHXXNP2DrUkpUKmAXIe8McqIVSlkT\n"

  121.     "6H4xz7z8VRKBo9j+drjjtCw2i0CQc8aOLxRb5WJ8eVLnaW2XRlUqAzhF0CrulfVI\n"

  122.     "E4Vs6ZLU+fra1WAuIj6qFiigRja+3YkZArG8tMA9vtlhTX/g7YBZIkqH\n"

  123.     "-----END CERTIFICATE-----\n";

  124. 

  125. static const char kLeafPEM[] =

  126.     "-----BEGIN CERTIFICATE-----\n"

  127.     "MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE\n"

  128.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg\n"

  129.     "Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y\n"

  130.     "aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3\n"

  131.     "DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c\n"

  132.     "oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j\n"

  133.     "5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh\n"

  134.     "TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\n"

  135.     "CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0\n"

  136.     "4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB\n"

  137.     "gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y\n"

  138.     "rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU\n"

  139.     "xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==\n"

  140.     "-----END CERTIFICATE-----\n";

  141. 

  142. static const char kLeafNoKeyUsagePEM[] =

  143.     "-----BEGIN CERTIFICATE-----\n"

  144.     "MIICNTCCAZ6gAwIBAgIJAIFQGaLQ0G2mMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  145.     "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  146.     "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDcxGjAYBgNVBAoTEUJv\n"

  147.     "cmluZ1NTTCBURVNUSU5HMRkwFwYDVQQDExBldmlsLmV4YW1wbGUuY29tMIGfMA0G\n"

  148.     "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOKoZe75NPz77EOaMMl4/0s3PyQw++zJvp\n"

  149.     "ejHAxZiTPCJgMbEHLrSzNoHdopg+CLUH5bE4wTXM8w9Inv5P8OAFJt7gJuPUunmk\n"

  150.     "j+NoU3QfzOR6BroePcz1vXX9jyVHRs087M/sLqWRHu9IR+/A+UTcBaWaFiDVUxtJ\n"

  151.     "YOwFMwjNPQIDAQABo0gwRjAMBgNVHRMBAf8EAjAAMBkGA1UdDgQSBBBJfLEUWHq1\n"

  152.     "27rZ1AVx2J5GMBsGA1UdIwQUMBKAEIwaaKi1dttdV3sfjRSyBqMwDQYJKoZIhvcN\n"

  153.     "AQELBQADgYEALVKN2Y3LZJOtu6SxFIYKxbLaXhTGTdIjxipZhmbBRDFjbZjZZOTe\n"

  154.     "6Oo+VDNPYco4rBexK7umYXJyfTqoY0E8dbiImhTcGTEj7OAB3DbBomgU1AYe+t2D\n"

  155.     "uwBqh4Y3Eto+Zn4pMVsxGEfUpjzjZDel7bN1/oU/9KWPpDfywfUmjgk=\n"

  156.     "-----END CERTIFICATE-----\n";

  157. 

  158. static const char kForgeryPEM[] =

  159.     "-----BEGIN CERTIFICATE-----\n"

  160.     "MIICZzCCAdCgAwIBAgIIdTlMzQoKkeMwDQYJKoZIhvcNAQELBQAwNzEaMBgGA1UE\n"

  161.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGTAXBgNVBAMTEGV2aWwuZXhhbXBsZS5jb20w\n"

  162.     "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDoxGjAYBgNVBAoTEUJv\n"

  163.     "cmluZ1NTTCBURVNUSU5HMRwwGgYDVQQDExNmb3JnZXJ5LmV4YW1wbGUuY29tMIGf\n"

  164.     "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADTwruBQZGb7Ay6s9HiYv5d1lwtEy\n"

  165.     "xQdA2Sy8Rn8uA20Q4KgqwVY7wzIZ+z5Butrsmwb70gdG1XU+yRaDeE7XVoW6jSpm\n"

  166.     "0sw35/5vJbTcL4THEFbnX0OPZnvpuZDFUkvVtq5kxpDWsVyM24G8EEq7kPih3Sa3\n"

  167.     "OMhXVXF8kso6UQIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI\n"

  168.     "KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEEYJ/WHM\n"

  169.     "8p64erPWIg4/liwwGwYDVR0jBBQwEoAQSXyxFFh6tdu62dQFcdieRjANBgkqhkiG\n"

  170.     "9w0BAQsFAAOBgQA+zH7bHPElWRWJvjxDqRexmYLn+D3Aivs8XgXQJsM94W0EzSUf\n"

  171.     "DSLfRgaQwcb2gg2xpDFoG+W0vc6O651uF23WGt5JaFFJJxqjII05IexfCNhuPmp4\n"

  172.     "4UZAXPttuJXpn74IY1tuouaM06B3vXKZR+/ityKmfJvSwxacmFcK+2ziAg==\n"

  173.     "-----END CERTIFICATE-----\n";

  174. 

  175. // kExamplePSSCert is an example RSA-PSS self-signed certificate, signed with

  176. // the default hash functions.

  177. static const char kExamplePSSCert[] =

  178.     "-----BEGIN CERTIFICATE-----\n"

  179.     "MIICYjCCAcagAwIBAgIJAI3qUyT6SIfzMBIGCSqGSIb3DQEBCjAFogMCAWowRTEL\n"

  180.     "MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy\n"

  181.     "bmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xNDEwMDkxOTA5NTVaFw0xNTEwMDkxOTA5\n"

  182.     "NTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK\n"

  183.     "DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A\n"

  184.     "MIGJAoGBAPi4bIO0vNmoV8CltFl2jFQdeesiUgR+0zfrQf2D+fCmhRU0dXFahKg8\n"

  185.     "0u9aTtPel4rd/7vPCqqGkr64UOTNb4AzMHYTj8p73OxaymPHAyXvqIqDWHYg+hZ3\n"

  186.     "13mSYwFIGth7Z/FSVUlO1m5KXNd6NzYM3t2PROjCpywrta9kS2EHAgMBAAGjUDBO\n"

  187.     "MB0GA1UdDgQWBBTQQfuJQR6nrVrsNF1JEflVgXgfEzAfBgNVHSMEGDAWgBTQQfuJ\n"

  188.     "QR6nrVrsNF1JEflVgXgfEzAMBgNVHRMEBTADAQH/MBIGCSqGSIb3DQEBCjAFogMC\n"

  189.     "AWoDgYEASUy2RZcgNbNQZA0/7F+V1YTLEXwD16bm+iSVnzGwtexmQVEYIZG74K/w\n"

  190.     "xbdZQdTbpNJkp1QPjPfh0zsatw6dmt5QoZ8K8No0DjR9dgf+Wvv5WJvJUIQBoAVN\n"

  191.     "Z0IL+OQFz6+LcTHxD27JJCebrATXZA0wThGTQDm7crL+a+SujBY=\n"

  192.     "-----END CERTIFICATE-----\n";

  193. 

  194. // kBadPSSCertPEM is a self-signed RSA-PSS certificate with bad parameters.

  195. static const char kBadPSSCertPEM[] =

  196.     "-----BEGIN CERTIFICATE-----\n"

  197.     "MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI\n"

  198.     "AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD\n"

  199.     "VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz\n"

  200.     "NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj\n"

  201.     "ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH\n"

  202.     "qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL\n"

  203.     "IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT\n"

  204.     "IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k\n"

  205.     "dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq\n"

  206.     "QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa\n"

  207.     "5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2\n"

  208.     "4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB\n"

  209.     "Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii\n"

  210.     "BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb\n"

  211.     "xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn\n"

  212.     "plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY\n"

  213.     "DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p\n"

  214.     "NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ\n"

  215.     "lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=\n"

  216.     "-----END CERTIFICATE-----\n";

  217. 

  218. static const char kRSAKey[] =

  219.     "-----BEGIN RSA PRIVATE KEY-----\n"

  220.     "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"

  221.     "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"

  222.     "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"

  223.     "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"

  224.     "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"

  225.     "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"

  226.     "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"

  227.     "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"

  228.     "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"

  229.     "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"

  230.     "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"

  231.     "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"

  232.     "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"

  233.     "-----END RSA PRIVATE KEY-----\n";

  234. 

  235. // kCRLTestRoot is a test root certificate. It has private key:

  236. //

  237. //     -----BEGIN RSA PRIVATE KEY-----

  238. //     MIIEpAIBAAKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3BS/dUBpbrzd1aeFzN

  239. //     lI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+5R/Du0iCb1tCZIPY

  240. //     07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWpuRqO6rctN9qUoMlT

  241. //     IAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n8H922qmvPNA9idmX

  242. //     9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbLP2o9orxGx7aCtnnB

  243. //     ZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABAoIBAQCJF9MTHfHGkk+/

  244. //     DwCXlA0Wg0e6hBuHl10iNobYkMWIl/xXjOknhYiqOqb181py76472SVC5ERprC+r

  245. //     Lf0PXzqKuA117mnkwT2bYLCL9Skf8WEhoFLQNbVlloF6wYjqXcYgKYKh8HgQbZl4

  246. //     aLg2YQl2NADTNABsUWj/4H2WEelsODVviqfFs725lFg9KHDI8zxAZXLzDt/M9uVL

  247. //     GxJiX12tr0AwaeAFZ1oPM/y+LznM3N3+Ht3jHHw3jZ/u8Z1RdAmdpu3bZ6tbwGBr

  248. //     9edsH5rKkm9aBvMrY7eX5VHqaqyRNFyG152ZOJh4XiiFG7EmgTPCpaHo50Y018Re

  249. //     grVtk+FBAoGBANY3lY+V8ZOwMxSHes+kTnoimHO5Ob7nxrOC71i27x+4HHsYUeAr

  250. //     /zOOghiDIn+oNkuiX5CIOWZKx159Bp65CPpCbTb/fh+HYnSgXFgCw7XptycO7LXM

  251. //     5GwR5jSfpfzBFdYxjxoUzDMFBwTEYRTm0HkUHkH+s+ajjw5wqqbcGLcfAoGBAMM8

  252. //     DKW6Tb66xsf708f0jonAjKYTLZ+WOcwsBEWSFHoY8dUjvW5gqx5acHTEsc5ZTeh4

  253. //     BCFLa+Mn9cuJWVJNs09k7Xb2PNl92HQ4GN2vbdkJhExbkT6oLDHg1hVD0w8KLfz1

  254. //     lTAW6pS+6CdOHMEJpvqx89EgU/1GgIQ1fXYczE75AoGAKeJoXdDFkUjsU+FBhAPu

  255. //     TDcjc80Nm2QaF9NMFR5/lsYa236f06MGnQAKM9zADBHJu/Qdl1brUjLg1HrBppsr

  256. //     RDNkw1IlSOjhuUf5hkPUHGd8Jijm440SRIcjabqla8wdBupdvo2+d2NOQgJbsQiI

  257. //     ToQ+fkzcxAXK3Nnuo/1436UCgYBjLH7UNOZHS8OsVM0I1r8NVKVdu4JCfeJQR8/H

  258. //     s2P5ffBir+wLRMnH+nMDreMQiibcPxMCArkERAlE4jlgaJ38Z62E76KLbLTmnJRt

  259. //     EC9Bv+bXjvAiHvWMRMUbOj/ddPNVez7Uld+FvdBaHwDWQlvzHzBWfBCOKSEhh7Z6

  260. //     qDhUqQKBgQDPMDx2i5rfmQp3imV9xUcCkIRsyYQVf8Eo7NV07IdUy/otmksgn4Zt

  261. //     Lbf3v2dvxOpTNTONWjp2c+iUQo8QxJCZr5Sfb21oQ9Ktcrmc/CY7LeBVDibXwxdM

  262. //     vRG8kBzvslFWh7REzC3u06GSVhyKDfW93kN2cKVwGoahRlhj7oHuZQ==

  263. //     -----END RSA PRIVATE KEY-----

  264. static const char kCRLTestRoot[] =

  265.     "-----BEGIN CERTIFICATE-----\n"

  266.     "MIIDbzCCAlegAwIBAgIJAODri7v0dDUFMA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV\n"

  267.     "BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\n"

  268.     "aWV3MRIwEAYDVQQKDAlCb3JpbmdTU0wwHhcNMTYwOTI2MTUwNjI2WhcNMjYwOTI0\n"

  269.     "MTUwNjI2WjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n"

  270.     "A1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9yaW5nU1NMMIIBIjANBgkq\n"

  271.     "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3B\n"

  272.     "S/dUBpbrzd1aeFzNlI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+\n"

  273.     "5R/Du0iCb1tCZIPY07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWp\n"

  274.     "uRqO6rctN9qUoMlTIAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n\n"

  275.     "8H922qmvPNA9idmX9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbL\n"

  276.     "P2o9orxGx7aCtnnBZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABo1Aw\n"

  277.     "TjAdBgNVHQ4EFgQUWPt3N5cZ/CRvubbrkqfBnAqhq94wHwYDVR0jBBgwFoAUWPt3\n"

  278.     "N5cZ/CRvubbrkqfBnAqhq94wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"

  279.     "AQEAORu6M0MOwXy+3VEBwNilfTxyqDfruQsc1jA4PT8Oe8zora1WxE1JB4q2FJOz\n"

  280.     "EAuM3H/NXvEnBuN+ITvKZAJUfm4NKX97qmjMJwLKWe1gVv+VQTr63aR7mgWJReQN\n"

  281.     "XdMztlVeZs2dppV6uEg3ia1X0G7LARxGpA9ETbMyCpb39XxlYuTClcbA5ftDN99B\n"

  282.     "3Xg9KNdd++Ew22O3HWRDvdDpTO/JkzQfzi3sYwUtzMEonENhczJhGf7bQMmvL/w5\n"

  283.     "24Wxj4Z7KzzWIHsNqE/RIs6RV3fcW61j/mRgW2XyoWnMVeBzvcJr9NXp4VQYmFPw\n"

  284.     "amd8GKMZQvP0ufGnUn7D7uartA==\n"

  285.     "-----END CERTIFICATE-----\n";

  286. 

  287. static const char kCRLTestLeaf[] =

  288.     "-----BEGIN CERTIFICATE-----\n"

  289.     "MIIDkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCVVMx\n"

  290.     "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEjAQ\n"

  291.     "BgNVBAoMCUJvcmluZ1NTTDAeFw0xNjA5MjYxNTA4MzFaFw0xNzA5MjYxNTA4MzFa\n"

  292.     "MEsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlC\n"

  293.     "b3JpbmdTU0wxEzARBgNVBAMMCmJvcmluZy5zc2wwggEiMA0GCSqGSIb3DQEBAQUA\n"

  294.     "A4IBDwAwggEKAoIBAQDc5v1S1M0W+QWM+raWfO0LH8uvqEwuJQgODqMaGnSlWUx9\n"

  295.     "8iQcnWfjyPja3lWg9K62hSOFDuSyEkysKHDxijz5R93CfLcfnVXjWQDJe7EJTTDP\n"

  296.     "ozEvxN6RjAeYv7CF000euYr3QT5iyBjg76+bon1p0jHZBJeNPP1KqGYgyxp+hzpx\n"

  297.     "e0gZmTlGAXd8JQK4v8kpdYwD6PPifFL/jpmQpqOtQmH/6zcLjY4ojmqpEdBqIKIX\n"

  298.     "+saA29hMq0+NK3K+wgg31RU+cVWxu3tLOIiesETkeDgArjWRS1Vkzbi4v9SJxtNu\n"

  299.     "OZuAxWiynRJw3JwH/OFHYZIvQqz68ZBoj96cepjPAgMBAAGjezB5MAkGA1UdEwQC\n"

  300.     "MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl\n"

  301.     "MB0GA1UdDgQWBBTGn0OVVh/aoYt0bvEKG+PIERqnDzAfBgNVHSMEGDAWgBRY+3c3\n"

  302.     "lxn8JG+5tuuSp8GcCqGr3jANBgkqhkiG9w0BAQsFAAOCAQEAd2nM8gCQN2Dc8QJw\n"

  303.     "XSZXyuI3DBGGCHcay/3iXu0JvTC3EiQo8J6Djv7WLI0N5KH8mkm40u89fJAB2lLZ\n"

  304.     "ShuHVtcC182bOKnePgwp9CNwQ21p0rDEu/P3X46ZvFgdxx82E9xLa0tBB8PiPDWh\n"

  305.     "lV16jbaKTgX5AZqjnsyjR5o9/mbZVupZJXx5Syq+XA8qiJfstSYJs4KyKK9UOjql\n"

  306.     "ICkJVKpi2ahDBqX4MOH4SLfzVk8pqSpviS6yaA1RXqjpkxiN45WWaXDldVHMSkhC\n"

  307.     "5CNXsXi4b1nAntu89crwSLA3rEwzCWeYj+BX7e1T9rr3oJdwOU/2KQtW1js1yQUG\n"

  308.     "tjJMFw==\n"

  309.     "-----END CERTIFICATE-----\n";

  310. 

  311. static const char kBasicCRL[] =

  312.     "-----BEGIN X509 CRL-----\n"

  313.     "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  314.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  315.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV\n"

  316.     "HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN\n"

  317.     "ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo\n"

  318.     "eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os\n"

  319.     "dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv\n"

  320.     "diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho\n"

  321.     "/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==\n"

  322.     "-----END X509 CRL-----\n";

  323. 

  324. static const char kRevokedCRL[] =

  325.     "-----BEGIN X509 CRL-----\n"

  326.     "MIIBvjCBpwIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  327.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  328.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEyNDRaFw0xNjEwMjYxNTEyNDRaMBUwEwICEAAX\n"

  329.     "DTE2MDkyNjE1MTIyNlqgDjAMMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IB\n"

  330.     "AQCUGaM4DcWzlQKrcZvI8TMeR8BpsvQeo5BoI/XZu2a8h//PyRyMwYeaOM+3zl0d\n"

  331.     "sjgCT8b3C1FPgT+P2Lkowv7rJ+FHJRNQkogr+RuqCSPTq65ha4WKlRGWkMFybzVH\n"

  332.     "NloxC+aU3lgp/NlX9yUtfqYmJek1CDrOOGPrAEAwj1l/BUeYKNGqfBWYJQtPJu+5\n"

  333.     "OaSvIYGpETCZJscUWODmLEb/O3DM438vLvxonwGqXqS0KX37+CHpUlyhnSovxXxp\n"

  334.     "Pz4aF+L7OtczxL0GYtD2fR9B7TDMqsNmHXgQrixvvOY7MUdLGbd4RfJL3yA53hyO\n"

  335.     "xzfKY2TzxLiOmctG0hXFkH5J\n"

  336.     "-----END X509 CRL-----\n";

  337. 

  338. static const char kBadIssuerCRL[] =

  339.     "-----BEGIN X509 CRL-----\n"

  340.     "MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  341.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwN\n"

  342.     "Tm90IEJvcmluZ1NTTBcNMTYwOTI2MTUxMjQ0WhcNMTYxMDI2MTUxMjQ0WjAVMBMC\n"

  343.     "AhAAFw0xNjA5MjYxNTEyMjZaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsF\n"

  344.     "AAOCAQEAlBmjOA3Fs5UCq3GbyPEzHkfAabL0HqOQaCP12btmvIf/z8kcjMGHmjjP\n"

  345.     "t85dHbI4Ak/G9wtRT4E/j9i5KML+6yfhRyUTUJKIK/kbqgkj06uuYWuFipURlpDB\n"

  346.     "cm81RzZaMQvmlN5YKfzZV/clLX6mJiXpNQg6zjhj6wBAMI9ZfwVHmCjRqnwVmCUL\n"

  347.     "TybvuTmkryGBqREwmSbHFFjg5ixG/ztwzON/Ly78aJ8Bql6ktCl9+/gh6VJcoZ0q\n"

  348.     "L8V8aT8+Ghfi+zrXM8S9BmLQ9n0fQe0wzKrDZh14EK4sb7zmOzFHSxm3eEXyS98g\n"

  349.     "Od4cjsc3ymNk88S4jpnLRtIVxZB+SQ==\n"

  350.     "-----END X509 CRL-----\n";

  351. 

  352. // kKnownCriticalCRL is kBasicCRL but with a critical issuing distribution point

  353. // extension.

  354. static const char kKnownCriticalCRL[] =

  355.     "-----BEGIN X509 CRL-----\n"

  356.     "MIIBujCBowIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  357.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  358.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCEwHzAKBgNV\n"

  359.     "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+3\n"

  360.     "i+5e5Ub8sccfgOBs6WVJFI9c8gvJjrJ8/dYfFIAuCyeocs7DFXn1n13CRZ+URR/Q\n"

  361.     "mVWgU28+xeusuSPYFpd9cyYTcVyNUGNTI3lwgcE/yVjPaOmzSZKdPakApRxtpKKQ\n"

  362.     "NN/56aQz3bnT/ZSHQNciRB8U6jiD9V30t0w+FDTpGaG+7bzzUH3UVF9xf9Ctp60A\n"

  363.     "3mfLe0scas7owSt4AEFuj2SPvcE7yvdOXbu+IEv21cEJUVExJAbhvIweHXh6yRW+\n"

  364.     "7VVeiNzdIjkZjyTmAzoXGha4+wbxXyBRbfH+XWcO/H+8nwyG8Gktdu2QB9S9nnIp\n"

  365.     "o/1TpfOMSGhMyMoyPrk=\n"

  366.     "-----END X509 CRL-----\n";

  367. 

  368. // kUnknownCriticalCRL is kBasicCRL but with an unknown critical extension.

  369. static const char kUnknownCriticalCRL[] =

  370.     "-----BEGIN X509 CRL-----\n"

  371.     "MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  372.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  373.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCMwITAKBgNV\n"

  374.     "HRQEAwIBATATBgwqhkiG9xIEAYS3CQABAf8EADANBgkqhkiG9w0BAQsFAAOCAQEA\n"

  375.     "GvBP0xqL509InMj/3493YVRV+ldTpBv5uTD6jewzf5XdaxEQ/VjTNe5zKnxbpAib\n"

  376.     "Kf7cwX0PMSkZjx7k7kKdDlEucwVvDoqC+O9aJcqVmM6GDyNb9xENxd0XCXja6MZC\n"

  377.     "yVgP4AwLauB2vSiEprYJyI1APph3iAEeDm60lTXX/wBM/tupQDDujKh2GPyvBRfJ\n"

  378.     "+wEDwGg3ICwvu4gO4zeC5qnFR+bpL9t5tOMAQnVZ0NWv+k7mkd2LbHdD44dxrfXC\n"

  379.     "nhtfERx99SDmC/jtUAJrGhtCO8acr7exCeYcduN7KKCm91OeCJKK6OzWst0Og1DB\n"

  380.     "kwzzU2rL3G65CrZ7H0SZsQ==\n"

  381.     "-----END X509 CRL-----\n";

  382. 

  383. // kUnknownCriticalCRL2 is kBasicCRL but with a critical issuing distribution

  384. // point extension followed by an unknown critical extension

  385. static const char kUnknownCriticalCRL2[] =

  386.     "-----BEGIN X509 CRL-----\n"

  387.     "MIIBzzCBuAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  388.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  389.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoDYwNDAKBgNV\n"

  390.     "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wEwYMKoZIhvcSBAGEtwkAAQH/BAAw\n"

  391.     "DQYJKoZIhvcNAQELBQADggEBACTcpQC8jXL12JN5YzOcQ64ubQIe0XxRAd30p7qB\n"

  392.     "BTXGpgqBjrjxRfLms7EBYodEXB2oXMsDq3km0vT1MfYdsDD05S+SQ9CDsq/pUfaC\n"

  393.     "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n"

  394.     "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n"

  395.     "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n"

  396.     "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n"

  397.     "-----END X509 CRL-----\n";

  398. 

  399. // kEd25519Cert is a self-signed Ed25519 certificate.

  400. static const char kEd25519Cert[] =

  401.     "-----BEGIN CERTIFICATE-----\n"

  402.     "MIIBkTCCAUOgAwIBAgIJAJwooam0UCDmMAUGAytlcDBFMQswCQYDVQQGEwJBVTET\n"

  403.     "MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ\n"

  404.     "dHkgTHRkMB4XDTE0MDQyMzIzMjE1N1oXDTE0MDUyMzIzMjE1N1owRTELMAkGA1UE\n"

  405.     "BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp\n"

  406.     "ZGdpdHMgUHR5IEx0ZDAqMAUGAytlcAMhANdamAGCsQq31Uv+08lkBzoO4XLz2qYj\n"

  407.     "Ja8CGmj3B1Eao1AwTjAdBgNVHQ4EFgQUoux7eV+fJK2v3ah6QPU/lj1/+7UwHwYD\n"

  408.     "VR0jBBgwFoAUoux7eV+fJK2v3ah6QPU/lj1/+7UwDAYDVR0TBAUwAwEB/zAFBgMr\n"

  409.     "ZXADQQBuCzqji8VP9xU8mHEMjXGChX7YP5J664UyVKHKH9Z1u4wEbB8dJ3ScaWSL\n"

  410.     "r+VHVKUhsrvcdCelnXRrrSD7xWAL\n"

  411.     "-----END CERTIFICATE-----\n";

  412. 

  413. // kEd25519CertNull is an invalid self-signed Ed25519 with an explicit NULL in

  414. // the signature algorithm.

  415. static const char kEd25519CertNull[] =

  416.     "-----BEGIN CERTIFICATE-----\n"

  417.     "MIIBlTCCAUWgAwIBAgIJAJwooam0UCDmMAcGAytlcAUAMEUxCzAJBgNVBAYTAkFV\n"

  418.     "MRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRz\n"

  419.     "IFB0eSBMdGQwHhcNMTQwNDIzMjMyMTU3WhcNMTQwNTIzMjMyMTU3WjBFMQswCQYD\n"

  420.     "VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg\n"

  421.     "V2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEA11qYAYKxCrfVS/7TyWQHOg7hcvPa\n"

  422.     "piMlrwIaaPcHURqjUDBOMB0GA1UdDgQWBBSi7Ht5X58kra/dqHpA9T+WPX/7tTAf\n"

  423.     "BgNVHSMEGDAWgBSi7Ht5X58kra/dqHpA9T+WPX/7tTAMBgNVHRMEBTADAQH/MAcG\n"

  424.     "AytlcAUAA0EA70uefNocdJohkKPNROKVyBuBD3LXMyvmdTklsaxSRY3PcZdOohlr\n"

  425.     "recgVPpVS7B+d9g4EwtZXIh4lodTBDHBBw==\n"

  426.     "-----END CERTIFICATE-----\n";

  427. 

  428. // kSANTypesLeaf is a leaf certificate (signed by |kSANTypesRoot|) which

  429. // contains SANS for example.com, test@example.com, 127.0.0.1, and

  430. // https://example.com/. (The latter is useless for now since crypto/x509

  431. // doesn't deal with URI SANs directly.)

  432. static const char kSANTypesLeaf[] =

  433.     "-----BEGIN CERTIFICATE-----\n"

  434.     "MIIClzCCAgCgAwIBAgIJAOjwnT/iW+qmMA0GCSqGSIb3DQEBCwUAMCsxFzAVBgNV\n"

  435.     "BAoTDkJvcmluZ1NTTCBUZXN0MRAwDgYDVQQDEwdSb290IENBMB4XDTE1MDEwMTAw\n"

  436.     "MDAwMFoXDTI1MDEwMTAwMDAwMFowLzEXMBUGA1UEChMOQm9yaW5nU1NMIFRlc3Qx\n"

  437.     "FDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n"

  438.     "gQDbRn2TLhInBki8Bighq37EtqJd/h5SRYh6NkelCA2SQlvCgcC+l3mYQPtPbRT9\n"

  439.     "KxOLwqUuZ9jUCZ7WIji3Sgt0cyvCNPHRk+WW2XR781ifbGE8wLBB1NkrKyQjd1sc\n"

  440.     "O711Xc4gVM+hY4cdHiTE8x0aUIuqthRD7ZendWL0FMhS1wIDAQABo4G+MIG7MA4G\n"

  441.     "A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD\n"

  442.     "VR0TAQH/BAIwADAZBgNVHQ4EEgQQn5EWH0NDPkmm3m22gNefYDAbBgNVHSMEFDAS\n"

  443.     "gBBAN9cB+0AvuBx+VAQnjFkBMEQGA1UdEQQ9MDuCC2V4YW1wbGUuY29tgRB0ZXN0\n"

  444.     "QGV4YW1wbGUuY29thwR/AAABhhRodHRwczovL2V4YW1wbGUuY29tLzANBgkqhkiG\n"

  445.     "9w0BAQsFAAOBgQBtwJvY6+Tk6D6DOtDVaNoJ5y8E25CCuE/Ga4OuIcYJas+yLckf\n"

  446.     "dZwUV3GUG2oBXl2MrpUFxXd4hKBO1CmlBY+hZEeIx0Yp6QWK9P/vnZeydOTP26mk\n"

  447.     "jusJ2PqSmtKNU1Zcaba4d29oFejmOAfeguhR8AHpsc/zHEaS5Q9cJsuJcw==\n"

  448.     "-----END CERTIFICATE-----\n";

  449. 

  450. // -----BEGIN RSA PRIVATE KEY-----

  451. // MIICWwIBAAKBgQDbRn2TLhInBki8Bighq37EtqJd/h5SRYh6NkelCA2SQlvCgcC+

  452. // l3mYQPtPbRT9KxOLwqUuZ9jUCZ7WIji3Sgt0cyvCNPHRk+WW2XR781ifbGE8wLBB

  453. // 1NkrKyQjd1scO711Xc4gVM+hY4cdHiTE8x0aUIuqthRD7ZendWL0FMhS1wIDAQAB

  454. // AoGACwf7z0i1DxOI2zSwFimLghfyCSp8mgT3fbZ3Wj0SebYu6ZUffjceneM/AVrq

  455. // gGYHYLOVHcWJqfkl7X3hPo9SDhzLx0mM545/q21ZWCwjhswH7WiCEqV2/zeDO9WU

  456. // NIO1VU0VoLm0AQ7ZvwnyB+fpgF9kkkDtbBJW7XWrfNVtlnECQQD97YENpEJ3X1kj

  457. // 3rrkrHWDkKAyoWWY1i8Fm7LnganC9Bv6AVwgn5ZlE/479aWHF8vbOFEA3pFPiNZJ

  458. // t9FTCfpJAkEA3RCXjGI0Y6GALFLwEs+nL/XZAfJaIpJEZVLCVosYQOSaMS4SchfC

  459. // GGYVquT7ZgKk9uvz89Fg87OtBMWS9lrkHwJADGkGLKeBhBoJ3kHtem2fVK3F1pOi

  460. // xoR5SdnhNYVVyaxqjZ5xZTrHe+stOrr3uxGDqhQniVZXXb6/Ul0Egv1y2QJAVg/h

  461. // kAujba4wIhFf2VLyOZ+yjil1ocPj0LZ5Zgvcs1bMGJ1hHP3W2HzVrqRaowoggui1

  462. // HpTC891dXGA2qKYV7QJAFDmT2A7OVvh3y4AEgzVwHrDmCMwMHKjCIntS7fjxrJnF

  463. // YvJUG1zoHwUVrxxbR3DbpTODlktLcl/0b97D0IkH3w==

  464. // -----END RSA PRIVATE KEY-----

  465. 

  466. static const char kSANTypesRoot[] =

  467.     "-----BEGIN CERTIFICATE-----\n"

  468.     "MIICTTCCAbagAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE\n"

  469.     "ChMOQm9yaW5nU1NMIFRlc3QxEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTUwMTAxMDAw\n"

  470.     "MDAwWhcNMjUwMTAxMDAwMDAwWjArMRcwFQYDVQQKEw5Cb3JpbmdTU0wgVGVzdDEQ\n"

  471.     "MA4GA1UEAxMHUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6Q5/\n"

  472.     "EQzmWuaGg3D2UQcuAngR9bIkkjjuJmICx5TxPqF3asCP1SJotl3iTNrghRE1wpJy\n"

  473.     "SY2BtIiXa7f8skRb2U0GcPkMxo/ps9+jaoRsQ1m+nbLQdpvD1/qZWcO45fNTA71J\n"

  474.     "1rPMokP+rcILuQG4VimUAySnDSghKamulFtK+Z8CAwEAAaN6MHgwDgYDVR0PAQH/\n"

  475.     "BAQDAgIEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8E\n"

  476.     "BTADAQH/MBkGA1UdDgQSBBBAN9cB+0AvuBx+VAQnjFkBMBsGA1UdIwQUMBKAEEA3\n"

  477.     "1wH7QC+4HH5UBCeMWQEwDQYJKoZIhvcNAQELBQADgYEAc4N6hTE62/3gwg+kyc2f\n"

  478.     "c/Jj1mHrOt+0NRaBnmvbmNpsEjHS96Ef4Wt/ZlPXPkkv1C1VosJnOIMF3Q522wRH\n"

  479.     "bqaxARldS12VAa3gcWisDWD+SqSyDxjyojz0XDiJkTrFuCTCUiZO+1GLB7SO10Ms\n"

  480.     "d5YVX0c90VMnUhF/dlrqS9U=\n"

  481.     "-----END CERTIFICATE-----\n";

  482. 

  483. // -----BEGIN RSA PRIVATE KEY-----

  484. // MIICXAIBAAKBgQDpDn8RDOZa5oaDcPZRBy4CeBH1siSSOO4mYgLHlPE+oXdqwI/V

  485. // Imi2XeJM2uCFETXCknJJjYG0iJdrt/yyRFvZTQZw+QzGj+mz36NqhGxDWb6dstB2

  486. // m8PX+plZw7jl81MDvUnWs8yiQ/6twgu5AbhWKZQDJKcNKCEpqa6UW0r5nwIDAQAB

  487. // AoGALEF5daZqc+aEsp8X1yky3nsoheyPL0kqSBWii33IFemZgKcSaRnAoqjPWWLS

  488. // 8dHj0I/4rej2MW8iuezVSpDak9tK5boHORC3w4p/wifkizQkLt1DANxTVbzcKvrt

  489. // aZ7LjVaKkhjRJbLddniowFHkkWVbUccjvzcUd7Y2VuLbAhECQQDq4FE88aHio8zg

  490. // bxSd0PwjEFwLYQTR19u812SoR8PmR6ofIL+pDwOV+fVs+OGcAAOgkhIukOrksQ4A

  491. // 1cKtnyhXAkEA/gRI+u3tZ7UE1twIkBfZ6IvCdRodkPqHAYIxMRLzL+MhyZt4MEGc

  492. // Ngb/F6U9/WOBFnoR/PI7IwE3ejutzKcL+QJBAKh+6eilk7QKPETZi1m3/dmNt+p1

  493. // 3EZJ65pqjwxmB3Rg/vs7vCMk4TarTdSyKu+F1xRPFfoP/mK3Xctdjj6NyhsCQAYF

  494. // 7/0TOzfkUPMPUJyqFB6xgbDpJ55ScnUUsznoqx+NkTWInDb4t02IqO/UmT2y6FKy

  495. // Hk8TJ1fTJY+ebqaVp3ECQApx9gQ+n0zIhx97FMUuiRse73xkcW4+pZ8nF+8DmeQL

  496. // /JKuuFGmzkG+rUbXFmo/Zg2ozVplw71NnQJ4znPsf7A=

  497. // -----END RSA PRIVATE KEY-----

  498. 

  499. // The following four certificates were generated with this Go program, varying

  500. // |includeNetscapeExtension| and defining rootKeyPEM and rootCertPEM to be

  501. // strings containing the kSANTypesRoot, above.

  502. 

  503. // package main

  504. 

  505. // import (

  506. //     "crypto/ecdsa"

  507. //     "crypto/elliptic"

  508. //     "crypto/rand"

  509. //     "crypto/x509"

  510. //     "crypto/x509/pkix"

  511. //     "encoding/asn1"

  512. //     "encoding/pem"

  513. //     "math/big"

  514. //     "os"

  515. //     "time"

  516. // )

  517. 

  518. // const includeNetscapeExtension = true

  519. 

  520. // func main() {

  521. //     block, _ := pem.Decode([]byte(rootKeyPEM))

  522. //     rootPriv, _ := x509.ParsePKCS1PrivateKey(block.Bytes)

  523. //     block, _ = pem.Decode([]byte(rootCertPEM))

  524. //     root, _ := x509.ParseCertificate(block.Bytes)

  525. 

  526. //     interTemplate := &x509.Certificate{

  527. //         SerialNumber: big.NewInt(2),

  528. //         Subject: pkix.Name{

  529. //             CommonName: "No Basic Constraints (Netscape)",

  530. //         },

  531. //         NotBefore: time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC),

  532. //         NotAfter:  time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC),

  533. //     }

  534. 

  535. //     if includeNetscapeExtension {

  536. //         interTemplate.ExtraExtensions = []pkix.Extension{

  537. //             pkix.Extension{

  538. //                 Id:    asn1.ObjectIdentifier([]int{2, 16, 840, 1, 113730, 1, 1}),

  539. //                 Value: []byte{0x03, 0x02, 2, 0x04},

  540. //             },

  541. //         }

  542. //     } else {

  543. //         interTemplate.KeyUsage = x509.KeyUsageCertSign

  544. //     }

  545. 

  546. //     interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  547. 

  548. //     interDER, err := x509.CreateCertificate(rand.Reader, interTemplate, root, &interKey.PublicKey, rootPriv)

  549. //     if err != nil {

  550. //         panic(err)

  551. //     }

  552. 

  553. //     pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: interDER})

  554. 

  555. //     inter, _ := x509.ParseCertificate(interDER)

  556. 

  557. //     leafTemplate := &x509.Certificate{

  558. //         SerialNumber: big.NewInt(3),

  559. //         Subject: pkix.Name{

  560. //             CommonName: "Leaf from CA with no Basic Constraints",

  561. //         },

  562. //         NotBefore:             time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC),

  563. //         NotAfter:              time.Date(2099, time.January, 1, 0, 0, 0, 0, time.UTC),

  564. //         BasicConstraintsValid: true,

  565. //     }

  566. //     leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  567. 

  568. //     leafDER, err := x509.CreateCertificate(rand.Reader, leafTemplate, inter, &leafKey.PublicKey, interKey)

  569. //     if err != nil {

  570. //         panic(err)

  571. //     }

  572. 

  573. //     pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})

  574. // }

  575. 

  576. // kNoBasicConstraintsCertSignIntermediate doesn't have isCA set, but contains

  577. // certSign in the keyUsage.

  578. static const char kNoBasicConstraintsCertSignIntermediate[] =

  579.     "-----BEGIN CERTIFICATE-----\n"

  580.     "MIIBqjCCAROgAwIBAgIBAjANBgkqhkiG9w0BAQsFADArMRcwFQYDVQQKEw5Cb3Jp\n"

  581.     "bmdTU0wgVGVzdDEQMA4GA1UEAxMHUm9vdCBDQTAgFw0wMDAxMDEwMDAwMDBaGA8y\n"

  582.     "MDk5MDEwMTAwMDAwMFowHzEdMBsGA1UEAxMUTm8gQmFzaWMgQ29uc3RyYWludHMw\n"

  583.     "WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASEFMblfxIEDO8My7wHtHWTuDzNyID1\n"

  584.     "OsPkMGkn32O/pSyXxXuAqDeFoMVffUMTyfm8JcYugSEbrv2qEXXM4bZRoy8wLTAO\n"

  585.     "BgNVHQ8BAf8EBAMCAgQwGwYDVR0jBBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkq\n"

  586.     "hkiG9w0BAQsFAAOBgQC1Lh6hIAm3K5kRh5iIydU0YAEm7eV6ZSskERDUq3DLJyl9\n"

  587.     "ZUZCHUzvb464dkwZjeNzaUVS1pdElJslwX3DtGgeJLJGCnk8zUjBjaNrrDm0kzPW\n"

  588.     "xKt/6oif1ci/KCKqKNXJAIFbc4e+IiBpenwpxHk3If4NM+Ek0nKoO8Uj0NkgTQ==\n"

  589.     "-----END CERTIFICATE-----\n";

  590. 

  591. static const char kNoBasicConstraintsCertSignLeaf[] =

  592.     "-----BEGIN CERTIFICATE-----\n"

  593.     "MIIBUDCB96ADAgECAgEDMAoGCCqGSM49BAMCMB8xHTAbBgNVBAMTFE5vIEJhc2lj\n"

  594.     "IENvbnN0cmFpbnRzMCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAx\n"

  595.     "MS8wLQYDVQQDEyZMZWFmIGZyb20gQ0Egd2l0aCBubyBCYXNpYyBDb25zdHJhaW50\n"

  596.     "czBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEsYPMwzdJKjB+2gpC90ib2ilHoB\n"

  597.     "w/arQ6ikUX0CNUDDaKaOu/jF39ogzVlg4lDFrjCKShSfCCcrwgONv70IZGijEDAO\n"

  598.     "MAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDSAAwRQIgbV7R99yM+okXSIs6Fp3o\n"

  599.     "eCOXiDL60IBxaTOcLS44ywcCIQDbn87Gj5cFgHBYAkzdHqDsyGXkxQTHDq9jmX24\n"

  600.     "Djy3Zw==\n"

  601.     "-----END CERTIFICATE-----\n";

  602. 

  603. // kNoBasicConstraintsNetscapeCAIntermediate doesn't have isCA set, but contains

  604. // a Netscape certificate-type extension that asserts a type of "SSL CA".

  605. static const char kNoBasicConstraintsNetscapeCAIntermediate[] =

  606.     "-----BEGIN CERTIFICATE-----\n"

  607.     "MIIBuDCCASGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADArMRcwFQYDVQQKEw5Cb3Jp\n"

  608.     "bmdTU0wgVGVzdDEQMA4GA1UEAxMHUm9vdCBDQTAgFw0wMDAxMDEwMDAwMDBaGA8y\n"

  609.     "MDk5MDEwMTAwMDAwMFowKjEoMCYGA1UEAxMfTm8gQmFzaWMgQ29uc3RyYWludHMg\n"

  610.     "KE5ldHNjYXBlKTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCeMbmCaOtMzXBqi\n"

  611.     "PrCdNOH23CkaawUA+pAezitAN4RXS1O2CGK5sJjGPVVeogROU8G7/b+mU+ciZIzH\n"

  612.     "1PP8FJKjMjAwMBsGA1UdIwQUMBKAEEA31wH7QC+4HH5UBCeMWQEwEQYJYIZIAYb4\n"

  613.     "QgEBBAQDAgIEMA0GCSqGSIb3DQEBCwUAA4GBAAgNWjh7cfBTClTAk+Ml//5xb9Ju\n"

  614.     "tkBhG6Rm+kkMD+qiSMO6t7xS7CsA0+jIBjkdEYaLZ3oxtQCBdZsVNxUvRxZ0AUfF\n"

  615.     "G3DtRFTsrI1f7IQhpMuqEMF4shPW+5x54hrq0Fo6xMs6XoinJZcTUaaB8EeXRF6M\n"

  616.     "P9p6HuyLrmn0c/F0\n"

  617.     "-----END CERTIFICATE-----\n";

  618. 

  619. static const char kNoBasicConstraintsNetscapeCALeaf[] =

  620.     "-----BEGIN CERTIFICATE-----\n"

  621.     "MIIBXDCCAQKgAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9ObyBCYXNp\n"

  622.     "YyBDb25zdHJhaW50cyAoTmV0c2NhcGUpMCAXDTAwMDEwMTAwMDAwMFoYDzIwOTkw\n"

  623.     "MTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZMZWFmIGZyb20gQ0Egd2l0aCBubyBCYXNp\n"

  624.     "YyBDb25zdHJhaW50czBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDlJKolDu3R2\n"

  625.     "tPqSDycr0QJcWhxdBv76V0EEVflcHRxED6vAioTEcnQszt1OfKtBZvjlo0yp6i6Q\n"

  626.     "DaYit0ZInmWjEDAOMAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDSAAwRQIhAJsh\n"

  627.     "aZL6BHeEfoUBj1oZ2Ln91qzj3UCVMJ+vrmwAFdYyAiA3wp2JphgchvmoUFuzPXwj\n"

  628.     "XyPwWPbymSTpzKhB4xB7qQ==\n"

  629.     "-----END CERTIFICATE-----\n";

  630. 

  631. static const char kSelfSignedMismatchAlgorithms[] =

  632.     "-----BEGIN CERTIFICATE-----\n"

  633.     "MIIFMjCCAxqgAwIBAgIJAL0mG5fOeJ7xMA0GCSqGSIb3DQEBDQUAMC0xCzAJBgNV\n"

  634.     "BAYTAkdCMQ8wDQYDVQQHDAZMb25kb24xDTALBgNVBAoMBFRlc3QwIBcNMTgwOTE3\n"

  635.     "MTIxNzU3WhgPMjExODA4MjQxMjE3NTdaMC0xCzAJBgNVBAYTAkdCMQ8wDQYDVQQH\n"

  636.     "DAZMb25kb24xDTALBgNVBAoMBFRlc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"

  637.     "ggIKAoICAQDCMhBrRAGGw+n2GdctBr/cEK4FZA6ajiHjihgpCHoSBdyL4R2jGKLS\n"

  638.     "g0WgaMXa1HpkKN7LcIySosEBPlmcRkr1RqbEvQStOSvoFCXYvtx3alM6HTbXMcDR\n"

  639.     "mqoKoABP6LXsPSoMWIgqMtP2X9EOppzHVIK1yFYFfbIlvYUV2Ka+MuMe0Vh5wvD1\n"

  640.     "4GanPb+cWSKgdRSVQovCCMY3yWtZKVEaxRpCsk/mYYIFWz0tcgMjIKwDx1XXgiAV\n"

  641.     "nU6NK43xbaw3XhtnaD/pv9lhTTbNrlcln9LjTD097BaK4R+1AEPHnpfxA9Ui3upn\n"

  642.     "kbsNUdGdOB0ksZi/vd7lh833YgquQUIAhYrbfvq/HFCpVV1gljzlS3sqULYpLE//\n"

  643.     "i3OsuL2mE+CYIJGpIi2GeJJWXciNMTJDOqTn+fRDtVb4RPp4Y70DJirp7XzaBi3q\n"

  644.     "H0edANCzPSRCDbZsOhzIXhXshldiXVRX666DDlbMQgLTEnNKrkwv6DmU8o15XQsb\n"

  645.     "8k1Os2YwXmkEOxUQ7AJZXVTZSf6UK9Znmdq1ZrHjybMfRUkHVxJcnKvrxfryralv\n"

  646.     "gzfvu+D6HuxrCo3Ojqa+nDgIbxKEBtdrcsMhq1jWPFhjwo1fSadAkKOfdCAuXJRD\n"

  647.     "THg3b4Sf+W7Cpc570YHrIpBf7WFl2XsPcEM0mJZ5+yATASCubNozQwIDAQABo1Mw\n"

  648.     "UTAdBgNVHQ4EFgQUES0hupZSqY21JOba10QyZuxm91EwHwYDVR0jBBgwFoAUES0h\n"

  649.     "upZSqY21JOba10QyZuxm91EwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF\n"

  650.     "AAOCAgEABTN5S30ng/RMpBweDm2N561PdpaCdiRXtAFCRVWR2mkDYC/Xj9Vqe6be\n"

  651.     "PyM7L/5OKYVjzF1yJu67z/dx+ja5o+41g17jdqla7hyPx+9B4uRyDh+1KJTa+duj\n"

  652.     "mw/aA1LCr6O6W4WizDOsChJ6FaB2Y1+GlFnKWb5nUdhVJqXQE1WOX9dZnw8Y4Npd\n"

  653.     "VmAsjWot0BZorJrt3fwfcv3QfA896twkbo7Llv/8qzg4sXZXZ4ZtgAOqnPngiSn+\n"

  654.     "JT/vYCXZ406VvAFpFqMcVz2dO/VGuL8lGIMHRKNyafrsV81EzH1W/XmRWOgvgj6r\n"

  655.     "yQI63ln/AMY72HQ97xLkE1xKunGz6bK5Ug5+O43Uftc4Mb6MUgzo+ZqEQ3Ob+cAV\n"

  656.     "cvjmtwDaPO/O39O5Xq0tLTlkn2/cKf4OQ6S++GDxzyRVHh5JXgP4j9+jfZY57Woy\n"

  657.     "R1bE7N50JjY4cDermBJKdlBIjL7UPhqmLyaG7V0hBitFlgGBUCcJtJOV0xYd5aF3\n"

  658.     "pxNkvMXhBmh95fjxJ0cJjpO7tN1RAwtMMNgsl7OUbuVRQCHOPW5DgP5qY21jDeRn\n"

  659.     "BY82382l+9QzykmJLI5MZnmj4BA9uIDCwMtoTTvP++SsvhUAbuvh7MOOUQL0EY4m\n"

  660.     "KStYq7X9PKseN+PvmfeoffIKc5R/Ha39oi7cGMVHCr8aiEhsf94=\n"

  661.     "-----END CERTIFICATE-----\n";

  662. 

  663. // CertFromPEM parses the given, NUL-terminated pem block and returns an

  664. // |X509*|.

  665. static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {

  666.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  667.   return bssl::UniquePtr<X509>(

  668.       PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));

  669. }

  670. 

  671. // CRLFromPEM parses the given, NUL-terminated pem block and returns an

  672. // |X509_CRL*|.

  673. static bssl::UniquePtr<X509_CRL> CRLFromPEM(const char *pem) {

  674.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  675.   return bssl::UniquePtr<X509_CRL>(

  676.       PEM_read_bio_X509_CRL(bio.get(), nullptr, nullptr, nullptr));

  677. }

  678. 

  679. // PrivateKeyFromPEM parses the given, NUL-terminated pem block and returns an

  680. // |EVP_PKEY*|.

  681. static bssl::UniquePtr<EVP_PKEY> PrivateKeyFromPEM(const char *pem) {

  682.   bssl::UniquePtr<BIO> bio(

  683.       BIO_new_mem_buf(const_cast<char *>(pem), strlen(pem)));

  684.   return bssl::UniquePtr<EVP_PKEY>(

  685.       PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));

  686. }

  687. 

  688. // CertsToStack converts a vector of |X509*| to an OpenSSL STACK_OF(X509),

  689. // bumping the reference counts for each certificate in question.

  690. static bssl::UniquePtr<STACK_OF(X509)> CertsToStack(

  691.     const std::vector<X509 *> &certs) {

  692.   bssl::UniquePtr<STACK_OF(X509)> stack(sk_X509_new_null());

  693.   if (!stack) {

  694.     return nullptr;

  695.   }

  696.   for (auto cert : certs) {

  697.     if (!bssl::PushToStack(stack.get(), bssl::UpRef(cert))) {

  698.       return nullptr;

  699.     }

  700.   }

  701. 

  702.   return stack;

  703. }

  704. 

  705. // CRLsToStack converts a vector of |X509_CRL*| to an OpenSSL

  706. // STACK_OF(X509_CRL), bumping the reference counts for each CRL in question.

  707. static bssl::UniquePtr<STACK_OF(X509_CRL)> CRLsToStack(

  708.     const std::vector<X509_CRL *> &crls) {

  709.   bssl::UniquePtr<STACK_OF(X509_CRL)> stack(sk_X509_CRL_new_null());

  710.   if (!stack) {

  711.     return nullptr;

  712.   }

  713.   for (auto crl : crls) {

  714.     if (!bssl::PushToStack(stack.get(), bssl::UpRef(crl))) {

  715.       return nullptr;

  716.     }

  717.   }

  718. 

  719.   return stack;

  720. }

  721. 

  722. static int Verify(X509 *leaf, const std::vector<X509 *> &roots,

  723.                   const std::vector<X509 *> &intermediates,

  724.                   const std::vector<X509_CRL *> &crls, unsigned long flags,

  725.                   bool use_additional_untrusted,

  726.                   std::function<void(X509_VERIFY_PARAM *)> configure_callback) {

  727.   bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));

  728.   bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(

  729.       CertsToStack(intermediates));

  730.   bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls));

  731. 

  732.   if (!roots_stack ||

  733.       !intermediates_stack ||

  734.       !crls_stack) {

  735.     return X509_V_ERR_UNSPECIFIED;

  736.   }

  737. 

  738.   bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());

  739.   bssl::UniquePtr<X509_STORE> store(X509_STORE_new());

  740.   if (!ctx ||

  741.       !store) {

  742.     return X509_V_ERR_UNSPECIFIED;

  743.   }

  744. 

  745.   if (use_additional_untrusted) {

  746.     X509_STORE_set0_additional_untrusted(store.get(),

  747.                                          intermediates_stack.get());

  748.   }

  749. 

  750.   if (!X509_STORE_CTX_init(

  751.           ctx.get(), store.get(), leaf,

  752.           use_additional_untrusted ? nullptr : intermediates_stack.get())) {

  753.     return X509_V_ERR_UNSPECIFIED;

  754.   }

  755. 

  756.   X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get());

  757.   X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get());

  758. 

  759.   X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();

  760.   if (param == nullptr) {

  761.     return X509_V_ERR_UNSPECIFIED;

  762.   }

  763.   X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */);

  764.   X509_VERIFY_PARAM_set_depth(param, 16);

  765.   if (configure_callback) {

  766.     configure_callback(param);

  767.   }

  768.   if (flags) {

  769.     X509_VERIFY_PARAM_set_flags(param, flags);

  770.   }

  771.   X509_STORE_CTX_set0_param(ctx.get(), param);

  772. 

  773.   ERR_clear_error();

  774.   if (X509_verify_cert(ctx.get()) != 1) {

  775.     return X509_STORE_CTX_get_error(ctx.get());

  776.   }

  777. 

  778.   return X509_V_OK;

  779. }

  780. 

  781. static int Verify(X509 *leaf, const std::vector<X509 *> &roots,

  782.                    const std::vector<X509 *> &intermediates,

  783.                    const std::vector<X509_CRL *> &crls,

  784.                    unsigned long flags = 0) {

  785.   const int r1 =

  786.       Verify(leaf, roots, intermediates, crls, flags, false, nullptr);

  787.   const int r2 =

  788.       Verify(leaf, roots, intermediates, crls, flags, true, nullptr);

  789. 

  790.   if (r1 != r2) {

  791.     fprintf(stderr,

  792.             "Verify with, and without, use_additional_untrusted gave different "

  793.             "results: %d vs %d.\n",

  794.             r1, r2);

  795.     return false;

  796.   }

  797. 

  798.   return r1;

  799. }

  800. 

  801. TEST(X509Test, TestVerify) {

  802.   bssl::UniquePtr<X509> cross_signing_root(CertFromPEM(kCrossSigningRootPEM));

  803.   bssl::UniquePtr<X509> root(CertFromPEM(kRootCAPEM));

  804.   bssl::UniquePtr<X509> root_cross_signed(CertFromPEM(kRootCrossSignedPEM));

  805.   bssl::UniquePtr<X509> intermediate(CertFromPEM(kIntermediatePEM));

  806.   bssl::UniquePtr<X509> intermediate_self_signed(

  807.       CertFromPEM(kIntermediateSelfSignedPEM));

  808.   bssl::UniquePtr<X509> leaf(CertFromPEM(kLeafPEM));

  809.   bssl::UniquePtr<X509> leaf_no_key_usage(CertFromPEM(kLeafNoKeyUsagePEM));

  810.   bssl::UniquePtr<X509> forgery(CertFromPEM(kForgeryPEM));

  811. 

  812.   ASSERT_TRUE(cross_signing_root);

  813.   ASSERT_TRUE(root);

  814.   ASSERT_TRUE(root_cross_signed);

  815.   ASSERT_TRUE(intermediate);

  816.   ASSERT_TRUE(intermediate_self_signed);

  817.   ASSERT_TRUE(leaf);

  818.   ASSERT_TRUE(forgery);

  819.   ASSERT_TRUE(leaf_no_key_usage);

  820. 

  821.   std::vector<X509*> empty;

  822.   std::vector<X509_CRL*> empty_crls;

  823.   ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,

  824.             Verify(leaf.get(), empty, empty, empty_crls));

  825.   ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,

  826.             Verify(leaf.get(), empty, {intermediate.get()}, empty_crls));

  827. 

  828.   ASSERT_EQ(X509_V_OK,

  829.             Verify(leaf.get(), {root.get()}, {intermediate.get()}, empty_crls));

  830.   ASSERT_EQ(X509_V_OK,

  831.             Verify(leaf.get(), {cross_signing_root.get()},

  832.                    {intermediate.get(), root_cross_signed.get()}, empty_crls));

  833.   ASSERT_EQ(X509_V_OK,

  834.             Verify(leaf.get(), {cross_signing_root.get(), root.get()},

  835.                    {intermediate.get(), root_cross_signed.get()}, empty_crls));

  836. 

  837.   /* This is the “altchains” test – we remove the cross-signing CA but include

  838.    * the cross-sign in the intermediates. */

  839.   ASSERT_EQ(X509_V_OK,

  840.             Verify(leaf.get(), {root.get()},

  841.                    {intermediate.get(), root_cross_signed.get()}, empty_crls));

  842.   ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,

  843.             Verify(leaf.get(), {root.get()},

  844.                    {intermediate.get(), root_cross_signed.get()}, empty_crls,

  845.                    X509_V_FLAG_NO_ALT_CHAINS));

  846.   ASSERT_EQ(X509_V_ERR_INVALID_CA,

  847.             Verify(forgery.get(), {intermediate_self_signed.get()},

  848.                    {leaf_no_key_usage.get()}, empty_crls));

  849. 

  850.   /* Test that one cannot skip Basic Constraints checking with a contorted set

  851.    * of roots and intermediates. This is a regression test for CVE-2015-1793. */

  852.   ASSERT_EQ(X509_V_ERR_INVALID_CA,

  853.             Verify(forgery.get(),

  854.                    {intermediate_self_signed.get(), root_cross_signed.get()},

  855.                    {leaf_no_key_usage.get(), intermediate.get()}, empty_crls));

  856. }

  857. 

  858. static const char kHostname[] = "example.com";

  859. static const char kWrongHostname[] = "example2.com";

  860. static const char kEmail[] = "test@example.com";

  861. static const char kWrongEmail[] = "test2@example.com";

  862. static const uint8_t kIP[4] = {127, 0, 0, 1};

  863. static const uint8_t kWrongIP[4] = {127, 0, 0, 2};

  864. static const char kIPString[] = "127.0.0.1";

  865. static const char kWrongIPString[] = "127.0.0.2";

  866. 

  867. TEST(X509Test, ZeroLengthsWithX509PARAM) {

  868.   bssl::UniquePtr<X509> leaf(CertFromPEM(kSANTypesLeaf));

  869.   bssl::UniquePtr<X509> root(CertFromPEM(kSANTypesRoot));

  870.   ASSERT_TRUE(leaf);

  871.   ASSERT_TRUE(root);

  872. 

  873.   std::vector<X509_CRL *> empty_crls;

  874. 

  875.   struct X509Test {

  876.     const char *correct_value;

  877.     size_t correct_value_len;

  878.     const char *incorrect_value;

  879.     size_t incorrect_value_len;

  880.     int (*func)(X509_VERIFY_PARAM *, const char *, size_t);

  881.     int mismatch_error;

  882.   };

  883.   const std::vector<X509Test> kTests = {

  884.       {kHostname, strlen(kHostname), kWrongHostname, strlen(kWrongHostname),

  885.        X509_VERIFY_PARAM_set1_host, X509_V_ERR_HOSTNAME_MISMATCH},

  886.       {kEmail, strlen(kEmail), kWrongEmail, strlen(kWrongEmail),

  887.        X509_VERIFY_PARAM_set1_email, X509_V_ERR_EMAIL_MISMATCH},

  888.   };

  889. 

  890.   for (size_t i = 0; i < kTests.size(); i++) {

  891.     SCOPED_TRACE(i);

  892.     const X509Test &test = kTests[i];

  893. 

  894.     // The correct value should work.

  895.     ASSERT_EQ(X509_V_OK,

  896.               Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  897.                      [&test](X509_VERIFY_PARAM *param) {

  898.                        ASSERT_TRUE(test.func(param, test.correct_value,

  899.                                              test.correct_value_len));

  900.                      }));

  901. 

  902.     // The wrong value should trigger a verification error.

  903.     ASSERT_EQ(test.mismatch_error,

  904.               Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  905.                      [&test](X509_VERIFY_PARAM *param) {

  906.                        ASSERT_TRUE(test.func(param, test.incorrect_value,

  907.                                              test.incorrect_value_len));

  908.                      }));

  909. 

  910.     // Passing zero as the length, unlike OpenSSL, should trigger an error and

  911.     // should cause verification to fail.

  912.     ASSERT_EQ(X509_V_ERR_INVALID_CALL,

  913.               Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  914.                      [&test](X509_VERIFY_PARAM *param) {

  915.                        ASSERT_FALSE(test.func(param, test.correct_value, 0));

  916.                      }));

  917. 

  918.     // Passing an empty value should be an error when setting and should cause

  919.     // verification to fail.

  920.     ASSERT_EQ(X509_V_ERR_INVALID_CALL,

  921.               Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  922.                      [&test](X509_VERIFY_PARAM *param) {

  923.                        ASSERT_FALSE(test.func(param, nullptr, 0));

  924.                      }));

  925. 

  926.     // Passing a value with embedded NULs should also be an error and should

  927.     // also cause verification to fail.

  928.     ASSERT_EQ(X509_V_ERR_INVALID_CALL,

  929.               Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  930.                      [&test](X509_VERIFY_PARAM *param) {

  931.                        ASSERT_FALSE(test.func(param, "a", 2));

  932.                      }));

  933.   }

  934. 

  935.   // IP addresses work slightly differently:

  936. 

  937.   // The correct value should still work.

  938.   ASSERT_EQ(X509_V_OK, Verify(leaf.get(), {root.get()}, {}, empty_crls, 0,

  939.                               false, [](X509_VERIFY_PARAM *param) {

  940.                                 ASSERT_TRUE(X509_VERIFY_PARAM_set1_ip(

  941.                                     param, kIP, sizeof(kIP)));

  942.                               }));

  943. 

  944.   // Incorrect values should still fail.

  945.   ASSERT_EQ(X509_V_ERR_IP_ADDRESS_MISMATCH,

  946.             Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  947.                    [](X509_VERIFY_PARAM *param) {

  948.                      ASSERT_TRUE(X509_VERIFY_PARAM_set1_ip(param, kWrongIP,

  949.                                                            sizeof(kWrongIP)));

  950.                    }));

  951. 

  952.   // Zero length values should trigger an error when setting and cause

  953.   // verification to always fail.

  954.   ASSERT_EQ(X509_V_ERR_INVALID_CALL,

  955.             Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  956.                    [](X509_VERIFY_PARAM *param) {

  957.                      ASSERT_FALSE(X509_VERIFY_PARAM_set1_ip(param, kIP, 0));

  958.                    }));

  959. 

  960.   // ... and so should NULL values.

  961.   ASSERT_EQ(X509_V_ERR_INVALID_CALL,

  962.             Verify(leaf.get(), {root.get()}, {}, empty_crls, 0, false,

  963.                    [](X509_VERIFY_PARAM *param) {

  964.                      ASSERT_FALSE(X509_VERIFY_PARAM_set1_ip(param, nullptr, 0));

  965.                    }));

  966. 

  967.   // Zero bytes in an IP address are, of course, fine. This is tested above

  968.   // because |kIP| contains zeros.

  969. }

  970. 

  971. TEST(X509Test, ZeroLengthsWithCheckFunctions) {

  972.   bssl::UniquePtr<X509> leaf(CertFromPEM(kSANTypesLeaf));

  973. 

  974.   EXPECT_EQ(

  975.       1, X509_check_host(leaf.get(), kHostname, strlen(kHostname), 0, nullptr));

  976.   EXPECT_NE(1, X509_check_host(leaf.get(), kWrongHostname,

  977.                                strlen(kWrongHostname), 0, nullptr));

  978. 

  979.   EXPECT_EQ(1, X509_check_email(leaf.get(), kEmail, strlen(kEmail), 0));

  980.   EXPECT_NE(1,

  981.             X509_check_email(leaf.get(), kWrongEmail, strlen(kWrongEmail), 0));

  982. 

  983.   EXPECT_EQ(1, X509_check_ip(leaf.get(), kIP, sizeof(kIP), 0));

  984.   EXPECT_NE(1, X509_check_ip(leaf.get(), kWrongIP, sizeof(kWrongIP), 0));

  985. 

  986.   EXPECT_EQ(1, X509_check_ip_asc(leaf.get(), kIPString, 0));

  987.   EXPECT_NE(1, X509_check_ip_asc(leaf.get(), kWrongIPString, 0));

  988. 

  989.   // OpenSSL supports passing zero as the length for host and email. We do not

  990.   // and it should always fail.

  991.   EXPECT_NE(1, X509_check_host(leaf.get(), kHostname, 0, 0, nullptr));

  992.   EXPECT_NE(1, X509_check_host(leaf.get(), kWrongHostname, 0, 0, nullptr));

  993. 

  994.   EXPECT_NE(1, X509_check_email(leaf.get(), kEmail, 0, 0));

  995.   EXPECT_NE(1, X509_check_email(leaf.get(), kWrongEmail, 0, 0));

  996. 

  997.   EXPECT_NE(1, X509_check_ip(leaf.get(), kIP, 0, 0));

  998.   EXPECT_NE(1, X509_check_ip(leaf.get(), kWrongIP, 0, 0));

  999. 

  1000.   // Unlike all the other functions, |X509_check_ip_asc| doesn't take a length,

  1001.   // so it cannot be zero.

  1002. }

  1003. 

  1004. TEST(X509Test, TestCRL) {

  1005.   bssl::UniquePtr<X509> root(CertFromPEM(kCRLTestRoot));

  1006.   bssl::UniquePtr<X509> leaf(CertFromPEM(kCRLTestLeaf));

  1007.   bssl::UniquePtr<X509_CRL> basic_crl(CRLFromPEM(kBasicCRL));

  1008.   bssl::UniquePtr<X509_CRL> revoked_crl(CRLFromPEM(kRevokedCRL));

  1009.   bssl::UniquePtr<X509_CRL> bad_issuer_crl(CRLFromPEM(kBadIssuerCRL));

  1010.   bssl::UniquePtr<X509_CRL> known_critical_crl(CRLFromPEM(kKnownCriticalCRL));

  1011.   bssl::UniquePtr<X509_CRL> unknown_critical_crl(

  1012.       CRLFromPEM(kUnknownCriticalCRL));

  1013.   bssl::UniquePtr<X509_CRL> unknown_critical_crl2(

  1014.       CRLFromPEM(kUnknownCriticalCRL2));

  1015. 

  1016.   ASSERT_TRUE(root);

  1017.   ASSERT_TRUE(leaf);

  1018.   ASSERT_TRUE(basic_crl);

  1019.   ASSERT_TRUE(revoked_crl);

  1020.   ASSERT_TRUE(bad_issuer_crl);

  1021.   ASSERT_TRUE(known_critical_crl);

  1022.   ASSERT_TRUE(unknown_critical_crl);

  1023.   ASSERT_TRUE(unknown_critical_crl2);

  1024. 

  1025.   ASSERT_EQ(X509_V_OK, Verify(leaf.get(), {root.get()}, {root.get()},

  1026.                               {basic_crl.get()}, X509_V_FLAG_CRL_CHECK));

  1027.   ASSERT_EQ(

  1028.       X509_V_ERR_CERT_REVOKED,

  1029.       Verify(leaf.get(), {root.get()}, {root.get()},

  1030.              {basic_crl.get(), revoked_crl.get()}, X509_V_FLAG_CRL_CHECK));

  1031. 

  1032.   std::vector<X509_CRL *> empty_crls;

  1033.   ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_CRL,

  1034.             Verify(leaf.get(), {root.get()}, {root.get()}, empty_crls,

  1035.                    X509_V_FLAG_CRL_CHECK));

  1036.   ASSERT_EQ(X509_V_ERR_UNABLE_TO_GET_CRL,

  1037.             Verify(leaf.get(), {root.get()}, {root.get()},

  1038.                    {bad_issuer_crl.get()}, X509_V_FLAG_CRL_CHECK));

  1039.   ASSERT_EQ(X509_V_OK,

  1040.             Verify(leaf.get(), {root.get()}, {root.get()},

  1041.                    {known_critical_crl.get()}, X509_V_FLAG_CRL_CHECK));

  1042.   ASSERT_EQ(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION,

  1043.             Verify(leaf.get(), {root.get()}, {root.get()},

  1044.                    {unknown_critical_crl.get()}, X509_V_FLAG_CRL_CHECK));

  1045.   ASSERT_EQ(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION,

  1046.             Verify(leaf.get(), {root.get()}, {root.get()},

  1047.                    {unknown_critical_crl2.get()}, X509_V_FLAG_CRL_CHECK));

  1048. }

  1049. 

  1050. TEST(X509Test, ManyNamesAndConstraints) {

  1051.   bssl::UniquePtr<X509> many_constraints(

  1052.       CertFromPEM(GetTestData("crypto/x509/many_constraints.pem").c_str()));

  1053.   ASSERT_TRUE(many_constraints);

  1054.   bssl::UniquePtr<X509> many_names1(

  1055.       CertFromPEM(GetTestData("crypto/x509/many_names1.pem").c_str()));

  1056.   ASSERT_TRUE(many_names1);

  1057.   bssl::UniquePtr<X509> many_names2(

  1058.       CertFromPEM(GetTestData("crypto/x509/many_names2.pem").c_str()));

  1059.   ASSERT_TRUE(many_names2);

  1060.   bssl::UniquePtr<X509> many_names3(

  1061.       CertFromPEM(GetTestData("crypto/x509/many_names3.pem").c_str()));

  1062.   ASSERT_TRUE(many_names3);

  1063.   bssl::UniquePtr<X509> some_names1(

  1064.       CertFromPEM(GetTestData("crypto/x509/some_names1.pem").c_str()));

  1065.   ASSERT_TRUE(some_names1);

  1066.   bssl::UniquePtr<X509> some_names2(

  1067.       CertFromPEM(GetTestData("crypto/x509/some_names2.pem").c_str()));

  1068.   ASSERT_TRUE(some_names2);

  1069.   bssl::UniquePtr<X509> some_names3(

  1070.       CertFromPEM(GetTestData("crypto/x509/some_names3.pem").c_str()));

  1071.   ASSERT_TRUE(some_names3);

  1072. 

  1073.   EXPECT_EQ(X509_V_ERR_UNSPECIFIED,

  1074.             Verify(many_names1.get(), {many_constraints.get()},

  1075.                    {many_constraints.get()}, {}));

  1076.   EXPECT_EQ(X509_V_ERR_UNSPECIFIED,

  1077.             Verify(many_names2.get(), {many_constraints.get()},

  1078.                    {many_constraints.get()}, {}));

  1079.   EXPECT_EQ(X509_V_ERR_UNSPECIFIED,

  1080.             Verify(many_names3.get(), {many_constraints.get()},

  1081.                    {many_constraints.get()}, {}));

  1082. 

  1083.   EXPECT_EQ(X509_V_OK, Verify(some_names1.get(), {many_constraints.get()},

  1084.                               {many_constraints.get()}, {}));

  1085.   EXPECT_EQ(X509_V_OK, Verify(some_names2.get(), {many_constraints.get()},

  1086.                               {many_constraints.get()}, {}));

  1087.   EXPECT_EQ(X509_V_OK, Verify(some_names3.get(), {many_constraints.get()},

  1088.                               {many_constraints.get()}, {}));

  1089. }

  1090. 

  1091. TEST(X509Test, TestPSS) {

  1092.   bssl::UniquePtr<X509> cert(CertFromPEM(kExamplePSSCert));

  1093.   ASSERT_TRUE(cert);

  1094. 

  1095.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  1096.   ASSERT_TRUE(pkey);

  1097. 

  1098.   ASSERT_TRUE(X509_verify(cert.get(), pkey.get()));

  1099. }

  1100. 

  1101. TEST(X509Test, TestPSSBadParameters) {

  1102.   bssl::UniquePtr<X509> cert(CertFromPEM(kBadPSSCertPEM));

  1103.   ASSERT_TRUE(cert);

  1104. 

  1105.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  1106.   ASSERT_TRUE(pkey);

  1107. 

  1108.   ASSERT_FALSE(X509_verify(cert.get(), pkey.get()));

  1109.   ERR_clear_error();

  1110. }

  1111. 

  1112. TEST(X509Test, TestEd25519) {

  1113.   bssl::UniquePtr<X509> cert(CertFromPEM(kEd25519Cert));

  1114.   ASSERT_TRUE(cert);

  1115. 

  1116.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  1117.   ASSERT_TRUE(pkey);

  1118. 

  1119.   ASSERT_TRUE(X509_verify(cert.get(), pkey.get()));

  1120. }

  1121. 

  1122. TEST(X509Test, TestEd25519BadParameters) {

  1123.   bssl::UniquePtr<X509> cert(CertFromPEM(kEd25519CertNull));

  1124.   ASSERT_TRUE(cert);

  1125. 

  1126.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  1127.   ASSERT_TRUE(pkey);

  1128. 

  1129.   ASSERT_FALSE(X509_verify(cert.get(), pkey.get()));

  1130. 

  1131.   uint32_t err = ERR_get_error();

  1132.   ASSERT_EQ(ERR_LIB_X509, ERR_GET_LIB(err));

  1133.   ASSERT_EQ(X509_R_INVALID_PARAMETER, ERR_GET_REASON(err));

  1134.   ERR_clear_error();

  1135. }

  1136. 

  1137. static bool SignatureRoundTrips(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {

  1138.   // Make a certificate like signed with |md_ctx|'s settings.'

  1139.   bssl::UniquePtr<X509> cert(CertFromPEM(kLeafPEM));

  1140.   if (!cert || !X509_sign_ctx(cert.get(), md_ctx)) {

  1141.     return false;

  1142.   }

  1143. 

  1144.   // Ensure that |pkey| may still be used to verify the resulting signature. All

  1145.   // settings in |md_ctx| must have been serialized appropriately.

  1146.   return !!X509_verify(cert.get(), pkey);

  1147. }

  1148. 

  1149. TEST(X509Test, RSASign) {

  1150.   bssl::UniquePtr<EVP_PKEY> pkey(PrivateKeyFromPEM(kRSAKey));

  1151.   ASSERT_TRUE(pkey);

  1152.   // Test PKCS#1 v1.5.

  1153.   bssl::ScopedEVP_MD_CTX md_ctx;

  1154.   ASSERT_TRUE(

  1155.       EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()));

  1156.   ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pkey.get()));

  1157. 

  1158.   // Test RSA-PSS with custom parameters.

  1159.   md_ctx.Reset();

  1160.   EVP_PKEY_CTX *pkey_ctx;

  1161.   ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,

  1162.                                  pkey.get()));

  1163.   ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));

  1164.   ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()));

  1165.   ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pkey.get()));

  1166. }

  1167. 

  1168. TEST(X509Test, Ed25519Sign) {

  1169.   uint8_t pub_bytes[32], priv_bytes[64];

  1170.   ED25519_keypair(pub_bytes, priv_bytes);

  1171. 

  1172.   bssl::UniquePtr<EVP_PKEY> pub(EVP_PKEY_new_ed25519_public(pub_bytes));

  1173.   ASSERT_TRUE(pub);

  1174.   bssl::UniquePtr<EVP_PKEY> priv(EVP_PKEY_new_ed25519_private(priv_bytes));

  1175.   ASSERT_TRUE(priv);

  1176. 

  1177.   bssl::ScopedEVP_MD_CTX md_ctx;

  1178.   ASSERT_TRUE(

  1179.       EVP_DigestSignInit(md_ctx.get(), nullptr, nullptr, nullptr, priv.get()));

  1180.   ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pub.get()));

  1181. }

  1182. 

  1183. static bool PEMToDER(bssl::UniquePtr<uint8_t> *out, size_t *out_len,

  1184.                      const char *pem) {

  1185.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  1186.   if (!bio) {

  1187.     return false;

  1188.   }

  1189. 

  1190.   char *name, *header;

  1191.   uint8_t *data;

  1192.   long data_len;

  1193.   if (!PEM_read_bio(bio.get(), &name, &header, &data, &data_len)) {

  1194.     fprintf(stderr, "failed to read PEM data.\n");

  1195.     return false;

  1196.   }

  1197.   OPENSSL_free(name);

  1198.   OPENSSL_free(header);

  1199. 

  1200.   out->reset(data);

  1201.   *out_len = data_len;

  1202. 

  1203.   return true;

  1204. }

  1205. 

  1206. TEST(X509Test, TestFromBuffer) {

  1207.   size_t data_len;

  1208.   bssl::UniquePtr<uint8_t> data;

  1209.   ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM));

  1210. 

  1211.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  1212.       CRYPTO_BUFFER_new(data.get(), data_len, nullptr));

  1213.   ASSERT_TRUE(buf);

  1214.   bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));

  1215.   ASSERT_TRUE(root);

  1216. 

  1217.   const uint8_t *enc_pointer = root->cert_info->enc.enc;

  1218.   const uint8_t *buf_pointer = CRYPTO_BUFFER_data(buf.get());

  1219.   ASSERT_GE(enc_pointer, buf_pointer);

  1220.   ASSERT_LT(enc_pointer, buf_pointer + CRYPTO_BUFFER_len(buf.get()));

  1221.   buf.reset();

  1222. 

  1223.   /* This ensures the X509 took a reference to |buf|, otherwise this will be a

  1224.    * reference to free memory and ASAN should notice. */

  1225.   ASSERT_EQ(0x30, enc_pointer[0]);

  1226. }

  1227. 

  1228. TEST(X509Test, TestFromBufferWithTrailingData) {

  1229.   size_t data_len;

  1230.   bssl::UniquePtr<uint8_t> data;

  1231.   ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM));

  1232. 

  1233.   std::unique_ptr<uint8_t[]> trailing_data(new uint8_t[data_len + 1]);

  1234.   OPENSSL_memcpy(trailing_data.get(), data.get(), data_len);

  1235. 

  1236.   bssl::UniquePtr<CRYPTO_BUFFER> buf_trailing_data(

  1237.       CRYPTO_BUFFER_new(trailing_data.get(), data_len + 1, nullptr));

  1238.   ASSERT_TRUE(buf_trailing_data);

  1239. 

  1240.   bssl::UniquePtr<X509> root_trailing_data(

  1241.       X509_parse_from_buffer(buf_trailing_data.get()));

  1242.   ASSERT_FALSE(root_trailing_data);

  1243. }

  1244. 

  1245. TEST(X509Test, TestFromBufferModified) {

  1246.   size_t data_len;

  1247.   bssl::UniquePtr<uint8_t> data;

  1248.   ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM));

  1249. 

  1250.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  1251.       CRYPTO_BUFFER_new(data.get(), data_len, nullptr));

  1252.   ASSERT_TRUE(buf);

  1253. 

  1254.   bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));

  1255.   ASSERT_TRUE(root);

  1256. 

  1257.   bssl::UniquePtr<ASN1_INTEGER> fourty_two(ASN1_INTEGER_new());

  1258.   ASN1_INTEGER_set(fourty_two.get(), 42);

  1259.   X509_set_serialNumber(root.get(), fourty_two.get());

  1260. 

  1261.   ASSERT_EQ(static_cast<long>(data_len), i2d_X509(root.get(), nullptr));

  1262. 

  1263.   X509_CINF_set_modified(root->cert_info);

  1264. 

  1265.   ASSERT_NE(static_cast<long>(data_len), i2d_X509(root.get(), nullptr));

  1266. }

  1267. 

  1268. TEST(X509Test, TestFromBufferReused) {

  1269.   size_t data_len;

  1270.   bssl::UniquePtr<uint8_t> data;

  1271.   ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM));

  1272. 

  1273.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  1274.       CRYPTO_BUFFER_new(data.get(), data_len, nullptr));

  1275.   ASSERT_TRUE(buf);

  1276. 

  1277.   bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));

  1278.   ASSERT_TRUE(root);

  1279. 

  1280.   size_t data2_len;

  1281.   bssl::UniquePtr<uint8_t> data2;

  1282.   ASSERT_TRUE(PEMToDER(&data2, &data2_len, kLeafPEM));

  1283. 

  1284.   X509 *x509p = root.get();

  1285.   const uint8_t *inp = data2.get();

  1286.   X509 *ret = d2i_X509(&x509p, &inp, data2_len);

  1287.   ASSERT_EQ(root.get(), ret);

  1288.   ASSERT_EQ(nullptr, root->buf);

  1289. 

  1290.   // Free |data2| and ensure that |root| took its own copy. Otherwise the

  1291.   // following will trigger a use-after-free.

  1292.   data2.reset();

  1293. 

  1294.   uint8_t *i2d = nullptr;

  1295.   int i2d_len = i2d_X509(root.get(), &i2d);

  1296.   ASSERT_GE(i2d_len, 0);

  1297.   bssl::UniquePtr<uint8_t> i2d_storage(i2d);

  1298. 

  1299.   ASSERT_TRUE(PEMToDER(&data2, &data2_len, kLeafPEM));

  1300. 

  1301.   ASSERT_EQ(static_cast<long>(data2_len), i2d_len);

  1302.   ASSERT_EQ(0, OPENSSL_memcmp(data2.get(), i2d, i2d_len));

  1303.   ASSERT_EQ(nullptr, root->buf);

  1304. }

  1305. 

  1306. TEST(X509Test, TestFailedParseFromBuffer) {

  1307.   static const uint8_t kNonsense[] = {1, 2, 3, 4, 5};

  1308. 

  1309.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  1310.       CRYPTO_BUFFER_new(kNonsense, sizeof(kNonsense), nullptr));

  1311.   ASSERT_TRUE(buf);

  1312. 

  1313.   bssl::UniquePtr<X509> cert(X509_parse_from_buffer(buf.get()));

  1314.   ASSERT_FALSE(cert);

  1315.   ERR_clear_error();

  1316. 

  1317.   // Test a buffer with trailing data.

  1318.   size_t data_len;

  1319.   bssl::UniquePtr<uint8_t> data;

  1320.   ASSERT_TRUE(PEMToDER(&data, &data_len, kRootCAPEM));

  1321. 

  1322.   std::unique_ptr<uint8_t[]> data_with_trailing_byte(new uint8_t[data_len + 1]);

  1323.   OPENSSL_memcpy(data_with_trailing_byte.get(), data.get(), data_len);

  1324.   data_with_trailing_byte[data_len] = 0;

  1325. 

  1326.   bssl::UniquePtr<CRYPTO_BUFFER> buf_with_trailing_byte(

  1327.       CRYPTO_BUFFER_new(data_with_trailing_byte.get(), data_len + 1, nullptr));

  1328.   ASSERT_TRUE(buf_with_trailing_byte);

  1329. 

  1330.   bssl::UniquePtr<X509> root(

  1331.       X509_parse_from_buffer(buf_with_trailing_byte.get()));

  1332.   ASSERT_FALSE(root);

  1333.   ERR_clear_error();

  1334. }

  1335. 

  1336. TEST(X509Test, TestPrintUTCTIME) {

  1337.   static const struct {

  1338.     const char *val, *want;

  1339.   } asn1_utctime_tests[] = {

  1340.     {"", "Bad time value"},

  1341. 

  1342.     // Correct RFC 5280 form. Test years < 2000 and > 2000.

  1343.     {"090303125425Z", "Mar  3 12:54:25 2009 GMT"},

  1344.     {"900303125425Z", "Mar  3 12:54:25 1990 GMT"},

  1345.     {"000303125425Z", "Mar  3 12:54:25 2000 GMT"},

  1346. 

  1347.     // Correct form, bad values.

  1348.     {"000000000000Z", "Bad time value"},

  1349.     {"999999999999Z", "Bad time value"},

  1350. 

  1351.     // Missing components. Not legal RFC 5280, but permitted.

  1352.     {"090303125425", "Mar  3 12:54:25 2009"},

  1353.     {"9003031254", "Mar  3 12:54:00 1990"},

  1354.     {"9003031254Z", "Mar  3 12:54:00 1990 GMT"},

  1355. 

  1356.     // GENERALIZEDTIME confused for UTCTIME.

  1357.     {"20090303125425Z", "Bad time value"},

  1358. 

  1359.     // Legal ASN.1, but not legal RFC 5280.

  1360.     {"9003031254+0800", "Bad time value"},

  1361.     {"9003031254-0800", "Bad time value"},

  1362. 

  1363.     // Trailing garbage.

  1364.     {"9003031254Z ", "Bad time value"},

  1365.   };

  1366. 

  1367.   for (auto t : asn1_utctime_tests) {

  1368.     SCOPED_TRACE(t.val);

  1369.     bssl::UniquePtr<ASN1_UTCTIME> tm(ASN1_UTCTIME_new());

  1370.     bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));

  1371. 

  1372.     // Use this instead of ASN1_UTCTIME_set() because some callers get

  1373.     // type-confused and pass ASN1_GENERALIZEDTIME to ASN1_UTCTIME_print().

  1374.     // ASN1_UTCTIME_set_string() is stricter, and would reject the inputs in

  1375.     // question.

  1376.     ASSERT_TRUE(ASN1_STRING_set(tm.get(), t.val, strlen(t.val)));

  1377.     const int ok = ASN1_UTCTIME_print(bio.get(), tm.get());

  1378. 

  1379.     const uint8_t *contents;

  1380.     size_t len;

  1381.     ASSERT_TRUE(BIO_mem_contents(bio.get(), &contents, &len));

  1382.     EXPECT_EQ(ok, (strcmp(t.want, "Bad time value") != 0) ? 1 : 0);

  1383.     EXPECT_EQ(t.want,

  1384.               std::string(reinterpret_cast<const char *>(contents), len));

  1385.   }

  1386. }

  1387. 

  1388. TEST(X509Test, PrettyPrintIntegers) {

  1389.   static const char *kTests[] = {

  1390.       // Small numbers are pretty-printed in decimal.

  1391.       "0",

  1392.       "-1",

  1393.       "1",

  1394.       "42",

  1395.       "-42",

  1396.       "256",

  1397.       "-256",

  1398.       // Large numbers are pretty-printed in hex to avoid taking quadratic time.

  1399.       "0x0123456789",

  1400.       "-0x0123456789",

  1401.   };

  1402.   for (const char *in : kTests) {

  1403.     SCOPED_TRACE(in);

  1404.     BIGNUM *bn = nullptr;

  1405.     ASSERT_TRUE(BN_asc2bn(&bn, in));

  1406.     bssl::UniquePtr<BIGNUM> free_bn(bn);

  1407. 

  1408.     {

  1409.       bssl::UniquePtr<ASN1_INTEGER> asn1(BN_to_ASN1_INTEGER(bn, nullptr));

  1410.       ASSERT_TRUE(asn1);

  1411.       bssl::UniquePtr<char> out(i2s_ASN1_INTEGER(nullptr, asn1.get()));

  1412.       ASSERT_TRUE(out.get());

  1413.       EXPECT_STREQ(in, out.get());

  1414.     }

  1415. 

  1416.     {

  1417.       bssl::UniquePtr<ASN1_ENUMERATED> asn1(BN_to_ASN1_ENUMERATED(bn, nullptr));

  1418.       ASSERT_TRUE(asn1);

  1419.       bssl::UniquePtr<char> out(i2s_ASN1_ENUMERATED(nullptr, asn1.get()));

  1420.       ASSERT_TRUE(out.get());

  1421.       EXPECT_STREQ(in, out.get());

  1422.     }

  1423.   }

  1424. }

  1425. 

  1426. TEST(X509Test, X509NameSet) {

  1427.   bssl::UniquePtr<X509_NAME> name(X509_NAME_new());

  1428.   EXPECT_TRUE(X509_NAME_add_entry_by_txt(

  1429.       name.get(), "C", MBSTRING_ASC, reinterpret_cast<const uint8_t *>("US"),

  1430.       -1, -1, 0));

  1431.   EXPECT_EQ(X509_NAME_entry_count(name.get()), 1);

  1432.   EXPECT_TRUE(X509_NAME_add_entry_by_txt(

  1433.       name.get(), "C", MBSTRING_ASC, reinterpret_cast<const uint8_t *>("CA"),

  1434.       -1, -1, 0));

  1435.   EXPECT_EQ(X509_NAME_entry_count(name.get()), 2);

  1436.   EXPECT_TRUE(X509_NAME_add_entry_by_txt(

  1437.       name.get(), "C", MBSTRING_ASC, reinterpret_cast<const uint8_t *>("UK"),

  1438.       -1, -1, 0));

  1439.   EXPECT_EQ(X509_NAME_entry_count(name.get()), 3);

  1440.   EXPECT_TRUE(X509_NAME_add_entry_by_txt(

  1441.       name.get(), "C", MBSTRING_ASC, reinterpret_cast<const uint8_t *>("JP"),

  1442.       -1, 1, 0));

  1443.   EXPECT_EQ(X509_NAME_entry_count(name.get()), 4);

  1444. 

  1445.   // Check that the correct entries get incremented when inserting new entry.

  1446.   EXPECT_EQ(X509_NAME_ENTRY_set(X509_NAME_get_entry(name.get(), 1)), 1);

  1447.   EXPECT_EQ(X509_NAME_ENTRY_set(X509_NAME_get_entry(name.get(), 2)), 2);

  1448. }

  1449. 

  1450. TEST(X509Test, StringDecoding) {

  1451.   static const struct {

  1452.     std::vector<uint8_t> in;

  1453.     int type;

  1454.     const char *expected;

  1455.   } kTests[] = {

  1456.       // Non-minimal, two-byte UTF-8.

  1457.       {{0xc0, 0x81}, V_ASN1_UTF8STRING, nullptr},

  1458.       // Non-minimal, three-byte UTF-8.

  1459.       {{0xe0, 0x80, 0x81}, V_ASN1_UTF8STRING, nullptr},

  1460.       // Non-minimal, four-byte UTF-8.

  1461.       {{0xf0, 0x80, 0x80, 0x81}, V_ASN1_UTF8STRING, nullptr},

  1462.       // Truncated, four-byte UTF-8.

  1463.       {{0xf0, 0x80, 0x80}, V_ASN1_UTF8STRING, nullptr},

  1464.       // Low-surrogate value.

  1465.       {{0xed, 0xa0, 0x80}, V_ASN1_UTF8STRING, nullptr},

  1466.       // High-surrogate value.

  1467.       {{0xed, 0xb0, 0x81}, V_ASN1_UTF8STRING, nullptr},

  1468.       // Initial BOMs should be rejected from UCS-2 and UCS-4.

  1469.       {{0xfe, 0xff, 0, 88}, V_ASN1_BMPSTRING, nullptr},

  1470.       {{0, 0, 0xfe, 0xff, 0, 0, 0, 88}, V_ASN1_UNIVERSALSTRING, nullptr},

  1471.       // Otherwise, BOMs should pass through.

  1472.       {{0, 88, 0xfe, 0xff}, V_ASN1_BMPSTRING, "X\xef\xbb\xbf"},

  1473.       {{0, 0, 0, 88, 0, 0, 0xfe, 0xff}, V_ASN1_UNIVERSALSTRING,

  1474.        "X\xef\xbb\xbf"},

  1475.       // The maximum code-point should pass though.

  1476.       {{0, 16, 0xff, 0xfd}, V_ASN1_UNIVERSALSTRING, "\xf4\x8f\xbf\xbd"},

  1477.       // Values outside the Unicode space should not.

  1478.       {{0, 17, 0, 0}, V_ASN1_UNIVERSALSTRING, nullptr},

  1479.       // Non-characters should be rejected.

  1480.       {{0, 1, 0xff, 0xff}, V_ASN1_UNIVERSALSTRING, nullptr},

  1481.       {{0, 1, 0xff, 0xfe}, V_ASN1_UNIVERSALSTRING, nullptr},

  1482.       {{0, 0, 0xfd, 0xd5}, V_ASN1_UNIVERSALSTRING, nullptr},

  1483.       // BMPString is UCS-2, not UTF-16, so surrogate pairs are invalid.

  1484.       {{0xd8, 0, 0xdc, 1}, V_ASN1_BMPSTRING, nullptr},

  1485.   };

  1486. 

  1487.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) {

  1488.     SCOPED_TRACE(i);

  1489.     const auto& test = kTests[i];

  1490.     ASN1_STRING s;

  1491.     s.type = test.type;

  1492.     s.data = const_cast<uint8_t*>(test.in.data());

  1493.     s.length = test.in.size();

  1494. 

  1495.     uint8_t *utf8;

  1496.     const int utf8_len = ASN1_STRING_to_UTF8(&utf8, &s);

  1497.     EXPECT_EQ(utf8_len < 0, test.expected == nullptr);

  1498.     if (utf8_len >= 0) {

  1499.       if (test.expected != nullptr) {

  1500.         EXPECT_EQ(Bytes(test.expected), Bytes(utf8, utf8_len));

  1501.       }

  1502.       OPENSSL_free(utf8);

  1503.     } else {

  1504.       ERR_clear_error();

  1505.     }

  1506.   }

  1507. }

  1508. 

  1509. TEST(X509Test, NoBasicConstraintsCertSign) {

  1510.   bssl::UniquePtr<X509> root(CertFromPEM(kSANTypesRoot));

  1511.   bssl::UniquePtr<X509> intermediate(

  1512.       CertFromPEM(kNoBasicConstraintsCertSignIntermediate));

  1513.   bssl::UniquePtr<X509> leaf(CertFromPEM(kNoBasicConstraintsCertSignLeaf));

  1514. 

  1515.   ASSERT_TRUE(root);

  1516.   ASSERT_TRUE(intermediate);

  1517.   ASSERT_TRUE(leaf);

  1518. 

  1519.   // The intermediate has keyUsage certSign, but is not marked as a CA in the

  1520.   // basicConstraints.

  1521.   EXPECT_EQ(X509_V_ERR_INVALID_CA,

  1522.             Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, 0));

  1523. }

  1524. 

  1525. TEST(X509Test, NoBasicConstraintsNetscapeCA) {

  1526.   bssl::UniquePtr<X509> root(CertFromPEM(kSANTypesRoot));

  1527.   bssl::UniquePtr<X509> intermediate(

  1528.       CertFromPEM(kNoBasicConstraintsNetscapeCAIntermediate));

  1529.   bssl::UniquePtr<X509> leaf(CertFromPEM(kNoBasicConstraintsNetscapeCALeaf));

  1530. 

  1531.   ASSERT_TRUE(root);

  1532.   ASSERT_TRUE(intermediate);

  1533.   ASSERT_TRUE(leaf);

  1534. 

  1535.   // The intermediate has a Netscape certificate type of "SSL CA", but is not

  1536.   // marked as a CA in the basicConstraints.

  1537.   EXPECT_EQ(X509_V_ERR_INVALID_CA,

  1538.             Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, 0));

  1539. }

  1540. 

  1541. TEST(X509Test, MismatchAlgorithms) {

  1542.   bssl::UniquePtr<X509> cert(CertFromPEM(kSelfSignedMismatchAlgorithms));

  1543.   ASSERT_TRUE(cert);

  1544. 

  1545.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  1546.   ASSERT_TRUE(pkey);

  1547. 

  1548.   EXPECT_FALSE(X509_verify(cert.get(), pkey.get()));

  1549.   uint32_t err = ERR_get_error();

  1550.   EXPECT_EQ(ERR_LIB_X509, ERR_GET_LIB(err));

  1551.   EXPECT_EQ(X509_R_SIGNATURE_ALGORITHM_MISMATCH, ERR_GET_REASON(err));

  1552. }

  1553. 

  1554. TEST(X509Test, PEMX509Info) {

  1555.   std::string cert = kRootCAPEM;

  1556.   auto cert_obj = CertFromPEM(kRootCAPEM);

  1557.   ASSERT_TRUE(cert_obj);

  1558. 

  1559.   std::string rsa = kRSAKey;

  1560.   auto rsa_obj = PrivateKeyFromPEM(kRSAKey);

  1561.   ASSERT_TRUE(rsa_obj);

  1562. 

  1563.   std::string crl = kBasicCRL;

  1564.   auto crl_obj = CRLFromPEM(kBasicCRL);

  1565.   ASSERT_TRUE(crl_obj);

  1566. 

  1567.   std::string unknown =

  1568.       "-----BEGIN UNKNOWN-----\n"

  1569.       "AAAA\n"

  1570.       "-----END UNKNOWN-----\n";

  1571. 

  1572.   std::string invalid =

  1573.       "-----BEGIN CERTIFICATE-----\n"

  1574.       "AAAA\n"

  1575.       "-----END CERTIFICATE-----\n";

  1576. 

  1577.   // Each X509_INFO contains at most one certificate, CRL, etc. The format

  1578.   // creates a new X509_INFO when a repeated type is seen.

  1579.   std::string pem =

  1580.       // The first few entries have one of everything in different orders.

  1581.       cert + rsa + crl +

  1582.       rsa + crl + cert +

  1583.       // Unknown types are ignored.

  1584.       crl + unknown + cert + rsa +

  1585.       // Seeing a new certificate starts a new entry, so now we have a bunch of

  1586.       // certificate-only entries.

  1587.       cert + cert + cert +

  1588.       // The key folds into the certificate's entry.

  1589.       cert + rsa +

  1590.       // Doubled keys also start new entries.

  1591.       rsa + rsa + rsa + rsa + crl +

  1592.       // As do CRLs.

  1593.       crl + crl;

  1594. 

  1595.   const struct ExpectedInfo {

  1596.     const X509 *cert;

  1597.     const EVP_PKEY *key;

  1598.     const X509_CRL *crl;

  1599.   } kExpected[] = {

  1600.     {cert_obj.get(), rsa_obj.get(), crl_obj.get()},

  1601.     {cert_obj.get(), rsa_obj.get(), crl_obj.get()},

  1602.     {cert_obj.get(), rsa_obj.get(), crl_obj.get()},

  1603.     {cert_obj.get(), nullptr, nullptr},

  1604.     {cert_obj.get(), nullptr, nullptr},

  1605.     {cert_obj.get(), nullptr, nullptr},

  1606.     {cert_obj.get(), rsa_obj.get(), nullptr},

  1607.     {nullptr, rsa_obj.get(), nullptr},

  1608.     {nullptr, rsa_obj.get(), nullptr},

  1609.     {nullptr, rsa_obj.get(), nullptr},

  1610.     {nullptr, rsa_obj.get(), crl_obj.get()},

  1611.     {nullptr, nullptr, crl_obj.get()},

  1612.     {nullptr, nullptr, crl_obj.get()},

  1613.   };

  1614. 

  1615.   auto check_info = [](const ExpectedInfo *expected, const X509_INFO *info) {

  1616.     if (expected->cert != nullptr) {

  1617.       EXPECT_EQ(0, X509_cmp(expected->cert, info->x509));

  1618.     } else {

  1619.       EXPECT_EQ(nullptr, info->x509);

  1620.     }

  1621.     if (expected->crl != nullptr) {

  1622.       EXPECT_EQ(0, X509_CRL_cmp(expected->crl, info->crl));

  1623.     } else {

  1624.       EXPECT_EQ(nullptr, info->crl);

  1625.     }

  1626.     if (expected->key != nullptr) {

  1627.       ASSERT_NE(nullptr, info->x_pkey);

  1628.       // EVP_PKEY_cmp returns one if the keys are equal.

  1629.       EXPECT_EQ(1, EVP_PKEY_cmp(expected->key, info->x_pkey->dec_pkey));

  1630.     } else {

  1631.       EXPECT_EQ(nullptr, info->x_pkey);

  1632.     }

  1633.   };

  1634. 

  1635.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem.data(), pem.size()));

  1636.   ASSERT_TRUE(bio);

  1637.   bssl::UniquePtr<STACK_OF(X509_INFO)> infos(

  1638.       PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));

  1639.   ASSERT_TRUE(infos);

  1640.   ASSERT_EQ(OPENSSL_ARRAY_SIZE(kExpected), sk_X509_INFO_num(infos.get()));

  1641.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kExpected); i++) {

  1642.     SCOPED_TRACE(i);

  1643.     check_info(&kExpected[i], sk_X509_INFO_value(infos.get(), i));

  1644.   }

  1645. 

  1646.   // Passing an existing stack appends to it.

  1647.   bio.reset(BIO_new_mem_buf(pem.data(), pem.size()));

  1648.   ASSERT_TRUE(bio);

  1649.   ASSERT_EQ(infos.get(),

  1650.             PEM_X509_INFO_read_bio(bio.get(), infos.get(), nullptr, nullptr));

  1651.   ASSERT_EQ(2 * OPENSSL_ARRAY_SIZE(kExpected), sk_X509_INFO_num(infos.get()));

  1652.   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kExpected); i++) {

  1653.     SCOPED_TRACE(i);

  1654.     check_info(&kExpected[i], sk_X509_INFO_value(infos.get(), i));

  1655.     check_info(

  1656.         &kExpected[i],

  1657.         sk_X509_INFO_value(infos.get(), i + OPENSSL_ARRAY_SIZE(kExpected)));

  1658.   }

  1659. 

  1660.   // Gracefully handle errors in both the append and fresh cases.

  1661.   std::string bad_pem = cert + cert + invalid;

  1662. 

  1663.   bio.reset(BIO_new_mem_buf(bad_pem.data(), bad_pem.size()));

  1664.   ASSERT_TRUE(bio);

  1665.   bssl::UniquePtr<STACK_OF(X509_INFO)> infos2(

  1666.       PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));

  1667.   EXPECT_FALSE(infos2);

  1668. 

  1669.   bio.reset(BIO_new_mem_buf(bad_pem.data(), bad_pem.size()));

  1670.   ASSERT_TRUE(bio);

  1671.   EXPECT_FALSE(

  1672.       PEM_X509_INFO_read_bio(bio.get(), infos.get(), nullptr, nullptr));

  1673.   EXPECT_EQ(2 * OPENSSL_ARRAY_SIZE(kExpected), sk_X509_INFO_num(infos.get()));

  1674. }

  1675. 

  1676. TEST(X509Test, ReadBIOEmpty) {

  1677.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(nullptr, 0));

  1678.   ASSERT_TRUE(bio);

  1679. 

  1680.   // CPython expects |ASN1_R_HEADER_TOO_LONG| on EOF, to terminate a series of

  1681.   // certificates.

  1682.   bssl::UniquePtr<X509> x509(d2i_X509_bio(bio.get(), nullptr));

  1683.   EXPECT_FALSE(x509);

  1684.   uint32_t err = ERR_get_error();

  1685.   EXPECT_EQ(ERR_LIB_ASN1, ERR_GET_LIB(err));

  1686.   EXPECT_EQ(ASN1_R_HEADER_TOO_LONG, ERR_GET_REASON(err));

  1687. }

  1688. 

  1689. TEST(X509Test, ReadBIOOneByte) {

  1690.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf("\x30", 1));

  1691.   ASSERT_TRUE(bio);

  1692. 

  1693.   // CPython expects |ASN1_R_HEADER_TOO_LONG| on EOF, to terminate a series of

  1694.   // certificates. This EOF appeared after some data, however, so we do not wish

  1695.   // to signal EOF.

  1696.   bssl::UniquePtr<X509> x509(d2i_X509_bio(bio.get(), nullptr));

  1697.   EXPECT_FALSE(x509);

  1698.   uint32_t err = ERR_get_error();

  1699.   EXPECT_EQ(ERR_LIB_ASN1, ERR_GET_LIB(err));

  1700.   EXPECT_EQ(ASN1_R_NOT_ENOUGH_DATA, ERR_GET_REASON(err));

  1701. }

  1702. 

  1703. TEST(X509Test, PartialBIOReturn) {

  1704.   // Create a filter BIO that only reads and writes one byte at a time.

  1705.   bssl::UniquePtr<BIO_METHOD> method(BIO_meth_new(0, nullptr));

  1706.   ASSERT_TRUE(method);

  1707.   ASSERT_TRUE(BIO_meth_set_create(method.get(), [](BIO *b) -> int {

  1708.     BIO_set_init(b, 1);

  1709.     return 1;

  1710.   }));

  1711.   ASSERT_TRUE(

  1712.       BIO_meth_set_read(method.get(), [](BIO *b, char *out, int len) -> int {

  1713.         return BIO_read(BIO_next(b), out, std::min(len, 1));

  1714.       }));

  1715.   ASSERT_TRUE(BIO_meth_set_write(

  1716.       method.get(), [](BIO *b, const char *in, int len) -> int {

  1717.         return BIO_write(BIO_next(b), in, std::min(len, 1));

  1718.       }));

  1719. 

  1720.   bssl::UniquePtr<BIO> bio(BIO_new(method.get()));

  1721.   ASSERT_TRUE(bio);

  1722.   BIO *mem_bio = BIO_new(BIO_s_mem());

  1723.   ASSERT_TRUE(mem_bio);

  1724.   BIO_push(bio.get(), mem_bio);  // BIO_push takes ownership.

  1725. 

  1726.   bssl::UniquePtr<X509> cert(CertFromPEM(kLeafPEM));

  1727.   ASSERT_TRUE(cert);

  1728.   uint8_t *der = nullptr;

  1729.   int der_len = i2d_X509(cert.get(), &der);

  1730.   ASSERT_GT(der_len, 0);

  1731.   bssl::UniquePtr<uint8_t> free_der(der);

  1732. 

  1733.   // Write the certificate into the BIO. Though we only write one byte at a

  1734.   // time, the write should succeed.

  1735.   ASSERT_EQ(1, i2d_X509_bio(bio.get(), cert.get()));

  1736.   const uint8_t *der2;

  1737.   size_t der2_len;

  1738.   ASSERT_TRUE(BIO_mem_contents(mem_bio, &der2, &der2_len));

  1739.   EXPECT_EQ(Bytes(der, static_cast<size_t>(der_len)), Bytes(der2, der2_len));

  1740. 

  1741.   // Read the certificate back out of the BIO. Though we only read one byte at a

  1742.   // time, the read should succeed.

  1743.   bssl::UniquePtr<X509> cert2(d2i_X509_bio(bio.get(), nullptr));

  1744.   ASSERT_TRUE(cert2);

  1745.   EXPECT_EQ(0, X509_cmp(cert.get(), cert2.get()));

  1746. }