kris
/
boringssl
1
0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
3736 Коміти
12 Гілки
38 MiB
 
 
 
 
 
 
Дерево: 3a2b47ab5b
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з '3a2b47ab5b'
${ noResults }
boringssl/crypto/x509/x509_test.cc

1102 рядки
43 KiB
Неформатований Звинувачення Історія 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <vector>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bio.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/crypto.h>

  23. #include <openssl/digest.h>

  24. #include <openssl/err.h>

  25. #include <openssl/pem.h>

  26. #include <openssl/pool.h>

  27. #include <openssl/x509.h>

  28. 

  29. #include "../internal.h"

  30. 

  31. 

  32. static const char kCrossSigningRootPEM[] =

  33.     "-----BEGIN CERTIFICATE-----\n"

  34.     "MIICcTCCAdqgAwIBAgIIagJHiPvE0MowDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  35.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  36.     "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowPDEaMBgGA1UE\n"

  37.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  38.     "dCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwo3qFvSB9Zmlbpzn9wJp\n"

  39.     "ikI75Rxkatez8VkLqyxbOhPYl2Haz8F5p1gDG96dCI6jcLGgu3AKT9uhEQyyUko5\n"

  40.     "EKYasazSeA9CQrdyhPg0mkTYVETnPM1W/ebid1YtqQbq1CMWlq2aTDoSGAReGFKP\n"

  41.     "RTdXAbuAXzpCfi/d8LqV13UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgIEMB0GA1Ud\n"

  42.     "JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MBkGA1Ud\n"

  43.     "DgQSBBBHKHC7V3Z/3oLvEZx0RZRwMBsGA1UdIwQUMBKAEEcocLtXdn/egu8RnHRF\n"

  44.     "lHAwDQYJKoZIhvcNAQELBQADgYEAnglibsy6mGtpIXivtlcz4zIEnHw/lNW+r/eC\n"

  45.     "CY7evZTmOoOuC/x9SS3MF9vawt1HFUummWM6ZgErqVBOXIB4//ykrcCgf5ZbF5Hr\n"

  46.     "+3EFprKhBqYiXdD8hpBkrBoXwn85LPYWNd2TceCrx0YtLIprE2R5MB2RIq8y4Jk3\n"

  47.     "YFXvkME=\n"

  48.     "-----END CERTIFICATE-----\n";

  49. 

  50. static const char kRootCAPEM[] =

  51.     "-----BEGIN CERTIFICATE-----\n"

  52.     "MIICVTCCAb6gAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwLjEaMBgGA1UE\n"

  53.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwIBcNMTUwMTAx\n"

  54.     "MDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMC4xGjAYBgNVBAoTEUJvcmluZ1NTTCBU\n"

  55.     "RVNUSU5HMRAwDgYDVQQDEwdSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n"

  56.     "iQKBgQDpDn8RDOZa5oaDcPZRBy4CeBH1siSSOO4mYgLHlPE+oXdqwI/VImi2XeJM\n"

  57.     "2uCFETXCknJJjYG0iJdrt/yyRFvZTQZw+QzGj+mz36NqhGxDWb6dstB2m8PX+plZ\n"

  58.     "w7jl81MDvUnWs8yiQ/6twgu5AbhWKZQDJKcNKCEpqa6UW0r5nwIDAQABo3oweDAO\n"

  59.     "BgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8G\n"

  60.     "A1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEEA31wH7QC+4HH5UBCeMWQEwGwYDVR0j\n"

  61.     "BBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOBgQDXylEK77Za\n"

  62.     "kKeY6ZerrScWyZhrjIGtHFu09qVpdJEzrk87k2G7iHHR9CAvSofCgEExKtWNS9dN\n"

  63.     "+9WiZp/U48iHLk7qaYXdEuO07No4BYtXn+lkOykE+FUxmA4wvOF1cTd2tdj3MzX2\n"

  64.     "kfGIBAYhzGZWhY3JbhIfTEfY1PNM1pWChQ==\n"

  65.     "-----END CERTIFICATE-----\n";

  66. 

  67. static const char kRootCrossSignedPEM[] =

  68.     "-----BEGIN CERTIFICATE-----\n"

  69.     "MIICYzCCAcygAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  70.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  71.     "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowLjEaMBgGA1UE\n"

  72.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZI\n"

  73.     "hvcNAQEBBQADgY0AMIGJAoGBAOkOfxEM5lrmhoNw9lEHLgJ4EfWyJJI47iZiAseU\n"

  74.     "8T6hd2rAj9UiaLZd4kza4IURNcKSckmNgbSIl2u3/LJEW9lNBnD5DMaP6bPfo2qE\n"

  75.     "bENZvp2y0Habw9f6mVnDuOXzUwO9SdazzKJD/q3CC7kBuFYplAMkpw0oISmprpRb\n"

  76.     "SvmfAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcD\n"

  77.     "AQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQQDfXAftAL7gc\n"

  78.     "flQEJ4xZATAbBgNVHSMEFDASgBBHKHC7V3Z/3oLvEZx0RZRwMA0GCSqGSIb3DQEB\n"

  79.     "CwUAA4GBAErTxYJ0en9HVRHAAr5OO5wuk5Iq3VMc79TMyQLCXVL8YH8Uk7KEwv+q\n"

  80.     "9MEKZv2eR/Vfm4HlXlUuIqfgUXbwrAYC/YVVX86Wnbpy/jc73NYVCq8FEZeO+0XU\n"

  81.     "90SWAPDdp+iL7aZdimnMtG1qlM1edmz8AKbrhN/R3IbA2CL0nCWV\n"

  82.     "-----END CERTIFICATE-----\n";

  83. 

  84. static const char kIntermediatePEM[] =

  85.     "-----BEGIN CERTIFICATE-----\n"

  86.     "MIICXjCCAcegAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMC4xGjAYBgNV\n"

  87.     "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRAwDgYDVQQDEwdSb290IENBMCAXDTE1MDEw\n"

  88.     "MTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjA2MRowGAYDVQQKExFCb3JpbmdTU0wg\n"

  89.     "VEVTVElORzEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEB\n"

  90.     "AQUAA4GNADCBiQKBgQC7YtI0l8ocTYJ0gKyXTtPL4iMJCNY4OcxXl48jkncVG1Hl\n"

  91.     "blicgNUa1r9m9YFtVkxvBinb8dXiUpEGhVg4awRPDcatlsBSEBuJkiZGYbRcAmSu\n"

  92.     "CmZYnf6u3aYQ18SU8WqVERPpE4cwVVs+6kwlzRw0+XDoZAczu8ZezVhCUc6NbQID\n"

  93.     "AQABo3oweDAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\n"

  94.     "AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEIwaaKi1dttdV3sfjRSy\n"

  95.     "BqMwGwYDVR0jBBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOB\n"

  96.     "gQCvnolNWEHuQS8PFVVyuLR+FKBeUUdrVbSfHSzTqNAqQGp0C9fk5oCzDq6ZgTfY\n"

  97.     "ESXM4cJhb3IAnW0UM0NFsYSKQJ50JZL2L3z5ZLQhHdbs4RmODGoC40BVdnJ4/qgB\n"

  98.     "aGSh09eQRvAVmbVCviDK2ipkWNegdyI19jFfNP5uIkGlYg==\n"

  99.     "-----END CERTIFICATE-----\n";

  100. 

  101. static const char kIntermediateSelfSignedPEM[] =

  102.     "-----BEGIN CERTIFICATE-----\n"

  103.     "MIICZjCCAc+gAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  104.     "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  105.     "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDYxGjAYBgNVBAoTEUJv\n"

  106.     "cmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ\n"

  107.     "KoZIhvcNAQEBBQADgY0AMIGJAoGBALti0jSXyhxNgnSArJdO08viIwkI1jg5zFeX\n"

  108.     "jyOSdxUbUeVuWJyA1RrWv2b1gW1WTG8GKdvx1eJSkQaFWDhrBE8Nxq2WwFIQG4mS\n"

  109.     "JkZhtFwCZK4KZlid/q7dphDXxJTxapURE+kThzBVWz7qTCXNHDT5cOhkBzO7xl7N\n"

  110.     "WEJRzo1tAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEF\n"

  111.     "BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQjBpoqLV2\n"

  112.     "211Xex+NFLIGozAbBgNVHSMEFDASgBCMGmiotXbbXVd7H40UsgajMA0GCSqGSIb3\n"

  113.     "DQEBCwUAA4GBALcccSrAQ0/EqQBsx0ZDTUydHXXNP2DrUkpUKmAXIe8McqIVSlkT\n"

  114.     "6H4xz7z8VRKBo9j+drjjtCw2i0CQc8aOLxRb5WJ8eVLnaW2XRlUqAzhF0CrulfVI\n"

  115.     "E4Vs6ZLU+fra1WAuIj6qFiigRja+3YkZArG8tMA9vtlhTX/g7YBZIkqH\n"

  116.     "-----END CERTIFICATE-----\n";

  117. 

  118. static const char kLeafPEM[] =

  119.     "-----BEGIN CERTIFICATE-----\n"

  120.     "MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE\n"

  121.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg\n"

  122.     "Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y\n"

  123.     "aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3\n"

  124.     "DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c\n"

  125.     "oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j\n"

  126.     "5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh\n"

  127.     "TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\n"

  128.     "CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0\n"

  129.     "4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB\n"

  130.     "gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y\n"

  131.     "rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU\n"

  132.     "xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==\n"

  133.     "-----END CERTIFICATE-----\n";

  134. 

  135. static const char kLeafNoKeyUsagePEM[] =

  136.     "-----BEGIN CERTIFICATE-----\n"

  137.     "MIICNTCCAZ6gAwIBAgIJAIFQGaLQ0G2mMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  138.     "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  139.     "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDcxGjAYBgNVBAoTEUJv\n"

  140.     "cmluZ1NTTCBURVNUSU5HMRkwFwYDVQQDExBldmlsLmV4YW1wbGUuY29tMIGfMA0G\n"

  141.     "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOKoZe75NPz77EOaMMl4/0s3PyQw++zJvp\n"

  142.     "ejHAxZiTPCJgMbEHLrSzNoHdopg+CLUH5bE4wTXM8w9Inv5P8OAFJt7gJuPUunmk\n"

  143.     "j+NoU3QfzOR6BroePcz1vXX9jyVHRs087M/sLqWRHu9IR+/A+UTcBaWaFiDVUxtJ\n"

  144.     "YOwFMwjNPQIDAQABo0gwRjAMBgNVHRMBAf8EAjAAMBkGA1UdDgQSBBBJfLEUWHq1\n"

  145.     "27rZ1AVx2J5GMBsGA1UdIwQUMBKAEIwaaKi1dttdV3sfjRSyBqMwDQYJKoZIhvcN\n"

  146.     "AQELBQADgYEALVKN2Y3LZJOtu6SxFIYKxbLaXhTGTdIjxipZhmbBRDFjbZjZZOTe\n"

  147.     "6Oo+VDNPYco4rBexK7umYXJyfTqoY0E8dbiImhTcGTEj7OAB3DbBomgU1AYe+t2D\n"

  148.     "uwBqh4Y3Eto+Zn4pMVsxGEfUpjzjZDel7bN1/oU/9KWPpDfywfUmjgk=\n"

  149.     "-----END CERTIFICATE-----\n";

  150. 

  151. static const char kForgeryPEM[] =

  152.     "-----BEGIN CERTIFICATE-----\n"

  153.     "MIICZzCCAdCgAwIBAgIIdTlMzQoKkeMwDQYJKoZIhvcNAQELBQAwNzEaMBgGA1UE\n"

  154.     "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGTAXBgNVBAMTEGV2aWwuZXhhbXBsZS5jb20w\n"

  155.     "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDoxGjAYBgNVBAoTEUJv\n"

  156.     "cmluZ1NTTCBURVNUSU5HMRwwGgYDVQQDExNmb3JnZXJ5LmV4YW1wbGUuY29tMIGf\n"

  157.     "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADTwruBQZGb7Ay6s9HiYv5d1lwtEy\n"

  158.     "xQdA2Sy8Rn8uA20Q4KgqwVY7wzIZ+z5Butrsmwb70gdG1XU+yRaDeE7XVoW6jSpm\n"

  159.     "0sw35/5vJbTcL4THEFbnX0OPZnvpuZDFUkvVtq5kxpDWsVyM24G8EEq7kPih3Sa3\n"

  160.     "OMhXVXF8kso6UQIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI\n"

  161.     "KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEEYJ/WHM\n"

  162.     "8p64erPWIg4/liwwGwYDVR0jBBQwEoAQSXyxFFh6tdu62dQFcdieRjANBgkqhkiG\n"

  163.     "9w0BAQsFAAOBgQA+zH7bHPElWRWJvjxDqRexmYLn+D3Aivs8XgXQJsM94W0EzSUf\n"

  164.     "DSLfRgaQwcb2gg2xpDFoG+W0vc6O651uF23WGt5JaFFJJxqjII05IexfCNhuPmp4\n"

  165.     "4UZAXPttuJXpn74IY1tuouaM06B3vXKZR+/ityKmfJvSwxacmFcK+2ziAg==\n"

  166.     "-----END CERTIFICATE-----\n";

  167. 

  168. // kExamplePSSCert is an example RSA-PSS self-signed certificate, signed with

  169. // the default hash functions.

  170. static const char kExamplePSSCert[] =

  171.     "-----BEGIN CERTIFICATE-----\n"

  172.     "MIICYjCCAcagAwIBAgIJAI3qUyT6SIfzMBIGCSqGSIb3DQEBCjAFogMCAWowRTEL\n"

  173.     "MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy\n"

  174.     "bmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xNDEwMDkxOTA5NTVaFw0xNTEwMDkxOTA5\n"

  175.     "NTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK\n"

  176.     "DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A\n"

  177.     "MIGJAoGBAPi4bIO0vNmoV8CltFl2jFQdeesiUgR+0zfrQf2D+fCmhRU0dXFahKg8\n"

  178.     "0u9aTtPel4rd/7vPCqqGkr64UOTNb4AzMHYTj8p73OxaymPHAyXvqIqDWHYg+hZ3\n"

  179.     "13mSYwFIGth7Z/FSVUlO1m5KXNd6NzYM3t2PROjCpywrta9kS2EHAgMBAAGjUDBO\n"

  180.     "MB0GA1UdDgQWBBTQQfuJQR6nrVrsNF1JEflVgXgfEzAfBgNVHSMEGDAWgBTQQfuJ\n"

  181.     "QR6nrVrsNF1JEflVgXgfEzAMBgNVHRMEBTADAQH/MBIGCSqGSIb3DQEBCjAFogMC\n"

  182.     "AWoDgYEASUy2RZcgNbNQZA0/7F+V1YTLEXwD16bm+iSVnzGwtexmQVEYIZG74K/w\n"

  183.     "xbdZQdTbpNJkp1QPjPfh0zsatw6dmt5QoZ8K8No0DjR9dgf+Wvv5WJvJUIQBoAVN\n"

  184.     "Z0IL+OQFz6+LcTHxD27JJCebrATXZA0wThGTQDm7crL+a+SujBY=\n"

  185.     "-----END CERTIFICATE-----\n";

  186. 

  187. // kBadPSSCertPEM is a self-signed RSA-PSS certificate with bad parameters.

  188. static const char kBadPSSCertPEM[] =

  189.     "-----BEGIN CERTIFICATE-----\n"

  190.     "MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI\n"

  191.     "AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD\n"

  192.     "VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz\n"

  193.     "NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj\n"

  194.     "ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH\n"

  195.     "qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL\n"

  196.     "IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT\n"

  197.     "IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k\n"

  198.     "dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq\n"

  199.     "QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa\n"

  200.     "5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2\n"

  201.     "4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB\n"

  202.     "Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii\n"

  203.     "BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb\n"

  204.     "xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn\n"

  205.     "plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY\n"

  206.     "DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p\n"

  207.     "NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ\n"

  208.     "lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=\n"

  209.     "-----END CERTIFICATE-----\n";

  210. 

  211. static const char kRSAKey[] =

  212.     "-----BEGIN RSA PRIVATE KEY-----\n"

  213.     "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"

  214.     "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"

  215.     "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"

  216.     "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"

  217.     "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"

  218.     "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"

  219.     "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"

  220.     "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"

  221.     "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"

  222.     "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"

  223.     "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"

  224.     "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"

  225.     "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"

  226.     "-----END RSA PRIVATE KEY-----\n";

  227. 

  228. // kCRLTestRoot is a test root certificate. It has private key:

  229. //

  230. //     -----BEGIN RSA PRIVATE KEY-----

  231. //     MIIEpAIBAAKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3BS/dUBpbrzd1aeFzN

  232. //     lI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+5R/Du0iCb1tCZIPY

  233. //     07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWpuRqO6rctN9qUoMlT

  234. //     IAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n8H922qmvPNA9idmX

  235. //     9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbLP2o9orxGx7aCtnnB

  236. //     ZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABAoIBAQCJF9MTHfHGkk+/

  237. //     DwCXlA0Wg0e6hBuHl10iNobYkMWIl/xXjOknhYiqOqb181py76472SVC5ERprC+r

  238. //     Lf0PXzqKuA117mnkwT2bYLCL9Skf8WEhoFLQNbVlloF6wYjqXcYgKYKh8HgQbZl4

  239. //     aLg2YQl2NADTNABsUWj/4H2WEelsODVviqfFs725lFg9KHDI8zxAZXLzDt/M9uVL

  240. //     GxJiX12tr0AwaeAFZ1oPM/y+LznM3N3+Ht3jHHw3jZ/u8Z1RdAmdpu3bZ6tbwGBr

  241. //     9edsH5rKkm9aBvMrY7eX5VHqaqyRNFyG152ZOJh4XiiFG7EmgTPCpaHo50Y018Re

  242. //     grVtk+FBAoGBANY3lY+V8ZOwMxSHes+kTnoimHO5Ob7nxrOC71i27x+4HHsYUeAr

  243. //     /zOOghiDIn+oNkuiX5CIOWZKx159Bp65CPpCbTb/fh+HYnSgXFgCw7XptycO7LXM

  244. //     5GwR5jSfpfzBFdYxjxoUzDMFBwTEYRTm0HkUHkH+s+ajjw5wqqbcGLcfAoGBAMM8

  245. //     DKW6Tb66xsf708f0jonAjKYTLZ+WOcwsBEWSFHoY8dUjvW5gqx5acHTEsc5ZTeh4

  246. //     BCFLa+Mn9cuJWVJNs09k7Xb2PNl92HQ4GN2vbdkJhExbkT6oLDHg1hVD0w8KLfz1

  247. //     lTAW6pS+6CdOHMEJpvqx89EgU/1GgIQ1fXYczE75AoGAKeJoXdDFkUjsU+FBhAPu

  248. //     TDcjc80Nm2QaF9NMFR5/lsYa236f06MGnQAKM9zADBHJu/Qdl1brUjLg1HrBppsr

  249. //     RDNkw1IlSOjhuUf5hkPUHGd8Jijm440SRIcjabqla8wdBupdvo2+d2NOQgJbsQiI

  250. //     ToQ+fkzcxAXK3Nnuo/1436UCgYBjLH7UNOZHS8OsVM0I1r8NVKVdu4JCfeJQR8/H

  251. //     s2P5ffBir+wLRMnH+nMDreMQiibcPxMCArkERAlE4jlgaJ38Z62E76KLbLTmnJRt

  252. //     EC9Bv+bXjvAiHvWMRMUbOj/ddPNVez7Uld+FvdBaHwDWQlvzHzBWfBCOKSEhh7Z6

  253. //     qDhUqQKBgQDPMDx2i5rfmQp3imV9xUcCkIRsyYQVf8Eo7NV07IdUy/otmksgn4Zt

  254. //     Lbf3v2dvxOpTNTONWjp2c+iUQo8QxJCZr5Sfb21oQ9Ktcrmc/CY7LeBVDibXwxdM

  255. //     vRG8kBzvslFWh7REzC3u06GSVhyKDfW93kN2cKVwGoahRlhj7oHuZQ==

  256. //     -----END RSA PRIVATE KEY-----

  257. static const char kCRLTestRoot[] =

  258.     "-----BEGIN CERTIFICATE-----\n"

  259.     "MIIDbzCCAlegAwIBAgIJAODri7v0dDUFMA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV\n"

  260.     "BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\n"

  261.     "aWV3MRIwEAYDVQQKDAlCb3JpbmdTU0wwHhcNMTYwOTI2MTUwNjI2WhcNMjYwOTI0\n"

  262.     "MTUwNjI2WjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n"

  263.     "A1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9yaW5nU1NMMIIBIjANBgkq\n"

  264.     "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3B\n"

  265.     "S/dUBpbrzd1aeFzNlI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+\n"

  266.     "5R/Du0iCb1tCZIPY07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWp\n"

  267.     "uRqO6rctN9qUoMlTIAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n\n"

  268.     "8H922qmvPNA9idmX9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbL\n"

  269.     "P2o9orxGx7aCtnnBZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABo1Aw\n"

  270.     "TjAdBgNVHQ4EFgQUWPt3N5cZ/CRvubbrkqfBnAqhq94wHwYDVR0jBBgwFoAUWPt3\n"

  271.     "N5cZ/CRvubbrkqfBnAqhq94wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"

  272.     "AQEAORu6M0MOwXy+3VEBwNilfTxyqDfruQsc1jA4PT8Oe8zora1WxE1JB4q2FJOz\n"

  273.     "EAuM3H/NXvEnBuN+ITvKZAJUfm4NKX97qmjMJwLKWe1gVv+VQTr63aR7mgWJReQN\n"

  274.     "XdMztlVeZs2dppV6uEg3ia1X0G7LARxGpA9ETbMyCpb39XxlYuTClcbA5ftDN99B\n"

  275.     "3Xg9KNdd++Ew22O3HWRDvdDpTO/JkzQfzi3sYwUtzMEonENhczJhGf7bQMmvL/w5\n"

  276.     "24Wxj4Z7KzzWIHsNqE/RIs6RV3fcW61j/mRgW2XyoWnMVeBzvcJr9NXp4VQYmFPw\n"

  277.     "amd8GKMZQvP0ufGnUn7D7uartA==\n"

  278.     "-----END CERTIFICATE-----\n";

  279. 

  280. static const char kCRLTestLeaf[] =

  281.     "-----BEGIN CERTIFICATE-----\n"

  282.     "MIIDkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCVVMx\n"

  283.     "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEjAQ\n"

  284.     "BgNVBAoMCUJvcmluZ1NTTDAeFw0xNjA5MjYxNTA4MzFaFw0xNzA5MjYxNTA4MzFa\n"

  285.     "MEsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlC\n"

  286.     "b3JpbmdTU0wxEzARBgNVBAMMCmJvcmluZy5zc2wwggEiMA0GCSqGSIb3DQEBAQUA\n"

  287.     "A4IBDwAwggEKAoIBAQDc5v1S1M0W+QWM+raWfO0LH8uvqEwuJQgODqMaGnSlWUx9\n"

  288.     "8iQcnWfjyPja3lWg9K62hSOFDuSyEkysKHDxijz5R93CfLcfnVXjWQDJe7EJTTDP\n"

  289.     "ozEvxN6RjAeYv7CF000euYr3QT5iyBjg76+bon1p0jHZBJeNPP1KqGYgyxp+hzpx\n"

  290.     "e0gZmTlGAXd8JQK4v8kpdYwD6PPifFL/jpmQpqOtQmH/6zcLjY4ojmqpEdBqIKIX\n"

  291.     "+saA29hMq0+NK3K+wgg31RU+cVWxu3tLOIiesETkeDgArjWRS1Vkzbi4v9SJxtNu\n"

  292.     "OZuAxWiynRJw3JwH/OFHYZIvQqz68ZBoj96cepjPAgMBAAGjezB5MAkGA1UdEwQC\n"

  293.     "MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl\n"

  294.     "MB0GA1UdDgQWBBTGn0OVVh/aoYt0bvEKG+PIERqnDzAfBgNVHSMEGDAWgBRY+3c3\n"

  295.     "lxn8JG+5tuuSp8GcCqGr3jANBgkqhkiG9w0BAQsFAAOCAQEAd2nM8gCQN2Dc8QJw\n"

  296.     "XSZXyuI3DBGGCHcay/3iXu0JvTC3EiQo8J6Djv7WLI0N5KH8mkm40u89fJAB2lLZ\n"

  297.     "ShuHVtcC182bOKnePgwp9CNwQ21p0rDEu/P3X46ZvFgdxx82E9xLa0tBB8PiPDWh\n"

  298.     "lV16jbaKTgX5AZqjnsyjR5o9/mbZVupZJXx5Syq+XA8qiJfstSYJs4KyKK9UOjql\n"

  299.     "ICkJVKpi2ahDBqX4MOH4SLfzVk8pqSpviS6yaA1RXqjpkxiN45WWaXDldVHMSkhC\n"

  300.     "5CNXsXi4b1nAntu89crwSLA3rEwzCWeYj+BX7e1T9rr3oJdwOU/2KQtW1js1yQUG\n"

  301.     "tjJMFw==\n"

  302.     "-----END CERTIFICATE-----\n";

  303. 

  304. static const char kBasicCRL[] =

  305.     "-----BEGIN X509 CRL-----\n"

  306.     "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  307.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  308.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV\n"

  309.     "HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN\n"

  310.     "ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo\n"

  311.     "eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os\n"

  312.     "dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv\n"

  313.     "diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho\n"

  314.     "/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==\n"

  315.     "-----END X509 CRL-----\n";

  316. 

  317. static const char kRevokedCRL[] =

  318.     "-----BEGIN X509 CRL-----\n"

  319.     "MIIBvjCBpwIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  320.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  321.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEyNDRaFw0xNjEwMjYxNTEyNDRaMBUwEwICEAAX\n"

  322.     "DTE2MDkyNjE1MTIyNlqgDjAMMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IB\n"

  323.     "AQCUGaM4DcWzlQKrcZvI8TMeR8BpsvQeo5BoI/XZu2a8h//PyRyMwYeaOM+3zl0d\n"

  324.     "sjgCT8b3C1FPgT+P2Lkowv7rJ+FHJRNQkogr+RuqCSPTq65ha4WKlRGWkMFybzVH\n"

  325.     "NloxC+aU3lgp/NlX9yUtfqYmJek1CDrOOGPrAEAwj1l/BUeYKNGqfBWYJQtPJu+5\n"

  326.     "OaSvIYGpETCZJscUWODmLEb/O3DM438vLvxonwGqXqS0KX37+CHpUlyhnSovxXxp\n"

  327.     "Pz4aF+L7OtczxL0GYtD2fR9B7TDMqsNmHXgQrixvvOY7MUdLGbd4RfJL3yA53hyO\n"

  328.     "xzfKY2TzxLiOmctG0hXFkH5J\n"

  329.     "-----END X509 CRL-----\n";

  330. 

  331. static const char kBadIssuerCRL[] =

  332.     "-----BEGIN X509 CRL-----\n"

  333.     "MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  334.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwN\n"

  335.     "Tm90IEJvcmluZ1NTTBcNMTYwOTI2MTUxMjQ0WhcNMTYxMDI2MTUxMjQ0WjAVMBMC\n"

  336.     "AhAAFw0xNjA5MjYxNTEyMjZaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsF\n"

  337.     "AAOCAQEAlBmjOA3Fs5UCq3GbyPEzHkfAabL0HqOQaCP12btmvIf/z8kcjMGHmjjP\n"

  338.     "t85dHbI4Ak/G9wtRT4E/j9i5KML+6yfhRyUTUJKIK/kbqgkj06uuYWuFipURlpDB\n"

  339.     "cm81RzZaMQvmlN5YKfzZV/clLX6mJiXpNQg6zjhj6wBAMI9ZfwVHmCjRqnwVmCUL\n"

  340.     "TybvuTmkryGBqREwmSbHFFjg5ixG/ztwzON/Ly78aJ8Bql6ktCl9+/gh6VJcoZ0q\n"

  341.     "L8V8aT8+Ghfi+zrXM8S9BmLQ9n0fQe0wzKrDZh14EK4sb7zmOzFHSxm3eEXyS98g\n"

  342.     "Od4cjsc3ymNk88S4jpnLRtIVxZB+SQ==\n"

  343.     "-----END X509 CRL-----\n";

  344. 

  345. // kKnownCriticalCRL is kBasicCRL but with a critical issuing distribution point

  346. // extension.

  347. static const char kKnownCriticalCRL[] =

  348.     "-----BEGIN X509 CRL-----\n"

  349.     "MIIBujCBowIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  350.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  351.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCEwHzAKBgNV\n"

  352.     "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+3\n"

  353.     "i+5e5Ub8sccfgOBs6WVJFI9c8gvJjrJ8/dYfFIAuCyeocs7DFXn1n13CRZ+URR/Q\n"

  354.     "mVWgU28+xeusuSPYFpd9cyYTcVyNUGNTI3lwgcE/yVjPaOmzSZKdPakApRxtpKKQ\n"

  355.     "NN/56aQz3bnT/ZSHQNciRB8U6jiD9V30t0w+FDTpGaG+7bzzUH3UVF9xf9Ctp60A\n"

  356.     "3mfLe0scas7owSt4AEFuj2SPvcE7yvdOXbu+IEv21cEJUVExJAbhvIweHXh6yRW+\n"

  357.     "7VVeiNzdIjkZjyTmAzoXGha4+wbxXyBRbfH+XWcO/H+8nwyG8Gktdu2QB9S9nnIp\n"

  358.     "o/1TpfOMSGhMyMoyPrk=\n"

  359.     "-----END X509 CRL-----\n";

  360. 

  361. // kUnknownCriticalCRL is kBasicCRL but with an unknown critical extension.

  362. static const char kUnknownCriticalCRL[] =

  363.     "-----BEGIN X509 CRL-----\n"

  364.     "MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  365.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  366.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCMwITAKBgNV\n"

  367.     "HRQEAwIBATATBgwqhkiG9xIEAYS3CQABAf8EADANBgkqhkiG9w0BAQsFAAOCAQEA\n"

  368.     "GvBP0xqL509InMj/3493YVRV+ldTpBv5uTD6jewzf5XdaxEQ/VjTNe5zKnxbpAib\n"

  369.     "Kf7cwX0PMSkZjx7k7kKdDlEucwVvDoqC+O9aJcqVmM6GDyNb9xENxd0XCXja6MZC\n"

  370.     "yVgP4AwLauB2vSiEprYJyI1APph3iAEeDm60lTXX/wBM/tupQDDujKh2GPyvBRfJ\n"

  371.     "+wEDwGg3ICwvu4gO4zeC5qnFR+bpL9t5tOMAQnVZ0NWv+k7mkd2LbHdD44dxrfXC\n"

  372.     "nhtfERx99SDmC/jtUAJrGhtCO8acr7exCeYcduN7KKCm91OeCJKK6OzWst0Og1DB\n"

  373.     "kwzzU2rL3G65CrZ7H0SZsQ==\n"

  374.     "-----END X509 CRL-----\n";

  375. 

  376. // kUnknownCriticalCRL2 is kBasicCRL but with a critical issuing distribution

  377. // point extension followed by an unknown critical extension

  378. static const char kUnknownCriticalCRL2[] =

  379.     "-----BEGIN X509 CRL-----\n"

  380.     "MIIBzzCBuAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  381.     "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  382.     "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoDYwNDAKBgNV\n"

  383.     "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wEwYMKoZIhvcSBAGEtwkAAQH/BAAw\n"

  384.     "DQYJKoZIhvcNAQELBQADggEBACTcpQC8jXL12JN5YzOcQ64ubQIe0XxRAd30p7qB\n"

  385.     "BTXGpgqBjrjxRfLms7EBYodEXB2oXMsDq3km0vT1MfYdsDD05S+SQ9CDsq/pUfaC\n"

  386.     "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n"

  387.     "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n"

  388.     "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n"

  389.     "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n"

  390.     "-----END X509 CRL-----\n";

  391. 

  392. // CertFromPEM parses the given, NUL-terminated pem block and returns an

  393. // |X509*|.

  394. static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {

  395.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  396.   return bssl::UniquePtr<X509>(

  397.       PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));

  398. }

  399. 

  400. // CRLFromPEM parses the given, NUL-terminated pem block and returns an

  401. // |X509_CRL*|.

  402. static bssl::UniquePtr<X509_CRL> CRLFromPEM(const char *pem) {

  403.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  404.   return bssl::UniquePtr<X509_CRL>(

  405.       PEM_read_bio_X509_CRL(bio.get(), nullptr, nullptr, nullptr));

  406. }

  407. 

  408. // PrivateKeyFromPEM parses the given, NUL-terminated pem block and returns an

  409. // |EVP_PKEY*|.

  410. static bssl::UniquePtr<EVP_PKEY> PrivateKeyFromPEM(const char *pem) {

  411.   bssl::UniquePtr<BIO> bio(

  412.       BIO_new_mem_buf(const_cast<char *>(pem), strlen(pem)));

  413.   return bssl::UniquePtr<EVP_PKEY>(

  414.       PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));

  415. }

  416. 

  417. // CertsToStack converts a vector of |X509*| to an OpenSSL STACK_OF(X509),

  418. // bumping the reference counts for each certificate in question.

  419. static bssl::UniquePtr<STACK_OF(X509)> CertsToStack(

  420.     const std::vector<X509 *> &certs) {

  421.   bssl::UniquePtr<STACK_OF(X509)> stack(sk_X509_new_null());

  422.   if (!stack) {

  423.     return nullptr;

  424.   }

  425.   for (auto cert : certs) {

  426.     if (!sk_X509_push(stack.get(), cert)) {

  427.       return nullptr;

  428.     }

  429.     X509_up_ref(cert);

  430.   }

  431. 

  432.   return stack;

  433. }

  434. 

  435. // CRLsToStack converts a vector of |X509_CRL*| to an OpenSSL

  436. // STACK_OF(X509_CRL), bumping the reference counts for each CRL in question.

  437. static bssl::UniquePtr<STACK_OF(X509_CRL)> CRLsToStack(

  438.     const std::vector<X509_CRL *> &crls) {

  439.   bssl::UniquePtr<STACK_OF(X509_CRL)> stack(sk_X509_CRL_new_null());

  440.   if (!stack) {

  441.     return nullptr;

  442.   }

  443.   for (auto crl : crls) {

  444.     if (!sk_X509_CRL_push(stack.get(), crl)) {

  445.       return nullptr;

  446.     }

  447.     X509_CRL_up_ref(crl);

  448.   }

  449. 

  450.   return stack;

  451. }

  452. 

  453. static int Verify(X509 *leaf, const std::vector<X509 *> &roots,

  454.                    const std::vector<X509 *> &intermediates,

  455.                    const std::vector<X509_CRL *> &crls,

  456.                    unsigned long flags,

  457.                    bool use_additional_untrusted) {

  458.   bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));

  459.   bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(

  460.       CertsToStack(intermediates));

  461.   bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls));

  462. 

  463.   if (!roots_stack ||

  464.       !intermediates_stack ||

  465.       !crls_stack) {

  466.     return X509_V_ERR_UNSPECIFIED;

  467.   }

  468. 

  469.   bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());

  470.   bssl::UniquePtr<X509_STORE> store(X509_STORE_new());

  471.   if (!ctx ||

  472.       !store) {

  473.     return X509_V_ERR_UNSPECIFIED;

  474.   }

  475. 

  476.   if (use_additional_untrusted) {

  477.     X509_STORE_set0_additional_untrusted(store.get(),

  478.                                          intermediates_stack.get());

  479.   }

  480. 

  481.   if (!X509_STORE_CTX_init(

  482.           ctx.get(), store.get(), leaf,

  483.           use_additional_untrusted ? nullptr : intermediates_stack.get())) {

  484.     return X509_V_ERR_UNSPECIFIED;

  485.   }

  486. 

  487.   X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get());

  488.   X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get());

  489. 

  490.   X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();

  491.   if (param == nullptr) {

  492.     return X509_V_ERR_UNSPECIFIED;

  493.   }

  494.   X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */);

  495.   X509_VERIFY_PARAM_set_depth(param, 16);

  496.   if (flags) {

  497.     X509_VERIFY_PARAM_set_flags(param, flags);

  498.   }

  499.   X509_STORE_CTX_set0_param(ctx.get(), param);

  500. 

  501.   ERR_clear_error();

  502.   if (X509_verify_cert(ctx.get()) != 1) {

  503.     return X509_STORE_CTX_get_error(ctx.get());

  504.   }

  505. 

  506.   return X509_V_OK;

  507. }

  508. 

  509. static int Verify(X509 *leaf, const std::vector<X509 *> &roots,

  510.                    const std::vector<X509 *> &intermediates,

  511.                    const std::vector<X509_CRL *> &crls,

  512.                    unsigned long flags = 0) {

  513.   const int r1 = Verify(leaf, roots, intermediates, crls, flags, false);

  514.   const int r2 = Verify(leaf, roots, intermediates, crls, flags, true);

  515. 

  516.   if (r1 != r2) {

  517.     fprintf(stderr,

  518.             "Verify with, and without, use_additional_untrusted gave different "

  519.             "results: %d vs %d.\n",

  520.             r1, r2);

  521.     return false;

  522.   }

  523. 

  524.   return r1;

  525. }

  526. 

  527. static bool TestVerify() {

  528.   bssl::UniquePtr<X509> cross_signing_root(CertFromPEM(kCrossSigningRootPEM));

  529.   bssl::UniquePtr<X509> root(CertFromPEM(kRootCAPEM));

  530.   bssl::UniquePtr<X509> root_cross_signed(CertFromPEM(kRootCrossSignedPEM));

  531.   bssl::UniquePtr<X509> intermediate(CertFromPEM(kIntermediatePEM));

  532.   bssl::UniquePtr<X509> intermediate_self_signed(

  533.       CertFromPEM(kIntermediateSelfSignedPEM));

  534.   bssl::UniquePtr<X509> leaf(CertFromPEM(kLeafPEM));

  535.   bssl::UniquePtr<X509> leaf_no_key_usage(CertFromPEM(kLeafNoKeyUsagePEM));

  536.   bssl::UniquePtr<X509> forgery(CertFromPEM(kForgeryPEM));

  537. 

  538.   if (!cross_signing_root ||

  539.       !root ||

  540.       !root_cross_signed ||

  541.       !intermediate ||

  542.       !intermediate_self_signed ||

  543.       !leaf ||

  544.       !leaf_no_key_usage ||

  545.       !forgery) {

  546.     fprintf(stderr, "Failed to parse certificates\n");

  547.     return false;

  548.   }

  549. 

  550.   std::vector<X509*> empty;

  551.   std::vector<X509_CRL*> empty_crls;

  552.   if (Verify(leaf.get(), empty, empty, empty_crls) !=

  553.       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {

  554.     fprintf(stderr, "Leaf verified with no roots!\n");

  555.     return false;

  556.   }

  557. 

  558.   if (Verify(leaf.get(), empty, {intermediate.get()}, empty_crls) !=

  559.       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {

  560.     fprintf(stderr, "Leaf verified with no roots!\n");

  561.     return false;

  562.   }

  563. 

  564.   if (Verify(leaf.get(), {root.get()}, {intermediate.get()}, empty_crls) !=

  565.       X509_V_OK) {

  566.     ERR_print_errors_fp(stderr);

  567.     fprintf(stderr, "Basic chain didn't verify.\n");

  568.     return false;

  569.   }

  570. 

  571.   if (Verify(leaf.get(), {cross_signing_root.get()},

  572.              {intermediate.get(), root_cross_signed.get()},

  573.              empty_crls) != X509_V_OK) {

  574.     ERR_print_errors_fp(stderr);

  575.     fprintf(stderr, "Cross-signed chain didn't verify.\n");

  576.     return false;

  577.   }

  578. 

  579.   if (Verify(leaf.get(), {cross_signing_root.get(), root.get()},

  580.              {intermediate.get(), root_cross_signed.get()},

  581.              empty_crls) != X509_V_OK) {

  582.     ERR_print_errors_fp(stderr);

  583.     fprintf(stderr, "Cross-signed chain with root didn't verify.\n");

  584.     return false;

  585.   }

  586. 

  587.   /* This is the “altchains” test – we remove the cross-signing CA but include

  588.    * the cross-sign in the intermediates. */

  589.   if (Verify(leaf.get(), {root.get()},

  590.              {intermediate.get(), root_cross_signed.get()},

  591.              empty_crls) != X509_V_OK) {

  592.     ERR_print_errors_fp(stderr);

  593.     fprintf(stderr, "Chain with cross-sign didn't backtrack to find root.\n");

  594.     return false;

  595.   }

  596. 

  597.   if (Verify(leaf.get(), {root.get()},

  598.              {intermediate.get(), root_cross_signed.get()}, empty_crls,

  599.              X509_V_FLAG_NO_ALT_CHAINS) !=

  600.       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {

  601.     fprintf(stderr, "Altchains test still passed when disabled.\n");

  602.     return false;

  603.   }

  604. 

  605.   if (Verify(forgery.get(), {intermediate_self_signed.get()},

  606.              {leaf_no_key_usage.get()},

  607.              empty_crls) != X509_V_ERR_INVALID_CA) {

  608.     fprintf(stderr, "Basic constraints weren't checked.\n");

  609.     return false;

  610.   }

  611. 

  612.   /* Test that one cannot skip Basic Constraints checking with a contorted set

  613.    * of roots and intermediates. This is a regression test for CVE-2015-1793. */

  614.   if (Verify(forgery.get(),

  615.              {intermediate_self_signed.get(), root_cross_signed.get()},

  616.              {leaf_no_key_usage.get(), intermediate.get()},

  617.              empty_crls) != X509_V_ERR_INVALID_CA) {

  618.     fprintf(stderr, "Basic constraints weren't checked.\n");

  619.     return false;

  620.   }

  621. 

  622.   return true;

  623. }

  624. 

  625. static bool TestCRL() {

  626.   bssl::UniquePtr<X509> root(CertFromPEM(kCRLTestRoot));

  627.   bssl::UniquePtr<X509> leaf(CertFromPEM(kCRLTestLeaf));

  628.   bssl::UniquePtr<X509_CRL> basic_crl(CRLFromPEM(kBasicCRL));

  629.   bssl::UniquePtr<X509_CRL> revoked_crl(CRLFromPEM(kRevokedCRL));

  630.   bssl::UniquePtr<X509_CRL> bad_issuer_crl(CRLFromPEM(kBadIssuerCRL));

  631.   bssl::UniquePtr<X509_CRL> known_critical_crl(CRLFromPEM(kKnownCriticalCRL));

  632.   bssl::UniquePtr<X509_CRL> unknown_critical_crl(

  633.       CRLFromPEM(kUnknownCriticalCRL));

  634.   bssl::UniquePtr<X509_CRL> unknown_critical_crl2(

  635.       CRLFromPEM(kUnknownCriticalCRL2));

  636. 

  637.   if (!root ||

  638.       !leaf ||

  639.       !basic_crl ||

  640.       !revoked_crl ||

  641.       !bad_issuer_crl ||

  642.       !known_critical_crl ||

  643.       !unknown_critical_crl ||

  644.       !unknown_critical_crl2) {

  645.     fprintf(stderr, "Failed to parse certificates and CRLs.\n");

  646.     return false;

  647.   }

  648. 

  649.   if (Verify(leaf.get(), {root.get()}, {root.get()}, {basic_crl.get()},

  650.              X509_V_FLAG_CRL_CHECK) != X509_V_OK) {

  651.     fprintf(stderr, "Cert with CRL didn't verify.\n");

  652.     return false;

  653.   }

  654. 

  655.   if (Verify(leaf.get(), {root.get()}, {root.get()},

  656.              {basic_crl.get(), revoked_crl.get()},

  657.              X509_V_FLAG_CRL_CHECK) != X509_V_ERR_CERT_REVOKED) {

  658.     fprintf(stderr, "Revoked CRL wasn't checked.\n");

  659.     return false;

  660.   }

  661. 

  662.   std::vector<X509_CRL *> empty_crls;

  663.   if (Verify(leaf.get(), {root.get()}, {root.get()}, empty_crls,

  664.              X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) {

  665.     fprintf(stderr, "CRLs were not required.\n");

  666.     return false;

  667.   }

  668. 

  669.   if (Verify(leaf.get(), {root.get()}, {root.get()}, {bad_issuer_crl.get()},

  670.              X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) {

  671.     fprintf(stderr, "Bad CRL issuer was unnoticed.\n");

  672.     return false;

  673.   }

  674. 

  675.   if (Verify(leaf.get(), {root.get()}, {root.get()}, {known_critical_crl.get()},

  676.              X509_V_FLAG_CRL_CHECK) != X509_V_OK) {

  677.     fprintf(stderr, "CRL with known critical extension was rejected.\n");

  678.     return false;

  679.   }

  680. 

  681.   if (Verify(leaf.get(), {root.get()}, {root.get()},

  682.              {unknown_critical_crl.get()}, X509_V_FLAG_CRL_CHECK) !=

  683.       X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) {

  684.     fprintf(stderr, "CRL with unknown critical extension was accepted.\n");

  685.     return false;

  686.   }

  687. 

  688.   if (Verify(leaf.get(), {root.get()}, {root.get()},

  689.              {unknown_critical_crl2.get()}, X509_V_FLAG_CRL_CHECK) !=

  690.       X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) {

  691.     fprintf(stderr, "CRL with unknown critical extension (2) was accepted.\n");

  692.     return false;

  693.   }

  694. 

  695.   return true;

  696. }

  697. 

  698. static bool TestPSS() {

  699.   bssl::UniquePtr<X509> cert(CertFromPEM(kExamplePSSCert));

  700.   if (!cert) {

  701.     return false;

  702.   }

  703. 

  704.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  705.   if (!pkey) {

  706.     return false;

  707.   }

  708. 

  709.   if (!X509_verify(cert.get(), pkey.get())) {

  710.     fprintf(stderr, "Could not verify certificate.\n");

  711.     return false;

  712.   }

  713.   return true;

  714. }

  715. 

  716. static bool TestBadPSSParameters() {

  717.   bssl::UniquePtr<X509> cert(CertFromPEM(kBadPSSCertPEM));

  718.   if (!cert) {

  719.     return false;

  720.   }

  721. 

  722.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  723.   if (!pkey) {

  724.     return false;

  725.   }

  726. 

  727.   if (X509_verify(cert.get(), pkey.get())) {

  728.     fprintf(stderr, "Unexpectedly verified bad certificate.\n");

  729.     return false;

  730.   }

  731.   ERR_clear_error();

  732.   return true;

  733. }

  734. 

  735. static bool SignatureRoundTrips(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {

  736.   // Make a certificate like signed with |md_ctx|'s settings.'

  737.   bssl::UniquePtr<X509> cert(CertFromPEM(kLeafPEM));

  738.   if (!cert || !X509_sign_ctx(cert.get(), md_ctx)) {

  739.     return false;

  740.   }

  741. 

  742.   // Ensure that |pkey| may still be used to verify the resulting signature. All

  743.   // settings in |md_ctx| must have been serialized appropriately.

  744.   return !!X509_verify(cert.get(), pkey);

  745. }

  746. 

  747. static bool TestSignCtx() {

  748.   bssl::UniquePtr<EVP_PKEY> pkey(PrivateKeyFromPEM(kRSAKey));

  749.   if (!pkey) {

  750.     return false;

  751.   }

  752. 

  753.   // Test PKCS#1 v1.5.

  754.   bssl::ScopedEVP_MD_CTX md_ctx;

  755.   if (!EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||

  756.       !SignatureRoundTrips(md_ctx.get(), pkey.get())) {

  757.     fprintf(stderr, "RSA PKCS#1 with SHA-256 failed\n");

  758.     return false;

  759.   }

  760. 

  761.   // Test RSA-PSS with custom parameters.

  762.   md_ctx.Reset();

  763.   EVP_PKEY_CTX *pkey_ctx;

  764.   if (!EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,

  765.                           pkey.get()) ||

  766.       !EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) ||

  767.       !EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) ||

  768.       !SignatureRoundTrips(md_ctx.get(), pkey.get())) {

  769.     fprintf(stderr, "RSA-PSS failed\n");

  770.     return false;

  771.   }

  772. 

  773.   return true;

  774. }

  775. 

  776. static bool PEMToDER(bssl::UniquePtr<uint8_t> *out, size_t *out_len,

  777.                      const char *pem) {

  778.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  779.   if (!bio) {

  780.     return false;

  781.   }

  782. 

  783.   char *name, *header;

  784.   uint8_t *data;

  785.   long data_len;

  786.   if (!PEM_read_bio(bio.get(), &name, &header, &data, &data_len)) {

  787.     fprintf(stderr, "failed to read PEM data.\n");

  788.     return false;

  789.   }

  790.   OPENSSL_free(name);

  791.   OPENSSL_free(header);

  792. 

  793.   out->reset(data);

  794.   *out_len = data_len;

  795. 

  796.   return true;

  797. }

  798. 

  799. static bool TestFromBuffer() {

  800.   size_t data_len;

  801.   bssl::UniquePtr<uint8_t> data;

  802.   if (!PEMToDER(&data, &data_len, kRootCAPEM)) {

  803.     return false;

  804.   }

  805. 

  806.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  807.       CRYPTO_BUFFER_new(data.get(), data_len, nullptr));

  808.   if (!buf) {

  809.     return false;

  810.   }

  811. 

  812.   bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));

  813.   if (!root) {

  814.     return false;

  815.   }

  816. 

  817.   const uint8_t *enc_pointer = root->cert_info->enc.enc;

  818.   const uint8_t *buf_pointer = CRYPTO_BUFFER_data(buf.get());

  819.   if (enc_pointer < buf_pointer ||

  820.       enc_pointer >= buf_pointer + CRYPTO_BUFFER_len(buf.get())) {

  821.     fprintf(stderr, "TestFromBuffer: enc does not alias the buffer.\n");

  822.     return false;

  823.   }

  824. 

  825.   buf.reset();

  826. 

  827.   /* This ensures the X509 took a reference to |buf|, otherwise this will be a

  828.    * reference to free memory and ASAN should notice. */

  829.   if (enc_pointer[0] != CBS_ASN1_SEQUENCE) {

  830.     fprintf(stderr, "TestFromBuffer: enc data is not a SEQUENCE.\n");

  831.     return false;

  832.   }

  833. 

  834.   return true;

  835. }

  836. 

  837. static bool TestFromBufferTrailingData() {

  838.   size_t data_len;

  839.   bssl::UniquePtr<uint8_t> data;

  840.   if (!PEMToDER(&data, &data_len, kRootCAPEM)) {

  841.     return false;

  842.   }

  843. 

  844.   std::unique_ptr<uint8_t[]> trailing_data(new uint8_t[data_len + 1]);

  845.   OPENSSL_memcpy(trailing_data.get(), data.get(), data_len);

  846. 

  847.   bssl::UniquePtr<CRYPTO_BUFFER> buf_trailing_data(

  848.       CRYPTO_BUFFER_new(trailing_data.get(), data_len + 1, nullptr));

  849.   if (!buf_trailing_data) {

  850.     return false;

  851.   }

  852. 

  853.   bssl::UniquePtr<X509> root_trailing_data(

  854.       X509_parse_from_buffer(buf_trailing_data.get()));

  855.   if (root_trailing_data) {

  856.     fprintf(stderr, "TestFromBuffer: trailing data was not rejected.\n");

  857.     return false;

  858.   }

  859. 

  860.   return true;

  861. }

  862. 

  863. static bool TestFromBufferModified() {

  864.   size_t data_len;

  865.   bssl::UniquePtr<uint8_t> data;

  866.   if (!PEMToDER(&data, &data_len, kRootCAPEM)) {

  867.     return false;

  868.   }

  869. 

  870.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  871.       CRYPTO_BUFFER_new(data.get(), data_len, nullptr));

  872.   if (!buf) {

  873.     return false;

  874.   }

  875. 

  876.   bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));

  877.   if (!root) {

  878.     return false;

  879.   }

  880. 

  881.   bssl::UniquePtr<ASN1_INTEGER> fourty_two(ASN1_INTEGER_new());

  882.   ASN1_INTEGER_set(fourty_two.get(), 42);

  883.   X509_set_serialNumber(root.get(), fourty_two.get());

  884. 

  885.   if (i2d_X509(root.get(), nullptr) != static_cast<long>(data_len)) {

  886.     fprintf(stderr,

  887.             "TestFromBufferModified: i2d_X509 gives different answer before "

  888.             "marking as modified.\n");

  889.     return false;

  890.   }

  891. 

  892.   X509_CINF_set_modified(root->cert_info);

  893. 

  894.   if (i2d_X509(root.get(), nullptr) == static_cast<long>(data_len)) {

  895.     fprintf(stderr,

  896.             "TestFromBufferModified: i2d_X509 gives same answer after marking "

  897.             "as modified.\n");

  898.     return false;

  899.   }

  900. 

  901.   return true;

  902. }

  903. 

  904. static bool TestFromBufferReused() {

  905.   size_t data_len;

  906.   bssl::UniquePtr<uint8_t> data;

  907.   if (!PEMToDER(&data, &data_len, kRootCAPEM)) {

  908.     return false;

  909.   }

  910. 

  911.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  912.       CRYPTO_BUFFER_new(data.get(), data_len, nullptr));

  913.   if (!buf) {

  914.     return false;

  915.   }

  916. 

  917.   bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));

  918.   if (!root) {

  919.     return false;

  920.   }

  921. 

  922.   size_t data2_len;

  923.   bssl::UniquePtr<uint8_t> data2;

  924.   if (!PEMToDER(&data2, &data2_len, kLeafPEM)) {

  925.     return false;

  926.   }

  927. 

  928.   X509 *x509p = root.get();

  929.   const uint8_t *inp = data2.get();

  930.   X509 *ret = d2i_X509(&x509p, &inp, data2_len);

  931.   if (ret != root.get()) {

  932.     fprintf(stderr,

  933.             "TestFromBufferReused: d2i_X509 parsed into a different object.\n");

  934.     return false;

  935.   }

  936. 

  937.   if (root->buf != nullptr) {

  938.     fprintf(stderr,

  939.             "TestFromBufferReused: d2i_X509 didn't clear |buf| pointer.\n");

  940.     return false;

  941.   }

  942. 

  943.   // Free |data2| and ensure that |root| took its own copy. Otherwise the

  944.   // following will trigger a use-after-free.

  945.   data2.reset();

  946. 

  947.   uint8_t *i2d = nullptr;

  948.   int i2d_len = i2d_X509(root.get(), &i2d);

  949.   if (i2d_len < 0) {

  950.     return false;

  951.   }

  952.   bssl::UniquePtr<uint8_t> i2d_storage(i2d);

  953. 

  954.   if (!PEMToDER(&data2, &data2_len, kLeafPEM)) {

  955.     return false;

  956.   }

  957.   if (i2d_len != static_cast<long>(data2_len) ||

  958.       OPENSSL_memcmp(data2.get(), i2d, i2d_len) != 0) {

  959.     fprintf(stderr, "TestFromBufferReused: i2d gave wrong result.\n");

  960.     return false;

  961.   }

  962. 

  963.   if (root->buf != NULL) {

  964.     fprintf(stderr, "TestFromBufferReused: X509.buf was not cleared.\n");

  965.     return false;

  966.   }

  967. 

  968.   return true;

  969. }

  970. 

  971. static bool TestFailedParseFromBuffer() {

  972.   static const uint8_t kNonsense[] = {1, 2, 3, 4, 5};

  973. 

  974.   bssl::UniquePtr<CRYPTO_BUFFER> buf(

  975.       CRYPTO_BUFFER_new(kNonsense, sizeof(kNonsense), nullptr));

  976.   if (!buf) {

  977.     return false;

  978.   }

  979. 

  980.   bssl::UniquePtr<X509> cert(X509_parse_from_buffer(buf.get()));

  981.   if (cert) {

  982.     fprintf(stderr, "Nonsense somehow parsed.\n");

  983.     return false;

  984.   }

  985.   ERR_clear_error();

  986. 

  987.   // Test a buffer with trailing data.

  988.   size_t data_len;

  989.   bssl::UniquePtr<uint8_t> data;

  990.   if (!PEMToDER(&data, &data_len, kRootCAPEM)) {

  991.     return false;

  992.   }

  993. 

  994.   std::unique_ptr<uint8_t[]> data_with_trailing_byte(new uint8_t[data_len + 1]);

  995.   OPENSSL_memcpy(data_with_trailing_byte.get(), data.get(), data_len);

  996.   data_with_trailing_byte[data_len] = 0;

  997. 

  998.   bssl::UniquePtr<CRYPTO_BUFFER> buf_with_trailing_byte(

  999.       CRYPTO_BUFFER_new(data_with_trailing_byte.get(), data_len + 1, nullptr));

  1000.   if (!buf_with_trailing_byte) {

  1001.     return false;

  1002.   }

  1003. 

  1004.   bssl::UniquePtr<X509> root(

  1005.       X509_parse_from_buffer(buf_with_trailing_byte.get()));

  1006.   if (root) {

  1007.     fprintf(stderr, "Parsed buffer with trailing byte.\n");

  1008.     return false;

  1009.   }

  1010.   ERR_clear_error();

  1011. 

  1012.   return true;

  1013. }

  1014. 

  1015. static bool TestPrintUTCTIME() {

  1016.   static const struct {

  1017.     const char *val, *want;

  1018.   } asn1_utctime_tests[] = {

  1019.     {"", "Bad time value"},

  1020. 

  1021.     // Correct RFC 5280 form. Test years < 2000 and > 2000.

  1022.     {"090303125425Z", "Mar  3 12:54:25 2009 GMT"},

  1023.     {"900303125425Z", "Mar  3 12:54:25 1990 GMT"},

  1024.     {"000303125425Z", "Mar  3 12:54:25 2000 GMT"},

  1025. 

  1026.     // Correct form, bad values.

  1027.     {"000000000000Z", "Bad time value"},

  1028.     {"999999999999Z", "Bad time value"},

  1029. 

  1030.     // Missing components. Not legal RFC 5280, but permitted.

  1031.     {"090303125425", "Mar  3 12:54:25 2009"},

  1032.     {"9003031254", "Mar  3 12:54:00 1990"},

  1033.     {"9003031254Z", "Mar  3 12:54:00 1990 GMT"},

  1034. 

  1035.     // GENERALIZEDTIME confused for UTCTIME.

  1036.     {"20090303125425Z", "Bad time value"},

  1037. 

  1038.     // Legal ASN.1, but not legal RFC 5280.

  1039.     {"9003031254+0800", "Bad time value"},

  1040.     {"9003031254-0800", "Bad time value"},

  1041. 

  1042.     // Trailing garbage.

  1043.     {"9003031254Z ", "Bad time value"},

  1044.   };

  1045. 

  1046.   for (auto t : asn1_utctime_tests) {

  1047.     bssl::UniquePtr<ASN1_UTCTIME> tm(ASN1_UTCTIME_new());

  1048.     bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));

  1049. 

  1050.     // Use this instead of ASN1_UTCTIME_set() because some callers get

  1051.     // type-confused and pass ASN1_GENERALIZEDTIME to ASN1_UTCTIME_print().

  1052.     // ASN1_UTCTIME_set_string() is stricter, and would reject the inputs in

  1053.     // question.

  1054.     if (!ASN1_STRING_set(tm.get(), t.val, strlen(t.val))) {

  1055.       fprintf(stderr, "ASN1_STRING_set\n");

  1056.       return false;

  1057.     }

  1058.     const int ok = ASN1_UTCTIME_print(bio.get(), tm.get());

  1059. 

  1060.     const uint8_t *contents;

  1061.     size_t len;

  1062.     if (!BIO_mem_contents(bio.get(), &contents, &len)) {

  1063.       fprintf(stderr, "BIO_mem_contents\n");

  1064.       return false;

  1065.     }

  1066. 

  1067.     if (ok != (strcmp(t.want, "Bad time value") != 0)) {

  1068.       fprintf(stderr, "ASN1_UTCTIME_print(%s): bad return value\n", t.val);

  1069.       return false;

  1070.     }

  1071.     if (len != strlen(t.want) || memcmp(contents, t.want, len)) {

  1072.       fprintf(stderr, "ASN1_UTCTIME_print(%s): got %.*s, want %s\n", t.val,

  1073.               static_cast<int>(len),

  1074.               reinterpret_cast<const char *>(contents), t.want);

  1075.       return false;

  1076.     }

  1077.   }

  1078. 

  1079.   return true;

  1080. }

  1081. 

  1082. int main() {

  1083.   CRYPTO_library_init();

  1084. 

  1085.   if (!TestVerify() ||

  1086.       !TestCRL() ||

  1087.       !TestPSS() ||

  1088.       !TestBadPSSParameters() ||

  1089.       !TestSignCtx() ||

  1090.       !TestFromBuffer() ||

  1091.       !TestFromBufferTrailingData() ||

  1092.       !TestFromBufferModified() ||

  1093.       !TestFromBufferReused() ||

  1094.       !TestFailedParseFromBuffer() ||

  1095.       !TestPrintUTCTIME()) {

  1096.     return 1;

  1097.   }

  1098. 

  1099.   printf("PASS\n");

  1100.   return 0;

  1101. }