kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2555 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: f01fb5dc0e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f01fb5dc0e'
${ noResults }
boringssl/crypto/x509/x509_test.cc

473 lines
19 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <vector>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/crypto.h>

  21. #include <openssl/digest.h>

  22. #include <openssl/err.h>

  23. #include <openssl/evp.h>

  24. #include <openssl/pem.h>

  25. #include <openssl/x509.h>

  26. 

  27. #include "../test/scoped_types.h"

  28. 

  29. 

  30. static const char kCrossSigningRootPEM[] =

  31. "-----BEGIN CERTIFICATE-----\n"

  32. "MIICcTCCAdqgAwIBAgIIagJHiPvE0MowDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  33. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  34. "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowPDEaMBgGA1UE\n"

  35. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  36. "dCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwo3qFvSB9Zmlbpzn9wJp\n"

  37. "ikI75Rxkatez8VkLqyxbOhPYl2Haz8F5p1gDG96dCI6jcLGgu3AKT9uhEQyyUko5\n"

  38. "EKYasazSeA9CQrdyhPg0mkTYVETnPM1W/ebid1YtqQbq1CMWlq2aTDoSGAReGFKP\n"

  39. "RTdXAbuAXzpCfi/d8LqV13UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgIEMB0GA1Ud\n"

  40. "JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MBkGA1Ud\n"

  41. "DgQSBBBHKHC7V3Z/3oLvEZx0RZRwMBsGA1UdIwQUMBKAEEcocLtXdn/egu8RnHRF\n"

  42. "lHAwDQYJKoZIhvcNAQELBQADgYEAnglibsy6mGtpIXivtlcz4zIEnHw/lNW+r/eC\n"

  43. "CY7evZTmOoOuC/x9SS3MF9vawt1HFUummWM6ZgErqVBOXIB4//ykrcCgf5ZbF5Hr\n"

  44. "+3EFprKhBqYiXdD8hpBkrBoXwn85LPYWNd2TceCrx0YtLIprE2R5MB2RIq8y4Jk3\n"

  45. "YFXvkME=\n"

  46. "-----END CERTIFICATE-----\n";

  47. 

  48. static const char kRootCAPEM[] =

  49. "-----BEGIN CERTIFICATE-----\n"

  50. "MIICVTCCAb6gAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwLjEaMBgGA1UE\n"

  51. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwIBcNMTUwMTAx\n"

  52. "MDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMC4xGjAYBgNVBAoTEUJvcmluZ1NTTCBU\n"

  53. "RVNUSU5HMRAwDgYDVQQDEwdSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n"

  54. "iQKBgQDpDn8RDOZa5oaDcPZRBy4CeBH1siSSOO4mYgLHlPE+oXdqwI/VImi2XeJM\n"

  55. "2uCFETXCknJJjYG0iJdrt/yyRFvZTQZw+QzGj+mz36NqhGxDWb6dstB2m8PX+plZ\n"

  56. "w7jl81MDvUnWs8yiQ/6twgu5AbhWKZQDJKcNKCEpqa6UW0r5nwIDAQABo3oweDAO\n"

  57. "BgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8G\n"

  58. "A1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEEA31wH7QC+4HH5UBCeMWQEwGwYDVR0j\n"

  59. "BBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOBgQDXylEK77Za\n"

  60. "kKeY6ZerrScWyZhrjIGtHFu09qVpdJEzrk87k2G7iHHR9CAvSofCgEExKtWNS9dN\n"

  61. "+9WiZp/U48iHLk7qaYXdEuO07No4BYtXn+lkOykE+FUxmA4wvOF1cTd2tdj3MzX2\n"

  62. "kfGIBAYhzGZWhY3JbhIfTEfY1PNM1pWChQ==\n"

  63. "-----END CERTIFICATE-----\n";

  64. 

  65. static const char kRootCrossSignedPEM[] =

  66. "-----BEGIN CERTIFICATE-----\n"

  67. "MIICYzCCAcygAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  68. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  69. "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowLjEaMBgGA1UE\n"

  70. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZI\n"

  71. "hvcNAQEBBQADgY0AMIGJAoGBAOkOfxEM5lrmhoNw9lEHLgJ4EfWyJJI47iZiAseU\n"

  72. "8T6hd2rAj9UiaLZd4kza4IURNcKSckmNgbSIl2u3/LJEW9lNBnD5DMaP6bPfo2qE\n"

  73. "bENZvp2y0Habw9f6mVnDuOXzUwO9SdazzKJD/q3CC7kBuFYplAMkpw0oISmprpRb\n"

  74. "SvmfAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcD\n"

  75. "AQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQQDfXAftAL7gc\n"

  76. "flQEJ4xZATAbBgNVHSMEFDASgBBHKHC7V3Z/3oLvEZx0RZRwMA0GCSqGSIb3DQEB\n"

  77. "CwUAA4GBAErTxYJ0en9HVRHAAr5OO5wuk5Iq3VMc79TMyQLCXVL8YH8Uk7KEwv+q\n"

  78. "9MEKZv2eR/Vfm4HlXlUuIqfgUXbwrAYC/YVVX86Wnbpy/jc73NYVCq8FEZeO+0XU\n"

  79. "90SWAPDdp+iL7aZdimnMtG1qlM1edmz8AKbrhN/R3IbA2CL0nCWV\n"

  80. "-----END CERTIFICATE-----\n";

  81. 

  82. static const char kIntermediatePEM[] =

  83. "-----BEGIN CERTIFICATE-----\n"

  84. "MIICXjCCAcegAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMC4xGjAYBgNV\n"

  85. "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRAwDgYDVQQDEwdSb290IENBMCAXDTE1MDEw\n"

  86. "MTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjA2MRowGAYDVQQKExFCb3JpbmdTU0wg\n"

  87. "VEVTVElORzEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEB\n"

  88. "AQUAA4GNADCBiQKBgQC7YtI0l8ocTYJ0gKyXTtPL4iMJCNY4OcxXl48jkncVG1Hl\n"

  89. "blicgNUa1r9m9YFtVkxvBinb8dXiUpEGhVg4awRPDcatlsBSEBuJkiZGYbRcAmSu\n"

  90. "CmZYnf6u3aYQ18SU8WqVERPpE4cwVVs+6kwlzRw0+XDoZAczu8ZezVhCUc6NbQID\n"

  91. "AQABo3oweDAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\n"

  92. "AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEIwaaKi1dttdV3sfjRSy\n"

  93. "BqMwGwYDVR0jBBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOB\n"

  94. "gQCvnolNWEHuQS8PFVVyuLR+FKBeUUdrVbSfHSzTqNAqQGp0C9fk5oCzDq6ZgTfY\n"

  95. "ESXM4cJhb3IAnW0UM0NFsYSKQJ50JZL2L3z5ZLQhHdbs4RmODGoC40BVdnJ4/qgB\n"

  96. "aGSh09eQRvAVmbVCviDK2ipkWNegdyI19jFfNP5uIkGlYg==\n"

  97. "-----END CERTIFICATE-----\n";

  98. 

  99. static const char kIntermediateSelfSignedPEM[] =

  100. "-----BEGIN CERTIFICATE-----\n"

  101. "MIICZjCCAc+gAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  102. "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  103. "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDYxGjAYBgNVBAoTEUJv\n"

  104. "cmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ\n"

  105. "KoZIhvcNAQEBBQADgY0AMIGJAoGBALti0jSXyhxNgnSArJdO08viIwkI1jg5zFeX\n"

  106. "jyOSdxUbUeVuWJyA1RrWv2b1gW1WTG8GKdvx1eJSkQaFWDhrBE8Nxq2WwFIQG4mS\n"

  107. "JkZhtFwCZK4KZlid/q7dphDXxJTxapURE+kThzBVWz7qTCXNHDT5cOhkBzO7xl7N\n"

  108. "WEJRzo1tAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEF\n"

  109. "BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQjBpoqLV2\n"

  110. "211Xex+NFLIGozAbBgNVHSMEFDASgBCMGmiotXbbXVd7H40UsgajMA0GCSqGSIb3\n"

  111. "DQEBCwUAA4GBALcccSrAQ0/EqQBsx0ZDTUydHXXNP2DrUkpUKmAXIe8McqIVSlkT\n"

  112. "6H4xz7z8VRKBo9j+drjjtCw2i0CQc8aOLxRb5WJ8eVLnaW2XRlUqAzhF0CrulfVI\n"

  113. "E4Vs6ZLU+fra1WAuIj6qFiigRja+3YkZArG8tMA9vtlhTX/g7YBZIkqH\n"

  114. "-----END CERTIFICATE-----\n";

  115. 

  116. static const char kLeafPEM[] =

  117. "-----BEGIN CERTIFICATE-----\n"

  118. "MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE\n"

  119. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg\n"

  120. "Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y\n"

  121. "aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3\n"

  122. "DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c\n"

  123. "oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j\n"

  124. "5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh\n"

  125. "TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\n"

  126. "CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0\n"

  127. "4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB\n"

  128. "gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y\n"

  129. "rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU\n"

  130. "xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==\n"

  131. "-----END CERTIFICATE-----\n";

  132. 

  133. static const char kLeafNoKeyUsagePEM[] =

  134. "-----BEGIN CERTIFICATE-----\n"

  135. "MIICNTCCAZ6gAwIBAgIJAIFQGaLQ0G2mMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  136. "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  137. "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDcxGjAYBgNVBAoTEUJv\n"

  138. "cmluZ1NTTCBURVNUSU5HMRkwFwYDVQQDExBldmlsLmV4YW1wbGUuY29tMIGfMA0G\n"

  139. "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOKoZe75NPz77EOaMMl4/0s3PyQw++zJvp\n"

  140. "ejHAxZiTPCJgMbEHLrSzNoHdopg+CLUH5bE4wTXM8w9Inv5P8OAFJt7gJuPUunmk\n"

  141. "j+NoU3QfzOR6BroePcz1vXX9jyVHRs087M/sLqWRHu9IR+/A+UTcBaWaFiDVUxtJ\n"

  142. "YOwFMwjNPQIDAQABo0gwRjAMBgNVHRMBAf8EAjAAMBkGA1UdDgQSBBBJfLEUWHq1\n"

  143. "27rZ1AVx2J5GMBsGA1UdIwQUMBKAEIwaaKi1dttdV3sfjRSyBqMwDQYJKoZIhvcN\n"

  144. "AQELBQADgYEALVKN2Y3LZJOtu6SxFIYKxbLaXhTGTdIjxipZhmbBRDFjbZjZZOTe\n"

  145. "6Oo+VDNPYco4rBexK7umYXJyfTqoY0E8dbiImhTcGTEj7OAB3DbBomgU1AYe+t2D\n"

  146. "uwBqh4Y3Eto+Zn4pMVsxGEfUpjzjZDel7bN1/oU/9KWPpDfywfUmjgk=\n"

  147. "-----END CERTIFICATE-----\n";

  148. 

  149. static const char kForgeryPEM[] =

  150. "-----BEGIN CERTIFICATE-----\n"

  151. "MIICZzCCAdCgAwIBAgIIdTlMzQoKkeMwDQYJKoZIhvcNAQELBQAwNzEaMBgGA1UE\n"

  152. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGTAXBgNVBAMTEGV2aWwuZXhhbXBsZS5jb20w\n"

  153. "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDoxGjAYBgNVBAoTEUJv\n"

  154. "cmluZ1NTTCBURVNUSU5HMRwwGgYDVQQDExNmb3JnZXJ5LmV4YW1wbGUuY29tMIGf\n"

  155. "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADTwruBQZGb7Ay6s9HiYv5d1lwtEy\n"

  156. "xQdA2Sy8Rn8uA20Q4KgqwVY7wzIZ+z5Butrsmwb70gdG1XU+yRaDeE7XVoW6jSpm\n"

  157. "0sw35/5vJbTcL4THEFbnX0OPZnvpuZDFUkvVtq5kxpDWsVyM24G8EEq7kPih3Sa3\n"

  158. "OMhXVXF8kso6UQIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI\n"

  159. "KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEEYJ/WHM\n"

  160. "8p64erPWIg4/liwwGwYDVR0jBBQwEoAQSXyxFFh6tdu62dQFcdieRjANBgkqhkiG\n"

  161. "9w0BAQsFAAOBgQA+zH7bHPElWRWJvjxDqRexmYLn+D3Aivs8XgXQJsM94W0EzSUf\n"

  162. "DSLfRgaQwcb2gg2xpDFoG+W0vc6O651uF23WGt5JaFFJJxqjII05IexfCNhuPmp4\n"

  163. "4UZAXPttuJXpn74IY1tuouaM06B3vXKZR+/ityKmfJvSwxacmFcK+2ziAg==\n"

  164. "-----END CERTIFICATE-----\n";

  165. 

  166. // kExamplePSSCert is an example RSA-PSS self-signed certificate, signed with

  167. // the default hash functions.

  168. static const char kExamplePSSCert[] =

  169. "-----BEGIN CERTIFICATE-----\n"

  170. "MIICYjCCAcagAwIBAgIJAI3qUyT6SIfzMBIGCSqGSIb3DQEBCjAFogMCAWowRTEL\n"

  171. "MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy\n"

  172. "bmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xNDEwMDkxOTA5NTVaFw0xNTEwMDkxOTA5\n"

  173. "NTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK\n"

  174. "DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A\n"

  175. "MIGJAoGBAPi4bIO0vNmoV8CltFl2jFQdeesiUgR+0zfrQf2D+fCmhRU0dXFahKg8\n"

  176. "0u9aTtPel4rd/7vPCqqGkr64UOTNb4AzMHYTj8p73OxaymPHAyXvqIqDWHYg+hZ3\n"

  177. "13mSYwFIGth7Z/FSVUlO1m5KXNd6NzYM3t2PROjCpywrta9kS2EHAgMBAAGjUDBO\n"

  178. "MB0GA1UdDgQWBBTQQfuJQR6nrVrsNF1JEflVgXgfEzAfBgNVHSMEGDAWgBTQQfuJ\n"

  179. "QR6nrVrsNF1JEflVgXgfEzAMBgNVHRMEBTADAQH/MBIGCSqGSIb3DQEBCjAFogMC\n"

  180. "AWoDgYEASUy2RZcgNbNQZA0/7F+V1YTLEXwD16bm+iSVnzGwtexmQVEYIZG74K/w\n"

  181. "xbdZQdTbpNJkp1QPjPfh0zsatw6dmt5QoZ8K8No0DjR9dgf+Wvv5WJvJUIQBoAVN\n"

  182. "Z0IL+OQFz6+LcTHxD27JJCebrATXZA0wThGTQDm7crL+a+SujBY=\n"

  183. "-----END CERTIFICATE-----\n";

  184. 

  185. // kBadPSSCertPEM is a self-signed RSA-PSS certificate with bad parameters.

  186. static const char kBadPSSCertPEM[] =

  187. "-----BEGIN CERTIFICATE-----\n"

  188. "MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI\n"

  189. "AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD\n"

  190. "VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz\n"

  191. "NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj\n"

  192. "ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH\n"

  193. "qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL\n"

  194. "IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT\n"

  195. "IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k\n"

  196. "dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq\n"

  197. "QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa\n"

  198. "5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2\n"

  199. "4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB\n"

  200. "Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii\n"

  201. "BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb\n"

  202. "xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn\n"

  203. "plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY\n"

  204. "DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p\n"

  205. "NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ\n"

  206. "lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=\n"

  207. "-----END CERTIFICATE-----\n";

  208. 

  209. static const char kRSAKey[] =

  210. "-----BEGIN RSA PRIVATE KEY-----\n"

  211. "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"

  212. "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"

  213. "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"

  214. "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"

  215. "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"

  216. "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"

  217. "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"

  218. "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"

  219. "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"

  220. "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"

  221. "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"

  222. "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"

  223. "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"

  224. "-----END RSA PRIVATE KEY-----\n";

  225. 

  226. 

  227. // CertFromPEM parses the given, NUL-terminated pem block and returns an

  228. // |X509*|.

  229. static ScopedX509 CertFromPEM(const char *pem) {

  230.   ScopedBIO bio(BIO_new_mem_buf(pem, strlen(pem)));

  231.   return ScopedX509(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));

  232. }

  233. 

  234. // PrivateKeyFromPEM parses the given, NUL-terminated pem block and returns an

  235. // |EVP_PKEY*|.

  236. static ScopedEVP_PKEY PrivateKeyFromPEM(const char *pem) {

  237.   ScopedBIO bio(BIO_new_mem_buf(const_cast<char *>(pem), strlen(pem)));

  238.   return ScopedEVP_PKEY(

  239.       PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));

  240. }

  241. 

  242. // CertsToStack converts a vector of |X509*| to an OpenSSL STACK_OF(X509*),

  243. // bumping the reference counts for each certificate in question.

  244. static STACK_OF(X509)* CertsToStack(const std::vector<X509*> &certs) {

  245.   ScopedX509Stack stack(sk_X509_new_null());

  246.   if (!stack) {

  247.     return nullptr;

  248.   }

  249.   for (auto cert : certs) {

  250.     if (!sk_X509_push(stack.get(), cert)) {

  251.       return nullptr;

  252.     }

  253.     X509_up_ref(cert);

  254.   }

  255. 

  256.   return stack.release();

  257. }

  258. 

  259. static bool Verify(X509 *leaf, const std::vector<X509 *> &roots,

  260.                    const std::vector<X509 *> &intermediates,

  261.                    unsigned long flags = 0) {

  262.   ScopedX509Stack roots_stack(CertsToStack(roots));

  263.   ScopedX509Stack intermediates_stack(CertsToStack(intermediates));

  264.   if (!roots_stack ||

  265.       !intermediates_stack) {

  266.     return false;

  267.   }

  268. 

  269.   ScopedX509_STORE_CTX ctx(X509_STORE_CTX_new());

  270.   if (!ctx) {

  271.     return false;

  272.   }

  273.   if (!X509_STORE_CTX_init(ctx.get(), nullptr /* no X509_STORE */, leaf,

  274.                            intermediates_stack.get())) {

  275.     return false;

  276.   }

  277. 

  278.   X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get());

  279. 

  280.   X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();

  281.   if (param == nullptr) {

  282.     return false;

  283.   }

  284.   X509_VERIFY_PARAM_set_time(param, 1452807555 /* Jan 14th, 2016 */);

  285.   X509_VERIFY_PARAM_set_depth(param, 16);

  286.   if (flags) {

  287.     X509_VERIFY_PARAM_set_flags(param, flags);

  288.   }

  289.   X509_STORE_CTX_set0_param(ctx.get(), param);

  290. 

  291.   ERR_clear_error();

  292.   return X509_verify_cert(ctx.get()) == 1;

  293. }

  294. 

  295. static bool TestVerify() {

  296.   ScopedX509 cross_signing_root(CertFromPEM(kCrossSigningRootPEM));

  297.   ScopedX509 root(CertFromPEM(kRootCAPEM));

  298.   ScopedX509 root_cross_signed(CertFromPEM(kRootCrossSignedPEM));

  299.   ScopedX509 intermediate(CertFromPEM(kIntermediatePEM));

  300.   ScopedX509 intermediate_self_signed(CertFromPEM(kIntermediateSelfSignedPEM));

  301.   ScopedX509 leaf(CertFromPEM(kLeafPEM));

  302.   ScopedX509 leaf_no_key_usage(CertFromPEM(kLeafNoKeyUsagePEM));

  303.   ScopedX509 forgery(CertFromPEM(kForgeryPEM));

  304. 

  305.   if (!cross_signing_root ||

  306.       !root ||

  307.       !root_cross_signed ||

  308.       !intermediate ||

  309.       !intermediate_self_signed ||

  310.       !leaf ||

  311.       !leaf_no_key_usage ||

  312.       !forgery) {

  313.     fprintf(stderr, "Failed to parse certificates\n");

  314.     return false;

  315.   }

  316. 

  317.   std::vector<X509*> empty;

  318.   if (Verify(leaf.get(), empty, empty)) {

  319.     fprintf(stderr, "Leaf verified with no roots!\n");

  320.     return false;

  321.   }

  322. 

  323.   if (Verify(leaf.get(), empty, {intermediate.get()})) {

  324.     fprintf(stderr, "Leaf verified with no roots!\n");

  325.     return false;

  326.   }

  327. 

  328.   if (!Verify(leaf.get(), {root.get()}, {intermediate.get()})) {

  329.     ERR_print_errors_fp(stderr);

  330.     fprintf(stderr, "Basic chain didn't verify.\n");

  331.     return false;

  332.   }

  333. 

  334.   if (!Verify(leaf.get(), {cross_signing_root.get()},

  335.               {intermediate.get(), root_cross_signed.get()})) {

  336.     ERR_print_errors_fp(stderr);

  337.     fprintf(stderr, "Cross-signed chain didn't verify.\n");

  338.     return false;

  339.   }

  340. 

  341.   if (!Verify(leaf.get(), {cross_signing_root.get(), root.get()},

  342.               {intermediate.get(), root_cross_signed.get()})) {

  343.     ERR_print_errors_fp(stderr);

  344.     fprintf(stderr, "Cross-signed chain with root didn't verify.\n");

  345.     return false;

  346.   }

  347. 

  348.   /* This is the “altchains” test – we remove the cross-signing CA but include

  349.    * the cross-sign in the intermediates. */

  350.   if (!Verify(leaf.get(), {root.get()},

  351.               {intermediate.get(), root_cross_signed.get()})) {

  352.     ERR_print_errors_fp(stderr);

  353.     fprintf(stderr, "Chain with cross-sign didn't backtrack to find root.\n");

  354.     return false;

  355.   }

  356. 

  357.   if (Verify(leaf.get(), {root.get()},

  358.              {intermediate.get(), root_cross_signed.get()},

  359.              X509_V_FLAG_NO_ALT_CHAINS)) {

  360.     fprintf(stderr, "Altchains test still passed when disabled.\n");

  361.     return false;

  362.   }

  363. 

  364.   if (Verify(forgery.get(), {intermediate_self_signed.get()},

  365.              {leaf_no_key_usage.get()})) {

  366.     fprintf(stderr, "Basic constraints weren't checked.\n");

  367.     return false;

  368.   }

  369. 

  370.   /* Test that one cannot skip Basic Constraints checking with a contorted set

  371.    * of roots and intermediates. This is a regression test for CVE-2015-1793. */

  372.   if (Verify(forgery.get(),

  373.              {intermediate_self_signed.get(), root_cross_signed.get()},

  374.              {leaf_no_key_usage.get(), intermediate.get()})) {

  375.     fprintf(stderr, "Basic constraints weren't checked.\n");

  376.     return false;

  377.   }

  378. 

  379.   return true;

  380. }

  381. 

  382. static bool TestPSS() {

  383.   ScopedX509 cert(CertFromPEM(kExamplePSSCert));

  384.   if (!cert) {

  385.     return false;

  386.   }

  387. 

  388.   ScopedEVP_PKEY pkey(X509_get_pubkey(cert.get()));

  389.   if (!pkey) {

  390.     return false;

  391.   }

  392. 

  393.   if (!X509_verify(cert.get(), pkey.get())) {

  394.     fprintf(stderr, "Could not verify certificate.\n");

  395.     return false;

  396.   }

  397.   return true;

  398. }

  399. 

  400. static bool TestBadPSSParameters() {

  401.   ScopedX509 cert(CertFromPEM(kBadPSSCertPEM));

  402.   if (!cert) {

  403.     return false;

  404.   }

  405. 

  406.   ScopedEVP_PKEY pkey(X509_get_pubkey(cert.get()));

  407.   if (!pkey) {

  408.     return false;

  409.   }

  410. 

  411.   if (X509_verify(cert.get(), pkey.get())) {

  412.     fprintf(stderr, "Unexpectedly verified bad certificate.\n");

  413.     return false;

  414.   }

  415.   ERR_clear_error();

  416.   return true;

  417. }

  418. 

  419. static bool SignatureRoundTrips(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {

  420.   // Make a certificate like signed with |md_ctx|'s settings.'

  421.   ScopedX509 cert(CertFromPEM(kLeafPEM));

  422.   if (!cert || !X509_sign_ctx(cert.get(), md_ctx)) {

  423.     return false;

  424.   }

  425. 

  426.   // Ensure that |pkey| may still be used to verify the resulting signature. All

  427.   // settings in |md_ctx| must have been serialized appropriately.

  428.   return !!X509_verify(cert.get(), pkey);

  429. }

  430. 

  431. static bool TestSignCtx() {

  432.   ScopedEVP_PKEY pkey(PrivateKeyFromPEM(kRSAKey));

  433.   if (!pkey) {

  434.     return false;

  435.   }

  436. 

  437.   // Test PKCS#1 v1.5.

  438.   ScopedEVP_MD_CTX md_ctx;

  439.   if (!EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||

  440.       !SignatureRoundTrips(md_ctx.get(), pkey.get())) {

  441.     fprintf(stderr, "RSA PKCS#1 with SHA-256 failed\n");

  442.     return false;

  443.   }

  444. 

  445.   // Test RSA-PSS with custom parameters.

  446.   md_ctx.Reset();

  447.   EVP_PKEY_CTX *pkey_ctx;

  448.   if (!EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,

  449.                           pkey.get()) ||

  450.       !EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) ||

  451.       !EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) ||

  452.       !SignatureRoundTrips(md_ctx.get(), pkey.get())) {

  453.     fprintf(stderr, "RSA-PSS failed\n");

  454.     return false;

  455.   }

  456. 

  457.   return true;

  458. }

  459. 

  460. int main(int argc, char **argv) {

  461.   CRYPTO_library_init();

  462. 

  463.   if (!TestVerify() ||

  464.       !TestPSS() ||

  465.       !TestBadPSSParameters() ||

  466.       !TestSignCtx()) {

  467.     return 1;

  468.   }

  469. 

  470.   printf("PASS\n");

  471.   return 0;

  472. }