kris
/
boringssl
1
0
Fork 0
Código Incidencias 0 Pull Requests 0 Lanzamientos 0 Wiki Actividad
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.
3295 Commits
12 Ramas
38 MiB
 
 
 
 
 
 
Árbol: f99f2448bd
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde 'f99f2448bd'
${ noResults }
boringssl/crypto/x509/x509_test.cc

662 líneas
28 KiB
Original Blame Histórico 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <vector>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/crypto.h>

  21. #include <openssl/digest.h>

  22. #include <openssl/err.h>

  23. #include <openssl/pem.h>

  24. #include <openssl/x509.h>

  25. 

  26. namespace bssl {

  27. 

  28. static const char kCrossSigningRootPEM[] =

  29. "-----BEGIN CERTIFICATE-----\n"

  30. "MIICcTCCAdqgAwIBAgIIagJHiPvE0MowDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  31. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  32. "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowPDEaMBgGA1UE\n"

  33. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  34. "dCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwo3qFvSB9Zmlbpzn9wJp\n"

  35. "ikI75Rxkatez8VkLqyxbOhPYl2Haz8F5p1gDG96dCI6jcLGgu3AKT9uhEQyyUko5\n"

  36. "EKYasazSeA9CQrdyhPg0mkTYVETnPM1W/ebid1YtqQbq1CMWlq2aTDoSGAReGFKP\n"

  37. "RTdXAbuAXzpCfi/d8LqV13UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgIEMB0GA1Ud\n"

  38. "JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MBkGA1Ud\n"

  39. "DgQSBBBHKHC7V3Z/3oLvEZx0RZRwMBsGA1UdIwQUMBKAEEcocLtXdn/egu8RnHRF\n"

  40. "lHAwDQYJKoZIhvcNAQELBQADgYEAnglibsy6mGtpIXivtlcz4zIEnHw/lNW+r/eC\n"

  41. "CY7evZTmOoOuC/x9SS3MF9vawt1HFUummWM6ZgErqVBOXIB4//ykrcCgf5ZbF5Hr\n"

  42. "+3EFprKhBqYiXdD8hpBkrBoXwn85LPYWNd2TceCrx0YtLIprE2R5MB2RIq8y4Jk3\n"

  43. "YFXvkME=\n"

  44. "-----END CERTIFICATE-----\n";

  45. 

  46. static const char kRootCAPEM[] =

  47. "-----BEGIN CERTIFICATE-----\n"

  48. "MIICVTCCAb6gAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwLjEaMBgGA1UE\n"

  49. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwIBcNMTUwMTAx\n"

  50. "MDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMC4xGjAYBgNVBAoTEUJvcmluZ1NTTCBU\n"

  51. "RVNUSU5HMRAwDgYDVQQDEwdSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n"

  52. "iQKBgQDpDn8RDOZa5oaDcPZRBy4CeBH1siSSOO4mYgLHlPE+oXdqwI/VImi2XeJM\n"

  53. "2uCFETXCknJJjYG0iJdrt/yyRFvZTQZw+QzGj+mz36NqhGxDWb6dstB2m8PX+plZ\n"

  54. "w7jl81MDvUnWs8yiQ/6twgu5AbhWKZQDJKcNKCEpqa6UW0r5nwIDAQABo3oweDAO\n"

  55. "BgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8G\n"

  56. "A1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEEA31wH7QC+4HH5UBCeMWQEwGwYDVR0j\n"

  57. "BBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOBgQDXylEK77Za\n"

  58. "kKeY6ZerrScWyZhrjIGtHFu09qVpdJEzrk87k2G7iHHR9CAvSofCgEExKtWNS9dN\n"

  59. "+9WiZp/U48iHLk7qaYXdEuO07No4BYtXn+lkOykE+FUxmA4wvOF1cTd2tdj3MzX2\n"

  60. "kfGIBAYhzGZWhY3JbhIfTEfY1PNM1pWChQ==\n"

  61. "-----END CERTIFICATE-----\n";

  62. 

  63. static const char kRootCrossSignedPEM[] =

  64. "-----BEGIN CERTIFICATE-----\n"

  65. "MIICYzCCAcygAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"

  66. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"

  67. "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowLjEaMBgGA1UE\n"

  68. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZI\n"

  69. "hvcNAQEBBQADgY0AMIGJAoGBAOkOfxEM5lrmhoNw9lEHLgJ4EfWyJJI47iZiAseU\n"

  70. "8T6hd2rAj9UiaLZd4kza4IURNcKSckmNgbSIl2u3/LJEW9lNBnD5DMaP6bPfo2qE\n"

  71. "bENZvp2y0Habw9f6mVnDuOXzUwO9SdazzKJD/q3CC7kBuFYplAMkpw0oISmprpRb\n"

  72. "SvmfAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcD\n"

  73. "AQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQQDfXAftAL7gc\n"

  74. "flQEJ4xZATAbBgNVHSMEFDASgBBHKHC7V3Z/3oLvEZx0RZRwMA0GCSqGSIb3DQEB\n"

  75. "CwUAA4GBAErTxYJ0en9HVRHAAr5OO5wuk5Iq3VMc79TMyQLCXVL8YH8Uk7KEwv+q\n"

  76. "9MEKZv2eR/Vfm4HlXlUuIqfgUXbwrAYC/YVVX86Wnbpy/jc73NYVCq8FEZeO+0XU\n"

  77. "90SWAPDdp+iL7aZdimnMtG1qlM1edmz8AKbrhN/R3IbA2CL0nCWV\n"

  78. "-----END CERTIFICATE-----\n";

  79. 

  80. static const char kIntermediatePEM[] =

  81. "-----BEGIN CERTIFICATE-----\n"

  82. "MIICXjCCAcegAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMC4xGjAYBgNV\n"

  83. "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRAwDgYDVQQDEwdSb290IENBMCAXDTE1MDEw\n"

  84. "MTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjA2MRowGAYDVQQKExFCb3JpbmdTU0wg\n"

  85. "VEVTVElORzEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEB\n"

  86. "AQUAA4GNADCBiQKBgQC7YtI0l8ocTYJ0gKyXTtPL4iMJCNY4OcxXl48jkncVG1Hl\n"

  87. "blicgNUa1r9m9YFtVkxvBinb8dXiUpEGhVg4awRPDcatlsBSEBuJkiZGYbRcAmSu\n"

  88. "CmZYnf6u3aYQ18SU8WqVERPpE4cwVVs+6kwlzRw0+XDoZAczu8ZezVhCUc6NbQID\n"

  89. "AQABo3oweDAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\n"

  90. "AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEIwaaKi1dttdV3sfjRSy\n"

  91. "BqMwGwYDVR0jBBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOB\n"

  92. "gQCvnolNWEHuQS8PFVVyuLR+FKBeUUdrVbSfHSzTqNAqQGp0C9fk5oCzDq6ZgTfY\n"

  93. "ESXM4cJhb3IAnW0UM0NFsYSKQJ50JZL2L3z5ZLQhHdbs4RmODGoC40BVdnJ4/qgB\n"

  94. "aGSh09eQRvAVmbVCviDK2ipkWNegdyI19jFfNP5uIkGlYg==\n"

  95. "-----END CERTIFICATE-----\n";

  96. 

  97. static const char kIntermediateSelfSignedPEM[] =

  98. "-----BEGIN CERTIFICATE-----\n"

  99. "MIICZjCCAc+gAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  100. "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  101. "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDYxGjAYBgNVBAoTEUJv\n"

  102. "cmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ\n"

  103. "KoZIhvcNAQEBBQADgY0AMIGJAoGBALti0jSXyhxNgnSArJdO08viIwkI1jg5zFeX\n"

  104. "jyOSdxUbUeVuWJyA1RrWv2b1gW1WTG8GKdvx1eJSkQaFWDhrBE8Nxq2WwFIQG4mS\n"

  105. "JkZhtFwCZK4KZlid/q7dphDXxJTxapURE+kThzBVWz7qTCXNHDT5cOhkBzO7xl7N\n"

  106. "WEJRzo1tAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEF\n"

  107. "BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQjBpoqLV2\n"

  108. "211Xex+NFLIGozAbBgNVHSMEFDASgBCMGmiotXbbXVd7H40UsgajMA0GCSqGSIb3\n"

  109. "DQEBCwUAA4GBALcccSrAQ0/EqQBsx0ZDTUydHXXNP2DrUkpUKmAXIe8McqIVSlkT\n"

  110. "6H4xz7z8VRKBo9j+drjjtCw2i0CQc8aOLxRb5WJ8eVLnaW2XRlUqAzhF0CrulfVI\n"

  111. "E4Vs6ZLU+fra1WAuIj6qFiigRja+3YkZArG8tMA9vtlhTX/g7YBZIkqH\n"

  112. "-----END CERTIFICATE-----\n";

  113. 

  114. static const char kLeafPEM[] =

  115. "-----BEGIN CERTIFICATE-----\n"

  116. "MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE\n"

  117. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg\n"

  118. "Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y\n"

  119. "aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3\n"

  120. "DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c\n"

  121. "oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j\n"

  122. "5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh\n"

  123. "TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\n"

  124. "CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0\n"

  125. "4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB\n"

  126. "gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y\n"

  127. "rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU\n"

  128. "xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==\n"

  129. "-----END CERTIFICATE-----\n";

  130. 

  131. static const char kLeafNoKeyUsagePEM[] =

  132. "-----BEGIN CERTIFICATE-----\n"

  133. "MIICNTCCAZ6gAwIBAgIJAIFQGaLQ0G2mMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"

  134. "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"

  135. "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDcxGjAYBgNVBAoTEUJv\n"

  136. "cmluZ1NTTCBURVNUSU5HMRkwFwYDVQQDExBldmlsLmV4YW1wbGUuY29tMIGfMA0G\n"

  137. "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOKoZe75NPz77EOaMMl4/0s3PyQw++zJvp\n"

  138. "ejHAxZiTPCJgMbEHLrSzNoHdopg+CLUH5bE4wTXM8w9Inv5P8OAFJt7gJuPUunmk\n"

  139. "j+NoU3QfzOR6BroePcz1vXX9jyVHRs087M/sLqWRHu9IR+/A+UTcBaWaFiDVUxtJ\n"

  140. "YOwFMwjNPQIDAQABo0gwRjAMBgNVHRMBAf8EAjAAMBkGA1UdDgQSBBBJfLEUWHq1\n"

  141. "27rZ1AVx2J5GMBsGA1UdIwQUMBKAEIwaaKi1dttdV3sfjRSyBqMwDQYJKoZIhvcN\n"

  142. "AQELBQADgYEALVKN2Y3LZJOtu6SxFIYKxbLaXhTGTdIjxipZhmbBRDFjbZjZZOTe\n"

  143. "6Oo+VDNPYco4rBexK7umYXJyfTqoY0E8dbiImhTcGTEj7OAB3DbBomgU1AYe+t2D\n"

  144. "uwBqh4Y3Eto+Zn4pMVsxGEfUpjzjZDel7bN1/oU/9KWPpDfywfUmjgk=\n"

  145. "-----END CERTIFICATE-----\n";

  146. 

  147. static const char kForgeryPEM[] =

  148. "-----BEGIN CERTIFICATE-----\n"

  149. "MIICZzCCAdCgAwIBAgIIdTlMzQoKkeMwDQYJKoZIhvcNAQELBQAwNzEaMBgGA1UE\n"

  150. "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGTAXBgNVBAMTEGV2aWwuZXhhbXBsZS5jb20w\n"

  151. "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDoxGjAYBgNVBAoTEUJv\n"

  152. "cmluZ1NTTCBURVNUSU5HMRwwGgYDVQQDExNmb3JnZXJ5LmV4YW1wbGUuY29tMIGf\n"

  153. "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADTwruBQZGb7Ay6s9HiYv5d1lwtEy\n"

  154. "xQdA2Sy8Rn8uA20Q4KgqwVY7wzIZ+z5Butrsmwb70gdG1XU+yRaDeE7XVoW6jSpm\n"

  155. "0sw35/5vJbTcL4THEFbnX0OPZnvpuZDFUkvVtq5kxpDWsVyM24G8EEq7kPih3Sa3\n"

  156. "OMhXVXF8kso6UQIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI\n"

  157. "KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEEYJ/WHM\n"

  158. "8p64erPWIg4/liwwGwYDVR0jBBQwEoAQSXyxFFh6tdu62dQFcdieRjANBgkqhkiG\n"

  159. "9w0BAQsFAAOBgQA+zH7bHPElWRWJvjxDqRexmYLn+D3Aivs8XgXQJsM94W0EzSUf\n"

  160. "DSLfRgaQwcb2gg2xpDFoG+W0vc6O651uF23WGt5JaFFJJxqjII05IexfCNhuPmp4\n"

  161. "4UZAXPttuJXpn74IY1tuouaM06B3vXKZR+/ityKmfJvSwxacmFcK+2ziAg==\n"

  162. "-----END CERTIFICATE-----\n";

  163. 

  164. // kExamplePSSCert is an example RSA-PSS self-signed certificate, signed with

  165. // the default hash functions.

  166. static const char kExamplePSSCert[] =

  167. "-----BEGIN CERTIFICATE-----\n"

  168. "MIICYjCCAcagAwIBAgIJAI3qUyT6SIfzMBIGCSqGSIb3DQEBCjAFogMCAWowRTEL\n"

  169. "MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy\n"

  170. "bmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xNDEwMDkxOTA5NTVaFw0xNTEwMDkxOTA5\n"

  171. "NTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK\n"

  172. "DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A\n"

  173. "MIGJAoGBAPi4bIO0vNmoV8CltFl2jFQdeesiUgR+0zfrQf2D+fCmhRU0dXFahKg8\n"

  174. "0u9aTtPel4rd/7vPCqqGkr64UOTNb4AzMHYTj8p73OxaymPHAyXvqIqDWHYg+hZ3\n"

  175. "13mSYwFIGth7Z/FSVUlO1m5KXNd6NzYM3t2PROjCpywrta9kS2EHAgMBAAGjUDBO\n"

  176. "MB0GA1UdDgQWBBTQQfuJQR6nrVrsNF1JEflVgXgfEzAfBgNVHSMEGDAWgBTQQfuJ\n"

  177. "QR6nrVrsNF1JEflVgXgfEzAMBgNVHRMEBTADAQH/MBIGCSqGSIb3DQEBCjAFogMC\n"

  178. "AWoDgYEASUy2RZcgNbNQZA0/7F+V1YTLEXwD16bm+iSVnzGwtexmQVEYIZG74K/w\n"

  179. "xbdZQdTbpNJkp1QPjPfh0zsatw6dmt5QoZ8K8No0DjR9dgf+Wvv5WJvJUIQBoAVN\n"

  180. "Z0IL+OQFz6+LcTHxD27JJCebrATXZA0wThGTQDm7crL+a+SujBY=\n"

  181. "-----END CERTIFICATE-----\n";

  182. 

  183. // kBadPSSCertPEM is a self-signed RSA-PSS certificate with bad parameters.

  184. static const char kBadPSSCertPEM[] =

  185. "-----BEGIN CERTIFICATE-----\n"

  186. "MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI\n"

  187. "AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD\n"

  188. "VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz\n"

  189. "NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj\n"

  190. "ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH\n"

  191. "qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL\n"

  192. "IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT\n"

  193. "IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k\n"

  194. "dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq\n"

  195. "QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa\n"

  196. "5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2\n"

  197. "4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB\n"

  198. "Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii\n"

  199. "BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb\n"

  200. "xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn\n"

  201. "plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY\n"

  202. "DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p\n"

  203. "NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ\n"

  204. "lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=\n"

  205. "-----END CERTIFICATE-----\n";

  206. 

  207. static const char kRSAKey[] =

  208. "-----BEGIN RSA PRIVATE KEY-----\n"

  209. "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"

  210. "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"

  211. "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"

  212. "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"

  213. "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"

  214. "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"

  215. "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"

  216. "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"

  217. "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"

  218. "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"

  219. "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"

  220. "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"

  221. "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"

  222. "-----END RSA PRIVATE KEY-----\n";

  223. 

  224. 

  225. static const char kCRLTestRoot[] =

  226. "-----BEGIN CERTIFICATE-----\n"

  227. "MIIDbzCCAlegAwIBAgIJAODri7v0dDUFMA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV\n"

  228. "BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\n"

  229. "aWV3MRIwEAYDVQQKDAlCb3JpbmdTU0wwHhcNMTYwOTI2MTUwNjI2WhcNMjYwOTI0\n"

  230. "MTUwNjI2WjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n"

  231. "A1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9yaW5nU1NMMIIBIjANBgkq\n"

  232. "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3B\n"

  233. "S/dUBpbrzd1aeFzNlI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+\n"

  234. "5R/Du0iCb1tCZIPY07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWp\n"

  235. "uRqO6rctN9qUoMlTIAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n\n"

  236. "8H922qmvPNA9idmX9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbL\n"

  237. "P2o9orxGx7aCtnnBZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABo1Aw\n"

  238. "TjAdBgNVHQ4EFgQUWPt3N5cZ/CRvubbrkqfBnAqhq94wHwYDVR0jBBgwFoAUWPt3\n"

  239. "N5cZ/CRvubbrkqfBnAqhq94wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"

  240. "AQEAORu6M0MOwXy+3VEBwNilfTxyqDfruQsc1jA4PT8Oe8zora1WxE1JB4q2FJOz\n"

  241. "EAuM3H/NXvEnBuN+ITvKZAJUfm4NKX97qmjMJwLKWe1gVv+VQTr63aR7mgWJReQN\n"

  242. "XdMztlVeZs2dppV6uEg3ia1X0G7LARxGpA9ETbMyCpb39XxlYuTClcbA5ftDN99B\n"

  243. "3Xg9KNdd++Ew22O3HWRDvdDpTO/JkzQfzi3sYwUtzMEonENhczJhGf7bQMmvL/w5\n"

  244. "24Wxj4Z7KzzWIHsNqE/RIs6RV3fcW61j/mRgW2XyoWnMVeBzvcJr9NXp4VQYmFPw\n"

  245. "amd8GKMZQvP0ufGnUn7D7uartA==\n"

  246. "-----END CERTIFICATE-----\n";

  247. 

  248. static const char kCRLTestLeaf[] =

  249. "-----BEGIN CERTIFICATE-----\n"

  250. "MIIDkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCVVMx\n"

  251. "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEjAQ\n"

  252. "BgNVBAoMCUJvcmluZ1NTTDAeFw0xNjA5MjYxNTA4MzFaFw0xNzA5MjYxNTA4MzFa\n"

  253. "MEsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlC\n"

  254. "b3JpbmdTU0wxEzARBgNVBAMMCmJvcmluZy5zc2wwggEiMA0GCSqGSIb3DQEBAQUA\n"

  255. "A4IBDwAwggEKAoIBAQDc5v1S1M0W+QWM+raWfO0LH8uvqEwuJQgODqMaGnSlWUx9\n"

  256. "8iQcnWfjyPja3lWg9K62hSOFDuSyEkysKHDxijz5R93CfLcfnVXjWQDJe7EJTTDP\n"

  257. "ozEvxN6RjAeYv7CF000euYr3QT5iyBjg76+bon1p0jHZBJeNPP1KqGYgyxp+hzpx\n"

  258. "e0gZmTlGAXd8JQK4v8kpdYwD6PPifFL/jpmQpqOtQmH/6zcLjY4ojmqpEdBqIKIX\n"

  259. "+saA29hMq0+NK3K+wgg31RU+cVWxu3tLOIiesETkeDgArjWRS1Vkzbi4v9SJxtNu\n"

  260. "OZuAxWiynRJw3JwH/OFHYZIvQqz68ZBoj96cepjPAgMBAAGjezB5MAkGA1UdEwQC\n"

  261. "MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl\n"

  262. "MB0GA1UdDgQWBBTGn0OVVh/aoYt0bvEKG+PIERqnDzAfBgNVHSMEGDAWgBRY+3c3\n"

  263. "lxn8JG+5tuuSp8GcCqGr3jANBgkqhkiG9w0BAQsFAAOCAQEAd2nM8gCQN2Dc8QJw\n"

  264. "XSZXyuI3DBGGCHcay/3iXu0JvTC3EiQo8J6Djv7WLI0N5KH8mkm40u89fJAB2lLZ\n"

  265. "ShuHVtcC182bOKnePgwp9CNwQ21p0rDEu/P3X46ZvFgdxx82E9xLa0tBB8PiPDWh\n"

  266. "lV16jbaKTgX5AZqjnsyjR5o9/mbZVupZJXx5Syq+XA8qiJfstSYJs4KyKK9UOjql\n"

  267. "ICkJVKpi2ahDBqX4MOH4SLfzVk8pqSpviS6yaA1RXqjpkxiN45WWaXDldVHMSkhC\n"

  268. "5CNXsXi4b1nAntu89crwSLA3rEwzCWeYj+BX7e1T9rr3oJdwOU/2KQtW1js1yQUG\n"

  269. "tjJMFw==\n"

  270. "-----END CERTIFICATE-----\n";

  271. 

  272. static const char kBasicCRL[] =

  273. "-----BEGIN X509 CRL-----\n"

  274. "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  275. "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  276. "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV\n"

  277. "HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN\n"

  278. "ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo\n"

  279. "eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os\n"

  280. "dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv\n"

  281. "diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho\n"

  282. "/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==\n"

  283. "-----END X509 CRL-----\n";

  284. 

  285. static const char kRevokedCRL[] =

  286. "-----BEGIN X509 CRL-----\n"

  287. "MIIBvjCBpwIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  288. "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"

  289. "Qm9yaW5nU1NMFw0xNjA5MjYxNTEyNDRaFw0xNjEwMjYxNTEyNDRaMBUwEwICEAAX\n"

  290. "DTE2MDkyNjE1MTIyNlqgDjAMMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IB\n"

  291. "AQCUGaM4DcWzlQKrcZvI8TMeR8BpsvQeo5BoI/XZu2a8h//PyRyMwYeaOM+3zl0d\n"

  292. "sjgCT8b3C1FPgT+P2Lkowv7rJ+FHJRNQkogr+RuqCSPTq65ha4WKlRGWkMFybzVH\n"

  293. "NloxC+aU3lgp/NlX9yUtfqYmJek1CDrOOGPrAEAwj1l/BUeYKNGqfBWYJQtPJu+5\n"

  294. "OaSvIYGpETCZJscUWODmLEb/O3DM438vLvxonwGqXqS0KX37+CHpUlyhnSovxXxp\n"

  295. "Pz4aF+L7OtczxL0GYtD2fR9B7TDMqsNmHXgQrixvvOY7MUdLGbd4RfJL3yA53hyO\n"

  296. "xzfKY2TzxLiOmctG0hXFkH5J\n"

  297. "-----END X509 CRL-----\n";

  298. 

  299. static const char kBadIssuerCRL[] =

  300. "-----BEGIN X509 CRL-----\n"

  301. "MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n"

  302. "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwN\n"

  303. "Tm90IEJvcmluZ1NTTBcNMTYwOTI2MTUxMjQ0WhcNMTYxMDI2MTUxMjQ0WjAVMBMC\n"

  304. "AhAAFw0xNjA5MjYxNTEyMjZaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsF\n"

  305. "AAOCAQEAlBmjOA3Fs5UCq3GbyPEzHkfAabL0HqOQaCP12btmvIf/z8kcjMGHmjjP\n"

  306. "t85dHbI4Ak/G9wtRT4E/j9i5KML+6yfhRyUTUJKIK/kbqgkj06uuYWuFipURlpDB\n"

  307. "cm81RzZaMQvmlN5YKfzZV/clLX6mJiXpNQg6zjhj6wBAMI9ZfwVHmCjRqnwVmCUL\n"

  308. "TybvuTmkryGBqREwmSbHFFjg5ixG/ztwzON/Ly78aJ8Bql6ktCl9+/gh6VJcoZ0q\n"

  309. "L8V8aT8+Ghfi+zrXM8S9BmLQ9n0fQe0wzKrDZh14EK4sb7zmOzFHSxm3eEXyS98g\n"

  310. "Od4cjsc3ymNk88S4jpnLRtIVxZB+SQ==\n"

  311. "-----END X509 CRL-----\n";

  312. 

  313. // CertFromPEM parses the given, NUL-terminated pem block and returns an

  314. // |X509*|.

  315. static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {

  316.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  317.   return bssl::UniquePtr<X509>(

  318.       PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));

  319. }

  320. 

  321. // CRLFromPEM parses the given, NUL-terminated pem block and returns an

  322. // |X509_CRL*|.

  323. static bssl::UniquePtr<X509_CRL> CRLFromPEM(const char *pem) {

  324.   bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));

  325.   return bssl::UniquePtr<X509_CRL>(

  326.       PEM_read_bio_X509_CRL(bio.get(), nullptr, nullptr, nullptr));

  327. }

  328. 

  329. // PrivateKeyFromPEM parses the given, NUL-terminated pem block and returns an

  330. // |EVP_PKEY*|.

  331. static bssl::UniquePtr<EVP_PKEY> PrivateKeyFromPEM(const char *pem) {

  332.   bssl::UniquePtr<BIO> bio(

  333.       BIO_new_mem_buf(const_cast<char *>(pem), strlen(pem)));

  334.   return bssl::UniquePtr<EVP_PKEY>(

  335.       PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));

  336. }

  337. 

  338. // CertsToStack converts a vector of |X509*| to an OpenSSL STACK_OF(X509*),

  339. // bumping the reference counts for each certificate in question.

  340. static STACK_OF(X509)* CertsToStack(const std::vector<X509*> &certs) {

  341.   bssl::UniquePtr<STACK_OF(X509)> stack(sk_X509_new_null());

  342.   if (!stack) {

  343.     return nullptr;

  344.   }

  345.   for (auto cert : certs) {

  346.     if (!sk_X509_push(stack.get(), cert)) {

  347.       return nullptr;

  348.     }

  349.     X509_up_ref(cert);

  350.   }

  351. 

  352.   return stack.release();

  353. }

  354. 

  355. // CRLsToStack converts a vector of |X509_CRL*| to an OpenSSL STACK_OF(X509_CRL*),

  356. // bumping the reference counts for each CRL in question.

  357. static STACK_OF(X509_CRL)* CRLsToStack(const std::vector<X509_CRL*> &crls) {

  358.   bssl::UniquePtr<STACK_OF(X509_CRL)> stack(sk_X509_CRL_new_null());

  359.   if (!stack) {

  360.     return nullptr;

  361.   }

  362.   for (auto crl : crls) {

  363.     if (!sk_X509_CRL_push(stack.get(), crl)) {

  364.       return nullptr;

  365.     }

  366.     X509_CRL_up_ref(crl);

  367.   }

  368. 

  369.   return stack.release();

  370. }

  371. 

  372. static int Verify(X509 *leaf, const std::vector<X509 *> &roots,

  373.                    const std::vector<X509 *> &intermediates,

  374.                    const std::vector<X509_CRL *> &crls,

  375.                    unsigned long flags = 0) {

  376.   bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));

  377.   bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(

  378.       CertsToStack(intermediates));

  379.   bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls));

  380. 

  381.   if (!roots_stack ||

  382.       !intermediates_stack ||

  383.       !crls_stack) {

  384.     return X509_V_ERR_UNSPECIFIED;

  385.   }

  386. 

  387.   bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());

  388.   bssl::UniquePtr<X509_STORE> store(X509_STORE_new());

  389.   if (!ctx ||

  390.       !store) {

  391.     return X509_V_ERR_UNSPECIFIED;

  392.   }

  393. 

  394.   if (!X509_STORE_CTX_init(ctx.get(), store.get(), leaf,

  395.                            intermediates_stack.get())) {

  396.     return X509_V_ERR_UNSPECIFIED;

  397.   }

  398. 

  399.   X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get());

  400.   X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get());

  401. 

  402.   X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();

  403.   if (param == nullptr) {

  404.     return X509_V_ERR_UNSPECIFIED;

  405.   }

  406.   X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */);

  407.   X509_VERIFY_PARAM_set_depth(param, 16);

  408.   if (flags) {

  409.     X509_VERIFY_PARAM_set_flags(param, flags);

  410.   }

  411.   X509_STORE_CTX_set0_param(ctx.get(), param);

  412. 

  413.   ERR_clear_error();

  414.   if (X509_verify_cert(ctx.get()) != 1) {

  415.     return X509_STORE_CTX_get_error(ctx.get());

  416.   }

  417. 

  418.   return X509_V_OK;

  419. }

  420. 

  421. static bool TestVerify() {

  422.   bssl::UniquePtr<X509> cross_signing_root(CertFromPEM(kCrossSigningRootPEM));

  423.   bssl::UniquePtr<X509> root(CertFromPEM(kRootCAPEM));

  424.   bssl::UniquePtr<X509> root_cross_signed(CertFromPEM(kRootCrossSignedPEM));

  425.   bssl::UniquePtr<X509> intermediate(CertFromPEM(kIntermediatePEM));

  426.   bssl::UniquePtr<X509> intermediate_self_signed(

  427.       CertFromPEM(kIntermediateSelfSignedPEM));

  428.   bssl::UniquePtr<X509> leaf(CertFromPEM(kLeafPEM));

  429.   bssl::UniquePtr<X509> leaf_no_key_usage(CertFromPEM(kLeafNoKeyUsagePEM));

  430.   bssl::UniquePtr<X509> forgery(CertFromPEM(kForgeryPEM));

  431. 

  432.   if (!cross_signing_root ||

  433.       !root ||

  434.       !root_cross_signed ||

  435.       !intermediate ||

  436.       !intermediate_self_signed ||

  437.       !leaf ||

  438.       !leaf_no_key_usage ||

  439.       !forgery) {

  440.     fprintf(stderr, "Failed to parse certificates\n");

  441.     return false;

  442.   }

  443. 

  444.   std::vector<X509*> empty;

  445.   std::vector<X509_CRL*> empty_crls;

  446.   if (Verify(leaf.get(), empty, empty, empty_crls) !=

  447.       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {

  448.     fprintf(stderr, "Leaf verified with no roots!\n");

  449.     return false;

  450.   }

  451. 

  452.   if (Verify(leaf.get(), empty, {intermediate.get()}, empty_crls) !=

  453.       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {

  454.     fprintf(stderr, "Leaf verified with no roots!\n");

  455.     return false;

  456.   }

  457. 

  458.   if (Verify(leaf.get(), {root.get()}, {intermediate.get()}, empty_crls) !=

  459.       X509_V_OK) {

  460.     ERR_print_errors_fp(stderr);

  461.     fprintf(stderr, "Basic chain didn't verify.\n");

  462.     return false;

  463.   }

  464. 

  465.   if (Verify(leaf.get(), {cross_signing_root.get()},

  466.              {intermediate.get(), root_cross_signed.get()},

  467.              empty_crls) != X509_V_OK) {

  468.     ERR_print_errors_fp(stderr);

  469.     fprintf(stderr, "Cross-signed chain didn't verify.\n");

  470.     return false;

  471.   }

  472. 

  473.   if (Verify(leaf.get(), {cross_signing_root.get(), root.get()},

  474.              {intermediate.get(), root_cross_signed.get()},

  475.              empty_crls) != X509_V_OK) {

  476.     ERR_print_errors_fp(stderr);

  477.     fprintf(stderr, "Cross-signed chain with root didn't verify.\n");

  478.     return false;

  479.   }

  480. 

  481.   /* This is the “altchains” test – we remove the cross-signing CA but include

  482.    * the cross-sign in the intermediates. */

  483.   if (Verify(leaf.get(), {root.get()},

  484.              {intermediate.get(), root_cross_signed.get()},

  485.              empty_crls) != X509_V_OK) {

  486.     ERR_print_errors_fp(stderr);

  487.     fprintf(stderr, "Chain with cross-sign didn't backtrack to find root.\n");

  488.     return false;

  489.   }

  490. 

  491.   if (Verify(leaf.get(), {root.get()},

  492.              {intermediate.get(), root_cross_signed.get()}, empty_crls,

  493.              X509_V_FLAG_NO_ALT_CHAINS) !=

  494.       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {

  495.     fprintf(stderr, "Altchains test still passed when disabled.\n");

  496.     return false;

  497.   }

  498. 

  499.   if (Verify(forgery.get(), {intermediate_self_signed.get()},

  500.              {leaf_no_key_usage.get()},

  501.              empty_crls) != X509_V_ERR_INVALID_CA) {

  502.     fprintf(stderr, "Basic constraints weren't checked.\n");

  503.     return false;

  504.   }

  505. 

  506.   /* Test that one cannot skip Basic Constraints checking with a contorted set

  507.    * of roots and intermediates. This is a regression test for CVE-2015-1793. */

  508.   if (Verify(forgery.get(),

  509.              {intermediate_self_signed.get(), root_cross_signed.get()},

  510.              {leaf_no_key_usage.get(), intermediate.get()},

  511.              empty_crls) != X509_V_ERR_INVALID_CA) {

  512.     fprintf(stderr, "Basic constraints weren't checked.\n");

  513.     return false;

  514.   }

  515. 

  516.   return true;

  517. }

  518. 

  519. static bool TestCRL() {

  520.   bssl::UniquePtr<X509> root(CertFromPEM(kCRLTestRoot));

  521.   bssl::UniquePtr<X509> leaf(CertFromPEM(kCRLTestLeaf));

  522.   bssl::UniquePtr<X509_CRL> basic_crl(CRLFromPEM(kBasicCRL));

  523.   bssl::UniquePtr<X509_CRL> revoked_crl(CRLFromPEM(kRevokedCRL));

  524.   bssl::UniquePtr<X509_CRL> bad_issuer_crl(CRLFromPEM(kBadIssuerCRL));

  525. 

  526.   if (!root ||

  527.       !leaf ||

  528.       !basic_crl ||

  529.       !revoked_crl ||

  530.       !bad_issuer_crl) {

  531.     fprintf(stderr, "Failed to parse certificates\n");

  532.     return false;

  533.   }

  534. 

  535.   if (Verify(leaf.get(), {root.get()}, {root.get()}, {basic_crl.get()},

  536.              X509_V_FLAG_CRL_CHECK) != X509_V_OK) {

  537.     fprintf(stderr, "Cert with CRL didn't verify.\n");

  538.     return false;

  539.   }

  540. 

  541.   if (Verify(leaf.get(), {root.get()}, {root.get()},

  542.              {basic_crl.get(), revoked_crl.get()},

  543.              X509_V_FLAG_CRL_CHECK) != X509_V_ERR_CERT_REVOKED) {

  544.     fprintf(stderr, "Revoked CRL wasn't checked.\n");

  545.     return false;

  546.   }

  547. 

  548.   std::vector<X509_CRL *> empty_crls;

  549.   if (Verify(leaf.get(), {root.get()}, {root.get()}, empty_crls,

  550.              X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) {

  551.     fprintf(stderr, "CRLs were not required.\n");

  552.     return false;

  553.   }

  554. 

  555.   if (Verify(leaf.get(), {root.get()}, {root.get()}, {bad_issuer_crl.get()},

  556.              X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) {

  557.     fprintf(stderr, "Bad CRL issuer was unnoticed.\n");

  558.     return false;

  559.   }

  560. 

  561.   return true;

  562. }

  563. 

  564. static bool TestPSS() {

  565.   bssl::UniquePtr<X509> cert(CertFromPEM(kExamplePSSCert));

  566.   if (!cert) {

  567.     return false;

  568.   }

  569. 

  570.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  571.   if (!pkey) {

  572.     return false;

  573.   }

  574. 

  575.   if (!X509_verify(cert.get(), pkey.get())) {

  576.     fprintf(stderr, "Could not verify certificate.\n");

  577.     return false;

  578.   }

  579.   return true;

  580. }

  581. 

  582. static bool TestBadPSSParameters() {

  583.   bssl::UniquePtr<X509> cert(CertFromPEM(kBadPSSCertPEM));

  584.   if (!cert) {

  585.     return false;

  586.   }

  587. 

  588.   bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));

  589.   if (!pkey) {

  590.     return false;

  591.   }

  592. 

  593.   if (X509_verify(cert.get(), pkey.get())) {

  594.     fprintf(stderr, "Unexpectedly verified bad certificate.\n");

  595.     return false;

  596.   }

  597.   ERR_clear_error();

  598.   return true;

  599. }

  600. 

  601. static bool SignatureRoundTrips(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {

  602.   // Make a certificate like signed with |md_ctx|'s settings.'

  603.   bssl::UniquePtr<X509> cert(CertFromPEM(kLeafPEM));

  604.   if (!cert || !X509_sign_ctx(cert.get(), md_ctx)) {

  605.     return false;

  606.   }

  607. 

  608.   // Ensure that |pkey| may still be used to verify the resulting signature. All

  609.   // settings in |md_ctx| must have been serialized appropriately.

  610.   return !!X509_verify(cert.get(), pkey);

  611. }

  612. 

  613. static bool TestSignCtx() {

  614.   bssl::UniquePtr<EVP_PKEY> pkey(PrivateKeyFromPEM(kRSAKey));

  615.   if (!pkey) {

  616.     return false;

  617.   }

  618. 

  619.   // Test PKCS#1 v1.5.

  620.   ScopedEVP_MD_CTX md_ctx;

  621.   if (!EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||

  622.       !SignatureRoundTrips(md_ctx.get(), pkey.get())) {

  623.     fprintf(stderr, "RSA PKCS#1 with SHA-256 failed\n");

  624.     return false;

  625.   }

  626. 

  627.   // Test RSA-PSS with custom parameters.

  628.   md_ctx.Reset();

  629.   EVP_PKEY_CTX *pkey_ctx;

  630.   if (!EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,

  631.                           pkey.get()) ||

  632.       !EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) ||

  633.       !EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) ||

  634.       !SignatureRoundTrips(md_ctx.get(), pkey.get())) {

  635.     fprintf(stderr, "RSA-PSS failed\n");

  636.     return false;

  637.   }

  638. 

  639.   return true;

  640. }

  641. 

  642. static int Main() {

  643.   CRYPTO_library_init();

  644. 

  645.   if (!TestVerify() ||

  646.       !TestCRL() ||

  647.       !TestPSS() ||

  648.       !TestBadPSSParameters() ||

  649.       !TestSignCtx()) {

  650.     return 1;

  651.   }

  652. 

  653.   printf("PASS\n");

  654.   return 0;

  655. }

  656. 

  657. }  // namespace bssl

  658. 

  659. int main() {

  660.   return bssl::Main();

  661. }