-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpkits_test.go
186 lines (176 loc) · 8.52 KB
/
pkits_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package x509
import (
"encoding/json"
"os"
"path/filepath"
"slices"
"testing"
)
var nistTestPolicies = map[string]OID{
"anyPolicy": anyPolicyOID,
"NIST-test-policy-1": mustNewOIDFromInts([]uint64{2, 16, 840, 1, 101, 3, 2, 1, 48, 1}),
"NIST-test-policy-2": mustNewOIDFromInts([]uint64{2, 16, 840, 1, 101, 3, 2, 1, 48, 2}),
"NIST-test-policy-3": mustNewOIDFromInts([]uint64{2, 16, 840, 1, 101, 3, 2, 1, 48, 3}),
"NIST-test-policy-6": mustNewOIDFromInts([]uint64{2, 16, 840, 1, 101, 3, 2, 1, 48, 6}),
}
func TestNISTPKITSPolicy(t *testing.T) {
// This test runs a subset of the NIST PKI path validation test suite that
// focuses of policy validation, rather than the entire suite. Since the
// suite assumes you are only validating the path, rather than building
// _and_ validating the path, we take the path as given and run
// policiesValid on it.
certDir := "testdata/nist-pkits/certs"
var testcases []struct {
Name string
CertPath []string
InitialPolicySet []string
InitialPolicyMappingInhibit bool
InitialExplicitPolicy bool
InitialAnyPolicyInhibit bool
ShouldValidate bool
Skipped bool
}
b, err := os.ReadFile("testdata/nist-pkits/vectors.json")
if err != nil {
t.Fatal(err)
}
if err := json.Unmarshal(b, &testcases); err != nil {
t.Fatal(err)
}
policyTests := map[string]bool{
"4.8.1 All Certificates Same Policy Test1 (Subpart 1)": true,
"4.8.1 All Certificates Same Policy Test1 (Subpart 2)": true,
"4.8.1 All Certificates Same Policy Test1 (Subpart 3)": true,
"4.8.1 All Certificates Same Policy Test1 (Subpart 4)": true,
"4.8.2 All Certificates No Policies Test2 (Subpart 1)": true,
"4.8.2 All Certificates No Policies Test2 (Subpart 2)": true,
"4.8.3 Different Policies Test3 (Subpart 1)": true,
"4.8.3 Different Policies Test3 (Subpart 2)": true,
"4.8.3 Different Policies Test3 (Subpart 3)": true,
"4.8.4 Different Policies Test4": true,
"4.8.5 Different Policies Test5": true,
"4.8.6 Overlapping Policies Test6 (Subpart 1)": true,
"4.8.6 Overlapping Policies Test6 (Subpart 2)": true,
"4.8.6 Overlapping Policies Test6 (Subpart 3)": true,
"4.8.7 Different Policies Test7": true,
"4.8.8 Different Policies Test8": true,
"4.8.9 Different Policies Test9": true,
"4.8.10 All Certificates Same Policies Test10 (Subpart 1)": true,
"4.8.10 All Certificates Same Policies Test10 (Subpart 2)": true,
"4.8.10 All Certificates Same Policies Test10 (Subpart 3)": true,
"4.8.11 All Certificates AnyPolicy Test11 (Subpart 1)": true,
"4.8.11 All Certificates AnyPolicy Test11 (Subpart 2)": true,
"4.8.12 Different Policies Test12": true,
"4.8.13 All Certificates Same Policies Test13 (Subpart 1)": true,
"4.8.13 All Certificates Same Policies Test13 (Subpart 2)": true,
"4.8.13 All Certificates Same Policies Test13 (Subpart 3)": true,
"4.8.14 AnyPolicy Test14 (Subpart 1)": true,
"4.8.14 AnyPolicy Test14 (Subpart 2)": true,
"4.8.15 User Notice Qualifier Test15": true,
"4.8.16 User Notice Qualifier Test16": true,
"4.8.17 User Notice Qualifier Test17": true,
"4.8.18 User Notice Qualifier Test18 (Subpart 1)": true,
"4.8.18 User Notice Qualifier Test18 (Subpart 2)": true,
"4.8.19 User Notice Qualifier Test19": true,
"4.8.20 CPS Pointer Qualifier Test20": true,
"4.9.1 Valid RequireExplicitPolicy Test1": true,
"4.9.2 Valid RequireExplicitPolicy Test2": true,
"4.9.3 Invalid RequireExplicitPolicy Test3": true,
"4.9.4 Valid RequireExplicitPolicy Test4": true,
"4.9.5 Invalid RequireExplicitPolicy Test5": true,
"4.9.6 Valid Self-Issued requireExplicitPolicy Test6": true,
"4.9.7 Invalid Self-Issued requireExplicitPolicy Test7": true,
"4.9.8 Invalid Self-Issued requireExplicitPolicy Test8": true,
"4.10.1.1 Valid Policy Mapping Test1 (Subpart 1)": true,
"4.10.1.2 Valid Policy Mapping Test1 (Subpart 2)": true,
"4.10.1.3 Valid Policy Mapping Test1 (Subpart 3)": true,
"4.10.2 Invalid Policy Mapping Test2 (Subpart 1)": true,
"4.10.2 Invalid Policy Mapping Test2 (Subpart 2)": true,
"4.10.3 Valid Policy Mapping Test3 (Subpart 1)": true,
"4.10.3 Valid Policy Mapping Test3 (Subpart 2)": true,
"4.10.4 Invalid Policy Mapping Test4": true,
"4.10.5 Valid Policy Mapping Test5 (Subpart 1)": true,
"4.10.5 Valid Policy Mapping Test5 (Subpart 2)": true,
"4.10.6 Valid Policy Mapping Test6 (Subpart 1)": true,
"4.10.6 Valid Policy Mapping Test6 (Subpart 2)": true,
"4.10.7 Invalid Mapping From anyPolicy Test7": true,
"4.10.8 Invalid Mapping To anyPolicy Test8": true,
"4.10.9 Valid Policy Mapping Test9": true,
"4.10.10 Invalid Policy Mapping Test10": true,
"4.10.11 Valid Policy Mapping Test11": true,
"4.10.12 Valid Policy Mapping Test12 (Subpart 1)": true,
"4.10.12 Valid Policy Mapping Test12 (Subpart 2)": true,
"4.10.13 Valid Policy Mapping Test13 (Subpart 1)": true,
"4.10.13 Valid Policy Mapping Test13 (Subpart 2)": true,
"4.10.13 Valid Policy Mapping Test13 (Subpart 3)": true,
"4.10.14 Valid Policy Mapping Test14": true,
"4.11.1 Invalid inhibitPolicyMapping Test1": true,
"4.11.2 Valid inhibitPolicyMapping Test2": true,
"4.11.3 Invalid inhibitPolicyMapping Test3": true,
"4.11.4 Valid inhibitPolicyMapping Test4": true,
"4.11.5 Invalid inhibitPolicyMapping Test5": true,
"4.11.6 Invalid inhibitPolicyMapping Test6": true,
"4.11.7 Valid Self-Issued inhibitPolicyMapping Test7": true,
"4.11.8 Invalid Self-Issued inhibitPolicyMapping Test8": true,
"4.11.9 Invalid Self-Issued inhibitPolicyMapping Test9": true,
"4.11.10 Invalid Self-Issued inhibitPolicyMapping Test10": true,
"4.11.11 Invalid Self-Issued inhibitPolicyMapping Test11": true,
"4.12.1 Invalid inhibitAnyPolicy Test1": true,
"4.12.2 Valid inhibitAnyPolicy Test2": true,
"4.12.3 inhibitAnyPolicy Test3 (Subpart 1)": true,
"4.12.3 inhibitAnyPolicy Test3 (Subpart 2)": true,
"4.12.4 Invalid inhibitAnyPolicy Test4": true,
"4.12.5 Invalid inhibitAnyPolicy Test5": true,
"4.12.6 Invalid inhibitAnyPolicy Test6": true,
"4.12.7 Valid Self-Issued inhibitAnyPolicy Test7": true,
"4.12.8 Invalid Self-Issued inhibitAnyPolicy Test8": true,
"4.12.9 Valid Self-Issued inhibitAnyPolicy Test9": true,
"4.12.10 Invalid Self-Issued inhibitAnyPolicy Test10": true,
}
for _, tc := range testcases {
if !policyTests[tc.Name] {
continue
}
t.Run(tc.Name, func(t *testing.T) {
var chain []*Certificate
for _, c := range tc.CertPath {
certDER, err := os.ReadFile(filepath.Join(certDir, c))
if err != nil {
t.Fatal(err)
}
cert, err := ParseCertificate(certDER)
if err != nil {
t.Fatal(err)
}
chain = append(chain, cert)
}
slices.Reverse(chain)
var initialPolicies []OID
for _, pstr := range tc.InitialPolicySet {
policy, ok := nistTestPolicies[pstr]
if !ok {
t.Fatalf("unknown test policy: %s", pstr)
}
initialPolicies = append(initialPolicies, policy)
}
valid := policiesValid(chain, VerifyOptions{
CertificatePolicies: initialPolicies,
inhibitPolicyMapping: tc.InitialPolicyMappingInhibit,
requireExplicitPolicy: tc.InitialExplicitPolicy,
inhibitAnyPolicy: tc.InitialAnyPolicyInhibit,
})
if !valid {
if !tc.ShouldValidate {
return
}
t.Fatalf("Failed to validate: %s", err)
}
if !tc.ShouldValidate {
t.Fatal("Expected path validation to fail")
}
})
}
}