blob: c4d3bfc43a8b21e8bab83d5fba92cfc6811dc1d5 [file] [log] [blame]
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "cast/common/certificate/cast_crl.h"
#include "cast/common/certificate/cast_cert_validator.h"
#include "cast/common/certificate/cast_cert_validator_internal.h"
#include "cast/common/certificate/proto/test_suite.pb.h"
#include "cast/common/certificate/testing/test_helpers.h"
#include "gtest/gtest.h"
#include "platform/test/paths.h"
#include "testing/util/read_file.h"
#include "util/osp_logging.h"
namespace openscreen {
namespace cast {
// TODO(crbug.com/openscreen/90): Remove these after Chromium is migrated to
// openscreen::cast
using DeviceCertTestSuite = ::cast::certificate::DeviceCertTestSuite;
using VerificationResult = ::cast::certificate::VerificationResult;
using DeviceCertTest = ::cast::certificate::DeviceCertTest;
namespace {
// Indicates the expected result of test step's verification.
enum TestStepResult {
kResultSuccess,
kResultFail,
};
// Verifies that the provided certificate chain is valid at the specified time
// and chains up to a trust anchor.
bool TestVerifyCertificate(TestStepResult expected_result,
const std::vector<std::string>& der_certs,
const DateTime& time,
TrustStore* cast_trust_store) {
std::unique_ptr<CertVerificationContext> context;
CastDeviceCertPolicy policy;
Error result = VerifyDeviceCert(der_certs, time, &context, &policy, nullptr,
CRLPolicy::kCrlOptional, cast_trust_store);
bool success = (result.code() == Error::Code::kNone) ==
(expected_result == kResultSuccess);
EXPECT_TRUE(success);
return success;
}
// Verifies that the provided Cast CRL is signed by a trusted issuer
// and that the CRL can be parsed successfully.
// The validity of the CRL is also checked at the specified time.
bool TestVerifyCRL(TestStepResult expected_result,
const std::string& crl_bundle,
const DateTime& time,
TrustStore* crl_trust_store) {
std::unique_ptr<CastCRL> crl =
ParseAndVerifyCRL(crl_bundle, time, crl_trust_store);
bool success = (crl != nullptr) == (expected_result == kResultSuccess);
EXPECT_TRUE(success);
return success;
}
// Verifies that the certificate chain provided is not revoked according to
// the provided Cast CRL at |cert_time|.
// The provided CRL is verified at |crl_time|.
// If |crl_required| is set, then a valid Cast CRL must be provided.
// Otherwise, a missing CRL is be ignored.
bool TestVerifyRevocation(Error::Code expected_result,
const std::vector<std::string>& der_certs,
const std::string& crl_bundle,
const DateTime& crl_time,
const DateTime& cert_time,
bool crl_required,
TrustStore* cast_trust_store,
TrustStore* crl_trust_store) {
std::unique_ptr<CastCRL> crl;
if (!crl_bundle.empty()) {
crl = ParseAndVerifyCRL(crl_bundle, crl_time, crl_trust_store);
EXPECT_NE(crl.get(), nullptr);
}
std::unique_ptr<CertVerificationContext> context;
CastDeviceCertPolicy policy;
CRLPolicy crl_policy =
crl_required ? CRLPolicy::kCrlRequired : CRLPolicy::kCrlOptional;
Error result = VerifyDeviceCert(der_certs, cert_time, &context, &policy,
crl.get(), crl_policy, cast_trust_store);
EXPECT_EQ(expected_result, result.code());
return expected_result == result.code();
}
const std::string& GetSpecificTestDataPath() {
static std::string data_path = GetTestDataPath() + "cast/common/certificate/";
return data_path;
}
bool RunTest(const DeviceCertTest& test_case) {
std::unique_ptr<TrustStore> crl_trust_store;
std::unique_ptr<TrustStore> cast_trust_store;
if (test_case.use_test_trust_anchors()) {
crl_trust_store = std::make_unique<TrustStore>();
cast_trust_store = std::make_unique<TrustStore>();
*crl_trust_store = TrustStore::CreateInstanceFromPemFile(
GetSpecificTestDataPath() + "certificates/cast_crl_test_root_ca.pem");
*cast_trust_store = TrustStore::CreateInstanceFromPemFile(
GetSpecificTestDataPath() + "certificates/cast_test_root_ca.pem");
EXPECT_FALSE(crl_trust_store->certs.empty());
EXPECT_FALSE(cast_trust_store->certs.empty());
}
std::vector<std::string> der_cert_path;
for (const auto& cert : test_case.der_cert_path()) {
der_cert_path.push_back(cert);
}
DateTime cert_verification_time;
EXPECT_TRUE(DateTimeFromSeconds(test_case.cert_verification_time_seconds(),
&cert_verification_time));
uint64_t crl_verify_time = test_case.crl_verification_time_seconds();
DateTime crl_verification_time;
EXPECT_TRUE(DateTimeFromSeconds(crl_verify_time, &crl_verification_time));
if (crl_verify_time == 0) {
crl_verification_time = cert_verification_time;
}
std::string crl_bundle = test_case.crl_bundle();
switch (test_case.expected_result()) {
case ::cast::certificate::PATH_VERIFICATION_FAILED:
return TestVerifyCertificate(kResultFail, der_cert_path,
cert_verification_time,
cast_trust_store.get());
case ::cast::certificate::CRL_VERIFICATION_FAILED:
return TestVerifyCRL(kResultFail, crl_bundle, crl_verification_time,
crl_trust_store.get());
case ::cast::certificate::REVOCATION_CHECK_FAILED_WITHOUT_CRL:
return TestVerifyCertificate(kResultSuccess, der_cert_path,
cert_verification_time,
cast_trust_store.get()) &&
TestVerifyCRL(kResultFail, crl_bundle, crl_verification_time,
crl_trust_store.get()) &&
TestVerifyRevocation(
Error::Code::kErrCrlInvalid, der_cert_path, crl_bundle,
crl_verification_time, cert_verification_time, true,
cast_trust_store.get(), crl_trust_store.get());
case ::cast::certificate::
CRL_EXPIRED_AFTER_INITIAL_VERIFICATION: // fallthrough
case ::cast::certificate::REVOCATION_CHECK_FAILED:
return TestVerifyCertificate(kResultSuccess, der_cert_path,
cert_verification_time,
cast_trust_store.get()) &&
TestVerifyCRL(kResultSuccess, crl_bundle, crl_verification_time,
crl_trust_store.get()) &&
TestVerifyRevocation(
Error::Code::kErrCertsRevoked, der_cert_path, crl_bundle,
crl_verification_time, cert_verification_time, true,
cast_trust_store.get(), crl_trust_store.get());
case ::cast::certificate::SUCCESS:
return (crl_bundle.empty() ||
TestVerifyCRL(kResultSuccess, crl_bundle, crl_verification_time,
crl_trust_store.get())) &&
TestVerifyCertificate(kResultSuccess, der_cert_path,
cert_verification_time,
cast_trust_store.get()) &&
TestVerifyRevocation(Error::Code::kNone, der_cert_path, crl_bundle,
crl_verification_time, cert_verification_time,
!crl_bundle.empty(), cast_trust_store.get(),
crl_trust_store.get());
case ::cast::certificate::UNSPECIFIED:
return false;
}
return false;
}
// Parses the provided test suite provided in wire-format proto.
// Each test contains the inputs and the expected output.
// To see the description of the test, execute the test.
// These tests are generated by a test generator in google3.
void RunTestSuite(const std::string& test_suite_file_name) {
std::string testsuite_raw = ReadEntireFileToString(test_suite_file_name);
ASSERT_FALSE(testsuite_raw.empty());
DeviceCertTestSuite test_suite;
ASSERT_TRUE(test_suite.ParseFromString(testsuite_raw));
int successes = 0;
for (auto const& test_case : test_suite.tests()) {
bool result = RunTest(test_case);
successes += result;
EXPECT_TRUE(result) << test_case.description();
}
OSP_LOG_IF(ERROR, successes != test_suite.tests().size())
<< "successes: " << successes
<< ", failures: " << (test_suite.tests().size() - successes);
}
TEST(CastCertificateTest, TestSuite1) {
RunTestSuite(GetSpecificTestDataPath() + "testsuite/testsuite1.pb");
}
} // namespace
} // namespace cast
} // namespace openscreen