authorlloyd <[email protected]>2012-02-06 14:12:35 +0000
committerlloyd <[email protected]>2012-02-06 14:12:35 +0000
commitcd58927000ef86eacc9de5b80f361d4d05e71731 (patch)
tree975d2e50e77567d14ea3d24e6ebaf24a9e4d7c3b /checks/nist_tests/x509test.cpp
parent03bc906a6a94d236f192fa3b1bb370c013fc753a (diff)
Fully working path validation. Even fixes the cases in PKITS where we
got the answer wrong before. Still no policy or name constraints support, though.
Diffstat (limited to 'checks/nist_tests/x509test.cpp')
-rw-r--r--checks/nist_tests/x509test.cpp58
1 files changed, 13 insertions, 45 deletions
diff --git a/checks/nist_tests/x509test.cpp b/checks/nist_tests/x509test.cpp
index 66b274c6c..e4d55d252 100644
--- a/checks/nist_tests/x509test.cpp
+++ b/checks/nist_tests/x509test.cpp
@@ -20,12 +20,12 @@ using namespace Botan;
std::vector<std::string> dir_listing(const std::string&);
-void run_one_test(u32bit, X509_Code,
+void run_one_test(u32bit, X509_Path_Validation_Code,
std::string, std::string,
std::vector<std::string>,
std::vector<std::string>);
-std::map<u32bit, X509_Code> expected_results;
+std::map<u32bit, X509_Path_Validation_Code> expected_results;
u32bit unexp_failure, unexp_success, wrong_error, skipped;
@@ -96,7 +96,7 @@ int main()
return 0;
}
-void run_one_test(u32bit test_no, X509_Code expected,
+void run_one_test(u32bit test_no, X509_Path_Validation_Code expected,
std::string root_cert, std::string to_verify,
std::vector<std::string> certs,
std::vector<std::string> crls)
@@ -104,16 +104,14 @@ void run_one_test(u32bit test_no, X509_Code expected,
std::cout << "Processing test #" << test_no << "... ";
std::cout.flush();
- X509_Code result = VERIFIED;
+ Certificate_Store_In_Memory store;
- Certificate_Store_Memory store;
-
- store.add_cert(X509_Certificate(root_cert));
+ store.add_certificate(X509_Certificate(root_cert));
X509_Certificate end_user(to_verify);
for(size_t j = 0; j != certs.size(); j++)
- store.add_cert(X509_Certificate(certs[j]));
+ store.add_certificate(X509_Certificate(certs[j]));
for(size_t j = 0; j != crls.size(); j++)
{
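Review bot: Nothing on these lines marks `root_cert` as the only trusted certificate, because the trust anchor and the test-supplied intermediates all go into the same `Certificate_Store_In_Memory` through `store.add_certificate(...)`. If `x509_path_validate` treats any self-signed certificate in the store as an anchor (not visible here), a case could come back VERIFIED for the wrong reason. A comment above the first `add_certificate` call stating the intended roles, e.g. `// root_cert is meant to be the sole trust anchor; certs[] are untrusted intermediates`, would make that assumption checkable against the validator. The body of run_one_test starts and ends outside this hunk.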
@@ -133,18 +131,9 @@ void run_one_test(u32bit test_no, X509_Code expected,
store.add_crl(crl);
}
- /* if everything has gone well up until now */
-
- if(result == VERIFIED)
- {
- result = store.validate_cert(end_user);
-
- X509_Code result2 = store.validate_cert(end_user);
+ Path_Validation_Result validation_result = x509_path_validate(end_user, store);
- if(result != result2)
- std::cout << "Two runs, two answers: " << result << " "
- << result2 << std::endl;
- }
+ X509_Path_Validation_Code result = validation_result.validation_result;
if(result == expected)
{
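Review bot: `validation_result.validation_result` reads awkwardly, and only the status code is compared with `expected`; naming the local differently, `Path_Validation_Result path_result = x509_path_validate(end_user, store);`, would make the following line clearer. The call passes no options, so the expectations in populate_expected_results presumably depend on the validator's defaults, including whether a missing CRL counts as a failure. A one-line comment such as `// validated with default settings; a missing CRL is expected to fail (see test 19)` would tie this call to those expectations. run_one_test continues outside the hunk.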
@@ -232,15 +221,7 @@ void populate_expected_results()
expected_results[17] = VERIFIED;
expected_results[18] = VERIFIED;
- /************* CHANGE OF TEST RESULT FOR TEST #19 ************************
- One of the certificates has no attached CRL. By strict X.509 rules, if
- there is no good CRL in hand, then the certificate shouldn't be used for
- CA stuff. But while this is usually a good idea, it interferes with simple
- uses of certificates which shouldn't (IMO) force the use of CRLs. There is
- no assigned error code for this scenario because I don't consider it to be
- an error (probably would be something like NO_REVOCATION_DATA_AVAILABLE)
- **************************************************************************/
- expected_results[19] = VERIFIED;
+ expected_results[19] = CRL_NOT_FOUND;
expected_results[20] = CERT_IS_REVOKED;
expected_results[21] = CERT_IS_REVOKED;
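Review bot: The reason test 19 now expects `CRL_NOT_FOUND` is left undocumented, since the explanatory block is deleted with nothing in its place. The removed text says one certificate in the path has no CRL; a short replacement such as `// #19: one certificate in the path has no CRL, so validation fails closed` keeps that context next to the value. It also records that a missing CRL has become a hard failure, which anyone relying on the earlier lenient result would want to see. populate_expected_results starts and ends outside the hunk.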
@@ -314,23 +295,10 @@ void populate_expected_results()
expected_results[64] = SIGNATURE_ERROR;
- /************ CHANGE OF TEST RESULT FOR TEST #65 *************************
- I cannot figure out what exactly the problem here is supposed to be;
- looking at it by hand, everything seems fine. If someone can explain I
- would be happy to listen.
- ************************************************************************/
- expected_results[65] = VERIFIED;
- expected_results[66] = CRL_ISSUER_NOT_FOUND;
-
- /************ CHANGE OF TEST RESULT FOR TEST #67 *************************
- The test docs say this should be verified. However, the problem being that
- there is an extra CRL with an unknown issuer. Returning VERIFIED in this
- case is obviously bad, since the user may well want to know that the CRL
- in question has no known issuer. So we return CRL_ISSUER_NOT_FOUND instead
- of VERIFIED. The actual certificate path of course still verifies, but
- it's kind of an all-or-nothing testing procedure.
- ************************************************************************/
- expected_results[67] = CRL_ISSUER_NOT_FOUND;
+ expected_results[65] = CRL_NOT_FOUND;
+ expected_results[66] = CRL_NOT_FOUND;
+
+ expected_results[67] = VERIFIED;
expected_results[68] = CERT_IS_REVOKED;
expected_results[69] = CERT_IS_REVOKED;
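Review bot: The new expectations for tests 65 to 67 carry no comment, although each one changes what the suite accepts. Per the removed text, case 67 includes an extra CRL whose issuer is unknown; expecting `VERIFIED` means that CRL is ignored rather than reported. `CRL_ISSUER_NOT_FOUND` no longer appears in this range, so a missing CRL and a CRL from an unknown issuer are not told apart here. A comment such as `// #67: extra CRL from an unknown issuer is ignored; the path itself verifies, as the test docs expect` would record that this is intended, and a similar line for 65 and 66 would say which certificate lacks a usable CRL. populate_expected_results starts and ends outside the hunk.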