authorlloyd <[email protected]>2012-03-28 21:09:47 +0000
committerlloyd <[email protected]>2012-03-28 21:09:47 +0000
commitd4050e6b838acfd9552b4ab137fbf0717ff1e0ca (patch)
treea811718e0ada95191fd64c353bb2357953be86d3 /checks
parent199bc49219175d29076692a3131ac5425d750461 (diff)
parentf1a2b5a7b5f35322927446d1b9a381f05cc677df (diff)
propagate from branch 'net.randombit.botan' (head 0d0f3fba72f3300bc995c79124a75a4fc0b83879)
to branch 'net.randombit.botan.x509-path-validation' (head 48d03e596f032c0c69d691dbf49a2a1415b348c3)
Diffstat (limited to 'checks')
-rw-r--r--checks/nist_tests/Makefile6
-rw-r--r--checks/nist_tests/x509test.cpp64
-rw-r--r--checks/x509.cpp35
3 files changed, 38 insertions, 67 deletions
diff --git a/checks/nist_tests/Makefile b/checks/nist_tests/Makefile
index 3fcdf212b..52dc340c9 100644
--- a/checks/nist_tests/Makefile
+++ b/checks/nist_tests/Makefile
@@ -1,8 +1,10 @@
+BOTAN_CONFIG=../../build/botan-config-1.10
+
CC=g++
FLAGS=-g -Os -W -Wall -ansi
-LDFLAGS=-L../.. -lbotan-1.9
-CFLAGS=-I../../build/include
+LDFLAGS=$(shell $(BOTAN_CONFIG) --libs) -L../.. -lbotan-1.10
+CFLAGS=$(shell $(BOTAN_CONFIG) --cflags) -I../../build/include
x509test: x509test.cpp
$(CC) $(FLAGS) $(CFLAGS) x509test.cpp $(LDFLAGS) -o x509test
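Review bot: In the new `LDFLAGS`, the output of `$(BOTAN_CONFIG) --libs` comes before `-L../.. -lbotan-1.10`, so any library directory it prints is searched before the in-tree build. If it emits a `-L` for an install prefix (not visible here), the NIST test binary could link against an installed libbotan-1.10 rather than the tree under test. Putting the in-tree path first, `LDFLAGS=-L../.. $(shell $(BOTAN_CONFIG) --libs)`, would avoid that and drop the second hard-coded `-lbotan-1.10`.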
diff --git a/checks/nist_tests/x509test.cpp b/checks/nist_tests/x509test.cpp
index 0c4c04029..e4d55d252 100644
--- a/checks/nist_tests/x509test.cpp
+++ b/checks/nist_tests/x509test.cpp
@@ -4,7 +4,7 @@
which is available on NIST's web site.
*/
-#include <botan/x509stor.h>
+#include <botan/x509path.h>
#include <botan/init.h>
using namespace Botan;
@@ -20,12 +20,12 @@ using namespace Botan;
std::vector<std::string> dir_listing(const std::string&);
-void run_one_test(u32bit, X509_Code,
+void run_one_test(u32bit, X509_Path_Validation_Code,
std::string, std::string,
std::vector<std::string>,
std::vector<std::string>);
-std::map<u32bit, X509_Code> expected_results;
+std::map<u32bit, X509_Path_Validation_Code> expected_results;
u32bit unexp_failure, unexp_success, wrong_error, skipped;
@@ -96,7 +96,7 @@ int main()
return 0;
}
-void run_one_test(u32bit test_no, X509_Code expected,
+void run_one_test(u32bit test_no, X509_Path_Validation_Code expected,
std::string root_cert, std::string to_verify,
std::vector<std::string> certs,
std::vector<std::string> crls)
@@ -104,16 +104,14 @@ void run_one_test(u32bit test_no, X509_Code expected,
std::cout << "Processing test #" << test_no << "... ";
std::cout.flush();
- X509_Code result = VERIFIED;
+ Certificate_Store_In_Memory store;
- X509_Store store;
-
- store.add_cert(X509_Certificate(root_cert), true);
+ store.add_certificate(X509_Certificate(root_cert));
X509_Certificate end_user(to_verify);
for(size_t j = 0; j != certs.size(); j++)
- store.add_cert(X509_Certificate(certs[j]));
+ store.add_certificate(X509_Certificate(certs[j]));
for(size_t j = 0; j != crls.size(); j++)
{
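Review bot: The root certificate and the test-supplied path certificates now enter the same `Certificate_Store_In_Memory` through the same `add_certificate()` call, so the trust-anchor marking that the removed `true` argument gave `root_cert` is gone. This diff does not show how `x509_path_validate` chooses its anchors. If any self-signed certificate in the store qualifies, a self-signed entry in `certs` would be accepted as a root and the negative NIST cases would be weaker than they look. Say at the `add_certificate(X509_Certificate(root_cert))` line which certificates the validator treats as trusted, for example `// every cert in this store is a candidate trust anchor for x509_path_validate` if that is the case, or keep anchors and untrusted intermediates apart. The same question applies to `store.add_certificate(ca_cert)` in checks/x509.cpp, which lost its "trusted CA cert" comment. The body of run_one_test continues outside this hunk.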
@@ -130,23 +128,12 @@ void run_one_test(u32bit test_no, X509_Code expected,
std::cout << std::endl;
}
*/
- result = store.add_crl(crl);
- if(result != VERIFIED)
- break;
+ store.add_crl(crl);
}
- /* if everything has gone well up until now */
-
- if(result == VERIFIED)
- {
- result = store.validate_cert(end_user);
+ Path_Validation_Result validation_result = x509_path_validate(end_user, store);
- X509_Code result2 = store.validate_cert(end_user);
-
- if(result != result2)
- std::cout << "Two runs, two answers: " << result << " "
- << result2 << std::endl;
- }
+ X509_Path_Validation_Code result = validation_result.validation_result;
if(result == expected)
{
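Review bot: `store.add_crl(crl);` no longer has a result to check, so a CRL with a bad signature or an unknown issuer is not rejected at insertion, and nothing in this hunk shows where it is rejected instead. If that check now happens inside `x509_path_validate`, a comment at the call would make it explicit, e.g. `// CRLs are stored unverified; signature and issuer are checked during path validation`. If it does not happen there, the CRL-related expectations are being met by unverified revocation data. checks/x509.cpp has the same pattern for `crl1`, `crl2` and `crl3`, where the old "CRL #n did not validate" checks were removed. run_one_test starts and ends outside this hunk.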
@@ -234,15 +221,7 @@ void populate_expected_results()
expected_results[17] = VERIFIED;
expected_results[18] = VERIFIED;
- /************* CHANGE OF TEST RESULT FOR TEST #19 ************************
- One of the certificates has no attached CRL. By strict X.509 rules, if
- there is no good CRL in hand, then the certificate shouldn't be used for
- CA stuff. But while this is usually a good idea, it interferes with simple
- uses of certificates which shouldn't (IMO) force the use of CRLs. There is
- no assigned error code for this scenario because I don't consider it to be
- an error (probably would be something like NO_REVOCATION_DATA_AVAILABLE)
- **************************************************************************/
- expected_results[19] = VERIFIED;
+ expected_results[19] = CRL_NOT_FOUND;
expected_results[20] = CERT_IS_REVOKED;
expected_results[21] = CERT_IS_REVOKED;
@@ -316,23 +295,10 @@ void populate_expected_results()
expected_results[64] = SIGNATURE_ERROR;
- /************ CHANGE OF TEST RESULT FOR TEST #65 *************************
- I cannot figure out what exactly the problem here is supposed to be;
- looking at it by hand, everything seems fine. If someone can explain I
- would be happy to listen.
- ************************************************************************/
- expected_results[65] = VERIFIED;
- expected_results[66] = CRL_ISSUER_NOT_FOUND;
-
- /************ CHANGE OF TEST RESULT FOR TEST #67 *************************
- The test docs say this should be verified. However, the problem being that
- there is an extra CRL with an unknown issuer. Returning VERIFIED in this
- case is obviously bad, since the user may well want to know that the CRL
- in question has no known issuer. So we return CRL_ISSUER_NOT_FOUND instead
- of VERIFIED. The actual certificate path of course still verifies, but
- it's kind of an all-or-nothing testing procedure.
- ************************************************************************/
- expected_results[67] = CRL_ISSUER_NOT_FOUND;
+ expected_results[65] = CRL_NOT_FOUND;
+ expected_results[66] = CRL_NOT_FOUND;
+
+ expected_results[67] = VERIFIED;
expected_results[68] = CERT_IS_REVOKED;
expected_results[69] = CERT_IS_REVOKED;
diff --git a/checks/x509.cpp b/checks/x509.cpp
index 8c6cd8187..9ae295d35 100644
--- a/checks/x509.cpp
+++ b/checks/x509.cpp
@@ -21,7 +21,7 @@
#if defined(BOTAN_HAS_X509_CERTIFICATES)
#include <botan/x509self.h>
- #include <botan/x509stor.h>
+ #include <botan/x509path.h>
#include <botan/x509_ca.h>
#include <botan/pkcs10.h>
#endif
@@ -191,19 +191,21 @@ void do_x509_tests(RandomNumberGenerator& rng)
X509_CRL crl1 = ca.new_crl(rng);
/* Verify the certs */
- X509_Store store;
+ Certificate_Store_In_Memory store;
- store.add_cert(ca_cert, true); // second arg == true: trusted CA cert
+ store.add_certificate(ca_cert);
std::cout << '.' << std::flush;
- if(store.validate_cert(user1_cert) != VERIFIED)
- std::cout << "\nFAILED: User cert #1 did not validate" << std::endl;
- if(store.validate_cert(user2_cert) != VERIFIED)
- std::cout << "\nFAILED: User cert #2 did not validate" << std::endl;
+ Path_Validation_Result result_u1 = x509_path_validate(user1_cert, store);
+ if(result_u1.validation_result != VERIFIED)
+ std::cout << "\nFAILED: User cert #1 did not validate - " << result_u1.validation_result << std::endl;
- if(store.add_crl(crl1) != VERIFIED)
- std::cout << "\nFAILED: CRL #1 did not validate" << std::endl;
+ Path_Validation_Result result_u2 = x509_path_validate(user2_cert, store);
+ if(result_u2.validation_result != VERIFIED)
+ std::cout << "\nFAILED: User cert #2 did not validate - " << result_u2.validation_result << std::endl;
+
+ store.add_crl(crl1);
std::vector<CRL_Entry> revoked;
revoked.push_back(CRL_Entry(user1_cert, CESSATION_OF_OPERATION));
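Review bot: `user1_cert` and `user2_cert` are validated here before `store.add_crl(crl1)` runs and are required to return `VERIFIED`. The NIST expectations changed in this same commit treat absent revocation data as `CRL_NOT_FOUND` (tests 19, 65 and 66). Both may be correct, depending on which certificate in the path lacks the CRL, but the diff does not show that rule. A comment above the first `x509_path_validate` call would state the intent, e.g. `// no CRL for ca_cert is loaded yet; validation is expected to succeed without revocation data here`. do_x509_tests starts and ends outside this hunk.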
@@ -211,23 +213,24 @@ void do_x509_tests(RandomNumberGenerator& rng)
X509_CRL crl2 = ca.update_crl(crl1, revoked, rng);
- if(store.add_crl(crl2) != VERIFIED)
- std::cout << "\nFAILED: CRL #2 did not validate" << std::endl;
+ store.add_crl(crl2);
- if(store.validate_cert(user1_cert) != CERT_IS_REVOKED)
+ result_u1 = x509_path_validate(user1_cert, store);
+ if(result_u1.validation_result != CERT_IS_REVOKED)
std::cout << "\nFAILED: User cert #1 was not revoked" << std::endl;
- if(store.validate_cert(user2_cert) != CERT_IS_REVOKED)
+ result_u2 = x509_path_validate(user2_cert, store);
+ if(result_u2.validation_result != CERT_IS_REVOKED)
std::cout << "\nFAILED: User cert #2 was not revoked" << std::endl;
revoked.clear();
revoked.push_back(CRL_Entry(user1_cert, REMOVE_FROM_CRL));
X509_CRL crl3 = ca.update_crl(crl2, revoked, rng);
- if(store.add_crl(crl3) != VERIFIED)
- std::cout << "\nFAILED: CRL #3 did not validate" << std::endl;
+ store.add_crl(crl3);
- if(store.validate_cert(user1_cert) != VERIFIED)
+ result_u1 = x509_path_validate(user1_cert, store);
+ if(result_u1.validation_result != VERIFIED)
std::cout << "\nFAILED: User cert #1 was not un-revoked" << std::endl;
check_against_copy(ca_key, rng);
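Review bot: After `crl3` removes `user1_cert` from the CRL, only `user1_cert` is re-validated. Nothing checks that `user2_cert` is still reported as revoked, so an un-revocation that wrongly dropped other CRL entries would pass this test. The removed lines show the old code had the same gap, but the rewritten block is a convenient place to close it with `result_u2 = x509_path_validate(user2_cert, store);` followed by `if(result_u2.validation_result != CERT_IS_REVOKED) std::cout << "\nFAILED: User cert #2 lost its revocation" << std::endl;`. The enclosing function extends beyond this hunk.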