authorJack Lloyd <[email protected]>2018-08-14 12:15:09 -0400
committerJack Lloyd <[email protected]>2018-08-14 12:15:09 -0400
commitb1fed4525295b0cf64fd9209eeb1fcf35269a72d (patch)
tree620a03c1b0c9b336fc1553738552dadddfc35752 /src/tests
parent36b279bd09a274fee8f93e1fd397638586432bda (diff)
parentdc85761ef02c2ae5d5b676696d7de20c15d571c7 (diff)
Merge GH #1647 Add X.509 path validation to FFI
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/test_ffi.cpp60
1 files changed, 59 insertions, 1 deletions
diff --git a/src/tests/test_ffi.cpp b/src/tests/test_ffi.cpp
index ee16267a1..3cf41bcc6 100644
--- a/src/tests/test_ffi.cpp
+++ b/src/tests/test_ffi.cpp
@@ -55,6 +55,7 @@ class FFI_Unit_Tests final : public Test
results.push_back(ffi_test_scrypt());
results.push_back(ffi_test_mp(rng));
results.push_back(ffi_test_pkcs_hash_id());
+ results.push_back(ffi_test_cert_validation());
#if defined(BOTAN_HAS_AES)
results.push_back(ffi_test_block_ciphers());
@@ -74,6 +75,7 @@ class FFI_Unit_Tests final : public Test
#endif
+
#if defined(BOTAN_HAS_FPE_FE1)
results.push_back(ffi_test_fpe());
#endif
@@ -230,7 +232,7 @@ class FFI_Unit_Tests final : public Test
{
Test::Result result("FFI RSA cert");
-#if defined(BOTAN_HAS_ECDSA) && defined(BOTAN_HAS_X509_CERTIFICATES)
+#if defined(BOTAN_HAS_RSA) && defined(BOTAN_HAS_X509_CERTIFICATES)
botan_x509_cert_t cert;
if(TEST_FFI_OK(botan_x509_cert_load_file, (&cert, Test::data_file("x509/ocsp/randombit.pem").c_str())))
{
@@ -246,6 +248,54 @@ class FFI_Unit_Tests final : public Test
return result;
}
+ Test::Result ffi_test_cert_validation()
+ {
+ Test::Result result("FFI Cert validation");
+#if defined(BOTAN_HAS_X509_CERTIFICATES)
+
+ botan_x509_cert_t root;
+ int rc;
+
+ REQUIRE_FFI_OK(botan_x509_cert_load_file, (&root, Test::data_file("x509/nist/root.crt").c_str()));
+
+ botan_x509_cert_t end2;
+ botan_x509_cert_t sub2;
+ REQUIRE_FFI_OK(botan_x509_cert_load_file, (&end2, Test::data_file("x509/nist/test02/end.crt").c_str()));
+ REQUIRE_FFI_OK(botan_x509_cert_load_file, (&sub2, Test::data_file("x509/nist/test02/int.crt").c_str()));
+
+ TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, &sub2, 1, &root, 1, NULL, 0));
+ result.confirm("Validation failed", rc == 5002);
+ result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Signature error");
+
+ TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end2, nullptr, 0, &root, 1, NULL, 0));
+ result.confirm("Validation failed", rc == 3000);
+ result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Certificate issuer not found");
+
+ botan_x509_cert_t end7;
+ botan_x509_cert_t sub7;
+ REQUIRE_FFI_OK(botan_x509_cert_load_file, (&end7, Test::data_file("x509/nist/test07/end.crt").c_str()));
+ REQUIRE_FFI_OK(botan_x509_cert_load_file, (&sub7, Test::data_file("x509/nist/test07/int.crt").c_str()));
+
+ botan_x509_cert_t subs[2] = {sub2, sub7};
+ TEST_FFI_RC(1, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, NULL, 0));
+ result.confirm("Validation failed", rc == 1001);
+ result.test_eq("Validation status string", botan_x509_cert_validation_status(rc),
+ "Hash function used is considered too weak for security");
+
+ TEST_FFI_RC(0, botan_x509_cert_verify, (&rc, end7, subs, 2, &root, 1, NULL, 80));
+ result.confirm("Validation passed", rc == 0);
+ result.test_eq("Validation status string", botan_x509_cert_validation_status(rc), "Verified");
+
+ TEST_FFI_OK(botan_x509_cert_destroy, (end2));
+ TEST_FFI_OK(botan_x509_cert_destroy, (sub2));
+ TEST_FFI_OK(botan_x509_cert_destroy, (end7));
+ TEST_FFI_OK(botan_x509_cert_destroy, (sub7));
+ TEST_FFI_OK(botan_x509_cert_destroy, (root));
+
+#endif
+ return result;
+ }
+
Test::Result ffi_test_ecdsa_cert()
{
Test::Result result("FFI ECDSA cert");
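Review bot: `int rc;` in ffi_test_cert_validation has no initializer, yet every `result.confirm(..., rc == ...)` reads it after a botan_x509_cert_verify call. If a call ever fails before storing the validation result, the comparison reads an indeterminate value, and the final `rc == 0` "Validation passed" check is the one most easily satisfied by accident. Declaring `int rc = -1;` and resetting `rc = -1;` before each verify call makes a missing write show up as a test failure. The literals 5002, 3000 and 1001 would also read better with a short comment each, e.g. `// 5002: signature error`, matching the status strings asserted on the following lines. REQUIRE_FFI_OK is defined outside this hunk; if it returns early on failure, the certificates loaded before that point are never passed to botan_x509_cert_destroy.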
@@ -268,6 +318,14 @@ class FFI_Unit_Tests final : public Test
TEST_FFI_OK(botan_x509_cert_get_time_expires, (cert, &date[0], &date_len));
result.test_eq("cert valid until", date, "280119151800Z");
+ uint64_t not_before = 0;
+ TEST_FFI_OK(botan_x509_cert_not_before, (cert, &not_before));
+ result.confirm("cert not before", not_before == 1184858838);
+
+ uint64_t not_after = 0;
+ TEST_FFI_OK(botan_x509_cert_not_after, (cert, &not_after));
+ result.confirm("cert not after", not_after == 1831907880);
+
size_t serial_len = 0;
TEST_FFI_RC(BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE, botan_x509_cert_get_serial_number, (cert, nullptr, &serial_len));