Diffstat (limited to 'checks')
-rw-r--r-- | checks/nist_tests/Makefile | 6 | ||||
-rw-r--r-- | checks/nist_tests/x509test.cpp | 234 | ||||
-rw-r--r-- | checks/x509.cpp | 54 |
3 files changed, 137 insertions, 157 deletions
diff --git a/checks/nist_tests/Makefile b/checks/nist_tests/Makefile index 3fcdf212b..52dc340c9 100644 --- a/checks/nist_tests/Makefile +++ b/checks/nist_tests/Makefile @@ -1,8 +1,10 @@ +BOTAN_CONFIG=../../build/botan-config-1.10 + CC=g++ FLAGS=-g -Os -W -Wall -ansi -LDFLAGS=-L../.. -lbotan-1.9 -CFLAGS=-I../../build/include +LDFLAGS=$(shell $(BOTAN_CONFIG) --libs) -L../.. -lbotan-1.10 +CFLAGS=$(shell $(BOTAN_CONFIG) --cflags) -I../../build/include x509test: x509test.cpp $(CC) $(FLAGS) $(CFLAGS) x509test.cpp $(LDFLAGS) -o x509test diff --git a/checks/nist_tests/x509test.cpp b/checks/nist_tests/x509test.cpp index 0c4c04029..18ed26534 100644 --- a/checks/nist_tests/x509test.cpp +++ b/checks/nist_tests/x509test.cpp @@ -4,7 +4,7 @@ which is available on NIST's web site. */ -#include <botan/x509stor.h> +#include <botan/x509path.h> #include <botan/init.h> using namespace Botan; @@ -20,12 +20,12 @@ using namespace Botan; std::vector<std::string> dir_listing(const std::string&); -void run_one_test(u32bit, X509_Code, +void run_one_test(u32bit, Path_Validation_Result::Code, std::string, std::string, std::vector<std::string>, std::vector<std::string>); -std::map<u32bit, X509_Code> expected_results; +std::map<u32bit, Path_Validation_Result::Code> expected_results; u32bit unexp_failure, unexp_success, wrong_error, skipped; @@ -96,7 +96,7 @@ int main() return 0; } -void run_one_test(u32bit test_no, X509_Code expected, +void run_one_test(u32bit test_no, Path_Validation_Result::Code expected, std::string root_cert, std::string to_verify, std::vector<std::string> certs, std::vector<std::string> crls) 
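Review bot: `LDFLAGS` in the Makefile hunk appends `-L../.. -lbotan-1.10` after `$(shell $(BOTAN_CONFIG) --libs)`, which presumably already emits the library flag, so the library name is pinned in two places and will drift on the next version change. If botan-config's output is sufficient, `LDFLAGS=$(shell $(BOTAN_CONFIG) --libs) -L../..` keeps a single source of truth; otherwise a comment saying why the explicit `-lbotan-1.10` is still needed would help. The same version string sits in the `BOTAN_CONFIG` path, which is expected for a build-tree-relative script.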
@@ -104,16 +104,14 @@ void run_one_test(u32bit test_no, X509_Code expected, std::cout << "Processing test #" << test_no << "... "; std::cout.flush(); - X509_Code result = VERIFIED; + Certificate_Store_In_Memory store; - X509_Store store; - - store.add_cert(X509_Certificate(root_cert), true); + store.add_certificate(X509_Certificate(root_cert)); X509_Certificate end_user(to_verify); for(size_t j = 0; j != certs.size(); j++) - store.add_cert(X509_Certificate(certs[j])); + store.add_certificate(X509_Certificate(certs[j])); for(size_t j = 0; j != crls.size(); j++) { @@ -130,23 +128,17 @@ void run_one_test(u32bit test_no, X509_Code expected, std::cout << std::endl; } */ - result = store.add_crl(crl); - if(result != VERIFIED) - break; + store.add_crl(crl); } - /* if everything has gone well up until now */ + Path_Validation_Restrictions restrictions(true); - if(result == VERIFIED) - { - result = store.validate_cert(end_user); + Path_Validation_Result validation_result = + x509_path_validate(end_user, + restrictions, + store); - X509_Code result2 = store.validate_cert(end_user); - - if(result != result2) - std::cout << "Two runs, two answers: " << result << " " - << result2 << std::endl; - } + Path_Validation_Result::Code result = validation_result.result(); if(result == expected) { @@ -154,12 +146,12 @@ void run_one_test(u32bit test_no, X509_Code expected, return; } - if(expected == VERIFIED) + if(expected == Path_Validation_Result::VERIFIED) { std::cout << "unexpected failure: " << result << std::endl; unexp_failure++; } - else if(result == VERIFIED) + else if(result == Path_Validation_Result::VERIFIED) { std::cout << "unexpected success: " << expected << std::endl; unexp_success++; 
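Review bot: `store.add_certificate(X509_Certificate(root_cert))` in the -104 hunk drops the `true` trust flag the old `X509_Store::add_cert` took, and the intermediates from `certs` go into the same store through the same call, so the store no longer distinguishes the trust anchor from untrusted intermediates. Whether that matters depends on how `x509_path_validate` treats store contents (every cert as a potential anchor, or only the self-signed one) — worth confirming against the header, since a store that trusted intermediates would mask the signature failures tests #2 and #3 expect. A one-line comment on the add loop recording the assumption, e.g. `// intermediates share the store with the root; only the self-signed root is expected to act as a trust anchor`, would make that explicit. run_one_test continues outside this hunk.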
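Review bot: `store.add_crl(crl);` in the -130 hunk discards the result the old code checked (`if(result != VERIFIED) break;`), so a CRL that cannot be accepted is now stored silently and the test relies on `x509_path_validate` to notice it later; if `add_crl` really returns nothing in the new store, a comment saying so stops the next reader from looking for the lost check. The bare `true` in `Path_Validation_Restrictions restrictions(true);` also deserves a comment, presumably `// true: require revocation data (a CRL) for every CA in the path`, since the expected results for #19 and #65 appear to depend on it. The old double-run comparison ("Two runs, two answers") was dropped as well; if validator determinism was the point, a second `x509_path_validate` call comparing `result()` is cheap to keep.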
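Review bot: `std::cout << "unexpected failure: " << result` in the -154 hunk prints the `Path_Validation_Result::Code` enum as a bare integer, while checks/x509.cpp in the same commit prints `result_string()`. Using `validation_result.result_string()` here gives the NIST runner the same readable diagnostics; `expected` has no result object to call, so it stays numeric unless the enum-to-string mapping is exposed statically. run_one_test ends outside this hunk.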
@@ -211,54 +203,43 @@ std::vector<std::string> dir_listing(const std::string& dir_name) void populate_expected_results() { /* OK, not a super great way of doing this... */ - expected_results[1] = VERIFIED; - expected_results[2] = SIGNATURE_ERROR; - expected_results[3] = SIGNATURE_ERROR; - expected_results[4] = VERIFIED; - expected_results[5] = CERT_NOT_YET_VALID; - expected_results[6] = CERT_NOT_YET_VALID; - expected_results[7] = VERIFIED; - expected_results[8] = CERT_NOT_YET_VALID; - expected_results[9] = CERT_HAS_EXPIRED; - expected_results[10] = CERT_HAS_EXPIRED; - expected_results[11] = CERT_HAS_EXPIRED; - expected_results[12] = VERIFIED; - expected_results[13] = CERT_ISSUER_NOT_FOUND; - - // FIXME: we get the answer right for the wrong reason - // ummm... I don't know if that is still true. I wish I had thought to - // write down exactly what this 'wrong reason' was in the first place. - expected_results[14] = CERT_ISSUER_NOT_FOUND; - expected_results[15] = VERIFIED; - expected_results[16] = VERIFIED; - expected_results[17] = VERIFIED; - expected_results[18] = VERIFIED; - - /************* CHANGE OF TEST RESULT FOR TEST #19 ************************ - One of the certificates has no attached CRL. By strict X.509 rules, if - there is no good CRL in hand, then the certificate shouldn't be used for - CA stuff. But while this is usually a good idea, it interferes with simple - uses of certificates which shouldn't (IMO) force the use of CRLs. 
There is - no assigned error code for this scenario because I don't consider it to be - an error (probably would be something like NO_REVOCATION_DATA_AVAILABLE) - **************************************************************************/ - expected_results[19] = VERIFIED; - expected_results[20] = CERT_IS_REVOKED; - expected_results[21] = CERT_IS_REVOKED; - - expected_results[22] = CA_CERT_NOT_FOR_CERT_ISSUER; - expected_results[23] = CA_CERT_NOT_FOR_CERT_ISSUER; - expected_results[24] = VERIFIED; - expected_results[25] = CA_CERT_NOT_FOR_CERT_ISSUER; - expected_results[26] = VERIFIED; - expected_results[27] = VERIFIED; - expected_results[28] = CA_CERT_NOT_FOR_CERT_ISSUER; - expected_results[29] = CA_CERT_NOT_FOR_CERT_ISSUER; - expected_results[30] = VERIFIED; - - expected_results[31] = CA_CERT_NOT_FOR_CRL_ISSUER; - expected_results[32] = CA_CERT_NOT_FOR_CRL_ISSUER; - expected_results[33] = VERIFIED; + expected_results[1] = Path_Validation_Result::VERIFIED; + expected_results[2] = Path_Validation_Result::SIGNATURE_ERROR; + expected_results[3] = Path_Validation_Result::SIGNATURE_ERROR; + expected_results[4] = Path_Validation_Result::VERIFIED; + expected_results[5] = Path_Validation_Result::CERT_NOT_YET_VALID; + expected_results[6] = Path_Validation_Result::CERT_NOT_YET_VALID; + expected_results[7] = Path_Validation_Result::VERIFIED; + expected_results[8] = Path_Validation_Result::CERT_NOT_YET_VALID; + expected_results[9] = Path_Validation_Result::CERT_HAS_EXPIRED; + expected_results[10] = Path_Validation_Result::CERT_HAS_EXPIRED; + expected_results[11] = Path_Validation_Result::CERT_HAS_EXPIRED; + expected_results[12] = Path_Validation_Result::VERIFIED; + expected_results[13] = Path_Validation_Result::CERT_ISSUER_NOT_FOUND; + + expected_results[14] = Path_Validation_Result::CERT_ISSUER_NOT_FOUND; + expected_results[15] = Path_Validation_Result::VERIFIED; + expected_results[16] = Path_Validation_Result::VERIFIED; + expected_results[17] = 
Path_Validation_Result::VERIFIED; + expected_results[18] = Path_Validation_Result::VERIFIED; + + expected_results[19] = Path_Validation_Result::CRL_NOT_FOUND; + expected_results[20] = Path_Validation_Result::CERT_IS_REVOKED; + expected_results[21] = Path_Validation_Result::CERT_IS_REVOKED; + + expected_results[22] = Path_Validation_Result::CA_CERT_NOT_FOR_CERT_ISSUER; + expected_results[23] = Path_Validation_Result::CA_CERT_NOT_FOR_CERT_ISSUER; + expected_results[24] = Path_Validation_Result::VERIFIED; + expected_results[25] = Path_Validation_Result::CA_CERT_NOT_FOR_CERT_ISSUER; + expected_results[26] = Path_Validation_Result::VERIFIED; + expected_results[27] = Path_Validation_Result::VERIFIED; + expected_results[28] = Path_Validation_Result::CA_CERT_NOT_FOR_CERT_ISSUER; + expected_results[29] = Path_Validation_Result::CA_CERT_NOT_FOR_CERT_ISSUER; + expected_results[30] = Path_Validation_Result::VERIFIED; + + expected_results[31] = Path_Validation_Result::CA_CERT_NOT_FOR_CRL_ISSUER; + expected_results[32] = Path_Validation_Result::CA_CERT_NOT_FOR_CRL_ISSUER; + expected_results[33] = Path_Validation_Result::VERIFIED; /* Policy tests: a little trickier because there are other inputs 
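Review bot: `expected_results[19] = Path_Validation_Result::CRL_NOT_FOUND;` reverses the deviation documented in the removed block comment, but the new expectation only holds because run_one_test builds `Path_Validation_Restrictions restrictions(true)`, and nothing in this function records that dependency. A short comment such as `// #19: one CA has no CRL; with revocation data required this is CRL_NOT_FOUND` keeps the table self-explanatory. The removed FIXME on #14 carried no concrete content, so dropping it is fine.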
@@ -280,67 +261,54 @@ void populate_expected_results() This provides reasonably good coverage of the possible outcomes. */ - expected_results[34] = VERIFIED; - expected_results[35] = VERIFIED; - expected_results[36] = VERIFIED; - expected_results[37] = VERIFIED; - expected_results[38] = VERIFIED; - expected_results[39] = VERIFIED; - expected_results[40] = VERIFIED; - expected_results[41] = VERIFIED; - expected_results[42] = VERIFIED; - expected_results[43] = VERIFIED; - expected_results[44] = VERIFIED; - - //expected_results[45] = EXPLICT_POLICY_REQUIRED; - //expected_results[46] = ACCEPT; - //expected_results[47] = EXPLICT_POLICY_REQUIRED; - - expected_results[48] = VERIFIED; - expected_results[49] = VERIFIED; - expected_results[50] = VERIFIED; - expected_results[51] = VERIFIED; - expected_results[52] = VERIFIED; - expected_results[53] = VERIFIED; - - expected_results[54] = CERT_CHAIN_TOO_LONG; - expected_results[55] = CERT_CHAIN_TOO_LONG; - expected_results[56] = VERIFIED; - expected_results[57] = VERIFIED; - expected_results[58] = CERT_CHAIN_TOO_LONG; - expected_results[59] = CERT_CHAIN_TOO_LONG; - expected_results[60] = CERT_CHAIN_TOO_LONG; - expected_results[61] = CERT_CHAIN_TOO_LONG; - expected_results[62] = VERIFIED; - expected_results[63] = VERIFIED; - - expected_results[64] = SIGNATURE_ERROR; - - /************ CHANGE OF TEST RESULT FOR TEST #65 ************************* - I cannot figure out what exactly the problem here is supposed to be; - looking at it by hand, everything seems fine. If someone can explain I - would be happy to listen. - ************************************************************************/ - expected_results[65] = VERIFIED; - expected_results[66] = CRL_ISSUER_NOT_FOUND; - - /************ CHANGE OF TEST RESULT FOR TEST #67 ************************* - The test docs say this should be verified. However, the problem being that - there is an extra CRL with an unknown issuer. 
Returning VERIFIED in this - case is obviously bad, since the user may well want to know that the CRL - in question has no known issuer. So we return CRL_ISSUER_NOT_FOUND instead - of VERIFIED. The actual certificate path of course still verifies, but - it's kind of an all-or-nothing testing procedure. - ************************************************************************/ - expected_results[67] = CRL_ISSUER_NOT_FOUND; - - expected_results[68] = CERT_IS_REVOKED; - expected_results[69] = CERT_IS_REVOKED; - expected_results[70] = CERT_IS_REVOKED; - expected_results[71] = CERT_IS_REVOKED; - expected_results[72] = CRL_HAS_EXPIRED; - expected_results[73] = CRL_HAS_EXPIRED; - expected_results[74] = VERIFIED; + expected_results[34] = Path_Validation_Result::VERIFIED; + expected_results[35] = Path_Validation_Result::VERIFIED; + expected_results[36] = Path_Validation_Result::VERIFIED; + expected_results[37] = Path_Validation_Result::VERIFIED; + expected_results[38] = Path_Validation_Result::VERIFIED; + expected_results[39] = Path_Validation_Result::VERIFIED; + expected_results[40] = Path_Validation_Result::VERIFIED; + expected_results[41] = Path_Validation_Result::VERIFIED; + expected_results[42] = Path_Validation_Result::VERIFIED; + expected_results[43] = Path_Validation_Result::VERIFIED; + expected_results[44] = Path_Validation_Result::VERIFIED; + + //expected_results[45] = Path_Validation_Result::EXPLICT_POLICY_REQUIRED; + //expected_results[46] = Path_Validation_Result::ACCEPT; + //expected_results[47] = Path_Validation_Result::EXPLICT_POLICY_REQUIRED; + + expected_results[48] = Path_Validation_Result::VERIFIED; + expected_results[49] = Path_Validation_Result::VERIFIED; + expected_results[50] = Path_Validation_Result::VERIFIED; + expected_results[51] = Path_Validation_Result::VERIFIED; + expected_results[52] = Path_Validation_Result::VERIFIED; + expected_results[53] = Path_Validation_Result::VERIFIED; + + expected_results[54] = 
Path_Validation_Result::CERT_CHAIN_TOO_LONG; + expected_results[55] = Path_Validation_Result::CERT_CHAIN_TOO_LONG; + expected_results[56] = Path_Validation_Result::VERIFIED; + expected_results[57] = Path_Validation_Result::VERIFIED; + expected_results[58] = Path_Validation_Result::CERT_CHAIN_TOO_LONG; + expected_results[59] = Path_Validation_Result::CERT_CHAIN_TOO_LONG; + expected_results[60] = Path_Validation_Result::CERT_CHAIN_TOO_LONG; + expected_results[61] = Path_Validation_Result::CERT_CHAIN_TOO_LONG; + expected_results[62] = Path_Validation_Result::VERIFIED; + expected_results[63] = Path_Validation_Result::VERIFIED; + + expected_results[64] = Path_Validation_Result::SIGNATURE_ERROR; + + expected_results[65] = Path_Validation_Result::CRL_NOT_FOUND; + expected_results[66] = Path_Validation_Result::CRL_NOT_FOUND; + + expected_results[67] = Path_Validation_Result::VERIFIED; + + expected_results[68] = Path_Validation_Result::CERT_IS_REVOKED; + expected_results[69] = Path_Validation_Result::CERT_IS_REVOKED; + expected_results[70] = Path_Validation_Result::CERT_IS_REVOKED; + expected_results[71] = Path_Validation_Result::CERT_IS_REVOKED; + expected_results[72] = Path_Validation_Result::CRL_HAS_EXPIRED; + expected_results[73] = Path_Validation_Result::CRL_HAS_EXPIRED; + expected_results[74] = Path_Validation_Result::VERIFIED; /* These tests use weird CRL extensions which aren't supported yet */ //expected_results[75] = ; diff --git a/checks/x509.cpp b/checks/x509.cpp index a16ff10cd..46b748da6 100644 --- a/checks/x509.cpp +++ b/checks/x509.cpp @@ -21,7 +21,7 @@ #if defined(BOTAN_HAS_X509_CERTIFICATES) #include <botan/x509self.h> - #include <botan/x509stor.h> + #include <botan/x509path.h> #include <botan/x509_ca.h> #include <botan/pkcs10.h> #endif 
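Review bot: `expected_results[67] = Path_Validation_Result::VERIFIED;` changes the #67 expectation to the outcome the removed comment argued against (an extra CRL with an unknown issuer no longer surfaces as `CRL_ISSUER_NOT_FOUND`), and #65/#66 now both map to `CRL_NOT_FOUND`, but the explanatory comments went away with the old values. Since the removed text says the test docs expect #67 to verify, a replacement comment along the lines of `// #67: an extra CRL from an unknown issuer is not reported by path validation, matching the test spec` preserves the reasoning for whoever next asks whether an unverifiable CRL should be flagged. The reason #66 moved from `CRL_ISSUER_NOT_FOUND` to `CRL_NOT_FOUND` is not visible here and is worth one line too.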
@@ -137,7 +137,7 @@ void do_x509_tests(RandomNumberGenerator& rng) /* Create the CA's key and self-signed cert */ std::cout << '.' << std::flush; - RSA_PrivateKey ca_key(rng, 1024); + RSA_PrivateKey ca_key(rng, 2048); std::cout << '.' << std::flush; X509_Certificate ca_cert = X509::create_self_signed_cert(ca_opts(), @@ -147,7 +147,7 @@ void do_x509_tests(RandomNumberGenerator& rng) std::cout << '.' << std::flush; /* Create user #1's key and cert request */ - DSA_PrivateKey user1_key(rng, DL_Group("dsa/jce/1024")); + DSA_PrivateKey user1_key(rng, DL_Group("dsa/botan/2048")); std::cout << '.' << std::flush; PKCS10_Request user1_req = X509::create_cert_req(req_opts1(), @@ -161,7 +161,7 @@ void do_x509_tests(RandomNumberGenerator& rng) EC_Group ecc_domain(OID("1.2.840.10045.3.1.7")); ECDSA_PrivateKey user2_key(rng, ecc_domain); #else - RSA_PrivateKey user2_key(rng, 1024); + RSA_PrivateKey user2_key(rng, 1536); #endif std::cout << '.' << std::flush; 
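Review bot: `RSA_PrivateKey ca_key(rng, 2048);` in the -137 hunk and the matching bumps in the -147 (`dsa/botan/2048`) and -161 (`RSA_PrivateKey user2_key(rng, 1536)`) hunks change key sizes without saying why; if the motivation is a minimum key strength enforced by `Path_Validation_Restrictions`, a comment naming that threshold would also explain the asymmetry between 2048 for the CA and user1 and 1536 for user2. Something like `// key sizes chosen to clear the validator's minimum key strength — confirm against Path_Validation_Restrictions` at the first of them is enough. Larger keys make this check noticeably slower, which is acceptable for a test but worth knowing. do_x509_tests starts and ends outside these hunks.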
@@ -190,19 +190,25 @@ void do_x509_tests(RandomNumberGenerator& rng) X509_CRL crl1 = ca.new_crl(rng); /* Verify the certs */ - X509_Store store; + Certificate_Store_In_Memory store; - store.add_cert(ca_cert, true); // second arg == true: trusted CA cert + store.add_certificate(ca_cert); std::cout << '.' << std::flush; - if(store.validate_cert(user1_cert) != VERIFIED) - std::cout << "\nFAILED: User cert #1 did not validate" << std::endl; - if(store.validate_cert(user2_cert) != VERIFIED) - std::cout << "\nFAILED: User cert #2 did not validate" << std::endl; + Path_Validation_Restrictions restrictions; - if(store.add_crl(crl1) != VERIFIED) - std::cout << "\nFAILED: CRL #1 did not validate" << std::endl; + Path_Validation_Result result_u1 = x509_path_validate(user1_cert, restrictions, store); + if(!result_u1.successful_validation()) + std::cout << "FAILED: User cert #1 did not validate - " + << result_u1.result_string() << std::endl; + + Path_Validation_Result result_u2 = x509_path_validate(user2_cert, restrictions, store); + if(!result_u2.successful_validation()) + std::cout << "FAILED: User cert #2 did not validate - " + << result_u2.result_string() << std::endl; + + store.add_crl(crl1); std::vector<CRL_Entry> revoked; revoked.push_back(CRL_Entry(user1_cert, CESSATION_OF_OPERATION)); 
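Review bot: `std::cout << "FAILED: User cert #1 did not validate - "` and the other new messages in this hunk and the -210 hunk drop the leading `\n` the old messages had, so failure text is now appended to the progress-dot line written by `std::cout << '.' << std::flush`. Restoring `"\nFAILED: ..."` keeps each failure on its own line. Separately, `store.add_crl(crl1);` replaces a checked `add_crl(...) != VERIFIED`, so the CA-signed CRL is no longer asserted to be accepted (the same applies to crl2 and crl3 in the -210 hunk); re-running `x509_path_validate(user1_cert, restrictions, store)` after the add and checking `successful_validation()` would keep that coverage. do_x509_tests continues outside this hunk.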
@@ -210,24 +216,28 @@ void do_x509_tests(RandomNumberGenerator& rng) X509_CRL crl2 = ca.update_crl(crl1, revoked, rng); - if(store.add_crl(crl2) != VERIFIED) - std::cout << "\nFAILED: CRL #2 did not validate" << std::endl; + store.add_crl(crl2); - if(store.validate_cert(user1_cert) != CERT_IS_REVOKED) - std::cout << "\nFAILED: User cert #1 was not revoked" << std::endl; + result_u1 = x509_path_validate(user1_cert, restrictions, store); + if(result_u1.result() != Path_Validation_Result::CERT_IS_REVOKED) + std::cout << "FAILED: User cert #1 was not revoked - " + << result_u1.result_string() << std::endl; - if(store.validate_cert(user2_cert) != CERT_IS_REVOKED) - std::cout << "\nFAILED: User cert #2 was not revoked" << std::endl; + result_u2 = x509_path_validate(user2_cert, restrictions, store); + if(result_u2.result() != Path_Validation_Result::CERT_IS_REVOKED) + std::cout << "FAILED: User cert #2 was not revoked - " + << result_u2.result_string() << std::endl; revoked.clear(); revoked.push_back(CRL_Entry(user1_cert, REMOVE_FROM_CRL)); X509_CRL crl3 = ca.update_crl(crl2, revoked, rng); - if(store.add_crl(crl3) != VERIFIED) - std::cout << "\nFAILED: CRL #3 did not validate" << std::endl; + store.add_crl(crl3); - if(store.validate_cert(user1_cert) != VERIFIED) - std::cout << "\nFAILED: User cert #1 was not un-revoked" << std::endl; + result_u1 = x509_path_validate(user1_cert, restrictions, store); + if(!result_u1.successful_validation()) + std::cout << "FAILED: User cert #1 was not un-revoked - " + << result_u1.result_string() << std::endl; check_against_copy(ca_key, rng); check_against_copy(user1_key, rng); |
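Review bot: After `store.add_crl(crl3);` the hunk only checks that user cert #1 is un-revoked; if `ca.update_crl(crl2, revoked, rng)` carries crl2's entries forward, user cert #2 should still come back `CERT_IS_REVOKED`, and asserting that would catch a CRL update that silently drops earlier entries. Mirroring the existing checks: `result_u2 = x509_path_validate(user2_cert, restrictions, store); if(result_u2.result() != Path_Validation_Result::CERT_IS_REVOKED) std::cout << "\nFAILED: User cert #2 was un-revoked - " << result_u2.result_string() << std::endl;`. do_x509_tests continues outside this hunk.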