aboutsummaryrefslogtreecommitdiffstats
path: root/tests/test_x509.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'tests/test_x509.cpp')
-rw-r--r--tests/test_x509.cpp256
1 files changed, 256 insertions, 0 deletions
diff --git a/tests/test_x509.cpp b/tests/test_x509.cpp
new file mode 100644
index 000000000..d5f8dfc7b
--- /dev/null
+++ b/tests/test_x509.cpp
@@ -0,0 +1,256 @@
+/*
+* (C) 2009 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include "tests.h"
+#include "common.h"
+
+#include <botan/filters.h>
+#include <botan/auto_rng.h>
+
+#if defined(BOTAN_HAS_RSA)
+ #include <botan/rsa.h>
+#endif
+
+#if defined(BOTAN_HAS_DSA)
+ #include <botan/dsa.h>
+#endif
+
+#if defined(BOTAN_HAS_ECDSA)
+ #include <botan/ecdsa.h>
+#endif
+
+#if defined(BOTAN_HAS_X509_CERTIFICATES)
+ #include <botan/x509self.h>
+ #include <botan/x509path.h>
+ #include <botan/x509_ca.h>
+ #include <botan/pkcs10.h>
+#endif
+
+using namespace Botan;
+
+#include <iostream>
+#include <memory>
+
+
+#if defined(BOTAN_HAS_X509_CERTIFICATES) && \
+ defined(BOTAN_HAS_RSA) && \
+ defined(BOTAN_HAS_DSA)
+
+namespace {
+
+u64bit key_id(const Public_Key* key)
+ {
+ Pipe pipe(new Hash_Filter("SHA-1", 8));
+ pipe.start_msg();
+ pipe.write(key->algo_name());
+ pipe.write(key->algorithm_identifier().parameters);
+ pipe.write(key->x509_subject_public_key());
+ pipe.end_msg();
+
+ secure_vector<byte> output = pipe.read_all();
+
+ if(output.size() != 8)
+ throw Internal_Error("Public_Key::key_id: Incorrect output size");
+
+ u64bit id = 0;
+ for(u32bit j = 0; j != 8; ++j)
+ id = (id << 8) | output[j];
+ return id;
+ }
+
+
+/* Return some option sets */
+X509_Cert_Options ca_opts()
+ {
+ X509_Cert_Options opts("Test CA/US/Botan Project/Testing");
+
+ opts.uri = "http://botan.randombit.net";
+ opts.dns = "botan.randombit.net";
+ opts.email = "[email protected]";
+
+ opts.CA_key(1);
+
+ return opts;
+ }
+
+X509_Cert_Options req_opts1()
+ {
+ X509_Cert_Options opts("Test User 1/US/Botan Project/Testing");
+
+ opts.uri = "http://botan.randombit.net";
+ opts.dns = "botan.randombit.net";
+ opts.email = "[email protected]";
+
+ return opts;
+ }
+
+X509_Cert_Options req_opts2()
+ {
+ X509_Cert_Options opts("Test User 2/US/Botan Project/Testing");
+
+ opts.uri = "http://botan.randombit.net";
+ opts.dns = "botan.randombit.net";
+ opts.email = "[email protected]";
+
+ opts.add_ex_constraint("PKIX.EmailProtection");
+
+ return opts;
+ }
+
+u32bit check_against_copy(const Private_Key& orig,
+ RandomNumberGenerator& rng)
+ {
+ Private_Key* copy_priv = PKCS8::copy_key(orig, rng);
+ Public_Key* copy_pub = X509::copy_key(orig);
+
+ const std::string passphrase= "I need work! -Mr. T";
+ DataSource_Memory enc_source(PKCS8::PEM_encode(orig, rng, passphrase));
+ Private_Key* copy_priv_enc = PKCS8::load_key(enc_source, rng,
+ passphrase);
+
+ u64bit orig_id = key_id(&orig);
+ u64bit pub_id = key_id(copy_pub);
+ u64bit priv_id = key_id(copy_priv);
+ u64bit priv_enc_id = key_id(copy_priv_enc);
+
+ delete copy_pub;
+ delete copy_priv;
+ delete copy_priv_enc;
+
+ if(orig_id != pub_id || orig_id != priv_id || orig_id != priv_enc_id)
+ {
+ std::cout << "Failed copy check for " << orig.algo_name() << "\n";
+ return 1;
+ }
+ return 0;
+ }
+
+}
+
+size_t test_x509()
+ {
+ AutoSeeded_RNG rng;
+ const std::string hash_fn = "SHA-256";
+
+ size_t fails = 0;
+
+ /* Create the CA's key and self-signed cert */
+ RSA_PrivateKey ca_key(rng, 2048);
+
+ X509_Certificate ca_cert = X509::create_self_signed_cert(ca_opts(),
+ ca_key,
+ hash_fn,
+ rng);
+ /* Create user #1's key and cert request */
+ DSA_PrivateKey user1_key(rng, DL_Group("dsa/botan/2048"));
+
+ PKCS10_Request user1_req = X509::create_cert_req(req_opts1(),
+ user1_key,
+ "SHA-1",
+ rng);
+
+ /* Create user #2's key and cert request */
+#if defined(BOTAN_HAS_ECDSA)
+ EC_Group ecc_domain(OID("1.2.840.10045.3.1.7"));
+ ECDSA_PrivateKey user2_key(rng, ecc_domain);
+#else
+ RSA_PrivateKey user2_key(rng, 1536);
+#endif
+
+ PKCS10_Request user2_req = X509::create_cert_req(req_opts2(),
+ user2_key,
+ hash_fn,
+ rng);
+
+ /* Create the CA object */
+ X509_CA ca(ca_cert, ca_key, hash_fn);
+
+ /* Sign the requests to create the certs */
+ X509_Certificate user1_cert =
+ ca.sign_request(user1_req, rng,
+ X509_Time("2008-01-01"), X509_Time("2100-01-01"));
+
+ X509_Certificate user2_cert = ca.sign_request(user2_req, rng,
+ X509_Time("2008-01-01"),
+ X509_Time("2100-01-01"));
+ X509_CRL crl1 = ca.new_crl(rng);
+
+ /* Verify the certs */
+ Certificate_Store_In_Memory store;
+
+ store.add_certificate(ca_cert);
+
+ Path_Validation_Restrictions restrictions;
+
+ Path_Validation_Result result_u1 = x509_path_validate(user1_cert, restrictions, store);
+ if(!result_u1.successful_validation())
+ {
+ std::cout << "FAILED: User cert #1 did not validate - "
+ << result_u1.result_string() << std::endl;
+ ++fails;
+ }
+
+ Path_Validation_Result result_u2 = x509_path_validate(user2_cert, restrictions, store);
+ if(!result_u2.successful_validation())
+ {
+ std::cout << "FAILED: User cert #2 did not validate - "
+ << result_u2.result_string() << std::endl;
+ ++fails;
+ }
+
+ store.add_crl(crl1);
+
+ std::vector<CRL_Entry> revoked;
+ revoked.push_back(CRL_Entry(user1_cert, CESSATION_OF_OPERATION));
+ revoked.push_back(user2_cert);
+
+ X509_CRL crl2 = ca.update_crl(crl1, revoked, rng);
+
+ store.add_crl(crl2);
+
+ result_u1 = x509_path_validate(user1_cert, restrictions, store);
+ if(result_u1.result() != Certificate_Status_Code::CERT_IS_REVOKED)
+ {
+ std::cout << "FAILED: User cert #1 was not revoked - "
+ << result_u1.result_string() << std::endl;
+ ++fails;
+ }
+
+ result_u2 = x509_path_validate(user2_cert, restrictions, store);
+ if(result_u2.result() != Certificate_Status_Code::CERT_IS_REVOKED)
+ {
+ std::cout << "FAILED: User cert #2 was not revoked - "
+ << result_u2.result_string() << std::endl;
+ ++fails;
+ }
+
+ revoked.clear();
+ revoked.push_back(CRL_Entry(user1_cert, REMOVE_FROM_CRL));
+ X509_CRL crl3 = ca.update_crl(crl2, revoked, rng);
+
+ store.add_crl(crl3);
+
+ result_u1 = x509_path_validate(user1_cert, restrictions, store);
+ if(!result_u1.successful_validation())
+ {
+ std::cout << "FAILED: User cert #1 was not un-revoked - "
+ << result_u1.result_string() << std::endl;
+ ++fails;
+ }
+
+ check_against_copy(ca_key, rng);
+ check_against_copy(user1_key, rng);
+ check_against_copy(user2_key, rng);
+
+ return fails;
+ }
+
+#else
+
+size_t test_x590() { return 0; }
+
+#endif
+