mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
596 lines
19 KiB
C
596 lines
19 KiB
C
|
/* ***** BEGIN LICENSE BLOCK *****
|
||
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||
|
*
|
||
|
* The contents of this file are subject to the Mozilla Public License Version
|
||
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
||
|
* the License. You may obtain a copy of the License at
|
||
|
* http://www.mozilla.org/MPL/
|
||
|
*
|
||
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
||
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||
|
* for the specific language governing rights and limitations under the
|
||
|
* License.
|
||
|
*
|
||
|
* The Original Code is the PKIX-C library.
|
||
|
*
|
||
|
* The Initial Developer of the Original Code is
|
||
|
* Sun Microsystems, Inc.
|
||
|
* Portions created by the Initial Developer are
|
||
|
* Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
|
||
|
*
|
||
|
* Contributor(s):
|
||
|
* Sun Microsystems, Inc.
|
||
|
*
|
||
|
* Alternatively, the contents of this file may be used under the terms of
|
||
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
||
|
* of those above. If you wish to allow use of your version of this file only
|
||
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
||
|
* use your version of this file under the terms of the MPL, indicate your
|
||
|
* decision by deleting the provisions above and replace them with the notice
|
||
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
||
|
* the provisions above, a recipient may use your version of this file under
|
||
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
||
|
*
|
||
|
* ***** END LICENSE BLOCK ***** */
|
||
|
/*
|
||
|
* test_policychecker.c
|
||
|
*
|
||
|
* Test Policy Checking
|
||
|
*
|
||
|
*/
|
||
|
|
||
|
#include "testutil.h"
|
||
|
#include "testutil_nss.h"
|
||
|
|
||
|
#define PKIX_TEST_MAX_CERTS 10
|
||
|
|
||
|
static void *plContext = NULL;
|
||
|
|
||
|
static
|
||
|
void printUsage(char *testname) {
|
||
|
char *fmt =
|
||
|
"USAGE: %s testname"
|
||
|
" [ENE|EE] \"{OID[:OID]*}\" [A|E|P] cert [cert]*\n"
|
||
|
"(The quotes are needed around the OID argument for dbx.)\n"
|
||
|
"(The optional arg A indicates initialAnyPolicyInhibit.)\n"
|
||
|
"(The optional arg E indicates initialExplicitPolicy.)\n"
|
||
|
"(The optional arg P indicates initialPolicyMappingInhibit.)\n";
|
||
|
printf(fmt, testname);
|
||
|
}
|
||
|
|
||
|
static
|
||
|
void printUsageMax(PKIX_UInt32 numCerts)
|
||
|
{
|
||
|
printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
|
||
|
numCerts, PKIX_TEST_MAX_CERTS);
|
||
|
}
|
||
|
|
||
|
static
|
||
|
PKIX_List *policySetParse(char *policyString)
|
||
|
{
|
||
|
char *p = NULL;
|
||
|
char *oid = NULL;
|
||
|
char c = '\0';
|
||
|
PKIX_Boolean validString = PKIX_FALSE;
|
||
|
PKIX_PL_OID *plOID = NULL;
|
||
|
PKIX_List *policySet = NULL;
|
||
|
|
||
|
PKIX_TEST_STD_VARS();
|
||
|
|
||
|
p = policyString;
|
||
|
|
||
|
/*
|
||
|
* There may or may not be quotes around the initial-policy-set
|
||
|
* string. If they are omitted, dbx will strip off the curly braces.
|
||
|
* If they are included, dbx will strip off the quotes, but if you
|
||
|
* are running directly from a script, without dbx, the quotes will
|
||
|
* not be stripped. We need to be able to handle both cases.
|
||
|
*/
|
||
|
if (*p == '"') {
|
||
|
p++;
|
||
|
}
|
||
|
|
||
|
if ('{' != *p++) {
|
||
|
return (NULL);
|
||
|
}
|
||
|
oid = p;
|
||
|
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext));
|
||
|
|
||
|
/* scan to the end of policyString */
|
||
|
while (!validString) {
|
||
|
/* scan to the end of the current OID string */
|
||
|
c = *oid;
|
||
|
while ((c != '\0') && (c != ':') && (c != '}')) {
|
||
|
c = *++oid;
|
||
|
}
|
||
|
|
||
|
if ((c != ':') || (c != '}')) {
|
||
|
*oid = '\0'; /* store a null terminator */
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
|
||
|
(p, &plOID, plContext));
|
||
|
|
||
|
PKIX_TEST_EXPECT_NO_ERROR
|
||
|
(PKIX_List_AppendItem
|
||
|
(policySet,
|
||
|
(PKIX_PL_Object *)plOID,
|
||
|
plContext));
|
||
|
|
||
|
PKIX_TEST_DECREF_BC(plOID);
|
||
|
plOID = NULL;
|
||
|
if (c == '}') {
|
||
|
/*
|
||
|
* Any exit but this one means
|
||
|
* we were given a badly-formed string.
|
||
|
*/
|
||
|
validString = PKIX_TRUE;
|
||
|
}
|
||
|
p = ++oid;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
|
||
|
cleanup:
|
||
|
if (!validString) {
|
||
|
PKIX_TEST_DECREF_AC(plOID);
|
||
|
PKIX_TEST_DECREF_AC(policySet);
|
||
|
policySet = NULL;
|
||
|
}
|
||
|
|
||
|
PKIX_TEST_RETURN();
|
||
|
|
||
|
return (policySet);
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* FUNCTION: treeToStringHelper
|
||
|
* This function obtains the string representation of a PolicyNode
|
||
|
* Tree and compares it to the expected value.
|
||
|
* PARAMETERS:
|
||
|
* "parent" - a PolicyNode, the root of a PolicyNodeTree;
|
||
|
* must be non-NULL.
|
||
|
* "expected" - the desired string.
|
||
|
* THREAD SAFETY:
|
||
|
* Thread Safe
|
||
|
*
|
||
|
* Multiple threads can safely call this function without worrying
|
||
|
* about conflicts, even if they're operating on the same object.
|
||
|
* RETURNS:
|
||
|
* Nothing.
|
||
|
*/
|
||
|
static void
|
||
|
treeToStringHelper(PKIX_PolicyNode *parent, char *expected)
|
||
|
{
|
||
|
PKIX_PL_String *stringRep = NULL;
|
||
|
char *actual = NULL;
|
||
|
PKIX_TEST_STD_VARS();
|
||
|
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
|
||
|
((PKIX_PL_Object *)parent, &stringRep, plContext));
|
||
|
|
||
|
actual = PKIX_String2ASCII(stringRep, plContext);
|
||
|
if (actual == NULL){
|
||
|
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
if (PL_strcmp(actual, expected) != 0){
|
||
|
testError("unexpected mismatch");
|
||
|
(void) printf("Actual value:\t%s\n", actual);
|
||
|
(void) printf("Expected value:\t%s\n", expected);
|
||
|
}
|
||
|
|
||
|
cleanup:
|
||
|
|
||
|
PKIX_PL_Free(actual, plContext);
|
||
|
|
||
|
PKIX_TEST_DECREF_AC(stringRep);
|
||
|
|
||
|
PKIX_TEST_RETURN();
|
||
|
}
|
||
|
|
||
|
static
|
||
|
void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
|
||
|
|
||
|
PKIX_List *chain = NULL;
|
||
|
PKIX_ValidateParams *valParams = NULL;
|
||
|
PKIX_ValidateResult *valResult = NULL;
|
||
|
|
||
|
PKIX_TEST_STD_VARS();
|
||
|
|
||
|
subTest("Basic-Common-Fields <pass>");
|
||
|
/*
|
||
|
* Tests the Expiration, NameChaining, and Signature Checkers
|
||
|
*/
|
||
|
|
||
|
chain = createCertChain(dirName, goodInput, diffInput, plContext);
|
||
|
|
||
|
valParams = createValidateParams
|
||
|
(dirName,
|
||
|
goodInput,
|
||
|
diffInput,
|
||
|
dateAscii,
|
||
|
NULL,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
chain,
|
||
|
plContext);
|
||
|
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
|
||
|
(valParams, &valResult, NULL, plContext));
|
||
|
|
||
|
cleanup:
|
||
|
|
||
|
PKIX_TEST_DECREF_AC(chain);
|
||
|
PKIX_TEST_DECREF_AC(valParams);
|
||
|
PKIX_TEST_DECREF_AC(valResult);
|
||
|
|
||
|
PKIX_TEST_RETURN();
|
||
|
}
|
||
|
|
||
|
static
|
||
|
void testNistTest1(char *dirName)
|
||
|
{
|
||
|
#define PKIX_TEST_NUM_CERTS 2
|
||
|
char *trustAnchor =
|
||
|
"TrustAnchorRootCertificate.crt";
|
||
|
char *intermediateCert =
|
||
|
"GoodCACert.crt";
|
||
|
char *endEntityCert =
|
||
|
"ValidCertificatePathTest1EE.crt";
|
||
|
char *certNames[PKIX_TEST_NUM_CERTS];
|
||
|
char *asciiAnyPolicy = "2.5.29.32.0";
|
||
|
PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
|
||
|
|
||
|
PKIX_ValidateParams *valParams = NULL;
|
||
|
PKIX_ValidateResult *valResult = NULL;
|
||
|
PKIX_List *chain = NULL;
|
||
|
PKIX_PL_OID *anyPolicyOID = NULL;
|
||
|
PKIX_List *initialPolicies = NULL;
|
||
|
char *anchorName = NULL;
|
||
|
|
||
|
PKIX_TEST_STD_VARS();
|
||
|
|
||
|
subTest("testNistTest1: Creating the cert chain");
|
||
|
/*
|
||
|
* Create a chain, but don't include the first certName.
|
||
|
* That's the anchor, and is supplied separately from
|
||
|
* the chain.
|
||
|
*/
|
||
|
certNames[0] = intermediateCert;
|
||
|
certNames[1] = endEntityCert;
|
||
|
chain = createCertChainPlus
|
||
|
(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
|
||
|
|
||
|
subTest("testNistTest1: Creating the Validate Parameters");
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
|
||
|
(asciiAnyPolicy, &anyPolicyOID, plContext));
|
||
|
PKIX_TEST_EXPECT_NO_ERROR
|
||
|
(PKIX_List_Create(&initialPolicies, plContext));
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
|
||
|
(initialPolicies, (PKIX_PL_Object *)anyPolicyOID, plContext));
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
|
||
|
(initialPolicies, plContext));
|
||
|
|
||
|
valParams = createValidateParams
|
||
|
(dirName,
|
||
|
trustAnchor,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
initialPolicies,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
chain,
|
||
|
plContext);
|
||
|
|
||
|
subTest("testNistTest1: Validating the chain");
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
|
||
|
(valParams, &valResult, NULL, plContext));
|
||
|
|
||
|
|
||
|
cleanup:
|
||
|
|
||
|
PKIX_PL_Free(anchorName, plContext);
|
||
|
|
||
|
PKIX_TEST_DECREF_AC(anyPolicyOID);
|
||
|
PKIX_TEST_DECREF_AC(initialPolicies);
|
||
|
PKIX_TEST_DECREF_AC(valParams);
|
||
|
PKIX_TEST_DECREF_AC(valResult);
|
||
|
PKIX_TEST_DECREF_AC(chain);
|
||
|
|
||
|
PKIX_TEST_RETURN();
|
||
|
}
|
||
|
|
||
|
static
|
||
|
void testNistTest2(char *dirName)
|
||
|
{
|
||
|
#define PKIX_TEST_NUM_CERTS 2
|
||
|
char *trustAnchor =
|
||
|
"TrustAnchorRootCertificate.crt";
|
||
|
char *intermediateCert =
|
||
|
"GoodCACert.crt";
|
||
|
char *endEntityCert =
|
||
|
"ValidCertificatePathTest1EE.crt";
|
||
|
char *certNames[PKIX_TEST_NUM_CERTS];
|
||
|
char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1";
|
||
|
PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
|
||
|
|
||
|
PKIX_ValidateParams *valParams = NULL;
|
||
|
PKIX_ValidateResult *valResult = NULL;
|
||
|
PKIX_List *chain = NULL;
|
||
|
PKIX_PL_OID *Nist1PolicyOID = NULL;
|
||
|
PKIX_List *initialPolicies = NULL;
|
||
|
char *anchorName = NULL;
|
||
|
|
||
|
PKIX_TEST_STD_VARS();
|
||
|
|
||
|
subTest("testNistTest2: Creating the cert chain");
|
||
|
/*
|
||
|
* Create a chain, but don't include the first certName.
|
||
|
* That's the anchor, and is supplied separately from
|
||
|
* the chain.
|
||
|
*/
|
||
|
certNames[0] = intermediateCert;
|
||
|
certNames[1] = endEntityCert;
|
||
|
chain = createCertChainPlus
|
||
|
(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
|
||
|
|
||
|
subTest("testNistTest2: Creating the Validate Parameters");
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
|
||
|
(asciiNist1Policy, &Nist1PolicyOID, plContext));
|
||
|
PKIX_TEST_EXPECT_NO_ERROR
|
||
|
(PKIX_List_Create(&initialPolicies, plContext));
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
|
||
|
(initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext));
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
|
||
|
(initialPolicies, plContext));
|
||
|
|
||
|
valParams = createValidateParams
|
||
|
(dirName,
|
||
|
trustAnchor,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
initialPolicies,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
PKIX_FALSE,
|
||
|
chain,
|
||
|
plContext);
|
||
|
|
||
|
subTest("testNistTest2: Validating the chain");
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
|
||
|
(valParams, &valResult, NULL, plContext));
|
||
|
|
||
|
|
||
|
cleanup:
|
||
|
|
||
|
PKIX_PL_Free(anchorName, plContext);
|
||
|
|
||
|
PKIX_TEST_DECREF_AC(Nist1PolicyOID);
|
||
|
PKIX_TEST_DECREF_AC(initialPolicies);
|
||
|
PKIX_TEST_DECREF_AC(valParams);
|
||
|
PKIX_TEST_DECREF_AC(valResult);
|
||
|
PKIX_TEST_DECREF_AC(chain);
|
||
|
|
||
|
PKIX_TEST_RETURN();
|
||
|
}
|
||
|
|
||
|
static void printValidPolicyTree(PKIX_ValidateResult *valResult)
|
||
|
{
|
||
|
PKIX_PolicyNode* validPolicyTree = NULL;
|
||
|
PKIX_PL_String *treeString = NULL;
|
||
|
|
||
|
PKIX_TEST_STD_VARS();
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
|
||
|
(valResult, &validPolicyTree, plContext));
|
||
|
if (validPolicyTree) {
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
|
||
|
((PKIX_PL_Object*)validPolicyTree,
|
||
|
&treeString,
|
||
|
plContext));
|
||
|
(void) printf("validPolicyTree is\n\t%s\n",
|
||
|
treeString->escAsciiString);
|
||
|
} else {
|
||
|
(void) printf("validPolicyTree is NULL\n");
|
||
|
}
|
||
|
|
||
|
cleanup:
|
||
|
|
||
|
PKIX_TEST_DECREF_AC(validPolicyTree);
|
||
|
PKIX_TEST_DECREF_AC(treeString);
|
||
|
|
||
|
PKIX_TEST_RETURN();
|
||
|
}
|
||
|
|
||
|
int test_policychecker(int argc, char *argv[])
|
||
|
{
|
||
|
|
||
|
PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
|
||
|
PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
|
||
|
PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
|
||
|
PKIX_Boolean expectedResult = PKIX_FALSE;
|
||
|
PKIX_UInt32 chainLength = 0;
|
||
|
PKIX_UInt32 initArgs = 0;
|
||
|
PKIX_UInt32 firstCert = 0;
|
||
|
PKIX_UInt32 i = 0;
|
||
|
PKIX_Int32 j = 0;
|
||
|
PKIX_UInt32 actualMinorVersion;
|
||
|
PKIX_ProcessingParams *procParams = NULL;
|
||
|
char *firstTrustAnchor = "yassir2yassir";
|
||
|
char *secondTrustAnchor = "yassir2bcn";
|
||
|
char *dateAscii = "991201000000Z";
|
||
|
PKIX_ValidateParams *valParams = NULL;
|
||
|
PKIX_ValidateResult *valResult = NULL;
|
||
|
PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */
|
||
|
char *certNames[PKIX_TEST_MAX_CERTS];
|
||
|
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
|
||
|
PKIX_List *chain = NULL;
|
||
|
PKIX_Error *validationError = NULL;
|
||
|
PKIX_VerifyNode *verifyTree = NULL;
|
||
|
PKIX_PL_String *verifyString = NULL;
|
||
|
char *dirName = NULL;
|
||
|
char *dataCentralDir = NULL;
|
||
|
char *anchorName = NULL;
|
||
|
|
||
|
PKIX_TEST_STD_VARS();
|
||
|
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(
|
||
|
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
|
||
|
|
||
|
/*
|
||
|
* Perform hard-coded tests if no command line args.
|
||
|
* If command line args are provided, they must be:
|
||
|
* arg[1]: test name
|
||
|
* arg[2]: "ENE" or "EE", for "expect no error" or "expect error"
|
||
|
* arg[3]: directory for certificates
|
||
|
* arg[4]: user-initial-policy-set, consisting of braces
|
||
|
* containing zero or more OID sequences, separated by commas
|
||
|
* arg[5]: (optional) "E", indicating initialExplicitPolicy
|
||
|
* arg[firstCert]: the path and filename of the trust anchor certificate
|
||
|
* arg[firstCert+1..(n-1)]: successive certificates in the chain
|
||
|
* arg[n]: the end entity certificate
|
||
|
*
|
||
|
* Example: test_policychecker test1EE ENE
|
||
|
* {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity
|
||
|
*/
|
||
|
|
||
|
dirName = argv[3+j];
|
||
|
dataCentralDir = argv[4+j];
|
||
|
|
||
|
if (argc <= 5 || ((6 == argc) && (j))) {
|
||
|
|
||
|
testPass
|
||
|
(dataCentralDir,
|
||
|
firstTrustAnchor,
|
||
|
secondTrustAnchor,
|
||
|
dateAscii);
|
||
|
|
||
|
testNistTest1(dirName);
|
||
|
|
||
|
testNistTest2(dirName);
|
||
|
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
if (argc < (7 + j)) {
|
||
|
printUsage(argv[0]);
|
||
|
pkixTestErrorMsg = "Invalid command line arguments.";
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
|
||
|
expectedResult = PKIX_TRUE;
|
||
|
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
|
||
|
expectedResult = PKIX_FALSE;
|
||
|
} else {
|
||
|
printUsage(argv[0]);
|
||
|
pkixTestErrorMsg = "Invalid command line arguments.";
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
userInitialPolicySet = policySetParse(argv[5+j]);
|
||
|
if (!userInitialPolicySet) {
|
||
|
printUsage(argv[0]);
|
||
|
pkixTestErrorMsg = "Invalid command line arguments.";
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
for (initArgs = 0; initArgs < 3; initArgs++) {
|
||
|
if (PORT_Strcmp(argv[6+j+initArgs], "A") == 0) {
|
||
|
initialAnyPolicyInhibit = PKIX_TRUE;
|
||
|
} else if (PORT_Strcmp(argv[6+j+initArgs], "E") == 0) {
|
||
|
initialExplicitPolicy = PKIX_TRUE;
|
||
|
} else if (PORT_Strcmp(argv[6+j+initArgs], "P") == 0) {
|
||
|
initialPolicyMappingInhibit = PKIX_TRUE;
|
||
|
} else {
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
firstCert = initArgs + j + 6;
|
||
|
chainLength = argc - (firstCert + 1);
|
||
|
if (chainLength > PKIX_TEST_MAX_CERTS) {
|
||
|
printUsageMax(chainLength);
|
||
|
pkixTestErrorMsg = "Invalid command line arguments.";
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* Create a chain, but don't include the first certName.
|
||
|
* That's the anchor, and is supplied separately from
|
||
|
* the chain.
|
||
|
*/
|
||
|
for (i = 0; i < chainLength; i++) {
|
||
|
|
||
|
certNames[i] = argv[i + (firstCert + 1)];
|
||
|
certs[i] = NULL;
|
||
|
}
|
||
|
chain = createCertChainPlus
|
||
|
(dirName, certNames, certs, chainLength, plContext);
|
||
|
|
||
|
subTest(argv[1+j]);
|
||
|
|
||
|
valParams = createValidateParams
|
||
|
(dirName,
|
||
|
argv[firstCert],
|
||
|
NULL,
|
||
|
NULL,
|
||
|
userInitialPolicySet,
|
||
|
initialPolicyMappingInhibit,
|
||
|
initialAnyPolicyInhibit,
|
||
|
initialExplicitPolicy,
|
||
|
PKIX_FALSE,
|
||
|
chain,
|
||
|
plContext);
|
||
|
|
||
|
if (expectedResult == PKIX_TRUE) {
|
||
|
subTest(" (expecting successful validation)");
|
||
|
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
|
||
|
(valParams, &valResult, &verifyTree, plContext));
|
||
|
|
||
|
printValidPolicyTree(valResult);
|
||
|
|
||
|
} else {
|
||
|
subTest(" (expecting validation to fail)");
|
||
|
validationError = PKIX_ValidateChain
|
||
|
(valParams, &valResult, &verifyTree, plContext);
|
||
|
if (!validationError) {
|
||
|
printValidPolicyTree(valResult);
|
||
|
pkixTestErrorMsg = "Should have thrown an error here.";
|
||
|
}
|
||
|
PKIX_TEST_DECREF_BC(validationError);
|
||
|
}
|
||
|
|
||
|
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
|
||
|
((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
|
||
|
(void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
|
||
|
|
||
|
cleanup:
|
||
|
|
||
|
PKIX_PL_Free(anchorName, plContext);
|
||
|
|
||
|
PKIX_TEST_DECREF_AC(verifyString);
|
||
|
PKIX_TEST_DECREF_AC(verifyTree);
|
||
|
PKIX_TEST_DECREF_AC(userInitialPolicySet);
|
||
|
PKIX_TEST_DECREF_AC(chain);
|
||
|
PKIX_TEST_DECREF_AC(valParams);
|
||
|
PKIX_TEST_DECREF_AC(valResult);
|
||
|
PKIX_TEST_DECREF_AC(validationError);
|
||
|
|
||
|
PKIX_Shutdown(plContext);
|
||
|
|
||
|
PKIX_TEST_RETURN();
|
||
|
|
||
|
endTests("PolicyChecker");
|
||
|
|
||
|
return (0);
|
||
|
}
|