wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 1041186, Part 2: Rename Input to Reader and InputBuffer to Input, r=keeler

Browse Source 
--HG--
extra : rebase_source : bf57a9eb6ae5c122912e00a47156010e5ea99478
This commit is contained in:
Brian Smith 2014-07-31 12:17:31 -07:00
parent af0283f9fc
commit 2ad8c51b49
34 changed files with 967 additions and 955 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
security/apps/AppSignatureVerification.cpp
View File

@ -542,7 +542,7 @@ VerifyCertificate(CERTCertificate* signerCert, void* voidContext, void* pinArg)
if (trustDomain.SetTrustedRoot(context.trustedRoot) != SECSuccess) {
return MapSECStatus(SECFailure);
}
InputBuffer certDER;
Input certDER;
Result rv = certDER.Init(signerCert->derCert.data, signerCert->derCert.len);
if (rv != Success) {
return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(rv));

22
security/apps/AppTrustDomain.cpp
View File

@ -94,8 +94,8 @@ AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot)
}
Result
AppTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
IssuerChecker& checker, PRTime time)
AppTrustDomain::FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
PRTime time)
{
MOZ_ASSERT(mTrustedRoot);
@ -112,7 +112,7 @@ AppTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
// 2. Secondly, iterate through the certificates that were stored in the CMS
// message, passing each one to checker.Check.
SECItem encodedIssuerNameSECItem =
UnsafeMapInputBufferToSECItem(encodedIssuerName);
UnsafeMapInputToSECItem(encodedIssuerName);
ScopedCERTCertList
candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
&encodedIssuerNameSECItem, time,
@ -120,7 +120,7 @@ AppTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
if (candidates) {
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
InputBuffer certDER;
Input certDER;
Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
if (rv != Success) {
continue; // probably too big
@ -144,7 +144,7 @@ AppTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
Result
AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId& policy,
InputBuffer candidateCertDER,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel)
{
MOZ_ASSERT(policy.IsAnyPolicy());
@ -162,7 +162,7 @@ AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
// information without constructing a CERTCertificate here, but NSS doesn't
// expose it in any other easy-to-use fashion.
SECItem candidateCertDERSECItem =
UnsafeMapInputBufferToSECItem(candidateCertDER);
UnsafeMapInputToSECItem(candidateCertDER);
ScopedCERTCertificate candidateCert(
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
nullptr, false, true));
@ -201,14 +201,14 @@ AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
Result
AppTrustDomain::VerifySignedData(const SignedDataWithSignature& signedData,
InputBuffer subjectPublicKeyInfo)
Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
mPinArg);
}
Result
AppTrustDomain::DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
AppTrustDomain::DigestBuf(Input item, /*out*/ uint8_t* digestBuf,
size_t digestBufLen)
{
return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
@ -216,8 +216,8 @@ AppTrustDomain::DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
Result
AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, PRTime time,
/*optional*/ const InputBuffer*,
/*optional*/ const InputBuffer*)
/*optional*/ const Input*,
/*optional*/ const Input*)
{
// We don't currently do revocation checking. If we need to distrust an Apps
// certificate, we will use the active distrust mechanism.
@ -236,7 +236,7 @@ AppTrustDomain::IsChainValid(const DERArray& certChain)
}
Result
AppTrustDomain::CheckPublicKey(InputBuffer subjectPublicKeyInfo)
AppTrustDomain::CheckPublicKey(Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
}

14
security/apps/AppTrustDomain.h
View File

@ -25,24 +25,24 @@ public:
virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertPolicyId& policy,
mozilla::pkix::InputBuffer candidateCertDER,
mozilla::pkix::Input candidateCertDER,
/*out*/ mozilla::pkix::TrustLevel& trustLevel)
MOZ_OVERRIDE;
virtual Result FindIssuer(mozilla::pkix::InputBuffer encodedIssuerName,
virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
IssuerChecker& checker,
PRTime time) MOZ_OVERRIDE;
virtual Result CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertID& certID, PRTime time,
/*optional*/ const mozilla::pkix::InputBuffer* stapledOCSPresponse,
/*optional*/ const mozilla::pkix::InputBuffer* aiaExtension);
/*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
/*optional*/ const mozilla::pkix::Input* aiaExtension);
virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain)
MOZ_OVERRIDE;
virtual Result CheckPublicKey(mozilla::pkix::InputBuffer subjectPublicKeyInfo)
virtual Result CheckPublicKey(mozilla::pkix::Input subjectPublicKeyInfo)
MOZ_OVERRIDE;
virtual Result VerifySignedData(
const mozilla::pkix::SignedDataWithSignature& signedData,
mozilla::pkix::InputBuffer subjectPublicKeyInfo) MOZ_OVERRIDE;
virtual Result DigestBuf(mozilla::pkix::InputBuffer item,
mozilla::pkix::Input subjectPublicKeyInfo) MOZ_OVERRIDE;
virtual Result DigestBuf(mozilla::pkix::Input item,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) MOZ_OVERRIDE;

16
security/certverifier/CertVerifier.cpp
View File

@ -156,11 +156,11 @@ SECStatus chainValidationCallback(void* state, const CERTCertList* certList,
}
static Result
BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, InputBuffer certDER,
BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, Input certDER,
PRTime time, KeyUsage ku1, KeyUsage ku2,
KeyUsage ku3, KeyPurposeId eku,
const CertPolicyId& requiredPolicy,
const InputBuffer* stapledOCSPResponse)
const Input* stapledOCSPResponse)
{
Result rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity, ku1,
@ -209,7 +209,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
Result rv;
InputBuffer certDER;
Input certDER;
rv = certDER.Init(cert->derCert.data, cert->derCert.len);
if (rv != Success) {
PR_SetError(MapResultToPRErrorCode(rv), 0);
@ -232,17 +232,17 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ocsp_get_config ocspGETConfig = mOCSPGETEnabled ? ocsp_get_enabled
: ocsp_get_disabled;
InputBuffer stapledOCSPResponseInputBuffer;
const InputBuffer* stapledOCSPResponse = nullptr;
Input stapledOCSPResponseInput;
const Input* stapledOCSPResponse = nullptr;
if (stapledOCSPResponseSECItem) {
rv = stapledOCSPResponseInputBuffer.Init(stapledOCSPResponseSECItem->data,
stapledOCSPResponseSECItem->len);
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
stapledOCSPResponseSECItem->len);
if (rv != Success) {
// The stapled OCSP response was too big.
PR_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE, 0);
return SECFailure;
}
stapledOCSPResponse = &stapledOCSPResponseInputBuffer;
stapledOCSPResponse = &stapledOCSPResponseInput;
}
switch (usage) {

36
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@ -96,13 +96,12 @@ static const uint8_t PERMIT_FRANCE_GOV_NAME_CONSTRAINTS_DATA[] =
"\x30\x05\x82\x03" ".tf";
Result
NSSCertDBTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
NSSCertDBTrustDomain::FindIssuer(Input encodedIssuerName,
IssuerChecker& checker, PRTime time)
{
// TODO: NSS seems to be ambiguous between "no potential issuers found" and
// "there was an error trying to retrieve the potential issuers."
SECItem encodedIssuerNameSECItem =
UnsafeMapInputBufferToSECItem(encodedIssuerName);
SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName);
ScopedCERTCertList
candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
&encodedIssuerNameSECItem, time,
@ -110,22 +109,22 @@ NSSCertDBTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
if (candidates) {
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
InputBuffer certDER;
Input certDER;
Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
if (rv != Success) {
continue; // probably too big
}
bool keepGoing;
InputBuffer anssiSubject;
Input anssiSubject;
rv = anssiSubject.Init(ANSSI_SUBJECT_DATA,
sizeof(ANSSI_SUBJECT_DATA) - 1);
if (rv != Success) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
// TODO: Use CERT_CompareName or equivalent
if (InputBuffersAreEqual(encodedIssuerName, anssiSubject)) {
InputBuffer anssiNameConstraints;
if (InputsAreEqual(encodedIssuerName, anssiSubject)) {
Input anssiNameConstraints;
if (anssiNameConstraints.Init(
PERMIT_FRANCE_GOV_NAME_CONSTRAINTS_DATA,
sizeof(PERMIT_FRANCE_GOV_NAME_CONSTRAINTS_DATA) - 1)
@ -151,7 +150,7 @@ NSSCertDBTrustDomain::FindIssuer(InputBuffer encodedIssuerName,
Result
NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId& policy,
InputBuffer candidateCertDER,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel)
{
#ifdef MOZ_NO_EV_CERTS
@ -166,8 +165,7 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
// CERT_NewTempCertificate to get a CERTCertificate shouldn't be a
// performance problem because NSS will just find the existing
// CERTCertificate in its in-memory cache and return it.
SECItem candidateCertDERSECItem =
UnsafeMapInputBufferToSECItem(candidateCertDER);
SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER);
ScopedCERTCertificate candidateCert(
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
nullptr, false, true));
@ -221,14 +219,14 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
Result
NSSCertDBTrustDomain::VerifySignedData(const SignedDataWithSignature& signedData,
InputBuffer subjectPublicKeyInfo)
Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
mPinArg);
}
Result
NSSCertDBTrustDomain::DigestBuf(InputBuffer item,
NSSCertDBTrustDomain::DigestBuf(Input item,
/*out*/ uint8_t* digestBuf, size_t digestBufLen)
{
return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
@ -262,11 +260,11 @@ OCSPFetchingTypeToTimeoutTime(NSSCertDBTrustDomain::OCSPFetching ocspFetching)
// by the arena.
static Result
GetOCSPAuthorityInfoAccessLocation(PLArenaPool* arena,
InputBuffer aiaExtension,
Input aiaExtension,
/*out*/ char const*& url)
{
url = nullptr;
SECItem aiaExtensionSECItem = UnsafeMapInputBufferToSECItem(aiaExtension);
SECItem aiaExtensionSECItem = UnsafeMapInputToSECItem(aiaExtension);
CERTAuthInfoAccess** aia =
CERT_DecodeAuthInfoAccessExtension(arena, &aiaExtensionSECItem);
if (!aia) {
@ -310,8 +308,8 @@ GetOCSPAuthorityInfoAccessLocation(PLArenaPool* arena,
Result
NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
const CertID& certID, PRTime time,
/*optional*/ const InputBuffer* stapledOCSPResponse,
/*optional*/ const InputBuffer* aiaExtension)
/*optional*/ const Input* stapledOCSPResponse,
/*optional*/ const Input* aiaExtension)
{
// Actively distrusted certificates will have already been blocked by
// GetCertTrust.
@ -487,7 +485,7 @@ NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
// Only request a response if we didn't have a cached indication of failure
// (don't keep requesting responses from a failing server).
InputBuffer response;
Input response;
bool attemptedRequest;
if (cachedResponseResult == Success ||
cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT ||
@ -589,7 +587,7 @@ NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
Result
NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
const CertID& certID, PRTime time, uint16_t maxLifetimeInDays,
InputBuffer encodedResponse, EncodedResponseSource responseSource,
Input encodedResponse, EncodedResponseSource responseSource,
/*out*/ bool& expired)
{
PRTime thisUpdate = 0;
@ -668,7 +666,7 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray)
}
Result
NSSCertDBTrustDomain::CheckPublicKey(InputBuffer subjectPublicKeyInfo)
NSSCertDBTrustDomain::CheckPublicKey(Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
}

16
security/certverifier/NSSCertDBTrustDomain.h
View File

@ -56,25 +56,25 @@ public:
/*optional*/ CERTChainVerifyCallback* checkChainCallback = nullptr,
/*optional*/ ScopedCERTCertList* builtChain = nullptr);
virtual Result FindIssuer(mozilla::pkix::InputBuffer encodedIssuerName,
virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
IssuerChecker& checker,
PRTime time) MOZ_OVERRIDE;
virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertPolicyId& policy,
mozilla::pkix::InputBuffer candidateCertDER,
mozilla::pkix::Input candidateCertDER,
/*out*/ mozilla::pkix::TrustLevel& trustLevel)
MOZ_OVERRIDE;
virtual Result CheckPublicKey(mozilla::pkix::InputBuffer subjectPublicKeyInfo)
virtual Result CheckPublicKey(mozilla::pkix::Input subjectPublicKeyInfo)
MOZ_OVERRIDE;
virtual Result VerifySignedData(
const mozilla::pkix::SignedDataWithSignature& signedData,
mozilla::pkix::InputBuffer subjectPublicKeyInfo)
mozilla::pkix::Input subjectPublicKeyInfo)
MOZ_OVERRIDE;
virtual Result DigestBuf(mozilla::pkix::InputBuffer item,
virtual Result DigestBuf(mozilla::pkix::Input item,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) MOZ_OVERRIDE;
@ -82,8 +82,8 @@ public:
mozilla::pkix::EndEntityOrCA endEntityOrCA,
const mozilla::pkix::CertID& certID,
PRTime time,
/*optional*/ const mozilla::pkix::InputBuffer* stapledOCSPResponse,
/*optional*/ const mozilla::pkix::InputBuffer* aiaExtension)
/*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
/*optional*/ const mozilla::pkix::Input* aiaExtension)
MOZ_OVERRIDE;
virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain)
@ -97,7 +97,7 @@ private:
static const PRTime ServerFailureDelay = 5 * 60 * PR_USEC_PER_SEC;
Result VerifyAndMaybeCacheEncodedOCSPResponse(
const mozilla::pkix::CertID& certID, PRTime time,
uint16_t maxLifetimeInDays, mozilla::pkix::InputBuffer encodedResponse,
uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
EncodedResponseSource responseSource, /*out*/ bool& expired);
const SECTrustType mCertDBTrustType;

6
security/certverifier/OCSPCache.cpp
View File

@ -62,20 +62,20 @@ CertIDHash(SHA384Buffer& buf, const CertID& certID)
if (rv != SECSuccess) {
return rv;
}
SECItem certIDIssuer = UnsafeMapInputBufferToSECItem(certID.issuer);
SECItem certIDIssuer = UnsafeMapInputToSECItem(certID.issuer);
rv = PK11_DigestOp(context.get(), certIDIssuer.data, certIDIssuer.len);
if (rv != SECSuccess) {
return rv;
}
SECItem certIDIssuerSubjectPublicKeyInfo =
UnsafeMapInputBufferToSECItem(certID.issuerSubjectPublicKeyInfo);
UnsafeMapInputToSECItem(certID.issuerSubjectPublicKeyInfo);
rv = PK11_DigestOp(context.get(), certIDIssuerSubjectPublicKeyInfo.data,
certIDIssuerSubjectPublicKeyInfo.len);
if (rv != SECSuccess) {
return rv;
}
SECItem certIDSerialNumber =
UnsafeMapInputBufferToSECItem(certID.serialNumber);
UnsafeMapInputToSECItem(certID.serialNumber);
rv = PK11_DigestOp(context.get(), certIDSerialNumber.data,
certIDSerialNumber.len);
if (rv != SECSuccess) {

2
security/manager/ssl/src/nsNSSCertificate.cpp
View File

@ -1526,7 +1526,7 @@ ConstructCERTCertListFromReversedDERArray(
size_t numCerts = certArray.GetLength();
for (size_t i = 0; i < numCerts; ++i) {
SECItem certDER(UnsafeMapInputBufferToSECItem(*certArray.GetDER(i)));
SECItem certDER(UnsafeMapInputToSECItem(*certArray.GetDER(i)));
ScopedCERTCertificate cert(CERT_NewTempCertificate(certDB, &certDER,
nullptr, false, true));
if (!cert) {

34
security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
View File

@ -50,15 +50,15 @@ PutAndGet(OCSPCache& cache, const CertID& certID, Result result,
ASSERT_EQ(time, timeOut);
}
TestInputBuffer fakeIssuer1("CN=issuer1");
TestInputBuffer fakeKey000("key000");
TestInputBuffer fakeKey001("key001");
TestInputBuffer fakeSerial0000("0000");
TestInput fakeIssuer1("CN=issuer1");
TestInput fakeKey000("key000");
TestInput fakeKey001("key001");
TestInput fakeSerial0000("0000");
TEST_F(OCSPCacheTest, TestPutAndGet)
{
TestInputBuffer fakeSerial000("000");
TestInputBuffer fakeSerial001("001");
TestInput fakeSerial000("000");
TestInput fakeSerial001("001");
SCOPED_TRACE("");
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial001),
@ -76,7 +76,7 @@ TEST_F(OCSPCacheTest, TestVariousGets)
for (int i = 0; i < MaxCacheEntries; i++) {
uint8_t serialBuf[8];
PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
InputBuffer fakeSerial;
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
Success, timeIn + i);
@ -96,7 +96,7 @@ TEST_F(OCSPCacheTest, TestVariousGets)
ASSERT_EQ(timeIn, timeOut);
// This will be in the middle
static const TestInputBuffer fakeSerial0512("0512");
static const TestInput fakeSerial0512("0512");
CertID cert0512(fakeIssuer1, fakeKey000, fakeSerial0512);
ASSERT_TRUE(cache.Get(cert0512, resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
@ -106,7 +106,7 @@ TEST_F(OCSPCacheTest, TestVariousGets)
ASSERT_EQ(timeIn + 512, timeOut);
// We've never seen this certificate
static const TestInputBuffer fakeSerial1111("1111");
static const TestInput fakeSerial1111("1111");
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey000, fakeSerial1111),
resultOut, timeOut));
}
@ -121,7 +121,7 @@ TEST_F(OCSPCacheTest, TestEviction)
for (int i = 0; i < MaxCacheEntries + 1; i++) {
uint8_t serialBuf[8];
PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
InputBuffer fakeSerial;
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
Success, timeIn + i);
@ -144,7 +144,7 @@ TEST_F(OCSPCacheTest, TestNoEvictionForRevokedResponses)
for (int i = 1; i < MaxCacheEntries + 1; i++) {
uint8_t serialBuf[8];
PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
InputBuffer fakeSerial;
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
Success, timeIn + i);
@ -155,7 +155,7 @@ TEST_F(OCSPCacheTest, TestNoEvictionForRevokedResponses)
ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
ASSERT_EQ(timeIn, timeOut);
TestInputBuffer fakeSerial0001("0001");
TestInput fakeSerial0001("0001");
CertID evicted(fakeIssuer1, fakeKey000, fakeSerial0001);
ASSERT_FALSE(cache.Get(evicted, resultOut, timeOut));
}
@ -168,12 +168,12 @@ TEST_F(OCSPCacheTest, TestEverythingIsRevoked)
for (int i = 0; i < MaxCacheEntries; i++) {
uint8_t serialBuf[8];
PR_snprintf(reinterpret_cast<char*>(serialBuf), sizeof(serialBuf), "%04d", i);
InputBuffer fakeSerial;
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
Result::ERROR_REVOKED_CERTIFICATE, timeIn + i);
}
static const TestInputBuffer fakeSerial1025("1025");
static const TestInput fakeSerial1025("1025");
CertID good(fakeIssuer1, fakeKey000, fakeSerial1025);
// This will "succeed", allowing verification to continue. However,
// nothing was actually put in the cache.
@ -183,7 +183,7 @@ TEST_F(OCSPCacheTest, TestEverythingIsRevoked)
PRTime timeOut;
ASSERT_FALSE(cache.Get(good, resultOut, timeOut));
static const TestInputBuffer fakeSerial1026("1026");
static const TestInput fakeSerial1026("1026");
CertID revoked(fakeIssuer1, fakeKey000, fakeSerial1026);
// This will fail, causing verification to fail.
result = cache.Put(revoked, Result::ERROR_REVOKED_CERTIFICATE,
@ -194,8 +194,8 @@ TEST_F(OCSPCacheTest, TestEverythingIsRevoked)
TEST_F(OCSPCacheTest, VariousIssuers)
{
SCOPED_TRACE("");
static const TestInputBuffer fakeIssuer2("CN=issuer2");
static const TestInputBuffer fakeSerial001("001");
static const TestInput fakeIssuer2("CN=issuer2");
static const TestInput fakeSerial001("001");
PRTime timeIn = PR_Now();
CertID subject(fakeIssuer1, fakeKey000, fakeSerial001);
PutAndGet(cache, subject, Success, timeIn);

6
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
View File

@ -56,16 +56,16 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
PrintPRError("CERT_FindCertIssuer failed");
return nullptr;
}
InputBuffer issuer;
Input issuer;
if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) {
return nullptr;
}
InputBuffer issuerPublicKey;
Input issuerPublicKey;
if (issuerPublicKey.Init(issuerCert->derPublicKey.data,
issuerCert->derPublicKey.len) != Success) {
return nullptr;
}
InputBuffer serialNumber;
Input serialNumber;
if (serialNumber.Init(cert->serialNumber.data,
cert->serialNumber.len) != Success) {
return nullptr;

90
security/pkix/include/pkix/Input.h
View File

@ -34,53 +34,53 @@
namespace mozilla { namespace pkix {
class Input;
class Reader;
// An InputBuffer is a safety-oriented immutable weak reference to a array of
// bytes of a known size. The data can only be legally accessed by constructing
// an Input object, which guarantees all accesses to the data are memory safe.
// Neither InputBuffer not Input provide any facilities for modifying the data
// An Input is a safety-oriented immutable weak reference to a array of bytes
// of a known size. The data can only be legally accessed by constructing a
// Reader object, which guarantees all accesses to the data are memory safe.
// Neither Input not Reader provide any facilities for modifying the data
// they reference.
//
// InputBuffers are small and should usually be passed by value, not by
// reference, though for inline functions the distinction doesn't matter.
// Inputs are small and should usually be passed by value, not by reference,
// though for inline functions the distinction doesn't matter:
//
// Result GoodExample(InputBuffer input);
// Result BadExample(const InputBuffer& input);
// Result GoodExample(Input input);
// Result BadExample(const Input& input);
// Result WorseExample(const uint8_t* input, size_t len);
//
// Note that in the example, GoodExample has the same performance
// characteristics as WorseExample, but with much better safety guarantees.
class InputBuffer
class Input
{
public:
// This constructor is useful for input buffers that are statically known to
// be of a fixed size, e.g.:
// This constructor is useful for inputs that are statically known to be of a
// fixed size, e.g.:
//
// static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
// const InputBuffer expected(EXPECTED_BYTES);
// const Input expected(EXPECTED_BYTES);
//
// This is equivalent to (and preferred over):
//
// static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
// InputBuffer expected;
// Input expected;
// Result rv = expected.Init(EXPECTED_BYTES, sizeof EXPECTED_BYTES);
template <uint16_t N>
explicit InputBuffer(const uint8_t (&data)[N])
explicit Input(const uint8_t (&data)[N])
: data(data)
, len(N)
{
}
// Construct a valid, empty, Init-able InputBuffer.
InputBuffer()
// Construct a valid, empty, Init-able Input.
Input()
: data(nullptr)
, len(0u)
{
}
// Initialize the input buffer. data must be non-null and len must be less
// than 65536. Init may not be called more than once.
// Initialize the input. data must be non-null and len must be less than
// 65536. Init may not be called more than once.
Result Init(const uint8_t* data, size_t len)
{
if (this->data) {
@ -98,18 +98,18 @@ public:
return Success;
}
// Initialize the input buffer to be equivalent to the given input buffer.
// Init may not be called more than once.
// Initialize the input to be equivalent to the given input. Init may not be
// called more than once.
//
// This is basically operator=, but it wasn't given that name because
// normally callers do not check the result of operator=, and normally
// operator= can be used multiple times.
Result Init(InputBuffer other)
Result Init(Input other)
{
return Init(other.data, other.len);
}
// Returns the length of the buffer.
// Returns the length of the input.
//
// Having the return type be uint16_t instead of size_t avoids the need for
// callers to ensure that the result is small enough.
@ -123,36 +123,36 @@ private:
const uint8_t* data;
size_t len;
void operator=(const InputBuffer&) /* = delete */; // Use Init instead.
void operator=(const Input&) /* = delete */; // Use Init instead.
};
inline bool
InputBuffersAreEqual(const InputBuffer& a, const InputBuffer& b)
InputsAreEqual(const Input& a, const Input& b)
{
return a.GetLength() == b.GetLength() &&
!std::memcmp(a.UnsafeGetData(), b.UnsafeGetData(), a.GetLength());
}
// An Input is a cursor/iterator through the contents of an InputBuffer,
// designed to maximize safety during parsing while minimizing the performance
// cost of that safety. In particular, all methods do strict bounds checking to
// ensure buffer overflows are impossible, and they are all inline so that the
// An Reader is a cursor/iterator through the contents of an Input, designed to
// maximize safety during parsing while minimizing the performance cost of that
// safety. In particular, all methods do strict bounds checking to ensure
// buffer overflows are impossible, and they are all inline so that the
// compiler can coalesce as many of those checks together as possible.
//
// In general, Input allows for one byte of lookahead and no backtracking.
// In general, Reader allows for one byte of lookahead and no backtracking.
// However, the Match* functions internally may have more lookahead.
class Input
class Reader
{
public:
Input()
Reader()
: input(nullptr)
, end(nullptr)
{
}
explicit Input(InputBuffer buffer)
: input(buffer.UnsafeGetData())
, end(buffer.UnsafeGetData() + buffer.GetLength())
explicit Reader(Input input)
: input(input.UnsafeGetData())
, end(input.UnsafeGetData() + input.GetLength())
{
}
@ -234,13 +234,13 @@ public:
return Success;
}
Result Skip(uint16_t len, Input& skippedInput)
Result Skip(uint16_t len, Reader& skipped)
{
Result rv = EnsureLength(len);
if (rv != Success) {
return rv;
}
rv = skippedInput.Init(input, len);
rv = skipped.Init(input, len);
if (rv != Success) {
return rv;
}
@ -248,13 +248,13 @@ public:
return Success;
}
Result Skip(uint16_t len, InputBuffer& skippedItem)
Result Skip(uint16_t len, Input& skipped)
{
Result rv = EnsureLength(len);
if (rv != Success) {
return rv;
}
rv = skippedItem.Init(input, len);
rv = skipped.Init(input, len);
if (rv != Success) {
return rv;
}
@ -280,16 +280,16 @@ public:
class Mark
{
private:
friend class Input;
Mark(const Input& input, const uint8_t* mark) : input(input), mark(mark) { }
const Input& input;
friend class Reader;
Mark(const Reader& input, const uint8_t* mark) : input(input), mark(mark) { }
const Reader& input;
const uint8_t* const mark;
void operator=(const Mark&) /* = delete */;
};
Mark GetMark() const { return Mark(*this, input); }
Result GetInputBuffer(const Mark& mark, /*out*/ InputBuffer& item)
Result GetInput(const Mark& mark, /*out*/ Input& item)
{
if (&mark.input != this || mark.mark > input) {
PR_NOT_REACHED("invalid mark");
@ -313,8 +313,8 @@ private:
const uint8_t* input;
const uint8_t* end;
Input(const Input&) /* = delete */;
void operator=(const Input&) /* = delete */;
Reader(const Reader&) /* = delete */;
void operator=(const Reader&) /* = delete */;
};
} } // namespace mozilla::pkix

6
security/pkix/include/pkix/pkix.h
View File

@ -88,12 +88,12 @@ namespace mozilla { namespace pkix {
// of active distrust.
// TODO(bug 968451): Document more of these.
Result BuildCertChain(TrustDomain& trustDomain, InputBuffer cert,
Result BuildCertChain(TrustDomain& trustDomain, Input cert,
PRTime time, EndEntityOrCA endEntityOrCA,
KeyUsage requiredKeyUsageIfPresent,
KeyPurposeId requiredEKUIfPresent,
const CertPolicyId& requiredPolicy,
/*optional*/ const InputBuffer* stapledOCSPResponse);
/*optional*/ const Input* stapledOCSPResponse);
static const size_t OCSP_REQUEST_MAX_LENGTH = 127;
Result CreateEncodedOCSPRequest(TrustDomain& trustDomain,
@ -116,7 +116,7 @@ Result CreateEncodedOCSPRequest(TrustDomain& trustDomain,
Result VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
const CertID& certID, PRTime time,
uint16_t maxLifetimeInDays,
InputBuffer encodedResponse,
Input encodedResponse,
/* out */ bool& expired,
/* optional out */ PRTime* thisUpdate = nullptr,
/* optional out */ PRTime* validThrough = nullptr);

8
security/pkix/include/pkix/pkixnss.h
View File

@ -33,7 +33,7 @@ namespace mozilla { namespace pkix {
// Verify the given signed data using the given public key.
Result VerifySignedData(const SignedDataWithSignature& sd,
InputBuffer subjectPublicKeyInfo,
Input subjectPublicKeyInfo,
void* pkcs11PinArg);
// Computes the SHA-1 hash of the data in the current item.
@ -47,11 +47,11 @@ Result VerifySignedData(const SignedDataWithSignature& sd,
// TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
// other, extensive, memory safety efforts in mozilla::pkix, and we should find
// a way to provide a more-obviously-safe interface.
Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
Result DigestBuf(Input item, /*out*/ uint8_t* digestBuf,
size_t digestBufLen);
// Checks, for RSA keys and DSA keys, that the modulus is at least 1024 bits.
Result CheckPublicKey(InputBuffer subjectPublicKeyInfo);
Result CheckPublicKey(Input subjectPublicKeyInfo);
Result MapPRErrorCodeToResult(PRErrorCode errorCode);
PRErrorCode MapResultToPRErrorCode(Result result);
@ -76,7 +76,7 @@ enum ErrorCode {
void RegisterErrorTable();
inline SECItem UnsafeMapInputBufferToSECItem(InputBuffer ib)
inline SECItem UnsafeMapInputToSECItem(Input ib)
{
SECItem result = {
siBuffer,

33
security/pkix/include/pkix/pkixtypes.h
View File

@ -79,9 +79,9 @@ MOZILLA_PKIX_ENUM_CLASS SignatureAlgorithm
struct SignedDataWithSignature
{
public:
InputBuffer data;
Input data;
SignatureAlgorithm algorithm;
InputBuffer signature;
Input signature;
private:
void operator=(const SignedDataWithSignature&) /*= delete*/;
@ -142,16 +142,15 @@ MOZILLA_PKIX_ENUM_CLASS TrustLevel {
struct CertID
{
public:
CertID(InputBuffer issuer, InputBuffer issuerSubjectPublicKeyInfo,
InputBuffer serialNumber)
CertID(Input issuer, Input issuerSubjectPublicKeyInfo, Input serialNumber)
: issuer(issuer)
, issuerSubjectPublicKeyInfo(issuerSubjectPublicKeyInfo)
, serialNumber(serialNumber)
{
}
const InputBuffer issuer;
const InputBuffer issuerSubjectPublicKeyInfo;
const InputBuffer serialNumber;
const Input issuer;
const Input issuerSubjectPublicKeyInfo;
const Input serialNumber;
private:
void operator=(const CertID&) /*= delete*/;
};
@ -165,7 +164,7 @@ public:
// Returns a weak (non-owning) pointer the ith DER-encoded item in the array
// (0-indexed). The result is guaranteed to be non-null if i < GetLength(),
// and the result is guaranteed to be nullptr if i >= GetLength().
virtual const InputBuffer* GetDER(size_t i) const = 0;
virtual const Input* GetDER(size_t i) const = 0;
protected:
DERArray() { }
virtual ~DERArray() { }
@ -194,7 +193,7 @@ public:
// (assuming the candidate cert is not actively distrusted).
virtual Result GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId& policy,
InputBuffer candidateCertDER,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel) = 0;
class IssuerChecker
@ -207,8 +206,8 @@ public:
// encoded NameConstraints extension value; in that case, those name
// constraints will be checked in addition to any any name constraints
// contained in potentialIssuerDER.
virtual Result Check(InputBuffer potentialIssuerDER,
/*optional*/ const InputBuffer* additionalNameConstraints,
virtual Result Check(Input potentialIssuerDER,
/*optional*/ const Input* additionalNameConstraints,
/*out*/ bool& keepGoing) = 0;
protected:
IssuerChecker();
@ -259,7 +258,7 @@ public:
//
// checker.Check is responsible for limiting the recursion to a reasonable
// limit.
virtual Result FindIssuer(InputBuffer encodedIssuerName,
virtual Result FindIssuer(Input encodedIssuerName,
IssuerChecker& checker, PRTime time) = 0;
// Called as soon as we think we have a valid chain but before revocation
@ -289,8 +288,8 @@ public:
// it.
virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
const CertID& certID, PRTime time,
/*optional*/ const InputBuffer* stapledOCSPresponse,
/*optional*/ const InputBuffer* aiaExtension) = 0;
/*optional*/ const Input* stapledOCSPresponse,
/*optional*/ const Input* aiaExtension) = 0;
// Check that the key size, algorithm, and parameters of the given public key
// are acceptable.
@ -298,7 +297,7 @@ public:
// VerifySignedData() should do the same checks that this function does, but
// mainly for efficiency, some keys are not passed to VerifySignedData().
// This function is called instead for those keys.
virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo) = 0;
virtual Result CheckPublicKey(Input subjectPublicKeyInfo) = 0;
// Verify the given signature using the given public key.
//
@ -308,7 +307,7 @@ public:
// In any case, the implementation must perform checks on the public key
// similar to how mozilla::pkix::CheckPublicKey() does.
virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
InputBuffer subjectPublicKeyInfo) = 0;
Input subjectPublicKeyInfo) = 0;
// Compute the SHA-1 hash of the data in the current item.
//
@ -321,7 +320,7 @@ public:
// other, extensive, memory safety efforts in mozilla::pkix, and we should
// find a way to provide a more-obviously-safe interface.
static const size_t DIGEST_LENGTH = 20; // length of SHA-1 digest
virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
virtual Result DigestBuf(Input item, /*out*/ uint8_t* digestBuf,
size_t digestBufLen) = 0;
protected:
TrustDomain() { }

27
security/pkix/lib/pkixbuild.cpp
View File

@ -37,7 +37,7 @@ static Result BuildForward(TrustDomain& trustDomain,
KeyUsage requiredKeyUsageIfPresent,
KeyPurposeId requiredEKUIfPresent,
const CertPolicyId& requiredPolicy,
/*optional*/ const InputBuffer* stapledOCSPResponse,
/*optional*/ const Input* stapledOCSPResponse,
unsigned int subCACount);
TrustDomain::IssuerChecker::IssuerChecker() { }
@ -51,7 +51,7 @@ public:
PathBuildingStep(TrustDomain& trustDomain, const BackCert& subject,
PRTime time, KeyPurposeId requiredEKUIfPresent,
const CertPolicyId& requiredPolicy,
/*optional*/ const InputBuffer* stapledOCSPResponse,
/*optional*/ const Input* stapledOCSPResponse,
unsigned int subCACount)
: trustDomain(trustDomain)
, subject(subject)
@ -65,8 +65,8 @@ public:
{
}
Result Check(InputBuffer potentialIssuerDER,
/*optional*/ const InputBuffer* additionalNameConstraints,
Result Check(Input potentialIssuerDER,
/*optional*/ const Input* additionalNameConstraints,
/*out*/ bool& keepGoing);
Result CheckResult() const;
@ -77,7 +77,7 @@ private:
const PRTime time;
const KeyPurposeId requiredEKUIfPresent;
const CertPolicyId& requiredPolicy;
/*optional*/ InputBuffer const* const stapledOCSPResponse;
/*optional*/ Input const* const stapledOCSPResponse;
const unsigned int subCACount;
Result RecordResult(Result currentResult, /*out*/ bool& keepGoing);
@ -126,8 +126,8 @@ PathBuildingStep::CheckResult() const
// The code that executes in the inner loop of BuildForward
Result
PathBuildingStep::Check(InputBuffer potentialIssuerDER,
/*optional*/ const InputBuffer* additionalNameConstraints,
PathBuildingStep::Check(Input potentialIssuerDER,
/*optional*/ const Input* additionalNameConstraints,
/*out*/ bool& keepGoing)
{
BackCert potentialIssuer(potentialIssuerDER, EndEntityOrCA::MustBeCA,
@ -146,10 +146,9 @@ PathBuildingStep::Check(InputBuffer potentialIssuerDER,
bool loopDetected = false;
for (const BackCert* prev = potentialIssuer.childCert;
!loopDetected && prev != nullptr; prev = prev->childCert) {
if (InputBuffersAreEqual(potentialIssuer.GetSubjectPublicKeyInfo(),
prev->GetSubjectPublicKeyInfo()) &&
InputBuffersAreEqual(potentialIssuer.GetSubject(),
prev->GetSubject())) {
if (InputsAreEqual(potentialIssuer.GetSubjectPublicKeyInfo(),
prev->GetSubjectPublicKeyInfo()) &&
InputsAreEqual(potentialIssuer.GetSubject(), prev->GetSubject())) {
// XXX: error code
return RecordResult(Result::ERROR_UNKNOWN_ISSUER, keepGoing);
}
@ -211,7 +210,7 @@ BuildForward(TrustDomain& trustDomain,
KeyUsage requiredKeyUsageIfPresent,
KeyPurposeId requiredEKUIfPresent,
const CertPolicyId& requiredPolicy,
/*optional*/ const InputBuffer* stapledOCSPResponse,
/*optional*/ const Input* stapledOCSPResponse,
unsigned int subCACount)
{
Result rv;
@ -294,12 +293,12 @@ BuildForward(TrustDomain& trustDomain,
}
Result
BuildCertChain(TrustDomain& trustDomain, InputBuffer certDER,
BuildCertChain(TrustDomain& trustDomain, Input certDER,
PRTime time, EndEntityOrCA endEntityOrCA,
KeyUsage requiredKeyUsageIfPresent,
KeyPurposeId requiredEKUIfPresent,
const CertPolicyId& requiredPolicy,
/*optional*/ const InputBuffer* stapledOCSPResponse)
/*optional*/ const Input* stapledOCSPResponse)
{
// XXX: Support the legacy use of the subject CN field for indicating the
// domain name the certificate is valid for.

16
security/pkix/lib/pkixcert.cpp
View File

@ -37,13 +37,13 @@ BackCert::Init()
// signatureAlgorithm AlgorithmIdentifier,
// signatureValue BIT STRING }
Input tbsCertificate;
Reader tbsCertificate;
// The scope of |input| and |certificate| are limited to this block so we
// don't accidentally confuse them for tbsCertificate later.
{
Input input(der);
Input certificate;
Reader input(der);
Reader certificate;
rv = der::ExpectTagAndGetValue(input, der::SEQUENCE, certificate);
if (rv != Success) {
return rv;
@ -158,10 +158,10 @@ BackCert::Init()
return der::End(tbsCertificate);
}
// XXX: The second value is of type |const InputBupkffer&| instead of type
// |InputBuffer| due to limitations in our std::bind polyfill.
// XXX: The second value is of type |const Input&| instead of type |Input| due
// to limitations in our std::bind polyfill.
Result
BackCert::RememberExtension(Input& extnID, const InputBuffer& extnValue,
BackCert::RememberExtension(Reader& extnID, const Input& extnValue,
/*out*/ bool& understood)
{
understood = false;
@ -203,7 +203,7 @@ BackCert::RememberExtension(Input& extnID, const InputBuffer& extnValue,
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
};
InputBuffer* out = nullptr;
Input* out = nullptr;
// We already enforce the maximum possible constraints for policies so we
// can safely ignore even critical policy constraint extensions.
@ -211,7 +211,7 @@ BackCert::RememberExtension(Input& extnID, const InputBuffer& extnValue,
// XXX: Doing it this way won't allow us to detect duplicate
// policyConstraints extensions, but that's OK because (and only because) we
// ignore the extension.
InputBuffer dummyPolicyConstraints;
Input dummyPolicyConstraints;
// RFC says "Conforming CAs MUST mark this extension as non-critical" for
// both authorityKeyIdentifier and subjectKeyIdentifier, and we do not use

36
security/pkix/lib/pkixcheck.cpp
View File

@ -35,9 +35,9 @@
namespace mozilla { namespace pkix {
Result
CheckValidity(InputBuffer encodedValidity, PRTime time)
CheckValidity(Input encodedValidity, PRTime time)
{
Input validity(encodedValidity);
Reader validity(encodedValidity);
PRTime notBefore;
if (der::TimeChoice(validity, notBefore) != Success) {
return Result::ERROR_EXPIRED_CERTIFICATE;
@ -68,7 +68,7 @@ inline uint8_t KeyUsageToBitMask(KeyUsage keyUsage)
}
Result
CheckKeyUsage(EndEntityOrCA endEntityOrCA, const InputBuffer* encodedKeyUsage,
CheckKeyUsage(EndEntityOrCA endEntityOrCA, const Input* encodedKeyUsage,
KeyUsage requiredKeyUsageIfPresent)
{
if (!encodedKeyUsage) {
@ -86,8 +86,8 @@ CheckKeyUsage(EndEntityOrCA endEntityOrCA, const InputBuffer* encodedKeyUsage,
return Success;
}
Input input(*encodedKeyUsage);
Input value;
Reader input(*encodedKeyUsage);
Reader value;
if (der::ExpectTagAndGetValue(input, der::BIT_STRING, value) != Success) {
return Result::ERROR_INADEQUATE_KEY_USAGE;
}
@ -199,7 +199,7 @@ bool CertPolicyId::IsAnyPolicy() const
// policyQualifiers SEQUENCE SIZE (1..MAX) OF
// PolicyQualifierInfo OPTIONAL }
inline Result
CheckPolicyInformation(Input& input, EndEntityOrCA endEntityOrCA,
CheckPolicyInformation(Reader& input, EndEntityOrCA endEntityOrCA,
const CertPolicyId& requiredPolicy,
/*in/out*/ bool& found)
{
@ -228,8 +228,8 @@ CheckPolicyInformation(Input& input, EndEntityOrCA endEntityOrCA,
// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
Result
CheckCertificatePolicies(EndEntityOrCA endEntityOrCA,
const InputBuffer* encodedCertificatePolicies,
const InputBuffer* encodedInhibitAnyPolicy,
const Input* encodedCertificatePolicies,
const Input* encodedInhibitAnyPolicy,
TrustLevel trustLevel,
const CertPolicyId& requiredPolicy)
{
@ -267,7 +267,7 @@ CheckCertificatePolicies(EndEntityOrCA endEntityOrCA,
bool found = false;
Input input(*encodedCertificatePolicies);
Reader input(*encodedCertificatePolicies);
if (der::NestedOf(input, der::SEQUENCE, der::SEQUENCE, der::EmptyAllowed::No,
bind(CheckPolicyInformation, _1, endEntityOrCA,
requiredPolicy, ref(found))) != Success) {
@ -289,7 +289,7 @@ static const long UNLIMITED_PATH_LEN = -1; // must be less than zero
// cA BOOLEAN DEFAULT FALSE,
// pathLenConstraint INTEGER (0..MAX) OPTIONAL }
static Result
DecodeBasicConstraints(Input& input, /*out*/ bool& isCA,
DecodeBasicConstraints(Reader& input, /*out*/ bool& isCA,
/*out*/ long& pathLenConstraint)
{
// TODO(bug 989518): cA is by default false. According to DER, default
@ -316,7 +316,7 @@ DecodeBasicConstraints(Input& input, /*out*/ bool& isCA,
// RFC5280 4.2.1.9. Basic Constraints (id-ce-basicConstraints)
Result
CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
const InputBuffer* encodedBasicConstraints,
const Input* encodedBasicConstraints,
const der::Version version, TrustLevel trustLevel,
unsigned int subCACount)
{
@ -324,7 +324,7 @@ CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
long pathLenConstraint = UNLIMITED_PATH_LEN;
if (encodedBasicConstraints) {
Input input(*encodedBasicConstraints);
Reader input(*encodedBasicConstraints);
if (der::Nested(input, der::SEQUENCE,
bind(DecodeBasicConstraints, _1, ref(isCA),
ref(pathLenConstraint))) != Success) {
@ -397,7 +397,7 @@ PORT_FreeArena_false(PLArenaPool* arena) {
// #include "ScopedPtr.h", etc. when this is rewritten to be independent of
// NSS.
Result
CheckNameConstraints(InputBuffer encodedNameConstraints,
CheckNameConstraints(Input encodedNameConstraints,
const BackCert& firstChild,
KeyPurposeId requiredEKUIfPresent)
{
@ -408,7 +408,7 @@ CheckNameConstraints(InputBuffer encodedNameConstraints,
}
SECItem encodedNameConstraintsSECItem =
UnsafeMapInputBufferToSECItem(encodedNameConstraints);
UnsafeMapInputToSECItem(encodedNameConstraints);
// Owned by arena
const CERTNameConstraints* constraints =
@ -419,7 +419,7 @@ CheckNameConstraints(InputBuffer encodedNameConstraints,
}
for (const BackCert* child = &firstChild; child; child = child->childCert) {
SECItem childCertDER = UnsafeMapInputBufferToSECItem(child->GetDER());
SECItem childCertDER = UnsafeMapInputToSECItem(child->GetDER());
ScopedPtr<CERTCertificate, CERT_DestroyCertificate>
nssCert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &childCertDER,
nullptr, false, true));
@ -456,7 +456,7 @@ CheckNameConstraints(InputBuffer encodedNameConstraints,
// 4.2.1.12. Extended Key Usage (id-ce-extKeyUsage)
static Result
MatchEKU(Input& value, KeyPurposeId requiredEKU,
MatchEKU(Reader& value, KeyPurposeId requiredEKU,
EndEntityOrCA endEntityOrCA, /*in/out*/ bool& found,
/*in/out*/ bool& foundOCSPSigning)
{
@ -540,7 +540,7 @@ MatchEKU(Input& value, KeyPurposeId requiredEKU,
Result
CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
const InputBuffer* encodedExtendedKeyUsage,
const Input* encodedExtendedKeyUsage,
KeyPurposeId requiredEKU)
{
// XXX: We're using Result::ERROR_INADEQUATE_CERT_TYPE here so that callers
@ -553,7 +553,7 @@ CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
if (encodedExtendedKeyUsage) {
bool found = requiredEKU == KeyPurposeId::anyExtendedKeyUsage;
Input input(*encodedExtendedKeyUsage);
Reader input(*encodedExtendedKeyUsage);
if (der::NestedOf(input, der::SEQUENCE, der::OIDTag, der::EmptyAllowed::No,
bind(MatchEKU, _1, requiredEKU, endEntityOrCA,
ref(found), ref(foundOCSPSigning)))

2
security/pkix/lib/pkixcheck.h
View File

@ -41,7 +41,7 @@ Result CheckIssuerIndependentProperties(
unsigned int subCACount,
/*out*/ TrustLevel& trustLevel);
Result CheckNameConstraints(InputBuffer encodedNameConstraints,
Result CheckNameConstraints(Input encodedNameConstraints,
const BackCert& firstChild,
KeyPurposeId requiredEKUIfPresent);

41
security/pkix/lib/pkixder.cpp
View File

@ -32,7 +32,7 @@ namespace internal {
// Too complicated to be inline
Result
ExpectTagAndGetLength(Input& input, uint8_t expectedTag, uint16_t& length)
ExpectTagAndGetLength(Reader& input, uint8_t expectedTag, uint16_t& length)
{
PR_ASSERT((expectedTag & 0x1F) != 0x1F); // high tag number form not allowed
@ -90,7 +90,7 @@ ExpectTagAndGetLength(Input& input, uint8_t expectedTag, uint16_t& length)
} // namespace internal
static Result
OptionalNull(Input& input)
OptionalNull(Reader& input)
{
if (input.Peek(NULLTag)) {
return Null(input);
@ -101,7 +101,8 @@ OptionalNull(Input& input)
namespace {
Result
DigestAlgorithmOIDValue(Input& algorithmID, /*out*/ DigestAlgorithm& algorithm)
DigestAlgorithmOIDValue(Reader& algorithmID,
/*out*/ DigestAlgorithm& algorithm)
{
// RFC 4055 Section 2.1
// python DottedOIDToCode.py id-sha1 1.3.14.3.2.26
@ -139,7 +140,7 @@ DigestAlgorithmOIDValue(Input& algorithmID, /*out*/ DigestAlgorithm& algorithm)
}
Result
SignatureAlgorithmOIDValue(Input& algorithmID,
SignatureAlgorithmOIDValue(Reader& algorithmID,
/*out*/ SignatureAlgorithm& algorithm)
{
// RFC 5758 Section 3.1 (id-dsa-with-sha224 is intentionally excluded)
@ -235,16 +236,16 @@ SignatureAlgorithmOIDValue(Input& algorithmID,
template <typename OidValueParser, typename Algorithm>
Result
AlgorithmIdentifier(OidValueParser oidValueParser, Input& input,
AlgorithmIdentifier(OidValueParser oidValueParser, Reader& input,
/*out*/ Algorithm& algorithm)
{
Input value;
Reader value;
Result rv = ExpectTagAndGetValue(input, SEQUENCE, value);
if (rv != Success) {
return rv;
}
Input algorithmID;
Reader algorithmID;
rv = ExpectTagAndGetValue(value, der::OIDTag, algorithmID);
if (rv != Success) {
return rv;
@ -265,23 +266,23 @@ AlgorithmIdentifier(OidValueParser oidValueParser, Input& input,
} // unnamed namespace
Result
SignatureAlgorithmIdentifier(Input& input,
SignatureAlgorithmIdentifier(Reader& input,
/*out*/ SignatureAlgorithm& algorithm)
{
return AlgorithmIdentifier(SignatureAlgorithmOIDValue, input, algorithm);
}
Result
DigestAlgorithmIdentifier(Input& input, /*out*/ DigestAlgorithm& algorithm)
DigestAlgorithmIdentifier(Reader& input, /*out*/ DigestAlgorithm& algorithm)
{
return AlgorithmIdentifier(DigestAlgorithmOIDValue, input, algorithm);
}
Result
SignedData(Input& input, /*out*/ Input& tbs,
SignedData(Reader& input, /*out*/ Reader& tbs,
/*out*/ SignedDataWithSignature& signedData)
{
Input::Mark mark(input.GetMark());
Reader::Mark mark(input.GetMark());
Result rv;
rv = ExpectTagAndGetValue(input, SEQUENCE, tbs);
@ -289,7 +290,7 @@ SignedData(Input& input, /*out*/ Input& tbs,
return rv;
}
rv = input.GetInputBuffer(mark, signedData.data);
rv = input.GetInput(mark, signedData.data);
if (rv != Success) {
return rv;
}
@ -307,9 +308,9 @@ SignedData(Input& input, /*out*/ Input& tbs,
}
Result
BitStringWithNoUnusedBits(Input& input, /*out*/ InputBuffer& value)
BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value)
{
Input valueWithUnusedBits;
Reader valueWithUnusedBits;
Result rv = ExpectTagAndGetValue(input, BIT_STRING, valueWithUnusedBits);
if (rv != Success) {
return rv;
@ -328,13 +329,13 @@ BitStringWithNoUnusedBits(Input& input, /*out*/ InputBuffer& value)
if (unusedBitsAtEnd != 0) {
return Result::ERROR_BAD_DER;
}
Input::Mark mark(valueWithUnusedBits.GetMark());
Reader::Mark mark(valueWithUnusedBits.GetMark());
valueWithUnusedBits.SkipToEnd();
return valueWithUnusedBits.GetInputBuffer(mark, value);
return valueWithUnusedBits.GetInput(mark, value);
}
static inline Result
ReadDigit(Input& input, /*out*/ int& value)
ReadDigit(Reader& input, /*out*/ int& value)
{
uint8_t b;
if (input.Read(b) != Success) {
@ -348,7 +349,7 @@ ReadDigit(Input& input, /*out*/ int& value)
}
static inline Result
ReadTwoDigits(Input& input, int minValue, int maxValue, /*out*/ int& value)
ReadTwoDigits(Reader& input, int minValue, int maxValue, /*out*/ int& value)
{
int hi;
Result rv = ReadDigit(input, hi);
@ -384,11 +385,11 @@ namespace internal {
// must always be in the format YYMMDDHHMMSSZ. Timezone formats of the form
// +HH:MM or -HH:MM or NOT accepted.
Result
TimeChoice(Input& tagged, uint8_t expectedTag, /*out*/ PRTime& time)
TimeChoice(Reader& tagged, uint8_t expectedTag, /*out*/ PRTime& time)
{
int days;
Input input;
Reader input;
Result rv = ExpectTagAndGetValue(tagged, expectedTag, input);
if (rv != Success) {
return rv;

87
security/pkix/lib/pkixder.h
View File

@ -73,7 +73,7 @@ enum Tag
MOZILLA_PKIX_ENUM_CLASS EmptyAllowed { No = 0, Yes = 1 };
inline Result
ExpectTagAndLength(Input& input, uint8_t expectedTag, uint8_t expectedLength)
ExpectTagAndLength(Reader& input, uint8_t expectedTag, uint8_t expectedLength)
{
PR_ASSERT((expectedTag & 0x1F) != 0x1F); // high tag number form not allowed
PR_ASSERT(expectedLength < 128); // must be a single-byte length
@ -97,12 +97,12 @@ ExpectTagAndLength(Input& input, uint8_t expectedTag, uint8_t expectedLength)
namespace internal {
Result
ExpectTagAndGetLength(Input& input, uint8_t expectedTag, uint16_t& length);
ExpectTagAndGetLength(Reader& input, uint8_t expectedTag, uint16_t& length);
} // namespace internal
inline Result
ExpectTagAndSkipValue(Input& input, uint8_t tag)
ExpectTagAndSkipValue(Reader& input, uint8_t tag)
{
uint16_t length;
Result rv = internal::ExpectTagAndGetLength(input, tag, length);
@ -113,7 +113,7 @@ ExpectTagAndSkipValue(Input& input, uint8_t tag)
}
inline Result
ExpectTagAndGetValue(Input& input, uint8_t tag, /*out*/ InputBuffer& value)
ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Input& value)
{
uint16_t length;
Result rv = internal::ExpectTagAndGetLength(input, tag, length);
@ -124,7 +124,7 @@ ExpectTagAndGetValue(Input& input, uint8_t tag, /*out*/ InputBuffer& value)
}
inline Result
ExpectTagAndGetValue(Input& input, uint8_t tag, /*out*/ Input& value)
ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Reader& value)
{
uint16_t length;
Result rv = internal::ExpectTagAndGetLength(input, tag, length);
@ -134,12 +134,12 @@ ExpectTagAndGetValue(Input& input, uint8_t tag, /*out*/ Input& value)
return input.Skip(length, value);
}
// Like ExpectTagAndGetValue, except the output InputBuffer will contain the
// Like ExpectTagAndGetValue, except the output Input will contain the
// encoded tag and length along with the value.
inline Result
ExpectTagAndGetTLV(Input& input, uint8_t tag, /*out*/ InputBuffer& tlv)
ExpectTagAndGetTLV(Reader& input, uint8_t tag, /*out*/ Input& tlv)
{
Input::Mark mark(input.GetMark());
Reader::Mark mark(input.GetMark());
uint16_t length;
Result rv = internal::ExpectTagAndGetLength(input, tag, length);
if (rv != Success) {
@ -149,11 +149,11 @@ ExpectTagAndGetTLV(Input& input, uint8_t tag, /*out*/ InputBuffer& tlv)
if (rv != Success) {
return rv;
}
return input.GetInputBuffer(mark, tlv);
return input.GetInput(mark, tlv);
}
inline Result
End(Input& input)
End(Reader& input)
{
if (!input.AtEnd()) {
return Result::ERROR_BAD_DER;
@ -164,9 +164,9 @@ End(Input& input)
template <typename Decoder>
inline Result
Nested(Input& input, uint8_t tag, Decoder decoder)
Nested(Reader& input, uint8_t tag, Decoder decoder)
{
Input nested;
Reader nested;
Result rv = ExpectTagAndGetValue(input, tag, nested);
if (rv != Success) {
return rv;
@ -180,12 +180,12 @@ Nested(Input& input, uint8_t tag, Decoder decoder)
template <typename Decoder>
inline Result
Nested(Input& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
Nested(Reader& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
{
// XXX: This doesn't work (in VS2010):
// return Nested(input, outerTag, bind(Nested, _1, innerTag, decoder));
Input nestedInput;
Reader nestedInput;
Result rv = ExpectTagAndGetValue(input, outerTag, nestedInput);
if (rv != Success) {
return rv;
@ -209,17 +209,17 @@ Nested(Input& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
//
// rv = NestedOf(input, SEQEUENCE, SEQUENCE, bind(_1, Foo));
//
// Result Foo(Input& input) {
// Result Foo(Reader& input) {
// }
//
// In this example, Foo will get called once for each element of foos.
//
template <typename Decoder>
inline Result
NestedOf(Input& input, uint8_t outerTag, uint8_t innerTag,
NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
EmptyAllowed mayBeEmpty, Decoder decoder)
{
Input inner;
Reader inner;
Result rv = ExpectTagAndGetValue(input, outerTag, inner);
if (rv != Success) {
return rv;
@ -249,7 +249,7 @@ namespace internal {
// This parser will only parse values between 0..127. If this range is
// increased then callers will need to be changed.
template <typename T> inline Result
IntegralValue(Input& input, uint8_t tag, T& value)
IntegralValue(Reader& input, uint8_t tag, T& value)
{
// Conveniently, all the Integers that we actually have to be able to parse
// are positive and very small. Consequently, this parser is *much* simpler
@ -273,10 +273,10 @@ IntegralValue(Input& input, uint8_t tag, T& value)
} // namespace internal
Result
BitStringWithNoUnusedBits(Input& input, /*out*/ InputBuffer& value);
BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value);
inline Result
Boolean(Input& input, /*out*/ bool& value)
Boolean(Reader& input, /*out*/ bool& value)
{
Result rv = ExpectTagAndLength(input, BOOLEAN, 1);
if (rv != Success) {
@ -301,7 +301,7 @@ Boolean(Input& input, /*out*/ bool& value)
// TODO(bug 989518): For compatibility reasons, in some places we allow
// invalid encodings with the explicit default value.
inline Result
OptionalBoolean(Input& input, bool allowInvalidExplicitEncoding,
OptionalBoolean(Reader& input, bool allowInvalidExplicitEncoding,
/*out*/ bool& value)
{
value = false;
@ -320,7 +320,7 @@ OptionalBoolean(Input& input, bool allowInvalidExplicitEncoding,
// This parser will only parse values between 0..127. If this range is
// increased then callers will need to be changed.
inline Result
Enumerated(Input& input, uint8_t& value)
Enumerated(Reader& input, uint8_t& value)
{
return internal::IntegralValue(input, ENUMERATED | 0, value);
}
@ -333,7 +333,7 @@ namespace internal {
// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
// eliminate the chance for complications in converting times to traditional
// time formats that start at 1970.
Result TimeChoice(Input& input, uint8_t tag, /*out*/ PRTime& time);
Result TimeChoice(Reader& input, uint8_t tag, /*out*/ PRTime& time);
} // namespace internal
@ -341,7 +341,7 @@ Result TimeChoice(Input& input, uint8_t tag, /*out*/ PRTime& time);
// eliminate the chance for complications in converting times to traditional
// time formats that start at 1970.
inline Result
GeneralizedTime(Input& input, /*out*/ PRTime& time)
GeneralizedTime(Reader& input, /*out*/ PRTime& time)
{
return internal::TimeChoice(input, GENERALIZED_TIME, time);
}
@ -350,7 +350,7 @@ GeneralizedTime(Input& input, /*out*/ PRTime& time)
// eliminate the chance for complications in converting times to traditional
// time formats that start at 1970.
inline Result
TimeChoice(Input& input, /*out*/ PRTime& time)
TimeChoice(Reader& input, /*out*/ PRTime& time)
{
uint8_t expectedTag = input.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
return internal::TimeChoice(input, expectedTag, time);
@ -359,7 +359,7 @@ TimeChoice(Input& input, /*out*/ PRTime& time)
// This parser will only parse values between 0..127. If this range is
// increased then callers will need to be changed.
inline Result
Integer(Input& input, /*out*/ uint8_t& value)
Integer(Reader& input, /*out*/ uint8_t& value)
{
return internal::IntegralValue(input, INTEGER, value);
}
@ -369,7 +369,7 @@ Integer(Input& input, /*out*/ uint8_t& value)
// -1; defaultValue is only a parameter to make it clear in the calling code
// what the default value is.
inline Result
OptionalInteger(Input& input, long defaultValue, /*out*/ long& value)
OptionalInteger(Reader& input, long defaultValue, /*out*/ long& value)
{
// If we need to support a different default value in the future, we need to
// test that parsedValue != defaultValue.
@ -392,16 +392,16 @@ OptionalInteger(Input& input, long defaultValue, /*out*/ long& value)
}
inline Result
Null(Input& input)
Null(Reader& input)
{
return ExpectTagAndLength(input, NULLTag, 0);
}
template <uint8_t Len>
Result
OID(Input& input, const uint8_t (&expectedOid)[Len])
OID(Reader& input, const uint8_t (&expectedOid)[Len])
{
Input value;
Reader value;
Result rv = ExpectTagAndGetValue(input, OIDTag, value);
if (rv != Success) {
return rv;
@ -415,7 +415,7 @@ OID(Input& input, const uint8_t (&expectedOid)[Len])
// PKI-specific types
inline Result
CertificateSerialNumber(Input& input, /*out*/ InputBuffer& value)
CertificateSerialNumber(Reader& input, /*out*/ Input& value)
{
// http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
//
@ -443,7 +443,7 @@ CertificateSerialNumber(Input& input, /*out*/ InputBuffer& value)
// then the second byte must NOT have its high bit set; otherwise the same
// *negative* value could be encoded without the leading 0xFF byte.
if (value.GetLength() > 1) {
Input valueInput(value);
Reader valueInput(value);
uint8_t firstByte;
rv = valueInput.Read(firstByte);
if (rv != Success) {
@ -471,14 +471,14 @@ MOZILLA_PKIX_ENUM_CLASS Version { v1 = 0, v2 = 1, v3 = 2 };
// "[0] EXPLICIT Version DEFAULT <defaultVersion>" construct, but with
// different default versions.
inline Result
OptionalVersion(Input& input, /*out*/ Version& version)
OptionalVersion(Reader& input, /*out*/ Version& version)
{
static const uint8_t TAG = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
if (!input.Peek(TAG)) {
version = Version::v1;
return Success;
}
Input value;
Reader value;
Result rv = ExpectTagAndGetValue(input, TAG, value);
if (rv != Success) {
return rv;
@ -506,7 +506,8 @@ OptionalVersion(Input& input, /*out*/ Version& version)
template <typename ExtensionHandler>
inline Result
OptionalExtensions(Input& input, uint8_t tag, ExtensionHandler extensionHandler)
OptionalExtensions(Reader& input, uint8_t tag,
ExtensionHandler extensionHandler)
{
if (!input.Peek(tag)) {
return Success;
@ -514,9 +515,9 @@ OptionalExtensions(Input& input, uint8_t tag, ExtensionHandler extensionHandler)
Result rv;
Input extensions;
Reader extensions;
{
Input tagged;
Reader tagged;
rv = ExpectTagAndGetValue(input, tag, tagged);
if (rv != Success) {
return rv;
@ -537,7 +538,7 @@ OptionalExtensions(Input& input, uint8_t tag, ExtensionHandler extensionHandler)
// an empty sequence of extensions but we've found OCSP responses that have
// that (see bug 991898).
while (!extensions.AtEnd()) {
Input extension;
Reader extension;
rv = ExpectTagAndGetValue(extensions, SEQUENCE, extension);
if (rv != Success) {
return rv;
@ -548,7 +549,7 @@ OptionalExtensions(Input& input, uint8_t tag, ExtensionHandler extensionHandler)
// critical BOOLEAN DEFAULT FALSE,
// extnValue OCTET STRING
// }
Input extnID;
Reader extnID;
rv = ExpectTagAndGetValue(extension, OIDTag, extnID);
if (rv != Success) {
return rv;
@ -558,7 +559,7 @@ OptionalExtensions(Input& input, uint8_t tag, ExtensionHandler extensionHandler)
if (rv != Success) {
return rv;
}
InputBuffer extnValue;
Input extnValue;
rv = ExpectTagAndGetValue(extension, OCTET_STRING, extnValue);
if (rv != Success) {
return rv;
@ -581,10 +582,10 @@ OptionalExtensions(Input& input, uint8_t tag, ExtensionHandler extensionHandler)
return Success;
}
Result DigestAlgorithmIdentifier(Input& input,
Result DigestAlgorithmIdentifier(Reader& input,
/*out*/ DigestAlgorithm& algorithm);
Result SignatureAlgorithmIdentifier(Input& input,
Result SignatureAlgorithmIdentifier(Reader& input,
/*out*/ SignatureAlgorithm& algorithm);
// Parses a SEQUENCE into tbs and then parses an AlgorithmIdentifier followed
@ -603,7 +604,7 @@ Result SignatureAlgorithmIdentifier(Input& input,
// signatureAlgorithm AlgorithmIdentifier,
// signature BIT STRING,
// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Result SignedData(Input& input, /*out*/ Input& tbs,
Result SignedData(Reader& input, /*out*/ Reader& tbs,
/*out*/ SignedDataWithSignature& signedDataWithSignature);
} } } // namespace mozilla::pkix::der

16
security/pkix/lib/pkixnss.cpp
View File

@ -39,11 +39,11 @@ namespace mozilla { namespace pkix {
typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey> ScopedSECKeyPublicKey;
Result
CheckPublicKeySize(InputBuffer subjectPublicKeyInfo,
CheckPublicKeySize(Input subjectPublicKeyInfo,
/*out*/ ScopedSECKeyPublicKey& publicKey)
{
SECItem subjectPublicKeyInfoSECItem =
UnsafeMapInputBufferToSECItem(subjectPublicKeyInfo);
UnsafeMapInputToSECItem(subjectPublicKeyInfo);
ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&subjectPublicKeyInfoSECItem));
if (!spki) {
@ -82,7 +82,7 @@ CheckPublicKeySize(InputBuffer subjectPublicKeyInfo,
}
Result
CheckPublicKey(InputBuffer subjectPublicKeyInfo)
CheckPublicKey(Input subjectPublicKeyInfo)
{
ScopedSECKeyPublicKey unused;
return CheckPublicKeySize(subjectPublicKeyInfo, unused);
@ -90,7 +90,7 @@ CheckPublicKey(InputBuffer subjectPublicKeyInfo)
Result
VerifySignedData(const SignedDataWithSignature& sd,
InputBuffer subjectPublicKeyInfo, void* pkcs11PinArg)
Input subjectPublicKeyInfo, void* pkcs11PinArg)
{
// See bug 921585.
if (sd.data.GetLength() >
@ -155,8 +155,8 @@ VerifySignedData(const SignedDataWithSignature& sd,
// The static_cast is safe according to the check above that references
// bug 921585.
SECItem dataSECItem(UnsafeMapInputBufferToSECItem(sd.data));
SECItem signatureSECItem(UnsafeMapInputBufferToSECItem(sd.signature));
SECItem dataSECItem(UnsafeMapInputToSECItem(sd.data));
SECItem signatureSECItem(UnsafeMapInputToSECItem(sd.signature));
SECStatus srv = VFY_VerifyDataDirect(dataSECItem.data,
static_cast<int>(dataSECItem.len),
pubKey.get(), &signatureSECItem,
@ -170,7 +170,7 @@ VerifySignedData(const SignedDataWithSignature& sd,
}
Result
DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
{
static_assert(TrustDomain::DIGEST_LENGTH == SHA1_LENGTH,
"TrustDomain::DIGEST_LENGTH must be 20 (SHA-1 digest length)");
@ -178,7 +178,7 @@ DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
PR_NOT_REACHED("invalid hash length");
return Result::FATAL_ERROR_INVALID_ARGS;
}
SECItem itemSECItem = UnsafeMapInputBufferToSECItem(item);
SECItem itemSECItem = UnsafeMapInputToSECItem(item);
if (itemSECItem.len >
static_cast<decltype(itemSECItem.len)>(
std::numeric_limits<int32_t>::max())) {

100
security/pkix/lib/pkixocsp.cpp
View File

@ -85,8 +85,8 @@ private:
static Result
CheckOCSPResponseSignerCert(TrustDomain& trustDomain,
BackCert& potentialSigner,
InputBuffer issuerSubject,
InputBuffer issuerSubjectPublicKeyInfo,
Input issuerSubject,
Input issuerSubjectPublicKeyInfo,
PRTime time)
{
Result rv;
@ -129,7 +129,7 @@ CheckOCSPResponseSignerCert(TrustDomain& trustDomain,
// XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
// comparison.
// TODO: needs test
if (!InputBuffersAreEqual(potentialSigner.GetIssuer(), issuerSubject)) {
if (!InputsAreEqual(potentialSigner.GetIssuer(), issuerSubject)) {
return Result::ERROR_OCSP_RESPONDER_CERT_INVALID;
}
@ -150,34 +150,34 @@ MOZILLA_PKIX_ENUM_CLASS ResponderIDType : uint8_t
byKey = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 2
};
static inline Result OCSPResponse(Input&, Context&);
static inline Result ResponseBytes(Input&, Context&);
static inline Result BasicResponse(Input&, Context&);
static inline Result OCSPResponse(Reader&, Context&);
static inline Result ResponseBytes(Reader&, Context&);
static inline Result BasicResponse(Reader&, Context&);
static inline Result ResponseData(
Input& tbsResponseData,
Reader& tbsResponseData,
Context& context,
const SignedDataWithSignature& signedResponseData,
const DERArray& certs);
static inline Result SingleResponse(Input& input, Context& context);
static Result ExtensionNotUnderstood(Input& extnID, InputBuffer extnValue,
static inline Result SingleResponse(Reader& input, Context& context);
static Result ExtensionNotUnderstood(Reader& extnID, Input extnValue,
/*out*/ bool& understood);
static inline Result CertID(Input& input,
static inline Result CertID(Reader& input,
const Context& context,
/*out*/ bool& match);
static Result MatchKeyHash(TrustDomain& trustDomain,
InputBuffer issuerKeyHash,
InputBuffer issuerSubjectPublicKeyInfo,
Input issuerKeyHash,
Input issuerSubjectPublicKeyInfo,
/*out*/ bool& match);
static Result KeyHash(TrustDomain& trustDomain,
InputBuffer subjectPublicKeyInfo,
Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
static Result
MatchResponderID(TrustDomain& trustDomain,
ResponderIDType responderIDType,
InputBuffer responderID,
InputBuffer potentialSignerSubject,
InputBuffer potentialSignerSubjectPublicKeyInfo,
Input responderID,
Input potentialSignerSubject,
Input potentialSignerSubjectPublicKeyInfo,
/*out*/ bool& match)
{
match = false;
@ -186,13 +186,13 @@ MatchResponderID(TrustDomain& trustDomain,
case ResponderIDType::byName:
// XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
// comparison.
match = InputBuffersAreEqual(responderID, potentialSignerSubject);
match = InputsAreEqual(responderID, potentialSignerSubject);
return Success;
case ResponderIDType::byKey:
{
Input input(responderID);
InputBuffer keyHash;
Reader input(responderID);
Input keyHash;
Result rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, keyHash);
if (rv != Success) {
return rv;
@ -209,7 +209,7 @@ MatchResponderID(TrustDomain& trustDomain,
static Result
VerifyOCSPSignedData(TrustDomain& trustDomain,
const SignedDataWithSignature& signedResponseData,
InputBuffer spki)
Input spki)
{
Result rv = trustDomain.VerifySignedData(signedResponseData, spki);
if (rv == Result::ERROR_BAD_SIGNATURE) {
@ -226,7 +226,7 @@ VerifyOCSPSignedData(TrustDomain& trustDomain,
// *directly* to issuerCert.
static Result
VerifySignature(Context& context, ResponderIDType responderIDType,
InputBuffer responderID, const DERArray& certs,
Input responderID, const DERArray& certs,
const SignedDataWithSignature& signedResponseData)
{
bool match;
@ -291,7 +291,7 @@ MapBadDERToMalformedOCSPResponse(Result rv)
Result
VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const struct CertID& certID,
PRTime time, uint16_t maxOCSPLifetimeInDays,
InputBuffer encodedResponse,
Input encodedResponse,
/*out*/ bool& expired,
/*optional out*/ PRTime* thisUpdate,
/*optional out*/ PRTime* validThrough)
@ -302,7 +302,7 @@ VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const struct CertID& certID,
Context context(trustDomain, certID, time, maxOCSPLifetimeInDays,
thisUpdate, validThrough);
Input input(encodedResponse);
Reader input(encodedResponse);
Result rv = der::Nested(input, der::SEQUENCE,
bind(OCSPResponse, _1, ref(context)));
if (rv != Success) {
@ -336,7 +336,7 @@ VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const struct CertID& certID,
// responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
//
static inline Result
OCSPResponse(Input& input, Context& context)
OCSPResponse(Reader& input, Context& context)
{
// OCSPResponseStatus ::= ENUMERATED {
// successful (0), -- Response has valid confirmations
@ -371,7 +371,7 @@ OCSPResponse(Input& input, Context& context)
// responseType OBJECT IDENTIFIER,
// response OCTET STRING }
static inline Result
ResponseBytes(Input& input, Context& context)
ResponseBytes(Reader& input, Context& context)
{
static const uint8_t id_pkix_ocsp_basic[] = {
0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
@ -392,9 +392,9 @@ ResponseBytes(Input& input, Context& context)
// signature BIT STRING,
// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Result
BasicResponse(Input& input, Context& context)
BasicResponse(Reader& input, Context& context)
{
Input tbsResponseData;
Reader tbsResponseData;
SignedDataWithSignature signedData;
Result rv = der::SignedData(input, tbsResponseData, signedData);
if (rv != Success) {
@ -413,7 +413,7 @@ BasicResponse(Input& input, Context& context)
// and too long and we'll have leftover data that won't parse as a cert.
// [0] wrapper
Input wrapped;
Reader wrapped;
rv = der::ExpectTagAndGetValue(
input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0, wrapped);
if (rv != Success) {
@ -425,7 +425,7 @@ BasicResponse(Input& input, Context& context)
}
// SEQUENCE wrapper
Input certsSequence;
Reader certsSequence;
rv = der::ExpectTagAndGetValue(wrapped, der::SEQUENCE, certsSequence);
if (rv != Success) {
return rv;
@ -437,7 +437,7 @@ BasicResponse(Input& input, Context& context)
// sequence of certificates
while (!certsSequence.AtEnd()) {
InputBuffer cert;
Input cert;
rv = der::ExpectTagAndGetTLV(certsSequence, der::SEQUENCE, cert);
if (rv != Success) {
return rv;
@ -459,7 +459,7 @@ BasicResponse(Input& input, Context& context)
// responses SEQUENCE OF SingleResponse,
// responseExtensions [1] EXPLICIT Extensions OPTIONAL }
static inline Result
ResponseData(Input& input, Context& context,
ResponseData(Reader& input, Context& context,
const SignedDataWithSignature& signedResponseData,
const DERArray& certs)
{
@ -476,7 +476,7 @@ ResponseData(Input& input, Context& context,
// ResponderID ::= CHOICE {
// byName [1] Name,
// byKey [2] KeyHash }
InputBuffer responderID;
Input responderID;
ResponderIDType responderIDType
= input.Peek(static_cast<uint8_t>(ResponderIDType::byName))
? ResponderIDType::byName
@ -528,7 +528,7 @@ ResponseData(Input& input, Context& context,
// CrlEntryExtensions, ...}
// } OPTIONAL }
static inline Result
SingleResponse(Input& input, Context& context)
SingleResponse(Reader& input, Context& context)
{
bool match = false;
Result rv = der::Nested(input, der::SEQUENCE,
@ -660,7 +660,7 @@ SingleResponse(Input& input, Context& context)
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
static inline Result
CertID(Input& input, const Context& context, /*out*/ bool& match)
CertID(Reader& input, const Context& context, /*out*/ bool& match)
{
match = false;
@ -675,25 +675,25 @@ CertID(Input& input, const Context& context, /*out*/ bool& match)
return rv;
}
InputBuffer issuerNameHash;
Input issuerNameHash;
rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerNameHash);
if (rv != Success) {
return rv;
}
InputBuffer issuerKeyHash;
Input issuerKeyHash;
rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerKeyHash);
if (rv != Success) {
return rv;
}
InputBuffer serialNumber;
Input serialNumber;
rv = der::CertificateSerialNumber(input, serialNumber);
if (rv != Success) {
return rv;
}
if (!InputBuffersAreEqual(serialNumber, context.certID.serialNumber)) {
if (!InputsAreEqual(serialNumber, context.certID.serialNumber)) {
// This does not reference the certificate we're interested in.
// Consume the rest of the input and return successfully to
// potentially continue processing other responses.
@ -722,8 +722,8 @@ CertID(Input& input, const Context& context, /*out*/ bool& match)
if (rv != Success) {
return rv;
}
InputBuffer computed(hashBuf);
if (!InputBuffersAreEqual(computed, issuerNameHash)) {
Input computed(hashBuf);
if (!InputsAreEqual(computed, issuerNameHash)) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
@ -744,8 +744,8 @@ CertID(Input& input, const Context& context, /*out*/ bool& match)
// -- the tag, length, and number of unused
// -- bits] in the responder's certificate)
static Result
MatchKeyHash(TrustDomain& trustDomain, InputBuffer keyHash,
const InputBuffer subjectPublicKeyInfo, /*out*/ bool& match)
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
const Input subjectPublicKeyInfo, /*out*/ bool& match)
{
if (keyHash.GetLength() != TrustDomain::DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
@ -756,14 +756,14 @@ MatchKeyHash(TrustDomain& trustDomain, InputBuffer keyHash,
if (rv != Success) {
return rv;
}
InputBuffer computed(hashBuf);
match = InputBuffersAreEqual(computed, keyHash);
Input computed(hashBuf);
match = InputsAreEqual(computed, keyHash);
return Success;
}
// TODO(bug 966856): support SHA-2 hashes
Result
KeyHash(TrustDomain& trustDomain, const InputBuffer subjectPublicKeyInfo,
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
{
if (!hashBuf || hashBufSize != TrustDomain::DIGEST_LENGTH) {
@ -776,13 +776,13 @@ KeyHash(TrustDomain& trustDomain, const InputBuffer subjectPublicKeyInfo,
// algorithm AlgorithmIdentifier,
// subjectPublicKey BIT STRING }
Input spki;
Reader spki;
Result rv;
{
// The scope of input is limited to reduce the possibility of confusing it
// with spki in places we need to be using spki below.
Input input(subjectPublicKeyInfo);
Reader input(subjectPublicKeyInfo);
rv = der::ExpectTagAndGetValue(input, der::SEQUENCE, spki);
if (rv != Success) {
return rv;
@ -799,7 +799,7 @@ KeyHash(TrustDomain& trustDomain, const InputBuffer subjectPublicKeyInfo,
return rv;
}
InputBuffer subjectPublicKey;
Input subjectPublicKey;
rv = der::BitStringWithNoUnusedBits(spki, subjectPublicKey);
if (rv != Success) {
return rv;
@ -813,7 +813,7 @@ KeyHash(TrustDomain& trustDomain, const InputBuffer subjectPublicKeyInfo,
}
Result
ExtensionNotUnderstood(Input& /*extnID*/, InputBuffer /*extnValue*/,
ExtensionNotUnderstood(Reader& /*extnID*/, Input /*extnValue*/,
/*out*/ bool& understood)
{
understood = false;
@ -932,7 +932,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// reqCert.serialNumber (INTEGER)
*d++ = 0x02; // INTEGER
*d++ = static_cast<uint8_t>(certID.serialNumber.GetLength());
Input serialNumber(certID.serialNumber);
Reader serialNumber(certID.serialNumber);
do {
rv = serialNumber.Read(*d);
if (rv != Success) {

80
security/pkix/lib/pkixutil.h
View File

@ -42,7 +42,7 @@ class BackCert
{
public:
// certDER and childCert must be valid for the lifetime of BackCert.
BackCert(InputBuffer certDER, EndEntityOrCA endEntityOrCA,
BackCert(Input certDER, EndEntityOrCA endEntityOrCA,
const BackCert* childCert)
: der(certDER)
, endEntityOrCA(endEntityOrCA)
@ -52,51 +52,51 @@ public:
Result Init();
const InputBuffer GetDER() const { return der; }
const Input GetDER() const { return der; }
const der::Version GetVersion() const { return version; }
const SignedDataWithSignature& GetSignedData() const { return signedData; }
const InputBuffer GetIssuer() const { return issuer; }
const Input GetIssuer() const { return issuer; }
// XXX: "validity" is a horrible name for the structure that holds
// notBefore & notAfter, but that is the name used in RFC 5280 and we use the
// RFC 5280 names for everything.
const InputBuffer GetValidity() const { return validity; }
const InputBuffer GetSerialNumber() const { return serialNumber; }
const InputBuffer GetSubject() const { return subject; }
const InputBuffer GetSubjectPublicKeyInfo() const
const Input GetValidity() const { return validity; }
const Input GetSerialNumber() const { return serialNumber; }
const Input GetSubject() const { return subject; }
const Input GetSubjectPublicKeyInfo() const
{
return subjectPublicKeyInfo;
}
const InputBuffer* GetAuthorityInfoAccess() const
const Input* GetAuthorityInfoAccess() const
{
return MaybeInputBuffer(authorityInfoAccess);
return MaybeInput(authorityInfoAccess);
}
const InputBuffer* GetBasicConstraints() const
const Input* GetBasicConstraints() const
{
return MaybeInputBuffer(basicConstraints);
return MaybeInput(basicConstraints);
}
const InputBuffer* GetCertificatePolicies() const
const Input* GetCertificatePolicies() const
{
return MaybeInputBuffer(certificatePolicies);
return MaybeInput(certificatePolicies);
}
const InputBuffer* GetExtKeyUsage() const
const Input* GetExtKeyUsage() const
{
return MaybeInputBuffer(extKeyUsage);
return MaybeInput(extKeyUsage);
}
const InputBuffer* GetKeyUsage() const
const Input* GetKeyUsage() const
{
return MaybeInputBuffer(keyUsage);
return MaybeInput(keyUsage);
}
const InputBuffer* GetInhibitAnyPolicy() const
const Input* GetInhibitAnyPolicy() const
{
return MaybeInputBuffer(inhibitAnyPolicy);
return MaybeInput(inhibitAnyPolicy);
}
const InputBuffer* GetNameConstraints() const
const Input* GetNameConstraints() const
{
return MaybeInputBuffer(nameConstraints);
return MaybeInput(nameConstraints);
}
private:
const InputBuffer der;
const Input der;
public:
const EndEntityOrCA endEntityOrCA;
@ -111,31 +111,31 @@ private:
// *processing* extensions, we distinguish between whether an extension was
// included or not based on whetehr the GetXXX function for the extension
// returns nullptr.
static inline const InputBuffer* MaybeInputBuffer(const InputBuffer& item)
static inline const Input* MaybeInput(const Input& item)
{
return item.GetLength() > 0 ? &item : nullptr;
}
SignedDataWithSignature signedData;
InputBuffer issuer;
Input issuer;
// XXX: "validity" is a horrible name for the structure that holds
// notBefore & notAfter, but that is the name used in RFC 5280 and we use the
// RFC 5280 names for everything.
InputBuffer validity;
InputBuffer serialNumber;
InputBuffer subject;
InputBuffer subjectPublicKeyInfo;
Input validity;
Input serialNumber;
Input subject;
Input subjectPublicKeyInfo;
InputBuffer authorityInfoAccess;
InputBuffer basicConstraints;
InputBuffer certificatePolicies;
InputBuffer extKeyUsage;
InputBuffer inhibitAnyPolicy;
InputBuffer keyUsage;
InputBuffer nameConstraints;
InputBuffer subjectAltName;
Input authorityInfoAccess;
Input basicConstraints;
Input certificatePolicies;
Input extKeyUsage;
Input inhibitAnyPolicy;
Input keyUsage;
Input nameConstraints;
Input subjectAltName;
Result RememberExtension(Input& extnID, const InputBuffer& extnValue,
Result RememberExtension(Reader& extnID, const Input& extnValue,
/*out*/ bool& understood);
BackCert(const BackCert&) /* = delete */;
@ -154,12 +154,12 @@ public:
virtual size_t GetLength() const { return numItems; }
virtual const InputBuffer* GetDER(size_t i) const
virtual const Input* GetDER(size_t i) const
{
return i < numItems ? &items[i] : nullptr;
}
Result Append(InputBuffer der)
Result Append(Input der)
{
if (numItems >= MAX_LENGTH) {
return Result::FATAL_ERROR_INVALID_ARGS;
@ -175,7 +175,7 @@ public:
// Public so we can static_assert on this. Keep in sync with MAX_SUBCA_COUNT.
static const size_t MAX_LENGTH = 8;
private:
InputBuffer items[MAX_LENGTH]; // avoids any heap allocations
Input items[MAX_LENGTH]; // avoids any heap allocations
size_t numItems;
NonOwningDERArray(const NonOwningDERArray&) /* = delete*/;

56
security/pkix/test/gtest/pkixbuild_tests.cpp
View File

@ -34,7 +34,7 @@ using namespace mozilla::pkix;
using namespace mozilla::pkix::test;
// The result is owned by the arena
static InputBuffer
static Input
CreateCert(PLArenaPool* arena, const char* issuerStr,
const char* subjectStr, EndEntityOrCA endEntityOrCA,
/*optional*/ SECKEYPrivateKey* issuerKey,
@ -71,7 +71,7 @@ CreateCert(PLArenaPool* arena, const char* issuerStr,
nullptr, false, true);
EXPECT_TRUE(*subjectCert);
}
InputBuffer result;
Input result;
EXPECT_EQ(Success, result.Init(certDER->data, certDER->len));
return result;
}
@ -110,14 +110,14 @@ public:
private:
virtual Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
InputBuffer candidateCert,
Input candidateCert,
/*out*/ TrustLevel& trustLevel)
{
InputBuffer rootDER;
Input rootDER;
Result rv = rootDER.Init(certChainTail[0]->derCert.data,
certChainTail[0]->derCert.len);
EXPECT_EQ(Success, rv);
if (InputBuffersAreEqual(candidateCert, rootDER)) {
if (InputsAreEqual(candidateCert, rootDER)) {
trustLevel = TrustLevel::TrustAnchor;
} else {
trustLevel = TrustLevel::InheritsTrust;
@ -125,11 +125,11 @@ private:
return Success;
}
virtual Result FindIssuer(InputBuffer encodedIssuerName,
virtual Result FindIssuer(Input encodedIssuerName,
IssuerChecker& checker, PRTime time)
{
SECItem encodedIssuerNameSECItem =
UnsafeMapInputBufferToSECItem(encodedIssuerName);
UnsafeMapInputToSECItem(encodedIssuerName);
ScopedCERTCertList
candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
&encodedIssuerNameSECItem, time,
@ -138,7 +138,7 @@ private:
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
bool keepGoing;
InputBuffer derCert;
Input derCert;
Result rv = derCert.Init(n->cert->derCert.data, n->cert->derCert.len);
EXPECT_EQ(Success, rv);
if (rv != Success) {
@ -159,8 +159,8 @@ private:
}
virtual Result CheckRevocation(EndEntityOrCA, const CertID&, PRTime,
/*optional*/ const InputBuffer*,
/*optional*/ const InputBuffer*)
/*optional*/ const Input*,
/*optional*/ const Input*)
{
return Success;
}
@ -171,20 +171,20 @@ private:
}
virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
InputBuffer subjectPublicKeyInfo)
Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
nullptr);
}
virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
virtual Result DigestBuf(Input item, /*out*/ uint8_t *digestBuf,
size_t digestBufLen)
{
ADD_FAILURE();
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
}
@ -223,7 +223,7 @@ protected:
TEST_F(pkixbuild, MaxAcceptableCertChainLength)
{
{
InputBuffer certDER;
Input certDER;
ASSERT_EQ(Success, certDER.Init(trustDomain.GetLeafCACert()->derCert.data,
trustDomain.GetLeafCACert()->derCert.len));
ASSERT_EQ(Success,
@ -238,11 +238,11 @@ TEST_F(pkixbuild, MaxAcceptableCertChainLength)
{
ScopedSECKEYPrivateKey privateKey;
ScopedCERTCertificate cert;
InputBuffer certDER(CreateCert(arena.get(),
trustDomain.GetLeafCACert()->subjectName,
"CN=Direct End-Entity",
EndEntityOrCA::MustBeEndEntity,
trustDomain.leafCAKey.get(), privateKey));
Input certDER(CreateCert(arena.get(),
trustDomain.GetLeafCACert()->subjectName,
"CN=Direct End-Entity",
EndEntityOrCA::MustBeEndEntity,
trustDomain.leafCAKey.get(), privateKey));
ASSERT_EQ(Success,
BuildCertChain(trustDomain, certDER, now,
EndEntityOrCA::MustBeEndEntity,
@ -263,11 +263,11 @@ TEST_F(pkixbuild, BeyondMaxAcceptableCertChainLength)
ScopedCERTCertificate caCert;
{
InputBuffer cert(CreateCert(arena.get(),
trustDomain.GetLeafCACert()->subjectName,
caCertName, EndEntityOrCA::MustBeCA,
trustDomain.leafCAKey.get(), caPrivateKey,
&caCert));
Input cert(CreateCert(arena.get(),
trustDomain.GetLeafCACert()->subjectName,
caCertName, EndEntityOrCA::MustBeCA,
trustDomain.leafCAKey.get(), caPrivateKey,
&caCert));
ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
BuildCertChain(trustDomain, cert, now,
EndEntityOrCA::MustBeCA,
@ -279,10 +279,10 @@ TEST_F(pkixbuild, BeyondMaxAcceptableCertChainLength)
{
ScopedSECKEYPrivateKey privateKey;
InputBuffer cert(CreateCert(arena.get(), caCertName,
"CN=End-Entity Too Far",
EndEntityOrCA::MustBeEndEntity,
caPrivateKey.get(), privateKey));
Input cert(CreateCert(arena.get(), caCertName,
"CN=End-Entity Too Far",
EndEntityOrCA::MustBeEndEntity,
caPrivateKey.get(), privateKey));
ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
BuildCertChain(trustDomain, cert, now,
EndEntityOrCA::MustBeEndEntity,

34
security/pkix/test/gtest/pkixcert_extension_tests.cpp
View File

@ -32,7 +32,7 @@ using namespace mozilla::pkix;
using namespace mozilla::pkix::test;
// Creates a self-signed certificate with the given extension.
static InputBuffer
static Input
CreateCert(PLArenaPool* arena, const char* subjectStr,
SECItem const* const* extensions, // null-terminated array
/*out*/ ScopedSECKEYPrivateKey& subjectKey)
@ -55,13 +55,13 @@ CreateCert(PLArenaPool* arena, const char* subjectStr,
subjectDER, extensions,
nullptr, SEC_OID_SHA256, subjectKey);
EXPECT_TRUE(cert);
InputBuffer result;
Input result;
EXPECT_EQ(Success, result.Init(cert->data, cert->len));
return result;
}
// Creates a self-signed certificate with the given extension.
static InputBuffer
static Input
CreateCert(PLArenaPool* arena, const char* subjectStr,
const SECItem* extension,
/*out*/ ScopedSECKEYPrivateKey& subjectKey)
@ -74,14 +74,14 @@ class TrustEverythingTrustDomain : public TrustDomain
{
private:
virtual Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
InputBuffer candidateCert,
Input candidateCert,
/*out*/ TrustLevel& trustLevel)
{
trustLevel = TrustLevel::TrustAnchor;
return Success;
}
virtual Result FindIssuer(InputBuffer /*encodedIssuerName*/,
virtual Result FindIssuer(Input /*encodedIssuerName*/,
IssuerChecker& /*checker*/, PRTime /*time*/)
{
ADD_FAILURE();
@ -89,8 +89,8 @@ private:
}
virtual Result CheckRevocation(EndEntityOrCA, const CertID&, PRTime,
/*optional*/ const InputBuffer*,
/*optional*/ const InputBuffer*)
/*optional*/ const Input*,
/*optional*/ const Input*)
{
return Success;
}
@ -101,19 +101,19 @@ private:
}
virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
InputBuffer subjectPublicKeyInfo)
Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
nullptr);
}
virtual Result DigestBuf(InputBuffer, /*out*/ uint8_t*, size_t)
virtual Result DigestBuf(Input, /*out*/ uint8_t*, size_t)
{
ADD_FAILURE();
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
}
@ -155,7 +155,7 @@ TEST_F(pkixcert_extension, UnknownCriticalExtension)
const char* certCN = "CN=Cert With Unknown Critical Extension";
ScopedSECKEYPrivateKey key;
// cert is owned by the arena
InputBuffer cert(CreateCert(arena.get(), certCN,
Input cert(CreateCert(arena.get(), certCN,
&unknownCriticalExtension, key));
ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
BuildCertChain(trustDomain, cert, now,
@ -186,7 +186,7 @@ TEST_F(pkixcert_extension, UnknownNonCriticalExtension)
const char* certCN = "CN=Cert With Unknown NonCritical Extension";
ScopedSECKEYPrivateKey key;
// cert is owned by the arena
InputBuffer cert(CreateCert(arena.get(), certCN,
Input cert(CreateCert(arena.get(), certCN,
&unknownNonCriticalExtension, key));
ASSERT_EQ(Success,
BuildCertChain(trustDomain, cert, now,
@ -218,7 +218,7 @@ TEST_F(pkixcert_extension, WrongOIDCriticalExtension)
const char* certCN = "CN=Cert With Critical Wrong OID Extension";
ScopedSECKEYPrivateKey key;
// cert is owned by the arena
InputBuffer cert(CreateCert(arena.get(), certCN,
Input cert(CreateCert(arena.get(), certCN,
&wrongOIDCriticalExtension, key));
ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
BuildCertChain(trustDomain, cert, now,
@ -252,7 +252,7 @@ TEST_F(pkixcert_extension, CriticalAIAExtension)
const char* certCN = "CN=Cert With Critical AIA Extension";
ScopedSECKEYPrivateKey key;
// cert is owned by the arena
InputBuffer cert(CreateCert(arena.get(), certCN, &criticalAIAExtension, key));
Input cert(CreateCert(arena.get(), certCN, &criticalAIAExtension, key));
ASSERT_EQ(Success,
BuildCertChain(trustDomain, cert, now,
EndEntityOrCA::MustBeEndEntity,
@ -282,7 +282,7 @@ TEST_F(pkixcert_extension, UnknownCriticalCEExtension)
const char* certCN = "CN=Cert With Unknown Critical id-ce Extension";
ScopedSECKEYPrivateKey key;
// cert is owned by the arena
InputBuffer cert(CreateCert(arena.get(), certCN,
Input cert(CreateCert(arena.get(), certCN,
&unknownCriticalCEExtension, key));
ASSERT_EQ(Result::ERROR_UNKNOWN_CRITICAL_EXTENSION,
BuildCertChain(trustDomain, cert, now,
@ -313,7 +313,7 @@ TEST_F(pkixcert_extension, KnownCriticalCEExtension)
const char* certCN = "CN=Cert With Known Critical id-ce Extension";
ScopedSECKEYPrivateKey key;
// cert is owned by the arena
InputBuffer cert(CreateCert(arena.get(), certCN, &criticalCEExtension, key));
Input cert(CreateCert(arena.get(), certCN, &criticalCEExtension, key));
ASSERT_EQ(Success,
BuildCertChain(trustDomain, cert, now,
EndEntityOrCA::MustBeEndEntity,
@ -344,7 +344,7 @@ TEST_F(pkixcert_extension, DuplicateSubjectAltName)
static const char* certCN = "CN=Cert With Duplicate subjectAltName";
ScopedSECKEYPrivateKey key;
// cert is owned by the arena
InputBuffer cert(CreateCert(arena.get(), certCN, extensions, key));
Input cert(CreateCert(arena.get(), certCN, extensions, key));
ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
BuildCertChain(trustDomain, cert, now,
EndEntityOrCA::MustBeEndEntity,

34
security/pkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp
View File

@ -32,7 +32,7 @@ using namespace mozilla::pkix::test;
namespace mozilla { namespace pkix {
extern Result CheckKeyUsage(EndEntityOrCA endEntityOrCA,
const InputBuffer* encodedKeyUsage,
const Input* encodedKeyUsage,
KeyUsage requiredKeyUsageIfPresent);
} } // namespace mozilla::pkix
@ -46,16 +46,16 @@ class pkixcheck_CheckKeyUsage : public ::testing::Test { };
const uint8_t name##_bytes[4] = { \
0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, unusedBits, bits \
}; \
const InputBuffer name(name##_bytes);
const Input name(name##_bytes);
static const InputBuffer empty_null;
static const Input empty_null;
// Note that keyCertSign is really the only interesting case for CA
// certificates since we don't support cRLSign.
TEST_F(pkixcheck_CheckKeyUsage, EE_none)
{
// The input InputBuffer is nullptr. This means the cert had no keyUsage
// The input Input is nullptr. This means the cert had no keyUsage
// extension. This is always valid because no key usage in an end-entity
// means that there are no key usage restrictions.
@ -75,12 +75,12 @@ TEST_F(pkixcheck_CheckKeyUsage, EE_none)
TEST_F(pkixcheck_CheckKeyUsage, EE_empty)
{
// The input InputBuffer is empty. The cert had an empty keyUsage extension,
// The input Input is empty. The cert had an empty keyUsage extension,
// which is syntactically invalid.
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
KeyUsage::digitalSignature));
static const uint8_t dummy = 0x00;
InputBuffer empty_nonnull;
Input empty_nonnull;
ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
KeyUsage::digitalSignature));
@ -99,7 +99,7 @@ TEST_F(pkixcheck_CheckKeyUsage, CA_empty)
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
KeyUsage::keyCertSign));
static const uint8_t dummy = 0x00;
InputBuffer empty_nonnull;
Input empty_nonnull;
ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
KeyUsage::keyCertSign));
@ -117,14 +117,14 @@ TEST_F(pkixcheck_CheckKeyUsage, tooManyUnusedBits)
static uint8_t oneValueByteData[] = {
0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 8/*unused bits*/, 0x80
};
static const InputBuffer oneValueByte(oneValueByteData);
static const Input oneValueByte(oneValueByteData);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
KeyUsage::digitalSignature));
static uint8_t twoValueBytesData[] = {
0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 8/*unused bits*/, 0x01, 0x00
};
static const InputBuffer twoValueBytes(twoValueBytesData);
static const Input twoValueBytes(twoValueBytesData);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
KeyUsage::digitalSignature));
}
@ -134,7 +134,7 @@ TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_NoPaddingBits)
static const uint8_t DER_BYTES[] = {
0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 0/*unused bits*/
};
static const InputBuffer DER(DER_BYTES);
static const Input DER(DER_BYTES);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
KeyUsage::digitalSignature));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
@ -146,7 +146,7 @@ TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_7PaddingBits)
static const uint8_t DER_BYTES[] = {
0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 7/*unused bits*/
};
static const InputBuffer DER(DER_BYTES);
static const Input DER(DER_BYTES);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
KeyUsage::digitalSignature));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
@ -180,7 +180,7 @@ void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage)
static_cast<uint8_t>(~bits),
static_cast<uint8_t>((0xFFu >> unusedBits) << unusedBits)
};
InputBuffer twoByteNotGood(twoByteNotGoodData);
Input twoByteNotGood(twoByteNotGoodData);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
usage));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood, usage));
@ -217,7 +217,7 @@ TEST_F(pkixcheck_CheckKeyUsage, keyCertSign)
static uint8_t twoByteNotGoodData[] = {
0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 2/*unused bits*/, 0xFBu, 0xFCu
};
static const InputBuffer twoByteNotGood(twoByteNotGoodData);
static const Input twoByteNotGood(twoByteNotGoodData);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
KeyUsage::keyCertSign));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood,
@ -230,7 +230,7 @@ TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
static uint8_t controlOneValueByteData[] = {
0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80
};
static const InputBuffer controlOneValueByte(controlOneValueByteData);
static const Input controlOneValueByte(controlOneValueByteData);
ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
&controlOneValueByte,
KeyUsage::digitalSignature));
@ -242,7 +242,7 @@ TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
static uint8_t oneValueByteData[] = {
0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80 | 0x01
};
static const InputBuffer oneValueByte(oneValueByteData);
static const Input oneValueByte(oneValueByteData);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
KeyUsage::digitalSignature));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &oneValueByte,
@ -253,7 +253,7 @@ TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
0x80 | 0x01, 0x80
};
static const InputBuffer controlTwoValueBytes(controlTwoValueBytesData);
static const Input controlTwoValueBytes(controlTwoValueBytesData);
ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
&controlTwoValueBytes,
KeyUsage::digitalSignature));
@ -266,7 +266,7 @@ TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
0x80 | 0x01, 0x80 | 0x01
};
static const InputBuffer twoValueBytes(twoValueBytesData);
static const Input twoValueBytes(twoValueBytesData);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
KeyUsage::digitalSignature));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoValueBytes,

18
security/pkix/test/gtest/pkixcheck_CheckValidity_tests.cpp
View File

@ -31,7 +31,7 @@ using namespace mozilla::pkix::test;
namespace mozilla { namespace pkix {
Result CheckValidity(const InputBuffer encodedValidity, PRTime time);
Result CheckValidity(const Input encodedValidity, PRTime time);
} } // namespace mozilla::pkix
@ -69,7 +69,7 @@ TEST_F(pkixcheck_CheckValidity, BothEmptyNull)
0x17/*UTCTime*/, 0/*length*/,
0x17/*UTCTime*/, 0/*length*/,
};
static const InputBuffer validity(DER);
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
}
@ -79,7 +79,7 @@ TEST_F(pkixcheck_CheckValidity, NotBeforeEmptyNull)
0x17/*UTCTime*/, 0x00/*length*/,
NEWER_UTCTIME
};
static const InputBuffer validity(DER);
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
}
@ -89,7 +89,7 @@ TEST_F(pkixcheck_CheckValidity, NotAfterEmptyNull)
NEWER_UTCTIME,
0x17/*UTCTime*/, 0x00/*length*/,
};
static const InputBuffer validity(DER);
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
}
@ -97,7 +97,7 @@ static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
OLDER_UTCTIME,
NEWER_UTCTIME,
};
static const InputBuffer
static const Input
OLDER_UTCTIME_NEWER_UTCTIME(OLDER_UTCTIME_NEWER_UTCTIME_DATA);
TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_UTCTIME)
@ -111,7 +111,7 @@ TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_GENERALIZEDTIME)
OLDER_GENERALIZEDTIME,
NEWER_GENERALIZEDTIME,
};
static const InputBuffer validity(DER);
static const Input validity(DER);
ASSERT_EQ(Success, CheckValidity(validity, NOW));
}
@ -121,7 +121,7 @@ TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_UTCTIME)
OLDER_GENERALIZEDTIME,
NEWER_UTCTIME,
};
static const InputBuffer validity(DER);
static const Input validity(DER);
ASSERT_EQ(Success, CheckValidity(validity, NOW));
}
@ -131,7 +131,7 @@ TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_GENERALIZEDTIME)
OLDER_UTCTIME,
NEWER_GENERALIZEDTIME,
};
static const InputBuffer validity(DER);
static const Input validity(DER);
ASSERT_EQ(Success, CheckValidity(validity, NOW));
}
@ -153,6 +153,6 @@ TEST_F(pkixcheck_CheckValidity, InvalidNotAfterBeforeNotBefore)
NEWER_UTCTIME,
OLDER_UTCTIME,
};
static const InputBuffer validity(DER);
static const Input validity(DER);
ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(validity, NOW));
}

401
security/pkix/test/gtest/pkixder_input_tests.cpp
View File

@ -86,31 +86,31 @@ const uint8_t DER_INT16[] = {
0x12, 0x34 // 0x1234
};
TEST_F(pkixder_input_tests, InputBufferInit)
TEST_F(pkixder_input_tests, InputInit)
{
InputBuffer buf;
Input buf;
ASSERT_EQ(Success,
buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
}
TEST_F(pkixder_input_tests, InputBufferInitWithNullPointerOrZeroLength)
TEST_F(pkixder_input_tests, InputInitWithNullPointerOrZeroLength)
{
InputBuffer buf;
Input buf;
ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 0));
ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 100));
// Though it seems odd to initialize with zero-length and non-null ptr, this
// is working as intended. The Input class was intended to protect against
// is working as intended. The Reader class was intended to protect against
// buffer overflows, and there's no risk with the current behavior. See bug
// 1000354.
ASSERT_EQ(Success, buf.Init((const uint8_t*) "hello", 0));
ASSERT_TRUE(buf.GetLength() == 0);
}
TEST_F(pkixder_input_tests, InputBufferInitWithLargeData)
TEST_F(pkixder_input_tests, InputInitWithLargeData)
{
InputBuffer buf;
Input buf;
// Data argument length does not matter, it is not touched, just
// needs to be non-null
ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init((const uint8_t*) "", 0xffff+1));
@ -118,9 +118,9 @@ TEST_F(pkixder_input_tests, InputBufferInitWithLargeData)
ASSERT_EQ(Success, buf.Init((const uint8_t*) "", 0xffff));
}
TEST_F(pkixder_input_tests, InputBufferInitMultipleTimes)
TEST_F(pkixder_input_tests, InputInitMultipleTimes)
{
InputBuffer buf;
Input buf;
ASSERT_EQ(Success,
buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
@ -132,8 +132,8 @@ TEST_F(pkixder_input_tests, InputBufferInitMultipleTimes)
TEST_F(pkixder_input_tests, PeekWithinBounds)
{
const uint8_t der[] = { 0x11, 0x11 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
ASSERT_TRUE(input.Peek(0x11));
ASSERT_FALSE(input.Peek(0x22));
}
@ -141,9 +141,9 @@ TEST_F(pkixder_input_tests, PeekWithinBounds)
TEST_F(pkixder_input_tests, PeekPastBounds)
{
const uint8_t der[] = { 0x11, 0x22 };
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 1));
Input input(buf);
Reader input(buf);
uint8_t readByte;
ASSERT_EQ(Success, input.Read(readByte));
@ -154,8 +154,8 @@ TEST_F(pkixder_input_tests, PeekPastBounds)
TEST_F(pkixder_input_tests, ReadByte)
{
const uint8_t der[] = { 0x11, 0x22 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
uint8_t readByte1;
ASSERT_EQ(Success, input.Read(readByte1));
@ -169,9 +169,9 @@ TEST_F(pkixder_input_tests, ReadByte)
TEST_F(pkixder_input_tests, ReadBytePastEnd)
{
const uint8_t der[] = { 0x11, 0x22 };
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 1));
Input input(buf);
Reader input(buf);
uint8_t readByte1 = 0;
ASSERT_EQ(Success, input.Read(readByte1));
@ -192,9 +192,9 @@ TEST_F(pkixder_input_tests, ReadByteWrapAroundPointer)
// them.
const uint8_t* der = nullptr;
--der;
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 0));
Input input(buf);
Reader input(buf);
uint8_t b;
ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
@ -203,8 +203,8 @@ TEST_F(pkixder_input_tests, ReadByteWrapAroundPointer)
TEST_F(pkixder_input_tests, ReadWord)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
uint16_t readWord1 = 0;
ASSERT_EQ(Success, input.Read(readWord1));
@ -218,9 +218,9 @@ TEST_F(pkixder_input_tests, ReadWord)
TEST_F(pkixder_input_tests, ReadWordPastEnd)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 2)); // Initialize with too-short length
Input input(buf);
Reader input(buf);
uint16_t readWord1 = 0;
ASSERT_EQ(Success, input.Read(readWord1));
@ -234,9 +234,9 @@ TEST_F(pkixder_input_tests, ReadWordPastEnd)
TEST_F(pkixder_input_tests, ReadWordWithInsufficentData)
{
const uint8_t der[] = { 0x11, 0x22 };
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 1));
Input input(buf);
Reader input(buf);
uint16_t readWord1 = 0;
ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord1));
@ -253,9 +253,9 @@ TEST_F(pkixder_input_tests, ReadWordWrapAroundPointer)
// them.
const uint8_t* der = nullptr;
--der;
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 0));
Input input(buf);
Reader input(buf);
uint16_t b;
ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
}
@ -263,8 +263,8 @@ TEST_F(pkixder_input_tests, ReadWordWrapAroundPointer)
TEST_F(pkixder_input_tests, InputSkip)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
ASSERT_EQ(Success, input.Skip(1));
@ -282,8 +282,8 @@ TEST_F(pkixder_input_tests, InputSkip)
TEST_F(pkixder_input_tests, InputSkipToEnd)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
ASSERT_EQ(Success, input.Skip(sizeof der));
ASSERT_TRUE(input.AtEnd());
}
@ -291,8 +291,8 @@ TEST_F(pkixder_input_tests, InputSkipToEnd)
TEST_F(pkixder_input_tests, InputSkipPastEnd)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1));
}
@ -300,10 +300,10 @@ TEST_F(pkixder_input_tests, InputSkipPastEnd)
TEST_F(pkixder_input_tests, InputSkipToNewInput)
{
const uint8_t der[] = { 0x01, 0x02, 0x03, 0x04 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
Input skippedInput;
Reader skippedInput;
ASSERT_EQ(Success, input.Skip(3, skippedInput));
uint8_t readByte1 = 0;
@ -312,7 +312,7 @@ TEST_F(pkixder_input_tests, InputSkipToNewInput)
ASSERT_TRUE(input.AtEnd());
// Input has no Remaining() or Length() so we simply read the bytes
// Reader has no Remaining() or Length() so we simply read the bytes
// and then expect to be at the end.
for (uint8_t i = 1; i <= 3; ++i) {
@ -327,26 +327,26 @@ TEST_F(pkixder_input_tests, InputSkipToNewInput)
TEST_F(pkixder_input_tests, InputSkipToNewInputPastEnd)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
Input skippedInput;
Reader skippedInput;
ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der * 2, skippedInput));
}
TEST_F(pkixder_input_tests, InputSkipToInputBuffer)
TEST_F(pkixder_input_tests, InputSkipToInput)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
InputBuffer item;
Input item;
ASSERT_EQ(Success, input.Skip(sizeof expectedItemData, item));
InputBuffer expected(expectedItemData);
ASSERT_TRUE(InputBuffersAreEqual(expected, item));
Input expected(expectedItemData);
ASSERT_TRUE(InputsAreEqual(expected, item));
}
TEST_F(pkixder_input_tests, SkipWrapAroundPointer)
@ -359,26 +359,26 @@ TEST_F(pkixder_input_tests, SkipWrapAroundPointer)
// them.
const uint8_t* der = nullptr;
--der;
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 0));
Input input(buf);
Reader input(buf);
ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(1));
}
TEST_F(pkixder_input_tests, SkipToInputBufferPastEnd)
TEST_F(pkixder_input_tests, SkipToInputPastEnd)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
InputBuffer skipped;
Input skipped;
ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1, skipped));
}
TEST_F(pkixder_input_tests, ExpectTagAndSkipValue)
{
InputBuffer buf(DER_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_SEQUENCE_OF_INT8);
Reader input(buf);
ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
ASSERT_EQ(Success, End(input));
@ -386,84 +386,83 @@ TEST_F(pkixder_input_tests, ExpectTagAndSkipValue)
TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithTruncatedData)
{
InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Reader input(buf);
ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndSkipValue(input, SEQUENCE));
}
TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithOverrunData)
{
InputBuffer buf(DER_OVERRUN_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_OVERRUN_SEQUENCE_OF_INT8);
Reader input(buf);
ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
}
TEST_F(pkixder_input_tests, AtEndOnUnInitializedInput)
{
Input input;
Reader input;
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests, AtEndAtBeginning)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
ASSERT_FALSE(input.AtEnd());
}
TEST_F(pkixder_input_tests, AtEndAtEnd)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
ASSERT_EQ(Success, input.Skip(sizeof der));
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests, MarkAndGetInputBuffer)
TEST_F(pkixder_input_tests, MarkAndGetInput)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
Input::Mark mark = input.GetMark();
Reader::Mark mark = input.GetMark();
const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
ASSERT_EQ(Success, input.Skip(sizeof expectedItemData));
InputBuffer item;
ASSERT_EQ(Success, input.GetInputBuffer(mark, item));
InputBuffer expected(expectedItemData);
ASSERT_TRUE(InputBuffersAreEqual(expected, item));
Input item;
ASSERT_EQ(Success, input.GetInput(mark, item));
Input expected(expectedItemData);
ASSERT_TRUE(InputsAreEqual(expected, item));
}
// Cannot run this test on debug builds because of the PR_NOT_REACHED
#ifndef DEBUG
TEST_F(pkixder_input_tests, MarkAndGetInputBufferDifferentInput)
TEST_F(pkixder_input_tests, MarkAndGetInputDifferentInput)
{
const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
Input another;
Input::Mark mark = another.GetMark();
Reader another;
Reader::Mark mark = another.GetMark();
ASSERT_EQ(Success, input.Skip(3));
InputBuffer item;
ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS,
input.GetInputBuffer(mark, item));
Input item;
ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.GetInput(mark, item));
}
#endif
TEST_F(pkixder_input_tests, ExpectTagAndLength)
{
InputBuffer buf(DER_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_SEQUENCE_OF_INT8);
Reader input(buf);
ASSERT_EQ(Success, ExpectTagAndLength(input, SEQUENCE,
sizeof DER_SEQUENCE_OF_INT8 - 2));
@ -471,8 +470,8 @@ TEST_F(pkixder_input_tests, ExpectTagAndLength)
TEST_F(pkixder_input_tests, ExpectTagAndLengthWithWrongLength)
{
InputBuffer buf(DER_INT16);
Input input(buf);
Input buf(DER_INT16);
Reader input(buf);
// Wrong length
ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndLength(input, INTEGER, 4));
@ -480,8 +479,8 @@ TEST_F(pkixder_input_tests, ExpectTagAndLengthWithWrongLength)
TEST_F(pkixder_input_tests, ExpectTagAndLengthWithWrongTag)
{
InputBuffer buf(DER_INT16);
Input input(buf);
Input buf(DER_INT16);
Reader input(buf);
// Wrong type
ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndLength(input, OCTET_STRING, 2));
@ -489,8 +488,8 @@ TEST_F(pkixder_input_tests, ExpectTagAndLengthWithWrongTag)
TEST_F(pkixder_input_tests, ExpectTagAndGetLength)
{
InputBuffer buf(DER_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_SEQUENCE_OF_INT8);
Reader input(buf);
uint16_t length = 0;
ASSERT_EQ(Success,
@ -502,8 +501,8 @@ TEST_F(pkixder_input_tests, ExpectTagAndGetLength)
TEST_F(pkixder_input_tests, ExpectTagAndGetLengthWithWrongTag)
{
InputBuffer buf(DER_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_SEQUENCE_OF_INT8);
Reader input(buf);
uint16_t length = 0;
ASSERT_EQ(Result::ERROR_BAD_DER,
@ -512,39 +511,88 @@ TEST_F(pkixder_input_tests, ExpectTagAndGetLengthWithWrongTag)
TEST_F(pkixder_input_tests, ExpectTagAndGetLengthWithWrongLength)
{
InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Reader input(buf);
uint16_t length = 0;
ASSERT_EQ(Result::ERROR_BAD_DER,
der::internal::ExpectTagAndGetLength(input, SEQUENCE, length));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidEmpty)
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidEmpty)
{
InputBuffer buf(DER_SEQUENCE_EMPTY);
Input input(buf);
Input value;
Input buf(DER_SEQUENCE_EMPTY);
Reader input(buf);
Reader value;
ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
ASSERT_TRUE(value.AtEnd());
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidNotEmpty)
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidNotEmpty)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
Input input(buf);
Input value;
Input buf(DER_SEQUENCE_NOT_EMPTY);
Reader input(buf);
Reader value;
ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
ASSERT_TRUE(value.MatchRest(DER_SEQUENCE_NOT_EMPTY_VALUE));
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests,
ExpectTagAndGetValue_Reader_InvalidNotEmptyValueTruncated)
{
Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
Reader input(buf);
Reader value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, SEQUENCE, value));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongLength)
{
Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Reader input(buf);
Reader value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, SEQUENCE, value));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetLength_Reader_InvalidWrongTag)
{
Input buf(DER_SEQUENCE_NOT_EMPTY);
Reader input(buf);
Reader value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, INTEGER, value));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidEmpty)
{
Input buf(DER_SEQUENCE_EMPTY);
Reader input(buf);
Input value;
ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
ASSERT_EQ(0u, value.GetLength());
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidNotEmpty)
{
Input buf(DER_SEQUENCE_NOT_EMPTY);
Reader input(buf);
Input value;
ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
ASSERT_TRUE(InputsAreEqual(expected, value));
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests,
ExpectTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
Input input(buf);
Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
Reader input(buf);
Input value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, SEQUENCE, value));
@ -552,8 +600,8 @@ TEST_F(pkixder_input_tests,
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongLength)
{
InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Reader input(buf);
Input value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, SEQUENCE, value));
@ -561,135 +609,86 @@ TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongLength)
TEST_F(pkixder_input_tests, ExpectTagAndGetLength_Input_InvalidWrongTag)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
Input input(buf);
Input buf(DER_SEQUENCE_NOT_EMPTY);
Reader input(buf);
Input value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, INTEGER, value));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_InputBuffer_ValidEmpty)
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidEmpty)
{
InputBuffer buf(DER_SEQUENCE_EMPTY);
Input input(buf);
InputBuffer value;
ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
ASSERT_EQ(0u, value.GetLength());
Input buf(DER_SEQUENCE_EMPTY);
Reader input(buf);
Input tlv;
ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
Input expected(DER_SEQUENCE_EMPTY);
ASSERT_TRUE(InputsAreEqual(expected, tlv));
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_InputBuffer_ValidNotEmpty)
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidNotEmpty)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
Input input(buf);
InputBuffer value;
ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
InputBuffer expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
ASSERT_TRUE(InputBuffersAreEqual(expected, value));
Input buf(DER_SEQUENCE_NOT_EMPTY);
Reader input(buf);
Input tlv;
ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
Input expected(DER_SEQUENCE_NOT_EMPTY);
ASSERT_TRUE(InputsAreEqual(expected, tlv));
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests,
ExpectTagAndGetValue_InputBuffer_InvalidNotEmptyValueTruncated)
ExpectTagAndGetTLV_Input_InvalidNotEmptyValueTruncated)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
Input input(buf);
InputBuffer value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, SEQUENCE, value));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetValue_InputBuffer_InvalidWrongLength)
{
InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Input input(buf);
InputBuffer value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, SEQUENCE, value));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetLength_InputBuffer_InvalidWrongTag)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
Input input(buf);
InputBuffer value;
ASSERT_EQ(Result::ERROR_BAD_DER,
ExpectTagAndGetValue(input, INTEGER, value));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_ValidEmpty)
{
InputBuffer buf(DER_SEQUENCE_EMPTY);
Input input(buf);
InputBuffer tlv;
ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
InputBuffer expected(DER_SEQUENCE_EMPTY);
ASSERT_TRUE(InputBuffersAreEqual(expected, tlv));
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_ValidNotEmpty)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
Input input(buf);
InputBuffer tlv;
ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
InputBuffer expected(DER_SEQUENCE_NOT_EMPTY);
ASSERT_TRUE(InputBuffersAreEqual(expected, tlv));
ASSERT_TRUE(input.AtEnd());
}
TEST_F(pkixder_input_tests,
ExpectTagAndGetTLV_InputBuffer_InvalidNotEmptyValueTruncated)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
Input input(buf);
InputBuffer tlv;
Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
Reader input(buf);
Input tlv;
ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_InvalidWrongLength)
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongLength)
{
InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Input input(buf);
InputBuffer tlv;
Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Reader input(buf);
Input tlv;
ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
}
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_InputBuffer_InvalidWrongTag)
TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongTag)
{
InputBuffer buf(DER_SEQUENCE_NOT_EMPTY);
Input input(buf);
InputBuffer tlv;
Input buf(DER_SEQUENCE_NOT_EMPTY);
Reader input(buf);
Input tlv;
ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, INTEGER, tlv));
}
TEST_F(pkixder_input_tests, EndAtEnd)
{
InputBuffer buf(DER_INT16);
Input input(buf);
Input buf(DER_INT16);
Reader input(buf);
ASSERT_EQ(Success, input.Skip(4));
ASSERT_EQ(Success, End(input));
}
TEST_F(pkixder_input_tests, EndBeforeEnd)
{
InputBuffer buf(DER_INT16);
Input input(buf);
Input buf(DER_INT16);
Reader input(buf);
ASSERT_EQ(Success, input.Skip(2));
ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
}
TEST_F(pkixder_input_tests, EndAtBeginning)
{
InputBuffer buf(DER_INT16);
Input input(buf);
Input buf(DER_INT16);
Reader input(buf);
ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
}
// TODO: Need tests for Nested too?
Result NestedOfHelper(Input& input, std::vector<uint8_t>& readValues)
Result NestedOfHelper(Reader& input, std::vector<uint8_t>& readValues)
{
uint8_t value = 0;
Result rv = input.Read(value);
@ -703,8 +702,8 @@ Result NestedOfHelper(Input& input, std::vector<uint8_t>& readValues)
TEST_F(pkixder_input_tests, NestedOf)
{
InputBuffer buf(DER_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_SEQUENCE_OF_INT8);
Reader input(buf);
std::vector<uint8_t> readValues;
ASSERT_EQ(Success,
@ -720,8 +719,8 @@ TEST_F(pkixder_input_tests, NestedOf)
TEST_F(pkixder_input_tests, NestedOfWithTruncatedData)
{
InputBuffer buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Input input(buf);
Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
Reader input(buf);
std::vector<uint8_t> readValues;
ASSERT_EQ(Result::ERROR_BAD_DER,
@ -734,9 +733,9 @@ TEST_F(pkixder_input_tests, NestedOfWithTruncatedData)
TEST_F(pkixder_input_tests, MatchRestAtEnd)
{
static const uint8_t der[1] = { };
InputBuffer buf;
Input buf;
ASSERT_EQ(Success, buf.Init(der, 0));
Input input(buf);
Reader input(buf);
ASSERT_TRUE(input.AtEnd());
static const uint8_t toMatch[] = { 1 };
ASSERT_FALSE(input.MatchRest(toMatch));
@ -745,8 +744,8 @@ TEST_F(pkixder_input_tests, MatchRestAtEnd)
TEST_F(pkixder_input_tests, MatchRest1Match)
{
static const uint8_t der[] = { 1 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
ASSERT_FALSE(input.AtEnd());
ASSERT_TRUE(input.MatchRest(der));
}
@ -754,8 +753,8 @@ TEST_F(pkixder_input_tests, MatchRest1Match)
TEST_F(pkixder_input_tests, MatchRest1Mismatch)
{
static const uint8_t der[] = { 1 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
static const uint8_t toMatch[] = { 2 };
ASSERT_FALSE(input.MatchRest(toMatch));
ASSERT_FALSE(input.AtEnd());
@ -764,8 +763,8 @@ TEST_F(pkixder_input_tests, MatchRest1Mismatch)
TEST_F(pkixder_input_tests, MatchRest2WithTrailingByte)
{
static const uint8_t der[] = { 1, 2, 3 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
static const uint8_t toMatch[] = { 1, 2 };
ASSERT_FALSE(input.MatchRest(toMatch));
}
@ -773,8 +772,8 @@ TEST_F(pkixder_input_tests, MatchRest2WithTrailingByte)
TEST_F(pkixder_input_tests, MatchRest2Mismatch)
{
static const uint8_t der[] = { 1, 2, 3 };
InputBuffer buf(der);
Input input(buf);
Input buf(der);
Reader input(buf);
static const uint8_t toMatchMismatch[] = { 1, 3 };
ASSERT_FALSE(input.MatchRest(toMatchMismatch));
ASSERT_TRUE(input.MatchRest(der));

142
security/pkix/test/gtest/pkixder_pki_types_tests.cpp
View File

@ -44,16 +44,16 @@ TEST_F(pkixder_pki_types_tests, CertificateSerialNumber)
8, // length
0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
};
InputBuffer buf(DER_CERT_SERIAL);
Input input(buf);
Input input(DER_CERT_SERIAL);
Reader reader(input);
InputBuffer item;
ASSERT_EQ(Success, CertificateSerialNumber(input, item));
Input item;
ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
InputBuffer expected;
Input expected;
ASSERT_EQ(Success,
expected.Init(DER_CERT_SERIAL + 2, sizeof DER_CERT_SERIAL - 2));
ASSERT_TRUE(InputBuffersAreEqual(expected, item));
ASSERT_TRUE(InputsAreEqual(expected, item));
}
TEST_F(pkixder_pki_types_tests, CertificateSerialNumberLongest)
@ -63,17 +63,17 @@ TEST_F(pkixder_pki_types_tests, CertificateSerialNumberLongest)
20, // length
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
};
InputBuffer buf(DER_CERT_SERIAL_LONGEST);
Input input(buf);
Input input(DER_CERT_SERIAL_LONGEST);
Reader reader(input);
InputBuffer item;
ASSERT_EQ(Success, CertificateSerialNumber(input, item));
Input item;
ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
InputBuffer expected;
Input expected;
ASSERT_EQ(Success,
expected.Init(DER_CERT_SERIAL_LONGEST + 2,
sizeof DER_CERT_SERIAL_LONGEST - 2));
ASSERT_TRUE(InputBuffersAreEqual(expected, item));
ASSERT_TRUE(InputsAreEqual(expected, item));
}
TEST_F(pkixder_pki_types_tests, CertificateSerialNumberCrazyLong)
@ -84,11 +84,11 @@ TEST_F(pkixder_pki_types_tests, CertificateSerialNumberCrazyLong)
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
};
InputBuffer buf(DER_CERT_SERIAL_CRAZY_LONG);
Input input(buf);
Input input(DER_CERT_SERIAL_CRAZY_LONG);
Reader reader(input);
InputBuffer item;
ASSERT_EQ(Success, CertificateSerialNumber(input, item));
Input item;
ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
}
TEST_F(pkixder_pki_types_tests, CertificateSerialNumberZeroLength)
@ -97,11 +97,11 @@ TEST_F(pkixder_pki_types_tests, CertificateSerialNumberZeroLength)
0x02, // INTEGER
0x00 // length
};
InputBuffer buf(DER_CERT_SERIAL_ZERO_LENGTH);
Input input(buf);
Input input(DER_CERT_SERIAL_ZERO_LENGTH);
Reader reader(input);
InputBuffer item;
ASSERT_EQ(Result::ERROR_BAD_DER, CertificateSerialNumber(input, item));
Input item;
ASSERT_EQ(Result::ERROR_BAD_DER, CertificateSerialNumber(reader, item));
}
TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingAllowed)
@ -110,15 +110,15 @@ TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingAllowed)
0xa0, 0x03, // context specific 0
0x02, 0x01, 0x00 // INTEGER(0)
};
InputBuffer buf(DER_OPTIONAL_VERSION_V1);
Input input(buf);
Input input(DER_OPTIONAL_VERSION_V1);
Reader reader(input);
// XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
// do here for compatibility reasons.
// Version version;
// ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(input, version));
// ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
der::Version version = der::Version::v3;
ASSERT_EQ(Success, OptionalVersion(input, version));
ASSERT_EQ(Success, OptionalVersion(reader, version));
ASSERT_EQ(der::Version::v1, version);
}
@ -128,11 +128,11 @@ TEST_F(pkixder_pki_types_tests, OptionalVersionV2)
0xa0, 0x03, // context specific 0
0x02, 0x01, 0x01 // INTEGER(1)
};
InputBuffer buf(DER_OPTIONAL_VERSION_V2);
Input input(buf);
Input input(DER_OPTIONAL_VERSION_V2);
Reader reader(input);
der::Version version = der::Version::v1;
ASSERT_EQ(Success, OptionalVersion(input, version));
ASSERT_EQ(Success, OptionalVersion(reader, version));
ASSERT_EQ(der::Version::v2, version);
}
@ -142,11 +142,11 @@ TEST_F(pkixder_pki_types_tests, OptionalVersionV3)
0xa0, 0x03, // context specific 0
0x02, 0x01, 0x02 // INTEGER(2)
};
InputBuffer buf(DER_OPTIONAL_VERSION_V3);
Input input(buf);
Input input(DER_OPTIONAL_VERSION_V3);
Reader reader(input);
der::Version version = der::Version::v1;
ASSERT_EQ(Success, OptionalVersion(input, version));
ASSERT_EQ(Success, OptionalVersion(reader, version));
ASSERT_EQ(der::Version::v3, version);
}
@ -156,11 +156,11 @@ TEST_F(pkixder_pki_types_tests, OptionalVersionUnknown)
0xa0, 0x03, // context specific 0
0x02, 0x01, 0x42 // INTEGER(0x42)
};
InputBuffer buf(DER_OPTIONAL_VERSION_INVALID);
Input input(buf);
Input input(DER_OPTIONAL_VERSION_INVALID);
Reader reader(input);
der::Version version = der::Version::v1;
ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(input, version));
ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
}
TEST_F(pkixder_pki_types_tests, OptionalVersionInvalidTooLong)
@ -169,11 +169,11 @@ TEST_F(pkixder_pki_types_tests, OptionalVersionInvalidTooLong)
0xa0, 0x03, // context specific 0
0x02, 0x02, 0x12, 0x34 // INTEGER(0x1234)
};
InputBuffer buf(DER_OPTIONAL_VERSION_INVALID_TOO_LONG);
Input input(buf);
Input input(DER_OPTIONAL_VERSION_INVALID_TOO_LONG);
Reader reader(input);
der::Version version;
ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(input, version));
ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
}
TEST_F(pkixder_pki_types_tests, OptionalVersionMissing)
@ -181,11 +181,11 @@ TEST_F(pkixder_pki_types_tests, OptionalVersionMissing)
const uint8_t DER_OPTIONAL_VERSION_MISSING[] = {
0x02, 0x11, 0x22 // INTEGER
};
InputBuffer buf(DER_OPTIONAL_VERSION_MISSING);
Input input(buf);
Input input(DER_OPTIONAL_VERSION_MISSING);
Reader reader(input);
der::Version version = der::Version::v3;
ASSERT_EQ(Success, OptionalVersion(input, version));
ASSERT_EQ(Success, OptionalVersion(reader, version));
ASSERT_EQ(der::Version::v1, version);
}
@ -235,13 +235,13 @@ TEST_P(pkixder_DigestAlgorithmIdentifier, Valid)
const AlgorithmIdentifierTestInfo<DigestAlgorithm>& param(GetParam());
{
InputBuffer buf;
ASSERT_EQ(Success, buf.Init(param.der, param.derLength));
Input input(buf);
Input input;
ASSERT_EQ(Success, input.Init(param.der, param.derLength));
Reader reader(input);
DigestAlgorithm alg;
ASSERT_EQ(Success, DigestAlgorithmIdentifier(input, alg));
ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
ASSERT_EQ(param.algorithm, alg);
ASSERT_EQ(Success, End(input));
ASSERT_EQ(Success, End(reader));
}
{
@ -251,13 +251,13 @@ TEST_P(pkixder_DigestAlgorithmIdentifier, Valid)
derWithNullParam[param.derLength] = 0x05; // NULL tag
derWithNullParam[param.derLength + 1] = 0x00; // length zero
InputBuffer buf;
ASSERT_EQ(Success, buf.Init(derWithNullParam, param.derLength + 2));
Input input(buf);
Input input;
ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
Reader reader(input);
DigestAlgorithm alg;
ASSERT_EQ(Success, DigestAlgorithmIdentifier(input, alg));
ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
ASSERT_EQ(param.algorithm, alg);
ASSERT_EQ(Success, End(input));
ASSERT_EQ(Success, End(reader));
}
}
@ -273,12 +273,12 @@ TEST_F(pkixder_DigestAlgorithmIdentifier, Invalid_MD5)
0x30, 0x0a, 0x06, 0x08,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
DigestAlgorithm alg;
ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
DigestAlgorithmIdentifier(input, alg));
DigestAlgorithmIdentifier(reader, alg));
}
TEST_F(pkixder_DigestAlgorithmIdentifier, Invalid_Digest_ECDSA_WITH_SHA256)
@ -289,12 +289,12 @@ TEST_F(pkixder_DigestAlgorithmIdentifier, Invalid_Digest_ECDSA_WITH_SHA256)
0x30, 0x0a, 0x06, 0x08,
0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, //
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
DigestAlgorithm alg;
ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
DigestAlgorithmIdentifier(input, alg));
DigestAlgorithmIdentifier(reader, alg));
}
static const AlgorithmIdentifierTestInfo<SignatureAlgorithm>
@ -368,13 +368,13 @@ TEST_P(pkixder_SignatureAlgorithmIdentifier, Valid)
const AlgorithmIdentifierTestInfo<SignatureAlgorithm>& param(GetParam());
{
InputBuffer buf;
ASSERT_EQ(Success, buf.Init(param.der, param.derLength));
Input input(buf);
Input input;
ASSERT_EQ(Success, input.Init(param.der, param.derLength));
Reader reader(input);
SignatureAlgorithm alg;
ASSERT_EQ(Success, SignatureAlgorithmIdentifier(input, alg));
ASSERT_EQ(Success, SignatureAlgorithmIdentifier(reader, alg));
ASSERT_EQ(param.algorithm, alg);
ASSERT_EQ(Success, End(input));
ASSERT_EQ(Success, End(reader));
}
{
@ -384,13 +384,13 @@ TEST_P(pkixder_SignatureAlgorithmIdentifier, Valid)
derWithNullParam[param.derLength] = 0x05; // NULL tag
derWithNullParam[param.derLength + 1] = 0x00; // length zero
InputBuffer buf;
ASSERT_EQ(Success, buf.Init(derWithNullParam, param.derLength + 2));
Input input(buf);
Input input;
ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
Reader reader(input);
SignatureAlgorithm alg;
ASSERT_EQ(Success, SignatureAlgorithmIdentifier(input, alg));
ASSERT_EQ(Success, SignatureAlgorithmIdentifier(reader, alg));
ASSERT_EQ(param.algorithm, alg);
ASSERT_EQ(Success, End(input));
ASSERT_EQ(Success, End(reader));
}
}
@ -406,12 +406,12 @@ TEST_F(pkixder_SignatureAlgorithmIdentifier, Invalid_RSA_With_MD5)
0x30, 0x0b, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
SignatureAlgorithm alg;
ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
SignatureAlgorithmIdentifier(input, alg));
SignatureAlgorithmIdentifier(reader, alg));
}
TEST_F(pkixder_SignatureAlgorithmIdentifier, Invalid_SignatureAlgorithm_SHA256)
@ -422,12 +422,12 @@ TEST_F(pkixder_SignatureAlgorithmIdentifier, Invalid_SignatureAlgorithm_SHA256)
0x30, 0x0b, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
SignatureAlgorithm alg;
ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
SignatureAlgorithmIdentifier(input, alg));
SignatureAlgorithmIdentifier(reader, alg));
}
} // unnamed namespace

391
security/pkix/test/gtest/pkixder_universal_types_tests.cpp
View File

@ -47,10 +47,10 @@ TEST_F(pkixder_universal_types_tests, BooleanTrue01)
0x01, // length
0x01 // invalid
};
InputBuffer buf(DER_BOOLEAN_TRUE_01);
Input input(buf);
Input input(DER_BOOLEAN_TRUE_01);
Reader reader(input);
bool value = false;
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
}
TEST_F(pkixder_universal_types_tests, BooleanTrue42)
@ -60,10 +60,10 @@ TEST_F(pkixder_universal_types_tests, BooleanTrue42)
0x01, // length
0x42 // invalid
};
InputBuffer buf(DER_BOOLEAN_TRUE_42);
Input input(buf);
Input input(DER_BOOLEAN_TRUE_42);
Reader reader(input);
bool value = false;
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
}
static const uint8_t DER_BOOLEAN_TRUE[] = {
@ -74,10 +74,10 @@ static const uint8_t DER_BOOLEAN_TRUE[] = {
TEST_F(pkixder_universal_types_tests, BooleanTrueFF)
{
InputBuffer buf(DER_BOOLEAN_TRUE);
Input input(buf);
Input input(DER_BOOLEAN_TRUE);
Reader reader(input);
bool value = false;
ASSERT_EQ(Success, Boolean(input, value));
ASSERT_EQ(Success, Boolean(reader, value));
ASSERT_TRUE(value);
}
@ -88,11 +88,11 @@ TEST_F(pkixder_universal_types_tests, BooleanFalse)
0x01, // length
0x00 // false
};
InputBuffer buf(DER_BOOLEAN_FALSE);
Input input(buf);
Input input(DER_BOOLEAN_FALSE);
Reader reader(input);
bool value = true;
ASSERT_EQ(Success, Boolean(input, value));
ASSERT_EQ(Success, Boolean(reader, value));
ASSERT_FALSE(value);
}
@ -103,11 +103,11 @@ TEST_F(pkixder_universal_types_tests, BooleanInvalidLength)
0x02, // length
0x42, 0x42 // invalid
};
InputBuffer buf(DER_BOOLEAN_INVALID_LENGTH);
Input input(buf);
Input input(DER_BOOLEAN_INVALID_LENGTH);
Reader reader(input);
bool value = true;
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
}
TEST_F(pkixder_universal_types_tests, BooleanInvalidZeroLength)
@ -116,11 +116,11 @@ TEST_F(pkixder_universal_types_tests, BooleanInvalidZeroLength)
0x01, // BOOLEAN
0x00 // length
};
InputBuffer buf(DER_BOOLEAN_INVALID_ZERO_LENGTH);
Input input(buf);
Input input(DER_BOOLEAN_INVALID_ZERO_LENGTH);
Reader reader(input);
bool value = true;
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
}
// OptionalBoolean implements decoding of OPTIONAL BOOLEAN DEFAULT FALSE.
@ -131,41 +131,47 @@ TEST_F(pkixder_universal_types_tests, BooleanInvalidZeroLength)
// valid DER encoding).
TEST_F(pkixder_universal_types_tests, OptionalBooleanValidEncodings)
{
const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_TRUE[] = {
0x01, // BOOLEAN
0x01, // length
0xff // true
};
InputBuffer buf1(DER_OPTIONAL_BOOLEAN_PRESENT_TRUE);
Input input1(buf1);
bool value = false;
ASSERT_EQ(Success, OptionalBoolean(input1, false, value)) <<
"Should accept the only valid encoding of a present OPTIONAL BOOLEAN";
ASSERT_TRUE(value);
ASSERT_TRUE(input1.AtEnd());
{
const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_TRUE[] = {
0x01, // BOOLEAN
0x01, // length
0xff // true
};
Input input(DER_OPTIONAL_BOOLEAN_PRESENT_TRUE);
Reader reader(input);
bool value = false;
ASSERT_EQ(Success, OptionalBoolean(reader, false, value)) <<
"Should accept the only valid encoding of a present OPTIONAL BOOLEAN";
ASSERT_TRUE(value);
ASSERT_TRUE(reader.AtEnd());
}
// The OPTIONAL BOOLEAN is omitted in this data.
const uint8_t DER_INTEGER_05[] = {
0x02, // INTEGER
0x01, // length
0x05
};
InputBuffer buf2(DER_INTEGER_05);
Input input2(buf2);
value = true;
ASSERT_EQ(Success, OptionalBoolean(input2, false, value)) <<
"Should accept a valid encoding of an omitted OPTIONAL BOOLEAN";
ASSERT_FALSE(value);
ASSERT_FALSE(input2.AtEnd());
{
// The OPTIONAL BOOLEAN is omitted in this data.
const uint8_t DER_INTEGER_05[] = {
0x02, // INTEGER
0x01, // length
0x05
};
Input input(DER_INTEGER_05);
Reader reader(input);
bool value = true;
ASSERT_EQ(Success, OptionalBoolean(reader, false, value)) <<
"Should accept a valid encoding of an omitted OPTIONAL BOOLEAN";
ASSERT_FALSE(value);
ASSERT_FALSE(reader.AtEnd());
}
InputBuffer buf3;
ASSERT_EQ(Success, buf3.Init(reinterpret_cast<const uint8_t*>(""), 0));
Input input3(buf3);
value = true;
ASSERT_EQ(Success, OptionalBoolean(input3, false, value)) <<
"Should accept another valid encoding of an omitted OPTIONAL BOOLEAN";
ASSERT_FALSE(value);
ASSERT_TRUE(input3.AtEnd());
{
Input input;
ASSERT_EQ(Success, input.Init(reinterpret_cast<const uint8_t*>(""), 0));
Reader reader(input);
bool value = true;
ASSERT_EQ(Success, OptionalBoolean(reader, false, value)) <<
"Should accept another valid encoding of an omitted OPTIONAL BOOLEAN";
ASSERT_FALSE(value);
ASSERT_TRUE(reader.AtEnd());
}
}
TEST_F(pkixder_universal_types_tests, OptionalBooleanInvalidEncodings)
@ -176,39 +182,48 @@ TEST_F(pkixder_universal_types_tests, OptionalBooleanInvalidEncodings)
0x00 // false
};
InputBuffer buf1(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
Input input1(buf1);
bool value;
// If the second parameter to OptionalBoolean is false, invalid encodings
// that include the field even when it is the DEFAULT FALSE are rejected.
bool allowInvalidEncodings = false;
ASSERT_EQ(Result::ERROR_BAD_DER,
OptionalBoolean(input1, allowInvalidEncodings, value)) <<
"Should reject an invalid encoding of present OPTIONAL BOOLEAN";
{
Input input(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
Reader reader(input);
bool value;
// If the second parameter to OptionalBoolean is false, invalid encodings
// that include the field even when it is the DEFAULT FALSE are rejected.
bool allowInvalidEncodings = false;
ASSERT_EQ(Result::ERROR_BAD_DER,
OptionalBoolean(reader, allowInvalidEncodings, value)) <<
"Should reject an invalid encoding of present OPTIONAL BOOLEAN";
}
InputBuffer buf2(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
Input input2(buf2);
value = true;
// If the second parameter to OptionalBoolean is true, invalid encodings
// that include the field even when it is the DEFAULT FALSE are accepted.
allowInvalidEncodings = true;
ASSERT_EQ(Success, OptionalBoolean(input2, allowInvalidEncodings, value)) <<
"Should now accept an invalid encoding of present OPTIONAL BOOLEAN";
ASSERT_FALSE(value);
ASSERT_TRUE(input2.AtEnd());
{
Input input(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
Reader reader(input);
bool value = true;
// If the second parameter to OptionalBoolean is true, invalid encodings
// that include the field even when it is the DEFAULT FALSE are accepted.
bool allowInvalidEncodings = true;
ASSERT_EQ(Success, OptionalBoolean(reader, allowInvalidEncodings, value)) <<
"Should now accept an invalid encoding of present OPTIONAL BOOLEAN";
ASSERT_FALSE(value);
ASSERT_TRUE(reader.AtEnd());
}
const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_42[] = {
0x01, // BOOLEAN
0x01, // length
0x42 // (invalid value for a BOOLEAN)
};
InputBuffer buf3(DER_OPTIONAL_BOOLEAN_PRESENT_42);
Input input3(buf3);
// Even with the second parameter to OptionalBoolean as true, encodings
// of BOOLEAN that are invalid altogether are rejected.
ASSERT_EQ(Result::ERROR_BAD_DER,
OptionalBoolean(input3, allowInvalidEncodings, value)) <<
"Should reject another invalid encoding of present OPTIONAL BOOLEAN";
{
Input input(DER_OPTIONAL_BOOLEAN_PRESENT_42);
Reader reader(input);
// Even with the second parameter to OptionalBoolean as true, encodings
// of BOOLEAN that are invalid altogether are rejected.
bool allowInvalidEncodings = true;
bool value;
ASSERT_EQ(Result::ERROR_BAD_DER,
OptionalBoolean(reader, allowInvalidEncodings, value)) <<
"Should reject another invalid encoding of present OPTIONAL BOOLEAN";
}
}
TEST_F(pkixder_universal_types_tests, Enumerated)
@ -218,11 +233,11 @@ TEST_F(pkixder_universal_types_tests, Enumerated)
0x01, // length
0x42 // value
};
InputBuffer buf(DER_ENUMERATED);
Input input(buf);
Input input(DER_ENUMERATED);
Reader reader(input);
uint8_t value = 0;
ASSERT_EQ(Success, Enumerated(input, value));
ASSERT_EQ(Success, Enumerated(reader, value));
ASSERT_EQ(0x42, value);
}
@ -233,11 +248,11 @@ TEST_F(pkixder_universal_types_tests, EnumeratedNotShortestPossibleDER)
0x02, // length
0x00, 0x01 // value
};
InputBuffer buf(DER_ENUMERATED);
Input input(buf);
Input input(DER_ENUMERATED);
Reader reader(input);
uint8_t value = 0;
ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(reader, value));
}
TEST_F(pkixder_universal_types_tests, EnumeratedOutOfAcceptedRange)
@ -251,11 +266,11 @@ TEST_F(pkixder_universal_types_tests, EnumeratedOutOfAcceptedRange)
0x02, // length
0x12, 0x34 // value
};
InputBuffer buf(DER_ENUMERATED_INVALID_LENGTH);
Input input(buf);
Input input(DER_ENUMERATED_INVALID_LENGTH);
Reader reader(input);
uint8_t value = 0;
ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(reader, value));
}
TEST_F(pkixder_universal_types_tests, EnumeratedInvalidZeroLength)
@ -264,11 +279,11 @@ TEST_F(pkixder_universal_types_tests, EnumeratedInvalidZeroLength)
0x0a, // ENUMERATED
0x00 // length
};
InputBuffer buf(DER_ENUMERATED_INVALID_ZERO_LENGTH);
Input input(buf);
Input input(DER_ENUMERATED_INVALID_ZERO_LENGTH);
Reader reader(input);
uint8_t value = 0;
ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Enumerated(reader, value));
}
////////////////////////////////////////
@ -312,9 +327,9 @@ TimeChoiceForEquivalentUTCTime(const uint8_t (&generalizedTimeDER)[LENGTH],
utcTimeDER[i] = generalizedTimeDER[i + 2];
}
InputBuffer buf(utcTimeDER);
Input input(buf);
return TimeChoice(input, value);
Input input(utcTimeDER);
Reader reader(input);
return TimeChoice(reader, value);
}
template <uint16_t LENGTH>
@ -324,19 +339,19 @@ ExpectGoodTime(PRTime expectedValue,
{
// GeneralizedTime
{
InputBuffer buf(generalizedTimeDER);
Input input(buf);
Input input(generalizedTimeDER);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Success, GeneralizedTime(input, value));
ASSERT_EQ(Success, GeneralizedTime(reader, value));
EXPECT_EQ(expectedValue, value);
}
// TimeChoice: GeneralizedTime
{
InputBuffer buf(generalizedTimeDER);
Input input(buf);
Input input(generalizedTimeDER);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Success, TimeChoice(input, value));
ASSERT_EQ(Success, TimeChoice(reader, value));
EXPECT_EQ(expectedValue, value);
}
@ -355,18 +370,18 @@ ExpectBadTime(const uint8_t (&generalizedTimeDER)[LENGTH])
{
// GeneralizedTime
{
InputBuffer buf(generalizedTimeDER);
Input input(buf);
Input input(generalizedTimeDER);
Reader reader(input);
PRTime value;
ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(input, value));
ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(reader, value));
}
// TimeChoice: GeneralizedTime
{
InputBuffer buf(generalizedTimeDER);
Input input(buf);
Input input(generalizedTimeDER);
Reader reader(input);
PRTime value;
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(input, value));
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(reader, value));
}
// TimeChoice: UTCTime
@ -409,13 +424,13 @@ TEST_F(pkixder_universal_types_tests, TimeInvalidZeroLength)
PRTime value;
// GeneralizedTime
InputBuffer gtBuf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
Input gt(gtBuf);
Input gtBuf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
Reader gt(gtBuf);
ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(gt, value));
// TimeChoice: GeneralizedTime
InputBuffer tc_gt_buf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
Input tc_gt(tc_gt_buf);
Input tc_gt_buf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
Reader tc_gt(tc_gt_buf);
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(tc_gt, value));
// TimeChoice: UTCTime
@ -423,8 +438,8 @@ TEST_F(pkixder_universal_types_tests, TimeInvalidZeroLength)
0x17, // UTCTime
0x00 // Length = 0
};
InputBuffer tc_utc_buf(DER_UTCTIME_INVALID_ZERO_LENGTH);
Input tc_utc(tc_utc_buf);
Input tc_utc_buf(DER_UTCTIME_INVALID_ZERO_LENGTH);
Reader tc_utc(tc_utc_buf);
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(tc_utc, value));
}
@ -505,19 +520,19 @@ TEST_F(pkixder_universal_types_tests, GeneralizedTimeYearValidRange)
// GeneralizedTime
{
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Success, GeneralizedTime(input, value));
ASSERT_EQ(Success, GeneralizedTime(reader, value));
EXPECT_EQ(expectedValue, value);
}
// TimeChoice: GeneralizedTime
{
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Success, TimeChoice(input, value));
ASSERT_EQ(Success, TimeChoice(reader, value));
EXPECT_EQ(expectedValue, value);
}
@ -660,19 +675,19 @@ TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2400)
// GeneralizedTime
{
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Success, GeneralizedTime(input, value));
ASSERT_EQ(Success, GeneralizedTime(reader, value));
EXPECT_EQ(expectedValue, value);
}
// TimeChoice: GeneralizedTime
{
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Success, TimeChoice(input, value));
ASSERT_EQ(Success, TimeChoice(reader, value));
EXPECT_EQ(expectedValue, value);
}
}
@ -701,18 +716,18 @@ TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2100)
// GeneralizedTime
{
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
PRTime value;
ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(input, value));
ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(reader, value));
}
// TimeChoice: GeneralizedTime
{
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
PRTime value;
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(input, value));
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(reader, value));
}
}
@ -839,18 +854,18 @@ TEST_F(pkixder_universal_types_tests, TimeInvalidCenturyChar)
// GeneralizedTime
{
InputBuffer buf(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
Input input(buf);
Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(input, value));
ASSERT_EQ(Result::ERROR_INVALID_TIME, GeneralizedTime(reader, value));
}
// TimeChoice: GeneralizedTime
{
InputBuffer buf(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
Input input(buf);
Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
Reader reader(input);
PRTime value = 0;
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(input, value));
ASSERT_EQ(Result::ERROR_INVALID_TIME, TimeChoice(reader, value));
}
// This test is not applicable to TimeChoice: UTCTime
@ -908,11 +923,11 @@ TEST_F(pkixder_universal_types_tests, Integer_0_127)
0x01, // length
i, // value
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
uint8_t value = i + 1; // initialize with a value that is NOT i.
ASSERT_EQ(Success, Integer(input, value));
ASSERT_EQ(Success, Integer(reader, value));
ASSERT_EQ(i, value);
}
}
@ -927,11 +942,11 @@ TEST_F(pkixder_universal_types_tests, Integer_Negative1)
0x01, // length
0xff, // -1 (two's complement)
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, Integer_Negative128)
@ -944,11 +959,11 @@ TEST_F(pkixder_universal_types_tests, Integer_Negative128)
0x01, // length
0x80, // -128 (two's complement)
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, Integer_128)
@ -961,11 +976,11 @@ TEST_F(pkixder_universal_types_tests, Integer_128)
0x02, // length
0x00, 0x80 // 128
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, Integer11223344)
@ -978,11 +993,11 @@ TEST_F(pkixder_universal_types_tests, Integer11223344)
0x04, // length
0x11, 0x22, 0x33, 0x44 // 0x11223344
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, IntegerTruncatedOneByte)
@ -992,11 +1007,11 @@ TEST_F(pkixder_universal_types_tests, IntegerTruncatedOneByte)
0x01, // length
// MISSING DATA HERE
};
InputBuffer buf(DER_INTEGER_TRUNCATED);
Input input(buf);
Input input(DER_INTEGER_TRUNCATED);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, IntegerTruncatedLarge)
@ -1007,11 +1022,11 @@ TEST_F(pkixder_universal_types_tests, IntegerTruncatedLarge)
0x11, 0x22 // 0x1122
// MISSING DATA HERE
};
InputBuffer buf(DER_INTEGER_TRUNCATED);
Input input(buf);
Input input(DER_INTEGER_TRUNCATED);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, IntegerZeroLength)
@ -1020,11 +1035,11 @@ TEST_F(pkixder_universal_types_tests, IntegerZeroLength)
0x02, // INTEGER
0x00 // length
};
InputBuffer buf(DER_INTEGER_ZERO_LENGTH);
Input input(buf);
Input input(DER_INTEGER_ZERO_LENGTH);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, IntegerOverlyLong1)
@ -1034,11 +1049,11 @@ TEST_F(pkixder_universal_types_tests, IntegerOverlyLong1)
0x02, // length
0x00, 0x01 //
};
InputBuffer buf(DER_INTEGER_OVERLY_LONG1);
Input input(buf);
Input input(DER_INTEGER_OVERLY_LONG1);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, IntegerOverlyLong2)
@ -1048,47 +1063,47 @@ TEST_F(pkixder_universal_types_tests, IntegerOverlyLong2)
0x02, // length
0xff, 0x80 //
};
InputBuffer buf(DER_INTEGER_OVERLY_LONG2);
Input input(buf);
Input input(DER_INTEGER_OVERLY_LONG2);
Reader reader(input);
uint8_t value;
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(input, value));
ASSERT_EQ(Result::ERROR_BAD_DER, Integer(reader, value));
}
TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefault)
{
// The input is a BOOLEAN and not INTEGER for the input so we'll not parse
// anything and instead use the default value.
InputBuffer buf(DER_BOOLEAN_TRUE);
Input input(buf);
Input input(DER_BOOLEAN_TRUE);
Reader reader(input);
long value = 1;
ASSERT_EQ(Success, OptionalInteger(input, -1, value));
ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
ASSERT_EQ(-1, value);
bool boolValue;
ASSERT_EQ(Success, Boolean(input, boolValue));
ASSERT_EQ(Success, Boolean(reader, boolValue));
}
TEST_F(pkixder_universal_types_tests, OptionalIntegerUnsupportedDefault)
{
// The same as the previous test, except with an unsupported default value
// passed in.
InputBuffer buf(DER_BOOLEAN_TRUE);
Input input(buf);
Input input(DER_BOOLEAN_TRUE);
Reader reader(input);
long value;
ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, OptionalInteger(input, 0, value));
ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, OptionalInteger(reader, 0, value));
}
TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefaultAtEnd)
{
static const uint8_t dummy = 1;
InputBuffer buf;
ASSERT_EQ(Success, buf.Init(&dummy, 0));
Input input(buf);
Input input;
ASSERT_EQ(Success, input.Init(&dummy, 0));
Reader reader(input);
long value = 1;
ASSERT_EQ(Success, OptionalInteger(input, -1, value));
ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
ASSERT_EQ(-1, value);
}
@ -1099,13 +1114,13 @@ TEST_F(pkixder_universal_types_tests, OptionalIntegerNonDefaultValue)
0x01, // length
0x00
};
InputBuffer buf(DER);
Input input(buf);
Input input(DER);
Reader reader(input);
long value = 2;
ASSERT_EQ(Success, OptionalInteger(input, -1, value));
ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
ASSERT_EQ(0, value);
ASSERT_TRUE(input.AtEnd());
ASSERT_TRUE(reader.AtEnd());
}
TEST_F(pkixder_universal_types_tests, Null)
@ -1114,10 +1129,10 @@ TEST_F(pkixder_universal_types_tests, Null)
0x05,
0x00
};
InputBuffer buf(DER_NUL);
Input input(buf);
Input input(DER_NUL);
Reader reader(input);
ASSERT_EQ(Success, Null(input));
ASSERT_EQ(Success, Null(reader));
}
TEST_F(pkixder_universal_types_tests, NullWithBadLength)
@ -1127,10 +1142,10 @@ TEST_F(pkixder_universal_types_tests, NullWithBadLength)
0x01,
0x00
};
InputBuffer buf(DER_NULL_BAD_LENGTH);
Input input(buf);
Input input(DER_NULL_BAD_LENGTH);
Reader reader(input);
ASSERT_EQ(Result::ERROR_BAD_DER, Null(input));
ASSERT_EQ(Result::ERROR_BAD_DER, Null(reader));
}
TEST_F(pkixder_universal_types_tests, OID)
@ -1140,14 +1155,14 @@ TEST_F(pkixder_universal_types_tests, OID)
0x09,
0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
};
InputBuffer buf(DER_VALID_OID);
Input input(buf);
Input input(DER_VALID_OID);
Reader reader(input);
const uint8_t expectedOID[] = {
0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
};
ASSERT_EQ(Success, OID(input, expectedOID));
ASSERT_EQ(Success, OID(reader, expectedOID));
}
} // unnamed namespace

28
security/pkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
View File

@ -36,20 +36,20 @@ class CreateEncodedOCSPRequestTrustDomain : public TrustDomain
{
private:
virtual Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
InputBuffer, /*out*/ TrustLevel&)
Input, /*out*/ TrustLevel&)
{
ADD_FAILURE();
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
virtual Result FindIssuer(InputBuffer, IssuerChecker&, PRTime)
virtual Result FindIssuer(Input, IssuerChecker&, PRTime)
{
ADD_FAILURE();
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
virtual Result CheckRevocation(EndEntityOrCA, const CertID&, PRTime,
const InputBuffer*, const InputBuffer*)
const Input*, const Input*)
{
ADD_FAILURE();
return Result::FATAL_ERROR_LIBRARY_FAILURE;
@ -62,19 +62,19 @@ private:
}
virtual Result VerifySignedData(const SignedDataWithSignature&,
InputBuffer)
Input)
{
ADD_FAILURE();
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
virtual Result DigestBuf(Input item, /*out*/ uint8_t *digestBuf,
size_t digestBufLen)
{
return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
}
virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
}
@ -115,8 +115,8 @@ protected:
// The resultant issuerDER and issuerSPKI are owned by the arena.
SECStatus MakeIssuerCertIDComponents(const char* issuerASCII,
/*out*/ InputBuffer& issuerDER,
/*out*/ InputBuffer& issuerSPKI)
/*out*/ Input& issuerDER,
/*out*/ Input& issuerSPKI)
{
const SECItem* issuerDERSECItem = ASCIIToDERName(arena.get(), issuerASCII);
if (!issuerDERSECItem) {
@ -156,11 +156,11 @@ protected:
// CreateEncodedOCSPRequest to fail.
TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest)
{
InputBuffer issuerDER;
InputBuffer issuerSPKI;
Input issuerDER;
Input issuerSPKI;
ASSERT_EQ(SECSuccess,
MakeIssuerCertIDComponents("CN=CA", issuerDER, issuerSPKI));
InputBuffer serialNumber;
Input serialNumber;
ASSERT_EQ(Success, serialNumber.Init(unsupportedLongSerialNumber->data,
unsupportedLongSerialNumber->len));
uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
@ -176,11 +176,11 @@ TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest)
// it's required to support (i.e. 20 octets).
TEST_F(pkixocsp_CreateEncodedOCSPRequest, LongestSupportedSerialNumberTest)
{
InputBuffer issuerDER;
InputBuffer issuerSPKI;
Input issuerDER;
Input issuerSPKI;
ASSERT_EQ(SECSuccess,
MakeIssuerCertIDComponents("CN=CA", issuerDER, issuerSPKI));
InputBuffer serialNumber;
Input serialNumber;
ASSERT_EQ(Success, serialNumber.Init(longestRequiredSerialNumber->data,
longestRequiredSerialNumber->len));
uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];

102
security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
View File

@ -44,22 +44,22 @@ public:
}
Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
InputBuffer, /*out*/ TrustLevel& trustLevel)
Input, /*out*/ TrustLevel& trustLevel)
{
EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
trustLevel = TrustLevel::InheritsTrust;
return Success;
}
Result FindIssuer(InputBuffer, IssuerChecker&, PRTime)
Result FindIssuer(Input, IssuerChecker&, PRTime)
{
ADD_FAILURE();
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&,
PRTime time, /*optional*/ const InputBuffer*,
/*optional*/ const InputBuffer*)
PRTime time, /*optional*/ const Input*,
/*optional*/ const Input*)
{
// TODO: I guess mozilla::pkix should support revocation of designated
// OCSP responder eventually, but we don't now, so this function should
@ -75,19 +75,19 @@ public:
}
virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
InputBuffer subjectPublicKeyInfo)
Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
nullptr);
}
virtual Result DigestBuf(InputBuffer item, /*out*/ uint8_t* digestBuf,
virtual Result DigestBuf(Input item, /*out*/ uint8_t *digestBuf,
size_t digestBufLen)
{
return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
}
virtual Result CheckPublicKey(InputBuffer subjectPublicKeyInfo)
virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
{
return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
}
@ -131,23 +131,23 @@ public:
{
NSSTest::SetUp();
InputBuffer rootNameDER;
Input rootNameDER;
// The result of ASCIIToDERName is owned by the arena
if (InitInputBufferFromSECItem(ASCIIToDERName(arena.get(), rootName),
rootNameDER) != Success) {
if (InitInputFromSECItem(ASCIIToDERName(arena.get(), rootName),
rootNameDER) != Success) {
PR_Abort();
}
InputBuffer serialNumberDER;
Input serialNumberDER;
// The result of CreateEncodedSerialNumber is owned by the arena
if (InitInputBufferFromSECItem(
if (InitInputFromSECItem(
CreateEncodedSerialNumber(arena.get(), ++rootIssuedCount),
serialNumberDER) != Success) {
PR_Abort();
}
InputBuffer rootSPKIDER;
if (InitInputBufferFromSECItem(rootSPKI.get(), rootSPKIDER) != Success) {
Input rootSPKIDER;
if (InitInputFromSECItem(rootSPKI.get(), rootSPKIDER) != Success) {
PR_Abort();
}
endEntityCertID = new (std::nothrow) CertID(rootNameDER, rootSPKIDER,
@ -199,9 +199,9 @@ class pkixocsp_VerifyEncodedResponse_WithoutResponseBytes
{
protected:
// The result is owned by the arena
InputBuffer CreateEncodedOCSPErrorResponse(uint8_t status)
Input CreateEncodedOCSPErrorResponse(uint8_t status)
{
static const InputBuffer EMPTY;
static const Input EMPTY;
OCSPResponseContext context(arena.get(),
CertID(EMPTY, EMPTY, EMPTY),
oneDayBeforeNow);
@ -209,7 +209,9 @@ protected:
context.skipResponseBytes = true;
SECItem* response = CreateEncodedOCSPResponse(context);
EXPECT_TRUE(response);
InputBuffer result;
// The result will be an empty Input on failure, but it doesn't
// matter because the test is going to fail anyway.
Input result;
EXPECT_EQ(Success, result.Init(response->data, response->len));
return result;
}
@ -217,7 +219,7 @@ protected:
TEST_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes, CorrectErrorCode)
{
InputBuffer
Input
response(CreateEncodedOCSPErrorResponse(GetParam().responseStatus));
bool expired;
@ -256,7 +258,7 @@ public:
}
// The result is owned by the arena
InputBuffer CreateEncodedOCSPSuccessfulResponse(
Input CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::CertStatus certStatus,
const CertID& certID,
/*optional*/ const char* signerName,
@ -284,7 +286,7 @@ public:
SECItem* response = CreateEncodedOCSPResponse(context);
EXPECT_TRUE(response);
InputBuffer result;
Input result;
EXPECT_EQ(Success, result.Init(response->data, response->len));
return result;
}
@ -292,7 +294,7 @@ public:
TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey)
{
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, byKey,
rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
&oneDayAfterNow));
@ -306,7 +308,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey)
TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byName)
{
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, rootName,
rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
&oneDayAfterNow));
@ -320,7 +322,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byName)
TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey_without_nextUpdate)
{
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, byKey,
rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
nullptr));
@ -334,7 +336,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey_without_nextUpdate)
TEST_F(pkixocsp_VerifyEncodedResponse_successful, revoked)
{
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::revoked, *endEntityCertID, byKey,
rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
&oneDayAfterNow));
@ -348,7 +350,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, revoked)
TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
{
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::unknown, *endEntityCertID, byKey,
rootPrivateKey, oneDayBeforeNow, oneDayBeforeNow,
&oneDayAfterNow));
@ -383,12 +385,12 @@ protected:
// EKU.
//
// signerDEROut is owned by the arena
InputBuffer CreateEncodedIndirectOCSPSuccessfulResponse(
Input CreateEncodedIndirectOCSPSuccessfulResponse(
const char* certSubjectName,
OCSPResponseContext::CertStatus certStatus,
const char* signerName,
SECOidTag signerEKU = SEC_OID_OCSP_RESPONDER,
/*optional, out*/ InputBuffer* signerDEROut = nullptr)
/*optional, out*/ Input* signerDEROut = nullptr)
{
PR_ASSERT(certSubjectName);
@ -457,7 +459,7 @@ protected:
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byKey)
{
InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
"CN=good_indirect_byKey", OCSPResponseContext::good,
byKey));
bool expired;
@ -470,7 +472,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byKey)
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byName)
{
InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
"CN=good_indirect_byName", OCSPResponseContext::good,
"CN=good_indirect_byName"));
bool expired;
@ -488,7 +490,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
ScopedSECKEYPrivateKey missingSignerPrivateKey;
ASSERT_SECSuccess(GenerateKeyPair(missingSignerPublicKey,
missingSignerPrivateKey));
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, byKey,
missingSignerPrivateKey, oneDayBeforeNow,
oneDayBeforeNow, nullptr));
@ -507,7 +509,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
ScopedSECKEYPrivateKey missingSignerPrivateKey;
ASSERT_SECSuccess(GenerateKeyPair(missingSignerPublicKey,
missingSignerPrivateKey));
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
"CN=missing", missingSignerPrivateKey,
oneDayBeforeNow, oneDayBeforeNow, nullptr));
@ -540,7 +542,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_expired)
ASSERT_TRUE(signerDER);
SECItem const* const certs[] = { signerDER, nullptr };
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
signerName, signerPrivateKey, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow, certs));
@ -572,7 +574,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_future)
ASSERT_TRUE(signerDER);
SECItem const* const certs[] = { signerDER, nullptr };
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
signerName, signerPrivateKey, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow, certs));
@ -586,7 +588,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_future)
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_no_eku)
{
InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
"CN=good_indirect_wrong_eku",
OCSPResponseContext::good, byKey, SEC_OID_UNKNOWN));
bool expired;
@ -600,10 +602,10 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_no_eku)
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
good_indirect_wrong_eku)
{
InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
"CN=good_indirect_wrong_eku",
OCSPResponseContext::good, byKey,
SEC_OID_EXT_KEY_USAGE_SERVER_AUTH));
Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
"CN=good_indirect_wrong_eku",
OCSPResponseContext::good, byKey,
SEC_OID_EXT_KEY_USAGE_SERVER_AUTH));
bool expired;
ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
@ -615,7 +617,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
// Test that signature of OCSP response signer cert is verified
TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_tampered_eku)
{
InputBuffer response(CreateEncodedIndirectOCSPSuccessfulResponse(
Input response(CreateEncodedIndirectOCSPSuccessfulResponse(
"CN=good_indirect_tampered_eku",
OCSPResponseContext::good, byKey,
SEC_OID_EXT_KEY_USAGE_SERVER_AUTH));
@ -627,7 +629,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_tampered_eku)
static const uint8_t EKU_SERVER_AUTH[] = { EKU_PREFIX, 0x01 }; // serverAuth
static const uint8_t EKU_OCSP_SIGNER[] = { EKU_PREFIX, 0x09 }; // OCSPSigning
#undef EKU_PREFIX
SECItem responseSECItem = UnsafeMapInputBufferToSECItem(response);
SECItem responseSECItem = UnsafeMapInputToSECItem(response);
ASSERT_SECSuccess(TamperOnce(responseSECItem,
EKU_SERVER_AUTH, PR_ARRAY_SIZE(EKU_SERVER_AUTH),
EKU_OCSP_SIGNER, PR_ARRAY_SIZE(EKU_OCSP_SIGNER)));
@ -666,7 +668,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_unknown_issuer)
// OCSP response signed by that delegated responder
SECItem const* const certs[] = { signerDER, nullptr };
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
signerName, signerPrivateKey, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow, certs));
@ -720,7 +722,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
// OCSP response signed by the delegated responder issued by the sub-CA
// that is trying to impersonate the root.
SECItem const* const certs[] = { subCADER, signerDER, nullptr };
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
signerName, signerPrivateKey, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow, certs));
@ -774,7 +776,7 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
// OCSP response signed by the delegated responder issued by the sub-CA
// that is trying to impersonate the root.
SECItem const* const certs[] = { signerDER, subCADER, nullptr };
InputBuffer response(CreateEncodedOCSPSuccessfulResponse(
Input response(CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID,
signerName, signerPrivateKey, oneDayBeforeNow,
oneDayBeforeNow, &oneDayAfterNow, certs));
@ -793,7 +795,7 @@ public:
{
pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
InputBuffer
Input
createdResponse(
CreateEncodedIndirectOCSPSuccessfulResponse(
"CN=OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
@ -815,7 +817,7 @@ public:
{
}
bool SetCertTrust(InputBuffer certDER, TrustLevel certTrustLevel)
bool SetCertTrust(Input certDER, TrustLevel certTrustLevel)
{
EXPECT_EQ(Success, this->certDER.Init(certDER));
this->certTrustLevel = certTrustLevel;
@ -824,23 +826,23 @@ public:
private:
virtual Result GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId&,
InputBuffer candidateCert,
Input candidateCert,
/*out*/ TrustLevel& trustLevel)
{
EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
EXPECT_NE(0, certDER.GetLength());
EXPECT_TRUE(InputBuffersAreEqual(certDER, candidateCert));
EXPECT_TRUE(InputsAreEqual(certDER, candidateCert));
trustLevel = certTrustLevel;
return Success;
}
InputBuffer certDER;
Input certDER;
TrustLevel certTrustLevel;
};
TrustDomain trustDomain;
InputBuffer signerCertDER; // owned by arena
InputBuffer response; // owned by arena
Input signerCertDER; // owned by arena
Input response; // owned by arena
};
TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, InheritTrust)

11
security/pkix/test/lib/pkixtestutil.cpp
View File

@ -149,13 +149,12 @@ TamperOnce(SECItem& item,
}
Result
InitInputBufferFromSECItem(const SECItem* secItem,
/*out*/ InputBuffer& inputBuffer)
InitInputFromSECItem(const SECItem* secItem, /*out*/ Input& input)
{
if (!secItem) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
return inputBuffer.Init(secItem->data, secItem->len);
return input.Init(secItem->data, secItem->len);
}
class Output
@ -1337,7 +1336,7 @@ CertID(OCSPResponseContext& context)
if (!hashAlgorithm) {
return nullptr;
}
SECItem issuerSECItem = UnsafeMapInputBufferToSECItem(context.certID.issuer);
SECItem issuerSECItem = UnsafeMapInputToSECItem(context.certID.issuer);
SECItem* issuerNameHash = HashedOctetString(context.arena, issuerSECItem,
context.certIDHashAlg);
if (!issuerNameHash) {
@ -1345,7 +1344,7 @@ CertID(OCSPResponseContext& context)
}
SECItem issuerSubjectPublicKeyInfoSECItem =
UnsafeMapInputBufferToSECItem(context.certID.issuerSubjectPublicKeyInfo);
UnsafeMapInputToSECItem(context.certID.issuerSubjectPublicKeyInfo);
ScopedPtr<CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo>
spki(SECKEY_DecodeDERSubjectPublicKeyInfo(
&issuerSubjectPublicKeyInfoSECItem));
@ -1362,7 +1361,7 @@ CertID(OCSPResponseContext& context)
{ 0 }
};
SECItem serialNumberSECItem =
UnsafeMapInputBufferToSECItem(context.certID.serialNumber);
UnsafeMapInputToSECItem(context.certID.serialNumber);
SECItem* serialNumber = SEC_ASN1EncodeItem(context.arena, nullptr,
&serialNumberSECItem,
serialTemplate);

9
security/pkix/test/lib/pkixtestutil.h
View File

@ -37,12 +37,12 @@
namespace mozilla { namespace pkix { namespace test {
class TestInputBuffer : public InputBuffer
class TestInput : public Input
{
public:
template <size_t N>
explicit TestInputBuffer(const char (&valueString)[N])
: InputBuffer(reinterpret_cast<const uint8_t(&)[N-1]>(valueString))
explicit TestInput(const char (&valueString)[N])
: Input(reinterpret_cast<const uint8_t(&)[N-1]>(valueString))
{
}
};
@ -95,8 +95,7 @@ const SECItem* ASCIIToDERName(PLArenaPool* arena, const char* cn);
SECStatus TamperOnce(SECItem& item, const uint8_t* from, size_t fromLen,
const uint8_t* to, size_t toLen);
Result InitInputBufferFromSECItem(const SECItem* secItem,
/*out*/ InputBuffer& inputBuffer);
Result InitInputFromSECItem(const SECItem* secItem, /*out*/ Input& input);
///////////////////////////////////////////////////////////////////////////////
// Encode Certificates