From eabf3ca82e7dc6365e2c76d1a3593ef1424ff01a Mon Sep 17 00:00:00 2001
From: Brian Smith
Date: Mon, 30 Jun 2014 19:12:35 -0700
Subject: [PATCH] Bug 1019770: Add tests for checking of notAfter and notBefore, r=cviecco
--HG--
extra : rebase_source : 614e002886ffa73e7e38218ebb3ea2509edcd1a4
---
 security/pkix/test/gtest/moz.build | 1 +
 .../test/gtest/pkixcheck_CheckTimes_tests.cpp | 174 ++++++++++++++++++
 .../gtest/pkixder_universal_types_tests.cpp | 19 +-
 security/pkix/test/lib/pkixtestutil.cpp | 17 ++
 security/pkix/test/lib/pkixtestutil.h | 4 +
 5 files changed, 198 insertions(+), 17 deletions(-)
 create mode 100644 security/pkix/test/gtest/pkixcheck_CheckTimes_tests.cpp
diff --git a/security/pkix/test/gtest/moz.build b/security/pkix/test/gtest/moz.build
index 8c5020fd689..2ebd8e8f266 100644
--- a/security/pkix/test/gtest/moz.build
+++ b/security/pkix/test/gtest/moz.build
@@ -12,6 +12,7 @@ SOURCES += [
 'pkix_cert_extension_tests.cpp',
 'pkix_ocsp_request_tests.cpp',
 'pkixcheck_CheckKeyUsage_tests.cpp',
+ 'pkixcheck_CheckTimes_tests.cpp',
 'pkixder_input_tests.cpp',
 'pkixder_pki_types_tests.cpp',
 'pkixder_universal_types_tests.cpp',
diff --git a/security/pkix/test/gtest/pkixcheck_CheckTimes_tests.cpp b/security/pkix/test/gtest/pkixcheck_CheckTimes_tests.cpp
new file mode 100644
index 00000000000..c6cefd4e5cf
--- /dev/null
+++ b/security/pkix/test/gtest/pkixcheck_CheckTimes_tests.cpp
@@ -0,0 +1,174 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+#include "pkixtestutil.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckTimes(const CERTValidity& validity, PRTime time);
+
+} } // namespace mozilla::pkix
+
+static const SECItem empty_null = { siBuffer, nullptr, 0 };
+
+static const PRTime PAST_TIME(YMDHMS(1998, 12, 31, 12, 23, 56));
+
+static const uint8_t OLDER_GENERALIZEDTIME_DATA[] = {
+ '1', '9', '9', '9', '0', '1', '0', '1', // 1999-01-01
+ '0', '0', '0', '0', '0', '0', 'Z' // 00:00:00Z
+};
+static const SECItem OLDER_GENERALIZEDTIME = {
+ siGeneralizedTime,
+ const_cast(OLDER_GENERALIZEDTIME_DATA),
+ sizeof(OLDER_GENERALIZEDTIME_DATA)
+};
+
+static const uint8_t OLDER_UTCTIME_DATA[] = {
+ '9', '9', '0', '1', '0', '1', // (19)99-01-01
+ '0', '0', '0', '0', '0', '0', 'Z' // 00:00:00Z
+};
+static const SECItem OLDER_UTCTIME = {
+ siUTCTime,
+ const_cast(OLDER_UTCTIME_DATA),
+ sizeof(OLDER_UTCTIME_DATA)
+};
+
+static const PRTime NOW(YMDHMS(2016, 12, 31, 12, 23, 56));
+
+static const uint8_t NEWER_GENERALIZEDTIME_DATA[] = {
+ '2', '0', '2', '1', '0', '1', '0', '1', // 2021-01-01
+ '0', '0', '0', '0', '0', '0', 'Z' // 00:00:00Z
+};
+static const SECItem NEWER_GENERALIZEDTIME = {
+ siGeneralizedTime,
+ const_cast(NEWER_GENERALIZEDTIME_DATA),
+ sizeof(NEWER_GENERALIZEDTIME_DATA)
+};
+
+static const uint8_t NEWER_UTCTIME_DATA[] = {
+ '2', '1', '0', '1', '0', '1', // 2021-01-01
+ '0', '0', '0', '0', '0', '0', 'Z' // 00:00:00Z
+};
+static const SECItem NEWER_UTCTIME = {
+ siUTCTime,
+ const_cast(NEWER_UTCTIME_DATA),
+ sizeof(NEWER_UTCTIME_DATA)
+};
+
+static const PRTime FUTURE_TIME(YMDHMS(2025, 12, 31, 12, 23, 56));
+
+
+
+class pkixcheck_CheckTimes : public ::testing::Test
+{
+public:
+ virtual void SetUp()
+ {
+ PR_SetError(0, 0);
+ }
+};
+
+TEST_F(pkixcheck_CheckTimes, BothEmptyNull)
+{
+ static const CERTValidity validity = { nullptr, empty_null, empty_null };
+ ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
+ CheckTimes(validity, NOW));
+}
+
+TEST_F(pkixcheck_CheckTimes, NotBeforeEmptyNull)
+{
+ static const CERTValidity validity = { nullptr, empty_null, NEWER_UTCTIME };
+ ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
+ CheckTimes(validity, NOW));
+}
+
+TEST_F(pkixcheck_CheckTimes, NotAfterEmptyNull)
+{
+ static const CERTValidity validity = { nullptr, OLDER_UTCTIME, empty_null };
+ ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
+ CheckTimes(validity, NOW));
+}
+
+TEST_F(pkixcheck_CheckTimes, Valid_UTCTIME_UTCTIME)
+{
+ static const CERTValidity validity = {
+ nullptr, OLDER_UTCTIME, NEWER_UTCTIME
+ };
+ ASSERT_Success(CheckTimes(validity, NOW));
+}
+
+TEST_F(pkixcheck_CheckTimes, Valid_GENERALIZEDTIME_GENERALIZEDTIME)
+{
+ static const CERTValidity validity = {
+ nullptr, OLDER_GENERALIZEDTIME, NEWER_GENERALIZEDTIME
+ };
+ ASSERT_Success(CheckTimes(validity, NOW));
+}
+
+TEST_F(pkixcheck_CheckTimes, Valid_GENERALIZEDTIME_UTCTIME)
+{
+ static const CERTValidity validity = {
+ nullptr, OLDER_GENERALIZEDTIME, NEWER_UTCTIME
+ };
+ ASSERT_Success(CheckTimes(validity, NOW));
+}
+
+TEST_F(pkixcheck_CheckTimes, Valid_UTCTIME_GENERALIZEDTIME)
+{
+ static const CERTValidity validity = {
+ nullptr, OLDER_UTCTIME, NEWER_GENERALIZEDTIME
+ };
+ ASSERT_Success(CheckTimes(validity, NOW));
+}
+
+TEST_F(pkixcheck_CheckTimes, InvalidBeforeNotBefore)
+{
+ static const CERTValidity validity = {
+ nullptr, OLDER_UTCTIME, NEWER_UTCTIME
+ };
+ ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
+ CheckTimes(validity, PAST_TIME));
+}
+
+TEST_F(pkixcheck_CheckTimes, InvalidAfterNotAfter)
+{
+ static const CERTValidity validity = {
+ nullptr, OLDER_UTCTIME, NEWER_UTCTIME
+ };
+ ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
+ CheckTimes(validity, FUTURE_TIME));
+}
+
+TEST_F(pkixcheck_CheckTimes, InvalidNotAfterBeforeNotBefore)
+{
+ static const CERTValidity validity = {
+ nullptr, NEWER_UTCTIME, OLDER_UTCTIME
+ };
+ ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
+ CheckTimes(validity, NOW));
+}
diff --git a/security/pkix/test/gtest/pkixder_universal_types_tests.cpp b/security/pkix/test/gtest/pkixder_universal_types_tests.cpp
index e7c9ddf178b..29900668ff7 100644
--- a/security/pkix/test/gtest/pkixder_universal_types_tests.cpp
+++ b/security/pkix/test/gtest/pkixder_universal_types_tests.cpp
@@ -28,9 +28,11 @@
 #include "pkix/bind.h"
 #include "pkixder.h"
+#include "pkixtestutil.h"
 #include "stdint.h"
 using namespace mozilla::pkix::der;
+using namespace mozilla::pkix::test;
 using namespace std;
 namespace {
@@ -305,23 +307,6 @@ TEST_F(pkixder_universal_types_tests, EnumeratedInvalidZeroLength)
 ASSERT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
 }
-static PRTime
-YMDHMS(int16_t year, int16_t month, int16_t day,
- int16_t hour, int16_t minutes, int16_t seconds)
-{
- PRExplodedTime tm;
- tm.tm_usec = 0;
- tm.tm_sec = seconds;
- tm.tm_min = minutes;
- tm.tm_hour = hour;
- tm.tm_mday = day;
- tm.tm_month = month - 1; // tm_month is zero-based
- tm.tm_year = year;
- tm.tm_params.tp_gmt_offset = 0;
- tm.tm_params.tp_dst_offset = 0;
- return PR_ImplodeTime(&tm);
-}
-
 ////////////////////////////////////////
 // GeneralizedTime and TimeChoice
 //
diff --git a/security/pkix/test/lib/pkixtestutil.cpp b/security/pkix/test/lib/pkixtestutil.cpp
index 6c9f2a5c209..4df702e66b5 100644
--- a/security/pkix/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
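Review bot: None of the new cases pin the inclusive endpoints of the validity window: the Valid_* tests use NOW (2016) well inside 1999..2021, and the invalid ones use PAST_TIME (1998) and FUTURE_TIME (2025) well outside it, so an off-by-one that rejected time == notBefore or time == notAfter (RFC 5280 §4.1.2.5 makes both endpoints valid) would still pass this suite. Add cases at the exact instants the fixtures encode, YMDHMS(1999, 1, 1, 0, 0, 0) and YMDHMS(2021, 1, 1, 0, 0, 0), expecting success, and one second either side expecting SEC_ERROR_EXPIRED_CERTIFICATE (assuming the decoder maps "990101000000Z" and "210101000000Z" to those instants, as the comments on the fixtures say). InvalidNotAfterBeforeNotBefore also cannot isolate an inverted-range check: with notBefore 2021 and notAfter 1999 every time value lies outside the window, so the plain before/after comparisons would return the same error; a comment stating that, or a distinct expected error if CheckTimes reports one for that case, would make the intent explicit.

```cpp
// … unchanged: fixtures and existing tests …

// Both endpoints of the validity period are themselves valid (RFC 5280 4.1.2.5).
TEST_F(pkixcheck_CheckTimes, ValidAtNotBeforeAndAtNotAfter)
{
  static const CERTValidity validity = {
    nullptr, OLDER_UTCTIME, NEWER_UTCTIME
  };
  ASSERT_Success(CheckTimes(validity, YMDHMS(1999, 1, 1, 0, 0, 0)));
  ASSERT_Success(CheckTimes(validity, YMDHMS(2021, 1, 1, 0, 0, 0)));
}

// One second outside either endpoint is rejected.
TEST_F(pkixcheck_CheckTimes, InvalidOneSecondOutsideWindow)
{
  static const CERTValidity validity = {
    nullptr, OLDER_UTCTIME, NEWER_UTCTIME
  };
  ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
                          CheckTimes(validity, YMDHMS(1998, 12, 31, 23, 59, 59)));
  ASSERT_RecoverableError(SEC_ERROR_EXPIRED_CERTIFICATE,
                          CheckTimes(validity, YMDHMS(2021, 1, 1, 0, 0, 1)));
}
```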
@@ -428,6 +428,23 @@ PRTimeToTimeChoice(PLArenaPool* arena, PRTime time)
 : GeneralizedTime);
 }
+PRTime
+YMDHMS(int16_t year, int16_t month, int16_t day,
+ int16_t hour, int16_t minutes, int16_t seconds)
+{
+ PRExplodedTime tm;
+ tm.tm_usec = 0;
+ tm.tm_sec = seconds;
+ tm.tm_min = minutes;
+ tm.tm_hour = hour;
+ tm.tm_mday = day;
+ tm.tm_month = month - 1; // tm_month is zero-based
+ tm.tm_year = year;
+ tm.tm_params.tp_gmt_offset = 0;
+ tm.tm_params.tp_dst_offset = 0;
+ return PR_ImplodeTime(&tm);
+}
+
 static SECItem*
 SignedData(PLArenaPool* arena, const SECItem* tbsData,
 SECKEYPrivateKey* privKey, SECOidTag hashAlg,
diff --git a/security/pkix/test/lib/pkixtestutil.h b/security/pkix/test/lib/pkixtestutil.h
index b768818bd8a..68ff66b97e3 100644
--- a/security/pkix/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -62,6 +62,10 @@ FILE* OpenFile(const char* dir, const char* filename, const char* mode);
 extern const PRTime ONE_DAY;
+// e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
+PRTime YMDHMS(int16_t year, int16_t month, int16_t day,
+ int16_t hour, int16_t minutes, int16_t seconds);
+
 SECStatus GenerateKeyPair(/*out*/ ScopedSECKEYPublicKey& publicKey,
 /*out*/ ScopedSECKEYPrivateKey& privateKey);
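Review bot: `PRExplodedTime tm;` at the top of YMDHMS leaves tm_wday and tm_yday indeterminate and then passes the whole struct to PR_ImplodeTime; as far as I recall PR_ImplodeTime normalises a copy and recomputes those two fields, but now that the helper is shared library code rather than one test's local it should not lean on that, and memory checkers will flag the read either way. Write `PRExplodedTime tm = {};` so every field starts at zero (the copy deleted from pkixder_universal_types_tests.cpp had the same gap, so the move is the right moment to fix it). Out-of-range arguments such as month 13 or day 0 are not rejected anywhere in the function, and if normalisation silently rolls them over a typo in a test date would go unnoticed; a `PR_ASSERT(month >= 1 && month <= 12 && day >= 1 && day <= 31);` at the top would catch that at the call site.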
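Review bot: The new comment on the YMDHMS declaration gives an example but not the contract a caller needs: that month is 1-based (the implementation subtracts one before storing tm_month), that all arguments are taken as UTC (tp_gmt_offset and tp_dst_offset are set to zero), and that the arguments are not range-checked. Suggest replacing it with `// Builds a PRTime from a calendar date and time given in UTC. month is 1-based (1 = January); arguments are not range-checked.` followed by the existing example line, with the example written as `2016-12-31 01:23:45 GMT` rather than with a colon between date and time.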