src/crypto/x509/pkits_test.go
5 package x509
6
7 import (
8 "encoding/json"
9 "os"
10 "path/filepath"
11 "slices"
12 "testing"
13 )
14
// nistTestPolicies resolves the policy names used in
// testdata/nist-pkits/vectors.json to the OIDs that the PKITS certificates
// actually carry. "anyPolicy" is the RFC 5280 special value; the numbered
// NIST test policies all live under the arc 2.16.840.1.101.3.2.1.48 and
// differ only in their last component.
var nistTestPolicies = func() map[string]OID {
	// nistPolicy builds the OID for NIST-test-policy-<arc>.
	nistPolicy := func(arc uint64) OID {
		return mustNewOIDFromInts([]uint64{2, 16, 840, 1, 101, 3, 2, 1, 48, arc})
	}
	return map[string]OID{
		"anyPolicy":          anyPolicyOID,
		"NIST-test-policy-1": nistPolicy(1),
		"NIST-test-policy-2": nistPolicy(2),
		"NIST-test-policy-3": nistPolicy(3),
		"NIST-test-policy-6": nistPolicy(6),
	}
}()
22
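// TestNISTPKITSPolicy runs the certificate-policy portion of the NIST PKITS
// conformance suite (sections 4.8 through 4.12: certificate policies,
// requireExplicitPolicy, policy mappings, inhibitPolicyMapping and
// inhibitAnyPolicy) against policiesValid.
//
// The vectors in testdata/nist-pkits/vectors.json describe each test case:
// the certificate files that make up the path, the initial inputs to policy
// processing from RFC 5280 section 6.1.1 (initial policy set,
// initial-policy-mapping-inhibit, initial-explicit-policy,
// initial-any-policy-inhibit) and whether the path is expected to validate.
// Only the cases named in policyTests are exercised; the rest of the suite is
// ignored here, and a name in policyTests that does not appear in the vectors
// is reported as a failure so that coverage cannot silently disappear.
//
// Only policy processing is checked. Signatures, validity periods, name
// constraints, key usage and revocation are not verified by this test, so a
// pass here says nothing about those parts of path validation.
func TestNISTPKITSPolicy(t *testing.T) {
	certDir := "testdata/nist-pkits/certs"

	// One entry per PKITS test case, matching the layout of vectors.json.
	var testcases []struct {
		Name                        string
		CertPath                    []string // certificate file names relative to certDir
		InitialPolicySet            []string // policy names, resolved through nistTestPolicies
		InitialPolicyMappingInhibit bool
		InitialExplicitPolicy       bool
		InitialAnyPolicyInhibit     bool
		ShouldValidate              bool
		Skipped                     bool // decoded for completeness; selection is by policyTests, not this flag
	}
	b, err := os.ReadFile("testdata/nist-pkits/vectors.json")
	if err != nil {
		t.Fatal(err)
	}
	if err := json.Unmarshal(b, &testcases); err != nil {
		t.Fatal(err)
	}

	// policyTests is the allow-list of vector names this test runs. The names
	// must match vectors.json exactly; see the coverage check after the loop.
	policyTests := map[string]bool{
		"4.8.1 All Certificates Same Policy Test1 (Subpart 1)":      true,
		"4.8.1 All Certificates Same Policy Test1 (Subpart 2)":      true,
		"4.8.1 All Certificates Same Policy Test1 (Subpart 3)":      true,
		"4.8.1 All Certificates Same Policy Test1 (Subpart 4)":      true,
		"4.8.2 All Certificates No Policies Test2 (Subpart 1)":      true,
		"4.8.2 All Certificates No Policies Test2 (Subpart 2)":      true,
		"4.8.3 Different Policies Test3 (Subpart 1)":                true,
		"4.8.3 Different Policies Test3 (Subpart 2)":                true,
		"4.8.3 Different Policies Test3 (Subpart 3)":                true,
		"4.8.4 Different Policies Test4":                            true,
		"4.8.5 Different Policies Test5":                            true,
		"4.8.6 Overlapping Policies Test6 (Subpart 1)":              true,
		"4.8.6 Overlapping Policies Test6 (Subpart 2)":              true,
		"4.8.6 Overlapping Policies Test6 (Subpart 3)":              true,
		"4.8.7 Different Policies Test7":                            true,
		"4.8.8 Different Policies Test8":                            true,
		"4.8.9 Different Policies Test9":                            true,
		"4.8.10 All Certificates Same Policies Test10 (Subpart 1)":  true,
		"4.8.10 All Certificates Same Policies Test10 (Subpart 2)":  true,
		"4.8.10 All Certificates Same Policies Test10 (Subpart 3)":  true,
		"4.8.11 All Certificates AnyPolicy Test11 (Subpart 1)":      true,
		"4.8.11 All Certificates AnyPolicy Test11 (Subpart 2)":      true,
		"4.8.12 Different Policies Test12":                          true,
		"4.8.13 All Certificates Same Policies Test13 (Subpart 1)":  true,
		"4.8.13 All Certificates Same Policies Test13 (Subpart 2)":  true,
		"4.8.13 All Certificates Same Policies Test13 (Subpart 3)":  true,
		"4.8.14 AnyPolicy Test14 (Subpart 1)":                       true,
		"4.8.14 AnyPolicy Test14 (Subpart 2)":                       true,
		"4.8.15 User Notice Qualifier Test15":                       true,
		"4.8.16 User Notice Qualifier Test16":                       true,
		"4.8.17 User Notice Qualifier Test17":                       true,
		"4.8.18 User Notice Qualifier Test18 (Subpart 1)":           true,
		"4.8.18 User Notice Qualifier Test18 (Subpart 2)":           true,
		"4.8.19 User Notice Qualifier Test19":                       true,
		"4.8.20 CPS Pointer Qualifier Test20":                       true,
		"4.9.1 Valid RequireExplicitPolicy Test1":                   true,
		"4.9.2 Valid RequireExplicitPolicy Test2":                   true,
		"4.9.3 Invalid RequireExplicitPolicy Test3":                 true,
		"4.9.4 Valid RequireExplicitPolicy Test4":                   true,
		"4.9.5 Invalid RequireExplicitPolicy Test5":                 true,
		"4.9.6 Valid Self-Issued requireExplicitPolicy Test6":       true,
		"4.9.7 Invalid Self-Issued requireExplicitPolicy Test7":     true,
		"4.9.8 Invalid Self-Issued requireExplicitPolicy Test8":     true,
		"4.10.1.1 Valid Policy Mapping Test1 (Subpart 1)":           true,
		"4.10.1.2 Valid Policy Mapping Test1 (Subpart 2)":           true,
		"4.10.1.3 Valid Policy Mapping Test1 (Subpart 3)":           true,
		"4.10.2 Invalid Policy Mapping Test2 (Subpart 1)":           true,
		"4.10.2 Invalid Policy Mapping Test2 (Subpart 2)":           true,
		"4.10.3 Valid Policy Mapping Test3 (Subpart 1)":             true,
		"4.10.3 Valid Policy Mapping Test3 (Subpart 2)":             true,
		"4.10.4 Invalid Policy Mapping Test4":                       true,
		"4.10.5 Valid Policy Mapping Test5 (Subpart 1)":             true,
		"4.10.5 Valid Policy Mapping Test5 (Subpart 2)":             true,
		"4.10.6 Valid Policy Mapping Test6 (Subpart 1)":             true,
		"4.10.6 Valid Policy Mapping Test6 (Subpart 2)":             true,
		"4.10.7 Invalid Mapping From anyPolicy Test7":               true,
		"4.10.8 Invalid Mapping To anyPolicy Test8":                 true,
		"4.10.9 Valid Policy Mapping Test9":                         true,
		"4.10.10 Invalid Policy Mapping Test10":                     true,
		"4.10.11 Valid Policy Mapping Test11":                       true,
		"4.10.12 Valid Policy Mapping Test12 (Subpart 1)":           true,
		"4.10.12 Valid Policy Mapping Test12 (Subpart 2)":           true,
		"4.10.13 Valid Policy Mapping Test13 (Subpart 1)":           true,
		"4.10.13 Valid Policy Mapping Test13 (Subpart 2)":           true,
		"4.10.13 Valid Policy Mapping Test13 (Subpart 3)":           true,
		"4.10.14 Valid Policy Mapping Test14":                       true,
		"4.11.1 Invalid inhibitPolicyMapping Test1":                 true,
		"4.11.2 Valid inhibitPolicyMapping Test2":                   true,
		"4.11.3 Invalid inhibitPolicyMapping Test3":                 true,
		"4.11.4 Valid inhibitPolicyMapping Test4":                   true,
		"4.11.5 Invalid inhibitPolicyMapping Test5":                 true,
		"4.11.6 Invalid inhibitPolicyMapping Test6":                 true,
		"4.11.7 Valid Self-Issued inhibitPolicyMapping Test7":       true,
		"4.11.8 Invalid Self-Issued inhibitPolicyMapping Test8":     true,
		"4.11.9 Invalid Self-Issued inhibitPolicyMapping Test9":     true,
		"4.11.10 Invalid Self-Issued inhibitPolicyMapping Test10":   true,
		"4.11.11 Invalid Self-Issued inhibitPolicyMapping Test11":   true,
		"4.12.1 Invalid inhibitAnyPolicy Test1":                     true,
		"4.12.2 Valid inhibitAnyPolicy Test2":                       true,
		"4.12.3 inhibitAnyPolicy Test3 (Subpart 1)":                 true,
		"4.12.3 inhibitAnyPolicy Test3 (Subpart 2)":                 true,
		"4.12.4 Invalid inhibitAnyPolicy Test4":                     true,
		"4.12.5 Invalid inhibitAnyPolicy Test5":                     true,
		"4.12.6 Invalid inhibitAnyPolicy Test6":                     true,
		"4.12.7 Valid Self-Issued inhibitAnyPolicy Test7":           true,
		"4.12.8 Invalid Self-Issued inhibitAnyPolicy Test8":         true,
		"4.12.9 Valid Self-Issued inhibitAnyPolicy Test9":           true,
		"4.12.10 Invalid Self-Issued inhibitAnyPolicy Test10":       true,
	}

	// seen records which allow-listed vectors were actually found, so that a
	// renamed or removed vector turns into a failure instead of a silent skip.
	seen := make(map[string]bool, len(policyTests))

	for _, tc := range testcases {
		if !policyTests[tc.Name] {
			continue
		}
		seen[tc.Name] = true
		t.Run(tc.Name, func(t *testing.T) {
			// Kept as a nil slice (not make) so an empty CertPath reaches
			// policiesValid exactly as before.
			var chain []*Certificate
			for _, c := range tc.CertPath {
				certDER, err := os.ReadFile(filepath.Join(certDir, c))
				if err != nil {
					t.Fatal(err)
				}
				cert, err := ParseCertificate(certDER)
				if err != nil {
					t.Fatal(err)
				}
				chain = append(chain, cert)
			}
			// vectors.json appears to list the path trust-anchor-first, while
			// policiesValid consumes it in the opposite order; the reversal
			// is what makes the two agree. Confirm against the vectors if the
			// file format changes.
			slices.Reverse(chain)

			// Same nil-vs-empty consideration as for chain: an empty initial
			// policy set stays nil.
			var initialPolicies []OID
			for _, pstr := range tc.InitialPolicySet {
				policy, ok := nistTestPolicies[pstr]
				if !ok {
					t.Fatalf("unknown test policy: %s", pstr)
				}
				initialPolicies = append(initialPolicies, policy)
			}

			// policiesValid reports only a bool; there is no error value to
			// print on failure (the original message formatted the outer,
			// already-nil err as "%!s(<nil>)").
			valid := policiesValid(chain, VerifyOptions{
				CertificatePolicies:   initialPolicies,
				inhibitPolicyMapping:  tc.InitialPolicyMappingInhibit,
				requireExplicitPolicy: tc.InitialExplicitPolicy,
				inhibitAnyPolicy:      tc.InitialAnyPolicyInhibit,
			})
			if valid == tc.ShouldValidate {
				return
			}
			if tc.ShouldValidate {
				t.Fatal("Expected path validation to succeed, but policy processing rejected the chain")
			}
			t.Fatal("Expected path validation to fail, but policy processing accepted the chain")
		})
	}

	// Every allow-listed name must have matched a vector; otherwise a typo or
	// an upstream rename has quietly dropped part of the conformance coverage.
	for name := range policyTests {
		if !seen[name] {
			t.Errorf("policy test %q listed in policyTests but not found in vectors.json", name)
		}
	}
}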
187