1 /* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <vector>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <openssl/bio.h>
21 #include <openssl/bytestring.h>
22 #include <openssl/crypto.h>
23 #include <openssl/digest.h>
24 #include <openssl/err.h>
25 #include <openssl/pem.h>
26 #include <openssl/pool.h>
27 #include <openssl/x509.h>
28
29 #include "../internal.h"
30
31
32 static const char kCrossSigningRootPEM[] =
33 "-----BEGIN CERTIFICATE-----\n"
34 "MIICcTCCAdqgAwIBAgIIagJHiPvE0MowDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"
35 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"
36 "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowPDEaMBgGA1UE\n"
37 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"
38 "dCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwo3qFvSB9Zmlbpzn9wJp\n"
39 "ikI75Rxkatez8VkLqyxbOhPYl2Haz8F5p1gDG96dCI6jcLGgu3AKT9uhEQyyUko5\n"
40 "EKYasazSeA9CQrdyhPg0mkTYVETnPM1W/ebid1YtqQbq1CMWlq2aTDoSGAReGFKP\n"
41 "RTdXAbuAXzpCfi/d8LqV13UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgIEMB0GA1Ud\n"
42 "JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MBkGA1Ud\n"
43 "DgQSBBBHKHC7V3Z/3oLvEZx0RZRwMBsGA1UdIwQUMBKAEEcocLtXdn/egu8RnHRF\n"
44 "lHAwDQYJKoZIhvcNAQELBQADgYEAnglibsy6mGtpIXivtlcz4zIEnHw/lNW+r/eC\n"
45 "CY7evZTmOoOuC/x9SS3MF9vawt1HFUummWM6ZgErqVBOXIB4//ykrcCgf5ZbF5Hr\n"
46 "+3EFprKhBqYiXdD8hpBkrBoXwn85LPYWNd2TceCrx0YtLIprE2R5MB2RIq8y4Jk3\n"
47 "YFXvkME=\n"
48 "-----END CERTIFICATE-----\n";
49
50 static const char kRootCAPEM[] =
51 "-----BEGIN CERTIFICATE-----\n"
52 "MIICVTCCAb6gAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwLjEaMBgGA1UE\n"
53 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwIBcNMTUwMTAx\n"
54 "MDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMC4xGjAYBgNVBAoTEUJvcmluZ1NTTCBU\n"
55 "RVNUSU5HMRAwDgYDVQQDEwdSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n"
56 "iQKBgQDpDn8RDOZa5oaDcPZRBy4CeBH1siSSOO4mYgLHlPE+oXdqwI/VImi2XeJM\n"
57 "2uCFETXCknJJjYG0iJdrt/yyRFvZTQZw+QzGj+mz36NqhGxDWb6dstB2m8PX+plZ\n"
58 "w7jl81MDvUnWs8yiQ/6twgu5AbhWKZQDJKcNKCEpqa6UW0r5nwIDAQABo3oweDAO\n"
59 "BgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8G\n"
60 "A1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEEA31wH7QC+4HH5UBCeMWQEwGwYDVR0j\n"
61 "BBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOBgQDXylEK77Za\n"
62 "kKeY6ZerrScWyZhrjIGtHFu09qVpdJEzrk87k2G7iHHR9CAvSofCgEExKtWNS9dN\n"
63 "+9WiZp/U48iHLk7qaYXdEuO07No4BYtXn+lkOykE+FUxmA4wvOF1cTd2tdj3MzX2\n"
64 "kfGIBAYhzGZWhY3JbhIfTEfY1PNM1pWChQ==\n"
65 "-----END CERTIFICATE-----\n";
66
67 static const char kRootCrossSignedPEM[] =
68 "-----BEGIN CERTIFICATE-----\n"
69 "MIICYzCCAcygAwIBAgIIAj5CwoHlWuYwDQYJKoZIhvcNAQELBQAwPDEaMBgGA1UE\n"
70 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxHjAcBgNVBAMTFUNyb3NzLXNpZ25pbmcgUm9v\n"
71 "dCBDQTAgFw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowLjEaMBgGA1UE\n"
72 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxEDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZI\n"
73 "hvcNAQEBBQADgY0AMIGJAoGBAOkOfxEM5lrmhoNw9lEHLgJ4EfWyJJI47iZiAseU\n"
74 "8T6hd2rAj9UiaLZd4kza4IURNcKSckmNgbSIl2u3/LJEW9lNBnD5DMaP6bPfo2qE\n"
75 "bENZvp2y0Habw9f6mVnDuOXzUwO9SdazzKJD/q3CC7kBuFYplAMkpw0oISmprpRb\n"
76 "SvmfAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcD\n"
77 "AQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQQDfXAftAL7gc\n"
78 "flQEJ4xZATAbBgNVHSMEFDASgBBHKHC7V3Z/3oLvEZx0RZRwMA0GCSqGSIb3DQEB\n"
79 "CwUAA4GBAErTxYJ0en9HVRHAAr5OO5wuk5Iq3VMc79TMyQLCXVL8YH8Uk7KEwv+q\n"
80 "9MEKZv2eR/Vfm4HlXlUuIqfgUXbwrAYC/YVVX86Wnbpy/jc73NYVCq8FEZeO+0XU\n"
81 "90SWAPDdp+iL7aZdimnMtG1qlM1edmz8AKbrhN/R3IbA2CL0nCWV\n"
82 "-----END CERTIFICATE-----\n";
83
84 static const char kIntermediatePEM[] =
85 "-----BEGIN CERTIFICATE-----\n"
86 "MIICXjCCAcegAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMC4xGjAYBgNV\n"
87 "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRAwDgYDVQQDEwdSb290IENBMCAXDTE1MDEw\n"
88 "MTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjA2MRowGAYDVQQKExFCb3JpbmdTU0wg\n"
89 "VEVTVElORzEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEB\n"
90 "AQUAA4GNADCBiQKBgQC7YtI0l8ocTYJ0gKyXTtPL4iMJCNY4OcxXl48jkncVG1Hl\n"
91 "blicgNUa1r9m9YFtVkxvBinb8dXiUpEGhVg4awRPDcatlsBSEBuJkiZGYbRcAmSu\n"
92 "CmZYnf6u3aYQ18SU8WqVERPpE4cwVVs+6kwlzRw0+XDoZAczu8ZezVhCUc6NbQID\n"
93 "AQABo3oweDAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\n"
94 "AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEIwaaKi1dttdV3sfjRSy\n"
95 "BqMwGwYDVR0jBBQwEoAQQDfXAftAL7gcflQEJ4xZATANBgkqhkiG9w0BAQsFAAOB\n"
96 "gQCvnolNWEHuQS8PFVVyuLR+FKBeUUdrVbSfHSzTqNAqQGp0C9fk5oCzDq6ZgTfY\n"
97 "ESXM4cJhb3IAnW0UM0NFsYSKQJ50JZL2L3z5ZLQhHdbs4RmODGoC40BVdnJ4/qgB\n"
98 "aGSh09eQRvAVmbVCviDK2ipkWNegdyI19jFfNP5uIkGlYg==\n"
99 "-----END CERTIFICATE-----\n";
100
101 static const char kIntermediateSelfSignedPEM[] =
102 "-----BEGIN CERTIFICATE-----\n"
103 "MIICZjCCAc+gAwIBAgIJAKJMH+7rscPcMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"
104 "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"
105 "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDYxGjAYBgNVBAoTEUJv\n"
106 "cmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ\n"
107 "KoZIhvcNAQEBBQADgY0AMIGJAoGBALti0jSXyhxNgnSArJdO08viIwkI1jg5zFeX\n"
108 "jyOSdxUbUeVuWJyA1RrWv2b1gW1WTG8GKdvx1eJSkQaFWDhrBE8Nxq2WwFIQG4mS\n"
109 "JkZhtFwCZK4KZlid/q7dphDXxJTxapURE+kThzBVWz7qTCXNHDT5cOhkBzO7xl7N\n"
110 "WEJRzo1tAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEF\n"
111 "BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQjBpoqLV2\n"
112 "211Xex+NFLIGozAbBgNVHSMEFDASgBCMGmiotXbbXVd7H40UsgajMA0GCSqGSIb3\n"
113 "DQEBCwUAA4GBALcccSrAQ0/EqQBsx0ZDTUydHXXNP2DrUkpUKmAXIe8McqIVSlkT\n"
114 "6H4xz7z8VRKBo9j+drjjtCw2i0CQc8aOLxRb5WJ8eVLnaW2XRlUqAzhF0CrulfVI\n"
115 "E4Vs6ZLU+fra1WAuIj6qFiigRja+3YkZArG8tMA9vtlhTX/g7YBZIkqH\n"
116 "-----END CERTIFICATE-----\n";
117
118 static const char kLeafPEM[] =
119 "-----BEGIN CERTIFICATE-----\n"
120 "MIICXjCCAcegAwIBAgIIWjO48ufpunYwDQYJKoZIhvcNAQELBQAwNjEaMBgGA1UE\n"
121 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTAg\n"
122 "Fw0xNTAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowMjEaMBgGA1UEChMRQm9y\n"
123 "aW5nU1NMIFRFU1RJTkcxFDASBgNVBAMTC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3\n"
124 "DQEBAQUAA4GNADCBiQKBgQDD0U0ZYgqShJ7oOjsyNKyVXEHqeafmk/bAoPqY/h1c\n"
125 "oPw2E8KmeqiUSoTPjG5IXSblOxcqpbAXgnjPzo8DI3GNMhAf8SYNYsoH7gc7Uy7j\n"
126 "5x8bUrisGnuTHqkqH6d4/e7ETJ7i3CpR8bvK16DggEvQTudLipz8FBHtYhFakfdh\n"
127 "TwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\n"
128 "CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEKN5pvbur7mlXjeMEYA0\n"
129 "4nUwGwYDVR0jBBQwEoAQjBpoqLV2211Xex+NFLIGozANBgkqhkiG9w0BAQsFAAOB\n"
130 "gQBj/p+JChp//LnXWC1k121LM/ii7hFzQzMrt70bny406SGz9jAjaPOX4S3gt38y\n"
131 "rhjpPukBlSzgQXFg66y6q5qp1nQTD1Cw6NkKBe9WuBlY3iYfmsf7WT8nhlT1CttU\n"
132 "xNCwyMX9mtdXdQicOfNjIGUCD5OLV5PgHFPRKiHHioBAhg==\n"
133 "-----END CERTIFICATE-----\n";
134
135 static const char kLeafNoKeyUsagePEM[] =
136 "-----BEGIN CERTIFICATE-----\n"
137 "MIICNTCCAZ6gAwIBAgIJAIFQGaLQ0G2mMA0GCSqGSIb3DQEBCwUAMDYxGjAYBgNV\n"
138 "BAoTEUJvcmluZ1NTTCBURVNUSU5HMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0Ew\n"
139 "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDcxGjAYBgNVBAoTEUJv\n"
140 "cmluZ1NTTCBURVNUSU5HMRkwFwYDVQQDExBldmlsLmV4YW1wbGUuY29tMIGfMA0G\n"
141 "CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOKoZe75NPz77EOaMMl4/0s3PyQw++zJvp\n"
142 "ejHAxZiTPCJgMbEHLrSzNoHdopg+CLUH5bE4wTXM8w9Inv5P8OAFJt7gJuPUunmk\n"
143 "j+NoU3QfzOR6BroePcz1vXX9jyVHRs087M/sLqWRHu9IR+/A+UTcBaWaFiDVUxtJ\n"
144 "YOwFMwjNPQIDAQABo0gwRjAMBgNVHRMBAf8EAjAAMBkGA1UdDgQSBBBJfLEUWHq1\n"
145 "27rZ1AVx2J5GMBsGA1UdIwQUMBKAEIwaaKi1dttdV3sfjRSyBqMwDQYJKoZIhvcN\n"
146 "AQELBQADgYEALVKN2Y3LZJOtu6SxFIYKxbLaXhTGTdIjxipZhmbBRDFjbZjZZOTe\n"
147 "6Oo+VDNPYco4rBexK7umYXJyfTqoY0E8dbiImhTcGTEj7OAB3DbBomgU1AYe+t2D\n"
148 "uwBqh4Y3Eto+Zn4pMVsxGEfUpjzjZDel7bN1/oU/9KWPpDfywfUmjgk=\n"
149 "-----END CERTIFICATE-----\n";
150
151 static const char kForgeryPEM[] =
152 "-----BEGIN CERTIFICATE-----\n"
153 "MIICZzCCAdCgAwIBAgIIdTlMzQoKkeMwDQYJKoZIhvcNAQELBQAwNzEaMBgGA1UE\n"
154 "ChMRQm9yaW5nU1NMIFRFU1RJTkcxGTAXBgNVBAMTEGV2aWwuZXhhbXBsZS5jb20w\n"
155 "IBcNMTUwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMDoxGjAYBgNVBAoTEUJv\n"
156 "cmluZ1NTTCBURVNUSU5HMRwwGgYDVQQDExNmb3JnZXJ5LmV4YW1wbGUuY29tMIGf\n"
157 "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDADTwruBQZGb7Ay6s9HiYv5d1lwtEy\n"
158 "xQdA2Sy8Rn8uA20Q4KgqwVY7wzIZ+z5Butrsmwb70gdG1XU+yRaDeE7XVoW6jSpm\n"
159 "0sw35/5vJbTcL4THEFbnX0OPZnvpuZDFUkvVtq5kxpDWsVyM24G8EEq7kPih3Sa3\n"
160 "OMhXVXF8kso6UQIDAQABo3cwdTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI\n"
161 "KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0OBBIEEEYJ/WHM\n"
162 "8p64erPWIg4/liwwGwYDVR0jBBQwEoAQSXyxFFh6tdu62dQFcdieRjANBgkqhkiG\n"
163 "9w0BAQsFAAOBgQA+zH7bHPElWRWJvjxDqRexmYLn+D3Aivs8XgXQJsM94W0EzSUf\n"
164 "DSLfRgaQwcb2gg2xpDFoG+W0vc6O651uF23WGt5JaFFJJxqjII05IexfCNhuPmp4\n"
165 "4UZAXPttuJXpn74IY1tuouaM06B3vXKZR+/ityKmfJvSwxacmFcK+2ziAg==\n"
166 "-----END CERTIFICATE-----\n";
167
168 // kExamplePSSCert is an example RSA-PSS self-signed certificate, signed with
169 // the default hash functions.
170 static const char kExamplePSSCert[] =
171 "-----BEGIN CERTIFICATE-----\n"
172 "MIICYjCCAcagAwIBAgIJAI3qUyT6SIfzMBIGCSqGSIb3DQEBCjAFogMCAWowRTEL\n"
173 "MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy\n"
174 "bmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xNDEwMDkxOTA5NTVaFw0xNTEwMDkxOTA5\n"
175 "NTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK\n"
176 "DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A\n"
177 "MIGJAoGBAPi4bIO0vNmoV8CltFl2jFQdeesiUgR+0zfrQf2D+fCmhRU0dXFahKg8\n"
178 "0u9aTtPel4rd/7vPCqqGkr64UOTNb4AzMHYTj8p73OxaymPHAyXvqIqDWHYg+hZ3\n"
179 "13mSYwFIGth7Z/FSVUlO1m5KXNd6NzYM3t2PROjCpywrta9kS2EHAgMBAAGjUDBO\n"
180 "MB0GA1UdDgQWBBTQQfuJQR6nrVrsNF1JEflVgXgfEzAfBgNVHSMEGDAWgBTQQfuJ\n"
181 "QR6nrVrsNF1JEflVgXgfEzAMBgNVHRMEBTADAQH/MBIGCSqGSIb3DQEBCjAFogMC\n"
182 "AWoDgYEASUy2RZcgNbNQZA0/7F+V1YTLEXwD16bm+iSVnzGwtexmQVEYIZG74K/w\n"
183 "xbdZQdTbpNJkp1QPjPfh0zsatw6dmt5QoZ8K8No0DjR9dgf+Wvv5WJvJUIQBoAVN\n"
184 "Z0IL+OQFz6+LcTHxD27JJCebrATXZA0wThGTQDm7crL+a+SujBY=\n"
185 "-----END CERTIFICATE-----\n";
186
187 // kBadPSSCertPEM is a self-signed RSA-PSS certificate with bad parameters.
188 static const char kBadPSSCertPEM[] =
189 "-----BEGIN CERTIFICATE-----\n"
190 "MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI\n"
191 "AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD\n"
192 "VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz\n"
193 "NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj\n"
194 "ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH\n"
195 "qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL\n"
196 "IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT\n"
197 "IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k\n"
198 "dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq\n"
199 "QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa\n"
200 "5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2\n"
201 "4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB\n"
202 "Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii\n"
203 "BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb\n"
204 "xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn\n"
205 "plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY\n"
206 "DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p\n"
207 "NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ\n"
208 "lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=\n"
209 "-----END CERTIFICATE-----\n";
210
211 static const char kRSAKey[] =
212 "-----BEGIN RSA PRIVATE KEY-----\n"
213 "MIICXgIBAAKBgQDYK8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92\n"
214 "kWdGMdAQhLciHnAjkXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiF\n"
215 "KKAnHmUcrgfVW28tQ+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQAB\n"
216 "AoGBAIBy09Fd4DOq/Ijp8HeKuCMKTHqTW1xGHshLQ6jwVV2vWZIn9aIgmDsvkjCe\n"
217 "i6ssZvnbjVcwzSoByhjN8ZCf/i15HECWDFFh6gt0P5z0MnChwzZmvatV/FXCT0j+\n"
218 "WmGNB/gkehKjGXLLcjTb6dRYVJSCZhVuOLLcbWIV10gggJQBAkEA8S8sGe4ezyyZ\n"
219 "m4e9r95g6s43kPqtj5rewTsUxt+2n4eVodD+ZUlCULWVNAFLkYRTBCASlSrm9Xhj\n"
220 "QpmWAHJUkQJBAOVzQdFUaewLtdOJoPCtpYoY1zd22eae8TQEmpGOR11L6kbxLQsk\n"
221 "aMly/DOnOaa82tqAGTdqDEZgSNmCeKKknmECQAvpnY8GUOVAubGR6c+W90iBuQLj\n"
222 "LtFp/9ihd2w/PoDwrHZaoUYVcT4VSfJQog/k7kjE4MYXYWL8eEKg3WTWQNECQQDk\n"
223 "104Wi91Umd1PzF0ijd2jXOERJU1wEKe6XLkYYNHWQAe5l4J4MWj9OdxFXAxIuuR/\n"
224 "tfDwbqkta4xcux67//khAkEAvvRXLHTaa6VFzTaiiO8SaFsHV3lQyXOtMrBpB5jd\n"
225 "moZWgjHvB2W9Ckn7sDqsPB+U2tyX0joDdQEyuiMECDY8oQ==\n"
226 "-----END RSA PRIVATE KEY-----\n";
227
228 // kCRLTestRoot is a test root certificate. It has private key:
229 //
230 // -----BEGIN RSA PRIVATE KEY-----
231 // MIIEpAIBAAKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3BS/dUBpbrzd1aeFzN
232 // lI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+5R/Du0iCb1tCZIPY
233 // 07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWpuRqO6rctN9qUoMlT
234 // IAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n8H922qmvPNA9idmX
235 // 9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbLP2o9orxGx7aCtnnB
236 // ZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABAoIBAQCJF9MTHfHGkk+/
237 // DwCXlA0Wg0e6hBuHl10iNobYkMWIl/xXjOknhYiqOqb181py76472SVC5ERprC+r
238 // Lf0PXzqKuA117mnkwT2bYLCL9Skf8WEhoFLQNbVlloF6wYjqXcYgKYKh8HgQbZl4
239 // aLg2YQl2NADTNABsUWj/4H2WEelsODVviqfFs725lFg9KHDI8zxAZXLzDt/M9uVL
240 // GxJiX12tr0AwaeAFZ1oPM/y+LznM3N3+Ht3jHHw3jZ/u8Z1RdAmdpu3bZ6tbwGBr
241 // 9edsH5rKkm9aBvMrY7eX5VHqaqyRNFyG152ZOJh4XiiFG7EmgTPCpaHo50Y018Re
242 // grVtk+FBAoGBANY3lY+V8ZOwMxSHes+kTnoimHO5Ob7nxrOC71i27x+4HHsYUeAr
243 // /zOOghiDIn+oNkuiX5CIOWZKx159Bp65CPpCbTb/fh+HYnSgXFgCw7XptycO7LXM
244 // 5GwR5jSfpfzBFdYxjxoUzDMFBwTEYRTm0HkUHkH+s+ajjw5wqqbcGLcfAoGBAMM8
245 // DKW6Tb66xsf708f0jonAjKYTLZ+WOcwsBEWSFHoY8dUjvW5gqx5acHTEsc5ZTeh4
246 // BCFLa+Mn9cuJWVJNs09k7Xb2PNl92HQ4GN2vbdkJhExbkT6oLDHg1hVD0w8KLfz1
247 // lTAW6pS+6CdOHMEJpvqx89EgU/1GgIQ1fXYczE75AoGAKeJoXdDFkUjsU+FBhAPu
248 // TDcjc80Nm2QaF9NMFR5/lsYa236f06MGnQAKM9zADBHJu/Qdl1brUjLg1HrBppsr
249 // RDNkw1IlSOjhuUf5hkPUHGd8Jijm440SRIcjabqla8wdBupdvo2+d2NOQgJbsQiI
250 // ToQ+fkzcxAXK3Nnuo/1436UCgYBjLH7UNOZHS8OsVM0I1r8NVKVdu4JCfeJQR8/H
251 // s2P5ffBir+wLRMnH+nMDreMQiibcPxMCArkERAlE4jlgaJ38Z62E76KLbLTmnJRt
252 // EC9Bv+bXjvAiHvWMRMUbOj/ddPNVez7Uld+FvdBaHwDWQlvzHzBWfBCOKSEhh7Z6
253 // qDhUqQKBgQDPMDx2i5rfmQp3imV9xUcCkIRsyYQVf8Eo7NV07IdUy/otmksgn4Zt
254 // Lbf3v2dvxOpTNTONWjp2c+iUQo8QxJCZr5Sfb21oQ9Ktcrmc/CY7LeBVDibXwxdM
255 // vRG8kBzvslFWh7REzC3u06GSVhyKDfW93kN2cKVwGoahRlhj7oHuZQ==
256 // -----END RSA PRIVATE KEY-----
257 static const char kCRLTestRoot[] =
258 "-----BEGIN CERTIFICATE-----\n"
259 "MIIDbzCCAlegAwIBAgIJAODri7v0dDUFMA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV\n"
260 "BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW\n"
261 "aWV3MRIwEAYDVQQKDAlCb3JpbmdTU0wwHhcNMTYwOTI2MTUwNjI2WhcNMjYwOTI0\n"
262 "MTUwNjI2WjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG\n"
263 "A1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJQm9yaW5nU1NMMIIBIjANBgkq\n"
264 "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo16WiLWZuaymsD8n5SKPmxV1y6jjgr3B\n"
265 "S/dUBpbrzd1aeFzNlI8l2jfAnzUyp+I21RQ+nh/MhqjGElkTtK9xMn1Y+S9GMRh+\n"
266 "5R/Du0iCb1tCZIPY07Tgrb0KMNWe0v2QKVVruuYSgxIWodBfxlKO64Z8AJ5IbnWp\n"
267 "uRqO6rctN9qUoMlTIAB6dL4G0tDJ/PGFWOJYwOMEIX54bly2wgyYJVBKiRRt4f7n\n"
268 "8H922qmvPNA9idmX9G1VAtgV6x97XXi7ULORIQvn9lVQF6nTYDBJhyuPB+mLThbL\n"
269 "P2o9orxGx7aCtnnBZUIxUvHNOI0FaSaZH7Fi0xsZ/GkG2HZe7ImPJwIDAQABo1Aw\n"
270 "TjAdBgNVHQ4EFgQUWPt3N5cZ/CRvubbrkqfBnAqhq94wHwYDVR0jBBgwFoAUWPt3\n"
271 "N5cZ/CRvubbrkqfBnAqhq94wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\n"
272 "AQEAORu6M0MOwXy+3VEBwNilfTxyqDfruQsc1jA4PT8Oe8zora1WxE1JB4q2FJOz\n"
273 "EAuM3H/NXvEnBuN+ITvKZAJUfm4NKX97qmjMJwLKWe1gVv+VQTr63aR7mgWJReQN\n"
274 "XdMztlVeZs2dppV6uEg3ia1X0G7LARxGpA9ETbMyCpb39XxlYuTClcbA5ftDN99B\n"
275 "3Xg9KNdd++Ew22O3HWRDvdDpTO/JkzQfzi3sYwUtzMEonENhczJhGf7bQMmvL/w5\n"
276 "24Wxj4Z7KzzWIHsNqE/RIs6RV3fcW61j/mRgW2XyoWnMVeBzvcJr9NXp4VQYmFPw\n"
277 "amd8GKMZQvP0ufGnUn7D7uartA==\n"
278 "-----END CERTIFICATE-----\n";
279
280 static const char kCRLTestLeaf[] =
281 "-----BEGIN CERTIFICATE-----\n"
282 "MIIDkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCVVMx\n"
283 "EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEjAQ\n"
284 "BgNVBAoMCUJvcmluZ1NTTDAeFw0xNjA5MjYxNTA4MzFaFw0xNzA5MjYxNTA4MzFa\n"
285 "MEsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQKDAlC\n"
286 "b3JpbmdTU0wxEzARBgNVBAMMCmJvcmluZy5zc2wwggEiMA0GCSqGSIb3DQEBAQUA\n"
287 "A4IBDwAwggEKAoIBAQDc5v1S1M0W+QWM+raWfO0LH8uvqEwuJQgODqMaGnSlWUx9\n"
288 "8iQcnWfjyPja3lWg9K62hSOFDuSyEkysKHDxijz5R93CfLcfnVXjWQDJe7EJTTDP\n"
289 "ozEvxN6RjAeYv7CF000euYr3QT5iyBjg76+bon1p0jHZBJeNPP1KqGYgyxp+hzpx\n"
290 "e0gZmTlGAXd8JQK4v8kpdYwD6PPifFL/jpmQpqOtQmH/6zcLjY4ojmqpEdBqIKIX\n"
291 "+saA29hMq0+NK3K+wgg31RU+cVWxu3tLOIiesETkeDgArjWRS1Vkzbi4v9SJxtNu\n"
292 "OZuAxWiynRJw3JwH/OFHYZIvQqz68ZBoj96cepjPAgMBAAGjezB5MAkGA1UdEwQC\n"
293 "MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl\n"
294 "MB0GA1UdDgQWBBTGn0OVVh/aoYt0bvEKG+PIERqnDzAfBgNVHSMEGDAWgBRY+3c3\n"
295 "lxn8JG+5tuuSp8GcCqGr3jANBgkqhkiG9w0BAQsFAAOCAQEAd2nM8gCQN2Dc8QJw\n"
296 "XSZXyuI3DBGGCHcay/3iXu0JvTC3EiQo8J6Djv7WLI0N5KH8mkm40u89fJAB2lLZ\n"
297 "ShuHVtcC182bOKnePgwp9CNwQ21p0rDEu/P3X46ZvFgdxx82E9xLa0tBB8PiPDWh\n"
298 "lV16jbaKTgX5AZqjnsyjR5o9/mbZVupZJXx5Syq+XA8qiJfstSYJs4KyKK9UOjql\n"
299 "ICkJVKpi2ahDBqX4MOH4SLfzVk8pqSpviS6yaA1RXqjpkxiN45WWaXDldVHMSkhC\n"
300 "5CNXsXi4b1nAntu89crwSLA3rEwzCWeYj+BX7e1T9rr3oJdwOU/2KQtW1js1yQUG\n"
301 "tjJMFw==\n"
302 "-----END CERTIFICATE-----\n";
303
304 static const char kBasicCRL[] =
305 "-----BEGIN X509 CRL-----\n"
306 "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"
307 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"
308 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoA4wDDAKBgNV\n"
309 "HRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEAnrBKKgvd9x9zwK9rtUvVeFeJ7+LN\n"
310 "ZEAc+a5oxpPNEsJx6hXoApYEbzXMxuWBQoCs5iEBycSGudct21L+MVf27M38KrWo\n"
311 "eOkq0a2siqViQZO2Fb/SUFR0k9zb8xl86Zf65lgPplALun0bV/HT7MJcl04Tc4os\n"
312 "dsAReBs5nqTGNEd5AlC1iKHvQZkM//MD51DspKnDpsDiUVi54h9C1SpfZmX8H2Vv\n"
313 "diyu0fZ/bPAM3VAGawatf/SyWfBMyKpoPXEG39oAzmjjOj8en82psn7m474IGaho\n"
314 "/vBbhl1ms5qQiLYPjm4YELtnXQoFyC72tBjbdFd/ZE9k4CNKDbxFUXFbkw==\n"
315 "-----END X509 CRL-----\n";
316
317 static const char kRevokedCRL[] =
318 "-----BEGIN X509 CRL-----\n"
319 "MIIBvjCBpwIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"
320 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"
321 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEyNDRaFw0xNjEwMjYxNTEyNDRaMBUwEwICEAAX\n"
322 "DTE2MDkyNjE1MTIyNlqgDjAMMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEBCwUAA4IB\n"
323 "AQCUGaM4DcWzlQKrcZvI8TMeR8BpsvQeo5BoI/XZu2a8h//PyRyMwYeaOM+3zl0d\n"
324 "sjgCT8b3C1FPgT+P2Lkowv7rJ+FHJRNQkogr+RuqCSPTq65ha4WKlRGWkMFybzVH\n"
325 "NloxC+aU3lgp/NlX9yUtfqYmJek1CDrOOGPrAEAwj1l/BUeYKNGqfBWYJQtPJu+5\n"
326 "OaSvIYGpETCZJscUWODmLEb/O3DM438vLvxonwGqXqS0KX37+CHpUlyhnSovxXxp\n"
327 "Pz4aF+L7OtczxL0GYtD2fR9B7TDMqsNmHXgQrixvvOY7MUdLGbd4RfJL3yA53hyO\n"
328 "xzfKY2TzxLiOmctG0hXFkH5J\n"
329 "-----END X509 CRL-----\n";
330
331 static const char kBadIssuerCRL[] =
332 "-----BEGIN X509 CRL-----\n"
333 "MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n"
334 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwN\n"
335 "Tm90IEJvcmluZ1NTTBcNMTYwOTI2MTUxMjQ0WhcNMTYxMDI2MTUxMjQ0WjAVMBMC\n"
336 "AhAAFw0xNjA5MjYxNTEyMjZaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsF\n"
337 "AAOCAQEAlBmjOA3Fs5UCq3GbyPEzHkfAabL0HqOQaCP12btmvIf/z8kcjMGHmjjP\n"
338 "t85dHbI4Ak/G9wtRT4E/j9i5KML+6yfhRyUTUJKIK/kbqgkj06uuYWuFipURlpDB\n"
339 "cm81RzZaMQvmlN5YKfzZV/clLX6mJiXpNQg6zjhj6wBAMI9ZfwVHmCjRqnwVmCUL\n"
340 "TybvuTmkryGBqREwmSbHFFjg5ixG/ztwzON/Ly78aJ8Bql6ktCl9+/gh6VJcoZ0q\n"
341 "L8V8aT8+Ghfi+zrXM8S9BmLQ9n0fQe0wzKrDZh14EK4sb7zmOzFHSxm3eEXyS98g\n"
342 "Od4cjsc3ymNk88S4jpnLRtIVxZB+SQ==\n"
343 "-----END X509 CRL-----\n";
344
345 // kKnownCriticalCRL is kBasicCRL but with a critical issuing distribution point
346 // extension.
347 static const char kKnownCriticalCRL[] =
348 "-----BEGIN X509 CRL-----\n"
349 "MIIBujCBowIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"
350 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"
351 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCEwHzAKBgNV\n"
352 "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+3\n"
353 "i+5e5Ub8sccfgOBs6WVJFI9c8gvJjrJ8/dYfFIAuCyeocs7DFXn1n13CRZ+URR/Q\n"
354 "mVWgU28+xeusuSPYFpd9cyYTcVyNUGNTI3lwgcE/yVjPaOmzSZKdPakApRxtpKKQ\n"
355 "NN/56aQz3bnT/ZSHQNciRB8U6jiD9V30t0w+FDTpGaG+7bzzUH3UVF9xf9Ctp60A\n"
356 "3mfLe0scas7owSt4AEFuj2SPvcE7yvdOXbu+IEv21cEJUVExJAbhvIweHXh6yRW+\n"
357 "7VVeiNzdIjkZjyTmAzoXGha4+wbxXyBRbfH+XWcO/H+8nwyG8Gktdu2QB9S9nnIp\n"
358 "o/1TpfOMSGhMyMoyPrk=\n"
359 "-----END X509 CRL-----\n";
360
361 // kUnknownCriticalCRL is kBasicCRL but with an unknown critical extension.
362 static const char kUnknownCriticalCRL[] =
363 "-----BEGIN X509 CRL-----\n"
364 "MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"
365 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"
366 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoCMwITAKBgNV\n"
367 "HRQEAwIBATATBgwqhkiG9xIEAYS3CQABAf8EADANBgkqhkiG9w0BAQsFAAOCAQEA\n"
368 "GvBP0xqL509InMj/3493YVRV+ldTpBv5uTD6jewzf5XdaxEQ/VjTNe5zKnxbpAib\n"
369 "Kf7cwX0PMSkZjx7k7kKdDlEucwVvDoqC+O9aJcqVmM6GDyNb9xENxd0XCXja6MZC\n"
370 "yVgP4AwLauB2vSiEprYJyI1APph3iAEeDm60lTXX/wBM/tupQDDujKh2GPyvBRfJ\n"
371 "+wEDwGg3ICwvu4gO4zeC5qnFR+bpL9t5tOMAQnVZ0NWv+k7mkd2LbHdD44dxrfXC\n"
372 "nhtfERx99SDmC/jtUAJrGhtCO8acr7exCeYcduN7KKCm91OeCJKK6OzWst0Og1DB\n"
373 "kwzzU2rL3G65CrZ7H0SZsQ==\n"
374 "-----END X509 CRL-----\n";
375
376 // kUnknownCriticalCRL2 is kBasicCRL but with a critical issuing distribution
377 // point extension followed by an unknown critical extension
378 static const char kUnknownCriticalCRL2[] =
379 "-----BEGIN X509 CRL-----\n"
380 "MIIBzzCBuAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n"
381 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzESMBAGA1UECgwJ\n"
382 "Qm9yaW5nU1NMFw0xNjA5MjYxNTEwNTVaFw0xNjEwMjYxNTEwNTVaoDYwNDAKBgNV\n"
383 "HRQEAwIBATARBgNVHRwBAf8EBzAFoQMBAf8wEwYMKoZIhvcSBAGEtwkAAQH/BAAw\n"
384 "DQYJKoZIhvcNAQELBQADggEBACTcpQC8jXL12JN5YzOcQ64ubQIe0XxRAd30p7qB\n"
385 "BTXGpgqBjrjxRfLms7EBYodEXB2oXMsDq3km0vT1MfYdsDD05S+SQ9CDsq/pUfaC\n"
386 "E2WNI5p8WircRnroYvbN2vkjlRbMd1+yNITohXYXCJwjEOAWOx3XIM10bwPYBv4R\n"
387 "rDobuLHoMgL3yHgMHmAkP7YpkBucNqeBV8cCdeAZLuhXFWi6yfr3r/X18yWbC/r2\n"
388 "2xXdkrSqXLFo7ToyP8YKTgiXpya4x6m53biEYwa2ULlas0igL6DK7wjYZX95Uy7H\n"
389 "GKljn9weIYiMPV/BzGymwfv2EW0preLwtyJNJPaxbdin6Jc=\n"
390 "-----END X509 CRL-----\n";
391
392 // CertFromPEM parses the given, NUL-terminated pem block and returns an
393 // |X509*|.
CertFromPEM(const char * pem)394 static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
395 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
396 return bssl::UniquePtr<X509>(
397 PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
398 }
399
400 // CRLFromPEM parses the given, NUL-terminated pem block and returns an
401 // |X509_CRL*|.
CRLFromPEM(const char * pem)402 static bssl::UniquePtr<X509_CRL> CRLFromPEM(const char *pem) {
403 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
404 return bssl::UniquePtr<X509_CRL>(
405 PEM_read_bio_X509_CRL(bio.get(), nullptr, nullptr, nullptr));
406 }
407
408 // PrivateKeyFromPEM parses the given, NUL-terminated pem block and returns an
409 // |EVP_PKEY*|.
PrivateKeyFromPEM(const char * pem)410 static bssl::UniquePtr<EVP_PKEY> PrivateKeyFromPEM(const char *pem) {
411 bssl::UniquePtr<BIO> bio(
412 BIO_new_mem_buf(const_cast<char *>(pem), strlen(pem)));
413 return bssl::UniquePtr<EVP_PKEY>(
414 PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
415 }
416
417 // CertsToStack converts a vector of |X509*| to an OpenSSL STACK_OF(X509),
418 // bumping the reference counts for each certificate in question.
CertsToStack(const std::vector<X509 * > & certs)419 static bssl::UniquePtr<STACK_OF(X509)> CertsToStack(
420 const std::vector<X509 *> &certs) {
421 bssl::UniquePtr<STACK_OF(X509)> stack(sk_X509_new_null());
422 if (!stack) {
423 return nullptr;
424 }
425 for (auto cert : certs) {
426 if (!sk_X509_push(stack.get(), cert)) {
427 return nullptr;
428 }
429 X509_up_ref(cert);
430 }
431
432 return stack;
433 }
434
435 // CRLsToStack converts a vector of |X509_CRL*| to an OpenSSL
436 // STACK_OF(X509_CRL), bumping the reference counts for each CRL in question.
CRLsToStack(const std::vector<X509_CRL * > & crls)437 static bssl::UniquePtr<STACK_OF(X509_CRL)> CRLsToStack(
438 const std::vector<X509_CRL *> &crls) {
439 bssl::UniquePtr<STACK_OF(X509_CRL)> stack(sk_X509_CRL_new_null());
440 if (!stack) {
441 return nullptr;
442 }
443 for (auto crl : crls) {
444 if (!sk_X509_CRL_push(stack.get(), crl)) {
445 return nullptr;
446 }
447 X509_CRL_up_ref(crl);
448 }
449
450 return stack;
451 }
452
Verify(X509 * leaf,const std::vector<X509 * > & roots,const std::vector<X509 * > & intermediates,const std::vector<X509_CRL * > & crls,unsigned long flags,bool use_additional_untrusted)453 static int Verify(X509 *leaf, const std::vector<X509 *> &roots,
454 const std::vector<X509 *> &intermediates,
455 const std::vector<X509_CRL *> &crls,
456 unsigned long flags,
457 bool use_additional_untrusted) {
458 bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));
459 bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(
460 CertsToStack(intermediates));
461 bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls));
462
463 if (!roots_stack ||
464 !intermediates_stack ||
465 !crls_stack) {
466 return X509_V_ERR_UNSPECIFIED;
467 }
468
469 bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
470 bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
471 if (!ctx ||
472 !store) {
473 return X509_V_ERR_UNSPECIFIED;
474 }
475
476 if (use_additional_untrusted) {
477 X509_STORE_set0_additional_untrusted(store.get(),
478 intermediates_stack.get());
479 }
480
481 if (!X509_STORE_CTX_init(
482 ctx.get(), store.get(), leaf,
483 use_additional_untrusted ? nullptr : intermediates_stack.get())) {
484 return X509_V_ERR_UNSPECIFIED;
485 }
486
487 X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get());
488 X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get());
489
490 X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
491 if (param == nullptr) {
492 return X509_V_ERR_UNSPECIFIED;
493 }
494 X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */);
495 X509_VERIFY_PARAM_set_depth(param, 16);
496 if (flags) {
497 X509_VERIFY_PARAM_set_flags(param, flags);
498 }
499 X509_STORE_CTX_set0_param(ctx.get(), param);
500
501 ERR_clear_error();
502 if (X509_verify_cert(ctx.get()) != 1) {
503 return X509_STORE_CTX_get_error(ctx.get());
504 }
505
506 return X509_V_OK;
507 }
508
Verify(X509 * leaf,const std::vector<X509 * > & roots,const std::vector<X509 * > & intermediates,const std::vector<X509_CRL * > & crls,unsigned long flags=0)509 static int Verify(X509 *leaf, const std::vector<X509 *> &roots,
510 const std::vector<X509 *> &intermediates,
511 const std::vector<X509_CRL *> &crls,
512 unsigned long flags = 0) {
513 const int r1 = Verify(leaf, roots, intermediates, crls, flags, false);
514 const int r2 = Verify(leaf, roots, intermediates, crls, flags, true);
515
516 if (r1 != r2) {
517 fprintf(stderr,
518 "Verify with, and without, use_additional_untrusted gave different "
519 "results: %d vs %d.\n",
520 r1, r2);
521 return false;
522 }
523
524 return r1;
525 }
526
TestVerify()527 static bool TestVerify() {
528 bssl::UniquePtr<X509> cross_signing_root(CertFromPEM(kCrossSigningRootPEM));
529 bssl::UniquePtr<X509> root(CertFromPEM(kRootCAPEM));
530 bssl::UniquePtr<X509> root_cross_signed(CertFromPEM(kRootCrossSignedPEM));
531 bssl::UniquePtr<X509> intermediate(CertFromPEM(kIntermediatePEM));
532 bssl::UniquePtr<X509> intermediate_self_signed(
533 CertFromPEM(kIntermediateSelfSignedPEM));
534 bssl::UniquePtr<X509> leaf(CertFromPEM(kLeafPEM));
535 bssl::UniquePtr<X509> leaf_no_key_usage(CertFromPEM(kLeafNoKeyUsagePEM));
536 bssl::UniquePtr<X509> forgery(CertFromPEM(kForgeryPEM));
537
538 if (!cross_signing_root ||
539 !root ||
540 !root_cross_signed ||
541 !intermediate ||
542 !intermediate_self_signed ||
543 !leaf ||
544 !leaf_no_key_usage ||
545 !forgery) {
546 fprintf(stderr, "Failed to parse certificates\n");
547 return false;
548 }
549
550 std::vector<X509*> empty;
551 std::vector<X509_CRL*> empty_crls;
552 if (Verify(leaf.get(), empty, empty, empty_crls) !=
553 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
554 fprintf(stderr, "Leaf verified with no roots!\n");
555 return false;
556 }
557
558 if (Verify(leaf.get(), empty, {intermediate.get()}, empty_crls) !=
559 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
560 fprintf(stderr, "Leaf verified with no roots!\n");
561 return false;
562 }
563
564 if (Verify(leaf.get(), {root.get()}, {intermediate.get()}, empty_crls) !=
565 X509_V_OK) {
566 ERR_print_errors_fp(stderr);
567 fprintf(stderr, "Basic chain didn't verify.\n");
568 return false;
569 }
570
571 if (Verify(leaf.get(), {cross_signing_root.get()},
572 {intermediate.get(), root_cross_signed.get()},
573 empty_crls) != X509_V_OK) {
574 ERR_print_errors_fp(stderr);
575 fprintf(stderr, "Cross-signed chain didn't verify.\n");
576 return false;
577 }
578
579 if (Verify(leaf.get(), {cross_signing_root.get(), root.get()},
580 {intermediate.get(), root_cross_signed.get()},
581 empty_crls) != X509_V_OK) {
582 ERR_print_errors_fp(stderr);
583 fprintf(stderr, "Cross-signed chain with root didn't verify.\n");
584 return false;
585 }
586
587 /* This is the “altchains” test – we remove the cross-signing CA but include
588 * the cross-sign in the intermediates. */
589 if (Verify(leaf.get(), {root.get()},
590 {intermediate.get(), root_cross_signed.get()},
591 empty_crls) != X509_V_OK) {
592 ERR_print_errors_fp(stderr);
593 fprintf(stderr, "Chain with cross-sign didn't backtrack to find root.\n");
594 return false;
595 }
596
597 if (Verify(leaf.get(), {root.get()},
598 {intermediate.get(), root_cross_signed.get()}, empty_crls,
599 X509_V_FLAG_NO_ALT_CHAINS) !=
600 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
601 fprintf(stderr, "Altchains test still passed when disabled.\n");
602 return false;
603 }
604
605 if (Verify(forgery.get(), {intermediate_self_signed.get()},
606 {leaf_no_key_usage.get()},
607 empty_crls) != X509_V_ERR_INVALID_CA) {
608 fprintf(stderr, "Basic constraints weren't checked.\n");
609 return false;
610 }
611
612 /* Test that one cannot skip Basic Constraints checking with a contorted set
613 * of roots and intermediates. This is a regression test for CVE-2015-1793. */
614 if (Verify(forgery.get(),
615 {intermediate_self_signed.get(), root_cross_signed.get()},
616 {leaf_no_key_usage.get(), intermediate.get()},
617 empty_crls) != X509_V_ERR_INVALID_CA) {
618 fprintf(stderr, "Basic constraints weren't checked.\n");
619 return false;
620 }
621
622 return true;
623 }
624
TestCRL()625 static bool TestCRL() {
626 bssl::UniquePtr<X509> root(CertFromPEM(kCRLTestRoot));
627 bssl::UniquePtr<X509> leaf(CertFromPEM(kCRLTestLeaf));
628 bssl::UniquePtr<X509_CRL> basic_crl(CRLFromPEM(kBasicCRL));
629 bssl::UniquePtr<X509_CRL> revoked_crl(CRLFromPEM(kRevokedCRL));
630 bssl::UniquePtr<X509_CRL> bad_issuer_crl(CRLFromPEM(kBadIssuerCRL));
631 bssl::UniquePtr<X509_CRL> known_critical_crl(CRLFromPEM(kKnownCriticalCRL));
632 bssl::UniquePtr<X509_CRL> unknown_critical_crl(
633 CRLFromPEM(kUnknownCriticalCRL));
634 bssl::UniquePtr<X509_CRL> unknown_critical_crl2(
635 CRLFromPEM(kUnknownCriticalCRL2));
636
637 if (!root ||
638 !leaf ||
639 !basic_crl ||
640 !revoked_crl ||
641 !bad_issuer_crl ||
642 !known_critical_crl ||
643 !unknown_critical_crl ||
644 !unknown_critical_crl2) {
645 fprintf(stderr, "Failed to parse certificates and CRLs.\n");
646 return false;
647 }
648
649 if (Verify(leaf.get(), {root.get()}, {root.get()}, {basic_crl.get()},
650 X509_V_FLAG_CRL_CHECK) != X509_V_OK) {
651 fprintf(stderr, "Cert with CRL didn't verify.\n");
652 return false;
653 }
654
655 if (Verify(leaf.get(), {root.get()}, {root.get()},
656 {basic_crl.get(), revoked_crl.get()},
657 X509_V_FLAG_CRL_CHECK) != X509_V_ERR_CERT_REVOKED) {
658 fprintf(stderr, "Revoked CRL wasn't checked.\n");
659 return false;
660 }
661
662 std::vector<X509_CRL *> empty_crls;
663 if (Verify(leaf.get(), {root.get()}, {root.get()}, empty_crls,
664 X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) {
665 fprintf(stderr, "CRLs were not required.\n");
666 return false;
667 }
668
669 if (Verify(leaf.get(), {root.get()}, {root.get()}, {bad_issuer_crl.get()},
670 X509_V_FLAG_CRL_CHECK) != X509_V_ERR_UNABLE_TO_GET_CRL) {
671 fprintf(stderr, "Bad CRL issuer was unnoticed.\n");
672 return false;
673 }
674
675 if (Verify(leaf.get(), {root.get()}, {root.get()}, {known_critical_crl.get()},
676 X509_V_FLAG_CRL_CHECK) != X509_V_OK) {
677 fprintf(stderr, "CRL with known critical extension was rejected.\n");
678 return false;
679 }
680
681 if (Verify(leaf.get(), {root.get()}, {root.get()},
682 {unknown_critical_crl.get()}, X509_V_FLAG_CRL_CHECK) !=
683 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) {
684 fprintf(stderr, "CRL with unknown critical extension was accepted.\n");
685 return false;
686 }
687
688 if (Verify(leaf.get(), {root.get()}, {root.get()},
689 {unknown_critical_crl2.get()}, X509_V_FLAG_CRL_CHECK) !=
690 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) {
691 fprintf(stderr, "CRL with unknown critical extension (2) was accepted.\n");
692 return false;
693 }
694
695 return true;
696 }
697
TestPSS()698 static bool TestPSS() {
699 bssl::UniquePtr<X509> cert(CertFromPEM(kExamplePSSCert));
700 if (!cert) {
701 return false;
702 }
703
704 bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));
705 if (!pkey) {
706 return false;
707 }
708
709 if (!X509_verify(cert.get(), pkey.get())) {
710 fprintf(stderr, "Could not verify certificate.\n");
711 return false;
712 }
713 return true;
714 }
715
TestBadPSSParameters()716 static bool TestBadPSSParameters() {
717 bssl::UniquePtr<X509> cert(CertFromPEM(kBadPSSCertPEM));
718 if (!cert) {
719 return false;
720 }
721
722 bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));
723 if (!pkey) {
724 return false;
725 }
726
727 if (X509_verify(cert.get(), pkey.get())) {
728 fprintf(stderr, "Unexpectedly verified bad certificate.\n");
729 return false;
730 }
731 ERR_clear_error();
732 return true;
733 }
734
SignatureRoundTrips(EVP_MD_CTX * md_ctx,EVP_PKEY * pkey)735 static bool SignatureRoundTrips(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {
736 // Make a certificate like signed with |md_ctx|'s settings.'
737 bssl::UniquePtr<X509> cert(CertFromPEM(kLeafPEM));
738 if (!cert || !X509_sign_ctx(cert.get(), md_ctx)) {
739 return false;
740 }
741
742 // Ensure that |pkey| may still be used to verify the resulting signature. All
743 // settings in |md_ctx| must have been serialized appropriately.
744 return !!X509_verify(cert.get(), pkey);
745 }
746
TestSignCtx()747 static bool TestSignCtx() {
748 bssl::UniquePtr<EVP_PKEY> pkey(PrivateKeyFromPEM(kRSAKey));
749 if (!pkey) {
750 return false;
751 }
752
753 // Test PKCS#1 v1.5.
754 bssl::ScopedEVP_MD_CTX md_ctx;
755 if (!EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||
756 !SignatureRoundTrips(md_ctx.get(), pkey.get())) {
757 fprintf(stderr, "RSA PKCS#1 with SHA-256 failed\n");
758 return false;
759 }
760
761 // Test RSA-PSS with custom parameters.
762 md_ctx.Reset();
763 EVP_PKEY_CTX *pkey_ctx;
764 if (!EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,
765 pkey.get()) ||
766 !EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) ||
767 !EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) ||
768 !SignatureRoundTrips(md_ctx.get(), pkey.get())) {
769 fprintf(stderr, "RSA-PSS failed\n");
770 return false;
771 }
772
773 return true;
774 }
775
PEMToDER(bssl::UniquePtr<uint8_t> * out,size_t * out_len,const char * pem)776 static bool PEMToDER(bssl::UniquePtr<uint8_t> *out, size_t *out_len,
777 const char *pem) {
778 bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(pem, strlen(pem)));
779 if (!bio) {
780 return false;
781 }
782
783 char *name, *header;
784 uint8_t *data;
785 long data_len;
786 if (!PEM_read_bio(bio.get(), &name, &header, &data, &data_len)) {
787 fprintf(stderr, "failed to read PEM data.\n");
788 return false;
789 }
790 OPENSSL_free(name);
791 OPENSSL_free(header);
792
793 out->reset(data);
794 *out_len = data_len;
795
796 return true;
797 }
798
TestFromBuffer()799 static bool TestFromBuffer() {
800 size_t data_len;
801 bssl::UniquePtr<uint8_t> data;
802 if (!PEMToDER(&data, &data_len, kRootCAPEM)) {
803 return false;
804 }
805
806 bssl::UniquePtr<CRYPTO_BUFFER> buf(
807 CRYPTO_BUFFER_new(data.get(), data_len, nullptr));
808 if (!buf) {
809 return false;
810 }
811
812 bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));
813 if (!root) {
814 return false;
815 }
816
817 const uint8_t *enc_pointer = root->cert_info->enc.enc;
818 const uint8_t *buf_pointer = CRYPTO_BUFFER_data(buf.get());
819 if (enc_pointer < buf_pointer ||
820 enc_pointer >= buf_pointer + CRYPTO_BUFFER_len(buf.get())) {
821 fprintf(stderr, "TestFromBuffer: enc does not alias the buffer.\n");
822 return false;
823 }
824
825 buf.reset();
826
827 /* This ensures the X509 took a reference to |buf|, otherwise this will be a
828 * reference to free memory and ASAN should notice. */
829 if (enc_pointer[0] != CBS_ASN1_SEQUENCE) {
830 fprintf(stderr, "TestFromBuffer: enc data is not a SEQUENCE.\n");
831 return false;
832 }
833
834 return true;
835 }
836
TestFromBufferTrailingData()837 static bool TestFromBufferTrailingData() {
838 size_t data_len;
839 bssl::UniquePtr<uint8_t> data;
840 if (!PEMToDER(&data, &data_len, kRootCAPEM)) {
841 return false;
842 }
843
844 std::unique_ptr<uint8_t[]> trailing_data(new uint8_t[data_len + 1]);
845 OPENSSL_memcpy(trailing_data.get(), data.get(), data_len);
846
847 bssl::UniquePtr<CRYPTO_BUFFER> buf_trailing_data(
848 CRYPTO_BUFFER_new(trailing_data.get(), data_len + 1, nullptr));
849 if (!buf_trailing_data) {
850 return false;
851 }
852
853 bssl::UniquePtr<X509> root_trailing_data(
854 X509_parse_from_buffer(buf_trailing_data.get()));
855 if (root_trailing_data) {
856 fprintf(stderr, "TestFromBuffer: trailing data was not rejected.\n");
857 return false;
858 }
859
860 return true;
861 }
862
TestFromBufferModified()863 static bool TestFromBufferModified() {
864 size_t data_len;
865 bssl::UniquePtr<uint8_t> data;
866 if (!PEMToDER(&data, &data_len, kRootCAPEM)) {
867 return false;
868 }
869
870 bssl::UniquePtr<CRYPTO_BUFFER> buf(
871 CRYPTO_BUFFER_new(data.get(), data_len, nullptr));
872 if (!buf) {
873 return false;
874 }
875
876 bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));
877 if (!root) {
878 return false;
879 }
880
881 bssl::UniquePtr<ASN1_INTEGER> fourty_two(ASN1_INTEGER_new());
882 ASN1_INTEGER_set(fourty_two.get(), 42);
883 X509_set_serialNumber(root.get(), fourty_two.get());
884
885 if (i2d_X509(root.get(), nullptr) != static_cast<long>(data_len)) {
886 fprintf(stderr,
887 "TestFromBufferModified: i2d_X509 gives different answer before "
888 "marking as modified.\n");
889 return false;
890 }
891
892 X509_CINF_set_modified(root->cert_info);
893
894 if (i2d_X509(root.get(), nullptr) == static_cast<long>(data_len)) {
895 fprintf(stderr,
896 "TestFromBufferModified: i2d_X509 gives same answer after marking "
897 "as modified.\n");
898 return false;
899 }
900
901 return true;
902 }
903
TestFromBufferReused()904 static bool TestFromBufferReused() {
905 size_t data_len;
906 bssl::UniquePtr<uint8_t> data;
907 if (!PEMToDER(&data, &data_len, kRootCAPEM)) {
908 return false;
909 }
910
911 bssl::UniquePtr<CRYPTO_BUFFER> buf(
912 CRYPTO_BUFFER_new(data.get(), data_len, nullptr));
913 if (!buf) {
914 return false;
915 }
916
917 bssl::UniquePtr<X509> root(X509_parse_from_buffer(buf.get()));
918 if (!root) {
919 return false;
920 }
921
922 size_t data2_len;
923 bssl::UniquePtr<uint8_t> data2;
924 if (!PEMToDER(&data2, &data2_len, kLeafPEM)) {
925 return false;
926 }
927
928 X509 *x509p = root.get();
929 const uint8_t *inp = data2.get();
930 X509 *ret = d2i_X509(&x509p, &inp, data2_len);
931 if (ret != root.get()) {
932 fprintf(stderr,
933 "TestFromBufferReused: d2i_X509 parsed into a different object.\n");
934 return false;
935 }
936
937 if (root->buf != nullptr) {
938 fprintf(stderr,
939 "TestFromBufferReused: d2i_X509 didn't clear |buf| pointer.\n");
940 return false;
941 }
942
943 // Free |data2| and ensure that |root| took its own copy. Otherwise the
944 // following will trigger a use-after-free.
945 data2.reset();
946
947 uint8_t *i2d = nullptr;
948 int i2d_len = i2d_X509(root.get(), &i2d);
949 if (i2d_len < 0) {
950 return false;
951 }
952 bssl::UniquePtr<uint8_t> i2d_storage(i2d);
953
954 if (!PEMToDER(&data2, &data2_len, kLeafPEM)) {
955 return false;
956 }
957 if (i2d_len != static_cast<long>(data2_len) ||
958 OPENSSL_memcmp(data2.get(), i2d, i2d_len) != 0) {
959 fprintf(stderr, "TestFromBufferReused: i2d gave wrong result.\n");
960 return false;
961 }
962
963 if (root->buf != NULL) {
964 fprintf(stderr, "TestFromBufferReused: X509.buf was not cleared.\n");
965 return false;
966 }
967
968 return true;
969 }
970
TestFailedParseFromBuffer()971 static bool TestFailedParseFromBuffer() {
972 static const uint8_t kNonsense[] = {1, 2, 3, 4, 5};
973
974 bssl::UniquePtr<CRYPTO_BUFFER> buf(
975 CRYPTO_BUFFER_new(kNonsense, sizeof(kNonsense), nullptr));
976 if (!buf) {
977 return false;
978 }
979
980 bssl::UniquePtr<X509> cert(X509_parse_from_buffer(buf.get()));
981 if (cert) {
982 fprintf(stderr, "Nonsense somehow parsed.\n");
983 return false;
984 }
985 ERR_clear_error();
986
987 // Test a buffer with trailing data.
988 size_t data_len;
989 bssl::UniquePtr<uint8_t> data;
990 if (!PEMToDER(&data, &data_len, kRootCAPEM)) {
991 return false;
992 }
993
994 std::unique_ptr<uint8_t[]> data_with_trailing_byte(new uint8_t[data_len + 1]);
995 OPENSSL_memcpy(data_with_trailing_byte.get(), data.get(), data_len);
996 data_with_trailing_byte[data_len] = 0;
997
998 bssl::UniquePtr<CRYPTO_BUFFER> buf_with_trailing_byte(
999 CRYPTO_BUFFER_new(data_with_trailing_byte.get(), data_len + 1, nullptr));
1000 if (!buf_with_trailing_byte) {
1001 return false;
1002 }
1003
1004 bssl::UniquePtr<X509> root(
1005 X509_parse_from_buffer(buf_with_trailing_byte.get()));
1006 if (root) {
1007 fprintf(stderr, "Parsed buffer with trailing byte.\n");
1008 return false;
1009 }
1010 ERR_clear_error();
1011
1012 return true;
1013 }
1014
TestPrintUTCTIME()1015 static bool TestPrintUTCTIME() {
1016 static const struct {
1017 const char *val, *want;
1018 } asn1_utctime_tests[] = {
1019 {"", "Bad time value"},
1020
1021 // Correct RFC 5280 form. Test years < 2000 and > 2000.
1022 {"090303125425Z", "Mar 3 12:54:25 2009 GMT"},
1023 {"900303125425Z", "Mar 3 12:54:25 1990 GMT"},
1024 {"000303125425Z", "Mar 3 12:54:25 2000 GMT"},
1025
1026 // Correct form, bad values.
1027 {"000000000000Z", "Bad time value"},
1028 {"999999999999Z", "Bad time value"},
1029
1030 // Missing components. Not legal RFC 5280, but permitted.
1031 {"090303125425", "Mar 3 12:54:25 2009"},
1032 {"9003031254", "Mar 3 12:54:00 1990"},
1033 {"9003031254Z", "Mar 3 12:54:00 1990 GMT"},
1034
1035 // GENERALIZEDTIME confused for UTCTIME.
1036 {"20090303125425Z", "Bad time value"},
1037
1038 // Legal ASN.1, but not legal RFC 5280.
1039 {"9003031254+0800", "Bad time value"},
1040 {"9003031254-0800", "Bad time value"},
1041
1042 // Trailing garbage.
1043 {"9003031254Z ", "Bad time value"},
1044 };
1045
1046 for (auto t : asn1_utctime_tests) {
1047 bssl::UniquePtr<ASN1_UTCTIME> tm(ASN1_UTCTIME_new());
1048 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
1049
1050 // Use this instead of ASN1_UTCTIME_set() because some callers get
1051 // type-confused and pass ASN1_GENERALIZEDTIME to ASN1_UTCTIME_print().
1052 // ASN1_UTCTIME_set_string() is stricter, and would reject the inputs in
1053 // question.
1054 if (!ASN1_STRING_set(tm.get(), t.val, strlen(t.val))) {
1055 fprintf(stderr, "ASN1_STRING_set\n");
1056 return false;
1057 }
1058 const int ok = ASN1_UTCTIME_print(bio.get(), tm.get());
1059
1060 const uint8_t *contents;
1061 size_t len;
1062 if (!BIO_mem_contents(bio.get(), &contents, &len)) {
1063 fprintf(stderr, "BIO_mem_contents\n");
1064 return false;
1065 }
1066
1067 if (ok != (strcmp(t.want, "Bad time value") != 0)) {
1068 fprintf(stderr, "ASN1_UTCTIME_print(%s): bad return value\n", t.val);
1069 return false;
1070 }
1071 if (len != strlen(t.want) || memcmp(contents, t.want, len)) {
1072 fprintf(stderr, "ASN1_UTCTIME_print(%s): got %.*s, want %s\n", t.val,
1073 static_cast<int>(len),
1074 reinterpret_cast<const char *>(contents), t.want);
1075 return false;
1076 }
1077 }
1078
1079 return true;
1080 }
1081
main()1082 int main() {
1083 CRYPTO_library_init();
1084
1085 if (!TestVerify() ||
1086 !TestCRL() ||
1087 !TestPSS() ||
1088 !TestBadPSSParameters() ||
1089 !TestSignCtx() ||
1090 !TestFromBuffer() ||
1091 !TestFromBufferTrailingData() ||
1092 !TestFromBufferModified() ||
1093 !TestFromBufferReused() ||
1094 !TestFailedParseFromBuffer() ||
1095 !TestPrintUTCTIME()) {
1096 return 1;
1097 }
1098
1099 printf("PASS\n");
1100 return 0;
1101 }
1102