//
// Pkits_4_05_VerifyingPathWithSelfIssuedCertificates.cs -
//	NUnit tests for Pkits 4.5 : Verifying Path With Self Issued Certificates
//
// Author:
//	Sebastien Pouliot <sebastien@ximian.com>
//
// Copyright (C) 2006 Novell, Inc (http://www.novell.com)
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to
// permit persons to whom the Software is furnished to do so, subject to
// the following conditions:
//
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
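//

using NUnit.Framework;

using System;
using System.Security.Cryptography.X509Certificates;

namespace MonoTests.System.Security.Cryptography.X509Certificates {

	/*
	 * See PkitsTest.cs for more details
	 */

	// PKITS section 4.5: certification paths that contain self-issued
	// certificates - a CA certifying its new key with its old key (and the
	// reverse), and a CA delegating CRL signing to a separate self-issued
	// certificate.
	//
	// Each test case exists in two variants:
	//  * the RFC 3280 compliant expectation ([Category ("NotDotNet")]),
	//    which is what Mono's X509Chain is expected to produce;
	//  * the "_MS" variant ([Category ("NotWorking")], WONTFIX), recording
	//    what the Microsoft implementation actually returns.
	// In the _MS variants the revoked end-entity certificates of T2, T5 and
	// T7 are reported as RevocationStatusUnknown rather than Revoked, i.e.
	// the revocation is not detected once the issuing CA has rolled over
	// its key. Consumers that only look at chain.Build () will still reject
	// the certificate, but for a different reason than the RFC requires.
	[TestFixture]
	[Category ("PKITS")]
	public class Pkits_4_05_VerifyingPathWithSelfIssuedCertificates: PkitsTest {

		// TODO - incomplete

		public X509Certificate2 BasicSelfIssuedNewKeyCACert {
			get { return GetCertificate ("BasicSelfIssuedNewKeyCACert.crt"); }
		}

		public X509Certificate2 BasicSelfIssuedNewKeyOldWithNewCACert {
			get { return GetCertificate ("BasicSelfIssuedNewKeyOldWithNewCACert.crt"); }
		}

		public X509Certificate2 BasicSelfIssuedOldKeyCACert {
			get { return GetCertificate ("BasicSelfIssuedOldKeyCACert.crt"); }
		}

		public X509Certificate2 BasicSelfIssuedOldKeyNewWithOldCACert {
			get { return GetCertificate ("BasicSelfIssuedOldKeyNewWithOldCACert.crt"); }
		}

		public X509Certificate2 BasicSelfIssuedCRLSigningKeyCACert {
			get { return GetCertificate ("BasicSelfIssuedCRLSigningKeyCACert.crt"); }
		}

		public X509Certificate2 BasicSelfIssuedCRLSigningKeyCRLCert {
			get { return GetCertificate ("BasicSelfIssuedCRLSigningKeyCRLCert.crt"); }
		}

		// Asserts that chain element 'index' holds 'expected' and reports
		// exactly 'status'. 'name' is used for the assertion messages
		// ("<name>" for the certificate, "<name>.Status" for the element
		// status). Centralised so the message always matches the
		// certificate actually being checked.
		private void AssertElement (X509Chain chain, int index, X509Certificate2 expected, X509ChainStatusFlags status, string name)
		{
			Assert.AreEqual (expected, chain.ChainElements [index].Certificate, name);
			CheckChainStatus (status, chain.ChainElements [index].ChainElementStatus, name + ".Status");
		}

		// 4.5.1 - EE signed with the new CA key; the path goes through the
		// self-issued "old with new" certificate up to the old key and
		// then the trust anchor.
		[Test]
		[Category ("NotDotNet")] // test case is RFC3280 compliant
		public void T1_ValidBasicSelfIssuedOldWithNew ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedOldWithNewTest1EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsTrue (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
			AssertElement (chain, 0, ee, X509ChainStatusFlags.NoError, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedNewKeyOldWithNewCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedNewKeyOldWithNewCACert");
			AssertElement (chain, 2, BasicSelfIssuedNewKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedNewKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}

		[Test]
		[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
		public void T1_ValidBasicSelfIssuedOldWithNew_MS ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedOldWithNewTest1EE.crt");
			X509Chain chain = new X509Chain ();

			// MS-BAD / this is valid wrt RFC3280
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
			Assert.AreEqual (ee, chain.ChainElements [0].Certificate, "EndEntity");
			// Chain order is bad - it's not worth checking further
		}

		// 4.5.2 - same path as T1 but the EE has been revoked; the
		// revocation must be reported on the EE element only.
		[Test]
		[Category ("NotDotNet")] // test case is RFC3280 compliant
		public void T2_InvalidBasicSelfIssuedOldWithNew ()
		{
			X509Certificate2 ee = GetCertificate ("InvalidBasicSelfIssuedOldWithNewTest2EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsFalse (chain.Build (ee), "Build");
			// certificate is revoked
			CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
			AssertElement (chain, 0, ee, X509ChainStatusFlags.Revoked, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedNewKeyOldWithNewCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedNewKeyOldWithNewCACert");
			AssertElement (chain, 2, BasicSelfIssuedNewKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedNewKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}

		[Test]
		[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
		public void T2_InvalidBasicSelfIssuedOldWithNew_MS ()
		{
			X509Certificate2 ee = GetCertificate ("InvalidBasicSelfIssuedOldWithNewTest2EE.crt");
			X509Chain chain = new X509Chain ();

			// MS-BAD / this is valid wrt RFC3280
			// (the EE is revoked, but MS reports RevocationStatusUnknown)
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
			Assert.AreEqual (ee, chain.ChainElements [0].Certificate, "EndEntity");
			// Chain order is bad - it's not worth checking further
		}

		// 4.5.3 - EE signed with the old CA key; the path goes through the
		// self-issued "new with old" certificate.
		[Test]
		[Category ("NotDotNet")] // test case is RFC3280 compliant
		public void T3_ValidBasicSelfIssuedNewWithOld ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedNewWithOldTest3EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsTrue (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
			AssertElement (chain, 0, ee, X509ChainStatusFlags.NoError, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedOldKeyNewWithOldCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedOldKeyNewWithOldCACert");
			AssertElement (chain, 2, BasicSelfIssuedOldKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedOldKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}

		[Test]
		[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
		public void T3_ValidBasicSelfIssuedNewWithOld_MS ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedNewWithOldTest3EE.crt");
			X509Chain chain = new X509Chain ();

			// MS-BAD / this is valid wrt RFC3280
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainStatus, "ChainStatus");
			Assert.AreEqual (ee, chain.ChainElements [0].Certificate, "EndEntity");
			// Chain order is bad - it's not worth checking further
		}

		// 4.5.4 - as T3, but the CRL is signed with a different CA key than
		// the certificate being checked.
		[Test]
		[Category ("NotDotNet")] // test case is RFC3280 compliant
		[Category ("NotWorking")] // Mono doesn't support using a different CA to sign CRL
		public void T4_ValidBasicSelfIssuedNewWithOld ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedNewWithOldTest4EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsTrue (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
			AssertElement (chain, 0, ee, X509ChainStatusFlags.NoError, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedOldKeyNewWithOldCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedOldKeyNewWithOldCACert");
			AssertElement (chain, 2, BasicSelfIssuedOldKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedOldKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}

		[Test]
		[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
		public void T4_ValidBasicSelfIssuedNewWithOld_MS ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedNewWithOldTest4EE.crt");
			X509Chain chain = new X509Chain ();

			// MS-BAD / this is valid wrt RFC3280
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
			Assert.AreEqual (ee, chain.ChainElements [0].Certificate, "EndEntity");
			// Chain order is bad - it's not worth checking further
		}

		// 4.5.5 - as T4, but the EE has been revoked (in a CRL signed with
		// the other CA key).
		[Test]
		[Category ("NotDotNet")] // test case is RFC3280 compliant
		[Category ("NotWorking")] // Mono doesn't support using a different CA to sign CRL
		public void T5_InvalidBasicSelfIssuedNewWithOld ()
		{
			X509Certificate2 ee = GetCertificate ("InvalidBasicSelfIssuedNewWithOldTest5EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
			AssertElement (chain, 0, ee, X509ChainStatusFlags.Revoked, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedOldKeyNewWithOldCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedOldKeyNewWithOldCACert");
			AssertElement (chain, 2, BasicSelfIssuedOldKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedOldKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}

		[Test]
		[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
		public void T5_InvalidBasicSelfIssuedNewWithOld_MS ()
		{
			X509Certificate2 ee = GetCertificate ("InvalidBasicSelfIssuedNewWithOldTest5EE.crt");
			X509Chain chain = new X509Chain ();

			// MS-BAD / this is valid wrt RFC3280
			// EE certificate has been revoked

			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
			Assert.AreEqual (ee, chain.ChainElements [0].Certificate, "EndEntity");
			// Chain order is bad - it's not worth checking further
		}

		// 4.5.6 - the CA delegates CRL signing to a separate self-issued
		// certificate (BasicSelfIssuedCRLSigningKeyCRLCert).
		[Test]
		[Category ("NotDotNet")] // test case is RFC3280 compliant
		[Category ("NotWorking")] // Mono doesn't support using a different CA to sign CRL
		public void T6_ValidBasicSelfIssuedCRLSigningKey ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsTrue (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
			AssertElement (chain, 0, ee, X509ChainStatusFlags.NoError, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedCRLSigningKeyCRLCert, X509ChainStatusFlags.NoError, "BasicSelfIssuedCRLSigningKeyCRLCert");
			AssertElement (chain, 2, BasicSelfIssuedCRLSigningKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedCRLSigningKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}

		[Test]
		[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
		public void T6_ValidBasicSelfIssuedCRLSigningKey_MS ()
		{
			X509Certificate2 ee = GetCertificate ("ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt");
			X509Chain chain = new X509Chain ();

			// MS-BAD / this is valid wrt RFC3280
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
			Assert.AreEqual (ee, chain.ChainElements [0].Certificate, "EndEntity");
			// Chain order is bad - it's not worth checking further
		}

		// 4.5.7 - as T6, but the EE has been revoked by the delegated
		// CRL-signing certificate.
		[Test]
		[Category ("NotDotNet")] // test case is RFC3280 compliant
		[Category ("NotWorking")] // Mono doesn't support using a different CA to sign CRL
		public void T7_InvalidBasicSelfIssuedCRLSigningKey ()
		{
			X509Certificate2 ee = GetCertificate ("InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
			AssertElement (chain, 0, ee, X509ChainStatusFlags.Revoked, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedCRLSigningKeyCRLCert, X509ChainStatusFlags.NoError, "BasicSelfIssuedCRLSigningKeyCRLCert");
			AssertElement (chain, 2, BasicSelfIssuedCRLSigningKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedCRLSigningKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}

		[Test]
		[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
		public void T7_InvalidBasicSelfIssuedCRLSigningKey_MS ()
		{
			X509Certificate2 ee = GetCertificate ("InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt");
			X509Chain chain = new X509Chain ();

			// MS-BAD / this is valid wrt RFC3280
			// EE certificate has been revoked

			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
			Assert.AreEqual (ee, chain.ChainElements [0].Certificate, "EndEntity");
			// Chain order is bad - it's not worth checking further
		}

		// 4.5.8 - the EE is issued by the CRL-signing certificate, which is
		// not a CA and is not allowed to sign certificates. The failure is
		// therefore attached to element [1] (the CRL-signing certificate),
		// which is what bubbles up into the chain status; the EE element
		// itself carries no error of its own.
		[Test]
		public void T8_InvalidBasicSelfIssuedCRLSigningKey ()
		{
			X509Certificate2 ee = GetCertificate ("InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt");
			X509Chain chain = new X509Chain ();
			Assert.IsFalse (chain.Build (ee), "Build");
			CheckChainStatus (X509ChainStatusFlags.NotValidForUsage | X509ChainStatusFlags.InvalidBasicConstraints, chain.ChainStatus, "ChainStatus");
			// hmmm... NoError ? - yes: the offending certificate is the
			// issuer (element [1]), not the end-entity
			AssertElement (chain, 0, ee, X509ChainStatusFlags.NoError, "EndEntity");
			AssertElement (chain, 1, BasicSelfIssuedCRLSigningKeyCRLCert, X509ChainStatusFlags.NotValidForUsage | X509ChainStatusFlags.InvalidBasicConstraints, "BasicSelfIssuedCRLSigningKeyCRLCert");
			AssertElement (chain, 2, BasicSelfIssuedCRLSigningKeyCACert, X509ChainStatusFlags.NoError, "BasicSelfIssuedCRLSigningKeyCACert");
			AssertElement (chain, 3, TrustAnchorRoot, X509ChainStatusFlags.NoError, "TrustAnchorRoot");
		}
	}
}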