/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This code is made available to you under your choice of the following sets
 * of licensing terms:
 */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
/* Copyright 2016 Mozilla Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
24
25 #include "pkixder.h"
26 #include "pkixgtest.h"
27 #include "pkixutil.h"
28
29 using namespace mozilla::pkix;
30 using namespace mozilla::pkix::test;
31
namespace mozilla { namespace pkix {

// Forward declaration of the function under test. It is declared here, inside
// the library's own namespace, rather than taken from a public header, so the
// tests can call it directly (presumably it is internal to pkixcheck.cpp).
//   endEntityOrCA            role the certificate is being checked in
//   encodedExtendedKeyUsage  contents of the extKeyUsage extension, or nullptr
//                            when the certificate carries no such extension
//   requiredEKU              the key purpose the caller needs
//   trustDomain, notBefore   the tests pass a default trust domain and Now()
extern Result CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
                                    const Input* encodedExtendedKeyUsage,
                                    KeyPurposeId requiredEKU,
                                    TrustDomain& trustDomain, Time notBefore);

} } // namespace mozilla::pkix
40
// Fixture for the hand-written tests below; it only supplies the default trust
// domain that CheckExtendedKeyUsage requires as an argument.
class pkixcheck_CheckExtendedKeyUsage : public ::testing::Test
{
protected:
  DefaultCryptoTrustDomain mTrustDomain;
};
46
// The only rejection these tests expect from CheckExtendedKeyUsage is
// ERROR_INADEQUATE_CERT_TYPE; ASSERT_BAD spells that expectation out once.
#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_CERT_TYPE, x)
48
// tlv_id_kp_OCSPSigning and tlv_id_kp_serverAuth are defined in pkixtestutil.h
50
// Each array below is one complete DER TLV for an OBJECT IDENTIFIER (tag 0x06,
// then the content length, then the encoded arcs), produced by the
// DottedOIDToCode.py invocation quoted above it. They are concatenated
// verbatim into extKeyUsage SEQUENCEs by the test-case macros further down.

// python DottedOIDToCode.py --tlv id-kp-clientAuth 1.3.6.1.5.5.7.3.2
static const uint8_t tlv_id_kp_clientAuth[] = {
  0x06, 0x08,                                      // OID, 8 content bytes
  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02   // 1.3.6.1.5.5.7.3.2
};

// python DottedOIDToCode.py --tlv id-kp-codeSigning 1.3.6.1.5.5.7.3.3
static const uint8_t tlv_id_kp_codeSigning[] = {
  0x06, 0x08,                                      // OID, 8 content bytes
  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03   // 1.3.6.1.5.5.7.3.3
};

// python DottedOIDToCode.py --tlv id_kp_emailProtection 1.3.6.1.5.5.7.3.4
static const uint8_t tlv_id_kp_emailProtection[] = {
  0x06, 0x08,                                      // OID, 8 content bytes
  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04   // 1.3.6.1.5.5.7.3.4
};

// python DottedOIDToCode.py --tlv id-Netscape-stepUp 2.16.840.1.113730.4.1
static const uint8_t tlv_id_Netscape_stepUp[] = {
  0x06, 0x09,                                            // OID, 9 content bytes
  0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01   // 2.16.840.1.113730.4.1
};

// python DottedOIDToCode.py --tlv unknownOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
// An arbitrary private-arc OID that no KeyPurposeId maps to.
static const uint8_t tlv_unknownOID[] = {
  0x06, 0x12,                                      // OID, 18 content bytes
  0x2b, 0x06, 0x01, 0x04, 0x01,                    // 1.3.6.1.4.1
  0xeb, 0x49,                                      // .13769
  0x85, 0x1a, 0x85, 0x1a, 0x85, 0x1a,              // .666.666.666
  0x01, 0x83, 0x74, 0x09, 0x03                     // .1.500.9.3
};

// python DottedOIDToCode.py --tlv anyExtendedKeyUsage 2.5.29.37.0
static const uint8_t tlv_anyExtendedKeyUsage[] = {
  0x06, 0x04,                                      // OID, 4 content bytes
  0x55, 0x1d, 0x25, 0x00                           // 2.5.29.37.0
};
81
TEST_F(pkixcheck_CheckExtendedKeyUsage, none)
{
  // A nullptr Input models a certificate that has no extended key usage
  // extension at all. That is acceptable for every required usage, whether the
  // certificate is a CA or an end-entity, with a single exception: an
  // end-entity cannot be used for id-kp-OCSPSigning without asserting it.

  // Runs CheckExtendedKeyUsage with no EKU extension for the given certificate
  // role and required usage.
  auto checkNoEKU = [this](EndEntityOrCA endEntityOrCA,
                           KeyPurposeId requiredEKU) {
    return CheckExtendedKeyUsage(endEntityOrCA, nullptr, requiredEKU,
                                 mTrustDomain, Now());
  };

  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeEndEntity,
                                KeyPurposeId::anyExtendedKeyUsage));
  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeCA,
                                KeyPurposeId::anyExtendedKeyUsage));

  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeEndEntity,
                                KeyPurposeId::id_kp_serverAuth));
  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeCA,
                                KeyPurposeId::id_kp_serverAuth));

  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeEndEntity,
                                KeyPurposeId::id_kp_clientAuth));
  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeCA,
                                KeyPurposeId::id_kp_clientAuth));

  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeEndEntity,
                                KeyPurposeId::id_kp_codeSigning));
  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeCA,
                                KeyPurposeId::id_kp_codeSigning));

  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeEndEntity,
                                KeyPurposeId::id_kp_emailProtection));
  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeCA,
                                KeyPurposeId::id_kp_emailProtection));

  // The one case a missing extension does not cover: an end-entity must
  // explicitly carry id-kp-OCSPSigning to be an OCSP responder.
  ASSERT_BAD(checkNoEKU(EndEntityOrCA::MustBeEndEntity,
                        KeyPurposeId::id_kp_OCSPSigning));
  ASSERT_EQ(Success, checkNoEKU(EndEntityOrCA::MustBeCA,
                                KeyPurposeId::id_kp_OCSPSigning));
}
130
// A default-constructed Input, used by the "empty" test below to model an
// extKeyUsage extension that is present but has no content.
static const Input empty_null;
132
TEST_F(pkixcheck_CheckExtendedKeyUsage, empty)
{
  // An Input of length zero models an extended key usage extension that is
  // present but has no content. That is syntactically invalid, so it is
  // rejected for end-entities and CAs alike.

  // Runs CheckExtendedKeyUsage for the given role with the given (empty)
  // extension contents, always asking for id-kp-serverAuth.
  auto checkEmptyEKU = [this](EndEntityOrCA endEntityOrCA,
                              const Input* encodedEKU) {
    return CheckExtendedKeyUsage(endEntityOrCA, encodedEKU,
                                 KeyPurposeId::id_kp_serverAuth,
                                 mTrustDomain, Now());
  };

  // First form: a default-constructed Input (empty_null).
  ASSERT_BAD(checkEmptyEKU(EndEntityOrCA::MustBeEndEntity, &empty_null));
  ASSERT_BAD(checkEmptyEKU(EndEntityOrCA::MustBeCA, &empty_null));

  // Second form: an Input that points at real storage but has length 0.
  static const uint8_t dummy = 0x00;
  Input empty_nonnull;
  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
  ASSERT_BAD(checkEmptyEKU(EndEntityOrCA::MustBeEndEntity, &empty_nonnull));
  ASSERT_BAD(checkEmptyEKU(EndEntityOrCA::MustBeCA, &empty_nonnull));
}
154
// One row of the EKU_TESTCASES table: a complete DER-encoded extKeyUsage
// SEQUENCE, the usage the verifier requires, and the result expected when the
// certificate is checked as an end-entity and as a CA respectively.
// Kept a plain aggregate so the rows can be brace-initialized.
struct EKUTestcase
{
  ByteString ekuSEQUENCE;          // DER SEQUENCE of KeyPurposeId OIDs
  KeyPurposeId keyPurposeId;       // usage required by the caller
  Result expectedResultEndEntity;  // result for EndEntityOrCA::MustBeEndEntity
  Result expectedResultCA;         // result for EndEntityOrCA::MustBeCA
};
162
// Parameterized fixture: each EKU_TESTCASES row is run once through the
// EKUTestcase test below, against a default trust domain.
class CheckExtendedKeyUsageTest
  : public ::testing::Test
  , public ::testing::WithParamInterface<EKUTestcase>
{
protected:
  DefaultCryptoTrustDomain mTrustDomain;
};
170
TEST_P(CheckExtendedKeyUsageTest, EKUTestcase)
{
  // Runs one EKU_TESTCASES row: the same encoded extension must yield the
  // row's end-entity result and its CA result.
  const EKUTestcase& testcase = GetParam();

  Input ekuInput;
  ASSERT_EQ(Success, ekuInput.Init(testcase.ekuSEQUENCE.data(),
                                   testcase.ekuSEQUENCE.length()));

  // Checks the row's extension and required usage for the given role.
  auto check = [&](EndEntityOrCA endEntityOrCA) {
    return CheckExtendedKeyUsage(endEntityOrCA, &ekuInput,
                                 testcase.keyPurposeId, mTrustDomain, Now());
  };

  ASSERT_EQ(testcase.expectedResultEndEntity,
            check(EndEntityOrCA::MustBeEndEntity));
  ASSERT_EQ(testcase.expectedResultCA, check(EndEntityOrCA::MustBeCA));
}
186
// Row constructors for EKU_TESTCASES. Each wraps the given OID TLV(s) in a DER
// SEQUENCE and pairs it with the required usage and the expected results, in
// (end-entity, CA) order:
//   *_SUCCESS     accepted for end-entities and CAs
//   *_SUCCESS_CA  rejected for end-entities, accepted for CAs
//   *_FAILURE     rejected for both
// The DOUBLE_* forms concatenate two OID TLVs into one SEQUENCE.
#define SINGLE_EKU_SUCCESS(oidBytes, keyPurposeId) \
  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
    Success, Success }
#define SINGLE_EKU_SUCCESS_CA(oidBytes, keyPurposeId) \
  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
#define SINGLE_EKU_FAILURE(oidBytes, keyPurposeId) \
  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
#define DOUBLE_EKU_SUCCESS(oidBytes1, oidBytes2, keyPurposeId) \
  { TLV(der::SEQUENCE, \
        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
    keyPurposeId, \
    Success, Success }
#define DOUBLE_EKU_SUCCESS_CA(oidBytes1, oidBytes2, keyPurposeId) \
  { TLV(der::SEQUENCE, \
        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
    keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
#define DOUBLE_EKU_FAILURE(oidBytes1, oidBytes2, keyPurposeId) \
  { TLV(der::SEQUENCE, \
        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
    keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
211
// The table driving CheckExtendedKeyUsageTest. It is organised as:
//   1. every single-OID extension, checked against each of the six required
//      usages in the same order (any, serverAuth, clientAuth, codeSigning,
//      emailProtection, OCSPSigning);
//   2. every unordered pair of the eight OIDs (each pair appears once, with the
//      OIDs in the order they are declared above), checked against the same
//      six usages.
// Rows that differ between end-entity and CA are explained inline.
static const EKUTestcase EKU_TESTCASES[] =
{
  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  // For end-entities, if id-kp-OCSPSigning is present, no usage is allowed
  // except OCSPSigning. (This is why the anyExtendedKeyUsage row is CA-only
  // here and in every pair below that contains id-kp-OCSPSigning.)
  SINGLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  // For compatibility, id-Netscape-stepUp is treated as equivalent to
  // id-kp-serverAuth for CAs.
  SINGLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  // An OID that maps to no KeyPurposeId satisfies only anyExtendedKeyUsage.
  SINGLE_EKU_SUCCESS(tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  // The anyExtendedKeyUsage OID inside the extension is not treated as a
  // wildcard: it satisfies only a requirement of anyExtendedKeyUsage.
  SINGLE_EKU_SUCCESS(tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  // Pairs of OIDs. A required usage is satisfied when either OID matches it,
  // subject to the same end-entity OCSPSigning and CA stepUp rules as above.
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  // id-kp-OCSPSigning listed first: the end-entity restriction must not depend
  // on where in the SEQUENCE the OID appears.
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
};
470
// Registers one CheckExtendedKeyUsageTest instance per EKU_TESTCASES row.
INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
                        CheckExtendedKeyUsageTest,
                        ::testing::ValuesIn(EKU_TESTCASES));
474
// One row for the chain tests: the complete extKeyUsage extension (if any) to
// put on the end-entity and on the CA certificate, the usage BuildCertChain is
// asked for, and the result it is expected to return.
// Kept a plain aggregate so the rows can be brace-initialized.
struct EKUChainTestcase
{
  ByteString ekuExtensionEE;  // encoded extension for the end-entity cert
  ByteString ekuExtensionCA;  // encoded extension for the issuing CA cert
  KeyPurposeId keyPurposeId;  // usage required from the chain
  Result expectedResult;      // expected outcome of BuildCertChain
};
482
// Parameterized fixture for the whole-chain EKU tests. It holds no state of
// its own; each test builds its own certificates and trust domain.
class CheckExtendedKeyUsageChainTest
  : public ::testing::Test
  , public ::testing::WithParamInterface<EKUChainTestcase>
{
};
488
// Builds a DER-encoded v3 certificate for the chain tests.
//   issuerCN, subjectCN  common names of the issuer and subject
//   endEntityOrCA        selects the cA flag in the basicConstraints extension
//   encodedEKU           a complete extKeyUsage extension to add verbatim, or
//                        an empty ByteString for none
// The shared test key pair is used both as the subject key and to sign.
// Encoding failures are reported through EXPECT_FALSE; the (possibly empty)
// result is returned regardless.
static ByteString
CreateCert(const char* issuerCN, const char* subjectCN,
           EndEntityOrCA endEntityOrCA, ByteString encodedEKU)
{
  // A function-local counter gives every certificate a distinct serial
  // number across the whole test run.
  static long nextSerialNumber = 0;
  ByteString serialNumber(CreateEncodedSerialNumber(++nextSerialNumber));
  EXPECT_FALSE(ENCODING_FAILED(serialNumber));

  ByteString issuerName(CNToDERName(issuerCN));
  ByteString subjectName(CNToDERName(subjectCN));

  // Slot 0 is basicConstraints (critical); slot 1 is the EKU extension when
  // one was supplied; slot 2 is never filled (presumably the empty entry
  // terminates the list for CreateEncodedCertificate — confirm).
  const bool isCA = (endEntityOrCA == EndEntityOrCA::MustBeCA);
  ByteString extensions[3];
  extensions[0] = CreateEncodedBasicConstraints(isCA, nullptr, Critical::Yes);
  EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
  if (encodedEKU.length() > 0) {
    extensions[1] = encodedEKU;
  }

  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
  ByteString certDER(CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
                                              serialNumber, issuerName,
                                              oneDayBeforeNow, oneDayAfterNow,
                                              subjectName, *keyPair,
                                              extensions, *keyPair,
                                              sha256WithRSAEncryption()));
  EXPECT_FALSE(ENCODING_FAILED(certDER));
  return certDER;
}
520
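// Trust domain for the chain tests. Exactly one certificate — the issuer DER
// handed to the constructor — is a trust anchor, that certificate is the only
// issuer ever offered to the path builder, and revocation and chain-level
// checks always pass. Apart from what DefaultCryptoTrustDomain itself still
// validates, BuildCertChain's outcome is therefore driven by the certificates'
// EKU extensions.
class EKUTrustDomain final : public DefaultCryptoTrustDomain
{
public:
  // issuerCertDER: DER of the single trust anchor / issuer certificate.
  explicit EKUTrustDomain(ByteString issuerCertDER)
    : mIssuerCertDER(issuerCertDER)
  {
  }

private:
  // A candidate is a trust anchor iff its DER matches the issuer certificate
  // byte for byte; any other certificate inherits trust from its issuer.
  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
                      TrustLevel& trustLevel) override
  {
    trustLevel = InputEqualsByteString(candidateCert, mIssuerCertDER)
               ? TrustLevel::TrustAnchor
               : TrustLevel::InheritsTrust;
    return Success;
  }

  // Offers the issuer certificate as the only candidate issuer and returns
  // whatever the checker decides about it.
  Result FindIssuer(Input, IssuerChecker& checker, Time) override
  {
    Input derCert;
    Result rv = derCert.Init(mIssuerCertDER.data(), mIssuerCertDER.length());
    if (rv != Success) {
      return rv;
    }
    // Out-parameter of Check(); initialized so it is never read
    // uninitialized. Its value is irrelevant here because there is no second
    // candidate to move on to.
    bool keepGoing = false;
    return checker.Check(derCert, nullptr, keepGoing);
  }

  // Revocation is out of scope for these tests: every certificate is treated
  // as unrevoked.
  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
                         const Input*, const Input*) override
  {
    return Success;
  }

  // No additional chain-level policy is applied.
  Result IsChainValid(const DERArray&, Time) override
  {
    return Success;
  }

  ByteString mIssuerCertDER;  // DER of the trust anchor / sole issuer
};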
563
// Builds a two-cert chain (self-issued "CA" -> "EE") carrying the case's EKU
// extensions and asserts the result BuildCertChain returns for the requested
// key purpose.
TEST_P(CheckExtendedKeyUsageChainTest, EKUChainTestcase)
{
  const EKUChainTestcase& testcase(GetParam());

  // The CA cert is self-issued and becomes the trust anchor below.
  ByteString caCertDER(CreateCert("CA", "CA", EndEntityOrCA::MustBeCA,
                                  testcase.ekuExtensionCA));
  // The end-entity cert names "CA" as its issuer.
  ByteString eeCertDER(CreateCert("CA", "EE", EndEntityOrCA::MustBeEndEntity,
                                  testcase.ekuExtensionEE));

  EKUTrustDomain trustDomain(caCertDER);

  Input eeCertInput;
  ASSERT_EQ(Success, eeCertInput.Init(eeCertDER.data(), eeCertDER.length()));

  // Only the EKU requirement varies per case: no particular key-usage bits are
  // required, any policy is accepted, and the trailing nullptr (presumably the
  // stapled OCSP response) supplies none.
  Result actual = BuildCertChain(trustDomain, eeCertInput, Now(),
                                 EndEntityOrCA::MustBeEndEntity,
                                 KeyUsage::noParticularKeyUsageRequired,
                                 testcase.keyPurposeId,
                                 CertPolicyId::anyPolicy,
                                 nullptr);
  ASSERT_EQ(testcase.expectedResult, actual);
}
586
// python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
// Full OBJECT IDENTIFIER TLV: tag 0x06, length 3, value 55 1d 25
// (2*40+5 = 0x55, 29 = 0x1d, 37 = 0x25).
static const uint8_t tlv_id_ce_extKeyUsage[] = {
  0x06, 0x03, 0x55, 0x1d, 0x25
};
591
// Wraps a concatenation of already-encoded KeyPurposeId OID TLVs into a
// complete DER Extension for id-ce-extKeyUsage:
//   SEQUENCE { extnID OID, extnValue OCTET STRING { SEQUENCE { OID ... } } }
// No `critical` BOOLEAN is emitted, so the extension is always non-critical
// (DER DEFAULT FALSE); the critical variant is therefore not exercised by the
// cases that use this helper. An empty `ekuOIDs` would produce an empty
// ExtKeyUsageSyntax SEQUENCE, which RFC 5280 does not allow (SIZE (1..MAX));
// callers wanting "no EKU" pass an empty ByteString to CreateCert instead.
static inline ByteString
CreateEKUExtension(ByteString ekuOIDs)
{
  ByteString keyPurposes(TLV(der::SEQUENCE, ekuOIDs));
  ByteString extnValue(TLV(der::OCTET_STRING, keyPurposes));
  ByteString extnID(BytesToByteString(tlv_id_ce_extKeyUsage));
  return TLV(der::SEQUENCE, extnID + extnValue);
}
599
// Chain-level EKU expectations. Several of these go beyond RFC 5280 section
// 4.2.1.12, which describes extKeyUsage primarily for end-entity certs:
//  - an EKU extension on the CA is treated as a constraint on the purposes of
//    the certificates it issues: a CA lacking id-kp-serverAuth fails the
//    serverAuth check even when the end-entity has it or has no EKU at all;
//  - id-Netscape-stepUp is accepted in place of id-kp-serverAuth on the CA,
//    but not on the end-entity;
//  - an end-entity asserting id-kp-OCSPSigning is rejected for serverAuth even
//    though id-kp-serverAuth is also present (an OCSP responder cert must not
//    double as a TLS server cert), while the same combination on the CA is
//    accepted.
// Not exercised here: anyExtendedKeyUsage, and a critical EKU extension
// (CreateEKUExtension always emits a non-critical one). Field order is
// { EE extension, CA extension, required purpose, expected result }.
static const EKUChainTestcase EKU_CHAIN_TESTCASES[] =
{
  {
    // Both end-entity and CA have id-kp-serverAuth => should succeed
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // CA has no EKU extension => should succeed
    // (absence of EKU on the CA imposes no constraint)
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    ByteString(),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // End-entity has no EKU extension => should succeed
    // (absence of EKU on the end-entity permits any purpose)
    ByteString(),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // No EKU extensions at all => should succeed
    ByteString(),
    ByteString(),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // CA has EKU without id-kp-serverAuth => should fail
    // (CA EKU constrains the issued certificate's permitted purposes)
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity has EKU without id-kp-serverAuth => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // Both end-entity and CA have EKU without id-kp-serverAuth => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity has no EKU, CA doesn't have id-kp-serverAuth => should fail
    // (an unconstrained end-entity cannot escape its CA's EKU constraint)
    ByteString(),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity doesn't have id-kp-serverAuth, CA has no EKU => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    ByteString(),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // CA has id-Netscape-stepUp => should succeed
    // (legacy stepUp is treated as equivalent to serverAuth on CAs)
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // End-entity has id-Netscape-stepUp => should fail
    // (the stepUp equivalence does not extend to end-entity certs)
    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity and CA have id-kp-serverAuth and id-kp-clientAuth => should
    // succeed
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // End-entity has id-kp-serverAuth and id-kp-OCSPSigning => should fail
    // (OCSP responder certs are rejected for serverAuth even when serverAuth
    // is also asserted)
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_OCSPSigning)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // CA has id-kp-serverAuth and id-kp-OCSPSigning => should succeed
    // (the OCSPSigning exclusion above applies only to end-entity certs)
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_OCSPSigning)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
};
708
// Instantiates the chain-level cases above; each EKU_CHAIN_TESTCASES entry
// becomes one CheckExtendedKeyUsageChainTest run through BuildCertChain.
INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
                        CheckExtendedKeyUsageChainTest,
                        ::testing::ValuesIn(EKU_CHAIN_TESTCASES));
712