// Copyright 2016 The Chromium Authors

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

// https://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

#include "path_builder.h"

#include <algorithm>

#include <memory>

#include <gmock/gmock.h>

#include <gtest/gtest.h>

#include <openssl/pool.h>

#include <openssl/pki/verify.h>

#include "cert_error_params.h"

#include "cert_issuer_source.h"

#include "cert_issuer_source_static.h"

#include "certificate_policies.h"

#include "common_cert_errors.h"

#include "input.h"

#include "mock_signature_verify_cache.h"

#include "parsed_certificate.h"

#include "simple_path_builder_delegate.h"

#include "string_util.h"

#include "test_helpers.h"

#include "trust_store.h"

#include "trust_store_collection.h"

#include "trust_store_in_memory.h"

#include "verify_certificate_chain.h"

BSSL_NAMESPACE_BEGIN

// TODO(crbug.com/634443): Assert the errors for each ResultPath.

namespace {

using ::testing::_;

using ::testing::Invoke;

using ::testing::StrictMock;

class TestPathBuilderDelegate : public SimplePathBuilderDelegate {

public:

TestPathBuilderDelegate(size_t min_rsa_modulus_length_bits,

DigestPolicy digest_policy)

: SimplePathBuilderDelegate(min_rsa_modulus_length_bits, digest_policy) {}

bool IsDeadlineExpired() override { return deadline_is_expired_; }

void SetDeadlineExpiredForTesting(bool deadline_is_expired) {

deadline_is_expired_ = deadline_is_expired;

}

SignatureVerifyCache *GetVerifyCache() override {

return use_signature_cache_ ? &cache_ : nullptr;

}

void ActivateCache() { use_signature_cache_ = true; }

void DeActivateCache() { use_signature_cache_ = false; }

MockSignatureVerifyCache *GetMockVerifyCache() { return &cache_; }

void AllowPrecert() { allow_precertificate_ = true; }

void DisallowPrecert() { allow_precertificate_ = false; }

bool AcceptPreCertificates() override {

return allow_precertificate_;

}

private:

bool deadline_is_expired_ = false;

bool use_signature_cache_ = false;

bool allow_precertificate_ = false;

MockSignatureVerifyCache cache_;

};

class CertPathBuilderDelegateBase : public SimplePathBuilderDelegate {

public:

CertPathBuilderDelegateBase()

: SimplePathBuilderDelegate(

1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {}

void CheckPathAfterVerification(const CertPathBuilder &path_builder,

CertPathBuilderResultPath *path) override {

ADD_FAILURE() << "Tests must override this";

}

};

class MockPathBuilderDelegate : public CertPathBuilderDelegateBase {

public:

MOCK_METHOD2(CheckPathAfterVerification,

void(const CertPathBuilder &path_builder,

CertPathBuilderResultPath *path));

};

// AsyncCertIssuerSourceStatic always returns its certs asynchronously.

class AsyncCertIssuerSourceStatic : public CertIssuerSource {

public:

class StaticAsyncRequest : public Request {

public:

explicit StaticAsyncRequest(ParsedCertificateList &&issuers) {

issuers_.swap(issuers);

issuers_iter_ = issuers_.begin();

}

StaticAsyncRequest(const StaticAsyncRequest &) = delete;

StaticAsyncRequest &operator=(const StaticAsyncRequest &) = delete;

~StaticAsyncRequest() override = default;

void GetNext(ParsedCertificateList *out_certs) override {

if (issuers_iter_ != issuers_.end()) {

out_certs->push_back(std::move(*issuers_iter_++));

}

}

ParsedCertificateList issuers_;

ParsedCertificateList::iterator issuers_iter_;

};

~AsyncCertIssuerSourceStatic() override = default;

void SetAsyncGetCallback(std::function<void()> closure) {

async_get_callback_ = std::move(closure);

}

void AddCert(std::shared_ptr<const ParsedCertificate> cert) {

static_cert_issuer_source_.AddCert(std::move(cert));

}

void SyncGetIssuersOf(const ParsedCertificate *cert,

ParsedCertificateList *issuers) override {}

void AsyncGetIssuersOf(const ParsedCertificate *cert,

std::unique_ptr<Request> *out_req) override {

num_async_gets_++;

ParsedCertificateList issuers;

static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers);

auto req = std::make_unique<StaticAsyncRequest>(std::move(issuers));

*out_req = std::move(req);

if (async_get_callback_) {

async_get_callback_();

}

}

int num_async_gets() const { return num_async_gets_; }

private:

CertIssuerSourceStatic static_cert_issuer_source_;

int num_async_gets_ = 0;

std::function<void()> async_get_callback_ = nullptr;

};

::testing::AssertionResult ReadTestPem(const std::string &file_name,

const std::string &block_name,

std::string *result) {

const PemBlockMapping mappings[] = {

{block_name.c_str(), result},

};

return ReadTestDataFromPemFile(file_name, mappings);

}

::testing::AssertionResult ReadTestCert(

const std::string &file_name,

std::shared_ptr<const ParsedCertificate> *result) {

std::string der;

::testing::AssertionResult r = ReadTestPem(

"testdata/path_builder_unittest/" + file_name, "CERTIFICATE", &der);

if (!r) {

return r;

}

CertErrors errors;

*result = ParsedCertificate::Create(

bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(

reinterpret_cast<const uint8_t *>(der.data()), der.size(), nullptr)),

{}, &errors);

if (!*result) {

return ::testing::AssertionFailure()

<< "ParseCertificate::Create() failed:\n"

<< errors.ToDebugString();

}

return ::testing::AssertionSuccess();

}

class PathBuilderMultiRootTest : public ::testing::Test {

public:

PathBuilderMultiRootTest()

: delegate_(1024, TestPathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {

}

void SetUp() override {

ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b_));

ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c_));

ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f_));

ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d_));

ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e_));

ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d_));

ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e_));

ASSERT_TRUE(ReadTestCert("multi-root-F-by-E.pem", &f_by_e_));

}

protected:

std::shared_ptr<const ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_,

c_by_e_, d_by_d_, e_by_e_, f_by_e_;

TestPathBuilderDelegate delegate_;

der::GeneralizedTime time_ = {2017, 3, 1, 0, 0, 0};

const InitialExplicitPolicy initial_explicit_policy_ =

InitialExplicitPolicy::kFalse;

const std::set<der::Input> user_initial_policy_set_ = {

der::Input(kAnyPolicyOid)};

const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_ =

InitialPolicyMappingInhibit::kFalse;

const InitialAnyPolicyInhibit initial_any_policy_inhibit_ =

InitialAnyPolicyInhibit::kFalse;

};

// Tests when the target cert has the same name and key as a trust anchor,

// however is signed by a different trust anchor. This should successfully build

// a path, however the trust anchor will be the signer of this cert.

//

// (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor

// but with different data; also in this test the target cert itself is in the

// trust store).

TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(a_by_b_);

trust_store.AddTrustAnchor(b_by_f_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

auto result = path_builder.Run();

ASSERT_TRUE(result.HasValidPath());

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

const auto &path = *result.GetBestValidPath();

ASSERT_EQ(2U, path.certs.size());

EXPECT_EQ(a_by_b_, path.certs[0]);

EXPECT_EQ(b_by_f_, path.certs[1]);

}

// If the target cert is has the same name and key as a trust anchor, however

// is NOT itself signed by a trust anchor, it fails. Although the provided SPKI

// is trusted, the certificate contents cannot be verified.

TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(a_by_b_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

auto result = path_builder.Run();

EXPECT_FALSE(result.HasValidPath());

EXPECT_EQ(1U, result.max_depth_seen);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)

<< error.DiagnosticString();

}

// Test a failed path building when the trust anchor is provided as a

// supplemental certificate. Conceptually the following paths could be built:

//

// B(C) <- C(D) <- [Trust anchor D]

// B(C) <- C(D) <- D(D) <- [Trust anchor D]

//

// However the second one is extraneous given the shorter path.

TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(d_by_d_);

// The (extraneous) trust anchor D(D) is supplied as a certificate, as is the

// intermediate needed for path building C(D).

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(d_by_d_);

sync_certs.AddCert(c_by_d_);

// C(D) is not valid at this time, so path building will fail.

der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0};

CertPathBuilder path_builder(

b_by_c_, &trust_store, &delegate_, expired_time, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

auto result = path_builder.Run();

EXPECT_FALSE(result.HasValidPath());

ASSERT_EQ(1U, result.paths.size());

EXPECT_FALSE(result.paths[0]->IsValid());

const auto &path0 = *result.paths[0];

ASSERT_EQ(3U, path0.certs.size());

EXPECT_EQ(b_by_c_, path0.certs[0]);

EXPECT_EQ(c_by_d_, path0.certs[1]);

EXPECT_EQ(d_by_d_, path0.certs[2]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::CERTIFICATE_NOT_YET_VALID)

<< error.DiagnosticString();

}

// Test verifying a certificate that is a trust anchor.

TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(e_by_e_);

// This is not necessary for the test, just an extra...

trust_store.AddTrustAnchor(f_by_e_);

CertPathBuilder path_builder(

e_by_e_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

auto result = path_builder.Run();

ASSERT_TRUE(result.HasValidPath());

// Verifying a trusted leaf certificate is not permitted, however this

// certificate is self-signed, and can chain to itself.

const auto &path = *result.GetBestValidPath();

ASSERT_EQ(2U, path.certs.size());

EXPECT_EQ(e_by_e_, path.certs[0]);

EXPECT_EQ(e_by_e_, path.certs[1]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

// If the target cert is directly issued by a trust anchor, it should verify

// without any intermediate certs being provided.

TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(b_by_f_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

auto result = path_builder.Run();

ASSERT_TRUE(result.HasValidPath());

const auto &path = *result.GetBestValidPath();

ASSERT_EQ(2U, path.certs.size());

EXPECT_EQ(a_by_b_, path.certs[0]);

EXPECT_EQ(b_by_f_, path.certs[1]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

// Test that async cert queries are not made if the path can be successfully

// built with synchronously available certs.

TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(e_by_e_);

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_f_);

sync_certs.AddCert(f_by_e_);

AsyncCertIssuerSourceStatic async_certs;

async_certs.AddCert(b_by_c_);

async_certs.AddCert(c_by_e_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&async_certs);

path_builder.AddCertIssuerSource(&sync_certs);

auto result = path_builder.Run();

EXPECT_TRUE(result.HasValidPath());

EXPECT_EQ(0, async_certs.num_async_gets());

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

// If async queries are needed, all async sources will be queried

// simultaneously.

TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(e_by_e_);

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

sync_certs.AddCert(b_by_f_);

AsyncCertIssuerSourceStatic async_certs1;

async_certs1.AddCert(c_by_e_);

AsyncCertIssuerSourceStatic async_certs2;

async_certs2.AddCert(f_by_e_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&async_certs1);

path_builder.AddCertIssuerSource(&async_certs2);

path_builder.AddCertIssuerSource(&sync_certs);

auto result = path_builder.Run();

EXPECT_TRUE(result.HasValidPath());

EXPECT_EQ(1, async_certs1.num_async_gets());

EXPECT_EQ(1, async_certs2.num_async_gets());

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

// Test that PathBuilder does not generate longer paths than necessary if one of

// the supplied certs is itself a trust anchor.

TEST_F(PathBuilderMultiRootTest, TestLongChain) {

// Both D(D) and C(D) are trusted roots.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(d_by_d_);

trust_store.AddTrustAnchor(c_by_d_);

// Certs B(C), and C(D) are all supplied.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

sync_certs.AddCert(c_by_d_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

auto result = path_builder.Run();

ASSERT_TRUE(result.HasValidPath());

// The result path should be A(B) <- B(C) <- C(D)

// not the longer but also valid A(B) <- B(C) <- C(D) <- D(D)

EXPECT_EQ(3U, result.GetBestValidPath()->certs.size());

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

// Test that PathBuilder will backtrack and try a different path if the first

// one doesn't work out.

TEST_F(PathBuilderMultiRootTest, TestBacktracking) {

// Only D(D) is a trusted root.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(d_by_d_);

// Certs B(F) and F(E) are supplied synchronously, thus the path

// A(B) <- B(F) <- F(E) should be built first, though it won't verify.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_f_);

sync_certs.AddCert(f_by_e_);

// Certs B(C), and C(D) are supplied asynchronously, so the path

// A(B) <- B(C) <- C(D) <- D(D) should be tried second.

AsyncCertIssuerSourceStatic async_certs;

async_certs.AddCert(b_by_c_);

async_certs.AddCert(c_by_d_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

path_builder.AddCertIssuerSource(&async_certs);

auto result = path_builder.Run();

ASSERT_TRUE(result.HasValidPath());

// The partial path should be returned even though it didn't reach a trust

// anchor.

ASSERT_EQ(2U, result.paths.size());

EXPECT_FALSE(result.paths[0]->IsValid());

ASSERT_EQ(3U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);

EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);

// The result path should be A(B) <- B(C) <- C(D) <- D(D)

EXPECT_EQ(1U, result.best_result_index);

EXPECT_TRUE(result.paths[1]->IsValid());

const auto &path = *result.GetBestValidPath();

ASSERT_EQ(4U, path.certs.size());

EXPECT_EQ(a_by_b_, path.certs[0]);

EXPECT_EQ(b_by_c_, path.certs[1]);

EXPECT_EQ(c_by_d_, path.certs[2]);

EXPECT_EQ(d_by_d_, path.certs[3]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

// Test that if no path to a trust anchor was found, the partial path is

// returned.

TEST_F(PathBuilderMultiRootTest, TestOnlyPartialPathResult) {

TrustStoreInMemory trust_store;

// Certs B(F) and F(E) are supplied synchronously, thus the path

// A(B) <- B(F) <- F(E) should be built first, though it won't verify.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_f_);

sync_certs.AddCert(f_by_e_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

auto result = path_builder.Run();

EXPECT_FALSE(result.HasValidPath());

// The partial path should be returned even though it didn't reach a trust

// anchor.

ASSERT_EQ(1U, result.paths.size());

EXPECT_FALSE(result.paths[0]->IsValid());

ASSERT_EQ(3U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);

EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)

<< error.DiagnosticString();

}

// Test that if two partial paths are returned, the first is marked as the best

// path.

TEST_F(PathBuilderMultiRootTest, TestTwoPartialPathResults) {

TrustStoreInMemory trust_store;

// Certs B(F) and F(E) are supplied synchronously, thus the path

// A(B) <- B(F) <- F(E) should be built first, though it won't verify.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_f_);

sync_certs.AddCert(f_by_e_);

// Certs B(C), and C(D) are supplied asynchronously, so the path

// A(B) <- B(C) <- C(D) <- D(D) should be tried second.

AsyncCertIssuerSourceStatic async_certs;

async_certs.AddCert(b_by_c_);

async_certs.AddCert(c_by_d_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

path_builder.AddCertIssuerSource(&async_certs);

auto result = path_builder.Run();

EXPECT_FALSE(result.HasValidPath());

// First partial path found should be marked as the best one.

EXPECT_EQ(0U, result.best_result_index);

ASSERT_EQ(2U, result.paths.size());

EXPECT_FALSE(result.paths[0]->IsValid());

ASSERT_EQ(3U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);

EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);

EXPECT_FALSE(result.paths[1]->IsValid());

ASSERT_EQ(3U, result.paths[1]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[1]->certs[0]);

EXPECT_EQ(b_by_c_, result.paths[1]->certs[1]);

EXPECT_EQ(c_by_d_, result.paths[1]->certs[2]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)

<< error.DiagnosticString();

}

// Test that if no valid path is found, and the first invalid path is a partial

// path, but the 2nd invalid path ends with a cert with a trust record, the 2nd

// path should be preferred.

TEST_F(PathBuilderMultiRootTest, TestDistrustedPathPreferredOverPartialPath) {

// Only D(D) has a trust record, but it is distrusted.

TrustStoreInMemory trust_store;

trust_store.AddDistrustedCertificateForTest(d_by_d_);

// Certs B(F) and F(E) are supplied synchronously, thus the path

// A(B) <- B(F) <- F(E) should be built first, though it won't verify.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_f_);

sync_certs.AddCert(f_by_e_);

// Certs B(C), and C(D) are supplied asynchronously, so the path

// A(B) <- B(C) <- C(D) <- D(D) should be tried second.

AsyncCertIssuerSourceStatic async_certs;

async_certs.AddCert(b_by_c_);

async_certs.AddCert(c_by_d_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

path_builder.AddCertIssuerSource(&async_certs);

auto result = path_builder.Run();

EXPECT_FALSE(result.HasValidPath());

// The partial path should be returned even though it didn't reach a trust

// anchor.

ASSERT_EQ(2U, result.paths.size());

EXPECT_FALSE(result.paths[0]->IsValid());

ASSERT_EQ(3U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_EQ(b_by_f_, result.paths[0]->certs[1]);

EXPECT_EQ(f_by_e_, result.paths[0]->certs[2]);

// The result path should be A(B) <- B(C) <- C(D) <- D(D)

EXPECT_EQ(1U, result.best_result_index);

EXPECT_FALSE(result.paths[1]->IsValid());

const auto &path = *result.GetBestPathPossiblyInvalid();

ASSERT_EQ(4U, path.certs.size());

EXPECT_EQ(a_by_b_, path.certs[0]);

EXPECT_EQ(b_by_c_, path.certs[1]);

EXPECT_EQ(c_by_d_, path.certs[2]);

EXPECT_EQ(d_by_d_, path.certs[3]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_NOT_FOUND)

<< error.DiagnosticString();

}

// Test that whichever order CertIssuerSource returns the issuers, the path

// building still succeeds.

TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) {

// Only D(D) is a trusted root.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(d_by_d_);

for (bool reverse_order : {false, true}) {

SCOPED_TRACE(reverse_order);

std::vector<std::shared_ptr<const ParsedCertificate>> certs = {

b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_};

CertIssuerSourceStatic sync_certs;

if (reverse_order) {

for (auto it = certs.rbegin(); it != certs.rend(); ++it) {

sync_certs.AddCert(*it);

}

} else {

for (const auto &cert : certs) {

sync_certs.AddCert(cert);

}

}

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

auto result = path_builder.Run();

ASSERT_TRUE(result.HasValidPath());

// The result path should be A(B) <- B(C) <- C(D) <- D(D)

const auto &path = *result.GetBestValidPath();

ASSERT_EQ(4U, path.certs.size());

EXPECT_EQ(a_by_b_, path.certs[0]);

EXPECT_EQ(b_by_c_, path.certs[1]);

EXPECT_EQ(c_by_d_, path.certs[2]);

EXPECT_EQ(d_by_d_, path.certs[3]);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

}

TEST_F(PathBuilderMultiRootTest, TestIterationLimit) {

// D(D) is the trust root.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(d_by_d_);

// Certs B(C) and C(D) are supplied.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

sync_certs.AddCert(c_by_d_);

for (const bool insufficient_limit : {true, false}) {

SCOPED_TRACE(insufficient_limit);

StrictMock<MockPathBuilderDelegate> mock_delegate;

// The CheckPathAfterVerification delegate should be called regardless if

// the iteration limit is reached.

EXPECT_CALL(mock_delegate, CheckPathAfterVerification(_, _));

CertPathBuilder path_builder(

a_by_b_, &trust_store, &mock_delegate, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

if (insufficient_limit) {

// A limit of one is insufficient to build a path in this case. Therefore

// building is expected to fail in this case.

path_builder.SetIterationLimit(1);

} else {

// The other tests in this file exercise the case that |SetIterationLimit|

// isn't called. Therefore set a sufficient limit for the path to be

// found.

path_builder.SetIterationLimit(5);

}

auto result = path_builder.Run();

EXPECT_EQ(!insufficient_limit, result.HasValidPath());

EXPECT_EQ(insufficient_limit, result.exceeded_iteration_limit);

VerifyError error = result.GetBestPathVerifyError();

if (insufficient_limit) {

EXPECT_EQ(2U, result.iteration_count);

ASSERT_EQ(error.Code(),

VerifyError::StatusCode::PATH_ITERATION_COUNT_EXCEEDED)

<< error.DiagnosticString();

} else {

EXPECT_EQ(3U, result.iteration_count);

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

}

}

TEST_F(PathBuilderMultiRootTest, TestTrivialDeadline) {

// C(D) is the trust root.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(c_by_d_);

// Cert B(C) is supplied.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

for (const bool insufficient_limit : {true, false}) {

SCOPED_TRACE(insufficient_limit);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

// Make the deadline either expired or not.

delegate_.SetDeadlineExpiredForTesting(insufficient_limit);

auto result = path_builder.Run();

EXPECT_EQ(!insufficient_limit, result.HasValidPath());

EXPECT_EQ(insufficient_limit, result.exceeded_deadline);

EXPECT_EQ(delegate_.IsDeadlineExpired(), insufficient_limit);

if (insufficient_limit) {

ASSERT_EQ(1U, result.paths.size());

EXPECT_FALSE(result.paths[0]->IsValid());

ASSERT_EQ(1U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_TRUE(result.paths[0]->errors.ContainsError(

cert_errors::kDeadlineExceeded));

} else {

ASSERT_EQ(1U, result.paths.size());

EXPECT_TRUE(result.paths[0]->IsValid());

ASSERT_EQ(3U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]);

EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]);

}

}

}

TEST_F(PathBuilderMultiRootTest, TestVerifyCache) {

// C(D) is the trust root.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(c_by_d_);

// Cert B(C) is supplied.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

// Test Activation / DeActivation of the cache.

EXPECT_FALSE(delegate_.GetVerifyCache());

delegate_.ActivateCache();

EXPECT_TRUE(delegate_.GetVerifyCache());

delegate_.DeActivateCache();

EXPECT_FALSE(delegate_.GetVerifyCache());

delegate_.ActivateCache();

EXPECT_TRUE(delegate_.GetVerifyCache());

for (size_t i = 0; i < 3; i++) {

SCOPED_TRACE(i);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

auto result = path_builder.Run();

ASSERT_EQ(1U, result.paths.size());

EXPECT_TRUE(result.paths[0]->IsValid());

ASSERT_EQ(3U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]);

EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]);

// The path is 3 certificates long, so requires 2 distinct signature

// verifications. The first time through the loop will cause 2 cache misses

// and stores, subsequent iterations will repeat the same verifications,

// causing 2 cache hits.

EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheHits(), i * 2);

EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheMisses(), 2U);

EXPECT_EQ(delegate_.GetMockVerifyCache()->CacheStores(), 2U);

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

}

TEST_F(PathBuilderMultiRootTest, TestDeadline) {

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(d_by_d_);

// Cert B(C) is supplied statically.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

// Cert C(D) is supplied asynchronously and will expire the deadline before

// returning the async result.

AsyncCertIssuerSourceStatic async_certs;

async_certs.AddCert(c_by_d_);

async_certs.SetAsyncGetCallback(

[&] { delegate_.SetDeadlineExpiredForTesting(true); });

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

path_builder.AddCertIssuerSource(&async_certs);

auto result = path_builder.Run();

EXPECT_FALSE(result.HasValidPath());

EXPECT_TRUE(result.exceeded_deadline);

EXPECT_TRUE(delegate_.IsDeadlineExpired());

// The chain returned should end in c_by_d_, since the deadline would only be

// checked again after the async results had been checked (since

// AsyncCertIssuerSourceStatic makes the async results available immediately.)

ASSERT_EQ(1U, result.paths.size());

EXPECT_FALSE(result.paths[0]->IsValid());

ASSERT_EQ(3U, result.paths[0]->certs.size());

EXPECT_EQ(a_by_b_, result.paths[0]->certs[0]);

EXPECT_EQ(b_by_c_, result.paths[0]->certs[1]);

EXPECT_EQ(c_by_d_, result.paths[0]->certs[2]);

EXPECT_TRUE(

result.paths[0]->errors.ContainsError(cert_errors::kDeadlineExceeded));

VerifyError error = result.GetBestPathVerifyError();

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEADLINE_EXCEEDED)

<< error.DiagnosticString();

}

TEST_F(PathBuilderMultiRootTest, TestDepthLimit) {

// D(D) is the trust root.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(d_by_d_);

// Certs B(C) and C(D) are supplied.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

sync_certs.AddCert(c_by_d_);

for (const bool insufficient_limit : {true, false}) {

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

if (insufficient_limit) {

// A limit of depth equal to 2 is insufficient to build the path.

// Therefore, building is expected to fail.

path_builder.SetDepthLimit(2);

} else {

// The other tests in this file exercise the case that |SetDepthLimit|

// isn't called. Therefore, set a sufficient limit for the path to be

// found.

path_builder.SetDepthLimit(5);

}

auto result = path_builder.Run();

EXPECT_EQ(!insufficient_limit, result.HasValidPath());

EXPECT_EQ(insufficient_limit,

result.AnyPathContainsError(cert_errors::kDepthLimitExceeded));

VerifyError error = result.GetBestPathVerifyError();

if (insufficient_limit) {

EXPECT_EQ(2U, result.max_depth_seen);

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_DEPTH_LIMIT_REACHED)

<< error.DiagnosticString();

} else {

EXPECT_EQ(4U, result.max_depth_seen);

ASSERT_EQ(error.Code(), VerifyError::StatusCode::PATH_VERIFIED)

<< error.DiagnosticString();

}

}

}

TEST_F(PathBuilderMultiRootTest, TestDepthLimitMultiplePaths) {

// This case tests path building backtracking due to reaching the path depth

// limit. Given the root and issuer certificates below, there can be two paths

// from between the leaf to a trusted root, one has length of 3 and the other

// has length of 4. These certificates are specifically chosen because path

// building will first explore the 4-certificate long path then the

// 3-certificate long path. So with a depth limit of 3, we can test the

// backtracking code path.

// E(E) and C(D) are the trust roots.

TrustStoreInMemory trust_store;

trust_store.AddTrustAnchor(e_by_e_);

trust_store.AddTrustAnchor(c_by_d_);

// Certs B(C). B(F) and F(E) are supplied.

CertIssuerSourceStatic sync_certs;

sync_certs.AddCert(b_by_c_);

sync_certs.AddCert(b_by_f_);

sync_certs.AddCert(f_by_e_);

CertPathBuilder path_builder(

a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,

initial_explicit_policy_, user_initial_policy_set_,

initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);

path_builder.AddCertIssuerSource(&sync_certs);

path_builder.SetDepthLimit(3);

auto result = path_builder.Run();

EXPECT_TRUE(result.HasValidPath());

EXPECT_TRUE(result.AnyPathContainsError(cert_errors::kDepthLimitExceeded));

ASSERT_EQ(result.paths.size(), 2u);

const CertPathBuilderResultPath *truncated_path = result.paths[0].get();

EXPECT_FALSE(truncated_path->IsValid());

EXPECT_TRUE(

truncated_path->errors.ContainsError(cert_errors::kDepthLimitExceeded));

ASSERT_EQ(truncated_path->certs.size(), 3u);

EXPECT_EQ(a_by_b_, truncated_path->certs[0]);

EXPECT_EQ(b_by_f_, truncated_path->certs[1]);

EXPECT_EQ(f_by_e_, truncated_path->certs[2]);

const CertPathBuilderResultPath *valid_path = result.paths[1].get();

EXPECT_TRUE(valid_path->IsValid());

EXPECT_FALSE(

valid_path->errors.ContainsError(cert_errors::kDepthLimitExceeded));

ASSERT_EQ(valid_path->certs.size(), 3u);

EXPECT_EQ(a_by_b_, valid_path->certs[0]);