1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
|
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "cast/common/certificate/cast_cert_validator.h"
#include <stdio.h>
#include <string.h>
#include "cast/common/certificate/cast_cert_validator_internal.h"
#include "cast/common/certificate/test_helpers.h"
#include "gtest/gtest.h"
#include "openssl/pem.h"
namespace cast {
namespace certificate {
namespace {
using CastCertError = openscreen::Error::Code;
enum TrustStoreDependency {
// Uses the built-in trust store for Cast. This is how certificates are
// verified in production.
TRUST_STORE_BUILTIN,
// Instead of using the built-in trust store, use root certificate in the
// provided test chain as the trust anchor.
//
// This trust anchor is initialized with anchor constraints, similar to how
// TrustAnchors in the built-in store are setup.
TRUST_STORE_FROM_TEST_FILE,
};
// Reads a test chain from |certs_file_name|, and asserts that verifying it as
// a Cast device certificate yields |expected_result|.
//
// RunTest() also checks that the resulting CertVerificationContext does not
// incorrectly verify invalid signatures.
//
// * |expected_policy| - The policy that should have been identified for the
// device certificate.
// * |time| - The timestamp to use when verifying the certificate.
// * |trust_store_dependency| - Which trust store to use when verifying (see
// enum's definition).
// * |optional_signed_data_file_name| - optional path to a PEM file containing
// a valid signature generated by the device certificate.
//
void RunTest(CastCertError expected_result,
const std::string& expected_common_name,
CastDeviceCertPolicy expected_policy,
const std::string& certs_file_name,
const DateTime& time,
TrustStoreDependency trust_store_dependency,
const std::string& optional_signed_data_file_name) {
std::vector<std::string> certs =
testing::ReadCertificatesFromPemFile(certs_file_name);
TrustStore* trust_store;
std::unique_ptr<TrustStore> fake_trust_store;
switch (trust_store_dependency) {
case TRUST_STORE_BUILTIN:
trust_store = nullptr;
break;
case TRUST_STORE_FROM_TEST_FILE: {
ASSERT_FALSE(certs.empty());
// Parse the root certificate of the chain.
const uint8_t* data = (const uint8_t*)certs.back().data();
X509* fake_root = d2i_X509(nullptr, &data, certs.back().size());
ASSERT_TRUE(fake_root);
certs.pop_back();
// Add a trust anchor and enforce constraints on it (regular mode for
// built-in Cast roots).
fake_trust_store = std::make_unique<TrustStore>();
fake_trust_store->certs.emplace_back(fake_root);
trust_store = fake_trust_store.get();
}
}
std::unique_ptr<CertVerificationContext> context;
CastDeviceCertPolicy policy;
openscreen::Error result =
VerifyDeviceCert(certs, time, &context, &policy, nullptr,
CRLPolicy::kCrlOptional, trust_store);
ASSERT_EQ(expected_result, result.code());
if (expected_result != CastCertError::kNone)
return;
EXPECT_EQ(expected_policy, policy);
ASSERT_TRUE(context);
// Test that the context is good.
EXPECT_EQ(expected_common_name, context->GetCommonName());
#define DATA_SPAN_FROM_LITERAL(s) ConstDataSpan{(uint8_t*)s, sizeof(s) - 1}
// Test verification of some invalid signatures.
EXPECT_FALSE(context->VerifySignatureOverData(
DATA_SPAN_FROM_LITERAL("bogus signature"),
DATA_SPAN_FROM_LITERAL("bogus data"), DigestAlgorithm::kSha256));
EXPECT_FALSE(context->VerifySignatureOverData(
DATA_SPAN_FROM_LITERAL(""), DATA_SPAN_FROM_LITERAL("bogus data"),
DigestAlgorithm::kSha256));
EXPECT_FALSE(context->VerifySignatureOverData(DATA_SPAN_FROM_LITERAL(""),
DATA_SPAN_FROM_LITERAL(""),
DigestAlgorithm::kSha256));
// If valid signatures are known for this device certificate, test them.
if (!optional_signed_data_file_name.empty()) {
testing::SignatureTestData signatures =
testing::ReadSignatureTestData(optional_signed_data_file_name);
// Test verification of a valid SHA1 signature.
EXPECT_TRUE(context->VerifySignatureOverData(
signatures.sha1, signatures.message, DigestAlgorithm::kSha1));
// Test verification of a valid SHA256 signature.
EXPECT_TRUE(context->VerifySignatureOverData(
signatures.sha256, signatures.message, DigestAlgorithm::kSha256));
}
}
// Creates a time in UTC at midnight.
DateTime CreateDate(int year, int month, int day) {
DateTime time = {};
time.year = year;
time.month = month;
time.day = day;
return time;
}
// Returns 2016-04-01 00:00:00 UTC.
//
// This is a time when most of the test certificate paths are valid.
DateTime AprilFirst2016() {
return CreateDate(2016, 4, 1);
}
DateTime AprilFirst2020() {
return CreateDate(2020, 4, 1);
}
// Returns 2015-01-01 00:00:00 UTC.
DateTime JanuaryFirst2015() {
return CreateDate(2015, 1, 1);
}
// Returns 2037-03-01 00:00:00 UTC.
//
// This is so far in the future that the test chains in this unit-test should
// all be invalid.
DateTime MarchFirst2037() {
return CreateDate(2037, 3, 1);
}
#define TEST_DATA_PREFIX "test/data/cast/common/certificate/"
// Tests verifying a valid certificate chain of length 2:
//
// 0: 2ZZBG9 FA8FCA3EF91A
// 1: Eureka Gen1 ICA
//
// Chains to trust anchor:
// Eureka Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, ChromecastGen1) {
RunTest(CastCertError::kNone, "2ZZBG9 FA8FCA3EF91A",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/chromecast_gen1.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN,
TEST_DATA_PREFIX "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 2ZZBG9 FA8FCA3EF91A
// 1: Eureka Gen1 ICA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, ChromecastGen1Reissue) {
RunTest(CastCertError::kNone, "2ZZBG9 FA8FCA3EF91A",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/chromecast_gen1_reissue.pem",
AprilFirst2016(), TRUST_STORE_BUILTIN,
TEST_DATA_PREFIX "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 3ZZAK6 FA8FCA3F0D35
// 1: Chromecast ICA 3
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, ChromecastGen2) {
RunTest(CastCertError::kNone, "3ZZAK6 FA8FCA3F0D35",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/chromecast_gen2.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 3:
//
// 0: -6394818897508095075
// 1: Asus fugu Cast ICA
// 2: Widevine Cast Subroot
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, Fugu) {
RunTest(CastCertError::kNone, "-6394818897508095075",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/fugu.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying an invalid certificate chain of length 1:
//
// 0: Cast Test Untrusted Device
//
// Chains to:
// Cast Test Untrusted ICA (Not part of trust store)
//
// This is invalid because it does not chain to a trust anchor.
TEST(VerifyCastDeviceCertTest, Unchained) {
RunTest(CastCertError::kErrCertsVerifyGeneric, "",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/unchained.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying one of the self-signed trust anchors (chain of length 1):
//
// 0: Cast Root CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// Although this is a valid and trusted certificate (it is one of the
// trust anchors after all) it fails the test as it is not a *device
// certificate*.
TEST(VerifyCastDeviceCertTest, CastRootCa) {
RunTest(CastCertError::kErrCertsRestrictions, "",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/cast_root_ca.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 4ZZDZJ FA8FCA7EFE3C
// 1: Chromecast ICA 4 (Audio)
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, ChromecastAudio) {
RunTest(CastCertError::kNone, "4ZZDZJ FA8FCA7EFE3C",
CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX "certificates/chromecast_audio.pem",
AprilFirst2016(), TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 3:
//
// 0: MediaTek Audio Dev Test
// 1: MediaTek Audio Dev Model
// 2: Cast Audio Dev Root CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, MtkAudioDev) {
RunTest(CastCertError::kNone, "MediaTek Audio Dev Test",
CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX "certificates/mtk_audio_dev.pem", JanuaryFirst2015(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 2:
//
// 0: 9V0000VB FA8FCA784D01
// 1: Cast TV ICA (Vizio)
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
TEST(VerifyCastDeviceCertTest, Vizio) {
RunTest(CastCertError::kNone, "9V0000VB FA8FCA784D01",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/vizio.pem", AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 2 using expired
// time points.
TEST(VerifyCastDeviceCertTest, ChromecastGen2InvalidTime) {
const char* kCertsFile = TEST_DATA_PREFIX "certificates/chromecast_gen2.pem";
// Control test - certificate should be valid at some time otherwise
// this test is pointless.
RunTest(CastCertError::kNone, "3ZZAK6 FA8FCA3F0D35",
CastDeviceCertPolicy::kUnrestricted, kCertsFile, AprilFirst2016(),
TRUST_STORE_BUILTIN, "");
// Use a time before notBefore.
RunTest(CastCertError::kErrCertsDateInvalid, "",
CastDeviceCertPolicy::kUnrestricted, kCertsFile, JanuaryFirst2015(),
TRUST_STORE_BUILTIN, "");
// Use a time after notAfter.
RunTest(CastCertError::kErrCertsDateInvalid, "",
CastDeviceCertPolicy::kUnrestricted, kCertsFile, MarchFirst2037(),
TRUST_STORE_BUILTIN, "");
}
// Tests verifying a valid certificate chain of length 3:
//
// 0: Audio Reference Dev Test
// 1: Audio Reference Dev Model
// 2: Cast Audio Dev Root CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, AudioRefDevTestChain3) {
RunTest(CastCertError::kNone, "Audio Reference Dev Test",
CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX "certificates/audio_ref_dev_test_chain_3.pem",
AprilFirst2016(), TRUST_STORE_BUILTIN,
TEST_DATA_PREFIX "signeddata/AudioReferenceDevTest.pem");
}
// TODO(btolsch): This won't work by default with boringssl, so do we want to
// find a way to work around this or is it safe to enforce 20-octet length now?
// Previous TODO from eroman@ suggested 2017 or even sooner was safe to remove
// this.
#if 0
// Tests verifying a valid certificate chain of length 3. Note that the first
// intermediate has a serial number that is 21 octets long, which violates RFC
// 5280. However cast verification accepts this certificate for compatibility
// reasons.
//
// 0: 8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA
// 1: Sony so16vic CA
// 2: Cast Audio Sony CA
//
// Chains to trust anchor:
// Cast Root CA (built-in trust store)
//
// This device certificate has a policy that means it is valid only for audio
// devices.
TEST(VerifyCastDeviceCertTest, IntermediateSerialNumberTooLong) {
RunTest(CastCertError::kNone, "8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA",
CastDeviceCertPolicy::AUDIO_ONLY,
"certificates/intermediate_serialnumber_toolong.pem",
AprilFirst2016(), TRUST_STORE_BUILTIN, "");
}
#endif
// Tests verifying a valid certificate chain of length 2 when the trust anchor
// is "expired". This is expected to work since expiration is not an enforced
// anchor constraint, even though it may appear in the root certificate.
//
// 0: CastDevice
// 1: CastIntermediate
//
// Chains to trust anchor:
// Expired CastRoot (provided by test data)
TEST(VerifyCastDeviceCertTest, ExpiredTrustAnchor) {
// The root certificate is only valid in 2015, so validating with a time in
// 2016 means it is expired.
RunTest(CastCertError::kNone, "CastDevice",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/expired_root.pem", AprilFirst2016(),
TRUST_STORE_FROM_TEST_FILE, "");
}
// Tests verifying a certificate chain where the root certificate has a pathlen
// constraint which is violated by the chain. In this case Root has a pathlen=1
// constraint, however neither intermediate is constrained.
//
// The expectation is for pathlen constraints on trust anchors to be enforced,
// so this validation must fail.
//
// 0: Target
// 1: Intermediate2
// 2: Intermediate1
//
// Chains to trust anchor:
// Root (provided by test data; has pathlen=1 constraint)
TEST(VerifyCastDeviceCertTest, ViolatesPathlenTrustAnchorConstraint) {
// Test that the chain verification fails due to the pathlen constraint.
RunTest(CastCertError::kErrCertsPathlen, "Target",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/violates_root_pathlen_constraint.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Tests verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={anyPolicy}
// Leaf: policies={anyPolicy}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafAnypolicy) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX
"certificates/policies_ica_anypolicy_leaf_anypolicy.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={anyPolicy}
// Leaf: policies={audioOnly}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafAudioonly) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX
"certificates/policies_ica_anypolicy_leaf_audioonly.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={anyPolicy}
// Leaf: policies={foo}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafFoo) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/policies_ica_anypolicy_leaf_foo.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={anyPolicy}
// Leaf: policies={}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAnypolicyLeafNone) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/policies_ica_anypolicy_leaf_none.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={audioOnly}
// Leaf: policies={anyPolicy}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafAnypolicy) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX
"certificates/policies_ica_audioonly_leaf_anypolicy.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={audioOnly}
// Leaf: policies={audioOnly}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafAudioonly) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX
"certificates/policies_ica_audioonly_leaf_audioonly.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={audioOnly}
// Leaf: policies={foo}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafFoo) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX "certificates/policies_ica_audioonly_leaf_foo.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={audioOnly}
// Leaf: policies={}
TEST(VerifyCastDeviceCertTest, PoliciesIcaAudioonlyLeafNone) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX "certificates/policies_ica_audioonly_leaf_none.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={}
// Leaf: policies={anyPolicy}
TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafAnypolicy) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/policies_ica_none_leaf_anypolicy.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={}
// Leaf: policies={audioOnly}
TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafAudioonly) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kAudioOnly,
TEST_DATA_PREFIX "certificates/policies_ica_none_leaf_audioonly.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={}
// Leaf: policies={foo}
TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafFoo) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/policies_ica_none_leaf_foo.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Test verifying a certificate chain with the policies:
//
// Root: policies={}
// Intermediate: policies={}
// Leaf: policies={}
TEST(VerifyCastDeviceCertTest, PoliciesIcaNoneLeafNone) {
RunTest(CastCertError::kNone, "Leaf", CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/policies_ica_none_leaf_none.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Tests verifying a certificate chain where the leaf certificate has a
// 1024-bit RSA key. Verification should fail since the target's key is
// too weak.
TEST(VerifyCastDeviceCertTest, DeviceCertHas1024BitRsaKey) {
RunTest(CastCertError::kErrCertsVerifyGeneric, "RSA 1024 Device Cert",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/rsa1024_device_cert.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE, "");
}
// Tests verifying a certificate chain where the leaf certificate has a
// 2048-bit RSA key, and then verifying signed data (both SHA1 and SHA256)
// for it.
TEST(VerifyCastDeviceCertTest, DeviceCertHas2048BitRsaKey) {
RunTest(CastCertError::kNone, "RSA 2048 Device Cert",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/rsa2048_device_cert.pem",
AprilFirst2016(), TRUST_STORE_FROM_TEST_FILE,
TEST_DATA_PREFIX "signeddata/rsa2048_device_cert_data.pem");
}
// Tests verifying a certificate chain where an intermediate certificate has a
// nameConstraints extension but the leaf certificate is still permitted under
// these constraints.
TEST(VerifyCastDeviceCertTest, NameConstraintsObeyed) {
RunTest(CastCertError::kNone, "Device", CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/nc.pem", AprilFirst2020(),
TRUST_STORE_FROM_TEST_FILE, "");
}
// Tests verifying a certificate chain where an intermediate certificate has a
// nameConstraints extension and the leaf certificate is not permitted under
// these constraints.
TEST(VerifyCastDeviceCertTest, NameConstraintsViolated) {
RunTest(CastCertError::kErrCertsVerifyGeneric, "Device",
CastDeviceCertPolicy::kUnrestricted,
TEST_DATA_PREFIX "certificates/nc_fail.pem", AprilFirst2020(),
TRUST_STORE_FROM_TEST_FILE, "");
}
} // namespace
} // namespace certificate
} // namespace cast
|
