2 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file capi-certificate-chains.cpp
18 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
27 #include <dpl/test/test_runner.h>
29 #include <tests_common.h>
30 #include <ckm-common.h>
32 #include <ckmc/ckmc-manager.h>
33 #include <ckmc/ckmc-control.h>
34 #include <ckmc/ckmc-type.h>
35 #include <ckmc/ckmc-error.h>
38 const char* CERT[] = {
40 "-----BEGIN CERTIFICATE-----\n"
41 "MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV\n"
42 "UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy\n"
43 "dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1\n"
44 "MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx\n"
45 "dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B\n"
46 "AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f\n"
47 "BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A\n"
48 "cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC\n"
49 "AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ\n"
50 "MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm\n"
51 "aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw\n"
52 "ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj\n"
53 "IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF\n"
54 "MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA\n"
55 "A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y\n"
56 "7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh\n"
57 "1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4\n"
58 "-----END CERTIFICATE-----\n",
60 // GeoTrust Global CA - issued by Equifax
61 "-----BEGIN CERTIFICATE-----\n"
62 "MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT\n"
63 "MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0\n"
64 "aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw\n"
65 "WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE\n"
66 "AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
67 "CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m\n"
68 "OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu\n"
69 "T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c\n"
70 "JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR\n"
71 "Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz\n"
72 "PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm\n"
73 "aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM\n"
74 "TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g\n"
75 "LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO\n"
76 "BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv\n"
77 "dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB\n"
78 "AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL\n"
79 "NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W\n"
80 "b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S\n"
81 "-----END CERTIFICATE-----\n",
83 // Google Internet Authority G2 - issued by GeoTrust Global CA
84 "-----BEGIN CERTIFICATE-----\n"
85 "MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT\n"
86 "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\n"
87 "YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG\n"
88 "EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy\n"
89 "bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
90 "AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP\n"
91 "VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv\n"
92 "h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE\n"
93 "ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ\n"
94 "EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC\n"
95 "DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7\n"
96 "qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD\n"
97 "VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g\n"
98 "K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI\n"
99 "KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n\n"
100 "ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB\n"
101 "BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY\n"
102 "/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/\n"
103 "zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza\n"
104 "HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto\n"
105 "WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6\n"
106 "yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx\n"
107 "-----END CERTIFICATE-----\n",
109 // *.google.com - issued by Google Internet Authority
110 "-----BEGIN CERTIFICATE-----\n"
111 "MIIGxTCCBa2gAwIBAgIIAl5EtcNJFrcwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE\n"
112 "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl\n"
113 "cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMjEwMTEzMzM3WhcNMTUwMzEwMDAwMDAw\n"
114 "WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN\n"
115 "TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n\n"
116 "b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmng6ZoVeVmmAplSC\n"
117 "9TcTQkkosO5zaPDTXLuuzQU3Bl5JUSF/11w6dlXdJJHXIQ3cIirUuyd288ORbu93\n"
118 "FrTTTaOCBF0wggRZMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAyYG\n"
119 "A1UdEQSCAx0wggMZggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22CFiouYXBw\n"
120 "ZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIWKi5nb29nbGUt\n"
121 "YW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2ds\n"
122 "ZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2ds\n"
123 "ZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdv\n"
124 "b2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8q\n"
125 "Lmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29n\n"
126 "bGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyou\n"
127 "Z29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdv\n"
128 "b2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVv\n"
129 "LmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2dDEuY29tggoq\n"
130 "Lmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAq\n"
131 "LnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1\n"
132 "YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5k\n"
133 "cm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv\n"
134 "b2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUu\n"
135 "YmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTALBgNVHQ8EBAMC\n"
136 "B4AwaAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2ds\n"
137 "ZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29v\n"
138 "Z2xlLmNvbS9vY3NwMB0GA1UdDgQWBBTn6rT+UWACLuZnUas2zTQJkdrq5jAMBgNV\n"
139 "HRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1Ud\n"
140 "IAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtp\n"
141 "Lmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBb4wU7IjXL\n"
142 "msvaYqFlYYDKiYZhBUGHxxLkFWR72vFugYkJ7BbMCaKZJdyln5xL4pCdNHiNGfub\n"
143 "/3ct2t3sKeruc03EydznLQ78qrHuwNJdqUZfDLJ6ILAQUmpnYEXrnmB7C5chCWR0\n"
144 "OKWRLguwZQQQQlRyjZFtdoISHNveel/UkS/Jwijvpbw/wGg9W4L4En6RjDeD259X\n"
145 "zYvNzIwiEq50/5ZQCYE9EH0mWguAji9tuh5NJKPEeaaCQ3lp/UEAkq5uYls7tuSs\n"
146 "MTI9LMZRiYFJab/LYbq2uaz4B/lSuE9vku+ikNYA+J2Qv6eqU3U+jmUOSCfYJ2Qt\n"
148 "-----END CERTIFICATE-----\n",
151 "-----BEGIN CERTIFICATE-----\n"
152 "MIIDnzCCAoegAwIBAgIJAMH/ADkC5YSTMA0GCSqGSIb3DQEBBQUAMGYxCzAJBgNV\n"
153 "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQKDARBQ01FMRAwDgYD\n"
154 "VQQLDAdUZXN0aW5nMSEwHwYDVQQDDBhUZXN0IHJvb3QgY2EgY2VydGlmaWNhdGUw\n"
155 "HhcNMTQxMjMwMTcyMTUyWhcNMjQxMjI3MTcyMTUyWjBmMQswCQYDVQQGEwJBVTET\n"
156 "MBEGA1UECAwKU29tZS1TdGF0ZTENMAsGA1UECgwEQUNNRTEQMA4GA1UECwwHVGVz\n"
157 "dGluZzEhMB8GA1UEAwwYVGVzdCByb290IGNhIGNlcnRpZmljYXRlMIIBIjANBgkq\n"
158 "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0EJRdUtd2th0vTVF7QxvDKzyFCF3w9vC\n"
159 "9IDE/Yr12w+a9jd0s7/eG96qTHIYffS3B7x2MB+d4n+SR3W0qmYh7xk8qfEgH3da\n"
160 "eDoV59IZ9r543KM+g8jm6KffYGX1bIJVVY5OhBRbO9nY6byYpd5kbCIUB6dCf7/W\n"
161 "rQl1aIdLGFIegAzPGFPXDcU6F192686x54bxt/itMX4agHJ9ZC/rrTBIZghVsjJo\n"
162 "5/AH5WZpasv8sfrGiiohAxtieoYoJkv5MOYP4/2lPlOY+Cgw1Yoz+HHv31AllgFs\n"
163 "BquBb/kJVmCCNsAOcnvQzTZUsW/TXz9G2nwRdqI1nSy2JvVjZGsqGQIDAQABo1Aw\n"
164 "TjAdBgNVHQ4EFgQUt6pkzFt1PZlfYRL/HGnufF4frdwwHwYDVR0jBBgwFoAUt6pk\n"
165 "zFt1PZlfYRL/HGnufF4frdwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOC\n"
166 "AQEAld7Qwq0cdzDQ51w1RVLwTR8Oy25PB3rzwEHcSGJmdqlMi3xOdaz80S1R1BBX\n"
167 "ldvGBG5Tn0vT7xSuhmSgI2/HnBpy9ocHVOmhtNB4473NieEpfTYrnGXrFxu46Wus\n"
168 "9m/ZnugcQ2G6C54A/NFtvgLmaC8uH8M7gKdS6uYUwJFQEofkjmd4UpOYSqmcRXhS\n"
169 "Jzd5FYFWkJhKJYp3nlENSOD8CUFFVGekm05nFN2gRVc/qaqQkEX77+XYvhodLRsV\n"
170 "qMn7nf7taidDKLO2T4bhujztnTYOhhaXKgPy7AtZ28N2wvX96VyAPB/vrchGmyBK\n"
171 "kOg11TpPdNDkhb1J4ZCh2gupDg==\n"
172 "-----END CERTIFICATE-----\n",
174 // Test intermediate ca signed with test root ca
175 "-----BEGIN CERTIFICATE-----\n"
176 "MIIDljCCAn6gAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwZjELMAkGA1UEBhMCQVUx\n"
177 "EzARBgNVBAgMClNvbWUtU3RhdGUxDTALBgNVBAoMBEFDTUUxEDAOBgNVBAsMB1Rl\n"
178 "c3RpbmcxITAfBgNVBAMMGFRlc3Qgcm9vdCBjYSBjZXJ0aWZpY2F0ZTAeFw0xNTAx\n"
179 "MTYxNjQ1MzRaFw0zNTAxMTExNjQ1MzRaMGQxCzAJBgNVBAYTAkFVMRMwEQYDVQQI\n"
180 "DApTb21lLVN0YXRlMQ0wCwYDVQQKDARBQ01FMRAwDgYDVQQLDAdUZXN0aW5nMR8w\n"
181 "HQYDVQQDDBZUZXN0IElNIENBIGNlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEF\n"
182 "AAOCAQ8AMIIBCgKCAQEAzmBF78qClgoKfnLAncMXZwZ14TW+5kags1+QCYeg3c7j\n"
183 "L9+RvDxIaX2tKf1sukJcwQfYqUlQkwt+58LMOb2ORtkpj8Or6WCWCZ0BzneT8ug7\n"
184 "nxJT4m9+bohMF0JoKjjB2H4KNMHamLIwUxRKt6nyfk81kVhJOi2vzzxd+UCPi6Pc\n"
185 "UAbJNH48eNgOIg55nyFovVzYj8GIo/9GvHJj83PPa/KlJZ+Z1qZASZZ/VYorplVT\n"
186 "thsHXKfejhFy5YJ9t7n/vyAQsyBsagZsvX19xnH41fbYXHKf8UbXG23rNaZlchs6\n"
187 "XJVLQdzOpj3WTj/lCocVHqLaZISLhNQ3aI7kUBUdiwIDAQABo1AwTjAdBgNVHQ4E\n"
188 "FgQUoCYNaCBP4jl/3SYQuK8Ka+6i3QEwHwYDVR0jBBgwFoAUt6pkzFt1PZlfYRL/\n"
189 "HGnufF4frdwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAjRzWiD97\n"
190 "Htv4Kxpm3P+C+xP9AEteCJfO+7p8MWgtWEJOknJyt55zeKS2JwZIq57KcbqD8U7v\n"
191 "vAUx1ymtUhlFPFd7J1mJ3pou+3aFYmGShYhGHpbrmUwjp7HVP588jrW1NoZVHdMc\n"
192 "4OgJWFrViXeu9+maIcekjMB/+9Y0dUgQuK5ZuT5H/Jwet7Th/o9uufTUZjBzRvrB\n"
193 "pbXgQpqgME2av4Q/6LuldPCTHLtWXgFUU2R+yCGmuGilvhFJnKoQryAbYnIQNWE8\n"
194 "SLoHQ9s1i7Zyb7HU6UAaqMOz15LBkyAqtNyJcO2p7Q/p5YK0xfD4xisI5qXucqVm\n"
196 "-----END CERTIFICATE-----\n",
198 // Test certificate signed with test intermediate ca
199 "-----BEGIN CERTIFICATE-----\n"
200 "MIIDOzCCAiMCAQEwDQYJKoZIhvcNAQEFBQAwZDELMAkGA1UEBhMCQVUxEzARBgNV\n"
201 "BAgMClNvbWUtU3RhdGUxDTALBgNVBAoMBEFDTUUxEDAOBgNVBAsMB1Rlc3Rpbmcx\n"
202 "HzAdBgNVBAMMFlRlc3QgSU0gQ0EgY2VydGlmaWNhdGUwHhcNMTUwMTE2MTY0ODE0\n"
203 "WhcNMzUwMTExMTY0ODE0WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1T\n"
204 "dGF0ZTENMAsGA1UECgwEQUNNRTEQMA4GA1UECwwHVGVzdGluZzEeMBwGA1UEAwwV\n"
205 "VGVzdCBsZWFmIGNlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
206 "CgKCAQEAzTdDIa2tDmRxFnIgiG+mBz8GoSVODs0ImNQGbqj+pLhBOFRH8fsah4Jl\n"
207 "z5YF9KwhMVLknnHGFLE/Nb7Ac35kEzhMQMpTRxohW83oxw3eZ8zN/FBoKqg4qHRq\n"
208 "QR8kS10YXTgrBR0ex/Vp+OUKEw6h7yL2r4Tpvrn9/qHwsxtLxqWbDIVf1O9b1Lfc\n"
209 "bllYMdmV5E62yN5tcwrDP8gvHjFnVeLzrG8wTpc9FR90/0Jkfp5jAJcArOBLrT0E\n"
210 "4VRqs+4HuwT8jAwFAmNnc7IYX5qSjtSWkmmHe73K/lzB+OiI0JEc/3eWUTWqwTSk\n"
211 "4tNCiQGBKJ39LXPTBBJdzmxVH7CUDQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAp\n"
212 "UdDOGu3hNiG+Vn10aQ6B1ZmOj3t+45gUV3sC+y8hB8EK1g4P5Ke9bVDts0T5eOnj\n"
213 "CSc+6VoND5O4adI0IFFRFljHNVnvjeosHfUZNnowsmA2ptQBtC1g5ZKRvKXlkC5/\n"
214 "i5BGgRqPFA7y9WB9Y05MrJHf3E+Oz/RBsLeeNiNN+rF5X1vYExvGHpo0M0zS0ze9\n"
215 "HtC0aOy8ocsTrQkf3ceHTAXx2i8ftoSSD4klojtWFpWMrNQa52F7wB9nU6FfKRuF\n"
216 "Zj/T1JkYXKkEwZU6nAR2jdZp3EP9xj3o15V/tyFcXHx6l8NTxn4cJb+Xe4VquQJz\n"
217 "6ON7PVe0ABN/AlwVQiFE\n"
218 "-----END CERTIFICATE-----\n",
221 // index of CERT array
223 CERT_ROOT_CA, // system root ca cert
224 CERT_IM_CA1, // ca cert signed with CERT_ROOT_CA (also present as system root ca (sic!))
225 CERT_IM_CA2, // ca cert signed with CERT_IM_CA1
226 CERT_LEAF, // cert signed with CERT_IM_CA2
227 CERT_TEST_ROOT_CA, // test root ca cert
228 CERT_TEST_IM_CA, // test im ca cert signed with CERT_TEST_ROOT_CA
229 CERT_TEST_LEAF, // test certificate signed with CERT_TEST_IM_CA
232 template <typename F, typename... Args>
233 void assert_result(int expected, F&& func, Args... args)
235 int ret = func(args...);
236 RUNNER_ASSERT_MSG_BT(ret == expected, "Expected " << expected << " got: " << ret);
239 template <typename F, typename... Args>
240 void assert_positive(F&& func, Args... args)
242 assert_result(CKMC_ERROR_NONE, std::move(func), args...);
245 template <typename F, typename... Args>
246 void assert_invalid_param(F&& func, Args... args)
248 assert_result(CKMC_ERROR_INVALID_PARAMETER, std::move(func), args...);
251 template <typename T>
252 size_t list_size(const T* list)
262 typedef std::unique_ptr<ckmc_cert_s, void (*)(ckmc_cert_s*)> CertPtr;
263 typedef std::unique_ptr<ckmc_cert_list_s, void (*)(ckmc_cert_list_s*)> CertListPtr;
264 typedef std::unique_ptr<ckmc_alias_list_s, void (*)(ckmc_alias_list_s*)> AliasListPtr;
266 ckmc_cert_s* create_cert(CertIdx idx) {
267 size_t size = sizeof(CERT)/sizeof(CERT[0]);
268 RUNNER_ASSERT_MSG_BT(idx < size, "Certificate index out of range: " << idx << ">=" << size);
270 ckmc_cert_s* cert = NULL;
271 assert_positive(ckmc_cert_new,
272 reinterpret_cast<unsigned char*>(const_cast<char*>(CERT[idx])),
277 RUNNER_ASSERT_MSG_BT(cert != NULL, "Cert is NULL");
281 void save_cert(const ckmc_cert_s* cert, const char* alias) {
282 ckmc_policy_s policy;
283 policy.password = NULL;
284 policy.extractable = 1;
287 assert_positive(ckmc_save_cert, alias, *cert, policy);
290 // list gets copies of aliases
291 AliasListPtr create_alias_list(const char* alias, ...) {
292 AliasListPtr aliasList(NULL, ckmc_alias_list_all_free);
297 ckmc_alias_list_s* last = NULL;
298 for (const char* a = alias; a != NULL; a = va_arg(ap, const char*)) {
299 if (aliasList == NULL) {
300 ckmc_alias_list_s* tmp = NULL;
301 assert_positive(ckmc_alias_list_new, strdup(a), &tmp);
302 aliasList = AliasListPtr(tmp, ckmc_alias_list_all_free);
303 RUNNER_ASSERT_MSG_BT(!!aliasList, "Alias list is NULL");
304 last = aliasList.get();
306 assert_positive(ckmc_alias_list_add, last, strdup(a), &last);
307 RUNNER_ASSERT_MSG_BT(last != NULL, "Last alias on the list is NULL");
315 // list takes ownership of provided certificates
316 CertListPtr create_cert_list(ckmc_cert_s* cert, ...) {
317 CertListPtr certList(NULL, ckmc_cert_list_all_free);
322 ckmc_cert_list_s* last = NULL;
323 for (ckmc_cert_s* c = cert; c!=NULL; c = va_arg(ap, ckmc_cert_s*)) {
325 ckmc_cert_list_s* tmp = NULL;
326 assert_positive(ckmc_cert_list_new, c, &tmp);
327 certList = CertListPtr(tmp, ckmc_cert_list_all_free);
328 RUNNER_ASSERT_MSG_BT(!!certList, "Cert list is NULL");
329 last = certList.get();
331 assert_positive(ckmc_cert_list_add, last, c, &last);
332 RUNNER_ASSERT_MSG_BT(last != NULL, "Last cert on the list is NULL");
340 const ckmc_alias_list_s* NULL_ALIASES = NULL;
341 const ckmc_cert_s* NULL_CERT = NULL;
342 ckmc_cert_list_s** NULL_CHAIN = NULL;
347 static int createChain(const ckmc_cert_s *cert,
348 const ckmc_cert_list_s *untrustedcerts,
349 const ckmc_cert_list_s* /*trustedcerts*/,
350 const bool /*use_trustedsystemcerts*/,
351 ckmc_cert_list_s **ppcert_chain_list)
353 return ckmc_get_cert_chain(cert, untrustedcerts, ppcert_chain_list);
356 static int createChainWithAlias(const ckmc_cert_s *cert,
357 const ckmc_alias_list_s *untrustedcerts,
358 const ckmc_alias_list_s* /*trustedcerts*/,
359 const bool /*use_trustedsystemcerts*/,
360 ckmc_cert_list_s **ppcert_chain_list)
362 return ckmc_get_cert_chain_with_alias(cert, untrustedcerts, ppcert_chain_list);
369 static int createChain(const ckmc_cert_s *cert,
370 const ckmc_cert_list_s *untrustedcerts,
371 const ckmc_cert_list_s *trustedcerts,
372 const bool use_trustedsystemcerts,
373 ckmc_cert_list_s **ppcert_chain_list)
375 return ckmc_get_certificate_chain(cert,
378 use_trustedsystemcerts,
382 static int createChainWithAlias(const ckmc_cert_s *cert,
383 const ckmc_alias_list_s *untrustedcerts,
384 const ckmc_alias_list_s *trustedcerts,
385 const bool use_trustedsystemcerts,
386 ckmc_cert_list_s **ppcert_chain_list)
388 return ckmc_get_certificate_chain_with_alias(cert,
391 use_trustedsystemcerts,
397 * Helper class for certificate verification
399 template <typename T=ChainApiNew>
406 void addTrusted(CertIdx idx);
407 void addUntrusted(CertIdx idx);
408 void enableSystem(bool enable);
410 void verifyPositive(CertIdx idx, size_t expected);
411 void verifyNegative(CertIdx idx, int error = CKMC_ERROR_VERIFICATION_FAILED);
414 void addCert(ckmc_cert_list_s*& list, ckmc_cert_s* cert);
415 void addAlias(ckmc_alias_list_s*& list, const char* alias);
417 ckmc_cert_list_s* m_trustedCerts;
418 ckmc_alias_list_s* m_trustedAliases;
420 ckmc_cert_list_s* m_untrustedCerts;
421 ckmc_alias_list_s* m_untrustedAliases;
426 template <typename T>
427 ChainVerifier<T>::ChainVerifier() :
428 m_trustedCerts(NULL),
429 m_trustedAliases(NULL),
430 m_untrustedCerts(NULL),
431 m_untrustedAliases(NULL),
436 template <typename T>
437 ChainVerifier<T>::~ChainVerifier()
439 ckmc_cert_list_all_free(m_trustedCerts);
440 ckmc_cert_list_all_free(m_untrustedCerts);
441 ckmc_alias_list_all_free(m_trustedAliases);
442 ckmc_alias_list_all_free(m_untrustedAliases);
445 template <typename T>
446 void ChainVerifier<T>::addTrusted(CertIdx idx)
448 size_t size = list_size(m_trustedCerts);
449 ckmc_cert_s* cert = create_cert(idx);
450 addCert(m_trustedCerts, cert);
452 std::stringstream ss;
453 ss << "TRUSTED_CERT_ALIAS_" << size;
454 save_cert(cert, ss.str().c_str());
455 addAlias(m_trustedAliases, ss.str().c_str());
458 template <typename T>
459 void ChainVerifier<T>::addUntrusted(CertIdx idx)
461 size_t size = list_size(m_untrustedCerts);
462 ckmc_cert_s* cert = create_cert(idx);
463 addCert(m_untrustedCerts, cert);
465 std::stringstream ss;
466 ss << "UNTRUSTED_CERT_ALIAS_" << size;
467 save_cert(cert, ss.str().c_str());
468 addAlias(m_untrustedAliases, ss.str().c_str());
471 template <typename T>
472 void ChainVerifier<T>::enableSystem(bool enable)
477 template <typename T>
478 void ChainVerifier<T>::addCert(ckmc_cert_list_s*& list, ckmc_cert_s* cert)
481 ckmc_cert_list_s* tmp = NULL;
482 assert_positive(ckmc_cert_list_new, cert, &tmp);
483 RUNNER_ASSERT_MSG_BT(!!tmp, "Cert list is NULL");
486 ckmc_cert_list_s* last = list;
489 assert_positive(ckmc_cert_list_add, last, cert, &last);
490 RUNNER_ASSERT_MSG_BT(last != NULL, "Last cert on the list is NULL");
494 template <typename T>
495 void ChainVerifier<T>::addAlias(ckmc_alias_list_s*& list, const char* alias)
498 ckmc_alias_list_s* tmp = NULL;
499 assert_positive(ckmc_alias_list_new, strdup(alias), &tmp);
500 RUNNER_ASSERT_MSG_BT(!!tmp, "Alias list is NULL");
503 ckmc_alias_list_s* last = list;
506 assert_positive(ckmc_alias_list_add, last, strdup(alias), &last);
507 RUNNER_ASSERT_MSG_BT(last != NULL, "Last alias on the list is NULL");
511 template <typename T>
512 void ChainVerifier<T>::verifyPositive(CertIdx idx, size_t expected)
514 ckmc_cert_s* cert = create_cert(idx);
516 ckmc_cert_list_s* chain = NULL;
518 assert_positive(T::createChain,
525 size_t size = list_size(chain);
526 ckmc_cert_list_all_free(chain);
528 RUNNER_ASSERT_MSG_BT(size == expected, "Expected chain size: " << expected << " got: " << size);
530 assert_positive(T::createChainWithAlias,
537 size = list_size(chain);
538 ckmc_cert_list_all_free(chain);
540 RUNNER_ASSERT_MSG_BT(size == expected, "Expected chain size: " << expected << " got: " << size);
541 ckmc_cert_free(cert);
544 template <typename T>
545 void ChainVerifier<T>::verifyNegative(CertIdx idx, int error)
547 ckmc_cert_s* cert = create_cert(idx);
549 ckmc_cert_list_s* chain = NULL;
558 RUNNER_ASSERT_MSG_BT(chain == NULL, "Chain is not empty");
561 T::createChainWithAlias,
568 RUNNER_ASSERT_MSG_BT(chain == NULL, "Chain is not empty");
569 ckmc_cert_free(cert);
572 } // namespace anonymous
574 RUNNER_TEST_GROUP_INIT(T307_CKMC_CAPI_CERTIFICATE_CHAINS);
576 RUNNER_TEST(TCCH_0000_init)
579 assert_positive(ckmc_unlock_user_key, 0, "test-pass");
583 RUNNER_TEST(TCCH_0010_get_chain_old_api)
585 assert_positive(ckmc_remove_user_data,0);
587 ChainVerifier<ChainApiOld> cv;
588 cv.verifyNegative(CERT_LEAF);
590 cv.addUntrusted(CERT_IM_CA2);
591 cv.verifyPositive(CERT_LEAF, 3); // including system cert
592 cv.verifyNegative(CERT_TEST_LEAF);
596 RUNNER_TEST(TCCH_0020_get_chain_old_api_system_only)
598 assert_positive(ckmc_remove_user_data,0);
600 ChainVerifier<ChainApiOld> cv;
601 cv.verifyPositive(CERT_IM_CA2, 2); // including system cert
604 // check invalid arguments
605 RUNNER_TEST(TCCH_0100_get_certificate_chain_invalid_param)
607 assert_positive(ckmc_remove_user_data,0);
609 ckmc_cert_s* ca2 = create_cert(CERT_IM_CA2);
610 ckmc_cert_s* ca1 = create_cert(CERT_IM_CA1);
611 ckmc_cert_list_s* chain = NULL;
614 CertListPtr untrusted_c = create_cert_list(ca1, NULL);
617 assert_invalid_param(ckmc_get_certificate_chain,
624 assert_invalid_param(ckmc_get_certificate_chain,
632 ca1 = create_cert(CERT_IM_CA1);
633 save_cert(ca1, "CERT_IM_CA1");
634 AliasListPtr untrusted_a = create_alias_list("CERT_IM_CA1", NULL);
636 assert_invalid_param(ckmc_get_certificate_chain_with_alias,
643 assert_invalid_param(ckmc_get_certificate_chain_with_alias,
653 // check invalid arguments
654 RUNNER_TEST(TCCH_0110_get_certificate_chain_alias_unknown)
656 assert_positive(ckmc_remove_user_data,0);
658 ckmc_cert_s* ca2 = create_cert(CERT_IM_CA2);
659 ckmc_cert_list_s* chain = NULL;
661 AliasListPtr non_existing = create_alias_list("NON_EXISTING_ALIAS", NULL);
662 assert_result(CKMC_ERROR_DB_ALIAS_UNKNOWN,
663 ckmc_get_certificate_chain_with_alias,
670 assert_result(CKMC_ERROR_DB_ALIAS_UNKNOWN,
671 ckmc_get_certificate_chain_with_alias,
681 * This test verifies that chain of trust won't be successfully built unless system or trusted
682 * certificates are used even if real trusted root ca certs are used as untrusted.
684 RUNNER_TEST(TCCH_0120_get_certificate_chain_root_ca_negative)
686 assert_positive(ckmc_remove_user_data,0);
689 cv.enableSystem(false);
690 cv.verifyNegative(CERT_ROOT_CA);
692 cv.addUntrusted(CERT_IM_CA2);
693 cv.verifyNegative(CERT_LEAF);
697 * This test verifies that it's possible to build a chain of trust with single trusted certificate
698 * and no system certificates.
700 RUNNER_TEST(TCCH_0140_get_certificate_chain_trusted_only)
702 assert_positive(ckmc_remove_user_data,0);
705 cv.enableSystem(false);
706 cv.addTrusted(CERT_TEST_ROOT_CA);
707 cv.verifyPositive(CERT_TEST_IM_CA, 2);
708 cv.verifyNegative(CERT_TEST_LEAF);
712 * This test verifies that it's possible to build a chain of trust with system certificates only
714 RUNNER_TEST(TCCH_0150_get_certificate_chain_system_only)
716 assert_positive(ckmc_remove_user_data,0);
719 cv.verifyPositive(CERT_IM_CA2, 2); // including system cert
720 cv.verifyNegative(CERT_LEAF);
724 * Verifies that chain of trust can be built without untrusted certificates.
726 RUNNER_TEST(TCCH_0160_get_certificate_chain_no_untrusted)
728 assert_positive(ckmc_remove_user_data,0);
731 cv.addTrusted(CERT_TEST_ROOT_CA);
732 cv.verifyPositive(CERT_TEST_IM_CA, 2);// signed with trusted cert (CERT_TEST_ROOT_CA)
733 cv.verifyPositive(CERT_IM_CA2, 2); // signed with system cert (CERT_IM_CA1)
734 cv.verifyNegative(CERT_LEAF);
737 RUNNER_TEST(TCCH_0170_get_certificate_chain_no_trusted)
739 assert_positive(ckmc_remove_user_data,0);
742 cv.addUntrusted(CERT_IM_CA2);
743 cv.verifyPositive(CERT_LEAF,3); // including system cert
744 cv.verifyNegative(CERT_TEST_LEAF);
748 * Check if its possible to build a chain of trust without system certs.
750 RUNNER_TEST(TCCH_0180_get_certificate_chain_no_system)
752 assert_positive(ckmc_remove_user_data,0);
755 cv.enableSystem(false);
756 cv.addTrusted(CERT_TEST_ROOT_CA);
757 cv.addUntrusted(CERT_TEST_IM_CA);
758 cv.verifyPositive(CERT_TEST_LEAF, 3);
759 cv.verifyNegative(CERT_LEAF);
763 * Check if its possible to build a chain of trust with intermediate ca cert in trusted list.
765 RUNNER_TEST(TCCH_0190_get_certificate_chain_im_ca_in_trusted)
767 assert_positive(ckmc_remove_user_data,0);
770 cv.enableSystem(false);
771 cv.addTrusted(CERT_TEST_ROOT_CA);
772 cv.addTrusted(CERT_TEST_IM_CA);
773 cv.verifyPositive(CERT_TEST_LEAF, 3);
774 cv.verifyNegative(CERT_LEAF);
777 RUNNER_TEST(TCCH_0200_get_certificate_chain_all)
779 assert_positive(ckmc_remove_user_data,0);
782 cv.enableSystem(true);
783 cv.addTrusted(CERT_TEST_ROOT_CA);
784 cv.addUntrusted(CERT_IM_CA1);
785 cv.addUntrusted(CERT_IM_CA2);
787 * In combat conditions this may as well be 3. Because of 2 existing GeoTrust certificates with
788 * same Subject and Public key one being root ca and the other not there are 2 possible chains
789 * of trust for this certificate.
791 cv.verifyPositive(CERT_LEAF,4);
792 cv.verifyNegative(CERT_TEST_LEAF);
795 RUNNER_TEST(TCCH_9999_deinit)
799 assert_positive(ckmc_lock_user_key, 0);
800 assert_positive(ckmc_remove_user_data, 0);
projects / platform / core / test / security-tests.git / blob