constraints: Add inhibitPolicyMapping tests
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "test_suite.h"
17
18 #include <asn1/asn1.h>
19 #include <credentials/sets/mem_cred.h>
20 #include <credentials/certificates/x509.h>
21
/**
 * DER-encoded RSA private key (fed to the credential factory as
 * BUILD_BLOB_ASN1_DER/KEY_RSA in create_cert_ext()), so the tests don't have
 * to generate one. The modulus INTEGER is 128 bytes, i.e. a 1024-bit key;
 * it is a throw-away test fixture only.
 */
static char keydata[] = {
	0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24,
	0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d,
	0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf,
	0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f,
	0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27,
	0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad,
	0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63,
	0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71,
	0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01,
	0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5,
	0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4,
	0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb,
	0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f,
	0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93,
	0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88,
	0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4,
	0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd,
	0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b,
	0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21,
	0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee,
	0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7,
	0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4,
	0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54,
	0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9,
	0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7,
	0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61,
	0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef,
	0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6,
	0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08,
	0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65,
	0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e,
	0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e,
	0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d,
	0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02,
	0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b,
	0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71,
	0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda,
	0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02,
	0x49,0xe8,
};
66
/**
 * Issue a certificate for the given policy, optionally with a single policy
 * mapping and with the three policy constraint counters set explicitly.
 *
 * Every certificate is signed with the fixed RSA key in keydata above.
 *
 * @param ca				issuing certificate, NULL for a self-signed root
 * @param subject			subject DN, parsed with identification_create_from_string()
 * @param oid				certificate policy OID to include, NULL for none
 * @param flags				X.509 flags (e.g. X509_CA)
 * @param map_s				subjectDomainPolicy OID of the mapping, NULL for none
 * @param map_i				issuerDomainPolicy OID of the mapping, NULL for none
 *							(a mapping is only added if both are given)
 * @param require_explicit	requireExplicitPolicy value, create_cert() passes
 *							X509_NO_CONSTRAINT
 * @param inhibit_mapping	inhibitPolicyMapping value, X509_NO_CONSTRAINT as above
 * @param inhibit_any		inhibitAnyPolicy value, X509_NO_CONSTRAINT as above
 * @return					issued certificate, the caller is responsible for it
 */
static certificate_t* create_cert_ext(certificate_t *ca, char *subject,
									  char *oid, x509_flag_t flags,
									  char *map_s, char *map_i,
									  u_int require_explicit,
									  u_int inhibit_mapping,
									  u_int inhibit_any)
{
	x509_cert_policy_t policy = {};
	x509_policy_mapping_t map = {};
	linked_list_t *policies, *maps;
	identification_t *id;
	certificate_t *cert;

	private_key_t *privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
									KEY_RSA, BUILD_BLOB_ASN1_DER,
									chunk_from_thing(keydata), BUILD_END);
	ck_assert(privkey);
	public_key_t *pubkey = privkey->get_public_key(privkey);
	ck_assert(pubkey);

	/* at most one certificatePolicies entry */
	policies = linked_list_create();
	if (oid != NULL)
	{
		policy.oid = asn1_oid_from_string(oid);
		ck_assert(policy.oid.ptr);
		policies->insert_last(policies, &policy);
	}
	/* at most one policyMappings entry, and only if both sides are present */
	maps = linked_list_create();
	if (map_s != NULL && map_i != NULL)
	{
		map.subject = asn1_oid_from_string(map_s);
		ck_assert(map.subject.ptr);
		map.issuer = asn1_oid_from_string(map_i);
		ck_assert(map.issuer.ptr);
		maps->insert_last(maps, &map);
	}

	id = identification_create_from_string(subject);
	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
							  BUILD_SIGNING_KEY, privkey,
							  BUILD_PUBLIC_KEY, pubkey,
							  BUILD_SUBJECT, id,
							  BUILD_X509_FLAG, flags,
							  BUILD_CERTIFICATE_POLICIES, policies,
							  BUILD_POLICY_MAPPINGS, maps,
							  BUILD_SIGNING_CERT, ca,
							  BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
							  BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
							  BUILD_POLICY_INHIBIT_ANY, inhibit_any,
							  BUILD_END);
	ck_assert(cert);

	/* local objects are released here, so the builder is expected to have
	 * copied whatever it keeps (lists, OIDs, subject) */
	id->destroy(id);
	policies->destroy(policies);
	maps->destroy(maps);
	privkey->destroy(privkey);
	pubkey->destroy(pubkey);
	chunk_free(&policy.oid);
	chunk_free(&map.subject);
	chunk_free(&map.issuer);

	return cert;
}
132
/**
 * Issue a certificate with the given certificate policy, flags and optional
 * policy mapping, leaving all three policy constraints at X509_NO_CONSTRAINT.
 *
 * @param ca		issuing certificate, NULL for a self-signed root
 * @param subject	subject DN as string
 * @param oid		certificate policy OID, NULL for none
 * @param flags		X.509 flags (e.g. X509_CA)
 * @param map_s		subjectDomainPolicy OID of the mapping, NULL for none
 * @param map_i		issuerDomainPolicy OID of the mapping, NULL for none
 * @return			issued certificate, see create_cert_ext()
 */
static certificate_t* create_cert(certificate_t *ca, char *subject,
								  char *oid, x509_flag_t flags,
								  char *map_s, char *map_i)
{
	const u_int unconstrained = X509_NO_CONSTRAINT;

	return create_cert_ext(ca, subject, oid, flags, map_s, map_i,
						   unconstrained, unconstrained, unconstrained);
}
144
/**
 * Check if the trusted certificate found for the given subject carries the
 * given policy OID in its resulting auth config (AUTH_RULE_CERT_POLICY).
 *
 * Fails the test outright if no trusted certificate exists for the subject,
 * so a FALSE result always means "trusted, but policy not valid".
 *
 * @param subject	subject identity to look up
 * @param oid		policy OID string to look for
 * @return			TRUE if an AUTH_RULE_CERT_POLICY rule equals oid
 */
static bool check_oid(identification_t *subject, char *oid)
{
	enumerator_t *certs, *rules;
	certificate_t *cert;
	auth_cfg_t *auth;
	auth_rule_t rule;
	char *value;
	bool found = FALSE;

	certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
													subject, FALSE);
	if (!certs->enumerate(certs, &cert, &auth))
	{
		certs->destroy(certs);
		ck_assert_msg(FALSE, "no trusted certificate found for %Y", subject);
	}
	rules = auth->create_enumerator(auth);
	/* stop at the first matching policy rule */
	while (!found && rules->enumerate(rules, &rule, &value))
	{
		found = (rule == AUTH_RULE_CERT_POLICY) && streq(value, oid);
	}
	rules->destroy(rules);
	certs->destroy(certs);

	return found;
}
181
/**
 * Check if a certificate with the given subject has a valid trust chain,
 * i.e. whether the credential manager yields at least one trusted
 * certificate for it.
 *
 * @param subject	subject identity to look up
 * @return			TRUE if a trusted certificate was found
 */
static bool check_trust(identification_t *subject)
{
	certificate_t *cert;
	enumerator_t *certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
													KEY_ANY, subject, FALSE);
	bool trusted = certs->enumerate(certs, &cert, NULL);

	certs->destroy(certs);
	return trusted;
}
198
/** in-memory credential set each test fills with its chain, see setup() */
static mem_cred_t *creds;

/** anyPolicy (RFC 5280, 2.5.29.32.0) */
static char *anyPolicy = "2.5.29.32.0";
/** CA/Browser Forum EV policy OID */
static char *extended = "2.23.140.1.1";
/** CA/Browser Forum baseline requirements policy OID */
static char *baseline = "2.23.140.1.2";
204
/**
 * Per-test fixture: register a fresh, empty in-memory credential set with
 * the credential manager, so each test builds its own chain from scratch.
 */
START_SETUP(setup)
{
	creds = mem_cred_create();
	lib->credmgr->add_set(lib->credmgr, &creds->set);
}
END_SETUP
211
/**
 * Per-test fixture: unregister and destroy the credential set (and with it
 * the certificates handed to it), then flush the credential manager's
 * certificate cache — presumably so cached trust results of one test can't
 * influence the next one.
 */
START_TEARDOWN(teardown)
{
	lib->credmgr->remove_set(lib->credmgr, &creds->set);
	creds->destroy(creds);
	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
}
END_TEARDOWN
219
/**
 * CA, IM and SJ all assert baseline: baseline must be valid for SJ.
 */
START_TEST(test_valid_fixed)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", baseline, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(check_oid(sj->get_subject(sj), baseline));
}
END_TEST
235
/**
 * CA asserts anyPolicy, IM and SJ assert baseline: baseline is valid for SJ.
 */
START_TEST(test_valid_any1)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", baseline, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(check_oid(sj->get_subject(sj), baseline));
}
END_TEST
251
/**
 * CA and IM assert anyPolicy, SJ asserts baseline: baseline is valid for SJ.
 */
START_TEST(test_valid_any2)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(check_oid(sj->get_subject(sj), baseline));
}
END_TEST
267
/**
 * CA and IM assert baseline but SJ carries no policy at all: baseline must
 * not be valid for SJ.
 */
START_TEST(test_invalid_missing)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", baseline, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), baseline));
}
END_TEST
283
/**
 * The whole chain asserts baseline, so asking for extended must fail.
 */
START_TEST(test_invalid_wrong)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", baseline, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), extended));
}
END_TEST
299
/**
 * CA and IM assert anyPolicy but SJ carries no policy: anyPolicy in the
 * issuers does not make baseline valid for SJ.
 */
START_TEST(test_invalid_any1)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), baseline));
}
END_TEST
315
/**
 * Every certificate, including the end entity SJ, asserts anyPolicy only:
 * that must not count as the concrete baseline policy.
 */
START_TEST(test_invalid_any2)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", anyPolicy, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), baseline));
}
END_TEST
331
/**
 * CA asserts baseline while IM and SJ assert extended: the policy set is
 * broken at IM, so neither baseline nor extended is valid for SJ.
 */
START_TEST(test_badchain_wrong)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", extended, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);
	identification_t *subject;

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	subject = sj->get_subject(sj);
	ck_assert(!check_oid(subject, baseline));
	ck_assert(!check_oid(subject, extended));
}
END_TEST
348
/**
 * CA and SJ assert baseline but the intermediate IM carries no policy: the
 * gap in the chain invalidates baseline for SJ.
 */
START_TEST(test_badchain_gap)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", NULL, X509_CA, NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), baseline));
}
END_TEST
364
/**
 * CA asserts baseline, IM asserts anyPolicy, SJ asserts extended: anyPolicy
 * in IM must not widen what the CA permits, so extended is not valid for SJ.
 */
START_TEST(test_badchain_any)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), extended));
}
END_TEST
380
/**
 * CA asserts anyPolicy; IM asserts extended and maps issuer policy extended
 * to subject policy baseline; SJ asserts baseline: the mapping makes
 * baseline valid for SJ.
 */
START_TEST(test_valid_mapping)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", extended, X509_CA,
									baseline, extended);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(check_oid(sj->get_subject(sj), baseline));
}
END_TEST
396
/**
 * Two chained mappings: CA asserts 2.23.140.1.3 and maps it to extended,
 * IM asserts extended and maps it to baseline, SJ asserts baseline.
 */
START_TEST(test_valid_mapping_twice)
{
	char *root_policy = "2.23.140.1.3";
	certificate_t *ca = create_cert(NULL, "CN=CA", root_policy, X509_CA,
									extended, root_policy);
	certificate_t *im = create_cert(ca, "CN=IM", extended, X509_CA,
									baseline, extended);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(check_oid(sj->get_subject(sj), baseline));
}
END_TEST
413
/**
 * IM asserts extended but maps baseline onto itself (issuer and subject
 * policy both baseline): such a mapping must not make baseline valid for SJ.
 */
START_TEST(test_invalid_mapping_loop)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", extended, X509_CA,
									baseline, baseline);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), baseline));
}
END_TEST
429
/**
 * Same mapping as test_valid_mapping, but the CA asserts only baseline and
 * therefore never permits extended in IM: baseline must not be valid for SJ.
 */
START_TEST(test_invalid_mapping_notallowed)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", extended, X509_CA,
									baseline, extended);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), baseline));
}
END_TEST
445
/**
 * IM maps extended to baseline but itself asserts an unrelated policy
 * (2.23.140.1.3), not extended: the mapping has nothing to apply to, so
 * baseline must not be valid for SJ.
 */
START_TEST(test_invalid_mapping_nopolicy)
{
	certificate_t *ca = create_cert(NULL, "CN=CA", baseline, X509_CA,
									NULL, NULL);
	certificate_t *im = create_cert(ca, "CN=IM", "2.23.140.1.3", X509_CA,
									baseline, extended);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(!check_oid(sj->get_subject(sj), baseline));
}
END_TEST
461
/**
 * CA asserts extended with inhibitPolicyMapping skipCerts = 1; the directly
 * subordinate IM still maps extended to baseline. Per RFC 5280 the mapping
 * in that one certificate is still permitted, so baseline is valid for SJ.
 */
START_TEST(test_inhibit_mapping_good)
{
	certificate_t *ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA,
										NULL, NULL, X509_NO_CONSTRAINT, 1,
										X509_NO_CONSTRAINT);
	certificate_t *im = create_cert(ca, "CN=IM", extended, X509_CA,
									baseline, extended);
	certificate_t *sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, im);
	creds->add_cert(creds, FALSE, sj);

	ck_assert(check_oid(sj->get_subject(sj), baseline));
}
END_TEST
478
/**
 * CA asserts extended with inhibitPolicyMapping skipCerts = 1, IM1 is a
 * plain subordinate and only IM2 (two certificates below the CA) maps
 * extended to baseline. That mapping is no longer permitted, and the chain
 * must not validate.
 */
START_TEST(test_inhibit_mapping_bad)
{
	certificate_t *ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA,
										NULL, NULL, X509_NO_CONSTRAINT, 1,
										X509_NO_CONSTRAINT);
	certificate_t *i1 = create_cert(ca, "CN=IM1", extended, X509_CA,
									NULL, NULL);
	certificate_t *i2 = create_cert(i1, "CN=IM2", extended, X509_CA,
									baseline, extended);
	certificate_t *sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);

	creds->add_cert(creds, TRUE, ca);
	creds->add_cert(creds, FALSE, i1);
	creds->add_cert(creds, FALSE, i2);
	creds->add_cert(creds, FALSE, sj);

	/* TODO: we currently reject the certificate completely, but should
	 * actually just invalidate the policy not mapped properly */
	ck_assert(!check_trust(sj->get_subject(sj)));
}
END_TEST
499
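/**
 * Create the certpolicy test suite: one test case per policy scenario group,
 * each attached to the setup()/teardown() fixture so every test works on a
 * fresh credential set.
 *
 * Declared with an explicit (void) parameter list so the definition is a
 * proper prototype rather than an old-style declaration.
 *
 * @return	the created suite
 */
Suite *certpolicy_suite_create(void)
{
	Suite *suite = suite_create("certpolicy");
	TCase *tcase;

	tcase = tcase_create("policy valid");
	tcase_add_checked_fixture(tcase, setup, teardown);
	tcase_add_test(tcase, test_valid_fixed);
	tcase_add_test(tcase, test_valid_any1);
	tcase_add_test(tcase, test_valid_any2);
	suite_add_tcase(suite, tcase);

	tcase = tcase_create("policy invalid");
	tcase_add_checked_fixture(tcase, setup, teardown);
	tcase_add_test(tcase, test_invalid_missing);
	tcase_add_test(tcase, test_invalid_wrong);
	tcase_add_test(tcase, test_invalid_any1);
	tcase_add_test(tcase, test_invalid_any2);
	suite_add_tcase(suite, tcase);

	tcase = tcase_create("policy badchain");
	tcase_add_checked_fixture(tcase, setup, teardown);
	tcase_add_test(tcase, test_badchain_wrong);
	tcase_add_test(tcase, test_badchain_gap);
	tcase_add_test(tcase, test_badchain_any);
	suite_add_tcase(suite, tcase);

	tcase = tcase_create("policy valid mapping");
	tcase_add_checked_fixture(tcase, setup, teardown);
	tcase_add_test(tcase, test_valid_mapping);
	tcase_add_test(tcase, test_valid_mapping_twice);
	suite_add_tcase(suite, tcase);

	tcase = tcase_create("policy invalid mapping");
	tcase_add_checked_fixture(tcase, setup, teardown);
	tcase_add_test(tcase, test_invalid_mapping_loop);
	tcase_add_test(tcase, test_invalid_mapping_notallowed);
	tcase_add_test(tcase, test_invalid_mapping_nopolicy);
	suite_add_tcase(suite, tcase);

	tcase = tcase_create("inhibit policy mapping");
	tcase_add_checked_fixture(tcase, setup, teardown);
	tcase_add_test(tcase, test_inhibit_mapping_good);
	tcase_add_test(tcase, test_inhibit_mapping_bad);
	suite_add_tcase(suite, tcase);

	return suite;
}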