From 2fbb736e010067b017368aac85dc34e1766347cb Mon Sep 17 00:00:00 2001
From: Juan Lang
Date: Wed, 28 Oct 2009 09:10:29 -0700
Subject: [PATCH] crypt32: Add some tests of the SSL policy.
---
 dlls/crypt32/tests/chain.c | 136 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 136 insertions(+)
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index ddc9ac523b6..10cea4d5787 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -1973,6 +1973,8 @@ static ChainCheck chainCheckNoStore[] = {
 /* Wednesday, Oct 1, 2007 */
 static SYSTEMTIME oct2007 = { 2007, 10, 1, 1, 0, 0, 0, 0 };
+/* Wednesday, Oct 28, 2009 */
+static SYSTEMTIME oct2009 = { 2009, 10, 3, 28, 0, 0, 0, 0 };
 static void testGetCertChain(void)
 {
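Review bot: `static SYSTEMTIME oct2009 = { 2009, 10, 3, 28, 0, 0, 0, 0 };` relies on the positional SYSTEMTIME layout (wYear, wMonth, wDayOfWeek, wDay, ...) and the comment names only the date; since this value is presumably the "good" verification time for the googleChain case added later in the patch, saying so would explain why a second fixed time sits next to oct2007 instead of leaving the reader to diff the two initializers, e.g. `/* Wednesday, Oct 28, 2009 (wDayOfWeek 3): inside googleChain's validity period */`. The wDayOfWeek value 3 is consistent with the Wednesday in the comment, so the initializer itself looks right.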
@@ -2139,6 +2141,52 @@ static const ChainPolicyCheck basePolicyCheck[] = {
 { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 },
 };
+static const ChainPolicyCheck sslPolicyCheck[] = {
+ { { sizeof(chain0) / sizeof(chain0[0]), chain0 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain1) / sizeof(chain1[0]), chain1 },
+ { 0, TRUST_E_CERT_SIGNATURE, 0, 0, NULL }, NULL, 0 },
+ { { sizeof(chain2) / sizeof(chain2[0]), chain2 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain3) / sizeof(chain3[0]), chain3 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain4) / sizeof(chain4[0]), chain4 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL }, NULL, 0 },
+ { { sizeof(chain5) / sizeof(chain5[0]), chain5 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain6) / sizeof(chain6[0]), chain6 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain7) / sizeof(chain7[0]), chain7 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain8) / sizeof(chain8[0]), chain8 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL }, NULL, 0 },
+ { { sizeof(chain9) / sizeof(chain9[0]), chain9 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, -1, NULL }, NULL, 0 },
+ { { sizeof(chain10) / sizeof(chain10[0]), chain10 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain11) / sizeof(chain11[0]), chain11 },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(chain12) / sizeof(chain12[0]), chain12 },
+ { 0, TRUST_E_CERT_SIGNATURE, 0, 1, NULL }, NULL, 0 },
+ { { sizeof(selfSignedChain) / sizeof(selfSignedChain[0]), selfSignedChain },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 },
+};
+
+static const ChainPolicyCheck sslPolicyCheckWithMatchingNameExpired = {
+ { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
+ { 0, CERT_E_EXPIRED, 0, 0, NULL}, NULL, 0
+};
+
+static const ChainPolicyCheck sslPolicyCheckWithMatchingName = {
+ { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
+ { 0, 0, -1, -1, NULL}, NULL, 0
+};
+
+static const ChainPolicyCheck sslPolicyCheckWithoutMatchingName = {
+ { sizeof(iTunesChain) / sizeof(iTunesChain[0]), iTunesChain },
+ { 0, CERT_E_CN_NO_MATCH, 0, 0, NULL}, NULL, 0
+};
+
 static const ChainPolicyCheck authenticodePolicyCheck[] = {
 { { sizeof(chain0) / sizeof(chain0[0]), chain0 },
 { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, NULL, 0 },
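Review bot: The three named-host cases pin server-name matching at exactly one point on each side — googleChain against www.google.com succeeds, iTunesChain against winehq.org yields CERT_E_CN_NO_MATCH — and nothing in the hunk records which names the two chains actually carry, so a reader cannot tell whether the mismatch is being detected through the subject CN or through a subjectAltName (the googleChain and iTunesChain definitions are outside this hunk). A comment on `sslPolicyCheckWithoutMatchingName`, along the lines of `/* iTunesChain: neither the subject CN nor the dNSName entries match winehq.org */`, would make the expected error checkable; adjust the wording to whatever names the chain really contains. Because the hostname check is what separates an SSL client from an attacker presenting any valid certificate, cases for a mismatching SAN with a matching CN, a wildcard name, and a case-only difference would be worth adding before this policy is relied on. The `-1, -1` chain/element indices in `sslPolicyCheckWithMatchingName` presumably mean "don't care" on the success path and deserve a one-line comment saying so.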
@@ -2312,6 +2360,93 @@ static void checkChainPolicyStatus(LPCSTR policy, const ChainPolicyCheck *check,
 }
 }
+static void check_ssl_policy(void)
+{
+ DWORD i;
+ CERT_CHAIN_POLICY_PARA policyPara = { 0 };
+ SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslPolicyPara = { { 0 } };
+ WCHAR winehq[] = { 'w','i','n','e','h','q','.','o','r','g',0 };
+ WCHAR google_dot_com[] = { 'w','w','w','.','g','o','o','g','l','e','.',
+ 'c','o','m',0 };
+
+ /* Check ssl policy with no parameter */
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, NULL);
+ /* Check again with a policy parameter that specifies nothing */
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* Check yet again, but specify an empty SSL_EXTRA_CERT_CHAIN_POLICY_PARA
+ * argument.
+ */
+ policyPara.pvExtraPolicyPara = &sslPolicyPara;
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* And again, but specify the auth type as a client */
+ sslPolicyPara.dwAuthType = AUTHTYPE_CLIENT;
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* And again, but specify the auth type as a server */
+ sslPolicyPara.dwAuthType = AUTHTYPE_SERVER;
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* And again authenticating a client, but specify the size of the policy
+ * parameter.
+ */
+ sslPolicyPara.cbSize = sizeof(sslPolicyCheck);
+ sslPolicyPara.dwAuthType = AUTHTYPE_CLIENT;
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* One more time authenticating a client, but specify winehq.org as the
+ * server name.
+ */
+ sslPolicyPara.pwszServerName = winehq;
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* And again authenticating a server, still specifying winehq.org as the
+ * server name.
+ */
+ sslPolicyPara.dwAuthType = AUTHTYPE_SERVER;
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* And again authenticating a server, this time specifying the size of the
+ * policy param.
+ */
+ policyPara.cbSize = sizeof(policyPara);
+ for (i = 0;
+ i < sizeof(sslPolicyCheck) / sizeof(sslPolicyCheck[0]); i++)
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL, &sslPolicyCheck[i], i,
+ &oct2007, &policyPara);
+ /* Yet again, but checking the iTunes chain, which contains a name
+ * extension.
+ */
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,
+ &sslPolicyCheckWithoutMatchingName, 0, &oct2007, &policyPara);
+ /* And again, but checking the Google chain at a bad date */
+ sslPolicyPara.pwszServerName = google_dot_com;
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,
+ &sslPolicyCheckWithMatchingNameExpired, 0, &oct2007, &policyPara);
+ /* And again, but checking the Google chain at a good date */
+ sslPolicyPara.pwszServerName = google_dot_com;
+ checkChainPolicyStatus(CERT_CHAIN_POLICY_SSL,
+ &sslPolicyCheckWithMatchingName, 0, &oct2009, &policyPara);
+}
+
 static void testVerifyCertChainPolicy(void)
 {
 BOOL ret;
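Review bot: `sslPolicyPara.cbSize = sizeof(sslPolicyCheck);` sets the size field of the SSL_EXTRA_CERT_CHAIN_POLICY_PARA to the byte size of the sslPolicyCheck test-case array rather than of the structure, so the case the comment describes ("specify the size of the policy parameter") is never actually exercised; it should read `sslPolicyPara.cbSize = sizeof(sslPolicyPara);`, matching how `policyPara.cbSize = sizeof(policyPara);` is set later in the same function. If the implementation under test ever validates cbSize against the known structure size — the usual reason such a field exists — a correct implementation would reject this oversized value and the bug would surface as a spurious test failure rather than stay silent. The two `sslPolicyPara.pwszServerName = google_dot_com;` assignments near the end are also redundant, since the second re-assigns the value already in place. As a style matter only, the nine near-identical loops over sslPolicyCheck would read more clearly as a small static helper taking the SYSTEMTIME and the CERT_CHAIN_POLICY_PARA pointer.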
@@ -2378,6 +2513,7 @@ static void testVerifyCertChainPolicy(void)
 i < sizeof(basePolicyCheck) / sizeof(basePolicyCheck[0]); i++)
 checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, &basePolicyCheck[i], i,
 &oct2007, NULL);
+ check_ssl_policy();
 /* The authenticode policy doesn't seem to check anything beyond the base
 * policy. It might check for chains signed by the MS test cert, but none
 * of these chains is.
--
2.11.4.GIT