Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X.509: Enhance negative testing for CertificatePolicy extension #2836

Merged
merged 4 commits into from
Nov 20, 2019
Merged

X.509: Enhance negative testing for CertificatePolicy extension #2836

merged 4 commits into from
Nov 20, 2019

Commits on Sep 17, 2019

  1. X.509: Remove CRT policy parsing test 'bool len missing' 

    Judging from its name, the purpose of the test

   TBSCertificate v3, ext CertificatePolicies tag, bool len missing

in test_suite_x509parse.data is to exercise the X.509 parsing stack's
behaviour when parsing a CertificatePolicy extension which lacks the
length field of the boolean 'Criticality' value.

However, the test fails at an earlier stage due to a mismatch of inner
and outer length of the explicit ASN.1 extensions structure.

Since we already have tests exercising

- mismatch of inner and outer length in the extensions structure, namely
  'X509 CRT ASN1 (TBS, inv v3Ext, inner tag invalid)'
- missing length of the 'Criticality' field in an extension, namely
  'X509 CRT ASN1 (TBS, inv v3Ext, critical length missing)'

and since for both tests there's no relevance to the use of the
policy extension OID, the test

  'TBSCertificate v3, ext CertificatePolicies tag, bool len missing'

can be dropped.
    Hanno Becker committed Sep 17, 2019
    Configuration menu
    Copy the full SHA
    82a1fe5 View commit details
    Browse the repository at this point in the history

  2. X.509: Move negative tests for CertificatePolicy parsing 

    This commit moves the X.509 negative parsing tests for the
CertificatePolicy extension to the place where negative
testing of other extensions happens.
    Hanno Becker committed Sep 17, 2019
    Configuration menu
    Copy the full SHA
    7b8330a View commit details
    Browse the repository at this point in the history

  3. X.509: Adapt negative parsing test for no data in CrtPolicy ext 

    This commit modifies the test

   X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, data missing)

which exercises the behaviour of the X.509 CRT parser when facing a
CertificatePolicy extension with empty data field.

The following adaptations are made:
- The subject ID and issuer ID are modified to have length 0.
  The previous values `aa` and `bb` are OK, but a generic ASN.1
  parser will try to interpret them as ASN.1 tags and fail. For
  maintainability, it's therefore better to use something that
  can be parsed as ASN.1, and an empty ID is the easiest solution
  here.
- The TBS part of the certificate wasn't followed by signature
  algorithm and signature fields, which makes the test incompatible
  with future changes swapping to breadth-first parsing of
  certificates.
    Hanno Becker committed Sep 17, 2019
    Configuration menu
    Copy the full SHA
    c15ff98 View commit details
    Browse the repository at this point in the history

  4. X.509: Add numerous negative parsing tests for CertificatePolicy ext 

    This commit adds multiple test cases to the X.509 CRT parsing test suite
exercising the stack's behaviour when facing CertificatePolicy extensions
that are malformed for a variety of reasons. It follows the same scheme
as in other negative parsing tests: For each ASN.1 component, have test
cases for (a) unexpected tag, (b) missing length, (c) invalid length
encoding, (d) length out of bounds.
    Hanno Becker committed Sep 17, 2019
    Configuration menu
    Copy the full SHA
    6dfa665 View commit details
    Browse the repository at this point in the history