Skip to content

Commit

Permalink
Tests: Remove redundant tests submodule in dos.rs.
Browse files Browse the repository at this point in the history 
The tests submodule was a holdover from when these were unit tests.
  • Loading branch information
@briansmith
briansmith committed Oct 7, 2023
1 parent 4a7edf1 commit f9650ae
Showing 1 changed file with 72 additions and 83 deletions.
155 changes: 72 additions & 83 deletions tests/dos.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,97 +27,86 @@
#![no_std]

extern crate alloc;
use alloc::vec;

use alloc::{string::ToString, vec, vec::Vec};
use core::convert::TryFrom;
use webpki::{
EndEntityCert, ErrorExt, Time, TlsServerTrustAnchors, TrustAnchor, ECDSA_P256_SHA256,
};

mod tests {
use alloc::string::ToString;
use alloc::vec::Vec;
use core::convert::TryFrom;

use super::*;
enum ChainTrustAnchor {
InChain,
NotInChain,
}

enum ChainTrustAnchor {
InChain,
NotInChain,
fn build_degenerate_chain(intermediate_count: usize, trust_anchor: ChainTrustAnchor) -> ErrorExt {
let alg = &rcgen::PKCS_ECDSA_P256_SHA256;

let make_issuer = |org_name| {
let mut ca_params = rcgen::CertificateParams::new(Vec::new());
ca_params
.distinguished_name
.push(rcgen::DnType::OrganizationName, org_name);
ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
ca_params.key_usages = vec![
rcgen::KeyUsagePurpose::KeyCertSign,
rcgen::KeyUsagePurpose::DigitalSignature,
rcgen::KeyUsagePurpose::CrlSign,
];
ca_params.alg = alg;
rcgen::Certificate::from_params(ca_params).unwrap()
};

let ca_cert = make_issuer("Bogus Subject");
let ca_cert_der = ca_cert.serialize_der().unwrap();

let mut intermediates = Vec::with_capacity(intermediate_count);
if let ChainTrustAnchor::InChain = trust_anchor {
intermediates.push(ca_cert_der.to_vec());
}

fn build_degenerate_chain(
intermediate_count: usize,
trust_anchor: ChainTrustAnchor,
) -> ErrorExt {
let alg = &rcgen::PKCS_ECDSA_P256_SHA256;

let make_issuer = |org_name| {
let mut ca_params = rcgen::CertificateParams::new(Vec::new());
ca_params
.distinguished_name
.push(rcgen::DnType::OrganizationName, org_name);
ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
ca_params.key_usages = vec![
rcgen::KeyUsagePurpose::KeyCertSign,
rcgen::KeyUsagePurpose::DigitalSignature,
rcgen::KeyUsagePurpose::CrlSign,
];
ca_params.alg = alg;
rcgen::Certificate::from_params(ca_params).unwrap()
};

let ca_cert = make_issuer("Bogus Subject");
let ca_cert_der = ca_cert.serialize_der().unwrap();

let mut intermediates = Vec::with_capacity(intermediate_count);
if let ChainTrustAnchor::InChain = trust_anchor {
intermediates.push(ca_cert_der.to_vec());
}

let mut issuer = ca_cert;
for _ in 0..intermediate_count {
let intermediate = make_issuer("Bogus Subject");
let intermediate_der = intermediate.serialize_der_with_signer(&issuer).unwrap();
intermediates.push(intermediate_der);
issuer = intermediate;
}

let mut ee_params = rcgen::CertificateParams::new(vec!["example.com".to_string()]);
ee_params.is_ca = rcgen::IsCa::ExplicitNoCa;
ee_params.alg = alg;
let ee_cert = rcgen::Certificate::from_params(ee_params).unwrap();
let ee_cert_der = ee_cert.serialize_der_with_signer(&issuer).unwrap();

let trust_anchor = match trust_anchor {
ChainTrustAnchor::InChain => make_issuer("Bogus Trust Anchor").serialize_der().unwrap(),
ChainTrustAnchor::NotInChain => ca_cert_der.clone(),
};

let anchors = &[TrustAnchor::try_from_cert_der(&trust_anchor).unwrap()];
let time = Time::from_seconds_since_unix_epoch(0x1fed_f00d);
let cert = EndEntityCert::try_from(&ee_cert_der[..]).unwrap();
let intermediate_certs = intermediates.iter().map(|x| x.as_ref()).collect::<Vec<_>>();

cert.verify_is_valid_tls_server_cert_ext(
&[&ECDSA_P256_SHA256],
&TlsServerTrustAnchors(anchors),
&intermediate_certs,
time,
)
.unwrap_err()
let mut issuer = ca_cert;
for _ in 0..intermediate_count {
let intermediate = make_issuer("Bogus Subject");
let intermediate_der = intermediate.serialize_der_with_signer(&issuer).unwrap();
intermediates.push(intermediate_der);
issuer = intermediate;
}

#[test]
fn test_too_many_signatures() {
assert!(matches!(
build_degenerate_chain(5, ChainTrustAnchor::NotInChain),
ErrorExt::MaximumSignatureChecksExceeded
));
}
let mut ee_params = rcgen::CertificateParams::new(vec!["example.com".to_string()]);
ee_params.is_ca = rcgen::IsCa::ExplicitNoCa;
ee_params.alg = alg;
let ee_cert = rcgen::Certificate::from_params(ee_params).unwrap();
let ee_cert_der = ee_cert.serialize_der_with_signer(&issuer).unwrap();

let trust_anchor = match trust_anchor {
ChainTrustAnchor::InChain => make_issuer("Bogus Trust Anchor").serialize_der().unwrap(),
ChainTrustAnchor::NotInChain => ca_cert_der.clone(),
};

let anchors = &[TrustAnchor::try_from_cert_der(&trust_anchor).unwrap()];
let time = Time::from_seconds_since_unix_epoch(0x1fed_f00d);
let cert = EndEntityCert::try_from(&ee_cert_der[..]).unwrap();
let intermediate_certs = intermediates.iter().map(|x| x.as_ref()).collect::<Vec<_>>();

cert.verify_is_valid_tls_server_cert_ext(
&[&ECDSA_P256_SHA256],
&TlsServerTrustAnchors(anchors),
&intermediate_certs,
time,
)
.unwrap_err()
}

#[test]
fn test_too_many_path_calls() {
let result = build_degenerate_chain(10, ChainTrustAnchor::InChain);
assert!(matches!(result, ErrorExt::MaximumPathBuildCallsExceeded));
}
#[test]
fn test_too_many_signatures() {
assert!(matches!(
build_degenerate_chain(5, ChainTrustAnchor::NotInChain),
ErrorExt::MaximumSignatureChecksExceeded
));
}

#[test]
fn test_too_many_path_calls() {
let result = build_degenerate_chain(10, ChainTrustAnchor::InChain);
assert!(matches!(result, ErrorExt::MaximumPathBuildCallsExceeded));
}

0 comments on commit f9650ae

Please sign in to comment.