diff --git a/tests/dos.rs b/tests/dos.rs index 8c81bf5c..5aa8c446 100644 --- a/tests/dos.rs +++ b/tests/dos.rs @@ -27,97 +27,86 @@ #![no_std] extern crate alloc; -use alloc::vec; - +use alloc::{string::ToString, vec, vec::Vec}; +use core::convert::TryFrom; use webpki::{ EndEntityCert, ErrorExt, Time, TlsServerTrustAnchors, TrustAnchor, ECDSA_P256_SHA256, }; -mod tests { - use alloc::string::ToString; - use alloc::vec::Vec; - use core::convert::TryFrom; - - use super::*; +enum ChainTrustAnchor { + InChain, + NotInChain, +} - enum ChainTrustAnchor { - InChain, - NotInChain, +fn build_degenerate_chain(intermediate_count: usize, trust_anchor: ChainTrustAnchor) -> ErrorExt { + let alg = &rcgen::PKCS_ECDSA_P256_SHA256; + + let make_issuer = |org_name| { + let mut ca_params = rcgen::CertificateParams::new(Vec::new()); + ca_params + .distinguished_name + .push(rcgen::DnType::OrganizationName, org_name); + ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained); + ca_params.key_usages = vec![ + rcgen::KeyUsagePurpose::KeyCertSign, + rcgen::KeyUsagePurpose::DigitalSignature, + rcgen::KeyUsagePurpose::CrlSign, + ]; + ca_params.alg = alg; + rcgen::Certificate::from_params(ca_params).unwrap() + }; + + let ca_cert = make_issuer("Bogus Subject"); + let ca_cert_der = ca_cert.serialize_der().unwrap(); + + let mut intermediates = Vec::with_capacity(intermediate_count); + if let ChainTrustAnchor::InChain = trust_anchor { + intermediates.push(ca_cert_der.to_vec()); } - fn build_degenerate_chain( - intermediate_count: usize, - trust_anchor: ChainTrustAnchor, - ) -> ErrorExt { - let alg = &rcgen::PKCS_ECDSA_P256_SHA256; - - let make_issuer = |org_name| { - let mut ca_params = rcgen::CertificateParams::new(Vec::new()); - ca_params - .distinguished_name - .push(rcgen::DnType::OrganizationName, org_name); - ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained); - ca_params.key_usages = vec![ - rcgen::KeyUsagePurpose::KeyCertSign, - rcgen::KeyUsagePurpose::DigitalSignature, - rcgen::KeyUsagePurpose::CrlSign, - ]; - ca_params.alg = alg; - rcgen::Certificate::from_params(ca_params).unwrap() - }; - - let ca_cert = make_issuer("Bogus Subject"); - let ca_cert_der = ca_cert.serialize_der().unwrap(); - - let mut intermediates = Vec::with_capacity(intermediate_count); - if let ChainTrustAnchor::InChain = trust_anchor { - intermediates.push(ca_cert_der.to_vec()); - } - - let mut issuer = ca_cert; - for _ in 0..intermediate_count { - let intermediate = make_issuer("Bogus Subject"); - let intermediate_der = intermediate.serialize_der_with_signer(&issuer).unwrap(); - intermediates.push(intermediate_der); - issuer = intermediate; - } - - let mut ee_params = rcgen::CertificateParams::new(vec!["example.com".to_string()]); - ee_params.is_ca = rcgen::IsCa::ExplicitNoCa; - ee_params.alg = alg; - let ee_cert = rcgen::Certificate::from_params(ee_params).unwrap(); - let ee_cert_der = ee_cert.serialize_der_with_signer(&issuer).unwrap(); - - let trust_anchor = match trust_anchor { - ChainTrustAnchor::InChain => make_issuer("Bogus Trust Anchor").serialize_der().unwrap(), - ChainTrustAnchor::NotInChain => ca_cert_der.clone(), - }; - - let anchors = &[TrustAnchor::try_from_cert_der(&trust_anchor).unwrap()]; - let time = Time::from_seconds_since_unix_epoch(0x1fed_f00d); - let cert = EndEntityCert::try_from(&ee_cert_der[..]).unwrap(); - let intermediate_certs = intermediates.iter().map(|x| x.as_ref()).collect::>(); - - cert.verify_is_valid_tls_server_cert_ext( - &[&ECDSA_P256_SHA256], - &TlsServerTrustAnchors(anchors), - &intermediate_certs, - time, - ) - .unwrap_err() + let mut issuer = ca_cert; + for _ in 0..intermediate_count { + let intermediate = make_issuer("Bogus Subject"); + let intermediate_der = intermediate.serialize_der_with_signer(&issuer).unwrap(); + intermediates.push(intermediate_der); + issuer = intermediate; } - #[test] - fn test_too_many_signatures() { - assert!(matches!( - build_degenerate_chain(5, ChainTrustAnchor::NotInChain), - ErrorExt::MaximumSignatureChecksExceeded - )); - } + let mut ee_params = rcgen::CertificateParams::new(vec!["example.com".to_string()]); + ee_params.is_ca = rcgen::IsCa::ExplicitNoCa; + ee_params.alg = alg; + let ee_cert = rcgen::Certificate::from_params(ee_params).unwrap(); + let ee_cert_der = ee_cert.serialize_der_with_signer(&issuer).unwrap(); + + let trust_anchor = match trust_anchor { + ChainTrustAnchor::InChain => make_issuer("Bogus Trust Anchor").serialize_der().unwrap(), + ChainTrustAnchor::NotInChain => ca_cert_der.clone(), + }; + + let anchors = &[TrustAnchor::try_from_cert_der(&trust_anchor).unwrap()]; + let time = Time::from_seconds_since_unix_epoch(0x1fed_f00d); + let cert = EndEntityCert::try_from(&ee_cert_der[..]).unwrap(); + let intermediate_certs = intermediates.iter().map(|x| x.as_ref()).collect::>(); + + cert.verify_is_valid_tls_server_cert_ext( + &[&ECDSA_P256_SHA256], + &TlsServerTrustAnchors(anchors), + &intermediate_certs, + time, + ) + .unwrap_err() +} - #[test] - fn test_too_many_path_calls() { - let result = build_degenerate_chain(10, ChainTrustAnchor::InChain); - assert!(matches!(result, ErrorExt::MaximumPathBuildCallsExceeded)); - } +#[test] +fn test_too_many_signatures() { + assert!(matches!( + build_degenerate_chain(5, ChainTrustAnchor::NotInChain), + ErrorExt::MaximumSignatureChecksExceeded + )); +} + +#[test] +fn test_too_many_path_calls() { + let result = build_degenerate_chain(10, ChainTrustAnchor::InChain); + assert!(matches!(result, ErrorExt::MaximumPathBuildCallsExceeded)); }