verify_cert: optional Budget arg for verify_chain helper
This commit updates the `verify_chain` helper to allow providing an
optional `Budget` argument (using the default if not provided). This
makes it easier to write tests that need to customize the path building
budget (e.g. `name_constraint_budget`).
cpu authored and djc committed Sep 12, 2023
1 parent 08fd439 commit cce08ee
Showing 1 changed file with 29 additions and 40 deletions.
69 changes: 29 additions & 40 deletions src/verify_cert.rs
Expand Up @@ -620,7 +620,13 @@ mod tests {
intermediates.pop();
}

verify_chain(&ca_cert_der, &intermediates, &make_end_entity(&issuer)).unwrap_err()
verify_chain(
&ca_cert_der,
&intermediates,
&make_end_entity(&issuer),
None,
)
.unwrap_err()
}

#[test]
Expand Down Expand Up @@ -655,7 +661,12 @@ mod tests {
issuer = intermediate;
}

verify_chain(&ca_cert_der, &intermediates, &make_end_entity(&issuer))
verify_chain(
&ca_cert_der,
&intermediates,
&make_end_entity(&issuer),
None,
)
}

#[test]
Expand All @@ -678,9 +689,6 @@ mod tests {
#[test]
#[cfg(feature = "alloc")]
fn name_constraint_budget() {
use crate::ECDSA_P256_SHA256;
use crate::{EndEntityCert, Time};

// Issue a trust anchor that imposes name constraints. The constraint should match
// the end entity certificate SAN.
let ca_cert = make_issuer(
Expand Down Expand Up @@ -710,18 +718,10 @@ mod tests {
// Create an end-entity cert that is issued by the last of the intermediates.
let ee_cert = make_end_entity(intermediates.last().unwrap());

let anchors = &[TrustAnchor::try_from_cert_der(&ca_cert_der).unwrap()];
let time = Time::from_seconds_since_unix_epoch(0x1fed_f00d);
let cert = EndEntityCert::try_from(&ee_cert[..]).unwrap();
let intermediates_der = intermediates_der
.iter()
.map(|x| x.as_ref())
.collect::<Vec<_>>();

// We use a custom budget to make it easier to write a test, otherwise it is tricky to
// stuff enough names/constraints into the potential chains while staying within the path
// depth limit and the build chain call limit.
let mut passing_budget = Budget {
let passing_budget = Budget {
// One comparison against the intermediate's distinguished name.
// One comparison against the EE's distinguished name.
// One comparison against the EE's SAN.
Expand All @@ -733,41 +733,27 @@ mod tests {
// Validation should succeed with the name constraint comparison budget allocated above.
// This shows that we're not consuming budget on unused intermediates: we didn't budget
// enough comparisons for that to pass the overall chain building.
build_chain_inner(
&ChainOptions {
eku: KeyUsage::server_auth(),
supported_sig_algs: &[&ECDSA_P256_SHA256],
trust_anchors: anchors,
intermediate_certs: &intermediates_der,
crls: &[],
},
cert.inner(),
time,
0,
&mut passing_budget,
verify_chain(
&ca_cert_der,
&intermediates_der,
&ee_cert,
Some(passing_budget),
)
.unwrap();

let mut failing_budget = Budget {
let failing_budget = Budget {
// See passing_budget: 2 comparisons is not sufficient.
name_constraint_comparisons: 2,
..Budget::default()
};
// Validation should fail when the budget is smaller than the number of comparisons performed
// on the validated path. This demonstrates we properly fail path building when too many
// name constraint comparisons occur.
let result = build_chain_inner(
&ChainOptions {
eku: KeyUsage::server_auth(),
supported_sig_algs: &[&ECDSA_P256_SHA256],
trust_anchors: anchors,
intermediate_certs: &intermediates_der,
crls: &[],
},
cert.inner(),
time,
0,
&mut failing_budget,
let result = verify_chain(
&ca_cert_der,
&intermediates_der,
&ee_cert,
Some(failing_budget),
);

assert_eq!(result, Err(Error::MaximumNameConstraintComparisonsExceeded));
Expand All @@ -778,6 +764,7 @@ mod tests {
trust_anchor_der: &[u8],
intermediates_der: &[Vec<u8>],
ee_cert_der: &[u8],
budget: Option<Budget>,
) -> Result<(), Error> {
use crate::ECDSA_P256_SHA256;
use crate::{EndEntityCert, Time};
Expand All @@ -790,7 +777,7 @@ mod tests {
.map(|x| x.as_ref())
.collect::<Vec<_>>();

build_chain(
build_chain_inner(
&ChainOptions {
eku: KeyUsage::server_auth(),
supported_sig_algs: &[&ECDSA_P256_SHA256],
Expand All @@ -800,6 +787,8 @@ mod tests {
},
cert.inner(),
time,
0,
&mut budget.unwrap_or_default(),
)
}
}
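Review bot: The helper now always goes through `build_chain_inner` with depth `0` and `budget.unwrap_or_default()`, so the `.unwrap_err()` callers and the success-path caller at the top of this file section no longer exercise the public `build_chain` entry point the old helper called; if `build_chain` does anything beyond delegating with `Budget::default()` (its body is not shown here), that behaviour is now untested. Consider routing through `build_chain` when no budget is supplied and only dropping to `build_chain_inner` for an explicit one, and document the new parameter with `// `None` uses `Budget::default()`; pass `Some` only when a test must tighten a path-building limit.` The `verify_chain` signature begins outside this hunk, so whether the two paths are equivalent is inferred from the old and new call sites shown.
```rust
    let opts = ChainOptions {
        eku: KeyUsage::server_auth(),
        supported_sig_algs: &[&ECDSA_P256_SHA256],
        // … unchanged: trust_anchors, intermediate_certs, crls …
    };

    match budget {
        // No override: use the public entry point so its defaults stay covered by these tests.
        None => build_chain(&opts, cert.inner(), time),
        // Explicit budget: drop to the inner function that accepts it.
        Some(mut budget) => build_chain_inner(&opts, cert.inner(), time, 0, &mut budget),
    }
```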
