diff --git a/tests/data/fake-ca.cert b/tests/data/fake-ca.cert
new file mode 100644
index 00000000..4218ca39
--- /dev/null
+++ b/tests/data/fake-ca.cert
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpzCCAo+gAwIBAgIEBAbK/jANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJH
+QjEPMA0GA1UECBMGTG9uZG9uMQ8wDQYDVQQHEwZMb25kb24xDzANBgNVBAoTBkdv
+b2dsZTEMMAoGA1UECxMDRW5nMSEwHwYDVQQDExhGYWtlQ2VydGlmaWNhdGVBdXRo
+b3JpdHkwHhcNMjIwMjI2MTEzNTU2WhcNMjMwMjI2MTEzNTU2WjBxMQswCQYDVQQG
+EwJHQjEPMA0GA1UECBMGTG9uZG9uMQ8wDQYDVQQHEwZMb25kb24xDzANBgNVBAoT
+Bkdvb2dsZTEMMAoGA1UECxMDRW5nMSEwHwYDVQQDExhGYWtlQ2VydGlmaWNhdGVB
+dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH7YBnivKV
+qNrzbdxGZfWQ98UK8OKB9zJeNEpLOoKEQDjS8at/0QTKDUtlbRxFOJnt7jHPGiNO
+ZlSa7MZXaoVjkRwxDyXxXF3QtMNWeUjIeUrSOtfVXqLuO6vIHYxyZhgfizkD1BI2
+k8HRefSxhsk1ik+nV4PQgcOxW8yZawvj3RdJ17u4XMRYhmbn0wsx8Hykfat3/Hl2
+mupZB6iziovy/iEtR0KXmg3274OqMrlLNqHyLfpE78N/HDJgN+tSLbZv8bVPpYDs
+hCfuYbqHih/vMgX3F8or5MTx6MDM4dzKazz+EbFy3X5uySYkH1wml2Rgl1RaS1uX
+7gxKYX0G28CNAgMBAAGjRzBFMA0GA1UdDgQGBAQBAgMEMA8GA1UdIwQIMAaABAEC
+AwQwEgYDVR0TAQH/BAgwBgEB/wIBCjAPBgNVHQ8BAf8EBQMDB/+AMA0GCSqGSIb3
+DQEBCwUAA4IBAQBr2jezfOsPIRKPMYvh+N0f/qzwDULU7Mjn8FVHIYR+DgeMtOhD
+A9+r8DjE8C/2eP+wGoPRxyNRM+awkcdLf5tm/vdwQ9eEQ8XPCkQ8khcZz1sVt5ku
+7v1lWhxOGtJ9ley1Df31U61RPlIK3PPHcHW/JyQcr/yqSizT3xtpG+QS/SYcV9ug
+wk4pd6QjBgLEyrIQ/OlXRcKVnA9g8Mpj4O8KME5Nd+C+LDWG+g9gvD4Fp3/SPF96
+9bv1o6pErHMfriMyDsQFGzuYO/stMaxiok1zpTpx1al4eDpro3EYjJDS8LtW5LGp
+I1Ie0g6GeBIN5JbKWytoFgA5VEBBh0WlQ3EH
+-----END CERTIFICATE-----
diff --git a/tests/data/fake-ca.der b/tests/data/fake-ca.der
new file mode 100644
index 00000000..6559a8a4
Binary files /dev/null and b/tests/data/fake-ca.der differ
diff --git a/tests/data/ok-ca.der b/tests/data/ok-ca.der
new file mode 100644
index 00000000..e69de29b
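Review bot: The fake-ca.cert fixture carries a one-year validity window that has already closed — the Validity SEQUENCE in the base64 (`MjIwMjI2MTEzNTU2WhcNMjMwMjI2MTEzNTU2Wj`) decodes to UTCTime `220226113556Z` / `230226113556Z`, i.e. 2022-02-26 to 2023-02-26 — so any test that checks this CA against the wall clock will fail and invites someone to disable time validation globally to make it pass. Either regenerate the CA with a far-future notAfter (the sibling `ok-long-expiry.der` and `ok-indefinite-expiry.der` names suggest the suite already handles such fixtures) or have the tests pin an explicit verification time. A short README beside the data stating that this self-signed certificate (issuer and subject both `CN=FakeCertificateAuthority`, critical basicConstraints `cA=TRUE` with pathLen 10, all keyUsage bits set) exists only as a test trust root would also help; whether fake-ca.der is the same certificate in DER form cannot be told from the diff.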
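Review bot: ok-ca.der is added as a zero-byte file — its blob id `e69de29b` is git's empty-blob hash and, unlike every other .der in this change, no `Binary files ... differ` line follows its header — yet the `ok-` prefix marks it as a fixture expected to parse successfully. A test reading this path will either fail on an empty DER input or, worse, pass silently if the harness treats unreadable fixtures as skipped. Check whether the intended certificate was lost when the data was copied in and either restore it or drop the entry; a small guard that asserts every `ok-*.der` is non-empty and parses as a Certificate would catch this class of mistake.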
diff --git a/tests/data/ok-ext-auth-info-access.der b/tests/data/ok-ext-auth-info-access.der
new file mode 100644
index 00000000..04568326
Binary files /dev/null and b/tests/data/ok-ext-auth-info-access.der differ
diff --git a/tests/data/ok-ext-auth-keyid.der b/tests/data/ok-ext-auth-keyid.der
new file mode 100644
index 00000000..7dd207d8
Binary files /dev/null and b/tests/data/ok-ext-auth-keyid.der differ
diff --git a/tests/data/ok-ext-auth-keyid2.der b/tests/data/ok-ext-auth-keyid2.der
new file mode 100644
index 00000000..54f0664e
Binary files /dev/null and b/tests/data/ok-ext-auth-keyid2.der differ
diff --git a/tests/data/ok-ext-basic-constraints.der b/tests/data/ok-ext-basic-constraints.der
new file mode 100644
index 00000000..ffdbc900
Binary files /dev/null and b/tests/data/ok-ext-basic-constraints.der differ
diff --git a/tests/data/ok-ext-cert-policies-any-qual.der b/tests/data/ok-ext-cert-policies-any-qual.der
new file mode 100644
index 00000000..5f0434fb
Binary files /dev/null and b/tests/data/ok-ext-cert-policies-any-qual.der differ
diff --git a/tests/data/ok-ext-cert-policies-any.der b/tests/data/ok-ext-cert-policies-any.der
new file mode 100644
index 00000000..bea3f469
Binary files /dev/null and b/tests/data/ok-ext-cert-policies-any.der differ
diff --git a/tests/data/ok-ext-cert-policies-ia5-unotice.der b/tests/data/ok-ext-cert-policies-ia5-unotice.der
new file mode 100644
index 00000000..f2c20579
Binary files /dev/null and b/tests/data/ok-ext-cert-policies-ia5-unotice.der differ
diff --git a/tests/data/ok-ext-cert-policies-unotice.der b/tests/data/ok-ext-cert-policies-unotice.der
new file mode 100644
index 00000000..ef11b09e
Binary files /dev/null and b/tests/data/ok-ext-cert-policies-unotice.der differ
diff --git a/tests/data/ok-ext-cert-policies.der b/tests/data/ok-ext-cert-policies.der
new file mode 100644
index 00000000..1a17c638
Binary files /dev/null and b/tests/data/ok-ext-cert-policies.der differ
diff --git a/tests/data/ok-ext-crl-point.der b/tests/data/ok-ext-crl-point.der
new file mode 100644
index 00000000..d2855023
Binary files /dev/null and b/tests/data/ok-ext-crl-point.der differ
diff --git a/tests/data/ok-ext-ct-sct.der b/tests/data/ok-ext-ct-sct.der
new file mode 100644
index 00000000..c641d3f0
Binary files /dev/null and b/tests/data/ok-ext-ct-sct.der differ
diff --git a/tests/data/ok-ext-extended-key-usage.der b/tests/data/ok-ext-extended-key-usage.der
new file mode 100644
index 00000000..64c171a0
Binary files /dev/null and b/tests/data/ok-ext-extended-key-usage.der differ
diff --git a/tests/data/ok-ext-extended-key-usage2.der b/tests/data/ok-ext-extended-key-usage2.der
new file mode 100644
index 00000000..2114d25a
Binary files /dev/null and b/tests/data/ok-ext-extended-key-usage2.der differ
diff --git a/tests/data/ok-ext-freshest-crl.der b/tests/data/ok-ext-freshest-crl.der
new file mode 100644
index 00000000..5a9b1a52
Binary files /dev/null and b/tests/data/ok-ext-freshest-crl.der differ
diff --git a/tests/data/ok-ext-inhibit-anypolicy.der b/tests/data/ok-ext-inhibit-anypolicy.der
new file mode 100644
index 00000000..02a8a335
Binary files /dev/null and b/tests/data/ok-ext-inhibit-anypolicy.der differ
diff --git a/tests/data/ok-ext-issuer-altname.der b/tests/data/ok-ext-issuer-altname.der
new file mode 100644
index 00000000..af53cc14
Binary files /dev/null and b/tests/data/ok-ext-issuer-altname.der differ
diff --git a/tests/data/ok-ext-key-usage.der b/tests/data/ok-ext-key-usage.der
new file mode 100644
index 00000000..2bb32f19
Binary files /dev/null and b/tests/data/ok-ext-key-usage.der differ
diff --git a/tests/data/ok-ext-name-constraints.der b/tests/data/ok-ext-name-constraints.der
new file mode 100644
index 00000000..ad6c5ca2
Binary files /dev/null and b/tests/data/ok-ext-name-constraints.der differ
diff --git a/tests/data/ok-ext-policy-constraints.der b/tests/data/ok-ext-policy-constraints.der
new file mode 100644
index 00000000..42841c41
Binary files /dev/null and b/tests/data/ok-ext-policy-constraints.der differ
diff --git a/tests/data/ok-ext-policy-map.der b/tests/data/ok-ext-policy-map.der
new file mode 100644
index 00000000..b2b0f9d1
Binary files /dev/null and b/tests/data/ok-ext-policy-map.der differ
diff --git a/tests/data/ok-ext-subject-altname.der b/tests/data/ok-ext-subject-altname.der
new file mode 100644
index 00000000..3fb87704
Binary files /dev/null and b/tests/data/ok-ext-subject-altname.der differ
diff --git a/tests/data/ok-ext-subject-altname2.der b/tests/data/ok-ext-subject-altname2.der
new file mode 100644
index 00000000..a22439ce
Binary files /dev/null and b/tests/data/ok-ext-subject-altname2.der differ
diff --git a/tests/data/ok-ext-subject-dirattr.der b/tests/data/ok-ext-subject-dirattr.der
new file mode 100644
index 00000000..560708a3
Binary files /dev/null and b/tests/data/ok-ext-subject-dirattr.der differ
diff --git a/tests/data/ok-ext-subject-info-access.der b/tests/data/ok-ext-subject-info-access.der
new file mode 100644
index 00000000..c04efe6d
Binary files /dev/null and b/tests/data/ok-ext-subject-info-access.der differ
diff --git a/tests/data/ok-ext-subject-keyid.der b/tests/data/ok-ext-subject-keyid.der
new file mode 100644
index 00000000..ed7150ff
Binary files /dev/null and b/tests/data/ok-ext-subject-keyid.der differ
diff --git a/tests/data/ok-indefinite-expiry.der b/tests/data/ok-indefinite-expiry.der
new file mode 100644
index 00000000..67f3b3a7
Binary files /dev/null and b/tests/data/ok-indefinite-expiry.der differ
diff --git a/tests/data/ok-inherited-keyparams.ca.der b/tests/data/ok-inherited-keyparams.ca.der
new file mode 100644
index 00000000..5b1d142c
Binary files /dev/null and b/tests/data/ok-inherited-keyparams.ca.der differ
diff --git a/tests/data/ok-inherited-keyparams.leaf.der b/tests/data/ok-inherited-keyparams.leaf.der
new file mode 100644
index 00000000..6ae6f4fe
Binary files /dev/null and b/tests/data/ok-inherited-keyparams.leaf.der differ
diff --git a/tests/data/ok-intermediate-ca-sign.ca.der b/tests/data/ok-intermediate-ca-sign.ca.der
new file mode 100644
index 00000000..7f56ebc6
Binary files /dev/null and b/tests/data/ok-intermediate-ca-sign.ca.der differ
diff --git a/tests/data/ok-intermediate-ca-sign.leaf.der b/tests/data/ok-intermediate-ca-sign.leaf.der
new file mode 100644
index 00000000..ad474581
Binary files /dev/null and b/tests/data/ok-intermediate-ca-sign.leaf.der differ
diff --git a/tests/data/ok-issuer-asn1-differ.der b/tests/data/ok-issuer-asn1-differ.der
new file mode 100644
index 00000000..f5f3fe58
Binary files /dev/null and b/tests/data/ok-issuer-asn1-differ.der differ
diff --git a/tests/data/ok-long-expiry.der b/tests/data/ok-long-expiry.der
new file mode 100644
index 00000000..cb3e5511
Binary files /dev/null and b/tests/data/ok-long-expiry.der differ
diff --git a/tests/data/ok-long-serial.der b/tests/data/ok-long-serial.der
new file mode 100644
index 00000000..9cfe9c71
Binary files /dev/null and b/tests/data/ok-long-serial.der differ
diff --git a/tests/data/ok-pubkey-ecdsa-p256v1.der b/tests/data/ok-pubkey-ecdsa-p256v1.der
new file mode 100644
index 00000000..f05eb6c8
Binary files /dev/null and b/tests/data/ok-pubkey-ecdsa-p256v1.der differ
diff --git a/tests/data/ok-pubkey-rsa.der b/tests/data/ok-pubkey-rsa.der
new file mode 100644
index 00000000..c04789a7
Binary files /dev/null and b/tests/data/ok-pubkey-rsa.der differ
diff --git a/tests/data/ok-uniqueid-incomplete-byte.der b/tests/data/ok-uniqueid-incomplete-byte.der
new file mode 100644
index 00000000..793a0ede
Binary files /dev/null and b/tests/data/ok-uniqueid-incomplete-byte.der differ
diff --git a/tests/data/ok-utc-time-wrap.der b/tests/data/ok-utc-time-wrap.der
new file mode 100644
index 00000000..88f9a540
Binary files /dev/null and b/tests/data/ok-utc-time-wrap.der differ
diff --git a/tests/data/ok-v1.der b/tests/data/ok-v1.der
new file mode 100644
index 00000000..28514378
Binary files /dev/null and b/tests/data/ok-v1.der differ
diff --git a/tests/data/ok-v2-issuer-asn1-differ.der b/tests/data/ok-v2-issuer-asn1-differ.der
new file mode 100644
index 00000000..200e9bf0
Binary files /dev/null and b/tests/data/ok-v2-issuer-asn1-differ.der differ
diff --git a/tests/data/ok-v2.der b/tests/data/ok-v2.der
new file mode 100644
index 00000000..4127d9ed
Binary files /dev/null and b/tests/data/ok-v2.der differ
diff --git a/tests/data/ok-v3.der b/tests/data/ok-v3.der
new file mode 100644
index 00000000..7bec542b
Binary files /dev/null and b/tests/data/ok-v3.der differ
diff --git a/tests/data/xf-algo-mismatch1.der b/tests/data/xf-algo-mismatch1.der
new file mode 100644
index 00000000..b49453b4
Binary files /dev/null and b/tests/data/xf-algo-mismatch1.der differ
diff --git a/tests/data/xf-der-invalid-bitstring.der b/tests/data/xf-der-invalid-bitstring.der
new file mode 100644
index 00000000..067ffa7f
Binary files /dev/null and b/tests/data/xf-der-invalid-bitstring.der differ
diff --git a/tests/data/xf-der-invalid-nonminimal-int.der b/tests/data/xf-der-invalid-nonminimal-int.der
new file mode 100644
index 00000000..aa780780
Binary files /dev/null and b/tests/data/xf-der-invalid-nonminimal-int.der differ
diff --git a/tests/data/xf-der-invalid-uniqueid.der b/tests/data/xf-der-invalid-uniqueid.der
new file mode 100644
index 00000000..fa89df2f
Binary files /dev/null and b/tests/data/xf-der-invalid-uniqueid.der differ
diff --git a/tests/data/xf-der-pubkey-rsa-nonminimal-int.der b/tests/data/xf-der-pubkey-rsa-nonminimal-int.der
new file mode 100644
index 00000000..605f6eaa
Binary files /dev/null and b/tests/data/xf-der-pubkey-rsa-nonminimal-int.der differ
diff --git a/tests/data/xf-duplicate-extension.der b/tests/data/xf-duplicate-extension.der
new file mode 100644
index 00000000..30aac5d1
Binary files /dev/null and b/tests/data/xf-duplicate-extension.der differ
diff --git a/tests/data/xf-duplicate-extension2.der b/tests/data/xf-duplicate-extension2.der
new file mode 100644
index 00000000..eb26b42f
Binary files /dev/null and b/tests/data/xf-duplicate-extension2.der differ
diff --git a/tests/data/xf-ext-altname-blank-domain.der b/tests/data/xf-ext-altname-blank-domain.der
new file mode 100644
index 00000000..7c9d08e7
Binary files /dev/null and b/tests/data/xf-ext-altname-blank-domain.der differ
diff --git a/tests/data/xf-ext-altname-critical-subject.der b/tests/data/xf-ext-altname-critical-subject.der
new file mode 100644
index 00000000..3c74ea00
Binary files /dev/null and b/tests/data/xf-ext-altname-critical-subject.der differ
diff --git a/tests/data/xf-ext-altname-email-only.der b/tests/data/xf-ext-altname-email-only.der
new file mode 100644
index 00000000..764951c5
Binary files /dev/null and b/tests/data/xf-ext-altname-email-only.der differ
diff --git a/tests/data/xf-ext-altname-empty.der b/tests/data/xf-ext-altname-empty.der
new file mode 100644
index 00000000..b1d52268
Binary files /dev/null and b/tests/data/xf-ext-altname-empty.der differ
diff --git a/tests/data/xf-ext-altname-empty2.der b/tests/data/xf-ext-altname-empty2.der
new file mode 100644
index 00000000..e6f922fc
Binary files /dev/null and b/tests/data/xf-ext-altname-empty2.der differ
diff --git a/tests/data/xf-ext-altname-excluded.ca.der b/tests/data/xf-ext-altname-excluded.ca.der
new file mode 100644
index 00000000..d1b7ba47
Binary files /dev/null and b/tests/data/xf-ext-altname-excluded.ca.der differ
diff --git a/tests/data/xf-ext-altname-excluded.leaf.der b/tests/data/xf-ext-altname-excluded.leaf.der
new file mode 100644
index 00000000..f1b96592
Binary files /dev/null and b/tests/data/xf-ext-altname-excluded.leaf.der differ
diff --git a/tests/data/xf-ext-altname-invalid-domain.der b/tests/data/xf-ext-altname-invalid-domain.der
new file mode 100644
index 00000000..418347db
Binary files /dev/null and b/tests/data/xf-ext-altname-invalid-domain.der differ
diff --git a/tests/data/xf-ext-altname-invalid-email.der b/tests/data/xf-ext-altname-invalid-email.der
new file mode 100644
index 00000000..41dbef15
Binary files /dev/null and b/tests/data/xf-ext-altname-invalid-email.der differ
diff --git a/tests/data/xf-ext-altname-invalid-encoding.der b/tests/data/xf-ext-altname-invalid-encoding.der
new file mode 100644
index 00000000..802cc7bd
Binary files /dev/null and b/tests/data/xf-ext-altname-invalid-encoding.der differ
diff --git a/tests/data/xf-ext-altname-ip-wrong.der b/tests/data/xf-ext-altname-ip-wrong.der
new file mode 100644
index 00000000..d3831c43
Binary files /dev/null and b/tests/data/xf-ext-altname-ip-wrong.der differ
diff --git a/tests/data/xf-ext-altname-noncrit-nosubj.der b/tests/data/xf-ext-altname-noncrit-nosubj.der
new file mode 100644
index 00000000..094b6637
Binary files /dev/null and b/tests/data/xf-ext-altname-noncrit-nosubj.der differ
diff --git a/tests/data/xf-ext-altname-relative-uri.der b/tests/data/xf-ext-altname-relative-uri.der
new file mode 100644
index 00000000..652c5ecd
Binary files /dev/null and b/tests/data/xf-ext-altname-relative-uri.der differ
diff --git a/tests/data/xf-ext-altname-schemeless-uri.der b/tests/data/xf-ext-altname-schemeless-uri.der
new file mode 100644
index 00000000..64048958
Binary files /dev/null and b/tests/data/xf-ext-altname-schemeless-uri.der differ
diff --git a/tests/data/xf-ext-auth-info-critical.der b/tests/data/xf-ext-auth-info-critical.der
new file mode 100644
index 00000000..ad5f3b26
Binary files /dev/null and b/tests/data/xf-ext-auth-info-critical.der differ
diff --git a/tests/data/xf-ext-auth-info-empty.der b/tests/data/xf-ext-auth-info-empty.der
new file mode 100644
index 00000000..18f87e42
Binary files /dev/null and b/tests/data/xf-ext-auth-info-empty.der differ
diff --git a/tests/data/xf-ext-auth-keyid-critical.der b/tests/data/xf-ext-auth-keyid-critical.der
new file mode 100644
index 00000000..c29ed069
Binary files /dev/null and b/tests/data/xf-ext-auth-keyid-critical.der differ
diff --git a/tests/data/xf-ext-auth-keyid-invalid-issuer.der b/tests/data/xf-ext-auth-keyid-invalid-issuer.der
new file mode 100644
index 00000000..95f9a22a
Binary files /dev/null and b/tests/data/xf-ext-auth-keyid-invalid-issuer.der differ
diff --git a/tests/data/xf-ext-auth-keyid-mismatch.der b/tests/data/xf-ext-auth-keyid-mismatch.der
new file mode 100644
index 00000000..d7330b1f
Binary files /dev/null and b/tests/data/xf-ext-auth-keyid-mismatch.der differ
diff --git a/tests/data/xf-ext-auth-keyid-noid.der b/tests/data/xf-ext-auth-keyid-noid.der
new file mode 100644
index 00000000..1f43f247
Binary files /dev/null and b/tests/data/xf-ext-auth-keyid-noid.der differ
diff --git a/tests/data/xf-ext-auth-keyid-onlyserial.der b/tests/data/xf-ext-auth-keyid-onlyserial.der
new file mode 100644
index 00000000..0979c815
Binary files /dev/null and b/tests/data/xf-ext-auth-keyid-onlyserial.der differ
diff --git a/tests/data/xf-ext-auth-keyid-serial-mismatch.der b/tests/data/xf-ext-auth-keyid-serial-mismatch.der
new file mode 100644
index 00000000..4ab70782
Binary files /dev/null and b/tests/data/xf-ext-auth-keyid-serial-mismatch.der differ
diff --git a/tests/data/xf-ext-cert-policies-any-qual.der b/tests/data/xf-ext-cert-policies-any-qual.der
new file mode 100644
index 00000000..2bb758fe
Binary files /dev/null and b/tests/data/xf-ext-cert-policies-any-qual.der differ
diff --git a/tests/data/xf-ext-cert-policies-bmp-unotice.der b/tests/data/xf-ext-cert-policies-bmp-unotice.der
new file mode 100644
index 00000000..363fb018
Binary files /dev/null and b/tests/data/xf-ext-cert-policies-bmp-unotice.der differ
diff --git a/tests/data/xf-ext-cert-policies-dup.der b/tests/data/xf-ext-cert-policies-dup.der
new file mode 100644
index 00000000..7319899c
Binary files /dev/null and b/tests/data/xf-ext-cert-policies-dup.der differ
diff --git a/tests/data/xf-ext-cert-policies-unotice-ch.der b/tests/data/xf-ext-cert-policies-unotice-ch.der
new file mode 100644
index 00000000..c000f214
Binary files /dev/null and b/tests/data/xf-ext-cert-policies-unotice-ch.der differ
diff --git a/tests/data/xf-ext-constraints-neg-pathlen.der b/tests/data/xf-ext-constraints-neg-pathlen.der
new file mode 100644
index 00000000..96d2c0c6
Binary files /dev/null and b/tests/data/xf-ext-constraints-neg-pathlen.der differ
diff --git a/tests/data/xf-ext-constraints-noncritical.der b/tests/data/xf-ext-constraints-noncritical.der
new file mode 100644
index 00000000..1f86b3b5
Binary files /dev/null and b/tests/data/xf-ext-constraints-noncritical.der differ
diff --git a/tests/data/xf-ext-constraints-path-nonca.der b/tests/data/xf-ext-constraints-path-nonca.der
new file mode 100644
index 00000000..266342b6
Binary files /dev/null and b/tests/data/xf-ext-constraints-path-nonca.der differ
diff --git a/tests/data/xf-ext-constraints-path-nosign.der b/tests/data/xf-ext-constraints-path-nosign.der
new file mode 100644
index 00000000..1c1c8496
Binary files /dev/null and b/tests/data/xf-ext-constraints-path-nosign.der differ
diff --git a/tests/data/xf-ext-crl-point-critical.der b/tests/data/xf-ext-crl-point-critical.der
new file mode 100644
index 00000000..2ae5ceba
Binary files /dev/null and b/tests/data/xf-ext-crl-point-critical.der differ
diff --git a/tests/data/xf-ext-crl-point-reasons-only.der b/tests/data/xf-ext-crl-point-reasons-only.der
new file mode 100644
index 00000000..57214207
Binary files /dev/null and b/tests/data/xf-ext-crl-point-reasons-only.der differ
diff --git a/tests/data/xf-ext-ct-poison.der b/tests/data/xf-ext-ct-poison.der
new file mode 100644
index 00000000..9a58f5ee
Binary files /dev/null and b/tests/data/xf-ext-ct-poison.der differ
diff --git a/tests/data/xf-ext-ct-sct-trailing-data.der b/tests/data/xf-ext-ct-sct-trailing-data.der
new file mode 100644
index 00000000..05f2a8d7
Binary files /dev/null and b/tests/data/xf-ext-ct-sct-trailing-data.der differ
diff --git a/tests/data/xf-ext-ct-sct-wrong-type.der b/tests/data/xf-ext-ct-sct-wrong-type.der
new file mode 100644
index 00000000..599adc96
Binary files /dev/null and b/tests/data/xf-ext-ct-sct-wrong-type.der differ
diff --git a/tests/data/xf-ext-extended-any-key-usage.der b/tests/data/xf-ext-extended-any-key-usage.der
new file mode 100644
index 00000000..48902441
Binary files /dev/null and b/tests/data/xf-ext-extended-any-key-usage.der differ
diff --git a/tests/data/xf-ext-extended-key-usage-empty-oid.der b/tests/data/xf-ext-extended-key-usage-empty-oid.der
new file mode 100644
index 00000000..1f5f4195
Binary files /dev/null and b/tests/data/xf-ext-extended-key-usage-empty-oid.der differ
diff --git a/tests/data/xf-ext-extended-key-usage-empty.der b/tests/data/xf-ext-extended-key-usage-empty.der
new file mode 100644
index 00000000..09cc686e
Binary files /dev/null and b/tests/data/xf-ext-extended-key-usage-empty.der differ
diff --git a/tests/data/xf-ext-freshest-crl-critical.der b/tests/data/xf-ext-freshest-crl-critical.der
new file mode 100644
index 00000000..f2b5ac9d
Binary files /dev/null and b/tests/data/xf-ext-freshest-crl-critical.der differ
diff --git a/tests/data/xf-ext-inhibit-anypolicy-negative.der b/tests/data/xf-ext-inhibit-anypolicy-negative.der
new file mode 100644
index 00000000..13e33fdc
Binary files /dev/null and b/tests/data/xf-ext-inhibit-anypolicy-negative.der differ
diff --git a/tests/data/xf-ext-inhibit-anypolicy-noncritical.der b/tests/data/xf-ext-inhibit-anypolicy-noncritical.der
new file mode 100644
index 00000000..468a9deb
Binary files /dev/null and b/tests/data/xf-ext-inhibit-anypolicy-noncritical.der differ
diff --git a/tests/data/xf-ext-issuer-altname-critical.der b/tests/data/xf-ext-issuer-altname-critical.der
new file mode 100644
index 00000000..b5c9690c
Binary files /dev/null and b/tests/data/xf-ext-issuer-altname-critical.der differ
diff --git a/tests/data/xf-ext-key-usage-empty.der b/tests/data/xf-ext-key-usage-empty.der
new file mode 100644
index 00000000..1ce620ac
Binary files /dev/null and b/tests/data/xf-ext-key-usage-empty.der differ
diff --git a/tests/data/xf-ext-key-usage-noncritical.der b/tests/data/xf-ext-key-usage-noncritical.der
new file mode 100644
index 00000000..1d323de2
Binary files /dev/null and b/tests/data/xf-ext-key-usage-noncritical.der differ
diff --git a/tests/data/xf-ext-key-usage-sign-nonca.der b/tests/data/xf-ext-key-usage-sign-nonca.der
new file mode 100644
index 00000000..5fcf984c
Binary files /dev/null and b/tests/data/xf-ext-key-usage-sign-nonca.der differ
diff --git a/tests/data/xf-ext-key-usage-too-long.der b/tests/data/xf-ext-key-usage-too-long.der
new file mode 100644
index 00000000..e5f81f62
Binary files /dev/null and b/tests/data/xf-ext-key-usage-too-long.der differ
diff --git a/tests/data/xf-ext-key-usage-wrong-der.der b/tests/data/xf-ext-key-usage-wrong-der.der
new file mode 100644
index 00000000..99292eb2
Binary files /dev/null and b/tests/data/xf-ext-key-usage-wrong-der.der differ
diff --git a/tests/data/xf-ext-key-usage-wrong.ca.der b/tests/data/xf-ext-key-usage-wrong.ca.der
new file mode 100644
index 00000000..f6b4c73e
Binary files /dev/null and b/tests/data/xf-ext-key-usage-wrong.ca.der differ
diff --git a/tests/data/xf-ext-key-usage-wrong.leaf.der b/tests/data/xf-ext-key-usage-wrong.leaf.der
new file mode 100644
index 00000000..15e868cb
Binary files /dev/null and b/tests/data/xf-ext-key-usage-wrong.leaf.der differ
diff --git a/tests/data/xf-ext-keysign-nonca.der b/tests/data/xf-ext-keysign-nonca.der
new file mode 100644
index 00000000..344d9589
Binary files /dev/null and b/tests/data/xf-ext-keysign-nonca.der differ
diff --git a/tests/data/xf-ext-name-constraints-badip.der b/tests/data/xf-ext-name-constraints-badip.der
new file mode 100644
index 00000000..38cfdcdb
Binary files /dev/null and b/tests/data/xf-ext-name-constraints-badip.der differ
diff --git a/tests/data/xf-ext-name-constraints-empty.der b/tests/data/xf-ext-name-constraints-empty.der
new file mode 100644
index 00000000..e82af92d
Binary files /dev/null and b/tests/data/xf-ext-name-constraints-empty.der differ
diff --git a/tests/data/xf-ext-name-constraints-minmax.der b/tests/data/xf-ext-name-constraints-minmax.der
new file mode 100644
index 00000000..a86a9c4c
Binary files /dev/null and b/tests/data/xf-ext-name-constraints-minmax.der differ
diff --git a/tests/data/xf-ext-name-constraints-nonca.der b/tests/data/xf-ext-name-constraints-nonca.der
new file mode 100644
index 00000000..841ca541
Binary files /dev/null and b/tests/data/xf-ext-name-constraints-nonca.der differ
diff --git a/tests/data/xf-ext-name-constraints-noncrit.der b/tests/data/xf-ext-name-constraints-noncrit.der
new file mode 100644
index 00000000..beafa661
Binary files /dev/null and b/tests/data/xf-ext-name-constraints-noncrit.der differ
diff --git a/tests/data/xf-ext-name-constraints-regid.der b/tests/data/xf-ext-name-constraints-regid.der
new file mode 100644
index 00000000..543ff982
Binary files /dev/null and b/tests/data/xf-ext-name-constraints-regid.der differ
diff --git a/tests/data/xf-ext-name-excluded-dn.ca.der b/tests/data/xf-ext-name-excluded-dn.ca.der
new file mode 100644
index 00000000..e5b96897
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-dn.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded-dn.leaf.der b/tests/data/xf-ext-name-excluded-dn.leaf.der
new file mode 100644
index 00000000..99d735d5
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-dn.leaf.der differ
diff --git a/tests/data/xf-ext-name-excluded-dns.ca.der b/tests/data/xf-ext-name-excluded-dns.ca.der
new file mode 100644
index 00000000..b0f05459
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-dns.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded-dns.leaf.der b/tests/data/xf-ext-name-excluded-dns.leaf.der
new file mode 100644
index 00000000..ec71cc80
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-dns.leaf.der differ
diff --git a/tests/data/xf-ext-name-excluded-email.ca.der b/tests/data/xf-ext-name-excluded-email.ca.der
new file mode 100644
index 00000000..b79a8357
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-email.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded-email.leaf.der b/tests/data/xf-ext-name-excluded-email.leaf.der
new file mode 100644
index 00000000..d1a967a0
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-email.leaf.der differ
diff --git a/tests/data/xf-ext-name-excluded-email2.ca.der b/tests/data/xf-ext-name-excluded-email2.ca.der
new file mode 100644
index 00000000..ce539fb9
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-email2.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded-email2.leaf.der b/tests/data/xf-ext-name-excluded-email2.leaf.der
new file mode 100644
index 00000000..14f8284a
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-email2.leaf.der differ
diff --git a/tests/data/xf-ext-name-excluded-ip.ca.der b/tests/data/xf-ext-name-excluded-ip.ca.der
new file mode 100644
index 00000000..f28fea21
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-ip.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded-ip.leaf.der b/tests/data/xf-ext-name-excluded-ip.leaf.der
new file mode 100644
index 00000000..64199d9c
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-ip.leaf.der differ
diff --git a/tests/data/xf-ext-name-excluded-uri.ca.der b/tests/data/xf-ext-name-excluded-uri.ca.der
new file mode 100644
index 00000000..673e7c80
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-uri.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded-uri.leaf.der b/tests/data/xf-ext-name-excluded-uri.leaf.der
new file mode 100644
index 00000000..a63e06b7
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-uri.leaf.der differ
diff --git a/tests/data/xf-ext-name-excluded-uri2.ca.der b/tests/data/xf-ext-name-excluded-uri2.ca.der
new file mode 100644
index 00000000..4726342d
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-uri2.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded-uri2.leaf.der b/tests/data/xf-ext-name-excluded-uri2.leaf.der
new file mode 100644
index 00000000..e0ec7fa0
Binary files /dev/null and b/tests/data/xf-ext-name-excluded-uri2.leaf.der differ
diff --git a/tests/data/xf-ext-name-excluded.ca.der b/tests/data/xf-ext-name-excluded.ca.der
new file mode 100644
index 00000000..5f812b8d
Binary files /dev/null and b/tests/data/xf-ext-name-excluded.ca.der differ
diff --git a/tests/data/xf-ext-name-excluded.leaf.der b/tests/data/xf-ext-name-excluded.leaf.der
new file mode 100644
index 00000000..a2de7128
Binary files /dev/null and b/tests/data/xf-ext-name-excluded.leaf.der differ
diff --git a/tests/data/xf-ext-policy-constraint-empty.der b/tests/data/xf-ext-policy-constraint-empty.der
new file mode 100644
index 00000000..344f0ed9
Binary files /dev/null and b/tests/data/xf-ext-policy-constraint-empty.der differ
diff --git a/tests/data/xf-ext-policy-constraint-noncrit.der b/tests/data/xf-ext-policy-constraint-noncrit.der
new file mode 100644
index 00000000..63a0606d
Binary files /dev/null and b/tests/data/xf-ext-policy-constraint-noncrit.der differ
diff --git a/tests/data/xf-ext-policy-map-empty.der b/tests/data/xf-ext-policy-map-empty.der
new file mode 100644
index 00000000..936c6316
Binary files /dev/null and b/tests/data/xf-ext-policy-map-empty.der differ
diff --git a/tests/data/xf-ext-policy-map-from-any.der b/tests/data/xf-ext-policy-map-from-any.der
new file mode 100644
index 00000000..5416a9f7
Binary files /dev/null and b/tests/data/xf-ext-policy-map-from-any.der differ
diff --git a/tests/data/xf-ext-policy-map-noncritical.der b/tests/data/xf-ext-policy-map-noncritical.der
new file mode 100644
index 00000000..7f57ddb5
Binary files /dev/null and b/tests/data/xf-ext-policy-map-noncritical.der differ
diff --git a/tests/data/xf-ext-policy-map-to-any.der b/tests/data/xf-ext-policy-map-to-any.der
new file mode 100644
index 00000000..841e897d
Binary files /dev/null and b/tests/data/xf-ext-policy-map-to-any.der differ
diff --git a/tests/data/xf-ext-policy-map-unref.der b/tests/data/xf-ext-policy-map-unref.der
new file mode 100644
index 00000000..61a5bb8d
Binary files /dev/null and b/tests/data/xf-ext-policy-map-unref.der differ
diff --git a/tests/data/xf-ext-subject-dirattr-critical.der b/tests/data/xf-ext-subject-dirattr-critical.der
new file mode 100644
index 00000000..13266320
Binary files /dev/null and b/tests/data/xf-ext-subject-dirattr-critical.der differ
diff --git a/tests/data/xf-ext-subject-dirattr-empty.der b/tests/data/xf-ext-subject-dirattr-empty.der
new file mode 100644
index 00000000..1a9fa878
Binary files /dev/null and b/tests/data/xf-ext-subject-dirattr-empty.der differ
diff --git a/tests/data/xf-ext-subject-info-critical.der b/tests/data/xf-ext-subject-info-critical.der
new file mode 100644
index 00000000..233dc720
Binary files /dev/null and b/tests/data/xf-ext-subject-info-critical.der differ
diff --git a/tests/data/xf-ext-subject-info-empty.der b/tests/data/xf-ext-subject-info-empty.der
new file mode 100644
index 00000000..79a4b169
Binary files /dev/null and b/tests/data/xf-ext-subject-info-empty.der differ
diff --git a/tests/data/xf-ext-subject-keyid-ca-absent.der b/tests/data/xf-ext-subject-keyid-ca-absent.der
new file mode 100644
index 00000000..8d0fdd26
Binary files /dev/null and b/tests/data/xf-ext-subject-keyid-ca-absent.der differ
diff --git a/tests/data/xf-ext-subject-keyid-critical.der b/tests/data/xf-ext-subject-keyid-critical.der
new file mode 100644
index 00000000..375bdc21
Binary files /dev/null and b/tests/data/xf-ext-subject-keyid-critical.der differ
diff --git a/tests/data/xf-gentime-fraction-secs.der b/tests/data/xf-gentime-fraction-secs.der
new file mode 100644
index 00000000..eab8682e
Binary files /dev/null and b/tests/data/xf-gentime-fraction-secs.der differ
diff --git a/tests/data/xf-gentime-no-secs.der b/tests/data/xf-gentime-no-secs.der
new file mode 100644
index 00000000..b594de89
Binary files /dev/null and b/tests/data/xf-gentime-no-secs.der differ
diff --git a/tests/data/xf-gentime-nonzulu.der b/tests/data/xf-gentime-nonzulu.der
new file mode 100644
index 00000000..ac8ab40e
Binary files /dev/null and b/tests/data/xf-gentime-nonzulu.der differ
diff --git a/tests/data/xf-issuer-mismatch-v2.der b/tests/data/xf-issuer-mismatch-v2.der
new file mode 100644
index 00000000..0d8c32ab
Binary files /dev/null and b/tests/data/xf-issuer-mismatch-v2.der differ
diff --git a/tests/data/xf-issuer-mismatch1.der b/tests/data/xf-issuer-mismatch1.der
new file mode 100644
index 00000000..6b13f442
Binary files /dev/null and b/tests/data/xf-issuer-mismatch1.der differ
diff --git a/tests/data/xf-key-usage-nonsign-maybe1.ca.der b/tests/data/xf-key-usage-nonsign-maybe1.ca.der
new file mode 100644
index 00000000..2b2c44d9
Binary files /dev/null and b/tests/data/xf-key-usage-nonsign-maybe1.ca.der differ
diff --git a/tests/data/xf-key-usage-nonsign-maybe1.leaf.der b/tests/data/xf-key-usage-nonsign-maybe1.leaf.der
new file mode 100644
index 00000000..59c5fbe3
Binary files /dev/null and b/tests/data/xf-key-usage-nonsign-maybe1.leaf.der differ
diff --git a/tests/data/xf-key-usage-nonsign-maybe2.ca.der b/tests/data/xf-key-usage-nonsign-maybe2.ca.der
new file mode 100644
index 00000000..2ae784a0
Binary files /dev/null and b/tests/data/xf-key-usage-nonsign-maybe2.ca.der differ
diff --git a/tests/data/xf-key-usage-nonsign-maybe2.leaf.der b/tests/data/xf-key-usage-nonsign-maybe2.leaf.der
new file mode 100644
index 00000000..8270653d
Binary files /dev/null and b/tests/data/xf-key-usage-nonsign-maybe2.leaf.der differ
diff --git a/tests/data/xf-key-usage-nonsign.ca.der b/tests/data/xf-key-usage-nonsign.ca.der
new file mode 100644
index 00000000..3b722f2f
Binary files /dev/null and b/tests/data/xf-key-usage-nonsign.ca.der differ
diff --git a/tests/data/xf-key-usage-nonsign.leaf.der b/tests/data/xf-key-usage-nonsign.leaf.der
new file mode 100644
index 00000000..6f0ccd6f
Binary files /dev/null and b/tests/data/xf-key-usage-nonsign.leaf.der differ
diff --git a/tests/data/xf-key-usages-empty.ca.der b/tests/data/xf-key-usages-empty.ca.der
new file mode 100644
index 00000000..4e0138d5
Binary files /dev/null and b/tests/data/xf-key-usages-empty.ca.der differ
diff --git a/tests/data/xf-key-usages-empty.leaf.der b/tests/data/xf-key-usages-empty.leaf.der
new file mode 100644
index 00000000..b45f92f9
Binary files /dev/null and b/tests/data/xf-key-usages-empty.leaf.der differ
diff --git a/tests/data/xf-key-usages-empty2.ca.der b/tests/data/xf-key-usages-empty2.ca.der
new file mode 100644
index 00000000..16590ee3
Binary files /dev/null and b/tests/data/xf-key-usages-empty2.ca.der differ
diff --git a/tests/data/xf-key-usages-empty2.leaf.der b/tests/data/xf-key-usages-empty2.leaf.der
new file mode 100644
index 00000000..b5a1f312
Binary files /dev/null and b/tests/data/xf-key-usages-empty2.leaf.der differ
diff --git a/tests/data/xf-nonca-sign-maybe1.ca.der b/tests/data/xf-nonca-sign-maybe1.ca.der
new file mode 100644
index 00000000..5e127f8d
Binary files /dev/null and b/tests/data/xf-nonca-sign-maybe1.ca.der differ
diff --git a/tests/data/xf-nonca-sign-maybe1.leaf.der b/tests/data/xf-nonca-sign-maybe1.leaf.der
new file mode 100644
index 00000000..26489e34
Binary files /dev/null and b/tests/data/xf-nonca-sign-maybe1.leaf.der differ
diff --git a/tests/data/xf-nonca-sign-maybe2.ca.der b/tests/data/xf-nonca-sign-maybe2.ca.der
new file mode 100644
index 00000000..7d1f0678
Binary files /dev/null and b/tests/data/xf-nonca-sign-maybe2.ca.der differ
diff --git a/tests/data/xf-nonca-sign-maybe2.leaf.der b/tests/data/xf-nonca-sign-maybe2.leaf.der
new file mode 100644
index 00000000..961c4d8c
Binary files /dev/null and b/tests/data/xf-nonca-sign-maybe2.leaf.der differ
diff --git a/tests/data/xf-nonca-sign.ca.der b/tests/data/xf-nonca-sign.ca.der
new file mode 100644
index 00000000..1a786829
Binary files /dev/null and b/tests/data/xf-nonca-sign.ca.der differ
diff --git a/tests/data/xf-nonca-sign.leaf.der b/tests/data/xf-nonca-sign.leaf.der
new file mode 100644
index 00000000..49ddbd9e
Binary files /dev/null and b/tests/data/xf-nonca-sign.leaf.der differ
diff --git a/tests/data/xf-pubkey-ecdsa-not-on-curve.der b/tests/data/xf-pubkey-ecdsa-not-on-curve.der
new file mode 100644
index 00000000..ea82f343
Binary files /dev/null and b/tests/data/xf-pubkey-ecdsa-not-on-curve.der differ
diff --git a/tests/data/xf-pubkey-ecdsa-secp192r1.der b/tests/data/xf-pubkey-ecdsa-secp192r1.der
new file mode 100644
index 00000000..d0b14ac3
Binary files /dev/null and b/tests/data/xf-pubkey-ecdsa-secp192r1.der differ
diff --git a/tests/data/xf-pubkey-ecdsa-unknown-curve.der b/tests/data/xf-pubkey-ecdsa-unknown-curve.der
new file mode 100644
index 00000000..42d65496
Binary files /dev/null and b/tests/data/xf-pubkey-ecdsa-unknown-curve.der differ
diff --git a/tests/data/xf-pubkey-rsa-exponent-negative.der b/tests/data/xf-pubkey-rsa-exponent-negative.der
new file mode 100644
index 00000000..140ce149
Binary files /dev/null and b/tests/data/xf-pubkey-rsa-exponent-negative.der differ
diff --git a/tests/data/xf-pubkey-rsa-modulus-negative.der b/tests/data/xf-pubkey-rsa-modulus-negative.der
new file mode 100644
index 00000000..f144a5c7
Binary files /dev/null and b/tests/data/xf-pubkey-rsa-modulus-negative.der differ
diff --git a/tests/data/xf-pubkey-rsa-param-nonnull.der b/tests/data/xf-pubkey-rsa-param-nonnull.der
new file mode 100644
index 00000000..43f0528a
Binary files /dev/null and b/tests/data/xf-pubkey-rsa-param-nonnull.der differ
diff --git a/tests/data/xf-serial-negative.der b/tests/data/xf-serial-negative.der
new file mode 100644
index 00000000..d3771d51
Binary files /dev/null and b/tests/data/xf-serial-negative.der differ
diff --git a/tests/data/xf-serial-zero.der b/tests/data/xf-serial-zero.der
new file mode 100644
index 00000000..d5265d75
Binary files /dev/null and b/tests/data/xf-serial-zero.der differ
diff --git a/tests/data/xf-soon-generalized-time.der b/tests/data/xf-soon-generalized-time.der
new file mode 100644
index 00000000..2f18c7a2
Binary files /dev/null and b/tests/data/xf-soon-generalized-time.der differ
diff --git a/tests/data/xf-subject-nonprintable.der b/tests/data/xf-subject-nonprintable.der
new file mode 100644
index 00000000..94c0c1ae
Binary files /dev/null and b/tests/data/xf-subject-nonprintable.der differ
diff --git a/tests/data/xf-subject-t61.der b/tests/data/xf-subject-t61.der
new file mode 100644
index 00000000..5cf9f794
Binary files /dev/null and b/tests/data/xf-subject-t61.der differ
diff --git a/tests/data/xf-unknown-critical-ext.der b/tests/data/xf-unknown-critical-ext.der
new file mode 100644
index 00000000..dc0e5240
Binary files /dev/null and b/tests/data/xf-unknown-critical-ext.der differ
diff --git a/tests/data/xf-utctime-no-secs.der b/tests/data/xf-utctime-no-secs.der
new file mode 100644
index 00000000..7373d81a
Binary files /dev/null and b/tests/data/xf-utctime-no-secs.der differ
diff --git a/tests/data/xf-utctime-nonzulu.der b/tests/data/xf-utctime-nonzulu.der
new file mode 100644
index 00000000..2d6ac63d
Binary files /dev/null and b/tests/data/xf-utctime-nonzulu.der differ
diff --git a/tests/data/xf-v1-extensions.der b/tests/data/xf-v1-extensions.der
new file mode 100644
index 00000000..357a6b59
Binary files /dev/null and b/tests/data/xf-v1-extensions.der differ
diff --git a/tests/data/xf-v1-uniqueid.der b/tests/data/xf-v1-uniqueid.der
new file mode 100644
index 00000000..c39b1d88
Binary files /dev/null and b/tests/data/xf-v1-uniqueid.der differ
diff --git a/tests/data/xf-v2-extensions.der b/tests/data/xf-v2-extensions.der
new file mode 100644
index 00000000..56aa2e14
Binary files /dev/null and b/tests/data/xf-v2-extensions.der differ
diff --git a/tests/data/xf-v3-uniqueid-noexts1.der b/tests/data/xf-v3-uniqueid-noexts1.der
new file mode 100644
index 00000000..3517dd07
Binary files /dev/null and b/tests/data/xf-v3-uniqueid-noexts1.der differ
diff --git a/tests/data/xf-v3-uniqueid-noexts2.der b/tests/data/xf-v3-uniqueid-noexts2.der
new file mode 100644
index 00000000..9bd51ffe
Binary files /dev/null and b/tests/data/xf-v3-uniqueid-noexts2.der differ
diff --git a/tests/x509test.rs b/tests/x509test.rs
new file mode 100644
index 00000000..ac374c68
--- /dev/null
+++ b/tests/x509test.rs
@@ -0,0 +1,1979 @@ +// +// AUTOGENERATED by gentests.py on 2022-02-27T14:48:20.473118 -- do not edit +// + +use std::convert::TryFrom; + +use webpki; + +static ALL_SIG_ALGS: &[&webpki::SignatureAlgorithm] = &[ + &webpki::ECDSA_P256_SHA256, + &webpki::ECDSA_P256_SHA384, + &webpki::ECDSA_P384_SHA256, + &webpki::ECDSA_P384_SHA384, + &webpki::ED25519, + &webpki::RSA_PKCS1_2048_8192_SHA256, + &webpki::RSA_PKCS1_2048_8192_SHA384, + &webpki::RSA_PKCS1_2048_8192_SHA512, + &webpki::RSA_PKCS1_3072_8192_SHA384, +]; + +#[test] +fn test_ok_ext_auth_info_access() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-auth-info-access.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_auth_keyid() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-auth-keyid.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_auth_keyid2() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-auth-keyid2.der")[..]) + .expect("cannot parse valid ee cert"); + 
ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_basic_constraints() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-basic-constraints.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::CaUsedAsEndEntity + ); +} + +#[test] +fn test_ok_ext_cert_policies_any_qual() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-cert-policies-any-qual.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_cert_policies_any() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-cert-policies-any.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + 
&webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_cert_policies_ia5_unotice() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-cert-policies-ia5-unotice.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_cert_policies_unotice() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-cert-policies-unotice.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_cert_policies() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-cert-policies.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_crl_point() { + let ca = include_bytes!("data/fake-ca.der"); + let 
ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-crl-point.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_ct_sct() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-ct-sct.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_extended_key_usage() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-extended-key-usage.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_extended_key_usage2() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-extended-key-usage2.der")[..]) + .expect("cannot parse valid ee cert"); + 
ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_freshest_crl() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-freshest-crl.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_inhibit_anypolicy() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-inhibit-anypolicy.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_ok_ext_issuer_altname() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-issuer-altname.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + 
&intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_key_usage() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-key-usage.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_name_constraints() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-name-constraints.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::CaUsedAsEndEntity + ); +} + +#[test] +fn test_ok_ext_policy_constraints() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-policy-constraints.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + 
ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_ok_ext_policy_map() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-policy-map.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_ok_ext_subject_altname() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-subject-altname.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_subject_altname2() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-subject-altname2.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + 
&intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_subject_dirattr() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-subject-dirattr.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_subject_info_access() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-subject-info-access.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_ext_subject_keyid() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-ext-subject-keyid.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_indefinite_expiry() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + 
.expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-indefinite-expiry.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_issuer_asn1_differ() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-issuer-asn1-differ.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnknownIssuer + ); +} + +#[test] +fn test_ok_long_expiry() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-long-expiry.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_long_serial() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = 
webpki::EndEntityCert::try_from(&include_bytes!("data/ok-long-serial.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_pubkey_ecdsa_p256v1() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-pubkey-ecdsa-p256v1.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_pubkey_rsa() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-pubkey-rsa.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_uniqueid_incomplete_byte() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-uniqueid-incomplete-byte.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + 
}) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::MissingOrMalformedExtensions + ); +} + +#[test] +fn test_ok_utc_time_wrap() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-utc-time-wrap.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDERTime + ); +} + +#[test] +fn test_ok_v1() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-v1.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCertVersion + ); +} + +#[test] +fn test_ok_v2_issuer_asn1_differ() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + 
webpki::EndEntityCert::try_from(&include_bytes!("data/ok-v2-issuer-asn1-differ.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCertVersion + ); +} + +#[test] +fn test_ok_v2() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-v2.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCertVersion + ); +} + +#[test] +fn test_ok_v3() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-v3.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_ok_inherited_keyparams() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let 
intermediates = [ + &include_bytes!("data/ok-inherited-keyparams.ca.der")[..], + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/ok-inherited-keyparams.leaf.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnknownIssuer + ); +} + +#[test] +fn test_ok_intermediate_ca_sign() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + &include_bytes!("data/ok-intermediate-ca-sign.ca.der")[..], + ]; + let ee = webpki::EndEntityCert::try_from(&include_bytes!("data/ok-intermediate-ca-sign.leaf.der")[..]) + .expect("cannot parse valid ee cert"); + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300)) + .expect("ee cert should be valid"); +} + +#[test] +fn test_xf_algo_mismatch1() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-algo-mismatch1.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + 
webpki::Error::SignatureAlgorithmMismatch + ); +} + +#[test] +fn test_xf_der_invalid_bitstring() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-der-invalid-bitstring.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::MissingOrMalformedExtensions + ); +} + +#[test] +fn test_xf_der_invalid_nonminimal_int() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-der-invalid-nonminimal-int.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDER + ); +} + +#[test] +fn test_xf_der_invalid_uniqueid() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-der-invalid-uniqueid.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + 
&webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::MissingOrMalformedExtensions + ); +} + +#[test] +fn test_xf_ext_altname_invalid_domain() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-altname-invalid-domain.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDER + ); +} + +#[test] +fn test_xf_ext_altname_invalid_encoding() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-altname-invalid-encoding.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDER + ); +} + +#[test] +fn test_xf_ext_auth_info_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = 
webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-auth-info-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_auth_keyid_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-auth-keyid-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_constraints_neg_pathlen() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-constraints-neg-pathlen.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + 
.and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDER + ); +} + +#[test] +fn test_xf_ext_crl_point_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-crl-point-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_ct_poison() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-ct-poison.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_extended_any_key_usage() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + 
webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-extended-any-key-usage.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnknownIssuer + ); +} + +#[test] +fn test_xf_ext_extended_key_usage_empty() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-extended-key-usage-empty.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDER + ); +} + +#[test] +fn test_xf_ext_freshest_crl_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-freshest-crl-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be 
invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_issuer_altname_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-issuer-altname-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_policy_constraint_empty() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-policy-constraint-empty.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_policy_map_empty() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-policy-map-empty.der")[..]) + .and_then(|ee| { + 
ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_policy_map_from_any() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-policy-map-from-any.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_policy_map_to_any() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-policy-map-to-any.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn 
test_xf_ext_policy_map_unref() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-policy-map-unref.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_subject_dirattr_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-subject-dirattr-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_subject_info_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-subject-info-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + 
&intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_ext_subject_keyid_critical() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-subject-keyid-critical.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_gentime_fraction_secs() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-gentime-fraction-secs.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDERTime + ); +} + +#[test] +fn test_xf_gentime_no_secs() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = 
webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-gentime-no-secs.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDERTime + ); +} + +#[test] +fn test_xf_gentime_nonzulu() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-gentime-nonzulu.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDERTime + ); +} + +#[test] +fn test_xf_issuer_mismatch_v2() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-issuer-mismatch-v2.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + 
ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCertVersion + ); +} + +#[test] +fn test_xf_issuer_mismatch1() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-issuer-mismatch1.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnknownIssuer + ); +} + +#[test] +fn test_xf_serial_negative() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-serial-negative.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDER + ); +} + +#[test] +fn test_xf_serial_zero() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-serial-zero.der")[..]) + 
.and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDER + ); +} + +#[test] +fn test_xf_unknown_critical_ext() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-unknown-critical-ext.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCriticalExtension + ); +} + +#[test] +fn test_xf_utctime_no_secs() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-utctime-no-secs.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDERTime + ); +} + +#[test] +fn test_xf_utctime_nonzulu() { + let ca = 
include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-utctime-nonzulu.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::BadDERTime + ); +} + +#[test] +fn test_xf_v1_extensions() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-v1-extensions.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCertVersion + ); +} + +#[test] +fn test_xf_v1_uniqueid() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-v1-uniqueid.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + 
ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCertVersion + ); +} + +#[test] +fn test_xf_v2_extensions() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-v2-extensions.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnsupportedCertVersion + ); +} + +#[test] +fn test_xf_v3_uniqueid_noexts1() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-v3-uniqueid-noexts1.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::MissingOrMalformedExtensions + ); +} + +#[test] +fn test_xf_v3_uniqueid_noexts2() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + ]; + assert_eq!( + 
webpki::EndEntityCert::try_from(&include_bytes!("data/xf-v3-uniqueid-noexts2.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::MissingOrMalformedExtensions + ); +} + +#[test] +fn test_xf_ext_altname_excluded() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + &include_bytes!("data/xf-ext-altname-excluded.ca.der")[..], + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-altname-excluded.leaf.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap()) + }) + .expect_err("ee cert/chain/name expected to be invalid"), + webpki::Error::UnknownIssuer + ); +} + +#[test] +fn test_xf_ext_key_usage_wrong() { + let ca = include_bytes!("data/fake-ca.der"); + let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..]) + .expect("cannot parse ca cert"); + let intermediates = [ + &include_bytes!("data/xf-ext-key-usage-wrong.ca.der")[..], + ]; + assert_eq!( + webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-key-usage-wrong.leaf.der")[..]) + .and_then(|ee| { + ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS, + &webpki::TLSServerTrustAnchors(&[ca]), + &intermediates[..], + webpki::Time::from_seconds_since_unix_epoch(1645973300))?; + Ok(ee) + }) + .and_then(|ee| { + 
ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded_dn() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded-dn.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded-dn.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded_dns() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded-dns.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded-dns.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded_email() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded-email.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded-email.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded_email2() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded-email2.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded-email2.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded_ip() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded-ip.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded-ip.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded_uri() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded-uri.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded-uri.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded_uri2() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded-uri2.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded-uri2.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_ext_name_excluded() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-ext-name-excluded.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-ext-name-excluded.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_nonca_sign_maybe1() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-nonca-sign-maybe1.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-nonca-sign-maybe1.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_nonca_sign_maybe2() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-nonca-sign-maybe2.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-nonca-sign-maybe2.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+
+#[test]
+fn test_xf_nonca_sign() {
+ let ca = include_bytes!("data/fake-ca.der");
+ let ca = webpki::TrustAnchor::try_from_cert_der(&ca[..])
+ .expect("cannot parse ca cert");
+ let intermediates = [
+ &include_bytes!("data/xf-nonca-sign.ca.der")[..],
+ ];
+ assert_eq!(
+ webpki::EndEntityCert::try_from(&include_bytes!("data/xf-nonca-sign.leaf.der")[..])
+ .and_then(|ee| {
+ ee.verify_is_valid_tls_server_cert(&ALL_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&[ca]),
+ &intermediates[..],
+ webpki::Time::from_seconds_since_unix_epoch(1645973300))?;
+ Ok(ee)
+ })
+ .and_then(|ee| {
+ ee.verify_is_valid_for_dns_name(webpki::DnsNameRef::try_from_ascii_str("example.com").unwrap())
+ })
+ .expect_err("ee cert/chain/name expected to be invalid"),
+ webpki::Error::UnknownIssuer
+ );
+}
+