2 // Pkits_4_04_BasicCertificateRevocationTests.cs -
3 // NUnit tests for Pkits 4.4 : Basic Certificate Revocation Tests
6 // Sebastien Pouliot <sebastien@ximian.com>
8 // Copyright (C) 2006 Novell, Inc (http://www.novell.com)
10 // Permission is hereby granted, free of charge, to any person obtaining
11 // a copy of this software and associated documentation files (the
12 // "Software"), to deal in the Software without restriction, including
13 // without limitation the rights to use, copy, modify, merge, publish,
14 // distribute, sublicense, and/or sell copies of the Software, and to
15 // permit persons to whom the Software is furnished to do so, subject to
16 // the following conditions:
18 // The above copyright notice and this permission notice shall be
19 // included in all copies or substantial portions of the Software.
21 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
22 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
23 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
24 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
25 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
26 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
27 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
31 using NUnit.Framework;
34 using System.Security.Cryptography.X509Certificates;
36 namespace MonoTests.System.Security.Cryptography.X509Certificates {
/*
 * [MS/XP][!RFC3280] Unknown critical extensions result in
 * RevocationStatusUnknown instead of Revoked - even if the CRL
 * lists the certificate serial number as revoked!
 *
 * [MS/XP][!RFC3280] Doesn't support having different keys for
 * signing certificates and CRLs.
 *
 * See PkitsTest.cs for more details
 */
53 public class Pkits_4_04_BasicCertificateRevocationTests: PkitsTest {
// CA certificate fixtures used by the 4.4 revocation tests. Every read of a
// property calls GetCertificate (not defined in this file section; presumably
// inherited from PkitsTest) with the certificate's file name.

public X509Certificate2 NoCRLCACert {
    get {
        return GetCertificate ("NoCRLCACert.crt");
    }
}

public X509Certificate2 RevokedsubCACert {
    get {
        return GetCertificate ("RevokedsubCACert.crt");
    }
}

public X509Certificate2 BadCRLSignatureCACert {
    get {
        return GetCertificate ("BadCRLSignatureCACert.crt");
    }
}

public X509Certificate2 BadCRLIssuerNameCACert {
    get {
        return GetCertificate ("BadCRLIssuerNameCACert.crt");
    }
}

public X509Certificate2 WrongCRLCACert {
    get {
        return GetCertificate ("WrongCRLCACert.crt");
    }
}

public X509Certificate2 TwoCRLsCACert {
    get {
        return GetCertificate ("TwoCRLsCACert.crt");
    }
}

public X509Certificate2 UnknownCRLEntryExtensionCACert {
    get {
        return GetCertificate ("UnknownCRLEntryExtensionCACert.crt");
    }
}

public X509Certificate2 UnknownCRLExtensionCACert {
    get {
        return GetCertificate ("UnknownCRLExtensionCACert.crt");
    }
}

public X509Certificate2 OldCRLnextUpdateCACert {
    get {
        return GetCertificate ("OldCRLnextUpdateCACert.crt");
    }
}

// The file name starts with a lower-case 'p', unlike the property name.
public X509Certificate2 Pre2000CRLnextUpdateCACert {
    get {
        return GetCertificate ("pre2000CRLnextUpdateCACert.crt");
    }
}

public X509Certificate2 GeneralizedTimeCRLnextUpdateCACert {
    get {
        return GetCertificate ("GeneralizedTimeCRLnextUpdateCACert.crt");
    }
}

public X509Certificate2 NegativeSerialNumberCACert {
    get {
        return GetCertificate ("NegativeSerialNumberCACert.crt");
    }
}

public X509Certificate2 LongSerialNumberCACert {
    get {
        return GetCertificate ("LongSerialNumberCACert.crt");
    }
}

public X509Certificate2 SeparateCertificateandCRLKeysCertificateSigningCACert {
    get {
        return GetCertificate ("SeparateCertificateandCRLKeysCertificateSigningCACert.crt");
    }
}

public X509Certificate2 SeparateCertificateandCRLKeysCA2CertificateSigningCACert {
    get {
        return GetCertificate ("SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt");
    }
}
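// PKITS 4.4.1 - Missing CRL.
// Expects the build to fail with RevocationStatusUnknown on the chain and on
// the end entity, while the issuing CA and the trust anchor report NoError.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T01_MissingCRL ()
{
    X509Certificate2 ee = GetCertificate ("InvalidMissingCRLTest1EE.crt");
    // No ChainPolicy is configured, so the expected flags depend on the
    // platform's default revocation settings.
    X509Chain chain = new X509Chain ();
    // An undeterminable revocation status must not validate (fail closed).
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (NoCRLCACert, chain.ChainElements[1].Certificate, "NoCRLCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "NoCRLCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}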
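// PKITS 4.4.2 - Invalid Revoked CA.
// Four-element chain: end entity, RevokedsubCACert, GoodCACert, trust anchor.
// Only the intermediate CA (element 1) is expected to be flagged Revoked; the
// end entity below it is expected to report RevocationStatusUnknown and
// OfflineRevocation, and the chain status is the union of the three flags.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T02_InvalidRevokedCA ()
{
    X509Certificate2 ee = GetCertificate ("InvalidRevokedCATest2EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.Revoked | X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (RevokedsubCACert, chain.ChainElements[1].Certificate, "RevokedsubCACert");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainElements[1].ChainElementStatus, "RevokedsubCACert.Status");
    Assert.AreEqual (GoodCACert, chain.ChainElements[2].Certificate, "GoodCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "GoodCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[3].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[3].ChainElementStatus, "TrustAnchorRoot.Status");
}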
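// PKITS 4.4.3 - Invalid Revoked EE.
// Expects the build to fail with Revoked on the chain and on the end entity;
// GoodCACert and the trust anchor report NoError.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T03_InvalidRevokedEE ()
{
    X509Certificate2 ee = GetCertificate ("InvalidRevokedEETest3EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (GoodCACert, chain.ChainElements[1].Certificate, "GoodCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "GoodCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}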
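// PKITS 4.4.4 - Invalid Bad CRL Signature.
// Expects the build to fail with RevocationStatusUnknown on the chain and on
// the end entity. Going by the fixture names, the CRL's signature is bad, so
// the CRL cannot be relied on to establish the end entity's status.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T04_InvalidBadCrlSignature ()
{
    X509Certificate2 ee = GetCertificate ("InvalidBadCRLSignatureTest4EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (BadCRLSignatureCACert, chain.ChainElements[1].Certificate, "BadCRLSignatureCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "BadCRLSignatureCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}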
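// PKITS 4.4.5 - Invalid Bad CRL Issuer Name.
// Expects the build to fail with RevocationStatusUnknown on the chain and on
// the end entity; the CA and the trust anchor report NoError.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T05_InvalidBadCrlIssuerName ()
{
    X509Certificate2 ee = GetCertificate ("InvalidBadCRLIssuerNameTest5EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (BadCRLIssuerNameCACert, chain.ChainElements[1].Certificate, "BadCRLIssuerNameCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "BadCRLIssuerNameCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}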
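// PKITS 4.4.6 - Invalid Wrong CRL.
// Expects the build to fail with RevocationStatusUnknown on the chain and on
// the end entity; the CA and the trust anchor report NoError.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T06_InvalidWrongCrl ()
{
    X509Certificate2 ee = GetCertificate ("InvalidWrongCRLTest6EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (WrongCRLCACert, chain.ChainElements[1].Certificate, "WrongCRLCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "WrongCRLCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}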
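// PKITS 4.4.7 - Valid Two CRLs.
// Positive case: the build must succeed and every element, as well as the
// chain itself, must report NoError.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T07_ValidTwoCrls ()
{
    X509Certificate2 ee = GetCertificate ("ValidTwoCRLsTest7EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsTrue (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (TwoCRLsCACert, chain.ChainElements[1].Certificate, "TwoCRLsCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "TwoCRLsCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}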
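// PKITS 4.4.8 - Invalid Unknown CRL Entry Extension.
// Expects the build to fail with Revoked on the chain and on the end entity,
// i.e. the revocation is still honoured in this case.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T08_InvalidUnknownCrlEntryExtension ()
{
    X509Certificate2 ee = GetCertificate ("InvalidUnknownCRLEntryExtensionTest8EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (UnknownCRLEntryExtensionCACert, chain.ChainElements[1].Certificate, "UnknownCRLEntryExtensionCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "UnknownCRLEntryExtensionCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}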
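// PKITS 4.4.9 - Invalid Unknown CRL Extension, with the outcome the author
// marks as RFC 3280 compliant: Revoked on the chain and on the end entity.
// The "NotDotNet" category keeps this expectation apart from the one in
// T09_InvalidUnknownCrlExtension_MS, which uses the same certificate.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
[Category ("NotDotNet")] // test case is RFC3280 compliant
public void T09_InvalidUnknownCrlExtension ()
{
    X509Certificate2 ee = GetCertificate ("InvalidUnknownCRLExtensionTest9EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (UnknownCRLExtensionCACert, chain.ChainElements[1].Certificate, "UnknownCRLExtensionCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "UnknownCRLExtensionCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}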
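// PKITS 4.4.9 again, pinned to the Microsoft result the author considers
// non-compliant: RevocationStatusUnknown instead of Revoked. It is tagged
// "NotWorking" (WONTFIX) because Mono follows the RFC 3280 reading instead.
// The build still fails here, so the path is rejected. A relying party that
// masks unknown revocation status (for example with
// X509VerificationFlags.IgnoreEndRevocationUnknown) would accept this
// certificate on a platform that behaves this way.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
public void T09_InvalidUnknownCrlExtension_MS ()
{
    X509Certificate2 ee = GetCertificate ("InvalidUnknownCRLExtensionTest9EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    // MS-BAD - the certificate is REVOKED even if we don't completely understand
    // the critical extensions included in the certificate
    // NOTE(review): the test and fixture names suggest the unknown extension
    // is carried by the CRL rather than by the certificate - confirm.
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (UnknownCRLExtensionCACert, chain.ChainElements[1].Certificate, "UnknownCRLExtensionCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "UnknownCRLExtensionCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}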
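// PKITS 4.4.10 - Invalid Unknown CRL Extension (same CA fixture as test 9).
// Expects the build to fail with RevocationStatusUnknown on the chain and on
// the end entity. The author's inline note records that treating the end
// entity as revoked would be the stricter reading.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T10_InvalidUnknownCrlExtension ()
{
    X509Certificate2 ee = GetCertificate ("InvalidUnknownCRLExtensionTest10EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    // X.509.7.3 we should consider the EE as revoked (RevocationStatusUnknown seems fuzzy)
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (UnknownCRLExtensionCACert, chain.ChainElements[1].Certificate, "UnknownCRLExtensionCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "UnknownCRLExtensionCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}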
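// PKITS 4.4.11 - Invalid Old CRL nextUpdate.
// Expects the build to fail with RevocationStatusUnknown and
// OfflineRevocation on the chain and on the end entity. Going by the fixture
// names, the CRL is stale and so is not accepted as proof of good standing.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T11_InvalidOldCrlNextUpdate ()
{
    X509Certificate2 ee = GetCertificate ("InvalidOldCRLnextUpdateTest11EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (OldCRLnextUpdateCACert, chain.ChainElements[1].Certificate, "OldCRLnextUpdateCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "OldCRLnextUpdateCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}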
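// PKITS 4.4.12 - Invalid pre-2000 CRL nextUpdate.
// Same expectation as test 11: the build fails with RevocationStatusUnknown
// and OfflineRevocation on the chain and on the end entity.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T12_InvalidPre2000CrlNextUpdate ()
{
    X509Certificate2 ee = GetCertificate ("Invalidpre2000CRLnextUpdateTest12EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (Pre2000CRLnextUpdateCACert, chain.ChainElements[1].Certificate, "Pre2000CRLnextUpdateCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "Pre2000CRLnextUpdateCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}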
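// PKITS 4.4.13 - Valid GeneralizedTime CRL nextUpdate.
// Positive case: the build must succeed and every element, as well as the
// chain itself, must report NoError.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T13_ValidGeneralizedTimeCrlNextUpdate ()
{
    X509Certificate2 ee = GetCertificate ("ValidGeneralizedTimeCRLnextUpdateTest13EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsTrue (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (GeneralizedTimeCRLnextUpdateCACert, chain.ChainElements[1].Certificate, "GeneralizedTimeCRLnextUpdateCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "GeneralizedTimeCRLnextUpdateCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}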
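// PKITS 4.4.14 - Valid Negative Serial Number.
// Positive case: the build must succeed with NoError everywhere. Test 15
// uses the same CA and expects a revoked end entity, so the pair checks that
// serial-number matching against the CRL is exact.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T14_ValidNegativeSerialNumber ()
{
    X509Certificate2 ee = GetCertificate ("ValidNegativeSerialNumberTest14EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsTrue (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (NegativeSerialNumberCACert, chain.ChainElements[1].Certificate, "NegativeSerialNumberCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "NegativeSerialNumberCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}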
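// PKITS 4.4.15 - Invalid Negative Serial Number.
// Expects the build to fail with Revoked on the chain and on the end entity;
// the CA (shared with test 14) and the trust anchor report NoError.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T15_InvalidNegativeSerialNumber ()
{
    X509Certificate2 ee = GetCertificate ("InvalidNegativeSerialNumberTest15EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (NegativeSerialNumberCACert, chain.ChainElements[1].Certificate, "NegativeSerialNumberCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "NegativeSerialNumberCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}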
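// PKITS 4.4.16 - Valid Long Serial Number.
// Positive case: the build must succeed with NoError everywhere. Tests 17
// and 18 use the same LongSerialNumberCACert fixture.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T16_ValidLongSerialNumber ()
{
    X509Certificate2 ee = GetCertificate ("ValidLongSerialNumberTest16EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsTrue (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (LongSerialNumberCACert, chain.ChainElements[1].Certificate, "LongSerialNumberCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "LongSerialNumberCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}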
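// PKITS 4.4.17 - Valid Long Serial Number (second end-entity certificate
// under the same CA as test 16).
// Positive case: the build must succeed with NoError everywhere.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T17_ValidLongSerialNumber ()
{
    X509Certificate2 ee = GetCertificate ("ValidLongSerialNumberTest17EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsTrue (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (LongSerialNumberCACert, chain.ChainElements[1].Certificate, "LongSerialNumberCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "LongSerialNumberCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}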
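// PKITS 4.4.18 - Invalid Long Serial Number.
// Expects the build to fail with Revoked on the chain and on the end entity.
// Tests 16 and 17 use the same CA and expect success, so the three together
// check that long serial numbers are matched against the CRL exactly.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T18_InvalidLongSerialNumber ()
{
    X509Certificate2 ee = GetCertificate ("InvalidLongSerialNumberTest18EE.crt");
    X509Chain chain = new X509Chain ();
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.Revoked, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (LongSerialNumberCACert, chain.ChainElements[1].Certificate, "LongSerialNumberCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "LongSerialNumberCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}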
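// PKITS 4.4.19 - Valid Separate Certificate and CRL Keys.
// The fixture is named as a valid path, but the assertions pin the Microsoft
// behaviour the author calls MS-BAD: the build fails with
// RevocationStatusUnknown. This is a fail-closed deviation: a valid path is
// rejected, and no invalid path is accepted.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T19_ValidSeparateCertificateAndCrlKeys ()
{
    X509Certificate2 ee = GetCertificate ("ValidSeparateCertificateandCRLKeysTest19EE.crt");
    X509Chain chain = new X509Chain ();
    // MS-BAD - doesn't support different keys for signing certificates and CRL
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (SeparateCertificateandCRLKeysCertificateSigningCACert, chain.ChainElements[1].Certificate, "SeparateCertificateandCRLKeysCertificateSigningCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "SeparateCertificateandCRLKeysCertificateSigningCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}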
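// PKITS 4.4.20 - Invalid Separate Certificate and CRL Keys.
// Expects the build to fail with RevocationStatusUnknown on the chain and on
// the end entity. The rejection matches the "invalid" verdict, but the
// author's inline note warns that it is reached for the wrong reason. That is
// presumably the separate-key limitation pinned by test 19, rather than a
// revocation check that was actually evaluated.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T20_InvalidSeparateCertificateAndCrlKeys ()
{
    X509Certificate2 ee = GetCertificate ("InvalidSeparateCertificateandCRLKeysTest20EE.crt");
    X509Chain chain = new X509Chain ();
    // looks ok but in fact it's confused
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (SeparateCertificateandCRLKeysCertificateSigningCACert, chain.ChainElements[1].Certificate, "SeparateCertificateandCRLKeysCertificateSigningCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "SeparateCertificateandCRLKeysCertificateSigningCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}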
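// PKITS 4.4.21 - Invalid Separate Certificate and CRL Keys (CA2 fixture).
// Expects the build to fail with RevocationStatusUnknown on the chain and on
// the end entity. As in test 20, the author's inline note warns that the
// rejection is reached for the wrong reason, so a pass here does not show
// that the revocation data was evaluated.
// The [Test] attribute and the braces are restored here; the listing had
// dropped those short lines.
[Test]
public void T21_InvalidSeparateCertificateAndCrlKeys ()
{
    X509Certificate2 ee = GetCertificate ("InvalidSeparateCertificateandCRLKeysTest21EE.crt");
    X509Chain chain = new X509Chain ();
    // looks ok but in fact it's confused
    Assert.IsFalse (chain.Build (ee), "Build");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
    Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
    CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
    Assert.AreEqual (SeparateCertificateandCRLKeysCA2CertificateSigningCACert, chain.ChainElements[1].Certificate, "SeparateCertificateandCRLKeysCA2CertificateSigningCACert");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "SeparateCertificateandCRLKeysCA2CertificateSigningCACert.Status");
    Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
    CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}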