2 // Pkits_4_06_VerifyingBasicConstraints.cs -
3 // NUnit tests for Pkits 4.6 : Verifying Basic Constraints
6 // Sebastien Pouliot <sebastien@ximian.com>
8 // Copyright (C) 2006 Novell, Inc (http://www.novell.com)
10 // Permission is hereby granted, free of charge, to any person obtaining
11 // a copy of this software and associated documentation files (the
12 // "Software"), to deal in the Software without restriction, including
13 // without limitation the rights to use, copy, modify, merge, publish,
14 // distribute, sublicense, and/or sell copies of the Software, and to
15 // permit persons to whom the Software is furnished to do so, subject to
16 // the following conditions:
18 // The above copyright notice and this permission notice shall be
19 // included in all copies or substantial portions of the Software.
21 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
22 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
23 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
24 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
25 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
26 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
27 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
31 using NUnit.Framework;
34 using System.Security.Cryptography.X509Certificates;
36 namespace MonoTests.System.Security.Cryptography.X509Certificates {
39 * See PkitsTest.cs for more details
44 public class Pkits_4_06_VerifyingBasicConstraints: PkitsTest {
// Intermediate CA certificates used by the PKITS 4.6 tests below. Every getter
// calls GetCertificate (declared in PkitsTest) again on each access; whether
// that helper caches the certificate is not visible from this file.

// CA certificates named after the state of their basicConstraints extension.
public X509Certificate2 MissingbasicConstraintsCACert { get { return GetCertificate ("MissingbasicConstraintsCACert.crt"); } }
public X509Certificate2 BasicConstraintsCriticalcAFalseCACert { get { return GetCertificate ("basicConstraintsCriticalcAFalseCACert.crt"); } }
public X509Certificate2 BasicConstraintsNotCriticalCACert { get { return GetCertificate ("basicConstraintsNotCriticalCACert.crt"); } }
public X509Certificate2 BasicConstraintsNotCriticalcAFalseCACert { get { return GetCertificate ("basicConstraintsNotCriticalcAFalseCACert.crt"); } }

// Hierarchy under the CA named "pathLenConstraint0".
public X509Certificate2 PathLenConstraint0CACert { get { return GetCertificate ("pathLenConstraint0CACert.crt"); } }
public X509Certificate2 PathLenConstraint0subCACert { get { return GetCertificate ("pathLenConstraint0subCACert.crt"); } }
public X509Certificate2 PathLenConstraint0subCA2Cert { get { return GetCertificate ("pathLenConstraint0subCA2Cert.crt"); } }

// Hierarchy under the CA named "pathLenConstraint6".
public X509Certificate2 PathLenConstraint6CACert { get { return GetCertificate ("pathLenConstraint6CACert.crt"); } }
public X509Certificate2 PathLenConstraint6subCA0Cert { get { return GetCertificate ("pathLenConstraint6subCA0Cert.crt"); } }
public X509Certificate2 PathLenConstraint6subsubCA00Cert { get { return GetCertificate ("pathLenConstraint6subsubCA00Cert.crt"); } }
public X509Certificate2 PathLenConstraint6subCA1Cert { get { return GetCertificate ("pathLenConstraint6subCA1Cert.crt"); } }
public X509Certificate2 PathLenConstraint6subsubCA11Cert { get { return GetCertificate ("pathLenConstraint6subsubCA11Cert.crt"); } }
public X509Certificate2 PathLenConstraint6subsubsubCA11XCert { get { return GetCertificate ("pathLenConstraint6subsubsubCA11XCert.crt"); } }
public X509Certificate2 PathLenConstraint6subCA4Cert { get { return GetCertificate ("pathLenConstraint6subCA4Cert.crt"); } }
public X509Certificate2 PathLenConstraint6subsubCA41Cert { get { return GetCertificate ("pathLenConstraint6subsubCA41Cert.crt"); } }
public X509Certificate2 PathLenConstraint6subsubsubCA41XCert { get { return GetCertificate ("pathLenConstraint6subsubsubCA41XCert.crt"); } }

// Self-issued CA certificates and the "pathLenConstraint1" hierarchy (tests 15 to 17).
public X509Certificate2 PathLenConstraint0SelfIssuedCACert { get { return GetCertificate ("pathLenConstraint0SelfIssuedCACert.crt"); } }
public X509Certificate2 PathLenConstraint1CACert { get { return GetCertificate ("pathLenConstraint1CACert.crt"); } }
public X509Certificate2 PathLenConstraint1SelfIssuedCACert { get { return GetCertificate ("pathLenConstraint1SelfIssuedCACert.crt"); } }
public X509Certificate2 PathLenConstraint1subCACert { get { return GetCertificate ("pathLenConstraint1subCACert.crt"); } }
public X509Certificate2 PathLenConstraint1SelfIssuedsubCACert { get { return GetCertificate ("pathLenConstraint1SelfIssuedsubCACert.crt"); } }
// PKITS 4.6, test 1: the intermediate is the CA certificate named for having
// no basicConstraints extension. It must not be accepted as an issuer: the
// build has to fail, and InvalidBasicConstraints must be reported on that
// intermediate only, not on the end entity or the trust anchor.
[Test]
public void T01_InvalidMissingBasicConstaints ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidMissingbasicConstraintsTest1EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> intermediate CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (MissingbasicConstraintsCACert, elements[1].Certificate, "MissingbasicConstraintsCACert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[1].ChainElementStatus, "MissingbasicConstraintsCACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[2].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 2: the intermediate is the certificate named for a critical
// basicConstraints extension with cA set to false. A certificate that is not
// a CA must not validate as an issuer, so the build fails and the
// intermediate alone carries InvalidBasicConstraints.
[Test]
public void T02_InvalidCAFalse ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidcAFalseTest2EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> intermediate CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (BasicConstraintsCriticalcAFalseCACert, elements[1].Certificate, "BasicConstraintsCriticalcAFalseCACert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[1].ChainElementStatus, "BasicConstraintsCriticalcAFalseCACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[2].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 3: same expectation as test 2, but the intermediate is the
// certificate named for a non-critical basicConstraints extension with cA set
// to false. The extension being non-critical must not make the validator
// skip it: the build still fails with InvalidBasicConstraints on the intermediate.
[Test]
public void T03_InvalidCAFalse ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidcAFalseTest3EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> intermediate CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (BasicConstraintsNotCriticalcAFalseCACert, elements[1].Certificate, "basicConstraintsNotCriticalcAFalseCACert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[1].ChainElementStatus, "basicConstraintsNotCriticalcAFalseCACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[2].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 4: positive counterpart of test 3. The intermediate is named
// for a non-critical basicConstraints extension (and, unlike test 3, is not
// named cAFalse); the path must build with NoError on every element.
[Test]
public void T04_ValidBasicConstraintsNotCritical ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidbasicConstraintsNotCriticalTest4EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsTrue (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.NoError, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> intermediate CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (BasicConstraintsNotCriticalCACert, elements[1].Certificate, "BasicConstraintsNotCriticalCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "BasicConstraintsNotCriticalCACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[2].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 5: a subordinate CA sits below the CA named
// "pathLenConstraint0". The build must fail, and InvalidBasicConstraints is
// expected on the constrained CA (element 2), not on the subordinate CA that
// exceeds the limit.
[Test]
public void T05_InvalidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidpathLenConstraintTest5EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> sub CA -> pathLen-constrained CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0subCACert, elements[1].Certificate, "PathLenConstraint0subCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint0subCACert.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[2].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[2].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[3].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 6: same CA path and same expectations as test 5, with a
// different end-entity certificate. InvalidBasicConstraints must again be
// reported on the CA named "pathLenConstraint0" (element 2).
[Test]
public void T06_InvalidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidpathLenConstraintTest6EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> sub CA -> pathLen-constrained CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0subCACert, elements[1].Certificate, "pathLenConstraint0subCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "pathLenConstraint0subCACert.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[2].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[2].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[3].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 7: the CA named "pathLenConstraint0" issues the end entity
// directly, with no CA below it, so the constraint is respected. The path
// must build with NoError on every element.
[Test]
public void T07_ValidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidpathLenConstraintTest7EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsTrue (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.NoError, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> pathLen-constrained CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[1].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[2].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 8: same CA path and expectations as test 7, with a
// different end-entity certificate. The path must build with NoError on
// every element.
[Test]
public void T08_ValidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidpathLenConstraintTest8EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsTrue (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.NoError, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> pathLen-constrained CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[1].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[2].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 9: path through the "pathLenConstraint6" hierarchy in which
// the violated constraint belongs to a subordinate CA, not to the top CA.
// The build must fail with InvalidBasicConstraints on
// PathLenConstraint6subCA0Cert (element 2) only.
[Test]
public void T09_InvalidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidpathLenConstraintTest9EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subsubCA00 -> subCA0 -> pathLen6 CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint6subsubCA00Cert, elements[1].Certificate, "PathLenConstraint6subsubCA00Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint6subsubCA00Cert.Status");
	Assert.AreEqual (PathLenConstraint6subCA0Cert, elements[2].Certificate, "PathLenConstraint6subCA0Cert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[2].ChainElementStatus, "PathLenConstraint6subCA0Cert.Status");
	Assert.AreEqual (PathLenConstraint6CACert, elements[3].Certificate, "PathLenConstraint6CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "PathLenConstraint6CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[4].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 10: same CA path and expectations as test 9, with a
// different end-entity certificate. InvalidBasicConstraints must be reported
// on PathLenConstraint6subCA0Cert (element 2) only.
[Test]
public void T10_InvalidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidpathLenConstraintTest10EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subsubCA00 -> subCA0 -> pathLen6 CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint6subsubCA00Cert, elements[1].Certificate, "PathLenConstraint6subsubCA00Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint6subsubCA00Cert.Status");
	Assert.AreEqual (PathLenConstraint6subCA0Cert, elements[2].Certificate, "PathLenConstraint6subCA0Cert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[2].ChainElementStatus, "PathLenConstraint6subCA0Cert.Status");
	Assert.AreEqual (PathLenConstraint6CACert, elements[3].Certificate, "PathLenConstraint6CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "PathLenConstraint6CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[4].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 11: a deeper path through the "pathLenConstraint6" hierarchy.
// The build must fail with InvalidBasicConstraints on
// PathLenConstraint6subCA1Cert (element 3), the CA whose limit is exceeded by
// the two CA certificates below it; every other element must report NoError.
[Test]
public void T11_InvalidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidpathLenConstraintTest11EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subsubsubCA11X -> subsubCA11 -> subCA1 -> pathLen6 CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint6subsubsubCA11XCert, elements[1].Certificate, "PathLenConstraint6subsubsubCA11XCert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint6subsubsubCA11XCert.Status");
	Assert.AreEqual (PathLenConstraint6subsubCA11Cert, elements[2].Certificate, "PathLenConstraint6subsubCA11Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint6subsubCA11Cert.Status");
	Assert.AreEqual (PathLenConstraint6subCA1Cert, elements[3].Certificate, "PathLenConstraint6subCA1Cert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[3].ChainElementStatus, "PathLenConstraint6subCA1Cert.Status");
	Assert.AreEqual (PathLenConstraint6CACert, elements[4].Certificate, "PathLenConstraint6CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "PathLenConstraint6CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[5].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[5].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 12: same CA path and expectations as test 11, with a
// different end-entity certificate. InvalidBasicConstraints must be reported
// on PathLenConstraint6subCA1Cert (element 3) only.
[Test]
public void T12_InvalidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidpathLenConstraintTest12EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subsubsubCA11X -> subsubCA11 -> subCA1 -> pathLen6 CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint6subsubsubCA11XCert, elements[1].Certificate, "PathLenConstraint6subsubsubCA11XCert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint6subsubsubCA11XCert.Status");
	Assert.AreEqual (PathLenConstraint6subsubCA11Cert, elements[2].Certificate, "PathLenConstraint6subsubCA11Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint6subsubCA11Cert.Status");
	Assert.AreEqual (PathLenConstraint6subCA1Cert, elements[3].Certificate, "PathLenConstraint6subCA1Cert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[3].ChainElementStatus, "PathLenConstraint6subCA1Cert.Status");
	Assert.AreEqual (PathLenConstraint6CACert, elements[4].Certificate, "PathLenConstraint6CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "PathLenConstraint6CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[5].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[5].ChainElementStatus, "TrustAnchorRoot.Status");
}
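// PKITS 4.6, test 13: a path of the same depth as tests 11 and 12, but through
// the subCA4 / subsubCA41 / subsubsubCA41X branch of the "pathLenConstraint6"
// hierarchy. The path must build with NoError on every element.
[Test]
public void T13_ValidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidpathLenConstraintTest13EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsTrue (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.NoError, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subsubsubCA41X -> subsubCA41 -> subCA4 -> pathLen6 CA -> trust anchor.
	// The assertion labels name the certificate actually compared (the CA4x
	// branch), so a failure report points at the right element instead of at
	// the CA1x branch used by tests 11 and 12.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint6subsubsubCA41XCert, elements[1].Certificate, "PathLenConstraint6subsubsubCA41XCert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint6subsubsubCA41XCert.Status");
	Assert.AreEqual (PathLenConstraint6subsubCA41Cert, elements[2].Certificate, "PathLenConstraint6subsubCA41Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint6subsubCA41Cert.Status");
	Assert.AreEqual (PathLenConstraint6subCA4Cert, elements[3].Certificate, "PathLenConstraint6subCA4Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "PathLenConstraint6subCA4Cert.Status");
	Assert.AreEqual (PathLenConstraint6CACert, elements[4].Certificate, "PathLenConstraint6CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "PathLenConstraint6CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[5].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[5].ChainElementStatus, "TrustAnchorRoot.Status");
}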
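// PKITS 4.6, test 14: same CA path and expectations as test 13, with a
// different end-entity certificate. The path must build with NoError on
// every element.
[Test]
public void T14_ValidPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidpathLenConstraintTest14EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsTrue (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.NoError, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subsubsubCA41X -> subsubCA41 -> subCA4 -> pathLen6 CA -> trust anchor.
	// The assertion labels name the certificate actually compared (the CA4x
	// branch), so a failure report points at the right element instead of at
	// the CA1x branch used by tests 11 and 12.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint6subsubsubCA41XCert, elements[1].Certificate, "PathLenConstraint6subsubsubCA41XCert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint6subsubsubCA41XCert.Status");
	Assert.AreEqual (PathLenConstraint6subsubCA41Cert, elements[2].Certificate, "PathLenConstraint6subsubCA41Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint6subsubCA41Cert.Status");
	Assert.AreEqual (PathLenConstraint6subCA4Cert, elements[3].Certificate, "PathLenConstraint6subCA4Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "PathLenConstraint6subCA4Cert.Status");
	Assert.AreEqual (PathLenConstraint6CACert, elements[4].Certificate, "PathLenConstraint6CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "PathLenConstraint6CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[5].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[5].ChainElementStatus, "TrustAnchorRoot.Status");
}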
// PKITS 4.6, test 15 (RFC 3280 expectation, excluded on .NET): a self-issued
// CA certificate sits below the CA named "pathLenConstraint0". RFC 3280 path
// validation does not count self-issued certificates against
// pathLenConstraint, so the path must build with NoError on every element.
[Test]
[Category ("NotDotNet")] // test case is RFC3280 compliant
public void T15_ValidSelfIssuedPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidSelfIssuedpathLenConstraintTest15EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsTrue (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.NoError, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> self-issued CA -> pathLen-constrained CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0SelfIssuedCACert, elements[1].Certificate, "PathLenConstraint0SelfIssuedCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint0SelfIssuedCACert.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[2].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[3].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "TrustAnchorRoot.Status");

	// Second build on the same chain object with the relaxed flag of the _MS
	// variant. IgnoreEndRevocationUnknown only tolerates an unknown revocation
	// status for the end certificate; the first build already succeeded
	// without it, so this only checks that the result stays valid.
	path.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown;
	Assert.IsTrue (path.Build (endEntity), "Build-Bug");
}
// PKITS 4.6, test 15 as the .NET implementation behaves: the same path is
// rejected, but with RevocationStatusUnknown rather than
// InvalidBasicConstraints. Marked NotWorking because Mono follows RFC 3280
// here (see T15_ValidSelfIssuedPathLenConstraint).
[Test]
[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
public void T15_ValidSelfIssuedPathLenConstraint_MS ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidSelfIssuedpathLenConstraintTest15EE.crt");
	X509Chain path = new X509Chain ();

	// MS-BAD / this IS valid wrt RFC3280
	// The problem seems that the Self Issued CA certificates
	// from the test suite don't have any, even empty, CRL
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> self-issued CA -> pathLen-constrained CA -> trust anchor.
	// Only the end entity is flagged, and only for revocation.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0SelfIssuedCACert, elements[1].Certificate, "PathLenConstraint0SelfIssuedCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint0SelfIssuedCACert.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[2].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[3].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "TrustAnchorRoot.Status");

	// Diagnostic step: with the end certificate's unknown revocation status
	// tolerated, the same path builds. That shows the rejection above came
	// from revocation checking and not from basic constraints. The flag
	// weakens revocation checking and is set here only to isolate the cause.
	path.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown;
	Assert.IsTrue (path.Build (endEntity), "Build-Bug");
}
// PKITS 4.6, test 16 (RFC 3280 expectation, excluded on .NET): a subordinate CA
// is placed below the self-issued CA certificate. The self-issued certificate
// is not counted against pathLenConstraint, but the subordinate CA is, so the
// build must fail with InvalidBasicConstraints on the CA named
// "pathLenConstraint0" (element 3) only.
[Test]
[Category ("NotDotNet")] // test case is RFC3280 compliant
public void T16_InvalidSelfIssuedPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidSelfIssuedpathLenConstraintTest16EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subCA2 -> self-issued CA -> pathLen-constrained CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0subCA2Cert, elements[1].Certificate, "pathLenConstraint0subCA2Cert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "pathLenConstraint0subCA2Cert.Status");
	Assert.AreEqual (PathLenConstraint0SelfIssuedCACert, elements[2].Certificate, "PathLenConstraint0SelfIssuedCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint0SelfIssuedCACert.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[3].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[3].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[4].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 16 as the .NET implementation behaves: the path is rejected
// for the basic-constraints violation and, in addition, for an unknown
// revocation status on the certificate issued by the self-issued CA. Marked
// NotWorking because Mono follows RFC 3280 here.
[Test]
[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
public void T16_InvalidSelfIssuedPathLenConstraint_MS ()
{
	X509Certificate2 endEntity = GetCertificate ("InvalidSelfIssuedpathLenConstraintTest16EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsFalse (path.Build (endEntity), "Build");
	// note again the RevocationStatusUnknown because of the CRL-less self-issued CA
	CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.InvalidBasicConstraints, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> subCA2 -> self-issued CA -> pathLen-constrained CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint0subCA2Cert, elements[1].Certificate, "pathLenConstraint0subCA2Cert");
	CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, elements[1].ChainElementStatus, "pathLenConstraint0subCA2Cert.Status");
	Assert.AreEqual (PathLenConstraint0SelfIssuedCACert, elements[2].Certificate, "PathLenConstraint0SelfIssuedCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint0SelfIssuedCACert.Status");
	Assert.AreEqual (PathLenConstraint0CACert, elements[3].Certificate, "PathLenConstraint0CACert");
	CheckChainStatus (X509ChainStatusFlags.InvalidBasicConstraints, elements[3].ChainElementStatus, "PathLenConstraint0CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[4].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 17 (RFC 3280 expectation, excluded on .NET): the path under
// the CA named "pathLenConstraint1" holds one subordinate CA and two
// self-issued CA certificates. Self-issued certificates are not counted
// against pathLenConstraint, so the path must build with NoError on every element.
[Test]
[Category ("NotDotNet")] // test case is RFC3280 compliant
public void T17_ValidSelfIssuedPathLenConstraint ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidSelfIssuedpathLenConstraintTest17EE.crt");
	X509Chain path = new X509Chain ();
	Assert.IsTrue (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.NoError, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> self-issued sub CA -> sub CA -> self-issued CA -> pathLen1 CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint1SelfIssuedsubCACert, elements[1].Certificate, "PathLenConstraint1SelfIssuedsubCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint1SelfIssuedsubCACert.Status");
	Assert.AreEqual (PathLenConstraint1subCACert, elements[2].Certificate, "PathLenConstraint1subCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[2].ChainElementStatus, "PathLenConstraint1subCACert.Status");
	Assert.AreEqual (PathLenConstraint1SelfIssuedCACert, elements[3].Certificate, "PathLenConstraint1SelfIssuedCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "PathLenConstraint1SelfIssuedCACert.Status");
	Assert.AreEqual (PathLenConstraint1CACert, elements[4].Certificate, "PathLenConstraint1CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "PathLenConstraint1CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[5].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[5].ChainElementStatus, "TrustAnchorRoot.Status");
}
// PKITS 4.6, test 17 as the .NET implementation behaves: the path is rejected
// with RevocationStatusUnknown on the two certificates issued by self-issued
// CA certificates (elements 0 and 2). No basic-constraints error is expected.
// Marked NotWorking because Mono follows RFC 3280 here.
[Test]
[Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
public void T17_ValidSelfIssuedPathLenConstraint_MS ()
{
	X509Certificate2 endEntity = GetCertificate ("ValidSelfIssuedpathLenConstraintTest17EE.crt");
	X509Chain path = new X509Chain ();

	// MS-BAD / this IS valid wrt RFC3280
	// The problem seems that the Self Issued CA certificates
	// from the test suite don't have any, even empty, CRL
	Assert.IsFalse (path.Build (endEntity), "Build");
	CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, path.ChainStatus, "ChainStatus");

	// Expected path: end entity -> self-issued sub CA -> sub CA -> self-issued CA -> pathLen1 CA -> trust anchor.
	X509ChainElementCollection elements = path.ChainElements;
	Assert.AreEqual (endEntity, elements[0].Certificate, "EndEntity");
	CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, elements[0].ChainElementStatus, "EndEntity.Status");
	Assert.AreEqual (PathLenConstraint1SelfIssuedsubCACert, elements[1].Certificate, "PathLenConstraint1SelfIssuedsubCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[1].ChainElementStatus, "PathLenConstraint1SelfIssuedsubCACert.Status");
	Assert.AreEqual (PathLenConstraint1subCACert, elements[2].Certificate, "PathLenConstraint1subCACert");
	CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, elements[2].ChainElementStatus, "PathLenConstraint1subCACert.Status");
	Assert.AreEqual (PathLenConstraint1SelfIssuedCACert, elements[3].Certificate, "PathLenConstraint1SelfIssuedCACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[3].ChainElementStatus, "PathLenConstraint1SelfIssuedCACert.Status");
	Assert.AreEqual (PathLenConstraint1CACert, elements[4].Certificate, "PathLenConstraint1CACert");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[4].ChainElementStatus, "PathLenConstraint1CACert.Status");
	Assert.AreEqual (TrustAnchorRoot, elements[5].Certificate, "TrustAnchorRoot");
	CheckChainStatus (X509ChainStatusFlags.NoError, elements[5].ChainElementStatus, "TrustAnchorRoot.Status");
}