2 // Pkits_4_07_KeyUsage.cs -
3 // NUnit tests for Pkits 4.7 : Key Usage
6 // Sebastien Pouliot <sebastien@ximian.com>
8 // Copyright (C) 2006 Novell, Inc (http://www.novell.com)
10 // Permission is hereby granted, free of charge, to any person obtaining
11 // a copy of this software and associated documentation files (the
12 // "Software"), to deal in the Software without restriction, including
13 // without limitation the rights to use, copy, modify, merge, publish,
14 // distribute, sublicense, and/or sell copies of the Software, and to
15 // permit persons to whom the Software is furnished to do so, subject to
16 // the following conditions:
18 // The above copyright notice and this permission notice shall be
19 // included in all copies or substantial portions of the Software.
21 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
22 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
23 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
24 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
25 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
26 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
27 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
31 using NUnit.Framework;
34 using System.Security.Cryptography.X509Certificates;
36 namespace MonoTests.System.Security.Cryptography.X509Certificates {
41 * [MS/XP][!RFC3280] keyUsage for cRLsign isn't checked
43 * See PkitsTest.cs for more details
48 public class Pkits_4_07_KeyUsage: PkitsTest {
50 public X509Certificate2 KeyUsageCriticalkeyCertSignFalseCACert {
51 get { return GetCertificate ("keyUsageCriticalkeyCertSignFalseCACert.crt"); }
54 public X509Certificate2 KeyUsageNotCriticalkeyCertSignFalseCACert {
55 get { return GetCertificate ("keyUsageNotCriticalkeyCertSignFalseCACert.crt"); }
58 public X509Certificate2 KeyUsageNotCriticalCACert {
59 get { return GetCertificate ("keyUsageNotCriticalCACert.crt"); }
62 public X509Certificate2 KeyUsageCriticalcRLSignFalseCACert {
63 get { return GetCertificate ("keyUsageCriticalcRLSignFalseCACert.crt"); }
66 public X509Certificate2 KeyUsageNotCriticalcRLSignFalseCACert {
67 get { return GetCertificate ("keyUsageNotCriticalcRLSignFalseCACert.crt"); }
71 public void T1_InvalidKeyUsageCriticalKeyCertSignFalse ()
73 X509Certificate2 ee = GetCertificate ("InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt");
74 X509Chain chain = new X509Chain ();
75 Assert.IsFalse (chain.Build (ee), "Build");
76 CheckChainStatus (X509ChainStatusFlags.NotValidForUsage, chain.ChainStatus, "ChainStatus");
77 Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
78 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
79 // INFO: keyUsage only has CrlSign (no KeyCertSign)
80 // INFO: it's critical too but that doesn't change anything
81 Assert.AreEqual (KeyUsageCriticalkeyCertSignFalseCACert, chain.ChainElements[1].Certificate, "KeyUsageCriticalkeyCertSignFalseCACert");
82 CheckChainStatus (X509ChainStatusFlags.NotValidForUsage, chain.ChainElements[1].ChainElementStatus, "KeyUsageCriticalkeyCertSignFalseCACert.Status");
83 Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
84 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
88 public void T2_InvalidKeyUsageNotCriticalKeyCertSignFalse ()
90 X509Certificate2 ee = GetCertificate ("InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt");
91 X509Chain chain = new X509Chain ();
92 Assert.IsFalse (chain.Build (ee), "Build");
93 CheckChainStatus (X509ChainStatusFlags.NotValidForUsage, chain.ChainStatus, "ChainStatus");
94 Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
95 // INFO: keyUsage only has CrlSign (no KeyCertSign)
96 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
97 Assert.AreEqual (KeyUsageNotCriticalkeyCertSignFalseCACert, chain.ChainElements[1].Certificate, "KeyUsageNotCriticalkeyCertSignFalseCACert");
98 CheckChainStatus (X509ChainStatusFlags.NotValidForUsage, chain.ChainElements[1].ChainElementStatus, "KeyUsageNotCriticalkeyCertSignFalseCACert.Status");
99 Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
100 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
104 public void T3_ValidKeyUsageNotCritical ()
106 X509Certificate2 ee = GetCertificate ("ValidkeyUsageNotCriticalTest3EE.crt");
107 X509Chain chain = new X509Chain ();
108 Assert.IsTrue (chain.Build (ee), "Build");
109 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
110 Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
111 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
112 Assert.AreEqual (KeyUsageNotCriticalCACert, chain.ChainElements[1].Certificate, "KeyUsageNotCriticalCACert");
113 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "KeyUsageNotCriticalCACert.Status");
114 Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
115 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
119 [Category ("NotDotNet")] // test case is RFC3280 compliant
120 public void T4_InvalidKeyUsageCriticalCRLSignFalse ()
122 X509Certificate2 ee = GetCertificate ("InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt");
123 X509Chain chain = new X509Chain ();
124 // INFO: keyUsage doesn't allow CRL signature verification
125 Assert.IsFalse (chain.Build (ee), "Build");
126 CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
127 Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
128 CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
129 Assert.AreEqual (KeyUsageCriticalcRLSignFalseCACert, chain.ChainElements[1].Certificate, "KeyUsageCriticalcRLSignFalseCACert");
130 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "KeyUsageCriticalcRLSignFalseCACert.Status");
131 Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
132 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
136 [Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
137 public void T4_InvalidKeyUsageCriticalCRLSignFalse_MS ()
139 X509Certificate2 ee = GetCertificate ("InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt");
140 X509Chain chain = new X509Chain ();
142 // MS-BAD / this is NOT valid wrt RFC3280
143 // keyUsage doesn't allow CRL signature verification
145 Assert.IsTrue (chain.Build (ee), "Build");
146 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
147 Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
148 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
149 Assert.AreEqual (KeyUsageCriticalcRLSignFalseCACert, chain.ChainElements[1].Certificate, "KeyUsageCriticalcRLSignFalseCACert");
150 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "KeyUsageCriticalcRLSignFalseCACert.Status");
151 Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
152 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
156 [Category ("NotDotNet")] // test case is RFC3280 compliant
157 public void T5_InvalidKeyUsageNotCriticalCRLSignFalse ()
159 X509Certificate2 ee = GetCertificate ("InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt");
160 X509Chain chain = new X509Chain ();
161 // INFO: keyUsage doesn't allow CRL signature verification
162 Assert.IsFalse (chain.Build (ee), "Build");
163 CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainStatus, "ChainStatus");
164 Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
165 CheckChainStatus (X509ChainStatusFlags.RevocationStatusUnknown, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
166 Assert.AreEqual (KeyUsageNotCriticalcRLSignFalseCACert, chain.ChainElements[1].Certificate, "KeyUsageNotCriticalcRLSignFalseCACert");
167 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "KeyUsageNotCriticalcRLSignFalseCACert.Status");
168 Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
169 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");
173 [Category ("NotWorking")] // WONTFIX - this isn't RFC3280 compliant
174 public void T5_InvalidKeyUsageNotCriticalCRLSignFalse_MS ()
176 X509Certificate2 ee = GetCertificate ("InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt");
177 X509Chain chain = new X509Chain ();
179 // MS-BAD / this is NOT valid wrt RFC3280
180 // keyUsage doesn't allow CRL signature verification
182 Assert.IsTrue (chain.Build (ee), "Build");
183 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainStatus, "ChainStatus");
184 Assert.AreEqual (ee, chain.ChainElements[0].Certificate, "EndEntity");
185 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[0].ChainElementStatus, "EndEntity.Status");
186 Assert.AreEqual (KeyUsageNotCriticalcRLSignFalseCACert, chain.ChainElements[1].Certificate, "KeyUsageNotCriticalcRLSignFalseCACert");
187 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[1].ChainElementStatus, "KeyUsageNotCriticalcRLSignFalseCACert.Status");
188 Assert.AreEqual (TrustAnchorRoot, chain.ChainElements[2].Certificate, "TrustAnchorRoot");
189 CheckChainStatus (X509ChainStatusFlags.NoError, chain.ChainElements[2].ChainElementStatus, "TrustAnchorRoot.Status");