Initial RFC 5280 test cases

.github/workflows/test-harness.yml

@@ -0,0 +1,20 @@
+name: test-harness
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test-gocryptox509:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ">=1.20.5"
+
+      - name: run tests
+        run: make test-go

Makefile

@@ -61,3 +61,7 @@ limbo.json: $(NEEDS_VENV)
 .PHONY: testcases
 testcases: $(NEEDS_VENV)
 	$(MAKE) run ARGS="compile --testcases testcases/ --force"
+
+.PHONY: test-go
+test-go:
+	$(MAKE) -C harness/gocryptox509 run

harness/gocryptox509/Makefile

@@ -0,0 +1,10 @@
+.PHONY: all
+all:
+	@echo "Run my targets individually!"
+
+.PHONY: run
+run:
+	go run .
+
+schema.go: ../../limbo-schema.json
+	go generate

harness/gocryptox509/go.mod

@@ -0,0 +1,8 @@
+module github.com/x509-limbo/harness/gocryptox509
+
+go 1.20
+
+require (
+	github.com/davecgh/go-spew v1.1.1
+	github.com/pkg/errors v0.9.1
+)

harness/gocryptox509/go.sum

@@ -0,0 +1,4 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

harness/gocryptox509/main.go

@@ -0,0 +1,116 @@
+package main
+
+//go:generate go run github.com/atombender/go-jsonschema/cmd/gojsonschema@latest -v -p main -o schema.go ../../limbo-schema.json
+
+import (
+	"bytes"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"time"
+
+	"github.com/davecgh/go-spew/spew"
+	"github.com/pkg/errors"
+)
+
+func main() {
+	testCasePath := flag.String("testcases", "../../limbo.json", "testcases")
+	flag.Parse()
+
+	testcases, err := loadTestcases(*testCasePath)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("Loaded testcases from %s\n", *testCasePath)
+
+	var success, fail int
+	for _, tc := range testcases.Testcases {
+		fmt.Printf("test id=%s ... ", tc.Id)
+		if err := evaluateTestcase(tc); err != nil {
+			fmt.Printf("fail\n\n%+#v\n\nTest description:\n\n%s\n", err, tc.Description)
+			fail++
+		} else {
+			fmt.Printf("ok\n")
+			success++
+		}
+	}
+
+	fmt.Printf("done! succeeded/failed/total %d/%d/%d.\n", success, fail, len(testcases.Testcases))
+	if fail > 0 {
+		os.Exit(1)
+	}
+}
+
+func loadTestcases(path string) (testcases LimboSchemaJson, err error) {
+	contents, err := ioutil.ReadFile(path)
+	if err != nil {
+		return
+	}
+
+	err = json.Unmarshal(contents, &testcases)
+	return
+}
+
+func concatPEMCerts(certs []string) []byte {
+	var buf bytes.Buffer
+	for _, cert := range certs {
+		buf.WriteString(cert)
+	}
+	return buf.Bytes()
+}
+
+const (
+	validationKindClient = "CLIENT"
+	validationKindServer = "SERVER"
+
+	resultSuccess = "SUCCESS"
+	resultFailure = "FAILURE"
+)
+
+func evaluateTestcase(testcase Testcase) error {
+	_ = spew.Dump
+	ts := time.Now()
+	expectSuccess := testcase.ExpectedResult == resultSuccess
+
+	switch testcase.ValidationKind {
+	case validationKindClient:
+		roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
+		roots.AppendCertsFromPEM(concatPEMCerts(testcase.TrustedCerts))
+		intermediates.AppendCertsFromPEM(concatPEMCerts(testcase.UntrustedIntermediates))
+
+		peerAsPEM, rest := pem.Decode([]byte(testcase.PeerCertificate))
+		if peerAsPEM == nil || peerAsPEM.Type != "CERTIFICATE" {
+			return fmt.Errorf("unexpected data, expected cert: %+#v", *peerAsPEM)
+		} else if len(rest) > 0 {
+			return fmt.Errorf("peer certificate has %d trailing bytes", len(rest))
+		}
+
+		peer, err := x509.ParseCertificate(peerAsPEM.Bytes)
+		if err != nil {
+			return errors.Wrap(err, "unable to parse ASN1 certificate from PEM")
+		}
+
+		opts := x509.VerifyOptions{
+			Intermediates: intermediates,
+			Roots:         roots,
+			CurrentTime:   ts,
+			KeyUsages:     nil,
+		}
+		chain, err := peer.Verify(opts)
+		_ = chain
+
+		if err != nil && expectSuccess {
+			return errors.Wrap(err, "validation failed when success was expected")
+		} else if err == nil && !expectSuccess {
+			return fmt.Errorf("validation succeeded when failure was expected")
+		}
+	case validationKindServer:
+		return fmt.Errorf("unimplemented validationKindServer")
+	}
+
+	return nil
+}