diff --git a/src/keytypes/asymmetric.rs b/src/keytypes/asymmetric.rs
index ab6dc70..5c33d18 100644
--- a/src/keytypes/asymmetric.rs
+++ b/src/keytypes/asymmetric.rs
@@ -120,7 +120,7 @@ impl RestrictableKeyType for Asymmetric {
 
 #[cfg(test)]
 mod tests {
-    use crate::keytypes::{AsymmetricRestriction, User};
+    use crate::keytypes::{Asymmetric, AsymmetricRestriction, User};
     use crate::tests::utils;
     use crate::KeyRestriction;
 
@@ -179,4 +179,67 @@ mod tests {
             assert_eq!(restriction.restriction(), expected.as_ref());
         }
     }
+
+    #[test]
+    fn test_restrict_keyring_chain() {
+        let mut keyring = utils::new_test_keyring();
+
+        // Create and populate a keyring for root certificates.
+        let mut root = keyring.add_keyring("root-certs").unwrap();
+        let root1_certificate = &include_bytes!("data/ca/ca-1.root.crt.der")[..];
+        let root2_certificate = &include_bytes!("data/ca/ca-2.root.crt.der")[..];
+        root.add_key::("root1", root1_certificate)
+            .unwrap();
+        root.add_key::("root1", root2_certificate)
+            .unwrap();
+
+        // Create a keyring to restrict.
+        let mut chain = keyring.add_keyring("chain").unwrap();
+        let restriction = AsymmetricRestriction::Keyring {
+            keyring: root,
+            chained: true,
+        };
+        chain
+            .restrict_by_type::(restriction)
+            .unwrap();
+
+        // Add certificates in order.
+        let intermediate_a = &include_bytes!("data/ca/ca.intermediate.crt.der")[..];
+        chain
+            .add_key::("intermediate_a", intermediate_a)
+            .unwrap();
+        let intermediate_b = &include_bytes!("data/ca/intermediate.term.crt.der")[..];
+        chain
+            .add_key::("intermediate_b", intermediate_b)
+            .unwrap();
+        let terminal = &include_bytes!("data/ca/ca-1.term.crt.der")[..];
+        chain
+            .add_key::("terminal", terminal)
+            .unwrap();
+    }
+
+    #[test]
+    fn test_restrict_keyring_fail() {
+        let mut keyring = utils::new_test_keyring();
+
+        // Create and populate a keyring for root certificates.
+        let root = keyring.add_keyring("root-certs").unwrap();
+
+        // Create a keyring to restrict.
+        let mut chain = keyring.add_keyring("chain").unwrap();
+        let restriction = AsymmetricRestriction::Keyring {
+            keyring: root,
+            chained: true,
+        };
+        chain
+            .restrict_by_type::(restriction)
+            .unwrap();
+
+        // Add certificates in order.
+        let terminal = &include_bytes!("data/ca/self.term.crt.der")[..];
+        let err = chain
+            .add_key::("self", terminal)
+            .unwrap_err();
+        assert_eq!(err, errno::Errno(libc::EINVAL));
+    }
 }
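Review bot: In `test_restrict_keyring_chain` both root certificates are added under the description `"root1"`, so the second `root.add_key(...)` does not give the keyring a second root: add_key(2) either updates the existing key of that type and description or displaces its link, leaving `root` holding a single certificate and the fixture covering less than the two `include_bytes!` lines suggest. The second call's description should be `"root2"`. The test also exercises only the happy path; since `chained: true` exists to validate each certificate against what is already linked, a companion assertion that adding `terminal` before `intermediate_b` returns an error would pin the behaviour the test is named for. The type arguments of `add_key::` and `restrict_by_type::` appear to have been stripped from the extracted hunk text; presumably they name `Asymmetric`, which the first hunk newly imports.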
diff --git a/src/keytypes/data/ca/ca-1.root.crt.der b/src/keytypes/data/ca/ca-1.root.crt.der
new file mode 100644
index 0000000..6150a0a
Binary files /dev/null and b/src/keytypes/data/ca/ca-1.root.crt.der differ
diff --git a/src/keytypes/data/ca/ca-1.term.crt.der b/src/keytypes/data/ca/ca-1.term.crt.der
new file mode 100644
index 0000000..31f25ef
Binary files /dev/null and b/src/keytypes/data/ca/ca-1.term.crt.der differ
diff --git a/src/keytypes/data/ca/ca-2.root.crt.der b/src/keytypes/data/ca/ca-2.root.crt.der
new file mode 100644
index 0000000..ae1557d
Binary files /dev/null and b/src/keytypes/data/ca/ca-2.root.crt.der differ
diff --git a/src/keytypes/data/ca/ca.intermediate.crt.der b/src/keytypes/data/ca/ca.intermediate.crt.der
new file mode 100644
index 0000000..a191cc8
Binary files /dev/null and b/src/keytypes/data/ca/ca.intermediate.crt.der differ
diff --git a/src/keytypes/data/ca/intermediate.term.crt.der b/src/keytypes/data/ca/intermediate.term.crt.der
new file mode 100644
index 0000000..5e19b2e
Binary files /dev/null and b/src/keytypes/data/ca/intermediate.term.crt.der differ
diff --git a/src/keytypes/data/ca/self.term.crt.der b/src/keytypes/data/ca/self.term.crt.der
new file mode 100644
index 0000000..3c1c96b
Binary files /dev/null and b/src/keytypes/data/ca/self.term.crt.der differ