!120 证书状态校验支持OCSP和CRL两种方式，支持在线获取CRL列表&证书链校验支持常用的校验策略和校验KeyUsage

Merge pull request !120 from hhhFun/req_cert_verify

BUILD.gn

@@ -31,6 +31,7 @@ group("certificate_framework_fuzztest") {
     deps += [
       "test/fuzztest/cfcreate_fuzzer:fuzztest",
       "test/fuzztest/cfgetandcheck_fuzzer:fuzztest",
+      "test/fuzztest/v1.0/x509certchain_fuzzer:fuzztest",
       "test/fuzztest/v1.0/x509certificate_fuzzer:fuzztest",
       "test/fuzztest/v1.0/x509crl_fuzzer:fuzztest",
     ]

frameworks/adapter/v1.0/BUILD.gn

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Copyright (c) 2023-2024 Huawei Device Co., Ltd.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -54,5 +54,6 @@ ohos_static_library("certificate_openssl_plugin_lib") {
     "crypto_framework:crypto_framework_lib",
     "hilog:libhilog",
     "openssl:libcrypto_shared",
+    "openssl:libssl_shared",
   ]
 }

frameworks/adapter/v1.0/inc/certificate_openssl_common.h

@@ -51,6 +51,11 @@ char *Asn1TimeToStr(const ASN1_GENERALIZEDTIME *time);
 bool CfArrayContains(const CfArray *self, const CfArray *sub);
 CfResult DeepCopyDataToOut(const char *data, uint32_t len, CfBlob *out);
 void SubAltNameArrayDataClearAndFree(SubAltNameArray *array);
+bool CheckIsSelfSigned(const X509 *cert);
+bool CheckIsLeafCert(X509 *cert);
+CfResult IsOrderCertChain(STACK_OF(X509) * certsChain, bool *isOrder);
+CfResult CheckSelfPubkey(X509 *cert, const EVP_PKEY *pubKey);
+X509 *FindCertificateBySubject(STACK_OF(X509) * certs, X509_NAME *subjectName);
 #ifdef __cplusplus
 }
 #endif

frameworks/adapter/v1.0/src/certificate_openssl_common.c

@@ -15,6 +15,8 @@
 
 #include "certificate_openssl_common.h"
 
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
 #include <securec.h>
 #include <string.h>
 
@@ -23,8 +25,6 @@
 #include "cf_result.h"
 #include "config.h"
 
-#include <openssl/err.h>
-
 #define TIME_MON_LEN 2
 #define TIME_HOUR_LEN 8
 #define TIME_MIN_LEN 10
@@ -332,4 +332,164 @@ CfResult DeepCopyDataToOut(const char *data, uint32_t len, CfBlob *out)
     (void)memcpy_s(out->data, len, data, len);
     out->size = len;
     return CF_SUCCESS;
+}
+
+bool CheckIsSelfSigned(const X509 *cert)
+{
+    bool ret = false;
+    X509_NAME *issuer = X509_get_issuer_name(cert);
+    if (issuer == NULL) {
+        LOGE("x509 get issuer name failed!");
+        CfPrintOpensslError();
+        return CF_ERR_CRYPTO_OPERATION;
+    }
+
+    X509_NAME *subject = X509_get_subject_name(cert);
+    if (subject == NULL) {
+        LOGE("x509 get subject name failed!");
+        CfPrintOpensslError();
+        return CF_ERR_CRYPTO_OPERATION;
+    }
+
+    ret = (X509_NAME_cmp(issuer, subject) == 0);
+    LOGI("CheckIsSelfSigned() ret: %d .", ret);
+    return ret;
+}
+
+bool CheckIsLeafCert(X509 *cert)
+{
+    if (cert == NULL) {
+        return false;
+    }
+
+    bool ret = true;
+    if (X509_check_ca(cert)) {
+        return false;
+    }
+
+    return ret;
+}
+
+CfResult IsOrderCertChain(STACK_OF(X509) * certsChain, bool *isOrder)
+{
+    int num = sk_X509_num(certsChain);
+    if (num == 1) {
+        LOGI("1 certs is order chain.");
+        return CF_SUCCESS;
+    }
+
+    X509 *cert = NULL;
+    X509 *certNext = NULL;
+    X509_NAME *issuerName = NULL;
+    X509_NAME *subjectName = NULL;
+    for (int i = num - 1; i > 0; --i) {
+        cert = sk_X509_value(certsChain, i);
+        if (cert == NULL) {
+            LOGE("sk X509 value is null, failed!");
+            CfPrintOpensslError();
+            return CF_ERR_CRYPTO_OPERATION;
+        }
+        certNext = sk_X509_value(certsChain, i - 1);
+        if (certNext == NULL) {
+            LOGE("sk X509 value is null, failed!");
+            CfPrintOpensslError();
+            return CF_ERR_CRYPTO_OPERATION;
+        }
+
+        subjectName = X509_get_subject_name(cert);
+        if (subjectName == NULL) {
+            LOGE("x509 get subject name failed!");
+            CfPrintOpensslError();
+            return CF_ERR_CRYPTO_OPERATION;
+        }
+        issuerName = X509_get_issuer_name(certNext);
+        if (issuerName == NULL) {
+            LOGE("x509 get subject name failed!");
+            CfPrintOpensslError();
+            return CF_ERR_CRYPTO_OPERATION;
+        }
+
+        if (X509_NAME_cmp(subjectName, issuerName) != 0) {
+            *isOrder = false;
+            LOGI("is a misOrder chain.");
+            break;
+        }
+    }
+
+    return CF_SUCCESS;
+}
+
+CfResult CheckSelfPubkey(X509 *cert, const EVP_PKEY *pubKey)
+{
+    EVP_PKEY *certPublicKey = X509_get_pubkey(cert);
+    if (certPublicKey == NULL) {
+        LOGE("get cert public key failed!");
+        CfPrintOpensslError();
+        return CF_ERR_CRYPTO_OPERATION;
+    }
+
+    int isMatch = EVP_PKEY_cmp(certPublicKey, pubKey);
+    if (isMatch != CF_OPENSSL_SUCCESS) {
+        LOGE("cmp cert public key failed!");
+        CfPrintOpensslError();
+        EVP_PKEY_free(certPublicKey);
+        return CF_ERR_CRYPTO_OPERATION;
+    }
+
+    EVP_PKEY_free(certPublicKey);
+    return CF_SUCCESS;
+}
+
+X509 *FindCertificateBySubject(STACK_OF(X509) * certs, X509_NAME *subjectName)
+{
+    X509_STORE_CTX *ctx = NULL;
+    X509 *cert = NULL;
+    X509_OBJECT *obj;
+
+    X509_STORE *store = X509_STORE_new();
+    if (store == NULL) {
+        return NULL;
+    }
+    for (int i = 0; i < sk_X509_num(certs); i++) {
+        cert = sk_X509_value(certs, i);
+        X509_STORE_add_cert(store, cert);
+    }
+
+    if (!(ctx = X509_STORE_CTX_new())) {
+        X509_STORE_free(store);
+        return NULL;
+    }
+    if (X509_STORE_CTX_init(ctx, store, NULL, NULL) != 1) {
+        X509_STORE_free(store);
+        X509_STORE_CTX_free(ctx);
+        return NULL;
+    }
+    obj = X509_STORE_CTX_get_obj_by_subject(ctx, X509_LU_X509, subjectName);
+    if (obj == NULL) {
+        X509_STORE_free(store);
+        X509_STORE_CTX_free(ctx);
+        return NULL;
+    }
+    cert = X509_OBJECT_get0_X509(obj);
+    X509_STORE_free(store);
+    X509_OBJECT_free(obj);
+    X509_STORE_CTX_free(ctx);
+
+    return cert;
+}
+
+void SubAltNameArrayDataClearAndFree(SubAltNameArray *array)
+{
+    if (array == NULL) {
+        LOGD("The input array is null, no need to free.");
+        return;
+    }
+    if (array->data != NULL) {
+        for (uint32_t i = 0; i < array->count; ++i) {
+            CF_FREE_BLOB(array->data[i].name);
+        }
+        CfFree(array->data);
+        array->data = NULL;
+        array->count = 0;
+    }
 }

frameworks/adapter/v1.0/src/x509_crl_openssl.c

@@ -15,7 +15,6 @@
 
 #include "x509_crl_openssl.h"
 
-#include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs7.h>

frameworks/common/v1.0/inc/utils.h

@@ -22,7 +22,6 @@
 #include "cf_blob.h"
 #include "cf_object_base.h"
 #include "object_base.h"
-#include "x509_cert_match_parameters.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -32,7 +31,8 @@ bool IsStrValid(const char *str, uint32_t maxLen);
 bool IsBlobValid(const CfBlob *blob);
 bool IsClassMatch(const CfObjectBase *obj, const char *className);
 bool IsPubKeyClassMatch(const HcfObjectBase *obj, const char *className);
-void SubAltNameArrayDataClearAndFree(SubAltNameArray *array);
+bool IsUrlValid(const char *url);
+bool IsHttp(const char *url);
 
 #ifdef __cplusplus
 }

frameworks/common/v1.0/src/utils.c

@@ -20,6 +20,10 @@
 #include "cf_log.h"
 #include "cf_memory.h"
 
+#define MIN_URL_LEN 5
+#define HTTP_URL_LEN 7
+#define HTTPS_URL_LEN 8
+
 bool IsStrValid(const char *str, uint32_t maxLen)
 {
     if (str == NULL) {
@@ -65,18 +69,49 @@ bool IsPubKeyClassMatch(const HcfObjectBase *obj, const char *className)
     }
 }
 
-void SubAltNameArrayDataClearAndFree(SubAltNameArray *array)
+bool IsUrlValid(const char *url)
 {
-    if (array == NULL) {
-        LOGD("The input array is null, no need to free.");
-        return;
+    if (url == NULL) {
+        return false;
     }
-    if (array->data != NULL) {
-        for (uint32_t i = 0; i < array->count; ++i) {
-            CF_FREE_BLOB(array->data[i].name);
+    if (strlen(url) < MIN_URL_LEN) {
+        return false;
+    }
+    if (strncmp(url, "http://", HTTP_URL_LEN) != 0 && strncmp(url, "https://", HTTPS_URL_LEN) != 0) {
+        return false;
+    }
+
+    int httpHeaderLen = (strncmp(url, "http://", HTTP_URL_LEN) == 0) ? HTTP_URL_LEN : HTTPS_URL_LEN;
+    const char *startDomain = url + httpHeaderLen;
+    const char *endDomain = startDomain;
+    while (*endDomain != '\0' && *endDomain != '/') {
+        endDomain++;
+    }
+    if (endDomain == startDomain) {
+        return false;
+    }
+
+    if (*endDomain == '\0') {
+        return true;
+    } else {
+        const char *startPath = endDomain;
+        while (*startPath == '/') {
+            startPath++;
         }
-        CfFree(array->data);
-        array->data = NULL;
-        array->count = 0;
+        if (*startPath == '\0') {
+            return false;
+        } else {
+            return true;
+        }
+    }
+    return false;
+}
+
+bool IsHttp(const char *url)
+{
+    if (url != NULL && strncmp(url, "http://", strlen("http://")) == 0) {
+        return true;
+    } else {
+        return false;
     }
 }

frameworks/js/napi/certificate/inc/napi_cert_defines.h

@@ -100,6 +100,16 @@ const std::string CERT_CHAIN_TRUSTANCHOR_TAG_CASUBJECT = "CASubject";
 const std::string CERT_CHAIN_VALIDATE_TAG_DATE = "date";
 const std::string CERT_CHAIN_VALIDATE_TAG_TRUSTANCHORS = "trustAnchors";
 const std::string CERT_CHAIN_VALIDATE_TAG_CERTCRLS = "certCRLs";
+const std::string CERT_CHAIN_VALIDATE_TAG_REVOCATIONCHECKPARAM = "revocationCheckParam";
+const std::string CERT_CHAIN_VALIDATE_TAG_OCSP_REQ_EXTENSION = "ocspRequestExtension";
+const std::string CERT_CHAIN_VALIDATE_TAG_OCSP_RESP_URI = "ocspResponderURI";
+const std::string CERT_CHAIN_VALIDATE_TAG_OCSP_RESP_CERT = "ocspResponderCert";
+const std::string CERT_CHAIN_VALIDATE_TAG_OCSP_RESPS = "ocspResponses";
+const std::string CERT_CHAIN_VALIDATE_TAG_CRL_DOWNLOAD_URI = "crlDownloadURI";
+const std::string CERT_CHAIN_VALIDATE_TAG_OPTIONS = "options";
+const std::string CERT_CHAIN_VALIDATE_TAG_POLICY = "policy";
+const std::string CERT_CHAIN_VALIDATE_TAG_SSLHOSTNAME = "sslHostname";
+const std::string CERT_CHAIN_VALIDATE_TAG_KEYUSAGE = "keyUsage";
 // CertChainValidateResult
 const std::string CERT_CHAIN_VALIDATE_RESULLT_TAG_TRUSTANCHOR = "trustAnchor";
 const std::string CERT_CHAIN_VALIDATE_RESULLT_TAG_X509CERT = "entityCert";

frameworks/js/napi/certificate/src/napi_cert_utils.cpp

@@ -628,6 +628,22 @@ bool ParserArray(napi_env env, napi_value arg, uint32_t &arrayLen)
     return true;
 }
 
+void SubAltNameArrayDataClearAndFree(SubAltNameArray *array)
+{
+    if (array == NULL) {
+        LOGD("The input array is null, no need to free.");
+        return;
+    }
+    if (array->data != NULL) {
+        for (uint32_t i = 0; i < array->count; ++i) {
+            CF_FREE_BLOB(array->data[i].name);
+        }
+        CfFree(array->data);
+        array->data = NULL;
+        array->count = 0;
+    }
+}
+
 SubAltNameArray *CertGetSANArrFromArrUarrJSParams(napi_env env, napi_value arg)
 {
     uint32_t length = 0;

frameworks/js/napi/certificate/src/napi_certificate_init.cpp

@@ -170,6 +170,76 @@ static void DefineGeneralNameTypeProperties(napi_env env, napi_value exports)
     napi_define_properties(env, exports, sizeof(desc) / sizeof(desc[0]), desc);
 }
 
+static napi_value CreateRevocationCheckOptions(napi_env env)
+{
+    napi_value revocationCheckOptions = nullptr;
+    napi_create_object(env, &revocationCheckOptions);
+
+    CertAddUint32Property(
+        env, revocationCheckOptions, "REVOCATION_CHECK_OPTION_PREFER_OCSP", CF_REVOCATION_CHECK_OPTION_PREFER_OCSP);
+    CertAddUint32Property(env, revocationCheckOptions, "REVOCATION_CHECK_OPTION_ACCESS_NETWORK",
+        CF_REVOCATION_CHECK_OPTION_ACCESS_NETWORK);
+    CertAddUint32Property(env, revocationCheckOptions, "REVOCATION_CHECK_OPTION_FALLBACK_NO_PREFER",
+        CF_REVOCATION_CHECK_OPTION_FALLBACK_NO_PREFER);
+    CertAddUint32Property(env, revocationCheckOptions, "REVOCATION_CHECK_OPTION_FALLBACK_LOCAL",
+        CF_REVOCATION_CHECK_OPTION_FALLBACK_LOCAL);
+
+    return revocationCheckOptions;
+}
+
+static napi_value CreateValidationPolicyType(napi_env env)
+{
+    napi_value ValidationPolicyType = nullptr;
+    napi_create_object(env, &ValidationPolicyType);
+
+    CertAddUint32Property(env, ValidationPolicyType, "VALIDATION_POLICY_TYPE_X509", CF_VALIDATION_POLICY_TYPE_X509);
+    CertAddUint32Property(env, ValidationPolicyType, "VALIDATION_POLICY_TYPE_SSL", CF_VALIDATION_POLICY_TYPE_SSL);
+
+    return ValidationPolicyType;
+}
+
+static napi_value CreateValidationKeyUsageType(napi_env env)
+{
+    napi_value ValidationKeyUsageType = nullptr;
+    napi_create_object(env, &ValidationKeyUsageType);
+
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_DIGITAL_SIGNATURE", CF_KEYUSAGE_DIGITAL_SIGNATURE);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_NON_REPUDIATION", CF_KEYUSAGE_NON_REPUDIATION);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_KEY_ENCIPHERMENT", CF_KEYUSAGE_KEY_ENCIPHERMENT);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_DATA_ENCIPHERMENT", CF_KEYUSAGE_DATA_ENCIPHERMENT);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_KEY_AGREEMENT", CF_KEYUSAGE_KEY_AGREEMENT);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_KEY_CERT_SIGN", CF_KEYUSAGE_KEY_CERT_SIGN);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_CRL_SIGN", CF_KEYUSAGE_CRL_SIGN);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_ENCIPHER_ONLY", CF_KEYUSAGE_ENCIPHER_ONLY);
+    CertAddUint32Property(env, ValidationKeyUsageType, "KEYUSAGE_DECIPHER_ONLY", CF_KEYUSAGE_DECIPHER_ONLY);
+
+    return ValidationKeyUsageType;
+}
+
+static void DefineOcspCheckOptionTypeProperties(napi_env env, napi_value exports)
+{
+    napi_property_descriptor desc[] = {
+        DECLARE_NAPI_PROPERTY("RevocationCheckOptions", CreateRevocationCheckOptions(env)),
+    };
+    napi_define_properties(env, exports, sizeof(desc) / sizeof(desc[0]), desc);
+}
+
+static void DefineValidationPolicyTypeProperties(napi_env env, napi_value exports)
+{
+    napi_property_descriptor desc[] = {
+        DECLARE_NAPI_PROPERTY("ValidationPolicyType", CreateValidationPolicyType(env)),
+    };
+    napi_define_properties(env, exports, sizeof(desc) / sizeof(desc[0]), desc);
+}
+
+static void DefineValidationKeyUsageTypeProperties(napi_env env, napi_value exports)
+{
+    napi_property_descriptor desc[] = {
+        DECLARE_NAPI_PROPERTY("KeyUsageType", CreateValidationKeyUsageType(env)),
+    };
+    napi_define_properties(env, exports, sizeof(desc) / sizeof(desc[0]), desc);
+}
+
 /***********************************************
  * Module export and register
  ***********************************************/
@@ -182,6 +252,9 @@ static napi_value CertModuleExport(napi_env env, napi_value exports)
     DefineExtensionOidTypeProperties(env, exports);
     DefineExtensionEntryTypeProperties(env, exports);
     DefineGeneralNameTypeProperties(env, exports);
+    DefineOcspCheckOptionTypeProperties(env, exports);
+    DefineValidationPolicyTypeProperties(env, exports);
+    DefineValidationKeyUsageTypeProperties(env, exports);
 
     NapiKey::DefineHcfKeyJSClass(env);
     NapiPubKey::DefinePubKeyJSClass(env);

frameworks/js/napi/certificate/src/napi_x509_cert_chain_validate_params.cpp

@@ -163,6 +163,186 @@ static bool GetCertCRLCollectionArray(napi_env env, napi_value arg, HcfCertCRLCo
     return true;
 }
 
+static bool GetRevocationOptions(napi_env env, napi_value rckObj, HcfRevocationCheckParam *&out)
+{
+    napi_value obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_OPTIONS.c_str());
+    if (obj == nullptr) {
+        return true;
+    }
+    bool flag = false;
+    napi_status status = napi_is_array(env, obj, &flag);
+    if (status != napi_ok || !flag) {
+        return false;
+    }
+
+    uint32_t length = 0;
+    status = napi_get_array_length(env, obj, &length);
+    if (status != napi_ok || length == 0 || length > MAX_NAPI_ARRAY_OF_U8ARR) {
+        return false;
+    }
+    out->options = static_cast<HcfRevChkOpArray *>(HcfMalloc(sizeof(HcfRevChkOpArray), 0));
+    out->options->count = length;
+    out->options->data = static_cast<HcfRevChkOption *>(HcfMalloc(length * sizeof(HcfRevChkOption), 0));
+    for (uint32_t i = 0; i < length; i++) {
+        napi_value element;
+        if (napi_get_element(env, obj, i, &element) != napi_ok ||
+            napi_get_value_int32(env, element, (int32_t *)&(out->options->data[i])) != napi_ok) {
+            return false;
+        }
+        switch (out->options->data[i]) {
+            case REVOCATION_CHECK_OPTION_PREFER_OCSP:
+            case REVOCATION_CHECK_OPTION_ACCESS_NETWORK:
+            case REVOCATION_CHECK_OPTION_FALLBACK_NO_PREFER:
+            case REVOCATION_CHECK_OPTION_FALLBACK_LOCAL:
+                break;
+            default:
+                return false;
+        }
+    }
+    return true;
+}
+
+static bool GetRevocationDetail(napi_env env, napi_value rckObj, HcfRevocationCheckParam *&out)
+{
+    napi_value obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_OCSP_REQ_EXTENSION.c_str());
+    if (obj != nullptr) {
+        out->ocspRequestExtension = CertGetBlobArrFromArrUarrJSParams(env, obj);
+        if (out->ocspRequestExtension == nullptr) {
+            return false;
+        }
+    }
+    obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_OCSP_RESP_URI.c_str());
+    if (obj != nullptr) {
+        out->ocspResponderURI = CertGetBlobFromStringJSParams(env, obj);
+        if (out->ocspResponderURI == nullptr) {
+            return false;
+        }
+    }
+    obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_OCSP_RESP_CERT.c_str());
+    if (obj != nullptr) {
+        NapiX509Certificate *napiX509Cert = nullptr;
+        napi_unwrap(env, obj, reinterpret_cast<void **>(&napiX509Cert));
+        if (napiX509Cert != nullptr) {
+            out->ocspResponderCert = napiX509Cert->GetX509Cert();
+            if (out->ocspResponderCert == nullptr) {
+                return false;
+            }
+        } else {
+            return false;
+        }
+    }
+    obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_OCSP_RESPS.c_str());
+    if (obj != nullptr) {
+        out->ocspResponses = CertGetBlobFromUint8ArrJSParams(env, obj);
+        if (out->ocspResponses == nullptr) {
+            return false;
+        }
+    }
+    obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_CRL_DOWNLOAD_URI.c_str());
+    if (obj != nullptr) {
+        out->crlDownloadURI = CertGetBlobFromStringJSParams(env, obj);
+        if (out->crlDownloadURI == nullptr) {
+            return false;
+        }
+    }
+    return GetRevocationOptions(env, rckObj, out);
+}
+
+static bool GetRevocationCheckParam(napi_env env, napi_value arg, HcfRevocationCheckParam *&out)
+{
+    napi_value rckObj = GetProp(env, arg, CERT_CHAIN_VALIDATE_TAG_REVOCATIONCHECKPARAM.c_str());
+    if (rckObj == nullptr) {
+        LOGI("RevocationCheckParam do not exist!");
+        return true;
+    }
+    napi_valuetype valueType;
+    napi_typeof(env, rckObj, &valueType);
+    if (valueType == napi_null || valueType != napi_object) {
+        LOGE("Failed to check input param!");
+        return false;
+    }
+
+    out = static_cast<HcfRevocationCheckParam *>(HcfMalloc(sizeof(HcfRevocationCheckParam), 0));
+    if (out == nullptr) {
+        LOGE("Failed to allocate out memory!");
+        return false;
+    }
+    if (!GetRevocationDetail(env, rckObj, out)) {
+        LOGE("Failed to get revocation detail!");
+        CfFree(out);
+        return false;
+    }
+
+    return true;
+}
+
+static bool GetValidationPolicyType(napi_env env, napi_value arg, HcfValPolicyType &out)
+{
+    napi_value obj = GetProp(env, arg, CERT_CHAIN_VALIDATE_TAG_POLICY.c_str());
+    if (obj != nullptr) {
+        napi_status status = napi_get_value_int32(env, obj, (int32_t *)&out);
+        if (status != napi_ok) {
+            return false;
+        }
+    }
+    return true;
+}
+
+static bool GetSSLHostname(napi_env env, napi_value arg, CfBlob *&out)
+{
+    napi_value obj = GetProp(env, arg, CERT_CHAIN_VALIDATE_TAG_SSLHOSTNAME.c_str());
+    if (obj == nullptr) {
+        LOGI("Param type not SSLHostname!");
+        return true;
+    }
+    out = CertGetBlobFromStringJSParams(env, obj);
+    if (out == nullptr) {
+        LOGE("SSLHostname is nullptr");
+        return false;
+    }
+    return true;
+}
+
+static bool GetKeyUsage(napi_env env, napi_value arg, HcfKuArray *&out)
+{
+    out = nullptr;
+    napi_value obj = GetProp(env, arg, CERT_CHAIN_VALIDATE_TAG_KEYUSAGE.c_str());
+    if (obj == nullptr) {
+        return true;
+    }
+    bool flag = false;
+    napi_status status = napi_is_array(env, obj, &flag);
+    if (status != napi_ok || !flag) {
+        return false;
+    }
+    uint32_t length = 0;
+    status = napi_get_array_length(env, obj, &length);
+    if (status != napi_ok || length == 0 || length > MAX_NAPI_ARRAY_OF_U8ARR) {
+        return false;
+    }
+    out = static_cast<HcfKuArray *>(HcfMalloc(sizeof(HcfKuArray), 0));
+    if (out == nullptr) {
+        return false;
+    }
+    out->count = length;
+    out->data = static_cast<HcfKeyUsageType *>(HcfMalloc(length * sizeof(HcfKeyUsageType), 0));
+    if (out->data == nullptr) {
+        CfFree(out);
+        out = nullptr;
+        return false;
+    }
+    for (uint32_t i = 0; i < length; i++) {
+        napi_value element;
+        if (napi_get_element(env, obj, i, &element) != napi_ok ||
+            napi_get_value_int32(env, element, (int32_t *)&(out->data[i])) != napi_ok) {
+            CfFree(out);
+            out = nullptr;
+            return false;
+        }
+    }
+    return true;
+}
+
 void FreeX509CertChainValidateParams(HcfX509CertChainValidateParams &param)
 {
     CfBlobFree(&param.date);
@@ -223,6 +403,22 @@ bool BuildX509CertChainValidateParams(napi_env env, napi_value arg, HcfX509CertC
         LOGE("GetCertCRLCollectionArray failed");
         return false;
     }
+    if (!GetRevocationCheckParam(env, arg, param.revocationCheckParam)) {
+        LOGE("Get revocation check param failed!");
+        return false;
+    }
+    if (!GetValidationPolicyType(env, arg, param.policy)) {
+        LOGE("Get validation policy type failed!");
+        return false;
+    }
+    if (!GetSSLHostname(env, arg, param.sslHostname)) {
+        LOGE("Get SSLHostname failed!");
+        return false;
+    }
+    if (!GetKeyUsage(env, arg, param.keyUsage)) {
+        LOGE("Get key usage failed!");
+        return false;
+    }
 
     return true;
 }

interfaces/innerkits/certificate/x509_cert_chain_validate_params.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -24,11 +24,59 @@
 #include "cf_blob.h"
 #include "x509_trust_anchor.h"
 
+typedef enum {
+    VALIDATION_POLICY_TYPE_X509 = 0,
+    VALIDATION_POLICY_TYPE_SSL = 1,
+} HcfValPolicyType;
+
+typedef enum {
+    REVOCATION_CHECK_OPTION_PREFER_OCSP = 0,
+    REVOCATION_CHECK_OPTION_ACCESS_NETWORK = 1,
+    REVOCATION_CHECK_OPTION_FALLBACK_NO_PREFER = 2,
+    REVOCATION_CHECK_OPTION_FALLBACK_LOCAL = 3,
+} HcfRevChkOption;
+
+typedef enum {
+    KEYUSAGE_DIGITAL_SIGNATURE = 0,
+    KEYUSAGE_NON_REPUDIATION = 1,
+    KEYUSAGE_KEY_ENCIPHERMENT = 2,
+    KEYUSAGE_DATA_ENCIPHERMENT = 3,
+    KEYUSAGE_KEY_AGREEMENT = 4,
+    KEYUSAGE_KEY_CERT_SIGN = 5,
+    KEYUSAGE_CRL_SIGN = 6,
+    KEYUSAGE_ENCIPHER_ONLY = 7,
+    KEYUSAGE_DECIPHER_ONLY = 8,
+} HcfKeyUsageType;
+
+typedef struct {
+    HcfKeyUsageType *data;
+    uint32_t count;
+} HcfKuArray;
+
+typedef struct {
+    HcfRevChkOption *data;
+    uint32_t count;
+} HcfRevChkOpArray;
+
+typedef struct HcfRevocationCheckParam HcfRevocationCheckParam;
+struct HcfRevocationCheckParam {
+    CfBlobArray *ocspRequestExtension;
+    CfBlob *ocspResponderURI;
+    HcfX509Certificate *ocspResponderCert;
+    CfBlob *ocspResponses;
+    CfBlob *crlDownloadURI;
+    HcfRevChkOpArray *options;
+};
+
 typedef struct HcfX509CertChainValidateParams HcfX509CertChainValidateParams;
 struct HcfX509CertChainValidateParams {
     CfBlob *date;                                  // string
     HcfX509TrustAnchorArray *trustAnchors;         // Array<X509TrustAnchor>
     HcfCertCRLCollectionArray *certCRLCollections; // Array<CertCRLCollection>;
+    HcfRevocationCheckParam *revocationCheckParam;
+    HcfValPolicyType policy;
+    CfBlob *sslHostname;
+    HcfKuArray *keyUsage;
 };
 
 #endif // X509_CERT_CHAIN_VALIDATE_PARAMETERS_H

interfaces/innerkits/include/cf_type.h

@@ -79,6 +79,30 @@ typedef enum {
     CF_GENERAL_NAME_TYPE_REGISTERED_ID
 } CfGeneralNameType;
 
+typedef enum {
+    CF_REVOCATION_CHECK_OPTION_PREFER_OCSP,
+    CF_REVOCATION_CHECK_OPTION_ACCESS_NETWORK,
+    CF_REVOCATION_CHECK_OPTION_FALLBACK_NO_PREFER,
+    CF_REVOCATION_CHECK_OPTION_FALLBACK_LOCAL,
+} CfRevocationCheckOptionsType;
+
+typedef enum {
+    CF_VALIDATION_POLICY_TYPE_X509,
+    CF_VALIDATION_POLICY_TYPE_SSL,
+} CfValidationPolicyType;
+
+typedef enum {
+    CF_KEYUSAGE_DIGITAL_SIGNATURE,
+    CF_KEYUSAGE_NON_REPUDIATION,
+    CF_KEYUSAGE_KEY_ENCIPHERMENT,
+    CF_KEYUSAGE_DATA_ENCIPHERMENT,
+    CF_KEYUSAGE_KEY_AGREEMENT,
+    CF_KEYUSAGE_KEY_CERT_SIGN,
+    CF_KEYUSAGE_CRL_SIGN,
+    CF_KEYUSAGE_ENCIPHER_ONLY,
+    CF_KEYUSAGE_DECIPHER_ONLY,
+} CfValidationKeyUsageType;
+
 typedef enum {
     CF_GET_TYPE_CERT_ITEM,
     CF_GET_TYPE_EXT_ITEM,

test/fuzztest/v1.0/x509certchain_fuzzer/BUILD.gn

@@ -0,0 +1,49 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+module_output_path = "certificate_framework/certificate_framework"
+
+##############################fuzztest##########################################
+ohos_fuzztest("X509CertChainFuzzTest") {
+  module_out_path = module_output_path
+  fuzz_config_file = "../x509certchain_fuzzer"
+  configs = [ "../../../../config/build:coverage_flag_cc" ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "x509cert_chain_fuzzer.cpp" ]
+
+  external_deps = [
+    "c_utils:utils",
+    "certificate_framework:certificate_framework_core",
+    "crypto_framework:crypto_framework_lib",
+    "hilog:libhilog",
+  ]
+}
+
+###############################################################################
+group("fuzztest") {
+  testonly = true
+  deps = []
+  deps += [
+    # deps file
+    ":X509CertChainFuzzTest",
+  ]
+}
+###############################################################################

test/fuzztest/v1.0/x509certchain_fuzzer/corpus/init

@@ -0,0 +1,14 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FUZZ

test/fuzztest/v1.0/x509certchain_fuzzer/project.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>

test/fuzztest/v1.0/x509certchain_fuzzer/x509cert_chain_fuzzer.cpp

@@ -0,0 +1,218 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "x509cert_chain_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include "securec.h"
+
+#include "cf_blob.h"
+#include "cf_result.h"
+#include "x509_cert_chain.h"
+
+namespace OHOS {
+    static char g_fuzzCert[] =
+    "-----BEGIN CERTIFICATE-----\r\n"
+    "MIIEMjCCAxqgAwIBAgICARAwDQYJKoZIhvcNAQELBQAwdjELMAkGA1UEBhMCQ04x\r\n"
+    "CzAJBgNVBAgMAkJKMQswCQYDVQQHDAJCSjELMAkGA1UECgwCSEQxDDAKBgNVBAsM\r\n"
+    "A2RldjELMAkGA1UEAwwCY2ExJTAjBgkqhkiG9w0BCQEWFmNhQGNyeXB0b2ZyYW1l\r\n"
+    "d29yay5jb20wHhcNMjIwODE5MTI0OTA2WhcNMzIwODE2MTI0OTA2WjB2MQswCQYD\r\n"
+    "VQQGEwJDTjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkJKMQswCQYDVQQKDAJIRDEM\r\n"
+    "MAoGA1UECwwDZGV2MQswCQYDVQQDDAJjYTElMCMGCSqGSIb3DQEJARYWY2FAY3J5\r\n"
+    "cHRvZnJhbWV3b3JrLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\r\n"
+    "AJ8p0IWE7WwwbtATg+AbYQj33WNBBktU+/AVf+Tl1aAa4TOeW2/ZARc4sdwLVTxd\r\n"
+    "XCipFseuiGN30hwXrXFUHrcMf0w2sCkznJVZ/rQcfEO5Kb1vBz6DEEcgISYEhhqO\r\n"
+    "BfYBit5qfpq5R2+2R/Th/ybV+kBrUl+GssXbDAe6oZCy56lGphDvmHMUO7a13j+S\r\n"
+    "FmThMbI2yeyua1LagSoaBJfY1J+i7jWPmmEFR0dQ2p0EGjHTgQGhRo5VuwDHipNS\r\n"
+    "v0XP8OUA/PYbL/SBj1Fq4C3gtfvjeswUbzVaMoq/wCuy1qcXI80ZLe3whR24c0cX\r\n"
+    "YFO0uGi9egPp24fw7yYGqgECAwEAAaOByTCBxjAdBgNVHQ4EFgQUjKM7QmMBs01R\r\n"
+    "9uQttYN/GDkvt7UwHwYDVR0jBBgwFoAUjKM7QmMBs01R9uQttYN/GDkvt7UwEgYD\r\n"
+    "VR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUH\r\n"
+    "AwEGCCsGAQUFBwMCMCEGA1UdEQQaMBiBFmNhQGNyeXB0b2ZyYW1ld29yay5jb20w\r\n"
+    "IQYDVR0SBBowGIEWY2FAY3J5cHRvZnJhbWV3b3JrLmNvbTANBgkqhkiG9w0BAQsF\r\n"
+    "AAOCAQEAh+4RE6cJ62/gLYssLkc7ESg7exKwZlmisHyBicuy/+XagOZ3cTbgQNXl\r\n"
+    "QoZKbw/ks/B/cInbQGYbpAm47Sudo+I/G9xj0X7gQB9wtSrbStOs6SjnLiYU0xFc\r\n"
+    "Fsc0j6k2SrlyiwRQcjS4POKiUS0Cm3F3DHGdj55PlBkXxudXCq2V3J3VwKf2bVjQ\r\n"
+    "bzz2+M/Q1m+P7FhB+JmeO8eemkqMQ0tFMU3EM441NpejC5iFVAGgownC8S0B+fxH\r\n"
+    "9dBJuHM6vpxEWw3ckZFDZQ1kd91YRgr7jY8fc0v/T0tzHWbOEVzklEIBWL1mompL\r\n"
+    "BCwe0/Gw+BO60bfi2MoJw8t2IcB1Qw==\r\n"
+    "-----END CERTIFICATE-----\r\n";
+
+    static char g_fuzzDate[] = "20231212080000Z";
+    static uint8_t g_fuzzPubKey[] = {
+        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+        0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+        0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd0, 0x35, 0x39, 0x92, 0x49, 0xb5,
+        0x95, 0x08, 0xef, 0x38, 0xf8, 0xa8, 0x51, 0xd3, 0xef, 0xd8, 0x3e, 0x3a, 0xd9,
+        0x2c, 0xe1, 0x31, 0x1f, 0x99, 0x41, 0x03, 0x86, 0xb3, 0x4a, 0x04, 0x41, 0x23,
+        0x6f, 0xf8, 0xb6, 0xf4, 0x60, 0x5f, 0x9e, 0x9b, 0xc5, 0x75, 0x3d, 0xfa, 0x6b,
+        0x30, 0xa0, 0xd9, 0x53, 0x83, 0x25, 0x14, 0xa3, 0x23, 0x31, 0x67, 0xe2, 0xa0,
+        0x03, 0x71, 0xcf, 0x38, 0x12, 0x67, 0xca, 0x88, 0x31, 0x0c, 0xf7, 0xb1, 0xc5,
+        0xb1, 0x03, 0xe9, 0xf5, 0x14, 0x64, 0xab, 0x11, 0xf9, 0x70, 0x1e, 0x75, 0x11,
+        0x4d, 0x9e, 0x04, 0x4f, 0x54, 0x6b, 0xde, 0x71, 0xfb, 0x04, 0x29, 0xfc, 0xa4,
+        0x9d, 0x0a, 0xa2, 0x13, 0x09, 0x0f, 0xef, 0xca, 0xf9, 0xb7, 0x27, 0x85, 0x29,
+        0x8e, 0x5d, 0x30, 0x95, 0x6f, 0x30, 0x44, 0x23, 0xc2, 0x59, 0xc6, 0x30, 0xde,
+        0x92, 0x82, 0x94, 0x64, 0x64, 0x37, 0x35, 0x6d, 0x23, 0x52, 0x97, 0x9d, 0xfa,
+        0x67, 0xed, 0xf1, 0xb7, 0x37, 0xce, 0x27, 0xef, 0x09, 0x41, 0x6f, 0xd2, 0x06,
+        0x28, 0x91, 0x5a, 0x73, 0xfe, 0xbe, 0x87, 0x1b, 0xd9, 0xc7, 0x6a, 0xa7, 0x7c,
+        0xbb, 0x31, 0x74, 0x82, 0x91, 0xd1, 0x0f, 0xdb, 0x88, 0x6a, 0x14, 0xe9, 0x9f,
+        0x08, 0xcb, 0xf4, 0x7f, 0xa7, 0xb1, 0xa8, 0x3c, 0xef, 0x2f, 0x6a, 0x65, 0x74,
+        0xf7, 0x4f, 0x90, 0x1c, 0x42, 0xf9, 0x01, 0xd4, 0xb3, 0x2a, 0xd1, 0x21, 0x53,
+        0xdb, 0xdd, 0xbd, 0xcb, 0x96, 0x8e, 0x32, 0xf1, 0x56, 0x76, 0x89, 0x2d, 0xf8,
+        0xff, 0xe9, 0x6a, 0x06, 0x66, 0x3f, 0x14, 0x5a, 0x7d, 0xf3, 0x15, 0xb1, 0x28,
+        0x4d, 0x56, 0x80, 0x7e, 0x9d, 0xb1, 0xa9, 0xdc, 0xd6, 0xef, 0x24, 0x6f, 0x8b,
+        0x6a, 0xf5, 0xe3, 0xc9, 0xbd, 0x7a, 0xfe, 0xe5, 0x8c, 0x3a, 0x87, 0xa3, 0xc5,
+        0x17, 0xeb, 0xdb, 0x02, 0x03, 0x01, 0x00, 0x01
+    };
+    static uint8_t g_fuzzSubject[] = {
+        0x30, 0x44, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+        0x55, 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0c,
+        0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x49, 0x6e, 0x63, 0x31,
+        0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x15, 0x47, 0x65, 0x6f,
+        0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x52, 0x53, 0x41, 0x20, 0x43, 0x4e, 0x20,
+        0x43, 0x41, 0x20, 0x47, 0x32
+    };
+    static char g_fuzzSslHostName[] = "*.163.com";
+    constexpr int TEST_DATA_LEN = 1;
+    static bool g_testFlag = true;
+
+    static void FreeTrustAnchor(HcfX509TrustAnchor *trustAnchor)
+    {
+        if (trustAnchor == nullptr) {
+            return;
+        }
+        CfBlobFree(&trustAnchor->CAPubKey);
+        CfBlobFree(&trustAnchor->CASubject);
+        CfObjDestroy(trustAnchor->CACert);
+        trustAnchor->CACert = nullptr;
+        free(trustAnchor);
+        trustAnchor = nullptr;
+    }
+
+    static void FreeValidateResult(HcfX509CertChainValidateResult *result)
+    {
+        if (result->entityCert != nullptr) {
+            CfObjDestroy(result->entityCert);
+            result->entityCert = nullptr;
+        }
+
+        if (result->trustAnchor != nullptr) {
+            FreeTrustAnchor(result->trustAnchor);
+        }
+    }
+
+    static void TestValidateParam(HcfX509CertChainValidateParams &params, HcfCertChain *x509CertChainObj)
+    {
+        CfBlob date = { 0 };
+        date.data = reinterpret_cast<uint8_t *>(g_fuzzDate);
+        date.size = strlen(g_fuzzDate) + 1;
+        HcfX509TrustAnchorArray trustAnchors = { 0 };
+        HcfX509TrustAnchor anchor = { 0 };
+        CfBlob caPubKey = { 0 };
+        caPubKey.data = g_fuzzPubKey;
+        caPubKey.size = strlen(reinterpret_cast<char *>(g_fuzzPubKey)) + 1;
+        anchor.CAPubKey = &caPubKey;
+        CfBlob caSubject = { 0 };
+        caSubject.data = g_fuzzSubject;
+        caSubject.size = strlen(reinterpret_cast<char *>(g_fuzzSubject)) + 1;
+        anchor.CASubject = &caSubject;
+        trustAnchors.data = static_cast<HcfX509TrustAnchor **>(
+            calloc(TEST_DATA_LEN * sizeof(HcfX509TrustAnchor *), 0));
+        if (trustAnchors.data == nullptr) {
+            return;
+        }
+        trustAnchors.data[0] = &anchor;
+        trustAnchors.count = TEST_DATA_LEN;
+
+        HcfRevocationCheckParam revocationCheckParam = { 0 };
+        HcfRevChkOpArray optionData = { 0 };
+        HcfRevChkOption option[TEST_DATA_LEN] = { REVOCATION_CHECK_OPTION_ACCESS_NETWORK };
+        optionData.data = option;
+        optionData.count = TEST_DATA_LEN;
+        revocationCheckParam.options = &optionData;
+
+        CfBlob sslHostname = { 0 };
+        sslHostname.data = reinterpret_cast<uint8_t *>(g_fuzzSslHostName);
+        sslHostname.size = strlen(g_fuzzSslHostName) + 1;
+        HcfKuArray keyUsage = { 0 };
+        HcfKeyUsageType type[TEST_DATA_LEN] = { KEYUSAGE_DIGITAL_SIGNATURE };
+        keyUsage.data = type;
+        keyUsage.count = TEST_DATA_LEN;
+
+        params.date = &date;
+        params.trustAnchors = &trustAnchors;
+        params.sslHostname = &sslHostname;
+        params.policy = HcfValPolicyType::VALIDATION_POLICY_TYPE_SSL;
+        params.keyUsage = &keyUsage;
+        params.revocationCheckParam = &revocationCheckParam;
+        HcfX509CertChainValidateResult result = { 0 };
+        (void)x509CertChainObj->validate(x509CertChainObj, &params, &result);
+        FreeValidateResult(&result);
+        free(params.trustAnchors->data);
+    }
+
+    static void TestQuery(HcfCertChain *x509CertChainObj)
+    {
+        HcfX509CertChainValidateParams params = { 0 };
+        TestValidateParam(params, x509CertChainObj);
+    }
+
+    static void CreateOneCert(void)
+    {
+        CfEncodingBlob inStream = { 0 };
+        inStream.data = reinterpret_cast<uint8_t *>(g_fuzzCert);
+        inStream.encodingFormat = CF_FORMAT_PEM;
+        inStream.len = strlen(g_fuzzCert) + 1;
+        HcfCertChain *x509CertChainObj = nullptr;
+        CfResult res = HcfCertChainCreate(&inStream, nullptr, &x509CertChainObj);
+        if (res != CF_SUCCESS) {
+            return;
+        }
+        TestQuery(x509CertChainObj);
+        CfObjDestroy(x509CertChainObj);
+    }
+
+    bool X509CertChainFuzzTest(const uint8_t* data, size_t size)
+    {
+        if (g_testFlag) {
+            CreateOneCert();
+            g_testFlag = false;
+        }
+        if (data == nullptr) {
+            return false;
+        }
+        CfEncodingBlob inStream = { 0 };
+        inStream.data = const_cast<uint8_t *>(data);
+        inStream.encodingFormat = CF_FORMAT_PEM;
+        inStream.len = size;
+        HcfCertChain *x509CertChainObj = nullptr;
+        CfResult res = HcfCertChainCreate(&inStream, nullptr, &x509CertChainObj);
+        if (res != CF_SUCCESS) {
+            return false;
+        }
+        CfObjDestroy(x509CertChainObj);
+
+        return true;
+    }
+}
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    /* Run your code on data */
+    OHOS::X509CertChainFuzzTest(data, size);
+    return 0;
+}

test/fuzztest/v1.0/x509certchain_fuzzer/x509cert_chain_fuzzer.h

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef X509_CERT_CHAIN_FUZZER_H
+#define X509_CERT_CHAIN_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "x509cert_chain_fuzzer"
+
+#endif

test/unittest/v1.0/BUILD.gn

@@ -36,6 +36,7 @@ ohos_unittest("cf_version1_test") {
   sources = [
     "src/cf_mock.cpp",
     "src/crypto_x509_cert_chain_test.cpp",
+    "src/crypto_x509_cert_chain_test_part2.cpp",
     "src/crypto_x509_cert_chain_validator_test.cpp",
     "src/crypto_x509_cert_crl_collection_test.cpp",
     "src/crypto_x509_certificate_test.cpp",
@@ -102,17 +103,22 @@ ohos_unittest("cf_version1_test") {
     "-Wl,--wrap=OBJ_obj2nid",
     "-Wl,--wrap=OBJ_nid2obj",
     "-Wl,--wrap=OBJ_obj2txt",
+    "-Wl,--wrap=OCSP_REQUEST_new",
+    "-Wl,--wrap=OSSL_HTTP_parse_url",
     "-Wl,--wrap=OPENSSL_sk_deep_copy",
     "-Wl,--wrap=OPENSSL_sk_num",
     "-Wl,--wrap=OPENSSL_sk_value",
     "-Wl,--wrap=OPENSSL_sk_new_null",
     "-Wl,--wrap=OPENSSL_sk_push",
     "-Wl,--wrap=X509_ALGOR_get0",
+    "-Wl,--wrap=X509_check_host",
+    "-Wl,--wrap=X509_CRL_load_http",
     "-Wl,--wrap=X509_dup",
     "-Wl,--wrap=X509_get_pubkey",
     "-Wl,--wrap=X509_get_ext",
     "-Wl,--wrap=X509_get_ext_d2i",
     "-Wl,--wrap=X509_get0_serialNumber",
+    "-Wl,--wrap=X509_get1_ocsp",
     "-Wl,--wrap=X509_getm_notBefore",
     "-Wl,--wrap=X509_getm_notAfter",
     "-Wl,--wrap=X509_NAME_oneline",
@@ -139,5 +145,6 @@ ohos_unittest("cf_version1_test") {
     "googletest:gmock",
     "hilog:libhilog",
     "openssl:libcrypto_shared",
+    "openssl:libssl_shared",
   ]
 }

test/unittest/v1.0/include/cf_mock.h

@@ -18,72 +18,83 @@
 #include <gmock/gmock.h>
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
+#include <openssl/ocsp.h>
 #include <openssl/x509v3.h>
 
 #include "certificate_openssl_common.h"
 #include "x509_certificate.h"
 #include "x509_certificate_openssl.h"
 
+using ::testing::NiceMock;
+
 namespace CFMock {
 class X509OpensslMock {
 public:
-    MOCK_METHOD2(i2d_X509_EXTENSIONS, int(X509_EXTENSIONS *a, unsigned char **out));
-    MOCK_METHOD1(OPENSSL_sk_num, int(const OPENSSL_STACK *st));
-    MOCK_METHOD1(X509_getm_notBefore, ASN1_TIME *(const X509 *x));
-    MOCK_METHOD1(X509_getm_notAfter, ASN1_TIME *(const X509 *x));
-    MOCK_METHOD3(X509_NAME_oneline, char *(const X509_NAME *a, char *buf, int size));
-    MOCK_METHOD2(i2d_X509, int(X509 *a, unsigned char **out));
-    MOCK_METHOD2(BIO_new_mem_buf, BIO *(const void *buf, int len));
-    MOCK_METHOD2(OPENSSL_sk_value, void *(const OPENSSL_STACK *st, int i));
-    MOCK_METHOD2(HcfX509CertificateCreate, CfResult(const CfEncodingBlob *inStream, HcfX509Certificate **returnObj));
-    MOCK_METHOD0(OPENSSL_sk_new_null, OPENSSL_STACK *(void));
-    MOCK_METHOD2(X509_STORE_add_cert, int(X509_STORE *ctx, X509 *x));
-    MOCK_METHOD0(X509_STORE_CTX_new, X509_STORE_CTX *(void));
-    MOCK_METHOD0(X509_STORE_new, X509_STORE *(void));
-    MOCK_METHOD4(X509_STORE_CTX_init, int(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) * chain));
-    MOCK_METHOD1(X509_verify_cert, int(X509_STORE_CTX *ctx));
-    MOCK_METHOD2(i2d_PUBKEY, int(EVP_PKEY *a, unsigned char **pp));
-    MOCK_METHOD4(X509_get_ext_d2i, void *(const X509 *x, int nid, int *crit, int *idx));
-    MOCK_METHOD2(i2d_ASN1_OCTET_STRING, int(ASN1_OCTET_STRING *a, unsigned char **out));
-    MOCK_METHOD2(i2d_AUTHORITY_KEYID, int(AUTHORITY_KEYID *a, unsigned char **out));
-    MOCK_METHOD3(DeepCopyDataToBlob, CfResult(const unsigned char *data, uint32_t len, CfBlob *outBlob));
-    MOCK_METHOD0(ASN1_TIME_new, ASN1_TIME *(void));
-    MOCK_METHOD1(X509_get0_serialNumber, const ASN1_INTEGER *(const X509 *x));
-    MOCK_METHOD2(i2d_ASN1_INTEGER, int(ASN1_INTEGER *a, unsigned char **out));
-    MOCK_METHOD1(X509_get_pubkey, EVP_PKEY *(X509 *x));
-    MOCK_METHOD1(OBJ_nid2obj, ASN1_OBJECT *(int n));
-    MOCK_METHOD4(OBJ_obj2txt, int(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name));
-    MOCK_METHOD3(BN_bin2bn, BIGNUM *(const unsigned char *s, int len, BIGNUM *ret));
-    MOCK_METHOD1(ASN1_TIME_normalize, int(ASN1_TIME *s));
-    MOCK_METHOD4(
-        X509_ALGOR_get0, void(const ASN1_OBJECT **paobj, int *pptype, const void **ppval, const X509_ALGOR *algor));
-    MOCK_METHOD0(ASN1_TYPE_new, ASN1_TYPE *(void));
-    MOCK_METHOD3(ASN1_TYPE_set1, int(ASN1_TYPE *a, int type, const void *value));
-    MOCK_METHOD2(i2d_ASN1_TYPE, int(ASN1_TYPE *a, unsigned char **out));
-    MOCK_METHOD1(ASN1_INTEGER_get, long(const ASN1_INTEGER *a));
-    MOCK_METHOD1(ASN1_STRING_get0_data, const unsigned char *(const ASN1_STRING *x));
-    MOCK_METHOD2(i2d_GENERAL_NAME, int(GENERAL_NAME *a, unsigned char **out));
-    MOCK_METHOD2(X509_get_ext, X509_EXTENSION *(const X509 *x, X509_EXTENSION *loc));
-    MOCK_METHOD1(X509V3_EXT_d2i, void *(X509_EXTENSION *ext));
-    MOCK_METHOD2(GENERAL_NAME_get0_value, void *(const GENERAL_NAME *a, int *ptype));
-    MOCK_METHOD2(X509_verify, int(X509 *a, EVP_PKEY *r));
-    MOCK_METHOD2(DeepCopyBlobToBlob, CfResult(const CfBlob *inBlob, CfBlob **outBlob));
-    MOCK_METHOD2(OPENSSL_sk_push, int(OPENSSL_STACK *st, const int data));
-    MOCK_METHOD2(i2d_X509_REVOKED, int(X509_REVOKED *a, unsigned char **out));
-    MOCK_METHOD2(i2d_X509_CRL, int(X509_CRL *a, unsigned char **out));
-    MOCK_METHOD3(
-        OPENSSL_sk_deep_copy, OPENSSL_STACK *(const OPENSSL_STACK *, OPENSSL_sk_copyfunc c, OPENSSL_sk_freefunc f));
-    MOCK_METHOD1(OBJ_obj2nid, int(const ASN1_OBJECT *o));
-    MOCK_METHOD1(X509_dup, X509 *(X509 *x509));
+    MOCK_METHOD(int, i2d_X509_EXTENSIONS, (X509_EXTENSIONS * a, unsigned char **out));
+    MOCK_METHOD(int, OPENSSL_sk_num, (const OPENSSL_STACK *st));
+    MOCK_METHOD(ASN1_TIME *, X509_getm_notBefore, (const X509 *x));
+    MOCK_METHOD(ASN1_TIME *, X509_getm_notAfter, (const X509 *x));
+    MOCK_METHOD(char *, X509_NAME_oneline, (const X509_NAME *a, char *buf, int size));
+    MOCK_METHOD(int, i2d_X509, (X509 * a, unsigned char **out));
+    MOCK_METHOD(BIO *, BIO_new_mem_buf, (const void *buf, int len));
+    MOCK_METHOD(void *, OPENSSL_sk_value, (const OPENSSL_STACK *st, int i));
+    MOCK_METHOD(CfResult, HcfX509CertificateCreate, (const CfEncodingBlob *inStream, HcfX509Certificate **returnObj));
+    MOCK_METHOD(OPENSSL_STACK *, OPENSSL_sk_new_null, ());
+    MOCK_METHOD(int, X509_STORE_add_cert, (X509_STORE * ctx, X509 *x));
+    MOCK_METHOD(X509_STORE_CTX *, X509_STORE_CTX_new, ());
+    MOCK_METHOD(X509_STORE *, X509_STORE_new, ());
+    MOCK_METHOD(
+        int, X509_STORE_CTX_init, (X509_STORE_CTX * ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) * chain));
+    MOCK_METHOD(int, X509_verify_cert, (X509_STORE_CTX * ctx));
+    MOCK_METHOD(int, i2d_PUBKEY, (EVP_PKEY * a, unsigned char **pp));
+    MOCK_METHOD(void *, X509_get_ext_d2i, (const X509 *x, int nid, int *crit, int *idx));
+    MOCK_METHOD(int, i2d_ASN1_OCTET_STRING, (ASN1_OCTET_STRING * a, unsigned char **out));
+    MOCK_METHOD(int, i2d_AUTHORITY_KEYID, (AUTHORITY_KEYID * a, unsigned char **out));
+    MOCK_METHOD(CfResult, DeepCopyDataToBlob, (const unsigned char *data, uint32_t len, CfBlob *outBlob));
+    MOCK_METHOD(ASN1_TIME *, ASN1_TIME_new, ());
+    MOCK_METHOD(const ASN1_INTEGER *, X509_get0_serialNumber, (const X509 *x));
+    MOCK_METHOD(int, i2d_ASN1_INTEGER, (ASN1_INTEGER * a, unsigned char **out));
+    MOCK_METHOD(EVP_PKEY *, X509_get_pubkey, (X509 * x));
+    MOCK_METHOD(ASN1_OBJECT *, OBJ_nid2obj, (int n));
+    MOCK_METHOD(int, OBJ_obj2txt, (char *buf, int buf_len, const ASN1_OBJECT *a, int no_name));
+    MOCK_METHOD(BIGNUM *, BN_bin2bn, (const unsigned char *s, int len, BIGNUM *ret));
+    MOCK_METHOD(int, ASN1_TIME_normalize, (ASN1_TIME * s));
+    MOCK_METHOD(
+        void, X509_ALGOR_get0, (const ASN1_OBJECT **paobj, int *pptype, const void **ppval, const X509_ALGOR *algor));
+    MOCK_METHOD(ASN1_TYPE *, ASN1_TYPE_new, ());
+    MOCK_METHOD(int, ASN1_TYPE_set1, (ASN1_TYPE * a, int type, const void *value));
+    MOCK_METHOD(int, i2d_ASN1_TYPE, (ASN1_TYPE * a, unsigned char **out));
+    MOCK_METHOD(long, ASN1_INTEGER_get, (const ASN1_INTEGER *a));
+    MOCK_METHOD(const unsigned char *, ASN1_STRING_get0_data, (const ASN1_STRING *x));
+    MOCK_METHOD(int, i2d_GENERAL_NAME, (GENERAL_NAME * a, unsigned char **out));
+    MOCK_METHOD(X509_EXTENSION *, X509_get_ext, (const X509 *x, X509_EXTENSION *loc));
+    MOCK_METHOD(void *, X509V3_EXT_d2i, (X509_EXTENSION * ext));
+    MOCK_METHOD(void *, GENERAL_NAME_get0_value, (const GENERAL_NAME *a, int *ptype));
+    MOCK_METHOD(int, X509_verify, (X509 * a, EVP_PKEY *r));
+    MOCK_METHOD(CfResult, DeepCopyBlobToBlob, (const CfBlob *inBlob, CfBlob **outBlob));
+    MOCK_METHOD(int, OPENSSL_sk_push, (OPENSSL_STACK * st, const int data));
+    MOCK_METHOD(int, i2d_X509_REVOKED, (X509_REVOKED * a, unsigned char **out));
+    MOCK_METHOD(int, i2d_X509_CRL, (X509_CRL * a, unsigned char **out));
+    MOCK_METHOD(
+        OPENSSL_STACK *, OPENSSL_sk_deep_copy, (const OPENSSL_STACK *, OPENSSL_sk_copyfunc c, OPENSSL_sk_freefunc f));
+    MOCK_METHOD(int, OBJ_obj2nid, (const ASN1_OBJECT *o));
+    MOCK_METHOD(X509 *, X509_dup, (X509 * x509));
+    MOCK_METHOD(int, X509_check_host, (X509 * x, const char *chk, size_t chklen, unsigned int flags, char **peername));
+    MOCK_METHOD(OCSP_REQUEST *, OCSP_REQUEST_new, ());
+    MOCK_METHOD(X509_CRL *, X509_CRL_load_http, (const char *url, BIO *bio, BIO *rbio, int timeout));
+    MOCK_METHOD(struct stack_st_OPENSSL_STRING *, X509_get1_ocsp, (X509 * x));
+    MOCK_METHOD(int, OSSL_HTTP_parse_url,
+        (const char *url, int *pssl, char **puser, char **phost, char **pport, int *pport_num, char **ppath,
+            char **pquery, char **pfrag));
 
-    static X509OpensslMock &GetInstance(void);
+    static NiceMock<X509OpensslMock> &GetInstance(void);
     static void SetMockFlag(bool flag);
     static bool GetMockFlag(void);
 
-private:
     X509OpensslMock();
-    virtual ~X509OpensslMock();
+    ~X509OpensslMock();
 
+private:
     void SetMockFunDefaultBehaviorPartOne(void);
     void SetMockFunDefaultBehaviorPartTwo(void);
     void SetMockFunDefaultBehaviorPartThree(void);

test/unittest/v1.0/include/crypto_x509_cert_chain_data_pem_ex.h

@@ -22,6 +22,138 @@
 extern "C" {
 #endif
 
+static const char g_testCertChainPem163[] =
+    "-----BEGIN CERTIFICATE-----\r\n"
+    "MIIGVjCCBT6gAwIBAgIQBMO0W3CU9LWVw1bE/jqYojANBgkqhkiG9w0BAQsFADBE\r\n"
+    "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVH\r\n"
+    "ZW9UcnVzdCBSU0EgQ04gQ0EgRzIwHhcNMjMwMzIzMDAwMDAwWhcNMjQwNDIyMjM1\r\n"
+    "OTU5WjB1MQswCQYDVQQGEwJDTjERMA8GA1UECBMIemhlamlhbmcxETAPBgNVBAcT\r\n"
+    "CGhhbmd6aG91MSwwKgYDVQQKEyNOZXRFYXNlIChIYW5nemhvdSkgTmV0d29yayBD\r\n"
+    "by4sIEx0ZDESMBAGA1UEAwwJKi4xNjMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC\r\n"
+    "AQ8AMIIBCgKCAQEAwELks0Q1Z81u1OpbGdEFE2Snm/WpLfmiC5YFj5nFrinSX+UZ\r\n"
+    "MIk42euBdjYSsWFxbljmWDdUCjstMhG8vRAjz3Nt1QniMCunHHFGujR5rSNLWYHE\r\n"
+    "vCPhfptIhqOaE/rvkWGZZr2KjTQQN0dRf8dm9Oewy8DHu95c9jW6c9AVgKWUVOni\r\n"
+    "tTOcJCnrndWjgCIPfKmKgrwaNaMnuQyy5nPIUHl/5EGzuGHrwjwlF+w+cT+Fwdix\r\n"
+    "C3msEOCwX6wzo6baDs4og2EzuPNyTp4n4UqH5aHhLePgBFboOAyJwWp3+XJNpNGw\r\n"
+    "GkU56cUUy7+AAn268EVvUNr7uQ65t2t+Ys32bQIDAQABo4IDETCCAw0wHwYDVR0j\r\n"
+    "BBgwFoAUJG+RP4mHhw4ywkAY38VM60/ISTIwHQYDVR0OBBYEFD1HyRYJ5jqkvYL7\r\n"
+    "C6TSt8/y3e7hMB0GA1UdEQQWMBSCCSouMTYzLmNvbYIHMTYzLmNvbTAOBgNVHQ8B\r\n"
+    "Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD0GA1UdHwQ2\r\n"
+    "MDQwMqAwoC6GLGh0dHA6Ly9jcmwuZGlnaWNlcnQuY24vR2VvVHJ1c3RSU0FDTkNB\r\n"
+    "RzIuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6\r\n"
+    "Ly93d3cuZGlnaWNlcnQuY29tL0NQUzBxBggrBgEFBQcBAQRlMGMwIwYIKwYBBQUH\r\n"
+    "MAGGF2h0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNuMDwGCCsGAQUFBzAChjBodHRwOi8v\r\n"
+    "Y2FjZXJ0cy5kaWdpY2VydC5jbi9HZW9UcnVzdFJTQUNOQ0FHMi5jcnQwCQYDVR0T\r\n"
+    "BAIwADCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUA7s3QZNXbGs7FXLedtM0T\r\n"
+    "ojKHRny87N7DUUhZRnEftZsAAAGHDSE15QAABAMARjBEAiBRpmsJ3F9AI8wFxqOQ\r\n"
+    "bHp+RL6F8cvNydajQ0Bqxjvd3AIgefAU/po3jBm+96dFVdbX+AG1uss67DL3VL5I\r\n"
+    "nUmVva8AdgBz2Z6JG0yWeKAgfUed5rLGHNBRXnEZKoxrgBB6wXdytQAAAYcNITZS\r\n"
+    "AAAEAwBHMEUCID/sUP12odF7uTTEyE0PjCpKo3nF7A3ba3b5wJJsZrDrAiEAxrat\r\n"
+    "W2eeZTD458LPSPrMMBb1/o6zibWXqJCQye+bVFwAdwBIsONr2qZHNA/lagL6nTDr\r\n"
+    "HFIBy1bdLIHZu7+rOdiEcwAAAYcNITYeAAAEAwBIMEYCIQCCJ2ktM1F+d1I5mQju\r\n"
+    "Tn7oDYxy3GCGyG3u/yhu8k7EaAIhANSP8cAaMQFV6y8B2tubKY5eSQtgkF3a6NNq\r\n"
+    "QJjtPnoHMA0GCSqGSIb3DQEBCwUAA4IBAQC8dK/G4nvs/SyQe/mnK+rUYIdSFs+4\r\n"
+    "lgzatmq8V/I1tBly+Sv/FPhnn4F3iCrqy9j8y202FP51ev95DGbjlJRTIFPqVAO8\r\n"
+    "ywYrLhvl1SJhV0b/8NF0Pr3dZVnK5Vfn11+LSBUg0cBB2hcVV30nv3IuVhz3d12n\r\n"
+    "P+VseYQgMpQf7ad+ttpZtA7yqHzrUm4fzr03G7q88GztACRSHoYiPbOlz99SeTgW\r\n"
+    "7bzZl1I4taxy2Q3b0ZBGfUt/kPY05tpKzKwDTbbqSErYszCt5X1RfVvf3coxF8Mo\r\n"
+    "9bHbs2wYIzQBdujDQ/hU0u6ItERer3SUItZoxaSIxdrZ9eXFwVvXsT/g\r\n"
+    "-----END CERTIFICATE-----\r\n"
+    "-----BEGIN CERTIFICATE-----\r\n"
+    "MIIFDzCCA/egAwIBAgIQCxNitu5qnT6WiTDxbiB9OTANBgkqhkiG9w0BAQsFADBh\r\n"
+    "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\n"
+    "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\r\n"
+    "QTAeFw0yMDAzMDQxMjA0NDBaFw0zMDAzMDQxMjA0NDBaMEQxCzAJBgNVBAYTAlVT\r\n"
+    "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxHjAcBgNVBAMTFUdlb1RydXN0IFJTQSBD\r\n"
+    "TiBDQSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANA1OZJJtZUI\r\n"
+    "7zj4qFHT79g+Otks4TEfmUEDhrNKBEEjb/i29GBfnpvFdT36azCg2VODJRSjIzFn\r\n"
+    "4qADcc84EmfKiDEM97HFsQPp9RRkqxH5cB51EU2eBE9Ua95x+wQp/KSdCqITCQ/v\r\n"
+    "yvm3J4Upjl0wlW8wRCPCWcYw3pKClGRkNzVtI1KXnfpn7fG3N84n7wlBb9IGKJFa\r\n"
+    "c/6+hxvZx2qnfLsxdIKR0Q/biGoU6Z8Iy/R/p7GoPO8vamV090+QHEL5AdSzKtEh\r\n"
+    "U9vdvcuWjjLxVnaJLfj/6WoGZj8UWn3zFbEoTVaAfp2xqdzW7yRvi2r148m9ev7l\r\n"
+    "jDqHo8UX69sCAwEAAaOCAd4wggHaMB0GA1UdDgQWBBQkb5E/iYeHDjLCQBjfxUzr\r\n"
+    "T8hJMjAfBgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8E\r\n"
+    "BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQI\r\n"
+    "MAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz\r\n"
+    "cC5kaWdpY2VydC5jbjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLmRpZ2lj\r\n"
+    "ZXJ0LmNuL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDCB3QYDVR0gBIHVMIHSMIHF\r\n"
+    "BglghkgBhv1sAQEwgbcwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0\r\n"
+    "LmNvbS9DUFMwgYoGCCsGAQUFBwICMH4MfEFueSB1c2Ugb2YgdGhpcyBDZXJ0aWZp\r\n"
+    "Y2F0ZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBSZWx5aW5nIFBhcnR5\r\n"
+    "IEFncmVlbWVudCBsb2NhdGVkIGF0IGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9y\r\n"
+    "cGEtdWEwCAYGZ4EMAQICMA0GCSqGSIb3DQEBCwUAA4IBAQCzkcXq0TN0oSn4UeXp\r\n"
+    "FBW7U8zrHBIhH9MXHNBp+Yy/yN19133UY05uuHXHaU2Uv0hxefckjPdkaX7ARso+\r\n"
+    "O3Ar6nf7YfBwCqSpqsNckKT7KKtf3Ot95wYFpKDa64jcRUfxzRWnmq12IVzczqHI\r\n"
+    "sIvUZQINw/UHSQcWekdUnMg58bQSHyTjwkj9jcX2RURxaVZkr15wxo/Z3Ydo2PVK\r\n"
+    "3afEr0/vcuFvE7QeGXiI2DJdVt3JefatZ3rj4VTW2aUZwHGUiWWIUudBfQKR0JEp\r\n"
+    "lJ8MFaKDh4/A2VEJnXILu1iwvc1m3jCaPuzZKdoHM/1234bznJI2aAfhfIhoHw90\r\n"
+    "tPO+\r\n"
+    "-----END CERTIFICATE-----\r\n";
+
+static const char g_testOcspResponderCert[] =
+    "-----BEGIN CERTIFICATE-----\r\n"
+    "MIIFDzCCA/egAwIBAgIQCxNitu5qnT6WiTDxbiB9OTANBgkqhkiG9w0BAQsFADBh\r\n"
+    "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\n"
+    "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\r\n"
+    "QTAeFw0yMDAzMDQxMjA0NDBaFw0zMDAzMDQxMjA0NDBaMEQxCzAJBgNVBAYTAlVT\r\n"
+    "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxHjAcBgNVBAMTFUdlb1RydXN0IFJTQSBD\r\n"
+    "TiBDQSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANA1OZJJtZUI\r\n"
+    "7zj4qFHT79g+Otks4TEfmUEDhrNKBEEjb/i29GBfnpvFdT36azCg2VODJRSjIzFn\r\n"
+    "4qADcc84EmfKiDEM97HFsQPp9RRkqxH5cB51EU2eBE9Ua95x+wQp/KSdCqITCQ/v\r\n"
+    "yvm3J4Upjl0wlW8wRCPCWcYw3pKClGRkNzVtI1KXnfpn7fG3N84n7wlBb9IGKJFa\r\n"
+    "c/6+hxvZx2qnfLsxdIKR0Q/biGoU6Z8Iy/R/p7GoPO8vamV090+QHEL5AdSzKtEh\r\n"
+    "U9vdvcuWjjLxVnaJLfj/6WoGZj8UWn3zFbEoTVaAfp2xqdzW7yRvi2r148m9ev7l\r\n"
+    "jDqHo8UX69sCAwEAAaOCAd4wggHaMB0GA1UdDgQWBBQkb5E/iYeHDjLCQBjfxUzr\r\n"
+    "T8hJMjAfBgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8E\r\n"
+    "BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQI\r\n"
+    "MAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz\r\n"
+    "cC5kaWdpY2VydC5jbjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLmRpZ2lj\r\n"
+    "ZXJ0LmNuL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDCB3QYDVR0gBIHVMIHSMIHF\r\n"
+    "BglghkgBhv1sAQEwgbcwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0\r\n"
+    "LmNvbS9DUFMwgYoGCCsGAQUFBwICMH4MfEFueSB1c2Ugb2YgdGhpcyBDZXJ0aWZp\r\n"
+    "Y2F0ZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBSZWx5aW5nIFBhcnR5\r\n"
+    "IEFncmVlbWVudCBsb2NhdGVkIGF0IGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9y\r\n"
+    "cGEtdWEwCAYGZ4EMAQICMA0GCSqGSIb3DQEBCwUAA4IBAQCzkcXq0TN0oSn4UeXp\r\n"
+    "FBW7U8zrHBIhH9MXHNBp+Yy/yN19133UY05uuHXHaU2Uv0hxefckjPdkaX7ARso+\r\n"
+    "O3Ar6nf7YfBwCqSpqsNckKT7KKtf3Ot95wYFpKDa64jcRUfxzRWnmq12IVzczqHI\r\n"
+    "sIvUZQINw/UHSQcWekdUnMg58bQSHyTjwkj9jcX2RURxaVZkr15wxo/Z3Ydo2PVK\r\n"
+    "3afEr0/vcuFvE7QeGXiI2DJdVt3JefatZ3rj4VTW2aUZwHGUiWWIUudBfQKR0JEp\r\n"
+    "lJ8MFaKDh4/A2VEJnXILu1iwvc1m3jCaPuzZKdoHM/1234bznJI2aAfhfIhoHw90\r\n"
+    "tPO+\r\n"
+    "-----END CERTIFICATE-----\r\n";
+
+static const char g_testCertChainPemRoot163[] =
+    "-----BEGIN CERTIFICATE-----\r\n"
+    "MIIFDzCCA/egAwIBAgIQCxNitu5qnT6WiTDxbiB9OTANBgkqhkiG9w0BAQsFADBh\r\n"
+    "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\n"
+    "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\r\n"
+    "QTAeFw0yMDAzMDQxMjA0NDBaFw0zMDAzMDQxMjA0NDBaMEQxCzAJBgNVBAYTAlVT\r\n"
+    "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxHjAcBgNVBAMTFUdlb1RydXN0IFJTQSBD\r\n"
+    "TiBDQSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANA1OZJJtZUI\r\n"
+    "7zj4qFHT79g+Otks4TEfmUEDhrNKBEEjb/i29GBfnpvFdT36azCg2VODJRSjIzFn\r\n"
+    "4qADcc84EmfKiDEM97HFsQPp9RRkqxH5cB51EU2eBE9Ua95x+wQp/KSdCqITCQ/v\r\n"
+    "yvm3J4Upjl0wlW8wRCPCWcYw3pKClGRkNzVtI1KXnfpn7fG3N84n7wlBb9IGKJFa\r\n"
+    "c/6+hxvZx2qnfLsxdIKR0Q/biGoU6Z8Iy/R/p7GoPO8vamV090+QHEL5AdSzKtEh\r\n"
+    "U9vdvcuWjjLxVnaJLfj/6WoGZj8UWn3zFbEoTVaAfp2xqdzW7yRvi2r148m9ev7l\r\n"
+    "jDqHo8UX69sCAwEAAaOCAd4wggHaMB0GA1UdDgQWBBQkb5E/iYeHDjLCQBjfxUzr\r\n"
+    "T8hJMjAfBgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8E\r\n"
+    "BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQI\r\n"
+    "MAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz\r\n"
+    "cC5kaWdpY2VydC5jbjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLmRpZ2lj\r\n"
+    "ZXJ0LmNuL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDCB3QYDVR0gBIHVMIHSMIHF\r\n"
+    "BglghkgBhv1sAQEwgbcwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0\r\n"
+    "LmNvbS9DUFMwgYoGCCsGAQUFBwICMH4MfEFueSB1c2Ugb2YgdGhpcyBDZXJ0aWZp\r\n"
+    "Y2F0ZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBSZWx5aW5nIFBhcnR5\r\n"
+    "IEFncmVlbWVudCBsb2NhdGVkIGF0IGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9y\r\n"
+    "cGEtdWEwCAYGZ4EMAQICMA0GCSqGSIb3DQEBCwUAA4IBAQCzkcXq0TN0oSn4UeXp\r\n"
+    "FBW7U8zrHBIhH9MXHNBp+Yy/yN19133UY05uuHXHaU2Uv0hxefckjPdkaX7ARso+\r\n"
+    "O3Ar6nf7YfBwCqSpqsNckKT7KKtf3Ot95wYFpKDa64jcRUfxzRWnmq12IVzczqHI\r\n"
+    "sIvUZQINw/UHSQcWekdUnMg58bQSHyTjwkj9jcX2RURxaVZkr15wxo/Z3Ydo2PVK\r\n"
+    "3afEr0/vcuFvE7QeGXiI2DJdVt3JefatZ3rj4VTW2aUZwHGUiWWIUudBfQKR0JEp\r\n"
+    "lJ8MFaKDh4/A2VEJnXILu1iwvc1m3jCaPuzZKdoHM/1234bznJI2aAfhfIhoHw90\r\n"
+    "tPO+\r\n"
+    "-----END CERTIFICATE-----\r\n";
+
 const uint8_t g_testChainKeystore[] = { 0x30, 0x82, 0x0D, 0xF1, 0x02, 0x01, 0x03, 0x30, 0x82, 0x0D, 0xB7, 0x06, 0x09,
     0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01, 0xA0, 0x82, 0x0D, 0xA8, 0x04, 0x82, 0x0D, 0xA4, 0x30, 0x82,
     0x0D, 0xA0, 0x30, 0x82, 0x08, 0x57, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06, 0xA0, 0x82,
@@ -217,6 +349,39 @@ static const char g_testKeystorePwd[] = "123456";
 const uint8_t g_testIssuerValid[] = { 0x30, 0x17, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0C,
     0x54, 0x65, 0x73, 0x74, 0x20, 0x4E, 0x43, 0x20, 0x43, 0x41, 0x20, 0x31 };
 
+static const uint8_t g_testOcspResponses[] = { 0x30, 0x82, 0x01, 0xd3, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x01, 0xcc, 0x30,
+    0x82, 0x01, 0xc8, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, 0x01, 0xb9, 0x30,
+    0x82, 0x01, 0xb5, 0x30, 0x81, 0x9e, 0xa2, 0x16, 0x04, 0x14, 0x24, 0x6f, 0x91, 0x3f, 0x89, 0x87, 0x87, 0x0e, 0x32,
+    0xc2, 0x40, 0x18, 0xdf, 0xc5, 0x4c, 0xeb, 0x4f, 0xc8, 0x49, 0x32, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x34, 0x30, 0x32,
+    0x32, 0x31, 0x31, 0x33, 0x30, 0x30, 0x33, 0x31, 0x5a, 0x30, 0x73, 0x30, 0x71, 0x30, 0x49, 0x30, 0x09, 0x06, 0x05,
+    0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0xd1, 0x5d, 0xff, 0xaa, 0x00, 0x86, 0xa3, 0x32, 0x76, 0x5e,
+    0x89, 0x07, 0x31, 0xdb, 0xba, 0x75, 0x0b, 0x31, 0x13, 0xdb, 0x04, 0x14, 0x24, 0x6f, 0x91, 0x3f, 0x89, 0x87, 0x87,
+    0x0e, 0x32, 0xc2, 0x40, 0x18, 0xdf, 0xc5, 0x4c, 0xeb, 0x4f, 0xc8, 0x49, 0x32, 0x02, 0x10, 0x04, 0xc3, 0xb4, 0x5b,
+    0x70, 0x94, 0xf4, 0xb5, 0x95, 0xc3, 0x56, 0xc4, 0xfe, 0x3a, 0x98, 0xa2, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32,
+    0x34, 0x30, 0x32, 0x32, 0x31, 0x31, 0x32, 0x34, 0x35, 0x30, 0x31, 0x5a, 0xa0, 0x11, 0x18, 0x0f, 0x32, 0x30, 0x32,
+    0x34, 0x30, 0x32, 0x32, 0x38, 0x31, 0x31, 0x34, 0x35, 0x30, 0x31, 0x5a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+    0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xb0, 0xdf, 0x0f, 0x94, 0x4f, 0x25,
+    0x05, 0xec, 0x59, 0x65, 0x15, 0xb7, 0x04, 0x91, 0x10, 0x45, 0xf5, 0xbd, 0x26, 0x16, 0xd1, 0x7d, 0x4e, 0x69, 0x2f,
+    0xb3, 0xb2, 0xb5, 0x1c, 0xaa, 0x1d, 0xe5, 0xe9, 0x2a, 0x52, 0xdb, 0xde, 0x69, 0xed, 0xa0, 0x2e, 0x84, 0x18, 0x88,
+    0xfd, 0x26, 0x9f, 0xe7, 0x1c, 0x09, 0xba, 0xe8, 0x18, 0x7c, 0x17, 0x5e, 0xfd, 0x1f, 0x52, 0x75, 0x7e, 0xec, 0x3c,
+    0xf2, 0x1d, 0x55, 0xa4, 0xf7, 0x2c, 0xdf, 0x40, 0x06, 0x8c, 0x19, 0xc2, 0xbc, 0x72, 0xbb, 0xc2, 0xa1, 0xbb, 0xd7,
+    0xd3, 0x79, 0xb3, 0x70, 0xcb, 0x4c, 0x07, 0x18, 0xbc, 0xd1, 0x4e, 0xe2, 0x3e, 0x18, 0xca, 0x08, 0x3d, 0x7f, 0xbc,
+    0xf2, 0x0c, 0x1a, 0x2c, 0x10, 0x83, 0x59, 0xa0, 0xfb, 0x1f, 0xc2, 0x0e, 0x26, 0x17, 0x27, 0xa3, 0xba, 0x49, 0x9b,
+    0x13, 0xdd, 0x55, 0xeb, 0xc8, 0xa2, 0x49, 0x76, 0xcd, 0x46, 0x5a, 0x78, 0x19, 0x26, 0xde, 0xff, 0x66, 0xac, 0x13,
+    0x42, 0x89, 0x86, 0x7e, 0x5c, 0xa4, 0x67, 0xd7, 0x0d, 0xbb, 0x5f, 0xf4, 0x38, 0x91, 0x87, 0x99, 0xeb, 0xd3, 0x99,
+    0x97, 0xd8, 0x0c, 0xae, 0xfa, 0x23, 0x2c, 0x4a, 0xbd, 0xd1, 0xe6, 0xa5, 0x31, 0xee, 0x8a, 0x88, 0xc2, 0x5d, 0x61,
+    0x2c, 0x43, 0x04, 0x33, 0x57, 0x16, 0x98, 0xc2, 0x9a, 0x01, 0xd1, 0xad, 0x8b, 0xa5, 0x56, 0x0b, 0xd9, 0x4c, 0x81,
+    0x88, 0x90, 0x92, 0x07, 0x38, 0xf3, 0xab, 0x38, 0xf8, 0xbc, 0x97, 0x59, 0xae, 0x71, 0xea, 0x25, 0x05, 0x75, 0x3f,
+    0x35, 0x0b, 0x00, 0xcc, 0x1b, 0xe3, 0x32, 0x46, 0x01, 0x72, 0x4c, 0x46, 0x1a, 0x72, 0xd4, 0x7f, 0x4a, 0x94, 0x4f,
+    0x82, 0xf8, 0x69, 0x86, 0x40, 0x32, 0x69, 0x79, 0xbd, 0x09, 0x16, 0x2b, 0xbb, 0x9a, 0x0a, 0x11, 0xa9, 0x65, 0xf0,
+    0xac, 0xbe, 0xd8 };
+
+static const char g_crlDownloadURI[] = "http://crl.digicert.cn/GeoTrustRSACNCAG2.crl";
+
+static const char g_crlDownloadURIHttps[] = "https://ocsp.digicert.cn";
+
+static const char g_crlDownloadURIHttpsInvalid[] = "https://www.123.com";
+
 #ifdef __cplusplus
 }
 #endif

test/unittest/v1.0/include/crypto_x509_test_common.h

@@ -31,6 +31,7 @@
 #include "key_pair.h"
 #include "memory_mock.h"
 #include "securec.h"
+#include "x509_cert_chain.h"
 #include "x509_crl.h"
 
 #ifdef __cplusplus
@@ -503,12 +504,23 @@ extern const CfEncodingBlob g_inStreamChainDataPemMidCRL;
 extern const CfEncodingBlob g_inStreamChainPemNoRootHasPubKey;
 extern const CfEncodingBlob g_inStreamChainPemNoRootLast;
 extern const CfEncodingBlob g_inStreamChainDataPemDisorder;
+extern const CfEncodingBlob g_inStreamChainDataPem163;
+extern const CfEncodingBlob g_inStreamChainDataPemRoot163;
+extern const CfEncodingBlob g_inStreamOcspResponderCert;
+
 const char *GetInvalidCertClass(void);
 const char *GetInvalidCrlClass(void);
 SubAltNameArray *ConstructSubAltNameArrayData();
 CfArray *ConstructCertPolicyData();
 const char *GetValidCrlClass(void);
 const char *GetValidX509CertificateClass(void);
+void FreeTrustAnchor(HcfX509TrustAnchor *&trustAnchor);
+void BuildAnchorArr(const CfEncodingBlob &certInStream, HcfX509TrustAnchorArray &trustAnchorArray);
+void FreeTrustAnchorArr(HcfX509TrustAnchorArray &trustAnchorArray);
+void BuildCollectionArr(const CfEncodingBlob *certInStream, const CfEncodingBlob *crlInStream,
+    HcfCertCRLCollectionArray &certCRLCollections);
+void FreeCertCrlCollectionArr(HcfCertCRLCollectionArray &certCRLCollections);
+void FreeValidateResult(HcfX509CertChainValidateResult &result);
 
 #ifdef __cplusplus
 }

test/unittest/v1.0/src/cf_mock.cpp

@@ -70,6 +70,12 @@ OPENSSL_STACK *__real_OPENSSL_sk_deep_copy(const OPENSSL_STACK *, OPENSSL_sk_cop
 int __real_OBJ_obj2nid(const ASN1_OBJECT *o);
 X509 *__real_X509_dup(X509 *x509);
 int __real_i2d_X509_EXTENSIONS(X509_EXTENSIONS *a, unsigned char **out);
+int __real_X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername);
+OCSP_REQUEST *__real_OCSP_REQUEST_new(void);
+X509_CRL *__real_X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout);
+struct stack_st_OPENSSL_STRING *__real_X509_get1_ocsp(X509 *x);
+int __real_OSSL_HTTP_parse_url(const char *url, int *pssl, char **puser, char **phost, char **pport, int *pport_num,
+    char **ppath, char **pquery, char **pfrag);
 
 #ifdef __cplusplus
 }
@@ -77,9 +83,9 @@ int __real_i2d_X509_EXTENSIONS(X509_EXTENSIONS *a, unsigned char **out);
 
 static bool g_mockTagX509Openssl = false;
 
-X509OpensslMock &X509OpensslMock::GetInstance(void)
+NiceMock<X509OpensslMock> &X509OpensslMock::GetInstance(void)
 {
-    static X509OpensslMock gX509OpensslMock;
+    static NiceMock<X509OpensslMock> gX509OpensslMock;
     return gX509OpensslMock;
 }
 
@@ -233,6 +239,25 @@ void X509OpensslMock::SetMockFunDefaultBehaviorPartThree(void)
     ON_CALL(*this, i2d_ASN1_INTEGER).WillByDefault([this](ASN1_INTEGER *a, unsigned char **out) {
         return __real_i2d_ASN1_INTEGER(a, out);
     });
+
+    ON_CALL(*this, X509_check_host)
+        .WillByDefault([this](X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername) {
+            return __real_X509_check_host(x, chk, chklen, flags, peername);
+        });
+
+    ON_CALL(*this, OCSP_REQUEST_new).WillByDefault([this](void) { return __real_OCSP_REQUEST_new(); });
+
+    ON_CALL(*this, X509_CRL_load_http).WillByDefault([this](const char *url, BIO *bio, BIO *rbio, int timeout) {
+        return __real_X509_CRL_load_http(url, bio, rbio, timeout);
+    });
+
+    ON_CALL(*this, X509_get1_ocsp).WillByDefault([this](X509 *x) { return __real_X509_get1_ocsp(x); });
+
+    ON_CALL(*this, OSSL_HTTP_parse_url)
+        .WillByDefault([this](const char *url, int *pssl, char **puser, char **phost, char **pport, int *pport_num,
+                           char **ppath, char **pquery, char **pfrag) {
+            return __real_OSSL_HTTP_parse_url(url, pssl, puser, phost, pport, pport_num, ppath, pquery, pfrag);
+        });
 }
 
 X509OpensslMock::X509OpensslMock()
@@ -672,6 +697,53 @@ X509 *__wrap_X509_dup(X509 *x509)
     }
 }
 
+int __wrap_X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername)
+{
+    if (g_mockTagX509Openssl) {
+        return X509OpensslMock::GetInstance().X509_check_host(x, chk, chklen, flags, peername);
+    } else {
+        return __real_X509_check_host(x, chk, chklen, flags, peername);
+    }
+}
+
+OCSP_REQUEST *__wrap_OCSP_REQUEST_new(void)
+{
+    if (g_mockTagX509Openssl) {
+        return X509OpensslMock::GetInstance().OCSP_REQUEST_new();
+    } else {
+        return __real_OCSP_REQUEST_new();
+    }
+}
+
+X509_CRL *__wrap_X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
+{
+    if (g_mockTagX509Openssl) {
+        return X509OpensslMock::GetInstance().X509_CRL_load_http(url, bio, rbio, timeout);
+    } else {
+        return __real_X509_CRL_load_http(url, bio, rbio, timeout);
+    }
+}
+
+struct stack_st_OPENSSL_STRING *__wrap_X509_get1_ocsp(X509 *x)
+{
+    if (g_mockTagX509Openssl) {
+        return X509OpensslMock::GetInstance().X509_get1_ocsp(x);
+    } else {
+        return __real_X509_get1_ocsp(x);
+    }
+}
+
+int __wrap_OSSL_HTTP_parse_url(const char *url, int *pssl, char **puser, char **phost, char **pport, int *pport_num,
+    char **ppath, char **pquery, char **pfrag)
+{
+    if (g_mockTagX509Openssl) {
+        return X509OpensslMock::GetInstance().OSSL_HTTP_parse_url(
+            url, pssl, puser, phost, pport, pport_num, ppath, pquery, pfrag);
+    } else {
+        return __real_OSSL_HTTP_parse_url(url, pssl, puser, phost, pport, pport_num, ppath, pquery, pfrag);
+    }
+}
+
 #ifdef __cplusplus
 }
 #endif

test/unittest/v1.0/src/crypto_x509_cert_chain_test.cpp

@@ -53,6 +53,9 @@ void *__real_OPENSSL_sk_value(const OPENSSL_STACK *st, int i);
 CfResult __real_DeepCopyBlobToBlob(const CfBlob *inBlob, CfBlob **outBlob);
 CfResult __real_HcfX509CertificateCreate(const CfEncodingBlob *inStream, HcfX509Certificate **returnObj);
 int __real_OPENSSL_sk_push(OPENSSL_STACK *st, const int data);
+OPENSSL_STACK *__real_OPENSSL_sk_new_null(void);
+int __real_OPENSSL_sk_push(OPENSSL_STACK *st, const int data);
+X509 *__real_X509_dup(X509 *x509);
 
 #ifdef __cplusplus
 }
@@ -100,93 +103,6 @@ static const char *GetInvalidCertChainClass(void)
     return "HcfInvalidCertChain";
 }
 
-static void FreeTrustAnchor(HcfX509TrustAnchor *&trustAnchor)
-{
-    if (trustAnchor == nullptr) {
-        return;
-    }
-    CfBlobFree(&trustAnchor->CAPubKey);
-    CfBlobFree(&trustAnchor->CASubject);
-    CfObjDestroy(trustAnchor->CACert);
-    trustAnchor->CACert = nullptr;
-    CfFree(trustAnchor);
-    trustAnchor = nullptr;
-}
-
-static void BuildAnchorArr(const CfEncodingBlob &certInStream, HcfX509TrustAnchorArray &trustAnchorArray)
-{
-    HcfX509TrustAnchor *anchor = static_cast<HcfX509TrustAnchor *>(HcfMalloc(sizeof(HcfX509TrustAnchor), 0));
-    ASSERT_NE(anchor, nullptr);
-
-    (void)HcfX509CertificateCreate(&certInStream, &anchor->CACert);
-    trustAnchorArray.data = static_cast<HcfX509TrustAnchor **>(HcfMalloc(1 * sizeof(HcfX509TrustAnchor *), 0));
-    ASSERT_NE(trustAnchorArray.data, nullptr);
-    trustAnchorArray.data[0] = anchor;
-    trustAnchorArray.count = 1;
-}
-
-static void FreeTrustAnchorArr(HcfX509TrustAnchorArray &trustAnchorArray)
-{
-    for (uint32_t i = 0; i < trustAnchorArray.count; ++i) {
-        HcfX509TrustAnchor *anchor = trustAnchorArray.data[i];
-        FreeTrustAnchor(anchor);
-    }
-    CfFree(trustAnchorArray.data);
-    trustAnchorArray.data = nullptr;
-    trustAnchorArray.count = 0;
-}
-
-static void BuildCollectionArr(const CfEncodingBlob *certInStream, const CfEncodingBlob *crlInStream,
-    HcfCertCRLCollectionArray &certCRLCollections)
-{
-    CfResult ret = CF_SUCCESS;
-    HcfX509CertificateArray *certArray = nullptr;
-    if (certInStream != nullptr) {
-        certArray = static_cast<HcfX509CertificateArray *>(HcfMalloc(sizeof(HcfX509CertificateArray), 0));
-        ASSERT_NE(certArray, nullptr);
-
-        HcfX509Certificate *x509CertObj = nullptr;
-        (void)HcfX509CertificateCreate(certInStream, &x509CertObj);
-        ASSERT_NE(x509CertObj, nullptr);
-
-        certArray->data = static_cast<HcfX509Certificate **>(HcfMalloc(1 * sizeof(HcfX509Certificate *), 0));
-        ASSERT_NE(certArray->data, nullptr);
-        certArray->data[0] = x509CertObj;
-        certArray->count = 1;
-    }
-
-    HcfX509CrlArray *crlArray = nullptr;
-    if (crlInStream != nullptr) {
-        crlArray = static_cast<HcfX509CrlArray *>(HcfMalloc(sizeof(HcfX509CrlArray), 0));
-        ASSERT_NE(crlArray, nullptr);
-
-        HcfX509Crl *x509Crl = nullptr;
-        ret = HcfX509CrlCreate(crlInStream, &x509Crl);
-        ASSERT_EQ(ret, CF_SUCCESS);
-        ASSERT_NE(x509Crl, nullptr);
-
-        crlArray->data = static_cast<HcfX509Crl **>(HcfMalloc(1 * sizeof(HcfX509Crl *), 0));
-        ASSERT_NE(crlArray->data, nullptr);
-        crlArray->data[0] = x509Crl;
-        crlArray->count = 1;
-    }
-
-    HcfCertCrlCollection *x509CertCrlCollection = nullptr;
-    ret = HcfCertCrlCollectionCreate(certArray, crlArray, &x509CertCrlCollection);
-    ASSERT_EQ(ret, CF_SUCCESS);
-    ASSERT_NE(x509CertCrlCollection, nullptr);
-
-    certCRLCollections.data = static_cast<HcfCertCrlCollection **>(HcfMalloc(1 * sizeof(HcfCertCrlCollection *), 0));
-    ASSERT_NE(certCRLCollections.data, nullptr);
-    certCRLCollections.data[0] = x509CertCrlCollection;
-    certCRLCollections.count = 1;
-
-    FreeCertArrayData(certArray);
-    CfFree(certArray);
-    FreeCrlArrayData(crlArray);
-    CfFree(crlArray);
-}
-
 void CryptoX509CertChainTest::SetUpTestCase()
 {
     CfResult ret = HcfCertChainCreate(&g_inStreamChainDataP7b, nullptr, &g_certChainP7b);
@@ -234,29 +150,6 @@ void CryptoX509CertChainTest::SetUp() {}
 
 void CryptoX509CertChainTest::TearDown() {}
 
-static void FreeCertCrlCollectionArr(HcfCertCRLCollectionArray &certCRLCollections)
-{
-    for (uint32_t i = 0; i < certCRLCollections.count; ++i) {
-        HcfCertCrlCollection *collection = certCRLCollections.data[i];
-        CfObjDestroy(collection);
-    }
-    CfFree(certCRLCollections.data);
-    certCRLCollections.data = nullptr;
-    certCRLCollections.count = 0;
-}
-
-static void FreeValidateResult(HcfX509CertChainValidateResult &result)
-{
-    if (result.entityCert != nullptr) {
-        CfObjDestroy(result.entityCert);
-        result.entityCert = nullptr;
-    }
-
-    if (result.trustAnchor != nullptr) {
-        FreeTrustAnchor(result.trustAnchor);
-    }
-}
-
 /* invalid encodingBlob. */
 HWTEST_F(CryptoX509CertChainTest, CertChainByEncSpiCreateTest001, TestSize.Level0)
 {
@@ -694,6 +587,7 @@ HWTEST_F(CryptoX509CertChainTest, GetCertListCoreTest004, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest001, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest001");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainDataP7b, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -707,6 +601,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest001, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest002, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest002");
     ASSERT_NE(g_certChainP7bSpi, nullptr);
     CfResult ret = g_certChainP7bSpi->engineValidate(g_certChainP7bSpi, nullptr, nullptr);
     ASSERT_EQ(ret, CF_INVALID_PARAMS);
@@ -714,6 +609,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest002, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest003, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest003");
     ASSERT_NE(g_certChainP7bSpi, nullptr);
     HcfX509TrustAnchor anchor = { 0 };
     CfEncodingBlob inStream = { 0 };
@@ -742,6 +638,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest003, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest004, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest004");
     ASSERT_NE(g_certChainP7bSpi, nullptr);
 
     HcfX509CertChainSpi *certChainSpi = nullptr;
@@ -767,6 +664,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest004, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest005, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest005");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -787,6 +685,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest005, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest006, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest006");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -804,6 +703,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest006, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest007, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest007");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchor anchor = { 0 };
@@ -826,6 +726,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest007, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest008, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest008");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     CfBlob pubkey = { 0, nullptr };
@@ -857,6 +758,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest008, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest009, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest009");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     CfBlob pubkey = { 0, nullptr };
@@ -877,13 +779,14 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest009, TestSize.Level0)
 
     HcfX509CertChainValidateResult result = { 0 };
     CfResult ret = g_certChainPemSpi->engineValidate(g_certChainPemSpi, &pCertChainValidateParams, &result);
-    ASSERT_EQ(ret, CF_ERR_CRYPTO_OPERATION);
+    ASSERT_EQ(ret, CF_INVALID_PARAMS);
 
     CfFree(trustAnchorArray.data);
 }
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest010, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest010");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     CfBlob pubkey = { 0, nullptr };
@@ -919,6 +822,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest010, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest011, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest011");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     CfBlob pubkey = { 0, nullptr };
@@ -952,6 +856,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest011, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest012, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest012");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     CfBlob pubkey = { 0, nullptr };
@@ -973,13 +878,14 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest012, TestSize.Level0)
 
     HcfX509CertChainValidateResult result = { 0 };
     CfResult ret = g_certChainPemSpi->engineValidate(g_certChainPemSpi, &pCertChainValidateParams, &result);
-    ASSERT_EQ(ret, CF_ERR_CRYPTO_OPERATION);
+    ASSERT_EQ(ret, CF_INVALID_PARAMS);
 
     CfFree(trustAnchorArray.data);
 }
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest013, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest013");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     CfBlob pubkey = { 0, nullptr };
@@ -1002,13 +908,14 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest013, TestSize.Level0)
 
     HcfX509CertChainValidateResult result = { 0 };
     CfResult ret = g_certChainPemSpi->engineValidate(g_certChainPemSpi, &pCertChainValidateParams, &result);
-    ASSERT_EQ(ret, CF_ERR_CRYPTO_OPERATION);
+    ASSERT_EQ(ret, CF_INVALID_PARAMS);
 
     CfFree(trustAnchorArray.data);
 }
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest014, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest014");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainDataPemNoRoot, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1033,6 +940,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest014, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest015, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest015");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainPemNoRootHasPubKey, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1067,6 +975,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest015, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest016, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest016");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1085,6 +994,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest016, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest017, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest017");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainDataPemRoot, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1121,6 +1031,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest017, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest018, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest018");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1148,6 +1059,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest018, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest019, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest019");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1175,6 +1087,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest019, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest020, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest020");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1202,6 +1115,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest020, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest021, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest021");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1226,6 +1140,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest021, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest022, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest022");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1250,6 +1165,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest022, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest023, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest023");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1275,6 +1191,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest023, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest024, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest024");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1299,6 +1216,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest024, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest025, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest025");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1324,6 +1242,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest025, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest026, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest026");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1346,6 +1265,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest026, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest027, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest027");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1378,6 +1298,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest027, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest028, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest028");
     for (unsigned int i = 0; i < 1000; i++) {
         HcfX509TrustAnchorArray trustAnchorArray = { 0 };
         BuildAnchorArr(g_inStreamChainDataPemRoot, trustAnchorArray);
@@ -1398,6 +1319,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest028, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest029, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest029");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainPemNoRootHasPubKey, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1422,6 +1344,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest029, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest030, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest030");
     ASSERT_NE(g_certChainPemSpi, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1447,6 +1370,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest030, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest031, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest031");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainDataPemDisorder, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1468,6 +1392,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest031, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest032, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest032");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainPemNoRootHasPubKey, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1502,6 +1427,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest032, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest033, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest033");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainPemNoRootHasPubKey, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1538,6 +1464,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest033, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest034, TestSize.Level0)
 {
+    CF_LOG_I("ValidateOpensslTest034");
     HcfX509CertChainSpi *certChainSpi = nullptr;
     CfResult ret = HcfX509CertChainByEncSpiCreate(&g_inStreamChainPemNoRootHasPubKey, &certChainSpi);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1574,6 +1501,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateOpensslTest034, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateCoreTest001, TestSize.Level0)
 {
+    CF_LOG_I("ValidateCoreTest001");
     HcfCertChain *pCertChain = nullptr;
     CfResult ret = HcfCertChainCreate(&g_inStreamChainDataP7b, nullptr, &pCertChain);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1587,6 +1515,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateCoreTest001, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateCoreTest002, TestSize.Level0)
 {
+    CF_LOG_I("ValidateCoreTest002");
     HcfCertChain *pCertChain = nullptr;
     CfResult ret = HcfCertChainCreate(&g_inStreamChainDataP7b, nullptr, &pCertChain);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1600,6 +1529,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateCoreTest002, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateCoreTest003, TestSize.Level0)
 {
+    CF_LOG_I("ValidateCoreTest003");
     ASSERT_NE(g_certChainP7b, nullptr);
 
     HcfX509TrustAnchorArray trustAnchorArray = { 0 };
@@ -1616,6 +1546,7 @@ HWTEST_F(CryptoX509CertChainTest, ValidateCoreTest003, TestSize.Level0)
 
 HWTEST_F(CryptoX509CertChainTest, ValidateCoreTest004, TestSize.Level0)
 {
+    CF_LOG_I("ValidateCoreTest004");
     HcfCertChain *pCertChain = nullptr;
     CfResult ret = HcfCertChainCreate(&g_inStreamChainDataPem, nullptr, &pCertChain);
     ASSERT_EQ(ret, CF_SUCCESS);
@@ -1780,19 +1711,25 @@ HWTEST_F(CryptoX509CertChainTest, HcfX509CertChainByParamsSpiCreateTest002, Test
 
     // test HcfX509CertChainByParamsSpiCreate failed case
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_new_null()).Times(AnyNumber()).WillOnce(Return(NULL));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_new_null())
+        .WillOnce(Return(NULL))
+        .WillRepeatedly(Invoke(__real_OPENSSL_sk_new_null));
     CfResult result = HcfX509CertChainByParamsSpiCreate(&inParams, &spi);
     EXPECT_EQ(result, CF_ERR_MALLOC);
     X509OpensslMock::SetMockFlag(false);
 
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_dup(_)).Times(AnyNumber()).WillOnce(Return(NULL));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_dup(_))
+        .WillOnce(Return(NULL))
+        .WillRepeatedly(Invoke(__real_X509_dup));
     result = HcfX509CertChainByParamsSpiCreate(&inParams, &spi);
     EXPECT_EQ(result, CF_ERR_MALLOC);
     X509OpensslMock::SetMockFlag(false);
 
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_push(_, _)).Times(AnyNumber()).WillOnce(Return(-1));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_push(_, _))
+        .WillOnce(Return(-1))
+        .WillRepeatedly(Invoke(__real_OPENSSL_sk_push));
     result = HcfX509CertChainByParamsSpiCreate(&inParams, &spi);
     EXPECT_EQ(result, CF_ERR_CRYPTO_OPERATION);
     X509OpensslMock::SetMockFlag(false);

test/unittest/v1.0/src/crypto_x509_certificate_test_part3.cpp

@@ -40,6 +40,22 @@ using ::testing::AnyNumber;
 using ::testing::Invoke;
 using ::testing::Return;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int __real_OPENSSL_sk_num(const OPENSSL_STACK *st);
+void *__real_OPENSSL_sk_value(const OPENSSL_STACK *st, int i);
+long __real_ASN1_INTEGER_get(const ASN1_INTEGER *a);
+void *__real_X509V3_EXT_d2i(X509_EXTENSION *ext);
+X509_EXTENSION *__real_X509_get_ext(const X509 *x, X509_EXTENSION *loc);
+void *__real_X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
+CfResult __real_DeepCopyDataToBlob(const unsigned char *data, uint32_t len, CfBlob *outBlob);
+
+#ifdef __cplusplus
+}
+#endif
+
 namespace {
 class CryptoX509CertificateTestPart3 : public testing::Test {
 public:
@@ -140,7 +156,9 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareSubjectAlternativeNamesTest002,
 
     // test CompareSubAltNameX509Openssl failed case
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_get_ext_d2i(_, _, _, _)).Times(AnyNumber()).WillOnce(Return(NULL));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_get_ext_d2i(_, _, _, _))
+        .WillOnce(Return(NULL))
+        .WillRepeatedly(Invoke(__real_X509_get_ext_d2i));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &matchParams, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);
@@ -182,7 +200,9 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareMatchAllSubjectAltNamesTest001,
 
     // add failed case ret != CF_SUCCESS
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_num(_)).Times(AnyNumber()).WillOnce(Return(-1));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_num(_))
+        .WillOnce(Return(-1))
+        .WillRepeatedly(Invoke(__real_OPENSSL_sk_num));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_ERR_CRYPTO_OPERATION);
     X509OpensslMock::SetMockFlag(false);
@@ -225,8 +245,8 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareAuthorityKeyIdentifierTest001, T
 
     X509OpensslMock::SetMockFlag(true);
     EXPECT_CALL(X509OpensslMock::GetInstance(), DeepCopyDataToBlob(_, _, _))
-        .Times(AnyNumber())
-        .WillOnce(Return(CF_INVALID_PARAMS));
+        .WillOnce(Return(CF_INVALID_PARAMS))
+        .WillRepeatedly(Invoke(__real_DeepCopyDataToBlob));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_INVALID_PARAMS);
     X509OpensslMock::SetMockFlag(false);
@@ -280,14 +300,18 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareMinPathLenConstraintTest002, Tes
     constraints->pathlen = pathlen;
     X509OpensslMock::SetMockFlag(true);
     EXPECT_CALL(X509OpensslMock::GetInstance(), X509V3_EXT_d2i(_)).Times(AnyNumber()).WillOnce(Return(constraints));
-    EXPECT_CALL(X509OpensslMock::GetInstance(), ASN1_INTEGER_get(_)).Times(AnyNumber()).WillOnce(Return(10));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), ASN1_INTEGER_get(_))
+        .WillOnce(Return(10))
+        .WillRepeatedly(Invoke(__real_ASN1_INTEGER_get));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);
     X509OpensslMock::SetMockFlag(false);
 
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), X509V3_EXT_d2i(_)).Times(AnyNumber()).WillOnce(Return(NULL));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), X509V3_EXT_d2i(_))
+        .WillOnce(Return(NULL))
+        .WillRepeatedly(Invoke(__real_X509V3_EXT_d2i));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);
@@ -302,7 +326,9 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareMinPathLenConstraintTest002, Tes
 
     X509OpensslMock::SetMockFlag(true);
     certMatchParameters.minPathLenConstraint = 2;
-    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_get_ext(_, _)).Times(AnyNumber()).WillOnce(Return(NULL));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_get_ext(_, _))
+        .WillOnce(Return(NULL))
+        .WillRepeatedly(Invoke(__real_X509_get_ext));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);
@@ -374,7 +400,9 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareNameConstraintsTest001, TestSize
     tree->base->d.otherName = OTHERNAME_new();
 
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_value(_, _)).Times(AnyNumber()).WillOnce(Return(tree));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_value(_, _))
+        .WillOnce(Return(tree))
+        .WillRepeatedly(Invoke(__real_OPENSSL_sk_value));
     ret = g_testCertWithPrivateKeyValidObj->match(g_testCertWithPrivateKeyValidObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);
@@ -389,7 +417,9 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareNameConstraintsTest001, TestSize
     tree->base->d.x400Address = ASN1_STRING_new();
 
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_value(_, _)).Times(AnyNumber()).WillOnce(Return(tree));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_value(_, _))
+        .WillOnce(Return(tree))
+        .WillRepeatedly(Invoke(__real_OPENSSL_sk_value));
     ret = g_testCertWithPrivateKeyValidObj->match(g_testCertWithPrivateKeyValidObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);
@@ -508,7 +538,9 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareNameConstraintsTest004, TestSize
     tree->base->d.registeredID = ASN1_OBJECT_new();
 
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_value(_, _)).Times(AnyNumber()).WillOnce(Return(tree));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), OPENSSL_sk_value(_, _))
+        .WillOnce(Return(tree))
+        .WillRepeatedly(Invoke(__real_OPENSSL_sk_value));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);
@@ -550,7 +582,9 @@ HWTEST_F(CryptoX509CertificateTestPart3, CompareNameConstraintsTest005, TestSize
     nc->permittedSubtrees = sk_GENERAL_SUBTREE_new_null();
     EXPECT_NE(nc, nullptr);
     X509OpensslMock::SetMockFlag(true);
-    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_get_ext_d2i(_, _, _, _)).Times(AnyNumber()).WillOnce(Return(nc));
+    EXPECT_CALL(X509OpensslMock::GetInstance(), X509_get_ext_d2i(_, _, _, _))
+        .WillOnce(Return(nc))
+        .WillRepeatedly(Invoke(__real_X509_get_ext_d2i));
     ret = g_x509CertExtAttrObj->match(g_x509CertExtAttrObj, &certMatchParameters, &bResult);
     EXPECT_EQ(ret, CF_SUCCESS);
     EXPECT_EQ(bResult, false);

test/unittest/v1.0/src/crypto_x509_test_common.cpp

@@ -16,16 +16,17 @@
 #include "crypto_x509_test_common.h"
 
 #include <gtest/gtest.h>
+#include <openssl/x509v3.h>
 
+#include "cert_crl_common.h"
 #include "certificate_openssl_common.h"
 #include "cf_blob.h"
 #include "cf_log.h"
+#include "fwk_class.h"
 #include "memory_mock.h"
 #include "securec.h"
 #include "x509_certificate.h"
 #include "x509_certificate_openssl.h"
-#include "fwk_class.h"
-#include <openssl/x509v3.h>
 
 #define CONSTRUCT_CERTPOLICY_DATA_SIZE 1
 
@@ -132,12 +133,18 @@ const int g_testCrlWhichEntryWithExtSize = sizeof(g_testCrlWhichEntryWithExt);
 
 const int g_testCertChainPemSize = sizeof(g_testCertChainPem) / sizeof(char);
 
+const int g_testCertChainPem163Size = sizeof(g_testCertChainPem163) / sizeof(char);
+
+const int g_testOcspResponderCertSize = sizeof(g_testOcspResponderCert) / sizeof(char);
+
 const int g_testCertChainPemMidSize = sizeof(g_testCertChainPemMid) / sizeof(char);
 
 const int g_testCertChainPemMidCRLSize = sizeof(g_testCertChainPemMidCRL) / sizeof(char);
 
 const int g_testCertChainPemRootSize = sizeof(g_testCertChainPemRoot) / sizeof(char);
 
+const int g_testCertChainPemRoot163Size = sizeof(g_testCertChainPemRoot163) / sizeof(char);
+
 const int g_testCertChainPemNoRootSize = sizeof(g_testCertChainPemNoRoot) / sizeof(char);
 
 const int g_testCertChainPemNoRootHasPubKeySize = sizeof(g_testCertChainPemNoRootHasPubKey) / sizeof(char);
@@ -215,6 +222,14 @@ const CfEncodingBlob g_inStreamChainDataDer = { const_cast<uint8_t *>(g_testChai
 const CfEncodingBlob g_inStreamChainDataPem = { reinterpret_cast<uint8_t *>(const_cast<char *>(g_testCertChainPem)),
     g_testCertChainPemSize, CF_FORMAT_PEM };
 
+const CfEncodingBlob g_inStreamChainDataPem163 = {
+    reinterpret_cast<uint8_t *>(const_cast<char *>(g_testCertChainPem163)), g_testCertChainPem163Size, CF_FORMAT_PEM
+};
+
+const CfEncodingBlob g_inStreamOcspResponderCert = {
+    reinterpret_cast<uint8_t *>(const_cast<char *>(g_testOcspResponderCert)), g_testOcspResponderCertSize, CF_FORMAT_PEM
+};
+
 const CfEncodingBlob g_inStreamChainDataPemMid = {
     reinterpret_cast<uint8_t *>(const_cast<char *>(g_testCertChainPemMid)), g_testCertChainPemMidSize, CF_FORMAT_PEM
 };
@@ -223,6 +238,10 @@ const CfEncodingBlob g_inStreamChainDataPemRoot = {
     reinterpret_cast<uint8_t *>(const_cast<char *>(g_testCertChainPemRoot)), g_testCertChainPemRootSize, CF_FORMAT_PEM
 };
 
+const CfEncodingBlob g_inStreamChainDataPemRoot163 = { reinterpret_cast<uint8_t *>(
+                                                           const_cast<char *>(g_testCertChainPemRoot163)),
+    g_testCertChainPemRoot163Size, CF_FORMAT_PEM };
+
 const CfEncodingBlob g_inStreamChainDataPemNoRoot = { reinterpret_cast<uint8_t *>(
                                                           const_cast<char *>(g_testCertChainPemNoRoot)),
     g_testCertChainPemNoRootSize, CF_FORMAT_PEM };
@@ -311,3 +330,113 @@ const char *GetValidX509CertificateClass(void)
 {
     return HCF_X509_CERTIFICATE_CLASS;
 }
+
+void FreeTrustAnchor(HcfX509TrustAnchor *&trustAnchor)
+{
+    if (trustAnchor == nullptr) {
+        return;
+    }
+    CfBlobFree(&trustAnchor->CAPubKey);
+    CfBlobFree(&trustAnchor->CASubject);
+    CfObjDestroy(trustAnchor->CACert);
+    trustAnchor->CACert = nullptr;
+    CfFree(trustAnchor);
+    trustAnchor = nullptr;
+}
+
+void BuildAnchorArr(const CfEncodingBlob &certInStream, HcfX509TrustAnchorArray &trustAnchorArray)
+{
+    HcfX509TrustAnchor *anchor = static_cast<HcfX509TrustAnchor *>(HcfMalloc(sizeof(HcfX509TrustAnchor), 0));
+    ASSERT_NE(anchor, nullptr);
+
+    (void)HcfX509CertificateCreate(&certInStream, &anchor->CACert);
+    trustAnchorArray.data = static_cast<HcfX509TrustAnchor **>(HcfMalloc(1 * sizeof(HcfX509TrustAnchor *), 0));
+    ASSERT_NE(trustAnchorArray.data, nullptr);
+    trustAnchorArray.data[0] = anchor;
+    trustAnchorArray.count = 1;
+}
+
+void FreeTrustAnchorArr(HcfX509TrustAnchorArray &trustAnchorArray)
+{
+    for (uint32_t i = 0; i < trustAnchorArray.count; ++i) {
+        HcfX509TrustAnchor *anchor = trustAnchorArray.data[i];
+        FreeTrustAnchor(anchor);
+    }
+    CfFree(trustAnchorArray.data);
+    trustAnchorArray.data = nullptr;
+    trustAnchorArray.count = 0;
+}
+
+void BuildCollectionArr(const CfEncodingBlob *certInStream, const CfEncodingBlob *crlInStream,
+    HcfCertCRLCollectionArray &certCRLCollections)
+{
+    CfResult ret = CF_SUCCESS;
+    HcfX509CertificateArray *certArray = nullptr;
+    if (certInStream != nullptr) {
+        certArray = static_cast<HcfX509CertificateArray *>(HcfMalloc(sizeof(HcfX509CertificateArray), 0));
+        ASSERT_NE(certArray, nullptr);
+
+        HcfX509Certificate *x509CertObj = nullptr;
+        (void)HcfX509CertificateCreate(certInStream, &x509CertObj);
+        ASSERT_NE(x509CertObj, nullptr);
+
+        certArray->data = static_cast<HcfX509Certificate **>(HcfMalloc(1 * sizeof(HcfX509Certificate *), 0));
+        ASSERT_NE(certArray->data, nullptr);
+        certArray->data[0] = x509CertObj;
+        certArray->count = 1;
+    }
+
+    HcfX509CrlArray *crlArray = nullptr;
+    if (crlInStream != nullptr) {
+        crlArray = static_cast<HcfX509CrlArray *>(HcfMalloc(sizeof(HcfX509CrlArray), 0));
+        ASSERT_NE(crlArray, nullptr);
+
+        HcfX509Crl *x509Crl = nullptr;
+        ret = HcfX509CrlCreate(crlInStream, &x509Crl);
+        ASSERT_EQ(ret, CF_SUCCESS);
+        ASSERT_NE(x509Crl, nullptr);
+
+        crlArray->data = static_cast<HcfX509Crl **>(HcfMalloc(1 * sizeof(HcfX509Crl *), 0));
+        ASSERT_NE(crlArray->data, nullptr);
+        crlArray->data[0] = x509Crl;
+        crlArray->count = 1;
+    }
+
+    HcfCertCrlCollection *x509CertCrlCollection = nullptr;
+    ret = HcfCertCrlCollectionCreate(certArray, crlArray, &x509CertCrlCollection);
+    ASSERT_EQ(ret, CF_SUCCESS);
+    ASSERT_NE(x509CertCrlCollection, nullptr);
+
+    certCRLCollections.data = static_cast<HcfCertCrlCollection **>(HcfMalloc(1 * sizeof(HcfCertCrlCollection *), 0));
+    ASSERT_NE(certCRLCollections.data, nullptr);
+    certCRLCollections.data[0] = x509CertCrlCollection;
+    certCRLCollections.count = 1;
+
+    FreeCertArrayData(certArray);
+    CfFree(certArray);
+    FreeCrlArrayData(crlArray);
+    CfFree(crlArray);
+}
+
+void FreeCertCrlCollectionArr(HcfCertCRLCollectionArray &certCRLCollections)
+{
+    for (uint32_t i = 0; i < certCRLCollections.count; ++i) {
+        HcfCertCrlCollection *collection = certCRLCollections.data[i];
+        CfObjDestroy(collection);
+    }
+    CfFree(certCRLCollections.data);
+    certCRLCollections.data = nullptr;
+    certCRLCollections.count = 0;
+}
+
+void FreeValidateResult(HcfX509CertChainValidateResult &result)
+{
+    if (result.entityCert != nullptr) {
+        CfObjDestroy(result.entityCert);
+        result.entityCert = nullptr;
+    }
+
+    if (result.trustAnchor != nullptr) {
+        FreeTrustAnchor(result.trustAnchor);
+    }
+}