OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/crypto/rsa_private_key.h" | 5 #include "base/crypto/rsa_private_key.h" |
6 #include "base/file_path.h" | 6 #include "base/file_path.h" |
7 #include "base/file_util.h" | 7 #include "base/file_util.h" |
8 #include "base/path_service.h" | 8 #include "base/path_service.h" |
9 #include "base/pickle.h" | 9 #include "base/pickle.h" |
10 #include "net/base/cert_status_flags.h" | 10 #include "net/base/cert_status_flags.h" |
421 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 421 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
422 | 422 |
423 FilePath root_cert_path = certs_dir.AppendASCII("dod_root_ca_2_cert.der"); | 423 FilePath root_cert_path = certs_dir.AppendASCII("dod_root_ca_2_cert.der"); |
424 TestRootCerts* root_certs = TestRootCerts::GetInstance(); | 424 TestRootCerts* root_certs = TestRootCerts::GetInstance(); |
425 ASSERT_TRUE(root_certs->AddFromFile(root_cert_path)); | 425 ASSERT_TRUE(root_certs->AddFromFile(root_cert_path)); |
426 | 426 |
427 X509Certificate::OSCertHandles intermediates; | 427 X509Certificate::OSCertHandles intermediates; |
428 intermediates.push_back(intermediate_cert->os_cert_handle()); | 428 intermediates.push_back(intermediate_cert->os_cert_handle()); |
429 scoped_refptr<X509Certificate> cert_chain = | 429 scoped_refptr<X509Certificate> cert_chain = |
430 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 430 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
431 X509Certificate::SOURCE_FROM_NETWORK, | |
432 intermediates); | 431 intermediates); |
433 | 432 |
434 int flags = 0; | 433 int flags = 0; |
435 CertVerifyResult verify_result; | 434 CertVerifyResult verify_result; |
436 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result); | 435 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result); |
437 EXPECT_EQ(OK, error); | 436 EXPECT_EQ(OK, error); |
438 EXPECT_EQ(0, verify_result.cert_status); | 437 EXPECT_EQ(0, verify_result.cert_status); |
439 root_certs->Clear(); | 438 root_certs->Clear(); |
440 } | 439 } |
441 | 440 |
442 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle. We | 441 // Tests X509CertificateCache via X509Certificate::CreateFromHandle. We |
443 // call X509Certificate::CreateFromHandle several times and observe whether | 442 // call X509Certificate::CreateFromHandle several times and observe whether |
444 // it returns a cached or new X509Certificate object. | 443 // it returns a cached or new X509Certificate object. |
445 // | 444 // |
446 // All the OS certificate handles in this test are actually from the same | 445 // All the OS certificate handles in this test are actually from the same |
447 // source (the bytes of a lone certificate), but we pretend that some of them | 446 // source (the bytes of a lone certificate), but we pretend that some of them |
448 // come from the network. | 447 // come from the network. |
449 TEST(X509CertificateTest, Cache) { | 448 TEST(X509CertificateTest, Cache) { |
450 X509Certificate::OSCertHandle google_cert_handle; | 449 X509Certificate::OSCertHandle google_cert_handle; |
| 450 X509Certificate::OSCertHandle thawte_cert_handle; |
451 | 451 |
452 // Add a certificate from the source SOURCE_LONE_CERT_IMPORT to our | 452 // Add a single certificate to the certificate cache. |
453 // certificate cache. | |
454 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( | 453 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( |
455 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 454 reinterpret_cast<const char*>(google_der), sizeof(google_der)); |
456 scoped_refptr<X509Certificate> cert1(X509Certificate::CreateFromHandle( | 455 scoped_refptr<X509Certificate> cert1(X509Certificate::CreateFromHandle( |
457 google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 456 google_cert_handle, X509Certificate::OSCertHandles())); |
458 X509Certificate::OSCertHandles())); | |
459 X509Certificate::FreeOSCertHandle(google_cert_handle); | 457 X509Certificate::FreeOSCertHandle(google_cert_handle); |
460 | 458 |
461 // Add a certificate from the same source (SOURCE_LONE_CERT_IMPORT). This | 459 // Add the same certificate, but as a new handle. |
462 // should return the cached certificate (cert1). | |
463 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( | 460 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( |
464 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 461 reinterpret_cast<const char*>(google_der), sizeof(google_der)); |
465 scoped_refptr<X509Certificate> cert2(X509Certificate::CreateFromHandle( | 462 scoped_refptr<X509Certificate> cert2(X509Certificate::CreateFromHandle( |
466 google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 463 google_cert_handle, X509Certificate::OSCertHandles())); |
467 X509Certificate::OSCertHandles())); | |
468 X509Certificate::FreeOSCertHandle(google_cert_handle); | 464 X509Certificate::FreeOSCertHandle(google_cert_handle); |
469 | 465 |
470 EXPECT_EQ(cert1, cert2); | 466 // A new X509Certificate should be returned. |
| 467 EXPECT_NE(cert1.get(), cert2.get()); |
| 468 // But both instances should share the underlying OS certificate handle. |
| 469 EXPECT_EQ(cert1->os_cert_handle(), cert2->os_cert_handle()); |
| 470 EXPECT_TRUE(cert1->HasIntermediateCertificates( |
| 471 cert2->GetIntermediateCertificates())); |
471 | 472 |
472 // Add a certificate from the network. This should kick out the original | 473 // Add the same certificate, but this time with an intermediate. This |
473 // cached certificate (cert1) and return a new certificate. | 474 // should result in the intermediate being cached. Note that this is not |
| 475 // a legitimate chain, but is suitable for testing. |
474 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( | 476 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( |
475 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 477 reinterpret_cast<const char*>(google_der), sizeof(google_der)); |
| 478 thawte_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( |
| 479 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)); |
| 480 X509Certificate::OSCertHandles intermediates; |
| 481 intermediates.push_back(thawte_cert_handle); |
476 scoped_refptr<X509Certificate> cert3(X509Certificate::CreateFromHandle( | 482 scoped_refptr<X509Certificate> cert3(X509Certificate::CreateFromHandle( |
477 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK, | 483 google_cert_handle, intermediates)); |
478 X509Certificate::OSCertHandles())); | |
479 X509Certificate::FreeOSCertHandle(google_cert_handle); | 484 X509Certificate::FreeOSCertHandle(google_cert_handle); |
| 485 X509Certificate::FreeOSCertHandle(thawte_cert_handle); |
480 | 486 |
481 EXPECT_NE(cert1, cert3); | 487 // Test that the new certificate, even with intermediates, results in the |
482 | 488 // same underlying handle being used. |
483 // Add one certificate from each source. Both should return the new cached | 489 EXPECT_EQ(cert1->os_cert_handle(), cert3->os_cert_handle()); |
484 // certificate (cert3). | 490 // Though they use the same OS handle, the intermediates should be different. |
485 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( | 491 EXPECT_FALSE(cert1->HasIntermediateCertificates( |
486 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 492 cert3->GetIntermediateCertificates())); |
487 scoped_refptr<X509Certificate> cert4(X509Certificate::CreateFromHandle( | |
488 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK, | |
489 X509Certificate::OSCertHandles())); | |
490 X509Certificate::FreeOSCertHandle(google_cert_handle); | |
491 | |
492 EXPECT_EQ(cert3, cert4); | |
493 | |
494 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( | |
495 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | |
496 scoped_refptr<X509Certificate> cert5(X509Certificate::CreateFromHandle( | |
497 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK, | |
498 X509Certificate::OSCertHandles())); | |
499 X509Certificate::FreeOSCertHandle(google_cert_handle); | |
500 | |
501 EXPECT_EQ(cert3, cert5); | |
502 } | 493 } |
503 | 494 |
504 TEST(X509CertificateTest, Pickle) { | 495 TEST(X509CertificateTest, Pickle) { |
505 X509Certificate::OSCertHandle google_cert_handle = | 496 X509Certificate::OSCertHandle google_cert_handle = |
506 X509Certificate::CreateOSCertHandleFromBytes( | 497 X509Certificate::CreateOSCertHandleFromBytes( |
507 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 498 reinterpret_cast<const char*>(google_der), sizeof(google_der)); |
508 X509Certificate::OSCertHandle thawte_cert_handle = | 499 X509Certificate::OSCertHandle thawte_cert_handle = |
509 X509Certificate::CreateOSCertHandleFromBytes( | 500 X509Certificate::CreateOSCertHandleFromBytes( |
510 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)); | 501 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)); |
511 | 502 |
512 X509Certificate::OSCertHandles intermediates; | 503 X509Certificate::OSCertHandles intermediates; |
513 intermediates.push_back(thawte_cert_handle); | 504 intermediates.push_back(thawte_cert_handle); |
514 // Faking SOURCE_LONE_CERT_IMPORT so that when the pickled certificate is | |
515 // read, it successfully evicts |cert| from the X509Certificate::Cache. | |
516 // This will be fixed when http://crbug.com/49377 is fixed. | |
517 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | 505 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( |
518 google_cert_handle, | 506 google_cert_handle, intermediates); |
519 X509Certificate::SOURCE_LONE_CERT_IMPORT, | |
520 intermediates); | |
521 | 507 |
522 X509Certificate::FreeOSCertHandle(google_cert_handle); | 508 X509Certificate::FreeOSCertHandle(google_cert_handle); |
523 X509Certificate::FreeOSCertHandle(thawte_cert_handle); | 509 X509Certificate::FreeOSCertHandle(thawte_cert_handle); |
524 | 510 |
525 Pickle pickle; | 511 Pickle pickle; |
526 cert->Persist(&pickle); | 512 cert->Persist(&pickle); |
527 | 513 |
528 void* iter = NULL; | 514 void* iter = NULL; |
529 scoped_refptr<X509Certificate> cert_from_pickle = | 515 scoped_refptr<X509Certificate> cert_from_pickle = |
530 X509Certificate::CreateFromPickle( | 516 X509Certificate::CreateFromPickle( |
566 EXPECT_TRUE(policy.HasDeniedCert()); | 552 EXPECT_TRUE(policy.HasDeniedCert()); |
567 | 553 |
568 policy.Allow(webkit_cert.get()); | 554 policy.Allow(webkit_cert.get()); |
569 | 555 |
570 EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::DENIED); | 556 EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::DENIED); |
571 EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::ALLOWED); | 557 EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::ALLOWED); |
572 EXPECT_TRUE(policy.HasAllowedCert()); | 558 EXPECT_TRUE(policy.HasAllowedCert()); |
573 EXPECT_TRUE(policy.HasDeniedCert()); | 559 EXPECT_TRUE(policy.HasDeniedCert()); |
574 } | 560 } |
575 | 561 |
576 #if defined(OS_MACOSX) || defined(OS_WIN) | |
577 TEST(X509CertificateTest, IntermediateCertificates) { | 562 TEST(X509CertificateTest, IntermediateCertificates) { |
578 scoped_refptr<X509Certificate> webkit_cert( | 563 scoped_refptr<X509Certificate> webkit_cert( |
579 X509Certificate::CreateFromBytes( | 564 X509Certificate::CreateFromBytes( |
580 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); | 565 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); |
581 | 566 |
582 scoped_refptr<X509Certificate> thawte_cert( | 567 scoped_refptr<X509Certificate> thawte_cert( |
583 X509Certificate::CreateFromBytes( | 568 X509Certificate::CreateFromBytes( |
584 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der))); | 569 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der))); |
585 | 570 |
586 scoped_refptr<X509Certificate> paypal_cert( | 571 scoped_refptr<X509Certificate> paypal_cert( |
587 X509Certificate::CreateFromBytes( | 572 X509Certificate::CreateFromBytes( |
588 reinterpret_cast<const char*>(paypal_null_der), | 573 reinterpret_cast<const char*>(paypal_null_der), |
589 sizeof(paypal_null_der))); | 574 sizeof(paypal_null_der))); |
590 | 575 |
591 X509Certificate::OSCertHandle google_handle; | 576 X509Certificate::OSCertHandle google_handle; |
592 // Create object with no intermediates: | 577 // Create object with no intermediates: |
593 google_handle = X509Certificate::CreateOSCertHandleFromBytes( | 578 google_handle = X509Certificate::CreateOSCertHandleFromBytes( |
594 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 579 reinterpret_cast<const char*>(google_der), sizeof(google_der)); |
595 X509Certificate::OSCertHandles intermediates1; | 580 X509Certificate::OSCertHandles intermediates1; |
596 scoped_refptr<X509Certificate> cert1; | 581 scoped_refptr<X509Certificate> cert1; |
597 cert1 = X509Certificate::CreateFromHandle( | 582 cert1 = X509Certificate::CreateFromHandle(google_handle, intermediates1); |
598 google_handle, X509Certificate::SOURCE_FROM_NETWORK, intermediates1); | |
599 EXPECT_TRUE(cert1->HasIntermediateCertificates(intermediates1)); | 583 EXPECT_TRUE(cert1->HasIntermediateCertificates(intermediates1)); |
600 EXPECT_FALSE(cert1->HasIntermediateCertificate( | 584 EXPECT_FALSE(cert1->HasIntermediateCertificate( |
601 webkit_cert->os_cert_handle())); | 585 webkit_cert->os_cert_handle())); |
602 | 586 |
603 // Create object with 2 intermediates: | 587 // Create object with 2 intermediates: |
604 X509Certificate::OSCertHandles intermediates2; | 588 X509Certificate::OSCertHandles intermediates2; |
605 intermediates2.push_back(webkit_cert->os_cert_handle()); | 589 intermediates2.push_back(webkit_cert->os_cert_handle()); |
606 intermediates2.push_back(thawte_cert->os_cert_handle()); | 590 intermediates2.push_back(thawte_cert->os_cert_handle()); |
607 scoped_refptr<X509Certificate> cert2; | 591 scoped_refptr<X509Certificate> cert2; |
608 cert2 = X509Certificate::CreateFromHandle( | 592 cert2 = X509Certificate::CreateFromHandle(google_handle, intermediates2); |
609 google_handle, X509Certificate::SOURCE_FROM_NETWORK, intermediates2); | |
610 | 593 |
611 // The cache should have stored cert2 'cause it has more intermediates: | 594 // The cache should have stored cert2 'cause it has more intermediates: |
612 EXPECT_NE(cert1, cert2); | 595 EXPECT_NE(cert1, cert2); |
613 | 596 |
614 // Verify it has all the intermediates: | 597 // Verify it has all the intermediates: |
615 EXPECT_TRUE(cert2->HasIntermediateCertificate( | 598 EXPECT_TRUE(cert2->HasIntermediateCertificate( |
616 webkit_cert->os_cert_handle())); | 599 webkit_cert->os_cert_handle())); |
617 EXPECT_TRUE(cert2->HasIntermediateCertificate( | 600 EXPECT_TRUE(cert2->HasIntermediateCertificate( |
618 thawte_cert->os_cert_handle())); | 601 thawte_cert->os_cert_handle())); |
619 EXPECT_FALSE(cert2->HasIntermediateCertificate( | 602 EXPECT_FALSE(cert2->HasIntermediateCertificate( |
620 paypal_cert->os_cert_handle())); | 603 paypal_cert->os_cert_handle())); |
621 | 604 |
622 // Create object with 1 intermediate: | |
623 X509Certificate::OSCertHandles intermediates3; | |
624 intermediates2.push_back(thawte_cert->os_cert_handle()); | |
625 scoped_refptr<X509Certificate> cert3; | |
626 cert3 = X509Certificate::CreateFromHandle( | |
627 google_handle, X509Certificate::SOURCE_FROM_NETWORK, intermediates3); | |
628 | |
629 // The cache should have returned cert2 'cause it has more intermediates: | |
630 EXPECT_EQ(cert3, cert2); | |
631 | |
632 // Cleanup | 605 // Cleanup |
633 X509Certificate::FreeOSCertHandle(google_handle); | 606 X509Certificate::FreeOSCertHandle(google_handle); |
634 } | 607 } |
635 #endif | |
636 | 608 |
637 #if defined(OS_MACOSX) | 609 #if defined(OS_MACOSX) |
638 TEST(X509CertificateTest, IsIssuedBy) { | 610 TEST(X509CertificateTest, IsIssuedBy) { |
639 FilePath certs_dir = GetTestCertsDirectory(); | 611 FilePath certs_dir = GetTestCertsDirectory(); |
640 | 612 |
641 // Test a client certificate from MIT. | 613 // Test a client certificate from MIT. |
642 scoped_refptr<X509Certificate> mit_davidben_cert( | 614 scoped_refptr<X509Certificate> mit_davidben_cert( |
643 ImportCertFromFile(certs_dir, "mit.davidben.der")); | 615 ImportCertFromFile(certs_dir, "mit.davidben.der")); |
644 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); | 616 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); |
645 | 617 |
750 | 722 |
751 for (size_t j = 0; j < 20; ++j) | 723 for (size_t j = 0; j < 20; ++j) |
752 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); | 724 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); |
753 } | 725 } |
754 } | 726 } |
755 | 727 |
756 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, | 728 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, |
757 testing::ValuesIn(FormatTestData)); | 729 testing::ValuesIn(FormatTestData)); |
758 | 730 |
759 } // namespace net | 731 } // namespace net |
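Review bot: In the IntermediateCertificates test (new lines 594-595), `EXPECT_NE(cert1, cert2)` and its comment "The cache should have stored cert2 'cause it has more intermediates" no longer verify anything. Judging by the updated Cache test, CreateFromHandle now appears to return a distinct X509Certificate on every call, so the inequality would hold whatever the cache does. The leaf handle is now shared between objects while each object keeps its own chain, so the property worth pinning is that creating cert2 did not alter cert1's chain, for example `EXPECT_FALSE(cert1->HasIntermediateCertificate(webkit_cert->os_cert_handle()));` placed after cert2 is created, with the comment reworded to say so. The header comment of the Cache test (new lines 441-447) also still says "we pretend that some of them come from the network", which refers to the removed source argument and should be dropped.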