Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1934)

Side by Side Diff: net/base/x509_certificate_unittest.cc

Issue 2944008: Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate (Closed)
Patch Set: Rebase to trunk after splitting out 4645001 Created 9 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "base/crypto/rsa_private_key.h" 5 #include "base/crypto/rsa_private_key.h"
6 #include "base/file_path.h" 6 #include "base/file_path.h"
7 #include "base/file_util.h" 7 #include "base/file_util.h"
8 #include "base/path_service.h" 8 #include "base/path_service.h"
9 #include "base/pickle.h" 9 #include "base/pickle.h"
10 #include "net/base/cert_status_flags.h" 10 #include "net/base/cert_status_flags.h"
(...skipping 410 matching lines...) Expand 10 before | Expand all | Expand 10 after
421 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); 421 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
422 422
423 FilePath root_cert_path = certs_dir.AppendASCII("dod_root_ca_2_cert.der"); 423 FilePath root_cert_path = certs_dir.AppendASCII("dod_root_ca_2_cert.der");
424 TestRootCerts* root_certs = TestRootCerts::GetInstance(); 424 TestRootCerts* root_certs = TestRootCerts::GetInstance();
425 ASSERT_TRUE(root_certs->AddFromFile(root_cert_path)); 425 ASSERT_TRUE(root_certs->AddFromFile(root_cert_path));
426 426
427 X509Certificate::OSCertHandles intermediates; 427 X509Certificate::OSCertHandles intermediates;
428 intermediates.push_back(intermediate_cert->os_cert_handle()); 428 intermediates.push_back(intermediate_cert->os_cert_handle());
429 scoped_refptr<X509Certificate> cert_chain = 429 scoped_refptr<X509Certificate> cert_chain =
430 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 430 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
431 X509Certificate::SOURCE_FROM_NETWORK,
432 intermediates); 431 intermediates);
433 432
434 int flags = 0; 433 int flags = 0;
435 CertVerifyResult verify_result; 434 CertVerifyResult verify_result;
436 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result); 435 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result);
437 EXPECT_EQ(OK, error); 436 EXPECT_EQ(OK, error);
438 EXPECT_EQ(0, verify_result.cert_status); 437 EXPECT_EQ(0, verify_result.cert_status);
439 root_certs->Clear(); 438 root_certs->Clear();
440 } 439 }
441 440
442 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle. We 441 // Tests X509CertificateCache via X509Certificate::CreateFromHandle. We
443 // call X509Certificate::CreateFromHandle several times and observe whether 442 // call X509Certificate::CreateFromHandle several times and observe whether
444 // it returns a cached or new X509Certificate object. 443 // it returns a cached or new X509Certificate object.
445 // 444 //
446 // All the OS certificate handles in this test are actually from the same 445 // All the OS certificate handles in this test are actually from the same
447 // source (the bytes of a lone certificate), but we pretend that some of them 446 // source (the bytes of a lone certificate), but we pretend that some of them
448 // come from the network. 447 // come from the network.
449 TEST(X509CertificateTest, Cache) { 448 TEST(X509CertificateTest, Cache) {
450 X509Certificate::OSCertHandle google_cert_handle; 449 X509Certificate::OSCertHandle google_cert_handle;
450 X509Certificate::OSCertHandle thawte_cert_handle;
451 451
452 // Add a certificate from the source SOURCE_LONE_CERT_IMPORT to our 452 // Add a single certificate to the certificate cache.
453 // certificate cache.
454 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 453 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
455 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 454 reinterpret_cast<const char*>(google_der), sizeof(google_der));
456 scoped_refptr<X509Certificate> cert1(X509Certificate::CreateFromHandle( 455 scoped_refptr<X509Certificate> cert1(X509Certificate::CreateFromHandle(
457 google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT, 456 google_cert_handle, X509Certificate::OSCertHandles()));
458 X509Certificate::OSCertHandles()));
459 X509Certificate::FreeOSCertHandle(google_cert_handle); 457 X509Certificate::FreeOSCertHandle(google_cert_handle);
460 458
461 // Add a certificate from the same source (SOURCE_LONE_CERT_IMPORT). This 459 // Add the same certificate, but as a new handle.
462 // should return the cached certificate (cert1).
463 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 460 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
464 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 461 reinterpret_cast<const char*>(google_der), sizeof(google_der));
465 scoped_refptr<X509Certificate> cert2(X509Certificate::CreateFromHandle( 462 scoped_refptr<X509Certificate> cert2(X509Certificate::CreateFromHandle(
466 google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT, 463 google_cert_handle, X509Certificate::OSCertHandles()));
467 X509Certificate::OSCertHandles()));
468 X509Certificate::FreeOSCertHandle(google_cert_handle); 464 X509Certificate::FreeOSCertHandle(google_cert_handle);
469 465
470 EXPECT_EQ(cert1, cert2); 466 // A new X509Certificate should be returned.
467 EXPECT_NE(cert1.get(), cert2.get());
468 // But both instances should share the underlying OS certificate handle.
469 EXPECT_EQ(cert1->os_cert_handle(), cert2->os_cert_handle());
470 EXPECT_TRUE(cert1->HasIntermediateCertificates(
471 cert2->GetIntermediateCertificates()));
471 472
472 // Add a certificate from the network. This should kick out the original 473 // Add the same certificate, but this time with an intermediate. This
473 // cached certificate (cert1) and return a new certificate. 474 // should result in the intermediate being cached. Note that this is not
475 // a legitimate chain, but is suitable for testing.
474 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 476 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
475 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 477 reinterpret_cast<const char*>(google_der), sizeof(google_der));
478 thawte_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
479 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
480 X509Certificate::OSCertHandles intermediates;
481 intermediates.push_back(thawte_cert_handle);
476 scoped_refptr<X509Certificate> cert3(X509Certificate::CreateFromHandle( 482 scoped_refptr<X509Certificate> cert3(X509Certificate::CreateFromHandle(
477 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK, 483 google_cert_handle, intermediates));
478 X509Certificate::OSCertHandles()));
479 X509Certificate::FreeOSCertHandle(google_cert_handle); 484 X509Certificate::FreeOSCertHandle(google_cert_handle);
485 X509Certificate::FreeOSCertHandle(thawte_cert_handle);
480 486
481 EXPECT_NE(cert1, cert3); 487 // Test that the new certificate, even with intermediates, results in the
482 488 // same underlying handle being used.
483 // Add one certificate from each source. Both should return the new cached 489 EXPECT_EQ(cert1->os_cert_handle(), cert3->os_cert_handle());
484 // certificate (cert3). 490 // Though they use the same OS handle, the intermediates should be different.
485 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 491 EXPECT_FALSE(cert1->HasIntermediateCertificates(
486 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 492 cert3->GetIntermediateCertificates()));
487 scoped_refptr<X509Certificate> cert4(X509Certificate::CreateFromHandle(
488 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK,
489 X509Certificate::OSCertHandles()));
490 X509Certificate::FreeOSCertHandle(google_cert_handle);
491
492 EXPECT_EQ(cert3, cert4);
493
494 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
495 reinterpret_cast<const char*>(google_der), sizeof(google_der));
496 scoped_refptr<X509Certificate> cert5(X509Certificate::CreateFromHandle(
497 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK,
498 X509Certificate::OSCertHandles()));
499 X509Certificate::FreeOSCertHandle(google_cert_handle);
500
501 EXPECT_EQ(cert3, cert5);
502 } 493 }
503 494
504 TEST(X509CertificateTest, Pickle) { 495 TEST(X509CertificateTest, Pickle) {
505 X509Certificate::OSCertHandle google_cert_handle = 496 X509Certificate::OSCertHandle google_cert_handle =
506 X509Certificate::CreateOSCertHandleFromBytes( 497 X509Certificate::CreateOSCertHandleFromBytes(
507 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 498 reinterpret_cast<const char*>(google_der), sizeof(google_der));
508 X509Certificate::OSCertHandle thawte_cert_handle = 499 X509Certificate::OSCertHandle thawte_cert_handle =
509 X509Certificate::CreateOSCertHandleFromBytes( 500 X509Certificate::CreateOSCertHandleFromBytes(
510 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)); 501 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
511 502
512 X509Certificate::OSCertHandles intermediates; 503 X509Certificate::OSCertHandles intermediates;
513 intermediates.push_back(thawte_cert_handle); 504 intermediates.push_back(thawte_cert_handle);
514 // Faking SOURCE_LONE_CERT_IMPORT so that when the pickled certificate is
515 // read, it successfully evicts |cert| from the X509Certificate::Cache.
516 // This will be fixed when http://crbug.com/49377 is fixed.
517 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( 505 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
518 google_cert_handle, 506 google_cert_handle, intermediates);
519 X509Certificate::SOURCE_LONE_CERT_IMPORT,
520 intermediates);
521 507
522 X509Certificate::FreeOSCertHandle(google_cert_handle); 508 X509Certificate::FreeOSCertHandle(google_cert_handle);
523 X509Certificate::FreeOSCertHandle(thawte_cert_handle); 509 X509Certificate::FreeOSCertHandle(thawte_cert_handle);
524 510
525 Pickle pickle; 511 Pickle pickle;
526 cert->Persist(&pickle); 512 cert->Persist(&pickle);
527 513
528 void* iter = NULL; 514 void* iter = NULL;
529 scoped_refptr<X509Certificate> cert_from_pickle = 515 scoped_refptr<X509Certificate> cert_from_pickle =
530 X509Certificate::CreateFromPickle( 516 X509Certificate::CreateFromPickle(
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after
566 EXPECT_TRUE(policy.HasDeniedCert()); 552 EXPECT_TRUE(policy.HasDeniedCert());
567 553
568 policy.Allow(webkit_cert.get()); 554 policy.Allow(webkit_cert.get());
569 555
570 EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::DENIED); 556 EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::DENIED);
571 EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::ALLOWED); 557 EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::ALLOWED);
572 EXPECT_TRUE(policy.HasAllowedCert()); 558 EXPECT_TRUE(policy.HasAllowedCert());
573 EXPECT_TRUE(policy.HasDeniedCert()); 559 EXPECT_TRUE(policy.HasDeniedCert());
574 } 560 }
575 561
576 #if defined(OS_MACOSX) || defined(OS_WIN)
577 TEST(X509CertificateTest, IntermediateCertificates) { 562 TEST(X509CertificateTest, IntermediateCertificates) {
578 scoped_refptr<X509Certificate> webkit_cert( 563 scoped_refptr<X509Certificate> webkit_cert(
579 X509Certificate::CreateFromBytes( 564 X509Certificate::CreateFromBytes(
580 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); 565 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
581 566
582 scoped_refptr<X509Certificate> thawte_cert( 567 scoped_refptr<X509Certificate> thawte_cert(
583 X509Certificate::CreateFromBytes( 568 X509Certificate::CreateFromBytes(
584 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der))); 569 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)));
585 570
586 scoped_refptr<X509Certificate> paypal_cert( 571 scoped_refptr<X509Certificate> paypal_cert(
587 X509Certificate::CreateFromBytes( 572 X509Certificate::CreateFromBytes(
588 reinterpret_cast<const char*>(paypal_null_der), 573 reinterpret_cast<const char*>(paypal_null_der),
589 sizeof(paypal_null_der))); 574 sizeof(paypal_null_der)));
590 575
591 X509Certificate::OSCertHandle google_handle; 576 X509Certificate::OSCertHandle google_handle;
592 // Create object with no intermediates: 577 // Create object with no intermediates:
593 google_handle = X509Certificate::CreateOSCertHandleFromBytes( 578 google_handle = X509Certificate::CreateOSCertHandleFromBytes(
594 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 579 reinterpret_cast<const char*>(google_der), sizeof(google_der));
595 X509Certificate::OSCertHandles intermediates1; 580 X509Certificate::OSCertHandles intermediates1;
596 scoped_refptr<X509Certificate> cert1; 581 scoped_refptr<X509Certificate> cert1;
597 cert1 = X509Certificate::CreateFromHandle( 582 cert1 = X509Certificate::CreateFromHandle(google_handle, intermediates1);
598 google_handle, X509Certificate::SOURCE_FROM_NETWORK, intermediates1);
599 EXPECT_TRUE(cert1->HasIntermediateCertificates(intermediates1)); 583 EXPECT_TRUE(cert1->HasIntermediateCertificates(intermediates1));
600 EXPECT_FALSE(cert1->HasIntermediateCertificate( 584 EXPECT_FALSE(cert1->HasIntermediateCertificate(
601 webkit_cert->os_cert_handle())); 585 webkit_cert->os_cert_handle()));
602 586
603 // Create object with 2 intermediates: 587 // Create object with 2 intermediates:
604 X509Certificate::OSCertHandles intermediates2; 588 X509Certificate::OSCertHandles intermediates2;
605 intermediates2.push_back(webkit_cert->os_cert_handle()); 589 intermediates2.push_back(webkit_cert->os_cert_handle());
606 intermediates2.push_back(thawte_cert->os_cert_handle()); 590 intermediates2.push_back(thawte_cert->os_cert_handle());
607 scoped_refptr<X509Certificate> cert2; 591 scoped_refptr<X509Certificate> cert2;
608 cert2 = X509Certificate::CreateFromHandle( 592 cert2 = X509Certificate::CreateFromHandle(google_handle, intermediates2);
609 google_handle, X509Certificate::SOURCE_FROM_NETWORK, intermediates2);
610 593
611 // The cache should have stored cert2 'cause it has more intermediates: 594 // The cache should have stored cert2 'cause it has more intermediates:
612 EXPECT_NE(cert1, cert2); 595 EXPECT_NE(cert1, cert2);
613 596
614 // Verify it has all the intermediates: 597 // Verify it has all the intermediates:
615 EXPECT_TRUE(cert2->HasIntermediateCertificate( 598 EXPECT_TRUE(cert2->HasIntermediateCertificate(
616 webkit_cert->os_cert_handle())); 599 webkit_cert->os_cert_handle()));
617 EXPECT_TRUE(cert2->HasIntermediateCertificate( 600 EXPECT_TRUE(cert2->HasIntermediateCertificate(
618 thawte_cert->os_cert_handle())); 601 thawte_cert->os_cert_handle()));
619 EXPECT_FALSE(cert2->HasIntermediateCertificate( 602 EXPECT_FALSE(cert2->HasIntermediateCertificate(
620 paypal_cert->os_cert_handle())); 603 paypal_cert->os_cert_handle()));
621 604
622 // Create object with 1 intermediate:
623 X509Certificate::OSCertHandles intermediates3;
624 intermediates2.push_back(thawte_cert->os_cert_handle());
625 scoped_refptr<X509Certificate> cert3;
626 cert3 = X509Certificate::CreateFromHandle(
627 google_handle, X509Certificate::SOURCE_FROM_NETWORK, intermediates3);
628
629 // The cache should have returned cert2 'cause it has more intermediates:
630 EXPECT_EQ(cert3, cert2);
631
632 // Cleanup 605 // Cleanup
633 X509Certificate::FreeOSCertHandle(google_handle); 606 X509Certificate::FreeOSCertHandle(google_handle);
634 } 607 }
635 #endif
636 608
637 #if defined(OS_MACOSX) 609 #if defined(OS_MACOSX)
638 TEST(X509CertificateTest, IsIssuedBy) { 610 TEST(X509CertificateTest, IsIssuedBy) {
639 FilePath certs_dir = GetTestCertsDirectory(); 611 FilePath certs_dir = GetTestCertsDirectory();
640 612
641 // Test a client certificate from MIT. 613 // Test a client certificate from MIT.
642 scoped_refptr<X509Certificate> mit_davidben_cert( 614 scoped_refptr<X509Certificate> mit_davidben_cert(
643 ImportCertFromFile(certs_dir, "mit.davidben.der")); 615 ImportCertFromFile(certs_dir, "mit.davidben.der"));
644 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); 616 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert);
645 617
(...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after
750 722
751 for (size_t j = 0; j < 20; ++j) 723 for (size_t j = 0; j < 20; ++j)
752 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); 724 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]);
753 } 725 }
754 } 726 }
755 727
756 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, 728 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest,
757 testing::ValuesIn(FormatTestData)); 729 testing::ValuesIn(FormatTestData));
758 730
759 } // namespace net 731 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698