| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "net/base/cert_status_flags.h" | 9 #include "net/base/cert_status_flags.h" |
| 10 #include "net/base/cert_test_util.h" | 10 #include "net/base/cert_test_util.h" |
| 11 #include "net/base/cert_verify_result.h" | 11 #include "net/base/cert_verify_result.h" |
| 12 #include "net/base/net_errors.h" | 12 #include "net/base/net_errors.h" |
| 13 #include "net/base/test_certificate_data.h" | 13 #include "net/base/test_certificate_data.h" |
| 14 #include "net/base/x509_certificate.h" | 14 #include "net/base/x509_certificate.h" |
| 15 #include "net/base/x509_chain.h" |
| 15 #include "testing/gtest/include/gtest/gtest.h" | 16 #include "testing/gtest/include/gtest/gtest.h" |
| 16 | 17 |
| 17 // Unit tests aren't allowed to access external resources. Unfortunately, to | 18 // Unit tests aren't allowed to access external resources. Unfortunately, to |
| 18 // properly verify the EV-ness of a cert, we need to check for its revocation | 19 // properly verify the EV-ness of a cert, we need to check for its revocation |
| 19 // through online servers. If you're manually running unit tests, feel free to | 20 // through online servers. If you're manually running unit tests, feel free to |
| 20 // turn this on to test EV certs. But leave it turned off for the automated | 21 // turn this on to test EV certs. But leave it turned off for the automated |
| 21 // testing. | 22 // testing. |
| 22 #define ALLOW_EXTERNAL_ACCESS 0 | 23 #define ALLOW_EXTERNAL_ACCESS 0 |
| 23 | 24 |
| 24 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN) | 25 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN) |
| 237 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); | 238 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); |
| 238 | 239 |
| 239 std::vector<std::string> dns_names; | 240 std::vector<std::string> dns_names; |
| 240 google_cert->GetDNSNames(&dns_names); | 241 google_cert->GetDNSNames(&dns_names); |
| 241 ASSERT_EQ(1U, dns_names.size()); | 242 ASSERT_EQ(1U, dns_names.size()); |
| 242 EXPECT_EQ("www.google.com", dns_names[0]); | 243 EXPECT_EQ("www.google.com", dns_names[0]); |
| 243 | 244 |
| 244 #if TEST_EV | 245 #if TEST_EV |
| 245 // TODO(avi): turn this on for the Mac once EV checking is implemented. | 246 // TODO(avi): turn this on for the Mac once EV checking is implemented. |
| 246 CertVerifyResult verify_result; | 247 CertVerifyResult verify_result; |
| 247 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 248 int flags = x509_chain::VERIFY_REV_CHECKING_ENABLED | |
| 248 X509Certificate::VERIFY_EV_CERT; | 249 x509_chain::VERIFY_EV_CERT; |
| 249 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result)); | 250 EXPECT_EQ(OK, x509_chain::VerifySSLServer(google_cert, "www.google.com", |
| 251 flags, &verify_result)); |
| 250 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 252 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); |
| 251 #endif | 253 #endif |
| 252 } | 254 } |
| 253 | 255 |
| 254 TEST(X509CertificateTest, GoogleCertParsing) { | 256 TEST(X509CertificateTest, GoogleCertParsing) { |
| 255 scoped_refptr<X509Certificate> google_cert = | 257 scoped_refptr<X509Certificate> google_cert = |
| 256 X509Certificate::CreateFromBytes( | 258 X509Certificate::CreateFromBytes( |
| 257 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 259 reinterpret_cast<const char*>(google_der), sizeof(google_der)); |
| 258 | 260 |
| 259 CheckGoogleCert(google_cert, google_fingerprint, | 261 CheckGoogleCert(google_cert, google_fingerprint, |
| 357 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); | 359 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); |
| 358 for (size_t i = 0; i < 20; ++i) | 360 for (size_t i = 0; i < 20; ++i) |
| 359 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); | 361 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); |
| 360 | 362 |
| 361 std::vector<std::string> dns_names; | 363 std::vector<std::string> dns_names; |
| 362 thawte_cert->GetDNSNames(&dns_names); | 364 thawte_cert->GetDNSNames(&dns_names); |
| 363 ASSERT_EQ(1U, dns_names.size()); | 365 ASSERT_EQ(1U, dns_names.size()); |
| 364 EXPECT_EQ("www.thawte.com", dns_names[0]); | 366 EXPECT_EQ("www.thawte.com", dns_names[0]); |
| 365 | 367 |
| 366 #if TEST_EV | 368 #if TEST_EV |
| 367 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 369 int flags = x509_chain::VERIFY_REV_CHECKING_ENABLED | |
| 368 X509Certificate::VERIFY_EV_CERT; | 370 x509_chain::VERIFY_EV_CERT; |
| 369 CertVerifyResult verify_result; | 371 CertVerifyResult verify_result; |
| 370 // EV cert verification requires revocation checking. | 372 // EV cert verification requires revocation checking. |
| 371 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); | 373 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); |
| 372 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 374 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV); |
| 373 // Consequently, if we don't have revocation checking enabled, we can't claim | 375 // Consequently, if we don't have revocation checking enabled, we can't claim |
| 374 // any cert is EV. | 376 // any cert is EV. |
| 375 flags = X509Certificate::VERIFY_EV_CERT; | 377 flags = X509Certificate::VERIFY_EV_CERT; |
| 376 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); | 378 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); |
| 377 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 379 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); |
| 378 #endif | 380 #endif |
| 379 } | 381 } |
| 380 | 382 |
| 381 TEST(X509CertificateTest, PaypalNullCertParsing) { | 383 TEST(X509CertificateTest, PaypalNullCertParsing) { |
| 382 scoped_refptr<X509Certificate> paypal_null_cert = | 384 scoped_refptr<X509Certificate> paypal_null_cert = |
| 383 X509Certificate::CreateFromBytes( | 385 X509Certificate::CreateFromBytes( |
| 384 reinterpret_cast<const char*>(paypal_null_der), | 386 reinterpret_cast<const char*>(paypal_null_der), |
| 385 sizeof(paypal_null_der)); | 387 sizeof(paypal_null_der)); |
| 386 | 388 |
| 387 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); | 389 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); |
| 388 | 390 |
| 389 const SHA1Fingerprint& fingerprint = | 391 const SHA1Fingerprint& fingerprint = |
| 390 paypal_null_cert->fingerprint(); | 392 paypal_null_cert->fingerprint(); |
| 391 for (size_t i = 0; i < 20; ++i) | 393 for (size_t i = 0; i < 20; ++i) |
| 392 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); | 394 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); |
| 393 | 395 |
| 394 int flags = 0; | 396 int flags = 0; |
| 395 CertVerifyResult verify_result; | 397 CertVerifyResult verify_result; |
| 396 int error = paypal_null_cert->Verify("www.paypal.com", flags, | 398 int error = x509_chain::VerifySSLServer(paypal_null_cert, "www.paypal.com", |
| 397 &verify_result); | 399 flags, &verify_result); |
| 398 EXPECT_NE(OK, error); | 400 EXPECT_NE(OK, error); |
| 399 // Either the system crypto library should correctly report a certificate | 401 // Either the system crypto library should correctly report a certificate |
| 400 // name mismatch, or our certificate blacklist should cause us to report an | 402 // name mismatch, or our certificate blacklist should cause us to report an |
| 401 // invalid certificate. | 403 // invalid certificate. |
| 402 #if !defined(OS_MACOSX) && !defined(USE_OPENSSL) | 404 #if !defined(OS_MACOSX) && !defined(USE_OPENSSL) |
| 403 EXPECT_NE(0, verify_result.cert_status & | 405 EXPECT_NE(0, verify_result.cert_status & |
| 404 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); | 406 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); |
| 405 #endif | 407 #endif |
| 406 } | 408 } |
| 407 | 409 |
| 408 // A certificate whose AIA extension contains an LDAP URL without a host name. | 410 // A certificate whose AIA extension contains an LDAP URL without a host name. |
| 409 // This certificate will expire on 2011-09-08. | 411 // This certificate will expire on 2011-09-08. |
| 410 TEST(X509CertificateTest, UnoSoftCertParsing) { | 412 TEST(X509CertificateTest, UnoSoftCertParsing) { |
| 411 FilePath certs_dir = GetTestCertsDirectory(); | 413 FilePath certs_dir = GetTestCertsDirectory(); |
| 412 scoped_refptr<X509Certificate> unosoft_hu_cert = | 414 scoped_refptr<X509Certificate> unosoft_hu_cert = |
| 413 ImportCertFromFile(certs_dir, "unosoft_hu_cert.der"); | 415 ImportCertFromFile(certs_dir, "unosoft_hu_cert.der"); |
| 414 | 416 |
| 415 ASSERT_NE(static_cast<X509Certificate*>(NULL), unosoft_hu_cert); | 417 ASSERT_NE(static_cast<X509Certificate*>(NULL), unosoft_hu_cert); |
| 416 | 418 |
| 417 const SHA1Fingerprint& fingerprint = | 419 const SHA1Fingerprint& fingerprint = |
| 418 unosoft_hu_cert->fingerprint(); | 420 unosoft_hu_cert->fingerprint(); |
| 419 for (size_t i = 0; i < 20; ++i) | 421 for (size_t i = 0; i < 20; ++i) |
| 420 EXPECT_EQ(unosoft_hu_fingerprint[i], fingerprint.data[i]); | 422 EXPECT_EQ(unosoft_hu_fingerprint[i], fingerprint.data[i]); |
| 421 | 423 |
| 422 int flags = 0; | 424 int flags = 0; |
| 423 CertVerifyResult verify_result; | 425 CertVerifyResult verify_result; |
| 424 int error = unosoft_hu_cert->Verify("www.unosoft.hu", flags, | 426 int error = x509_chain::VerifySSLServer(unosoft_hu_cert, "www.unosoft.hu", |
| 425 &verify_result); | 427 flags, &verify_result); |
| 426 EXPECT_NE(OK, error); | 428 EXPECT_NE(OK, error); |
| 427 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); | 429 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); |
| 428 } | 430 } |
| 429 | 431 |
| 430 #if defined(USE_NSS) || defined(USE_OPENSSL) | 432 #if defined(USE_NSS) || defined(USE_OPENSSL) |
| 431 // A regression test for http://crbug.com/31497. | 433 // A regression test for http://crbug.com/31497. |
| 432 // This certificate will expire on 2012-04-08. | 434 // This certificate will expire on 2012-04-08. |
| 433 // TODO(wtc): we can't run this test on Mac because MacTrustedCertificates | 435 // TODO(wtc): we can't run this test on Mac because MacTrustedCertificates |
| 434 // can hold only one additional trusted root certificate for unit tests. | 436 // can hold only one additional trusted root certificate for unit tests. |
| 435 // TODO(wtc): we can't run this test on Windows because LoadTemporaryRootCert | 437 // TODO(wtc): we can't run this test on Windows because LoadTemporaryRootCert |
| 453 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | 455 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
| 454 | 456 |
| 455 X509Certificate::OSCertHandles intermediates; | 457 X509Certificate::OSCertHandles intermediates; |
| 456 intermediates.push_back(intermediate_cert->os_cert_handle()); | 458 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 457 scoped_refptr<X509Certificate> cert_chain = | 459 scoped_refptr<X509Certificate> cert_chain = |
| 458 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 460 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 459 intermediates); | 461 intermediates); |
| 460 | 462 |
| 461 int flags = 0; | 463 int flags = 0; |
| 462 CertVerifyResult verify_result; | 464 CertVerifyResult verify_result; |
| 463 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result); | 465 int error = x509_chain::VerifySSLServer(server_cert, "www.us.army.mil", |
| 466 flags, &verify_result); |
| 464 EXPECT_EQ(OK, error); | 467 EXPECT_EQ(OK, error); |
| 465 EXPECT_EQ(0, verify_result.cert_status); | 468 EXPECT_EQ(0, verify_result.cert_status); |
| 466 } | 469 } |
| 467 #endif | 470 #endif |
| 468 | 471 |
| 469 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle. We | 472 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle. We |
| 470 // call X509Certificate::CreateFromHandle several times and observe whether | 473 // call X509Certificate::CreateFromHandle several times and observe whether |
| 471 // it returns a cached or new X509Certificate object. | 474 // it returns a cached or new X509Certificate object. |
| 472 // | 475 // |
| 473 // All the OS certificate handles in this test are actually from the same | 476 // All the OS certificate handles in this test are actually from the same |
| 717 | 720 |
| 718 for (size_t j = 0; j < 20; ++j) | 721 for (size_t j = 0; j < 20; ++j) |
| 719 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); | 722 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); |
| 720 } | 723 } |
| 721 } | 724 } |
| 722 | 725 |
| 723 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, | 726 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, |
| 724 testing::ValuesIn(FormatTestData)); | 727 testing::ValuesIn(FormatTestData)); |
| 725 | 728 |
| 726 } // namespace net | 729 } // namespace net |
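Review bot: In the www.us.army.mil regression test the new call passes `server_cert` to `x509_chain::VerifySSLServer` while `cert_chain`, still assembled a few lines earlier from `server_cert` plus the intermediate, is no longer used anywhere, so the intermediate is no longer handed to the verifier and the test may now only pass if the platform library locates that intermediate on its own rather than because the chain-building path under test works. If VerifySSLServer accepts the chain object, the line should read `int error = x509_chain::VerifySSLServer(cert_chain, "www.us.army.mil",`; otherwise the dead `cert_chain` construction should go, with a comment stating where the intermediate is expected to come from. The same half-migration is visible in the Thawte EV block under `#if TEST_EV`: the flags switch to `x509_chain::VERIFY_REV_CHECKING_ENABLED | x509_chain::VERIFY_EV_CERT`, but both `thawte_cert->Verify(...)` calls and the later `flags = X509Certificate::VERIFY_EV_CERT;` keep the old API, and because TEST_EV is off for automated runs this code is never compiled, so the mismatch (and any difference between the old and new flag constants' values) only surfaces when someone enables EV testing by hand. Suggest migrating those three lines to `x509_chain::VerifySSLServer(thawte_cert, "www.thawte.com", flags, &verify_result)` and `flags = x509_chain::VERIFY_EV_CERT;` in this CL, since that block is the only check that EV status is not claimed without revocation checking.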