Allow the constructed certificate chain to be returned in CertVerifyResult

net/base/x509_certificate_unittest.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_test_util.h"
@@ skipping 607 matching lines @@
       webkit_cert->os_cert_handle()));
   EXPECT_TRUE(cert2->HasIntermediateCertificate(
       thawte_cert->os_cert_handle()));
   EXPECT_FALSE(cert2->HasIntermediateCertificate(
       paypal_cert->os_cert_handle()));
 
   // Cleanup
   X509Certificate::FreeOSCertHandle(google_handle);
 }
 
+TEST(X509CertificateTest, VerifyReturnChainBasic) {
+  FilePath certs_dir = GetTestCertsDirectory();
+  CertificateList certs =
+      CreateCertificateListFromFile(certs_dir, "google.full_chain.pem",
+                                    X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
+
+  X509Certificate::OSCertHandles intermediates;
+  intermediates.push_back(certs[1]->os_cert_handle());
+  intermediates.push_back(certs[2]->os_cert_handle());
+
+  scoped_refptr<X509Certificate> google_full_chain =
+      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+                                        intermediates);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
+  ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
+
+  int flags = x509_chain::VERIFY_RETURN_CHAIN;
+  CertVerifyResult verify_result;
+  EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+  int error = x509_chain::VerifySSLServer(google_full_chain,
+                                          "www.google.com", flags,
+                                          &verify_result);
+  EXPECT_EQ(OK, error);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(
+      google_full_chain->os_cert_handle(),
+      verify_result.certificate->os_cert_handle()));
+  const X509Certificate::OSCertHandles& return_intermediates =
+      verify_result.certificate->GetIntermediateCertificates();
+  EXPECT_EQ(2U, return_intermediates.size());
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
+                                            certs[1]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
+                                            certs[2]->os_cert_handle()));
+}
+
+// Test that the certificate returned in CertVerifyResult is an actual
+// certificate chain by supplying the original chain out of order, which
+// will not properly validate unless the underlying crypto library reorders
+// the certificates into a valid chain.
+TEST(X509CertificateTest, VerifyReturnChainProperlyOrders) {
+  FilePath certs_dir = GetTestCertsDirectory();
+  CertificateList certs =
+      CreateCertificateListFromFile(certs_dir, "google.full_chain.pem",
+                                    X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
+
+  // Construct the chain out of order.
+  X509Certificate::OSCertHandles intermediates;
+  intermediates.push_back(certs[2]->os_cert_handle());
+  intermediates.push_back(certs[1]->os_cert_handle());
+
+  scoped_refptr<X509Certificate> google_full_chain =
+      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+                                        intermediates);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
+  ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
+
+  int flags = x509_chain::VERIFY_RETURN_CHAIN;
+  CertVerifyResult verify_result;
+  EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+  int error = x509_chain::VerifySSLServer(google_full_chain,
+                                          "www.google.com", flags,
+                                          &verify_result);
+  EXPECT_EQ(OK, error);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(
+      google_full_chain->os_cert_handle(),
+      verify_result.certificate->os_cert_handle()));
+  const X509Certificate::OSCertHandles& return_intermediates =
+      verify_result.certificate->GetIntermediateCertificates();
+  EXPECT_EQ(2U, return_intermediates.size());
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
+                                            certs[1]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
+                                            certs[2]->os_cert_handle()));
+}
+
+// Test that certificates supplied, but that are unrelated to the
+// certificate for which the chain is being constructed and verified, are
+// properly filtered out in the return chain.
+TEST(X509CertificateTest, VerifyReturnChainFiltersUnrelatedCerts) {
+  FilePath certs_dir = GetTestCertsDirectory();
+  CertificateList certs =
+      CreateCertificateListFromFile(certs_dir, "google.full_chain.pem",
+                                    X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
+  scoped_refptr<X509Certificate> unrelated_dod_certificate =
+      ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
+  scoped_refptr<X509Certificate> unrelated_dod_certificate2 =
+      ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2);
+
+  // Interject unrelated certificates into the list of intermediates.
+  X509Certificate::OSCertHandles intermediates;
+  intermediates.push_back(unrelated_dod_certificate->os_cert_handle());
+  intermediates.push_back(certs[1]->os_cert_handle());
+  intermediates.push_back(unrelated_dod_certificate2->os_cert_handle());
+  intermediates.push_back(certs[2]->os_cert_handle());
+
+  scoped_refptr<X509Certificate> google_full_chain =
+      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+                                        intermediates);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
+  ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
+
+  int flags = x509_chain::VERIFY_RETURN_CHAIN;
+  CertVerifyResult verify_result;
+  EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+  int error = x509_chain::VerifySSLServer(google_full_chain,
+                                          "www.google.com", flags,
+                                          &verify_result);
+  EXPECT_EQ(OK, error);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(
+      google_full_chain->os_cert_handle(),
+      verify_result.certificate->os_cert_handle()));
+  const X509Certificate::OSCertHandles& return_intermediates =
+      verify_result.certificate->GetIntermediateCertificates();
+  EXPECT_EQ(2U, return_intermediates.size());
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
+                                            certs[1]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
+                                            certs[2]->os_cert_handle()));
+}
+
+#if defined(ALLOW_EXTERNAL_ACCESS)
+// Test verification using only an end entity certificate, but one which has
+// an Authority Information Access extension containing a a location where
+// the intermediate certificate can be downloaded. It is not guaranteed that
+// the underlying crypto library will need to retrieve it using the AIA
+// extension, as it may already have a local copy installed or cached. In
+// order to keep this test reliable, however, and because it may make a
+// request to an external resource, this test is guarded by the define.
+TEST(X509CertificateTest, VerifyReturnsChainUsingAIA) {
+  FilePath certs_dir = GetTestCertsDirectory();
+  scoped_refptr<X509Certificate> google_cert =
+      ImportCertFromFile(certs_dir, "google.single.der");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
+  EXPECT_EQ(0U, google_cert->GetIntermediateCertificates().size());
+
+  int flags = x509_chain::VERIFY_RETURN_CHAIN;
+  CertVerifyResult verify_result;
+  EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+  int error = x509_chain::VerifySSLServer(google_cert, "www.google.com",
+                                          flags, &verify_result);
+  EXPECT_EQ(OK, error);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.certificate);
+
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(
+      google_cert->os_cert_handle(),
+      verify_result.certificate->os_cert_handle()));
+  const X509Certificate::OSCertHandles& intermediates =
+      verify_result.certificate->GetIntermediateCertificates();
+  EXPECT_EQ(2U, intermediates.size());
+}
+#endif
+
 #if defined(OS_MACOSX)
 TEST(X509CertificateTest, IsIssuedBy) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   // Test a client certificate from MIT.
   scoped_refptr<X509Certificate> mit_davidben_cert =
       ImportCertFromFile(certs_dir, "mit.davidben.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert);
 
   CertPrincipal mit_issuer;
@@ skipping 76 matching lines @@
 
     for (size_t j = 0; j < 20; ++j)
       EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]);
   }
 }
 
 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest,
                         testing::ValuesIn(FormatTestData));
 
 }  // namespace net