Chromium Code Reviews Chromium Code Reviews
Issue 4184004:
Add support for certificate name checking (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/base/x509_openssl_util.h" | |
| 6 | |
| 7 #include <algorithm> | |
| 8 | |
| 9 #include "base/string_split.h" | |
| 10 #include "testing/gtest/include/gtest/gtest.h" | |
| 11 | |
| 12 namespace net { | |
| 13 | |
| 14 namespace x509_openssl_util { | |
| 15 | |
| 16 namespace { | |
| 17 | |
| 18 struct CertificateNameVerifyTestData { | |
| 19 // true iff we expect hostname to match an entry in cert_names. | |
| 20 const bool expected; | |
| 21 // The hostname to match. | |
| 22 const char* const hostname; | |
| 23 // '/' separated list of certificate names to match against. Any occurrence | |
| 24 // of '#' will be replaced with a null character before processing. | |
| 25 const char* const cert_names; | |
| 26 }; | |
| 27 | |
| 28 CertificateNameVerifyTestData kNameVerifyTestData[] = { | |
| 29 { true, "foo.com", "foo.com" }, | |
| 30 { true, "foo.com", "foo.com." }, | |
| 31 { true, "f", "f" }, | |
| 32 { true, "f", "f." }, | |
| 33 { true, "192.168.1.1", "192.168.1.1" }, | |
| 34 { true, "bar.foo.com", "*.foo.com" }, | |
| 35 { true, "www-3.bar.foo.com", "*.bar.foo.com." }, | |
| 36 { true, "www.test.fr", "*.test.com/*.test.co.uk/*.test.de/*.test.fr" }, | |
| 37 { true, "wwW.tESt.fr", "//*.*/*.test.de/*.test.FR/www" }, | |
| 38 { false, "foo.com", "*.com" }, | |
| 39 { false, "f.uk", ".uk" }, | |
| 40 { false, "h.co.uk", "*.co.uk" }, | |
| 41 { false, "192.168.1.11", "*.168.1.11" }, | |
|
wtc
2010/11/03 00:29:49
It's important that a wildcard '*' not match IP ad
joth
2010/11/12 18:55:23
The 'false' indicates these shouldn't match.
| |
| 42 { false, "foo.us", "*.us" }, | |
| 43 { false, "www.bar.foo.com", | |
| 44 "*.foo.com/*.*.foo.com/*.*.bar.foo.com/*w*.bar.foo.com/*..bar.foo.com" }, | |
| 45 { false, "w.bar.foo.com", "?.bar.foo.com" }, | |
| 46 { false, "www.foo.com", "(www|ftp).foo.com" }, | |
| 47 { false, "www.foo.com", "www.foo.com#*.foo.com/#" }, // # = null char. | |
| 48 { false, "foo", "*" }, | |
| 49 { false, "foo.", "*." }, | |
| 50 { false, "test.org", "www.test.org/*.test.org/*.org" }, | |
| 51 { false, "1.2.3.4.5.6", "*.2.3.4.5.6" }, | |
| 52 // IDN tests | |
| 53 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, | |
| 54 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, | |
| 55 { false, "xn--poema-9qae5a.com.br.com.br", "*.xn--poema-9qae5a.com.br" }, | |
| 56 // The following are adapted from the examples in http://tools.ietf.org/html /draft-saintandre-tls-server-id-check-09#section-4.4.3 | |
| 57 { true, "foo.example.com", "*.example.com" }, | |
| 58 { false, "bar.foo.example.com", "*.example.com" }, | |
| 59 { false, "example.com", "*.example.com" }, | |
| 60 { false, "baz1.example.net", "baz*.example.net" }, | |
| 61 { false, "baz2.example.net", "baz*.example.net" }, | |
| 62 { false, "bar.*.example.net", "bar.*.example.net" }, | |
| 63 { false, "bar.f*o.example.net", "bar.f*o.example.net" }, | |
| 64 // IPv6 tests. TODO(joth): verify these. | |
| 65 { true, "[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]", | |
|
wtc
2010/11/03 00:29:49
Standalone IPv6 address literals should not includ
joth
2010/11/12 18:55:23
Removed IPv6 non-support for now (crbug.com/62973)
| |
| 66 "[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]" }, | |
| 67 { false, "[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]", "*.]" }, | |
| 68 { true, "[::192.9.5.5]", "[::192.9.5.5]" }, | |
| 69 { false, "[2010:836B:4179::836B:4179]", "[*:836B:4179::836B:4179]" }, | |
| 70 // Invalid host names. | |
| 71 { false, "www%26.foo.com", "www%26.foo.com" }, | |
| 72 { false, "www.*.com", "www.*.com" }, | |
| 73 { false, "w$w.f.com", "w$w.f.com" }, | |
| 74 { false, "www-1.[::FFFF:129.144.52.38]", "*.[::FFFF:129.144.52.38]" }, | |
| 75 }; | |
| 76 | |
| 77 class X509CertificateNameVerifyTest | |
| 78 : public testing::TestWithParam<CertificateNameVerifyTestData> { | |
| 79 protected: | |
|
wtc
2010/11/03 00:29:49
Nit: delete 'protected'.
joth
2010/11/12 18:55:23
Done.
| |
| 80 }; | |
| 81 | |
| 82 TEST_P(X509CertificateNameVerifyTest, VerifyHostname) { | |
| 83 CertificateNameVerifyTestData test_data(GetParam()); | |
| 84 | |
| 85 std::string cert_name_line(test_data.cert_names); | |
| 86 std::replace(cert_name_line.begin(), cert_name_line.end(), '#', '\0'); | |
| 87 std::vector<std::string> cert_names; | |
| 88 base::SplitString(cert_name_line, '/', &cert_names); | |
| 89 const bool result = VerifyHostname(test_data.hostname, cert_names); | |
|
wtc
2010/11/03 00:29:49
Nit: I think it is excessive to use a 'const' loca
joth
2010/11/12 18:55:23
Done.
| |
| 90 EXPECT_EQ(test_data.expected, result) | |
| 91 << "Host [" << test_data.hostname | |
| 92 << "], cert name [" << test_data.cert_names << "]"; | |
| 93 } | |
| 94 | |
| 95 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, | |
| 96 testing::ValuesIn(kNameVerifyTestData)); | |
| 97 | |
| 98 } // namespace | |
| 99 | |
| 100 } // namespace x509_openssl_util | |
| 101 | |
| 102 } // namespace net | |
| OLD | NEW |
