| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 755 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 766 webkit_cert->os_cert_handle())); | 766 webkit_cert->os_cert_handle())); |
| 767 EXPECT_TRUE(cert2->HasIntermediateCertificate( | 767 EXPECT_TRUE(cert2->HasIntermediateCertificate( |
| 768 thawte_cert->os_cert_handle())); | 768 thawte_cert->os_cert_handle())); |
| 769 EXPECT_FALSE(cert2->HasIntermediateCertificate( | 769 EXPECT_FALSE(cert2->HasIntermediateCertificate( |
| 770 paypal_cert->os_cert_handle())); | 770 paypal_cert->os_cert_handle())); |
| 771 | 771 |
| 772 // Cleanup | 772 // Cleanup |
| 773 X509Certificate::FreeOSCertHandle(google_handle); | 773 X509Certificate::FreeOSCertHandle(google_handle); |
| 774 } | 774 } |
| 775 | 775 |
| 776 // Basic test for returning the chain in CertVerifyResult. Note that the |
| 777 // returned chain may just be a reflection of the originally supplied chain; |
| 778 // that is, if any unrecoverable errors occur, the default chain returned is |
| 779 // an exact copy of the certificate to be verified. The remaining |
| 780 // VerifyReturn* tests are used to ensure that the actual, verified chain is |
| 781 // being returned by Verify(). |
| 782 TEST(X509CertificateTest, VerifyReturnChainBasic) { |
| 783 FilePath certs_dir = GetTestCertsDirectory(); |
| 784 CertificateList certs = CreateCertificateListFromFile( |
| 785 certs_dir, "x509_verify_results.chain.pem", |
| 786 X509Certificate::FORMAT_AUTO); |
| 787 ASSERT_EQ(3U, certs.size()); |
| 788 |
| 789 X509Certificate::OSCertHandles intermediates; |
| 790 intermediates.push_back(certs[1]->os_cert_handle()); |
| 791 intermediates.push_back(certs[2]->os_cert_handle()); |
| 792 |
| 793 TestRootCerts::GetInstance()->Add(certs[2]); |
| 794 |
| 795 scoped_refptr<X509Certificate> google_full_chain = |
| 796 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 797 intermediates); |
| 798 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 799 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 800 |
| 801 CertVerifyResult verify_result; |
| 802 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 803 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); |
| 804 EXPECT_EQ(OK, error); |
| 805 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 806 |
| 807 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 808 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 809 google_full_chain->os_cert_handle(), |
| 810 verify_result.verified_cert->os_cert_handle())); |
| 811 const X509Certificate::OSCertHandles& return_intermediates = |
| 812 verify_result.verified_cert->GetIntermediateCertificates(); |
| 813 ASSERT_EQ(2U, return_intermediates.size()); |
| 814 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 815 certs[1]->os_cert_handle())); |
| 816 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 817 certs[2]->os_cert_handle())); |
| 818 |
| 819 TestRootCerts::GetInstance()->Clear(); |
| 820 } |
| 821 |
| 822 // Test that the certificate returned in CertVerifyResult is able to reorder |
| 823 // certificates that are not ordered from end-entity to root. While this is |
| 824 // a protocol violation if sent during a TLS handshake, if multiple sources |
| 825 // of intermediate certificates are combined, it's possible that order may |
| 826 // not be maintained. |
| 827 TEST(X509CertificateTest, VerifyReturnChainProperlyOrders) { |
| 828 FilePath certs_dir = GetTestCertsDirectory(); |
| 829 CertificateList certs = CreateCertificateListFromFile( |
| 830 certs_dir, "x509_verify_results.chain.pem", |
| 831 X509Certificate::FORMAT_AUTO); |
| 832 ASSERT_EQ(3U, certs.size()); |
| 833 |
| 834 // Construct the chain out of order. |
| 835 X509Certificate::OSCertHandles intermediates; |
| 836 intermediates.push_back(certs[2]->os_cert_handle()); |
| 837 intermediates.push_back(certs[1]->os_cert_handle()); |
| 838 |
| 839 TestRootCerts::GetInstance()->Add(certs[2]); |
| 840 |
| 841 scoped_refptr<X509Certificate> google_full_chain = |
| 842 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 843 intermediates); |
| 844 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 845 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 846 |
| 847 CertVerifyResult verify_result; |
| 848 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 849 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); |
| 850 EXPECT_EQ(OK, error); |
| 851 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 852 |
| 853 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 854 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 855 google_full_chain->os_cert_handle(), |
| 856 verify_result.verified_cert->os_cert_handle())); |
| 857 const X509Certificate::OSCertHandles& return_intermediates = |
| 858 verify_result.verified_cert->GetIntermediateCertificates(); |
| 859 ASSERT_EQ(2U, return_intermediates.size()); |
| 860 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 861 certs[1]->os_cert_handle())); |
| 862 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 863 certs[2]->os_cert_handle())); |
| 864 |
| 865 TestRootCerts::GetInstance()->Clear(); |
| 866 } |
| 867 |
| 868 // Test that Verify() filters out certificates which are not related to |
| 869 // or part of the certificate/chain being verified. |
| 870 TEST(X509CertificateTest, VerifyReturnChainFiltersUnrelatedCerts) { |
| 871 FilePath certs_dir = GetTestCertsDirectory(); |
| 872 CertificateList certs = CreateCertificateListFromFile( |
| 873 certs_dir, "x509_verify_results.chain.pem", |
| 874 X509Certificate::FORMAT_AUTO); |
| 875 ASSERT_EQ(3U, certs.size()); |
| 876 TestRootCerts::GetInstance()->Add(certs[2]); |
| 877 |
| 878 scoped_refptr<X509Certificate> unrelated_dod_certificate = |
| 879 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); |
| 880 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = |
| 881 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); |
| 882 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); |
| 883 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); |
| 884 |
| 885 // Interject unrelated certificates into the list of intermediates. |
| 886 X509Certificate::OSCertHandles intermediates; |
| 887 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); |
| 888 intermediates.push_back(certs[1]->os_cert_handle()); |
| 889 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); |
| 890 intermediates.push_back(certs[2]->os_cert_handle()); |
| 891 |
| 892 scoped_refptr<X509Certificate> google_full_chain = |
| 893 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 894 intermediates); |
| 895 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 896 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); |
| 897 |
| 898 CertVerifyResult verify_result; |
| 899 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 900 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); |
| 901 EXPECT_EQ(OK, error); |
| 902 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 903 |
| 904 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 905 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 906 google_full_chain->os_cert_handle(), |
| 907 verify_result.verified_cert->os_cert_handle())); |
| 908 const X509Certificate::OSCertHandles& return_intermediates = |
| 909 verify_result.verified_cert->GetIntermediateCertificates(); |
| 910 ASSERT_EQ(2U, return_intermediates.size()); |
| 911 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 912 certs[1]->os_cert_handle())); |
| 913 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 914 certs[2]->os_cert_handle())); |
| 915 TestRootCerts::GetInstance()->Clear(); |
| 916 } |
| 917 |
| 776 #if defined(OS_MACOSX) | 918 #if defined(OS_MACOSX) |
| 777 TEST(X509CertificateTest, IsIssuedBy) { | 919 TEST(X509CertificateTest, IsIssuedBy) { |
| 778 FilePath certs_dir = GetTestCertsDirectory(); | 920 FilePath certs_dir = GetTestCertsDirectory(); |
| 779 | 921 |
| 780 // Test a client certificate from MIT. | 922 // Test a client certificate from MIT. |
| 781 scoped_refptr<X509Certificate> mit_davidben_cert( | 923 scoped_refptr<X509Certificate> mit_davidben_cert( |
| 782 ImportCertFromFile(certs_dir, "mit.davidben.der")); | 924 ImportCertFromFile(certs_dir, "mit.davidben.der")); |
| 783 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); | 925 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); |
| 784 | 926 |
| 785 CertPrincipal mit_issuer; | 927 CertPrincipal mit_issuer; |
| (...skipping 296 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1082 EXPECT_EQ(test_data.expected, | 1224 EXPECT_EQ(test_data.expected, |
| 1083 X509Certificate::VerifyHostname(test_data.hostname, cert_names)) | 1225 X509Certificate::VerifyHostname(test_data.hostname, cert_names)) |
| 1084 << "Host [" << test_data.hostname | 1226 << "Host [" << test_data.hostname |
| 1085 << "], cert name [" << test_data.cert_names << "]"; | 1227 << "], cert name [" << test_data.cert_names << "]"; |
| 1086 } | 1228 } |
| 1087 | 1229 |
| 1088 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, | 1230 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, |
| 1089 testing::ValuesIn(kNameVerifyTestData)); | 1231 testing::ValuesIn(kNameVerifyTestData)); |
| 1090 | 1232 |
| 1091 } // namespace net | 1233 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6874039:
Return the constructed certificate chain in X509Certificate::Verify() (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src