| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 218 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 229 google_cert->GetDNSNames(&dns_names); | 229 google_cert->GetDNSNames(&dns_names); |
| 230 ASSERT_EQ(1U, dns_names.size()); | 230 ASSERT_EQ(1U, dns_names.size()); |
| 231 EXPECT_EQ("www.google.com", dns_names[0]); | 231 EXPECT_EQ("www.google.com", dns_names[0]); |
| 232 | 232 |
| 233 #if TEST_EV | 233 #if TEST_EV |
| 234 // TODO(avi): turn this on for the Mac once EV checking is implemented. | 234 // TODO(avi): turn this on for the Mac once EV checking is implemented. |
| 235 CertVerifyResult verify_result; | 235 CertVerifyResult verify_result; |
| 236 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 236 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 237 X509Certificate::VERIFY_EV_CERT; | 237 X509Certificate::VERIFY_EV_CERT; |
| 238 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result)); | 238 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result)); |
| 239 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 239 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 240 #endif | 240 #endif |
| 241 } | 241 } |
| 242 | 242 |
| 243 TEST(X509CertificateTest, GoogleCertParsing) { | 243 TEST(X509CertificateTest, GoogleCertParsing) { |
| 244 scoped_refptr<X509Certificate> google_cert( | 244 scoped_refptr<X509Certificate> google_cert( |
| 245 X509Certificate::CreateFromBytes( | 245 X509Certificate::CreateFromBytes( |
| 246 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 246 reinterpret_cast<const char*>(google_der), sizeof(google_der))); |
| 247 | 247 |
| 248 CheckGoogleCert(google_cert, google_fingerprint, | 248 CheckGoogleCert(google_cert, google_fingerprint, |
| 249 1238192407, // Mar 27 22:20:07 2009 GMT | 249 1238192407, // Mar 27 22:20:07 2009 GMT |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 295 webkit_cert->GetDNSNames(&dns_names); | 295 webkit_cert->GetDNSNames(&dns_names); |
| 296 ASSERT_EQ(2U, dns_names.size()); | 296 ASSERT_EQ(2U, dns_names.size()); |
| 297 EXPECT_EQ("*.webkit.org", dns_names[0]); | 297 EXPECT_EQ("*.webkit.org", dns_names[0]); |
| 298 EXPECT_EQ("webkit.org", dns_names[1]); | 298 EXPECT_EQ("webkit.org", dns_names[1]); |
| 299 | 299 |
| 300 #if TEST_EV | 300 #if TEST_EV |
| 301 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 301 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 302 X509Certificate::VERIFY_EV_CERT; | 302 X509Certificate::VERIFY_EV_CERT; |
| 303 CertVerifyResult verify_result; | 303 CertVerifyResult verify_result; |
| 304 EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, &verify_result)); | 304 EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, &verify_result)); |
| 305 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 305 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 306 #endif | 306 #endif |
| 307 | 307 |
| 308 // Test that the wildcard cert matches properly. | 308 // Test that the wildcard cert matches properly. |
| 309 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); | 309 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); |
| 310 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); | 310 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); |
| 311 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); | 311 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); |
| 312 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); | 312 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); |
| 313 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); | 313 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); |
| 314 } | 314 } |
| 315 | 315 |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 358 thawte_cert->GetDNSNames(&dns_names); | 358 thawte_cert->GetDNSNames(&dns_names); |
| 359 ASSERT_EQ(1U, dns_names.size()); | 359 ASSERT_EQ(1U, dns_names.size()); |
| 360 EXPECT_EQ("www.thawte.com", dns_names[0]); | 360 EXPECT_EQ("www.thawte.com", dns_names[0]); |
| 361 | 361 |
| 362 #if TEST_EV | 362 #if TEST_EV |
| 363 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 363 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 364 X509Certificate::VERIFY_EV_CERT; | 364 X509Certificate::VERIFY_EV_CERT; |
| 365 CertVerifyResult verify_result; | 365 CertVerifyResult verify_result; |
| 366 // EV cert verification requires revocation checking. | 366 // EV cert verification requires revocation checking. |
| 367 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); | 367 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); |
| 368 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 368 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 369 // Consequently, if we don't have revocation checking enabled, we can't claim | 369 // Consequently, if we don't have revocation checking enabled, we can't claim |
| 370 // any cert is EV. | 370 // any cert is EV. |
| 371 flags = X509Certificate::VERIFY_EV_CERT; | 371 flags = X509Certificate::VERIFY_EV_CERT; |
| 372 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); | 372 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); |
| 373 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 373 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 374 #endif | 374 #endif |
| 375 } | 375 } |
| 376 | 376 |
| 377 TEST(X509CertificateTest, PaypalNullCertParsing) { | 377 TEST(X509CertificateTest, PaypalNullCertParsing) { |
| 378 scoped_refptr<X509Certificate> paypal_null_cert( | 378 scoped_refptr<X509Certificate> paypal_null_cert( |
| 379 X509Certificate::CreateFromBytes( | 379 X509Certificate::CreateFromBytes( |
| 380 reinterpret_cast<const char*>(paypal_null_der), | 380 reinterpret_cast<const char*>(paypal_null_der), |
| 381 sizeof(paypal_null_der))); | 381 sizeof(paypal_null_der))); |
| 382 | 382 |
| 383 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); | 383 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 395 // TOOD(bulach): investigate why macosx and win aren't returning | 395 // TOOD(bulach): investigate why macosx and win aren't returning |
| 396 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. | 396 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. |
| 397 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 397 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 398 #else | 398 #else |
| 399 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); | 399 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); |
| 400 #endif | 400 #endif |
| 401 // Either the system crypto library should correctly report a certificate | 401 // Either the system crypto library should correctly report a certificate |
| 402 // name mismatch, or our certificate blacklist should cause us to report an | 402 // name mismatch, or our certificate blacklist should cause us to report an |
| 403 // invalid certificate. | 403 // invalid certificate. |
| 404 #if !defined(OS_MACOSX) && !defined(USE_OPENSSL) | 404 #if !defined(OS_MACOSX) && !defined(USE_OPENSSL) |
| 405 EXPECT_NE(0, verify_result.cert_status & | 405 EXPECT_TRUE(verify_result.cert_status & |
| 406 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); | 406 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); |
| 407 #endif | 407 #endif |
| 408 } | 408 } |
| 409 | 409 |
| 410 TEST(X509CertificateTest, SerialNumbers) { | 410 TEST(X509CertificateTest, SerialNumbers) { |
| 411 scoped_refptr<X509Certificate> google_cert( | 411 scoped_refptr<X509Certificate> google_cert( |
| 412 X509Certificate::CreateFromBytes( | 412 X509Certificate::CreateFromBytes( |
| 413 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 413 reinterpret_cast<const char*>(google_der), sizeof(google_der))); |
| 414 | 414 |
| 415 static const uint8 google_serial[16] = { | 415 static const uint8 google_serial[16] = { |
| 416 0x01,0x2a,0x39,0x76,0x0d,0x3f,0x4f,0xc9, | 416 0x01,0x2a,0x39,0x76,0x0d,0x3f,0x4f,0xc9, |
| (...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 492 intermediates.push_back(intermediate_cert->os_cert_handle()); | 492 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 493 scoped_refptr<X509Certificate> cert_chain = | 493 scoped_refptr<X509Certificate> cert_chain = |
| 494 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 494 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 495 intermediates); | 495 intermediates); |
| 496 | 496 |
| 497 CertVerifyResult verify_result; | 497 CertVerifyResult verify_result; |
| 498 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 498 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 499 X509Certificate::VERIFY_EV_CERT; | 499 X509Certificate::VERIFY_EV_CERT; |
| 500 int error = cert_chain->Verify("2029.globalsign.com", flags, &verify_result); | 500 int error = cert_chain->Verify("2029.globalsign.com", flags, &verify_result); |
| 501 if (error == OK) | 501 if (error == OK) |
| 502 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV); | 502 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 503 else | 503 else |
| 504 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 504 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 505 } | 505 } |
| 506 | 506 |
| 507 // Test for bug 94673. | 507 // Test for bug 94673. |
| 508 TEST(X509CertificateTest, GoogleDigiNotarTest) { | 508 TEST(X509CertificateTest, GoogleDigiNotarTest) { |
| 509 FilePath certs_dir = GetTestCertsDirectory(); | 509 FilePath certs_dir = GetTestCertsDirectory(); |
| 510 | 510 |
| 511 scoped_refptr<X509Certificate> server_cert = | 511 scoped_refptr<X509Certificate> server_cert = |
| 512 ImportCertFromFile(certs_dir, "google_diginotar.pem"); | 512 ImportCertFromFile(certs_dir, "google_diginotar.pem"); |
| (...skipping 176 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 689 int flags = 0; | 689 int flags = 0; |
| 690 CertVerifyResult verify_result; | 690 CertVerifyResult verify_result; |
| 691 int error = server_cert->Verify("jira.aquameta.com", flags, &verify_result); | 691 int error = server_cert->Verify("jira.aquameta.com", flags, &verify_result); |
| 692 #if defined(USE_OPENSSL) | 692 #if defined(USE_OPENSSL) |
| 693 // This certificate has two errors: "invalid key usage" and "untrusted CA". | 693 // This certificate has two errors: "invalid key usage" and "untrusted CA". |
| 694 // However, OpenSSL returns only one (the latter), and we can't detect | 694 // However, OpenSSL returns only one (the latter), and we can't detect |
| 695 // the other errors. | 695 // the other errors. |
| 696 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 696 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 697 #else | 697 #else |
| 698 EXPECT_EQ(ERR_CERT_INVALID, error); | 698 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 699 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_INVALID); | 699 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); |
| 700 #endif | 700 #endif |
| 701 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors | 701 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors |
| 702 // from NSS. | 702 // from NSS. |
| 703 #if !defined(USE_NSS) | 703 #if !defined(USE_NSS) |
| 704 // The certificate is issued by an unknown CA. | 704 // The certificate is issued by an unknown CA. |
| 705 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); | 705 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); |
| 706 #endif | 706 #endif |
| 707 } | 707 } |
| 708 | 708 |
| 709 // Tests X509CertificateCache via X509Certificate::CreateFromHandle. We | 709 // Tests X509CertificateCache via X509Certificate::CreateFromHandle. We |
| 710 // call X509Certificate::CreateFromHandle several times and observe whether | 710 // call X509Certificate::CreateFromHandle several times and observe whether |
| 711 // it returns a cached or new OSCertHandle. | 711 // it returns a cached or new OSCertHandle. |
| 712 TEST(X509CertificateTest, Cache) { | 712 TEST(X509CertificateTest, Cache) { |
| 713 X509Certificate::OSCertHandle google_cert_handle; | 713 X509Certificate::OSCertHandle google_cert_handle; |
| 714 X509Certificate::OSCertHandle thawte_cert_handle; | 714 X509Certificate::OSCertHandle thawte_cert_handle; |
| 715 | 715 |
| (...skipping 782 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1498 } | 1498 } |
| 1499 | 1499 |
| 1500 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( | 1500 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( |
| 1501 test_data.hostname, common_name, dns_names, ip_addressses)); | 1501 test_data.hostname, common_name, dns_names, ip_addressses)); |
| 1502 } | 1502 } |
| 1503 | 1503 |
| 1504 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, | 1504 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, |
| 1505 testing::ValuesIn(kNameVerifyTestData)); | 1505 testing::ValuesIn(kNameVerifyTestData)); |
| 1506 | 1506 |
| 1507 } // namespace net | 1507 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7819009:
For the SSL cert status, convert anonymous enum that gives bit values into a typedefed uint32. Th... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/