| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 215 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 226 std::vector<std::string> dns_names; | 226 std::vector<std::string> dns_names; |
| 227 google_cert->GetDNSNames(&dns_names); | 227 google_cert->GetDNSNames(&dns_names); |
| 228 ASSERT_EQ(1U, dns_names.size()); | 228 ASSERT_EQ(1U, dns_names.size()); |
| 229 EXPECT_EQ("www.google.com", dns_names[0]); | 229 EXPECT_EQ("www.google.com", dns_names[0]); |
| 230 | 230 |
| 231 #if TEST_EV | 231 #if TEST_EV |
| 232 // TODO(avi): turn this on for the Mac once EV checking is implemented. | 232 // TODO(avi): turn this on for the Mac once EV checking is implemented. |
| 233 CertVerifyResult verify_result; | 233 CertVerifyResult verify_result; |
| 234 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 234 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 235 X509Certificate::VERIFY_EV_CERT; | 235 X509Certificate::VERIFY_EV_CERT; |
| 236 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result)); | 236 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, NULL, |
| 237 &verify_result); |
| 237 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); | 238 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 238 #endif | 239 #endif |
| 239 } | 240 } |
| 240 | 241 |
| 241 TEST(X509CertificateTest, GoogleCertParsing) { | 242 TEST(X509CertificateTest, GoogleCertParsing) { |
| 242 scoped_refptr<X509Certificate> google_cert( | 243 scoped_refptr<X509Certificate> google_cert( |
| 243 X509Certificate::CreateFromBytes( | 244 X509Certificate::CreateFromBytes( |
| 244 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 245 reinterpret_cast<const char*>(google_der), sizeof(google_der))); |
| 245 | 246 |
| 246 CheckGoogleCert(google_cert, google_fingerprint, | 247 CheckGoogleCert(google_cert, google_fingerprint, |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 292 std::vector<std::string> dns_names; | 293 std::vector<std::string> dns_names; |
| 293 webkit_cert->GetDNSNames(&dns_names); | 294 webkit_cert->GetDNSNames(&dns_names); |
| 294 ASSERT_EQ(2U, dns_names.size()); | 295 ASSERT_EQ(2U, dns_names.size()); |
| 295 EXPECT_EQ("*.webkit.org", dns_names[0]); | 296 EXPECT_EQ("*.webkit.org", dns_names[0]); |
| 296 EXPECT_EQ("webkit.org", dns_names[1]); | 297 EXPECT_EQ("webkit.org", dns_names[1]); |
| 297 | 298 |
| 298 #if TEST_EV | 299 #if TEST_EV |
| 299 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 300 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 300 X509Certificate::VERIFY_EV_CERT; | 301 X509Certificate::VERIFY_EV_CERT; |
| 301 CertVerifyResult verify_result; | 302 CertVerifyResult verify_result; |
| 302 EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, &verify_result)); | 303 EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, NULL, &verify_result)); |
| 303 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); | 304 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 304 #endif | 305 #endif |
| 305 | 306 |
| 306 // Test that the wildcard cert matches properly. | 307 // Test that the wildcard cert matches properly. |
| 307 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); | 308 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); |
| 308 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); | 309 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); |
| 309 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); | 310 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); |
| 310 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); | 311 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); |
| 311 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); | 312 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); |
| 312 } | 313 } |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 355 std::vector<std::string> dns_names; | 356 std::vector<std::string> dns_names; |
| 356 thawte_cert->GetDNSNames(&dns_names); | 357 thawte_cert->GetDNSNames(&dns_names); |
| 357 ASSERT_EQ(1U, dns_names.size()); | 358 ASSERT_EQ(1U, dns_names.size()); |
| 358 EXPECT_EQ("www.thawte.com", dns_names[0]); | 359 EXPECT_EQ("www.thawte.com", dns_names[0]); |
| 359 | 360 |
| 360 #if TEST_EV | 361 #if TEST_EV |
| 361 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 362 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 362 X509Certificate::VERIFY_EV_CERT; | 363 X509Certificate::VERIFY_EV_CERT; |
| 363 CertVerifyResult verify_result; | 364 CertVerifyResult verify_result; |
| 364 // EV cert verification requires revocation checking. | 365 // EV cert verification requires revocation checking. |
| 365 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); | 366 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL, |
| 367 &verify_result); |
| 366 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 368 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 367 // Consequently, if we don't have revocation checking enabled, we can't claim | 369 // Consequently, if we don't have revocation checking enabled, we can't claim |
| 368 // any cert is EV. | 370 // any cert is EV. |
| 369 flags = X509Certificate::VERIFY_EV_CERT; | 371 flags = X509Certificate::VERIFY_EV_CERT; |
| 370 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); | 372 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL, |
| 373 &verify_result)); |
| 371 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); | 374 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 372 #endif | 375 #endif |
| 373 } | 376 } |
| 374 | 377 |
| 375 TEST(X509CertificateTest, PaypalNullCertParsing) { | 378 TEST(X509CertificateTest, PaypalNullCertParsing) { |
| 376 scoped_refptr<X509Certificate> paypal_null_cert( | 379 scoped_refptr<X509Certificate> paypal_null_cert( |
| 377 X509Certificate::CreateFromBytes( | 380 X509Certificate::CreateFromBytes( |
| 378 reinterpret_cast<const char*>(paypal_null_der), | 381 reinterpret_cast<const char*>(paypal_null_der), |
| 379 sizeof(paypal_null_der))); | 382 sizeof(paypal_null_der))); |
| 380 | 383 |
| 381 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); | 384 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); |
| 382 | 385 |
| 383 const SHA1Fingerprint& fingerprint = | 386 const SHA1Fingerprint& fingerprint = |
| 384 paypal_null_cert->fingerprint(); | 387 paypal_null_cert->fingerprint(); |
| 385 for (size_t i = 0; i < 20; ++i) | 388 for (size_t i = 0; i < 20; ++i) |
| 386 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); | 389 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); |
| 387 | 390 |
| 388 int flags = 0; | 391 int flags = 0; |
| 389 CertVerifyResult verify_result; | 392 CertVerifyResult verify_result; |
| 390 int error = paypal_null_cert->Verify("www.paypal.com", flags, | 393 int error = paypal_null_cert->Verify("www.paypal.com", flags, NULL, |
| 391 &verify_result); | 394 &verify_result); |
| 392 #if defined(USE_OPENSSL) || defined(OS_MACOSX) || defined(OS_WIN) | 395 #if defined(USE_OPENSSL) || defined(OS_MACOSX) || defined(OS_WIN) |
| 393 // TOOD(bulach): investigate why macosx and win aren't returning | 396 // TOOD(bulach): investigate why macosx and win aren't returning |
| 394 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. | 397 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. |
| 395 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 398 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 396 #else | 399 #else |
| 397 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); | 400 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); |
| 398 #endif | 401 #endif |
| 399 // Either the system crypto library should correctly report a certificate | 402 // Either the system crypto library should correctly report a certificate |
| 400 // name mismatch, or our certificate blacklist should cause us to report an | 403 // name mismatch, or our certificate blacklist should cause us to report an |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 453 ASSERT_TRUE(root_certs->AddFromFile(root_cert_path)); | 456 ASSERT_TRUE(root_certs->AddFromFile(root_cert_path)); |
| 454 | 457 |
| 455 X509Certificate::OSCertHandles intermediates; | 458 X509Certificate::OSCertHandles intermediates; |
| 456 intermediates.push_back(intermediate_cert->os_cert_handle()); | 459 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 457 scoped_refptr<X509Certificate> cert_chain = | 460 scoped_refptr<X509Certificate> cert_chain = |
| 458 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 461 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 459 intermediates); | 462 intermediates); |
| 460 | 463 |
| 461 int flags = 0; | 464 int flags = 0; |
| 462 CertVerifyResult verify_result; | 465 CertVerifyResult verify_result; |
| 463 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result); | 466 int error = cert_chain->Verify("www.us.army.mil", flags, NULL, |
| 467 &verify_result); |
| 464 EXPECT_EQ(OK, error); | 468 EXPECT_EQ(OK, error); |
| 465 EXPECT_EQ(0U, verify_result.cert_status); | 469 EXPECT_EQ(0U, verify_result.cert_status); |
| 466 root_certs->Clear(); | 470 root_certs->Clear(); |
| 467 } | 471 } |
| 468 | 472 |
| 469 // Test for bug 58437. | 473 // Test for bug 58437. |
| 470 // This certificate will expire on 2011-12-21. The test will still | 474 // This certificate will expire on 2011-12-21. The test will still |
| 471 // pass if error == ERR_CERT_DATE_INVALID. | 475 // pass if error == ERR_CERT_DATE_INVALID. |
| 472 // This test is DISABLED because it appears that we cannot do | 476 // This test is DISABLED because it appears that we cannot do |
| 473 // certificate revocation checking when running all of the net unit tests. | 477 // certificate revocation checking when running all of the net unit tests. |
| (...skipping 14 matching lines...) Expand all Loading... |
| 488 | 492 |
| 489 X509Certificate::OSCertHandles intermediates; | 493 X509Certificate::OSCertHandles intermediates; |
| 490 intermediates.push_back(intermediate_cert->os_cert_handle()); | 494 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 491 scoped_refptr<X509Certificate> cert_chain = | 495 scoped_refptr<X509Certificate> cert_chain = |
| 492 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 496 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 493 intermediates); | 497 intermediates); |
| 494 | 498 |
| 495 CertVerifyResult verify_result; | 499 CertVerifyResult verify_result; |
| 496 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 500 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 497 X509Certificate::VERIFY_EV_CERT; | 501 X509Certificate::VERIFY_EV_CERT; |
| 498 int error = cert_chain->Verify("2029.globalsign.com", flags, &verify_result); | 502 int error = cert_chain->Verify("2029.globalsign.com", flags, NULL, |
| 503 &verify_result); |
| 499 if (error == OK) | 504 if (error == OK) |
| 500 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 505 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 501 else | 506 else |
| 502 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 507 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 503 } | 508 } |
| 504 | 509 |
| 505 // Test for bug 94673. | 510 // Test for bug 94673. |
| 506 TEST(X509CertificateTest, GoogleDigiNotarTest) { | 511 TEST(X509CertificateTest, GoogleDigiNotarTest) { |
| 507 FilePath certs_dir = GetTestCertsDirectory(); | 512 FilePath certs_dir = GetTestCertsDirectory(); |
| 508 | 513 |
| 509 scoped_refptr<X509Certificate> server_cert = | 514 scoped_refptr<X509Certificate> server_cert = |
| 510 ImportCertFromFile(certs_dir, "google_diginotar.pem"); | 515 ImportCertFromFile(certs_dir, "google_diginotar.pem"); |
| 511 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 516 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 512 | 517 |
| 513 scoped_refptr<X509Certificate> intermediate_cert = | 518 scoped_refptr<X509Certificate> intermediate_cert = |
| 514 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); | 519 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); |
| 515 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 520 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
| 516 | 521 |
| 517 X509Certificate::OSCertHandles intermediates; | 522 X509Certificate::OSCertHandles intermediates; |
| 518 intermediates.push_back(intermediate_cert->os_cert_handle()); | 523 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 519 scoped_refptr<X509Certificate> cert_chain = | 524 scoped_refptr<X509Certificate> cert_chain = |
| 520 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 525 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 521 intermediates); | 526 intermediates); |
| 522 | 527 |
| 523 CertVerifyResult verify_result; | 528 CertVerifyResult verify_result; |
| 524 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED; | 529 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED; |
| 525 int error = cert_chain->Verify("mail.google.com", flags, &verify_result); | 530 int error = cert_chain->Verify("mail.google.com", flags, NULL, |
| 531 &verify_result); |
| 526 EXPECT_NE(OK, error); | 532 EXPECT_NE(OK, error); |
| 527 | 533 |
| 528 // Now turn off revocation checking. Certificate verification should still | 534 // Now turn off revocation checking. Certificate verification should still |
| 529 // fail. | 535 // fail. |
| 530 flags = 0; | 536 flags = 0; |
| 531 error = cert_chain->Verify("mail.google.com", flags, &verify_result); | 537 error = cert_chain->Verify("mail.google.com", flags, NULL, &verify_result); |
| 532 EXPECT_NE(OK, error); | 538 EXPECT_NE(OK, error); |
| 533 } | 539 } |
| 534 | 540 |
| 535 TEST(X509CertificateTest, DigiNotarCerts) { | 541 TEST(X509CertificateTest, DigiNotarCerts) { |
| 536 static const char* const kDigiNotarFilenames[] = { | 542 static const char* const kDigiNotarFilenames[] = { |
| 537 "diginotar_root_ca.pem", | 543 "diginotar_root_ca.pem", |
| 538 "diginotar_cyber_ca.pem", | 544 "diginotar_cyber_ca.pem", |
| 539 "diginotar_services_1024_ca.pem", | 545 "diginotar_services_1024_ca.pem", |
| 540 "diginotar_pkioverheid.pem", | 546 "diginotar_pkioverheid.pem", |
| 541 "diginotar_pkioverheid_g2.pem", | 547 "diginotar_pkioverheid_g2.pem", |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 581 X509Certificate::OSCertHandles intermediates; | 587 X509Certificate::OSCertHandles intermediates; |
| 582 intermediates.push_back(intermediate_cert->os_cert_handle()); | 588 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 583 scoped_refptr<X509Certificate> cert_chain = | 589 scoped_refptr<X509Certificate> cert_chain = |
| 584 X509Certificate::CreateFromHandle(cert->os_cert_handle(), | 590 X509Certificate::CreateFromHandle(cert->os_cert_handle(), |
| 585 intermediates); | 591 intermediates); |
| 586 | 592 |
| 587 int flags = 0; | 593 int flags = 0; |
| 588 CertVerifyResult verify_result; | 594 CertVerifyResult verify_result; |
| 589 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug | 595 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug |
| 590 // against agl. Also see PublicKeyHashes in this file. | 596 // against agl. Also see PublicKeyHashes in this file. |
| 591 int error = cert_chain->Verify("www.nist.gov", flags, &verify_result); | 597 int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result); |
| 592 EXPECT_EQ(OK, error); | 598 EXPECT_EQ(OK, error); |
| 593 EXPECT_EQ(0U, verify_result.cert_status); | 599 EXPECT_EQ(0U, verify_result.cert_status); |
| 594 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 600 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
| 595 } | 601 } |
| 596 | 602 |
| 597 // This is the SHA1 hash of the SubjectPublicKeyInfo of nist.der. | 603 // This is the SHA1 hash of the SubjectPublicKeyInfo of nist.der. |
| 598 static const char nistSPKIHash[] = | 604 static const char nistSPKIHash[] = |
| 599 "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82" | 605 "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82" |
| 600 "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35"; | 606 "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35"; |
| 601 | 607 |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 655 | 661 |
| 656 X509Certificate::OSCertHandles intermediates; | 662 X509Certificate::OSCertHandles intermediates; |
| 657 intermediates.push_back(intermediate_cert->os_cert_handle()); | 663 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 658 scoped_refptr<X509Certificate> cert_chain = | 664 scoped_refptr<X509Certificate> cert_chain = |
| 659 X509Certificate::CreateFromHandle(cert->os_cert_handle(), | 665 X509Certificate::CreateFromHandle(cert->os_cert_handle(), |
| 660 intermediates); | 666 intermediates); |
| 661 | 667 |
| 662 int flags = 0; | 668 int flags = 0; |
| 663 CertVerifyResult verify_result; | 669 CertVerifyResult verify_result; |
| 664 | 670 |
| 665 int error = cert_chain->Verify("www.nist.gov", flags, &verify_result); | 671 int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result); |
| 666 EXPECT_EQ(OK, error); | 672 EXPECT_EQ(OK, error); |
| 667 EXPECT_EQ(0U, verify_result.cert_status); | 673 EXPECT_EQ(0U, verify_result.cert_status); |
| 668 ASSERT_LE(2u, verify_result.public_key_hashes.size()); | 674 ASSERT_LE(2u, verify_result.public_key_hashes.size()); |
| 669 EXPECT_EQ(HexEncode(nistSPKIHash, base::kSHA1Length), | 675 EXPECT_EQ(HexEncode(nistSPKIHash, base::kSHA1Length), |
| 670 HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length)); | 676 HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length)); |
| 671 EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD", | 677 EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD", |
| 672 HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length)); | 678 HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length)); |
| 673 | 679 |
| 674 TestRootCerts::GetInstance()->Clear(); | 680 TestRootCerts::GetInstance()->Clear(); |
| 675 } | 681 } |
| 676 | 682 |
| 677 // A regression test for http://crbug.com/70293. | 683 // A regression test for http://crbug.com/70293. |
| 678 // The Key Usage extension in this RSA SSL server certificate does not have | 684 // The Key Usage extension in this RSA SSL server certificate does not have |
| 679 // the keyEncipherment bit. | 685 // the keyEncipherment bit. |
| 680 TEST(X509CertificateTest, InvalidKeyUsage) { | 686 TEST(X509CertificateTest, InvalidKeyUsage) { |
| 681 FilePath certs_dir = GetTestCertsDirectory(); | 687 FilePath certs_dir = GetTestCertsDirectory(); |
| 682 | 688 |
| 683 scoped_refptr<X509Certificate> server_cert = | 689 scoped_refptr<X509Certificate> server_cert = |
| 684 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); | 690 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); |
| 685 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 691 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 686 | 692 |
| 687 int flags = 0; | 693 int flags = 0; |
| 688 CertVerifyResult verify_result; | 694 CertVerifyResult verify_result; |
| 689 int error = server_cert->Verify("jira.aquameta.com", flags, &verify_result); | 695 int error = server_cert->Verify("jira.aquameta.com", flags, NULL, |
| 696 &verify_result); |
| 690 #if defined(USE_OPENSSL) | 697 #if defined(USE_OPENSSL) |
| 691 // This certificate has two errors: "invalid key usage" and "untrusted CA". | 698 // This certificate has two errors: "invalid key usage" and "untrusted CA". |
| 692 // However, OpenSSL returns only one (the latter), and we can't detect | 699 // However, OpenSSL returns only one (the latter), and we can't detect |
| 693 // the other errors. | 700 // the other errors. |
| 694 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 701 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 695 #else | 702 #else |
| 696 EXPECT_EQ(ERR_CERT_INVALID, error); | 703 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 697 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | 704 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); |
| 698 #endif | 705 #endif |
| 699 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors | 706 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors |
| (...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 885 TestRootCerts::GetInstance()->Add(certs[2]); | 892 TestRootCerts::GetInstance()->Add(certs[2]); |
| 886 | 893 |
| 887 scoped_refptr<X509Certificate> google_full_chain = | 894 scoped_refptr<X509Certificate> google_full_chain = |
| 888 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 895 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 889 intermediates); | 896 intermediates); |
| 890 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 897 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 891 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); | 898 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 892 | 899 |
| 893 CertVerifyResult verify_result; | 900 CertVerifyResult verify_result; |
| 894 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 901 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 895 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); | 902 int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result); |
| 896 EXPECT_EQ(OK, error); | 903 EXPECT_EQ(OK, error); |
| 897 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 904 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 898 | 905 |
| 899 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 906 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 900 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 907 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 901 google_full_chain->os_cert_handle(), | 908 google_full_chain->os_cert_handle(), |
| 902 verify_result.verified_cert->os_cert_handle())); | 909 verify_result.verified_cert->os_cert_handle())); |
| 903 const X509Certificate::OSCertHandles& return_intermediates = | 910 const X509Certificate::OSCertHandles& return_intermediates = |
| 904 verify_result.verified_cert->GetIntermediateCertificates(); | 911 verify_result.verified_cert->GetIntermediateCertificates(); |
| 905 ASSERT_EQ(2U, return_intermediates.size()); | 912 ASSERT_EQ(2U, return_intermediates.size()); |
| (...skipping 25 matching lines...) Expand all Loading... |
| 931 TestRootCerts::GetInstance()->Add(certs[2]); | 938 TestRootCerts::GetInstance()->Add(certs[2]); |
| 932 | 939 |
| 933 scoped_refptr<X509Certificate> google_full_chain = | 940 scoped_refptr<X509Certificate> google_full_chain = |
| 934 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 941 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 935 intermediates); | 942 intermediates); |
| 936 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 943 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 937 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); | 944 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 938 | 945 |
| 939 CertVerifyResult verify_result; | 946 CertVerifyResult verify_result; |
| 940 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 947 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 941 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); | 948 int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result); |
| 942 EXPECT_EQ(OK, error); | 949 EXPECT_EQ(OK, error); |
| 943 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 950 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 944 | 951 |
| 945 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 952 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 946 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 953 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 947 google_full_chain->os_cert_handle(), | 954 google_full_chain->os_cert_handle(), |
| 948 verify_result.verified_cert->os_cert_handle())); | 955 verify_result.verified_cert->os_cert_handle())); |
| 949 const X509Certificate::OSCertHandles& return_intermediates = | 956 const X509Certificate::OSCertHandles& return_intermediates = |
| 950 verify_result.verified_cert->GetIntermediateCertificates(); | 957 verify_result.verified_cert->GetIntermediateCertificates(); |
| 951 ASSERT_EQ(2U, return_intermediates.size()); | 958 ASSERT_EQ(2U, return_intermediates.size()); |
| (...skipping 30 matching lines...) Expand all Loading... |
| 982 intermediates.push_back(certs[2]->os_cert_handle()); | 989 intermediates.push_back(certs[2]->os_cert_handle()); |
| 983 | 990 |
| 984 scoped_refptr<X509Certificate> google_full_chain = | 991 scoped_refptr<X509Certificate> google_full_chain = |
| 985 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 992 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 986 intermediates); | 993 intermediates); |
| 987 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 994 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 988 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); | 995 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); |
| 989 | 996 |
| 990 CertVerifyResult verify_result; | 997 CertVerifyResult verify_result; |
| 991 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 998 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 992 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); | 999 int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result); |
| 993 EXPECT_EQ(OK, error); | 1000 EXPECT_EQ(OK, error); |
| 994 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 1001 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 995 | 1002 |
| 996 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 1003 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 997 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 1004 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 998 google_full_chain->os_cert_handle(), | 1005 google_full_chain->os_cert_handle(), |
| 999 verify_result.verified_cert->os_cert_handle())); | 1006 verify_result.verified_cert->os_cert_handle())); |
| 1000 const X509Certificate::OSCertHandles& return_intermediates = | 1007 const X509Certificate::OSCertHandles& return_intermediates = |
| 1001 verify_result.verified_cert->GetIntermediateCertificates(); | 1008 verify_result.verified_cert->GetIntermediateCertificates(); |
| 1002 ASSERT_EQ(2U, return_intermediates.size()); | 1009 ASSERT_EQ(2U, return_intermediates.size()); |
| (...skipping 433 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1436 } | 1443 } |
| 1437 | 1444 |
| 1438 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( | 1445 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( |
| 1439 test_data.hostname, common_name, dns_names, ip_addressses)); | 1446 test_data.hostname, common_name, dns_names, ip_addressses)); |
| 1440 } | 1447 } |
| 1441 | 1448 |
| 1442 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, | 1449 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, |
| 1443 testing::ValuesIn(kNameVerifyTestData)); | 1450 testing::ValuesIn(kNameVerifyTestData)); |
| 1444 | 1451 |
| 1445 } // namespace net | 1452 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8342054:
net: enable CRL sets behind a command line flag. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src