Chromium Code Reviews Chromium Code Reviews
Issue 8374020:
Make it a fatal SSL error when encountering certs signed with md[2,4], and interstitial md5 (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 1532 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1543 X509Certificate::OSCertHandles intermediates; | 1543 X509Certificate::OSCertHandles intermediates; |
| 1544 intermediates.push_back(intermediate_cert->os_cert_handle()); | 1544 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 1545 | 1545 |
| 1546 scoped_refptr<X509Certificate> ee_chain = | 1546 scoped_refptr<X509Certificate> ee_chain = |
| 1547 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 1547 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
| 1548 intermediates); | 1548 intermediates); |
| 1549 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); | 1549 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); |
| 1550 | 1550 |
| 1551 int flags = 0; | 1551 int flags = 0; |
| 1552 CertVerifyResult verify_result; | 1552 CertVerifyResult verify_result; |
| 1553 ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); | 1553 int rv = ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); |
| 1554 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); | 1554 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); |
| 1555 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); | 1555 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); |
| 1556 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); | 1556 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); |
| 1557 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); | 1557 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); |
| 1558 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); | 1558 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); |
| 1559 | |
| 1560 // Ensure that MD4 and MD2 are tagged as invalid. | |
| 1561 if (data.expected_has_md4 || data.expected_has_md2) { | |
| 1562 EXPECT_EQ(CERT_STATUS_INVALID, | |
| 1563 (verify_result.cert_status & CERT_STATUS_INVALID)); | |
|
wtc
2011/11/04 22:57:42
The parentheses are not necessary here and on line
| |
| 1564 | |
| 1565 } | |
| 1566 | |
| 1567 // Ensure that MD5 is flagged as weak. | |
| 1568 if (data.expected_has_md5) { | |
| 1569 EXPECT_EQ( | |
| 1570 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, | |
| 1571 (verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM)); | |
| 1572 } | |
| 1573 | |
| 1574 // If there is a root cert present, then the full chain should validate, but | |
| 1575 // be rejected. | |
|
wtc
2011/11/04 22:57:42
Nit: "but be rejected" does not apply to the last
| |
| 1576 if (data.root_cert_filename) { | |
| 1577 if (data.expected_has_md4 || data.expected_has_md2) { | |
| 1578 EXPECT_EQ(ERR_CERT_INVALID, rv); | |
| 1579 } else if (data.expected_has_md5) { | |
| 1580 EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv); | |
| 1581 } else { | |
| 1582 EXPECT_EQ(OK, rv); | |
| 1583 } | |
| 1584 } | |
| 1559 } | 1585 } |
| 1560 | 1586 |
| 1561 // Unlike TEST/TEST_F, which are macros that expand to further macros, | 1587 // Unlike TEST/TEST_F, which are macros that expand to further macros, |
| 1562 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that | 1588 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that |
| 1563 // stringizes the arguments. As a result, macros passed as parameters (such as | 1589 // stringizes the arguments. As a result, macros passed as parameters (such as |
| 1564 // prefix or test_case_name) will not be expanded by the preprocessor. To work | 1590 // prefix or test_case_name) will not be expanded by the preprocessor. To work |
| 1565 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the | 1591 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the |
| 1566 // pre-processor will expand macros such as MAYBE_test_name before | 1592 // pre-processor will expand macros such as MAYBE_test_name before |
| 1567 // instantiating the test. | 1593 // instantiating the test. |
| 1568 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ | 1594 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1688 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1714 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1689 #else | 1715 #else |
| 1690 #define MAYBE_VerifyMixed VerifyMixed | 1716 #define MAYBE_VerifyMixed VerifyMixed |
| 1691 #endif | 1717 #endif |
| 1692 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1718 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1693 MAYBE_VerifyMixed, | 1719 MAYBE_VerifyMixed, |
| 1694 X509CertificateWeakDigestTest, | 1720 X509CertificateWeakDigestTest, |
| 1695 testing::ValuesIn(kVerifyMixedTestData)); | 1721 testing::ValuesIn(kVerifyMixedTestData)); |
| 1696 | 1722 |
| 1697 } // namespace net | 1723 } // namespace net |
| OLD | NEW |
