| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 1595 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1606 X509Certificate::OSCertHandles intermediates; | 1606 X509Certificate::OSCertHandles intermediates; |
| 1607 intermediates.push_back(intermediate_cert->os_cert_handle()); | 1607 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 1608 | 1608 |
| 1609 scoped_refptr<X509Certificate> ee_chain = | 1609 scoped_refptr<X509Certificate> ee_chain = |
| 1610 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 1610 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
| 1611 intermediates); | 1611 intermediates); |
| 1612 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); | 1612 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); |
| 1613 | 1613 |
| 1614 int flags = 0; | 1614 int flags = 0; |
| 1615 CertVerifyResult verify_result; | 1615 CertVerifyResult verify_result; |
| 1616 ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); | 1616 int rv = ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); |
| 1617 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); | 1617 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); |
| 1618 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); | 1618 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); |
| 1619 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); | 1619 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); |
| 1620 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); | 1620 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); |
| 1621 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); | 1621 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); |
| 1622 |
| 1623 // Ensure that MD4 and MD2 are tagged as invalid. |
| 1624 if (data.expected_has_md4 || data.expected_has_md2) { |
| 1625 EXPECT_EQ(CERT_STATUS_INVALID, |
| 1626 verify_result.cert_status & CERT_STATUS_INVALID); |
| 1627 } |
| 1628 |
| 1629 // Ensure that MD5 is flagged as weak. |
| 1630 if (data.expected_has_md5) { |
| 1631 EXPECT_EQ( |
| 1632 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, |
| 1633 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
| 1634 } |
| 1635 |
| 1636 // If a root cert is present, then check that the chain was rejected if any |
| 1637 // weak algorithms are present. This is only checked when a root cert is |
| 1638 // present because the error reported for incomplete chains with weak |
| 1639 // algorithms depends on which implementation was used to validate (NSS, |
| 1640 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm |
| 1641 // present (MD2, MD4, MD5). |
| 1642 if (data.root_cert_filename) { |
| 1643 if (data.expected_has_md4 || data.expected_has_md2) { |
| 1644 EXPECT_EQ(ERR_CERT_INVALID, rv); |
| 1645 } else if (data.expected_has_md5) { |
| 1646 EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv); |
| 1647 } else { |
| 1648 EXPECT_EQ(OK, rv); |
| 1649 } |
| 1650 } |
| 1622 } | 1651 } |
| 1623 | 1652 |
| 1624 // Unlike TEST/TEST_F, which are macros that expand to further macros, | 1653 // Unlike TEST/TEST_F, which are macros that expand to further macros, |
| 1625 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that | 1654 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that |
| 1626 // stringizes the arguments. As a result, macros passed as parameters (such as | 1655 // stringizes the arguments. As a result, macros passed as parameters (such as |
| 1627 // prefix or test_case_name) will not be expanded by the preprocessor. To work | 1656 // prefix or test_case_name) will not be expanded by the preprocessor. To work |
| 1628 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the | 1657 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the |
| 1629 // pre-processor will expand macros such as MAYBE_test_name before | 1658 // pre-processor will expand macros such as MAYBE_test_name before |
| 1630 // instantiating the test. | 1659 // instantiating the test. |
| 1631 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ | 1660 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1751 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1780 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1752 #else | 1781 #else |
| 1753 #define MAYBE_VerifyMixed VerifyMixed | 1782 #define MAYBE_VerifyMixed VerifyMixed |
| 1754 #endif | 1783 #endif |
| 1755 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1784 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1756 MAYBE_VerifyMixed, | 1785 MAYBE_VerifyMixed, |
| 1757 X509CertificateWeakDigestTest, | 1786 X509CertificateWeakDigestTest, |
| 1758 testing::ValuesIn(kVerifyMixedTestData)); | 1787 testing::ValuesIn(kVerifyMixedTestData)); |
| 1759 | 1788 |
| 1760 } // namespace net | 1789 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8374020:
Make it a fatal SSL error when encountering certs signed with md[2,4], and interstitial md5 (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src