Add unittests for the detection of md[2,4,5] when verifying certificates

net/base/x509_certificate_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
@@ skipping 1431 matching lines @@
     }
   }
 
   EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(
       test_data.hostname, common_name, dns_names, ip_addressses));
 }
 
 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
                         testing::ValuesIn(kNameVerifyTestData));
 
+// Not implemented on Mac or OpenSSL - http://crbug.com/101123
+#if defined(USE_NSS) || defined(OS_WIN)
+
+struct WeakDigestTestData {
+  const char* root_cert_filename;
+  const char* intermediate_cert_filename;
+  const char* ee_cert_filename;
+  bool expected_has_md5;
+  bool expected_has_md4;
+  bool expected_has_md2;
+  bool expected_has_md5_ca;
+  bool expected_has_md2_ca;
+};
+
+void PrintTo(const WeakDigestTestData& data, std::ostream* os) {

[palmer, 2011/10/26 19:09:15]

You never use this function, so get rid of it.

[Ryan Sleevi, 2011/10/26 22:27:47]

This is GTest "magic" -
code.google.com/p/googletest/wiki/AdvancedGuide#Teaching_Google_Test_How_to_Print_Your_Values
- I wasn't sure how much of a "given" that is (along with
FRIEND_TEST_ALL_PREFIXES, TEST_F, etc). I'll add a comment and update the one on
line 1235. 

For 1235, Valgrind complains because GTest tries to write the first 20 bytes of
the object, which for structs <= 20 bytes, may result in Valgrind being unhappy
(and rightfully so).

Both are preferable to overloading operator<<, since such an overloads affect
ADL in the parent/global namespaces.

+  *os << "root: "
+      << (data.root_cert_filename ? data.root_cert_filename : "none")
+      << "; intermediate: " << data.intermediate_cert_filename
+      << "; end-entity: " << data.ee_cert_filename;
+}
+
+const WeakDigestTestData kVerifyWeakDigestTestData[] = {
+  // The signature algorithm of the root CA should not matter.
+  { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
+    "weak_digest_sha1_ee.pem", false, false, false, false, false },
+  { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
+    "weak_digest_sha1_ee.pem", false, false, false, false, false },
+  { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
+    "weak_digest_sha1_ee.pem", false, false, false, false, false },
+  // The signature algorithm of intermediates should be properly detected.
+  { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
+    "weak_digest_sha1_ee.pem", false, false, true, false, true },
+  { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
+    "weak_digest_sha1_ee.pem", false, true, false, false, false },
+  { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
+    "weak_digest_sha1_ee.pem", true, false, false, true, false },
+  // The signature algorithm of end-entity should be properly detected.
+  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+    "weak_digest_md2_ee.pem", false, false, true, false, false },
+  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+    "weak_digest_md4_ee.pem", false, true, false, false, false },
+  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+    "weak_digest_md5_ee.pem", true, false, false, false, false },
+// Disabled on Windows - currently broken for incomplete chains.
+// http://crbug.com/101123
+#if !defined(OS_WIN)
+  // Incomplete chains should still report the status of the intermediate.
+  { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
+    false, false, true, false, true },
+  { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
+    false, true, false, false, false },
+  { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
+    true, false, false, true, false },
+#endif
+  // Incomplete chains should still report the status of the end-entity.
+  { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
+    false, false, true, false, false },
+  { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
+    false, true, false, false, false },
+  { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
+    true, false, false, false, false },
+  // Differing algorithms between the intermediate and the EE should still be
+  // reported.
+  { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
+    "weak_digest_md2_ee.pem", false, true, true, false, false },
+  { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
+    "weak_digest_md2_ee.pem", true, false, true, true, false },
+  { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
+    "weak_digest_md5_ee.pem", true, false, true, false, true },
+};
+
+class X509CertificateWeakDigestTest
+    : public testing::TestWithParam<WeakDigestTestData> {
+ public:
+  X509CertificateWeakDigestTest() {
+  }
+
+  virtual void TearDown() {
+    TestRootCerts::GetInstance()->Clear();
+  }
+};
+
+TEST_P(X509CertificateWeakDigestTest, VerifyWithWeakDigest) {
+ WeakDigestTestData data = GetParam();
+ FilePath certs_dir = GetTestCertsDirectory();
+
+ if (data.root_cert_filename) {
+    scoped_refptr<X509Certificate> root_cert =
+        ImportCertFromFile(certs_dir, data.root_cert_filename);
+    ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
+    TestRootCerts::GetInstance()->Add(root_cert.get());
+ }

[palmer, 2011/10/26 19:09:15]

Should be indented two spaces.

+
+  scoped_refptr<X509Certificate> intermediate_cert =
+      ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
+  scoped_refptr<X509Certificate> ee_cert =
+      ImportCertFromFile(certs_dir, data.ee_cert_filename);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
+
+  X509Certificate::OSCertHandles intermediates;
+  intermediates.push_back(intermediate_cert->os_cert_handle());
+
+  scoped_refptr<X509Certificate> ee_chain =
+      X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
+                                        intermediates);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain);
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result);
+  EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
+  EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
+  EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
+  EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca);
+  EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca);
+}
+
+
+INSTANTIATE_TEST_CASE_P(, X509CertificateWeakDigestTest,
+                        testing::ValuesIn(kVerifyWeakDigestTestData));
+#endif  // defined(USE_NSS) || defined(OS_WIN)
+
 }  // namespace net