| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 574 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 585 &verify_result); | 585 &verify_result); |
| 586 EXPECT_NE(OK, error); | 586 EXPECT_NE(OK, error); |
| 587 | 587 |
| 588 // Now turn off revocation checking. Certificate verification should still | 588 // Now turn off revocation checking. Certificate verification should still |
| 589 // fail. | 589 // fail. |
| 590 flags = 0; | 590 flags = 0; |
| 591 error = cert_chain->Verify("mail.google.com", flags, NULL, &verify_result); | 591 error = cert_chain->Verify("mail.google.com", flags, NULL, &verify_result); |
| 592 EXPECT_NE(OK, error); | 592 EXPECT_NE(OK, error); |
| 593 } | 593 } |
| 594 | 594 |
| 595 TEST(X509CertificateTest, RejectWeakKeys) { |
| 596 FilePath certs_dir = GetTestCertsDirectory(); |
| 597 |
| 598 // Self-signed cert with weak (768-bit) key. |
| 599 scoped_refptr<X509Certificate> weak_cert = |
| 600 ImportCertFromFile(certs_dir, "weak-key.pem"); |
| 601 ASSERT_NE(static_cast<X509Certificate*>(NULL), weak_cert); |
| 602 |
| 603 CertVerifyResult verify_result; |
| 604 int flags = 0; |
| 605 int error = weak_cert->Verify("broken.example.com", flags, NULL, |
| 606 &verify_result); |
| 607 EXPECT_NE(OK, error); |
| 608 EXPECT_EQ(CERT_STATUS_WEAK_KEY, |
| 609 verify_result.cert_status & CERT_STATUS_WEAK_KEY); |
| 610 |
| 611 // EE has 2048-bit key, signer is weak_cert. Even though the EE is fine, |
| 612 // we must still reject it. |
| 613 scoped_refptr<X509Certificate> good_cert = |
| 614 ImportCertFromFile(certs_dir, "strong-key-weak-signer.pem"); |
| 615 ASSERT_NE(static_cast<X509Certificate*>(NULL), good_cert); |
| 616 |
| 617 X509Certificate::OSCertHandles intermediates; |
| 618 intermediates.push_back(weak_cert->os_cert_handle()); |
| 619 scoped_refptr<X509Certificate> cert_chain = |
| 620 X509Certificate::CreateFromHandle(good_cert->os_cert_handle(), |
| 621 intermediates); |
| 622 |
| 623 error = cert_chain->Verify("www.example.org", flags, NULL, &verify_result); |
| 624 EXPECT_NE(OK, error); |
| 625 EXPECT_EQ(CERT_STATUS_WEAK_KEY, |
| 626 verify_result.cert_status & CERT_STATUS_WEAK_KEY); |
| 627 } |
| 628 |
| 595 TEST(X509CertificateTest, DigiNotarCerts) { | 629 TEST(X509CertificateTest, DigiNotarCerts) { |
| 596 static const char* const kDigiNotarFilenames[] = { | 630 static const char* const kDigiNotarFilenames[] = { |
| 597 "diginotar_root_ca.pem", | 631 "diginotar_root_ca.pem", |
| 598 "diginotar_cyber_ca.pem", | 632 "diginotar_cyber_ca.pem", |
| 599 "diginotar_services_1024_ca.pem", | 633 "diginotar_services_1024_ca.pem", |
| 600 "diginotar_pkioverheid.pem", | 634 "diginotar_pkioverheid.pem", |
| 601 "diginotar_pkioverheid_g2.pem", | 635 "diginotar_pkioverheid_g2.pem", |
| 602 NULL, | 636 NULL, |
| 603 }; | 637 }; |
| 604 | 638 |
| (...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 670 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 704 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
| 671 &derBytes)); | 705 &derBytes)); |
| 672 | 706 |
| 673 base::StringPiece spkiBytes; | 707 base::StringPiece spkiBytes; |
| 674 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); | 708 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); |
| 675 | 709 |
| 676 uint8 hash[base::kSHA1Length]; | 710 uint8 hash[base::kSHA1Length]; |
| 677 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), | 711 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), |
| 678 spkiBytes.size(), hash); | 712 spkiBytes.size(), hash); |
| 679 | 713 |
| 680 EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash))); | 714 EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash))); |
| 681 } | 715 } |
| 682 | 716 |
| 683 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { | 717 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { |
| 684 FilePath certs_dir = GetTestCertsDirectory(); | 718 FilePath certs_dir = GetTestCertsDirectory(); |
| 685 scoped_refptr<X509Certificate> cert = | 719 scoped_refptr<X509Certificate> cert = |
| 686 ImportCertFromFile(certs_dir, "nist.der"); | 720 ImportCertFromFile(certs_dir, "nist.der"); |
| 687 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | 721 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); |
| 688 | 722 |
| 689 std::string derBytes; | 723 std::string derBytes; |
| 690 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 724 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
| (...skipping 634 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1325 { true, "f", "f" }, | 1359 { true, "f", "f" }, |
| 1326 { false, "h", "i" }, | 1360 { false, "h", "i" }, |
| 1327 { true, "bar.foo.com", "*.foo.com" }, | 1361 { true, "bar.foo.com", "*.foo.com" }, |
| 1328 { true, "www.test.fr", "common.name", | 1362 { true, "www.test.fr", "common.name", |
| 1329 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, | 1363 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, |
| 1330 { true, "wwW.tESt.fr", "common.name", | 1364 { true, "wwW.tESt.fr", "common.name", |
| 1331 ",*.*,*.test.de,*.test.FR,www" }, | 1365 ",*.*,*.test.de,*.test.FR,www" }, |
| 1332 { false, "f.uk", ".uk" }, | 1366 { false, "f.uk", ".uk" }, |
| 1333 { false, "w.bar.foo.com", "?.bar.foo.com" }, | 1367 { false, "w.bar.foo.com", "?.bar.foo.com" }, |
| 1334 { false, "www.foo.com", "(www|ftp).foo.com" }, | 1368 { false, "www.foo.com", "(www|ftp).foo.com" }, |
| 1335 { false, "www.foo.com", "www.foo.com#" }, // # = null char. | 1369 { false, "www.foo.com", "www.foo.com#" }, // # = null char. |
| 1336 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, | 1370 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, |
| 1337 { false, "www.house.example", "ww.house.example" }, | 1371 { false, "www.house.example", "ww.house.example" }, |
| 1338 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, | 1372 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, |
| 1339 { false, "w.bar.foo.com", "w*.bar.foo.com" }, | 1373 { false, "w.bar.foo.com", "w*.bar.foo.com" }, |
| 1340 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, | 1374 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, |
| 1341 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, | 1375 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, |
| 1342 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, | 1376 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, |
| 1343 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, | 1377 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, |
| 1344 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, | 1378 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, |
| 1345 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, | 1379 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, |
| (...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1463 } | 1497 } |
| 1464 | 1498 |
| 1465 if (test_data.ip_addrs) { | 1499 if (test_data.ip_addrs) { |
| 1466 // Build up the certificate IP address list. | 1500 // Build up the certificate IP address list. |
| 1467 std::string ip_addrs_line(test_data.ip_addrs); | 1501 std::string ip_addrs_line(test_data.ip_addrs); |
| 1468 std::vector<std::string> ip_addressses_ascii; | 1502 std::vector<std::string> ip_addressses_ascii; |
| 1469 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); | 1503 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); |
| 1470 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { | 1504 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { |
| 1471 std::string& addr_ascii = ip_addressses_ascii[i]; | 1505 std::string& addr_ascii = ip_addressses_ascii[i]; |
| 1472 ASSERT_NE(0U, addr_ascii.length()); | 1506 ASSERT_NE(0U, addr_ascii.length()); |
| 1473 if (addr_ascii[0] == 'x') { // Hex encoded address | 1507 if (addr_ascii[0] == 'x') { // Hex encoded address |
| 1474 addr_ascii.erase(0, 1); | 1508 addr_ascii.erase(0, 1); |
| 1475 std::vector<uint8> bytes; | 1509 std::vector<uint8> bytes; |
| 1476 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) | 1510 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) |
| 1477 << "Could not parse hex address " << addr_ascii << " i = " << i; | 1511 << "Could not parse hex address " << addr_ascii << " i = " << i; |
| 1478 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), | 1512 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), |
| 1479 bytes.size())); | 1513 bytes.size())); |
| 1480 ASSERT_EQ(16U, ip_addressses.back().size()) << i; | 1514 ASSERT_EQ(16U, ip_addressses.back().size()) << i; |
| 1481 } else { // Decimal groups | 1515 } else { // Decimal groups |
| 1482 std::vector<std::string> decimals_ascii; | 1516 std::vector<std::string> decimals_ascii; |
| 1483 base::SplitString(addr_ascii, '.', &decimals_ascii); | 1517 base::SplitString(addr_ascii, '.', &decimals_ascii); |
| (...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1701 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1735 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1702 #else | 1736 #else |
| 1703 #define MAYBE_VerifyMixed VerifyMixed | 1737 #define MAYBE_VerifyMixed VerifyMixed |
| 1704 #endif | 1738 #endif |
| 1705 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1739 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1706 MAYBE_VerifyMixed, | 1740 MAYBE_VerifyMixed, |
| 1707 X509CertificateWeakDigestTest, | 1741 X509CertificateWeakDigestTest, |
| 1708 testing::ValuesIn(kVerifyMixedTestData)); | 1742 testing::ValuesIn(kVerifyMixedTestData)); |
| 1709 | 1743 |
| 1710 } // namespace net | 1744 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8568040:
Refuse to accept certificate chains containing any RSA public key smaller (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/