OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
(...skipping 593 matching lines...)
604 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 604 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
605 X509Certificate::VERIFY_EV_CERT; | 605 X509Certificate::VERIFY_EV_CERT; |
606 int error = cert_chain->Verify("2029.globalsign.com", flags, NULL, | 606 int error = cert_chain->Verify("2029.globalsign.com", flags, NULL, |
607 &verify_result); | 607 &verify_result); |
608 if (error == OK) | 608 if (error == OK) |
609 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 609 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
610 else | 610 else |
611 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 611 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
612 } | 612 } |
613 | 613 |
614 // Currently, only RSA and DSA are checked for weakness, and our example weak | |
615 // size is 768. These could change in the future. | |
616 static bool is_weak_key_type(const std::string& key_type) { | |
Ryan Sleevi
2011/12/13 05:45:35
nit: Function naming guidelines are
http://google-
| |
617 size_t pos = key_type.find("-"); | |
618 std::string size = key_type.substr(0, pos); | |
619 std::string type = key_type.substr(pos + 1); | |
620 | |
621 return 0 == size.compare("768") && | |
Ryan Sleevi
2011/12/13 05:45:35
nit: Why use .compare() == 0 instead of the more c
| |
622 (0 == type.compare("rsa") || 0 == type.compare("dsa")); | |
623 } | |
624 | |
625 TEST(X509CertificateTest, RejectWeakKeys) { | |
626 FilePath certs_dir = GetTestCertsDirectory(); | |
627 typedef std::vector<std::string> Strings; | |
628 Strings key_types; | |
629 | |
630 // generate-weak-test-chains.sh currently has: | |
631 // key_types="768-rsa 1024-rsa 2048-rsa secp256k1-ecdsa" | |
Ryan Sleevi
2011/12/13 05:45:35
typo? You refer to secp256k1-ecdsa in the comment,
| |
632 // We must use the same key types here. The filenames generated look like: | |
633 // 2048-rsa-ee-by-768-rsa-intermediate.pem | |
634 key_types.push_back("768-rsa"); | |
635 key_types.push_back("1024-rsa"); | |
636 key_types.push_back("2048-rsa"); | |
637 key_types.push_back("prime256v1-ecdsa"); | |
638 | |
639 // Add the root that signed the intermediates for this test. | |
640 scoped_refptr<X509Certificate> root_cert = | |
641 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | |
642 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | |
643 TestRootCerts::GetInstance()->Add(root_cert.get()); | |
644 | |
645 // Now test each chain. | |
646 for (Strings::const_iterator ee_type = key_types.begin(); | |
647 ee_type != key_types.end(); ++ee_type) { | |
648 for (Strings::const_iterator signer_type = key_types.begin(); | |
649 signer_type != key_types.end(); ++signer_type) { | |
Ryan Sleevi
2011/12/13 05:45:35
nit: This sort of iteration within a test, while n
| |
650 std::string basename = *ee_type + "-ee-by-" + *signer_type + | |
651 "-intermediate.pem"; | |
652 DLOG(WARNING) << "Now trying " << basename; | |
653 scoped_refptr<X509Certificate> ee_cert = | |
654 ImportCertFromFile(certs_dir, basename); | |
655 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | |
656 | |
657 basename = *signer_type + "-intermediate.pem"; | |
658 scoped_refptr<X509Certificate> intermediate = | |
659 ImportCertFromFile(certs_dir, basename); | |
660 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); | |
661 | |
662 X509Certificate::OSCertHandles intermediates; | |
663 intermediates.push_back(intermediate->os_cert_handle()); | |
664 scoped_refptr<X509Certificate> cert_chain = | |
665 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | |
666 intermediates); | |
667 | |
668 CertVerifyResult verify_result; | |
669 int error = cert_chain->Verify("127.0.0.1", 0, NULL, &verify_result); | |
670 | |
671 if (is_weak_key_type(*ee_type) || is_weak_key_type(*signer_type)) { | |
672 EXPECT_NE(OK, error); | |
673 EXPECT_EQ(CERT_STATUS_WEAK_KEY, | |
674 verify_result.cert_status & CERT_STATUS_WEAK_KEY); | |
675 } else { | |
676 EXPECT_EQ(OK, error); | |
677 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); | |
678 } | |
679 } | |
680 } | |
681 } | |
682 | |
614 // Test for bug 94673. | 683 // Test for bug 94673. |
615 TEST(X509CertificateTest, GoogleDigiNotarTest) { | 684 TEST(X509CertificateTest, GoogleDigiNotarTest) { |
616 FilePath certs_dir = GetTestCertsDirectory(); | 685 FilePath certs_dir = GetTestCertsDirectory(); |
617 | 686 |
618 scoped_refptr<X509Certificate> server_cert = | 687 scoped_refptr<X509Certificate> server_cert = |
619 ImportCertFromFile(certs_dir, "google_diginotar.pem"); | 688 ImportCertFromFile(certs_dir, "google_diginotar.pem"); |
620 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 689 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
621 | 690 |
622 scoped_refptr<X509Certificate> intermediate_cert = | 691 scoped_refptr<X509Certificate> intermediate_cert = |
623 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); | 692 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); |
(...skipping 96 matching lines...)
720 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 789 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
721 &derBytes)); | 790 &derBytes)); |
722 | 791 |
723 base::StringPiece spkiBytes; | 792 base::StringPiece spkiBytes; |
724 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); | 793 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); |
725 | 794 |
726 uint8 hash[base::kSHA1Length]; | 795 uint8 hash[base::kSHA1Length]; |
727 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), | 796 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), |
728 spkiBytes.size(), hash); | 797 spkiBytes.size(), hash); |
729 | 798 |
730 EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash))); | 799 EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash))); |
731 } | 800 } |
732 | 801 |
733 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { | 802 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { |
734 FilePath certs_dir = GetTestCertsDirectory(); | 803 FilePath certs_dir = GetTestCertsDirectory(); |
735 scoped_refptr<X509Certificate> cert = | 804 scoped_refptr<X509Certificate> cert = |
736 ImportCertFromFile(certs_dir, "nist.der"); | 805 ImportCertFromFile(certs_dir, "nist.der"); |
737 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | 806 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); |
738 | 807 |
739 std::string derBytes; | 808 std::string derBytes; |
740 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 809 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
(...skipping 634 matching lines...)
1375 { true, "f", "f" }, | 1444 { true, "f", "f" }, |
1376 { false, "h", "i" }, | 1445 { false, "h", "i" }, |
1377 { true, "bar.foo.com", "*.foo.com" }, | 1446 { true, "bar.foo.com", "*.foo.com" }, |
1378 { true, "www.test.fr", "common.name", | 1447 { true, "www.test.fr", "common.name", |
1379 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, | 1448 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, |
1380 { true, "wwW.tESt.fr", "common.name", | 1449 { true, "wwW.tESt.fr", "common.name", |
1381 ",*.*,*.test.de,*.test.FR,www" }, | 1450 ",*.*,*.test.de,*.test.FR,www" }, |
1382 { false, "f.uk", ".uk" }, | 1451 { false, "f.uk", ".uk" }, |
1383 { false, "w.bar.foo.com", "?.bar.foo.com" }, | 1452 { false, "w.bar.foo.com", "?.bar.foo.com" }, |
1384 { false, "www.foo.com", "(www|ftp).foo.com" }, | 1453 { false, "www.foo.com", "(www|ftp).foo.com" }, |
1385 { false, "www.foo.com", "www.foo.com#" }, // # = null char. | 1454 { false, "www.foo.com", "www.foo.com#" }, // # = null char. |
1386 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, | 1455 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, |
1387 { false, "www.house.example", "ww.house.example" }, | 1456 { false, "www.house.example", "ww.house.example" }, |
1388 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, | 1457 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, |
1389 { false, "w.bar.foo.com", "w*.bar.foo.com" }, | 1458 { false, "w.bar.foo.com", "w*.bar.foo.com" }, |
1390 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, | 1459 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, |
1391 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, | 1460 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, |
1392 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, | 1461 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, |
1393 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, | 1462 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, |
1394 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, | 1463 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, |
1395 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, | 1464 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, |
(...skipping 117 matching lines...)
1513 } | 1582 } |
1514 | 1583 |
1515 if (test_data.ip_addrs) { | 1584 if (test_data.ip_addrs) { |
1516 // Build up the certificate IP address list. | 1585 // Build up the certificate IP address list. |
1517 std::string ip_addrs_line(test_data.ip_addrs); | 1586 std::string ip_addrs_line(test_data.ip_addrs); |
1518 std::vector<std::string> ip_addressses_ascii; | 1587 std::vector<std::string> ip_addressses_ascii; |
1519 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); | 1588 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); |
1520 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { | 1589 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { |
1521 std::string& addr_ascii = ip_addressses_ascii[i]; | 1590 std::string& addr_ascii = ip_addressses_ascii[i]; |
1522 ASSERT_NE(0U, addr_ascii.length()); | 1591 ASSERT_NE(0U, addr_ascii.length()); |
1523 if (addr_ascii[0] == 'x') { // Hex encoded address | 1592 if (addr_ascii[0] == 'x') { // Hex encoded address |
1524 addr_ascii.erase(0, 1); | 1593 addr_ascii.erase(0, 1); |
1525 std::vector<uint8> bytes; | 1594 std::vector<uint8> bytes; |
1526 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) | 1595 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) |
1527 << "Could not parse hex address " << addr_ascii << " i = " << i; | 1596 << "Could not parse hex address " << addr_ascii << " i = " << i; |
1528 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), | 1597 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), |
1529 bytes.size())); | 1598 bytes.size())); |
1530 ASSERT_EQ(16U, ip_addressses.back().size()) << i; | 1599 ASSERT_EQ(16U, ip_addressses.back().size()) << i; |
1531 } else { // Decimal groups | 1600 } else { // Decimal groups |
1532 std::vector<std::string> decimals_ascii; | 1601 std::vector<std::string> decimals_ascii; |
1533 base::SplitString(addr_ascii, '.', &decimals_ascii); | 1602 base::SplitString(addr_ascii, '.', &decimals_ascii); |
(...skipping 217 matching lines...)
1751 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1820 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
1752 #else | 1821 #else |
1753 #define MAYBE_VerifyMixed VerifyMixed | 1822 #define MAYBE_VerifyMixed VerifyMixed |
1754 #endif | 1823 #endif |
1755 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1824 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1756 MAYBE_VerifyMixed, | 1825 MAYBE_VerifyMixed, |
1757 X509CertificateWeakDigestTest, | 1826 X509CertificateWeakDigestTest, |
1758 testing::ValuesIn(kVerifyMixedTestData)); | 1827 testing::ValuesIn(kVerifyMixedTestData)); |
1759 | 1828 |
1760 } // namespace net | 1829 } // namespace net |
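Review bot: In RejectWeakKeys, `TestRootCerts::GetInstance()->Add(root_cert.get());` (new line 643) adds 2048-rsa-root.pem to a process-wide singleton, and nothing visible in the test body removes it again, so the test root apparently stays trusted for every test that runs later in the same process. That can hide trust-anchor failures in unrelated verification tests and makes their results depend on test order. A closing `TestRootCerts::GetInstance()->Clear();` would cover the normal path, but the `ASSERT_NE` checks inside the loops return early and would skip it, so the cleanup is better placed in a small scope guard or a fixture's TearDown. A comment at the Add call would also help, e.g. `// Trusted only for this test; removed again before returning.`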