OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
(...skipping 593 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
604 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 604 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
605 X509Certificate::VERIFY_EV_CERT; | 605 X509Certificate::VERIFY_EV_CERT; |
606 int error = cert_chain->Verify("2029.globalsign.com", flags, NULL, | 606 int error = cert_chain->Verify("2029.globalsign.com", flags, NULL, |
607 &verify_result); | 607 &verify_result); |
608 if (error == OK) | 608 if (error == OK) |
609 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 609 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
610 else | 610 else |
611 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 611 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
612 } | 612 } |
613 | 613 |
614 // Currently, only RSA and DSA keys are checked for weakness, and our example | |
615 // weak size is 768. These could change in the future. | |
616 // | |
617 // Note that this means there may be false negatives: keys for other | |
618 // algorithms and which are weak will pass this test. | |
619 static bool IsWeakKeyType(const std::string& key_type) { | |
620 size_t pos = key_type.find("-"); | |
621 std::string size = key_type.substr(0, pos); | |
622 std::string type = key_type.substr(pos + 1); | |
623 | |
624 if (type == "rsa" || type == "dsa") | |
625 return size == "768"; | |
626 | |
627 return false; | |
628 } | |
629 | |
630 TEST(X509CertificateTest, RejectWeakKeys) { | |
631 FilePath certs_dir = GetTestCertsDirectory(); | |
632 typedef std::vector<std::string> Strings; | |
633 Strings key_types; | |
634 | |
635 // generate-weak-test-chains.sh currently has: | |
636 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa" | |
637 // We must use the same key types here. The filenames generated look like: | |
638 // 2048-rsa-ee-by-768-rsa-intermediate.pem | |
639 key_types.push_back("768-rsa"); | |
640 key_types.push_back("1024-rsa"); | |
641 key_types.push_back("2048-rsa"); | |
642 key_types.push_back("prime256v1-ecdsa"); | |
Ryan Sleevi
2011/12/14 03:11:01
Quick follow-up:
This ("prime256v1-ecdsa") will p
wtc
2011/12/15 02:10:36
Will "prime256v1-ecdsa" also fail on Mac OS X 10.5
| |
643 | |
644 // Add the root that signed the intermediates for this test. | |
645 scoped_refptr<X509Certificate> root_cert = | |
646 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | |
647 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | |
648 TestRootCerts::GetInstance()->Add(root_cert.get()); | |
649 | |
650 // Now test each chain. | |
651 for (Strings::const_iterator ee_type = key_types.begin(); | |
652 ee_type != key_types.end(); ++ee_type) { | |
653 for (Strings::const_iterator signer_type = key_types.begin(); | |
654 signer_type != key_types.end(); ++signer_type) { | |
655 std::string basename = *ee_type + "-ee-by-" + *signer_type + | |
656 "-intermediate.pem"; | |
657 scoped_refptr<X509Certificate> ee_cert = | |
658 ImportCertFromFile(certs_dir, basename); | |
659 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | |
660 | |
661 basename = *signer_type + "-intermediate.pem"; | |
662 scoped_refptr<X509Certificate> intermediate = | |
663 ImportCertFromFile(certs_dir, basename); | |
664 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); | |
665 | |
666 X509Certificate::OSCertHandles intermediates; | |
667 intermediates.push_back(intermediate->os_cert_handle()); | |
668 scoped_refptr<X509Certificate> cert_chain = | |
669 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | |
670 intermediates); | |
671 | |
672 CertVerifyResult verify_result; | |
673 int error = cert_chain->Verify("127.0.0.1", 0, NULL, &verify_result); | |
674 | |
675 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { | |
676 EXPECT_NE(OK, error); | |
677 EXPECT_EQ(CERT_STATUS_WEAK_KEY, | |
678 verify_result.cert_status & CERT_STATUS_WEAK_KEY); | |
679 } else { | |
680 EXPECT_EQ(OK, error); | |
681 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); | |
682 } | |
683 } | |
684 } | |
685 | |
686 TestRootCerts::GetInstance()->Clear(); | |
687 } | |
688 | |
614 // Test for bug 94673. | 689 // Test for bug 94673. |
615 TEST(X509CertificateTest, GoogleDigiNotarTest) { | 690 TEST(X509CertificateTest, GoogleDigiNotarTest) { |
616 FilePath certs_dir = GetTestCertsDirectory(); | 691 FilePath certs_dir = GetTestCertsDirectory(); |
617 | 692 |
618 scoped_refptr<X509Certificate> server_cert = | 693 scoped_refptr<X509Certificate> server_cert = |
619 ImportCertFromFile(certs_dir, "google_diginotar.pem"); | 694 ImportCertFromFile(certs_dir, "google_diginotar.pem"); |
620 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 695 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
621 | 696 |
622 scoped_refptr<X509Certificate> intermediate_cert = | 697 scoped_refptr<X509Certificate> intermediate_cert = |
623 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); | 698 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); |
(...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
720 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 795 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
721 &derBytes)); | 796 &derBytes)); |
722 | 797 |
723 base::StringPiece spkiBytes; | 798 base::StringPiece spkiBytes; |
724 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); | 799 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); |
725 | 800 |
726 uint8 hash[base::kSHA1Length]; | 801 uint8 hash[base::kSHA1Length]; |
727 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), | 802 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), |
728 spkiBytes.size(), hash); | 803 spkiBytes.size(), hash); |
729 | 804 |
730 EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash))); | 805 EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash))); |
731 } | 806 } |
732 | 807 |
733 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { | 808 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { |
734 FilePath certs_dir = GetTestCertsDirectory(); | 809 FilePath certs_dir = GetTestCertsDirectory(); |
735 scoped_refptr<X509Certificate> cert = | 810 scoped_refptr<X509Certificate> cert = |
736 ImportCertFromFile(certs_dir, "nist.der"); | 811 ImportCertFromFile(certs_dir, "nist.der"); |
737 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | 812 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); |
738 | 813 |
739 std::string derBytes; | 814 std::string derBytes; |
740 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 815 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
(...skipping 634 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1375 { true, "f", "f" }, | 1450 { true, "f", "f" }, |
1376 { false, "h", "i" }, | 1451 { false, "h", "i" }, |
1377 { true, "bar.foo.com", "*.foo.com" }, | 1452 { true, "bar.foo.com", "*.foo.com" }, |
1378 { true, "www.test.fr", "common.name", | 1453 { true, "www.test.fr", "common.name", |
1379 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, | 1454 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, |
1380 { true, "wwW.tESt.fr", "common.name", | 1455 { true, "wwW.tESt.fr", "common.name", |
1381 ",*.*,*.test.de,*.test.FR,www" }, | 1456 ",*.*,*.test.de,*.test.FR,www" }, |
1382 { false, "f.uk", ".uk" }, | 1457 { false, "f.uk", ".uk" }, |
1383 { false, "w.bar.foo.com", "?.bar.foo.com" }, | 1458 { false, "w.bar.foo.com", "?.bar.foo.com" }, |
1384 { false, "www.foo.com", "(www|ftp).foo.com" }, | 1459 { false, "www.foo.com", "(www|ftp).foo.com" }, |
1385 { false, "www.foo.com", "www.foo.com#" }, // # = null char. | 1460 { false, "www.foo.com", "www.foo.com#" }, // # = null char. |
1386 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, | 1461 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, |
1387 { false, "www.house.example", "ww.house.example" }, | 1462 { false, "www.house.example", "ww.house.example" }, |
1388 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, | 1463 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, |
1389 { false, "w.bar.foo.com", "w*.bar.foo.com" }, | 1464 { false, "w.bar.foo.com", "w*.bar.foo.com" }, |
1390 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, | 1465 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, |
1391 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, | 1466 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, |
1392 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, | 1467 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, |
1393 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, | 1468 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, |
1394 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, | 1469 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, |
1395 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, | 1470 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, |
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1513 } | 1588 } |
1514 | 1589 |
1515 if (test_data.ip_addrs) { | 1590 if (test_data.ip_addrs) { |
1516 // Build up the certificate IP address list. | 1591 // Build up the certificate IP address list. |
1517 std::string ip_addrs_line(test_data.ip_addrs); | 1592 std::string ip_addrs_line(test_data.ip_addrs); |
1518 std::vector<std::string> ip_addressses_ascii; | 1593 std::vector<std::string> ip_addressses_ascii; |
1519 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); | 1594 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); |
1520 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { | 1595 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { |
1521 std::string& addr_ascii = ip_addressses_ascii[i]; | 1596 std::string& addr_ascii = ip_addressses_ascii[i]; |
1522 ASSERT_NE(0U, addr_ascii.length()); | 1597 ASSERT_NE(0U, addr_ascii.length()); |
1523 if (addr_ascii[0] == 'x') { // Hex encoded address | 1598 if (addr_ascii[0] == 'x') { // Hex encoded address |
1524 addr_ascii.erase(0, 1); | 1599 addr_ascii.erase(0, 1); |
1525 std::vector<uint8> bytes; | 1600 std::vector<uint8> bytes; |
1526 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) | 1601 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) |
1527 << "Could not parse hex address " << addr_ascii << " i = " << i; | 1602 << "Could not parse hex address " << addr_ascii << " i = " << i; |
1528 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), | 1603 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), |
1529 bytes.size())); | 1604 bytes.size())); |
1530 ASSERT_EQ(16U, ip_addressses.back().size()) << i; | 1605 ASSERT_EQ(16U, ip_addressses.back().size()) << i; |
1531 } else { // Decimal groups | 1606 } else { // Decimal groups |
1532 std::vector<std::string> decimals_ascii; | 1607 std::vector<std::string> decimals_ascii; |
1533 base::SplitString(addr_ascii, '.', &decimals_ascii); | 1608 base::SplitString(addr_ascii, '.', &decimals_ascii); |
(...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1751 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1826 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
1752 #else | 1827 #else |
1753 #define MAYBE_VerifyMixed VerifyMixed | 1828 #define MAYBE_VerifyMixed VerifyMixed |
1754 #endif | 1829 #endif |
1755 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1830 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1756 MAYBE_VerifyMixed, | 1831 MAYBE_VerifyMixed, |
1757 X509CertificateWeakDigestTest, | 1832 X509CertificateWeakDigestTest, |
1758 testing::ValuesIn(kVerifyMixedTestData)); | 1833 testing::ValuesIn(kVerifyMixedTestData)); |
1759 | 1834 |
1760 } // namespace net | 1835 } // namespace net |
OLD | NEW |