| Index: net/base/x509_certificate_unittest.cc
|
| ===================================================================
|
| --- net/base/x509_certificate_unittest.cc (revision 110129)
|
| +++ net/base/x509_certificate_unittest.cc (working copy)
|
| @@ -592,6 +592,40 @@
|
| EXPECT_NE(OK, error);
|
| }
|
|
|
| +TEST(X509CertificateTest, RejectWeakKeys) {
|
| + FilePath certs_dir = GetTestCertsDirectory();
|
| +
|
| + // Self-signed cert with weak (768-bit) key.
|
| + scoped_refptr<X509Certificate> weak_cert =
|
| + ImportCertFromFile(certs_dir, "weak-key.pem");
|
| + ASSERT_NE(static_cast<X509Certificate*>(NULL), weak_cert);
|
| +
|
| + CertVerifyResult verify_result;
|
| + int flags = 0;
|
| + int error = weak_cert->Verify("broken.example.com", flags, NULL,
|
| + &verify_result);
|
| + EXPECT_NE(OK, error);
|
| + EXPECT_EQ(CERT_STATUS_WEAK_KEY,
|
| + verify_result.cert_status & CERT_STATUS_WEAK_KEY);
|
| +
|
| + // EE has 2048-bit key, signer is weak_cert. Even though the EE is fine,
|
| + // we must still reject it.
|
| + scoped_refptr<X509Certificate> good_cert =
|
| + ImportCertFromFile(certs_dir, "strong-key-weak-signer.pem");
|
| + ASSERT_NE(static_cast<X509Certificate*>(NULL), good_cert);
|
| +
|
| + X509Certificate::OSCertHandles intermediates;
|
| + intermediates.push_back(weak_cert->os_cert_handle());
|
| + scoped_refptr<X509Certificate> cert_chain =
|
| + X509Certificate::CreateFromHandle(good_cert->os_cert_handle(),
|
| + intermediates);
|
| +
|
| + error = cert_chain->Verify("www.example.org", flags, NULL, &verify_result);
|
| + EXPECT_NE(OK, error);
|
| + EXPECT_EQ(CERT_STATUS_WEAK_KEY,
|
| + verify_result.cert_status & CERT_STATUS_WEAK_KEY);
|
| +}
|
| +
|
| TEST(X509CertificateTest, DigiNotarCerts) {
|
| static const char* const kDigiNotarFilenames[] = {
|
| "diginotar_root_ca.pem",
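Review bot: The second `Verify` call in RejectWeakKeys reuses the `verify_result` that the first call already populated, so the second `EXPECT_EQ(CERT_STATUS_WEAK_KEY, verify_result.cert_status & CERT_STATUS_WEAK_KEY)` can be satisfied by the stale bit from the self-signed check rather than by the chain check it is meant to cover. Whether Verify clears cert_status before writing is not visible here; declaring a fresh result for the chain keeps the two assertions independent either way: `CertVerifyResult chain_result;`, `error = cert_chain->Verify("www.example.org", flags, NULL, &chain_result);`, and `chain_result.cert_status & CERT_STATUS_WEAK_KEY` in the final expectation. Since both Verify calls are expected to fail for other reasons as well (an untrusted self-signed root), the weak-key bit is the only thing this test actually pins, so it is worth making that bit unambiguous.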
|
| @@ -677,7 +711,7 @@
|
| base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
|
| spkiBytes.size(), hash);
|
|
|
| - EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash)));
|
| + EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash)));
|
| }
|
|
|
| TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
|
| @@ -1332,7 +1366,7 @@
|
| { false, "f.uk", ".uk" },
|
| { false, "w.bar.foo.com", "?.bar.foo.com" },
|
| { false, "www.foo.com", "(www|ftp).foo.com" },
|
| - { false, "www.foo.com", "www.foo.com#" }, // # = null char.
|
| + { false, "www.foo.com", "www.foo.com#" }, // # = null char.
|
| { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" },
|
| { false, "www.house.example", "ww.house.example" },
|
| { false, "test.org", "", "www.test.org,*.test.org,*.org" },
|
| @@ -1470,7 +1504,7 @@
|
| for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) {
|
| std::string& addr_ascii = ip_addressses_ascii[i];
|
| ASSERT_NE(0U, addr_ascii.length());
|
| - if (addr_ascii[0] == 'x') { // Hex encoded address
|
| + if (addr_ascii[0] == 'x') { // Hex encoded address
|
| addr_ascii.erase(0, 1);
|
| std::vector<uint8> bytes;
|
| EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes))
|
|
|