| OLD | NEW |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| 11 #include "base/string_split.h" | 11 #include "base/string_split.h" |
| 12 #include "crypto/rsa_private_key.h" | 12 #include "crypto/rsa_private_key.h" |
| 13 #include "net/base/asn1_util.h" | 13 #include "net/base/asn1_util.h" |
| 14 #include "net/base/cert_status_flags.h" | 14 #include "net/base/cert_status_flags.h" |
| 15 #include "net/base/cert_test_util.h" | 15 #include "net/base/cert_test_util.h" |
| 16 #include "net/base/cert_verify_result.h" | 16 #include "net/base/cert_verify_result.h" |
| 17 #include "net/base/crl_set.h" |
| 17 #include "net/base/net_errors.h" | 18 #include "net/base/net_errors.h" |
| 18 #include "net/base/test_certificate_data.h" | 19 #include "net/base/test_certificate_data.h" |
| 19 #include "net/base/test_root_certs.h" | 20 #include "net/base/test_root_certs.h" |
| 20 #include "net/base/x509_certificate.h" | 21 #include "net/base/x509_certificate.h" |
| 21 #include "testing/gtest/include/gtest/gtest.h" | 22 #include "testing/gtest/include/gtest/gtest.h" |
| 22 | 23 |
| 23 #if defined(USE_NSS) | 24 #if defined(USE_NSS) |
| 24 #include <cert.h> | 25 #include <cert.h> |
| 25 #endif | 26 #endif |
| 26 | 27 |
| (...skipping 1349 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1376 X509Certificate::CreateSelfSigned( | 1377 X509Certificate::CreateSelfSigned( |
| 1377 private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1)); | 1378 private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1)); |
| 1378 | 1379 |
| 1379 std::string der_cert; | 1380 std::string der_cert; |
| 1380 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 1381 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
| 1381 &der_cert)); | 1382 &der_cert)); |
| 1382 EXPECT_FALSE(der_cert.empty()); | 1383 EXPECT_FALSE(der_cert.empty()); |
| 1383 } | 1384 } |
| 1384 #endif | 1385 #endif |
| 1385 | 1386 |
| 1387 #if defined(USE_NSS) |
| 1388 static const uint8 kCRLSetThawteSPKIBlocked[] = { |
| 1389 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, |
| 1390 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, |
| 1391 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, |
| 1392 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, |
| 1393 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, |
| 1394 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, |
| 1395 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, |
| 1396 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37, |
| 1397 0x58, 0x70, 0x4d, 0x51, 0x4b, 0x78, 0x49, 0x41, 0x39, 0x50, 0x6a, 0x36, 0x37, |
| 1398 0x36, 0x38, 0x76, 0x74, 0x55, 0x6b, 0x6b, 0x7a, 0x48, 0x79, 0x7a, 0x41, 0x6f, |
| 1399 0x6d, 0x6f, 0x4f, 0x68, 0x4b, 0x55, 0x6e, 0x7a, 0x73, 0x55, 0x3d, 0x22, 0x5d, |
| 1400 0x7d, |
| 1401 }; |
| 1402 |
| 1403 static const uint8 kCRLSetThawteSerialBlocked[] = { |
| 1404 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, |
| 1405 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, |
| 1406 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, |
| 1407 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, |
| 1408 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, |
| 1409 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, |
| 1410 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, |
| 1411 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xb1, 0x12, 0x41, 0x42, 0xa5, 0xa1, |
| 1412 0xa5, 0xa2, 0x88, 0x19, 0xc7, 0x35, 0x34, 0x0e, 0xff, 0x8c, 0x9e, 0x2f, 0x81, |
| 1413 0x68, 0xfe, 0xe3, 0xba, 0x18, 0x7f, 0x25, 0x3b, 0xc1, 0xa3, 0x92, 0xd7, 0xe2, |
| 1414 0x01, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x02, |
| 1415 }; |
| 1416 |
| 1417 static const uint8 kCRLSetGoogleSerialBlocked[] = { |
| 1418 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, |
| 1419 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, |
| 1420 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, |
| 1421 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, |
| 1422 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, |
| 1423 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, |
| 1424 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, |
| 1425 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xe9, 0x7e, 0x8c, 0xc5, 0x1e, 0xd7, |
| 1426 0xa4, 0xc4, 0x0a, 0xc4, 0x80, 0x3d, 0x3e, 0x3e, 0xbb, 0xeb, 0xcb, 0xed, 0x52, |
| 1427 0x49, 0x33, 0x1f, 0x2c, 0xc0, 0xa2, 0x6a, 0x0e, 0x84, 0xa5, 0x27, 0xce, 0xc5, |
| 1428 0x01, 0x00, 0x00, 0x00, 0x10, 0x4f, 0x9d, 0x96, 0xd9, 0x66, 0xb0, 0x99, 0x2b, |
| 1429 0x54, 0xc2, 0x95, 0x7c, 0xb4, 0x15, 0x7d, 0x4d, |
| 1430 }; |
| 1431 |
| 1432 // Test that CRLSets are effective in making a certificate appear to be |
| 1433 // revoked. |
| 1434 TEST(X509CertificateTest, CRLSet) { |
| 1435 CertificateList certs = CreateCertificateListFromFile( |
| 1436 GetTestCertsDirectory(), |
| 1437 "googlenew.chain.pem", |
| 1438 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| 1439 |
| 1440 X509Certificate::OSCertHandles intermediates; |
| 1441 intermediates.push_back(certs[1]->os_cert_handle()); |
| 1442 |
| 1443 scoped_refptr<X509Certificate> google_full_chain = |
| 1444 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 1445 intermediates); |
| 1446 |
| 1447 CertVerifyResult verify_result; |
| 1448 int error = google_full_chain->Verify( |
| 1449 "www.google.com", 0, NULL, &verify_result); |
| 1450 EXPECT_EQ(OK, error); |
| 1451 |
| 1452 // First test blocking by SPKI. |
| 1453 base::StringPiece crl_set_bytes( |
| 1454 reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked), |
| 1455 sizeof(kCRLSetThawteSPKIBlocked)); |
| 1456 scoped_refptr<CRLSet> crl_set; |
| 1457 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
| 1458 |
| 1459 error = google_full_chain->Verify( |
| 1460 "www.google.com", 0, crl_set.get(), &verify_result); |
| 1461 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 1462 |
| 1463 // Second, test revocation by serial number of a cert directly under the |
| 1464 // root. |
| 1465 crl_set_bytes = base::StringPiece( |
| 1466 reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked), |
| 1467 sizeof(kCRLSetThawteSerialBlocked)); |
| 1468 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
| 1469 |
| 1470 error = google_full_chain->Verify( |
| 1471 "www.google.com", 0, crl_set.get(), &verify_result); |
| 1472 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 1473 |
| 1474 // Lastly, test revocation by serial number of a certificate not under the |
| 1475 // root. |
| 1476 crl_set_bytes = base::StringPiece( |
| 1477 reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked), |
| 1478 sizeof(kCRLSetGoogleSerialBlocked)); |
| 1479 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
| 1480 |
| 1481 error = google_full_chain->Verify( |
| 1482 "www.google.com", 0, crl_set.get(), &verify_result); |
| 1483 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 1484 } |
| 1485 #endif |
| 1486 |
| 1386 class X509CertificateParseTest | 1487 class X509CertificateParseTest |
| 1387 : public testing::TestWithParam<CertificateFormatTestData> { | 1488 : public testing::TestWithParam<CertificateFormatTestData> { |
| 1388 public: | 1489 public: |
| 1389 virtual ~X509CertificateParseTest() {} | 1490 virtual ~X509CertificateParseTest() {} |
| 1390 virtual void SetUp() { | 1491 virtual void SetUp() { |
| 1391 test_data_ = GetParam(); | 1492 test_data_ = GetParam(); |
| 1392 } | 1493 } |
| 1393 virtual void TearDown() {} | 1494 virtual void TearDown() {} |
| 1394 | 1495 |
| 1395 protected: | 1496 protected: |
| (...skipping 474 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1870 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1971 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1871 #else | 1972 #else |
| 1872 #define MAYBE_VerifyMixed VerifyMixed | 1973 #define MAYBE_VerifyMixed VerifyMixed |
| 1873 #endif | 1974 #endif |
| 1874 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1975 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1875 MAYBE_VerifyMixed, | 1976 MAYBE_VerifyMixed, |
| 1876 X509CertificateWeakDigestTest, | 1977 X509CertificateWeakDigestTest, |
| 1877 testing::ValuesIn(kVerifyMixedTestData)); | 1978 testing::ValuesIn(kVerifyMixedTestData)); |
| 1878 | 1979 |
| 1879 } // namespace net | 1980 } // namespace net |
| OLD | NEW |