Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(104)

Side by Side Diff: net/base/x509_certificate_unittest.cc

Issue 9152011: net: add a test for X509Certificate integration with CRLSet. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/data/ssl/certificates/README » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "base/file_path.h" 5 #include "base/file_path.h"
6 #include "base/file_util.h" 6 #include "base/file_util.h"
7 #include "base/path_service.h" 7 #include "base/path_service.h"
8 #include "base/pickle.h" 8 #include "base/pickle.h"
9 #include "base/sha1.h" 9 #include "base/sha1.h"
10 #include "base/string_number_conversions.h" 10 #include "base/string_number_conversions.h"
11 #include "base/string_split.h" 11 #include "base/string_split.h"
12 #include "crypto/rsa_private_key.h" 12 #include "crypto/rsa_private_key.h"
13 #include "net/base/asn1_util.h" 13 #include "net/base/asn1_util.h"
14 #include "net/base/cert_status_flags.h" 14 #include "net/base/cert_status_flags.h"
15 #include "net/base/cert_test_util.h" 15 #include "net/base/cert_test_util.h"
16 #include "net/base/cert_verify_result.h" 16 #include "net/base/cert_verify_result.h"
17 #include "net/base/crl_set.h"
17 #include "net/base/net_errors.h" 18 #include "net/base/net_errors.h"
18 #include "net/base/test_certificate_data.h" 19 #include "net/base/test_certificate_data.h"
19 #include "net/base/test_root_certs.h" 20 #include "net/base/test_root_certs.h"
20 #include "net/base/x509_certificate.h" 21 #include "net/base/x509_certificate.h"
21 #include "testing/gtest/include/gtest/gtest.h" 22 #include "testing/gtest/include/gtest/gtest.h"
22 23
23 #if defined(USE_NSS) 24 #if defined(USE_NSS)
24 #include <cert.h> 25 #include <cert.h>
25 #endif 26 #endif
26 27
(...skipping 1349 matching lines...) Expand 10 before | Expand all | Expand 10 after
1376 X509Certificate::CreateSelfSigned( 1377 X509Certificate::CreateSelfSigned(
1377 private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1)); 1378 private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1));
1378 1379
1379 std::string der_cert; 1380 std::string der_cert;
1380 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), 1381 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
1381 &der_cert)); 1382 &der_cert));
1382 EXPECT_FALSE(der_cert.empty()); 1383 EXPECT_FALSE(der_cert.empty());
1383 } 1384 }
1384 #endif 1385 #endif
1385 1386
1387 #if defined(USE_NSS)
1388 static const uint8 kCRLSetThawteSPKIBlocked[] = {
1389 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1390 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1391 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1392 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1393 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1394 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1395 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1396 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37,
1397 0x58, 0x70, 0x4d, 0x51, 0x4b, 0x78, 0x49, 0x41, 0x39, 0x50, 0x6a, 0x36, 0x37,
1398 0x36, 0x38, 0x76, 0x74, 0x55, 0x6b, 0x6b, 0x7a, 0x48, 0x79, 0x7a, 0x41, 0x6f,
1399 0x6d, 0x6f, 0x4f, 0x68, 0x4b, 0x55, 0x6e, 0x7a, 0x73, 0x55, 0x3d, 0x22, 0x5d,
1400 0x7d,
1401 };
1402
1403 static const uint8 kCRLSetThawteSerialBlocked[] = {
1404 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1405 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1406 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1407 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1408 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1409 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1410 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1411 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xb1, 0x12, 0x41, 0x42, 0xa5, 0xa1,
1412 0xa5, 0xa2, 0x88, 0x19, 0xc7, 0x35, 0x34, 0x0e, 0xff, 0x8c, 0x9e, 0x2f, 0x81,
1413 0x68, 0xfe, 0xe3, 0xba, 0x18, 0x7f, 0x25, 0x3b, 0xc1, 0xa3, 0x92, 0xd7, 0xe2,
1414 0x01, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x02,
1415 };
1416
1417 static const uint8 kCRLSetGoogleSerialBlocked[] = {
1418 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1419 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1420 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1421 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1422 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1423 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1424 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1425 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xe9, 0x7e, 0x8c, 0xc5, 0x1e, 0xd7,
1426 0xa4, 0xc4, 0x0a, 0xc4, 0x80, 0x3d, 0x3e, 0x3e, 0xbb, 0xeb, 0xcb, 0xed, 0x52,
1427 0x49, 0x33, 0x1f, 0x2c, 0xc0, 0xa2, 0x6a, 0x0e, 0x84, 0xa5, 0x27, 0xce, 0xc5,
1428 0x01, 0x00, 0x00, 0x00, 0x10, 0x4f, 0x9d, 0x96, 0xd9, 0x66, 0xb0, 0x99, 0x2b,
1429 0x54, 0xc2, 0x95, 0x7c, 0xb4, 0x15, 0x7d, 0x4d,
1430 };
1431
1432 // Test that CRLSets are effective in making a certificate appear to be
1433 // revoked.
1434 TEST(X509CertificateTest, CRLSet) {
1435 CertificateList certs = CreateCertificateListFromFile(
1436 GetTestCertsDirectory(),
1437 "googlenew.chain.pem",
1438 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
1439
1440 X509Certificate::OSCertHandles intermediates;
1441 intermediates.push_back(certs[1]->os_cert_handle());
1442
1443 scoped_refptr<X509Certificate> google_full_chain =
1444 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
1445 intermediates);
1446
1447 CertVerifyResult verify_result;
1448 int error = google_full_chain->Verify(
1449 "www.google.com", 0, NULL, &verify_result);
1450 EXPECT_EQ(OK, error);
1451
1452 // First test blocking by SPKI.
1453 base::StringPiece crl_set_bytes(
1454 reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked),
1455 sizeof(kCRLSetThawteSPKIBlocked));
1456 scoped_refptr<CRLSet> crl_set;
1457 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1458
1459 error = google_full_chain->Verify(
1460 "www.google.com", 0, crl_set.get(), &verify_result);
1461 EXPECT_EQ(ERR_CERT_REVOKED, error);
1462
1463 // Second, test revocation by serial number of a cert directly under the
1464 // root.
1465 crl_set_bytes = base::StringPiece(
1466 reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked),
1467 sizeof(kCRLSetThawteSerialBlocked));
1468 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1469
1470 error = google_full_chain->Verify(
1471 "www.google.com", 0, crl_set.get(), &verify_result);
1472 EXPECT_EQ(ERR_CERT_REVOKED, error);
1473
1474 // Lastly, test revocation by serial number of a certificate not under the
1475 // root.
1476 crl_set_bytes = base::StringPiece(
1477 reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked),
1478 sizeof(kCRLSetGoogleSerialBlocked));
1479 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1480
1481 error = google_full_chain->Verify(
1482 "www.google.com", 0, crl_set.get(), &verify_result);
1483 EXPECT_EQ(ERR_CERT_REVOKED, error);
1484 }
1485 #endif
1486
1386 class X509CertificateParseTest 1487 class X509CertificateParseTest
1387 : public testing::TestWithParam<CertificateFormatTestData> { 1488 : public testing::TestWithParam<CertificateFormatTestData> {
1388 public: 1489 public:
1389 virtual ~X509CertificateParseTest() {} 1490 virtual ~X509CertificateParseTest() {}
1390 virtual void SetUp() { 1491 virtual void SetUp() {
1391 test_data_ = GetParam(); 1492 test_data_ = GetParam();
1392 } 1493 }
1393 virtual void TearDown() {} 1494 virtual void TearDown() {}
1394 1495
1395 protected: 1496 protected:
(...skipping 474 matching lines...) Expand 10 before | Expand all | Expand 10 after
1870 #define MAYBE_VerifyMixed DISABLED_VerifyMixed 1971 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
1871 #else 1972 #else
1872 #define MAYBE_VerifyMixed VerifyMixed 1973 #define MAYBE_VerifyMixed VerifyMixed
1873 #endif 1974 #endif
1874 WRAPPED_INSTANTIATE_TEST_CASE_P( 1975 WRAPPED_INSTANTIATE_TEST_CASE_P(
1875 MAYBE_VerifyMixed, 1976 MAYBE_VerifyMixed,
1876 X509CertificateWeakDigestTest, 1977 X509CertificateWeakDigestTest,
1877 testing::ValuesIn(kVerifyMixedTestData)); 1978 testing::ValuesIn(kVerifyMixedTestData));
1878 1979
1879 } // namespace net 1980 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/data/ssl/certificates/README » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698