net/base/cert_verifier_unittest.cc - Issue 9476035: Make CertVerifier a pure virtual interface.

Side by Side Diff: net/base/cert_verifier_unittest.cc

Issue 9476035: Make CertVerifier a pure virtual interface. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Two header fixes Created 8 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
	(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "net/base/cert_verifier.h"

6

7 #include "base/bind.h"

8 #include "base/file_path.h"

9 #include "base/format_macros.h"

10 #include "base/stringprintf.h"

11 #include "net/base/cert_test_util.h"

12 #include "net/base/net_errors.h"

13 #include "net/base/net_log.h"

14 #include "net/base/test_completion_callback.h"

15 #include "net/base/x509_certificate.h"

16 #include "testing/gtest/include/gtest/gtest.h"

17

18 namespace net {

19

20 namespace {

21

22 void FailTest(int /* result */) {

23 FAIL();

24 }

25

26 } // namespace;

27

28 // Tests a cache hit, which should result in synchronous completion.

29 TEST(CertVerifierTest, CacheHit) {

30 CertVerifier verifier;

31

32 FilePath certs_dir = GetTestCertsDirectory();

33 scoped_refptr<X509Certificate> test_cert(

34 ImportCertFromFile(certs_dir, "ok_cert.pem"));

35 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

36

37 int error;

38 CertVerifyResult verify_result;

39 TestCompletionCallback callback;

40 CertVerifier::RequestHandle request_handle;

41

42 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

43 callback.callback(), &request_handle, BoundNetLog());

44 ASSERT_EQ(ERR_IO_PENDING, error);

45 ASSERT_TRUE(request_handle != NULL);

46 error = callback.WaitForResult();

47 ASSERT_TRUE(IsCertificateError(error));

48 ASSERT_EQ(1u, verifier.requests());

49 ASSERT_EQ(0u, verifier.cache_hits());

50 ASSERT_EQ(0u, verifier.inflight_joins());

51 ASSERT_EQ(1u, verifier.GetCacheSize());

52

53 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

54 callback.callback(), &request_handle, BoundNetLog());

55 // Synchronous completion.

56 ASSERT_NE(ERR_IO_PENDING, error);

57 ASSERT_TRUE(IsCertificateError(error));

58 ASSERT_TRUE(request_handle == NULL);

59 ASSERT_EQ(2u, verifier.requests());

60 ASSERT_EQ(1u, verifier.cache_hits());

61 ASSERT_EQ(0u, verifier.inflight_joins());

62 ASSERT_EQ(1u, verifier.GetCacheSize());

63 }

64

65 // Tests the same server certificate with different intermediate CA

66 // certificates. These should be treated as different certificate chains even

67 // though the two X509Certificate objects contain the same server certificate.

68 TEST(CertVerifierTest, DifferentCACerts) {

69 CertVerifier verifier;

70

71 FilePath certs_dir = GetTestCertsDirectory();

72

73 scoped_refptr<X509Certificate> server_cert =

74 ImportCertFromFile(certs_dir, "salesforce_com_test.pem");

75 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);

76

77 scoped_refptr<X509Certificate> intermediate_cert1 =

78 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem");

79 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1);

80

81 scoped_refptr<X509Certificate> intermediate_cert2 =

82 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem");

83 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert2);

84

85 X509Certificate::OSCertHandles intermediates;

86 intermediates.push_back(intermediate_cert1->os_cert_handle());

87 scoped_refptr<X509Certificate> cert_chain1 =

88 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),

89 intermediates);

90

91 intermediates.clear();

92 intermediates.push_back(intermediate_cert2->os_cert_handle());

93 scoped_refptr<X509Certificate> cert_chain2 =

94 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),

95 intermediates);

96

97 int error;

98 CertVerifyResult verify_result;

99 TestCompletionCallback callback;

100 CertVerifier::RequestHandle request_handle;

101

102 error = verifier.Verify(cert_chain1, "www.example.com", 0, NULL,

103 &verify_result, callback.callback(),

104 &request_handle, BoundNetLog());

105 ASSERT_EQ(ERR_IO_PENDING, error);

106 ASSERT_TRUE(request_handle != NULL);

107 error = callback.WaitForResult();

108 ASSERT_TRUE(IsCertificateError(error));

109 ASSERT_EQ(1u, verifier.requests());

110 ASSERT_EQ(0u, verifier.cache_hits());

111 ASSERT_EQ(0u, verifier.inflight_joins());

112 ASSERT_EQ(1u, verifier.GetCacheSize());

113

114 error = verifier.Verify(cert_chain2, "www.example.com", 0, NULL,

115 &verify_result, callback.callback(),

116 &request_handle, BoundNetLog());

117 ASSERT_EQ(ERR_IO_PENDING, error);

118 ASSERT_TRUE(request_handle != NULL);

119 error = callback.WaitForResult();

120 ASSERT_TRUE(IsCertificateError(error));

121 ASSERT_EQ(2u, verifier.requests());

122 ASSERT_EQ(0u, verifier.cache_hits());

123 ASSERT_EQ(0u, verifier.inflight_joins());

124 ASSERT_EQ(2u, verifier.GetCacheSize());

125 }

126

127 // Tests an inflight join.

128 TEST(CertVerifierTest, InflightJoin) {

129 CertVerifier verifier;

130

131 FilePath certs_dir = GetTestCertsDirectory();

132 scoped_refptr<X509Certificate> test_cert(

133 ImportCertFromFile(certs_dir, "ok_cert.pem"));

134 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

135

136 int error;

137 CertVerifyResult verify_result;

138 TestCompletionCallback callback;

139 CertVerifier::RequestHandle request_handle;

140 CertVerifyResult verify_result2;

141 TestCompletionCallback callback2;

142 CertVerifier::RequestHandle request_handle2;

143

144 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

145 callback.callback(), &request_handle, BoundNetLog());

146 ASSERT_EQ(ERR_IO_PENDING, error);

147 ASSERT_TRUE(request_handle != NULL);

148 error = verifier.Verify(

149 test_cert, "www.example.com", 0, NULL, &verify_result2,

150 callback2.callback(), &request_handle2, BoundNetLog());

151 ASSERT_EQ(ERR_IO_PENDING, error);

152 ASSERT_TRUE(request_handle2 != NULL);

153 error = callback.WaitForResult();

154 ASSERT_TRUE(IsCertificateError(error));

155 error = callback2.WaitForResult();

156 ASSERT_TRUE(IsCertificateError(error));

157 ASSERT_EQ(2u, verifier.requests());

158 ASSERT_EQ(0u, verifier.cache_hits());

159 ASSERT_EQ(1u, verifier.inflight_joins());

160 }

161

162 // Tests that the callback of a canceled request is never made.

163 TEST(CertVerifierTest, CancelRequest) {

164 CertVerifier verifier;

165

166 FilePath certs_dir = GetTestCertsDirectory();

167 scoped_refptr<X509Certificate> test_cert(

168 ImportCertFromFile(certs_dir, "ok_cert.pem"));

169 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

170

171 int error;

172 CertVerifyResult verify_result;

173 CertVerifier::RequestHandle request_handle;

174

175 error = verifier.Verify(

176 test_cert, "www.example.com", 0, NULL, &verify_result,

177 base::Bind(&FailTest), &request_handle, BoundNetLog());

178 ASSERT_EQ(ERR_IO_PENDING, error);

179 ASSERT_TRUE(request_handle != NULL);

180 verifier.CancelRequest(request_handle);

181

182 // Issue a few more requests to the worker pool and wait for their

183 // completion, so that the task of the canceled request (which runs on a

184 // worker thread) is likely to complete by the end of this test.

185 TestCompletionCallback callback;

186 for (int i = 0; i < 5; ++i) {

187 error = verifier.Verify(

188 test_cert, "www2.example.com", 0, NULL, &verify_result,

189 callback.callback(), &request_handle, BoundNetLog());

190 ASSERT_EQ(ERR_IO_PENDING, error);

191 ASSERT_TRUE(request_handle != NULL);

192 error = callback.WaitForResult();

193 verifier.ClearCache();

194 }

195 }

196

197 // Tests that a canceled request is not leaked.

198 TEST(CertVerifierTest, CancelRequestThenQuit) {

199 CertVerifier verifier;

200

201 FilePath certs_dir = GetTestCertsDirectory();

202 scoped_refptr<X509Certificate> test_cert(

203 ImportCertFromFile(certs_dir, "ok_cert.pem"));

204 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

205

206 int error;

207 CertVerifyResult verify_result;

208 TestCompletionCallback callback;

209 CertVerifier::RequestHandle request_handle;

210

211 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

212 callback.callback(), &request_handle, BoundNetLog());

213 ASSERT_EQ(ERR_IO_PENDING, error);

214 ASSERT_TRUE(request_handle != NULL);

215 verifier.CancelRequest(request_handle);

216 // Destroy \|verifier\| by going out of scope.

217 }

218

219 TEST(CertVerifierTest, RequestParamsComparators) {

220 SHA1Fingerprint a_key;

221 memset(a_key.data, 'a', sizeof(a_key.data));

222

223 SHA1Fingerprint z_key;

224 memset(z_key.data, 'z', sizeof(z_key.data));

225

226 struct {

227 // Keys to test

228 CertVerifier::RequestParams key1;

229 CertVerifier::RequestParams key2;

230

231 // Expectation:

232 // -1 means key1 is less than key2

233 // 0 means key1 equals key2

234 // 1 means key1 is greater than key2

235 int expected_result;

236 } tests[] = {

237 { // Test for basic equivalence.

238 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

239 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

240 0,

241 },

242 { // Test that different certificates but with the same CA and for

243 // the same host are different validation keys.

244 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

245 CertVerifier::RequestParams(z_key, a_key, "www.example.test", 0),

246 -1,

247 },

248 { // Test that the same EE certificate for the same host, but with

249 // different chains are different validation keys.

250 CertVerifier::RequestParams(a_key, z_key, "www.example.test", 0),

251 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

252 1,

253 },

254 { // The same certificate, with the same chain, but for different

255 // hosts are different validation keys.

256 CertVerifier::RequestParams(a_key, a_key, "www1.example.test", 0),

257 CertVerifier::RequestParams(a_key, a_key, "www2.example.test", 0),

258 -1,

259 },

260 { // The same certificate, chain, and host, but with different flags

261 // are different validation keys.

262 CertVerifier::RequestParams(a_key, a_key, "www.example.test",

263 X509Certificate::VERIFY_EV_CERT),

264 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

265 1,

266 }

267 };

268 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) {

269 SCOPED_TRACE(base::StringPrintf("Test[%" PRIuS "]", i));

270

271 const CertVerifier::RequestParams& key1 = tests[i].key1;

272 const CertVerifier::RequestParams& key2 = tests[i].key2;

273

274 switch (tests[i].expected_result) {

275 case -1:

276 EXPECT_TRUE(key1 < key2);

277 EXPECT_FALSE(key2 < key1);

278 break;

279 case 0:

280 EXPECT_FALSE(key1 < key2);

281 EXPECT_FALSE(key2 < key1);

282 break;

283 case 1:

284 EXPECT_FALSE(key1 < key2);

285 EXPECT_TRUE(key2 < key1);

286 break;

287 default:

288 FAIL() << "Invalid expectation. Can be only -1, 0, 1";

289 }

290 }

291 }

292

293 } // namespace net

OLD	NEW

« net/base/cert_verifier.h ('K') | « net/base/cert_verifier.cc ('k') | net/base/multi_threaded_cert_verifier.h » ('j') | no next file with comments »