OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/cert_verifier.h" | |
6 | |
7 #include "base/bind.h" | |
8 #include "base/file_path.h" | |
9 #include "base/format_macros.h" | |
10 #include "base/stringprintf.h" | |
11 #include "net/base/cert_test_util.h" | |
12 #include "net/base/net_errors.h" | |
13 #include "net/base/net_log.h" | |
14 #include "net/base/test_completion_callback.h" | |
15 #include "net/base/x509_certificate.h" | |
16 #include "testing/gtest/include/gtest/gtest.h" | |
17 | |
18 namespace net { | |
19 | |
20 namespace { | |
21 | |
22 void FailTest(int /* result */) { | |
23 FAIL(); | |
24 } | |
25 | |
26 } // namespace; | |
27 | |
28 // Tests a cache hit, which should result in synchronous completion. | |
29 TEST(CertVerifierTest, CacheHit) { | |
30 CertVerifier verifier; | |
31 | |
32 FilePath certs_dir = GetTestCertsDirectory(); | |
33 scoped_refptr<X509Certificate> test_cert( | |
34 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
35 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
36 | |
37 int error; | |
38 CertVerifyResult verify_result; | |
39 TestCompletionCallback callback; | |
40 CertVerifier::RequestHandle request_handle; | |
41 | |
42 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
43 callback.callback(), &request_handle, BoundNetLog()); | |
44 ASSERT_EQ(ERR_IO_PENDING, error); | |
45 ASSERT_TRUE(request_handle != NULL); | |
46 error = callback.WaitForResult(); | |
47 ASSERT_TRUE(IsCertificateError(error)); | |
48 ASSERT_EQ(1u, verifier.requests()); | |
49 ASSERT_EQ(0u, verifier.cache_hits()); | |
50 ASSERT_EQ(0u, verifier.inflight_joins()); | |
51 ASSERT_EQ(1u, verifier.GetCacheSize()); | |
52 | |
53 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
54 callback.callback(), &request_handle, BoundNetLog()); | |
55 // Synchronous completion. | |
56 ASSERT_NE(ERR_IO_PENDING, error); | |
57 ASSERT_TRUE(IsCertificateError(error)); | |
58 ASSERT_TRUE(request_handle == NULL); | |
59 ASSERT_EQ(2u, verifier.requests()); | |
60 ASSERT_EQ(1u, verifier.cache_hits()); | |
61 ASSERT_EQ(0u, verifier.inflight_joins()); | |
62 ASSERT_EQ(1u, verifier.GetCacheSize()); | |
63 } | |
64 | |
65 // Tests the same server certificate with different intermediate CA | |
66 // certificates. These should be treated as different certificate chains even | |
67 // though the two X509Certificate objects contain the same server certificate. | |
68 TEST(CertVerifierTest, DifferentCACerts) { | |
69 CertVerifier verifier; | |
70 | |
71 FilePath certs_dir = GetTestCertsDirectory(); | |
72 | |
73 scoped_refptr<X509Certificate> server_cert = | |
74 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); | |
75 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | |
76 | |
77 scoped_refptr<X509Certificate> intermediate_cert1 = | |
78 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem"); | |
79 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1); | |
80 | |
81 scoped_refptr<X509Certificate> intermediate_cert2 = | |
82 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem"); | |
83 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert2); | |
84 | |
85 X509Certificate::OSCertHandles intermediates; | |
86 intermediates.push_back(intermediate_cert1->os_cert_handle()); | |
87 scoped_refptr<X509Certificate> cert_chain1 = | |
88 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | |
89 intermediates); | |
90 | |
91 intermediates.clear(); | |
92 intermediates.push_back(intermediate_cert2->os_cert_handle()); | |
93 scoped_refptr<X509Certificate> cert_chain2 = | |
94 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | |
95 intermediates); | |
96 | |
97 int error; | |
98 CertVerifyResult verify_result; | |
99 TestCompletionCallback callback; | |
100 CertVerifier::RequestHandle request_handle; | |
101 | |
102 error = verifier.Verify(cert_chain1, "www.example.com", 0, NULL, | |
103 &verify_result, callback.callback(), | |
104 &request_handle, BoundNetLog()); | |
105 ASSERT_EQ(ERR_IO_PENDING, error); | |
106 ASSERT_TRUE(request_handle != NULL); | |
107 error = callback.WaitForResult(); | |
108 ASSERT_TRUE(IsCertificateError(error)); | |
109 ASSERT_EQ(1u, verifier.requests()); | |
110 ASSERT_EQ(0u, verifier.cache_hits()); | |
111 ASSERT_EQ(0u, verifier.inflight_joins()); | |
112 ASSERT_EQ(1u, verifier.GetCacheSize()); | |
113 | |
114 error = verifier.Verify(cert_chain2, "www.example.com", 0, NULL, | |
115 &verify_result, callback.callback(), | |
116 &request_handle, BoundNetLog()); | |
117 ASSERT_EQ(ERR_IO_PENDING, error); | |
118 ASSERT_TRUE(request_handle != NULL); | |
119 error = callback.WaitForResult(); | |
120 ASSERT_TRUE(IsCertificateError(error)); | |
121 ASSERT_EQ(2u, verifier.requests()); | |
122 ASSERT_EQ(0u, verifier.cache_hits()); | |
123 ASSERT_EQ(0u, verifier.inflight_joins()); | |
124 ASSERT_EQ(2u, verifier.GetCacheSize()); | |
125 } | |
126 | |
127 // Tests an inflight join. | |
128 TEST(CertVerifierTest, InflightJoin) { | |
129 CertVerifier verifier; | |
130 | |
131 FilePath certs_dir = GetTestCertsDirectory(); | |
132 scoped_refptr<X509Certificate> test_cert( | |
133 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
134 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
135 | |
136 int error; | |
137 CertVerifyResult verify_result; | |
138 TestCompletionCallback callback; | |
139 CertVerifier::RequestHandle request_handle; | |
140 CertVerifyResult verify_result2; | |
141 TestCompletionCallback callback2; | |
142 CertVerifier::RequestHandle request_handle2; | |
143 | |
144 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
145 callback.callback(), &request_handle, BoundNetLog()); | |
146 ASSERT_EQ(ERR_IO_PENDING, error); | |
147 ASSERT_TRUE(request_handle != NULL); | |
148 error = verifier.Verify( | |
149 test_cert, "www.example.com", 0, NULL, &verify_result2, | |
150 callback2.callback(), &request_handle2, BoundNetLog()); | |
151 ASSERT_EQ(ERR_IO_PENDING, error); | |
152 ASSERT_TRUE(request_handle2 != NULL); | |
153 error = callback.WaitForResult(); | |
154 ASSERT_TRUE(IsCertificateError(error)); | |
155 error = callback2.WaitForResult(); | |
156 ASSERT_TRUE(IsCertificateError(error)); | |
157 ASSERT_EQ(2u, verifier.requests()); | |
158 ASSERT_EQ(0u, verifier.cache_hits()); | |
159 ASSERT_EQ(1u, verifier.inflight_joins()); | |
160 } | |
161 | |
162 // Tests that the callback of a canceled request is never made. | |
163 TEST(CertVerifierTest, CancelRequest) { | |
164 CertVerifier verifier; | |
165 | |
166 FilePath certs_dir = GetTestCertsDirectory(); | |
167 scoped_refptr<X509Certificate> test_cert( | |
168 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
169 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
170 | |
171 int error; | |
172 CertVerifyResult verify_result; | |
173 CertVerifier::RequestHandle request_handle; | |
174 | |
175 error = verifier.Verify( | |
176 test_cert, "www.example.com", 0, NULL, &verify_result, | |
177 base::Bind(&FailTest), &request_handle, BoundNetLog()); | |
178 ASSERT_EQ(ERR_IO_PENDING, error); | |
179 ASSERT_TRUE(request_handle != NULL); | |
180 verifier.CancelRequest(request_handle); | |
181 | |
182 // Issue a few more requests to the worker pool and wait for their | |
183 // completion, so that the task of the canceled request (which runs on a | |
184 // worker thread) is likely to complete by the end of this test. | |
185 TestCompletionCallback callback; | |
186 for (int i = 0; i < 5; ++i) { | |
187 error = verifier.Verify( | |
188 test_cert, "www2.example.com", 0, NULL, &verify_result, | |
189 callback.callback(), &request_handle, BoundNetLog()); | |
190 ASSERT_EQ(ERR_IO_PENDING, error); | |
191 ASSERT_TRUE(request_handle != NULL); | |
192 error = callback.WaitForResult(); | |
193 verifier.ClearCache(); | |
194 } | |
195 } | |
196 | |
197 // Tests that a canceled request is not leaked. | |
198 TEST(CertVerifierTest, CancelRequestThenQuit) { | |
199 CertVerifier verifier; | |
200 | |
201 FilePath certs_dir = GetTestCertsDirectory(); | |
202 scoped_refptr<X509Certificate> test_cert( | |
203 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
204 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
205 | |
206 int error; | |
207 CertVerifyResult verify_result; | |
208 TestCompletionCallback callback; | |
209 CertVerifier::RequestHandle request_handle; | |
210 | |
211 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
212 callback.callback(), &request_handle, BoundNetLog()); | |
213 ASSERT_EQ(ERR_IO_PENDING, error); | |
214 ASSERT_TRUE(request_handle != NULL); | |
215 verifier.CancelRequest(request_handle); | |
216 // Destroy |verifier| by going out of scope. | |
217 } | |
218 | |
219 TEST(CertVerifierTest, RequestParamsComparators) { | |
220 SHA1Fingerprint a_key; | |
221 memset(a_key.data, 'a', sizeof(a_key.data)); | |
222 | |
223 SHA1Fingerprint z_key; | |
224 memset(z_key.data, 'z', sizeof(z_key.data)); | |
225 | |
226 struct { | |
227 // Keys to test | |
228 CertVerifier::RequestParams key1; | |
229 CertVerifier::RequestParams key2; | |
230 | |
231 // Expectation: | |
232 // -1 means key1 is less than key2 | |
233 // 0 means key1 equals key2 | |
234 // 1 means key1 is greater than key2 | |
235 int expected_result; | |
236 } tests[] = { | |
237 { // Test for basic equivalence. | |
238 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
239 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
240 0, | |
241 }, | |
242 { // Test that different certificates but with the same CA and for | |
243 // the same host are different validation keys. | |
244 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
245 CertVerifier::RequestParams(z_key, a_key, "www.example.test", 0), | |
246 -1, | |
247 }, | |
248 { // Test that the same EE certificate for the same host, but with | |
249 // different chains are different validation keys. | |
250 CertVerifier::RequestParams(a_key, z_key, "www.example.test", 0), | |
251 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
252 1, | |
253 }, | |
254 { // The same certificate, with the same chain, but for different | |
255 // hosts are different validation keys. | |
256 CertVerifier::RequestParams(a_key, a_key, "www1.example.test", 0), | |
257 CertVerifier::RequestParams(a_key, a_key, "www2.example.test", 0), | |
258 -1, | |
259 }, | |
260 { // The same certificate, chain, and host, but with different flags | |
261 // are different validation keys. | |
262 CertVerifier::RequestParams(a_key, a_key, "www.example.test", | |
263 X509Certificate::VERIFY_EV_CERT), | |
264 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
265 1, | |
266 } | |
267 }; | |
268 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) { | |
269 SCOPED_TRACE(base::StringPrintf("Test[%" PRIuS "]", i)); | |
270 | |
271 const CertVerifier::RequestParams& key1 = tests[i].key1; | |
272 const CertVerifier::RequestParams& key2 = tests[i].key2; | |
273 | |
274 switch (tests[i].expected_result) { | |
275 case -1: | |
276 EXPECT_TRUE(key1 < key2); | |
277 EXPECT_FALSE(key2 < key1); | |
278 break; | |
279 case 0: | |
280 EXPECT_FALSE(key1 < key2); | |
281 EXPECT_FALSE(key2 < key1); | |
282 break; | |
283 case 1: | |
284 EXPECT_FALSE(key1 < key2); | |
285 EXPECT_TRUE(key2 < key1); | |
286 break; | |
287 default: | |
288 FAIL() << "Invalid expectation. Can be only -1, 0, 1"; | |
289 } | |
290 } | |
291 } | |
292 | |
293 } // namespace net | |
OLD | NEW |