net/cert/cert_verify_proc_whitelist_unittest.cc - Issue 1042973002: Implement the ability to whitelist certs from specific issuers

Side by Side Diff: net/cert/cert_verify_proc_whitelist_unittest.cc

Issue 1042973002: Implement the ability to whitelist certs from specific issuers (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: WIP Created 5 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/cert/cert_verify_proc_whitelist.h"

	6

	7 #include "base/memory/ref_counted.h"

	8 #include "net/base/test_data_directory.h"

	9 #include "net/cert/x509_certificate.h"

	10 #include "net/test/cert_test_util.h"

	11 #include "testing/gtest/include/gtest/gtest.h"

	12

	13 namespace net {

	14

	15 namespace {

	16

	17 HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {

	18 HashValue hash_value(tag);

	19 memset(hash_value.data(), label, hash_value.size());

	20 return hash_value;

	21 }

	22

	23 HashValueVector GetFakeHashValues() {

	24 HashValueVector public_key_hashes;

	25

	26 // Fake "root" hash

	27 public_key_hashes.push_back(GetTestHashValue(0x00, HASH_VALUE_SHA256));

	28 public_key_hashes.push_back(GetTestHashValue(0x01, HASH_VALUE_SHA1));

	29 // Fake "intermediate" hash

	30 public_key_hashes.push_back(GetTestHashValue(0x02, HASH_VALUE_SHA256));

	31 public_key_hashes.push_back(GetTestHashValue(0x03, HASH_VALUE_SHA1));

	32 // Fake "leaf" hash

	33 public_key_hashes.push_back(GetTestHashValue(0x04, HASH_VALUE_SHA256));

	34 public_key_hashes.push_back(GetTestHashValue(0x05, HASH_VALUE_SHA1));
	davidben 2015/03/31 02:02:13 It's a little confusing that this specifies a fake It's a little confusing that this specifies a fake leaf hash while the whitelist uses the real one. Ryan Sleevi 2015/03/31 18:33:52 It's a public key hash. The whitelist uses a cert Show quoted text On 2015/03/31 02:02:13, David Benjamin wrote: > It's a little confusing that this specifies a fake leaf hash while the whitelist > uses the real one. It's a public key hash. The whitelist uses a cert* hash.
	35

	36 return public_key_hashes;

	37 }

	38

	39 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByRoot) {

	40 scoped_refptr<X509Certificate> cert = ImportCertFromFile(

	41 GetTestCertsDirectory(), "ok_cert.pem");

	42 ASSERT_TRUE(cert);

	43

	44 const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {
	davidben 2015/03/31 02:02:13 uint8_t uint8_t
	45 { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,

	46 0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,

	47 0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,

	48 0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
	davidben 2015/03/31 02:02:13 [Verified this is the SHA-256 hash of ok_cert.pem' [Verified this is the SHA-256 hash of ok_cert.pem's DER form.] It does annoy me that the value's hardcoded in here. It may be worth a comment here just so that, when it comes time to update ok_cert.pem, you don't have to reread the test to figure out how you're meant to generate these. (I was going to suggest making this non-const and computing the hash during the test... I suppose the upside is it's clear what's going on. The downside is that you call the same leaf-hashing function that the real code uses. Maybe pull it up into a const uint8_t kOkCertWhitelist constant up top, so it's only there once?) Ryan Sleevi 2015/03/31 18:33:52 Fair enough. Show quoted text On 2015/03/31 02:02:13, David Benjamin wrote: > [Verified this is the SHA-256 hash of ok_cert.pem's DER form.] > > It does annoy me that the value's hardcoded in here. It may be worth a comment > here just so that, when it comes time to update ok_cert.pem, you don't have to > reread the test to figure out how you're meant to generate these. Fair enough. Show quoted text > (I was going to suggest making this non-const and computing the hash during the > test... I suppose the upside is it's clear what's going on. The downside is that > you call the same leaf-hashing function that the real code uses. Maybe pull it > up into a const uint8_t kOkCertWhitelist constant up top, so it's only there > once?) Even if non-const, because it's an array of array, you'd have to memcpy in. Unless you made it a pointer to a pointer, but then you lose the RO-data optimization.
	49 };

	50 const PublicKeyWhitelist kWhitelist[] = {

	51 { { 0x00 },

	52 kWhitelistCerts,

	53 arraysize(kWhitelistCerts) },

	54 };

	55

	56 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));

	57

	58 HashValueVector public_key_hashes = GetFakeHashValues();

	59

	60 // Should return false, indicating this cert is acceptable because of

	61 // it being whitelisted.

	62 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));

	63

	64 SetCertificateWhitelistForTesting(nullptr, 0);

	65 }

	66

	67 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByIntermediate) {
	davidben 2015/03/31 02:02:13 Probably also worth a RejectsNonWhitelistedEEByInt Probably also worth a RejectsNonWhitelistedEEByIntermediate. This doesn't distinguish between the cert being acceptable because it's whitelisted and the cert being acceptable because the root is ignored.
	68 scoped_refptr<X509Certificate> cert = ImportCertFromFile(

	69 GetTestCertsDirectory(), "ok_cert.pem");

	70 ASSERT_TRUE(cert);

	71

	72 const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {

	73 { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,

	74 0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,

	75 0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,

	76 0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },

	77 };

	78 const PublicKeyWhitelist kWhitelist[] = {

	79 { { 0x02 },

	80 kWhitelistCerts,

	81 arraysize(kWhitelistCerts) },

	82 };

	83

	84 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));

	85

	86 HashValueVector public_key_hashes = GetFakeHashValues();

	87

	88 // Should return false, indicating this cert is acceptable because of

	89 // it being whitelisted.

	90 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));

	91

	92 SetCertificateWhitelistForTesting(nullptr, 0);

	93 }

	94

	95 TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEE) {

	96 scoped_refptr<X509Certificate> cert = ImportCertFromFile(

	97 GetTestCertsDirectory(), "expired_cert.pem");

	98 ASSERT_TRUE(cert);

	99

	100 const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {

	101 { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,

	102 0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,

	103 0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,

	104 0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },

	105 };

	106 const PublicKeyWhitelist kWhitelist[] = {

	107 { { 0x00 },

	108 kWhitelistCerts,

	109 arraysize(kWhitelistCerts) },

	110 };

	111

	112 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));

	113

	114 HashValueVector public_key_hashes = GetFakeHashValues();

	115

	116 // Should return true, indicating this certificate chains to a constrained

	117 // root and is not whitelisted.

	118 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));

	119

	120 SetCertificateWhitelistForTesting(nullptr, 0);

	121 }

	122

	123 TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {

	124 scoped_refptr<X509Certificate> cert = ImportCertFromFile(

	125 GetTestCertsDirectory(), "ok_cert.pem");

	126 ASSERT_TRUE(cert);

	127

	128 const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {

	129 { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,

	130 0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,

	131 0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,

	132 0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },

	133 };

	134 const PublicKeyWhitelist kWhitelist[] = {

	135 { { 0x10 },

	136 kWhitelistCerts,

	137 arraysize(kWhitelistCerts) },

	138 };

	139

	140 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));

	141

	142 HashValueVector public_key_hashes = GetFakeHashValues();

	143

	144 // Should return false, because the chain (as indicated by

	145 // public_key_hashes) is not constrained.

	146 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));

	147

	148 SetCertificateWhitelistForTesting(nullptr, 0);

	149 }

	150

	151 } // namespace

	152

	153 } // namespace net

OLD	NEW

« net/cert/cert_verify_proc_whitelist.cc ('K') | « net/cert/cert_verify_proc_whitelist.cc ('k') | net/net.gypi » ('j') | no next file with comments »