| Index: net/cert/cert_verify_proc_whitelist_unittest.cc
|
| diff --git a/net/cert/cert_verify_proc_whitelist_unittest.cc b/net/cert/cert_verify_proc_whitelist_unittest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..e1206dcd9a2dfdcd792458fc0d6e16466bdd358b
|
| --- /dev/null
|
| +++ b/net/cert/cert_verify_proc_whitelist_unittest.cc
|
| @@ -0,0 +1,189 @@
|
| +// Copyright (c) 2015 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "net/cert/cert_verify_proc_whitelist.h"
|
| +
|
| +#include "base/memory/ref_counted.h"
|
| +#include "net/base/test_data_directory.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +#include "net/test/cert_test_util.h"
|
| +#include "testing/gtest/include/gtest/gtest.h"
|
| +
|
| +namespace net {
|
| +
|
| +namespace {
|
| +
|
| +HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {
|
| + HashValue hash_value(tag);
|
| + memset(hash_value.data(), label, hash_value.size());
|
| + return hash_value;
|
| +}
|
| +
|
| +HashValueVector GetFakeHashValues() {
|
| + HashValueVector public_key_hashes;
|
| +
|
| + // Fake "root" hash
|
| + public_key_hashes.push_back(GetTestHashValue(0x00, HASH_VALUE_SHA256));
|
| + public_key_hashes.push_back(GetTestHashValue(0x01, HASH_VALUE_SHA1));
|
| + // Fake "intermediate" hash
|
| + public_key_hashes.push_back(GetTestHashValue(0x02, HASH_VALUE_SHA256));
|
| + public_key_hashes.push_back(GetTestHashValue(0x03, HASH_VALUE_SHA1));
|
| + // Fake "leaf" hash
|
| + public_key_hashes.push_back(GetTestHashValue(0x04, HASH_VALUE_SHA256));
|
| + public_key_hashes.push_back(GetTestHashValue(0x05, HASH_VALUE_SHA1));
|
| +
|
| + return public_key_hashes;
|
| +}
|
| +
|
| +// The SHA-256 hash of the leaf cert "ok_cert.pem"; obtainable either
|
| +// via X509Certificate::CalculateFingerprint256 or
|
| +// openssl x509 -inform pem -in ok_cert.pem -outform der | openssl
|
| +// dgst -sha256 -c
|
| +const uint8_t kWhitelistCerts[][crypto::kSHA256Length] = {
|
| + /* clang-format off */
|
| + { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
|
| + 0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
|
| + 0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
|
| + 0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
|
| + /* clang-format on */
|
| +};
|
| +
|
| +TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByRoot) {
|
| + scoped_refptr<X509Certificate> cert =
|
| + ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
|
| + ASSERT_TRUE(cert);
|
| +
|
| + // clang-format off
|
| + const PublicKeyWhitelist kWhitelist[] = {
|
| + { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
|
| + kWhitelistCerts, arraysize(kWhitelistCerts)
|
| + },
|
| + };
|
| + // clang-format on
|
| +
|
| + SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
|
| +
|
| + HashValueVector public_key_hashes = GetFakeHashValues();
|
| +
|
| + // Should return false, indicating this cert is acceptable because of
|
| + // it being whitelisted.
|
| + EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
|
| +
|
| + SetCertificateWhitelistForTesting(nullptr, 0);
|
| +}
|
| +
|
| +TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByIntermediate) {
|
| + scoped_refptr<X509Certificate> cert =
|
| + ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
|
| + ASSERT_TRUE(cert);
|
| +
|
| + // clang-format off
|
| + const PublicKeyWhitelist kWhitelist[] = {
|
| + { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
|
| + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
|
| + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
|
| + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
|
| + kWhitelistCerts, arraysize(kWhitelistCerts)
|
| + },
|
| + };
|
| + // clang-format on
|
| +
|
| + SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
|
| +
|
| + HashValueVector public_key_hashes = GetFakeHashValues();
|
| +
|
| + // Should return false, indicating this cert is acceptable because of
|
| + // it being whitelisted.
|
| + EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
|
| +
|
| + SetCertificateWhitelistForTesting(nullptr, 0);
|
| +}
|
| +
|
| +TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEE) {
|
| + scoped_refptr<X509Certificate> cert =
|
| + ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
|
| + ASSERT_TRUE(cert);
|
| +
|
| + // clang-format off
|
| + const PublicKeyWhitelist kWhitelist[] = {
|
| + { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
|
| + kWhitelistCerts, arraysize(kWhitelistCerts)
|
| + },
|
| + };
|
| + // clang-format on
|
| +
|
| + SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
|
| +
|
| + HashValueVector public_key_hashes = GetFakeHashValues();
|
| +
|
| + // Should return true, indicating this certificate chains to a constrained
|
| + // root and is not whitelisted.
|
| + EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
|
| +
|
| + SetCertificateWhitelistForTesting(nullptr, 0);
|
| +}
|
| +
|
| +TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEEByIntermediate) {
|
| + scoped_refptr<X509Certificate> cert =
|
| + ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
|
| + ASSERT_TRUE(cert);
|
| +
|
| + // clang-format off
|
| + const PublicKeyWhitelist kWhitelist[] = {
|
| + { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
|
| + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
|
| + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
|
| + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
|
| + kWhitelistCerts, arraysize(kWhitelistCerts)
|
| + },
|
| + };
|
| + // clang-format on
|
| +
|
| + SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
|
| +
|
| + HashValueVector public_key_hashes = GetFakeHashValues();
|
| +
|
| + // Should return true, indicating this certificate chains to a constrained
|
| + // root and is not whitelisted.
|
| + EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
|
| +
|
| + SetCertificateWhitelistForTesting(nullptr, 0);
|
| +}
|
| +
|
| +TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {
|
| + scoped_refptr<X509Certificate> cert =
|
| + ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
|
| + ASSERT_TRUE(cert);
|
| +
|
| + // clang-format off
|
| + const PublicKeyWhitelist kWhitelist[] = {
|
| + { { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
|
| + 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
|
| + 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
|
| + 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 },
|
| + kWhitelistCerts, arraysize(kWhitelistCerts)
|
| + },
|
| + };
|
| + // clang-format on
|
| +
|
| + SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
|
| +
|
| + HashValueVector public_key_hashes = GetFakeHashValues();
|
| +
|
| + // Should return false, because the chain (as indicated by
|
| + // public_key_hashes) is not constrained.
|
| + EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
|
| +
|
| + SetCertificateWhitelistForTesting(nullptr, 0);
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +} // namespace net
|
|
|
Chromium Code Reviews
Issue 1042973002:
Implement the ability to whitelist certs from specific issuers (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master