Implement the ability to whitelist certs from specific issuers

net/cert/cert_verify_proc_whitelist_unittest.cc

Index: net/cert/cert_verify_proc_whitelist_unittest.cc
diff --git a/net/cert/cert_verify_proc_whitelist_unittest.cc b/net/cert/cert_verify_proc_whitelist_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..168ad21ffee150f8ee8323f1e1fe51dd00effc60
--- /dev/null
+++ b/net/cert/cert_verify_proc_whitelist_unittest.cc
@@ -0,0 +1,153 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_verify_proc_whitelist.h"
+
+#include "base/memory/ref_counted.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+
+HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {
+  HashValue hash_value(tag);
+  memset(hash_value.data(), label, hash_value.size());
+  return hash_value;
+}
+
+HashValueVector GetFakeHashValues() {
+  HashValueVector public_key_hashes;
+
+  // Fake "root" hash
+  public_key_hashes.push_back(GetTestHashValue(0x00, HASH_VALUE_SHA256));
+  public_key_hashes.push_back(GetTestHashValue(0x01, HASH_VALUE_SHA1));
+  // Fake "intermediate" hash
+  public_key_hashes.push_back(GetTestHashValue(0x02, HASH_VALUE_SHA256));
+  public_key_hashes.push_back(GetTestHashValue(0x03, HASH_VALUE_SHA1));
+  // Fake "leaf" hash
+  public_key_hashes.push_back(GetTestHashValue(0x04, HASH_VALUE_SHA256));
+  public_key_hashes.push_back(GetTestHashValue(0x05, HASH_VALUE_SHA1));

[davidben, 2015/03/31 02:02:13]

It's a little confusing that this specifies a fake leaf hash while the whitelist
uses the real one.

[Ryan Sleevi, 2015/03/31 18:33:52]

It's a public key hash. The whitelist uses a *cert* hash.

+
+  return public_key_hashes;
+}
+
+TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByRoot) {
+  scoped_refptr<X509Certificate> cert = ImportCertFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert);
+
+  const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {

[davidben, 2015/03/31 02:02:13]

uint8_t

+    { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
+      0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
+      0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
+      0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },

[davidben, 2015/03/31 02:02:13]

[Verified this is the SHA-256 hash of ok_cert.pem's DER form.]

It does annoy me that the value's hardcoded in here. It may be worth a comment
here just so that, when it comes time to update ok_cert.pem, you don't have to
reread the test to figure out how you're meant to generate these.

(I was going to suggest making this non-const and computing the hash during the
test... I suppose the upside is it's clear what's going on. The downside is that
you call the same leaf-hashing function that the real code uses. Maybe pull it
up into a const uint8_t kOkCertWhitelist constant up top, so it's only there
once?)

[Ryan Sleevi, 2015/03/31 18:33:52]

Fair enough.
Even if non-const, because it's an array of array, you'd have to memcpy in.
Unless you made it a pointer to a pointer, but then you lose the RO-data
optimization.

+  };
+  const PublicKeyWhitelist kWhitelist[] = {
+    { { 0x00 },
+      kWhitelistCerts,
+      arraysize(kWhitelistCerts) },
+  };
+
+  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
+
+  HashValueVector public_key_hashes = GetFakeHashValues();
+
+  // Should return false, indicating this cert is acceptable because of
+  // it being whitelisted.
+  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+
+  SetCertificateWhitelistForTesting(nullptr, 0);
+}
+
+TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByIntermediate) {

[davidben, 2015/03/31 02:02:13]

Probably also worth a RejectsNonWhitelistedEEByIntermediate. This doesn't
distinguish between the cert being acceptable because it's whitelisted and the
cert being acceptable because the root is ignored.

+  scoped_refptr<X509Certificate> cert = ImportCertFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert);
+
+  const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {
+    { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
+      0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
+      0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
+      0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
+  };
+  const PublicKeyWhitelist kWhitelist[] = {
+    { { 0x02 },
+      kWhitelistCerts,
+      arraysize(kWhitelistCerts) },
+  };
+
+  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
+
+  HashValueVector public_key_hashes = GetFakeHashValues();
+
+  // Should return false, indicating this cert is acceptable because of
+  // it being whitelisted.
+  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+  
+  SetCertificateWhitelistForTesting(nullptr, 0);
+}
+
+TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEE) {
+  scoped_refptr<X509Certificate> cert = ImportCertFromFile(
+      GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert);
+
+  const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {
+    { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
+      0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
+      0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
+      0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
+  };
+  const PublicKeyWhitelist kWhitelist[] = {
+    { { 0x00 },
+      kWhitelistCerts,
+      arraysize(kWhitelistCerts) },
+  };
+
+  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
+
+  HashValueVector public_key_hashes = GetFakeHashValues();
+
+  // Should return true, indicating this certificate chains to a constrained
+  // root and is not whitelisted.
+  EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+
+  SetCertificateWhitelistForTesting(nullptr, 0);
+}
+
+TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {
+  scoped_refptr<X509Certificate> cert = ImportCertFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert);
+
+  const uint8 kWhitelistCerts[][crypto::kSHA256Length] = {
+    { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
+      0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
+      0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
+      0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
+  };
+  const PublicKeyWhitelist kWhitelist[] = {
+    { { 0x10 },
+      kWhitelistCerts,
+      arraysize(kWhitelistCerts) },
+  };
+
+  SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
+
+  HashValueVector public_key_hashes = GetFakeHashValues();
+
+  // Should return false, because the chain (as indicated by
+  // public_key_hashes) is not constrained.
+  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+
+  SetCertificateWhitelistForTesting(nullptr, 0);
+}
+
+}  // namespace
+
+}  // namespace net