| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/memory/scoped_ptr.h" | 5 #include "base/memory/scoped_ptr.h" |
| 6 #include "crypto/ec_private_key.h" | 6 #include "crypto/ec_private_key.h" |
| 7 #include "crypto/openssl_util.h" | 7 #include "crypto/openssl_util.h" |
| 8 #include "crypto/scoped_openssl_types.h" | 8 #include "crypto/scoped_openssl_types.h" |
| 9 #include "net/cert/x509_util.h" | 9 #include "net/cert/x509_util.h" |
| 10 #include "net/cert/x509_util_openssl.h" | 10 #include "net/cert/x509_util_openssl.h" |
| 11 #include "net/ssl/scoped_openssl_types.h" | 11 #include "net/ssl/scoped_openssl_types.h" |
| 12 #include "testing/gtest/include/gtest/gtest.h" | 12 #include "testing/gtest/include/gtest/gtest.h" |
| 13 | 13 |
| 14 namespace net { | 14 namespace net { |
| 15 | 15 |
| 16 namespace { | |
| 17 | |
| 18 // Verify that a given certificate was signed with the private key corresponding | |
| 19 // to a given public key. | |
| 20 // |der_cert| is the DER-encoded X.509 certificate. | |
| 21 // |der_spki| is the DER-encoded public key of the signer. | |
| 22 void VerifyCertificateSignature(const std::string& der_cert, | |
| 23 const std::vector<uint8>& der_spki) { | |
| 24 const unsigned char* cert_data = | |
| 25 reinterpret_cast<const unsigned char*>(der_cert.data()); | |
| 26 int cert_data_len = static_cast<int>(der_cert.size()); | |
| 27 ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); | |
| 28 ASSERT_TRUE(cert.get()); | |
| 29 | |
| 30 // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier | |
| 31 // but there is no OpenSSL API to extract it from an X509 object (!?) | |
| 32 // Use X509_verify() directly instead, which takes an EVP_PKEY. | |
| 33 const unsigned char* pub_key_data = &der_spki.front(); | |
| 34 int pub_key_len = static_cast<int>(der_spki.size()); | |
| 35 crypto::ScopedEVP_PKEY pub_key(d2i_PUBKEY(NULL, &pub_key_data, pub_key_len)); | |
| 36 ASSERT_TRUE(pub_key.get()); | |
| 37 | |
| 38 // NOTE: X509_verify() returns 1 in case of succes, 0 or -1 on error. | |
| 39 EXPECT_EQ(1, X509_verify(cert.get(), pub_key.get())); | |
| 40 } | |
| 41 | |
| 42 // Verify the attributes of a domain-bound certificate. | |
| 43 // |domain| is the bound domain name. | |
| 44 // |der_cert| is the DER-encoded X.509 certificate. | |
| 45 void VerifyChannelID(const std::string& domain, | |
| 46 const std::string& der_cert) { | |
| 47 // Origin Bound Cert OID. | |
| 48 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; | |
| 49 crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free> oid_obj( | |
| 50 OBJ_txt2obj(oid_string, 0)); | |
| 51 ASSERT_TRUE(oid_obj.get()); | |
| 52 | |
| 53 const unsigned char* cert_data = | |
| 54 reinterpret_cast<const unsigned char*>(der_cert.data()); | |
| 55 int cert_data_len = static_cast<int>(der_cert.size()); | |
| 56 ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); | |
| 57 ASSERT_TRUE(cert.get()); | |
| 58 | |
| 59 // Find the extension. | |
| 60 int ext_pos = X509_get_ext_by_OBJ(cert.get(), oid_obj.get(), -1); | |
| 61 ASSERT_NE(-1, ext_pos); | |
| 62 X509_EXTENSION* ext = X509_get_ext(cert.get(), ext_pos); | |
| 63 ASSERT_TRUE(ext); | |
| 64 | |
| 65 // Check its value, it must be an ASN.1 IA5STRING | |
| 66 // Which means <tag> <length> <domain>, with: | |
| 67 // <tag> == 22 | |
| 68 // <length> is the domain length, a single byte for short forms. | |
| 69 // <domain> are the domain characters. | |
| 70 // See http://en.wikipedia.org/wiki/X.690 | |
| 71 ASN1_STRING* value_asn1 = X509_EXTENSION_get_data(ext); | |
| 72 ASSERT_TRUE(value_asn1); | |
| 73 std::string value_str(reinterpret_cast<const char*>(value_asn1->data), | |
| 74 value_asn1->length); | |
| 75 | |
| 76 // Check that the domain size is small enough for short form. | |
| 77 ASSERT_LE(domain.size(), 127U) << "Domain is too long!"; | |
| 78 std::string value_expected; | |
| 79 value_expected.resize(2); | |
| 80 value_expected[0] = 22; | |
| 81 value_expected[1] = static_cast<char>(domain.size()); | |
| 82 value_expected += domain; | |
| 83 | |
| 84 EXPECT_EQ(value_expected, value_str); | |
| 85 } | |
| 86 | |
| 87 } // namespace | |
| 88 | |
| 89 TEST(X509UtilOpenSSLTest, IsSupportedValidityRange) { | 16 TEST(X509UtilOpenSSLTest, IsSupportedValidityRange) { |
| 90 base::Time now = base::Time::Now(); | 17 base::Time now = base::Time::Now(); |
| 91 EXPECT_TRUE(x509_util::IsSupportedValidityRange(now, now)); | 18 EXPECT_TRUE(x509_util::IsSupportedValidityRange(now, now)); |
| 92 EXPECT_FALSE(x509_util::IsSupportedValidityRange( | 19 EXPECT_FALSE(x509_util::IsSupportedValidityRange( |
| 93 now, now - base::TimeDelta::FromSeconds(1))); | 20 now, now - base::TimeDelta::FromSeconds(1))); |
| 94 | 21 |
| 95 // See x509_util_openssl.cc to see how these were computed. | 22 // See x509_util_openssl.cc to see how these were computed. |
| 96 const int64 kDaysFromYear0001ToUnixEpoch = 719162; | 23 const int64 kDaysFromYear0001ToUnixEpoch = 719162; |
| 97 const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1; | 24 const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1; |
| 98 | 25 |
| 99 // When computing too_old / too_late, add one day to account for | 26 // When computing too_old / too_late, add one day to account for |
| 100 // possible leap seconds. | 27 // possible leap seconds. |
| 101 base::Time too_old = base::Time::UnixEpoch() - | 28 base::Time too_old = base::Time::UnixEpoch() - |
| 102 base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch + 1); | 29 base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch + 1); |
| 103 | 30 |
| 104 base::Time too_late = base::Time::UnixEpoch() + | 31 base::Time too_late = base::Time::UnixEpoch() + |
| 105 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000 + 1); | 32 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000 + 1); |
| 106 | 33 |
| 107 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, too_old)); | 34 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, too_old)); |
| 108 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, now)); | 35 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, now)); |
| 109 | 36 |
| 110 EXPECT_FALSE(x509_util::IsSupportedValidityRange(now, too_late)); | 37 EXPECT_FALSE(x509_util::IsSupportedValidityRange(now, too_late)); |
| 111 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_late, too_late)); | 38 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_late, too_late)); |
| 112 } | 39 } |
| 113 | 40 |
| 114 TEST(X509UtilOpenSSLTest, CreateChannelIDEC) { | |
| 115 // Create a sample ASCII weborigin. | |
| 116 std::string domain = "weborigin.com"; | |
| 117 base::Time now = base::Time::Now(); | |
| 118 | |
| 119 scoped_ptr<crypto::ECPrivateKey> private_key( | |
| 120 crypto::ECPrivateKey::Create()); | |
| 121 std::string der_cert; | |
| 122 ASSERT_TRUE( | |
| 123 x509_util::CreateChannelIDEC(private_key.get(), | |
| 124 x509_util::DIGEST_SHA1, | |
| 125 domain, | |
| 126 1, | |
| 127 now, | |
| 128 now + base::TimeDelta::FromDays(1), | |
| 129 &der_cert)); | |
| 130 | |
| 131 VerifyChannelID(domain, der_cert); | |
| 132 | |
| 133 // signature_verifier_win and signature_verifier_mac can't handle EC certs. | |
| 134 std::vector<uint8> spki; | |
| 135 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); | |
| 136 VerifyCertificateSignature(der_cert, spki); | |
| 137 } | |
| 138 | |
| 139 } // namespace net | 41 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1076063002:
Remove certificates from Channel ID (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master