Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 22 #include "net/cert/test_root_certs.h" | 22 #include "net/cert/test_root_certs.h" |
| 23 #include "net/cert/x509_certificate.h" | 23 #include "net/cert/x509_certificate.h" |
| 24 #include "net/test/cert_test_util.h" | 24 #include "net/test/cert_test_util.h" |
| 25 #include "net/test/test_certificate_data.h" | 25 #include "net/test/test_certificate_data.h" |
| 26 #include "testing/gtest/include/gtest/gtest.h" | 26 #include "testing/gtest/include/gtest/gtest.h" |
| 27 | 27 |
| 28 #if defined(OS_WIN) | 28 #if defined(OS_WIN) |
| 29 #include "base/win/windows_version.h" | 29 #include "base/win/windows_version.h" |
| 30 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 30 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 31 #include "base/mac/mac_util.h" | 31 #include "base/mac/mac_util.h" |
| 32 #elif defined(OS_ANDROID) | |
| 33 #include "base/android/build_info.h" | |
| 32 #endif | 34 #endif |
| 33 | 35 |
| 34 using base::HexEncode; | 36 using base::HexEncode; |
| 35 | 37 |
| 36 namespace net { | 38 namespace net { |
| 37 | 39 |
| 38 namespace { | 40 namespace { |
| 39 | 41 |
| 40 // A certificate for www.paypal.com with a NULL byte in the common name. | 42 // A certificate for www.paypal.com with a NULL byte in the common name. |
| 41 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 | 43 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 |
| (...skipping 568 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 610 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 612 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug |
| 611 // against agl. See also PublicKeyHashes. | 613 // against agl. See also PublicKeyHashes. |
| 612 int error = Verify(cert_chain.get(), | 614 int error = Verify(cert_chain.get(), |
| 613 "satveda.com", | 615 "satveda.com", |
| 614 flags, | 616 flags, |
| 615 NULL, | 617 NULL, |
| 616 empty_cert_list_, | 618 empty_cert_list_, |
| 617 &verify_result); | 619 &verify_result); |
| 618 EXPECT_EQ(OK, error); | 620 EXPECT_EQ(OK, error); |
| 619 EXPECT_EQ(0U, verify_result.cert_status); | 621 EXPECT_EQ(0U, verify_result.cert_status); |
| 622 #if defined(OS_ANDROID) | |
| 623 // Before API level 17, Android does not populate is_issued_by_known_root | |
| 624 // correctly. | |
| 625 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) | |
| 626 return; | |
| 627 #endif | |
|
Ryan Sleevi
2013/12/19 00:06:59
Can you move each of these conditionals into a com
davidben
2013/12/19 00:42:52
Done.
| |
| 620 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 628 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
| 621 } | 629 } |
| 622 | 630 |
| 623 // The certse.pem certificate has been revoked. crbug.com/259723. | 631 // The certse.pem certificate has been revoked. crbug.com/259723. |
| 624 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 632 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
| 633 #if defined(OS_ANDROID) | |
| 634 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) { | |
| 635 LOG(INFO) << "This test can't run on Android < 4.2"; | |
| 636 return; | |
| 637 } | |
| 638 #endif | |
| 639 | |
| 625 base::FilePath certs_dir = GetTestCertsDirectory(); | 640 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 626 CertificateList certs = CreateCertificateListFromFile( | 641 CertificateList certs = CreateCertificateListFromFile( |
| 627 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 642 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); |
| 628 ASSERT_EQ(2U, certs.size()); | 643 ASSERT_EQ(2U, certs.size()); |
| 629 | 644 |
| 630 X509Certificate::OSCertHandles intermediates; | 645 X509Certificate::OSCertHandles intermediates; |
| 631 intermediates.push_back(certs[1]->os_cert_handle()); | 646 intermediates.push_back(certs[1]->os_cert_handle()); |
| 632 | 647 |
| 633 scoped_refptr<X509Certificate> cert_chain = | 648 scoped_refptr<X509Certificate> cert_chain = |
| 634 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 649 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| (...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 710 #endif | 725 #endif |
| 711 } | 726 } |
| 712 | 727 |
| 713 // Basic test for returning the chain in CertVerifyResult. Note that the | 728 // Basic test for returning the chain in CertVerifyResult. Note that the |
| 714 // returned chain may just be a reflection of the originally supplied chain; | 729 // returned chain may just be a reflection of the originally supplied chain; |
| 715 // that is, if any errors occur, the default chain returned is an exact copy | 730 // that is, if any errors occur, the default chain returned is an exact copy |
| 716 // of the certificate to be verified. The remaining VerifyReturn* tests are | 731 // of the certificate to be verified. The remaining VerifyReturn* tests are |
| 717 // used to ensure that the actual, verified chain is being returned by | 732 // used to ensure that the actual, verified chain is being returned by |
| 718 // Verify(). | 733 // Verify(). |
| 719 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) { | 734 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) { |
| 735 #if defined(OS_ANDROID) | |
| 736 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) { | |
| 737 LOG(INFO) << "This test can't run on Android < 4.2"; | |
| 738 return; | |
| 739 } | |
| 740 #endif | |
| 741 | |
| 720 base::FilePath certs_dir = GetTestCertsDirectory(); | 742 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 721 CertificateList certs = CreateCertificateListFromFile( | 743 CertificateList certs = CreateCertificateListFromFile( |
| 722 certs_dir, "x509_verify_results.chain.pem", | 744 certs_dir, "x509_verify_results.chain.pem", |
| 723 X509Certificate::FORMAT_AUTO); | 745 X509Certificate::FORMAT_AUTO); |
| 724 ASSERT_EQ(3U, certs.size()); | 746 ASSERT_EQ(3U, certs.size()); |
| 725 | 747 |
| 726 X509Certificate::OSCertHandles intermediates; | 748 X509Certificate::OSCertHandles intermediates; |
| 727 intermediates.push_back(certs[1]->os_cert_handle()); | 749 intermediates.push_back(certs[1]->os_cert_handle()); |
| 728 intermediates.push_back(certs[2]->os_cert_handle()); | 750 intermediates.push_back(certs[2]->os_cert_handle()); |
| 729 | 751 |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 752 verify_result.verified_cert->os_cert_handle())); | 774 verify_result.verified_cert->os_cert_handle())); |
| 753 const X509Certificate::OSCertHandles& return_intermediates = | 775 const X509Certificate::OSCertHandles& return_intermediates = |
| 754 verify_result.verified_cert->GetIntermediateCertificates(); | 776 verify_result.verified_cert->GetIntermediateCertificates(); |
| 755 ASSERT_EQ(2U, return_intermediates.size()); | 777 ASSERT_EQ(2U, return_intermediates.size()); |
| 756 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], | 778 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 757 certs[1]->os_cert_handle())); | 779 certs[1]->os_cert_handle())); |
| 758 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], | 780 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 759 certs[2]->os_cert_handle())); | 781 certs[2]->os_cert_handle())); |
| 760 } | 782 } |
| 761 | 783 |
| 762 #if defined(OS_ANDROID) | |
| 763 // TODO(ppi): Disabled because is_issued_by_known_root is incorrect on Android. | |
| 764 // Once this is fixed, re-enable this check for android. crbug.com/116838 | |
| 765 #define MAYBE_IntranetHostsRejected DISABLED_IntranetHostsRejected | |
| 766 #else | |
| 767 #define MAYBE_IntranetHostsRejected IntranetHostsRejected | |
| 768 #endif | |
| 769 | |
| 770 // Test that certificates issued for 'intranet' names (that is, containing no | 784 // Test that certificates issued for 'intranet' names (that is, containing no |
| 771 // known public registry controlled domain information) issued by well-known | 785 // known public registry controlled domain information) issued by well-known |
| 772 // CAs are flagged appropriately, while certificates that are issued by | 786 // CAs are flagged appropriately, while certificates that are issued by |
| 773 // internal CAs are not flagged. | 787 // internal CAs are not flagged. |
| 774 TEST_F(CertVerifyProcTest, MAYBE_IntranetHostsRejected) { | 788 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { |
| 775 CertificateList cert_list = CreateCertificateListFromFile( | 789 CertificateList cert_list = CreateCertificateListFromFile( |
| 776 GetTestCertsDirectory(), "ok_cert.pem", | 790 GetTestCertsDirectory(), "ok_cert.pem", |
| 777 X509Certificate::FORMAT_AUTO); | 791 X509Certificate::FORMAT_AUTO); |
| 778 ASSERT_EQ(1U, cert_list.size()); | 792 ASSERT_EQ(1U, cert_list.size()); |
| 779 scoped_refptr<X509Certificate> cert(cert_list[0]); | 793 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 780 | 794 |
| 781 CertVerifyResult verify_result; | 795 CertVerifyResult verify_result; |
| 782 int error = 0; | 796 int error = 0; |
| 783 | 797 |
| 784 // Intranet names for public CAs should be flagged: | 798 // Intranet names for public CAs should be flagged: |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 795 EXPECT_EQ(OK, error); | 809 EXPECT_EQ(OK, error); |
| 796 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 810 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 797 } | 811 } |
| 798 | 812 |
| 799 // Test that the certificate returned in CertVerifyResult is able to reorder | 813 // Test that the certificate returned in CertVerifyResult is able to reorder |
| 800 // certificates that are not ordered from end-entity to root. While this is | 814 // certificates that are not ordered from end-entity to root. While this is |
| 801 // a protocol violation if sent during a TLS handshake, if multiple sources | 815 // a protocol violation if sent during a TLS handshake, if multiple sources |
| 802 // of intermediate certificates are combined, it's possible that order may | 816 // of intermediate certificates are combined, it's possible that order may |
| 803 // not be maintained. | 817 // not be maintained. |
| 804 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { | 818 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { |
| 819 #if defined(OS_ANDROID) | |
| 820 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) { | |
| 821 LOG(INFO) << "This test can't run on Android < 4.2"; | |
| 822 return; | |
| 823 } | |
| 824 #endif | |
| 825 | |
| 805 base::FilePath certs_dir = GetTestCertsDirectory(); | 826 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 806 CertificateList certs = CreateCertificateListFromFile( | 827 CertificateList certs = CreateCertificateListFromFile( |
| 807 certs_dir, "x509_verify_results.chain.pem", | 828 certs_dir, "x509_verify_results.chain.pem", |
| 808 X509Certificate::FORMAT_AUTO); | 829 X509Certificate::FORMAT_AUTO); |
| 809 ASSERT_EQ(3U, certs.size()); | 830 ASSERT_EQ(3U, certs.size()); |
| 810 | 831 |
| 811 // Construct the chain out of order. | 832 // Construct the chain out of order. |
| 812 X509Certificate::OSCertHandles intermediates; | 833 X509Certificate::OSCertHandles intermediates; |
| 813 intermediates.push_back(certs[2]->os_cert_handle()); | 834 intermediates.push_back(certs[2]->os_cert_handle()); |
| 814 intermediates.push_back(certs[1]->os_cert_handle()); | 835 intermediates.push_back(certs[1]->os_cert_handle()); |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 841 ASSERT_EQ(2U, return_intermediates.size()); | 862 ASSERT_EQ(2U, return_intermediates.size()); |
| 842 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], | 863 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 843 certs[1]->os_cert_handle())); | 864 certs[1]->os_cert_handle())); |
| 844 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], | 865 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 845 certs[2]->os_cert_handle())); | 866 certs[2]->os_cert_handle())); |
| 846 } | 867 } |
| 847 | 868 |
| 848 // Test that Verify() filters out certificates which are not related to | 869 // Test that Verify() filters out certificates which are not related to |
| 849 // or part of the certificate chain being verified. | 870 // or part of the certificate chain being verified. |
| 850 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { | 871 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { |
| 872 #if defined(OS_ANDROID) | |
| 873 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) { | |
| 874 LOG(INFO) << "This test can't run on Android < 4.2"; | |
| 875 return; | |
| 876 } | |
| 877 #endif | |
| 878 | |
| 851 base::FilePath certs_dir = GetTestCertsDirectory(); | 879 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 852 CertificateList certs = CreateCertificateListFromFile( | 880 CertificateList certs = CreateCertificateListFromFile( |
| 853 certs_dir, "x509_verify_results.chain.pem", | 881 certs_dir, "x509_verify_results.chain.pem", |
| 854 X509Certificate::FORMAT_AUTO); | 882 X509Certificate::FORMAT_AUTO); |
| 855 ASSERT_EQ(3U, certs.size()); | 883 ASSERT_EQ(3U, certs.size()); |
| 856 ScopedTestRoot scoped_root(certs[2].get()); | 884 ScopedTestRoot scoped_root(certs[2].get()); |
| 857 | 885 |
| 858 scoped_refptr<X509Certificate> unrelated_certificate = | 886 scoped_refptr<X509Certificate> unrelated_certificate = |
| 859 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem"); | 887 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem"); |
| 860 scoped_refptr<X509Certificate> unrelated_certificate2 = | 888 scoped_refptr<X509Certificate> unrelated_certificate2 = |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 939 | 967 |
| 940 // Clearing the |trust_anchors| makes verification fail again (the cache | 968 // Clearing the |trust_anchors| makes verification fail again (the cache |
| 941 // should be skipped). | 969 // should be skipped). |
| 942 error = Verify( | 970 error = Verify( |
| 943 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); | 971 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
| 944 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 972 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 945 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 973 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 946 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 974 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
| 947 } | 975 } |
| 948 | 976 |
| 977 TEST_F(CertVerifyProcTest, NonStandardRoot) { | |
|
Ryan Sleevi
2013/12/19 00:06:59
s/NonStandardRoot/IsIssuedByKnownRootIgnoresTestRo
davidben
2013/12/19 00:42:52
Done.
| |
| 978 // Load root_ca_cert.pem into the test root store. | |
| 979 TestRootCerts* root_certs = TestRootCerts::GetInstance(); | |
| 980 root_certs->AddFromFile( | |
| 981 GetTestCertsDirectory().AppendASCII("root_ca_cert.pem")); | |
| 982 | |
| 983 CertificateList cert_list = CreateCertificateListFromFile( | |
| 984 GetTestCertsDirectory(), "ok_cert.pem", | |
| 985 X509Certificate::FORMAT_AUTO); | |
| 986 ASSERT_EQ(1U, cert_list.size()); | |
| 987 scoped_refptr<X509Certificate> cert(cert_list[0]); | |
| 988 | |
| 989 // Verification should pass. | |
| 990 int flags = 0; | |
| 991 CertVerifyResult verify_result; | |
| 992 int error = Verify( | |
| 993 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); | |
| 994 EXPECT_EQ(OK, error); | |
| 995 EXPECT_EQ(0U, verify_result.cert_status); | |
| 996 // But should not be marked as a known root. | |
| 997 EXPECT_FALSE(verify_result.is_issued_by_known_root); | |
| 998 } | |
| 999 | |
| 949 #if defined(OS_MACOSX) && !defined(OS_IOS) | 1000 #if defined(OS_MACOSX) && !defined(OS_IOS) |
| 950 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust | 1001 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust |
| 951 // Root can be successfully worked around once Apple completes removing the | 1002 // Root can be successfully worked around once Apple completes removing the |
| 952 // older GTE CyberTrust Root from its trusted root store. | 1003 // older GTE CyberTrust Root from its trusted root store. |
| 953 // | 1004 // |
| 954 // The issue is caused by servers supplying the cross-certified intermediate | 1005 // The issue is caused by servers supplying the cross-certified intermediate |
| 955 // (necessary for certain mobile platforms), which OS X does not recognize | 1006 // (necessary for certain mobile platforms), which OS X does not recognize |
| 956 // as already existing within its trust store. | 1007 // as already existing within its trust store. |
| 957 TEST_F(CertVerifyProcTest, CybertrustGTERoot) { | 1008 TEST_F(CertVerifyProcTest, CybertrustGTERoot) { |
| 958 CertificateList certs = CreateCertificateListFromFile( | 1009 CertificateList certs = CreateCertificateListFromFile( |
| (...skipping 565 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1524 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1575 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1525 } | 1576 } |
| 1526 } | 1577 } |
| 1527 | 1578 |
| 1528 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1579 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1529 VerifyName, | 1580 VerifyName, |
| 1530 CertVerifyProcNameTest, | 1581 CertVerifyProcNameTest, |
| 1531 testing::ValuesIn(kVerifyNameData)); | 1582 testing::ValuesIn(kVerifyNameData)); |
| 1532 | 1583 |
| 1533 } // namespace net | 1584 } // namespace net |
| OLD | NEW |