Export verified_cert and public_key_hashes on Android.

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
@@ skipping 11 matching lines @@
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
 #include "base/mac/mac_util.h"
+#elif defined(OS_ANDROID)
+#include "base/android/build_info.h"
 #endif
 
 using base::HexEncode;
 
 namespace net {
 
 namespace {
 
 // A certificate for www.paypal.com with a NULL byte in the common name.
 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
@@ skipping 34 matching lines @@
     X509Certificate* cert,
     const std::string& hostname,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CertVerifyResult* verify_result) {
   verify_result->is_issued_by_known_root = is_well_known_;
   return OK;
 }
 
+bool SupportsReturningVerifiedChain() {
+#if defined(OS_ANDROID)
+  // Before API level 17, Android does not expose the APIs necessary to get at
+  // the verified certificate chain.
+  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
+    return false;
+#endif
+  return true;
+}
+
+bool SupportsDetectingKnownRoots() {
+#if defined(OS_ANDROID)
+  // Before API level 17, Android does not expose the APIs necessary to get at
+  // the verified certificate chain and detect known roots.
+  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
+    return false;
+#endif
+  return true;
+}
+
 }  // namespace
 
 class CertVerifyProcTest : public testing::Test {
  public:
   CertVerifyProcTest()
       : verify_proc_(CertVerifyProc::CreateDefault()) {
   }
   virtual ~CertVerifyProcTest() {}
 
  protected:
@@ skipping 295 matching lines @@
     }
   }
 }
 
 // Regression test for http://crbug.com/108514.
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Disabled on OS X - Security.framework doesn't ignore superflous certificates
 // provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
 // details.
 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
-#elif defined(USE_OPENSSL) || defined(OS_ANDROID)
-// Disabled for OpenSSL / Android - Android and OpenSSL do not attempt to find
-// a minimal certificate chain, thus prefer the MD5 root over the SHA-1 root.
-#define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
 #else
 #define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
 #endif
 TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
+  if (!SupportsReturningVerifiedChain()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
 
   scoped_refptr<X509Certificate> extra_cert =
       ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
 
@@ skipping 128 matching lines @@
   int error = Verify(leaf.get(),
                      "test.example.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
-#if defined(OS_ANDROID)
-// Disabled because Android isn't filling in SPKI hashes: crbug.com/116838.
-#define MAYBE_NameConstraintsFailure DISABLED_NameConstraintsFailure
-#else
-#define MAYBE_NameConstraintsFailure NameConstraintsFailure
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_NameConstraintsFailure) {
+TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
+  if (!SupportsReturningVerifiedChain()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0]);
 
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "name_constraint_bad.crt",
       X509Certificate::FORMAT_AUTO);
@@ skipping 10 matching lines @@
                      "test.example.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error);
   EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
             verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
 }
 
-// The certse.pem certificate has been revoked. crbug.com/259723.
 TEST_F(CertVerifyProcTest, TestKnownRoot) {
+  if (!SupportsDetectingKnownRoots()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(2U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
   // against agl. See also PublicKeyHashes.
   int error = Verify(cert_chain.get(),
                      "satveda.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
   EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
 
 // The certse.pem certificate has been revoked. crbug.com/259723.
 TEST_F(CertVerifyProcTest, PublicKeyHashes) {
+  if (!SupportsReturningVerifiedChain()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(2U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
@@ skipping 75 matching lines @@
 #endif
 }
 
 // Basic test for returning the chain in CertVerifyResult. Note that the
 // returned chain may just be a reflection of the originally supplied chain;
 // that is, if any errors occur, the default chain returned is an exact copy
 // of the certificate to be verified. The remaining VerifyReturn* tests are
 // used to ensure that the actual, verified chain is being returned by
 // Verify().
 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
+  if (!SupportsReturningVerifiedChain()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
   intermediates.push_back(certs[2]->os_cert_handle());
 
@@ skipping 22 matching lines @@
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 }
 
-#if defined(OS_ANDROID)
-// TODO(ppi): Disabled because is_issued_by_known_root is incorrect on Android.
-// Once this is fixed, re-enable this check for android. crbug.com/116838
-#define MAYBE_IntranetHostsRejected DISABLED_IntranetHostsRejected
-#else
-#define MAYBE_IntranetHostsRejected IntranetHostsRejected
-#endif
-
 // Test that certificates issued for 'intranet' names (that is, containing no
 // known public registry controlled domain information) issued by well-known
 // CAs are flagged appropriately, while certificates that are issued by
 // internal CAs are not flagged.
-TEST_F(CertVerifyProcTest, MAYBE_IntranetHostsRejected) {
+TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
+  if (!SupportsDetectingKnownRoots()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "ok_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
 
   CertVerifyResult verify_result;
   int error = 0;
 
   // Intranet names for public CAs should be flagged:
@@ skipping 10 matching lines @@
   EXPECT_EQ(OK, error);
   EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
 }
 
 // Test that the certificate returned in CertVerifyResult is able to reorder
 // certificates that are not ordered from end-entity to root. While this is
 // a protocol violation if sent during a TLS handshake, if multiple sources
 // of intermediate certificates are combined, it's possible that order may
 // not be maintained.
 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
+  if (!SupportsReturningVerifiedChain()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   // Construct the chain out of order.
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[2]->os_cert_handle());
   intermediates.push_back(certs[1]->os_cert_handle());
@@ skipping 26 matching lines @@
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 }
 
 // Test that Verify() filters out certificates which are not related to
 // or part of the certificate chain being verified.
 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
+  if (!SupportsReturningVerifiedChain()) {
+    LOG(INFO) << "Skipping this test in this platform.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
   ScopedTestRoot scoped_root(certs[2].get());
 
   scoped_refptr<X509Certificate> unrelated_certificate =
       ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
   scoped_refptr<X509Certificate> unrelated_certificate2 =
@@ skipping 78 matching lines @@
 
   // Clearing the |trust_anchors| makes verification fail again (the cache
   // should be skipped).
   error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
   EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
 }
 
+// Tests that certificates issued by user-supplied roots are not flagged as
+// issued by a known root. This should pass whether or not the platform supports
+// detecting known roots.
+TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
+  // Load root_ca_cert.pem into the test root store.
+  TestRootCerts* root_certs = TestRootCerts::GetInstance();
+  root_certs->AddFromFile(
+      GetTestCertsDirectory().AppendASCII("root_ca_cert.pem"));
+
+  CertificateList cert_list = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<X509Certificate> cert(cert_list[0]);
+
+  // Verification should pass.
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(
+      cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+  // But should not be marked as a known root.
+  EXPECT_FALSE(verify_result.is_issued_by_known_root);
+}
+
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
 // Root can be successfully worked around once Apple completes removing the
 // older GTE CyberTrust Root from its trusted root store.
 //
 // The issue is caused by servers supplying the cross-certified intermediate
 // (necessary for certain mobile platforms), which OS X does not recognize
 // as already existing within its trust store.
 TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
   CertificateList certs = CreateCertificateListFromFile(
@@ skipping 565 matching lines @@
     EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
   }
 }
 
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     VerifyName,
     CertVerifyProcNameTest,
     testing::ValuesIn(kVerifyNameData));
 
 }  // namespace net