net/cert/cert_verify_proc_unittest.cc - Issue 108653013: Export verified_cert and public_key_hashes on Android.

Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 108653013: Export verified_cert and public_key_hashes on Android. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Rebase Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/cert_verify_proc_unittest.cc

diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc

index 71a0c0ee9904ac5583d2ad35838d32a715dea347..0d2b6f3da9a26d63d7e0e2b9d349901b1f61ccbe 100644

--- a/net/cert/cert_verify_proc_unittest.cc

+++ b/net/cert/cert_verify_proc_unittest.cc

@@ -29,6 +29,8 @@

#include "base/win/windows_version.h"

#elif defined(OS_MACOSX) && !defined(OS_IOS)

#include "base/mac/mac_util.h"

+#elif defined(OS_ANDROID)

+#include "base/android/build_info.h"

#endif

using base::HexEncode;

@@ -617,11 +619,24 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) {

&verify_result);

EXPECT_EQ(OK, error);

EXPECT_EQ(0U, verify_result.cert_status);

+#if defined(OS_ANDROID)

+ // Before API level 17, Android does not populate is_issued_by_known_root

+ // correctly.

+ if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)

+ return;

+#endif

Ryan Sleevi 2013/12/19 00:06:59 Can you move each of these conditionals into a com

davidben 2013/12/19 00:42:52 Done.

EXPECT_TRUE(verify_result.is_issued_by_known_root);

}

// The certse.pem certificate has been revoked. crbug.com/259723.

TEST_F(CertVerifyProcTest, PublicKeyHashes) {

+#if defined(OS_ANDROID)

+ if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {

+ LOG(INFO) << "This test can't run on Android < 4.2";

+ return;

+ }

+#endif

base::FilePath certs_dir = GetTestCertsDirectory();

CertificateList certs = CreateCertificateListFromFile(

certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);

@@ -717,6 +732,13 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {

// used to ensure that the actual, verified chain is being returned by

// Verify().

TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {

+#if defined(OS_ANDROID)

+ if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {

+ LOG(INFO) << "This test can't run on Android < 4.2";

+ return;

+ }

+#endif

base::FilePath certs_dir = GetTestCertsDirectory();

CertificateList certs = CreateCertificateListFromFile(

certs_dir, "x509_verify_results.chain.pem",

@@ -759,19 +781,11 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {

certs[2]->os_cert_handle()));

}

-#if defined(OS_ANDROID)

-// TODO(ppi): Disabled because is_issued_by_known_root is incorrect on Android.

-// Once this is fixed, re-enable this check for android. crbug.com/116838

-#define MAYBE_IntranetHostsRejected DISABLED_IntranetHostsRejected

-#else

-#define MAYBE_IntranetHostsRejected IntranetHostsRejected

-#endif

// Test that certificates issued for 'intranet' names (that is, containing no

// known public registry controlled domain information) issued by well-known

// CAs are flagged appropriately, while certificates that are issued by

// internal CAs are not flagged.

-TEST_F(CertVerifyProcTest, MAYBE_IntranetHostsRejected) {

+TEST_F(CertVerifyProcTest, IntranetHostsRejected) {

CertificateList cert_list = CreateCertificateListFromFile(

GetTestCertsDirectory(), "ok_cert.pem",

X509Certificate::FORMAT_AUTO);

@@ -802,6 +816,13 @@ TEST_F(CertVerifyProcTest, MAYBE_IntranetHostsRejected) {

// of intermediate certificates are combined, it's possible that order may

// not be maintained.

TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {

+#if defined(OS_ANDROID)

+ if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {

+ LOG(INFO) << "This test can't run on Android < 4.2";

+ return;

+ }

+#endif

base::FilePath certs_dir = GetTestCertsDirectory();

CertificateList certs = CreateCertificateListFromFile(

certs_dir, "x509_verify_results.chain.pem",

@@ -848,6 +869,13 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {

// Test that Verify() filters out certificates which are not related to

// or part of the certificate chain being verified.

TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {

+#if defined(OS_ANDROID)

+ if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {

+ LOG(INFO) << "This test can't run on Android < 4.2";

+ return;

+ }

+#endif

base::FilePath certs_dir = GetTestCertsDirectory();

CertificateList certs = CreateCertificateListFromFile(

certs_dir, "x509_verify_results.chain.pem",

@@ -946,6 +974,29 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {

EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);

}

+TEST_F(CertVerifyProcTest, NonStandardRoot) {

Ryan Sleevi 2013/12/19 00:06:59 s/NonStandardRoot/IsIssuedByKnownRootIgnoresTestRo

davidben 2013/12/19 00:42:52 Done.

+ // Load root_ca_cert.pem into the test root store.

+ TestRootCerts* root_certs = TestRootCerts::GetInstance();

+ root_certs->AddFromFile(

+ GetTestCertsDirectory().AppendASCII("root_ca_cert.pem"));

+ CertificateList cert_list = CreateCertificateListFromFile(

+ GetTestCertsDirectory(), "ok_cert.pem",

+ X509Certificate::FORMAT_AUTO);

+ ASSERT_EQ(1U, cert_list.size());

+ scoped_refptr<X509Certificate> cert(cert_list[0]);

+ // Verification should pass.

+ int flags = 0;

+ CertVerifyResult verify_result;

+ int error = Verify(

+ cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);

+ EXPECT_EQ(OK, error);

+ EXPECT_EQ(0U, verify_result.cert_status);

+ // But should not be marked as a known root.

+ EXPECT_FALSE(verify_result.is_issued_by_known_root);

#if defined(OS_MACOSX) && !defined(OS_IOS)

// Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust

// Root can be successfully worked around once Apple completes removing the

« net/android/java/src/org/chromium/net/X509Util.java ('K') | « net/cert/cert_verify_proc_android.cc ('k') | net/net.gyp » ('j') | no next file with comments »