RFC 2459 name comparison.

net/cert/internal/verify_name_match_unittest.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_name_match.h"
 
+#include "base/base_paths.h"
+#include "base/files/file_path.h"
+#include "base/files/file_util.h"
+#include "base/path_service.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
 #include "net/der/input.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
+namespace {
 
-TEST(VerifyNameMatchTest, Simple) {
-  // TODO(mattm): Use valid Names.
-  EXPECT_TRUE(VerifyNameMatch(der::Input("hello"), der::Input("hello")));
-  EXPECT_FALSE(VerifyNameMatch(der::Input("aello"), der::Input("hello")));
-  EXPECT_FALSE(VerifyNameMatch(der::Input("hello"), der::Input("hello1")));
-  EXPECT_FALSE(VerifyNameMatch(der::Input("hello1"), der::Input("hello")));
+std::string LoadTestData(const std::string& prefix,
+                         const std::string& value_type,
+                         const std::string& suffix) {
+  base::FilePath src_root;
+  PathService::Get(base::DIR_SOURCE_ROOT, &src_root);
+  std::string filename = prefix + "-" + value_type + "-" + suffix + ".der";
+  base::FilePath filepath =
+      src_root.Append("net/data/verify_name_match_unittest/names")
+          .Append(filename);
+  std::string result;
+  bool success = base::ReadFileToString(filepath, &result);
+  EXPECT_TRUE(success);
+  return result;
+}
+
+static const char* kValueTypes[] = {"PRINTABLESTRING",
+                                    "T61STRING",
+                                    "UTF8",
+                                    "BMPSTRING",
+                                    "UNIVERSALSTRING"};
+static const char* kMangleTypes[] = {"unmangled",
+                                     "case_swap",
+                                     "extra_whitespace"};
+
+}  // namespace
+
+class VerifyNameMatchSimpleTest
+    : public ::testing::TestWithParam<
+          ::testing::tuple<const char*, const char*>> {
+ public:
+  std::string value_type() const { return ::testing::get<0>(GetParam()); }
+  std::string suffix() const { return ::testing::get<1>(GetParam()); }
+};
+
+// Compare each input against itself, verifies that all input data is parsed
+// successfully.
+TEST_P(VerifyNameMatchSimpleTest, ExactEquality) {
+  std::string der = LoadTestData("ascii", value_type(), suffix());
+  EXPECT_TRUE(VerifyNameMatch(der::Input(der), der::Input(der)));
+
+  std::string der_extra_attr =
+      LoadTestData("ascii", value_type(), suffix() + "-extra_attr");
+  EXPECT_TRUE(
+      VerifyNameMatch(der::Input(der_extra_attr), der::Input(der_extra_attr)));
+
+  std::string der_extra_rdn =
+      LoadTestData("ascii", value_type(), suffix() + "-extra_rdn");
+  EXPECT_TRUE(
+      VerifyNameMatch(der::Input(der_extra_rdn), der::Input(der_extra_rdn)));
+}
+
+// Ensure that a Name does not match another Name which is exactly the same but
+// with an extra attribute in one Relative Distinguished Name.
+TEST_P(VerifyNameMatchSimpleTest, ExtraAttrDoesNotMatch) {
+  std::string der = LoadTestData("ascii", value_type(), suffix());
+  std::string der_extra_attr =
+      LoadTestData("ascii", value_type(), suffix() + "-extra_attr");
+  EXPECT_FALSE(VerifyNameMatch(der::Input(der), der::Input(der_extra_attr)));
+  EXPECT_FALSE(VerifyNameMatch(der::Input(der_extra_attr), der::Input(der)));
+}
+
+// Ensure that a Name does not match another Name which is exactly the same but
+// with an extra Relative Distinguished Name.
+TEST_P(VerifyNameMatchSimpleTest, ExtraRdnDoesNotMatch) {
+  std::string der = LoadTestData("ascii", value_type(), suffix());
+  std::string der_extra_rdn =
+      LoadTestData("ascii", value_type(), suffix() + "-extra_rdn");
+  EXPECT_FALSE(VerifyNameMatch(der::Input(der), der::Input(der_extra_rdn)));
+  EXPECT_FALSE(VerifyNameMatch(der::Input(der_extra_rdn), der::Input(der)));
+}
+
+INSTANTIATE_TEST_CASE_P(InstantiationName,
+                        VerifyNameMatchSimpleTest,
+                        ::testing::Combine(::testing::ValuesIn(kValueTypes),
+                                           ::testing::ValuesIn(kMangleTypes)));
+
+class VerifyNameMatchNormalizationTest
+    : public ::testing::TestWithParam<::testing::tuple<bool, const char*>> {
+ public:
+  bool expected_result() const { return ::testing::get<0>(GetParam()); }
+  std::string value_type() const { return ::testing::get<1>(GetParam()); }
+};
+
+// Verify matching is case insensitive (for the types which currently support
+// normalization).
+TEST_P(VerifyNameMatchNormalizationTest, CaseInsensitivity) {
+  std::string normal = LoadTestData("ascii", value_type(), "unmangled");
+  std::string case_swap = LoadTestData("ascii", value_type(), "case_swap");
+  EXPECT_EQ(expected_result(),
+            VerifyNameMatch(der::Input(normal), der::Input(case_swap)));
+  EXPECT_EQ(expected_result(),
+            VerifyNameMatch(der::Input(case_swap), der::Input(normal)));
+}
+
+// Verify matching folds whitespace (for the types which currently support
+// normalization).
+TEST_P(VerifyNameMatchNormalizationTest, CollapseWhitespace) {
+  std::string normal = LoadTestData("ascii", value_type(), "unmangled");
+  std::string whitespace =
+      LoadTestData("ascii", value_type(), "extra_whitespace");
+  EXPECT_EQ(expected_result(),
+            VerifyNameMatch(der::Input(normal), der::Input(whitespace)));
+  EXPECT_EQ(expected_result(),
+            VerifyNameMatch(der::Input(whitespace), der::Input(normal)));
+}
+
+// TODO(mattm): Current implementation uses RFC 2459 rules, where only
+// PRINTABLESTRING is normalized. Change the false values below to true when
+// updating to RFC 5280 (at least for UTF8, handling the others is optional).
+INSTANTIATE_TEST_CASE_P(
+    InstantiationName,
+    VerifyNameMatchNormalizationTest,
+    ::testing::Values(std::tr1::make_tuple(true, "PRINTABLESTRING"),
+                      std::tr1::make_tuple(false, "T61STRING"),
+                      std::tr1::make_tuple(false, "UTF8"),
+                      std::tr1::make_tuple(false, "BMPSTRING"),
+                      std::tr1::make_tuple(false, "UNIVERSALSTRING")));

[nharper, 2015/05/14 19:21:44]

Should these be ::testing::make_tuple?

[mattm, 2015/05/14 21:38:57]

oops, done.

+
+class VerifyNameMatchDifferingTypesTest
+    : public ::testing::TestWithParam<
+          ::testing::tuple<const char*, const char*>> {
+ public:
+  std::string value_type_1() const { return ::testing::get<0>(GetParam()); }
+  std::string value_type_2() const { return ::testing::get<1>(GetParam()); }
+};
+
+// TODO(mattm): in RFC 2459, different value types are assumed unequal. In RFC
+// 5280, different types are transcoded to Unicode, so this will need to be
+// updated.
+TEST_P(VerifyNameMatchDifferingTypesTest, DifferentTypesAreNonEqual) {
+  std::string der_1 = LoadTestData("ascii", value_type_1(), "unmangled");
+  std::string der_2 = LoadTestData("ascii", value_type_2(), "unmangled");
+  if (value_type_1() == value_type_2())
+    EXPECT_TRUE(VerifyNameMatch(der::Input(der_1), der::Input(der_2)));
+  else
+    EXPECT_FALSE(VerifyNameMatch(der::Input(der_1), der::Input(der_2)));
+}
+
+INSTANTIATE_TEST_CASE_P(InstantiationName,
+                        VerifyNameMatchDifferingTypesTest,
+                        ::testing::Combine(::testing::ValuesIn(kValueTypes),
+                                           ::testing::ValuesIn(kValueTypes)));
+
+// Matching should fail if a PrintableString contains invalid characters.
+TEST(VerifyNameMatchPrintableStringValidity, FailOnInvalidChars) {
+  std::string normal = LoadTestData("ascii", "PRINTABLESTRING", "unmangled");
+  // Find a known location inside a PrintableString in the DER-encoded data.
+  size_t replace_location = normal.find("0123456789");
+  ASSERT_NE(std::string::npos, replace_location);
+  for (int c = 0; c < 256; ++c) {
+    SCOPED_TRACE(base::IntToString(c));
+    if (IsAsciiAlpha(c) || IsAsciiDigit(c))
+      continue;
+    switch (c) {
+      case ' ':
+      case '\'':
+      case '(':
+      case ')':
+      case '+':
+      case ',':
+      case '-':
+      case '.':
+      case '/':
+      case ':':
+      case '=':
+      case '?':
+        continue;
+    }
+    std::string invalid = normal.replace(replace_location, 1, 1, c);
+    // Verification should fail due to the invalid character.
+    EXPECT_FALSE(VerifyNameMatch(der::Input(invalid), der::Input(invalid)));
+  }
 }

[nharper, 2015/05/14 19:21:44]

All of these test cases assume a valid ASN.1 structure is encoded. Add test
cases for improper structures? (i.e. an AttributeTypeAndValue that has something
after the AttributeType and AttributeValue, or a Name that has something
following the RDNSequence)

[mattm, 2015/05/14 21:38:57]

Good idea, done. (And fixed some cases allowing empty sets/sequences that
shouldn't be allowed.)

 
 }  // namespace net