Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(423)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/verify_certificate_chain_unittest.cc

Issue 1414923007: Add initial code for verifying a certificate chain. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@test_driver
Patch Set: Start tackling Matt's comments Created 5 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/internal/verify_certificate_chain.cc ('K') | « net/cert/internal/verify_certificate_chain.cc ('k') | net/net.gypi » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/internal/verify_certificate_chain.h"
6
7 #include "base/base_paths.h"
8 #include "base/files/file_util.h"
9 #include "base/path_service.h"
10 #include "base/strings/string_split.h"
11 #include "base/strings/string_util.h"
12 #include "base/strings/stringprintf.h"
13 #include "net/cert/internal/parse_certificate.h"
14 #include "net/cert/internal/signature_policy.h"
15 #include "net/cert/internal/test_helpers.h"
16 #include "net/cert/pem_tokenizer.h"
17 #include "net/der/input.h"
18 #include "testing/gtest/include/gtest/gtest.h"
19
20 namespace net {
21
22 namespace {
23
24 // Reads a data file from the unit-test data.
25 std::string ReadTestFileToString(const std::string& file_name) {
26 // Compute the full path, relative to the src/ directory.
27 base::FilePath src_root;
28 PathService::Get(base::DIR_SOURCE_ROOT, &src_root);
29 base::FilePath filepath = src_root.AppendASCII(
30 std::string("net/data/verify_certificate_chain_unittest/") + file_name);
31
32 // Read the full contents of the file.
33 std::string file_data;
34 if (!base::ReadFileToString(filepath, &file_data)) {
35 ADD_FAILURE() << "Couldn't read file: " << filepath.value();
36 return std::string();
37 }
38
39 return file_data;
40 }
41
42 // Adds the certificate |cert_der| as a trusted root in |trust_store|.
43 void AddCertificateToTrustStore(const std::string& cert_der,
44 TrustStore* trust_store) {
45 ParsedCertificate cert;
46 ASSERT_TRUE(ParseCertificate(InputFromString(&cert_der), &cert));
47
48 ParsedTbsCertificate tbs;
49 ASSERT_TRUE(ParseTbsCertificate(cert.tbs_certificate_tlv, &tbs));
50 TrustedRoot root = {tbs.spki_tlv.AsString(), tbs.subject_tlv.AsString()};
51 trust_store->roots.push_back(root);
52 }
53
54 // Reads a test case from |file_name|. Test cases are comprised of a
55 // certificate chain, trust store, and timestamp to validate at.
56 void ReadTestFromFile(const std::string& file_name,
57 std::vector<std::string>* chain,
58 TrustStore* trust_store,
59 der::GeneralizedTime* time,
60 bool* verify_result) {
61 chain->clear();
62 *trust_store = TrustStore();
63
64 std::string file_data = ReadTestFileToString(file_name);
65
66 std::vector<std::string> pem_headers;
67
68 const char kCertificateHeader[] = "CERTIFICATE";
69 const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE";
70 const char kTimeHeader[] = "TIME";
71 const char kResultHeader[] = "VERIFY_RESULT";
72
73 pem_headers.push_back(kCertificateHeader);
74 pem_headers.push_back(kTrustedCertificateHeader);
75 pem_headers.push_back(kTimeHeader);
76 pem_headers.push_back(kResultHeader);
davidben 2015/11/19 22:24:02 (We should try to get cxx@chromium.org to allow in
eroman 2015/12/03 04:45:12 Word.
77
78 bool has_time = false;
79 bool has_result = false;
80
81 PEMTokenizer pem_tokenizer(file_data, pem_headers);
82 while (pem_tokenizer.GetNext()) {
83 const std::string& block_type = pem_tokenizer.block_type();
84 const std::string& block_data = pem_tokenizer.data();
85
86 if (block_type == kCertificateHeader) {
87 chain->push_back(block_data);
88 } else if (block_type == kTrustedCertificateHeader) {
89 AddCertificateToTrustStore(block_data, trust_store);
90 } else if (block_type == kTimeHeader) {
91 ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader;
92 has_time = true;
93 ASSERT_TRUE(der::ParseUTCTime(InputFromString(&block_data), time));
94 } else if (block_type == kResultHeader) {
95 ASSERT_FALSE(has_result) << "Duplicate " << kResultHeader;
96 has_result = true;
97 *verify_result = block_data == "SUCCESS";
davidben 2015/11/19 22:24:03 Nit: Probably good to explode if block_data isn't
eroman 2015/12/03 04:45:12 Done.
98 }
99 }
100
101 ASSERT_TRUE(has_time);
102 ASSERT_TRUE(has_result);
103 }
104
105 void RunTest(const char* file_name) {
106 std::vector<std::string> chain;
107 TrustStore trust_store;
108 der::GeneralizedTime time;
109 bool expected_result;
110
111 ReadTestFromFile(file_name, &chain, &trust_store, &time, &expected_result);
112
113 std::vector<der::Input> input_chain;
114 for (const auto& cert_str : chain)
115 input_chain.push_back(InputFromString(&cert_str));
116
117 SimpleSignaturePolicy signature_policy(2048);
118
119 bool result =
120 VerifyCertificateChain(input_chain, trust_store, &signature_policy, time);
121
122 ASSERT_EQ(expected_result, result);
123 }
124
125 TEST(VerifyCertificateChainTest, TargetAndIntermediary) {
126 RunTest("target-and-intermediary.pem");
127 }
128
129 TEST(VerifyCertificateChainTest, UnknownRoot) {
130 RunTest("unknown-root.pem");
131 }
132
133 TEST(VerifyCertificateChainTest, IntermediaryLacksBasicConstraints) {
134 RunTest("intermediary-lacks-basic-constraints.pem");
135 }
136
137 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsCaFalse) {
138 RunTest("intermediary-basic-constraints-ca-false.pem");
139 }
140
141 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsNotCritical) {
142 RunTest("intermediary-basic-constraints-not-critical.pem");
143 }
144
145 TEST(VerifyCertificateChainTest, IntermediaryLacksSigningKeyUsage) {
146 RunTest("intermediary-lacks-signing-key-usage.pem");
147 }
148
149 TEST(VerifyCertificateChainTest, IntermediaryUnknownCriticalExtension) {
150 RunTest("intermediary-unknown-critical-extension.pem");
151 }
152
153 TEST(VerifyCertificateChainTest, IntermediaryUnknownNonCriticalExtension) {
154 RunTest("intermediary-unknown-non-critical-extension.pem");
155 }
156
157 TEST(VerifyCertificateChainTest, ViolatesBasicConstraintsPathlen0) {
158 RunTest("violates-basic-constraints-pathlen-0.pem");
159 }
160
161 TEST(VerifyCertificateChainTest, BasicConstraintsPathlen0SelfIssued) {
162 RunTest("basic-constraints-pathlen-0-self-issued.pem");
163 }
164
165 TEST(VerifyCertificateChainTest, TargetSignedWithMd5) {
166 RunTest("target-signed-with-md5.pem");
167 }
168
169 TEST(VerifyCertificateChainTest, IntermediarySignedWithMd5) {
170 RunTest("intermediary-signed-with-md5.pem");
171 }
172
173 TEST(VerifyCertificateChainTest, TargetWrongSignature) {
174 RunTest("target-wrong-signature.pem");
175 }
176
177 TEST(VerifyCertificateChainTest, TargetSignedBy512bitRsa) {
178 RunTest("target-signed-by-512bit-rsa.pem");
179 }
180
181 TEST(VerifyCertificateChainTest, TargetSignedUsingEcdsa) {
182 RunTest("target-signed-using-ecdsa.pem");
183 }
184
185 TEST(VerifyCertificateChainTest, ExpiredIntermediary) {
186 RunTest("expired-intermediary.pem");
187 }
188
189 TEST(VerifyCertificateChainTest, ExpiredTarget) {
190 RunTest("expired-target.pem");
191 }
192
193 TEST(VerifyCertificateChainTest, ExpiredTargetNotBefore) {
194 RunTest("expired-target-notBefore.pem");
195 }
196
197 TEST(VerifyCertificateChainTest, TargetNotEndEntity) {
198 RunTest("target-not-end-entity.pem");
199 }
200
201 } // namespace
202
203 } // namespace net
OLDNEW
« net/cert/internal/verify_certificate_chain.cc ('K') | « net/cert/internal/verify_certificate_chain.cc ('k') | net/net.gypi » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698