Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(299)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/verify_certificate_chain_unittest.cc

Issue 1414923007: Add initial code for verifying a certificate chain. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@test_driver
Patch Set: rebase (and fix a comment) Created 5 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/internal/verify_certificate_chain.cc ('K') | « net/cert/internal/verify_certificate_chain.cc ('k') | net/net.gypi » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/internal/verify_certificate_chain.h"
6
7 #include "base/base_paths.h"
8 #include "base/files/file_util.h"
9 #include "base/path_service.h"
10 #include "base/strings/string_split.h"
11 #include "base/strings/string_util.h"
12 #include "base/strings/stringprintf.h"
13 #include "net/cert/internal/parse_certificate.h"
14 #include "net/cert/internal/signature_policy.h"
15 #include "net/cert/internal/test_helpers.h"
16 #include "net/cert/pem_tokenizer.h"
17 #include "net/der/input.h"
18 #include "testing/gtest/include/gtest/gtest.h"
19
20 namespace net {
21
22 namespace {
23
24 // Reads a data file from the unit-test data.
25 std::string ReadTestFileToString(const std::string& file_name) {
26 // Compute the full path, relative to the src/ directory.
27 base::FilePath src_root;
28 PathService::Get(base::DIR_SOURCE_ROOT, &src_root);
29 base::FilePath filepath = src_root.AppendASCII(
30 std::string("net/data/verify_certificate_chain_unittest/") + file_name);
31
32 // Read the full contents of the file.
33 std::string file_data;
34 if (!base::ReadFileToString(filepath, &file_data)) {
35 ADD_FAILURE() << "Couldn't read file: " << filepath.value();
36 return std::string();
37 }
38
39 return file_data;
40 }
41
42 // Adds the certificate |cert_der| as a trust anchor to |trust_store|.
43 void AddCertificateToTrustStore(const std::string& cert_der,
44 TrustStore* trust_store) {
45 ParsedCertificate cert;
46 ASSERT_TRUE(ParseCertificate(InputFromString(&cert_der), &cert));
47
48 ParsedTbsCertificate tbs;
49 ASSERT_TRUE(ParseTbsCertificate(cert.tbs_certificate_tlv, &tbs));
50 TrustAnchor anchor = {tbs.spki_tlv.AsString(), tbs.subject_tlv.AsString()};
51 trust_store->anchors.push_back(anchor);
52 }
53
54 // Reads a test case from |file_name|. Test cases are comprised of a
55 // certificate chain, trust store, a timestamp to validate at, and the
56 // expected result of verification.
57 void ReadTestFromFile(const std::string& file_name,
58 std::vector<std::string>* chain,
59 TrustStore* trust_store,
60 der::GeneralizedTime* time,
61 bool* verify_result) {
62 chain->clear();
63 *trust_store = TrustStore();
64
65 std::string file_data = ReadTestFileToString(file_name);
66
67 std::vector<std::string> pem_headers;
68
69 const char kCertificateHeader[] = "CERTIFICATE";
70 const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE";
71 const char kTimeHeader[] = "TIME";
72 const char kResultHeader[] = "VERIFY_RESULT";
73
74 pem_headers.push_back(kCertificateHeader);
75 pem_headers.push_back(kTrustedCertificateHeader);
76 pem_headers.push_back(kTimeHeader);
77 pem_headers.push_back(kResultHeader);
78
79 bool has_time = false;
80 bool has_result = false;
81
82 PEMTokenizer pem_tokenizer(file_data, pem_headers);
83 while (pem_tokenizer.GetNext()) {
84 const std::string& block_type = pem_tokenizer.block_type();
85 const std::string& block_data = pem_tokenizer.data();
86
87 if (block_type == kCertificateHeader) {
88 chain->push_back(block_data);
89 } else if (block_type == kTrustedCertificateHeader) {
90 AddCertificateToTrustStore(block_data, trust_store);
91 } else if (block_type == kTimeHeader) {
92 ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader;
93 has_time = true;
94 ASSERT_TRUE(der::ParseUTCTime(InputFromString(&block_data), time));
95 } else if (block_type == kResultHeader) {
96 ASSERT_FALSE(has_result) << "Duplicate " << kResultHeader;
97 ASSERT_TRUE(block_data == "SUCCESS" || block_data == "FAIL")
98 << "Unrecognized result: " << block_data;
99 has_result = true;
100 *verify_result = block_data == "SUCCESS";
101 }
102 }
103
104 ASSERT_TRUE(has_time);
105 ASSERT_TRUE(has_result);
106 }
107
108 void RunTest(const char* file_name) {
109 std::vector<std::string> chain;
110 TrustStore trust_store;
111 der::GeneralizedTime time;
112 bool expected_result;
113
114 ReadTestFromFile(file_name, &chain, &trust_store, &time, &expected_result);
115
116 std::vector<der::Input> input_chain;
117 for (const auto& cert_str : chain)
118 input_chain.push_back(InputFromString(&cert_str));
119
120 SimpleSignaturePolicy signature_policy(2048);
121
122 bool result =
123 VerifyCertificateChain(input_chain, trust_store, &signature_policy, time);
124
125 ASSERT_EQ(expected_result, result);
126 }
127
128 TEST(VerifyCertificateChainTest, TargetAndIntermediary) {
129 RunTest("target-and-intermediary.pem");
130 }
131
132 TEST(VerifyCertificateChainTest, UnknownRoot) {
133 RunTest("unknown-root.pem");
134 }
135
136 TEST(VerifyCertificateChainTest, IntermediaryLacksBasicConstraints) {
137 RunTest("intermediary-lacks-basic-constraints.pem");
138 }
139
140 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsCaFalse) {
141 RunTest("intermediary-basic-constraints-ca-false.pem");
142 }
143
144 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsNotCritical) {
145 RunTest("intermediary-basic-constraints-not-critical.pem");
146 }
147
148 TEST(VerifyCertificateChainTest, IntermediaryLacksSigningKeyUsage) {
149 RunTest("intermediary-lacks-signing-key-usage.pem");
150 }
151
152 TEST(VerifyCertificateChainTest, IntermediaryUnknownCriticalExtension) {
153 RunTest("intermediary-unknown-critical-extension.pem");
154 }
155
156 TEST(VerifyCertificateChainTest, IntermediaryUnknownNonCriticalExtension) {
157 RunTest("intermediary-unknown-non-critical-extension.pem");
158 }
159
160 TEST(VerifyCertificateChainTest, ViolatesBasicConstraintsPathlen0) {
161 RunTest("violates-basic-constraints-pathlen-0.pem");
162 }
163
164 TEST(VerifyCertificateChainTest, BasicConstraintsPathlen0SelfIssued) {
165 RunTest("basic-constraints-pathlen-0-self-issued.pem");
166 }
167
168 TEST(VerifyCertificateChainTest, TargetSignedWithMd5) {
169 RunTest("target-signed-with-md5.pem");
170 }
171
172 TEST(VerifyCertificateChainTest, IntermediarySignedWithMd5) {
173 RunTest("intermediary-signed-with-md5.pem");
174 }
175
176 TEST(VerifyCertificateChainTest, TargetWrongSignature) {
177 RunTest("target-wrong-signature.pem");
178 }
179
180 TEST(VerifyCertificateChainTest, TargetSignedBy512bitRsa) {
181 RunTest("target-signed-by-512bit-rsa.pem");
182 }
183
184 TEST(VerifyCertificateChainTest, TargetSignedUsingEcdsa) {
185 RunTest("target-signed-using-ecdsa.pem");
186 }
187
188 TEST(VerifyCertificateChainTest, ExpiredIntermediary) {
189 RunTest("expired-intermediary.pem");
190 }
191
192 TEST(VerifyCertificateChainTest, ExpiredTarget) {
193 RunTest("expired-target.pem");
194 }
195
196 TEST(VerifyCertificateChainTest, ExpiredTargetNotBefore) {
197 RunTest("expired-target-notBefore.pem");
198 }
199
200 TEST(VerifyCertificateChainTest, TargetNotEndEntity) {
201 RunTest("target-not-end-entity.pem");
202 }
203
204 TEST(VerifyCertificateChainTest, TargetHasKeyCertSignButNotCa) {
205 RunTest("target-has-keycertsign-but-not-ca.pem");
206 }
207
208 TEST(VerifyCertificateChainTest, TargetHasPathlenButNotCa) {
209 RunTest("target-has-pathlen-but-not-ca.pem");
210 }
211
212 TEST(VerifyCertificateChainTest, TargetUnknownCriticalExtension) {
213 RunTest("target-unknown-critical-extension.pem");
214 }
215
216 // Tests that verifying a chain with no certificates fails.
217 TEST(VerifyCertificateChainTest, EmptyChainIsInvalid) {
218 TrustStore trust_store;
219 der::GeneralizedTime time;
220 std::vector<der::Input> chain;
221 SimpleSignaturePolicy signature_policy(2048);
222
223 ASSERT_FALSE(
224 VerifyCertificateChain(chain, trust_store, &signature_policy, time));
225 }
226
227 // TODO(eroman): Add test that invalidate validity dates where the day or month
228 // ordinal not in range, like "March 39, 2016" are rejected.
229
230 } // namespace
231
232 } // namespace net
OLDNEW
« net/cert/internal/verify_certificate_chain.cc ('K') | « net/cert/internal/verify_certificate_chain.cc ('k') | net/net.gypi » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698