net/cert/cert_verify_proc_unittest.cc - Issue 14492003: Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues

Side by Side Diff: net/cert/cert_verify_proc_unittest.cc

Issue 14492003: Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Review feedback Created 7 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include <vector>	7 #include <vector>

8	8

9 #include "base/files/file_path.h"	9 #include "base/files/file_path.h"

10 #include "base/logging.h"	10 #include "base/logging.h"

(...skipping 713 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
724	724

725 // Clearing the \|trust_anchors\| makes verification fail again (the cache	725 // Clearing the \|trust_anchors\| makes verification fail again (the cache

726 // should be skipped).	726 // should be skipped).

727 error = Verify(cert, "127.0.0.1", flags, NULL,	727 error = Verify(cert, "127.0.0.1", flags, NULL,

728 empty_cert_list_, &verify_result);	728 empty_cert_list_, &verify_result);

729 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);	729 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);

730 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);	730 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);

731 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);	731 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);

732 }	732 }

733	733

	734 #if defined(OS_MACOSX) && !defined(OS_IOS)

	735 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust

	736 // Root can be successfully worked around once Apple completes removing the

	737 // older GTE CyberTrust Root from its trusted root store.

	738 //

	739 // The issue is caused by servers supplying the cross-certified intermediate

	740 // (necessary for certain mobile platforms), which OS X does not recognize

	741 // as already existing within its trust store.

	742 TEST_F(CertVerifyProcTest, CybertrustGTERoot) {

	743 CertificateList certs = CreateCertificateListFromFile(

	744 GetTestCertsDirectory(),

	745 "cybertrust_omniroot_chain.pem",

	746 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);

	747 ASSERT_EQ(2U, certs.size());

	748

	749 X509Certificate::OSCertHandles intermediates;

	750 intermediates.push_back(certs[1]->os_cert_handle());

	751

	752 scoped_refptr<X509Certificate> cybertrust_basic =

	753 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),

	754 intermediates);

	755 ASSERT_TRUE(cybertrust_basic.get());

	756

	757 scoped_refptr<X509Certificate> baltimore_root =

	758 ImportCertFromFile(GetTestCertsDirectory(),

	759 "cybertrust_baltimore_root.pem");

	760 ASSERT_TRUE(baltimore_root.get());

	761

	762 ScopedTestRoot scoped_root(baltimore_root);

	763

	764 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This

	765 // simulates Keychain removing support for the GTE CyberTrust Root.

	766 TestRootCerts::GetInstance()->SetAllowSystemTrust(false);

	767 base::ScopedClosureRunner reset_system_trust(

	768 base::Bind(&TestRootCerts::SetAllowSystemTrust,

	769 base::Unretained(TestRootCerts::GetInstance()),

	770 true));

	771

	772 // First, make sure a simple certificate chain from

	773 // EE -> Public SureServer SV -> Baltimore CyberTrust

	774 // works. Only the first two certificates are included in the chain.

	775 int flags = 0;

	776 CertVerifyResult verify_result;

	777 int error = Verify(cybertrust_basic, "cacert.omniroot.com", flags, NULL,

	778 empty_cert_list_, &verify_result);

	779 EXPECT_EQ(OK, error);

	780 EXPECT_EQ(0U, verify_result.cert_status);

	781

	782 // Attempt to verify with the first known cross-certified intermediate

	783 // provided.

	784 scoped_refptr<X509Certificate> baltimore_intermediate_1 =

	785 ImportCertFromFile(GetTestCertsDirectory(),

	786 "cybertrust_baltimore_cross_certified_1.pem");

	787 ASSERT_TRUE(baltimore_intermediate_1.get());

	788

	789 X509Certificate::OSCertHandles intermediate_chain_1 =

	790 cybertrust_basic->GetIntermediateCertificates();

	791 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());

	792

	793 scoped_refptr<X509Certificate> baltimore_chain_1 =

	794 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),

	795 intermediate_chain_1);

	796 error = Verify(baltimore_chain_1, "cacert.omniroot.com", flags, NULL,

	797 empty_cert_list_, &verify_result);

	798 EXPECT_EQ(OK, error);

	799 EXPECT_EQ(0U, verify_result.cert_status);

	800

	801 // Attempt to verify with the second known cross-certified intermediate

	802 // provided.

	803 scoped_refptr<X509Certificate> baltimore_intermediate_2 =

	804 ImportCertFromFile(GetTestCertsDirectory(),

	805 "cybertrust_baltimore_cross_certified_2.pem");

	806 ASSERT_TRUE(baltimore_intermediate_2.get());

	807

	808 X509Certificate::OSCertHandles intermediate_chain_2 =

	809 cybertrust_basic->GetIntermediateCertificates();

	810 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());

	811

	812 scoped_refptr<X509Certificate> baltimore_chain_2 =

	813 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),

	814 intermediate_chain_2);

	815 error = Verify(baltimore_chain_2, "cacert.omniroot.com", flags, NULL,

	816 empty_cert_list_, &verify_result);

	817 EXPECT_EQ(OK, error);

	818 EXPECT_EQ(0U, verify_result.cert_status);

	819

	820 // Attempt to verify when both a cross-certified intermediate AND

	821 // the legacy GTE root are provided.

	822 scoped_refptr<X509Certificate> cybertrust_root =

	823 ImportCertFromFile(GetTestCertsDirectory(),

	824 "cybertrust_gte_root.pem");

	825 ASSERT_TRUE(cybertrust_root.get());

	826

	827 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());

	828 scoped_refptr<X509Certificate> baltimore_chain_with_root =

	829 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),

	830 intermediate_chain_2);

	831 error = Verify(baltimore_chain_with_root, "cacert.omniroot.com", flags,

	832 NULL, empty_cert_list_, &verify_result);

	833 EXPECT_EQ(OK, error);

	834 EXPECT_EQ(0U, verify_result.cert_status);

	835

	836 }

	837 #endif

	838

734 #if defined(USE_NSS) \|\| defined(OS_IOS) \|\| defined(OS_WIN) \|\| defined(OS_MACOSX)	839 #if defined(USE_NSS) \|\| defined(OS_IOS) \|\| defined(OS_WIN) \|\| defined(OS_MACOSX)

735 static const uint8 kCRLSetThawteSPKIBlocked[] = {	840 static const uint8 kCRLSetThawteSPKIBlocked[] = {

736 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,	841 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,

737 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,	842 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,

738 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,	843 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,

739 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,	844 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,

740 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,	845 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,

741 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,	846 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,

742 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,	847 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,

743 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37,	848 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37,

(...skipping 329 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1073 #define MAYBE_VerifyMixed DISABLED_VerifyMixed	1178 #define MAYBE_VerifyMixed DISABLED_VerifyMixed

1074 #else	1179 #else

1075 #define MAYBE_VerifyMixed VerifyMixed	1180 #define MAYBE_VerifyMixed VerifyMixed

1076 #endif	1181 #endif

1077 WRAPPED_INSTANTIATE_TEST_CASE_P(	1182 WRAPPED_INSTANTIATE_TEST_CASE_P(

1078 MAYBE_VerifyMixed,	1183 MAYBE_VerifyMixed,

1079 CertVerifyProcWeakDigestTest,	1184 CertVerifyProcWeakDigestTest,

1080 testing::ValuesIn(kVerifyMixedTestData));	1185 testing::ValuesIn(kVerifyMixedTestData));

1081	1186

1082 } // namespace net	1187 } // namespace net

OLD	NEW

« no previous file with comments | « net/cert/cert_verify_proc_mac.cc ('k') | net/cert/test_root_certs.h » ('j') | net/cert/test_root_certs_mac.cc » ('J')