| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 713 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 724 | 724 |
| 725 // Clearing the |trust_anchors| makes verification fail again (the cache | 725 // Clearing the |trust_anchors| makes verification fail again (the cache |
| 726 // should be skipped). | 726 // should be skipped). |
| 727 error = Verify(cert, "127.0.0.1", flags, NULL, | 727 error = Verify(cert, "127.0.0.1", flags, NULL, |
| 728 empty_cert_list_, &verify_result); | 728 empty_cert_list_, &verify_result); |
| 729 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 729 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 730 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 730 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 731 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 731 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
| 732 } | 732 } |
| 733 | 733 |
| 734 #if defined(OS_MACOSX) && !defined(OS_IOS) |
| 735 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust |
| 736 // Root can be successfully worked around once Apple completes removing the |
| 737 // older GTE CyberTrust Root from its trusted root store. |
| 738 // |
| 739 // The issue is caused by servers supplying the cross-certified intermediate |
| 740 // (necessary for certain mobile platforms), which OS X does not recognize |
| 741 // as already existing within its trust store. |
| 742 TEST_F(CertVerifyProcTest, CybertrustGTERoot) { |
| 743 CertificateList certs = CreateCertificateListFromFile( |
| 744 GetTestCertsDirectory(), |
| 745 "cybertrust_omniroot_chain.pem", |
| 746 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| 747 ASSERT_EQ(2U, certs.size()); |
| 748 |
| 749 X509Certificate::OSCertHandles intermediates; |
| 750 intermediates.push_back(certs[1]->os_cert_handle()); |
| 751 |
| 752 scoped_refptr<X509Certificate> cybertrust_basic = |
| 753 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 754 intermediates); |
| 755 ASSERT_TRUE(cybertrust_basic.get()); |
| 756 |
| 757 scoped_refptr<X509Certificate> baltimore_root = |
| 758 ImportCertFromFile(GetTestCertsDirectory(), |
| 759 "cybertrust_baltimore_root.pem"); |
| 760 ASSERT_TRUE(baltimore_root.get()); |
| 761 |
| 762 ScopedTestRoot scoped_root(baltimore_root); |
| 763 |
| 764 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This |
| 765 // simulates Keychain removing support for the GTE CyberTrust Root. |
| 766 TestRootCerts::GetInstance()->SetAllowSystemTrust(false); |
| 767 base::ScopedClosureRunner reset_system_trust( |
| 768 base::Bind(&TestRootCerts::SetAllowSystemTrust, |
| 769 base::Unretained(TestRootCerts::GetInstance()), |
| 770 true)); |
| 771 |
| 772 // First, make sure a simple certificate chain from |
| 773 // EE -> Public SureServer SV -> Baltimore CyberTrust |
| 774 // works. Only the first two certificates are included in the chain. |
| 775 int flags = 0; |
| 776 CertVerifyResult verify_result; |
| 777 int error = Verify(cybertrust_basic, "cacert.omniroot.com", flags, NULL, |
| 778 empty_cert_list_, &verify_result); |
| 779 EXPECT_EQ(OK, error); |
| 780 EXPECT_EQ(0U, verify_result.cert_status); |
| 781 |
| 782 // Attempt to verify with the first known cross-certified intermediate |
| 783 // provided. |
| 784 scoped_refptr<X509Certificate> baltimore_intermediate_1 = |
| 785 ImportCertFromFile(GetTestCertsDirectory(), |
| 786 "cybertrust_baltimore_cross_certified_1.pem"); |
| 787 ASSERT_TRUE(baltimore_intermediate_1.get()); |
| 788 |
| 789 X509Certificate::OSCertHandles intermediate_chain_1 = |
| 790 cybertrust_basic->GetIntermediateCertificates(); |
| 791 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle()); |
| 792 |
| 793 scoped_refptr<X509Certificate> baltimore_chain_1 = |
| 794 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 795 intermediate_chain_1); |
| 796 error = Verify(baltimore_chain_1, "cacert.omniroot.com", flags, NULL, |
| 797 empty_cert_list_, &verify_result); |
| 798 EXPECT_EQ(OK, error); |
| 799 EXPECT_EQ(0U, verify_result.cert_status); |
| 800 |
| 801 // Attempt to verify with the second known cross-certified intermediate |
| 802 // provided. |
| 803 scoped_refptr<X509Certificate> baltimore_intermediate_2 = |
| 804 ImportCertFromFile(GetTestCertsDirectory(), |
| 805 "cybertrust_baltimore_cross_certified_2.pem"); |
| 806 ASSERT_TRUE(baltimore_intermediate_2.get()); |
| 807 |
| 808 X509Certificate::OSCertHandles intermediate_chain_2 = |
| 809 cybertrust_basic->GetIntermediateCertificates(); |
| 810 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle()); |
| 811 |
| 812 scoped_refptr<X509Certificate> baltimore_chain_2 = |
| 813 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 814 intermediate_chain_2); |
| 815 error = Verify(baltimore_chain_2, "cacert.omniroot.com", flags, NULL, |
| 816 empty_cert_list_, &verify_result); |
| 817 EXPECT_EQ(OK, error); |
| 818 EXPECT_EQ(0U, verify_result.cert_status); |
| 819 |
| 820 // Attempt to verify when both a cross-certified intermediate AND |
| 821 // the legacy GTE root are provided. |
| 822 scoped_refptr<X509Certificate> cybertrust_root = |
| 823 ImportCertFromFile(GetTestCertsDirectory(), |
| 824 "cybertrust_gte_root.pem"); |
| 825 ASSERT_TRUE(cybertrust_root.get()); |
| 826 |
| 827 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle()); |
| 828 scoped_refptr<X509Certificate> baltimore_chain_with_root = |
| 829 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 830 intermediate_chain_2); |
| 831 error = Verify(baltimore_chain_with_root, "cacert.omniroot.com", flags, |
| 832 NULL, empty_cert_list_, &verify_result); |
| 833 EXPECT_EQ(OK, error); |
| 834 EXPECT_EQ(0U, verify_result.cert_status); |
| 835 |
| 836 } |
| 837 #endif |
| 838 |
| 734 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) | 839 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) |
| 735 static const uint8 kCRLSetThawteSPKIBlocked[] = { | 840 static const uint8 kCRLSetThawteSPKIBlocked[] = { |
| 736 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, | 841 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, |
| 737 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, | 842 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, |
| 738 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, | 843 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, |
| 739 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, | 844 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, |
| 740 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, | 845 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, |
| 741 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, | 846 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, |
| 742 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, | 847 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, |
| 743 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37, | 848 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37, |
| (...skipping 329 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1073 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1178 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1074 #else | 1179 #else |
| 1075 #define MAYBE_VerifyMixed VerifyMixed | 1180 #define MAYBE_VerifyMixed VerifyMixed |
| 1076 #endif | 1181 #endif |
| 1077 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1182 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1078 MAYBE_VerifyMixed, | 1183 MAYBE_VerifyMixed, |
| 1079 CertVerifyProcWeakDigestTest, | 1184 CertVerifyProcWeakDigestTest, |
| 1080 testing::ValuesIn(kVerifyMixedTestData)); | 1185 testing::ValuesIn(kVerifyMixedTestData)); |
| 1081 | 1186 |
| 1082 } // namespace net | 1187 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 14492003:
Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src