| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 25 matching lines...) | |
| 36 | 36 |
| 37 namespace { | 37 namespace { |
| 38 | 38 |
| 39 // A certificate for www.paypal.com with a NULL byte in the common name. | 39 // A certificate for www.paypal.com with a NULL byte in the common name. |
| 40 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 | 40 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 |
| 41 unsigned char paypal_null_fingerprint[] = { | 41 unsigned char paypal_null_fingerprint[] = { |
| 42 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba, | 42 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba, |
| 43 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 | 43 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 |
| 44 }; | 44 }; |
| 45 | 45 |
| 46 // Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root| | |
| 47 // for all certificates that are Verified. | |
| 48 class WellKnownCaCertVerifyProc : public CertVerifyProc { | |
| 49 public: | |
| 50 // Initialize a CertVerifyProc that will set | |
| 51 // |verify_result->is_issued_by_known_root| to |is_well_known|. | |
| 52 explicit WellKnownCaCertVerifyProc(bool is_well_known) | |
| 53 : is_well_known_(is_well_known) {} | |
| 54 | |
| 55 // CertVerifyProc implementation: | |
| 56 virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; } | |
| 57 | |
| 58 protected: | |
| 59 virtual ~WellKnownCaCertVerifyProc() {} | |
| 60 | |
| 61 private: | |
| 62 virtual int VerifyInternal(X509Certificate* cert, | |
| 63 const std::string& hostname, | |
| 64 int flags, | |
| 65 CRLSet* crl_set, | |
| 66 const CertificateList& additional_trust_anchors, | |
| 67 CertVerifyResult* verify_result) OVERRIDE; | |
| 68 | |
| 69 bool is_well_known_; | |
|
agl
2013/05/16 16:33:29
nit: const
| |
| 70 | |
| 71 DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc); | |
| 72 }; | |
| 73 | |
| 74 int WellKnownCaCertVerifyProc::VerifyInternal( | |
| 75 X509Certificate* cert, | |
| 76 const std::string& hostname, | |
| 77 int flags, | |
| 78 CRLSet* crl_set, | |
| 79 const CertificateList& additional_trust_anchors, | |
| 80 CertVerifyResult* verify_result) { | |
| 81 verify_result->is_issued_by_known_root = is_well_known_; | |
| 82 return OK; | |
| 83 } | |
| 84 | |
| 46 } // namespace | 85 } // namespace |
| 47 | 86 |
| 48 class CertVerifyProcTest : public testing::Test { | 87 class CertVerifyProcTest : public testing::Test { |
| 49 public: | 88 public: |
| 50 CertVerifyProcTest() | 89 CertVerifyProcTest() |
| 51 : verify_proc_(CertVerifyProc::CreateDefault()) { | 90 : verify_proc_(CertVerifyProc::CreateDefault()) { |
| 52 } | 91 } |
| 53 virtual ~CertVerifyProcTest() {} | 92 virtual ~CertVerifyProcTest() {} |
| 54 | 93 |
| 55 protected: | 94 protected: |
| 56 bool SupportsAdditionalTrustAnchors() { | 95 bool SupportsAdditionalTrustAnchors() { |
| 57 return verify_proc_->SupportsAdditionalTrustAnchors(); | 96 return verify_proc_->SupportsAdditionalTrustAnchors(); |
| 58 } | 97 } |
| 59 | 98 |
| 60 int Verify(X509Certificate* cert, | 99 int Verify(X509Certificate* cert, |
| 61 const std::string& hostname, | 100 const std::string& hostname, |
| 62 int flags, | 101 int flags, |
| 63 CRLSet* crl_set, | 102 CRLSet* crl_set, |
| 64 const CertificateList& additional_trust_anchors, | 103 const CertificateList& additional_trust_anchors, |
| 65 CertVerifyResult* verify_result) { | 104 CertVerifyResult* verify_result) { |
| 66 return verify_proc_->Verify(cert, hostname, flags, crl_set, | 105 return verify_proc_->Verify(cert, hostname, flags, crl_set, |
| 67 additional_trust_anchors, verify_result); | 106 additional_trust_anchors, verify_result); |
| 68 } | 107 } |
| 69 | 108 |
| 70 const CertificateList empty_cert_list_; | 109 const CertificateList empty_cert_list_; |
| 71 | |
| 72 private: | |
| 73 scoped_refptr<CertVerifyProc> verify_proc_; | 110 scoped_refptr<CertVerifyProc> verify_proc_; |
| 74 }; | 111 }; |
| 75 | 112 |
| 76 TEST_F(CertVerifyProcTest, WithoutRevocationChecking) { | 113 TEST_F(CertVerifyProcTest, WithoutRevocationChecking) { |
| 77 // Check that verification without revocation checking works. | 114 // Check that verification without revocation checking works. |
| 78 CertificateList certs = CreateCertificateListFromFile( | 115 CertificateList certs = CreateCertificateListFromFile( |
| 79 GetTestCertsDirectory(), | 116 GetTestCertsDirectory(), |
| 80 "googlenew.chain.pem", | 117 "googlenew.chain.pem", |
| 81 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 118 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| 82 | 119 |
| (...skipping 500 matching lines...) | |
| 583 verify_result.verified_cert->os_cert_handle())); | 620 verify_result.verified_cert->os_cert_handle())); |
| 584 const X509Certificate::OSCertHandles& return_intermediates = | 621 const X509Certificate::OSCertHandles& return_intermediates = |
| 585 verify_result.verified_cert->GetIntermediateCertificates(); | 622 verify_result.verified_cert->GetIntermediateCertificates(); |
| 586 ASSERT_EQ(2U, return_intermediates.size()); | 623 ASSERT_EQ(2U, return_intermediates.size()); |
| 587 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], | 624 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 588 certs[1]->os_cert_handle())); | 625 certs[1]->os_cert_handle())); |
| 589 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], | 626 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 590 certs[2]->os_cert_handle())); | 627 certs[2]->os_cert_handle())); |
| 591 } | 628 } |
| 592 | 629 |
| 630 // Test that certificates issued for 'intranet' names (that is, containing no | |
| 631 // known public registry controlled domain information) issued by well-known | |
| 632 // CAs are flagged appropriately, while certificates that are issued by | |
| 633 // internal CAs are not flagged. | |
| 634 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { | |
| 635 CertificateList cert_list = CreateCertificateListFromFile( | |
| 636 GetTestCertsDirectory(), "ok_cert.pem", | |
| 637 X509Certificate::FORMAT_AUTO); | |
| 638 ASSERT_EQ(1U, cert_list.size()); | |
| 639 scoped_refptr<X509Certificate> cert(cert_list[0]); | |
| 640 | |
| 641 CertVerifyResult verify_result; | |
| 642 int error = 0; | |
| 643 | |
| 644 // Intranet names for public CAs should be flagged: | |
| 645 verify_proc_ = new WellKnownCaCertVerifyProc(true); | |
| 646 | |
| 647 // ... when there is no dot present | |
| 648 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | |
| 649 &verify_result); | |
| 650 EXPECT_EQ(OK, error); | |
| 651 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 652 | |
| 653 // ... even when they have a trailing dot | |
| 654 error = Verify(cert, "intranet.", 0, NULL, empty_cert_list_, | |
| 655 &verify_result); | |
| 656 EXPECT_EQ(OK, error); | |
| 657 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 658 | |
| 659 // ... or multiple name components | |
| 660 error = Verify(cert, "domain.example", 0, NULL, empty_cert_list_, | |
| 661 &verify_result); | |
| 662 EXPECT_EQ(OK, error); | |
| 663 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 664 | |
| 665 // ... or >= 2 name components. | |
| 666 error = Verify(cert, "intranet.domain.example", 0, NULL, empty_cert_list_, | |
| 667 &verify_result); | |
| 668 EXPECT_EQ(OK, error); | |
| 669 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 670 | |
| 671 // However, public suffixes should not be flagged: | |
| 672 // gTLD | |
| 673 error = Verify(cert, "intranet.example.com", 0, NULL, empty_cert_list_, | |
| 674 &verify_result); | |
| 675 EXPECT_EQ(OK, error); | |
| 676 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 677 | |
| 678 // ccTLD | |
| 679 error = Verify(cert, "intranet.example.co.uk", 0, NULL, empty_cert_list_, | |
| 680 &verify_result); | |
| 681 EXPECT_EQ(OK, error); | |
| 682 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 683 | |
| 684 // "private" registry controlled domain | |
| 685 error = Verify(cert, "intranet.appspot.com", 0, NULL, empty_cert_list_, | |
| 686 &verify_result); | |
| 687 EXPECT_EQ(OK, error); | |
| 688 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 689 | |
| 690 // However, if the CA is not well known, none of these should be flagged: | |
| 691 verify_proc_ = new WellKnownCaCertVerifyProc(false); | |
| 692 // ... when there is no dot present | |
| 693 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | |
| 694 &verify_result); | |
| 695 EXPECT_EQ(OK, error); | |
| 696 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 697 | |
| 698 // ... even when they have a trailing dot | |
| 699 error = Verify(cert, "intranet.", 0, NULL, empty_cert_list_, | |
| 700 &verify_result); | |
| 701 EXPECT_EQ(OK, error); | |
| 702 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 703 | |
| 704 // ... or multiple name components | |
| 705 error = Verify(cert, "domain.example", 0, NULL, empty_cert_list_, | |
| 706 &verify_result); | |
| 707 EXPECT_EQ(OK, error); | |
| 708 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 709 | |
| 710 // ... or >= 2 name components. | |
| 711 error = Verify(cert, "intranet.domain.example", 0, NULL, empty_cert_list_, | |
| 712 &verify_result); | |
| 713 EXPECT_EQ(OK, error); | |
| 714 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
| 715 } | |
| 716 | |
| 593 // Test that the certificate returned in CertVerifyResult is able to reorder | 717 // Test that the certificate returned in CertVerifyResult is able to reorder |
| 594 // certificates that are not ordered from end-entity to root. While this is | 718 // certificates that are not ordered from end-entity to root. While this is |
| 595 // a protocol violation if sent during a TLS handshake, if multiple sources | 719 // a protocol violation if sent during a TLS handshake, if multiple sources |
| 596 // of intermediate certificates are combined, it's possible that order may | 720 // of intermediate certificates are combined, it's possible that order may |
| 597 // not be maintained. | 721 // not be maintained. |
| 598 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { | 722 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { |
| 599 base::FilePath certs_dir = GetTestCertsDirectory(); | 723 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 600 CertificateList certs = CreateCertificateListFromFile( | 724 CertificateList certs = CreateCertificateListFromFile( |
| 601 certs_dir, "x509_verify_results.chain.pem", | 725 certs_dir, "x509_verify_results.chain.pem", |
| 602 X509Certificate::FORMAT_AUTO); | 726 X509Certificate::FORMAT_AUTO); |
| (...skipping 470 matching lines...) | |
| 1073 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1197 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1074 #else | 1198 #else |
| 1075 #define MAYBE_VerifyMixed VerifyMixed | 1199 #define MAYBE_VerifyMixed VerifyMixed |
| 1076 #endif | 1200 #endif |
| 1077 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1201 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1078 MAYBE_VerifyMixed, | 1202 MAYBE_VerifyMixed, |
| 1079 CertVerifyProcWeakDigestTest, | 1203 CertVerifyProcWeakDigestTest, |
| 1080 testing::ValuesIn(kVerifyMixedTestData)); | 1204 testing::ValuesIn(kVerifyMixedTestData)); |
| 1081 | 1205 |
| 1082 } // namespace net | 1206 } // namespace net |
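Review bot: The added test at new lines 634–715 is named `IntranetHostsRejected`, but every case asserts `EXPECT_EQ(OK, error)` and only inspects the `CERT_STATUS_NON_UNIQUE_NAME` bit, so nothing is actually rejected. A name such as `TEST_F(CertVerifyProcTest, IntranetHostsFlagged)` would stop a reader from assuming that verification fails for non-unique names issued by a known root. The same `verify_result` is also passed to all eleven `Verify()` calls, so the `EXPECT_FALSE` cases are only meaningful if `Verify()` clears `cert_status` on entry, which is not visible in this section. A comment above the declaration, for example `// Reused across calls; relies on Verify() resetting |verify_result| each time.`, would record that dependency, or each group could use a fresh `CertVerifyResult`.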