OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
(...skipping 25 matching lines...) | |
36 | 36 |
37 namespace { | 37 namespace { |
38 | 38 |
39 // A certificate for www.paypal.com with a NULL byte in the common name. | 39 // A certificate for www.paypal.com with a NULL byte in the common name. |
40 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 | 40 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 |
41 unsigned char paypal_null_fingerprint[] = { | 41 unsigned char paypal_null_fingerprint[] = { |
42 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba, | 42 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba, |
43 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 | 43 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 |
44 }; | 44 }; |
45 | 45 |
46 // Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root| | |
47 // for all certificates that are Verified. | |
48 class WellKnownCaCertVerifyProc : public CertVerifyProc { | |
49 public: | |
50 // Initialize a CertVerifyProc that will set | |
51 // |verify_result->is_issued_by_known_root| to |is_well_known|. | |
52 explicit WellKnownCaCertVerifyProc(bool is_well_known) | |
53 : is_well_known_(is_well_known) {} | |
54 | |
55 // CertVerifyProc implementation: | |
56 virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; } | |
57 | |
58 protected: | |
59 virtual ~WellKnownCaCertVerifyProc() {} | |
60 | |
61 private: | |
62 virtual int VerifyInternal(X509Certificate* cert, | |
63 const std::string& hostname, | |
64 int flags, | |
65 CRLSet* crl_set, | |
66 const CertificateList& additional_trust_anchors, | |
67 CertVerifyResult* verify_result) OVERRIDE; | |
68 | |
69 bool is_well_known_; | |
agl
2013/05/16 16:33:29
nit: const
| |
70 | |
71 DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc); | |
72 }; | |
73 | |
74 int WellKnownCaCertVerifyProc::VerifyInternal( | |
75 X509Certificate* cert, | |
76 const std::string& hostname, | |
77 int flags, | |
78 CRLSet* crl_set, | |
79 const CertificateList& additional_trust_anchors, | |
80 CertVerifyResult* verify_result) { | |
81 verify_result->is_issued_by_known_root = is_well_known_; | |
82 return OK; | |
83 } | |
84 | |
46 } // namespace | 85 } // namespace |
47 | 86 |
48 class CertVerifyProcTest : public testing::Test { | 87 class CertVerifyProcTest : public testing::Test { |
49 public: | 88 public: |
50 CertVerifyProcTest() | 89 CertVerifyProcTest() |
51 : verify_proc_(CertVerifyProc::CreateDefault()) { | 90 : verify_proc_(CertVerifyProc::CreateDefault()) { |
52 } | 91 } |
53 virtual ~CertVerifyProcTest() {} | 92 virtual ~CertVerifyProcTest() {} |
54 | 93 |
55 protected: | 94 protected: |
56 bool SupportsAdditionalTrustAnchors() { | 95 bool SupportsAdditionalTrustAnchors() { |
57 return verify_proc_->SupportsAdditionalTrustAnchors(); | 96 return verify_proc_->SupportsAdditionalTrustAnchors(); |
58 } | 97 } |
59 | 98 |
60 int Verify(X509Certificate* cert, | 99 int Verify(X509Certificate* cert, |
61 const std::string& hostname, | 100 const std::string& hostname, |
62 int flags, | 101 int flags, |
63 CRLSet* crl_set, | 102 CRLSet* crl_set, |
64 const CertificateList& additional_trust_anchors, | 103 const CertificateList& additional_trust_anchors, |
65 CertVerifyResult* verify_result) { | 104 CertVerifyResult* verify_result) { |
66 return verify_proc_->Verify(cert, hostname, flags, crl_set, | 105 return verify_proc_->Verify(cert, hostname, flags, crl_set, |
67 additional_trust_anchors, verify_result); | 106 additional_trust_anchors, verify_result); |
68 } | 107 } |
69 | 108 |
70 const CertificateList empty_cert_list_; | 109 const CertificateList empty_cert_list_; |
71 | |
72 private: | |
73 scoped_refptr<CertVerifyProc> verify_proc_; | 110 scoped_refptr<CertVerifyProc> verify_proc_; |
74 }; | 111 }; |
75 | 112 |
76 TEST_F(CertVerifyProcTest, WithoutRevocationChecking) { | 113 TEST_F(CertVerifyProcTest, WithoutRevocationChecking) { |
77 // Check that verification without revocation checking works. | 114 // Check that verification without revocation checking works. |
78 CertificateList certs = CreateCertificateListFromFile( | 115 CertificateList certs = CreateCertificateListFromFile( |
79 GetTestCertsDirectory(), | 116 GetTestCertsDirectory(), |
80 "googlenew.chain.pem", | 117 "googlenew.chain.pem", |
81 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 118 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
82 | 119 |
(...skipping 500 matching lines...) | |
583 verify_result.verified_cert->os_cert_handle())); | 620 verify_result.verified_cert->os_cert_handle())); |
584 const X509Certificate::OSCertHandles& return_intermediates = | 621 const X509Certificate::OSCertHandles& return_intermediates = |
585 verify_result.verified_cert->GetIntermediateCertificates(); | 622 verify_result.verified_cert->GetIntermediateCertificates(); |
586 ASSERT_EQ(2U, return_intermediates.size()); | 623 ASSERT_EQ(2U, return_intermediates.size()); |
587 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], | 624 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
588 certs[1]->os_cert_handle())); | 625 certs[1]->os_cert_handle())); |
589 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], | 626 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
590 certs[2]->os_cert_handle())); | 627 certs[2]->os_cert_handle())); |
591 } | 628 } |
592 | 629 |
630 // Test that certificates issued for 'intranet' names (that is, containing no | |
631 // known public registry controlled domain information) issued by well-known | |
632 // CAs are flagged appropriately, while certificates that are issued by | |
633 // internal CAs are not flagged. | |
634 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { | |
635 CertificateList cert_list = CreateCertificateListFromFile( | |
636 GetTestCertsDirectory(), "ok_cert.pem", | |
637 X509Certificate::FORMAT_AUTO); | |
638 ASSERT_EQ(1U, cert_list.size()); | |
639 scoped_refptr<X509Certificate> cert(cert_list[0]); | |
640 | |
641 CertVerifyResult verify_result; | |
642 int error = 0; | |
643 | |
644 // Intranet names for public CAs should be flagged: | |
645 verify_proc_ = new WellKnownCaCertVerifyProc(true); | |
646 | |
647 // ... when there is no dot present | |
648 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | |
649 &verify_result); | |
650 EXPECT_EQ(OK, error); | |
651 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
652 | |
653 // ... even when they have a trailing dot | |
654 error = Verify(cert, "intranet.", 0, NULL, empty_cert_list_, | |
655 &verify_result); | |
656 EXPECT_EQ(OK, error); | |
657 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
658 | |
659 // ... or multiple name components | |
660 error = Verify(cert, "domain.example", 0, NULL, empty_cert_list_, | |
661 &verify_result); | |
662 EXPECT_EQ(OK, error); | |
663 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
664 | |
665 // ... or >= 2 name components. | |
666 error = Verify(cert, "intranet.domain.example", 0, NULL, empty_cert_list_, | |
667 &verify_result); | |
668 EXPECT_EQ(OK, error); | |
669 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
670 | |
671 // However, public suffixes should not be flagged: | |
672 // gTLD | |
673 error = Verify(cert, "intranet.example.com", 0, NULL, empty_cert_list_, | |
674 &verify_result); | |
675 EXPECT_EQ(OK, error); | |
676 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
677 | |
678 // ccTLD | |
679 error = Verify(cert, "intranet.example.co.uk", 0, NULL, empty_cert_list_, | |
680 &verify_result); | |
681 EXPECT_EQ(OK, error); | |
682 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
683 | |
684 // "private" registry controlled domain | |
685 error = Verify(cert, "intranet.appspot.com", 0, NULL, empty_cert_list_, | |
686 &verify_result); | |
687 EXPECT_EQ(OK, error); | |
688 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
689 | |
690 // However, if the CA is not well known, none of these should be flagged: | |
691 verify_proc_ = new WellKnownCaCertVerifyProc(false); | |
692 // ... when there is no dot present | |
693 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | |
694 &verify_result); | |
695 EXPECT_EQ(OK, error); | |
696 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
697 | |
698 // ... even when they have a trailing dot | |
699 error = Verify(cert, "intranet.", 0, NULL, empty_cert_list_, | |
700 &verify_result); | |
701 EXPECT_EQ(OK, error); | |
702 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
703 | |
704 // ... or multiple name components | |
705 error = Verify(cert, "domain.example", 0, NULL, empty_cert_list_, | |
706 &verify_result); | |
707 EXPECT_EQ(OK, error); | |
708 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
709 | |
710 // ... or >= 2 name components. | |
711 error = Verify(cert, "intranet.domain.example", 0, NULL, empty_cert_list_, | |
712 &verify_result); | |
713 EXPECT_EQ(OK, error); | |
714 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | |
715 } | |
716 | |
593 // Test that the certificate returned in CertVerifyResult is able to reorder | 717 // Test that the certificate returned in CertVerifyResult is able to reorder |
594 // certificates that are not ordered from end-entity to root. While this is | 718 // certificates that are not ordered from end-entity to root. While this is |
595 // a protocol violation if sent during a TLS handshake, if multiple sources | 719 // a protocol violation if sent during a TLS handshake, if multiple sources |
596 // of intermediate certificates are combined, it's possible that order may | 720 // of intermediate certificates are combined, it's possible that order may |
597 // not be maintained. | 721 // not be maintained. |
598 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { | 722 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { |
599 base::FilePath certs_dir = GetTestCertsDirectory(); | 723 base::FilePath certs_dir = GetTestCertsDirectory(); |
600 CertificateList certs = CreateCertificateListFromFile( | 724 CertificateList certs = CreateCertificateListFromFile( |
601 certs_dir, "x509_verify_results.chain.pem", | 725 certs_dir, "x509_verify_results.chain.pem", |
602 X509Certificate::FORMAT_AUTO); | 726 X509Certificate::FORMAT_AUTO); |
(...skipping 470 matching lines...) | |
1073 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1197 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
1074 #else | 1198 #else |
1075 #define MAYBE_VerifyMixed VerifyMixed | 1199 #define MAYBE_VerifyMixed VerifyMixed |
1076 #endif | 1200 #endif |
1077 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1201 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1078 MAYBE_VerifyMixed, | 1202 MAYBE_VerifyMixed, |
1079 CertVerifyProcWeakDigestTest, | 1203 CertVerifyProcWeakDigestTest, |
1080 testing::ValuesIn(kVerifyMixedTestData)); | 1204 testing::ValuesIn(kVerifyMixedTestData)); |
1081 | 1205 |
1082 } // namespace net | 1206 } // namespace net |
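Review bot: The name `IntranetHostsRejected` does not match what the new test asserts: every case expects `OK` from `Verify()` and only checks whether `CERT_STATUS_NON_UNIQUE_NAME` is set, so the hosts are flagged rather than rejected. A name such as `TEST_F(CertVerifyProcTest, IntranetHostsFlagged) {` would keep a reader from assuming verification fails for these names. The single `verify_result` is reused for every call, so each `EXPECT_FALSE` that follows a flagged case passes only if `Verify()` clears `cert_status` on entry, which is not visible on this page. A comment such as `// Verify() resets |verify_result| before each run.` (if that holds), or a fresh `CertVerifyResult` per case, would make that dependency explicit. The comments `// ... or multiple name components` and `// ... or >= 2 name components.` describe `domain.example` and `intranet.domain.example` in the same terms and could say what distinguishes the two cases.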