Index: net/cert/cert_verify_proc_unittest.cc |
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc |
index c1722d5d69c1a4f04141fad2dec463f9059632ab..f1ea7874e10b2869857371d35569e99b1cc21e37 100644 |
--- a/net/cert/cert_verify_proc_unittest.cc |
+++ b/net/cert/cert_verify_proc_unittest.cc |
@@ -43,6 +43,45 @@ unsigned char paypal_null_fingerprint[] = { |
0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 |
}; |
+// Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root| |
+// for all certificates that are Verified. |
+class WellKnownCaCertVerifyProc : public CertVerifyProc { |
+ public: |
+ // Initialize a CertVerifyProc that will set |
+ // |verify_result->is_issued_by_known_root| to |is_well_known|. |
+ explicit WellKnownCaCertVerifyProc(bool is_well_known) |
+ : is_well_known_(is_well_known) {} |
+ |
+ // CertVerifyProc implementation: |
+ virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; } |
+ |
+ protected: |
+ virtual ~WellKnownCaCertVerifyProc() {} |
+ |
+ private: |
+ virtual int VerifyInternal(X509Certificate* cert, |
+ const std::string& hostname, |
+ int flags, |
+ CRLSet* crl_set, |
+ const CertificateList& additional_trust_anchors, |
+ CertVerifyResult* verify_result) OVERRIDE; |
+ |
+ bool is_well_known_; |
agl
2013/05/16 16:33:29
nit: const
|
+ |
+ DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc); |
+}; |
+ |
+int WellKnownCaCertVerifyProc::VerifyInternal( |
+ X509Certificate* cert, |
+ const std::string& hostname, |
+ int flags, |
+ CRLSet* crl_set, |
+ const CertificateList& additional_trust_anchors, |
+ CertVerifyResult* verify_result) { |
+ verify_result->is_issued_by_known_root = is_well_known_; |
+ return OK; |
+} |
+ |
} // namespace |
class CertVerifyProcTest : public testing::Test { |
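Review bot: The class comment on WellKnownCaCertVerifyProc says it acts on certificates "that are Verified", but VerifyInternal returns `OK` without looking at `cert`, `hostname` or `flags`, and writes only `is_issued_by_known_root`. I would state that in the comment, for example `// Test-only: performs no chain or name validation; VerifyInternal() always returns OK.`, so the mock is not reused where real verification results are expected. Whether the caller initialises the remaining fields of `verify_result` is not visible in this hunk.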
@@ -68,8 +107,6 @@ class CertVerifyProcTest : public testing::Test { |
} |
const CertificateList empty_cert_list_; |
- |
- private: |
scoped_refptr<CertVerifyProc> verify_proc_; |
}; |
@@ -590,6 +627,93 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) { |
certs[2]->os_cert_handle())); |
} |
+// Test that certificates issued for 'intranet' names (that is, containing no |
+// known public registry controlled domain information) issued by well-known |
+// CAs are flagged appropriately, while certificates that are issued by |
+// internal CAs are not flagged. |
+TEST_F(CertVerifyProcTest, IntranetHostsRejected) { |
+ CertificateList cert_list = CreateCertificateListFromFile( |
+ GetTestCertsDirectory(), "ok_cert.pem", |
+ X509Certificate::FORMAT_AUTO); |
+ ASSERT_EQ(1U, cert_list.size()); |
+ scoped_refptr<X509Certificate> cert(cert_list[0]); |
+ |
+ CertVerifyResult verify_result; |
+ int error = 0; |
+ |
+ // Intranet names for public CAs should be flagged: |
+ verify_proc_ = new WellKnownCaCertVerifyProc(true); |
+ |
+ // ... when there is no dot present |
+ error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // ... even when they have a trailing dot |
+ error = Verify(cert, "intranet.", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // ... or multiple name components |
+ error = Verify(cert, "domain.example", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // ... or >= 2 name components. |
+ error = Verify(cert, "intranet.domain.example", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // However, public suffixes should not be flagged: |
+ // gTLD |
+ error = Verify(cert, "intranet.example.com", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // ccTLD |
+ error = Verify(cert, "intranet.example.co.uk", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // "private" registry controlled domain |
+ error = Verify(cert, "intranet.appspot.com", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // However, if the CA is not well known, none of these should be flagged: |
+ verify_proc_ = new WellKnownCaCertVerifyProc(false); |
+ // ... when there is no dot present |
+ error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // ... even when they have a trailing dot |
+ error = Verify(cert, "intranet.", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // ... or multiple name components |
+ error = Verify(cert, "domain.example", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+ |
+ // ... or >= 2 name components. |
+ error = Verify(cert, "intranet.domain.example", 0, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(OK, error); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
+} |
+ |
// Test that the certificate returned in CertVerifyResult is able to reorder |
// certificates that are not ordered from end-entity to root. While this is |
// a protocol violation if sent during a TLS handshake, if multiple sources |
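Review bot: IntranetHostsRejected reuses one `verify_result` across all eleven Verify() calls, so each `EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME)` after the first could pass on a stale bit if Verify() does not clear `cert_status` before running; that reset is not visible in this hunk. Giving each case its own result, e.g. a `{ CertVerifyResult verify_result; ... }` scope around each call or a loop over `{hostname, expected}` pairs, keeps the assertions independent of each other. The test name also says "Rejected" although every case expects `OK` plus a status bit, so a name such as `IntranetHostsFlagged` would match what is asserted. The two comments `// ... or multiple name components` and `// ... or >= 2 name components.` describe the same condition and could be told apart by naming the component count of each hostname.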