| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 1150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1161 int flags = 0; | 1161 int flags = 0; |
| 1162 CertVerifyResult verify_result; | 1162 CertVerifyResult verify_result; |
| 1163 int error = Verify( | 1163 int error = Verify( |
| 1164 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); | 1164 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
| 1165 EXPECT_EQ(OK, error); | 1165 EXPECT_EQ(OK, error); |
| 1166 EXPECT_EQ(0U, verify_result.cert_status); | 1166 EXPECT_EQ(0U, verify_result.cert_status); |
| 1167 // But should not be marked as a known root. | 1167 // But should not be marked as a known root. |
| 1168 EXPECT_FALSE(verify_result.is_issued_by_known_root); | 1168 EXPECT_FALSE(verify_result.is_issued_by_known_root); |
| 1169 } | 1169 } |
| 1170 | 1170 |
| 1171 #if defined(OS_MACOSX) && !defined(OS_IOS) | |
| 1172 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust | |
| 1173 // Root can be successfully worked around once Apple completes removing the | |
| 1174 // older GTE CyberTrust Root from its trusted root store. | |
| 1175 // | |
| 1176 // The issue is caused by servers supplying the cross-certified intermediate | |
| 1177 // (necessary for certain mobile platforms), which OS X does not recognize | |
| 1178 // as already existing within its trust store. | |
| 1179 TEST_F(CertVerifyProcTest, DISABLED_CybertrustGTERoot) { | |
| 1180 CertificateList certs = CreateCertificateListFromFile( | |
| 1181 GetTestCertsDirectory(), | |
| 1182 "cybertrust_omniroot_chain.pem", | |
| 1183 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | |
| 1184 ASSERT_EQ(2U, certs.size()); | |
| 1185 | |
| 1186 X509Certificate::OSCertHandles intermediates; | |
| 1187 intermediates.push_back(certs[1]->os_cert_handle()); | |
| 1188 | |
| 1189 scoped_refptr<X509Certificate> cybertrust_basic = | |
| 1190 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | |
| 1191 intermediates); | |
| 1192 ASSERT_TRUE(cybertrust_basic.get()); | |
| 1193 | |
| 1194 scoped_refptr<X509Certificate> baltimore_root = | |
| 1195 ImportCertFromFile(GetTestCertsDirectory(), | |
| 1196 "cybertrust_baltimore_root.pem"); | |
| 1197 ASSERT_TRUE(baltimore_root.get()); | |
| 1198 | |
| 1199 ScopedTestRoot scoped_root(baltimore_root.get()); | |
| 1200 | |
| 1201 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This | |
| 1202 // simulates Keychain removing support for the GTE CyberTrust Root. | |
| 1203 TestRootCerts::GetInstance()->SetAllowSystemTrust(false); | |
| 1204 base::ScopedClosureRunner reset_system_trust( | |
| 1205 base::Bind(&TestRootCerts::SetAllowSystemTrust, | |
| 1206 base::Unretained(TestRootCerts::GetInstance()), | |
| 1207 true)); | |
| 1208 | |
| 1209 // First, make sure a simple certificate chain from | |
| 1210 // EE -> Public SureServer SV -> Baltimore CyberTrust | |
| 1211 // works. Only the first two certificates are included in the chain. | |
| 1212 int flags = 0; | |
| 1213 CertVerifyResult verify_result; | |
| 1214 int error = Verify(cybertrust_basic.get(), | |
| 1215 "cacert.omniroot.com", | |
| 1216 flags, | |
| 1217 NULL, | |
| 1218 empty_cert_list_, | |
| 1219 &verify_result); | |
| 1220 EXPECT_EQ(OK, error); | |
| 1221 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
| 1222 | |
| 1223 // Attempt to verify with the first known cross-certified intermediate | |
| 1224 // provided. | |
| 1225 scoped_refptr<X509Certificate> baltimore_intermediate_1 = | |
| 1226 ImportCertFromFile(GetTestCertsDirectory(), | |
| 1227 "cybertrust_baltimore_cross_certified_1.pem"); | |
| 1228 ASSERT_TRUE(baltimore_intermediate_1.get()); | |
| 1229 | |
| 1230 X509Certificate::OSCertHandles intermediate_chain_1 = | |
| 1231 cybertrust_basic->GetIntermediateCertificates(); | |
| 1232 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle()); | |
| 1233 | |
| 1234 scoped_refptr<X509Certificate> baltimore_chain_1 = | |
| 1235 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), | |
| 1236 intermediate_chain_1); | |
| 1237 error = Verify(baltimore_chain_1.get(), | |
| 1238 "cacert.omniroot.com", | |
| 1239 flags, | |
| 1240 NULL, | |
| 1241 empty_cert_list_, | |
| 1242 &verify_result); | |
| 1243 EXPECT_EQ(OK, error); | |
| 1244 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
| 1245 | |
| 1246 // Attempt to verify with the second known cross-certified intermediate | |
| 1247 // provided. | |
| 1248 scoped_refptr<X509Certificate> baltimore_intermediate_2 = | |
| 1249 ImportCertFromFile(GetTestCertsDirectory(), | |
| 1250 "cybertrust_baltimore_cross_certified_2.pem"); | |
| 1251 ASSERT_TRUE(baltimore_intermediate_2.get()); | |
| 1252 | |
| 1253 X509Certificate::OSCertHandles intermediate_chain_2 = | |
| 1254 cybertrust_basic->GetIntermediateCertificates(); | |
| 1255 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle()); | |
| 1256 | |
| 1257 scoped_refptr<X509Certificate> baltimore_chain_2 = | |
| 1258 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), | |
| 1259 intermediate_chain_2); | |
| 1260 error = Verify(baltimore_chain_2.get(), | |
| 1261 "cacert.omniroot.com", | |
| 1262 flags, | |
| 1263 NULL, | |
| 1264 empty_cert_list_, | |
| 1265 &verify_result); | |
| 1266 EXPECT_EQ(OK, error); | |
| 1267 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
| 1268 | |
| 1269 // Attempt to verify when both a cross-certified intermediate AND | |
| 1270 // the legacy GTE root are provided. | |
| 1271 scoped_refptr<X509Certificate> cybertrust_root = | |
| 1272 ImportCertFromFile(GetTestCertsDirectory(), | |
| 1273 "cybertrust_gte_root.pem"); | |
| 1274 ASSERT_TRUE(cybertrust_root.get()); | |
| 1275 | |
| 1276 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle()); | |
| 1277 scoped_refptr<X509Certificate> baltimore_chain_with_root = | |
| 1278 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), | |
| 1279 intermediate_chain_2); | |
| 1280 error = Verify(baltimore_chain_with_root.get(), | |
| 1281 "cacert.omniroot.com", | |
| 1282 flags, | |
| 1283 NULL, | |
| 1284 empty_cert_list_, | |
| 1285 &verify_result); | |
| 1286 EXPECT_EQ(OK, error); | |
| 1287 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
| 1288 | |
| 1289 TestRootCerts::GetInstance()->Clear(); | |
| 1290 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty()); | |
| 1291 } | |
| 1292 #endif | |
| 1293 | |
| 1294 #if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_WIN) || \ | 1171 #if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_WIN) || \ |
| 1295 defined(OS_MACOSX) | 1172 defined(OS_MACOSX) |
| 1296 // Test that CRLSets are effective in making a certificate appear to be | 1173 // Test that CRLSets are effective in making a certificate appear to be |
| 1297 // revoked. | 1174 // revoked. |
| 1298 TEST_F(CertVerifyProcTest, CRLSet) { | 1175 TEST_F(CertVerifyProcTest, CRLSet) { |
| 1299 CertificateList ca_cert_list = | 1176 CertificateList ca_cert_list = |
| 1300 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1177 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 1301 "root_ca_cert.pem", | 1178 "root_ca_cert.pem", |
| 1302 X509Certificate::FORMAT_AUTO); | 1179 X509Certificate::FORMAT_AUTO); |
| 1303 ASSERT_EQ(1U, ca_cert_list.size()); | 1180 ASSERT_EQ(1U, ca_cert_list.size()); |
| (...skipping 649 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1953 int flags = 0; | 1830 int flags = 0; |
| 1954 CertVerifyResult verify_result; | 1831 CertVerifyResult verify_result; |
| 1955 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1832 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1956 &verify_result); | 1833 &verify_result); |
| 1957 EXPECT_EQ(ERR_CERT_INVALID, error); | 1834 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 1958 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); | 1835 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); |
| 1959 } | 1836 } |
| 1960 #endif // defined(OS_MACOSX) && !defined(OS_IOS) | 1837 #endif // defined(OS_MACOSX) && !defined(OS_IOS) |
| 1961 | 1838 |
| 1962 } // namespace net | 1839 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1751733002:
Remove CertVerifyProcTest.CybertrustGTERoot unit test (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master