| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 200 // Either the system crypto library should correctly report a certificate | 200 // Either the system crypto library should correctly report a certificate |
| 201 // name mismatch, or our certificate blacklist should cause us to report an | 201 // name mismatch, or our certificate blacklist should cause us to report an |
| 202 // invalid certificate. | 202 // invalid certificate. |
| 203 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS) | 203 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS) |
| 204 EXPECT_TRUE(verify_result.cert_status & | 204 EXPECT_TRUE(verify_result.cert_status & |
| 205 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); | 205 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); |
| 206 #endif | 206 #endif |
| 207 } | 207 } |
| 208 | 208 |
| 209 // A regression test for http://crbug.com/31497. | 209 // A regression test for http://crbug.com/31497. |
| 210 // This certificate will expire on 2012-04-08. The test will still | |
| 211 // pass if error == ERR_CERT_DATE_INVALID. TODO(wtc): generate test | |
| 212 // certificates for this unit test. http://crbug.com/111742 | |
| 213 TEST_F(CertVerifyProcTest, IntermediateCARequireExplicitPolicy) { | 210 TEST_F(CertVerifyProcTest, IntermediateCARequireExplicitPolicy) { |
| 214 base::FilePath certs_dir = GetTestCertsDirectory(); | 211 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 215 | 212 |
| 216 scoped_refptr<X509Certificate> server_cert = | 213 CertificateList certs = CreateCertificateListFromFile( |
| 217 ImportCertFromFile(certs_dir, "www_us_army_mil_cert.der"); | 214 certs_dir, "explicit-policy-chain.pem", |
| 218 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 215 X509Certificate::FORMAT_AUTO); |
| 219 | 216 ASSERT_EQ(3U, certs.size()); |
| 220 // The intermediate CA certificate's policyConstraints extension has a | |
| 221 // requireExplicitPolicy field with SkipCerts=0. | |
| 222 scoped_refptr<X509Certificate> intermediate_cert = | |
| 223 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | |
| 224 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | |
| 225 | |
| 226 scoped_refptr<X509Certificate> root_cert = | |
| 227 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | |
| 228 ScopedTestRoot scoped_root(root_cert.get()); | |
| 229 | 217 |
| 230 X509Certificate::OSCertHandles intermediates; | 218 X509Certificate::OSCertHandles intermediates; |
| 231 intermediates.push_back(intermediate_cert->os_cert_handle()); | 219 intermediates.push_back(certs[1]->os_cert_handle()); |
| 232 scoped_refptr<X509Certificate> cert_chain = | 220 |
| 233 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 221 scoped_refptr<X509Certificate> cert = |
| 222 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | |
| 234 intermediates); | 223 intermediates); |
| 224 ASSERT_TRUE(cert.get()); | |
| 225 | |
| 226 ScopedTestRoot scoped_root(certs[2].get()); | |
| 235 | 227 |
| 236 int flags = 0; | 228 int flags = 0; |
| 237 CertVerifyResult verify_result; | 229 CertVerifyResult verify_result; |
| 238 int error = Verify(cert_chain.get(), | 230 int error = Verify(cert.get(), |
| 239 "www.us.army.mil", | 231 "policy_test.example", |
| 240 flags, | 232 flags, |
| 241 NULL, | 233 NULL, |
| 242 empty_cert_list_, | 234 empty_cert_list_, |
| 243 &verify_result); | 235 &verify_result); |
| 244 if (error == OK) { | 236 EXPECT_EQ(OK, error); |
| 245 EXPECT_EQ(0U, verify_result.cert_status); | 237 EXPECT_EQ(0u, verify_result.cert_status); |
| 246 } else { | |
| 247 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | |
| 248 EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status); | |
| 249 } | |
| 250 } | 238 } |
| 251 | 239 |
| 252 | 240 |
| 253 // Test for bug 58437. | 241 // Test for bug 58437. |
| 254 // This certificate will expire on 2011-12-21. The test will still | 242 // This certificate will expire on 2011-12-21. The test will still |
| 255 // pass if error == ERR_CERT_DATE_INVALID. | 243 // pass if error == ERR_CERT_DATE_INVALID. |
| 256 // This test is DISABLED because it appears that we cannot do | 244 // This test is DISABLED because it appears that we cannot do |
| 257 // certificate revocation checking when running all of the net unit tests. | 245 // certificate revocation checking when running all of the net unit tests. |
| 258 // This test passes when run individually, but when run with all of the net | 246 // This test passes when run individually, but when run with all of the net |
| 259 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is | 247 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is |
| 760 // Test that Verify() filters out certificates which are not related to | 748 // Test that Verify() filters out certificates which are not related to |
| 761 // or part of the certificate chain being verified. | 749 // or part of the certificate chain being verified. |
| 762 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { | 750 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { |
| 763 base::FilePath certs_dir = GetTestCertsDirectory(); | 751 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 764 CertificateList certs = CreateCertificateListFromFile( | 752 CertificateList certs = CreateCertificateListFromFile( |
| 765 certs_dir, "x509_verify_results.chain.pem", | 753 certs_dir, "x509_verify_results.chain.pem", |
| 766 X509Certificate::FORMAT_AUTO); | 754 X509Certificate::FORMAT_AUTO); |
| 767 ASSERT_EQ(3U, certs.size()); | 755 ASSERT_EQ(3U, certs.size()); |
| 768 ScopedTestRoot scoped_root(certs[2].get()); | 756 ScopedTestRoot scoped_root(certs[2].get()); |
| 769 | 757 |
| 770 scoped_refptr<X509Certificate> unrelated_dod_certificate = | 758 scoped_refptr<X509Certificate> unrelated_certificate = |
| 771 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | 759 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem"); |
| 772 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = | 760 scoped_refptr<X509Certificate> unrelated_certificate2 = |
| 773 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | 761 ImportCertFromFile(certs_dir, "aia-cert.pem"); |
|
wtc
2013/07/01 19:46:53
Nit: the change to this unit test is not reflected
| |
| 774 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); | 762 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate); |
| 775 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); | 763 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2); |
| 776 | 764 |
| 777 // Interject unrelated certificates into the list of intermediates. | 765 // Interject unrelated certificates into the list of intermediates. |
| 778 X509Certificate::OSCertHandles intermediates; | 766 X509Certificate::OSCertHandles intermediates; |
| 779 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); | 767 intermediates.push_back(unrelated_certificate->os_cert_handle()); |
| 780 intermediates.push_back(certs[1]->os_cert_handle()); | 768 intermediates.push_back(certs[1]->os_cert_handle()); |
| 781 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); | 769 intermediates.push_back(unrelated_certificate2->os_cert_handle()); |
| 782 intermediates.push_back(certs[2]->os_cert_handle()); | 770 intermediates.push_back(certs[2]->os_cert_handle()); |
| 783 | 771 |
| 784 scoped_refptr<X509Certificate> google_full_chain = | 772 scoped_refptr<X509Certificate> google_full_chain = |
| 785 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 773 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 786 intermediates); | 774 intermediates); |
| 787 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 775 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 788 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); | 776 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); |
| 789 | 777 |
| 790 CertVerifyResult verify_result; | 778 CertVerifyResult verify_result; |
| 791 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 779 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 1389 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { | 1377 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { |
| 1390 const NonUniqueNameTestData& test_data = GetParam(); | 1378 const NonUniqueNameTestData& test_data = GetParam(); |
| 1391 | 1379 |
| 1392 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); | 1380 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); |
| 1393 } | 1381 } |
| 1394 | 1382 |
| 1395 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, | 1383 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, |
| 1396 testing::ValuesIn(kNonUniqueNameTestData)); | 1384 testing::ValuesIn(kNonUniqueNameTestData)); |
| 1397 | 1385 |
| 1398 } // namespace net | 1386 } // namespace net |
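Review bot: In the IntermediateCARequireExplicitPolicy hunk, the comment that said why this chain exercises crbug.com/31497 was dropped together with the old DoD certificates (old lines 220–221), so the new test body no longer states what property explicit-policy-chain.pem must have for the expectation `EXPECT_EQ(OK, error)` to mean anything. The "regression test for http://crbug.com/31497" header on line 209 survives, but a reader now has to infer the intent from the file name, and whoever regenerates the chain has nothing telling them to keep the policyConstraints extension on the intermediate. If the generated intermediate keeps the same shape (the hunk does not show the certificate contents, so this needs confirming), restore the two lines above `X509Certificate::OSCertHandles intermediates;`: `// The intermediate CA certificate's policyConstraints extension has a` / `// requireExplicitPolicy field with SkipCerts=0.`, naming the generated file instead of the old one. As a style point, the same hunk introduces `ASSERT_TRUE(cert.get());` while the VerifyReturnChainFiltersUnrelatedCerts hunk and the rest of the file use `ASSERT_NE(static_cast<X509Certificate*>(NULL), ...)` for the same null check; either form is fine, but the file should use one consistently.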