| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 199 // Either the system crypto library should correctly report a certificate | 199 // Either the system crypto library should correctly report a certificate |
| 200 // name mismatch, or our certificate blacklist should cause us to report an | 200 // name mismatch, or our certificate blacklist should cause us to report an |
| 201 // invalid certificate. | 201 // invalid certificate. |
| 202 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS) | 202 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS) |
| 203 EXPECT_TRUE(verify_result.cert_status & | 203 EXPECT_TRUE(verify_result.cert_status & |
| 204 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); | 204 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); |
| 205 #endif | 205 #endif |
| 206 } | 206 } |
| 207 | 207 |
| 208 // A regression test for http://crbug.com/31497. | 208 // A regression test for http://crbug.com/31497. |
| 209 // This certificate will expire on 2012-04-08. The test will still | 209 #if defined(OS_ANDROID) |
| 210 // pass if error == ERR_CERT_DATE_INVALID. TODO(wtc): generate test | 210 // Disabled on Android, as the Android verification libraries require an |
| 211 // certificates for this unit test. http://crbug.com/111742 | 211 // explicit policy to be specified, even when anyPolicy is permitted. |
| 212 TEST_F(CertVerifyProcTest, IntermediateCARequireExplicitPolicy) { | 212 #define MAYBE_IntermediateCARequireExplicitPolicy \ |
| 213 DISABLED_IntermediateCARequireExplicitPolicy |
| 214 #else |
| 215 #define MAYBE_IntermediateCARequireExplicitPolicy \ |
| 216 IntermediateCARequireExplicitPolicy |
| 217 #endif |
| 218 TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) { |
| 213 base::FilePath certs_dir = GetTestCertsDirectory(); | 219 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 214 | 220 |
| 215 scoped_refptr<X509Certificate> server_cert = | 221 CertificateList certs = CreateCertificateListFromFile( |
| 216 ImportCertFromFile(certs_dir, "www_us_army_mil_cert.der"); | 222 certs_dir, "explicit-policy-chain.pem", |
| 217 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 223 X509Certificate::FORMAT_AUTO); |
| 218 | 224 ASSERT_EQ(3U, certs.size()); |
| 219 // The intermediate CA certificate's policyConstraints extension has a | |
| 220 // requireExplicitPolicy field with SkipCerts=0. | |
| 221 scoped_refptr<X509Certificate> intermediate_cert = | |
| 222 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | |
| 223 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | |
| 224 | |
| 225 scoped_refptr<X509Certificate> root_cert = | |
| 226 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | |
| 227 ScopedTestRoot scoped_root(root_cert.get()); | |
| 228 | 225 |
| 229 X509Certificate::OSCertHandles intermediates; | 226 X509Certificate::OSCertHandles intermediates; |
| 230 intermediates.push_back(intermediate_cert->os_cert_handle()); | 227 intermediates.push_back(certs[1]->os_cert_handle()); |
| 231 scoped_refptr<X509Certificate> cert_chain = | 228 |
| 232 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 229 scoped_refptr<X509Certificate> cert = |
| 230 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 233 intermediates); | 231 intermediates); |
| 232 ASSERT_TRUE(cert.get()); |
| 233 |
| 234 ScopedTestRoot scoped_root(certs[2].get()); |
| 234 | 235 |
| 235 int flags = 0; | 236 int flags = 0; |
| 236 CertVerifyResult verify_result; | 237 CertVerifyResult verify_result; |
| 237 int error = Verify(cert_chain.get(), | 238 int error = Verify(cert.get(), |
| 238 "www.us.army.mil", | 239 "policy_test.example", |
| 239 flags, | 240 flags, |
| 240 NULL, | 241 NULL, |
| 241 empty_cert_list_, | 242 empty_cert_list_, |
| 242 &verify_result); | 243 &verify_result); |
| 243 if (error == OK) { | 244 EXPECT_EQ(OK, error); |
| 244 EXPECT_EQ(0U, verify_result.cert_status); | 245 EXPECT_EQ(0u, verify_result.cert_status); |
| 245 } else { | |
| 246 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | |
| 247 EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status); | |
| 248 } | |
| 249 } | 246 } |
| 250 | 247 |
| 251 | 248 |
| 252 // Test for bug 58437. | 249 // Test for bug 58437. |
| 253 // This certificate will expire on 2011-12-21. The test will still | 250 // This certificate will expire on 2011-12-21. The test will still |
| 254 // pass if error == ERR_CERT_DATE_INVALID. | 251 // pass if error == ERR_CERT_DATE_INVALID. |
| 255 // This test is DISABLED because it appears that we cannot do | 252 // This test is DISABLED because it appears that we cannot do |
| 256 // certificate revocation checking when running all of the net unit tests. | 253 // certificate revocation checking when running all of the net unit tests. |
| 257 // This test passes when run individually, but when run with all of the net | 254 // This test passes when run individually, but when run with all of the net |
| 258 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is | 255 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is |
| (...skipping 517 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 776 // Test that Verify() filters out certificates which are not related to | 773 // Test that Verify() filters out certificates which are not related to |
| 777 // or part of the certificate chain being verified. | 774 // or part of the certificate chain being verified. |
| 778 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { | 775 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { |
| 779 base::FilePath certs_dir = GetTestCertsDirectory(); | 776 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 780 CertificateList certs = CreateCertificateListFromFile( | 777 CertificateList certs = CreateCertificateListFromFile( |
| 781 certs_dir, "x509_verify_results.chain.pem", | 778 certs_dir, "x509_verify_results.chain.pem", |
| 782 X509Certificate::FORMAT_AUTO); | 779 X509Certificate::FORMAT_AUTO); |
| 783 ASSERT_EQ(3U, certs.size()); | 780 ASSERT_EQ(3U, certs.size()); |
| 784 ScopedTestRoot scoped_root(certs[2].get()); | 781 ScopedTestRoot scoped_root(certs[2].get()); |
| 785 | 782 |
| 786 scoped_refptr<X509Certificate> unrelated_dod_certificate = | 783 scoped_refptr<X509Certificate> unrelated_certificate = |
| 787 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | 784 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem"); |
| 788 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = | 785 scoped_refptr<X509Certificate> unrelated_certificate2 = |
| 789 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | 786 ImportCertFromFile(certs_dir, "aia-cert.pem"); |
| 790 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); | 787 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate); |
| 791 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); | 788 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2); |
| 792 | 789 |
| 793 // Interject unrelated certificates into the list of intermediates. | 790 // Interject unrelated certificates into the list of intermediates. |
| 794 X509Certificate::OSCertHandles intermediates; | 791 X509Certificate::OSCertHandles intermediates; |
| 795 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); | 792 intermediates.push_back(unrelated_certificate->os_cert_handle()); |
| 796 intermediates.push_back(certs[1]->os_cert_handle()); | 793 intermediates.push_back(certs[1]->os_cert_handle()); |
| 797 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); | 794 intermediates.push_back(unrelated_certificate2->os_cert_handle()); |
| 798 intermediates.push_back(certs[2]->os_cert_handle()); | 795 intermediates.push_back(certs[2]->os_cert_handle()); |
| 799 | 796 |
| 800 scoped_refptr<X509Certificate> google_full_chain = | 797 scoped_refptr<X509Certificate> google_full_chain = |
| 801 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 798 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 802 intermediates); | 799 intermediates); |
| 803 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 800 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 804 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); | 801 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); |
| 805 | 802 |
| 806 CertVerifyResult verify_result; | 803 CertVerifyResult verify_result; |
| 807 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 804 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| (...skipping 613 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1421 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { | 1418 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { |
| 1422 const NonUniqueNameTestData& test_data = GetParam(); | 1419 const NonUniqueNameTestData& test_data = GetParam(); |
| 1423 | 1420 |
| 1424 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); | 1421 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); |
| 1425 } | 1422 } |
| 1426 | 1423 |
| 1427 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, | 1424 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, |
| 1428 testing::ValuesIn(kNonUniqueNameTestData)); | 1425 testing::ValuesIn(kNonUniqueNameTestData)); |
| 1429 | 1426 |
| 1430 } // namespace net | 1427 } // namespace net |
| OLD | NEW |