
Side by Side Diff: net/cert/internal/ocsp_unittest.cc

Issue 1849773002: Adding OCSP Verification Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix scoped_ptr. Created 4 years, 7 months ago
OLDNEW
1 // Copyright 2016 The Chromium Authors. All rights reserved. 1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/parse_ocsp.h" 5 #include "net/cert/internal/ocsp.h"
6 6
7 #include "base/files/file_path.h" 7 #include "base/files/file_path.h"
8 #include "base/logging.h" 8 #include "base/logging.h"
9 #include "net/base/test_data_directory.h" 9 #include "net/base/test_data_directory.h"
10 #include "net/cert/internal/test_helpers.h" 10 #include "net/cert/internal/test_helpers.h"
11 #include "net/cert/x509_certificate.h" 11 #include "net/cert/x509_certificate.h"
12 #include "testing/gtest/include/gtest/gtest.h" 12 #include "testing/gtest/include/gtest/gtest.h"
13 13
14 namespace net { 14 namespace net {
15 15
16 namespace { 16 namespace {
17 17
18 std::string GetFilePath(const std::string& file_name) { 18 std::string GetFilePath(const std::string& file_name) {
19 return std::string("net/data/parse_ocsp_unittest/") + file_name; 19 return std::string("net/data/ocsp_unittest/") + file_name;
20 } 20 }
21 21
22 enum OCSPFailure { 22 enum OCSPFailure {
23 OCSP_SUCCESS, 23 OCSP_SUCCESS,
24 PARSE_CERT, 24 PARSE_CERT,
25 PARSE_OCSP, 25 PARSE_OCSP,
26 OCSP_NOT_SUCCESSFUL, 26 OCSP_NOT_SUCCESSFUL,
27 PARSE_OCSP_DATA, 27 PARSE_OCSP_DATA,
28 PARSE_OCSP_SINGLE_RESPONSE, 28 PARSE_OCSP_SINGLE_RESPONSE,
29 VERIFY_OCSP, 29 VERIFY_OCSP,
30 OCSP_SUCCESS_REVOKED, 30 OCSP_SUCCESS_REVOKED,
31 OCSP_SUCCESS_UNKNOWN, 31 OCSP_SUCCESS_UNKNOWN,
32 }; 32 };
33 33
34 OCSPFailure ParseOCSP(const std::string& file_name) { 34 OCSPFailure ParseOCSP(const std::string& file_name) {
eroman 2016/05/31 19:12:47 Please rename this as well, to reflect the other c
35 std::string ocsp_data; 35 std::string ocsp_data;
36 std::string ca_data; 36 std::string ca_data;
37 std::string cert_data; 37 std::string cert_data;
38 const PemBlockMapping mappings[] = { 38 const PemBlockMapping mappings[] = {
39 {"OCSP RESPONSE", &ocsp_data}, 39 {"OCSP RESPONSE", &ocsp_data},
40 {"CA CERTIFICATE", &ca_data}, 40 {"CA CERTIFICATE", &ca_data},
41 {"CERTIFICATE", &cert_data}, 41 {"CERTIFICATE", &cert_data},
42 }; 42 };
43 43
44 if (!ReadTestDataFromPemFile(GetFilePath(file_name), mappings)) 44 if (!ReadTestDataFromPemFile(GetFilePath(file_name), mappings))
(...skipping 10 matching lines...) Expand all
55 if (!ParseCertificate(cert_input, &cert)) 55 if (!ParseCertificate(cert_input, &cert))
56 return PARSE_CERT; 56 return PARSE_CERT;
57 OCSPResponse parsed_ocsp; 57 OCSPResponse parsed_ocsp;
58 OCSPResponseData parsed_ocsp_data; 58 OCSPResponseData parsed_ocsp_data;
59 if (!ParseOCSPResponse(ocsp_input, &parsed_ocsp)) 59 if (!ParseOCSPResponse(ocsp_input, &parsed_ocsp))
60 return PARSE_OCSP; 60 return PARSE_OCSP;
61 if (parsed_ocsp.status != OCSPResponse::ResponseStatus::SUCCESSFUL) 61 if (parsed_ocsp.status != OCSPResponse::ResponseStatus::SUCCESSFUL)
62 return OCSP_NOT_SUCCESSFUL; 62 return OCSP_NOT_SUCCESSFUL;
63 if (!ParseOCSPResponseData(parsed_ocsp.data, &parsed_ocsp_data)) 63 if (!ParseOCSPResponseData(parsed_ocsp.data, &parsed_ocsp_data))
64 return PARSE_OCSP_DATA; 64 return PARSE_OCSP_DATA;
65 const SimpleSignaturePolicy policy(1024);
eroman 2016/05/31 19:12:47 Do we need to allow 1024-bit RSA keys in these tes
66 if (!VerifyOCSPResponse(parsed_ocsp, issuer, policy))
67 return VERIFY_OCSP;
65 68
66 OCSPCertStatus status; 69 OCSPCertStatus status;
67 70
68 if (!GetOCSPCertStatus(parsed_ocsp_data, issuer, cert, &status)) 71 if (!GetOCSPCertStatus(parsed_ocsp_data, issuer, cert, &status))
69 return PARSE_OCSP_SINGLE_RESPONSE; 72 return PARSE_OCSP_SINGLE_RESPONSE;
70 73
71 switch (status.status) { 74 switch (status.status) {
72 case OCSPCertStatus::Status::GOOD: 75 case OCSPCertStatus::Status::GOOD:
73 return OCSP_SUCCESS; 76 return OCSP_SUCCESS;
74 case OCSPCertStatus::Status::REVOKED: 77 case OCSPCertStatus::Status::REVOKED:
75 return OCSP_SUCCESS_REVOKED; 78 return OCSP_SUCCESS_REVOKED;
76 case OCSPCertStatus::Status::UNKNOWN: 79 case OCSPCertStatus::Status::UNKNOWN:
77 return OCSP_SUCCESS_UNKNOWN; 80 return OCSP_SUCCESS_UNKNOWN;
78 } 81 }
79 82
80 return OCSP_SUCCESS_UNKNOWN; 83 return OCSP_SUCCESS_UNKNOWN;
81 } 84 }
82 85
83 } // namespace 86 } // namespace
84 87
85 TEST(ParseOCSPTest, OCSPGoodResponse) { 88 TEST(OCSPTest, OCSPGoodResponse) {
86 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("good_response.pem")); 89 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("good_response.pem"));
87 } 90 }
88 91
89 TEST(ParseOCSPTest, OCSPNoResponse) { 92 TEST(OCSPTest, OCSPNoResponse) {
90 ASSERT_EQ(PARSE_OCSP_SINGLE_RESPONSE, ParseOCSP("no_response.pem")); 93 ASSERT_EQ(PARSE_OCSP_SINGLE_RESPONSE, ParseOCSP("no_response.pem"));
91 } 94 }
92 95
93 TEST(ParseOCSPTest, OCSPMalformedStatus) { 96 TEST(OCSPTest, OCSPMalformedStatus) {
94 ASSERT_EQ(OCSP_NOT_SUCCESSFUL, ParseOCSP("malformed_status.pem")); 97 ASSERT_EQ(OCSP_NOT_SUCCESSFUL, ParseOCSP("malformed_status.pem"));
95 } 98 }
96 99
97 TEST(ParseOCSPTest, OCSPBadStatus) { 100 TEST(OCSPTest, OCSPBadStatus) {
98 ASSERT_EQ(PARSE_OCSP, ParseOCSP("bad_status.pem")); 101 ASSERT_EQ(PARSE_OCSP, ParseOCSP("bad_status.pem"));
99 } 102 }
100 103
101 TEST(ParseOCSPTest, OCSPInvalidOCSPOid) { 104 TEST(OCSPTest, OCSPInvalidOCSPOid) {
102 ASSERT_EQ(PARSE_OCSP, ParseOCSP("bad_ocsp_type.pem")); 105 ASSERT_EQ(PARSE_OCSP, ParseOCSP("bad_ocsp_type.pem"));
103 } 106 }
104 107
105 TEST(ParseOCSPTest, OCSPBadSignature) { 108 TEST(OCSPTest, OCSPBadSignature) {
106 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("bad_signature.pem")); 109 ASSERT_EQ(VERIFY_OCSP, ParseOCSP("bad_signature.pem"));
107 } 110 }
108 111
109 TEST(ParseOCSPTest, OCSPDirectSignature) { 112 TEST(OCSPTest, OCSPDirectSignature) {
110 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_sign_direct.pem")); 113 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_sign_direct.pem"));
111 } 114 }
112 115
113 TEST(ParseOCSPTest, OCSPIndirectSignature) { 116 TEST(OCSPTest, OCSPIndirectSignature) {
114 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_sign_indirect.pem")); 117 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_sign_indirect.pem"));
115 } 118 }
116 119
117 TEST(ParseOCSPTest, OCSPMissingIndirectSignature) { 120 TEST(OCSPTest, OCSPMissingIndirectSignature) {
118 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_sign_indirect_missing.pem")); 121 ASSERT_EQ(VERIFY_OCSP, ParseOCSP("ocsp_sign_indirect_missing.pem"));
119 } 122 }
120 123
121 TEST(ParseOCSPTest, OCSPInvalidSignature) { 124 TEST(OCSPTest, OCSPInvalidSignature) {
122 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_sign_bad_indirect.pem")); 125 ASSERT_EQ(VERIFY_OCSP, ParseOCSP("ocsp_sign_bad_indirect.pem"));
123 } 126 }
124 127
125 TEST(ParseOCSPTest, OCSPExtraCerts) { 128 TEST(OCSPTest, OCSPExtraCerts) {
126 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_extra_certs.pem")); 129 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("ocsp_extra_certs.pem"));
127 } 130 }
128 131
129 TEST(ParseOCSPTest, OCSPIncludesVersion) { 132 TEST(OCSPTest, OCSPIncludesVersion) {
130 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("has_version.pem")); 133 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("has_version.pem"));
131 } 134 }
132 135
133 TEST(ParseOCSPTest, OCSPResponderName) { 136 TEST(OCSPTest, OCSPResponderName) {
134 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("responder_name.pem")); 137 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("responder_name.pem"));
135 } 138 }
136 139
137 TEST(ParseOCSPTest, OCSPResponderKeyHash) { 140 TEST(OCSPTest, OCSPResponderKeyHash) {
138 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("responder_id.pem")); 141 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("responder_id.pem"));
139 } 142 }
140 143
141 TEST(ParseOCSPTest, OCSPOCSPExtension) { 144 TEST(OCSPTest, OCSPOCSPExtension) {
142 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("has_extension.pem")); 145 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("has_extension.pem"));
143 } 146 }
144 147
145 TEST(ParseOCSPTest, OCSPIncludeNextUpdate) { 148 TEST(OCSPTest, OCSPIncludeNextUpdate) {
146 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("good_response_next_update.pem")); 149 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("good_response_next_update.pem"));
147 } 150 }
148 151
149 TEST(ParseOCSPTest, OCSPRevokedResponse) { 152 TEST(OCSPTest, OCSPRevokedResponse) {
150 ASSERT_EQ(OCSP_SUCCESS_REVOKED, ParseOCSP("revoke_response.pem")); 153 ASSERT_EQ(OCSP_SUCCESS_REVOKED, ParseOCSP("revoke_response.pem"));
151 } 154 }
152 155
153 TEST(ParseOCSPTest, OCSPRevokedResponseWithReason) { 156 TEST(OCSPTest, OCSPRevokedResponseWithReason) {
154 ASSERT_EQ(OCSP_SUCCESS_REVOKED, ParseOCSP("revoke_response_reason.pem")); 157 ASSERT_EQ(OCSP_SUCCESS_REVOKED, ParseOCSP("revoke_response_reason.pem"));
155 } 158 }
156 159
157 TEST(ParseOCSPTest, OCSPUnknownCertStatus) { 160 TEST(OCSPTest, OCSPUnknownCertStatus) {
158 ASSERT_EQ(OCSP_SUCCESS_UNKNOWN, ParseOCSP("unknown_response.pem")); 161 ASSERT_EQ(OCSP_SUCCESS_UNKNOWN, ParseOCSP("unknown_response.pem"));
159 } 162 }
160 163
161 TEST(ParseOCSPTest, OCSPMultipleCertStatus) { 164 TEST(OCSPTest, OCSPMultipleCertStatus) {
162 ASSERT_EQ(OCSP_SUCCESS_UNKNOWN, ParseOCSP("multiple_response.pem")); 165 ASSERT_EQ(OCSP_SUCCESS_UNKNOWN, ParseOCSP("multiple_response.pem"));
163 } 166 }
164 167
165 TEST(ParseOCSPTest, OCSPWrongCertResponse) { 168 TEST(OCSPTest, OCSPWrongCertResponse) {
166 ASSERT_EQ(PARSE_OCSP_SINGLE_RESPONSE, ParseOCSP("other_response.pem")); 169 ASSERT_EQ(PARSE_OCSP_SINGLE_RESPONSE, ParseOCSP("other_response.pem"));
167 } 170 }
168 171
169 TEST(ParseOCSPTest, OCSPOCSPSingleExtension) { 172 TEST(OCSPTest, OCSPOCSPSingleExtension) {
170 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("has_single_extension.pem")); 173 ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("has_single_extension.pem"));
171 } 174 }
172 175
173 TEST(ParseOCSPTest, OCSPMissingResponse) { 176 TEST(OCSPTest, OCSPMissingResponse) {
174 ASSERT_EQ(PARSE_OCSP_SINGLE_RESPONSE, ParseOCSP("missing_response.pem")); 177 ASSERT_EQ(PARSE_OCSP_SINGLE_RESPONSE, ParseOCSP("missing_response.pem"));
175 } 178 }
176 179
177 } // namespace net 180 } // namespace net
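Review bot: The three tests that now expect `VERIFY_OCSP` (`OCSPBadSignature`, `OCSPMissingIndirectSignature`, `OCSPInvalidSignature`) all receive the same return value from the helper, so each passes whenever `VerifyOCSPResponse` rejects its fixture for any reason, not necessarily the one the test name claims. The call is only used as a bool here, so a fixture rejected for an unrelated reason would keep these tests green while the intended check (for example, a missing or unauthorized delegated responder certificate) goes unexercised. I would add a one-line comment above each of these assertions naming the single property of the fixture that must cause rejection, for example `// Fails verification only because the delegated responder cert is not included.` on `ocsp_sign_indirect_missing.pem` (wording to be confirmed against the fixture), and say that `ocsp_sign_indirect.pem` is its positive control. Ten lines of the helper are collapsed on this page, so how `issuer` is constructed before the new call is not visible here.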