| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 96 #endif | 96 #endif |
| 97 return true; | 97 return true; |
| 98 } | 98 } |
| 99 | 99 |
| 100 bool SupportsDetectingKnownRoots() { | 100 bool SupportsDetectingKnownRoots() { |
| 101 #if defined(OS_ANDROID) | 101 #if defined(OS_ANDROID) |
| 102 // Before API level 17, Android does not expose the APIs necessary to get at | 102 // Before API level 17, Android does not expose the APIs necessary to get at |
| 103 // the verified certificate chain and detect known roots. | 103 // the verified certificate chain and detect known roots. |
| 104 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) | 104 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) |
| 105 return false; | 105 return false; |
| 106 #elif defined(OS_IOS) && defined(USE_OPENSSL) |
| 107 // iOS does not expose the APIs necessary to get the known system roots. |
| 108 return false; |
| 106 #endif | 109 #endif |
| 107 return true; | 110 return true; |
| 108 } | 111 } |
| 109 | 112 |
| 110 // Template helper to load a series of certificate files into a CertificateList. | 113 // Template helper to load a series of certificate files into a CertificateList. |
| 111 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a | 114 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a |
| 112 // series of individual certificates (to make the tests clearer). | 115 // series of individual certificates (to make the tests clearer). |
| 113 template <size_t N> | 116 template <size_t N> |
| 114 void LoadCertificateFiles(const char* const (&cert_files)[N], | 117 void LoadCertificateFiles(const char* const (&cert_files)[N], |
| 115 CertificateList* certs) { | 118 CertificateList* certs) { |
| (...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 216 int flags = 0; | 219 int flags = 0; |
| 217 CertVerifyResult verify_result; | 220 CertVerifyResult verify_result; |
| 218 int error = Verify(paypal_null_cert.get(), | 221 int error = Verify(paypal_null_cert.get(), |
| 219 "www.paypal.com", | 222 "www.paypal.com", |
| 220 flags, | 223 flags, |
| 221 NULL, | 224 NULL, |
| 222 empty_cert_list_, | 225 empty_cert_list_, |
| 223 &verify_result); | 226 &verify_result); |
| 224 #if defined(USE_NSS_VERIFIER) || defined(OS_ANDROID) | 227 #if defined(USE_NSS_VERIFIER) || defined(OS_ANDROID) |
| 225 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); | 228 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); |
| 229 #elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR |
| 230 // iOS returns a ERR_CERT_INVALID error on the simulator, while returning |
| 231 // ERR_CERT_AUTHORITY_INVALID on the real device. |
| 232 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 226 #else | 233 #else |
| 227 // TOOD(bulach): investigate why macosx and win aren't returning | 234 // TOOD(bulach): investigate why macosx and win aren't returning |
| 228 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. | 235 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. |
| 229 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 236 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 230 #endif | 237 #endif |
| 231 // Either the system crypto library should correctly report a certificate | 238 // Either the system crypto library should correctly report a certificate |
| 232 // name mismatch, or our certificate blacklist should cause us to report an | 239 // name mismatch, or our certificate blacklist should cause us to report an |
| 233 // invalid certificate. | 240 // invalid certificate. |
| 234 #if defined(USE_NSS_VERIFIER) || defined(OS_WIN) | 241 #if defined(USE_NSS_VERIFIER) || defined(OS_WIN) |
| 235 EXPECT_TRUE(verify_result.cert_status & | 242 EXPECT_TRUE(verify_result.cert_status & |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 270 int error = Verify(cert.get(), | 277 int error = Verify(cert.get(), |
| 271 "policy_test.example", | 278 "policy_test.example", |
| 272 flags, | 279 flags, |
| 273 NULL, | 280 NULL, |
| 274 empty_cert_list_, | 281 empty_cert_list_, |
| 275 &verify_result); | 282 &verify_result); |
| 276 EXPECT_EQ(OK, error); | 283 EXPECT_EQ(OK, error); |
| 277 EXPECT_EQ(0u, verify_result.cert_status); | 284 EXPECT_EQ(0u, verify_result.cert_status); |
| 278 } | 285 } |
| 279 | 286 |
| 287 TEST_F(CertVerifyProcTest, RejectExpiredCert) { |
| 288 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 289 |
| 290 // Load root_ca_cert.pem into the test root store. |
| 291 ScopedTestRoot test_root( |
| 292 ImportCertFromFile(certs_dir, "root_ca_cert.pem").get()); |
| 293 |
| 294 CertificateList certs = CreateCertificateListFromFile( |
| 295 certs_dir, "expired_cert.pem", X509Certificate::FORMAT_AUTO); |
| 296 ASSERT_EQ(1U, certs.size()); |
| 297 |
| 298 X509Certificate::OSCertHandles intermediates; |
| 299 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( |
| 300 certs[0]->os_cert_handle(), intermediates); |
| 301 |
| 302 int flags = 0; |
| 303 CertVerifyResult verify_result; |
| 304 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 305 &verify_result); |
| 306 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 307 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID); |
| 308 } |
| 309 |
| 280 // Test that verifying an ECDSA certificate doesn't crash on XP. (See | 310 // Test that verifying an ECDSA certificate doesn't crash on XP. (See |
| 281 // crbug.com/144466). | 311 // crbug.com/144466). |
| 282 TEST_F(CertVerifyProcTest, ECDSA_RSA) { | 312 TEST_F(CertVerifyProcTest, ECDSA_RSA) { |
| 283 base::FilePath certs_dir = GetTestCertsDirectory(); | 313 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 284 | 314 |
| 285 scoped_refptr<X509Certificate> cert = | 315 scoped_refptr<X509Certificate> cert = |
| 286 ImportCertFromFile(certs_dir, | 316 ImportCertFromFile(certs_dir, |
| 287 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); | 317 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); |
| 288 | 318 |
| 289 CertVerifyResult verify_result; | 319 CertVerifyResult verify_result; |
| (...skipping 806 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1096 int flags = 0; | 1126 int flags = 0; |
| 1097 CertVerifyResult verify_result; | 1127 CertVerifyResult verify_result; |
| 1098 int error = Verify( | 1128 int error = Verify( |
| 1099 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); | 1129 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
| 1100 EXPECT_EQ(OK, error); | 1130 EXPECT_EQ(OK, error); |
| 1101 EXPECT_EQ(0U, verify_result.cert_status); | 1131 EXPECT_EQ(0U, verify_result.cert_status); |
| 1102 // But should not be marked as a known root. | 1132 // But should not be marked as a known root. |
| 1103 EXPECT_FALSE(verify_result.is_issued_by_known_root); | 1133 EXPECT_FALSE(verify_result.is_issued_by_known_root); |
| 1104 } | 1134 } |
| 1105 | 1135 |
| 1106 #if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_WIN) || \ | 1136 #if defined(USE_NSS_VERIFIER) || defined(OS_WIN) || \ |
| 1107 defined(OS_MACOSX) | 1137 (defined(OS_MACOSX) && !defined(OS_IOS)) |
| 1108 // Test that CRLSets are effective in making a certificate appear to be | 1138 // Test that CRLSets are effective in making a certificate appear to be |
| 1109 // revoked. | 1139 // revoked. |
| 1110 TEST_F(CertVerifyProcTest, CRLSet) { | 1140 TEST_F(CertVerifyProcTest, CRLSet) { |
| 1111 CertificateList ca_cert_list = | 1141 CertificateList ca_cert_list = |
| 1112 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1142 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 1113 "root_ca_cert.pem", | 1143 "root_ca_cert.pem", |
| 1114 X509Certificate::FORMAT_AUTO); | 1144 X509Certificate::FORMAT_AUTO); |
| 1115 ASSERT_EQ(1U, ca_cert_list.size()); | 1145 ASSERT_EQ(1U, ca_cert_list.size()); |
| 1116 ScopedTestRoot test_root(ca_cert_list[0].get()); | 1146 ScopedTestRoot test_root(ca_cert_list[0].get()); |
| 1117 | 1147 |
| (...skipping 554 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1672 int flags = 0; | 1702 int flags = 0; |
| 1673 CertVerifyResult verify_result; | 1703 CertVerifyResult verify_result; |
| 1674 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1704 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1675 &verify_result); | 1705 &verify_result); |
| 1676 EXPECT_EQ(ERR_CERT_INVALID, error); | 1706 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 1677 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); | 1707 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); |
| 1678 } | 1708 } |
| 1679 #endif // defined(OS_MACOSX) && !defined(OS_IOS) | 1709 #endif // defined(OS_MACOSX) && !defined(OS_IOS) |
| 1680 | 1710 |
| 1681 } // namespace net | 1711 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1871043003:
Fixing BoringSSL on iOS (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master