OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
96 #endif | 96 #endif |
97 return true; | 97 return true; |
98 } | 98 } |
99 | 99 |
100 bool SupportsDetectingKnownRoots() { | 100 bool SupportsDetectingKnownRoots() { |
101 #if defined(OS_ANDROID) | 101 #if defined(OS_ANDROID) |
102 // Before API level 17, Android does not expose the APIs necessary to get at | 102 // Before API level 17, Android does not expose the APIs necessary to get at |
103 // the verified certificate chain and detect known roots. | 103 // the verified certificate chain and detect known roots. |
104 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) | 104 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) |
105 return false; | 105 return false; |
106 #elif defined(OS_IOS) && defined(USE_OPENSSL) | 106 #elif defined(OS_IOS) |
107 // iOS does not expose the APIs necessary to get the known system roots. | 107 // iOS does not expose the APIs necessary to get the known system roots. |
108 return false; | 108 return false; |
109 #endif | 109 #endif |
110 return true; | 110 return true; |
111 } | 111 } |
112 | 112 |
113 // Template helper to load a series of certificate files into a CertificateList. | 113 // Template helper to load a series of certificate files into a CertificateList. |
114 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a | 114 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a |
115 // series of individual certificates (to make the tests clearer). | 115 // series of individual certificates (to make the tests clearer). |
116 template <size_t N> | 116 template <size_t N> |
217 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); | 217 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); |
218 | 218 |
219 int flags = 0; | 219 int flags = 0; |
220 CertVerifyResult verify_result; | 220 CertVerifyResult verify_result; |
221 int error = Verify(paypal_null_cert.get(), | 221 int error = Verify(paypal_null_cert.get(), |
222 "www.paypal.com", | 222 "www.paypal.com", |
223 flags, | 223 flags, |
224 NULL, | 224 NULL, |
225 empty_cert_list_, | 225 empty_cert_list_, |
226 &verify_result); | 226 &verify_result); |
227 #if defined(USE_NSS_VERIFIER) || defined(OS_ANDROID) | 227 #if defined(USE_NSS_CERTS) || defined(OS_ANDROID) |
228 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); | 228 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); |
229 #elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR | 229 #elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR |
230 // iOS returns a ERR_CERT_INVALID error on the simulator, while returning | 230 // iOS returns a ERR_CERT_INVALID error on the simulator, while returning |
231 // ERR_CERT_AUTHORITY_INVALID on the real device. | 231 // ERR_CERT_AUTHORITY_INVALID on the real device. |
232 EXPECT_EQ(ERR_CERT_INVALID, error); | 232 EXPECT_EQ(ERR_CERT_INVALID, error); |
233 #else | 233 #else |
234 // TOOD(bulach): investigate why macosx and win aren't returning | 234 // TOOD(bulach): investigate why macosx and win aren't returning |
235 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. | 235 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. |
236 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 236 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
237 #endif | 237 #endif |
238 // Either the system crypto library should correctly report a certificate | 238 // Either the system crypto library should correctly report a certificate |
239 // name mismatch, or our certificate blacklist should cause us to report an | 239 // name mismatch, or our certificate blacklist should cause us to report an |
240 // invalid certificate. | 240 // invalid certificate. |
241 #if defined(USE_NSS_VERIFIER) || defined(OS_WIN) | 241 #if defined(USE_NSS_CERTS) || defined(OS_WIN) |
242 EXPECT_TRUE(verify_result.cert_status & | 242 EXPECT_TRUE(verify_result.cert_status & |
243 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); | 243 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); |
244 #endif | 244 #endif |
245 } | 245 } |
246 | 246 |
247 // A regression test for http://crbug.com/31497. | 247 // A regression test for http://crbug.com/31497. |
248 #if defined(OS_ANDROID) | 248 #if defined(OS_ANDROID) |
249 // Disabled on Android, as the Android verification libraries require an | 249 // Disabled on Android, as the Android verification libraries require an |
250 // explicit policy to be specified, even when anyPolicy is permitted. | 250 // explicit policy to be specified, even when anyPolicy is permitted. |
251 #define MAYBE_IntermediateCARequireExplicitPolicy \ | 251 #define MAYBE_IntermediateCARequireExplicitPolicy \ |
1126 int flags = 0; | 1126 int flags = 0; |
1127 CertVerifyResult verify_result; | 1127 CertVerifyResult verify_result; |
1128 int error = Verify( | 1128 int error = Verify( |
1129 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); | 1129 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
1130 EXPECT_EQ(OK, error); | 1130 EXPECT_EQ(OK, error); |
1131 EXPECT_EQ(0U, verify_result.cert_status); | 1131 EXPECT_EQ(0U, verify_result.cert_status); |
1132 // But should not be marked as a known root. | 1132 // But should not be marked as a known root. |
1133 EXPECT_FALSE(verify_result.is_issued_by_known_root); | 1133 EXPECT_FALSE(verify_result.is_issued_by_known_root); |
1134 } | 1134 } |
1135 | 1135 |
1136 #if defined(USE_NSS_VERIFIER) || defined(OS_WIN) || \ | 1136 #if defined(USE_NSS_CERTS) || defined(OS_WIN) || \ |
1137 (defined(OS_MACOSX) && !defined(OS_IOS)) | 1137 (defined(OS_MACOSX) && !defined(OS_IOS)) |
1138 // Test that CRLSets are effective in making a certificate appear to be | 1138 // Test that CRLSets are effective in making a certificate appear to be |
1139 // revoked. | 1139 // revoked. |
1140 TEST_F(CertVerifyProcTest, CRLSet) { | 1140 TEST_F(CertVerifyProcTest, CRLSet) { |
1141 CertificateList ca_cert_list = | 1141 CertificateList ca_cert_list = |
1142 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1142 CreateCertificateListFromFile(GetTestCertsDirectory(), |
1143 "root_ca_cert.pem", | 1143 "root_ca_cert.pem", |
1144 X509Certificate::FORMAT_AUTO); | 1144 X509Certificate::FORMAT_AUTO); |
1145 ASSERT_EQ(1U, ca_cert_list.size()); | 1145 ASSERT_EQ(1U, ca_cert_list.size()); |
1146 ScopedTestRoot test_root(ca_cert_list[0].get()); | 1146 ScopedTestRoot test_root(ca_cert_list[0].get()); |
1702 int flags = 0; | 1702 int flags = 0; |
1703 CertVerifyResult verify_result; | 1703 CertVerifyResult verify_result; |
1704 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1704 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
1705 &verify_result); | 1705 &verify_result); |
1706 EXPECT_EQ(ERR_CERT_INVALID, error); | 1706 EXPECT_EQ(ERR_CERT_INVALID, error); |
1707 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); | 1707 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); |
1708 } | 1708 } |
1709 #endif // defined(OS_MACOSX) && !defined(OS_IOS) | 1709 #endif // defined(OS_MACOSX) && !defined(OS_IOS) |
1710 | 1710 |
1711 } // namespace net | 1711 } // namespace net |
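Review bot: The `cert_status` assertion at new line 241 is compiled only under `USE_NSS_CERTS || OS_WIN`, so on every other platform the null-byte test passes on the error code alone, and in the `#else` branch at line 236 that code is `ERR_CERT_AUTHORITY_INVALID`, which an untrusted chain would presumably produce regardless of how the name is handled. With the guards renamed from `USE_NSS_VERIFIER`, any configuration that defined the old macro but not `USE_NSS_CERTS` would quietly lose both this check and the CRLSet test guarded at line 1136; the old `OS_IOS && USE_OPENSSL` condition at line 106 suggests iOS had such a variant, though the macro definitions are not visible here. I would record the intent in place, for example `// cert_status is asserted only for NSS and Windows; other platforms are covered by the error code above.` above line 241, and a similar one-line comment at line 1136 naming the platforms on which CRLSet revocation is deliberately left untested. The test bodies begin in the elided regions, so this rests on the visible lines only.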