OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/path_builder.h" |
6 | 6 |
| 7 #include "net/base/net_errors.h" |
| 8 #include "net/base/test_completion_callback.h" |
7 #include "net/cert/internal/parse_certificate.h" | 9 #include "net/cert/internal/parse_certificate.h" |
8 #include "net/cert/internal/signature_policy.h" | 10 #include "net/cert/internal/signature_policy.h" |
| 11 #include "net/cert/internal/verify_certificate_chain.h" |
9 #include "net/der/input.h" | 12 #include "net/der/input.h" |
10 | 13 |
11 // Disable tests that require DSA signatures (DSA signatures are intentionally | 14 // Disable tests that require DSA signatures (DSA signatures are intentionally |
12 // unsupported). Custom versions of the DSA tests are defined below which expect | 15 // unsupported). Custom versions of the DSA tests are defined below which expect |
13 // verification to fail. | 16 // verification to fail. |
14 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 | 17 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 |
15 #define Section1ValidDSAParameterInheritanceTest5 \ | 18 #define Section1ValidDSAParameterInheritanceTest5 \ |
16 DISABLED_Section1ValidDSAParameterInheritanceTest5 | 19 DISABLED_Section1ValidDSAParameterInheritanceTest5 |
17 | 20 |
18 // Disable tests that require name constraints with name types that are | 21 // Disable tests that require name constraints with name types that are |
(...skipping 17 matching lines...) Expand all Loading... |
36 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 | 39 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
37 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ | 40 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ |
38 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 41 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
39 | 42 |
40 #include "net/cert/internal/nist_pkits_unittest.h" | 43 #include "net/cert/internal/nist_pkits_unittest.h" |
41 | 44 |
42 namespace net { | 45 namespace net { |
43 | 46 |
44 namespace { | 47 namespace { |
45 | 48 |
46 class VerifyCertificateChainPkitsTestDelegate { | 49 class PathBuilderPkitsTestDelegate { |
47 public: | 50 public: |
48 static bool Verify(std::vector<std::string> cert_ders, | 51 static bool Verify(std::vector<std::string> cert_ders, |
49 std::vector<std::string> crl_ders) { | 52 std::vector<std::string> crl_ders) { |
50 if (cert_ders.empty()) { | 53 if (cert_ders.empty()) { |
51 ADD_FAILURE() << "cert_ders is empty"; | 54 ADD_FAILURE() << "cert_ders is empty"; |
52 return false; | 55 return false; |
53 } | 56 } |
54 // First entry in the PKITS chain is the trust anchor. | 57 // First entry in the PKITS chain is the trust anchor. |
| 58 // XXX test with all possible trust anchors in the trust store? |
55 TrustStore trust_store; | 59 TrustStore trust_store; |
56 EXPECT_TRUE(trust_store.AddTrustedCertificate(cert_ders[0])); | 60 if (!trust_store.AddTrustedCertificate(cert_ders[0])) { |
| 61 ADD_FAILURE() << "AddTrustedCertificate failed"; |
| 62 return false; |
| 63 } |
57 | 64 |
58 // PKITS lists chains from trust anchor to target, VerifyCertificateChain | 65 // XXX test with other irrelevant certs in cert_sources? |
59 // takes them starting with the target and not including the trust anchor. | 66 // XXX test with async cert_sources? |
60 std::vector<der::Input> input_chain; | 67 std::vector<der::Input> intermediates; |
61 for (size_t i = cert_ders.size() - 1; i > 0; --i) | 68 for (size_t i = 1; i < cert_ders.size() - 1; ++i) |
62 input_chain.push_back(der::Input(&cert_ders[i])); | 69 intermediates.push_back(der::Input(&cert_ders[i])); |
| 70 StaticCertsSource cert_source; |
| 71 if (!cert_source.Init(intermediates)) { |
| 72 ADD_FAILURE() << "StaticCertsSource::Init failed"; |
| 73 return false; |
| 74 } |
| 75 CertPathBuilder::CertSources cert_sources; |
| 76 cert_sources.push_back(&cert_source); |
| 77 |
| 78 std::unique_ptr<CertThing> target_cert( |
| 79 CertThing::CreateFromCertificateCopy(cert_ders.back())); |
| 80 if (!target_cert) { |
| 81 ADD_FAILURE() << "CertThing::CreateFromCertificateCopy failed"; |
| 82 return false; |
| 83 } |
63 | 84 |
64 SimpleSignaturePolicy signature_policy(1024); | 85 SimpleSignaturePolicy signature_policy(1024); |
65 | 86 |
66 // Run all tests at the time the PKITS was published. | 87 // Run all tests at the time the PKITS was published. |
67 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; | 88 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; |
68 | 89 |
69 return VerifyCertificateChain(input_chain, trust_store, &signature_policy, | 90 CertPathBuilder::Result result; |
70 time); | 91 CertPathBuilder path_builder(std::move(target_cert), cert_sources, |
| 92 trust_store, &signature_policy, time, &result); |
| 93 |
| 94 TestCompletionCallback callback; |
| 95 |
| 96 int rv = path_builder.Run(callback.callback()); |
| 97 |
| 98 DVLOG(1) << "path_builder.Run rv=" << ErrorToString(rv); |
| 99 |
| 100 if (rv == ERR_IO_PENDING) { |
| 101 DVLOG(1) << "waiting for async completion..."; |
| 102 rv = callback.WaitForResult(); |
| 103 DVLOG(1) << "async rv=" << ErrorToString(rv); |
| 104 } |
| 105 |
| 106 return rv == OK; |
71 } | 107 } |
72 }; | 108 }; |
73 | 109 |
74 } // namespace | 110 } // namespace |
75 | 111 |
76 class PkitsTest01SignatureVerificationCustom | 112 // XXX reduce duplication with verify_certificate_chain_pkits_unittest.cc |
77 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 113 class PkitsTest01SignatureVerificationCustomPathBuilderFoo |
| 114 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
78 | 115 |
79 // Modified version of 4.1.4 Valid DSA Signatures Test4 | 116 // Modified version of 4.1.4 Valid DSA Signatures Test4 |
80 TEST_F(PkitsTest01SignatureVerificationCustom, | 117 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
81 Section1ValidDSASignaturesTest4Custom) { | 118 Section1ValidDSASignaturesTest4Custom) { |
82 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 119 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
83 "ValidDSASignaturesTest4EE"}; | 120 "ValidDSASignaturesTest4EE"}; |
84 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | 121 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; |
85 // DSA signatures are intentionally unsupported. | 122 // DSA signatures are intentionally unsupported. |
86 ASSERT_FALSE(this->Verify(certs, crls)); | 123 ASSERT_FALSE(this->Verify(certs, crls)); |
87 } | 124 } |
88 | 125 |
89 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | 126 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 |
90 TEST_F(PkitsTest01SignatureVerificationCustom, | 127 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
91 Section1ValidDSAParameterInheritanceTest5Custom) { | 128 Section1ValidDSAParameterInheritanceTest5Custom) { |
92 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 129 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
93 "DSAParametersInheritedCACert", | 130 "DSAParametersInheritedCACert", |
94 "ValidDSAParameterInheritanceTest5EE"}; | 131 "ValidDSAParameterInheritanceTest5EE"}; |
95 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | 132 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", |
96 "DSAParametersInheritedCACRL"}; | 133 "DSAParametersInheritedCACRL"}; |
97 // DSA signatures are intentionally unsupported. | 134 // DSA signatures are intentionally unsupported. |
98 ASSERT_FALSE(this->Verify(certs, crls)); | 135 ASSERT_FALSE(this->Verify(certs, crls)); |
99 } | 136 } |
100 | 137 |
101 class PkitsTest13SignatureVerificationCustom | 138 class PkitsTest13SignatureVerificationCustomPathBuilderFoo |
102 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 139 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
103 | 140 |
104 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | 141 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 |
105 TEST_F(PkitsTest13SignatureVerificationCustom, | 142 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
106 Section13ValidRFC822nameConstraintsTest21Custom) { | 143 Section13ValidRFC822nameConstraintsTest21Custom) { |
107 const char* const certs[] = {"TrustAnchorRootCertificate", | 144 const char* const certs[] = {"TrustAnchorRootCertificate", |
108 "nameConstraintsRFC822CA1Cert", | 145 "nameConstraintsRFC822CA1Cert", |
109 "ValidRFC822nameConstraintsTest21EE"}; | 146 "ValidRFC822nameConstraintsTest21EE"}; |
110 const char* const crls[] = {"TrustAnchorRootCRL", | 147 const char* const crls[] = {"TrustAnchorRootCRL", |
111 "nameConstraintsRFC822CA1CRL"}; | 148 "nameConstraintsRFC822CA1CRL"}; |
112 // Name constraints on rfc822Names are not supported. | 149 // Name constraints on rfc822Names are not supported. |
113 ASSERT_FALSE(this->Verify(certs, crls)); | 150 ASSERT_FALSE(this->Verify(certs, crls)); |
114 } | 151 } |
115 | 152 |
116 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | 153 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 |
117 TEST_F(PkitsTest13SignatureVerificationCustom, | 154 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
118 Section13ValidRFC822nameConstraintsTest23Custom) { | 155 Section13ValidRFC822nameConstraintsTest23Custom) { |
119 const char* const certs[] = {"TrustAnchorRootCertificate", | 156 const char* const certs[] = {"TrustAnchorRootCertificate", |
120 "nameConstraintsRFC822CA2Cert", | 157 "nameConstraintsRFC822CA2Cert", |
121 "ValidRFC822nameConstraintsTest23EE"}; | 158 "ValidRFC822nameConstraintsTest23EE"}; |
122 const char* const crls[] = {"TrustAnchorRootCRL", | 159 const char* const crls[] = {"TrustAnchorRootCRL", |
123 "nameConstraintsRFC822CA2CRL"}; | 160 "nameConstraintsRFC822CA2CRL"}; |
124 // Name constraints on rfc822Names are not supported. | 161 // Name constraints on rfc822Names are not supported. |
125 ASSERT_FALSE(this->Verify(certs, crls)); | 162 ASSERT_FALSE(this->Verify(certs, crls)); |
126 } | 163 } |
127 | 164 |
128 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | 165 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 |
129 TEST_F(PkitsTest13SignatureVerificationCustom, | 166 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
130 Section13ValidRFC822nameConstraintsTest25Custom) { | 167 Section13ValidRFC822nameConstraintsTest25Custom) { |
131 const char* const certs[] = {"TrustAnchorRootCertificate", | 168 const char* const certs[] = {"TrustAnchorRootCertificate", |
132 "nameConstraintsRFC822CA3Cert", | 169 "nameConstraintsRFC822CA3Cert", |
133 "ValidRFC822nameConstraintsTest25EE"}; | 170 "ValidRFC822nameConstraintsTest25EE"}; |
134 const char* const crls[] = {"TrustAnchorRootCRL", | 171 const char* const crls[] = {"TrustAnchorRootCRL", |
135 "nameConstraintsRFC822CA3CRL"}; | 172 "nameConstraintsRFC822CA3CRL"}; |
136 // Name constraints on rfc822Names are not supported. | 173 // Name constraints on rfc822Names are not supported. |
137 ASSERT_FALSE(this->Verify(certs, crls)); | 174 ASSERT_FALSE(this->Verify(certs, crls)); |
138 } | 175 } |
139 | 176 |
140 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | 177 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 |
141 TEST_F(PkitsTest13SignatureVerificationCustom, | 178 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
142 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | 179 Section13ValidDNandRFC822nameConstraintsTest27Custom) { |
143 const char* const certs[] = {"TrustAnchorRootCertificate", | 180 const char* const certs[] = {"TrustAnchorRootCertificate", |
144 "nameConstraintsDN1CACert", | 181 "nameConstraintsDN1CACert", |
145 "nameConstraintsDN1subCA3Cert", | 182 "nameConstraintsDN1subCA3Cert", |
146 "ValidDNandRFC822nameConstraintsTest27EE"}; | 183 "ValidDNandRFC822nameConstraintsTest27EE"}; |
147 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | 184 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", |
148 "nameConstraintsDN1subCA3CRL"}; | 185 "nameConstraintsDN1subCA3CRL"}; |
149 // Name constraints on rfc822Names are not supported. | 186 // Name constraints on rfc822Names are not supported. |
150 ASSERT_FALSE(this->Verify(certs, crls)); | 187 ASSERT_FALSE(this->Verify(certs, crls)); |
151 } | 188 } |
152 | 189 |
153 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | 190 // Modified version of 4.13.34 Valid URI nameConstraints Test34 |
154 TEST_F(PkitsTest13SignatureVerificationCustom, | 191 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
155 Section13ValidURInameConstraintsTest34Custom) { | 192 Section13ValidURInameConstraintsTest34Custom) { |
156 const char* const certs[] = {"TrustAnchorRootCertificate", | 193 const char* const certs[] = {"TrustAnchorRootCertificate", |
157 "nameConstraintsURI1CACert", | 194 "nameConstraintsURI1CACert", |
158 "ValidURInameConstraintsTest34EE"}; | 195 "ValidURInameConstraintsTest34EE"}; |
159 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | 196 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; |
160 // Name constraints on uniformResourceIdentifiers are not supported. | 197 // Name constraints on uniformResourceIdentifiers are not supported. |
161 ASSERT_FALSE(this->Verify(certs, crls)); | 198 ASSERT_FALSE(this->Verify(certs, crls)); |
162 } | 199 } |
163 | 200 |
164 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | 201 // Modified version of 4.13.36 Valid URI nameConstraints Test36 |
165 TEST_F(PkitsTest13SignatureVerificationCustom, | 202 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
166 Section13ValidURInameConstraintsTest36Custom) { | 203 Section13ValidURInameConstraintsTest36Custom) { |
167 const char* const certs[] = {"TrustAnchorRootCertificate", | 204 const char* const certs[] = {"TrustAnchorRootCertificate", |
168 "nameConstraintsURI2CACert", | 205 "nameConstraintsURI2CACert", |
169 "ValidURInameConstraintsTest36EE"}; | 206 "ValidURInameConstraintsTest36EE"}; |
170 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | 207 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; |
171 // Name constraints on uniformResourceIdentifiers are not supported. | 208 // Name constraints on uniformResourceIdentifiers are not supported. |
172 ASSERT_FALSE(this->Verify(certs, crls)); | 209 ASSERT_FALSE(this->Verify(certs, crls)); |
173 } | 210 } |
174 | 211 |
175 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 212 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
176 PkitsTest01SignatureVerification, | 213 PkitsTest01SignatureVerification, |
177 VerifyCertificateChainPkitsTestDelegate); | 214 PathBuilderPkitsTestDelegate); |
178 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 215 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
179 PkitsTest02ValidityPeriods, | 216 PkitsTest02ValidityPeriods, |
180 VerifyCertificateChainPkitsTestDelegate); | 217 PathBuilderPkitsTestDelegate); |
181 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 218 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
182 PkitsTest03VerifyingNameChaining, | 219 PkitsTest03VerifyingNameChaining, |
183 VerifyCertificateChainPkitsTestDelegate); | 220 PathBuilderPkitsTestDelegate); |
184 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 221 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
185 PkitsTest06VerifyingBasicConstraints, | 222 PkitsTest06VerifyingBasicConstraints, |
186 VerifyCertificateChainPkitsTestDelegate); | 223 PathBuilderPkitsTestDelegate); |
187 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 224 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
188 PkitsTest07KeyUsage, | 225 PkitsTest07KeyUsage, |
189 VerifyCertificateChainPkitsTestDelegate); | 226 PathBuilderPkitsTestDelegate); |
190 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 227 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
191 PkitsTest13NameConstraints, | 228 PkitsTest13NameConstraints, |
192 VerifyCertificateChainPkitsTestDelegate); | 229 PathBuilderPkitsTestDelegate); |
193 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 230 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
194 PkitsTest16PrivateCertificateExtensions, | 231 PkitsTest16PrivateCertificateExtensions, |
195 VerifyCertificateChainPkitsTestDelegate); | 232 PathBuilderPkitsTestDelegate); |
196 | 233 |
197 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 234 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
198 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 235 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
199 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 236 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
200 | 237 |
201 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, | 238 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, |
202 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, | 239 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, |
203 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy | 240 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy |
204 | 241 |
205 } // namespace net | 242 } // namespace net |
OLD | NEW |