Chromium Code Reviews Chromium Code Reviews
Issue 1923433002:
Certificate path builder for new certificate verification library (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "net/base/net_errors.h" | |
| 8 #include "net/base/test_completion_callback.h" | |
| 9 #include "net/cert/internal/cert_issuer_source_static.h" | |
| 10 #include "net/cert/internal/parse_certificate.h" | |
| 7 #include "net/cert/internal/parsed_certificate.h" | 11 #include "net/cert/internal/parsed_certificate.h" |
| 8 #include "net/cert/internal/signature_policy.h" | 12 #include "net/cert/internal/signature_policy.h" |
| 9 #include "net/cert/internal/trust_store.h" | 13 #include "net/cert/internal/trust_store.h" |
| 14 #include "net/cert/internal/verify_certificate_chain.h" | |
| 10 #include "net/der/input.h" | 15 #include "net/der/input.h" |
| 11 | 16 |
| 12 // Disable tests that require DSA signatures (DSA signatures are intentionally | 17 // Disable tests that require DSA signatures (DSA signatures are intentionally |
| 13 // unsupported). Custom versions of the DSA tests are defined below which expect | 18 // unsupported). Custom versions of the DSA tests are defined below which expect |
| 14 // verification to fail. | 19 // verification to fail. |
| 15 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 | 20 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 |
| 16 #define Section1ValidDSAParameterInheritanceTest5 \ | 21 #define Section1ValidDSAParameterInheritanceTest5 \ |
| 17 DISABLED_Section1ValidDSAParameterInheritanceTest5 | 22 DISABLED_Section1ValidDSAParameterInheritanceTest5 |
| 18 | 23 |
| 19 // Disable tests that require name constraints with name types that are | 24 // Disable tests that require name constraints with name types that are |
| (...skipping 17 matching lines...) Expand all Loading... | |
| 37 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 | 42 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
| 38 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ | 43 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ |
| 39 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 44 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
| 40 | 45 |
| 41 #include "net/cert/internal/nist_pkits_unittest.h" | 46 #include "net/cert/internal/nist_pkits_unittest.h" |
| 42 | 47 |
| 43 namespace net { | 48 namespace net { |
| 44 | 49 |
| 45 namespace { | 50 namespace { |
| 46 | 51 |
| 47 class VerifyCertificateChainPkitsTestDelegate { | 52 using CertVector = std::vector<scoped_refptr<ParsedCertificate>>; |
| 53 | |
| 54 class PathBuilderPkitsTestDelegate { | |
| 48 public: | 55 public: |
| 49 static bool Verify(std::vector<std::string> cert_ders, | 56 static bool Verify(std::vector<std::string> cert_ders, |
| 50 std::vector<std::string> crl_ders) { | 57 std::vector<std::string> crl_ders) { |
| 51 if (cert_ders.empty()) { | 58 if (cert_ders.empty()) { |
| 52 ADD_FAILURE() << "cert_ders is empty"; | 59 ADD_FAILURE() << "cert_ders is empty"; |
| 53 return false; | 60 return false; |
| 54 } | 61 } |
| 55 // First entry in the PKITS chain is the trust anchor. | 62 CertVector certs; |
| 56 TrustStore trust_store; | 63 for (const std::string& der : cert_ders) { |
| 57 scoped_refptr<ParsedCertificate> anchor( | 64 certs.push_back(ParsedCertificate::CreateFromCertificateCopy(der)); |
| 58 ParsedCertificate::CreateFromCertificateCopy(cert_ders[0])); | 65 if (!certs.back()) { |
| 59 EXPECT_TRUE(anchor); | 66 ADD_FAILURE() << "ParsedCertificate::CreateFromCertificateCopy failed"; |
| 60 if (anchor) | |
| 61 trust_store.AddTrustedCertificate(std::move(anchor)); | |
| 62 | |
| 63 // PKITS lists chains from trust anchor to target, VerifyCertificateChain | |
| 64 // takes them starting with the target and not including the trust anchor. | |
| 65 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | |
| 66 for (size_t i = cert_ders.size() - 1; i > 0; --i) { | |
| 67 if (!net::ParsedCertificate::CreateAndAddToVector( | |
| 68 reinterpret_cast<const uint8_t*>(cert_ders[i].data()), | |
| 69 cert_ders[i].size(), | |
| 70 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | |
| 71 &input_chain)) { | |
| 72 ADD_FAILURE() << "cert " << i << " failed to parse"; | |
| 73 return false; | 67 return false; |
| 74 } | 68 } |
| 75 } | 69 } |
| 70 // First entry in the PKITS chain is the trust anchor. | |
| 71 // TODO(mattm): test with all possible trust anchors in the trust store? | |
| 72 TrustStore trust_store; | |
| 73 trust_store.AddTrustedCertificate(certs[0]); | |
| 74 | |
| 75 // TODO(mattm): test with other irrelevant certs in cert_issuer_sources? | |
| 76 CertIssuerSourceStatic cert_issuer_source; | |
| 77 for (size_t i = 1; i < cert_ders.size() - 1; ++i) | |
| 78 cert_issuer_source.AddCert(certs[i]); | |
| 79 | |
| 80 scoped_refptr<ParsedCertificate> target_cert(certs.back()); | |
| 76 | 81 |
| 77 SimpleSignaturePolicy signature_policy(1024); | 82 SimpleSignaturePolicy signature_policy(1024); |
| 78 | 83 |
| 79 // Run all tests at the time the PKITS was published. | 84 // Run all tests at the time the PKITS was published. |
| 80 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; | 85 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; |
| 81 | 86 |
| 82 return VerifyCertificateChain(input_chain, trust_store, &signature_policy, | 87 CertPathBuilder::Result result; |
| 83 time); | 88 CertPathBuilder path_builder(std::move(target_cert), &trust_store, |
| 89 &signature_policy, time, &result); | |
| 90 path_builder.AddCertIssuerSource(&cert_issuer_source); | |
| 91 | |
| 92 TestClosure callback; | |
| 93 | |
| 94 CompletionStatus rv = path_builder.Run(callback.closure()); | |
| 95 | |
| 96 if (rv == CompletionStatus::ASYNC) { | |
|
eroman
2016/06/17 01:03:23
Is this exercised currently?
mattm
2016/06/18 04:28:56
nope. Changed to just do synchronous-only in this
| |
| 97 DVLOG(1) << "waiting for async completion..."; | |
| 98 callback.WaitForResult(); | |
| 99 DVLOG(1) << "async completed."; | |
| 100 } | |
| 101 | |
| 102 return result.result() == OK; | |
| 84 } | 103 } |
| 85 }; | 104 }; |
| 86 | 105 |
| 87 } // namespace | 106 } // namespace |
| 88 | 107 |
| 89 class PkitsTest01SignatureVerificationCustom | 108 class PkitsTest01SignatureVerificationCustomPathBuilderFoo |
| 90 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 109 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
| 91 | 110 |
| 92 // Modified version of 4.1.4 Valid DSA Signatures Test4 | 111 // Modified version of 4.1.4 Valid DSA Signatures Test4 |
| 93 TEST_F(PkitsTest01SignatureVerificationCustom, | 112 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
| 94 Section1ValidDSASignaturesTest4Custom) { | 113 Section1ValidDSASignaturesTest4Custom) { |
| 95 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 114 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
| 96 "ValidDSASignaturesTest4EE"}; | 115 "ValidDSASignaturesTest4EE"}; |
| 97 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | 116 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; |
| 98 // DSA signatures are intentionally unsupported. | 117 // DSA signatures are intentionally unsupported. |
| 99 ASSERT_FALSE(this->Verify(certs, crls)); | 118 ASSERT_FALSE(this->Verify(certs, crls)); |
| 100 } | 119 } |
| 101 | 120 |
| 102 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | 121 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 |
| 103 TEST_F(PkitsTest01SignatureVerificationCustom, | 122 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
| 104 Section1ValidDSAParameterInheritanceTest5Custom) { | 123 Section1ValidDSAParameterInheritanceTest5Custom) { |
| 105 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 124 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
| 106 "DSAParametersInheritedCACert", | 125 "DSAParametersInheritedCACert", |
| 107 "ValidDSAParameterInheritanceTest5EE"}; | 126 "ValidDSAParameterInheritanceTest5EE"}; |
| 108 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | 127 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", |
| 109 "DSAParametersInheritedCACRL"}; | 128 "DSAParametersInheritedCACRL"}; |
| 110 // DSA signatures are intentionally unsupported. | 129 // DSA signatures are intentionally unsupported. |
| 111 ASSERT_FALSE(this->Verify(certs, crls)); | 130 ASSERT_FALSE(this->Verify(certs, crls)); |
| 112 } | 131 } |
| 113 | 132 |
| 114 class PkitsTest13SignatureVerificationCustom | 133 class PkitsTest13SignatureVerificationCustomPathBuilderFoo |
| 115 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 134 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
| 116 | 135 |
| 117 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | 136 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 |
| 118 TEST_F(PkitsTest13SignatureVerificationCustom, | 137 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 119 Section13ValidRFC822nameConstraintsTest21Custom) { | 138 Section13ValidRFC822nameConstraintsTest21Custom) { |
| 120 const char* const certs[] = {"TrustAnchorRootCertificate", | 139 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 121 "nameConstraintsRFC822CA1Cert", | 140 "nameConstraintsRFC822CA1Cert", |
| 122 "ValidRFC822nameConstraintsTest21EE"}; | 141 "ValidRFC822nameConstraintsTest21EE"}; |
| 123 const char* const crls[] = {"TrustAnchorRootCRL", | 142 const char* const crls[] = {"TrustAnchorRootCRL", |
| 124 "nameConstraintsRFC822CA1CRL"}; | 143 "nameConstraintsRFC822CA1CRL"}; |
| 125 // Name constraints on rfc822Names are not supported. | 144 // Name constraints on rfc822Names are not supported. |
| 126 ASSERT_FALSE(this->Verify(certs, crls)); | 145 ASSERT_FALSE(this->Verify(certs, crls)); |
| 127 } | 146 } |
| 128 | 147 |
| 129 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | 148 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 |
| 130 TEST_F(PkitsTest13SignatureVerificationCustom, | 149 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 131 Section13ValidRFC822nameConstraintsTest23Custom) { | 150 Section13ValidRFC822nameConstraintsTest23Custom) { |
| 132 const char* const certs[] = {"TrustAnchorRootCertificate", | 151 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 133 "nameConstraintsRFC822CA2Cert", | 152 "nameConstraintsRFC822CA2Cert", |
| 134 "ValidRFC822nameConstraintsTest23EE"}; | 153 "ValidRFC822nameConstraintsTest23EE"}; |
| 135 const char* const crls[] = {"TrustAnchorRootCRL", | 154 const char* const crls[] = {"TrustAnchorRootCRL", |
| 136 "nameConstraintsRFC822CA2CRL"}; | 155 "nameConstraintsRFC822CA2CRL"}; |
| 137 // Name constraints on rfc822Names are not supported. | 156 // Name constraints on rfc822Names are not supported. |
| 138 ASSERT_FALSE(this->Verify(certs, crls)); | 157 ASSERT_FALSE(this->Verify(certs, crls)); |
| 139 } | 158 } |
| 140 | 159 |
| 141 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | 160 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 |
| 142 TEST_F(PkitsTest13SignatureVerificationCustom, | 161 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 143 Section13ValidRFC822nameConstraintsTest25Custom) { | 162 Section13ValidRFC822nameConstraintsTest25Custom) { |
| 144 const char* const certs[] = {"TrustAnchorRootCertificate", | 163 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 145 "nameConstraintsRFC822CA3Cert", | 164 "nameConstraintsRFC822CA3Cert", |
| 146 "ValidRFC822nameConstraintsTest25EE"}; | 165 "ValidRFC822nameConstraintsTest25EE"}; |
| 147 const char* const crls[] = {"TrustAnchorRootCRL", | 166 const char* const crls[] = {"TrustAnchorRootCRL", |
| 148 "nameConstraintsRFC822CA3CRL"}; | 167 "nameConstraintsRFC822CA3CRL"}; |
| 149 // Name constraints on rfc822Names are not supported. | 168 // Name constraints on rfc822Names are not supported. |
| 150 ASSERT_FALSE(this->Verify(certs, crls)); | 169 ASSERT_FALSE(this->Verify(certs, crls)); |
| 151 } | 170 } |
| 152 | 171 |
| 153 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | 172 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 |
| 154 TEST_F(PkitsTest13SignatureVerificationCustom, | 173 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 155 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | 174 Section13ValidDNandRFC822nameConstraintsTest27Custom) { |
| 156 const char* const certs[] = {"TrustAnchorRootCertificate", | 175 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 157 "nameConstraintsDN1CACert", | 176 "nameConstraintsDN1CACert", |
| 158 "nameConstraintsDN1subCA3Cert", | 177 "nameConstraintsDN1subCA3Cert", |
| 159 "ValidDNandRFC822nameConstraintsTest27EE"}; | 178 "ValidDNandRFC822nameConstraintsTest27EE"}; |
| 160 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | 179 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", |
| 161 "nameConstraintsDN1subCA3CRL"}; | 180 "nameConstraintsDN1subCA3CRL"}; |
| 162 // Name constraints on rfc822Names are not supported. | 181 // Name constraints on rfc822Names are not supported. |
| 163 ASSERT_FALSE(this->Verify(certs, crls)); | 182 ASSERT_FALSE(this->Verify(certs, crls)); |
| 164 } | 183 } |
| 165 | 184 |
| 166 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | 185 // Modified version of 4.13.34 Valid URI nameConstraints Test34 |
| 167 TEST_F(PkitsTest13SignatureVerificationCustom, | 186 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 168 Section13ValidURInameConstraintsTest34Custom) { | 187 Section13ValidURInameConstraintsTest34Custom) { |
| 169 const char* const certs[] = {"TrustAnchorRootCertificate", | 188 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 170 "nameConstraintsURI1CACert", | 189 "nameConstraintsURI1CACert", |
| 171 "ValidURInameConstraintsTest34EE"}; | 190 "ValidURInameConstraintsTest34EE"}; |
| 172 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | 191 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; |
| 173 // Name constraints on uniformResourceIdentifiers are not supported. | 192 // Name constraints on uniformResourceIdentifiers are not supported. |
| 174 ASSERT_FALSE(this->Verify(certs, crls)); | 193 ASSERT_FALSE(this->Verify(certs, crls)); |
| 175 } | 194 } |
| 176 | 195 |
| 177 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | 196 // Modified version of 4.13.36 Valid URI nameConstraints Test36 |
| 178 TEST_F(PkitsTest13SignatureVerificationCustom, | 197 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
| 179 Section13ValidURInameConstraintsTest36Custom) { | 198 Section13ValidURInameConstraintsTest36Custom) { |
| 180 const char* const certs[] = {"TrustAnchorRootCertificate", | 199 const char* const certs[] = {"TrustAnchorRootCertificate", |
| 181 "nameConstraintsURI2CACert", | 200 "nameConstraintsURI2CACert", |
| 182 "ValidURInameConstraintsTest36EE"}; | 201 "ValidURInameConstraintsTest36EE"}; |
| 183 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | 202 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; |
| 184 // Name constraints on uniformResourceIdentifiers are not supported. | 203 // Name constraints on uniformResourceIdentifiers are not supported. |
| 185 ASSERT_FALSE(this->Verify(certs, crls)); | 204 ASSERT_FALSE(this->Verify(certs, crls)); |
| 186 } | 205 } |
| 187 | 206 |
| 188 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 207 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 189 PkitsTest01SignatureVerification, | 208 PkitsTest01SignatureVerification, |
| 190 VerifyCertificateChainPkitsTestDelegate); | 209 PathBuilderPkitsTestDelegate); |
| 191 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 210 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 192 PkitsTest02ValidityPeriods, | 211 PkitsTest02ValidityPeriods, |
| 193 VerifyCertificateChainPkitsTestDelegate); | 212 PathBuilderPkitsTestDelegate); |
| 194 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 213 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 195 PkitsTest03VerifyingNameChaining, | 214 PkitsTest03VerifyingNameChaining, |
| 196 VerifyCertificateChainPkitsTestDelegate); | 215 PathBuilderPkitsTestDelegate); |
| 197 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 216 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 198 PkitsTest06VerifyingBasicConstraints, | 217 PkitsTest06VerifyingBasicConstraints, |
| 199 VerifyCertificateChainPkitsTestDelegate); | 218 PathBuilderPkitsTestDelegate); |
| 200 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 219 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 201 PkitsTest07KeyUsage, | 220 PkitsTest07KeyUsage, |
| 202 VerifyCertificateChainPkitsTestDelegate); | 221 PathBuilderPkitsTestDelegate); |
| 203 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 222 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 204 PkitsTest13NameConstraints, | 223 PkitsTest13NameConstraints, |
| 205 VerifyCertificateChainPkitsTestDelegate); | 224 PathBuilderPkitsTestDelegate); |
| 206 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 225 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
| 207 PkitsTest16PrivateCertificateExtensions, | 226 PkitsTest16PrivateCertificateExtensions, |
| 208 VerifyCertificateChainPkitsTestDelegate); | 227 PathBuilderPkitsTestDelegate); |
| 209 | 228 |
| 210 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 229 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
| 211 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 230 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
| 212 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 231 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
| 213 | 232 |
| 214 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, | 233 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, |
| 215 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, | 234 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, |
| 216 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy | 235 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy |
| 217 | 236 |
| 218 } // namespace net | 237 } // namespace net |
| OLD | NEW |
