OLD | NEW |
---|---|
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/path_builder.h" |
6 | 6 |
7 #include "net/base/net_errors.h" | |
8 #include "net/cert/internal/cert_issuer_source_static.h" | |
9 #include "net/cert/internal/parse_certificate.h" | |
7 #include "net/cert/internal/parsed_certificate.h" | 10 #include "net/cert/internal/parsed_certificate.h" |
8 #include "net/cert/internal/signature_policy.h" | 11 #include "net/cert/internal/signature_policy.h" |
9 #include "net/cert/internal/trust_store.h" | 12 #include "net/cert/internal/trust_store.h" |
13 #include "net/cert/internal/verify_certificate_chain.h" | |
10 #include "net/der/input.h" | 14 #include "net/der/input.h" |
11 | 15 |
12 // Disable tests that require DSA signatures (DSA signatures are intentionally | 16 // Disable tests that require DSA signatures (DSA signatures are intentionally |
13 // unsupported). Custom versions of the DSA tests are defined below which expect | 17 // unsupported). Custom versions of the DSA tests are defined below which expect |
14 // verification to fail. | 18 // verification to fail. |
15 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 | 19 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 |
16 #define Section1ValidDSAParameterInheritanceTest5 \ | 20 #define Section1ValidDSAParameterInheritanceTest5 \ |
17 DISABLED_Section1ValidDSAParameterInheritanceTest5 | 21 DISABLED_Section1ValidDSAParameterInheritanceTest5 |
18 | 22 |
19 // Disable tests that require name constraints with name types that are | 23 // Disable tests that require name constraints with name types that are |
(...skipping 17 matching lines...) Expand all Loading... | |
37 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 | 41 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
38 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ | 42 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ |
39 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 43 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
40 | 44 |
41 #include "net/cert/internal/nist_pkits_unittest.h" | 45 #include "net/cert/internal/nist_pkits_unittest.h" |
42 | 46 |
43 namespace net { | 47 namespace net { |
44 | 48 |
45 namespace { | 49 namespace { |
46 | 50 |
47 class VerifyCertificateChainPkitsTestDelegate { | 51 using CertVector = std::vector<scoped_refptr<ParsedCertificate>>; |
eroman
2016/06/27 19:58:52
This seems generally useful enough to have a net::
mattm
2016/06/27 23:45:45
Done.
| |
52 | |
53 class PathBuilderPkitsTestDelegate { | |
48 public: | 54 public: |
49 static bool Verify(std::vector<std::string> cert_ders, | 55 static bool Verify(std::vector<std::string> cert_ders, |
50 std::vector<std::string> crl_ders) { | 56 std::vector<std::string> crl_ders) { |
51 if (cert_ders.empty()) { | 57 if (cert_ders.empty()) { |
52 ADD_FAILURE() << "cert_ders is empty"; | 58 ADD_FAILURE() << "cert_ders is empty"; |
53 return false; | 59 return false; |
54 } | 60 } |
55 // First entry in the PKITS chain is the trust anchor. | 61 CertVector certs; |
56 TrustStore trust_store; | 62 for (const std::string& der : cert_ders) { |
57 scoped_refptr<ParsedCertificate> anchor( | 63 certs.push_back(ParsedCertificate::CreateFromCertificateCopy(der, {})); |
58 ParsedCertificate::CreateFromCertificateCopy(cert_ders[0], {})); | 64 if (!certs.back()) { |
59 EXPECT_TRUE(anchor); | 65 ADD_FAILURE() << "ParsedCertificate::CreateFromCertificateCopy failed"; |
60 if (anchor) | |
61 trust_store.AddTrustedCertificate(std::move(anchor)); | |
62 | |
63 // PKITS lists chains from trust anchor to target, VerifyCertificateChain | |
64 // takes them starting with the target and not including the trust anchor. | |
65 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | |
66 for (size_t i = cert_ders.size() - 1; i > 0; --i) { | |
67 if (!net::ParsedCertificate::CreateAndAddToVector( | |
68 reinterpret_cast<const uint8_t*>(cert_ders[i].data()), | |
69 cert_ders[i].size(), | |
70 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {}, | |
71 &input_chain)) { | |
72 ADD_FAILURE() << "cert " << i << " failed to parse"; | |
73 return false; | 66 return false; |
74 } | 67 } |
75 } | 68 } |
69 // First entry in the PKITS chain is the trust anchor. | |
70 // TODO(mattm): test with all possible trust anchors in the trust store? | |
71 TrustStore trust_store; | |
72 trust_store.AddTrustedCertificate(certs[0]); | |
73 | |
74 // TODO(mattm): test with other irrelevant certs in cert_issuer_sources? | |
75 CertIssuerSourceStatic cert_issuer_source; | |
76 for (size_t i = 1; i < cert_ders.size() - 1; ++i) | |
77 cert_issuer_source.AddCert(certs[i]); | |
78 | |
79 scoped_refptr<ParsedCertificate> target_cert(certs.back()); | |
76 | 80 |
77 SimpleSignaturePolicy signature_policy(1024); | 81 SimpleSignaturePolicy signature_policy(1024); |
78 | 82 |
79 // Run all tests at the time the PKITS was published. | 83 // Run all tests at the time the PKITS was published. |
80 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; | 84 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; |
81 | 85 |
82 return VerifyCertificateChain(input_chain, trust_store, &signature_policy, | 86 CertPathBuilder::Result result; |
83 time, nullptr); | 87 CertPathBuilder path_builder(std::move(target_cert), &trust_store, |
88 &signature_policy, time, &result); | |
89 path_builder.AddCertIssuerSource(&cert_issuer_source); | |
90 | |
91 CompletionStatus rv = path_builder.Run(base::Closure()); | |
92 EXPECT_EQ(CompletionStatus::SYNC, rv); | |
93 | |
94 return result.is_success(); | |
84 } | 95 } |
85 }; | 96 }; |
86 | 97 |
87 } // namespace | 98 } // namespace |
88 | 99 |
89 class PkitsTest01SignatureVerificationCustom | 100 class PkitsTest01SignatureVerificationCustomPathBuilderFoo |
90 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 101 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
91 | 102 |
92 // Modified version of 4.1.4 Valid DSA Signatures Test4 | 103 // Modified version of 4.1.4 Valid DSA Signatures Test4 |
93 TEST_F(PkitsTest01SignatureVerificationCustom, | 104 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
94 Section1ValidDSASignaturesTest4Custom) { | 105 Section1ValidDSASignaturesTest4Custom) { |
95 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 106 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
96 "ValidDSASignaturesTest4EE"}; | 107 "ValidDSASignaturesTest4EE"}; |
97 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | 108 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; |
98 // DSA signatures are intentionally unsupported. | 109 // DSA signatures are intentionally unsupported. |
99 ASSERT_FALSE(this->Verify(certs, crls)); | 110 ASSERT_FALSE(this->Verify(certs, crls)); |
100 } | 111 } |
101 | 112 |
102 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | 113 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 |
103 TEST_F(PkitsTest01SignatureVerificationCustom, | 114 TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo, |
104 Section1ValidDSAParameterInheritanceTest5Custom) { | 115 Section1ValidDSAParameterInheritanceTest5Custom) { |
105 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 116 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
106 "DSAParametersInheritedCACert", | 117 "DSAParametersInheritedCACert", |
107 "ValidDSAParameterInheritanceTest5EE"}; | 118 "ValidDSAParameterInheritanceTest5EE"}; |
108 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | 119 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", |
109 "DSAParametersInheritedCACRL"}; | 120 "DSAParametersInheritedCACRL"}; |
110 // DSA signatures are intentionally unsupported. | 121 // DSA signatures are intentionally unsupported. |
111 ASSERT_FALSE(this->Verify(certs, crls)); | 122 ASSERT_FALSE(this->Verify(certs, crls)); |
112 } | 123 } |
113 | 124 |
114 class PkitsTest13SignatureVerificationCustom | 125 class PkitsTest13SignatureVerificationCustomPathBuilderFoo |
115 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 126 : public PkitsTest<PathBuilderPkitsTestDelegate> {}; |
116 | 127 |
117 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | 128 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 |
118 TEST_F(PkitsTest13SignatureVerificationCustom, | 129 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
119 Section13ValidRFC822nameConstraintsTest21Custom) { | 130 Section13ValidRFC822nameConstraintsTest21Custom) { |
120 const char* const certs[] = {"TrustAnchorRootCertificate", | 131 const char* const certs[] = {"TrustAnchorRootCertificate", |
121 "nameConstraintsRFC822CA1Cert", | 132 "nameConstraintsRFC822CA1Cert", |
122 "ValidRFC822nameConstraintsTest21EE"}; | 133 "ValidRFC822nameConstraintsTest21EE"}; |
123 const char* const crls[] = {"TrustAnchorRootCRL", | 134 const char* const crls[] = {"TrustAnchorRootCRL", |
124 "nameConstraintsRFC822CA1CRL"}; | 135 "nameConstraintsRFC822CA1CRL"}; |
125 // Name constraints on rfc822Names are not supported. | 136 // Name constraints on rfc822Names are not supported. |
126 ASSERT_FALSE(this->Verify(certs, crls)); | 137 ASSERT_FALSE(this->Verify(certs, crls)); |
127 } | 138 } |
128 | 139 |
129 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | 140 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 |
130 TEST_F(PkitsTest13SignatureVerificationCustom, | 141 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
131 Section13ValidRFC822nameConstraintsTest23Custom) { | 142 Section13ValidRFC822nameConstraintsTest23Custom) { |
132 const char* const certs[] = {"TrustAnchorRootCertificate", | 143 const char* const certs[] = {"TrustAnchorRootCertificate", |
133 "nameConstraintsRFC822CA2Cert", | 144 "nameConstraintsRFC822CA2Cert", |
134 "ValidRFC822nameConstraintsTest23EE"}; | 145 "ValidRFC822nameConstraintsTest23EE"}; |
135 const char* const crls[] = {"TrustAnchorRootCRL", | 146 const char* const crls[] = {"TrustAnchorRootCRL", |
136 "nameConstraintsRFC822CA2CRL"}; | 147 "nameConstraintsRFC822CA2CRL"}; |
137 // Name constraints on rfc822Names are not supported. | 148 // Name constraints on rfc822Names are not supported. |
138 ASSERT_FALSE(this->Verify(certs, crls)); | 149 ASSERT_FALSE(this->Verify(certs, crls)); |
139 } | 150 } |
140 | 151 |
141 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | 152 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 |
142 TEST_F(PkitsTest13SignatureVerificationCustom, | 153 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
143 Section13ValidRFC822nameConstraintsTest25Custom) { | 154 Section13ValidRFC822nameConstraintsTest25Custom) { |
144 const char* const certs[] = {"TrustAnchorRootCertificate", | 155 const char* const certs[] = {"TrustAnchorRootCertificate", |
145 "nameConstraintsRFC822CA3Cert", | 156 "nameConstraintsRFC822CA3Cert", |
146 "ValidRFC822nameConstraintsTest25EE"}; | 157 "ValidRFC822nameConstraintsTest25EE"}; |
147 const char* const crls[] = {"TrustAnchorRootCRL", | 158 const char* const crls[] = {"TrustAnchorRootCRL", |
148 "nameConstraintsRFC822CA3CRL"}; | 159 "nameConstraintsRFC822CA3CRL"}; |
149 // Name constraints on rfc822Names are not supported. | 160 // Name constraints on rfc822Names are not supported. |
150 ASSERT_FALSE(this->Verify(certs, crls)); | 161 ASSERT_FALSE(this->Verify(certs, crls)); |
151 } | 162 } |
152 | 163 |
153 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | 164 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 |
154 TEST_F(PkitsTest13SignatureVerificationCustom, | 165 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
155 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | 166 Section13ValidDNandRFC822nameConstraintsTest27Custom) { |
156 const char* const certs[] = {"TrustAnchorRootCertificate", | 167 const char* const certs[] = {"TrustAnchorRootCertificate", |
157 "nameConstraintsDN1CACert", | 168 "nameConstraintsDN1CACert", |
158 "nameConstraintsDN1subCA3Cert", | 169 "nameConstraintsDN1subCA3Cert", |
159 "ValidDNandRFC822nameConstraintsTest27EE"}; | 170 "ValidDNandRFC822nameConstraintsTest27EE"}; |
160 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | 171 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", |
161 "nameConstraintsDN1subCA3CRL"}; | 172 "nameConstraintsDN1subCA3CRL"}; |
162 // Name constraints on rfc822Names are not supported. | 173 // Name constraints on rfc822Names are not supported. |
163 ASSERT_FALSE(this->Verify(certs, crls)); | 174 ASSERT_FALSE(this->Verify(certs, crls)); |
164 } | 175 } |
165 | 176 |
166 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | 177 // Modified version of 4.13.34 Valid URI nameConstraints Test34 |
167 TEST_F(PkitsTest13SignatureVerificationCustom, | 178 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
168 Section13ValidURInameConstraintsTest34Custom) { | 179 Section13ValidURInameConstraintsTest34Custom) { |
169 const char* const certs[] = {"TrustAnchorRootCertificate", | 180 const char* const certs[] = {"TrustAnchorRootCertificate", |
170 "nameConstraintsURI1CACert", | 181 "nameConstraintsURI1CACert", |
171 "ValidURInameConstraintsTest34EE"}; | 182 "ValidURInameConstraintsTest34EE"}; |
172 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | 183 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; |
173 // Name constraints on uniformResourceIdentifiers are not supported. | 184 // Name constraints on uniformResourceIdentifiers are not supported. |
174 ASSERT_FALSE(this->Verify(certs, crls)); | 185 ASSERT_FALSE(this->Verify(certs, crls)); |
175 } | 186 } |
176 | 187 |
177 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | 188 // Modified version of 4.13.36 Valid URI nameConstraints Test36 |
178 TEST_F(PkitsTest13SignatureVerificationCustom, | 189 TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo, |
179 Section13ValidURInameConstraintsTest36Custom) { | 190 Section13ValidURInameConstraintsTest36Custom) { |
180 const char* const certs[] = {"TrustAnchorRootCertificate", | 191 const char* const certs[] = {"TrustAnchorRootCertificate", |
181 "nameConstraintsURI2CACert", | 192 "nameConstraintsURI2CACert", |
182 "ValidURInameConstraintsTest36EE"}; | 193 "ValidURInameConstraintsTest36EE"}; |
183 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | 194 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; |
184 // Name constraints on uniformResourceIdentifiers are not supported. | 195 // Name constraints on uniformResourceIdentifiers are not supported. |
185 ASSERT_FALSE(this->Verify(certs, crls)); | 196 ASSERT_FALSE(this->Verify(certs, crls)); |
186 } | 197 } |
187 | 198 |
188 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 199 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
189 PkitsTest01SignatureVerification, | 200 PkitsTest01SignatureVerification, |
190 VerifyCertificateChainPkitsTestDelegate); | 201 PathBuilderPkitsTestDelegate); |
191 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 202 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
192 PkitsTest02ValidityPeriods, | 203 PkitsTest02ValidityPeriods, |
193 VerifyCertificateChainPkitsTestDelegate); | 204 PathBuilderPkitsTestDelegate); |
194 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 205 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
195 PkitsTest03VerifyingNameChaining, | 206 PkitsTest03VerifyingNameChaining, |
196 VerifyCertificateChainPkitsTestDelegate); | 207 PathBuilderPkitsTestDelegate); |
197 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 208 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
198 PkitsTest06VerifyingBasicConstraints, | 209 PkitsTest06VerifyingBasicConstraints, |
199 VerifyCertificateChainPkitsTestDelegate); | 210 PathBuilderPkitsTestDelegate); |
200 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 211 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
201 PkitsTest07KeyUsage, | 212 PkitsTest07KeyUsage, |
202 VerifyCertificateChainPkitsTestDelegate); | 213 PathBuilderPkitsTestDelegate); |
203 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 214 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
204 PkitsTest13NameConstraints, | 215 PkitsTest13NameConstraints, |
205 VerifyCertificateChainPkitsTestDelegate); | 216 PathBuilderPkitsTestDelegate); |
206 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 217 INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder, |
207 PkitsTest16PrivateCertificateExtensions, | 218 PkitsTest16PrivateCertificateExtensions, |
208 VerifyCertificateChainPkitsTestDelegate); | 219 PathBuilderPkitsTestDelegate); |
209 | 220 |
210 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 221 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
211 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 222 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
212 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 223 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
213 | 224 |
214 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, | 225 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, |
215 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, | 226 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, |
216 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy | 227 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy |
217 | 228 |
218 } // namespace net | 229 } // namespace net |
OLD | NEW |