| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | |
| 8 #include "base/files/file_util.h" | |
| 9 #include "base/path_service.h" | |
| 10 #include "base/strings/string_split.h" | |
| 11 #include "base/strings/string_util.h" | |
| 12 #include "base/strings/stringprintf.h" | |
| 13 #include "net/cert/internal/parsed_certificate.h" | |
| 14 #include "net/cert/internal/signature_policy.h" | 7 #include "net/cert/internal/signature_policy.h" |
| 15 #include "net/cert/internal/test_helpers.h" | |
| 16 #include "net/cert/internal/trust_store.h" | 8 #include "net/cert/internal/trust_store.h" |
| 17 #include "net/cert/pem_tokenizer.h" | 9 #include "net/cert/internal/verify_certificate_chain_typed_unittest.h" |
| 18 #include "net/der/input.h" | |
| 19 #include "testing/gtest/include/gtest/gtest.h" | |
| 20 | 10 |
| 21 namespace net { | 11 namespace net { |
| 22 | 12 |
| 23 namespace { | 13 namespace { |
| 24 | 14 |
| 25 // Reads a data file from the unit-test data. | 15 class VerifyCertificateChainAssumingTrustedRootDelegate { |
| 26 std::string ReadTestFileToString(const std::string& file_name) { | 16 public: |
| 27 // Compute the full path, relative to the src/ directory. | 17 static void Verify(const std::vector<scoped_refptr<ParsedCertificate>>& chain, |
| 28 base::FilePath src_root; | 18 const std::vector<scoped_refptr<ParsedCertificate>>& roots, |
| 29 PathService::Get(base::DIR_SOURCE_ROOT, &src_root); | 19 const der::GeneralizedTime& time, |
| 30 base::FilePath filepath = src_root.AppendASCII( | 20 bool expected_result) { |
| 31 std::string("net/data/verify_certificate_chain_unittest/") + file_name); | 21 TrustStore trust_store; |
| 22 ASSERT_EQ(1U, roots.size()); |
| 23 trust_store.AddTrustedCertificate(roots[0]); |
| 32 | 24 |
| 33 // Read the full contents of the file. | 25 std::vector<scoped_refptr<ParsedCertificate>> full_chain(chain); |
| 34 std::string file_data; | 26 full_chain.push_back(roots[0]); |
| 35 if (!base::ReadFileToString(filepath, &file_data)) { | 27 |
| 36 ADD_FAILURE() << "Couldn't read file: " << filepath.value(); | 28 SimpleSignaturePolicy signature_policy(1024); |
| 37 return std::string(); | 29 |
| 30 bool result = VerifyCertificateChainAssumingTrustedRoot( |
| 31 full_chain, trust_store, &signature_policy, time); |
| 32 |
| 33 ASSERT_EQ(expected_result, result); |
| 38 } | 34 } |
| 39 | 35 }; |
| 40 return file_data; | |
| 41 } | |
| 42 | |
| 43 // Reads a test case from |file_name|. Test cases are comprised of a | |
| 44 // certificate chain, trust store, a timestamp to validate at, and the | |
| 45 // expected result of verification. | |
| 46 void ReadTestFromFile(const std::string& file_name, | |
| 47 std::vector<std::string>* chain, | |
| 48 TrustStore* trust_store, | |
| 49 der::GeneralizedTime* time, | |
| 50 bool* verify_result) { | |
| 51 chain->clear(); | |
| 52 trust_store->Clear(); | |
| 53 | |
| 54 std::string file_data = ReadTestFileToString(file_name); | |
| 55 | |
| 56 std::vector<std::string> pem_headers; | |
| 57 | |
| 58 const char kCertificateHeader[] = "CERTIFICATE"; | |
| 59 const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE"; | |
| 60 const char kTimeHeader[] = "TIME"; | |
| 61 const char kResultHeader[] = "VERIFY_RESULT"; | |
| 62 | |
| 63 pem_headers.push_back(kCertificateHeader); | |
| 64 pem_headers.push_back(kTrustedCertificateHeader); | |
| 65 pem_headers.push_back(kTimeHeader); | |
| 66 pem_headers.push_back(kResultHeader); | |
| 67 | |
| 68 bool has_time = false; | |
| 69 bool has_result = false; | |
| 70 | |
| 71 PEMTokenizer pem_tokenizer(file_data, pem_headers); | |
| 72 while (pem_tokenizer.GetNext()) { | |
| 73 const std::string& block_type = pem_tokenizer.block_type(); | |
| 74 const std::string& block_data = pem_tokenizer.data(); | |
| 75 | |
| 76 if (block_type == kCertificateHeader) { | |
| 77 chain->push_back(block_data); | |
| 78 } else if (block_type == kTrustedCertificateHeader) { | |
| 79 scoped_refptr<ParsedCertificate> cert( | |
| 80 ParsedCertificate::CreateFromCertificateCopy(block_data, {})); | |
| 81 ASSERT_TRUE(cert); | |
| 82 trust_store->AddTrustedCertificate(std::move(cert)); | |
| 83 } else if (block_type == kTimeHeader) { | |
| 84 ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader; | |
| 85 has_time = true; | |
| 86 ASSERT_TRUE(der::ParseUTCTime(der::Input(&block_data), time)); | |
| 87 } else if (block_type == kResultHeader) { | |
| 88 ASSERT_FALSE(has_result) << "Duplicate " << kResultHeader; | |
| 89 ASSERT_TRUE(block_data == "SUCCESS" || block_data == "FAIL") | |
| 90 << "Unrecognized result: " << block_data; | |
| 91 has_result = true; | |
| 92 *verify_result = block_data == "SUCCESS"; | |
| 93 } | |
| 94 } | |
| 95 | |
| 96 ASSERT_TRUE(has_time); | |
| 97 ASSERT_TRUE(has_result); | |
| 98 } | |
| 99 | |
| 100 void RunTest(const char* file_name) { | |
| 101 std::vector<std::string> chain; | |
| 102 TrustStore trust_store; | |
| 103 der::GeneralizedTime time; | |
| 104 bool expected_result; | |
| 105 | |
| 106 ReadTestFromFile(file_name, &chain, &trust_store, &time, &expected_result); | |
| 107 | |
| 108 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | |
| 109 for (const auto& cert_der : chain) { | |
| 110 ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector( | |
| 111 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), | |
| 112 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {}, | |
| 113 &input_chain)); | |
| 114 } | |
| 115 | |
| 116 SimpleSignaturePolicy signature_policy(1024); | |
| 117 | |
| 118 std::vector<scoped_refptr<ParsedCertificate>> trusted_chain; | |
| 119 bool result = VerifyCertificateChain(input_chain, trust_store, | |
| 120 &signature_policy, time, &trusted_chain); | |
| 121 if (result) { | |
| 122 ASSERT_EQ(trusted_chain.size(), input_chain.size() + 1); | |
| 123 ASSERT_TRUE(std::equal(input_chain.begin(), input_chain.end(), | |
| 124 trusted_chain.begin())); | |
| 125 ASSERT_TRUE(trust_store.IsTrustedCertificate(trusted_chain.back().get())); | |
| 126 } else { | |
| 127 ASSERT_EQ(trusted_chain.size(), 0u); | |
| 128 } | |
| 129 | |
| 130 ASSERT_EQ(expected_result, result); | |
| 131 } | |
| 132 | |
| 133 TEST(VerifyCertificateChainTest, TargetAndIntermediary) { | |
| 134 RunTest("target-and-intermediary.pem"); | |
| 135 } | |
| 136 | |
| 137 TEST(VerifyCertificateChainTest, UnknownRoot) { | |
| 138 RunTest("unknown-root.pem"); | |
| 139 } | |
| 140 | |
| 141 TEST(VerifyCertificateChainTest, IntermediaryLacksBasicConstraints) { | |
| 142 RunTest("intermediary-lacks-basic-constraints.pem"); | |
| 143 } | |
| 144 | |
| 145 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsCaFalse) { | |
| 146 RunTest("intermediary-basic-constraints-ca-false.pem"); | |
| 147 } | |
| 148 | |
| 149 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsNotCritical) { | |
| 150 RunTest("intermediary-basic-constraints-not-critical.pem"); | |
| 151 } | |
| 152 | |
| 153 TEST(VerifyCertificateChainTest, IntermediaryLacksSigningKeyUsage) { | |
| 154 RunTest("intermediary-lacks-signing-key-usage.pem"); | |
| 155 } | |
| 156 | |
| 157 TEST(VerifyCertificateChainTest, IntermediaryUnknownCriticalExtension) { | |
| 158 RunTest("intermediary-unknown-critical-extension.pem"); | |
| 159 } | |
| 160 | |
| 161 TEST(VerifyCertificateChainTest, IntermediaryUnknownNonCriticalExtension) { | |
| 162 RunTest("intermediary-unknown-non-critical-extension.pem"); | |
| 163 } | |
| 164 | |
| 165 TEST(VerifyCertificateChainTest, ViolatesBasicConstraintsPathlen0) { | |
| 166 RunTest("violates-basic-constraints-pathlen-0.pem"); | |
| 167 } | |
| 168 | |
| 169 TEST(VerifyCertificateChainTest, BasicConstraintsPathlen0SelfIssued) { | |
| 170 RunTest("basic-constraints-pathlen-0-self-issued.pem"); | |
| 171 } | |
| 172 | |
| 173 TEST(VerifyCertificateChainTest, TargetSignedWithMd5) { | |
| 174 RunTest("target-signed-with-md5.pem"); | |
| 175 } | |
| 176 | |
| 177 TEST(VerifyCertificateChainTest, IntermediarySignedWithMd5) { | |
| 178 RunTest("intermediary-signed-with-md5.pem"); | |
| 179 } | |
| 180 | |
| 181 TEST(VerifyCertificateChainTest, TargetWrongSignature) { | |
| 182 RunTest("target-wrong-signature.pem"); | |
| 183 } | |
| 184 | |
| 185 TEST(VerifyCertificateChainTest, TargetSignedBy512bitRsa) { | |
| 186 RunTest("target-signed-by-512bit-rsa.pem"); | |
| 187 } | |
| 188 | |
| 189 TEST(VerifyCertificateChainTest, TargetSignedUsingEcdsa) { | |
| 190 RunTest("target-signed-using-ecdsa.pem"); | |
| 191 } | |
| 192 | |
| 193 TEST(VerifyCertificateChainTest, ExpiredIntermediary) { | |
| 194 RunTest("expired-intermediary.pem"); | |
| 195 } | |
| 196 | |
| 197 TEST(VerifyCertificateChainTest, ExpiredTarget) { | |
| 198 RunTest("expired-target.pem"); | |
| 199 } | |
| 200 | |
| 201 TEST(VerifyCertificateChainTest, ExpiredTargetNotBefore) { | |
| 202 RunTest("expired-target-notBefore.pem"); | |
| 203 } | |
| 204 | |
| 205 TEST(VerifyCertificateChainTest, ExpiredRoot) { | |
| 206 RunTest("expired-root.pem"); | |
| 207 } | |
| 208 | |
| 209 TEST(VerifyCertificateChainTest, TargetNotEndEntity) { | |
| 210 RunTest("target-not-end-entity.pem"); | |
| 211 } | |
| 212 | |
| 213 TEST(VerifyCertificateChainTest, TargetHasKeyCertSignButNotCa) { | |
| 214 RunTest("target-has-keycertsign-but-not-ca.pem"); | |
| 215 } | |
| 216 | |
| 217 TEST(VerifyCertificateChainTest, TargetHasPathlenButNotCa) { | |
| 218 RunTest("target-has-pathlen-but-not-ca.pem"); | |
| 219 } | |
| 220 | |
| 221 TEST(VerifyCertificateChainTest, TargetUnknownCriticalExtension) { | |
| 222 RunTest("target-unknown-critical-extension.pem"); | |
| 223 } | |
| 224 | |
| 225 TEST(VerifyCertificateChainTest, IssuerAndSubjectNotByteForByteEqual) { | |
| 226 RunTest("issuer-and-subject-not-byte-for-byte-equal.pem"); | |
| 227 } | |
| 228 | |
| 229 TEST(VerifyCertificateChainTest, IssuerAndSubjectNotByteForByteEqualAnchor) { | |
| 230 RunTest("issuer-and-subject-not-byte-for-byte-equal-anchor.pem"); | |
| 231 } | |
| 232 | |
| 233 TEST(VerifyCertificateChainTest, ViolatesPathlen1Root) { | |
| 234 RunTest("violates-pathlen-1-root.pem"); | |
| 235 } | |
| 236 | |
| 237 TEST(VerifyCertificateChainTest, NonSelfSignedRoot) { | |
| 238 RunTest("non-self-signed-root.pem"); | |
| 239 } | |
| 240 | |
| 241 // Tests that verifying a chain with no certificates fails. | |
| 242 TEST(VerifyCertificateChainTest, EmptyChainIsInvalid) { | |
| 243 TrustStore trust_store; | |
| 244 der::GeneralizedTime time; | |
| 245 std::vector<scoped_refptr<ParsedCertificate>> chain; | |
| 246 SimpleSignaturePolicy signature_policy(2048); | |
| 247 | |
| 248 ASSERT_FALSE(VerifyCertificateChain(chain, trust_store, &signature_policy, | |
| 249 time, nullptr)); | |
| 250 } | |
| 251 | |
| 252 // TODO(eroman): Add test that invalidate validity dates where the day or month | |
| 253 // ordinal not in range, like "March 39, 2016" are rejected. | |
| 254 | 36 |
| 255 } // namespace | 37 } // namespace |
| 256 | 38 |
| 39 INSTANTIATE_TYPED_TEST_CASE_P( |
| 40 VerifyCertificateChainAssumingTrustedRoot, |
| 41 VerifyCertificateChainSingleRootTest, |
| 42 VerifyCertificateChainAssumingTrustedRootDelegate); |
| 43 |
| 257 } // namespace net | 44 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1923433002:
Certificate path builder for new certificate verification library (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master