OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
6 | 6 |
7 #include "base/base_paths.h" | |
8 #include "base/files/file_util.h" | |
9 #include "base/path_service.h" | |
10 #include "base/strings/string_split.h" | |
11 #include "base/strings/string_util.h" | |
12 #include "base/strings/stringprintf.h" | |
13 #include "net/cert/internal/parsed_certificate.h" | |
14 #include "net/cert/internal/signature_policy.h" | 7 #include "net/cert/internal/signature_policy.h" |
15 #include "net/cert/internal/test_helpers.h" | |
16 #include "net/cert/internal/trust_store.h" | 8 #include "net/cert/internal/trust_store.h" |
17 #include "net/cert/pem_tokenizer.h" | 9 #include "net/cert/internal/verify_certificate_chain_typed_unittest.h" |
18 #include "net/der/input.h" | |
19 #include "testing/gtest/include/gtest/gtest.h" | |
20 | 10 |
21 namespace net { | 11 namespace net { |
22 | 12 |
23 namespace { | 13 namespace { |
24 | 14 |
25 // Reads a data file from the unit-test data. | 15 class VerifyCertificateChainAssumingTrustedRootDelegate { |
26 std::string ReadTestFileToString(const std::string& file_name) { | 16 public: |
27 // Compute the full path, relative to the src/ directory. | 17 static void Verify(const std::vector<scoped_refptr<ParsedCertificate>>& chain, |
28 base::FilePath src_root; | 18 const std::vector<scoped_refptr<ParsedCertificate>>& roots, |
29 PathService::Get(base::DIR_SOURCE_ROOT, &src_root); | 19 const der::GeneralizedTime& time, |
30 base::FilePath filepath = src_root.AppendASCII( | 20 bool expected_result) { |
31 std::string("net/data/verify_certificate_chain_unittest/") + file_name); | 21 TrustStore trust_store; |
| 22 ASSERT_EQ(1U, roots.size()); |
| 23 trust_store.AddTrustedCertificate(roots[0]); |
32 | 24 |
33 // Read the full contents of the file. | 25 std::vector<scoped_refptr<ParsedCertificate>> full_chain(chain); |
34 std::string file_data; | 26 full_chain.push_back(roots[0]); |
35 if (!base::ReadFileToString(filepath, &file_data)) { | 27 |
36 ADD_FAILURE() << "Couldn't read file: " << filepath.value(); | 28 SimpleSignaturePolicy signature_policy(1024); |
37 return std::string(); | 29 |
| 30 bool result = VerifyCertificateChainAssumingTrustedRoot( |
| 31 full_chain, trust_store, &signature_policy, time); |
| 32 |
| 33 ASSERT_EQ(expected_result, result); |
38 } | 34 } |
39 | 35 }; |
40 return file_data; | |
41 } | |
42 | |
43 // Reads a test case from |file_name|. Test cases are comprised of a | |
44 // certificate chain, trust store, a timestamp to validate at, and the | |
45 // expected result of verification. | |
46 void ReadTestFromFile(const std::string& file_name, | |
47 std::vector<std::string>* chain, | |
48 TrustStore* trust_store, | |
49 der::GeneralizedTime* time, | |
50 bool* verify_result) { | |
51 chain->clear(); | |
52 trust_store->Clear(); | |
53 | |
54 std::string file_data = ReadTestFileToString(file_name); | |
55 | |
56 std::vector<std::string> pem_headers; | |
57 | |
58 const char kCertificateHeader[] = "CERTIFICATE"; | |
59 const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE"; | |
60 const char kTimeHeader[] = "TIME"; | |
61 const char kResultHeader[] = "VERIFY_RESULT"; | |
62 | |
63 pem_headers.push_back(kCertificateHeader); | |
64 pem_headers.push_back(kTrustedCertificateHeader); | |
65 pem_headers.push_back(kTimeHeader); | |
66 pem_headers.push_back(kResultHeader); | |
67 | |
68 bool has_time = false; | |
69 bool has_result = false; | |
70 | |
71 PEMTokenizer pem_tokenizer(file_data, pem_headers); | |
72 while (pem_tokenizer.GetNext()) { | |
73 const std::string& block_type = pem_tokenizer.block_type(); | |
74 const std::string& block_data = pem_tokenizer.data(); | |
75 | |
76 if (block_type == kCertificateHeader) { | |
77 chain->push_back(block_data); | |
78 } else if (block_type == kTrustedCertificateHeader) { | |
79 scoped_refptr<ParsedCertificate> cert( | |
80 ParsedCertificate::CreateFromCertificateCopy(block_data, {})); | |
81 ASSERT_TRUE(cert); | |
82 trust_store->AddTrustedCertificate(std::move(cert)); | |
83 } else if (block_type == kTimeHeader) { | |
84 ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader; | |
85 has_time = true; | |
86 ASSERT_TRUE(der::ParseUTCTime(der::Input(&block_data), time)); | |
87 } else if (block_type == kResultHeader) { | |
88 ASSERT_FALSE(has_result) << "Duplicate " << kResultHeader; | |
89 ASSERT_TRUE(block_data == "SUCCESS" || block_data == "FAIL") | |
90 << "Unrecognized result: " << block_data; | |
91 has_result = true; | |
92 *verify_result = block_data == "SUCCESS"; | |
93 } | |
94 } | |
95 | |
96 ASSERT_TRUE(has_time); | |
97 ASSERT_TRUE(has_result); | |
98 } | |
99 | |
100 void RunTest(const char* file_name) { | |
101 std::vector<std::string> chain; | |
102 TrustStore trust_store; | |
103 der::GeneralizedTime time; | |
104 bool expected_result; | |
105 | |
106 ReadTestFromFile(file_name, &chain, &trust_store, &time, &expected_result); | |
107 | |
108 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | |
109 for (const auto& cert_der : chain) { | |
110 ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector( | |
111 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), | |
112 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {}, | |
113 &input_chain)); | |
114 } | |
115 | |
116 SimpleSignaturePolicy signature_policy(1024); | |
117 | |
118 std::vector<scoped_refptr<ParsedCertificate>> trusted_chain; | |
119 bool result = VerifyCertificateChain(input_chain, trust_store, | |
120 &signature_policy, time, &trusted_chain); | |
121 if (result) { | |
122 ASSERT_EQ(trusted_chain.size(), input_chain.size() + 1); | |
123 ASSERT_TRUE(std::equal(input_chain.begin(), input_chain.end(), | |
124 trusted_chain.begin())); | |
125 ASSERT_TRUE(trust_store.IsTrustedCertificate(trusted_chain.back().get())); | |
126 } else { | |
127 ASSERT_EQ(trusted_chain.size(), 0u); | |
128 } | |
129 | |
130 ASSERT_EQ(expected_result, result); | |
131 } | |
132 | |
133 TEST(VerifyCertificateChainTest, TargetAndIntermediary) { | |
134 RunTest("target-and-intermediary.pem"); | |
135 } | |
136 | |
137 TEST(VerifyCertificateChainTest, UnknownRoot) { | |
138 RunTest("unknown-root.pem"); | |
139 } | |
140 | |
141 TEST(VerifyCertificateChainTest, IntermediaryLacksBasicConstraints) { | |
142 RunTest("intermediary-lacks-basic-constraints.pem"); | |
143 } | |
144 | |
145 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsCaFalse) { | |
146 RunTest("intermediary-basic-constraints-ca-false.pem"); | |
147 } | |
148 | |
149 TEST(VerifyCertificateChainTest, IntermediaryBasicConstraintsNotCritical) { | |
150 RunTest("intermediary-basic-constraints-not-critical.pem"); | |
151 } | |
152 | |
153 TEST(VerifyCertificateChainTest, IntermediaryLacksSigningKeyUsage) { | |
154 RunTest("intermediary-lacks-signing-key-usage.pem"); | |
155 } | |
156 | |
157 TEST(VerifyCertificateChainTest, IntermediaryUnknownCriticalExtension) { | |
158 RunTest("intermediary-unknown-critical-extension.pem"); | |
159 } | |
160 | |
161 TEST(VerifyCertificateChainTest, IntermediaryUnknownNonCriticalExtension) { | |
162 RunTest("intermediary-unknown-non-critical-extension.pem"); | |
163 } | |
164 | |
165 TEST(VerifyCertificateChainTest, ViolatesBasicConstraintsPathlen0) { | |
166 RunTest("violates-basic-constraints-pathlen-0.pem"); | |
167 } | |
168 | |
169 TEST(VerifyCertificateChainTest, BasicConstraintsPathlen0SelfIssued) { | |
170 RunTest("basic-constraints-pathlen-0-self-issued.pem"); | |
171 } | |
172 | |
173 TEST(VerifyCertificateChainTest, TargetSignedWithMd5) { | |
174 RunTest("target-signed-with-md5.pem"); | |
175 } | |
176 | |
177 TEST(VerifyCertificateChainTest, IntermediarySignedWithMd5) { | |
178 RunTest("intermediary-signed-with-md5.pem"); | |
179 } | |
180 | |
181 TEST(VerifyCertificateChainTest, TargetWrongSignature) { | |
182 RunTest("target-wrong-signature.pem"); | |
183 } | |
184 | |
185 TEST(VerifyCertificateChainTest, TargetSignedBy512bitRsa) { | |
186 RunTest("target-signed-by-512bit-rsa.pem"); | |
187 } | |
188 | |
189 TEST(VerifyCertificateChainTest, TargetSignedUsingEcdsa) { | |
190 RunTest("target-signed-using-ecdsa.pem"); | |
191 } | |
192 | |
193 TEST(VerifyCertificateChainTest, ExpiredIntermediary) { | |
194 RunTest("expired-intermediary.pem"); | |
195 } | |
196 | |
197 TEST(VerifyCertificateChainTest, ExpiredTarget) { | |
198 RunTest("expired-target.pem"); | |
199 } | |
200 | |
201 TEST(VerifyCertificateChainTest, ExpiredTargetNotBefore) { | |
202 RunTest("expired-target-notBefore.pem"); | |
203 } | |
204 | |
205 TEST(VerifyCertificateChainTest, ExpiredRoot) { | |
206 RunTest("expired-root.pem"); | |
207 } | |
208 | |
209 TEST(VerifyCertificateChainTest, TargetNotEndEntity) { | |
210 RunTest("target-not-end-entity.pem"); | |
211 } | |
212 | |
213 TEST(VerifyCertificateChainTest, TargetHasKeyCertSignButNotCa) { | |
214 RunTest("target-has-keycertsign-but-not-ca.pem"); | |
215 } | |
216 | |
217 TEST(VerifyCertificateChainTest, TargetHasPathlenButNotCa) { | |
218 RunTest("target-has-pathlen-but-not-ca.pem"); | |
219 } | |
220 | |
221 TEST(VerifyCertificateChainTest, TargetUnknownCriticalExtension) { | |
222 RunTest("target-unknown-critical-extension.pem"); | |
223 } | |
224 | |
225 TEST(VerifyCertificateChainTest, IssuerAndSubjectNotByteForByteEqual) { | |
226 RunTest("issuer-and-subject-not-byte-for-byte-equal.pem"); | |
227 } | |
228 | |
229 TEST(VerifyCertificateChainTest, IssuerAndSubjectNotByteForByteEqualAnchor) { | |
230 RunTest("issuer-and-subject-not-byte-for-byte-equal-anchor.pem"); | |
231 } | |
232 | |
233 TEST(VerifyCertificateChainTest, ViolatesPathlen1Root) { | |
234 RunTest("violates-pathlen-1-root.pem"); | |
235 } | |
236 | |
237 TEST(VerifyCertificateChainTest, NonSelfSignedRoot) { | |
238 RunTest("non-self-signed-root.pem"); | |
239 } | |
240 | |
241 // Tests that verifying a chain with no certificates fails. | |
242 TEST(VerifyCertificateChainTest, EmptyChainIsInvalid) { | |
243 TrustStore trust_store; | |
244 der::GeneralizedTime time; | |
245 std::vector<scoped_refptr<ParsedCertificate>> chain; | |
246 SimpleSignaturePolicy signature_policy(2048); | |
247 | |
248 ASSERT_FALSE(VerifyCertificateChain(chain, trust_store, &signature_policy, | |
249 time, nullptr)); | |
250 } | |
251 | |
252 // TODO(eroman): Add test that invalidate validity dates where the day or month | |
253 // ordinal not in range, like "March 39, 2016" are rejected. | |
254 | 36 |
255 } // namespace | 37 } // namespace |
256 | 38 |
| 39 INSTANTIATE_TYPED_TEST_CASE_P( |
| 40 VerifyCertificateChainAssumingTrustedRoot, |
| 41 VerifyCertificateChainSingleRootTest, |
| 42 VerifyCertificateChainAssumingTrustedRootDelegate); |
| 43 |
257 } // namespace net | 44 } // namespace net |
OLD | NEW |