OLD | NEW |
(Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_TYPED_UNITTEST_H_ |
| 6 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_TYPED_UNITTEST_H_ |
| 7 |
| 8 #include "base/base_paths.h" |
| 9 #include "base/files/file_util.h" |
| 10 #include "base/path_service.h" |
| 11 #include "net/cert/internal/parsed_certificate.h" |
| 12 #include "net/cert/internal/test_helpers.h" |
| 13 #include "net/cert/pem_tokenizer.h" |
| 14 #include "net/der/input.h" |
| 15 #include "testing/gtest/include/gtest/gtest.h" |
| 16 |
| 17 namespace net { |
| 18 |
| 19 template <typename TestDelegate> |
| 20 class VerifyCertificateChainTest : public ::testing::Test { |
| 21 public: |
| 22 void RunTest(const char* file_name) { |
| 23 ParsedCertificateList chain; |
| 24 ParsedCertificateList roots; |
| 25 der::GeneralizedTime time; |
| 26 bool expected_result; |
| 27 |
| 28 ReadTestFromFile(file_name, &chain, &roots, &time, &expected_result); |
| 29 |
| 30 TestDelegate::Verify(chain, roots, time, expected_result); |
| 31 } |
| 32 |
| 33 private: |
| 34 // Reads a data file from the unit-test data. |
| 35 std::string ReadTestFileToString(const std::string& file_name) { |
| 36 // Compute the full path, relative to the src/ directory. |
| 37 base::FilePath src_root; |
| 38 PathService::Get(base::DIR_SOURCE_ROOT, &src_root); |
| 39 base::FilePath filepath = src_root.AppendASCII( |
| 40 std::string("net/data/verify_certificate_chain_unittest/") + file_name); |
| 41 |
| 42 // Read the full contents of the file. |
| 43 std::string file_data; |
| 44 if (!base::ReadFileToString(filepath, &file_data)) { |
| 45 ADD_FAILURE() << "Couldn't read file: " << filepath.value(); |
| 46 return std::string(); |
| 47 } |
| 48 |
| 49 return file_data; |
| 50 } |
| 51 |
| 52 // Reads a test case from |file_name|. Test cases are comprised of a |
| 53 // certificate chain, trust store, a timestamp to validate at, and the |
| 54 // expected result of verification. |
| 55 void ReadTestFromFile(const std::string& file_name, |
| 56 ParsedCertificateList* chain, |
| 57 ParsedCertificateList* roots, |
| 58 der::GeneralizedTime* time, |
| 59 bool* verify_result) { |
| 60 chain->clear(); |
| 61 roots->clear(); |
| 62 |
| 63 std::string file_data = ReadTestFileToString(file_name); |
| 64 |
| 65 std::vector<std::string> pem_headers; |
| 66 |
| 67 const char kCertificateHeader[] = "CERTIFICATE"; |
| 68 const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE"; |
| 69 const char kTimeHeader[] = "TIME"; |
| 70 const char kResultHeader[] = "VERIFY_RESULT"; |
| 71 |
| 72 pem_headers.push_back(kCertificateHeader); |
| 73 pem_headers.push_back(kTrustedCertificateHeader); |
| 74 pem_headers.push_back(kTimeHeader); |
| 75 pem_headers.push_back(kResultHeader); |
| 76 |
| 77 bool has_time = false; |
| 78 bool has_result = false; |
| 79 |
| 80 PEMTokenizer pem_tokenizer(file_data, pem_headers); |
| 81 while (pem_tokenizer.GetNext()) { |
| 82 const std::string& block_type = pem_tokenizer.block_type(); |
| 83 const std::string& block_data = pem_tokenizer.data(); |
| 84 |
| 85 if (block_type == kCertificateHeader) { |
| 86 ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector( |
| 87 reinterpret_cast<const uint8_t*>(block_data.data()), |
| 88 block_data.size(), |
| 89 net::ParsedCertificate::DataSource::INTERNAL_COPY, {}, chain)); |
| 90 } else if (block_type == kTrustedCertificateHeader) { |
| 91 ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector( |
| 92 reinterpret_cast<const uint8_t*>(block_data.data()), |
| 93 block_data.size(), |
| 94 net::ParsedCertificate::DataSource::INTERNAL_COPY, {}, roots)); |
| 95 } else if (block_type == kTimeHeader) { |
| 96 ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader; |
| 97 has_time = true; |
| 98 ASSERT_TRUE(der::ParseUTCTime(der::Input(&block_data), time)); |
| 99 } else if (block_type == kResultHeader) { |
| 100 ASSERT_FALSE(has_result) << "Duplicate " << kResultHeader; |
| 101 ASSERT_TRUE(block_data == "SUCCESS" || block_data == "FAIL") |
| 102 << "Unrecognized result: " << block_data; |
| 103 has_result = true; |
| 104 *verify_result = block_data == "SUCCESS"; |
| 105 } |
| 106 } |
| 107 |
| 108 ASSERT_TRUE(has_time); |
| 109 ASSERT_TRUE(has_result); |
| 110 } |
| 111 }; |
| 112 |
| 113 // Tests that have only one root. These can be tested without requiring any |
| 114 // path-building ability. |
| 115 template <typename TestDelegate> |
| 116 class VerifyCertificateChainSingleRootTest |
| 117 : public VerifyCertificateChainTest<TestDelegate> {}; |
| 118 |
| 119 TYPED_TEST_CASE_P(VerifyCertificateChainSingleRootTest); |
| 120 |
| 121 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetAndIntermediary) { |
| 122 this->RunTest("target-and-intermediary.pem"); |
| 123 } |
| 124 |
| 125 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 126 IntermediaryLacksBasicConstraints) { |
| 127 this->RunTest("intermediary-lacks-basic-constraints.pem"); |
| 128 } |
| 129 |
| 130 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 131 IntermediaryBasicConstraintsCaFalse) { |
| 132 this->RunTest("intermediary-basic-constraints-ca-false.pem"); |
| 133 } |
| 134 |
| 135 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 136 IntermediaryBasicConstraintsNotCritical) { |
| 137 this->RunTest("intermediary-basic-constraints-not-critical.pem"); |
| 138 } |
| 139 |
| 140 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 141 IntermediaryLacksSigningKeyUsage) { |
| 142 this->RunTest("intermediary-lacks-signing-key-usage.pem"); |
| 143 } |
| 144 |
| 145 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 146 IntermediaryUnknownCriticalExtension) { |
| 147 this->RunTest("intermediary-unknown-critical-extension.pem"); |
| 148 } |
| 149 |
| 150 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 151 IntermediaryUnknownNonCriticalExtension) { |
| 152 this->RunTest("intermediary-unknown-non-critical-extension.pem"); |
| 153 } |
| 154 |
| 155 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 156 ViolatesBasicConstraintsPathlen0) { |
| 157 this->RunTest("violates-basic-constraints-pathlen-0.pem"); |
| 158 } |
| 159 |
| 160 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 161 BasicConstraintsPathlen0SelfIssued) { |
| 162 this->RunTest("basic-constraints-pathlen-0-self-issued.pem"); |
| 163 } |
| 164 |
| 165 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetSignedWithMd5) { |
| 166 this->RunTest("target-signed-with-md5.pem"); |
| 167 } |
| 168 |
| 169 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, IntermediarySignedWithMd5) { |
| 170 this->RunTest("intermediary-signed-with-md5.pem"); |
| 171 } |
| 172 |
| 173 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetWrongSignature) { |
| 174 this->RunTest("target-wrong-signature.pem"); |
| 175 } |
| 176 |
| 177 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetSignedBy512bitRsa) { |
| 178 this->RunTest("target-signed-by-512bit-rsa.pem"); |
| 179 } |
| 180 |
| 181 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetSignedUsingEcdsa) { |
| 182 this->RunTest("target-signed-using-ecdsa.pem"); |
| 183 } |
| 184 |
| 185 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, ExpiredIntermediary) { |
| 186 this->RunTest("expired-intermediary.pem"); |
| 187 } |
| 188 |
| 189 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, ExpiredTarget) { |
| 190 this->RunTest("expired-target.pem"); |
| 191 } |
| 192 |
| 193 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, ExpiredTargetNotBefore) { |
| 194 this->RunTest("expired-target-notBefore.pem"); |
| 195 } |
| 196 |
| 197 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, ExpiredRoot) { |
| 198 this->RunTest("expired-root.pem"); |
| 199 } |
| 200 |
| 201 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetNotEndEntity) { |
| 202 this->RunTest("target-not-end-entity.pem"); |
| 203 } |
| 204 |
| 205 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 206 TargetHasKeyCertSignButNotCa) { |
| 207 this->RunTest("target-has-keycertsign-but-not-ca.pem"); |
| 208 } |
| 209 |
| 210 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetHasPathlenButNotCa) { |
| 211 this->RunTest("target-has-pathlen-but-not-ca.pem"); |
| 212 } |
| 213 |
| 214 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 215 TargetUnknownCriticalExtension) { |
| 216 this->RunTest("target-unknown-critical-extension.pem"); |
| 217 } |
| 218 |
| 219 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 220 IssuerAndSubjectNotByteForByteEqual) { |
| 221 this->RunTest("issuer-and-subject-not-byte-for-byte-equal.pem"); |
| 222 } |
| 223 |
| 224 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 225 IssuerAndSubjectNotByteForByteEqualAnchor) { |
| 226 this->RunTest("issuer-and-subject-not-byte-for-byte-equal-anchor.pem"); |
| 227 } |
| 228 |
| 229 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, ViolatesPathlen1Root) { |
| 230 this->RunTest("violates-pathlen-1-root.pem"); |
| 231 } |
| 232 |
| 233 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, NonSelfSignedRoot) { |
| 234 this->RunTest("non-self-signed-root.pem"); |
| 235 } |
| 236 |
| 237 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, KeyRolloverOldChain) { |
| 238 this->RunTest("key-rollover-oldchain.pem"); |
| 239 } |
| 240 |
| 241 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, KeyRolloverRolloverChain) { |
| 242 this->RunTest("key-rollover-rolloverchain.pem"); |
| 243 } |
| 244 |
| 245 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, |
| 246 KeyRolloverLongRolloverChain) { |
| 247 this->RunTest("key-rollover-longrolloverchain.pem"); |
| 248 } |
| 249 |
| 250 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, KeyRolloverNewChain) { |
| 251 this->RunTest("key-rollover-newchain.pem"); |
| 252 } |
| 253 |
| 254 // TODO(eroman): Add test that invalidate validity dates where the day or month |
| 255 // ordinal not in range, like "March 39, 2016" are rejected. |
| 256 |
| 257 REGISTER_TYPED_TEST_CASE_P(VerifyCertificateChainSingleRootTest, |
| 258 TargetAndIntermediary, |
| 259 IntermediaryLacksBasicConstraints, |
| 260 IntermediaryBasicConstraintsCaFalse, |
| 261 IntermediaryBasicConstraintsNotCritical, |
| 262 IntermediaryLacksSigningKeyUsage, |
| 263 IntermediaryUnknownCriticalExtension, |
| 264 IntermediaryUnknownNonCriticalExtension, |
| 265 ViolatesBasicConstraintsPathlen0, |
| 266 BasicConstraintsPathlen0SelfIssued, |
| 267 TargetSignedWithMd5, |
| 268 IntermediarySignedWithMd5, |
| 269 TargetWrongSignature, |
| 270 TargetSignedBy512bitRsa, |
| 271 TargetSignedUsingEcdsa, |
| 272 ExpiredIntermediary, |
| 273 ExpiredTarget, |
| 274 ExpiredTargetNotBefore, |
| 275 ExpiredRoot, |
| 276 TargetNotEndEntity, |
| 277 TargetHasKeyCertSignButNotCa, |
| 278 TargetHasPathlenButNotCa, |
| 279 TargetUnknownCriticalExtension, |
| 280 IssuerAndSubjectNotByteForByteEqual, |
| 281 IssuerAndSubjectNotByteForByteEqualAnchor, |
| 282 ViolatesPathlen1Root, |
| 283 NonSelfSignedRoot, |
| 284 KeyRolloverOldChain, |
| 285 KeyRolloverRolloverChain, |
| 286 KeyRolloverLongRolloverChain, |
| 287 KeyRolloverNewChain); |
| 288 |
| 289 // Tests that have zero roots or more than one root. |
| 290 template <typename TestDelegate> |
| 291 class VerifyCertificateChainNonSingleRootTest |
| 292 : public VerifyCertificateChainTest<TestDelegate> {}; |
| 293 |
| 294 TYPED_TEST_CASE_P(VerifyCertificateChainNonSingleRootTest); |
| 295 |
| 296 TYPED_TEST_P(VerifyCertificateChainNonSingleRootTest, UnknownRoot) { |
| 297 this->RunTest("unknown-root.pem"); |
| 298 } |
| 299 |
| 300 REGISTER_TYPED_TEST_CASE_P(VerifyCertificateChainNonSingleRootTest, |
| 301 UnknownRoot); |
| 302 |
| 303 } // namespace net |
| 304 |
| 305 #endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_TYPED_UNITTEST_H_ |
OLD | NEW |