net/cert/internal/path_builder_pkits_unittest.cc - Issue 1923433002: Certificate path builder for new certificate verification library

Unified Diff: net/cert/internal/path_builder_pkits_unittest.cc

Issue 1923433002: Certificate path builder for new certificate verification library (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: . Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/internal/path_builder_pkits_unittest.cc

diff --git a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc b/net/cert/internal/path_builder_pkits_unittest.cc

similarity index 70%

copy from net/cert/internal/verify_certificate_chain_pkits_unittest.cc

copy to net/cert/internal/path_builder_pkits_unittest.cc

index 606563708ae98da1df7bc8e0412616eb28a0d9df..c58e27dc3b1445695bc8975c58a562f7421ac0c6 100644

--- a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc

+++ b/net/cert/internal/path_builder_pkits_unittest.cc

@@ -2,10 +2,13 @@

// Use of this source code is governed by a BSD-style license that can be

// found in the LICENSE file.

-#include "net/cert/internal/verify_certificate_chain.h"

+#include "net/cert/internal/path_builder.h"

+#include "net/base/net_errors.h"

+#include "net/base/test_completion_callback.h"

#include "net/cert/internal/parse_certificate.h"

#include "net/cert/internal/signature_policy.h"

+#include "net/cert/internal/verify_certificate_chain.h"

#include "net/der/input.h"

// Disable tests that require DSA signatures (DSA signatures are intentionally

@@ -43,7 +46,7 @@ namespace net {

namespace {

-class VerifyCertificateChainPkitsTestDelegate {

+class PathBuilderPkitsTestDelegate {

public:

static bool Verify(std::vector<std::string> cert_ders,

std::vector<std::string> crl_ders) {

@@ -52,32 +55,66 @@ class VerifyCertificateChainPkitsTestDelegate {

return false;

}

// First entry in the PKITS chain is the trust anchor.

+ // XXX test with all possible trust anchors in the trust store?

TrustStore trust_store;

- EXPECT_TRUE(trust_store.AddTrustedCertificate(cert_ders[0]));

+ if (!trust_store.AddTrustedCertificate(cert_ders[0])) {

+ ADD_FAILURE() << "AddTrustedCertificate failed";

+ return false;

+ }

- // PKITS lists chains from trust anchor to target, VerifyCertificateChain

- // takes them starting with the target and not including the trust anchor.

- std::vector<der::Input> input_chain;

- for (size_t i = cert_ders.size() - 1; i > 0; --i)

- input_chain.push_back(der::Input(&cert_ders[i]));

+ // XXX test with other irrelevant certs in cert_sources?

+ // XXX test with async cert_sources?

+ std::vector<der::Input> intermediates;

+ for (size_t i = 1; i < cert_ders.size() - 1; ++i)

+ intermediates.push_back(der::Input(&cert_ders[i]));

+ StaticCertsSource cert_source;

+ if (!cert_source.Init(intermediates)) {

+ ADD_FAILURE() << "StaticCertsSource::Init failed";

+ return false;

+ }

+ CertPathBuilder::CertSources cert_sources;

+ cert_sources.push_back(&cert_source);

+ std::unique_ptr<CertThing> target_cert(

+ CertThing::CreateFromCertificateCopy(cert_ders.back()));

+ if (!target_cert) {

+ ADD_FAILURE() << "CertThing::CreateFromCertificateCopy failed";

+ return false;

+ }

SimpleSignaturePolicy signature_policy(1024);

// Run all tests at the time the PKITS was published.

der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};

- return VerifyCertificateChain(input_chain, trust_store, &signature_policy,

- time);

+ CertPathBuilder::Result result;

+ CertPathBuilder path_builder(std::move(target_cert), cert_sources,

+ trust_store, &signature_policy, time, &result);

+ TestCompletionCallback callback;

+ int rv = path_builder.Run(callback.callback());

+ DVLOG(1) << "path_builder.Run rv=" << ErrorToString(rv);

+ if (rv == ERR_IO_PENDING) {

+ DVLOG(1) << "waiting for async completion...";

+ rv = callback.WaitForResult();

+ DVLOG(1) << "async rv=" << ErrorToString(rv);

+ }

+ return rv == OK;

}

};

} // namespace

-class PkitsTest01SignatureVerificationCustom

- : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};

+// XXX reduce duplication with verify_certificate_chain_pkits_unittest.cc

+class PkitsTest01SignatureVerificationCustomPathBuilderFoo

+ : public PkitsTest<PathBuilderPkitsTestDelegate> {};

// Modified version of 4.1.4 Valid DSA Signatures Test4

-TEST_F(PkitsTest01SignatureVerificationCustom,

+TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo,

Section1ValidDSASignaturesTest4Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",

"ValidDSASignaturesTest4EE"};

@@ -87,7 +124,7 @@ TEST_F(PkitsTest01SignatureVerificationCustom,

}

// Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5

-TEST_F(PkitsTest01SignatureVerificationCustom,

+TEST_F(PkitsTest01SignatureVerificationCustomPathBuilderFoo,

Section1ValidDSAParameterInheritanceTest5Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",

"DSAParametersInheritedCACert",

@@ -98,11 +135,11 @@ TEST_F(PkitsTest01SignatureVerificationCustom,

ASSERT_FALSE(this->Verify(certs, crls));

}

-class PkitsTest13SignatureVerificationCustom

- : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};

+class PkitsTest13SignatureVerificationCustomPathBuilderFoo

+ : public PkitsTest<PathBuilderPkitsTestDelegate> {};

// Modified version of 4.13.21 Valid RFC822 nameConstraints Test21

-TEST_F(PkitsTest13SignatureVerificationCustom,

+TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,

Section13ValidRFC822nameConstraintsTest21Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate",

"nameConstraintsRFC822CA1Cert",

@@ -114,7 +151,7 @@ TEST_F(PkitsTest13SignatureVerificationCustom,

}

// Modified version of 4.13.23 Valid RFC822 nameConstraints Test23

-TEST_F(PkitsTest13SignatureVerificationCustom,

+TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,

Section13ValidRFC822nameConstraintsTest23Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate",

"nameConstraintsRFC822CA2Cert",

@@ -126,7 +163,7 @@ TEST_F(PkitsTest13SignatureVerificationCustom,

}

// Modified version of 4.13.25 Valid RFC822 nameConstraints Test25

-TEST_F(PkitsTest13SignatureVerificationCustom,

+TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,

Section13ValidRFC822nameConstraintsTest25Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate",

"nameConstraintsRFC822CA3Cert",

@@ -138,7 +175,7 @@ TEST_F(PkitsTest13SignatureVerificationCustom,

}

// Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27

-TEST_F(PkitsTest13SignatureVerificationCustom,

+TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,

Section13ValidDNandRFC822nameConstraintsTest27Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate",

"nameConstraintsDN1CACert",

@@ -151,7 +188,7 @@ TEST_F(PkitsTest13SignatureVerificationCustom,

}

// Modified version of 4.13.34 Valid URI nameConstraints Test34

-TEST_F(PkitsTest13SignatureVerificationCustom,

+TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,

Section13ValidURInameConstraintsTest34Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate",

"nameConstraintsURI1CACert",

@@ -162,7 +199,7 @@ TEST_F(PkitsTest13SignatureVerificationCustom,

}

// Modified version of 4.13.36 Valid URI nameConstraints Test36

-TEST_F(PkitsTest13SignatureVerificationCustom,

+TEST_F(PkitsTest13SignatureVerificationCustomPathBuilderFoo,

Section13ValidURInameConstraintsTest36Custom) {

const char* const certs[] = {"TrustAnchorRootCertificate",

"nameConstraintsURI2CACert",

@@ -172,27 +209,27 @@ TEST_F(PkitsTest13SignatureVerificationCustom,

ASSERT_FALSE(this->Verify(certs, crls));

}

-INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,

+INSTANTIATE_TYPED_TEST_CASE_P(PathBuilder,

PkitsTest01SignatureVerification,