| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| 22 #include "net/cert/cert_verifier.h" | 22 #include "net/cert/cert_verifier.h" |
| 23 #include "net/cert/cert_verify_result.h" | 23 #include "net/cert/cert_verify_result.h" |
| 24 #include "net/cert/crl_set.h" | 24 #include "net/cert/crl_set.h" |
| 25 #include "net/cert/crl_set_storage.h" | 25 #include "net/cert/crl_set_storage.h" |
| 26 #include "net/cert/test_root_certs.h" | 26 #include "net/cert/test_root_certs.h" |
| 27 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
| 28 #include "net/test/cert_test_util.h" | 28 #include "net/test/cert_test_util.h" |
| 29 #include "net/test/test_certificate_data.h" | 29 #include "net/test/test_certificate_data.h" |
| 30 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
| 31 | 31 |
| 32 #if defined(OS_WIN) | 32 #if defined(OS_ANDROID) |
| 33 #include "base/win/windows_version.h" | |
| 34 #elif defined(OS_ANDROID) | |
| 35 #include "base/android/build_info.h" | 33 #include "base/android/build_info.h" |
| 36 #endif | 34 #endif |
| 37 | 35 |
| 38 using base::HexEncode; | 36 using base::HexEncode; |
| 39 | 37 |
| 40 namespace net { | 38 namespace net { |
| 41 | 39 |
| 42 namespace { | 40 namespace { |
| 43 | 41 |
| 44 // A certificate for www.paypal.com with a NULL byte in the common name. | 42 // A certificate for www.paypal.com with a NULL byte in the common name. |
| 305 certs[0]->os_cert_handle(), intermediates); | 303 certs[0]->os_cert_handle(), intermediates); |
| 306 | 304 |
| 307 int flags = 0; | 305 int flags = 0; |
| 308 CertVerifyResult verify_result; | 306 CertVerifyResult verify_result; |
| 309 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 307 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 310 &verify_result); | 308 &verify_result); |
| 311 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 309 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 312 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID); | 310 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID); |
| 313 } | 311 } |
| 314 | 312 |
| 315 // Test that verifying an ECDSA certificate doesn't crash on XP. (See | |
| 316 // crbug.com/144466). | |
| 317 TEST_F(CertVerifyProcTest, ECDSA_RSA) { | |
| 318 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 319 | |
| 320 scoped_refptr<X509Certificate> cert = | |
| 321 ImportCertFromFile(certs_dir, | |
| 322 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); | |
| 323 | |
| 324 CertVerifyResult verify_result; | |
| 325 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result); | |
| 326 | |
| 327 // We don't check verify_result because the certificate is signed by an | |
| 328 // unknown CA and will be considered invalid on XP because of the ECDSA | |
| 329 // public key. | |
| 330 } | |
| 331 | |
| 332 // Currently, only RSA and DSA keys are checked for weakness, and our example | 313 // Currently, only RSA and DSA keys are checked for weakness, and our example |
| 333 // weak size is 768. These could change in the future. | 314 // weak size is 768. These could change in the future. |
| 334 // | 315 // |
| 335 // Note that this means there may be false negatives: keys for other | 316 // Note that this means there may be false negatives: keys for other |
| 336 // algorithms and which are weak will pass this test. | 317 // algorithms and which are weak will pass this test. |
| 337 static bool IsWeakKeyType(const std::string& key_type) { | 318 static bool IsWeakKeyType(const std::string& key_type) { |
| 338 size_t pos = key_type.find("-"); | 319 size_t pos = key_type.find("-"); |
| 339 std::string size = key_type.substr(0, pos); | 320 std::string size = key_type.substr(0, pos); |
| 340 std::string type = key_type.substr(pos + 1); | 321 std::string type = key_type.substr(pos + 1); |
| 341 | 322 |
| 342 if (type == "rsa" || type == "dsa") | 323 if (type == "rsa" || type == "dsa") |
| 343 return size == "768"; | 324 return size == "768"; |
| 344 | 325 |
| 345 return false; | 326 return false; |
| 346 } | 327 } |
| 347 | 328 |
| 348 TEST_F(CertVerifyProcTest, RejectWeakKeys) { | 329 TEST_F(CertVerifyProcTest, RejectWeakKeys) { |
| 349 base::FilePath certs_dir = GetTestCertsDirectory(); | 330 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 350 typedef std::vector<std::string> Strings; | 331 typedef std::vector<std::string> Strings; |
| 351 Strings key_types; | 332 Strings key_types; |
| 352 | 333 |
| 353 // generate-weak-test-chains.sh currently has: | 334 // generate-weak-test-chains.sh currently has: |
| 354 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa" | 335 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa" |
| 355 // We must use the same key types here. The filenames generated look like: | 336 // We must use the same key types here. The filenames generated look like: |
| 356 // 2048-rsa-ee-by-768-rsa-intermediate.pem | 337 // 2048-rsa-ee-by-768-rsa-intermediate.pem |
| 357 key_types.push_back("768-rsa"); | 338 key_types.push_back("768-rsa"); |
| 358 key_types.push_back("1024-rsa"); | 339 key_types.push_back("1024-rsa"); |
| 359 key_types.push_back("2048-rsa"); | 340 key_types.push_back("2048-rsa"); |
| 360 | 341 key_types.push_back("prime256v1-ecdsa"); |
| 361 bool use_ecdsa = true; | |
| 362 #if defined(OS_WIN) | |
| 363 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP; | |
| 364 #endif | |
| 365 | |
| 366 if (use_ecdsa) | |
| 367 key_types.push_back("prime256v1-ecdsa"); | |
| 368 | 342 |
| 369 // Add the root that signed the intermediates for this test. | 343 // Add the root that signed the intermediates for this test. |
| 370 scoped_refptr<X509Certificate> root_cert = | 344 scoped_refptr<X509Certificate> root_cert = |
| 371 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | 345 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); |
| 372 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); | 346 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); |
| 373 ScopedTestRoot scoped_root(root_cert.get()); | 347 ScopedTestRoot scoped_root(root_cert.get()); |
| 374 | 348 |
| 375 // Now test each chain. | 349 // Now test each chain. |
| 376 for (Strings::const_iterator ee_type = key_types.begin(); | 350 for (Strings::const_iterator ee_type = key_types.begin(); |
| 377 ee_type != key_types.end(); ++ee_type) { | 351 ee_type != key_types.end(); ++ee_type) { |
| 1709 int flags = 0; | 1683 int flags = 0; |
| 1710 CertVerifyResult verify_result; | 1684 CertVerifyResult verify_result; |
| 1711 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1685 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1712 &verify_result); | 1686 &verify_result); |
| 1713 EXPECT_EQ(ERR_CERT_INVALID, error); | 1687 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 1714 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); | 1688 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); |
| 1715 } | 1689 } |
| 1716 #endif // defined(OS_MACOSX) && !defined(OS_IOS) | 1690 #endif // defined(OS_MACOSX) && !defined(OS_IOS) |
| 1717 | 1691 |
| 1718 } // namespace net | 1692 } // namespace net |
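Review bot: With the `ECDSA_RSA` test deleted, the visible lines no longer verify an ECDSA leaf against an untrusted chain, because `RejectWeakKeys` installs `2048-rsa-root.pem` through `ScopedTestRoot` before its loop runs. The now-unconditional `key_types.push_back("prime256v1-ecdsa");` also only exercises ECDSA as a key that must be accepted, since `IsWeakKeyType` returns false for every type other than `rsa` and `dsa`. If the unknown-CA path is still worth covering, a platform-independent replacement that checks the outcome would be stronger than the removed test, which discarded the return value of `Verify`; for example `EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);` after the call, with the expected status confirmed per platform. The loop body of `RejectWeakKeys` lies in the skipped lines, so whether it already covers this cannot be confirmed from the lines shown.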