OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include <memory> | 9 #include <memory> |
10 | 10 |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
43 // | 43 // |
44 // For fingerprint | 44 // For fingerprint |
45 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der | 45 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der |
46 | 46 |
47 // For valid_start, valid_expiry | 47 // For valid_start, valid_expiry |
48 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | | 48 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | |
49 // grep -A 2 Validity | 49 // grep -A 2 Validity |
50 // $ date +%s -d '<date str>' | 50 // $ date +%s -d '<date str>' |
51 | 51 |
52 // Google's cert. | 52 // Google's cert. |
53 uint8_t google_fingerprint[] = { | 53 SHA256HashValue google_fingerprint = { |
54 0xab, 0xbe, 0x5e, 0xb4, 0x93, 0x88, 0x4e, 0xe4, 0x60, 0xc6, 0xef, 0xf8, | 54 {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, |
55 0xea, 0xd4, 0xb1, 0x55, 0x4b, 0xc9, 0x59, 0x3c | 55 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, |
56 }; | 56 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; |
57 | |
58 // webkit.org's cert. | |
59 uint8_t webkit_fingerprint[] = { | |
60 0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8, | |
61 0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2 | |
62 }; | |
63 | |
64 // thawte.com's cert (it's EV-licious!). | |
65 uint8_t thawte_fingerprint[] = { | |
66 0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6, | |
67 0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37 | |
68 }; | |
69 | |
70 // A certificate for https://www.unosoft.hu/, whose AIA extension contains | |
71 // an LDAP URL without a host name. | |
72 uint8_t unosoft_hu_fingerprint[] = { | |
73 0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd, | |
74 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 | |
75 }; | |
Ryan Sleevi
2016/05/20 06:02:32
The three above didn't add any form to correctness
| |
76 | 57 |
77 // The fingerprint of the Google certificate used in the parsing tests, | 58 // The fingerprint of the Google certificate used in the parsing tests, |
78 // which is newer than the one included in the x509_certificate_data.h | 59 // which is newer than the one included in the x509_certificate_data.h |
79 uint8_t google_parse_fingerprint[] = { | 60 SHA256HashValue google_parse_fingerprint = { |
80 0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a, | 61 {0xf6, 0x41, 0xc3, 0x6c, 0xfe, 0xf4, 0x9b, 0xc0, 0x71, 0x35, 0x9e, |
81 0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2 | 62 0xcf, 0x88, 0xee, 0xd9, 0x31, 0x7b, 0x73, 0x8b, 0x59, 0x89, 0x41, |
82 }; | 63 0x6a, 0xd4, 0x01, 0x72, 0x0c, 0x0a, 0x4e, 0x2e, 0x63, 0x52}}; |
83 | 64 |
84 // The fingerprint for the Thawte SGC certificate | 65 // The fingerprint for the Thawte SGC certificate |
85 uint8_t thawte_parse_fingerprint[] = { | 66 SHA256HashValue thawte_parse_fingerprint = { |
86 0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f, | 67 {0x10, 0x85, 0xa6, 0xf4, 0x54, 0xd0, 0xc9, 0x11, 0x98, 0xfd, 0xda, |
87 0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02 | 68 0xb1, 0x1a, 0x31, 0xc7, 0x16, 0xd5, 0xdc, 0xd6, 0x8d, 0xf9, 0x1c, |
88 }; | 69 0x03, 0x9c, 0xe1, 0x8d, 0xca, 0x9b, 0xeb, 0x3c, 0xde, 0x3d}}; |
89 | 70 |
90 // Dec 18 00:00:00 2009 GMT | 71 // Dec 18 00:00:00 2009 GMT |
91 const double kGoogleParseValidFrom = 1261094400; | 72 const double kGoogleParseValidFrom = 1261094400; |
92 // Dec 18 23:59:59 2011 GMT | 73 // Dec 18 23:59:59 2011 GMT |
93 const double kGoogleParseValidTo = 1324252799; | 74 const double kGoogleParseValidTo = 1324252799; |
94 | 75 |
95 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, | 76 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, |
96 uint8_t* expected_fingerprint, | 77 const SHA256HashValue& expected_fingerprint, |
97 double valid_from, double valid_to) { | 78 double valid_from, |
79 double valid_to) { | |
98 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert.get()); | 80 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert.get()); |
99 | 81 |
100 const CertPrincipal& subject = google_cert->subject(); | 82 const CertPrincipal& subject = google_cert->subject(); |
101 EXPECT_EQ("www.google.com", subject.common_name); | 83 EXPECT_EQ("www.google.com", subject.common_name); |
102 EXPECT_EQ("Mountain View", subject.locality_name); | 84 EXPECT_EQ("Mountain View", subject.locality_name); |
103 EXPECT_EQ("California", subject.state_or_province_name); | 85 EXPECT_EQ("California", subject.state_or_province_name); |
104 EXPECT_EQ("US", subject.country_name); | 86 EXPECT_EQ("US", subject.country_name); |
105 EXPECT_EQ(0U, subject.street_addresses.size()); | 87 EXPECT_EQ(0U, subject.street_addresses.size()); |
106 ASSERT_EQ(1U, subject.organization_names.size()); | 88 ASSERT_EQ(1U, subject.organization_names.size()); |
107 EXPECT_EQ("Google Inc", subject.organization_names[0]); | 89 EXPECT_EQ("Google Inc", subject.organization_names[0]); |
(...skipping 11 matching lines...) Expand all Loading... | |
119 EXPECT_EQ(0U, issuer.organization_unit_names.size()); | 101 EXPECT_EQ(0U, issuer.organization_unit_names.size()); |
120 EXPECT_EQ(0U, issuer.domain_components.size()); | 102 EXPECT_EQ(0U, issuer.domain_components.size()); |
121 | 103 |
122 // Use DoubleT because its epoch is the same on all platforms | 104 // Use DoubleT because its epoch is the same on all platforms |
123 const Time& valid_start = google_cert->valid_start(); | 105 const Time& valid_start = google_cert->valid_start(); |
124 EXPECT_EQ(valid_from, valid_start.ToDoubleT()); | 106 EXPECT_EQ(valid_from, valid_start.ToDoubleT()); |
125 | 107 |
126 const Time& valid_expiry = google_cert->valid_expiry(); | 108 const Time& valid_expiry = google_cert->valid_expiry(); |
127 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); | 109 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); |
128 | 110 |
129 const SHA1HashValue& fingerprint = google_cert->fingerprint(); | 111 EXPECT_EQ(expected_fingerprint, X509Certificate::CalculateFingerprint256( |
130 for (size_t i = 0; i < 20; ++i) | 112 google_cert->os_cert_handle())); |
131 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); | |
132 | 113 |
133 std::vector<std::string> dns_names; | 114 std::vector<std::string> dns_names; |
134 google_cert->GetDNSNames(&dns_names); | 115 google_cert->GetDNSNames(&dns_names); |
135 ASSERT_EQ(1U, dns_names.size()); | 116 ASSERT_EQ(1U, dns_names.size()); |
136 EXPECT_EQ("www.google.com", dns_names[0]); | 117 EXPECT_EQ("www.google.com", dns_names[0]); |
137 } | 118 } |
138 | 119 |
139 TEST(X509CertificateTest, GoogleCertParsing) { | 120 TEST(X509CertificateTest, GoogleCertParsing) { |
140 scoped_refptr<X509Certificate> google_cert( | 121 scoped_refptr<X509Certificate> google_cert( |
141 X509Certificate::CreateFromBytes( | 122 X509Certificate::CreateFromBytes( |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
176 issuer.organization_unit_names[0]); | 157 issuer.organization_unit_names[0]); |
177 EXPECT_EQ(0U, issuer.domain_components.size()); | 158 EXPECT_EQ(0U, issuer.domain_components.size()); |
178 | 159 |
179 // Use DoubleT because its epoch is the same on all platforms | 160 // Use DoubleT because its epoch is the same on all platforms |
180 const Time& valid_start = webkit_cert->valid_start(); | 161 const Time& valid_start = webkit_cert->valid_start(); |
181 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT | 162 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT |
182 | 163 |
183 const Time& valid_expiry = webkit_cert->valid_expiry(); | 164 const Time& valid_expiry = webkit_cert->valid_expiry(); |
184 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT | 165 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT |
185 | 166 |
186 const SHA1HashValue& fingerprint = webkit_cert->fingerprint(); | |
187 for (size_t i = 0; i < 20; ++i) | |
188 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); | |
189 | |
190 std::vector<std::string> dns_names; | 167 std::vector<std::string> dns_names; |
191 webkit_cert->GetDNSNames(&dns_names); | 168 webkit_cert->GetDNSNames(&dns_names); |
192 ASSERT_EQ(2U, dns_names.size()); | 169 ASSERT_EQ(2U, dns_names.size()); |
193 EXPECT_EQ("*.webkit.org", dns_names[0]); | 170 EXPECT_EQ("*.webkit.org", dns_names[0]); |
194 EXPECT_EQ("webkit.org", dns_names[1]); | 171 EXPECT_EQ("webkit.org", dns_names[1]); |
195 | 172 |
196 // Test that the wildcard cert matches properly. | 173 // Test that the wildcard cert matches properly. |
197 bool unused = false; | 174 bool unused = false; |
198 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused)); | 175 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused)); |
199 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused)); | 176 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused)); |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
232 issuer.organization_unit_names[0]); | 209 issuer.organization_unit_names[0]); |
233 EXPECT_EQ(0U, issuer.domain_components.size()); | 210 EXPECT_EQ(0U, issuer.domain_components.size()); |
234 | 211 |
235 // Use DoubleT because its epoch is the same on all platforms | 212 // Use DoubleT because its epoch is the same on all platforms |
236 const Time& valid_start = thawte_cert->valid_start(); | 213 const Time& valid_start = thawte_cert->valid_start(); |
237 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT | 214 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT |
238 | 215 |
239 const Time& valid_expiry = thawte_cert->valid_expiry(); | 216 const Time& valid_expiry = thawte_cert->valid_expiry(); |
240 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT | 217 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT |
241 | 218 |
242 const SHA1HashValue& fingerprint = thawte_cert->fingerprint(); | |
243 for (size_t i = 0; i < 20; ++i) | |
244 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); | |
245 | |
246 std::vector<std::string> dns_names; | 219 std::vector<std::string> dns_names; |
247 thawte_cert->GetDNSNames(&dns_names); | 220 thawte_cert->GetDNSNames(&dns_names); |
248 ASSERT_EQ(1U, dns_names.size()); | 221 ASSERT_EQ(1U, dns_names.size()); |
249 EXPECT_EQ("www.thawte.com", dns_names[0]); | 222 EXPECT_EQ("www.thawte.com", dns_names[0]); |
250 } | 223 } |
251 | 224 |
252 // Test that all desired AttributeAndValue pairs can be extracted when only | 225 // Test that all desired AttributeAndValue pairs can be extracted when only |
253 // a single RelativeDistinguishedName is present. "Normally" there is only | 226 // a single RelativeDistinguishedName is present. "Normally" there is only |
254 // one AVA per RDN, but some CAs place all AVAs within a single RDN. | 227 // one AVA per RDN, but some CAs place all AVAs within a single RDN. |
255 // This is a regression test for http://crbug.com/101009 | 228 // This is a regression test for http://crbug.com/101009 |
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
324 ASSERT_EQ(sizeof(paypal_null_serial), | 297 ASSERT_EQ(sizeof(paypal_null_serial), |
325 paypal_null_cert->serial_number().size()); | 298 paypal_null_cert->serial_number().size()); |
326 EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(), | 299 EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(), |
327 paypal_null_serial, sizeof(paypal_null_serial)) == 0); | 300 paypal_null_serial, sizeof(paypal_null_serial)) == 0); |
328 } | 301 } |
329 | 302 |
330 TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { | 303 TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { |
331 scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes( | 304 scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes( |
332 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 305 reinterpret_cast<const char*>(google_der), sizeof(google_der))); |
333 | 306 |
334 static const uint8_t google_sha256_fingerprint[32] = { | 307 const SHA256HashValue google_sha256_fingerprint = { |
335 0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, | 308 {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, |
336 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, | 309 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, |
337 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}; | 310 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; |
338 | 311 |
339 SHA256HashValue fingerprint = | 312 EXPECT_EQ(google_sha256_fingerprint, X509Certificate::CalculateFingerprint256( |
340 X509Certificate::CalculateFingerprint256(google_cert->os_cert_handle()); | 313 google_cert->os_cert_handle())); |
341 | |
342 for (size_t i = 0; i < 32; ++i) | |
343 EXPECT_EQ(google_sha256_fingerprint[i], fingerprint.data[i]); | |
344 } | 314 } |
345 | 315 |
346 TEST(X509CertificateTest, CAFingerprints) { | 316 TEST(X509CertificateTest, CAFingerprints) { |
347 base::FilePath certs_dir = GetTestCertsDirectory(); | 317 base::FilePath certs_dir = GetTestCertsDirectory(); |
348 | 318 |
349 scoped_refptr<X509Certificate> server_cert = | 319 scoped_refptr<X509Certificate> server_cert = |
350 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); | 320 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); |
351 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); | 321 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); |
352 | 322 |
353 scoped_refptr<X509Certificate> intermediate_cert1 = | 323 scoped_refptr<X509Certificate> intermediate_cert1 = |
(...skipping 15 matching lines...) Expand all Loading... | |
369 scoped_refptr<X509Certificate> cert_chain2 = | 339 scoped_refptr<X509Certificate> cert_chain2 = |
370 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 340 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
371 intermediates); | 341 intermediates); |
372 | 342 |
373 // No intermediate CA certicates. | 343 // No intermediate CA certicates. |
374 intermediates.clear(); | 344 intermediates.clear(); |
375 scoped_refptr<X509Certificate> cert_chain3 = | 345 scoped_refptr<X509Certificate> cert_chain3 = |
376 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 346 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
377 intermediates); | 347 intermediates); |
378 | 348 |
379 static const uint8_t cert_chain1_ca_fingerprint[20] = { | 349 SHA256HashValue cert_chain1_ca_fingerprint_256 = { |
380 0xc2, 0xf0, 0x08, 0x7d, 0x01, 0xe6, 0x86, 0x05, 0x3a, 0x4d, | 350 {0x51, 0x15, 0x30, 0x49, 0x97, 0x54, 0xf8, 0xb4, 0x17, 0x41, 0x6b, |
381 0x63, 0x3e, 0x7e, 0x70, 0xd4, 0xef, 0x65, 0xc2, 0xcc, 0x4f | 351 0x58, 0x78, 0xb0, 0x89, 0xd2, 0xc3, 0xae, 0x66, 0xc1, 0x16, 0x80, |
382 }; | 352 0xa0, 0x78, 0xe7, 0x53, 0x45, 0xa2, 0xfb, 0x80, 0xe1, 0x07}}; |
383 static const uint8_t cert_chain2_ca_fingerprint[20] = { | 353 SHA256HashValue cert_chain2_ca_fingerprint_256 = { |
384 0xd5, 0x59, 0xa5, 0x86, 0x66, 0x9b, 0x08, 0xf4, 0x6a, 0x30, | 354 {0x00, 0xbd, 0x2b, 0x0e, 0xdd, 0x83, 0x40, 0xb1, 0x74, 0x6c, 0xc3, |
385 0xa1, 0x33, 0xf8, 0xa9, 0xed, 0x3d, 0x03, 0x8e, 0x2e, 0xa8 | 355 0x95, 0xc0, 0xe3, 0x55, 0xb2, 0x16, 0x58, 0x53, 0xfd, 0xb9, 0x3c, |
386 }; | 356 0x52, 0xda, 0xdd, 0xa8, 0x22, 0x8b, 0x07, 0x00, 0x2d, 0xce}}; |
387 // The SHA-1 hash of nothing. | 357 // The SHA-256 hash of nothing. |
388 static const uint8_t cert_chain3_ca_fingerprint[20] = { | 358 SHA256HashValue cert_chain3_ca_fingerprint_256 = { |
389 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, | 359 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, |
390 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09 | 360 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, |
391 }; | 361 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}}; |
392 EXPECT_TRUE(memcmp(cert_chain1->ca_fingerprint().data, | 362 EXPECT_EQ(cert_chain1_ca_fingerprint_256, |
393 cert_chain1_ca_fingerprint, 20) == 0); | 363 X509Certificate::CalculateCAFingerprint256( |
394 EXPECT_TRUE(memcmp(cert_chain2->ca_fingerprint().data, | 364 cert_chain1->GetIntermediateCertificates())); |
395 cert_chain2_ca_fingerprint, 20) == 0); | 365 EXPECT_EQ(cert_chain2_ca_fingerprint_256, |
396 EXPECT_TRUE(memcmp(cert_chain3->ca_fingerprint().data, | 366 X509Certificate::CalculateCAFingerprint256( |
397 cert_chain3_ca_fingerprint, 20) == 0); | 367 cert_chain2->GetIntermediateCertificates())); |
368 EXPECT_EQ(cert_chain3_ca_fingerprint_256, | |
369 X509Certificate::CalculateCAFingerprint256( | |
370 cert_chain3->GetIntermediateCertificates())); | |
398 | 371 |
399 // Test the SHA-256 hash calculation functions explicitly since they are not | 372 SHA256HashValue cert_chain1_chain_fingerprint_256 = { |
400 // used by X509Certificate internally. | 373 {0xac, 0xff, 0xcc, 0x63, 0x0d, 0xd0, 0xa7, 0x19, 0x78, 0xb5, 0x8a, |
401 static const uint8_t cert_chain1_ca_fingerprint_256[32] = { | 374 0x47, 0x8b, 0x67, 0x97, 0xcb, 0x8d, 0xe1, 0x6a, 0x8a, 0x57, 0x70, |
402 0x51, 0x15, 0x30, 0x49, 0x97, 0x54, 0xf8, 0xb4, 0x17, 0x41, | 375 0xda, 0x9a, 0x53, 0x72, 0xe2, 0xa0, 0x08, 0xab, 0xcc, 0x8f}}; |
403 0x6b, 0x58, 0x78, 0xb0, 0x89, 0xd2, 0xc3, 0xae, 0x66, 0xc1, | 376 SHA256HashValue cert_chain2_chain_fingerprint_256 = { |
404 0x16, 0x80, 0xa0, 0x78, 0xe7, 0x53, 0x45, 0xa2, 0xfb, 0x80, | 377 {0x67, 0x3a, 0x11, 0x20, 0xd6, 0x94, 0x14, 0xe4, 0x16, 0x9f, 0x58, |
405 0xe1, 0x07 | 378 0xe2, 0x8b, 0xf7, 0x27, 0xed, 0xbb, 0xe8, 0xa7, 0xff, 0x1c, 0x8c, |
406 }; | 379 0x0f, 0x21, 0x38, 0x16, 0x7c, 0xad, 0x1f, 0x22, 0x6f, 0x9b}}; |
407 static const uint8_t cert_chain2_ca_fingerprint_256[32] = { | 380 SHA256HashValue cert_chain3_chain_fingerprint_256 = { |
408 0x00, 0xbd, 0x2b, 0x0e, 0xdd, 0x83, 0x40, 0xb1, 0x74, 0x6c, | 381 {0x16, 0x7a, 0xbd, 0xb4, 0x57, 0x04, 0x65, 0x3c, 0x3b, 0xef, 0x6e, |
409 0xc3, 0x95, 0xc0, 0xe3, 0x55, 0xb2, 0x16, 0x58, 0x53, 0xfd, | 382 0x6a, 0xa6, 0x02, 0x73, 0x30, 0x3e, 0x34, 0x1b, 0x43, 0xc2, 0x7c, |
410 0xb9, 0x3c, 0x52, 0xda, 0xdd, 0xa8, 0x22, 0x8b, 0x07, 0x00, | 383 0x98, 0x52, 0x9f, 0x34, 0x7f, 0x55, 0x97, 0xe9, 0x1a, 0x10}}; |
411 0x2d, 0xce | 384 EXPECT_EQ(cert_chain1_chain_fingerprint_256, |
412 }; | 385 X509Certificate::CalculateChainFingerprint256( |
413 // The SHA-256 hash of nothing. | 386 cert_chain1->os_cert_handle(), |
414 static const uint8_t cert_chain3_ca_fingerprint_256[32] = { | 387 cert_chain1->GetIntermediateCertificates())); |
415 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, | 388 EXPECT_EQ(cert_chain2_chain_fingerprint_256, |
416 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, | 389 X509Certificate::CalculateChainFingerprint256( |
417 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, | 390 cert_chain2->os_cert_handle(), |
418 0xb8, 0x55 | 391 cert_chain2->GetIntermediateCertificates())); |
419 }; | 392 EXPECT_EQ(cert_chain3_chain_fingerprint_256, |
420 SHA256HashValue ca_fingerprint_256_1 = | 393 X509Certificate::CalculateChainFingerprint256( |
421 X509Certificate::CalculateCAFingerprint256( | 394 cert_chain3->os_cert_handle(), |
422 cert_chain1->GetIntermediateCertificates()); | 395 cert_chain3->GetIntermediateCertificates())); |
423 SHA256HashValue ca_fingerprint_256_2 = | |
424 X509Certificate::CalculateCAFingerprint256( | |
425 cert_chain2->GetIntermediateCertificates()); | |
426 SHA256HashValue ca_fingerprint_256_3 = | |
427 X509Certificate::CalculateCAFingerprint256( | |
428 cert_chain3->GetIntermediateCertificates()); | |
429 EXPECT_TRUE(memcmp(ca_fingerprint_256_1.data, | |
430 cert_chain1_ca_fingerprint_256, 32) == 0); | |
431 EXPECT_TRUE(memcmp(ca_fingerprint_256_2.data, | |
432 cert_chain2_ca_fingerprint_256, 32) == 0); | |
433 EXPECT_TRUE(memcmp(ca_fingerprint_256_3.data, | |
434 cert_chain3_ca_fingerprint_256, 32) == 0); | |
435 | |
436 static const uint8_t cert_chain1_chain_fingerprint_256[32] = { | |
437 0xac, 0xff, 0xcc, 0x63, 0x0d, 0xd0, 0xa7, 0x19, 0x78, 0xb5, | |
438 0x8a, 0x47, 0x8b, 0x67, 0x97, 0xcb, 0x8d, 0xe1, 0x6a, 0x8a, | |
439 0x57, 0x70, 0xda, 0x9a, 0x53, 0x72, 0xe2, 0xa0, 0x08, 0xab, | |
440 0xcc, 0x8f | |
441 }; | |
442 static const uint8_t cert_chain2_chain_fingerprint_256[32] = { | |
443 0x67, 0x3a, 0x11, 0x20, 0xd6, 0x94, 0x14, 0xe4, 0x16, 0x9f, | |
444 0x58, 0xe2, 0x8b, 0xf7, 0x27, 0xed, 0xbb, 0xe8, 0xa7, 0xff, | |
445 0x1c, 0x8c, 0x0f, 0x21, 0x38, 0x16, 0x7c, 0xad, 0x1f, 0x22, | |
446 0x6f, 0x9b | |
447 }; | |
448 static const uint8_t cert_chain3_chain_fingerprint_256[32] = { | |
449 0x16, 0x7a, 0xbd, 0xb4, 0x57, 0x04, 0x65, 0x3c, 0x3b, 0xef, | |
450 0x6e, 0x6a, 0xa6, 0x02, 0x73, 0x30, 0x3e, 0x34, 0x1b, 0x43, | |
451 0xc2, 0x7c, 0x98, 0x52, 0x9f, 0x34, 0x7f, 0x55, 0x97, 0xe9, | |
452 0x1a, 0x10 | |
453 }; | |
454 SHA256HashValue chain_fingerprint_256_1 = | |
455 X509Certificate::CalculateChainFingerprint256( | |
456 cert_chain1->os_cert_handle(), | |
457 cert_chain1->GetIntermediateCertificates()); | |
458 SHA256HashValue chain_fingerprint_256_2 = | |
459 X509Certificate::CalculateChainFingerprint256( | |
460 cert_chain2->os_cert_handle(), | |
461 cert_chain2->GetIntermediateCertificates()); | |
462 SHA256HashValue chain_fingerprint_256_3 = | |
463 X509Certificate::CalculateChainFingerprint256( | |
464 cert_chain3->os_cert_handle(), | |
465 cert_chain3->GetIntermediateCertificates()); | |
466 EXPECT_TRUE(memcmp(chain_fingerprint_256_1.data, | |
467 cert_chain1_chain_fingerprint_256, 32) == 0); | |
468 EXPECT_TRUE(memcmp(chain_fingerprint_256_2.data, | |
469 cert_chain2_chain_fingerprint_256, 32) == 0); | |
470 EXPECT_TRUE(memcmp(chain_fingerprint_256_3.data, | |
471 cert_chain3_chain_fingerprint_256, 32) == 0); | |
472 } | 396 } |
473 | 397 |
474 TEST(X509CertificateTest, ParseSubjectAltNames) { | 398 TEST(X509CertificateTest, ParseSubjectAltNames) { |
475 base::FilePath certs_dir = GetTestCertsDirectory(); | 399 base::FilePath certs_dir = GetTestCertsDirectory(); |
476 | 400 |
477 scoped_refptr<X509Certificate> san_cert = | 401 scoped_refptr<X509Certificate> san_cert = |
478 ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); | 402 ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); |
479 ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert.get()); | 403 ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert.get()); |
480 | 404 |
481 std::vector<std::string> dns_names; | 405 std::vector<std::string> dns_names; |
(...skipping 350 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
832 | 756 |
833 std::string nickname = test_cert->GetDefaultNickname(USER_CERT); | 757 std::string nickname = test_cert->GetDefaultNickname(USER_CERT); |
834 EXPECT_EQ("wtc@google.com's COMODO Client Authentication and " | 758 EXPECT_EQ("wtc@google.com's COMODO Client Authentication and " |
835 "Secure Email CA ID", nickname); | 759 "Secure Email CA ID", nickname); |
836 } | 760 } |
837 #endif | 761 #endif |
838 | 762 |
839 const struct CertificateFormatTestData { | 763 const struct CertificateFormatTestData { |
840 const char* file_name; | 764 const char* file_name; |
841 X509Certificate::Format format; | 765 X509Certificate::Format format; |
842 uint8_t* chain_fingerprints[3]; | 766 SHA256HashValue* chain_fingerprints[3]; |
843 } kFormatTestData[] = { | 767 } kFormatTestData[] = { |
844 // DER Parsing - single certificate, DER encoded | 768 // DER Parsing - single certificate, DER encoded |
845 { "google.single.der", X509Certificate::FORMAT_SINGLE_CERTIFICATE, | 769 {"google.single.der", |
846 { google_parse_fingerprint, | 770 X509Certificate::FORMAT_SINGLE_CERTIFICATE, |
847 NULL, } }, | 771 { |
848 // DER parsing - single certificate, PEM encoded | 772 &google_parse_fingerprint, NULL, |
849 { "google.single.pem", X509Certificate::FORMAT_SINGLE_CERTIFICATE, | 773 }}, |
850 { google_parse_fingerprint, | 774 // DER parsing - single certificate, PEM encoded |
851 NULL, } }, | 775 {"google.single.pem", |
852 // PEM parsing - single certificate, PEM encoded with a PEB of | 776 X509Certificate::FORMAT_SINGLE_CERTIFICATE, |
853 // "CERTIFICATE" | 777 { |
854 { "google.single.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, | 778 &google_parse_fingerprint, NULL, |
855 { google_parse_fingerprint, | 779 }}, |
856 NULL, } }, | 780 // PEM parsing - single certificate, PEM encoded with a PEB of |
857 // PEM parsing - sequence of certificates, PEM encoded with a PEB of | 781 // "CERTIFICATE" |
858 // "CERTIFICATE" | 782 {"google.single.pem", |
859 { "google.chain.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, | 783 X509Certificate::FORMAT_PEM_CERT_SEQUENCE, |
860 { google_parse_fingerprint, | 784 { |
861 thawte_parse_fingerprint, | 785 &google_parse_fingerprint, NULL, |
862 NULL, } }, | 786 }}, |
863 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER | 787 // PEM parsing - sequence of certificates, PEM encoded with a PEB of |
864 // encoding | 788 // "CERTIFICATE" |
865 { "google.binary.p7b", X509Certificate::FORMAT_PKCS7, | 789 {"google.chain.pem", |
866 { google_parse_fingerprint, | 790 X509Certificate::FORMAT_PEM_CERT_SEQUENCE, |
867 thawte_parse_fingerprint, | 791 { |
868 NULL, } }, | 792 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
869 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM | 793 }}, |
870 // encoded with a PEM PEB of "CERTIFICATE" | 794 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER |
871 { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7, | 795 // encoding |
872 { google_parse_fingerprint, | 796 {"google.binary.p7b", |
873 thawte_parse_fingerprint, | 797 X509Certificate::FORMAT_PKCS7, |
874 NULL, } }, | 798 { |
875 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM | 799 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
876 // encoded with a PEM PEB of "PKCS7" | 800 }}, |
877 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7, | 801 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM |
878 { google_parse_fingerprint, | 802 // encoded with a PEM PEB of "CERTIFICATE" |
879 thawte_parse_fingerprint, | 803 {"google.pem_cert.p7b", |
880 NULL, } }, | 804 X509Certificate::FORMAT_PKCS7, |
881 // All of the above, this time using auto-detection | 805 { |
882 { "google.single.der", X509Certificate::FORMAT_AUTO, | 806 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
883 { google_parse_fingerprint, | 807 }}, |
884 NULL, } }, | 808 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM |
885 { "google.single.pem", X509Certificate::FORMAT_AUTO, | 809 // encoded with a PEM PEB of "PKCS7" |
886 { google_parse_fingerprint, | 810 {"google.pem_pkcs7.p7b", |
887 NULL, } }, | 811 X509Certificate::FORMAT_PKCS7, |
888 { "google.chain.pem", X509Certificate::FORMAT_AUTO, | 812 { |
889 { google_parse_fingerprint, | 813 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
890 thawte_parse_fingerprint, | 814 }}, |
891 NULL, } }, | 815 // All of the above, this time using auto-detection |
892 { "google.binary.p7b", X509Certificate::FORMAT_AUTO, | 816 {"google.single.der", |
893 { google_parse_fingerprint, | 817 X509Certificate::FORMAT_AUTO, |
894 thawte_parse_fingerprint, | 818 { |
895 NULL, } }, | 819 &google_parse_fingerprint, NULL, |
896 { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO, | 820 }}, |
897 { google_parse_fingerprint, | 821 {"google.single.pem", |
898 thawte_parse_fingerprint, | 822 X509Certificate::FORMAT_AUTO, |
899 NULL, } }, | 823 { |
900 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO, | 824 &google_parse_fingerprint, NULL, |
901 { google_parse_fingerprint, | 825 }}, |
902 thawte_parse_fingerprint, | 826 {"google.chain.pem", |
903 NULL, } }, | 827 X509Certificate::FORMAT_AUTO, |
828 { | |
829 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, | |
830 }}, | |
831 {"google.binary.p7b", | |
832 X509Certificate::FORMAT_AUTO, | |
833 { | |
834 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, | |
835 }}, | |
836 {"google.pem_cert.p7b", | |
837 X509Certificate::FORMAT_AUTO, | |
838 { | |
839 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, | |
840 }}, | |
841 {"google.pem_pkcs7.p7b", | |
842 X509Certificate::FORMAT_AUTO, | |
843 { | |
844 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, | |
845 }}, | |
904 }; | 846 }; |
905 | 847 |
906 class X509CertificateParseTest | 848 class X509CertificateParseTest |
907 : public testing::TestWithParam<CertificateFormatTestData> { | 849 : public testing::TestWithParam<CertificateFormatTestData> { |
908 public: | 850 public: |
909 virtual ~X509CertificateParseTest() {} | 851 virtual ~X509CertificateParseTest() {} |
910 void SetUp() override { test_data_ = GetParam(); } | 852 void SetUp() override { test_data_ = GetParam(); } |
911 void TearDown() override {} | 853 void TearDown() override {} |
912 | 854 |
913 protected: | 855 protected: |
(...skipping 16 matching lines...) Expand all Loading... | |
930 // returned before marking this test a success. | 872 // returned before marking this test a success. |
931 EXPECT_EQ(i, certs.size()); | 873 EXPECT_EQ(i, certs.size()); |
932 break; | 874 break; |
933 } | 875 } |
934 | 876 |
935 // A cert is expected - make sure that one was parsed. | 877 // A cert is expected - make sure that one was parsed. |
936 ASSERT_LT(i, certs.size()); | 878 ASSERT_LT(i, certs.size()); |
937 | 879 |
938 // Compare the parsed certificate with the expected certificate, by | 880 // Compare the parsed certificate with the expected certificate, by |
939 // comparing fingerprints. | 881 // comparing fingerprints. |
940 const X509Certificate* cert = certs[i].get(); | 882 EXPECT_EQ( |
941 const SHA1HashValue& actual_fingerprint = cert->fingerprint(); | 883 *test_data_.chain_fingerprints[i], |
942 uint8_t* expected_fingerprint = test_data_.chain_fingerprints[i]; | 884 X509Certificate::CalculateFingerprint256(certs[i]->os_cert_handle())); |
943 | |
944 for (size_t j = 0; j < 20; ++j) | |
945 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); | |
946 } | 885 } |
947 } | 886 } |
948 | 887 |
949 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, | 888 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, |
950 testing::ValuesIn(kFormatTestData)); | 889 testing::ValuesIn(kFormatTestData)); |
951 | 890 |
952 struct CertificateNameVerifyTestData { | 891 struct CertificateNameVerifyTestData { |
953 // true iff we expect hostname to match an entry in cert_names. | 892 // true iff we expect hostname to match an entry in cert_names. |
954 bool expected; | 893 bool expected; |
955 // The hostname to match. | 894 // The hostname to match. |
(...skipping 275 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1231 &actual_type); | 1170 &actual_type); |
1232 | 1171 |
1233 EXPECT_EQ(data.expected_bits, actual_bits); | 1172 EXPECT_EQ(data.expected_bits, actual_bits); |
1234 EXPECT_EQ(data.expected_type, actual_type); | 1173 EXPECT_EQ(data.expected_type, actual_type); |
1235 } | 1174 } |
1236 | 1175 |
1237 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, | 1176 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, |
1238 testing::ValuesIn(kPublicKeyInfoTestData)); | 1177 testing::ValuesIn(kPublicKeyInfoTestData)); |
1239 | 1178 |
1240 } // namespace net | 1179 } // namespace net |
OLD | NEW |