| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include <memory> | 9 #include <memory> |
| 10 | 10 |
| (...skipping 28 matching lines...) Expand all Loading... |
| 39 // | 39 // |
| 40 // For fingerprint | 40 // For fingerprint |
| 41 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der | 41 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der |
| 42 | 42 |
| 43 // For valid_start, valid_expiry | 43 // For valid_start, valid_expiry |
| 44 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | | 44 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | |
| 45 // grep -A 2 Validity | 45 // grep -A 2 Validity |
| 46 // $ date +%s -d '<date str>' | 46 // $ date +%s -d '<date str>' |
| 47 | 47 |
| 48 // Google's cert. | 48 // Google's cert. |
| 49 uint8_t google_fingerprint[] = { | 49 SHA256HashValue google_fingerprint = { |
| 50 0xab, 0xbe, 0x5e, 0xb4, 0x93, 0x88, 0x4e, 0xe4, 0x60, 0xc6, 0xef, 0xf8, | 50 {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, |
| 51 0xea, 0xd4, 0xb1, 0x55, 0x4b, 0xc9, 0x59, 0x3c | 51 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, |
| 52 }; | 52 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; |
| 53 | |
| 54 // webkit.org's cert. | |
| 55 uint8_t webkit_fingerprint[] = { | |
| 56 0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8, | |
| 57 0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2 | |
| 58 }; | |
| 59 | |
| 60 // thawte.com's cert (it's EV-licious!). | |
| 61 uint8_t thawte_fingerprint[] = { | |
| 62 0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6, | |
| 63 0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37 | |
| 64 }; | |
| 65 | |
| 66 // A certificate for https://www.unosoft.hu/, whose AIA extension contains | |
| 67 // an LDAP URL without a host name. | |
| 68 uint8_t unosoft_hu_fingerprint[] = { | |
| 69 0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd, | |
| 70 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 | |
| 71 }; | |
| 72 | 53 |
| 73 // The fingerprint of the Google certificate used in the parsing tests, | 54 // The fingerprint of the Google certificate used in the parsing tests, |
| 74 // which is newer than the one included in the x509_certificate_data.h | 55 // which is newer than the one included in the x509_certificate_data.h |
| 75 uint8_t google_parse_fingerprint[] = { | 56 SHA256HashValue google_parse_fingerprint = { |
| 76 0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a, | 57 {0xf6, 0x41, 0xc3, 0x6c, 0xfe, 0xf4, 0x9b, 0xc0, 0x71, 0x35, 0x9e, |
| 77 0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2 | 58 0xcf, 0x88, 0xee, 0xd9, 0x31, 0x7b, 0x73, 0x8b, 0x59, 0x89, 0x41, |
| 78 }; | 59 0x6a, 0xd4, 0x01, 0x72, 0x0c, 0x0a, 0x4e, 0x2e, 0x63, 0x52}}; |
| 79 | 60 |
| 80 // The fingerprint for the Thawte SGC certificate | 61 // The fingerprint for the Thawte SGC certificate |
| 81 uint8_t thawte_parse_fingerprint[] = { | 62 SHA256HashValue thawte_parse_fingerprint = { |
| 82 0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f, | 63 {0x10, 0x85, 0xa6, 0xf4, 0x54, 0xd0, 0xc9, 0x11, 0x98, 0xfd, 0xda, |
| 83 0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02 | 64 0xb1, 0x1a, 0x31, 0xc7, 0x16, 0xd5, 0xdc, 0xd6, 0x8d, 0xf9, 0x1c, |
| 84 }; | 65 0x03, 0x9c, 0xe1, 0x8d, 0xca, 0x9b, 0xeb, 0x3c, 0xde, 0x3d}}; |
| 85 | 66 |
| 86 // Dec 18 00:00:00 2009 GMT | 67 // Dec 18 00:00:00 2009 GMT |
| 87 const double kGoogleParseValidFrom = 1261094400; | 68 const double kGoogleParseValidFrom = 1261094400; |
| 88 // Dec 18 23:59:59 2011 GMT | 69 // Dec 18 23:59:59 2011 GMT |
| 89 const double kGoogleParseValidTo = 1324252799; | 70 const double kGoogleParseValidTo = 1324252799; |
| 90 | 71 |
| 91 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, | 72 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, |
| 92 uint8_t* expected_fingerprint, | 73 const SHA256HashValue& expected_fingerprint, |
| 93 double valid_from, double valid_to) { | 74 double valid_from, |
| 75 double valid_to) { |
| 94 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert.get()); | 76 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert.get()); |
| 95 | 77 |
| 96 const CertPrincipal& subject = google_cert->subject(); | 78 const CertPrincipal& subject = google_cert->subject(); |
| 97 EXPECT_EQ("www.google.com", subject.common_name); | 79 EXPECT_EQ("www.google.com", subject.common_name); |
| 98 EXPECT_EQ("Mountain View", subject.locality_name); | 80 EXPECT_EQ("Mountain View", subject.locality_name); |
| 99 EXPECT_EQ("California", subject.state_or_province_name); | 81 EXPECT_EQ("California", subject.state_or_province_name); |
| 100 EXPECT_EQ("US", subject.country_name); | 82 EXPECT_EQ("US", subject.country_name); |
| 101 EXPECT_EQ(0U, subject.street_addresses.size()); | 83 EXPECT_EQ(0U, subject.street_addresses.size()); |
| 102 ASSERT_EQ(1U, subject.organization_names.size()); | 84 ASSERT_EQ(1U, subject.organization_names.size()); |
| 103 EXPECT_EQ("Google Inc", subject.organization_names[0]); | 85 EXPECT_EQ("Google Inc", subject.organization_names[0]); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 115 EXPECT_EQ(0U, issuer.organization_unit_names.size()); | 97 EXPECT_EQ(0U, issuer.organization_unit_names.size()); |
| 116 EXPECT_EQ(0U, issuer.domain_components.size()); | 98 EXPECT_EQ(0U, issuer.domain_components.size()); |
| 117 | 99 |
| 118 // Use DoubleT because its epoch is the same on all platforms | 100 // Use DoubleT because its epoch is the same on all platforms |
| 119 const Time& valid_start = google_cert->valid_start(); | 101 const Time& valid_start = google_cert->valid_start(); |
| 120 EXPECT_EQ(valid_from, valid_start.ToDoubleT()); | 102 EXPECT_EQ(valid_from, valid_start.ToDoubleT()); |
| 121 | 103 |
| 122 const Time& valid_expiry = google_cert->valid_expiry(); | 104 const Time& valid_expiry = google_cert->valid_expiry(); |
| 123 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); | 105 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); |
| 124 | 106 |
| 125 const SHA1HashValue& fingerprint = google_cert->fingerprint(); | 107 EXPECT_EQ(expected_fingerprint, X509Certificate::CalculateFingerprint256( |
| 126 for (size_t i = 0; i < 20; ++i) | 108 google_cert->os_cert_handle())); |
| 127 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); | |
| 128 | 109 |
| 129 std::vector<std::string> dns_names; | 110 std::vector<std::string> dns_names; |
| 130 google_cert->GetDNSNames(&dns_names); | 111 google_cert->GetDNSNames(&dns_names); |
| 131 ASSERT_EQ(1U, dns_names.size()); | 112 ASSERT_EQ(1U, dns_names.size()); |
| 132 EXPECT_EQ("www.google.com", dns_names[0]); | 113 EXPECT_EQ("www.google.com", dns_names[0]); |
| 133 } | 114 } |
| 134 | 115 |
| 135 TEST(X509CertificateTest, GoogleCertParsing) { | 116 TEST(X509CertificateTest, GoogleCertParsing) { |
| 136 scoped_refptr<X509Certificate> google_cert( | 117 scoped_refptr<X509Certificate> google_cert( |
| 137 X509Certificate::CreateFromBytes( | 118 X509Certificate::CreateFromBytes( |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 172 issuer.organization_unit_names[0]); | 153 issuer.organization_unit_names[0]); |
| 173 EXPECT_EQ(0U, issuer.domain_components.size()); | 154 EXPECT_EQ(0U, issuer.domain_components.size()); |
| 174 | 155 |
| 175 // Use DoubleT because its epoch is the same on all platforms | 156 // Use DoubleT because its epoch is the same on all platforms |
| 176 const Time& valid_start = webkit_cert->valid_start(); | 157 const Time& valid_start = webkit_cert->valid_start(); |
| 177 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT | 158 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT |
| 178 | 159 |
| 179 const Time& valid_expiry = webkit_cert->valid_expiry(); | 160 const Time& valid_expiry = webkit_cert->valid_expiry(); |
| 180 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT | 161 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT |
| 181 | 162 |
| 182 const SHA1HashValue& fingerprint = webkit_cert->fingerprint(); | |
| 183 for (size_t i = 0; i < 20; ++i) | |
| 184 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); | |
| 185 | |
| 186 std::vector<std::string> dns_names; | 163 std::vector<std::string> dns_names; |
| 187 webkit_cert->GetDNSNames(&dns_names); | 164 webkit_cert->GetDNSNames(&dns_names); |
| 188 ASSERT_EQ(2U, dns_names.size()); | 165 ASSERT_EQ(2U, dns_names.size()); |
| 189 EXPECT_EQ("*.webkit.org", dns_names[0]); | 166 EXPECT_EQ("*.webkit.org", dns_names[0]); |
| 190 EXPECT_EQ("webkit.org", dns_names[1]); | 167 EXPECT_EQ("webkit.org", dns_names[1]); |
| 191 | 168 |
| 192 // Test that the wildcard cert matches properly. | 169 // Test that the wildcard cert matches properly. |
| 193 bool unused = false; | 170 bool unused = false; |
| 194 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused)); | 171 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused)); |
| 195 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused)); | 172 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused)); |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 228 issuer.organization_unit_names[0]); | 205 issuer.organization_unit_names[0]); |
| 229 EXPECT_EQ(0U, issuer.domain_components.size()); | 206 EXPECT_EQ(0U, issuer.domain_components.size()); |
| 230 | 207 |
| 231 // Use DoubleT because its epoch is the same on all platforms | 208 // Use DoubleT because its epoch is the same on all platforms |
| 232 const Time& valid_start = thawte_cert->valid_start(); | 209 const Time& valid_start = thawte_cert->valid_start(); |
| 233 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT | 210 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT |
| 234 | 211 |
| 235 const Time& valid_expiry = thawte_cert->valid_expiry(); | 212 const Time& valid_expiry = thawte_cert->valid_expiry(); |
| 236 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT | 213 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT |
| 237 | 214 |
| 238 const SHA1HashValue& fingerprint = thawte_cert->fingerprint(); | |
| 239 for (size_t i = 0; i < 20; ++i) | |
| 240 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); | |
| 241 | |
| 242 std::vector<std::string> dns_names; | 215 std::vector<std::string> dns_names; |
| 243 thawte_cert->GetDNSNames(&dns_names); | 216 thawte_cert->GetDNSNames(&dns_names); |
| 244 ASSERT_EQ(1U, dns_names.size()); | 217 ASSERT_EQ(1U, dns_names.size()); |
| 245 EXPECT_EQ("www.thawte.com", dns_names[0]); | 218 EXPECT_EQ("www.thawte.com", dns_names[0]); |
| 246 } | 219 } |
| 247 | 220 |
| 248 // Test that all desired AttributeAndValue pairs can be extracted when only | 221 // Test that all desired AttributeAndValue pairs can be extracted when only |
| 249 // a single RelativeDistinguishedName is present. "Normally" there is only | 222 // a single RelativeDistinguishedName is present. "Normally" there is only |
| 250 // one AVA per RDN, but some CAs place all AVAs within a single RDN. | 223 // one AVA per RDN, but some CAs place all AVAs within a single RDN. |
| 251 // This is a regression test for http://crbug.com/101009 | 224 // This is a regression test for http://crbug.com/101009 |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 320 ASSERT_EQ(sizeof(paypal_null_serial), | 293 ASSERT_EQ(sizeof(paypal_null_serial), |
| 321 paypal_null_cert->serial_number().size()); | 294 paypal_null_cert->serial_number().size()); |
| 322 EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(), | 295 EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(), |
| 323 paypal_null_serial, sizeof(paypal_null_serial)) == 0); | 296 paypal_null_serial, sizeof(paypal_null_serial)) == 0); |
| 324 } | 297 } |
| 325 | 298 |
| 326 TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { | 299 TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { |
| 327 scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes( | 300 scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes( |
| 328 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 301 reinterpret_cast<const char*>(google_der), sizeof(google_der))); |
| 329 | 302 |
| 330 static const uint8_t google_sha256_fingerprint[32] = { | 303 const SHA256HashValue google_sha256_fingerprint = { |
| 331 0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, | 304 {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, |
| 332 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, | 305 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, |
| 333 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}; | 306 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; |
| 334 | 307 |
| 335 SHA256HashValue fingerprint = | 308 EXPECT_EQ(google_sha256_fingerprint, X509Certificate::CalculateFingerprint256( |
| 336 X509Certificate::CalculateFingerprint256(google_cert->os_cert_handle()); | 309 google_cert->os_cert_handle())); |
| 337 | |
| 338 for (size_t i = 0; i < 32; ++i) | |
| 339 EXPECT_EQ(google_sha256_fingerprint[i], fingerprint.data[i]); | |
| 340 } | 310 } |
| 341 | 311 |
| 342 TEST(X509CertificateTest, CAFingerprints) { | 312 TEST(X509CertificateTest, CAFingerprints) { |
| 343 base::FilePath certs_dir = GetTestCertsDirectory(); | 313 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 344 | 314 |
| 345 scoped_refptr<X509Certificate> server_cert = | 315 scoped_refptr<X509Certificate> server_cert = |
| 346 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); | 316 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); |
| 347 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); | 317 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); |
| 348 | 318 |
| 349 scoped_refptr<X509Certificate> intermediate_cert1 = | 319 scoped_refptr<X509Certificate> intermediate_cert1 = |
| (...skipping 15 matching lines...) Expand all Loading... |
| 365 scoped_refptr<X509Certificate> cert_chain2 = | 335 scoped_refptr<X509Certificate> cert_chain2 = |
| 366 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 336 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 367 intermediates); | 337 intermediates); |
| 368 | 338 |
| 369 // No intermediate CA certicates. | 339 // No intermediate CA certicates. |
| 370 intermediates.clear(); | 340 intermediates.clear(); |
| 371 scoped_refptr<X509Certificate> cert_chain3 = | 341 scoped_refptr<X509Certificate> cert_chain3 = |
| 372 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 342 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 373 intermediates); | 343 intermediates); |
| 374 | 344 |
| 375 static const uint8_t cert_chain1_ca_fingerprint[20] = { | 345 SHA256HashValue cert_chain1_ca_fingerprint_256 = { |
| 376 0xc2, 0xf0, 0x08, 0x7d, 0x01, 0xe6, 0x86, 0x05, 0x3a, 0x4d, | 346 {0x51, 0x15, 0x30, 0x49, 0x97, 0x54, 0xf8, 0xb4, 0x17, 0x41, 0x6b, |
| 377 0x63, 0x3e, 0x7e, 0x70, 0xd4, 0xef, 0x65, 0xc2, 0xcc, 0x4f | 347 0x58, 0x78, 0xb0, 0x89, 0xd2, 0xc3, 0xae, 0x66, 0xc1, 0x16, 0x80, |
| 378 }; | 348 0xa0, 0x78, 0xe7, 0x53, 0x45, 0xa2, 0xfb, 0x80, 0xe1, 0x07}}; |
| 379 static const uint8_t cert_chain2_ca_fingerprint[20] = { | 349 SHA256HashValue cert_chain2_ca_fingerprint_256 = { |
| 380 0xd5, 0x59, 0xa5, 0x86, 0x66, 0x9b, 0x08, 0xf4, 0x6a, 0x30, | 350 {0x00, 0xbd, 0x2b, 0x0e, 0xdd, 0x83, 0x40, 0xb1, 0x74, 0x6c, 0xc3, |
| 381 0xa1, 0x33, 0xf8, 0xa9, 0xed, 0x3d, 0x03, 0x8e, 0x2e, 0xa8 | 351 0x95, 0xc0, 0xe3, 0x55, 0xb2, 0x16, 0x58, 0x53, 0xfd, 0xb9, 0x3c, |
| 382 }; | 352 0x52, 0xda, 0xdd, 0xa8, 0x22, 0x8b, 0x07, 0x00, 0x2d, 0xce}}; |
| 383 // The SHA-1 hash of nothing. | 353 // The SHA-256 hash of nothing. |
| 384 static const uint8_t cert_chain3_ca_fingerprint[20] = { | 354 SHA256HashValue cert_chain3_ca_fingerprint_256 = { |
| 385 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, | 355 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, |
| 386 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09 | 356 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, |
| 387 }; | 357 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}}; |
| 388 EXPECT_TRUE(memcmp(cert_chain1->ca_fingerprint().data, | 358 EXPECT_EQ(cert_chain1_ca_fingerprint_256, |
| 389 cert_chain1_ca_fingerprint, 20) == 0); | 359 X509Certificate::CalculateCAFingerprint256( |
| 390 EXPECT_TRUE(memcmp(cert_chain2->ca_fingerprint().data, | 360 cert_chain1->GetIntermediateCertificates())); |
| 391 cert_chain2_ca_fingerprint, 20) == 0); | 361 EXPECT_EQ(cert_chain2_ca_fingerprint_256, |
| 392 EXPECT_TRUE(memcmp(cert_chain3->ca_fingerprint().data, | 362 X509Certificate::CalculateCAFingerprint256( |
| 393 cert_chain3_ca_fingerprint, 20) == 0); | 363 cert_chain2->GetIntermediateCertificates())); |
| 364 EXPECT_EQ(cert_chain3_ca_fingerprint_256, |
| 365 X509Certificate::CalculateCAFingerprint256( |
| 366 cert_chain3->GetIntermediateCertificates())); |
| 394 | 367 |
| 395 // Test the SHA-256 hash calculation functions explicitly since they are not | 368 SHA256HashValue cert_chain1_chain_fingerprint_256 = { |
| 396 // used by X509Certificate internally. | 369 {0xac, 0xff, 0xcc, 0x63, 0x0d, 0xd0, 0xa7, 0x19, 0x78, 0xb5, 0x8a, |
| 397 static const uint8_t cert_chain1_ca_fingerprint_256[32] = { | 370 0x47, 0x8b, 0x67, 0x97, 0xcb, 0x8d, 0xe1, 0x6a, 0x8a, 0x57, 0x70, |
| 398 0x51, 0x15, 0x30, 0x49, 0x97, 0x54, 0xf8, 0xb4, 0x17, 0x41, | 371 0xda, 0x9a, 0x53, 0x72, 0xe2, 0xa0, 0x08, 0xab, 0xcc, 0x8f}}; |
| 399 0x6b, 0x58, 0x78, 0xb0, 0x89, 0xd2, 0xc3, 0xae, 0x66, 0xc1, | 372 SHA256HashValue cert_chain2_chain_fingerprint_256 = { |
| 400 0x16, 0x80, 0xa0, 0x78, 0xe7, 0x53, 0x45, 0xa2, 0xfb, 0x80, | 373 {0x67, 0x3a, 0x11, 0x20, 0xd6, 0x94, 0x14, 0xe4, 0x16, 0x9f, 0x58, |
| 401 0xe1, 0x07 | 374 0xe2, 0x8b, 0xf7, 0x27, 0xed, 0xbb, 0xe8, 0xa7, 0xff, 0x1c, 0x8c, |
| 402 }; | 375 0x0f, 0x21, 0x38, 0x16, 0x7c, 0xad, 0x1f, 0x22, 0x6f, 0x9b}}; |
| 403 static const uint8_t cert_chain2_ca_fingerprint_256[32] = { | 376 SHA256HashValue cert_chain3_chain_fingerprint_256 = { |
| 404 0x00, 0xbd, 0x2b, 0x0e, 0xdd, 0x83, 0x40, 0xb1, 0x74, 0x6c, | 377 {0x16, 0x7a, 0xbd, 0xb4, 0x57, 0x04, 0x65, 0x3c, 0x3b, 0xef, 0x6e, |
| 405 0xc3, 0x95, 0xc0, 0xe3, 0x55, 0xb2, 0x16, 0x58, 0x53, 0xfd, | 378 0x6a, 0xa6, 0x02, 0x73, 0x30, 0x3e, 0x34, 0x1b, 0x43, 0xc2, 0x7c, |
| 406 0xb9, 0x3c, 0x52, 0xda, 0xdd, 0xa8, 0x22, 0x8b, 0x07, 0x00, | 379 0x98, 0x52, 0x9f, 0x34, 0x7f, 0x55, 0x97, 0xe9, 0x1a, 0x10}}; |
| 407 0x2d, 0xce | 380 EXPECT_EQ(cert_chain1_chain_fingerprint_256, |
| 408 }; | 381 X509Certificate::CalculateChainFingerprint256( |
| 409 // The SHA-256 hash of nothing. | 382 cert_chain1->os_cert_handle(), |
| 410 static const uint8_t cert_chain3_ca_fingerprint_256[32] = { | 383 cert_chain1->GetIntermediateCertificates())); |
| 411 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, | 384 EXPECT_EQ(cert_chain2_chain_fingerprint_256, |
| 412 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, | 385 X509Certificate::CalculateChainFingerprint256( |
| 413 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, | 386 cert_chain2->os_cert_handle(), |
| 414 0xb8, 0x55 | 387 cert_chain2->GetIntermediateCertificates())); |
| 415 }; | 388 EXPECT_EQ(cert_chain3_chain_fingerprint_256, |
| 416 SHA256HashValue ca_fingerprint_256_1 = | 389 X509Certificate::CalculateChainFingerprint256( |
| 417 X509Certificate::CalculateCAFingerprint256( | 390 cert_chain3->os_cert_handle(), |
| 418 cert_chain1->GetIntermediateCertificates()); | 391 cert_chain3->GetIntermediateCertificates())); |
| 419 SHA256HashValue ca_fingerprint_256_2 = | |
| 420 X509Certificate::CalculateCAFingerprint256( | |
| 421 cert_chain2->GetIntermediateCertificates()); | |
| 422 SHA256HashValue ca_fingerprint_256_3 = | |
| 423 X509Certificate::CalculateCAFingerprint256( | |
| 424 cert_chain3->GetIntermediateCertificates()); | |
| 425 EXPECT_TRUE(memcmp(ca_fingerprint_256_1.data, | |
| 426 cert_chain1_ca_fingerprint_256, 32) == 0); | |
| 427 EXPECT_TRUE(memcmp(ca_fingerprint_256_2.data, | |
| 428 cert_chain2_ca_fingerprint_256, 32) == 0); | |
| 429 EXPECT_TRUE(memcmp(ca_fingerprint_256_3.data, | |
| 430 cert_chain3_ca_fingerprint_256, 32) == 0); | |
| 431 | |
| 432 static const uint8_t cert_chain1_chain_fingerprint_256[32] = { | |
| 433 0xac, 0xff, 0xcc, 0x63, 0x0d, 0xd0, 0xa7, 0x19, 0x78, 0xb5, | |
| 434 0x8a, 0x47, 0x8b, 0x67, 0x97, 0xcb, 0x8d, 0xe1, 0x6a, 0x8a, | |
| 435 0x57, 0x70, 0xda, 0x9a, 0x53, 0x72, 0xe2, 0xa0, 0x08, 0xab, | |
| 436 0xcc, 0x8f | |
| 437 }; | |
| 438 static const uint8_t cert_chain2_chain_fingerprint_256[32] = { | |
| 439 0x67, 0x3a, 0x11, 0x20, 0xd6, 0x94, 0x14, 0xe4, 0x16, 0x9f, | |
| 440 0x58, 0xe2, 0x8b, 0xf7, 0x27, 0xed, 0xbb, 0xe8, 0xa7, 0xff, | |
| 441 0x1c, 0x8c, 0x0f, 0x21, 0x38, 0x16, 0x7c, 0xad, 0x1f, 0x22, | |
| 442 0x6f, 0x9b | |
| 443 }; | |
| 444 static const uint8_t cert_chain3_chain_fingerprint_256[32] = { | |
| 445 0x16, 0x7a, 0xbd, 0xb4, 0x57, 0x04, 0x65, 0x3c, 0x3b, 0xef, | |
| 446 0x6e, 0x6a, 0xa6, 0x02, 0x73, 0x30, 0x3e, 0x34, 0x1b, 0x43, | |
| 447 0xc2, 0x7c, 0x98, 0x52, 0x9f, 0x34, 0x7f, 0x55, 0x97, 0xe9, | |
| 448 0x1a, 0x10 | |
| 449 }; | |
| 450 SHA256HashValue chain_fingerprint_256_1 = | |
| 451 X509Certificate::CalculateChainFingerprint256( | |
| 452 cert_chain1->os_cert_handle(), | |
| 453 cert_chain1->GetIntermediateCertificates()); | |
| 454 SHA256HashValue chain_fingerprint_256_2 = | |
| 455 X509Certificate::CalculateChainFingerprint256( | |
| 456 cert_chain2->os_cert_handle(), | |
| 457 cert_chain2->GetIntermediateCertificates()); | |
| 458 SHA256HashValue chain_fingerprint_256_3 = | |
| 459 X509Certificate::CalculateChainFingerprint256( | |
| 460 cert_chain3->os_cert_handle(), | |
| 461 cert_chain3->GetIntermediateCertificates()); | |
| 462 EXPECT_TRUE(memcmp(chain_fingerprint_256_1.data, | |
| 463 cert_chain1_chain_fingerprint_256, 32) == 0); | |
| 464 EXPECT_TRUE(memcmp(chain_fingerprint_256_2.data, | |
| 465 cert_chain2_chain_fingerprint_256, 32) == 0); | |
| 466 EXPECT_TRUE(memcmp(chain_fingerprint_256_3.data, | |
| 467 cert_chain3_chain_fingerprint_256, 32) == 0); | |
| 468 } | 392 } |
| 469 | 393 |
| 470 TEST(X509CertificateTest, ParseSubjectAltNames) { | 394 TEST(X509CertificateTest, ParseSubjectAltNames) { |
| 471 base::FilePath certs_dir = GetTestCertsDirectory(); | 395 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 472 | 396 |
| 473 scoped_refptr<X509Certificate> san_cert = | 397 scoped_refptr<X509Certificate> san_cert = |
| 474 ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); | 398 ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); |
| 475 ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert.get()); | 399 ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert.get()); |
| 476 | 400 |
| 477 std::vector<std::string> dns_names; | 401 std::vector<std::string> dns_names; |
| (...skipping 360 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 838 | 762 |
| 839 std::string nickname = test_cert->GetDefaultNickname(USER_CERT); | 763 std::string nickname = test_cert->GetDefaultNickname(USER_CERT); |
| 840 EXPECT_EQ("wtc@google.com's COMODO Client Authentication and " | 764 EXPECT_EQ("wtc@google.com's COMODO Client Authentication and " |
| 841 "Secure Email CA ID", nickname); | 765 "Secure Email CA ID", nickname); |
| 842 } | 766 } |
| 843 #endif | 767 #endif |
| 844 | 768 |
| 845 const struct CertificateFormatTestData { | 769 const struct CertificateFormatTestData { |
| 846 const char* file_name; | 770 const char* file_name; |
| 847 X509Certificate::Format format; | 771 X509Certificate::Format format; |
| 848 uint8_t* chain_fingerprints[3]; | 772 SHA256HashValue* chain_fingerprints[3]; |
| 849 } kFormatTestData[] = { | 773 } kFormatTestData[] = { |
| 850 // DER Parsing - single certificate, DER encoded | 774 // DER Parsing - single certificate, DER encoded |
| 851 { "google.single.der", X509Certificate::FORMAT_SINGLE_CERTIFICATE, | 775 {"google.single.der", |
| 852 { google_parse_fingerprint, | 776 X509Certificate::FORMAT_SINGLE_CERTIFICATE, |
| 853 NULL, } }, | 777 { |
| 854 // DER parsing - single certificate, PEM encoded | 778 &google_parse_fingerprint, NULL, |
| 855 { "google.single.pem", X509Certificate::FORMAT_SINGLE_CERTIFICATE, | 779 }}, |
| 856 { google_parse_fingerprint, | 780 // DER parsing - single certificate, PEM encoded |
| 857 NULL, } }, | 781 {"google.single.pem", |
| 858 // PEM parsing - single certificate, PEM encoded with a PEB of | 782 X509Certificate::FORMAT_SINGLE_CERTIFICATE, |
| 859 // "CERTIFICATE" | 783 { |
| 860 { "google.single.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, | 784 &google_parse_fingerprint, NULL, |
| 861 { google_parse_fingerprint, | 785 }}, |
| 862 NULL, } }, | 786 // PEM parsing - single certificate, PEM encoded with a PEB of |
| 863 // PEM parsing - sequence of certificates, PEM encoded with a PEB of | 787 // "CERTIFICATE" |
| 864 // "CERTIFICATE" | 788 {"google.single.pem", |
| 865 { "google.chain.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, | 789 X509Certificate::FORMAT_PEM_CERT_SEQUENCE, |
| 866 { google_parse_fingerprint, | 790 { |
| 867 thawte_parse_fingerprint, | 791 &google_parse_fingerprint, NULL, |
| 868 NULL, } }, | 792 }}, |
| 869 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER | 793 // PEM parsing - sequence of certificates, PEM encoded with a PEB of |
| 870 // encoding | 794 // "CERTIFICATE" |
| 871 { "google.binary.p7b", X509Certificate::FORMAT_PKCS7, | 795 {"google.chain.pem", |
| 872 { google_parse_fingerprint, | 796 X509Certificate::FORMAT_PEM_CERT_SEQUENCE, |
| 873 thawte_parse_fingerprint, | 797 { |
| 874 NULL, } }, | 798 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 875 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM | 799 }}, |
| 876 // encoded with a PEM PEB of "CERTIFICATE" | 800 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER |
| 877 { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7, | 801 // encoding |
| 878 { google_parse_fingerprint, | 802 {"google.binary.p7b", |
| 879 thawte_parse_fingerprint, | 803 X509Certificate::FORMAT_PKCS7, |
| 880 NULL, } }, | 804 { |
| 881 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM | 805 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 882 // encoded with a PEM PEB of "PKCS7" | 806 }}, |
| 883 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7, | 807 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM |
| 884 { google_parse_fingerprint, | 808 // encoded with a PEM PEB of "CERTIFICATE" |
| 885 thawte_parse_fingerprint, | 809 {"google.pem_cert.p7b", |
| 886 NULL, } }, | 810 X509Certificate::FORMAT_PKCS7, |
| 887 // All of the above, this time using auto-detection | 811 { |
| 888 { "google.single.der", X509Certificate::FORMAT_AUTO, | 812 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 889 { google_parse_fingerprint, | 813 }}, |
| 890 NULL, } }, | 814 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM |
| 891 { "google.single.pem", X509Certificate::FORMAT_AUTO, | 815 // encoded with a PEM PEB of "PKCS7" |
| 892 { google_parse_fingerprint, | 816 {"google.pem_pkcs7.p7b", |
| 893 NULL, } }, | 817 X509Certificate::FORMAT_PKCS7, |
| 894 { "google.chain.pem", X509Certificate::FORMAT_AUTO, | 818 { |
| 895 { google_parse_fingerprint, | 819 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 896 thawte_parse_fingerprint, | 820 }}, |
| 897 NULL, } }, | 821 // All of the above, this time using auto-detection |
| 898 { "google.binary.p7b", X509Certificate::FORMAT_AUTO, | 822 {"google.single.der", |
| 899 { google_parse_fingerprint, | 823 X509Certificate::FORMAT_AUTO, |
| 900 thawte_parse_fingerprint, | 824 { |
| 901 NULL, } }, | 825 &google_parse_fingerprint, NULL, |
| 902 { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO, | 826 }}, |
| 903 { google_parse_fingerprint, | 827 {"google.single.pem", |
| 904 thawte_parse_fingerprint, | 828 X509Certificate::FORMAT_AUTO, |
| 905 NULL, } }, | 829 { |
| 906 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO, | 830 &google_parse_fingerprint, NULL, |
| 907 { google_parse_fingerprint, | 831 }}, |
| 908 thawte_parse_fingerprint, | 832 {"google.chain.pem", |
| 909 NULL, } }, | 833 X509Certificate::FORMAT_AUTO, |
| 834 { |
| 835 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 836 }}, |
| 837 {"google.binary.p7b", |
| 838 X509Certificate::FORMAT_AUTO, |
| 839 { |
| 840 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 841 }}, |
| 842 {"google.pem_cert.p7b", |
| 843 X509Certificate::FORMAT_AUTO, |
| 844 { |
| 845 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 846 }}, |
| 847 {"google.pem_pkcs7.p7b", |
| 848 X509Certificate::FORMAT_AUTO, |
| 849 { |
| 850 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 851 }}, |
| 910 }; | 852 }; |
| 911 | 853 |
| 912 class X509CertificateParseTest | 854 class X509CertificateParseTest |
| 913 : public testing::TestWithParam<CertificateFormatTestData> { | 855 : public testing::TestWithParam<CertificateFormatTestData> { |
| 914 public: | 856 public: |
| 915 virtual ~X509CertificateParseTest() {} | 857 virtual ~X509CertificateParseTest() {} |
| 916 void SetUp() override { test_data_ = GetParam(); } | 858 void SetUp() override { test_data_ = GetParam(); } |
| 917 void TearDown() override {} | 859 void TearDown() override {} |
| 918 | 860 |
| 919 protected: | 861 protected: |
| (...skipping 16 matching lines...) Expand all Loading... |
| 936 // returned before marking this test a success. | 878 // returned before marking this test a success. |
| 937 EXPECT_EQ(i, certs.size()); | 879 EXPECT_EQ(i, certs.size()); |
| 938 break; | 880 break; |
| 939 } | 881 } |
| 940 | 882 |
| 941 // A cert is expected - make sure that one was parsed. | 883 // A cert is expected - make sure that one was parsed. |
| 942 ASSERT_LT(i, certs.size()); | 884 ASSERT_LT(i, certs.size()); |
| 943 | 885 |
| 944 // Compare the parsed certificate with the expected certificate, by | 886 // Compare the parsed certificate with the expected certificate, by |
| 945 // comparing fingerprints. | 887 // comparing fingerprints. |
| 946 const X509Certificate* cert = certs[i].get(); | 888 EXPECT_EQ( |
| 947 const SHA1HashValue& actual_fingerprint = cert->fingerprint(); | 889 *test_data_.chain_fingerprints[i], |
| 948 uint8_t* expected_fingerprint = test_data_.chain_fingerprints[i]; | 890 X509Certificate::CalculateFingerprint256(certs[i]->os_cert_handle())); |
| 949 | |
| 950 for (size_t j = 0; j < 20; ++j) | |
| 951 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); | |
| 952 } | 891 } |
| 953 } | 892 } |
| 954 | 893 |
| 955 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, | 894 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, |
| 956 testing::ValuesIn(kFormatTestData)); | 895 testing::ValuesIn(kFormatTestData)); |
| 957 | 896 |
| 958 struct CertificateNameVerifyTestData { | 897 struct CertificateNameVerifyTestData { |
| 959 // true iff we expect hostname to match an entry in cert_names. | 898 // true iff we expect hostname to match an entry in cert_names. |
| 960 bool expected; | 899 bool expected; |
| 961 // The hostname to match. | 900 // The hostname to match. |
| (...skipping 267 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1229 &actual_type); | 1168 &actual_type); |
| 1230 | 1169 |
| 1231 EXPECT_EQ(data.expected_bits, actual_bits); | 1170 EXPECT_EQ(data.expected_bits, actual_bits); |
| 1232 EXPECT_EQ(data.expected_type, actual_type); | 1171 EXPECT_EQ(data.expected_type, actual_type); |
| 1233 } | 1172 } |
| 1234 | 1173 |
| 1235 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, | 1174 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, |
| 1236 testing::ValuesIn(kPublicKeyInfoTestData)); | 1175 testing::ValuesIn(kPublicKeyInfoTestData)); |
| 1237 | 1176 |
| 1238 } // namespace net | 1177 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2000503002:
Remove the fingerprint and ca_fingerprint from X509Certificate (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@move_cache