OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include <memory> | 9 #include <memory> |
10 | 10 |
(...skipping 28 matching lines...) Expand all Loading... |
39 // | 39 // |
40 // For fingerprint | 40 // For fingerprint |
41 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der | 41 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der |
42 | 42 |
43 // For valid_start, valid_expiry | 43 // For valid_start, valid_expiry |
44 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | | 44 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | |
45 // grep -A 2 Validity | 45 // grep -A 2 Validity |
46 // $ date +%s -d '<date str>' | 46 // $ date +%s -d '<date str>' |
47 | 47 |
48 // Google's cert. | 48 // Google's cert. |
49 uint8_t google_fingerprint[] = { | 49 SHA256HashValue google_fingerprint = { |
50 0xab, 0xbe, 0x5e, 0xb4, 0x93, 0x88, 0x4e, 0xe4, 0x60, 0xc6, 0xef, 0xf8, | 50 {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, |
51 0xea, 0xd4, 0xb1, 0x55, 0x4b, 0xc9, 0x59, 0x3c | 51 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, |
52 }; | 52 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; |
53 | |
54 // webkit.org's cert. | |
55 uint8_t webkit_fingerprint[] = { | |
56 0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8, | |
57 0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2 | |
58 }; | |
59 | |
60 // thawte.com's cert (it's EV-licious!). | |
61 uint8_t thawte_fingerprint[] = { | |
62 0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6, | |
63 0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37 | |
64 }; | |
65 | |
66 // A certificate for https://www.unosoft.hu/, whose AIA extension contains | |
67 // an LDAP URL without a host name. | |
68 uint8_t unosoft_hu_fingerprint[] = { | |
69 0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd, | |
70 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 | |
71 }; | |
72 | 53 |
73 // The fingerprint of the Google certificate used in the parsing tests, | 54 // The fingerprint of the Google certificate used in the parsing tests, |
74 // which is newer than the one included in the x509_certificate_data.h | 55 // which is newer than the one included in the x509_certificate_data.h |
75 uint8_t google_parse_fingerprint[] = { | 56 SHA256HashValue google_parse_fingerprint = { |
76 0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a, | 57 {0xf6, 0x41, 0xc3, 0x6c, 0xfe, 0xf4, 0x9b, 0xc0, 0x71, 0x35, 0x9e, |
77 0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2 | 58 0xcf, 0x88, 0xee, 0xd9, 0x31, 0x7b, 0x73, 0x8b, 0x59, 0x89, 0x41, |
78 }; | 59 0x6a, 0xd4, 0x01, 0x72, 0x0c, 0x0a, 0x4e, 0x2e, 0x63, 0x52}}; |
79 | 60 |
80 // The fingerprint for the Thawte SGC certificate | 61 // The fingerprint for the Thawte SGC certificate |
81 uint8_t thawte_parse_fingerprint[] = { | 62 SHA256HashValue thawte_parse_fingerprint = { |
82 0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f, | 63 {0x10, 0x85, 0xa6, 0xf4, 0x54, 0xd0, 0xc9, 0x11, 0x98, 0xfd, 0xda, |
83 0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02 | 64 0xb1, 0x1a, 0x31, 0xc7, 0x16, 0xd5, 0xdc, 0xd6, 0x8d, 0xf9, 0x1c, |
84 }; | 65 0x03, 0x9c, 0xe1, 0x8d, 0xca, 0x9b, 0xeb, 0x3c, 0xde, 0x3d}}; |
85 | 66 |
86 // Dec 18 00:00:00 2009 GMT | 67 // Dec 18 00:00:00 2009 GMT |
87 const double kGoogleParseValidFrom = 1261094400; | 68 const double kGoogleParseValidFrom = 1261094400; |
88 // Dec 18 23:59:59 2011 GMT | 69 // Dec 18 23:59:59 2011 GMT |
89 const double kGoogleParseValidTo = 1324252799; | 70 const double kGoogleParseValidTo = 1324252799; |
90 | 71 |
91 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, | 72 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, |
92 uint8_t* expected_fingerprint, | 73 const SHA256HashValue& expected_fingerprint, |
93 double valid_from, double valid_to) { | 74 double valid_from, |
| 75 double valid_to) { |
94 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert.get()); | 76 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert.get()); |
95 | 77 |
96 const CertPrincipal& subject = google_cert->subject(); | 78 const CertPrincipal& subject = google_cert->subject(); |
97 EXPECT_EQ("www.google.com", subject.common_name); | 79 EXPECT_EQ("www.google.com", subject.common_name); |
98 EXPECT_EQ("Mountain View", subject.locality_name); | 80 EXPECT_EQ("Mountain View", subject.locality_name); |
99 EXPECT_EQ("California", subject.state_or_province_name); | 81 EXPECT_EQ("California", subject.state_or_province_name); |
100 EXPECT_EQ("US", subject.country_name); | 82 EXPECT_EQ("US", subject.country_name); |
101 EXPECT_EQ(0U, subject.street_addresses.size()); | 83 EXPECT_EQ(0U, subject.street_addresses.size()); |
102 ASSERT_EQ(1U, subject.organization_names.size()); | 84 ASSERT_EQ(1U, subject.organization_names.size()); |
103 EXPECT_EQ("Google Inc", subject.organization_names[0]); | 85 EXPECT_EQ("Google Inc", subject.organization_names[0]); |
(...skipping 11 matching lines...) Expand all Loading... |
115 EXPECT_EQ(0U, issuer.organization_unit_names.size()); | 97 EXPECT_EQ(0U, issuer.organization_unit_names.size()); |
116 EXPECT_EQ(0U, issuer.domain_components.size()); | 98 EXPECT_EQ(0U, issuer.domain_components.size()); |
117 | 99 |
118 // Use DoubleT because its epoch is the same on all platforms | 100 // Use DoubleT because its epoch is the same on all platforms |
119 const Time& valid_start = google_cert->valid_start(); | 101 const Time& valid_start = google_cert->valid_start(); |
120 EXPECT_EQ(valid_from, valid_start.ToDoubleT()); | 102 EXPECT_EQ(valid_from, valid_start.ToDoubleT()); |
121 | 103 |
122 const Time& valid_expiry = google_cert->valid_expiry(); | 104 const Time& valid_expiry = google_cert->valid_expiry(); |
123 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); | 105 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); |
124 | 106 |
125 const SHA1HashValue& fingerprint = google_cert->fingerprint(); | 107 EXPECT_EQ(expected_fingerprint, X509Certificate::CalculateFingerprint256( |
126 for (size_t i = 0; i < 20; ++i) | 108 google_cert->os_cert_handle())); |
127 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); | |
128 | 109 |
129 std::vector<std::string> dns_names; | 110 std::vector<std::string> dns_names; |
130 google_cert->GetDNSNames(&dns_names); | 111 google_cert->GetDNSNames(&dns_names); |
131 ASSERT_EQ(1U, dns_names.size()); | 112 ASSERT_EQ(1U, dns_names.size()); |
132 EXPECT_EQ("www.google.com", dns_names[0]); | 113 EXPECT_EQ("www.google.com", dns_names[0]); |
133 } | 114 } |
134 | 115 |
135 TEST(X509CertificateTest, GoogleCertParsing) { | 116 TEST(X509CertificateTest, GoogleCertParsing) { |
136 scoped_refptr<X509Certificate> google_cert( | 117 scoped_refptr<X509Certificate> google_cert( |
137 X509Certificate::CreateFromBytes( | 118 X509Certificate::CreateFromBytes( |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
172 issuer.organization_unit_names[0]); | 153 issuer.organization_unit_names[0]); |
173 EXPECT_EQ(0U, issuer.domain_components.size()); | 154 EXPECT_EQ(0U, issuer.domain_components.size()); |
174 | 155 |
175 // Use DoubleT because its epoch is the same on all platforms | 156 // Use DoubleT because its epoch is the same on all platforms |
176 const Time& valid_start = webkit_cert->valid_start(); | 157 const Time& valid_start = webkit_cert->valid_start(); |
177 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT | 158 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT |
178 | 159 |
179 const Time& valid_expiry = webkit_cert->valid_expiry(); | 160 const Time& valid_expiry = webkit_cert->valid_expiry(); |
180 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT | 161 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT |
181 | 162 |
182 const SHA1HashValue& fingerprint = webkit_cert->fingerprint(); | |
183 for (size_t i = 0; i < 20; ++i) | |
184 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); | |
185 | |
186 std::vector<std::string> dns_names; | 163 std::vector<std::string> dns_names; |
187 webkit_cert->GetDNSNames(&dns_names); | 164 webkit_cert->GetDNSNames(&dns_names); |
188 ASSERT_EQ(2U, dns_names.size()); | 165 ASSERT_EQ(2U, dns_names.size()); |
189 EXPECT_EQ("*.webkit.org", dns_names[0]); | 166 EXPECT_EQ("*.webkit.org", dns_names[0]); |
190 EXPECT_EQ("webkit.org", dns_names[1]); | 167 EXPECT_EQ("webkit.org", dns_names[1]); |
191 | 168 |
192 // Test that the wildcard cert matches properly. | 169 // Test that the wildcard cert matches properly. |
193 bool unused = false; | 170 bool unused = false; |
194 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused)); | 171 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused)); |
195 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused)); | 172 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused)); |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
228 issuer.organization_unit_names[0]); | 205 issuer.organization_unit_names[0]); |
229 EXPECT_EQ(0U, issuer.domain_components.size()); | 206 EXPECT_EQ(0U, issuer.domain_components.size()); |
230 | 207 |
231 // Use DoubleT because its epoch is the same on all platforms | 208 // Use DoubleT because its epoch is the same on all platforms |
232 const Time& valid_start = thawte_cert->valid_start(); | 209 const Time& valid_start = thawte_cert->valid_start(); |
233 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT | 210 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT |
234 | 211 |
235 const Time& valid_expiry = thawte_cert->valid_expiry(); | 212 const Time& valid_expiry = thawte_cert->valid_expiry(); |
236 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT | 213 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT |
237 | 214 |
238 const SHA1HashValue& fingerprint = thawte_cert->fingerprint(); | |
239 for (size_t i = 0; i < 20; ++i) | |
240 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); | |
241 | |
242 std::vector<std::string> dns_names; | 215 std::vector<std::string> dns_names; |
243 thawte_cert->GetDNSNames(&dns_names); | 216 thawte_cert->GetDNSNames(&dns_names); |
244 ASSERT_EQ(1U, dns_names.size()); | 217 ASSERT_EQ(1U, dns_names.size()); |
245 EXPECT_EQ("www.thawte.com", dns_names[0]); | 218 EXPECT_EQ("www.thawte.com", dns_names[0]); |
246 } | 219 } |
247 | 220 |
248 // Test that all desired AttributeAndValue pairs can be extracted when only | 221 // Test that all desired AttributeAndValue pairs can be extracted when only |
249 // a single RelativeDistinguishedName is present. "Normally" there is only | 222 // a single RelativeDistinguishedName is present. "Normally" there is only |
250 // one AVA per RDN, but some CAs place all AVAs within a single RDN. | 223 // one AVA per RDN, but some CAs place all AVAs within a single RDN. |
251 // This is a regression test for http://crbug.com/101009 | 224 // This is a regression test for http://crbug.com/101009 |
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
320 ASSERT_EQ(sizeof(paypal_null_serial), | 293 ASSERT_EQ(sizeof(paypal_null_serial), |
321 paypal_null_cert->serial_number().size()); | 294 paypal_null_cert->serial_number().size()); |
322 EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(), | 295 EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(), |
323 paypal_null_serial, sizeof(paypal_null_serial)) == 0); | 296 paypal_null_serial, sizeof(paypal_null_serial)) == 0); |
324 } | 297 } |
325 | 298 |
326 TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { | 299 TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { |
327 scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes( | 300 scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes( |
328 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 301 reinterpret_cast<const char*>(google_der), sizeof(google_der))); |
329 | 302 |
330 static const uint8_t google_sha256_fingerprint[32] = { | 303 const SHA256HashValue google_sha256_fingerprint = { |
331 0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, | 304 {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, |
332 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, | 305 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, |
333 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}; | 306 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; |
334 | 307 |
335 SHA256HashValue fingerprint = | 308 EXPECT_EQ(google_sha256_fingerprint, X509Certificate::CalculateFingerprint256( |
336 X509Certificate::CalculateFingerprint256(google_cert->os_cert_handle()); | 309 google_cert->os_cert_handle())); |
337 | |
338 for (size_t i = 0; i < 32; ++i) | |
339 EXPECT_EQ(google_sha256_fingerprint[i], fingerprint.data[i]); | |
340 } | 310 } |
341 | 311 |
342 TEST(X509CertificateTest, CAFingerprints) { | 312 TEST(X509CertificateTest, CAFingerprints) { |
343 base::FilePath certs_dir = GetTestCertsDirectory(); | 313 base::FilePath certs_dir = GetTestCertsDirectory(); |
344 | 314 |
345 scoped_refptr<X509Certificate> server_cert = | 315 scoped_refptr<X509Certificate> server_cert = |
346 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); | 316 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); |
347 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); | 317 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); |
348 | 318 |
349 scoped_refptr<X509Certificate> intermediate_cert1 = | 319 scoped_refptr<X509Certificate> intermediate_cert1 = |
(...skipping 15 matching lines...) Expand all Loading... |
365 scoped_refptr<X509Certificate> cert_chain2 = | 335 scoped_refptr<X509Certificate> cert_chain2 = |
366 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 336 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
367 intermediates); | 337 intermediates); |
368 | 338 |
369 // No intermediate CA certicates. | 339 // No intermediate CA certicates. |
370 intermediates.clear(); | 340 intermediates.clear(); |
371 scoped_refptr<X509Certificate> cert_chain3 = | 341 scoped_refptr<X509Certificate> cert_chain3 = |
372 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 342 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
373 intermediates); | 343 intermediates); |
374 | 344 |
375 static const uint8_t cert_chain1_ca_fingerprint[20] = { | 345 SHA256HashValue cert_chain1_ca_fingerprint_256 = { |
376 0xc2, 0xf0, 0x08, 0x7d, 0x01, 0xe6, 0x86, 0x05, 0x3a, 0x4d, | 346 {0x51, 0x15, 0x30, 0x49, 0x97, 0x54, 0xf8, 0xb4, 0x17, 0x41, 0x6b, |
377 0x63, 0x3e, 0x7e, 0x70, 0xd4, 0xef, 0x65, 0xc2, 0xcc, 0x4f | 347 0x58, 0x78, 0xb0, 0x89, 0xd2, 0xc3, 0xae, 0x66, 0xc1, 0x16, 0x80, |
378 }; | 348 0xa0, 0x78, 0xe7, 0x53, 0x45, 0xa2, 0xfb, 0x80, 0xe1, 0x07}}; |
379 static const uint8_t cert_chain2_ca_fingerprint[20] = { | 349 SHA256HashValue cert_chain2_ca_fingerprint_256 = { |
380 0xd5, 0x59, 0xa5, 0x86, 0x66, 0x9b, 0x08, 0xf4, 0x6a, 0x30, | 350 {0x00, 0xbd, 0x2b, 0x0e, 0xdd, 0x83, 0x40, 0xb1, 0x74, 0x6c, 0xc3, |
381 0xa1, 0x33, 0xf8, 0xa9, 0xed, 0x3d, 0x03, 0x8e, 0x2e, 0xa8 | 351 0x95, 0xc0, 0xe3, 0x55, 0xb2, 0x16, 0x58, 0x53, 0xfd, 0xb9, 0x3c, |
382 }; | 352 0x52, 0xda, 0xdd, 0xa8, 0x22, 0x8b, 0x07, 0x00, 0x2d, 0xce}}; |
383 // The SHA-1 hash of nothing. | 353 // The SHA-256 hash of nothing. |
384 static const uint8_t cert_chain3_ca_fingerprint[20] = { | 354 SHA256HashValue cert_chain3_ca_fingerprint_256 = { |
385 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, | 355 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, |
386 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09 | 356 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, |
387 }; | 357 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}}; |
388 EXPECT_TRUE(memcmp(cert_chain1->ca_fingerprint().data, | 358 EXPECT_EQ(cert_chain1_ca_fingerprint_256, |
389 cert_chain1_ca_fingerprint, 20) == 0); | 359 X509Certificate::CalculateCAFingerprint256( |
390 EXPECT_TRUE(memcmp(cert_chain2->ca_fingerprint().data, | 360 cert_chain1->GetIntermediateCertificates())); |
391 cert_chain2_ca_fingerprint, 20) == 0); | 361 EXPECT_EQ(cert_chain2_ca_fingerprint_256, |
392 EXPECT_TRUE(memcmp(cert_chain3->ca_fingerprint().data, | 362 X509Certificate::CalculateCAFingerprint256( |
393 cert_chain3_ca_fingerprint, 20) == 0); | 363 cert_chain2->GetIntermediateCertificates())); |
| 364 EXPECT_EQ(cert_chain3_ca_fingerprint_256, |
| 365 X509Certificate::CalculateCAFingerprint256( |
| 366 cert_chain3->GetIntermediateCertificates())); |
394 | 367 |
395 // Test the SHA-256 hash calculation functions explicitly since they are not | 368 SHA256HashValue cert_chain1_chain_fingerprint_256 = { |
396 // used by X509Certificate internally. | 369 {0xac, 0xff, 0xcc, 0x63, 0x0d, 0xd0, 0xa7, 0x19, 0x78, 0xb5, 0x8a, |
397 static const uint8_t cert_chain1_ca_fingerprint_256[32] = { | 370 0x47, 0x8b, 0x67, 0x97, 0xcb, 0x8d, 0xe1, 0x6a, 0x8a, 0x57, 0x70, |
398 0x51, 0x15, 0x30, 0x49, 0x97, 0x54, 0xf8, 0xb4, 0x17, 0x41, | 371 0xda, 0x9a, 0x53, 0x72, 0xe2, 0xa0, 0x08, 0xab, 0xcc, 0x8f}}; |
399 0x6b, 0x58, 0x78, 0xb0, 0x89, 0xd2, 0xc3, 0xae, 0x66, 0xc1, | 372 SHA256HashValue cert_chain2_chain_fingerprint_256 = { |
400 0x16, 0x80, 0xa0, 0x78, 0xe7, 0x53, 0x45, 0xa2, 0xfb, 0x80, | 373 {0x67, 0x3a, 0x11, 0x20, 0xd6, 0x94, 0x14, 0xe4, 0x16, 0x9f, 0x58, |
401 0xe1, 0x07 | 374 0xe2, 0x8b, 0xf7, 0x27, 0xed, 0xbb, 0xe8, 0xa7, 0xff, 0x1c, 0x8c, |
402 }; | 375 0x0f, 0x21, 0x38, 0x16, 0x7c, 0xad, 0x1f, 0x22, 0x6f, 0x9b}}; |
403 static const uint8_t cert_chain2_ca_fingerprint_256[32] = { | 376 SHA256HashValue cert_chain3_chain_fingerprint_256 = { |
404 0x00, 0xbd, 0x2b, 0x0e, 0xdd, 0x83, 0x40, 0xb1, 0x74, 0x6c, | 377 {0x16, 0x7a, 0xbd, 0xb4, 0x57, 0x04, 0x65, 0x3c, 0x3b, 0xef, 0x6e, |
405 0xc3, 0x95, 0xc0, 0xe3, 0x55, 0xb2, 0x16, 0x58, 0x53, 0xfd, | 378 0x6a, 0xa6, 0x02, 0x73, 0x30, 0x3e, 0x34, 0x1b, 0x43, 0xc2, 0x7c, |
406 0xb9, 0x3c, 0x52, 0xda, 0xdd, 0xa8, 0x22, 0x8b, 0x07, 0x00, | 379 0x98, 0x52, 0x9f, 0x34, 0x7f, 0x55, 0x97, 0xe9, 0x1a, 0x10}}; |
407 0x2d, 0xce | 380 EXPECT_EQ(cert_chain1_chain_fingerprint_256, |
408 }; | 381 X509Certificate::CalculateChainFingerprint256( |
409 // The SHA-256 hash of nothing. | 382 cert_chain1->os_cert_handle(), |
410 static const uint8_t cert_chain3_ca_fingerprint_256[32] = { | 383 cert_chain1->GetIntermediateCertificates())); |
411 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, | 384 EXPECT_EQ(cert_chain2_chain_fingerprint_256, |
412 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, | 385 X509Certificate::CalculateChainFingerprint256( |
413 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, | 386 cert_chain2->os_cert_handle(), |
414 0xb8, 0x55 | 387 cert_chain2->GetIntermediateCertificates())); |
415 }; | 388 EXPECT_EQ(cert_chain3_chain_fingerprint_256, |
416 SHA256HashValue ca_fingerprint_256_1 = | 389 X509Certificate::CalculateChainFingerprint256( |
417 X509Certificate::CalculateCAFingerprint256( | 390 cert_chain3->os_cert_handle(), |
418 cert_chain1->GetIntermediateCertificates()); | 391 cert_chain3->GetIntermediateCertificates())); |
419 SHA256HashValue ca_fingerprint_256_2 = | |
420 X509Certificate::CalculateCAFingerprint256( | |
421 cert_chain2->GetIntermediateCertificates()); | |
422 SHA256HashValue ca_fingerprint_256_3 = | |
423 X509Certificate::CalculateCAFingerprint256( | |
424 cert_chain3->GetIntermediateCertificates()); | |
425 EXPECT_TRUE(memcmp(ca_fingerprint_256_1.data, | |
426 cert_chain1_ca_fingerprint_256, 32) == 0); | |
427 EXPECT_TRUE(memcmp(ca_fingerprint_256_2.data, | |
428 cert_chain2_ca_fingerprint_256, 32) == 0); | |
429 EXPECT_TRUE(memcmp(ca_fingerprint_256_3.data, | |
430 cert_chain3_ca_fingerprint_256, 32) == 0); | |
431 | |
432 static const uint8_t cert_chain1_chain_fingerprint_256[32] = { | |
433 0xac, 0xff, 0xcc, 0x63, 0x0d, 0xd0, 0xa7, 0x19, 0x78, 0xb5, | |
434 0x8a, 0x47, 0x8b, 0x67, 0x97, 0xcb, 0x8d, 0xe1, 0x6a, 0x8a, | |
435 0x57, 0x70, 0xda, 0x9a, 0x53, 0x72, 0xe2, 0xa0, 0x08, 0xab, | |
436 0xcc, 0x8f | |
437 }; | |
438 static const uint8_t cert_chain2_chain_fingerprint_256[32] = { | |
439 0x67, 0x3a, 0x11, 0x20, 0xd6, 0x94, 0x14, 0xe4, 0x16, 0x9f, | |
440 0x58, 0xe2, 0x8b, 0xf7, 0x27, 0xed, 0xbb, 0xe8, 0xa7, 0xff, | |
441 0x1c, 0x8c, 0x0f, 0x21, 0x38, 0x16, 0x7c, 0xad, 0x1f, 0x22, | |
442 0x6f, 0x9b | |
443 }; | |
444 static const uint8_t cert_chain3_chain_fingerprint_256[32] = { | |
445 0x16, 0x7a, 0xbd, 0xb4, 0x57, 0x04, 0x65, 0x3c, 0x3b, 0xef, | |
446 0x6e, 0x6a, 0xa6, 0x02, 0x73, 0x30, 0x3e, 0x34, 0x1b, 0x43, | |
447 0xc2, 0x7c, 0x98, 0x52, 0x9f, 0x34, 0x7f, 0x55, 0x97, 0xe9, | |
448 0x1a, 0x10 | |
449 }; | |
450 SHA256HashValue chain_fingerprint_256_1 = | |
451 X509Certificate::CalculateChainFingerprint256( | |
452 cert_chain1->os_cert_handle(), | |
453 cert_chain1->GetIntermediateCertificates()); | |
454 SHA256HashValue chain_fingerprint_256_2 = | |
455 X509Certificate::CalculateChainFingerprint256( | |
456 cert_chain2->os_cert_handle(), | |
457 cert_chain2->GetIntermediateCertificates()); | |
458 SHA256HashValue chain_fingerprint_256_3 = | |
459 X509Certificate::CalculateChainFingerprint256( | |
460 cert_chain3->os_cert_handle(), | |
461 cert_chain3->GetIntermediateCertificates()); | |
462 EXPECT_TRUE(memcmp(chain_fingerprint_256_1.data, | |
463 cert_chain1_chain_fingerprint_256, 32) == 0); | |
464 EXPECT_TRUE(memcmp(chain_fingerprint_256_2.data, | |
465 cert_chain2_chain_fingerprint_256, 32) == 0); | |
466 EXPECT_TRUE(memcmp(chain_fingerprint_256_3.data, | |
467 cert_chain3_chain_fingerprint_256, 32) == 0); | |
468 } | 392 } |
469 | 393 |
470 TEST(X509CertificateTest, ParseSubjectAltNames) { | 394 TEST(X509CertificateTest, ParseSubjectAltNames) { |
471 base::FilePath certs_dir = GetTestCertsDirectory(); | 395 base::FilePath certs_dir = GetTestCertsDirectory(); |
472 | 396 |
473 scoped_refptr<X509Certificate> san_cert = | 397 scoped_refptr<X509Certificate> san_cert = |
474 ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); | 398 ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); |
475 ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert.get()); | 399 ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert.get()); |
476 | 400 |
477 std::vector<std::string> dns_names; | 401 std::vector<std::string> dns_names; |
(...skipping 360 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
838 | 762 |
839 std::string nickname = test_cert->GetDefaultNickname(USER_CERT); | 763 std::string nickname = test_cert->GetDefaultNickname(USER_CERT); |
840 EXPECT_EQ("wtc@google.com's COMODO Client Authentication and " | 764 EXPECT_EQ("wtc@google.com's COMODO Client Authentication and " |
841 "Secure Email CA ID", nickname); | 765 "Secure Email CA ID", nickname); |
842 } | 766 } |
843 #endif | 767 #endif |
844 | 768 |
845 const struct CertificateFormatTestData { | 769 const struct CertificateFormatTestData { |
846 const char* file_name; | 770 const char* file_name; |
847 X509Certificate::Format format; | 771 X509Certificate::Format format; |
848 uint8_t* chain_fingerprints[3]; | 772 SHA256HashValue* chain_fingerprints[3]; |
849 } kFormatTestData[] = { | 773 } kFormatTestData[] = { |
850 // DER Parsing - single certificate, DER encoded | 774 // DER Parsing - single certificate, DER encoded |
851 { "google.single.der", X509Certificate::FORMAT_SINGLE_CERTIFICATE, | 775 {"google.single.der", |
852 { google_parse_fingerprint, | 776 X509Certificate::FORMAT_SINGLE_CERTIFICATE, |
853 NULL, } }, | 777 { |
854 // DER parsing - single certificate, PEM encoded | 778 &google_parse_fingerprint, NULL, |
855 { "google.single.pem", X509Certificate::FORMAT_SINGLE_CERTIFICATE, | 779 }}, |
856 { google_parse_fingerprint, | 780 // DER parsing - single certificate, PEM encoded |
857 NULL, } }, | 781 {"google.single.pem", |
858 // PEM parsing - single certificate, PEM encoded with a PEB of | 782 X509Certificate::FORMAT_SINGLE_CERTIFICATE, |
859 // "CERTIFICATE" | 783 { |
860 { "google.single.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, | 784 &google_parse_fingerprint, NULL, |
861 { google_parse_fingerprint, | 785 }}, |
862 NULL, } }, | 786 // PEM parsing - single certificate, PEM encoded with a PEB of |
863 // PEM parsing - sequence of certificates, PEM encoded with a PEB of | 787 // "CERTIFICATE" |
864 // "CERTIFICATE" | 788 {"google.single.pem", |
865 { "google.chain.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, | 789 X509Certificate::FORMAT_PEM_CERT_SEQUENCE, |
866 { google_parse_fingerprint, | 790 { |
867 thawte_parse_fingerprint, | 791 &google_parse_fingerprint, NULL, |
868 NULL, } }, | 792 }}, |
869 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER | 793 // PEM parsing - sequence of certificates, PEM encoded with a PEB of |
870 // encoding | 794 // "CERTIFICATE" |
871 { "google.binary.p7b", X509Certificate::FORMAT_PKCS7, | 795 {"google.chain.pem", |
872 { google_parse_fingerprint, | 796 X509Certificate::FORMAT_PEM_CERT_SEQUENCE, |
873 thawte_parse_fingerprint, | 797 { |
874 NULL, } }, | 798 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
875 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM | 799 }}, |
876 // encoded with a PEM PEB of "CERTIFICATE" | 800 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER |
877 { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7, | 801 // encoding |
878 { google_parse_fingerprint, | 802 {"google.binary.p7b", |
879 thawte_parse_fingerprint, | 803 X509Certificate::FORMAT_PKCS7, |
880 NULL, } }, | 804 { |
881 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM | 805 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
882 // encoded with a PEM PEB of "PKCS7" | 806 }}, |
883 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7, | 807 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM |
884 { google_parse_fingerprint, | 808 // encoded with a PEM PEB of "CERTIFICATE" |
885 thawte_parse_fingerprint, | 809 {"google.pem_cert.p7b", |
886 NULL, } }, | 810 X509Certificate::FORMAT_PKCS7, |
887 // All of the above, this time using auto-detection | 811 { |
888 { "google.single.der", X509Certificate::FORMAT_AUTO, | 812 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
889 { google_parse_fingerprint, | 813 }}, |
890 NULL, } }, | 814 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM |
891 { "google.single.pem", X509Certificate::FORMAT_AUTO, | 815 // encoded with a PEM PEB of "PKCS7" |
892 { google_parse_fingerprint, | 816 {"google.pem_pkcs7.p7b", |
893 NULL, } }, | 817 X509Certificate::FORMAT_PKCS7, |
894 { "google.chain.pem", X509Certificate::FORMAT_AUTO, | 818 { |
895 { google_parse_fingerprint, | 819 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
896 thawte_parse_fingerprint, | 820 }}, |
897 NULL, } }, | 821 // All of the above, this time using auto-detection |
898 { "google.binary.p7b", X509Certificate::FORMAT_AUTO, | 822 {"google.single.der", |
899 { google_parse_fingerprint, | 823 X509Certificate::FORMAT_AUTO, |
900 thawte_parse_fingerprint, | 824 { |
901 NULL, } }, | 825 &google_parse_fingerprint, NULL, |
902 { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO, | 826 }}, |
903 { google_parse_fingerprint, | 827 {"google.single.pem", |
904 thawte_parse_fingerprint, | 828 X509Certificate::FORMAT_AUTO, |
905 NULL, } }, | 829 { |
906 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO, | 830 &google_parse_fingerprint, NULL, |
907 { google_parse_fingerprint, | 831 }}, |
908 thawte_parse_fingerprint, | 832 {"google.chain.pem", |
909 NULL, } }, | 833 X509Certificate::FORMAT_AUTO, |
| 834 { |
| 835 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 836 }}, |
| 837 {"google.binary.p7b", |
| 838 X509Certificate::FORMAT_AUTO, |
| 839 { |
| 840 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 841 }}, |
| 842 {"google.pem_cert.p7b", |
| 843 X509Certificate::FORMAT_AUTO, |
| 844 { |
| 845 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 846 }}, |
| 847 {"google.pem_pkcs7.p7b", |
| 848 X509Certificate::FORMAT_AUTO, |
| 849 { |
| 850 &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, |
| 851 }}, |
910 }; | 852 }; |
911 | 853 |
912 class X509CertificateParseTest | 854 class X509CertificateParseTest |
913 : public testing::TestWithParam<CertificateFormatTestData> { | 855 : public testing::TestWithParam<CertificateFormatTestData> { |
914 public: | 856 public: |
915 virtual ~X509CertificateParseTest() {} | 857 virtual ~X509CertificateParseTest() {} |
916 void SetUp() override { test_data_ = GetParam(); } | 858 void SetUp() override { test_data_ = GetParam(); } |
917 void TearDown() override {} | 859 void TearDown() override {} |
918 | 860 |
919 protected: | 861 protected: |
(...skipping 16 matching lines...) Expand all Loading... |
936 // returned before marking this test a success. | 878 // returned before marking this test a success. |
937 EXPECT_EQ(i, certs.size()); | 879 EXPECT_EQ(i, certs.size()); |
938 break; | 880 break; |
939 } | 881 } |
940 | 882 |
941 // A cert is expected - make sure that one was parsed. | 883 // A cert is expected - make sure that one was parsed. |
942 ASSERT_LT(i, certs.size()); | 884 ASSERT_LT(i, certs.size()); |
943 | 885 |
944 // Compare the parsed certificate with the expected certificate, by | 886 // Compare the parsed certificate with the expected certificate, by |
945 // comparing fingerprints. | 887 // comparing fingerprints. |
946 const X509Certificate* cert = certs[i].get(); | 888 EXPECT_EQ( |
947 const SHA1HashValue& actual_fingerprint = cert->fingerprint(); | 889 *test_data_.chain_fingerprints[i], |
948 uint8_t* expected_fingerprint = test_data_.chain_fingerprints[i]; | 890 X509Certificate::CalculateFingerprint256(certs[i]->os_cert_handle())); |
949 | |
950 for (size_t j = 0; j < 20; ++j) | |
951 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); | |
952 } | 891 } |
953 } | 892 } |
954 | 893 |
955 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, | 894 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, |
956 testing::ValuesIn(kFormatTestData)); | 895 testing::ValuesIn(kFormatTestData)); |
957 | 896 |
958 struct CertificateNameVerifyTestData { | 897 struct CertificateNameVerifyTestData { |
959 // true iff we expect hostname to match an entry in cert_names. | 898 // true iff we expect hostname to match an entry in cert_names. |
960 bool expected; | 899 bool expected; |
961 // The hostname to match. | 900 // The hostname to match. |
(...skipping 267 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1229 &actual_type); | 1168 &actual_type); |
1230 | 1169 |
1231 EXPECT_EQ(data.expected_bits, actual_bits); | 1170 EXPECT_EQ(data.expected_bits, actual_bits); |
1232 EXPECT_EQ(data.expected_type, actual_type); | 1171 EXPECT_EQ(data.expected_type, actual_type); |
1233 } | 1172 } |
1234 | 1173 |
1235 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, | 1174 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, |
1236 testing::ValuesIn(kPublicKeyInfoTestData)); | 1175 testing::ValuesIn(kPublicKeyInfoTestData)); |
1237 | 1176 |
1238 } // namespace net | 1177 } // namespace net |
OLD | NEW |