OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
(...skipping 597 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
608 "test.example.com", | 608 "test.example.com", |
609 flags, | 609 flags, |
610 NULL, | 610 NULL, |
611 empty_cert_list_, | 611 empty_cert_list_, |
612 &verify_result); | 612 &verify_result); |
613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); | 613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); |
614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, | 614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, |
615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); | 615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); |
616 } | 616 } |
617 | 617 |
| 618 TEST_F(CertVerifyProcTest, TestHasTooLongValidity) { |
| 619 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 620 |
| 621 scoped_refptr<X509Certificate> twitter = |
| 622 ImportCertFromFile(certs_dir, "twitter-chain.pem"); |
| 623 EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*twitter)); |
| 624 |
| 625 scoped_refptr<X509Certificate> eleven_years = |
| 626 ImportCertFromFile(certs_dir, "11_year_validity.pem"); |
| 627 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*eleven_years)); |
| 628 |
| 629 scoped_refptr<X509Certificate> forty_months = |
| 630 ImportCertFromFile(certs_dir, "40_months_after_2015_04.pem"); |
| 631 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*forty_months)); |
| 632 |
| 633 scoped_refptr<X509Certificate> sixty_one_months = |
| 634 ImportCertFromFile(certs_dir, "61_months_after_2012_07.pem"); |
| 635 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*sixty_one_months)); |
| 636 } |
| 637 |
618 TEST_F(CertVerifyProcTest, TestKnownRoot) { | 638 TEST_F(CertVerifyProcTest, TestKnownRoot) { |
619 if (!SupportsDetectingKnownRoots()) { | 639 if (!SupportsDetectingKnownRoots()) { |
620 LOG(INFO) << "Skipping this test in this platform."; | 640 LOG(INFO) << "Skipping this test on this platform."; |
621 return; | 641 return; |
622 } | 642 } |
623 | 643 |
624 base::FilePath certs_dir = GetTestCertsDirectory(); | 644 base::FilePath certs_dir = GetTestCertsDirectory(); |
625 CertificateList certs = CreateCertificateListFromFile( | 645 CertificateList certs = CreateCertificateListFromFile( |
626 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 646 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
627 ASSERT_EQ(2U, certs.size()); | 647 ASSERT_EQ(3U, certs.size()); |
628 | 648 |
629 X509Certificate::OSCertHandles intermediates; | 649 X509Certificate::OSCertHandles intermediates; |
630 intermediates.push_back(certs[1]->os_cert_handle()); | 650 intermediates.push_back(certs[1]->os_cert_handle()); |
631 | 651 |
632 scoped_refptr<X509Certificate> cert_chain = | 652 scoped_refptr<X509Certificate> cert_chain = |
633 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 653 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
634 intermediates); | 654 intermediates); |
635 | 655 |
636 int flags = 0; | 656 int flags = 0; |
637 CertVerifyResult verify_result; | 657 CertVerifyResult verify_result; |
638 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 658 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
639 // against agl. See also PublicKeyHashes. | 659 // against agl. See also PublicKeyHashes. |
640 int error = Verify(cert_chain.get(), | 660 int error = Verify(cert_chain.get(), |
641 "satveda.com", | 661 "twitter.com", |
642 flags, | 662 flags, |
643 NULL, | 663 NULL, |
644 empty_cert_list_, | 664 empty_cert_list_, |
645 &verify_result); | 665 &verify_result); |
646 EXPECT_EQ(OK, error); | 666 EXPECT_EQ(OK, error); |
647 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
648 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 667 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
649 } | 668 } |
650 | 669 |
651 // The certse.pem certificate has been revoked. crbug.com/259723. | |
652 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 670 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
653 if (!SupportsReturningVerifiedChain()) { | 671 if (!SupportsReturningVerifiedChain()) { |
654 LOG(INFO) << "Skipping this test in this platform."; | 672 LOG(INFO) << "Skipping this test in this platform."; |
655 return; | 673 return; |
656 } | 674 } |
657 | 675 |
658 base::FilePath certs_dir = GetTestCertsDirectory(); | 676 base::FilePath certs_dir = GetTestCertsDirectory(); |
659 CertificateList certs = CreateCertificateListFromFile( | 677 CertificateList certs = CreateCertificateListFromFile( |
660 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 678 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
661 ASSERT_EQ(2U, certs.size()); | 679 ASSERT_EQ(3U, certs.size()); |
662 | 680 |
663 X509Certificate::OSCertHandles intermediates; | 681 X509Certificate::OSCertHandles intermediates; |
664 intermediates.push_back(certs[1]->os_cert_handle()); | 682 intermediates.push_back(certs[1]->os_cert_handle()); |
665 | 683 |
666 scoped_refptr<X509Certificate> cert_chain = | 684 scoped_refptr<X509Certificate> cert_chain = |
667 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 685 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
668 intermediates); | 686 intermediates); |
669 int flags = 0; | 687 int flags = 0; |
670 CertVerifyResult verify_result; | 688 CertVerifyResult verify_result; |
671 | 689 |
672 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 690 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
673 // against agl. See also TestKnownRoot. | 691 // against agl. See also TestKnownRoot. |
674 int error = Verify(cert_chain.get(), | 692 int error = Verify(cert_chain.get(), |
675 "satveda.com", | 693 "twitter.com", |
676 flags, | 694 flags, |
677 NULL, | 695 NULL, |
678 empty_cert_list_, | 696 empty_cert_list_, |
679 &verify_result); | 697 &verify_result); |
680 EXPECT_EQ(OK, error); | 698 EXPECT_EQ(OK, error); |
681 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | 699 ASSERT_LE(3U, verify_result.public_key_hashes.size()); |
682 ASSERT_LE(2U, verify_result.public_key_hashes.size()); | |
683 | 700 |
684 HashValueVector sha1_hashes; | 701 HashValueVector sha1_hashes; |
685 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 702 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
686 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 703 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
687 continue; | 704 continue; |
688 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 705 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
689 } | 706 } |
690 ASSERT_LE(2u, sha1_hashes.size()); | 707 ASSERT_LE(3u, sha1_hashes.size()); |
691 | 708 |
692 for (size_t i = 0; i < 2; ++i) { | 709 for (size_t i = 0; i < 3; ++i) { |
693 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length), | 710 EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length), |
694 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); | 711 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); |
695 } | 712 } |
696 | 713 |
697 HashValueVector sha256_hashes; | 714 HashValueVector sha256_hashes; |
698 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 715 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
699 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) | 716 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) |
700 continue; | 717 continue; |
701 sha256_hashes.push_back(verify_result.public_key_hashes[i]); | 718 sha256_hashes.push_back(verify_result.public_key_hashes[i]); |
702 } | 719 } |
703 ASSERT_LE(2u, sha256_hashes.size()); | 720 ASSERT_LE(3u, sha256_hashes.size()); |
704 | 721 |
705 for (size_t i = 0; i < 2; ++i) { | 722 for (size_t i = 0; i < 3; ++i) { |
706 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length), | 723 EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length), |
707 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); | 724 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); |
708 } | 725 } |
709 } | 726 } |
710 | 727 |
711 // A regression test for http://crbug.com/70293. | 728 // A regression test for http://crbug.com/70293. |
712 // The Key Usage extension in this RSA SSL server certificate does not have | 729 // The Key Usage extension in this RSA SSL server certificate does not have |
713 // the keyEncipherment bit. | 730 // the keyEncipherment bit. |
714 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 731 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
715 base::FilePath certs_dir = GetTestCertsDirectory(); | 732 base::FilePath certs_dir = GetTestCertsDirectory(); |
716 | 733 |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
803 // known public registry controlled domain information) issued by well-known | 820 // known public registry controlled domain information) issued by well-known |
804 // CAs are flagged appropriately, while certificates that are issued by | 821 // CAs are flagged appropriately, while certificates that are issued by |
805 // internal CAs are not flagged. | 822 // internal CAs are not flagged. |
806 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { | 823 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { |
807 if (!SupportsDetectingKnownRoots()) { | 824 if (!SupportsDetectingKnownRoots()) { |
808 LOG(INFO) << "Skipping this test in this platform."; | 825 LOG(INFO) << "Skipping this test in this platform."; |
809 return; | 826 return; |
810 } | 827 } |
811 | 828 |
812 CertificateList cert_list = CreateCertificateListFromFile( | 829 CertificateList cert_list = CreateCertificateListFromFile( |
813 GetTestCertsDirectory(), "ok_cert.pem", | 830 GetTestCertsDirectory(), "reject_intranet_hosts.pem", |
814 X509Certificate::FORMAT_AUTO); | 831 X509Certificate::FORMAT_AUTO); |
815 ASSERT_EQ(1U, cert_list.size()); | 832 ASSERT_EQ(1U, cert_list.size()); |
816 scoped_refptr<X509Certificate> cert(cert_list[0]); | 833 scoped_refptr<X509Certificate> cert(cert_list[0]); |
817 | 834 |
818 CertVerifyResult verify_result; | 835 CertVerifyResult verify_result; |
819 int error = 0; | 836 int error = 0; |
820 | 837 |
821 // Intranet names for public CAs should be flagged: | 838 // Intranet names for public CAs should be flagged: |
822 verify_proc_ = new WellKnownCaCertVerifyProc(true); | 839 verify_proc_ = new WellKnownCaCertVerifyProc(true); |
823 error = | 840 error = |
(...skipping 746 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1570 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1587 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1571 } | 1588 } |
1572 } | 1589 } |
1573 | 1590 |
1574 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1591 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1575 VerifyName, | 1592 VerifyName, |
1576 CertVerifyProcNameTest, | 1593 CertVerifyProcNameTest, |
1577 testing::ValuesIn(kVerifyNameData)); | 1594 testing::ValuesIn(kVerifyNameData)); |
1578 | 1595 |
1579 } // namespace net | 1596 } // namespace net |
OLD | NEW |