Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(119)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Make a new cert for IntranetHostsRejected. Tests pass now. Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/cert_verify_proc.cc ('k') | net/data/ssl/certificates/11_year_validity.pem » ('j') | net/data/ssl/certificates/61_months_after_2012_07.pem » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 10a880b42ccc3f7b111f256c65c85e2ea5016f7f..a004f98b5b88c863cd2ff88d8c3e2c01091004c4 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -615,16 +615,36 @@ TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
}
+TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
+ base::FilePath certs_dir = GetTestCertsDirectory();
+
+ scoped_refptr<X509Certificate> twitter =
+ ImportCertFromFile(certs_dir, "twitter-chain.pem");
+ EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*twitter));
+
+ scoped_refptr<X509Certificate> eleven_years =
+ ImportCertFromFile(certs_dir, "11_year_validity.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*eleven_years));
+
+ scoped_refptr<X509Certificate> forty_months =
+ ImportCertFromFile(certs_dir, "40_months_after_2015_04.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*forty_months));
+
+ scoped_refptr<X509Certificate> sixty_one_months =
+ ImportCertFromFile(certs_dir, "61_months_after_2012_07.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*sixty_one_months));
+}
+
TEST_F(CertVerifyProcTest, TestKnownRoot) {
if (!SupportsDetectingKnownRoots()) {
- LOG(INFO) << "Skipping this test in this platform.";
+ LOG(INFO) << "Skipping this test on this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
- ASSERT_EQ(2U, certs.size());
+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
@@ -635,20 +655,18 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) {
int flags = 0;
CertVerifyResult verify_result;
- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also PublicKeyHashes.
int error = Verify(cert_chain.get(),
- "satveda.com",
+ "twitter.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_known_root);
}
-// The certse.pem certificate has been revoked. crbug.com/259723.
TEST_F(CertVerifyProcTest, PublicKeyHashes) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
@@ -657,8 +675,8 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
- ASSERT_EQ(2U, certs.size());
+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
@@ -669,17 +687,16 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
int flags = 0;
CertVerifyResult verify_result;
- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also TestKnownRoot.
int error = Verify(cert_chain.get(),
- "satveda.com",
+ "twitter.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
- ASSERT_LE(2U, verify_result.public_key_hashes.size());
+ ASSERT_LE(3U, verify_result.public_key_hashes.size());
HashValueVector sha1_hashes;
for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
@@ -687,10 +704,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
continue;
sha1_hashes.push_back(verify_result.public_key_hashes[i]);
}
- ASSERT_LE(2u, sha1_hashes.size());
+ ASSERT_LE(3u, sha1_hashes.size());
- for (size_t i = 0; i < 2; ++i) {
- EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
+ for (size_t i = 0; i < 3; ++i) {
+ EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length),
HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
}
@@ -700,10 +717,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
continue;
sha256_hashes.push_back(verify_result.public_key_hashes[i]);
}
- ASSERT_LE(2u, sha256_hashes.size());
+ ASSERT_LE(3u, sha256_hashes.size());
- for (size_t i = 0; i < 2; ++i) {
- EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
+ for (size_t i = 0; i < 3; ++i) {
+ EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),
HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
}
}
@@ -810,7 +827,7 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
}
CertificateList cert_list = CreateCertificateListFromFile(
- GetTestCertsDirectory(), "ok_cert.pem",
+ GetTestCertsDirectory(), "reject_intranet_hosts.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
« no previous file with comments | « net/cert/cert_verify_proc.cc ('k') | net/data/ssl/certificates/11_year_validity.pem » ('j') | net/data/ssl/certificates/61_months_after_2012_07.pem » ('J')

Powered by Google App Engine
This is Rietveld 408576698