net/cert/cert_verify_proc_unittest.cc - Issue 20628006: Reject certificates that are valid for too long.

Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 20628006: Reject certificates that are valid for too long. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Don't use arithmetic expressions in shell script. Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/cert_verify_proc_unittest.cc

diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc

index 10a880b42ccc3f7b111f256c65c85e2ea5016f7f..a004f98b5b88c863cd2ff88d8c3e2c01091004c4 100644

--- a/net/cert/cert_verify_proc_unittest.cc

+++ b/net/cert/cert_verify_proc_unittest.cc

@@ -615,16 +615,36 @@ TEST_F(CertVerifyProcTest, NameConstraintsFailure) {

verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);

}

+TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {

+ base::FilePath certs_dir = GetTestCertsDirectory();

+ scoped_refptr<X509Certificate> twitter =

+ ImportCertFromFile(certs_dir, "twitter-chain.pem");

+ EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*twitter));

+ scoped_refptr<X509Certificate> eleven_years =

+ ImportCertFromFile(certs_dir, "11_year_validity.pem");

+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*eleven_years));

+ scoped_refptr<X509Certificate> forty_months =

+ ImportCertFromFile(certs_dir, "40_months_after_2015_04.pem");

+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*forty_months));

+ scoped_refptr<X509Certificate> sixty_one_months =

+ ImportCertFromFile(certs_dir, "61_months_after_2012_07.pem");

+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*sixty_one_months));

TEST_F(CertVerifyProcTest, TestKnownRoot) {

if (!SupportsDetectingKnownRoots()) {

- LOG(INFO) << "Skipping this test in this platform.";

+ LOG(INFO) << "Skipping this test on this platform.";

return;

}

base::FilePath certs_dir = GetTestCertsDirectory();

CertificateList certs = CreateCertificateListFromFile(

- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);

- ASSERT_EQ(2U, certs.size());

+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);

+ ASSERT_EQ(3U, certs.size());

X509Certificate::OSCertHandles intermediates;

intermediates.push_back(certs[1]->os_cert_handle());

@@ -635,20 +655,18 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) {

int flags = 0;

CertVerifyResult verify_result;

- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug

+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug

// against agl. See also PublicKeyHashes.

int error = Verify(cert_chain.get(),

- "satveda.com",

+ "twitter.com",

flags,

NULL,

empty_cert_list_,

&verify_result);

EXPECT_EQ(OK, error);

- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);

EXPECT_TRUE(verify_result.is_issued_by_known_root);

}

-// The certse.pem certificate has been revoked. crbug.com/259723.

TEST_F(CertVerifyProcTest, PublicKeyHashes) {

if (!SupportsReturningVerifiedChain()) {

LOG(INFO) << "Skipping this test in this platform.";

@@ -657,8 +675,8 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {

base::FilePath certs_dir = GetTestCertsDirectory();

CertificateList certs = CreateCertificateListFromFile(

- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);

- ASSERT_EQ(2U, certs.size());

+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);

+ ASSERT_EQ(3U, certs.size());

X509Certificate::OSCertHandles intermediates;

intermediates.push_back(certs[1]->os_cert_handle());

@@ -669,17 +687,16 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {

int flags = 0;

CertVerifyResult verify_result;

- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug

+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug

// against agl. See also TestKnownRoot.

int error = Verify(cert_chain.get(),

- "satveda.com",

+ "twitter.com",

flags,

NULL,

empty_cert_list_,

&verify_result);

EXPECT_EQ(OK, error);

- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);

- ASSERT_LE(2U, verify_result.public_key_hashes.size());

+ ASSERT_LE(3U, verify_result.public_key_hashes.size());

HashValueVector sha1_hashes;

for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {

@@ -687,10 +704,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {

continue;

sha1_hashes.push_back(verify_result.public_key_hashes[i]);

}

- ASSERT_LE(2u, sha1_hashes.size());

+ ASSERT_LE(3u, sha1_hashes.size());

- for (size_t i = 0; i < 2; ++i) {

- EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),

+ for (size_t i = 0; i < 3; ++i) {

+ EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length),

HexEncode(sha1_hashes[i].data(), base::kSHA1Length));

}

@@ -700,10 +717,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {

continue;

sha256_hashes.push_back(verify_result.public_key_hashes[i]);

}

- ASSERT_LE(2u, sha256_hashes.size());

+ ASSERT_LE(3u, sha256_hashes.size());

- for (size_t i = 0; i < 2; ++i) {

- EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),

+ for (size_t i = 0; i < 3; ++i) {

+ EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),

HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));

}

@@ -810,7 +827,7 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {

}

CertificateList cert_list = CreateCertificateListFromFile(

- GetTestCertsDirectory(), "ok_cert.pem",

+ GetTestCertsDirectory(), "reject_intranet_hosts.pem",

X509Certificate::FORMAT_AUTO);

ASSERT_EQ(1U, cert_list.size());

scoped_refptr<X509Certificate> cert(cert_list[0]);

« net/cert/cert_verify_proc.cc ('K') | « net/cert/cert_verify_proc.cc ('k') | net/data/ssl/certificates/11_year_validity.pem » ('j') | no next file with comments »