| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 139 matching lines...) |
| 150 CertVerifyResult verify_result; | 150 CertVerifyResult verify_result; |
| 151 EXPECT_EQ(OK, | 151 EXPECT_EQ(OK, |
| 152 Verify(google_full_chain.get(), | 152 Verify(google_full_chain.get(), |
| 153 "www.google.com", | 153 "www.google.com", |
| 154 0 /* flags */, | 154 0 /* flags */, |
| 155 NULL, | 155 NULL, |
| 156 empty_cert_list_, | 156 empty_cert_list_, |
| 157 &verify_result)); | 157 &verify_result)); |
| 158 } | 158 } |
| 159 | 159 |
| 160 #if defined(OS_ANDROID) || defined(USE_OPENSSL) | 160 #if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS) |
| 161 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 161 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| 162 #define MAYBE_EVVerification DISABLED_EVVerification | 162 #define MAYBE_EVVerification DISABLED_EVVerification |
| 163 #else | 163 #else |
| 164 #define MAYBE_EVVerification EVVerification | 164 #define MAYBE_EVVerification EVVerification |
| 165 #endif | 165 #endif |
| 166 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { | 166 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { |
| 167 CertificateList certs = CreateCertificateListFromFile( | 167 CertificateList certs = CreateCertificateListFromFile( |
| 168 GetTestCertsDirectory(), | 168 GetTestCertsDirectory(), |
| 169 "comodo.chain.pem", | 169 "comodo.chain.pem", |
| 170 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 170 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| (...skipping 546 matching lines...) |
| 717 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 717 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 718 | 718 |
| 719 int flags = 0; | 719 int flags = 0; |
| 720 CertVerifyResult verify_result; | 720 CertVerifyResult verify_result; |
| 721 int error = Verify(server_cert.get(), | 721 int error = Verify(server_cert.get(), |
| 722 "jira.aquameta.com", | 722 "jira.aquameta.com", |
| 723 flags, | 723 flags, |
| 724 NULL, | 724 NULL, |
| 725 empty_cert_list_, | 725 empty_cert_list_, |
| 726 &verify_result); | 726 &verify_result); |
| 727 #if defined(USE_OPENSSL) && !defined(OS_ANDROID) | 727 #if defined(USE_OPENSSL_CERTS) |
| 728 // This certificate has two errors: "invalid key usage" and "untrusted CA". | 728 // This certificate has two errors: "invalid key usage" and "untrusted CA". |
| 729 // However, OpenSSL returns only one (the latter), and we can't detect | 729 // However, OpenSSL returns only one (the latter), and we can't detect |
| 730 // the other errors. | 730 // the other errors. |
| 731 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 731 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 732 #else | 732 #else |
| 733 EXPECT_EQ(ERR_CERT_INVALID, error); | 733 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 734 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | 734 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); |
| 735 #endif | 735 #endif |
| 736 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors | 736 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors |
| 737 // from NSS. | 737 // from NSS. |
| (...skipping 657 matching lines...) |
| 1395 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the | 1395 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the |
| 1396 // pre-processor will expand macros such as MAYBE_test_name before | 1396 // pre-processor will expand macros such as MAYBE_test_name before |
| 1397 // instantiating the test. | 1397 // instantiating the test. |
| 1398 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ | 1398 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ |
| 1399 INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) | 1399 INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) |
| 1400 | 1400 |
| 1401 // The signature algorithm of the root CA should not matter. | 1401 // The signature algorithm of the root CA should not matter. |
| 1402 const WeakDigestTestData kVerifyRootCATestData[] = { | 1402 const WeakDigestTestData kVerifyRootCATestData[] = { |
| 1403 { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem", | 1403 { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem", |
| 1404 "weak_digest_sha1_ee.pem", false, false, false }, | 1404 "weak_digest_sha1_ee.pem", false, false, false }, |
| 1405 #if defined(USE_OPENSSL) || defined(OS_WIN) | 1405 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) || defined(OS_ANDROID) |
| 1406 // MD4 is not supported by OS X / NSS | 1406 // MD4 is not supported by OS X / NSS |
| 1407 { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem", | 1407 { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem", |
| 1408 "weak_digest_sha1_ee.pem", false, false, false }, | 1408 "weak_digest_sha1_ee.pem", false, false, false }, |
| 1409 #endif | 1409 #endif |
| 1410 { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem", | 1410 { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem", |
| 1411 "weak_digest_sha1_ee.pem", false, false, false }, | 1411 "weak_digest_sha1_ee.pem", false, false, false }, |
| 1412 }; | 1412 }; |
| 1413 INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest, | 1413 INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest, |
| 1414 testing::ValuesIn(kVerifyRootCATestData)); | 1414 testing::ValuesIn(kVerifyRootCATestData)); |
| 1415 | 1415 |
| 1416 // The signature algorithm of intermediates should be properly detected. | 1416 // The signature algorithm of intermediates should be properly detected. |
| 1417 const WeakDigestTestData kVerifyIntermediateCATestData[] = { | 1417 const WeakDigestTestData kVerifyIntermediateCATestData[] = { |
| 1418 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", | 1418 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", |
| 1419 "weak_digest_sha1_ee.pem", true, false, false }, | 1419 "weak_digest_sha1_ee.pem", true, false, false }, |
| 1420 #if defined(USE_OPENSSL) || defined(OS_WIN) | 1420 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) || defined(OS_ANDROID) |
| 1421 // MD4 is not supported by OS X / NSS | 1421 // MD4 is not supported by OS X / NSS |
| 1422 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", | 1422 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", |
| 1423 "weak_digest_sha1_ee.pem", false, true, false }, | 1423 "weak_digest_sha1_ee.pem", false, true, false }, |
| 1424 #endif | 1424 #endif |
| 1425 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", | 1425 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", |
| 1426 "weak_digest_sha1_ee.pem", false, false, true }, | 1426 "weak_digest_sha1_ee.pem", false, false, true }, |
| 1427 }; | 1427 }; |
| 1428 // Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled. | 1428 // Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled. |
| 1429 #if defined(USE_NSS) || defined(OS_IOS) | 1429 #if defined(USE_NSS) || defined(OS_IOS) |
| 1430 #define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate | 1430 #define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate |
| 1431 #else | 1431 #else |
| 1432 #define MAYBE_VerifyIntermediate VerifyIntermediate | 1432 #define MAYBE_VerifyIntermediate VerifyIntermediate |
| 1433 #endif | 1433 #endif |
| 1434 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1434 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1435 MAYBE_VerifyIntermediate, | 1435 MAYBE_VerifyIntermediate, |
| 1436 CertVerifyProcWeakDigestTest, | 1436 CertVerifyProcWeakDigestTest, |
| 1437 testing::ValuesIn(kVerifyIntermediateCATestData)); | 1437 testing::ValuesIn(kVerifyIntermediateCATestData)); |
| 1438 | 1438 |
| 1439 // The signature algorithm of end-entity should be properly detected. | 1439 // The signature algorithm of end-entity should be properly detected. |
| 1440 const WeakDigestTestData kVerifyEndEntityTestData[] = { | 1440 const WeakDigestTestData kVerifyEndEntityTestData[] = { |
| 1441 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", | 1441 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", |
| 1442 "weak_digest_md5_ee.pem", true, false, false }, | 1442 "weak_digest_md5_ee.pem", true, false, false }, |
| 1443 #if defined(USE_OPENSSL) || defined(OS_WIN) | 1443 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) || defined(OS_ANDROID) |
| 1444 // MD4 is not supported by OS X / NSS | 1444 // MD4 is not supported by OS X / NSS |
| 1445 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", | 1445 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", |
| 1446 "weak_digest_md4_ee.pem", false, true, false }, | 1446 "weak_digest_md4_ee.pem", false, true, false }, |
| 1447 #endif | 1447 #endif |
| 1448 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", | 1448 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", |
| 1449 "weak_digest_md2_ee.pem", false, false, true }, | 1449 "weak_digest_md2_ee.pem", false, false, true }, |
| 1450 }; | 1450 }; |
| 1451 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot | 1451 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot |
| 1452 // be cleared until NSS is cleanly shutdown, which is not presently supported | 1452 // be cleared until NSS is cleanly shutdown, which is not presently supported |
| 1453 // in Chromium. | 1453 // in Chromium. |
| 1454 #if defined(USE_NSS) || defined(OS_IOS) | 1454 #if defined(USE_NSS) || defined(OS_IOS) |
| 1455 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity | 1455 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity |
| 1456 #else | 1456 #else |
| 1457 #define MAYBE_VerifyEndEntity VerifyEndEntity | 1457 #define MAYBE_VerifyEndEntity VerifyEndEntity |
| 1458 #endif | 1458 #endif |
| 1459 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity, | 1459 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity, |
| 1460 CertVerifyProcWeakDigestTest, | 1460 CertVerifyProcWeakDigestTest, |
| 1461 testing::ValuesIn(kVerifyEndEntityTestData)); | 1461 testing::ValuesIn(kVerifyEndEntityTestData)); |
| 1462 | 1462 |
| 1463 // Incomplete chains should still report the status of the intermediate. | 1463 // Incomplete chains should still report the status of the intermediate. |
| 1464 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = { | 1464 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = { |
| 1465 { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem", | 1465 { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem", |
| 1466 true, false, false }, | 1466 true, false, false }, |
| 1467 #if defined(USE_OPENSSL) || defined(OS_WIN) | 1467 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) || defined(OS_ANDROID) |
| 1468 // MD4 is not supported by OS X / NSS | 1468 // MD4 is not supported by OS X / NSS |
| 1469 { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem", | 1469 { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem", |
| 1470 false, true, false }, | 1470 false, true, false }, |
| 1471 #endif | 1471 #endif |
| 1472 { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem", | 1472 { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem", |
| 1473 false, false, true }, | 1473 false, false, true }, |
| 1474 }; | 1474 }; |
| 1475 // Disabled on NSS - libpkix does not return constructed chains on error, | 1475 // Disabled on NSS - libpkix does not return constructed chains on error, |
| 1476 // preventing us from detecting/inspecting the verified chain. | 1476 // preventing us from detecting/inspecting the verified chain. |
| 1477 #if defined(USE_NSS) || defined(OS_IOS) | 1477 #if defined(USE_NSS) || defined(OS_IOS) |
| 1478 #define MAYBE_VerifyIncompleteIntermediate \ | 1478 #define MAYBE_VerifyIncompleteIntermediate \ |
| 1479 DISABLED_VerifyIncompleteIntermediate | 1479 DISABLED_VerifyIncompleteIntermediate |
| 1480 #else | 1480 #else |
| 1481 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate | 1481 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate |
| 1482 #endif | 1482 #endif |
| 1483 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1483 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1484 MAYBE_VerifyIncompleteIntermediate, | 1484 MAYBE_VerifyIncompleteIntermediate, |
| 1485 CertVerifyProcWeakDigestTest, | 1485 CertVerifyProcWeakDigestTest, |
| 1486 testing::ValuesIn(kVerifyIncompleteIntermediateTestData)); | 1486 testing::ValuesIn(kVerifyIncompleteIntermediateTestData)); |
| 1487 | 1487 |
| 1488 // Incomplete chains should still report the status of the end-entity. | 1488 // Incomplete chains should still report the status of the end-entity. |
| 1489 const WeakDigestTestData kVerifyIncompleteEETestData[] = { | 1489 const WeakDigestTestData kVerifyIncompleteEETestData[] = { |
| 1490 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem", | 1490 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem", |
| 1491 true, false, false }, | 1491 true, false, false }, |
| 1492 #if defined(USE_OPENSSL) || defined(OS_WIN) | 1492 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) || defined(OS_ANDROID) |
| 1493 // MD4 is not supported by OS X / NSS | 1493 // MD4 is not supported by OS X / NSS |
| 1494 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem", | 1494 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem", |
| 1495 false, true, false }, | 1495 false, true, false }, |
| 1496 #endif | 1496 #endif |
| 1497 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem", | 1497 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem", |
| 1498 false, false, true }, | 1498 false, false, true }, |
| 1499 }; | 1499 }; |
| 1500 // Disabled on NSS - libpkix does not return constructed chains on error, | 1500 // Disabled on NSS - libpkix does not return constructed chains on error, |
| 1501 // preventing us from detecting/inspecting the verified chain. | 1501 // preventing us from detecting/inspecting the verified chain. |
| 1502 #if defined(USE_NSS) || defined(OS_IOS) | 1502 #if defined(USE_NSS) || defined(OS_IOS) |
| 1503 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity | 1503 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity |
| 1504 #else | 1504 #else |
| 1505 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity | 1505 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity |
| 1506 #endif | 1506 #endif |
| 1507 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1507 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1508 MAYBE_VerifyIncompleteEndEntity, | 1508 MAYBE_VerifyIncompleteEndEntity, |
| 1509 CertVerifyProcWeakDigestTest, | 1509 CertVerifyProcWeakDigestTest, |
| 1510 testing::ValuesIn(kVerifyIncompleteEETestData)); | 1510 testing::ValuesIn(kVerifyIncompleteEETestData)); |
| 1511 | 1511 |
| 1512 // Differing algorithms between the intermediate and the EE should still be | 1512 // Differing algorithms between the intermediate and the EE should still be |
| 1513 // reported. | 1513 // reported. |
| 1514 const WeakDigestTestData kVerifyMixedTestData[] = { | 1514 const WeakDigestTestData kVerifyMixedTestData[] = { |
| 1515 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", | 1515 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", |
| 1516 "weak_digest_md2_ee.pem", true, false, true }, | 1516 "weak_digest_md2_ee.pem", true, false, true }, |
| 1517 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", | 1517 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", |
| 1518 "weak_digest_md5_ee.pem", true, false, true }, | 1518 "weak_digest_md5_ee.pem", true, false, true }, |
| 1519 #if defined(USE_OPENSSL) || defined(OS_WIN) | 1519 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) || defined(OS_ANDROID) |
| 1520 // MD4 is not supported by OS X / NSS | 1520 // MD4 is not supported by OS X / NSS |
| 1521 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", | 1521 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", |
| 1522 "weak_digest_md2_ee.pem", false, true, true }, | 1522 "weak_digest_md2_ee.pem", false, true, true }, |
| 1523 #endif | 1523 #endif |
| 1524 }; | 1524 }; |
| 1525 // NSS does not support MD4 and does not enable MD2 by default, making all | 1525 // NSS does not support MD4 and does not enable MD2 by default, making all |
| 1526 // permutations invalid. | 1526 // permutations invalid. |
| 1527 #if defined(USE_NSS) || defined(OS_IOS) | 1527 #if defined(USE_NSS) || defined(OS_IOS) |
| 1528 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1528 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1529 #else | 1529 #else |
| (...skipping 63 matching lines...) |
| 1593 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1593 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1594 } | 1594 } |
| 1595 } | 1595 } |
| 1596 | 1596 |
| 1597 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1597 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1598 VerifyName, | 1598 VerifyName, |
| 1599 CertVerifyProcNameTest, | 1599 CertVerifyProcNameTest, |
| 1600 testing::ValuesIn(kVerifyNameData)); | 1600 testing::ValuesIn(kVerifyNameData)); |
| 1601 | 1601 |
| 1602 } // namespace net | 1602 } // namespace net |
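Review bot: The guard at new line 727 drops the `!defined(OS_ANDROID)` exclusion when it becomes `#if defined(USE_OPENSSL_CERTS)`, and nothing on this page shows whether that macro can be defined on Android builds. The weak-digest guards at new lines 1405, 1420, 1443, 1467, 1492 and 1519 add `|| defined(OS_ANDROID)` explicitly, which suggests it is not defined there, but that is an inference. If it can be defined on Android, that platform would move to the branch that expects only ERR_CERT_AUTHORITY_INVALID and would stop asserting CERT_STATUS_INVALID for a certificate the comment describes as having two errors, so the test would check less about the verifier. Either keep the exclusion, `#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)`, or state the assumption above the guard, e.g. `// USE_OPENSSL_CERTS is not defined on Android; Android takes the #else branch.` The enclosing test body starts and ends in lines the page skips.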
| OLD | NEW |