| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | |
| 8 #include "base/cancelable_callback.h" | |
| 9 #include "base/files/file_util.h" | |
| 10 #include "base/location.h" | |
| 11 #include "base/path_service.h" | |
| 12 #include "base/threading/thread_task_runner_handle.h" | |
| 13 #include "net/base/net_errors.h" | 7 #include "net/base/net_errors.h" |
| 14 #include "net/base/test_completion_callback.h" | 8 #include "net/base/test_completion_callback.h" |
| 15 #include "net/cert/internal/cert_issuer_source_static.h" | 9 #include "net/cert/internal/cert_issuer_source_static.h" |
| 10 #include "net/cert/internal/cert_issuer_source_test_helpers.h" |
| 16 #include "net/cert/internal/parsed_certificate.h" | 11 #include "net/cert/internal/parsed_certificate.h" |
| 17 #include "net/cert/internal/signature_policy.h" | 12 #include "net/cert/internal/signature_policy.h" |
| 18 #include "net/cert/internal/test_helpers.h" | 13 #include "net/cert/internal/test_helpers.h" |
| 19 #include "net/cert/internal/trust_store.h" | 14 #include "net/cert/internal/trust_store_static.h" |
| 15 #include "net/cert/internal/trust_store_test_helpers.h" |
| 20 #include "net/cert/internal/verify_certificate_chain.h" | 16 #include "net/cert/internal/verify_certificate_chain.h" |
| 21 #include "net/cert/pem_tokenizer.h" | |
| 22 #include "net/der/input.h" | 17 #include "net/der/input.h" |
| 23 #include "net/test/cert_test_util.h" | 18 #include "net/test/cert_test_util.h" |
| 24 #include "net/test/test_certificate_data.h" | 19 #include "net/test/test_certificate_data.h" |
| 25 #include "testing/gmock/include/gmock/gmock.h" | 20 #include "testing/gmock/include/gmock/gmock.h" |
| 26 #include "testing/gtest/include/gtest/gtest.h" | 21 #include "testing/gtest/include/gtest/gtest.h" |
| 27 | 22 |
| 28 namespace net { | 23 namespace net { |
| 29 | 24 |
| 30 namespace { | 25 namespace { |
| 31 | 26 |
| 32 using ::testing::_; | 27 using ::testing::_; |
| 33 using ::testing::Invoke; | 28 using ::testing::Invoke; |
| 34 using ::testing::SaveArg; | 29 using ::testing::SaveArg; |
| 35 using ::testing::StrictMock; | 30 using ::testing::StrictMock; |
| 36 using ::testing::SetArgPointee; | 31 using ::testing::SetArgPointee; |
| 37 using ::testing::Return; | 32 using ::testing::Return; |
| 38 | 33 |
| 39 // AsyncCertIssuerSourceStatic always returns its certs asynchronously. | |
| 40 class AsyncCertIssuerSourceStatic : public CertIssuerSource { | |
| 41 public: | |
| 42 class StaticAsyncRequest : public Request { | |
| 43 public: | |
| 44 StaticAsyncRequest(const IssuerCallback& issuers_callback, | |
| 45 ParsedCertificateList&& issuers) | |
| 46 : cancelable_closure_(base::Bind(&StaticAsyncRequest::RunCallback, | |
| 47 base::Unretained(this))), | |
| 48 issuers_callback_(issuers_callback) { | |
| 49 issuers_.swap(issuers); | |
| 50 issuers_iter_ = issuers_.begin(); | |
| 51 } | |
| 52 ~StaticAsyncRequest() override {} | |
| 53 | |
| 54 CompletionStatus GetNext( | |
| 55 scoped_refptr<ParsedCertificate>* out_cert) override { | |
| 56 if (issuers_iter_ == issuers_.end()) | |
| 57 *out_cert = nullptr; | |
| 58 else | |
| 59 *out_cert = std::move(*issuers_iter_++); | |
| 60 return CompletionStatus::SYNC; | |
| 61 } | |
| 62 | |
| 63 base::Closure callback() { return cancelable_closure_.callback(); } | |
| 64 | |
| 65 private: | |
| 66 void RunCallback() { issuers_callback_.Run(this); } | |
| 67 | |
| 68 base::CancelableClosure cancelable_closure_; | |
| 69 IssuerCallback issuers_callback_; | |
| 70 ParsedCertificateList issuers_; | |
| 71 ParsedCertificateList::iterator issuers_iter_; | |
| 72 | |
| 73 DISALLOW_COPY_AND_ASSIGN(StaticAsyncRequest); | |
| 74 }; | |
| 75 | |
| 76 ~AsyncCertIssuerSourceStatic() override {} | |
| 77 | |
| 78 void AddCert(scoped_refptr<ParsedCertificate> cert) { | |
| 79 static_cert_issuer_source_.AddCert(std::move(cert)); | |
| 80 } | |
| 81 | |
| 82 void SyncGetIssuersOf(const ParsedCertificate* cert, | |
| 83 ParsedCertificateList* issuers) override {} | |
| 84 void AsyncGetIssuersOf(const ParsedCertificate* cert, | |
| 85 const IssuerCallback& issuers_callback, | |
| 86 std::unique_ptr<Request>* out_req) override { | |
| 87 num_async_gets_++; | |
| 88 ParsedCertificateList issuers; | |
| 89 static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers); | |
| 90 std::unique_ptr<StaticAsyncRequest> req( | |
| 91 new StaticAsyncRequest(issuers_callback, std::move(issuers))); | |
| 92 base::ThreadTaskRunnerHandle::Get()->PostTask(FROM_HERE, req->callback()); | |
| 93 *out_req = std::move(req); | |
| 94 } | |
| 95 int num_async_gets() const { return num_async_gets_; } | |
| 96 | |
| 97 private: | |
| 98 CertIssuerSourceStatic static_cert_issuer_source_; | |
| 99 | |
| 100 int num_async_gets_ = 0; | |
| 101 }; | |
| 102 | |
| 103 // Reads a data file from the unit-test data. | |
| 104 std::string ReadTestFileToString(const std::string& file_name) { | |
| 105 // Compute the full path, relative to the src/ directory. | |
| 106 base::FilePath src_root; | |
| 107 PathService::Get(base::DIR_SOURCE_ROOT, &src_root); | |
| 108 base::FilePath filepath = src_root.AppendASCII(file_name); | |
| 109 | |
| 110 // Read the full contents of the file. | |
| 111 std::string file_data; | |
| 112 if (!base::ReadFileToString(filepath, &file_data)) { | |
| 113 ADD_FAILURE() << "Couldn't read file: " << filepath.value(); | |
| 114 return std::string(); | |
| 115 } | |
| 116 | |
| 117 return file_data; | |
| 118 } | |
| 119 | |
| 120 // Reads a verify_certificate_chain_unittest-style test case from |file_name|. | |
| 121 // Test cases are comprised of a certificate chain, trust store, a timestamp to | |
| 122 // validate at, and the expected result of verification (though the expected | |
| 123 // result is ignored here). | |
| 124 void ReadVerifyCertChainTestFromFile(const std::string& file_name, | |
| 125 std::vector<std::string>* chain, | |
| 126 scoped_refptr<ParsedCertificate>* root, | |
| 127 der::GeneralizedTime* time) { | |
| 128 chain->clear(); | |
| 129 | |
| 130 std::string file_data = ReadTestFileToString(file_name); | |
| 131 | |
| 132 std::vector<std::string> pem_headers; | |
| 133 | |
| 134 const char kCertificateHeader[] = "CERTIFICATE"; | |
| 135 const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE"; | |
| 136 const char kTimeHeader[] = "TIME"; | |
| 137 | |
| 138 pem_headers.push_back(kCertificateHeader); | |
| 139 pem_headers.push_back(kTrustedCertificateHeader); | |
| 140 pem_headers.push_back(kTimeHeader); | |
| 141 | |
| 142 bool has_time = false; | |
| 143 | |
| 144 PEMTokenizer pem_tokenizer(file_data, pem_headers); | |
| 145 while (pem_tokenizer.GetNext()) { | |
| 146 const std::string& block_type = pem_tokenizer.block_type(); | |
| 147 const std::string& block_data = pem_tokenizer.data(); | |
| 148 | |
| 149 if (block_type == kCertificateHeader) { | |
| 150 chain->push_back(block_data); | |
| 151 } else if (block_type == kTrustedCertificateHeader) { | |
| 152 *root = ParsedCertificate::CreateFromCertificateCopy(block_data, {}); | |
| 153 ASSERT_TRUE(*root); | |
| 154 } else if (block_type == kTimeHeader) { | |
| 155 ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader; | |
| 156 has_time = true; | |
| 157 ASSERT_TRUE(der::ParseUTCTime(der::Input(&block_data), time)); | |
| 158 } | |
| 159 } | |
| 160 | |
| 161 ASSERT_TRUE(has_time); | |
| 162 } | |
| 163 | |
| 164 ::testing::AssertionResult ReadTestPem(const std::string& file_name, | 34 ::testing::AssertionResult ReadTestPem(const std::string& file_name, |
| 165 const std::string& block_name, | 35 const std::string& block_name, |
| 166 std::string* result) { | 36 std::string* result) { |
| 167 const PemBlockMapping mappings[] = { | 37 const PemBlockMapping mappings[] = { |
| 168 {block_name.c_str(), result}, | 38 {block_name.c_str(), result}, |
| 169 }; | 39 }; |
| 170 | 40 |
| 171 return ReadTestDataFromPemFile(file_name, mappings); | 41 return ReadTestDataFromPemFile(file_name, mappings); |
| 172 } | 42 } |
| 173 | 43 |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 219 scoped_refptr<ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_, | 89 scoped_refptr<ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_, |
| 220 d_by_d_, e_by_e_, f_by_e_; | 90 d_by_d_, e_by_e_, f_by_e_; |
| 221 | 91 |
| 222 SimpleSignaturePolicy signature_policy_; | 92 SimpleSignaturePolicy signature_policy_; |
| 223 der::GeneralizedTime time_ = {2016, 4, 11, 0, 0, 0}; | 93 der::GeneralizedTime time_ = {2016, 4, 11, 0, 0, 0}; |
| 224 }; | 94 }; |
| 225 | 95 |
| 226 // If the target cert is a trust anchor, it should verify and should not include | 96 // If the target cert is a trust anchor, it should verify and should not include |
| 227 // anything else in the path. | 97 // anything else in the path. |
| 228 TEST_F(PathBuilderMultiRootTest, TargetIsTrustAnchor) { | 98 TEST_F(PathBuilderMultiRootTest, TargetIsTrustAnchor) { |
| 229 TrustStore trust_store; | 99 TrustStoreStatic trust_store; |
| 230 trust_store.AddTrustedCertificate(a_by_b_); | 100 trust_store.AddTrustedCertificate(a_by_b_); |
| 231 trust_store.AddTrustedCertificate(b_by_f_); | 101 trust_store.AddTrustedCertificate(b_by_f_); |
| 232 | 102 |
| 233 CertPathBuilder::Result result; | 103 CertPathBuilder::Result result; |
| 234 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 104 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 235 &result); | 105 path_builder.AddTrustStore(&trust_store); |
| 236 | 106 |
| 237 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 107 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 238 | 108 |
| 239 EXPECT_EQ(OK, result.error()); | 109 EXPECT_EQ(OK, result.error()); |
| 240 EXPECT_EQ(1U, result.paths[result.best_result_index]->path.size()); | 110 ASSERT_FALSE(result.paths.empty()); |
| 111 ASSERT_EQ(1U, result.paths[result.best_result_index]->path.size()); |
| 241 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 112 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); |
| 242 } | 113 } |
| 243 | 114 |
| 244 // If the target cert is directly issued by a trust anchor, it should verify | 115 // If the target cert is directly issued by a trust anchor, it should verify |
| 245 // without any intermediate certs being provided. | 116 // without any intermediate certs being provided. |
| 246 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { | 117 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { |
| 247 TrustStore trust_store; | 118 TrustStoreStatic trust_store; |
| 248 trust_store.AddTrustedCertificate(b_by_f_); | 119 trust_store.AddTrustedCertificate(b_by_f_); |
| 249 | 120 |
| 250 CertPathBuilder::Result result; | 121 CertPathBuilder::Result result; |
| 251 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 122 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 252 &result); | 123 path_builder.AddTrustStore(&trust_store); |
| 253 | 124 |
| 254 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 125 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 255 | 126 |
| 256 EXPECT_EQ(OK, result.error()); | 127 EXPECT_EQ(OK, result.error()); |
| 257 EXPECT_EQ(2U, result.paths[result.best_result_index]->path.size()); | 128 ASSERT_FALSE(result.paths.empty()); |
| 129 ASSERT_EQ(2U, result.paths[result.best_result_index]->path.size()); |
| 258 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 130 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); |
| 259 EXPECT_EQ(b_by_f_, result.paths[result.best_result_index]->path[1]); | 131 EXPECT_EQ(b_by_f_, result.paths[result.best_result_index]->path[1]); |
| 260 } | 132 } |
| 261 | 133 |
| 262 // Test that async cert queries are not made if the path can be successfully | 134 // Test that async cert queries are not made if the path can be successfully |
| 263 // built with synchronously available certs. | 135 // built with synchronously available certs. |
| 264 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { | 136 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { |
| 265 TrustStore trust_store; | 137 TrustStoreStatic trust_store; |
| 266 trust_store.AddTrustedCertificate(e_by_e_); | 138 trust_store.AddTrustedCertificate(e_by_e_); |
| 267 | 139 |
| 268 CertIssuerSourceStatic sync_certs; | 140 CertIssuerSourceStatic sync_certs; |
| 269 sync_certs.AddCert(b_by_f_); | 141 sync_certs.AddCert(b_by_f_); |
| 270 sync_certs.AddCert(f_by_e_); | 142 sync_certs.AddCert(f_by_e_); |
| 271 | 143 |
| 272 AsyncCertIssuerSourceStatic async_certs; | 144 AsyncCertIssuerSourceStatic async_certs; |
| 273 async_certs.AddCert(b_by_c_); | 145 async_certs.AddCert(b_by_c_); |
| 274 async_certs.AddCert(c_by_e_); | 146 async_certs.AddCert(c_by_e_); |
| 275 | 147 |
| 276 CertPathBuilder::Result result; | 148 CertPathBuilder::Result result; |
| 277 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 149 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 278 &result); | 150 path_builder.AddTrustStore(&trust_store); |
| 279 path_builder.AddCertIssuerSource(&async_certs); | 151 path_builder.AddCertIssuerSource(&async_certs); |
| 280 path_builder.AddCertIssuerSource(&sync_certs); | 152 path_builder.AddCertIssuerSource(&sync_certs); |
| 281 | 153 |
| 282 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 154 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 283 | 155 |
| 284 EXPECT_EQ(OK, result.error()); | 156 EXPECT_EQ(OK, result.error()); |
| 285 EXPECT_EQ(0, async_certs.num_async_gets()); | 157 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 286 } | 158 } |
| 287 | 159 |
| 288 // Test that async cert queries are not made if no callback is provided. | 160 // Test that async cert queries are not made if no callback is provided. |
| 289 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { | 161 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { |
| 290 TrustStore trust_store; | 162 TrustStoreStatic trust_store; |
| 291 trust_store.AddTrustedCertificate(e_by_e_); | 163 trust_store.AddTrustedCertificate(e_by_e_); |
| 292 | 164 |
| 293 CertIssuerSourceStatic sync_certs; | 165 CertIssuerSourceStatic sync_certs; |
| 294 sync_certs.AddCert(f_by_e_); | 166 sync_certs.AddCert(f_by_e_); |
| 295 | 167 |
| 296 AsyncCertIssuerSourceStatic async_certs; | 168 AsyncCertIssuerSourceStatic async_certs; |
| 297 async_certs.AddCert(b_by_f_); | 169 async_certs.AddCert(b_by_f_); |
| 298 | 170 |
| 299 CertPathBuilder::Result result; | 171 CertPathBuilder::Result result; |
| 300 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 172 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 301 &result); | 173 path_builder.AddTrustStore(&trust_store); |
| 302 path_builder.AddCertIssuerSource(&async_certs); | 174 path_builder.AddCertIssuerSource(&async_certs); |
| 303 path_builder.AddCertIssuerSource(&sync_certs); | 175 path_builder.AddCertIssuerSource(&sync_certs); |
| 304 | 176 |
| 305 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); | 177 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); |
| 306 | 178 |
| 307 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 179 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 308 EXPECT_EQ(0, async_certs.num_async_gets()); | 180 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 309 } | 181 } |
| 310 | 182 |
| 311 // If async queries are needed, all async sources will be queried | 183 // If async queries are needed, all async sources will be queried |
| 312 // simultaneously. | 184 // simultaneously. |
| 313 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { | 185 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { |
| 314 TrustStore trust_store; | 186 TrustStoreStatic trust_store; |
| 315 trust_store.AddTrustedCertificate(e_by_e_); | 187 trust_store.AddTrustedCertificate(e_by_e_); |
| 316 | 188 |
| 317 CertIssuerSourceStatic sync_certs; | 189 CertIssuerSourceStatic sync_certs; |
| 318 sync_certs.AddCert(b_by_c_); | 190 sync_certs.AddCert(b_by_c_); |
| 319 sync_certs.AddCert(b_by_f_); | 191 sync_certs.AddCert(b_by_f_); |
| 320 | 192 |
| 321 AsyncCertIssuerSourceStatic async_certs1; | 193 AsyncCertIssuerSourceStatic async_certs1; |
| 322 async_certs1.AddCert(c_by_e_); | 194 async_certs1.AddCert(c_by_e_); |
| 323 | 195 |
| 324 AsyncCertIssuerSourceStatic async_certs2; | 196 AsyncCertIssuerSourceStatic async_certs2; |
| 325 async_certs2.AddCert(f_by_e_); | 197 async_certs2.AddCert(f_by_e_); |
| 326 | 198 |
| 327 CertPathBuilder::Result result; | 199 CertPathBuilder::Result result; |
| 328 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 200 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 329 &result); | 201 path_builder.AddTrustStore(&trust_store); |
| 330 path_builder.AddCertIssuerSource(&async_certs1); | 202 path_builder.AddCertIssuerSource(&async_certs1); |
| 331 path_builder.AddCertIssuerSource(&async_certs2); | 203 path_builder.AddCertIssuerSource(&async_certs2); |
| 332 path_builder.AddCertIssuerSource(&sync_certs); | 204 path_builder.AddCertIssuerSource(&sync_certs); |
| 333 | 205 |
| 334 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 206 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 335 | 207 |
| 336 EXPECT_EQ(OK, result.error()); | 208 EXPECT_EQ(OK, result.error()); |
| 337 EXPECT_EQ(1, async_certs1.num_async_gets()); | 209 EXPECT_EQ(1, async_certs1.num_async_gets()); |
| 338 EXPECT_EQ(1, async_certs2.num_async_gets()); | 210 EXPECT_EQ(1, async_certs2.num_async_gets()); |
| 339 } | 211 } |
| 340 | 212 |
| 341 // Test that PathBuilder does not generate longer paths than necessary if one of | 213 // Test that PathBuilder does not generate longer paths than necessary if one of |
| 342 // the supplied certs is itself a trust anchor. | 214 // the supplied certs is itself a trust anchor. |
| 343 TEST_F(PathBuilderMultiRootTest, TestLongChain) { | 215 TEST_F(PathBuilderMultiRootTest, TestLongChain) { |
| 344 // Both D(D) and C(D) are trusted roots. | 216 // Both D(D) and C(D) are trusted roots. |
| 345 TrustStore trust_store; | 217 TrustStoreStatic trust_store; |
| 346 trust_store.AddTrustedCertificate(d_by_d_); | 218 trust_store.AddTrustedCertificate(d_by_d_); |
| 347 trust_store.AddTrustedCertificate(c_by_d_); | 219 trust_store.AddTrustedCertificate(c_by_d_); |
| 348 | 220 |
| 349 // Certs B(C), and C(D) are all supplied. | 221 // Certs B(C), and C(D) are all supplied. |
| 350 CertIssuerSourceStatic sync_certs; | 222 CertIssuerSourceStatic sync_certs; |
| 351 sync_certs.AddCert(b_by_c_); | 223 sync_certs.AddCert(b_by_c_); |
| 352 sync_certs.AddCert(c_by_d_); | 224 sync_certs.AddCert(c_by_d_); |
| 353 | 225 |
| 354 CertPathBuilder::Result result; | 226 CertPathBuilder::Result result; |
| 355 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 227 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 356 &result); | 228 path_builder.AddTrustStore(&trust_store); |
| 357 path_builder.AddCertIssuerSource(&sync_certs); | 229 path_builder.AddCertIssuerSource(&sync_certs); |
| 358 | 230 |
| 359 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 231 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 360 | 232 |
| 361 EXPECT_EQ(OK, result.error()); | 233 EXPECT_EQ(OK, result.error()); |
| 362 | 234 |
| 363 // The result path should be A(B) <- B(C) <- C(D) | 235 // The result path should be A(B) <- B(C) <- C(D) |
| 364 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) | 236 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) |
| 237 ASSERT_FALSE(result.paths.empty()); |
| 365 EXPECT_EQ(3U, result.paths[result.best_result_index]->path.size()); | 238 EXPECT_EQ(3U, result.paths[result.best_result_index]->path.size()); |
| 366 } | 239 } |
| 367 | 240 |
| 241 // Test that PathBuilder does not generate longer paths than necessary if one of |
| 242 // the supplied certs is itself a trust anchor. |
| 243 TEST_F(PathBuilderMultiRootTest, TestLongChainAsyncTrust) { |
| 244 // Both D(D) and C(D) are trusted roots. |
| 245 AsyncTrustStoreStatic trust_store; |
| 246 trust_store.AddTrustedCertificate(d_by_d_); |
| 247 trust_store.AddTrustedCertificate(c_by_d_); |
| 248 |
| 249 // Certs A(B), B(C), and C(D) are all supplied. |
| 250 CertIssuerSourceStatic sync_certs; |
| 251 sync_certs.AddCert(a_by_b_); |
| 252 sync_certs.AddCert(b_by_c_); |
| 253 sync_certs.AddCert(c_by_d_); |
| 254 |
| 255 CertPathBuilder::Result result; |
| 256 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 257 path_builder.AddTrustStore(&trust_store); |
| 258 path_builder.AddCertIssuerSource(&sync_certs); |
| 259 |
| 260 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 261 |
| 262 EXPECT_EQ(OK, result.error()); |
| 263 |
| 264 // The result path should be A(B) <- B(C) <- C(D) |
| 265 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) |
| 266 ASSERT_FALSE(result.paths.empty()); |
| 267 EXPECT_EQ(3U, result.paths[result.best_result_index]->path.size()); |
| 268 } |
| 269 |
| 368 // Test that PathBuilder will backtrack and try a different path if the first | 270 // Test that PathBuilder will backtrack and try a different path if the first |
| 369 // one doesn't work out. | 271 // one doesn't work out. |
| 370 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { | 272 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { |
| 371 // Only D(D) is a trusted root. | 273 // Only D(D) is a trusted root. |
| 372 TrustStore trust_store; | 274 TrustStoreStatic trust_store; |
| 373 trust_store.AddTrustedCertificate(d_by_d_); | 275 trust_store.AddTrustedCertificate(d_by_d_); |
| 374 | 276 |
| 375 // Certs B(F) and F(E) are supplied synchronously, thus the path | 277 // Certs B(F) and F(E) are supplied synchronously, thus the path |
| 376 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. | 278 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| 377 CertIssuerSourceStatic sync_certs; | 279 CertIssuerSourceStatic sync_certs; |
| 378 sync_certs.AddCert(b_by_f_); | 280 sync_certs.AddCert(b_by_f_); |
| 379 sync_certs.AddCert(f_by_e_); | 281 sync_certs.AddCert(f_by_e_); |
| 380 | 282 |
| 381 // Certs B(C), and C(D) are supplied asynchronously, so the path | 283 // Certs B(C), and C(D) are supplied asynchronously, so the path |
| 382 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. | 284 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. |
| 383 AsyncCertIssuerSourceStatic async_certs; | 285 AsyncCertIssuerSourceStatic async_certs; |
| 384 async_certs.AddCert(b_by_c_); | 286 async_certs.AddCert(b_by_c_); |
| 385 async_certs.AddCert(c_by_d_); | 287 async_certs.AddCert(c_by_d_); |
| 386 | 288 |
| 387 CertPathBuilder::Result result; | 289 CertPathBuilder::Result result; |
| 388 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 290 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 389 &result); | 291 path_builder.AddTrustStore(&trust_store); |
| 390 path_builder.AddCertIssuerSource(&sync_certs); | 292 path_builder.AddCertIssuerSource(&sync_certs); |
| 391 path_builder.AddCertIssuerSource(&async_certs); | 293 path_builder.AddCertIssuerSource(&async_certs); |
| 392 | 294 |
| 393 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 295 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 394 | 296 |
| 395 EXPECT_EQ(OK, result.error()); | 297 EXPECT_EQ(OK, result.error()); |
| 396 | 298 |
| 397 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 299 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 300 ASSERT_FALSE(result.paths.empty()); |
| 398 ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size()); | 301 ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size()); |
| 399 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 302 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); |
| 400 EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]); | 303 EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]); |
| 401 EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]); | 304 EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]); |
| 402 EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]); | 305 EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]); |
| 403 } | 306 } |
| 404 | 307 |
| 405 // Test that whichever order CertIssuerSource returns the issuers, the path | 308 // Test that whichever order CertIssuerSource returns the issuers, the path |
| 406 // building still succeeds. | 309 // building still succeeds. |
| 407 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { | 310 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { |
| 408 // Only D(D) is a trusted root. | 311 // Only D(D) is a trusted root. |
| 409 TrustStore trust_store; | 312 TrustStoreStatic trust_store; |
| 410 trust_store.AddTrustedCertificate(d_by_d_); | 313 trust_store.AddTrustedCertificate(d_by_d_); |
| 411 | 314 |
| 412 for (bool reverse_order : {false, true}) { | 315 for (bool reverse_order : {false, true}) { |
| 413 SCOPED_TRACE(reverse_order); | 316 SCOPED_TRACE(reverse_order); |
| 414 std::vector<scoped_refptr<ParsedCertificate>> certs = { | 317 std::vector<scoped_refptr<ParsedCertificate>> certs = { |
| 415 b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; | 318 b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; |
| 416 CertIssuerSourceStatic sync_certs; | 319 CertIssuerSourceStatic sync_certs; |
| 417 if (reverse_order) { | 320 if (reverse_order) { |
| 418 for (auto it = certs.rbegin(); it != certs.rend(); ++it) | 321 for (auto it = certs.rbegin(); it != certs.rend(); ++it) |
| 419 sync_certs.AddCert(*it); | 322 sync_certs.AddCert(*it); |
| 420 } else { | 323 } else { |
| 421 for (const auto& cert : certs) | 324 for (const auto& cert : certs) |
| 422 sync_certs.AddCert(cert); | 325 sync_certs.AddCert(cert); |
| 423 } | 326 } |
| 424 | 327 |
| 425 CertPathBuilder::Result result; | 328 CertPathBuilder::Result result; |
| 426 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, | 329 CertPathBuilder path_builder(a_by_b_, &signature_policy_, time_, &result); |
| 427 time_, &result); | 330 path_builder.AddTrustStore(&trust_store); |
| 428 path_builder.AddCertIssuerSource(&sync_certs); | 331 path_builder.AddCertIssuerSource(&sync_certs); |
| 429 | 332 |
| 430 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 333 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 431 | 334 |
| 432 EXPECT_EQ(OK, result.error()); | 335 EXPECT_EQ(OK, result.error()); |
| 433 | 336 |
| 434 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 337 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 435 ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size()); | 338 ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size()); |
| 436 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 339 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); |
| 437 EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]); | 340 EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]); |
| 438 EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]); | 341 EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]); |
| 439 EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]); | 342 EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]); |
| 440 } | 343 } |
| 441 } | 344 } |
| 442 | 345 |
| 443 class PathBuilderKeyRolloverTest : public ::testing::Test { | 346 class PathBuilderKeyRolloverTest : public ::testing::Test { |
| 444 public: | 347 public: |
| 445 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} | 348 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} |
| 446 | 349 |
| 447 void SetUp() override { | 350 void SetUp() override { |
| 448 std::vector<std::string> path; | 351 ParsedCertificateList chain; |
| 352 ParsedCertificateList roots; |
| 353 bool unused_verify_result; |
| 449 | 354 |
| 450 ReadVerifyCertChainTestFromFile( | 355 ReadCertChainTestFromFile( |
| 451 "net/data/verify_certificate_chain_unittest/key-rollover-oldchain.pem", | 356 "net/data/verify_certificate_chain_unittest/key-rollover-oldchain.pem", |
| 452 &path, &oldroot_, &time_); | 357 &chain, &roots, &time_, &unused_verify_result); |
| 453 ASSERT_EQ(2U, path.size()); | 358 ASSERT_EQ(2U, chain.size()); |
| 454 target_ = ParsedCertificate::CreateFromCertificateCopy(path[0], {}); | 359 ASSERT_EQ(1U, roots.size()); |
| 455 oldintermediate_ = | 360 target_ = chain[0]; |
| 456 ParsedCertificate::CreateFromCertificateCopy(path[1], {}); | 361 oldintermediate_ = chain[1]; |
| 362 oldroot_ = roots[0]; |
| 457 ASSERT_TRUE(target_); | 363 ASSERT_TRUE(target_); |
| 458 ASSERT_TRUE(oldintermediate_); | 364 ASSERT_TRUE(oldintermediate_); |
| 365 ASSERT_TRUE(oldroot_); |
| 459 | 366 |
| 460 ReadVerifyCertChainTestFromFile( | 367 ReadCertChainTestFromFile( |
| 461 "net/data/verify_certificate_chain_unittest/" | 368 "net/data/verify_certificate_chain_unittest/" |
| 462 "key-rollover-longrolloverchain.pem", | 369 "key-rollover-longrolloverchain.pem", |
| 463 &path, &oldroot_, &time_); | 370 &chain, &roots, &time_, &unused_verify_result); |
| 464 ASSERT_EQ(4U, path.size()); | 371 ASSERT_EQ(4U, chain.size()); |
| 465 newintermediate_ = | 372 newintermediate_ = chain[1]; |
| 466 ParsedCertificate::CreateFromCertificateCopy(path[1], {}); | 373 newroot_ = chain[2]; |
| 467 newroot_ = ParsedCertificate::CreateFromCertificateCopy(path[2], {}); | 374 newrootrollover_ = chain[3]; |
| 468 newrootrollover_ = | |
| 469 ParsedCertificate::CreateFromCertificateCopy(path[3], {}); | |
| 470 ASSERT_TRUE(newintermediate_); | 375 ASSERT_TRUE(newintermediate_); |
| 471 ASSERT_TRUE(newroot_); | 376 ASSERT_TRUE(newroot_); |
| 472 ASSERT_TRUE(newrootrollover_); | 377 ASSERT_TRUE(newrootrollover_); |
| 473 } | 378 } |
| 474 | 379 |
| 475 protected: | 380 protected: |
| 476 // oldroot-------->newrootrollover newroot | 381 // oldroot-------->newrootrollover newroot |
| 477 // | | | | 382 // | | | |
| 478 // v v v | 383 // v v v |
| 479 // oldintermediate newintermediate | 384 // oldintermediate newintermediate |
| (...skipping 10 matching lines...) Expand all Loading... |
| 490 scoped_refptr<ParsedCertificate> newrootrollover_; | 395 scoped_refptr<ParsedCertificate> newrootrollover_; |
| 491 | 396 |
| 492 SimpleSignaturePolicy signature_policy_; | 397 SimpleSignaturePolicy signature_policy_; |
| 493 der::GeneralizedTime time_; | 398 der::GeneralizedTime time_; |
| 494 }; | 399 }; |
| 495 | 400 |
| 496 // Tests that if only the old root cert is trusted, the path builder can build a | 401 // Tests that if only the old root cert is trusted, the path builder can build a |
| 497 // path through the new intermediate and rollover cert to the old root. | 402 // path through the new intermediate and rollover cert to the old root. |
| 498 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { | 403 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { |
| 499 // Only oldroot is trusted. | 404 // Only oldroot is trusted. |
| 500 TrustStore trust_store; | 405 TrustStoreStatic trust_store; |
| 501 trust_store.AddTrustedCertificate(oldroot_); | 406 trust_store.AddTrustedCertificate(oldroot_); |
| 502 | 407 |
| 503 // Old intermediate cert is not provided, so the pathbuilder will need to go | 408 // Old intermediate cert is not provided, so the pathbuilder will need to go |
| 504 // through the rollover cert. | 409 // through the rollover cert. |
| 505 CertIssuerSourceStatic sync_certs; | 410 CertIssuerSourceStatic sync_certs; |
| 506 sync_certs.AddCert(newintermediate_); | 411 sync_certs.AddCert(newintermediate_); |
| 507 sync_certs.AddCert(newrootrollover_); | 412 sync_certs.AddCert(newrootrollover_); |
| 508 | 413 |
| 509 CertPathBuilder::Result result; | 414 CertPathBuilder::Result result; |
| 510 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 415 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 511 &result); | 416 path_builder.AddTrustStore(&trust_store); |
| 512 path_builder.AddCertIssuerSource(&sync_certs); | 417 path_builder.AddCertIssuerSource(&sync_certs); |
| 513 | 418 |
| 514 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 419 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 515 | 420 |
| 516 EXPECT_EQ(OK, result.error()); | 421 EXPECT_EQ(OK, result.error()); |
| 517 | 422 |
| 518 // Path builder will first attempt: target <- newintermediate <- oldroot | 423 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 519 // but it will fail since newintermediate is signed by newroot. | 424 // but it will fail since newintermediate is signed by newroot. |
| 520 ASSERT_EQ(2U, result.paths.size()); | 425 ASSERT_EQ(2U, result.paths.size()); |
| 521 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 426 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| (...skipping 13 matching lines...) Expand all Loading... |
| 535 EXPECT_EQ(newrootrollover_, result.paths[1]->path[2]); | 440 EXPECT_EQ(newrootrollover_, result.paths[1]->path[2]); |
| 536 EXPECT_EQ(oldroot_, result.paths[1]->path[3]); | 441 EXPECT_EQ(oldroot_, result.paths[1]->path[3]); |
| 537 } | 442 } |
| 538 | 443 |
| 539 // Tests that if both old and new roots are trusted it can build a path through | 444 // Tests that if both old and new roots are trusted it can build a path through |
| 540 // either. | 445 // either. |
| 541 // TODO(mattm): Once prioritization is implemented, it should test that it | 446 // TODO(mattm): Once prioritization is implemented, it should test that it |
| 542 // always builds the path through the new intermediate and new root. | 447 // always builds the path through the new intermediate and new root. |
| 543 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { | 448 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { |
| 544 // Both oldroot and newroot are trusted. | 449 // Both oldroot and newroot are trusted. |
| 545 TrustStore trust_store; | 450 TrustStoreStatic trust_store; |
| 546 trust_store.AddTrustedCertificate(oldroot_); | 451 trust_store.AddTrustedCertificate(oldroot_); |
| 547 trust_store.AddTrustedCertificate(newroot_); | 452 trust_store.AddTrustedCertificate(newroot_); |
| 548 | 453 |
| 549 // Both old and new intermediates + rollover cert are provided. | 454 // Both old and new intermediates + rollover cert are provided. |
| 550 CertIssuerSourceStatic sync_certs; | 455 CertIssuerSourceStatic sync_certs; |
| 551 sync_certs.AddCert(oldintermediate_); | 456 sync_certs.AddCert(oldintermediate_); |
| 552 sync_certs.AddCert(newintermediate_); | 457 sync_certs.AddCert(newintermediate_); |
| 553 sync_certs.AddCert(newrootrollover_); | 458 sync_certs.AddCert(newrootrollover_); |
| 554 | 459 |
| 555 CertPathBuilder::Result result; | 460 CertPathBuilder::Result result; |
| 556 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 461 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 557 &result); | 462 path_builder.AddTrustStore(&trust_store); |
| 558 path_builder.AddCertIssuerSource(&sync_certs); | 463 path_builder.AddCertIssuerSource(&sync_certs); |
| 559 | 464 |
| 560 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 465 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 561 | 466 |
| 562 EXPECT_EQ(OK, result.error()); | 467 EXPECT_EQ(OK, result.error()); |
| 563 | 468 |
| 564 // Path builder willattempt one of: | 469 // Path builder willattempt one of: |
| 565 // target <- oldintermediate <- oldroot | 470 // target <- oldintermediate <- oldroot |
| 566 // target <- newintermediate <- newroot | 471 // target <- newintermediate <- newroot |
| 567 // either will succeed. | 472 // either will succeed. |
| (...skipping 10 matching lines...) Expand all Loading... |
| 578 EXPECT_EQ(newintermediate_, result.paths[0]->path[1]); | 483 EXPECT_EQ(newintermediate_, result.paths[0]->path[1]); |
| 579 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 484 EXPECT_EQ(newroot_, result.paths[0]->path[2]); |
| 580 } | 485 } |
| 581 } | 486 } |
| 582 | 487 |
| 583 // Tests that multiple trust root matches on a single path will be considered. | 488 // Tests that multiple trust root matches on a single path will be considered. |
| 584 // Both roots have the same subject but different keys. Only one of them will | 489 // Both roots have the same subject but different keys. Only one of them will |
| 585 // verify. | 490 // verify. |
| 586 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { | 491 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { |
| 587 // Both newroot and oldroot are trusted. | 492 // Both newroot and oldroot are trusted. |
| 588 TrustStore trust_store; | 493 TrustStoreStatic trust_store; |
| 589 trust_store.AddTrustedCertificate(newroot_); | 494 trust_store.AddTrustedCertificate(newroot_); |
| 590 trust_store.AddTrustedCertificate(oldroot_); | 495 trust_store.AddTrustedCertificate(oldroot_); |
| 591 | 496 |
| 592 // Only oldintermediate is supplied, so the path with newroot should fail, | 497 // Only oldintermediate is supplied, so the path with newroot should fail, |
| 593 // oldroot should succeed. | 498 // oldroot should succeed. |
| 594 CertIssuerSourceStatic sync_certs; | 499 CertIssuerSourceStatic sync_certs; |
| 595 sync_certs.AddCert(oldintermediate_); | 500 sync_certs.AddCert(oldintermediate_); |
| 596 | 501 |
| 597 CertPathBuilder::Result result; | 502 CertPathBuilder::Result result; |
| 598 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 503 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 599 &result); | 504 path_builder.AddTrustStore(&trust_store); |
| 600 path_builder.AddCertIssuerSource(&sync_certs); | 505 path_builder.AddCertIssuerSource(&sync_certs); |
| 601 | 506 |
| 602 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 507 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 603 | 508 |
| 604 EXPECT_EQ(OK, result.error()); | 509 EXPECT_EQ(OK, result.error()); |
| 605 // There may be one or two paths attempted depending if the path builder tried | 510 // There may be one or two paths attempted depending if the path builder tried |
| 606 // using newroot first. | 511 // using newroot first. |
| 607 // TODO(mattm): Once TrustStore is an interface, this could be fixed with a | 512 // TODO(mattm): Once TrustStore is an interface, this could be fixed with a |
| 608 // mock version of TrustStore that returns roots in a deterministic order. | 513 // mock version of TrustStore that returns roots in a deterministic order. |
| 609 ASSERT_LE(1U, result.paths.size()); | 514 ASSERT_LE(1U, result.paths.size()); |
| (...skipping 15 matching lines...) Expand all Loading... |
| 625 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); | 530 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); |
| 626 ASSERT_EQ(3U, result.paths[result.best_result_index]->path.size()); | 531 ASSERT_EQ(3U, result.paths[result.best_result_index]->path.size()); |
| 627 EXPECT_EQ(target_, result.paths[result.best_result_index]->path[0]); | 532 EXPECT_EQ(target_, result.paths[result.best_result_index]->path[0]); |
| 628 EXPECT_EQ(oldintermediate_, result.paths[result.best_result_index]->path[1]); | 533 EXPECT_EQ(oldintermediate_, result.paths[result.best_result_index]->path[1]); |
| 629 EXPECT_EQ(oldroot_, result.paths[result.best_result_index]->path[2]); | 534 EXPECT_EQ(oldroot_, result.paths[result.best_result_index]->path[2]); |
| 630 } | 535 } |
| 631 | 536 |
| 632 // Tests that the path builder doesn't build longer than necessary paths. | 537 // Tests that the path builder doesn't build longer than necessary paths. |
| 633 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { | 538 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { |
| 634 // Only oldroot is trusted. | 539 // Only oldroot is trusted. |
| 635 TrustStore trust_store; | 540 TrustStoreStatic trust_store; |
| 636 trust_store.AddTrustedCertificate(oldroot_); | 541 trust_store.AddTrustedCertificate(oldroot_); |
| 637 | 542 |
| 638 // New intermediate and new root are provided synchronously. | 543 // New intermediate and new root are provided synchronously. |
| 639 CertIssuerSourceStatic sync_certs; | 544 CertIssuerSourceStatic sync_certs; |
| 640 sync_certs.AddCert(newintermediate_); | 545 sync_certs.AddCert(newintermediate_); |
| 641 sync_certs.AddCert(newroot_); | 546 sync_certs.AddCert(newroot_); |
| 642 | 547 |
| 643 // Rollover cert is only provided asynchronously. This will force the | 548 // Rollover cert is only provided asynchronously. This will force the |
| 644 // pathbuilder to first try building a longer than necessary path. | 549 // pathbuilder to first try building a longer than necessary path. |
| 645 AsyncCertIssuerSourceStatic async_certs; | 550 AsyncCertIssuerSourceStatic async_certs; |
| 646 async_certs.AddCert(newrootrollover_); | 551 async_certs.AddCert(newrootrollover_); |
| 647 | 552 |
| 648 CertPathBuilder::Result result; | 553 CertPathBuilder::Result result; |
| 649 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 554 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 650 &result); | 555 path_builder.AddTrustStore(&trust_store); |
| 651 path_builder.AddCertIssuerSource(&sync_certs); | 556 path_builder.AddCertIssuerSource(&sync_certs); |
| 652 path_builder.AddCertIssuerSource(&async_certs); | 557 path_builder.AddCertIssuerSource(&async_certs); |
| 653 | 558 |
| 654 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 559 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 655 | 560 |
| 656 EXPECT_EQ(OK, result.error()); | 561 EXPECT_EQ(OK, result.error()); |
| 657 ASSERT_EQ(3U, result.paths.size()); | 562 ASSERT_EQ(3U, result.paths.size()); |
| 658 | 563 |
| 659 // Path builder will first attempt: target <- newintermediate <- oldroot | 564 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 660 // but it will fail since newintermediate is signed by newroot. | 565 // but it will fail since newintermediate is signed by newroot. |
| (...skipping 24 matching lines...) Expand all Loading... |
| 685 ASSERT_EQ(4U, result.paths[2]->path.size()); | 590 ASSERT_EQ(4U, result.paths[2]->path.size()); |
| 686 EXPECT_EQ(target_, result.paths[2]->path[0]); | 591 EXPECT_EQ(target_, result.paths[2]->path[0]); |
| 687 EXPECT_EQ(newintermediate_, result.paths[2]->path[1]); | 592 EXPECT_EQ(newintermediate_, result.paths[2]->path[1]); |
| 688 EXPECT_EQ(newrootrollover_, result.paths[2]->path[2]); | 593 EXPECT_EQ(newrootrollover_, result.paths[2]->path[2]); |
| 689 EXPECT_EQ(oldroot_, result.paths[2]->path[3]); | 594 EXPECT_EQ(oldroot_, result.paths[2]->path[3]); |
| 690 } | 595 } |
| 691 | 596 |
| 692 // If the target cert is a trust root, that alone is a valid path. | 597 // If the target cert is a trust root, that alone is a valid path. |
| 693 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { | 598 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { |
| 694 // Trust newintermediate. | 599 // Trust newintermediate. |
| 695 TrustStore trust_store; | 600 TrustStoreStatic trust_store; |
| 696 trust_store.AddTrustedCertificate(newintermediate_); | 601 trust_store.AddTrustedCertificate(newintermediate_); |
| 697 | 602 |
| 698 CertPathBuilder::Result result; | 603 CertPathBuilder::Result result; |
| 699 // Newintermediate is also the target cert. | 604 // Newintermediate is also the target cert. |
| 700 CertPathBuilder path_builder(newintermediate_, &trust_store, | 605 CertPathBuilder path_builder(newintermediate_, &signature_policy_, time_, |
| 701 &signature_policy_, time_, &result); | 606 &result); |
| 607 path_builder.AddTrustStore(&trust_store); |
| 702 | 608 |
| 703 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 609 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 704 | 610 |
| 705 EXPECT_EQ(OK, result.error()); | 611 EXPECT_EQ(OK, result.error()); |
| 706 | 612 |
| 707 ASSERT_EQ(1U, result.paths.size()); | 613 ASSERT_EQ(1U, result.paths.size()); |
| 708 EXPECT_EQ(OK, result.paths[0]->error); | 614 EXPECT_EQ(OK, result.paths[0]->error); |
| 709 ASSERT_EQ(1U, result.paths[0]->path.size()); | 615 ASSERT_EQ(1U, result.paths[0]->path.size()); |
| 710 EXPECT_EQ(newintermediate_, result.paths[0]->path[0]); | 616 EXPECT_EQ(newintermediate_, result.paths[0]->path[0]); |
| 711 } | 617 } |
| 712 | 618 |
| 619 // If the target cert is a trust root, but fails verification for some other |
| 620 // reason (eg, bad validity time), path building should fail and no other paths |
| 621 // should be attempted. |
| 622 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRootButFailsVerification)
{ |
| 623 // Trust newintermediate and newroot. |
| 624 TrustStoreStatic trust_store; |
| 625 trust_store.AddTrustedCertificate(newintermediate_); |
| 626 trust_store.AddTrustedCertificate(newroot_); |
| 627 |
| 628 CertPathBuilder::Result result; |
| 629 // Newintermediate is also the target cert. |
| 630 |
| 631 der::GeneralizedTime badtime = {2010, 4, 11, 0, 0, 0}; |
| 632 CertPathBuilder path_builder(newintermediate_, &signature_policy_, badtime, |
| 633 &result); |
| 634 path_builder.AddTrustStore(&trust_store); |
| 635 |
| 636 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 637 |
| 638 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 639 |
| 640 ASSERT_EQ(1U, result.paths.size()); |
| 641 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 642 ASSERT_EQ(1U, result.paths[0]->path.size()); |
| 643 EXPECT_EQ(newintermediate_, result.paths[0]->path[0]); |
| 644 } |
| 645 |
| 713 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path | 646 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path |
| 714 // can still be built. | 647 // can still be built. |
| 715 // Since LoopChecker will prevent the intermediate from being included, this | 648 // Since LoopChecker will prevent the intermediate from being included, this |
| 716 // currently does NOT verify. This case shouldn't occur in the web PKI. | 649 // currently does NOT verify. This case shouldn't occur in the web PKI. |
| 717 TEST_F(PathBuilderKeyRolloverTest, | 650 TEST_F(PathBuilderKeyRolloverTest, |
| 718 TestEndEntityHasSameNameAndSpkiAsIntermediate) { | 651 TestEndEntityHasSameNameAndSpkiAsIntermediate) { |
| 719 // Trust oldroot. | 652 // Trust oldroot. |
| 720 TrustStore trust_store; | 653 TrustStoreStatic trust_store; |
| 721 trust_store.AddTrustedCertificate(oldroot_); | 654 trust_store.AddTrustedCertificate(oldroot_); |
| 722 | 655 |
| 723 // New root rollover is provided synchronously. | 656 // New root rollover is provided synchronously. |
| 724 CertIssuerSourceStatic sync_certs; | 657 CertIssuerSourceStatic sync_certs; |
| 725 sync_certs.AddCert(newrootrollover_); | 658 sync_certs.AddCert(newrootrollover_); |
| 726 | 659 |
| 727 CertPathBuilder::Result result; | 660 CertPathBuilder::Result result; |
| 728 // Newroot is the target cert. | 661 // Newroot is the target cert. |
| 729 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 662 CertPathBuilder path_builder(newroot_, &signature_policy_, time_, &result); |
| 730 time_, &result); | 663 path_builder.AddTrustStore(&trust_store); |
| 731 path_builder.AddCertIssuerSource(&sync_certs); | 664 path_builder.AddCertIssuerSource(&sync_certs); |
| 732 | 665 |
| 733 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 666 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 734 | 667 |
| 735 // This could actually be OK, but CertPathBuilder does not build the | 668 // This could actually be OK, but CertPathBuilder does not build the |
| 736 // newroot <- newrootrollover <- oldroot path. | 669 // newroot <- newrootrollover <- oldroot path. |
| 737 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 670 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 738 } | 671 } |
| 739 | 672 |
| 740 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) | 673 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) |
| 741 // path can still be built. | 674 // path can still be built. |
| 742 TEST_F(PathBuilderKeyRolloverTest, | 675 TEST_F(PathBuilderKeyRolloverTest, |
| 743 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { | 676 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { |
| 744 // Trust newrootrollover. | 677 // Trust newrootrollover. |
| 745 TrustStore trust_store; | 678 TrustStoreStatic trust_store; |
| 746 trust_store.AddTrustedCertificate(newrootrollover_); | 679 trust_store.AddTrustedCertificate(newrootrollover_); |
| 747 | 680 |
| 748 CertPathBuilder::Result result; | 681 CertPathBuilder::Result result; |
| 749 // Newroot is the target cert. | 682 // Newroot is the target cert. |
| 750 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 683 CertPathBuilder path_builder(newroot_, &signature_policy_, time_, &result); |
| 751 time_, &result); | 684 path_builder.AddTrustStore(&trust_store); |
| 752 | 685 |
| 753 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 686 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 754 | 687 |
| 755 EXPECT_EQ(OK, result.error()); | 688 EXPECT_EQ(OK, result.error()); |
| 756 | 689 |
| 757 ASSERT_FALSE(result.paths.empty()); | 690 ASSERT_FALSE(result.paths.empty()); |
| 758 const CertPathBuilder::ResultPath* best_result = | 691 const CertPathBuilder::ResultPath* best_result = |
| 759 result.paths[result.best_result_index].get(); | 692 result.paths[result.best_result_index].get(); |
| 760 | 693 |
| 761 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and | 694 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and |
| 762 // only contains newroot. | 695 // only contains newroot. |
| 763 EXPECT_EQ(OK, best_result->error); | 696 EXPECT_EQ(OK, best_result->error); |
| 764 ASSERT_EQ(1U, best_result->path.size()); | 697 ASSERT_EQ(1U, best_result->path.size()); |
| 765 EXPECT_EQ(newroot_, best_result->path[0]); | 698 EXPECT_EQ(newroot_, best_result->path[0]); |
| 766 } | 699 } |
| 767 | 700 |
| 768 // Test that PathBuilder will not try the same path twice if multiple | 701 // Test that PathBuilder will not try the same path twice if multiple |
| 769 // CertIssuerSources provide the same certificate. | 702 // CertIssuerSources provide the same certificate. |
| 770 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { | 703 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { |
| 771 // Create a separate copy of oldintermediate. | 704 // Create a separate copy of oldintermediate. |
| 772 scoped_refptr<ParsedCertificate> oldintermediate_dupe( | 705 scoped_refptr<ParsedCertificate> oldintermediate_dupe( |
| 773 ParsedCertificate::CreateFromCertificateCopy( | 706 ParsedCertificate::CreateFromCertificateCopy( |
| 774 oldintermediate_->der_cert().AsStringPiece(), {})); | 707 oldintermediate_->der_cert().AsStringPiece(), {})); |
| 775 | 708 |
| 776 // Only newroot is a trusted root. | 709 // Only newroot is a trusted root. |
| 777 TrustStore trust_store; | 710 TrustStoreStatic trust_store; |
| 778 trust_store.AddTrustedCertificate(newroot_); | 711 trust_store.AddTrustedCertificate(newroot_); |
| 779 | 712 |
| 780 // The oldintermediate is supplied synchronously by |sync_certs1| and | 713 // The oldintermediate is supplied synchronously by |sync_certs1| and |
| 781 // another copy of oldintermediate is supplied synchronously by |sync_certs2|. | 714 // another copy of oldintermediate is supplied synchronously by |sync_certs2|. |
| 782 // The path target <- oldintermediate <- newroot should be built first, | 715 // The path target <- oldintermediate <- newroot should be built first, |
| 783 // though it won't verify. It should not be attempted again even though | 716 // though it won't verify. It should not be attempted again even though |
| 784 // oldintermediate was supplied twice. | 717 // oldintermediate was supplied twice. |
| 785 CertIssuerSourceStatic sync_certs1; | 718 CertIssuerSourceStatic sync_certs1; |
| 786 sync_certs1.AddCert(oldintermediate_); | 719 sync_certs1.AddCert(oldintermediate_); |
| 787 CertIssuerSourceStatic sync_certs2; | 720 CertIssuerSourceStatic sync_certs2; |
| 788 sync_certs2.AddCert(oldintermediate_dupe); | 721 sync_certs2.AddCert(oldintermediate_dupe); |
| 789 | 722 |
| 790 // The newintermediate is supplied asynchronously, so the path | 723 // The newintermediate is supplied asynchronously, so the path |
| 791 // target <- newintermediate <- newroot should be tried second. | 724 // target <- newintermediate <- newroot should be tried second. |
| 792 AsyncCertIssuerSourceStatic async_certs; | 725 AsyncCertIssuerSourceStatic async_certs; |
| 793 async_certs.AddCert(newintermediate_); | 726 async_certs.AddCert(newintermediate_); |
| 794 | 727 |
| 795 CertPathBuilder::Result result; | 728 CertPathBuilder::Result result; |
| 796 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 729 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 797 &result); | 730 path_builder.AddTrustStore(&trust_store); |
| 798 path_builder.AddCertIssuerSource(&sync_certs1); | 731 path_builder.AddCertIssuerSource(&sync_certs1); |
| 799 path_builder.AddCertIssuerSource(&sync_certs2); | 732 path_builder.AddCertIssuerSource(&sync_certs2); |
| 800 path_builder.AddCertIssuerSource(&async_certs); | 733 path_builder.AddCertIssuerSource(&async_certs); |
| 801 | 734 |
| 802 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 735 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 803 | 736 |
| 804 EXPECT_EQ(OK, result.error()); | 737 EXPECT_EQ(OK, result.error()); |
| 805 ASSERT_EQ(2U, result.paths.size()); | 738 ASSERT_EQ(2U, result.paths.size()); |
| 806 | 739 |
| 807 // Path builder will first attempt: target <- oldintermediate <- newroot | 740 // Path builder will first attempt: target <- oldintermediate <- newroot |
| (...skipping 18 matching lines...) Expand all Loading... |
| 826 | 759 |
| 827 // Test that PathBuilder will not try the same path twice if the same cert is | 760 // Test that PathBuilder will not try the same path twice if the same cert is |
| 828 // presented via a CertIssuerSources and a TrustAnchor. | 761 // presented via a CertIssuerSources and a TrustAnchor. |
| 829 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { | 762 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { |
| 830 // Create a separate copy of newroot. | 763 // Create a separate copy of newroot. |
| 831 scoped_refptr<ParsedCertificate> newroot_dupe( | 764 scoped_refptr<ParsedCertificate> newroot_dupe( |
| 832 ParsedCertificate::CreateFromCertificateCopy( | 765 ParsedCertificate::CreateFromCertificateCopy( |
| 833 newroot_->der_cert().AsStringPiece(), {})); | 766 newroot_->der_cert().AsStringPiece(), {})); |
| 834 | 767 |
| 835 // Only newroot is a trusted root. | 768 // Only newroot is a trusted root. |
| 836 TrustStore trust_store; | 769 TrustStoreStatic trust_store; |
| 837 trust_store.AddTrustedCertificate(newroot_); | 770 trust_store.AddTrustedCertificate(newroot_); |
| 838 | 771 |
| 839 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. | 772 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. |
| 840 CertIssuerSourceStatic sync_certs; | 773 CertIssuerSourceStatic sync_certs; |
| 841 sync_certs.AddCert(oldintermediate_); | 774 sync_certs.AddCert(oldintermediate_); |
| 842 sync_certs.AddCert(newroot_dupe); | 775 sync_certs.AddCert(newroot_dupe); |
| 843 | 776 |
| 844 CertPathBuilder::Result result; | 777 CertPathBuilder::Result result; |
| 845 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 778 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 846 &result); | 779 path_builder.AddTrustStore(&trust_store); |
| 847 path_builder.AddCertIssuerSource(&sync_certs); | 780 path_builder.AddCertIssuerSource(&sync_certs); |
| 848 | 781 |
| 849 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 782 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 850 | 783 |
| 851 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 784 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 852 ASSERT_EQ(1U, result.paths.size()); | 785 ASSERT_EQ(1U, result.paths.size()); |
| 853 | 786 |
| 854 // Path builder attempt: target <- oldintermediate <- newroot | 787 // Path builder attempt: target <- oldintermediate <- newroot |
| 855 // but it will fail since oldintermediate is signed by oldroot. | 788 // but it will fail since oldintermediate is signed by oldroot. |
| 856 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 789 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 857 ASSERT_EQ(3U, result.paths[0]->path.size()); | 790 ASSERT_EQ(3U, result.paths[0]->path.size()); |
| 858 EXPECT_EQ(target_, result.paths[0]->path[0]); | 791 EXPECT_EQ(target_, result.paths[0]->path[0]); |
| 859 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); | 792 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); |
| 860 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 793 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 861 // of newroot was used in the path. | 794 // of newroot was used in the path. |
| 862 EXPECT_EQ(newroot_->der_cert(), result.paths[0]->path[2]->der_cert()); | 795 EXPECT_EQ(newroot_->der_cert(), result.paths[0]->path[2]->der_cert()); |
| 863 } | 796 } |
| 864 | 797 |
| 865 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { | |
| 866 public: | |
| 867 MOCK_METHOD1(GetNext, CompletionStatus(scoped_refptr<ParsedCertificate>*)); | |
| 868 }; | |
| 869 | |
| 870 class MockCertIssuerSource : public CertIssuerSource { | |
| 871 public: | |
| 872 MOCK_METHOD2(SyncGetIssuersOf, | |
| 873 void(const ParsedCertificate*, ParsedCertificateList*)); | |
| 874 MOCK_METHOD3(AsyncGetIssuersOf, | |
| 875 void(const ParsedCertificate*, | |
| 876 const IssuerCallback&, | |
| 877 std::unique_ptr<Request>*)); | |
| 878 }; | |
| 879 | |
| 880 // Helper class to pass the Request to the PathBuilder when it calls | |
| 881 // AsyncGetIssuersOf. (GoogleMock has a ByMove helper, but it apparently can | |
| 882 // only be used with Return, not SetArgPointee.) | |
| 883 class CertIssuerSourceRequestMover { | |
| 884 public: | |
| 885 CertIssuerSourceRequestMover(std::unique_ptr<CertIssuerSource::Request> req) | |
| 886 : request_(std::move(req)) {} | |
| 887 void MoveIt(const ParsedCertificate* cert, | |
| 888 const CertIssuerSource::IssuerCallback& issuers_callback, | |
| 889 std::unique_ptr<CertIssuerSource::Request>* out_req) { | |
| 890 *out_req = std::move(request_); | |
| 891 } | |
| 892 | |
| 893 private: | |
| 894 std::unique_ptr<CertIssuerSource::Request> request_; | |
| 895 }; | |
| 896 | |
| 897 // Test that a single CertIssuerSource returning multiple async batches of | 798 // Test that a single CertIssuerSource returning multiple async batches of |
| 898 // issuers is handled correctly. Due to the StrictMocks, it also tests that path | 799 // issuers is handled correctly. Due to the StrictMocks, it also tests that path |
| 899 // builder does not request issuers of certs that it shouldn't. | 800 // builder does not request issuers of certs that it shouldn't. |
| 900 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncCallbacksFromSingleSource) { | 801 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncCallbacksFromSingleSource) { |
| 901 StrictMock<MockCertIssuerSource> cert_issuer_source; | 802 StrictMock<MockCertIssuerSource> cert_issuer_source; |
| 902 | 803 |
| 903 // Only newroot is a trusted root. | 804 // Only newroot is a trusted root. |
| 904 TrustStore trust_store; | 805 TrustStoreStatic trust_store; |
| 905 trust_store.AddTrustedCertificate(newroot_); | 806 trust_store.AddTrustedCertificate(newroot_); |
| 906 | 807 |
| 907 CertPathBuilder::Result result; | 808 CertPathBuilder::Result result; |
| 908 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 809 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 909 &result); | 810 path_builder.AddTrustStore(&trust_store); |
| 910 path_builder.AddCertIssuerSource(&cert_issuer_source); | 811 path_builder.AddCertIssuerSource(&cert_issuer_source); |
| 911 | 812 |
| 912 CertIssuerSource::IssuerCallback target_issuers_callback; | 813 CertIssuerSource::IssuerCallback target_issuers_callback; |
| 913 // Create the mock CertIssuerSource::Request... | 814 // Create the mock CertIssuerSource::Request... |
| 914 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> | 815 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> |
| 915 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); | 816 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); |
| 916 // Keep a raw pointer to the Request... | 817 // Keep a raw pointer to the Request... |
| 917 StrictMock<MockCertIssuerSourceRequest>* target_issuers_req = | 818 StrictMock<MockCertIssuerSourceRequest>* target_issuers_req = |
| 918 target_issuers_req_owner.get(); | 819 target_issuers_req_owner.get(); |
| 919 // Setup helper class to pass ownership of the Request to the PathBuilder when | 820 // Setup helper class to pass ownership of the Request to the PathBuilder when |
| 920 // it calls AsyncGetIssuersOf. | 821 // it calls AsyncGetIssuersOf. |
| 921 CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); | 822 CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); |
| 922 { | 823 { |
| 923 ::testing::InSequence s; | 824 ::testing::InSequence s; |
| 924 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); | 825 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); |
| 925 EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _, _)) | 826 EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_, _, _)) |
| 926 .WillOnce( | 827 .WillOnce( |
| 927 DoAll(SaveArg<1>(&target_issuers_callback), | 828 DoAll(SaveArg<1>(&target_issuers_callback), |
| 928 Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt))); | 829 Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt))); |
| 929 } | 830 } |
| 930 | 831 |
| 931 TestClosure callback; | 832 TestClosure callback; |
| 932 CompletionStatus rv = path_builder.Run(callback.closure()); | 833 CompletionStatus rv = path_builder.Run(callback.closure()); |
| 933 ASSERT_EQ(CompletionStatus::ASYNC, rv); | 834 ASSERT_EQ(CompletionStatus::ASYNC, rv); |
| 934 | 835 |
| 935 ASSERT_FALSE(target_issuers_callback.is_null()); | 836 ASSERT_FALSE(target_issuers_callback.is_null()); |
| 936 | 837 |
| 937 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 838 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 938 | 839 |
| 939 // First async batch: return oldintermediate_. | 840 // First async batch: return oldintermediate_. |
| 940 EXPECT_CALL(*target_issuers_req, GetNext(_)) | 841 EXPECT_CALL(*target_issuers_req, GetNext(_)) |
| 941 .WillOnce(DoAll(SetArgPointee<0>(oldintermediate_), | 842 .WillOnce(DoAll(SetArgPointee<0>(oldintermediate_), |
| 942 Return(CompletionStatus::SYNC))) | 843 Return(CompletionStatus::SYNC))) |
| 943 .WillOnce( | 844 .WillOnce( |
| 944 DoAll(SetArgPointee<0>(nullptr), Return(CompletionStatus::ASYNC))); | 845 DoAll(SetArgPointee<0>(nullptr), Return(CompletionStatus::ASYNC))); |
| 945 { | 846 { |
| 946 ::testing::InSequence s; | 847 ::testing::InSequence s; |
| 947 // oldintermediate_ does not create a valid path, so both sync and async | 848 // oldintermediate_ does not create a valid path, so both sync and async |
| 948 // lookups are expected. | 849 // lookups are expected. |
| 949 EXPECT_CALL(cert_issuer_source, | 850 EXPECT_CALL(cert_issuer_source, |
| 950 SyncGetIssuersOf(oldintermediate_.get(), _)); | 851 SyncGetIssuersOf(oldintermediate_.get(), _)); |
| 951 EXPECT_CALL(cert_issuer_source, | 852 EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(oldintermediate_, _, _)); |
| 952 AsyncGetIssuersOf(oldintermediate_.get(), _, _)); | |
| 953 } | 853 } |
| 954 target_issuers_callback.Run(target_issuers_req); | 854 target_issuers_callback.Run(target_issuers_req); |
| 955 ::testing::Mock::VerifyAndClearExpectations(target_issuers_req); | 855 ::testing::Mock::VerifyAndClearExpectations(target_issuers_req); |
| 956 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 856 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 957 | 857 |
| 958 // Second async batch: return newintermediate_. | 858 // Second async batch: return newintermediate_. |
| 959 EXPECT_CALL(*target_issuers_req, GetNext(_)) | 859 EXPECT_CALL(*target_issuers_req, GetNext(_)) |
| 960 .WillOnce(DoAll(SetArgPointee<0>(newintermediate_), | 860 .WillOnce(DoAll(SetArgPointee<0>(newintermediate_), |
| 961 Return(CompletionStatus::SYNC))) | 861 Return(CompletionStatus::SYNC))) |
| 962 .WillOnce( | 862 .WillOnce( |
| (...skipping 29 matching lines...) Expand all Loading... |
| 992 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 892 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); |
| 993 EXPECT_EQ(newroot_, result.paths[1]->path[2]); | 893 EXPECT_EQ(newroot_, result.paths[1]->path[2]); |
| 994 } | 894 } |
| 995 | 895 |
| 996 // Test that PathBuilder will not try the same path twice if CertIssuerSources | 896 // Test that PathBuilder will not try the same path twice if CertIssuerSources |
| 997 // asynchronously provide the same certificate multiple times. | 897 // asynchronously provide the same certificate multiple times. |
| 998 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { | 898 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { |
| 999 StrictMock<MockCertIssuerSource> cert_issuer_source; | 899 StrictMock<MockCertIssuerSource> cert_issuer_source; |
| 1000 | 900 |
| 1001 // Only newroot is a trusted root. | 901 // Only newroot is a trusted root. |
| 1002 TrustStore trust_store; | 902 TrustStoreStatic trust_store; |
| 1003 trust_store.AddTrustedCertificate(newroot_); | 903 trust_store.AddTrustedCertificate(newroot_); |
| 1004 | 904 |
| 1005 CertPathBuilder::Result result; | 905 CertPathBuilder::Result result; |
| 1006 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 906 CertPathBuilder path_builder(target_, &signature_policy_, time_, &result); |
| 1007 &result); | 907 path_builder.AddTrustStore(&trust_store); |
| 1008 path_builder.AddCertIssuerSource(&cert_issuer_source); | 908 path_builder.AddCertIssuerSource(&cert_issuer_source); |
| 1009 | 909 |
| 1010 CertIssuerSource::IssuerCallback target_issuers_callback; | 910 CertIssuerSource::IssuerCallback target_issuers_callback; |
| 1011 // Create the mock CertIssuerSource::Request... | 911 // Create the mock CertIssuerSource::Request... |
| 1012 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> | 912 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> |
| 1013 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); | 913 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); |
| 1014 // Keep a raw pointer to the Request... | 914 // Keep a raw pointer to the Request... |
| 1015 StrictMock<MockCertIssuerSourceRequest>* target_issuers_req = | 915 StrictMock<MockCertIssuerSourceRequest>* target_issuers_req = |
| 1016 target_issuers_req_owner.get(); | 916 target_issuers_req_owner.get(); |
| 1017 // Setup helper class to pass ownership of the Request to the PathBuilder when | 917 // Setup helper class to pass ownership of the Request to the PathBuilder when |
| 1018 // it calls AsyncGetIssuersOf. | 918 // it calls AsyncGetIssuersOf. |
| 1019 CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); | 919 CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); |
| 1020 { | 920 { |
| 1021 ::testing::InSequence s; | 921 ::testing::InSequence s; |
| 1022 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); | 922 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); |
| 1023 EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _, _)) | 923 EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_, _, _)) |
| 1024 .WillOnce( | 924 .WillOnce( |
| 1025 DoAll(SaveArg<1>(&target_issuers_callback), | 925 DoAll(SaveArg<1>(&target_issuers_callback), |
| 1026 Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt))); | 926 Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt))); |
| 1027 } | 927 } |
| 1028 | 928 |
| 1029 TestClosure callback; | 929 TestClosure callback; |
| 1030 CompletionStatus rv = path_builder.Run(callback.closure()); | 930 CompletionStatus rv = path_builder.Run(callback.closure()); |
| 1031 ASSERT_EQ(CompletionStatus::ASYNC, rv); | 931 ASSERT_EQ(CompletionStatus::ASYNC, rv); |
| 1032 | 932 |
| 1033 ASSERT_FALSE(target_issuers_callback.is_null()); | 933 ASSERT_FALSE(target_issuers_callback.is_null()); |
| 1034 | 934 |
| 1035 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 935 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 1036 | 936 |
| 1037 // First async batch: return oldintermediate_. | 937 // First async batch: return oldintermediate_. |
| 1038 EXPECT_CALL(*target_issuers_req, GetNext(_)) | 938 EXPECT_CALL(*target_issuers_req, GetNext(_)) |
| 1039 .WillOnce(DoAll(SetArgPointee<0>(oldintermediate_), | 939 .WillOnce(DoAll(SetArgPointee<0>(oldintermediate_), |
| 1040 Return(CompletionStatus::SYNC))) | 940 Return(CompletionStatus::SYNC))) |
| 1041 .WillOnce( | 941 .WillOnce( |
| 1042 DoAll(SetArgPointee<0>(nullptr), Return(CompletionStatus::ASYNC))); | 942 DoAll(SetArgPointee<0>(nullptr), Return(CompletionStatus::ASYNC))); |
| 1043 { | 943 { |
| 1044 ::testing::InSequence s; | 944 ::testing::InSequence s; |
| 1045 // oldintermediate_ does not create a valid path, so both sync and async | 945 // oldintermediate_ does not create a valid path, so both sync and async |
| 1046 // lookups are expected. | 946 // lookups are expected. |
| 1047 EXPECT_CALL(cert_issuer_source, | 947 EXPECT_CALL(cert_issuer_source, |
| 1048 SyncGetIssuersOf(oldintermediate_.get(), _)); | 948 SyncGetIssuersOf(oldintermediate_.get(), _)); |
| 1049 EXPECT_CALL(cert_issuer_source, | 949 EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(oldintermediate_, _, _)); |
| 1050 AsyncGetIssuersOf(oldintermediate_.get(), _, _)); | |
| 1051 } | 950 } |
| 1052 target_issuers_callback.Run(target_issuers_req); | 951 target_issuers_callback.Run(target_issuers_req); |
| 1053 ::testing::Mock::VerifyAndClearExpectations(target_issuers_req); | 952 ::testing::Mock::VerifyAndClearExpectations(target_issuers_req); |
| 1054 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 953 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 1055 | 954 |
| 1056 // Second async batch: return a different copy of oldintermediate_ again. | 955 // Second async batch: return a different copy of oldintermediate_ again. |
| 1057 scoped_refptr<ParsedCertificate> oldintermediate_dupe( | 956 scoped_refptr<ParsedCertificate> oldintermediate_dupe( |
| 1058 ParsedCertificate::CreateFromCertificateCopy( | 957 ParsedCertificate::CreateFromCertificateCopy( |
| 1059 oldintermediate_->der_cert().AsStringPiece(), {})); | 958 oldintermediate_->der_cert().AsStringPiece(), {})); |
| 1060 EXPECT_CALL(*target_issuers_req, GetNext(_)) | 959 EXPECT_CALL(*target_issuers_req, GetNext(_)) |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1101 | 1000 |
| 1102 // After the third batch of async results, path builder will attempt: | 1001 // After the third batch of async results, path builder will attempt: |
| 1103 // target <- newintermediate <- newroot which will succeed. | 1002 // target <- newintermediate <- newroot which will succeed. |
| 1104 EXPECT_EQ(OK, result.paths[1]->error); | 1003 EXPECT_EQ(OK, result.paths[1]->error); |
| 1105 ASSERT_EQ(3U, result.paths[1]->path.size()); | 1004 ASSERT_EQ(3U, result.paths[1]->path.size()); |
| 1106 EXPECT_EQ(target_, result.paths[1]->path[0]); | 1005 EXPECT_EQ(target_, result.paths[1]->path[0]); |
| 1107 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 1006 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); |
| 1108 EXPECT_EQ(newroot_, result.paths[1]->path[2]); | 1007 EXPECT_EQ(newroot_, result.paths[1]->path[2]); |
| 1109 } | 1008 } |
| 1110 | 1009 |
| 1010 // XXX Is it worth it to do parametirizenized tests so everything can be tested |
| 1011 // with async trust store? |
| 1012 |
| 1111 } // namespace | 1013 } // namespace |
| 1112 | 1014 |
| 1113 } // namespace net | 1015 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2126803004:
WIP: NSS trust store integration for path builder. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@cert-command-line-path-builder-add_certpathbuilder