Chromium Code Reviews Chromium Code Reviews
Issue 2183513002:
PathBuilderKeyRolloverTest.TestMultipleRootMatchesOnlyOneWorks shouldn't depend on trust store orde… (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/cancelable_callback.h" | 8 #include "base/cancelable_callback.h" |
| 9 #include "base/files/file_util.h" | 9 #include "base/files/file_util.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| (...skipping 568 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 579 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 579 EXPECT_EQ(newroot_, result.paths[0]->path[2]); |
| 580 } | 580 } |
| 581 } | 581 } |
| 582 | 582 |
| 583 // Tests that multiple trust root matches on a single path will be considered. | 583 // Tests that multiple trust root matches on a single path will be considered. |
| 584 // Both roots have the same subject but different keys. Only one of them will | 584 // Both roots have the same subject but different keys. Only one of them will |
| 585 // verify. | 585 // verify. |
| 586 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { | 586 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { |
| 587 // Both newroot and oldroot are trusted. | 587 // Both newroot and oldroot are trusted. |
| 588 TrustStore trust_store; | 588 TrustStore trust_store; |
| 589 // Note: The test assumes newroot will be tried before oldroot. | |
| 590 // Currently this depends on the order the roots are added. | |
| 591 trust_store.AddTrustedCertificate(newroot_); | 589 trust_store.AddTrustedCertificate(newroot_); |
| 592 trust_store.AddTrustedCertificate(oldroot_); | 590 trust_store.AddTrustedCertificate(oldroot_); |
| 593 | 591 |
| 594 // Only oldintermediate is supplied, so the path with newroot should fail, | 592 // Only oldintermediate is supplied, so the path with newroot should fail, |
| 595 // oldroot should succeed. | 593 // oldroot should succeed. |
| 596 CertIssuerSourceStatic sync_certs; | 594 CertIssuerSourceStatic sync_certs; |
| 597 sync_certs.AddCert(oldintermediate_); | 595 sync_certs.AddCert(oldintermediate_); |
| 598 | 596 |
| 599 CertPathBuilder::Result result; | 597 CertPathBuilder::Result result; |
| 600 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 598 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 601 &result); | 599 &result); |
| 602 path_builder.AddCertIssuerSource(&sync_certs); | 600 path_builder.AddCertIssuerSource(&sync_certs); |
| 603 | 601 |
| 604 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 602 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 605 | 603 |
| 606 EXPECT_EQ(OK, result.error()); | 604 EXPECT_EQ(OK, result.error()); |
| 607 ASSERT_EQ(2U, result.paths.size()); | 605 // There may be one or two paths attempted depending if the path builder tried |
| 606 // using newroot first. | |
| 607 // TODO(mattm): Once TrustStore is an interface, this could be fixed with a | |
| 608 // mock version of TrustStore that returns roots in a deterministic order. | |
|
eroman
2016/07/25 22:13:44
As a long term goal I think we want the path build
| |
| 609 ASSERT_LE(1U, result.paths.size()); | |
| 610 ASSERT_GE(2U, result.paths.size()); | |
| 608 | 611 |
| 609 // Path builder will first attempt: target <- oldintermediate <- newroot | 612 if (result.paths.size() == 2) { |
| 610 // but it will fail since oldintermediate is signed by oldroot. | 613 // Path builder may first attempt: target <- oldintermediate <- newroot |
| 611 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 614 // but it will fail since oldintermediate is signed by oldroot. |
| 612 ASSERT_EQ(3U, result.paths[0]->path.size()); | 615 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 613 EXPECT_EQ(target_, result.paths[0]->path[0]); | 616 ASSERT_EQ(3U, result.paths[0]->path.size()); |
| 614 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); | 617 EXPECT_EQ(target_, result.paths[0]->path[0]); |
| 615 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 618 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); |
| 619 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | |
| 620 } | |
| 616 | 621 |
| 617 // Path builder will next attempt: | 622 // Path builder will next attempt: |
| 618 // target <- old intermediate <- oldroot | 623 // target <- old intermediate <- oldroot |
| 619 // which should succeed. | 624 // which should succeed. |
| 620 EXPECT_EQ(OK, result.paths[1]->error); | 625 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); |
| 621 ASSERT_EQ(3U, result.paths[1]->path.size()); | 626 ASSERT_EQ(3U, result.paths[result.best_result_index]->path.size()); |
| 622 EXPECT_EQ(target_, result.paths[1]->path[0]); | 627 EXPECT_EQ(target_, result.paths[result.best_result_index]->path[0]); |
| 623 EXPECT_EQ(oldintermediate_, result.paths[1]->path[1]); | 628 EXPECT_EQ(oldintermediate_, result.paths[result.best_result_index]->path[1]); |
| 624 EXPECT_EQ(oldroot_, result.paths[1]->path[2]); | 629 EXPECT_EQ(oldroot_, result.paths[result.best_result_index]->path[2]); |
| 625 } | 630 } |
| 626 | 631 |
| 627 // Tests that the path builder doesn't build longer than necessary paths. | 632 // Tests that the path builder doesn't build longer than necessary paths. |
| 628 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { | 633 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { |
| 629 // Only oldroot is trusted. | 634 // Only oldroot is trusted. |
| 630 TrustStore trust_store; | 635 TrustStore trust_store; |
| 631 trust_store.AddTrustedCertificate(oldroot_); | 636 trust_store.AddTrustedCertificate(oldroot_); |
| 632 | 637 |
| 633 // New intermediate and new root are provided synchronously. | 638 // New intermediate and new root are provided synchronously. |
| 634 CertIssuerSourceStatic sync_certs; | 639 CertIssuerSourceStatic sync_certs; |
| (...skipping 464 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1099 EXPECT_EQ(OK, result.paths[1]->error); | 1104 EXPECT_EQ(OK, result.paths[1]->error); |
| 1100 ASSERT_EQ(3U, result.paths[1]->path.size()); | 1105 ASSERT_EQ(3U, result.paths[1]->path.size()); |
| 1101 EXPECT_EQ(target_, result.paths[1]->path[0]); | 1106 EXPECT_EQ(target_, result.paths[1]->path[0]); |
| 1102 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 1107 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); |
| 1103 EXPECT_EQ(newroot_, result.paths[1]->path[2]); | 1108 EXPECT_EQ(newroot_, result.paths[1]->path[2]); |
| 1104 } | 1109 } |
| 1105 | 1110 |
| 1106 } // namespace | 1111 } // namespace |
| 1107 | 1112 |
| 1108 } // namespace net | 1113 } // namespace net |
| OLD | NEW |
