Chromium Code Reviews Chromium Code Reviews
Issue 2205403002:
Add production Cast CRL certificate. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/time/time.h" | 5 #include "base/time/time.h" |
| 6 #include "components/cast_certificate/cast_cert_validator.h" | 6 #include "components/cast_certificate/cast_cert_validator.h" |
| 7 #include "components/cast_certificate/cast_cert_validator_test_helpers.h" | 7 #include "components/cast_certificate/cast_cert_validator_test_helpers.h" |
| 8 #include "components/cast_certificate/cast_crl.h" | 8 #include "components/cast_certificate/cast_crl.h" |
| 9 #include "components/cast_certificate/proto/test_suite.pb.h" | 9 #include "components/cast_certificate/proto/test_suite.pb.h" |
| 10 #include "net/cert/internal/trust_store.h" | |
| 10 #include "testing/gtest/include/gtest/gtest.h" | 11 #include "testing/gtest/include/gtest/gtest.h" |
| 11 | 12 |
| 12 namespace cast_certificate { | 13 namespace cast_certificate { |
| 13 namespace { | 14 namespace { |
| 14 | 15 |
| 16 // Adds a trust anchor to the provided trust store. The input is the path of | |
|
eroman
2016/08/04 22:03:12
How about:
Creates a trust store using the test r
ryanchung
2016/08/04 22:17:17
Done.
| |
| 17 // the test trust anchor relative to the test directory. | |
| 18 std::unique_ptr<net::TrustStore> CreateTrustStoreFromFile( | |
| 19 const std::string& path) { | |
| 20 std::unique_ptr<net::TrustStore> trust_store(new net::TrustStore()); | |
| 21 const auto crl_test_root = | |
| 22 cast_certificate::testing::ReadCertificateChainFromFile(path); | |
| 23 EXPECT_EQ(crl_test_root.size(), 1u); | |
|
eroman
2016/08/04 22:03:12
[optional] Seems reasonable to allow more than 1 c
ryanchung
2016/08/04 22:17:17
Done.
| |
| 24 scoped_refptr<net::ParsedCertificate> anchor( | |
| 25 net::ParsedCertificate::CreateFromCertificateCopy(crl_test_root[0], {})); | |
| 26 EXPECT_TRUE(anchor); | |
| 27 trust_store->AddTrustedCertificate(std::move(anchor)); | |
| 28 return trust_store; | |
| 29 } | |
| 30 | |
| 15 // Converts uint64_t unix timestamp in seconds to base::Time. | 31 // Converts uint64_t unix timestamp in seconds to base::Time. |
| 16 base::Time ConvertUnixTimestampSeconds(uint64_t time) { | 32 base::Time ConvertUnixTimestampSeconds(uint64_t time) { |
| 17 return base::Time::UnixEpoch() + | 33 return base::Time::UnixEpoch() + |
| 18 base::TimeDelta::FromMilliseconds(time * 1000); | 34 base::TimeDelta::FromMilliseconds(time * 1000); |
| 19 } | 35 } |
| 20 | 36 |
| 21 // Indicates the expected result of test step's verification. | 37 // Indicates the expected result of test step's verification. |
| 22 enum TestStepResult { | 38 enum TestStepResult { |
| 23 RESULT_SUCCESS, | 39 RESULT_SUCCESS, |
| 24 RESULT_FAIL, | 40 RESULT_FAIL, |
| 25 }; | 41 }; |
| 26 | 42 |
| 27 // Verifies that the provided certificate chain is valid at the specified time | 43 // Verifies that the provided certificate chain is valid at the specified time |
| 28 // and chains up to a trust anchor. | 44 // and chains up to a trust anchor. |
| 29 bool TestVerifyCertificate(TestStepResult expected_result, | 45 bool TestVerifyCertificate(TestStepResult expected_result, |
| 30 const std::vector<std::string>& certificate_chain, | 46 const std::vector<std::string>& certificate_chain, |
| 31 const base::Time& time) { | 47 const base::Time& time, |
| 48 net::TrustStore* cast_trust_store) { | |
| 32 std::unique_ptr<CertVerificationContext> context; | 49 std::unique_ptr<CertVerificationContext> context; |
| 33 CastDeviceCertPolicy policy; | 50 CastDeviceCertPolicy policy; |
| 34 bool result = VerifyDeviceCert(certificate_chain, time, &context, &policy, | 51 int result; |
| 35 nullptr, CRLPolicy::CRL_OPTIONAL); | 52 if (cast_trust_store != nullptr) { |
| 53 result = VerifyDeviceCertForTest(certificate_chain, time, &context, &policy, | |
| 54 nullptr, CRLPolicy::CRL_OPTIONAL, | |
| 55 cast_trust_store); | |
| 56 } else { | |
| 57 result = VerifyDeviceCert(certificate_chain, time, &context, &policy, | |
| 58 nullptr, CRLPolicy::CRL_OPTIONAL); | |
| 59 } | |
| 36 if (expected_result != RESULT_SUCCESS) { | 60 if (expected_result != RESULT_SUCCESS) { |
| 37 EXPECT_FALSE(result); | 61 EXPECT_FALSE(result); |
| 38 return !result; | 62 return !result; |
| 39 } | 63 } |
| 40 EXPECT_TRUE(result); | 64 EXPECT_TRUE(result); |
| 41 return result; | 65 return result; |
| 42 } | 66 } |
| 43 | 67 |
| 44 // Verifies that the provided Cast CRL is signed by a trusted issuer | 68 // Verifies that the provided Cast CRL is signed by a trusted issuer |
| 45 // and that the CRL can be parsed successfully. | 69 // and that the CRL can be parsed successfully. |
| 46 // The validity of the CRL is also checked at the specified time. | 70 // The validity of the CRL is also checked at the specified time. |
| 47 bool TestVerifyCRL(TestStepResult expected_result, | 71 bool TestVerifyCRL(TestStepResult expected_result, |
| 48 const std::string& crl_bundle, | 72 const std::string& crl_bundle, |
| 49 const base::Time& time) { | 73 const base::Time& time, |
| 50 std::unique_ptr<CastCRL> crl = ParseAndVerifyCRL(crl_bundle, time); | 74 net::TrustStore* crl_trust_store) { |
| 75 std::unique_ptr<CastCRL> crl; | |
| 76 if (crl_trust_store != nullptr) { | |
| 77 crl = ParseAndVerifyCRLForTest(crl_bundle, time, crl_trust_store); | |
| 78 } else { | |
| 79 crl = ParseAndVerifyCRL(crl_bundle, time); | |
| 80 } | |
| 51 if (expected_result != RESULT_SUCCESS) { | 81 if (expected_result != RESULT_SUCCESS) { |
| 52 EXPECT_EQ(crl, nullptr); | 82 EXPECT_EQ(crl, nullptr); |
| 53 return crl == nullptr; | 83 return crl == nullptr; |
| 54 } | 84 } |
| 55 EXPECT_NE(crl, nullptr); | 85 EXPECT_NE(crl, nullptr); |
| 56 return crl != nullptr; | 86 return crl != nullptr; |
| 57 } | 87 } |
| 58 | 88 |
| 59 // Verifies that the certificate chain provided is not revoked according to | 89 // Verifies that the certificate chain provided is not revoked according to |
| 60 // the provided Cast CRL at |cert_time|. | 90 // the provided Cast CRL at |cert_time|. |
| 61 // The provided CRL is verified at |crl_time|. | 91 // The provided CRL is verified at |crl_time|. |
| 62 // If |crl_required| is set, then a valid Cast CRL must be provided. | 92 // If |crl_required| is set, then a valid Cast CRL must be provided. |
| 63 // Otherwise, a missing CRL is be ignored. | 93 // Otherwise, a missing CRL is be ignored. |
| 64 bool TestVerifyRevocation(TestStepResult expected_result, | 94 bool TestVerifyRevocation(TestStepResult expected_result, |
| 65 const std::vector<std::string>& certificate_chain, | 95 const std::vector<std::string>& certificate_chain, |
| 66 const std::string& crl_bundle, | 96 const std::string& crl_bundle, |
| 67 const base::Time& crl_time, | 97 const base::Time& crl_time, |
| 68 const base::Time& cert_time, | 98 const base::Time& cert_time, |
| 69 bool crl_required) { | 99 bool crl_required, |
| 100 net::TrustStore* cast_trust_store, | |
| 101 net::TrustStore* crl_trust_store) { | |
| 70 std::unique_ptr<CastCRL> crl; | 102 std::unique_ptr<CastCRL> crl; |
| 71 if (!crl_bundle.empty()) { | 103 if (!crl_bundle.empty()) { |
| 72 crl = ParseAndVerifyCRL(crl_bundle, crl_time); | 104 if (crl_trust_store != nullptr) { |
| 105 crl = ParseAndVerifyCRLForTest(crl_bundle, crl_time, crl_trust_store); | |
| 106 } else { | |
| 107 crl = ParseAndVerifyCRL(crl_bundle, crl_time); | |
| 108 } | |
| 73 EXPECT_NE(crl.get(), nullptr); | 109 EXPECT_NE(crl.get(), nullptr); |
| 74 } | 110 } |
| 75 | 111 |
| 76 std::unique_ptr<CertVerificationContext> context; | 112 std::unique_ptr<CertVerificationContext> context; |
| 77 CastDeviceCertPolicy policy; | 113 CastDeviceCertPolicy policy; |
| 78 CRLPolicy crl_policy = CRLPolicy::CRL_REQUIRED; | 114 CRLPolicy crl_policy = CRLPolicy::CRL_REQUIRED; |
| 79 if (!crl_required) | 115 if (!crl_required) |
| 80 crl_policy = CRLPolicy::CRL_OPTIONAL; | 116 crl_policy = CRLPolicy::CRL_OPTIONAL; |
| 81 int result = VerifyDeviceCert(certificate_chain, cert_time, &context, &policy, | 117 int result; |
| 82 crl.get(), crl_policy); | 118 if (cast_trust_store != nullptr) { |
| 119 result = | |
| 120 VerifyDeviceCertForTest(certificate_chain, cert_time, &context, &policy, | |
| 121 crl.get(), crl_policy, cast_trust_store); | |
| 122 } else { | |
| 123 result = VerifyDeviceCert(certificate_chain, cert_time, &context, &policy, | |
| 124 crl.get(), crl_policy); | |
| 125 } | |
| 83 if (expected_result != RESULT_SUCCESS) { | 126 if (expected_result != RESULT_SUCCESS) { |
| 84 EXPECT_FALSE(result); | 127 EXPECT_FALSE(result); |
| 85 return !result; | 128 return !result; |
| 86 } | 129 } |
| 87 EXPECT_TRUE(result); | 130 EXPECT_TRUE(result); |
| 88 return result; | 131 return result; |
| 89 } | 132 } |
| 90 | 133 |
| 91 // Runs a single test case. | 134 // Runs a single test case. |
| 92 bool RunTest(const DeviceCertTest& test_case) { | 135 bool RunTest(const DeviceCertTest& test_case) { |
| 93 bool use_test_trust_anchors = test_case.use_test_trust_anchors(); | 136 std::unique_ptr<net::TrustStore> crl_trust_store; |
| 94 if (use_test_trust_anchors) { | 137 std::unique_ptr<net::TrustStore> cast_trust_store; |
| 95 const auto crl_test_root = | 138 if (test_case.use_test_trust_anchors()) { |
| 96 cast_certificate::testing::ReadCertificateChainFromFile( | 139 crl_trust_store = |
| 97 "certificates/cast_crl_test_root_ca.pem"); | 140 CreateTrustStoreFromFile("certificates/cast_crl_test_root_ca.pem"); |
| 98 EXPECT_EQ(crl_test_root.size(), 1u); | 141 cast_trust_store = |
| 99 EXPECT_TRUE(SetCRLTrustAnchorForTest(crl_test_root[0])); | 142 CreateTrustStoreFromFile("certificates/cast_test_root_ca.pem"); |
| 100 const auto cast_test_root = | 143 |
| 101 cast_certificate::testing::ReadCertificateChainFromFile( | 144 EXPECT_TRUE(crl_trust_store.get()); |
| 102 "certificates/cast_test_root_ca.pem"); | 145 EXPECT_TRUE(cast_trust_store.get()); |
| 103 EXPECT_EQ(cast_test_root.size(), 1u); | |
| 104 EXPECT_TRUE(SetTrustAnchorForTest(cast_test_root[0])); | |
| 105 } | 146 } |
| 106 | 147 |
| 107 VerificationResult expected_result = test_case.expected_result(); | |
| 108 | |
| 109 std::vector<std::string> certificate_chain; | 148 std::vector<std::string> certificate_chain; |
| 110 for (auto const& cert : test_case.der_cert_path()) { | 149 for (auto const& cert : test_case.der_cert_path()) { |
| 111 certificate_chain.push_back(cert); | 150 certificate_chain.push_back(cert); |
| 112 } | 151 } |
| 113 | 152 |
| 114 base::Time cert_verification_time = | 153 base::Time cert_verification_time = |
| 115 ConvertUnixTimestampSeconds(test_case.cert_verification_time_seconds()); | 154 ConvertUnixTimestampSeconds(test_case.cert_verification_time_seconds()); |
| 116 | 155 |
| 117 uint64_t crl_verify_time = test_case.crl_verification_time_seconds(); | 156 uint64_t crl_verify_time = test_case.crl_verification_time_seconds(); |
| 118 base::Time crl_verification_time = | 157 base::Time crl_verification_time = |
| 119 ConvertUnixTimestampSeconds(crl_verify_time); | 158 ConvertUnixTimestampSeconds(crl_verify_time); |
| 120 if (crl_verify_time == 0) | 159 if (crl_verify_time == 0) |
| 121 crl_verification_time = cert_verification_time; | 160 crl_verification_time = cert_verification_time; |
| 122 | 161 |
| 123 std::string crl_bundle = test_case.crl_bundle(); | 162 std::string crl_bundle = test_case.crl_bundle(); |
| 124 switch (expected_result) { | 163 switch (test_case.expected_result()) { |
| 125 case PATH_VERIFICATION_FAILED: | 164 case PATH_VERIFICATION_FAILED: |
| 126 return TestVerifyCertificate(RESULT_FAIL, certificate_chain, | 165 return TestVerifyCertificate(RESULT_FAIL, certificate_chain, |
| 127 cert_verification_time); | 166 cert_verification_time, |
| 167 cast_trust_store.get()); | |
| 128 break; | 168 break; |
| 129 case CRL_VERIFICATION_FAILED: | 169 case CRL_VERIFICATION_FAILED: |
| 130 return TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_verification_time); | 170 return TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_verification_time, |
| 171 crl_trust_store.get()); | |
| 131 break; | 172 break; |
| 132 case REVOCATION_CHECK_FAILED_WITHOUT_CRL: | 173 case REVOCATION_CHECK_FAILED_WITHOUT_CRL: |
| 133 return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain, | 174 return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain, |
| 134 cert_verification_time) && | 175 cert_verification_time, |
| 135 TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_verification_time) && | 176 cast_trust_store.get()) && |
| 177 TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_verification_time, | |
| 178 crl_trust_store.get()) && | |
| 136 TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle, | 179 TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle, |
| 137 crl_verification_time, cert_verification_time, | 180 crl_verification_time, cert_verification_time, |
| 138 true); | 181 true, cast_trust_store.get(), |
| 182 crl_trust_store.get()); | |
| 139 break; | 183 break; |
| 140 case REVOCATION_CHECK_FAILED: | 184 case REVOCATION_CHECK_FAILED: |
| 141 return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain, | 185 return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain, |
| 142 cert_verification_time) && | 186 cert_verification_time, |
| 143 TestVerifyCRL(RESULT_SUCCESS, crl_bundle, crl_verification_time) && | 187 cast_trust_store.get()) && |
| 188 TestVerifyCRL(RESULT_SUCCESS, crl_bundle, crl_verification_time, | |
| 189 crl_trust_store.get()) && | |
| 144 TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle, | 190 TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle, |
| 145 crl_verification_time, cert_verification_time, | 191 crl_verification_time, cert_verification_time, |
| 146 false); | 192 false, cast_trust_store.get(), |
| 193 crl_trust_store.get()); | |
| 147 break; | 194 break; |
| 148 case SUCCESS: | 195 case SUCCESS: |
| 149 return (crl_bundle.empty() || TestVerifyCRL(RESULT_SUCCESS, crl_bundle, | 196 return (crl_bundle.empty() || |
| 150 crl_verification_time)) && | 197 TestVerifyCRL(RESULT_SUCCESS, crl_bundle, crl_verification_time, |
| 198 crl_trust_store.get())) && | |
| 151 TestVerifyCertificate(RESULT_SUCCESS, certificate_chain, | 199 TestVerifyCertificate(RESULT_SUCCESS, certificate_chain, |
| 152 cert_verification_time) && | 200 cert_verification_time, |
| 201 cast_trust_store.get()) && | |
| 153 TestVerifyRevocation(RESULT_SUCCESS, certificate_chain, crl_bundle, | 202 TestVerifyRevocation(RESULT_SUCCESS, certificate_chain, crl_bundle, |
| 154 crl_verification_time, cert_verification_time, | 203 crl_verification_time, cert_verification_time, |
| 155 !crl_bundle.empty()); | 204 !crl_bundle.empty(), cast_trust_store.get(), |
| 205 crl_trust_store.get()); | |
| 156 break; | 206 break; |
| 157 case UNSPECIFIED: | 207 case UNSPECIFIED: |
| 158 return false; | 208 return false; |
| 159 break; | 209 break; |
| 160 } | 210 } |
| 161 return false; | 211 return false; |
| 162 } | 212 } |
| 163 | 213 |
| 164 // Parses the provided test suite provided in wire-format proto. | 214 // Parses the provided test suite provided in wire-format proto. |
| 165 // Each test contains the inputs and the expected output. | 215 // Each test contains the inputs and the expected output. |
| (...skipping 30 matching lines...) Expand all Loading... | |
| 196 } | 246 } |
| 197 } | 247 } |
| 198 | 248 |
| 199 TEST(CastCertificateTest, TestSuite1) { | 249 TEST(CastCertificateTest, TestSuite1) { |
| 200 RunTestSuite("testsuite/testsuite1.pb"); | 250 RunTestSuite("testsuite/testsuite1.pb"); |
| 201 } | 251 } |
| 202 | 252 |
| 203 } // namespace | 253 } // namespace |
| 204 | 254 |
| 205 } // namespace cast_certificate | 255 } // namespace cast_certificate |
| OLD | NEW |
