Chromium Code Reviews Chromium Code Reviews
Issue 2225493003:
Don't treat trust anchors as certificates during path building. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/cancelable_callback.h" | 8 #include "base/cancelable_callback.h" |
| 9 #include "base/files/file_util.h" | 9 #include "base/files/file_util.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| (...skipping 205 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 216 } | 216 } |
| 217 | 217 |
| 218 protected: | 218 protected: |
| 219 scoped_refptr<ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_, | 219 scoped_refptr<ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_, |
| 220 d_by_d_, e_by_e_, f_by_e_; | 220 d_by_d_, e_by_e_, f_by_e_; |
| 221 | 221 |
| 222 SimpleSignaturePolicy signature_policy_; | 222 SimpleSignaturePolicy signature_policy_; |
| 223 der::GeneralizedTime time_ = {2016, 4, 11, 0, 0, 0}; | 223 der::GeneralizedTime time_ = {2016, 4, 11, 0, 0, 0}; |
| 224 }; | 224 }; |
| 225 | 225 |
| 226 // If the target cert is a trust anchor, it should verify and should not include | 226 void AddTrustedCertificate(scoped_refptr<ParsedCertificate> cert, |
| 227 // anything else in the path. | 227 TrustStore* trust_store) { |
| 228 TEST_F(PathBuilderMultiRootTest, TargetIsTrustAnchor) { | 228 ASSERT_TRUE(cert.get()); |
| 229 scoped_refptr<TrustAnchor> anchor = | |
| 230 TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert)); | |
| 231 ASSERT_TRUE(anchor.get()); | |
| 232 trust_store->AddTrustAnchor(std::move(anchor)); | |
| 233 } | |
| 234 | |
| 235 // If the target cert is has the same name and key as a trust anchor, however | |
| 236 // is signed but a different trust anchor. This should successfully build a | |
| 237 // path, however the trust anchor will be the signer of this cert. | |
| 238 // | |
| 239 // (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor | |
| 240 // but with different data). | |
|
mattm
2016/08/10 19:46:00
Maybe mention that the difference here is that the
eroman
2016/08/10 20:39:05
Done.
| |
| 241 TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) { | |
| 229 TrustStore trust_store; | 242 TrustStore trust_store; |
| 230 trust_store.AddTrustedCertificate(a_by_b_); | 243 AddTrustedCertificate(a_by_b_, &trust_store); |
| 231 trust_store.AddTrustedCertificate(b_by_f_); | 244 AddTrustedCertificate(b_by_f_, &trust_store); |
| 232 | 245 |
| 233 CertPathBuilder::Result result; | 246 CertPathBuilder::Result result; |
| 234 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 247 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 235 &result); | 248 &result); |
| 236 | 249 |
| 237 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 250 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 238 | 251 |
| 239 EXPECT_EQ(OK, result.error()); | 252 EXPECT_EQ(OK, result.error()); |
| 240 EXPECT_EQ(1U, result.paths[result.best_result_index]->path.size()); | 253 const auto& path = result.paths[result.best_result_index]->path; |
| 241 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 254 EXPECT_EQ(1U, path.certs.size()); |
| 255 EXPECT_EQ(a_by_b_, path.certs[0]); | |
| 256 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | |
| 257 } | |
| 258 | |
| 259 // If the target cert is has the same name and key as a trust anchor, however | |
| 260 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI | |
| 261 // is trusted, the certificate contents cannot be verified. | |
| 262 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { | |
| 263 TrustStore trust_store; | |
| 264 AddTrustedCertificate(a_by_b_, &trust_store); | |
| 265 | |
| 266 CertPathBuilder::Result result; | |
| 267 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | |
| 268 &result); | |
| 269 | |
| 270 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | |
| 271 | |
| 272 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | |
| 273 } | |
| 274 | |
| 275 // Test a failed path building when the trust anchor is provided as a | |
| 276 // supplemental certificate. Conceptually the following paths can be built: | |
| 277 // | |
| 278 // B(C) <- C(D) <- [Trust anchor D] | |
| 279 // B(C) <- C(D) <- D(D) <- [Trust anchor D] | |
| 280 // | |
| 281 // The second one is extraneous given the shorter one, however path building | |
| 282 // will enumerate it if the shorter one failed validation. | |
| 283 TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) { | |
| 284 TrustStore trust_store; | |
| 285 AddTrustedCertificate(d_by_d_, &trust_store); | |
| 286 | |
| 287 // The (exraneous) trust anchor D(D) is supplied as a certificate, as is the | |
|
mattm
2016/08/10 19:46:00
s/exraneous/extraneous
eroman
2016/08/10 20:39:05
Done.
| |
| 288 // intermediate needed for path building C(D). | |
| 289 CertIssuerSourceStatic sync_certs; | |
| 290 sync_certs.AddCert(d_by_d_); | |
| 291 sync_certs.AddCert(c_by_d_); | |
| 292 | |
| 293 // C(D) is not valid at this time, so path building will fail. | |
| 294 der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; | |
| 295 | |
| 296 CertPathBuilder::Result result; | |
| 297 CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_, | |
| 298 expired_time, &result); | |
| 299 path_builder.AddCertIssuerSource(&sync_certs); | |
| 300 | |
| 301 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | |
| 302 | |
| 303 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | |
| 304 ASSERT_EQ(2U, result.paths.size()); | |
| 305 | |
| 306 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | |
| 307 const auto& path0 = result.paths[0]->path; | |
| 308 ASSERT_EQ(2U, path0.certs.size()); | |
| 309 EXPECT_EQ(b_by_c_, path0.certs[0]); | |
| 310 EXPECT_EQ(c_by_d_, path0.certs[1]); | |
| 311 EXPECT_EQ(d_by_d_, path0.trust_anchor->cert()); | |
| 312 | |
| 313 const auto& path1 = result.paths[1]->path; | |
| 314 ASSERT_EQ(3U, path1.certs.size()); | |
| 315 EXPECT_EQ(b_by_c_, path1.certs[0]); | |
| 316 EXPECT_EQ(c_by_d_, path1.certs[1]); | |
| 317 EXPECT_EQ(d_by_d_, path1.certs[2]); | |
| 318 EXPECT_EQ(d_by_d_, path1.trust_anchor->cert()); | |
| 319 } | |
| 320 | |
| 321 // If the target cert is a self-signed cert whose key is a trust anchor, it | |
| 322 // should verify. | |
| 323 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { | |
| 324 TrustStore trust_store; | |
| 325 AddTrustedCertificate(e_by_e_, &trust_store); | |
| 326 // This is not necessary for the test, just an extra... | |
| 327 AddTrustedCertificate(f_by_e_, &trust_store); | |
| 328 | |
| 329 CertPathBuilder::Result result; | |
| 330 CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_, | |
| 331 &result); | |
| 332 | |
| 333 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | |
| 334 | |
| 335 EXPECT_EQ(OK, result.error()); | |
| 336 const auto& path = result.paths[result.best_result_index]->path; | |
| 337 EXPECT_EQ(1U, path.certs.size()); | |
| 338 EXPECT_EQ(e_by_e_, path.certs[0]); | |
| 339 EXPECT_EQ(e_by_e_, path.trust_anchor->cert()); | |
| 242 } | 340 } |
| 243 | 341 |
| 244 // If the target cert is directly issued by a trust anchor, it should verify | 342 // If the target cert is directly issued by a trust anchor, it should verify |
| 245 // without any intermediate certs being provided. | 343 // without any intermediate certs being provided. |
| 246 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { | 344 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { |
| 247 TrustStore trust_store; | 345 TrustStore trust_store; |
| 248 trust_store.AddTrustedCertificate(b_by_f_); | 346 AddTrustedCertificate(b_by_f_, &trust_store); |
| 249 | 347 |
| 250 CertPathBuilder::Result result; | 348 CertPathBuilder::Result result; |
| 251 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 349 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 252 &result); | 350 &result); |
| 253 | 351 |
| 254 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 352 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 255 | 353 |
| 256 EXPECT_EQ(OK, result.error()); | 354 ASSERT_EQ(OK, result.error()); |
| 257 EXPECT_EQ(2U, result.paths[result.best_result_index]->path.size()); | 355 const auto& path = result.paths[result.best_result_index]->path; |
| 258 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 356 EXPECT_EQ(1U, path.certs.size()); |
| 259 EXPECT_EQ(b_by_f_, result.paths[result.best_result_index]->path[1]); | 357 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 358 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | |
| 260 } | 359 } |
| 261 | 360 |
| 262 // Test that async cert queries are not made if the path can be successfully | 361 // Test that async cert queries are not made if the path can be successfully |
| 263 // built with synchronously available certs. | 362 // built with synchronously available certs. |
| 264 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { | 363 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { |
| 265 TrustStore trust_store; | 364 TrustStore trust_store; |
| 266 trust_store.AddTrustedCertificate(e_by_e_); | 365 AddTrustedCertificate(e_by_e_, &trust_store); |
| 267 | 366 |
| 268 CertIssuerSourceStatic sync_certs; | 367 CertIssuerSourceStatic sync_certs; |
| 269 sync_certs.AddCert(b_by_f_); | 368 sync_certs.AddCert(b_by_f_); |
| 270 sync_certs.AddCert(f_by_e_); | 369 sync_certs.AddCert(f_by_e_); |
| 271 | 370 |
| 272 AsyncCertIssuerSourceStatic async_certs; | 371 AsyncCertIssuerSourceStatic async_certs; |
| 273 async_certs.AddCert(b_by_c_); | 372 async_certs.AddCert(b_by_c_); |
| 274 async_certs.AddCert(c_by_e_); | 373 async_certs.AddCert(c_by_e_); |
| 275 | 374 |
| 276 CertPathBuilder::Result result; | 375 CertPathBuilder::Result result; |
| 277 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 376 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 278 &result); | 377 &result); |
| 279 path_builder.AddCertIssuerSource(&async_certs); | 378 path_builder.AddCertIssuerSource(&async_certs); |
| 280 path_builder.AddCertIssuerSource(&sync_certs); | 379 path_builder.AddCertIssuerSource(&sync_certs); |
| 281 | 380 |
| 282 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 381 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 283 | 382 |
| 284 EXPECT_EQ(OK, result.error()); | 383 EXPECT_EQ(OK, result.error()); |
| 285 EXPECT_EQ(0, async_certs.num_async_gets()); | 384 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 286 } | 385 } |
| 287 | 386 |
| 288 // Test that async cert queries are not made if no callback is provided. | 387 // Test that async cert queries are not made if no callback is provided. |
| 289 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { | 388 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { |
| 290 TrustStore trust_store; | 389 TrustStore trust_store; |
| 291 trust_store.AddTrustedCertificate(e_by_e_); | 390 AddTrustedCertificate(e_by_e_, &trust_store); |
| 292 | 391 |
| 293 CertIssuerSourceStatic sync_certs; | 392 CertIssuerSourceStatic sync_certs; |
| 294 sync_certs.AddCert(f_by_e_); | 393 sync_certs.AddCert(f_by_e_); |
| 295 | 394 |
| 296 AsyncCertIssuerSourceStatic async_certs; | 395 AsyncCertIssuerSourceStatic async_certs; |
| 297 async_certs.AddCert(b_by_f_); | 396 async_certs.AddCert(b_by_f_); |
| 298 | 397 |
| 299 CertPathBuilder::Result result; | 398 CertPathBuilder::Result result; |
| 300 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 399 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 301 &result); | 400 &result); |
| 302 path_builder.AddCertIssuerSource(&async_certs); | 401 path_builder.AddCertIssuerSource(&async_certs); |
| 303 path_builder.AddCertIssuerSource(&sync_certs); | 402 path_builder.AddCertIssuerSource(&sync_certs); |
| 304 | 403 |
| 305 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); | 404 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); |
| 306 | 405 |
| 307 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 406 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 308 EXPECT_EQ(0, async_certs.num_async_gets()); | 407 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 309 } | 408 } |
| 310 | 409 |
| 311 // If async queries are needed, all async sources will be queried | 410 // If async queries are needed, all async sources will be queried |
| 312 // simultaneously. | 411 // simultaneously. |
| 313 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { | 412 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { |
| 314 TrustStore trust_store; | 413 TrustStore trust_store; |
| 315 trust_store.AddTrustedCertificate(e_by_e_); | 414 AddTrustedCertificate(e_by_e_, &trust_store); |
| 316 | 415 |
| 317 CertIssuerSourceStatic sync_certs; | 416 CertIssuerSourceStatic sync_certs; |
| 318 sync_certs.AddCert(b_by_c_); | 417 sync_certs.AddCert(b_by_c_); |
| 319 sync_certs.AddCert(b_by_f_); | 418 sync_certs.AddCert(b_by_f_); |
| 320 | 419 |
| 321 AsyncCertIssuerSourceStatic async_certs1; | 420 AsyncCertIssuerSourceStatic async_certs1; |
| 322 async_certs1.AddCert(c_by_e_); | 421 async_certs1.AddCert(c_by_e_); |
| 323 | 422 |
| 324 AsyncCertIssuerSourceStatic async_certs2; | 423 AsyncCertIssuerSourceStatic async_certs2; |
| 325 async_certs2.AddCert(f_by_e_); | 424 async_certs2.AddCert(f_by_e_); |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 336 EXPECT_EQ(OK, result.error()); | 435 EXPECT_EQ(OK, result.error()); |
| 337 EXPECT_EQ(1, async_certs1.num_async_gets()); | 436 EXPECT_EQ(1, async_certs1.num_async_gets()); |
| 338 EXPECT_EQ(1, async_certs2.num_async_gets()); | 437 EXPECT_EQ(1, async_certs2.num_async_gets()); |
| 339 } | 438 } |
| 340 | 439 |
| 341 // Test that PathBuilder does not generate longer paths than necessary if one of | 440 // Test that PathBuilder does not generate longer paths than necessary if one of |
| 342 // the supplied certs is itself a trust anchor. | 441 // the supplied certs is itself a trust anchor. |
| 343 TEST_F(PathBuilderMultiRootTest, TestLongChain) { | 442 TEST_F(PathBuilderMultiRootTest, TestLongChain) { |
| 344 // Both D(D) and C(D) are trusted roots. | 443 // Both D(D) and C(D) are trusted roots. |
| 345 TrustStore trust_store; | 444 TrustStore trust_store; |
| 346 trust_store.AddTrustedCertificate(d_by_d_); | 445 AddTrustedCertificate(d_by_d_, &trust_store); |
| 347 trust_store.AddTrustedCertificate(c_by_d_); | 446 AddTrustedCertificate(c_by_d_, &trust_store); |
| 348 | 447 |
| 349 // Certs B(C), and C(D) are all supplied. | 448 // Certs B(C), and C(D) are all supplied. |
| 350 CertIssuerSourceStatic sync_certs; | 449 CertIssuerSourceStatic sync_certs; |
| 351 sync_certs.AddCert(b_by_c_); | 450 sync_certs.AddCert(b_by_c_); |
| 352 sync_certs.AddCert(c_by_d_); | 451 sync_certs.AddCert(c_by_d_); |
| 353 | 452 |
| 354 CertPathBuilder::Result result; | 453 CertPathBuilder::Result result; |
| 355 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 454 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 356 &result); | 455 &result); |
| 357 path_builder.AddCertIssuerSource(&sync_certs); | 456 path_builder.AddCertIssuerSource(&sync_certs); |
| 358 | 457 |
| 359 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 458 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 360 | 459 |
| 361 EXPECT_EQ(OK, result.error()); | 460 EXPECT_EQ(OK, result.error()); |
| 362 | 461 |
| 363 // The result path should be A(B) <- B(C) <- C(D) | 462 // The result path should be A(B) <- B(C) <- C(D) |
| 364 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) | 463 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) |
| 365 EXPECT_EQ(3U, result.paths[result.best_result_index]->path.size()); | 464 const auto& path = result.paths[result.best_result_index]->path; |
| 465 EXPECT_EQ(2U, path.certs.size()); | |
| 366 } | 466 } |
| 367 | 467 |
| 368 // Test that PathBuilder will backtrack and try a different path if the first | 468 // Test that PathBuilder will backtrack and try a different path if the first |
| 369 // one doesn't work out. | 469 // one doesn't work out. |
| 370 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { | 470 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { |
| 371 // Only D(D) is a trusted root. | 471 // Only D(D) is a trusted root. |
| 372 TrustStore trust_store; | 472 TrustStore trust_store; |
| 373 trust_store.AddTrustedCertificate(d_by_d_); | 473 AddTrustedCertificate(d_by_d_, &trust_store); |
| 374 | 474 |
| 375 // Certs B(F) and F(E) are supplied synchronously, thus the path | 475 // Certs B(F) and F(E) are supplied synchronously, thus the path |
| 376 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. | 476 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| 377 CertIssuerSourceStatic sync_certs; | 477 CertIssuerSourceStatic sync_certs; |
| 378 sync_certs.AddCert(b_by_f_); | 478 sync_certs.AddCert(b_by_f_); |
| 379 sync_certs.AddCert(f_by_e_); | 479 sync_certs.AddCert(f_by_e_); |
| 380 | 480 |
| 381 // Certs B(C), and C(D) are supplied asynchronously, so the path | 481 // Certs B(C), and C(D) are supplied asynchronously, so the path |
| 382 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. | 482 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. |
| 383 AsyncCertIssuerSourceStatic async_certs; | 483 AsyncCertIssuerSourceStatic async_certs; |
| 384 async_certs.AddCert(b_by_c_); | 484 async_certs.AddCert(b_by_c_); |
| 385 async_certs.AddCert(c_by_d_); | 485 async_certs.AddCert(c_by_d_); |
| 386 | 486 |
| 387 CertPathBuilder::Result result; | 487 CertPathBuilder::Result result; |
| 388 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 488 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 389 &result); | 489 &result); |
| 390 path_builder.AddCertIssuerSource(&sync_certs); | 490 path_builder.AddCertIssuerSource(&sync_certs); |
| 391 path_builder.AddCertIssuerSource(&async_certs); | 491 path_builder.AddCertIssuerSource(&async_certs); |
| 392 | 492 |
| 393 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 493 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 394 | 494 |
| 395 EXPECT_EQ(OK, result.error()); | 495 EXPECT_EQ(OK, result.error()); |
| 396 | 496 |
| 397 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 497 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 398 ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size()); | 498 const auto& path = result.paths[result.best_result_index]->path; |
| 399 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 499 ASSERT_EQ(3U, path.certs.size()); |
| 400 EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]); | 500 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 401 EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]); | 501 EXPECT_EQ(b_by_c_, path.certs[1]); |
| 402 EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]); | 502 EXPECT_EQ(c_by_d_, path.certs[2]); |
| 503 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); | |
| 403 } | 504 } |
| 404 | 505 |
| 405 // Test that whichever order CertIssuerSource returns the issuers, the path | 506 // Test that whichever order CertIssuerSource returns the issuers, the path |
| 406 // building still succeeds. | 507 // building still succeeds. |
| 407 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { | 508 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { |
| 408 // Only D(D) is a trusted root. | 509 // Only D(D) is a trusted root. |
| 409 TrustStore trust_store; | 510 TrustStore trust_store; |
| 410 trust_store.AddTrustedCertificate(d_by_d_); | 511 AddTrustedCertificate(d_by_d_, &trust_store); |
| 411 | 512 |
| 412 for (bool reverse_order : {false, true}) { | 513 for (bool reverse_order : {false, true}) { |
| 413 SCOPED_TRACE(reverse_order); | 514 SCOPED_TRACE(reverse_order); |
| 414 std::vector<scoped_refptr<ParsedCertificate>> certs = { | 515 std::vector<scoped_refptr<ParsedCertificate>> certs = { |
| 415 b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; | 516 b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; |
| 416 CertIssuerSourceStatic sync_certs; | 517 CertIssuerSourceStatic sync_certs; |
| 417 if (reverse_order) { | 518 if (reverse_order) { |
| 418 for (auto it = certs.rbegin(); it != certs.rend(); ++it) | 519 for (auto it = certs.rbegin(); it != certs.rend(); ++it) |
| 419 sync_certs.AddCert(*it); | 520 sync_certs.AddCert(*it); |
| 420 } else { | 521 } else { |
| 421 for (const auto& cert : certs) | 522 for (const auto& cert : certs) |
| 422 sync_certs.AddCert(cert); | 523 sync_certs.AddCert(cert); |
| 423 } | 524 } |
| 424 | 525 |
| 425 CertPathBuilder::Result result; | 526 CertPathBuilder::Result result; |
| 426 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, | 527 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, |
| 427 time_, &result); | 528 time_, &result); |
| 428 path_builder.AddCertIssuerSource(&sync_certs); | 529 path_builder.AddCertIssuerSource(&sync_certs); |
| 429 | 530 |
| 430 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 531 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 431 | 532 |
| 432 EXPECT_EQ(OK, result.error()); | 533 EXPECT_EQ(OK, result.error()); |
| 433 | 534 |
| 434 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 535 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 435 ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size()); | 536 const auto& path = result.paths[result.best_result_index]->path; |
| 436 EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]); | 537 ASSERT_EQ(3U, path.certs.size()); |
| 437 EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]); | 538 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 438 EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]); | 539 EXPECT_EQ(b_by_c_, path.certs[1]); |
| 439 EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]); | 540 EXPECT_EQ(c_by_d_, path.certs[2]); |
| 541 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); | |
| 440 } | 542 } |
| 441 } | 543 } |
| 442 | 544 |
| 443 class PathBuilderKeyRolloverTest : public ::testing::Test { | 545 class PathBuilderKeyRolloverTest : public ::testing::Test { |
| 444 public: | 546 public: |
| 445 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} | 547 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} |
| 446 | 548 |
| 447 void SetUp() override { | 549 void SetUp() override { |
| 448 std::vector<std::string> path; | 550 std::vector<std::string> path; |
| 449 | 551 |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 491 | 593 |
| 492 SimpleSignaturePolicy signature_policy_; | 594 SimpleSignaturePolicy signature_policy_; |
| 493 der::GeneralizedTime time_; | 595 der::GeneralizedTime time_; |
| 494 }; | 596 }; |
| 495 | 597 |
| 496 // Tests that if only the old root cert is trusted, the path builder can build a | 598 // Tests that if only the old root cert is trusted, the path builder can build a |
| 497 // path through the new intermediate and rollover cert to the old root. | 599 // path through the new intermediate and rollover cert to the old root. |
| 498 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { | 600 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { |
| 499 // Only oldroot is trusted. | 601 // Only oldroot is trusted. |
| 500 TrustStore trust_store; | 602 TrustStore trust_store; |
| 501 trust_store.AddTrustedCertificate(oldroot_); | 603 AddTrustedCertificate(oldroot_, &trust_store); |
| 502 | 604 |
| 503 // Old intermediate cert is not provided, so the pathbuilder will need to go | 605 // Old intermediate cert is not provided, so the pathbuilder will need to go |
| 504 // through the rollover cert. | 606 // through the rollover cert. |
| 505 CertIssuerSourceStatic sync_certs; | 607 CertIssuerSourceStatic sync_certs; |
| 506 sync_certs.AddCert(newintermediate_); | 608 sync_certs.AddCert(newintermediate_); |
| 507 sync_certs.AddCert(newrootrollover_); | 609 sync_certs.AddCert(newrootrollover_); |
| 508 | 610 |
| 509 CertPathBuilder::Result result; | 611 CertPathBuilder::Result result; |
| 510 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 612 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 511 &result); | 613 &result); |
| 512 path_builder.AddCertIssuerSource(&sync_certs); | 614 path_builder.AddCertIssuerSource(&sync_certs); |
| 513 | 615 |
| 514 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 616 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 515 | 617 |
| 516 EXPECT_EQ(OK, result.error()); | 618 EXPECT_EQ(OK, result.error()); |
| 517 | 619 |
| 518 // Path builder will first attempt: target <- newintermediate <- oldroot | 620 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 519 // but it will fail since newintermediate is signed by newroot. | 621 // but it will fail since newintermediate is signed by newroot. |
| 520 ASSERT_EQ(2U, result.paths.size()); | 622 ASSERT_EQ(2U, result.paths.size()); |
| 623 const auto& path0 = result.paths[0]->path; | |
| 521 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 624 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 522 ASSERT_EQ(3U, result.paths[0]->path.size()); | 625 ASSERT_EQ(2U, path0.certs.size()); |
| 523 EXPECT_EQ(target_, result.paths[0]->path[0]); | 626 EXPECT_EQ(target_, path0.certs[0]); |
| 524 EXPECT_EQ(newintermediate_, result.paths[0]->path[1]); | 627 EXPECT_EQ(newintermediate_, path0.certs[1]); |
| 525 EXPECT_EQ(oldroot_, result.paths[0]->path[2]); | 628 EXPECT_EQ(oldroot_, path0.trust_anchor->cert()); |
| 526 | 629 |
| 527 // Path builder will next attempt: | 630 // Path builder will next attempt: |
| 528 // target <- newintermediate <- newrootrollover <- oldroot | 631 // target <- newintermediate <- newrootrollover <- oldroot |
| 529 // which will succeed. | 632 // which will succeed. |
| 633 const auto& path1 = result.paths[1]->path; | |
| 530 EXPECT_EQ(1U, result.best_result_index); | 634 EXPECT_EQ(1U, result.best_result_index); |
| 531 EXPECT_EQ(OK, result.paths[1]->error); | 635 EXPECT_EQ(OK, result.paths[1]->error); |
| 532 ASSERT_EQ(4U, result.paths[1]->path.size()); | 636 ASSERT_EQ(3U, path1.certs.size()); |
| 533 EXPECT_EQ(target_, result.paths[1]->path[0]); | 637 EXPECT_EQ(target_, path1.certs[0]); |
| 534 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 638 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 535 EXPECT_EQ(newrootrollover_, result.paths[1]->path[2]); | 639 EXPECT_EQ(newrootrollover_, path1.certs[2]); |
| 536 EXPECT_EQ(oldroot_, result.paths[1]->path[3]); | 640 EXPECT_EQ(oldroot_, path1.trust_anchor->cert()); |
| 537 } | 641 } |
| 538 | 642 |
| 539 // Tests that if both old and new roots are trusted it can build a path through | 643 // Tests that if both old and new roots are trusted it can build a path through |
| 540 // either. | 644 // either. |
| 541 // TODO(mattm): Once prioritization is implemented, it should test that it | 645 // TODO(mattm): Once prioritization is implemented, it should test that it |
| 542 // always builds the path through the new intermediate and new root. | 646 // always builds the path through the new intermediate and new root. |
| 543 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { | 647 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { |
| 544 // Both oldroot and newroot are trusted. | 648 // Both oldroot and newroot are trusted. |
| 545 TrustStore trust_store; | 649 TrustStore trust_store; |
| 546 trust_store.AddTrustedCertificate(oldroot_); | 650 AddTrustedCertificate(oldroot_, &trust_store); |
| 547 trust_store.AddTrustedCertificate(newroot_); | 651 AddTrustedCertificate(newroot_, &trust_store); |
| 548 | 652 |
| 549 // Both old and new intermediates + rollover cert are provided. | 653 // Both old and new intermediates + rollover cert are provided. |
| 550 CertIssuerSourceStatic sync_certs; | 654 CertIssuerSourceStatic sync_certs; |
| 551 sync_certs.AddCert(oldintermediate_); | 655 sync_certs.AddCert(oldintermediate_); |
| 552 sync_certs.AddCert(newintermediate_); | 656 sync_certs.AddCert(newintermediate_); |
| 553 sync_certs.AddCert(newrootrollover_); | 657 sync_certs.AddCert(newrootrollover_); |
| 554 | 658 |
| 555 CertPathBuilder::Result result; | 659 CertPathBuilder::Result result; |
| 556 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 660 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 557 &result); | 661 &result); |
| 558 path_builder.AddCertIssuerSource(&sync_certs); | 662 path_builder.AddCertIssuerSource(&sync_certs); |
| 559 | 663 |
| 560 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 664 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 561 | 665 |
| 562 EXPECT_EQ(OK, result.error()); | 666 EXPECT_EQ(OK, result.error()); |
| 563 | 667 |
| 564 // Path builder willattempt one of: | 668 // Path builder willattempt one of: |
| 565 // target <- oldintermediate <- oldroot | 669 // target <- oldintermediate <- oldroot |
| 566 // target <- newintermediate <- newroot | 670 // target <- newintermediate <- newroot |
| 567 // either will succeed. | 671 // either will succeed. |
| 568 ASSERT_EQ(1U, result.paths.size()); | 672 ASSERT_EQ(1U, result.paths.size()); |
| 673 const auto& path = result.paths[0]->path; | |
| 569 EXPECT_EQ(OK, result.paths[0]->error); | 674 EXPECT_EQ(OK, result.paths[0]->error); |
| 570 ASSERT_EQ(3U, result.paths[0]->path.size()); | 675 ASSERT_EQ(2U, path.certs.size()); |
| 571 EXPECT_EQ(target_, result.paths[0]->path[0]); | 676 EXPECT_EQ(target_, path.certs[0]); |
| 572 if (result.paths[0]->path[1] != newintermediate_) { | 677 if (path.certs[1] != newintermediate_) { |
| 573 DVLOG(1) << "USED OLD"; | 678 DVLOG(1) << "USED OLD"; |
| 574 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); | 679 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 575 EXPECT_EQ(oldroot_, result.paths[0]->path[2]); | 680 EXPECT_EQ(oldroot_, path.trust_anchor->cert()); |
| 576 } else { | 681 } else { |
| 577 DVLOG(1) << "USED NEW"; | 682 DVLOG(1) << "USED NEW"; |
| 578 EXPECT_EQ(newintermediate_, result.paths[0]->path[1]); | 683 EXPECT_EQ(newintermediate_, path.certs[1]); |
| 579 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 684 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 580 } | 685 } |
| 581 } | 686 } |
| 582 | 687 |
| 583 // Tests that multiple trust root matches on a single path will be considered. | 688 // Tests that multiple trust root matches on a single path will be considered. |
| 584 // Both roots have the same subject but different keys. Only one of them will | 689 // Both roots have the same subject but different keys. Only one of them will |
| 585 // verify. | 690 // verify. |
| 586 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { | 691 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { |
| 587 // Both newroot and oldroot are trusted. | 692 // Both newroot and oldroot are trusted. |
| 588 TrustStore trust_store; | 693 TrustStore trust_store; |
| 589 trust_store.AddTrustedCertificate(newroot_); | 694 AddTrustedCertificate(newroot_, &trust_store); |
| 590 trust_store.AddTrustedCertificate(oldroot_); | 695 AddTrustedCertificate(oldroot_, &trust_store); |
| 591 | 696 |
| 592 // Only oldintermediate is supplied, so the path with newroot should fail, | 697 // Only oldintermediate is supplied, so the path with newroot should fail, |
| 593 // oldroot should succeed. | 698 // oldroot should succeed. |
| 594 CertIssuerSourceStatic sync_certs; | 699 CertIssuerSourceStatic sync_certs; |
| 595 sync_certs.AddCert(oldintermediate_); | 700 sync_certs.AddCert(oldintermediate_); |
| 596 | 701 |
| 597 CertPathBuilder::Result result; | 702 CertPathBuilder::Result result; |
| 598 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 703 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 599 &result); | 704 &result); |
| 600 path_builder.AddCertIssuerSource(&sync_certs); | 705 path_builder.AddCertIssuerSource(&sync_certs); |
| 601 | 706 |
| 602 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 707 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 603 | 708 |
| 604 EXPECT_EQ(OK, result.error()); | 709 EXPECT_EQ(OK, result.error()); |
| 605 // There may be one or two paths attempted depending if the path builder tried | 710 // There may be one or two paths attempted depending if the path builder tried |
| 606 // using newroot first. | 711 // using newroot first. |
| 607 // TODO(mattm): Once TrustStore is an interface, this could be fixed with a | 712 // TODO(mattm): Once TrustStore is an interface, this could be fixed with a |
| 608 // mock version of TrustStore that returns roots in a deterministic order. | 713 // mock version of TrustStore that returns roots in a deterministic order. |
| 609 ASSERT_LE(1U, result.paths.size()); | 714 ASSERT_LE(1U, result.paths.size()); |
| 610 ASSERT_GE(2U, result.paths.size()); | 715 ASSERT_GE(2U, result.paths.size()); |
| 611 | 716 |
| 612 if (result.paths.size() == 2) { | 717 if (result.paths.size() == 2) { |
| 613 // Path builder may first attempt: target <- oldintermediate <- newroot | 718 // Path builder may first attempt: target <- oldintermediate <- newroot |
| 614 // but it will fail since oldintermediate is signed by oldroot. | 719 // but it will fail since oldintermediate is signed by oldroot. |
| 615 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 720 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 616 ASSERT_EQ(3U, result.paths[0]->path.size()); | 721 const auto& path = result.paths[0]->path; |
| 617 EXPECT_EQ(target_, result.paths[0]->path[0]); | 722 ASSERT_EQ(2U, path.certs.size()); |
| 618 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); | 723 EXPECT_EQ(target_, path.certs[0]); |
| 619 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 724 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 725 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | |
| 620 } | 726 } |
| 621 | 727 |
| 622 // Path builder will next attempt: | 728 // Path builder will next attempt: |
| 623 // target <- old intermediate <- oldroot | 729 // target <- old intermediate <- oldroot |
| 624 // which should succeed. | 730 // which should succeed. |
| 625 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); | 731 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); |
| 626 ASSERT_EQ(3U, result.paths[result.best_result_index]->path.size()); | 732 const auto& path = result.paths[result.best_result_index]->path; |
| 627 EXPECT_EQ(target_, result.paths[result.best_result_index]->path[0]); | 733 ASSERT_EQ(2U, path.certs.size()); |
| 628 EXPECT_EQ(oldintermediate_, result.paths[result.best_result_index]->path[1]); | 734 EXPECT_EQ(target_, path.certs[0]); |
| 629 EXPECT_EQ(oldroot_, result.paths[result.best_result_index]->path[2]); | 735 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 736 EXPECT_EQ(oldroot_, path.trust_anchor->cert()); | |
| 630 } | 737 } |
| 631 | 738 |
| 632 // Tests that the path builder doesn't build longer than necessary paths. | 739 // Tests that the path builder doesn't build longer than necessary paths. |
| 633 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { | 740 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { |
| 634 // Only oldroot is trusted. | 741 // Only oldroot is trusted. |
| 635 TrustStore trust_store; | 742 TrustStore trust_store; |
| 636 trust_store.AddTrustedCertificate(oldroot_); | 743 AddTrustedCertificate(oldroot_, &trust_store); |
| 637 | 744 |
| 638 // New intermediate and new root are provided synchronously. | 745 // New intermediate and new root are provided synchronously. |
| 639 CertIssuerSourceStatic sync_certs; | 746 CertIssuerSourceStatic sync_certs; |
| 640 sync_certs.AddCert(newintermediate_); | 747 sync_certs.AddCert(newintermediate_); |
| 641 sync_certs.AddCert(newroot_); | 748 sync_certs.AddCert(newroot_); |
| 642 | 749 |
| 643 // Rollover cert is only provided asynchronously. This will force the | 750 // Rollover cert is only provided asynchronously. This will force the |
| 644 // pathbuilder to first try building a longer than necessary path. | 751 // pathbuilder to first try building a longer than necessary path. |
| 645 AsyncCertIssuerSourceStatic async_certs; | 752 AsyncCertIssuerSourceStatic async_certs; |
| 646 async_certs.AddCert(newrootrollover_); | 753 async_certs.AddCert(newrootrollover_); |
| 647 | 754 |
| 648 CertPathBuilder::Result result; | 755 CertPathBuilder::Result result; |
| 649 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 756 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 650 &result); | 757 &result); |
| 651 path_builder.AddCertIssuerSource(&sync_certs); | 758 path_builder.AddCertIssuerSource(&sync_certs); |
| 652 path_builder.AddCertIssuerSource(&async_certs); | 759 path_builder.AddCertIssuerSource(&async_certs); |
| 653 | 760 |
| 654 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 761 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 655 | 762 |
| 656 EXPECT_EQ(OK, result.error()); | 763 EXPECT_EQ(OK, result.error()); |
| 657 ASSERT_EQ(3U, result.paths.size()); | 764 ASSERT_EQ(3U, result.paths.size()); |
| 658 | 765 |
| 659 // Path builder will first attempt: target <- newintermediate <- oldroot | 766 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 660 // but it will fail since newintermediate is signed by newroot. | 767 // but it will fail since newintermediate is signed by newroot. |
| 661 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 768 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 662 ASSERT_EQ(3U, result.paths[0]->path.size()); | 769 const auto& path0 = result.paths[0]->path; |
| 663 EXPECT_EQ(target_, result.paths[0]->path[0]); | 770 ASSERT_EQ(2U, path0.certs.size()); |
| 664 EXPECT_EQ(newintermediate_, result.paths[0]->path[1]); | 771 EXPECT_EQ(target_, path0.certs[0]); |
| 665 EXPECT_EQ(oldroot_, result.paths[0]->path[2]); | 772 EXPECT_EQ(newintermediate_, path0.certs[1]); |
| 773 EXPECT_EQ(oldroot_, path0.trust_anchor->cert()); | |
| 666 | 774 |
| 667 // Path builder will next attempt: | 775 // Path builder will next attempt: |
| 668 // target <- newintermediate <- newroot <- oldroot | 776 // target <- newintermediate <- newroot <- oldroot |
| 669 // but it will fail since newroot is self-signed. | 777 // but it will fail since newroot is self-signed. |
| 670 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[1]->error); | 778 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[1]->error); |
| 671 ASSERT_EQ(4U, result.paths[1]->path.size()); | 779 const auto& path1 = result.paths[1]->path; |
| 672 EXPECT_EQ(target_, result.paths[1]->path[0]); | 780 ASSERT_EQ(3U, path1.certs.size()); |
| 673 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 781 EXPECT_EQ(target_, path1.certs[0]); |
| 674 EXPECT_EQ(newroot_, result.paths[1]->path[2]); | 782 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 675 EXPECT_EQ(oldroot_, result.paths[1]->path[3]); | 783 EXPECT_EQ(newroot_, path1.certs[2]); |
| 784 EXPECT_EQ(oldroot_, path1.trust_anchor->cert()); | |
| 676 | 785 |
| 677 // Path builder will skip: | 786 // Path builder will skip: |
| 678 // target <- newintermediate <- newroot <- newrootrollover <- ... | 787 // target <- newintermediate <- newroot <- newrootrollover <- ... |
| 679 // Since newroot and newrootrollover have the same Name+SAN+SPKI. | 788 // Since newroot and newrootrollover have the same Name+SAN+SPKI. |
| 680 | 789 |
| 681 // Finally path builder will use: | 790 // Finally path builder will use: |
| 682 // target <- newintermediate <- newrootrollover <- oldroot | 791 // target <- newintermediate <- newrootrollover <- oldroot |
| 683 EXPECT_EQ(2U, result.best_result_index); | 792 EXPECT_EQ(2U, result.best_result_index); |
| 684 EXPECT_EQ(OK, result.paths[2]->error); | 793 EXPECT_EQ(OK, result.paths[2]->error); |
| 685 ASSERT_EQ(4U, result.paths[2]->path.size()); | 794 const auto& path2 = result.paths[2]->path; |
| 686 EXPECT_EQ(target_, result.paths[2]->path[0]); | 795 ASSERT_EQ(3U, path2.certs.size()); |
| 687 EXPECT_EQ(newintermediate_, result.paths[2]->path[1]); | 796 EXPECT_EQ(target_, path2.certs[0]); |
| 688 EXPECT_EQ(newrootrollover_, result.paths[2]->path[2]); | 797 EXPECT_EQ(newintermediate_, path2.certs[1]); |
| 689 EXPECT_EQ(oldroot_, result.paths[2]->path[3]); | 798 EXPECT_EQ(newrootrollover_, path2.certs[2]); |
| 799 EXPECT_EQ(oldroot_, path2.trust_anchor->cert()); | |
| 690 } | 800 } |
| 691 | 801 |
| 692 // If the target cert is a trust root, that alone is a valid path. | 802 // If the target cert is a trust anchor, however is not itself *signed* by a |
| 803 // trust anchor, then it is not considered valid (the SPKI and name of the | |
| 804 // trust anchor matches the SPKI and subject of the targe certificate, but the | |
| 805 // rest of the certificate cannot be verified). | |
| 693 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { | 806 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { |
| 694 // Trust newintermediate. | 807 // Trust newintermediate. |
| 695 TrustStore trust_store; | 808 TrustStore trust_store; |
| 696 trust_store.AddTrustedCertificate(newintermediate_); | 809 AddTrustedCertificate(newintermediate_, &trust_store); |
| 697 | 810 |
| 698 CertPathBuilder::Result result; | 811 CertPathBuilder::Result result; |
| 699 // Newintermediate is also the target cert. | 812 // Newintermediate is also the target cert. |
| 700 CertPathBuilder path_builder(newintermediate_, &trust_store, | 813 CertPathBuilder path_builder(newintermediate_, &trust_store, |
| 701 &signature_policy_, time_, &result); | 814 &signature_policy_, time_, &result); |
| 702 | 815 |
| 703 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 816 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 704 | 817 |
| 705 EXPECT_EQ(OK, result.error()); | 818 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 706 | |
| 707 ASSERT_EQ(1U, result.paths.size()); | |
| 708 EXPECT_EQ(OK, result.paths[0]->error); | |
| 709 ASSERT_EQ(1U, result.paths[0]->path.size()); | |
| 710 EXPECT_EQ(newintermediate_, result.paths[0]->path[0]); | |
| 711 } | 819 } |
| 712 | 820 |
| 713 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path | 821 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path |
| 714 // can still be built. | 822 // can still be built. |
| 715 // Since LoopChecker will prevent the intermediate from being included, this | 823 // Since LoopChecker will prevent the intermediate from being included, this |
| 716 // currently does NOT verify. This case shouldn't occur in the web PKI. | 824 // currently does NOT verify. This case shouldn't occur in the web PKI. |
| 717 TEST_F(PathBuilderKeyRolloverTest, | 825 TEST_F(PathBuilderKeyRolloverTest, |
| 718 TestEndEntityHasSameNameAndSpkiAsIntermediate) { | 826 TestEndEntityHasSameNameAndSpkiAsIntermediate) { |
| 719 // Trust oldroot. | 827 // Trust oldroot. |
| 720 TrustStore trust_store; | 828 TrustStore trust_store; |
| 721 trust_store.AddTrustedCertificate(oldroot_); | 829 AddTrustedCertificate(oldroot_, &trust_store); |
| 722 | 830 |
| 723 // New root rollover is provided synchronously. | 831 // New root rollover is provided synchronously. |
| 724 CertIssuerSourceStatic sync_certs; | 832 CertIssuerSourceStatic sync_certs; |
| 725 sync_certs.AddCert(newrootrollover_); | 833 sync_certs.AddCert(newrootrollover_); |
| 726 | 834 |
| 727 CertPathBuilder::Result result; | 835 CertPathBuilder::Result result; |
| 728 // Newroot is the target cert. | 836 // Newroot is the target cert. |
| 729 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 837 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 730 time_, &result); | 838 time_, &result); |
| 731 path_builder.AddCertIssuerSource(&sync_certs); | 839 path_builder.AddCertIssuerSource(&sync_certs); |
| 732 | 840 |
| 733 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 841 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 734 | 842 |
| 735 // This could actually be OK, but CertPathBuilder does not build the | 843 // This could actually be OK, but CertPathBuilder does not build the |
| 736 // newroot <- newrootrollover <- oldroot path. | 844 // newroot <- newrootrollover <- oldroot path. |
| 737 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 845 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 738 } | 846 } |
| 739 | 847 |
| 740 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) | 848 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) |
| 741 // path can still be built. | 849 // path can still be built. |
| 742 TEST_F(PathBuilderKeyRolloverTest, | 850 TEST_F(PathBuilderKeyRolloverTest, |
| 743 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { | 851 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { |
| 744 // Trust newrootrollover. | 852 // Trust newrootrollover. |
| 745 TrustStore trust_store; | 853 TrustStore trust_store; |
| 746 trust_store.AddTrustedCertificate(newrootrollover_); | 854 AddTrustedCertificate(newrootrollover_, &trust_store); |
| 747 | 855 |
| 748 CertPathBuilder::Result result; | 856 CertPathBuilder::Result result; |
| 749 // Newroot is the target cert. | 857 // Newroot is the target cert. |
| 750 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 858 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 751 time_, &result); | 859 time_, &result); |
| 752 | 860 |
| 753 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 861 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 754 | 862 |
| 755 EXPECT_EQ(OK, result.error()); | 863 EXPECT_EQ(OK, result.error()); |
| 756 | 864 |
| 757 ASSERT_FALSE(result.paths.empty()); | 865 ASSERT_FALSE(result.paths.empty()); |
| 758 const CertPathBuilder::ResultPath* best_result = | 866 const CertPathBuilder::ResultPath* best_result = |
| 759 result.paths[result.best_result_index].get(); | 867 result.paths[result.best_result_index].get(); |
| 760 | 868 |
| 761 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and | 869 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and |
| 762 // only contains newroot. | 870 // only contains newroot. |
| 763 EXPECT_EQ(OK, best_result->error); | 871 EXPECT_EQ(OK, best_result->error); |
| 764 ASSERT_EQ(1U, best_result->path.size()); | 872 ASSERT_EQ(1U, best_result->path.certs.size()); |
| 765 EXPECT_EQ(newroot_, best_result->path[0]); | 873 EXPECT_EQ(newroot_, best_result->path.certs[0]); |
| 874 EXPECT_EQ(newrootrollover_, best_result->path.trust_anchor->cert()); | |
| 766 } | 875 } |
| 767 | 876 |
| 768 // Test that PathBuilder will not try the same path twice if multiple | 877 // Test that PathBuilder will not try the same path twice if multiple |
| 769 // CertIssuerSources provide the same certificate. | 878 // CertIssuerSources provide the same certificate. |
| 770 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { | 879 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { |
| 771 // Create a separate copy of oldintermediate. | 880 // Create a separate copy of oldintermediate. |
| 772 scoped_refptr<ParsedCertificate> oldintermediate_dupe( | 881 scoped_refptr<ParsedCertificate> oldintermediate_dupe( |
| 773 ParsedCertificate::CreateFromCertificateCopy( | 882 ParsedCertificate::CreateFromCertificateCopy( |
| 774 oldintermediate_->der_cert().AsStringPiece(), {})); | 883 oldintermediate_->der_cert().AsStringPiece(), {})); |
| 775 | 884 |
| 776 // Only newroot is a trusted root. | 885 // Only newroot is a trusted root. |
| 777 TrustStore trust_store; | 886 TrustStore trust_store; |
| 778 trust_store.AddTrustedCertificate(newroot_); | 887 AddTrustedCertificate(newroot_, &trust_store); |
| 779 | 888 |
| 780 // The oldintermediate is supplied synchronously by |sync_certs1| and | 889 // The oldintermediate is supplied synchronously by |sync_certs1| and |
| 781 // another copy of oldintermediate is supplied synchronously by |sync_certs2|. | 890 // another copy of oldintermediate is supplied synchronously by |sync_certs2|. |
| 782 // The path target <- oldintermediate <- newroot should be built first, | 891 // The path target <- oldintermediate <- newroot should be built first, |
| 783 // though it won't verify. It should not be attempted again even though | 892 // though it won't verify. It should not be attempted again even though |
| 784 // oldintermediate was supplied twice. | 893 // oldintermediate was supplied twice. |
| 785 CertIssuerSourceStatic sync_certs1; | 894 CertIssuerSourceStatic sync_certs1; |
| 786 sync_certs1.AddCert(oldintermediate_); | 895 sync_certs1.AddCert(oldintermediate_); |
| 787 CertIssuerSourceStatic sync_certs2; | 896 CertIssuerSourceStatic sync_certs2; |
| 788 sync_certs2.AddCert(oldintermediate_dupe); | 897 sync_certs2.AddCert(oldintermediate_dupe); |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 800 path_builder.AddCertIssuerSource(&async_certs); | 909 path_builder.AddCertIssuerSource(&async_certs); |
| 801 | 910 |
| 802 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 911 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 803 | 912 |
| 804 EXPECT_EQ(OK, result.error()); | 913 EXPECT_EQ(OK, result.error()); |
| 805 ASSERT_EQ(2U, result.paths.size()); | 914 ASSERT_EQ(2U, result.paths.size()); |
| 806 | 915 |
| 807 // Path builder will first attempt: target <- oldintermediate <- newroot | 916 // Path builder will first attempt: target <- oldintermediate <- newroot |
| 808 // but it will fail since oldintermediate is signed by oldroot. | 917 // but it will fail since oldintermediate is signed by oldroot. |
| 809 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 918 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 810 ASSERT_EQ(3U, result.paths[0]->path.size()); | 919 const auto& path0 = result.paths[0]->path; |
| 811 EXPECT_EQ(target_, result.paths[0]->path[0]); | 920 |
| 921 ASSERT_EQ(2U, path0.certs.size()); | |
| 922 EXPECT_EQ(target_, path0.certs[0]); | |
| 812 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 923 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 813 // of oldintermediate was used in the path. | 924 // of oldintermediate was used in the path. |
| 814 EXPECT_EQ(oldintermediate_->der_cert(), result.paths[0]->path[1]->der_cert()); | 925 EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert()); |
| 815 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 926 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); |
| 816 | 927 |
| 817 // Path builder will next attempt: target <- newintermediate <- newroot | 928 // Path builder will next attempt: target <- newintermediate <- newroot |
| 818 // which will succeed. | 929 // which will succeed. |
| 819 EXPECT_EQ(1U, result.best_result_index); | 930 EXPECT_EQ(1U, result.best_result_index); |
| 820 EXPECT_EQ(OK, result.paths[1]->error); | 931 EXPECT_EQ(OK, result.paths[1]->error); |
| 821 ASSERT_EQ(3U, result.paths[1]->path.size()); | 932 const auto& path1 = result.paths[1]->path; |
| 822 EXPECT_EQ(target_, result.paths[1]->path[0]); | 933 ASSERT_EQ(2U, path1.certs.size()); |
| 823 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 934 EXPECT_EQ(target_, path1.certs[0]); |
| 824 EXPECT_EQ(newroot_, result.paths[1]->path[2]); | 935 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 936 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | |
| 825 } | 937 } |
| 826 | 938 |
| 827 // Test that PathBuilder will not try the same path twice if the same cert is | 939 // Test when PathBuilder is given a cert CertIssuerSources that has the same |
| 828 // presented via a CertIssuerSources and a TrustAnchor. | 940 // SPKI as a TrustAnchor. |
| 829 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { | 941 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { |
| 830 // Create a separate copy of newroot. | 942 // Create a separate copy of newroot. |
| 831 scoped_refptr<ParsedCertificate> newroot_dupe( | 943 scoped_refptr<ParsedCertificate> newroot_dupe( |
| 832 ParsedCertificate::CreateFromCertificateCopy( | 944 ParsedCertificate::CreateFromCertificateCopy( |
| 833 newroot_->der_cert().AsStringPiece(), {})); | 945 newroot_->der_cert().AsStringPiece(), {})); |
| 834 | 946 |
| 835 // Only newroot is a trusted root. | 947 // Only newroot is a trusted root. |
| 836 TrustStore trust_store; | 948 TrustStore trust_store; |
| 837 trust_store.AddTrustedCertificate(newroot_); | 949 AddTrustedCertificate(newroot_, &trust_store); |
| 838 | 950 |
| 839 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. | 951 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. |
| 840 CertIssuerSourceStatic sync_certs; | 952 CertIssuerSourceStatic sync_certs; |
| 841 sync_certs.AddCert(oldintermediate_); | 953 sync_certs.AddCert(oldintermediate_); |
| 842 sync_certs.AddCert(newroot_dupe); | 954 sync_certs.AddCert(newroot_dupe); |
| 843 | 955 |
| 844 CertPathBuilder::Result result; | 956 CertPathBuilder::Result result; |
| 845 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 957 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 846 &result); | 958 &result); |
| 847 path_builder.AddCertIssuerSource(&sync_certs); | 959 path_builder.AddCertIssuerSource(&sync_certs); |
| 848 | 960 |
| 849 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 961 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 850 | 962 |
| 851 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 963 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 852 ASSERT_EQ(1U, result.paths.size()); | 964 ASSERT_EQ(2U, result.paths.size()); |
| 965 // TODO(eroman): Is this right? | |
| 853 | 966 |
| 854 // Path builder attempt: target <- oldintermediate <- newroot | 967 // Path builder attempt: target <- oldintermediate <- newroot |
| 855 // but it will fail since oldintermediate is signed by oldroot. | 968 // but it will fail since oldintermediate is signed by oldroot. |
| 856 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 969 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 857 ASSERT_EQ(3U, result.paths[0]->path.size()); | 970 const auto& path = result.paths[0]->path; |
| 858 EXPECT_EQ(target_, result.paths[0]->path[0]); | 971 ASSERT_EQ(2U, path.certs.size()); |
| 859 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); | 972 EXPECT_EQ(target_, path.certs[0]); |
| 973 EXPECT_EQ(oldintermediate_, path.certs[1]); | |
| 860 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 974 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 861 // of newroot was used in the path. | 975 // of newroot was used in the path. |
| 862 EXPECT_EQ(newroot_->der_cert(), result.paths[0]->path[2]->der_cert()); | 976 EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert()); |
| 863 } | 977 } |
| 864 | 978 |
| 865 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { | 979 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { |
| 866 public: | 980 public: |
| 867 MOCK_METHOD1(GetNext, CompletionStatus(scoped_refptr<ParsedCertificate>*)); | 981 MOCK_METHOD1(GetNext, CompletionStatus(scoped_refptr<ParsedCertificate>*)); |
| 868 }; | 982 }; |
| 869 | 983 |
| 870 class MockCertIssuerSource : public CertIssuerSource { | 984 class MockCertIssuerSource : public CertIssuerSource { |
| 871 public: | 985 public: |
| 872 MOCK_METHOD2(SyncGetIssuersOf, | 986 MOCK_METHOD2(SyncGetIssuersOf, |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 895 }; | 1009 }; |
| 896 | 1010 |
| 897 // Test that a single CertIssuerSource returning multiple async batches of | 1011 // Test that a single CertIssuerSource returning multiple async batches of |
| 898 // issuers is handled correctly. Due to the StrictMocks, it also tests that path | 1012 // issuers is handled correctly. Due to the StrictMocks, it also tests that path |
| 899 // builder does not request issuers of certs that it shouldn't. | 1013 // builder does not request issuers of certs that it shouldn't. |
| 900 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncCallbacksFromSingleSource) { | 1014 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncCallbacksFromSingleSource) { |
| 901 StrictMock<MockCertIssuerSource> cert_issuer_source; | 1015 StrictMock<MockCertIssuerSource> cert_issuer_source; |
| 902 | 1016 |
| 903 // Only newroot is a trusted root. | 1017 // Only newroot is a trusted root. |
| 904 TrustStore trust_store; | 1018 TrustStore trust_store; |
| 905 trust_store.AddTrustedCertificate(newroot_); | 1019 AddTrustedCertificate(newroot_, &trust_store); |
| 906 | 1020 |
| 907 CertPathBuilder::Result result; | 1021 CertPathBuilder::Result result; |
| 908 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 1022 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 909 &result); | 1023 &result); |
| 910 path_builder.AddCertIssuerSource(&cert_issuer_source); | 1024 path_builder.AddCertIssuerSource(&cert_issuer_source); |
| 911 | 1025 |
| 912 CertIssuerSource::IssuerCallback target_issuers_callback; | 1026 CertIssuerSource::IssuerCallback target_issuers_callback; |
| 913 // Create the mock CertIssuerSource::Request... | 1027 // Create the mock CertIssuerSource::Request... |
| 914 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> | 1028 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> |
| 915 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); | 1029 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 972 | 1086 |
| 973 // Ensure pathbuilder finished and filled result. | 1087 // Ensure pathbuilder finished and filled result. |
| 974 callback.WaitForResult(); | 1088 callback.WaitForResult(); |
| 975 | 1089 |
| 976 EXPECT_EQ(OK, result.error()); | 1090 EXPECT_EQ(OK, result.error()); |
| 977 ASSERT_EQ(2U, result.paths.size()); | 1091 ASSERT_EQ(2U, result.paths.size()); |
| 978 | 1092 |
| 979 // Path builder first attempts: target <- oldintermediate <- newroot | 1093 // Path builder first attempts: target <- oldintermediate <- newroot |
| 980 // but it will fail since oldintermediate is signed by oldroot. | 1094 // but it will fail since oldintermediate is signed by oldroot. |
| 981 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 1095 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 982 ASSERT_EQ(3U, result.paths[0]->path.size()); | 1096 const auto& path0 = result.paths[0]->path; |
| 983 EXPECT_EQ(target_, result.paths[0]->path[0]); | 1097 ASSERT_EQ(2U, path0.certs.size()); |
| 984 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); | 1098 EXPECT_EQ(target_, path0.certs[0]); |
| 985 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 1099 EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| 1100 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | |
| 986 | 1101 |
| 987 // After the second batch of async results, path builder will attempt: | 1102 // After the second batch of async results, path builder will attempt: |
| 988 // target <- newintermediate <- newroot which will succeed. | 1103 // target <- newintermediate <- newroot which will succeed. |
| 989 EXPECT_EQ(OK, result.paths[1]->error); | 1104 EXPECT_EQ(OK, result.paths[1]->error); |
| 990 ASSERT_EQ(3U, result.paths[1]->path.size()); | 1105 const auto& path1 = result.paths[1]->path; |
| 991 EXPECT_EQ(target_, result.paths[1]->path[0]); | 1106 ASSERT_EQ(2U, path1.certs.size()); |
| 992 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 1107 EXPECT_EQ(target_, path1.certs[0]); |
| 993 EXPECT_EQ(newroot_, result.paths[1]->path[2]); | 1108 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1109 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | |
| 994 } | 1110 } |
| 995 | 1111 |
| 996 // Test that PathBuilder will not try the same path twice if CertIssuerSources | 1112 // Test that PathBuilder will not try the same path twice if CertIssuerSources |
| 997 // asynchronously provide the same certificate multiple times. | 1113 // asynchronously provide the same certificate multiple times. |
| 998 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { | 1114 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { |
| 999 StrictMock<MockCertIssuerSource> cert_issuer_source; | 1115 StrictMock<MockCertIssuerSource> cert_issuer_source; |
| 1000 | 1116 |
| 1001 // Only newroot is a trusted root. | 1117 // Only newroot is a trusted root. |
| 1002 TrustStore trust_store; | 1118 TrustStore trust_store; |
| 1003 trust_store.AddTrustedCertificate(newroot_); | 1119 AddTrustedCertificate(newroot_, &trust_store); |
| 1004 | 1120 |
| 1005 CertPathBuilder::Result result; | 1121 CertPathBuilder::Result result; |
| 1006 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 1122 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 1007 &result); | 1123 &result); |
| 1008 path_builder.AddCertIssuerSource(&cert_issuer_source); | 1124 path_builder.AddCertIssuerSource(&cert_issuer_source); |
| 1009 | 1125 |
| 1010 CertIssuerSource::IssuerCallback target_issuers_callback; | 1126 CertIssuerSource::IssuerCallback target_issuers_callback; |
| 1011 // Create the mock CertIssuerSource::Request... | 1127 // Create the mock CertIssuerSource::Request... |
| 1012 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> | 1128 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> |
| 1013 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); | 1129 target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>()); |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1085 | 1201 |
| 1086 // Ensure pathbuilder finished and filled result. | 1202 // Ensure pathbuilder finished and filled result. |
| 1087 callback.WaitForResult(); | 1203 callback.WaitForResult(); |
| 1088 | 1204 |
| 1089 EXPECT_EQ(OK, result.error()); | 1205 EXPECT_EQ(OK, result.error()); |
| 1090 ASSERT_EQ(2U, result.paths.size()); | 1206 ASSERT_EQ(2U, result.paths.size()); |
| 1091 | 1207 |
| 1092 // Path builder first attempts: target <- oldintermediate <- newroot | 1208 // Path builder first attempts: target <- oldintermediate <- newroot |
| 1093 // but it will fail since oldintermediate is signed by oldroot. | 1209 // but it will fail since oldintermediate is signed by oldroot. |
| 1094 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 1210 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 1095 ASSERT_EQ(3U, result.paths[0]->path.size()); | 1211 const auto& path0 = result.paths[0]->path; |
| 1096 EXPECT_EQ(target_, result.paths[0]->path[0]); | 1212 ASSERT_EQ(2U, path0.certs.size()); |
| 1097 EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]); | 1213 EXPECT_EQ(target_, path0.certs[0]); |
| 1098 EXPECT_EQ(newroot_, result.paths[0]->path[2]); | 1214 EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| 1215 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | |
| 1099 | 1216 |
| 1100 // The second async result does not generate any path. | 1217 // The second async result does not generate any path. |
| 1101 | 1218 |
| 1102 // After the third batch of async results, path builder will attempt: | 1219 // After the third batch of async results, path builder will attempt: |
| 1103 // target <- newintermediate <- newroot which will succeed. | 1220 // target <- newintermediate <- newroot which will succeed. |
| 1104 EXPECT_EQ(OK, result.paths[1]->error); | 1221 EXPECT_EQ(OK, result.paths[1]->error); |
| 1105 ASSERT_EQ(3U, result.paths[1]->path.size()); | 1222 const auto& path1 = result.paths[1]->path; |
| 1106 EXPECT_EQ(target_, result.paths[1]->path[0]); | 1223 ASSERT_EQ(2U, path1.certs.size()); |
| 1107 EXPECT_EQ(newintermediate_, result.paths[1]->path[1]); | 1224 EXPECT_EQ(target_, path1.certs[0]); |
| 1108 EXPECT_EQ(newroot_, result.paths[1]->path[2]); | 1225 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1226 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | |
| 1109 } | 1227 } |
| 1110 | 1228 |
| 1111 } // namespace | 1229 } // namespace |
| 1112 | 1230 |
| 1113 } // namespace net | 1231 } // namespace net |
| OLD | NEW |
