| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/cancelable_callback.h" | 8 #include "base/cancelable_callback.h" |
| 9 #include "base/files/file_util.h" | 9 #include "base/files/file_util.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| 11 #include "base/path_service.h" | 11 #include "base/path_service.h" |
| 12 #include "base/threading/thread_task_runner_handle.h" | 12 #include "base/threading/thread_task_runner_handle.h" |
| 13 #include "net/base/net_errors.h" | 13 #include "net/base/net_errors.h" |
| 14 #include "net/base/test_completion_callback.h" | 14 #include "net/base/test_completion_callback.h" |
| 15 #include "net/cert/internal/cert_issuer_source_static.h" | 15 #include "net/cert/internal/cert_issuer_source_static.h" |
| 16 #include "net/cert/internal/parsed_certificate.h" | 16 #include "net/cert/internal/parsed_certificate.h" |
| 17 #include "net/cert/internal/signature_policy.h" | 17 #include "net/cert/internal/signature_policy.h" |
| 18 #include "net/cert/internal/test_helpers.h" | 18 #include "net/cert/internal/test_helpers.h" |
| 19 #include "net/cert/internal/trust_store.h" | 19 #include "net/cert/internal/trust_store_in_memory.h" |
| 20 #include "net/cert/internal/verify_certificate_chain.h" | 20 #include "net/cert/internal/verify_certificate_chain.h" |
| 21 #include "net/cert/pem_tokenizer.h" | 21 #include "net/cert/pem_tokenizer.h" |
| 22 #include "net/der/input.h" | 22 #include "net/der/input.h" |
| 23 #include "net/test/cert_test_util.h" | 23 #include "net/test/cert_test_util.h" |
| 24 #include "net/test/test_certificate_data.h" | 24 #include "net/test/test_certificate_data.h" |
| 25 #include "testing/gmock/include/gmock/gmock.h" | 25 #include "testing/gmock/include/gmock/gmock.h" |
| 26 #include "testing/gtest/include/gtest/gtest.h" | 26 #include "testing/gtest/include/gtest/gtest.h" |
| 27 | 27 |
| 28 namespace net { | 28 namespace net { |
| 29 | 29 |
| 30 namespace { | 30 namespace { |
| 31 | 31 |
| 32 using ::testing::_; | 32 using ::testing::_; |
| 33 using ::testing::Invoke; | 33 using ::testing::Invoke; |
| 34 using ::testing::NiceMock; |
| 35 using ::testing::Return; |
| 34 using ::testing::SaveArg; | 36 using ::testing::SaveArg; |
| 37 using ::testing::SetArgPointee; |
| 35 using ::testing::StrictMock; | 38 using ::testing::StrictMock; |
| 36 using ::testing::SetArgPointee; | |
| 37 using ::testing::Return; | |
| 38 | 39 |
| 39 // AsyncCertIssuerSourceStatic always returns its certs asynchronously. | 40 // AsyncCertIssuerSourceStatic always returns its certs asynchronously. |
| 40 class AsyncCertIssuerSourceStatic : public CertIssuerSource { | 41 class AsyncCertIssuerSourceStatic : public CertIssuerSource { |
| 41 public: | 42 public: |
| 42 class StaticAsyncRequest : public Request { | 43 class StaticAsyncRequest : public Request { |
| 43 public: | 44 public: |
| 44 StaticAsyncRequest(const IssuerCallback& issuers_callback, | 45 StaticAsyncRequest(const IssuerCallback& issuers_callback, |
| 45 ParsedCertificateList&& issuers) | 46 ParsedCertificateList&& issuers) |
| 46 : cancelable_closure_(base::Bind(&StaticAsyncRequest::RunCallback, | 47 : cancelable_closure_(base::Bind(&StaticAsyncRequest::RunCallback, |
| 47 base::Unretained(this))), | 48 base::Unretained(this))), |
| (...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 156 | 157 |
| 157 protected: | 158 protected: |
| 158 scoped_refptr<ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_, | 159 scoped_refptr<ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_, |
| 159 d_by_d_, e_by_e_, f_by_e_; | 160 d_by_d_, e_by_e_, f_by_e_; |
| 160 | 161 |
| 161 SimpleSignaturePolicy signature_policy_; | 162 SimpleSignaturePolicy signature_policy_; |
| 162 der::GeneralizedTime time_ = {2016, 4, 11, 0, 0, 0}; | 163 der::GeneralizedTime time_ = {2016, 4, 11, 0, 0, 0}; |
| 163 }; | 164 }; |
| 164 | 165 |
| 165 void AddTrustedCertificate(scoped_refptr<ParsedCertificate> cert, | 166 void AddTrustedCertificate(scoped_refptr<ParsedCertificate> cert, |
| 166 TrustStore* trust_store) { | 167 TrustStoreInMemory* trust_store) { |
| 167 ASSERT_TRUE(cert.get()); | 168 ASSERT_TRUE(cert.get()); |
| 168 scoped_refptr<TrustAnchor> anchor = | 169 scoped_refptr<TrustAnchor> anchor = |
| 169 TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert)); | 170 TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert)); |
| 170 ASSERT_TRUE(anchor.get()); | 171 ASSERT_TRUE(anchor.get()); |
| 171 trust_store->AddTrustAnchor(std::move(anchor)); | 172 trust_store->AddTrustAnchor(std::move(anchor)); |
| 172 } | 173 } |
| 173 | 174 |
| 174 // If the target cert is has the same name and key as a trust anchor, however | 175 // If the target cert is has the same name and key as a trust anchor, however |
| 175 // is signed but a different trust anchor. This should successfully build a | 176 // is signed but a different trust anchor. This should successfully build a |
| 176 // path, however the trust anchor will be the signer of this cert. | 177 // path, however the trust anchor will be the signer of this cert. |
| 177 // | 178 // |
| 178 // (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor | 179 // (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor |
| 179 // but with different data; also in this test the target cert itself is in the | 180 // but with different data; also in this test the target cert itself is in the |
| 180 // trust store). | 181 // trust store). |
| 181 TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) { | 182 TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) { |
| 182 TrustStore trust_store; | 183 TrustStoreInMemory trust_store; |
| 183 AddTrustedCertificate(a_by_b_, &trust_store); | 184 AddTrustedCertificate(a_by_b_, &trust_store); |
| 184 AddTrustedCertificate(b_by_f_, &trust_store); | 185 AddTrustedCertificate(b_by_f_, &trust_store); |
| 185 | 186 |
| 186 CertPathBuilder::Result result; | 187 CertPathBuilder::Result result; |
| 187 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 188 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 188 &result); | 189 &result); |
| 189 | 190 |
| 190 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 191 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 191 | 192 |
| 192 EXPECT_EQ(OK, result.error()); | 193 EXPECT_EQ(OK, result.error()); |
| 193 ASSERT_FALSE(result.paths.empty()); | 194 ASSERT_FALSE(result.paths.empty()); |
| 194 const auto& path = result.paths[result.best_result_index]->path; | 195 const auto& path = result.paths[result.best_result_index]->path; |
| 195 ASSERT_EQ(1U, path.certs.size()); | 196 ASSERT_EQ(1U, path.certs.size()); |
| 196 EXPECT_EQ(a_by_b_, path.certs[0]); | 197 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 197 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | 198 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); |
| 198 } | 199 } |
| 199 | 200 |
| 200 // If the target cert is has the same name and key as a trust anchor, however | 201 // If the target cert is has the same name and key as a trust anchor, however |
| 201 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI | 202 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI |
| 202 // is trusted, the certificate contents cannot be verified. | 203 // is trusted, the certificate contents cannot be verified. |
| 203 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { | 204 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { |
| 204 TrustStore trust_store; | 205 TrustStoreInMemory trust_store; |
| 205 AddTrustedCertificate(a_by_b_, &trust_store); | 206 AddTrustedCertificate(a_by_b_, &trust_store); |
| 206 | 207 |
| 207 CertPathBuilder::Result result; | 208 CertPathBuilder::Result result; |
| 208 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 209 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 209 &result); | 210 &result); |
| 210 | 211 |
| 211 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 212 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 212 | 213 |
| 213 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 214 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 214 } | 215 } |
| 215 | 216 |
| 216 // Test a failed path building when the trust anchor is provided as a | 217 // Test a failed path building when the trust anchor is provided as a |
| 217 // supplemental certificate. Conceptually the following paths can be built: | 218 // supplemental certificate. Conceptually the following paths can be built: |
| 218 // | 219 // |
| 219 // B(C) <- C(D) <- [Trust anchor D] | 220 // B(C) <- C(D) <- [Trust anchor D] |
| 220 // B(C) <- C(D) <- D(D) <- [Trust anchor D] | 221 // B(C) <- C(D) <- D(D) <- [Trust anchor D] |
| 221 // | 222 // |
| 222 // The second one is extraneous given the shorter one, however path building | 223 // The second one is extraneous given the shorter one, however path building |
| 223 // will enumerate it if the shorter one failed validation. | 224 // will enumerate it if the shorter one failed validation. |
| 224 TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) { | 225 TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) { |
| 225 TrustStore trust_store; | 226 TrustStoreInMemory trust_store; |
| 226 AddTrustedCertificate(d_by_d_, &trust_store); | 227 AddTrustedCertificate(d_by_d_, &trust_store); |
| 227 | 228 |
| 228 // The (extraneous) trust anchor D(D) is supplied as a certificate, as is the | 229 // The (extraneous) trust anchor D(D) is supplied as a certificate, as is the |
| 229 // intermediate needed for path building C(D). | 230 // intermediate needed for path building C(D). |
| 230 CertIssuerSourceStatic sync_certs; | 231 CertIssuerSourceStatic sync_certs; |
| 231 sync_certs.AddCert(d_by_d_); | 232 sync_certs.AddCert(d_by_d_); |
| 232 sync_certs.AddCert(c_by_d_); | 233 sync_certs.AddCert(c_by_d_); |
| 233 | 234 |
| 234 // C(D) is not valid at this time, so path building will fail. | 235 // C(D) is not valid at this time, so path building will fail. |
| 235 der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; | 236 der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; |
| (...skipping 19 matching lines...) Expand all Loading... |
| 255 ASSERT_EQ(3U, path1.certs.size()); | 256 ASSERT_EQ(3U, path1.certs.size()); |
| 256 EXPECT_EQ(b_by_c_, path1.certs[0]); | 257 EXPECT_EQ(b_by_c_, path1.certs[0]); |
| 257 EXPECT_EQ(c_by_d_, path1.certs[1]); | 258 EXPECT_EQ(c_by_d_, path1.certs[1]); |
| 258 EXPECT_EQ(d_by_d_, path1.certs[2]); | 259 EXPECT_EQ(d_by_d_, path1.certs[2]); |
| 259 EXPECT_EQ(d_by_d_, path1.trust_anchor->cert()); | 260 EXPECT_EQ(d_by_d_, path1.trust_anchor->cert()); |
| 260 } | 261 } |
| 261 | 262 |
| 262 // If the target cert is a self-signed cert whose key is a trust anchor, it | 263 // If the target cert is a self-signed cert whose key is a trust anchor, it |
| 263 // should verify. | 264 // should verify. |
| 264 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { | 265 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { |
| 265 TrustStore trust_store; | 266 TrustStoreInMemory trust_store; |
| 266 AddTrustedCertificate(e_by_e_, &trust_store); | 267 AddTrustedCertificate(e_by_e_, &trust_store); |
| 267 // This is not necessary for the test, just an extra... | 268 // This is not necessary for the test, just an extra... |
| 268 AddTrustedCertificate(f_by_e_, &trust_store); | 269 AddTrustedCertificate(f_by_e_, &trust_store); |
| 269 | 270 |
| 270 CertPathBuilder::Result result; | 271 CertPathBuilder::Result result; |
| 271 CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_, | 272 CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_, |
| 272 &result); | 273 &result); |
| 273 | 274 |
| 274 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 275 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 275 | 276 |
| 276 EXPECT_EQ(OK, result.error()); | 277 EXPECT_EQ(OK, result.error()); |
| 277 ASSERT_FALSE(result.paths.empty()); | 278 ASSERT_FALSE(result.paths.empty()); |
| 278 const auto& path = result.paths[result.best_result_index]->path; | 279 const auto& path = result.paths[result.best_result_index]->path; |
| 279 ASSERT_EQ(1U, path.certs.size()); | 280 ASSERT_EQ(1U, path.certs.size()); |
| 280 EXPECT_EQ(e_by_e_, path.certs[0]); | 281 EXPECT_EQ(e_by_e_, path.certs[0]); |
| 281 EXPECT_EQ(e_by_e_, path.trust_anchor->cert()); | 282 EXPECT_EQ(e_by_e_, path.trust_anchor->cert()); |
| 282 } | 283 } |
| 283 | 284 |
| 284 // If the target cert is directly issued by a trust anchor, it should verify | 285 // If the target cert is directly issued by a trust anchor, it should verify |
| 285 // without any intermediate certs being provided. | 286 // without any intermediate certs being provided. |
| 286 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { | 287 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { |
| 287 TrustStore trust_store; | 288 TrustStoreInMemory trust_store; |
| 288 AddTrustedCertificate(b_by_f_, &trust_store); | 289 AddTrustedCertificate(b_by_f_, &trust_store); |
| 289 | 290 |
| 290 CertPathBuilder::Result result; | 291 CertPathBuilder::Result result; |
| 291 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 292 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 292 &result); | 293 &result); |
| 293 | 294 |
| 294 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 295 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 295 | 296 |
| 296 ASSERT_EQ(OK, result.error()); | 297 ASSERT_EQ(OK, result.error()); |
| 297 ASSERT_FALSE(result.paths.empty()); | 298 ASSERT_FALSE(result.paths.empty()); |
| 298 const auto& path = result.paths[result.best_result_index]->path; | 299 const auto& path = result.paths[result.best_result_index]->path; |
| 299 ASSERT_EQ(1U, path.certs.size()); | 300 ASSERT_EQ(1U, path.certs.size()); |
| 300 EXPECT_EQ(a_by_b_, path.certs[0]); | 301 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 301 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | 302 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); |
| 302 } | 303 } |
| 303 | 304 |
| 304 // Test that async cert queries are not made if the path can be successfully | 305 // Test that async cert queries are not made if the path can be successfully |
| 305 // built with synchronously available certs. | 306 // built with synchronously available certs. |
| 306 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { | 307 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { |
| 307 TrustStore trust_store; | 308 TrustStoreInMemory trust_store; |
| 308 AddTrustedCertificate(e_by_e_, &trust_store); | 309 AddTrustedCertificate(e_by_e_, &trust_store); |
| 309 | 310 |
| 310 CertIssuerSourceStatic sync_certs; | 311 CertIssuerSourceStatic sync_certs; |
| 311 sync_certs.AddCert(b_by_f_); | 312 sync_certs.AddCert(b_by_f_); |
| 312 sync_certs.AddCert(f_by_e_); | 313 sync_certs.AddCert(f_by_e_); |
| 313 | 314 |
| 314 AsyncCertIssuerSourceStatic async_certs; | 315 AsyncCertIssuerSourceStatic async_certs; |
| 315 async_certs.AddCert(b_by_c_); | 316 async_certs.AddCert(b_by_c_); |
| 316 async_certs.AddCert(c_by_e_); | 317 async_certs.AddCert(c_by_e_); |
| 317 | 318 |
| 318 CertPathBuilder::Result result; | 319 CertPathBuilder::Result result; |
| 319 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 320 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 320 &result); | 321 &result); |
| 321 path_builder.AddCertIssuerSource(&async_certs); | 322 path_builder.AddCertIssuerSource(&async_certs); |
| 322 path_builder.AddCertIssuerSource(&sync_certs); | 323 path_builder.AddCertIssuerSource(&sync_certs); |
| 323 | 324 |
| 324 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 325 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 325 | 326 |
| 326 EXPECT_EQ(OK, result.error()); | 327 EXPECT_EQ(OK, result.error()); |
| 327 EXPECT_EQ(0, async_certs.num_async_gets()); | 328 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 328 } | 329 } |
| 329 | 330 |
| 330 // Test that async cert queries are not made if no callback is provided. | 331 // Test that async cert queries are not made if no callback is provided. |
| 331 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { | 332 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { |
| 332 TrustStore trust_store; | 333 TrustStoreInMemory trust_store; |
| 333 AddTrustedCertificate(e_by_e_, &trust_store); | 334 AddTrustedCertificate(e_by_e_, &trust_store); |
| 334 | 335 |
| 335 CertIssuerSourceStatic sync_certs; | 336 CertIssuerSourceStatic sync_certs; |
| 336 sync_certs.AddCert(f_by_e_); | 337 sync_certs.AddCert(f_by_e_); |
| 337 | 338 |
| 338 AsyncCertIssuerSourceStatic async_certs; | 339 AsyncCertIssuerSourceStatic async_certs; |
| 339 async_certs.AddCert(b_by_f_); | 340 async_certs.AddCert(b_by_f_); |
| 340 | 341 |
| 341 CertPathBuilder::Result result; | 342 CertPathBuilder::Result result; |
| 342 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 343 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 343 &result); | 344 &result); |
| 344 path_builder.AddCertIssuerSource(&async_certs); | 345 path_builder.AddCertIssuerSource(&async_certs); |
| 345 path_builder.AddCertIssuerSource(&sync_certs); | 346 path_builder.AddCertIssuerSource(&sync_certs); |
| 346 | 347 |
| 347 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); | 348 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); |
| 348 | 349 |
| 349 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 350 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 350 EXPECT_EQ(0, async_certs.num_async_gets()); | 351 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 351 } | 352 } |
| 352 | 353 |
| 353 // If async queries are needed, all async sources will be queried | 354 // If async queries are needed, all async sources will be queried |
| 354 // simultaneously. | 355 // simultaneously. |
| 355 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { | 356 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { |
| 356 TrustStore trust_store; | 357 TrustStoreInMemory trust_store; |
| 357 AddTrustedCertificate(e_by_e_, &trust_store); | 358 AddTrustedCertificate(e_by_e_, &trust_store); |
| 358 | 359 |
| 359 CertIssuerSourceStatic sync_certs; | 360 CertIssuerSourceStatic sync_certs; |
| 360 sync_certs.AddCert(b_by_c_); | 361 sync_certs.AddCert(b_by_c_); |
| 361 sync_certs.AddCert(b_by_f_); | 362 sync_certs.AddCert(b_by_f_); |
| 362 | 363 |
| 363 AsyncCertIssuerSourceStatic async_certs1; | 364 AsyncCertIssuerSourceStatic async_certs1; |
| 364 async_certs1.AddCert(c_by_e_); | 365 async_certs1.AddCert(c_by_e_); |
| 365 | 366 |
| 366 AsyncCertIssuerSourceStatic async_certs2; | 367 AsyncCertIssuerSourceStatic async_certs2; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 377 | 378 |
| 378 EXPECT_EQ(OK, result.error()); | 379 EXPECT_EQ(OK, result.error()); |
| 379 EXPECT_EQ(1, async_certs1.num_async_gets()); | 380 EXPECT_EQ(1, async_certs1.num_async_gets()); |
| 380 EXPECT_EQ(1, async_certs2.num_async_gets()); | 381 EXPECT_EQ(1, async_certs2.num_async_gets()); |
| 381 } | 382 } |
| 382 | 383 |
| 383 // Test that PathBuilder does not generate longer paths than necessary if one of | 384 // Test that PathBuilder does not generate longer paths than necessary if one of |
| 384 // the supplied certs is itself a trust anchor. | 385 // the supplied certs is itself a trust anchor. |
| 385 TEST_F(PathBuilderMultiRootTest, TestLongChain) { | 386 TEST_F(PathBuilderMultiRootTest, TestLongChain) { |
| 386 // Both D(D) and C(D) are trusted roots. | 387 // Both D(D) and C(D) are trusted roots. |
| 387 TrustStore trust_store; | 388 TrustStoreInMemory trust_store; |
| 388 AddTrustedCertificate(d_by_d_, &trust_store); | 389 AddTrustedCertificate(d_by_d_, &trust_store); |
| 389 AddTrustedCertificate(c_by_d_, &trust_store); | 390 AddTrustedCertificate(c_by_d_, &trust_store); |
| 390 | 391 |
| 391 // Certs B(C), and C(D) are all supplied. | 392 // Certs B(C), and C(D) are all supplied. |
| 392 CertIssuerSourceStatic sync_certs; | 393 CertIssuerSourceStatic sync_certs; |
| 393 sync_certs.AddCert(b_by_c_); | 394 sync_certs.AddCert(b_by_c_); |
| 394 sync_certs.AddCert(c_by_d_); | 395 sync_certs.AddCert(c_by_d_); |
| 395 | 396 |
| 396 CertPathBuilder::Result result; | 397 CertPathBuilder::Result result; |
| 397 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 398 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 398 &result); | 399 &result); |
| 399 path_builder.AddCertIssuerSource(&sync_certs); | 400 path_builder.AddCertIssuerSource(&sync_certs); |
| 400 | 401 |
| 401 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 402 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 402 | 403 |
| 403 EXPECT_EQ(OK, result.error()); | 404 EXPECT_EQ(OK, result.error()); |
| 404 | 405 |
| 405 // The result path should be A(B) <- B(C) <- C(D) | 406 // The result path should be A(B) <- B(C) <- C(D) |
| 406 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) | 407 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) |
| 407 ASSERT_FALSE(result.paths.empty()); | 408 ASSERT_FALSE(result.paths.empty()); |
| 408 const auto& path = result.paths[result.best_result_index]->path; | 409 const auto& path = result.paths[result.best_result_index]->path; |
| 409 EXPECT_EQ(2U, path.certs.size()); | 410 EXPECT_EQ(2U, path.certs.size()); |
| 410 } | 411 } |
| 411 | 412 |
| 412 // Test that PathBuilder will backtrack and try a different path if the first | 413 // Test that PathBuilder will backtrack and try a different path if the first |
| 413 // one doesn't work out. | 414 // one doesn't work out. |
| 414 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { | 415 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { |
| 415 // Only D(D) is a trusted root. | 416 // Only D(D) is a trusted root. |
| 416 TrustStore trust_store; | 417 TrustStoreInMemory trust_store; |
| 417 AddTrustedCertificate(d_by_d_, &trust_store); | 418 AddTrustedCertificate(d_by_d_, &trust_store); |
| 418 | 419 |
| 419 // Certs B(F) and F(E) are supplied synchronously, thus the path | 420 // Certs B(F) and F(E) are supplied synchronously, thus the path |
| 420 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. | 421 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| 421 CertIssuerSourceStatic sync_certs; | 422 CertIssuerSourceStatic sync_certs; |
| 422 sync_certs.AddCert(b_by_f_); | 423 sync_certs.AddCert(b_by_f_); |
| 423 sync_certs.AddCert(f_by_e_); | 424 sync_certs.AddCert(f_by_e_); |
| 424 | 425 |
| 425 // Certs B(C), and C(D) are supplied asynchronously, so the path | 426 // Certs B(C), and C(D) are supplied asynchronously, so the path |
| 426 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. | 427 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. |
| (...skipping 18 matching lines...) Expand all Loading... |
| 445 EXPECT_EQ(a_by_b_, path.certs[0]); | 446 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 446 EXPECT_EQ(b_by_c_, path.certs[1]); | 447 EXPECT_EQ(b_by_c_, path.certs[1]); |
| 447 EXPECT_EQ(c_by_d_, path.certs[2]); | 448 EXPECT_EQ(c_by_d_, path.certs[2]); |
| 448 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); | 449 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); |
| 449 } | 450 } |
| 450 | 451 |
| 451 // Test that whichever order CertIssuerSource returns the issuers, the path | 452 // Test that whichever order CertIssuerSource returns the issuers, the path |
| 452 // building still succeeds. | 453 // building still succeeds. |
| 453 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { | 454 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { |
| 454 // Only D(D) is a trusted root. | 455 // Only D(D) is a trusted root. |
| 455 TrustStore trust_store; | 456 TrustStoreInMemory trust_store; |
| 456 AddTrustedCertificate(d_by_d_, &trust_store); | 457 AddTrustedCertificate(d_by_d_, &trust_store); |
| 457 | 458 |
| 458 for (bool reverse_order : {false, true}) { | 459 for (bool reverse_order : {false, true}) { |
| 459 SCOPED_TRACE(reverse_order); | 460 SCOPED_TRACE(reverse_order); |
| 460 std::vector<scoped_refptr<ParsedCertificate>> certs = { | 461 std::vector<scoped_refptr<ParsedCertificate>> certs = { |
| 461 b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; | 462 b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; |
| 462 CertIssuerSourceStatic sync_certs; | 463 CertIssuerSourceStatic sync_certs; |
| 463 if (reverse_order) { | 464 if (reverse_order) { |
| 464 for (auto it = certs.rbegin(); it != certs.rend(); ++it) | 465 for (auto it = certs.rbegin(); it != certs.rend(); ++it) |
| 465 sync_certs.AddCert(*it); | 466 sync_certs.AddCert(*it); |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 533 scoped_refptr<ParsedCertificate> newrootrollover_; | 534 scoped_refptr<ParsedCertificate> newrootrollover_; |
| 534 | 535 |
| 535 SimpleSignaturePolicy signature_policy_; | 536 SimpleSignaturePolicy signature_policy_; |
| 536 der::GeneralizedTime time_; | 537 der::GeneralizedTime time_; |
| 537 }; | 538 }; |
| 538 | 539 |
| 539 // Tests that if only the old root cert is trusted, the path builder can build a | 540 // Tests that if only the old root cert is trusted, the path builder can build a |
| 540 // path through the new intermediate and rollover cert to the old root. | 541 // path through the new intermediate and rollover cert to the old root. |
| 541 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { | 542 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { |
| 542 // Only oldroot is trusted. | 543 // Only oldroot is trusted. |
| 543 TrustStore trust_store; | 544 TrustStoreInMemory trust_store; |
| 544 trust_store.AddTrustAnchor(oldroot_); | 545 trust_store.AddTrustAnchor(oldroot_); |
| 545 | 546 |
| 546 // Old intermediate cert is not provided, so the pathbuilder will need to go | 547 // Old intermediate cert is not provided, so the pathbuilder will need to go |
| 547 // through the rollover cert. | 548 // through the rollover cert. |
| 548 CertIssuerSourceStatic sync_certs; | 549 CertIssuerSourceStatic sync_certs; |
| 549 sync_certs.AddCert(newintermediate_); | 550 sync_certs.AddCert(newintermediate_); |
| 550 sync_certs.AddCert(newrootrollover_); | 551 sync_certs.AddCert(newrootrollover_); |
| 551 | 552 |
| 552 CertPathBuilder::Result result; | 553 CertPathBuilder::Result result; |
| 553 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 554 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| (...skipping 26 matching lines...) Expand all Loading... |
| 580 EXPECT_EQ(newrootrollover_, path1.certs[2]); | 581 EXPECT_EQ(newrootrollover_, path1.certs[2]); |
| 581 EXPECT_EQ(oldroot_, path1.trust_anchor); | 582 EXPECT_EQ(oldroot_, path1.trust_anchor); |
| 582 } | 583 } |
| 583 | 584 |
| 584 // Tests that if both old and new roots are trusted it can build a path through | 585 // Tests that if both old and new roots are trusted it can build a path through |
| 585 // either. | 586 // either. |
| 586 // TODO(mattm): Once prioritization is implemented, it should test that it | 587 // TODO(mattm): Once prioritization is implemented, it should test that it |
| 587 // always builds the path through the new intermediate and new root. | 588 // always builds the path through the new intermediate and new root. |
| 588 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { | 589 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { |
| 589 // Both oldroot and newroot are trusted. | 590 // Both oldroot and newroot are trusted. |
| 590 TrustStore trust_store; | 591 TrustStoreInMemory trust_store; |
| 591 trust_store.AddTrustAnchor(oldroot_); | 592 trust_store.AddTrustAnchor(oldroot_); |
| 592 AddTrustedCertificate(newroot_, &trust_store); | 593 AddTrustedCertificate(newroot_, &trust_store); |
| 593 | 594 |
| 594 // Both old and new intermediates + rollover cert are provided. | 595 // Both old and new intermediates + rollover cert are provided. |
| 595 CertIssuerSourceStatic sync_certs; | 596 CertIssuerSourceStatic sync_certs; |
| 596 sync_certs.AddCert(oldintermediate_); | 597 sync_certs.AddCert(oldintermediate_); |
| 597 sync_certs.AddCert(newintermediate_); | 598 sync_certs.AddCert(newintermediate_); |
| 598 sync_certs.AddCert(newrootrollover_); | 599 sync_certs.AddCert(newrootrollover_); |
| 599 | 600 |
| 600 CertPathBuilder::Result result; | 601 CertPathBuilder::Result result; |
| (...skipping 18 matching lines...) Expand all Loading... |
| 619 DVLOG(1) << "USED OLD"; | 620 DVLOG(1) << "USED OLD"; |
| 620 EXPECT_EQ(oldintermediate_, path.certs[1]); | 621 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 621 EXPECT_EQ(oldroot_, path.trust_anchor); | 622 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 622 } else { | 623 } else { |
| 623 DVLOG(1) << "USED NEW"; | 624 DVLOG(1) << "USED NEW"; |
| 624 EXPECT_EQ(newintermediate_, path.certs[1]); | 625 EXPECT_EQ(newintermediate_, path.certs[1]); |
| 625 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 626 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 626 } | 627 } |
| 627 } | 628 } |
| 628 | 629 |
| 630 class MockTrustStore : public TrustStore { |
| 631 public: |
| 632 MOCK_CONST_METHOD2(FindTrustAnchorsByNormalizedName, |
| 633 void(const der::Input& normalized_name, |
| 634 TrustAnchors* matches)); |
| 635 }; |
| 636 |
| 629 // Tests that multiple trust root matches on a single path will be considered. | 637 // Tests that multiple trust root matches on a single path will be considered. |
| 630 // Both roots have the same subject but different keys. Only one of them will | 638 // Both roots have the same subject but different keys. Only one of them will |
| 631 // verify. | 639 // verify. |
| 632 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { | 640 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { |
| 633 // Both newroot and oldroot are trusted. | 641 NiceMock<MockTrustStore> trust_store; |
| 634 TrustStore trust_store; | 642 // Default handler for any other TrustStore requests. |
| 635 AddTrustedCertificate(newroot_, &trust_store); | 643 EXPECT_CALL(trust_store, FindTrustAnchorsByNormalizedName(_, _)) |
| 636 trust_store.AddTrustAnchor(oldroot_); | 644 .WillRepeatedly(Return()); |
| 645 // Both newroot and oldroot are trusted, and newroot is returned first in the |
| 646 // matches vector. |
| 647 EXPECT_CALL(trust_store, FindTrustAnchorsByNormalizedName( |
| 648 newroot_->normalized_subject(), _)) |
| 649 .WillRepeatedly(Invoke( |
| 650 [this](const der::Input& normalized_name, TrustAnchors* matches) { |
| 651 matches->push_back( |
| 652 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); |
| 653 matches->push_back(oldroot_); |
| 654 })); |
| 637 | 655 |
| 638 // Only oldintermediate is supplied, so the path with newroot should fail, | 656 // Only oldintermediate is supplied, so the path with newroot should fail, |
| 639 // oldroot should succeed. | 657 // oldroot should succeed. |
| 640 CertIssuerSourceStatic sync_certs; | 658 CertIssuerSourceStatic sync_certs; |
| 641 sync_certs.AddCert(oldintermediate_); | 659 sync_certs.AddCert(oldintermediate_); |
| 642 | 660 |
| 643 CertPathBuilder::Result result; | 661 CertPathBuilder::Result result; |
| 644 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 662 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 645 &result); | 663 &result); |
| 646 path_builder.AddCertIssuerSource(&sync_certs); | 664 path_builder.AddCertIssuerSource(&sync_certs); |
| 647 | 665 |
| 648 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 666 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 649 | 667 |
| 650 EXPECT_EQ(OK, result.error()); | 668 EXPECT_EQ(OK, result.error()); |
| 651 // There may be one or two paths attempted depending if the path builder tried | 669 // Since FindTrustAnchorsByNormalizedName returns newroot first, it should be |
| 652 // using newroot first. | 670 // tried first. (Note: this may change if PathBuilder starts prioritizing the |
| 653 // TODO(mattm): Once TrustStore is an interface, this could be fixed with a | 671 // path building order.) |
| 654 // mock version of TrustStore that returns roots in a deterministic order. | 672 ASSERT_EQ(2U, result.paths.size()); |
| 655 ASSERT_LE(1U, result.paths.size()); | |
| 656 ASSERT_GE(2U, result.paths.size()); | |
| 657 | 673 |
| 658 if (result.paths.size() == 2) { | 674 { |
| 659 // Path builder may first attempt: target <- oldintermediate <- newroot | 675 // Path builder may first attempt: target <- oldintermediate <- newroot |
| 660 // but it will fail since oldintermediate is signed by oldroot. | 676 // but it will fail since oldintermediate is signed by oldroot. |
| 661 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 677 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); |
| 662 const auto& path = result.paths[0]->path; | 678 const auto& path = result.paths[0]->path; |
| 663 ASSERT_EQ(2U, path.certs.size()); | 679 ASSERT_EQ(2U, path.certs.size()); |
| 664 EXPECT_EQ(target_, path.certs[0]); | 680 EXPECT_EQ(target_, path.certs[0]); |
| 665 EXPECT_EQ(oldintermediate_, path.certs[1]); | 681 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 666 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 682 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 667 } | 683 } |
| 668 | 684 |
| 669 // Path builder will next attempt: | 685 { |
| 670 // target <- old intermediate <- oldroot | 686 // Path builder will next attempt: |
| 671 // which should succeed. | 687 // target <- old intermediate <- oldroot |
| 672 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); | 688 // which should succeed. |
| 673 const auto& path = result.paths[result.best_result_index]->path; | 689 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); |
| 674 ASSERT_EQ(2U, path.certs.size()); | 690 const auto& path = result.paths[result.best_result_index]->path; |
| 675 EXPECT_EQ(target_, path.certs[0]); | 691 ASSERT_EQ(2U, path.certs.size()); |
| 676 EXPECT_EQ(oldintermediate_, path.certs[1]); | 692 EXPECT_EQ(target_, path.certs[0]); |
| 677 EXPECT_EQ(oldroot_, path.trust_anchor); | 693 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 694 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 695 } |
| 678 } | 696 } |
| 679 | 697 |
| 680 // Tests that the path builder doesn't build longer than necessary paths. | 698 // Tests that the path builder doesn't build longer than necessary paths. |
| 681 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { | 699 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { |
| 682 // Only oldroot is trusted. | 700 // Only oldroot is trusted. |
| 683 TrustStore trust_store; | 701 TrustStoreInMemory trust_store; |
| 684 trust_store.AddTrustAnchor(oldroot_); | 702 trust_store.AddTrustAnchor(oldroot_); |
| 685 | 703 |
| 686 // New intermediate and new root are provided synchronously. | 704 // New intermediate and new root are provided synchronously. |
| 687 CertIssuerSourceStatic sync_certs; | 705 CertIssuerSourceStatic sync_certs; |
| 688 sync_certs.AddCert(newintermediate_); | 706 sync_certs.AddCert(newintermediate_); |
| 689 sync_certs.AddCert(newroot_); | 707 sync_certs.AddCert(newroot_); |
| 690 | 708 |
| 691 // Rollover cert is only provided asynchronously. This will force the | 709 // Rollover cert is only provided asynchronously. This will force the |
| 692 // pathbuilder to first try building a longer than necessary path. | 710 // pathbuilder to first try building a longer than necessary path. |
| 693 AsyncCertIssuerSourceStatic async_certs; | 711 AsyncCertIssuerSourceStatic async_certs; |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 739 EXPECT_EQ(newrootrollover_, path2.certs[2]); | 757 EXPECT_EQ(newrootrollover_, path2.certs[2]); |
| 740 EXPECT_EQ(oldroot_, path2.trust_anchor); | 758 EXPECT_EQ(oldroot_, path2.trust_anchor); |
| 741 } | 759 } |
| 742 | 760 |
| 743 // If the target cert is a trust anchor, however is not itself *signed* by a | 761 // If the target cert is a trust anchor, however is not itself *signed* by a |
| 744 // trust anchor, then it is not considered valid (the SPKI and name of the | 762 // trust anchor, then it is not considered valid (the SPKI and name of the |
| 745 // trust anchor matches the SPKI and subject of the targe certificate, but the | 763 // trust anchor matches the SPKI and subject of the targe certificate, but the |
| 746 // rest of the certificate cannot be verified). | 764 // rest of the certificate cannot be verified). |
| 747 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { | 765 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { |
| 748 // Trust newintermediate. | 766 // Trust newintermediate. |
| 749 TrustStore trust_store; | 767 TrustStoreInMemory trust_store; |
| 750 AddTrustedCertificate(newintermediate_, &trust_store); | 768 AddTrustedCertificate(newintermediate_, &trust_store); |
| 751 | 769 |
| 752 CertPathBuilder::Result result; | 770 CertPathBuilder::Result result; |
| 753 // Newintermediate is also the target cert. | 771 // Newintermediate is also the target cert. |
| 754 CertPathBuilder path_builder(newintermediate_, &trust_store, | 772 CertPathBuilder path_builder(newintermediate_, &trust_store, |
| 755 &signature_policy_, time_, &result); | 773 &signature_policy_, time_, &result); |
| 756 | 774 |
| 757 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 775 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 758 | 776 |
| 759 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 777 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 760 } | 778 } |
| 761 | 779 |
| 762 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path | 780 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path |
| 763 // can still be built. | 781 // can still be built. |
| 764 // Since LoopChecker will prevent the intermediate from being included, this | 782 // Since LoopChecker will prevent the intermediate from being included, this |
| 765 // currently does NOT verify. This case shouldn't occur in the web PKI. | 783 // currently does NOT verify. This case shouldn't occur in the web PKI. |
| 766 TEST_F(PathBuilderKeyRolloverTest, | 784 TEST_F(PathBuilderKeyRolloverTest, |
| 767 TestEndEntityHasSameNameAndSpkiAsIntermediate) { | 785 TestEndEntityHasSameNameAndSpkiAsIntermediate) { |
| 768 // Trust oldroot. | 786 // Trust oldroot. |
| 769 TrustStore trust_store; | 787 TrustStoreInMemory trust_store; |
| 770 trust_store.AddTrustAnchor(oldroot_); | 788 trust_store.AddTrustAnchor(oldroot_); |
| 771 | 789 |
| 772 // New root rollover is provided synchronously. | 790 // New root rollover is provided synchronously. |
| 773 CertIssuerSourceStatic sync_certs; | 791 CertIssuerSourceStatic sync_certs; |
| 774 sync_certs.AddCert(newrootrollover_); | 792 sync_certs.AddCert(newrootrollover_); |
| 775 | 793 |
| 776 CertPathBuilder::Result result; | 794 CertPathBuilder::Result result; |
| 777 // Newroot is the target cert. | 795 // Newroot is the target cert. |
| 778 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 796 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 779 time_, &result); | 797 time_, &result); |
| 780 path_builder.AddCertIssuerSource(&sync_certs); | 798 path_builder.AddCertIssuerSource(&sync_certs); |
| 781 | 799 |
| 782 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 800 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 783 | 801 |
| 784 // This could actually be OK, but CertPathBuilder does not build the | 802 // This could actually be OK, but CertPathBuilder does not build the |
| 785 // newroot <- newrootrollover <- oldroot path. | 803 // newroot <- newrootrollover <- oldroot path. |
| 786 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 804 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); |
| 787 } | 805 } |
| 788 | 806 |
| 789 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) | 807 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) |
| 790 // path can still be built. | 808 // path can still be built. |
| 791 TEST_F(PathBuilderKeyRolloverTest, | 809 TEST_F(PathBuilderKeyRolloverTest, |
| 792 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { | 810 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { |
| 793 // Trust newrootrollover. | 811 // Trust newrootrollover. |
| 794 TrustStore trust_store; | 812 TrustStoreInMemory trust_store; |
| 795 AddTrustedCertificate(newrootrollover_, &trust_store); | 813 AddTrustedCertificate(newrootrollover_, &trust_store); |
| 796 | 814 |
| 797 CertPathBuilder::Result result; | 815 CertPathBuilder::Result result; |
| 798 // Newroot is the target cert. | 816 // Newroot is the target cert. |
| 799 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 817 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 800 time_, &result); | 818 time_, &result); |
| 801 | 819 |
| 802 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 820 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 803 | 821 |
| 804 EXPECT_EQ(OK, result.error()); | 822 EXPECT_EQ(OK, result.error()); |
| (...skipping 12 matching lines...) Expand all Loading... |
| 817 | 835 |
| 818 // Test that PathBuilder will not try the same path twice if multiple | 836 // Test that PathBuilder will not try the same path twice if multiple |
| 819 // CertIssuerSources provide the same certificate. | 837 // CertIssuerSources provide the same certificate. |
| 820 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { | 838 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { |
| 821 // Create a separate copy of oldintermediate. | 839 // Create a separate copy of oldintermediate. |
| 822 scoped_refptr<ParsedCertificate> oldintermediate_dupe( | 840 scoped_refptr<ParsedCertificate> oldintermediate_dupe( |
| 823 ParsedCertificate::CreateFromCertificateCopy( | 841 ParsedCertificate::CreateFromCertificateCopy( |
| 824 oldintermediate_->der_cert().AsStringPiece(), {})); | 842 oldintermediate_->der_cert().AsStringPiece(), {})); |
| 825 | 843 |
| 826 // Only newroot is a trusted root. | 844 // Only newroot is a trusted root. |
| 827 TrustStore trust_store; | 845 TrustStoreInMemory trust_store; |
| 828 AddTrustedCertificate(newroot_, &trust_store); | 846 AddTrustedCertificate(newroot_, &trust_store); |
| 829 | 847 |
| 830 // The oldintermediate is supplied synchronously by |sync_certs1| and | 848 // The oldintermediate is supplied synchronously by |sync_certs1| and |
| 831 // another copy of oldintermediate is supplied synchronously by |sync_certs2|. | 849 // another copy of oldintermediate is supplied synchronously by |sync_certs2|. |
| 832 // The path target <- oldintermediate <- newroot should be built first, | 850 // The path target <- oldintermediate <- newroot should be built first, |
| 833 // though it won't verify. It should not be attempted again even though | 851 // though it won't verify. It should not be attempted again even though |
| 834 // oldintermediate was supplied twice. | 852 // oldintermediate was supplied twice. |
| 835 CertIssuerSourceStatic sync_certs1; | 853 CertIssuerSourceStatic sync_certs1; |
| 836 sync_certs1.AddCert(oldintermediate_); | 854 sync_certs1.AddCert(oldintermediate_); |
| 837 CertIssuerSourceStatic sync_certs2; | 855 CertIssuerSourceStatic sync_certs2; |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 879 | 897 |
| 880 // Test when PathBuilder is given a cert CertIssuerSources that has the same | 898 // Test when PathBuilder is given a cert CertIssuerSources that has the same |
| 881 // SPKI as a TrustAnchor. | 899 // SPKI as a TrustAnchor. |
| 882 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { | 900 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { |
| 883 // Create a separate copy of newroot. | 901 // Create a separate copy of newroot. |
| 884 scoped_refptr<ParsedCertificate> newroot_dupe( | 902 scoped_refptr<ParsedCertificate> newroot_dupe( |
| 885 ParsedCertificate::CreateFromCertificateCopy( | 903 ParsedCertificate::CreateFromCertificateCopy( |
| 886 newroot_->der_cert().AsStringPiece(), {})); | 904 newroot_->der_cert().AsStringPiece(), {})); |
| 887 | 905 |
| 888 // Only newroot is a trusted root. | 906 // Only newroot is a trusted root. |
| 889 TrustStore trust_store; | 907 TrustStoreInMemory trust_store; |
| 890 AddTrustedCertificate(newroot_, &trust_store); | 908 AddTrustedCertificate(newroot_, &trust_store); |
| 891 | 909 |
| 892 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. | 910 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. |
| 893 CertIssuerSourceStatic sync_certs; | 911 CertIssuerSourceStatic sync_certs; |
| 894 sync_certs.AddCert(oldintermediate_); | 912 sync_certs.AddCert(oldintermediate_); |
| 895 sync_certs.AddCert(newroot_dupe); | 913 sync_certs.AddCert(newroot_dupe); |
| 896 | 914 |
| 897 CertPathBuilder::Result result; | 915 CertPathBuilder::Result result; |
| 898 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 916 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 899 &result); | 917 &result); |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 949 std::unique_ptr<CertIssuerSource::Request> request_; | 967 std::unique_ptr<CertIssuerSource::Request> request_; |
| 950 }; | 968 }; |
| 951 | 969 |
| 952 // Test that a single CertIssuerSource returning multiple async batches of | 970 // Test that a single CertIssuerSource returning multiple async batches of |
| 953 // issuers is handled correctly. Due to the StrictMocks, it also tests that path | 971 // issuers is handled correctly. Due to the StrictMocks, it also tests that path |
| 954 // builder does not request issuers of certs that it shouldn't. | 972 // builder does not request issuers of certs that it shouldn't. |
| 955 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncCallbacksFromSingleSource) { | 973 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncCallbacksFromSingleSource) { |
| 956 StrictMock<MockCertIssuerSource> cert_issuer_source; | 974 StrictMock<MockCertIssuerSource> cert_issuer_source; |
| 957 | 975 |
| 958 // Only newroot is a trusted root. | 976 // Only newroot is a trusted root. |
| 959 TrustStore trust_store; | 977 TrustStoreInMemory trust_store; |
| 960 AddTrustedCertificate(newroot_, &trust_store); | 978 AddTrustedCertificate(newroot_, &trust_store); |
| 961 | 979 |
| 962 CertPathBuilder::Result result; | 980 CertPathBuilder::Result result; |
| 963 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 981 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 964 &result); | 982 &result); |
| 965 path_builder.AddCertIssuerSource(&cert_issuer_source); | 983 path_builder.AddCertIssuerSource(&cert_issuer_source); |
| 966 | 984 |
| 967 CertIssuerSource::IssuerCallback target_issuers_callback; | 985 CertIssuerSource::IssuerCallback target_issuers_callback; |
| 968 // Create the mock CertIssuerSource::Request... | 986 // Create the mock CertIssuerSource::Request... |
| 969 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> | 987 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1049 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1067 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1050 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 1068 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1051 } | 1069 } |
| 1052 | 1070 |
| 1053 // Test that PathBuilder will not try the same path twice if CertIssuerSources | 1071 // Test that PathBuilder will not try the same path twice if CertIssuerSources |
| 1054 // asynchronously provide the same certificate multiple times. | 1072 // asynchronously provide the same certificate multiple times. |
| 1055 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { | 1073 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { |
| 1056 StrictMock<MockCertIssuerSource> cert_issuer_source; | 1074 StrictMock<MockCertIssuerSource> cert_issuer_source; |
| 1057 | 1075 |
| 1058 // Only newroot is a trusted root. | 1076 // Only newroot is a trusted root. |
| 1059 TrustStore trust_store; | 1077 TrustStoreInMemory trust_store; |
| 1060 AddTrustedCertificate(newroot_, &trust_store); | 1078 AddTrustedCertificate(newroot_, &trust_store); |
| 1061 | 1079 |
| 1062 CertPathBuilder::Result result; | 1080 CertPathBuilder::Result result; |
| 1063 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 1081 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 1064 &result); | 1082 &result); |
| 1065 path_builder.AddCertIssuerSource(&cert_issuer_source); | 1083 path_builder.AddCertIssuerSource(&cert_issuer_source); |
| 1066 | 1084 |
| 1067 CertIssuerSource::IssuerCallback target_issuers_callback; | 1085 CertIssuerSource::IssuerCallback target_issuers_callback; |
| 1068 // Create the mock CertIssuerSource::Request... | 1086 // Create the mock CertIssuerSource::Request... |
| 1069 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> | 1087 std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>> |
| (...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1163 const auto& path1 = result.paths[1]->path; | 1181 const auto& path1 = result.paths[1]->path; |
| 1164 ASSERT_EQ(2U, path1.certs.size()); | 1182 ASSERT_EQ(2U, path1.certs.size()); |
| 1165 EXPECT_EQ(target_, path1.certs[0]); | 1183 EXPECT_EQ(target_, path1.certs[0]); |
| 1166 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1184 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1167 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 1185 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1168 } | 1186 } |
| 1169 | 1187 |
| 1170 } // namespace | 1188 } // namespace |
| 1171 | 1189 |
| 1172 } // namespace net | 1190 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2252933002:
Make TrustStore into an interface, move impl to TrustStoreInMemory. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master