net/cert/cert_verify_proc_unittest.cc - Issue 22893021: Normalize certificate name verification across all platforms

Side by Side Diff: net/cert/cert_verify_proc_unittest.cc

Issue 22893021: Normalize certificate name verification across all platforms (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Update cert Created 7 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include <vector>	7 #include <vector>

8	8

9 #include "base/files/file_path.h"	9 #include "base/files/file_path.h"

10 #include "base/logging.h"	10 #include "base/logging.h"

(...skipping 227 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
238 int error = Verify(cert.get(),	238 int error = Verify(cert.get(),

239 "policy_test.example",	239 "policy_test.example",

240 flags,	240 flags,

241 NULL,	241 NULL,

242 empty_cert_list_,	242 empty_cert_list_,

243 &verify_result);	243 &verify_result);

244 EXPECT_EQ(OK, error);	244 EXPECT_EQ(OK, error);

245 EXPECT_EQ(0u, verify_result.cert_status);	245 EXPECT_EQ(0u, verify_result.cert_status);

246 }	246 }

247	247

248

249 // Test for bug 58437.	248 // Test for bug 58437.

250 // This certificate will expire on 2011-12-21. The test will still	249 // This certificate will expire on 2011-12-21. The test will still

251 // pass if error == ERR_CERT_DATE_INVALID.	250 // pass if error == ERR_CERT_DATE_INVALID.

252 // This test is DISABLED because it appears that we cannot do	251 // This test is DISABLED because it appears that we cannot do

253 // certificate revocation checking when running all of the net unit tests.	252 // certificate revocation checking when running all of the net unit tests.

254 // This test passes when run individually, but when run with all of the net	253 // This test passes when run individually, but when run with all of the net

255 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is	254 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is

256 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation	255 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation

257 // status, i.e. that the revocation check is failing for some reason.	256 // status, i.e. that the revocation check is failing for some reason.

258 TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) {	257 TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) {

(...skipping 1090 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1349 #if defined(USE_NSS) \|\| defined(OS_IOS)	1348 #if defined(USE_NSS) \|\| defined(OS_IOS)

1350 #define MAYBE_VerifyMixed DISABLED_VerifyMixed	1349 #define MAYBE_VerifyMixed DISABLED_VerifyMixed

1351 #else	1350 #else

1352 #define MAYBE_VerifyMixed VerifyMixed	1351 #define MAYBE_VerifyMixed VerifyMixed

1353 #endif	1352 #endif

1354 WRAPPED_INSTANTIATE_TEST_CASE_P(	1353 WRAPPED_INSTANTIATE_TEST_CASE_P(

1355 MAYBE_VerifyMixed,	1354 MAYBE_VerifyMixed,

1356 CertVerifyProcWeakDigestTest,	1355 CertVerifyProcWeakDigestTest,

1357 testing::ValuesIn(kVerifyMixedTestData));	1356 testing::ValuesIn(kVerifyMixedTestData));

1358	1357

	1358 static const struct CertVerifyProcNameData {

	1359 const char* hostname;

	1360 bool valid;

	1361 } kVerifyNameData[] = {

	1362 { "127.0.0.1", false }, // Don't match the common name

	1363 { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)

	1364 { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)

	1365 { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN

	1366 { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)

	1367 { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN

	1368 { "test.example", true }, // Matches the dNSName SAN

	1369 { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)

	1370 { "www.test.example", false }, // Should not match the dNSName SAN

	1371 { "test..example", false }, // Should not match the dNSName SAN

	1372 { "test.example..", false }, // Should not match the dNSName SAN

	1373 { ".test.example.", false }, // Should not match the dNSName SAN

	1374 { ".test.example", false }, // Should not match the dNSName SAN
	wtc 2013/08/16 19:59:19 It would be nice to document what subject CN and a It would be nice to document what subject CN and alternative names the test certificate has. This will allow a reader to verify these expected test results are correct. Could you document what \|valid\| means? Does it mean "matches vs. doesn't match"?
	1375 };

	1376

	1377 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how

	1378 // to output the parameter that was passed. Without this, it will simply

	1379 // attempt to print out the first twenty bytes of the object, which depending

	1380 // on platform and alignment, may result in an invalid read.

	1381 void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {

	1382 *os << "Hostname: " << data.hostname << "; valid=" << data.valid;

	1383 }

	1384

	1385 class CertVerifyProcNameTest

	1386 : public CertVerifyProcTest,

	1387 public testing::WithParamInterface<CertVerifyProcNameData> {

	1388 public:

	1389 CertVerifyProcNameTest() {}

	1390 virtual ~CertVerifyProcNameTest() {}

	1391 };

	1392

	1393 TEST_P(CertVerifyProcNameTest, VerifyCertName) {

	1394 CertVerifyProcNameData data = GetParam();

	1395

	1396 CertificateList cert_list = CreateCertificateListFromFile(

	1397 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",

	1398 X509Certificate::FORMAT_AUTO);

	1399 ASSERT_EQ(1U, cert_list.size());

	1400 scoped_refptr<X509Certificate> cert(cert_list[0]);

	1401

	1402 ScopedTestRoot scoped_root(cert.get());

	1403

	1404 CertVerifyResult verify_result;

	1405 int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,

	1406 &verify_result);

	1407 if (data.valid) {

	1408 EXPECT_EQ(OK, error);

	1409 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);

	1410 } else {

	1411 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);

	1412 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);

	1413 }

	1414 }

	1415

	1416 WRAPPED_INSTANTIATE_TEST_CASE_P(

	1417 VerifyName,

	1418 CertVerifyProcNameTest,

	1419 testing::ValuesIn(kVerifyNameData));

	1420

1359 } // namespace net	1421 } // namespace net

OLD	NEW

« no previous file with comments | « net/cert/cert_verify_proc_nss.cc ('k') | net/cert/cert_verify_proc_win.cc » ('j') | net/cert/cert_verify_proc_win.cc » ('J')