| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/verify_signed_data.h" | 5 #include "net/cert/internal/verify_signed_data.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <set> | 8 #include <set> |
| 9 | 9 |
| 10 #include "net/cert/internal/cert_errors.h" |
| 10 #include "net/cert/internal/signature_algorithm.h" | 11 #include "net/cert/internal/signature_algorithm.h" |
| 11 #include "net/cert/internal/signature_policy.h" | 12 #include "net/cert/internal/signature_policy.h" |
| 12 #include "net/cert/internal/test_helpers.h" | 13 #include "net/cert/internal/test_helpers.h" |
| 13 #include "net/der/input.h" | 14 #include "net/der/input.h" |
| 14 #include "net/der/parse_values.h" | 15 #include "net/der/parse_values.h" |
| 15 #include "net/der/parser.h" | 16 #include "net/der/parser.h" |
| 16 #include "testing/gtest/include/gtest/gtest.h" | 17 #include "testing/gtest/include/gtest/gtest.h" |
| 17 | 18 |
| 18 #include <openssl/obj.h> | 19 #include <openssl/obj.h> |
| 19 | 20 |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 58 SignatureAlgorithm::CreateFromDer(der::Input(&algorithm)); | 59 SignatureAlgorithm::CreateFromDer(der::Input(&algorithm)); |
| 59 ASSERT_TRUE(signature_algorithm); | 60 ASSERT_TRUE(signature_algorithm); |
| 60 | 61 |
| 61 der::BitString signature_value_bit_string; | 62 der::BitString signature_value_bit_string; |
| 62 der::Parser signature_value_parser((der::Input(&signature_value))); | 63 der::Parser signature_value_parser((der::Input(&signature_value))); |
| 63 ASSERT_TRUE(signature_value_parser.ReadBitString(&signature_value_bit_string)) | 64 ASSERT_TRUE(signature_value_parser.ReadBitString(&signature_value_bit_string)) |
| 64 << "The signature value is not a valid BIT STRING"; | 65 << "The signature value is not a valid BIT STRING"; |
| 65 | 66 |
| 66 bool expected_result_bool = expected_result == SUCCESS; | 67 bool expected_result_bool = expected_result == SUCCESS; |
| 67 | 68 |
| 69 // TODO(crbug.com/634443): Verify the returned errors. |
| 70 CertErrors errors; |
| 68 EXPECT_EQ(expected_result_bool, | 71 EXPECT_EQ(expected_result_bool, |
| 69 VerifySignedData(*signature_algorithm, der::Input(&signed_data), | 72 VerifySignedData(*signature_algorithm, der::Input(&signed_data), |
| 70 signature_value_bit_string, | 73 signature_value_bit_string, |
| 71 der::Input(&public_key), policy)); | 74 der::Input(&public_key), policy, &errors)); |
| 72 } | 75 } |
| 73 | 76 |
| 74 // RunTestCase() is the same as RunTestCaseUsingPolicy(), only it uses a | 77 // RunTestCase() is the same as RunTestCaseUsingPolicy(), only it uses a |
| 75 // default policy. This policy will accept a basic profile of signature | 78 // default policy. This policy will accept a basic profile of signature |
| 76 // algorithms (including ANY sized RSA key >= 1024). | 79 // algorithms (including ANY sized RSA key >= 1024). |
| 77 void RunTestCase(VerifyResult expected_result, const char* file_name) { | 80 void RunTestCase(VerifyResult expected_result, const char* file_name) { |
| 78 SimpleSignaturePolicy policy(1024); | 81 SimpleSignaturePolicy policy(1024); |
| 79 return RunTestCaseUsingPolicy(expected_result, file_name, &policy); | 82 return RunTestCaseUsingPolicy(expected_result, file_name, &policy); |
| 80 } | 83 } |
| 81 | 84 |
| (...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 208 RunTestCase(FAILURE, "rsa-pkcs1-sha256-spki-non-null-params.pem"); | 211 RunTestCase(FAILURE, "rsa-pkcs1-sha256-spki-non-null-params.pem"); |
| 209 } | 212 } |
| 210 | 213 |
| 211 TEST(VerifySignedDataTest, EcdsaPrime256v1Sha512UnusedBitsSignature) { | 214 TEST(VerifySignedDataTest, EcdsaPrime256v1Sha512UnusedBitsSignature) { |
| 212 RunTestCase(FAILURE, "ecdsa-prime256v1-sha512-unused-bits-signature.pem"); | 215 RunTestCase(FAILURE, "ecdsa-prime256v1-sha512-unused-bits-signature.pem"); |
| 213 } | 216 } |
| 214 | 217 |
| 215 // This policy rejects specifically secp384r1 curves. | 218 // This policy rejects specifically secp384r1 curves. |
| 216 class RejectSecp384r1Policy : public SignaturePolicy { | 219 class RejectSecp384r1Policy : public SignaturePolicy { |
| 217 public: | 220 public: |
| 218 bool IsAcceptableCurveForEcdsa(int curve_nid) const override { | 221 bool IsAcceptableCurveForEcdsa(int curve_nid, |
| 222 CertErrors* errors) const override { |
| 219 if (curve_nid == NID_secp384r1) | 223 if (curve_nid == NID_secp384r1) |
| 220 return false; | 224 return false; |
| 221 return true; | 225 return true; |
| 222 } | 226 } |
| 223 }; | 227 }; |
| 224 | 228 |
| 225 TEST(VerifySignedDataTest, PolicyIsAcceptableCurveForEcdsa) { | 229 TEST(VerifySignedDataTest, PolicyIsAcceptableCurveForEcdsa) { |
| 226 // Using the regular policy both secp384r1 and secp256r1 should be accepted. | 230 // Using the regular policy both secp384r1 and secp256r1 should be accepted. |
| 227 RunTestCase(SUCCESS, "ecdsa-secp384r1-sha256.pem"); | 231 RunTestCase(SUCCESS, "ecdsa-secp384r1-sha256.pem"); |
| 228 RunTestCase(SUCCESS, "ecdsa-prime256v1-sha512.pem"); | 232 RunTestCase(SUCCESS, "ecdsa-prime256v1-sha512.pem"); |
| (...skipping 17 matching lines...) Expand all Loading... |
| 246 SimpleSignaturePolicy policy_2048(2048); | 250 SimpleSignaturePolicy policy_2048(2048); |
| 247 RunTestCaseUsingPolicy(FAILURE, "rsa-pkcs1-sha256.pem", &policy_2048); | 251 RunTestCaseUsingPolicy(FAILURE, "rsa-pkcs1-sha256.pem", &policy_2048); |
| 248 RunTestCaseUsingPolicy(SUCCESS, "rsa2048-pkcs1-sha512.pem", &policy_2048); | 252 RunTestCaseUsingPolicy(SUCCESS, "rsa2048-pkcs1-sha512.pem", &policy_2048); |
| 249 } | 253 } |
| 250 | 254 |
| 251 // This policy rejects the use of SHA-512. | 255 // This policy rejects the use of SHA-512. |
| 252 class RejectSha512 : public SignaturePolicy { | 256 class RejectSha512 : public SignaturePolicy { |
| 253 public: | 257 public: |
| 254 RejectSha512() : SignaturePolicy() {} | 258 RejectSha512() : SignaturePolicy() {} |
| 255 | 259 |
| 256 bool IsAcceptableSignatureAlgorithm( | 260 bool IsAcceptableSignatureAlgorithm(const SignatureAlgorithm& algorithm, |
| 257 const SignatureAlgorithm& algorithm) const override { | 261 CertErrors* errors) const override { |
| 258 if (algorithm.algorithm() == SignatureAlgorithmId::RsaPss && | 262 if (algorithm.algorithm() == SignatureAlgorithmId::RsaPss && |
| 259 algorithm.ParamsForRsaPss()->mgf1_hash() == DigestAlgorithm::Sha512) { | 263 algorithm.ParamsForRsaPss()->mgf1_hash() == DigestAlgorithm::Sha512) { |
| 260 return false; | 264 return false; |
| 261 } | 265 } |
| 262 | 266 |
| 263 return algorithm.digest() != DigestAlgorithm::Sha512; | 267 return algorithm.digest() != DigestAlgorithm::Sha512; |
| 264 } | 268 } |
| 265 | 269 |
| 266 bool IsAcceptableModulusLengthForRsa( | 270 bool IsAcceptableModulusLengthForRsa(size_t modulus_length_bits, |
| 267 size_t modulus_length_bits) const override { | 271 CertErrors* errors) const override { |
| 268 return true; | 272 return true; |
| 269 } | 273 } |
| 270 }; | 274 }; |
| 271 | 275 |
| 272 TEST(VerifySignedDataTest, PolicyIsAcceptableDigestAlgorithm) { | 276 TEST(VerifySignedDataTest, PolicyIsAcceptableDigestAlgorithm) { |
| 273 // Using the regular policy use of either SHA256 or SHA512 should work | 277 // Using the regular policy use of either SHA256 or SHA512 should work |
| 274 // (whether as the main digest, or the MGF1 for RSASSA-PSS) | 278 // (whether as the main digest, or the MGF1 for RSASSA-PSS) |
| 275 RunTestCase(SUCCESS, "rsa2048-pkcs1-sha512.pem"); | 279 RunTestCase(SUCCESS, "rsa2048-pkcs1-sha512.pem"); |
| 276 RunTestCase(SUCCESS, "ecdsa-prime256v1-sha512.pem"); | 280 RunTestCase(SUCCESS, "ecdsa-prime256v1-sha512.pem"); |
| 277 RunTestCase(SUCCESS, "ecdsa-secp384r1-sha256.pem"); | 281 RunTestCase(SUCCESS, "ecdsa-secp384r1-sha256.pem"); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 288 RunTestCaseUsingPolicy(SUCCESS, "ecdsa-secp384r1-sha256.pem", &policy); | 292 RunTestCaseUsingPolicy(SUCCESS, "ecdsa-secp384r1-sha256.pem", &policy); |
| 289 RunTestCaseUsingPolicy(SUCCESS, "rsa-pkcs1-sha256.pem", &policy); | 293 RunTestCaseUsingPolicy(SUCCESS, "rsa-pkcs1-sha256.pem", &policy); |
| 290 RunTestCaseUsingPolicy(SUCCESS, "rsa-pss-sha256-salt10.pem", &policy); | 294 RunTestCaseUsingPolicy(SUCCESS, "rsa-pss-sha256-salt10.pem", &policy); |
| 291 RunTestCaseUsingPolicy(FAILURE, "rsa-pss-sha256-mgf1-sha512-salt33.pem", | 295 RunTestCaseUsingPolicy(FAILURE, "rsa-pss-sha256-mgf1-sha512-salt33.pem", |
| 292 &policy); | 296 &policy); |
| 293 } | 297 } |
| 294 | 298 |
| 295 } // namespace | 299 } // namespace |
| 296 | 300 |
| 297 } // namespace net | 301 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2289363004:
Add error information to VerifySignedData(). (Closed)
