| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/cancelable_callback.h" | 8 #include "base/cancelable_callback.h" |
| 9 #include "base/files/file_util.h" | 9 #include "base/files/file_util.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| 11 #include "base/path_service.h" | 11 #include "base/path_service.h" |
| 12 #include "base/threading/thread_task_runner_handle.h" | 12 #include "base/threading/thread_task_runner_handle.h" |
| 13 #include "net/base/net_errors.h" | |
| 14 #include "net/base/test_completion_callback.h" | 13 #include "net/base/test_completion_callback.h" |
| 15 #include "net/cert/internal/cert_issuer_source_static.h" | 14 #include "net/cert/internal/cert_issuer_source_static.h" |
| 16 #include "net/cert/internal/parsed_certificate.h" | 15 #include "net/cert/internal/parsed_certificate.h" |
| 17 #include "net/cert/internal/signature_policy.h" | 16 #include "net/cert/internal/signature_policy.h" |
| 18 #include "net/cert/internal/test_helpers.h" | 17 #include "net/cert/internal/test_helpers.h" |
| 19 #include "net/cert/internal/trust_store_in_memory.h" | 18 #include "net/cert/internal/trust_store_in_memory.h" |
| 20 #include "net/cert/internal/trust_store_test_helpers.h" | 19 #include "net/cert/internal/trust_store_test_helpers.h" |
| 21 #include "net/cert/internal/verify_certificate_chain.h" | 20 #include "net/cert/internal/verify_certificate_chain.h" |
| 22 #include "net/cert/pem_tokenizer.h" | 21 #include "net/cert/pem_tokenizer.h" |
| 23 #include "net/der/input.h" | 22 #include "net/der/input.h" |
| 24 #include "net/test/cert_test_util.h" | 23 #include "net/test/cert_test_util.h" |
| 25 #include "net/test/test_certificate_data.h" | 24 #include "net/test/test_certificate_data.h" |
| 26 #include "testing/gmock/include/gmock/gmock.h" | 25 #include "testing/gmock/include/gmock/gmock.h" |
| 27 #include "testing/gtest/include/gtest/gtest.h" | 26 #include "testing/gtest/include/gtest/gtest.h" |
| 28 | 27 |
| 29 namespace net { | 28 namespace net { |
| 30 | 29 |
| 30 // TODO(crbug.com/634443): Assert the errors for each ResultPath. |
| 31 |
| 31 namespace { | 32 namespace { |
| 32 | 33 |
| 33 using ::testing::_; | 34 using ::testing::_; |
| 34 using ::testing::Invoke; | 35 using ::testing::Invoke; |
| 35 using ::testing::NiceMock; | 36 using ::testing::NiceMock; |
| 36 using ::testing::Return; | 37 using ::testing::Return; |
| 37 using ::testing::SaveArg; | 38 using ::testing::SaveArg; |
| 38 using ::testing::SetArgPointee; | 39 using ::testing::SetArgPointee; |
| 39 using ::testing::StrictMock; | 40 using ::testing::StrictMock; |
| 40 | 41 |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 184 TrustStoreInMemory trust_store; | 185 TrustStoreInMemory trust_store; |
| 185 AddTrustedCertificate(a_by_b_, &trust_store); | 186 AddTrustedCertificate(a_by_b_, &trust_store); |
| 186 AddTrustedCertificate(b_by_f_, &trust_store); | 187 AddTrustedCertificate(b_by_f_, &trust_store); |
| 187 | 188 |
| 188 CertPathBuilder::Result result; | 189 CertPathBuilder::Result result; |
| 189 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 190 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 190 &result); | 191 &result); |
| 191 | 192 |
| 192 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 193 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 193 | 194 |
| 194 EXPECT_EQ(OK, result.error()); | 195 ASSERT_TRUE(result.HasValidPath()); |
| 195 ASSERT_FALSE(result.paths.empty()); | 196 const auto& path = result.GetBestValidPath()->path; |
| 196 const auto& path = result.paths[result.best_result_index]->path; | |
| 197 ASSERT_EQ(1U, path.certs.size()); | 197 ASSERT_EQ(1U, path.certs.size()); |
| 198 EXPECT_EQ(a_by_b_, path.certs[0]); | 198 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 199 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | 199 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); |
| 200 } | 200 } |
| 201 | 201 |
| 202 // If the target cert is has the same name and key as a trust anchor, however | 202 // If the target cert is has the same name and key as a trust anchor, however |
| 203 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI | 203 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI |
| 204 // is trusted, the certificate contents cannot be verified. | 204 // is trusted, the certificate contents cannot be verified. |
| 205 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { | 205 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { |
| 206 TrustStoreInMemory trust_store; | 206 TrustStoreInMemory trust_store; |
| 207 AddTrustedCertificate(a_by_b_, &trust_store); | 207 AddTrustedCertificate(a_by_b_, &trust_store); |
| 208 | 208 |
| 209 CertPathBuilder::Result result; | 209 CertPathBuilder::Result result; |
| 210 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 210 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 211 &result); | 211 &result); |
| 212 | 212 |
| 213 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 213 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 214 | 214 |
| 215 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 215 EXPECT_FALSE(result.HasValidPath()); |
| 216 } | 216 } |
| 217 | 217 |
| 218 // Test a failed path building when the trust anchor is provided as a | 218 // Test a failed path building when the trust anchor is provided as a |
| 219 // supplemental certificate. Conceptually the following paths can be built: | 219 // supplemental certificate. Conceptually the following paths can be built: |
| 220 // | 220 // |
| 221 // B(C) <- C(D) <- [Trust anchor D] | 221 // B(C) <- C(D) <- [Trust anchor D] |
| 222 // B(C) <- C(D) <- D(D) <- [Trust anchor D] | 222 // B(C) <- C(D) <- D(D) <- [Trust anchor D] |
| 223 // | 223 // |
| 224 // The second one is extraneous given the shorter one, however path building | 224 // The second one is extraneous given the shorter one, however path building |
| 225 // will enumerate it if the shorter one failed validation. | 225 // will enumerate it if the shorter one failed validation. |
| (...skipping 10 matching lines...) Expand all Loading... |
| 236 // C(D) is not valid at this time, so path building will fail. | 236 // C(D) is not valid at this time, so path building will fail. |
| 237 der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; | 237 der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; |
| 238 | 238 |
| 239 CertPathBuilder::Result result; | 239 CertPathBuilder::Result result; |
| 240 CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_, | 240 CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_, |
| 241 expired_time, &result); | 241 expired_time, &result); |
| 242 path_builder.AddCertIssuerSource(&sync_certs); | 242 path_builder.AddCertIssuerSource(&sync_certs); |
| 243 | 243 |
| 244 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 244 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 245 | 245 |
| 246 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 246 EXPECT_FALSE(result.HasValidPath()); |
| 247 ASSERT_EQ(2U, result.paths.size()); | 247 ASSERT_EQ(2U, result.paths.size()); |
| 248 | 248 |
| 249 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 249 EXPECT_FALSE(result.paths[0]->valid); |
| 250 const auto& path0 = result.paths[0]->path; | 250 const auto& path0 = result.paths[0]->path; |
| 251 ASSERT_EQ(2U, path0.certs.size()); | 251 ASSERT_EQ(2U, path0.certs.size()); |
| 252 EXPECT_EQ(b_by_c_, path0.certs[0]); | 252 EXPECT_EQ(b_by_c_, path0.certs[0]); |
| 253 EXPECT_EQ(c_by_d_, path0.certs[1]); | 253 EXPECT_EQ(c_by_d_, path0.certs[1]); |
| 254 EXPECT_EQ(d_by_d_, path0.trust_anchor->cert()); | 254 EXPECT_EQ(d_by_d_, path0.trust_anchor->cert()); |
| 255 | 255 |
| 256 const auto& path1 = result.paths[1]->path; | 256 const auto& path1 = result.paths[1]->path; |
| 257 ASSERT_EQ(3U, path1.certs.size()); | 257 ASSERT_EQ(3U, path1.certs.size()); |
| 258 EXPECT_EQ(b_by_c_, path1.certs[0]); | 258 EXPECT_EQ(b_by_c_, path1.certs[0]); |
| 259 EXPECT_EQ(c_by_d_, path1.certs[1]); | 259 EXPECT_EQ(c_by_d_, path1.certs[1]); |
| 260 EXPECT_EQ(d_by_d_, path1.certs[2]); | 260 EXPECT_EQ(d_by_d_, path1.certs[2]); |
| 261 EXPECT_EQ(d_by_d_, path1.trust_anchor->cert()); | 261 EXPECT_EQ(d_by_d_, path1.trust_anchor->cert()); |
| 262 } | 262 } |
| 263 | 263 |
| 264 // If the target cert is a self-signed cert whose key is a trust anchor, it | 264 // If the target cert is a self-signed cert whose key is a trust anchor, it |
| 265 // should verify. | 265 // should verify. |
| 266 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { | 266 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { |
| 267 TrustStoreInMemory trust_store; | 267 TrustStoreInMemory trust_store; |
| 268 AddTrustedCertificate(e_by_e_, &trust_store); | 268 AddTrustedCertificate(e_by_e_, &trust_store); |
| 269 // This is not necessary for the test, just an extra... | 269 // This is not necessary for the test, just an extra... |
| 270 AddTrustedCertificate(f_by_e_, &trust_store); | 270 AddTrustedCertificate(f_by_e_, &trust_store); |
| 271 | 271 |
| 272 CertPathBuilder::Result result; | 272 CertPathBuilder::Result result; |
| 273 CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_, | 273 CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_, |
| 274 &result); | 274 &result); |
| 275 | 275 |
| 276 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 276 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 277 | 277 |
| 278 EXPECT_EQ(OK, result.error()); | 278 ASSERT_TRUE(result.HasValidPath()); |
| 279 ASSERT_FALSE(result.paths.empty()); | 279 const auto& path = result.GetBestValidPath()->path; |
| 280 const auto& path = result.paths[result.best_result_index]->path; | |
| 281 ASSERT_EQ(1U, path.certs.size()); | 280 ASSERT_EQ(1U, path.certs.size()); |
| 282 EXPECT_EQ(e_by_e_, path.certs[0]); | 281 EXPECT_EQ(e_by_e_, path.certs[0]); |
| 283 EXPECT_EQ(e_by_e_, path.trust_anchor->cert()); | 282 EXPECT_EQ(e_by_e_, path.trust_anchor->cert()); |
| 284 } | 283 } |
| 285 | 284 |
| 286 // If the target cert is directly issued by a trust anchor, it should verify | 285 // If the target cert is directly issued by a trust anchor, it should verify |
| 287 // without any intermediate certs being provided. | 286 // without any intermediate certs being provided. |
| 288 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { | 287 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { |
| 289 TrustStoreInMemory trust_store; | 288 TrustStoreInMemory trust_store; |
| 290 AddTrustedCertificate(b_by_f_, &trust_store); | 289 AddTrustedCertificate(b_by_f_, &trust_store); |
| 291 | 290 |
| 292 CertPathBuilder::Result result; | 291 CertPathBuilder::Result result; |
| 293 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 292 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 294 &result); | 293 &result); |
| 295 | 294 |
| 296 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 295 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 297 | 296 |
| 298 ASSERT_EQ(OK, result.error()); | 297 ASSERT_TRUE(result.HasValidPath()); |
| 299 ASSERT_FALSE(result.paths.empty()); | 298 const auto& path = result.GetBestValidPath()->path; |
| 300 const auto& path = result.paths[result.best_result_index]->path; | |
| 301 ASSERT_EQ(1U, path.certs.size()); | 299 ASSERT_EQ(1U, path.certs.size()); |
| 302 EXPECT_EQ(a_by_b_, path.certs[0]); | 300 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 303 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | 301 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); |
| 304 } | 302 } |
| 305 | 303 |
| 306 // Test that async cert queries are not made if the path can be successfully | 304 // Test that async cert queries are not made if the path can be successfully |
| 307 // built with synchronously available certs. | 305 // built with synchronously available certs. |
| 308 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { | 306 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { |
| 309 TrustStoreInMemory trust_store; | 307 TrustStoreInMemory trust_store; |
| 310 AddTrustedCertificate(e_by_e_, &trust_store); | 308 AddTrustedCertificate(e_by_e_, &trust_store); |
| 311 | 309 |
| 312 CertIssuerSourceStatic sync_certs; | 310 CertIssuerSourceStatic sync_certs; |
| 313 sync_certs.AddCert(b_by_f_); | 311 sync_certs.AddCert(b_by_f_); |
| 314 sync_certs.AddCert(f_by_e_); | 312 sync_certs.AddCert(f_by_e_); |
| 315 | 313 |
| 316 AsyncCertIssuerSourceStatic async_certs; | 314 AsyncCertIssuerSourceStatic async_certs; |
| 317 async_certs.AddCert(b_by_c_); | 315 async_certs.AddCert(b_by_c_); |
| 318 async_certs.AddCert(c_by_e_); | 316 async_certs.AddCert(c_by_e_); |
| 319 | 317 |
| 320 CertPathBuilder::Result result; | 318 CertPathBuilder::Result result; |
| 321 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 319 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 322 &result); | 320 &result); |
| 323 path_builder.AddCertIssuerSource(&async_certs); | 321 path_builder.AddCertIssuerSource(&async_certs); |
| 324 path_builder.AddCertIssuerSource(&sync_certs); | 322 path_builder.AddCertIssuerSource(&sync_certs); |
| 325 | 323 |
| 326 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 324 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 327 | 325 |
| 328 EXPECT_EQ(OK, result.error()); | 326 EXPECT_TRUE(result.HasValidPath()); |
| 329 EXPECT_EQ(0, async_certs.num_async_gets()); | 327 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 330 } | 328 } |
| 331 | 329 |
| 332 // Test that async cert queries are not made if no callback is provided. | 330 // Test that async cert queries are not made if no callback is provided. |
| 333 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { | 331 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { |
| 334 TrustStoreInMemory trust_store; | 332 TrustStoreInMemory trust_store; |
| 335 AddTrustedCertificate(e_by_e_, &trust_store); | 333 AddTrustedCertificate(e_by_e_, &trust_store); |
| 336 | 334 |
| 337 CertIssuerSourceStatic sync_certs; | 335 CertIssuerSourceStatic sync_certs; |
| 338 sync_certs.AddCert(f_by_e_); | 336 sync_certs.AddCert(f_by_e_); |
| 339 | 337 |
| 340 AsyncCertIssuerSourceStatic async_certs; | 338 AsyncCertIssuerSourceStatic async_certs; |
| 341 async_certs.AddCert(b_by_f_); | 339 async_certs.AddCert(b_by_f_); |
| 342 | 340 |
| 343 CertPathBuilder::Result result; | 341 CertPathBuilder::Result result; |
| 344 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 342 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 345 &result); | 343 &result); |
| 346 path_builder.AddCertIssuerSource(&async_certs); | 344 path_builder.AddCertIssuerSource(&async_certs); |
| 347 path_builder.AddCertIssuerSource(&sync_certs); | 345 path_builder.AddCertIssuerSource(&sync_certs); |
| 348 | 346 |
| 349 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); | 347 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); |
| 350 | 348 |
| 351 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 349 EXPECT_FALSE(result.HasValidPath()); |
| 352 EXPECT_EQ(0, async_certs.num_async_gets()); | 350 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 353 } | 351 } |
| 354 | 352 |
| 355 // If async queries are needed, all async sources will be queried | 353 // If async queries are needed, all async sources will be queried |
| 356 // simultaneously. | 354 // simultaneously. |
| 357 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { | 355 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { |
| 358 TrustStoreInMemory trust_store; | 356 TrustStoreInMemory trust_store; |
| 359 AddTrustedCertificate(e_by_e_, &trust_store); | 357 AddTrustedCertificate(e_by_e_, &trust_store); |
| 360 | 358 |
| 361 CertIssuerSourceStatic sync_certs; | 359 CertIssuerSourceStatic sync_certs; |
| 362 sync_certs.AddCert(b_by_c_); | 360 sync_certs.AddCert(b_by_c_); |
| 363 sync_certs.AddCert(b_by_f_); | 361 sync_certs.AddCert(b_by_f_); |
| 364 | 362 |
| 365 AsyncCertIssuerSourceStatic async_certs1; | 363 AsyncCertIssuerSourceStatic async_certs1; |
| 366 async_certs1.AddCert(c_by_e_); | 364 async_certs1.AddCert(c_by_e_); |
| 367 | 365 |
| 368 AsyncCertIssuerSourceStatic async_certs2; | 366 AsyncCertIssuerSourceStatic async_certs2; |
| 369 async_certs2.AddCert(f_by_e_); | 367 async_certs2.AddCert(f_by_e_); |
| 370 | 368 |
| 371 CertPathBuilder::Result result; | 369 CertPathBuilder::Result result; |
| 372 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 370 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 373 &result); | 371 &result); |
| 374 path_builder.AddCertIssuerSource(&async_certs1); | 372 path_builder.AddCertIssuerSource(&async_certs1); |
| 375 path_builder.AddCertIssuerSource(&async_certs2); | 373 path_builder.AddCertIssuerSource(&async_certs2); |
| 376 path_builder.AddCertIssuerSource(&sync_certs); | 374 path_builder.AddCertIssuerSource(&sync_certs); |
| 377 | 375 |
| 378 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 376 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 379 | 377 |
| 380 EXPECT_EQ(OK, result.error()); | 378 EXPECT_TRUE(result.HasValidPath()); |
| 381 EXPECT_EQ(1, async_certs1.num_async_gets()); | 379 EXPECT_EQ(1, async_certs1.num_async_gets()); |
| 382 EXPECT_EQ(1, async_certs2.num_async_gets()); | 380 EXPECT_EQ(1, async_certs2.num_async_gets()); |
| 383 } | 381 } |
| 384 | 382 |
| 385 // Test that PathBuilder does not generate longer paths than necessary if one of | 383 // Test that PathBuilder does not generate longer paths than necessary if one of |
| 386 // the supplied certs is itself a trust anchor. | 384 // the supplied certs is itself a trust anchor. |
| 387 TEST_F(PathBuilderMultiRootTest, TestLongChain) { | 385 TEST_F(PathBuilderMultiRootTest, TestLongChain) { |
| 388 // Both D(D) and C(D) are trusted roots. | 386 // Both D(D) and C(D) are trusted roots. |
| 389 TrustStoreInMemory trust_store; | 387 TrustStoreInMemory trust_store; |
| 390 AddTrustedCertificate(d_by_d_, &trust_store); | 388 AddTrustedCertificate(d_by_d_, &trust_store); |
| 391 AddTrustedCertificate(c_by_d_, &trust_store); | 389 AddTrustedCertificate(c_by_d_, &trust_store); |
| 392 | 390 |
| 393 // Certs B(C), and C(D) are all supplied. | 391 // Certs B(C), and C(D) are all supplied. |
| 394 CertIssuerSourceStatic sync_certs; | 392 CertIssuerSourceStatic sync_certs; |
| 395 sync_certs.AddCert(b_by_c_); | 393 sync_certs.AddCert(b_by_c_); |
| 396 sync_certs.AddCert(c_by_d_); | 394 sync_certs.AddCert(c_by_d_); |
| 397 | 395 |
| 398 CertPathBuilder::Result result; | 396 CertPathBuilder::Result result; |
| 399 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 397 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 400 &result); | 398 &result); |
| 401 path_builder.AddCertIssuerSource(&sync_certs); | 399 path_builder.AddCertIssuerSource(&sync_certs); |
| 402 | 400 |
| 403 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 401 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 404 | 402 |
| 405 EXPECT_EQ(OK, result.error()); | 403 ASSERT_TRUE(result.HasValidPath()); |
| 406 | 404 |
| 407 // The result path should be A(B) <- B(C) <- C(D) | 405 // The result path should be A(B) <- B(C) <- C(D) |
| 408 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) | 406 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) |
| 409 ASSERT_FALSE(result.paths.empty()); | 407 EXPECT_EQ(2U, result.GetBestValidPath()->path.certs.size()); |
| 410 const auto& path = result.paths[result.best_result_index]->path; | |
| 411 EXPECT_EQ(2U, path.certs.size()); | |
| 412 } | 408 } |
| 413 | 409 |
| 414 // Test that PathBuilder will backtrack and try a different path if the first | 410 // Test that PathBuilder will backtrack and try a different path if the first |
| 415 // one doesn't work out. | 411 // one doesn't work out. |
| 416 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { | 412 TEST_F(PathBuilderMultiRootTest, TestBacktracking) { |
| 417 // Only D(D) is a trusted root. | 413 // Only D(D) is a trusted root. |
| 418 TrustStoreInMemory trust_store; | 414 TrustStoreInMemory trust_store; |
| 419 AddTrustedCertificate(d_by_d_, &trust_store); | 415 AddTrustedCertificate(d_by_d_, &trust_store); |
| 420 | 416 |
| 421 // Certs B(F) and F(E) are supplied synchronously, thus the path | 417 // Certs B(F) and F(E) are supplied synchronously, thus the path |
| 422 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. | 418 // A(B) <- B(F) <- F(E) should be built first, though it won't verify. |
| 423 CertIssuerSourceStatic sync_certs; | 419 CertIssuerSourceStatic sync_certs; |
| 424 sync_certs.AddCert(b_by_f_); | 420 sync_certs.AddCert(b_by_f_); |
| 425 sync_certs.AddCert(f_by_e_); | 421 sync_certs.AddCert(f_by_e_); |
| 426 | 422 |
| 427 // Certs B(C), and C(D) are supplied asynchronously, so the path | 423 // Certs B(C), and C(D) are supplied asynchronously, so the path |
| 428 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. | 424 // A(B) <- B(C) <- C(D) <- D(D) should be tried second. |
| 429 AsyncCertIssuerSourceStatic async_certs; | 425 AsyncCertIssuerSourceStatic async_certs; |
| 430 async_certs.AddCert(b_by_c_); | 426 async_certs.AddCert(b_by_c_); |
| 431 async_certs.AddCert(c_by_d_); | 427 async_certs.AddCert(c_by_d_); |
| 432 | 428 |
| 433 CertPathBuilder::Result result; | 429 CertPathBuilder::Result result; |
| 434 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 430 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 435 &result); | 431 &result); |
| 436 path_builder.AddCertIssuerSource(&sync_certs); | 432 path_builder.AddCertIssuerSource(&sync_certs); |
| 437 path_builder.AddCertIssuerSource(&async_certs); | 433 path_builder.AddCertIssuerSource(&async_certs); |
| 438 | 434 |
| 439 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 435 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 440 | 436 |
| 441 EXPECT_EQ(OK, result.error()); | 437 ASSERT_TRUE(result.HasValidPath()); |
| 442 | 438 |
| 443 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 439 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 444 ASSERT_FALSE(result.paths.empty()); | 440 const auto& path = result.GetBestValidPath()->path; |
| 445 const auto& path = result.paths[result.best_result_index]->path; | |
| 446 ASSERT_EQ(3U, path.certs.size()); | 441 ASSERT_EQ(3U, path.certs.size()); |
| 447 EXPECT_EQ(a_by_b_, path.certs[0]); | 442 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 448 EXPECT_EQ(b_by_c_, path.certs[1]); | 443 EXPECT_EQ(b_by_c_, path.certs[1]); |
| 449 EXPECT_EQ(c_by_d_, path.certs[2]); | 444 EXPECT_EQ(c_by_d_, path.certs[2]); |
| 450 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); | 445 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); |
| 451 } | 446 } |
| 452 | 447 |
| 453 // Test that whichever order CertIssuerSource returns the issuers, the path | 448 // Test that whichever order CertIssuerSource returns the issuers, the path |
| 454 // building still succeeds. | 449 // building still succeeds. |
| 455 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { | 450 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { |
| (...skipping 14 matching lines...) Expand all Loading... |
| 470 sync_certs.AddCert(cert); | 465 sync_certs.AddCert(cert); |
| 471 } | 466 } |
| 472 | 467 |
| 473 CertPathBuilder::Result result; | 468 CertPathBuilder::Result result; |
| 474 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, | 469 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, |
| 475 time_, &result); | 470 time_, &result); |
| 476 path_builder.AddCertIssuerSource(&sync_certs); | 471 path_builder.AddCertIssuerSource(&sync_certs); |
| 477 | 472 |
| 478 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 473 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 479 | 474 |
| 480 EXPECT_EQ(OK, result.error()); | 475 ASSERT_TRUE(result.HasValidPath()); |
| 481 | 476 |
| 482 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 477 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 483 ASSERT_FALSE(result.paths.empty()); | 478 const auto& path = result.GetBestValidPath()->path; |
| 484 const auto& path = result.paths[result.best_result_index]->path; | |
| 485 ASSERT_EQ(3U, path.certs.size()); | 479 ASSERT_EQ(3U, path.certs.size()); |
| 486 EXPECT_EQ(a_by_b_, path.certs[0]); | 480 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 487 EXPECT_EQ(b_by_c_, path.certs[1]); | 481 EXPECT_EQ(b_by_c_, path.certs[1]); |
| 488 EXPECT_EQ(c_by_d_, path.certs[2]); | 482 EXPECT_EQ(c_by_d_, path.certs[2]); |
| 489 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); | 483 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); |
| 490 } | 484 } |
| 491 } | 485 } |
| 492 | 486 |
| 493 class PathBuilderKeyRolloverTest : public ::testing::Test { | 487 class PathBuilderKeyRolloverTest : public ::testing::Test { |
| 494 public: | 488 public: |
| (...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 554 sync_certs.AddCert(newintermediate_); | 548 sync_certs.AddCert(newintermediate_); |
| 555 sync_certs.AddCert(newrootrollover_); | 549 sync_certs.AddCert(newrootrollover_); |
| 556 | 550 |
| 557 CertPathBuilder::Result result; | 551 CertPathBuilder::Result result; |
| 558 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 552 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 559 &result); | 553 &result); |
| 560 path_builder.AddCertIssuerSource(&sync_certs); | 554 path_builder.AddCertIssuerSource(&sync_certs); |
| 561 | 555 |
| 562 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 556 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 563 | 557 |
| 564 EXPECT_EQ(OK, result.error()); | 558 EXPECT_TRUE(result.HasValidPath()); |
| 565 | 559 |
| 566 // Path builder will first attempt: target <- newintermediate <- oldroot | 560 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 567 // but it will fail since newintermediate is signed by newroot. | 561 // but it will fail since newintermediate is signed by newroot. |
| 568 ASSERT_EQ(2U, result.paths.size()); | 562 ASSERT_EQ(2U, result.paths.size()); |
| 569 const auto& path0 = result.paths[0]->path; | 563 const auto& path0 = result.paths[0]->path; |
| 570 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 564 EXPECT_FALSE(result.paths[0]->valid); |
| 571 ASSERT_EQ(2U, path0.certs.size()); | 565 ASSERT_EQ(2U, path0.certs.size()); |
| 572 EXPECT_EQ(target_, path0.certs[0]); | 566 EXPECT_EQ(target_, path0.certs[0]); |
| 573 EXPECT_EQ(newintermediate_, path0.certs[1]); | 567 EXPECT_EQ(newintermediate_, path0.certs[1]); |
| 574 EXPECT_EQ(oldroot_, path0.trust_anchor); | 568 EXPECT_EQ(oldroot_, path0.trust_anchor); |
| 575 | 569 |
| 576 // Path builder will next attempt: | 570 // Path builder will next attempt: |
| 577 // target <- newintermediate <- newrootrollover <- oldroot | 571 // target <- newintermediate <- newrootrollover <- oldroot |
| 578 // which will succeed. | 572 // which will succeed. |
| 579 const auto& path1 = result.paths[1]->path; | 573 const auto& path1 = result.paths[1]->path; |
| 580 EXPECT_EQ(1U, result.best_result_index); | 574 EXPECT_EQ(1U, result.best_result_index); |
| 581 EXPECT_EQ(OK, result.paths[1]->error); | 575 EXPECT_TRUE(result.paths[1]->valid); |
| 582 ASSERT_EQ(3U, path1.certs.size()); | 576 ASSERT_EQ(3U, path1.certs.size()); |
| 583 EXPECT_EQ(target_, path1.certs[0]); | 577 EXPECT_EQ(target_, path1.certs[0]); |
| 584 EXPECT_EQ(newintermediate_, path1.certs[1]); | 578 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 585 EXPECT_EQ(newrootrollover_, path1.certs[2]); | 579 EXPECT_EQ(newrootrollover_, path1.certs[2]); |
| 586 EXPECT_EQ(oldroot_, path1.trust_anchor); | 580 EXPECT_EQ(oldroot_, path1.trust_anchor); |
| 587 } | 581 } |
| 588 | 582 |
| 589 // Tests that if both old and new roots are trusted it can build a path through | 583 // Tests that if both old and new roots are trusted it can build a path through |
| 590 // either. | 584 // either. |
| 591 // TODO(mattm): Once prioritization is implemented, it should test that it | 585 // TODO(mattm): Once prioritization is implemented, it should test that it |
| (...skipping 10 matching lines...) Expand all Loading... |
| 602 sync_certs.AddCert(newintermediate_); | 596 sync_certs.AddCert(newintermediate_); |
| 603 sync_certs.AddCert(newrootrollover_); | 597 sync_certs.AddCert(newrootrollover_); |
| 604 | 598 |
| 605 CertPathBuilder::Result result; | 599 CertPathBuilder::Result result; |
| 606 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 600 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 607 &result); | 601 &result); |
| 608 path_builder.AddCertIssuerSource(&sync_certs); | 602 path_builder.AddCertIssuerSource(&sync_certs); |
| 609 | 603 |
| 610 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 604 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 611 | 605 |
| 612 EXPECT_EQ(OK, result.error()); | 606 EXPECT_TRUE(result.HasValidPath()); |
| 613 | 607 |
| 614 // Path builder willattempt one of: | 608 // Path builder willattempt one of: |
| 615 // target <- oldintermediate <- oldroot | 609 // target <- oldintermediate <- oldroot |
| 616 // target <- newintermediate <- newroot | 610 // target <- newintermediate <- newroot |
| 617 // either will succeed. | 611 // either will succeed. |
| 618 ASSERT_EQ(1U, result.paths.size()); | 612 ASSERT_EQ(1U, result.paths.size()); |
| 619 const auto& path = result.paths[0]->path; | 613 const auto& path = result.paths[0]->path; |
| 620 EXPECT_EQ(OK, result.paths[0]->error); | 614 EXPECT_TRUE(result.paths[0]->valid); |
| 621 ASSERT_EQ(2U, path.certs.size()); | 615 ASSERT_EQ(2U, path.certs.size()); |
| 622 EXPECT_EQ(target_, path.certs[0]); | 616 EXPECT_EQ(target_, path.certs[0]); |
| 623 if (path.certs[1] != newintermediate_) { | 617 if (path.certs[1] != newintermediate_) { |
| 624 DVLOG(1) << "USED OLD"; | 618 DVLOG(1) << "USED OLD"; |
| 625 EXPECT_EQ(oldintermediate_, path.certs[1]); | 619 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 626 EXPECT_EQ(oldroot_, path.trust_anchor); | 620 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 627 } else { | 621 } else { |
| 628 DVLOG(1) << "USED NEW"; | 622 DVLOG(1) << "USED NEW"; |
| 629 EXPECT_EQ(newintermediate_, path.certs[1]); | 623 EXPECT_EQ(newintermediate_, path.certs[1]); |
| 630 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 624 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 642 TrustAnchor::CreateFromCertificateNoConstraints(oldintermediate_)); | 636 TrustAnchor::CreateFromCertificateNoConstraints(oldintermediate_)); |
| 643 trust_store.AddAsyncTrustAnchor( | 637 trust_store.AddAsyncTrustAnchor( |
| 644 TrustAnchor::CreateFromCertificateNoConstraints(newintermediate_)); | 638 TrustAnchor::CreateFromCertificateNoConstraints(newintermediate_)); |
| 645 | 639 |
| 646 CertPathBuilder::Result result; | 640 CertPathBuilder::Result result; |
| 647 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 641 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 648 &result); | 642 &result); |
| 649 | 643 |
| 650 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 644 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 651 | 645 |
| 652 EXPECT_EQ(OK, result.error()); | 646 EXPECT_TRUE(result.HasValidPath()); |
| 653 | 647 |
| 654 ASSERT_EQ(1U, result.paths.size()); | 648 ASSERT_EQ(1U, result.paths.size()); |
| 655 const auto& path = result.paths[0]->path; | 649 const auto& path = result.paths[0]->path; |
| 656 EXPECT_EQ(OK, result.paths[0]->error); | 650 EXPECT_TRUE(result.paths[0]->valid); |
| 657 ASSERT_EQ(1U, path.certs.size()); | 651 ASSERT_EQ(1U, path.certs.size()); |
| 658 EXPECT_EQ(target_, path.certs[0]); | 652 EXPECT_EQ(target_, path.certs[0]); |
| 659 EXPECT_EQ(oldintermediate_, path.trust_anchor->cert()); | 653 EXPECT_EQ(oldintermediate_, path.trust_anchor->cert()); |
| 660 } | 654 } |
| 661 | 655 |
| 662 // Async trust anchor checks should be done before synchronous issuer checks are | 656 // Async trust anchor checks should be done before synchronous issuer checks are |
| 663 // considered. (Avoiding creating unnecessarily long paths.) | 657 // considered. (Avoiding creating unnecessarily long paths.) |
| 664 // | 658 // |
| 665 // Two valid paths could be built: | 659 // Two valid paths could be built: |
| 666 // newintermediate <- newrootrollover <- oldroot | 660 // newintermediate <- newrootrollover <- oldroot |
| (...skipping 15 matching lines...) Expand all Loading... |
| 682 CertIssuerSourceStatic sync_certs; | 676 CertIssuerSourceStatic sync_certs; |
| 683 sync_certs.AddCert(newrootrollover_); | 677 sync_certs.AddCert(newrootrollover_); |
| 684 | 678 |
| 685 CertPathBuilder::Result result; | 679 CertPathBuilder::Result result; |
| 686 CertPathBuilder path_builder(newintermediate_, &trust_store, | 680 CertPathBuilder path_builder(newintermediate_, &trust_store, |
| 687 &signature_policy_, time_, &result); | 681 &signature_policy_, time_, &result); |
| 688 path_builder.AddCertIssuerSource(&sync_certs); | 682 path_builder.AddCertIssuerSource(&sync_certs); |
| 689 | 683 |
| 690 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 684 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 691 | 685 |
| 692 EXPECT_EQ(OK, result.error()); | 686 EXPECT_TRUE(result.HasValidPath()); |
| 693 | 687 |
| 694 ASSERT_EQ(2U, result.paths.size()); | 688 ASSERT_EQ(2U, result.paths.size()); |
| 695 { | 689 { |
| 696 const auto& path = result.paths[0]->path; | 690 const auto& path = result.paths[0]->path; |
| 697 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 691 EXPECT_FALSE(result.paths[0]->valid); |
| 698 ASSERT_EQ(1U, path.certs.size()); | 692 ASSERT_EQ(1U, path.certs.size()); |
| 699 EXPECT_EQ(newintermediate_, path.certs[0]); | 693 EXPECT_EQ(newintermediate_, path.certs[0]); |
| 700 EXPECT_EQ(oldroot_, path.trust_anchor); | 694 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 701 } | 695 } |
| 702 { | 696 { |
| 703 const auto& path = result.paths[1]->path; | 697 const auto& path = result.paths[1]->path; |
| 704 EXPECT_EQ(OK, result.paths[1]->error); | 698 EXPECT_TRUE(result.paths[1]->valid); |
| 705 ASSERT_EQ(1U, path.certs.size()); | 699 ASSERT_EQ(1U, path.certs.size()); |
| 706 EXPECT_EQ(newintermediate_, path.certs[0]); | 700 EXPECT_EQ(newintermediate_, path.certs[0]); |
| 707 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 701 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 708 } | 702 } |
| 709 } | 703 } |
| 710 | 704 |
| 711 // If async trust anchor query returned no results, and there are no issuer | 705 // If async trust anchor query returned no results, and there are no issuer |
| 712 // sources, path building should fail at that point. | 706 // sources, path building should fail at that point. |
| 713 TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsNoMatchAndNoIssuerSources) { | 707 TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsNoMatchAndNoIssuerSources) { |
| 714 TrustStoreInMemoryAsync trust_store; | 708 TrustStoreInMemoryAsync trust_store; |
| 715 trust_store.AddAsyncTrustAnchor( | 709 trust_store.AddAsyncTrustAnchor( |
| 716 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); | 710 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); |
| 717 | 711 |
| 718 CertPathBuilder::Result result; | 712 CertPathBuilder::Result result; |
| 719 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 713 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 720 &result); | 714 &result); |
| 721 | 715 |
| 722 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 716 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 723 | 717 |
| 724 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 718 EXPECT_FALSE(result.HasValidPath()); |
| 725 | 719 |
| 726 ASSERT_EQ(0U, result.paths.size()); | 720 ASSERT_EQ(0U, result.paths.size()); |
| 727 } | 721 } |
| 728 | 722 |
| 729 // Both trust store and issuer source are async. Should successfully build a | 723 // Both trust store and issuer source are async. Should successfully build a |
| 730 // path. | 724 // path. |
| 731 TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsAndAsyncIssuers) { | 725 TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsAndAsyncIssuers) { |
| 732 TrustStoreInMemoryAsync trust_store; | 726 TrustStoreInMemoryAsync trust_store; |
| 733 trust_store.AddAsyncTrustAnchor( | 727 trust_store.AddAsyncTrustAnchor( |
| 734 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); | 728 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); |
| 735 | 729 |
| 736 AsyncCertIssuerSourceStatic async_certs; | 730 AsyncCertIssuerSourceStatic async_certs; |
| 737 async_certs.AddCert(newintermediate_); | 731 async_certs.AddCert(newintermediate_); |
| 738 | 732 |
| 739 CertPathBuilder::Result result; | 733 CertPathBuilder::Result result; |
| 740 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 734 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 741 &result); | 735 &result); |
| 742 path_builder.AddCertIssuerSource(&async_certs); | 736 path_builder.AddCertIssuerSource(&async_certs); |
| 743 | 737 |
| 744 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 738 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 745 | 739 |
| 746 EXPECT_EQ(OK, result.error()); | 740 EXPECT_TRUE(result.HasValidPath()); |
| 747 | 741 |
| 748 ASSERT_EQ(1U, result.paths.size()); | 742 ASSERT_EQ(1U, result.paths.size()); |
| 749 const auto& path = result.paths[0]->path; | 743 const auto& path = result.paths[0]->path; |
| 750 EXPECT_EQ(OK, result.paths[0]->error); | 744 EXPECT_TRUE(result.paths[0]->valid); |
| 751 ASSERT_EQ(2U, path.certs.size()); | 745 ASSERT_EQ(2U, path.certs.size()); |
| 752 EXPECT_EQ(target_, path.certs[0]); | 746 EXPECT_EQ(target_, path.certs[0]); |
| 753 EXPECT_EQ(newintermediate_, path.certs[1]); | 747 EXPECT_EQ(newintermediate_, path.certs[1]); |
| 754 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 748 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 755 } | 749 } |
| 756 | 750 |
| 757 // Tests that multiple trust root matches on a single path will be considered. | 751 // Tests that multiple trust root matches on a single path will be considered. |
| 758 // Both roots have the same subject but different keys. Only one of them will | 752 // Both roots have the same subject but different keys. Only one of them will |
| 759 // verify. | 753 // verify. |
| 760 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { | 754 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { |
| (...skipping 11 matching lines...) Expand all Loading... |
| 772 CertIssuerSourceStatic sync_certs; | 766 CertIssuerSourceStatic sync_certs; |
| 773 sync_certs.AddCert(oldintermediate_); | 767 sync_certs.AddCert(oldintermediate_); |
| 774 | 768 |
| 775 CertPathBuilder::Result result; | 769 CertPathBuilder::Result result; |
| 776 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 770 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 777 &result); | 771 &result); |
| 778 path_builder.AddCertIssuerSource(&sync_certs); | 772 path_builder.AddCertIssuerSource(&sync_certs); |
| 779 | 773 |
| 780 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 774 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 781 | 775 |
| 782 EXPECT_EQ(OK, result.error()); | 776 EXPECT_TRUE(result.HasValidPath()); |
| 783 ASSERT_EQ(2U, result.paths.size()); | 777 ASSERT_EQ(2U, result.paths.size()); |
| 784 | 778 |
| 785 { | 779 { |
| 786 // Path builder may first attempt: target <- oldintermediate <- newroot | 780 // Path builder may first attempt: target <- oldintermediate <- newroot |
| 787 // but it will fail since oldintermediate is signed by oldroot. | 781 // but it will fail since oldintermediate is signed by oldroot. |
| 788 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 782 EXPECT_FALSE(result.paths[0]->valid); |
| 789 const auto& path = result.paths[0]->path; | 783 const auto& path = result.paths[0]->path; |
| 790 ASSERT_EQ(2U, path.certs.size()); | 784 ASSERT_EQ(2U, path.certs.size()); |
| 791 EXPECT_EQ(target_, path.certs[0]); | 785 EXPECT_EQ(target_, path.certs[0]); |
| 792 EXPECT_EQ(oldintermediate_, path.certs[1]); | 786 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 793 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 787 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 794 } | 788 } |
| 795 | 789 |
| 796 { | 790 { |
| 797 // Path builder will next attempt: | 791 // Path builder will next attempt: |
| 798 // target <- old intermediate <- oldroot | 792 // target <- old intermediate <- oldroot |
| 799 // which should succeed. | 793 // which should succeed. |
| 800 EXPECT_EQ(OK, result.paths[result.best_result_index]->error); | 794 EXPECT_TRUE(result.paths[result.best_result_index]->valid); |
| 801 const auto& path = result.paths[result.best_result_index]->path; | 795 const auto& path = result.paths[result.best_result_index]->path; |
| 802 ASSERT_EQ(2U, path.certs.size()); | 796 ASSERT_EQ(2U, path.certs.size()); |
| 803 EXPECT_EQ(target_, path.certs[0]); | 797 EXPECT_EQ(target_, path.certs[0]); |
| 804 EXPECT_EQ(oldintermediate_, path.certs[1]); | 798 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 805 EXPECT_EQ(oldroot_, path.trust_anchor); | 799 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 806 } | 800 } |
| 807 } | 801 } |
| 808 | 802 |
| 809 // Tests that the path builder doesn't build longer than necessary paths. | 803 // Tests that the path builder doesn't build longer than necessary paths. |
| 810 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { | 804 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { |
| (...skipping 12 matching lines...) Expand all Loading... |
| 823 async_certs.AddCert(newrootrollover_); | 817 async_certs.AddCert(newrootrollover_); |
| 824 | 818 |
| 825 CertPathBuilder::Result result; | 819 CertPathBuilder::Result result; |
| 826 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 820 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 827 &result); | 821 &result); |
| 828 path_builder.AddCertIssuerSource(&sync_certs); | 822 path_builder.AddCertIssuerSource(&sync_certs); |
| 829 path_builder.AddCertIssuerSource(&async_certs); | 823 path_builder.AddCertIssuerSource(&async_certs); |
| 830 | 824 |
| 831 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 825 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 832 | 826 |
| 833 EXPECT_EQ(OK, result.error()); | 827 EXPECT_TRUE(result.HasValidPath()); |
| 834 ASSERT_EQ(3U, result.paths.size()); | 828 ASSERT_EQ(3U, result.paths.size()); |
| 835 | 829 |
| 836 // Path builder will first attempt: target <- newintermediate <- oldroot | 830 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 837 // but it will fail since newintermediate is signed by newroot. | 831 // but it will fail since newintermediate is signed by newroot. |
| 838 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 832 EXPECT_FALSE(result.paths[0]->valid); |
| 839 const auto& path0 = result.paths[0]->path; | 833 const auto& path0 = result.paths[0]->path; |
| 840 ASSERT_EQ(2U, path0.certs.size()); | 834 ASSERT_EQ(2U, path0.certs.size()); |
| 841 EXPECT_EQ(target_, path0.certs[0]); | 835 EXPECT_EQ(target_, path0.certs[0]); |
| 842 EXPECT_EQ(newintermediate_, path0.certs[1]); | 836 EXPECT_EQ(newintermediate_, path0.certs[1]); |
| 843 EXPECT_EQ(oldroot_, path0.trust_anchor); | 837 EXPECT_EQ(oldroot_, path0.trust_anchor); |
| 844 | 838 |
| 845 // Path builder will next attempt: | 839 // Path builder will next attempt: |
| 846 // target <- newintermediate <- newroot <- oldroot | 840 // target <- newintermediate <- newroot <- oldroot |
| 847 // but it will fail since newroot is self-signed. | 841 // but it will fail since newroot is self-signed. |
| 848 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[1]->error); | 842 EXPECT_FALSE(result.paths[1]->valid); |
| 849 const auto& path1 = result.paths[1]->path; | 843 const auto& path1 = result.paths[1]->path; |
| 850 ASSERT_EQ(3U, path1.certs.size()); | 844 ASSERT_EQ(3U, path1.certs.size()); |
| 851 EXPECT_EQ(target_, path1.certs[0]); | 845 EXPECT_EQ(target_, path1.certs[0]); |
| 852 EXPECT_EQ(newintermediate_, path1.certs[1]); | 846 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 853 EXPECT_EQ(newroot_, path1.certs[2]); | 847 EXPECT_EQ(newroot_, path1.certs[2]); |
| 854 EXPECT_EQ(oldroot_, path1.trust_anchor); | 848 EXPECT_EQ(oldroot_, path1.trust_anchor); |
| 855 | 849 |
| 856 // Path builder will skip: | 850 // Path builder will skip: |
| 857 // target <- newintermediate <- newroot <- newrootrollover <- ... | 851 // target <- newintermediate <- newroot <- newrootrollover <- ... |
| 858 // Since newroot and newrootrollover have the same Name+SAN+SPKI. | 852 // Since newroot and newrootrollover have the same Name+SAN+SPKI. |
| 859 | 853 |
| 860 // Finally path builder will use: | 854 // Finally path builder will use: |
| 861 // target <- newintermediate <- newrootrollover <- oldroot | 855 // target <- newintermediate <- newrootrollover <- oldroot |
| 862 EXPECT_EQ(2U, result.best_result_index); | 856 EXPECT_EQ(2U, result.best_result_index); |
| 863 EXPECT_EQ(OK, result.paths[2]->error); | 857 EXPECT_TRUE(result.paths[2]->valid); |
| 864 const auto& path2 = result.paths[2]->path; | 858 const auto& path2 = result.paths[2]->path; |
| 865 ASSERT_EQ(3U, path2.certs.size()); | 859 ASSERT_EQ(3U, path2.certs.size()); |
| 866 EXPECT_EQ(target_, path2.certs[0]); | 860 EXPECT_EQ(target_, path2.certs[0]); |
| 867 EXPECT_EQ(newintermediate_, path2.certs[1]); | 861 EXPECT_EQ(newintermediate_, path2.certs[1]); |
| 868 EXPECT_EQ(newrootrollover_, path2.certs[2]); | 862 EXPECT_EQ(newrootrollover_, path2.certs[2]); |
| 869 EXPECT_EQ(oldroot_, path2.trust_anchor); | 863 EXPECT_EQ(oldroot_, path2.trust_anchor); |
| 870 } | 864 } |
| 871 | 865 |
| 872 // If the target cert is a trust anchor, however is not itself *signed* by a | 866 // If the target cert is a trust anchor, however is not itself *signed* by a |
| 873 // trust anchor, then it is not considered valid (the SPKI and name of the | 867 // trust anchor, then it is not considered valid (the SPKI and name of the |
| 874 // trust anchor matches the SPKI and subject of the targe certificate, but the | 868 // trust anchor matches the SPKI and subject of the targe certificate, but the |
| 875 // rest of the certificate cannot be verified). | 869 // rest of the certificate cannot be verified). |
| 876 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { | 870 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { |
| 877 // Trust newintermediate. | 871 // Trust newintermediate. |
| 878 TrustStoreInMemory trust_store; | 872 TrustStoreInMemory trust_store; |
| 879 AddTrustedCertificate(newintermediate_, &trust_store); | 873 AddTrustedCertificate(newintermediate_, &trust_store); |
| 880 | 874 |
| 881 CertPathBuilder::Result result; | 875 CertPathBuilder::Result result; |
| 882 // Newintermediate is also the target cert. | 876 // Newintermediate is also the target cert. |
| 883 CertPathBuilder path_builder(newintermediate_, &trust_store, | 877 CertPathBuilder path_builder(newintermediate_, &trust_store, |
| 884 &signature_policy_, time_, &result); | 878 &signature_policy_, time_, &result); |
| 885 | 879 |
| 886 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 880 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 887 | 881 |
| 888 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 882 EXPECT_FALSE(result.HasValidPath()); |
| 889 } | 883 } |
| 890 | 884 |
| 891 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path | 885 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path |
| 892 // can still be built. | 886 // can still be built. |
| 893 // Since LoopChecker will prevent the intermediate from being included, this | 887 // Since LoopChecker will prevent the intermediate from being included, this |
| 894 // currently does NOT verify. This case shouldn't occur in the web PKI. | 888 // currently does NOT verify. This case shouldn't occur in the web PKI. |
| 895 TEST_F(PathBuilderKeyRolloverTest, | 889 TEST_F(PathBuilderKeyRolloverTest, |
| 896 TestEndEntityHasSameNameAndSpkiAsIntermediate) { | 890 TestEndEntityHasSameNameAndSpkiAsIntermediate) { |
| 897 // Trust oldroot. | 891 // Trust oldroot. |
| 898 TrustStoreInMemory trust_store; | 892 TrustStoreInMemory trust_store; |
| 899 trust_store.AddTrustAnchor(oldroot_); | 893 trust_store.AddTrustAnchor(oldroot_); |
| 900 | 894 |
| 901 // New root rollover is provided synchronously. | 895 // New root rollover is provided synchronously. |
| 902 CertIssuerSourceStatic sync_certs; | 896 CertIssuerSourceStatic sync_certs; |
| 903 sync_certs.AddCert(newrootrollover_); | 897 sync_certs.AddCert(newrootrollover_); |
| 904 | 898 |
| 905 CertPathBuilder::Result result; | 899 CertPathBuilder::Result result; |
| 906 // Newroot is the target cert. | 900 // Newroot is the target cert. |
| 907 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 901 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 908 time_, &result); | 902 time_, &result); |
| 909 path_builder.AddCertIssuerSource(&sync_certs); | 903 path_builder.AddCertIssuerSource(&sync_certs); |
| 910 | 904 |
| 911 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 905 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 912 | 906 |
| 913 // This could actually be OK, but CertPathBuilder does not build the | 907 // This could actually be OK, but CertPathBuilder does not build the |
| 914 // newroot <- newrootrollover <- oldroot path. | 908 // newroot <- newrootrollover <- oldroot path. |
| 915 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 909 EXPECT_FALSE(result.HasValidPath()); |
| 916 } | 910 } |
| 917 | 911 |
| 918 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) | 912 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) |
| 919 // path can still be built. | 913 // path can still be built. |
| 920 TEST_F(PathBuilderKeyRolloverTest, | 914 TEST_F(PathBuilderKeyRolloverTest, |
| 921 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { | 915 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { |
| 922 // Trust newrootrollover. | 916 // Trust newrootrollover. |
| 923 TrustStoreInMemory trust_store; | 917 TrustStoreInMemory trust_store; |
| 924 AddTrustedCertificate(newrootrollover_, &trust_store); | 918 AddTrustedCertificate(newrootrollover_, &trust_store); |
| 925 | 919 |
| 926 CertPathBuilder::Result result; | 920 CertPathBuilder::Result result; |
| 927 // Newroot is the target cert. | 921 // Newroot is the target cert. |
| 928 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 922 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 929 time_, &result); | 923 time_, &result); |
| 930 | 924 |
| 931 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 925 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 932 | 926 |
| 933 EXPECT_EQ(OK, result.error()); | 927 ASSERT_TRUE(result.HasValidPath()); |
| 934 | 928 |
| 935 ASSERT_FALSE(result.paths.empty()); | 929 const CertPathBuilder::ResultPath* best_result = result.GetBestValidPath(); |
| 936 const CertPathBuilder::ResultPath* best_result = | |
| 937 result.paths[result.best_result_index].get(); | |
| 938 | 930 |
| 939 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and | 931 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and |
| 940 // only contains newroot. | 932 // only contains newroot. |
| 941 EXPECT_EQ(OK, best_result->error); | 933 EXPECT_TRUE(best_result->valid); |
| 942 ASSERT_EQ(1U, best_result->path.certs.size()); | 934 ASSERT_EQ(1U, best_result->path.certs.size()); |
| 943 EXPECT_EQ(newroot_, best_result->path.certs[0]); | 935 EXPECT_EQ(newroot_, best_result->path.certs[0]); |
| 944 EXPECT_EQ(newrootrollover_, best_result->path.trust_anchor->cert()); | 936 EXPECT_EQ(newrootrollover_, best_result->path.trust_anchor->cert()); |
| 945 } | 937 } |
| 946 | 938 |
| 947 // Test that PathBuilder will not try the same path twice if multiple | 939 // Test that PathBuilder will not try the same path twice if multiple |
| 948 // CertIssuerSources provide the same certificate. | 940 // CertIssuerSources provide the same certificate. |
| 949 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { | 941 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { |
| 950 // Create a separate copy of oldintermediate. | 942 // Create a separate copy of oldintermediate. |
| 951 scoped_refptr<ParsedCertificate> oldintermediate_dupe( | 943 scoped_refptr<ParsedCertificate> oldintermediate_dupe( |
| (...skipping 21 matching lines...) Expand all Loading... |
| 973 | 965 |
| 974 CertPathBuilder::Result result; | 966 CertPathBuilder::Result result; |
| 975 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 967 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 976 &result); | 968 &result); |
| 977 path_builder.AddCertIssuerSource(&sync_certs1); | 969 path_builder.AddCertIssuerSource(&sync_certs1); |
| 978 path_builder.AddCertIssuerSource(&sync_certs2); | 970 path_builder.AddCertIssuerSource(&sync_certs2); |
| 979 path_builder.AddCertIssuerSource(&async_certs); | 971 path_builder.AddCertIssuerSource(&async_certs); |
| 980 | 972 |
| 981 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 973 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); |
| 982 | 974 |
| 983 EXPECT_EQ(OK, result.error()); | 975 EXPECT_TRUE(result.HasValidPath()); |
| 984 ASSERT_EQ(2U, result.paths.size()); | 976 ASSERT_EQ(2U, result.paths.size()); |
| 985 | 977 |
| 986 // Path builder will first attempt: target <- oldintermediate <- newroot | 978 // Path builder will first attempt: target <- oldintermediate <- newroot |
| 987 // but it will fail since oldintermediate is signed by oldroot. | 979 // but it will fail since oldintermediate is signed by oldroot. |
| 988 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 980 EXPECT_FALSE(result.paths[0]->valid); |
| 989 const auto& path0 = result.paths[0]->path; | 981 const auto& path0 = result.paths[0]->path; |
| 990 | 982 |
| 991 ASSERT_EQ(2U, path0.certs.size()); | 983 ASSERT_EQ(2U, path0.certs.size()); |
| 992 EXPECT_EQ(target_, path0.certs[0]); | 984 EXPECT_EQ(target_, path0.certs[0]); |
| 993 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 985 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 994 // of oldintermediate was used in the path. | 986 // of oldintermediate was used in the path. |
| 995 EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert()); | 987 EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert()); |
| 996 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | 988 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); |
| 997 | 989 |
| 998 // Path builder will next attempt: target <- newintermediate <- newroot | 990 // Path builder will next attempt: target <- newintermediate <- newroot |
| 999 // which will succeed. | 991 // which will succeed. |
| 1000 EXPECT_EQ(1U, result.best_result_index); | 992 EXPECT_EQ(1U, result.best_result_index); |
| 1001 EXPECT_EQ(OK, result.paths[1]->error); | 993 EXPECT_TRUE(result.paths[1]->valid); |
| 1002 const auto& path1 = result.paths[1]->path; | 994 const auto& path1 = result.paths[1]->path; |
| 1003 ASSERT_EQ(2U, path1.certs.size()); | 995 ASSERT_EQ(2U, path1.certs.size()); |
| 1004 EXPECT_EQ(target_, path1.certs[0]); | 996 EXPECT_EQ(target_, path1.certs[0]); |
| 1005 EXPECT_EQ(newintermediate_, path1.certs[1]); | 997 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1006 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 998 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1007 } | 999 } |
| 1008 | 1000 |
| 1009 // Test when PathBuilder is given a cert CertIssuerSources that has the same | 1001 // Test when PathBuilder is given a cert CertIssuerSources that has the same |
| 1010 // SPKI as a TrustAnchor. | 1002 // SPKI as a TrustAnchor. |
| 1011 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { | 1003 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { |
| (...skipping 11 matching lines...) Expand all Loading... |
| 1023 sync_certs.AddCert(oldintermediate_); | 1015 sync_certs.AddCert(oldintermediate_); |
| 1024 sync_certs.AddCert(newroot_dupe); | 1016 sync_certs.AddCert(newroot_dupe); |
| 1025 | 1017 |
| 1026 CertPathBuilder::Result result; | 1018 CertPathBuilder::Result result; |
| 1027 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 1019 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 1028 &result); | 1020 &result); |
| 1029 path_builder.AddCertIssuerSource(&sync_certs); | 1021 path_builder.AddCertIssuerSource(&sync_certs); |
| 1030 | 1022 |
| 1031 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 1023 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); |
| 1032 | 1024 |
| 1033 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error()); | 1025 EXPECT_FALSE(result.HasValidPath()); |
| 1034 ASSERT_EQ(2U, result.paths.size()); | 1026 ASSERT_EQ(2U, result.paths.size()); |
| 1035 // TODO(eroman): Is this right? | 1027 // TODO(eroman): Is this right? |
| 1036 | 1028 |
| 1037 // Path builder attempt: target <- oldintermediate <- newroot | 1029 // Path builder attempt: target <- oldintermediate <- newroot |
| 1038 // but it will fail since oldintermediate is signed by oldroot. | 1030 // but it will fail since oldintermediate is signed by oldroot. |
| 1039 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 1031 EXPECT_FALSE(result.paths[0]->valid); |
| 1040 const auto& path = result.paths[0]->path; | 1032 const auto& path = result.paths[0]->path; |
| 1041 ASSERT_EQ(2U, path.certs.size()); | 1033 ASSERT_EQ(2U, path.certs.size()); |
| 1042 EXPECT_EQ(target_, path.certs[0]); | 1034 EXPECT_EQ(target_, path.certs[0]); |
| 1043 EXPECT_EQ(oldintermediate_, path.certs[1]); | 1035 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 1044 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 1036 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 1045 // of newroot was used in the path. | 1037 // of newroot was used in the path. |
| 1046 EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert()); | 1038 EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert()); |
| 1047 } | 1039 } |
| 1048 | 1040 |
| 1049 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { | 1041 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { |
| (...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1150 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); | 1142 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); |
| 1151 target_issuers_callback.Run(target_issuers_req); | 1143 target_issuers_callback.Run(target_issuers_req); |
| 1152 // Note that VerifyAndClearExpectations(target_issuers_req) is not called | 1144 // Note that VerifyAndClearExpectations(target_issuers_req) is not called |
| 1153 // here. PathBuilder could have destroyed it already, so just let the | 1145 // here. PathBuilder could have destroyed it already, so just let the |
| 1154 // expectations get checked by the destructor. | 1146 // expectations get checked by the destructor. |
| 1155 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 1147 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 1156 | 1148 |
| 1157 // Ensure pathbuilder finished and filled result. | 1149 // Ensure pathbuilder finished and filled result. |
| 1158 callback.WaitForResult(); | 1150 callback.WaitForResult(); |
| 1159 | 1151 |
| 1160 EXPECT_EQ(OK, result.error()); | 1152 EXPECT_TRUE(result.HasValidPath()); |
| 1161 ASSERT_EQ(2U, result.paths.size()); | 1153 ASSERT_EQ(2U, result.paths.size()); |
| 1162 | 1154 |
| 1163 // Path builder first attempts: target <- oldintermediate <- newroot | 1155 // Path builder first attempts: target <- oldintermediate <- newroot |
| 1164 // but it will fail since oldintermediate is signed by oldroot. | 1156 // but it will fail since oldintermediate is signed by oldroot. |
| 1165 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 1157 EXPECT_FALSE(result.paths[0]->valid); |
| 1166 const auto& path0 = result.paths[0]->path; | 1158 const auto& path0 = result.paths[0]->path; |
| 1167 ASSERT_EQ(2U, path0.certs.size()); | 1159 ASSERT_EQ(2U, path0.certs.size()); |
| 1168 EXPECT_EQ(target_, path0.certs[0]); | 1160 EXPECT_EQ(target_, path0.certs[0]); |
| 1169 EXPECT_EQ(oldintermediate_, path0.certs[1]); | 1161 EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| 1170 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | 1162 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); |
| 1171 | 1163 |
| 1172 // After the second batch of async results, path builder will attempt: | 1164 // After the second batch of async results, path builder will attempt: |
| 1173 // target <- newintermediate <- newroot which will succeed. | 1165 // target <- newintermediate <- newroot which will succeed. |
| 1174 EXPECT_EQ(OK, result.paths[1]->error); | 1166 EXPECT_TRUE(result.paths[1]->valid); |
| 1175 const auto& path1 = result.paths[1]->path; | 1167 const auto& path1 = result.paths[1]->path; |
| 1176 ASSERT_EQ(2U, path1.certs.size()); | 1168 ASSERT_EQ(2U, path1.certs.size()); |
| 1177 EXPECT_EQ(target_, path1.certs[0]); | 1169 EXPECT_EQ(target_, path1.certs[0]); |
| 1178 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1170 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1179 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 1171 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1180 } | 1172 } |
| 1181 | 1173 |
| 1182 // Test that PathBuilder will not try the same path twice if CertIssuerSources | 1174 // Test that PathBuilder will not try the same path twice if CertIssuerSources |
| 1183 // asynchronously provide the same certificate multiple times. | 1175 // asynchronously provide the same certificate multiple times. |
| 1184 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { | 1176 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { |
| (...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1265 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); | 1257 EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); |
| 1266 target_issuers_callback.Run(target_issuers_req); | 1258 target_issuers_callback.Run(target_issuers_req); |
| 1267 // Note that VerifyAndClearExpectations(target_issuers_req) is not called | 1259 // Note that VerifyAndClearExpectations(target_issuers_req) is not called |
| 1268 // here. PathBuilder could have destroyed it already, so just let the | 1260 // here. PathBuilder could have destroyed it already, so just let the |
| 1269 // expectations get checked by the destructor. | 1261 // expectations get checked by the destructor. |
| 1270 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 1262 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 1271 | 1263 |
| 1272 // Ensure pathbuilder finished and filled result. | 1264 // Ensure pathbuilder finished and filled result. |
| 1273 callback.WaitForResult(); | 1265 callback.WaitForResult(); |
| 1274 | 1266 |
| 1275 EXPECT_EQ(OK, result.error()); | 1267 EXPECT_TRUE(result.HasValidPath()); |
| 1276 ASSERT_EQ(2U, result.paths.size()); | 1268 ASSERT_EQ(2U, result.paths.size()); |
| 1277 | 1269 |
| 1278 // Path builder first attempts: target <- oldintermediate <- newroot | 1270 // Path builder first attempts: target <- oldintermediate <- newroot |
| 1279 // but it will fail since oldintermediate is signed by oldroot. | 1271 // but it will fail since oldintermediate is signed by oldroot. |
| 1280 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error); | 1272 EXPECT_FALSE(result.paths[0]->valid); |
| 1281 const auto& path0 = result.paths[0]->path; | 1273 const auto& path0 = result.paths[0]->path; |
| 1282 ASSERT_EQ(2U, path0.certs.size()); | 1274 ASSERT_EQ(2U, path0.certs.size()); |
| 1283 EXPECT_EQ(target_, path0.certs[0]); | 1275 EXPECT_EQ(target_, path0.certs[0]); |
| 1284 EXPECT_EQ(oldintermediate_, path0.certs[1]); | 1276 EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| 1285 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | 1277 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); |
| 1286 | 1278 |
| 1287 // The second async result does not generate any path. | 1279 // The second async result does not generate any path. |
| 1288 | 1280 |
| 1289 // After the third batch of async results, path builder will attempt: | 1281 // After the third batch of async results, path builder will attempt: |
| 1290 // target <- newintermediate <- newroot which will succeed. | 1282 // target <- newintermediate <- newroot which will succeed. |
| 1291 EXPECT_EQ(OK, result.paths[1]->error); | 1283 EXPECT_TRUE(result.paths[1]->valid); |
| 1292 const auto& path1 = result.paths[1]->path; | 1284 const auto& path1 = result.paths[1]->path; |
| 1293 ASSERT_EQ(2U, path1.certs.size()); | 1285 ASSERT_EQ(2U, path1.certs.size()); |
| 1294 EXPECT_EQ(target_, path1.certs[0]); | 1286 EXPECT_EQ(target_, path1.certs[0]); |
| 1295 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1287 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1296 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 1288 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1297 } | 1289 } |
| 1298 | 1290 |
| 1299 } // namespace | 1291 } // namespace |
| 1300 | 1292 |
| 1301 } // namespace net | 1293 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2292333002:
Add errors per ResultPath for CertPathBuilder. (Closed)
