| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/cancelable_callback.h" | |
| 9 #include "base/files/file_util.h" | 8 #include "base/files/file_util.h" |
| 10 #include "base/location.h" | |
| 11 #include "base/path_service.h" | 9 #include "base/path_service.h" |
| 12 #include "base/threading/thread_task_runner_handle.h" | |
| 13 #include "net/base/test_completion_callback.h" | |
| 14 #include "net/cert/internal/cert_issuer_source_static.h" | 10 #include "net/cert/internal/cert_issuer_source_static.h" |
| 15 #include "net/cert/internal/parsed_certificate.h" | 11 #include "net/cert/internal/parsed_certificate.h" |
| 16 #include "net/cert/internal/signature_policy.h" | 12 #include "net/cert/internal/signature_policy.h" |
| 17 #include "net/cert/internal/test_helpers.h" | 13 #include "net/cert/internal/test_helpers.h" |
| 18 #include "net/cert/internal/trust_store_in_memory.h" | 14 #include "net/cert/internal/trust_store_in_memory.h" |
| 19 #include "net/cert/internal/trust_store_test_helpers.h" | |
| 20 #include "net/cert/internal/verify_certificate_chain.h" | 15 #include "net/cert/internal/verify_certificate_chain.h" |
| 21 #include "net/cert/pem_tokenizer.h" | 16 #include "net/cert/pem_tokenizer.h" |
| 22 #include "net/der/input.h" | 17 #include "net/der/input.h" |
| 23 #include "net/test/cert_test_util.h" | 18 #include "net/test/cert_test_util.h" |
| 24 #include "net/test/test_certificate_data.h" | 19 #include "net/test/test_certificate_data.h" |
| 25 #include "testing/gmock/include/gmock/gmock.h" | 20 #include "testing/gmock/include/gmock/gmock.h" |
| 26 #include "testing/gtest/include/gtest/gtest.h" | 21 #include "testing/gtest/include/gtest/gtest.h" |
| 27 | 22 |
| 28 namespace net { | 23 namespace net { |
| 29 | 24 |
| 30 // TODO(crbug.com/634443): Assert the errors for each ResultPath. | 25 // TODO(crbug.com/634443): Assert the errors for each ResultPath. |
| 31 | 26 |
| 32 namespace { | 27 namespace { |
| 33 | 28 |
| 34 using ::testing::_; | 29 using ::testing::_; |
| 35 using ::testing::Invoke; | 30 using ::testing::Invoke; |
| 36 using ::testing::NiceMock; | 31 using ::testing::NiceMock; |
| 37 using ::testing::Return; | 32 using ::testing::Return; |
| 38 using ::testing::SaveArg; | 33 using ::testing::SaveArg; |
| 39 using ::testing::SetArgPointee; | 34 using ::testing::SetArgPointee; |
| 40 using ::testing::StrictMock; | 35 using ::testing::StrictMock; |
| 41 | 36 |
| 42 // AsyncCertIssuerSourceStatic always returns its certs asynchronously. | 37 // AsyncCertIssuerSourceStatic always returns its certs asynchronously. |
| 43 class AsyncCertIssuerSourceStatic : public CertIssuerSource { | 38 class AsyncCertIssuerSourceStatic : public CertIssuerSource { |
| 44 public: | 39 public: |
| 45 class StaticAsyncRequest : public Request { | 40 class StaticAsyncRequest : public Request { |
| 46 public: | 41 public: |
| 47 StaticAsyncRequest(const IssuerCallback& issuers_callback, | 42 StaticAsyncRequest(ParsedCertificateList&& issuers) { |
| 48 ParsedCertificateList&& issuers) | |
| 49 : cancelable_closure_(base::Bind(&StaticAsyncRequest::RunCallback, | |
| 50 base::Unretained(this))), | |
| 51 issuers_callback_(issuers_callback) { | |
| 52 issuers_.swap(issuers); | 43 issuers_.swap(issuers); |
| 53 issuers_iter_ = issuers_.begin(); | 44 issuers_iter_ = issuers_.begin(); |
| 54 } | 45 } |
| 55 ~StaticAsyncRequest() override {} | 46 ~StaticAsyncRequest() override {} |
| 56 | 47 |
| 57 CompletionStatus GetNext( | 48 void GetNext(ParsedCertificateList* out_certs) override { |
| 58 scoped_refptr<ParsedCertificate>* out_cert) override { | 49 if (issuers_iter_ != issuers_.end()) |
| 59 if (issuers_iter_ == issuers_.end()) | 50 out_certs->push_back(std::move(*issuers_iter_++)); |
| 60 *out_cert = nullptr; | |
| 61 else | |
| 62 *out_cert = std::move(*issuers_iter_++); | |
| 63 return CompletionStatus::SYNC; | |
| 64 } | 51 } |
| 65 | 52 |
| 66 base::Closure callback() { return cancelable_closure_.callback(); } | |
| 67 | |
| 68 private: | |
| 69 void RunCallback() { issuers_callback_.Run(this); } | |
| 70 | |
| 71 base::CancelableClosure cancelable_closure_; | |
| 72 IssuerCallback issuers_callback_; | |
| 73 ParsedCertificateList issuers_; | 53 ParsedCertificateList issuers_; |
| 74 ParsedCertificateList::iterator issuers_iter_; | 54 ParsedCertificateList::iterator issuers_iter_; |
| 75 | 55 |
| 76 DISALLOW_COPY_AND_ASSIGN(StaticAsyncRequest); | 56 DISALLOW_COPY_AND_ASSIGN(StaticAsyncRequest); |
| 77 }; | 57 }; |
| 78 | 58 |
| 79 ~AsyncCertIssuerSourceStatic() override {} | 59 ~AsyncCertIssuerSourceStatic() override {} |
| 80 | 60 |
| 81 void AddCert(scoped_refptr<ParsedCertificate> cert) { | 61 void AddCert(scoped_refptr<ParsedCertificate> cert) { |
| 82 static_cert_issuer_source_.AddCert(std::move(cert)); | 62 static_cert_issuer_source_.AddCert(std::move(cert)); |
| 83 } | 63 } |
| 84 | 64 |
| 85 void SyncGetIssuersOf(const ParsedCertificate* cert, | 65 void SyncGetIssuersOf(const ParsedCertificate* cert, |
| 86 ParsedCertificateList* issuers) override {} | 66 ParsedCertificateList* issuers) override {} |
| 87 void AsyncGetIssuersOf(const ParsedCertificate* cert, | 67 void AsyncGetIssuersOf(const ParsedCertificate* cert, |
| 88 const IssuerCallback& issuers_callback, | |
| 89 std::unique_ptr<Request>* out_req) override { | 68 std::unique_ptr<Request>* out_req) override { |
| 90 num_async_gets_++; | 69 num_async_gets_++; |
| 91 ParsedCertificateList issuers; | 70 ParsedCertificateList issuers; |
| 92 static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers); | 71 static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers); |
| 93 std::unique_ptr<StaticAsyncRequest> req( | 72 std::unique_ptr<StaticAsyncRequest> req( |
| 94 new StaticAsyncRequest(issuers_callback, std::move(issuers))); | 73 new StaticAsyncRequest(std::move(issuers))); |
| 95 base::ThreadTaskRunnerHandle::Get()->PostTask(FROM_HERE, req->callback()); | |
| 96 *out_req = std::move(req); | 74 *out_req = std::move(req); |
| 97 } | 75 } |
| 98 int num_async_gets() const { return num_async_gets_; } | 76 int num_async_gets() const { return num_async_gets_; } |
| 99 | 77 |
| 100 private: | 78 private: |
| 101 CertIssuerSourceStatic static_cert_issuer_source_; | 79 CertIssuerSourceStatic static_cert_issuer_source_; |
| 102 | 80 |
| 103 int num_async_gets_ = 0; | 81 int num_async_gets_ = 0; |
| 104 }; | 82 }; |
| 105 | 83 |
| (...skipping 18 matching lines...) Expand all Loading... |
| 124 CertErrors errors; | 102 CertErrors errors; |
| 125 *result = ParsedCertificate::Create(der, {}, &errors); | 103 *result = ParsedCertificate::Create(der, {}, &errors); |
| 126 if (!*result) { | 104 if (!*result) { |
| 127 return ::testing::AssertionFailure() | 105 return ::testing::AssertionFailure() |
| 128 << "ParseCertificate::Create() failed:\n" | 106 << "ParseCertificate::Create() failed:\n" |
| 129 << errors.ToDebugString(); | 107 << errors.ToDebugString(); |
| 130 } | 108 } |
| 131 return ::testing::AssertionSuccess(); | 109 return ::testing::AssertionSuccess(); |
| 132 } | 110 } |
| 133 | 111 |
| 134 // Run the path builder, and wait for async completion if necessary. The return | |
| 135 // value signifies whether the path builder completed synchronously or | |
| 136 // asynchronously, not that RunPathBuilder itself is asynchronous. | |
| 137 CompletionStatus RunPathBuilder(CertPathBuilder* path_builder) { | |
| 138 TestClosure callback; | |
| 139 CompletionStatus rv = path_builder->Run(callback.closure()); | |
| 140 | |
| 141 if (rv == CompletionStatus::ASYNC) { | |
| 142 DVLOG(1) << "waiting for async completion..."; | |
| 143 callback.WaitForResult(); | |
| 144 DVLOG(1) << "async completed."; | |
| 145 } | |
| 146 return rv; | |
| 147 } | |
| 148 | |
| 149 class PathBuilderMultiRootTest : public ::testing::Test { | 112 class PathBuilderMultiRootTest : public ::testing::Test { |
| 150 public: | 113 public: |
| 151 PathBuilderMultiRootTest() : signature_policy_(1024) {} | 114 PathBuilderMultiRootTest() : signature_policy_(1024) {} |
| 152 | 115 |
| 153 void SetUp() override { | 116 void SetUp() override { |
| 154 ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b_)); | 117 ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b_)); |
| 155 ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c_)); | 118 ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c_)); |
| 156 ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f_)); | 119 ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f_)); |
| 157 ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d_)); | 120 ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d_)); |
| 158 ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e_)); | 121 ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e_)); |
| (...skipping 28 matching lines...) Expand all Loading... |
| 187 // trust store). | 150 // trust store). |
| 188 TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) { | 151 TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) { |
| 189 TrustStoreInMemory trust_store; | 152 TrustStoreInMemory trust_store; |
| 190 AddTrustedCertificate(a_by_b_, &trust_store); | 153 AddTrustedCertificate(a_by_b_, &trust_store); |
| 191 AddTrustedCertificate(b_by_f_, &trust_store); | 154 AddTrustedCertificate(b_by_f_, &trust_store); |
| 192 | 155 |
| 193 CertPathBuilder::Result result; | 156 CertPathBuilder::Result result; |
| 194 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 157 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 195 &result); | 158 &result); |
| 196 | 159 |
| 197 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 160 path_builder.Run(); |
| 198 | 161 |
| 199 ASSERT_TRUE(result.HasValidPath()); | 162 ASSERT_TRUE(result.HasValidPath()); |
| 200 const auto& path = result.GetBestValidPath()->path; | 163 const auto& path = result.GetBestValidPath()->path; |
| 201 ASSERT_EQ(1U, path.certs.size()); | 164 ASSERT_EQ(1U, path.certs.size()); |
| 202 EXPECT_EQ(a_by_b_, path.certs[0]); | 165 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 203 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | 166 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); |
| 204 } | 167 } |
| 205 | 168 |
| 206 // If the target cert is has the same name and key as a trust anchor, however | 169 // If the target cert is has the same name and key as a trust anchor, however |
| 207 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI | 170 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI |
| 208 // is trusted, the certificate contents cannot be verified. | 171 // is trusted, the certificate contents cannot be verified. |
| 209 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { | 172 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { |
| 210 TrustStoreInMemory trust_store; | 173 TrustStoreInMemory trust_store; |
| 211 AddTrustedCertificate(a_by_b_, &trust_store); | 174 AddTrustedCertificate(a_by_b_, &trust_store); |
| 212 | 175 |
| 213 CertPathBuilder::Result result; | 176 CertPathBuilder::Result result; |
| 214 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 177 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 215 &result); | 178 &result); |
| 216 | 179 |
| 217 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 180 path_builder.Run(); |
| 218 | 181 |
| 219 EXPECT_FALSE(result.HasValidPath()); | 182 EXPECT_FALSE(result.HasValidPath()); |
| 220 } | 183 } |
| 221 | 184 |
| 222 // Test a failed path building when the trust anchor is provided as a | 185 // Test a failed path building when the trust anchor is provided as a |
| 223 // supplemental certificate. Conceptually the following paths can be built: | 186 // supplemental certificate. Conceptually the following paths can be built: |
| 224 // | 187 // |
| 225 // B(C) <- C(D) <- [Trust anchor D] | 188 // B(C) <- C(D) <- [Trust anchor D] |
| 226 // B(C) <- C(D) <- D(D) <- [Trust anchor D] | 189 // B(C) <- C(D) <- D(D) <- [Trust anchor D] |
| 227 // | 190 // |
| (...skipping 10 matching lines...) Expand all Loading... |
| 238 sync_certs.AddCert(c_by_d_); | 201 sync_certs.AddCert(c_by_d_); |
| 239 | 202 |
| 240 // C(D) is not valid at this time, so path building will fail. | 203 // C(D) is not valid at this time, so path building will fail. |
| 241 der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; | 204 der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; |
| 242 | 205 |
| 243 CertPathBuilder::Result result; | 206 CertPathBuilder::Result result; |
| 244 CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_, | 207 CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_, |
| 245 expired_time, &result); | 208 expired_time, &result); |
| 246 path_builder.AddCertIssuerSource(&sync_certs); | 209 path_builder.AddCertIssuerSource(&sync_certs); |
| 247 | 210 |
| 248 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 211 path_builder.Run(); |
| 249 | 212 |
| 250 EXPECT_FALSE(result.HasValidPath()); | 213 EXPECT_FALSE(result.HasValidPath()); |
| 251 ASSERT_EQ(2U, result.paths.size()); | 214 ASSERT_EQ(2U, result.paths.size()); |
| 252 | 215 |
| 253 EXPECT_FALSE(result.paths[0]->valid); | 216 EXPECT_FALSE(result.paths[0]->valid); |
| 254 const auto& path0 = result.paths[0]->path; | 217 const auto& path0 = result.paths[0]->path; |
| 255 ASSERT_EQ(2U, path0.certs.size()); | 218 ASSERT_EQ(2U, path0.certs.size()); |
| 256 EXPECT_EQ(b_by_c_, path0.certs[0]); | 219 EXPECT_EQ(b_by_c_, path0.certs[0]); |
| 257 EXPECT_EQ(c_by_d_, path0.certs[1]); | 220 EXPECT_EQ(c_by_d_, path0.certs[1]); |
| 258 EXPECT_EQ(d_by_d_, path0.trust_anchor->cert()); | 221 EXPECT_EQ(d_by_d_, path0.trust_anchor->cert()); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 270 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { | 233 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { |
| 271 TrustStoreInMemory trust_store; | 234 TrustStoreInMemory trust_store; |
| 272 AddTrustedCertificate(e_by_e_, &trust_store); | 235 AddTrustedCertificate(e_by_e_, &trust_store); |
| 273 // This is not necessary for the test, just an extra... | 236 // This is not necessary for the test, just an extra... |
| 274 AddTrustedCertificate(f_by_e_, &trust_store); | 237 AddTrustedCertificate(f_by_e_, &trust_store); |
| 275 | 238 |
| 276 CertPathBuilder::Result result; | 239 CertPathBuilder::Result result; |
| 277 CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_, | 240 CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_, |
| 278 &result); | 241 &result); |
| 279 | 242 |
| 280 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 243 path_builder.Run(); |
| 281 | 244 |
| 282 ASSERT_TRUE(result.HasValidPath()); | 245 ASSERT_TRUE(result.HasValidPath()); |
| 283 const auto& path = result.GetBestValidPath()->path; | 246 const auto& path = result.GetBestValidPath()->path; |
| 284 ASSERT_EQ(1U, path.certs.size()); | 247 ASSERT_EQ(1U, path.certs.size()); |
| 285 EXPECT_EQ(e_by_e_, path.certs[0]); | 248 EXPECT_EQ(e_by_e_, path.certs[0]); |
| 286 EXPECT_EQ(e_by_e_, path.trust_anchor->cert()); | 249 EXPECT_EQ(e_by_e_, path.trust_anchor->cert()); |
| 287 } | 250 } |
| 288 | 251 |
| 289 // If the target cert is directly issued by a trust anchor, it should verify | 252 // If the target cert is directly issued by a trust anchor, it should verify |
| 290 // without any intermediate certs being provided. | 253 // without any intermediate certs being provided. |
| 291 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { | 254 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { |
| 292 TrustStoreInMemory trust_store; | 255 TrustStoreInMemory trust_store; |
| 293 AddTrustedCertificate(b_by_f_, &trust_store); | 256 AddTrustedCertificate(b_by_f_, &trust_store); |
| 294 | 257 |
| 295 CertPathBuilder::Result result; | 258 CertPathBuilder::Result result; |
| 296 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 259 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 297 &result); | 260 &result); |
| 298 | 261 |
| 299 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 262 path_builder.Run(); |
| 300 | 263 |
| 301 ASSERT_TRUE(result.HasValidPath()); | 264 ASSERT_TRUE(result.HasValidPath()); |
| 302 const auto& path = result.GetBestValidPath()->path; | 265 const auto& path = result.GetBestValidPath()->path; |
| 303 ASSERT_EQ(1U, path.certs.size()); | 266 ASSERT_EQ(1U, path.certs.size()); |
| 304 EXPECT_EQ(a_by_b_, path.certs[0]); | 267 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 305 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); | 268 EXPECT_EQ(b_by_f_, path.trust_anchor->cert()); |
| 306 } | 269 } |
| 307 | 270 |
| 308 // Test that async cert queries are not made if the path can be successfully | 271 // Test that async cert queries are not made if the path can be successfully |
| 309 // built with synchronously available certs. | 272 // built with synchronously available certs. |
| 310 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { | 273 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { |
| 311 TrustStoreInMemory trust_store; | 274 TrustStoreInMemory trust_store; |
| 312 AddTrustedCertificate(e_by_e_, &trust_store); | 275 AddTrustedCertificate(e_by_e_, &trust_store); |
| 313 | 276 |
| 314 CertIssuerSourceStatic sync_certs; | 277 CertIssuerSourceStatic sync_certs; |
| 315 sync_certs.AddCert(b_by_f_); | 278 sync_certs.AddCert(b_by_f_); |
| 316 sync_certs.AddCert(f_by_e_); | 279 sync_certs.AddCert(f_by_e_); |
| 317 | 280 |
| 318 AsyncCertIssuerSourceStatic async_certs; | 281 AsyncCertIssuerSourceStatic async_certs; |
| 319 async_certs.AddCert(b_by_c_); | 282 async_certs.AddCert(b_by_c_); |
| 320 async_certs.AddCert(c_by_e_); | 283 async_certs.AddCert(c_by_e_); |
| 321 | 284 |
| 322 CertPathBuilder::Result result; | 285 CertPathBuilder::Result result; |
| 323 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 286 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 324 &result); | 287 &result); |
| 325 path_builder.AddCertIssuerSource(&async_certs); | 288 path_builder.AddCertIssuerSource(&async_certs); |
| 326 path_builder.AddCertIssuerSource(&sync_certs); | 289 path_builder.AddCertIssuerSource(&sync_certs); |
| 327 | 290 |
| 328 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 291 path_builder.Run(); |
| 329 | 292 |
| 330 EXPECT_TRUE(result.HasValidPath()); | 293 EXPECT_TRUE(result.HasValidPath()); |
| 331 EXPECT_EQ(0, async_certs.num_async_gets()); | 294 EXPECT_EQ(0, async_certs.num_async_gets()); |
| 332 } | 295 } |
| 333 | 296 |
| 334 // Test that async cert queries are not made if no callback is provided. | |
| 335 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) { | |
| 336 TrustStoreInMemory trust_store; | |
| 337 AddTrustedCertificate(e_by_e_, &trust_store); | |
| 338 | |
| 339 CertIssuerSourceStatic sync_certs; | |
| 340 sync_certs.AddCert(f_by_e_); | |
| 341 | |
| 342 AsyncCertIssuerSourceStatic async_certs; | |
| 343 async_certs.AddCert(b_by_f_); | |
| 344 | |
| 345 CertPathBuilder::Result result; | |
| 346 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | |
| 347 &result); | |
| 348 path_builder.AddCertIssuerSource(&async_certs); | |
| 349 path_builder.AddCertIssuerSource(&sync_certs); | |
| 350 | |
| 351 EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure())); | |
| 352 | |
| 353 EXPECT_FALSE(result.HasValidPath()); | |
| 354 EXPECT_EQ(0, async_certs.num_async_gets()); | |
| 355 } | |
| 356 | |
| 357 // If async queries are needed, all async sources will be queried | 297 // If async queries are needed, all async sources will be queried |
| 358 // simultaneously. | 298 // simultaneously. |
| 359 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { | 299 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { |
| 360 TrustStoreInMemory trust_store; | 300 TrustStoreInMemory trust_store; |
| 361 AddTrustedCertificate(e_by_e_, &trust_store); | 301 AddTrustedCertificate(e_by_e_, &trust_store); |
| 362 | 302 |
| 363 CertIssuerSourceStatic sync_certs; | 303 CertIssuerSourceStatic sync_certs; |
| 364 sync_certs.AddCert(b_by_c_); | 304 sync_certs.AddCert(b_by_c_); |
| 365 sync_certs.AddCert(b_by_f_); | 305 sync_certs.AddCert(b_by_f_); |
| 366 | 306 |
| 367 AsyncCertIssuerSourceStatic async_certs1; | 307 AsyncCertIssuerSourceStatic async_certs1; |
| 368 async_certs1.AddCert(c_by_e_); | 308 async_certs1.AddCert(c_by_e_); |
| 369 | 309 |
| 370 AsyncCertIssuerSourceStatic async_certs2; | 310 AsyncCertIssuerSourceStatic async_certs2; |
| 371 async_certs2.AddCert(f_by_e_); | 311 async_certs2.AddCert(f_by_e_); |
| 372 | 312 |
| 373 CertPathBuilder::Result result; | 313 CertPathBuilder::Result result; |
| 374 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 314 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 375 &result); | 315 &result); |
| 376 path_builder.AddCertIssuerSource(&async_certs1); | 316 path_builder.AddCertIssuerSource(&async_certs1); |
| 377 path_builder.AddCertIssuerSource(&async_certs2); | 317 path_builder.AddCertIssuerSource(&async_certs2); |
| 378 path_builder.AddCertIssuerSource(&sync_certs); | 318 path_builder.AddCertIssuerSource(&sync_certs); |
| 379 | 319 |
| 380 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 320 path_builder.Run(); |
| 381 | 321 |
| 382 EXPECT_TRUE(result.HasValidPath()); | 322 EXPECT_TRUE(result.HasValidPath()); |
| 383 EXPECT_EQ(1, async_certs1.num_async_gets()); | 323 EXPECT_EQ(1, async_certs1.num_async_gets()); |
| 384 EXPECT_EQ(1, async_certs2.num_async_gets()); | 324 EXPECT_EQ(1, async_certs2.num_async_gets()); |
| 385 } | 325 } |
| 386 | 326 |
| 387 // Test that PathBuilder does not generate longer paths than necessary if one of | 327 // Test that PathBuilder does not generate longer paths than necessary if one of |
| 388 // the supplied certs is itself a trust anchor. | 328 // the supplied certs is itself a trust anchor. |
| 389 TEST_F(PathBuilderMultiRootTest, TestLongChain) { | 329 TEST_F(PathBuilderMultiRootTest, TestLongChain) { |
| 390 // Both D(D) and C(D) are trusted roots. | 330 // Both D(D) and C(D) are trusted roots. |
| 391 TrustStoreInMemory trust_store; | 331 TrustStoreInMemory trust_store; |
| 392 AddTrustedCertificate(d_by_d_, &trust_store); | 332 AddTrustedCertificate(d_by_d_, &trust_store); |
| 393 AddTrustedCertificate(c_by_d_, &trust_store); | 333 AddTrustedCertificate(c_by_d_, &trust_store); |
| 394 | 334 |
| 395 // Certs B(C), and C(D) are all supplied. | 335 // Certs B(C), and C(D) are all supplied. |
| 396 CertIssuerSourceStatic sync_certs; | 336 CertIssuerSourceStatic sync_certs; |
| 397 sync_certs.AddCert(b_by_c_); | 337 sync_certs.AddCert(b_by_c_); |
| 398 sync_certs.AddCert(c_by_d_); | 338 sync_certs.AddCert(c_by_d_); |
| 399 | 339 |
| 400 CertPathBuilder::Result result; | 340 CertPathBuilder::Result result; |
| 401 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 341 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 402 &result); | 342 &result); |
| 403 path_builder.AddCertIssuerSource(&sync_certs); | 343 path_builder.AddCertIssuerSource(&sync_certs); |
| 404 | 344 |
| 405 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 345 path_builder.Run(); |
| 406 | 346 |
| 407 ASSERT_TRUE(result.HasValidPath()); | 347 ASSERT_TRUE(result.HasValidPath()); |
| 408 | 348 |
| 409 // The result path should be A(B) <- B(C) <- C(D) | 349 // The result path should be A(B) <- B(C) <- C(D) |
| 410 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) | 350 // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) |
| 411 EXPECT_EQ(2U, result.GetBestValidPath()->path.certs.size()); | 351 EXPECT_EQ(2U, result.GetBestValidPath()->path.certs.size()); |
| 412 } | 352 } |
| 413 | 353 |
| 414 // Test that PathBuilder will backtrack and try a different path if the first | 354 // Test that PathBuilder will backtrack and try a different path if the first |
| 415 // one doesn't work out. | 355 // one doesn't work out. |
| (...skipping 13 matching lines...) Expand all Loading... |
| 429 AsyncCertIssuerSourceStatic async_certs; | 369 AsyncCertIssuerSourceStatic async_certs; |
| 430 async_certs.AddCert(b_by_c_); | 370 async_certs.AddCert(b_by_c_); |
| 431 async_certs.AddCert(c_by_d_); | 371 async_certs.AddCert(c_by_d_); |
| 432 | 372 |
| 433 CertPathBuilder::Result result; | 373 CertPathBuilder::Result result; |
| 434 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, | 374 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_, |
| 435 &result); | 375 &result); |
| 436 path_builder.AddCertIssuerSource(&sync_certs); | 376 path_builder.AddCertIssuerSource(&sync_certs); |
| 437 path_builder.AddCertIssuerSource(&async_certs); | 377 path_builder.AddCertIssuerSource(&async_certs); |
| 438 | 378 |
| 439 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 379 path_builder.Run(); |
| 440 | 380 |
| 441 ASSERT_TRUE(result.HasValidPath()); | 381 ASSERT_TRUE(result.HasValidPath()); |
| 442 | 382 |
| 443 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 383 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 444 const auto& path = result.GetBestValidPath()->path; | 384 const auto& path = result.GetBestValidPath()->path; |
| 445 ASSERT_EQ(3U, path.certs.size()); | 385 ASSERT_EQ(3U, path.certs.size()); |
| 446 EXPECT_EQ(a_by_b_, path.certs[0]); | 386 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 447 EXPECT_EQ(b_by_c_, path.certs[1]); | 387 EXPECT_EQ(b_by_c_, path.certs[1]); |
| 448 EXPECT_EQ(c_by_d_, path.certs[2]); | 388 EXPECT_EQ(c_by_d_, path.certs[2]); |
| 449 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); | 389 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); |
| (...skipping 17 matching lines...) Expand all Loading... |
| 467 } else { | 407 } else { |
| 468 for (const auto& cert : certs) | 408 for (const auto& cert : certs) |
| 469 sync_certs.AddCert(cert); | 409 sync_certs.AddCert(cert); |
| 470 } | 410 } |
| 471 | 411 |
| 472 CertPathBuilder::Result result; | 412 CertPathBuilder::Result result; |
| 473 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, | 413 CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, |
| 474 time_, &result); | 414 time_, &result); |
| 475 path_builder.AddCertIssuerSource(&sync_certs); | 415 path_builder.AddCertIssuerSource(&sync_certs); |
| 476 | 416 |
| 477 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 417 path_builder.Run(); |
| 478 | 418 |
| 479 ASSERT_TRUE(result.HasValidPath()); | 419 ASSERT_TRUE(result.HasValidPath()); |
| 480 | 420 |
| 481 // The result path should be A(B) <- B(C) <- C(D) <- D(D) | 421 // The result path should be A(B) <- B(C) <- C(D) <- D(D) |
| 482 const auto& path = result.GetBestValidPath()->path; | 422 const auto& path = result.GetBestValidPath()->path; |
| 483 ASSERT_EQ(3U, path.certs.size()); | 423 ASSERT_EQ(3U, path.certs.size()); |
| 484 EXPECT_EQ(a_by_b_, path.certs[0]); | 424 EXPECT_EQ(a_by_b_, path.certs[0]); |
| 485 EXPECT_EQ(b_by_c_, path.certs[1]); | 425 EXPECT_EQ(b_by_c_, path.certs[1]); |
| 486 EXPECT_EQ(c_by_d_, path.certs[2]); | 426 EXPECT_EQ(c_by_d_, path.certs[2]); |
| 487 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); | 427 EXPECT_EQ(d_by_d_, path.trust_anchor->cert()); |
| (...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 551 // through the rollover cert. | 491 // through the rollover cert. |
| 552 CertIssuerSourceStatic sync_certs; | 492 CertIssuerSourceStatic sync_certs; |
| 553 sync_certs.AddCert(newintermediate_); | 493 sync_certs.AddCert(newintermediate_); |
| 554 sync_certs.AddCert(newrootrollover_); | 494 sync_certs.AddCert(newrootrollover_); |
| 555 | 495 |
| 556 CertPathBuilder::Result result; | 496 CertPathBuilder::Result result; |
| 557 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 497 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 558 &result); | 498 &result); |
| 559 path_builder.AddCertIssuerSource(&sync_certs); | 499 path_builder.AddCertIssuerSource(&sync_certs); |
| 560 | 500 |
| 561 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 501 path_builder.Run(); |
| 562 | 502 |
| 563 EXPECT_TRUE(result.HasValidPath()); | 503 EXPECT_TRUE(result.HasValidPath()); |
| 564 | 504 |
| 565 // Path builder will first attempt: target <- newintermediate <- oldroot | 505 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 566 // but it will fail since newintermediate is signed by newroot. | 506 // but it will fail since newintermediate is signed by newroot. |
| 567 ASSERT_EQ(2U, result.paths.size()); | 507 ASSERT_EQ(2U, result.paths.size()); |
| 568 const auto& path0 = result.paths[0]->path; | 508 const auto& path0 = result.paths[0]->path; |
| 569 EXPECT_FALSE(result.paths[0]->valid); | 509 EXPECT_FALSE(result.paths[0]->valid); |
| 570 ASSERT_EQ(2U, path0.certs.size()); | 510 ASSERT_EQ(2U, path0.certs.size()); |
| 571 EXPECT_EQ(target_, path0.certs[0]); | 511 EXPECT_EQ(target_, path0.certs[0]); |
| (...skipping 27 matching lines...) Expand all Loading... |
| 599 CertIssuerSourceStatic sync_certs; | 539 CertIssuerSourceStatic sync_certs; |
| 600 sync_certs.AddCert(oldintermediate_); | 540 sync_certs.AddCert(oldintermediate_); |
| 601 sync_certs.AddCert(newintermediate_); | 541 sync_certs.AddCert(newintermediate_); |
| 602 sync_certs.AddCert(newrootrollover_); | 542 sync_certs.AddCert(newrootrollover_); |
| 603 | 543 |
| 604 CertPathBuilder::Result result; | 544 CertPathBuilder::Result result; |
| 605 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 545 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 606 &result); | 546 &result); |
| 607 path_builder.AddCertIssuerSource(&sync_certs); | 547 path_builder.AddCertIssuerSource(&sync_certs); |
| 608 | 548 |
| 609 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 549 path_builder.Run(); |
| 610 | 550 |
| 611 EXPECT_TRUE(result.HasValidPath()); | 551 EXPECT_TRUE(result.HasValidPath()); |
| 612 | 552 |
| 613 // Path builder willattempt one of: | 553 // Path builder willattempt one of: |
| 614 // target <- oldintermediate <- oldroot | 554 // target <- oldintermediate <- oldroot |
| 615 // target <- newintermediate <- newroot | 555 // target <- newintermediate <- newroot |
| 616 // either will succeed. | 556 // either will succeed. |
| 617 ASSERT_EQ(1U, result.paths.size()); | 557 ASSERT_EQ(1U, result.paths.size()); |
| 618 const auto& path = result.paths[0]->path; | 558 const auto& path = result.paths[0]->path; |
| 619 EXPECT_TRUE(result.paths[0]->valid); | 559 EXPECT_TRUE(result.paths[0]->valid); |
| 620 ASSERT_EQ(2U, path.certs.size()); | 560 ASSERT_EQ(2U, path.certs.size()); |
| 621 EXPECT_EQ(target_, path.certs[0]); | 561 EXPECT_EQ(target_, path.certs[0]); |
| 622 if (path.certs[1] != newintermediate_) { | 562 if (path.certs[1] != newintermediate_) { |
| 623 DVLOG(1) << "USED OLD"; | 563 DVLOG(1) << "USED OLD"; |
| 624 EXPECT_EQ(oldintermediate_, path.certs[1]); | 564 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 625 EXPECT_EQ(oldroot_, path.trust_anchor); | 565 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 626 } else { | 566 } else { |
| 627 DVLOG(1) << "USED NEW"; | 567 DVLOG(1) << "USED NEW"; |
| 628 EXPECT_EQ(newintermediate_, path.certs[1]); | 568 EXPECT_EQ(newintermediate_, path.certs[1]); |
| 629 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 569 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 630 } | 570 } |
| 631 } | 571 } |
| 632 | 572 |
| 633 // If trust anchors are provided both synchronously and asynchronously for the | 573 // If trust anchor query returned no results, and there are no issuer |
| 634 // same cert, the synchronously provided ones should be tried first, and | |
| 635 // pathbuilder should finish synchronously. | |
| 636 TEST_F(PathBuilderKeyRolloverTest, TestSyncAnchorsPreferred) { | |
| 637 TrustStoreInMemoryAsync trust_store; | |
| 638 // Both oldintermediate and newintermediate are trusted, but oldintermediate | |
| 639 // is returned synchronously and newintermediate asynchronously. | |
| 640 trust_store.AddSyncTrustAnchor( | |
| 641 TrustAnchor::CreateFromCertificateNoConstraints(oldintermediate_)); | |
| 642 trust_store.AddAsyncTrustAnchor( | |
| 643 TrustAnchor::CreateFromCertificateNoConstraints(newintermediate_)); | |
| 644 | |
| 645 CertPathBuilder::Result result; | |
| 646 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | |
| 647 &result); | |
| 648 | |
| 649 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | |
| 650 | |
| 651 EXPECT_TRUE(result.HasValidPath()); | |
| 652 | |
| 653 ASSERT_EQ(1U, result.paths.size()); | |
| 654 const auto& path = result.paths[0]->path; | |
| 655 EXPECT_TRUE(result.paths[0]->valid); | |
| 656 ASSERT_EQ(1U, path.certs.size()); | |
| 657 EXPECT_EQ(target_, path.certs[0]); | |
| 658 EXPECT_EQ(oldintermediate_, path.trust_anchor->cert()); | |
| 659 } | |
| 660 | |
| 661 // Async trust anchor checks should be done before synchronous issuer checks are | |
| 662 // considered. (Avoiding creating unnecessarily long paths.) | |
| 663 // | |
| 664 // Two valid paths could be built: | |
| 665 // newintermediate <- newrootrollover <- oldroot | |
| 666 // newintermediate <- newroot | |
| 667 // One invalid path could be built: | |
| 668 // newintermediate <- oldroot | |
| 669 // | |
| 670 // First: newintermediate <- oldroot will be tried, since oldroot is | |
| 671 // available synchronously, but this path will not verify. | |
| 672 // Second: newintermediate <- newroot should be built, even though | |
| 673 // newrootrollover issuer is available synchronously and newroot is async. This | |
| 674 // path should verify and pathbuilder will stop. | |
| 675 TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsBeforeSyncIssuers) { | |
| 676 TrustStoreInMemoryAsync trust_store; | |
| 677 trust_store.AddSyncTrustAnchor(oldroot_); | |
| 678 trust_store.AddAsyncTrustAnchor( | |
| 679 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); | |
| 680 | |
| 681 CertIssuerSourceStatic sync_certs; | |
| 682 sync_certs.AddCert(newrootrollover_); | |
| 683 | |
| 684 CertPathBuilder::Result result; | |
| 685 CertPathBuilder path_builder(newintermediate_, &trust_store, | |
| 686 &signature_policy_, time_, &result); | |
| 687 path_builder.AddCertIssuerSource(&sync_certs); | |
| 688 | |
| 689 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | |
| 690 | |
| 691 EXPECT_TRUE(result.HasValidPath()); | |
| 692 | |
| 693 ASSERT_EQ(2U, result.paths.size()); | |
| 694 { | |
| 695 const auto& path = result.paths[0]->path; | |
| 696 EXPECT_FALSE(result.paths[0]->valid); | |
| 697 ASSERT_EQ(1U, path.certs.size()); | |
| 698 EXPECT_EQ(newintermediate_, path.certs[0]); | |
| 699 EXPECT_EQ(oldroot_, path.trust_anchor); | |
| 700 } | |
| 701 { | |
| 702 const auto& path = result.paths[1]->path; | |
| 703 EXPECT_TRUE(result.paths[1]->valid); | |
| 704 ASSERT_EQ(1U, path.certs.size()); | |
| 705 EXPECT_EQ(newintermediate_, path.certs[0]); | |
| 706 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | |
| 707 } | |
| 708 } | |
| 709 | |
| 710 // If async trust anchor query returned no results, and there are no issuer | |
| 711 // sources, path building should fail at that point. | 574 // sources, path building should fail at that point. |
| 712 TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsNoMatchAndNoIssuerSources) { | 575 TEST_F(PathBuilderKeyRolloverTest, TestAnchorsNoMatchAndNoIssuerSources) { |
| 713 TrustStoreInMemoryAsync trust_store; | 576 TrustStoreInMemory trust_store; |
| 714 trust_store.AddAsyncTrustAnchor( | 577 trust_store.AddTrustAnchor( |
| 715 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); | 578 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); |
| 716 | 579 |
| 717 CertPathBuilder::Result result; | 580 CertPathBuilder::Result result; |
| 718 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 581 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 719 &result); | 582 &result); |
| 720 | 583 |
| 721 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 584 path_builder.Run(); |
| 722 | 585 |
| 723 EXPECT_FALSE(result.HasValidPath()); | 586 EXPECT_FALSE(result.HasValidPath()); |
| 724 | 587 |
| 725 ASSERT_EQ(0U, result.paths.size()); | 588 ASSERT_EQ(0U, result.paths.size()); |
| 726 } | 589 } |
| 727 | 590 |
| 728 // Both trust store and issuer source are async. Should successfully build a | |
| 729 // path. | |
| 730 TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsAndAsyncIssuers) { | |
| 731 TrustStoreInMemoryAsync trust_store; | |
| 732 trust_store.AddAsyncTrustAnchor( | |
| 733 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); | |
| 734 | |
| 735 AsyncCertIssuerSourceStatic async_certs; | |
| 736 async_certs.AddCert(newintermediate_); | |
| 737 | |
| 738 CertPathBuilder::Result result; | |
| 739 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | |
| 740 &result); | |
| 741 path_builder.AddCertIssuerSource(&async_certs); | |
| 742 | |
| 743 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | |
| 744 | |
| 745 EXPECT_TRUE(result.HasValidPath()); | |
| 746 | |
| 747 ASSERT_EQ(1U, result.paths.size()); | |
| 748 const auto& path = result.paths[0]->path; | |
| 749 EXPECT_TRUE(result.paths[0]->valid); | |
| 750 ASSERT_EQ(2U, path.certs.size()); | |
| 751 EXPECT_EQ(target_, path.certs[0]); | |
| 752 EXPECT_EQ(newintermediate_, path.certs[1]); | |
| 753 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | |
| 754 } | |
| 755 | |
| 756 // Tests that multiple trust root matches on a single path will be considered. | 591 // Tests that multiple trust root matches on a single path will be considered. |
| 757 // Both roots have the same subject but different keys. Only one of them will | 592 // Both roots have the same subject but different keys. Only one of them will |
| 758 // verify. | 593 // verify. |
| 759 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { | 594 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { |
| 760 TrustStoreInMemoryAsync trust_store; | 595 TrustStoreInMemory trust_store; |
| 761 // Since FindTrustAnchorsByNormalizedName returns newroot synchronously, it | 596 // Add two trust anchors (newroot_ and oldroot_). Path building will attempt |
| 762 // should be tried first. | 597 // them in this same order. |
| 763 trust_store.AddSyncTrustAnchor( | 598 trust_store.AddTrustAnchor( |
| 764 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); | 599 TrustAnchor::CreateFromCertificateNoConstraints(newroot_)); |
| 765 // oldroot is returned asynchronously, so it should only be tried after the | 600 trust_store.AddTrustAnchor(oldroot_); |
| 766 // path built with newroot fails. | |
| 767 trust_store.AddAsyncTrustAnchor(oldroot_); | |
| 768 | 601 |
| 769 // Only oldintermediate is supplied, so the path with newroot should fail, | 602 // Only oldintermediate is supplied, so the path with newroot should fail, |
| 770 // oldroot should succeed. | 603 // oldroot should succeed. |
| 771 CertIssuerSourceStatic sync_certs; | 604 CertIssuerSourceStatic sync_certs; |
| 772 sync_certs.AddCert(oldintermediate_); | 605 sync_certs.AddCert(oldintermediate_); |
| 773 | 606 |
| 774 CertPathBuilder::Result result; | 607 CertPathBuilder::Result result; |
| 775 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 608 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 776 &result); | 609 &result); |
| 777 path_builder.AddCertIssuerSource(&sync_certs); | 610 path_builder.AddCertIssuerSource(&sync_certs); |
| 778 | 611 |
| 779 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 612 path_builder.Run(); |
| 780 | 613 |
| 781 EXPECT_TRUE(result.HasValidPath()); | 614 EXPECT_TRUE(result.HasValidPath()); |
| 782 ASSERT_EQ(2U, result.paths.size()); | 615 ASSERT_EQ(2U, result.paths.size()); |
| 783 | 616 |
| 784 { | 617 { |
| 785 // Path builder may first attempt: target <- oldintermediate <- newroot | 618 // Path builder may first attempt: target <- oldintermediate <- newroot |
| 786 // but it will fail since oldintermediate is signed by oldroot. | 619 // but it will fail since oldintermediate is signed by oldroot. |
| 787 EXPECT_FALSE(result.paths[0]->valid); | 620 EXPECT_FALSE(result.paths[0]->valid); |
| 788 const auto& path = result.paths[0]->path; | 621 const auto& path = result.paths[0]->path; |
| 789 ASSERT_EQ(2U, path.certs.size()); | 622 ASSERT_EQ(2U, path.certs.size()); |
| (...skipping 30 matching lines...) Expand all Loading... |
| 820 // pathbuilder to first try building a longer than necessary path. | 653 // pathbuilder to first try building a longer than necessary path. |
| 821 AsyncCertIssuerSourceStatic async_certs; | 654 AsyncCertIssuerSourceStatic async_certs; |
| 822 async_certs.AddCert(newrootrollover_); | 655 async_certs.AddCert(newrootrollover_); |
| 823 | 656 |
| 824 CertPathBuilder::Result result; | 657 CertPathBuilder::Result result; |
| 825 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 658 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 826 &result); | 659 &result); |
| 827 path_builder.AddCertIssuerSource(&sync_certs); | 660 path_builder.AddCertIssuerSource(&sync_certs); |
| 828 path_builder.AddCertIssuerSource(&async_certs); | 661 path_builder.AddCertIssuerSource(&async_certs); |
| 829 | 662 |
| 830 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 663 path_builder.Run(); |
| 831 | 664 |
| 832 EXPECT_TRUE(result.HasValidPath()); | 665 EXPECT_TRUE(result.HasValidPath()); |
| 833 ASSERT_EQ(3U, result.paths.size()); | 666 ASSERT_EQ(3U, result.paths.size()); |
| 834 | 667 |
| 835 // Path builder will first attempt: target <- newintermediate <- oldroot | 668 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 836 // but it will fail since newintermediate is signed by newroot. | 669 // but it will fail since newintermediate is signed by newroot. |
| 837 EXPECT_FALSE(result.paths[0]->valid); | 670 EXPECT_FALSE(result.paths[0]->valid); |
| 838 const auto& path0 = result.paths[0]->path; | 671 const auto& path0 = result.paths[0]->path; |
| 839 ASSERT_EQ(2U, path0.certs.size()); | 672 ASSERT_EQ(2U, path0.certs.size()); |
| 840 EXPECT_EQ(target_, path0.certs[0]); | 673 EXPECT_EQ(target_, path0.certs[0]); |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 875 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { | 708 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { |
| 876 // Trust newintermediate. | 709 // Trust newintermediate. |
| 877 TrustStoreInMemory trust_store; | 710 TrustStoreInMemory trust_store; |
| 878 AddTrustedCertificate(newintermediate_, &trust_store); | 711 AddTrustedCertificate(newintermediate_, &trust_store); |
| 879 | 712 |
| 880 CertPathBuilder::Result result; | 713 CertPathBuilder::Result result; |
| 881 // Newintermediate is also the target cert. | 714 // Newintermediate is also the target cert. |
| 882 CertPathBuilder path_builder(newintermediate_, &trust_store, | 715 CertPathBuilder path_builder(newintermediate_, &trust_store, |
| 883 &signature_policy_, time_, &result); | 716 &signature_policy_, time_, &result); |
| 884 | 717 |
| 885 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 718 path_builder.Run(); |
| 886 | 719 |
| 887 EXPECT_FALSE(result.HasValidPath()); | 720 EXPECT_FALSE(result.HasValidPath()); |
| 888 } | 721 } |
| 889 | 722 |
| 890 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path | 723 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path |
| 891 // can still be built. | 724 // can still be built. |
| 892 // Since LoopChecker will prevent the intermediate from being included, this | 725 // Since LoopChecker will prevent the intermediate from being included, this |
| 893 // currently does NOT verify. This case shouldn't occur in the web PKI. | 726 // currently does NOT verify. This case shouldn't occur in the web PKI. |
| 894 TEST_F(PathBuilderKeyRolloverTest, | 727 TEST_F(PathBuilderKeyRolloverTest, |
| 895 TestEndEntityHasSameNameAndSpkiAsIntermediate) { | 728 TestEndEntityHasSameNameAndSpkiAsIntermediate) { |
| 896 // Trust oldroot. | 729 // Trust oldroot. |
| 897 TrustStoreInMemory trust_store; | 730 TrustStoreInMemory trust_store; |
| 898 trust_store.AddTrustAnchor(oldroot_); | 731 trust_store.AddTrustAnchor(oldroot_); |
| 899 | 732 |
| 900 // New root rollover is provided synchronously. | 733 // New root rollover is provided synchronously. |
| 901 CertIssuerSourceStatic sync_certs; | 734 CertIssuerSourceStatic sync_certs; |
| 902 sync_certs.AddCert(newrootrollover_); | 735 sync_certs.AddCert(newrootrollover_); |
| 903 | 736 |
| 904 CertPathBuilder::Result result; | 737 CertPathBuilder::Result result; |
| 905 // Newroot is the target cert. | 738 // Newroot is the target cert. |
| 906 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 739 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 907 time_, &result); | 740 time_, &result); |
| 908 path_builder.AddCertIssuerSource(&sync_certs); | 741 path_builder.AddCertIssuerSource(&sync_certs); |
| 909 | 742 |
| 910 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 743 path_builder.Run(); |
| 911 | 744 |
| 912 // This could actually be OK, but CertPathBuilder does not build the | 745 // This could actually be OK, but CertPathBuilder does not build the |
| 913 // newroot <- newrootrollover <- oldroot path. | 746 // newroot <- newrootrollover <- oldroot path. |
| 914 EXPECT_FALSE(result.HasValidPath()); | 747 EXPECT_FALSE(result.HasValidPath()); |
| 915 } | 748 } |
| 916 | 749 |
| 917 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) | 750 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) |
| 918 // path can still be built. | 751 // path can still be built. |
| 919 TEST_F(PathBuilderKeyRolloverTest, | 752 TEST_F(PathBuilderKeyRolloverTest, |
| 920 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { | 753 TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { |
| 921 // Trust newrootrollover. | 754 // Trust newrootrollover. |
| 922 TrustStoreInMemory trust_store; | 755 TrustStoreInMemory trust_store; |
| 923 AddTrustedCertificate(newrootrollover_, &trust_store); | 756 AddTrustedCertificate(newrootrollover_, &trust_store); |
| 924 | 757 |
| 925 CertPathBuilder::Result result; | 758 CertPathBuilder::Result result; |
| 926 // Newroot is the target cert. | 759 // Newroot is the target cert. |
| 927 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, | 760 CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_, |
| 928 time_, &result); | 761 time_, &result); |
| 929 | 762 |
| 930 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 763 path_builder.Run(); |
| 931 | 764 |
| 932 ASSERT_TRUE(result.HasValidPath()); | 765 ASSERT_TRUE(result.HasValidPath()); |
| 933 | 766 |
| 934 const CertPathBuilder::ResultPath* best_result = result.GetBestValidPath(); | 767 const CertPathBuilder::ResultPath* best_result = result.GetBestValidPath(); |
| 935 | 768 |
| 936 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and | 769 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and |
| 937 // only contains newroot. | 770 // only contains newroot. |
| 938 EXPECT_TRUE(best_result->valid); | 771 EXPECT_TRUE(best_result->valid); |
| 939 ASSERT_EQ(1U, best_result->path.certs.size()); | 772 ASSERT_EQ(1U, best_result->path.certs.size()); |
| 940 EXPECT_EQ(newroot_, best_result->path.certs[0]); | 773 EXPECT_EQ(newroot_, best_result->path.certs[0]); |
| (...skipping 27 matching lines...) Expand all Loading... |
| 968 AsyncCertIssuerSourceStatic async_certs; | 801 AsyncCertIssuerSourceStatic async_certs; |
| 969 async_certs.AddCert(newintermediate_); | 802 async_certs.AddCert(newintermediate_); |
| 970 | 803 |
| 971 CertPathBuilder::Result result; | 804 CertPathBuilder::Result result; |
| 972 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 805 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 973 &result); | 806 &result); |
| 974 path_builder.AddCertIssuerSource(&sync_certs1); | 807 path_builder.AddCertIssuerSource(&sync_certs1); |
| 975 path_builder.AddCertIssuerSource(&sync_certs2); | 808 path_builder.AddCertIssuerSource(&sync_certs2); |
| 976 path_builder.AddCertIssuerSource(&async_certs); | 809 path_builder.AddCertIssuerSource(&async_certs); |
| 977 | 810 |
| 978 EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder)); | 811 path_builder.Run(); |
| 979 | 812 |
| 980 EXPECT_TRUE(result.HasValidPath()); | 813 EXPECT_TRUE(result.HasValidPath()); |
| 981 ASSERT_EQ(2U, result.paths.size()); | 814 ASSERT_EQ(2U, result.paths.size()); |
| 982 | 815 |
| 983 // Path builder will first attempt: target <- oldintermediate <- newroot | 816 // Path builder will first attempt: target <- oldintermediate <- newroot |
| 984 // but it will fail since oldintermediate is signed by oldroot. | 817 // but it will fail since oldintermediate is signed by oldroot. |
| 985 EXPECT_FALSE(result.paths[0]->valid); | 818 EXPECT_FALSE(result.paths[0]->valid); |
| 986 const auto& path0 = result.paths[0]->path; | 819 const auto& path0 = result.paths[0]->path; |
| 987 | 820 |
| 988 ASSERT_EQ(2U, path0.certs.size()); | 821 ASSERT_EQ(2U, path0.certs.size()); |
| (...skipping 28 matching lines...) Expand all Loading... |
| 1017 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. | 850 // The oldintermediate and newroot are supplied synchronously by |sync_certs|. |
| 1018 CertIssuerSourceStatic sync_certs; | 851 CertIssuerSourceStatic sync_certs; |
| 1019 sync_certs.AddCert(oldintermediate_); | 852 sync_certs.AddCert(oldintermediate_); |
| 1020 sync_certs.AddCert(newroot_dupe); | 853 sync_certs.AddCert(newroot_dupe); |
| 1021 | 854 |
| 1022 CertPathBuilder::Result result; | 855 CertPathBuilder::Result result; |
| 1023 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, | 856 CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_, |
| 1024 &result); | 857 &result); |
| 1025 path_builder.AddCertIssuerSource(&sync_certs); | 858 path_builder.AddCertIssuerSource(&sync_certs); |
| 1026 | 859 |
| 1027 EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder)); | 860 path_builder.Run(); |
| 1028 | 861 |
| 1029 EXPECT_FALSE(result.HasValidPath()); | 862 EXPECT_FALSE(result.HasValidPath()); |
| 1030 ASSERT_EQ(2U, result.paths.size()); | 863 ASSERT_EQ(2U, result.paths.size()); |
| 1031 // TODO(eroman): Is this right? | 864 // TODO(eroman): Is this right? |
| 1032 | 865 |
| 1033 // Path builder attempt: target <- oldintermediate <- newroot | 866 // Path builder attempt: target <- oldintermediate <- newroot |
| 1034 // but it will fail since oldintermediate is signed by oldroot. | 867 // but it will fail since oldintermediate is signed by oldroot. |
| 1035 EXPECT_FALSE(result.paths[0]->valid); | 868 EXPECT_FALSE(result.paths[0]->valid); |
| 1036 const auto& path = result.paths[0]->path; | 869 const auto& path = result.paths[0]->path; |
| 1037 ASSERT_EQ(2U, path.certs.size()); | 870 ASSERT_EQ(2U, path.certs.size()); |
| 1038 EXPECT_EQ(target_, path.certs[0]); | 871 EXPECT_EQ(target_, path.certs[0]); |
| 1039 EXPECT_EQ(oldintermediate_, path.certs[1]); | 872 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 1040 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 873 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 1041 // of newroot was used in the path. | 874 // of newroot was used in the path. |
| 1042 EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert()); | 875 EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert()); |
| 1043 } | 876 } |
| 1044 | 877 |
| 878 // TODO(eroman): Re-enable these tests |
| 879 #if 0 |
| 1045 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { | 880 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { |
| 1046 public: | 881 public: |
| 1047 MOCK_METHOD1(GetNext, CompletionStatus(scoped_refptr<ParsedCertificate>*)); | 882 MOCK_METHOD1(GetNext, void(ParsedCertificateList*)); |
| 1048 }; | 883 }; |
| 1049 | 884 |
| 1050 class MockCertIssuerSource : public CertIssuerSource { | 885 class MockCertIssuerSource : public CertIssuerSource { |
| 1051 public: | 886 public: |
| 1052 MOCK_METHOD2(SyncGetIssuersOf, | 887 MOCK_METHOD2(SyncGetIssuersOf, |
| 1053 void(const ParsedCertificate*, ParsedCertificateList*)); | 888 void(const ParsedCertificate*, ParsedCertificateList*)); |
| 1054 MOCK_METHOD3(AsyncGetIssuersOf, | 889 MOCK_METHOD3(AsyncGetIssuersOf, |
| 1055 void(const ParsedCertificate*, | 890 void(const ParsedCertificate*, |
| 1056 const IssuerCallback&, | |
| 1057 std::unique_ptr<Request>*)); | 891 std::unique_ptr<Request>*)); |
| 1058 }; | 892 }; |
| 1059 | 893 |
| 1060 // Helper class to pass the Request to the PathBuilder when it calls | 894 // Helper class to pass the Request to the PathBuilder when it calls |
| 1061 // AsyncGetIssuersOf. (GoogleMock has a ByMove helper, but it apparently can | 895 // AsyncGetIssuersOf. (GoogleMock has a ByMove helper, but it apparently can |
| 1062 // only be used with Return, not SetArgPointee.) | 896 // only be used with Return, not SetArgPointee.) |
| 1063 class CertIssuerSourceRequestMover { | 897 class CertIssuerSourceRequestMover { |
| 1064 public: | 898 public: |
| 1065 CertIssuerSourceRequestMover(std::unique_ptr<CertIssuerSource::Request> req) | 899 CertIssuerSourceRequestMover(std::unique_ptr<CertIssuerSource::Request> req) |
| 1066 : request_(std::move(req)) {} | 900 : request_(std::move(req)) {} |
| (...skipping 218 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1285 // After the third batch of async results, path builder will attempt: | 1119 // After the third batch of async results, path builder will attempt: |
| 1286 // target <- newintermediate <- newroot which will succeed. | 1120 // target <- newintermediate <- newroot which will succeed. |
| 1287 EXPECT_TRUE(result.paths[1]->valid); | 1121 EXPECT_TRUE(result.paths[1]->valid); |
| 1288 const auto& path1 = result.paths[1]->path; | 1122 const auto& path1 = result.paths[1]->path; |
| 1289 ASSERT_EQ(2U, path1.certs.size()); | 1123 ASSERT_EQ(2U, path1.certs.size()); |
| 1290 EXPECT_EQ(target_, path1.certs[0]); | 1124 EXPECT_EQ(target_, path1.certs[0]); |
| 1291 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1125 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1292 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 1126 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1293 } | 1127 } |
| 1294 | 1128 |
| 1129 #endif |
| 1130 |
| 1295 } // namespace | 1131 } // namespace |
| 1296 | 1132 |
| 1297 } // namespace net | 1133 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2453093004:
Remove dependence on a message loop for net::PathBuilder. (Closed)
