Chromium Code Reviews Chromium Code Reviews
Issue 2483783003:
Distrust publicly trusted SHA-1 certs (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| 11 #include "base/files/file_util.h" | 11 #include "base/files/file_util.h" |
| 12 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/macros.h" | 13 #include "base/macros.h" |
| 14 #include "base/sha1.h" | 14 #include "base/sha1.h" |
| 15 #include "base/strings/string_number_conversions.h" | 15 #include "base/strings/string_number_conversions.h" |
| 16 #include "base/test/histogram_tester.h" | 16 #include "base/test/histogram_tester.h" |
| 17 #include "base/test/scoped_feature_list.h" | |
| 17 #include "build/build_config.h" | 18 #include "build/build_config.h" |
| 18 #include "crypto/sha2.h" | 19 #include "crypto/sha2.h" |
| 19 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
| 20 #include "net/cert/asn1_util.h" | 21 #include "net/cert/asn1_util.h" |
| 21 #include "net/cert/cert_status_flags.h" | 22 #include "net/cert/cert_status_flags.h" |
| 22 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
| 23 #include "net/cert/cert_verify_result.h" | 24 #include "net/cert/cert_verify_result.h" |
| 24 #include "net/cert/crl_set.h" | 25 #include "net/cert/crl_set.h" |
| 25 #include "net/cert/crl_set_storage.h" | 26 #include "net/cert/crl_set_storage.h" |
| 26 #include "net/cert/test_root_certs.h" | 27 #include "net/cert/test_root_certs.h" |
| 27 #include "net/cert/x509_certificate.h" | 28 #include "net/cert/x509_certificate.h" |
| 28 #include "net/test/cert_test_util.h" | 29 #include "net/test/cert_test_util.h" |
| 29 #include "net/test/gtest_util.h" | 30 #include "net/test/gtest_util.h" |
| 30 #include "net/test/test_certificate_data.h" | 31 #include "net/test/test_certificate_data.h" |
| 31 #include "net/test/test_data_directory.h" | 32 #include "net/test/test_data_directory.h" |
| 32 #include "testing/gmock/include/gmock/gmock.h" | 33 #include "testing/gmock/include/gmock/gmock.h" |
| 33 #include "testing/gtest/include/gtest/gtest.h" | 34 #include "testing/gtest/include/gtest/gtest.h" |
| 34 | 35 |
| 35 #if defined(OS_ANDROID) | 36 #if defined(OS_ANDROID) |
| 36 #include "base/android/build_info.h" | 37 #include "base/android/build_info.h" |
| 37 #endif | 38 #endif |
| 38 | 39 |
| 39 #if defined(OS_MACOSX) && !defined(OS_IOS) | 40 #if defined(OS_MACOSX) && !defined(OS_IOS) |
| 40 #include "net/cert/test_keychain_search_list_mac.h" | 41 #include "net/cert/test_keychain_search_list_mac.h" |
| 41 #endif | 42 #endif |
| 42 | 43 |
| 44 #if defined(OS_WIN) | |
| 45 #include "base/win/windows_version.h" | |
| 46 #endif | |
| 47 | |
| 43 using net::test::IsError; | 48 using net::test::IsError; |
| 44 using net::test::IsOk; | 49 using net::test::IsOk; |
| 45 | 50 |
| 46 using base::HexEncode; | 51 using base::HexEncode; |
| 47 | 52 |
| 48 namespace net { | 53 namespace net { |
| 49 | 54 |
| 50 namespace { | 55 namespace { |
| 51 | 56 |
| 52 const char kTLSFeatureExtensionHistogram[] = | 57 const char kTLSFeatureExtensionHistogram[] = |
| (...skipping 811 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 864 // However, if the CA is not well known, these should not be flagged: | 869 // However, if the CA is not well known, these should not be flagged: |
| 865 dummy_result.Reset(); | 870 dummy_result.Reset(); |
| 866 dummy_result.is_issued_by_known_root = false; | 871 dummy_result.is_issued_by_known_root = false; |
| 867 verify_proc_ = new MockCertVerifyProc(dummy_result); | 872 verify_proc_ = new MockCertVerifyProc(dummy_result); |
| 868 error = | 873 error = |
| 869 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); | 874 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); |
| 870 EXPECT_THAT(error, IsOk()); | 875 EXPECT_THAT(error, IsOk()); |
| 871 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 876 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 872 } | 877 } |
| 873 | 878 |
| 874 // Test that a SHA-1 certificate from a publicly trusted CA issued after | 879 // While all SHA-1 certificates should be rejected, in the event that there |
| 875 // 1 January 2016 is rejected, but those issued before that date, or with | 880 // emerges some unexpected bug, test that the 'legacy' behaviour works |
| 876 // SHA-1 in the intermediate, is not rejected. | 881 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs |
| 877 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecation) { | 882 // that were issued after 1 January 2016, while still allowing those from |
| 883 // before that date, with SHA-1 in the intermediate, or from an enterprise | |
| 884 // CA. | |
| 885 // | |
| 886 // TODO(rsleevi): This code should be removed in M57. | |
| 887 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) { | |
| 888 base::test::ScopedFeatureList scoped_feature_list; | |
| 889 scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode); | |
| 890 | |
| 878 CertVerifyResult dummy_result; | 891 CertVerifyResult dummy_result; |
| 879 CertVerifyResult verify_result; | 892 CertVerifyResult verify_result; |
| 880 int error = 0; | 893 int error = 0; |
| 881 scoped_refptr<X509Certificate> cert; | 894 scoped_refptr<X509Certificate> cert; |
| 882 | 895 |
| 883 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 | 896 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 |
| 884 // are accepted. | 897 // are accepted. |
| 885 verify_result.Reset(); | 898 verify_result.Reset(); |
| 886 dummy_result.Reset(); | 899 dummy_result.Reset(); |
| 887 dummy_result.is_issued_by_known_root = true; | 900 dummy_result.is_issued_by_known_root = true; |
| (...skipping 617 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1505 "/System/Library/Keychains/SystemRootCertificates.keychain"; | 1518 "/System/Library/Keychains/SystemRootCertificates.keychain"; |
| 1506 ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path))); | 1519 ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path))); |
| 1507 | 1520 |
| 1508 SecKeychainRef keychain; | 1521 SecKeychainRef keychain; |
| 1509 OSStatus status = SecKeychainOpen(root_keychain_path, &keychain); | 1522 OSStatus status = SecKeychainOpen(root_keychain_path, &keychain); |
| 1510 ASSERT_EQ(errSecSuccess, status); | 1523 ASSERT_EQ(errSecSuccess, status); |
| 1511 CFRelease(keychain); | 1524 CFRelease(keychain); |
| 1512 } | 1525 } |
| 1513 #endif | 1526 #endif |
| 1514 | 1527 |
| 1528 bool AreSHA1IntermediatesAllowed() { | |
| 1529 #if defined(OS_WIN) | |
| 1530 // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved | |
| 1531 // for Windows 7/2008 users. | |
| 1532 // Note: This must be kept in sync with cert_verify_proc.cc | |
| 1533 return base::win::GetVersion() < base::win::VERSION_WIN8; | |
|
Ryan Sleevi
2016/11/09 01:02:14
This is why it made it past bots
davidben
2016/11/09 01:04:28
Oops. I should have been paying more attention. :-
| |
| 1534 #else | |
| 1535 return false; | |
| 1536 #endif | |
| 1537 } | |
| 1538 | |
| 1539 TEST_F(CertVerifyProcTest, RejectsMD2) { | |
| 1540 scoped_refptr<X509Certificate> cert( | |
| 1541 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1542 ASSERT_TRUE(cert); | |
| 1543 | |
| 1544 CertVerifyResult result; | |
| 1545 result.has_md2 = true; | |
| 1546 verify_proc_ = new MockCertVerifyProc(result); | |
| 1547 | |
| 1548 int flags = 0; | |
| 1549 CertVerifyResult verify_result; | |
| 1550 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1551 empty_cert_list_, &verify_result); | |
| 1552 EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); | |
| 1553 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | |
| 1554 } | |
| 1555 | |
| 1556 TEST_F(CertVerifyProcTest, RejectsMD4) { | |
| 1557 scoped_refptr<X509Certificate> cert( | |
| 1558 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1559 ASSERT_TRUE(cert); | |
| 1560 | |
| 1561 CertVerifyResult result; | |
| 1562 result.has_md4 = true; | |
| 1563 verify_proc_ = new MockCertVerifyProc(result); | |
| 1564 | |
| 1565 int flags = 0; | |
| 1566 CertVerifyResult verify_result; | |
| 1567 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1568 empty_cert_list_, &verify_result); | |
| 1569 EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); | |
| 1570 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | |
| 1571 } | |
| 1572 | |
| 1573 TEST_F(CertVerifyProcTest, RejectsMD5) { | |
| 1574 scoped_refptr<X509Certificate> cert( | |
| 1575 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1576 ASSERT_TRUE(cert); | |
| 1577 | |
| 1578 CertVerifyResult result; | |
| 1579 result.has_md5 = true; | |
| 1580 verify_proc_ = new MockCertVerifyProc(result); | |
| 1581 | |
| 1582 int flags = 0; | |
| 1583 CertVerifyResult verify_result; | |
| 1584 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1585 empty_cert_list_, &verify_result); | |
| 1586 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
| 1587 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | |
| 1588 } | |
| 1589 | |
| 1590 TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) { | |
| 1591 scoped_refptr<X509Certificate> cert( | |
| 1592 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1593 ASSERT_TRUE(cert); | |
| 1594 | |
| 1595 CertVerifyResult result; | |
| 1596 result.has_sha1 = true; | |
| 1597 result.has_sha1_leaf = true; | |
| 1598 result.is_issued_by_known_root = true; | |
| 1599 verify_proc_ = new MockCertVerifyProc(result); | |
| 1600 | |
| 1601 int flags = 0; | |
| 1602 CertVerifyResult verify_result; | |
| 1603 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1604 empty_cert_list_, &verify_result); | |
| 1605 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
| 1606 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | |
| 1607 } | |
| 1608 | |
| 1609 TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) { | |
| 1610 scoped_refptr<X509Certificate> cert(ImportCertFromFile( | |
| 1611 GetTestCertsDirectory(), "39_months_after_2015_04.pem")); | |
|
Ryan Sleevi
2016/11/09 01:02:14
I only changed this test, because the hope is for
| |
| 1612 ASSERT_TRUE(cert); | |
| 1613 | |
| 1614 CertVerifyResult result; | |
| 1615 result.has_sha1 = true; | |
| 1616 result.has_sha1_leaf = false; | |
| 1617 result.is_issued_by_known_root = true; | |
| 1618 verify_proc_ = new MockCertVerifyProc(result); | |
| 1619 | |
| 1620 int flags = 0; | |
| 1621 CertVerifyResult verify_result; | |
| 1622 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1623 empty_cert_list_, &verify_result); | |
| 1624 if (AreSHA1IntermediatesAllowed()) { | |
| 1625 EXPECT_THAT(error, IsOk()); | |
| 1626 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | |
| 1627 } else { | |
| 1628 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
| 1629 EXPECT_TRUE(verify_result.cert_status & | |
| 1630 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | |
| 1631 } | |
| 1632 } | |
| 1633 | |
| 1634 TEST_F(CertVerifyProcTest, AcceptsPrivateSHA1) { | |
| 1635 scoped_refptr<X509Certificate> cert( | |
| 1636 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1637 ASSERT_TRUE(cert); | |
| 1638 | |
| 1639 CertVerifyResult result; | |
| 1640 result.has_sha1 = true; | |
| 1641 result.has_sha1_leaf = true; | |
| 1642 result.is_issued_by_known_root = false; | |
| 1643 verify_proc_ = new MockCertVerifyProc(result); | |
| 1644 | |
| 1645 int flags = 0; | |
| 1646 CertVerifyResult verify_result; | |
| 1647 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1648 empty_cert_list_, &verify_result); | |
| 1649 EXPECT_THAT(error, IsOk()); | |
| 1650 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | |
| 1651 } | |
| 1652 | |
| 1515 enum ExpectedAlgorithms { | 1653 enum ExpectedAlgorithms { |
| 1516 EXPECT_MD2 = 1 << 0, | 1654 EXPECT_MD2 = 1 << 0, |
| 1517 EXPECT_MD4 = 1 << 1, | 1655 EXPECT_MD4 = 1 << 1, |
| 1518 EXPECT_MD5 = 1 << 2, | 1656 EXPECT_MD5 = 1 << 2, |
| 1519 EXPECT_SHA1 = 1 << 3, | 1657 EXPECT_SHA1 = 1 << 3, |
| 1520 EXPECT_SHA1_LEAF = 1 << 4, | 1658 EXPECT_SHA1_LEAF = 1 << 4, |
| 1521 }; | 1659 }; |
| 1522 | 1660 |
| 1523 struct WeakDigestTestData { | 1661 struct WeakDigestTestData { |
| 1524 const char* root_cert_filename; | 1662 const char* root_cert_filename; |
| (...skipping 14 matching lines...) Expand all Loading... | |
| 1539 } | 1677 } |
| 1540 | 1678 |
| 1541 class CertVerifyProcWeakDigestTest | 1679 class CertVerifyProcWeakDigestTest |
| 1542 : public CertVerifyProcTest, | 1680 : public CertVerifyProcTest, |
| 1543 public testing::WithParamInterface<WeakDigestTestData> { | 1681 public testing::WithParamInterface<WeakDigestTestData> { |
| 1544 public: | 1682 public: |
| 1545 CertVerifyProcWeakDigestTest() {} | 1683 CertVerifyProcWeakDigestTest() {} |
| 1546 virtual ~CertVerifyProcWeakDigestTest() {} | 1684 virtual ~CertVerifyProcWeakDigestTest() {} |
| 1547 }; | 1685 }; |
| 1548 | 1686 |
| 1549 TEST_P(CertVerifyProcWeakDigestTest, Verify) { | 1687 // Test that the underlying cryptographic library properly surfaces the |
| 1688 // algorithms used in the chain. Some libraries, like NSS, don't return | |
| 1689 // the failing chain on error, and thus not all tests can be run. | |
| 1690 TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) { | |
| 1550 WeakDigestTestData data = GetParam(); | 1691 WeakDigestTestData data = GetParam(); |
| 1551 base::FilePath certs_dir = GetTestCertsDirectory(); | 1692 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 1552 | 1693 |
| 1553 ScopedTestRoot test_root; | 1694 ScopedTestRoot test_root; |
| 1554 if (data.root_cert_filename) { | 1695 if (data.root_cert_filename) { |
| 1555 scoped_refptr<X509Certificate> root_cert = | 1696 scoped_refptr<X509Certificate> root_cert = |
| 1556 ImportCertFromFile(certs_dir, data.root_cert_filename); | 1697 ImportCertFromFile(certs_dir, data.root_cert_filename); |
| 1557 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); | 1698 ASSERT_TRUE(root_cert); |
| 1558 test_root.Reset(root_cert.get()); | 1699 test_root.Reset(root_cert.get()); |
| 1559 } | 1700 } |
| 1560 | 1701 |
| 1561 scoped_refptr<X509Certificate> intermediate_cert = | 1702 scoped_refptr<X509Certificate> intermediate_cert = |
| 1562 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); | 1703 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); |
| 1563 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get()); | 1704 ASSERT_TRUE(intermediate_cert); |
| 1564 scoped_refptr<X509Certificate> ee_cert = | 1705 scoped_refptr<X509Certificate> ee_cert = |
| 1565 ImportCertFromFile(certs_dir, data.ee_cert_filename); | 1706 ImportCertFromFile(certs_dir, data.ee_cert_filename); |
| 1566 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert.get()); | 1707 ASSERT_TRUE(ee_cert); |
| 1567 | 1708 |
| 1568 X509Certificate::OSCertHandles intermediates; | 1709 X509Certificate::OSCertHandles intermediates; |
| 1569 intermediates.push_back(intermediate_cert->os_cert_handle()); | 1710 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 1570 | 1711 |
| 1571 scoped_refptr<X509Certificate> ee_chain = | 1712 scoped_refptr<X509Certificate> ee_chain = |
| 1572 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 1713 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
| 1573 intermediates); | 1714 intermediates); |
| 1574 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain.get()); | 1715 ASSERT_TRUE(ee_chain); |
| 1575 | 1716 |
| 1576 int flags = 0; | 1717 int flags = 0; |
| 1577 CertVerifyResult verify_result; | 1718 CertVerifyResult verify_result; |
| 1578 int rv = Verify(ee_chain.get(), | 1719 Verify(ee_chain.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1579 "127.0.0.1", | 1720 &verify_result); |
| 1580 flags, | |
| 1581 NULL, | |
| 1582 empty_cert_list_, | |
| 1583 &verify_result); | |
| 1584 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2); | 1721 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2); |
| 1585 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4); | 1722 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4); |
| 1586 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5); | 1723 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5); |
| 1587 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1); | 1724 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1); |
| 1588 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1_LEAF), | 1725 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1_LEAF), |
| 1589 verify_result.has_sha1_leaf); | 1726 verify_result.has_sha1_leaf); |
| 1590 | |
| 1591 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | |
| 1592 | |
| 1593 // Ensure that MD4 and MD2 are tagged as invalid. | |
| 1594 if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) { | |
| 1595 EXPECT_EQ(CERT_STATUS_INVALID, | |
| 1596 verify_result.cert_status & CERT_STATUS_INVALID); | |
| 1597 } | |
| 1598 | |
| 1599 // Ensure that MD5 is flagged as weak. | |
| 1600 if (data.expected_algorithms & EXPECT_MD5) { | |
| 1601 EXPECT_EQ( | |
| 1602 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, | |
| 1603 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | |
| 1604 } | |
| 1605 | |
| 1606 // If a root cert is present, then check that the chain was rejected if any | |
| 1607 // weak algorithms are present. This is only checked when a root cert is | |
| 1608 // present because the error reported for incomplete chains with weak | |
| 1609 // algorithms depends on which implementation was used to validate (NSS, | |
| 1610 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm | |
| 1611 // present (MD2, MD4, MD5). | |
| 1612 if (data.root_cert_filename) { | |
| 1613 if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) { | |
| 1614 EXPECT_THAT(rv, IsError(ERR_CERT_INVALID)); | |
| 1615 } else if (data.expected_algorithms & EXPECT_MD5) { | |
| 1616 EXPECT_THAT(rv, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
| 1617 } else { | |
| 1618 EXPECT_THAT(rv, IsOk()); | |
| 1619 } | |
| 1620 } | |
| 1621 } | 1727 } |
| 1622 | 1728 |
| 1623 // Unlike TEST/TEST_F, which are macros that expand to further macros, | 1729 // Unlike TEST/TEST_F, which are macros that expand to further macros, |
| 1624 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that | 1730 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that |
| 1625 // stringizes the arguments. As a result, macros passed as parameters (such as | 1731 // stringizes the arguments. As a result, macros passed as parameters (such as |
| 1626 // prefix or test_case_name) will not be expanded by the preprocessor. To work | 1732 // prefix or test_case_name) will not be expanded by the preprocessor. To work |
| 1627 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the | 1733 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the |
| 1628 // pre-processor will expand macros such as MAYBE_test_name before | 1734 // pre-processor will expand macros such as MAYBE_test_name before |
| 1629 // instantiating the test. | 1735 // instantiating the test. |
| 1630 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ | 1736 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ |
| (...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1861 } | 1967 } |
| 1862 #endif // defined(OS_MACOSX) && !defined(OS_IOS) | 1968 #endif // defined(OS_MACOSX) && !defined(OS_IOS) |
| 1863 | 1969 |
| 1864 // Tests that CertVerifyProc records a histogram correctly when a | 1970 // Tests that CertVerifyProc records a histogram correctly when a |
| 1865 // certificate chaining to a private root contains the TLS feature | 1971 // certificate chaining to a private root contains the TLS feature |
| 1866 // extension and does not have a stapled OCSP response. | 1972 // extension and does not have a stapled OCSP response. |
| 1867 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { | 1973 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { |
| 1868 base::HistogramTester histograms; | 1974 base::HistogramTester histograms; |
| 1869 scoped_refptr<X509Certificate> cert( | 1975 scoped_refptr<X509Certificate> cert( |
| 1870 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1976 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
| 1977 ASSERT_TRUE(cert); | |
| 1871 CertVerifyResult result; | 1978 CertVerifyResult result; |
| 1872 result.is_issued_by_known_root = false; | 1979 result.is_issued_by_known_root = false; |
| 1873 result.verified_cert = cert; | |
| 1874 verify_proc_ = new MockCertVerifyProc(result); | 1980 verify_proc_ = new MockCertVerifyProc(result); |
| 1875 | 1981 |
| 1876 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1982 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 1877 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1983 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 1878 | 1984 |
| 1879 int flags = 0; | 1985 int flags = 0; |
| 1880 CertVerifyResult verify_result; | 1986 CertVerifyResult verify_result; |
| 1881 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1987 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1882 &verify_result); | 1988 &verify_result); |
| 1883 EXPECT_EQ(OK, error); | 1989 EXPECT_EQ(OK, error); |
| 1884 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); | 1990 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); |
| 1885 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); | 1991 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); |
| 1886 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); | 1992 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); |
| 1887 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, false, 1); | 1993 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, false, 1); |
| 1888 } | 1994 } |
| 1889 | 1995 |
| 1890 // Tests that CertVerifyProc records a histogram correctly when a | 1996 // Tests that CertVerifyProc records a histogram correctly when a |
| 1891 // certificate chaining to a private root contains the TLS feature | 1997 // certificate chaining to a private root contains the TLS feature |
| 1892 // extension and does have a stapled OCSP response. | 1998 // extension and does have a stapled OCSP response. |
| 1893 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) { | 1999 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) { |
| 1894 base::HistogramTester histograms; | 2000 base::HistogramTester histograms; |
| 1895 scoped_refptr<X509Certificate> cert( | 2001 scoped_refptr<X509Certificate> cert( |
| 1896 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 2002 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
| 2003 ASSERT_TRUE(cert); | |
| 1897 CertVerifyResult result; | 2004 CertVerifyResult result; |
| 1898 result.is_issued_by_known_root = false; | 2005 result.is_issued_by_known_root = false; |
| 1899 result.verified_cert = cert; | |
| 1900 verify_proc_ = new MockCertVerifyProc(result); | 2006 verify_proc_ = new MockCertVerifyProc(result); |
| 1901 | 2007 |
| 1902 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2008 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 1903 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2009 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 1904 | 2010 |
| 1905 int flags = 0; | 2011 int flags = 0; |
| 1906 CertVerifyResult verify_result; | 2012 CertVerifyResult verify_result; |
| 1907 int error = | 2013 int error = |
| 1908 VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags, | 2014 VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags, |
| 1909 NULL, empty_cert_list_, &verify_result); | 2015 NULL, empty_cert_list_, &verify_result); |
| 1910 EXPECT_EQ(OK, error); | 2016 EXPECT_EQ(OK, error); |
| 1911 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); | 2017 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); |
| 1912 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); | 2018 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); |
| 1913 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); | 2019 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); |
| 1914 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, true, 1); | 2020 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, true, 1); |
| 1915 } | 2021 } |
| 1916 | 2022 |
| 1917 // Tests that CertVerifyProc records a histogram correctly when a | 2023 // Tests that CertVerifyProc records a histogram correctly when a |
| 1918 // certificate chaining to a private root does not contain the TLS feature | 2024 // certificate chaining to a private root does not contain the TLS feature |
| 1919 // extension. | 2025 // extension. |
| 1920 TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) { | 2026 TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) { |
| 1921 base::HistogramTester histograms; | 2027 base::HistogramTester histograms; |
| 1922 scoped_refptr<X509Certificate> cert( | 2028 scoped_refptr<X509Certificate> cert( |
| 1923 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | 2029 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); |
| 2030 ASSERT_TRUE(cert); | |
| 1924 CertVerifyResult result; | 2031 CertVerifyResult result; |
| 1925 result.is_issued_by_known_root = false; | 2032 result.is_issued_by_known_root = false; |
| 1926 result.verified_cert = cert; | |
| 1927 verify_proc_ = new MockCertVerifyProc(result); | 2033 verify_proc_ = new MockCertVerifyProc(result); |
| 1928 | 2034 |
| 1929 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2035 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 1930 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2036 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 1931 | 2037 |
| 1932 int flags = 0; | 2038 int flags = 0; |
| 1933 CertVerifyResult verify_result; | 2039 CertVerifyResult verify_result; |
| 1934 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 2040 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1935 &verify_result); | 2041 &verify_result); |
| 1936 EXPECT_EQ(OK, error); | 2042 EXPECT_EQ(OK, error); |
| 1937 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); | 2043 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); |
| 1938 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1); | 2044 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1); |
| 1939 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2045 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 1940 } | 2046 } |
| 1941 | 2047 |
| 1942 // Tests that CertVerifyProc does not record a histogram when a | 2048 // Tests that CertVerifyProc does not record a histogram when a |
| 1943 // certificate contains the TLS feature extension but chains to a public | 2049 // certificate contains the TLS feature extension but chains to a public |
| 1944 // root. | 2050 // root. |
| 1945 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) { | 2051 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) { |
| 1946 base::HistogramTester histograms; | 2052 base::HistogramTester histograms; |
| 1947 scoped_refptr<X509Certificate> cert( | 2053 scoped_refptr<X509Certificate> cert( |
| 1948 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 2054 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
| 2055 ASSERT_TRUE(cert); | |
| 1949 CertVerifyResult result; | 2056 CertVerifyResult result; |
| 1950 result.is_issued_by_known_root = true; | 2057 result.is_issued_by_known_root = true; |
| 1951 result.verified_cert = cert; | |
| 1952 verify_proc_ = new MockCertVerifyProc(result); | 2058 verify_proc_ = new MockCertVerifyProc(result); |
| 1953 | 2059 |
| 1954 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2060 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 1955 | 2061 |
| 1956 int flags = 0; | 2062 int flags = 0; |
| 1957 CertVerifyResult verify_result; | 2063 CertVerifyResult verify_result; |
| 1958 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 2064 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1959 &verify_result); | 2065 &verify_result); |
| 1960 EXPECT_EQ(OK, error); | 2066 EXPECT_EQ(OK, error); |
| 1961 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2067 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 1962 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2068 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 1963 } | 2069 } |
| 1964 | 2070 |
| 1965 } // namespace net | 2071 } // namespace net |
| OLD | NEW |
