| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| 11 #include "base/files/file_util.h" | 11 #include "base/files/file_util.h" |
| 12 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/macros.h" | 13 #include "base/macros.h" |
| 14 #include "base/sha1.h" | 14 #include "base/sha1.h" |
| 15 #include "base/strings/string_number_conversions.h" | 15 #include "base/strings/string_number_conversions.h" |
| 16 #include "base/test/histogram_tester.h" | 16 #include "base/test/histogram_tester.h" |
| 17 #include "base/test/scoped_feature_list.h" | |
| 18 #include "build/build_config.h" | 17 #include "build/build_config.h" |
| 19 #include "crypto/sha2.h" | 18 #include "crypto/sha2.h" |
| 20 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 21 #include "net/cert/asn1_util.h" | 20 #include "net/cert/asn1_util.h" |
| 22 #include "net/cert/cert_status_flags.h" | 21 #include "net/cert/cert_status_flags.h" |
| 23 #include "net/cert/cert_verifier.h" | 22 #include "net/cert/cert_verifier.h" |
| 24 #include "net/cert/cert_verify_result.h" | 23 #include "net/cert/cert_verify_result.h" |
| 25 #include "net/cert/crl_set.h" | 24 #include "net/cert/crl_set.h" |
| 26 #include "net/cert/crl_set_storage.h" | 25 #include "net/cert/crl_set_storage.h" |
| 27 #include "net/cert/test_root_certs.h" | 26 #include "net/cert/test_root_certs.h" |
| 28 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
| 29 #include "net/test/cert_test_util.h" | 28 #include "net/test/cert_test_util.h" |
| 30 #include "net/test/gtest_util.h" | 29 #include "net/test/gtest_util.h" |
| 31 #include "net/test/test_certificate_data.h" | 30 #include "net/test/test_certificate_data.h" |
| 32 #include "net/test/test_data_directory.h" | 31 #include "net/test/test_data_directory.h" |
| 33 #include "testing/gmock/include/gmock/gmock.h" | 32 #include "testing/gmock/include/gmock/gmock.h" |
| 34 #include "testing/gtest/include/gtest/gtest.h" | 33 #include "testing/gtest/include/gtest/gtest.h" |
| 35 | 34 |
| 36 #if defined(OS_ANDROID) | 35 #if defined(OS_ANDROID) |
| 37 #include "base/android/build_info.h" | 36 #include "base/android/build_info.h" |
| 38 #endif | 37 #endif |
| 39 | 38 |
| 40 #if defined(OS_MACOSX) && !defined(OS_IOS) | 39 #if defined(OS_MACOSX) && !defined(OS_IOS) |
| 41 #include "net/cert/test_keychain_search_list_mac.h" | 40 #include "net/cert/test_keychain_search_list_mac.h" |
| 42 #endif | 41 #endif |
| 43 | 42 |
| 44 #if defined(OS_WIN) | |
| 45 #include "base/win/windows_version.h" | |
| 46 #endif | |
| 47 | |
| 48 using net::test::IsError; | 43 using net::test::IsError; |
| 49 using net::test::IsOk; | 44 using net::test::IsOk; |
| 50 | 45 |
| 51 using base::HexEncode; | 46 using base::HexEncode; |
| 52 | 47 |
| 53 namespace net { | 48 namespace net { |
| 54 | 49 |
| 55 namespace { | 50 namespace { |
| 56 | 51 |
| 57 const char kTLSFeatureExtensionHistogram[] = | 52 const char kTLSFeatureExtensionHistogram[] = |
| (...skipping 811 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 869 // However, if the CA is not well known, these should not be flagged: | 864 // However, if the CA is not well known, these should not be flagged: |
| 870 dummy_result.Reset(); | 865 dummy_result.Reset(); |
| 871 dummy_result.is_issued_by_known_root = false; | 866 dummy_result.is_issued_by_known_root = false; |
| 872 verify_proc_ = new MockCertVerifyProc(dummy_result); | 867 verify_proc_ = new MockCertVerifyProc(dummy_result); |
| 873 error = | 868 error = |
| 874 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); | 869 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); |
| 875 EXPECT_THAT(error, IsOk()); | 870 EXPECT_THAT(error, IsOk()); |
| 876 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 871 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 877 } | 872 } |
| 878 | 873 |
| 879 // While all SHA-1 certificates should be rejected, in the event that there | 874 // Test that a SHA-1 certificate from a publicly trusted CA issued after |
| 880 // emerges some unexpected bug, test that the 'legacy' behaviour works | 875 // 1 January 2016 is rejected, but those issued before that date, or with |
| 881 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs | 876 // SHA-1 in the intermediate, is not rejected. |
| 882 // that were issued after 1 January 2016, while still allowing those from | 877 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecation) { |
| 883 // before that date, with SHA-1 in the intermediate, or from an enterprise | |
| 884 // CA. | |
| 885 // | |
| 886 // TODO(rsleevi): This code should be removed in M57. | |
| 887 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) { | |
| 888 base::test::ScopedFeatureList scoped_feature_list; | |
| 889 scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode); | |
| 890 | |
| 891 CertVerifyResult dummy_result; | 878 CertVerifyResult dummy_result; |
| 892 CertVerifyResult verify_result; | 879 CertVerifyResult verify_result; |
| 893 int error = 0; | 880 int error = 0; |
| 894 scoped_refptr<X509Certificate> cert; | 881 scoped_refptr<X509Certificate> cert; |
| 895 | 882 |
| 896 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 | 883 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 |
| 897 // are accepted. | 884 // are accepted. |
| 898 verify_result.Reset(); | 885 verify_result.Reset(); |
| 899 dummy_result.Reset(); | 886 dummy_result.Reset(); |
| 900 dummy_result.is_issued_by_known_root = true; | 887 dummy_result.is_issued_by_known_root = true; |
| (...skipping 617 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1518 "/System/Library/Keychains/SystemRootCertificates.keychain"; | 1505 "/System/Library/Keychains/SystemRootCertificates.keychain"; |
| 1519 ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path))); | 1506 ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path))); |
| 1520 | 1507 |
| 1521 SecKeychainRef keychain; | 1508 SecKeychainRef keychain; |
| 1522 OSStatus status = SecKeychainOpen(root_keychain_path, &keychain); | 1509 OSStatus status = SecKeychainOpen(root_keychain_path, &keychain); |
| 1523 ASSERT_EQ(errSecSuccess, status); | 1510 ASSERT_EQ(errSecSuccess, status); |
| 1524 CFRelease(keychain); | 1511 CFRelease(keychain); |
| 1525 } | 1512 } |
| 1526 #endif | 1513 #endif |
| 1527 | 1514 |
| 1528 bool AreSHA1IntermediatesAllowed() { | |
| 1529 #if defined(OS_WIN) | |
| 1530 // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved | |
| 1531 // for Windows 7/2008 users. | |
| 1532 // Note: This must be kept in sync with cert_verify_proc.cc | |
| 1533 return base::win::GetVersion() >= base::win::VERSION_WIN8; | |
| 1534 #else | |
| 1535 return false; | |
| 1536 #endif | |
| 1537 } | |
| 1538 | |
| 1539 TEST_F(CertVerifyProcTest, RejectsMD2) { | |
| 1540 scoped_refptr<X509Certificate> cert( | |
| 1541 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1542 ASSERT_TRUE(cert); | |
| 1543 | |
| 1544 CertVerifyResult result; | |
| 1545 result.has_md2 = true; | |
| 1546 verify_proc_ = new MockCertVerifyProc(result); | |
| 1547 | |
| 1548 int flags = 0; | |
| 1549 CertVerifyResult verify_result; | |
| 1550 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1551 empty_cert_list_, &verify_result); | |
| 1552 EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); | |
| 1553 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | |
| 1554 } | |
| 1555 | |
| 1556 TEST_F(CertVerifyProcTest, RejectsMD4) { | |
| 1557 scoped_refptr<X509Certificate> cert( | |
| 1558 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1559 ASSERT_TRUE(cert); | |
| 1560 | |
| 1561 CertVerifyResult result; | |
| 1562 result.has_md4 = true; | |
| 1563 verify_proc_ = new MockCertVerifyProc(result); | |
| 1564 | |
| 1565 int flags = 0; | |
| 1566 CertVerifyResult verify_result; | |
| 1567 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1568 empty_cert_list_, &verify_result); | |
| 1569 EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); | |
| 1570 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | |
| 1571 } | |
| 1572 | |
| 1573 TEST_F(CertVerifyProcTest, RejectsMD5) { | |
| 1574 scoped_refptr<X509Certificate> cert( | |
| 1575 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1576 ASSERT_TRUE(cert); | |
| 1577 | |
| 1578 CertVerifyResult result; | |
| 1579 result.has_md5 = true; | |
| 1580 verify_proc_ = new MockCertVerifyProc(result); | |
| 1581 | |
| 1582 int flags = 0; | |
| 1583 CertVerifyResult verify_result; | |
| 1584 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1585 empty_cert_list_, &verify_result); | |
| 1586 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
| 1587 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | |
| 1588 } | |
| 1589 | |
| 1590 TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) { | |
| 1591 scoped_refptr<X509Certificate> cert( | |
| 1592 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1593 ASSERT_TRUE(cert); | |
| 1594 | |
| 1595 CertVerifyResult result; | |
| 1596 result.has_sha1 = true; | |
| 1597 result.has_sha1_leaf = true; | |
| 1598 result.is_issued_by_known_root = true; | |
| 1599 verify_proc_ = new MockCertVerifyProc(result); | |
| 1600 | |
| 1601 int flags = 0; | |
| 1602 CertVerifyResult verify_result; | |
| 1603 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1604 empty_cert_list_, &verify_result); | |
| 1605 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
| 1606 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | |
| 1607 } | |
| 1608 | |
| 1609 TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) { | |
| 1610 scoped_refptr<X509Certificate> cert( | |
| 1611 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1612 ASSERT_TRUE(cert); | |
| 1613 | |
| 1614 CertVerifyResult result; | |
| 1615 result.has_sha1 = true; | |
| 1616 result.has_sha1_leaf = false; | |
| 1617 result.is_issued_by_known_root = true; | |
| 1618 verify_proc_ = new MockCertVerifyProc(result); | |
| 1619 | |
| 1620 int flags = 0; | |
| 1621 CertVerifyResult verify_result; | |
| 1622 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1623 empty_cert_list_, &verify_result); | |
| 1624 if (AreSHA1IntermediatesAllowed()) { | |
| 1625 EXPECT_THAT(error, IsOk()); | |
| 1626 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | |
| 1627 } else { | |
| 1628 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
| 1629 EXPECT_TRUE(verify_result.cert_status & | |
| 1630 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | |
| 1631 } | |
| 1632 } | |
| 1633 | |
| 1634 TEST_F(CertVerifyProcTest, AcceptsPrivateSHA1) { | |
| 1635 scoped_refptr<X509Certificate> cert( | |
| 1636 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | |
| 1637 ASSERT_TRUE(cert); | |
| 1638 | |
| 1639 CertVerifyResult result; | |
| 1640 result.has_sha1 = true; | |
| 1641 result.has_sha1_leaf = true; | |
| 1642 result.is_issued_by_known_root = false; | |
| 1643 verify_proc_ = new MockCertVerifyProc(result); | |
| 1644 | |
| 1645 int flags = 0; | |
| 1646 CertVerifyResult verify_result; | |
| 1647 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | |
| 1648 empty_cert_list_, &verify_result); | |
| 1649 EXPECT_THAT(error, IsOk()); | |
| 1650 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | |
| 1651 } | |
| 1652 | |
| 1653 enum ExpectedAlgorithms { | 1515 enum ExpectedAlgorithms { |
| 1654 EXPECT_MD2 = 1 << 0, | 1516 EXPECT_MD2 = 1 << 0, |
| 1655 EXPECT_MD4 = 1 << 1, | 1517 EXPECT_MD4 = 1 << 1, |
| 1656 EXPECT_MD5 = 1 << 2, | 1518 EXPECT_MD5 = 1 << 2, |
| 1657 EXPECT_SHA1 = 1 << 3, | 1519 EXPECT_SHA1 = 1 << 3, |
| 1658 EXPECT_SHA1_LEAF = 1 << 4, | 1520 EXPECT_SHA1_LEAF = 1 << 4, |
| 1659 }; | 1521 }; |
| 1660 | 1522 |
| 1661 struct WeakDigestTestData { | 1523 struct WeakDigestTestData { |
| 1662 const char* root_cert_filename; | 1524 const char* root_cert_filename; |
| (...skipping 14 matching lines...) Expand all Loading... |
| 1677 } | 1539 } |
| 1678 | 1540 |
| 1679 class CertVerifyProcWeakDigestTest | 1541 class CertVerifyProcWeakDigestTest |
| 1680 : public CertVerifyProcTest, | 1542 : public CertVerifyProcTest, |
| 1681 public testing::WithParamInterface<WeakDigestTestData> { | 1543 public testing::WithParamInterface<WeakDigestTestData> { |
| 1682 public: | 1544 public: |
| 1683 CertVerifyProcWeakDigestTest() {} | 1545 CertVerifyProcWeakDigestTest() {} |
| 1684 virtual ~CertVerifyProcWeakDigestTest() {} | 1546 virtual ~CertVerifyProcWeakDigestTest() {} |
| 1685 }; | 1547 }; |
| 1686 | 1548 |
| 1687 // Test that the underlying cryptographic library properly surfaces the | 1549 TEST_P(CertVerifyProcWeakDigestTest, Verify) { |
| 1688 // algorithms used in the chain. Some libraries, like NSS, don't return | |
| 1689 // the failing chain on error, and thus not all tests can be run. | |
| 1690 TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) { | |
| 1691 WeakDigestTestData data = GetParam(); | 1550 WeakDigestTestData data = GetParam(); |
| 1692 base::FilePath certs_dir = GetTestCertsDirectory(); | 1551 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 1693 | 1552 |
| 1694 ScopedTestRoot test_root; | 1553 ScopedTestRoot test_root; |
| 1695 if (data.root_cert_filename) { | 1554 if (data.root_cert_filename) { |
| 1696 scoped_refptr<X509Certificate> root_cert = | 1555 scoped_refptr<X509Certificate> root_cert = |
| 1697 ImportCertFromFile(certs_dir, data.root_cert_filename); | 1556 ImportCertFromFile(certs_dir, data.root_cert_filename); |
| 1698 ASSERT_TRUE(root_cert); | 1557 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); |
| 1699 test_root.Reset(root_cert.get()); | 1558 test_root.Reset(root_cert.get()); |
| 1700 } | 1559 } |
| 1701 | 1560 |
| 1702 scoped_refptr<X509Certificate> intermediate_cert = | 1561 scoped_refptr<X509Certificate> intermediate_cert = |
| 1703 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); | 1562 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); |
| 1704 ASSERT_TRUE(intermediate_cert); | 1563 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get()); |
| 1705 scoped_refptr<X509Certificate> ee_cert = | 1564 scoped_refptr<X509Certificate> ee_cert = |
| 1706 ImportCertFromFile(certs_dir, data.ee_cert_filename); | 1565 ImportCertFromFile(certs_dir, data.ee_cert_filename); |
| 1707 ASSERT_TRUE(ee_cert); | 1566 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert.get()); |
| 1708 | 1567 |
| 1709 X509Certificate::OSCertHandles intermediates; | 1568 X509Certificate::OSCertHandles intermediates; |
| 1710 intermediates.push_back(intermediate_cert->os_cert_handle()); | 1569 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 1711 | 1570 |
| 1712 scoped_refptr<X509Certificate> ee_chain = | 1571 scoped_refptr<X509Certificate> ee_chain = |
| 1713 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 1572 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
| 1714 intermediates); | 1573 intermediates); |
| 1715 ASSERT_TRUE(ee_chain); | 1574 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain.get()); |
| 1716 | 1575 |
| 1717 int flags = 0; | 1576 int flags = 0; |
| 1718 CertVerifyResult verify_result; | 1577 CertVerifyResult verify_result; |
| 1719 Verify(ee_chain.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1578 int rv = Verify(ee_chain.get(), |
| 1720 &verify_result); | 1579 "127.0.0.1", |
| 1580 flags, |
| 1581 NULL, |
| 1582 empty_cert_list_, |
| 1583 &verify_result); |
| 1721 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2); | 1584 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2); |
| 1722 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4); | 1585 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4); |
| 1723 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5); | 1586 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5); |
| 1724 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1); | 1587 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1); |
| 1725 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1_LEAF), | 1588 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1_LEAF), |
| 1726 verify_result.has_sha1_leaf); | 1589 verify_result.has_sha1_leaf); |
| 1590 |
| 1591 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
| 1592 |
| 1593 // Ensure that MD4 and MD2 are tagged as invalid. |
| 1594 if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) { |
| 1595 EXPECT_EQ(CERT_STATUS_INVALID, |
| 1596 verify_result.cert_status & CERT_STATUS_INVALID); |
| 1597 } |
| 1598 |
| 1599 // Ensure that MD5 is flagged as weak. |
| 1600 if (data.expected_algorithms & EXPECT_MD5) { |
| 1601 EXPECT_EQ( |
| 1602 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, |
| 1603 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
| 1604 } |
| 1605 |
| 1606 // If a root cert is present, then check that the chain was rejected if any |
| 1607 // weak algorithms are present. This is only checked when a root cert is |
| 1608 // present because the error reported for incomplete chains with weak |
| 1609 // algorithms depends on which implementation was used to validate (NSS, |
| 1610 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm |
| 1611 // present (MD2, MD4, MD5). |
| 1612 if (data.root_cert_filename) { |
| 1613 if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) { |
| 1614 EXPECT_THAT(rv, IsError(ERR_CERT_INVALID)); |
| 1615 } else if (data.expected_algorithms & EXPECT_MD5) { |
| 1616 EXPECT_THAT(rv, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 1617 } else { |
| 1618 EXPECT_THAT(rv, IsOk()); |
| 1619 } |
| 1620 } |
| 1727 } | 1621 } |
| 1728 | 1622 |
| 1729 // Unlike TEST/TEST_F, which are macros that expand to further macros, | 1623 // Unlike TEST/TEST_F, which are macros that expand to further macros, |
| 1730 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that | 1624 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that |
| 1731 // stringizes the arguments. As a result, macros passed as parameters (such as | 1625 // stringizes the arguments. As a result, macros passed as parameters (such as |
| 1732 // prefix or test_case_name) will not be expanded by the preprocessor. To work | 1626 // prefix or test_case_name) will not be expanded by the preprocessor. To work |
| 1733 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the | 1627 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the |
| 1734 // pre-processor will expand macros such as MAYBE_test_name before | 1628 // pre-processor will expand macros such as MAYBE_test_name before |
| 1735 // instantiating the test. | 1629 // instantiating the test. |
| 1736 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ | 1630 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ |
| (...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1967 } | 1861 } |
| 1968 #endif // defined(OS_MACOSX) && !defined(OS_IOS) | 1862 #endif // defined(OS_MACOSX) && !defined(OS_IOS) |
| 1969 | 1863 |
| 1970 // Tests that CertVerifyProc records a histogram correctly when a | 1864 // Tests that CertVerifyProc records a histogram correctly when a |
| 1971 // certificate chaining to a private root contains the TLS feature | 1865 // certificate chaining to a private root contains the TLS feature |
| 1972 // extension and does not have a stapled OCSP response. | 1866 // extension and does not have a stapled OCSP response. |
| 1973 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { | 1867 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { |
| 1974 base::HistogramTester histograms; | 1868 base::HistogramTester histograms; |
| 1975 scoped_refptr<X509Certificate> cert( | 1869 scoped_refptr<X509Certificate> cert( |
| 1976 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1870 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
| 1977 ASSERT_TRUE(cert); | |
| 1978 CertVerifyResult result; | 1871 CertVerifyResult result; |
| 1979 result.is_issued_by_known_root = false; | 1872 result.is_issued_by_known_root = false; |
| 1873 result.verified_cert = cert; |
| 1980 verify_proc_ = new MockCertVerifyProc(result); | 1874 verify_proc_ = new MockCertVerifyProc(result); |
| 1981 | 1875 |
| 1982 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1876 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 1983 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1877 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 1984 | 1878 |
| 1985 int flags = 0; | 1879 int flags = 0; |
| 1986 CertVerifyResult verify_result; | 1880 CertVerifyResult verify_result; |
| 1987 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1881 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1988 &verify_result); | 1882 &verify_result); |
| 1989 EXPECT_EQ(OK, error); | 1883 EXPECT_EQ(OK, error); |
| 1990 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); | 1884 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); |
| 1991 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); | 1885 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); |
| 1992 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); | 1886 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); |
| 1993 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, false, 1); | 1887 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, false, 1); |
| 1994 } | 1888 } |
| 1995 | 1889 |
| 1996 // Tests that CertVerifyProc records a histogram correctly when a | 1890 // Tests that CertVerifyProc records a histogram correctly when a |
| 1997 // certificate chaining to a private root contains the TLS feature | 1891 // certificate chaining to a private root contains the TLS feature |
| 1998 // extension and does have a stapled OCSP response. | 1892 // extension and does have a stapled OCSP response. |
| 1999 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) { | 1893 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) { |
| 2000 base::HistogramTester histograms; | 1894 base::HistogramTester histograms; |
| 2001 scoped_refptr<X509Certificate> cert( | 1895 scoped_refptr<X509Certificate> cert( |
| 2002 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1896 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
| 2003 ASSERT_TRUE(cert); | |
| 2004 CertVerifyResult result; | 1897 CertVerifyResult result; |
| 2005 result.is_issued_by_known_root = false; | 1898 result.is_issued_by_known_root = false; |
| 1899 result.verified_cert = cert; |
| 2006 verify_proc_ = new MockCertVerifyProc(result); | 1900 verify_proc_ = new MockCertVerifyProc(result); |
| 2007 | 1901 |
| 2008 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1902 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 2009 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1903 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 2010 | 1904 |
| 2011 int flags = 0; | 1905 int flags = 0; |
| 2012 CertVerifyResult verify_result; | 1906 CertVerifyResult verify_result; |
| 2013 int error = | 1907 int error = |
| 2014 VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags, | 1908 VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags, |
| 2015 NULL, empty_cert_list_, &verify_result); | 1909 NULL, empty_cert_list_, &verify_result); |
| 2016 EXPECT_EQ(OK, error); | 1910 EXPECT_EQ(OK, error); |
| 2017 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); | 1911 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); |
| 2018 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); | 1912 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1); |
| 2019 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); | 1913 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1); |
| 2020 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, true, 1); | 1914 histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, true, 1); |
| 2021 } | 1915 } |
| 2022 | 1916 |
| 2023 // Tests that CertVerifyProc records a histogram correctly when a | 1917 // Tests that CertVerifyProc records a histogram correctly when a |
| 2024 // certificate chaining to a private root does not contain the TLS feature | 1918 // certificate chaining to a private root does not contain the TLS feature |
| 2025 // extension. | 1919 // extension. |
| 2026 TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) { | 1920 TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) { |
| 2027 base::HistogramTester histograms; | 1921 base::HistogramTester histograms; |
| 2028 scoped_refptr<X509Certificate> cert( | 1922 scoped_refptr<X509Certificate> cert( |
| 2029 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | 1923 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); |
| 2030 ASSERT_TRUE(cert); | |
| 2031 CertVerifyResult result; | 1924 CertVerifyResult result; |
| 2032 result.is_issued_by_known_root = false; | 1925 result.is_issued_by_known_root = false; |
| 1926 result.verified_cert = cert; |
| 2033 verify_proc_ = new MockCertVerifyProc(result); | 1927 verify_proc_ = new MockCertVerifyProc(result); |
| 2034 | 1928 |
| 2035 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1929 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 2036 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1930 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 2037 | 1931 |
| 2038 int flags = 0; | 1932 int flags = 0; |
| 2039 CertVerifyResult verify_result; | 1933 CertVerifyResult verify_result; |
| 2040 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1934 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 2041 &verify_result); | 1935 &verify_result); |
| 2042 EXPECT_EQ(OK, error); | 1936 EXPECT_EQ(OK, error); |
| 2043 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); | 1937 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1); |
| 2044 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1); | 1938 histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1); |
| 2045 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1939 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 2046 } | 1940 } |
| 2047 | 1941 |
| 2048 // Tests that CertVerifyProc does not record a histogram when a | 1942 // Tests that CertVerifyProc does not record a histogram when a |
| 2049 // certificate contains the TLS feature extension but chains to a public | 1943 // certificate contains the TLS feature extension but chains to a public |
| 2050 // root. | 1944 // root. |
| 2051 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) { | 1945 TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) { |
| 2052 base::HistogramTester histograms; | 1946 base::HistogramTester histograms; |
| 2053 scoped_refptr<X509Certificate> cert( | 1947 scoped_refptr<X509Certificate> cert( |
| 2054 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1948 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
| 2055 ASSERT_TRUE(cert); | |
| 2056 CertVerifyResult result; | 1949 CertVerifyResult result; |
| 2057 result.is_issued_by_known_root = true; | 1950 result.is_issued_by_known_root = true; |
| 1951 result.verified_cert = cert; |
| 2058 verify_proc_ = new MockCertVerifyProc(result); | 1952 verify_proc_ = new MockCertVerifyProc(result); |
| 2059 | 1953 |
| 2060 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1954 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 2061 | 1955 |
| 2062 int flags = 0; | 1956 int flags = 0; |
| 2063 CertVerifyResult verify_result; | 1957 CertVerifyResult verify_result; |
| 2064 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 1958 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 2065 &verify_result); | 1959 &verify_result); |
| 2066 EXPECT_EQ(OK, error); | 1960 EXPECT_EQ(OK, error); |
| 2067 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1961 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 2068 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1962 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 2069 } | 1963 } |
| 2070 | 1964 |
| 2071 } // namespace net | 1965 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2487063003:
Revert of Distrust publicly trusted SHA-1 certs (Closed)
