| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 875 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 886 EXPECT_THAT(error, IsOk()); | 886 EXPECT_THAT(error, IsOk()); |
| 887 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 887 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 888 } | 888 } |
| 889 | 889 |
| 890 // While all SHA-1 certificates should be rejected, in the event that there | 890 // While all SHA-1 certificates should be rejected, in the event that there |
| 891 // emerges some unexpected bug, test that the 'legacy' behaviour works | 891 // emerges some unexpected bug, test that the 'legacy' behaviour works |
| 892 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs | 892 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs |
| 893 // that were issued after 1 January 2016, while still allowing those from | 893 // that were issued after 1 January 2016, while still allowing those from |
| 894 // before that date, with SHA-1 in the intermediate, or from an enterprise | 894 // before that date, with SHA-1 in the intermediate, or from an enterprise |
| 895 // CA. | 895 // CA. |
| 896 // | |
| 897 // TODO(rsleevi): This code should be removed in M57. | |
| 898 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) { | 896 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) { |
| 899 base::test::ScopedFeatureList scoped_feature_list; | 897 base::test::ScopedFeatureList scoped_feature_list; |
| 900 scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode); | 898 scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode); |
| 901 | 899 |
| 902 CertVerifyResult dummy_result; | 900 CertVerifyResult dummy_result; |
| 903 CertVerifyResult verify_result; | 901 CertVerifyResult verify_result; |
| 904 int error = 0; | 902 int error = 0; |
| 905 scoped_refptr<X509Certificate> cert; | 903 scoped_refptr<X509Certificate> cert; |
| 906 | 904 |
| 907 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 | 905 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 |
| (...skipping 24 matching lines...) Expand all Loading... |
| 932 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), | 930 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 933 "sha1_jan_2016.pem", | 931 "sha1_jan_2016.pem", |
| 934 X509Certificate::FORMAT_AUTO); | 932 X509Certificate::FORMAT_AUTO); |
| 935 ASSERT_TRUE(cert); | 933 ASSERT_TRUE(cert); |
| 936 error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, | 934 error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, |
| 937 &verify_result); | 935 &verify_result); |
| 938 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | 936 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 939 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | 937 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
| 940 | 938 |
| 941 // Enterprise issued SHA-1 leaf certificates issued on/after 1 January 2016 | 939 // Enterprise issued SHA-1 leaf certificates issued on/after 1 January 2016 |
| 942 // remain accepted until SHA-1 is disabled. | 940 // remain blocked unless explicitly enabled. |
| 943 verify_result.Reset(); | 941 verify_result.Reset(); |
| 944 dummy_result.Reset(); | 942 dummy_result.Reset(); |
| 945 dummy_result.is_issued_by_known_root = false; | 943 dummy_result.is_issued_by_known_root = false; |
| 946 dummy_result.has_sha1 = true; | 944 dummy_result.has_sha1 = true; |
| 947 dummy_result.has_sha1_leaf = true; | 945 dummy_result.has_sha1_leaf = true; |
| 948 verify_proc_ = new MockCertVerifyProc(dummy_result); | 946 verify_proc_ = new MockCertVerifyProc(dummy_result); |
| 949 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), | 947 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 950 "sha1_jan_2016.pem", | 948 "sha1_jan_2016.pem", |
| 951 X509Certificate::FORMAT_AUTO); | 949 X509Certificate::FORMAT_AUTO); |
| 952 ASSERT_TRUE(cert); | 950 ASSERT_TRUE(cert); |
| 953 error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, | 951 error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, |
| 954 &verify_result); | 952 &verify_result); |
| 953 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 954 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
| 955 |
| 956 verify_result.Reset(); |
| 957 dummy_result.Reset(); |
| 958 dummy_result.is_issued_by_known_root = false; |
| 959 dummy_result.has_sha1 = true; |
| 960 dummy_result.has_sha1_leaf = true; |
| 961 verify_proc_ = new MockCertVerifyProc(dummy_result); |
| 962 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 963 "sha1_jan_2016.pem", |
| 964 X509Certificate::FORMAT_AUTO); |
| 965 ASSERT_TRUE(cert); |
| 966 error = Verify(cert.get(), "127.0.0.1", |
| 967 CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS, NULL, |
| 968 empty_cert_list_, &verify_result); |
| 955 EXPECT_THAT(error, IsOk()); | 969 EXPECT_THAT(error, IsOk()); |
| 956 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | 970 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 957 | 971 |
| 958 // Publicly trusted SHA-1 intermediates issued on/after 1 January 2016 are, | 972 // Publicly trusted SHA-1 intermediates issued on/after 1 January 2016 are, |
| 959 // unfortunately, accepted. This can arise due to OS path building quirks. | 973 // unfortunately, accepted. This can arise due to OS path building quirks. |
| 960 verify_result.Reset(); | 974 verify_result.Reset(); |
| 961 dummy_result.Reset(); | 975 dummy_result.Reset(); |
| 962 dummy_result.is_issued_by_known_root = true; | 976 dummy_result.is_issued_by_known_root = true; |
| 963 dummy_result.has_sha1 = true; | 977 dummy_result.has_sha1 = true; |
| 964 dummy_result.has_sha1_leaf = false; | 978 dummy_result.has_sha1_leaf = false; |
| (...skipping 247 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1212 "127.0.0.1", | 1226 "127.0.0.1", |
| 1213 flags, | 1227 flags, |
| 1214 crl_set.get(), | 1228 crl_set.get(), |
| 1215 empty_cert_list_, | 1229 empty_cert_list_, |
| 1216 &verify_result); | 1230 &verify_result); |
| 1217 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); | 1231 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); |
| 1218 } | 1232 } |
| 1219 | 1233 |
| 1220 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) { | 1234 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) { |
| 1221 CertificateList ca_cert_list = | 1235 CertificateList ca_cert_list = |
| 1222 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1236 CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", |
| 1223 "quic_root.crt", | |
| 1224 X509Certificate::FORMAT_AUTO); | 1237 X509Certificate::FORMAT_AUTO); |
| 1225 ASSERT_EQ(1U, ca_cert_list.size()); | 1238 ASSERT_EQ(1U, ca_cert_list.size()); |
| 1226 ScopedTestRoot test_root(ca_cert_list[0].get()); | 1239 ScopedTestRoot test_root(ca_cert_list[0].get()); |
| 1227 | 1240 |
| 1228 CertificateList intermediate_cert_list = | 1241 CertificateList intermediate_cert_list = CreateCertificateListFromFile( |
| 1229 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1242 GetTestCertsDirectory(), "intermediate_ca_cert.pem", |
| 1230 "quic_intermediate.crt", | 1243 X509Certificate::FORMAT_AUTO); |
| 1231 X509Certificate::FORMAT_AUTO); | |
| 1232 ASSERT_EQ(1U, intermediate_cert_list.size()); | 1244 ASSERT_EQ(1U, intermediate_cert_list.size()); |
| 1233 X509Certificate::OSCertHandles intermediates; | 1245 X509Certificate::OSCertHandles intermediates; |
| 1234 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle()); | 1246 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle()); |
| 1235 | 1247 |
| 1236 CertificateList cert_list = CreateCertificateListFromFile( | 1248 CertificateList cert_list = CreateCertificateListFromFile( |
| 1237 GetTestCertsDirectory(), "quic_test.example.com.crt", | 1249 GetTestCertsDirectory(), "ok_cert_by_intermediate.pem", |
| 1238 X509Certificate::FORMAT_AUTO); | 1250 X509Certificate::FORMAT_AUTO); |
| 1239 ASSERT_EQ(1U, cert_list.size()); | 1251 ASSERT_EQ(1U, cert_list.size()); |
| 1240 | 1252 |
| 1241 scoped_refptr<X509Certificate> leaf = | 1253 scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle( |
| 1242 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), | 1254 cert_list[0]->os_cert_handle(), intermediates); |
| 1243 intermediates); | 1255 ASSERT_TRUE(leaf); |
| 1244 | 1256 |
| 1245 int flags = 0; | 1257 int flags = 0; |
| 1246 CertVerifyResult verify_result; | 1258 CertVerifyResult verify_result; |
| 1247 int error = Verify(leaf.get(), | 1259 int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1248 "test.example.com", | |
| 1249 flags, | |
| 1250 NULL, | |
| 1251 empty_cert_list_, | |
| 1252 &verify_result); | 1260 &verify_result); |
| 1253 EXPECT_THAT(error, IsOk()); | 1261 EXPECT_THAT(error, IsOk()); |
| 1254 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
| 1255 | 1262 |
| 1256 // Test revocation by serial number of a certificate not under the root. | 1263 // Test revocation by serial number of a certificate not under the root. |
| 1257 scoped_refptr<CRLSet> crl_set; | 1264 scoped_refptr<CRLSet> crl_set; |
| 1258 std::string crl_set_bytes; | 1265 std::string crl_set_bytes; |
| 1259 ASSERT_TRUE(base::ReadFileToString( | 1266 ASSERT_TRUE(base::ReadFileToString( |
| 1260 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), | 1267 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), |
| 1261 &crl_set_bytes)); | 1268 &crl_set_bytes)); |
| 1262 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); | 1269 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); |
| 1263 | 1270 |
| 1264 error = Verify(leaf.get(), | 1271 error = Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(), |
| 1265 "test.example.com", | 1272 empty_cert_list_, &verify_result); |
| 1266 flags, | |
| 1267 crl_set.get(), | |
| 1268 empty_cert_list_, | |
| 1269 &verify_result); | |
| 1270 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); | 1273 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); |
| 1271 } | 1274 } |
| 1272 | 1275 |
| 1273 // Tests that CRLSets participate in path building functions, and that as | 1276 // Tests that CRLSets participate in path building functions, and that as |
| 1274 // long as a valid path exists within the verification graph, verification | 1277 // long as a valid path exists within the verification graph, verification |
| 1275 // succeeds. | 1278 // succeeds. |
| 1276 // | 1279 // |
| 1277 // In this test, there are two roots (D and E), and three possible paths | 1280 // In this test, there are two roots (D and E), and three possible paths |
| 1278 // to validate a leaf (A): | 1281 // to validate a leaf (A): |
| 1279 // 1. A(B) -> B(C) -> C(D) -> D(D) | 1282 // 1. A(B) -> B(C) -> C(D) -> D(D) |
| (...skipping 360 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1640 if (AreSHA1IntermediatesAllowed()) { | 1643 if (AreSHA1IntermediatesAllowed()) { |
| 1641 EXPECT_THAT(error, IsOk()); | 1644 EXPECT_THAT(error, IsOk()); |
| 1642 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | 1645 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 1643 } else { | 1646 } else { |
| 1644 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | 1647 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 1645 EXPECT_TRUE(verify_result.cert_status & | 1648 EXPECT_TRUE(verify_result.cert_status & |
| 1646 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | 1649 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
| 1647 } | 1650 } |
| 1648 } | 1651 } |
| 1649 | 1652 |
| 1650 TEST_F(CertVerifyProcTest, AcceptsPrivateSHA1) { | 1653 TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) { |
| 1651 scoped_refptr<X509Certificate> cert( | 1654 scoped_refptr<X509Certificate> cert( |
| 1652 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | 1655 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); |
| 1653 ASSERT_TRUE(cert); | 1656 ASSERT_TRUE(cert); |
| 1654 | 1657 |
| 1655 CertVerifyResult result; | 1658 CertVerifyResult result; |
| 1656 result.has_sha1 = true; | 1659 result.has_sha1 = true; |
| 1657 result.has_sha1_leaf = true; | 1660 result.has_sha1_leaf = true; |
| 1658 result.is_issued_by_known_root = false; | 1661 result.is_issued_by_known_root = false; |
| 1659 verify_proc_ = new MockCertVerifyProc(result); | 1662 verify_proc_ = new MockCertVerifyProc(result); |
| 1660 | 1663 |
| 1664 // SHA-1 should be rejected by default for private roots... |
| 1661 int flags = 0; | 1665 int flags = 0; |
| 1662 CertVerifyResult verify_result; | 1666 CertVerifyResult verify_result; |
| 1663 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | 1667 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, |
| 1664 empty_cert_list_, &verify_result); | 1668 empty_cert_list_, &verify_result); |
| 1669 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 1670 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 1671 |
| 1672 // ... unless VERIFY_ENABLE_SHA1_LOCAL_ANCHORS was supplied. |
| 1673 flags = CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS; |
| 1674 verify_result.Reset(); |
| 1675 error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, |
| 1676 empty_cert_list_, &verify_result); |
| 1665 EXPECT_THAT(error, IsOk()); | 1677 EXPECT_THAT(error, IsOk()); |
| 1666 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | 1678 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 1667 } | 1679 } |
| 1668 | 1680 |
| 1669 enum ExpectedAlgorithms { | 1681 enum ExpectedAlgorithms { |
| 1670 EXPECT_MD2 = 1 << 0, | 1682 EXPECT_MD2 = 1 << 0, |
| 1671 EXPECT_MD4 = 1 << 1, | 1683 EXPECT_MD4 = 1 << 1, |
| 1672 EXPECT_MD5 = 1 << 2, | 1684 EXPECT_MD5 = 1 << 2, |
| 1673 EXPECT_SHA1 = 1 << 3, | 1685 EXPECT_SHA1 = 1 << 3, |
| 1674 EXPECT_SHA1_LEAF = 1 << 4, | 1686 EXPECT_SHA1_LEAF = 1 << 4, |
| (...skipping 401 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2076 int flags = 0; | 2088 int flags = 0; |
| 2077 CertVerifyResult verify_result; | 2089 CertVerifyResult verify_result; |
| 2078 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 2090 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 2079 &verify_result); | 2091 &verify_result); |
| 2080 EXPECT_EQ(OK, error); | 2092 EXPECT_EQ(OK, error); |
| 2081 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2093 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 2082 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2094 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 2083 } | 2095 } |
| 2084 | 2096 |
| 2085 } // namespace net | 2097 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2560343002:
Disable SHA-1 for Enterprise Certs (Closed)
