| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 875 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 886 EXPECT_THAT(error, IsOk()); | 886 EXPECT_THAT(error, IsOk()); |
| 887 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 887 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 888 } | 888 } |
| 889 | 889 |
| 890 // While all SHA-1 certificates should be rejected, in the event that there | 890 // While all SHA-1 certificates should be rejected, in the event that there |
| 891 // emerges some unexpected bug, test that the 'legacy' behaviour works | 891 // emerges some unexpected bug, test that the 'legacy' behaviour works |
| 892 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs | 892 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs |
| 893 // that were issued after 1 January 2016, while still allowing those from | 893 // that were issued after 1 January 2016, while still allowing those from |
| 894 // before that date, with SHA-1 in the intermediate, or from an enterprise | 894 // before that date, with SHA-1 in the intermediate, or from an enterprise |
| 895 // CA. | 895 // CA. |
| 896 // | |
| 897 // TODO(rsleevi): This code should be removed in M57. | |
| 898 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) { | 896 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) { |
| 899 base::test::ScopedFeatureList scoped_feature_list; | 897 base::test::ScopedFeatureList scoped_feature_list; |
| 900 scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode); | 898 scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode); |
| 901 | 899 |
| 902 CertVerifyResult dummy_result; | 900 CertVerifyResult dummy_result; |
| 903 CertVerifyResult verify_result; | 901 CertVerifyResult verify_result; |
| 904 int error = 0; | 902 int error = 0; |
| 905 scoped_refptr<X509Certificate> cert; | 903 scoped_refptr<X509Certificate> cert; |
| 906 | 904 |
| 907 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 | 905 // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016 |
| (...skipping 24 matching lines...) Expand all Loading... |
| 932 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), | 930 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 933 "sha1_jan_2016.pem", | 931 "sha1_jan_2016.pem", |
| 934 X509Certificate::FORMAT_AUTO); | 932 X509Certificate::FORMAT_AUTO); |
| 935 ASSERT_TRUE(cert); | 933 ASSERT_TRUE(cert); |
| 936 error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, | 934 error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, |
| 937 &verify_result); | 935 &verify_result); |
| 938 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | 936 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 939 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | 937 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
| 940 | 938 |
| 941 // Enterprise issued SHA-1 leaf certificates issued on/after 1 January 2016 | 939 // Enterprise issued SHA-1 leaf certificates issued on/after 1 January 2016 |
| 942 // remain accepted until SHA-1 is disabled. | 940 // remain accepted. |
| 943 verify_result.Reset(); | 941 verify_result.Reset(); |
| 944 dummy_result.Reset(); | 942 dummy_result.Reset(); |
| 945 dummy_result.is_issued_by_known_root = false; | 943 dummy_result.is_issued_by_known_root = false; |
| 946 dummy_result.has_sha1 = true; | 944 dummy_result.has_sha1 = true; |
| 947 dummy_result.has_sha1_leaf = true; | 945 dummy_result.has_sha1_leaf = true; |
| 948 verify_proc_ = new MockCertVerifyProc(dummy_result); | 946 verify_proc_ = new MockCertVerifyProc(dummy_result); |
| 949 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), | 947 cert = CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 950 "sha1_jan_2016.pem", | 948 "sha1_jan_2016.pem", |
| 951 X509Certificate::FORMAT_AUTO); | 949 X509Certificate::FORMAT_AUTO); |
| 952 ASSERT_TRUE(cert); | 950 ASSERT_TRUE(cert); |
| (...skipping 259 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1212 "127.0.0.1", | 1210 "127.0.0.1", |
| 1213 flags, | 1211 flags, |
| 1214 crl_set.get(), | 1212 crl_set.get(), |
| 1215 empty_cert_list_, | 1213 empty_cert_list_, |
| 1216 &verify_result); | 1214 &verify_result); |
| 1217 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); | 1215 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); |
| 1218 } | 1216 } |
| 1219 | 1217 |
| 1220 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) { | 1218 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) { |
| 1221 CertificateList ca_cert_list = | 1219 CertificateList ca_cert_list = |
| 1222 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1220 CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", |
| 1223 "quic_root.crt", | |
| 1224 X509Certificate::FORMAT_AUTO); | 1221 X509Certificate::FORMAT_AUTO); |
| 1225 ASSERT_EQ(1U, ca_cert_list.size()); | 1222 ASSERT_EQ(1U, ca_cert_list.size()); |
| 1226 ScopedTestRoot test_root(ca_cert_list[0].get()); | 1223 ScopedTestRoot test_root(ca_cert_list[0].get()); |
| 1227 | 1224 |
| 1228 CertificateList intermediate_cert_list = | 1225 CertificateList intermediate_cert_list = CreateCertificateListFromFile( |
| 1229 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1226 GetTestCertsDirectory(), "intermediate_ca_cert.pem", |
| 1230 "quic_intermediate.crt", | 1227 X509Certificate::FORMAT_AUTO); |
| 1231 X509Certificate::FORMAT_AUTO); | |
| 1232 ASSERT_EQ(1U, intermediate_cert_list.size()); | 1228 ASSERT_EQ(1U, intermediate_cert_list.size()); |
| 1233 X509Certificate::OSCertHandles intermediates; | 1229 X509Certificate::OSCertHandles intermediates; |
| 1234 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle()); | 1230 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle()); |
| 1235 | 1231 |
| 1236 CertificateList cert_list = CreateCertificateListFromFile( | 1232 CertificateList cert_list = CreateCertificateListFromFile( |
| 1237 GetTestCertsDirectory(), "quic_test.example.com.crt", | 1233 GetTestCertsDirectory(), "ok_cert_by_intermediate.pem", |
| 1238 X509Certificate::FORMAT_AUTO); | 1234 X509Certificate::FORMAT_AUTO); |
| 1239 ASSERT_EQ(1U, cert_list.size()); | 1235 ASSERT_EQ(1U, cert_list.size()); |
| 1240 | 1236 |
| 1241 scoped_refptr<X509Certificate> leaf = | 1237 scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle( |
| 1242 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), | 1238 cert_list[0]->os_cert_handle(), intermediates); |
| 1243 intermediates); | 1239 ASSERT_TRUE(leaf); |
| 1244 | 1240 |
| 1245 int flags = 0; | 1241 int flags = 0; |
| 1246 CertVerifyResult verify_result; | 1242 CertVerifyResult verify_result; |
| 1247 int error = Verify(leaf.get(), | 1243 int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 1248 "test.example.com", | |
| 1249 flags, | |
| 1250 NULL, | |
| 1251 empty_cert_list_, | |
| 1252 &verify_result); | 1244 &verify_result); |
| 1253 EXPECT_THAT(error, IsOk()); | 1245 EXPECT_THAT(error, IsOk()); |
| 1254 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
| 1255 | 1246 |
| 1256 // Test revocation by serial number of a certificate not under the root. | 1247 // Test revocation by serial number of a certificate not under the root. |
| 1257 scoped_refptr<CRLSet> crl_set; | 1248 scoped_refptr<CRLSet> crl_set; |
| 1258 std::string crl_set_bytes; | 1249 std::string crl_set_bytes; |
| 1259 ASSERT_TRUE(base::ReadFileToString( | 1250 ASSERT_TRUE(base::ReadFileToString( |
| 1260 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), | 1251 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), |
| 1261 &crl_set_bytes)); | 1252 &crl_set_bytes)); |
| 1262 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); | 1253 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); |
| 1263 | 1254 |
| 1264 error = Verify(leaf.get(), | 1255 error = Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(), |
| 1265 "test.example.com", | 1256 empty_cert_list_, &verify_result); |
| 1266 flags, | |
| 1267 crl_set.get(), | |
| 1268 empty_cert_list_, | |
| 1269 &verify_result); | |
| 1270 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); | 1257 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); |
| 1271 } | 1258 } |
| 1272 | 1259 |
| 1273 // Tests that CRLSets participate in path building functions, and that as | 1260 // Tests that CRLSets participate in path building functions, and that as |
| 1274 // long as a valid path exists within the verification graph, verification | 1261 // long as a valid path exists within the verification graph, verification |
| 1275 // succeeds. | 1262 // succeeds. |
| 1276 // | 1263 // |
| 1277 // In this test, there are two roots (D and E), and three possible paths | 1264 // In this test, there are two roots (D and E), and three possible paths |
| 1278 // to validate a leaf (A): | 1265 // to validate a leaf (A): |
| 1279 // 1. A(B) -> B(C) -> C(D) -> D(D) | 1266 // 1. A(B) -> B(C) -> C(D) -> D(D) |
| (...skipping 360 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1640 if (AreSHA1IntermediatesAllowed()) { | 1627 if (AreSHA1IntermediatesAllowed()) { |
| 1641 EXPECT_THAT(error, IsOk()); | 1628 EXPECT_THAT(error, IsOk()); |
| 1642 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | 1629 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 1643 } else { | 1630 } else { |
| 1644 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | 1631 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 1645 EXPECT_TRUE(verify_result.cert_status & | 1632 EXPECT_TRUE(verify_result.cert_status & |
| 1646 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); | 1633 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
| 1647 } | 1634 } |
| 1648 } | 1635 } |
| 1649 | 1636 |
| 1650 TEST_F(CertVerifyProcTest, AcceptsPrivateSHA1) { | 1637 TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) { |
| 1651 scoped_refptr<X509Certificate> cert( | 1638 scoped_refptr<X509Certificate> cert( |
| 1652 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); | 1639 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem")); |
| 1653 ASSERT_TRUE(cert); | 1640 ASSERT_TRUE(cert); |
| 1654 | 1641 |
| 1655 CertVerifyResult result; | 1642 CertVerifyResult result; |
| 1656 result.has_sha1 = true; | 1643 result.has_sha1 = true; |
| 1657 result.has_sha1_leaf = true; | 1644 result.has_sha1_leaf = true; |
| 1658 result.is_issued_by_known_root = false; | 1645 result.is_issued_by_known_root = false; |
| 1659 verify_proc_ = new MockCertVerifyProc(result); | 1646 verify_proc_ = new MockCertVerifyProc(result); |
| 1660 | 1647 |
| 1648 // SHA-1 should be rejected by default for private roots... |
| 1661 int flags = 0; | 1649 int flags = 0; |
| 1662 CertVerifyResult verify_result; | 1650 CertVerifyResult verify_result; |
| 1663 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, | 1651 int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, |
| 1664 empty_cert_list_, &verify_result); | 1652 empty_cert_list_, &verify_result); |
| 1653 EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); |
| 1654 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 1655 |
| 1656 // ... unless VERIFY_ENABLE_SHA1_LOCAL_ANCHORS was supplied. |
| 1657 flags = CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS; |
| 1658 verify_result.Reset(); |
| 1659 error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */, |
| 1660 empty_cert_list_, &verify_result); |
| 1665 EXPECT_THAT(error, IsOk()); | 1661 EXPECT_THAT(error, IsOk()); |
| 1666 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); | 1662 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 1667 } | 1663 } |
| 1668 | 1664 |
| 1669 enum ExpectedAlgorithms { | 1665 enum ExpectedAlgorithms { |
| 1670 EXPECT_MD2 = 1 << 0, | 1666 EXPECT_MD2 = 1 << 0, |
| 1671 EXPECT_MD4 = 1 << 1, | 1667 EXPECT_MD4 = 1 << 1, |
| 1672 EXPECT_MD5 = 1 << 2, | 1668 EXPECT_MD5 = 1 << 2, |
| 1673 EXPECT_SHA1 = 1 << 3, | 1669 EXPECT_SHA1 = 1 << 3, |
| 1674 EXPECT_SHA1_LEAF = 1 << 4, | 1670 EXPECT_SHA1_LEAF = 1 << 4, |
| (...skipping 401 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2076 int flags = 0; | 2072 int flags = 0; |
| 2077 CertVerifyResult verify_result; | 2073 CertVerifyResult verify_result; |
| 2078 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, | 2074 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
| 2079 &verify_result); | 2075 &verify_result); |
| 2080 EXPECT_EQ(OK, error); | 2076 EXPECT_EQ(OK, error); |
| 2081 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2077 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 2082 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2078 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 2083 } | 2079 } |
| 2084 | 2080 |
| 2085 } // namespace net | 2081 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2560343002:
Disable SHA-1 for Enterprise Certs (Closed)
