Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(350)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_whitelist_unittest.cc

Issue 2565743004: Remove the CNNIC whitelist (Closed)
Patch Set: Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/cert_verify_proc_whitelist.cc ('k') | net/data/ssl/blacklist/1c01c6f4dbb2fefc22558b2bca32563f49844acfc32b7be4b0ff599f9e8c7af7.pem » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_whitelist.h" 5 #include "net/cert/cert_verify_proc_whitelist.h"
6 6
7 #include "base/memory/ref_counted.h" 7 #include "base/memory/ref_counted.h"
8 #include "net/cert/x509_certificate.h" 8 #include "net/cert/x509_certificate.h"
9 #include "net/test/cert_test_util.h" 9 #include "net/test/cert_test_util.h"
10 #include "net/test/test_data_directory.h" 10 #include "net/test/test_data_directory.h"
11 #include "testing/gtest/include/gtest/gtest.h" 11 #include "testing/gtest/include/gtest/gtest.h"
12 12
13 namespace net { 13 namespace net {
14 14
15 namespace { 15 namespace {
16 16
17 HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {
18 HashValue hash_value(tag);
19 memset(hash_value.data(), label, hash_value.size());
20 return hash_value;
21 }
22
23 HashValueVector GetFakeHashValues() {
24 HashValueVector public_key_hashes;
25
26 // Fake "root" hash
27 public_key_hashes.push_back(GetTestHashValue(0x00, HASH_VALUE_SHA256));
28 public_key_hashes.push_back(GetTestHashValue(0x01, HASH_VALUE_SHA1));
29 // Fake "intermediate" hash
30 public_key_hashes.push_back(GetTestHashValue(0x02, HASH_VALUE_SHA256));
31 public_key_hashes.push_back(GetTestHashValue(0x03, HASH_VALUE_SHA1));
32 // Fake "leaf" hash
33 public_key_hashes.push_back(GetTestHashValue(0x04, HASH_VALUE_SHA256));
34 public_key_hashes.push_back(GetTestHashValue(0x05, HASH_VALUE_SHA1));
35
36 return public_key_hashes;
37 }
38
39 // The SHA-256 hash of the leaf cert "ok_cert.pem"; obtainable either
40 // via X509Certificate::CalculateFingerprint256 or
41 // openssl x509 -inform pem -in ok_cert.pem -outform der | openssl
42 // dgst -sha256 -c
43 const uint8_t kWhitelistCerts[][crypto::kSHA256Length] = {
44 /* clang-format off */
45 { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
46 0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
47 0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
48 0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
49 /* clang-format on */
50 };
51
52 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByRoot) {
53 scoped_refptr<X509Certificate> cert =
54 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
55 ASSERT_TRUE(cert);
56
57 // clang-format off
58 const PublicKeyWhitelist kWhitelist[] = {
59 { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
60 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
63 kWhitelistCerts, arraysize(kWhitelistCerts)
64 },
65 };
66 // clang-format on
67
68 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
69
70 HashValueVector public_key_hashes = GetFakeHashValues();
71
72 // Should return false, indicating this cert is acceptable because of
73 // it being whitelisted.
74 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
75
76 SetCertificateWhitelistForTesting(nullptr, 0);
77 }
78
79 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByIntermediate) {
80 scoped_refptr<X509Certificate> cert =
81 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
82 ASSERT_TRUE(cert);
83
84 // clang-format off
85 const PublicKeyWhitelist kWhitelist[] = {
86 { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
87 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
88 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
89 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
90 kWhitelistCerts, arraysize(kWhitelistCerts)
91 },
92 };
93 // clang-format on
94
95 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
96
97 HashValueVector public_key_hashes = GetFakeHashValues();
98
99 // Should return false, indicating this cert is acceptable because of
100 // it being whitelisted.
101 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
102
103 SetCertificateWhitelistForTesting(nullptr, 0);
104 }
105
106 TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEE) {
107 scoped_refptr<X509Certificate> cert =
108 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
109 ASSERT_TRUE(cert);
110
111 // clang-format off
112 const PublicKeyWhitelist kWhitelist[] = {
113 { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
115 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
117 kWhitelistCerts, arraysize(kWhitelistCerts)
118 },
119 };
120 // clang-format on
121
122 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
123
124 HashValueVector public_key_hashes = GetFakeHashValues();
125
126 // Should return true, indicating this certificate chains to a constrained
127 // root and is not whitelisted.
128 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
129
130 SetCertificateWhitelistForTesting(nullptr, 0);
131 }
132
133 TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEEByIntermediate) {
134 scoped_refptr<X509Certificate> cert =
135 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
136 ASSERT_TRUE(cert);
137
138 // clang-format off
139 const PublicKeyWhitelist kWhitelist[] = {
140 { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
141 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
142 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
143 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
144 kWhitelistCerts, arraysize(kWhitelistCerts)
145 },
146 };
147 // clang-format on
148
149 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
150
151 HashValueVector public_key_hashes = GetFakeHashValues();
152
153 // Should return true, indicating this certificate chains to a constrained
154 // root and is not whitelisted.
155 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
156
157 SetCertificateWhitelistForTesting(nullptr, 0);
158 }
159
160 TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {
161 scoped_refptr<X509Certificate> cert =
162 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
163 ASSERT_TRUE(cert);
164
165 // clang-format off
166 const PublicKeyWhitelist kWhitelist[] = {
167 { { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
168 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
169 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
170 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 },
171 kWhitelistCerts, arraysize(kWhitelistCerts)
172 },
173 };
174 // clang-format on
175
176 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
177
178 HashValueVector public_key_hashes = GetFakeHashValues();
179
180 // Should return false, because the chain (as indicated by
181 // public_key_hashes) is not constrained.
182 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
183
184 SetCertificateWhitelistForTesting(nullptr, 0);
185 }
186
187 TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) { 17 TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) {
188 scoped_refptr<X509Certificate> cert = 18 scoped_refptr<X509Certificate> cert =
189 ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem"); 19 ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem");
190 ASSERT_TRUE(cert); 20 ASSERT_TRUE(cert);
191 21
192 HashValueVector public_key_hashes; 22 HashValueVector public_key_hashes;
193 public_key_hashes.emplace_back(SHA256HashValue{ 23 public_key_hashes.emplace_back(SHA256HashValue{
194 {0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a, 0x83, 0x0b, 0x0b, 24 {0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a, 0x83, 0x0b, 0x0b,
195 0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf, 25 0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf,
196 0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65}}); 26 0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65}});
197 27
198 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes)); 28 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
199 29
200 cert = ImportCertFromFile(GetTestCertsDirectory(), "wosign_after_oct_21.pem"); 30 cert = ImportCertFromFile(GetTestCertsDirectory(), "wosign_after_oct_21.pem");
201 ASSERT_TRUE(cert); 31 ASSERT_TRUE(cert);
202 32
203 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes)); 33 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
204 } 34 }
205 35
206 } // namespace 36 } // namespace
207 37
208 } // namespace net 38 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/cert_verify_proc_whitelist.cc ('k') | net/data/ssl/blacklist/1c01c6f4dbb2fefc22558b2bca32563f49844acfc32b7be4b0ff599f9e8c7af7.pem » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698