| Index: net/cert/internal/trust_store_mac_unittest.cc
|
| diff --git a/net/cert/internal/trust_store_mac_unittest.cc b/net/cert/internal/trust_store_mac_unittest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..1d1bc4916d90f207d6ac8ed759bc6de6fa92b4cd
|
| --- /dev/null
|
| +++ b/net/cert/internal/trust_store_mac_unittest.cc
|
| @@ -0,0 +1,319 @@
|
| +// Copyright 2017 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "net/cert/internal/trust_store_mac.h"
|
| +
|
| +#include "base/base_paths.h"
|
| +#include "base/files/file_util.h"
|
| +#include "base/files/scoped_temp_dir.h"
|
| +#include "base/path_service.h"
|
| +#include "base/process/launch.h"
|
| +#include "base/strings/string_split.h"
|
| +#include "base/synchronization/lock.h"
|
| +#include "crypto/mac_security_services_lock.h"
|
| +#include "net/cert/internal/cert_errors.h"
|
| +#include "net/cert/internal/test_helpers.h"
|
| +#include "net/cert/pem_tokenizer.h"
|
| +#include "net/cert/test_keychain_search_list_mac.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +#include "net/cert/x509_util.h"
|
| +#include "net/test/test_data_directory.h"
|
| +#include "testing/gmock/include/gmock/gmock.h"
|
| +#include "testing/gtest/include/gtest/gtest.h"
|
| +
|
| +using ::testing::UnorderedElementsAreArray;
|
| +
|
| +namespace net {
|
| +
|
| +namespace {
|
| +
|
| +// The PEM block header used for DER certificates
|
| +const char kCertificateHeader[] = "CERTIFICATE";
|
| +
|
| +// Parses a PEM encoded certificate from |file_name| and stores in |result|.
|
| +::testing::AssertionResult ReadTestCert(
|
| + const std::string& file_name,
|
| + scoped_refptr<ParsedCertificate>* result) {
|
| + std::string der;
|
| + const PemBlockMapping mappings[] = {
|
| + {kCertificateHeader, &der},
|
| + };
|
| +
|
| + ::testing::AssertionResult r = ReadTestDataFromPemFile(
|
| + "net/data/ssl/certificates/" + file_name, mappings);
|
| + if (!r)
|
| + return r;
|
| +
|
| + CertErrors errors;
|
| + *result = ParsedCertificate::Create(x509_util::CreateCryptoBuffer(der), {},
|
| + &errors);
|
| + if (!*result) {
|
| + return ::testing::AssertionFailure()
|
| + << "ParseCertificate::Create() failed:\n"
|
| + << errors.ToDebugString();
|
| + }
|
| + return ::testing::AssertionSuccess();
|
| +}
|
| +
|
| +// Returns the DER encodings of the SecCertificates in |array|.
|
| +std::vector<std::string> SecCertificateArrayAsDER(CFArrayRef array) {
|
| + std::vector<std::string> result;
|
| +
|
| + for (CFIndex i = 0, item_count = CFArrayGetCount(array); i < item_count;
|
| + ++i) {
|
| + SecCertificateRef match_cert_handle = reinterpret_cast<SecCertificateRef>(
|
| + const_cast<void*>(CFArrayGetValueAtIndex(array, i)));
|
| + if (!match_cert_handle) {
|
| + ADD_FAILURE() << "null item " << i;
|
| + continue;
|
| + }
|
| + base::ScopedCFTypeRef<CFDataRef> der_data(
|
| + SecCertificateCopyData(match_cert_handle));
|
| + if (!der_data) {
|
| + ADD_FAILURE() << "SecCertificateCopyData error";
|
| + continue;
|
| + }
|
| + result.push_back(std::string(
|
| + reinterpret_cast<const char*>(CFDataGetBytePtr(der_data.get())),
|
| + CFDataGetLength(der_data.get())));
|
| + }
|
| +
|
| + return result;
|
| +}
|
| +
|
| +// Returns the DER encodings of the ParsedCertificates in |list|.
|
| +std::vector<std::string> ParsedCertificateListAsDER(
|
| + ParsedCertificateList list) {
|
| + std::vector<std::string> result;
|
| + for (const auto& it : list)
|
| + result.push_back(it->der_cert().AsString());
|
| + return result;
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +// Test the trust store using known test certificates in a keychain. Tests
|
| +// that issuer searching returns the expected certificates, and that none of
|
| +// the certificates are trusted.
|
| +TEST(TrustStoreMacTest, MultiRootNotTrusted) {
|
| + std::unique_ptr<TestKeychainSearchList> test_keychain_search_list(
|
| + TestKeychainSearchList::Create());
|
| + ASSERT_TRUE(test_keychain_search_list);
|
| + base::FilePath keychain_path(
|
| + GetTestCertsDirectory().AppendASCII("multi-root.keychain"));
|
| + // SecKeychainOpen does not fail if the file doesn't exist, so assert it here
|
| + // for easier debugging.
|
| + ASSERT_TRUE(base::PathExists(keychain_path));
|
| + base::ScopedCFTypeRef<SecKeychainRef> keychain;
|
| + OSStatus status = SecKeychainOpen(keychain_path.MaybeAsASCII().c_str(),
|
| + keychain.InitializeInto());
|
| + ASSERT_EQ(errSecSuccess, status);
|
| + ASSERT_TRUE(keychain);
|
| + test_keychain_search_list->AddKeychain(keychain);
|
| +
|
| + TrustStoreMac trust_store(kSecPolicyAppleSSL);
|
| +
|
| + scoped_refptr<ParsedCertificate> a_by_b, b_by_c, b_by_f, c_by_d, c_by_e,
|
| + f_by_e, d_by_d, e_by_e;
|
| + ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b));
|
| + ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c));
|
| + ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f));
|
| + ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d));
|
| + ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e));
|
| + ASSERT_TRUE(ReadTestCert("multi-root-F-by-E.pem", &f_by_e));
|
| + ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d));
|
| + ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e));
|
| +
|
| + base::ScopedCFTypeRef<CFDataRef> normalized_name_b =
|
| + TrustStoreMac::GetMacNormalizedIssuer(a_by_b);
|
| + ASSERT_TRUE(normalized_name_b);
|
| + base::ScopedCFTypeRef<CFDataRef> normalized_name_c =
|
| + TrustStoreMac::GetMacNormalizedIssuer(b_by_c);
|
| + ASSERT_TRUE(normalized_name_c);
|
| + base::ScopedCFTypeRef<CFDataRef> normalized_name_f =
|
| + TrustStoreMac::GetMacNormalizedIssuer(b_by_f);
|
| + ASSERT_TRUE(normalized_name_f);
|
| + base::ScopedCFTypeRef<CFDataRef> normalized_name_d =
|
| + TrustStoreMac::GetMacNormalizedIssuer(c_by_d);
|
| + ASSERT_TRUE(normalized_name_d);
|
| + base::ScopedCFTypeRef<CFDataRef> normalized_name_e =
|
| + TrustStoreMac::GetMacNormalizedIssuer(f_by_e);
|
| + ASSERT_TRUE(normalized_name_e);
|
| +
|
| + // Test that the matching keychain items are found, even though they aren't
|
| + // trusted.
|
| + {
|
| + base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
|
| + TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
|
| + normalized_name_b.get());
|
| +
|
| + EXPECT_THAT(SecCertificateArrayAsDER(scoped_matching_items),
|
| + UnorderedElementsAreArray(
|
| + ParsedCertificateListAsDER({b_by_c, b_by_f})));
|
| + }
|
| +
|
| + {
|
| + base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
|
| + TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
|
| + normalized_name_c.get());
|
| + EXPECT_THAT(SecCertificateArrayAsDER(scoped_matching_items),
|
| + UnorderedElementsAreArray(
|
| + ParsedCertificateListAsDER({c_by_d, c_by_e})));
|
| + }
|
| +
|
| + {
|
| + base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
|
| + TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
|
| + normalized_name_f.get());
|
| + EXPECT_THAT(
|
| + SecCertificateArrayAsDER(scoped_matching_items),
|
| + UnorderedElementsAreArray(ParsedCertificateListAsDER({f_by_e})));
|
| + }
|
| +
|
| + {
|
| + base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
|
| + TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
|
| + normalized_name_d.get());
|
| + EXPECT_THAT(
|
| + SecCertificateArrayAsDER(scoped_matching_items),
|
| + UnorderedElementsAreArray(ParsedCertificateListAsDER({d_by_d})));
|
| + }
|
| +
|
| + {
|
| + base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
|
| + TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
|
| + normalized_name_e.get());
|
| + EXPECT_THAT(
|
| + SecCertificateArrayAsDER(scoped_matching_items),
|
| + UnorderedElementsAreArray(ParsedCertificateListAsDER({e_by_e})));
|
| + }
|
| +
|
| + // None of the certs should return any matching TrustAnchors, since the test
|
| + // certs in the keychain aren't trusted (unless someone manually added and
|
| + // trusted the test certs on the machine the test is being run on).
|
| + for (const auto& cert :
|
| + {a_by_b, b_by_c, b_by_f, c_by_d, c_by_e, f_by_e, d_by_d, e_by_e}) {
|
| + TrustAnchors matching_anchors;
|
| + trust_store.FindTrustAnchorsForCert(cert, &matching_anchors);
|
| + EXPECT_EQ(0u, matching_anchors.size());
|
| + }
|
| +}
|
| +
|
| +// Test against all the certificates in the default keychains. Confirms that
|
| +// the computed trust value matches that of SecTrustEvaluate.
|
| +TEST(TrustStoreMacTest, SystemCerts) {
|
| + // Get the list of all certificates in the user & system keychains.
|
| + // This may include both trusted and untrusted certificates.
|
| + //
|
| + // The output contains zero or more repetitions of:
|
| + // "SHA-1 hash: <hash>\n<PEM encoded cert>\n"
|
| + std::string find_certificate_default_search_list_output;
|
| + ASSERT_TRUE(
|
| + base::GetAppOutput({"security", "find-certificate", "-a", "-p", "-Z"},
|
| + &find_certificate_default_search_list_output));
|
| + // Get the list of all certificates in the system roots keychain.
|
| + // (Same details as above.)
|
| + std::string find_certificate_system_roots_output;
|
| + ASSERT_TRUE(base::GetAppOutput(
|
| + {"security", "find-certificate", "-a", "-p", "-Z",
|
| + "/System/Library/Keychains/SystemRootCertificates.keychain"},
|
| + &find_certificate_system_roots_output));
|
| +
|
| + TrustStoreMac trust_store(kSecPolicyAppleX509Basic);
|
| +
|
| + base::ScopedCFTypeRef<SecPolicyRef> sec_policy(SecPolicyCreateBasicX509());
|
| + ASSERT_TRUE(sec_policy);
|
| +
|
| + for (const std::string& hash_and_pem : base::SplitStringUsingSubstr(
|
| + find_certificate_system_roots_output +
|
| + find_certificate_default_search_list_output,
|
| + "SHA-1 hash: ", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY)) {
|
| + std::string::size_type eol_pos = hash_and_pem.find_first_of("\r\n");
|
| + ASSERT_NE(std::string::npos, eol_pos);
|
| + // Extract the SHA-1 hash of the certificate. This isn't necessary for the
|
| + // test, but is a convenient identifier to use in any error messages.
|
| + std::string hash_text = hash_and_pem.substr(0, eol_pos);
|
| +
|
| + SCOPED_TRACE(hash_text);
|
| + // TODO(mattm): The same cert might exist in both lists, could de-dupe
|
| + // before testing?
|
| +
|
| + // Parse the PEM encoded text to DER bytes.
|
| + PEMTokenizer pem_tokenizer(hash_and_pem, {kCertificateHeader});
|
| + ASSERT_TRUE(pem_tokenizer.GetNext());
|
| + std::string cert_der(pem_tokenizer.data());
|
| + ASSERT_FALSE(pem_tokenizer.GetNext());
|
| +
|
| + CertErrors errors;
|
| + // Note: don't actually need to make a ParsedCertificate here, just need
|
| + // the DER bytes. But parsing it here ensures the test can skip any certs
|
| + // that won't be returned due to parsing failures inside TrustStoreMac.
|
| + // The parsing options set here need to match the ones used in
|
| + // trust_store_mac.cc.
|
| + ParseCertificateOptions options;
|
| + // For https://crt.sh/?q=D3EEFBCBBCF49867838626E23BB59CA01E305DB7:
|
| + options.allow_invalid_serial_numbers = true;
|
| + scoped_refptr<ParsedCertificate> cert = ParsedCertificate::Create(
|
| + x509_util::CreateCryptoBuffer(cert_der), options, &errors);
|
| + if (!cert) {
|
| + LOG(WARNING) << "ParseCertificate::Create " << hash_text << " failed:\n"
|
| + << errors.ToDebugString();
|
| + continue;
|
| + }
|
| +
|
| + base::ScopedCFTypeRef<SecCertificateRef> cert_handle(
|
| + X509Certificate::CreateOSCertHandleFromBytes(
|
| + cert->der_cert().AsStringPiece().data(),
|
| + cert->der_cert().Length()));
|
| + if (!cert_handle) {
|
| + ADD_FAILURE() << "CreateOSCertHandleFromBytes " << hash_text;
|
| + continue;
|
| + }
|
| + base::ScopedCFTypeRef<CFDataRef> mac_normalized_subject;
|
| + {
|
| + base::AutoLock lock(crypto::GetMacSecurityServicesLock());
|
| + mac_normalized_subject.reset(
|
| + SecCertificateCopyNormalizedSubjectContent(cert_handle, nullptr));
|
| + }
|
| + if (!mac_normalized_subject) {
|
| + ADD_FAILURE() << "SecCertificateCopyNormalizedSubjectContent "
|
| + << hash_text;
|
| + continue;
|
| + }
|
| +
|
| + // Check if this cert is considered a trust anchor by TrustStoreMac.
|
| + TrustAnchors trust_anchors;
|
| + trust_store.FindTrustAnchorsByMacNormalizedSubject(mac_normalized_subject,
|
| + &trust_anchors);
|
| + bool is_trust_anchor = false;
|
| + for (const auto& anchor : trust_anchors) {
|
| + ASSERT_TRUE(anchor->cert());
|
| + if (anchor->cert()->der_cert() == cert->der_cert())
|
| + is_trust_anchor = true;
|
| + }
|
| +
|
| + // Check if this cert is considered a trust anchor by the OS.
|
| + base::ScopedCFTypeRef<SecTrustRef> trust;
|
| + {
|
| + base::AutoLock lock(crypto::GetMacSecurityServicesLock());
|
| + ASSERT_EQ(noErr,
|
| + SecTrustCreateWithCertificates(cert_handle, sec_policy,
|
| + trust.InitializeInto()));
|
| + ASSERT_EQ(noErr,
|
| + SecTrustSetOptions(
|
| + trust,
|
| + kSecTrustOptionLeafIsCA | kSecTrustOptionAllowExpiredRoot));
|
| +
|
| + SecTrustResultType trust_result;
|
| + ASSERT_EQ(noErr, SecTrustEvaluate(trust, &trust_result));
|
| + bool expected_trust_anchor =
|
| + ((trust_result == kSecTrustResultProceed) ||
|
| + (trust_result == kSecTrustResultUnspecified)) &&
|
| + (SecTrustGetCertificateCount(trust) == 1);
|
| + EXPECT_EQ(expected_trust_anchor, is_trust_anchor);
|
| + }
|
| + }
|
| +}
|
| +
|
| +} // namespace net
|
|
|
Chromium Code Reviews
Issue 2585963003:
PKI library Mac trust store integration (Closed)
