Chromium Code Reviews Chromium Code Reviews
Issue 2613833002:
Restrict the set of WoSign/StartCom certs to the Alexa Top 1M (Closed)
| Index: net/cert/cert_verify_proc_whitelist_unittest.cc |
| diff --git a/net/cert/cert_verify_proc_whitelist_unittest.cc b/net/cert/cert_verify_proc_whitelist_unittest.cc |
| index 27320356cb28cd1fd3e9e2bef5be1bf0858a0ba1..8bed3978e528efc914c02a1df6a662c0b5f6a6d5 100644 |
| --- a/net/cert/cert_verify_proc_whitelist_unittest.cc |
| +++ b/net/cert/cert_verify_proc_whitelist_unittest.cc |
| @@ -14,7 +14,15 @@ namespace net { |
| namespace { |
| +namespace test1 { |
|
svaldez
2017/01/26 20:54:48
Slightly ugly of a namespace for test data, though
|
| +#include "net/cert/cert_verify_proc_whitelist_unittest1-inc.cc" |
| +} // namespace test |
| + |
| TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) { |
| + // The domain must be in the whitelist from |
| + // //net/data/ssl/wosign/wosign_domains.gperf |
| + const char kWhitelistedDomain[] = "005.tv"; |
|
svaldez
2017/01/26 20:54:48
Add a sanity check for a nonwhitelisted domain fro
|
| + |
| scoped_refptr<X509Certificate> cert = |
| ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem"); |
| ASSERT_TRUE(cert); |
| @@ -25,12 +33,44 @@ TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) { |
| 0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf, |
| 0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65}}); |
| - EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes)); |
| + EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes, |
| + kWhitelistedDomain)); |
| cert = ImportCertFromFile(GetTestCertsDirectory(), "wosign_after_oct_21.pem"); |
| ASSERT_TRUE(cert); |
| - EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes)); |
| + EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes, |
| + kWhitelistedDomain)); |
| +} |
| + |
| +TEST(CertVerifyProcWhitelistTest, IsWhitelistedHost) { |
| + const unsigned char* graph = test1::kDafsa; |
| + size_t graph_size = arraysize(test1::kDafsa); |
| + |
| + // Test malformed inputs. |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "")); |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, ".")); |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "..")); |
| + |
| + // Make sure that TLDs aren't accepted just because a subdomain is. |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "com")); |
| + |
| + // Test various forms of domain names that GURL will accept for entries in |
| + // the graph. |
| + EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com")); |
| + EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "subdomain.example.com")); |
| + EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".subdomain.example.com")); |
| + EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com.")); |
| + EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".example.com.")); |
| + EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "www.example.bar.jp")); |
| + |
|
svaldez
2017/01/26 20:54:48
Add tests for pre/postfix of whitelisted domains.
|
| + // Test various forms of domain names that GURL will accept for entries not |
| + // in the graph. |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "anotherexample.com")); |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "domain.com")); |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "example..com")); |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www.co.uk")); |
| + EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www..co.uk")); |
| } |
| } // namespace |
