Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1422)

Unified Diff: net/cert/cert_verify_proc_whitelist_unittest.cc

Issue 2613833002: Restrict the set of WoSign/StartCom certs to the Alexa Top 1M (Closed)
Patch Set: Review feedback Created 3 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/cert_verify_proc_whitelist.cc ('k') | net/cert/cert_verify_proc_whitelist_unittest1.gperf » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_whitelist_unittest.cc
diff --git a/net/cert/cert_verify_proc_whitelist_unittest.cc b/net/cert/cert_verify_proc_whitelist_unittest.cc
index 27320356cb28cd1fd3e9e2bef5be1bf0858a0ba1..1ad6a1c531661336686f880d6a637dc9da1e2d6a 100644
--- a/net/cert/cert_verify_proc_whitelist_unittest.cc
+++ b/net/cert/cert_verify_proc_whitelist_unittest.cc
@@ -14,7 +14,16 @@ namespace net {
namespace {
+namespace test1 {
+#include "net/cert/cert_verify_proc_whitelist_unittest1-inc.cc"
+} // namespace test
+
TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) {
+ // The domain must be in the whitelist from
+ // //net/data/ssl/wosign/wosign_domains.gperf
+ const char kWhitelistedDomain[] = "005.tv";
+ const char kNonWhitelistedDomain[] = "006.tv";
+
scoped_refptr<X509Certificate> cert =
ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem");
ASSERT_TRUE(cert);
@@ -25,12 +34,68 @@ TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) {
0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf,
0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65}});
- EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+ // Domains on the whitelist are allowed, as long as their certificates were
+ // pre-existing before Oct 21, 2016.
+ EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
+ kWhitelistedDomain));
+ // Domains not on the whitelist are not allowed, regardless of the validity
+ // period of the certificate.
+ EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
+ kNonWhitelistedDomain));
cert = ImportCertFromFile(GetTestCertsDirectory(), "wosign_after_oct_21.pem");
ASSERT_TRUE(cert);
- EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+ // No new certificates (after Oct 21, 2016) are all allowed, regardless
+ // of the domain.
+ EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
+ kWhitelistedDomain));
+ EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
+ kNonWhitelistedDomain));
+
+ // Certificates that aren't issued by WoSign are allowed, regardless of
+ // domain.
+ public_key_hashes[0].data()[0] = 0x14;
+ EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
+ kWhitelistedDomain));
+ EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes,
+ kNonWhitelistedDomain));
+}
+
+TEST(CertVerifyProcWhitelistTest, IsWhitelistedHost) {
+ const unsigned char* graph = test1::kDafsa;
+ size_t graph_size = arraysize(test1::kDafsa);
+
+ // Test malformed inputs.
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, ""));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "."));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, ".."));
+
+ // Make sure that TLDs aren't accepted just because a subdomain is.
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "com"));
+
+ // Test various forms of domain names that GURL will accept for entries in
+ // the graph.
+ EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com"));
+ EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "subdomain.example.com"));
+ EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".subdomain.example.com"));
+ EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com."));
+ EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".example.com."));
+ EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "www.example.bar.jp"));
+
+ // Test various prefix/suffices of entries in the graph, but that aren't
+ // themselves domain matches.
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "anotherexample.com"));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "bar.jp"));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "example.bar.jp.junk"));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "foo.example.bar.jp.junk"));
+
+ // Test various forms of domain names that GURL will accept for entries not
+ // in the graph.
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "domain.com"));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "example..com"));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www.co.uk"));
+ EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www..co.uk"));
}
} // namespace
« no previous file with comments | « net/cert/cert_verify_proc_whitelist.cc ('k') | net/cert/cert_verify_proc_whitelist_unittest1.gperf » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698