| Index: net/cert/cert_verify_proc_unittest.cc
|
| diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
|
| index 2e3a0f5d458f3e649789168ea481adc01e33a9e1..86fce4961de1c3d301270a51722e43db87ea53a8 100644
|
| --- a/net/cert/cert_verify_proc_unittest.cc
|
| +++ b/net/cert/cert_verify_proc_unittest.cc
|
| @@ -100,38 +100,47 @@ int MockCertVerifyProc::VerifyInternal(
|
| return OK;
|
| }
|
|
|
| -bool SupportsReturningVerifiedChain() {
|
| -#if defined(OS_ANDROID)
|
| - // Before API level 17, Android does not expose the APIs necessary to get at
|
| - // the verified certificate chain.
|
| - if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
|
| - return false;
|
| -#endif
|
| - return true;
|
| -}
|
| +// This enum identifies a concrete implemenation of CertVerifyProc.
|
| +//
|
| +// The type is erased by CertVerifyProc::CreateDefault(), however
|
| +// needs to be known for some of the test expectations.
|
| +enum CertVerifyProcType {
|
| + CERT_VERIFY_PROC_NSS,
|
| + CERT_VERIFY_PROC_OPENSSL,
|
| + CERT_VERIFY_PROC_ANDROID,
|
| + CERT_VERIFY_PROC_IOS,
|
| + CERT_VERIFY_PROC_MAC,
|
| + CERT_VERIFY_PROC_WIN,
|
| +};
|
|
|
| -bool SupportsDetectingKnownRoots() {
|
| -#if defined(OS_ANDROID)
|
| - // Before API level 17, Android does not expose the APIs necessary to get at
|
| - // the verified certificate chain and detect known roots.
|
| - if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
|
| - return false;
|
| +// Returns the CertVerifyProcType corresponding to what
|
| +// CertVerifyProc::CreateDefault() returns. This needs to be kept in sync with
|
| +// CreateDefault().
|
| +CertVerifyProcType GetDefaultCertVerifyProcType() {
|
| +#if defined(USE_NSS_CERTS)
|
| + return CERT_VERIFY_PROC_NSS;
|
| +#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
|
| + return CERT_VERIFY_PROC_OPENSSL;
|
| +#elif defined(OS_ANDROID)
|
| + return CERT_VERIFY_PROC_ANDROID;
|
| #elif defined(OS_IOS)
|
| - // iOS does not expose the APIs necessary to get the known system roots.
|
| - return false;
|
| + return CERT_VERIFY_PROC_IOS;
|
| +#elif defined(OS_MACOSX)
|
| + return CERT_VERIFY_PROC_MAC;
|
| +#elif defined(OS_WIN)
|
| + return CERT_VERIFY_PROC_WIN;
|
| +#else
|
| +// Will fail to compile.
|
| #endif
|
| - return true;
|
| }
|
|
|
| -bool WeakKeysAreInvalid() {
|
| -#if defined(OS_MACOSX) && !defined(OS_IOS)
|
| - // Starting with Mac OS 10.12, certs with weak keys are treated as
|
| - // (recoverable) invalid certificate errors.
|
| - return base::mac::IsAtLeastOS10_12();
|
| +// Whether the test is running within the iphone simulator.
|
| +const bool kTargetIsIphoneSimulator =
|
| +#if TARGET_IPHONE_SIMULATOR
|
| + true;
|
| #else
|
| - return false;
|
| + false;
|
| #endif
|
| -}
|
|
|
| // Template helper to load a series of certificate files into a CertificateList.
|
| // Like CertTestUtil's CreateCertificateListFromFile, except it can load a
|
| @@ -149,31 +158,48 @@ void LoadCertificateFiles(const char* const (&cert_files)[N],
|
| }
|
| }
|
|
|
| -} // namespace
|
| -
|
| -class CertVerifyProcTest : public testing::Test {
|
| - public:
|
| - CertVerifyProcTest()
|
| - : verify_proc_(CertVerifyProc::CreateDefault()) {
|
| +// Returns a textual description of the CertVerifyProc implementation
|
| +// that is being tested, used to give better names to parameterized
|
| +// tests.
|
| +std::string VerifyProcTypeToName(
|
| + const testing::TestParamInfo<CertVerifyProcType>& params) {
|
| + switch (params.param) {
|
| + case CERT_VERIFY_PROC_NSS:
|
| + return "CertVerifyProcNSS";
|
| + case CERT_VERIFY_PROC_OPENSSL:
|
| + return "CertVerifyProcOpenSSL";
|
| + case CERT_VERIFY_PROC_ANDROID:
|
| + return "CertVerifyProcAndroid";
|
| + case CERT_VERIFY_PROC_IOS:
|
| + return "CertVerifyProcIOS";
|
| + case CERT_VERIFY_PROC_MAC:
|
| + return "CertVerifyProcMac";
|
| + case CERT_VERIFY_PROC_WIN:
|
| + return "CertVerifyProcWin";
|
| }
|
| - ~CertVerifyProcTest() override {}
|
|
|
| - protected:
|
| - bool SupportsAdditionalTrustAnchors() {
|
| - return verify_proc_->SupportsAdditionalTrustAnchors();
|
| - }
|
| + return nullptr;
|
| +}
|
|
|
| - // Returns true if the underlying CertVerifyProc supports integrating CRLSets
|
| - // into path building logic, such as allowing the selection of alternatively
|
| - // valid paths when one or more are revoked. As the goal is to integrate this
|
| - // into all platforms, this is a temporary, test-only flag to centralize the
|
| - // conditionals in tests.
|
| - bool SupportsCRLSetsInPathBuilding() {
|
| -#if defined(OS_WIN) || defined(USE_NSS_CERTS)
|
| - return true;
|
| -#else
|
| - return false;
|
| -#endif
|
| +// The set of all CertVerifyProcTypes that tests should be
|
| +// parameterized on.
|
| +const std::vector<CertVerifyProcType> kAllCertVerifiers = {
|
| + GetDefaultCertVerifyProcType()};
|
| +
|
| +} // namespace
|
| +
|
| +// This fixture is for tests that apply to concrete implementations of
|
| +// CertVerifyProc. It will be run for all of the concrete
|
| +// CertVerifyProc types.
|
| +//
|
| +// It is called "Internal" as it tests the internal methods like
|
| +// "VerifyInternal()".
|
| +class CertVerifyProcInternalTest
|
| + : public testing::TestWithParam<CertVerifyProcType> {
|
| + protected:
|
| + void SetUp() override {
|
| + EXPECT_EQ(verify_proc_type(), GetDefaultCertVerifyProcType());
|
| + verify_proc_ = CertVerifyProc::CreateDefault();
|
| }
|
|
|
| int Verify(X509Certificate* cert,
|
| @@ -186,34 +212,86 @@ class CertVerifyProcTest : public testing::Test {
|
| additional_trust_anchors, verify_result);
|
| }
|
|
|
| - int VerifyWithOCSPResponse(X509Certificate* cert,
|
| - const std::string& hostname,
|
| - const std::string& ocsp_response,
|
| - int flags,
|
| - CRLSet* crl_set,
|
| - const CertificateList& additional_trust_anchors,
|
| - CertVerifyResult* verify_result) {
|
| - return verify_proc_->Verify(cert, hostname, ocsp_response, flags, crl_set,
|
| - additional_trust_anchors, verify_result);
|
| + CertVerifyProcType verify_proc_type() const { return GetParam(); }
|
| +
|
| + bool SupportsAdditionalTrustAnchors() const {
|
| + return verify_proc_->SupportsAdditionalTrustAnchors();
|
| + }
|
| +
|
| + bool SupportsReturningVerifiedChain() const {
|
| +#if defined(OS_ANDROID)
|
| + // Before API level 17, Android does not expose the APIs necessary to get at
|
| + // the verified certificate chain.
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID &&
|
| + base::android::BuildInfo::GetInstance()->sdk_int() < 17)
|
| + return false;
|
| +#endif
|
| + return true;
|
| }
|
|
|
| - const CertificateList empty_cert_list_;
|
| + bool SupportsDetectingKnownRoots() const {
|
| +#if defined(OS_ANDROID)
|
| + // Before API level 17, Android does not expose the APIs necessary to get at
|
| + // the verified certificate chain and detect known roots.
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID)
|
| + return base::android::BuildInfo::GetInstance()->sdk_int() >= 17;
|
| +#endif
|
| +
|
| + // iOS does not expose the APIs necessary to get the known system roots.
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_IOS)
|
| + return false;
|
| +
|
| + return true;
|
| + }
|
| +
|
| + bool WeakKeysAreInvalid() const {
|
| +#if defined(OS_MACOSX) && !defined(OS_IOS)
|
| + // Starting with Mac OS 10.12, certs with weak keys are treated as
|
| + // (recoverable) invalid certificate errors.
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_MAC &&
|
| + base::mac::IsAtLeastOS10_12()) {
|
| + return true;
|
| + }
|
| +#endif
|
| + return false;
|
| + }
|
| +
|
| + bool SupportsCRLSet() const {
|
| + return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
|
| + verify_proc_type() == CERT_VERIFY_PROC_WIN ||
|
| + verify_proc_type() == CERT_VERIFY_PROC_MAC;
|
| + }
|
| +
|
| + bool SupportsCRLSetsInPathBuilding() const {
|
| + return verify_proc_type() == CERT_VERIFY_PROC_WIN ||
|
| + verify_proc_type() == CERT_VERIFY_PROC_NSS;
|
| + }
|
| +
|
| + CertVerifyProc* verify_proc() const { return verify_proc_.get(); }
|
| +
|
| + private:
|
| scoped_refptr<CertVerifyProc> verify_proc_;
|
| };
|
|
|
| -#if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
|
| -// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
|
| -#define MAYBE_EVVerification DISABLED_EVVerification
|
| -#else
|
| +INSTANTIATE_TEST_CASE_P(,
|
| + CertVerifyProcInternalTest,
|
| + testing::ValuesIn(kAllCertVerifiers),
|
| + VerifyProcTypeToName);
|
| +
|
| // TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
|
| // expired, http://crbug.com/502818
|
| -#define MAYBE_EVVerification DISABLED_EVVerification
|
| -#endif
|
| -TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
|
| - CertificateList certs = CreateCertificateListFromFile(
|
| - GetTestCertsDirectory(),
|
| - "comodo.chain.pem",
|
| - X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
|
| +TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) {
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID ||
|
| + verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
|
| + // TODO(jnd): http://crbug.com/117478 - EV verification is not yet
|
| + // supported.
|
| + LOG(INFO) << "Skipping test as EV verification is not yet supported";
|
| + return;
|
| + }
|
| +
|
| + CertificateList certs =
|
| + CreateCertificateListFromFile(GetTestCertsDirectory(), "comodo.chain.pem",
|
| + X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
|
| ASSERT_EQ(3U, certs.size());
|
|
|
| X509Certificate::OSCertHandles intermediates;
|
| @@ -227,12 +305,8 @@ TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
|
| scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
|
| CertVerifyResult verify_result;
|
| int flags = CertVerifier::VERIFY_EV_CERT;
|
| - int error = Verify(comodo_chain.get(),
|
| - "comodo.com",
|
| - flags,
|
| - crl_set.get(),
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(comodo_chain.get(), "comodo.com", flags, crl_set.get(),
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
|
| }
|
| @@ -241,7 +315,7 @@ TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
|
| // configurations, so disable the test until it is fixed (better to have
|
| // a bug to track a failing test than a false sense of security due to
|
| // false positive).
|
| -TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
|
| +TEST_P(CertVerifyProcInternalTest, DISABLED_PaypalNullCertParsing) {
|
| // A certificate for www.paypal.com with a NULL byte in the common name.
|
| // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
|
| SHA256HashValue paypal_null_fingerprint = {{0x00}};
|
| @@ -258,73 +332,68 @@ TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(paypal_null_cert.get(),
|
| - "www.paypal.com",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| -#if defined(USE_NSS_CERTS) || defined(OS_ANDROID)
|
| - EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
|
| -#elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR
|
| - // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
|
| - // ERR_CERT_AUTHORITY_INVALID on the real device.
|
| - EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
|
| -#else
|
| - // TOOD(bulach): investigate why macosx and win aren't returning
|
| - // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
|
| - EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
|
| -#endif
|
| + int error = Verify(paypal_null_cert.get(), "www.paypal.com", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| +
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_NSS ||
|
| + verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
|
| + EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
|
| + } else if (verify_proc_type() == CERT_VERIFY_PROC_IOS &&
|
| + kTargetIsIphoneSimulator) {
|
| + // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
|
| + // ERR_CERT_AUTHORITY_INVALID on the real device.
|
| + EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
|
| + } else {
|
| + // TOOD(bulach): investigate why macosx and win aren't returning
|
| + // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
|
| + EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
|
| + }
|
| +
|
| // Either the system crypto library should correctly report a certificate
|
| // name mismatch, or our certificate blacklist should cause us to report an
|
| // invalid certificate.
|
| -#if defined(USE_NSS_CERTS) || defined(OS_WIN)
|
| - EXPECT_TRUE(verify_result.cert_status &
|
| - (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
|
| -#endif
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_NSS ||
|
| + verify_proc_type() == CERT_VERIFY_PROC_WIN) {
|
| + EXPECT_TRUE(verify_result.cert_status &
|
| + (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
|
| + }
|
| +
|
| + // TODO(crbug.com/649017): What expectations to use for the other verifiers?
|
| }
|
|
|
| // A regression test for http://crbug.com/31497.
|
| -#if defined(OS_ANDROID)
|
| -// Disabled on Android, as the Android verification libraries require an
|
| -// explicit policy to be specified, even when anyPolicy is permitted.
|
| -#define MAYBE_IntermediateCARequireExplicitPolicy \
|
| - DISABLED_IntermediateCARequireExplicitPolicy
|
| -#else
|
| -#define MAYBE_IntermediateCARequireExplicitPolicy \
|
| - IntermediateCARequireExplicitPolicy
|
| -#endif
|
| -TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
|
| +TEST_P(CertVerifyProcInternalTest, IntermediateCARequireExplicitPolicy) {
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
|
| + // Disabled on Android, as the Android verification libraries require an
|
| + // explicit policy to be specified, even when anyPolicy is permitted.
|
| + LOG(INFO) << "Skipping test on Android";
|
| + return;
|
| + }
|
| +
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
|
|
| CertificateList certs = CreateCertificateListFromFile(
|
| - certs_dir, "explicit-policy-chain.pem",
|
| - X509Certificate::FORMAT_AUTO);
|
| + certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(3U, certs.size());
|
|
|
| X509Certificate::OSCertHandles intermediates;
|
| intermediates.push_back(certs[1]->os_cert_handle());
|
|
|
| - scoped_refptr<X509Certificate> cert =
|
| - X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
|
| + certs[0]->os_cert_handle(), intermediates);
|
| ASSERT_TRUE(cert.get());
|
|
|
| ScopedTestRoot scoped_root(certs[2].get());
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(),
|
| - "policy_test.example",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(cert.get(), "policy_test.example", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_EQ(0u, verify_result.cert_status);
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectExpiredCert) {
|
| +TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) {
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
|
|
| // Load root_ca_cert.pem into the test root store.
|
| @@ -341,7 +410,7 @@ TEST_F(CertVerifyProcTest, RejectExpiredCert) {
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
|
| + int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
|
| &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_DATE_INVALID));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
|
| @@ -363,7 +432,7 @@ static bool IsWeakKeyType(const std::string& key_type) {
|
| return false;
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectWeakKeys) {
|
| +TEST_P(CertVerifyProcInternalTest, RejectWeakKeys) {
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
| typedef std::vector<std::string> Strings;
|
| Strings key_types;
|
| @@ -388,8 +457,8 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
|
| ee_type != key_types.end(); ++ee_type) {
|
| for (Strings::const_iterator signer_type = key_types.begin();
|
| signer_type != key_types.end(); ++signer_type) {
|
| - std::string basename = *ee_type + "-ee-by-" + *signer_type +
|
| - "-intermediate.pem";
|
| + std::string basename =
|
| + *ee_type + "-ee-by-" + *signer_type + "-intermediate.pem";
|
| SCOPED_TRACE(basename);
|
| scoped_refptr<X509Certificate> ee_cert =
|
| ImportCertFromFile(certs_dir, basename);
|
| @@ -407,12 +476,8 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
|
| intermediates);
|
|
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert_chain.get(),
|
| - "127.0.0.1",
|
| - 0,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(cert_chain.get(), "127.0.0.1", 0, NULL,
|
| + CertificateList(), &verify_result);
|
|
|
| if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
|
| EXPECT_NE(OK, error);
|
| @@ -429,20 +494,21 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
|
| }
|
|
|
| // Regression test for http://crbug.com/108514.
|
| -#if defined(OS_MACOSX) && !defined(OS_IOS)
|
| -// Disabled on OS X - Security.framework doesn't ignore superflous certificates
|
| -// provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
|
| -// details.
|
| -#define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
|
| -#else
|
| -#define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
|
| -#endif
|
| -TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
|
| +TEST_P(CertVerifyProcInternalTest, ExtraneousMD5RootCert) {
|
| if (!SupportsReturningVerifiedChain()) {
|
| LOG(INFO) << "Skipping this test in this platform.";
|
| return;
|
| }
|
|
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_MAC) {
|
| + // Disabled on OS X - Security.framework doesn't ignore superflous
|
| + // certificates provided by servers.
|
| + // TODO(eroman): Is this still needed?
|
| + LOG(INFO) << "Skipping this test as Security.framework doesn't ignore "
|
| + "superflous certificates provided by servers.";
|
| + return;
|
| + }
|
| +
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
|
|
| scoped_refptr<X509Certificate> server_cert =
|
| @@ -461,18 +527,13 @@ TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
|
|
|
| X509Certificate::OSCertHandles intermediates;
|
| intermediates.push_back(extra_cert->os_cert_handle());
|
| - scoped_refptr<X509Certificate> cert_chain =
|
| - X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
|
| + server_cert->os_cert_handle(), intermediates);
|
|
|
| CertVerifyResult verify_result;
|
| int flags = 0;
|
| - int error = Verify(cert_chain.get(),
|
| - "127.0.0.1",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(cert_chain.get(), "127.0.0.1", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
|
|
| // The extra MD5 root should be discarded
|
| @@ -480,14 +541,14 @@ TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
|
| ASSERT_EQ(1u,
|
| verify_result.verified_cert->GetIntermediateCertificates().size());
|
| EXPECT_TRUE(X509Certificate::IsSameOSCert(
|
| - verify_result.verified_cert->GetIntermediateCertificates().front(),
|
| - root_cert->os_cert_handle()));
|
| + verify_result.verified_cert->GetIntermediateCertificates().front(),
|
| + root_cert->os_cert_handle()));
|
|
|
| EXPECT_FALSE(verify_result.has_md5);
|
| }
|
|
|
| // Test for bug 94673.
|
| -TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
|
| +TEST_P(CertVerifyProcInternalTest, GoogleDigiNotarTest) {
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
|
|
| scoped_refptr<X509Certificate> server_cert =
|
| @@ -500,35 +561,26 @@ TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
|
|
|
| X509Certificate::OSCertHandles intermediates;
|
| intermediates.push_back(intermediate_cert->os_cert_handle());
|
| - scoped_refptr<X509Certificate> cert_chain =
|
| - X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
|
| + server_cert->os_cert_handle(), intermediates);
|
|
|
| CertVerifyResult verify_result;
|
| int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
|
| - int error = Verify(cert_chain.get(),
|
| - "mail.google.com",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(cert_chain.get(), "mail.google.com", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_NE(OK, error);
|
|
|
| // Now turn off revocation checking. Certificate verification should still
|
| // fail.
|
| flags = 0;
|
| - error = Verify(cert_chain.get(),
|
| - "mail.google.com",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + error = Verify(cert_chain.get(), "mail.google.com", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_NE(OK, error);
|
| }
|
|
|
| // Ensures the CertVerifyProc blacklist remains in sorted order, so that it
|
| // can be binary-searched.
|
| -TEST_F(CertVerifyProcTest, BlacklistIsSorted) {
|
| +TEST(CertVerifyProcTest, BlacklistIsSorted) {
|
| // Defines kBlacklistedSPKIs.
|
| #include "net/cert/cert_verify_proc_blacklist.inc"
|
| for (size_t i = 0; i < arraysize(kBlacklistedSPKIs) - 1; ++i) {
|
| @@ -538,14 +590,11 @@ TEST_F(CertVerifyProcTest, BlacklistIsSorted) {
|
| }
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, DigiNotarCerts) {
|
| +TEST(CertVerifyProcTest, DigiNotarCerts) {
|
| static const char* const kDigiNotarFilenames[] = {
|
| - "diginotar_root_ca.pem",
|
| - "diginotar_cyber_ca.pem",
|
| - "diginotar_services_1024_ca.pem",
|
| - "diginotar_pkioverheid.pem",
|
| - "diginotar_pkioverheid_g2.pem",
|
| - NULL,
|
| + "diginotar_root_ca.pem", "diginotar_cyber_ca.pem",
|
| + "diginotar_services_1024_ca.pem", "diginotar_pkioverheid.pem",
|
| + "diginotar_pkioverheid_g2.pem", NULL,
|
| };
|
|
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
| @@ -554,8 +603,8 @@ TEST_F(CertVerifyProcTest, DigiNotarCerts) {
|
| scoped_refptr<X509Certificate> diginotar_cert =
|
| ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
|
| std::string der_bytes;
|
| - ASSERT_TRUE(X509Certificate::GetDEREncoded(
|
| - diginotar_cert->os_cert_handle(), &der_bytes));
|
| + ASSERT_TRUE(X509Certificate::GetDEREncoded(diginotar_cert->os_cert_handle(),
|
| + &der_bytes));
|
|
|
| base::StringPiece spki;
|
| ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
|
| @@ -568,15 +617,14 @@ TEST_F(CertVerifyProcTest, DigiNotarCerts) {
|
| memcpy(hash.data(), spki_sha256.data(), spki_sha256.size());
|
| public_keys.push_back(hash);
|
|
|
| - EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
|
| - "Public key not blocked for " << kDigiNotarFilenames[i];
|
| + EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys))
|
| + << "Public key not blocked for " << kDigiNotarFilenames[i];
|
| }
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, NameConstraintsOk) {
|
| +TEST_P(CertVerifyProcInternalTest, NameConstraintsOk) {
|
| CertificateList ca_cert_list =
|
| - CreateCertificateListFromFile(GetTestCertsDirectory(),
|
| - "root_ca_cert.pem",
|
| + CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1U, ca_cert_list.size());
|
| ScopedTestRoot test_root(ca_cert_list[0].get());
|
| @@ -587,36 +635,30 @@ TEST_F(CertVerifyProcTest, NameConstraintsOk) {
|
| ASSERT_EQ(1U, cert_list.size());
|
|
|
| X509Certificate::OSCertHandles intermediates;
|
| - scoped_refptr<X509Certificate> leaf =
|
| - X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
|
| + cert_list[0]->os_cert_handle(), intermediates);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(leaf.get(),
|
| - "test.example.com",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(leaf.get(), "test.example.com", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_EQ(0U, verify_result.cert_status);
|
|
|
| error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
|
| - empty_cert_list_, &verify_result);
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_EQ(0U, verify_result.cert_status);
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
|
| +TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) {
|
| if (!SupportsReturningVerifiedChain()) {
|
| LOG(INFO) << "Skipping this test in this platform.";
|
| return;
|
| }
|
|
|
| CertificateList ca_cert_list =
|
| - CreateCertificateListFromFile(GetTestCertsDirectory(),
|
| - "root_ca_cert.pem",
|
| + CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1U, ca_cert_list.size());
|
| ScopedTestRoot test_root(ca_cert_list[0].get());
|
| @@ -627,24 +669,19 @@ TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
|
| ASSERT_EQ(1U, cert_list.size());
|
|
|
| X509Certificate::OSCertHandles intermediates;
|
| - scoped_refptr<X509Certificate> leaf =
|
| - X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
|
| + cert_list[0]->os_cert_handle(), intermediates);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(leaf.get(),
|
| - "test.example.com",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(leaf.get(), "test.example.com", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
|
| EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
|
| verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
|
| +TEST(CertVerifyProcTest, TestHasTooLongValidity) {
|
| struct {
|
| const char* const file;
|
| bool is_valid_too_long;
|
| @@ -675,7 +712,7 @@ TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
|
| }
|
|
|
| // TODO(crbug.com/610546): Fix and re-enable this test.
|
| -TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) {
|
| +TEST_P(CertVerifyProcInternalTest, DISABLED_TestKnownRoot) {
|
| if (!SupportsDetectingKnownRoots()) {
|
| LOG(INFO) << "Skipping this test on this platform.";
|
| return;
|
| @@ -689,22 +726,21 @@ TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) {
|
| X509Certificate::OSCertHandles intermediates;
|
| intermediates.push_back(certs[1]->os_cert_handle());
|
|
|
| - scoped_refptr<X509Certificate> cert_chain =
|
| - X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
|
| + certs[0]->os_cert_handle(), intermediates);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
|
| // against agl. See also PublicKeyHashes.
|
| int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
|
| - empty_cert_list_, &verify_result);
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.is_issued_by_known_root);
|
| }
|
|
|
| // TODO(crbug.com/610546): Fix and re-enable this test.
|
| -TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
|
| +TEST_P(CertVerifyProcInternalTest, DISABLED_PublicKeyHashes) {
|
| if (!SupportsReturningVerifiedChain()) {
|
| LOG(INFO) << "Skipping this test in this platform.";
|
| return;
|
| @@ -718,16 +754,15 @@ TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
|
| X509Certificate::OSCertHandles intermediates;
|
| intermediates.push_back(certs[1]->os_cert_handle());
|
|
|
| - scoped_refptr<X509Certificate> cert_chain =
|
| - X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
|
| + certs[0]->os_cert_handle(), intermediates);
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
|
|
| // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
|
| // against agl. See also TestKnownRoot.
|
| int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
|
| - empty_cert_list_, &verify_result);
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| ASSERT_LE(3U, verify_result.public_key_hashes.size());
|
|
|
| @@ -761,7 +796,7 @@ TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
|
| // A regression test for http://crbug.com/70293.
|
| // The Key Usage extension in this RSA SSL server certificate does not have
|
| // the keyEncipherment bit.
|
| -TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
|
| +TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) {
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
|
|
| scoped_refptr<X509Certificate> server_cert =
|
| @@ -770,27 +805,28 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(server_cert.get(),
|
| - "jira.aquameta.com",
|
| - flags,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| -#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
|
| - // This certificate has two errors: "invalid key usage" and "untrusted CA".
|
| - // However, OpenSSL returns only one (the latter), and we can't detect
|
| - // the other errors.
|
| - EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
|
| -#else
|
| - EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
|
| - EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
|
| -#endif
|
| + int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL,
|
| + CertificateList(), &verify_result);
|
| +
|
| + // TODO(eroman): Change the test data so results are consistent across
|
| + // verifiers.
|
| + if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
|
| + // This certificate has two errors: "invalid key usage" and "untrusted CA".
|
| + // However, OpenSSL returns only one (the latter), and we can't detect
|
| + // the other errors.
|
| + EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
|
| + } else {
|
| + EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
|
| + EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
|
| + }
|
| // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
|
| // from NSS.
|
| -#if !defined(USE_NSS_CERTS) && !defined(OS_IOS) && !defined(OS_ANDROID)
|
| - // The certificate is issued by an unknown CA.
|
| - EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
|
| -#endif
|
| + if (verify_proc_type() != CERT_VERIFY_PROC_NSS &&
|
| + verify_proc_type() != CERT_VERIFY_PROC_IOS &&
|
| + verify_proc_type() != CERT_VERIFY_PROC_ANDROID) {
|
| + // The certificate is issued by an unknown CA.
|
| + EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
|
| + }
|
| }
|
|
|
| // Basic test for returning the chain in CertVerifyResult. Note that the
|
| @@ -799,7 +835,7 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
|
| // of the certificate to be verified. The remaining VerifyReturn* tests are
|
| // used to ensure that the actual, verified chain is being returned by
|
| // Verify().
|
| -TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
|
| +TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) {
|
| if (!SupportsReturningVerifiedChain()) {
|
| LOG(INFO) << "Skipping this test in this platform.";
|
| return;
|
| @@ -807,8 +843,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
|
|
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
| CertificateList certs = CreateCertificateListFromFile(
|
| - certs_dir, "x509_verify_results.chain.pem",
|
| - X509Certificate::FORMAT_AUTO);
|
| + certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(3U, certs.size());
|
|
|
| X509Certificate::OSCertHandles intermediates;
|
| @@ -826,12 +861,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
|
| CertVerifyResult verify_result;
|
| EXPECT_EQ(static_cast<X509Certificate*>(NULL),
|
| verify_result.verified_cert.get());
|
| - int error = Verify(google_full_chain.get(),
|
| - "127.0.0.1",
|
| - 0,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| ASSERT_NE(static_cast<X509Certificate*>(NULL),
|
| verify_result.verified_cert.get());
|
| @@ -853,12 +884,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
|
| // known public registry controlled domain information) issued by well-known
|
| // CAs are flagged appropriately, while certificates that are issued by
|
| // internal CAs are not flagged.
|
| -TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
|
| - if (!SupportsDetectingKnownRoots()) {
|
| - LOG(INFO) << "Skipping this test in this platform.";
|
| - return;
|
| - }
|
| -
|
| +TEST(CertVerifyProcTest, IntranetHostsRejected) {
|
| CertificateList cert_list = CreateCertificateListFromFile(
|
| GetTestCertsDirectory(), "reject_intranet_hosts.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| @@ -871,18 +897,19 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
|
| // Intranet names for public CAs should be flagged:
|
| CertVerifyResult dummy_result;
|
| dummy_result.is_issued_by_known_root = true;
|
| - verify_proc_ = new MockCertVerifyProc(dummy_result);
|
| - error =
|
| - Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
|
| + scoped_refptr<CertVerifyProc> verify_proc =
|
| + new MockCertVerifyProc(dummy_result);
|
| + error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
|
|
|
| // However, if the CA is not well known, these should not be flagged:
|
| dummy_result.Reset();
|
| dummy_result.is_issued_by_known_root = false;
|
| - verify_proc_ = new MockCertVerifyProc(dummy_result);
|
| - error =
|
| - Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
|
| + verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
|
| + error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
|
| }
|
| @@ -893,7 +920,7 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
|
| // that were issued after 1 January 2016, while still allowing those from
|
| // before that date, with SHA-1 in the intermediate, or from an enterprise
|
| // CA.
|
| -TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
|
| +TEST(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
|
| base::test::ScopedFeatureList scoped_feature_list;
|
| scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode);
|
|
|
| @@ -909,13 +936,14 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
|
| dummy_result.is_issued_by_known_root = true;
|
| dummy_result.has_sha1 = true;
|
| dummy_result.has_sha1_leaf = true;
|
| - verify_proc_ = new MockCertVerifyProc(dummy_result);
|
| + scoped_refptr<CertVerifyProc> verify_proc =
|
| + new MockCertVerifyProc(dummy_result);
|
| cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
|
| "sha1_dec_2015.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_TRUE(cert);
|
| - error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
|
|
|
| @@ -926,13 +954,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
|
| dummy_result.is_issued_by_known_root = true;
|
| dummy_result.has_sha1 = true;
|
| dummy_result.has_sha1_leaf = true;
|
| - verify_proc_ = new MockCertVerifyProc(dummy_result);
|
| + verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
|
| cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
|
| "sha1_jan_2016.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_TRUE(cert);
|
| - error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
|
|
|
| @@ -943,13 +971,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
|
| dummy_result.is_issued_by_known_root = false;
|
| dummy_result.has_sha1 = true;
|
| dummy_result.has_sha1_leaf = true;
|
| - verify_proc_ = new MockCertVerifyProc(dummy_result);
|
| + verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
|
| cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
|
| "sha1_jan_2016.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_TRUE(cert);
|
| - error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
|
|
|
| @@ -960,13 +988,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
|
| dummy_result.is_issued_by_known_root = true;
|
| dummy_result.has_sha1 = true;
|
| dummy_result.has_sha1_leaf = false;
|
| - verify_proc_ = new MockCertVerifyProc(dummy_result);
|
| + verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
|
| cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
|
| "sha1_jan_2016.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_TRUE(cert);
|
| - error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
|
| }
|
| @@ -976,7 +1004,7 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
|
| // a protocol violation if sent during a TLS handshake, if multiple sources
|
| // of intermediate certificates are combined, it's possible that order may
|
| // not be maintained.
|
| -TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
|
| +TEST_P(CertVerifyProcInternalTest, VerifyReturnChainProperlyOrdered) {
|
| if (!SupportsReturningVerifiedChain()) {
|
| LOG(INFO) << "Skipping this test in this platform.";
|
| return;
|
| @@ -984,8 +1012,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
|
|
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
| CertificateList certs = CreateCertificateListFromFile(
|
| - certs_dir, "x509_verify_results.chain.pem",
|
| - X509Certificate::FORMAT_AUTO);
|
| + certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(3U, certs.size());
|
|
|
| // Construct the chain out of order.
|
| @@ -1004,12 +1031,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
|
| CertVerifyResult verify_result;
|
| EXPECT_EQ(static_cast<X509Certificate*>(NULL),
|
| verify_result.verified_cert.get());
|
| - int error = Verify(google_full_chain.get(),
|
| - "127.0.0.1",
|
| - 0,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| ASSERT_NE(static_cast<X509Certificate*>(NULL),
|
| verify_result.verified_cert.get());
|
| @@ -1029,7 +1052,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
|
|
|
| // Test that Verify() filters out certificates which are not related to
|
| // or part of the certificate chain being verified.
|
| -TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
|
| +TEST_P(CertVerifyProcInternalTest, VerifyReturnChainFiltersUnrelatedCerts) {
|
| if (!SupportsReturningVerifiedChain()) {
|
| LOG(INFO) << "Skipping this test in this platform.";
|
| return;
|
| @@ -1037,8 +1060,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
|
|
|
| base::FilePath certs_dir = GetTestCertsDirectory();
|
| CertificateList certs = CreateCertificateListFromFile(
|
| - certs_dir, "x509_verify_results.chain.pem",
|
| - X509Certificate::FORMAT_AUTO);
|
| + certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(3U, certs.size());
|
| ScopedTestRoot scoped_root(certs[2].get());
|
|
|
| @@ -1065,12 +1087,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
|
| CertVerifyResult verify_result;
|
| EXPECT_EQ(static_cast<X509Certificate*>(NULL),
|
| verify_result.verified_cert.get());
|
| - int error = Verify(google_full_chain.get(),
|
| - "127.0.0.1",
|
| - 0,
|
| - NULL,
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| ASSERT_NE(static_cast<X509Certificate*>(NULL),
|
| verify_result.verified_cert.get());
|
| @@ -1088,22 +1106,21 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
|
| certs[2]->os_cert_handle()));
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
|
| +TEST_P(CertVerifyProcInternalTest, AdditionalTrustAnchors) {
|
| if (!SupportsAdditionalTrustAnchors()) {
|
| LOG(INFO) << "Skipping this test in this platform.";
|
| return;
|
| }
|
|
|
| // |ca_cert| is the issuer of |cert|.
|
| - CertificateList ca_cert_list = CreateCertificateListFromFile(
|
| - GetTestCertsDirectory(), "root_ca_cert.pem",
|
| - X509Certificate::FORMAT_AUTO);
|
| + CertificateList ca_cert_list =
|
| + CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
|
| + X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1U, ca_cert_list.size());
|
| scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
|
|
|
| CertificateList cert_list = CreateCertificateListFromFile(
|
| - GetTestCertsDirectory(), "ok_cert.pem",
|
| - X509Certificate::FORMAT_AUTO);
|
| + GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1U, cert_list.size());
|
| scoped_refptr<X509Certificate> cert(cert_list[0]);
|
|
|
| @@ -1111,8 +1128,8 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
|
| // list.
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(
|
| - cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
|
| + int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
|
| EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
|
| EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
|
| @@ -1120,16 +1137,16 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
|
| // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
|
| CertificateList trust_anchors;
|
| trust_anchors.push_back(ca_cert);
|
| - error = Verify(
|
| - cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
|
| + error = Verify(cert.get(), "127.0.0.1", flags, NULL, trust_anchors,
|
| + &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_EQ(0U, verify_result.cert_status);
|
| EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
|
|
|
| // Clearing the |trust_anchors| makes verification fail again (the cache
|
| // should be skipped).
|
| - error = Verify(
|
| - cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
|
| + error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
|
| EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
|
| EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
|
| @@ -1138,7 +1155,7 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
|
| // Tests that certificates issued by user-supplied roots are not flagged as
|
| // issued by a known root. This should pass whether or not the platform supports
|
| // detecting known roots.
|
| -TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
|
| +TEST_P(CertVerifyProcInternalTest, IsIssuedByKnownRootIgnoresTestRoots) {
|
| // Load root_ca_cert.pem into the test root store.
|
| ScopedTestRoot test_root(
|
| ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
|
| @@ -1149,22 +1166,24 @@ TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
|
| // Verification should pass.
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(
|
| - cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
|
| + int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_EQ(0U, verify_result.cert_status);
|
| // But should not be marked as a known root.
|
| EXPECT_FALSE(verify_result.is_issued_by_known_root);
|
| }
|
|
|
| -#if defined(USE_NSS_CERTS) || defined(OS_WIN) || \
|
| - (defined(OS_MACOSX) && !defined(OS_IOS))
|
| // Test that CRLSets are effective in making a certificate appear to be
|
| // revoked.
|
| -TEST_F(CertVerifyProcTest, CRLSet) {
|
| +TEST_P(CertVerifyProcInternalTest, CRLSet) {
|
| + if (!SupportsCRLSet()) {
|
| + LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
|
| + return;
|
| + }
|
| +
|
| CertificateList ca_cert_list =
|
| - CreateCertificateListFromFile(GetTestCertsDirectory(),
|
| - "root_ca_cert.pem",
|
| + CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1U, ca_cert_list.size());
|
| ScopedTestRoot test_root(ca_cert_list[0].get());
|
| @@ -1176,8 +1195,8 @@ TEST_F(CertVerifyProcTest, CRLSet) {
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(
|
| - cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
|
| + int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_EQ(0U, verify_result.cert_status);
|
|
|
| @@ -1190,12 +1209,8 @@ TEST_F(CertVerifyProcTest, CRLSet) {
|
| &crl_set_bytes));
|
| ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
|
|
|
| - error = Verify(cert.get(),
|
| - "127.0.0.1",
|
| - flags,
|
| - crl_set.get(),
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
|
|
|
| // Second, test revocation by serial number of a cert directly under the
|
| @@ -1206,16 +1221,17 @@ TEST_F(CertVerifyProcTest, CRLSet) {
|
| &crl_set_bytes));
|
| ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
|
|
|
| - error = Verify(cert.get(),
|
| - "127.0.0.1",
|
| - flags,
|
| - crl_set.get(),
|
| - empty_cert_list_,
|
| - &verify_result);
|
| + error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
|
| +TEST_P(CertVerifyProcInternalTest, CRLSetLeafSerial) {
|
| + if (!SupportsCRLSet()) {
|
| + LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
|
| + return;
|
| + }
|
| +
|
| CertificateList ca_cert_list =
|
| CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| @@ -1240,7 +1256,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
|
| + int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, CertificateList(),
|
| &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
|
|
| @@ -1253,7 +1269,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
|
| ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
|
|
|
| error = Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(),
|
| - empty_cert_list_, &verify_result);
|
| + CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
|
| }
|
|
|
| @@ -1271,7 +1287,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
|
| // 1. Revoking E by SPKI, so that only Path 1 is valid (as E is in Paths 2 & 3)
|
| // 2. Revoking C(D) and F(E) by serial, so that only Path 2 is valid.
|
| // 3. Revoking C by SPKI, so that only Path 3 is valid (as C is in Paths 1 & 2)
|
| -TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
|
| +TEST_P(CertVerifyProcInternalTest, CRLSetDuringPathBuilding) {
|
| if (!SupportsCRLSetsInPathBuilding()) {
|
| LOG(INFO) << "Skipping this test on this platform.";
|
| return;
|
| @@ -1301,7 +1317,7 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
|
| ScopedTestRoot test_root_E(path_2_certs[3].get()); // E-by-E
|
|
|
| // Create a chain that contains all the certificate paths possible.
|
| - // CertVerifyProcTest.VerifyReturnChainFiltersUnrelatedCerts already
|
| + // CertVerifyProcInternalTest.VerifyReturnChainFiltersUnrelatedCerts already
|
| // ensures that it's safe to send additional certificates as inputs, and
|
| // that they're ignored if not necessary.
|
| // This is to avoid relying on AIA or internal object caches when
|
| @@ -1338,7 +1354,7 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
|
| - empty_cert_list_, &verify_result);
|
| + CertificateList(), &verify_result);
|
|
|
| if (!testcase.expect_valid) {
|
| EXPECT_NE(OK, error);
|
| @@ -1370,8 +1386,6 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
|
| }
|
| }
|
|
|
| -#endif
|
| -
|
| #if defined(OS_MACOSX) && !defined(OS_IOS)
|
| // Test that a CRLSet blocking one of the intermediates supplied by the server
|
| // can be worked around by the chopping workaround for path building. (Once the
|
| @@ -1389,7 +1403,7 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
|
| //
|
| // The verifier should rollback until it just tries A(B) alone, at which point
|
| // it will pull B(F) & F(E) from the keychain and succeed.
|
| -TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
|
| +TEST(CertVerifyProcMacTest, MacCRLIntermediate) {
|
| if (base::mac::IsAtLeastOS10_12()) {
|
| // TODO(crbug.com/671889): Investigate SecTrustSetKeychains issue on Sierra.
|
| LOG(INFO) << "Skipping test, SecTrustSetKeychains does not work on 10.12";
|
| @@ -1445,8 +1459,11 @@ TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
|
| - empty_cert_list_, &verify_result);
|
| +
|
| + scoped_refptr<CertVerifyProc> verify_proc = CertVerifyProc::CreateDefault();
|
| + int error =
|
| + verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + crl_set.get(), CertificateList(), &verify_result);
|
|
|
| ASSERT_EQ(OK, error);
|
| ASSERT_EQ(0U, verify_result.cert_status);
|
| @@ -1472,7 +1489,7 @@ TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
|
| // Test that if a keychain is present which trusts a less-desirable root (ex,
|
| // one using SHA1), that the keychain reordering hack will cause the better
|
| // root in the System Roots to be used instead.
|
| -TEST_F(CertVerifyProcTest, MacKeychainReordering) {
|
| +TEST(CertVerifyProcMacTest, MacKeychainReordering) {
|
| // Note: target cert expires Apr 2 23:59:59 2018 GMT
|
| scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
|
| GetTestCertsDirectory(), "tripadvisor-verisign-chain.pem",
|
| @@ -1500,8 +1517,10 @@ TEST_F(CertVerifyProcTest, MacKeychainReordering) {
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "www.tripadvisor.com", flags,
|
| - nullptr /* crl_set */, empty_cert_list_, &verify_result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = CertVerifyProc::CreateDefault();
|
| + int error = verify_proc->Verify(cert.get(), "www.tripadvisor.com",
|
| + std::string(), flags, nullptr /* crl_set */,
|
| + CertificateList(), &verify_result);
|
|
|
| ASSERT_EQ(OK, error);
|
| EXPECT_EQ(0U, verify_result.cert_status);
|
| @@ -1516,7 +1535,7 @@ TEST_F(CertVerifyProcTest, MacKeychainReordering) {
|
| // Test that the system root certificate keychain is in the expected location
|
| // and can be opened. Other tests would fail if this was not true, but this
|
| // test makes the reason for the failure obvious.
|
| -TEST_F(CertVerifyProcTest, MacSystemRootCertificateKeychainLocation) {
|
| +TEST(CertVerifyProcMacTest, MacSystemRootCertificateKeychainLocation) {
|
| const char* root_keychain_path =
|
| "/System/Library/Keychains/SystemRootCertificates.keychain";
|
| ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path)));
|
| @@ -1526,8 +1545,11 @@ TEST_F(CertVerifyProcTest, MacSystemRootCertificateKeychainLocation) {
|
| ASSERT_EQ(errSecSuccess, status);
|
| CFRelease(keychain);
|
| }
|
| -#endif
|
| +#endif // defined(OS_MACOSX) && !defined(OS_IOS)
|
|
|
| +// TODO(crbug.com/649017): This is not parameterized by the CertVerifyProc
|
| +// because the CertVerifyProc::Verify() does this unconditionally based on the
|
| +// platform.
|
| bool AreSHA1IntermediatesAllowed() {
|
| #if defined(OS_WIN)
|
| // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved
|
| @@ -1539,58 +1561,61 @@ bool AreSHA1IntermediatesAllowed() {
|
| #endif
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectsMD2) {
|
| +TEST(CertVerifyProcTest, RejectsMD2) {
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
|
| ASSERT_TRUE(cert);
|
|
|
| CertVerifyResult result;
|
| result.has_md2 = true;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
|
| - empty_cert_list_, &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + nullptr /* crl_set */, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectsMD4) {
|
| +TEST(CertVerifyProcTest, RejectsMD4) {
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
|
| ASSERT_TRUE(cert);
|
|
|
| CertVerifyResult result;
|
| result.has_md4 = true;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
|
| - empty_cert_list_, &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + nullptr /* crl_set */, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectsMD5) {
|
| +TEST(CertVerifyProcTest, RejectsMD5) {
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
|
| ASSERT_TRUE(cert);
|
|
|
| CertVerifyResult result;
|
| result.has_md5 = true;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
|
| - empty_cert_list_, &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + nullptr /* crl_set */, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
|
| +TEST(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
|
| ASSERT_TRUE(cert);
|
| @@ -1599,17 +1624,18 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
|
| result.has_sha1 = true;
|
| result.has_sha1_leaf = true;
|
| result.is_issued_by_known_root = true;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
|
| - empty_cert_list_, &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + nullptr /* crl_set */, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
|
| +TEST(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
|
| scoped_refptr<X509Certificate> cert(ImportCertFromFile(
|
| GetTestCertsDirectory(), "39_months_after_2015_04.pem"));
|
| ASSERT_TRUE(cert);
|
| @@ -1618,12 +1644,13 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
|
| result.has_sha1 = true;
|
| result.has_sha1_leaf = false;
|
| result.is_issued_by_known_root = true;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
|
| - empty_cert_list_, &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + nullptr /* crl_set */, CertificateList(),
|
| + &verify_result);
|
| if (AreSHA1IntermediatesAllowed()) {
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
|
| @@ -1634,7 +1661,7 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
|
| }
|
| }
|
|
|
| -TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
|
| +TEST(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
|
| ASSERT_TRUE(cert);
|
| @@ -1643,21 +1670,23 @@ TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
|
| result.has_sha1 = true;
|
| result.has_sha1_leaf = true;
|
| result.is_issued_by_known_root = false;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| // SHA-1 should be rejected by default for private roots...
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
|
| - empty_cert_list_, &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + nullptr /* crl_set */, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
|
|
|
| // ... unless VERIFY_ENABLE_SHA1_LOCAL_ANCHORS was supplied.
|
| flags = CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS;
|
| verify_result.Reset();
|
| - error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
|
| - empty_cert_list_, &verify_result);
|
| + error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + nullptr /* crl_set */, CertificateList(),
|
| + &verify_result);
|
| EXPECT_THAT(error, IsOk());
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
|
| }
|
| @@ -1695,14 +1724,13 @@ void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
|
| }
|
|
|
| class CertVerifyProcWeakDigestTest
|
| - : public CertVerifyProcTest,
|
| - public testing::WithParamInterface<WeakDigestTestData> {
|
| + : public testing::TestWithParam<WeakDigestTestData> {
|
| public:
|
| CertVerifyProcWeakDigestTest() {}
|
| virtual ~CertVerifyProcWeakDigestTest() {}
|
| };
|
|
|
| -// Test that the CertVerifyProc::Verify() properly surfaces the (weak) hashing
|
| +// Tests that the CertVerifyProc::Verify() properly surfaces the (weak) hash
|
| // algorithms used in the chain.
|
| TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
|
| WeakDigestTestData data = GetParam();
|
| @@ -1731,9 +1759,8 @@ TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
|
| ImportCertFromFile(certs_dir, data.ee_cert_filename);
|
| ASSERT_TRUE(ee_cert);
|
|
|
| - scoped_refptr<X509Certificate> ee_chain =
|
| - X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
|
| - intermediates);
|
| + scoped_refptr<X509Certificate> ee_chain = X509Certificate::CreateFromHandle(
|
| + ee_cert->os_cert_handle(), intermediates);
|
| ASSERT_TRUE(ee_chain);
|
|
|
| int flags = 0;
|
| @@ -1743,11 +1770,11 @@ TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
|
| // |ee_chain|.
|
| //
|
| // This is sufficient for the purposes of this test, as the checking for weak
|
| - // hashing algorithms is done by CertVerifyProc::Verify().
|
| + // hash algorithms is done by CertVerifyProc::Verify().
|
| scoped_refptr<CertVerifyProc> proc =
|
| new MockCertVerifyProc(CertVerifyResult());
|
| proc->Verify(ee_chain.get(), "127.0.0.1", std::string(), flags, nullptr,
|
| - empty_cert_list_, &verify_result);
|
| + CertificateList(), &verify_result);
|
| EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2);
|
| EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4);
|
| EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5);
|
| @@ -1785,12 +1812,12 @@ INSTANTIATE_TEST_CASE_P(VerifyIntermediate,
|
|
|
| // The signature algorithm of end-entity should be properly detected.
|
| const WeakDigestTestData kVerifyEndEntityTestData[] = {
|
| - { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
|
| - "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1 },
|
| - { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
|
| - "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1 },
|
| - { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
|
| - "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1 },
|
| + {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
|
| + "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1},
|
| + {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
|
| + "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1},
|
| + {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
|
| + "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1},
|
| };
|
|
|
| INSTANTIATE_TEST_CASE_P(VerifyEndEntity,
|
| @@ -1837,12 +1864,12 @@ INSTANTIATE_TEST_CASE_P(VerifyIncompleteEndEntity,
|
| // Differing algorithms between the intermediate and the EE should still be
|
| // reported.
|
| const WeakDigestTestData kVerifyMixedTestData[] = {
|
| - { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
|
| - "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
|
| - { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
|
| - "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
|
| - { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
|
| - "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4 },
|
| + {"weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
|
| + "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5},
|
| + {"weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
|
| + "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5},
|
| + {"weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
|
| + "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4},
|
| };
|
|
|
| INSTANTIATE_TEST_CASE_P(VerifyMixed,
|
| @@ -1864,67 +1891,110 @@ INSTANTIATE_TEST_CASE_P(VerifyTrustedEE,
|
|
|
| // For the list of valid hostnames, see
|
| // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
|
| -static const struct CertVerifyProcNameData {
|
| +struct CertVerifyProcNameData {
|
| const char* hostname;
|
| bool valid; // Whether or not |hostname| matches a subjectAltName.
|
| -} kVerifyNameData[] = {
|
| - { "127.0.0.1", false }, // Don't match the common name
|
| - { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)
|
| - { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)
|
| - { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN
|
| - { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)
|
| - { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN
|
| - { "test.example", true }, // Matches the dNSName SAN
|
| - { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)
|
| - { "www.test.example", false }, // Should not match the dNSName SAN
|
| - { "test..example", false }, // Should not match the dNSName SAN
|
| - { "test.example..", false }, // Should not match the dNSName SAN
|
| - { ".test.example.", false }, // Should not match the dNSName SAN
|
| - { ".test.example", false }, // Should not match the dNSName SAN
|
| };
|
|
|
| -// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
|
| -// to output the parameter that was passed. Without this, it will simply
|
| -// attempt to print out the first twenty bytes of the object, which depending
|
| -// on platform and alignment, may result in an invalid read.
|
| -void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
|
| - *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
|
| -}
|
| -
|
| -class CertVerifyProcNameTest
|
| - : public CertVerifyProcTest,
|
| - public testing::WithParamInterface<CertVerifyProcNameData> {
|
| +// Test fixture for verifying certificate names. These tests are run for each
|
| +// of the CertVerify implementations.
|
| +class CertVerifyProcNameTest : public CertVerifyProcInternalTest {
|
| public:
|
| CertVerifyProcNameTest() {}
|
| virtual ~CertVerifyProcNameTest() {}
|
| +
|
| + protected:
|
| + void VerifyCertName(const char* hostname, bool valid) {
|
| + CertificateList cert_list = CreateCertificateListFromFile(
|
| + GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
|
| + X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(1U, cert_list.size());
|
| + scoped_refptr<X509Certificate> cert(cert_list[0]);
|
| +
|
| + ScopedTestRoot scoped_root(cert.get());
|
| +
|
| + CertVerifyResult verify_result;
|
| + int error = Verify(cert.get(), hostname, 0, NULL, CertificateList(),
|
| + &verify_result);
|
| + if (valid) {
|
| + EXPECT_THAT(error, IsOk());
|
| + EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
|
| + } else {
|
| + EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
|
| + EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
|
| + }
|
| + }
|
| };
|
|
|
| -TEST_P(CertVerifyProcNameTest, VerifyCertName) {
|
| - CertVerifyProcNameData data = GetParam();
|
| +// Don't match the common name
|
| +TEST_P(CertVerifyProcNameTest, DontMatchCommonName) {
|
| + VerifyCertName("127.0.0.1", false);
|
| +}
|
|
|
| - CertificateList cert_list = CreateCertificateListFromFile(
|
| - GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
|
| - X509Certificate::FORMAT_AUTO);
|
| - ASSERT_EQ(1U, cert_list.size());
|
| - scoped_refptr<X509Certificate> cert(cert_list[0]);
|
| +// Matches the iPAddress SAN (IPv4)
|
| +TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv4) {
|
| + VerifyCertName("127.0.0.2", true);
|
| +}
|
|
|
| - ScopedTestRoot scoped_root(cert.get());
|
| +// Matches the iPAddress SAN (IPv6)
|
| +TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv6) {
|
| + VerifyCertName("FE80:0:0:0:0:0:0:1", true);
|
| +}
|
|
|
| - CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
|
| - &verify_result);
|
| - if (data.valid) {
|
| - EXPECT_THAT(error, IsOk());
|
| - EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
|
| - } else {
|
| - EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
|
| - EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
|
| - }
|
| +// Should not match the iPAddress SAN
|
| +TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) {
|
| + VerifyCertName("[FE80:0:0:0:0:0:0:1]", false);
|
| +}
|
| +
|
| +// Compressed form matches the iPAddress SAN (IPv6)
|
| +TEST_P(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) {
|
| + VerifyCertName("FE80::1", true);
|
| +}
|
| +
|
| +// IPv6 mapped form should NOT match iPAddress SAN
|
| +TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) {
|
| + VerifyCertName("::127.0.0.2", false);
|
| +}
|
| +
|
| +// Matches the dNSName SAN
|
| +TEST_P(CertVerifyProcNameTest, MatchesDnsSan) {
|
| + VerifyCertName("test.example", true);
|
| +}
|
| +
|
| +// Matches the dNSName SAN (trailing . ignored)
|
| +TEST_P(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) {
|
| + VerifyCertName("test.example.", true);
|
| +}
|
| +
|
| +// Should not match the dNSName SAN
|
| +TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSan) {
|
| + VerifyCertName("www.test.example", false);
|
| +}
|
| +
|
| +// Should not match the dNSName SAN
|
| +TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) {
|
| + VerifyCertName("test..example", false);
|
| +}
|
| +
|
| +// Should not match the dNSName SAN
|
| +TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) {
|
| + VerifyCertName("test.example..", false);
|
| +}
|
| +
|
| +// Should not match the dNSName SAN
|
| +TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) {
|
| + VerifyCertName(".test.example.", false);
|
| +}
|
| +
|
| +// Should not match the dNSName SAN
|
| +TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
|
| + VerifyCertName(".test.example", false);
|
| }
|
|
|
| INSTANTIATE_TEST_CASE_P(VerifyName,
|
| CertVerifyProcNameTest,
|
| - testing::ValuesIn(kVerifyNameData));
|
| + testing::ValuesIn(kAllCertVerifiers),
|
| + VerifyProcTypeToName);
|
|
|
| #if defined(OS_MACOSX) && !defined(OS_IOS)
|
| // Test that CertVerifyProcMac reacts appropriately when Apple's certificate
|
| @@ -1933,7 +2003,7 @@ INSTANTIATE_TEST_CASE_P(VerifyName,
|
| // (Since 10.12, this causes a recoverable error instead of a fatal one.)
|
| // TODO(mattm): Try to find a different way to cause a fatal error that works
|
| // on 10.12.
|
| -TEST_F(CertVerifyProcTest, LargeKey) {
|
| +TEST(CertVerifyProcMacTest, LargeKey) {
|
| // Load root_ca_cert.pem into the test root store.
|
| ScopedTestRoot test_root(
|
| ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
|
| @@ -1946,8 +2016,9 @@ TEST_F(CertVerifyProcTest, LargeKey) {
|
| // large_key.pem may need to be regenerated with a larger key.
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = CertVerifyProc::CreateDefault();
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + NULL, CertificateList(), &verify_result);
|
| EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
|
| EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
|
| }
|
| @@ -1956,22 +2027,22 @@ TEST_F(CertVerifyProcTest, LargeKey) {
|
| // Tests that CertVerifyProc records a histogram correctly when a
|
| // certificate chaining to a private root contains the TLS feature
|
| // extension and does not have a stapled OCSP response.
|
| -TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
|
| +TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
|
| base::HistogramTester histograms;
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
|
| ASSERT_TRUE(cert);
|
| CertVerifyResult result;
|
| result.is_issued_by_known_root = false;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + NULL, CertificateList(), &verify_result);
|
| EXPECT_EQ(OK, error);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
|
| histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
|
| @@ -1982,14 +2053,14 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
|
| // Tests that CertVerifyProc records a histogram correctly when a
|
| // certificate chaining to a private root contains the TLS feature
|
| // extension and does have a stapled OCSP response.
|
| -TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
|
| +TEST(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
|
| base::HistogramTester histograms;
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
|
| ASSERT_TRUE(cert);
|
| CertVerifyResult result;
|
| result.is_issued_by_known_root = false;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
|
| @@ -1997,8 +2068,8 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| int error =
|
| - VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags,
|
| - NULL, empty_cert_list_, &verify_result);
|
| + verify_proc->Verify(cert.get(), "127.0.0.1", "dummy response", flags,
|
| + nullptr, CertificateList(), &verify_result);
|
| EXPECT_EQ(OK, error);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
|
| histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
|
| @@ -2009,22 +2080,22 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
|
| // Tests that CertVerifyProc records a histogram correctly when a
|
| // certificate chaining to a private root does not contain the TLS feature
|
| // extension.
|
| -TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
|
| +TEST(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
|
| base::HistogramTester histograms;
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
|
| ASSERT_TRUE(cert);
|
| CertVerifyResult result;
|
| result.is_issued_by_known_root = false;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + NULL, CertificateList(), &verify_result);
|
| EXPECT_EQ(OK, error);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
|
| histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1);
|
| @@ -2034,21 +2105,21 @@ TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
|
| // Tests that CertVerifyProc does not record a histogram when a
|
| // certificate contains the TLS feature extension but chains to a public
|
| // root.
|
| -TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
|
| +TEST(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
|
| base::HistogramTester histograms;
|
| scoped_refptr<X509Certificate> cert(
|
| ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
|
| ASSERT_TRUE(cert);
|
| CertVerifyResult result;
|
| result.is_issued_by_known_root = true;
|
| - verify_proc_ = new MockCertVerifyProc(result);
|
| + scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
|
|
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
|
|
|
| int flags = 0;
|
| CertVerifyResult verify_result;
|
| - int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
|
| - &verify_result);
|
| + int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
|
| + NULL, CertificateList(), &verify_result);
|
| EXPECT_EQ(OK, error);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
|
| histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
|
|
|
Chromium Code Reviews
Issue 2629093002:
Parameterize the CertVerifyProc tests so they can be run with (Closed)
