Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(376)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 2629093002: Parameterize the CertVerifyProc tests so they can be run with (Closed)
Patch Set: Fix headers Created 3 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/cert_verify_proc_openssl.h ('k') | net/cert/cert_verify_proc_win.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 2e3a0f5d458f3e649789168ea481adc01e33a9e1..d8b9d83956f13a80c31bb94d16dff536a2303cdc 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -33,17 +33,24 @@
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
-#if defined(OS_ANDROID)
+#if defined(USE_NSS_CERTS)
+#include "net/cert/cert_verify_proc_nss.h"
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
+#include "net/cert/cert_verify_proc_openssl.h"
+#elif defined(OS_ANDROID)
#include "base/android/build_info.h"
-#endif
-
-#if defined(OS_MACOSX) && !defined(OS_IOS)
+#include "net/cert/cert_verify_proc_android.h"
+#elif defined(OS_IOS)
+#include "net/cert/cert_verify_proc_ios.h"
+#elif defined(OS_MACOSX)
#include "base/mac/mac_util.h"
+#include "net/cert/cert_verify_proc_mac.h"
#include "net/cert/test_keychain_search_list_mac.h"
-#endif
-
-#if defined(OS_WIN)
+#elif defined(OS_WIN)
#include "base/win/windows_version.h"
+#include "net/cert/cert_verify_proc_win.h"
+#else
+#error Implement certificate verification.
#endif
using net::test::IsError;
@@ -100,38 +107,135 @@ int MockCertVerifyProc::VerifyInternal(
return OK;
}
-bool SupportsReturningVerifiedChain() {
+template <typename T>
+bool IsCertVerifyProcNSS(T* verify_proc) {
+ return false;
+}
Ryan Sleevi 2017/01/14 01:50:28 As mentioned in the other review, the naming here
+
+#if defined(USE_NSS_CERTS)
+template <>
+bool IsCertVerifyProcNSS(CertVerifyProcNSS* verify_proc) {
+ return true;
+}
+#endif
+
+template <typename T>
+bool IsCertVerifyProcOpenSSL(T* verify_proc) {
+ return false;
+}
+
+#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
+template <>
+bool IsCertVerifyProcOpenSSL(CertVerifyProcOpenSSL* verify_proc) {
+ return true;
+}
+#endif
+
+template <typename T>
+bool IsCertVerifyProcAndroid(T* verify_proc) {
+ return false;
+}
+
+#if defined(OS_ANDROID)
+template <>
+bool IsCertVerifyProcAndroid(CertVerifyProcAndroid* verify_proc) {
+ return true;
+}
+#endif
+
+template <typename T>
+bool IsCertVerifyProcMac(T* verify_proc) {
+ return false;
+}
+
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+template <>
+bool IsCertVerifyProcMac(CertVerifyProcMac* verify_proc) {
+ return true;
+}
+#endif
+
+template <typename T>
+bool IsCertVerifyProcIOS(T* verify_proc) {
+ return false;
+}
+
+#if defined(OS_IOS)
+template <>
+bool IsCertVerifyProcIOS(CertVerifyProcIOS* verify_proc) {
+ return true;
+}
+#endif
+
+template <typename T>
+bool IsCertVerifyProcWin(T* verify_proc) {
+ return false;
+}
+
+#if defined(OS_WIN)
+template <>
+bool IsCertVerifyProcWin(CertVerifyProcWin* verify_proc) {
+ return true;
+}
+#endif
+
+bool TargetIsIphoneSimulator() {
+#if TARGET_IPHONE_SIMULATOR
+ return true;
+#else
+ return false;
+#endif
+}
+
+template <typename T>
+bool SupportsReturningVerifiedChain(T* verify_proc) {
+ return true;
+}
+
#if defined(OS_ANDROID)
+template <>
+bool SupportsReturningVerifiedChain(CertVerifyProcAndroid* verify_proc) {
// Before API level 17, Android does not expose the APIs necessary to get at
// the verified certificate chain.
- if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
- return false;
+ return base::android::BuildInfo::GetInstance()->sdk_int() >= 17;
+}
#endif
+
+template <typename T>
+bool SupportsDetectingKnownRoots(T* verify_proc) {
return true;
}
-bool SupportsDetectingKnownRoots() {
#if defined(OS_ANDROID)
+template <>
+bool SupportsDetectingKnownRoots(CertVerifyProcAndroid* verify_proc) {
// Before API level 17, Android does not expose the APIs necessary to get at
// the verified certificate chain and detect known roots.
- if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
- return false;
-#elif defined(OS_IOS)
- // iOS does not expose the APIs necessary to get the known system roots.
+ return base::android::BuildInfo::GetInstance()->sdk_int() >= 17;
+}
+#endif
+
+#if defined(OS_IOS)
+// iOS does not expose the APIs necessary to get the known system roots.
+template <>
+bool SupportsDetectingKnownRoots(CertVerifyProcIOS* verify_proc) {
return false;
+}
#endif
- return true;
+
+template <typename T>
+bool WeakKeysAreInvalid(T* verify_proc) {
+ return false;
}
-bool WeakKeysAreInvalid() {
#if defined(OS_MACOSX) && !defined(OS_IOS)
+template <>
+bool WeakKeysAreInvalid(CertVerifyProcMac* verify_proc) {
// Starting with Mac OS 10.12, certs with weak keys are treated as
// (recoverable) invalid certificate errors.
return base::mac::IsAtLeastOS10_12();
-#else
- return false;
-#endif
}
+#endif
// Template helper to load a series of certificate files into a CertificateList.
// Like CertTestUtil's CreateCertificateListFromFile, except it can load a
@@ -149,31 +253,49 @@ void LoadCertificateFiles(const char* const (&cert_files)[N],
}
}
+template <typename T>
+bool SupportsCRLSetsInPathBuilding(T* verify_proc) {
+ return false;
+}
+
+#if defined(OS_WIN)
+template <>
+bool SupportsCRLSetsInPathBuilding(CertVerifyProcWin* verify_proc) {
+ return true;
+}
+#endif
+
+#if defined(USE_NSS_CERTS)
+template <>
+bool SupportsCRLSetsInPathBuilding(CertVerifyProcNSS* verify_proc) {
+ return true;
+}
+#endif
+
+const CertificateList& EmptyCertList() {
+ static CertificateList empty;
+ return empty;
+}
+
} // namespace
-class CertVerifyProcTest : public testing::Test {
- public:
- CertVerifyProcTest()
- : verify_proc_(CertVerifyProc::CreateDefault()) {
- }
- ~CertVerifyProcTest() override {}
+// Fixture for tests that don't test a concrete CertVerifyProc implementation,
+// but rather test methods of the base class CertVerifyProc.
+//
+// Mainly its own fixture to have a central place to describe it.
+class CertVerifyProcBaseClassTest : public testing::Test {};
+// Fixture for tests that are to be run for each of the concrete CertVerifyProc
+// subclasses.
+template <typename VerifyProcType>
+class CertVerifyProcTypedTest : public testing::Test {
protected:
- bool SupportsAdditionalTrustAnchors() {
- return verify_proc_->SupportsAdditionalTrustAnchors();
+ void SetUp() override {
+ verify_proc_ = make_scoped_refptr(new VerifyProcType());
}
- // Returns true if the underlying CertVerifyProc supports integrating CRLSets
- // into path building logic, such as allowing the selection of alternatively
- // valid paths when one or more are revoked. As the goal is to integrate this
- // into all platforms, this is a temporary, test-only flag to centralize the
- // conditionals in tests.
- bool SupportsCRLSetsInPathBuilding() {
-#if defined(OS_WIN) || defined(USE_NSS_CERTS)
- return true;
-#else
- return false;
-#endif
+ bool SupportsAdditionalTrustAnchors() {
+ return verify_proc_->SupportsAdditionalTrustAnchors();
}
int Verify(X509Certificate* cert,
@@ -186,34 +308,87 @@ class CertVerifyProcTest : public testing::Test {
additional_trust_anchors, verify_result);
}
- int VerifyWithOCSPResponse(X509Certificate* cert,
- const std::string& hostname,
- const std::string& ocsp_response,
- int flags,
- CRLSet* crl_set,
- const CertificateList& additional_trust_anchors,
- CertVerifyResult* verify_result) {
- return verify_proc_->Verify(cert, hostname, ocsp_response, flags, crl_set,
- additional_trust_anchors, verify_result);
+ bool UsingCertVerifyProcAndroid() const {
+ return IsCertVerifyProcAndroid(verify_proc_.get());
+ }
+
+ bool UsingCertVerifyProcNSS() const {
+ return IsCertVerifyProcNSS(verify_proc_.get());
}
- const CertificateList empty_cert_list_;
- scoped_refptr<CertVerifyProc> verify_proc_;
+ bool UsingCertVerifyProcOpenSSL() const {
+ return IsCertVerifyProcOpenSSL(verify_proc_.get());
+ }
+
+ bool UsingCertVerifyProcIOS() const {
+ return IsCertVerifyProcIOS(verify_proc_.get());
+ }
+
+ bool UsingCertVerifyProcWin() const {
+ return IsCertVerifyProcWin(verify_proc_.get());
+ }
+
+ bool UsingCertVerifyProcMac() const {
+ return IsCertVerifyProcMac(verify_proc_.get());
+ }
+
+ void VerifyCertName(const char* hostname, bool valid) {
+ CertificateList cert_list = CreateCertificateListFromFile(
+ GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
+ X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(1U, cert_list.size());
+ scoped_refptr<X509Certificate> cert(cert_list[0]);
+
+ ScopedTestRoot scoped_root(cert.get());
+
+ CertVerifyResult verify_result;
+ int error =
+ Verify(cert.get(), hostname, 0, NULL, EmptyCertList(), &verify_result);
+ if (valid) {
+ EXPECT_THAT(error, IsOk());
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+ } else {
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+ }
+ }
+
+ scoped_refptr<VerifyProcType> verify_proc_;
};
-#if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
-// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
-#define MAYBE_EVVerification DISABLED_EVVerification
+// InstantiateCertVerifyProcTypedTest with the supported concrete type(s)
+// for the current platform.
+#if defined(USE_NSS_CERTS)
+typedef ::testing::Types<CertVerifyProcNSS> CertVerifyProcTypes;
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
+typedef ::testing::Types<CertVerifyProcOpenSSL> CertVerifyProcTypes;
+#elif defined(OS_ANDROID)
+typedef ::testing::Types<CertVerifyProcAndroid> CertVerifyProcTypes;
+#elif defined(OS_IOS)
+typedef ::testing::Types<CertVerifyProcIOS> CertVerifyProcTypes;
+#elif defined(OS_MACOSX)
+typedef ::testing::Types<CertVerifyProcMac> CertVerifyProcTypes;
+#elif defined(OS_WIN)
+typedef ::testing::Types<CertVerifyProcWin> CertVerifyProcTypes;
#else
+#error Implement certificate verification.
+#endif
+TYPED_TEST_CASE(CertVerifyProcTypedTest, CertVerifyProcTypes);
+
// TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
// expired, http://crbug.com/502818
-#define MAYBE_EVVerification DISABLED_EVVerification
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
- CertificateList certs = CreateCertificateListFromFile(
- GetTestCertsDirectory(),
- "comodo.chain.pem",
- X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
+TYPED_TEST(CertVerifyProcTypedTest, DISABLED_EVVerification) {
+ if (this->UsingCertVerifyProcAndroid() ||
+ this->UsingCertVerifyProcOpenSSL()) {
+ // TODO(jnd): http://crbug.com/117478 - EV verification is not yet
+ // supported.
+ LOG(INFO) << "Skipping test as EV verification is not yet supported";
+ return;
+ }
+
+ CertificateList certs =
+ CreateCertificateListFromFile(GetTestCertsDirectory(), "comodo.chain.pem",
+ X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
@@ -227,12 +402,8 @@ TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
CertVerifyResult verify_result;
int flags = CertVerifier::VERIFY_EV_CERT;
- int error = Verify(comodo_chain.get(),
- "comodo.com",
- flags,
- crl_set.get(),
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(comodo_chain.get(), "comodo.com", flags,
+ crl_set.get(), EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
}
@@ -241,7 +412,7 @@ TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
// configurations, so disable the test until it is fixed (better to have
// a bug to track a failing test than a false sense of security due to
// false positive).
-TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
+TYPED_TEST(CertVerifyProcTypedTest, DISABLED_PaypalNullCertParsing) {
// A certificate for www.paypal.com with a NULL byte in the common name.
// From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
SHA256HashValue paypal_null_fingerprint = {{0x00}};
@@ -258,73 +429,65 @@ TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(paypal_null_cert.get(),
- "www.paypal.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
-#if defined(USE_NSS_CERTS) || defined(OS_ANDROID)
- EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
-#elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR
- // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
- // ERR_CERT_AUTHORITY_INVALID on the real device.
- EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-#else
- // TOOD(bulach): investigate why macosx and win aren't returning
- // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
- EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-#endif
+ int error = this->Verify(paypal_null_cert.get(), "www.paypal.com", flags,
+ NULL, EmptyCertList(), &verify_result);
+
+ if (this->UsingCertVerifyProcNSS() || this->UsingCertVerifyProcAndroid()) {
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+ } else if (this->UsingCertVerifyProcIOS() && TargetIsIphoneSimulator()) {
+ // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
+ // ERR_CERT_AUTHORITY_INVALID on the real device.
+ EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+ } else {
+ // TOOD(bulach): investigate why macosx and win aren't returning
+ // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
+ EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+ }
+
// Either the system crypto library should correctly report a certificate
// name mismatch, or our certificate blacklist should cause us to report an
// invalid certificate.
-#if defined(USE_NSS_CERTS) || defined(OS_WIN)
- EXPECT_TRUE(verify_result.cert_status &
- (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
-#endif
+ if (this->UsingCertVerifyProcNSS() || this->UsingCertVerifyProcWin()) {
+ EXPECT_TRUE(verify_result.cert_status &
+ (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
+ }
+
+ // TODO(crbug.com/649017): What expectations to use for the other verifiers?
}
// A regression test for http://crbug.com/31497.
-#if defined(OS_ANDROID)
-// Disabled on Android, as the Android verification libraries require an
-// explicit policy to be specified, even when anyPolicy is permitted.
-#define MAYBE_IntermediateCARequireExplicitPolicy \
- DISABLED_IntermediateCARequireExplicitPolicy
-#else
-#define MAYBE_IntermediateCARequireExplicitPolicy \
- IntermediateCARequireExplicitPolicy
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
+TYPED_TEST(CertVerifyProcTypedTest, IntermediateCARequireExplicitPolicy) {
+ if (this->UsingCertVerifyProcAndroid()) {
+ // Disabled on Android, as the Android verification libraries require an
+ // explicit policy to be specified, even when anyPolicy is permitted.
+ LOG(INFO) << "Skipping test on Android";
+ return;
+ }
+
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "explicit-policy-chain.pem",
- X509Certificate::FORMAT_AUTO);
+ certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
- scoped_refptr<X509Certificate> cert =
- X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
+ certs[0]->os_cert_handle(), intermediates);
ASSERT_TRUE(cert.get());
ScopedTestRoot scoped_root(certs[2].get());
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(),
- "policy_test.example",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(cert.get(), "policy_test.example", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_EQ(0u, verify_result.cert_status);
}
-TEST_F(CertVerifyProcTest, RejectExpiredCert) {
+TYPED_TEST(CertVerifyProcTypedTest, RejectExpiredCert) {
base::FilePath certs_dir = GetTestCertsDirectory();
// Load root_ca_cert.pem into the test root store.
@@ -341,8 +504,8 @@ TEST_F(CertVerifyProcTest, RejectExpiredCert) {
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
- &verify_result);
+ int error = this->Verify(cert.get(), "127.0.0.1", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_DATE_INVALID));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
}
@@ -363,7 +526,7 @@ static bool IsWeakKeyType(const std::string& key_type) {
return false;
}
-TEST_F(CertVerifyProcTest, RejectWeakKeys) {
+TYPED_TEST(CertVerifyProcTypedTest, RejectWeakKeys) {
base::FilePath certs_dir = GetTestCertsDirectory();
typedef std::vector<std::string> Strings;
Strings key_types;
@@ -388,8 +551,8 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
ee_type != key_types.end(); ++ee_type) {
for (Strings::const_iterator signer_type = key_types.begin();
signer_type != key_types.end(); ++signer_type) {
- std::string basename = *ee_type + "-ee-by-" + *signer_type +
- "-intermediate.pem";
+ std::string basename =
+ *ee_type + "-ee-by-" + *signer_type + "-intermediate.pem";
SCOPED_TRACE(basename);
scoped_refptr<X509Certificate> ee_cert =
ImportCertFromFile(certs_dir, basename);
@@ -407,18 +570,16 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
intermediates);
CertVerifyResult verify_result;
- int error = Verify(cert_chain.get(),
- "127.0.0.1",
- 0,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(cert_chain.get(), "127.0.0.1", 0, NULL,
+ EmptyCertList(), &verify_result);
if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
EXPECT_NE(OK, error);
EXPECT_EQ(CERT_STATUS_WEAK_KEY,
verify_result.cert_status & CERT_STATUS_WEAK_KEY);
- EXPECT_EQ(WeakKeysAreInvalid() ? CERT_STATUS_INVALID : 0,
+ EXPECT_EQ(WeakKeysAreInvalid(this->verify_proc_.get())
+ ? CERT_STATUS_INVALID
+ : 0,
verify_result.cert_status & CERT_STATUS_INVALID);
} else {
EXPECT_THAT(error, IsOk());
@@ -429,20 +590,20 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
}
// Regression test for http://crbug.com/108514.
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-// Disabled on OS X - Security.framework doesn't ignore superflous certificates
-// provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
-// details.
-#define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
-#else
-#define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
- if (!SupportsReturningVerifiedChain()) {
+TYPED_TEST(CertVerifyProcTypedTest, ExtraneousMD5RootCert) {
+ if (!SupportsReturningVerifiedChain(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
+ if (this->UsingCertVerifyProcMac()) {
+ // Disabled on OS X - Security.framework doesn't ignore superflous
+ // certificates provided by servers.
+ LOG(INFO) << "Skipping this test as Security.framework doesn't ignore "
+ "superflous certificates provided by servers.";
+ return;
+ }
+
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> server_cert =
@@ -461,18 +622,13 @@ TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(extra_cert->os_cert_handle());
- scoped_refptr<X509Certificate> cert_chain =
- X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+ server_cert->os_cert_handle(), intermediates);
CertVerifyResult verify_result;
int flags = 0;
- int error = Verify(cert_chain.get(),
- "127.0.0.1",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(cert_chain.get(), "127.0.0.1", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
// The extra MD5 root should be discarded
@@ -480,14 +636,14 @@ TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
ASSERT_EQ(1u,
verify_result.verified_cert->GetIntermediateCertificates().size());
EXPECT_TRUE(X509Certificate::IsSameOSCert(
- verify_result.verified_cert->GetIntermediateCertificates().front(),
- root_cert->os_cert_handle()));
+ verify_result.verified_cert->GetIntermediateCertificates().front(),
+ root_cert->os_cert_handle()));
EXPECT_FALSE(verify_result.has_md5);
}
// Test for bug 94673.
-TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
+TYPED_TEST(CertVerifyProcTypedTest, GoogleDigiNotarTest) {
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> server_cert =
@@ -500,35 +656,26 @@ TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(intermediate_cert->os_cert_handle());
- scoped_refptr<X509Certificate> cert_chain =
- X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+ server_cert->os_cert_handle(), intermediates);
CertVerifyResult verify_result;
int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
- int error = Verify(cert_chain.get(),
- "mail.google.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(cert_chain.get(), "mail.google.com", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_NE(OK, error);
// Now turn off revocation checking. Certificate verification should still
// fail.
flags = 0;
- error = Verify(cert_chain.get(),
- "mail.google.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ error = this->Verify(cert_chain.get(), "mail.google.com", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_NE(OK, error);
}
// Ensures the CertVerifyProc blacklist remains in sorted order, so that it
// can be binary-searched.
-TEST_F(CertVerifyProcTest, BlacklistIsSorted) {
+TEST_F(CertVerifyProcBaseClassTest, BlacklistIsSorted) {
// Defines kBlacklistedSPKIs.
#include "net/cert/cert_verify_proc_blacklist.inc"
for (size_t i = 0; i < arraysize(kBlacklistedSPKIs) - 1; ++i) {
@@ -538,14 +685,11 @@ TEST_F(CertVerifyProcTest, BlacklistIsSorted) {
}
}
-TEST_F(CertVerifyProcTest, DigiNotarCerts) {
+TEST_F(CertVerifyProcBaseClassTest, DigiNotarCerts) {
static const char* const kDigiNotarFilenames[] = {
- "diginotar_root_ca.pem",
- "diginotar_cyber_ca.pem",
- "diginotar_services_1024_ca.pem",
- "diginotar_pkioverheid.pem",
- "diginotar_pkioverheid_g2.pem",
- NULL,
+ "diginotar_root_ca.pem", "diginotar_cyber_ca.pem",
+ "diginotar_services_1024_ca.pem", "diginotar_pkioverheid.pem",
+ "diginotar_pkioverheid_g2.pem", NULL,
};
base::FilePath certs_dir = GetTestCertsDirectory();
@@ -554,8 +698,8 @@ TEST_F(CertVerifyProcTest, DigiNotarCerts) {
scoped_refptr<X509Certificate> diginotar_cert =
ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
std::string der_bytes;
- ASSERT_TRUE(X509Certificate::GetDEREncoded(
- diginotar_cert->os_cert_handle(), &der_bytes));
+ ASSERT_TRUE(X509Certificate::GetDEREncoded(diginotar_cert->os_cert_handle(),
+ &der_bytes));
base::StringPiece spki;
ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
@@ -568,15 +712,14 @@ TEST_F(CertVerifyProcTest, DigiNotarCerts) {
memcpy(hash.data(), spki_sha256.data(), spki_sha256.size());
public_keys.push_back(hash);
- EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
- "Public key not blocked for " << kDigiNotarFilenames[i];
+ EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys))
+ << "Public key not blocked for " << kDigiNotarFilenames[i];
}
}
-TEST_F(CertVerifyProcTest, NameConstraintsOk) {
+TYPED_TEST(CertVerifyProcTypedTest, NameConstraintsOk) {
CertificateList ca_cert_list =
- CreateCertificateListFromFile(GetTestCertsDirectory(),
- "root_ca_cert.pem",
+ CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
ScopedTestRoot test_root(ca_cert_list[0].get());
@@ -587,36 +730,30 @@ TEST_F(CertVerifyProcTest, NameConstraintsOk) {
ASSERT_EQ(1U, cert_list.size());
X509Certificate::OSCertHandles intermediates;
- scoped_refptr<X509Certificate> leaf =
- X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
+ cert_list[0]->os_cert_handle(), intermediates);
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(leaf.get(),
- "test.example.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(leaf.get(), "test.example.com", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_EQ(0U, verify_result.cert_status);
- error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
- empty_cert_list_, &verify_result);
+ error = this->Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_EQ(0U, verify_result.cert_status);
}
-TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
- if (!SupportsReturningVerifiedChain()) {
+TYPED_TEST(CertVerifyProcTypedTest, NameConstraintsFailure) {
+ if (!SupportsReturningVerifiedChain(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
CertificateList ca_cert_list =
- CreateCertificateListFromFile(GetTestCertsDirectory(),
- "root_ca_cert.pem",
+ CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
ScopedTestRoot test_root(ca_cert_list[0].get());
@@ -627,24 +764,19 @@ TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
ASSERT_EQ(1U, cert_list.size());
X509Certificate::OSCertHandles intermediates;
- scoped_refptr<X509Certificate> leaf =
- X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
+ cert_list[0]->os_cert_handle(), intermediates);
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(leaf.get(),
- "test.example.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(leaf.get(), "test.example.com", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
}
-TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
+TEST_F(CertVerifyProcBaseClassTest, TestHasTooLongValidity) {
struct {
const char* const file;
bool is_valid_too_long;
@@ -675,8 +807,8 @@ TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
}
// TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) {
- if (!SupportsDetectingKnownRoots()) {
+TYPED_TEST(CertVerifyProcTypedTest, DISABLED_TestKnownRoot) {
+ if (!SupportsDetectingKnownRoots(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test on this platform.";
return;
}
@@ -689,23 +821,22 @@ TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) {
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
- scoped_refptr<X509Certificate> cert_chain =
- X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+ certs[0]->os_cert_handle(), intermediates);
int flags = 0;
CertVerifyResult verify_result;
// This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also PublicKeyHashes.
- int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
- empty_cert_list_, &verify_result);
+ int error = this->Verify(cert_chain.get(), "twitter.com", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.is_issued_by_known_root);
}
// TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
- if (!SupportsReturningVerifiedChain()) {
+TYPED_TEST(CertVerifyProcTypedTest, DISABLED_PublicKeyHashes) {
+ if (!SupportsReturningVerifiedChain(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
@@ -718,16 +849,15 @@ TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
- scoped_refptr<X509Certificate> cert_chain =
- X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+ certs[0]->os_cert_handle(), intermediates);
int flags = 0;
CertVerifyResult verify_result;
// This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also TestKnownRoot.
- int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
- empty_cert_list_, &verify_result);
+ int error = this->Verify(cert_chain.get(), "twitter.com", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
ASSERT_LE(3U, verify_result.public_key_hashes.size());
@@ -761,7 +891,7 @@ TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
// A regression test for http://crbug.com/70293.
// The Key Usage extension in this RSA SSL server certificate does not have
// the keyEncipherment bit.
-TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
+TYPED_TEST(CertVerifyProcTypedTest, InvalidKeyUsage) {
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> server_cert =
@@ -770,27 +900,27 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(server_cert.get(),
- "jira.aquameta.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
-#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
- // This certificate has two errors: "invalid key usage" and "untrusted CA".
- // However, OpenSSL returns only one (the latter), and we can't detect
- // the other errors.
- EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-#else
- EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
- EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
-#endif
+ int error = this->Verify(server_cert.get(), "jira.aquameta.com", flags, NULL,
+ EmptyCertList(), &verify_result);
+
+ if (this->UsingCertVerifyProcOpenSSL()) {
+ // This certificate has two errors: "invalid key usage" and "untrusted CA".
+ // However, OpenSSL returns only one (the latter), and we can't detect
+ // the other errors.
+ EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+ } else {
+ EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+ }
// TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
// from NSS.
-#if !defined(USE_NSS_CERTS) && !defined(OS_IOS) && !defined(OS_ANDROID)
- // The certificate is issued by an unknown CA.
- EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
-#endif
+ if (!this->UsingCertVerifyProcNSS() && !this->UsingCertVerifyProcIOS() &&
+ !this->UsingCertVerifyProcAndroid()) {
+ // The certificate is issued by an unknown CA.
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+ }
+
+ // TODO(crbug.com/649017): What expectations to use for the other verifiers?
}
// Basic test for returning the chain in CertVerifyResult. Note that the
@@ -799,16 +929,15 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
// of the certificate to be verified. The remaining VerifyReturn* tests are
// used to ensure that the actual, verified chain is being returned by
// Verify().
-TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
- if (!SupportsReturningVerifiedChain()) {
+TYPED_TEST(CertVerifyProcTypedTest, VerifyReturnChainBasic) {
+ if (!SupportsReturningVerifiedChain(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "x509_verify_results.chain.pem",
- X509Certificate::FORMAT_AUTO);
+ certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
@@ -826,12 +955,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
CertVerifyResult verify_result;
EXPECT_EQ(static_cast<X509Certificate*>(NULL),
verify_result.verified_cert.get());
- int error = Verify(google_full_chain.get(),
- "127.0.0.1",
- 0,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
ASSERT_NE(static_cast<X509Certificate*>(NULL),
verify_result.verified_cert.get());
@@ -853,11 +978,13 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
// known public registry controlled domain information) issued by well-known
// CAs are flagged appropriately, while certificates that are issued by
// internal CAs are not flagged.
-TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
- if (!SupportsDetectingKnownRoots()) {
- LOG(INFO) << "Skipping this test in this platform.";
- return;
- }
+TEST_F(CertVerifyProcBaseClassTest, IntranetHostsRejected) {
+ // TODO(eroman): Why the below cdoe? It doesn't depend on
+ // the CertVerifyProc concrete class.
+ // if (!SupportsDetectingKnownRoots(verify_proc_name_)) {
+ // LOG(INFO) << "Skipping this test in this platform.";
+ // return;
+ //}
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "reject_intranet_hosts.pem",
@@ -871,18 +998,18 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
// Intranet names for public CAs should be flagged:
CertVerifyResult dummy_result;
dummy_result.is_issued_by_known_root = true;
- verify_proc_ = new MockCertVerifyProc(dummy_result);
- error =
- Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
+ error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
+ CertificateList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
// However, if the CA is not well known, these should not be flagged:
dummy_result.Reset();
dummy_result.is_issued_by_known_root = false;
- verify_proc_ = new MockCertVerifyProc(dummy_result);
- error =
- Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
+ verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
+ error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
+ CertificateList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
}
@@ -893,7 +1020,8 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
// that were issued after 1 January 2016, while still allowing those from
// before that date, with SHA-1 in the intermediate, or from an enterprise
// CA.
-TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
+TEST_F(CertVerifyProcBaseClassTest,
+ VerifyRejectsSHA1AfterDeprecationLegacyMode) {
base::test::ScopedFeatureList scoped_feature_list;
scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode);
@@ -909,13 +1037,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
dummy_result.is_issued_by_known_root = true;
dummy_result.has_sha1 = true;
dummy_result.has_sha1_leaf = true;
- verify_proc_ = new MockCertVerifyProc(dummy_result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
"sha1_dec_2015.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_TRUE(cert);
- error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
- &verify_result);
+ error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+ CertificateList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
@@ -926,13 +1054,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
dummy_result.is_issued_by_known_root = true;
dummy_result.has_sha1 = true;
dummy_result.has_sha1_leaf = true;
- verify_proc_ = new MockCertVerifyProc(dummy_result);
+ verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
"sha1_jan_2016.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_TRUE(cert);
- error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
- &verify_result);
+ error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+ CertificateList(), &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
@@ -943,13 +1071,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
dummy_result.is_issued_by_known_root = false;
dummy_result.has_sha1 = true;
dummy_result.has_sha1_leaf = true;
- verify_proc_ = new MockCertVerifyProc(dummy_result);
+ verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
"sha1_jan_2016.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_TRUE(cert);
- error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
- &verify_result);
+ error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+ CertificateList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
@@ -960,13 +1088,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
dummy_result.is_issued_by_known_root = true;
dummy_result.has_sha1 = true;
dummy_result.has_sha1_leaf = false;
- verify_proc_ = new MockCertVerifyProc(dummy_result);
+ verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
"sha1_jan_2016.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_TRUE(cert);
- error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
- &verify_result);
+ error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+ CertificateList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
}
@@ -976,16 +1104,15 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
// a protocol violation if sent during a TLS handshake, if multiple sources
// of intermediate certificates are combined, it's possible that order may
// not be maintained.
-TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
- if (!SupportsReturningVerifiedChain()) {
+TYPED_TEST(CertVerifyProcTypedTest, VerifyReturnChainProperlyOrdered) {
+ if (!SupportsReturningVerifiedChain(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "x509_verify_results.chain.pem",
- X509Certificate::FORMAT_AUTO);
+ certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
// Construct the chain out of order.
@@ -1004,12 +1131,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
CertVerifyResult verify_result;
EXPECT_EQ(static_cast<X509Certificate*>(NULL),
verify_result.verified_cert.get());
- int error = Verify(google_full_chain.get(),
- "127.0.0.1",
- 0,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
ASSERT_NE(static_cast<X509Certificate*>(NULL),
verify_result.verified_cert.get());
@@ -1029,16 +1152,15 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
// Test that Verify() filters out certificates which are not related to
// or part of the certificate chain being verified.
-TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
- if (!SupportsReturningVerifiedChain()) {
+TYPED_TEST(CertVerifyProcTypedTest, VerifyReturnChainFiltersUnrelatedCerts) {
+ if (!SupportsReturningVerifiedChain(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "x509_verify_results.chain.pem",
- X509Certificate::FORMAT_AUTO);
+ certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
ScopedTestRoot scoped_root(certs[2].get());
@@ -1065,12 +1187,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
CertVerifyResult verify_result;
EXPECT_EQ(static_cast<X509Certificate*>(NULL),
verify_result.verified_cert.get());
- int error = Verify(google_full_chain.get(),
- "127.0.0.1",
- 0,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = this->Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
ASSERT_NE(static_cast<X509Certificate*>(NULL),
verify_result.verified_cert.get());
@@ -1088,22 +1206,21 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
certs[2]->os_cert_handle()));
}
-TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
- if (!SupportsAdditionalTrustAnchors()) {
+TYPED_TEST(CertVerifyProcTypedTest, AdditionalTrustAnchors) {
+ if (!this->SupportsAdditionalTrustAnchors()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
// |ca_cert| is the issuer of |cert|.
- CertificateList ca_cert_list = CreateCertificateListFromFile(
- GetTestCertsDirectory(), "root_ca_cert.pem",
- X509Certificate::FORMAT_AUTO);
+ CertificateList ca_cert_list =
+ CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
+ X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
CertificateList cert_list = CreateCertificateListFromFile(
- GetTestCertsDirectory(), "ok_cert.pem",
- X509Certificate::FORMAT_AUTO);
+ GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
@@ -1111,8 +1228,8 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
// list.
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(
- cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+ int error = this->Verify(cert.get(), "127.0.0.1", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
@@ -1120,16 +1237,16 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
// Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
CertificateList trust_anchors;
trust_anchors.push_back(ca_cert);
- error = Verify(
- cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
+ error = this->Verify(cert.get(), "127.0.0.1", flags, NULL, trust_anchors,
+ &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
// Clearing the |trust_anchors| makes verification fail again (the cache
// should be skipped).
- error = Verify(
- cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+ error = this->Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
+ &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
@@ -1138,7 +1255,7 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
// Tests that certificates issued by user-supplied roots are not flagged as
// issued by a known root. This should pass whether or not the platform supports
// detecting known roots.
-TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
+TYPED_TEST(CertVerifyProcTypedTest, IsIssuedByKnownRootIgnoresTestRoots) {
// Load root_ca_cert.pem into the test root store.
ScopedTestRoot test_root(
ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
@@ -1149,22 +1266,50 @@ TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
// Verification should pass.
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(
- cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+ int error = this->Verify(cert.get(), "127.0.0.1", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_EQ(0U, verify_result.cert_status);
// But should not be marked as a known root.
EXPECT_FALSE(verify_result.is_issued_by_known_root);
}
-#if defined(USE_NSS_CERTS) || defined(OS_WIN) || \
- (defined(OS_MACOSX) && !defined(OS_IOS))
+template <typename T>
+bool SupportsCRLSet(T* verify_proc) {
+ return false;
+}
+
+#if defined(USE_NSS_CERTS)
+template <>
+bool SupportsCRLSet(CertVerifyProcNSS* verify_proc) {
+ return true;
+}
+#endif
+
+#if defined(OS_WIN)
+template <>
+bool SupportsCRLSet(CertVerifyProcWin* verify_proc) {
+ return true;
+}
+#endif
+
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+template <>
+bool SupportsCRLSet(CertVerifyProcMac* verify_proc) {
+ return true;
+}
+#endif
+
// Test that CRLSets are effective in making a certificate appear to be
// revoked.
-TEST_F(CertVerifyProcTest, CRLSet) {
+TYPED_TEST(CertVerifyProcTypedTest, CRLSet) {
+ if (!SupportsCRLSet(this->verify_proc_.get())) {
+ LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
+ return;
+ }
+
CertificateList ca_cert_list =
- CreateCertificateListFromFile(GetTestCertsDirectory(),
- "root_ca_cert.pem",
+ CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
ScopedTestRoot test_root(ca_cert_list[0].get());
@@ -1176,8 +1321,8 @@ TEST_F(CertVerifyProcTest, CRLSet) {
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(
- cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+ int error = this->Verify(cert.get(), "127.0.0.1", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_EQ(0U, verify_result.cert_status);
@@ -1190,12 +1335,8 @@ TEST_F(CertVerifyProcTest, CRLSet) {
&crl_set_bytes));
ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
- error = Verify(cert.get(),
- "127.0.0.1",
- flags,
- crl_set.get(),
- empty_cert_list_,
- &verify_result);
+ error = this->Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
// Second, test revocation by serial number of a cert directly under the
@@ -1206,16 +1347,17 @@ TEST_F(CertVerifyProcTest, CRLSet) {
&crl_set_bytes));
ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
- error = Verify(cert.get(),
- "127.0.0.1",
- flags,
- crl_set.get(),
- empty_cert_list_,
- &verify_result);
+ error = this->Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
}
-TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
+TYPED_TEST(CertVerifyProcTypedTest, CRLSetLeafSerial) {
+ if (!SupportsCRLSet(this->verify_proc_.get())) {
+ LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
+ return;
+ }
+
CertificateList ca_cert_list =
CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
@@ -1240,8 +1382,8 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
- &verify_result);
+ int error = this->Verify(leaf.get(), "127.0.0.1", flags, NULL,
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsOk());
// Test revocation by serial number of a certificate not under the root.
@@ -1252,8 +1394,8 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
&crl_set_bytes));
ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
- error = Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(),
- empty_cert_list_, &verify_result);
+ error = this->Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(),
+ EmptyCertList(), &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
}
@@ -1271,8 +1413,8 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
// 1. Revoking E by SPKI, so that only Path 1 is valid (as E is in Paths 2 & 3)
// 2. Revoking C(D) and F(E) by serial, so that only Path 2 is valid.
// 3. Revoking C by SPKI, so that only Path 3 is valid (as C is in Paths 1 & 2)
-TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
- if (!SupportsCRLSetsInPathBuilding()) {
+TYPED_TEST(CertVerifyProcTypedTest, CRLSetDuringPathBuilding) {
+ if (!SupportsCRLSetsInPathBuilding(this->verify_proc_.get())) {
LOG(INFO) << "Skipping this test on this platform.";
return;
}
@@ -1301,7 +1443,7 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
ScopedTestRoot test_root_E(path_2_certs[3].get()); // E-by-E
// Create a chain that contains all the certificate paths possible.
- // CertVerifyProcTest.VerifyReturnChainFiltersUnrelatedCerts already
+ // CertVerifyProcTypedTest.VerifyReturnChainFiltersUnrelatedCerts already
// ensures that it's safe to send additional certificates as inputs, and
// that they're ignored if not necessary.
// This is to avoid relying on AIA or internal object caches when
@@ -1337,8 +1479,8 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
- empty_cert_list_, &verify_result);
+ int error = this->Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+ EmptyCertList(), &verify_result);
if (!testcase.expect_valid) {
EXPECT_NE(OK, error);
@@ -1370,9 +1512,10 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
}
}
-#endif
-
#if defined(OS_MACOSX) && !defined(OS_IOS)
+class CertVerifyProcMacTest
+ : public CertVerifyProcTypedTest<CertVerifyProcMac> {};
+
// Test that a CRLSet blocking one of the intermediates supplied by the server
// can be worked around by the chopping workaround for path building. (Once the
// supplied chain is chopped back to just the target, a better path can be
@@ -1389,7 +1532,7 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
//
// The verifier should rollback until it just tries A(B) alone, at which point
// it will pull B(F) & F(E) from the keychain and succeed.
-TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
+TEST_F(CertVerifyProcMacTest, MacCRLIntermediate) {
if (base::mac::IsAtLeastOS10_12()) {
// TODO(crbug.com/671889): Investigate SecTrustSetKeychains issue on Sierra.
LOG(INFO) << "Skipping test, SecTrustSetKeychains does not work on 10.12";
@@ -1446,7 +1589,7 @@ TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
- empty_cert_list_, &verify_result);
+ EmptyCertList(), &verify_result);
ASSERT_EQ(OK, error);
ASSERT_EQ(0U, verify_result.cert_status);
@@ -1472,7 +1615,7 @@ TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
// Test that if a keychain is present which trusts a less-desirable root (ex,
// one using SHA1), that the keychain reordering hack will cause the better
// root in the System Roots to be used instead.
-TEST_F(CertVerifyProcTest, MacKeychainReordering) {
+TEST_F(CertVerifyProcMacTest, MacKeychainReordering) {
// Note: target cert expires Apr 2 23:59:59 2018 GMT
scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
GetTestCertsDirectory(), "tripadvisor-verisign-chain.pem",
@@ -1501,7 +1644,7 @@ TEST_F(CertVerifyProcTest, MacKeychainReordering) {
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(cert.get(), "www.tripadvisor.com", flags,
- nullptr /* crl_set */, empty_cert_list_, &verify_result);
+ nullptr /* crl_set */, EmptyCertList(), &verify_result);
ASSERT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
@@ -1516,7 +1659,7 @@ TEST_F(CertVerifyProcTest, MacKeychainReordering) {
// Test that the system root certificate keychain is in the expected location
// and can be opened. Other tests would fail if this was not true, but this
// test makes the reason for the failure obvious.
-TEST_F(CertVerifyProcTest, MacSystemRootCertificateKeychainLocation) {
+TEST_F(CertVerifyProcMacTest, MacSystemRootCertificateKeychainLocation) {
const char* root_keychain_path =
"/System/Library/Keychains/SystemRootCertificates.keychain";
ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path)));
@@ -1526,8 +1669,11 @@ TEST_F(CertVerifyProcTest, MacSystemRootCertificateKeychainLocation) {
ASSERT_EQ(errSecSuccess, status);
CFRelease(keychain);
}
-#endif
+#endif // defined(OS_MACOSX) && !defined(OS_IOS)
+// TODO(crbug.com/649017): This is not parameterized by the CertVerifyProc
+// because the CertVerifyProc::Verify() does this unconditionally based on the
+// platform.
bool AreSHA1IntermediatesAllowed() {
#if defined(OS_WIN)
// TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved
@@ -1539,58 +1685,61 @@ bool AreSHA1IntermediatesAllowed() {
#endif
}
-TEST_F(CertVerifyProcTest, RejectsMD2) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsMD2) {
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
ASSERT_TRUE(cert);
CertVerifyResult result;
result.has_md2 = true;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
- empty_cert_list_, &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ nullptr /* crl_set */, CertificateList(),
+ &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
}
-TEST_F(CertVerifyProcTest, RejectsMD4) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsMD4) {
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
ASSERT_TRUE(cert);
CertVerifyResult result;
result.has_md4 = true;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
- empty_cert_list_, &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ nullptr /* crl_set */, CertificateList(),
+ &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
}
-TEST_F(CertVerifyProcTest, RejectsMD5) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsMD5) {
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
ASSERT_TRUE(cert);
CertVerifyResult result;
result.has_md5 = true;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
- empty_cert_list_, &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ nullptr /* crl_set */, CertificateList(),
+ &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
}
-TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsPublicSHA1Leaves) {
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
ASSERT_TRUE(cert);
@@ -1599,17 +1748,19 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
result.has_sha1 = true;
result.has_sha1_leaf = true;
result.is_issued_by_known_root = true;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
- empty_cert_list_, &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ nullptr /* crl_set */, CertificateList(),
+ &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
}
-TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
+TEST_F(CertVerifyProcBaseClassTest,
+ RejectsPublicSHA1IntermediatesUnlessAllowed) {
scoped_refptr<X509Certificate> cert(ImportCertFromFile(
GetTestCertsDirectory(), "39_months_after_2015_04.pem"));
ASSERT_TRUE(cert);
@@ -1618,12 +1769,13 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
result.has_sha1 = true;
result.has_sha1_leaf = false;
result.is_issued_by_known_root = true;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
- empty_cert_list_, &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ nullptr /* crl_set */, CertificateList(),
+ &verify_result);
if (AreSHA1IntermediatesAllowed()) {
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
@@ -1634,7 +1786,7 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
}
}
-TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsPrivateSHA1UnlessFlag) {
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
ASSERT_TRUE(cert);
@@ -1643,21 +1795,23 @@ TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
result.has_sha1 = true;
result.has_sha1_leaf = true;
result.is_issued_by_known_root = false;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
// SHA-1 should be rejected by default for private roots...
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
- empty_cert_list_, &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ nullptr /* crl_set */, CertificateList(),
+ &verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
// ... unless VERIFY_ENABLE_SHA1_LOCAL_ANCHORS was supplied.
flags = CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS;
verify_result.Reset();
- error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
- empty_cert_list_, &verify_result);
+ error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ nullptr /* crl_set */, CertificateList(),
+ &verify_result);
EXPECT_THAT(error, IsOk());
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
}
@@ -1694,15 +1848,17 @@ void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
<< "; end-entity: " << data.ee_cert_filename;
}
+// Tests to ensure that CertVerifyProc::Verify() sets the has_* members for
+// hash algorithms.
class CertVerifyProcWeakDigestTest
- : public CertVerifyProcTest,
+ : public CertVerifyProcBaseClassTest,
public testing::WithParamInterface<WeakDigestTestData> {
public:
CertVerifyProcWeakDigestTest() {}
virtual ~CertVerifyProcWeakDigestTest() {}
};
-// Test that the CertVerifyProc::Verify() properly surfaces the (weak) hashing
+// Tests that the CertVerifyProc::Verify() properly surfaces the (weak) hash
// algorithms used in the chain.
TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
WeakDigestTestData data = GetParam();
@@ -1731,9 +1887,8 @@ TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
ImportCertFromFile(certs_dir, data.ee_cert_filename);
ASSERT_TRUE(ee_cert);
- scoped_refptr<X509Certificate> ee_chain =
- X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
- intermediates);
+ scoped_refptr<X509Certificate> ee_chain = X509Certificate::CreateFromHandle(
+ ee_cert->os_cert_handle(), intermediates);
ASSERT_TRUE(ee_chain);
int flags = 0;
@@ -1743,11 +1898,11 @@ TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
// |ee_chain|.
//
// This is sufficient for the purposes of this test, as the checking for weak
- // hashing algorithms is done by CertVerifyProc::Verify().
+ // hash algorithms is done by CertVerifyProc::Verify().
scoped_refptr<CertVerifyProc> proc =
new MockCertVerifyProc(CertVerifyResult());
proc->Verify(ee_chain.get(), "127.0.0.1", std::string(), flags, nullptr,
- empty_cert_list_, &verify_result);
+ CertificateList(), &verify_result);
EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2);
EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4);
EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5);
@@ -1785,12 +1940,12 @@ INSTANTIATE_TEST_CASE_P(VerifyIntermediate,
// The signature algorithm of end-entity should be properly detected.
const WeakDigestTestData kVerifyEndEntityTestData[] = {
- { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1 },
- { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1 },
- { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1 },
+ {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+ "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1},
+ {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+ "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1},
+ {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+ "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1},
};
INSTANTIATE_TEST_CASE_P(VerifyEndEntity,
@@ -1837,12 +1992,12 @@ INSTANTIATE_TEST_CASE_P(VerifyIncompleteEndEntity,
// Differing algorithms between the intermediate and the EE should still be
// reported.
const WeakDigestTestData kVerifyMixedTestData[] = {
- { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
- "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
- { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
- "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
- { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
- "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4 },
+ {"weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
+ "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5},
+ {"weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
+ "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5},
+ {"weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
+ "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4},
};
INSTANTIATE_TEST_CASE_P(VerifyMixed,
@@ -1864,67 +2019,75 @@ INSTANTIATE_TEST_CASE_P(VerifyTrustedEE,
// For the list of valid hostnames, see
// net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
-static const struct CertVerifyProcNameData {
+struct CertVerifyProcNameData {
const char* hostname;
bool valid; // Whether or not |hostname| matches a subjectAltName.
-} kVerifyNameData[] = {
- { "127.0.0.1", false }, // Don't match the common name
- { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)
- { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)
- { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN
- { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)
- { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN
- { "test.example", true }, // Matches the dNSName SAN
- { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)
- { "www.test.example", false }, // Should not match the dNSName SAN
- { "test..example", false }, // Should not match the dNSName SAN
- { "test.example..", false }, // Should not match the dNSName SAN
- { ".test.example.", false }, // Should not match the dNSName SAN
- { ".test.example", false }, // Should not match the dNSName SAN
};
-// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
-// to output the parameter that was passed. Without this, it will simply
-// attempt to print out the first twenty bytes of the object, which depending
-// on platform and alignment, may result in an invalid read.
-void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
- *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
+// Don't match the common name
+TYPED_TEST(CertVerifyProcTypedTest, DontMatchCommonName) {
+ this->VerifyCertName("127.0.0.1", false);
}
-class CertVerifyProcNameTest
- : public CertVerifyProcTest,
- public testing::WithParamInterface<CertVerifyProcNameData> {
- public:
- CertVerifyProcNameTest() {}
- virtual ~CertVerifyProcNameTest() {}
-};
+// Matches the iPAddress SAN (IPv4)
+TYPED_TEST(CertVerifyProcTypedTest, MatchesIpSanIpv4) {
+ this->VerifyCertName("127.0.0.2", true);
+}
-TEST_P(CertVerifyProcNameTest, VerifyCertName) {
- CertVerifyProcNameData data = GetParam();
+// Matches the iPAddress SAN (IPv6)
+TYPED_TEST(CertVerifyProcTypedTest, MatchesIpSanIpv6) {
+ this->VerifyCertName("FE80:0:0:0:0:0:0:1", true);
+}
- CertificateList cert_list = CreateCertificateListFromFile(
- GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
- X509Certificate::FORMAT_AUTO);
- ASSERT_EQ(1U, cert_list.size());
- scoped_refptr<X509Certificate> cert(cert_list[0]);
+// Should not match the iPAddress SAN
+TYPED_TEST(CertVerifyProcTypedTest, DoesntMatchIpSanIpv6) {
+ this->VerifyCertName("[FE80:0:0:0:0:0:0:1]", false);
+}
- ScopedTestRoot scoped_root(cert.get());
+// Compressed form matches the iPAddress SAN (IPv6)
+TYPED_TEST(CertVerifyProcTypedTest, MatchesIpSanCompressedIpv6) {
+ this->VerifyCertName("FE80::1", true);
+}
- CertVerifyResult verify_result;
- int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
- &verify_result);
- if (data.valid) {
- EXPECT_THAT(error, IsOk());
- EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
- } else {
- EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
- EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
- }
+// IPv6 mapped form should NOT match iPAddress SAN
+TYPED_TEST(CertVerifyProcTypedTest, DoesntMatchIpSanIPv6Mapped) {
+ this->VerifyCertName("::127.0.0.2", false);
}
-INSTANTIATE_TEST_CASE_P(VerifyName,
- CertVerifyProcNameTest,
- testing::ValuesIn(kVerifyNameData));
+// Matches the dNSName SAN
+TYPED_TEST(CertVerifyProcTypedTest, MatchesDnsSan) {
+ this->VerifyCertName("test.example", true);
+}
+
+// Matches the dNSName SAN (trailing . ignored)
+TYPED_TEST(CertVerifyProcTypedTest, MatchesDnsSanTrailingDot) {
+ this->VerifyCertName("test.example.", true);
+}
+
+// Should not match the dNSName SAN
+TYPED_TEST(CertVerifyProcTypedTest, DoesntMatchDnsSan) {
+ this->VerifyCertName("www.test.example", false);
+}
+
+// Should not match the dNSName SAN
+TYPED_TEST(CertVerifyProcTypedTest, DoesntMatchDnsSanInvalid) {
+ this->VerifyCertName("test..example", false);
+}
+
+// Should not match the dNSName SAN
+TYPED_TEST(CertVerifyProcTypedTest, DoesntMatchDnsSanTwoTrailingDots) {
+ this->VerifyCertName("test.example..", false);
+}
+
+// Should not match the dNSName SAN
+TYPED_TEST(CertVerifyProcTypedTest, DoesntMatchDnsSanLeadingAndTrailingDot) {
+ this->VerifyCertName(".test.example.", false);
+}
+
+// Should not match the dNSName SAN
+TYPED_TEST(CertVerifyProcTypedTest, DoesntMatchDnsSanTrailingDot) {
+ this->VerifyCertName(".test.example", false);
+}
#if defined(OS_MACOSX) && !defined(OS_IOS)
// Test that CertVerifyProcMac reacts appropriately when Apple's certificate
@@ -1933,7 +2096,7 @@ INSTANTIATE_TEST_CASE_P(VerifyName,
// (Since 10.12, this causes a recoverable error instead of a fatal one.)
// TODO(mattm): Try to find a different way to cause a fatal error that works
// on 10.12.
-TEST_F(CertVerifyProcTest, LargeKey) {
+TEST_F(CertVerifyProcMacTest, LargeKey) {
// Load root_ca_cert.pem into the test root store.
ScopedTestRoot test_root(
ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
@@ -1946,7 +2109,7 @@ TEST_F(CertVerifyProcTest, LargeKey) {
// large_key.pem may need to be regenerated with a larger key.
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+ int error = Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
&verify_result);
EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
@@ -1956,22 +2119,22 @@ TEST_F(CertVerifyProcTest, LargeKey) {
// Tests that CertVerifyProc records a histogram correctly when a
// certificate chaining to a private root contains the TLS feature
// extension and does not have a stapled OCSP response.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
+TEST_F(CertVerifyProcBaseClassTest, HasTLSFeatureExtensionUMA) {
base::HistogramTester histograms;
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
ASSERT_TRUE(cert);
CertVerifyResult result;
result.is_issued_by_known_root = false;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
- &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ NULL, EmptyCertList(), &verify_result);
EXPECT_EQ(OK, error);
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
@@ -1982,14 +2145,14 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
// Tests that CertVerifyProc records a histogram correctly when a
// certificate chaining to a private root contains the TLS feature
// extension and does have a stapled OCSP response.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
+TEST_F(CertVerifyProcBaseClassTest, HasTLSFeatureExtensionWithStapleUMA) {
base::HistogramTester histograms;
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
ASSERT_TRUE(cert);
CertVerifyResult result;
result.is_issued_by_known_root = false;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
@@ -1997,8 +2160,8 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
int flags = 0;
CertVerifyResult verify_result;
int error =
- VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags,
- NULL, empty_cert_list_, &verify_result);
+ verify_proc->Verify(cert.get(), "127.0.0.1", "dummy response", flags,
+ nullptr, EmptyCertList(), &verify_result);
EXPECT_EQ(OK, error);
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
@@ -2009,22 +2172,22 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
// Tests that CertVerifyProc records a histogram correctly when a
// certificate chaining to a private root does not contain the TLS feature
// extension.
-TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
+TEST_F(CertVerifyProcBaseClassTest, DoesNotHaveTLSFeatureExtensionUMA) {
base::HistogramTester histograms;
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
ASSERT_TRUE(cert);
CertVerifyResult result;
result.is_issued_by_known_root = false;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
- &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ NULL, EmptyCertList(), &verify_result);
EXPECT_EQ(OK, error);
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1);
@@ -2034,21 +2197,21 @@ TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
// Tests that CertVerifyProc does not record a histogram when a
// certificate contains the TLS feature extension but chains to a public
// root.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
+TEST_F(CertVerifyProcBaseClassTest, HasTLSFeatureExtensionWithPublicRootUMA) {
base::HistogramTester histograms;
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
ASSERT_TRUE(cert);
CertVerifyResult result;
result.is_issued_by_known_root = true;
- verify_proc_ = new MockCertVerifyProc(result);
+ auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
int flags = 0;
CertVerifyResult verify_result;
- int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
- &verify_result);
+ int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+ NULL, EmptyCertList(), &verify_result);
EXPECT_EQ(OK, error);
histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
« no previous file with comments | « net/cert/cert_verify_proc_openssl.h ('k') | net/cert/cert_verify_proc_win.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698