1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
1794 // Should not match the dNSName SAN | 1794 // Should not match the dNSName SAN |
1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { | 1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { |
1796 VerifyCertName(".test.example.", false); | 1796 VerifyCertName(".test.example.", false); |
1797 } | 1797 } |
1798 | 1798 |
1799 // Should not match the dNSName SAN | 1799 // Should not match the dNSName SAN |
1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { | 1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { |
1801 VerifyCertName(".test.example", false); | 1801 VerifyCertName(".test.example", false); |
1802 } | 1802 } |
1803 | 1803 |
1804 // Tests that commonName-fallback is handled correctly: | |
mattm
2017/03/01 23:56:47
The comment here mentions more cases than are actu
Ryan Sleevi
2017/03/02 00:15:31
Yeah, I ended up moving them into the X509Certific
1805 // - If it's a publicly trusted certificate, the commonName should never | |
1806 // match, both with a subjectAltName is present and when it is absent. | |
1807 // - If it chains to a private root, the commonName should not match if | |
1808 // the subjectAltName is present. | |
1809 // - If it chains to a private root, the commonName should not match if | |
1810 // the subjectAltName is absent, and the flags don't allow fallback. | |
1811 // - If it chains to a private root, the commonName SHOULD match iff the | |
1812 // subjectAltName is absent and the flags allow a fallback. | |
1813 TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) { | |
1814 scoped_refptr<X509Certificate> cert( | |
1815 ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem")); | |
1816 ASSERT_TRUE(cert); | |
1817 | |
1818 CertVerifyResult result; | |
1819 scoped_refptr<CertVerifyProc> verify_proc; | |
1820 CertVerifyResult verify_result; | |
1821 int error; | |
1822 | |
1823 // Publicly trusted: Always ignores commonName, regardless of flags. | |
1824 result = CertVerifyResult(); | |
1825 verify_result = CertVerifyResult(); | |
1826 error = 0; | |
1827 result.is_issued_by_known_root = true; | |
1828 verify_proc = new MockCertVerifyProc(result); | |
1829 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", | |
1830 std::string(), 0, nullptr, CertificateList(), | |
1831 &verify_result); | |
1832 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); | |
1833 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | |
1834 | |
1835 result = CertVerifyResult(); | |
1836 verify_result = CertVerifyResult(); | |
1837 error = 0; | |
1838 result.is_issued_by_known_root = true; | |
1839 verify_proc = new MockCertVerifyProc(result); | |
1840 error = verify_proc->Verify( | |
1841 cert.get(), "prerelna1.pre.salesforce.com", std::string(), | |
1842 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, | |
1843 CertificateList(), &verify_result); | |
1844 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); | |
1845 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | |
1846 | |
1847 // Privately trusted: Ignores commonName by default. | |
1848 result = CertVerifyResult(); | |
1849 verify_result = CertVerifyResult(); | |
1850 error = 0; | |
1851 result.is_issued_by_known_root = false; | |
1852 verify_proc = new MockCertVerifyProc(result); | |
1853 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", | |
1854 std::string(), 0, nullptr, CertificateList(), | |
1855 &verify_result); | |
1856 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); | |
1857 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | |
1858 | |
1859 // Privately trusted: Falls back to common name if flags allow. | |
1860 result = CertVerifyResult(); | |
1861 verify_result = CertVerifyResult(); | |
1862 error = 0; | |
1863 result.is_issued_by_known_root = false; | |
1864 verify_proc = new MockCertVerifyProc(result); | |
1865 error = verify_proc->Verify( | |
1866 cert.get(), "prerelna1.pre.salesforce.com", std::string(), | |
1867 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, | |
1868 CertificateList(), &verify_result); | |
1869 EXPECT_THAT(error, IsOk()); | |
1870 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | |
1871 } | |
1872 | |
1804 // Tests that CertVerifyProc records a histogram correctly when a | 1873 // Tests that CertVerifyProc records a histogram correctly when a |
1805 // certificate chaining to a private root contains the TLS feature | 1874 // certificate chaining to a private root contains the TLS feature |
1806 // extension and does not have a stapled OCSP response. | 1875 // extension and does not have a stapled OCSP response. |
1807 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { | 1876 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { |
1808 base::HistogramTester histograms; | 1877 base::HistogramTester histograms; |
1809 scoped_refptr<X509Certificate> cert( | 1878 scoped_refptr<X509Certificate> cert( |
1810 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1879 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
1811 ASSERT_TRUE(cert); | 1880 ASSERT_TRUE(cert); |
1812 CertVerifyResult result; | 1881 CertVerifyResult result; |
1813 result.is_issued_by_known_root = false; | 1882 result.is_issued_by_known_root = false; |
1896 int flags = 0; | 1965 int flags = 0; |
1897 CertVerifyResult verify_result; | 1966 CertVerifyResult verify_result; |
1898 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, | 1967 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, |
1899 NULL, CertificateList(), &verify_result); | 1968 NULL, CertificateList(), &verify_result); |
1900 EXPECT_EQ(OK, error); | 1969 EXPECT_EQ(OK, error); |
1901 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1970 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
1902 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1971 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
1903 } | 1972 } |
1904 | 1973 |
1905 } // namespace net | 1974 } // namespace net |