
Side by Side Diff: net/cert/cert_verify_proc_unittest.cc

Issue 2719273002: Disable commonName matching for certificates (Closed)
Patch Set: Update macOS Keychain Created 3 years, 9 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include <vector> 7 #include <vector>
8 8
9 #include "base/callback_helpers.h" 9 #include "base/callback_helpers.h"
10 #include "base/files/file_path.h" 10 #include "base/files/file_path.h"
(...skipping 1783 matching lines...) Expand 10 before | Expand all | Expand 10 after
1794 // Should not match the dNSName SAN 1794 // Should not match the dNSName SAN
1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { 1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) {
1796 VerifyCertName(".test.example.", false); 1796 VerifyCertName(".test.example.", false);
1797 } 1797 }
1798 1798
1799 // Should not match the dNSName SAN 1799 // Should not match the dNSName SAN
1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { 1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
1801 VerifyCertName(".test.example", false); 1801 VerifyCertName(".test.example", false);
1802 } 1802 }
1803 1803
1804 // Tests that commonName-fallback is handled correctly:
mattm 2017/03/01 23:56:47 The comment here mentions more cases than are actu
Ryan Sleevi 2017/03/02 00:15:31 Yeah, I ended up moving them into the X509Certific
1805 // - If it's a publicly trusted certificate, the commonName should never
1806 // match, both with a subjectAltName is present and when it is absent.
1807 // - If it chains to a private root, the commonName should not match if
1808 // the subjectAltName is present.
1809 // - If it chains to a private root, the commonName should not match if
1810 // the subjectAltName is absent, and the flags don't allow fallback.
1811 // - If it chains to a private root, the commonName SHOULD match iff the
1812 // subjectAltName is absent and the flags allow a fallback.
1813 TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) {
1814 scoped_refptr<X509Certificate> cert(
1815 ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem"));
1816 ASSERT_TRUE(cert);
1817
1818 CertVerifyResult result;
1819 scoped_refptr<CertVerifyProc> verify_proc;
1820 CertVerifyResult verify_result;
1821 int error;
1822
1823 // Publicly trusted: Always ignores commonName, regardless of flags.
1824 result = CertVerifyResult();
1825 verify_result = CertVerifyResult();
1826 error = 0;
1827 result.is_issued_by_known_root = true;
1828 verify_proc = new MockCertVerifyProc(result);
1829 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
1830 std::string(), 0, nullptr, CertificateList(),
1831 &verify_result);
1832 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
1833 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1834
1835 result = CertVerifyResult();
1836 verify_result = CertVerifyResult();
1837 error = 0;
1838 result.is_issued_by_known_root = true;
1839 verify_proc = new MockCertVerifyProc(result);
1840 error = verify_proc->Verify(
1841 cert.get(), "prerelna1.pre.salesforce.com", std::string(),
1842 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
1843 CertificateList(), &verify_result);
1844 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
1845 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1846
1847 // Privately trusted: Ignores commonName by default.
1848 result = CertVerifyResult();
1849 verify_result = CertVerifyResult();
1850 error = 0;
1851 result.is_issued_by_known_root = false;
1852 verify_proc = new MockCertVerifyProc(result);
1853 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
1854 std::string(), 0, nullptr, CertificateList(),
1855 &verify_result);
1856 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
1857 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1858
1859 // Privately trusted: Falls back to common name if flags allow.
1860 result = CertVerifyResult();
1861 verify_result = CertVerifyResult();
1862 error = 0;
1863 result.is_issued_by_known_root = false;
1864 verify_proc = new MockCertVerifyProc(result);
1865 error = verify_proc->Verify(
1866 cert.get(), "prerelna1.pre.salesforce.com", std::string(),
1867 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
1868 CertificateList(), &verify_result);
1869 EXPECT_THAT(error, IsOk());
1870 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1871 }
1872
1804 // Tests that CertVerifyProc records a histogram correctly when a 1873 // Tests that CertVerifyProc records a histogram correctly when a
1805 // certificate chaining to a private root contains the TLS feature 1874 // certificate chaining to a private root contains the TLS feature
1806 // extension and does not have a stapled OCSP response. 1875 // extension and does not have a stapled OCSP response.
1807 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { 1876 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
1808 base::HistogramTester histograms; 1877 base::HistogramTester histograms;
1809 scoped_refptr<X509Certificate> cert( 1878 scoped_refptr<X509Certificate> cert(
1810 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); 1879 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
1811 ASSERT_TRUE(cert); 1880 ASSERT_TRUE(cert);
1812 CertVerifyResult result; 1881 CertVerifyResult result;
1813 result.is_issued_by_known_root = false; 1882 result.is_issued_by_known_root = false;
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after
1896 int flags = 0; 1965 int flags = 0;
1897 CertVerifyResult verify_result; 1966 CertVerifyResult verify_result;
1898 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, 1967 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
1899 NULL, CertificateList(), &verify_result); 1968 NULL, CertificateList(), &verify_result);
1900 EXPECT_EQ(OK, error); 1969 EXPECT_EQ(OK, error);
1901 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); 1970 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
1902 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); 1971 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
1903 } 1972 }
1904 1973
1905 } // namespace net 1974 } // namespace net
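Review bot: The four cases in HandlesCommonNameFallbackLocalAnchors (new lines 1823–1870) repeat the same reset / MockCertVerifyProc / Verify sequence with only is_issued_by_known_root and the flags varying, and the hostname literal is spelled four times; a small helper lambda plus a `kHostname` constant would make the matrix readable and keep a future case from forgetting the `verify_result = CertVerifyResult();` reset that the assertions depend on. The second case (new lines 1835–1845) is the one that matters for security — it pins that VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS is ignored when is_issued_by_known_root is true — and the comment on new line 1823 should say so explicitly, e.g. `// Publicly trusted: the fallback flag must have no effect here; commonName matching is only ever permitted for locally-trusted anchors.` The privately-trusted success case (new lines 1859–1870) only proves the CN matched if the test certificate has no subjectAltName covering the hostname, which the test does not assert; a one-line comment stating that assumption about salesforce_com_test.pem would help the next reader.
```cpp
TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) {
  scoped_refptr<X509Certificate> cert(
      ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem"));
  ASSERT_TRUE(cert);

  const char kHostname[] = "prerelna1.pre.salesforce.com";

  // Verifies |cert| for kHostname through a fresh mock whose result reports
  // |known_root|, resetting |verify_result| first, and returns the error.
  CertVerifyResult verify_result;
  auto verify = [&](bool known_root, int flags) {
    CertVerifyResult result;
    result.is_issued_by_known_root = known_root;
    scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
    verify_result = CertVerifyResult();
    return verify_proc->Verify(cert.get(), kHostname, std::string(), flags,
                               nullptr, CertificateList(), &verify_result);
  };

  // Publicly trusted: the fallback flag must have no effect here.
  EXPECT_THAT(verify(true, 0), IsError(ERR_CERT_COMMON_NAME_INVALID));
  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
  EXPECT_THAT(
      verify(true, CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS),
      IsError(ERR_CERT_COMMON_NAME_INVALID));
  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);

  // … unchanged: the two privately-trusted cases, written the same way …
}
```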
