1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
1794 // Should not match the dNSName SAN | 1794 // Should not match the dNSName SAN |
1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { | 1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { |
1796 VerifyCertName(".test.example.", false); | 1796 VerifyCertName(".test.example.", false); |
1797 } | 1797 } |
1798 | 1798 |
1799 // Should not match the dNSName SAN | 1799 // Should not match the dNSName SAN |
1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { | 1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { |
1801 VerifyCertName(".test.example", false); | 1801 VerifyCertName(".test.example", false); |
1802 } | 1802 } |
1803 | 1803 |
| 1804 // Tests that commonName-fallback is handled correctly: |
| 1805 // - If it's a publicly trusted certificate, the commonName should never |
| 1806 // match. |
| 1807 // - If it chains to a private root, the commonName should not match if |
| 1808 // the subjectAltName is absent, and the flags don't allow fallback. |
| 1809 // - If it chains to a private root, the commonName SHOULD match iff the |
| 1810 // subjectAltName is absent and the flags allow a fallback. |
| 1811 TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) { |
| 1812 scoped_refptr<X509Certificate> cert( |
| 1813 ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem")); |
| 1814 ASSERT_TRUE(cert); |
| 1815 |
| 1816 CertVerifyResult result; |
| 1817 scoped_refptr<CertVerifyProc> verify_proc; |
| 1818 CertVerifyResult verify_result; |
| 1819 int error; |
| 1820 |
| 1821 // Publicly trusted: Always ignores commonName, regardless of flags. |
| 1822 result = CertVerifyResult(); |
| 1823 verify_result = CertVerifyResult(); |
| 1824 error = 0; |
| 1825 result.is_issued_by_known_root = true; |
| 1826 verify_proc = new MockCertVerifyProc(result); |
| 1827 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", |
| 1828 std::string(), 0, nullptr, CertificateList(), |
| 1829 &verify_result); |
| 1830 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
| 1831 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1832 |
| 1833 result = CertVerifyResult(); |
| 1834 verify_result = CertVerifyResult(); |
| 1835 error = 0; |
| 1836 result.is_issued_by_known_root = true; |
| 1837 verify_proc = new MockCertVerifyProc(result); |
| 1838 error = verify_proc->Verify( |
| 1839 cert.get(), "prerelna1.pre.salesforce.com", std::string(), |
| 1840 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, |
| 1841 CertificateList(), &verify_result); |
| 1842 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
| 1843 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1844 |
| 1845 // Privately trusted: Ignores commonName by default. |
| 1846 result = CertVerifyResult(); |
| 1847 verify_result = CertVerifyResult(); |
| 1848 error = 0; |
| 1849 result.is_issued_by_known_root = false; |
| 1850 verify_proc = new MockCertVerifyProc(result); |
| 1851 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", |
| 1852 std::string(), 0, nullptr, CertificateList(), |
| 1853 &verify_result); |
| 1854 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
| 1855 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1856 |
| 1857 // Privately trusted: Falls back to common name if flags allow. |
| 1858 result = CertVerifyResult(); |
| 1859 verify_result = CertVerifyResult(); |
| 1860 error = 0; |
| 1861 result.is_issued_by_known_root = false; |
| 1862 verify_proc = new MockCertVerifyProc(result); |
| 1863 error = verify_proc->Verify( |
| 1864 cert.get(), "prerelna1.pre.salesforce.com", std::string(), |
| 1865 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, |
| 1866 CertificateList(), &verify_result); |
| 1867 EXPECT_THAT(error, IsOk()); |
| 1868 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1869 } |
| 1870 |
1804 // Tests that CertVerifyProc records a histogram correctly when a | 1871 // Tests that CertVerifyProc records a histogram correctly when a |
1805 // certificate chaining to a private root contains the TLS feature | 1872 // certificate chaining to a private root contains the TLS feature |
1806 // extension and does not have a stapled OCSP response. | 1873 // extension and does not have a stapled OCSP response. |
1807 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { | 1874 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { |
1808 base::HistogramTester histograms; | 1875 base::HistogramTester histograms; |
1809 scoped_refptr<X509Certificate> cert( | 1876 scoped_refptr<X509Certificate> cert( |
1810 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1877 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
1811 ASSERT_TRUE(cert); | 1878 ASSERT_TRUE(cert); |
1812 CertVerifyResult result; | 1879 CertVerifyResult result; |
1813 result.is_issued_by_known_root = false; | 1880 result.is_issued_by_known_root = false; |
1896 int flags = 0; | 1963 int flags = 0; |
1897 CertVerifyResult verify_result; | 1964 CertVerifyResult verify_result; |
1898 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, | 1965 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, |
1899 NULL, CertificateList(), &verify_result); | 1966 NULL, CertificateList(), &verify_result); |
1900 EXPECT_EQ(OK, error); | 1967 EXPECT_EQ(OK, error); |
1901 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1968 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
1902 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1969 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
1903 } | 1970 } |
1904 | 1971 |
1905 } // namespace net | 1972 } // namespace net |
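Review bot: HandlesCommonNameFallbackLocalAnchors (new lines 1811-1869) never exercises the "subjectAltName present" half of the contract its header comment states, so a regression in which VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS lets the commonName win even when a SAN is present would pass this test; presumably salesforce_com_test.pem has no SAN, since the last case succeeds, but the page does not show that. Consider adding a fifth case that verifies a SAN-bearing certificate chaining to a private root with the fallback flag set and still expects `IsError(ERR_CERT_COMMON_NAME_INVALID)` and `CERT_STATUS_COMMON_NAME_INVALID`, and naming the fixture's SAN-less property in a comment on the ImportCertFromFile call. As a matter of style, the four cases reset result/verify_result/error by hand and repeat the Verify call almost verbatim; a small table would make the matrix and the expected outcome of each row visible at a glance and make the extra case a one-line addition.
```cpp
  struct FallbackCase {
    bool is_issued_by_known_root;
    int flags;
    bool expect_common_name_match;
  };
  const FallbackCase kCases[] = {
      // Publicly trusted: commonName is never consulted, regardless of flags.
      {true, 0, false},
      {true, CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, false},
      // Privately trusted: fallback only when the flag allows it.
      {false, 0, false},
      {false, CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, true},
  };
  for (const FallbackCase& test_case : kCases) {
    CertVerifyResult result;
    result.is_issued_by_known_root = test_case.is_issued_by_known_root;
    scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
    CertVerifyResult verify_result;
    int error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
                                    std::string(), test_case.flags, nullptr,
                                    CertificateList(), &verify_result);
    if (test_case.expect_common_name_match) {
      EXPECT_THAT(error, IsOk());
      EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
    } else {
      EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
      EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
    }
  }
```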