1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include <memory> | 9 #include <memory> |
10 | 10 |
160 const Time& valid_expiry = webkit_cert->valid_expiry(); | 160 const Time& valid_expiry = webkit_cert->valid_expiry(); |
161 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT | 161 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT |
162 | 162 |
163 std::vector<std::string> dns_names; | 163 std::vector<std::string> dns_names; |
164 webkit_cert->GetDNSNames(&dns_names); | 164 webkit_cert->GetDNSNames(&dns_names); |
165 ASSERT_EQ(2U, dns_names.size()); | 165 ASSERT_EQ(2U, dns_names.size()); |
166 EXPECT_EQ("*.webkit.org", dns_names[0]); | 166 EXPECT_EQ("*.webkit.org", dns_names[0]); |
167 EXPECT_EQ("webkit.org", dns_names[1]); | 167 EXPECT_EQ("webkit.org", dns_names[1]); |
168 | 168 |
169 // Test that the wildcard cert matches properly. | 169 // Test that the wildcard cert matches properly. |
170 bool unused = false; | 170 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", false)); |
171 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused)); | 171 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", false)); |
172 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused)); | 172 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org", false)); |
173 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org", &unused)); | 173 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com", false)); |
174 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com", &unused)); | 174 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com", false)); |
175 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com", &unused)); | |
176 } | 175 } |
177 | 176 |
178 TEST(X509CertificateTest, ThawteCertParsing) { | 177 TEST(X509CertificateTest, ThawteCertParsing) { |
179 scoped_refptr<X509Certificate> thawte_cert(X509Certificate::CreateFromBytes( | 178 scoped_refptr<X509Certificate> thawte_cert(X509Certificate::CreateFromBytes( |
180 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der))); | 179 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der))); |
181 | 180 |
182 ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert.get()); | 181 ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert.get()); |
183 | 182 |
184 const CertPrincipal& subject = thawte_cert->subject(); | 183 const CertPrincipal& subject = thawte_cert->subject(); |
185 EXPECT_EQ("www.thawte.com", subject.common_name); | 184 EXPECT_EQ("www.thawte.com", subject.common_name); |
926 // The hostname to match. | 925 // The hostname to match. |
927 const char* hostname; | 926 const char* hostname; |
928 // Common name, may be used if |dns_names| or |ip_addrs| are empty. | 927 // Common name, may be used if |dns_names| or |ip_addrs| are empty. |
929 const char* common_name; | 928 const char* common_name; |
930 // Comma separated list of certificate names to match against. Any occurrence | 929 // Comma separated list of certificate names to match against. Any occurrence |
931 // of '#' will be replaced with a null character before processing. | 930 // of '#' will be replaced with a null character before processing. |
932 const char* dns_names; | 931 const char* dns_names; |
933 // Comma separated list of certificate IP Addresses to match against. Each | 932 // Comma separated list of certificate IP Addresses to match against. Each |
934 // address is x prefixed 16 byte hex code for v6 or dotted-decimals for v4. | 933 // address is x prefixed 16 byte hex code for v6 or dotted-decimals for v4. |
935 const char* ip_addrs; | 934 const char* ip_addrs; |
| 935 // Whether to disable matching against the commonName. This is a negative |
| 936 // condition so that tests can omit one or more of the above fields and |
| 937 // allow default initialization to handle this case. |
| 938 bool disable_fallback; |
936 }; | 939 }; |
937 | 940 |
938 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how | 941 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how |
939 // to output the parameter that was passed. Without this, it will simply | 942 // to output the parameter that was passed. Without this, it will simply |
940 // attempt to print out the first twenty bytes of the object, which depending | 943 // attempt to print out the first twenty bytes of the object, which depending |
941 // on platform and alignment, may result in an invalid read. | 944 // on platform and alignment, may result in an invalid read. |
942 void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) { | 945 void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) { |
943 ASSERT_TRUE(data.hostname && data.common_name); | 946 ASSERT_TRUE(data.hostname && data.common_name); |
944 // Using StringPiece to allow for optional fields being NULL. | 947 // Using StringPiece to allow for optional fields being NULL. |
945 *os << " expected: " << data.expected | 948 *os << " expected: " << data.expected |
946 << "; hostname: " << data.hostname | 949 << "; hostname: " << data.hostname |
947 << "; common_name: " << data.common_name | 950 << "; common_name: " << data.common_name |
948 << "; dns_names: " << base::StringPiece(data.dns_names) | 951 << "; dns_names: " << base::StringPiece(data.dns_names) |
949 << "; ip_addrs: " << base::StringPiece(data.ip_addrs); | 952 << "; ip_addrs: " << base::StringPiece(data.ip_addrs) |
| 953 << "; disable_fallback: " << data.disable_fallback; |
950 } | 954 } |
951 | 955 |
952 const CertificateNameVerifyTestData kNameVerifyTestData[] = { | 956 const CertificateNameVerifyTestData kNameVerifyTestData[] = { |
953 { true, "foo.com", "foo.com" }, | 957 { true, "foo.com", "foo.com" }, |
954 { true, "f", "f" }, | 958 { true, "f", "f" }, |
955 { false, "h", "i" }, | 959 { false, "h", "i" }, |
956 { true, "bar.foo.com", "*.foo.com" }, | 960 { true, "bar.foo.com", "*.foo.com" }, |
957 { true, "www.test.fr", "common.name", | 961 { true, "www.test.fr", "common.name", |
958 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, | 962 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, |
959 { true, "wwW.tESt.fr", "common.name", | 963 { true, "wwW.tESt.fr", "common.name", |
960 ",*.*,*.test.de,*.test.FR,www" }, | 964 ",*.*,*.test.de,*.test.FR,www" }, |
961 { false, "f.uk", ".uk" }, | 965 { false, "f.uk", ".uk" }, |
962 { false, "w.bar.foo.com", "?.bar.foo.com" }, | 966 { false, "w.bar.foo.com", "?.bar.foo.com" }, |
963 { false, "www.foo.com", "(www|ftp).foo.com" }, | 967 { false, "www.foo.com", "(www|ftp).foo.com" }, |
964 { false, "www.foo.com", "www.foo.com#" }, // # = null char. | 968 { false, "www.foo.com", "www.foo.com#" }, // # = null char. |
965 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, | 969 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, |
966 { false, "www.house.example", "ww.house.example" }, | 970 { false, "www.house.example", "ww.house.example" }, |
967 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, | 971 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, |
968 { false, "w.bar.foo.com", "w*.bar.foo.com" }, | 972 { false, "w.bar.foo.com", "w*.bar.foo.com" }, |
969 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, | 973 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, |
970 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, | 974 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, |
971 { false, "wwww.bar.foo.com", "w*w.bar.foo.com" }, | 975 { false, "wwww.bar.foo.com", "w*w.bar.foo.com" }, |
972 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, | 976 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, |
973 { false, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, | 977 { false, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, |
974 { false, "wally.bar.foo.com", "*Ly.bar.foo.com" }, | 978 { false, "wally.bar.foo.com", "*Ly.bar.foo.com" }, |
975 { true, "ww%57.foo.com", "", "www.foo.com" }, | 979 { true, "ww%57.foo.com", "", "www.foo.com" }, |
976 { true, "www&.foo.com", "www%26.foo.com" }, | 980 { true, "www&.foo.com", "www%26.foo.com" }, |
977 // Common name must not be used if subject alternative name was provided. | 981 // Common name must not be used if subject alternative name was provided. |
978 { false, "www.test.co.jp", "www.test.co.jp", | 982 { false, "www.test.co.jp", "www.test.co.jp", |
979 "*.test.de,*.jp,www.test.co.uk,www.*.co.jp" }, | 983 "*.test.de,*.jp,www.test.co.uk,www.*.co.jp" }, |
980 { false, "www.bar.foo.com", "www.bar.foo.com", | 984 { false, "www.bar.foo.com", "www.bar.foo.com", |
981 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, | 985 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, |
982 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, | 986 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, |
983 { false, "66.77.88.99", "www.bath.org", "www.bath.org" }, | 987 { false, "66.77.88.99", "66.77.88.99", "www.bath.org" }, |
| 988 // Common name must not be used if fallback is disabled. |
| 989 { false, "www.test.com", "www.test.com", nullptr, nullptr, true }, |
| 990 { false, "127.0.0.1", "127.0.0.1", nullptr, nullptr, true }, |
984 // IDN tests | 991 // IDN tests |
985 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, | 992 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, |
986 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, | 993 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, |
987 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," | 994 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," |
988 "xn--poema-*.com.br," | 995 "xn--poema-*.com.br," |
989 "xn--*-9qae5a.com.br," | 996 "xn--*-9qae5a.com.br," |
990 "*--poema-9qae5a.com.br" }, | 997 "*--poema-9qae5a.com.br" }, |
991 // The following are adapted from the examples quoted from | 998 // The following are adapted from the examples quoted from |
992 // http://tools.ietf.org/html/rfc6125#section-6.4.3 | 999 // http://tools.ietf.org/html/rfc6125#section-6.4.3 |
993 // (e.g., *.example.com would match foo.example.com but | 1000 // (e.g., *.example.com would match foo.example.com but |
1136 EXPECT_GE(decimal_value, 0); | 1143 EXPECT_GE(decimal_value, 0); |
1137 EXPECT_LE(decimal_value, 255); | 1144 EXPECT_LE(decimal_value, 255); |
1138 addr_bytes.push_back(static_cast<char>(decimal_value)); | 1145 addr_bytes.push_back(static_cast<char>(decimal_value)); |
1139 } | 1146 } |
1140 ip_addressses.push_back(addr_bytes); | 1147 ip_addressses.push_back(addr_bytes); |
1141 ASSERT_EQ(4U, ip_addressses.back().size()) << i; | 1148 ASSERT_EQ(4U, ip_addressses.back().size()) << i; |
1142 } | 1149 } |
1143 } | 1150 } |
1144 } | 1151 } |
1145 | 1152 |
1146 bool unused = false; | 1153 EXPECT_EQ(test_data.expected, |
1147 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( | 1154 X509Certificate::VerifyHostname(test_data.hostname, common_name, |
1148 test_data.hostname, common_name, dns_names, ip_addressses, &unused)); | 1155 dns_names, ip_addressses, |
| 1156 !test_data.disable_fallback)); |
1149 } | 1157 } |
1150 | 1158 |
1151 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, | 1159 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, |
1152 testing::ValuesIn(kNameVerifyTestData)); | 1160 testing::ValuesIn(kNameVerifyTestData)); |
1153 | 1161 |
1154 const struct PublicKeyInfoTestData { | 1162 const struct PublicKeyInfoTestData { |
1155 const char* cert_file; | 1163 const char* cert_file; |
1156 size_t expected_bits; | 1164 size_t expected_bits; |
1157 X509Certificate::PublicKeyType expected_type; | 1165 X509Certificate::PublicKeyType expected_type; |
1158 } kPublicKeyInfoTestData[] = { | 1166 } kPublicKeyInfoTestData[] = { |
1194 &actual_type); | 1202 &actual_type); |
1195 | 1203 |
1196 EXPECT_EQ(data.expected_bits, actual_bits); | 1204 EXPECT_EQ(data.expected_bits, actual_bits); |
1197 EXPECT_EQ(data.expected_type, actual_type); | 1205 EXPECT_EQ(data.expected_type, actual_type); |
1198 } | 1206 } |
1199 | 1207 |
1200 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, | 1208 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, |
1201 testing::ValuesIn(kPublicKeyInfoTestData)); | 1209 testing::ValuesIn(kPublicKeyInfoTestData)); |
1202 | 1210 |
1203 } // namespace net | 1211 } // namespace net |
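Review bot: The two new `disable_fallback` rows at new lines 989–990 only check that a commonName-only certificate is rejected; nothing in kNameVerifyTestData shows that a certificate whose SAN matches still verifies when fallback is disabled, so a regression that ignored both the CN and the SAN under `disable_fallback` would pass this suite unnoticed. Add a positive control beside them, e.g. `{ true, "www.test.com", "", "www.test.com", nullptr, true },` and, if the IP form is wanted, `{ true, "127.0.0.1", "", nullptr, "127.0.0.1", true },` (the loop that parses `ip_addrs` begins before new line 1143 and is outside the shown hunk, so confirm dotted-decimal input reaches the ip_addressses vector there). The same readability concern applies to the WebKit cert checks at new lines 170–174, where the bare `false` argument says nothing about what is being disabled; a trailing comment on each call such as `/* allow_common_name_fallback= */ false` — confirm the parameter name against x509_certificate.h — would make the intent visible at the call site.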