OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
(...skipping 1694 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1705 {NULL, NULL, "weak_digest_md5_ee.pem", 0}, | 1705 {NULL, NULL, "weak_digest_md5_ee.pem", 0}, |
1706 {NULL, NULL, "weak_digest_md4_ee.pem", 0}, | 1706 {NULL, NULL, "weak_digest_md4_ee.pem", 0}, |
1707 {NULL, NULL, "weak_digest_md2_ee.pem", 0}, | 1707 {NULL, NULL, "weak_digest_md2_ee.pem", 0}, |
1708 {NULL, NULL, "weak_digest_sha1_ee.pem", 0}, | 1708 {NULL, NULL, "weak_digest_sha1_ee.pem", 0}, |
1709 }; | 1709 }; |
1710 | 1710 |
1711 INSTANTIATE_TEST_CASE_P(VerifyTrustedEE, | 1711 INSTANTIATE_TEST_CASE_P(VerifyTrustedEE, |
1712 CertVerifyProcWeakDigestTest, | 1712 CertVerifyProcWeakDigestTest, |
1713 testing::ValuesIn(kVerifyTrustedEETestData)); | 1713 testing::ValuesIn(kVerifyTrustedEETestData)); |
1714 | 1714 |
1715 // For the list of valid hostnames, see | |
1716 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem | |
1717 struct CertVerifyProcNameData { | |
1718 const char* hostname; | |
1719 bool valid; // Whether or not |hostname| matches a subjectAltName. | |
1720 }; | |
1721 | |
1722 // Test fixture for verifying certificate names. These tests are run for each | 1715 // Test fixture for verifying certificate names. These tests are run for each |
1723 // of the CertVerify implementations. | 1716 // of the CertVerify implementations. |
1724 class CertVerifyProcNameTest : public CertVerifyProcInternalTest { | 1717 class CertVerifyProcNameTest : public ::testing::Test { |
1725 public: | |
1726 CertVerifyProcNameTest() {} | |
1727 virtual ~CertVerifyProcNameTest() {} | |
1728 | |
1729 protected: | 1718 protected: |
1730 void VerifyCertName(const char* hostname, bool valid) { | 1719 void VerifyCertName(const char* hostname, bool valid) { |
1731 CertificateList cert_list = CreateCertificateListFromFile( | 1720 scoped_refptr<X509Certificate> cert(ImportCertFromFile( |
1732 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem", | 1721 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem")); |
1733 X509Certificate::FORMAT_AUTO); | 1722 ASSERT_TRUE(cert); |
1734 ASSERT_EQ(1U, cert_list.size()); | 1723 CertVerifyResult result; |
1735 scoped_refptr<X509Certificate> cert(cert_list[0]); | 1724 result.is_issued_by_known_root = false; |
1736 | 1725 scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result); |
1737 ScopedTestRoot scoped_root(cert.get()); | |
1738 | 1726 |
1739 CertVerifyResult verify_result; | 1727 CertVerifyResult verify_result; |
1740 int error = Verify(cert.get(), hostname, 0, NULL, CertificateList(), | 1728 int error = verify_proc->Verify(cert.get(), hostname, std::string(), 0, |
1741 &verify_result); | 1729 nullptr, CertificateList(), &verify_result); |
1742 if (valid) { | 1730 if (valid) { |
1743 EXPECT_THAT(error, IsOk()); | 1731 EXPECT_THAT(error, IsOk()); |
1744 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1732 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1745 } else { | 1733 } else { |
1746 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); | 1734 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
1747 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1735 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1748 } | 1736 } |
1749 } | 1737 } |
1750 }; | 1738 }; |
1751 | 1739 |
1752 // Don't match the common name | 1740 // Don't match the common name |
1753 TEST_P(CertVerifyProcNameTest, DontMatchCommonName) { | 1741 TEST_F(CertVerifyProcNameTest, DontMatchCommonName) { |
1754 VerifyCertName("127.0.0.1", false); | 1742 VerifyCertName("127.0.0.1", false); |
1755 } | 1743 } |
1756 | 1744 |
1757 // Matches the iPAddress SAN (IPv4) | 1745 // Matches the iPAddress SAN (IPv4) |
1758 TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv4) { | 1746 TEST_F(CertVerifyProcNameTest, MatchesIpSanIpv4) { |
1759 VerifyCertName("127.0.0.2", true); | 1747 VerifyCertName("127.0.0.2", true); |
1760 } | 1748 } |
1761 | 1749 |
1762 // Matches the iPAddress SAN (IPv6) | 1750 // Matches the iPAddress SAN (IPv6) |
1763 TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv6) { | 1751 TEST_F(CertVerifyProcNameTest, MatchesIpSanIpv6) { |
1764 VerifyCertName("FE80:0:0:0:0:0:0:1", true); | 1752 VerifyCertName("FE80:0:0:0:0:0:0:1", true); |
1765 } | 1753 } |
1766 | 1754 |
1767 // Should not match the iPAddress SAN | 1755 // Should not match the iPAddress SAN |
1768 TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) { | 1756 TEST_F(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) { |
1769 VerifyCertName("[FE80:0:0:0:0:0:0:1]", false); | 1757 VerifyCertName("[FE80:0:0:0:0:0:0:1]", false); |
1770 } | 1758 } |
1771 | 1759 |
1772 // Compressed form matches the iPAddress SAN (IPv6) | 1760 // Compressed form matches the iPAddress SAN (IPv6) |
1773 TEST_P(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) { | 1761 TEST_F(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) { |
1774 VerifyCertName("FE80::1", true); | 1762 VerifyCertName("FE80::1", true); |
1775 } | 1763 } |
1776 | 1764 |
1777 // IPv6 mapped form should NOT match iPAddress SAN | 1765 // IPv6 mapped form should NOT match iPAddress SAN |
1778 TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) { | 1766 TEST_F(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) { |
1779 VerifyCertName("::127.0.0.2", false); | 1767 VerifyCertName("::127.0.0.2", false); |
1780 } | 1768 } |
1781 | 1769 |
1782 // Matches the dNSName SAN | 1770 // Matches the dNSName SAN |
1783 TEST_P(CertVerifyProcNameTest, MatchesDnsSan) { | 1771 TEST_F(CertVerifyProcNameTest, MatchesDnsSan) { |
1784 VerifyCertName("test.example", true); | 1772 VerifyCertName("test.example", true); |
1785 } | 1773 } |
1786 | 1774 |
1787 // Matches the dNSName SAN (trailing . ignored) | 1775 // Matches the dNSName SAN (trailing . ignored) |
1788 TEST_P(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) { | 1776 TEST_F(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) { |
1789 VerifyCertName("test.example.", true); | 1777 VerifyCertName("test.example.", true); |
1790 } | 1778 } |
1791 | 1779 |
1792 // Should not match the dNSName SAN | 1780 // Should not match the dNSName SAN |
1793 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSan) { | 1781 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSan) { |
1794 VerifyCertName("www.test.example", false); | 1782 VerifyCertName("www.test.example", false); |
1795 } | 1783 } |
1796 | 1784 |
1797 // Should not match the dNSName SAN | 1785 // Should not match the dNSName SAN |
1798 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) { | 1786 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) { |
1799 VerifyCertName("test..example", false); | 1787 VerifyCertName("test..example", false); |
1800 } | 1788 } |
1801 | 1789 |
1802 // Should not match the dNSName SAN | 1790 // Should not match the dNSName SAN |
1803 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) { | 1791 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) { |
1804 VerifyCertName("test.example..", false); | 1792 VerifyCertName("test.example..", false); |
1805 } | 1793 } |
1806 | 1794 |
1807 // Should not match the dNSName SAN | 1795 // Should not match the dNSName SAN |
1808 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { | 1796 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { |
1809 VerifyCertName(".test.example.", false); | 1797 VerifyCertName(".test.example.", false); |
1810 } | 1798 } |
1811 | 1799 |
1812 // Should not match the dNSName SAN | 1800 // Should not match the dNSName SAN |
1813 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { | 1801 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { |
1814 VerifyCertName(".test.example", false); | 1802 VerifyCertName(".test.example", false); |
1815 } | 1803 } |
1816 | 1804 |
1817 INSTANTIATE_TEST_CASE_P(VerifyName, | 1805 // Tests that commonName-fallback is handled correctly: |
1818 CertVerifyProcNameTest, | 1806 // - If it's a publicly trusted certificate, the commonName should never |
1819 testing::ValuesIn(kAllCertVerifiers), | 1807 // match, both with a subjectAltName is present and when it is absent. |
1820 VerifyProcTypeToName); | 1808 // - If it chains to a private root, the commonName should not match if |
| 1809 // the subjectAltName is present. |
| 1810 // - If it chains to a private root, the commonName should not match if |
| 1811 // the subjectAltName is absent, and the flags don't allow fallback. |
| 1812 // - If it chains to a private root, the commonName SHOULD match iff the |
| 1813 // subjectAltName is absent and the flags allow a fallback. |
| 1814 TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) { |
| 1815 scoped_refptr<X509Certificate> cert( |
| 1816 ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem")); |
| 1817 ASSERT_TRUE(cert); |
| 1818 |
| 1819 CertVerifyResult result; |
| 1820 scoped_refptr<CertVerifyProc> verify_proc; |
| 1821 CertVerifyResult verify_result; |
| 1822 int error; |
| 1823 |
| 1824 // Publicly trusted: Always ignores commonName, regardless of flags. |
| 1825 result = CertVerifyResult(); |
| 1826 verify_result = CertVerifyResult(); |
| 1827 error = 0; |
| 1828 result.is_issued_by_known_root = true; |
| 1829 verify_proc = new MockCertVerifyProc(result); |
| 1830 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", |
| 1831 std::string(), 0, nullptr, CertificateList(), |
| 1832 &verify_result); |
| 1833 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
| 1834 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1835 |
| 1836 result = CertVerifyResult(); |
| 1837 verify_result = CertVerifyResult(); |
| 1838 error = 0; |
| 1839 result.is_issued_by_known_root = true; |
| 1840 verify_proc = new MockCertVerifyProc(result); |
| 1841 error = verify_proc->Verify( |
| 1842 cert.get(), "prerelna1.pre.salesforce.com", std::string(), |
| 1843 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, |
| 1844 CertificateList(), &verify_result); |
| 1845 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
| 1846 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1847 |
| 1848 // Privately trusted: Ignores commonName by default. |
| 1849 result = CertVerifyResult(); |
| 1850 verify_result = CertVerifyResult(); |
| 1851 error = 0; |
| 1852 result.is_issued_by_known_root = false; |
| 1853 verify_proc = new MockCertVerifyProc(result); |
| 1854 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", |
| 1855 std::string(), 0, nullptr, CertificateList(), |
| 1856 &verify_result); |
| 1857 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
| 1858 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1859 |
| 1860 // Privately trusted: Falls back to common name if flags allow. |
| 1861 result = CertVerifyResult(); |
| 1862 verify_result = CertVerifyResult(); |
| 1863 error = 0; |
| 1864 result.is_issued_by_known_root = false; |
| 1865 verify_proc = new MockCertVerifyProc(result); |
| 1866 error = verify_proc->Verify( |
| 1867 cert.get(), "prerelna1.pre.salesforce.com", std::string(), |
| 1868 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, |
| 1869 CertificateList(), &verify_result); |
| 1870 EXPECT_THAT(error, IsOk()); |
| 1871 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1872 } |
1821 | 1873 |
1822 // Tests that CertVerifyProc records a histogram correctly when a | 1874 // Tests that CertVerifyProc records a histogram correctly when a |
1823 // certificate chaining to a private root contains the TLS feature | 1875 // certificate chaining to a private root contains the TLS feature |
1824 // extension and does not have a stapled OCSP response. | 1876 // extension and does not have a stapled OCSP response. |
1825 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { | 1877 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { |
1826 base::HistogramTester histograms; | 1878 base::HistogramTester histograms; |
1827 scoped_refptr<X509Certificate> cert( | 1879 scoped_refptr<X509Certificate> cert( |
1828 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1880 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
1829 ASSERT_TRUE(cert); | 1881 ASSERT_TRUE(cert); |
1830 CertVerifyResult result; | 1882 CertVerifyResult result; |
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1914 int flags = 0; | 1966 int flags = 0; |
1915 CertVerifyResult verify_result; | 1967 CertVerifyResult verify_result; |
1916 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, | 1968 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, |
1917 NULL, CertificateList(), &verify_result); | 1969 NULL, CertificateList(), &verify_result); |
1918 EXPECT_EQ(OK, error); | 1970 EXPECT_EQ(OK, error); |
1919 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1971 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
1920 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1972 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
1921 } | 1973 } |
1922 | 1974 |
1923 } // namespace net | 1975 } // namespace net |
OLD | NEW |