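--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <stdint.h>
 
 #include <memory>
 
@@ -160,26 +160,25 @@
 const Time& valid_expiry = webkit_cert->valid_expiry();
 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT
 
 std::vector<std::string> dns_names;
 webkit_cert->GetDNSNames(&dns_names);
 ASSERT_EQ(2U, dns_names.size());
 EXPECT_EQ("*.webkit.org", dns_names[0]);
 EXPECT_EQ("webkit.org", dns_names[1]);
 
 // Test that the wildcard cert matches properly.
-bool unused = false;
-EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused));
-EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused));
-EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org", &unused));
-EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com", &unused));
-EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com", &unused));
+EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", false));
+EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", false));
+EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org", false));
+EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com", false));
+EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com", false));
 }
 
 TEST(X509CertificateTest, ThawteCertParsing) {
 scoped_refptr<X509Certificate> thawte_cert(X509Certificate::CreateFromBytes(
 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)));
 
 ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert.get());
 
 const CertPrincipal& subject = thawte_cert->subject();
 EXPECT_EQ("www.thawte.com", subject.common_name);
@@ -926,68 +925,76 @@
 // The hostname to match.
 const char* hostname;
 // Common name, may be used if |dns_names| or |ip_addrs| are empty.
 const char* common_name;
 // Comma separated list of certificate names to match against. Any occurrence
 // of '#' will be replaced with a null character before processing.
 const char* dns_names;
 // Comma separated list of certificate IP Addresses to match against. Each
 // address is x prefixed 16 byte hex code for v6 or dotted-decimals for v4.
 const char* ip_addrs;
+// Whether to disable matching against the commonName. This is a negative
+// condition so that tests can omit one or more of the above fields and
+// allow default initialization to handle this case.
+bool disable_fallback;
 };
 
 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
 // to output the parameter that was passed. Without this, it will simply
 // attempt to print out the first twenty bytes of the object, which depending
 // on platform and alignment, may result in an invalid read.
 void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) {
 ASSERT_TRUE(data.hostname && data.common_name);
 // Using StringPiece to allow for optional fields being NULL.
 *os << " expected: " << data.expected
 << "; hostname: " << data.hostname
 << "; common_name: " << data.common_name
 << "; dns_names: " << base::StringPiece(data.dns_names)
 << "; ip_addrs: " << base::StringPiece(data.ip_addrs)
+<< "; disable_fallback: " << data.disable_fallback;
 }
 
 const CertificateNameVerifyTestData kNameVerifyTestData[] = {
 { true, "foo.com", "foo.com" },
 { true, "f", "f" },
 { false, "h", "i" },
 { true, "bar.foo.com", "*.foo.com" },
 { true, "www.test.fr", "common.name",
 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" },
 { true, "wwW.tESt.fr", "common.name",
 ",*.*,*.test.de,*.test.FR,www" },
 { false, "f.uk", ".uk" },
 { false, "w.bar.foo.com", "?.bar.foo.com" },
 { false, "www.foo.com", "(www|ftp).foo.com" },
 { false, "www.foo.com", "www.foo.com#" }, // # = null char.
 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" },
 { false, "www.house.example", "ww.house.example" },
 { false, "test.org", "", "www.test.org,*.test.org,*.org" },
 { false, "w.bar.foo.com", "w*.bar.foo.com" },
 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" },
 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" },
 { false, "wwww.bar.foo.com", "w*w.bar.foo.com" },
 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" },
 { false, "WALLY.bar.foo.com", "wa*.bar.foo.com" },
 { false, "wally.bar.foo.com", "*Ly.bar.foo.com" },
 { true, "ww%57.foo.com", "", "www.foo.com" },
 { true, "www&.foo.com", "www%26.foo.com" },
 // Common name must not be used if subject alternative name was provided.
 { false, "www.test.co.jp", "www.test.co.jp",
 "*.test.de,*.jp,www.test.co.uk,www.*.co.jp" },
 { false, "www.bar.foo.com", "www.bar.foo.com",
 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," },
 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" },
-{ false, "66.77.88.99", "www.bath.org", "www.bath.org" },
+{ false, "66.77.88.99", "66.77.88.99", "www.bath.org" },
+// Common name must not be used if fallback is disabled.
+{ false, "www.test.com", "www.test.com", nullptr, nullptr, true },
+{ false, "127.0.0.1", "127.0.0.1", nullptr, nullptr, true },
 // IDN tests
 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" },
 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br,"
 "xn--poema-*.com.br,"
 "xn--*-9qae5a.com.br,"
 "*--poema-9qae5a.com.br" },
 // The following are adapted from the examples quoted from
 // http://tools.ietf.org/html/rfc6125#section-6.4.3
 // (e.g., *.example.com would match foo.example.com but
@@ -1136,23 +1143,24 @@
 EXPECT_GE(decimal_value, 0);
 EXPECT_LE(decimal_value, 255);
 addr_bytes.push_back(static_cast<char>(decimal_value));
 }
 ip_addressses.push_back(addr_bytes);
 ASSERT_EQ(4U, ip_addressses.back().size()) << i;
 }
 }
 }
 
-bool unused = false;
-EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(
-test_data.hostname, common_name, dns_names, ip_addressses, &unused));
+EXPECT_EQ(test_data.expected,
+X509Certificate::VerifyHostname(test_data.hostname, common_name,
+dns_names, ip_addressses,
+!test_data.disable_fallback));
 }
 
 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
 testing::ValuesIn(kNameVerifyTestData));
 
 const struct PublicKeyInfoTestData {
 const char* cert_file;
 size_t expected_bits;
 X509Certificate::PublicKeyType expected_type;
 } kPublicKeyInfoTestData[] = {
@@ -1194,10 +1202,10 @@
 &actual_type);
 
 EXPECT_EQ(data.expected_bits, actual_bits);
 EXPECT_EQ(data.expected_type, actual_type);
 }
 
 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest,
 testing::ValuesIn(kPublicKeyInfoTestData));
 
 } // namespace net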
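Review bot: The new `disable_fallback` flag in kNameVerifyTestData is only exercised in the negative direction — the two rows added under `// Common name must not be used if fallback is disabled.` (new lines 989–990) both expect false — so an implementation that rejected every hostname whenever fallback is disabled would still pass. Add a positive row showing that subjectAltName matching is unaffected by the flag, e.g. `{ true, "www.test.com", "", "www.test.com", nullptr, true },` and, if the harness's IP parsing supports it, an IP SAN variant such as `{ true, "127.0.0.1", "", "", "127.0.0.1", true },`. The same gap applies to the WebKitCertParsing hunk (new lines 170–174), where every VerifyNameMatch call now passes `false`; a one-line comment there, `// SAN-only match: common-name fallback is disabled for every call.`, would make the intent explicit. The parameterized test body that consumes `!test_data.disable_fallback` begins outside the hunk.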