Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(150)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 2719273002: Disable commonName matching for certificates (Closed)
Patch Set: Update macOS Keychain Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/cert_verify_proc_mac.cc ('K') | « net/cert/cert_verify_proc_openssl.cc ('k') | net/cert/internal/path_builder_unittest.cc » ('j') | net/cert/x509_certificate.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 18596457988892f3a1d8276f2760e09fc49a1b7f..ef3bb4c5998c8dbe006aa83b6030dd7e4e837fb3 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -1801,6 +1801,75 @@ TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
VerifyCertName(".test.example", false);
}
+// Tests that commonName-fallback is handled correctly:
mattm 2017/03/01 23:56:47 The comment here mentions more cases than are actu
Ryan Sleevi 2017/03/02 00:15:31 Yeah, I ended up moving them into the X509Certific
+// - If it's a publicly trusted certificate, the commonName should never
+// match, both with a subjectAltName is present and when it is absent.
+// - If it chains to a private root, the commonName should not match if
+// the subjectAltName is present.
+// - If it chains to a private root, the commonName should not match if
+// the subjectAltName is absent, and the flags don't allow fallback.
+// - If it chains to a private root, the commonName SHOULD match iff the
+// subjectAltName is absent and the flags allow a fallback.
+TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) {
+ scoped_refptr<X509Certificate> cert(
+ ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem"));
+ ASSERT_TRUE(cert);
+
+ CertVerifyResult result;
+ scoped_refptr<CertVerifyProc> verify_proc;
+ CertVerifyResult verify_result;
+ int error;
+
+ // Publicly trusted: Always ignores commonName, regardless of flags.
+ result = CertVerifyResult();
+ verify_result = CertVerifyResult();
+ error = 0;
+ result.is_issued_by_known_root = true;
+ verify_proc = new MockCertVerifyProc(result);
+ error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
+ std::string(), 0, nullptr, CertificateList(),
+ &verify_result);
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+
+ result = CertVerifyResult();
+ verify_result = CertVerifyResult();
+ error = 0;
+ result.is_issued_by_known_root = true;
+ verify_proc = new MockCertVerifyProc(result);
+ error = verify_proc->Verify(
+ cert.get(), "prerelna1.pre.salesforce.com", std::string(),
+ CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
+ CertificateList(), &verify_result);
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+
+ // Privately trusted: Ignores commonName by default.
+ result = CertVerifyResult();
+ verify_result = CertVerifyResult();
+ error = 0;
+ result.is_issued_by_known_root = false;
+ verify_proc = new MockCertVerifyProc(result);
+ error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
+ std::string(), 0, nullptr, CertificateList(),
+ &verify_result);
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+
+ // Privately trusted: Falls back to common name if flags allow.
+ result = CertVerifyResult();
+ verify_result = CertVerifyResult();
+ error = 0;
+ result.is_issued_by_known_root = false;
+ verify_proc = new MockCertVerifyProc(result);
+ error = verify_proc->Verify(
+ cert.get(), "prerelna1.pre.salesforce.com", std::string(),
+ CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
+ CertificateList(), &verify_result);
+ EXPECT_THAT(error, IsOk());
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+}
+
// Tests that CertVerifyProc records a histogram correctly when a
// certificate chaining to a private root contains the TLS feature
// extension and does not have a stapled OCSP response.
« net/cert/cert_verify_proc_mac.cc ('K') | « net/cert/cert_verify_proc_openssl.cc ('k') | net/cert/internal/path_builder_unittest.cc » ('j') | net/cert/x509_certificate.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698