| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 866 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 877 scoped_refptr<X509Certificate> cert(cert_list[0]); | 877 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 878 | 878 |
| 879 CertVerifyResult verify_result; | 879 CertVerifyResult verify_result; |
| 880 int error = 0; | 880 int error = 0; |
| 881 | 881 |
| 882 // Intranet names for public CAs should be flagged: | 882 // Intranet names for public CAs should be flagged: |
| 883 CertVerifyResult dummy_result; | 883 CertVerifyResult dummy_result; |
| 884 dummy_result.is_issued_by_known_root = true; | 884 dummy_result.is_issued_by_known_root = true; |
| 885 scoped_refptr<CertVerifyProc> verify_proc = | 885 scoped_refptr<CertVerifyProc> verify_proc = |
| 886 new MockCertVerifyProc(dummy_result); | 886 new MockCertVerifyProc(dummy_result); |
| 887 error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL, | 887 error = verify_proc->Verify(cert.get(), "webmail", std::string(), 0, nullptr, |
| 888 CertificateList(), &verify_result); | 888 CertificateList(), &verify_result); |
| 889 EXPECT_THAT(error, IsOk()); | 889 EXPECT_THAT(error, IsOk()); |
| 890 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 890 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 891 | 891 |
| 892 // However, if the CA is not well known, these should not be flagged: | 892 // However, if the CA is not well known, these should not be flagged: |
| 893 dummy_result.Reset(); | 893 dummy_result.Reset(); |
| 894 dummy_result.is_issued_by_known_root = false; | 894 dummy_result.is_issued_by_known_root = false; |
| 895 verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result)); | 895 verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result)); |
| 896 error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL, | 896 error = verify_proc->Verify(cert.get(), "webmail", std::string(), 0, nullptr, |
| 897 CertificateList(), &verify_result); | 897 CertificateList(), &verify_result); |
| 898 EXPECT_THAT(error, IsOk()); | 898 EXPECT_THAT(error, IsOk()); |
| 899 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 899 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 900 } | 900 } |
| 901 | 901 |
| 902 // While all SHA-1 certificates should be rejected, in the event that there | 902 // While all SHA-1 certificates should be rejected, in the event that there |
| 903 // emerges some unexpected bug, test that the 'legacy' behaviour works | 903 // emerges some unexpected bug, test that the 'legacy' behaviour works |
| 904 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs | 904 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs |
| 905 // that were issued after 1 January 2016, while still allowing those from | 905 // that were issued after 1 January 2016, while still allowing those from |
| 906 // before that date, with SHA-1 in the intermediate, or from an enterprise | 906 // before that date, with SHA-1 in the intermediate, or from an enterprise |
| (...skipping 798 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1705 {NULL, NULL, "weak_digest_md5_ee.pem", 0}, | 1705 {NULL, NULL, "weak_digest_md5_ee.pem", 0}, |
| 1706 {NULL, NULL, "weak_digest_md4_ee.pem", 0}, | 1706 {NULL, NULL, "weak_digest_md4_ee.pem", 0}, |
| 1707 {NULL, NULL, "weak_digest_md2_ee.pem", 0}, | 1707 {NULL, NULL, "weak_digest_md2_ee.pem", 0}, |
| 1708 {NULL, NULL, "weak_digest_sha1_ee.pem", 0}, | 1708 {NULL, NULL, "weak_digest_sha1_ee.pem", 0}, |
| 1709 }; | 1709 }; |
| 1710 | 1710 |
| 1711 INSTANTIATE_TEST_CASE_P(VerifyTrustedEE, | 1711 INSTANTIATE_TEST_CASE_P(VerifyTrustedEE, |
| 1712 CertVerifyProcWeakDigestTest, | 1712 CertVerifyProcWeakDigestTest, |
| 1713 testing::ValuesIn(kVerifyTrustedEETestData)); | 1713 testing::ValuesIn(kVerifyTrustedEETestData)); |
| 1714 | 1714 |
| 1715 // For the list of valid hostnames, see | 1715 // Test fixture for verifying certificate names. |
| 1716 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem | 1716 class CertVerifyProcNameTest : public ::testing::Test { |
| 1717 struct CertVerifyProcNameData { | |
| 1718 const char* hostname; | |
| 1719 bool valid; // Whether or not |hostname| matches a subjectAltName. | |
| 1720 }; | |
| 1721 | |
| 1722 // Test fixture for verifying certificate names. These tests are run for each | |
| 1723 // of the CertVerify implementations. | |
| 1724 class CertVerifyProcNameTest : public CertVerifyProcInternalTest { | |
| 1725 public: | |
| 1726 CertVerifyProcNameTest() {} | |
| 1727 virtual ~CertVerifyProcNameTest() {} | |
| 1728 | |
| 1729 protected: | 1717 protected: |
| 1730 void VerifyCertName(const char* hostname, bool valid) { | 1718 void VerifyCertName(const char* hostname, bool valid) { |
| 1731 CertificateList cert_list = CreateCertificateListFromFile( | 1719 scoped_refptr<X509Certificate> cert(ImportCertFromFile( |
| 1732 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem", | 1720 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem")); |
| 1733 X509Certificate::FORMAT_AUTO); | 1721 ASSERT_TRUE(cert); |
| 1734 ASSERT_EQ(1U, cert_list.size()); | 1722 CertVerifyResult result; |
| 1735 scoped_refptr<X509Certificate> cert(cert_list[0]); | 1723 result.is_issued_by_known_root = false; |
| 1736 | 1724 scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result); |
| 1737 ScopedTestRoot scoped_root(cert.get()); | |
| 1738 | 1725 |
| 1739 CertVerifyResult verify_result; | 1726 CertVerifyResult verify_result; |
| 1740 int error = Verify(cert.get(), hostname, 0, NULL, CertificateList(), | 1727 int error = verify_proc->Verify(cert.get(), hostname, std::string(), 0, |
| 1741 &verify_result); | 1728 nullptr, CertificateList(), &verify_result); |
| 1742 if (valid) { | 1729 if (valid) { |
| 1743 EXPECT_THAT(error, IsOk()); | 1730 EXPECT_THAT(error, IsOk()); |
| 1744 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1731 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1745 } else { | 1732 } else { |
| 1746 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); | 1733 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
| 1747 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1734 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1748 } | 1735 } |
| 1749 } | 1736 } |
| 1750 }; | 1737 }; |
| 1751 | 1738 |
| 1752 // Don't match the common name | 1739 // Don't match the common name |
| 1753 TEST_P(CertVerifyProcNameTest, DontMatchCommonName) { | 1740 TEST_F(CertVerifyProcNameTest, DontMatchCommonName) { |
| 1754 VerifyCertName("127.0.0.1", false); | 1741 VerifyCertName("127.0.0.1", false); |
| 1755 } | 1742 } |
| 1756 | 1743 |
| 1757 // Matches the iPAddress SAN (IPv4) | 1744 // Matches the iPAddress SAN (IPv4) |
| 1758 TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv4) { | 1745 TEST_F(CertVerifyProcNameTest, MatchesIpSanIpv4) { |
| 1759 VerifyCertName("127.0.0.2", true); | 1746 VerifyCertName("127.0.0.2", true); |
| 1760 } | 1747 } |
| 1761 | 1748 |
| 1762 // Matches the iPAddress SAN (IPv6) | 1749 // Matches the iPAddress SAN (IPv6) |
| 1763 TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv6) { | 1750 TEST_F(CertVerifyProcNameTest, MatchesIpSanIpv6) { |
| 1764 VerifyCertName("FE80:0:0:0:0:0:0:1", true); | 1751 VerifyCertName("FE80:0:0:0:0:0:0:1", true); |
| 1765 } | 1752 } |
| 1766 | 1753 |
| 1767 // Should not match the iPAddress SAN | 1754 // Should not match the iPAddress SAN |
| 1768 TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) { | 1755 TEST_F(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) { |
| 1769 VerifyCertName("[FE80:0:0:0:0:0:0:1]", false); | 1756 VerifyCertName("[FE80:0:0:0:0:0:0:1]", false); |
| 1770 } | 1757 } |
| 1771 | 1758 |
| 1772 // Compressed form matches the iPAddress SAN (IPv6) | 1759 // Compressed form matches the iPAddress SAN (IPv6) |
| 1773 TEST_P(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) { | 1760 TEST_F(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) { |
| 1774 VerifyCertName("FE80::1", true); | 1761 VerifyCertName("FE80::1", true); |
| 1775 } | 1762 } |
| 1776 | 1763 |
| 1777 // IPv6 mapped form should NOT match iPAddress SAN | 1764 // IPv6 mapped form should NOT match iPAddress SAN |
| 1778 TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) { | 1765 TEST_F(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) { |
| 1779 VerifyCertName("::127.0.0.2", false); | 1766 VerifyCertName("::127.0.0.2", false); |
| 1780 } | 1767 } |
| 1781 | 1768 |
| 1782 // Matches the dNSName SAN | 1769 // Matches the dNSName SAN |
| 1783 TEST_P(CertVerifyProcNameTest, MatchesDnsSan) { | 1770 TEST_F(CertVerifyProcNameTest, MatchesDnsSan) { |
| 1784 VerifyCertName("test.example", true); | 1771 VerifyCertName("test.example", true); |
| 1785 } | 1772 } |
| 1786 | 1773 |
| 1787 // Matches the dNSName SAN (trailing . ignored) | 1774 // Matches the dNSName SAN (trailing . ignored) |
| 1788 TEST_P(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) { | 1775 TEST_F(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) { |
| 1789 VerifyCertName("test.example.", true); | 1776 VerifyCertName("test.example.", true); |
| 1790 } | 1777 } |
| 1791 | 1778 |
| 1792 // Should not match the dNSName SAN | 1779 // Should not match the dNSName SAN |
| 1793 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSan) { | 1780 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSan) { |
| 1794 VerifyCertName("www.test.example", false); | 1781 VerifyCertName("www.test.example", false); |
| 1795 } | 1782 } |
| 1796 | 1783 |
| 1797 // Should not match the dNSName SAN | 1784 // Should not match the dNSName SAN |
| 1798 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) { | 1785 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) { |
| 1799 VerifyCertName("test..example", false); | 1786 VerifyCertName("test..example", false); |
| 1800 } | 1787 } |
| 1801 | 1788 |
| 1802 // Should not match the dNSName SAN | 1789 // Should not match the dNSName SAN |
| 1803 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) { | 1790 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) { |
| 1804 VerifyCertName("test.example..", false); | 1791 VerifyCertName("test.example..", false); |
| 1805 } | 1792 } |
| 1806 | 1793 |
| 1807 // Should not match the dNSName SAN | 1794 // Should not match the dNSName SAN |
| 1808 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { | 1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { |
| 1809 VerifyCertName(".test.example.", false); | 1796 VerifyCertName(".test.example.", false); |
| 1810 } | 1797 } |
| 1811 | 1798 |
| 1812 // Should not match the dNSName SAN | 1799 // Should not match the dNSName SAN |
| 1813 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { | 1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { |
| 1814 VerifyCertName(".test.example", false); | 1801 VerifyCertName(".test.example", false); |
| 1815 } | 1802 } |
| 1816 | 1803 |
| 1817 INSTANTIATE_TEST_CASE_P(VerifyName, | |
| 1818 CertVerifyProcNameTest, | |
| 1819 testing::ValuesIn(kAllCertVerifiers), | |
| 1820 VerifyProcTypeToName); | |
| 1821 | |
| 1822 // Tests that CertVerifyProc records a histogram correctly when a | 1804 // Tests that CertVerifyProc records a histogram correctly when a |
| 1823 // certificate chaining to a private root contains the TLS feature | 1805 // certificate chaining to a private root contains the TLS feature |
| 1824 // extension and does not have a stapled OCSP response. | 1806 // extension and does not have a stapled OCSP response. |
| 1825 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { | 1807 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { |
| 1826 base::HistogramTester histograms; | 1808 base::HistogramTester histograms; |
| 1827 scoped_refptr<X509Certificate> cert( | 1809 scoped_refptr<X509Certificate> cert( |
| 1828 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1810 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
| 1829 ASSERT_TRUE(cert); | 1811 ASSERT_TRUE(cert); |
| 1830 CertVerifyResult result; | 1812 CertVerifyResult result; |
| 1831 result.is_issued_by_known_root = false; | 1813 result.is_issued_by_known_root = false; |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1914 int flags = 0; | 1896 int flags = 0; |
| 1915 CertVerifyResult verify_result; | 1897 CertVerifyResult verify_result; |
| 1916 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, | 1898 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, |
| 1917 NULL, CertificateList(), &verify_result); | 1899 NULL, CertificateList(), &verify_result); |
| 1918 EXPECT_EQ(OK, error); | 1900 EXPECT_EQ(OK, error); |
| 1919 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1901 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 1920 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1902 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 1921 } | 1903 } |
| 1922 | 1904 |
| 1923 } // namespace net | 1905 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2725683002:
Move name matching into the shared certificate validator (Closed)
