OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
(...skipping 866 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
877 scoped_refptr<X509Certificate> cert(cert_list[0]); | 877 scoped_refptr<X509Certificate> cert(cert_list[0]); |
878 | 878 |
879 CertVerifyResult verify_result; | 879 CertVerifyResult verify_result; |
880 int error = 0; | 880 int error = 0; |
881 | 881 |
882 // Intranet names for public CAs should be flagged: | 882 // Intranet names for public CAs should be flagged: |
883 CertVerifyResult dummy_result; | 883 CertVerifyResult dummy_result; |
884 dummy_result.is_issued_by_known_root = true; | 884 dummy_result.is_issued_by_known_root = true; |
885 scoped_refptr<CertVerifyProc> verify_proc = | 885 scoped_refptr<CertVerifyProc> verify_proc = |
886 new MockCertVerifyProc(dummy_result); | 886 new MockCertVerifyProc(dummy_result); |
887 error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL, | 887 error = verify_proc->Verify(cert.get(), "webmail", std::string(), 0, nullptr, |
888 CertificateList(), &verify_result); | 888 CertificateList(), &verify_result); |
889 EXPECT_THAT(error, IsOk()); | 889 EXPECT_THAT(error, IsOk()); |
890 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 890 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
891 | 891 |
892 // However, if the CA is not well known, these should not be flagged: | 892 // However, if the CA is not well known, these should not be flagged: |
893 dummy_result.Reset(); | 893 dummy_result.Reset(); |
894 dummy_result.is_issued_by_known_root = false; | 894 dummy_result.is_issued_by_known_root = false; |
895 verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result)); | 895 verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result)); |
896 error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL, | 896 error = verify_proc->Verify(cert.get(), "webmail", std::string(), 0, nullptr, |
897 CertificateList(), &verify_result); | 897 CertificateList(), &verify_result); |
898 EXPECT_THAT(error, IsOk()); | 898 EXPECT_THAT(error, IsOk()); |
899 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 899 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
900 } | 900 } |
901 | 901 |
902 // While all SHA-1 certificates should be rejected, in the event that there | 902 // While all SHA-1 certificates should be rejected, in the event that there |
903 // emerges some unexpected bug, test that the 'legacy' behaviour works | 903 // emerges some unexpected bug, test that the 'legacy' behaviour works |
904 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs | 904 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs |
905 // that were issued after 1 January 2016, while still allowing those from | 905 // that were issued after 1 January 2016, while still allowing those from |
906 // before that date, with SHA-1 in the intermediate, or from an enterprise | 906 // before that date, with SHA-1 in the intermediate, or from an enterprise |
(...skipping 798 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1705 {NULL, NULL, "weak_digest_md5_ee.pem", 0}, | 1705 {NULL, NULL, "weak_digest_md5_ee.pem", 0}, |
1706 {NULL, NULL, "weak_digest_md4_ee.pem", 0}, | 1706 {NULL, NULL, "weak_digest_md4_ee.pem", 0}, |
1707 {NULL, NULL, "weak_digest_md2_ee.pem", 0}, | 1707 {NULL, NULL, "weak_digest_md2_ee.pem", 0}, |
1708 {NULL, NULL, "weak_digest_sha1_ee.pem", 0}, | 1708 {NULL, NULL, "weak_digest_sha1_ee.pem", 0}, |
1709 }; | 1709 }; |
1710 | 1710 |
1711 INSTANTIATE_TEST_CASE_P(VerifyTrustedEE, | 1711 INSTANTIATE_TEST_CASE_P(VerifyTrustedEE, |
1712 CertVerifyProcWeakDigestTest, | 1712 CertVerifyProcWeakDigestTest, |
1713 testing::ValuesIn(kVerifyTrustedEETestData)); | 1713 testing::ValuesIn(kVerifyTrustedEETestData)); |
1714 | 1714 |
1715 // For the list of valid hostnames, see | 1715 // Test fixture for verifying certificate names. |
1716 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem | 1716 class CertVerifyProcNameTest : public ::testing::Test { |
1717 struct CertVerifyProcNameData { | |
1718 const char* hostname; | |
1719 bool valid; // Whether or not |hostname| matches a subjectAltName. | |
1720 }; | |
1721 | |
1722 // Test fixture for verifying certificate names. These tests are run for each | |
1723 // of the CertVerify implementations. | |
1724 class CertVerifyProcNameTest : public CertVerifyProcInternalTest { | |
1725 public: | |
1726 CertVerifyProcNameTest() {} | |
1727 virtual ~CertVerifyProcNameTest() {} | |
1728 | |
1729 protected: | 1717 protected: |
1730 void VerifyCertName(const char* hostname, bool valid) { | 1718 void VerifyCertName(const char* hostname, bool valid) { |
1731 CertificateList cert_list = CreateCertificateListFromFile( | 1719 scoped_refptr<X509Certificate> cert(ImportCertFromFile( |
1732 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem", | 1720 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem")); |
1733 X509Certificate::FORMAT_AUTO); | 1721 ASSERT_TRUE(cert); |
1734 ASSERT_EQ(1U, cert_list.size()); | 1722 CertVerifyResult result; |
1735 scoped_refptr<X509Certificate> cert(cert_list[0]); | 1723 result.is_issued_by_known_root = false; |
1736 | 1724 scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result); |
1737 ScopedTestRoot scoped_root(cert.get()); | |
1738 | 1725 |
1739 CertVerifyResult verify_result; | 1726 CertVerifyResult verify_result; |
1740 int error = Verify(cert.get(), hostname, 0, NULL, CertificateList(), | 1727 int error = verify_proc->Verify(cert.get(), hostname, std::string(), 0, |
1741 &verify_result); | 1728 nullptr, CertificateList(), &verify_result); |
1742 if (valid) { | 1729 if (valid) { |
1743 EXPECT_THAT(error, IsOk()); | 1730 EXPECT_THAT(error, IsOk()); |
1744 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1731 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1745 } else { | 1732 } else { |
1746 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); | 1733 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
1747 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1734 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1748 } | 1735 } |
1749 } | 1736 } |
1750 }; | 1737 }; |
1751 | 1738 |
1752 // Don't match the common name | 1739 // Don't match the common name |
1753 TEST_P(CertVerifyProcNameTest, DontMatchCommonName) { | 1740 TEST_F(CertVerifyProcNameTest, DontMatchCommonName) { |
1754 VerifyCertName("127.0.0.1", false); | 1741 VerifyCertName("127.0.0.1", false); |
1755 } | 1742 } |
1756 | 1743 |
1757 // Matches the iPAddress SAN (IPv4) | 1744 // Matches the iPAddress SAN (IPv4) |
1758 TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv4) { | 1745 TEST_F(CertVerifyProcNameTest, MatchesIpSanIpv4) { |
1759 VerifyCertName("127.0.0.2", true); | 1746 VerifyCertName("127.0.0.2", true); |
1760 } | 1747 } |
1761 | 1748 |
1762 // Matches the iPAddress SAN (IPv6) | 1749 // Matches the iPAddress SAN (IPv6) |
1763 TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv6) { | 1750 TEST_F(CertVerifyProcNameTest, MatchesIpSanIpv6) { |
1764 VerifyCertName("FE80:0:0:0:0:0:0:1", true); | 1751 VerifyCertName("FE80:0:0:0:0:0:0:1", true); |
1765 } | 1752 } |
1766 | 1753 |
1767 // Should not match the iPAddress SAN | 1754 // Should not match the iPAddress SAN |
1768 TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) { | 1755 TEST_F(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) { |
1769 VerifyCertName("[FE80:0:0:0:0:0:0:1]", false); | 1756 VerifyCertName("[FE80:0:0:0:0:0:0:1]", false); |
1770 } | 1757 } |
1771 | 1758 |
1772 // Compressed form matches the iPAddress SAN (IPv6) | 1759 // Compressed form matches the iPAddress SAN (IPv6) |
1773 TEST_P(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) { | 1760 TEST_F(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) { |
1774 VerifyCertName("FE80::1", true); | 1761 VerifyCertName("FE80::1", true); |
1775 } | 1762 } |
1776 | 1763 |
1777 // IPv6 mapped form should NOT match iPAddress SAN | 1764 // IPv6 mapped form should NOT match iPAddress SAN |
1778 TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) { | 1765 TEST_F(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) { |
1779 VerifyCertName("::127.0.0.2", false); | 1766 VerifyCertName("::127.0.0.2", false); |
1780 } | 1767 } |
1781 | 1768 |
1782 // Matches the dNSName SAN | 1769 // Matches the dNSName SAN |
1783 TEST_P(CertVerifyProcNameTest, MatchesDnsSan) { | 1770 TEST_F(CertVerifyProcNameTest, MatchesDnsSan) { |
1784 VerifyCertName("test.example", true); | 1771 VerifyCertName("test.example", true); |
1785 } | 1772 } |
1786 | 1773 |
1787 // Matches the dNSName SAN (trailing . ignored) | 1774 // Matches the dNSName SAN (trailing . ignored) |
1788 TEST_P(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) { | 1775 TEST_F(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) { |
1789 VerifyCertName("test.example.", true); | 1776 VerifyCertName("test.example.", true); |
1790 } | 1777 } |
1791 | 1778 |
1792 // Should not match the dNSName SAN | 1779 // Should not match the dNSName SAN |
1793 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSan) { | 1780 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSan) { |
1794 VerifyCertName("www.test.example", false); | 1781 VerifyCertName("www.test.example", false); |
1795 } | 1782 } |
1796 | 1783 |
1797 // Should not match the dNSName SAN | 1784 // Should not match the dNSName SAN |
1798 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) { | 1785 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) { |
1799 VerifyCertName("test..example", false); | 1786 VerifyCertName("test..example", false); |
1800 } | 1787 } |
1801 | 1788 |
1802 // Should not match the dNSName SAN | 1789 // Should not match the dNSName SAN |
1803 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) { | 1790 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) { |
1804 VerifyCertName("test.example..", false); | 1791 VerifyCertName("test.example..", false); |
1805 } | 1792 } |
1806 | 1793 |
1807 // Should not match the dNSName SAN | 1794 // Should not match the dNSName SAN |
1808 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { | 1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { |
1809 VerifyCertName(".test.example.", false); | 1796 VerifyCertName(".test.example.", false); |
1810 } | 1797 } |
1811 | 1798 |
1812 // Should not match the dNSName SAN | 1799 // Should not match the dNSName SAN |
1813 TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { | 1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { |
1814 VerifyCertName(".test.example", false); | 1801 VerifyCertName(".test.example", false); |
1815 } | 1802 } |
1816 | 1803 |
1817 INSTANTIATE_TEST_CASE_P(VerifyName, | |
1818 CertVerifyProcNameTest, | |
1819 testing::ValuesIn(kAllCertVerifiers), | |
1820 VerifyProcTypeToName); | |
1821 | |
1822 // Tests that CertVerifyProc records a histogram correctly when a | 1804 // Tests that CertVerifyProc records a histogram correctly when a |
1823 // certificate chaining to a private root contains the TLS feature | 1805 // certificate chaining to a private root contains the TLS feature |
1824 // extension and does not have a stapled OCSP response. | 1806 // extension and does not have a stapled OCSP response. |
1825 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { | 1807 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { |
1826 base::HistogramTester histograms; | 1808 base::HistogramTester histograms; |
1827 scoped_refptr<X509Certificate> cert( | 1809 scoped_refptr<X509Certificate> cert( |
1828 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); | 1810 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); |
1829 ASSERT_TRUE(cert); | 1811 ASSERT_TRUE(cert); |
1830 CertVerifyResult result; | 1812 CertVerifyResult result; |
1831 result.is_issued_by_known_root = false; | 1813 result.is_issued_by_known_root = false; |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1914 int flags = 0; | 1896 int flags = 0; |
1915 CertVerifyResult verify_result; | 1897 CertVerifyResult verify_result; |
1916 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, | 1898 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, |
1917 NULL, CertificateList(), &verify_result); | 1899 NULL, CertificateList(), &verify_result); |
1918 EXPECT_EQ(OK, error); | 1900 EXPECT_EQ(OK, error); |
1919 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 1901 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
1920 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 1902 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
1921 } | 1903 } |
1922 | 1904 |
1923 } // namespace net | 1905 } // namespace net |
OLD | NEW |