OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
11 #include "base/files/file_util.h" | 11 #include "base/files/file_util.h" |
12 #include "base/logging.h" | 12 #include "base/logging.h" |
13 #include "base/macros.h" | 13 #include "base/macros.h" |
14 #include "base/sha1.h" | 14 #include "base/sha1.h" |
15 #include "base/strings/string_number_conversions.h" | 15 #include "base/strings/string_number_conversions.h" |
16 #include "base/test/histogram_tester.h" | 16 #include "base/test/histogram_tester.h" |
17 #include "base/test/scoped_feature_list.h" | 17 #include "base/test/scoped_feature_list.h" |
18 #include "build/build_config.h" | 18 #include "build/build_config.h" |
19 #include "crypto/sha2.h" | 19 #include "crypto/sha2.h" |
20 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
21 #include "net/cert/asn1_util.h" | 21 #include "net/cert/asn1_util.h" |
22 #include "net/cert/cert_status_flags.h" | 22 #include "net/cert/cert_status_flags.h" |
23 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
24 #include "net/cert/cert_verify_result.h" | 24 #include "net/cert/cert_verify_result.h" |
25 #include "net/cert/crl_set.h" | 25 #include "net/cert/crl_set.h" |
26 #include "net/cert/crl_set_storage.h" | 26 #include "net/cert/crl_set_storage.h" |
27 #include "net/cert/internal/signature_algorithm.h" | |
27 #include "net/cert/test_root_certs.h" | 28 #include "net/cert/test_root_certs.h" |
28 #include "net/cert/x509_certificate.h" | 29 #include "net/cert/x509_certificate.h" |
30 #include "net/der/input.h" | |
31 #include "net/der/parser.h" | |
29 #include "net/test/cert_test_util.h" | 32 #include "net/test/cert_test_util.h" |
30 #include "net/test/gtest_util.h" | 33 #include "net/test/gtest_util.h" |
31 #include "net/test/test_certificate_data.h" | 34 #include "net/test/test_certificate_data.h" |
32 #include "net/test/test_data_directory.h" | 35 #include "net/test/test_data_directory.h" |
33 #include "testing/gmock/include/gmock/gmock.h" | 36 #include "testing/gmock/include/gmock/gmock.h" |
34 #include "testing/gtest/include/gtest/gtest.h" | 37 #include "testing/gtest/include/gtest/gtest.h" |
35 | 38 |
36 #if defined(OS_ANDROID) | 39 #if defined(OS_ANDROID) |
37 #include "base/android/build_info.h" | 40 #include "base/android/build_info.h" |
38 #endif | 41 #endif |
(...skipping 226 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
265 // expired, http://crbug.com/502818 | 268 // expired, http://crbug.com/502818 |
266 TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) { | 269 TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) { |
267 if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID || | 270 if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID || |
268 verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) { | 271 verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) { |
269 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet | 272 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet |
270 // supported. | 273 // supported. |
271 LOG(INFO) << "Skipping test as EV verification is not yet supported"; | 274 LOG(INFO) << "Skipping test as EV verification is not yet supported"; |
272 return; | 275 return; |
273 } | 276 } |
274 | 277 |
275 CertificateList certs = | 278 auto comodo_chain = CreateCertificateChainFromFile( |
276 CreateCertificateListFromFile(GetTestCertsDirectory(), "comodo.chain.pem", | 279 GetTestCertsDirectory(), "comodo.chain.pem", |
277 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 280 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
278 ASSERT_EQ(3U, certs.size()); | 281 ASSERT_TRUE(comodo_chain); |
279 | 282 ASSERT_EQ(2U, comodo_chain->GetIntermediateCertificates().size()); |
280 X509Certificate::OSCertHandles intermediates; | |
281 intermediates.push_back(certs[1]->os_cert_handle()); | |
282 intermediates.push_back(certs[2]->os_cert_handle()); | |
283 | |
284 scoped_refptr<X509Certificate> comodo_chain = | |
285 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | |
286 intermediates); | |
287 | 283 |
288 scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, "")); | 284 scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, "")); |
289 CertVerifyResult verify_result; | 285 CertVerifyResult verify_result; |
290 int flags = CertVerifier::VERIFY_EV_CERT; | 286 int flags = CertVerifier::VERIFY_EV_CERT; |
291 int error = Verify(comodo_chain.get(), "comodo.com", flags, crl_set.get(), | 287 int error = Verify(comodo_chain.get(), "comodo.com", flags, crl_set.get(), |
292 CertificateList(), &verify_result); | 288 CertificateList(), &verify_result); |
293 EXPECT_THAT(error, IsOk()); | 289 EXPECT_THAT(error, IsOk()); |
294 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 290 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
295 } | 291 } |
296 | 292 |
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
376 EXPECT_EQ(0u, verify_result.cert_status); | 372 EXPECT_EQ(0u, verify_result.cert_status); |
377 } | 373 } |
378 | 374 |
379 TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) { | 375 TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) { |
380 base::FilePath certs_dir = GetTestCertsDirectory(); | 376 base::FilePath certs_dir = GetTestCertsDirectory(); |
381 | 377 |
382 // Load root_ca_cert.pem into the test root store. | 378 // Load root_ca_cert.pem into the test root store. |
383 ScopedTestRoot test_root( | 379 ScopedTestRoot test_root( |
384 ImportCertFromFile(certs_dir, "root_ca_cert.pem").get()); | 380 ImportCertFromFile(certs_dir, "root_ca_cert.pem").get()); |
385 | 381 |
386 CertificateList certs = CreateCertificateListFromFile( | 382 auto cert = CreateCertificateChainFromFile(certs_dir, "expired_cert.pem", |
387 certs_dir, "expired_cert.pem", X509Certificate::FORMAT_AUTO); | 383 X509Certificate::FORMAT_AUTO); |
mattm
2017/03/04 02:34:26
ASSERT_TRUE(cert)
eroman
2017/03/07 23:43:00
Sorry for including these unrelated refactors -- I
| |
388 ASSERT_EQ(1U, certs.size()); | 384 ASSERT_EQ(0U, cert->GetIntermediateCertificates().size()); |
389 | |
390 X509Certificate::OSCertHandles intermediates; | |
391 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | |
392 certs[0]->os_cert_handle(), intermediates); | |
393 | 385 |
394 int flags = 0; | 386 int flags = 0; |
395 CertVerifyResult verify_result; | 387 CertVerifyResult verify_result; |
396 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(), | 388 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(), |
397 &verify_result); | 389 &verify_result); |
398 EXPECT_THAT(error, IsError(ERR_CERT_DATE_INVALID)); | 390 EXPECT_THAT(error, IsError(ERR_CERT_DATE_INVALID)); |
399 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID); | 391 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID); |
400 } | 392 } |
401 | 393 |
402 // Currently, only RSA and DSA keys are checked for weakness, and our example | 394 // Currently, only RSA and DSA keys are checked for weakness, and our example |
(...skipping 202 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
605 } | 597 } |
606 } | 598 } |
607 | 599 |
608 TEST_P(CertVerifyProcInternalTest, NameConstraintsOk) { | 600 TEST_P(CertVerifyProcInternalTest, NameConstraintsOk) { |
609 CertificateList ca_cert_list = | 601 CertificateList ca_cert_list = |
610 CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", | 602 CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", |
611 X509Certificate::FORMAT_AUTO); | 603 X509Certificate::FORMAT_AUTO); |
612 ASSERT_EQ(1U, ca_cert_list.size()); | 604 ASSERT_EQ(1U, ca_cert_list.size()); |
613 ScopedTestRoot test_root(ca_cert_list[0].get()); | 605 ScopedTestRoot test_root(ca_cert_list[0].get()); |
614 | 606 |
615 CertificateList cert_list = CreateCertificateListFromFile( | 607 auto leaf = CreateCertificateChainFromFile(GetTestCertsDirectory(), |
616 GetTestCertsDirectory(), "name_constraint_good.pem", | 608 "name_constraint_good.pem", |
617 X509Certificate::FORMAT_AUTO); | 609 X509Certificate::FORMAT_AUTO); |
mattm
2017/03/04 02:34:26
ASSERT_TRUE(leaf)
eroman
2017/03/07 23:43:00
Ditto.
| |
618 ASSERT_EQ(1U, cert_list.size()); | 610 ASSERT_EQ(0U, leaf->GetIntermediateCertificates().size()); |
619 | |
620 X509Certificate::OSCertHandles intermediates; | |
621 scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle( | |
622 cert_list[0]->os_cert_handle(), intermediates); | |
623 | 611 |
624 int flags = 0; | 612 int flags = 0; |
625 CertVerifyResult verify_result; | 613 CertVerifyResult verify_result; |
626 int error = Verify(leaf.get(), "test.example.com", flags, NULL, | 614 int error = Verify(leaf.get(), "test.example.com", flags, NULL, |
627 CertificateList(), &verify_result); | 615 CertificateList(), &verify_result); |
628 EXPECT_THAT(error, IsOk()); | 616 EXPECT_THAT(error, IsOk()); |
629 EXPECT_EQ(0U, verify_result.cert_status); | 617 EXPECT_EQ(0U, verify_result.cert_status); |
630 | 618 |
631 error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL, | 619 error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL, |
632 CertificateList(), &verify_result); | 620 CertificateList(), &verify_result); |
633 EXPECT_THAT(error, IsOk()); | 621 EXPECT_THAT(error, IsOk()); |
634 EXPECT_EQ(0U, verify_result.cert_status); | 622 EXPECT_EQ(0U, verify_result.cert_status); |
635 } | 623 } |
636 | 624 |
625 // This fixture is for testing the verification of a certificate chain which | |
626 // has some sort of mismatched signature algorithm (i.e. | |
627 // Certificate.signatureAlgorithm and TBSCertificate.algorithm are different). | |
628 // | |
629 // X509 certificates contain two redundant descriptors for the signature | |
630 // algorithm. Although RFC 5280 states that they must be the same, in practice | |
631 // system verifiers don't check this. This can lead to confusion as the | |
632 // signature itself may be checked using algorithm A, but then subsequent | |
633 // consumers may inspect the certificate and look at signature algorithm B when | |
634 // making policy choices. | |
635 class CertVerifyProcInspectSignatureAlgorithmsTest : public ::testing::Test { | |
636 protected: | |
637 // In the test setup, SHA384 is given special treatment as an unkown | |
mattm
2017/03/04 02:34:26
unknown
eroman
2017/03/07 23:43:00
Done.
| |
638 // algorithm. | |
639 static constexpr DigestAlgorithm kUnknownDigestAlgorithm = | |
640 DigestAlgorithm::Sha384; | |
641 | |
642 struct CertParams { | |
643 DigestAlgorithm cert_algorithm; | |
644 DigestAlgorithm tbs_algorithm; | |
645 | |
646 static CertParams Sha256() { | |
647 return { | |
648 DigestAlgorithm::Sha256, DigestAlgorithm::Sha256, | |
649 }; | |
650 } | |
651 }; | |
652 | |
653 // Shorthand for VerifyChain() where only the leaf parameters need | |
654 // to be specified. | |
655 WARN_UNUSED_RESULT int VerifyLeaf(DigestAlgorithm cert_algorithm, | |
656 DigestAlgorithm tbs_algorithm) { | |
657 return VerifyChain({{cert_algorithm, tbs_algorithm}, | |
658 // Shouldn't matter what root uses. | |
659 {DigestAlgorithm::Sha1, DigestAlgorithm::Sha256}}); | |
660 } | |
661 | |
662 // Manufactures a certificate chain where each certificate has the indicated | |
663 // signature algorithms, and then returns the result of verifying this chain. | |
664 WARN_UNUSED_RESULT int VerifyChain( | |
665 const std::vector<CertParams>& chain_params) { | |
666 auto chain = CreateChain(chain_params); | |
667 if (!chain) { | |
668 ADD_FAILURE() << "Failed creating certificate chain"; | |
669 return ERR_UNEXPECTED; | |
670 } | |
671 | |
672 int flags = 0; | |
673 CertVerifyResult verify_result; | |
674 verify_result.verified_cert = chain; | |
mattm
2017/03/04 02:34:27
MockCertVerifyProc already sets verified_cert
eroman
2017/03/07 23:43:00
Done -- thanks!
| |
675 | |
676 scoped_refptr<CertVerifyProc> verify_proc = | |
677 new MockCertVerifyProc(verify_result); | |
678 | |
679 return verify_proc->Verify(chain.get(), "test.example.com", std::string(), | |
680 flags, NULL, CertificateList(), &verify_result); | |
mattm
2017/03/04 02:34:26
Using the same CertVerifyResult object as was used
eroman
2017/03/07 23:43:00
Done.
| |
681 } | |
682 | |
683 private: | |
684 // Overwrites the AlgorithmIdentifier pointed to by |algorithm_sequence| with | |
685 // |algorithm|. Note this violates the constness of StringPiece. | |
686 WARN_UNUSED_RESULT static bool SetAlgorithmSequence( | |
687 DigestAlgorithm algorithm, | |
688 base::StringPiece* algorithm_sequence) { | |
689 // This string of bytes is the full SEQUENCE for an AlgorithmIdentifier. | |
690 std::vector<uint8_t> replacement_sequence; | |
691 switch (algorithm) { | |
692 case DigestAlgorithm::Sha1: | |
693 // sha1WithRSAEncryption | |
694 replacement_sequence = {0x30, 0x0D, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, | |
695 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00}; | |
696 break; | |
697 case DigestAlgorithm::Sha256: | |
698 // sha256WithRSAEncryption | |
699 replacement_sequence = {0x30, 0x0D, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, | |
700 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00}; | |
701 break; | |
702 case kUnknownDigestAlgorithm: | |
703 // This shouldn't be anything meaningful (modified numbers at random). | |
704 replacement_sequence = {0x30, 0x0D, 0x06, 0x09, 0x8a, 0x87, 0x18, 0x46, | |
705 0xd7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00}; | |
706 break; | |
707 default: | |
708 ADD_FAILURE() << "Unsupported digest algorithm"; | |
709 return false; | |
710 } | |
711 | |
712 // For this simple replacement to work (without modifying any | |
713 // other sequence lengths) the original algorithm and replacement | |
714 // algorithm must have the same encoded length. | |
715 if (algorithm_sequence->size() != replacement_sequence.size()) { | |
716 ADD_FAILURE() << "AlgorithmIdentifier must have length " | |
717 << replacement_sequence.size(); | |
718 return false; | |
719 } | |
720 | |
721 memcpy(const_cast<char*>(algorithm_sequence->data()), | |
722 replacement_sequence.data(), replacement_sequence.size()); | |
723 return true; | |
724 } | |
725 | |
726 // Locate the serial number bytes. | |
727 WARN_UNUSED_RESULT static bool ExtractSerialNumberFromDERCert( | |
728 base::StringPiece der_cert, | |
729 base::StringPiece* serial_value) { | |
730 der::Parser parser((der::Input(der_cert))); | |
731 der::Parser certificate; | |
732 if (!parser.ReadSequence(&certificate)) | |
733 return false; | |
734 | |
735 der::Parser tbs_certificate; | |
736 if (!certificate.ReadSequence(&tbs_certificate)) | |
737 return false; | |
738 | |
739 bool unused; | |
740 if (!tbs_certificate.SkipOptionalTag( | |
741 der::kTagConstructed | der::kTagContextSpecific | 0, &unused)) { | |
742 return false; | |
743 } | |
744 | |
745 // serialNumber | |
746 der::Input serial_value_der; | |
747 if (!tbs_certificate.ReadTag(der::kInteger, &serial_value_der)) | |
748 return false; | |
749 | |
750 *serial_value = serial_value_der.AsStringPiece(); | |
751 return true; | |
752 } | |
753 | |
754 // Creates a certificate (based on some base certificate file) using the | |
755 // specified signature algorithms. | |
756 static scoped_refptr<X509Certificate> CreateCertificate( | |
757 const CertParams& params) { | |
758 // Dosn't really matter which base certificate is used, so long as it is | |
759 // valid and uses a signature AlgorithmIdentifier with the same encoded | |
760 // length as sha1WithRSASignature. | |
761 const char* kLeafFilename = "name_constraint_good.pem"; | |
762 | |
763 auto cert = CreateCertificateChainFromFile( | |
764 GetTestCertsDirectory(), kLeafFilename, X509Certificate::FORMAT_AUTO); | |
765 if (!cert) { | |
766 ADD_FAILURE() << "Failed to load certificate: " << kLeafFilename; | |
767 return nullptr; | |
768 } | |
769 | |
770 // Start with the DER bytes of a valid certificate. This will be the basis | |
771 // for building a modified certificate. | |
772 std::string cert_der; | |
773 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &cert_der)) { | |
774 ADD_FAILURE() << "Failed getting DER bytes"; | |
775 return nullptr; | |
776 } | |
777 | |
778 // Parse the certificate and identify the locations of interest within | |
779 // |cert_der|. | |
780 base::StringPiece cert_algorithm_sequence; | |
781 base::StringPiece tbs_algorithm_sequence; | |
782 if (!asn1::ExtractSignatureAlgorithmsFromDERCert( | |
783 cert_der, &cert_algorithm_sequence, &tbs_algorithm_sequence)) { | |
784 ADD_FAILURE() << "Failed parsing certificate algorithms"; | |
785 return nullptr; | |
786 } | |
787 | |
788 base::StringPiece serial_value; | |
789 if (!ExtractSerialNumberFromDERCert(cert_der, &serial_value)) { | |
790 ADD_FAILURE() << "Failed parsing certificate serial number"; | |
791 return nullptr; | |
792 } | |
793 | |
794 // Give the certificate a new serial number -- this is necessary because | |
795 // otherwise importing it may fail. Changing the high order byte is good | |
796 // enough for these tests. | |
797 *const_cast<char*>(serial_value.data()) = next_serial_number_++; | |
mattm
2017/03/04 02:34:26
what happens if you run the test under gtest_repea
eroman
2017/03/07 23:43:00
I expect that once it has created around 255 certi
mattm
2017/03/08 01:41:34
Hmm. I would say it's worth avoiding that. I guess
eroman
2017/03/08 01:59:28
Here are two possible routes forward:
(1) I can m
eroman
2017/03/08 17:09:24
Done.
I went with static serial numbers, and may
| |
798 | |
799 // Change the signature AlgorithmIdentifiers. | |
800 if (!SetAlgorithmSequence(params.cert_algorithm, | |
801 &cert_algorithm_sequence) || | |
802 !SetAlgorithmSequence(params.tbs_algorithm, &tbs_algorithm_sequence)) { | |
803 return nullptr; | |
804 } | |
805 | |
806 // NOTE: The signature is NOT recomputed over TBSCertificate -- for these | |
807 // tests it isn't needed. | |
808 return X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size()); | |
809 } | |
810 | |
811 static scoped_refptr<X509Certificate> CreateChain( | |
812 const std::vector<CertParams>& params) { | |
813 // Manufacture a chain with the given combinations of signature algorithms. | |
814 // This chain isn't actually a valid chain, but it is good enough for | |
815 // testing the base CertVerifyProc. | |
816 CertificateList certs; | |
817 for (const auto& cert_params : params) { | |
818 certs.push_back(CreateCertificate(cert_params)); | |
819 if (!certs.back()) | |
820 return nullptr; | |
821 } | |
822 | |
823 X509Certificate::OSCertHandles intermediates; | |
824 for (size_t i = 1; i < certs.size(); ++i) | |
825 intermediates.push_back(certs[i]->os_cert_handle()); | |
826 | |
827 return X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | |
828 intermediates); | |
829 } | |
830 | |
831 static int next_serial_number_; | |
832 }; | |
833 | |
834 // Global counter to ensure that during test runs the same issuer/serialnumber | |
835 // isn't used when manufacturing certificates. | |
836 int CertVerifyProcInspectSignatureAlgorithmsTest::next_serial_number_ = 9; | |
837 | |
838 // This is a control test to make sure that the test helper | |
839 // VerifyLeaf() works as expected. There is no actual mismatch in the | |
840 // algorithms used here. | |
841 // | |
842 // Certificate.signatureAlgorithm: sha1WithRSASignature | |
843 // TBSCertificate.algorithm: sha1WithRSAEncryption | |
844 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, LeafSha1Sha1) { | |
845 int rv = VerifyLeaf(DigestAlgorithm::Sha1, DigestAlgorithm::Sha1); | |
846 ASSERT_THAT(rv, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM)); | |
847 } | |
848 | |
849 // This is a control test to make sure that the test helper | |
850 // VerifyLeaf() works as expected. There is no actual mismatch in the | |
851 // algorithms used here. | |
852 // | |
853 // Certificate.signatureAlgorithm: sha256WithRSASignature | |
854 // TBSCertificate.algorithm: sha256WithRSAEncryption | |
855 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, LeafSha256Sha256) { | |
856 int rv = VerifyLeaf(DigestAlgorithm::Sha256, DigestAlgorithm::Sha256); | |
857 ASSERT_THAT(rv, IsOk()); | |
858 } | |
859 | |
860 // Mismatched signature algorithms in the leaf certificate. | |
861 // | |
862 // Certificate.signatureAlgorithm: sha1WithRSASignature | |
863 // TBSCertificate.algorithm: sha256WithRSAEncryption | |
864 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, LeafSha1Sha256) { | |
865 int rv = VerifyLeaf(DigestAlgorithm::Sha1, DigestAlgorithm::Sha256); | |
866 ASSERT_THAT(rv, IsError(ERR_CERT_INVALID)); | |
867 } | |
868 | |
869 // Mismatched signature algorithms in the leaf certificate. | |
870 // | |
871 // Certificate.signatureAlgorithm: sha256WithRSAEncryption | |
872 // TBSCertificate.algorithm: sha1WithRSASignature | |
873 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, LeafSha256Sha1) { | |
874 int rv = VerifyLeaf(DigestAlgorithm::Sha256, DigestAlgorithm::Sha1); | |
875 ASSERT_THAT(rv, IsError(ERR_CERT_INVALID)); | |
876 } | |
877 | |
878 // Mismatched signature algorithms in the intermediate certificate. | |
879 // | |
880 // Certificate.signatureAlgorithm: sha1WithRSASignature | |
881 // TBSCertificate.algorithm: sha256WithRSAEncryption | |
882 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, IntermediateSha1Sha256) { | |
883 int rv = VerifyChain({CertParams::Sha256(), | |
mattm
2017/03/04 02:34:26
imo this is more confusing than just putting {Dige
eroman
2017/03/07 23:43:00
Done.
| |
884 {DigestAlgorithm::Sha1, DigestAlgorithm::Sha256}, | |
885 CertParams::Sha256()}); | |
886 ASSERT_THAT(rv, IsError(ERR_CERT_INVALID)); | |
887 } | |
888 | |
889 // Mismatched signature algorithms in the intermediate certificate. | |
890 // | |
891 // Certificate.signatureAlgorithm: sha256WithRSAEncryption | |
892 // TBSCertificate.algorithm: sha1WithRSASignature | |
893 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, IntermediateSha256Sha1) { | |
894 int rv = VerifyChain({CertParams::Sha256(), | |
895 {DigestAlgorithm::Sha256, DigestAlgorithm::Sha1}, | |
896 CertParams::Sha256()}); | |
897 ASSERT_THAT(rv, IsError(ERR_CERT_INVALID)); | |
898 } | |
899 | |
900 // Unrecognized signature algorithm in the leaf certificate. | |
901 // | |
902 // Certificate.signatureAlgorithm: sha256WithRSAEncryption | |
903 // TBSCertificate.algorithm: ? | |
904 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, LeafSha256Unknown) { | |
905 int rv = VerifyLeaf(DigestAlgorithm::Sha256, kUnknownDigestAlgorithm); | |
906 ASSERT_THAT(rv, IsError(ERR_CERT_INVALID)); | |
907 } | |
908 | |
909 // Unrecognized signature algorithm in the leaf certificate. | |
910 // | |
911 // Certificate.signatureAlgorithm: ? | |
912 // TBSCertificate.algorithm: sha256WithRSAEncryption | |
913 TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, LeafUnknownSha256) { | |
914 int rv = VerifyLeaf(kUnknownDigestAlgorithm, DigestAlgorithm::Sha256); | |
915 ASSERT_THAT(rv, IsError(ERR_CERT_INVALID)); | |
916 } | |
917 | |
637 TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) { | 918 TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) { |
638 if (!SupportsReturningVerifiedChain()) { | 919 if (!SupportsReturningVerifiedChain()) { |
639 LOG(INFO) << "Skipping this test in this platform."; | 920 LOG(INFO) << "Skipping this test in this platform."; |
640 return; | 921 return; |
641 } | 922 } |
642 | 923 |
643 CertificateList ca_cert_list = | 924 CertificateList ca_cert_list = |
644 CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", | 925 CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", |
645 X509Certificate::FORMAT_AUTO); | 926 X509Certificate::FORMAT_AUTO); |
646 ASSERT_EQ(1U, ca_cert_list.size()); | 927 ASSERT_EQ(1U, ca_cert_list.size()); |
(...skipping 1249 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1896 int flags = 0; | 2177 int flags = 0; |
1897 CertVerifyResult verify_result; | 2178 CertVerifyResult verify_result; |
1898 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, | 2179 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, |
1899 NULL, CertificateList(), &verify_result); | 2180 NULL, CertificateList(), &verify_result); |
1900 EXPECT_EQ(OK, error); | 2181 EXPECT_EQ(OK, error); |
1901 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2182 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
1902 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2183 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
1903 } | 2184 } |
1904 | 2185 |
1905 } // namespace net | 2186 } // namespace net |
OLD | NEW |