Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(226)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_unittest.cc

Issue 2735733003: Disable commonName matching for certificates (Closed)
Patch Set: Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/cert_verify_proc_openssl.cc ('k') | net/cert/internal/path_builder_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include <vector> 7 #include <vector>
8 8
9 #include "base/callback_helpers.h" 9 #include "base/callback_helpers.h"
10 #include "base/files/file_path.h" 10 #include "base/files/file_path.h"
(...skipping 1783 matching lines...) Expand 10 before | Expand all | Expand 10 after
1794 // Should not match the dNSName SAN 1794 // Should not match the dNSName SAN
1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) { 1795 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) {
1796 VerifyCertName(".test.example.", false); 1796 VerifyCertName(".test.example.", false);
1797 } 1797 }
1798 1798
1799 // Should not match the dNSName SAN 1799 // Should not match the dNSName SAN
1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { 1800 TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
1801 VerifyCertName(".test.example", false); 1801 VerifyCertName(".test.example", false);
1802 } 1802 }
1803 1803
1804 // Tests that commonName-fallback is handled correctly:
1805 // - If it's a publicly trusted certificate, the commonName should never
1806 // match.
1807 // - If it chains to a private root, the commonName should not match if
1808 // the subjectAltName is absent, and the flags don't allow fallback.
1809 // - If it chains to a private root, the commonName SHOULD match iff the
1810 // subjectAltName is absent and the flags allow a fallback.
1811 TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) {
1812 scoped_refptr<X509Certificate> cert(
1813 ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem"));
1814 ASSERT_TRUE(cert);
1815
1816 CertVerifyResult result;
1817 scoped_refptr<CertVerifyProc> verify_proc;
1818 CertVerifyResult verify_result;
1819 int error;
1820
1821 // Publicly trusted: Always ignores commonName, regardless of flags.
1822 result = CertVerifyResult();
1823 verify_result = CertVerifyResult();
1824 error = 0;
1825 result.is_issued_by_known_root = true;
1826 verify_proc = new MockCertVerifyProc(result);
1827 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
1828 std::string(), 0, nullptr, CertificateList(),
1829 &verify_result);
1830 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
1831 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1832
1833 result = CertVerifyResult();
1834 verify_result = CertVerifyResult();
1835 error = 0;
1836 result.is_issued_by_known_root = true;
1837 verify_proc = new MockCertVerifyProc(result);
1838 error = verify_proc->Verify(
1839 cert.get(), "prerelna1.pre.salesforce.com", std::string(),
1840 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
1841 CertificateList(), &verify_result);
1842 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
1843 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1844
1845 // Privately trusted: Ignores commonName by default.
1846 result = CertVerifyResult();
1847 verify_result = CertVerifyResult();
1848 error = 0;
1849 result.is_issued_by_known_root = false;
1850 verify_proc = new MockCertVerifyProc(result);
1851 error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
1852 std::string(), 0, nullptr, CertificateList(),
1853 &verify_result);
1854 EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
1855 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1856
1857 // Privately trusted: Falls back to common name if flags allow.
1858 result = CertVerifyResult();
1859 verify_result = CertVerifyResult();
1860 error = 0;
1861 result.is_issued_by_known_root = false;
1862 verify_proc = new MockCertVerifyProc(result);
1863 error = verify_proc->Verify(
1864 cert.get(), "prerelna1.pre.salesforce.com", std::string(),
1865 CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
1866 CertificateList(), &verify_result);
1867 EXPECT_THAT(error, IsOk());
1868 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1869 }
1870
1804 // Tests that CertVerifyProc records a histogram correctly when a 1871 // Tests that CertVerifyProc records a histogram correctly when a
1805 // certificate chaining to a private root contains the TLS feature 1872 // certificate chaining to a private root contains the TLS feature
1806 // extension and does not have a stapled OCSP response. 1873 // extension and does not have a stapled OCSP response.
1807 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) { 1874 TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
1808 base::HistogramTester histograms; 1875 base::HistogramTester histograms;
1809 scoped_refptr<X509Certificate> cert( 1876 scoped_refptr<X509Certificate> cert(
1810 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem")); 1877 ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
1811 ASSERT_TRUE(cert); 1878 ASSERT_TRUE(cert);
1812 CertVerifyResult result; 1879 CertVerifyResult result;
1813 result.is_issued_by_known_root = false; 1880 result.is_issued_by_known_root = false;
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after
1896 int flags = 0; 1963 int flags = 0;
1897 CertVerifyResult verify_result; 1964 CertVerifyResult verify_result;
1898 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, 1965 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
1899 NULL, CertificateList(), &verify_result); 1966 NULL, CertificateList(), &verify_result);
1900 EXPECT_EQ(OK, error); 1967 EXPECT_EQ(OK, error);
1901 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); 1968 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
1902 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); 1969 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
1903 } 1970 }
1904 1971
1905 } // namespace net 1972 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/cert_verify_proc_openssl.cc ('k') | net/cert/internal/path_builder_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698