OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/ssl/ignore_errors_cert_verifier.h" |
| 6 |
| 7 #include "base/base64.h" |
| 8 #include "base/files/file_path.h" |
| 9 #include "base/memory/ptr_util.h" |
| 10 #include "base/memory/ref_counted.h" |
| 11 #include "base/strings/string_piece.h" |
| 12 #include "crypto/sha2.h" |
| 13 #include "net/base/net_errors.h" |
| 14 #include "net/base/test_completion_callback.h" |
| 15 #include "net/cert/asn1_util.h" |
| 16 #include "net/cert/mock_cert_verifier.h" |
| 17 #include "net/cert/x509_certificate.h" |
| 18 #include "net/log/net_log_with_source.h" |
| 19 #include "net/test/cert_test_util.h" |
| 20 #include "net/test/gtest_util.h" |
| 21 #include "net/test/test_data_directory.h" |
| 22 #include "testing/gmock/include/gmock/gmock.h" |
| 23 #include "testing/gtest/include/gtest/gtest.h" |
| 24 |
| 25 using net::CertVerifier; |
| 26 using net::MockCertVerifier; |
| 27 using net::CompletionCallback; |
| 28 using net::HashValue; |
| 29 using net::SHA256HashValue; |
| 30 using net::SHA256HashValueLessThan; |
| 31 using net::X509Certificate; |
| 32 using net::TestCompletionCallback; |
| 33 using net::CertVerifyResult; |
| 34 using net::NetLogWithSource; |
| 35 |
| 36 using net::ERR_CERT_INVALID; |
| 37 using net::ERR_IO_PENDING; |
| 38 using net::OK; |
| 39 |
| 40 using net::test::IsError; |
| 41 using net::test::IsOk; |
| 42 |
| 43 // MakeWhitelist returns a IgnoreCertsVerifier whitelist containing the SPKI |
| 44 // fingerprint of the intermediate from x509_verify_results.chain.pem. |
| 45 static IgnoreErrorsCertVerifier::SPKIHashSet MakeWhitelist() { |
| 46 base::FilePath certs_dir = net::GetTestCertsDirectory(); |
| 47 net::CertificateList certs = net::CreateCertificateListFromFile( |
| 48 certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO); |
| 49 std::string cert_der, hash_base64; |
| 50 base::StringPiece cert_spki; |
| 51 SHA256HashValue hash; |
| 52 if (X509Certificate::GetDEREncoded(certs[1]->os_cert_handle(), &cert_der) && |
| 53 net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { |
| 54 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); |
| 55 } |
| 56 base::Base64Encode(base::StringPiece(reinterpret_cast<const char*>(hash.data), |
| 57 sizeof(hash.data)), |
| 58 &hash_base64); |
| 59 std::vector<std::string> fingerprints{ |
| 60 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "foobar", hash_base64, |
| 61 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="}; |
| 62 return IgnoreErrorsCertVerifier::MakeWhitelist(fingerprints); |
| 63 } |
| 64 |
| 65 class IgnoreErrorsCertVerifierTest : public ::testing::Test { |
| 66 public: |
| 67 IgnoreErrorsCertVerifierTest() |
| 68 : mock_verifier_(new MockCertVerifier()), |
| 69 verifier_(base::WrapUnique(mock_verifier_), MakeWhitelist()) {} |
| 70 ~IgnoreErrorsCertVerifierTest() override {} |
| 71 |
| 72 protected: |
| 73 // The wrapped CertVerifier. Defaults to returning ERR_CERT_INVALID. Owned by |
| 74 // verifier_. |
| 75 MockCertVerifier* mock_verifier_; |
| 76 IgnoreErrorsCertVerifier verifier_; |
| 77 }; |
| 78 |
| 79 static void GetNonWhitelistedTestCert(scoped_refptr<X509Certificate>* out) { |
| 80 base::FilePath certs_dir = net::GetTestCertsDirectory(); |
| 81 scoped_refptr<X509Certificate> test_cert( |
| 82 net::ImportCertFromFile(certs_dir, "ok_cert.pem")); |
| 83 ASSERT_TRUE(test_cert); |
| 84 out->swap(test_cert); |
| 85 } |
| 86 |
| 87 static CertVerifier::RequestParams MakeRequestParams( |
| 88 const scoped_refptr<X509Certificate>& cert) { |
| 89 return CertVerifier::RequestParams(cert, "example.com", 0, "", |
| 90 net::CertificateList()); |
| 91 } |
| 92 |
| 93 static void GetWhitelistedTestCert(scoped_refptr<X509Certificate>* out) { |
| 94 base::FilePath certs_dir = net::GetTestCertsDirectory(); |
| 95 net::CertificateList certs = net::CreateCertificateListFromFile( |
| 96 certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO); |
| 97 ASSERT_EQ(3U, certs.size()); |
| 98 X509Certificate::OSCertHandles intermediates; |
| 99 intermediates.push_back(certs[1]->os_cert_handle()); |
| 100 intermediates.push_back(certs[2]->os_cert_handle()); |
| 101 scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle( |
| 102 certs[0]->os_cert_handle(), intermediates); |
| 103 ASSERT_TRUE(cert_chain); |
| 104 ASSERT_EQ(2U, cert_chain->GetIntermediateCertificates().size()); |
| 105 out->swap(cert_chain); |
| 106 } |
| 107 |
| 108 TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertOk) { |
| 109 mock_verifier_->set_default_result(OK); |
| 110 |
| 111 scoped_refptr<X509Certificate> test_cert; |
| 112 ASSERT_NO_FATAL_FAILURE(GetNonWhitelistedTestCert(&test_cert)); |
| 113 CertVerifyResult verify_result; |
| 114 TestCompletionCallback callback; |
| 115 std::unique_ptr<CertVerifier::Request> request; |
| 116 |
| 117 EXPECT_THAT(callback.GetResult(verifier_.Verify( |
| 118 MakeRequestParams(test_cert), nullptr, &verify_result, |
| 119 callback.callback(), &request, NetLogWithSource())), |
| 120 IsOk()); |
| 121 } |
| 122 |
| 123 TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertError) { |
| 124 scoped_refptr<X509Certificate> test_cert; |
| 125 ASSERT_NO_FATAL_FAILURE(GetNonWhitelistedTestCert(&test_cert)); |
| 126 CertVerifyResult verify_result; |
| 127 TestCompletionCallback callback; |
| 128 std::unique_ptr<CertVerifier::Request> request; |
| 129 |
| 130 EXPECT_THAT(callback.GetResult(verifier_.Verify( |
| 131 MakeRequestParams(test_cert), nullptr, &verify_result, |
| 132 callback.callback(), &request, NetLogWithSource())), |
| 133 IsError(ERR_CERT_INVALID)); |
| 134 } |
| 135 |
| 136 TEST_F(IgnoreErrorsCertVerifierTest, TestMatch) { |
| 137 scoped_refptr<X509Certificate> test_cert; |
| 138 ASSERT_NO_FATAL_FAILURE(GetWhitelistedTestCert(&test_cert)); |
| 139 CertVerifyResult verify_result; |
| 140 TestCompletionCallback callback; |
| 141 std::unique_ptr<CertVerifier::Request> request; |
| 142 |
| 143 EXPECT_THAT(callback.GetResult(verifier_.Verify( |
| 144 MakeRequestParams(test_cert), nullptr, &verify_result, |
| 145 callback.callback(), &request, NetLogWithSource())), |
| 146 IsOk()); |
| 147 } |
OLD | NEW |