| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| 11 #include "base/files/file_util.h" | 11 #include "base/files/file_util.h" |
| 12 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/macros.h" | 13 #include "base/macros.h" |
| 14 #include "base/sha1.h" | 14 #include "base/sha1.h" |
| 15 #include "base/strings/string_number_conversions.h" | 15 #include "base/strings/string_number_conversions.h" |
| 16 #include "base/test/histogram_tester.h" | 16 #include "base/test/histogram_tester.h" |
| 17 #include "base/test/scoped_feature_list.h" | 17 #include "base/test/scoped_feature_list.h" |
| 18 #include "build/build_config.h" | 18 #include "build/build_config.h" |
| 19 #include "crypto/sha2.h" | 19 #include "crypto/sha2.h" |
| 20 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
| 21 #include "net/cert/asn1_util.h" | 21 #include "net/cert/asn1_util.h" |
| 22 #include "net/cert/cert_status_flags.h" | 22 #include "net/cert/cert_status_flags.h" |
| 23 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
| 24 #include "net/cert/cert_verify_proc_builtin.h" |
| 24 #include "net/cert/cert_verify_result.h" | 25 #include "net/cert/cert_verify_result.h" |
| 25 #include "net/cert/crl_set.h" | 26 #include "net/cert/crl_set.h" |
| 26 #include "net/cert/crl_set_storage.h" | 27 #include "net/cert/crl_set_storage.h" |
| 27 #include "net/cert/internal/signature_algorithm.h" | 28 #include "net/cert/internal/signature_algorithm.h" |
| 28 #include "net/cert/test_root_certs.h" | 29 #include "net/cert/test_root_certs.h" |
| 29 #include "net/cert/x509_certificate.h" | 30 #include "net/cert/x509_certificate.h" |
| 30 #include "net/der/input.h" | 31 #include "net/der/input.h" |
| 31 #include "net/der/parser.h" | 32 #include "net/der/parser.h" |
| 32 #include "net/test/cert_test_util.h" | 33 #include "net/test/cert_test_util.h" |
| 33 #include "net/test/gtest_util.h" | 34 #include "net/test/gtest_util.h" |
| (...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 106 // | 107 // |
| 107 // The type is erased by CertVerifyProc::CreateDefault(), however | 108 // The type is erased by CertVerifyProc::CreateDefault(), however |
| 108 // needs to be known for some of the test expectations. | 109 // needs to be known for some of the test expectations. |
| 109 enum CertVerifyProcType { | 110 enum CertVerifyProcType { |
| 110 CERT_VERIFY_PROC_NSS, | 111 CERT_VERIFY_PROC_NSS, |
| 111 CERT_VERIFY_PROC_OPENSSL, | 112 CERT_VERIFY_PROC_OPENSSL, |
| 112 CERT_VERIFY_PROC_ANDROID, | 113 CERT_VERIFY_PROC_ANDROID, |
| 113 CERT_VERIFY_PROC_IOS, | 114 CERT_VERIFY_PROC_IOS, |
| 114 CERT_VERIFY_PROC_MAC, | 115 CERT_VERIFY_PROC_MAC, |
| 115 CERT_VERIFY_PROC_WIN, | 116 CERT_VERIFY_PROC_WIN, |
| 117 CERT_VERIFY_PROC_BUILTIN, |
| 116 }; | 118 }; |
| 117 | 119 |
| 118 // Returns the CertVerifyProcType corresponding to what | 120 // Returns the CertVerifyProcType corresponding to what |
| 119 // CertVerifyProc::CreateDefault() returns. This needs to be kept in sync with | 121 // CertVerifyProc::CreateDefault() returns. This needs to be kept in sync with |
| 120 // CreateDefault(). | 122 // CreateDefault(). |
| 121 CertVerifyProcType GetDefaultCertVerifyProcType() { | 123 CertVerifyProcType GetDefaultCertVerifyProcType() { |
| 122 #if defined(USE_NSS_CERTS) | 124 #if defined(USE_NSS_CERTS) |
| 123 return CERT_VERIFY_PROC_NSS; | 125 return CERT_VERIFY_PROC_NSS; |
| 124 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) | 126 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) |
| 125 return CERT_VERIFY_PROC_OPENSSL; | 127 return CERT_VERIFY_PROC_OPENSSL; |
| (...skipping 29 matching lines...) Expand all Loading... |
| 155 case CERT_VERIFY_PROC_OPENSSL: | 157 case CERT_VERIFY_PROC_OPENSSL: |
| 156 return "CertVerifyProcOpenSSL"; | 158 return "CertVerifyProcOpenSSL"; |
| 157 case CERT_VERIFY_PROC_ANDROID: | 159 case CERT_VERIFY_PROC_ANDROID: |
| 158 return "CertVerifyProcAndroid"; | 160 return "CertVerifyProcAndroid"; |
| 159 case CERT_VERIFY_PROC_IOS: | 161 case CERT_VERIFY_PROC_IOS: |
| 160 return "CertVerifyProcIOS"; | 162 return "CertVerifyProcIOS"; |
| 161 case CERT_VERIFY_PROC_MAC: | 163 case CERT_VERIFY_PROC_MAC: |
| 162 return "CertVerifyProcMac"; | 164 return "CertVerifyProcMac"; |
| 163 case CERT_VERIFY_PROC_WIN: | 165 case CERT_VERIFY_PROC_WIN: |
| 164 return "CertVerifyProcWin"; | 166 return "CertVerifyProcWin"; |
| 167 case CERT_VERIFY_PROC_BUILTIN: |
| 168 return "CertVerifyProcBuiltin"; |
| 165 } | 169 } |
| 166 | 170 |
| 167 return nullptr; | 171 return nullptr; |
| 168 } | 172 } |
| 169 | 173 |
| 170 // The set of all CertVerifyProcTypes that tests should be | 174 // The set of all CertVerifyProcTypes that tests should be |
| 171 // parameterized on. | 175 // parameterized on. |
| 172 const std::vector<CertVerifyProcType> kAllCertVerifiers = { | 176 const std::vector<CertVerifyProcType> kAllCertVerifiers = { |
| 173 GetDefaultCertVerifyProcType()}; | 177 GetDefaultCertVerifyProcType() |
| 178 |
| 179 // TODO(crbug.com/649017): Enable this everywhere. Right now this is |
| 180 // gated on having CertVerifyProcBuiltin understand the roots added |
| 181 // via TestRootCerts. |
| 182 #if defined(USE_NSS_CERTS) |
| 183 , |
| 184 CERT_VERIFY_PROC_BUILTIN |
| 185 #endif |
| 186 }; |
| 174 | 187 |
| 175 } // namespace | 188 } // namespace |
| 176 | 189 |
| 177 // This fixture is for tests that apply to concrete implementations of | 190 // This fixture is for tests that apply to concrete implementations of |
| 178 // CertVerifyProc. It will be run for all of the concrete | 191 // CertVerifyProc. It will be run for all of the concrete CertVerifyProc types. |
| 179 // CertVerifyProc types. | |
| 180 // | 192 // |
| 181 // It is called "Internal" as it tests the internal methods like | 193 // It is called "Internal" as it tests the internal methods like |
| 182 // "VerifyInternal()". | 194 // "VerifyInternal()". |
| 183 class CertVerifyProcInternalTest | 195 class CertVerifyProcInternalTest |
| 184 : public testing::TestWithParam<CertVerifyProcType> { | 196 : public testing::TestWithParam<CertVerifyProcType> { |
| 185 protected: | 197 protected: |
| 186 void SetUp() override { | 198 void SetUp() override { |
| 187 EXPECT_EQ(verify_proc_type(), GetDefaultCertVerifyProcType()); | 199 CertVerifyProcType type = verify_proc_type(); |
| 188 verify_proc_ = CertVerifyProc::CreateDefault(); | 200 if (type == CERT_VERIFY_PROC_BUILTIN) { |
| 201 verify_proc_ = CreateCertVerifyProcBuiltin(); |
| 202 } else if (type == GetDefaultCertVerifyProcType()) { |
| 203 verify_proc_ = CertVerifyProc::CreateDefault(); |
| 204 } else { |
| 205 ADD_FAILURE() << "Unhandled CertVerifyProcType"; |
| 206 } |
| 189 } | 207 } |
| 190 | 208 |
| 191 int Verify(X509Certificate* cert, | 209 int Verify(X509Certificate* cert, |
| 192 const std::string& hostname, | 210 const std::string& hostname, |
| 193 int flags, | 211 int flags, |
| 194 CRLSet* crl_set, | 212 CRLSet* crl_set, |
| 195 const CertificateList& additional_trust_anchors, | 213 const CertificateList& additional_trust_anchors, |
| 196 CertVerifyResult* verify_result) { | 214 CertVerifyResult* verify_result) { |
| 197 return verify_proc_->Verify(cert, hostname, std::string(), flags, crl_set, | 215 return verify_proc_->Verify(cert, hostname, std::string(), flags, crl_set, |
| 198 additional_trust_anchors, verify_result); | 216 additional_trust_anchors, verify_result); |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 236 // (recoverable) invalid certificate errors. | 254 // (recoverable) invalid certificate errors. |
| 237 if (verify_proc_type() == CERT_VERIFY_PROC_MAC && | 255 if (verify_proc_type() == CERT_VERIFY_PROC_MAC && |
| 238 base::mac::IsAtLeastOS10_12()) { | 256 base::mac::IsAtLeastOS10_12()) { |
| 239 return true; | 257 return true; |
| 240 } | 258 } |
| 241 #endif | 259 #endif |
| 242 return false; | 260 return false; |
| 243 } | 261 } |
| 244 | 262 |
| 245 bool SupportsCRLSet() const { | 263 bool SupportsCRLSet() const { |
| 264 // TODO(crbug.com/649017): Return true for CERT_VERIFY_PROC_BUILTIN. |
| 246 return verify_proc_type() == CERT_VERIFY_PROC_NSS || | 265 return verify_proc_type() == CERT_VERIFY_PROC_NSS || |
| 247 verify_proc_type() == CERT_VERIFY_PROC_WIN || | 266 verify_proc_type() == CERT_VERIFY_PROC_WIN || |
| 248 verify_proc_type() == CERT_VERIFY_PROC_MAC; | 267 verify_proc_type() == CERT_VERIFY_PROC_MAC; |
| 249 } | 268 } |
| 250 | 269 |
| 251 bool SupportsCRLSetsInPathBuilding() const { | 270 bool SupportsCRLSetsInPathBuilding() const { |
| 271 // TODO(crbug.com/649017): Return true for CERT_VERIFY_PROC_BUILTIN. |
| 252 return verify_proc_type() == CERT_VERIFY_PROC_WIN || | 272 return verify_proc_type() == CERT_VERIFY_PROC_WIN || |
| 253 verify_proc_type() == CERT_VERIFY_PROC_NSS; | 273 verify_proc_type() == CERT_VERIFY_PROC_NSS; |
| 254 } | 274 } |
| 255 | 275 |
| 256 CertVerifyProc* verify_proc() const { return verify_proc_.get(); } | 276 CertVerifyProc* verify_proc() const { return verify_proc_.get(); } |
| 257 | 277 |
| 258 private: | 278 private: |
| 259 scoped_refptr<CertVerifyProc> verify_proc_; | 279 scoped_refptr<CertVerifyProc> verify_proc_; |
| 260 }; | 280 }; |
| 261 | 281 |
| (...skipping 860 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1122 | 1142 |
| 1123 // |public_key_hashes| does not have an ordering guarantee. | 1143 // |public_key_hashes| does not have an ordering guarantee. |
| 1124 EXPECT_THAT(expected_public_key_hashes, | 1144 EXPECT_THAT(expected_public_key_hashes, |
| 1125 testing::UnorderedElementsAreArray(public_key_hash_strings)); | 1145 testing::UnorderedElementsAreArray(public_key_hash_strings)); |
| 1126 } | 1146 } |
| 1127 | 1147 |
| 1128 // A regression test for http://crbug.com/70293. | 1148 // A regression test for http://crbug.com/70293. |
| 1129 // The Key Usage extension in this RSA SSL server certificate does not have | 1149 // The Key Usage extension in this RSA SSL server certificate does not have |
| 1130 // the keyEncipherment bit. | 1150 // the keyEncipherment bit. |
| 1131 TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) { | 1151 TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) { |
| 1152 if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) { |
| 1153 LOG(INFO) << "TODO(crbug.com/649017): Skipping test as not yet implemented " |
| 1154 "in builting verifier"; |
| 1155 return; |
| 1156 } |
| 1132 base::FilePath certs_dir = GetTestCertsDirectory(); | 1157 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 1133 | 1158 |
| 1134 scoped_refptr<X509Certificate> server_cert = | 1159 scoped_refptr<X509Certificate> server_cert = |
| 1135 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); | 1160 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); |
| 1136 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); | 1161 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); |
| 1137 | 1162 |
| 1138 int flags = 0; | 1163 int flags = 0; |
| 1139 CertVerifyResult verify_result; | 1164 CertVerifyResult verify_result; |
| 1140 int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL, | 1165 int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL, |
| 1141 CertificateList(), &verify_result); | 1166 CertificateList(), &verify_result); |
| (...skipping 1168 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2310 int flags = 0; | 2335 int flags = 0; |
| 2311 CertVerifyResult verify_result; | 2336 CertVerifyResult verify_result; |
| 2312 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, | 2337 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, |
| 2313 NULL, CertificateList(), &verify_result); | 2338 NULL, CertificateList(), &verify_result); |
| 2314 EXPECT_EQ(OK, error); | 2339 EXPECT_EQ(OK, error); |
| 2315 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); | 2340 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); |
| 2316 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); | 2341 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); |
| 2317 } | 2342 } |
| 2318 | 2343 |
| 2319 } // namespace net | 2344 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2755483008:
Add initial CertVerifyProcBuiltin. (Closed)
