| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/files/file_util.h" | 8 #include "base/files/file_util.h" |
| 9 #include "base/path_service.h" | 9 #include "base/path_service.h" |
| 10 #include "net/cert/internal/cert_issuer_source_static.h" | 10 #include "net/cert/internal/cert_issuer_source_static.h" |
| (...skipping 200 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 211 CertPathBuilder::Result result; | 211 CertPathBuilder::Result result; |
| 212 CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_, | 212 CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_, |
| 213 expired_time, &result); | 213 expired_time, &result); |
| 214 path_builder.AddCertIssuerSource(&sync_certs); | 214 path_builder.AddCertIssuerSource(&sync_certs); |
| 215 | 215 |
| 216 path_builder.Run(); | 216 path_builder.Run(); |
| 217 | 217 |
| 218 EXPECT_FALSE(result.HasValidPath()); | 218 EXPECT_FALSE(result.HasValidPath()); |
| 219 ASSERT_EQ(2U, result.paths.size()); | 219 ASSERT_EQ(2U, result.paths.size()); |
| 220 | 220 |
| 221 EXPECT_FALSE(result.paths[0]->valid); | 221 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 222 const auto& path0 = result.paths[0]->path; | 222 const auto& path0 = result.paths[0]->path; |
| 223 ASSERT_EQ(2U, path0.certs.size()); | 223 ASSERT_EQ(2U, path0.certs.size()); |
| 224 EXPECT_EQ(b_by_c_, path0.certs[0]); | 224 EXPECT_EQ(b_by_c_, path0.certs[0]); |
| 225 EXPECT_EQ(c_by_d_, path0.certs[1]); | 225 EXPECT_EQ(c_by_d_, path0.certs[1]); |
| 226 EXPECT_EQ(d_by_d_, path0.trust_anchor->cert()); | 226 EXPECT_EQ(d_by_d_, path0.trust_anchor->cert()); |
| 227 | 227 |
| 228 const auto& path1 = result.paths[1]->path; | 228 const auto& path1 = result.paths[1]->path; |
| 229 ASSERT_EQ(3U, path1.certs.size()); | 229 ASSERT_EQ(3U, path1.certs.size()); |
| 230 EXPECT_EQ(b_by_c_, path1.certs[0]); | 230 EXPECT_EQ(b_by_c_, path1.certs[0]); |
| 231 EXPECT_EQ(c_by_d_, path1.certs[1]); | 231 EXPECT_EQ(c_by_d_, path1.certs[1]); |
| (...skipping 272 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 504 path_builder.AddCertIssuerSource(&sync_certs); | 504 path_builder.AddCertIssuerSource(&sync_certs); |
| 505 | 505 |
| 506 path_builder.Run(); | 506 path_builder.Run(); |
| 507 | 507 |
| 508 EXPECT_TRUE(result.HasValidPath()); | 508 EXPECT_TRUE(result.HasValidPath()); |
| 509 | 509 |
| 510 // Path builder will first attempt: target <- newintermediate <- oldroot | 510 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 511 // but it will fail since newintermediate is signed by newroot. | 511 // but it will fail since newintermediate is signed by newroot. |
| 512 ASSERT_EQ(2U, result.paths.size()); | 512 ASSERT_EQ(2U, result.paths.size()); |
| 513 const auto& path0 = result.paths[0]->path; | 513 const auto& path0 = result.paths[0]->path; |
| 514 EXPECT_FALSE(result.paths[0]->valid); | 514 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 515 ASSERT_EQ(2U, path0.certs.size()); | 515 ASSERT_EQ(2U, path0.certs.size()); |
| 516 EXPECT_EQ(target_, path0.certs[0]); | 516 EXPECT_EQ(target_, path0.certs[0]); |
| 517 EXPECT_EQ(newintermediate_, path0.certs[1]); | 517 EXPECT_EQ(newintermediate_, path0.certs[1]); |
| 518 EXPECT_EQ(oldroot_, path0.trust_anchor); | 518 EXPECT_EQ(oldroot_, path0.trust_anchor); |
| 519 | 519 |
| 520 // Path builder will next attempt: | 520 // Path builder will next attempt: |
| 521 // target <- newintermediate <- newrootrollover <- oldroot | 521 // target <- newintermediate <- newrootrollover <- oldroot |
| 522 // which will succeed. | 522 // which will succeed. |
| 523 const auto& path1 = result.paths[1]->path; | 523 const auto& path1 = result.paths[1]->path; |
| 524 EXPECT_EQ(1U, result.best_result_index); | 524 EXPECT_EQ(1U, result.best_result_index); |
| 525 EXPECT_TRUE(result.paths[1]->valid); | 525 EXPECT_TRUE(result.paths[1]->IsValid()); |
| 526 ASSERT_EQ(3U, path1.certs.size()); | 526 ASSERT_EQ(3U, path1.certs.size()); |
| 527 EXPECT_EQ(target_, path1.certs[0]); | 527 EXPECT_EQ(target_, path1.certs[0]); |
| 528 EXPECT_EQ(newintermediate_, path1.certs[1]); | 528 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 529 EXPECT_EQ(newrootrollover_, path1.certs[2]); | 529 EXPECT_EQ(newrootrollover_, path1.certs[2]); |
| 530 EXPECT_EQ(oldroot_, path1.trust_anchor); | 530 EXPECT_EQ(oldroot_, path1.trust_anchor); |
| 531 } | 531 } |
| 532 | 532 |
| 533 // Tests that if both old and new roots are trusted it can build a path through | 533 // Tests that if both old and new roots are trusted it can build a path through |
| 534 // either. | 534 // either. |
| 535 // TODO(mattm): Once prioritization is implemented, it should test that it | 535 // TODO(mattm): Once prioritization is implemented, it should test that it |
| (...skipping 18 matching lines...) Expand all Loading... |
| 554 path_builder.Run(); | 554 path_builder.Run(); |
| 555 | 555 |
| 556 EXPECT_TRUE(result.HasValidPath()); | 556 EXPECT_TRUE(result.HasValidPath()); |
| 557 | 557 |
| 558 // Path builder willattempt one of: | 558 // Path builder willattempt one of: |
| 559 // target <- oldintermediate <- oldroot | 559 // target <- oldintermediate <- oldroot |
| 560 // target <- newintermediate <- newroot | 560 // target <- newintermediate <- newroot |
| 561 // either will succeed. | 561 // either will succeed. |
| 562 ASSERT_EQ(1U, result.paths.size()); | 562 ASSERT_EQ(1U, result.paths.size()); |
| 563 const auto& path = result.paths[0]->path; | 563 const auto& path = result.paths[0]->path; |
| 564 EXPECT_TRUE(result.paths[0]->valid); | 564 EXPECT_TRUE(result.paths[0]->IsValid()); |
| 565 ASSERT_EQ(2U, path.certs.size()); | 565 ASSERT_EQ(2U, path.certs.size()); |
| 566 EXPECT_EQ(target_, path.certs[0]); | 566 EXPECT_EQ(target_, path.certs[0]); |
| 567 if (path.certs[1] != newintermediate_) { | 567 if (path.certs[1] != newintermediate_) { |
| 568 DVLOG(1) << "USED OLD"; | 568 DVLOG(1) << "USED OLD"; |
| 569 EXPECT_EQ(oldintermediate_, path.certs[1]); | 569 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 570 EXPECT_EQ(oldroot_, path.trust_anchor); | 570 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 571 } else { | 571 } else { |
| 572 DVLOG(1) << "USED NEW"; | 572 DVLOG(1) << "USED NEW"; |
| 573 EXPECT_EQ(newintermediate_, path.certs[1]); | 573 EXPECT_EQ(newintermediate_, path.certs[1]); |
| 574 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 574 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 620 path_builder.AddCertIssuerSource(&sync_certs); | 620 path_builder.AddCertIssuerSource(&sync_certs); |
| 621 | 621 |
| 622 path_builder.Run(); | 622 path_builder.Run(); |
| 623 | 623 |
| 624 EXPECT_TRUE(result.HasValidPath()); | 624 EXPECT_TRUE(result.HasValidPath()); |
| 625 ASSERT_EQ(2U, result.paths.size()); | 625 ASSERT_EQ(2U, result.paths.size()); |
| 626 | 626 |
| 627 { | 627 { |
| 628 // Path builder may first attempt: target <- oldintermediate <- newroot | 628 // Path builder may first attempt: target <- oldintermediate <- newroot |
| 629 // but it will fail since oldintermediate is signed by oldroot. | 629 // but it will fail since oldintermediate is signed by oldroot. |
| 630 EXPECT_FALSE(result.paths[0]->valid); | 630 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 631 const auto& path = result.paths[0]->path; | 631 const auto& path = result.paths[0]->path; |
| 632 ASSERT_EQ(2U, path.certs.size()); | 632 ASSERT_EQ(2U, path.certs.size()); |
| 633 EXPECT_EQ(target_, path.certs[0]); | 633 EXPECT_EQ(target_, path.certs[0]); |
| 634 EXPECT_EQ(oldintermediate_, path.certs[1]); | 634 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 635 EXPECT_EQ(newroot_, path.trust_anchor->cert()); | 635 EXPECT_EQ(newroot_, path.trust_anchor->cert()); |
| 636 } | 636 } |
| 637 | 637 |
| 638 { | 638 { |
| 639 // Path builder will next attempt: | 639 // Path builder will next attempt: |
| 640 // target <- old intermediate <- oldroot | 640 // target <- old intermediate <- oldroot |
| 641 // which should succeed. | 641 // which should succeed. |
| 642 EXPECT_TRUE(result.paths[result.best_result_index]->valid); | 642 EXPECT_TRUE(result.paths[result.best_result_index]->IsValid()); |
| 643 const auto& path = result.paths[result.best_result_index]->path; | 643 const auto& path = result.paths[result.best_result_index]->path; |
| 644 ASSERT_EQ(2U, path.certs.size()); | 644 ASSERT_EQ(2U, path.certs.size()); |
| 645 EXPECT_EQ(target_, path.certs[0]); | 645 EXPECT_EQ(target_, path.certs[0]); |
| 646 EXPECT_EQ(oldintermediate_, path.certs[1]); | 646 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 647 EXPECT_EQ(oldroot_, path.trust_anchor); | 647 EXPECT_EQ(oldroot_, path.trust_anchor); |
| 648 } | 648 } |
| 649 } | 649 } |
| 650 | 650 |
| 651 // Tests that the path builder doesn't build longer than necessary paths. | 651 // Tests that the path builder doesn't build longer than necessary paths. |
| 652 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { | 652 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { |
| (...skipping 17 matching lines...) Expand all Loading... |
| 670 path_builder.AddCertIssuerSource(&sync_certs); | 670 path_builder.AddCertIssuerSource(&sync_certs); |
| 671 path_builder.AddCertIssuerSource(&async_certs); | 671 path_builder.AddCertIssuerSource(&async_certs); |
| 672 | 672 |
| 673 path_builder.Run(); | 673 path_builder.Run(); |
| 674 | 674 |
| 675 EXPECT_TRUE(result.HasValidPath()); | 675 EXPECT_TRUE(result.HasValidPath()); |
| 676 ASSERT_EQ(3U, result.paths.size()); | 676 ASSERT_EQ(3U, result.paths.size()); |
| 677 | 677 |
| 678 // Path builder will first attempt: target <- newintermediate <- oldroot | 678 // Path builder will first attempt: target <- newintermediate <- oldroot |
| 679 // but it will fail since newintermediate is signed by newroot. | 679 // but it will fail since newintermediate is signed by newroot. |
| 680 EXPECT_FALSE(result.paths[0]->valid); | 680 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 681 const auto& path0 = result.paths[0]->path; | 681 const auto& path0 = result.paths[0]->path; |
| 682 ASSERT_EQ(2U, path0.certs.size()); | 682 ASSERT_EQ(2U, path0.certs.size()); |
| 683 EXPECT_EQ(target_, path0.certs[0]); | 683 EXPECT_EQ(target_, path0.certs[0]); |
| 684 EXPECT_EQ(newintermediate_, path0.certs[1]); | 684 EXPECT_EQ(newintermediate_, path0.certs[1]); |
| 685 EXPECT_EQ(oldroot_, path0.trust_anchor); | 685 EXPECT_EQ(oldroot_, path0.trust_anchor); |
| 686 | 686 |
| 687 // Path builder will next attempt: | 687 // Path builder will next attempt: |
| 688 // target <- newintermediate <- newroot <- oldroot | 688 // target <- newintermediate <- newroot <- oldroot |
| 689 // but it will fail since newroot is self-signed. | 689 // but it will fail since newroot is self-signed. |
| 690 EXPECT_FALSE(result.paths[1]->valid); | 690 EXPECT_FALSE(result.paths[1]->IsValid()); |
| 691 const auto& path1 = result.paths[1]->path; | 691 const auto& path1 = result.paths[1]->path; |
| 692 ASSERT_EQ(3U, path1.certs.size()); | 692 ASSERT_EQ(3U, path1.certs.size()); |
| 693 EXPECT_EQ(target_, path1.certs[0]); | 693 EXPECT_EQ(target_, path1.certs[0]); |
| 694 EXPECT_EQ(newintermediate_, path1.certs[1]); | 694 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 695 EXPECT_EQ(newroot_, path1.certs[2]); | 695 EXPECT_EQ(newroot_, path1.certs[2]); |
| 696 EXPECT_EQ(oldroot_, path1.trust_anchor); | 696 EXPECT_EQ(oldroot_, path1.trust_anchor); |
| 697 | 697 |
| 698 // Path builder will skip: | 698 // Path builder will skip: |
| 699 // target <- newintermediate <- newroot <- newrootrollover <- ... | 699 // target <- newintermediate <- newroot <- newrootrollover <- ... |
| 700 // Since newroot and newrootrollover have the same Name+SAN+SPKI. | 700 // Since newroot and newrootrollover have the same Name+SAN+SPKI. |
| 701 | 701 |
| 702 // Finally path builder will use: | 702 // Finally path builder will use: |
| 703 // target <- newintermediate <- newrootrollover <- oldroot | 703 // target <- newintermediate <- newrootrollover <- oldroot |
| 704 EXPECT_EQ(2U, result.best_result_index); | 704 EXPECT_EQ(2U, result.best_result_index); |
| 705 EXPECT_TRUE(result.paths[2]->valid); | 705 EXPECT_TRUE(result.paths[2]->IsValid()); |
| 706 const auto& path2 = result.paths[2]->path; | 706 const auto& path2 = result.paths[2]->path; |
| 707 ASSERT_EQ(3U, path2.certs.size()); | 707 ASSERT_EQ(3U, path2.certs.size()); |
| 708 EXPECT_EQ(target_, path2.certs[0]); | 708 EXPECT_EQ(target_, path2.certs[0]); |
| 709 EXPECT_EQ(newintermediate_, path2.certs[1]); | 709 EXPECT_EQ(newintermediate_, path2.certs[1]); |
| 710 EXPECT_EQ(newrootrollover_, path2.certs[2]); | 710 EXPECT_EQ(newrootrollover_, path2.certs[2]); |
| 711 EXPECT_EQ(oldroot_, path2.trust_anchor); | 711 EXPECT_EQ(oldroot_, path2.trust_anchor); |
| 712 } | 712 } |
| 713 | 713 |
| 714 // If the target cert is a trust anchor, however is not itself *signed* by a | 714 // If the target cert is a trust anchor, however is not itself *signed* by a |
| 715 // trust anchor, then it is not considered valid (the SPKI and name of the | 715 // trust anchor, then it is not considered valid (the SPKI and name of the |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 771 time_, &result); | 771 time_, &result); |
| 772 | 772 |
| 773 path_builder.Run(); | 773 path_builder.Run(); |
| 774 | 774 |
| 775 ASSERT_TRUE(result.HasValidPath()); | 775 ASSERT_TRUE(result.HasValidPath()); |
| 776 | 776 |
| 777 const CertPathBuilder::ResultPath* best_result = result.GetBestValidPath(); | 777 const CertPathBuilder::ResultPath* best_result = result.GetBestValidPath(); |
| 778 | 778 |
| 779 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and | 779 // Newroot has same name+SPKI as newrootrollover, thus the path is valid and |
| 780 // only contains newroot. | 780 // only contains newroot. |
| 781 EXPECT_TRUE(best_result->valid); | 781 EXPECT_TRUE(best_result->IsValid()); |
| 782 ASSERT_EQ(1U, best_result->path.certs.size()); | 782 ASSERT_EQ(1U, best_result->path.certs.size()); |
| 783 EXPECT_EQ(newroot_, best_result->path.certs[0]); | 783 EXPECT_EQ(newroot_, best_result->path.certs[0]); |
| 784 EXPECT_EQ(newrootrollover_, best_result->path.trust_anchor->cert()); | 784 EXPECT_EQ(newrootrollover_, best_result->path.trust_anchor->cert()); |
| 785 } | 785 } |
| 786 | 786 |
| 787 // Test that PathBuilder will not try the same path twice if multiple | 787 // Test that PathBuilder will not try the same path twice if multiple |
| 788 // CertIssuerSources provide the same certificate. | 788 // CertIssuerSources provide the same certificate. |
| 789 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { | 789 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { |
| 790 // Create a separate copy of oldintermediate. | 790 // Create a separate copy of oldintermediate. |
| 791 scoped_refptr<ParsedCertificate> oldintermediate_dupe( | 791 scoped_refptr<ParsedCertificate> oldintermediate_dupe( |
| (...skipping 29 matching lines...) Expand all Loading... |
| 821 path_builder.AddCertIssuerSource(&sync_certs2); | 821 path_builder.AddCertIssuerSource(&sync_certs2); |
| 822 path_builder.AddCertIssuerSource(&async_certs); | 822 path_builder.AddCertIssuerSource(&async_certs); |
| 823 | 823 |
| 824 path_builder.Run(); | 824 path_builder.Run(); |
| 825 | 825 |
| 826 EXPECT_TRUE(result.HasValidPath()); | 826 EXPECT_TRUE(result.HasValidPath()); |
| 827 ASSERT_EQ(2U, result.paths.size()); | 827 ASSERT_EQ(2U, result.paths.size()); |
| 828 | 828 |
| 829 // Path builder will first attempt: target <- oldintermediate <- newroot | 829 // Path builder will first attempt: target <- oldintermediate <- newroot |
| 830 // but it will fail since oldintermediate is signed by oldroot. | 830 // but it will fail since oldintermediate is signed by oldroot. |
| 831 EXPECT_FALSE(result.paths[0]->valid); | 831 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 832 const auto& path0 = result.paths[0]->path; | 832 const auto& path0 = result.paths[0]->path; |
| 833 | 833 |
| 834 ASSERT_EQ(2U, path0.certs.size()); | 834 ASSERT_EQ(2U, path0.certs.size()); |
| 835 EXPECT_EQ(target_, path0.certs[0]); | 835 EXPECT_EQ(target_, path0.certs[0]); |
| 836 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 836 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 837 // of oldintermediate was used in the path. | 837 // of oldintermediate was used in the path. |
| 838 EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert()); | 838 EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert()); |
| 839 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | 839 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); |
| 840 | 840 |
| 841 // Path builder will next attempt: target <- newintermediate <- newroot | 841 // Path builder will next attempt: target <- newintermediate <- newroot |
| 842 // which will succeed. | 842 // which will succeed. |
| 843 EXPECT_EQ(1U, result.best_result_index); | 843 EXPECT_EQ(1U, result.best_result_index); |
| 844 EXPECT_TRUE(result.paths[1]->valid); | 844 EXPECT_TRUE(result.paths[1]->IsValid()); |
| 845 const auto& path1 = result.paths[1]->path; | 845 const auto& path1 = result.paths[1]->path; |
| 846 ASSERT_EQ(2U, path1.certs.size()); | 846 ASSERT_EQ(2U, path1.certs.size()); |
| 847 EXPECT_EQ(target_, path1.certs[0]); | 847 EXPECT_EQ(target_, path1.certs[0]); |
| 848 EXPECT_EQ(newintermediate_, path1.certs[1]); | 848 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 849 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 849 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 850 } | 850 } |
| 851 | 851 |
| 852 // Test when PathBuilder is given a cert CertIssuerSources that has the same | 852 // Test when PathBuilder is given a cert CertIssuerSources that has the same |
| 853 // SPKI as a TrustAnchor. | 853 // SPKI as a TrustAnchor. |
| 854 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { | 854 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { |
| (...skipping 19 matching lines...) Expand all Loading... |
| 874 path_builder.AddCertIssuerSource(&sync_certs); | 874 path_builder.AddCertIssuerSource(&sync_certs); |
| 875 | 875 |
| 876 path_builder.Run(); | 876 path_builder.Run(); |
| 877 | 877 |
| 878 EXPECT_FALSE(result.HasValidPath()); | 878 EXPECT_FALSE(result.HasValidPath()); |
| 879 ASSERT_EQ(2U, result.paths.size()); | 879 ASSERT_EQ(2U, result.paths.size()); |
| 880 // TODO(eroman): Is this right? | 880 // TODO(eroman): Is this right? |
| 881 | 881 |
| 882 // Path builder attempt: target <- oldintermediate <- newroot | 882 // Path builder attempt: target <- oldintermediate <- newroot |
| 883 // but it will fail since oldintermediate is signed by oldroot. | 883 // but it will fail since oldintermediate is signed by oldroot. |
| 884 EXPECT_FALSE(result.paths[0]->valid); | 884 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 885 const auto& path = result.paths[0]->path; | 885 const auto& path = result.paths[0]->path; |
| 886 ASSERT_EQ(2U, path.certs.size()); | 886 ASSERT_EQ(2U, path.certs.size()); |
| 887 EXPECT_EQ(target_, path.certs[0]); | 887 EXPECT_EQ(target_, path.certs[0]); |
| 888 EXPECT_EQ(oldintermediate_, path.certs[1]); | 888 EXPECT_EQ(oldintermediate_, path.certs[1]); |
| 889 // Compare the DER instead of ParsedCertificate pointer, don't care which copy | 889 // Compare the DER instead of ParsedCertificate pointer, don't care which copy |
| 890 // of newroot was used in the path. | 890 // of newroot was used in the path. |
| 891 EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert()); | 891 EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert()); |
| 892 } | 892 } |
| 893 | 893 |
| 894 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { | 894 class MockCertIssuerSourceRequest : public CertIssuerSource::Request { |
| (...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 989 // Note that VerifyAndClearExpectations(target_issuers_req) is not called | 989 // Note that VerifyAndClearExpectations(target_issuers_req) is not called |
| 990 // here. PathBuilder could have destroyed it already, so just let the | 990 // here. PathBuilder could have destroyed it already, so just let the |
| 991 // expectations get checked by the destructor. | 991 // expectations get checked by the destructor. |
| 992 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 992 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 993 | 993 |
| 994 EXPECT_TRUE(result.HasValidPath()); | 994 EXPECT_TRUE(result.HasValidPath()); |
| 995 ASSERT_EQ(2U, result.paths.size()); | 995 ASSERT_EQ(2U, result.paths.size()); |
| 996 | 996 |
| 997 // Path builder first attempts: target <- oldintermediate <- newroot | 997 // Path builder first attempts: target <- oldintermediate <- newroot |
| 998 // but it will fail since oldintermediate is signed by oldroot. | 998 // but it will fail since oldintermediate is signed by oldroot. |
| 999 EXPECT_FALSE(result.paths[0]->valid); | 999 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 1000 const auto& path0 = result.paths[0]->path; | 1000 const auto& path0 = result.paths[0]->path; |
| 1001 ASSERT_EQ(2U, path0.certs.size()); | 1001 ASSERT_EQ(2U, path0.certs.size()); |
| 1002 EXPECT_EQ(target_, path0.certs[0]); | 1002 EXPECT_EQ(target_, path0.certs[0]); |
| 1003 EXPECT_EQ(oldintermediate_, path0.certs[1]); | 1003 EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| 1004 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | 1004 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); |
| 1005 | 1005 |
| 1006 // After the second batch of async results, path builder will attempt: | 1006 // After the second batch of async results, path builder will attempt: |
| 1007 // target <- newintermediate <- newroot which will succeed. | 1007 // target <- newintermediate <- newroot which will succeed. |
| 1008 EXPECT_TRUE(result.paths[1]->valid); | 1008 EXPECT_TRUE(result.paths[1]->IsValid()); |
| 1009 const auto& path1 = result.paths[1]->path; | 1009 const auto& path1 = result.paths[1]->path; |
| 1010 ASSERT_EQ(2U, path1.certs.size()); | 1010 ASSERT_EQ(2U, path1.certs.size()); |
| 1011 EXPECT_EQ(target_, path1.certs[0]); | 1011 EXPECT_EQ(target_, path1.certs[0]); |
| 1012 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1012 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1013 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 1013 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1014 } | 1014 } |
| 1015 | 1015 |
| 1016 // Test that PathBuilder will not try the same path twice if CertIssuerSources | 1016 // Test that PathBuilder will not try the same path twice if CertIssuerSources |
| 1017 // asynchronously provide the same certificate multiple times. | 1017 // asynchronously provide the same certificate multiple times. |
| 1018 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { | 1018 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1075 // Ensure pathbuilder finished and filled result. | 1075 // Ensure pathbuilder finished and filled result. |
| 1076 path_builder.Run(); | 1076 path_builder.Run(); |
| 1077 | 1077 |
| 1078 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); | 1078 ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); |
| 1079 | 1079 |
| 1080 EXPECT_TRUE(result.HasValidPath()); | 1080 EXPECT_TRUE(result.HasValidPath()); |
| 1081 ASSERT_EQ(2U, result.paths.size()); | 1081 ASSERT_EQ(2U, result.paths.size()); |
| 1082 | 1082 |
| 1083 // Path builder first attempts: target <- oldintermediate <- newroot | 1083 // Path builder first attempts: target <- oldintermediate <- newroot |
| 1084 // but it will fail since oldintermediate is signed by oldroot. | 1084 // but it will fail since oldintermediate is signed by oldroot. |
| 1085 EXPECT_FALSE(result.paths[0]->valid); | 1085 EXPECT_FALSE(result.paths[0]->IsValid()); |
| 1086 const auto& path0 = result.paths[0]->path; | 1086 const auto& path0 = result.paths[0]->path; |
| 1087 ASSERT_EQ(2U, path0.certs.size()); | 1087 ASSERT_EQ(2U, path0.certs.size()); |
| 1088 EXPECT_EQ(target_, path0.certs[0]); | 1088 EXPECT_EQ(target_, path0.certs[0]); |
| 1089 EXPECT_EQ(oldintermediate_, path0.certs[1]); | 1089 EXPECT_EQ(oldintermediate_, path0.certs[1]); |
| 1090 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); | 1090 EXPECT_EQ(newroot_, path0.trust_anchor->cert()); |
| 1091 | 1091 |
| 1092 // The second async result does not generate any path. | 1092 // The second async result does not generate any path. |
| 1093 | 1093 |
| 1094 // After the third batch of async results, path builder will attempt: | 1094 // After the third batch of async results, path builder will attempt: |
| 1095 // target <- newintermediate <- newroot which will succeed. | 1095 // target <- newintermediate <- newroot which will succeed. |
| 1096 EXPECT_TRUE(result.paths[1]->valid); | 1096 EXPECT_TRUE(result.paths[1]->IsValid()); |
| 1097 const auto& path1 = result.paths[1]->path; | 1097 const auto& path1 = result.paths[1]->path; |
| 1098 ASSERT_EQ(2U, path1.certs.size()); | 1098 ASSERT_EQ(2U, path1.certs.size()); |
| 1099 EXPECT_EQ(target_, path1.certs[0]); | 1099 EXPECT_EQ(target_, path1.certs[0]); |
| 1100 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1100 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1101 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); | 1101 EXPECT_EQ(newroot_, path1.trust_anchor->cert()); |
| 1102 } | 1102 } |
| 1103 | 1103 |
| 1104 } // namespace | 1104 } // namespace |
| 1105 | 1105 |
| 1106 } // namespace net | 1106 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2759023002:
Improvements to the net/cert/internal error handling. (Closed)
