Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(719)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_unittest.cc

Issue 2813043002: Add tests for keyUsage to the built-in cert verifier. (Closed)
Patch Set: rebase and add test files for ios Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/BUILD.gn ('k') | net/cert/internal/verify_certificate_chain.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc.h" 5 #include "net/cert/cert_verify_proc.h"
6 6
7 #include <vector> 7 #include <vector>
8 8
9 #include "base/callback_helpers.h" 9 #include "base/callback_helpers.h"
10 #include "base/files/file_path.h" 10 #include "base/files/file_path.h"
(...skipping 1181 matching lines...) Expand 10 before | Expand all | Expand 10 after
1192 // Trust anchor 1192 // Trust anchor
1193 "sha1/dJwvO4gEVIZvretArGyBNggjlrQ=", 1193 "sha1/dJwvO4gEVIZvretArGyBNggjlrQ=",
1194 "sha256/z7x1Szes+eQOqJp6rBK3u/tQMs55FYojZHUCFiBcjuc="}; 1194 "sha256/z7x1Szes+eQOqJp6rBK3u/tQMs55FYojZHUCFiBcjuc="};
1195 1195
1196 // |public_key_hashes| does not have an ordering guarantee. 1196 // |public_key_hashes| does not have an ordering guarantee.
1197 EXPECT_THAT(expected_public_key_hashes, 1197 EXPECT_THAT(expected_public_key_hashes,
1198 testing::UnorderedElementsAreArray(public_key_hash_strings)); 1198 testing::UnorderedElementsAreArray(public_key_hash_strings));
1199 } 1199 }
1200 1200
1201 // A regression test for http://crbug.com/70293. 1201 // A regression test for http://crbug.com/70293.
1202 // The Key Usage extension in this RSA SSL server certificate does not have 1202 // The certificate in question has a key purpose of clientAuth, and also lacks
1203 // the keyEncipherment bit. 1203 // the required key usage for serverAuth.
1204 TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) { 1204 TEST_P(CertVerifyProcInternalTest, WrongKeyPurpose) {
1205 if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {
1206 LOG(INFO) << "TODO(crbug.com/649017): Skipping test as not yet implemented "
1207 "in builting verifier";
1208 return;
1209 }
1210 base::FilePath certs_dir = GetTestCertsDirectory(); 1205 base::FilePath certs_dir = GetTestCertsDirectory();
1211 1206
1212 scoped_refptr<X509Certificate> server_cert = 1207 scoped_refptr<X509Certificate> server_cert =
1213 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); 1208 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
1214 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); 1209 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
1215 1210
1216 int flags = 0; 1211 int flags = 0;
1217 CertVerifyResult verify_result; 1212 CertVerifyResult verify_result;
1218 int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL, 1213 int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL,
1219 CertificateList(), &verify_result); 1214 CertificateList(), &verify_result);
1220 1215
1221 // TODO(eroman): Change the test data so results are consistent across 1216 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1222 // verifiers. 1217
1223 if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) { 1218 // TODO(crbug.com/649017): Don't special-case builtin verifier.
1224 // This certificate has two errors: "invalid key usage" and "untrusted CA". 1219 if (verify_proc_type() != CERT_VERIFY_PROC_BUILTIN)
1225 // However, OpenSSL returns only one (the latter), and we can't detect
1226 // the other errors.
1227 EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
1228 } else {
1229 EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
1230 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); 1220 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
1231 } 1221
1232 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors 1222 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
1233 // from NSS. 1223 // from NSS.
1234 if (verify_proc_type() != CERT_VERIFY_PROC_NSS && 1224 if (verify_proc_type() != CERT_VERIFY_PROC_NSS &&
1235 verify_proc_type() != CERT_VERIFY_PROC_IOS &&
1236 verify_proc_type() != CERT_VERIFY_PROC_ANDROID) { 1225 verify_proc_type() != CERT_VERIFY_PROC_ANDROID) {
1237 // The certificate is issued by an unknown CA. 1226 // The certificate is issued by an unknown CA.
1238 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); 1227 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
1239 } 1228 }
1229
1230 // TODO(crbug.com/649017): Don't special-case builtin verifier.
1231 if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL ||
1232 verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {
1233 EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
1234 } else {
1235 EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
1236 }
1240 } 1237 }
1241 1238
1242 // Basic test for returning the chain in CertVerifyResult. Note that the 1239 // Basic test for returning the chain in CertVerifyResult. Note that the
1243 // returned chain may just be a reflection of the originally supplied chain; 1240 // returned chain may just be a reflection of the originally supplied chain;
1244 // that is, if any errors occur, the default chain returned is an exact copy 1241 // that is, if any errors occur, the default chain returned is an exact copy
1245 // of the certificate to be verified. The remaining VerifyReturn* tests are 1242 // of the certificate to be verified. The remaining VerifyReturn* tests are
1246 // used to ensure that the actual, verified chain is being returned by 1243 // used to ensure that the actual, verified chain is being returned by
1247 // Verify(). 1244 // Verify().
1248 TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) { 1245 TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) {
1249 if (!SupportsReturningVerifiedChain()) { 1246 if (!SupportsReturningVerifiedChain()) {
(...skipping 1138 matching lines...) Expand 10 before | Expand all | Expand 10 after
2388 int flags = 0; 2385 int flags = 0;
2389 CertVerifyResult verify_result; 2386 CertVerifyResult verify_result;
2390 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags, 2387 int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
2391 NULL, CertificateList(), &verify_result); 2388 NULL, CertificateList(), &verify_result);
2392 EXPECT_EQ(OK, error); 2389 EXPECT_EQ(OK, error);
2393 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0); 2390 histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
2394 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0); 2391 histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
2395 } 2392 }
2396 2393
2397 } // namespace net 2394 } // namespace net
OLDNEW
« no previous file with comments | « net/BUILD.gn ('k') | net/cert/internal/verify_certificate_chain.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698