Chromium Code Reviews Chromium Code Reviews
Issue 2854263004:
Add tests for PathBuilder when certificates are distrusted. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/files/file_util.h" | 8 #include "base/files/file_util.h" |
| 9 #include "base/path_service.h" | 9 #include "base/path_service.h" |
| 10 #include "net/cert/internal/cert_issuer_source_static.h" | 10 #include "net/cert/internal/cert_issuer_source_static.h" |
| (...skipping 415 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 426 } | 426 } |
| 427 | 427 |
| 428 class PathBuilderKeyRolloverTest : public ::testing::Test { | 428 class PathBuilderKeyRolloverTest : public ::testing::Test { |
| 429 public: | 429 public: |
| 430 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} | 430 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} |
| 431 | 431 |
| 432 void SetUp() override { | 432 void SetUp() override { |
| 433 ParsedCertificateList path; | 433 ParsedCertificateList path; |
| 434 | 434 |
| 435 VerifyCertChainTest test; | 435 VerifyCertChainTest test; |
| 436 ReadVerifyCertChainTestFromFile( | 436 ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| 437 "net/data/verify_certificate_chain_unittest/key-rollover/oldchain.test", | 437 "net/data/verify_certificate_chain_unittest/key-rollover/oldchain.test", |
| 438 &test); | 438 &test)); |
| 439 path = test.chain; | 439 path = test.chain; |
| 440 ASSERT_EQ(3U, path.size()); | 440 ASSERT_EQ(3U, path.size()); |
| 441 target_ = path[0]; | 441 target_ = path[0]; |
| 442 oldintermediate_ = path[1]; | 442 oldintermediate_ = path[1]; |
| 443 oldroot_ = path[2]; | 443 oldroot_ = path[2]; |
| 444 time_ = test.time; | 444 time_ = test.time; |
| 445 | 445 |
| 446 ASSERT_TRUE(target_); | 446 ASSERT_TRUE(target_); |
| 447 ASSERT_TRUE(oldintermediate_); | 447 ASSERT_TRUE(oldintermediate_); |
| 448 | 448 |
| 449 ReadVerifyCertChainTestFromFile( | 449 ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| 450 "net/data/verify_certificate_chain_unittest/" | 450 "net/data/verify_certificate_chain_unittest/" |
| 451 "key-rollover/longrolloverchain.test", | 451 "key-rollover/longrolloverchain.test", |
| 452 &test); | 452 &test)); |
| 453 path = test.chain; | 453 path = test.chain; |
| 454 | 454 |
| 455 ASSERT_EQ(5U, path.size()); | 455 ASSERT_EQ(5U, path.size()); |
| 456 newintermediate_ = path[1]; | 456 newintermediate_ = path[1]; |
| 457 newroot_ = path[2]; | 457 newroot_ = path[2]; |
| 458 newrootrollover_ = path[3]; | 458 newrootrollover_ = path[3]; |
| 459 ASSERT_TRUE(newintermediate_); | 459 ASSERT_TRUE(newintermediate_); |
| 460 ASSERT_TRUE(newroot_); | 460 ASSERT_TRUE(newroot_); |
| 461 ASSERT_TRUE(newrootrollover_); | 461 ASSERT_TRUE(newrootrollover_); |
| 462 } | 462 } |
| (...skipping 627 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1090 // After the third batch of async results, path builder will attempt: | 1090 // After the third batch of async results, path builder will attempt: |
| 1091 // target <- newintermediate <- newroot which will succeed. | 1091 // target <- newintermediate <- newroot which will succeed. |
| 1092 EXPECT_TRUE(result.paths[1]->IsValid()); | 1092 EXPECT_TRUE(result.paths[1]->IsValid()); |
| 1093 const auto& path1 = result.paths[1]->path; | 1093 const auto& path1 = result.paths[1]->path; |
| 1094 ASSERT_EQ(3U, path1.certs.size()); | 1094 ASSERT_EQ(3U, path1.certs.size()); |
| 1095 EXPECT_EQ(target_, path1.certs[0]); | 1095 EXPECT_EQ(target_, path1.certs[0]); |
| 1096 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1096 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1097 EXPECT_EQ(newroot_, path1.certs[2]); | 1097 EXPECT_EQ(newroot_, path1.certs[2]); |
| 1098 } | 1098 } |
| 1099 | 1099 |
| 1100 // Test fixture for running the path builder over a simple chain, while varying | |
| 1101 // the trustedness of certain certificates. | |
| 1102 class PathBuilderDistrustTest : public ::testing::Test { | |
| 1103 public: | |
| 1104 PathBuilderDistrustTest() {} | |
| 1105 | |
| 1106 protected: | |
| 1107 void SetUp() override { | |
| 1108 // Read a simple test chain comprised of a target, intermediate, and root. | |
| 1109 ASSERT_TRUE(ReadVerifyCertChainTestFromFile( | |
| 1110 "net/data/verify_certificate_chain_unittest/target-and-intermediate/" | |
| 1111 "main.test", | |
| 1112 &test_)); | |
| 1113 ASSERT_EQ(3u, test_.chain.size()); | |
| 1114 } | |
| 1115 | |
| 1116 // Runs the path builder for the target certificate while |distrusted_cert| is | |
| 1117 // blacklisted. | |
| 1118 void RunPathBuilder(const scoped_refptr<ParsedCertificate>& distrusted_cert, | |
|
mattm
2017/05/04 02:30:01
tests might read more naturally if this was named
eroman
2017/05/04 16:34:52
Done.
| |
| 1119 CertPathBuilder::Result* result) { | |
| 1120 ASSERT_EQ(3u, test_.chain.size()); | |
| 1121 | |
| 1122 // Set up the trust store such that |distrusted_cert| is blacklisted, and | |
| 1123 // the root is trusted (except if it was |distrusted_cert|). | |
| 1124 TrustStoreInMemory trust_store; | |
| 1125 if (distrusted_cert != test_.chain.back()) | |
| 1126 trust_store.AddTrustAnchor(test_.chain.back()); | |
| 1127 if (distrusted_cert) | |
| 1128 trust_store.AddDistrustedCertificateForTest(distrusted_cert); | |
| 1129 | |
| 1130 // Add the single intermediate. | |
| 1131 CertIssuerSourceStatic intermediates; | |
| 1132 intermediates.AddCert(test_.chain[1]); | |
| 1133 | |
| 1134 SimpleSignaturePolicy signature_policy(1024); | |
| 1135 | |
| 1136 CertPathBuilder path_builder(test_.chain.front(), &trust_store, | |
| 1137 &signature_policy, test_.time, | |
| 1138 KeyPurpose::ANY_EKU, result); | |
| 1139 path_builder.AddCertIssuerSource(&intermediates); | |
| 1140 path_builder.Run(); | |
| 1141 } | |
| 1142 | |
| 1143 protected: | |
| 1144 VerifyCertChainTest test_; | |
| 1145 }; | |
| 1146 | |
| 1147 // Tests that path building fails when the target, intermediate, or root are | |
| 1148 // distrusted (but the path is otherwise valid). | |
| 1149 TEST_F(PathBuilderDistrustTest, TargetIntermediateRoot) { | |
| 1150 CertPathBuilder::Result result; | |
| 1151 // First do a control test -- path building without any blacklisted | |
| 1152 // certificates should work. | |
| 1153 RunPathBuilder(nullptr, &result); | |
| 1154 EXPECT_TRUE(result.HasValidPath()); | |
| 1155 { | |
| 1156 // The built path should be identical the the one read from disk. | |
| 1157 const auto& path = result.GetBestValidPath()->path; | |
| 1158 ASSERT_EQ(test_.chain.size(), path.certs.size()); | |
| 1159 for (size_t i = 0; i < test_.chain.size(); ++i) | |
| 1160 EXPECT_EQ(test_.chain[i], path.certs[i]); | |
| 1161 } | |
| 1162 | |
| 1163 // Try path building when only the target is blacklisted - should fail. | |
| 1164 RunPathBuilder(test_.chain[0], &result); | |
| 1165 { | |
| 1166 EXPECT_FALSE(result.HasValidPath()); | |
| 1167 ASSERT_LT(result.best_result_index, result.paths.size()); | |
| 1168 const auto& best_path = result.paths[result.best_result_index]; | |
| 1169 | |
| 1170 // The built chain has length 1 since path building stopped once | |
| 1171 // it encountered the blacklisted certificate (target). | |
| 1172 ASSERT_EQ(1u, best_path->path.certs.size()); | |
| 1173 EXPECT_EQ(best_path->path.certs[0], test_.chain[0]); | |
| 1174 EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); | |
| 1175 best_path->errors.ContainsError(kCertIsDistrusted); | |
| 1176 } | |
| 1177 | |
| 1178 // Try path building when only the intermediate is blacklisted - should fail. | |
| 1179 RunPathBuilder(test_.chain[1], &result); | |
| 1180 { | |
| 1181 EXPECT_FALSE(result.HasValidPath()); | |
| 1182 ASSERT_LT(result.best_result_index, result.paths.size()); | |
| 1183 const auto& best_path = result.paths[result.best_result_index]; | |
| 1184 | |
| 1185 // The built chain has length 2 since path building stopped once | |
| 1186 // it encountered the blacklisted certificate (intermediate). | |
| 1187 ASSERT_EQ(2u, best_path->path.certs.size()); | |
| 1188 EXPECT_EQ(best_path->path.certs[0], test_.chain[0]); | |
| 1189 EXPECT_EQ(best_path->path.certs[1], test_.chain[1]); | |
| 1190 EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); | |
| 1191 best_path->errors.ContainsError(kCertIsDistrusted); | |
| 1192 } | |
| 1193 | |
| 1194 // Try path building when only the root is blacklisted - should fail. | |
| 1195 RunPathBuilder(test_.chain[2], &result); | |
| 1196 { | |
| 1197 EXPECT_FALSE(result.HasValidPath()); | |
| 1198 ASSERT_LT(result.best_result_index, result.paths.size()); | |
| 1199 const auto& best_path = result.paths[result.best_result_index]; | |
| 1200 | |
| 1201 // The built chain has length 3 since path building stopped once | |
| 1202 // it encountered the blacklisted certificate (root). | |
| 1203 ASSERT_EQ(3u, best_path->path.certs.size()); | |
| 1204 EXPECT_EQ(best_path->path.certs[0], test_.chain[0]); | |
| 1205 EXPECT_EQ(best_path->path.certs[1], test_.chain[1]); | |
| 1206 EXPECT_EQ(best_path->path.certs[2], test_.chain[2]); | |
| 1207 EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); | |
| 1208 best_path->errors.ContainsError(kCertIsDistrusted); | |
| 1209 } | |
| 1210 } | |
| 1211 | |
| 1100 } // namespace | 1212 } // namespace |
| 1101 | 1213 |
| 1102 } // namespace net | 1214 } // namespace net |
| OLD | NEW |
