| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include "base/base_paths.h" | 7 #include "base/base_paths.h" |
| 8 #include "base/files/file_util.h" | 8 #include "base/files/file_util.h" |
| 9 #include "base/path_service.h" | 9 #include "base/path_service.h" |
| 10 #include "net/cert/internal/cert_issuer_source_static.h" | 10 #include "net/cert/internal/cert_issuer_source_static.h" |
| (...skipping 415 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 426 } | 426 } |
| 427 | 427 |
| 428 class PathBuilderKeyRolloverTest : public ::testing::Test { | 428 class PathBuilderKeyRolloverTest : public ::testing::Test { |
| 429 public: | 429 public: |
| 430 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} | 430 PathBuilderKeyRolloverTest() : signature_policy_(1024) {} |
| 431 | 431 |
| 432 void SetUp() override { | 432 void SetUp() override { |
| 433 ParsedCertificateList path; | 433 ParsedCertificateList path; |
| 434 | 434 |
| 435 VerifyCertChainTest test; | 435 VerifyCertChainTest test; |
| 436 ReadVerifyCertChainTestFromFile( | 436 ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| 437 "net/data/verify_certificate_chain_unittest/key-rollover/oldchain.test", | 437 "net/data/verify_certificate_chain_unittest/key-rollover/oldchain.test", |
| 438 &test); | 438 &test)); |
| 439 path = test.chain; | 439 path = test.chain; |
| 440 ASSERT_EQ(3U, path.size()); | 440 ASSERT_EQ(3U, path.size()); |
| 441 target_ = path[0]; | 441 target_ = path[0]; |
| 442 oldintermediate_ = path[1]; | 442 oldintermediate_ = path[1]; |
| 443 oldroot_ = path[2]; | 443 oldroot_ = path[2]; |
| 444 time_ = test.time; | 444 time_ = test.time; |
| 445 | 445 |
| 446 ASSERT_TRUE(target_); | 446 ASSERT_TRUE(target_); |
| 447 ASSERT_TRUE(oldintermediate_); | 447 ASSERT_TRUE(oldintermediate_); |
| 448 | 448 |
| 449 ReadVerifyCertChainTestFromFile( | 449 ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| 450 "net/data/verify_certificate_chain_unittest/" | 450 "net/data/verify_certificate_chain_unittest/" |
| 451 "key-rollover/longrolloverchain.test", | 451 "key-rollover/longrolloverchain.test", |
| 452 &test); | 452 &test)); |
| 453 path = test.chain; | 453 path = test.chain; |
| 454 | 454 |
| 455 ASSERT_EQ(5U, path.size()); | 455 ASSERT_EQ(5U, path.size()); |
| 456 newintermediate_ = path[1]; | 456 newintermediate_ = path[1]; |
| 457 newroot_ = path[2]; | 457 newroot_ = path[2]; |
| 458 newrootrollover_ = path[3]; | 458 newrootrollover_ = path[3]; |
| 459 ASSERT_TRUE(newintermediate_); | 459 ASSERT_TRUE(newintermediate_); |
| 460 ASSERT_TRUE(newroot_); | 460 ASSERT_TRUE(newroot_); |
| 461 ASSERT_TRUE(newrootrollover_); | 461 ASSERT_TRUE(newrootrollover_); |
| 462 } | 462 } |
| (...skipping 627 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1090 // After the third batch of async results, path builder will attempt: | 1090 // After the third batch of async results, path builder will attempt: |
| 1091 // target <- newintermediate <- newroot which will succeed. | 1091 // target <- newintermediate <- newroot which will succeed. |
| 1092 EXPECT_TRUE(result.paths[1]->IsValid()); | 1092 EXPECT_TRUE(result.paths[1]->IsValid()); |
| 1093 const auto& path1 = result.paths[1]->path; | 1093 const auto& path1 = result.paths[1]->path; |
| 1094 ASSERT_EQ(3U, path1.certs.size()); | 1094 ASSERT_EQ(3U, path1.certs.size()); |
| 1095 EXPECT_EQ(target_, path1.certs[0]); | 1095 EXPECT_EQ(target_, path1.certs[0]); |
| 1096 EXPECT_EQ(newintermediate_, path1.certs[1]); | 1096 EXPECT_EQ(newintermediate_, path1.certs[1]); |
| 1097 EXPECT_EQ(newroot_, path1.certs[2]); | 1097 EXPECT_EQ(newroot_, path1.certs[2]); |
| 1098 } | 1098 } |
| 1099 | 1099 |
| 1100 // Test fixture for running the path builder over a simple chain, while varying |
| 1101 // the trustedness of certain certificates. |
| 1102 class PathBuilderDistrustTest : public ::testing::Test { |
| 1103 public: |
| 1104 PathBuilderDistrustTest() {} |
| 1105 |
| 1106 protected: |
| 1107 void SetUp() override { |
| 1108 // Read a simple test chain comprised of a target, intermediate, and root. |
| 1109 ASSERT_TRUE(ReadVerifyCertChainTestFromFile( |
| 1110 "net/data/verify_certificate_chain_unittest/target-and-intermediate/" |
| 1111 "main.test", |
| 1112 &test_)); |
| 1113 ASSERT_EQ(3u, test_.chain.size()); |
| 1114 } |
| 1115 |
| 1116 // Runs the path builder for the target certificate while |distrusted_cert| is |
| 1117 // blacklisted. |
| 1118 void RunPathBuilderWithDistrustedCert( |
| 1119 const scoped_refptr<ParsedCertificate>& distrusted_cert, |
| 1120 CertPathBuilder::Result* result) { |
| 1121 ASSERT_EQ(3u, test_.chain.size()); |
| 1122 |
| 1123 // Set up the trust store such that |distrusted_cert| is blacklisted, and |
| 1124 // the root is trusted (except if it was |distrusted_cert|). |
| 1125 TrustStoreInMemory trust_store; |
| 1126 if (distrusted_cert != test_.chain.back()) |
| 1127 trust_store.AddTrustAnchor(test_.chain.back()); |
| 1128 if (distrusted_cert) |
| 1129 trust_store.AddDistrustedCertificateForTest(distrusted_cert); |
| 1130 |
| 1131 // Add the single intermediate. |
| 1132 CertIssuerSourceStatic intermediates; |
| 1133 intermediates.AddCert(test_.chain[1]); |
| 1134 |
| 1135 SimpleSignaturePolicy signature_policy(1024); |
| 1136 |
| 1137 CertPathBuilder path_builder(test_.chain.front(), &trust_store, |
| 1138 &signature_policy, test_.time, |
| 1139 KeyPurpose::ANY_EKU, result); |
| 1140 path_builder.AddCertIssuerSource(&intermediates); |
| 1141 path_builder.Run(); |
| 1142 } |
| 1143 |
| 1144 protected: |
| 1145 VerifyCertChainTest test_; |
| 1146 }; |
| 1147 |
| 1148 // Tests that path building fails when the target, intermediate, or root are |
| 1149 // distrusted (but the path is otherwise valid). |
| 1150 TEST_F(PathBuilderDistrustTest, TargetIntermediateRoot) { |
| 1151 CertPathBuilder::Result result; |
| 1152 // First do a control test -- path building without any blacklisted |
| 1153 // certificates should work. |
| 1154 RunPathBuilderWithDistrustedCert(nullptr, &result); |
| 1155 { |
| 1156 EXPECT_TRUE(result.HasValidPath()); |
| 1157 // The built path should be identical the the one read from disk. |
| 1158 const auto& path = result.GetBestValidPath()->path; |
| 1159 ASSERT_EQ(test_.chain.size(), path.certs.size()); |
| 1160 for (size_t i = 0; i < test_.chain.size(); ++i) |
| 1161 EXPECT_EQ(test_.chain[i], path.certs[i]); |
| 1162 } |
| 1163 |
| 1164 // Try path building when only the target is blacklisted - should fail. |
| 1165 RunPathBuilderWithDistrustedCert(test_.chain[0], &result); |
| 1166 { |
| 1167 EXPECT_FALSE(result.HasValidPath()); |
| 1168 ASSERT_LT(result.best_result_index, result.paths.size()); |
| 1169 const auto& best_path = result.paths[result.best_result_index]; |
| 1170 |
| 1171 // The built chain has length 1 since path building stopped once |
| 1172 // it encountered the blacklisted certificate (target). |
| 1173 ASSERT_EQ(1u, best_path->path.certs.size()); |
| 1174 EXPECT_EQ(best_path->path.certs[0], test_.chain[0]); |
| 1175 EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); |
| 1176 best_path->errors.ContainsError(kCertIsDistrusted); |
| 1177 } |
| 1178 |
| 1179 // Try path building when only the intermediate is blacklisted - should fail. |
| 1180 RunPathBuilderWithDistrustedCert(test_.chain[1], &result); |
| 1181 { |
| 1182 EXPECT_FALSE(result.HasValidPath()); |
| 1183 ASSERT_LT(result.best_result_index, result.paths.size()); |
| 1184 const auto& best_path = result.paths[result.best_result_index]; |
| 1185 |
| 1186 // The built chain has length 2 since path building stopped once |
| 1187 // it encountered the blacklisted certificate (intermediate). |
| 1188 ASSERT_EQ(2u, best_path->path.certs.size()); |
| 1189 EXPECT_EQ(best_path->path.certs[0], test_.chain[0]); |
| 1190 EXPECT_EQ(best_path->path.certs[1], test_.chain[1]); |
| 1191 EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); |
| 1192 best_path->errors.ContainsError(kCertIsDistrusted); |
| 1193 } |
| 1194 |
| 1195 // Try path building when only the root is blacklisted - should fail. |
| 1196 RunPathBuilderWithDistrustedCert(test_.chain[2], &result); |
| 1197 { |
| 1198 EXPECT_FALSE(result.HasValidPath()); |
| 1199 ASSERT_LT(result.best_result_index, result.paths.size()); |
| 1200 const auto& best_path = result.paths[result.best_result_index]; |
| 1201 |
| 1202 // The built chain has length 3 since path building stopped once |
| 1203 // it encountered the blacklisted certificate (root). |
| 1204 ASSERT_EQ(3u, best_path->path.certs.size()); |
| 1205 EXPECT_EQ(best_path->path.certs[0], test_.chain[0]); |
| 1206 EXPECT_EQ(best_path->path.certs[1], test_.chain[1]); |
| 1207 EXPECT_EQ(best_path->path.certs[2], test_.chain[2]); |
| 1208 EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); |
| 1209 best_path->errors.ContainsError(kCertIsDistrusted); |
| 1210 } |
| 1211 } |
| 1212 |
| 1100 } // namespace | 1213 } // namespace |
| 1101 | 1214 |
| 1102 } // namespace net | 1215 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2854263004:
Add tests for PathBuilder when certificates are distrusted. (Closed)
