OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
6 | 6 |
7 #include "net/cert/internal/parsed_certificate.h" | 7 #include "net/cert/internal/parsed_certificate.h" |
8 #include "net/cert/internal/signature_policy.h" | 8 #include "net/cert/internal/signature_policy.h" |
9 #include "net/cert/internal/trust_store.h" | 9 #include "net/cert/internal/trust_store.h" |
10 #include "net/der/input.h" | 10 #include "net/der/input.h" |
40 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 40 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
41 | 41 |
42 #include "net/cert/internal/nist_pkits_unittest.h" | 42 #include "net/cert/internal/nist_pkits_unittest.h" |
43 | 43 |
44 namespace net { | 44 namespace net { |
45 | 45 |
46 namespace { | 46 namespace { |
47 | 47 |
48 class VerifyCertificateChainPkitsTestDelegate { | 48 class VerifyCertificateChainPkitsTestDelegate { |
49 public: | 49 public: |
50 static bool Verify(std::vector<std::string> cert_ders, | 50 static void RunTest(std::vector<std::string> cert_ders, |
51 std::vector<std::string> crl_ders, | 51 std::vector<std::string> crl_ders, |
52 const PkitsTestSettings& settings) { | 52 const PkitsTestInfo& info) { |
53 if (cert_ders.empty()) { | 53 ASSERT_FALSE(cert_ders.empty()); |
54 ADD_FAILURE() << "cert_ders is empty"; | |
55 return false; | |
56 } | |
57 | 54 |
58 // PKITS lists chains from trust anchor to target, whereas | 55 // PKITS lists chains from trust anchor to target, whereas |
59 // VerifyCertificateChain takes them starting with the target and ending | 56 // VerifyCertificateChain takes them starting with the target and ending |
60 // with the trust anchor. | 57 // with the trust anchor. |
61 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | 58 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; |
62 CertErrors parsing_errors; | 59 CertErrors parsing_errors; |
63 for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) { | 60 for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) { |
64 if (!net::ParsedCertificate::CreateAndAddToVector( | 61 ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector( |
65 bssl::UniquePtr<CRYPTO_BUFFER>( | 62 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( |
66 CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(i->data()), | 63 reinterpret_cast<const uint8_t*>(i->data()), i->size(), nullptr)), |
67 i->size(), nullptr)), | 64 {}, &input_chain, &parsing_errors)) |
68 {}, &input_chain, &parsing_errors)) { | 65 << parsing_errors.ToDebugString(); |
69 ADD_FAILURE() << "Cert failed to parse:\n" | |
70 << parsing_errors.ToDebugString(); | |
71 return false; | |
72 } | |
73 } | 66 } |
74 | 67 |
75 SimpleSignaturePolicy signature_policy(1024); | 68 SimpleSignaturePolicy signature_policy(1024); |
76 | 69 |
77 // Run all tests at the time the PKITS was published. | |
78 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; | |
79 | |
80 CertPathErrors path_errors; | 70 CertPathErrors path_errors; |
81 VerifyCertificateChain(input_chain, CertificateTrust::ForTrustAnchor(), | 71 VerifyCertificateChain(input_chain, CertificateTrust::ForTrustAnchor(), |
82 &signature_policy, time, KeyPurpose::ANY_EKU, | 72 &signature_policy, info.time, KeyPurpose::ANY_EKU, |
83 &path_errors); | 73 &path_errors); |
| 74 bool did_succeed = !path_errors.ContainsHighSeverityErrors(); |
84 | 75 |
85 // TODO(crbug.com/634443): Test errors on failure? | 76 // TODO(crbug.com/634443): Test errors on failure? |
86 return !path_errors.ContainsHighSeverityErrors(); | 77 if (info.should_validate != did_succeed) { |
| 78 ASSERT_EQ(info.should_validate, did_succeed) |
| 79 << path_errors.ToDebugString(input_chain); |
| 80 } |
87 } | 81 } |
88 }; | 82 }; |
89 | 83 |
90 } // namespace | 84 } // namespace |
91 | 85 |
92 class PkitsTest01SignatureVerificationCustom | 86 class PkitsTest01SignatureVerificationCustom |
93 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 87 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; |
94 | 88 |
95 // Modified version of 4.1.4 Valid DSA Signatures Test4 | 89 // Modified version of 4.1.4 Valid DSA Signatures Test4 |
96 TEST_F(PkitsTest01SignatureVerificationCustom, | 90 TEST_F(PkitsTest01SignatureVerificationCustom, |
97 Section1ValidDSASignaturesTest4Custom) { | 91 Section1ValidDSASignaturesTest4Custom) { |
98 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 92 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
99 "ValidDSASignaturesTest4EE"}; | 93 "ValidDSASignaturesTest4EE"}; |
100 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | 94 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; |
101 // DSA signatures are intentionally unsupported. | 95 // DSA signatures are intentionally unsupported. |
102 ASSERT_FALSE(this->Verify(certs, crls, {})); | 96 PkitsTestInfo info; |
| 97 info.should_validate = false; |
| 98 |
| 99 this->RunTest(certs, crls, info); |
103 } | 100 } |
104 | 101 |
105 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | 102 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 |
106 TEST_F(PkitsTest01SignatureVerificationCustom, | 103 TEST_F(PkitsTest01SignatureVerificationCustom, |
107 Section1ValidDSAParameterInheritanceTest5Custom) { | 104 Section1ValidDSAParameterInheritanceTest5Custom) { |
108 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | 105 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
109 "DSAParametersInheritedCACert", | 106 "DSAParametersInheritedCACert", |
110 "ValidDSAParameterInheritanceTest5EE"}; | 107 "ValidDSAParameterInheritanceTest5EE"}; |
111 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | 108 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", |
112 "DSAParametersInheritedCACRL"}; | 109 "DSAParametersInheritedCACRL"}; |
113 // DSA signatures are intentionally unsupported. | 110 // DSA signatures are intentionally unsupported. |
114 ASSERT_FALSE(this->Verify(certs, crls, {})); | 111 PkitsTestInfo info; |
| 112 info.should_validate = false; |
| 113 |
| 114 this->RunTest(certs, crls, info); |
115 } | 115 } |
116 | 116 |
117 class PkitsTest13SignatureVerificationCustom | 117 class PkitsTest13SignatureVerificationCustom |
118 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 118 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; |
119 | 119 |
120 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | 120 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 |
121 TEST_F(PkitsTest13SignatureVerificationCustom, | 121 TEST_F(PkitsTest13SignatureVerificationCustom, |
122 Section13ValidRFC822nameConstraintsTest21Custom) { | 122 Section13ValidRFC822nameConstraintsTest21Custom) { |
123 const char* const certs[] = {"TrustAnchorRootCertificate", | 123 const char* const certs[] = {"TrustAnchorRootCertificate", |
124 "nameConstraintsRFC822CA1Cert", | 124 "nameConstraintsRFC822CA1Cert", |
125 "ValidRFC822nameConstraintsTest21EE"}; | 125 "ValidRFC822nameConstraintsTest21EE"}; |
126 const char* const crls[] = {"TrustAnchorRootCRL", | 126 const char* const crls[] = {"TrustAnchorRootCRL", |
127 "nameConstraintsRFC822CA1CRL"}; | 127 "nameConstraintsRFC822CA1CRL"}; |
128 // Name constraints on rfc822Names are not supported. | 128 // Name constraints on rfc822Names are not supported. |
129 ASSERT_FALSE(this->Verify(certs, crls, {})); | 129 PkitsTestInfo info; |
| 130 info.should_validate = false; |
| 131 |
| 132 this->RunTest(certs, crls, info); |
130 } | 133 } |
131 | 134 |
132 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | 135 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 |
133 TEST_F(PkitsTest13SignatureVerificationCustom, | 136 TEST_F(PkitsTest13SignatureVerificationCustom, |
134 Section13ValidRFC822nameConstraintsTest23Custom) { | 137 Section13ValidRFC822nameConstraintsTest23Custom) { |
135 const char* const certs[] = {"TrustAnchorRootCertificate", | 138 const char* const certs[] = {"TrustAnchorRootCertificate", |
136 "nameConstraintsRFC822CA2Cert", | 139 "nameConstraintsRFC822CA2Cert", |
137 "ValidRFC822nameConstraintsTest23EE"}; | 140 "ValidRFC822nameConstraintsTest23EE"}; |
138 const char* const crls[] = {"TrustAnchorRootCRL", | 141 const char* const crls[] = {"TrustAnchorRootCRL", |
139 "nameConstraintsRFC822CA2CRL"}; | 142 "nameConstraintsRFC822CA2CRL"}; |
140 // Name constraints on rfc822Names are not supported. | 143 // Name constraints on rfc822Names are not supported. |
141 ASSERT_FALSE(this->Verify(certs, crls, {})); | 144 PkitsTestInfo info; |
| 145 info.should_validate = false; |
| 146 |
| 147 this->RunTest(certs, crls, info); |
142 } | 148 } |
143 | 149 |
144 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | 150 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 |
145 TEST_F(PkitsTest13SignatureVerificationCustom, | 151 TEST_F(PkitsTest13SignatureVerificationCustom, |
146 Section13ValidRFC822nameConstraintsTest25Custom) { | 152 Section13ValidRFC822nameConstraintsTest25Custom) { |
147 const char* const certs[] = {"TrustAnchorRootCertificate", | 153 const char* const certs[] = {"TrustAnchorRootCertificate", |
148 "nameConstraintsRFC822CA3Cert", | 154 "nameConstraintsRFC822CA3Cert", |
149 "ValidRFC822nameConstraintsTest25EE"}; | 155 "ValidRFC822nameConstraintsTest25EE"}; |
150 const char* const crls[] = {"TrustAnchorRootCRL", | 156 const char* const crls[] = {"TrustAnchorRootCRL", |
151 "nameConstraintsRFC822CA3CRL"}; | 157 "nameConstraintsRFC822CA3CRL"}; |
152 // Name constraints on rfc822Names are not supported. | 158 // Name constraints on rfc822Names are not supported. |
153 ASSERT_FALSE(this->Verify(certs, crls, {})); | 159 PkitsTestInfo info; |
| 160 info.should_validate = false; |
| 161 |
| 162 this->RunTest(certs, crls, info); |
154 } | 163 } |
155 | 164 |
156 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | 165 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 |
157 TEST_F(PkitsTest13SignatureVerificationCustom, | 166 TEST_F(PkitsTest13SignatureVerificationCustom, |
158 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | 167 Section13ValidDNandRFC822nameConstraintsTest27Custom) { |
159 const char* const certs[] = {"TrustAnchorRootCertificate", | 168 const char* const certs[] = {"TrustAnchorRootCertificate", |
160 "nameConstraintsDN1CACert", | 169 "nameConstraintsDN1CACert", |
161 "nameConstraintsDN1subCA3Cert", | 170 "nameConstraintsDN1subCA3Cert", |
162 "ValidDNandRFC822nameConstraintsTest27EE"}; | 171 "ValidDNandRFC822nameConstraintsTest27EE"}; |
163 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | 172 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", |
164 "nameConstraintsDN1subCA3CRL"}; | 173 "nameConstraintsDN1subCA3CRL"}; |
165 // Name constraints on rfc822Names are not supported. | 174 // Name constraints on rfc822Names are not supported. |
166 ASSERT_FALSE(this->Verify(certs, crls, {})); | 175 PkitsTestInfo info; |
| 176 info.should_validate = false; |
| 177 |
| 178 this->RunTest(certs, crls, info); |
167 } | 179 } |
168 | 180 |
169 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | 181 // Modified version of 4.13.34 Valid URI nameConstraints Test34 |
170 TEST_F(PkitsTest13SignatureVerificationCustom, | 182 TEST_F(PkitsTest13SignatureVerificationCustom, |
171 Section13ValidURInameConstraintsTest34Custom) { | 183 Section13ValidURInameConstraintsTest34Custom) { |
172 const char* const certs[] = {"TrustAnchorRootCertificate", | 184 const char* const certs[] = {"TrustAnchorRootCertificate", |
173 "nameConstraintsURI1CACert", | 185 "nameConstraintsURI1CACert", |
174 "ValidURInameConstraintsTest34EE"}; | 186 "ValidURInameConstraintsTest34EE"}; |
175 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | 187 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; |
176 // Name constraints on uniformResourceIdentifiers are not supported. | 188 // Name constraints on uniformResourceIdentifiers are not supported. |
177 ASSERT_FALSE(this->Verify(certs, crls, {})); | 189 PkitsTestInfo info; |
| 190 info.should_validate = false; |
| 191 |
| 192 this->RunTest(certs, crls, info); |
178 } | 193 } |
179 | 194 |
180 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | 195 // Modified version of 4.13.36 Valid URI nameConstraints Test36 |
181 TEST_F(PkitsTest13SignatureVerificationCustom, | 196 TEST_F(PkitsTest13SignatureVerificationCustom, |
182 Section13ValidURInameConstraintsTest36Custom) { | 197 Section13ValidURInameConstraintsTest36Custom) { |
183 const char* const certs[] = {"TrustAnchorRootCertificate", | 198 const char* const certs[] = {"TrustAnchorRootCertificate", |
184 "nameConstraintsURI2CACert", | 199 "nameConstraintsURI2CACert", |
185 "ValidURInameConstraintsTest36EE"}; | 200 "ValidURInameConstraintsTest36EE"}; |
186 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | 201 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; |
187 // Name constraints on uniformResourceIdentifiers are not supported. | 202 // Name constraints on uniformResourceIdentifiers are not supported. |
188 ASSERT_FALSE(this->Verify(certs, crls, {})); | 203 PkitsTestInfo info; |
| 204 info.should_validate = false; |
| 205 |
| 206 this->RunTest(certs, crls, info); |
189 } | 207 } |
190 | 208 |
191 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 209 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
192 PkitsTest01SignatureVerification, | 210 PkitsTest01SignatureVerification, |
193 VerifyCertificateChainPkitsTestDelegate); | 211 VerifyCertificateChainPkitsTestDelegate); |
194 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 212 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
195 PkitsTest02ValidityPeriods, | 213 PkitsTest02ValidityPeriods, |
196 VerifyCertificateChainPkitsTestDelegate); | 214 VerifyCertificateChainPkitsTestDelegate); |
197 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 215 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
198 PkitsTest03VerifyingNameChaining, | 216 PkitsTest03VerifyingNameChaining, |
212 | 230 |
213 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 231 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
214 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 232 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
215 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 233 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
216 | 234 |
217 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, | 235 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, |
218 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, | 236 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, |
219 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy | 237 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy |
220 | 238 |
221 } // namespace net | 239 } // namespace net |
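Review bot: The custom negative tests (every `info.should_validate = false` case, for DSA and for rfc822/URI name constraints) pass on any high-severity error from `VerifyCertificateChain`, so they cannot tell the intended rejection from an unrelated one. This matters more now that the verification time comes from `info.time` rather than the hard-coded `{2011, 4, 15, 0, 0, 0}`. The default value of `PkitsTestInfo::time` is not visible on this page, and if it is not the PKITS publication date these chains could fail on validity alone while the tests still pass. I would either set `info.time` explicitly in these tests or add `// Relies on PkitsTestInfo defaulting |time| to the PKITS publication date.` next to each `PkitsTestInfo info;`, until the TODO for crbug.com/634443 pins the expected errors. Separately, in `RunTest` the `if (info.should_validate != did_succeed)` wrapper around `ASSERT_EQ` looks redundant, since gtest evaluates the streamed `path_errors.ToDebugString(input_chain)` only when the assertion fails.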