| OLD | NEW |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
| 6 | 6 |
| 7 #include "net/cert/internal/parsed_certificate.h" | 7 #include "net/cert/internal/parsed_certificate.h" |
| 8 #include "net/cert/internal/signature_policy.h" | 8 #include "net/cert/internal/signature_policy.h" |
| 9 #include "net/cert/internal/trust_store.h" | 9 #include "net/cert/internal/trust_store.h" |
| 10 #include "net/der/input.h" | 10 #include "net/der/input.h" |
| 11 #include "third_party/boringssl/src/include/openssl/pool.h" | 11 #include "third_party/boringssl/src/include/openssl/pool.h" |
| 12 | 12 |
| 13 // Disable tests that require DSA signatures (DSA signatures are intentionally | |
| 14 // unsupported). Custom versions of the DSA tests are defined below which expect | |
| 15 // verification to fail. | |
| 16 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 | |
| 17 #define Section1ValidDSAParameterInheritanceTest5 \ | |
| 18 DISABLED_Section1ValidDSAParameterInheritanceTest5 | |
| 19 | |
| 20 // Disable tests that require name constraints with name types that are | |
| 21 // intentionally unsupported. Custom versions of the tests are defined below | |
| 22 // which expect verification to fail. | |
| 23 #define Section13ValidRFC822nameConstraintsTest21 \ | |
| 24 DISABLED_Section13ValidRFC822nameConstraintsTest21 | |
| 25 #define Section13ValidRFC822nameConstraintsTest23 \ | |
| 26 DISABLED_Section13ValidRFC822nameConstraintsTest23 | |
| 27 #define Section13ValidRFC822nameConstraintsTest25 \ | |
| 28 DISABLED_Section13ValidRFC822nameConstraintsTest25 | |
| 29 #define Section13ValidDNandRFC822nameConstraintsTest27 \ | |
| 30 DISABLED_Section13ValidDNandRFC822nameConstraintsTest27 | |
| 31 #define Section13ValidURInameConstraintsTest34 \ | |
| 32 DISABLED_Section13ValidURInameConstraintsTest34 | |
| 33 #define Section13ValidURInameConstraintsTest36 \ | |
| 34 DISABLED_Section13ValidURInameConstraintsTest36 | |
| 35 | |
| 36 // TODO(mattm): these require CRL support: | 13 // TODO(mattm): these require CRL support: |
| 37 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ | 14 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ |
| 38 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 | 15 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
| 39 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ | 16 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ |
| 40 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 17 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
| 41 | 18 |
| 42 #include "net/cert/internal/nist_pkits_unittest.h" | 19 #include "net/cert/internal/nist_pkits_unittest.h" |
| 43 | 20 |
| 44 namespace net { | 21 namespace net { |
| 45 | 22 |
| 71 | 48 |
| 72 CertPathErrors path_errors; | 49 CertPathErrors path_errors; |
| 73 VerifyCertificateChain( | 50 VerifyCertificateChain( |
| 74 input_chain, CertificateTrust::ForTrustAnchor(), &signature_policy, | 51 input_chain, CertificateTrust::ForTrustAnchor(), &signature_policy, |
| 75 info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy, | 52 info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy, |
| 76 info.initial_policy_set, info.initial_policy_mapping_inhibit, | 53 info.initial_policy_set, info.initial_policy_mapping_inhibit, |
| 77 info.initial_inhibit_any_policy, &user_constrained_policy_set, | 54 info.initial_inhibit_any_policy, &user_constrained_policy_set, |
| 78 &path_errors); | 55 &path_errors); |
| 79 bool did_succeed = !path_errors.ContainsHighSeverityErrors(); | 56 bool did_succeed = !path_errors.ContainsHighSeverityErrors(); |
| 80 | 57 |
| 58 EXPECT_EQ(info.should_validate, did_succeed); |
| 81 EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set); | 59 EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set); |
| 82 | 60 |
| 83 // TODO(crbug.com/634443): Test errors on failure? | 61 // Check that the errors match expectations. The errors are saved in a |
| 84 if (info.should_validate != did_succeed) { | 62 // parallel file, as they don't apply generically to the third_party |
| 85 ASSERT_EQ(info.should_validate, did_succeed) | 63 // PKITS data. |
| 86 << path_errors.ToDebugString(input_chain); | 64 if (!info.should_validate && !did_succeed) { |
| 65 std::string errors_file_path = |
| 66 std::string( |
| 67 "net/data/verify_certificate_chain_unittest/pkits_errors/") + |
| 68 info.test_number + std::string(".txt"); |
| 69 |
| 70 std::string expected_errors = ReadTestFileToString(errors_file_path); |
| 71 |
| 72 // Check that the errors match. |
| 73 VerifyCertPathErrors(expected_errors, path_errors, input_chain, |
| 74 errors_file_path); |
| 75 } else if (!did_succeed) { |
| 76 // If it failed and wasn't supposed to fail, print the errors. |
| 77 EXPECT_EQ("", path_errors.ToDebugString(input_chain)); |
| 87 } | 78 } |
| 88 } | 79 } |
| 89 }; | 80 }; |
| 90 | 81 |
| 91 } // namespace | 82 } // namespace |
| 92 | 83 |
| 93 class PkitsTest01SignatureVerificationCustom | |
| 94 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | |
| 95 | |
| 96 // Modified version of 4.1.4 Valid DSA Signatures Test4 | |
| 97 TEST_F(PkitsTest01SignatureVerificationCustom, | |
| 98 Section1ValidDSASignaturesTest4Custom) { | |
| 99 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | |
| 100 "ValidDSASignaturesTest4EE"}; | |
| 101 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | |
| 102 // DSA signatures are intentionally unsupported. | |
| 103 PkitsTestInfo info; | |
| 104 info.should_validate = false; | |
| 105 | |
| 106 this->RunTest(certs, crls, info); | |
| 107 } | |
| 108 | |
| 109 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | |
| 110 TEST_F(PkitsTest01SignatureVerificationCustom, | |
| 111 Section1ValidDSAParameterInheritanceTest5Custom) { | |
| 112 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | |
| 113 "DSAParametersInheritedCACert", | |
| 114 "ValidDSAParameterInheritanceTest5EE"}; | |
| 115 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | |
| 116 "DSAParametersInheritedCACRL"}; | |
| 117 // DSA signatures are intentionally unsupported. | |
| 118 PkitsTestInfo info; | |
| 119 info.should_validate = false; | |
| 120 | |
| 121 this->RunTest(certs, crls, info); | |
| 122 } | |
| 123 | |
| 124 class PkitsTest13SignatureVerificationCustom | |
| 125 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | |
| 126 | |
| 127 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | |
| 128 TEST_F(PkitsTest13SignatureVerificationCustom, | |
| 129 Section13ValidRFC822nameConstraintsTest21Custom) { | |
| 130 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 131 "nameConstraintsRFC822CA1Cert", | |
| 132 "ValidRFC822nameConstraintsTest21EE"}; | |
| 133 const char* const crls[] = {"TrustAnchorRootCRL", | |
| 134 "nameConstraintsRFC822CA1CRL"}; | |
| 135 // Name constraints on rfc822Names are not supported. | |
| 136 PkitsTestInfo info; | |
| 137 info.should_validate = false; | |
| 138 | |
| 139 this->RunTest(certs, crls, info); | |
| 140 } | |
| 141 | |
| 142 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | |
| 143 TEST_F(PkitsTest13SignatureVerificationCustom, | |
| 144 Section13ValidRFC822nameConstraintsTest23Custom) { | |
| 145 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 146 "nameConstraintsRFC822CA2Cert", | |
| 147 "ValidRFC822nameConstraintsTest23EE"}; | |
| 148 const char* const crls[] = {"TrustAnchorRootCRL", | |
| 149 "nameConstraintsRFC822CA2CRL"}; | |
| 150 // Name constraints on rfc822Names are not supported. | |
| 151 PkitsTestInfo info; | |
| 152 info.should_validate = false; | |
| 153 | |
| 154 this->RunTest(certs, crls, info); | |
| 155 } | |
| 156 | |
| 157 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | |
| 158 TEST_F(PkitsTest13SignatureVerificationCustom, | |
| 159 Section13ValidRFC822nameConstraintsTest25Custom) { | |
| 160 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 161 "nameConstraintsRFC822CA3Cert", | |
| 162 "ValidRFC822nameConstraintsTest25EE"}; | |
| 163 const char* const crls[] = {"TrustAnchorRootCRL", | |
| 164 "nameConstraintsRFC822CA3CRL"}; | |
| 165 // Name constraints on rfc822Names are not supported. | |
| 166 PkitsTestInfo info; | |
| 167 info.should_validate = false; | |
| 168 | |
| 169 this->RunTest(certs, crls, info); | |
| 170 } | |
| 171 | |
| 172 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | |
| 173 TEST_F(PkitsTest13SignatureVerificationCustom, | |
| 174 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | |
| 175 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 176 "nameConstraintsDN1CACert", | |
| 177 "nameConstraintsDN1subCA3Cert", | |
| 178 "ValidDNandRFC822nameConstraintsTest27EE"}; | |
| 179 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | |
| 180 "nameConstraintsDN1subCA3CRL"}; | |
| 181 // Name constraints on rfc822Names are not supported. | |
| 182 PkitsTestInfo info; | |
| 183 info.should_validate = false; | |
| 184 | |
| 185 this->RunTest(certs, crls, info); | |
| 186 } | |
| 187 | |
| 188 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | |
| 189 TEST_F(PkitsTest13SignatureVerificationCustom, | |
| 190 Section13ValidURInameConstraintsTest34Custom) { | |
| 191 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 192 "nameConstraintsURI1CACert", | |
| 193 "ValidURInameConstraintsTest34EE"}; | |
| 194 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | |
| 195 // Name constraints on uniformResourceIdentifiers are not supported. | |
| 196 PkitsTestInfo info; | |
| 197 info.should_validate = false; | |
| 198 | |
| 199 this->RunTest(certs, crls, info); | |
| 200 } | |
| 201 | |
| 202 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | |
| 203 TEST_F(PkitsTest13SignatureVerificationCustom, | |
| 204 Section13ValidURInameConstraintsTest36Custom) { | |
| 205 const char* const certs[] = {"TrustAnchorRootCertificate", | |
| 206 "nameConstraintsURI2CACert", | |
| 207 "ValidURInameConstraintsTest36EE"}; | |
| 208 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | |
| 209 // Name constraints on uniformResourceIdentifiers are not supported. | |
| 210 PkitsTestInfo info; | |
| 211 info.should_validate = false; | |
| 212 | |
| 213 this->RunTest(certs, crls, info); | |
| 214 } | |
| 215 | |
| 216 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 84 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
| 217 PkitsTest01SignatureVerification, | 85 PkitsTest01SignatureVerification, |
| 218 VerifyCertificateChainPkitsTestDelegate); | 86 VerifyCertificateChainPkitsTestDelegate); |
| 219 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 87 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
| 220 PkitsTest02ValidityPeriods, | 88 PkitsTest02ValidityPeriods, |
| 221 VerifyCertificateChainPkitsTestDelegate); | 89 VerifyCertificateChainPkitsTestDelegate); |
| 222 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 90 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
| 223 PkitsTest03VerifyingNameChaining, | 91 PkitsTest03VerifyingNameChaining, |
| 224 VerifyCertificateChainPkitsTestDelegate); | 92 VerifyCertificateChainPkitsTestDelegate); |
| 225 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 93 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
| 248 VerifyCertificateChainPkitsTestDelegate); | 116 VerifyCertificateChainPkitsTestDelegate); |
| 249 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 117 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
| 250 PkitsTest16PrivateCertificateExtensions, | 118 PkitsTest16PrivateCertificateExtensions, |
| 251 VerifyCertificateChainPkitsTestDelegate); | 119 VerifyCertificateChainPkitsTestDelegate); |
| 252 | 120 |
| 253 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 121 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
| 254 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 122 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
| 255 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 123 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
| 256 | 124 |
| 257 } // namespace net | 125 } // namespace net |
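Review bot: When a chain that must be rejected is accepted (`info.should_validate` false, `did_succeed` true), the new `EXPECT_EQ(info.should_validate, did_succeed);` at new line 58 reports only a boolean mismatch, whereas the old assertion streamed `path_errors.ToDebugString(input_chain)` for both mismatch directions. That is the false-accept case, the one that matters most for a path validator, and any lower-severity entries in `path_errors` would help explain it; consider `EXPECT_EQ(info.should_validate, did_succeed) << path_errors.ToDebugString(input_chain);`, which would also make the `else if (!did_succeed)` branch unnecessary. The removed Custom tests carried the rationale that DSA signatures and rfc822Name/URI name constraints are intentionally unsupported; presumably that expectation now lives in the `pkits_errors/` files or in the test info, so a short comment beside the errors-file branch saying so would keep the fail-closed intent findable. The enclosing function begins in lines not shown on this page, so its signature and the setup of `info` and `input_chain` are not visible here.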
| OLD | NEW |