OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
6 | 6 |
7 #include "net/cert/internal/parsed_certificate.h" | 7 #include "net/cert/internal/parsed_certificate.h" |
8 #include "net/cert/internal/signature_policy.h" | 8 #include "net/cert/internal/signature_policy.h" |
9 #include "net/cert/internal/trust_store.h" | 9 #include "net/cert/internal/trust_store.h" |
10 #include "net/der/input.h" | 10 #include "net/der/input.h" |
11 #include "third_party/boringssl/src/include/openssl/pool.h" | 11 #include "third_party/boringssl/src/include/openssl/pool.h" |
12 | 12 |
13 // Disable tests that require DSA signatures (DSA signatures are intentionally | |
14 // unsupported). Custom versions of the DSA tests are defined below which expect | |
15 // verification to fail. | |
16 #define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 | |
17 #define Section1ValidDSAParameterInheritanceTest5 \ | |
18 DISABLED_Section1ValidDSAParameterInheritanceTest5 | |
19 | |
20 // Disable tests that require name constraints with name types that are | |
21 // intentionally unsupported. Custom versions of the tests are defined below | |
22 // which expect verification to fail. | |
23 #define Section13ValidRFC822nameConstraintsTest21 \ | |
24 DISABLED_Section13ValidRFC822nameConstraintsTest21 | |
25 #define Section13ValidRFC822nameConstraintsTest23 \ | |
26 DISABLED_Section13ValidRFC822nameConstraintsTest23 | |
27 #define Section13ValidRFC822nameConstraintsTest25 \ | |
28 DISABLED_Section13ValidRFC822nameConstraintsTest25 | |
29 #define Section13ValidDNandRFC822nameConstraintsTest27 \ | |
30 DISABLED_Section13ValidDNandRFC822nameConstraintsTest27 | |
31 #define Section13ValidURInameConstraintsTest34 \ | |
32 DISABLED_Section13ValidURInameConstraintsTest34 | |
33 #define Section13ValidURInameConstraintsTest36 \ | |
34 DISABLED_Section13ValidURInameConstraintsTest36 | |
35 | |
36 // TODO(mattm): these require CRL support: | 13 // TODO(mattm): these require CRL support: |
37 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ | 14 #define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ |
38 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 | 15 DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
39 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ | 16 #define Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 \ |
40 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 | 17 DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5 |
41 | 18 |
42 #include "net/cert/internal/nist_pkits_unittest.h" | 19 #include "net/cert/internal/nist_pkits_unittest.h" |
43 | 20 |
44 namespace net { | 21 namespace net { |
45 | 22 |
(...skipping 25 matching lines...) |
71 | 48 |
72 CertPathErrors path_errors; | 49 CertPathErrors path_errors; |
73 VerifyCertificateChain( | 50 VerifyCertificateChain( |
74 input_chain, CertificateTrust::ForTrustAnchor(), &signature_policy, | 51 input_chain, CertificateTrust::ForTrustAnchor(), &signature_policy, |
75 info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy, | 52 info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy, |
76 info.initial_policy_set, info.initial_policy_mapping_inhibit, | 53 info.initial_policy_set, info.initial_policy_mapping_inhibit, |
77 info.initial_inhibit_any_policy, &user_constrained_policy_set, | 54 info.initial_inhibit_any_policy, &user_constrained_policy_set, |
78 &path_errors); | 55 &path_errors); |
79 bool did_succeed = !path_errors.ContainsHighSeverityErrors(); | 56 bool did_succeed = !path_errors.ContainsHighSeverityErrors(); |
80 | 57 |
| 58 EXPECT_EQ(info.should_validate, did_succeed); |
81 EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set); | 59 EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set); |
82 | 60 |
83 // TODO(crbug.com/634443): Test errors on failure? | 61 // Check that the errors match expectations. The errors are saved in a |
84 if (info.should_validate != did_succeed) { | 62 // parallel file, as they don't apply generically to the third_party |
85 ASSERT_EQ(info.should_validate, did_succeed) | 63 // PKITS data. |
86 << path_errors.ToDebugString(input_chain); | 64 if (!info.should_validate && !did_succeed) { |
| 65 std::string errors_file_path = |
| 66 std::string( |
| 67 "net/data/verify_certificate_chain_unittest/pkits_errors/") + |
| 68 info.test_number + std::string(".txt"); |
| 69 |
| 70 std::string expected_errors = ReadTestFileToString(errors_file_path); |
| 71 |
| 72 // Check that the errors match. |
| 73 VerifyCertPathErrors(expected_errors, path_errors, input_chain, |
| 74 errors_file_path); |
| 75 } else if (!did_succeed) { |
| 76 // If it failed and wasn't supposed to fail, print the errors. |
| 77 EXPECT_EQ("", path_errors.ToDebugString(input_chain)); |
87 } | 78 } |
88 } | 79 } |
89 }; | 80 }; |
90 | 81 |
91 } // namespace | 82 } // namespace |
92 | 83 |
93 class PkitsTest01SignatureVerificationCustom | |
94 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | |
95 | |
96 // Modified version of 4.1.4 Valid DSA Signatures Test4 | |
97 TEST_F(PkitsTest01SignatureVerificationCustom, | |
98 Section1ValidDSASignaturesTest4Custom) { | |
99 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | |
100 "ValidDSASignaturesTest4EE"}; | |
101 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; | |
102 // DSA signatures are intentionally unsupported. | |
103 PkitsTestInfo info; | |
104 info.should_validate = false; | |
105 | |
106 this->RunTest(certs, crls, info); | |
107 } | |
108 | |
109 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 | |
110 TEST_F(PkitsTest01SignatureVerificationCustom, | |
111 Section1ValidDSAParameterInheritanceTest5Custom) { | |
112 const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", | |
113 "DSAParametersInheritedCACert", | |
114 "ValidDSAParameterInheritanceTest5EE"}; | |
115 const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", | |
116 "DSAParametersInheritedCACRL"}; | |
117 // DSA signatures are intentionally unsupported. | |
118 PkitsTestInfo info; | |
119 info.should_validate = false; | |
120 | |
121 this->RunTest(certs, crls, info); | |
122 } | |
123 | |
124 class PkitsTest13SignatureVerificationCustom | |
125 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | |
126 | |
127 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 | |
128 TEST_F(PkitsTest13SignatureVerificationCustom, | |
129 Section13ValidRFC822nameConstraintsTest21Custom) { | |
130 const char* const certs[] = {"TrustAnchorRootCertificate", | |
131 "nameConstraintsRFC822CA1Cert", | |
132 "ValidRFC822nameConstraintsTest21EE"}; | |
133 const char* const crls[] = {"TrustAnchorRootCRL", | |
134 "nameConstraintsRFC822CA1CRL"}; | |
135 // Name constraints on rfc822Names are not supported. | |
136 PkitsTestInfo info; | |
137 info.should_validate = false; | |
138 | |
139 this->RunTest(certs, crls, info); | |
140 } | |
141 | |
142 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 | |
143 TEST_F(PkitsTest13SignatureVerificationCustom, | |
144 Section13ValidRFC822nameConstraintsTest23Custom) { | |
145 const char* const certs[] = {"TrustAnchorRootCertificate", | |
146 "nameConstraintsRFC822CA2Cert", | |
147 "ValidRFC822nameConstraintsTest23EE"}; | |
148 const char* const crls[] = {"TrustAnchorRootCRL", | |
149 "nameConstraintsRFC822CA2CRL"}; | |
150 // Name constraints on rfc822Names are not supported. | |
151 PkitsTestInfo info; | |
152 info.should_validate = false; | |
153 | |
154 this->RunTest(certs, crls, info); | |
155 } | |
156 | |
157 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 | |
158 TEST_F(PkitsTest13SignatureVerificationCustom, | |
159 Section13ValidRFC822nameConstraintsTest25Custom) { | |
160 const char* const certs[] = {"TrustAnchorRootCertificate", | |
161 "nameConstraintsRFC822CA3Cert", | |
162 "ValidRFC822nameConstraintsTest25EE"}; | |
163 const char* const crls[] = {"TrustAnchorRootCRL", | |
164 "nameConstraintsRFC822CA3CRL"}; | |
165 // Name constraints on rfc822Names are not supported. | |
166 PkitsTestInfo info; | |
167 info.should_validate = false; | |
168 | |
169 this->RunTest(certs, crls, info); | |
170 } | |
171 | |
172 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 | |
173 TEST_F(PkitsTest13SignatureVerificationCustom, | |
174 Section13ValidDNandRFC822nameConstraintsTest27Custom) { | |
175 const char* const certs[] = {"TrustAnchorRootCertificate", | |
176 "nameConstraintsDN1CACert", | |
177 "nameConstraintsDN1subCA3Cert", | |
178 "ValidDNandRFC822nameConstraintsTest27EE"}; | |
179 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", | |
180 "nameConstraintsDN1subCA3CRL"}; | |
181 // Name constraints on rfc822Names are not supported. | |
182 PkitsTestInfo info; | |
183 info.should_validate = false; | |
184 | |
185 this->RunTest(certs, crls, info); | |
186 } | |
187 | |
188 // Modified version of 4.13.34 Valid URI nameConstraints Test34 | |
189 TEST_F(PkitsTest13SignatureVerificationCustom, | |
190 Section13ValidURInameConstraintsTest34Custom) { | |
191 const char* const certs[] = {"TrustAnchorRootCertificate", | |
192 "nameConstraintsURI1CACert", | |
193 "ValidURInameConstraintsTest34EE"}; | |
194 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; | |
195 // Name constraints on uniformResourceIdentifiers are not supported. | |
196 PkitsTestInfo info; | |
197 info.should_validate = false; | |
198 | |
199 this->RunTest(certs, crls, info); | |
200 } | |
201 | |
202 // Modified version of 4.13.36 Valid URI nameConstraints Test36 | |
203 TEST_F(PkitsTest13SignatureVerificationCustom, | |
204 Section13ValidURInameConstraintsTest36Custom) { | |
205 const char* const certs[] = {"TrustAnchorRootCertificate", | |
206 "nameConstraintsURI2CACert", | |
207 "ValidURInameConstraintsTest36EE"}; | |
208 const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; | |
209 // Name constraints on uniformResourceIdentifiers are not supported. | |
210 PkitsTestInfo info; | |
211 info.should_validate = false; | |
212 | |
213 this->RunTest(certs, crls, info); | |
214 } | |
215 | |
216 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 84 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
217 PkitsTest01SignatureVerification, | 85 PkitsTest01SignatureVerification, |
218 VerifyCertificateChainPkitsTestDelegate); | 86 VerifyCertificateChainPkitsTestDelegate); |
219 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 87 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
220 PkitsTest02ValidityPeriods, | 88 PkitsTest02ValidityPeriods, |
221 VerifyCertificateChainPkitsTestDelegate); | 89 VerifyCertificateChainPkitsTestDelegate); |
222 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 90 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
223 PkitsTest03VerifyingNameChaining, | 91 PkitsTest03VerifyingNameChaining, |
224 VerifyCertificateChainPkitsTestDelegate); | 92 VerifyCertificateChainPkitsTestDelegate); |
225 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 93 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
(...skipping 22 matching lines...) |
248 VerifyCertificateChainPkitsTestDelegate); | 116 VerifyCertificateChainPkitsTestDelegate); |
249 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, | 117 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
250 PkitsTest16PrivateCertificateExtensions, | 118 PkitsTest16PrivateCertificateExtensions, |
251 VerifyCertificateChainPkitsTestDelegate); | 119 VerifyCertificateChainPkitsTestDelegate); |
252 | 120 |
253 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 121 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
254 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 122 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
255 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 123 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
256 | 124 |
257 } // namespace net | 125 } // namespace net |
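Review bot: The unexpected-acceptance case (`!info.should_validate && did_succeed`) is reported only by the bare boolean mismatch at new line 58, while the other outcomes get the error list; for a chain verifier that is the case where a reader most needs context. Attaching the debug string to the first check, `EXPECT_EQ(info.should_validate, did_succeed) << path_errors.ToDebugString(input_chain);`, would show any lower-severity errors recorded for the chain and would make the `else if (!did_succeed)` branch redundant. The removed custom DSA, rfc822Name and URI name-constraint tests were what pinned rejection of those intentionally unsupported inputs on this page, so it is worth confirming that the generic PKITS cases now carry `should_validate = false` and a `pkits_errors/<test_number>.txt` file for each. That data, and what `ReadTestFileToString` does when the file is missing, are not visible here. The enclosing test method starts in the skipped region above new line 48.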