| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/cert_verify_proc_whitelist.h" | |
| 6 | |
| 7 #include "base/memory/ref_counted.h" | |
| 8 #include "net/cert/x509_certificate.h" | |
| 9 #include "net/test/cert_test_util.h" | |
| 10 #include "net/test/test_data_directory.h" | |
| 11 #include "testing/gtest/include/gtest/gtest.h" | |
| 12 | |
| 13 namespace net { | |
| 14 | |
| 15 namespace { | |
| 16 | |
| 17 namespace test1 { | |
| 18 #include "net/cert/cert_verify_proc_whitelist_unittest1-inc.cc" | |
| 19 } // namespace test1 | |
| 20 | |
| 21 TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) { | |
| 22 // The domain must be in the whitelist from | |
| 23 // //net/data/ssl/wosign/wosign_domains.gperf | |
| 24 const char kWhitelistedDomain[] = "005.tv"; | |
| 25 const char kNonWhitelistedDomain[] = "006.tv"; | |
| 26 | |
| 27 scoped_refptr<X509Certificate> cert = | |
| 28 ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem"); | |
| 29 ASSERT_TRUE(cert); | |
| 30 | |
| 31 HashValueVector public_key_hashes; | |
| 32 public_key_hashes.emplace_back(SHA256HashValue{ | |
| 33 {0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a, 0x83, 0x0b, 0x0b, | |
| 34 0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf, | |
| 35 0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65}}); | |
| 36 | |
| 37 // Domains on the whitelist are allowed, as long as their certificates were | |
| 38 // pre-existing before Oct 21, 2016. | |
| 39 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes, | |
| 40 kWhitelistedDomain)); | |
| 41 // Domains not on the whitelist are not allowed, regardless of the validity | |
| 42 // period of the certificate. | |
| 43 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes, | |
| 44 kNonWhitelistedDomain)); | |
| 45 | |
| 46 cert = ImportCertFromFile(GetTestCertsDirectory(), "wosign_after_oct_21.pem"); | |
| 47 ASSERT_TRUE(cert); | |
| 48 | |
| 49 // No new certificates (after Oct 21, 2016) are all allowed, regardless | |
| 50 // of the domain. | |
| 51 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes, | |
| 52 kWhitelistedDomain)); | |
| 53 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes, | |
| 54 kNonWhitelistedDomain)); | |
| 55 | |
| 56 // Certificates that aren't issued by WoSign are allowed, regardless of | |
| 57 // domain. | |
| 58 public_key_hashes[0].data()[0] = 0x14; | |
| 59 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes, | |
| 60 kWhitelistedDomain)); | |
| 61 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes, | |
| 62 kNonWhitelistedDomain)); | |
| 63 } | |
| 64 | |
| 65 TEST(CertVerifyProcWhitelistTest, IsWhitelistedHost) { | |
| 66 const unsigned char* graph = test1::kDafsa; | |
| 67 size_t graph_size = arraysize(test1::kDafsa); | |
| 68 | |
| 69 // Test malformed inputs. | |
| 70 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "")); | |
| 71 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, ".")); | |
| 72 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "..")); | |
| 73 | |
| 74 // Make sure that TLDs aren't accepted just because a subdomain is. | |
| 75 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "com")); | |
| 76 | |
| 77 // Test various forms of domain names that GURL will accept for entries in | |
| 78 // the graph. | |
| 79 EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com")); | |
| 80 EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "subdomain.example.com")); | |
| 81 EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".subdomain.example.com")); | |
| 82 EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "example.com.")); | |
| 83 EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, ".example.com.")); | |
| 84 EXPECT_TRUE(IsWhitelistedHost(graph, graph_size, "www.example.bar.jp")); | |
| 85 | |
| 86 // Test various prefix/suffices of entries in the graph, but that aren't | |
| 87 // themselves domain matches. | |
| 88 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "anotherexample.com")); | |
| 89 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "bar.jp")); | |
| 90 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "example.bar.jp.junk")); | |
| 91 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "foo.example.bar.jp.junk")); | |
| 92 | |
| 93 // Test various forms of domain names that GURL will accept for entries not | |
| 94 // in the graph. | |
| 95 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "domain.com")); | |
| 96 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "example..com")); | |
| 97 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www.co.uk")); | |
| 98 EXPECT_FALSE(IsWhitelistedHost(graph, graph_size, "www..co.uk")); | |
| 99 } | |
| 100 | |
| 101 } // namespace | |
| 102 | |
| 103 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2927383002:
Remove the StartCom/WoSign whitelist (Closed)
