| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/file_util.h" | 10 #include "base/file_util.h" |
| (...skipping 626 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 637 CertVerifyResult verify_result; | 637 CertVerifyResult verify_result; |
| 638 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 638 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug |
| 639 // against agl. See also PublicKeyHashes. | 639 // against agl. See also PublicKeyHashes. |
| 640 int error = Verify(cert_chain.get(), | 640 int error = Verify(cert_chain.get(), |
| 641 "satveda.com", | 641 "satveda.com", |
| 642 flags, | 642 flags, |
| 643 NULL, | 643 NULL, |
| 644 empty_cert_list_, | 644 empty_cert_list_, |
| 645 &verify_result); | 645 &verify_result); |
| 646 EXPECT_EQ(OK, error); | 646 EXPECT_EQ(OK, error); |
| 647 EXPECT_EQ(0U, verify_result.cert_status); | 647 EXPECT_EQ(CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM, |
| 648 verify_result.cert_status); |
| 648 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 649 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
| 649 } | 650 } |
| 650 | 651 |
| 651 // The certse.pem certificate has been revoked. crbug.com/259723. | 652 // The certse.pem certificate has been revoked. crbug.com/259723. |
| 652 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 653 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
| 653 if (!SupportsReturningVerifiedChain()) { | 654 if (!SupportsReturningVerifiedChain()) { |
| 654 LOG(INFO) << "Skipping this test in this platform."; | 655 LOG(INFO) << "Skipping this test in this platform."; |
| 655 return; | 656 return; |
| 656 } | 657 } |
| 657 | 658 |
| (...skipping 13 matching lines...) Expand all Loading... |
| 671 | 672 |
| 672 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 673 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug |
| 673 // against agl. See also TestKnownRoot. | 674 // against agl. See also TestKnownRoot. |
| 674 int error = Verify(cert_chain.get(), | 675 int error = Verify(cert_chain.get(), |
| 675 "satveda.com", | 676 "satveda.com", |
| 676 flags, | 677 flags, |
| 677 NULL, | 678 NULL, |
| 678 empty_cert_list_, | 679 empty_cert_list_, |
| 679 &verify_result); | 680 &verify_result); |
| 680 EXPECT_EQ(OK, error); | 681 EXPECT_EQ(OK, error); |
| 681 EXPECT_EQ(0U, verify_result.cert_status); | 682 EXPECT_EQ(CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM, |
| 683 verify_result.cert_status); |
| 682 ASSERT_LE(2U, verify_result.public_key_hashes.size()); | 684 ASSERT_LE(2U, verify_result.public_key_hashes.size()); |
| 683 | 685 |
| 684 HashValueVector sha1_hashes; | 686 HashValueVector sha1_hashes; |
| 685 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 687 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
| 686 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 688 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
| 687 continue; | 689 continue; |
| 688 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 690 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
| 689 } | 691 } |
| 690 ASSERT_LE(2u, sha1_hashes.size()); | 692 ASSERT_LE(2u, sha1_hashes.size()); |
| 691 | 693 |
| (...skipping 377 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1069 // works. Only the first two certificates are included in the chain. | 1071 // works. Only the first two certificates are included in the chain. |
| 1070 int flags = 0; | 1072 int flags = 0; |
| 1071 CertVerifyResult verify_result; | 1073 CertVerifyResult verify_result; |
| 1072 int error = Verify(cybertrust_basic.get(), | 1074 int error = Verify(cybertrust_basic.get(), |
| 1073 "cacert.omniroot.com", | 1075 "cacert.omniroot.com", |
| 1074 flags, | 1076 flags, |
| 1075 NULL, | 1077 NULL, |
| 1076 empty_cert_list_, | 1078 empty_cert_list_, |
| 1077 &verify_result); | 1079 &verify_result); |
| 1078 EXPECT_EQ(OK, error); | 1080 EXPECT_EQ(OK, error); |
| 1079 EXPECT_EQ(0U, verify_result.cert_status); | 1081 EXPECT_EQ(CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM, |
| 1082 verify_result.cert_status); |
| 1080 | 1083 |
| 1081 // Attempt to verify with the first known cross-certified intermediate | 1084 // Attempt to verify with the first known cross-certified intermediate |
| 1082 // provided. | 1085 // provided. |
| 1083 scoped_refptr<X509Certificate> baltimore_intermediate_1 = | 1086 scoped_refptr<X509Certificate> baltimore_intermediate_1 = |
| 1084 ImportCertFromFile(GetTestCertsDirectory(), | 1087 ImportCertFromFile(GetTestCertsDirectory(), |
| 1085 "cybertrust_baltimore_cross_certified_1.pem"); | 1088 "cybertrust_baltimore_cross_certified_1.pem"); |
| 1086 ASSERT_TRUE(baltimore_intermediate_1.get()); | 1089 ASSERT_TRUE(baltimore_intermediate_1.get()); |
| 1087 | 1090 |
| 1088 X509Certificate::OSCertHandles intermediate_chain_1 = | 1091 X509Certificate::OSCertHandles intermediate_chain_1 = |
| 1089 cybertrust_basic->GetIntermediateCertificates(); | 1092 cybertrust_basic->GetIntermediateCertificates(); |
| 1090 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle()); | 1093 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle()); |
| 1091 | 1094 |
| 1092 scoped_refptr<X509Certificate> baltimore_chain_1 = | 1095 scoped_refptr<X509Certificate> baltimore_chain_1 = |
| 1093 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), | 1096 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 1094 intermediate_chain_1); | 1097 intermediate_chain_1); |
| 1095 error = Verify(baltimore_chain_1.get(), | 1098 error = Verify(baltimore_chain_1.get(), |
| 1096 "cacert.omniroot.com", | 1099 "cacert.omniroot.com", |
| 1097 flags, | 1100 flags, |
| 1098 NULL, | 1101 NULL, |
| 1099 empty_cert_list_, | 1102 empty_cert_list_, |
| 1100 &verify_result); | 1103 &verify_result); |
| 1101 EXPECT_EQ(OK, error); | 1104 EXPECT_EQ(OK, error); |
| 1102 EXPECT_EQ(0U, verify_result.cert_status); | 1105 EXPECT_EQ(CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM, |
| 1106 verify_result.cert_status); |
| 1103 | 1107 |
| 1104 // Attempt to verify with the second known cross-certified intermediate | 1108 // Attempt to verify with the second known cross-certified intermediate |
| 1105 // provided. | 1109 // provided. |
| 1106 scoped_refptr<X509Certificate> baltimore_intermediate_2 = | 1110 scoped_refptr<X509Certificate> baltimore_intermediate_2 = |
| 1107 ImportCertFromFile(GetTestCertsDirectory(), | 1111 ImportCertFromFile(GetTestCertsDirectory(), |
| 1108 "cybertrust_baltimore_cross_certified_2.pem"); | 1112 "cybertrust_baltimore_cross_certified_2.pem"); |
| 1109 ASSERT_TRUE(baltimore_intermediate_2.get()); | 1113 ASSERT_TRUE(baltimore_intermediate_2.get()); |
| 1110 | 1114 |
| 1111 X509Certificate::OSCertHandles intermediate_chain_2 = | 1115 X509Certificate::OSCertHandles intermediate_chain_2 = |
| 1112 cybertrust_basic->GetIntermediateCertificates(); | 1116 cybertrust_basic->GetIntermediateCertificates(); |
| 1113 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle()); | 1117 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle()); |
| 1114 | 1118 |
| 1115 scoped_refptr<X509Certificate> baltimore_chain_2 = | 1119 scoped_refptr<X509Certificate> baltimore_chain_2 = |
| 1116 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), | 1120 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 1117 intermediate_chain_2); | 1121 intermediate_chain_2); |
| 1118 error = Verify(baltimore_chain_2.get(), | 1122 error = Verify(baltimore_chain_2.get(), |
| 1119 "cacert.omniroot.com", | 1123 "cacert.omniroot.com", |
| 1120 flags, | 1124 flags, |
| 1121 NULL, | 1125 NULL, |
| 1122 empty_cert_list_, | 1126 empty_cert_list_, |
| 1123 &verify_result); | 1127 &verify_result); |
| 1124 EXPECT_EQ(OK, error); | 1128 EXPECT_EQ(OK, error); |
| 1125 EXPECT_EQ(0U, verify_result.cert_status); | 1129 EXPECT_EQ(CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM, |
| 1130 verify_result.cert_status); |
| 1126 | 1131 |
| 1127 // Attempt to verify when both a cross-certified intermediate AND | 1132 // Attempt to verify when both a cross-certified intermediate AND |
| 1128 // the legacy GTE root are provided. | 1133 // the legacy GTE root are provided. |
| 1129 scoped_refptr<X509Certificate> cybertrust_root = | 1134 scoped_refptr<X509Certificate> cybertrust_root = |
| 1130 ImportCertFromFile(GetTestCertsDirectory(), | 1135 ImportCertFromFile(GetTestCertsDirectory(), |
| 1131 "cybertrust_gte_root.pem"); | 1136 "cybertrust_gte_root.pem"); |
| 1132 ASSERT_TRUE(cybertrust_root.get()); | 1137 ASSERT_TRUE(cybertrust_root.get()); |
| 1133 | 1138 |
| 1134 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle()); | 1139 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle()); |
| 1135 scoped_refptr<X509Certificate> baltimore_chain_with_root = | 1140 scoped_refptr<X509Certificate> baltimore_chain_with_root = |
| 1136 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), | 1141 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 1137 intermediate_chain_2); | 1142 intermediate_chain_2); |
| 1138 error = Verify(baltimore_chain_with_root.get(), | 1143 error = Verify(baltimore_chain_with_root.get(), |
| 1139 "cacert.omniroot.com", | 1144 "cacert.omniroot.com", |
| 1140 flags, | 1145 flags, |
| 1141 NULL, | 1146 NULL, |
| 1142 empty_cert_list_, | 1147 empty_cert_list_, |
| 1143 &verify_result); | 1148 &verify_result); |
| 1144 EXPECT_EQ(OK, error); | 1149 EXPECT_EQ(OK, error); |
| 1145 EXPECT_EQ(0U, verify_result.cert_status); | 1150 EXPECT_EQ(CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM, |
| 1151 verify_result.cert_status); |
| 1146 | 1152 |
| 1147 TestRootCerts::GetInstance()->Clear(); | 1153 TestRootCerts::GetInstance()->Clear(); |
| 1148 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty()); | 1154 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty()); |
| 1149 } | 1155 } |
| 1150 #endif | 1156 #endif |
| 1151 | 1157 |
| 1152 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) | 1158 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) |
| 1153 // Test that CRLSets are effective in making a certificate appear to be | 1159 // Test that CRLSets are effective in making a certificate appear to be |
| 1154 // revoked. | 1160 // revoked. |
| 1155 TEST_F(CertVerifyProcTest, CRLSet) { | 1161 TEST_F(CertVerifyProcTest, CRLSet) { |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1233 | 1239 |
| 1234 int flags = 0; | 1240 int flags = 0; |
| 1235 CertVerifyResult verify_result; | 1241 CertVerifyResult verify_result; |
| 1236 int error = Verify(leaf.get(), | 1242 int error = Verify(leaf.get(), |
| 1237 "test.example.com", | 1243 "test.example.com", |
| 1238 flags, | 1244 flags, |
| 1239 NULL, | 1245 NULL, |
| 1240 empty_cert_list_, | 1246 empty_cert_list_, |
| 1241 &verify_result); | 1247 &verify_result); |
| 1242 EXPECT_EQ(OK, error); | 1248 EXPECT_EQ(OK, error); |
| 1243 EXPECT_EQ(0U, verify_result.cert_status); | 1249 EXPECT_EQ(CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM, |
| 1250 verify_result.cert_status); |
| 1244 | 1251 |
| 1245 // Test revocation by serial number of a certificate not under the root. | 1252 // Test revocation by serial number of a certificate not under the root. |
| 1246 scoped_refptr<CRLSet> crl_set; | 1253 scoped_refptr<CRLSet> crl_set; |
| 1247 std::string crl_set_bytes; | 1254 std::string crl_set_bytes; |
| 1248 ASSERT_TRUE(base::ReadFileToString( | 1255 ASSERT_TRUE(base::ReadFileToString( |
| 1249 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), | 1256 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), |
| 1250 &crl_set_bytes)); | 1257 &crl_set_bytes)); |
| 1251 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); | 1258 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); |
| 1252 | 1259 |
| 1253 error = Verify(leaf.get(), | 1260 error = Verify(leaf.get(), |
| (...skipping 316 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1570 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1577 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1571 } | 1578 } |
| 1572 } | 1579 } |
| 1573 | 1580 |
| 1574 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1581 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1575 VerifyName, | 1582 VerifyName, |
| 1576 CertVerifyProcNameTest, | 1583 CertVerifyProcNameTest, |
| 1577 testing::ValuesIn(kVerifyNameData)); | 1584 testing::ValuesIn(kVerifyNameData)); |
| 1578 | 1585 |
| 1579 } // namespace net | 1586 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 508823009:
Mark SHA-1 as deprecated (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@cert_verify_result_sha1