
Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 509273002: Detect SHA-1 when it appears in certificate chains (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_status_extended
Patch Set: Correct Android comment Created 6 years, 3 months ago
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 5e139771c66792b34ff7f1861ed653df1a0f430e..858c0dea89aff10e1e316e1db31cbee81d217e00 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -1260,13 +1260,18 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
}
#endif
+enum ExpectedAlgorithms {
+ EXPECT_MD2 = 1 << 0,
+ EXPECT_MD4 = 1 << 1,
+ EXPECT_MD5 = 1 << 2,
+ EXPECT_SHA1 = 1 << 3
+};
+
struct WeakDigestTestData {
const char* root_cert_filename;
const char* intermediate_cert_filename;
const char* ee_cert_filename;
- bool expected_has_md5;
- bool expected_has_md4;
- bool expected_has_md2;
+ int expected_algorithms;
};
// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
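Review bot: The new enumerators `EXPECT_MD2` through `EXPECT_SHA1` read like the gtest assertion macros (`EXPECT_EQ`, `EXPECT_FALSE`) used by the same test, so an expression such as `data.expected_algorithms & EXPECT_MD5` is easy to misread; a name like `EXPECTED_MD5` or `kExpectMD5` would avoid that. The enum is used as a bit mask stored in a plain `int`, which a one-line comment above it should state, for example `// Bitmask of digest algorithms the verifier is expected to report for the chain.` The pretty-printer comment that follows the struct continues outside the hunk, so whether it prints the new field cannot be checked from here.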
@@ -1323,19 +1328,21 @@ TEST_P(CertVerifyProcWeakDigestTest, Verify) {
NULL,
empty_cert_list_,
&verify_result);
- EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
- EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
- EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
+ EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2);
+ EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4);
+ EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5);
+ EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1);
+
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
// Ensure that MD4 and MD2 are tagged as invalid.
- if (data.expected_has_md4 || data.expected_has_md2) {
+ if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) {
EXPECT_EQ(CERT_STATUS_INVALID,
verify_result.cert_status & CERT_STATUS_INVALID);
}
// Ensure that MD5 is flagged as weak.
- if (data.expected_has_md5) {
+ if (data.expected_algorithms & EXPECT_MD5) {
EXPECT_EQ(
CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
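Review bot: The SHA-1 case is asserted only through `verify_result.has_sha1`; nothing in this hunk pins what `cert_status` should be when SHA-1 is the only algorithm reported. If the intent is detection without a change in the verification outcome, a guard such as `if (data.expected_algorithms == EXPECT_SHA1)` around `EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);` would catch a later change that starts flagging SHA-1 chains as weak by accident. The `rv` checks in the following hunk cover this only when a root is supplied, so the incomplete-chain cases have no such check. The MD5 block is cut off at the end of the hunk, so the rest of the test body is not visible here.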
@@ -1348,9 +1355,9 @@ TEST_P(CertVerifyProcWeakDigestTest, Verify) {
// OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
// present (MD2, MD4, MD5).
if (data.root_cert_filename) {
- if (data.expected_has_md4 || data.expected_has_md2) {
+ if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) {
EXPECT_EQ(ERR_CERT_INVALID, rv);
- } else if (data.expected_has_md5) {
+ } else if (data.expected_algorithms & EXPECT_MD5) {
EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
} else {
EXPECT_EQ(OK, rv);
@@ -1371,14 +1378,14 @@ TEST_P(CertVerifyProcWeakDigestTest, Verify) {
// The signature algorithm of the root CA should not matter.
const WeakDigestTestData kVerifyRootCATestData[] = {
{ "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_sha1_ee.pem", false, false, false },
+ "weak_digest_sha1_ee.pem", EXPECT_SHA1 },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS
{ "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_sha1_ee.pem", false, false, false },
+ "weak_digest_sha1_ee.pem", EXPECT_SHA1 },
#endif
{ "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_sha1_ee.pem", false, false, false },
+ "weak_digest_sha1_ee.pem", EXPECT_SHA1 },
};
INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyRootCATestData));
@@ -1386,14 +1393,14 @@ INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
// The signature algorithm of intermediates should be properly detected.
const WeakDigestTestData kVerifyIntermediateCATestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
- "weak_digest_sha1_ee.pem", true, false, false },
+ "weak_digest_sha1_ee.pem", EXPECT_MD5 | EXPECT_SHA1 },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS
{ "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
- "weak_digest_sha1_ee.pem", false, true, false },
+ "weak_digest_sha1_ee.pem", EXPECT_MD4 | EXPECT_SHA1 },
#endif
{ "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
- "weak_digest_sha1_ee.pem", false, false, true },
+ "weak_digest_sha1_ee.pem", EXPECT_MD2 | EXPECT_SHA1 },
};
// Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled.
#if defined(USE_NSS) || defined(OS_IOS)
@@ -1409,14 +1416,14 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
// The signature algorithm of end-entity should be properly detected.
const WeakDigestTestData kVerifyEndEntityTestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_md5_ee.pem", true, false, false },
+ "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1 },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_md4_ee.pem", false, true, false },
+ "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1 },
#endif
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
- "weak_digest_md2_ee.pem", false, false, true },
+ "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1 },
};
// Disabled on NSS - NSS caches chains/signatures in such a way that cannot
// be cleared until NSS is cleanly shutdown, which is not presently supported
@@ -1433,14 +1440,14 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
// Incomplete chains should still report the status of the intermediate.
const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
{ NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
- true, false, false },
+ EXPECT_MD5 | EXPECT_SHA1 },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS
{ NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
- false, true, false },
+ EXPECT_MD4 | EXPECT_SHA1 },
#endif
{ NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
- false, false, true },
+ EXPECT_MD2 | EXPECT_SHA1 },
};
// Disabled on NSS - libpkix does not return constructed chains on error,
// preventing us from detecting/inspecting the verified chain.
@@ -1458,14 +1465,14 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
// Incomplete chains should still report the status of the end-entity.
const WeakDigestTestData kVerifyIncompleteEETestData[] = {
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
- true, false, false },
+ EXPECT_MD5 | EXPECT_SHA1 },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
- false, true, false },
+ EXPECT_MD4 | EXPECT_SHA1 },
#endif
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
- false, false, true },
+ EXPECT_MD2 | EXPECT_SHA1 },
};
// Disabled on NSS - libpkix does not return constructed chains on error,
// preventing us from detecting/inspecting the verified chain.
@@ -1483,13 +1490,13 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
// reported.
const WeakDigestTestData kVerifyMixedTestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
- "weak_digest_md2_ee.pem", true, false, true },
+ "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
{ "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
- "weak_digest_md5_ee.pem", true, false, true },
+ "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS
{ "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
- "weak_digest_md2_ee.pem", false, true, true },
+ "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4 },
#endif
};
// NSS does not support MD4 and does not enable MD2 by default, making all
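Review bot: The three rows of `kVerifyMixedTestData` leave out `EXPECT_SHA1`, so they now assert that `has_sha1` is false even though each chain is rooted at `weak_digest_sha1_root.pem`. That appears to rely on the root's own signature being ignored, as the comment on `kVerifyRootCATestData` says, and a comment should state it here, for example `// The SHA-1 root is intentionally not reported: only the intermediate and end-entity signatures count.` These rows are also the only visible cases where `has_sha1` is expected to be false, and they all fail verification for MD2/MD4/MD5; a chain that verifies cleanly with no SHA-1 signature below the root would give a negative case that does not depend on the error path, if such a fixture is available. The comment after the array continues outside the hunk.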