1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
| 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" |
5 #include "base/pickle.h" | 8 #include "base/pickle.h" |
6 #include "net/base/cert_status_flags.h" | 9 #include "net/base/cert_status_flags.h" |
| 10 #include "net/base/cert_test_util.h" |
7 #include "net/base/cert_verify_result.h" | 11 #include "net/base/cert_verify_result.h" |
8 #include "net/base/net_errors.h" | 12 #include "net/base/net_errors.h" |
9 #include "net/base/test_certificate_data.h" | 13 #include "net/base/test_certificate_data.h" |
10 #include "net/base/x509_certificate.h" | 14 #include "net/base/x509_certificate.h" |
11 #include "testing/gtest/include/gtest/gtest.h" | 15 #include "testing/gtest/include/gtest/gtest.h" |
12 | 16 |
13 // Unit tests aren't allowed to access external resources. Unfortunately, to | 17 // Unit tests aren't allowed to access external resources. Unfortunately, to |
14 // properly verify the EV-ness of a cert, we need to check for its revocation | 18 // properly verify the EV-ness of a cert, we need to check for its revocation |
15 // through online servers. If you're manually running unit tests, feel free to | 19 // through online servers. If you're manually running unit tests, feel free to |
16 // turn this on to test EV certs. But leave it turned off for the automated | 20 // turn this on to test EV certs. But leave it turned off for the automated |
17 // testing. | 21 // testing. |
18 #define ALLOW_EXTERNAL_ACCESS 0 | 22 #define ALLOW_EXTERNAL_ACCESS 0 |
19 | 23 |
20 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN) | 24 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN) |
21 #define TEST_EV 1 // Test CERT_STATUS_IS_EV | 25 #define TEST_EV 1 // Test CERT_STATUS_IS_EV |
22 #endif | 26 #endif |
23 | 27 |
24 using base::Time; | 28 using base::Time; |
25 | 29 |
| 30 namespace net { |
| 31 |
26 namespace { | 32 namespace { |
27 | 33 |
28 // Certificates for test data. They're obtained with: | 34 // Certificates for test data. They're obtained with: |
29 // | 35 // |
30 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null | 36 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null |
31 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der | 37 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der |
32 // | 38 // |
33 // For fingerprint | 39 // For fingerprint |
34 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der | 40 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der |
35 | 41 |
63 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 | 69 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 |
64 }; | 70 }; |
65 | 71 |
66 // A certificate for https://www.unosoft.hu/, whose AIA extension contains | 72 // A certificate for https://www.unosoft.hu/, whose AIA extension contains |
67 // an LDAP URL without a host name. | 73 // an LDAP URL without a host name. |
68 unsigned char unosoft_hu_fingerprint[] = { | 74 unsigned char unosoft_hu_fingerprint[] = { |
69 0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd, | 75 0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd, |
70 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 | 76 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 |
71 }; | 77 }; |
72 | 78 |
| 79 // Returns a FilePath object representing the src/net/data/ssl/certificates |
| 80 // directory in the source tree. |
| 81 FilePath GetTestCertsDirectory() { |
| 82 FilePath certs_dir; |
| 83 PathService::Get(base::DIR_SOURCE_ROOT, &certs_dir); |
| 84 certs_dir = certs_dir.AppendASCII("net"); |
| 85 certs_dir = certs_dir.AppendASCII("data"); |
| 86 certs_dir = certs_dir.AppendASCII("ssl"); |
| 87 certs_dir = certs_dir.AppendASCII("certificates"); |
| 88 return certs_dir; |
| 89 } |
| 90 |
| 91 // Imports a certificate file in the src/net/data/ssl/certificates directory. |
| 92 // certs_dir represents the test certificates directory. cert_file is the |
| 93 // name of the certificate file. |
| 94 X509Certificate* ImportCertFromFile(const FilePath& certs_dir, |
| 95 const std::string& cert_file) { |
| 96 FilePath cert_path = certs_dir.AppendASCII(cert_file); |
| 97 std::string cert_data; |
| 98 if (!file_util::ReadFileToString(cert_path, &cert_data)) |
| 99 return NULL; |
| 100 return X509Certificate::CreateFromBytes(cert_data.data(), cert_data.size()); |
| 101 } |
| 102 |
73 } // namespace | 103 } // namespace |
74 | 104 |
75 namespace net { | |
76 | |
77 TEST(X509CertificateTest, GoogleCertParsing) { | 105 TEST(X509CertificateTest, GoogleCertParsing) { |
78 scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes( | 106 scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes( |
79 reinterpret_cast<const char*>(google_der), sizeof(google_der)); | 107 reinterpret_cast<const char*>(google_der), sizeof(google_der)); |
80 | 108 |
81 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert); | 109 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert); |
82 | 110 |
83 const X509Certificate::Principal& subject = google_cert->subject(); | 111 const X509Certificate::Principal& subject = google_cert->subject(); |
84 EXPECT_EQ("www.google.com", subject.common_name); | 112 EXPECT_EQ("www.google.com", subject.common_name); |
85 EXPECT_EQ("Mountain View", subject.locality_name); | 113 EXPECT_EQ("Mountain View", subject.locality_name); |
86 EXPECT_EQ("California", subject.state_or_province_name); | 114 EXPECT_EQ("California", subject.state_or_province_name); |
265 EXPECT_NE(OK, error); | 293 EXPECT_NE(OK, error); |
266 // Either the system crypto library should correctly report a certificate | 294 // Either the system crypto library should correctly report a certificate |
267 // name mismatch, or our certificate blacklist should cause us to report an | 295 // name mismatch, or our certificate blacklist should cause us to report an |
268 // invalid certificate. | 296 // invalid certificate. |
269 #if defined(OS_LINUX) || defined(OS_WIN) | 297 #if defined(OS_LINUX) || defined(OS_WIN) |
270 EXPECT_NE(0, verify_result.cert_status & | 298 EXPECT_NE(0, verify_result.cert_status & |
271 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); | 299 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); |
272 #endif | 300 #endif |
273 } | 301 } |
274 | 302 |
| 303 // A certificate whose AIA extension contains an LDAP URL without a host name. |
275 // This certificate will expire on 2011-09-08. | 304 // This certificate will expire on 2011-09-08. |
276 TEST(X509CertificateTest, UnoSoftCertParsing) { | 305 TEST(X509CertificateTest, UnoSoftCertParsing) { |
| 306 FilePath certs_dir = GetTestCertsDirectory(); |
277 scoped_refptr<X509Certificate> unosoft_hu_cert = | 307 scoped_refptr<X509Certificate> unosoft_hu_cert = |
278 X509Certificate::CreateFromBytes( | 308 ImportCertFromFile(certs_dir, "unosoft_hu_cert.der"); |
279 reinterpret_cast<const char*>(unosoft_hu_der), | |
280 sizeof(unosoft_hu_der)); | |
281 | 309 |
282 ASSERT_NE(static_cast<X509Certificate*>(NULL), unosoft_hu_cert); | 310 ASSERT_NE(static_cast<X509Certificate*>(NULL), unosoft_hu_cert); |
283 | 311 |
284 const X509Certificate::Fingerprint& fingerprint = | 312 const X509Certificate::Fingerprint& fingerprint = |
285 unosoft_hu_cert->fingerprint(); | 313 unosoft_hu_cert->fingerprint(); |
286 for (size_t i = 0; i < 20; ++i) | 314 for (size_t i = 0; i < 20; ++i) |
287 EXPECT_EQ(unosoft_hu_fingerprint[i], fingerprint.data[i]); | 315 EXPECT_EQ(unosoft_hu_fingerprint[i], fingerprint.data[i]); |
288 | 316 |
289 int flags = 0; | 317 int flags = 0; |
290 CertVerifyResult verify_result; | 318 CertVerifyResult verify_result; |
291 int error = unosoft_hu_cert->Verify("www.unosoft.hu", flags, | 319 int error = unosoft_hu_cert->Verify("www.unosoft.hu", flags, |
292 &verify_result); | 320 &verify_result); |
293 EXPECT_NE(OK, error); | 321 EXPECT_NE(OK, error); |
294 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); | 322 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); |
295 } | 323 } |
296 | 324 |
| 325 #if defined(USE_NSS) |
| 326 // A regression test for http://crbug.com/31497. |
| 327 // This certificate will expire on 2012-04-08. |
| 328 // TODO(wtc): we can't run this test on Mac because MacTrustedCertificates |
| 329 // can hold only one additional trusted root certificate for unit tests. |
| 330 // TODO(wtc): we can't run this test on Windows because LoadTemporaryRootCert |
| 331 // isn't implemented (http//crbug.com/8470). |
| 332 TEST(X509CertificateTest, IntermediateCARequireExplicitPolicy) { |
| 333 FilePath certs_dir = GetTestCertsDirectory(); |
| 334 |
| 335 scoped_refptr<X509Certificate> server_cert = |
| 336 ImportCertFromFile(certs_dir, "www_us_army_mil_cert.der"); |
| 337 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 338 |
| 339 // The intermediate CA certificate's policyConstraints extension has a |
| 340 // requireExplicitPolicy field with SkipCerts=0. |
| 341 scoped_refptr<X509Certificate> intermediate_cert = |
| 342 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); |
| 343 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
| 344 |
| 345 FilePath root_cert_path = certs_dir.AppendASCII("dod_root_ca_2_cert.der"); |
| 346 scoped_refptr<X509Certificate> root_cert = |
| 347 LoadTemporaryRootCert(root_cert_path); |
| 348 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
| 349 |
| 350 int flags = 0; |
| 351 CertVerifyResult verify_result; |
| 352 int error = server_cert->Verify("www.us.army.mil", flags, &verify_result); |
| 353 EXPECT_EQ(OK, error); |
| 354 EXPECT_EQ(0, verify_result.cert_status); |
| 355 } |
| 356 #endif |
| 357 |
297 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle. We | 358 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle. We |
298 // call X509Certificate::CreateFromHandle several times and observe whether | 359 // call X509Certificate::CreateFromHandle several times and observe whether |
299 // it returns a cached or new X509Certificate object. | 360 // it returns a cached or new X509Certificate object. |
300 // | 361 // |
301 // All the OS certificate handles in this test are actually from the same | 362 // All the OS certificate handles in this test are actually from the same |
302 // source (the bytes of a lone certificate), but we pretend that some of them | 363 // source (the bytes of a lone certificate), but we pretend that some of them |
303 // come from the network. | 364 // come from the network. |
304 TEST(X509CertificateTest, Cache) { | 365 TEST(X509CertificateTest, Cache) { |
305 X509Certificate::OSCertHandle google_cert_handle; | 366 X509Certificate::OSCertHandle google_cert_handle; |
306 | 367 |
452 X509Certificate::DupOSCertHandle(handle1), | 513 X509Certificate::DupOSCertHandle(handle1), |
453 X509Certificate::SOURCE_FROM_NETWORK, | 514 X509Certificate::SOURCE_FROM_NETWORK, |
454 intermediates3); | 515 intermediates3); |
455 | 516 |
456 // The cache should have returned cert2 'cause it has more intermediates: | 517 // The cache should have returned cert2 'cause it has more intermediates: |
457 EXPECT_EQ(cert3, cert2); | 518 EXPECT_EQ(cert3, cert2); |
458 } | 519 } |
459 #endif | 520 #endif |
460 | 521 |
461 } // namespace net | 522 } // namespace net |
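Review bot: The new `GetTestCertsDirectory()` helper (new lines 81–89) discards the bool returned by `PathService::Get(base::DIR_SOURCE_ROOT, &certs_dir)`, so if the lookup fails it silently returns the relative path `net/data/ssl/certificates` resolved against the current working directory, and the tests that depend on it would read whatever sits there and fail later with an unrelated NULL-certificate assertion. Because the helper is non-void a gtest `ASSERT_*` cannot be used there, but `EXPECT_TRUE(PathService::Get(base::DIR_SOURCE_ROOT, &certs_dir));` records the real cause at the point of failure. Likewise `ImportCertFromFile` (new lines 94–101) folds an unreadable file and a parse failure into the same NULL return; logging `cert_path` before `return NULL;` would let a failing `ASSERT_NE` in the callers be traced to the right file. Separately, in `IntermediateCARequireExplicitPolicy` (new lines 332–355) nothing visible removes the trust added by `LoadTemporaryRootCert`; if that trust outlives the test it could alter the result of other verification tests in the same process (for example `UnoSoftCertParsing`, which expects `CERT_STATUS_AUTHORITY_INVALID`), so the teardown behaviour of `LoadTemporaryRootCert` is worth confirming and noting in the test comment.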