1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
551 | 551 |
552 TEST_F(CertVerifyProcTest, NameConstraintsOk) { | 552 TEST_F(CertVerifyProcTest, NameConstraintsOk) { |
553 CertificateList ca_cert_list = | 553 CertificateList ca_cert_list = |
554 CreateCertificateListFromFile(GetTestCertsDirectory(), | 554 CreateCertificateListFromFile(GetTestCertsDirectory(), |
555 "root_ca_cert.pem", | 555 "root_ca_cert.pem", |
556 X509Certificate::FORMAT_AUTO); | 556 X509Certificate::FORMAT_AUTO); |
557 ASSERT_EQ(1U, ca_cert_list.size()); | 557 ASSERT_EQ(1U, ca_cert_list.size()); |
558 ScopedTestRoot test_root(ca_cert_list[0].get()); | 558 ScopedTestRoot test_root(ca_cert_list[0].get()); |
559 | 559 |
560 CertificateList cert_list = CreateCertificateListFromFile( | 560 CertificateList cert_list = CreateCertificateListFromFile( |
561 GetTestCertsDirectory(), "name_constraint_ok.crt", | 561 GetTestCertsDirectory(), "name_constraint_good.pem", |
562 X509Certificate::FORMAT_AUTO); | 562 X509Certificate::FORMAT_AUTO); |
563 ASSERT_EQ(1U, cert_list.size()); | 563 ASSERT_EQ(1U, cert_list.size()); |
564 | 564 |
565 X509Certificate::OSCertHandles intermediates; | 565 X509Certificate::OSCertHandles intermediates; |
566 scoped_refptr<X509Certificate> leaf = | 566 scoped_refptr<X509Certificate> leaf = |
567 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), | 567 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), |
568 intermediates); | 568 intermediates); |
569 | 569 |
570 int flags = 0; | 570 int flags = 0; |
571 CertVerifyResult verify_result; | 571 CertVerifyResult verify_result; |
586 } | 586 } |
587 | 587 |
588 CertificateList ca_cert_list = | 588 CertificateList ca_cert_list = |
589 CreateCertificateListFromFile(GetTestCertsDirectory(), | 589 CreateCertificateListFromFile(GetTestCertsDirectory(), |
590 "root_ca_cert.pem", | 590 "root_ca_cert.pem", |
591 X509Certificate::FORMAT_AUTO); | 591 X509Certificate::FORMAT_AUTO); |
592 ASSERT_EQ(1U, ca_cert_list.size()); | 592 ASSERT_EQ(1U, ca_cert_list.size()); |
593 ScopedTestRoot test_root(ca_cert_list[0].get()); | 593 ScopedTestRoot test_root(ca_cert_list[0].get()); |
594 | 594 |
595 CertificateList cert_list = CreateCertificateListFromFile( | 595 CertificateList cert_list = CreateCertificateListFromFile( |
596 GetTestCertsDirectory(), "name_constraint_bad.crt", | 596 GetTestCertsDirectory(), "name_constraint_bad.pem", |
597 X509Certificate::FORMAT_AUTO); | 597 X509Certificate::FORMAT_AUTO); |
598 ASSERT_EQ(1U, cert_list.size()); | 598 ASSERT_EQ(1U, cert_list.size()); |
599 | 599 |
600 X509Certificate::OSCertHandles intermediates; | 600 X509Certificate::OSCertHandles intermediates; |
601 scoped_refptr<X509Certificate> leaf = | 601 scoped_refptr<X509Certificate> leaf = |
602 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), | 602 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), |
603 intermediates); | 603 intermediates); |
604 | 604 |
605 int flags = 0; | 605 int flags = 0; |
606 CertVerifyResult verify_result; | 606 CertVerifyResult verify_result; |
1143 &verify_result); | 1143 &verify_result); |
1144 EXPECT_EQ(OK, error); | 1144 EXPECT_EQ(OK, error); |
1145 EXPECT_EQ(0U, verify_result.cert_status); | 1145 EXPECT_EQ(0U, verify_result.cert_status); |
1146 | 1146 |
1147 TestRootCerts::GetInstance()->Clear(); | 1147 TestRootCerts::GetInstance()->Clear(); |
1148 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty()); | 1148 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty()); |
1149 } | 1149 } |
1150 #endif | 1150 #endif |
1151 | 1151 |
1152 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) | 1152 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) |
1153 static const uint8 kCRLSetLeafSPKIBlocked[] = { | |
1154 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, | |
1155 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, | |
1156 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, | |
1157 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, | |
1158 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, | |
1159 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, | |
1160 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, | |
1161 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x43, 0x38, 0x4d, 0x4a, 0x46, 0x55, 0x55, | |
1162 0x5a, 0x38, 0x43, 0x79, 0x54, 0x2b, 0x4e, 0x57, 0x64, 0x68, 0x69, 0x7a, 0x51, | |
1163 0x68, 0x54, 0x49, 0x65, 0x46, 0x49, 0x37, 0x76, 0x41, 0x77, 0x7a, 0x64, 0x54, | |
1164 0x79, 0x52, 0x59, 0x45, 0x6e, 0x78, 0x6c, 0x33, 0x62, 0x67, 0x3d, 0x22, 0x5d, | |
1165 0x7d, | |
1166 }; | |
1167 | |
1168 static const uint8 kCRLSetLeafSerialBlocked[] = { | |
1169 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, | |
1170 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, | |
1171 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, | |
1172 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, | |
1173 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, | |
1174 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, | |
1175 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, | |
1176 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0x0f, 0x87, 0xe4, 0xc7, 0x75, 0xea, | |
1177 0x46, 0x7e, 0xf3, 0xfd, 0x82, 0xb7, 0x46, 0x7b, 0x10, 0xda, 0xc5, 0xbf, 0xd8, | |
1178 0xd1, 0x29, 0xb2, 0xc6, 0xac, 0x7f, 0x51, 0x42, 0x15, 0x28, 0x51, 0x06, 0x7f, | |
1179 0x01, 0x00, 0x00, 0x00, // number of serials | |
1180 0x01, 0xed, // serial 0xed | |
1181 }; | |
1182 | |
1183 static const uint8 kCRLSetQUICSerialBlocked[] = { | |
1184 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, | |
1185 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, | |
1186 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, | |
1187 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, | |
1188 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, | |
1189 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, | |
1190 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, | |
1191 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, | |
1192 // Issuer SPKI SHA-256 hash: | |
1193 0xe4, 0x3a, 0xa3, 0xdb, 0x98, 0x31, 0x61, 0x05, 0xdd, 0x57, 0x6d, 0xc6, 0x2f, | |
1194 0x71, 0x26, 0xba, 0xdd, 0xf4, 0x98, 0x3e, 0x62, 0x22, 0xf8, 0xf9, 0xe4, 0x18, | |
1195 0x62, 0x77, 0x79, 0xdb, 0x9b, 0x31, | |
1196 0x01, 0x00, 0x00, 0x00, // number of serials | |
1197 0x01, 0x03, // serial 3 | |
1198 }; | |
1199 | |
1200 // Test that CRLSets are effective in making a certificate appear to be | 1153 // Test that CRLSets are effective in making a certificate appear to be |
1201 // revoked. | 1154 // revoked. |
1202 TEST_F(CertVerifyProcTest, CRLSet) { | 1155 TEST_F(CertVerifyProcTest, CRLSet) { |
1203 CertificateList ca_cert_list = | 1156 CertificateList ca_cert_list = |
1204 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1157 CreateCertificateListFromFile(GetTestCertsDirectory(), |
1205 "root_ca_cert.pem", | 1158 "root_ca_cert.pem", |
1206 X509Certificate::FORMAT_AUTO); | 1159 X509Certificate::FORMAT_AUTO); |
1207 ASSERT_EQ(1U, ca_cert_list.size()); | 1160 ASSERT_EQ(1U, ca_cert_list.size()); |
1208 ScopedTestRoot test_root(ca_cert_list[0].get()); | 1161 ScopedTestRoot test_root(ca_cert_list[0].get()); |
1209 | 1162 |
1210 CertificateList cert_list = CreateCertificateListFromFile( | 1163 CertificateList cert_list = CreateCertificateListFromFile( |
1211 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); | 1164 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); |
1212 ASSERT_EQ(1U, cert_list.size()); | 1165 ASSERT_EQ(1U, cert_list.size()); |
1213 scoped_refptr<X509Certificate> cert(cert_list[0]); | 1166 scoped_refptr<X509Certificate> cert(cert_list[0]); |
1214 | 1167 |
1215 int flags = 0; | 1168 int flags = 0; |
1216 CertVerifyResult verify_result; | 1169 CertVerifyResult verify_result; |
1217 int error = Verify( | 1170 int error = Verify( |
1218 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); | 1171 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
1219 EXPECT_EQ(OK, error); | 1172 EXPECT_EQ(OK, error); |
1220 EXPECT_EQ(0U, verify_result.cert_status); | 1173 EXPECT_EQ(0U, verify_result.cert_status); |
1221 | 1174 |
| 1175 scoped_refptr<CRLSet> crl_set; |
| 1176 std::string crl_set_bytes; |
| 1177 |
1222 // First test blocking by SPKI. | 1178 // First test blocking by SPKI. |
1223 base::StringPiece crl_set_bytes( | 1179 EXPECT_TRUE(base::ReadFileToString( |
1224 reinterpret_cast<const char*>(kCRLSetLeafSPKIBlocked), | 1180 GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw"), |
1225 sizeof(kCRLSetLeafSPKIBlocked)); | 1181 &crl_set_bytes)); |
1226 scoped_refptr<CRLSet> crl_set; | |
1227 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); | 1182 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); |
1228 | 1183 |
1229 error = Verify(cert.get(), | 1184 error = Verify(cert.get(), |
1230 "127.0.0.1", | 1185 "127.0.0.1", |
1231 flags, | 1186 flags, |
1232 crl_set.get(), | 1187 crl_set.get(), |
1233 empty_cert_list_, | 1188 empty_cert_list_, |
1234 &verify_result); | 1189 &verify_result); |
1235 EXPECT_EQ(ERR_CERT_REVOKED, error); | 1190 EXPECT_EQ(ERR_CERT_REVOKED, error); |
1236 | 1191 |
1237 // Second, test revocation by serial number of a cert directly under the | 1192 // Second, test revocation by serial number of a cert directly under the |
1238 // root. | 1193 // root. |
1239 crl_set_bytes = | 1194 crl_set_bytes.clear(); |
1240 base::StringPiece(reinterpret_cast<const char*>(kCRLSetLeafSerialBlocked), | 1195 EXPECT_TRUE(base::ReadFileToString( |
1241 sizeof(kCRLSetLeafSerialBlocked)); | 1196 GetTestCertsDirectory().AppendASCII("crlset_by_root_serial.raw"), |
| 1197 &crl_set_bytes)); |
1242 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); | 1198 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); |
1243 | 1199 |
1244 error = Verify(cert.get(), | 1200 error = Verify(cert.get(), |
1245 "127.0.0.1", | 1201 "127.0.0.1", |
1246 flags, | 1202 flags, |
1247 crl_set.get(), | 1203 crl_set.get(), |
1248 empty_cert_list_, | 1204 empty_cert_list_, |
1249 &verify_result); | 1205 &verify_result); |
1250 EXPECT_EQ(ERR_CERT_REVOKED, error); | 1206 EXPECT_EQ(ERR_CERT_REVOKED, error); |
1251 } | 1207 } |
1281 "test.example.com", | 1237 "test.example.com", |
1282 flags, | 1238 flags, |
1283 NULL, | 1239 NULL, |
1284 empty_cert_list_, | 1240 empty_cert_list_, |
1285 &verify_result); | 1241 &verify_result); |
1286 EXPECT_EQ(OK, error); | 1242 EXPECT_EQ(OK, error); |
1287 EXPECT_EQ(0U, verify_result.cert_status); | 1243 EXPECT_EQ(0U, verify_result.cert_status); |
1288 | 1244 |
1289 // Test revocation by serial number of a certificate not under the root. | 1245 // Test revocation by serial number of a certificate not under the root. |
1290 scoped_refptr<CRLSet> crl_set; | 1246 scoped_refptr<CRLSet> crl_set; |
1291 base::StringPiece crl_set_bytes = | 1247 std::string crl_set_bytes; |
1292 base::StringPiece(reinterpret_cast<const char*>(kCRLSetQUICSerialBlocked), | 1248 ASSERT_TRUE(base::ReadFileToString( |
1293 sizeof(kCRLSetQUICSerialBlocked)); | 1249 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), |
| 1250 &crl_set_bytes)); |
1294 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); | 1251 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); |
1295 | 1252 |
1296 error = Verify(leaf.get(), | 1253 error = Verify(leaf.get(), |
1297 "test.example.com", | 1254 "test.example.com", |
1298 flags, | 1255 flags, |
1299 crl_set.get(), | 1256 crl_set.get(), |
1300 empty_cert_list_, | 1257 empty_cert_list_, |
1301 &verify_result); | 1258 &verify_result); |
1302 EXPECT_EQ(ERR_CERT_REVOKED, error); | 1259 EXPECT_EQ(ERR_CERT_REVOKED, error); |
1303 } | 1260 } |
1606 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1563 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1607 } | 1564 } |
1608 } | 1565 } |
1609 | 1566 |
1610 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1567 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1611 VerifyName, | 1568 VerifyName, |
1612 CertVerifyProcNameTest, | 1569 CertVerifyProcNameTest, |
1613 testing::ValuesIn(kVerifyNameData)); | 1570 testing::ValuesIn(kVerifyNameData)); |
1614 | 1571 |
1615 } // namespace net | 1572 } // namespace net |
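Review bot: In the CRLSet test the read of crlset_by_leaf_spki.raw is guarded with EXPECT_TRUE while the later crlset_by_intermediate_serial.raw read uses ASSERT_TRUE; on a missing or unreadable fixture the first case continues with an empty crl_set_bytes and then fails at CRLSetStorage::Parse, which reports the wrong cause, so make it `ASSERT_TRUE(base::ReadFileToString(GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw"), &crl_set_bytes));` and likewise for crlset_by_root_serial.raw. The inline arrays that were removed documented what each CRLSet contained (the issuer SPKI SHA-256 hash, the serial count, serial 0xed and serial 3); the .raw files carry no such description, so each ReadFileToString should get a one-line comment such as `// Lists the SPKI of ok_cert.pem as blocked.` and `// Lists ok_cert.pem's serial under the root_ca_cert.pem issuer SPKI.`, and presumably a note that these fixtures must be regenerated whenever ok_cert.pem or root_ca_cert.pem changes. The CertVerifyProcTest.CRLSet body is fully visible; the test holding the crlset_by_intermediate_serial.raw read starts outside this view.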