net/base/x509_certificate_unittest.cc - Issue 6793041: net: add ability to distinguish user-added root CAs.

Side by Side Diff: net/base/x509_certificate_unittest.cc

Issue 6793041: net: add ability to distinguish user-added root CAs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: ... Created 9 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "base/crypto/rsa_private_key.h"	5 #include "base/crypto/rsa_private_key.h"

6 #include "base/file_path.h"	6 #include "base/file_path.h"

7 #include "base/file_util.h"	7 #include "base/file_util.h"

8 #include "base/path_service.h"	8 #include "base/path_service.h"

9 #include "base/pickle.h"	9 #include "base/pickle.h"

10 #include "base/string_split.h"	10 #include "base/string_split.h"

(...skipping 463 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
474 intermediates);	474 intermediates);

475	475

476 int flags = 0;	476 int flags = 0;

477 CertVerifyResult verify_result;	477 CertVerifyResult verify_result;

478 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result);	478 int error = cert_chain->Verify("www.us.army.mil", flags, &verify_result);

479 EXPECT_EQ(OK, error);	479 EXPECT_EQ(OK, error);

480 EXPECT_EQ(0, verify_result.cert_status);	480 EXPECT_EQ(0, verify_result.cert_status);

481 root_certs->Clear();	481 root_certs->Clear();

482 }	482 }

483	483

	484 TEST(X509CertificateTest, TestKnownRoot) {

	485 FilePath certs_dir = GetTestCertsDirectory();

	486 scoped_refptr<X509Certificate> cert =

	487 ImportCertFromFile(certs_dir, "nist.der");

	488 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);

	489

	490 int flags = 0;

	491 CertVerifyResult verify_result;

	492 cert->Verify("www.nist.gov", flags, &verify_result);

	493 // We don't check the error because the certificate will expire eventually.

	494 EXPECT_TRUE(verify_result.is_issued_by_known_root);
	wtc 2011/04/07 05:01:54 BUG (FUTURE): cert->Verify() sets verify_result.is BUG (FUTURE): cert->Verify() sets verify_result.is_issued_by_known_root only if the certificate is good. So when this certificate expires, verify_result.is_issued_by_known_root will be false. agl 2011/04/07 15:02:49 I've moved the code which sets \|is_issued_by_known Show quoted text On 2011/04/07 05:01:54, wtc wrote: > BUG (FUTURE): cert->Verify() sets > verify_result.is_issued_by_known_root only if the certificate > is good. So when this certificate expires, > verify_result.is_issued_by_known_root will be false. I've moved the code which sets \|is_issued_by_known_root\| down in each case so that it's only set in the event of a valid certificate. Now, expiry is a problem here but I can't find a way around it :( The test will blow up in the future. wtc 2011/04/08 00:39:17 Yes. The X509CertificateTest unit tests that use Show quoted text On 2011/04/07 15:02:49, agl wrote: > Now, expiry is a problem > here but I can't find a way around it :( The test will blow up in the future. Yes. The X509CertificateTest unit tests that use real certificates all have this problem. We should at least document when the certificate will expire so that build sheriffs will know they can disable the test safely when the test blows up.
	495 }

	496

484 // A regression test for http://crbug.com/70293.	497 // A regression test for http://crbug.com/70293.

485 // The Key Usage extension in this RSA SSL server certificate does not have	498 // The Key Usage extension in this RSA SSL server certificate does not have

486 // the keyEncipherment bit.	499 // the keyEncipherment bit.

487 TEST(X509CertificateTest, InvalidKeyUsage) {	500 TEST(X509CertificateTest, InvalidKeyUsage) {

488 FilePath certs_dir = GetTestCertsDirectory();	501 FilePath certs_dir = GetTestCertsDirectory();

489	502

490 scoped_refptr<X509Certificate> server_cert =	503 scoped_refptr<X509Certificate> server_cert =

491 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");	504 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");

492 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);	505 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);

493	506

(...skipping 499 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
993 EXPECT_EQ(test_data.expected,	1006 EXPECT_EQ(test_data.expected,

994 X509Certificate::VerifyHostname(test_data.hostname, cert_names))	1007 X509Certificate::VerifyHostname(test_data.hostname, cert_names))

995 << "Host [" << test_data.hostname	1008 << "Host [" << test_data.hostname

996 << "], cert name [" << test_data.cert_names << "]";	1009 << "], cert name [" << test_data.cert_names << "]";

997 }	1010 }

998	1011

999 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,	1012 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,

1000 testing::ValuesIn(kNameVerifyTestData));	1013 testing::ValuesIn(kNameVerifyTestData));

1001	1014

1002 } // namespace net	1015 } // namespace net

OLD	NEW

« net/base/x509_certificate_nss.cc ('K') | « net/base/x509_certificate_nss.cc ('k') | net/base/x509_certificate_win.cc » ('j') | net/base/x509_certificate_win.cc » ('J')