1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
813 webkit_cert->os_cert_handle())); | 813 webkit_cert->os_cert_handle())); |
814 EXPECT_TRUE(cert2->HasIntermediateCertificate( | 814 EXPECT_TRUE(cert2->HasIntermediateCertificate( |
815 thawte_cert->os_cert_handle())); | 815 thawte_cert->os_cert_handle())); |
816 EXPECT_FALSE(cert2->HasIntermediateCertificate( | 816 EXPECT_FALSE(cert2->HasIntermediateCertificate( |
817 paypal_cert->os_cert_handle())); | 817 paypal_cert->os_cert_handle())); |
818 | 818 |
819 // Cleanup | 819 // Cleanup |
820 X509Certificate::FreeOSCertHandle(google_handle); | 820 X509Certificate::FreeOSCertHandle(google_handle); |
821 } | 821 } |
822 | 822 |
| 823 // Basic test for returning the chain in CertVerifyResult. Note that the |
| 824 // returned chain may just be a reflection of the originally supplied chain; |
| 825 // that is, if any errors occur, the default chain returned is an exact copy |
| 826 // of the certificate to be verified. The remaining VerifyReturn* tests are |
| 827 // used to ensure that the actual, verified chain is being returned by |
| 828 // Verify(). |
| 829 TEST(X509CertificateTest, VerifyReturnChainBasic) { |
| 830 FilePath certs_dir = GetTestCertsDirectory(); |
| 831 CertificateList certs = CreateCertificateListFromFile( |
| 832 certs_dir, "x509_verify_results.chain.pem", |
| 833 X509Certificate::FORMAT_AUTO); |
| 834 ASSERT_EQ(3U, certs.size()); |
| 835 |
| 836 X509Certificate::OSCertHandles intermediates; |
| 837 intermediates.push_back(certs[1]->os_cert_handle()); |
| 838 intermediates.push_back(certs[2]->os_cert_handle()); |
| 839 |
| 840 TestRootCerts::GetInstance()->Add(certs[2]); |
| 841 |
| 842 scoped_refptr<X509Certificate> google_full_chain = |
| 843 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 844 intermediates); |
| 845 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 846 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 847 |
| 848 CertVerifyResult verify_result; |
| 849 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 850 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); |
| 851 EXPECT_EQ(OK, error); |
| 852 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 853 |
| 854 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 855 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 856 google_full_chain->os_cert_handle(), |
| 857 verify_result.verified_cert->os_cert_handle())); |
| 858 const X509Certificate::OSCertHandles& return_intermediates = |
| 859 verify_result.verified_cert->GetIntermediateCertificates(); |
| 860 ASSERT_EQ(2U, return_intermediates.size()); |
| 861 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 862 certs[1]->os_cert_handle())); |
| 863 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 864 certs[2]->os_cert_handle())); |
| 865 |
| 866 TestRootCerts::GetInstance()->Clear(); |
| 867 } |
| 868 |
| 869 // Test that the certificate returned in CertVerifyResult is able to reorder |
| 870 // certificates that are not ordered from end-entity to root. While this is |
| 871 // a protocol violation if sent during a TLS handshake, if multiple sources |
| 872 // of intermediate certificates are combined, it's possible that order may |
| 873 // not be maintained. |
| 874 TEST(X509CertificateTest, VerifyReturnChainProperlyOrdered) { |
| 875 FilePath certs_dir = GetTestCertsDirectory(); |
| 876 CertificateList certs = CreateCertificateListFromFile( |
| 877 certs_dir, "x509_verify_results.chain.pem", |
| 878 X509Certificate::FORMAT_AUTO); |
| 879 ASSERT_EQ(3U, certs.size()); |
| 880 |
| 881 // Construct the chain out of order. |
| 882 X509Certificate::OSCertHandles intermediates; |
| 883 intermediates.push_back(certs[2]->os_cert_handle()); |
| 884 intermediates.push_back(certs[1]->os_cert_handle()); |
| 885 |
| 886 TestRootCerts::GetInstance()->Add(certs[2]); |
| 887 |
| 888 scoped_refptr<X509Certificate> google_full_chain = |
| 889 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 890 intermediates); |
| 891 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 892 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 893 |
| 894 CertVerifyResult verify_result; |
| 895 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 896 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); |
| 897 EXPECT_EQ(OK, error); |
| 898 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 899 |
| 900 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 901 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 902 google_full_chain->os_cert_handle(), |
| 903 verify_result.verified_cert->os_cert_handle())); |
| 904 const X509Certificate::OSCertHandles& return_intermediates = |
| 905 verify_result.verified_cert->GetIntermediateCertificates(); |
| 906 ASSERT_EQ(2U, return_intermediates.size()); |
| 907 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 908 certs[1]->os_cert_handle())); |
| 909 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 910 certs[2]->os_cert_handle())); |
| 911 |
| 912 TestRootCerts::GetInstance()->Clear(); |
| 913 } |
| 914 |
| 915 // Test that Verify() filters out certificates which are not related to |
| 916 // or part of the certificate chain being verified. |
| 917 TEST(X509CertificateTest, VerifyReturnChainFiltersUnrelatedCerts) { |
| 918 FilePath certs_dir = GetTestCertsDirectory(); |
| 919 CertificateList certs = CreateCertificateListFromFile( |
| 920 certs_dir, "x509_verify_results.chain.pem", |
| 921 X509Certificate::FORMAT_AUTO); |
| 922 ASSERT_EQ(3U, certs.size()); |
| 923 TestRootCerts::GetInstance()->Add(certs[2]); |
| 924 |
| 925 scoped_refptr<X509Certificate> unrelated_dod_certificate = |
| 926 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); |
| 927 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = |
| 928 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); |
| 929 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); |
| 930 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); |
| 931 |
| 932 // Interject unrelated certificates into the list of intermediates. |
| 933 X509Certificate::OSCertHandles intermediates; |
| 934 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); |
| 935 intermediates.push_back(certs[1]->os_cert_handle()); |
| 936 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); |
| 937 intermediates.push_back(certs[2]->os_cert_handle()); |
| 938 |
| 939 scoped_refptr<X509Certificate> google_full_chain = |
| 940 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 941 intermediates); |
| 942 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 943 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); |
| 944 |
| 945 CertVerifyResult verify_result; |
| 946 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 947 int error = google_full_chain->Verify("127.0.0.1", 0, &verify_result); |
| 948 EXPECT_EQ(OK, error); |
| 949 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 950 |
| 951 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 952 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 953 google_full_chain->os_cert_handle(), |
| 954 verify_result.verified_cert->os_cert_handle())); |
| 955 const X509Certificate::OSCertHandles& return_intermediates = |
| 956 verify_result.verified_cert->GetIntermediateCertificates(); |
| 957 ASSERT_EQ(2U, return_intermediates.size()); |
| 958 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 959 certs[1]->os_cert_handle())); |
| 960 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 961 certs[2]->os_cert_handle())); |
| 962 TestRootCerts::GetInstance()->Clear(); |
| 963 } |
| 964 |
823 #if defined(OS_MACOSX) | 965 #if defined(OS_MACOSX) |
824 TEST(X509CertificateTest, IsIssuedBy) { | 966 TEST(X509CertificateTest, IsIssuedBy) { |
825 FilePath certs_dir = GetTestCertsDirectory(); | 967 FilePath certs_dir = GetTestCertsDirectory(); |
826 | 968 |
827 // Test a client certificate from MIT. | 969 // Test a client certificate from MIT. |
828 scoped_refptr<X509Certificate> mit_davidben_cert( | 970 scoped_refptr<X509Certificate> mit_davidben_cert( |
829 ImportCertFromFile(certs_dir, "mit.davidben.der")); | 971 ImportCertFromFile(certs_dir, "mit.davidben.der")); |
830 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); | 972 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); |
831 | 973 |
832 CertPrincipal mit_issuer; | 974 CertPrincipal mit_issuer; |
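Review bot: Each of the three new tests adds certs[2] to TestRootCerts (lines 840, 886, 923) but only removes it on the success path via the trailing `TestRootCerts::GetInstance()->Clear();`, so any ASSERT_* failure between the Add and the Clear returns early and leaves that test root trusted for every later test in the process, which can turn an expected verification failure elsewhere into a false pass. The cheapest fix is to also clear before each Add, `TestRootCerts::GetInstance()->Clear();` on the line preceding it, but a small RAII wrapper that clears in its destructor makes the cleanup unconditional and can replace both the Add and the trailing Clear in all three tests; Add() appears to accept the scoped_refptr directly at line 840, so the wrapper's parameter type should match whatever Add() actually takes. The load-chain / build-intermediates / Verify / compare sequence is otherwise duplicated verbatim across the three tests and could share a helper parameterized on the intermediates vector. IsIssuedBy at the end of the hunk continues outside it.
```cpp
// Trusts |cert| for the lifetime of the object and removes it on scope exit,
// so an early ASSERT return cannot leave a test root trusted for later tests.
class ScopedTestRoot {
 public:
  explicit ScopedTestRoot(X509Certificate* cert) {
    TestRootCerts::GetInstance()->Add(cert);
  }
  ~ScopedTestRoot() { TestRootCerts::GetInstance()->Clear(); }
};

// … unchanged: certificate loading and intermediates construction …
  ScopedTestRoot scoped_root(certs[2]);  // replaces Add() here and Clear() at the end
// … unchanged: CreateFromHandle, Verify() and the verified_cert checks …
```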
1231 } | 1373 } |
1232 | 1374 |
1233 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( | 1375 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( |
1234 test_data.hostname, common_name, dns_names, ip_addressses)); | 1376 test_data.hostname, common_name, dns_names, ip_addressses)); |
1235 } | 1377 } |
1236 | 1378 |
1237 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, | 1379 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, |
1238 testing::ValuesIn(kNameVerifyTestData)); | 1380 testing::ValuesIn(kNameVerifyTestData)); |
1239 | 1381 |
1240 } // namespace net | 1382 } // namespace net |