| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 597 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 608 "test.example.com", | 608 "test.example.com", |
| 609 flags, | 609 flags, |
| 610 NULL, | 610 NULL, |
| 611 empty_cert_list_, | 611 empty_cert_list_, |
| 612 &verify_result); | 612 &verify_result); |
| 613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); | 613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); |
| 614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, | 614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, |
| 615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); | 615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); |
| 616 } | 616 } |
| 617 | 617 |
| 618 TEST_F(CertVerifyProcTest, TestHasTooLongValidity) { | |
| 619 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 620 | |
| 621 scoped_refptr<X509Certificate> twitter = | |
| 622 ImportCertFromFile(certs_dir, "twitter-chain.pem"); | |
| 623 EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*twitter)); | |
| 624 | |
| 625 scoped_refptr<X509Certificate> eleven_years = | |
| 626 ImportCertFromFile(certs_dir, "11_year_validity.pem"); | |
| 627 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*eleven_years)); | |
| 628 | |
| 629 scoped_refptr<X509Certificate> forty_months = | |
| 630 ImportCertFromFile(certs_dir, "40_months_after_2015_04.pem"); | |
| 631 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*forty_months)); | |
| 632 | |
| 633 scoped_refptr<X509Certificate> sixty_one_months = | |
| 634 ImportCertFromFile(certs_dir, "61_months_after_2012_07.pem"); | |
| 635 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*sixty_one_months)); | |
| 636 } | |
| 637 | |
| 638 TEST_F(CertVerifyProcTest, TestKnownRoot) { | 618 TEST_F(CertVerifyProcTest, TestKnownRoot) { |
| 639 if (!SupportsDetectingKnownRoots()) { | 619 if (!SupportsDetectingKnownRoots()) { |
| 640 LOG(INFO) << "Skipping this test on this platform."; | 620 LOG(INFO) << "Skipping this test in this platform."; |
| 641 return; | 621 return; |
| 642 } | 622 } |
| 643 | 623 |
| 644 base::FilePath certs_dir = GetTestCertsDirectory(); | 624 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 645 CertificateList certs = CreateCertificateListFromFile( | 625 CertificateList certs = CreateCertificateListFromFile( |
| 646 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); | 626 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); |
| 647 ASSERT_EQ(3U, certs.size()); | 627 ASSERT_EQ(2U, certs.size()); |
| 648 | 628 |
| 649 X509Certificate::OSCertHandles intermediates; | 629 X509Certificate::OSCertHandles intermediates; |
| 650 intermediates.push_back(certs[1]->os_cert_handle()); | 630 intermediates.push_back(certs[1]->os_cert_handle()); |
| 651 | 631 |
| 652 scoped_refptr<X509Certificate> cert_chain = | 632 scoped_refptr<X509Certificate> cert_chain = |
| 653 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 633 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 654 intermediates); | 634 intermediates); |
| 655 | 635 |
| 656 int flags = 0; | 636 int flags = 0; |
| 657 CertVerifyResult verify_result; | 637 CertVerifyResult verify_result; |
| 658 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug | 638 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug |
| 659 // against agl. See also PublicKeyHashes. | 639 // against agl. See also PublicKeyHashes. |
| 660 int error = Verify(cert_chain.get(), | 640 int error = Verify(cert_chain.get(), |
| 661 "twitter.com", | 641 "satveda.com", |
| 662 flags, | 642 flags, |
| 663 NULL, | 643 NULL, |
| 664 empty_cert_list_, | 644 empty_cert_list_, |
| 665 &verify_result); | 645 &verify_result); |
| 666 EXPECT_EQ(OK, error); | 646 EXPECT_EQ(OK, error); |
| 647 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); |
| 667 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 648 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
| 668 } | 649 } |
| 669 | 650 |
| 651 // The certse.pem certificate has been revoked. crbug.com/259723. |
| 670 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 652 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
| 671 if (!SupportsReturningVerifiedChain()) { | 653 if (!SupportsReturningVerifiedChain()) { |
| 672 LOG(INFO) << "Skipping this test in this platform."; | 654 LOG(INFO) << "Skipping this test in this platform."; |
| 673 return; | 655 return; |
| 674 } | 656 } |
| 675 | 657 |
| 676 base::FilePath certs_dir = GetTestCertsDirectory(); | 658 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 677 CertificateList certs = CreateCertificateListFromFile( | 659 CertificateList certs = CreateCertificateListFromFile( |
| 678 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); | 660 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); |
| 679 ASSERT_EQ(3U, certs.size()); | 661 ASSERT_EQ(2U, certs.size()); |
| 680 | 662 |
| 681 X509Certificate::OSCertHandles intermediates; | 663 X509Certificate::OSCertHandles intermediates; |
| 682 intermediates.push_back(certs[1]->os_cert_handle()); | 664 intermediates.push_back(certs[1]->os_cert_handle()); |
| 683 | 665 |
| 684 scoped_refptr<X509Certificate> cert_chain = | 666 scoped_refptr<X509Certificate> cert_chain = |
| 685 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 667 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 686 intermediates); | 668 intermediates); |
| 687 int flags = 0; | 669 int flags = 0; |
| 688 CertVerifyResult verify_result; | 670 CertVerifyResult verify_result; |
| 689 | 671 |
| 690 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug | 672 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug |
| 691 // against agl. See also TestKnownRoot. | 673 // against agl. See also TestKnownRoot. |
| 692 int error = Verify(cert_chain.get(), | 674 int error = Verify(cert_chain.get(), |
| 693 "twitter.com", | 675 "satveda.com", |
| 694 flags, | 676 flags, |
| 695 NULL, | 677 NULL, |
| 696 empty_cert_list_, | 678 empty_cert_list_, |
| 697 &verify_result); | 679 &verify_result); |
| 698 EXPECT_EQ(OK, error); | 680 EXPECT_EQ(OK, error); |
| 699 ASSERT_LE(3U, verify_result.public_key_hashes.size()); | 681 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); |
| 682 ASSERT_LE(2U, verify_result.public_key_hashes.size()); |
| 700 | 683 |
| 701 HashValueVector sha1_hashes; | 684 HashValueVector sha1_hashes; |
| 702 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 685 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
| 703 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 686 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
| 704 continue; | 687 continue; |
| 705 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 688 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
| 706 } | 689 } |
| 707 ASSERT_LE(3u, sha1_hashes.size()); | 690 ASSERT_LE(2u, sha1_hashes.size()); |
| 708 | 691 |
| 709 for (size_t i = 0; i < 3; ++i) { | 692 for (size_t i = 0; i < 2; ++i) { |
| 710 EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length), | 693 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length), |
| 711 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); | 694 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); |
| 712 } | 695 } |
| 713 | 696 |
| 714 HashValueVector sha256_hashes; | 697 HashValueVector sha256_hashes; |
| 715 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 698 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
| 716 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) | 699 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) |
| 717 continue; | 700 continue; |
| 718 sha256_hashes.push_back(verify_result.public_key_hashes[i]); | 701 sha256_hashes.push_back(verify_result.public_key_hashes[i]); |
| 719 } | 702 } |
| 720 ASSERT_LE(3u, sha256_hashes.size()); | 703 ASSERT_LE(2u, sha256_hashes.size()); |
| 721 | 704 |
| 722 for (size_t i = 0; i < 3; ++i) { | 705 for (size_t i = 0; i < 2; ++i) { |
| 723 EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length), | 706 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length), |
| 724 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); | 707 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); |
| 725 } | 708 } |
| 726 } | 709 } |
| 727 | 710 |
| 728 // A regression test for http://crbug.com/70293. | 711 // A regression test for http://crbug.com/70293. |
| 729 // The Key Usage extension in this RSA SSL server certificate does not have | 712 // The Key Usage extension in this RSA SSL server certificate does not have |
| 730 // the keyEncipherment bit. | 713 // the keyEncipherment bit. |
| 731 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 714 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
| 732 base::FilePath certs_dir = GetTestCertsDirectory(); | 715 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 733 | 716 |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 820 // known public registry controlled domain information) issued by well-known | 803 // known public registry controlled domain information) issued by well-known |
| 821 // CAs are flagged appropriately, while certificates that are issued by | 804 // CAs are flagged appropriately, while certificates that are issued by |
| 822 // internal CAs are not flagged. | 805 // internal CAs are not flagged. |
| 823 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { | 806 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { |
| 824 if (!SupportsDetectingKnownRoots()) { | 807 if (!SupportsDetectingKnownRoots()) { |
| 825 LOG(INFO) << "Skipping this test in this platform."; | 808 LOG(INFO) << "Skipping this test in this platform."; |
| 826 return; | 809 return; |
| 827 } | 810 } |
| 828 | 811 |
| 829 CertificateList cert_list = CreateCertificateListFromFile( | 812 CertificateList cert_list = CreateCertificateListFromFile( |
| 830 GetTestCertsDirectory(), "reject_intranet_hosts.pem", | 813 GetTestCertsDirectory(), "ok_cert.pem", |
| 831 X509Certificate::FORMAT_AUTO); | 814 X509Certificate::FORMAT_AUTO); |
| 832 ASSERT_EQ(1U, cert_list.size()); | 815 ASSERT_EQ(1U, cert_list.size()); |
| 833 scoped_refptr<X509Certificate> cert(cert_list[0]); | 816 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 834 | 817 |
| 835 CertVerifyResult verify_result; | 818 CertVerifyResult verify_result; |
| 836 int error = 0; | 819 int error = 0; |
| 837 | 820 |
| 838 // Intranet names for public CAs should be flagged: | 821 // Intranet names for public CAs should be flagged: |
| 839 verify_proc_ = new WellKnownCaCertVerifyProc(true); | 822 verify_proc_ = new WellKnownCaCertVerifyProc(true); |
| 840 error = | 823 error = |
| (...skipping 746 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1587 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1570 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
| 1588 } | 1571 } |
| 1589 } | 1572 } |
| 1590 | 1573 |
| 1591 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1574 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1592 VerifyName, | 1575 VerifyName, |
| 1593 CertVerifyProcNameTest, | 1576 CertVerifyProcNameTest, |
| 1594 testing::ValuesIn(kVerifyNameData)); | 1577 testing::ValuesIn(kVerifyNameData)); |
| 1595 | 1578 |
| 1596 } // namespace net | 1579 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 717653002:
Revert "Reject certificates that are valid for too long." (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master