OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
(...skipping 597 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
608 "test.example.com", | 608 "test.example.com", |
609 flags, | 609 flags, |
610 NULL, | 610 NULL, |
611 empty_cert_list_, | 611 empty_cert_list_, |
612 &verify_result); | 612 &verify_result); |
613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); | 613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); |
614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, | 614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, |
615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); | 615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); |
616 } | 616 } |
617 | 617 |
618 TEST_F(CertVerifyProcTest, TestHasTooLongValidity) { | |
619 struct { | |
620 const char* file; | |
Ryan Sleevi
2015/01/22 02:04:40
nit: const char* const
palmer
2015/01/22 20:05:05
Done.
| |
621 bool is_valid_too_long; | |
622 } tests[] = { | |
623 {"twitter-chain.pem", false}, | |
624 {"start_after_expiry.pem", true}, | |
625 {"pre_br_validity_ok.pem", false}, | |
626 {"pre_br_validity_bad_121.pem", true}, | |
627 {"pre_br_validity_bad_2020.pem", true}, | |
628 {"10_year_validity.pem", false}, | |
629 {"11_year_validity.pem", true}, | |
630 {"39_months_after_2015_04.pem", false}, | |
631 {"40_months_after_2015_04.pem", true}, | |
632 {"60_months_after_2012_07.pem", false}, | |
633 {"61_months_after_2012_07.pem", true}, | |
634 }; | |
635 | |
636 base::FilePath certs_dir = GetTestCertsDirectory(); | |
637 | |
638 for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); ++i) { | |
Ryan Sleevi
2015/01/22 02:04:40
size_t i = 0; i < arraysize(tests); ++i
palmer
2015/01/22 20:05:05
Done.
| |
639 scoped_refptr<X509Certificate> certificate = | |
640 ImportCertFromFile(certs_dir, tests[i].file); | |
641 SCOPED_TRACE(tests[i].file); | |
642 ASSERT_TRUE(certificate); | |
643 EXPECT_EQ(tests[i].is_valid_too_long, | |
644 CertVerifyProc::HasTooLongValidity(*certificate)); | |
645 } | |
646 } | |
647 | |
618 TEST_F(CertVerifyProcTest, TestKnownRoot) { | 648 TEST_F(CertVerifyProcTest, TestKnownRoot) { |
619 if (!SupportsDetectingKnownRoots()) { | 649 if (!SupportsDetectingKnownRoots()) { |
620 LOG(INFO) << "Skipping this test in this platform."; | 650 LOG(INFO) << "Skipping this test on this platform."; |
621 return; | 651 return; |
622 } | 652 } |
623 | 653 |
624 base::FilePath certs_dir = GetTestCertsDirectory(); | 654 base::FilePath certs_dir = GetTestCertsDirectory(); |
625 CertificateList certs = CreateCertificateListFromFile( | 655 CertificateList certs = CreateCertificateListFromFile( |
626 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 656 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
627 ASSERT_EQ(2U, certs.size()); | 657 ASSERT_EQ(3U, certs.size()); |
628 | 658 |
629 X509Certificate::OSCertHandles intermediates; | 659 X509Certificate::OSCertHandles intermediates; |
630 intermediates.push_back(certs[1]->os_cert_handle()); | 660 intermediates.push_back(certs[1]->os_cert_handle()); |
631 | 661 |
632 scoped_refptr<X509Certificate> cert_chain = | 662 scoped_refptr<X509Certificate> cert_chain = |
633 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 663 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
634 intermediates); | 664 intermediates); |
635 | 665 |
636 int flags = 0; | 666 int flags = 0; |
637 CertVerifyResult verify_result; | 667 CertVerifyResult verify_result; |
638 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 668 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
639 // against agl. See also PublicKeyHashes. | 669 // against agl. See also PublicKeyHashes. |
640 int error = Verify(cert_chain.get(), | 670 int error = Verify(cert_chain.get(), "twitter.com", flags, NULL, |
641 "satveda.com", | 671 empty_cert_list_, &verify_result); |
642 flags, | |
643 NULL, | |
644 empty_cert_list_, | |
645 &verify_result); | |
646 EXPECT_EQ(OK, error); | 672 EXPECT_EQ(OK, error); |
647 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
648 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 673 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
649 } | 674 } |
650 | 675 |
651 // The certse.pem certificate has been revoked. crbug.com/259723. | |
652 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 676 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
653 if (!SupportsReturningVerifiedChain()) { | 677 if (!SupportsReturningVerifiedChain()) { |
654 LOG(INFO) << "Skipping this test in this platform."; | 678 LOG(INFO) << "Skipping this test in this platform."; |
655 return; | 679 return; |
656 } | 680 } |
657 | 681 |
658 base::FilePath certs_dir = GetTestCertsDirectory(); | 682 base::FilePath certs_dir = GetTestCertsDirectory(); |
659 CertificateList certs = CreateCertificateListFromFile( | 683 CertificateList certs = CreateCertificateListFromFile( |
660 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 684 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
661 ASSERT_EQ(2U, certs.size()); | 685 ASSERT_EQ(3U, certs.size()); |
662 | 686 |
663 X509Certificate::OSCertHandles intermediates; | 687 X509Certificate::OSCertHandles intermediates; |
664 intermediates.push_back(certs[1]->os_cert_handle()); | 688 intermediates.push_back(certs[1]->os_cert_handle()); |
665 | 689 |
666 scoped_refptr<X509Certificate> cert_chain = | 690 scoped_refptr<X509Certificate> cert_chain = |
667 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 691 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
668 intermediates); | 692 intermediates); |
669 int flags = 0; | 693 int flags = 0; |
670 CertVerifyResult verify_result; | 694 CertVerifyResult verify_result; |
671 | 695 |
672 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 696 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
673 // against agl. See also TestKnownRoot. | 697 // against agl. See also TestKnownRoot. |
674 int error = Verify(cert_chain.get(), | 698 int error = Verify(cert_chain.get(), "twitter.com", flags, NULL, |
675 "satveda.com", | 699 empty_cert_list_, &verify_result); |
676 flags, | |
677 NULL, | |
678 empty_cert_list_, | |
679 &verify_result); | |
680 EXPECT_EQ(OK, error); | 700 EXPECT_EQ(OK, error); |
681 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | 701 ASSERT_LE(3U, verify_result.public_key_hashes.size()); |
682 ASSERT_LE(2U, verify_result.public_key_hashes.size()); | |
683 | 702 |
684 HashValueVector sha1_hashes; | 703 HashValueVector sha1_hashes; |
685 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 704 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
686 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 705 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
687 continue; | 706 continue; |
688 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 707 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
689 } | 708 } |
690 ASSERT_LE(2u, sha1_hashes.size()); | 709 ASSERT_LE(3u, sha1_hashes.size()); |
691 | 710 |
692 for (size_t i = 0; i < 2; ++i) { | 711 for (size_t i = 0; i < 3; ++i) { |
693 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length), | 712 EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length), |
694 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); | 713 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); |
695 } | 714 } |
696 | 715 |
697 HashValueVector sha256_hashes; | 716 HashValueVector sha256_hashes; |
698 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 717 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
699 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) | 718 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) |
700 continue; | 719 continue; |
701 sha256_hashes.push_back(verify_result.public_key_hashes[i]); | 720 sha256_hashes.push_back(verify_result.public_key_hashes[i]); |
702 } | 721 } |
703 ASSERT_LE(2u, sha256_hashes.size()); | 722 ASSERT_LE(3u, sha256_hashes.size()); |
704 | 723 |
705 for (size_t i = 0; i < 2; ++i) { | 724 for (size_t i = 0; i < 3; ++i) { |
706 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length), | 725 EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length), |
707 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); | 726 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); |
708 } | 727 } |
709 } | 728 } |
710 | 729 |
711 // A regression test for http://crbug.com/70293. | 730 // A regression test for http://crbug.com/70293. |
712 // The Key Usage extension in this RSA SSL server certificate does not have | 731 // The Key Usage extension in this RSA SSL server certificate does not have |
713 // the keyEncipherment bit. | 732 // the keyEncipherment bit. |
714 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 733 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
715 base::FilePath certs_dir = GetTestCertsDirectory(); | 734 base::FilePath certs_dir = GetTestCertsDirectory(); |
716 | 735 |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
803 // known public registry controlled domain information) issued by well-known | 822 // known public registry controlled domain information) issued by well-known |
804 // CAs are flagged appropriately, while certificates that are issued by | 823 // CAs are flagged appropriately, while certificates that are issued by |
805 // internal CAs are not flagged. | 824 // internal CAs are not flagged. |
806 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { | 825 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { |
807 if (!SupportsDetectingKnownRoots()) { | 826 if (!SupportsDetectingKnownRoots()) { |
808 LOG(INFO) << "Skipping this test in this platform."; | 827 LOG(INFO) << "Skipping this test in this platform."; |
809 return; | 828 return; |
810 } | 829 } |
811 | 830 |
812 CertificateList cert_list = CreateCertificateListFromFile( | 831 CertificateList cert_list = CreateCertificateListFromFile( |
813 GetTestCertsDirectory(), "ok_cert.pem", | 832 GetTestCertsDirectory(), "reject_intranet_hosts.pem", |
814 X509Certificate::FORMAT_AUTO); | 833 X509Certificate::FORMAT_AUTO); |
815 ASSERT_EQ(1U, cert_list.size()); | 834 ASSERT_EQ(1U, cert_list.size()); |
816 scoped_refptr<X509Certificate> cert(cert_list[0]); | 835 scoped_refptr<X509Certificate> cert(cert_list[0]); |
817 | 836 |
818 CertVerifyResult verify_result; | 837 CertVerifyResult verify_result; |
819 int error = 0; | 838 int error = 0; |
820 | 839 |
821 // Intranet names for public CAs should be flagged: | 840 // Intranet names for public CAs should be flagged: |
822 verify_proc_ = new WellKnownCaCertVerifyProc(true); | 841 verify_proc_ = new WellKnownCaCertVerifyProc(true); |
823 error = | 842 error = |
(...skipping 746 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1570 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1589 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1571 } | 1590 } |
1572 } | 1591 } |
1573 | 1592 |
1574 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1593 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1575 VerifyName, | 1594 VerifyName, |
1576 CertVerifyProcNameTest, | 1595 CertVerifyProcNameTest, |
1577 testing::ValuesIn(kVerifyNameData)); | 1596 testing::ValuesIn(kVerifyNameData)); |
1578 | 1597 |
1579 } // namespace net | 1598 } // namespace net |
OLD | NEW |