OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
(...skipping 595 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
606 "test.example.com", | 606 "test.example.com", |
607 flags, | 607 flags, |
608 NULL, | 608 NULL, |
609 empty_cert_list_, | 609 empty_cert_list_, |
610 &verify_result); | 610 &verify_result); |
611 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); | 611 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); |
612 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, | 612 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, |
613 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); | 613 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); |
614 } | 614 } |
615 | 615 |
| 616 TEST_F(CertVerifyProcTest, TestHasTooLongValidity) { |
| 617 struct { |
| 618 const char* const file; |
| 619 bool is_valid_too_long; |
| 620 } tests[] = { |
| 621 {"twitter-chain.pem", false}, |
| 622 {"start_after_expiry.pem", true}, |
| 623 {"pre_br_validity_ok.pem", false}, |
| 624 {"pre_br_validity_bad_121.pem", true}, |
| 625 {"pre_br_validity_bad_2020.pem", true}, |
| 626 {"10_year_validity.pem", false}, |
| 627 {"11_year_validity.pem", true}, |
| 628 {"39_months_after_2015_04.pem", false}, |
| 629 {"40_months_after_2015_04.pem", true}, |
| 630 {"60_months_after_2012_07.pem", false}, |
| 631 {"61_months_after_2012_07.pem", true}, |
| 632 }; |
| 633 |
| 634 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 635 |
| 636 for (size_t i = 0; i < arraysize(tests); ++i) { |
| 637 scoped_refptr<X509Certificate> certificate = |
| 638 ImportCertFromFile(certs_dir, tests[i].file); |
| 639 SCOPED_TRACE(tests[i].file); |
| 640 ASSERT_TRUE(certificate); |
| 641 EXPECT_EQ(tests[i].is_valid_too_long, |
| 642 CertVerifyProc::HasTooLongValidity(*certificate)); |
| 643 } |
| 644 } |
| 645 |
616 TEST_F(CertVerifyProcTest, TestKnownRoot) { | 646 TEST_F(CertVerifyProcTest, TestKnownRoot) { |
617 if (!SupportsDetectingKnownRoots()) { | 647 if (!SupportsDetectingKnownRoots()) { |
618 LOG(INFO) << "Skipping this test in this platform."; | 648 LOG(INFO) << "Skipping this test on this platform."; |
619 return; | 649 return; |
620 } | 650 } |
621 | 651 |
622 base::FilePath certs_dir = GetTestCertsDirectory(); | 652 base::FilePath certs_dir = GetTestCertsDirectory(); |
623 CertificateList certs = CreateCertificateListFromFile( | 653 CertificateList certs = CreateCertificateListFromFile( |
624 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 654 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
625 ASSERT_EQ(2U, certs.size()); | 655 ASSERT_EQ(3U, certs.size()); |
626 | 656 |
627 X509Certificate::OSCertHandles intermediates; | 657 X509Certificate::OSCertHandles intermediates; |
628 intermediates.push_back(certs[1]->os_cert_handle()); | 658 intermediates.push_back(certs[1]->os_cert_handle()); |
629 | 659 |
630 scoped_refptr<X509Certificate> cert_chain = | 660 scoped_refptr<X509Certificate> cert_chain = |
631 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 661 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
632 intermediates); | 662 intermediates); |
633 | 663 |
634 int flags = 0; | 664 int flags = 0; |
635 CertVerifyResult verify_result; | 665 CertVerifyResult verify_result; |
636 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 666 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
637 // against agl. See also PublicKeyHashes. | 667 // against agl. See also PublicKeyHashes. |
638 int error = Verify(cert_chain.get(), | 668 int error = Verify(cert_chain.get(), "twitter.com", flags, NULL, |
639 "satveda.com", | 669 empty_cert_list_, &verify_result); |
640 flags, | |
641 NULL, | |
642 empty_cert_list_, | |
643 &verify_result); | |
644 EXPECT_EQ(OK, error); | 670 EXPECT_EQ(OK, error); |
645 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
646 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 671 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
647 } | 672 } |
648 | 673 |
649 // The certse.pem certificate has been revoked. crbug.com/259723. | |
650 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 674 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
651 if (!SupportsReturningVerifiedChain()) { | 675 if (!SupportsReturningVerifiedChain()) { |
652 LOG(INFO) << "Skipping this test in this platform."; | 676 LOG(INFO) << "Skipping this test in this platform."; |
653 return; | 677 return; |
654 } | 678 } |
655 | 679 |
656 base::FilePath certs_dir = GetTestCertsDirectory(); | 680 base::FilePath certs_dir = GetTestCertsDirectory(); |
657 CertificateList certs = CreateCertificateListFromFile( | 681 CertificateList certs = CreateCertificateListFromFile( |
658 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 682 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
659 ASSERT_EQ(2U, certs.size()); | 683 ASSERT_EQ(3U, certs.size()); |
660 | 684 |
661 X509Certificate::OSCertHandles intermediates; | 685 X509Certificate::OSCertHandles intermediates; |
662 intermediates.push_back(certs[1]->os_cert_handle()); | 686 intermediates.push_back(certs[1]->os_cert_handle()); |
663 | 687 |
664 scoped_refptr<X509Certificate> cert_chain = | 688 scoped_refptr<X509Certificate> cert_chain = |
665 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 689 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
666 intermediates); | 690 intermediates); |
667 int flags = 0; | 691 int flags = 0; |
668 CertVerifyResult verify_result; | 692 CertVerifyResult verify_result; |
669 | 693 |
670 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 694 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
671 // against agl. See also TestKnownRoot. | 695 // against agl. See also TestKnownRoot. |
672 int error = Verify(cert_chain.get(), | 696 int error = Verify(cert_chain.get(), "twitter.com", flags, NULL, |
673 "satveda.com", | 697 empty_cert_list_, &verify_result); |
674 flags, | |
675 NULL, | |
676 empty_cert_list_, | |
677 &verify_result); | |
678 EXPECT_EQ(OK, error); | 698 EXPECT_EQ(OK, error); |
679 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | 699 ASSERT_LE(3U, verify_result.public_key_hashes.size()); |
680 ASSERT_LE(2U, verify_result.public_key_hashes.size()); | |
681 | 700 |
682 HashValueVector sha1_hashes; | 701 HashValueVector sha1_hashes; |
683 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 702 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
684 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 703 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
685 continue; | 704 continue; |
686 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 705 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
687 } | 706 } |
688 ASSERT_LE(2u, sha1_hashes.size()); | 707 ASSERT_LE(3u, sha1_hashes.size()); |
689 | 708 |
690 for (size_t i = 0; i < 2; ++i) { | 709 for (size_t i = 0; i < 3; ++i) { |
691 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length), | 710 EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length), |
692 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); | 711 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); |
693 } | 712 } |
694 | 713 |
695 HashValueVector sha256_hashes; | 714 HashValueVector sha256_hashes; |
696 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 715 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
697 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) | 716 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) |
698 continue; | 717 continue; |
699 sha256_hashes.push_back(verify_result.public_key_hashes[i]); | 718 sha256_hashes.push_back(verify_result.public_key_hashes[i]); |
700 } | 719 } |
701 ASSERT_LE(2u, sha256_hashes.size()); | 720 ASSERT_LE(3u, sha256_hashes.size()); |
702 | 721 |
703 for (size_t i = 0; i < 2; ++i) { | 722 for (size_t i = 0; i < 3; ++i) { |
704 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length), | 723 EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length), |
705 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); | 724 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); |
706 } | 725 } |
707 } | 726 } |
708 | 727 |
709 // A regression test for http://crbug.com/70293. | 728 // A regression test for http://crbug.com/70293. |
710 // The Key Usage extension in this RSA SSL server certificate does not have | 729 // The Key Usage extension in this RSA SSL server certificate does not have |
711 // the keyEncipherment bit. | 730 // the keyEncipherment bit. |
712 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 731 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
713 base::FilePath certs_dir = GetTestCertsDirectory(); | 732 base::FilePath certs_dir = GetTestCertsDirectory(); |
714 | 733 |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
801 // known public registry controlled domain information) issued by well-known | 820 // known public registry controlled domain information) issued by well-known |
802 // CAs are flagged appropriately, while certificates that are issued by | 821 // CAs are flagged appropriately, while certificates that are issued by |
803 // internal CAs are not flagged. | 822 // internal CAs are not flagged. |
804 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { | 823 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { |
805 if (!SupportsDetectingKnownRoots()) { | 824 if (!SupportsDetectingKnownRoots()) { |
806 LOG(INFO) << "Skipping this test in this platform."; | 825 LOG(INFO) << "Skipping this test in this platform."; |
807 return; | 826 return; |
808 } | 827 } |
809 | 828 |
810 CertificateList cert_list = CreateCertificateListFromFile( | 829 CertificateList cert_list = CreateCertificateListFromFile( |
811 GetTestCertsDirectory(), "ok_cert.pem", | 830 GetTestCertsDirectory(), "reject_intranet_hosts.pem", |
812 X509Certificate::FORMAT_AUTO); | 831 X509Certificate::FORMAT_AUTO); |
813 ASSERT_EQ(1U, cert_list.size()); | 832 ASSERT_EQ(1U, cert_list.size()); |
814 scoped_refptr<X509Certificate> cert(cert_list[0]); | 833 scoped_refptr<X509Certificate> cert(cert_list[0]); |
815 | 834 |
816 CertVerifyResult verify_result; | 835 CertVerifyResult verify_result; |
817 int error = 0; | 836 int error = 0; |
818 | 837 |
819 // Intranet names for public CAs should be flagged: | 838 // Intranet names for public CAs should be flagged: |
820 verify_proc_ = new WellKnownCaCertVerifyProc(true); | 839 verify_proc_ = new WellKnownCaCertVerifyProc(true); |
821 error = | 840 error = |
(...skipping 746 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1568 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1587 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1569 } | 1588 } |
1570 } | 1589 } |
1571 | 1590 |
1572 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1591 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1573 VerifyName, | 1592 VerifyName, |
1574 CertVerifyProcNameTest, | 1593 CertVerifyProcNameTest, |
1575 testing::ValuesIn(kVerifyNameData)); | 1594 testing::ValuesIn(kVerifyNameData)); |
1576 | 1595 |
1577 } // namespace net | 1596 } // namespace net |
OLD | NEW |