1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
608 "test.example.com", | 608 "test.example.com", |
609 flags, | 609 flags, |
610 NULL, | 610 NULL, |
611 empty_cert_list_, | 611 empty_cert_list_, |
612 &verify_result); | 612 &verify_result); |
613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); | 613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); |
614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, | 614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, |
615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); | 615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); |
616 } | 616 } |
617 | 617 |
618 TEST_F(CertVerifyProcTest, TestHasTooLongValidity) { | |
619 base::FilePath certs_dir = GetTestCertsDirectory(); | |
620 | |
621 DLOG(INFO) << "twitter-chain.pem"; | |
622 scoped_refptr<X509Certificate> twitter = | |
623 ImportCertFromFile(certs_dir, "twitter-chain.pem"); | |
624 EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*twitter)); | |
625 | |
626 DLOG(INFO) << "start_after_expiry.pem"; | |
Ryan Sleevi
2014/11/26 12:25:36
spam dvlogs are bad, mkay :)
You can use a TEST_P
palmer
2014/12/15 22:55:58
Oh, I didn't mean to leave them in. Removed.
| |
627 scoped_refptr<X509Certificate> start_after_expiry = | |
628 ImportCertFromFile(certs_dir, "start_after_expiry.pem"); | |
629 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*start_after_expiry)); | |
630 | |
631 DLOG(INFO) << "pre_br_validity_ok.pem"; | |
632 scoped_refptr<X509Certificate> pre_br_validity_ok = | |
633 ImportCertFromFile(certs_dir, "pre_br_validity_ok.pem"); | |
634 EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*pre_br_validity_ok)); | |
635 | |
636 DLOG(INFO) << "pre_br_validity_bad_121.pem"; | |
637 scoped_refptr<X509Certificate> pre_br_validity_bad_121 = | |
638 ImportCertFromFile(certs_dir, "pre_br_validity_bad_121.pem"); | |
639 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*pre_br_validity_bad_121)); | |
640 | |
641 DLOG(INFO) << "pre_br_validity_bad_2020.pem"; | |
642 scoped_refptr<X509Certificate> pre_br_validity_bad_2020 = | |
643 ImportCertFromFile(certs_dir, "pre_br_validity_bad_2020.pem"); | |
644 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*pre_br_validity_bad_2020)); | |
645 | |
646 DLOG(INFO) << "11_year_validity.pem"; | |
Ryan Sleevi
2014/11/26 12:25:36
add test for 10 year validity == good
palmer
2014/12/15 22:55:58
Done.
| |
647 scoped_refptr<X509Certificate> eleven_years = | |
648 ImportCertFromFile(certs_dir, "11_year_validity.pem"); | |
649 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*eleven_years)); | |
650 | |
651 DLOG(INFO) << "40_months_after_2015_04.pem"; | |
652 scoped_refptr<X509Certificate> forty_months = | |
653 ImportCertFromFile(certs_dir, "40_months_after_2015_04.pem"); | |
654 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*forty_months)); | |
Ryan Sleevi
2014/11/26 12:25:36
add test for 39 months after 2015_04 == good
palmer
2014/12/15 22:55:58
Done.
| |
655 | |
656 DLOG(INFO) << "61_months_after_2012_07.pem"; | |
657 scoped_refptr<X509Certificate> sixty_one_months = | |
658 ImportCertFromFile(certs_dir, "61_months_after_2012_07.pem"); | |
659 EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*sixty_one_months)); | |
Ryan Sleevi
2014/11/26 12:25:36
add test for 60 months after 2012_07 == good
palmer
2014/12/15 22:55:58
Done.
| |
660 } | |
661 | |
618 TEST_F(CertVerifyProcTest, TestKnownRoot) { | 662 TEST_F(CertVerifyProcTest, TestKnownRoot) { |
619 if (!SupportsDetectingKnownRoots()) { | 663 if (!SupportsDetectingKnownRoots()) { |
620 LOG(INFO) << "Skipping this test in this platform."; | 664 LOG(INFO) << "Skipping this test on this platform."; |
621 return; | 665 return; |
622 } | 666 } |
623 | 667 |
624 base::FilePath certs_dir = GetTestCertsDirectory(); | 668 base::FilePath certs_dir = GetTestCertsDirectory(); |
625 CertificateList certs = CreateCertificateListFromFile( | 669 CertificateList certs = CreateCertificateListFromFile( |
626 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 670 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
627 ASSERT_EQ(2U, certs.size()); | 671 ASSERT_EQ(3U, certs.size()); |
628 | 672 |
629 X509Certificate::OSCertHandles intermediates; | 673 X509Certificate::OSCertHandles intermediates; |
630 intermediates.push_back(certs[1]->os_cert_handle()); | 674 intermediates.push_back(certs[1]->os_cert_handle()); |
631 | 675 |
632 scoped_refptr<X509Certificate> cert_chain = | 676 scoped_refptr<X509Certificate> cert_chain = |
633 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 677 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
634 intermediates); | 678 intermediates); |
635 | 679 |
636 int flags = 0; | 680 int flags = 0; |
637 CertVerifyResult verify_result; | 681 CertVerifyResult verify_result; |
638 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 682 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
639 // against agl. See also PublicKeyHashes. | 683 // against agl. See also PublicKeyHashes. |
640 int error = Verify(cert_chain.get(), | 684 int error = Verify(cert_chain.get(), |
641 "satveda.com", | 685 "twitter.com", |
642 flags, | 686 flags, |
643 NULL, | 687 NULL, |
644 empty_cert_list_, | 688 empty_cert_list_, |
645 &verify_result); | 689 &verify_result); |
646 EXPECT_EQ(OK, error); | 690 EXPECT_EQ(OK, error); |
647 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | |
648 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 691 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
649 } | 692 } |
650 | 693 |
651 // The certse.pem certificate has been revoked. crbug.com/259723. | |
652 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 694 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
653 if (!SupportsReturningVerifiedChain()) { | 695 if (!SupportsReturningVerifiedChain()) { |
654 LOG(INFO) << "Skipping this test in this platform."; | 696 LOG(INFO) << "Skipping this test in this platform."; |
655 return; | 697 return; |
656 } | 698 } |
657 | 699 |
658 base::FilePath certs_dir = GetTestCertsDirectory(); | 700 base::FilePath certs_dir = GetTestCertsDirectory(); |
659 CertificateList certs = CreateCertificateListFromFile( | 701 CertificateList certs = CreateCertificateListFromFile( |
660 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); | 702 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO); |
661 ASSERT_EQ(2U, certs.size()); | 703 ASSERT_EQ(3U, certs.size()); |
662 | 704 |
663 X509Certificate::OSCertHandles intermediates; | 705 X509Certificate::OSCertHandles intermediates; |
664 intermediates.push_back(certs[1]->os_cert_handle()); | 706 intermediates.push_back(certs[1]->os_cert_handle()); |
665 | 707 |
666 scoped_refptr<X509Certificate> cert_chain = | 708 scoped_refptr<X509Certificate> cert_chain = |
667 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 709 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
668 intermediates); | 710 intermediates); |
669 int flags = 0; | 711 int flags = 0; |
670 CertVerifyResult verify_result; | 712 CertVerifyResult verify_result; |
671 | 713 |
672 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug | 714 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug |
673 // against agl. See also TestKnownRoot. | 715 // against agl. See also TestKnownRoot. |
674 int error = Verify(cert_chain.get(), | 716 int error = Verify(cert_chain.get(), |
675 "satveda.com", | 717 "twitter.com", |
676 flags, | 718 flags, |
677 NULL, | 719 NULL, |
678 empty_cert_list_, | 720 empty_cert_list_, |
679 &verify_result); | 721 &verify_result); |
680 EXPECT_EQ(OK, error); | 722 EXPECT_EQ(OK, error); |
681 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); | 723 ASSERT_LE(3U, verify_result.public_key_hashes.size()); |
682 ASSERT_LE(2U, verify_result.public_key_hashes.size()); | |
683 | 724 |
684 HashValueVector sha1_hashes; | 725 HashValueVector sha1_hashes; |
685 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 726 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
686 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 727 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
687 continue; | 728 continue; |
688 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 729 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
689 } | 730 } |
690 ASSERT_LE(2u, sha1_hashes.size()); | 731 ASSERT_LE(3u, sha1_hashes.size()); |
691 | 732 |
692 for (size_t i = 0; i < 2; ++i) { | 733 for (size_t i = 0; i < 3; ++i) { |
693 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length), | 734 EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length), |
694 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); | 735 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); |
695 } | 736 } |
696 | 737 |
697 HashValueVector sha256_hashes; | 738 HashValueVector sha256_hashes; |
698 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 739 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
699 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) | 740 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) |
700 continue; | 741 continue; |
701 sha256_hashes.push_back(verify_result.public_key_hashes[i]); | 742 sha256_hashes.push_back(verify_result.public_key_hashes[i]); |
702 } | 743 } |
703 ASSERT_LE(2u, sha256_hashes.size()); | 744 ASSERT_LE(3u, sha256_hashes.size()); |
704 | 745 |
705 for (size_t i = 0; i < 2; ++i) { | 746 for (size_t i = 0; i < 3; ++i) { |
706 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length), | 747 EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length), |
707 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); | 748 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); |
708 } | 749 } |
709 } | 750 } |
710 | 751 |
711 // A regression test for http://crbug.com/70293. | 752 // A regression test for http://crbug.com/70293. |
712 // The Key Usage extension in this RSA SSL server certificate does not have | 753 // The Key Usage extension in this RSA SSL server certificate does not have |
713 // the keyEncipherment bit. | 754 // the keyEncipherment bit. |
714 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 755 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
715 base::FilePath certs_dir = GetTestCertsDirectory(); | 756 base::FilePath certs_dir = GetTestCertsDirectory(); |
716 | 757 |
803 // known public registry controlled domain information) issued by well-known | 844 // known public registry controlled domain information) issued by well-known |
804 // CAs are flagged appropriately, while certificates that are issued by | 845 // CAs are flagged appropriately, while certificates that are issued by |
805 // internal CAs are not flagged. | 846 // internal CAs are not flagged. |
806 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { | 847 TEST_F(CertVerifyProcTest, IntranetHostsRejected) { |
807 if (!SupportsDetectingKnownRoots()) { | 848 if (!SupportsDetectingKnownRoots()) { |
808 LOG(INFO) << "Skipping this test in this platform."; | 849 LOG(INFO) << "Skipping this test in this platform."; |
809 return; | 850 return; |
810 } | 851 } |
811 | 852 |
812 CertificateList cert_list = CreateCertificateListFromFile( | 853 CertificateList cert_list = CreateCertificateListFromFile( |
813 GetTestCertsDirectory(), "ok_cert.pem", | 854 GetTestCertsDirectory(), "reject_intranet_hosts.pem", |
814 X509Certificate::FORMAT_AUTO); | 855 X509Certificate::FORMAT_AUTO); |
815 ASSERT_EQ(1U, cert_list.size()); | 856 ASSERT_EQ(1U, cert_list.size()); |
816 scoped_refptr<X509Certificate> cert(cert_list[0]); | 857 scoped_refptr<X509Certificate> cert(cert_list[0]); |
817 | 858 |
818 CertVerifyResult verify_result; | 859 CertVerifyResult verify_result; |
819 int error = 0; | 860 int error = 0; |
820 | 861 |
821 // Intranet names for public CAs should be flagged: | 862 // Intranet names for public CAs should be flagged: |
822 verify_proc_ = new WellKnownCaCertVerifyProc(true); | 863 verify_proc_ = new WellKnownCaCertVerifyProc(true); |
823 error = | 864 error = |
1570 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); | 1611 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
1571 } | 1612 } |
1572 } | 1613 } |
1573 | 1614 |
1574 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1615 WRAPPED_INSTANTIATE_TEST_CASE_P( |
1575 VerifyName, | 1616 VerifyName, |
1576 CertVerifyProcNameTest, | 1617 CertVerifyProcNameTest, |
1577 testing::ValuesIn(kVerifyNameData)); | 1618 testing::ValuesIn(kVerifyNameData)); |
1578 | 1619 |
1579 } // namespace net | 1620 } // namespace net |
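Review bot: The cert_status assertion removed from TestKnownRoot (old line 647) and from PublicKeyHashes (old line 681) has no replacement on the new side, so both tests now accept any combination of status flags as long as Verify() returns OK. If twitter-chain.pem is expected to verify cleanly, pinning that with `EXPECT_EQ(0U, verify_result.cert_status);` directly after the `EXPECT_EQ(OK, error);` in each test keeps a non-fatal flag (a weak-signature or name warning that does not turn into an error) from being set unnoticed; if some flag is expected for this chain, assert that specific flag instead. The same line would be worth adding in both tests since the note applies to each.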