Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(407)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 724543002: Reject certificates that are valid for too long. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Data-driven test; fix the test certs. Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/ssl/ssl_error_info.h ('K') | « net/cert/cert_verify_proc.cc ('k') | net/data/ssl/certificates/10_year_validity.pem » ('j') | net/data/ssl/certificates/README » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 10a880b42ccc3f7b111f256c65c85e2ea5016f7f..3224086a3c905d7044f2db48674ca86fe15aaaf6 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -615,16 +615,46 @@ TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
}
+TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
+ struct {
+ const char* file;
Ryan Sleevi 2015/01/22 02:04:40 nit: const char* const
palmer 2015/01/22 20:05:05 Done.
+ bool is_valid_too_long;
+ } tests[] = {
+ {"twitter-chain.pem", false},
+ {"start_after_expiry.pem", true},
+ {"pre_br_validity_ok.pem", false},
+ {"pre_br_validity_bad_121.pem", true},
+ {"pre_br_validity_bad_2020.pem", true},
+ {"10_year_validity.pem", false},
+ {"11_year_validity.pem", true},
+ {"39_months_after_2015_04.pem", false},
+ {"40_months_after_2015_04.pem", true},
+ {"60_months_after_2012_07.pem", false},
+ {"61_months_after_2012_07.pem", true},
+ };
+
+ base::FilePath certs_dir = GetTestCertsDirectory();
+
+ for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); ++i) {
Ryan Sleevi 2015/01/22 02:04:40 size_t i = 0; i < arraysize(tests); ++i
palmer 2015/01/22 20:05:05 Done.
+ scoped_refptr<X509Certificate> certificate =
+ ImportCertFromFile(certs_dir, tests[i].file);
+ SCOPED_TRACE(tests[i].file);
+ ASSERT_TRUE(certificate);
+ EXPECT_EQ(tests[i].is_valid_too_long,
+ CertVerifyProc::HasTooLongValidity(*certificate));
+ }
+}
+
TEST_F(CertVerifyProcTest, TestKnownRoot) {
if (!SupportsDetectingKnownRoots()) {
- LOG(INFO) << "Skipping this test in this platform.";
+ LOG(INFO) << "Skipping this test on this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
- ASSERT_EQ(2U, certs.size());
+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
@@ -635,20 +665,14 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) {
int flags = 0;
CertVerifyResult verify_result;
- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also PublicKeyHashes.
- int error = Verify(cert_chain.get(),
- "satveda.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
+ empty_cert_list_, &verify_result);
EXPECT_EQ(OK, error);
- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_known_root);
}
-// The certse.pem certificate has been revoked. crbug.com/259723.
TEST_F(CertVerifyProcTest, PublicKeyHashes) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
@@ -657,8 +681,8 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
- ASSERT_EQ(2U, certs.size());
+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
@@ -669,17 +693,12 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
int flags = 0;
CertVerifyResult verify_result;
- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also TestKnownRoot.
- int error = Verify(cert_chain.get(),
- "satveda.com",
- flags,
- NULL,
- empty_cert_list_,
- &verify_result);
+ int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
+ empty_cert_list_, &verify_result);
EXPECT_EQ(OK, error);
- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
- ASSERT_LE(2U, verify_result.public_key_hashes.size());
+ ASSERT_LE(3U, verify_result.public_key_hashes.size());
HashValueVector sha1_hashes;
for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
@@ -687,10 +706,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
continue;
sha1_hashes.push_back(verify_result.public_key_hashes[i]);
}
- ASSERT_LE(2u, sha1_hashes.size());
+ ASSERT_LE(3u, sha1_hashes.size());
- for (size_t i = 0; i < 2; ++i) {
- EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
+ for (size_t i = 0; i < 3; ++i) {
+ EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length),
HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
}
@@ -700,10 +719,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
continue;
sha256_hashes.push_back(verify_result.public_key_hashes[i]);
}
- ASSERT_LE(2u, sha256_hashes.size());
+ ASSERT_LE(3u, sha256_hashes.size());
- for (size_t i = 0; i < 2; ++i) {
- EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
+ for (size_t i = 0; i < 3; ++i) {
+ EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),
HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
}
}
@@ -810,7 +829,7 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
}
CertificateList cert_list = CreateCertificateListFromFile(
- GetTestCertsDirectory(), "ok_cert.pem",
+ GetTestCertsDirectory(), "reject_intranet_hosts.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
« chrome/browser/ssl/ssl_error_info.h ('K') | « net/cert/cert_verify_proc.cc ('k') | net/data/ssl/certificates/10_year_validity.pem » ('j') | net/data/ssl/certificates/README » ('J')

Powered by Google App Engine
This is Rietveld 408576698