This source file includes following definitions.
- SupportsAdditionalTrustAnchors
- VerifyInternal
- SupportsReturningVerifiedChain
- SupportsDetectingKnownRoots
- SupportsAdditionalTrustAnchors
- Verify
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- IsWeakKeyType
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- PrintTo
- TEST_P
- PrintTo
- TEST_P
#include "net/cert/cert_verify_proc.h"
#include <vector>
#include "base/callback_helpers.h"
#include "base/files/file_path.h"
#include "base/logging.h"
#include "base/sha1.h"
#include "base/strings/string_number_conversions.h"
#include "crypto/sha2.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/asn1_util.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/crl_set.h"
#include "net/cert/test_root_certs.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_certificate_data.h"
#include "testing/gtest/include/gtest/gtest.h"
#if defined(OS_WIN)
#include "base/win/windows_version.h"
#elif defined(OS_MACOSX) && !defined(OS_IOS)
#include "base/mac/mac_util.h"
#elif defined(OS_ANDROID)
#include "base/android/build_info.h"
#endif
using base::HexEncode;
namespace net {
namespace {
unsigned char paypal_null_fingerprint[] = {
0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba,
0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7
};
class WellKnownCaCertVerifyProc : public CertVerifyProc {
public:
explicit WellKnownCaCertVerifyProc(bool is_well_known)
: is_well_known_(is_well_known) {}
virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; }
protected:
virtual ~WellKnownCaCertVerifyProc() {}
private:
virtual int VerifyInternal(X509Certificate* cert,
const std::string& hostname,
int flags,
CRLSet* crl_set,
const CertificateList& additional_trust_anchors,
CertVerifyResult* verify_result) OVERRIDE;
const bool is_well_known_;
DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc);
};
int WellKnownCaCertVerifyProc::VerifyInternal(
X509Certificate* cert,
const std::string& hostname,
int flags,
CRLSet* crl_set,
const CertificateList& additional_trust_anchors,
CertVerifyResult* verify_result) {
verify_result->is_issued_by_known_root = is_well_known_;
return OK;
}
bool SupportsReturningVerifiedChain() {
#if defined(OS_ANDROID)
if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
return false;
#endif
return true;
}
bool SupportsDetectingKnownRoots() {
#if defined(OS_ANDROID)
if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
return false;
#endif
return true;
}
}
class CertVerifyProcTest : public testing::Test {
public:
CertVerifyProcTest()
: verify_proc_(CertVerifyProc::CreateDefault()) {
}
virtual ~CertVerifyProcTest() {}
protected:
bool SupportsAdditionalTrustAnchors() {
return verify_proc_->SupportsAdditionalTrustAnchors();
}
int Verify(X509Certificate* cert,
const std::string& hostname,
int flags,
CRLSet* crl_set,
const CertificateList& additional_trust_anchors,
CertVerifyResult* verify_result) {
return verify_proc_->Verify(cert, hostname, flags, crl_set,
additional_trust_anchors, verify_result);
}
const CertificateList empty_cert_list_;
scoped_refptr<CertVerifyProc> verify_proc_;
};
TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(),
"googlenew.chain.pem",
X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
scoped_refptr<X509Certificate> google_full_chain =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
CertVerifyResult verify_result;
EXPECT_EQ(OK,
Verify(google_full_chain.get(),
"www.google.com",
0 ,
NULL,
empty_cert_list_,
&verify_result));
}
#if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
#define MAYBE_EVVerification DISABLED_EVVerification
#else
#define MAYBE_EVVerification EVVerification
#endif
TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(),
"comodo.chain.pem",
X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
intermediates.push_back(certs[2]->os_cert_handle());
scoped_refptr<X509Certificate> comodo_chain =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
CertVerifyResult verify_result;
int flags = CertVerifier::VERIFY_EV_CERT;
int error = Verify(comodo_chain.get(),
"comodo.com",
flags,
crl_set.get(),
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
}
TEST_F(CertVerifyProcTest, PaypalNullCertParsing) {
scoped_refptr<X509Certificate> paypal_null_cert(
X509Certificate::CreateFromBytes(
reinterpret_cast<const char*>(paypal_null_der),
sizeof(paypal_null_der)));
ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
const SHA1HashValue& fingerprint =
paypal_null_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(paypal_null_cert.get(),
"www.paypal.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
#if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID)
EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
#else
EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
#endif
#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS)
EXPECT_TRUE(verify_result.cert_status &
(CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
#endif
}
#if defined(OS_ANDROID)
#define MAYBE_IntermediateCARequireExplicitPolicy \
DISABLED_IntermediateCARequireExplicitPolicy
#else
#define MAYBE_IntermediateCARequireExplicitPolicy \
IntermediateCARequireExplicitPolicy
#endif
TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
certs_dir, "explicit-policy-chain.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
scoped_refptr<X509Certificate> cert =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
ASSERT_TRUE(cert.get());
ScopedTestRoot scoped_root(certs[2].get());
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(cert.get(),
"policy_test.example",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0u, verify_result.cert_status);
}
TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) {
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> server_cert =
ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
scoped_refptr<X509Certificate> intermediate_cert =
ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(intermediate_cert->os_cert_handle());
scoped_refptr<X509Certificate> cert_chain =
X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
intermediates);
CertVerifyResult verify_result;
int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED |
CertVerifier::VERIFY_EV_CERT;
int error = Verify(cert_chain.get(),
"2029.globalsign.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
if (error == OK)
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
else
EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
}
TEST_F(CertVerifyProcTest, ECDSA_RSA) {
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> cert =
ImportCertFromFile(certs_dir,
"prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem");
CertVerifyResult verify_result;
Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result);
}
static bool IsWeakKeyType(const std::string& key_type) {
size_t pos = key_type.find("-");
std::string size = key_type.substr(0, pos);
std::string type = key_type.substr(pos + 1);
if (type == "rsa" || type == "dsa")
return size == "768";
return false;
}
TEST_F(CertVerifyProcTest, RejectWeakKeys) {
base::FilePath certs_dir = GetTestCertsDirectory();
typedef std::vector<std::string> Strings;
Strings key_types;
key_types.push_back("768-rsa");
key_types.push_back("1024-rsa");
key_types.push_back("2048-rsa");
bool use_ecdsa = true;
#if defined(OS_WIN)
use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP;
#endif
if (use_ecdsa)
key_types.push_back("prime256v1-ecdsa");
scoped_refptr<X509Certificate> root_cert =
ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
ScopedTestRoot scoped_root(root_cert.get());
for (Strings::const_iterator ee_type = key_types.begin();
ee_type != key_types.end(); ++ee_type) {
for (Strings::const_iterator signer_type = key_types.begin();
signer_type != key_types.end(); ++signer_type) {
std::string basename = *ee_type + "-ee-by-" + *signer_type +
"-intermediate.pem";
SCOPED_TRACE(basename);
scoped_refptr<X509Certificate> ee_cert =
ImportCertFromFile(certs_dir, basename);
ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
basename = *signer_type + "-intermediate.pem";
scoped_refptr<X509Certificate> intermediate =
ImportCertFromFile(certs_dir, basename);
ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate);
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(intermediate->os_cert_handle());
scoped_refptr<X509Certificate> cert_chain =
X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
intermediates);
CertVerifyResult verify_result;
int error = Verify(cert_chain.get(),
"127.0.0.1",
0,
NULL,
empty_cert_list_,
&verify_result);
if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
EXPECT_NE(OK, error);
EXPECT_EQ(CERT_STATUS_WEAK_KEY,
verify_result.cert_status & CERT_STATUS_WEAK_KEY);
EXPECT_NE(CERT_STATUS_INVALID,
verify_result.cert_status & CERT_STATUS_INVALID);
} else {
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
}
}
}
}
#if defined(OS_MACOSX) && !defined(OS_IOS)
#define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
#else
#define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
#endif
TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> server_cert =
ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
scoped_refptr<X509Certificate> extra_cert =
ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
scoped_refptr<X509Certificate> root_cert =
ImportCertFromFile(certs_dir, "cross-signed-root-sha1.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
ScopedTestRoot scoped_root(root_cert.get());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(extra_cert->os_cert_handle());
scoped_refptr<X509Certificate> cert_chain =
X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
intermediates);
CertVerifyResult verify_result;
int flags = 0;
int error = Verify(cert_chain.get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
ASSERT_TRUE(verify_result.verified_cert.get());
ASSERT_EQ(1u,
verify_result.verified_cert->GetIntermediateCertificates().size());
EXPECT_TRUE(X509Certificate::IsSameOSCert(
verify_result.verified_cert->GetIntermediateCertificates().front(),
root_cert->os_cert_handle()));
EXPECT_FALSE(verify_result.has_md5);
}
TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> server_cert =
ImportCertFromFile(certs_dir, "google_diginotar.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
scoped_refptr<X509Certificate> intermediate_cert =
ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(intermediate_cert->os_cert_handle());
scoped_refptr<X509Certificate> cert_chain =
X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
intermediates);
CertVerifyResult verify_result;
int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
int error = Verify(cert_chain.get(),
"mail.google.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_NE(OK, error);
flags = 0;
error = Verify(cert_chain.get(),
"mail.google.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_NE(OK, error);
}
TEST_F(CertVerifyProcTest, DigiNotarCerts) {
static const char* const kDigiNotarFilenames[] = {
"diginotar_root_ca.pem",
"diginotar_cyber_ca.pem",
"diginotar_services_1024_ca.pem",
"diginotar_pkioverheid.pem",
"diginotar_pkioverheid_g2.pem",
NULL,
};
base::FilePath certs_dir = GetTestCertsDirectory();
for (size_t i = 0; kDigiNotarFilenames[i]; i++) {
scoped_refptr<X509Certificate> diginotar_cert =
ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
std::string der_bytes;
ASSERT_TRUE(X509Certificate::GetDEREncoded(
diginotar_cert->os_cert_handle(), &der_bytes));
base::StringPiece spki;
ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
std::string spki_sha1 = base::SHA1HashString(spki.as_string());
HashValueVector public_keys;
HashValue hash(HASH_VALUE_SHA1);
ASSERT_EQ(hash.size(), spki_sha1.size());
memcpy(hash.data(), spki_sha1.data(), spki_sha1.size());
public_keys.push_back(hash);
EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
"Public key not blocked for " << kDigiNotarFilenames[i];
}
}
TEST_F(CertVerifyProcTest, NameConstraintsOk) {
CertificateList ca_cert_list =
CreateCertificateListFromFile(GetTestCertsDirectory(),
"root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
ScopedTestRoot test_root(ca_cert_list[0]);
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "name_constraint_ok.crt",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
X509Certificate::OSCertHandles intermediates;
scoped_refptr<X509Certificate> leaf =
X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
intermediates);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(leaf.get(),
"test.example.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
}
TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
CertificateList ca_cert_list =
CreateCertificateListFromFile(GetTestCertsDirectory(),
"root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
ScopedTestRoot test_root(ca_cert_list[0]);
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "name_constraint_bad.crt",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
X509Certificate::OSCertHandles intermediates;
scoped_refptr<X509Certificate> leaf =
X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
intermediates);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(leaf.get(),
"test.example.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error);
EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
}
TEST_F(CertVerifyProcTest, TestKnownRoot) {
if (!SupportsDetectingKnownRoots()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(2U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
scoped_refptr<X509Certificate> cert_chain =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(cert_chain.get(),
"satveda.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_known_root);
}
TEST_F(CertVerifyProcTest, PublicKeyHashes) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(2U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
scoped_refptr<X509Certificate> cert_chain =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(cert_chain.get(),
"satveda.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
ASSERT_LE(2U, verify_result.public_key_hashes.size());
HashValueVector sha1_hashes;
for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1)
continue;
sha1_hashes.push_back(verify_result.public_key_hashes[i]);
}
ASSERT_LE(2u, sha1_hashes.size());
for (size_t i = 0; i < 2; ++i) {
EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
}
HashValueVector sha256_hashes;
for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256)
continue;
sha256_hashes.push_back(verify_result.public_key_hashes[i]);
}
ASSERT_LE(2u, sha256_hashes.size());
for (size_t i = 0; i < 2; ++i) {
EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
}
}
TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
base::FilePath certs_dir = GetTestCertsDirectory();
scoped_refptr<X509Certificate> server_cert =
ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(server_cert.get(),
"jira.aquameta.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
#else
EXPECT_EQ(ERR_CERT_INVALID, error);
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
#endif
#if !defined(USE_NSS) && !defined(OS_IOS) && !defined(OS_ANDROID)
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
#endif
}
TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
certs_dir, "x509_verify_results.chain.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
intermediates.push_back(certs[2]->os_cert_handle());
ScopedTestRoot scoped_root(certs[2].get());
scoped_refptr<X509Certificate> google_full_chain =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
CertVerifyResult verify_result;
EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
int error = Verify(google_full_chain.get(),
"127.0.0.1",
0,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
EXPECT_NE(google_full_chain, verify_result.verified_cert);
EXPECT_TRUE(X509Certificate::IsSameOSCert(
google_full_chain->os_cert_handle(),
verify_result.verified_cert->os_cert_handle()));
const X509Certificate::OSCertHandles& return_intermediates =
verify_result.verified_cert->GetIntermediateCertificates();
ASSERT_EQ(2U, return_intermediates.size());
EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
certs[1]->os_cert_handle()));
EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
certs[2]->os_cert_handle()));
}
TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
if (!SupportsDetectingKnownRoots()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "ok_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
CertVerifyResult verify_result;
int error = 0;
verify_proc_ = new WellKnownCaCertVerifyProc(true);
error =
Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
EXPECT_EQ(OK, error);
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
verify_proc_ = new WellKnownCaCertVerifyProc(false);
error =
Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
EXPECT_EQ(OK, error);
EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
}
TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
certs_dir, "x509_verify_results.chain.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[2]->os_cert_handle());
intermediates.push_back(certs[1]->os_cert_handle());
ScopedTestRoot scoped_root(certs[2].get());
scoped_refptr<X509Certificate> google_full_chain =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
CertVerifyResult verify_result;
EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
int error = Verify(google_full_chain.get(),
"127.0.0.1",
0,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
EXPECT_NE(google_full_chain, verify_result.verified_cert);
EXPECT_TRUE(X509Certificate::IsSameOSCert(
google_full_chain->os_cert_handle(),
verify_result.verified_cert->os_cert_handle()));
const X509Certificate::OSCertHandles& return_intermediates =
verify_result.verified_cert->GetIntermediateCertificates();
ASSERT_EQ(2U, return_intermediates.size());
EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
certs[1]->os_cert_handle()));
EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
certs[2]->os_cert_handle()));
}
TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
certs_dir, "x509_verify_results.chain.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
ScopedTestRoot scoped_root(certs[2].get());
scoped_refptr<X509Certificate> unrelated_certificate =
ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
scoped_refptr<X509Certificate> unrelated_certificate2 =
ImportCertFromFile(certs_dir, "aia-cert.pem");
ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate);
ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2);
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(unrelated_certificate->os_cert_handle());
intermediates.push_back(certs[1]->os_cert_handle());
intermediates.push_back(unrelated_certificate2->os_cert_handle());
intermediates.push_back(certs[2]->os_cert_handle());
scoped_refptr<X509Certificate> google_full_chain =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
CertVerifyResult verify_result;
EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
int error = Verify(google_full_chain.get(),
"127.0.0.1",
0,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
EXPECT_NE(google_full_chain, verify_result.verified_cert);
EXPECT_TRUE(X509Certificate::IsSameOSCert(
google_full_chain->os_cert_handle(),
verify_result.verified_cert->os_cert_handle()));
const X509Certificate::OSCertHandles& return_intermediates =
verify_result.verified_cert->GetIntermediateCertificates();
ASSERT_EQ(2U, return_intermediates.size());
EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
certs[1]->os_cert_handle()));
EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
certs[2]->os_cert_handle()));
}
TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
if (!SupportsAdditionalTrustAnchors()) {
LOG(INFO) << "Skipping this test in this platform.";
return;
}
CertificateList ca_cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "ok_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(
cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
CertificateList trust_anchors;
trust_anchors.push_back(ca_cert);
error = Verify(
cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
error = Verify(
cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
}
TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
TestRootCerts* root_certs = TestRootCerts::GetInstance();
root_certs->AddFromFile(
GetTestCertsDirectory().AppendASCII("root_ca_cert.pem"));
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "ok_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(
cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_FALSE(verify_result.is_issued_by_known_root);
root_certs->Clear();
EXPECT_TRUE(root_certs->IsEmpty());
}
#if defined(OS_MACOSX) && !defined(OS_IOS)
TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(),
"cybertrust_omniroot_chain.pem",
X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
ASSERT_EQ(2U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
scoped_refptr<X509Certificate> cybertrust_basic =
X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
intermediates);
ASSERT_TRUE(cybertrust_basic.get());
scoped_refptr<X509Certificate> baltimore_root =
ImportCertFromFile(GetTestCertsDirectory(),
"cybertrust_baltimore_root.pem");
ASSERT_TRUE(baltimore_root.get());
ScopedTestRoot scoped_root(baltimore_root.get());
TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
base::ScopedClosureRunner reset_system_trust(
base::Bind(&TestRootCerts::SetAllowSystemTrust,
base::Unretained(TestRootCerts::GetInstance()),
true));
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(cybertrust_basic.get(),
"cacert.omniroot.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
scoped_refptr<X509Certificate> baltimore_intermediate_1 =
ImportCertFromFile(GetTestCertsDirectory(),
"cybertrust_baltimore_cross_certified_1.pem");
ASSERT_TRUE(baltimore_intermediate_1.get());
X509Certificate::OSCertHandles intermediate_chain_1 =
cybertrust_basic->GetIntermediateCertificates();
intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
scoped_refptr<X509Certificate> baltimore_chain_1 =
X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
intermediate_chain_1);
error = Verify(baltimore_chain_1.get(),
"cacert.omniroot.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
scoped_refptr<X509Certificate> baltimore_intermediate_2 =
ImportCertFromFile(GetTestCertsDirectory(),
"cybertrust_baltimore_cross_certified_2.pem");
ASSERT_TRUE(baltimore_intermediate_2.get());
X509Certificate::OSCertHandles intermediate_chain_2 =
cybertrust_basic->GetIntermediateCertificates();
intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
scoped_refptr<X509Certificate> baltimore_chain_2 =
X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
intermediate_chain_2);
error = Verify(baltimore_chain_2.get(),
"cacert.omniroot.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
scoped_refptr<X509Certificate> cybertrust_root =
ImportCertFromFile(GetTestCertsDirectory(),
"cybertrust_gte_root.pem");
ASSERT_TRUE(cybertrust_root.get());
intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
scoped_refptr<X509Certificate> baltimore_chain_with_root =
X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
intermediate_chain_2);
error = Verify(baltimore_chain_with_root.get(),
"cacert.omniroot.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
TestRootCerts::GetInstance()->Clear();
EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty());
}
#endif
#if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
static const uint8 kCRLSetLeafSPKIBlocked[] = {
0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x43, 0x38, 0x4d, 0x4a, 0x46, 0x55, 0x55,
0x5a, 0x38, 0x43, 0x79, 0x54, 0x2b, 0x4e, 0x57, 0x64, 0x68, 0x69, 0x7a, 0x51,
0x68, 0x54, 0x49, 0x65, 0x46, 0x49, 0x37, 0x76, 0x41, 0x77, 0x7a, 0x64, 0x54,
0x79, 0x52, 0x59, 0x45, 0x6e, 0x78, 0x6c, 0x33, 0x62, 0x67, 0x3d, 0x22, 0x5d,
0x7d,
};
static const uint8 kCRLSetLeafSerialBlocked[] = {
0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0x0f, 0x87, 0xe4, 0xc7, 0x75, 0xea,
0x46, 0x7e, 0xf3, 0xfd, 0x82, 0xb7, 0x46, 0x7b, 0x10, 0xda, 0xc5, 0xbf, 0xd8,
0xd1, 0x29, 0xb2, 0xc6, 0xac, 0x7f, 0x51, 0x42, 0x15, 0x28, 0x51, 0x06, 0x7f,
0x01, 0x00, 0x00, 0x00,
0x01, 0xed,
};
static const uint8 kCRLSetQUICSerialBlocked[] = {
0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d,
0xe4, 0x3a, 0xa3, 0xdb, 0x98, 0x31, 0x61, 0x05, 0xdd, 0x57, 0x6d, 0xc6, 0x2f,
0x71, 0x26, 0xba, 0xdd, 0xf4, 0x98, 0x3e, 0x62, 0x22, 0xf8, 0xf9, 0xe4, 0x18,
0x62, 0x77, 0x79, 0xdb, 0x9b, 0x31,
0x01, 0x00, 0x00, 0x00,
0x01, 0x03,
};
TEST_F(CertVerifyProcTest, CRLSet) {
CertificateList ca_cert_list =
CreateCertificateListFromFile(GetTestCertsDirectory(),
"root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
ScopedTestRoot test_root(ca_cert_list[0]);
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(
cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
base::StringPiece crl_set_bytes(
reinterpret_cast<const char*>(kCRLSetLeafSPKIBlocked),
sizeof(kCRLSetLeafSPKIBlocked));
scoped_refptr<CRLSet> crl_set;
ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
error = Verify(cert.get(),
"127.0.0.1",
flags,
crl_set.get(),
empty_cert_list_,
&verify_result);
EXPECT_EQ(ERR_CERT_REVOKED, error);
crl_set_bytes =
base::StringPiece(reinterpret_cast<const char*>(kCRLSetLeafSerialBlocked),
sizeof(kCRLSetLeafSerialBlocked));
ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
error = Verify(cert.get(),
"127.0.0.1",
flags,
crl_set.get(),
empty_cert_list_,
&verify_result);
EXPECT_EQ(ERR_CERT_REVOKED, error);
}
TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
CertificateList ca_cert_list =
CreateCertificateListFromFile(GetTestCertsDirectory(),
"quic_root.crt",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_cert_list.size());
ScopedTestRoot test_root(ca_cert_list[0]);
CertificateList intermediate_cert_list =
CreateCertificateListFromFile(GetTestCertsDirectory(),
"quic_intermediate.crt",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, intermediate_cert_list.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(intermediate_cert_list[0]->os_cert_handle());
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "quic_test.example.com.crt",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> leaf =
X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
intermediates);
int flags = 0;
CertVerifyResult verify_result;
int error = Verify(leaf.get(),
"test.example.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
scoped_refptr<CRLSet> crl_set;
base::StringPiece crl_set_bytes =
base::StringPiece(reinterpret_cast<const char*>(kCRLSetQUICSerialBlocked),
sizeof(kCRLSetQUICSerialBlocked));
ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
error = Verify(leaf.get(),
"test.example.com",
flags,
crl_set.get(),
empty_cert_list_,
&verify_result);
EXPECT_EQ(ERR_CERT_REVOKED, error);
}
#endif
struct WeakDigestTestData {
const char* root_cert_filename;
const char* intermediate_cert_filename;
const char* ee_cert_filename;
bool expected_has_md5;
bool expected_has_md4;
bool expected_has_md2;
};
void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
*os << "root: "
<< (data.root_cert_filename ? data.root_cert_filename : "none")
<< "; intermediate: " << data.intermediate_cert_filename
<< "; end-entity: " << data.ee_cert_filename;
}
class CertVerifyProcWeakDigestTest
: public CertVerifyProcTest,
public testing::WithParamInterface<WeakDigestTestData> {
public:
CertVerifyProcWeakDigestTest() {}
virtual ~CertVerifyProcWeakDigestTest() {}
};
TEST_P(CertVerifyProcWeakDigestTest, Verify) {
WeakDigestTestData data = GetParam();
base::FilePath certs_dir = GetTestCertsDirectory();
ScopedTestRoot test_root;
if (data.root_cert_filename) {
scoped_refptr<X509Certificate> root_cert =
ImportCertFromFile(certs_dir, data.root_cert_filename);
ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
test_root.Reset(root_cert.get());
}
scoped_refptr<X509Certificate> intermediate_cert =
ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
scoped_refptr<X509Certificate> ee_cert =
ImportCertFromFile(certs_dir, data.ee_cert_filename);
ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(intermediate_cert->os_cert_handle());
scoped_refptr<X509Certificate> ee_chain =
X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
intermediates);
ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain);
int flags = 0;
CertVerifyResult verify_result;
int rv = Verify(ee_chain.get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
if (data.expected_has_md4 || data.expected_has_md2) {
EXPECT_EQ(CERT_STATUS_INVALID,
verify_result.cert_status & CERT_STATUS_INVALID);
}
if (data.expected_has_md5) {
EXPECT_EQ(
CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
}
if (data.root_cert_filename) {
if (data.expected_has_md4 || data.expected_has_md2) {
EXPECT_EQ(ERR_CERT_INVALID, rv);
} else if (data.expected_has_md5) {
EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
} else {
EXPECT_EQ(OK, rv);
}
}
}
#define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator)
const WeakDigestTestData kVerifyRootCATestData[] = {
{ "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_sha1_ee.pem", false, false, false },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
{ "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_sha1_ee.pem", false, false, false },
#endif
{ "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_sha1_ee.pem", false, false, false },
};
INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyRootCATestData));
const WeakDigestTestData kVerifyIntermediateCATestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
"weak_digest_sha1_ee.pem", true, false, false },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
{ "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
"weak_digest_sha1_ee.pem", false, true, false },
#endif
{ "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
"weak_digest_sha1_ee.pem", false, false, true },
};
#if defined(USE_NSS) || defined(OS_IOS)
#define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate
#else
#define MAYBE_VerifyIntermediate VerifyIntermediate
#endif
WRAPPED_INSTANTIATE_TEST_CASE_P(
MAYBE_VerifyIntermediate,
CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyIntermediateCATestData));
const WeakDigestTestData kVerifyEndEntityTestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_md5_ee.pem", true, false, false },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_md4_ee.pem", false, true, false },
#endif
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_md2_ee.pem", false, false, true },
};
#if defined(USE_NSS) || defined(OS_IOS)
#define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity
#else
#define MAYBE_VerifyEndEntity VerifyEndEntity
#endif
WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyEndEntityTestData));
const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
{ NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
true, false, false },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
{ NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
false, true, false },
#endif
{ NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
false, false, true },
};
#if defined(USE_NSS) || defined(OS_IOS)
#define MAYBE_VerifyIncompleteIntermediate \
DISABLED_VerifyIncompleteIntermediate
#else
#define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate
#endif
WRAPPED_INSTANTIATE_TEST_CASE_P(
MAYBE_VerifyIncompleteIntermediate,
CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
const WeakDigestTestData kVerifyIncompleteEETestData[] = {
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
true, false, false },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
false, true, false },
#endif
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
false, false, true },
};
#if defined(USE_NSS) || defined(OS_IOS)
#define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity
#else
#define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity
#endif
WRAPPED_INSTANTIATE_TEST_CASE_P(
MAYBE_VerifyIncompleteEndEntity,
CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyIncompleteEETestData));
const WeakDigestTestData kVerifyMixedTestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
"weak_digest_md2_ee.pem", true, false, true },
{ "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
"weak_digest_md5_ee.pem", true, false, true },
#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
{ "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
"weak_digest_md2_ee.pem", false, true, true },
#endif
};
#if defined(USE_NSS) || defined(OS_IOS)
#define MAYBE_VerifyMixed DISABLED_VerifyMixed
#else
#define MAYBE_VerifyMixed VerifyMixed
#endif
WRAPPED_INSTANTIATE_TEST_CASE_P(
MAYBE_VerifyMixed,
CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyMixedTestData));
static const struct CertVerifyProcNameData {
const char* hostname;
bool valid;
} kVerifyNameData[] = {
{ "127.0.0.1", false },
{ "127.0.0.2", true },
{ "FE80:0:0:0:0:0:0:1", true },
{ "[FE80:0:0:0:0:0:0:1]", false },
{ "FE80::1", true },
{ "::127.0.0.2", false },
{ "test.example", true },
{ "test.example.", true },
{ "www.test.example", false },
{ "test..example", false },
{ "test.example..", false },
{ ".test.example.", false },
{ ".test.example", false },
};
void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
*os << "Hostname: " << data.hostname << "; valid=" << data.valid;
}
class CertVerifyProcNameTest
: public CertVerifyProcTest,
public testing::WithParamInterface<CertVerifyProcNameData> {
public:
CertVerifyProcNameTest() {}
virtual ~CertVerifyProcNameTest() {}
};
TEST_P(CertVerifyProcNameTest, VerifyCertName) {
CertVerifyProcNameData data = GetParam();
CertificateList cert_list = CreateCertificateListFromFile(
GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
ScopedTestRoot scoped_root(cert.get());
CertVerifyResult verify_result;
int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
&verify_result);
if (data.valid) {
EXPECT_EQ(OK, error);
EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
} else {
EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
}
}
WRAPPED_INSTANTIATE_TEST_CASE_P(
VerifyName,
CertVerifyProcNameTest,
testing::ValuesIn(kVerifyNameData));
}