Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_verify_proc.h" | 5 #include "net/base/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/file_path.h" | 9 #include "base/file_path.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 390 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 401 SHA1Fingerprint fingerprint; | 401 SHA1Fingerprint fingerprint; |
| 402 ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size()); | 402 ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size()); |
| 403 memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size()); | 403 memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size()); |
| 404 public_keys.push_back(fingerprint); | 404 public_keys.push_back(fingerprint); |
| 405 | 405 |
| 406 EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) << | 406 EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) << |
| 407 "Public key not blocked for " << kDigiNotarFilenames[i]; | 407 "Public key not blocked for " << kDigiNotarFilenames[i]; |
| 408 } | 408 } |
| 409 } | 409 } |
| 410 | 410 |
| 411 // Bug 111893: This test needs a new certificate. | 411 // Bug 111893: This test needs a new certificate. |
|
Ryan Sleevi
2012/07/23 21:45:05
Seems like you should remove this BUG and should u
agl
2012/07/23 22:14:18
Ah, good point. Thanks.
| |
| 412 TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) { | 412 TEST_F(CertVerifyProcTest, TestKnownRoot) { |
| 413 FilePath certs_dir = GetTestCertsDirectory(); | 413 FilePath certs_dir = GetTestCertsDirectory(); |
| 414 scoped_refptr<X509Certificate> cert = | 414 CertificateList certs = CreateCertificateListFromFile( |
| 415 ImportCertFromFile(certs_dir, "nist.der"); | 415 certs_dir, "certse.pem", |
| 416 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | 416 X509Certificate::FORMAT_AUTO); |
|
Ryan Sleevi
2012/07/23 21:45:05
nit: move this to the previous line?
agl
2012/07/23 22:14:18
Done.
| |
| 417 | 417 ASSERT_EQ(3U, certs.size()); |
| 418 // This intermediate is only needed for old Linux machines. Modern NSS | |
| 419 // includes it as a root already. | |
| 420 scoped_refptr<X509Certificate> intermediate_cert = | |
| 421 ImportCertFromFile(certs_dir, "nist_intermediate.der"); | |
| 422 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | |
| 423 | 418 |
| 424 X509Certificate::OSCertHandles intermediates; | 419 X509Certificate::OSCertHandles intermediates; |
| 425 intermediates.push_back(intermediate_cert->os_cert_handle()); | 420 intermediates.push_back(certs[1]->os_cert_handle()); |
| 421 intermediates.push_back(certs[2]->os_cert_handle()); | |
| 422 | |
| 426 scoped_refptr<X509Certificate> cert_chain = | 423 scoped_refptr<X509Certificate> cert_chain = |
| 427 X509Certificate::CreateFromHandle(cert->os_cert_handle(), | 424 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 428 intermediates); | 425 intermediates); |
| 429 | 426 |
| 430 int flags = 0; | 427 int flags = 0; |
| 431 CertVerifyResult verify_result; | 428 CertVerifyResult verify_result; |
| 432 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug | 429 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug |
| 433 // against agl. Also see PublicKeyHashes in this file. | 430 // against agl. See also PublicKeyHashes. |
| 434 int error = Verify(cert_chain, "www.nist.gov", flags, NULL, &verify_result); | 431 int error = Verify(cert_chain, "cert.se", flags, NULL, &verify_result); |
| 435 EXPECT_EQ(OK, error); | 432 EXPECT_EQ(OK, error); |
| 436 EXPECT_EQ(0U, verify_result.cert_status); | 433 EXPECT_EQ(0U, verify_result.cert_status); |
| 437 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 434 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
| 438 } | 435 } |
| 439 | 436 |
| 440 // Bug 111893: This test needs a new certificate. | 437 // Bug 111893: This test needs a new certificate. |
|
Ryan Sleevi
2012/07/23 21:45:05
Same here
agl
2012/07/23 22:14:18
Done.
| |
| 441 TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) { | 438 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
| 442 FilePath certs_dir = GetTestCertsDirectory(); | 439 FilePath certs_dir = GetTestCertsDirectory(); |
| 443 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug | 440 CertificateList certs = CreateCertificateListFromFile( |
| 444 // against agl. Also see TestKnownRoot in this file. | 441 certs_dir, "certse.pem", |
| 445 scoped_refptr<X509Certificate> cert = | 442 X509Certificate::FORMAT_AUTO); |
|
Ryan Sleevi
2012/07/23 21:45:05
nit: same here
agl
2012/07/23 22:14:18
Done.
| |
| 446 ImportCertFromFile(certs_dir, "nist.der"); | 443 ASSERT_EQ(3U, certs.size()); |
| 447 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | |
| 448 | |
| 449 // This intermediate is only needed for old Linux machines. Modern NSS | |
| 450 // includes it as a root already. | |
| 451 scoped_refptr<X509Certificate> intermediate_cert = | |
| 452 ImportCertFromFile(certs_dir, "nist_intermediate.der"); | |
| 453 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | |
| 454 | |
| 455 ScopedTestRoot scoped_intermediate(intermediate_cert); | |
| 456 | 444 |
| 457 X509Certificate::OSCertHandles intermediates; | 445 X509Certificate::OSCertHandles intermediates; |
| 458 intermediates.push_back(intermediate_cert->os_cert_handle()); | 446 intermediates.push_back(certs[1]->os_cert_handle()); |
| 447 intermediates.push_back(certs[2]->os_cert_handle()); | |
| 448 | |
| 459 scoped_refptr<X509Certificate> cert_chain = | 449 scoped_refptr<X509Certificate> cert_chain = |
| 460 X509Certificate::CreateFromHandle(cert->os_cert_handle(), | 450 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 461 intermediates); | 451 intermediates); |
| 462 | |
| 463 int flags = 0; | 452 int flags = 0; |
| 464 CertVerifyResult verify_result; | 453 CertVerifyResult verify_result; |
| 465 | 454 |
| 466 int error = Verify(cert_chain, "www.nist.gov", flags, NULL, &verify_result); | 455 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug |
| 456 // against agl. See also TestKnownRoot. | |
| 457 int error = Verify(cert_chain, "cert.se", flags, NULL, &verify_result); | |
| 467 EXPECT_EQ(OK, error); | 458 EXPECT_EQ(OK, error); |
| 468 EXPECT_EQ(0U, verify_result.cert_status); | 459 EXPECT_EQ(0U, verify_result.cert_status); |
| 469 ASSERT_LE(2u, verify_result.public_key_hashes.size()); | 460 ASSERT_LE(3u, verify_result.public_key_hashes.size()); |
| 470 EXPECT_EQ(HexEncode(kNistSPKIHash, base::kSHA1Length), | 461 for (unsigned i = 0; i < 3; i++) { |
| 471 HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length)); | 462 EXPECT_EQ(HexEncode(kCertSESPKIs[i], base::kSHA1Length), |
| 472 EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD", | 463 HexEncode(verify_result.public_key_hashes[i].data, base::kSHA1Length)); |
| 473 HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length)); | 464 } |
| 474 } | 465 } |
| 475 | 466 |
| 476 // A regression test for http://crbug.com/70293. | 467 // A regression test for http://crbug.com/70293. |
| 477 // The Key Usage extension in this RSA SSL server certificate does not have | 468 // The Key Usage extension in this RSA SSL server certificate does not have |
| 478 // the keyEncipherment bit. | 469 // the keyEncipherment bit. |
| 479 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 470 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
| 480 FilePath certs_dir = GetTestCertsDirectory(); | 471 FilePath certs_dir = GetTestCertsDirectory(); |
| 481 | 472 |
| 482 scoped_refptr<X509Certificate> server_cert = | 473 scoped_refptr<X509Certificate> server_cert = |
| 483 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); | 474 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); |
| (...skipping 493 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 977 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 968 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 978 #else | 969 #else |
| 979 #define MAYBE_VerifyMixed VerifyMixed | 970 #define MAYBE_VerifyMixed VerifyMixed |
| 980 #endif | 971 #endif |
| 981 WRAPPED_INSTANTIATE_TEST_CASE_P( | 972 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 982 MAYBE_VerifyMixed, | 973 MAYBE_VerifyMixed, |
| 983 CertVerifyProcWeakDigestTest, | 974 CertVerifyProcWeakDigestTest, |
| 984 testing::ValuesIn(kVerifyMixedTestData)); | 975 testing::ValuesIn(kVerifyMixedTestData)); |
| 985 | 976 |
| 986 } // namespace net | 977 } // namespace net |
| OLD | NEW |