| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 841 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 852 | 852 |
| 853 // Clearing the |trust_anchors| makes verification fail again (the cache | 853 // Clearing the |trust_anchors| makes verification fail again (the cache |
| 854 // should be skipped). | 854 // should be skipped). |
| 855 error = Verify( | 855 error = Verify( |
| 856 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); | 856 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
| 857 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 857 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 858 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 858 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 859 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 859 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
| 860 } | 860 } |
| 861 | 861 |
| 862 #if defined(OS_MACOSX) && !defined(OS_IOS) |
| 863 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust |
| 864 // Root can be successfully worked around once Apple completes removing the |
| 865 // older GTE CyberTrust Root from its trusted root store. |
| 866 // |
| 867 // The issue is caused by servers supplying the cross-certified intermediate |
| 868 // (necessary for certain mobile platforms), which OS X does not recognize |
| 869 // as already existing within its trust store. |
| 870 TEST_F(CertVerifyProcTest, CybertrustGTERoot) { |
| 871 CertificateList certs = CreateCertificateListFromFile( |
| 872 GetTestCertsDirectory(), |
| 873 "cybertrust_omniroot_chain.pem", |
| 874 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| 875 ASSERT_EQ(2U, certs.size()); |
| 876 |
| 877 X509Certificate::OSCertHandles intermediates; |
| 878 intermediates.push_back(certs[1]->os_cert_handle()); |
| 879 |
| 880 scoped_refptr<X509Certificate> cybertrust_basic = |
| 881 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 882 intermediates); |
| 883 ASSERT_TRUE(cybertrust_basic.get()); |
| 884 |
| 885 scoped_refptr<X509Certificate> baltimore_root = |
| 886 ImportCertFromFile(GetTestCertsDirectory(), |
| 887 "cybertrust_baltimore_root.pem"); |
| 888 ASSERT_TRUE(baltimore_root.get()); |
| 889 |
| 890 ScopedTestRoot scoped_root(baltimore_root); |
| 891 |
| 892 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This |
| 893 // simulates Keychain removing support for the GTE CyberTrust Root. |
| 894 TestRootCerts::GetInstance()->SetAllowSystemTrust(false); |
| 895 base::ScopedClosureRunner reset_system_trust( |
| 896 base::Bind(&TestRootCerts::SetAllowSystemTrust, |
| 897 base::Unretained(TestRootCerts::GetInstance()), |
| 898 true)); |
| 899 |
| 900 // First, make sure a simple certificate chain from |
| 901 // EE -> Public SureServer SV -> Baltimore CyberTrust |
| 902 // works. Only the first two certificates are included in the chain. |
| 903 int flags = 0; |
| 904 CertVerifyResult verify_result; |
| 905 int error = Verify(cybertrust_basic, "cacert.omniroot.com", flags, NULL, |
| 906 empty_cert_list_, &verify_result); |
| 907 EXPECT_EQ(OK, error); |
| 908 EXPECT_EQ(0U, verify_result.cert_status); |
| 909 |
| 910 // Attempt to verify with the first known cross-certified intermediate |
| 911 // provided. |
| 912 scoped_refptr<X509Certificate> baltimore_intermediate_1 = |
| 913 ImportCertFromFile(GetTestCertsDirectory(), |
| 914 "cybertrust_baltimore_cross_certified_1.pem"); |
| 915 ASSERT_TRUE(baltimore_intermediate_1.get()); |
| 916 |
| 917 X509Certificate::OSCertHandles intermediate_chain_1 = |
| 918 cybertrust_basic->GetIntermediateCertificates(); |
| 919 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle()); |
| 920 |
| 921 scoped_refptr<X509Certificate> baltimore_chain_1 = |
| 922 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 923 intermediate_chain_1); |
| 924 error = Verify(baltimore_chain_1, "cacert.omniroot.com", flags, NULL, |
| 925 empty_cert_list_, &verify_result); |
| 926 EXPECT_EQ(OK, error); |
| 927 EXPECT_EQ(0U, verify_result.cert_status); |
| 928 |
| 929 // Attempt to verify with the second known cross-certified intermediate |
| 930 // provided. |
| 931 scoped_refptr<X509Certificate> baltimore_intermediate_2 = |
| 932 ImportCertFromFile(GetTestCertsDirectory(), |
| 933 "cybertrust_baltimore_cross_certified_2.pem"); |
| 934 ASSERT_TRUE(baltimore_intermediate_2.get()); |
| 935 |
| 936 X509Certificate::OSCertHandles intermediate_chain_2 = |
| 937 cybertrust_basic->GetIntermediateCertificates(); |
| 938 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle()); |
| 939 |
| 940 scoped_refptr<X509Certificate> baltimore_chain_2 = |
| 941 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 942 intermediate_chain_2); |
| 943 error = Verify(baltimore_chain_2, "cacert.omniroot.com", flags, NULL, |
| 944 empty_cert_list_, &verify_result); |
| 945 EXPECT_EQ(OK, error); |
| 946 EXPECT_EQ(0U, verify_result.cert_status); |
| 947 |
| 948 // Attempt to verify when both a cross-certified intermediate AND |
| 949 // the legacy GTE root are provided. |
| 950 scoped_refptr<X509Certificate> cybertrust_root = |
| 951 ImportCertFromFile(GetTestCertsDirectory(), |
| 952 "cybertrust_gte_root.pem"); |
| 953 ASSERT_TRUE(cybertrust_root.get()); |
| 954 |
| 955 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle()); |
| 956 scoped_refptr<X509Certificate> baltimore_chain_with_root = |
| 957 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), |
| 958 intermediate_chain_2); |
| 959 error = Verify(baltimore_chain_with_root, "cacert.omniroot.com", flags, |
| 960 NULL, empty_cert_list_, &verify_result); |
| 961 EXPECT_EQ(OK, error); |
| 962 EXPECT_EQ(0U, verify_result.cert_status); |
| 963 |
| 964 } |
| 965 #endif |
| 966 |
| 862 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) | 967 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) |
| 863 static const uint8 kCRLSetThawteSPKIBlocked[] = { | 968 static const uint8 kCRLSetThawteSPKIBlocked[] = { |
| 864 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, | 969 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, |
| 865 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, | 970 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, |
| 866 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, | 971 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, |
| 867 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, | 972 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, |
| 868 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, | 973 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, |
| 869 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, | 974 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, |
| 870 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, | 975 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, |
| 871 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37, | 976 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37, |
| (...skipping 417 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1289 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { | 1394 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { |
| 1290 const NonUniqueNameTestData& test_data = GetParam(); | 1395 const NonUniqueNameTestData& test_data = GetParam(); |
| 1291 | 1396 |
| 1292 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); | 1397 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); |
| 1293 } | 1398 } |
| 1294 | 1399 |
| 1295 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, | 1400 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, |
| 1296 testing::ValuesIn(kNonUniqueNameTestData)); | 1401 testing::ValuesIn(kNonUniqueNameTestData)); |
| 1297 | 1402 |
| 1298 } // namespace net | 1403 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 14492003:
Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src