| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 118 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 118 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| 119 | 119 |
| 120 X509Certificate::OSCertHandles intermediates; | 120 X509Certificate::OSCertHandles intermediates; |
| 121 intermediates.push_back(certs[1]->os_cert_handle()); | 121 intermediates.push_back(certs[1]->os_cert_handle()); |
| 122 | 122 |
| 123 scoped_refptr<X509Certificate> google_full_chain = | 123 scoped_refptr<X509Certificate> google_full_chain = |
| 124 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 124 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 125 intermediates); | 125 intermediates); |
| 126 | 126 |
| 127 CertVerifyResult verify_result; | 127 CertVerifyResult verify_result; |
| 128 EXPECT_EQ(OK, Verify(google_full_chain, "www.google.com", 0 /* flags */, | 128 EXPECT_EQ(OK, |
| 129 NULL, empty_cert_list_, &verify_result)); | 129 Verify(google_full_chain.get(), |
| 130 "www.google.com", |
| 131 0 /* flags */, |
| 132 NULL, |
| 133 empty_cert_list_, |
| 134 &verify_result)); |
| 130 } | 135 } |
| 131 | 136 |
| 132 #if defined(OS_ANDROID) || defined(USE_OPENSSL) | 137 #if defined(OS_ANDROID) || defined(USE_OPENSSL) |
| 133 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 138 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| 134 #define MAYBE_EVVerification DISABLED_EVVerification | 139 #define MAYBE_EVVerification DISABLED_EVVerification |
| 135 #else | 140 #else |
| 136 #define MAYBE_EVVerification EVVerification | 141 #define MAYBE_EVVerification EVVerification |
| 137 #endif | 142 #endif |
| 138 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { | 143 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { |
| 139 // This certificate will expire Jun 21, 2013. | 144 // This certificate will expire Jun 21, 2013. |
| 140 CertificateList certs = CreateCertificateListFromFile( | 145 CertificateList certs = CreateCertificateListFromFile( |
| 141 GetTestCertsDirectory(), | 146 GetTestCertsDirectory(), |
| 142 "comodo.chain.pem", | 147 "comodo.chain.pem", |
| 143 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 148 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| 144 ASSERT_EQ(3U, certs.size()); | 149 ASSERT_EQ(3U, certs.size()); |
| 145 | 150 |
| 146 X509Certificate::OSCertHandles intermediates; | 151 X509Certificate::OSCertHandles intermediates; |
| 147 intermediates.push_back(certs[1]->os_cert_handle()); | 152 intermediates.push_back(certs[1]->os_cert_handle()); |
| 148 intermediates.push_back(certs[2]->os_cert_handle()); | 153 intermediates.push_back(certs[2]->os_cert_handle()); |
| 149 | 154 |
| 150 scoped_refptr<X509Certificate> comodo_chain = | 155 scoped_refptr<X509Certificate> comodo_chain = |
| 151 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 156 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 152 intermediates); | 157 intermediates); |
| 153 | 158 |
| 154 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting()); | 159 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting()); |
| 155 CertVerifyResult verify_result; | 160 CertVerifyResult verify_result; |
| 156 int flags = CertVerifier::VERIFY_EV_CERT; | 161 int flags = CertVerifier::VERIFY_EV_CERT; |
| 157 int error = Verify(comodo_chain, "comodo.com", flags, crl_set.get(), | 162 int error = Verify(comodo_chain.get(), |
| 158 empty_cert_list_, &verify_result); | 163 "comodo.com", |
| 164 flags, |
| 165 crl_set.get(), |
| 166 empty_cert_list_, |
| 167 &verify_result); |
| 159 EXPECT_EQ(OK, error); | 168 EXPECT_EQ(OK, error); |
| 160 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 169 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 161 } | 170 } |
| 162 | 171 |
| 163 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { | 172 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { |
| 164 scoped_refptr<X509Certificate> paypal_null_cert( | 173 scoped_refptr<X509Certificate> paypal_null_cert( |
| 165 X509Certificate::CreateFromBytes( | 174 X509Certificate::CreateFromBytes( |
| 166 reinterpret_cast<const char*>(paypal_null_der), | 175 reinterpret_cast<const char*>(paypal_null_der), |
| 167 sizeof(paypal_null_der))); | 176 sizeof(paypal_null_der))); |
| 168 | 177 |
| 169 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); | 178 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); |
| 170 | 179 |
| 171 const SHA1HashValue& fingerprint = | 180 const SHA1HashValue& fingerprint = |
| 172 paypal_null_cert->fingerprint(); | 181 paypal_null_cert->fingerprint(); |
| 173 for (size_t i = 0; i < 20; ++i) | 182 for (size_t i = 0; i < 20; ++i) |
| 174 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); | 183 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); |
| 175 | 184 |
| 176 int flags = 0; | 185 int flags = 0; |
| 177 CertVerifyResult verify_result; | 186 CertVerifyResult verify_result; |
| 178 int error = Verify(paypal_null_cert, "www.paypal.com", flags, NULL, | 187 int error = Verify(paypal_null_cert.get(), |
| 179 empty_cert_list_, &verify_result); | 188 "www.paypal.com", |
| 189 flags, |
| 190 NULL, |
| 191 empty_cert_list_, |
| 192 &verify_result); |
| 180 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID) | 193 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID) |
| 181 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); | 194 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); |
| 182 #else | 195 #else |
| 183 // TOOD(bulach): investigate why macosx and win aren't returning | 196 // TOOD(bulach): investigate why macosx and win aren't returning |
| 184 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. | 197 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. |
| 185 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 198 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 186 #endif | 199 #endif |
| 187 // Either the system crypto library should correctly report a certificate | 200 // Either the system crypto library should correctly report a certificate |
| 188 // name mismatch, or our certificate blacklist should cause us to report an | 201 // name mismatch, or our certificate blacklist should cause us to report an |
| 189 // invalid certificate. | 202 // invalid certificate. |
| (...skipping 15 matching lines...) Expand all Loading... |
| 205 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 218 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 206 | 219 |
| 207 // The intermediate CA certificate's policyConstraints extension has a | 220 // The intermediate CA certificate's policyConstraints extension has a |
| 208 // requireExplicitPolicy field with SkipCerts=0. | 221 // requireExplicitPolicy field with SkipCerts=0. |
| 209 scoped_refptr<X509Certificate> intermediate_cert = | 222 scoped_refptr<X509Certificate> intermediate_cert = |
| 210 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | 223 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); |
| 211 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 224 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
| 212 | 225 |
| 213 scoped_refptr<X509Certificate> root_cert = | 226 scoped_refptr<X509Certificate> root_cert = |
| 214 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | 227 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); |
| 215 ScopedTestRoot scoped_root(root_cert); | 228 ScopedTestRoot scoped_root(root_cert.get()); |
| 216 | 229 |
| 217 X509Certificate::OSCertHandles intermediates; | 230 X509Certificate::OSCertHandles intermediates; |
| 218 intermediates.push_back(intermediate_cert->os_cert_handle()); | 231 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 219 scoped_refptr<X509Certificate> cert_chain = | 232 scoped_refptr<X509Certificate> cert_chain = |
| 220 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 233 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 221 intermediates); | 234 intermediates); |
| 222 | 235 |
| 223 int flags = 0; | 236 int flags = 0; |
| 224 CertVerifyResult verify_result; | 237 CertVerifyResult verify_result; |
| 225 int error = Verify(cert_chain, "www.us.army.mil", flags, NULL, | 238 int error = Verify(cert_chain.get(), |
| 226 empty_cert_list_, &verify_result); | 239 "www.us.army.mil", |
| 240 flags, |
| 241 NULL, |
| 242 empty_cert_list_, |
| 243 &verify_result); |
| 227 if (error == OK) { | 244 if (error == OK) { |
| 228 EXPECT_EQ(0U, verify_result.cert_status); | 245 EXPECT_EQ(0U, verify_result.cert_status); |
| 229 } else { | 246 } else { |
| 230 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 247 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 231 EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status); | 248 EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status); |
| 232 } | 249 } |
| 233 } | 250 } |
| 234 | 251 |
| 235 | 252 |
| 236 // Test for bug 58437. | 253 // Test for bug 58437. |
| (...skipping 18 matching lines...) Expand all Loading... |
| 255 | 272 |
| 256 X509Certificate::OSCertHandles intermediates; | 273 X509Certificate::OSCertHandles intermediates; |
| 257 intermediates.push_back(intermediate_cert->os_cert_handle()); | 274 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 258 scoped_refptr<X509Certificate> cert_chain = | 275 scoped_refptr<X509Certificate> cert_chain = |
| 259 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 276 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 260 intermediates); | 277 intermediates); |
| 261 | 278 |
| 262 CertVerifyResult verify_result; | 279 CertVerifyResult verify_result; |
| 263 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED | | 280 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED | |
| 264 CertVerifier::VERIFY_EV_CERT; | 281 CertVerifier::VERIFY_EV_CERT; |
| 265 int error = Verify(cert_chain, "2029.globalsign.com", flags, NULL, | 282 int error = Verify(cert_chain.get(), |
| 266 empty_cert_list_, &verify_result); | 283 "2029.globalsign.com", |
| 284 flags, |
| 285 NULL, |
| 286 empty_cert_list_, |
| 287 &verify_result); |
| 267 if (error == OK) | 288 if (error == OK) |
| 268 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 289 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 269 else | 290 else |
| 270 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 291 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 271 } | 292 } |
| 272 | 293 |
| 273 // Test that verifying an ECDSA certificate doesn't crash on XP. (See | 294 // Test that verifying an ECDSA certificate doesn't crash on XP. (See |
| 274 // crbug.com/144466). | 295 // crbug.com/144466). |
| 275 TEST_F(CertVerifyProcTest, ECDSA_RSA) { | 296 TEST_F(CertVerifyProcTest, ECDSA_RSA) { |
| 276 base::FilePath certs_dir = GetTestCertsDirectory(); | 297 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 277 | 298 |
| 278 scoped_refptr<X509Certificate> cert = | 299 scoped_refptr<X509Certificate> cert = |
| 279 ImportCertFromFile(certs_dir, | 300 ImportCertFromFile(certs_dir, |
| 280 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); | 301 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); |
| 281 | 302 |
| 282 CertVerifyResult verify_result; | 303 CertVerifyResult verify_result; |
| 283 Verify(cert, "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result); | 304 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result); |
| 284 | 305 |
| 285 // We don't check verify_result because the certificate is signed by an | 306 // We don't check verify_result because the certificate is signed by an |
| 286 // unknown CA and will be considered invalid on XP because of the ECDSA | 307 // unknown CA and will be considered invalid on XP because of the ECDSA |
| 287 // public key. | 308 // public key. |
| 288 } | 309 } |
| 289 | 310 |
| 290 // Currently, only RSA and DSA keys are checked for weakness, and our example | 311 // Currently, only RSA and DSA keys are checked for weakness, and our example |
| 291 // weak size is 768. These could change in the future. | 312 // weak size is 768. These could change in the future. |
| 292 // | 313 // |
| 293 // Note that this means there may be false negatives: keys for other | 314 // Note that this means there may be false negatives: keys for other |
| (...skipping 27 matching lines...) Expand all Loading... |
| 321 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP; | 342 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP; |
| 322 #endif | 343 #endif |
| 323 | 344 |
| 324 if (use_ecdsa) | 345 if (use_ecdsa) |
| 325 key_types.push_back("prime256v1-ecdsa"); | 346 key_types.push_back("prime256v1-ecdsa"); |
| 326 | 347 |
| 327 // Add the root that signed the intermediates for this test. | 348 // Add the root that signed the intermediates for this test. |
| 328 scoped_refptr<X509Certificate> root_cert = | 349 scoped_refptr<X509Certificate> root_cert = |
| 329 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | 350 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); |
| 330 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | 351 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
| 331 ScopedTestRoot scoped_root(root_cert); | 352 ScopedTestRoot scoped_root(root_cert.get()); |
| 332 | 353 |
| 333 // Now test each chain. | 354 // Now test each chain. |
| 334 for (Strings::const_iterator ee_type = key_types.begin(); | 355 for (Strings::const_iterator ee_type = key_types.begin(); |
| 335 ee_type != key_types.end(); ++ee_type) { | 356 ee_type != key_types.end(); ++ee_type) { |
| 336 for (Strings::const_iterator signer_type = key_types.begin(); | 357 for (Strings::const_iterator signer_type = key_types.begin(); |
| 337 signer_type != key_types.end(); ++signer_type) { | 358 signer_type != key_types.end(); ++signer_type) { |
| 338 std::string basename = *ee_type + "-ee-by-" + *signer_type + | 359 std::string basename = *ee_type + "-ee-by-" + *signer_type + |
| 339 "-intermediate.pem"; | 360 "-intermediate.pem"; |
| 340 SCOPED_TRACE(basename); | 361 SCOPED_TRACE(basename); |
| 341 scoped_refptr<X509Certificate> ee_cert = | 362 scoped_refptr<X509Certificate> ee_cert = |
| 342 ImportCertFromFile(certs_dir, basename); | 363 ImportCertFromFile(certs_dir, basename); |
| 343 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | 364 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); |
| 344 | 365 |
| 345 basename = *signer_type + "-intermediate.pem"; | 366 basename = *signer_type + "-intermediate.pem"; |
| 346 scoped_refptr<X509Certificate> intermediate = | 367 scoped_refptr<X509Certificate> intermediate = |
| 347 ImportCertFromFile(certs_dir, basename); | 368 ImportCertFromFile(certs_dir, basename); |
| 348 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); | 369 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); |
| 349 | 370 |
| 350 X509Certificate::OSCertHandles intermediates; | 371 X509Certificate::OSCertHandles intermediates; |
| 351 intermediates.push_back(intermediate->os_cert_handle()); | 372 intermediates.push_back(intermediate->os_cert_handle()); |
| 352 scoped_refptr<X509Certificate> cert_chain = | 373 scoped_refptr<X509Certificate> cert_chain = |
| 353 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 374 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
| 354 intermediates); | 375 intermediates); |
| 355 | 376 |
| 356 CertVerifyResult verify_result; | 377 CertVerifyResult verify_result; |
| 357 int error = Verify(cert_chain, "127.0.0.1", 0, NULL, | 378 int error = Verify(cert_chain.get(), |
| 358 empty_cert_list_, &verify_result); | 379 "127.0.0.1", |
| 380 0, |
| 381 NULL, |
| 382 empty_cert_list_, |
| 383 &verify_result); |
| 359 | 384 |
| 360 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { | 385 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { |
| 361 EXPECT_NE(OK, error); | 386 EXPECT_NE(OK, error); |
| 362 EXPECT_EQ(CERT_STATUS_WEAK_KEY, | 387 EXPECT_EQ(CERT_STATUS_WEAK_KEY, |
| 363 verify_result.cert_status & CERT_STATUS_WEAK_KEY); | 388 verify_result.cert_status & CERT_STATUS_WEAK_KEY); |
| 364 EXPECT_NE(CERT_STATUS_INVALID, | 389 EXPECT_NE(CERT_STATUS_INVALID, |
| 365 verify_result.cert_status & CERT_STATUS_INVALID); | 390 verify_result.cert_status & CERT_STATUS_INVALID); |
| 366 } else { | 391 } else { |
| 367 EXPECT_EQ(OK, error); | 392 EXPECT_EQ(OK, error); |
| 368 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); | 393 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); |
| (...skipping 23 matching lines...) Expand all Loading... |
| 392 | 417 |
| 393 X509Certificate::OSCertHandles intermediates; | 418 X509Certificate::OSCertHandles intermediates; |
| 394 intermediates.push_back(intermediate_cert->os_cert_handle()); | 419 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 395 intermediates.push_back(md5_root_cert->os_cert_handle()); | 420 intermediates.push_back(md5_root_cert->os_cert_handle()); |
| 396 scoped_refptr<X509Certificate> cert_chain = | 421 scoped_refptr<X509Certificate> cert_chain = |
| 397 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 422 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 398 intermediates); | 423 intermediates); |
| 399 | 424 |
| 400 CertVerifyResult verify_result; | 425 CertVerifyResult verify_result; |
| 401 int flags = 0; | 426 int flags = 0; |
| 402 int error = Verify(cert_chain, "images.etrade.wallst.com", flags, NULL, | 427 int error = Verify(cert_chain.get(), |
| 403 empty_cert_list_, &verify_result); | 428 "images.etrade.wallst.com", |
| 429 flags, |
| 430 NULL, |
| 431 empty_cert_list_, |
| 432 &verify_result); |
| 404 if (error != OK) | 433 if (error != OK) |
| 405 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 434 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 406 | 435 |
| 407 EXPECT_FALSE(verify_result.has_md5); | 436 EXPECT_FALSE(verify_result.has_md5); |
| 408 EXPECT_FALSE(verify_result.has_md5_ca); | 437 EXPECT_FALSE(verify_result.has_md5_ca); |
| 409 } | 438 } |
| 410 | 439 |
| 411 // Test for bug 94673. | 440 // Test for bug 94673. |
| 412 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) { | 441 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) { |
| 413 base::FilePath certs_dir = GetTestCertsDirectory(); | 442 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 414 | 443 |
| 415 scoped_refptr<X509Certificate> server_cert = | 444 scoped_refptr<X509Certificate> server_cert = |
| 416 ImportCertFromFile(certs_dir, "google_diginotar.pem"); | 445 ImportCertFromFile(certs_dir, "google_diginotar.pem"); |
| 417 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 446 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 418 | 447 |
| 419 scoped_refptr<X509Certificate> intermediate_cert = | 448 scoped_refptr<X509Certificate> intermediate_cert = |
| 420 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); | 449 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); |
| 421 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 450 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
| 422 | 451 |
| 423 X509Certificate::OSCertHandles intermediates; | 452 X509Certificate::OSCertHandles intermediates; |
| 424 intermediates.push_back(intermediate_cert->os_cert_handle()); | 453 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 425 scoped_refptr<X509Certificate> cert_chain = | 454 scoped_refptr<X509Certificate> cert_chain = |
| 426 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 455 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
| 427 intermediates); | 456 intermediates); |
| 428 | 457 |
| 429 CertVerifyResult verify_result; | 458 CertVerifyResult verify_result; |
| 430 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED; | 459 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED; |
| 431 int error = Verify(cert_chain, "mail.google.com", flags, NULL, | 460 int error = Verify(cert_chain.get(), |
| 432 empty_cert_list_, &verify_result); | 461 "mail.google.com", |
| 462 flags, |
| 463 NULL, |
| 464 empty_cert_list_, |
| 465 &verify_result); |
| 433 EXPECT_NE(OK, error); | 466 EXPECT_NE(OK, error); |
| 434 | 467 |
| 435 // Now turn off revocation checking. Certificate verification should still | 468 // Now turn off revocation checking. Certificate verification should still |
| 436 // fail. | 469 // fail. |
| 437 flags = 0; | 470 flags = 0; |
| 438 error = Verify(cert_chain, "mail.google.com", flags, NULL, | 471 error = Verify(cert_chain.get(), |
| 439 empty_cert_list_, &verify_result); | 472 "mail.google.com", |
| 473 flags, |
| 474 NULL, |
| 475 empty_cert_list_, |
| 476 &verify_result); |
| 440 EXPECT_NE(OK, error); | 477 EXPECT_NE(OK, error); |
| 441 } | 478 } |
| 442 | 479 |
| 443 TEST_F(CertVerifyProcTest, DigiNotarCerts) { | 480 TEST_F(CertVerifyProcTest, DigiNotarCerts) { |
| 444 static const char* const kDigiNotarFilenames[] = { | 481 static const char* const kDigiNotarFilenames[] = { |
| 445 "diginotar_root_ca.pem", | 482 "diginotar_root_ca.pem", |
| 446 "diginotar_cyber_ca.pem", | 483 "diginotar_cyber_ca.pem", |
| 447 "diginotar_services_1024_ca.pem", | 484 "diginotar_services_1024_ca.pem", |
| 448 "diginotar_pkioverheid.pem", | 485 "diginotar_pkioverheid.pem", |
| 449 "diginotar_pkioverheid_g2.pem", | 486 "diginotar_pkioverheid_g2.pem", |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 486 intermediates.push_back(certs[2]->os_cert_handle()); | 523 intermediates.push_back(certs[2]->os_cert_handle()); |
| 487 | 524 |
| 488 scoped_refptr<X509Certificate> cert_chain = | 525 scoped_refptr<X509Certificate> cert_chain = |
| 489 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 526 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 490 intermediates); | 527 intermediates); |
| 491 | 528 |
| 492 int flags = 0; | 529 int flags = 0; |
| 493 CertVerifyResult verify_result; | 530 CertVerifyResult verify_result; |
| 494 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug | 531 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug |
| 495 // against agl. See also PublicKeyHashes. | 532 // against agl. See also PublicKeyHashes. |
| 496 int error = Verify(cert_chain, "cert.se", flags, NULL, | 533 int error = Verify(cert_chain.get(), |
| 497 empty_cert_list_, &verify_result); | 534 "cert.se", |
| 535 flags, |
| 536 NULL, |
| 537 empty_cert_list_, |
| 538 &verify_result); |
| 498 EXPECT_EQ(OK, error); | 539 EXPECT_EQ(OK, error); |
| 499 EXPECT_EQ(0U, verify_result.cert_status); | 540 EXPECT_EQ(0U, verify_result.cert_status); |
| 500 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 541 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
| 501 } | 542 } |
| 502 | 543 |
| 503 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 544 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
| 504 base::FilePath certs_dir = GetTestCertsDirectory(); | 545 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 505 CertificateList certs = CreateCertificateListFromFile( | 546 CertificateList certs = CreateCertificateListFromFile( |
| 506 certs_dir, "certse.pem", X509Certificate::FORMAT_AUTO); | 547 certs_dir, "certse.pem", X509Certificate::FORMAT_AUTO); |
| 507 ASSERT_EQ(3U, certs.size()); | 548 ASSERT_EQ(3U, certs.size()); |
| 508 | 549 |
| 509 X509Certificate::OSCertHandles intermediates; | 550 X509Certificate::OSCertHandles intermediates; |
| 510 intermediates.push_back(certs[1]->os_cert_handle()); | 551 intermediates.push_back(certs[1]->os_cert_handle()); |
| 511 intermediates.push_back(certs[2]->os_cert_handle()); | 552 intermediates.push_back(certs[2]->os_cert_handle()); |
| 512 | 553 |
| 513 scoped_refptr<X509Certificate> cert_chain = | 554 scoped_refptr<X509Certificate> cert_chain = |
| 514 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 555 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 515 intermediates); | 556 intermediates); |
| 516 int flags = 0; | 557 int flags = 0; |
| 517 CertVerifyResult verify_result; | 558 CertVerifyResult verify_result; |
| 518 | 559 |
| 519 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug | 560 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug |
| 520 // against agl. See also TestKnownRoot. | 561 // against agl. See also TestKnownRoot. |
| 521 int error = Verify(cert_chain, "cert.se", flags, NULL, | 562 int error = Verify(cert_chain.get(), |
| 522 empty_cert_list_, &verify_result); | 563 "cert.se", |
| 564 flags, |
| 565 NULL, |
| 566 empty_cert_list_, |
| 567 &verify_result); |
| 523 EXPECT_EQ(OK, error); | 568 EXPECT_EQ(OK, error); |
| 524 EXPECT_EQ(0U, verify_result.cert_status); | 569 EXPECT_EQ(0U, verify_result.cert_status); |
| 525 ASSERT_LE(3u, verify_result.public_key_hashes.size()); | 570 ASSERT_LE(3u, verify_result.public_key_hashes.size()); |
| 526 | 571 |
| 527 HashValueVector sha1_hashes; | 572 HashValueVector sha1_hashes; |
| 528 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 573 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
| 529 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 574 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
| 530 continue; | 575 continue; |
| 531 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 576 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
| 532 } | 577 } |
| (...skipping 23 matching lines...) Expand all Loading... |
| 556 // the keyEncipherment bit. | 601 // the keyEncipherment bit. |
| 557 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 602 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
| 558 base::FilePath certs_dir = GetTestCertsDirectory(); | 603 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 559 | 604 |
| 560 scoped_refptr<X509Certificate> server_cert = | 605 scoped_refptr<X509Certificate> server_cert = |
| 561 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); | 606 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); |
| 562 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 607 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 563 | 608 |
| 564 int flags = 0; | 609 int flags = 0; |
| 565 CertVerifyResult verify_result; | 610 CertVerifyResult verify_result; |
| 566 int error = Verify(server_cert, "jira.aquameta.com", flags, NULL, | 611 int error = Verify(server_cert.get(), |
| 567 empty_cert_list_, &verify_result); | 612 "jira.aquameta.com", |
| 613 flags, |
| 614 NULL, |
| 615 empty_cert_list_, |
| 616 &verify_result); |
| 568 #if defined(USE_OPENSSL) && !defined(OS_ANDROID) | 617 #if defined(USE_OPENSSL) && !defined(OS_ANDROID) |
| 569 // This certificate has two errors: "invalid key usage" and "untrusted CA". | 618 // This certificate has two errors: "invalid key usage" and "untrusted CA". |
| 570 // However, OpenSSL returns only one (the latter), and we can't detect | 619 // However, OpenSSL returns only one (the latter), and we can't detect |
| 571 // the other errors. | 620 // the other errors. |
| 572 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 621 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 573 #else | 622 #else |
| 574 EXPECT_EQ(ERR_CERT_INVALID, error); | 623 EXPECT_EQ(ERR_CERT_INVALID, error); |
| 575 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | 624 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); |
| 576 #endif | 625 #endif |
| 577 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors | 626 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors |
| (...skipping 14 matching lines...) Expand all Loading... |
| 592 base::FilePath certs_dir = GetTestCertsDirectory(); | 641 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 593 CertificateList certs = CreateCertificateListFromFile( | 642 CertificateList certs = CreateCertificateListFromFile( |
| 594 certs_dir, "x509_verify_results.chain.pem", | 643 certs_dir, "x509_verify_results.chain.pem", |
| 595 X509Certificate::FORMAT_AUTO); | 644 X509Certificate::FORMAT_AUTO); |
| 596 ASSERT_EQ(3U, certs.size()); | 645 ASSERT_EQ(3U, certs.size()); |
| 597 | 646 |
| 598 X509Certificate::OSCertHandles intermediates; | 647 X509Certificate::OSCertHandles intermediates; |
| 599 intermediates.push_back(certs[1]->os_cert_handle()); | 648 intermediates.push_back(certs[1]->os_cert_handle()); |
| 600 intermediates.push_back(certs[2]->os_cert_handle()); | 649 intermediates.push_back(certs[2]->os_cert_handle()); |
| 601 | 650 |
| 602 ScopedTestRoot scoped_root(certs[2]); | 651 ScopedTestRoot scoped_root(certs[2].get()); |
| 603 | 652 |
| 604 scoped_refptr<X509Certificate> google_full_chain = | 653 scoped_refptr<X509Certificate> google_full_chain = |
| 605 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 654 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 606 intermediates); | 655 intermediates); |
| 607 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 656 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 608 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); | 657 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 609 | 658 |
| 610 CertVerifyResult verify_result; | 659 CertVerifyResult verify_result; |
| 611 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 660 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 612 int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, | 661 int error = Verify(google_full_chain.get(), |
| 613 empty_cert_list_, &verify_result); | 662 "127.0.0.1", |
| 663 0, |
| 664 NULL, |
| 665 empty_cert_list_, |
| 666 &verify_result); |
| 614 EXPECT_EQ(OK, error); | 667 EXPECT_EQ(OK, error); |
| 615 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 668 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 616 | 669 |
| 617 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 670 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 618 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 671 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 619 google_full_chain->os_cert_handle(), | 672 google_full_chain->os_cert_handle(), |
| 620 verify_result.verified_cert->os_cert_handle())); | 673 verify_result.verified_cert->os_cert_handle())); |
| 621 const X509Certificate::OSCertHandles& return_intermediates = | 674 const X509Certificate::OSCertHandles& return_intermediates = |
| 622 verify_result.verified_cert->GetIntermediateCertificates(); | 675 verify_result.verified_cert->GetIntermediateCertificates(); |
| 623 ASSERT_EQ(2U, return_intermediates.size()); | 676 ASSERT_EQ(2U, return_intermediates.size()); |
| (...skipping 12 matching lines...) Expand all Loading... |
| 636 GetTestCertsDirectory(), "ok_cert.pem", | 689 GetTestCertsDirectory(), "ok_cert.pem", |
| 637 X509Certificate::FORMAT_AUTO); | 690 X509Certificate::FORMAT_AUTO); |
| 638 ASSERT_EQ(1U, cert_list.size()); | 691 ASSERT_EQ(1U, cert_list.size()); |
| 639 scoped_refptr<X509Certificate> cert(cert_list[0]); | 692 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 640 | 693 |
| 641 CertVerifyResult verify_result; | 694 CertVerifyResult verify_result; |
| 642 int error = 0; | 695 int error = 0; |
| 643 | 696 |
| 644 // Intranet names for public CAs should be flagged: | 697 // Intranet names for public CAs should be flagged: |
| 645 verify_proc_ = new WellKnownCaCertVerifyProc(true); | 698 verify_proc_ = new WellKnownCaCertVerifyProc(true); |
| 646 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | 699 error = |
| 647 &verify_result); | 700 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); |
| 648 EXPECT_EQ(OK, error); | 701 EXPECT_EQ(OK, error); |
| 649 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 702 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 650 | 703 |
| 651 // However, if the CA is not well known, these should not be flagged: | 704 // However, if the CA is not well known, these should not be flagged: |
| 652 verify_proc_ = new WellKnownCaCertVerifyProc(false); | 705 verify_proc_ = new WellKnownCaCertVerifyProc(false); |
| 653 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | 706 error = |
| 654 &verify_result); | 707 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); |
| 655 EXPECT_EQ(OK, error); | 708 EXPECT_EQ(OK, error); |
| 656 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 709 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
| 657 } | 710 } |
| 658 | 711 |
| 659 // Test that the certificate returned in CertVerifyResult is able to reorder | 712 // Test that the certificate returned in CertVerifyResult is able to reorder |
| 660 // certificates that are not ordered from end-entity to root. While this is | 713 // certificates that are not ordered from end-entity to root. While this is |
| 661 // a protocol violation if sent during a TLS handshake, if multiple sources | 714 // a protocol violation if sent during a TLS handshake, if multiple sources |
| 662 // of intermediate certificates are combined, it's possible that order may | 715 // of intermediate certificates are combined, it's possible that order may |
| 663 // not be maintained. | 716 // not be maintained. |
| 664 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { | 717 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { |
| 665 base::FilePath certs_dir = GetTestCertsDirectory(); | 718 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 666 CertificateList certs = CreateCertificateListFromFile( | 719 CertificateList certs = CreateCertificateListFromFile( |
| 667 certs_dir, "x509_verify_results.chain.pem", | 720 certs_dir, "x509_verify_results.chain.pem", |
| 668 X509Certificate::FORMAT_AUTO); | 721 X509Certificate::FORMAT_AUTO); |
| 669 ASSERT_EQ(3U, certs.size()); | 722 ASSERT_EQ(3U, certs.size()); |
| 670 | 723 |
| 671 // Construct the chain out of order. | 724 // Construct the chain out of order. |
| 672 X509Certificate::OSCertHandles intermediates; | 725 X509Certificate::OSCertHandles intermediates; |
| 673 intermediates.push_back(certs[2]->os_cert_handle()); | 726 intermediates.push_back(certs[2]->os_cert_handle()); |
| 674 intermediates.push_back(certs[1]->os_cert_handle()); | 727 intermediates.push_back(certs[1]->os_cert_handle()); |
| 675 | 728 |
| 676 ScopedTestRoot scoped_root(certs[2]); | 729 ScopedTestRoot scoped_root(certs[2].get()); |
| 677 | 730 |
| 678 scoped_refptr<X509Certificate> google_full_chain = | 731 scoped_refptr<X509Certificate> google_full_chain = |
| 679 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 732 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 680 intermediates); | 733 intermediates); |
| 681 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 734 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 682 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); | 735 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
| 683 | 736 |
| 684 CertVerifyResult verify_result; | 737 CertVerifyResult verify_result; |
| 685 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 738 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 686 int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, | 739 int error = Verify(google_full_chain.get(), |
| 687 empty_cert_list_, &verify_result); | 740 "127.0.0.1", |
| 741 0, |
| 742 NULL, |
| 743 empty_cert_list_, |
| 744 &verify_result); |
| 688 EXPECT_EQ(OK, error); | 745 EXPECT_EQ(OK, error); |
| 689 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 746 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 690 | 747 |
| 691 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 748 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 692 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 749 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 693 google_full_chain->os_cert_handle(), | 750 google_full_chain->os_cert_handle(), |
| 694 verify_result.verified_cert->os_cert_handle())); | 751 verify_result.verified_cert->os_cert_handle())); |
| 695 const X509Certificate::OSCertHandles& return_intermediates = | 752 const X509Certificate::OSCertHandles& return_intermediates = |
| 696 verify_result.verified_cert->GetIntermediateCertificates(); | 753 verify_result.verified_cert->GetIntermediateCertificates(); |
| 697 ASSERT_EQ(2U, return_intermediates.size()); | 754 ASSERT_EQ(2U, return_intermediates.size()); |
| 698 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], | 755 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
| 699 certs[1]->os_cert_handle())); | 756 certs[1]->os_cert_handle())); |
| 700 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], | 757 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
| 701 certs[2]->os_cert_handle())); | 758 certs[2]->os_cert_handle())); |
| 702 } | 759 } |
| 703 | 760 |
| 704 // Test that Verify() filters out certificates which are not related to | 761 // Test that Verify() filters out certificates which are not related to |
| 705 // or part of the certificate chain being verified. | 762 // or part of the certificate chain being verified. |
| 706 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { | 763 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { |
| 707 base::FilePath certs_dir = GetTestCertsDirectory(); | 764 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 708 CertificateList certs = CreateCertificateListFromFile( | 765 CertificateList certs = CreateCertificateListFromFile( |
| 709 certs_dir, "x509_verify_results.chain.pem", | 766 certs_dir, "x509_verify_results.chain.pem", |
| 710 X509Certificate::FORMAT_AUTO); | 767 X509Certificate::FORMAT_AUTO); |
| 711 ASSERT_EQ(3U, certs.size()); | 768 ASSERT_EQ(3U, certs.size()); |
| 712 ScopedTestRoot scoped_root(certs[2]); | 769 ScopedTestRoot scoped_root(certs[2].get()); |
| 713 | 770 |
| 714 scoped_refptr<X509Certificate> unrelated_dod_certificate = | 771 scoped_refptr<X509Certificate> unrelated_dod_certificate = |
| 715 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | 772 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); |
| 716 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = | 773 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = |
| 717 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | 774 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); |
| 718 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); | 775 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); |
| 719 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); | 776 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); |
| 720 | 777 |
| 721 // Interject unrelated certificates into the list of intermediates. | 778 // Interject unrelated certificates into the list of intermediates. |
| 722 X509Certificate::OSCertHandles intermediates; | 779 X509Certificate::OSCertHandles intermediates; |
| 723 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); | 780 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); |
| 724 intermediates.push_back(certs[1]->os_cert_handle()); | 781 intermediates.push_back(certs[1]->os_cert_handle()); |
| 725 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); | 782 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); |
| 726 intermediates.push_back(certs[2]->os_cert_handle()); | 783 intermediates.push_back(certs[2]->os_cert_handle()); |
| 727 | 784 |
| 728 scoped_refptr<X509Certificate> google_full_chain = | 785 scoped_refptr<X509Certificate> google_full_chain = |
| 729 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 786 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 730 intermediates); | 787 intermediates); |
| 731 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 788 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
| 732 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); | 789 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); |
| 733 | 790 |
| 734 CertVerifyResult verify_result; | 791 CertVerifyResult verify_result; |
| 735 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 792 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 736 int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, | 793 int error = Verify(google_full_chain.get(), |
| 737 empty_cert_list_, &verify_result); | 794 "127.0.0.1", |
| 795 0, |
| 796 NULL, |
| 797 empty_cert_list_, |
| 798 &verify_result); |
| 738 EXPECT_EQ(OK, error); | 799 EXPECT_EQ(OK, error); |
| 739 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 800 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
| 740 | 801 |
| 741 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 802 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
| 742 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 803 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
| 743 google_full_chain->os_cert_handle(), | 804 google_full_chain->os_cert_handle(), |
| 744 verify_result.verified_cert->os_cert_handle())); | 805 verify_result.verified_cert->os_cert_handle())); |
| 745 const X509Certificate::OSCertHandles& return_intermediates = | 806 const X509Certificate::OSCertHandles& return_intermediates = |
| 746 verify_result.verified_cert->GetIntermediateCertificates(); | 807 verify_result.verified_cert->GetIntermediateCertificates(); |
| 747 ASSERT_EQ(2U, return_intermediates.size()); | 808 ASSERT_EQ(2U, return_intermediates.size()); |
| (...skipping 19 matching lines...) Expand all Loading... |
| 767 CertificateList cert_list = CreateCertificateListFromFile( | 828 CertificateList cert_list = CreateCertificateListFromFile( |
| 768 GetTestCertsDirectory(), "ok_cert.pem", | 829 GetTestCertsDirectory(), "ok_cert.pem", |
| 769 X509Certificate::FORMAT_AUTO); | 830 X509Certificate::FORMAT_AUTO); |
| 770 ASSERT_EQ(1U, cert_list.size()); | 831 ASSERT_EQ(1U, cert_list.size()); |
| 771 scoped_refptr<X509Certificate> cert(cert_list[0]); | 832 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 772 | 833 |
| 773 // Verification of |cert| fails when |ca_cert| is not in the trust anchors | 834 // Verification of |cert| fails when |ca_cert| is not in the trust anchors |
| 774 // list. | 835 // list. |
| 775 int flags = 0; | 836 int flags = 0; |
| 776 CertVerifyResult verify_result; | 837 CertVerifyResult verify_result; |
| 777 int error = Verify(cert, "127.0.0.1", flags, NULL, | 838 int error = Verify( |
| 778 empty_cert_list_, &verify_result); | 839 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
| 779 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 840 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 780 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 841 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 781 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 842 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
| 782 | 843 |
| 783 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass. | 844 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass. |
| 784 CertificateList trust_anchors; | 845 CertificateList trust_anchors; |
| 785 trust_anchors.push_back(ca_cert); | 846 trust_anchors.push_back(ca_cert); |
| 786 error = Verify(cert, "127.0.0.1", flags, NULL, trust_anchors, &verify_result); | 847 error = Verify( |
| 848 cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result); |
| 787 EXPECT_EQ(OK, error); | 849 EXPECT_EQ(OK, error); |
| 788 EXPECT_EQ(0U, verify_result.cert_status); | 850 EXPECT_EQ(0U, verify_result.cert_status); |
| 789 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor); | 851 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor); |
| 790 | 852 |
| 791 // Clearing the |trust_anchors| makes verification fail again (the cache | 853 // Clearing the |trust_anchors| makes verification fail again (the cache |
| 792 // should be skipped). | 854 // should be skipped). |
| 793 error = Verify(cert, "127.0.0.1", flags, NULL, | 855 error = Verify( |
| 794 empty_cert_list_, &verify_result); | 856 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
| 795 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 857 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 796 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 858 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 797 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 859 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
| 798 } | 860 } |
| 799 | 861 |
| 800 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) | 862 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) |
| 801 static const uint8 kCRLSetThawteSPKIBlocked[] = { | 863 static const uint8 kCRLSetThawteSPKIBlocked[] = { |
| 802 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, | 864 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, |
| 803 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, | 865 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, |
| 804 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, | 866 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, |
| (...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 855 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 917 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
| 856 | 918 |
| 857 X509Certificate::OSCertHandles intermediates; | 919 X509Certificate::OSCertHandles intermediates; |
| 858 intermediates.push_back(certs[1]->os_cert_handle()); | 920 intermediates.push_back(certs[1]->os_cert_handle()); |
| 859 | 921 |
| 860 scoped_refptr<X509Certificate> google_full_chain = | 922 scoped_refptr<X509Certificate> google_full_chain = |
| 861 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 923 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
| 862 intermediates); | 924 intermediates); |
| 863 | 925 |
| 864 CertVerifyResult verify_result; | 926 CertVerifyResult verify_result; |
| 865 int error = Verify(google_full_chain, "www.google.com", 0, NULL, | 927 int error = Verify(google_full_chain.get(), |
| 866 empty_cert_list_, &verify_result); | 928 "www.google.com", |
| 929 0, |
| 930 NULL, |
| 931 empty_cert_list_, |
| 932 &verify_result); |
| 867 EXPECT_EQ(OK, error); | 933 EXPECT_EQ(OK, error); |
| 868 | 934 |
| 869 // First test blocking by SPKI. | 935 // First test blocking by SPKI. |
| 870 base::StringPiece crl_set_bytes( | 936 base::StringPiece crl_set_bytes( |
| 871 reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked), | 937 reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked), |
| 872 sizeof(kCRLSetThawteSPKIBlocked)); | 938 sizeof(kCRLSetThawteSPKIBlocked)); |
| 873 scoped_refptr<CRLSet> crl_set; | 939 scoped_refptr<CRLSet> crl_set; |
| 874 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); | 940 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
| 875 | 941 |
| 876 error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(), | 942 error = Verify(google_full_chain.get(), |
| 877 empty_cert_list_, &verify_result); | 943 "www.google.com", |
| 944 0, |
| 945 crl_set.get(), |
| 946 empty_cert_list_, |
| 947 &verify_result); |
| 878 EXPECT_EQ(ERR_CERT_REVOKED, error); | 948 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 879 | 949 |
| 880 // Second, test revocation by serial number of a cert directly under the | 950 // Second, test revocation by serial number of a cert directly under the |
| 881 // root. | 951 // root. |
| 882 crl_set_bytes = base::StringPiece( | 952 crl_set_bytes = base::StringPiece( |
| 883 reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked), | 953 reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked), |
| 884 sizeof(kCRLSetThawteSerialBlocked)); | 954 sizeof(kCRLSetThawteSerialBlocked)); |
| 885 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); | 955 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
| 886 | 956 |
| 887 error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(), | 957 error = Verify(google_full_chain.get(), |
| 888 empty_cert_list_, &verify_result); | 958 "www.google.com", |
| 959 0, |
| 960 crl_set.get(), |
| 961 empty_cert_list_, |
| 962 &verify_result); |
| 889 EXPECT_EQ(ERR_CERT_REVOKED, error); | 963 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 890 | 964 |
| 891 // Lastly, test revocation by serial number of a certificate not under the | 965 // Lastly, test revocation by serial number of a certificate not under the |
| 892 // root. | 966 // root. |
| 893 crl_set_bytes = base::StringPiece( | 967 crl_set_bytes = base::StringPiece( |
| 894 reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked), | 968 reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked), |
| 895 sizeof(kCRLSetGoogleSerialBlocked)); | 969 sizeof(kCRLSetGoogleSerialBlocked)); |
| 896 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); | 970 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
| 897 | 971 |
| 898 error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(), | 972 error = Verify(google_full_chain.get(), |
| 899 empty_cert_list_, &verify_result); | 973 "www.google.com", |
| 974 0, |
| 975 crl_set.get(), |
| 976 empty_cert_list_, |
| 977 &verify_result); |
| 900 EXPECT_EQ(ERR_CERT_REVOKED, error); | 978 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 901 } | 979 } |
| 902 #endif | 980 #endif |
| 903 | 981 |
| 904 struct WeakDigestTestData { | 982 struct WeakDigestTestData { |
| 905 const char* root_cert_filename; | 983 const char* root_cert_filename; |
| 906 const char* intermediate_cert_filename; | 984 const char* intermediate_cert_filename; |
| 907 const char* ee_cert_filename; | 985 const char* ee_cert_filename; |
| 908 bool expected_has_md5; | 986 bool expected_has_md5; |
| 909 bool expected_has_md4; | 987 bool expected_has_md4; |
| (...skipping 23 matching lines...) Expand all Loading... |
| 933 | 1011 |
| 934 TEST_P(CertVerifyProcWeakDigestTest, Verify) { | 1012 TEST_P(CertVerifyProcWeakDigestTest, Verify) { |
| 935 WeakDigestTestData data = GetParam(); | 1013 WeakDigestTestData data = GetParam(); |
| 936 base::FilePath certs_dir = GetTestCertsDirectory(); | 1014 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 937 | 1015 |
| 938 ScopedTestRoot test_root; | 1016 ScopedTestRoot test_root; |
| 939 if (data.root_cert_filename) { | 1017 if (data.root_cert_filename) { |
| 940 scoped_refptr<X509Certificate> root_cert = | 1018 scoped_refptr<X509Certificate> root_cert = |
| 941 ImportCertFromFile(certs_dir, data.root_cert_filename); | 1019 ImportCertFromFile(certs_dir, data.root_cert_filename); |
| 942 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | 1020 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
| 943 test_root.Reset(root_cert); | 1021 test_root.Reset(root_cert.get()); |
| 944 } | 1022 } |
| 945 | 1023 |
| 946 scoped_refptr<X509Certificate> intermediate_cert = | 1024 scoped_refptr<X509Certificate> intermediate_cert = |
| 947 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); | 1025 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); |
| 948 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 1026 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
| 949 scoped_refptr<X509Certificate> ee_cert = | 1027 scoped_refptr<X509Certificate> ee_cert = |
| 950 ImportCertFromFile(certs_dir, data.ee_cert_filename); | 1028 ImportCertFromFile(certs_dir, data.ee_cert_filename); |
| 951 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | 1029 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); |
| 952 | 1030 |
| 953 X509Certificate::OSCertHandles intermediates; | 1031 X509Certificate::OSCertHandles intermediates; |
| 954 intermediates.push_back(intermediate_cert->os_cert_handle()); | 1032 intermediates.push_back(intermediate_cert->os_cert_handle()); |
| 955 | 1033 |
| 956 scoped_refptr<X509Certificate> ee_chain = | 1034 scoped_refptr<X509Certificate> ee_chain = |
| 957 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 1035 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
| 958 intermediates); | 1036 intermediates); |
| 959 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); | 1037 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); |
| 960 | 1038 |
| 961 int flags = 0; | 1039 int flags = 0; |
| 962 CertVerifyResult verify_result; | 1040 CertVerifyResult verify_result; |
| 963 int rv = Verify(ee_chain, "127.0.0.1", flags, NULL, | 1041 int rv = Verify(ee_chain.get(), |
| 964 empty_cert_list_, &verify_result); | 1042 "127.0.0.1", |
| 1043 flags, |
| 1044 NULL, |
| 1045 empty_cert_list_, |
| 1046 &verify_result); |
| 965 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); | 1047 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); |
| 966 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); | 1048 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); |
| 967 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); | 1049 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); |
| 968 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); | 1050 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); |
| 969 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); | 1051 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); |
| 970 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 1052 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
| 971 | 1053 |
| 972 // Ensure that MD4 and MD2 are tagged as invalid. | 1054 // Ensure that MD4 and MD2 are tagged as invalid. |
| 973 if (data.expected_has_md4 || data.expected_has_md2) { | 1055 if (data.expected_has_md4 || data.expected_has_md2) { |
| 974 EXPECT_EQ(CERT_STATUS_INVALID, | 1056 EXPECT_EQ(CERT_STATUS_INVALID, |
| (...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1207 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { | 1289 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { |
| 1208 const NonUniqueNameTestData& test_data = GetParam(); | 1290 const NonUniqueNameTestData& test_data = GetParam(); |
| 1209 | 1291 |
| 1210 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); | 1292 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); |
| 1211 } | 1293 } |
| 1212 | 1294 |
| 1213 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, | 1295 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, |
| 1214 testing::ValuesIn(kNonUniqueNameTestData)); | 1296 testing::ValuesIn(kNonUniqueNameTestData)); |
| 1215 | 1297 |
| 1216 } // namespace net | 1298 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 15829004:
Update net/ to use scoped_refptr<T>::get() rather than implicit "operator T*" (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src