OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
118 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 118 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
119 | 119 |
120 X509Certificate::OSCertHandles intermediates; | 120 X509Certificate::OSCertHandles intermediates; |
121 intermediates.push_back(certs[1]->os_cert_handle()); | 121 intermediates.push_back(certs[1]->os_cert_handle()); |
122 | 122 |
123 scoped_refptr<X509Certificate> google_full_chain = | 123 scoped_refptr<X509Certificate> google_full_chain = |
124 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 124 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
125 intermediates); | 125 intermediates); |
126 | 126 |
127 CertVerifyResult verify_result; | 127 CertVerifyResult verify_result; |
128 EXPECT_EQ(OK, Verify(google_full_chain, "www.google.com", 0 /* flags */, | 128 EXPECT_EQ(OK, |
129 NULL, empty_cert_list_, &verify_result)); | 129 Verify(google_full_chain.get(), |
| 130 "www.google.com", |
| 131 0 /* flags */, |
| 132 NULL, |
| 133 empty_cert_list_, |
| 134 &verify_result)); |
130 } | 135 } |
131 | 136 |
132 #if defined(OS_ANDROID) || defined(USE_OPENSSL) | 137 #if defined(OS_ANDROID) || defined(USE_OPENSSL) |
133 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 138 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
134 #define MAYBE_EVVerification DISABLED_EVVerification | 139 #define MAYBE_EVVerification DISABLED_EVVerification |
135 #else | 140 #else |
136 #define MAYBE_EVVerification EVVerification | 141 #define MAYBE_EVVerification EVVerification |
137 #endif | 142 #endif |
138 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { | 143 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { |
139 // This certificate will expire Jun 21, 2013. | 144 // This certificate will expire Jun 21, 2013. |
140 CertificateList certs = CreateCertificateListFromFile( | 145 CertificateList certs = CreateCertificateListFromFile( |
141 GetTestCertsDirectory(), | 146 GetTestCertsDirectory(), |
142 "comodo.chain.pem", | 147 "comodo.chain.pem", |
143 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 148 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
144 ASSERT_EQ(3U, certs.size()); | 149 ASSERT_EQ(3U, certs.size()); |
145 | 150 |
146 X509Certificate::OSCertHandles intermediates; | 151 X509Certificate::OSCertHandles intermediates; |
147 intermediates.push_back(certs[1]->os_cert_handle()); | 152 intermediates.push_back(certs[1]->os_cert_handle()); |
148 intermediates.push_back(certs[2]->os_cert_handle()); | 153 intermediates.push_back(certs[2]->os_cert_handle()); |
149 | 154 |
150 scoped_refptr<X509Certificate> comodo_chain = | 155 scoped_refptr<X509Certificate> comodo_chain = |
151 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 156 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
152 intermediates); | 157 intermediates); |
153 | 158 |
154 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting()); | 159 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting()); |
155 CertVerifyResult verify_result; | 160 CertVerifyResult verify_result; |
156 int flags = CertVerifier::VERIFY_EV_CERT; | 161 int flags = CertVerifier::VERIFY_EV_CERT; |
157 int error = Verify(comodo_chain, "comodo.com", flags, crl_set.get(), | 162 int error = Verify(comodo_chain.get(), |
158 empty_cert_list_, &verify_result); | 163 "comodo.com", |
| 164 flags, |
| 165 crl_set.get(), |
| 166 empty_cert_list_, |
| 167 &verify_result); |
159 EXPECT_EQ(OK, error); | 168 EXPECT_EQ(OK, error); |
160 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 169 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
161 } | 170 } |
162 | 171 |
163 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { | 172 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { |
164 scoped_refptr<X509Certificate> paypal_null_cert( | 173 scoped_refptr<X509Certificate> paypal_null_cert( |
165 X509Certificate::CreateFromBytes( | 174 X509Certificate::CreateFromBytes( |
166 reinterpret_cast<const char*>(paypal_null_der), | 175 reinterpret_cast<const char*>(paypal_null_der), |
167 sizeof(paypal_null_der))); | 176 sizeof(paypal_null_der))); |
168 | 177 |
169 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); | 178 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); |
170 | 179 |
171 const SHA1HashValue& fingerprint = | 180 const SHA1HashValue& fingerprint = |
172 paypal_null_cert->fingerprint(); | 181 paypal_null_cert->fingerprint(); |
173 for (size_t i = 0; i < 20; ++i) | 182 for (size_t i = 0; i < 20; ++i) |
174 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); | 183 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); |
175 | 184 |
176 int flags = 0; | 185 int flags = 0; |
177 CertVerifyResult verify_result; | 186 CertVerifyResult verify_result; |
178 int error = Verify(paypal_null_cert, "www.paypal.com", flags, NULL, | 187 int error = Verify(paypal_null_cert.get(), |
179 empty_cert_list_, &verify_result); | 188 "www.paypal.com", |
| 189 flags, |
| 190 NULL, |
| 191 empty_cert_list_, |
| 192 &verify_result); |
180 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID) | 193 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID) |
181 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); | 194 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); |
182 #else | 195 #else |
183 // TOOD(bulach): investigate why macosx and win aren't returning | 196 // TOOD(bulach): investigate why macosx and win aren't returning |
184 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. | 197 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. |
185 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 198 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
186 #endif | 199 #endif |
187 // Either the system crypto library should correctly report a certificate | 200 // Either the system crypto library should correctly report a certificate |
188 // name mismatch, or our certificate blacklist should cause us to report an | 201 // name mismatch, or our certificate blacklist should cause us to report an |
189 // invalid certificate. | 202 // invalid certificate. |
(...skipping 15 matching lines...) Expand all Loading... |
205 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 218 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
206 | 219 |
207 // The intermediate CA certificate's policyConstraints extension has a | 220 // The intermediate CA certificate's policyConstraints extension has a |
208 // requireExplicitPolicy field with SkipCerts=0. | 221 // requireExplicitPolicy field with SkipCerts=0. |
209 scoped_refptr<X509Certificate> intermediate_cert = | 222 scoped_refptr<X509Certificate> intermediate_cert = |
210 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | 223 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); |
211 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 224 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
212 | 225 |
213 scoped_refptr<X509Certificate> root_cert = | 226 scoped_refptr<X509Certificate> root_cert = |
214 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | 227 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); |
215 ScopedTestRoot scoped_root(root_cert); | 228 ScopedTestRoot scoped_root(root_cert.get()); |
216 | 229 |
217 X509Certificate::OSCertHandles intermediates; | 230 X509Certificate::OSCertHandles intermediates; |
218 intermediates.push_back(intermediate_cert->os_cert_handle()); | 231 intermediates.push_back(intermediate_cert->os_cert_handle()); |
219 scoped_refptr<X509Certificate> cert_chain = | 232 scoped_refptr<X509Certificate> cert_chain = |
220 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 233 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
221 intermediates); | 234 intermediates); |
222 | 235 |
223 int flags = 0; | 236 int flags = 0; |
224 CertVerifyResult verify_result; | 237 CertVerifyResult verify_result; |
225 int error = Verify(cert_chain, "www.us.army.mil", flags, NULL, | 238 int error = Verify(cert_chain.get(), |
226 empty_cert_list_, &verify_result); | 239 "www.us.army.mil", |
| 240 flags, |
| 241 NULL, |
| 242 empty_cert_list_, |
| 243 &verify_result); |
227 if (error == OK) { | 244 if (error == OK) { |
228 EXPECT_EQ(0U, verify_result.cert_status); | 245 EXPECT_EQ(0U, verify_result.cert_status); |
229 } else { | 246 } else { |
230 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 247 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
231 EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status); | 248 EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status); |
232 } | 249 } |
233 } | 250 } |
234 | 251 |
235 | 252 |
236 // Test for bug 58437. | 253 // Test for bug 58437. |
(...skipping 18 matching lines...) Expand all Loading... |
255 | 272 |
256 X509Certificate::OSCertHandles intermediates; | 273 X509Certificate::OSCertHandles intermediates; |
257 intermediates.push_back(intermediate_cert->os_cert_handle()); | 274 intermediates.push_back(intermediate_cert->os_cert_handle()); |
258 scoped_refptr<X509Certificate> cert_chain = | 275 scoped_refptr<X509Certificate> cert_chain = |
259 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 276 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
260 intermediates); | 277 intermediates); |
261 | 278 |
262 CertVerifyResult verify_result; | 279 CertVerifyResult verify_result; |
263 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED | | 280 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED | |
264 CertVerifier::VERIFY_EV_CERT; | 281 CertVerifier::VERIFY_EV_CERT; |
265 int error = Verify(cert_chain, "2029.globalsign.com", flags, NULL, | 282 int error = Verify(cert_chain.get(), |
266 empty_cert_list_, &verify_result); | 283 "2029.globalsign.com", |
| 284 flags, |
| 285 NULL, |
| 286 empty_cert_list_, |
| 287 &verify_result); |
267 if (error == OK) | 288 if (error == OK) |
268 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 289 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
269 else | 290 else |
270 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 291 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
271 } | 292 } |
272 | 293 |
273 // Test that verifying an ECDSA certificate doesn't crash on XP. (See | 294 // Test that verifying an ECDSA certificate doesn't crash on XP. (See |
274 // crbug.com/144466). | 295 // crbug.com/144466). |
275 TEST_F(CertVerifyProcTest, ECDSA_RSA) { | 296 TEST_F(CertVerifyProcTest, ECDSA_RSA) { |
276 base::FilePath certs_dir = GetTestCertsDirectory(); | 297 base::FilePath certs_dir = GetTestCertsDirectory(); |
277 | 298 |
278 scoped_refptr<X509Certificate> cert = | 299 scoped_refptr<X509Certificate> cert = |
279 ImportCertFromFile(certs_dir, | 300 ImportCertFromFile(certs_dir, |
280 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); | 301 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); |
281 | 302 |
282 CertVerifyResult verify_result; | 303 CertVerifyResult verify_result; |
283 Verify(cert, "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result); | 304 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result); |
284 | 305 |
285 // We don't check verify_result because the certificate is signed by an | 306 // We don't check verify_result because the certificate is signed by an |
286 // unknown CA and will be considered invalid on XP because of the ECDSA | 307 // unknown CA and will be considered invalid on XP because of the ECDSA |
287 // public key. | 308 // public key. |
288 } | 309 } |
289 | 310 |
290 // Currently, only RSA and DSA keys are checked for weakness, and our example | 311 // Currently, only RSA and DSA keys are checked for weakness, and our example |
291 // weak size is 768. These could change in the future. | 312 // weak size is 768. These could change in the future. |
292 // | 313 // |
293 // Note that this means there may be false negatives: keys for other | 314 // Note that this means there may be false negatives: keys for other |
(...skipping 27 matching lines...) Expand all Loading... |
321 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP; | 342 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP; |
322 #endif | 343 #endif |
323 | 344 |
324 if (use_ecdsa) | 345 if (use_ecdsa) |
325 key_types.push_back("prime256v1-ecdsa"); | 346 key_types.push_back("prime256v1-ecdsa"); |
326 | 347 |
327 // Add the root that signed the intermediates for this test. | 348 // Add the root that signed the intermediates for this test. |
328 scoped_refptr<X509Certificate> root_cert = | 349 scoped_refptr<X509Certificate> root_cert = |
329 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | 350 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); |
330 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | 351 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
331 ScopedTestRoot scoped_root(root_cert); | 352 ScopedTestRoot scoped_root(root_cert.get()); |
332 | 353 |
333 // Now test each chain. | 354 // Now test each chain. |
334 for (Strings::const_iterator ee_type = key_types.begin(); | 355 for (Strings::const_iterator ee_type = key_types.begin(); |
335 ee_type != key_types.end(); ++ee_type) { | 356 ee_type != key_types.end(); ++ee_type) { |
336 for (Strings::const_iterator signer_type = key_types.begin(); | 357 for (Strings::const_iterator signer_type = key_types.begin(); |
337 signer_type != key_types.end(); ++signer_type) { | 358 signer_type != key_types.end(); ++signer_type) { |
338 std::string basename = *ee_type + "-ee-by-" + *signer_type + | 359 std::string basename = *ee_type + "-ee-by-" + *signer_type + |
339 "-intermediate.pem"; | 360 "-intermediate.pem"; |
340 SCOPED_TRACE(basename); | 361 SCOPED_TRACE(basename); |
341 scoped_refptr<X509Certificate> ee_cert = | 362 scoped_refptr<X509Certificate> ee_cert = |
342 ImportCertFromFile(certs_dir, basename); | 363 ImportCertFromFile(certs_dir, basename); |
343 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | 364 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); |
344 | 365 |
345 basename = *signer_type + "-intermediate.pem"; | 366 basename = *signer_type + "-intermediate.pem"; |
346 scoped_refptr<X509Certificate> intermediate = | 367 scoped_refptr<X509Certificate> intermediate = |
347 ImportCertFromFile(certs_dir, basename); | 368 ImportCertFromFile(certs_dir, basename); |
348 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); | 369 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); |
349 | 370 |
350 X509Certificate::OSCertHandles intermediates; | 371 X509Certificate::OSCertHandles intermediates; |
351 intermediates.push_back(intermediate->os_cert_handle()); | 372 intermediates.push_back(intermediate->os_cert_handle()); |
352 scoped_refptr<X509Certificate> cert_chain = | 373 scoped_refptr<X509Certificate> cert_chain = |
353 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 374 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
354 intermediates); | 375 intermediates); |
355 | 376 |
356 CertVerifyResult verify_result; | 377 CertVerifyResult verify_result; |
357 int error = Verify(cert_chain, "127.0.0.1", 0, NULL, | 378 int error = Verify(cert_chain.get(), |
358 empty_cert_list_, &verify_result); | 379 "127.0.0.1", |
| 380 0, |
| 381 NULL, |
| 382 empty_cert_list_, |
| 383 &verify_result); |
359 | 384 |
360 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { | 385 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { |
361 EXPECT_NE(OK, error); | 386 EXPECT_NE(OK, error); |
362 EXPECT_EQ(CERT_STATUS_WEAK_KEY, | 387 EXPECT_EQ(CERT_STATUS_WEAK_KEY, |
363 verify_result.cert_status & CERT_STATUS_WEAK_KEY); | 388 verify_result.cert_status & CERT_STATUS_WEAK_KEY); |
364 EXPECT_NE(CERT_STATUS_INVALID, | 389 EXPECT_NE(CERT_STATUS_INVALID, |
365 verify_result.cert_status & CERT_STATUS_INVALID); | 390 verify_result.cert_status & CERT_STATUS_INVALID); |
366 } else { | 391 } else { |
367 EXPECT_EQ(OK, error); | 392 EXPECT_EQ(OK, error); |
368 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); | 393 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); |
(...skipping 23 matching lines...) Expand all Loading... |
392 | 417 |
393 X509Certificate::OSCertHandles intermediates; | 418 X509Certificate::OSCertHandles intermediates; |
394 intermediates.push_back(intermediate_cert->os_cert_handle()); | 419 intermediates.push_back(intermediate_cert->os_cert_handle()); |
395 intermediates.push_back(md5_root_cert->os_cert_handle()); | 420 intermediates.push_back(md5_root_cert->os_cert_handle()); |
396 scoped_refptr<X509Certificate> cert_chain = | 421 scoped_refptr<X509Certificate> cert_chain = |
397 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 422 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
398 intermediates); | 423 intermediates); |
399 | 424 |
400 CertVerifyResult verify_result; | 425 CertVerifyResult verify_result; |
401 int flags = 0; | 426 int flags = 0; |
402 int error = Verify(cert_chain, "images.etrade.wallst.com", flags, NULL, | 427 int error = Verify(cert_chain.get(), |
403 empty_cert_list_, &verify_result); | 428 "images.etrade.wallst.com", |
| 429 flags, |
| 430 NULL, |
| 431 empty_cert_list_, |
| 432 &verify_result); |
404 if (error != OK) | 433 if (error != OK) |
405 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 434 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
406 | 435 |
407 EXPECT_FALSE(verify_result.has_md5); | 436 EXPECT_FALSE(verify_result.has_md5); |
408 EXPECT_FALSE(verify_result.has_md5_ca); | 437 EXPECT_FALSE(verify_result.has_md5_ca); |
409 } | 438 } |
410 | 439 |
411 // Test for bug 94673. | 440 // Test for bug 94673. |
412 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) { | 441 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) { |
413 base::FilePath certs_dir = GetTestCertsDirectory(); | 442 base::FilePath certs_dir = GetTestCertsDirectory(); |
414 | 443 |
415 scoped_refptr<X509Certificate> server_cert = | 444 scoped_refptr<X509Certificate> server_cert = |
416 ImportCertFromFile(certs_dir, "google_diginotar.pem"); | 445 ImportCertFromFile(certs_dir, "google_diginotar.pem"); |
417 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 446 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
418 | 447 |
419 scoped_refptr<X509Certificate> intermediate_cert = | 448 scoped_refptr<X509Certificate> intermediate_cert = |
420 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); | 449 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); |
421 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 450 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
422 | 451 |
423 X509Certificate::OSCertHandles intermediates; | 452 X509Certificate::OSCertHandles intermediates; |
424 intermediates.push_back(intermediate_cert->os_cert_handle()); | 453 intermediates.push_back(intermediate_cert->os_cert_handle()); |
425 scoped_refptr<X509Certificate> cert_chain = | 454 scoped_refptr<X509Certificate> cert_chain = |
426 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | 455 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), |
427 intermediates); | 456 intermediates); |
428 | 457 |
429 CertVerifyResult verify_result; | 458 CertVerifyResult verify_result; |
430 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED; | 459 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED; |
431 int error = Verify(cert_chain, "mail.google.com", flags, NULL, | 460 int error = Verify(cert_chain.get(), |
432 empty_cert_list_, &verify_result); | 461 "mail.google.com", |
| 462 flags, |
| 463 NULL, |
| 464 empty_cert_list_, |
| 465 &verify_result); |
433 EXPECT_NE(OK, error); | 466 EXPECT_NE(OK, error); |
434 | 467 |
435 // Now turn off revocation checking. Certificate verification should still | 468 // Now turn off revocation checking. Certificate verification should still |
436 // fail. | 469 // fail. |
437 flags = 0; | 470 flags = 0; |
438 error = Verify(cert_chain, "mail.google.com", flags, NULL, | 471 error = Verify(cert_chain.get(), |
439 empty_cert_list_, &verify_result); | 472 "mail.google.com", |
| 473 flags, |
| 474 NULL, |
| 475 empty_cert_list_, |
| 476 &verify_result); |
440 EXPECT_NE(OK, error); | 477 EXPECT_NE(OK, error); |
441 } | 478 } |
442 | 479 |
443 TEST_F(CertVerifyProcTest, DigiNotarCerts) { | 480 TEST_F(CertVerifyProcTest, DigiNotarCerts) { |
444 static const char* const kDigiNotarFilenames[] = { | 481 static const char* const kDigiNotarFilenames[] = { |
445 "diginotar_root_ca.pem", | 482 "diginotar_root_ca.pem", |
446 "diginotar_cyber_ca.pem", | 483 "diginotar_cyber_ca.pem", |
447 "diginotar_services_1024_ca.pem", | 484 "diginotar_services_1024_ca.pem", |
448 "diginotar_pkioverheid.pem", | 485 "diginotar_pkioverheid.pem", |
449 "diginotar_pkioverheid_g2.pem", | 486 "diginotar_pkioverheid_g2.pem", |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
486 intermediates.push_back(certs[2]->os_cert_handle()); | 523 intermediates.push_back(certs[2]->os_cert_handle()); |
487 | 524 |
488 scoped_refptr<X509Certificate> cert_chain = | 525 scoped_refptr<X509Certificate> cert_chain = |
489 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 526 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
490 intermediates); | 527 intermediates); |
491 | 528 |
492 int flags = 0; | 529 int flags = 0; |
493 CertVerifyResult verify_result; | 530 CertVerifyResult verify_result; |
494 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug | 531 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug |
495 // against agl. See also PublicKeyHashes. | 532 // against agl. See also PublicKeyHashes. |
496 int error = Verify(cert_chain, "cert.se", flags, NULL, | 533 int error = Verify(cert_chain.get(), |
497 empty_cert_list_, &verify_result); | 534 "cert.se", |
| 535 flags, |
| 536 NULL, |
| 537 empty_cert_list_, |
| 538 &verify_result); |
498 EXPECT_EQ(OK, error); | 539 EXPECT_EQ(OK, error); |
499 EXPECT_EQ(0U, verify_result.cert_status); | 540 EXPECT_EQ(0U, verify_result.cert_status); |
500 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 541 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
501 } | 542 } |
502 | 543 |
503 TEST_F(CertVerifyProcTest, PublicKeyHashes) { | 544 TEST_F(CertVerifyProcTest, PublicKeyHashes) { |
504 base::FilePath certs_dir = GetTestCertsDirectory(); | 545 base::FilePath certs_dir = GetTestCertsDirectory(); |
505 CertificateList certs = CreateCertificateListFromFile( | 546 CertificateList certs = CreateCertificateListFromFile( |
506 certs_dir, "certse.pem", X509Certificate::FORMAT_AUTO); | 547 certs_dir, "certse.pem", X509Certificate::FORMAT_AUTO); |
507 ASSERT_EQ(3U, certs.size()); | 548 ASSERT_EQ(3U, certs.size()); |
508 | 549 |
509 X509Certificate::OSCertHandles intermediates; | 550 X509Certificate::OSCertHandles intermediates; |
510 intermediates.push_back(certs[1]->os_cert_handle()); | 551 intermediates.push_back(certs[1]->os_cert_handle()); |
511 intermediates.push_back(certs[2]->os_cert_handle()); | 552 intermediates.push_back(certs[2]->os_cert_handle()); |
512 | 553 |
513 scoped_refptr<X509Certificate> cert_chain = | 554 scoped_refptr<X509Certificate> cert_chain = |
514 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 555 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
515 intermediates); | 556 intermediates); |
516 int flags = 0; | 557 int flags = 0; |
517 CertVerifyResult verify_result; | 558 CertVerifyResult verify_result; |
518 | 559 |
519 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug | 560 // This will blow up, June 8th, 2014. Sorry! Please disable and file a bug |
520 // against agl. See also TestKnownRoot. | 561 // against agl. See also TestKnownRoot. |
521 int error = Verify(cert_chain, "cert.se", flags, NULL, | 562 int error = Verify(cert_chain.get(), |
522 empty_cert_list_, &verify_result); | 563 "cert.se", |
| 564 flags, |
| 565 NULL, |
| 566 empty_cert_list_, |
| 567 &verify_result); |
523 EXPECT_EQ(OK, error); | 568 EXPECT_EQ(OK, error); |
524 EXPECT_EQ(0U, verify_result.cert_status); | 569 EXPECT_EQ(0U, verify_result.cert_status); |
525 ASSERT_LE(3u, verify_result.public_key_hashes.size()); | 570 ASSERT_LE(3u, verify_result.public_key_hashes.size()); |
526 | 571 |
527 HashValueVector sha1_hashes; | 572 HashValueVector sha1_hashes; |
528 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { | 573 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { |
529 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) | 574 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) |
530 continue; | 575 continue; |
531 sha1_hashes.push_back(verify_result.public_key_hashes[i]); | 576 sha1_hashes.push_back(verify_result.public_key_hashes[i]); |
532 } | 577 } |
(...skipping 23 matching lines...) Expand all Loading... |
556 // the keyEncipherment bit. | 601 // the keyEncipherment bit. |
557 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { | 602 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { |
558 base::FilePath certs_dir = GetTestCertsDirectory(); | 603 base::FilePath certs_dir = GetTestCertsDirectory(); |
559 | 604 |
560 scoped_refptr<X509Certificate> server_cert = | 605 scoped_refptr<X509Certificate> server_cert = |
561 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); | 606 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); |
562 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 607 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
563 | 608 |
564 int flags = 0; | 609 int flags = 0; |
565 CertVerifyResult verify_result; | 610 CertVerifyResult verify_result; |
566 int error = Verify(server_cert, "jira.aquameta.com", flags, NULL, | 611 int error = Verify(server_cert.get(), |
567 empty_cert_list_, &verify_result); | 612 "jira.aquameta.com", |
| 613 flags, |
| 614 NULL, |
| 615 empty_cert_list_, |
| 616 &verify_result); |
568 #if defined(USE_OPENSSL) && !defined(OS_ANDROID) | 617 #if defined(USE_OPENSSL) && !defined(OS_ANDROID) |
569 // This certificate has two errors: "invalid key usage" and "untrusted CA". | 618 // This certificate has two errors: "invalid key usage" and "untrusted CA". |
570 // However, OpenSSL returns only one (the latter), and we can't detect | 619 // However, OpenSSL returns only one (the latter), and we can't detect |
571 // the other errors. | 620 // the other errors. |
572 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 621 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
573 #else | 622 #else |
574 EXPECT_EQ(ERR_CERT_INVALID, error); | 623 EXPECT_EQ(ERR_CERT_INVALID, error); |
575 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); | 624 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); |
576 #endif | 625 #endif |
577 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors | 626 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors |
(...skipping 14 matching lines...) Expand all Loading... |
592 base::FilePath certs_dir = GetTestCertsDirectory(); | 641 base::FilePath certs_dir = GetTestCertsDirectory(); |
593 CertificateList certs = CreateCertificateListFromFile( | 642 CertificateList certs = CreateCertificateListFromFile( |
594 certs_dir, "x509_verify_results.chain.pem", | 643 certs_dir, "x509_verify_results.chain.pem", |
595 X509Certificate::FORMAT_AUTO); | 644 X509Certificate::FORMAT_AUTO); |
596 ASSERT_EQ(3U, certs.size()); | 645 ASSERT_EQ(3U, certs.size()); |
597 | 646 |
598 X509Certificate::OSCertHandles intermediates; | 647 X509Certificate::OSCertHandles intermediates; |
599 intermediates.push_back(certs[1]->os_cert_handle()); | 648 intermediates.push_back(certs[1]->os_cert_handle()); |
600 intermediates.push_back(certs[2]->os_cert_handle()); | 649 intermediates.push_back(certs[2]->os_cert_handle()); |
601 | 650 |
602 ScopedTestRoot scoped_root(certs[2]); | 651 ScopedTestRoot scoped_root(certs[2].get()); |
603 | 652 |
604 scoped_refptr<X509Certificate> google_full_chain = | 653 scoped_refptr<X509Certificate> google_full_chain = |
605 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 654 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
606 intermediates); | 655 intermediates); |
607 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 656 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
608 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); | 657 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
609 | 658 |
610 CertVerifyResult verify_result; | 659 CertVerifyResult verify_result; |
611 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 660 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
612 int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, | 661 int error = Verify(google_full_chain.get(), |
613 empty_cert_list_, &verify_result); | 662 "127.0.0.1", |
| 663 0, |
| 664 NULL, |
| 665 empty_cert_list_, |
| 666 &verify_result); |
614 EXPECT_EQ(OK, error); | 667 EXPECT_EQ(OK, error); |
615 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 668 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
616 | 669 |
617 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 670 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
618 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 671 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
619 google_full_chain->os_cert_handle(), | 672 google_full_chain->os_cert_handle(), |
620 verify_result.verified_cert->os_cert_handle())); | 673 verify_result.verified_cert->os_cert_handle())); |
621 const X509Certificate::OSCertHandles& return_intermediates = | 674 const X509Certificate::OSCertHandles& return_intermediates = |
622 verify_result.verified_cert->GetIntermediateCertificates(); | 675 verify_result.verified_cert->GetIntermediateCertificates(); |
623 ASSERT_EQ(2U, return_intermediates.size()); | 676 ASSERT_EQ(2U, return_intermediates.size()); |
(...skipping 12 matching lines...) Expand all Loading... |
636 GetTestCertsDirectory(), "ok_cert.pem", | 689 GetTestCertsDirectory(), "ok_cert.pem", |
637 X509Certificate::FORMAT_AUTO); | 690 X509Certificate::FORMAT_AUTO); |
638 ASSERT_EQ(1U, cert_list.size()); | 691 ASSERT_EQ(1U, cert_list.size()); |
639 scoped_refptr<X509Certificate> cert(cert_list[0]); | 692 scoped_refptr<X509Certificate> cert(cert_list[0]); |
640 | 693 |
641 CertVerifyResult verify_result; | 694 CertVerifyResult verify_result; |
642 int error = 0; | 695 int error = 0; |
643 | 696 |
644 // Intranet names for public CAs should be flagged: | 697 // Intranet names for public CAs should be flagged: |
645 verify_proc_ = new WellKnownCaCertVerifyProc(true); | 698 verify_proc_ = new WellKnownCaCertVerifyProc(true); |
646 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | 699 error = |
647 &verify_result); | 700 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); |
648 EXPECT_EQ(OK, error); | 701 EXPECT_EQ(OK, error); |
649 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 702 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
650 | 703 |
651 // However, if the CA is not well known, these should not be flagged: | 704 // However, if the CA is not well known, these should not be flagged: |
652 verify_proc_ = new WellKnownCaCertVerifyProc(false); | 705 verify_proc_ = new WellKnownCaCertVerifyProc(false); |
653 error = Verify(cert, "intranet", 0, NULL, empty_cert_list_, | 706 error = |
654 &verify_result); | 707 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); |
655 EXPECT_EQ(OK, error); | 708 EXPECT_EQ(OK, error); |
656 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); | 709 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); |
657 } | 710 } |
658 | 711 |
659 // Test that the certificate returned in CertVerifyResult is able to reorder | 712 // Test that the certificate returned in CertVerifyResult is able to reorder |
660 // certificates that are not ordered from end-entity to root. While this is | 713 // certificates that are not ordered from end-entity to root. While this is |
661 // a protocol violation if sent during a TLS handshake, if multiple sources | 714 // a protocol violation if sent during a TLS handshake, if multiple sources |
662 // of intermediate certificates are combined, it's possible that order may | 715 // of intermediate certificates are combined, it's possible that order may |
663 // not be maintained. | 716 // not be maintained. |
664 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { | 717 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { |
665 base::FilePath certs_dir = GetTestCertsDirectory(); | 718 base::FilePath certs_dir = GetTestCertsDirectory(); |
666 CertificateList certs = CreateCertificateListFromFile( | 719 CertificateList certs = CreateCertificateListFromFile( |
667 certs_dir, "x509_verify_results.chain.pem", | 720 certs_dir, "x509_verify_results.chain.pem", |
668 X509Certificate::FORMAT_AUTO); | 721 X509Certificate::FORMAT_AUTO); |
669 ASSERT_EQ(3U, certs.size()); | 722 ASSERT_EQ(3U, certs.size()); |
670 | 723 |
671 // Construct the chain out of order. | 724 // Construct the chain out of order. |
672 X509Certificate::OSCertHandles intermediates; | 725 X509Certificate::OSCertHandles intermediates; |
673 intermediates.push_back(certs[2]->os_cert_handle()); | 726 intermediates.push_back(certs[2]->os_cert_handle()); |
674 intermediates.push_back(certs[1]->os_cert_handle()); | 727 intermediates.push_back(certs[1]->os_cert_handle()); |
675 | 728 |
676 ScopedTestRoot scoped_root(certs[2]); | 729 ScopedTestRoot scoped_root(certs[2].get()); |
677 | 730 |
678 scoped_refptr<X509Certificate> google_full_chain = | 731 scoped_refptr<X509Certificate> google_full_chain = |
679 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 732 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
680 intermediates); | 733 intermediates); |
681 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 734 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
682 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); | 735 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); |
683 | 736 |
684 CertVerifyResult verify_result; | 737 CertVerifyResult verify_result; |
685 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 738 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
686 int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, | 739 int error = Verify(google_full_chain.get(), |
687 empty_cert_list_, &verify_result); | 740 "127.0.0.1", |
| 741 0, |
| 742 NULL, |
| 743 empty_cert_list_, |
| 744 &verify_result); |
688 EXPECT_EQ(OK, error); | 745 EXPECT_EQ(OK, error); |
689 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 746 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
690 | 747 |
691 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 748 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
692 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 749 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
693 google_full_chain->os_cert_handle(), | 750 google_full_chain->os_cert_handle(), |
694 verify_result.verified_cert->os_cert_handle())); | 751 verify_result.verified_cert->os_cert_handle())); |
695 const X509Certificate::OSCertHandles& return_intermediates = | 752 const X509Certificate::OSCertHandles& return_intermediates = |
696 verify_result.verified_cert->GetIntermediateCertificates(); | 753 verify_result.verified_cert->GetIntermediateCertificates(); |
697 ASSERT_EQ(2U, return_intermediates.size()); | 754 ASSERT_EQ(2U, return_intermediates.size()); |
698 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], | 755 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], |
699 certs[1]->os_cert_handle())); | 756 certs[1]->os_cert_handle())); |
700 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], | 757 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], |
701 certs[2]->os_cert_handle())); | 758 certs[2]->os_cert_handle())); |
702 } | 759 } |
703 | 760 |
704 // Test that Verify() filters out certificates which are not related to | 761 // Test that Verify() filters out certificates which are not related to |
705 // or part of the certificate chain being verified. | 762 // or part of the certificate chain being verified. |
706 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { | 763 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { |
707 base::FilePath certs_dir = GetTestCertsDirectory(); | 764 base::FilePath certs_dir = GetTestCertsDirectory(); |
708 CertificateList certs = CreateCertificateListFromFile( | 765 CertificateList certs = CreateCertificateListFromFile( |
709 certs_dir, "x509_verify_results.chain.pem", | 766 certs_dir, "x509_verify_results.chain.pem", |
710 X509Certificate::FORMAT_AUTO); | 767 X509Certificate::FORMAT_AUTO); |
711 ASSERT_EQ(3U, certs.size()); | 768 ASSERT_EQ(3U, certs.size()); |
712 ScopedTestRoot scoped_root(certs[2]); | 769 ScopedTestRoot scoped_root(certs[2].get()); |
713 | 770 |
714 scoped_refptr<X509Certificate> unrelated_dod_certificate = | 771 scoped_refptr<X509Certificate> unrelated_dod_certificate = |
715 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); | 772 ImportCertFromFile(certs_dir, "dod_ca_17_cert.der"); |
716 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = | 773 scoped_refptr<X509Certificate> unrelated_dod_certificate2 = |
717 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); | 774 ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der"); |
718 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); | 775 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate); |
719 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); | 776 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2); |
720 | 777 |
721 // Interject unrelated certificates into the list of intermediates. | 778 // Interject unrelated certificates into the list of intermediates. |
722 X509Certificate::OSCertHandles intermediates; | 779 X509Certificate::OSCertHandles intermediates; |
723 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); | 780 intermediates.push_back(unrelated_dod_certificate->os_cert_handle()); |
724 intermediates.push_back(certs[1]->os_cert_handle()); | 781 intermediates.push_back(certs[1]->os_cert_handle()); |
725 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); | 782 intermediates.push_back(unrelated_dod_certificate2->os_cert_handle()); |
726 intermediates.push_back(certs[2]->os_cert_handle()); | 783 intermediates.push_back(certs[2]->os_cert_handle()); |
727 | 784 |
728 scoped_refptr<X509Certificate> google_full_chain = | 785 scoped_refptr<X509Certificate> google_full_chain = |
729 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 786 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
730 intermediates); | 787 intermediates); |
731 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); | 788 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); |
732 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); | 789 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); |
733 | 790 |
734 CertVerifyResult verify_result; | 791 CertVerifyResult verify_result; |
735 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 792 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
736 int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, | 793 int error = Verify(google_full_chain.get(), |
737 empty_cert_list_, &verify_result); | 794 "127.0.0.1", |
| 795 0, |
| 796 NULL, |
| 797 empty_cert_list_, |
| 798 &verify_result); |
738 EXPECT_EQ(OK, error); | 799 EXPECT_EQ(OK, error); |
739 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); | 800 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); |
740 | 801 |
741 EXPECT_NE(google_full_chain, verify_result.verified_cert); | 802 EXPECT_NE(google_full_chain, verify_result.verified_cert); |
742 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 803 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
743 google_full_chain->os_cert_handle(), | 804 google_full_chain->os_cert_handle(), |
744 verify_result.verified_cert->os_cert_handle())); | 805 verify_result.verified_cert->os_cert_handle())); |
745 const X509Certificate::OSCertHandles& return_intermediates = | 806 const X509Certificate::OSCertHandles& return_intermediates = |
746 verify_result.verified_cert->GetIntermediateCertificates(); | 807 verify_result.verified_cert->GetIntermediateCertificates(); |
747 ASSERT_EQ(2U, return_intermediates.size()); | 808 ASSERT_EQ(2U, return_intermediates.size()); |
(...skipping 19 matching lines...) Expand all Loading... |
767 CertificateList cert_list = CreateCertificateListFromFile( | 828 CertificateList cert_list = CreateCertificateListFromFile( |
768 GetTestCertsDirectory(), "ok_cert.pem", | 829 GetTestCertsDirectory(), "ok_cert.pem", |
769 X509Certificate::FORMAT_AUTO); | 830 X509Certificate::FORMAT_AUTO); |
770 ASSERT_EQ(1U, cert_list.size()); | 831 ASSERT_EQ(1U, cert_list.size()); |
771 scoped_refptr<X509Certificate> cert(cert_list[0]); | 832 scoped_refptr<X509Certificate> cert(cert_list[0]); |
772 | 833 |
773 // Verification of |cert| fails when |ca_cert| is not in the trust anchors | 834 // Verification of |cert| fails when |ca_cert| is not in the trust anchors |
774 // list. | 835 // list. |
775 int flags = 0; | 836 int flags = 0; |
776 CertVerifyResult verify_result; | 837 CertVerifyResult verify_result; |
777 int error = Verify(cert, "127.0.0.1", flags, NULL, | 838 int error = Verify( |
778 empty_cert_list_, &verify_result); | 839 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
779 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 840 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
780 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 841 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
781 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 842 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
782 | 843 |
783 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass. | 844 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass. |
784 CertificateList trust_anchors; | 845 CertificateList trust_anchors; |
785 trust_anchors.push_back(ca_cert); | 846 trust_anchors.push_back(ca_cert); |
786 error = Verify(cert, "127.0.0.1", flags, NULL, trust_anchors, &verify_result); | 847 error = Verify( |
| 848 cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result); |
787 EXPECT_EQ(OK, error); | 849 EXPECT_EQ(OK, error); |
788 EXPECT_EQ(0U, verify_result.cert_status); | 850 EXPECT_EQ(0U, verify_result.cert_status); |
789 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor); | 851 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor); |
790 | 852 |
791 // Clearing the |trust_anchors| makes verification fail again (the cache | 853 // Clearing the |trust_anchors| makes verification fail again (the cache |
792 // should be skipped). | 854 // should be skipped). |
793 error = Verify(cert, "127.0.0.1", flags, NULL, | 855 error = Verify( |
794 empty_cert_list_, &verify_result); | 856 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); |
795 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 857 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
796 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 858 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
797 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 859 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
798 } | 860 } |
799 | 861 |
800 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) | 862 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) |
801 static const uint8 kCRLSetThawteSPKIBlocked[] = { | 863 static const uint8 kCRLSetThawteSPKIBlocked[] = { |
802 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, | 864 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, |
803 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, | 865 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, |
804 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, | 866 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
855 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | 917 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
856 | 918 |
857 X509Certificate::OSCertHandles intermediates; | 919 X509Certificate::OSCertHandles intermediates; |
858 intermediates.push_back(certs[1]->os_cert_handle()); | 920 intermediates.push_back(certs[1]->os_cert_handle()); |
859 | 921 |
860 scoped_refptr<X509Certificate> google_full_chain = | 922 scoped_refptr<X509Certificate> google_full_chain = |
861 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | 923 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), |
862 intermediates); | 924 intermediates); |
863 | 925 |
864 CertVerifyResult verify_result; | 926 CertVerifyResult verify_result; |
865 int error = Verify(google_full_chain, "www.google.com", 0, NULL, | 927 int error = Verify(google_full_chain.get(), |
866 empty_cert_list_, &verify_result); | 928 "www.google.com", |
| 929 0, |
| 930 NULL, |
| 931 empty_cert_list_, |
| 932 &verify_result); |
867 EXPECT_EQ(OK, error); | 933 EXPECT_EQ(OK, error); |
868 | 934 |
869 // First test blocking by SPKI. | 935 // First test blocking by SPKI. |
870 base::StringPiece crl_set_bytes( | 936 base::StringPiece crl_set_bytes( |
871 reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked), | 937 reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked), |
872 sizeof(kCRLSetThawteSPKIBlocked)); | 938 sizeof(kCRLSetThawteSPKIBlocked)); |
873 scoped_refptr<CRLSet> crl_set; | 939 scoped_refptr<CRLSet> crl_set; |
874 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); | 940 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
875 | 941 |
876 error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(), | 942 error = Verify(google_full_chain.get(), |
877 empty_cert_list_, &verify_result); | 943 "www.google.com", |
| 944 0, |
| 945 crl_set.get(), |
| 946 empty_cert_list_, |
| 947 &verify_result); |
878 EXPECT_EQ(ERR_CERT_REVOKED, error); | 948 EXPECT_EQ(ERR_CERT_REVOKED, error); |
879 | 949 |
880 // Second, test revocation by serial number of a cert directly under the | 950 // Second, test revocation by serial number of a cert directly under the |
881 // root. | 951 // root. |
882 crl_set_bytes = base::StringPiece( | 952 crl_set_bytes = base::StringPiece( |
883 reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked), | 953 reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked), |
884 sizeof(kCRLSetThawteSerialBlocked)); | 954 sizeof(kCRLSetThawteSerialBlocked)); |
885 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); | 955 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
886 | 956 |
887 error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(), | 957 error = Verify(google_full_chain.get(), |
888 empty_cert_list_, &verify_result); | 958 "www.google.com", |
| 959 0, |
| 960 crl_set.get(), |
| 961 empty_cert_list_, |
| 962 &verify_result); |
889 EXPECT_EQ(ERR_CERT_REVOKED, error); | 963 EXPECT_EQ(ERR_CERT_REVOKED, error); |
890 | 964 |
891 // Lastly, test revocation by serial number of a certificate not under the | 965 // Lastly, test revocation by serial number of a certificate not under the |
892 // root. | 966 // root. |
893 crl_set_bytes = base::StringPiece( | 967 crl_set_bytes = base::StringPiece( |
894 reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked), | 968 reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked), |
895 sizeof(kCRLSetGoogleSerialBlocked)); | 969 sizeof(kCRLSetGoogleSerialBlocked)); |
896 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); | 970 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); |
897 | 971 |
898 error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(), | 972 error = Verify(google_full_chain.get(), |
899 empty_cert_list_, &verify_result); | 973 "www.google.com", |
| 974 0, |
| 975 crl_set.get(), |
| 976 empty_cert_list_, |
| 977 &verify_result); |
900 EXPECT_EQ(ERR_CERT_REVOKED, error); | 978 EXPECT_EQ(ERR_CERT_REVOKED, error); |
901 } | 979 } |
902 #endif | 980 #endif |
903 | 981 |
904 struct WeakDigestTestData { | 982 struct WeakDigestTestData { |
905 const char* root_cert_filename; | 983 const char* root_cert_filename; |
906 const char* intermediate_cert_filename; | 984 const char* intermediate_cert_filename; |
907 const char* ee_cert_filename; | 985 const char* ee_cert_filename; |
908 bool expected_has_md5; | 986 bool expected_has_md5; |
909 bool expected_has_md4; | 987 bool expected_has_md4; |
(...skipping 23 matching lines...) Expand all Loading... |
933 | 1011 |
934 TEST_P(CertVerifyProcWeakDigestTest, Verify) { | 1012 TEST_P(CertVerifyProcWeakDigestTest, Verify) { |
935 WeakDigestTestData data = GetParam(); | 1013 WeakDigestTestData data = GetParam(); |
936 base::FilePath certs_dir = GetTestCertsDirectory(); | 1014 base::FilePath certs_dir = GetTestCertsDirectory(); |
937 | 1015 |
938 ScopedTestRoot test_root; | 1016 ScopedTestRoot test_root; |
939 if (data.root_cert_filename) { | 1017 if (data.root_cert_filename) { |
940 scoped_refptr<X509Certificate> root_cert = | 1018 scoped_refptr<X509Certificate> root_cert = |
941 ImportCertFromFile(certs_dir, data.root_cert_filename); | 1019 ImportCertFromFile(certs_dir, data.root_cert_filename); |
942 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | 1020 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
943 test_root.Reset(root_cert); | 1021 test_root.Reset(root_cert.get()); |
944 } | 1022 } |
945 | 1023 |
946 scoped_refptr<X509Certificate> intermediate_cert = | 1024 scoped_refptr<X509Certificate> intermediate_cert = |
947 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); | 1025 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); |
948 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | 1026 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); |
949 scoped_refptr<X509Certificate> ee_cert = | 1027 scoped_refptr<X509Certificate> ee_cert = |
950 ImportCertFromFile(certs_dir, data.ee_cert_filename); | 1028 ImportCertFromFile(certs_dir, data.ee_cert_filename); |
951 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | 1029 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); |
952 | 1030 |
953 X509Certificate::OSCertHandles intermediates; | 1031 X509Certificate::OSCertHandles intermediates; |
954 intermediates.push_back(intermediate_cert->os_cert_handle()); | 1032 intermediates.push_back(intermediate_cert->os_cert_handle()); |
955 | 1033 |
956 scoped_refptr<X509Certificate> ee_chain = | 1034 scoped_refptr<X509Certificate> ee_chain = |
957 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | 1035 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), |
958 intermediates); | 1036 intermediates); |
959 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); | 1037 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); |
960 | 1038 |
961 int flags = 0; | 1039 int flags = 0; |
962 CertVerifyResult verify_result; | 1040 CertVerifyResult verify_result; |
963 int rv = Verify(ee_chain, "127.0.0.1", flags, NULL, | 1041 int rv = Verify(ee_chain.get(), |
964 empty_cert_list_, &verify_result); | 1042 "127.0.0.1", |
| 1043 flags, |
| 1044 NULL, |
| 1045 empty_cert_list_, |
| 1046 &verify_result); |
965 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); | 1047 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); |
966 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); | 1048 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); |
967 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); | 1049 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); |
968 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); | 1050 EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); |
969 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); | 1051 EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); |
970 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); | 1052 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); |
971 | 1053 |
972 // Ensure that MD4 and MD2 are tagged as invalid. | 1054 // Ensure that MD4 and MD2 are tagged as invalid. |
973 if (data.expected_has_md4 || data.expected_has_md2) { | 1055 if (data.expected_has_md4 || data.expected_has_md2) { |
974 EXPECT_EQ(CERT_STATUS_INVALID, | 1056 EXPECT_EQ(CERT_STATUS_INVALID, |
(...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1207 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { | 1289 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) { |
1208 const NonUniqueNameTestData& test_data = GetParam(); | 1290 const NonUniqueNameTestData& test_data = GetParam(); |
1209 | 1291 |
1210 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); | 1292 EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname)); |
1211 } | 1293 } |
1212 | 1294 |
1213 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, | 1295 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest, |
1214 testing::ValuesIn(kNonUniqueNameTestData)); | 1296 testing::ValuesIn(kNonUniqueNameTestData)); |
1215 | 1297 |
1216 } // namespace net | 1298 } // namespace net |
OLD | NEW |