net/base/cert_verifier_unittest.cc - Issue 9476035: Make CertVerifier a pure virtual interface.

Side by Side Diff: net/base/cert_verifier_unittest.cc

Issue 9476035: Make CertVerifier a pure virtual interface. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Win shared fix Created 8 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
	(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "net/base/cert_verifier.h"

6

7 #include "base/bind.h"

8 #include "base/file_path.h"

9 #include "base/format_macros.h"

10 #include "base/stringprintf.h"

11 #include "net/base/cert_test_util.h"

12 #include "net/base/net_errors.h"

13 #include "net/base/net_log.h"

14 #include "net/base/test_completion_callback.h"

15 #include "net/base/x509_certificate.h"

16 #include "testing/gtest/include/gtest/gtest.h"

17

18 namespace net {

19

20 namespace {

21

22 void FailTest(int /* result */) {

23 FAIL();

24 }

25

26 } // namespace;

27

28 // Tests a cache hit, which should result in synchronous completion.

29 #if defined(OS_MACOSX)

30 // http://crbug.com/117372

31 #define MAYBE_CacheHit FAILS_CacheHit

32 #else

33 #define MAYBE_CacheHit CacheHit

34 #endif // defined(OS_MACOSX)

35 TEST(CertVerifierTest, MAYBE_CacheHit) {

36 CertVerifier verifier;

37

38 FilePath certs_dir = GetTestCertsDirectory();

39 scoped_refptr<X509Certificate> test_cert(

40 ImportCertFromFile(certs_dir, "ok_cert.pem"));

41 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

42

43 int error;

44 CertVerifyResult verify_result;

45 TestCompletionCallback callback;

46 CertVerifier::RequestHandle request_handle;

47

48 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

49 callback.callback(), &request_handle, BoundNetLog());

50 ASSERT_EQ(ERR_IO_PENDING, error);

51 ASSERT_TRUE(request_handle != NULL);

52 error = callback.WaitForResult();

53 ASSERT_TRUE(IsCertificateError(error));

54 ASSERT_EQ(1u, verifier.requests());

55 ASSERT_EQ(0u, verifier.cache_hits());

56 ASSERT_EQ(0u, verifier.inflight_joins());

57 ASSERT_EQ(1u, verifier.GetCacheSize());

58

59 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

60 callback.callback(), &request_handle, BoundNetLog());

61 // Synchronous completion.

62 ASSERT_NE(ERR_IO_PENDING, error);

63 ASSERT_TRUE(IsCertificateError(error));

64 ASSERT_TRUE(request_handle == NULL);

65 ASSERT_EQ(2u, verifier.requests());

66 ASSERT_EQ(1u, verifier.cache_hits());

67 ASSERT_EQ(0u, verifier.inflight_joins());

68 ASSERT_EQ(1u, verifier.GetCacheSize());

69 }

70

71 // Tests the same server certificate with different intermediate CA

72 // certificates. These should be treated as different certificate chains even

73 // though the two X509Certificate objects contain the same server certificate.

74 TEST(CertVerifierTest, DifferentCACerts) {

75 CertVerifier verifier;

76

77 FilePath certs_dir = GetTestCertsDirectory();

78

79 scoped_refptr<X509Certificate> server_cert =

80 ImportCertFromFile(certs_dir, "salesforce_com_test.pem");

81 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);

82

83 scoped_refptr<X509Certificate> intermediate_cert1 =

84 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem");

85 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1);

86

87 scoped_refptr<X509Certificate> intermediate_cert2 =

88 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem");

89 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert2);

90

91 X509Certificate::OSCertHandles intermediates;

92 intermediates.push_back(intermediate_cert1->os_cert_handle());

93 scoped_refptr<X509Certificate> cert_chain1 =

94 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),

95 intermediates);

96

97 intermediates.clear();

98 intermediates.push_back(intermediate_cert2->os_cert_handle());

99 scoped_refptr<X509Certificate> cert_chain2 =

100 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),

101 intermediates);

102

103 int error;

104 CertVerifyResult verify_result;

105 TestCompletionCallback callback;

106 CertVerifier::RequestHandle request_handle;

107

108 error = verifier.Verify(cert_chain1, "www.example.com", 0, NULL,

109 &verify_result, callback.callback(),

110 &request_handle, BoundNetLog());

111 ASSERT_EQ(ERR_IO_PENDING, error);

112 ASSERT_TRUE(request_handle != NULL);

113 error = callback.WaitForResult();

114 ASSERT_TRUE(IsCertificateError(error));

115 ASSERT_EQ(1u, verifier.requests());

116 ASSERT_EQ(0u, verifier.cache_hits());

117 ASSERT_EQ(0u, verifier.inflight_joins());

118 ASSERT_EQ(1u, verifier.GetCacheSize());

119

120 error = verifier.Verify(cert_chain2, "www.example.com", 0, NULL,

121 &verify_result, callback.callback(),

122 &request_handle, BoundNetLog());

123 ASSERT_EQ(ERR_IO_PENDING, error);

124 ASSERT_TRUE(request_handle != NULL);

125 error = callback.WaitForResult();

126 ASSERT_TRUE(IsCertificateError(error));

127 ASSERT_EQ(2u, verifier.requests());

128 ASSERT_EQ(0u, verifier.cache_hits());

129 ASSERT_EQ(0u, verifier.inflight_joins());

130 ASSERT_EQ(2u, verifier.GetCacheSize());

131 }

132

133 // Tests an inflight join.

134 TEST(CertVerifierTest, InflightJoin) {

135 CertVerifier verifier;

136

137 FilePath certs_dir = GetTestCertsDirectory();

138 scoped_refptr<X509Certificate> test_cert(

139 ImportCertFromFile(certs_dir, "ok_cert.pem"));

140 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

141

142 int error;

143 CertVerifyResult verify_result;

144 TestCompletionCallback callback;

145 CertVerifier::RequestHandle request_handle;

146 CertVerifyResult verify_result2;

147 TestCompletionCallback callback2;

148 CertVerifier::RequestHandle request_handle2;

149

150 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

151 callback.callback(), &request_handle, BoundNetLog());

152 ASSERT_EQ(ERR_IO_PENDING, error);

153 ASSERT_TRUE(request_handle != NULL);

154 error = verifier.Verify(

155 test_cert, "www.example.com", 0, NULL, &verify_result2,

156 callback2.callback(), &request_handle2, BoundNetLog());

157 ASSERT_EQ(ERR_IO_PENDING, error);

158 ASSERT_TRUE(request_handle2 != NULL);

159 error = callback.WaitForResult();

160 ASSERT_TRUE(IsCertificateError(error));

161 error = callback2.WaitForResult();

162 ASSERT_TRUE(IsCertificateError(error));

163 ASSERT_EQ(2u, verifier.requests());

164 ASSERT_EQ(0u, verifier.cache_hits());

165 ASSERT_EQ(1u, verifier.inflight_joins());

166 }

167

168 // Tests that the callback of a canceled request is never made.

169 TEST(CertVerifierTest, CancelRequest) {

170 CertVerifier verifier;

171

172 FilePath certs_dir = GetTestCertsDirectory();

173 scoped_refptr<X509Certificate> test_cert(

174 ImportCertFromFile(certs_dir, "ok_cert.pem"));

175 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

176

177 int error;

178 CertVerifyResult verify_result;

179 CertVerifier::RequestHandle request_handle;

180

181 error = verifier.Verify(

182 test_cert, "www.example.com", 0, NULL, &verify_result,

183 base::Bind(&FailTest), &request_handle, BoundNetLog());

184 ASSERT_EQ(ERR_IO_PENDING, error);

185 ASSERT_TRUE(request_handle != NULL);

186 verifier.CancelRequest(request_handle);

187

188 // Issue a few more requests to the worker pool and wait for their

189 // completion, so that the task of the canceled request (which runs on a

190 // worker thread) is likely to complete by the end of this test.

191 TestCompletionCallback callback;

192 for (int i = 0; i < 5; ++i) {

193 error = verifier.Verify(

194 test_cert, "www2.example.com", 0, NULL, &verify_result,

195 callback.callback(), &request_handle, BoundNetLog());

196 ASSERT_EQ(ERR_IO_PENDING, error);

197 ASSERT_TRUE(request_handle != NULL);

198 error = callback.WaitForResult();

199 verifier.ClearCache();

200 }

201 }

202

203 // Tests that a canceled request is not leaked.

204 TEST(CertVerifierTest, CancelRequestThenQuit) {

205 CertVerifier verifier;

206

207 FilePath certs_dir = GetTestCertsDirectory();

208 scoped_refptr<X509Certificate> test_cert(

209 ImportCertFromFile(certs_dir, "ok_cert.pem"));

210 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);

211

212 int error;

213 CertVerifyResult verify_result;

214 TestCompletionCallback callback;

215 CertVerifier::RequestHandle request_handle;

216

217 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result,

218 callback.callback(), &request_handle, BoundNetLog());

219 ASSERT_EQ(ERR_IO_PENDING, error);

220 ASSERT_TRUE(request_handle != NULL);

221 verifier.CancelRequest(request_handle);

222 // Destroy \|verifier\| by going out of scope.

223 }

224

225 TEST(CertVerifierTest, RequestParamsComparators) {

226 SHA1Fingerprint a_key;

227 memset(a_key.data, 'a', sizeof(a_key.data));

228

229 SHA1Fingerprint z_key;

230 memset(z_key.data, 'z', sizeof(z_key.data));

231

232 struct {

233 // Keys to test

234 CertVerifier::RequestParams key1;

235 CertVerifier::RequestParams key2;

236

237 // Expectation:

238 // -1 means key1 is less than key2

239 // 0 means key1 equals key2

240 // 1 means key1 is greater than key2

241 int expected_result;

242 } tests[] = {

243 { // Test for basic equivalence.

244 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

245 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

246 0,

247 },

248 { // Test that different certificates but with the same CA and for

249 // the same host are different validation keys.

250 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

251 CertVerifier::RequestParams(z_key, a_key, "www.example.test", 0),

252 -1,

253 },

254 { // Test that the same EE certificate for the same host, but with

255 // different chains are different validation keys.

256 CertVerifier::RequestParams(a_key, z_key, "www.example.test", 0),

257 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

258 1,

259 },

260 { // The same certificate, with the same chain, but for different

261 // hosts are different validation keys.

262 CertVerifier::RequestParams(a_key, a_key, "www1.example.test", 0),

263 CertVerifier::RequestParams(a_key, a_key, "www2.example.test", 0),

264 -1,

265 },

266 { // The same certificate, chain, and host, but with different flags

267 // are different validation keys.

268 CertVerifier::RequestParams(a_key, a_key, "www.example.test",

269 X509Certificate::VERIFY_EV_CERT),

270 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0),

271 1,

272 }

273 };

274 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) {

275 SCOPED_TRACE(base::StringPrintf("Test[%" PRIuS "]", i));

276

277 const CertVerifier::RequestParams& key1 = tests[i].key1;

278 const CertVerifier::RequestParams& key2 = tests[i].key2;

279

280 switch (tests[i].expected_result) {

281 case -1:

282 EXPECT_TRUE(key1 < key2);

283 EXPECT_FALSE(key2 < key1);

284 break;

285 case 0:

286 EXPECT_FALSE(key1 < key2);

287 EXPECT_FALSE(key2 < key1);

288 break;

289 case 1:

290 EXPECT_FALSE(key1 < key2);

291 EXPECT_TRUE(key2 < key1);

292 break;

293 default:

294 FAIL() << "Invalid expectation. Can be only -1, 0, 1";

295 }

296 }

297 }

298

299 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/cert_verifier.cc ('k') | net/base/multi_threaded_cert_verifier.h » ('j') | no next file with comments »