OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/cert_verifier.h" | |
6 | |
7 #include "base/bind.h" | |
8 #include "base/file_path.h" | |
9 #include "base/format_macros.h" | |
10 #include "base/stringprintf.h" | |
11 #include "net/base/cert_test_util.h" | |
12 #include "net/base/net_errors.h" | |
13 #include "net/base/net_log.h" | |
14 #include "net/base/test_completion_callback.h" | |
15 #include "net/base/x509_certificate.h" | |
16 #include "testing/gtest/include/gtest/gtest.h" | |
17 | |
18 namespace net { | |
19 | |
20 namespace { | |
21 | |
22 void FailTest(int /* result */) { | |
23 FAIL(); | |
24 } | |
25 | |
26 } // namespace; | |
27 | |
28 // Tests a cache hit, which should result in synchronous completion. | |
29 #if defined(OS_MACOSX) | |
30 // http://crbug.com/117372 | |
31 #define MAYBE_CacheHit FAILS_CacheHit | |
32 #else | |
33 #define MAYBE_CacheHit CacheHit | |
34 #endif // defined(OS_MACOSX) | |
35 TEST(CertVerifierTest, MAYBE_CacheHit) { | |
36 CertVerifier verifier; | |
37 | |
38 FilePath certs_dir = GetTestCertsDirectory(); | |
39 scoped_refptr<X509Certificate> test_cert( | |
40 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
41 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
42 | |
43 int error; | |
44 CertVerifyResult verify_result; | |
45 TestCompletionCallback callback; | |
46 CertVerifier::RequestHandle request_handle; | |
47 | |
48 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
49 callback.callback(), &request_handle, BoundNetLog()); | |
50 ASSERT_EQ(ERR_IO_PENDING, error); | |
51 ASSERT_TRUE(request_handle != NULL); | |
52 error = callback.WaitForResult(); | |
53 ASSERT_TRUE(IsCertificateError(error)); | |
54 ASSERT_EQ(1u, verifier.requests()); | |
55 ASSERT_EQ(0u, verifier.cache_hits()); | |
56 ASSERT_EQ(0u, verifier.inflight_joins()); | |
57 ASSERT_EQ(1u, verifier.GetCacheSize()); | |
58 | |
59 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
60 callback.callback(), &request_handle, BoundNetLog()); | |
61 // Synchronous completion. | |
62 ASSERT_NE(ERR_IO_PENDING, error); | |
63 ASSERT_TRUE(IsCertificateError(error)); | |
64 ASSERT_TRUE(request_handle == NULL); | |
65 ASSERT_EQ(2u, verifier.requests()); | |
66 ASSERT_EQ(1u, verifier.cache_hits()); | |
67 ASSERT_EQ(0u, verifier.inflight_joins()); | |
68 ASSERT_EQ(1u, verifier.GetCacheSize()); | |
69 } | |
70 | |
71 // Tests the same server certificate with different intermediate CA | |
72 // certificates. These should be treated as different certificate chains even | |
73 // though the two X509Certificate objects contain the same server certificate. | |
74 TEST(CertVerifierTest, DifferentCACerts) { | |
75 CertVerifier verifier; | |
76 | |
77 FilePath certs_dir = GetTestCertsDirectory(); | |
78 | |
79 scoped_refptr<X509Certificate> server_cert = | |
80 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); | |
81 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | |
82 | |
83 scoped_refptr<X509Certificate> intermediate_cert1 = | |
84 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem"); | |
85 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1); | |
86 | |
87 scoped_refptr<X509Certificate> intermediate_cert2 = | |
88 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem"); | |
89 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert2); | |
90 | |
91 X509Certificate::OSCertHandles intermediates; | |
92 intermediates.push_back(intermediate_cert1->os_cert_handle()); | |
93 scoped_refptr<X509Certificate> cert_chain1 = | |
94 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | |
95 intermediates); | |
96 | |
97 intermediates.clear(); | |
98 intermediates.push_back(intermediate_cert2->os_cert_handle()); | |
99 scoped_refptr<X509Certificate> cert_chain2 = | |
100 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), | |
101 intermediates); | |
102 | |
103 int error; | |
104 CertVerifyResult verify_result; | |
105 TestCompletionCallback callback; | |
106 CertVerifier::RequestHandle request_handle; | |
107 | |
108 error = verifier.Verify(cert_chain1, "www.example.com", 0, NULL, | |
109 &verify_result, callback.callback(), | |
110 &request_handle, BoundNetLog()); | |
111 ASSERT_EQ(ERR_IO_PENDING, error); | |
112 ASSERT_TRUE(request_handle != NULL); | |
113 error = callback.WaitForResult(); | |
114 ASSERT_TRUE(IsCertificateError(error)); | |
115 ASSERT_EQ(1u, verifier.requests()); | |
116 ASSERT_EQ(0u, verifier.cache_hits()); | |
117 ASSERT_EQ(0u, verifier.inflight_joins()); | |
118 ASSERT_EQ(1u, verifier.GetCacheSize()); | |
119 | |
120 error = verifier.Verify(cert_chain2, "www.example.com", 0, NULL, | |
121 &verify_result, callback.callback(), | |
122 &request_handle, BoundNetLog()); | |
123 ASSERT_EQ(ERR_IO_PENDING, error); | |
124 ASSERT_TRUE(request_handle != NULL); | |
125 error = callback.WaitForResult(); | |
126 ASSERT_TRUE(IsCertificateError(error)); | |
127 ASSERT_EQ(2u, verifier.requests()); | |
128 ASSERT_EQ(0u, verifier.cache_hits()); | |
129 ASSERT_EQ(0u, verifier.inflight_joins()); | |
130 ASSERT_EQ(2u, verifier.GetCacheSize()); | |
131 } | |
132 | |
133 // Tests an inflight join. | |
134 TEST(CertVerifierTest, InflightJoin) { | |
135 CertVerifier verifier; | |
136 | |
137 FilePath certs_dir = GetTestCertsDirectory(); | |
138 scoped_refptr<X509Certificate> test_cert( | |
139 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
140 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
141 | |
142 int error; | |
143 CertVerifyResult verify_result; | |
144 TestCompletionCallback callback; | |
145 CertVerifier::RequestHandle request_handle; | |
146 CertVerifyResult verify_result2; | |
147 TestCompletionCallback callback2; | |
148 CertVerifier::RequestHandle request_handle2; | |
149 | |
150 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
151 callback.callback(), &request_handle, BoundNetLog()); | |
152 ASSERT_EQ(ERR_IO_PENDING, error); | |
153 ASSERT_TRUE(request_handle != NULL); | |
154 error = verifier.Verify( | |
155 test_cert, "www.example.com", 0, NULL, &verify_result2, | |
156 callback2.callback(), &request_handle2, BoundNetLog()); | |
157 ASSERT_EQ(ERR_IO_PENDING, error); | |
158 ASSERT_TRUE(request_handle2 != NULL); | |
159 error = callback.WaitForResult(); | |
160 ASSERT_TRUE(IsCertificateError(error)); | |
161 error = callback2.WaitForResult(); | |
162 ASSERT_TRUE(IsCertificateError(error)); | |
163 ASSERT_EQ(2u, verifier.requests()); | |
164 ASSERT_EQ(0u, verifier.cache_hits()); | |
165 ASSERT_EQ(1u, verifier.inflight_joins()); | |
166 } | |
167 | |
168 // Tests that the callback of a canceled request is never made. | |
169 TEST(CertVerifierTest, CancelRequest) { | |
170 CertVerifier verifier; | |
171 | |
172 FilePath certs_dir = GetTestCertsDirectory(); | |
173 scoped_refptr<X509Certificate> test_cert( | |
174 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
175 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
176 | |
177 int error; | |
178 CertVerifyResult verify_result; | |
179 CertVerifier::RequestHandle request_handle; | |
180 | |
181 error = verifier.Verify( | |
182 test_cert, "www.example.com", 0, NULL, &verify_result, | |
183 base::Bind(&FailTest), &request_handle, BoundNetLog()); | |
184 ASSERT_EQ(ERR_IO_PENDING, error); | |
185 ASSERT_TRUE(request_handle != NULL); | |
186 verifier.CancelRequest(request_handle); | |
187 | |
188 // Issue a few more requests to the worker pool and wait for their | |
189 // completion, so that the task of the canceled request (which runs on a | |
190 // worker thread) is likely to complete by the end of this test. | |
191 TestCompletionCallback callback; | |
192 for (int i = 0; i < 5; ++i) { | |
193 error = verifier.Verify( | |
194 test_cert, "www2.example.com", 0, NULL, &verify_result, | |
195 callback.callback(), &request_handle, BoundNetLog()); | |
196 ASSERT_EQ(ERR_IO_PENDING, error); | |
197 ASSERT_TRUE(request_handle != NULL); | |
198 error = callback.WaitForResult(); | |
199 verifier.ClearCache(); | |
200 } | |
201 } | |
202 | |
203 // Tests that a canceled request is not leaked. | |
204 TEST(CertVerifierTest, CancelRequestThenQuit) { | |
205 CertVerifier verifier; | |
206 | |
207 FilePath certs_dir = GetTestCertsDirectory(); | |
208 scoped_refptr<X509Certificate> test_cert( | |
209 ImportCertFromFile(certs_dir, "ok_cert.pem")); | |
210 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
211 | |
212 int error; | |
213 CertVerifyResult verify_result; | |
214 TestCompletionCallback callback; | |
215 CertVerifier::RequestHandle request_handle; | |
216 | |
217 error = verifier.Verify(test_cert, "www.example.com", 0, NULL, &verify_result, | |
218 callback.callback(), &request_handle, BoundNetLog()); | |
219 ASSERT_EQ(ERR_IO_PENDING, error); | |
220 ASSERT_TRUE(request_handle != NULL); | |
221 verifier.CancelRequest(request_handle); | |
222 // Destroy |verifier| by going out of scope. | |
223 } | |
224 | |
225 TEST(CertVerifierTest, RequestParamsComparators) { | |
226 SHA1Fingerprint a_key; | |
227 memset(a_key.data, 'a', sizeof(a_key.data)); | |
228 | |
229 SHA1Fingerprint z_key; | |
230 memset(z_key.data, 'z', sizeof(z_key.data)); | |
231 | |
232 struct { | |
233 // Keys to test | |
234 CertVerifier::RequestParams key1; | |
235 CertVerifier::RequestParams key2; | |
236 | |
237 // Expectation: | |
238 // -1 means key1 is less than key2 | |
239 // 0 means key1 equals key2 | |
240 // 1 means key1 is greater than key2 | |
241 int expected_result; | |
242 } tests[] = { | |
243 { // Test for basic equivalence. | |
244 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
245 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
246 0, | |
247 }, | |
248 { // Test that different certificates but with the same CA and for | |
249 // the same host are different validation keys. | |
250 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
251 CertVerifier::RequestParams(z_key, a_key, "www.example.test", 0), | |
252 -1, | |
253 }, | |
254 { // Test that the same EE certificate for the same host, but with | |
255 // different chains are different validation keys. | |
256 CertVerifier::RequestParams(a_key, z_key, "www.example.test", 0), | |
257 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
258 1, | |
259 }, | |
260 { // The same certificate, with the same chain, but for different | |
261 // hosts are different validation keys. | |
262 CertVerifier::RequestParams(a_key, a_key, "www1.example.test", 0), | |
263 CertVerifier::RequestParams(a_key, a_key, "www2.example.test", 0), | |
264 -1, | |
265 }, | |
266 { // The same certificate, chain, and host, but with different flags | |
267 // are different validation keys. | |
268 CertVerifier::RequestParams(a_key, a_key, "www.example.test", | |
269 X509Certificate::VERIFY_EV_CERT), | |
270 CertVerifier::RequestParams(a_key, a_key, "www.example.test", 0), | |
271 1, | |
272 } | |
273 }; | |
274 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) { | |
275 SCOPED_TRACE(base::StringPrintf("Test[%" PRIuS "]", i)); | |
276 | |
277 const CertVerifier::RequestParams& key1 = tests[i].key1; | |
278 const CertVerifier::RequestParams& key2 = tests[i].key2; | |
279 | |
280 switch (tests[i].expected_result) { | |
281 case -1: | |
282 EXPECT_TRUE(key1 < key2); | |
283 EXPECT_FALSE(key2 < key1); | |
284 break; | |
285 case 0: | |
286 EXPECT_FALSE(key1 < key2); | |
287 EXPECT_FALSE(key2 < key1); | |
288 break; | |
289 case 1: | |
290 EXPECT_FALSE(key1 < key2); | |
291 EXPECT_TRUE(key2 < key1); | |
292 break; | |
293 default: | |
294 FAIL() << "Invalid expectation. Can be only -1, 0, 1"; | |
295 } | |
296 } | |
297 } | |
298 | |
299 } // namespace net | |
OLD | NEW |