Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 24 #if defined(USE_NSS) | 24 #if defined(USE_NSS) |
| 25 #include <cert.h> | 25 #include <cert.h> |
| 26 #endif | 26 #endif |
| 27 | 27 |
| 28 #if defined(OS_WIN) | 28 #if defined(OS_WIN) |
| 29 #include "base/win/windows_version.h" | 29 #include "base/win/windows_version.h" |
| 30 #elif defined(OS_MACOSX) | 30 #elif defined(OS_MACOSX) |
| 31 #include "base/mac/mac_util.h" | 31 #include "base/mac/mac_util.h" |
| 32 #endif | 32 #endif |
| 33 | 33 |
| 34 // Unit tests aren't allowed to access external resources. Unfortunately, to | |
| 35 // properly verify the EV-ness of a cert, we need to check for its revocation | |
| 36 // through online servers. If you're manually running unit tests, feel free to | |
| 37 // turn this on to test EV certs. But leave it turned off for the automated | |
| 38 // testing. | |
| 39 #define ALLOW_EXTERNAL_ACCESS 0 | |
| 40 | |
| 41 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN) | |
| 42 #define TEST_EV 1 // Test CERT_STATUS_IS_EV | |
| 43 #endif | |
| 44 | |
| 45 using base::HexEncode; | 34 using base::HexEncode; |
| 46 using base::Time; | 35 using base::Time; |
| 47 | 36 |
| 48 namespace net { | 37 namespace net { |
| 49 | 38 |
| 50 // Certificates for test data. They're obtained with: | 39 // Certificates for test data. They're obtained with: |
| 51 // | 40 // |
| 52 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null | 41 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null |
| 53 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der | 42 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der |
| 54 // | 43 // |
| (...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 214 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); | 203 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); |
| 215 | 204 |
| 216 const SHA1Fingerprint& fingerprint = google_cert->fingerprint(); | 205 const SHA1Fingerprint& fingerprint = google_cert->fingerprint(); |
| 217 for (size_t i = 0; i < 20; ++i) | 206 for (size_t i = 0; i < 20; ++i) |
| 218 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); | 207 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); |
| 219 | 208 |
| 220 std::vector<std::string> dns_names; | 209 std::vector<std::string> dns_names; |
| 221 google_cert->GetDNSNames(&dns_names); | 210 google_cert->GetDNSNames(&dns_names); |
| 222 ASSERT_EQ(1U, dns_names.size()); | 211 ASSERT_EQ(1U, dns_names.size()); |
| 223 EXPECT_EQ("www.google.com", dns_names[0]); | 212 EXPECT_EQ("www.google.com", dns_names[0]); |
| 224 | |
| 225 #if TEST_EV | |
|
agl
2012/03/07 15:38:16
These certificates have expired and so are no long
Ryan Sleevi
2012/03/07 16:57:01
Yeah, I noticed the same thing as well, and made t
| |
| 226 // TODO(avi): turn this on for the Mac once EV checking is implemented. | |
| 227 CertVerifyResult verify_result; | |
| 228 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | |
| 229 X509Certificate::VERIFY_EV_CERT; | |
| 230 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, NULL, | |
| 231 &verify_result); | |
| 232 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); | |
| 233 #endif | |
| 234 } | 213 } |
| 235 | 214 |
| 236 TEST(X509CertificateTest, GoogleCertParsing) { | 215 TEST(X509CertificateTest, GoogleCertParsing) { |
| 237 scoped_refptr<X509Certificate> google_cert( | 216 scoped_refptr<X509Certificate> google_cert( |
| 238 X509Certificate::CreateFromBytes( | 217 X509Certificate::CreateFromBytes( |
| 239 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 218 reinterpret_cast<const char*>(google_der), sizeof(google_der))); |
| 240 | 219 |
| 241 CheckGoogleCert(google_cert, google_fingerprint, | 220 CheckGoogleCert(google_cert, google_fingerprint, |
| 242 1238192407, // Mar 27 22:20:07 2009 GMT | 221 1238192407, // Mar 27 22:20:07 2009 GMT |
| 243 1269728407); // Mar 27 22:20:07 2010 GMT | 222 1269728407); // Mar 27 22:20:07 2010 GMT |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 283 const SHA1Fingerprint& fingerprint = webkit_cert->fingerprint(); | 262 const SHA1Fingerprint& fingerprint = webkit_cert->fingerprint(); |
| 284 for (size_t i = 0; i < 20; ++i) | 263 for (size_t i = 0; i < 20; ++i) |
| 285 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); | 264 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); |
| 286 | 265 |
| 287 std::vector<std::string> dns_names; | 266 std::vector<std::string> dns_names; |
| 288 webkit_cert->GetDNSNames(&dns_names); | 267 webkit_cert->GetDNSNames(&dns_names); |
| 289 ASSERT_EQ(2U, dns_names.size()); | 268 ASSERT_EQ(2U, dns_names.size()); |
| 290 EXPECT_EQ("*.webkit.org", dns_names[0]); | 269 EXPECT_EQ("*.webkit.org", dns_names[0]); |
| 291 EXPECT_EQ("webkit.org", dns_names[1]); | 270 EXPECT_EQ("webkit.org", dns_names[1]); |
| 292 | 271 |
| 293 #if TEST_EV | |
| 294 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | |
| 295 X509Certificate::VERIFY_EV_CERT; | |
| 296 CertVerifyResult verify_result; | |
| 297 EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, NULL, &verify_result)); | |
| 298 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); | |
| 299 #endif | |
| 300 | |
| 301 // Test that the wildcard cert matches properly. | 272 // Test that the wildcard cert matches properly. |
| 302 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); | 273 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); |
| 303 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); | 274 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); |
| 304 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); | 275 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); |
| 305 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); | 276 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); |
| 306 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); | 277 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); |
| 307 } | 278 } |
| 308 | 279 |
| 309 TEST(X509CertificateTest, WithoutRevocationChecking) { | 280 TEST(X509CertificateTest, WithoutRevocationChecking) { |
| 310 // Check that verification without revocation checking works. | 281 // Check that verification without revocation checking works. |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 363 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT | 334 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT |
| 364 | 335 |
| 365 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); | 336 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); |
| 366 for (size_t i = 0; i < 20; ++i) | 337 for (size_t i = 0; i < 20; ++i) |
| 367 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); | 338 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); |
| 368 | 339 |
| 369 std::vector<std::string> dns_names; | 340 std::vector<std::string> dns_names; |
| 370 thawte_cert->GetDNSNames(&dns_names); | 341 thawte_cert->GetDNSNames(&dns_names); |
| 371 ASSERT_EQ(1U, dns_names.size()); | 342 ASSERT_EQ(1U, dns_names.size()); |
| 372 EXPECT_EQ("www.thawte.com", dns_names[0]); | 343 EXPECT_EQ("www.thawte.com", dns_names[0]); |
| 344 } | |
| 373 | 345 |
| 374 #if TEST_EV | 346 TEST(X509CertificateTest, EVVerification) { |
| 375 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 347 // This certificate will expire Jun 21, 2013. |
| 376 X509Certificate::VERIFY_EV_CERT; | 348 CertificateList certs = CreateCertificateListFromFile( |
| 349 GetTestCertsDirectory(), | |
| 350 "comodo.chain.pem", | |
| 351 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | |
| 352 | |
|
Ryan Sleevi
2012/03/07 16:57:01
ASSERT_EQ(3U, certs.size()) ? (I noticed this yest
agl
2012/03/07 17:31:24
Done.
| |
| 353 X509Certificate::OSCertHandles intermediates; | |
| 354 intermediates.push_back(certs[1]->os_cert_handle()); | |
| 355 intermediates.push_back(certs[2]->os_cert_handle()); | |
| 356 | |
| 357 scoped_refptr<X509Certificate> comodo_chain = | |
| 358 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | |
| 359 intermediates); | |
| 360 | |
| 377 CertVerifyResult verify_result; | 361 CertVerifyResult verify_result; |
| 378 // EV cert verification requires revocation checking. | 362 int flags = X509Certificate::VERIFY_EV_CERT; |
| 379 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL, | 363 int error = comodo_chain->Verify( |
| 380 &verify_result); | 364 "comodo.com", flags, NULL, &verify_result); |
|
Ryan Sleevi
2012/03/07 16:57:01
In the past we didn't turn these on for the bots b
agl
2012/03/07 17:31:24
I don't believe that this will cause any network f
wtc
2012/03/08 01:02:20
Hmm... if we report CERT_STATUS_IS_EV without gett
| |
| 365 EXPECT_EQ(OK, error); | |
| 381 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 366 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 382 // Consequently, if we don't have revocation checking enabled, we can't claim | |
| 383 // any cert is EV. | |
| 384 flags = X509Certificate::VERIFY_EV_CERT; | |
| 385 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL, | |
| 386 &verify_result)); | |
| 387 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV); | |
| 388 #endif | |
| 389 } | 367 } |
| 390 | 368 |
| 391 // Test that all desired AttributeAndValue pairs can be extracted when only | 369 // Test that all desired AttributeAndValue pairs can be extracted when only |
| 392 // a single RelativeDistinguishedName is present. "Normally" there is only | 370 // a single RelativeDistinguishedName is present. "Normally" there is only |
| 393 // one AVA per RDN, but some CAs place all AVAs within a single RDN. | 371 // one AVA per RDN, but some CAs place all AVAs within a single RDN. |
| 394 // This is a regression test for http://crbug.com/101009 | 372 // This is a regression test for http://crbug.com/101009 |
| 395 TEST(X509CertificateTest, MultivalueRDN) { | 373 TEST(X509CertificateTest, MultivalueRDN) { |
| 396 FilePath certs_dir = GetTestCertsDirectory(); | 374 FilePath certs_dir = GetTestCertsDirectory(); |
| 397 | 375 |
| 398 scoped_refptr<X509Certificate> multivalue_rdn_cert = | 376 scoped_refptr<X509Certificate> multivalue_rdn_cert = |
| (...skipping 1628 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2027 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 2005 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 2028 #else | 2006 #else |
| 2029 #define MAYBE_VerifyMixed VerifyMixed | 2007 #define MAYBE_VerifyMixed VerifyMixed |
| 2030 #endif | 2008 #endif |
| 2031 WRAPPED_INSTANTIATE_TEST_CASE_P( | 2009 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 2032 MAYBE_VerifyMixed, | 2010 MAYBE_VerifyMixed, |
| 2033 X509CertificateWeakDigestTest, | 2011 X509CertificateWeakDigestTest, |
| 2034 testing::ValuesIn(kVerifyMixedTestData)); | 2012 testing::ValuesIn(kVerifyMixedTestData)); |
| 2035 | 2013 |
| 2036 } // namespace net | 2014 } // namespace net |
| OLD | NEW |