Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(424)

Side by Side Diff: net/base/x509_certificate_unittest.cc

Issue 9619007: net: allow EV indication on Windows when the local OCSP/CRL cache is stale. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "base/file_path.h" 5 #include "base/file_path.h"
6 #include "base/file_util.h" 6 #include "base/file_util.h"
7 #include "base/path_service.h" 7 #include "base/path_service.h"
8 #include "base/pickle.h" 8 #include "base/pickle.h"
9 #include "base/sha1.h" 9 #include "base/sha1.h"
10 #include "base/string_number_conversions.h" 10 #include "base/string_number_conversions.h"
(...skipping 13 matching lines...) Expand all
24 #if defined(USE_NSS) 24 #if defined(USE_NSS)
25 #include <cert.h> 25 #include <cert.h>
26 #endif 26 #endif
27 27
28 #if defined(OS_WIN) 28 #if defined(OS_WIN)
29 #include "base/win/windows_version.h" 29 #include "base/win/windows_version.h"
30 #elif defined(OS_MACOSX) 30 #elif defined(OS_MACOSX)
31 #include "base/mac/mac_util.h" 31 #include "base/mac/mac_util.h"
32 #endif 32 #endif
33 33
34 // Unit tests aren't allowed to access external resources. Unfortunately, to
35 // properly verify the EV-ness of a cert, we need to check for its revocation
36 // through online servers. If you're manually running unit tests, feel free to
37 // turn this on to test EV certs. But leave it turned off for the automated
38 // testing.
39 #define ALLOW_EXTERNAL_ACCESS 0
40
41 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN)
42 #define TEST_EV 1 // Test CERT_STATUS_IS_EV
43 #endif
44
45 using base::HexEncode; 34 using base::HexEncode;
46 using base::Time; 35 using base::Time;
47 36
48 namespace net { 37 namespace net {
49 38
50 // Certificates for test data. They're obtained with: 39 // Certificates for test data. They're obtained with:
51 // 40 //
52 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null 41 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null
53 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der 42 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der
54 // 43 //
(...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after
214 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); 203 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT());
215 204
216 const SHA1Fingerprint& fingerprint = google_cert->fingerprint(); 205 const SHA1Fingerprint& fingerprint = google_cert->fingerprint();
217 for (size_t i = 0; i < 20; ++i) 206 for (size_t i = 0; i < 20; ++i)
218 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); 207 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]);
219 208
220 std::vector<std::string> dns_names; 209 std::vector<std::string> dns_names;
221 google_cert->GetDNSNames(&dns_names); 210 google_cert->GetDNSNames(&dns_names);
222 ASSERT_EQ(1U, dns_names.size()); 211 ASSERT_EQ(1U, dns_names.size());
223 EXPECT_EQ("www.google.com", dns_names[0]); 212 EXPECT_EQ("www.google.com", dns_names[0]);
224
225 #if TEST_EV
226 // TODO(avi): turn this on for the Mac once EV checking is implemented.
227 CertVerifyResult verify_result;
228 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
229 X509Certificate::VERIFY_EV_CERT;
230 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, NULL,
231 &verify_result);
232 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
233 #endif
234 } 213 }
235 214
236 TEST(X509CertificateTest, GoogleCertParsing) { 215 TEST(X509CertificateTest, GoogleCertParsing) {
237 scoped_refptr<X509Certificate> google_cert( 216 scoped_refptr<X509Certificate> google_cert(
238 X509Certificate::CreateFromBytes( 217 X509Certificate::CreateFromBytes(
239 reinterpret_cast<const char*>(google_der), sizeof(google_der))); 218 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
240 219
241 CheckGoogleCert(google_cert, google_fingerprint, 220 CheckGoogleCert(google_cert, google_fingerprint,
242 1238192407, // Mar 27 22:20:07 2009 GMT 221 1238192407, // Mar 27 22:20:07 2009 GMT
243 1269728407); // Mar 27 22:20:07 2010 GMT 222 1269728407); // Mar 27 22:20:07 2010 GMT
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after
283 const SHA1Fingerprint& fingerprint = webkit_cert->fingerprint(); 262 const SHA1Fingerprint& fingerprint = webkit_cert->fingerprint();
284 for (size_t i = 0; i < 20; ++i) 263 for (size_t i = 0; i < 20; ++i)
285 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); 264 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]);
286 265
287 std::vector<std::string> dns_names; 266 std::vector<std::string> dns_names;
288 webkit_cert->GetDNSNames(&dns_names); 267 webkit_cert->GetDNSNames(&dns_names);
289 ASSERT_EQ(2U, dns_names.size()); 268 ASSERT_EQ(2U, dns_names.size());
290 EXPECT_EQ("*.webkit.org", dns_names[0]); 269 EXPECT_EQ("*.webkit.org", dns_names[0]);
291 EXPECT_EQ("webkit.org", dns_names[1]); 270 EXPECT_EQ("webkit.org", dns_names[1]);
292 271
293 #if TEST_EV
294 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
295 X509Certificate::VERIFY_EV_CERT;
296 CertVerifyResult verify_result;
297 EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, NULL, &verify_result));
298 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
299 #endif
300
301 // Test that the wildcard cert matches properly. 272 // Test that the wildcard cert matches properly.
302 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); 273 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org"));
303 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); 274 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org"));
304 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); 275 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org"));
305 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); 276 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com"));
306 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); 277 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com"));
307 } 278 }
308 279
309 TEST(X509CertificateTest, WithoutRevocationChecking) { 280 TEST(X509CertificateTest, WithoutRevocationChecking) {
310 // Check that verification without revocation checking works. 281 // Check that verification without revocation checking works.
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after
363 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT 334 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT
364 335
365 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); 336 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint();
366 for (size_t i = 0; i < 20; ++i) 337 for (size_t i = 0; i < 20; ++i)
367 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); 338 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]);
368 339
369 std::vector<std::string> dns_names; 340 std::vector<std::string> dns_names;
370 thawte_cert->GetDNSNames(&dns_names); 341 thawte_cert->GetDNSNames(&dns_names);
371 ASSERT_EQ(1U, dns_names.size()); 342 ASSERT_EQ(1U, dns_names.size());
372 EXPECT_EQ("www.thawte.com", dns_names[0]); 343 EXPECT_EQ("www.thawte.com", dns_names[0]);
344 }
373 345
374 #if TEST_EV 346 TEST(X509CertificateTest, EVVerification) {
375 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | 347 // This certificate will expire Jun 21, 2013.
376 X509Certificate::VERIFY_EV_CERT; 348 CertificateList certs = CreateCertificateListFromFile(
349 GetTestCertsDirectory(),
350 "comodo.chain.pem",
351 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
352 ASSERT_EQ(3U, certs.size());
353
354 X509Certificate::OSCertHandles intermediates;
355 intermediates.push_back(certs[1]->os_cert_handle());
356 intermediates.push_back(certs[2]->os_cert_handle());
357
358 scoped_refptr<X509Certificate> comodo_chain =
359 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
360 intermediates);
361
377 CertVerifyResult verify_result; 362 CertVerifyResult verify_result;
378 // EV cert verification requires revocation checking. 363 int flags = X509Certificate::VERIFY_EV_CERT;
379 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL, 364 int error = comodo_chain->Verify(
380 &verify_result); 365 "comodo.com", flags, NULL, &verify_result);
366 EXPECT_EQ(OK, error);
wtc 2012/03/08 00:55:26 We need to allow error to be ERR_CERT_DATE_INVALID
381 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); 367 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
382 // Consequently, if we don't have revocation checking enabled, we can't claim
383 // any cert is EV.
384 flags = X509Certificate::VERIFY_EV_CERT;
385 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL,
386 &verify_result));
387 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
388 #endif
389 } 368 }
390 369
391 // Test that all desired AttributeAndValue pairs can be extracted when only 370 // Test that all desired AttributeAndValue pairs can be extracted when only
392 // a single RelativeDistinguishedName is present. "Normally" there is only 371 // a single RelativeDistinguishedName is present. "Normally" there is only
393 // one AVA per RDN, but some CAs place all AVAs within a single RDN. 372 // one AVA per RDN, but some CAs place all AVAs within a single RDN.
394 // This is a regression test for http://crbug.com/101009 373 // This is a regression test for http://crbug.com/101009
395 TEST(X509CertificateTest, MultivalueRDN) { 374 TEST(X509CertificateTest, MultivalueRDN) {
396 FilePath certs_dir = GetTestCertsDirectory(); 375 FilePath certs_dir = GetTestCertsDirectory();
397 376
398 scoped_refptr<X509Certificate> multivalue_rdn_cert = 377 scoped_refptr<X509Certificate> multivalue_rdn_cert =
(...skipping 1616 matching lines...) Expand 10 before | Expand all | Expand 10 after
2015 #define MAYBE_VerifyMixed DISABLED_VerifyMixed 1994 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
2016 #else 1995 #else
2017 #define MAYBE_VerifyMixed VerifyMixed 1996 #define MAYBE_VerifyMixed VerifyMixed
2018 #endif 1997 #endif
2019 WRAPPED_INSTANTIATE_TEST_CASE_P( 1998 WRAPPED_INSTANTIATE_TEST_CASE_P(
2020 MAYBE_VerifyMixed, 1999 MAYBE_VerifyMixed,
2021 X509CertificateWeakDigestTest, 2000 X509CertificateWeakDigestTest,
2022 testing::ValuesIn(kVerifyMixedTestData)); 2001 testing::ValuesIn(kVerifyMixedTestData));
2023 2002
2024 } // namespace net 2003 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698