Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 325 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 336 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); | 336 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); |
| 337 for (size_t i = 0; i < 20; ++i) | 337 for (size_t i = 0; i < 20; ++i) |
| 338 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); | 338 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); |
| 339 | 339 |
| 340 std::vector<std::string> dns_names; | 340 std::vector<std::string> dns_names; |
| 341 thawte_cert->GetDNSNames(&dns_names); | 341 thawte_cert->GetDNSNames(&dns_names); |
| 342 ASSERT_EQ(1U, dns_names.size()); | 342 ASSERT_EQ(1U, dns_names.size()); |
| 343 EXPECT_EQ("www.thawte.com", dns_names[0]); | 343 EXPECT_EQ("www.thawte.com", dns_names[0]); |
| 344 } | 344 } |
| 345 | 345 |
| 346 scoped_refptr<X509Certificate> LoadComodoChain() { | |
| 347 // This certificate will expire Jun 21, 2013. | |
| 348 CertificateList certs = CreateCertificateListFromFile( | |
| 349 GetTestCertsDirectory(), | |
| 350 "comodo.chain.pem", | |
| 351 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | |
| 352 CHECK_EQ(3U, certs.size()); | |
| 353 | |
| 354 X509Certificate::OSCertHandles intermediates; | |
| 355 intermediates.push_back(certs[1]->os_cert_handle()); | |
| 356 intermediates.push_back(certs[2]->os_cert_handle()); | |
| 357 | |
| 358 return X509Certificate::CreateFromHandle( | |
| 359 certs[0]->os_cert_handle(), intermediates); | |
| 360 } | |
| 361 | |
| 362 #if defined(OS_ANDROID) || defined(USE_OPENSSL) | 346 #if defined(OS_ANDROID) || defined(USE_OPENSSL) |
| 363 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 347 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| 364 #define MAYBE_EVVerification DISABLED_EVVerification | 348 #define MAYBE_EVVerification DISABLED_EVVerification |
| 365 #else | 349 #else |
| 366 #define MAYBE_EVVerification EVVerification | 350 #define MAYBE_EVVerification EVVerification |
| 367 #endif | 351 #endif |
| 368 TEST(X509CertificateTest, MAYBE_EVVerification) { | 352 TEST(X509CertificateTest, MAYBE_EVVerification) { |
| 369 scoped_refptr<X509Certificate> comodo_chain = LoadComodoChain(); | 353 // This certificate will expire Jun 21, 2013. |
| 354 CertificateList certs = CreateCertificateListFromFile( | |
| 355 GetTestCertsDirectory(), | |
| 356 "comodo.chain.pem", | |
| 357 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); | |
| 358 ASSERT_EQ(3U, certs.size()); | |
| 359 | |
| 360 X509Certificate::OSCertHandles intermediates; | |
| 361 intermediates.push_back(certs[1]->os_cert_handle()); | |
| 362 intermediates.push_back(certs[2]->os_cert_handle()); | |
| 363 | |
| 364 scoped_refptr<X509Certificate> comodo_chain = | |
| 365 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), | |
| 366 intermediates); | |
| 370 | 367 |
| 371 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting()); | 368 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting()); |
| 372 CertVerifyResult verify_result; | 369 CertVerifyResult verify_result; |
| 373 int flags = X509Certificate::VERIFY_EV_CERT; | 370 int flags = X509Certificate::VERIFY_EV_CERT; |
| 374 int error = comodo_chain->Verify( | 371 int error = comodo_chain->Verify( |
| 375 "comodo.com", flags, crl_set.get(), &verify_result); | 372 "comodo.com", flags, crl_set.get(), &verify_result); |
| 376 EXPECT_EQ(OK, error); | 373 EXPECT_EQ(OK, error); |
| 377 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 374 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 378 } | 375 } |
| 379 | 376 |
| (...skipping 417 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 797 SHA1Fingerprint fingerprint; | 794 SHA1Fingerprint fingerprint; |
| 798 ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size()); | 795 ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size()); |
| 799 memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size()); | 796 memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size()); |
| 800 public_keys.push_back(fingerprint); | 797 public_keys.push_back(fingerprint); |
| 801 | 798 |
| 802 EXPECT_TRUE(X509Certificate::IsPublicKeyBlacklisted(public_keys)) << | 799 EXPECT_TRUE(X509Certificate::IsPublicKeyBlacklisted(public_keys)) << |
| 803 "Public key not blocked for " << kDigiNotarFilenames[i]; | 800 "Public key not blocked for " << kDigiNotarFilenames[i]; |
| 804 } | 801 } |
| 805 } | 802 } |
| 806 | 803 |
| 807 TEST(X509CertificateTest, TestKnownRoot) { | 804 // Bug 111893: This test needs a new certificate. |
| 808 // This certificate will expire Jun 21, 2013. | 805 TEST(X509CertificateTest, DISABLED_TestKnownRoot) { |
| 809 scoped_refptr<X509Certificate> comodo_chain = LoadComodoChain(); | 806 FilePath certs_dir = GetTestCertsDirectory(); |
| 807 scoped_refptr<X509Certificate> cert = | |
| 808 ImportCertFromFile(certs_dir, "nist.der"); | |
| 809 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | |
| 810 | 810 |
| 811 // This intermediate is only needed for old Linux machines. Modern NSS | |
| 812 // includes it as a root already. | |
| 813 scoped_refptr<X509Certificate> intermediate_cert = | |
| 814 ImportCertFromFile(certs_dir, "nist_intermediate.der"); | |
| 815 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | |
| 816 | |
| 817 X509Certificate::OSCertHandles intermediates; | |
| 818 intermediates.push_back(intermediate_cert->os_cert_handle()); | |
| 819 scoped_refptr<X509Certificate> cert_chain = | |
| 820 X509Certificate::CreateFromHandle(cert->os_cert_handle(), | |
| 821 intermediates); | |
| 822 | |
| 823 int flags = 0; | |
| 811 CertVerifyResult verify_result; | 824 CertVerifyResult verify_result; |
| 812 int flags = 0; | 825 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug |
| 813 int error = comodo_chain->Verify( | 826 // against agl. Also see PublicKeyHashes in this file. |
| 814 "comodo.com", flags, NULL, &verify_result); | 827 int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result); |
| 815 EXPECT_EQ(OK, error); | 828 EXPECT_EQ(OK, error); |
| 816 EXPECT_EQ(0U, verify_result.cert_status); | 829 EXPECT_EQ(0U, verify_result.cert_status); |
| 817 EXPECT_TRUE(verify_result.is_issued_by_known_root); | 830 EXPECT_TRUE(verify_result.is_issued_by_known_root); |
| 818 } | 831 } |
| 819 | 832 |
| 833 // This is the SHA1 hash of the SubjectPublicKeyInfo of nist.der. | |
| 834 static const char nistSPKIHash[] = | |
| 835 "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82" | |
| 836 "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35"; | |
| 837 | |
| 820 TEST(X509CertificateTest, ExtractSPKIFromDERCert) { | 838 TEST(X509CertificateTest, ExtractSPKIFromDERCert) { |
| 821 scoped_refptr<X509Certificate> cert = LoadComodoChain(); | 839 FilePath certs_dir = GetTestCertsDirectory(); |
| 840 scoped_refptr<X509Certificate> cert = | |
| 841 ImportCertFromFile(certs_dir, "nist.der"); | |
| 842 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | |
| 822 | 843 |
| 823 std::string derBytes; | 844 std::string derBytes; |
| 824 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 845 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
| 825 &derBytes)); | 846 &derBytes)); |
| 826 | 847 |
| 827 base::StringPiece spkiBytes; | 848 base::StringPiece spkiBytes; |
| 828 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); | 849 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); |
| 829 | 850 |
| 830 uint8 hash[base::kSHA1Length]; | 851 uint8 hash[base::kSHA1Length]; |
| 831 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), | 852 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), |
| 832 spkiBytes.size(), hash); | 853 spkiBytes.size(), hash); |
| 833 | 854 |
| 834 EXPECT_EQ(0, memcmp(hash, kComodoSPKIHash, sizeof(hash))); | 855 EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash))); |
| 835 } | 856 } |
| 836 | 857 |
| 837 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { | 858 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { |
| 838 scoped_refptr<X509Certificate> cert = LoadComodoChain(); | 859 FilePath certs_dir = GetTestCertsDirectory(); |
| 860 scoped_refptr<X509Certificate> cert = | |
| 861 ImportCertFromFile(certs_dir, "nist.der"); | |
| 862 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | |
| 839 | 863 |
| 840 std::string derBytes; | 864 std::string derBytes; |
| 841 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 865 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
| 842 &derBytes)); | 866 &derBytes)); |
| 843 | 867 |
| 844 std::vector<base::StringPiece> crl_urls; | 868 std::vector<base::StringPiece> crl_urls; |
| 845 EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls)); | 869 EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls)); |
| 846 | 870 |
| 847 EXPECT_EQ(1u, crl_urls.size()); | 871 EXPECT_EQ(1u, crl_urls.size()); |
| 848 if (crl_urls.size() > 0) { | 872 if (crl_urls.size() > 0) { |
| 849 EXPECT_EQ( | 873 EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl", |
| 850 "http://crl.comodoca.com/COMODOExtendedValidationSecureServerCA.crl", | 874 crl_urls[0].as_string()); |
| 851 crl_urls[0].as_string()); | |
| 852 } | 875 } |
| 853 } | 876 } |
| 854 | 877 |
| 855 // Bug 111893: This test needs a new certificate. | 878 // Bug 111893: This test needs a new certificate. |
|
Ryan Sleevi
2012/03/21 19:47:36
agl: When you reland, can you nuke this line as we
| |
| 856 TEST(X509CertificateTest, PublicKeyHashes) { | 879 TEST(X509CertificateTest, DISABLED_PublicKeyHashes) { |
| 857 // This certificate will expire Jun 21, 2013. | 880 FilePath certs_dir = GetTestCertsDirectory(); |
| 858 scoped_refptr<X509Certificate> cert_chain = LoadComodoChain(); | 881 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug |
| 882 // against agl. Also see TestKnownRoot in this file. | |
| 883 scoped_refptr<X509Certificate> cert = | |
| 884 ImportCertFromFile(certs_dir, "nist.der"); | |
| 885 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | |
| 886 | |
| 887 // This intermediate is only needed for old Linux machines. Modern NSS | |
| 888 // includes it as a root already. | |
| 889 scoped_refptr<X509Certificate> intermediate_cert = | |
| 890 ImportCertFromFile(certs_dir, "nist_intermediate.der"); | |
| 891 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); | |
| 892 | |
| 893 ScopedTestRoot scoped_intermediate(intermediate_cert); | |
| 894 | |
| 895 X509Certificate::OSCertHandles intermediates; | |
| 896 intermediates.push_back(intermediate_cert->os_cert_handle()); | |
| 897 scoped_refptr<X509Certificate> cert_chain = | |
| 898 X509Certificate::CreateFromHandle(cert->os_cert_handle(), | |
| 899 intermediates); | |
| 900 | |
| 859 int flags = 0; | 901 int flags = 0; |
| 860 CertVerifyResult verify_result; | 902 CertVerifyResult verify_result; |
| 861 | 903 |
| 862 int error = cert_chain->Verify("www.comodo.com", flags, NULL, &verify_result); | 904 int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result); |
| 863 EXPECT_EQ(OK, error); | 905 EXPECT_EQ(OK, error); |
| 864 EXPECT_EQ(0U, verify_result.cert_status); | 906 EXPECT_EQ(0U, verify_result.cert_status); |
| 865 ASSERT_LE(2u, verify_result.public_key_hashes.size()); | 907 ASSERT_LE(2u, verify_result.public_key_hashes.size()); |
| 866 EXPECT_EQ(HexEncode(kComodoSPKIHash, base::kSHA1Length), | 908 EXPECT_EQ(HexEncode(nistSPKIHash, base::kSHA1Length), |
| 867 HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length)); | 909 HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length)); |
| 868 EXPECT_EQ("43B45EFA6EAF6E116CDCE2F579F21607A5EA5179", | 910 EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD", |
| 869 HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length)); | 911 HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length)); |
| 870 } | 912 } |
| 871 | 913 |
| 872 // A regression test for http://crbug.com/70293. | 914 // A regression test for http://crbug.com/70293. |
| 873 // The Key Usage extension in this RSA SSL server certificate does not have | 915 // The Key Usage extension in this RSA SSL server certificate does not have |
| 874 // the keyEncipherment bit. | 916 // the keyEncipherment bit. |
| 875 TEST(X509CertificateTest, InvalidKeyUsage) { | 917 TEST(X509CertificateTest, InvalidKeyUsage) { |
| 876 FilePath certs_dir = GetTestCertsDirectory(); | 918 FilePath certs_dir = GetTestCertsDirectory(); |
| 877 | 919 |
| 878 scoped_refptr<X509Certificate> server_cert = | 920 scoped_refptr<X509Certificate> server_cert = |
| (...skipping 1080 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1959 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 2001 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1960 #else | 2002 #else |
| 1961 #define MAYBE_VerifyMixed VerifyMixed | 2003 #define MAYBE_VerifyMixed VerifyMixed |
| 1962 #endif | 2004 #endif |
| 1963 WRAPPED_INSTANTIATE_TEST_CASE_P( | 2005 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1964 MAYBE_VerifyMixed, | 2006 MAYBE_VerifyMixed, |
| 1965 X509CertificateWeakDigestTest, | 2007 X509CertificateWeakDigestTest, |
| 1966 testing::ValuesIn(kVerifyMixedTestData)); | 2008 testing::ValuesIn(kVerifyMixedTestData)); |
| 1967 | 2009 |
| 1968 } // namespace net | 2010 } // namespace net |
| OLD | NEW |