Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(582)

Side by Side Diff: net/base/x509_certificate_unittest.cc

Issue 9815015: Revert 127988 - net: update certificates for TestKnownRoot and PublicKeyHashes. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "base/file_path.h" 5 #include "base/file_path.h"
6 #include "base/file_util.h" 6 #include "base/file_util.h"
7 #include "base/path_service.h" 7 #include "base/path_service.h"
8 #include "base/pickle.h" 8 #include "base/pickle.h"
9 #include "base/sha1.h" 9 #include "base/sha1.h"
10 #include "base/string_number_conversions.h" 10 #include "base/string_number_conversions.h"
(...skipping 325 matching lines...) Expand 10 before | Expand all | Expand 10 after
336 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint(); 336 const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint();
337 for (size_t i = 0; i < 20; ++i) 337 for (size_t i = 0; i < 20; ++i)
338 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); 338 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]);
339 339
340 std::vector<std::string> dns_names; 340 std::vector<std::string> dns_names;
341 thawte_cert->GetDNSNames(&dns_names); 341 thawte_cert->GetDNSNames(&dns_names);
342 ASSERT_EQ(1U, dns_names.size()); 342 ASSERT_EQ(1U, dns_names.size());
343 EXPECT_EQ("www.thawte.com", dns_names[0]); 343 EXPECT_EQ("www.thawte.com", dns_names[0]);
344 } 344 }
345 345
346 scoped_refptr<X509Certificate> LoadComodoChain() {
347 // This certificate will expire Jun 21, 2013.
348 CertificateList certs = CreateCertificateListFromFile(
349 GetTestCertsDirectory(),
350 "comodo.chain.pem",
351 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
352 CHECK_EQ(3U, certs.size());
353
354 X509Certificate::OSCertHandles intermediates;
355 intermediates.push_back(certs[1]->os_cert_handle());
356 intermediates.push_back(certs[2]->os_cert_handle());
357
358 return X509Certificate::CreateFromHandle(
359 certs[0]->os_cert_handle(), intermediates);
360 }
361
362 #if defined(OS_ANDROID) || defined(USE_OPENSSL) 346 #if defined(OS_ANDROID) || defined(USE_OPENSSL)
363 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. 347 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
364 #define MAYBE_EVVerification DISABLED_EVVerification 348 #define MAYBE_EVVerification DISABLED_EVVerification
365 #else 349 #else
366 #define MAYBE_EVVerification EVVerification 350 #define MAYBE_EVVerification EVVerification
367 #endif 351 #endif
368 TEST(X509CertificateTest, MAYBE_EVVerification) { 352 TEST(X509CertificateTest, MAYBE_EVVerification) {
369 scoped_refptr<X509Certificate> comodo_chain = LoadComodoChain(); 353 // This certificate will expire Jun 21, 2013.
354 CertificateList certs = CreateCertificateListFromFile(
355 GetTestCertsDirectory(),
356 "comodo.chain.pem",
357 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
358 ASSERT_EQ(3U, certs.size());
359
360 X509Certificate::OSCertHandles intermediates;
361 intermediates.push_back(certs[1]->os_cert_handle());
362 intermediates.push_back(certs[2]->os_cert_handle());
363
364 scoped_refptr<X509Certificate> comodo_chain =
365 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
366 intermediates);
370 367
371 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting()); 368 scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting());
372 CertVerifyResult verify_result; 369 CertVerifyResult verify_result;
373 int flags = X509Certificate::VERIFY_EV_CERT; 370 int flags = X509Certificate::VERIFY_EV_CERT;
374 int error = comodo_chain->Verify( 371 int error = comodo_chain->Verify(
375 "comodo.com", flags, crl_set.get(), &verify_result); 372 "comodo.com", flags, crl_set.get(), &verify_result);
376 EXPECT_EQ(OK, error); 373 EXPECT_EQ(OK, error);
377 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); 374 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
378 } 375 }
379 376
(...skipping 417 matching lines...) Expand 10 before | Expand all | Expand 10 after
797 SHA1Fingerprint fingerprint; 794 SHA1Fingerprint fingerprint;
798 ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size()); 795 ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size());
799 memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size()); 796 memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size());
800 public_keys.push_back(fingerprint); 797 public_keys.push_back(fingerprint);
801 798
802 EXPECT_TRUE(X509Certificate::IsPublicKeyBlacklisted(public_keys)) << 799 EXPECT_TRUE(X509Certificate::IsPublicKeyBlacklisted(public_keys)) <<
803 "Public key not blocked for " << kDigiNotarFilenames[i]; 800 "Public key not blocked for " << kDigiNotarFilenames[i];
804 } 801 }
805 } 802 }
806 803
807 TEST(X509CertificateTest, TestKnownRoot) { 804 // Bug 111893: This test needs a new certificate.
808 // This certificate will expire Jun 21, 2013. 805 TEST(X509CertificateTest, DISABLED_TestKnownRoot) {
809 scoped_refptr<X509Certificate> comodo_chain = LoadComodoChain(); 806 FilePath certs_dir = GetTestCertsDirectory();
807 scoped_refptr<X509Certificate> cert =
808 ImportCertFromFile(certs_dir, "nist.der");
809 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
810 810
811 // This intermediate is only needed for old Linux machines. Modern NSS
812 // includes it as a root already.
813 scoped_refptr<X509Certificate> intermediate_cert =
814 ImportCertFromFile(certs_dir, "nist_intermediate.der");
815 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
816
817 X509Certificate::OSCertHandles intermediates;
818 intermediates.push_back(intermediate_cert->os_cert_handle());
819 scoped_refptr<X509Certificate> cert_chain =
820 X509Certificate::CreateFromHandle(cert->os_cert_handle(),
821 intermediates);
822
823 int flags = 0;
811 CertVerifyResult verify_result; 824 CertVerifyResult verify_result;
812 int flags = 0; 825 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
813 int error = comodo_chain->Verify( 826 // against agl. Also see PublicKeyHashes in this file.
814 "comodo.com", flags, NULL, &verify_result); 827 int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
815 EXPECT_EQ(OK, error); 828 EXPECT_EQ(OK, error);
816 EXPECT_EQ(0U, verify_result.cert_status); 829 EXPECT_EQ(0U, verify_result.cert_status);
817 EXPECT_TRUE(verify_result.is_issued_by_known_root); 830 EXPECT_TRUE(verify_result.is_issued_by_known_root);
818 } 831 }
819 832
833 // This is the SHA1 hash of the SubjectPublicKeyInfo of nist.der.
834 static const char nistSPKIHash[] =
835 "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82"
836 "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35";
837
820 TEST(X509CertificateTest, ExtractSPKIFromDERCert) { 838 TEST(X509CertificateTest, ExtractSPKIFromDERCert) {
821 scoped_refptr<X509Certificate> cert = LoadComodoChain(); 839 FilePath certs_dir = GetTestCertsDirectory();
840 scoped_refptr<X509Certificate> cert =
841 ImportCertFromFile(certs_dir, "nist.der");
842 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
822 843
823 std::string derBytes; 844 std::string derBytes;
824 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), 845 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
825 &derBytes)); 846 &derBytes));
826 847
827 base::StringPiece spkiBytes; 848 base::StringPiece spkiBytes;
828 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); 849 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes));
829 850
830 uint8 hash[base::kSHA1Length]; 851 uint8 hash[base::kSHA1Length];
831 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), 852 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
832 spkiBytes.size(), hash); 853 spkiBytes.size(), hash);
833 854
834 EXPECT_EQ(0, memcmp(hash, kComodoSPKIHash, sizeof(hash))); 855 EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash)));
835 } 856 }
836 857
837 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { 858 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
838 scoped_refptr<X509Certificate> cert = LoadComodoChain(); 859 FilePath certs_dir = GetTestCertsDirectory();
860 scoped_refptr<X509Certificate> cert =
861 ImportCertFromFile(certs_dir, "nist.der");
862 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
839 863
840 std::string derBytes; 864 std::string derBytes;
841 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), 865 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
842 &derBytes)); 866 &derBytes));
843 867
844 std::vector<base::StringPiece> crl_urls; 868 std::vector<base::StringPiece> crl_urls;
845 EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls)); 869 EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls));
846 870
847 EXPECT_EQ(1u, crl_urls.size()); 871 EXPECT_EQ(1u, crl_urls.size());
848 if (crl_urls.size() > 0) { 872 if (crl_urls.size() > 0) {
849 EXPECT_EQ( 873 EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl",
850 "http://crl.comodoca.com/COMODOExtendedValidationSecureServerCA.crl", 874 crl_urls[0].as_string());
851 crl_urls[0].as_string());
852 } 875 }
853 } 876 }
854 877
855 // Bug 111893: This test needs a new certificate. 878 // Bug 111893: This test needs a new certificate.
Ryan Sleevi 2012/03/21 19:47:36 agl: When you reland, can you nuke this line as we
856 TEST(X509CertificateTest, PublicKeyHashes) { 879 TEST(X509CertificateTest, DISABLED_PublicKeyHashes) {
857 // This certificate will expire Jun 21, 2013. 880 FilePath certs_dir = GetTestCertsDirectory();
858 scoped_refptr<X509Certificate> cert_chain = LoadComodoChain(); 881 // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
882 // against agl. Also see TestKnownRoot in this file.
883 scoped_refptr<X509Certificate> cert =
884 ImportCertFromFile(certs_dir, "nist.der");
885 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
886
887 // This intermediate is only needed for old Linux machines. Modern NSS
888 // includes it as a root already.
889 scoped_refptr<X509Certificate> intermediate_cert =
890 ImportCertFromFile(certs_dir, "nist_intermediate.der");
891 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
892
893 ScopedTestRoot scoped_intermediate(intermediate_cert);
894
895 X509Certificate::OSCertHandles intermediates;
896 intermediates.push_back(intermediate_cert->os_cert_handle());
897 scoped_refptr<X509Certificate> cert_chain =
898 X509Certificate::CreateFromHandle(cert->os_cert_handle(),
899 intermediates);
900
859 int flags = 0; 901 int flags = 0;
860 CertVerifyResult verify_result; 902 CertVerifyResult verify_result;
861 903
862 int error = cert_chain->Verify("www.comodo.com", flags, NULL, &verify_result); 904 int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
863 EXPECT_EQ(OK, error); 905 EXPECT_EQ(OK, error);
864 EXPECT_EQ(0U, verify_result.cert_status); 906 EXPECT_EQ(0U, verify_result.cert_status);
865 ASSERT_LE(2u, verify_result.public_key_hashes.size()); 907 ASSERT_LE(2u, verify_result.public_key_hashes.size());
866 EXPECT_EQ(HexEncode(kComodoSPKIHash, base::kSHA1Length), 908 EXPECT_EQ(HexEncode(nistSPKIHash, base::kSHA1Length),
867 HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length)); 909 HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length));
868 EXPECT_EQ("43B45EFA6EAF6E116CDCE2F579F21607A5EA5179", 910 EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD",
869 HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length)); 911 HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length));
870 } 912 }
871 913
872 // A regression test for http://crbug.com/70293. 914 // A regression test for http://crbug.com/70293.
873 // The Key Usage extension in this RSA SSL server certificate does not have 915 // The Key Usage extension in this RSA SSL server certificate does not have
874 // the keyEncipherment bit. 916 // the keyEncipherment bit.
875 TEST(X509CertificateTest, InvalidKeyUsage) { 917 TEST(X509CertificateTest, InvalidKeyUsage) {
876 FilePath certs_dir = GetTestCertsDirectory(); 918 FilePath certs_dir = GetTestCertsDirectory();
877 919
878 scoped_refptr<X509Certificate> server_cert = 920 scoped_refptr<X509Certificate> server_cert =
(...skipping 1080 matching lines...) Expand 10 before | Expand all | Expand 10 after
1959 #define MAYBE_VerifyMixed DISABLED_VerifyMixed 2001 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
1960 #else 2002 #else
1961 #define MAYBE_VerifyMixed VerifyMixed 2003 #define MAYBE_VerifyMixed VerifyMixed
1962 #endif 2004 #endif
1963 WRAPPED_INSTANTIATE_TEST_CASE_P( 2005 WRAPPED_INSTANTIATE_TEST_CASE_P(
1964 MAYBE_VerifyMixed, 2006 MAYBE_VerifyMixed,
1965 X509CertificateWeakDigestTest, 2007 X509CertificateWeakDigestTest,
1966 testing::ValuesIn(kVerifyMixedTestData)); 2008 testing::ValuesIn(kVerifyMixedTestData));
1967 2009
1968 } // namespace net 2010 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698