Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(347)

Unified Diff: net/base/x509_certificate_unittest.cc

Issue 9815015: Revert 127988 - net: update certificates for TestKnownRoot and PublicKeyHashes. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/base/x509_certificate_unittest.cc
===================================================================
--- net/base/x509_certificate_unittest.cc (revision 127992)
+++ net/base/x509_certificate_unittest.cc (working copy)
@@ -343,31 +343,28 @@
EXPECT_EQ("www.thawte.com", dns_names[0]);
}
-scoped_refptr<X509Certificate> LoadComodoChain() {
+#if defined(OS_ANDROID) || defined(USE_OPENSSL)
+// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
+#define MAYBE_EVVerification DISABLED_EVVerification
+#else
+#define MAYBE_EVVerification EVVerification
+#endif
+TEST(X509CertificateTest, MAYBE_EVVerification) {
// This certificate will expire Jun 21, 2013.
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(),
"comodo.chain.pem",
X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
- CHECK_EQ(3U, certs.size());
+ ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
intermediates.push_back(certs[2]->os_cert_handle());
- return X509Certificate::CreateFromHandle(
- certs[0]->os_cert_handle(), intermediates);
-}
+ scoped_refptr<X509Certificate> comodo_chain =
+ X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+ intermediates);
-#if defined(OS_ANDROID) || defined(USE_OPENSSL)
-// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
-#define MAYBE_EVVerification DISABLED_EVVerification
-#else
-#define MAYBE_EVVerification EVVerification
-#endif
-TEST(X509CertificateTest, MAYBE_EVVerification) {
- scoped_refptr<X509Certificate> comodo_chain = LoadComodoChain();
-
scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting());
CertVerifyResult verify_result;
int flags = X509Certificate::VERIFY_EV_CERT;
@@ -804,21 +801,45 @@
}
}
-TEST(X509CertificateTest, TestKnownRoot) {
- // This certificate will expire Jun 21, 2013.
- scoped_refptr<X509Certificate> comodo_chain = LoadComodoChain();
+// Bug 111893: This test needs a new certificate.
+TEST(X509CertificateTest, DISABLED_TestKnownRoot) {
+ FilePath certs_dir = GetTestCertsDirectory();
+ scoped_refptr<X509Certificate> cert =
+ ImportCertFromFile(certs_dir, "nist.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
+ // This intermediate is only needed for old Linux machines. Modern NSS
+ // includes it as a root already.
+ scoped_refptr<X509Certificate> intermediate_cert =
+ ImportCertFromFile(certs_dir, "nist_intermediate.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(intermediate_cert->os_cert_handle());
+ scoped_refptr<X509Certificate> cert_chain =
+ X509Certificate::CreateFromHandle(cert->os_cert_handle(),
+ intermediates);
+
+ int flags = 0;
CertVerifyResult verify_result;
- int flags = 0;
- int error = comodo_chain->Verify(
- "comodo.com", flags, NULL, &verify_result);
+ // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
+ // against agl. Also see PublicKeyHashes in this file.
+ int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_known_root);
}
+// This is the SHA1 hash of the SubjectPublicKeyInfo of nist.der.
+static const char nistSPKIHash[] =
+ "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82"
+ "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35";
+
TEST(X509CertificateTest, ExtractSPKIFromDERCert) {
- scoped_refptr<X509Certificate> cert = LoadComodoChain();
+ FilePath certs_dir = GetTestCertsDirectory();
+ scoped_refptr<X509Certificate> cert =
+ ImportCertFromFile(certs_dir, "nist.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
std::string derBytes;
EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
@@ -831,11 +852,14 @@
base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
spkiBytes.size(), hash);
- EXPECT_EQ(0, memcmp(hash, kComodoSPKIHash, sizeof(hash)));
+ EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash)));
}
TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
- scoped_refptr<X509Certificate> cert = LoadComodoChain();
+ FilePath certs_dir = GetTestCertsDirectory();
+ scoped_refptr<X509Certificate> cert =
+ ImportCertFromFile(certs_dir, "nist.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
std::string derBytes;
EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
@@ -846,26 +870,44 @@
EXPECT_EQ(1u, crl_urls.size());
if (crl_urls.size() > 0) {
- EXPECT_EQ(
- "http://crl.comodoca.com/COMODOExtendedValidationSecureServerCA.crl",
- crl_urls[0].as_string());
+ EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl",
+ crl_urls[0].as_string());
}
}
// Bug 111893: This test needs a new certificate.
Ryan Sleevi 2012/03/21 19:47:36 agl: When you reland, can you nuke this line as we
-TEST(X509CertificateTest, PublicKeyHashes) {
- // This certificate will expire Jun 21, 2013.
- scoped_refptr<X509Certificate> cert_chain = LoadComodoChain();
+TEST(X509CertificateTest, DISABLED_PublicKeyHashes) {
+ FilePath certs_dir = GetTestCertsDirectory();
+ // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
+ // against agl. Also see TestKnownRoot in this file.
+ scoped_refptr<X509Certificate> cert =
+ ImportCertFromFile(certs_dir, "nist.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
+
+ // This intermediate is only needed for old Linux machines. Modern NSS
+ // includes it as a root already.
+ scoped_refptr<X509Certificate> intermediate_cert =
+ ImportCertFromFile(certs_dir, "nist_intermediate.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
+
+ ScopedTestRoot scoped_intermediate(intermediate_cert);
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(intermediate_cert->os_cert_handle());
+ scoped_refptr<X509Certificate> cert_chain =
+ X509Certificate::CreateFromHandle(cert->os_cert_handle(),
+ intermediates);
+
int flags = 0;
CertVerifyResult verify_result;
- int error = cert_chain->Verify("www.comodo.com", flags, NULL, &verify_result);
+ int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
ASSERT_LE(2u, verify_result.public_key_hashes.size());
- EXPECT_EQ(HexEncode(kComodoSPKIHash, base::kSHA1Length),
+ EXPECT_EQ(HexEncode(nistSPKIHash, base::kSHA1Length),
HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length));
- EXPECT_EQ("43B45EFA6EAF6E116CDCE2F579F21607A5EA5179",
+ EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD",
HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length));
}

Powered by Google App Engine
This is Rietveld 408576698