15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2012 The Chromium Authors. All rights reserved. 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/cert_verify_proc.h" 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <vector> 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 9424c4d7b64af9d0d8fd9624f381f469654d5e3d2Torne (Richard Coles)#include "base/callback_helpers.h" 102a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include "base/files/file_path.h" 111320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci#include "base/files/file_util.h" 122a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include "base/logging.h" 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/sha1.h" 145e3f23d412006dc4db4e659864679f29341e113fTorne (Richard Coles)#include "base/strings/string_number_conversions.h" 15c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "crypto/sha2.h" 165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "net/base/net_errors.h" 175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "net/base/test_data_directory.h" 18c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/asn1_util.h" 19c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/cert_status_flags.h" 20c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/cert_verifier.h" 21c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/cert_verify_result.h" 22c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/crl_set.h" 23116680a4aac90f2aa7413d9095a592090648e557Ben Murdoch#include "net/cert/crl_set_storage.h" 24c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/test_root_certs.h" 25c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/x509_certificate.h" 26c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/test/cert_test_util.h" 27c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/test/test_certificate_data.h" 285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "testing/gtest/include/gtest/gtest.h" 295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(OS_WIN) 315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/win/windows_version.h" 325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#elif defined(OS_MACOSX) && !defined(OS_IOS) 335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/mac/mac_util.h" 345d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#elif defined(OS_ANDROID) 355d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#include "base/android/build_info.h" 365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)using base::HexEncode; 395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace net { 415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace { 435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// A certificate for www.paypal.com with a NULL byte in the common name. 455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)unsigned char paypal_null_fingerprint[] = { 475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba, 485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5190dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)// Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root| 5290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)// for all certificates that are Verified. 5390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)class WellKnownCaCertVerifyProc : public CertVerifyProc { 5490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) public: 5590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) // Initialize a CertVerifyProc that will set 5690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) // |verify_result->is_issued_by_known_root| to |is_well_known|. 5790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) explicit WellKnownCaCertVerifyProc(bool is_well_known) 5890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) : is_well_known_(is_well_known) {} 5990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 6090dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) // CertVerifyProc implementation: 6190dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; } 6290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 6390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) protected: 6490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) virtual ~WellKnownCaCertVerifyProc() {} 6590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 6690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) private: 6790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) virtual int VerifyInternal(X509Certificate* cert, 6890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) const std::string& hostname, 6990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) int flags, 7090dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) CRLSet* crl_set, 7190dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) const CertificateList& additional_trust_anchors, 7290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) CertVerifyResult* verify_result) OVERRIDE; 7390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 7490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) const bool is_well_known_; 7590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 7690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc); 7790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)}; 7890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 7990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)int WellKnownCaCertVerifyProc::VerifyInternal( 8090dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) X509Certificate* cert, 8190dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) const std::string& hostname, 8290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) int flags, 8390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) CRLSet* crl_set, 8490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) const CertificateList& additional_trust_anchors, 8590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) CertVerifyResult* verify_result) { 8690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) verify_result->is_issued_by_known_root = is_well_known_; 8790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) return OK; 8890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)} 8990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 905d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)bool SupportsReturningVerifiedChain() { 915d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#if defined(OS_ANDROID) 925d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // Before API level 17, Android does not expose the APIs necessary to get at 935d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // the verified certificate chain. 945d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) 955d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return false; 965d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#endif 975d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return true; 985d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)} 995d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 1005d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)bool SupportsDetectingKnownRoots() { 1015d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#if defined(OS_ANDROID) 102cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) // Before API level 17, Android does not expose the APIs necessary to get at 103cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) // the verified certificate chain and detect known roots. 104cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) 105cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) return false; 1065d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#endif 1075d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return true; 1085d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)} 1095d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 1105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace 1115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)class CertVerifyProcTest : public testing::Test { 1135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) public: 1145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyProcTest() 1155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) : verify_proc_(CertVerifyProc::CreateDefault()) { 1165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 1175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) virtual ~CertVerifyProcTest() {} 1185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) protected: 1202a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) bool SupportsAdditionalTrustAnchors() { 1212a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) return verify_proc_->SupportsAdditionalTrustAnchors(); 1222a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) } 1232a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 1245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int Verify(X509Certificate* cert, 1255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const std::string& hostname, 1265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags, 1275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CRLSet* crl_set, 1282a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) const CertificateList& additional_trust_anchors, 1295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult* verify_result) { 1305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return verify_proc_->Verify(cert, hostname, flags, crl_set, 1312a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) additional_trust_anchors, verify_result); 1325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 1335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1342a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) const CertificateList empty_cert_list_; 1355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<CertVerifyProc> verify_proc_; 1365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 1375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1384e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles)TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) { 1395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Check that verification without revocation checking works. 1405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 1415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) GetTestCertsDirectory(), 1425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "googlenew.chain.pem", 1435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::FORMAT_PEM_CERT_SEQUENCE); 1445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 1465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 1475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> google_full_chain = 1495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 1505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 1515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 153868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) EXPECT_EQ(OK, 154868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) Verify(google_full_chain.get(), 155868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "www.google.com", 156868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) 0 /* flags */, 157868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 158868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 159868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result)); 1605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 1615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 162effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS) 1635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. 1645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_EVVerification DISABLED_EVVerification 1655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else 1665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_EVVerification EVVerification 1675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 1685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { 1695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 1705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) GetTestCertsDirectory(), 1715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "comodo.chain.pem", 1725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::FORMAT_PEM_CERT_SEQUENCE); 1735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(3U, certs.size()); 1745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 1765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 1775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[2]->os_cert_handle()); 1785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> comodo_chain = 1805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 1815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 1825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 183a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, "")); 1845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 1855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = CertVerifier::VERIFY_EV_CERT; 186868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(comodo_chain.get(), 187868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "comodo.com", 188868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 189868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) crl_set.get(), 190868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 191868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 1925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 1935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); 1945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 1955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { 1975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> paypal_null_cert( 1985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromBytes( 1995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) reinterpret_cast<const char*>(paypal_null_der), 2005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) sizeof(paypal_null_der))); 2015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2021320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert.get()); 2035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const SHA1HashValue& fingerprint = 2055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) paypal_null_cert->fingerprint(); 2065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) for (size_t i = 0; i < 20; ++i) 2075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); 2085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 2105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 211868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(paypal_null_cert.get(), 212868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "www.paypal.com", 213868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 214868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 215868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 216868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 2172a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID) 2185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); 2195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else 2205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TOOD(bulach): investigate why macosx and win aren't returning 2215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. 2225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 2235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 2245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Either the system crypto library should correctly report a certificate 2255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // name mismatch, or our certificate blacklist should cause us to report an 2265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // invalid certificate. 2275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS) 2285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(verify_result.cert_status & 2295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); 2305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 2315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 2325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// A regression test for http://crbug.com/31497. 234558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch#if defined(OS_ANDROID) 235558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch// Disabled on Android, as the Android verification libraries require an 236558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch// explicit policy to be specified, even when anyPolicy is permitted. 237558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch#define MAYBE_IntermediateCARequireExplicitPolicy \ 238558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch DISABLED_IntermediateCARequireExplicitPolicy 239558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch#else 240558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch#define MAYBE_IntermediateCARequireExplicitPolicy \ 241558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch IntermediateCARequireExplicitPolicy 242558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch#endif 243558790d6acca3451cf3a6b497803a5f07d0bec58Ben MurdochTEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) { 2442a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 2455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 246558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch CertificateList certs = CreateCertificateListFromFile( 247558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch certs_dir, "explicit-policy-chain.pem", 248558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch X509Certificate::FORMAT_AUTO); 249558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch ASSERT_EQ(3U, certs.size()); 2505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 252558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch intermediates.push_back(certs[1]->os_cert_handle()); 253558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch 254558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch scoped_refptr<X509Certificate> cert = 255558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 2565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 257558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch ASSERT_TRUE(cert.get()); 258558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch 259558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch ScopedTestRoot scoped_root(certs[2].get()); 2605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 2625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 263558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch int error = Verify(cert.get(), 264558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch "policy_test.example", 265868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 266868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 267868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 268868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 269558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch EXPECT_EQ(OK, error); 270558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch EXPECT_EQ(0u, verify_result.cert_status); 2715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 2725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Test for bug 58437. 2745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// This certificate will expire on 2011-12-21. The test will still 2755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// pass if error == ERR_CERT_DATE_INVALID. 2765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// This test is DISABLED because it appears that we cannot do 2775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// certificate revocation checking when running all of the net unit tests. 2785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// This test passes when run individually, but when run with all of the net 2795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is 2805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation 2815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// status, i.e. that the revocation check is failing for some reason. 2825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) { 2832a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 2845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> server_cert = 2865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem"); 2871320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); 2885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> intermediate_cert = 2905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem"); 2911320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get()); 2925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 2945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(intermediate_cert->os_cert_handle()); 2955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> cert_chain = 2965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 2975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 2985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 3005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED | 3015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifier::VERIFY_EV_CERT; 302868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(cert_chain.get(), 303868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "2029.globalsign.com", 304868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 305868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 306868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 307868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 3085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (error == OK) 3095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); 3105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) else 3115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_DATE_INVALID, error); 3125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 3135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Test that verifying an ECDSA certificate doesn't crash on XP. (See 3155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// crbug.com/144466). 3165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, ECDSA_RSA) { 3172a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 3185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> cert = 3205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, 3215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); 3225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 324868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result); 3255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // We don't check verify_result because the certificate is signed by an 3275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // unknown CA and will be considered invalid on XP because of the ECDSA 3285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // public key. 3295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 3305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Currently, only RSA and DSA keys are checked for weakness, and our example 3325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// weak size is 768. These could change in the future. 3335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// 3345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Note that this means there may be false negatives: keys for other 3355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// algorithms and which are weak will pass this test. 3365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)static bool IsWeakKeyType(const std::string& key_type) { 3375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) size_t pos = key_type.find("-"); 3385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) std::string size = key_type.substr(0, pos); 3395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) std::string type = key_type.substr(pos + 1); 3405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (type == "rsa" || type == "dsa") 3425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return size == "768"; 3435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 3455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 3465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, RejectWeakKeys) { 3482a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 3495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) typedef std::vector<std::string> Strings; 3505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) Strings key_types; 3515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // generate-weak-test-chains.sh currently has: 3535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa" 3545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // We must use the same key types here. The filenames generated look like: 3555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // 2048-rsa-ee-by-768-rsa-intermediate.pem 3565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) key_types.push_back("768-rsa"); 3575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) key_types.push_back("1024-rsa"); 3585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) key_types.push_back("2048-rsa"); 3595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) bool use_ecdsa = true; 3615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(OS_WIN) 3625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP; 3635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (use_ecdsa) 3665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) key_types.push_back("prime256v1-ecdsa"); 3675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Add the root that signed the intermediates for this test. 3695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> root_cert = 3705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); 3711320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); 372868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) ScopedTestRoot scoped_root(root_cert.get()); 3735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Now test each chain. 3755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) for (Strings::const_iterator ee_type = key_types.begin(); 3765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ee_type != key_types.end(); ++ee_type) { 3775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) for (Strings::const_iterator signer_type = key_types.begin(); 3785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) signer_type != key_types.end(); ++signer_type) { 3795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) std::string basename = *ee_type + "-ee-by-" + *signer_type + 3805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "-intermediate.pem"; 3815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) SCOPED_TRACE(basename); 3825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> ee_cert = 3835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, basename); 3841320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert.get()); 3855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) basename = *signer_type + "-intermediate.pem"; 3875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> intermediate = 3885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, basename); 3891320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate.get()); 3905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 3925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(intermediate->os_cert_handle()); 3935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> cert_chain = 3945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), 3955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 3965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 398868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(cert_chain.get(), 399868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "127.0.0.1", 400868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) 0, 401868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 402868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 403868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 4045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { 4065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_NE(OK, error); 4075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_WEAK_KEY, 4085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.cert_status & CERT_STATUS_WEAK_KEY); 4095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_NE(CERT_STATUS_INVALID, 4105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.cert_status & CERT_STATUS_INVALID); 4115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } else { 4125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 4135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); 4145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 4155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 4165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 4175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 4185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 419eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch// Regression test for http://crbug.com/108514. 420eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch#if defined(OS_MACOSX) && !defined(OS_IOS) 421eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch// Disabled on OS X - Security.framework doesn't ignore superflous certificates 422eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch// provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further 423eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch// details. 424eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch#define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert 425eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch#else 426eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch#define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert 427eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch#endif 428eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen MurdochTEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) { 4295d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsReturningVerifiedChain()) { 4305d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 4315d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 4325d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 4335d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 4342a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 4355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> server_cert = 437eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ImportCertFromFile(certs_dir, "cross-signed-leaf.pem"); 438eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); 4395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 440eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch scoped_refptr<X509Certificate> extra_cert = 441eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem"); 442eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get()); 443eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch 444eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch scoped_refptr<X509Certificate> root_cert = 445eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ImportCertFromFile(certs_dir, "cross-signed-root-sha1.pem"); 446eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); 4475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 448eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ScopedTestRoot scoped_root(root_cert.get()); 4495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 451eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch intermediates.push_back(extra_cert->os_cert_handle()); 4525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> cert_chain = 4535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 4545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 4555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 4575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 458868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(cert_chain.get(), 459eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch "127.0.0.1", 460868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 461868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 462868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 463868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 464eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch EXPECT_EQ(OK, error); 465eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch 466eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch // The extra MD5 root should be discarded 467eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ASSERT_TRUE(verify_result.verified_cert.get()); 468eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ASSERT_EQ(1u, 469eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch verify_result.verified_cert->GetIntermediateCertificates().size()); 470eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch EXPECT_TRUE(X509Certificate::IsSameOSCert( 471eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch verify_result.verified_cert->GetIntermediateCertificates().front(), 472eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch root_cert->os_cert_handle())); 4735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_FALSE(verify_result.has_md5); 4755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 4765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Test for bug 94673. 4785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) { 4792a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 4805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> server_cert = 4825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, "google_diginotar.pem"); 4831320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); 4845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> intermediate_cert = 4865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); 4871320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get()); 4885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 4905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(intermediate_cert->os_cert_handle()); 4915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> cert_chain = 4925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 4935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 4945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 4965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED; 497868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(cert_chain.get(), 498868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "mail.google.com", 499868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 500868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 501868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 502868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 5035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_NE(OK, error); 5045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Now turn off revocation checking. Certificate verification should still 5065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // fail. 5075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) flags = 0; 508868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) error = Verify(cert_chain.get(), 509868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "mail.google.com", 510868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 511868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 512868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 513868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 5145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_NE(OK, error); 5155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 5165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, DigiNotarCerts) { 5185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) static const char* const kDigiNotarFilenames[] = { 5195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "diginotar_root_ca.pem", 5205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "diginotar_cyber_ca.pem", 5215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "diginotar_services_1024_ca.pem", 5225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "diginotar_pkioverheid.pem", 5235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "diginotar_pkioverheid_g2.pem", 5245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NULL, 5255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) }; 5265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5272a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 5285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) for (size_t i = 0; kDigiNotarFilenames[i]; i++) { 5305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> diginotar_cert = 5315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]); 5325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) std::string der_bytes; 5335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(X509Certificate::GetDEREncoded( 5345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) diginotar_cert->os_cert_handle(), &der_bytes)); 5355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) base::StringPiece spki; 5375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki)); 5385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) std::string spki_sha1 = base::SHA1HashString(spki.as_string()); 5405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HashValueVector public_keys; 5425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HashValue hash(HASH_VALUE_SHA1); 5435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(hash.size(), spki_sha1.size()); 5445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) memcpy(hash.data(), spki_sha1.data(), spki_sha1.size()); 5455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) public_keys.push_back(hash); 5465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) << 5485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) "Public key not blocked for " << kDigiNotarFilenames[i]; 5495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 5505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 5515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5525d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)TEST_F(CertVerifyProcTest, NameConstraintsOk) { 5535d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertificateList ca_cert_list = 5545d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CreateCertificateListFromFile(GetTestCertsDirectory(), 5555d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) "root_ca_cert.pem", 5565d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 5575d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) ASSERT_EQ(1U, ca_cert_list.size()); 5581320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ScopedTestRoot test_root(ca_cert_list[0].get()); 5595d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 5605d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 56134680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) GetTestCertsDirectory(), "name_constraint_good.pem", 5625d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 5635d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 5645d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 5655d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 5665d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) scoped_refptr<X509Certificate> leaf = 5675d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), 5685d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) intermediates); 5695d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 5705d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) int flags = 0; 5715d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertVerifyResult verify_result; 5725d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) int error = Verify(leaf.get(), 5735d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) "test.example.com", 5745d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) flags, 5755d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) NULL, 5765d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) empty_cert_list_, 5775d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) &verify_result); 5785d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(OK, error); 5795d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(0U, verify_result.cert_status); 5805d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)} 5815d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 5825d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)TEST_F(CertVerifyProcTest, NameConstraintsFailure) { 5835d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsReturningVerifiedChain()) { 5845d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 5855d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 5865d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 5875d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 5885d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertificateList ca_cert_list = 5895d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CreateCertificateListFromFile(GetTestCertsDirectory(), 5905d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) "root_ca_cert.pem", 5915d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 5925d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) ASSERT_EQ(1U, ca_cert_list.size()); 5931320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ScopedTestRoot test_root(ca_cert_list[0].get()); 5945d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 5955d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 59634680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) GetTestCertsDirectory(), "name_constraint_bad.pem", 5975d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 5985d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 5995d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 6005d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 6015d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) scoped_refptr<X509Certificate> leaf = 6025d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), 6035d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) intermediates); 6045d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 6055d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) int flags = 0; 6065d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertVerifyResult verify_result; 6075d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) int error = Verify(leaf.get(), 6085d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) "test.example.com", 6095d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) flags, 6105d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) NULL, 6115d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) empty_cert_list_, 6125d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) &verify_result); 6135d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); 6145d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, 6155d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); 6165d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)} 6175d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 6189ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben MurdochTEST_F(CertVerifyProcTest, TestKnownRoot) { 6195d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsDetectingKnownRoots()) { 6205d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 6215d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 6225d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 6235d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 6242a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 6255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 6269ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); 6279ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch ASSERT_EQ(2U, certs.size()); 6285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 6305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 6315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> cert_chain = 6335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 6345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 6355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 6375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 6389ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug 6395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // against agl. See also PublicKeyHashes. 640868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(cert_chain.get(), 6419ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch "satveda.com", 642868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 643868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 644868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 645868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 6465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 64734680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); 6485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(verify_result.is_issued_by_known_root); 6495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 6505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6517dbb3d5cf0c15f500944d211057644d6a2f37371Ben Murdoch// The certse.pem certificate has been revoked. crbug.com/259723. 6529ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben MurdochTEST_F(CertVerifyProcTest, PublicKeyHashes) { 6535d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsReturningVerifiedChain()) { 6545d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 6555d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 6565d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 6575d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 6582a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 6595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 6609ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); 6619ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch ASSERT_EQ(2U, certs.size()); 6625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 6645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 6655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> cert_chain = 6675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 6685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 6695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 6705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 6715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6729ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug 6735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // against agl. See also TestKnownRoot. 674868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(cert_chain.get(), 6759ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch "satveda.com", 676868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 677868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 678868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 679868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 6805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 68134680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); 6829ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch ASSERT_LE(2U, verify_result.public_key_hashes.size()); 6835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HashValueVector sha1_hashes; 685c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { 6865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) 6875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) continue; 6885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) sha1_hashes.push_back(verify_result.public_key_hashes[i]); 6895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 6909ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch ASSERT_LE(2u, sha1_hashes.size()); 6915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6929ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch for (size_t i = 0; i < 2; ++i) { 6939ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length), 6945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); 6955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 696c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) 697c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) HashValueVector sha256_hashes; 698c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { 699c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) 700c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) continue; 701c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) sha256_hashes.push_back(verify_result.public_key_hashes[i]); 702c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) } 7039ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch ASSERT_LE(2u, sha256_hashes.size()); 704c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) 7059ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch for (size_t i = 0; i < 2; ++i) { 7069ab5563a3196760eb381d102cbb2bc0f7abc6a50Ben Murdoch EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length), 707c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); 708c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) } 7095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 7105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// A regression test for http://crbug.com/70293. 7125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// The Key Usage extension in this RSA SSL server certificate does not have 7135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// the keyEncipherment bit. 7145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, InvalidKeyUsage) { 7152a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 7165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> server_cert = 7185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); 7191320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); 7205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 7225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 723868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(server_cert.get(), 724868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "jira.aquameta.com", 725868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 726868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 727868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 728868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 729effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) 7305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // This certificate has two errors: "invalid key usage" and "untrusted CA". 7315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // However, OpenSSL returns only one (the latter), and we can't detect 7325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // the other errors. 7335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 7345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else 7355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_INVALID, error); 7365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); 7375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 7385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors 7395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // from NSS. 740c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#if !defined(USE_NSS) && !defined(OS_IOS) && !defined(OS_ANDROID) 7415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // The certificate is issued by an unknown CA. 7425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); 7435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 7445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 7455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Basic test for returning the chain in CertVerifyResult. Note that the 7475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// returned chain may just be a reflection of the originally supplied chain; 7485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// that is, if any errors occur, the default chain returned is an exact copy 7495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// of the certificate to be verified. The remaining VerifyReturn* tests are 7505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// used to ensure that the actual, verified chain is being returned by 7515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Verify(). 7525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) { 7535d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsReturningVerifiedChain()) { 7545d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 7555d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 7565d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 7575d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 7582a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 7595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 7605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs_dir, "x509_verify_results.chain.pem", 7615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 7625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(3U, certs.size()); 7635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 7655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 7665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[2]->os_cert_handle()); 7675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 768868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) ScopedTestRoot scoped_root(certs[2].get()); 7695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> google_full_chain = 7715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 7725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 7731320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get()); 7745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); 7755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 7771320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci EXPECT_EQ(static_cast<X509Certificate*>(NULL), 7781320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci verify_result.verified_cert.get()); 779868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(google_full_chain.get(), 780868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "127.0.0.1", 781868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) 0, 782868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 783868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 784868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 7855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 7861320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), 7871320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci verify_result.verified_cert.get()); 7885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_NE(google_full_chain, verify_result.verified_cert); 7905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert( 7915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) google_full_chain->os_cert_handle(), 7925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.verified_cert->os_cert_handle())); 7935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const X509Certificate::OSCertHandles& return_intermediates = 7945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.verified_cert->GetIntermediateCertificates(); 7955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, return_intermediates.size()); 7965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], 7975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs[1]->os_cert_handle())); 7985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], 7995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs[2]->os_cert_handle())); 8005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 8015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 80290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)// Test that certificates issued for 'intranet' names (that is, containing no 80390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)// known public registry controlled domain information) issued by well-known 80490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)// CAs are flagged appropriately, while certificates that are issued by 80590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)// internal CAs are not flagged. 8065d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)TEST_F(CertVerifyProcTest, IntranetHostsRejected) { 8075d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsDetectingKnownRoots()) { 8085d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 8095d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 8105d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 8115d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 81290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 81390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) GetTestCertsDirectory(), "ok_cert.pem", 81490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) X509Certificate::FORMAT_AUTO); 81590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 81690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) scoped_refptr<X509Certificate> cert(cert_list[0]); 81790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 81890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) CertVerifyResult verify_result; 81990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) int error = 0; 82090dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 82190dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) // Intranet names for public CAs should be flagged: 82290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) verify_proc_ = new WellKnownCaCertVerifyProc(true); 823868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) error = 824868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); 82590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) EXPECT_EQ(OK, error); 82690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); 82790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 82890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) // However, if the CA is not well known, these should not be flagged: 82990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) verify_proc_ = new WellKnownCaCertVerifyProc(false); 830868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) error = 831868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); 83290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) EXPECT_EQ(OK, error); 83390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); 83490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)} 83590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 8365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Test that the certificate returned in CertVerifyResult is able to reorder 8375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// certificates that are not ordered from end-entity to root. While this is 8385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// a protocol violation if sent during a TLS handshake, if multiple sources 8395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// of intermediate certificates are combined, it's possible that order may 8405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// not be maintained. 8415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { 8425d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsReturningVerifiedChain()) { 8435d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 8445d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 8455d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 8465d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 8472a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 8485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 8495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs_dir, "x509_verify_results.chain.pem", 8505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 8515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(3U, certs.size()); 8525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 8535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Construct the chain out of order. 8545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 8555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[2]->os_cert_handle()); 8565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 8575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 858868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) ScopedTestRoot scoped_root(certs[2].get()); 8595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 8605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> google_full_chain = 8615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 8625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 8631320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get()); 8645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); 8655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 8665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 8671320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci EXPECT_EQ(static_cast<X509Certificate*>(NULL), 8681320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci verify_result.verified_cert.get()); 869868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(google_full_chain.get(), 870868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "127.0.0.1", 871868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) 0, 872868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 873868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 874868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 8755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 8761320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), 8771320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci verify_result.verified_cert.get()); 8785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 8795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_NE(google_full_chain, verify_result.verified_cert); 8805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert( 8815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) google_full_chain->os_cert_handle(), 8825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.verified_cert->os_cert_handle())); 8835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const X509Certificate::OSCertHandles& return_intermediates = 8845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.verified_cert->GetIntermediateCertificates(); 8855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, return_intermediates.size()); 8865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], 8875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs[1]->os_cert_handle())); 8885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], 8895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs[2]->os_cert_handle())); 8905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 8915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 8925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Test that Verify() filters out certificates which are not related to 8935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// or part of the certificate chain being verified. 8945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { 8955d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (!SupportsReturningVerifiedChain()) { 8965d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 8975d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return; 8985d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 8995d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 9002a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 9015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 9025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs_dir, "x509_verify_results.chain.pem", 9035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 9045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(3U, certs.size()); 905868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) ScopedTestRoot scoped_root(certs[2].get()); 9065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 907558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch scoped_refptr<X509Certificate> unrelated_certificate = 908558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch ImportCertFromFile(certs_dir, "duplicate_cn_1.pem"); 909558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch scoped_refptr<X509Certificate> unrelated_certificate2 = 910558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch ImportCertFromFile(certs_dir, "aia-cert.pem"); 9111320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate.get()); 9121320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2.get()); 9135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 9145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Interject unrelated certificates into the list of intermediates. 9155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 916558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch intermediates.push_back(unrelated_certificate->os_cert_handle()); 9175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 918558790d6acca3451cf3a6b497803a5f07d0bec58Ben Murdoch intermediates.push_back(unrelated_certificate2->os_cert_handle()); 9195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(certs[2]->os_cert_handle()); 9205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 9215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> google_full_chain = 9225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 9235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 9241320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get()); 9255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); 9265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 9275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 9281320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci EXPECT_EQ(static_cast<X509Certificate*>(NULL), 9291320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci verify_result.verified_cert.get()); 930868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify(google_full_chain.get(), 931868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "127.0.0.1", 932868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) 0, 933868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 934868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 935868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 9365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 9371320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), 9381320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci verify_result.verified_cert.get()); 9395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 9405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_NE(google_full_chain, verify_result.verified_cert); 9415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert( 9425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) google_full_chain->os_cert_handle(), 9435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.verified_cert->os_cert_handle())); 9445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const X509Certificate::OSCertHandles& return_intermediates = 9455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.verified_cert->GetIntermediateCertificates(); 9465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, return_intermediates.size()); 9475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], 9485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs[1]->os_cert_handle())); 9495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], 9505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs[2]->os_cert_handle())); 9515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 9525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 9532a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) { 9542a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) if (!SupportsAdditionalTrustAnchors()) { 9552a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) LOG(INFO) << "Skipping this test in this platform."; 9562a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) return; 9572a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) } 9582a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 9592a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // |ca_cert| is the issuer of |cert|. 9602a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CertificateList ca_cert_list = CreateCertificateListFromFile( 961eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch GetTestCertsDirectory(), "root_ca_cert.pem", 9622a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) X509Certificate::FORMAT_AUTO); 9632a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) ASSERT_EQ(1U, ca_cert_list.size()); 9642a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]); 9652a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 9662a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 9672a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) GetTestCertsDirectory(), "ok_cert.pem", 9682a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) X509Certificate::FORMAT_AUTO); 9692a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 9702a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) scoped_refptr<X509Certificate> cert(cert_list[0]); 9712a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 9722a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // Verification of |cert| fails when |ca_cert| is not in the trust anchors 9732a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // list. 9742a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) int flags = 0; 9752a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CertVerifyResult verify_result; 976868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = Verify( 977868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); 9782a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 9792a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); 9802a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); 9812a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 9822a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // Now add the |ca_cert| to the |trust_anchors|, and verification should pass. 9832a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CertificateList trust_anchors; 9842a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) trust_anchors.push_back(ca_cert); 985868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) error = Verify( 986868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result); 9872a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_EQ(OK, error); 9882a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_EQ(0U, verify_result.cert_status); 9892a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor); 9902a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 9912a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // Clearing the |trust_anchors| makes verification fail again (the cache 9922a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // should be skipped). 993868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) error = Verify( 994868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); 9952a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 9962a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); 9972a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); 9982a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)} 9992a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 10005d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// Tests that certificates issued by user-supplied roots are not flagged as 10015d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// issued by a known root. This should pass whether or not the platform supports 10025d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// detecting known roots. 10035d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) { 10045d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // Load root_ca_cert.pem into the test root store. 10055d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) TestRootCerts* root_certs = TestRootCerts::GetInstance(); 10065d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) root_certs->AddFromFile( 10075d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) GetTestCertsDirectory().AppendASCII("root_ca_cert.pem")); 10085d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 10095d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 10105d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) GetTestCertsDirectory(), "ok_cert.pem", 10115d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 10125d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 10135d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) scoped_refptr<X509Certificate> cert(cert_list[0]); 10145d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 10155d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // Verification should pass. 10165d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) int flags = 0; 10175d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) CertVerifyResult verify_result; 10185d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) int error = Verify( 10195d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); 10205d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(OK, error); 10215d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(0U, verify_result.cert_status); 10225d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // But should not be marked as a known root. 10235d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_FALSE(verify_result.is_issued_by_known_root); 1024effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch 1025effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch root_certs->Clear(); 1026effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch EXPECT_TRUE(root_certs->IsEmpty()); 10275d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)} 10285d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 10297d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#if defined(OS_MACOSX) && !defined(OS_IOS) 10307d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)// Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust 10317d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)// Root can be successfully worked around once Apple completes removing the 10327d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)// older GTE CyberTrust Root from its trusted root store. 10337d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)// 10347d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)// The issue is caused by servers supplying the cross-certified intermediate 10357d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)// (necessary for certain mobile platforms), which OS X does not recognize 10367d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)// as already existing within its trust store. 10377d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)TEST_F(CertVerifyProcTest, CybertrustGTERoot) { 10387d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 10397d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) GetTestCertsDirectory(), 10407d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) "cybertrust_omniroot_chain.pem", 10417d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::FORMAT_PEM_CERT_SEQUENCE); 10427d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ASSERT_EQ(2U, certs.size()); 10437d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10447d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 10457d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediates.push_back(certs[1]->os_cert_handle()); 10467d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10477d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> cybertrust_basic = 10487d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 10497d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediates); 10507d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ASSERT_TRUE(cybertrust_basic.get()); 10517d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10527d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> baltimore_root = 10537d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ImportCertFromFile(GetTestCertsDirectory(), 10547d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) "cybertrust_baltimore_root.pem"); 10557d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ASSERT_TRUE(baltimore_root.get()); 10567d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 1057eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch ScopedTestRoot scoped_root(baltimore_root.get()); 10587d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10597d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This 10607d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // simulates Keychain removing support for the GTE CyberTrust Root. 10617d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) TestRootCerts::GetInstance()->SetAllowSystemTrust(false); 10627d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) base::ScopedClosureRunner reset_system_trust( 10637d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) base::Bind(&TestRootCerts::SetAllowSystemTrust, 10647d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) base::Unretained(TestRootCerts::GetInstance()), 10657d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) true)); 10667d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10677d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // First, make sure a simple certificate chain from 10687d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // EE -> Public SureServer SV -> Baltimore CyberTrust 10697d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // works. Only the first two certificates are included in the chain. 10707d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) int flags = 0; 10717d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) CertVerifyResult verify_result; 1072eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch int error = Verify(cybertrust_basic.get(), 1073eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch "cacert.omniroot.com", 1074eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch flags, 1075eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch NULL, 1076eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch empty_cert_list_, 1077eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch &verify_result); 10787d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) EXPECT_EQ(OK, error); 107934680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); 10807d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10817d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // Attempt to verify with the first known cross-certified intermediate 10827d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // provided. 10837d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> baltimore_intermediate_1 = 10847d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ImportCertFromFile(GetTestCertsDirectory(), 10857d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) "cybertrust_baltimore_cross_certified_1.pem"); 10867d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ASSERT_TRUE(baltimore_intermediate_1.get()); 10877d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10887d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::OSCertHandles intermediate_chain_1 = 10897d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) cybertrust_basic->GetIntermediateCertificates(); 10907d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle()); 10917d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 10927d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> baltimore_chain_1 = 10937d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), 10947d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediate_chain_1); 1095eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch error = Verify(baltimore_chain_1.get(), 1096eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch "cacert.omniroot.com", 1097eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch flags, 1098eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch NULL, 1099eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch empty_cert_list_, 1100eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch &verify_result); 11017d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) EXPECT_EQ(OK, error); 110234680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); 11037d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 11047d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // Attempt to verify with the second known cross-certified intermediate 11057d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // provided. 11067d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> baltimore_intermediate_2 = 11077d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ImportCertFromFile(GetTestCertsDirectory(), 11087d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) "cybertrust_baltimore_cross_certified_2.pem"); 11097d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ASSERT_TRUE(baltimore_intermediate_2.get()); 11107d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 11117d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::OSCertHandles intermediate_chain_2 = 11127d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) cybertrust_basic->GetIntermediateCertificates(); 11137d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle()); 11147d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 11157d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> baltimore_chain_2 = 11167d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), 11177d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediate_chain_2); 1118eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch error = Verify(baltimore_chain_2.get(), 1119eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch "cacert.omniroot.com", 1120eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch flags, 1121eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch NULL, 1122eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch empty_cert_list_, 1123eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch &verify_result); 11247d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) EXPECT_EQ(OK, error); 112534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); 11267d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 11277d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // Attempt to verify when both a cross-certified intermediate AND 11287d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) // the legacy GTE root are provided. 11297d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> cybertrust_root = 11307d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ImportCertFromFile(GetTestCertsDirectory(), 11317d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) "cybertrust_gte_root.pem"); 11327d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) ASSERT_TRUE(cybertrust_root.get()); 11337d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 11347d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediate_chain_2.push_back(cybertrust_root->os_cert_handle()); 11357d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) scoped_refptr<X509Certificate> baltimore_chain_with_root = 11367d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), 11377d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) intermediate_chain_2); 1138eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch error = Verify(baltimore_chain_with_root.get(), 1139eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch "cacert.omniroot.com", 1140eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch flags, 1141eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch NULL, 1142eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch empty_cert_list_, 1143eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch &verify_result); 11447d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) EXPECT_EQ(OK, error); 114534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); 11467d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 1147effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch TestRootCerts::GetInstance()->Clear(); 1148effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty()); 11497d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)} 11507d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#endif 11517d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 11525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) 11535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Test that CRLSets are effective in making a certificate appear to be 11545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// revoked. 1155f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)TEST_F(CertVerifyProcTest, CRLSet) { 1156f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CertificateList ca_cert_list = 1157f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CreateCertificateListFromFile(GetTestCertsDirectory(), 1158f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) "root_ca_cert.pem", 1159f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) X509Certificate::FORMAT_AUTO); 1160f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) ASSERT_EQ(1U, ca_cert_list.size()); 11611320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ScopedTestRoot test_root(ca_cert_list[0].get()); 11625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1163f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 1164f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); 1165f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 1166f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) scoped_refptr<X509Certificate> cert(cert_list[0]); 11675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1168f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) int flags = 0; 11695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 1170f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) int error = Verify( 1171f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); 11725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 1173f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) EXPECT_EQ(0U, verify_result.cert_status); 11745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 11755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<CRLSet> crl_set; 117634680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) std::string crl_set_bytes; 117734680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) 117834680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) // First test blocking by SPKI. 117934680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_TRUE(base::ReadFileToString( 118034680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw"), 118134680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) &crl_set_bytes)); 1182116680a4aac90f2aa7413d9095a592090648e557Ben Murdoch ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); 11835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1184f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) error = Verify(cert.get(), 1185f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) "127.0.0.1", 1186f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) flags, 1187868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) crl_set.get(), 1188868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 1189868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 11905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_REVOKED, error); 11915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 11925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Second, test revocation by serial number of a cert directly under the 11935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // root. 119434680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) crl_set_bytes.clear(); 119534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_TRUE(base::ReadFileToString( 119634680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) GetTestCertsDirectory().AppendASCII("crlset_by_root_serial.raw"), 119734680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) &crl_set_bytes)); 1198116680a4aac90f2aa7413d9095a592090648e557Ben Murdoch ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); 11995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1200f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) error = Verify(cert.get(), 1201f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) "127.0.0.1", 1202f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) flags, 1203868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) crl_set.get(), 1204868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 1205868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 12065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_REVOKED, error); 1207f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)} 12085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1209f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles)TEST_F(CertVerifyProcTest, CRLSetLeafSerial) { 1210f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CertificateList ca_cert_list = 1211f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CreateCertificateListFromFile(GetTestCertsDirectory(), 1212f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) "quic_root.crt", 1213f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) X509Certificate::FORMAT_AUTO); 1214f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) ASSERT_EQ(1U, ca_cert_list.size()); 12151320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ScopedTestRoot test_root(ca_cert_list[0].get()); 1216f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) 1217f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CertificateList intermediate_cert_list = 1218f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CreateCertificateListFromFile(GetTestCertsDirectory(), 1219f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) "quic_intermediate.crt", 1220f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) X509Certificate::FORMAT_AUTO); 1221f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) ASSERT_EQ(1U, intermediate_cert_list.size()); 1222f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) X509Certificate::OSCertHandles intermediates; 1223f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) intermediates.push_back(intermediate_cert_list[0]->os_cert_handle()); 1224f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) 1225f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 1226f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) GetTestCertsDirectory(), "quic_test.example.com.crt", 1227f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) X509Certificate::FORMAT_AUTO); 1228f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 1229f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) 1230f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) scoped_refptr<X509Certificate> leaf = 1231f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), 1232f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) intermediates); 1233f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) 1234f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) int flags = 0; 1235f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) CertVerifyResult verify_result; 1236f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) int error = Verify(leaf.get(), 1237f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) "test.example.com", 1238f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) flags, 1239f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) NULL, 1240f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) empty_cert_list_, 1241f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) &verify_result); 1242f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) EXPECT_EQ(OK, error); 124334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status); 1244f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) 1245f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) // Test revocation by serial number of a certificate not under the root. 1246f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) scoped_refptr<CRLSet> crl_set; 124734680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) std::string crl_set_bytes; 124834680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) ASSERT_TRUE(base::ReadFileToString( 124934680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"), 125034680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) &crl_set_bytes)); 1251116680a4aac90f2aa7413d9095a592090648e557Ben Murdoch ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set)); 12525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1253f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) error = Verify(leaf.get(), 1254f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) "test.example.com", 1255f2477e01787aa58f445919b809d89e252beef54fTorne (Richard Coles) flags, 1256868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) crl_set.get(), 1257868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 1258868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 12595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_REVOKED, error); 12605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 12615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 12625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 126334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles)enum ExpectedAlgorithms { 126434680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD2 = 1 << 0, 126534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD4 = 1 << 1, 126634680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD5 = 1 << 2, 126734680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_SHA1 = 1 << 3 126834680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles)}; 126934680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) 12705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)struct WeakDigestTestData { 12715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const char* root_cert_filename; 12725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const char* intermediate_cert_filename; 12735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const char* ee_cert_filename; 127434680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) int expected_algorithms; 12755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 12765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 12775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how 12785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// to output the parameter that was passed. Without this, it will simply 12795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// attempt to print out the first twenty bytes of the object, which depending 12805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// on platform and alignment, may result in an invalid read. 12815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)void PrintTo(const WeakDigestTestData& data, std::ostream* os) { 12825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) *os << "root: " 12835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) << (data.root_cert_filename ? data.root_cert_filename : "none") 12845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) << "; intermediate: " << data.intermediate_cert_filename 12855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) << "; end-entity: " << data.ee_cert_filename; 12865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 12875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 12885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)class CertVerifyProcWeakDigestTest 12895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) : public CertVerifyProcTest, 12905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) public testing::WithParamInterface<WeakDigestTestData> { 12915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) public: 12925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyProcWeakDigestTest() {} 12935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) virtual ~CertVerifyProcWeakDigestTest() {} 12945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 12955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 12965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_P(CertVerifyProcWeakDigestTest, Verify) { 12975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) WeakDigestTestData data = GetParam(); 12982a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) base::FilePath certs_dir = GetTestCertsDirectory(); 12995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ScopedTestRoot test_root; 13015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (data.root_cert_filename) { 13025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> root_cert = 13035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, data.root_cert_filename); 13041320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); 1305868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) test_root.Reset(root_cert.get()); 13065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 13075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> intermediate_cert = 13095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, data.intermediate_cert_filename); 13101320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get()); 13115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> ee_cert = 13125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ImportCertFromFile(certs_dir, data.ee_cert_filename); 13131320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert.get()); 13145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::OSCertHandles intermediates; 13165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates.push_back(intermediate_cert->os_cert_handle()); 13175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> ee_chain = 13195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), 13205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) intermediates); 13211320f92c476a1ad9d19dba2a48c72b75566198e9Primiano Tucci ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain.get()); 13225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 13245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 1325868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int rv = Verify(ee_chain.get(), 1326868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "127.0.0.1", 1327868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 1328868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 1329868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 1330868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 133134680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2); 133234680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4); 133334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5); 133434680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1); 133534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) 13362a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); 13375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Ensure that MD4 and MD2 are tagged as invalid. 133934680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) { 13405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_INVALID, 13415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.cert_status & CERT_STATUS_INVALID); 13425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 13435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Ensure that MD5 is flagged as weak. 134534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) if (data.expected_algorithms & EXPECT_MD5) { 13465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ( 13475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, 13485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); 13495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 13505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // If a root cert is present, then check that the chain was rejected if any 13525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // weak algorithms are present. This is only checked when a root cert is 13535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // present because the error reported for incomplete chains with weak 13545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // algorithms depends on which implementation was used to validate (NSS, 13555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm 13565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // present (MD2, MD4, MD5). 13575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (data.root_cert_filename) { 135834680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) { 13595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_INVALID, rv); 136034680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) } else if (data.expected_algorithms & EXPECT_MD5) { 13615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv); 13625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } else { 13635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, rv); 13645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 13655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 13665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 13675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Unlike TEST/TEST_F, which are macros that expand to further macros, 13695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that 13705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// stringizes the arguments. As a result, macros passed as parameters (such as 13715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// prefix or test_case_name) will not be expanded by the preprocessor. To work 13725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the 13735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// pre-processor will expand macros such as MAYBE_test_name before 13745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// instantiating the test. 13755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ 13765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) 13775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// The signature algorithm of the root CA should not matter. 13795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)const WeakDigestTestData kVerifyRootCATestData[] = { 13805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem", 138134680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_sha1_ee.pem", EXPECT_SHA1 }, 1382effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) 13835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // MD4 is not supported by OS X / NSS 13845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem", 138534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_sha1_ee.pem", EXPECT_SHA1 }, 13865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 13875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem", 138834680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_sha1_ee.pem", EXPECT_SHA1 }, 13895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 13905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest, 13915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) testing::ValuesIn(kVerifyRootCATestData)); 13925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 13935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// The signature algorithm of intermediates should be properly detected. 13945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)const WeakDigestTestData kVerifyIntermediateCATestData[] = { 13955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", 139634680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_sha1_ee.pem", EXPECT_MD5 | EXPECT_SHA1 }, 1397effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) 13985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // MD4 is not supported by OS X / NSS 13995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", 140034680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_sha1_ee.pem", EXPECT_MD4 | EXPECT_SHA1 }, 14015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 14025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", 140334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_sha1_ee.pem", EXPECT_MD2 | EXPECT_SHA1 }, 14045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 14052a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)// Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled. 14062a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#if defined(USE_NSS) || defined(OS_IOS) 14072a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate 14082a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#else 14092a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#define MAYBE_VerifyIntermediate VerifyIntermediate 14102a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#endif 14112a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)WRAPPED_INSTANTIATE_TEST_CASE_P( 14122a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) MAYBE_VerifyIntermediate, 14132a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CertVerifyProcWeakDigestTest, 14142a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) testing::ValuesIn(kVerifyIntermediateCATestData)); 14155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 14165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// The signature algorithm of end-entity should be properly detected. 14175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)const WeakDigestTestData kVerifyEndEntityTestData[] = { 14185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", 141934680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1 }, 1420effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) 14215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // MD4 is not supported by OS X / NSS 14225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", 142334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1 }, 14245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 14255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", 142634680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1 }, 14275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 14285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Disabled on NSS - NSS caches chains/signatures in such a way that cannot 14295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// be cleared until NSS is cleanly shutdown, which is not presently supported 14305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// in Chromium. 14315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS) || defined(OS_IOS) 14325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity 14335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else 14345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyEndEntity VerifyEndEntity 14355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 14365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity, 14375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyProcWeakDigestTest, 14385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) testing::ValuesIn(kVerifyEndEntityTestData)); 14395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 14405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Incomplete chains should still report the status of the intermediate. 14415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = { 14425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem", 144334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD5 | EXPECT_SHA1 }, 1444effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) 14455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // MD4 is not supported by OS X / NSS 14465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem", 144734680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD4 | EXPECT_SHA1 }, 14485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 14495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem", 145034680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD2 | EXPECT_SHA1 }, 14515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 14525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Disabled on NSS - libpkix does not return constructed chains on error, 14535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// preventing us from detecting/inspecting the verified chain. 14545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS) || defined(OS_IOS) 14555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyIncompleteIntermediate \ 14565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) DISABLED_VerifyIncompleteIntermediate 14575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else 14585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate 14595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 14605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)WRAPPED_INSTANTIATE_TEST_CASE_P( 14615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) MAYBE_VerifyIncompleteIntermediate, 14625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyProcWeakDigestTest, 14635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) testing::ValuesIn(kVerifyIncompleteIntermediateTestData)); 14645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 14655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Incomplete chains should still report the status of the end-entity. 14665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)const WeakDigestTestData kVerifyIncompleteEETestData[] = { 14675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem", 146834680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD5 | EXPECT_SHA1 }, 1469effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) 14705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // MD4 is not supported by OS X / NSS 14715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem", 147234680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD4 | EXPECT_SHA1 }, 14735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 14745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem", 147534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) EXPECT_MD2 | EXPECT_SHA1 }, 14765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 14775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Disabled on NSS - libpkix does not return constructed chains on error, 14785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// preventing us from detecting/inspecting the verified chain. 14795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS) || defined(OS_IOS) 14805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity 14815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else 14825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity 14835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 14845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)WRAPPED_INSTANTIATE_TEST_CASE_P( 14855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) MAYBE_VerifyIncompleteEndEntity, 14865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyProcWeakDigestTest, 14875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) testing::ValuesIn(kVerifyIncompleteEETestData)); 14885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 14895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Differing algorithms between the intermediate and the EE should still be 14905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// reported. 14915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)const WeakDigestTestData kVerifyMixedTestData[] = { 14925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", 149334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5 }, 14945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", 149534680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5 }, 1496effb81e5f8246d0db0270817048dc992db66e9fbBen Murdoch#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN) 14975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // MD4 is not supported by OS X / NSS 14985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", 149934680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4 }, 15005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 15015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)}; 15025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// NSS does not support MD4 and does not enable MD2 by default, making all 15035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// permutations invalid. 15045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(USE_NSS) || defined(OS_IOS) 15055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyMixed DISABLED_VerifyMixed 15065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#else 15075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define MAYBE_VerifyMixed VerifyMixed 15085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 15095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)WRAPPED_INSTANTIATE_TEST_CASE_P( 15105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) MAYBE_VerifyMixed, 15115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyProcWeakDigestTest, 15125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) testing::ValuesIn(kVerifyMixedTestData)); 15135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 15143551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)// For the list of valid hostnames, see 15153551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)// net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem 15163551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)static const struct CertVerifyProcNameData { 15173551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) const char* hostname; 15183551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) bool valid; // Whether or not |hostname| matches a subjectAltName. 15193551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)} kVerifyNameData[] = { 15203551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "127.0.0.1", false }, // Don't match the common name 15213551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4) 15223551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6) 15233551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN 15243551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6) 15253551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN 15263551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "test.example", true }, // Matches the dNSName SAN 15273551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored) 15283551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "www.test.example", false }, // Should not match the dNSName SAN 15293551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "test..example", false }, // Should not match the dNSName SAN 15303551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { "test.example..", false }, // Should not match the dNSName SAN 15313551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { ".test.example.", false }, // Should not match the dNSName SAN 15323551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) { ".test.example", false }, // Should not match the dNSName SAN 15333551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)}; 15343551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15353551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how 15363551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)// to output the parameter that was passed. Without this, it will simply 15373551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)// attempt to print out the first twenty bytes of the object, which depending 15383551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)// on platform and alignment, may result in an invalid read. 15393551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) { 15403551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) *os << "Hostname: " << data.hostname << "; valid=" << data.valid; 15413551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)} 15423551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15433551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)class CertVerifyProcNameTest 15443551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) : public CertVerifyProcTest, 15453551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) public testing::WithParamInterface<CertVerifyProcNameData> { 15463551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) public: 15473551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) CertVerifyProcNameTest() {} 15483551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) virtual ~CertVerifyProcNameTest() {} 15493551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)}; 15503551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15513551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)TEST_P(CertVerifyProcNameTest, VerifyCertName) { 15523551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) CertVerifyProcNameData data = GetParam(); 15533551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15543551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) CertificateList cert_list = CreateCertificateListFromFile( 15553551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) GetTestCertsDirectory(), "subjectAltName_sanity_check.pem", 15563551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 15573551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 15583551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) scoped_refptr<X509Certificate> cert(cert_list[0]); 15593551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15603551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) ScopedTestRoot scoped_root(cert.get()); 15613551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15623551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) CertVerifyResult verify_result; 15633551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_, 15643551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) &verify_result); 15653551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) if (data.valid) { 15663551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) EXPECT_EQ(OK, error); 15673551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); 15683551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) } else { 15693551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); 15703551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); 15713551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) } 15723551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)} 15733551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15743551c9c881056c480085172ff9840cab31610854Torne (Richard Coles)WRAPPED_INSTANTIATE_TEST_CASE_P( 15753551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) VerifyName, 15763551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) CertVerifyProcNameTest, 15773551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) testing::ValuesIn(kVerifyNameData)); 15783551c9c881056c480085172ff9840cab31610854Torne (Richard Coles) 15795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace net 1580