1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/pickle.h" 6 #include "net/base/cert_status_flags.h" 7 #include "net/base/cert_verify_result.h" 8 #include "net/base/net_errors.h" 9 #include "net/base/test_certificate_data.h" 10 #include "net/base/x509_certificate.h" 11 #include "testing/gtest/include/gtest/gtest.h" 12 13 // Unit tests aren't allowed to access external resources. Unfortunately, to 14 // properly verify the EV-ness of a cert, we need to check for its revocation 15 // through online servers. If you're manually running unit tests, feel free to 16 // turn this on to test EV certs. But leave it turned off for the automated 17 // testing. 18 #define ALLOW_EXTERNAL_ACCESS 0 19 20 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN) 21 #define TEST_EV 1 // Test CERT_STATUS_IS_EV 22 #endif 23 24 using base::Time; 25 26 namespace { 27 28 // Certificates for test data. They're obtained with: 29 // 30 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null 31 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der 32 // 33 // For fingerprint 34 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der 35 36 // For valid_start, valid_expiry 37 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | 38 // grep -A 2 Validity 39 // $ date +%s -d '<date str>' 40 41 // Google's cert. 42 unsigned char google_fingerprint[] = { 43 0xab, 0xbe, 0x5e, 0xb4, 0x93, 0x88, 0x4e, 0xe4, 0x60, 0xc6, 0xef, 0xf8, 44 0xea, 0xd4, 0xb1, 0x55, 0x4b, 0xc9, 0x59, 0x3c 45 }; 46 47 // webkit.org's cert. 48 unsigned char webkit_fingerprint[] = { 49 0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8, 50 0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2 51 }; 52 53 // thawte.com's cert (it's EV-licious!). 54 unsigned char thawte_fingerprint[] = { 55 0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6, 56 0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37 57 }; 58 59 // A certificate for www.paypal.com with a NULL byte in the common name. 60 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 61 unsigned char paypal_null_fingerprint[] = { 62 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba, 63 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 64 }; 65 66 // A certificate for https://www.unosoft.hu/, whose AIA extension contains 67 // an LDAP URL without a host name. 68 unsigned char unosoft_hu_fingerprint[] = { 69 0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd, 70 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 71 }; 72 73 } // namespace 74 75 namespace net { 76 77 TEST(X509CertificateTest, GoogleCertParsing) { 78 scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes( 79 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 80 81 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert); 82 83 const X509Certificate::Principal& subject = google_cert->subject(); 84 EXPECT_EQ("www.google.com", subject.common_name); 85 EXPECT_EQ("Mountain View", subject.locality_name); 86 EXPECT_EQ("California", subject.state_or_province_name); 87 EXPECT_EQ("US", subject.country_name); 88 EXPECT_EQ(0U, subject.street_addresses.size()); 89 EXPECT_EQ(1U, subject.organization_names.size()); 90 EXPECT_EQ("Google Inc", subject.organization_names[0]); 91 EXPECT_EQ(0U, subject.organization_unit_names.size()); 92 EXPECT_EQ(0U, subject.domain_components.size()); 93 94 const X509Certificate::Principal& issuer = google_cert->issuer(); 95 EXPECT_EQ("Thawte SGC CA", issuer.common_name); 96 EXPECT_EQ("", issuer.locality_name); 97 EXPECT_EQ("", issuer.state_or_province_name); 98 EXPECT_EQ("ZA", issuer.country_name); 99 EXPECT_EQ(0U, issuer.street_addresses.size()); 100 EXPECT_EQ(1U, issuer.organization_names.size()); 101 EXPECT_EQ("Thawte Consulting (Pty) Ltd.", issuer.organization_names[0]); 102 EXPECT_EQ(0U, issuer.organization_unit_names.size()); 103 EXPECT_EQ(0U, issuer.domain_components.size()); 104 105 // Use DoubleT because its epoch is the same on all platforms 106 const Time& valid_start = google_cert->valid_start(); 107 EXPECT_EQ(1238192407, valid_start.ToDoubleT()); // Mar 27 22:20:07 2009 GMT 108 109 const Time& valid_expiry = google_cert->valid_expiry(); 110 EXPECT_EQ(1269728407, valid_expiry.ToDoubleT()); // Mar 27 22:20:07 2010 GMT 111 112 const X509Certificate::Fingerprint& fingerprint = google_cert->fingerprint(); 113 for (size_t i = 0; i < 20; ++i) 114 EXPECT_EQ(google_fingerprint[i], fingerprint.data[i]); 115 116 std::vector<std::string> dns_names; 117 google_cert->GetDNSNames(&dns_names); 118 EXPECT_EQ(1U, dns_names.size()); 119 EXPECT_EQ("www.google.com", dns_names[0]); 120 121 #if TEST_EV 122 // TODO(avi): turn this on for the Mac once EV checking is implemented. 123 CertVerifyResult verify_result; 124 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | 125 X509Certificate::VERIFY_EV_CERT; 126 EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result)); 127 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); 128 #endif 129 } 130 131 TEST(X509CertificateTest, WebkitCertParsing) { 132 scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes( 133 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)); 134 135 ASSERT_NE(static_cast<X509Certificate*>(NULL), webkit_cert); 136 137 const X509Certificate::Principal& subject = webkit_cert->subject(); 138 EXPECT_EQ("Cupertino", subject.locality_name); 139 EXPECT_EQ("California", subject.state_or_province_name); 140 EXPECT_EQ("US", subject.country_name); 141 EXPECT_EQ(0U, subject.street_addresses.size()); 142 EXPECT_EQ(1U, subject.organization_names.size()); 143 EXPECT_EQ("Apple Inc.", subject.organization_names[0]); 144 EXPECT_EQ(1U, subject.organization_unit_names.size()); 145 EXPECT_EQ("Mac OS Forge", subject.organization_unit_names[0]); 146 EXPECT_EQ(0U, subject.domain_components.size()); 147 148 const X509Certificate::Principal& issuer = webkit_cert->issuer(); 149 EXPECT_EQ("Go Daddy Secure Certification Authority", issuer.common_name); 150 EXPECT_EQ("Scottsdale", issuer.locality_name); 151 EXPECT_EQ("Arizona", issuer.state_or_province_name); 152 EXPECT_EQ("US", issuer.country_name); 153 EXPECT_EQ(0U, issuer.street_addresses.size()); 154 EXPECT_EQ(1U, issuer.organization_names.size()); 155 EXPECT_EQ("GoDaddy.com, Inc.", issuer.organization_names[0]); 156 EXPECT_EQ(1U, issuer.organization_unit_names.size()); 157 EXPECT_EQ("http://certificates.godaddy.com/repository", 158 issuer.organization_unit_names[0]); 159 EXPECT_EQ(0U, issuer.domain_components.size()); 160 161 // Use DoubleT because its epoch is the same on all platforms 162 const Time& valid_start = webkit_cert->valid_start(); 163 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT 164 165 const Time& valid_expiry = webkit_cert->valid_expiry(); 166 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT 167 168 const X509Certificate::Fingerprint& fingerprint = webkit_cert->fingerprint(); 169 for (size_t i = 0; i < 20; ++i) 170 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); 171 172 std::vector<std::string> dns_names; 173 webkit_cert->GetDNSNames(&dns_names); 174 EXPECT_EQ(2U, dns_names.size()); 175 EXPECT_EQ("*.webkit.org", dns_names[0]); 176 EXPECT_EQ("webkit.org", dns_names[1]); 177 178 #if TEST_EV 179 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | 180 X509Certificate::VERIFY_EV_CERT; 181 CertVerifyResult verify_result; 182 EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, &verify_result)); 183 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); 184 #endif 185 } 186 187 TEST(X509CertificateTest, ThawteCertParsing) { 188 scoped_refptr<X509Certificate> thawte_cert = X509Certificate::CreateFromBytes( 189 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)); 190 191 ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert); 192 193 const X509Certificate::Principal& subject = thawte_cert->subject(); 194 EXPECT_EQ("www.thawte.com", subject.common_name); 195 EXPECT_EQ("Mountain View", subject.locality_name); 196 EXPECT_EQ("California", subject.state_or_province_name); 197 EXPECT_EQ("US", subject.country_name); 198 EXPECT_EQ(0U, subject.street_addresses.size()); 199 EXPECT_EQ(1U, subject.organization_names.size()); 200 EXPECT_EQ("Thawte Inc", subject.organization_names[0]); 201 EXPECT_EQ(0U, subject.organization_unit_names.size()); 202 EXPECT_EQ(0U, subject.domain_components.size()); 203 204 const X509Certificate::Principal& issuer = thawte_cert->issuer(); 205 EXPECT_EQ("thawte Extended Validation SSL CA", issuer.common_name); 206 EXPECT_EQ("", issuer.locality_name); 207 EXPECT_EQ("", issuer.state_or_province_name); 208 EXPECT_EQ("US", issuer.country_name); 209 EXPECT_EQ(0U, issuer.street_addresses.size()); 210 EXPECT_EQ(1U, issuer.organization_names.size()); 211 EXPECT_EQ("thawte, Inc.", issuer.organization_names[0]); 212 EXPECT_EQ(1U, issuer.organization_unit_names.size()); 213 EXPECT_EQ("Terms of use at https://www.thawte.com/cps (c)06", 214 issuer.organization_unit_names[0]); 215 EXPECT_EQ(0U, issuer.domain_components.size()); 216 217 // Use DoubleT because its epoch is the same on all platforms 218 const Time& valid_start = thawte_cert->valid_start(); 219 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT 220 221 const Time& valid_expiry = thawte_cert->valid_expiry(); 222 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT 223 224 const X509Certificate::Fingerprint& fingerprint = thawte_cert->fingerprint(); 225 for (size_t i = 0; i < 20; ++i) 226 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); 227 228 std::vector<std::string> dns_names; 229 thawte_cert->GetDNSNames(&dns_names); 230 EXPECT_EQ(1U, dns_names.size()); 231 EXPECT_EQ("www.thawte.com", dns_names[0]); 232 233 #if TEST_EV 234 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | 235 X509Certificate::VERIFY_EV_CERT; 236 CertVerifyResult verify_result; 237 // EV cert verification requires revocation checking. 238 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); 239 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV); 240 // Consequently, if we don't have revocation checking enabled, we can't claim 241 // any cert is EV. 242 flags = X509Certificate::VERIFY_EV_CERT; 243 EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result)); 244 EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV); 245 #endif 246 } 247 248 TEST(X509CertificateTest, PaypalNullCertParsing) { 249 scoped_refptr<X509Certificate> paypal_null_cert = 250 X509Certificate::CreateFromBytes( 251 reinterpret_cast<const char*>(paypal_null_der), 252 sizeof(paypal_null_der)); 253 254 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); 255 256 const X509Certificate::Fingerprint& fingerprint = 257 paypal_null_cert->fingerprint(); 258 for (size_t i = 0; i < 20; ++i) 259 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); 260 261 int flags = 0; 262 CertVerifyResult verify_result; 263 int error = paypal_null_cert->Verify("www.paypal.com", flags, 264 &verify_result); 265 EXPECT_NE(OK, error); 266 // Either the system crypto library should correctly report a certificate 267 // name mismatch, or our certificate blacklist should cause us to report an 268 // invalid certificate. 269 #if defined(OS_LINUX) || defined(OS_WIN) 270 EXPECT_NE(0, verify_result.cert_status & 271 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); 272 #endif 273 } 274 275 // This certificate will expire on 2011-09-08. 276 TEST(X509CertificateTest, UnoSoftCertParsing) { 277 scoped_refptr<X509Certificate> unosoft_hu_cert = 278 X509Certificate::CreateFromBytes( 279 reinterpret_cast<const char*>(unosoft_hu_der), 280 sizeof(unosoft_hu_der)); 281 282 ASSERT_NE(static_cast<X509Certificate*>(NULL), unosoft_hu_cert); 283 284 const X509Certificate::Fingerprint& fingerprint = 285 unosoft_hu_cert->fingerprint(); 286 for (size_t i = 0; i < 20; ++i) 287 EXPECT_EQ(unosoft_hu_fingerprint[i], fingerprint.data[i]); 288 289 int flags = 0; 290 CertVerifyResult verify_result; 291 int error = unosoft_hu_cert->Verify("www.unosoft.hu", flags, 292 &verify_result); 293 EXPECT_NE(OK, error); 294 EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); 295 } 296 297 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle. We 298 // call X509Certificate::CreateFromHandle several times and observe whether 299 // it returns a cached or new X509Certificate object. 300 // 301 // All the OS certificate handles in this test are actually from the same 302 // source (the bytes of a lone certificate), but we pretend that some of them 303 // come from the network. 304 TEST(X509CertificateTest, Cache) { 305 X509Certificate::OSCertHandle google_cert_handle; 306 307 // Add a certificate from the source SOURCE_LONE_CERT_IMPORT to our 308 // certificate cache. 309 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 310 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 311 scoped_refptr<X509Certificate> cert1 = X509Certificate::CreateFromHandle( 312 google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT); 313 314 // Add a certificate from the same source (SOURCE_LONE_CERT_IMPORT). This 315 // should return the cached certificate (cert1). 316 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 317 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 318 scoped_refptr<X509Certificate> cert2 = X509Certificate::CreateFromHandle( 319 google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT); 320 321 EXPECT_EQ(cert1, cert2); 322 323 // Add a certificate from the network. This should kick out the original 324 // cached certificate (cert1) and return a new certificate. 325 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 326 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 327 scoped_refptr<X509Certificate> cert3 = X509Certificate::CreateFromHandle( 328 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK); 329 330 EXPECT_NE(cert1, cert3); 331 332 // Add one certificate from each source. Both should return the new cached 333 // certificate (cert3). 334 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 335 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 336 scoped_refptr<X509Certificate> cert4 = X509Certificate::CreateFromHandle( 337 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK); 338 339 EXPECT_EQ(cert3, cert4); 340 341 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 342 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 343 scoped_refptr<X509Certificate> cert5 = X509Certificate::CreateFromHandle( 344 google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK); 345 346 EXPECT_EQ(cert3, cert5); 347 } 348 349 TEST(X509CertificateTest, Pickle) { 350 scoped_refptr<X509Certificate> cert1 = X509Certificate::CreateFromBytes( 351 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 352 353 Pickle pickle; 354 cert1->Persist(&pickle); 355 356 void* iter = NULL; 357 scoped_refptr<X509Certificate> cert2 = 358 X509Certificate::CreateFromPickle(pickle, &iter); 359 360 EXPECT_EQ(cert1, cert2); 361 } 362 363 TEST(X509CertificateTest, Policy) { 364 scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes( 365 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 366 367 scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes( 368 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)); 369 370 X509Certificate::Policy policy; 371 372 EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::UNKNOWN); 373 EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN); 374 EXPECT_FALSE(policy.HasAllowedCert()); 375 EXPECT_FALSE(policy.HasDeniedCert()); 376 377 policy.Allow(google_cert.get()); 378 379 EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::ALLOWED); 380 EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN); 381 EXPECT_TRUE(policy.HasAllowedCert()); 382 EXPECT_FALSE(policy.HasDeniedCert()); 383 384 policy.Deny(google_cert.get()); 385 386 EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::DENIED); 387 EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN); 388 EXPECT_FALSE(policy.HasAllowedCert()); 389 EXPECT_TRUE(policy.HasDeniedCert()); 390 391 policy.Allow(webkit_cert.get()); 392 393 EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::DENIED); 394 EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::ALLOWED); 395 EXPECT_TRUE(policy.HasAllowedCert()); 396 EXPECT_TRUE(policy.HasDeniedCert()); 397 } 398 399 } // namespace net 400