1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/cert/x509_certificate.h" 6 7 #include "base/basictypes.h" 8 #include "base/files/file_path.h" 9 #include "base/memory/scoped_ptr.h" 10 #include "base/pickle.h" 11 #include "base/sha1.h" 12 #include "base/strings/string_number_conversions.h" 13 #include "base/strings/string_split.h" 14 #include "crypto/rsa_private_key.h" 15 #include "net/base/net_errors.h" 16 #include "net/base/test_data_directory.h" 17 #include "net/cert/asn1_util.h" 18 #include "net/test/cert_test_util.h" 19 #include "net/test/test_certificate_data.h" 20 #include "testing/gtest/include/gtest/gtest.h" 21 22 #if defined(USE_NSS) 23 #include <cert.h> 24 #endif 25 26 using base::HexEncode; 27 using base::Time; 28 29 namespace net { 30 31 // Certificates for test data. They're obtained with: 32 // 33 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null 34 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der 35 // 36 // For fingerprint 37 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der 38 39 // For valid_start, valid_expiry 40 // $ openssl x509 -inform DER -text -noout < /tmp/host.der | 41 // grep -A 2 Validity 42 // $ date +%s -d '<date str>' 43 44 // Google's cert. 45 uint8 google_fingerprint[] = { 46 0xab, 0xbe, 0x5e, 0xb4, 0x93, 0x88, 0x4e, 0xe4, 0x60, 0xc6, 0xef, 0xf8, 47 0xea, 0xd4, 0xb1, 0x55, 0x4b, 0xc9, 0x59, 0x3c 48 }; 49 50 // webkit.org's cert. 51 uint8 webkit_fingerprint[] = { 52 0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8, 53 0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2 54 }; 55 56 // thawte.com's cert (it's EV-licious!). 57 uint8 thawte_fingerprint[] = { 58 0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6, 59 0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37 60 }; 61 62 // A certificate for https://www.unosoft.hu/, whose AIA extension contains 63 // an LDAP URL without a host name. 64 uint8 unosoft_hu_fingerprint[] = { 65 0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd, 66 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 67 }; 68 69 // The fingerprint of the Google certificate used in the parsing tests, 70 // which is newer than the one included in the x509_certificate_data.h 71 uint8 google_parse_fingerprint[] = { 72 0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a, 73 0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2 74 }; 75 76 // The fingerprint for the Thawte SGC certificate 77 uint8 thawte_parse_fingerprint[] = { 78 0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f, 79 0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02 80 }; 81 82 // Dec 18 00:00:00 2009 GMT 83 const double kGoogleParseValidFrom = 1261094400; 84 // Dec 18 23:59:59 2011 GMT 85 const double kGoogleParseValidTo = 1324252799; 86 87 struct CertificateFormatTestData { 88 const char* file_name; 89 X509Certificate::Format format; 90 uint8* chain_fingerprints[3]; 91 }; 92 93 const CertificateFormatTestData FormatTestData[] = { 94 // DER Parsing - single certificate, DER encoded 95 { "google.single.der", X509Certificate::FORMAT_SINGLE_CERTIFICATE, 96 { google_parse_fingerprint, 97 NULL, } }, 98 // DER parsing - single certificate, PEM encoded 99 { "google.single.pem", X509Certificate::FORMAT_SINGLE_CERTIFICATE, 100 { google_parse_fingerprint, 101 NULL, } }, 102 // PEM parsing - single certificate, PEM encoded with a PEB of 103 // "CERTIFICATE" 104 { "google.single.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, 105 { google_parse_fingerprint, 106 NULL, } }, 107 // PEM parsing - sequence of certificates, PEM encoded with a PEB of 108 // "CERTIFICATE" 109 { "google.chain.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, 110 { google_parse_fingerprint, 111 thawte_parse_fingerprint, 112 NULL, } }, 113 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER 114 // encoding 115 { "google.binary.p7b", X509Certificate::FORMAT_PKCS7, 116 { google_parse_fingerprint, 117 thawte_parse_fingerprint, 118 NULL, } }, 119 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM 120 // encoded with a PEM PEB of "CERTIFICATE" 121 { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7, 122 { google_parse_fingerprint, 123 thawte_parse_fingerprint, 124 NULL, } }, 125 // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM 126 // encoded with a PEM PEB of "PKCS7" 127 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7, 128 { google_parse_fingerprint, 129 thawte_parse_fingerprint, 130 NULL, } }, 131 // All of the above, this time using auto-detection 132 { "google.single.der", X509Certificate::FORMAT_AUTO, 133 { google_parse_fingerprint, 134 NULL, } }, 135 { "google.single.pem", X509Certificate::FORMAT_AUTO, 136 { google_parse_fingerprint, 137 NULL, } }, 138 { "google.chain.pem", X509Certificate::FORMAT_AUTO, 139 { google_parse_fingerprint, 140 thawte_parse_fingerprint, 141 NULL, } }, 142 { "google.binary.p7b", X509Certificate::FORMAT_AUTO, 143 { google_parse_fingerprint, 144 thawte_parse_fingerprint, 145 NULL, } }, 146 { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO, 147 { google_parse_fingerprint, 148 thawte_parse_fingerprint, 149 NULL, } }, 150 { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO, 151 { google_parse_fingerprint, 152 thawte_parse_fingerprint, 153 NULL, } }, 154 }; 155 156 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, 157 uint8* expected_fingerprint, 158 double valid_from, double valid_to) { 159 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert); 160 161 const CertPrincipal& subject = google_cert->subject(); 162 EXPECT_EQ("www.google.com", subject.common_name); 163 EXPECT_EQ("Mountain View", subject.locality_name); 164 EXPECT_EQ("California", subject.state_or_province_name); 165 EXPECT_EQ("US", subject.country_name); 166 EXPECT_EQ(0U, subject.street_addresses.size()); 167 ASSERT_EQ(1U, subject.organization_names.size()); 168 EXPECT_EQ("Google Inc", subject.organization_names[0]); 169 EXPECT_EQ(0U, subject.organization_unit_names.size()); 170 EXPECT_EQ(0U, subject.domain_components.size()); 171 172 const CertPrincipal& issuer = google_cert->issuer(); 173 EXPECT_EQ("Thawte SGC CA", issuer.common_name); 174 EXPECT_EQ("", issuer.locality_name); 175 EXPECT_EQ("", issuer.state_or_province_name); 176 EXPECT_EQ("ZA", issuer.country_name); 177 EXPECT_EQ(0U, issuer.street_addresses.size()); 178 ASSERT_EQ(1U, issuer.organization_names.size()); 179 EXPECT_EQ("Thawte Consulting (Pty) Ltd.", issuer.organization_names[0]); 180 EXPECT_EQ(0U, issuer.organization_unit_names.size()); 181 EXPECT_EQ(0U, issuer.domain_components.size()); 182 183 // Use DoubleT because its epoch is the same on all platforms 184 const Time& valid_start = google_cert->valid_start(); 185 EXPECT_EQ(valid_from, valid_start.ToDoubleT()); 186 187 const Time& valid_expiry = google_cert->valid_expiry(); 188 EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); 189 190 const SHA1HashValue& fingerprint = google_cert->fingerprint(); 191 for (size_t i = 0; i < 20; ++i) 192 EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); 193 194 std::vector<std::string> dns_names; 195 google_cert->GetDNSNames(&dns_names); 196 ASSERT_EQ(1U, dns_names.size()); 197 EXPECT_EQ("www.google.com", dns_names[0]); 198 } 199 200 TEST(X509CertificateTest, GoogleCertParsing) { 201 scoped_refptr<X509Certificate> google_cert( 202 X509Certificate::CreateFromBytes( 203 reinterpret_cast<const char*>(google_der), sizeof(google_der))); 204 205 CheckGoogleCert(google_cert, google_fingerprint, 206 1238192407, // Mar 27 22:20:07 2009 GMT 207 1269728407); // Mar 27 22:20:07 2010 GMT 208 } 209 210 TEST(X509CertificateTest, WebkitCertParsing) { 211 scoped_refptr<X509Certificate> webkit_cert(X509Certificate::CreateFromBytes( 212 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); 213 214 ASSERT_NE(static_cast<X509Certificate*>(NULL), webkit_cert); 215 216 const CertPrincipal& subject = webkit_cert->subject(); 217 EXPECT_EQ("Cupertino", subject.locality_name); 218 EXPECT_EQ("California", subject.state_or_province_name); 219 EXPECT_EQ("US", subject.country_name); 220 EXPECT_EQ(0U, subject.street_addresses.size()); 221 ASSERT_EQ(1U, subject.organization_names.size()); 222 EXPECT_EQ("Apple Inc.", subject.organization_names[0]); 223 ASSERT_EQ(1U, subject.organization_unit_names.size()); 224 EXPECT_EQ("Mac OS Forge", subject.organization_unit_names[0]); 225 EXPECT_EQ(0U, subject.domain_components.size()); 226 227 const CertPrincipal& issuer = webkit_cert->issuer(); 228 EXPECT_EQ("Go Daddy Secure Certification Authority", issuer.common_name); 229 EXPECT_EQ("Scottsdale", issuer.locality_name); 230 EXPECT_EQ("Arizona", issuer.state_or_province_name); 231 EXPECT_EQ("US", issuer.country_name); 232 EXPECT_EQ(0U, issuer.street_addresses.size()); 233 ASSERT_EQ(1U, issuer.organization_names.size()); 234 EXPECT_EQ("GoDaddy.com, Inc.", issuer.organization_names[0]); 235 ASSERT_EQ(1U, issuer.organization_unit_names.size()); 236 EXPECT_EQ("http://certificates.godaddy.com/repository", 237 issuer.organization_unit_names[0]); 238 EXPECT_EQ(0U, issuer.domain_components.size()); 239 240 // Use DoubleT because its epoch is the same on all platforms 241 const Time& valid_start = webkit_cert->valid_start(); 242 EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT 243 244 const Time& valid_expiry = webkit_cert->valid_expiry(); 245 EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT 246 247 const SHA1HashValue& fingerprint = webkit_cert->fingerprint(); 248 for (size_t i = 0; i < 20; ++i) 249 EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]); 250 251 std::vector<std::string> dns_names; 252 webkit_cert->GetDNSNames(&dns_names); 253 ASSERT_EQ(2U, dns_names.size()); 254 EXPECT_EQ("*.webkit.org", dns_names[0]); 255 EXPECT_EQ("webkit.org", dns_names[1]); 256 257 // Test that the wildcard cert matches properly. 258 EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org")); 259 EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org")); 260 EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org")); 261 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com")); 262 EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com")); 263 } 264 265 TEST(X509CertificateTest, ThawteCertParsing) { 266 scoped_refptr<X509Certificate> thawte_cert(X509Certificate::CreateFromBytes( 267 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der))); 268 269 ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert); 270 271 const CertPrincipal& subject = thawte_cert->subject(); 272 EXPECT_EQ("www.thawte.com", subject.common_name); 273 EXPECT_EQ("Mountain View", subject.locality_name); 274 EXPECT_EQ("California", subject.state_or_province_name); 275 EXPECT_EQ("US", subject.country_name); 276 EXPECT_EQ(0U, subject.street_addresses.size()); 277 ASSERT_EQ(1U, subject.organization_names.size()); 278 EXPECT_EQ("Thawte Inc", subject.organization_names[0]); 279 EXPECT_EQ(0U, subject.organization_unit_names.size()); 280 EXPECT_EQ(0U, subject.domain_components.size()); 281 282 const CertPrincipal& issuer = thawte_cert->issuer(); 283 EXPECT_EQ("thawte Extended Validation SSL CA", issuer.common_name); 284 EXPECT_EQ("", issuer.locality_name); 285 EXPECT_EQ("", issuer.state_or_province_name); 286 EXPECT_EQ("US", issuer.country_name); 287 EXPECT_EQ(0U, issuer.street_addresses.size()); 288 ASSERT_EQ(1U, issuer.organization_names.size()); 289 EXPECT_EQ("thawte, Inc.", issuer.organization_names[0]); 290 ASSERT_EQ(1U, issuer.organization_unit_names.size()); 291 EXPECT_EQ("Terms of use at https://www.thawte.com/cps (c)06", 292 issuer.organization_unit_names[0]); 293 EXPECT_EQ(0U, issuer.domain_components.size()); 294 295 // Use DoubleT because its epoch is the same on all platforms 296 const Time& valid_start = thawte_cert->valid_start(); 297 EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT 298 299 const Time& valid_expiry = thawte_cert->valid_expiry(); 300 EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT 301 302 const SHA1HashValue& fingerprint = thawte_cert->fingerprint(); 303 for (size_t i = 0; i < 20; ++i) 304 EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]); 305 306 std::vector<std::string> dns_names; 307 thawte_cert->GetDNSNames(&dns_names); 308 ASSERT_EQ(1U, dns_names.size()); 309 EXPECT_EQ("www.thawte.com", dns_names[0]); 310 } 311 312 // Test that all desired AttributeAndValue pairs can be extracted when only 313 // a single RelativeDistinguishedName is present. "Normally" there is only 314 // one AVA per RDN, but some CAs place all AVAs within a single RDN. 315 // This is a regression test for http://crbug.com/101009 316 TEST(X509CertificateTest, MultivalueRDN) { 317 base::FilePath certs_dir = GetTestCertsDirectory(); 318 319 scoped_refptr<X509Certificate> multivalue_rdn_cert = 320 ImportCertFromFile(certs_dir, "multivalue_rdn.pem"); 321 ASSERT_NE(static_cast<X509Certificate*>(NULL), multivalue_rdn_cert); 322 323 const CertPrincipal& subject = multivalue_rdn_cert->subject(); 324 EXPECT_EQ("Multivalue RDN Test", subject.common_name); 325 EXPECT_EQ("", subject.locality_name); 326 EXPECT_EQ("", subject.state_or_province_name); 327 EXPECT_EQ("US", subject.country_name); 328 EXPECT_EQ(0U, subject.street_addresses.size()); 329 ASSERT_EQ(1U, subject.organization_names.size()); 330 EXPECT_EQ("Chromium", subject.organization_names[0]); 331 ASSERT_EQ(1U, subject.organization_unit_names.size()); 332 EXPECT_EQ("Chromium net_unittests", subject.organization_unit_names[0]); 333 ASSERT_EQ(1U, subject.domain_components.size()); 334 EXPECT_EQ("Chromium", subject.domain_components[0]); 335 } 336 337 // Test that characters which would normally be escaped in the string form, 338 // such as '=' or '"', are not escaped when parsed as individual components. 339 // This is a regression test for http://crbug.com/102839 340 TEST(X509CertificateTest, UnescapedSpecialCharacters) { 341 base::FilePath certs_dir = GetTestCertsDirectory(); 342 343 scoped_refptr<X509Certificate> unescaped_cert = 344 ImportCertFromFile(certs_dir, "unescaped.pem"); 345 ASSERT_NE(static_cast<X509Certificate*>(NULL), unescaped_cert); 346 347 const CertPrincipal& subject = unescaped_cert->subject(); 348 EXPECT_EQ("127.0.0.1", subject.common_name); 349 EXPECT_EQ("Mountain View", subject.locality_name); 350 EXPECT_EQ("California", subject.state_or_province_name); 351 EXPECT_EQ("US", subject.country_name); 352 ASSERT_EQ(1U, subject.street_addresses.size()); 353 EXPECT_EQ("1600 Amphitheatre Parkway", subject.street_addresses[0]); 354 ASSERT_EQ(1U, subject.organization_names.size()); 355 EXPECT_EQ("Chromium = \"net_unittests\"", subject.organization_names[0]); 356 ASSERT_EQ(2U, subject.organization_unit_names.size()); 357 EXPECT_EQ("net_unittests", subject.organization_unit_names[0]); 358 EXPECT_EQ("Chromium", subject.organization_unit_names[1]); 359 EXPECT_EQ(0U, subject.domain_components.size()); 360 } 361 362 TEST(X509CertificateTest, SerialNumbers) { 363 scoped_refptr<X509Certificate> google_cert( 364 X509Certificate::CreateFromBytes( 365 reinterpret_cast<const char*>(google_der), sizeof(google_der))); 366 367 static const uint8 google_serial[16] = { 368 0x01,0x2a,0x39,0x76,0x0d,0x3f,0x4f,0xc9, 369 0x0b,0xe7,0xbd,0x2b,0xcf,0x95,0x2e,0x7a, 370 }; 371 372 ASSERT_EQ(sizeof(google_serial), google_cert->serial_number().size()); 373 EXPECT_TRUE(memcmp(google_cert->serial_number().data(), google_serial, 374 sizeof(google_serial)) == 0); 375 376 // We also want to check a serial number where the first byte is >= 0x80 in 377 // case the underlying library tries to pad it. 378 scoped_refptr<X509Certificate> paypal_null_cert( 379 X509Certificate::CreateFromBytes( 380 reinterpret_cast<const char*>(paypal_null_der), 381 sizeof(paypal_null_der))); 382 383 static const uint8 paypal_null_serial[3] = {0x00, 0xf0, 0x9b}; 384 ASSERT_EQ(sizeof(paypal_null_serial), 385 paypal_null_cert->serial_number().size()); 386 EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(), 387 paypal_null_serial, sizeof(paypal_null_serial)) == 0); 388 } 389 390 TEST(X509CertificateTest, CAFingerprints) { 391 base::FilePath certs_dir = GetTestCertsDirectory(); 392 393 scoped_refptr<X509Certificate> server_cert = 394 ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); 395 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); 396 397 scoped_refptr<X509Certificate> intermediate_cert1 = 398 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem"); 399 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1); 400 401 scoped_refptr<X509Certificate> intermediate_cert2 = 402 ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem"); 403 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert2); 404 405 X509Certificate::OSCertHandles intermediates; 406 intermediates.push_back(intermediate_cert1->os_cert_handle()); 407 scoped_refptr<X509Certificate> cert_chain1 = 408 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 409 intermediates); 410 411 intermediates.clear(); 412 intermediates.push_back(intermediate_cert2->os_cert_handle()); 413 scoped_refptr<X509Certificate> cert_chain2 = 414 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 415 intermediates); 416 417 // No intermediate CA certicates. 418 intermediates.clear(); 419 scoped_refptr<X509Certificate> cert_chain3 = 420 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 421 intermediates); 422 423 static const uint8 cert_chain1_ca_fingerprint[20] = { 424 0xc2, 0xf0, 0x08, 0x7d, 0x01, 0xe6, 0x86, 0x05, 0x3a, 0x4d, 425 0x63, 0x3e, 0x7e, 0x70, 0xd4, 0xef, 0x65, 0xc2, 0xcc, 0x4f 426 }; 427 static const uint8 cert_chain2_ca_fingerprint[20] = { 428 0xd5, 0x59, 0xa5, 0x86, 0x66, 0x9b, 0x08, 0xf4, 0x6a, 0x30, 429 0xa1, 0x33, 0xf8, 0xa9, 0xed, 0x3d, 0x03, 0x8e, 0x2e, 0xa8 430 }; 431 // The SHA-1 hash of nothing. 432 static const uint8 cert_chain3_ca_fingerprint[20] = { 433 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, 434 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09 435 }; 436 EXPECT_TRUE(memcmp(cert_chain1->ca_fingerprint().data, 437 cert_chain1_ca_fingerprint, 20) == 0); 438 EXPECT_TRUE(memcmp(cert_chain2->ca_fingerprint().data, 439 cert_chain2_ca_fingerprint, 20) == 0); 440 EXPECT_TRUE(memcmp(cert_chain3->ca_fingerprint().data, 441 cert_chain3_ca_fingerprint, 20) == 0); 442 } 443 444 TEST(X509CertificateTest, ParseSubjectAltNames) { 445 base::FilePath certs_dir = GetTestCertsDirectory(); 446 447 scoped_refptr<X509Certificate> san_cert = 448 ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); 449 ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert); 450 451 std::vector<std::string> dns_names; 452 std::vector<std::string> ip_addresses; 453 san_cert->GetSubjectAltName(&dns_names, &ip_addresses); 454 455 // Ensure that DNS names are correctly parsed. 456 ASSERT_EQ(1U, dns_names.size()); 457 EXPECT_EQ("test.example", dns_names[0]); 458 459 // Ensure that both IPv4 and IPv6 addresses are correctly parsed. 460 ASSERT_EQ(2U, ip_addresses.size()); 461 462 static const uint8 kIPv4Address[] = { 463 0x7F, 0x00, 0x00, 0x02 464 }; 465 ASSERT_EQ(arraysize(kIPv4Address), ip_addresses[0].size()); 466 EXPECT_EQ(0, memcmp(ip_addresses[0].data(), kIPv4Address, 467 arraysize(kIPv4Address))); 468 469 static const uint8 kIPv6Address[] = { 470 0xFE, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 471 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 472 }; 473 ASSERT_EQ(arraysize(kIPv6Address), ip_addresses[1].size()); 474 EXPECT_EQ(0, memcmp(ip_addresses[1].data(), kIPv6Address, 475 arraysize(kIPv6Address))); 476 477 // Ensure the subjectAltName dirName has not influenced the handling of 478 // the subject commonName. 479 EXPECT_EQ("127.0.0.1", san_cert->subject().common_name); 480 } 481 482 TEST(X509CertificateTest, ExtractSPKIFromDERCert) { 483 base::FilePath certs_dir = GetTestCertsDirectory(); 484 scoped_refptr<X509Certificate> cert = 485 ImportCertFromFile(certs_dir, "nist.der"); 486 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); 487 488 std::string derBytes; 489 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), 490 &derBytes)); 491 492 base::StringPiece spkiBytes; 493 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); 494 495 uint8 hash[base::kSHA1Length]; 496 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), 497 spkiBytes.size(), hash); 498 499 EXPECT_EQ(0, memcmp(hash, kNistSPKIHash, sizeof(hash))); 500 } 501 502 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { 503 base::FilePath certs_dir = GetTestCertsDirectory(); 504 scoped_refptr<X509Certificate> cert = 505 ImportCertFromFile(certs_dir, "nist.der"); 506 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); 507 508 std::string derBytes; 509 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), 510 &derBytes)); 511 512 std::vector<base::StringPiece> crl_urls; 513 EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls)); 514 515 EXPECT_EQ(1u, crl_urls.size()); 516 if (crl_urls.size() > 0) { 517 EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl", 518 crl_urls[0].as_string()); 519 } 520 } 521 522 // Tests X509CertificateCache via X509Certificate::CreateFromHandle. We 523 // call X509Certificate::CreateFromHandle several times and observe whether 524 // it returns a cached or new OSCertHandle. 525 TEST(X509CertificateTest, Cache) { 526 X509Certificate::OSCertHandle google_cert_handle; 527 X509Certificate::OSCertHandle thawte_cert_handle; 528 529 // Add a single certificate to the certificate cache. 530 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 531 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 532 scoped_refptr<X509Certificate> cert1(X509Certificate::CreateFromHandle( 533 google_cert_handle, X509Certificate::OSCertHandles())); 534 X509Certificate::FreeOSCertHandle(google_cert_handle); 535 536 // Add the same certificate, but as a new handle. 537 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 538 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 539 scoped_refptr<X509Certificate> cert2(X509Certificate::CreateFromHandle( 540 google_cert_handle, X509Certificate::OSCertHandles())); 541 X509Certificate::FreeOSCertHandle(google_cert_handle); 542 543 // A new X509Certificate should be returned. 544 EXPECT_NE(cert1.get(), cert2.get()); 545 // But both instances should share the underlying OS certificate handle. 546 EXPECT_EQ(cert1->os_cert_handle(), cert2->os_cert_handle()); 547 EXPECT_EQ(0u, cert1->GetIntermediateCertificates().size()); 548 EXPECT_EQ(0u, cert2->GetIntermediateCertificates().size()); 549 550 // Add the same certificate, but this time with an intermediate. This 551 // should result in the intermediate being cached. Note that this is not 552 // a legitimate chain, but is suitable for testing. 553 google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 554 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 555 thawte_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( 556 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)); 557 X509Certificate::OSCertHandles intermediates; 558 intermediates.push_back(thawte_cert_handle); 559 scoped_refptr<X509Certificate> cert3(X509Certificate::CreateFromHandle( 560 google_cert_handle, intermediates)); 561 X509Certificate::FreeOSCertHandle(google_cert_handle); 562 X509Certificate::FreeOSCertHandle(thawte_cert_handle); 563 564 // Test that the new certificate, even with intermediates, results in the 565 // same underlying handle being used. 566 EXPECT_EQ(cert1->os_cert_handle(), cert3->os_cert_handle()); 567 // Though they use the same OS handle, the intermediates should be different. 568 EXPECT_NE(cert1->GetIntermediateCertificates().size(), 569 cert3->GetIntermediateCertificates().size()); 570 } 571 572 TEST(X509CertificateTest, Pickle) { 573 X509Certificate::OSCertHandle google_cert_handle = 574 X509Certificate::CreateOSCertHandleFromBytes( 575 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 576 X509Certificate::OSCertHandle thawte_cert_handle = 577 X509Certificate::CreateOSCertHandleFromBytes( 578 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)); 579 580 X509Certificate::OSCertHandles intermediates; 581 intermediates.push_back(thawte_cert_handle); 582 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( 583 google_cert_handle, intermediates); 584 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert.get()); 585 586 X509Certificate::FreeOSCertHandle(google_cert_handle); 587 X509Certificate::FreeOSCertHandle(thawte_cert_handle); 588 589 Pickle pickle; 590 cert->Persist(&pickle); 591 592 PickleIterator iter(pickle); 593 scoped_refptr<X509Certificate> cert_from_pickle = 594 X509Certificate::CreateFromPickle( 595 pickle, &iter, X509Certificate::PICKLETYPE_CERTIFICATE_CHAIN_V3); 596 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert_from_pickle); 597 EXPECT_TRUE(X509Certificate::IsSameOSCert( 598 cert->os_cert_handle(), cert_from_pickle->os_cert_handle())); 599 const X509Certificate::OSCertHandles& cert_intermediates = 600 cert->GetIntermediateCertificates(); 601 const X509Certificate::OSCertHandles& pickle_intermediates = 602 cert_from_pickle->GetIntermediateCertificates(); 603 ASSERT_EQ(cert_intermediates.size(), pickle_intermediates.size()); 604 for (size_t i = 0; i < cert_intermediates.size(); ++i) { 605 EXPECT_TRUE(X509Certificate::IsSameOSCert(cert_intermediates[i], 606 pickle_intermediates[i])); 607 } 608 } 609 610 TEST(X509CertificateTest, Policy) { 611 scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes( 612 reinterpret_cast<const char*>(google_der), sizeof(google_der))); 613 614 scoped_refptr<X509Certificate> webkit_cert(X509Certificate::CreateFromBytes( 615 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); 616 617 CertPolicy policy; 618 619 // To begin with, everything should be unknown. 620 EXPECT_EQ(CertPolicy::UNKNOWN, 621 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 622 EXPECT_EQ(CertPolicy::UNKNOWN, 623 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 624 EXPECT_FALSE(policy.HasAllowedCert()); 625 EXPECT_FALSE(policy.HasDeniedCert()); 626 627 // Test adding one certificate with one error. 628 policy.Allow(google_cert.get(), CERT_STATUS_DATE_INVALID); 629 EXPECT_EQ(CertPolicy::ALLOWED, 630 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 631 EXPECT_EQ(CertPolicy::UNKNOWN, 632 policy.Check(google_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 633 EXPECT_EQ(CertPolicy::UNKNOWN, 634 policy.Check(google_cert.get(), 635 CERT_STATUS_DATE_INVALID | CERT_STATUS_COMMON_NAME_INVALID)); 636 EXPECT_EQ(CertPolicy::UNKNOWN, 637 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 638 EXPECT_TRUE(policy.HasAllowedCert()); 639 EXPECT_FALSE(policy.HasDeniedCert()); 640 641 // Test saving the same certificate with a new error. 642 policy.Allow(google_cert.get(), CERT_STATUS_AUTHORITY_INVALID); 643 EXPECT_EQ(CertPolicy::UNKNOWN, 644 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 645 EXPECT_EQ(CertPolicy::ALLOWED, 646 policy.Check(google_cert.get(), CERT_STATUS_AUTHORITY_INVALID)); 647 EXPECT_EQ(CertPolicy::UNKNOWN, 648 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 649 EXPECT_TRUE(policy.HasAllowedCert()); 650 EXPECT_FALSE(policy.HasDeniedCert()); 651 652 // Test adding one certificate with two errors. 653 policy.Allow(google_cert.get(), 654 CERT_STATUS_DATE_INVALID | CERT_STATUS_AUTHORITY_INVALID); 655 EXPECT_EQ(CertPolicy::ALLOWED, 656 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 657 EXPECT_EQ(CertPolicy::ALLOWED, 658 policy.Check(google_cert.get(), CERT_STATUS_AUTHORITY_INVALID)); 659 EXPECT_EQ(CertPolicy::UNKNOWN, 660 policy.Check(google_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 661 EXPECT_EQ(CertPolicy::UNKNOWN, 662 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 663 EXPECT_TRUE(policy.HasAllowedCert()); 664 EXPECT_FALSE(policy.HasDeniedCert()); 665 666 // Test removing a certificate that was previously allowed. 667 policy.Deny(google_cert.get(), CERT_STATUS_DATE_INVALID); 668 EXPECT_EQ(CertPolicy::DENIED, 669 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 670 EXPECT_EQ(CertPolicy::UNKNOWN, 671 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 672 EXPECT_FALSE(policy.HasAllowedCert()); 673 EXPECT_TRUE(policy.HasDeniedCert()); 674 675 // Test removing a certificate that was previously unknown. 676 policy.Deny(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID); 677 EXPECT_EQ(CertPolicy::DENIED, 678 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 679 EXPECT_EQ(CertPolicy::DENIED, 680 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 681 EXPECT_FALSE(policy.HasAllowedCert()); 682 EXPECT_TRUE(policy.HasDeniedCert()); 683 684 // Test saving a certificate that was previously denied. 685 policy.Allow(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID); 686 EXPECT_EQ(CertPolicy::DENIED, 687 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 688 EXPECT_EQ(CertPolicy::ALLOWED, 689 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 690 EXPECT_TRUE(policy.HasAllowedCert()); 691 EXPECT_TRUE(policy.HasDeniedCert()); 692 693 // Test denying an overlapping certificate. 694 policy.Allow(google_cert.get(), 695 CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_DATE_INVALID); 696 policy.Deny(google_cert.get(), CERT_STATUS_DATE_INVALID); 697 EXPECT_EQ(CertPolicy::DENIED, 698 policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID)); 699 EXPECT_EQ(CertPolicy::UNKNOWN, 700 policy.Check(google_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 701 EXPECT_EQ(CertPolicy::DENIED, 702 policy.Check(google_cert.get(), 703 CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_DATE_INVALID)); 704 705 // Test denying an overlapping certificate (other direction). 706 policy.Allow(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID); 707 policy.Deny(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID); 708 policy.Deny(webkit_cert.get(), CERT_STATUS_DATE_INVALID); 709 EXPECT_EQ(CertPolicy::DENIED, 710 policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID)); 711 EXPECT_EQ(CertPolicy::DENIED, 712 policy.Check(webkit_cert.get(), CERT_STATUS_DATE_INVALID)); 713 } 714 715 TEST(X509CertificateTest, IntermediateCertificates) { 716 scoped_refptr<X509Certificate> webkit_cert( 717 X509Certificate::CreateFromBytes( 718 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); 719 720 scoped_refptr<X509Certificate> thawte_cert( 721 X509Certificate::CreateFromBytes( 722 reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der))); 723 724 X509Certificate::OSCertHandle google_handle; 725 // Create object with no intermediates: 726 google_handle = X509Certificate::CreateOSCertHandleFromBytes( 727 reinterpret_cast<const char*>(google_der), sizeof(google_der)); 728 X509Certificate::OSCertHandles intermediates1; 729 scoped_refptr<X509Certificate> cert1; 730 cert1 = X509Certificate::CreateFromHandle(google_handle, intermediates1); 731 EXPECT_EQ(0u, cert1->GetIntermediateCertificates().size()); 732 733 // Create object with 2 intermediates: 734 X509Certificate::OSCertHandles intermediates2; 735 intermediates2.push_back(webkit_cert->os_cert_handle()); 736 intermediates2.push_back(thawte_cert->os_cert_handle()); 737 scoped_refptr<X509Certificate> cert2; 738 cert2 = X509Certificate::CreateFromHandle(google_handle, intermediates2); 739 740 // Verify it has all the intermediates: 741 const X509Certificate::OSCertHandles& cert2_intermediates = 742 cert2->GetIntermediateCertificates(); 743 ASSERT_EQ(2u, cert2_intermediates.size()); 744 EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[0], 745 webkit_cert->os_cert_handle())); 746 EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[1], 747 thawte_cert->os_cert_handle())); 748 749 // Cleanup 750 X509Certificate::FreeOSCertHandle(google_handle); 751 } 752 753 TEST(X509CertificateTest, IsIssuedByEncoded) { 754 base::FilePath certs_dir = GetTestCertsDirectory(); 755 756 // Test a client certificate from MIT. 757 scoped_refptr<X509Certificate> mit_davidben_cert( 758 ImportCertFromFile(certs_dir, "mit.davidben.der")); 759 ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert); 760 761 std::string mit_issuer(reinterpret_cast<const char*>(MITDN), 762 sizeof(MITDN)); 763 764 // Test a certificate from Google, issued by Thawte 765 scoped_refptr<X509Certificate> google_cert( 766 ImportCertFromFile(certs_dir, "google.single.der")); 767 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert); 768 769 std::string thawte_issuer(reinterpret_cast<const char*>(ThawteDN), 770 sizeof(ThawteDN)); 771 772 // Check that the David Ben certificate is issued by MIT, but not 773 // by Thawte. 774 std::vector<std::string> issuers; 775 issuers.clear(); 776 issuers.push_back(mit_issuer); 777 EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers)); 778 EXPECT_FALSE(google_cert->IsIssuedByEncoded(issuers)); 779 780 // Check that the Google certificate is issued by Thawte and not 781 // by MIT. 782 issuers.clear(); 783 issuers.push_back(thawte_issuer); 784 EXPECT_FALSE(mit_davidben_cert->IsIssuedByEncoded(issuers)); 785 EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers)); 786 787 // Check that they both pass when given a list of the two issuers. 788 issuers.clear(); 789 issuers.push_back(mit_issuer); 790 issuers.push_back(thawte_issuer); 791 EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers)); 792 EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers)); 793 } 794 795 TEST(X509CertificateTest, IsIssuedByEncodedWithIntermediates) { 796 static const unsigned char kPolicyRootDN[] = { 797 0x30, 0x1e, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 798 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 799 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41 800 }; 801 static const unsigned char kPolicyIntermediateDN[] = { 802 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 803 0x1b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 804 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 805 0x65, 0x20, 0x43, 0x41 806 }; 807 808 base::FilePath certs_dir = GetTestCertsDirectory(); 809 810 CertificateList policy_chain = CreateCertificateListFromFile( 811 certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO); 812 ASSERT_EQ(3u, policy_chain.size()); 813 814 // The intermediate CA certificate's policyConstraints extension has a 815 // requireExplicitPolicy field with SkipCerts=0. 816 std::string policy_intermediate_dn( 817 reinterpret_cast<const char*>(kPolicyIntermediateDN), 818 sizeof(kPolicyIntermediateDN)); 819 std::string policy_root_dn(reinterpret_cast<const char*>(kPolicyRootDN), 820 sizeof(kPolicyRootDN)); 821 822 X509Certificate::OSCertHandles intermediates; 823 intermediates.push_back(policy_chain[1]->os_cert_handle()); 824 scoped_refptr<X509Certificate> cert_chain = 825 X509Certificate::CreateFromHandle(policy_chain[0]->os_cert_handle(), 826 intermediates); 827 828 std::vector<std::string> issuers; 829 830 // Check that the chain is issued by the intermediate. 831 issuers.clear(); 832 issuers.push_back(policy_intermediate_dn); 833 EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); 834 835 // Check that the chain is also issued by the root. 836 issuers.clear(); 837 issuers.push_back(policy_root_dn); 838 EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); 839 840 // Check that the chain is issued by either the intermediate or the root. 841 issuers.clear(); 842 issuers.push_back(policy_intermediate_dn); 843 issuers.push_back(policy_root_dn); 844 EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); 845 846 // Check that an empty issuers list returns false. 847 issuers.clear(); 848 EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers)); 849 850 // Check that the chain is not issued by Verisign 851 std::string mit_issuer(reinterpret_cast<const char*>(VerisignDN), 852 sizeof(VerisignDN)); 853 issuers.clear(); 854 issuers.push_back(mit_issuer); 855 EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers)); 856 } 857 858 #if defined(USE_NSS) 859 TEST(X509CertificateTest, GetDefaultNickname) { 860 base::FilePath certs_dir = GetTestCertsDirectory(); 861 862 scoped_refptr<X509Certificate> test_cert( 863 ImportCertFromFile(certs_dir, "no_subject_common_name_cert.pem")); 864 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); 865 866 std::string nickname = test_cert->GetDefaultNickname(USER_CERT); 867 EXPECT_EQ("wtc (at) google.com's COMODO Client Authentication and " 868 "Secure Email CA ID", nickname); 869 } 870 #endif 871 872 class X509CertificateParseTest 873 : public testing::TestWithParam<CertificateFormatTestData> { 874 public: 875 virtual ~X509CertificateParseTest() {} 876 virtual void SetUp() { 877 test_data_ = GetParam(); 878 } 879 virtual void TearDown() {} 880 881 protected: 882 CertificateFormatTestData test_data_; 883 }; 884 885 TEST_P(X509CertificateParseTest, CanParseFormat) { 886 base::FilePath certs_dir = GetTestCertsDirectory(); 887 CertificateList certs = CreateCertificateListFromFile( 888 certs_dir, test_data_.file_name, test_data_.format); 889 ASSERT_FALSE(certs.empty()); 890 ASSERT_LE(certs.size(), arraysize(test_data_.chain_fingerprints)); 891 CheckGoogleCert(certs.front(), google_parse_fingerprint, 892 kGoogleParseValidFrom, kGoogleParseValidTo); 893 894 size_t i; 895 for (i = 0; i < arraysize(test_data_.chain_fingerprints); ++i) { 896 if (test_data_.chain_fingerprints[i] == NULL) { 897 // No more test certificates expected - make sure no more were 898 // returned before marking this test a success. 899 EXPECT_EQ(i, certs.size()); 900 break; 901 } 902 903 // A cert is expected - make sure that one was parsed. 904 ASSERT_LT(i, certs.size()); 905 906 // Compare the parsed certificate with the expected certificate, by 907 // comparing fingerprints. 908 const X509Certificate* cert = certs[i].get(); 909 const SHA1HashValue& actual_fingerprint = cert->fingerprint(); 910 uint8* expected_fingerprint = test_data_.chain_fingerprints[i]; 911 912 for (size_t j = 0; j < 20; ++j) 913 EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); 914 } 915 } 916 917 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, 918 testing::ValuesIn(FormatTestData)); 919 920 struct CertificateNameVerifyTestData { 921 // true iff we expect hostname to match an entry in cert_names. 922 bool expected; 923 // The hostname to match. 924 const char* hostname; 925 // Common name, may be used if |dns_names| or |ip_addrs| are empty. 926 const char* common_name; 927 // Comma separated list of certificate names to match against. Any occurrence 928 // of '#' will be replaced with a null character before processing. 929 const char* dns_names; 930 // Comma separated list of certificate IP Addresses to match against. Each 931 // address is x prefixed 16 byte hex code for v6 or dotted-decimals for v4. 932 const char* ip_addrs; 933 }; 934 935 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how 936 // to output the parameter that was passed. Without this, it will simply 937 // attempt to print out the first twenty bytes of the object, which depending 938 // on platform and alignment, may result in an invalid read. 939 void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) { 940 ASSERT_TRUE(data.hostname && data.common_name); 941 // Using StringPiece to allow for optional fields being NULL. 942 *os << " expected: " << data.expected 943 << "; hostname: " << data.hostname 944 << "; common_name: " << data.common_name 945 << "; dns_names: " << base::StringPiece(data.dns_names) 946 << "; ip_addrs: " << base::StringPiece(data.ip_addrs); 947 } 948 949 const CertificateNameVerifyTestData kNameVerifyTestData[] = { 950 { true, "foo.com", "foo.com" }, 951 { true, "f", "f" }, 952 { false, "h", "i" }, 953 { true, "bar.foo.com", "*.foo.com" }, 954 { true, "www.test.fr", "common.name", 955 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, 956 { true, "wwW.tESt.fr", "common.name", 957 ",*.*,*.test.de,*.test.FR,www" }, 958 { false, "f.uk", ".uk" }, 959 { false, "w.bar.foo.com", "?.bar.foo.com" }, 960 { false, "www.foo.com", "(www|ftp).foo.com" }, 961 { false, "www.foo.com", "www.foo.com#" }, // # = null char. 962 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, 963 { false, "www.house.example", "ww.house.example" }, 964 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, 965 { false, "w.bar.foo.com", "w*.bar.foo.com" }, 966 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, 967 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, 968 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, 969 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, 970 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, 971 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, 972 { true, "ww%57.foo.com", "", "www.foo.com" }, 973 { true, "www&.foo.com", "www%26.foo.com" }, 974 // Common name must not be used if subject alternative name was provided. 975 { false, "www.test.co.jp", "www.test.co.jp", 976 "*.test.de,*.jp,www.test.co.uk,www.*.co.jp" }, 977 { false, "www.bar.foo.com", "www.bar.foo.com", 978 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, 979 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, 980 { false, "66.77.88.99", "www.bath.org", "www.bath.org" }, 981 // IDN tests 982 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, 983 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, 984 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," 985 "xn--poema-*.com.br," 986 "xn--*-9qae5a.com.br," 987 "*--poema-9qae5a.com.br" }, 988 // The following are adapted from the examples quoted from 989 // http://tools.ietf.org/html/rfc6125#section-6.4.3 990 // (e.g., *.example.com would match foo.example.com but 991 // not bar.foo.example.com or example.com). 992 { true, "foo.example.com", "*.example.com" }, 993 { false, "bar.foo.example.com", "*.example.com" }, 994 { false, "example.com", "*.example.com" }, 995 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would 996 // be taken to match baz1.example.net and foobaz.example.net and 997 // buzz.example.net, respectively 998 { true, "baz1.example.net", "baz*.example.net" }, 999 { true, "foobaz.example.net", "*baz.example.net" }, 1000 { true, "buzz.example.net", "b*z.example.net" }, 1001 // Wildcards should not be valid for public registry controlled domains, 1002 // and unknown/unrecognized domains, at least three domain components must 1003 // be present. 1004 { true, "www.test.example", "*.test.example" }, 1005 { true, "test.example.co.uk", "*.example.co.uk" }, 1006 { false, "test.example", "*.exmaple" }, 1007 { false, "example.co.uk", "*.co.uk" }, 1008 { false, "foo.com", "*.com" }, 1009 { false, "foo.us", "*.us" }, 1010 { false, "foo", "*" }, 1011 // IDN variants of wildcards and registry controlled domains. 1012 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, 1013 { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" }, 1014 { false, "xn--poema-9qae5a.com.br", "*.com.br" }, 1015 { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" }, 1016 // Wildcards should be permissible for 'private' registry controlled 1017 // domains. 1018 { true, "www.appspot.com", "*.appspot.com" }, 1019 { true, "foo.s3.amazonaws.com", "*.s3.amazonaws.com" }, 1020 // Multiple wildcards are not valid. 1021 { false, "foo.example.com", "*.*.com" }, 1022 { false, "foo.bar.example.com", "*.bar.*.com" }, 1023 // Absolute vs relative DNS name tests. Although not explicitly specified 1024 // in RFC 6125, absolute reference names (those ending in a .) should 1025 // match either absolute or relative presented names. 1026 { true, "foo.com", "foo.com." }, 1027 { true, "foo.com.", "foo.com" }, 1028 { true, "foo.com.", "foo.com." }, 1029 { true, "f", "f." }, 1030 { true, "f.", "f" }, 1031 { true, "f.", "f." }, 1032 { true, "www-3.bar.foo.com", "*.bar.foo.com." }, 1033 { true, "www-3.bar.foo.com.", "*.bar.foo.com" }, 1034 { true, "www-3.bar.foo.com.", "*.bar.foo.com." }, 1035 { false, ".", "." }, 1036 { false, "example.com", "*.com." }, 1037 { false, "example.com.", "*.com" }, 1038 { false, "example.com.", "*.com." }, 1039 { false, "foo.", "*." }, 1040 { false, "foo", "*." }, 1041 { false, "foo.co.uk", "*.co.uk." }, 1042 { false, "foo.co.uk.", "*.co.uk." }, 1043 // IP addresses in common name; IPv4 only. 1044 { true, "127.0.0.1", "127.0.0.1" }, 1045 { true, "192.168.1.1", "192.168.1.1" }, 1046 { true, "676768", "0.10.83.160" }, 1047 { true, "1.2.3", "1.2.0.3" }, 1048 { false, "192.169.1.1", "192.168.1.1" }, 1049 { false, "12.19.1.1", "12.19.1.1/255.255.255.0" }, 1050 { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210", 1051 "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" }, 1052 { false, "1111:2222:3333:4444:5555:6666:7777:8888", 1053 "1111:2222:3333:4444:5555:6666:7777:8888" }, 1054 { false, "::192.9.5.5", "[::192.9.5.5]" }, 1055 // No wildcard matching in valid IP addresses 1056 { false, "::192.9.5.5", "*.9.5.5" }, 1057 { false, "2010:836B:4179::836B:4179", "*:836B:4179::836B:4179" }, 1058 { false, "192.168.1.11", "*.168.1.11" }, 1059 { false, "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210", "*.]" }, 1060 // IP addresses in subject alternative name (common name ignored) 1061 { true, "10.1.2.3", "", "", "10.1.2.3" }, 1062 { true, "14.15", "", "", "14.0.0.15" }, 1063 { false, "10.1.2.7", "10.1.2.7", "", "10.1.2.6,10.1.2.8" }, 1064 { false, "10.1.2.8", "10.20.2.8", "foo" }, 1065 { true, "::4.5.6.7", "", "", "x00000000000000000000000004050607" }, 1066 { false, "::6.7.8.9", "::6.7.8.9", "::6.7.8.9", 1067 "x00000000000000000000000006070808,x0000000000000000000000000607080a," 1068 "xff000000000000000000000006070809,6.7.8.9" }, 1069 { true, "FE80::200:f8ff:fe21:67cf", "no.common.name", "", 1070 "x00000000000000000000000006070808,xfe800000000000000200f8fffe2167cf," 1071 "xff0000000000000000000000060708ff,10.0.0.1" }, 1072 // Numeric only hostnames (none of these are considered valid IP addresses). 1073 { false, "12345.6", "12345.6" }, 1074 { false, "121.2.3.512", "", "1*1.2.3.512,*1.2.3.512,1*.2.3.512,*.2.3.512", 1075 "121.2.3.0"}, 1076 { false, "1.2.3.4.5.6", "*.2.3.4.5.6" }, 1077 { true, "1.2.3.4.5", "", "1.2.3.4.5" }, 1078 // Invalid host names. 1079 { false, "junk)()$*!@~#", "junk)()$*!@~#" }, 1080 { false, "www.*.com", "www.*.com" }, 1081 { false, "w$w.f.com", "w$w.f.com" }, 1082 { false, "nocolonallowed:example", "", "nocolonallowed:example" }, 1083 { false, "www-1.[::FFFF:129.144.52.38]", "*.[::FFFF:129.144.52.38]" }, 1084 { false, "[::4.5.6.9]", "", "", "x00000000000000000000000004050609" }, 1085 }; 1086 1087 class X509CertificateNameVerifyTest 1088 : public testing::TestWithParam<CertificateNameVerifyTestData> { 1089 }; 1090 1091 TEST_P(X509CertificateNameVerifyTest, VerifyHostname) { 1092 CertificateNameVerifyTestData test_data = GetParam(); 1093 1094 std::string common_name(test_data.common_name); 1095 ASSERT_EQ(std::string::npos, common_name.find(',')); 1096 std::replace(common_name.begin(), common_name.end(), '#', '\0'); 1097 1098 std::vector<std::string> dns_names, ip_addressses; 1099 if (test_data.dns_names) { 1100 // Build up the certificate DNS names list. 1101 std::string dns_name_line(test_data.dns_names); 1102 std::replace(dns_name_line.begin(), dns_name_line.end(), '#', '\0'); 1103 base::SplitString(dns_name_line, ',', &dns_names); 1104 } 1105 1106 if (test_data.ip_addrs) { 1107 // Build up the certificate IP address list. 1108 std::string ip_addrs_line(test_data.ip_addrs); 1109 std::vector<std::string> ip_addressses_ascii; 1110 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); 1111 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { 1112 std::string& addr_ascii = ip_addressses_ascii[i]; 1113 ASSERT_NE(0U, addr_ascii.length()); 1114 if (addr_ascii[0] == 'x') { // Hex encoded address 1115 addr_ascii.erase(0, 1); 1116 std::vector<uint8> bytes; 1117 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) 1118 << "Could not parse hex address " << addr_ascii << " i = " << i; 1119 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), 1120 bytes.size())); 1121 ASSERT_EQ(16U, ip_addressses.back().size()) << i; 1122 } else { // Decimal groups 1123 std::vector<std::string> decimals_ascii; 1124 base::SplitString(addr_ascii, '.', &decimals_ascii); 1125 EXPECT_EQ(4U, decimals_ascii.size()) << i; 1126 std::string addr_bytes; 1127 for (size_t j = 0; j < decimals_ascii.size(); ++j) { 1128 int decimal_value; 1129 EXPECT_TRUE(base::StringToInt(decimals_ascii[j], &decimal_value)); 1130 EXPECT_GE(decimal_value, 0); 1131 EXPECT_LE(decimal_value, 255); 1132 addr_bytes.push_back(static_cast<char>(decimal_value)); 1133 } 1134 ip_addressses.push_back(addr_bytes); 1135 ASSERT_EQ(4U, ip_addressses.back().size()) << i; 1136 } 1137 } 1138 } 1139 1140 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( 1141 test_data.hostname, common_name, dns_names, ip_addressses)); 1142 } 1143 1144 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, 1145 testing::ValuesIn(kNameVerifyTestData)); 1146 1147 } // namespace net 1148
