Home | History | Annotate | Download | only in cert
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "net/cert/x509_certificate.h"
      6 
      7 #include "base/basictypes.h"
      8 #include "base/files/file_path.h"
      9 #include "base/memory/scoped_ptr.h"
     10 #include "base/pickle.h"
     11 #include "base/sha1.h"
     12 #include "base/strings/string_number_conversions.h"
     13 #include "base/strings/string_split.h"
     14 #include "crypto/rsa_private_key.h"
     15 #include "net/base/net_errors.h"
     16 #include "net/base/test_data_directory.h"
     17 #include "net/cert/asn1_util.h"
     18 #include "net/test/cert_test_util.h"
     19 #include "net/test/test_certificate_data.h"
     20 #include "testing/gtest/include/gtest/gtest.h"
     21 
     22 #if defined(USE_NSS)
     23 #include <cert.h>
     24 #endif
     25 
     26 #if defined(OS_WIN)
     27 #include "base/win/windows_version.h"
     28 #endif
     29 
     30 using base::HexEncode;
     31 using base::Time;
     32 
     33 namespace net {
     34 
     35 // Certificates for test data. They're obtained with:
     36 //
     37 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null
     38 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der
     39 //
     40 // For fingerprint
     41 // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der
     42 
     43 // For valid_start, valid_expiry
     44 // $ openssl x509 -inform DER -text -noout < /tmp/host.der |
     45 //    grep -A 2 Validity
     46 // $ date +%s -d '<date str>'
     47 
     48 // Google's cert.
     49 uint8 google_fingerprint[] = {
     50   0xab, 0xbe, 0x5e, 0xb4, 0x93, 0x88, 0x4e, 0xe4, 0x60, 0xc6, 0xef, 0xf8,
     51   0xea, 0xd4, 0xb1, 0x55, 0x4b, 0xc9, 0x59, 0x3c
     52 };
     53 
     54 // webkit.org's cert.
     55 uint8 webkit_fingerprint[] = {
     56   0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8,
     57   0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2
     58 };
     59 
     60 // thawte.com's cert (it's EV-licious!).
     61 uint8 thawte_fingerprint[] = {
     62   0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6,
     63   0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37
     64 };
     65 
     66 // A certificate for https://www.unosoft.hu/, whose AIA extension contains
     67 // an LDAP URL without a host name.
     68 uint8 unosoft_hu_fingerprint[] = {
     69   0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd,
     70   0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8
     71 };
     72 
     73 // The fingerprint of the Google certificate used in the parsing tests,
     74 // which is newer than the one included in the x509_certificate_data.h
     75 uint8 google_parse_fingerprint[] = {
     76   0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a,
     77   0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2
     78 };
     79 
     80 // The fingerprint for the Thawte SGC certificate
     81 uint8 thawte_parse_fingerprint[] = {
     82   0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f,
     83   0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02
     84 };
     85 
     86 // Dec 18 00:00:00 2009 GMT
     87 const double kGoogleParseValidFrom = 1261094400;
     88 // Dec 18 23:59:59 2011 GMT
     89 const double kGoogleParseValidTo = 1324252799;
     90 
     91 void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert,
     92                      uint8* expected_fingerprint,
     93                      double valid_from, double valid_to) {
     94   ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
     95 
     96   const CertPrincipal& subject = google_cert->subject();
     97   EXPECT_EQ("www.google.com", subject.common_name);
     98   EXPECT_EQ("Mountain View", subject.locality_name);
     99   EXPECT_EQ("California", subject.state_or_province_name);
    100   EXPECT_EQ("US", subject.country_name);
    101   EXPECT_EQ(0U, subject.street_addresses.size());
    102   ASSERT_EQ(1U, subject.organization_names.size());
    103   EXPECT_EQ("Google Inc", subject.organization_names[0]);
    104   EXPECT_EQ(0U, subject.organization_unit_names.size());
    105   EXPECT_EQ(0U, subject.domain_components.size());
    106 
    107   const CertPrincipal& issuer = google_cert->issuer();
    108   EXPECT_EQ("Thawte SGC CA", issuer.common_name);
    109   EXPECT_EQ("", issuer.locality_name);
    110   EXPECT_EQ("", issuer.state_or_province_name);
    111   EXPECT_EQ("ZA", issuer.country_name);
    112   EXPECT_EQ(0U, issuer.street_addresses.size());
    113   ASSERT_EQ(1U, issuer.organization_names.size());
    114   EXPECT_EQ("Thawte Consulting (Pty) Ltd.", issuer.organization_names[0]);
    115   EXPECT_EQ(0U, issuer.organization_unit_names.size());
    116   EXPECT_EQ(0U, issuer.domain_components.size());
    117 
    118   // Use DoubleT because its epoch is the same on all platforms
    119   const Time& valid_start = google_cert->valid_start();
    120   EXPECT_EQ(valid_from, valid_start.ToDoubleT());
    121 
    122   const Time& valid_expiry = google_cert->valid_expiry();
    123   EXPECT_EQ(valid_to, valid_expiry.ToDoubleT());
    124 
    125   const SHA1HashValue& fingerprint = google_cert->fingerprint();
    126   for (size_t i = 0; i < 20; ++i)
    127     EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]);
    128 
    129   std::vector<std::string> dns_names;
    130   google_cert->GetDNSNames(&dns_names);
    131   ASSERT_EQ(1U, dns_names.size());
    132   EXPECT_EQ("www.google.com", dns_names[0]);
    133 }
    134 
    135 TEST(X509CertificateTest, GoogleCertParsing) {
    136   scoped_refptr<X509Certificate> google_cert(
    137       X509Certificate::CreateFromBytes(
    138           reinterpret_cast<const char*>(google_der), sizeof(google_der)));
    139 
    140   CheckGoogleCert(google_cert, google_fingerprint,
    141                   1238192407,   // Mar 27 22:20:07 2009 GMT
    142                   1269728407);  // Mar 27 22:20:07 2010 GMT
    143 }
    144 
    145 TEST(X509CertificateTest, WebkitCertParsing) {
    146   scoped_refptr<X509Certificate> webkit_cert(X509Certificate::CreateFromBytes(
    147       reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
    148 
    149   ASSERT_NE(static_cast<X509Certificate*>(NULL), webkit_cert);
    150 
    151   const CertPrincipal& subject = webkit_cert->subject();
    152   EXPECT_EQ("Cupertino", subject.locality_name);
    153   EXPECT_EQ("California", subject.state_or_province_name);
    154   EXPECT_EQ("US", subject.country_name);
    155   EXPECT_EQ(0U, subject.street_addresses.size());
    156   ASSERT_EQ(1U, subject.organization_names.size());
    157   EXPECT_EQ("Apple Inc.", subject.organization_names[0]);
    158   ASSERT_EQ(1U, subject.organization_unit_names.size());
    159   EXPECT_EQ("Mac OS Forge", subject.organization_unit_names[0]);
    160   EXPECT_EQ(0U, subject.domain_components.size());
    161 
    162   const CertPrincipal& issuer = webkit_cert->issuer();
    163   EXPECT_EQ("Go Daddy Secure Certification Authority", issuer.common_name);
    164   EXPECT_EQ("Scottsdale", issuer.locality_name);
    165   EXPECT_EQ("Arizona", issuer.state_or_province_name);
    166   EXPECT_EQ("US", issuer.country_name);
    167   EXPECT_EQ(0U, issuer.street_addresses.size());
    168   ASSERT_EQ(1U, issuer.organization_names.size());
    169   EXPECT_EQ("GoDaddy.com, Inc.", issuer.organization_names[0]);
    170   ASSERT_EQ(1U, issuer.organization_unit_names.size());
    171   EXPECT_EQ("http://certificates.godaddy.com/repository",
    172       issuer.organization_unit_names[0]);
    173   EXPECT_EQ(0U, issuer.domain_components.size());
    174 
    175   // Use DoubleT because its epoch is the same on all platforms
    176   const Time& valid_start = webkit_cert->valid_start();
    177   EXPECT_EQ(1205883319, valid_start.ToDoubleT());  // Mar 18 23:35:19 2008 GMT
    178 
    179   const Time& valid_expiry = webkit_cert->valid_expiry();
    180   EXPECT_EQ(1300491319, valid_expiry.ToDoubleT());  // Mar 18 23:35:19 2011 GMT
    181 
    182   const SHA1HashValue& fingerprint = webkit_cert->fingerprint();
    183   for (size_t i = 0; i < 20; ++i)
    184     EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]);
    185 
    186   std::vector<std::string> dns_names;
    187   webkit_cert->GetDNSNames(&dns_names);
    188   ASSERT_EQ(2U, dns_names.size());
    189   EXPECT_EQ("*.webkit.org", dns_names[0]);
    190   EXPECT_EQ("webkit.org", dns_names[1]);
    191 
    192   // Test that the wildcard cert matches properly.
    193   bool unused = false;
    194   EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", &unused));
    195   EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", &unused));
    196   EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org", &unused));
    197   EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com", &unused));
    198   EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com", &unused));
    199 }
    200 
    201 TEST(X509CertificateTest, ThawteCertParsing) {
    202   scoped_refptr<X509Certificate> thawte_cert(X509Certificate::CreateFromBytes(
    203       reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)));
    204 
    205   ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert);
    206 
    207   const CertPrincipal& subject = thawte_cert->subject();
    208   EXPECT_EQ("www.thawte.com", subject.common_name);
    209   EXPECT_EQ("Mountain View", subject.locality_name);
    210   EXPECT_EQ("California", subject.state_or_province_name);
    211   EXPECT_EQ("US", subject.country_name);
    212   EXPECT_EQ(0U, subject.street_addresses.size());
    213   ASSERT_EQ(1U, subject.organization_names.size());
    214   EXPECT_EQ("Thawte Inc", subject.organization_names[0]);
    215   EXPECT_EQ(0U, subject.organization_unit_names.size());
    216   EXPECT_EQ(0U, subject.domain_components.size());
    217 
    218   const CertPrincipal& issuer = thawte_cert->issuer();
    219   EXPECT_EQ("thawte Extended Validation SSL CA", issuer.common_name);
    220   EXPECT_EQ("", issuer.locality_name);
    221   EXPECT_EQ("", issuer.state_or_province_name);
    222   EXPECT_EQ("US", issuer.country_name);
    223   EXPECT_EQ(0U, issuer.street_addresses.size());
    224   ASSERT_EQ(1U, issuer.organization_names.size());
    225   EXPECT_EQ("thawte, Inc.", issuer.organization_names[0]);
    226   ASSERT_EQ(1U, issuer.organization_unit_names.size());
    227   EXPECT_EQ("Terms of use at https://www.thawte.com/cps (c)06",
    228             issuer.organization_unit_names[0]);
    229   EXPECT_EQ(0U, issuer.domain_components.size());
    230 
    231   // Use DoubleT because its epoch is the same on all platforms
    232   const Time& valid_start = thawte_cert->valid_start();
    233   EXPECT_EQ(1227052800, valid_start.ToDoubleT());  // Nov 19 00:00:00 2008 GMT
    234 
    235   const Time& valid_expiry = thawte_cert->valid_expiry();
    236   EXPECT_EQ(1263772799, valid_expiry.ToDoubleT());  // Jan 17 23:59:59 2010 GMT
    237 
    238   const SHA1HashValue& fingerprint = thawte_cert->fingerprint();
    239   for (size_t i = 0; i < 20; ++i)
    240     EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]);
    241 
    242   std::vector<std::string> dns_names;
    243   thawte_cert->GetDNSNames(&dns_names);
    244   ASSERT_EQ(1U, dns_names.size());
    245   EXPECT_EQ("www.thawte.com", dns_names[0]);
    246 }
    247 
    248 // Test that all desired AttributeAndValue pairs can be extracted when only
    249 // a single RelativeDistinguishedName is present. "Normally" there is only
    250 // one AVA per RDN, but some CAs place all AVAs within a single RDN.
    251 // This is a regression test for http://crbug.com/101009
    252 TEST(X509CertificateTest, MultivalueRDN) {
    253   base::FilePath certs_dir = GetTestCertsDirectory();
    254 
    255   scoped_refptr<X509Certificate> multivalue_rdn_cert =
    256       ImportCertFromFile(certs_dir, "multivalue_rdn.pem");
    257   ASSERT_NE(static_cast<X509Certificate*>(NULL), multivalue_rdn_cert);
    258 
    259   const CertPrincipal& subject = multivalue_rdn_cert->subject();
    260   EXPECT_EQ("Multivalue RDN Test", subject.common_name);
    261   EXPECT_EQ("", subject.locality_name);
    262   EXPECT_EQ("", subject.state_or_province_name);
    263   EXPECT_EQ("US", subject.country_name);
    264   EXPECT_EQ(0U, subject.street_addresses.size());
    265   ASSERT_EQ(1U, subject.organization_names.size());
    266   EXPECT_EQ("Chromium", subject.organization_names[0]);
    267   ASSERT_EQ(1U, subject.organization_unit_names.size());
    268   EXPECT_EQ("Chromium net_unittests", subject.organization_unit_names[0]);
    269   ASSERT_EQ(1U, subject.domain_components.size());
    270   EXPECT_EQ("Chromium", subject.domain_components[0]);
    271 }
    272 
    273 // Test that characters which would normally be escaped in the string form,
    274 // such as '=' or '"', are not escaped when parsed as individual components.
    275 // This is a regression test for http://crbug.com/102839
    276 TEST(X509CertificateTest, UnescapedSpecialCharacters) {
    277   base::FilePath certs_dir = GetTestCertsDirectory();
    278 
    279   scoped_refptr<X509Certificate> unescaped_cert =
    280       ImportCertFromFile(certs_dir, "unescaped.pem");
    281   ASSERT_NE(static_cast<X509Certificate*>(NULL), unescaped_cert);
    282 
    283   const CertPrincipal& subject = unescaped_cert->subject();
    284   EXPECT_EQ("127.0.0.1", subject.common_name);
    285   EXPECT_EQ("Mountain View", subject.locality_name);
    286   EXPECT_EQ("California", subject.state_or_province_name);
    287   EXPECT_EQ("US", subject.country_name);
    288   ASSERT_EQ(1U, subject.street_addresses.size());
    289   EXPECT_EQ("1600 Amphitheatre Parkway", subject.street_addresses[0]);
    290   ASSERT_EQ(1U, subject.organization_names.size());
    291   EXPECT_EQ("Chromium = \"net_unittests\"", subject.organization_names[0]);
    292   ASSERT_EQ(2U, subject.organization_unit_names.size());
    293   EXPECT_EQ("net_unittests", subject.organization_unit_names[0]);
    294   EXPECT_EQ("Chromium", subject.organization_unit_names[1]);
    295   EXPECT_EQ(0U, subject.domain_components.size());
    296 }
    297 
    298 TEST(X509CertificateTest, SerialNumbers) {
    299   scoped_refptr<X509Certificate> google_cert(
    300       X509Certificate::CreateFromBytes(
    301           reinterpret_cast<const char*>(google_der), sizeof(google_der)));
    302 
    303   static const uint8 google_serial[16] = {
    304     0x01,0x2a,0x39,0x76,0x0d,0x3f,0x4f,0xc9,
    305     0x0b,0xe7,0xbd,0x2b,0xcf,0x95,0x2e,0x7a,
    306   };
    307 
    308   ASSERT_EQ(sizeof(google_serial), google_cert->serial_number().size());
    309   EXPECT_TRUE(memcmp(google_cert->serial_number().data(), google_serial,
    310                      sizeof(google_serial)) == 0);
    311 
    312   // We also want to check a serial number where the first byte is >= 0x80 in
    313   // case the underlying library tries to pad it.
    314   scoped_refptr<X509Certificate> paypal_null_cert(
    315       X509Certificate::CreateFromBytes(
    316           reinterpret_cast<const char*>(paypal_null_der),
    317           sizeof(paypal_null_der)));
    318 
    319   static const uint8 paypal_null_serial[3] = {0x00, 0xf0, 0x9b};
    320   ASSERT_EQ(sizeof(paypal_null_serial),
    321             paypal_null_cert->serial_number().size());
    322   EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(),
    323                      paypal_null_serial, sizeof(paypal_null_serial)) == 0);
    324 }
    325 
    326 TEST(X509CertificateTest, CAFingerprints) {
    327   base::FilePath certs_dir = GetTestCertsDirectory();
    328 
    329   scoped_refptr<X509Certificate> server_cert =
    330       ImportCertFromFile(certs_dir, "salesforce_com_test.pem");
    331   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
    332 
    333   scoped_refptr<X509Certificate> intermediate_cert1 =
    334       ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem");
    335   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1);
    336 
    337   scoped_refptr<X509Certificate> intermediate_cert2 =
    338       ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem");
    339   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert2);
    340 
    341   X509Certificate::OSCertHandles intermediates;
    342   intermediates.push_back(intermediate_cert1->os_cert_handle());
    343   scoped_refptr<X509Certificate> cert_chain1 =
    344       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
    345                                         intermediates);
    346 
    347   intermediates.clear();
    348   intermediates.push_back(intermediate_cert2->os_cert_handle());
    349   scoped_refptr<X509Certificate> cert_chain2 =
    350       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
    351                                         intermediates);
    352 
    353   // No intermediate CA certicates.
    354   intermediates.clear();
    355   scoped_refptr<X509Certificate> cert_chain3 =
    356       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
    357                                         intermediates);
    358 
    359   static const uint8 cert_chain1_ca_fingerprint[20] = {
    360     0xc2, 0xf0, 0x08, 0x7d, 0x01, 0xe6, 0x86, 0x05, 0x3a, 0x4d,
    361     0x63, 0x3e, 0x7e, 0x70, 0xd4, 0xef, 0x65, 0xc2, 0xcc, 0x4f
    362   };
    363   static const uint8 cert_chain2_ca_fingerprint[20] = {
    364     0xd5, 0x59, 0xa5, 0x86, 0x66, 0x9b, 0x08, 0xf4, 0x6a, 0x30,
    365     0xa1, 0x33, 0xf8, 0xa9, 0xed, 0x3d, 0x03, 0x8e, 0x2e, 0xa8
    366   };
    367   // The SHA-1 hash of nothing.
    368   static const uint8 cert_chain3_ca_fingerprint[20] = {
    369     0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
    370     0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09
    371   };
    372   EXPECT_TRUE(memcmp(cert_chain1->ca_fingerprint().data,
    373                      cert_chain1_ca_fingerprint, 20) == 0);
    374   EXPECT_TRUE(memcmp(cert_chain2->ca_fingerprint().data,
    375                      cert_chain2_ca_fingerprint, 20) == 0);
    376   EXPECT_TRUE(memcmp(cert_chain3->ca_fingerprint().data,
    377                      cert_chain3_ca_fingerprint, 20) == 0);
    378 }
    379 
    380 TEST(X509CertificateTest, ParseSubjectAltNames) {
    381   base::FilePath certs_dir = GetTestCertsDirectory();
    382 
    383   scoped_refptr<X509Certificate> san_cert =
    384       ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem");
    385   ASSERT_NE(static_cast<X509Certificate*>(NULL), san_cert);
    386 
    387   std::vector<std::string> dns_names;
    388   std::vector<std::string> ip_addresses;
    389   san_cert->GetSubjectAltName(&dns_names, &ip_addresses);
    390 
    391   // Ensure that DNS names are correctly parsed.
    392   ASSERT_EQ(1U, dns_names.size());
    393   EXPECT_EQ("test.example", dns_names[0]);
    394 
    395   // Ensure that both IPv4 and IPv6 addresses are correctly parsed.
    396   ASSERT_EQ(2U, ip_addresses.size());
    397 
    398   static const uint8 kIPv4Address[] = {
    399       0x7F, 0x00, 0x00, 0x02
    400   };
    401   ASSERT_EQ(arraysize(kIPv4Address), ip_addresses[0].size());
    402   EXPECT_EQ(0, memcmp(ip_addresses[0].data(), kIPv4Address,
    403                       arraysize(kIPv4Address)));
    404 
    405   static const uint8 kIPv6Address[] = {
    406       0xFE, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    407       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
    408   };
    409   ASSERT_EQ(arraysize(kIPv6Address), ip_addresses[1].size());
    410   EXPECT_EQ(0, memcmp(ip_addresses[1].data(), kIPv6Address,
    411                       arraysize(kIPv6Address)));
    412 
    413   // Ensure the subjectAltName dirName has not influenced the handling of
    414   // the subject commonName.
    415   EXPECT_EQ("127.0.0.1", san_cert->subject().common_name);
    416 }
    417 
    418 TEST(X509CertificateTest, ExtractSPKIFromDERCert) {
    419   base::FilePath certs_dir = GetTestCertsDirectory();
    420   scoped_refptr<X509Certificate> cert =
    421       ImportCertFromFile(certs_dir, "nist.der");
    422   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
    423 
    424   std::string derBytes;
    425   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
    426                                              &derBytes));
    427 
    428   base::StringPiece spkiBytes;
    429   EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes));
    430 
    431   uint8 hash[base::kSHA1Length];
    432   base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
    433                       spkiBytes.size(), hash);
    434 
    435   EXPECT_EQ(0, memcmp(hash, kNistSPKIHash, sizeof(hash)));
    436 }
    437 
    438 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
    439   base::FilePath certs_dir = GetTestCertsDirectory();
    440   scoped_refptr<X509Certificate> cert =
    441       ImportCertFromFile(certs_dir, "nist.der");
    442   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
    443 
    444   std::string derBytes;
    445   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
    446                                              &derBytes));
    447 
    448   std::vector<base::StringPiece> crl_urls;
    449   EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls));
    450 
    451   EXPECT_EQ(1u, crl_urls.size());
    452   if (crl_urls.size() > 0) {
    453     EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl",
    454               crl_urls[0].as_string());
    455   }
    456 }
    457 
    458 // Tests X509CertificateCache via X509Certificate::CreateFromHandle.  We
    459 // call X509Certificate::CreateFromHandle several times and observe whether
    460 // it returns a cached or new OSCertHandle.
    461 TEST(X509CertificateTest, Cache) {
    462   X509Certificate::OSCertHandle google_cert_handle;
    463   X509Certificate::OSCertHandle thawte_cert_handle;
    464 
    465   // Add a single certificate to the certificate cache.
    466   google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
    467       reinterpret_cast<const char*>(google_der), sizeof(google_der));
    468   scoped_refptr<X509Certificate> cert1(X509Certificate::CreateFromHandle(
    469       google_cert_handle, X509Certificate::OSCertHandles()));
    470   X509Certificate::FreeOSCertHandle(google_cert_handle);
    471 
    472   // Add the same certificate, but as a new handle.
    473   google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
    474       reinterpret_cast<const char*>(google_der), sizeof(google_der));
    475   scoped_refptr<X509Certificate> cert2(X509Certificate::CreateFromHandle(
    476       google_cert_handle, X509Certificate::OSCertHandles()));
    477   X509Certificate::FreeOSCertHandle(google_cert_handle);
    478 
    479   // A new X509Certificate should be returned.
    480   EXPECT_NE(cert1.get(), cert2.get());
    481   // But both instances should share the underlying OS certificate handle.
    482   EXPECT_EQ(cert1->os_cert_handle(), cert2->os_cert_handle());
    483   EXPECT_EQ(0u, cert1->GetIntermediateCertificates().size());
    484   EXPECT_EQ(0u, cert2->GetIntermediateCertificates().size());
    485 
    486   // Add the same certificate, but this time with an intermediate. This
    487   // should result in the intermediate being cached. Note that this is not
    488   // a legitimate chain, but is suitable for testing.
    489   google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
    490       reinterpret_cast<const char*>(google_der), sizeof(google_der));
    491   thawte_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
    492       reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
    493   X509Certificate::OSCertHandles intermediates;
    494   intermediates.push_back(thawte_cert_handle);
    495   scoped_refptr<X509Certificate> cert3(X509Certificate::CreateFromHandle(
    496       google_cert_handle, intermediates));
    497   X509Certificate::FreeOSCertHandle(google_cert_handle);
    498   X509Certificate::FreeOSCertHandle(thawte_cert_handle);
    499 
    500   // Test that the new certificate, even with intermediates, results in the
    501   // same underlying handle being used.
    502   EXPECT_EQ(cert1->os_cert_handle(), cert3->os_cert_handle());
    503   // Though they use the same OS handle, the intermediates should be different.
    504   EXPECT_NE(cert1->GetIntermediateCertificates().size(),
    505       cert3->GetIntermediateCertificates().size());
    506 }
    507 
    508 TEST(X509CertificateTest, Pickle) {
    509   X509Certificate::OSCertHandle google_cert_handle =
    510       X509Certificate::CreateOSCertHandleFromBytes(
    511           reinterpret_cast<const char*>(google_der), sizeof(google_der));
    512   X509Certificate::OSCertHandle thawte_cert_handle =
    513       X509Certificate::CreateOSCertHandleFromBytes(
    514           reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
    515 
    516   X509Certificate::OSCertHandles intermediates;
    517   intermediates.push_back(thawte_cert_handle);
    518   scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
    519       google_cert_handle, intermediates);
    520   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert.get());
    521 
    522   X509Certificate::FreeOSCertHandle(google_cert_handle);
    523   X509Certificate::FreeOSCertHandle(thawte_cert_handle);
    524 
    525   Pickle pickle;
    526   cert->Persist(&pickle);
    527 
    528   PickleIterator iter(pickle);
    529   scoped_refptr<X509Certificate> cert_from_pickle =
    530       X509Certificate::CreateFromPickle(
    531           pickle, &iter, X509Certificate::PICKLETYPE_CERTIFICATE_CHAIN_V3);
    532   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert_from_pickle);
    533   EXPECT_TRUE(X509Certificate::IsSameOSCert(
    534       cert->os_cert_handle(), cert_from_pickle->os_cert_handle()));
    535   const X509Certificate::OSCertHandles& cert_intermediates =
    536       cert->GetIntermediateCertificates();
    537   const X509Certificate::OSCertHandles& pickle_intermediates =
    538       cert_from_pickle->GetIntermediateCertificates();
    539   ASSERT_EQ(cert_intermediates.size(), pickle_intermediates.size());
    540   for (size_t i = 0; i < cert_intermediates.size(); ++i) {
    541     EXPECT_TRUE(X509Certificate::IsSameOSCert(cert_intermediates[i],
    542                                               pickle_intermediates[i]));
    543   }
    544 }
    545 
    546 TEST(X509CertificateTest, Policy) {
    547   scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes(
    548       reinterpret_cast<const char*>(google_der), sizeof(google_der)));
    549 
    550   scoped_refptr<X509Certificate> webkit_cert(X509Certificate::CreateFromBytes(
    551       reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
    552 
    553   CertPolicy policy;
    554 
    555   // To begin with, everything should be unknown.
    556   EXPECT_EQ(CertPolicy::UNKNOWN,
    557             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    558   EXPECT_EQ(CertPolicy::UNKNOWN,
    559             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    560   EXPECT_FALSE(policy.HasAllowedCert());
    561   EXPECT_FALSE(policy.HasDeniedCert());
    562 
    563   // Test adding one certificate with one error.
    564   policy.Allow(google_cert.get(), CERT_STATUS_DATE_INVALID);
    565   EXPECT_EQ(CertPolicy::ALLOWED,
    566             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    567   EXPECT_EQ(CertPolicy::UNKNOWN,
    568             policy.Check(google_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    569   EXPECT_EQ(CertPolicy::UNKNOWN,
    570             policy.Check(google_cert.get(),
    571                 CERT_STATUS_DATE_INVALID | CERT_STATUS_COMMON_NAME_INVALID));
    572   EXPECT_EQ(CertPolicy::UNKNOWN,
    573             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    574   EXPECT_TRUE(policy.HasAllowedCert());
    575   EXPECT_FALSE(policy.HasDeniedCert());
    576 
    577   // Test saving the same certificate with a new error.
    578   policy.Allow(google_cert.get(), CERT_STATUS_AUTHORITY_INVALID);
    579   EXPECT_EQ(CertPolicy::UNKNOWN,
    580             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    581   EXPECT_EQ(CertPolicy::ALLOWED,
    582             policy.Check(google_cert.get(), CERT_STATUS_AUTHORITY_INVALID));
    583   EXPECT_EQ(CertPolicy::UNKNOWN,
    584             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    585   EXPECT_TRUE(policy.HasAllowedCert());
    586   EXPECT_FALSE(policy.HasDeniedCert());
    587 
    588   // Test adding one certificate with two errors.
    589   policy.Allow(google_cert.get(),
    590                CERT_STATUS_DATE_INVALID | CERT_STATUS_AUTHORITY_INVALID);
    591   EXPECT_EQ(CertPolicy::ALLOWED,
    592             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    593   EXPECT_EQ(CertPolicy::ALLOWED,
    594             policy.Check(google_cert.get(), CERT_STATUS_AUTHORITY_INVALID));
    595   EXPECT_EQ(CertPolicy::UNKNOWN,
    596             policy.Check(google_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    597   EXPECT_EQ(CertPolicy::UNKNOWN,
    598             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    599   EXPECT_TRUE(policy.HasAllowedCert());
    600   EXPECT_FALSE(policy.HasDeniedCert());
    601 
    602   // Test removing a certificate that was previously allowed.
    603   policy.Deny(google_cert.get(), CERT_STATUS_DATE_INVALID);
    604   EXPECT_EQ(CertPolicy::DENIED,
    605             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    606   EXPECT_EQ(CertPolicy::UNKNOWN,
    607             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    608   EXPECT_FALSE(policy.HasAllowedCert());
    609   EXPECT_TRUE(policy.HasDeniedCert());
    610 
    611   // Test removing a certificate that was previously unknown.
    612   policy.Deny(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID);
    613   EXPECT_EQ(CertPolicy::DENIED,
    614             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    615   EXPECT_EQ(CertPolicy::DENIED,
    616             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    617   EXPECT_FALSE(policy.HasAllowedCert());
    618   EXPECT_TRUE(policy.HasDeniedCert());
    619 
    620   // Test saving a certificate that was previously denied.
    621   policy.Allow(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID);
    622   EXPECT_EQ(CertPolicy::DENIED,
    623             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    624   EXPECT_EQ(CertPolicy::ALLOWED,
    625             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    626   EXPECT_TRUE(policy.HasAllowedCert());
    627   EXPECT_TRUE(policy.HasDeniedCert());
    628 
    629   // Test denying an overlapping certificate.
    630   policy.Allow(google_cert.get(),
    631                CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_DATE_INVALID);
    632   policy.Deny(google_cert.get(), CERT_STATUS_DATE_INVALID);
    633   EXPECT_EQ(CertPolicy::DENIED,
    634             policy.Check(google_cert.get(), CERT_STATUS_DATE_INVALID));
    635   EXPECT_EQ(CertPolicy::UNKNOWN,
    636             policy.Check(google_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    637   EXPECT_EQ(CertPolicy::DENIED,
    638             policy.Check(google_cert.get(),
    639                 CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_DATE_INVALID));
    640 
    641   // Test denying an overlapping certificate (other direction).
    642   policy.Allow(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID);
    643   policy.Deny(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID);
    644   policy.Deny(webkit_cert.get(), CERT_STATUS_DATE_INVALID);
    645   EXPECT_EQ(CertPolicy::DENIED,
    646             policy.Check(webkit_cert.get(), CERT_STATUS_COMMON_NAME_INVALID));
    647   EXPECT_EQ(CertPolicy::DENIED,
    648             policy.Check(webkit_cert.get(), CERT_STATUS_DATE_INVALID));
    649 }
    650 
    651 TEST(X509CertificateTest, IntermediateCertificates) {
    652   scoped_refptr<X509Certificate> webkit_cert(
    653       X509Certificate::CreateFromBytes(
    654           reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
    655 
    656   scoped_refptr<X509Certificate> thawte_cert(
    657       X509Certificate::CreateFromBytes(
    658           reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)));
    659 
    660   X509Certificate::OSCertHandle google_handle;
    661   // Create object with no intermediates:
    662   google_handle = X509Certificate::CreateOSCertHandleFromBytes(
    663       reinterpret_cast<const char*>(google_der), sizeof(google_der));
    664   X509Certificate::OSCertHandles intermediates1;
    665   scoped_refptr<X509Certificate> cert1;
    666   cert1 = X509Certificate::CreateFromHandle(google_handle, intermediates1);
    667   EXPECT_EQ(0u, cert1->GetIntermediateCertificates().size());
    668 
    669   // Create object with 2 intermediates:
    670   X509Certificate::OSCertHandles intermediates2;
    671   intermediates2.push_back(webkit_cert->os_cert_handle());
    672   intermediates2.push_back(thawte_cert->os_cert_handle());
    673   scoped_refptr<X509Certificate> cert2;
    674   cert2 = X509Certificate::CreateFromHandle(google_handle, intermediates2);
    675 
    676   // Verify it has all the intermediates:
    677   const X509Certificate::OSCertHandles& cert2_intermediates =
    678       cert2->GetIntermediateCertificates();
    679   ASSERT_EQ(2u, cert2_intermediates.size());
    680   EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[0],
    681                                             webkit_cert->os_cert_handle()));
    682   EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[1],
    683                                             thawte_cert->os_cert_handle()));
    684 
    685   // Cleanup
    686   X509Certificate::FreeOSCertHandle(google_handle);
    687 }
    688 
    689 TEST(X509CertificateTest, IsIssuedByEncoded) {
    690   base::FilePath certs_dir = GetTestCertsDirectory();
    691 
    692   // Test a client certificate from MIT.
    693   scoped_refptr<X509Certificate> mit_davidben_cert(
    694       ImportCertFromFile(certs_dir, "mit.davidben.der"));
    695   ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert);
    696 
    697   std::string mit_issuer(reinterpret_cast<const char*>(MITDN),
    698                          sizeof(MITDN));
    699 
    700   // Test a certificate from Google, issued by Thawte
    701   scoped_refptr<X509Certificate> google_cert(
    702       ImportCertFromFile(certs_dir, "google.single.der"));
    703   ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
    704 
    705   std::string thawte_issuer(reinterpret_cast<const char*>(ThawteDN),
    706                             sizeof(ThawteDN));
    707 
    708   // Check that the David Ben certificate is issued by MIT, but not
    709   // by Thawte.
    710   std::vector<std::string> issuers;
    711   issuers.clear();
    712   issuers.push_back(mit_issuer);
    713   EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers));
    714   EXPECT_FALSE(google_cert->IsIssuedByEncoded(issuers));
    715 
    716   // Check that the Google certificate is issued by Thawte and not
    717   // by MIT.
    718   issuers.clear();
    719   issuers.push_back(thawte_issuer);
    720   EXPECT_FALSE(mit_davidben_cert->IsIssuedByEncoded(issuers));
    721   EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers));
    722 
    723   // Check that they both pass when given a list of the two issuers.
    724   issuers.clear();
    725   issuers.push_back(mit_issuer);
    726   issuers.push_back(thawte_issuer);
    727   EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers));
    728   EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers));
    729 }
    730 
    731 TEST(X509CertificateTest, IsIssuedByEncodedWithIntermediates) {
    732   static const unsigned char kPolicyRootDN[] = {
    733     0x30, 0x1e, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
    734     0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74,
    735     0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41
    736   };
    737   static const unsigned char kPolicyIntermediateDN[] = {
    738     0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
    739     0x1b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74,
    740     0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74,
    741     0x65, 0x20, 0x43, 0x41
    742   };
    743 
    744   base::FilePath certs_dir = GetTestCertsDirectory();
    745 
    746   CertificateList policy_chain = CreateCertificateListFromFile(
    747       certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO);
    748   ASSERT_EQ(3u, policy_chain.size());
    749 
    750   // The intermediate CA certificate's policyConstraints extension has a
    751   // requireExplicitPolicy field with SkipCerts=0.
    752   std::string policy_intermediate_dn(
    753       reinterpret_cast<const char*>(kPolicyIntermediateDN),
    754       sizeof(kPolicyIntermediateDN));
    755   std::string policy_root_dn(reinterpret_cast<const char*>(kPolicyRootDN),
    756                              sizeof(kPolicyRootDN));
    757 
    758   X509Certificate::OSCertHandles intermediates;
    759   intermediates.push_back(policy_chain[1]->os_cert_handle());
    760   scoped_refptr<X509Certificate> cert_chain =
    761       X509Certificate::CreateFromHandle(policy_chain[0]->os_cert_handle(),
    762                                         intermediates);
    763 
    764   std::vector<std::string> issuers;
    765 
    766   // Check that the chain is issued by the intermediate.
    767   issuers.clear();
    768   issuers.push_back(policy_intermediate_dn);
    769   EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
    770 
    771   // Check that the chain is also issued by the root.
    772   issuers.clear();
    773   issuers.push_back(policy_root_dn);
    774   EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
    775 
    776   // Check that the chain is issued by either the intermediate or the root.
    777   issuers.clear();
    778   issuers.push_back(policy_intermediate_dn);
    779   issuers.push_back(policy_root_dn);
    780   EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
    781 
    782   // Check that an empty issuers list returns false.
    783   issuers.clear();
    784   EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers));
    785 
    786   // Check that the chain is not issued by Verisign
    787   std::string mit_issuer(reinterpret_cast<const char*>(VerisignDN),
    788                          sizeof(VerisignDN));
    789   issuers.clear();
    790   issuers.push_back(mit_issuer);
    791   EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers));
    792 }
    793 
    794 #if defined(USE_NSS)
    795 TEST(X509CertificateTest, GetDefaultNickname) {
    796   base::FilePath certs_dir = GetTestCertsDirectory();
    797 
    798   scoped_refptr<X509Certificate> test_cert(
    799       ImportCertFromFile(certs_dir, "no_subject_common_name_cert.pem"));
    800   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);
    801 
    802   std::string nickname = test_cert->GetDefaultNickname(USER_CERT);
    803   EXPECT_EQ("wtc (at) google.com's COMODO Client Authentication and "
    804             "Secure Email CA ID", nickname);
    805 }
    806 #endif
    807 
    808 const struct CertificateFormatTestData {
    809   const char* file_name;
    810   X509Certificate::Format format;
    811   uint8* chain_fingerprints[3];
    812 } kFormatTestData[] = {
    813   // DER Parsing - single certificate, DER encoded
    814   { "google.single.der", X509Certificate::FORMAT_SINGLE_CERTIFICATE,
    815     { google_parse_fingerprint,
    816       NULL, } },
    817   // DER parsing - single certificate, PEM encoded
    818   { "google.single.pem", X509Certificate::FORMAT_SINGLE_CERTIFICATE,
    819     { google_parse_fingerprint,
    820       NULL, } },
    821   // PEM parsing - single certificate, PEM encoded with a PEB of
    822   // "CERTIFICATE"
    823   { "google.single.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE,
    824     { google_parse_fingerprint,
    825       NULL, } },
    826   // PEM parsing - sequence of certificates, PEM encoded with a PEB of
    827   // "CERTIFICATE"
    828   { "google.chain.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE,
    829     { google_parse_fingerprint,
    830       thawte_parse_fingerprint,
    831       NULL, } },
    832   // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER
    833   // encoding
    834   { "google.binary.p7b", X509Certificate::FORMAT_PKCS7,
    835     { google_parse_fingerprint,
    836       thawte_parse_fingerprint,
    837       NULL, } },
    838   // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM
    839   // encoded with a PEM PEB of "CERTIFICATE"
    840   { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7,
    841     { google_parse_fingerprint,
    842       thawte_parse_fingerprint,
    843       NULL, } },
    844   // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM
    845   // encoded with a PEM PEB of "PKCS7"
    846   { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7,
    847     { google_parse_fingerprint,
    848       thawte_parse_fingerprint,
    849       NULL, } },
    850   // All of the above, this time using auto-detection
    851   { "google.single.der", X509Certificate::FORMAT_AUTO,
    852     { google_parse_fingerprint,
    853       NULL, } },
    854   { "google.single.pem", X509Certificate::FORMAT_AUTO,
    855     { google_parse_fingerprint,
    856       NULL, } },
    857   { "google.chain.pem", X509Certificate::FORMAT_AUTO,
    858     { google_parse_fingerprint,
    859       thawte_parse_fingerprint,
    860       NULL, } },
    861   { "google.binary.p7b", X509Certificate::FORMAT_AUTO,
    862     { google_parse_fingerprint,
    863       thawte_parse_fingerprint,
    864       NULL, } },
    865   { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO,
    866     { google_parse_fingerprint,
    867       thawte_parse_fingerprint,
    868       NULL, } },
    869   { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO,
    870     { google_parse_fingerprint,
    871       thawte_parse_fingerprint,
    872       NULL, } },
    873 };
    874 
    875 class X509CertificateParseTest
    876     : public testing::TestWithParam<CertificateFormatTestData> {
    877  public:
    878   virtual ~X509CertificateParseTest() {}
    879   virtual void SetUp() {
    880     test_data_ = GetParam();
    881   }
    882   virtual void TearDown() {}
    883 
    884  protected:
    885   CertificateFormatTestData test_data_;
    886 };
    887 
    888 TEST_P(X509CertificateParseTest, CanParseFormat) {
    889   base::FilePath certs_dir = GetTestCertsDirectory();
    890   CertificateList certs = CreateCertificateListFromFile(
    891       certs_dir, test_data_.file_name, test_data_.format);
    892   ASSERT_FALSE(certs.empty());
    893   ASSERT_LE(certs.size(), arraysize(test_data_.chain_fingerprints));
    894   CheckGoogleCert(certs.front(), google_parse_fingerprint,
    895                   kGoogleParseValidFrom, kGoogleParseValidTo);
    896 
    897   size_t i;
    898   for (i = 0; i < arraysize(test_data_.chain_fingerprints); ++i) {
    899     if (test_data_.chain_fingerprints[i] == NULL) {
    900       // No more test certificates expected - make sure no more were
    901       // returned before marking this test a success.
    902       EXPECT_EQ(i, certs.size());
    903       break;
    904     }
    905 
    906     // A cert is expected - make sure that one was parsed.
    907     ASSERT_LT(i, certs.size());
    908 
    909     // Compare the parsed certificate with the expected certificate, by
    910     // comparing fingerprints.
    911     const X509Certificate* cert = certs[i].get();
    912     const SHA1HashValue& actual_fingerprint = cert->fingerprint();
    913     uint8* expected_fingerprint = test_data_.chain_fingerprints[i];
    914 
    915     for (size_t j = 0; j < 20; ++j)
    916       EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]);
    917   }
    918 }
    919 
    920 INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest,
    921                         testing::ValuesIn(kFormatTestData));
    922 
    923 struct CertificateNameVerifyTestData {
    924   // true iff we expect hostname to match an entry in cert_names.
    925   bool expected;
    926   // The hostname to match.
    927   const char* hostname;
    928   // Common name, may be used if |dns_names| or |ip_addrs| are empty.
    929   const char* common_name;
    930   // Comma separated list of certificate names to match against. Any occurrence
    931   // of '#' will be replaced with a null character before processing.
    932   const char* dns_names;
    933   // Comma separated list of certificate IP Addresses to match against. Each
    934   // address is x prefixed 16 byte hex code for v6 or dotted-decimals for v4.
    935   const char* ip_addrs;
    936 };
    937 
    938 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
    939 // to output the parameter that was passed. Without this, it will simply
    940 // attempt to print out the first twenty bytes of the object, which depending
    941 // on platform and alignment, may result in an invalid read.
    942 void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) {
    943   ASSERT_TRUE(data.hostname && data.common_name);
    944   // Using StringPiece to allow for optional fields being NULL.
    945   *os << " expected: " << data.expected
    946       << "; hostname: " << data.hostname
    947       << "; common_name: " << data.common_name
    948       << "; dns_names: " << base::StringPiece(data.dns_names)
    949       << "; ip_addrs: " << base::StringPiece(data.ip_addrs);
    950 }
    951 
    952 const CertificateNameVerifyTestData kNameVerifyTestData[] = {
    953     { true, "foo.com", "foo.com" },
    954     { true, "f", "f" },
    955     { false, "h", "i" },
    956     { true, "bar.foo.com", "*.foo.com" },
    957     { true, "www.test.fr", "common.name",
    958         "*.test.com,*.test.co.uk,*.test.de,*.test.fr" },
    959     { true, "wwW.tESt.fr",  "common.name",
    960         ",*.*,*.test.de,*.test.FR,www" },
    961     { false, "f.uk", ".uk" },
    962     { false, "w.bar.foo.com", "?.bar.foo.com" },
    963     { false, "www.foo.com", "(www|ftp).foo.com" },
    964     { false, "www.foo.com", "www.foo.com#" },  // # = null char.
    965     { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" },
    966     { false, "www.house.example", "ww.house.example" },
    967     { false, "test.org", "", "www.test.org,*.test.org,*.org" },
    968     { false, "w.bar.foo.com", "w*.bar.foo.com" },
    969     { false, "www.bar.foo.com", "ww*ww.bar.foo.com" },
    970     { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" },
    971     { true, "wwww.bar.foo.com", "w*w.bar.foo.com" },
    972     { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" },
    973     { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" },
    974     { true, "wally.bar.foo.com", "*Ly.bar.foo.com" },
    975     { true, "ww%57.foo.com", "", "www.foo.com" },
    976     { true, "www&.foo.com", "www%26.foo.com" },
    977     // Common name must not be used if subject alternative name was provided.
    978     { false, "www.test.co.jp",  "www.test.co.jp",
    979         "*.test.de,*.jp,www.test.co.uk,www.*.co.jp" },
    980     { false, "www.bar.foo.com", "www.bar.foo.com",
    981       "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," },
    982     { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" },
    983     { false, "66.77.88.99", "www.bath.org", "www.bath.org" },
    984     // IDN tests
    985     { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" },
    986     { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
    987     { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br,"
    988                                             "xn--poema-*.com.br,"
    989                                             "xn--*-9qae5a.com.br,"
    990                                             "*--poema-9qae5a.com.br" },
    991     // The following are adapted from the  examples quoted from
    992     // http://tools.ietf.org/html/rfc6125#section-6.4.3
    993     //  (e.g., *.example.com would match foo.example.com but
    994     //   not bar.foo.example.com or example.com).
    995     { true, "foo.example.com", "*.example.com" },
    996     { false, "bar.foo.example.com", "*.example.com" },
    997     { false, "example.com", "*.example.com" },
    998     //   (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
    999     //   be taken to match baz1.example.net and foobaz.example.net and
   1000     //   buzz.example.net, respectively
   1001     { true, "baz1.example.net", "baz*.example.net" },
   1002     { true, "foobaz.example.net", "*baz.example.net" },
   1003     { true, "buzz.example.net", "b*z.example.net" },
   1004     // Wildcards should not be valid for public registry controlled domains,
   1005     // and unknown/unrecognized domains, at least three domain components must
   1006     // be present.
   1007     { true, "www.test.example", "*.test.example" },
   1008     { true, "test.example.co.uk", "*.example.co.uk" },
   1009     { false, "test.example", "*.exmaple" },
   1010     { false, "example.co.uk", "*.co.uk" },
   1011     { false, "foo.com", "*.com" },
   1012     { false, "foo.us", "*.us" },
   1013     { false, "foo", "*" },
   1014     // IDN variants of wildcards and registry controlled domains.
   1015     { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
   1016     { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
   1017     { false, "xn--poema-9qae5a.com.br", "*.com.br" },
   1018     { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
   1019     // Wildcards should be permissible for 'private' registry controlled
   1020     // domains.
   1021     { true, "www.appspot.com", "*.appspot.com" },
   1022     { true, "foo.s3.amazonaws.com", "*.s3.amazonaws.com" },
   1023     // Multiple wildcards are not valid.
   1024     { false, "foo.example.com", "*.*.com" },
   1025     { false, "foo.bar.example.com", "*.bar.*.com" },
   1026     // Absolute vs relative DNS name tests. Although not explicitly specified
   1027     // in RFC 6125, absolute reference names (those ending in a .) should
   1028     // match either absolute or relative presented names.
   1029     { true, "foo.com", "foo.com." },
   1030     { true, "foo.com.", "foo.com" },
   1031     { true, "foo.com.", "foo.com." },
   1032     { true, "f", "f." },
   1033     { true, "f.", "f" },
   1034     { true, "f.", "f." },
   1035     { true, "www-3.bar.foo.com", "*.bar.foo.com." },
   1036     { true, "www-3.bar.foo.com.", "*.bar.foo.com" },
   1037     { true, "www-3.bar.foo.com.", "*.bar.foo.com." },
   1038     { false, ".", "." },
   1039     { false, "example.com", "*.com." },
   1040     { false, "example.com.", "*.com" },
   1041     { false, "example.com.", "*.com." },
   1042     { false, "foo.", "*." },
   1043     { false, "foo", "*." },
   1044     { false, "foo.co.uk", "*.co.uk." },
   1045     { false, "foo.co.uk.", "*.co.uk." },
   1046     // IP addresses in common name; IPv4 only.
   1047     { true, "127.0.0.1", "127.0.0.1" },
   1048     { true, "192.168.1.1", "192.168.1.1" },
   1049     { true,  "676768", "0.10.83.160" },
   1050     { true,  "1.2.3", "1.2.0.3" },
   1051     { false, "192.169.1.1", "192.168.1.1" },
   1052     { false, "12.19.1.1", "12.19.1.1/255.255.255.0" },
   1053     { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210",
   1054       "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" },
   1055     { false, "1111:2222:3333:4444:5555:6666:7777:8888",
   1056       "1111:2222:3333:4444:5555:6666:7777:8888" },
   1057     { false, "::192.9.5.5", "[::192.9.5.5]" },
   1058     // No wildcard matching in valid IP addresses
   1059     { false, "::192.9.5.5", "*.9.5.5" },
   1060     { false, "2010:836B:4179::836B:4179", "*:836B:4179::836B:4179" },
   1061     { false, "192.168.1.11", "*.168.1.11" },
   1062     { false, "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210", "*.]" },
   1063     // IP addresses in subject alternative name (common name ignored)
   1064     { true, "10.1.2.3", "", "", "10.1.2.3" },
   1065     { true,  "14.15", "", "", "14.0.0.15" },
   1066     { false, "10.1.2.7", "10.1.2.7", "", "10.1.2.6,10.1.2.8" },
   1067     { false, "10.1.2.8", "10.20.2.8", "foo" },
   1068     { true, "::4.5.6.7", "", "", "x00000000000000000000000004050607" },
   1069     { false, "::6.7.8.9", "::6.7.8.9", "::6.7.8.9",
   1070         "x00000000000000000000000006070808,x0000000000000000000000000607080a,"
   1071         "xff000000000000000000000006070809,6.7.8.9" },
   1072     { true, "FE80::200:f8ff:fe21:67cf", "no.common.name", "",
   1073         "x00000000000000000000000006070808,xfe800000000000000200f8fffe2167cf,"
   1074         "xff0000000000000000000000060708ff,10.0.0.1" },
   1075     // Numeric only hostnames (none of these are considered valid IP addresses).
   1076     { false,  "12345.6", "12345.6" },
   1077     { false, "121.2.3.512", "", "1*1.2.3.512,*1.2.3.512,1*.2.3.512,*.2.3.512",
   1078         "121.2.3.0"},
   1079     { false, "1.2.3.4.5.6", "*.2.3.4.5.6" },
   1080     { true, "1.2.3.4.5", "", "1.2.3.4.5" },
   1081     // Invalid host names.
   1082     { false, "junk)()$*!@~#", "junk)()$*!@~#" },
   1083     { false, "www.*.com", "www.*.com" },
   1084     { false, "w$w.f.com", "w$w.f.com" },
   1085     { false, "nocolonallowed:example", "", "nocolonallowed:example" },
   1086     { false, "www-1.[::FFFF:129.144.52.38]", "*.[::FFFF:129.144.52.38]" },
   1087     { false, "[::4.5.6.9]", "", "", "x00000000000000000000000004050609" },
   1088 };
   1089 
   1090 class X509CertificateNameVerifyTest
   1091     : public testing::TestWithParam<CertificateNameVerifyTestData> {
   1092 };
   1093 
   1094 TEST_P(X509CertificateNameVerifyTest, VerifyHostname) {
   1095   CertificateNameVerifyTestData test_data = GetParam();
   1096 
   1097   std::string common_name(test_data.common_name);
   1098   ASSERT_EQ(std::string::npos, common_name.find(','));
   1099   std::replace(common_name.begin(), common_name.end(), '#', '\0');
   1100 
   1101   std::vector<std::string> dns_names, ip_addressses;
   1102   if (test_data.dns_names) {
   1103     // Build up the certificate DNS names list.
   1104     std::string dns_name_line(test_data.dns_names);
   1105     std::replace(dns_name_line.begin(), dns_name_line.end(), '#', '\0');
   1106     base::SplitString(dns_name_line, ',', &dns_names);
   1107   }
   1108 
   1109   if (test_data.ip_addrs) {
   1110     // Build up the certificate IP address list.
   1111     std::string ip_addrs_line(test_data.ip_addrs);
   1112     std::vector<std::string> ip_addressses_ascii;
   1113     base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii);
   1114     for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) {
   1115       std::string& addr_ascii = ip_addressses_ascii[i];
   1116       ASSERT_NE(0U, addr_ascii.length());
   1117       if (addr_ascii[0] == 'x') {  // Hex encoded address
   1118         addr_ascii.erase(0, 1);
   1119         std::vector<uint8> bytes;
   1120         EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes))
   1121             << "Could not parse hex address " << addr_ascii << " i = " << i;
   1122         ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]),
   1123                                             bytes.size()));
   1124         ASSERT_EQ(16U, ip_addressses.back().size()) << i;
   1125       } else {  // Decimal groups
   1126         std::vector<std::string> decimals_ascii;
   1127         base::SplitString(addr_ascii, '.', &decimals_ascii);
   1128         EXPECT_EQ(4U, decimals_ascii.size()) << i;
   1129         std::string addr_bytes;
   1130         for (size_t j = 0; j < decimals_ascii.size(); ++j) {
   1131           int decimal_value;
   1132           EXPECT_TRUE(base::StringToInt(decimals_ascii[j], &decimal_value));
   1133           EXPECT_GE(decimal_value, 0);
   1134           EXPECT_LE(decimal_value, 255);
   1135           addr_bytes.push_back(static_cast<char>(decimal_value));
   1136         }
   1137         ip_addressses.push_back(addr_bytes);
   1138         ASSERT_EQ(4U, ip_addressses.back().size()) << i;
   1139       }
   1140     }
   1141   }
   1142 
   1143   bool unused = false;
   1144   EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(
   1145       test_data.hostname, common_name, dns_names, ip_addressses, &unused));
   1146 }
   1147 
   1148 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
   1149                         testing::ValuesIn(kNameVerifyTestData));
   1150 
   1151 const struct PublicKeyInfoTestData {
   1152   const char* cert_file;
   1153   size_t expected_bits;
   1154   X509Certificate::PublicKeyType expected_type;
   1155 } kPublicKeyInfoTestData[] = {
   1156   { "768-rsa-ee-by-768-rsa-intermediate.pem", 768,
   1157     X509Certificate::kPublicKeyTypeRSA },
   1158   { "1024-rsa-ee-by-768-rsa-intermediate.pem", 1024,
   1159     X509Certificate::kPublicKeyTypeRSA },
   1160   { "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem", 256,
   1161     X509Certificate::kPublicKeyTypeECDSA },
   1162 };
   1163 
   1164 class X509CertificatePublicKeyInfoTest
   1165     : public testing::TestWithParam<PublicKeyInfoTestData> {
   1166 };
   1167 
   1168 TEST_P(X509CertificatePublicKeyInfoTest, GetPublicKeyInfo) {
   1169   PublicKeyInfoTestData data = GetParam();
   1170 
   1171 #if defined(OS_WIN)
   1172   if (base::win::GetVersion() < base::win::VERSION_VISTA &&
   1173       data.expected_type == X509Certificate::kPublicKeyTypeECDSA) {
   1174     // ECC is only supported on Vista+. Skip the test.
   1175     return;
   1176   }
   1177 #endif
   1178 
   1179   scoped_refptr<X509Certificate> cert(
   1180       ImportCertFromFile(GetTestCertsDirectory(), data.cert_file));
   1181   ASSERT_TRUE(cert.get());
   1182 
   1183   size_t actual_bits = 0;
   1184   X509Certificate::PublicKeyType actual_type =
   1185       X509Certificate::kPublicKeyTypeUnknown;
   1186 
   1187   X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(), &actual_bits,
   1188                                     &actual_type);
   1189 
   1190   EXPECT_EQ(data.expected_bits, actual_bits);
   1191   EXPECT_EQ(data.expected_type, actual_type);
   1192 }
   1193 
   1194 INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest,
   1195                         testing::ValuesIn(kPublicKeyInfoTestData));
   1196 
   1197 }  // namespace net
   1198