1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/cert/cert_verify_proc.h" 6 7 #include <vector> 8 9 #include "base/callback_helpers.h" 10 #include "base/files/file_path.h" 11 #include "base/logging.h" 12 #include "base/sha1.h" 13 #include "base/strings/string_number_conversions.h" 14 #include "crypto/sha2.h" 15 #include "net/base/net_errors.h" 16 #include "net/base/test_data_directory.h" 17 #include "net/cert/asn1_util.h" 18 #include "net/cert/cert_status_flags.h" 19 #include "net/cert/cert_verifier.h" 20 #include "net/cert/cert_verify_result.h" 21 #include "net/cert/crl_set.h" 22 #include "net/cert/test_root_certs.h" 23 #include "net/cert/x509_certificate.h" 24 #include "net/test/cert_test_util.h" 25 #include "net/test/test_certificate_data.h" 26 #include "testing/gtest/include/gtest/gtest.h" 27 28 #if defined(OS_WIN) 29 #include "base/win/windows_version.h" 30 #elif defined(OS_MACOSX) && !defined(OS_IOS) 31 #include "base/mac/mac_util.h" 32 #endif 33 34 using base::HexEncode; 35 36 namespace net { 37 38 namespace { 39 40 // A certificate for www.paypal.com with a NULL byte in the common name. 41 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363 42 unsigned char paypal_null_fingerprint[] = { 43 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba, 44 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7 45 }; 46 47 // Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root| 48 // for all certificates that are Verified. 49 class WellKnownCaCertVerifyProc : public CertVerifyProc { 50 public: 51 // Initialize a CertVerifyProc that will set 52 // |verify_result->is_issued_by_known_root| to |is_well_known|. 53 explicit WellKnownCaCertVerifyProc(bool is_well_known) 54 : is_well_known_(is_well_known) {} 55 56 // CertVerifyProc implementation: 57 virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; } 58 59 protected: 60 virtual ~WellKnownCaCertVerifyProc() {} 61 62 private: 63 virtual int VerifyInternal(X509Certificate* cert, 64 const std::string& hostname, 65 int flags, 66 CRLSet* crl_set, 67 const CertificateList& additional_trust_anchors, 68 CertVerifyResult* verify_result) OVERRIDE; 69 70 const bool is_well_known_; 71 72 DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc); 73 }; 74 75 int WellKnownCaCertVerifyProc::VerifyInternal( 76 X509Certificate* cert, 77 const std::string& hostname, 78 int flags, 79 CRLSet* crl_set, 80 const CertificateList& additional_trust_anchors, 81 CertVerifyResult* verify_result) { 82 verify_result->is_issued_by_known_root = is_well_known_; 83 return OK; 84 } 85 86 } // namespace 87 88 class CertVerifyProcTest : public testing::Test { 89 public: 90 CertVerifyProcTest() 91 : verify_proc_(CertVerifyProc::CreateDefault()) { 92 } 93 virtual ~CertVerifyProcTest() {} 94 95 protected: 96 bool SupportsAdditionalTrustAnchors() { 97 return verify_proc_->SupportsAdditionalTrustAnchors(); 98 } 99 100 int Verify(X509Certificate* cert, 101 const std::string& hostname, 102 int flags, 103 CRLSet* crl_set, 104 const CertificateList& additional_trust_anchors, 105 CertVerifyResult* verify_result) { 106 return verify_proc_->Verify(cert, hostname, flags, crl_set, 107 additional_trust_anchors, verify_result); 108 } 109 110 const CertificateList empty_cert_list_; 111 scoped_refptr<CertVerifyProc> verify_proc_; 112 }; 113 114 TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) { 115 // Check that verification without revocation checking works. 116 CertificateList certs = CreateCertificateListFromFile( 117 GetTestCertsDirectory(), 118 "googlenew.chain.pem", 119 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); 120 121 X509Certificate::OSCertHandles intermediates; 122 intermediates.push_back(certs[1]->os_cert_handle()); 123 124 scoped_refptr<X509Certificate> google_full_chain = 125 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 126 intermediates); 127 128 CertVerifyResult verify_result; 129 EXPECT_EQ(OK, 130 Verify(google_full_chain.get(), 131 "www.google.com", 132 0 /* flags */, 133 NULL, 134 empty_cert_list_, 135 &verify_result)); 136 } 137 138 #if defined(OS_ANDROID) || defined(USE_OPENSSL) 139 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. 140 #define MAYBE_EVVerification DISABLED_EVVerification 141 #else 142 #define MAYBE_EVVerification EVVerification 143 #endif 144 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) { 145 CertificateList certs = CreateCertificateListFromFile( 146 GetTestCertsDirectory(), 147 "comodo.chain.pem", 148 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); 149 ASSERT_EQ(3U, certs.size()); 150 151 X509Certificate::OSCertHandles intermediates; 152 intermediates.push_back(certs[1]->os_cert_handle()); 153 intermediates.push_back(certs[2]->os_cert_handle()); 154 155 scoped_refptr<X509Certificate> comodo_chain = 156 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 157 intermediates); 158 159 scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, "")); 160 CertVerifyResult verify_result; 161 int flags = CertVerifier::VERIFY_EV_CERT; 162 int error = Verify(comodo_chain.get(), 163 "comodo.com", 164 flags, 165 crl_set.get(), 166 empty_cert_list_, 167 &verify_result); 168 EXPECT_EQ(OK, error); 169 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); 170 } 171 172 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { 173 scoped_refptr<X509Certificate> paypal_null_cert( 174 X509Certificate::CreateFromBytes( 175 reinterpret_cast<const char*>(paypal_null_der), 176 sizeof(paypal_null_der))); 177 178 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert); 179 180 const SHA1HashValue& fingerprint = 181 paypal_null_cert->fingerprint(); 182 for (size_t i = 0; i < 20; ++i) 183 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]); 184 185 int flags = 0; 186 CertVerifyResult verify_result; 187 int error = Verify(paypal_null_cert.get(), 188 "www.paypal.com", 189 flags, 190 NULL, 191 empty_cert_list_, 192 &verify_result); 193 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID) 194 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); 195 #else 196 // TOOD(bulach): investigate why macosx and win aren't returning 197 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID. 198 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 199 #endif 200 // Either the system crypto library should correctly report a certificate 201 // name mismatch, or our certificate blacklist should cause us to report an 202 // invalid certificate. 203 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS) 204 EXPECT_TRUE(verify_result.cert_status & 205 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); 206 #endif 207 } 208 209 // A regression test for http://crbug.com/31497. 210 #if defined(OS_ANDROID) 211 // Disabled on Android, as the Android verification libraries require an 212 // explicit policy to be specified, even when anyPolicy is permitted. 213 #define MAYBE_IntermediateCARequireExplicitPolicy \ 214 DISABLED_IntermediateCARequireExplicitPolicy 215 #else 216 #define MAYBE_IntermediateCARequireExplicitPolicy \ 217 IntermediateCARequireExplicitPolicy 218 #endif 219 TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) { 220 base::FilePath certs_dir = GetTestCertsDirectory(); 221 222 CertificateList certs = CreateCertificateListFromFile( 223 certs_dir, "explicit-policy-chain.pem", 224 X509Certificate::FORMAT_AUTO); 225 ASSERT_EQ(3U, certs.size()); 226 227 X509Certificate::OSCertHandles intermediates; 228 intermediates.push_back(certs[1]->os_cert_handle()); 229 230 scoped_refptr<X509Certificate> cert = 231 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 232 intermediates); 233 ASSERT_TRUE(cert.get()); 234 235 ScopedTestRoot scoped_root(certs[2].get()); 236 237 int flags = 0; 238 CertVerifyResult verify_result; 239 int error = Verify(cert.get(), 240 "policy_test.example", 241 flags, 242 NULL, 243 empty_cert_list_, 244 &verify_result); 245 EXPECT_EQ(OK, error); 246 EXPECT_EQ(0u, verify_result.cert_status); 247 } 248 249 // Test for bug 58437. 250 // This certificate will expire on 2011-12-21. The test will still 251 // pass if error == ERR_CERT_DATE_INVALID. 252 // This test is DISABLED because it appears that we cannot do 253 // certificate revocation checking when running all of the net unit tests. 254 // This test passes when run individually, but when run with all of the net 255 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is 256 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation 257 // status, i.e. that the revocation check is failing for some reason. 258 TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) { 259 base::FilePath certs_dir = GetTestCertsDirectory(); 260 261 scoped_refptr<X509Certificate> server_cert = 262 ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem"); 263 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); 264 265 scoped_refptr<X509Certificate> intermediate_cert = 266 ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem"); 267 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); 268 269 X509Certificate::OSCertHandles intermediates; 270 intermediates.push_back(intermediate_cert->os_cert_handle()); 271 scoped_refptr<X509Certificate> cert_chain = 272 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 273 intermediates); 274 275 CertVerifyResult verify_result; 276 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED | 277 CertVerifier::VERIFY_EV_CERT; 278 int error = Verify(cert_chain.get(), 279 "2029.globalsign.com", 280 flags, 281 NULL, 282 empty_cert_list_, 283 &verify_result); 284 if (error == OK) 285 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); 286 else 287 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); 288 } 289 290 // Test that verifying an ECDSA certificate doesn't crash on XP. (See 291 // crbug.com/144466). 292 TEST_F(CertVerifyProcTest, ECDSA_RSA) { 293 base::FilePath certs_dir = GetTestCertsDirectory(); 294 295 scoped_refptr<X509Certificate> cert = 296 ImportCertFromFile(certs_dir, 297 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem"); 298 299 CertVerifyResult verify_result; 300 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result); 301 302 // We don't check verify_result because the certificate is signed by an 303 // unknown CA and will be considered invalid on XP because of the ECDSA 304 // public key. 305 } 306 307 // Currently, only RSA and DSA keys are checked for weakness, and our example 308 // weak size is 768. These could change in the future. 309 // 310 // Note that this means there may be false negatives: keys for other 311 // algorithms and which are weak will pass this test. 312 static bool IsWeakKeyType(const std::string& key_type) { 313 size_t pos = key_type.find("-"); 314 std::string size = key_type.substr(0, pos); 315 std::string type = key_type.substr(pos + 1); 316 317 if (type == "rsa" || type == "dsa") 318 return size == "768"; 319 320 return false; 321 } 322 323 TEST_F(CertVerifyProcTest, RejectWeakKeys) { 324 base::FilePath certs_dir = GetTestCertsDirectory(); 325 typedef std::vector<std::string> Strings; 326 Strings key_types; 327 328 // generate-weak-test-chains.sh currently has: 329 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa" 330 // We must use the same key types here. The filenames generated look like: 331 // 2048-rsa-ee-by-768-rsa-intermediate.pem 332 key_types.push_back("768-rsa"); 333 key_types.push_back("1024-rsa"); 334 key_types.push_back("2048-rsa"); 335 336 bool use_ecdsa = true; 337 #if defined(OS_WIN) 338 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP; 339 #endif 340 341 if (use_ecdsa) 342 key_types.push_back("prime256v1-ecdsa"); 343 344 // Add the root that signed the intermediates for this test. 345 scoped_refptr<X509Certificate> root_cert = 346 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); 347 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); 348 ScopedTestRoot scoped_root(root_cert.get()); 349 350 // Now test each chain. 351 for (Strings::const_iterator ee_type = key_types.begin(); 352 ee_type != key_types.end(); ++ee_type) { 353 for (Strings::const_iterator signer_type = key_types.begin(); 354 signer_type != key_types.end(); ++signer_type) { 355 std::string basename = *ee_type + "-ee-by-" + *signer_type + 356 "-intermediate.pem"; 357 SCOPED_TRACE(basename); 358 scoped_refptr<X509Certificate> ee_cert = 359 ImportCertFromFile(certs_dir, basename); 360 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); 361 362 basename = *signer_type + "-intermediate.pem"; 363 scoped_refptr<X509Certificate> intermediate = 364 ImportCertFromFile(certs_dir, basename); 365 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); 366 367 X509Certificate::OSCertHandles intermediates; 368 intermediates.push_back(intermediate->os_cert_handle()); 369 scoped_refptr<X509Certificate> cert_chain = 370 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), 371 intermediates); 372 373 CertVerifyResult verify_result; 374 int error = Verify(cert_chain.get(), 375 "127.0.0.1", 376 0, 377 NULL, 378 empty_cert_list_, 379 &verify_result); 380 381 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { 382 EXPECT_NE(OK, error); 383 EXPECT_EQ(CERT_STATUS_WEAK_KEY, 384 verify_result.cert_status & CERT_STATUS_WEAK_KEY); 385 EXPECT_NE(CERT_STATUS_INVALID, 386 verify_result.cert_status & CERT_STATUS_INVALID); 387 } else { 388 EXPECT_EQ(OK, error); 389 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); 390 } 391 } 392 } 393 } 394 395 // Regression test for http://crbug.com/108514. 396 #if defined(OS_MACOSX) && !defined(OS_IOS) 397 // Disabled on OS X - Security.framework doesn't ignore superflous certificates 398 // provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further 399 // details. 400 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert 401 #elif defined(USE_OPENSSL) || defined(OS_ANDROID) 402 // Disabled for OpenSSL / Android - Android and OpenSSL do not attempt to find 403 // a minimal certificate chain, thus prefer the MD5 root over the SHA-1 root. 404 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert 405 #else 406 #define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert 407 #endif 408 TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) { 409 base::FilePath certs_dir = GetTestCertsDirectory(); 410 411 scoped_refptr<X509Certificate> server_cert = 412 ImportCertFromFile(certs_dir, "cross-signed-leaf.pem"); 413 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); 414 415 scoped_refptr<X509Certificate> extra_cert = 416 ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem"); 417 ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get()); 418 419 scoped_refptr<X509Certificate> root_cert = 420 ImportCertFromFile(certs_dir, "cross-signed-root-sha1.pem"); 421 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); 422 423 ScopedTestRoot scoped_root(root_cert.get()); 424 425 X509Certificate::OSCertHandles intermediates; 426 intermediates.push_back(extra_cert->os_cert_handle()); 427 scoped_refptr<X509Certificate> cert_chain = 428 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 429 intermediates); 430 431 CertVerifyResult verify_result; 432 int flags = 0; 433 int error = Verify(cert_chain.get(), 434 "127.0.0.1", 435 flags, 436 NULL, 437 empty_cert_list_, 438 &verify_result); 439 EXPECT_EQ(OK, error); 440 441 // The extra MD5 root should be discarded 442 ASSERT_TRUE(verify_result.verified_cert.get()); 443 ASSERT_EQ(1u, 444 verify_result.verified_cert->GetIntermediateCertificates().size()); 445 EXPECT_TRUE(X509Certificate::IsSameOSCert( 446 verify_result.verified_cert->GetIntermediateCertificates().front(), 447 root_cert->os_cert_handle())); 448 449 EXPECT_FALSE(verify_result.has_md5); 450 } 451 452 // Test for bug 94673. 453 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) { 454 base::FilePath certs_dir = GetTestCertsDirectory(); 455 456 scoped_refptr<X509Certificate> server_cert = 457 ImportCertFromFile(certs_dir, "google_diginotar.pem"); 458 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); 459 460 scoped_refptr<X509Certificate> intermediate_cert = 461 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); 462 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); 463 464 X509Certificate::OSCertHandles intermediates; 465 intermediates.push_back(intermediate_cert->os_cert_handle()); 466 scoped_refptr<X509Certificate> cert_chain = 467 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), 468 intermediates); 469 470 CertVerifyResult verify_result; 471 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED; 472 int error = Verify(cert_chain.get(), 473 "mail.google.com", 474 flags, 475 NULL, 476 empty_cert_list_, 477 &verify_result); 478 EXPECT_NE(OK, error); 479 480 // Now turn off revocation checking. Certificate verification should still 481 // fail. 482 flags = 0; 483 error = Verify(cert_chain.get(), 484 "mail.google.com", 485 flags, 486 NULL, 487 empty_cert_list_, 488 &verify_result); 489 EXPECT_NE(OK, error); 490 } 491 492 TEST_F(CertVerifyProcTest, DigiNotarCerts) { 493 static const char* const kDigiNotarFilenames[] = { 494 "diginotar_root_ca.pem", 495 "diginotar_cyber_ca.pem", 496 "diginotar_services_1024_ca.pem", 497 "diginotar_pkioverheid.pem", 498 "diginotar_pkioverheid_g2.pem", 499 NULL, 500 }; 501 502 base::FilePath certs_dir = GetTestCertsDirectory(); 503 504 for (size_t i = 0; kDigiNotarFilenames[i]; i++) { 505 scoped_refptr<X509Certificate> diginotar_cert = 506 ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]); 507 std::string der_bytes; 508 ASSERT_TRUE(X509Certificate::GetDEREncoded( 509 diginotar_cert->os_cert_handle(), &der_bytes)); 510 511 base::StringPiece spki; 512 ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki)); 513 514 std::string spki_sha1 = base::SHA1HashString(spki.as_string()); 515 516 HashValueVector public_keys; 517 HashValue hash(HASH_VALUE_SHA1); 518 ASSERT_EQ(hash.size(), spki_sha1.size()); 519 memcpy(hash.data(), spki_sha1.data(), spki_sha1.size()); 520 public_keys.push_back(hash); 521 522 EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) << 523 "Public key not blocked for " << kDigiNotarFilenames[i]; 524 } 525 } 526 527 TEST_F(CertVerifyProcTest, NameConstraintsOk) { 528 CertificateList ca_cert_list = 529 CreateCertificateListFromFile(GetTestCertsDirectory(), 530 "root_ca_cert.pem", 531 X509Certificate::FORMAT_AUTO); 532 ASSERT_EQ(1U, ca_cert_list.size()); 533 ScopedTestRoot test_root(ca_cert_list[0]); 534 535 CertificateList cert_list = CreateCertificateListFromFile( 536 GetTestCertsDirectory(), "name_constraint_ok.crt", 537 X509Certificate::FORMAT_AUTO); 538 ASSERT_EQ(1U, cert_list.size()); 539 540 X509Certificate::OSCertHandles intermediates; 541 scoped_refptr<X509Certificate> leaf = 542 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), 543 intermediates); 544 545 int flags = 0; 546 CertVerifyResult verify_result; 547 int error = Verify(leaf.get(), 548 "test.example.com", 549 flags, 550 NULL, 551 empty_cert_list_, 552 &verify_result); 553 EXPECT_EQ(OK, error); 554 EXPECT_EQ(0U, verify_result.cert_status); 555 } 556 557 #if defined(OS_ANDROID) 558 // Disabled because Android isn't filling in SPKI hashes: crbug.com/116838. 559 #define MAYBE_NameConstraintsFailure DISABLED_NameConstraintsFailure 560 #else 561 #define MAYBE_NameConstraintsFailure NameConstraintsFailure 562 #endif 563 TEST_F(CertVerifyProcTest, MAYBE_NameConstraintsFailure) { 564 CertificateList ca_cert_list = 565 CreateCertificateListFromFile(GetTestCertsDirectory(), 566 "root_ca_cert.pem", 567 X509Certificate::FORMAT_AUTO); 568 ASSERT_EQ(1U, ca_cert_list.size()); 569 ScopedTestRoot test_root(ca_cert_list[0]); 570 571 CertificateList cert_list = CreateCertificateListFromFile( 572 GetTestCertsDirectory(), "name_constraint_bad.crt", 573 X509Certificate::FORMAT_AUTO); 574 ASSERT_EQ(1U, cert_list.size()); 575 576 X509Certificate::OSCertHandles intermediates; 577 scoped_refptr<X509Certificate> leaf = 578 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), 579 intermediates); 580 581 int flags = 0; 582 CertVerifyResult verify_result; 583 int error = Verify(leaf.get(), 584 "test.example.com", 585 flags, 586 NULL, 587 empty_cert_list_, 588 &verify_result); 589 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error); 590 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, 591 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); 592 } 593 594 // The certse.pem certificate has been revoked. crbug.com/259723. 595 TEST_F(CertVerifyProcTest, TestKnownRoot) { 596 base::FilePath certs_dir = GetTestCertsDirectory(); 597 CertificateList certs = CreateCertificateListFromFile( 598 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); 599 ASSERT_EQ(2U, certs.size()); 600 601 X509Certificate::OSCertHandles intermediates; 602 intermediates.push_back(certs[1]->os_cert_handle()); 603 604 scoped_refptr<X509Certificate> cert_chain = 605 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 606 intermediates); 607 608 int flags = 0; 609 CertVerifyResult verify_result; 610 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug 611 // against agl. See also PublicKeyHashes. 612 int error = Verify(cert_chain.get(), 613 "satveda.com", 614 flags, 615 NULL, 616 empty_cert_list_, 617 &verify_result); 618 EXPECT_EQ(OK, error); 619 EXPECT_EQ(0U, verify_result.cert_status); 620 EXPECT_TRUE(verify_result.is_issued_by_known_root); 621 } 622 623 // The certse.pem certificate has been revoked. crbug.com/259723. 624 TEST_F(CertVerifyProcTest, PublicKeyHashes) { 625 base::FilePath certs_dir = GetTestCertsDirectory(); 626 CertificateList certs = CreateCertificateListFromFile( 627 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO); 628 ASSERT_EQ(2U, certs.size()); 629 630 X509Certificate::OSCertHandles intermediates; 631 intermediates.push_back(certs[1]->os_cert_handle()); 632 633 scoped_refptr<X509Certificate> cert_chain = 634 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 635 intermediates); 636 int flags = 0; 637 CertVerifyResult verify_result; 638 639 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug 640 // against agl. See also TestKnownRoot. 641 int error = Verify(cert_chain.get(), 642 "satveda.com", 643 flags, 644 NULL, 645 empty_cert_list_, 646 &verify_result); 647 EXPECT_EQ(OK, error); 648 EXPECT_EQ(0U, verify_result.cert_status); 649 ASSERT_LE(2U, verify_result.public_key_hashes.size()); 650 651 HashValueVector sha1_hashes; 652 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { 653 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1) 654 continue; 655 sha1_hashes.push_back(verify_result.public_key_hashes[i]); 656 } 657 ASSERT_LE(2u, sha1_hashes.size()); 658 659 for (size_t i = 0; i < 2; ++i) { 660 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length), 661 HexEncode(sha1_hashes[i].data(), base::kSHA1Length)); 662 } 663 664 HashValueVector sha256_hashes; 665 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) { 666 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256) 667 continue; 668 sha256_hashes.push_back(verify_result.public_key_hashes[i]); 669 } 670 ASSERT_LE(2u, sha256_hashes.size()); 671 672 for (size_t i = 0; i < 2; ++i) { 673 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length), 674 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length)); 675 } 676 } 677 678 // A regression test for http://crbug.com/70293. 679 // The Key Usage extension in this RSA SSL server certificate does not have 680 // the keyEncipherment bit. 681 TEST_F(CertVerifyProcTest, InvalidKeyUsage) { 682 base::FilePath certs_dir = GetTestCertsDirectory(); 683 684 scoped_refptr<X509Certificate> server_cert = 685 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der"); 686 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); 687 688 int flags = 0; 689 CertVerifyResult verify_result; 690 int error = Verify(server_cert.get(), 691 "jira.aquameta.com", 692 flags, 693 NULL, 694 empty_cert_list_, 695 &verify_result); 696 #if defined(USE_OPENSSL) && !defined(OS_ANDROID) 697 // This certificate has two errors: "invalid key usage" and "untrusted CA". 698 // However, OpenSSL returns only one (the latter), and we can't detect 699 // the other errors. 700 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 701 #else 702 EXPECT_EQ(ERR_CERT_INVALID, error); 703 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); 704 #endif 705 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors 706 // from NSS. 707 #if !defined(USE_NSS) && !defined(OS_IOS) && !defined(OS_ANDROID) 708 // The certificate is issued by an unknown CA. 709 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); 710 #endif 711 } 712 713 // Basic test for returning the chain in CertVerifyResult. Note that the 714 // returned chain may just be a reflection of the originally supplied chain; 715 // that is, if any errors occur, the default chain returned is an exact copy 716 // of the certificate to be verified. The remaining VerifyReturn* tests are 717 // used to ensure that the actual, verified chain is being returned by 718 // Verify(). 719 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) { 720 base::FilePath certs_dir = GetTestCertsDirectory(); 721 CertificateList certs = CreateCertificateListFromFile( 722 certs_dir, "x509_verify_results.chain.pem", 723 X509Certificate::FORMAT_AUTO); 724 ASSERT_EQ(3U, certs.size()); 725 726 X509Certificate::OSCertHandles intermediates; 727 intermediates.push_back(certs[1]->os_cert_handle()); 728 intermediates.push_back(certs[2]->os_cert_handle()); 729 730 ScopedTestRoot scoped_root(certs[2].get()); 731 732 scoped_refptr<X509Certificate> google_full_chain = 733 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 734 intermediates); 735 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); 736 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); 737 738 CertVerifyResult verify_result; 739 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); 740 int error = Verify(google_full_chain.get(), 741 "127.0.0.1", 742 0, 743 NULL, 744 empty_cert_list_, 745 &verify_result); 746 EXPECT_EQ(OK, error); 747 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); 748 749 EXPECT_NE(google_full_chain, verify_result.verified_cert); 750 EXPECT_TRUE(X509Certificate::IsSameOSCert( 751 google_full_chain->os_cert_handle(), 752 verify_result.verified_cert->os_cert_handle())); 753 const X509Certificate::OSCertHandles& return_intermediates = 754 verify_result.verified_cert->GetIntermediateCertificates(); 755 ASSERT_EQ(2U, return_intermediates.size()); 756 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], 757 certs[1]->os_cert_handle())); 758 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], 759 certs[2]->os_cert_handle())); 760 } 761 762 #if defined(OS_ANDROID) 763 // TODO(ppi): Disabled because is_issued_by_known_root is incorrect on Android. 764 // Once this is fixed, re-enable this check for android. crbug.com/116838 765 #define MAYBE_IntranetHostsRejected DISABLED_IntranetHostsRejected 766 #else 767 #define MAYBE_IntranetHostsRejected IntranetHostsRejected 768 #endif 769 770 // Test that certificates issued for 'intranet' names (that is, containing no 771 // known public registry controlled domain information) issued by well-known 772 // CAs are flagged appropriately, while certificates that are issued by 773 // internal CAs are not flagged. 774 TEST_F(CertVerifyProcTest, MAYBE_IntranetHostsRejected) { 775 CertificateList cert_list = CreateCertificateListFromFile( 776 GetTestCertsDirectory(), "ok_cert.pem", 777 X509Certificate::FORMAT_AUTO); 778 ASSERT_EQ(1U, cert_list.size()); 779 scoped_refptr<X509Certificate> cert(cert_list[0]); 780 781 CertVerifyResult verify_result; 782 int error = 0; 783 784 // Intranet names for public CAs should be flagged: 785 verify_proc_ = new WellKnownCaCertVerifyProc(true); 786 error = 787 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); 788 EXPECT_EQ(OK, error); 789 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); 790 791 // However, if the CA is not well known, these should not be flagged: 792 verify_proc_ = new WellKnownCaCertVerifyProc(false); 793 error = 794 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result); 795 EXPECT_EQ(OK, error); 796 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME); 797 } 798 799 // Test that the certificate returned in CertVerifyResult is able to reorder 800 // certificates that are not ordered from end-entity to root. While this is 801 // a protocol violation if sent during a TLS handshake, if multiple sources 802 // of intermediate certificates are combined, it's possible that order may 803 // not be maintained. 804 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) { 805 base::FilePath certs_dir = GetTestCertsDirectory(); 806 CertificateList certs = CreateCertificateListFromFile( 807 certs_dir, "x509_verify_results.chain.pem", 808 X509Certificate::FORMAT_AUTO); 809 ASSERT_EQ(3U, certs.size()); 810 811 // Construct the chain out of order. 812 X509Certificate::OSCertHandles intermediates; 813 intermediates.push_back(certs[2]->os_cert_handle()); 814 intermediates.push_back(certs[1]->os_cert_handle()); 815 816 ScopedTestRoot scoped_root(certs[2].get()); 817 818 scoped_refptr<X509Certificate> google_full_chain = 819 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 820 intermediates); 821 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); 822 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size()); 823 824 CertVerifyResult verify_result; 825 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); 826 int error = Verify(google_full_chain.get(), 827 "127.0.0.1", 828 0, 829 NULL, 830 empty_cert_list_, 831 &verify_result); 832 EXPECT_EQ(OK, error); 833 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); 834 835 EXPECT_NE(google_full_chain, verify_result.verified_cert); 836 EXPECT_TRUE(X509Certificate::IsSameOSCert( 837 google_full_chain->os_cert_handle(), 838 verify_result.verified_cert->os_cert_handle())); 839 const X509Certificate::OSCertHandles& return_intermediates = 840 verify_result.verified_cert->GetIntermediateCertificates(); 841 ASSERT_EQ(2U, return_intermediates.size()); 842 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], 843 certs[1]->os_cert_handle())); 844 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], 845 certs[2]->os_cert_handle())); 846 } 847 848 // Test that Verify() filters out certificates which are not related to 849 // or part of the certificate chain being verified. 850 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) { 851 base::FilePath certs_dir = GetTestCertsDirectory(); 852 CertificateList certs = CreateCertificateListFromFile( 853 certs_dir, "x509_verify_results.chain.pem", 854 X509Certificate::FORMAT_AUTO); 855 ASSERT_EQ(3U, certs.size()); 856 ScopedTestRoot scoped_root(certs[2].get()); 857 858 scoped_refptr<X509Certificate> unrelated_certificate = 859 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem"); 860 scoped_refptr<X509Certificate> unrelated_certificate2 = 861 ImportCertFromFile(certs_dir, "aia-cert.pem"); 862 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate); 863 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2); 864 865 // Interject unrelated certificates into the list of intermediates. 866 X509Certificate::OSCertHandles intermediates; 867 intermediates.push_back(unrelated_certificate->os_cert_handle()); 868 intermediates.push_back(certs[1]->os_cert_handle()); 869 intermediates.push_back(unrelated_certificate2->os_cert_handle()); 870 intermediates.push_back(certs[2]->os_cert_handle()); 871 872 scoped_refptr<X509Certificate> google_full_chain = 873 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 874 intermediates); 875 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain); 876 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size()); 877 878 CertVerifyResult verify_result; 879 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); 880 int error = Verify(google_full_chain.get(), 881 "127.0.0.1", 882 0, 883 NULL, 884 empty_cert_list_, 885 &verify_result); 886 EXPECT_EQ(OK, error); 887 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert); 888 889 EXPECT_NE(google_full_chain, verify_result.verified_cert); 890 EXPECT_TRUE(X509Certificate::IsSameOSCert( 891 google_full_chain->os_cert_handle(), 892 verify_result.verified_cert->os_cert_handle())); 893 const X509Certificate::OSCertHandles& return_intermediates = 894 verify_result.verified_cert->GetIntermediateCertificates(); 895 ASSERT_EQ(2U, return_intermediates.size()); 896 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0], 897 certs[1]->os_cert_handle())); 898 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1], 899 certs[2]->os_cert_handle())); 900 } 901 902 TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) { 903 if (!SupportsAdditionalTrustAnchors()) { 904 LOG(INFO) << "Skipping this test in this platform."; 905 return; 906 } 907 908 // |ca_cert| is the issuer of |cert|. 909 CertificateList ca_cert_list = CreateCertificateListFromFile( 910 GetTestCertsDirectory(), "root_ca_cert.pem", 911 X509Certificate::FORMAT_AUTO); 912 ASSERT_EQ(1U, ca_cert_list.size()); 913 scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]); 914 915 CertificateList cert_list = CreateCertificateListFromFile( 916 GetTestCertsDirectory(), "ok_cert.pem", 917 X509Certificate::FORMAT_AUTO); 918 ASSERT_EQ(1U, cert_list.size()); 919 scoped_refptr<X509Certificate> cert(cert_list[0]); 920 921 // Verification of |cert| fails when |ca_cert| is not in the trust anchors 922 // list. 923 int flags = 0; 924 CertVerifyResult verify_result; 925 int error = Verify( 926 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); 927 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 928 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); 929 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); 930 931 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass. 932 CertificateList trust_anchors; 933 trust_anchors.push_back(ca_cert); 934 error = Verify( 935 cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result); 936 EXPECT_EQ(OK, error); 937 EXPECT_EQ(0U, verify_result.cert_status); 938 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor); 939 940 // Clearing the |trust_anchors| makes verification fail again (the cache 941 // should be skipped). 942 error = Verify( 943 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); 944 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 945 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); 946 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); 947 } 948 949 #if defined(OS_MACOSX) && !defined(OS_IOS) 950 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust 951 // Root can be successfully worked around once Apple completes removing the 952 // older GTE CyberTrust Root from its trusted root store. 953 // 954 // The issue is caused by servers supplying the cross-certified intermediate 955 // (necessary for certain mobile platforms), which OS X does not recognize 956 // as already existing within its trust store. 957 TEST_F(CertVerifyProcTest, CybertrustGTERoot) { 958 CertificateList certs = CreateCertificateListFromFile( 959 GetTestCertsDirectory(), 960 "cybertrust_omniroot_chain.pem", 961 X509Certificate::FORMAT_PEM_CERT_SEQUENCE); 962 ASSERT_EQ(2U, certs.size()); 963 964 X509Certificate::OSCertHandles intermediates; 965 intermediates.push_back(certs[1]->os_cert_handle()); 966 967 scoped_refptr<X509Certificate> cybertrust_basic = 968 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(), 969 intermediates); 970 ASSERT_TRUE(cybertrust_basic.get()); 971 972 scoped_refptr<X509Certificate> baltimore_root = 973 ImportCertFromFile(GetTestCertsDirectory(), 974 "cybertrust_baltimore_root.pem"); 975 ASSERT_TRUE(baltimore_root.get()); 976 977 ScopedTestRoot scoped_root(baltimore_root.get()); 978 979 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This 980 // simulates Keychain removing support for the GTE CyberTrust Root. 981 TestRootCerts::GetInstance()->SetAllowSystemTrust(false); 982 base::ScopedClosureRunner reset_system_trust( 983 base::Bind(&TestRootCerts::SetAllowSystemTrust, 984 base::Unretained(TestRootCerts::GetInstance()), 985 true)); 986 987 // First, make sure a simple certificate chain from 988 // EE -> Public SureServer SV -> Baltimore CyberTrust 989 // works. Only the first two certificates are included in the chain. 990 int flags = 0; 991 CertVerifyResult verify_result; 992 int error = Verify(cybertrust_basic.get(), 993 "cacert.omniroot.com", 994 flags, 995 NULL, 996 empty_cert_list_, 997 &verify_result); 998 EXPECT_EQ(OK, error); 999 EXPECT_EQ(0U, verify_result.cert_status); 1000 1001 // Attempt to verify with the first known cross-certified intermediate 1002 // provided. 1003 scoped_refptr<X509Certificate> baltimore_intermediate_1 = 1004 ImportCertFromFile(GetTestCertsDirectory(), 1005 "cybertrust_baltimore_cross_certified_1.pem"); 1006 ASSERT_TRUE(baltimore_intermediate_1.get()); 1007 1008 X509Certificate::OSCertHandles intermediate_chain_1 = 1009 cybertrust_basic->GetIntermediateCertificates(); 1010 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle()); 1011 1012 scoped_refptr<X509Certificate> baltimore_chain_1 = 1013 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), 1014 intermediate_chain_1); 1015 error = Verify(baltimore_chain_1.get(), 1016 "cacert.omniroot.com", 1017 flags, 1018 NULL, 1019 empty_cert_list_, 1020 &verify_result); 1021 EXPECT_EQ(OK, error); 1022 EXPECT_EQ(0U, verify_result.cert_status); 1023 1024 // Attempt to verify with the second known cross-certified intermediate 1025 // provided. 1026 scoped_refptr<X509Certificate> baltimore_intermediate_2 = 1027 ImportCertFromFile(GetTestCertsDirectory(), 1028 "cybertrust_baltimore_cross_certified_2.pem"); 1029 ASSERT_TRUE(baltimore_intermediate_2.get()); 1030 1031 X509Certificate::OSCertHandles intermediate_chain_2 = 1032 cybertrust_basic->GetIntermediateCertificates(); 1033 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle()); 1034 1035 scoped_refptr<X509Certificate> baltimore_chain_2 = 1036 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), 1037 intermediate_chain_2); 1038 error = Verify(baltimore_chain_2.get(), 1039 "cacert.omniroot.com", 1040 flags, 1041 NULL, 1042 empty_cert_list_, 1043 &verify_result); 1044 EXPECT_EQ(OK, error); 1045 EXPECT_EQ(0U, verify_result.cert_status); 1046 1047 // Attempt to verify when both a cross-certified intermediate AND 1048 // the legacy GTE root are provided. 1049 scoped_refptr<X509Certificate> cybertrust_root = 1050 ImportCertFromFile(GetTestCertsDirectory(), 1051 "cybertrust_gte_root.pem"); 1052 ASSERT_TRUE(cybertrust_root.get()); 1053 1054 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle()); 1055 scoped_refptr<X509Certificate> baltimore_chain_with_root = 1056 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(), 1057 intermediate_chain_2); 1058 error = Verify(baltimore_chain_with_root.get(), 1059 "cacert.omniroot.com", 1060 flags, 1061 NULL, 1062 empty_cert_list_, 1063 &verify_result); 1064 EXPECT_EQ(OK, error); 1065 EXPECT_EQ(0U, verify_result.cert_status); 1066 1067 } 1068 #endif 1069 1070 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX) 1071 static const uint8 kCRLSetLeafSPKIBlocked[] = { 1072 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, 1073 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 1074 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, 1075 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, 1076 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, 1077 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, 1078 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, 1079 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x43, 0x38, 0x4d, 0x4a, 0x46, 0x55, 0x55, 1080 0x5a, 0x38, 0x43, 0x79, 0x54, 0x2b, 0x4e, 0x57, 0x64, 0x68, 0x69, 0x7a, 0x51, 1081 0x68, 0x54, 0x49, 0x65, 0x46, 0x49, 0x37, 0x76, 0x41, 0x77, 0x7a, 0x64, 0x54, 1082 0x79, 0x52, 0x59, 0x45, 0x6e, 0x78, 0x6c, 0x33, 0x62, 0x67, 0x3d, 0x22, 0x5d, 1083 0x7d, 1084 }; 1085 1086 static const uint8 kCRLSetLeafSerialBlocked[] = { 1087 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, 1088 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 1089 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, 1090 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, 1091 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, 1092 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, 1093 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, 1094 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0x0f, 0x87, 0xe4, 0xc7, 0x75, 0xea, 1095 0x46, 0x7e, 0xf3, 0xfd, 0x82, 0xb7, 0x46, 0x7b, 0x10, 0xda, 0xc5, 0xbf, 0xd8, 1096 0xd1, 0x29, 0xb2, 0xc6, 0xac, 0x7f, 0x51, 0x42, 0x15, 0x28, 0x51, 0x06, 0x7f, 1097 0x01, 0x00, 0x00, 0x00, // number of serials 1098 0x01, 0xed, // serial 0xed 1099 }; 1100 1101 static const uint8 kCRLSetQUICSerialBlocked[] = { 1102 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, 1103 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 1104 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22, 1105 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22, 1106 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c, 1107 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a, 1108 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b, 1109 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 1110 // Issuer SPKI SHA-256 hash: 1111 0xe4, 0x3a, 0xa3, 0xdb, 0x98, 0x31, 0x61, 0x05, 0xdd, 0x57, 0x6d, 0xc6, 0x2f, 1112 0x71, 0x26, 0xba, 0xdd, 0xf4, 0x98, 0x3e, 0x62, 0x22, 0xf8, 0xf9, 0xe4, 0x18, 1113 0x62, 0x77, 0x79, 0xdb, 0x9b, 0x31, 1114 0x01, 0x00, 0x00, 0x00, // number of serials 1115 0x01, 0x03, // serial 3 1116 }; 1117 1118 // Test that CRLSets are effective in making a certificate appear to be 1119 // revoked. 1120 TEST_F(CertVerifyProcTest, CRLSet) { 1121 CertificateList ca_cert_list = 1122 CreateCertificateListFromFile(GetTestCertsDirectory(), 1123 "root_ca_cert.pem", 1124 X509Certificate::FORMAT_AUTO); 1125 ASSERT_EQ(1U, ca_cert_list.size()); 1126 ScopedTestRoot test_root(ca_cert_list[0]); 1127 1128 CertificateList cert_list = CreateCertificateListFromFile( 1129 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); 1130 ASSERT_EQ(1U, cert_list.size()); 1131 scoped_refptr<X509Certificate> cert(cert_list[0]); 1132 1133 int flags = 0; 1134 CertVerifyResult verify_result; 1135 int error = Verify( 1136 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result); 1137 EXPECT_EQ(OK, error); 1138 EXPECT_EQ(0U, verify_result.cert_status); 1139 1140 // First test blocking by SPKI. 1141 base::StringPiece crl_set_bytes( 1142 reinterpret_cast<const char*>(kCRLSetLeafSPKIBlocked), 1143 sizeof(kCRLSetLeafSPKIBlocked)); 1144 scoped_refptr<CRLSet> crl_set; 1145 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); 1146 1147 error = Verify(cert.get(), 1148 "127.0.0.1", 1149 flags, 1150 crl_set.get(), 1151 empty_cert_list_, 1152 &verify_result); 1153 EXPECT_EQ(ERR_CERT_REVOKED, error); 1154 1155 // Second, test revocation by serial number of a cert directly under the 1156 // root. 1157 crl_set_bytes = 1158 base::StringPiece(reinterpret_cast<const char*>(kCRLSetLeafSerialBlocked), 1159 sizeof(kCRLSetLeafSerialBlocked)); 1160 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); 1161 1162 error = Verify(cert.get(), 1163 "127.0.0.1", 1164 flags, 1165 crl_set.get(), 1166 empty_cert_list_, 1167 &verify_result); 1168 EXPECT_EQ(ERR_CERT_REVOKED, error); 1169 } 1170 1171 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) { 1172 CertificateList ca_cert_list = 1173 CreateCertificateListFromFile(GetTestCertsDirectory(), 1174 "quic_root.crt", 1175 X509Certificate::FORMAT_AUTO); 1176 ASSERT_EQ(1U, ca_cert_list.size()); 1177 ScopedTestRoot test_root(ca_cert_list[0]); 1178 1179 CertificateList intermediate_cert_list = 1180 CreateCertificateListFromFile(GetTestCertsDirectory(), 1181 "quic_intermediate.crt", 1182 X509Certificate::FORMAT_AUTO); 1183 ASSERT_EQ(1U, intermediate_cert_list.size()); 1184 X509Certificate::OSCertHandles intermediates; 1185 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle()); 1186 1187 CertificateList cert_list = CreateCertificateListFromFile( 1188 GetTestCertsDirectory(), "quic_test.example.com.crt", 1189 X509Certificate::FORMAT_AUTO); 1190 ASSERT_EQ(1U, cert_list.size()); 1191 1192 scoped_refptr<X509Certificate> leaf = 1193 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(), 1194 intermediates); 1195 1196 int flags = 0; 1197 CertVerifyResult verify_result; 1198 int error = Verify(leaf.get(), 1199 "test.example.com", 1200 flags, 1201 NULL, 1202 empty_cert_list_, 1203 &verify_result); 1204 EXPECT_EQ(OK, error); 1205 EXPECT_EQ(0U, verify_result.cert_status); 1206 1207 // Test revocation by serial number of a certificate not under the root. 1208 scoped_refptr<CRLSet> crl_set; 1209 base::StringPiece crl_set_bytes = 1210 base::StringPiece(reinterpret_cast<const char*>(kCRLSetQUICSerialBlocked), 1211 sizeof(kCRLSetQUICSerialBlocked)); 1212 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set)); 1213 1214 error = Verify(leaf.get(), 1215 "test.example.com", 1216 flags, 1217 crl_set.get(), 1218 empty_cert_list_, 1219 &verify_result); 1220 EXPECT_EQ(ERR_CERT_REVOKED, error); 1221 } 1222 #endif 1223 1224 struct WeakDigestTestData { 1225 const char* root_cert_filename; 1226 const char* intermediate_cert_filename; 1227 const char* ee_cert_filename; 1228 bool expected_has_md5; 1229 bool expected_has_md4; 1230 bool expected_has_md2; 1231 }; 1232 1233 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how 1234 // to output the parameter that was passed. Without this, it will simply 1235 // attempt to print out the first twenty bytes of the object, which depending 1236 // on platform and alignment, may result in an invalid read. 1237 void PrintTo(const WeakDigestTestData& data, std::ostream* os) { 1238 *os << "root: " 1239 << (data.root_cert_filename ? data.root_cert_filename : "none") 1240 << "; intermediate: " << data.intermediate_cert_filename 1241 << "; end-entity: " << data.ee_cert_filename; 1242 } 1243 1244 class CertVerifyProcWeakDigestTest 1245 : public CertVerifyProcTest, 1246 public testing::WithParamInterface<WeakDigestTestData> { 1247 public: 1248 CertVerifyProcWeakDigestTest() {} 1249 virtual ~CertVerifyProcWeakDigestTest() {} 1250 }; 1251 1252 TEST_P(CertVerifyProcWeakDigestTest, Verify) { 1253 WeakDigestTestData data = GetParam(); 1254 base::FilePath certs_dir = GetTestCertsDirectory(); 1255 1256 ScopedTestRoot test_root; 1257 if (data.root_cert_filename) { 1258 scoped_refptr<X509Certificate> root_cert = 1259 ImportCertFromFile(certs_dir, data.root_cert_filename); 1260 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); 1261 test_root.Reset(root_cert.get()); 1262 } 1263 1264 scoped_refptr<X509Certificate> intermediate_cert = 1265 ImportCertFromFile(certs_dir, data.intermediate_cert_filename); 1266 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert); 1267 scoped_refptr<X509Certificate> ee_cert = 1268 ImportCertFromFile(certs_dir, data.ee_cert_filename); 1269 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); 1270 1271 X509Certificate::OSCertHandles intermediates; 1272 intermediates.push_back(intermediate_cert->os_cert_handle()); 1273 1274 scoped_refptr<X509Certificate> ee_chain = 1275 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), 1276 intermediates); 1277 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain); 1278 1279 int flags = 0; 1280 CertVerifyResult verify_result; 1281 int rv = Verify(ee_chain.get(), 1282 "127.0.0.1", 1283 flags, 1284 NULL, 1285 empty_cert_list_, 1286 &verify_result); 1287 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); 1288 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); 1289 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); 1290 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor); 1291 1292 // Ensure that MD4 and MD2 are tagged as invalid. 1293 if (data.expected_has_md4 || data.expected_has_md2) { 1294 EXPECT_EQ(CERT_STATUS_INVALID, 1295 verify_result.cert_status & CERT_STATUS_INVALID); 1296 } 1297 1298 // Ensure that MD5 is flagged as weak. 1299 if (data.expected_has_md5) { 1300 EXPECT_EQ( 1301 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, 1302 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); 1303 } 1304 1305 // If a root cert is present, then check that the chain was rejected if any 1306 // weak algorithms are present. This is only checked when a root cert is 1307 // present because the error reported for incomplete chains with weak 1308 // algorithms depends on which implementation was used to validate (NSS, 1309 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm 1310 // present (MD2, MD4, MD5). 1311 if (data.root_cert_filename) { 1312 if (data.expected_has_md4 || data.expected_has_md2) { 1313 EXPECT_EQ(ERR_CERT_INVALID, rv); 1314 } else if (data.expected_has_md5) { 1315 EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv); 1316 } else { 1317 EXPECT_EQ(OK, rv); 1318 } 1319 } 1320 } 1321 1322 // Unlike TEST/TEST_F, which are macros that expand to further macros, 1323 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that 1324 // stringizes the arguments. As a result, macros passed as parameters (such as 1325 // prefix or test_case_name) will not be expanded by the preprocessor. To work 1326 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the 1327 // pre-processor will expand macros such as MAYBE_test_name before 1328 // instantiating the test. 1329 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \ 1330 INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) 1331 1332 // The signature algorithm of the root CA should not matter. 1333 const WeakDigestTestData kVerifyRootCATestData[] = { 1334 { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem", 1335 "weak_digest_sha1_ee.pem", false, false, false }, 1336 #if defined(USE_OPENSSL) || defined(OS_WIN) 1337 // MD4 is not supported by OS X / NSS 1338 { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem", 1339 "weak_digest_sha1_ee.pem", false, false, false }, 1340 #endif 1341 { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem", 1342 "weak_digest_sha1_ee.pem", false, false, false }, 1343 }; 1344 INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest, 1345 testing::ValuesIn(kVerifyRootCATestData)); 1346 1347 // The signature algorithm of intermediates should be properly detected. 1348 const WeakDigestTestData kVerifyIntermediateCATestData[] = { 1349 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", 1350 "weak_digest_sha1_ee.pem", true, false, false }, 1351 #if defined(USE_OPENSSL) || defined(OS_WIN) 1352 // MD4 is not supported by OS X / NSS 1353 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", 1354 "weak_digest_sha1_ee.pem", false, true, false }, 1355 #endif 1356 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", 1357 "weak_digest_sha1_ee.pem", false, false, true }, 1358 }; 1359 // Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled. 1360 #if defined(USE_NSS) || defined(OS_IOS) 1361 #define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate 1362 #else 1363 #define MAYBE_VerifyIntermediate VerifyIntermediate 1364 #endif 1365 WRAPPED_INSTANTIATE_TEST_CASE_P( 1366 MAYBE_VerifyIntermediate, 1367 CertVerifyProcWeakDigestTest, 1368 testing::ValuesIn(kVerifyIntermediateCATestData)); 1369 1370 // The signature algorithm of end-entity should be properly detected. 1371 const WeakDigestTestData kVerifyEndEntityTestData[] = { 1372 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", 1373 "weak_digest_md5_ee.pem", true, false, false }, 1374 #if defined(USE_OPENSSL) || defined(OS_WIN) 1375 // MD4 is not supported by OS X / NSS 1376 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", 1377 "weak_digest_md4_ee.pem", false, true, false }, 1378 #endif 1379 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", 1380 "weak_digest_md2_ee.pem", false, false, true }, 1381 }; 1382 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot 1383 // be cleared until NSS is cleanly shutdown, which is not presently supported 1384 // in Chromium. 1385 #if defined(USE_NSS) || defined(OS_IOS) 1386 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity 1387 #else 1388 #define MAYBE_VerifyEndEntity VerifyEndEntity 1389 #endif 1390 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity, 1391 CertVerifyProcWeakDigestTest, 1392 testing::ValuesIn(kVerifyEndEntityTestData)); 1393 1394 // Incomplete chains should still report the status of the intermediate. 1395 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = { 1396 { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem", 1397 true, false, false }, 1398 #if defined(USE_OPENSSL) || defined(OS_WIN) 1399 // MD4 is not supported by OS X / NSS 1400 { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem", 1401 false, true, false }, 1402 #endif 1403 { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem", 1404 false, false, true }, 1405 }; 1406 // Disabled on NSS - libpkix does not return constructed chains on error, 1407 // preventing us from detecting/inspecting the verified chain. 1408 #if defined(USE_NSS) || defined(OS_IOS) 1409 #define MAYBE_VerifyIncompleteIntermediate \ 1410 DISABLED_VerifyIncompleteIntermediate 1411 #else 1412 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate 1413 #endif 1414 WRAPPED_INSTANTIATE_TEST_CASE_P( 1415 MAYBE_VerifyIncompleteIntermediate, 1416 CertVerifyProcWeakDigestTest, 1417 testing::ValuesIn(kVerifyIncompleteIntermediateTestData)); 1418 1419 // Incomplete chains should still report the status of the end-entity. 1420 const WeakDigestTestData kVerifyIncompleteEETestData[] = { 1421 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem", 1422 true, false, false }, 1423 #if defined(USE_OPENSSL) || defined(OS_WIN) 1424 // MD4 is not supported by OS X / NSS 1425 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem", 1426 false, true, false }, 1427 #endif 1428 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem", 1429 false, false, true }, 1430 }; 1431 // Disabled on NSS - libpkix does not return constructed chains on error, 1432 // preventing us from detecting/inspecting the verified chain. 1433 #if defined(USE_NSS) || defined(OS_IOS) 1434 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity 1435 #else 1436 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity 1437 #endif 1438 WRAPPED_INSTANTIATE_TEST_CASE_P( 1439 MAYBE_VerifyIncompleteEndEntity, 1440 CertVerifyProcWeakDigestTest, 1441 testing::ValuesIn(kVerifyIncompleteEETestData)); 1442 1443 // Differing algorithms between the intermediate and the EE should still be 1444 // reported. 1445 const WeakDigestTestData kVerifyMixedTestData[] = { 1446 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", 1447 "weak_digest_md2_ee.pem", true, false, true }, 1448 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", 1449 "weak_digest_md5_ee.pem", true, false, true }, 1450 #if defined(USE_OPENSSL) || defined(OS_WIN) 1451 // MD4 is not supported by OS X / NSS 1452 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", 1453 "weak_digest_md2_ee.pem", false, true, true }, 1454 #endif 1455 }; 1456 // NSS does not support MD4 and does not enable MD2 by default, making all 1457 // permutations invalid. 1458 #if defined(USE_NSS) || defined(OS_IOS) 1459 #define MAYBE_VerifyMixed DISABLED_VerifyMixed 1460 #else 1461 #define MAYBE_VerifyMixed VerifyMixed 1462 #endif 1463 WRAPPED_INSTANTIATE_TEST_CASE_P( 1464 MAYBE_VerifyMixed, 1465 CertVerifyProcWeakDigestTest, 1466 testing::ValuesIn(kVerifyMixedTestData)); 1467 1468 // For the list of valid hostnames, see 1469 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem 1470 static const struct CertVerifyProcNameData { 1471 const char* hostname; 1472 bool valid; // Whether or not |hostname| matches a subjectAltName. 1473 } kVerifyNameData[] = { 1474 { "127.0.0.1", false }, // Don't match the common name 1475 { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4) 1476 { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6) 1477 { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN 1478 { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6) 1479 { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN 1480 { "test.example", true }, // Matches the dNSName SAN 1481 { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored) 1482 { "www.test.example", false }, // Should not match the dNSName SAN 1483 { "test..example", false }, // Should not match the dNSName SAN 1484 { "test.example..", false }, // Should not match the dNSName SAN 1485 { ".test.example.", false }, // Should not match the dNSName SAN 1486 { ".test.example", false }, // Should not match the dNSName SAN 1487 }; 1488 1489 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how 1490 // to output the parameter that was passed. Without this, it will simply 1491 // attempt to print out the first twenty bytes of the object, which depending 1492 // on platform and alignment, may result in an invalid read. 1493 void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) { 1494 *os << "Hostname: " << data.hostname << "; valid=" << data.valid; 1495 } 1496 1497 class CertVerifyProcNameTest 1498 : public CertVerifyProcTest, 1499 public testing::WithParamInterface<CertVerifyProcNameData> { 1500 public: 1501 CertVerifyProcNameTest() {} 1502 virtual ~CertVerifyProcNameTest() {} 1503 }; 1504 1505 TEST_P(CertVerifyProcNameTest, VerifyCertName) { 1506 CertVerifyProcNameData data = GetParam(); 1507 1508 CertificateList cert_list = CreateCertificateListFromFile( 1509 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem", 1510 X509Certificate::FORMAT_AUTO); 1511 ASSERT_EQ(1U, cert_list.size()); 1512 scoped_refptr<X509Certificate> cert(cert_list[0]); 1513 1514 ScopedTestRoot scoped_root(cert.get()); 1515 1516 CertVerifyResult verify_result; 1517 int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_, 1518 &verify_result); 1519 if (data.valid) { 1520 EXPECT_EQ(OK, error); 1521 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); 1522 } else { 1523 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); 1524 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); 1525 } 1526 } 1527 1528 WRAPPED_INSTANTIATE_TEST_CASE_P( 1529 VerifyName, 1530 CertVerifyProcNameTest, 1531 testing::ValuesIn(kVerifyNameData)); 1532 1533 } // namespace net 1534
