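// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/memory/scoped_ptr.h"
#include "crypto/ec_private_key.h"
#include "crypto/openssl_util.h"
#include "net/cert/x509_util.h"
#include "net/cert/x509_util_openssl.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace net {

namespace {

// Verify that a given certificate was signed with the private key corresponding
// to a given public key.
// |der_cert| is the DER-encoded X.509 certificate.
// |der_spki| is the DER-encoded public key (SubjectPublicKeyInfo) of the
// signer.
//
// This is a gtest helper: an ASSERT_* failure returns from this function, so a
// caller that needs to know whether it passed should check HasFatalFailure().
void VerifyCertificateSignature(const std::string& der_cert,
                                const std::vector<uint8>& der_spki) {
  // The d2i_* functions advance the input pointer past the bytes they
  // consumed. Keep the original start so we can check that the whole buffer
  // was parsed as exactly one object: a successful d2i_X509() call does not by
  // itself reject trailing bytes after the certificate.
  const unsigned char* cert_start =
      reinterpret_cast<const unsigned char*>(der_cert.data());
  const unsigned char* cert_data = cert_start;
  int cert_data_len = static_cast<int>(der_cert.size());
  crypto::ScopedOpenSSL<X509, X509_free> cert(
      d2i_X509(NULL, &cert_data, cert_data_len));
  ASSERT_TRUE(cert.get());
  EXPECT_EQ(cert_start + cert_data_len, cert_data)
      << "Trailing bytes after the DER certificate";

  // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier
  // but there is no OpenSSL API to extract it from an X509 object (!?)
  // Use X509_verify() directly instead, which takes an EVP_PKEY.
  //
  // &der_spki.front() is undefined on an empty vector, so reject that first
  // instead of handing OpenSSL a dangling pointer.
  ASSERT_FALSE(der_spki.empty());
  const unsigned char* pub_key_start = &der_spki.front();
  const unsigned char* pub_key_data = pub_key_start;
  int pub_key_len = static_cast<int>(der_spki.size());
  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pub_key(
      d2i_PUBKEY(NULL, &pub_key_data, pub_key_len));
  ASSERT_TRUE(pub_key.get());
  EXPECT_EQ(pub_key_start + pub_key_len, pub_key_data)
      << "Trailing bytes after the DER public key";

  // NOTE: X509_verify() returns 1 in case of success, 0 or -1 on error.
  // Compare against 1 explicitly rather than testing for "non-zero" so that
  // the -1 (internal error) case is reported as a failure too.
  EXPECT_EQ(1, X509_verify(cert.get(), pub_key.get()));
}

// Verify the attributes of a domain-bound certificate.
// |domain| is the bound domain name.
// |der_cert| is the DER-encoded X.509 certificate.
//
// Checks that the certificate carries exactly one Origin Bound Cert extension
// and that the extension's value is the DER encoding of |domain| as an
// IA5String.
void VerifyDomainBoundCert(const std::string& domain,
                           const std::string& der_cert) {
  // Origin Bound Cert OID.
  static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6";
  crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free> oid_obj(
      OBJ_txt2obj(oid_string, 0));
  ASSERT_TRUE(oid_obj.get());

  // d2i_X509() advances |cert_data|; remember the start so we can verify that
  // the whole buffer was consumed (no trailing bytes after the certificate).
  const unsigned char* cert_start =
      reinterpret_cast<const unsigned char*>(der_cert.data());
  const unsigned char* cert_data = cert_start;
  int cert_data_len = static_cast<int>(der_cert.size());
  crypto::ScopedOpenSSL<X509, X509_free> cert(
      d2i_X509(NULL, &cert_data, cert_data_len));
  ASSERT_TRUE(cert.get());
  EXPECT_EQ(cert_start + cert_data_len, cert_data)
      << "Trailing bytes after the DER certificate";

  // Find the extension.
  int ext_pos = X509_get_ext_by_OBJ(cert.get(), oid_obj.get(), -1);
  ASSERT_NE(-1, ext_pos);
  X509_EXTENSION* ext = X509_get_ext(cert.get(), ext_pos);
  ASSERT_TRUE(ext);
  // RFC 5280 section 4.2 forbids more than one instance of an extension;
  // searching again from |ext_pos| must not find a second one.
  EXPECT_EQ(-1, X509_get_ext_by_OBJ(cert.get(), oid_obj.get(), ext_pos))
      << "Duplicate Origin Bound Cert extension";

  // Check its value, it must be an ASN.1 IA5STRING
  // Which means <tag> <length> <domain>, with:
  //    <tag> == 22
  //    <length> is the domain length, a single byte for short forms.
  //    <domain> are the domain characters.
  // See http://en.wikipedia.org/wiki/X.690
  ASN1_STRING* value_asn1 = X509_EXTENSION_get_data(ext);
  ASSERT_TRUE(value_asn1);
  std::string value_str(reinterpret_cast<const char*>(value_asn1->data),
                        value_asn1->length);

  // Check that the domain size is small enough for short form.
  ASSERT_LE(domain.size(), 127U) << "Domain is too long!";
  std::string value_expected;
  value_expected.resize(2);
  value_expected[0] = 22;
  value_expected[1] = static_cast<char>(domain.size());
  value_expected += domain;

  // Comparing the full DER value (tag, length and contents) rather than only
  // the characters also catches a wrong tag or a wrong length encoding.
  EXPECT_EQ(value_expected, value_str);
}

}  // namespace

TEST(X509UtilOpenSSLTest, IsSupportedValidityRange) {
  base::Time now = base::Time::Now();
  // An empty range (start == end) is accepted; an inverted one is not.
  EXPECT_TRUE(x509_util::IsSupportedValidityRange(now, now));
  EXPECT_FALSE(x509_util::IsSupportedValidityRange(
      now, now - base::TimeDelta::FromSeconds(1)));

  // See x509_util_openssl.cc to see how these were computed.
  const int64 kDaysFromYear0001ToUnixEpoch = 719162;
  const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1;

  // When computing too_old / too_late, add one day to account for
  // possible leap seconds.
  base::Time too_old = base::Time::UnixEpoch() -
      base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch + 1);

  base::Time too_late = base::Time::UnixEpoch() +
      base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000 + 1);

  // A range is rejected if either endpoint lies outside the supported window.
  EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, too_old));
  EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, now));

  EXPECT_FALSE(x509_util::IsSupportedValidityRange(now, too_late));
  EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_late, too_late));
}

TEST(X509UtilOpenSSLTest, CreateDomainBoundCertEC) {
  // Create a sample ASCII weborigin.
  std::string domain = "weborigin.com";
  base::Time now = base::Time::Now();

  scoped_ptr<crypto::ECPrivateKey> private_key(
      crypto::ECPrivateKey::Create());
  // Key generation can fail; bail out here rather than dereferencing NULL
  // in ExportPublicKey() below.
  ASSERT_TRUE(private_key.get());
  std::string der_cert;
  // NOTE(review): DIGEST_SHA1 here only selects the signature digest for this
  // test certificate and is not an endorsement of SHA-1; production callers
  // should prefer a stronger digest where the API offers one.
  ASSERT_TRUE(
      x509_util::CreateDomainBoundCertEC(private_key.get(),
                                         x509_util::DIGEST_SHA1,
                                         domain,
                                         1,
                                         now,
                                         now + base::TimeDelta::FromDays(1),
                                         &der_cert));

  VerifyDomainBoundCert(domain, der_cert);

  // signature_verifier_win and signature_verifier_mac can't handle EC certs,
  // so the signature is checked through OpenSSL's X509_verify() instead.
  std::vector<uint8> spki;
  ASSERT_TRUE(private_key->ExportPublicKey(&spki));
  VerifyCertificateSignature(der_cert, spki);
}

}  // namespace net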