Supervised user whitelists: Cleanup
[chromium-blink-merge.git] / net / cert / cert_verify_proc_whitelist_unittest.cc
blobe1206dcd9a2dfdcd792458fc0d6e16466bdd358b
1 // Copyright (c) 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/cert_verify_proc_whitelist.h"
7 #include "base/memory/ref_counted.h"
8 #include "net/base/test_data_directory.h"
9 #include "net/cert/x509_certificate.h"
10 #include "net/test/cert_test_util.h"
11 #include "testing/gtest/include/gtest/gtest.h"
13 namespace net {
15 namespace {
17 HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {
18 HashValue hash_value(tag);
19 memset(hash_value.data(), label, hash_value.size());
20 return hash_value;
23 HashValueVector GetFakeHashValues() {
24 HashValueVector public_key_hashes;
26 // Fake "root" hash
27 public_key_hashes.push_back(GetTestHashValue(0x00, HASH_VALUE_SHA256));
28 public_key_hashes.push_back(GetTestHashValue(0x01, HASH_VALUE_SHA1));
29 // Fake "intermediate" hash
30 public_key_hashes.push_back(GetTestHashValue(0x02, HASH_VALUE_SHA256));
31 public_key_hashes.push_back(GetTestHashValue(0x03, HASH_VALUE_SHA1));
32 // Fake "leaf" hash
33 public_key_hashes.push_back(GetTestHashValue(0x04, HASH_VALUE_SHA256));
34 public_key_hashes.push_back(GetTestHashValue(0x05, HASH_VALUE_SHA1));
36 return public_key_hashes;
39 // The SHA-256 hash of the leaf cert "ok_cert.pem"; obtainable either
40 // via X509Certificate::CalculateFingerprint256 or
41 // openssl x509 -inform pem -in ok_cert.pem -outform der | openssl
42 // dgst -sha256 -c
43 const uint8_t kWhitelistCerts[][crypto::kSHA256Length] = {
44 /* clang-format off */
45 { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
46 0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
47 0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
48 0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
49 /* clang-format on */
52 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByRoot) {
53 scoped_refptr<X509Certificate> cert =
54 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
55 ASSERT_TRUE(cert);
57 // clang-format off
58 const PublicKeyWhitelist kWhitelist[] = {
59 { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
60 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
63 kWhitelistCerts, arraysize(kWhitelistCerts)
66 // clang-format on
68 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
70 HashValueVector public_key_hashes = GetFakeHashValues();
72 // Should return false, indicating this cert is acceptable because of
73 // it being whitelisted.
74 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
76 SetCertificateWhitelistForTesting(nullptr, 0);
79 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByIntermediate) {
80 scoped_refptr<X509Certificate> cert =
81 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
82 ASSERT_TRUE(cert);
84 // clang-format off
85 const PublicKeyWhitelist kWhitelist[] = {
86 { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
87 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
88 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
89 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
90 kWhitelistCerts, arraysize(kWhitelistCerts)
93 // clang-format on
95 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
97 HashValueVector public_key_hashes = GetFakeHashValues();
99 // Should return false, indicating this cert is acceptable because of
100 // it being whitelisted.
101 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
103 SetCertificateWhitelistForTesting(nullptr, 0);
106 TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEE) {
107 scoped_refptr<X509Certificate> cert =
108 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
109 ASSERT_TRUE(cert);
111 // clang-format off
112 const PublicKeyWhitelist kWhitelist[] = {
113 { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
115 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
117 kWhitelistCerts, arraysize(kWhitelistCerts)
120 // clang-format on
122 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
124 HashValueVector public_key_hashes = GetFakeHashValues();
126 // Should return true, indicating this certificate chains to a constrained
127 // root and is not whitelisted.
128 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
130 SetCertificateWhitelistForTesting(nullptr, 0);
133 TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEEByIntermediate) {
134 scoped_refptr<X509Certificate> cert =
135 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
136 ASSERT_TRUE(cert);
138 // clang-format off
139 const PublicKeyWhitelist kWhitelist[] = {
140 { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
141 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
142 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
143 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
144 kWhitelistCerts, arraysize(kWhitelistCerts)
147 // clang-format on
149 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
151 HashValueVector public_key_hashes = GetFakeHashValues();
153 // Should return true, indicating this certificate chains to a constrained
154 // root and is not whitelisted.
155 EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
157 SetCertificateWhitelistForTesting(nullptr, 0);
160 TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {
161 scoped_refptr<X509Certificate> cert =
162 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
163 ASSERT_TRUE(cert);
165 // clang-format off
166 const PublicKeyWhitelist kWhitelist[] = {
167 { { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
168 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
169 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
170 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 },
171 kWhitelistCerts, arraysize(kWhitelistCerts)
174 // clang-format on
176 SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
178 HashValueVector public_key_hashes = GetFakeHashValues();
180 // Should return false, because the chain (as indicated by
181 // public_key_hashes) is not constrained.
182 EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
184 SetCertificateWhitelistForTesting(nullptr, 0);
187 } // namespace
189 } // namespace net