1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/x509_util.h"
6 #include "net/cert/x509_util_nss.h"
11 #include "base/memory/ref_counted.h"
12 #include "base/memory/scoped_ptr.h"
13 #include "crypto/ec_private_key.h"
14 #include "crypto/scoped_nss_types.h"
15 #include "crypto/signature_verifier.h"
16 #include "net/cert/x509_certificate.h"
17 #include "testing/gtest/include/gtest/gtest.h"
23 CERTCertificate
* CreateNSSCertHandleFromBytes(const char* data
, size_t length
) {
25 der_cert
.data
= reinterpret_cast<unsigned char*>(const_cast<char*>(data
));
26 der_cert
.len
= length
;
27 der_cert
.type
= siDERCertBuffer
;
29 // Parse into a certificate structure.
30 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert
, NULL
,
34 #if !defined(OS_WIN) && !defined(OS_MACOSX)
35 void VerifyCertificateSignature(const std::string
& der_cert
,
36 const std::vector
<uint8
>& der_spki
) {
37 crypto::ScopedPLArenaPool
arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE
));
40 memset(&sd
, 0, sizeof(sd
));
42 SECItem der_cert_item
= {
44 reinterpret_cast<unsigned char*>(const_cast<char*>(der_cert
.data())),
45 static_cast<unsigned int>(der_cert
.size())
47 SECStatus rv
= SEC_ASN1DecodeItem(arena
.get(), &sd
,
48 SEC_ASN1_GET(CERT_SignedDataTemplate
),
50 ASSERT_EQ(SECSuccess
, rv
);
52 // The CERTSignedData.signatureAlgorithm is decoded, but SignatureVerifier
53 // wants the DER encoded form, so re-encode it again.
54 SECItem
* signature_algorithm
= SEC_ASN1EncodeItem(
57 &sd
.signatureAlgorithm
,
58 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate
));
59 ASSERT_TRUE(signature_algorithm
);
61 crypto::SignatureVerifier verifier
;
62 bool ok
= verifier
.VerifyInit(
63 signature_algorithm
->data
,
64 signature_algorithm
->len
,
66 sd
.signature
.len
/ 8, // Signature is a BIT STRING, convert to bytes.
71 verifier
.VerifyUpdate(sd
.data
.data
,
74 ok
= verifier
.VerifyFinal();
77 #endif // !defined(OS_WIN) && !defined(OS_MACOSX)
79 void VerifyChannelID(const std::string
& domain
,
80 const std::string
& der_cert
) {
81 // Origin Bound Cert OID.
82 static const char oid_string
[] = "1.3.6.1.4.1.11129.2.1.6";
84 // Create object neccessary for extension lookup call.
85 SECItem extension_object
= {
87 (unsigned char*)domain
.data(),
88 static_cast<unsigned int>(domain
.size())
91 // IA5Encode and arena allocate SECItem.
92 PLArenaPool
* arena
= PORT_NewArena(DER_DEFAULT_CHUNKSIZE
);
93 SECItem
* expected
= SEC_ASN1EncodeItem(arena
,
96 SEC_ASN1_GET(SEC_IA5StringTemplate
));
98 ASSERT_NE(static_cast<SECItem
*>(NULL
), expected
);
100 // Create OID SECItem.
101 SECItem ob_cert_oid
= { siDEROID
, NULL
, 0 };
102 SECStatus ok
= SEC_StringToOID(arena
, &ob_cert_oid
,
105 ASSERT_EQ(SECSuccess
, ok
);
107 SECOidTag ob_cert_oid_tag
= SECOID_FindOIDTag(&ob_cert_oid
);
109 ASSERT_NE(SEC_OID_UNKNOWN
, ob_cert_oid_tag
);
111 // This test is run on Mac and Win where X509Certificate::os_cert_handle isn't
112 // an NSS type, so we have to manually create a NSS certificate object so we
113 // can use CERT_FindCertExtension. We also check the subject and validity
114 // times using NSS since X509Certificate will fail with EC certs on OSX 10.5
115 // (http://crbug.com/101231).
116 CERTCertificate
* nss_cert
= CreateNSSCertHandleFromBytes(
117 der_cert
.data(), der_cert
.size());
119 char* common_name
= CERT_GetCommonName(&nss_cert
->subject
);
120 ASSERT_TRUE(common_name
);
121 EXPECT_STREQ("anonymous.invalid", common_name
);
122 PORT_Free(common_name
);
123 EXPECT_EQ(SECSuccess
, CERT_CertTimesValid(nss_cert
));
125 // Lookup Origin Bound Cert extension in generated cert.
126 SECItem actual
= { siBuffer
, NULL
, 0 };
127 ok
= CERT_FindCertExtension(nss_cert
,
130 CERT_DestroyCertificate(nss_cert
);
131 ASSERT_EQ(SECSuccess
, ok
);
133 // Compare expected and actual extension values.
134 PRBool result
= SECITEM_ItemsAreEqual(expected
, &actual
);
138 SECITEM_FreeItem(&actual
, PR_FALSE
);
139 PORT_FreeArena(arena
, PR_FALSE
);
144 // This test creates a domain-bound cert and an EC private key and
145 // then verifies the content of the certificate.
146 TEST(X509UtilNSSTest
, CreateKeyAndChannelIDEC
) {
147 // Create a sample ASCII weborigin.
148 std::string domain
= "weborigin.com";
149 base::Time now
= base::Time::Now();
151 scoped_ptr
<crypto::ECPrivateKey
> private_key
;
152 std::string der_cert
;
153 ASSERT_TRUE(x509_util::CreateKeyAndChannelIDEC(
156 now
+ base::TimeDelta::FromDays(1),
160 VerifyChannelID(domain
, der_cert
);
162 #if !defined(OS_WIN) && !defined(OS_MACOSX)
163 // signature_verifier_win and signature_verifier_mac can't handle EC certs.
164 std::vector
<uint8
> spki
;
165 ASSERT_TRUE(private_key
->ExportPublicKey(&spki
));
166 VerifyCertificateSignature(der_cert
, spki
);