search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Web MIDI: send back error information to blink on starting sessions
[chromium-blink-merge.git] / net / cert / cert_verify_proc_unittest.cc
blob8f5156bc8631eafacd1f33ef9c2a1138ec672e44
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_verify_proc.h"
6
7 #include <vector>
8
9 #include "base/callback_helpers.h"
10 #include "base/files/file_path.h"
11 #include "base/logging.h"
12 #include "base/sha1.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "crypto/sha2.h"
15 #include "net/base/net_errors.h"
16 #include "net/base/test_data_directory.h"
17 #include "net/cert/asn1_util.h"
18 #include "net/cert/cert_status_flags.h"
19 #include "net/cert/cert_verifier.h"
20 #include "net/cert/cert_verify_result.h"
21 #include "net/cert/crl_set.h"
22 #include "net/cert/test_root_certs.h"
23 #include "net/cert/x509_certificate.h"
24 #include "net/test/cert_test_util.h"
25 #include "net/test/test_certificate_data.h"
26 #include "testing/gtest/include/gtest/gtest.h"
27
28 #if defined(OS_WIN)
29 #include "base/win/windows_version.h"
30 #elif defined(OS_MACOSX) && !defined(OS_IOS)
31 #include "base/mac/mac_util.h"
32 #elif defined(OS_ANDROID)
33 #include "base/android/build_info.h"
34 #endif
35
36 using base::HexEncode;
37
38 namespace net {
39
40 namespace {
41
42 // A certificate for www.paypal.com with a NULL byte in the common name.
43 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
44 unsigned char paypal_null_fingerprint[] = {
45 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba,
46 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7
47 };
48
49 // Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root|
50 // for all certificates that are Verified.
51 class WellKnownCaCertVerifyProc : public CertVerifyProc {
52 public:
53 // Initialize a CertVerifyProc that will set
54 // |verify_result->is_issued_by_known_root| to |is_well_known|.
55 explicit WellKnownCaCertVerifyProc(bool is_well_known)
56 : is_well_known_(is_well_known) {}
57
58 // CertVerifyProc implementation:
59 virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; }
60
61 protected:
62 virtual ~WellKnownCaCertVerifyProc() {}
63
64 private:
65 virtual int VerifyInternal(X509Certificate* cert,
66 const std::string& hostname,
67 int flags,
68 CRLSet* crl_set,
69 const CertificateList& additional_trust_anchors,
70 CertVerifyResult* verify_result) OVERRIDE;
71
72 const bool is_well_known_;
73
74 DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc);
75 };
76
77 int WellKnownCaCertVerifyProc::VerifyInternal(
78 X509Certificate* cert,
79 const std::string& hostname,
80 int flags,
81 CRLSet* crl_set,
82 const CertificateList& additional_trust_anchors,
83 CertVerifyResult* verify_result) {
84 verify_result->is_issued_by_known_root = is_well_known_;
85 return OK;
86 }
87
88 bool SupportsReturningVerifiedChain() {
89 #if defined(OS_ANDROID)
90 // Before API level 17, Android does not expose the APIs necessary to get at
91 // the verified certificate chain.
92 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
93 return false;
94 #endif
95 return true;
96 }
97
98 bool SupportsDetectingKnownRoots() {
99 #if defined(OS_ANDROID)
100 // http://crbug.com/361166
101 return false;
102 #endif
103 return true;
104 }
105
106 } // namespace
107
108 class CertVerifyProcTest : public testing::Test {
109 public:
110 CertVerifyProcTest()
111 : verify_proc_(CertVerifyProc::CreateDefault()) {
112 }
113 virtual ~CertVerifyProcTest() {}
114
115 protected:
116 bool SupportsAdditionalTrustAnchors() {
117 return verify_proc_->SupportsAdditionalTrustAnchors();
118 }
119
120 int Verify(X509Certificate* cert,
121 const std::string& hostname,
122 int flags,
123 CRLSet* crl_set,
124 const CertificateList& additional_trust_anchors,
125 CertVerifyResult* verify_result) {
126 return verify_proc_->Verify(cert, hostname, flags, crl_set,
127 additional_trust_anchors, verify_result);
128 }
129
130 const CertificateList empty_cert_list_;
131 scoped_refptr<CertVerifyProc> verify_proc_;
132 };
133
134 TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) {
135 // Check that verification without revocation checking works.
136 CertificateList certs = CreateCertificateListFromFile(
137 GetTestCertsDirectory(),
138 "googlenew.chain.pem",
139 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
140
141 X509Certificate::OSCertHandles intermediates;
142 intermediates.push_back(certs[1]->os_cert_handle());
143
144 scoped_refptr<X509Certificate> google_full_chain =
145 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
146 intermediates);
147
148 CertVerifyResult verify_result;
149 EXPECT_EQ(OK,
150 Verify(google_full_chain.get(),
151 "www.google.com",
152 0 /* flags */,
153 NULL,
154 empty_cert_list_,
155 &verify_result));
156 }
157
158 #if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
159 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
160 #define MAYBE_EVVerification DISABLED_EVVerification
161 #else
162 #define MAYBE_EVVerification EVVerification
163 #endif
164 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
165 CertificateList certs = CreateCertificateListFromFile(
166 GetTestCertsDirectory(),
167 "comodo.chain.pem",
168 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
169 ASSERT_EQ(3U, certs.size());
170
171 X509Certificate::OSCertHandles intermediates;
172 intermediates.push_back(certs[1]->os_cert_handle());
173 intermediates.push_back(certs[2]->os_cert_handle());
174
175 scoped_refptr<X509Certificate> comodo_chain =
176 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
177 intermediates);
178
179 scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
180 CertVerifyResult verify_result;
181 int flags = CertVerifier::VERIFY_EV_CERT;
182 int error = Verify(comodo_chain.get(),
183 "comodo.com",
184 flags,
185 crl_set.get(),
186 empty_cert_list_,
187 &verify_result);
188 EXPECT_EQ(OK, error);
189 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
190 }
191
192 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) {
193 scoped_refptr<X509Certificate> paypal_null_cert(
194 X509Certificate::CreateFromBytes(
195 reinterpret_cast<const char*>(paypal_null_der),
196 sizeof(paypal_null_der)));
197
198 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
199
200 const SHA1HashValue& fingerprint =
201 paypal_null_cert->fingerprint();
202 for (size_t i = 0; i < 20; ++i)
203 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
204
205 int flags = 0;
206 CertVerifyResult verify_result;
207 int error = Verify(paypal_null_cert.get(),
208 "www.paypal.com",
209 flags,
210 NULL,
211 empty_cert_list_,
212 &verify_result);
213 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID)
214 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
215 #else
216 // TOOD(bulach): investigate why macosx and win aren't returning
217 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
218 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
219 #endif
220 // Either the system crypto library should correctly report a certificate
221 // name mismatch, or our certificate blacklist should cause us to report an
222 // invalid certificate.
223 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS)
224 EXPECT_TRUE(verify_result.cert_status &
225 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
226 #endif
227 }
228
229 // A regression test for http://crbug.com/31497.
230 #if defined(OS_ANDROID)
231 // Disabled on Android, as the Android verification libraries require an
232 // explicit policy to be specified, even when anyPolicy is permitted.
233 #define MAYBE_IntermediateCARequireExplicitPolicy \
234 DISABLED_IntermediateCARequireExplicitPolicy
235 #else
236 #define MAYBE_IntermediateCARequireExplicitPolicy \
237 IntermediateCARequireExplicitPolicy
238 #endif
239 TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
240 base::FilePath certs_dir = GetTestCertsDirectory();
241
242 CertificateList certs = CreateCertificateListFromFile(
243 certs_dir, "explicit-policy-chain.pem",
244 X509Certificate::FORMAT_AUTO);
245 ASSERT_EQ(3U, certs.size());
246
247 X509Certificate::OSCertHandles intermediates;
248 intermediates.push_back(certs[1]->os_cert_handle());
249
250 scoped_refptr<X509Certificate> cert =
251 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
252 intermediates);
253 ASSERT_TRUE(cert.get());
254
255 ScopedTestRoot scoped_root(certs[2].get());
256
257 int flags = 0;
258 CertVerifyResult verify_result;
259 int error = Verify(cert.get(),
260 "policy_test.example",
261 flags,
262 NULL,
263 empty_cert_list_,
264 &verify_result);
265 EXPECT_EQ(OK, error);
266 EXPECT_EQ(0u, verify_result.cert_status);
267 }
268
269 // Test for bug 58437.
270 // This certificate will expire on 2011-12-21. The test will still
271 // pass if error == ERR_CERT_DATE_INVALID.
272 // This test is DISABLED because it appears that we cannot do
273 // certificate revocation checking when running all of the net unit tests.
274 // This test passes when run individually, but when run with all of the net
275 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is
276 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation
277 // status, i.e. that the revocation check is failing for some reason.
278 TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) {
279 base::FilePath certs_dir = GetTestCertsDirectory();
280
281 scoped_refptr<X509Certificate> server_cert =
282 ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem");
283 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
284
285 scoped_refptr<X509Certificate> intermediate_cert =
286 ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem");
287 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
288
289 X509Certificate::OSCertHandles intermediates;
290 intermediates.push_back(intermediate_cert->os_cert_handle());
291 scoped_refptr<X509Certificate> cert_chain =
292 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
293 intermediates);
294
295 CertVerifyResult verify_result;
296 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED |
297 CertVerifier::VERIFY_EV_CERT;
298 int error = Verify(cert_chain.get(),
299 "2029.globalsign.com",
300 flags,
301 NULL,
302 empty_cert_list_,
303 &verify_result);
304 if (error == OK)
305 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
306 else
307 EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
308 }
309
310 // Test that verifying an ECDSA certificate doesn't crash on XP. (See
311 // crbug.com/144466).
312 TEST_F(CertVerifyProcTest, ECDSA_RSA) {
313 base::FilePath certs_dir = GetTestCertsDirectory();
314
315 scoped_refptr<X509Certificate> cert =
316 ImportCertFromFile(certs_dir,
317 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem");
318
319 CertVerifyResult verify_result;
320 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result);
321
322 // We don't check verify_result because the certificate is signed by an
323 // unknown CA and will be considered invalid on XP because of the ECDSA
324 // public key.
325 }
326
327 // Currently, only RSA and DSA keys are checked for weakness, and our example
328 // weak size is 768. These could change in the future.
329 //
330 // Note that this means there may be false negatives: keys for other
331 // algorithms and which are weak will pass this test.
332 static bool IsWeakKeyType(const std::string& key_type) {
333 size_t pos = key_type.find("-");
334 std::string size = key_type.substr(0, pos);
335 std::string type = key_type.substr(pos + 1);
336
337 if (type == "rsa" || type == "dsa")
338 return size == "768";
339
340 return false;
341 }
342
343 TEST_F(CertVerifyProcTest, RejectWeakKeys) {
344 base::FilePath certs_dir = GetTestCertsDirectory();
345 typedef std::vector<std::string> Strings;
346 Strings key_types;
347
348 // generate-weak-test-chains.sh currently has:
349 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
350 // We must use the same key types here. The filenames generated look like:
351 // 2048-rsa-ee-by-768-rsa-intermediate.pem
352 key_types.push_back("768-rsa");
353 key_types.push_back("1024-rsa");
354 key_types.push_back("2048-rsa");
355
356 bool use_ecdsa = true;
357 #if defined(OS_WIN)
358 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP;
359 #endif
360
361 if (use_ecdsa)
362 key_types.push_back("prime256v1-ecdsa");
363
364 // Add the root that signed the intermediates for this test.
365 scoped_refptr<X509Certificate> root_cert =
366 ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
367 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
368 ScopedTestRoot scoped_root(root_cert.get());
369
370 // Now test each chain.
371 for (Strings::const_iterator ee_type = key_types.begin();
372 ee_type != key_types.end(); ++ee_type) {
373 for (Strings::const_iterator signer_type = key_types.begin();
374 signer_type != key_types.end(); ++signer_type) {
375 std::string basename = *ee_type + "-ee-by-" + *signer_type +
376 "-intermediate.pem";
377 SCOPED_TRACE(basename);
378 scoped_refptr<X509Certificate> ee_cert =
379 ImportCertFromFile(certs_dir, basename);
380 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
381
382 basename = *signer_type + "-intermediate.pem";
383 scoped_refptr<X509Certificate> intermediate =
384 ImportCertFromFile(certs_dir, basename);
385 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate);
386
387 X509Certificate::OSCertHandles intermediates;
388 intermediates.push_back(intermediate->os_cert_handle());
389 scoped_refptr<X509Certificate> cert_chain =
390 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
391 intermediates);
392
393 CertVerifyResult verify_result;
394 int error = Verify(cert_chain.get(),
395 "127.0.0.1",
396 0,
397 NULL,
398 empty_cert_list_,
399 &verify_result);
400
401 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
402 EXPECT_NE(OK, error);
403 EXPECT_EQ(CERT_STATUS_WEAK_KEY,
404 verify_result.cert_status & CERT_STATUS_WEAK_KEY);
405 EXPECT_NE(CERT_STATUS_INVALID,
406 verify_result.cert_status & CERT_STATUS_INVALID);
407 } else {
408 EXPECT_EQ(OK, error);
409 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
410 }
411 }
412 }
413 }
414
415 // Regression test for http://crbug.com/108514.
416 #if defined(OS_MACOSX) && !defined(OS_IOS)
417 // Disabled on OS X - Security.framework doesn't ignore superflous certificates
418 // provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
419 // details.
420 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
421 #else
422 #define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
423 #endif
424 TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
425 if (!SupportsReturningVerifiedChain()) {
426 LOG(INFO) << "Skipping this test in this platform.";
427 return;
428 }
429
430 base::FilePath certs_dir = GetTestCertsDirectory();
431
432 scoped_refptr<X509Certificate> server_cert =
433 ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
434 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
435
436 scoped_refptr<X509Certificate> extra_cert =
437 ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
438 ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
439
440 scoped_refptr<X509Certificate> root_cert =
441 ImportCertFromFile(certs_dir, "cross-signed-root-sha1.pem");
442 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
443
444 ScopedTestRoot scoped_root(root_cert.get());
445
446 X509Certificate::OSCertHandles intermediates;
447 intermediates.push_back(extra_cert->os_cert_handle());
448 scoped_refptr<X509Certificate> cert_chain =
449 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
450 intermediates);
451
452 CertVerifyResult verify_result;
453 int flags = 0;
454 int error = Verify(cert_chain.get(),
455 "127.0.0.1",
456 flags,
457 NULL,
458 empty_cert_list_,
459 &verify_result);
460 EXPECT_EQ(OK, error);
461
462 // The extra MD5 root should be discarded
463 ASSERT_TRUE(verify_result.verified_cert.get());
464 ASSERT_EQ(1u,
465 verify_result.verified_cert->GetIntermediateCertificates().size());
466 EXPECT_TRUE(X509Certificate::IsSameOSCert(
467 verify_result.verified_cert->GetIntermediateCertificates().front(),
468 root_cert->os_cert_handle()));
469
470 EXPECT_FALSE(verify_result.has_md5);
471 }
472
473 // Test for bug 94673.
474 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
475 base::FilePath certs_dir = GetTestCertsDirectory();
476
477 scoped_refptr<X509Certificate> server_cert =
478 ImportCertFromFile(certs_dir, "google_diginotar.pem");
479 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
480
481 scoped_refptr<X509Certificate> intermediate_cert =
482 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
483 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
484
485 X509Certificate::OSCertHandles intermediates;
486 intermediates.push_back(intermediate_cert->os_cert_handle());
487 scoped_refptr<X509Certificate> cert_chain =
488 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
489 intermediates);
490
491 CertVerifyResult verify_result;
492 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
493 int error = Verify(cert_chain.get(),
494 "mail.google.com",
495 flags,
496 NULL,
497 empty_cert_list_,
498 &verify_result);
499 EXPECT_NE(OK, error);
500
501 // Now turn off revocation checking. Certificate verification should still
502 // fail.
503 flags = 0;
504 error = Verify(cert_chain.get(),
505 "mail.google.com",
506 flags,
507 NULL,
508 empty_cert_list_,
509 &verify_result);
510 EXPECT_NE(OK, error);
511 }
512
513 TEST_F(CertVerifyProcTest, DigiNotarCerts) {
514 static const char* const kDigiNotarFilenames[] = {
515 "diginotar_root_ca.pem",
516 "diginotar_cyber_ca.pem",
517 "diginotar_services_1024_ca.pem",
518 "diginotar_pkioverheid.pem",
519 "diginotar_pkioverheid_g2.pem",
520 NULL,
521 };
522
523 base::FilePath certs_dir = GetTestCertsDirectory();
524
525 for (size_t i = 0; kDigiNotarFilenames[i]; i++) {
526 scoped_refptr<X509Certificate> diginotar_cert =
527 ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
528 std::string der_bytes;
529 ASSERT_TRUE(X509Certificate::GetDEREncoded(
530 diginotar_cert->os_cert_handle(), &der_bytes));
531
532 base::StringPiece spki;
533 ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
534
535 std::string spki_sha1 = base::SHA1HashString(spki.as_string());
536
537 HashValueVector public_keys;
538 HashValue hash(HASH_VALUE_SHA1);
539 ASSERT_EQ(hash.size(), spki_sha1.size());
540 memcpy(hash.data(), spki_sha1.data(), spki_sha1.size());
541 public_keys.push_back(hash);
542
543 EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
544 "Public key not blocked for " << kDigiNotarFilenames[i];
545 }
546 }
547
548 TEST_F(CertVerifyProcTest, NameConstraintsOk) {
549 CertificateList ca_cert_list =
550 CreateCertificateListFromFile(GetTestCertsDirectory(),
551 "root_ca_cert.pem",
552 X509Certificate::FORMAT_AUTO);
553 ASSERT_EQ(1U, ca_cert_list.size());
554 ScopedTestRoot test_root(ca_cert_list[0]);
555
556 CertificateList cert_list = CreateCertificateListFromFile(
557 GetTestCertsDirectory(), "name_constraint_ok.crt",
558 X509Certificate::FORMAT_AUTO);
559 ASSERT_EQ(1U, cert_list.size());
560
561 X509Certificate::OSCertHandles intermediates;
562 scoped_refptr<X509Certificate> leaf =
563 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
564 intermediates);
565
566 int flags = 0;
567 CertVerifyResult verify_result;
568 int error = Verify(leaf.get(),
569 "test.example.com",
570 flags,
571 NULL,
572 empty_cert_list_,
573 &verify_result);
574 EXPECT_EQ(OK, error);
575 EXPECT_EQ(0U, verify_result.cert_status);
576 }
577
578 TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
579 if (!SupportsReturningVerifiedChain()) {
580 LOG(INFO) << "Skipping this test in this platform.";
581 return;
582 }
583
584 CertificateList ca_cert_list =
585 CreateCertificateListFromFile(GetTestCertsDirectory(),
586 "root_ca_cert.pem",
587 X509Certificate::FORMAT_AUTO);
588 ASSERT_EQ(1U, ca_cert_list.size());
589 ScopedTestRoot test_root(ca_cert_list[0]);
590
591 CertificateList cert_list = CreateCertificateListFromFile(
592 GetTestCertsDirectory(), "name_constraint_bad.crt",
593 X509Certificate::FORMAT_AUTO);
594 ASSERT_EQ(1U, cert_list.size());
595
596 X509Certificate::OSCertHandles intermediates;
597 scoped_refptr<X509Certificate> leaf =
598 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
599 intermediates);
600
601 int flags = 0;
602 CertVerifyResult verify_result;
603 int error = Verify(leaf.get(),
604 "test.example.com",
605 flags,
606 NULL,
607 empty_cert_list_,
608 &verify_result);
609 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error);
610 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
611 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
612 }
613
614 TEST_F(CertVerifyProcTest, TestKnownRoot) {
615 if (!SupportsDetectingKnownRoots()) {
616 LOG(INFO) << "Skipping this test in this platform.";
617 return;
618 }
619
620 base::FilePath certs_dir = GetTestCertsDirectory();
621 CertificateList certs = CreateCertificateListFromFile(
622 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
623 ASSERT_EQ(2U, certs.size());
624
625 X509Certificate::OSCertHandles intermediates;
626 intermediates.push_back(certs[1]->os_cert_handle());
627
628 scoped_refptr<X509Certificate> cert_chain =
629 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
630 intermediates);
631
632 int flags = 0;
633 CertVerifyResult verify_result;
634 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
635 // against agl. See also PublicKeyHashes.
636 int error = Verify(cert_chain.get(),
637 "satveda.com",
638 flags,
639 NULL,
640 empty_cert_list_,
641 &verify_result);
642 EXPECT_EQ(OK, error);
643 EXPECT_EQ(0U, verify_result.cert_status);
644 EXPECT_TRUE(verify_result.is_issued_by_known_root);
645 }
646
647 // The certse.pem certificate has been revoked. crbug.com/259723.
648 TEST_F(CertVerifyProcTest, PublicKeyHashes) {
649 if (!SupportsReturningVerifiedChain()) {
650 LOG(INFO) << "Skipping this test in this platform.";
651 return;
652 }
653
654 base::FilePath certs_dir = GetTestCertsDirectory();
655 CertificateList certs = CreateCertificateListFromFile(
656 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
657 ASSERT_EQ(2U, certs.size());
658
659 X509Certificate::OSCertHandles intermediates;
660 intermediates.push_back(certs[1]->os_cert_handle());
661
662 scoped_refptr<X509Certificate> cert_chain =
663 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
664 intermediates);
665 int flags = 0;
666 CertVerifyResult verify_result;
667
668 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
669 // against agl. See also TestKnownRoot.
670 int error = Verify(cert_chain.get(),
671 "satveda.com",
672 flags,
673 NULL,
674 empty_cert_list_,
675 &verify_result);
676 EXPECT_EQ(OK, error);
677 EXPECT_EQ(0U, verify_result.cert_status);
678 ASSERT_LE(2U, verify_result.public_key_hashes.size());
679
680 HashValueVector sha1_hashes;
681 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
682 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1)
683 continue;
684 sha1_hashes.push_back(verify_result.public_key_hashes[i]);
685 }
686 ASSERT_LE(2u, sha1_hashes.size());
687
688 for (size_t i = 0; i < 2; ++i) {
689 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
690 HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
691 }
692
693 HashValueVector sha256_hashes;
694 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
695 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256)
696 continue;
697 sha256_hashes.push_back(verify_result.public_key_hashes[i]);
698 }
699 ASSERT_LE(2u, sha256_hashes.size());
700
701 for (size_t i = 0; i < 2; ++i) {
702 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
703 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
704 }
705 }
706
707 // A regression test for http://crbug.com/70293.
708 // The Key Usage extension in this RSA SSL server certificate does not have
709 // the keyEncipherment bit.
710 TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
711 base::FilePath certs_dir = GetTestCertsDirectory();
712
713 scoped_refptr<X509Certificate> server_cert =
714 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
715 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
716
717 int flags = 0;
718 CertVerifyResult verify_result;
719 int error = Verify(server_cert.get(),
720 "jira.aquameta.com",
721 flags,
722 NULL,
723 empty_cert_list_,
724 &verify_result);
725 #if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
726 // This certificate has two errors: "invalid key usage" and "untrusted CA".
727 // However, OpenSSL returns only one (the latter), and we can't detect
728 // the other errors.
729 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
730 #else
731 EXPECT_EQ(ERR_CERT_INVALID, error);
732 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
733 #endif
734 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
735 // from NSS.
736 #if !defined(USE_NSS) && !defined(OS_IOS) && !defined(OS_ANDROID)
737 // The certificate is issued by an unknown CA.
738 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
739 #endif
740 }
741
742 // Basic test for returning the chain in CertVerifyResult. Note that the
743 // returned chain may just be a reflection of the originally supplied chain;
744 // that is, if any errors occur, the default chain returned is an exact copy
745 // of the certificate to be verified. The remaining VerifyReturn* tests are
746 // used to ensure that the actual, verified chain is being returned by
747 // Verify().
748 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
749 if (!SupportsReturningVerifiedChain()) {
750 LOG(INFO) << "Skipping this test in this platform.";
751 return;
752 }
753
754 base::FilePath certs_dir = GetTestCertsDirectory();
755 CertificateList certs = CreateCertificateListFromFile(
756 certs_dir, "x509_verify_results.chain.pem",
757 X509Certificate::FORMAT_AUTO);
758 ASSERT_EQ(3U, certs.size());
759
760 X509Certificate::OSCertHandles intermediates;
761 intermediates.push_back(certs[1]->os_cert_handle());
762 intermediates.push_back(certs[2]->os_cert_handle());
763
764 ScopedTestRoot scoped_root(certs[2].get());
765
766 scoped_refptr<X509Certificate> google_full_chain =
767 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
768 intermediates);
769 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
770 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
771
772 CertVerifyResult verify_result;
773 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
774 int error = Verify(google_full_chain.get(),
775 "127.0.0.1",
776 0,
777 NULL,
778 empty_cert_list_,
779 &verify_result);
780 EXPECT_EQ(OK, error);
781 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
782
783 EXPECT_NE(google_full_chain, verify_result.verified_cert);
784 EXPECT_TRUE(X509Certificate::IsSameOSCert(
785 google_full_chain->os_cert_handle(),
786 verify_result.verified_cert->os_cert_handle()));
787 const X509Certificate::OSCertHandles& return_intermediates =
788 verify_result.verified_cert->GetIntermediateCertificates();
789 ASSERT_EQ(2U, return_intermediates.size());
790 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
791 certs[1]->os_cert_handle()));
792 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
793 certs[2]->os_cert_handle()));
794 }
795
796 // Test that certificates issued for 'intranet' names (that is, containing no
797 // known public registry controlled domain information) issued by well-known
798 // CAs are flagged appropriately, while certificates that are issued by
799 // internal CAs are not flagged.
800 TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
801 if (!SupportsDetectingKnownRoots()) {
802 LOG(INFO) << "Skipping this test in this platform.";
803 return;
804 }
805
806 CertificateList cert_list = CreateCertificateListFromFile(
807 GetTestCertsDirectory(), "ok_cert.pem",
808 X509Certificate::FORMAT_AUTO);
809 ASSERT_EQ(1U, cert_list.size());
810 scoped_refptr<X509Certificate> cert(cert_list[0]);
811
812 CertVerifyResult verify_result;
813 int error = 0;
814
815 // Intranet names for public CAs should be flagged:
816 verify_proc_ = new WellKnownCaCertVerifyProc(true);
817 error =
818 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
819 EXPECT_EQ(OK, error);
820 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
821
822 // However, if the CA is not well known, these should not be flagged:
823 verify_proc_ = new WellKnownCaCertVerifyProc(false);
824 error =
825 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
826 EXPECT_EQ(OK, error);
827 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
828 }
829
830 // Test that the certificate returned in CertVerifyResult is able to reorder
831 // certificates that are not ordered from end-entity to root. While this is
832 // a protocol violation if sent during a TLS handshake, if multiple sources
833 // of intermediate certificates are combined, it's possible that order may
834 // not be maintained.
835 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
836 if (!SupportsReturningVerifiedChain()) {
837 LOG(INFO) << "Skipping this test in this platform.";
838 return;
839 }
840
841 base::FilePath certs_dir = GetTestCertsDirectory();
842 CertificateList certs = CreateCertificateListFromFile(
843 certs_dir, "x509_verify_results.chain.pem",
844 X509Certificate::FORMAT_AUTO);
845 ASSERT_EQ(3U, certs.size());
846
847 // Construct the chain out of order.
848 X509Certificate::OSCertHandles intermediates;
849 intermediates.push_back(certs[2]->os_cert_handle());
850 intermediates.push_back(certs[1]->os_cert_handle());
851
852 ScopedTestRoot scoped_root(certs[2].get());
853
854 scoped_refptr<X509Certificate> google_full_chain =
855 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
856 intermediates);
857 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
858 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
859
860 CertVerifyResult verify_result;
861 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
862 int error = Verify(google_full_chain.get(),
863 "127.0.0.1",
864 0,
865 NULL,
866 empty_cert_list_,
867 &verify_result);
868 EXPECT_EQ(OK, error);
869 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
870
871 EXPECT_NE(google_full_chain, verify_result.verified_cert);
872 EXPECT_TRUE(X509Certificate::IsSameOSCert(
873 google_full_chain->os_cert_handle(),
874 verify_result.verified_cert->os_cert_handle()));
875 const X509Certificate::OSCertHandles& return_intermediates =
876 verify_result.verified_cert->GetIntermediateCertificates();
877 ASSERT_EQ(2U, return_intermediates.size());
878 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
879 certs[1]->os_cert_handle()));
880 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
881 certs[2]->os_cert_handle()));
882 }
883
884 // Test that Verify() filters out certificates which are not related to
885 // or part of the certificate chain being verified.
886 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
887 if (!SupportsReturningVerifiedChain()) {
888 LOG(INFO) << "Skipping this test in this platform.";
889 return;
890 }
891
892 base::FilePath certs_dir = GetTestCertsDirectory();
893 CertificateList certs = CreateCertificateListFromFile(
894 certs_dir, "x509_verify_results.chain.pem",
895 X509Certificate::FORMAT_AUTO);
896 ASSERT_EQ(3U, certs.size());
897 ScopedTestRoot scoped_root(certs[2].get());
898
899 scoped_refptr<X509Certificate> unrelated_certificate =
900 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
901 scoped_refptr<X509Certificate> unrelated_certificate2 =
902 ImportCertFromFile(certs_dir, "aia-cert.pem");
903 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate);
904 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2);
905
906 // Interject unrelated certificates into the list of intermediates.
907 X509Certificate::OSCertHandles intermediates;
908 intermediates.push_back(unrelated_certificate->os_cert_handle());
909 intermediates.push_back(certs[1]->os_cert_handle());
910 intermediates.push_back(unrelated_certificate2->os_cert_handle());
911 intermediates.push_back(certs[2]->os_cert_handle());
912
913 scoped_refptr<X509Certificate> google_full_chain =
914 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
915 intermediates);
916 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
917 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
918
919 CertVerifyResult verify_result;
920 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
921 int error = Verify(google_full_chain.get(),
922 "127.0.0.1",
923 0,
924 NULL,
925 empty_cert_list_,
926 &verify_result);
927 EXPECT_EQ(OK, error);
928 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
929
930 EXPECT_NE(google_full_chain, verify_result.verified_cert);
931 EXPECT_TRUE(X509Certificate::IsSameOSCert(
932 google_full_chain->os_cert_handle(),
933 verify_result.verified_cert->os_cert_handle()));
934 const X509Certificate::OSCertHandles& return_intermediates =
935 verify_result.verified_cert->GetIntermediateCertificates();
936 ASSERT_EQ(2U, return_intermediates.size());
937 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
938 certs[1]->os_cert_handle()));
939 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
940 certs[2]->os_cert_handle()));
941 }
942
943 TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
944 if (!SupportsAdditionalTrustAnchors()) {
945 LOG(INFO) << "Skipping this test in this platform.";
946 return;
947 }
948
949 // |ca_cert| is the issuer of |cert|.
950 CertificateList ca_cert_list = CreateCertificateListFromFile(
951 GetTestCertsDirectory(), "root_ca_cert.pem",
952 X509Certificate::FORMAT_AUTO);
953 ASSERT_EQ(1U, ca_cert_list.size());
954 scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
955
956 CertificateList cert_list = CreateCertificateListFromFile(
957 GetTestCertsDirectory(), "ok_cert.pem",
958 X509Certificate::FORMAT_AUTO);
959 ASSERT_EQ(1U, cert_list.size());
960 scoped_refptr<X509Certificate> cert(cert_list[0]);
961
962 // Verification of |cert| fails when |ca_cert| is not in the trust anchors
963 // list.
964 int flags = 0;
965 CertVerifyResult verify_result;
966 int error = Verify(
967 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
968 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
969 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
970 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
971
972 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
973 CertificateList trust_anchors;
974 trust_anchors.push_back(ca_cert);
975 error = Verify(
976 cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
977 EXPECT_EQ(OK, error);
978 EXPECT_EQ(0U, verify_result.cert_status);
979 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
980
981 // Clearing the |trust_anchors| makes verification fail again (the cache
982 // should be skipped).
983 error = Verify(
984 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
985 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
986 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
987 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
988 }
989
990 // Tests that certificates issued by user-supplied roots are not flagged as
991 // issued by a known root. This should pass whether or not the platform supports
992 // detecting known roots.
993 TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
994 // Load root_ca_cert.pem into the test root store.
995 TestRootCerts* root_certs = TestRootCerts::GetInstance();
996 root_certs->AddFromFile(
997 GetTestCertsDirectory().AppendASCII("root_ca_cert.pem"));
998
999 CertificateList cert_list = CreateCertificateListFromFile(
1000 GetTestCertsDirectory(), "ok_cert.pem",
1001 X509Certificate::FORMAT_AUTO);
1002 ASSERT_EQ(1U, cert_list.size());
1003 scoped_refptr<X509Certificate> cert(cert_list[0]);
1004
1005 // Verification should pass.
1006 int flags = 0;
1007 CertVerifyResult verify_result;
1008 int error = Verify(
1009 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1010 EXPECT_EQ(OK, error);
1011 EXPECT_EQ(0U, verify_result.cert_status);
1012 // But should not be marked as a known root.
1013 EXPECT_FALSE(verify_result.is_issued_by_known_root);
1014
1015 root_certs->Clear();
1016 EXPECT_TRUE(root_certs->IsEmpty());
1017 }
1018
1019 #if defined(OS_MACOSX) && !defined(OS_IOS)
1020 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
1021 // Root can be successfully worked around once Apple completes removing the
1022 // older GTE CyberTrust Root from its trusted root store.
1023 //
1024 // The issue is caused by servers supplying the cross-certified intermediate
1025 // (necessary for certain mobile platforms), which OS X does not recognize
1026 // as already existing within its trust store.
1027 TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
1028 CertificateList certs = CreateCertificateListFromFile(
1029 GetTestCertsDirectory(),
1030 "cybertrust_omniroot_chain.pem",
1031 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
1032 ASSERT_EQ(2U, certs.size());
1033
1034 X509Certificate::OSCertHandles intermediates;
1035 intermediates.push_back(certs[1]->os_cert_handle());
1036
1037 scoped_refptr<X509Certificate> cybertrust_basic =
1038 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
1039 intermediates);
1040 ASSERT_TRUE(cybertrust_basic.get());
1041
1042 scoped_refptr<X509Certificate> baltimore_root =
1043 ImportCertFromFile(GetTestCertsDirectory(),
1044 "cybertrust_baltimore_root.pem");
1045 ASSERT_TRUE(baltimore_root.get());
1046
1047 ScopedTestRoot scoped_root(baltimore_root.get());
1048
1049 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This
1050 // simulates Keychain removing support for the GTE CyberTrust Root.
1051 TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
1052 base::ScopedClosureRunner reset_system_trust(
1053 base::Bind(&TestRootCerts::SetAllowSystemTrust,
1054 base::Unretained(TestRootCerts::GetInstance()),
1055 true));
1056
1057 // First, make sure a simple certificate chain from
1058 // EE -> Public SureServer SV -> Baltimore CyberTrust
1059 // works. Only the first two certificates are included in the chain.
1060 int flags = 0;
1061 CertVerifyResult verify_result;
1062 int error = Verify(cybertrust_basic.get(),
1063 "cacert.omniroot.com",
1064 flags,
1065 NULL,
1066 empty_cert_list_,
1067 &verify_result);
1068 EXPECT_EQ(OK, error);
1069 EXPECT_EQ(0U, verify_result.cert_status);
1070
1071 // Attempt to verify with the first known cross-certified intermediate
1072 // provided.
1073 scoped_refptr<X509Certificate> baltimore_intermediate_1 =
1074 ImportCertFromFile(GetTestCertsDirectory(),
1075 "cybertrust_baltimore_cross_certified_1.pem");
1076 ASSERT_TRUE(baltimore_intermediate_1.get());
1077
1078 X509Certificate::OSCertHandles intermediate_chain_1 =
1079 cybertrust_basic->GetIntermediateCertificates();
1080 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
1081
1082 scoped_refptr<X509Certificate> baltimore_chain_1 =
1083 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1084 intermediate_chain_1);
1085 error = Verify(baltimore_chain_1.get(),
1086 "cacert.omniroot.com",
1087 flags,
1088 NULL,
1089 empty_cert_list_,
1090 &verify_result);
1091 EXPECT_EQ(OK, error);
1092 EXPECT_EQ(0U, verify_result.cert_status);
1093
1094 // Attempt to verify with the second known cross-certified intermediate
1095 // provided.
1096 scoped_refptr<X509Certificate> baltimore_intermediate_2 =
1097 ImportCertFromFile(GetTestCertsDirectory(),
1098 "cybertrust_baltimore_cross_certified_2.pem");
1099 ASSERT_TRUE(baltimore_intermediate_2.get());
1100
1101 X509Certificate::OSCertHandles intermediate_chain_2 =
1102 cybertrust_basic->GetIntermediateCertificates();
1103 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
1104
1105 scoped_refptr<X509Certificate> baltimore_chain_2 =
1106 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1107 intermediate_chain_2);
1108 error = Verify(baltimore_chain_2.get(),
1109 "cacert.omniroot.com",
1110 flags,
1111 NULL,
1112 empty_cert_list_,
1113 &verify_result);
1114 EXPECT_EQ(OK, error);
1115 EXPECT_EQ(0U, verify_result.cert_status);
1116
1117 // Attempt to verify when both a cross-certified intermediate AND
1118 // the legacy GTE root are provided.
1119 scoped_refptr<X509Certificate> cybertrust_root =
1120 ImportCertFromFile(GetTestCertsDirectory(),
1121 "cybertrust_gte_root.pem");
1122 ASSERT_TRUE(cybertrust_root.get());
1123
1124 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
1125 scoped_refptr<X509Certificate> baltimore_chain_with_root =
1126 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1127 intermediate_chain_2);
1128 error = Verify(baltimore_chain_with_root.get(),
1129 "cacert.omniroot.com",
1130 flags,
1131 NULL,
1132 empty_cert_list_,
1133 &verify_result);
1134 EXPECT_EQ(OK, error);
1135 EXPECT_EQ(0U, verify_result.cert_status);
1136
1137 TestRootCerts::GetInstance()->Clear();
1138 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty());
1139 }
1140 #endif
1141
1142 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
1143 static const uint8 kCRLSetLeafSPKIBlocked[] = {
1144 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1145 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1146 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1147 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1148 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1149 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1150 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1151 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x43, 0x38, 0x4d, 0x4a, 0x46, 0x55, 0x55,
1152 0x5a, 0x38, 0x43, 0x79, 0x54, 0x2b, 0x4e, 0x57, 0x64, 0x68, 0x69, 0x7a, 0x51,
1153 0x68, 0x54, 0x49, 0x65, 0x46, 0x49, 0x37, 0x76, 0x41, 0x77, 0x7a, 0x64, 0x54,
1154 0x79, 0x52, 0x59, 0x45, 0x6e, 0x78, 0x6c, 0x33, 0x62, 0x67, 0x3d, 0x22, 0x5d,
1155 0x7d,
1156 };
1157
1158 static const uint8 kCRLSetLeafSerialBlocked[] = {
1159 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1160 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1161 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1162 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1163 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1164 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1165 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1166 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0x0f, 0x87, 0xe4, 0xc7, 0x75, 0xea,
1167 0x46, 0x7e, 0xf3, 0xfd, 0x82, 0xb7, 0x46, 0x7b, 0x10, 0xda, 0xc5, 0xbf, 0xd8,
1168 0xd1, 0x29, 0xb2, 0xc6, 0xac, 0x7f, 0x51, 0x42, 0x15, 0x28, 0x51, 0x06, 0x7f,
1169 0x01, 0x00, 0x00, 0x00, // number of serials
1170 0x01, 0xed, // serial 0xed
1171 };
1172
1173 static const uint8 kCRLSetQUICSerialBlocked[] = {
1174 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1175 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1176 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1177 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1178 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1179 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1180 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1181 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d,
1182 // Issuer SPKI SHA-256 hash:
1183 0xe4, 0x3a, 0xa3, 0xdb, 0x98, 0x31, 0x61, 0x05, 0xdd, 0x57, 0x6d, 0xc6, 0x2f,
1184 0x71, 0x26, 0xba, 0xdd, 0xf4, 0x98, 0x3e, 0x62, 0x22, 0xf8, 0xf9, 0xe4, 0x18,
1185 0x62, 0x77, 0x79, 0xdb, 0x9b, 0x31,
1186 0x01, 0x00, 0x00, 0x00, // number of serials
1187 0x01, 0x03, // serial 3
1188 };
1189
1190 // Test that CRLSets are effective in making a certificate appear to be
1191 // revoked.
1192 TEST_F(CertVerifyProcTest, CRLSet) {
1193 CertificateList ca_cert_list =
1194 CreateCertificateListFromFile(GetTestCertsDirectory(),
1195 "root_ca_cert.pem",
1196 X509Certificate::FORMAT_AUTO);
1197 ASSERT_EQ(1U, ca_cert_list.size());
1198 ScopedTestRoot test_root(ca_cert_list[0]);
1199
1200 CertificateList cert_list = CreateCertificateListFromFile(
1201 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
1202 ASSERT_EQ(1U, cert_list.size());
1203 scoped_refptr<X509Certificate> cert(cert_list[0]);
1204
1205 int flags = 0;
1206 CertVerifyResult verify_result;
1207 int error = Verify(
1208 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1209 EXPECT_EQ(OK, error);
1210 EXPECT_EQ(0U, verify_result.cert_status);
1211
1212 // First test blocking by SPKI.
1213 base::StringPiece crl_set_bytes(
1214 reinterpret_cast<const char*>(kCRLSetLeafSPKIBlocked),
1215 sizeof(kCRLSetLeafSPKIBlocked));
1216 scoped_refptr<CRLSet> crl_set;
1217 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1218
1219 error = Verify(cert.get(),
1220 "127.0.0.1",
1221 flags,
1222 crl_set.get(),
1223 empty_cert_list_,
1224 &verify_result);
1225 EXPECT_EQ(ERR_CERT_REVOKED, error);
1226
1227 // Second, test revocation by serial number of a cert directly under the
1228 // root.
1229 crl_set_bytes =
1230 base::StringPiece(reinterpret_cast<const char*>(kCRLSetLeafSerialBlocked),
1231 sizeof(kCRLSetLeafSerialBlocked));
1232 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1233
1234 error = Verify(cert.get(),
1235 "127.0.0.1",
1236 flags,
1237 crl_set.get(),
1238 empty_cert_list_,
1239 &verify_result);
1240 EXPECT_EQ(ERR_CERT_REVOKED, error);
1241 }
1242
1243 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
1244 CertificateList ca_cert_list =
1245 CreateCertificateListFromFile(GetTestCertsDirectory(),
1246 "quic_root.crt",
1247 X509Certificate::FORMAT_AUTO);
1248 ASSERT_EQ(1U, ca_cert_list.size());
1249 ScopedTestRoot test_root(ca_cert_list[0]);
1250
1251 CertificateList intermediate_cert_list =
1252 CreateCertificateListFromFile(GetTestCertsDirectory(),
1253 "quic_intermediate.crt",
1254 X509Certificate::FORMAT_AUTO);
1255 ASSERT_EQ(1U, intermediate_cert_list.size());
1256 X509Certificate::OSCertHandles intermediates;
1257 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle());
1258
1259 CertificateList cert_list = CreateCertificateListFromFile(
1260 GetTestCertsDirectory(), "quic_test.example.com.crt",
1261 X509Certificate::FORMAT_AUTO);
1262 ASSERT_EQ(1U, cert_list.size());
1263
1264 scoped_refptr<X509Certificate> leaf =
1265 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
1266 intermediates);
1267
1268 int flags = 0;
1269 CertVerifyResult verify_result;
1270 int error = Verify(leaf.get(),
1271 "test.example.com",
1272 flags,
1273 NULL,
1274 empty_cert_list_,
1275 &verify_result);
1276 EXPECT_EQ(OK, error);
1277 EXPECT_EQ(0U, verify_result.cert_status);
1278
1279 // Test revocation by serial number of a certificate not under the root.
1280 scoped_refptr<CRLSet> crl_set;
1281 base::StringPiece crl_set_bytes =
1282 base::StringPiece(reinterpret_cast<const char*>(kCRLSetQUICSerialBlocked),
1283 sizeof(kCRLSetQUICSerialBlocked));
1284 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1285
1286 error = Verify(leaf.get(),
1287 "test.example.com",
1288 flags,
1289 crl_set.get(),
1290 empty_cert_list_,
1291 &verify_result);
1292 EXPECT_EQ(ERR_CERT_REVOKED, error);
1293 }
1294 #endif
1295
1296 struct WeakDigestTestData {
1297 const char* root_cert_filename;
1298 const char* intermediate_cert_filename;
1299 const char* ee_cert_filename;
1300 bool expected_has_md5;
1301 bool expected_has_md4;
1302 bool expected_has_md2;
1303 };
1304
1305 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1306 // to output the parameter that was passed. Without this, it will simply
1307 // attempt to print out the first twenty bytes of the object, which depending
1308 // on platform and alignment, may result in an invalid read.
1309 void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
1310 *os << "root: "
1311 << (data.root_cert_filename ? data.root_cert_filename : "none")
1312 << "; intermediate: " << data.intermediate_cert_filename
1313 << "; end-entity: " << data.ee_cert_filename;
1314 }
1315
1316 class CertVerifyProcWeakDigestTest
1317 : public CertVerifyProcTest,
1318 public testing::WithParamInterface<WeakDigestTestData> {
1319 public:
1320 CertVerifyProcWeakDigestTest() {}
1321 virtual ~CertVerifyProcWeakDigestTest() {}
1322 };
1323
1324 TEST_P(CertVerifyProcWeakDigestTest, Verify) {
1325 WeakDigestTestData data = GetParam();
1326 base::FilePath certs_dir = GetTestCertsDirectory();
1327
1328 ScopedTestRoot test_root;
1329 if (data.root_cert_filename) {
1330 scoped_refptr<X509Certificate> root_cert =
1331 ImportCertFromFile(certs_dir, data.root_cert_filename);
1332 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
1333 test_root.Reset(root_cert.get());
1334 }
1335
1336 scoped_refptr<X509Certificate> intermediate_cert =
1337 ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
1338 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
1339 scoped_refptr<X509Certificate> ee_cert =
1340 ImportCertFromFile(certs_dir, data.ee_cert_filename);
1341 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
1342
1343 X509Certificate::OSCertHandles intermediates;
1344 intermediates.push_back(intermediate_cert->os_cert_handle());
1345
1346 scoped_refptr<X509Certificate> ee_chain =
1347 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
1348 intermediates);
1349 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain);
1350
1351 int flags = 0;
1352 CertVerifyResult verify_result;
1353 int rv = Verify(ee_chain.get(),
1354 "127.0.0.1",
1355 flags,
1356 NULL,
1357 empty_cert_list_,
1358 &verify_result);
1359 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
1360 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
1361 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
1362 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
1363
1364 // Ensure that MD4 and MD2 are tagged as invalid.
1365 if (data.expected_has_md4 || data.expected_has_md2) {
1366 EXPECT_EQ(CERT_STATUS_INVALID,
1367 verify_result.cert_status & CERT_STATUS_INVALID);
1368 }
1369
1370 // Ensure that MD5 is flagged as weak.
1371 if (data.expected_has_md5) {
1372 EXPECT_EQ(
1373 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
1374 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
1375 }
1376
1377 // If a root cert is present, then check that the chain was rejected if any
1378 // weak algorithms are present. This is only checked when a root cert is
1379 // present because the error reported for incomplete chains with weak
1380 // algorithms depends on which implementation was used to validate (NSS,
1381 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
1382 // present (MD2, MD4, MD5).
1383 if (data.root_cert_filename) {
1384 if (data.expected_has_md4 || data.expected_has_md2) {
1385 EXPECT_EQ(ERR_CERT_INVALID, rv);
1386 } else if (data.expected_has_md5) {
1387 EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
1388 } else {
1389 EXPECT_EQ(OK, rv);
1390 }
1391 }
1392 }
1393
1394 // Unlike TEST/TEST_F, which are macros that expand to further macros,
1395 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that
1396 // stringizes the arguments. As a result, macros passed as parameters (such as
1397 // prefix or test_case_name) will not be expanded by the preprocessor. To work
1398 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the
1399 // pre-processor will expand macros such as MAYBE_test_name before
1400 // instantiating the test.
1401 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
1402 INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator)
1403
1404 // The signature algorithm of the root CA should not matter.
1405 const WeakDigestTestData kVerifyRootCATestData[] = {
1406 { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
1407 "weak_digest_sha1_ee.pem", false, false, false },
1408 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1409 // MD4 is not supported by OS X / NSS
1410 { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
1411 "weak_digest_sha1_ee.pem", false, false, false },
1412 #endif
1413 { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
1414 "weak_digest_sha1_ee.pem", false, false, false },
1415 };
1416 INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
1417 testing::ValuesIn(kVerifyRootCATestData));
1418
1419 // The signature algorithm of intermediates should be properly detected.
1420 const WeakDigestTestData kVerifyIntermediateCATestData[] = {
1421 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1422 "weak_digest_sha1_ee.pem", true, false, false },
1423 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1424 // MD4 is not supported by OS X / NSS
1425 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1426 "weak_digest_sha1_ee.pem", false, true, false },
1427 #endif
1428 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1429 "weak_digest_sha1_ee.pem", false, false, true },
1430 };
1431 // Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled.
1432 #if defined(USE_NSS) || defined(OS_IOS)
1433 #define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate
1434 #else
1435 #define MAYBE_VerifyIntermediate VerifyIntermediate
1436 #endif
1437 WRAPPED_INSTANTIATE_TEST_CASE_P(
1438 MAYBE_VerifyIntermediate,
1439 CertVerifyProcWeakDigestTest,
1440 testing::ValuesIn(kVerifyIntermediateCATestData));
1441
1442 // The signature algorithm of end-entity should be properly detected.
1443 const WeakDigestTestData kVerifyEndEntityTestData[] = {
1444 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1445 "weak_digest_md5_ee.pem", true, false, false },
1446 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1447 // MD4 is not supported by OS X / NSS
1448 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1449 "weak_digest_md4_ee.pem", false, true, false },
1450 #endif
1451 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1452 "weak_digest_md2_ee.pem", false, false, true },
1453 };
1454 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot
1455 // be cleared until NSS is cleanly shutdown, which is not presently supported
1456 // in Chromium.
1457 #if defined(USE_NSS) || defined(OS_IOS)
1458 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity
1459 #else
1460 #define MAYBE_VerifyEndEntity VerifyEndEntity
1461 #endif
1462 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
1463 CertVerifyProcWeakDigestTest,
1464 testing::ValuesIn(kVerifyEndEntityTestData));
1465
1466 // Incomplete chains should still report the status of the intermediate.
1467 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
1468 { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
1469 true, false, false },
1470 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1471 // MD4 is not supported by OS X / NSS
1472 { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
1473 false, true, false },
1474 #endif
1475 { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
1476 false, false, true },
1477 };
1478 // Disabled on NSS - libpkix does not return constructed chains on error,
1479 // preventing us from detecting/inspecting the verified chain.
1480 #if defined(USE_NSS) || defined(OS_IOS)
1481 #define MAYBE_VerifyIncompleteIntermediate \
1482 DISABLED_VerifyIncompleteIntermediate
1483 #else
1484 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate
1485 #endif
1486 WRAPPED_INSTANTIATE_TEST_CASE_P(
1487 MAYBE_VerifyIncompleteIntermediate,
1488 CertVerifyProcWeakDigestTest,
1489 testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
1490
1491 // Incomplete chains should still report the status of the end-entity.
1492 const WeakDigestTestData kVerifyIncompleteEETestData[] = {
1493 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
1494 true, false, false },
1495 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1496 // MD4 is not supported by OS X / NSS
1497 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
1498 false, true, false },
1499 #endif
1500 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
1501 false, false, true },
1502 };
1503 // Disabled on NSS - libpkix does not return constructed chains on error,
1504 // preventing us from detecting/inspecting the verified chain.
1505 #if defined(USE_NSS) || defined(OS_IOS)
1506 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity
1507 #else
1508 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity
1509 #endif
1510 WRAPPED_INSTANTIATE_TEST_CASE_P(
1511 MAYBE_VerifyIncompleteEndEntity,
1512 CertVerifyProcWeakDigestTest,
1513 testing::ValuesIn(kVerifyIncompleteEETestData));
1514
1515 // Differing algorithms between the intermediate and the EE should still be
1516 // reported.
1517 const WeakDigestTestData kVerifyMixedTestData[] = {
1518 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1519 "weak_digest_md2_ee.pem", true, false, true },
1520 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1521 "weak_digest_md5_ee.pem", true, false, true },
1522 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1523 // MD4 is not supported by OS X / NSS
1524 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1525 "weak_digest_md2_ee.pem", false, true, true },
1526 #endif
1527 };
1528 // NSS does not support MD4 and does not enable MD2 by default, making all
1529 // permutations invalid.
1530 #if defined(USE_NSS) || defined(OS_IOS)
1531 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
1532 #else
1533 #define MAYBE_VerifyMixed VerifyMixed
1534 #endif
1535 WRAPPED_INSTANTIATE_TEST_CASE_P(
1536 MAYBE_VerifyMixed,
1537 CertVerifyProcWeakDigestTest,
1538 testing::ValuesIn(kVerifyMixedTestData));
1539
1540 // For the list of valid hostnames, see
1541 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
1542 static const struct CertVerifyProcNameData {
1543 const char* hostname;
1544 bool valid; // Whether or not |hostname| matches a subjectAltName.
1545 } kVerifyNameData[] = {
1546 { "127.0.0.1", false }, // Don't match the common name
1547 { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)
1548 { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)
1549 { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN
1550 { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)
1551 { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN
1552 { "test.example", true }, // Matches the dNSName SAN
1553 { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)
1554 { "www.test.example", false }, // Should not match the dNSName SAN
1555 { "test..example", false }, // Should not match the dNSName SAN
1556 { "test.example..", false }, // Should not match the dNSName SAN
1557 { ".test.example.", false }, // Should not match the dNSName SAN
1558 { ".test.example", false }, // Should not match the dNSName SAN
1559 };
1560
1561 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1562 // to output the parameter that was passed. Without this, it will simply
1563 // attempt to print out the first twenty bytes of the object, which depending
1564 // on platform and alignment, may result in an invalid read.
1565 void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
1566 *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
1567 }
1568
1569 class CertVerifyProcNameTest
1570 : public CertVerifyProcTest,
1571 public testing::WithParamInterface<CertVerifyProcNameData> {
1572 public:
1573 CertVerifyProcNameTest() {}
1574 virtual ~CertVerifyProcNameTest() {}
1575 };
1576
1577 TEST_P(CertVerifyProcNameTest, VerifyCertName) {
1578 CertVerifyProcNameData data = GetParam();
1579
1580 CertificateList cert_list = CreateCertificateListFromFile(
1581 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
1582 X509Certificate::FORMAT_AUTO);
1583 ASSERT_EQ(1U, cert_list.size());
1584 scoped_refptr<X509Certificate> cert(cert_list[0]);
1585
1586 ScopedTestRoot scoped_root(cert.get());
1587
1588 CertVerifyResult verify_result;
1589 int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
1590 &verify_result);
1591 if (data.valid) {
1592 EXPECT_EQ(OK, error);
1593 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1594 } else {
1595 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
1596 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1597 }
1598 }
1599
1600 WRAPPED_INSTANTIATE_TEST_CASE_P(
1601 VerifyName,
1602 CertVerifyProcNameTest,
1603 testing::ValuesIn(kVerifyNameData));
1604
1605 } // namespace net