Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / net / cert / cert_verify_proc_unittest.cc
blob75a19d2b494c718fc9cc4071ade5e8b2663986ec
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/cert_verify_proc.h"
7 #include <vector>
9 #include "base/callback_helpers.h"
10 #include "base/files/file_path.h"
11 #include "base/files/file_util.h"
12 #include "base/logging.h"
13 #include "base/sha1.h"
14 #include "base/strings/string_number_conversions.h"
15 #include "crypto/sha2.h"
16 #include "net/base/net_errors.h"
17 #include "net/base/test_data_directory.h"
18 #include "net/cert/asn1_util.h"
19 #include "net/cert/cert_status_flags.h"
20 #include "net/cert/cert_verifier.h"
21 #include "net/cert/cert_verify_result.h"
22 #include "net/cert/crl_set.h"
23 #include "net/cert/crl_set_storage.h"
24 #include "net/cert/test_root_certs.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/test/cert_test_util.h"
27 #include "net/test/test_certificate_data.h"
28 #include "testing/gtest/include/gtest/gtest.h"
30 #if defined(OS_WIN)
31 #include "base/win/windows_version.h"
32 #elif defined(OS_ANDROID)
33 #include "base/android/build_info.h"
34 #endif
36 using base::HexEncode;
38 namespace net {
40 namespace {
42 // A certificate for www.paypal.com with a NULL byte in the common name.
43 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
44 unsigned char paypal_null_fingerprint[] = {
45 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba,
46 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7
49 // Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root|
50 // for all certificates that are Verified.
51 class WellKnownCaCertVerifyProc : public CertVerifyProc {
52 public:
53 // Initialize a CertVerifyProc that will set
54 // |verify_result->is_issued_by_known_root| to |is_well_known|.
55 explicit WellKnownCaCertVerifyProc(bool is_well_known)
56 : is_well_known_(is_well_known) {}
58 // CertVerifyProc implementation:
59 bool SupportsAdditionalTrustAnchors() const override { return false; }
60 bool SupportsOCSPStapling() const override { return false; }
62 protected:
63 ~WellKnownCaCertVerifyProc() override {}
65 private:
66 int VerifyInternal(X509Certificate* cert,
67 const std::string& hostname,
68 const std::string& ocsp_response,
69 int flags,
70 CRLSet* crl_set,
71 const CertificateList& additional_trust_anchors,
72 CertVerifyResult* verify_result) override;
74 const bool is_well_known_;
76 DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc);
79 int WellKnownCaCertVerifyProc::VerifyInternal(
80 X509Certificate* cert,
81 const std::string& hostname,
82 const std::string& ocsp_response,
83 int flags,
84 CRLSet* crl_set,
85 const CertificateList& additional_trust_anchors,
86 CertVerifyResult* verify_result) {
87 verify_result->is_issued_by_known_root = is_well_known_;
88 return OK;
91 bool SupportsReturningVerifiedChain() {
92 #if defined(OS_ANDROID)
93 // Before API level 17, Android does not expose the APIs necessary to get at
94 // the verified certificate chain.
95 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
96 return false;
97 #endif
98 return true;
101 bool SupportsDetectingKnownRoots() {
102 #if defined(OS_ANDROID)
103 // Before API level 17, Android does not expose the APIs necessary to get at
104 // the verified certificate chain and detect known roots.
105 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
106 return false;
107 #endif
108 return true;
111 } // namespace
113 class CertVerifyProcTest : public testing::Test {
114 public:
115 CertVerifyProcTest()
116 : verify_proc_(CertVerifyProc::CreateDefault()) {
118 ~CertVerifyProcTest() override {}
120 protected:
121 bool SupportsAdditionalTrustAnchors() {
122 return verify_proc_->SupportsAdditionalTrustAnchors();
125 int Verify(X509Certificate* cert,
126 const std::string& hostname,
127 int flags,
128 CRLSet* crl_set,
129 const CertificateList& additional_trust_anchors,
130 CertVerifyResult* verify_result) {
131 return verify_proc_->Verify(cert, hostname, std::string(), flags, crl_set,
132 additional_trust_anchors, verify_result);
135 const CertificateList empty_cert_list_;
136 scoped_refptr<CertVerifyProc> verify_proc_;
139 TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) {
140 // Check that verification without revocation checking works.
141 CertificateList certs = CreateCertificateListFromFile(
142 GetTestCertsDirectory(),
143 "googlenew.chain.pem",
144 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
146 X509Certificate::OSCertHandles intermediates;
147 intermediates.push_back(certs[1]->os_cert_handle());
149 scoped_refptr<X509Certificate> google_full_chain =
150 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
151 intermediates);
153 CertVerifyResult verify_result;
154 EXPECT_EQ(OK,
155 Verify(google_full_chain.get(),
156 "www.google.com",
157 0 /* flags */,
158 NULL,
159 empty_cert_list_,
160 &verify_result));
163 #if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
164 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
165 #define MAYBE_EVVerification DISABLED_EVVerification
166 #else
167 // TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
168 // expired, http://crbug.com/502818
169 #define MAYBE_EVVerification DISABLED_EVVerification
170 #endif
171 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
172 CertificateList certs = CreateCertificateListFromFile(
173 GetTestCertsDirectory(),
174 "comodo.chain.pem",
175 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
176 ASSERT_EQ(3U, certs.size());
178 X509Certificate::OSCertHandles intermediates;
179 intermediates.push_back(certs[1]->os_cert_handle());
180 intermediates.push_back(certs[2]->os_cert_handle());
182 scoped_refptr<X509Certificate> comodo_chain =
183 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
184 intermediates);
186 scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
187 CertVerifyResult verify_result;
188 int flags = CertVerifier::VERIFY_EV_CERT;
189 int error = Verify(comodo_chain.get(),
190 "comodo.com",
191 flags,
192 crl_set.get(),
193 empty_cert_list_,
194 &verify_result);
195 EXPECT_EQ(OK, error);
196 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
199 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) {
200 scoped_refptr<X509Certificate> paypal_null_cert(
201 X509Certificate::CreateFromBytes(
202 reinterpret_cast<const char*>(paypal_null_der),
203 sizeof(paypal_null_der)));
205 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert.get());
207 const SHA1HashValue& fingerprint =
208 paypal_null_cert->fingerprint();
209 for (size_t i = 0; i < 20; ++i)
210 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
212 int flags = 0;
213 CertVerifyResult verify_result;
214 int error = Verify(paypal_null_cert.get(),
215 "www.paypal.com",
216 flags,
217 NULL,
218 empty_cert_list_,
219 &verify_result);
220 #if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_ANDROID)
221 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
222 #else
223 // TOOD(bulach): investigate why macosx and win aren't returning
224 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
225 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
226 #endif
227 // Either the system crypto library should correctly report a certificate
228 // name mismatch, or our certificate blacklist should cause us to report an
229 // invalid certificate.
230 #if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_IOS)
231 EXPECT_TRUE(verify_result.cert_status &
232 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
233 #endif
236 // A regression test for http://crbug.com/31497.
237 #if defined(OS_ANDROID)
238 // Disabled on Android, as the Android verification libraries require an
239 // explicit policy to be specified, even when anyPolicy is permitted.
240 #define MAYBE_IntermediateCARequireExplicitPolicy \
241 DISABLED_IntermediateCARequireExplicitPolicy
242 #else
243 #define MAYBE_IntermediateCARequireExplicitPolicy \
244 IntermediateCARequireExplicitPolicy
245 #endif
246 TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
247 base::FilePath certs_dir = GetTestCertsDirectory();
249 CertificateList certs = CreateCertificateListFromFile(
250 certs_dir, "explicit-policy-chain.pem",
251 X509Certificate::FORMAT_AUTO);
252 ASSERT_EQ(3U, certs.size());
254 X509Certificate::OSCertHandles intermediates;
255 intermediates.push_back(certs[1]->os_cert_handle());
257 scoped_refptr<X509Certificate> cert =
258 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
259 intermediates);
260 ASSERT_TRUE(cert.get());
262 ScopedTestRoot scoped_root(certs[2].get());
264 int flags = 0;
265 CertVerifyResult verify_result;
266 int error = Verify(cert.get(),
267 "policy_test.example",
268 flags,
269 NULL,
270 empty_cert_list_,
271 &verify_result);
272 EXPECT_EQ(OK, error);
273 EXPECT_EQ(0u, verify_result.cert_status);
276 // Test for bug 58437.
277 // This certificate will expire on 2011-12-21. The test will still
278 // pass if error == ERR_CERT_DATE_INVALID.
279 // This test is DISABLED because it appears that we cannot do
280 // certificate revocation checking when running all of the net unit tests.
281 // This test passes when run individually, but when run with all of the net
282 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is
283 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation
284 // status, i.e. that the revocation check is failing for some reason.
285 TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) {
286 base::FilePath certs_dir = GetTestCertsDirectory();
288 scoped_refptr<X509Certificate> server_cert =
289 ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem");
290 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
292 scoped_refptr<X509Certificate> intermediate_cert =
293 ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem");
294 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get());
296 X509Certificate::OSCertHandles intermediates;
297 intermediates.push_back(intermediate_cert->os_cert_handle());
298 scoped_refptr<X509Certificate> cert_chain =
299 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
300 intermediates);
302 CertVerifyResult verify_result;
303 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED |
304 CertVerifier::VERIFY_EV_CERT;
305 int error = Verify(cert_chain.get(),
306 "2029.globalsign.com",
307 flags,
308 NULL,
309 empty_cert_list_,
310 &verify_result);
311 if (error == OK)
312 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
313 else
314 EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
317 // Test that verifying an ECDSA certificate doesn't crash on XP. (See
318 // crbug.com/144466).
319 TEST_F(CertVerifyProcTest, ECDSA_RSA) {
320 base::FilePath certs_dir = GetTestCertsDirectory();
322 scoped_refptr<X509Certificate> cert =
323 ImportCertFromFile(certs_dir,
324 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem");
326 CertVerifyResult verify_result;
327 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result);
329 // We don't check verify_result because the certificate is signed by an
330 // unknown CA and will be considered invalid on XP because of the ECDSA
331 // public key.
334 // Currently, only RSA and DSA keys are checked for weakness, and our example
335 // weak size is 768. These could change in the future.
337 // Note that this means there may be false negatives: keys for other
338 // algorithms and which are weak will pass this test.
339 static bool IsWeakKeyType(const std::string& key_type) {
340 size_t pos = key_type.find("-");
341 std::string size = key_type.substr(0, pos);
342 std::string type = key_type.substr(pos + 1);
344 if (type == "rsa" || type == "dsa")
345 return size == "768";
347 return false;
350 TEST_F(CertVerifyProcTest, RejectWeakKeys) {
351 base::FilePath certs_dir = GetTestCertsDirectory();
352 typedef std::vector<std::string> Strings;
353 Strings key_types;
355 // generate-weak-test-chains.sh currently has:
356 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
357 // We must use the same key types here. The filenames generated look like:
358 // 2048-rsa-ee-by-768-rsa-intermediate.pem
359 key_types.push_back("768-rsa");
360 key_types.push_back("1024-rsa");
361 key_types.push_back("2048-rsa");
363 bool use_ecdsa = true;
364 #if defined(OS_WIN)
365 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP;
366 #endif
368 if (use_ecdsa)
369 key_types.push_back("prime256v1-ecdsa");
371 // Add the root that signed the intermediates for this test.
372 scoped_refptr<X509Certificate> root_cert =
373 ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
374 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
375 ScopedTestRoot scoped_root(root_cert.get());
377 // Now test each chain.
378 for (Strings::const_iterator ee_type = key_types.begin();
379 ee_type != key_types.end(); ++ee_type) {
380 for (Strings::const_iterator signer_type = key_types.begin();
381 signer_type != key_types.end(); ++signer_type) {
382 std::string basename = *ee_type + "-ee-by-" + *signer_type +
383 "-intermediate.pem";
384 SCOPED_TRACE(basename);
385 scoped_refptr<X509Certificate> ee_cert =
386 ImportCertFromFile(certs_dir, basename);
387 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert.get());
389 basename = *signer_type + "-intermediate.pem";
390 scoped_refptr<X509Certificate> intermediate =
391 ImportCertFromFile(certs_dir, basename);
392 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate.get());
394 X509Certificate::OSCertHandles intermediates;
395 intermediates.push_back(intermediate->os_cert_handle());
396 scoped_refptr<X509Certificate> cert_chain =
397 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
398 intermediates);
400 CertVerifyResult verify_result;
401 int error = Verify(cert_chain.get(),
402 "127.0.0.1",
404 NULL,
405 empty_cert_list_,
406 &verify_result);
408 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
409 EXPECT_NE(OK, error);
410 EXPECT_EQ(CERT_STATUS_WEAK_KEY,
411 verify_result.cert_status & CERT_STATUS_WEAK_KEY);
412 EXPECT_NE(CERT_STATUS_INVALID,
413 verify_result.cert_status & CERT_STATUS_INVALID);
414 } else {
415 EXPECT_EQ(OK, error);
416 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
422 // Regression test for http://crbug.com/108514.
423 #if defined(OS_MACOSX) && !defined(OS_IOS)
424 // Disabled on OS X - Security.framework doesn't ignore superflous certificates
425 // provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
426 // details.
427 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
428 #else
429 #define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
430 #endif
431 TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
432 if (!SupportsReturningVerifiedChain()) {
433 LOG(INFO) << "Skipping this test in this platform.";
434 return;
437 base::FilePath certs_dir = GetTestCertsDirectory();
439 scoped_refptr<X509Certificate> server_cert =
440 ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
441 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
443 scoped_refptr<X509Certificate> extra_cert =
444 ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
445 ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
447 scoped_refptr<X509Certificate> root_cert =
448 ImportCertFromFile(certs_dir, "cross-signed-root-sha256.pem");
449 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
451 ScopedTestRoot scoped_root(root_cert.get());
453 X509Certificate::OSCertHandles intermediates;
454 intermediates.push_back(extra_cert->os_cert_handle());
455 scoped_refptr<X509Certificate> cert_chain =
456 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
457 intermediates);
459 CertVerifyResult verify_result;
460 int flags = 0;
461 int error = Verify(cert_chain.get(),
462 "127.0.0.1",
463 flags,
464 NULL,
465 empty_cert_list_,
466 &verify_result);
467 EXPECT_EQ(OK, error);
469 // The extra MD5 root should be discarded
470 ASSERT_TRUE(verify_result.verified_cert.get());
471 ASSERT_EQ(1u,
472 verify_result.verified_cert->GetIntermediateCertificates().size());
473 EXPECT_TRUE(X509Certificate::IsSameOSCert(
474 verify_result.verified_cert->GetIntermediateCertificates().front(),
475 root_cert->os_cert_handle()));
477 EXPECT_FALSE(verify_result.has_md5);
480 // Test for bug 94673.
481 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
482 base::FilePath certs_dir = GetTestCertsDirectory();
484 scoped_refptr<X509Certificate> server_cert =
485 ImportCertFromFile(certs_dir, "google_diginotar.pem");
486 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
488 scoped_refptr<X509Certificate> intermediate_cert =
489 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
490 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get());
492 X509Certificate::OSCertHandles intermediates;
493 intermediates.push_back(intermediate_cert->os_cert_handle());
494 scoped_refptr<X509Certificate> cert_chain =
495 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
496 intermediates);
498 CertVerifyResult verify_result;
499 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
500 int error = Verify(cert_chain.get(),
501 "mail.google.com",
502 flags,
503 NULL,
504 empty_cert_list_,
505 &verify_result);
506 EXPECT_NE(OK, error);
508 // Now turn off revocation checking. Certificate verification should still
509 // fail.
510 flags = 0;
511 error = Verify(cert_chain.get(),
512 "mail.google.com",
513 flags,
514 NULL,
515 empty_cert_list_,
516 &verify_result);
517 EXPECT_NE(OK, error);
520 TEST_F(CertVerifyProcTest, DigiNotarCerts) {
521 static const char* const kDigiNotarFilenames[] = {
522 "diginotar_root_ca.pem",
523 "diginotar_cyber_ca.pem",
524 "diginotar_services_1024_ca.pem",
525 "diginotar_pkioverheid.pem",
526 "diginotar_pkioverheid_g2.pem",
527 NULL,
530 base::FilePath certs_dir = GetTestCertsDirectory();
532 for (size_t i = 0; kDigiNotarFilenames[i]; i++) {
533 scoped_refptr<X509Certificate> diginotar_cert =
534 ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
535 std::string der_bytes;
536 ASSERT_TRUE(X509Certificate::GetDEREncoded(
537 diginotar_cert->os_cert_handle(), &der_bytes));
539 base::StringPiece spki;
540 ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
542 std::string spki_sha1 = base::SHA1HashString(spki.as_string());
544 HashValueVector public_keys;
545 HashValue hash(HASH_VALUE_SHA1);
546 ASSERT_EQ(hash.size(), spki_sha1.size());
547 memcpy(hash.data(), spki_sha1.data(), spki_sha1.size());
548 public_keys.push_back(hash);
550 EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
551 "Public key not blocked for " << kDigiNotarFilenames[i];
555 TEST_F(CertVerifyProcTest, NameConstraintsOk) {
556 CertificateList ca_cert_list =
557 CreateCertificateListFromFile(GetTestCertsDirectory(),
558 "root_ca_cert.pem",
559 X509Certificate::FORMAT_AUTO);
560 ASSERT_EQ(1U, ca_cert_list.size());
561 ScopedTestRoot test_root(ca_cert_list[0].get());
563 CertificateList cert_list = CreateCertificateListFromFile(
564 GetTestCertsDirectory(), "name_constraint_good.pem",
565 X509Certificate::FORMAT_AUTO);
566 ASSERT_EQ(1U, cert_list.size());
568 X509Certificate::OSCertHandles intermediates;
569 scoped_refptr<X509Certificate> leaf =
570 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
571 intermediates);
573 int flags = 0;
574 CertVerifyResult verify_result;
575 int error = Verify(leaf.get(),
576 "test.example.com",
577 flags,
578 NULL,
579 empty_cert_list_,
580 &verify_result);
581 EXPECT_EQ(OK, error);
582 EXPECT_EQ(0U, verify_result.cert_status);
585 TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
586 if (!SupportsReturningVerifiedChain()) {
587 LOG(INFO) << "Skipping this test in this platform.";
588 return;
591 CertificateList ca_cert_list =
592 CreateCertificateListFromFile(GetTestCertsDirectory(),
593 "root_ca_cert.pem",
594 X509Certificate::FORMAT_AUTO);
595 ASSERT_EQ(1U, ca_cert_list.size());
596 ScopedTestRoot test_root(ca_cert_list[0].get());
598 CertificateList cert_list = CreateCertificateListFromFile(
599 GetTestCertsDirectory(), "name_constraint_bad.pem",
600 X509Certificate::FORMAT_AUTO);
601 ASSERT_EQ(1U, cert_list.size());
603 X509Certificate::OSCertHandles intermediates;
604 scoped_refptr<X509Certificate> leaf =
605 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
606 intermediates);
608 int flags = 0;
609 CertVerifyResult verify_result;
610 int error = Verify(leaf.get(),
611 "test.example.com",
612 flags,
613 NULL,
614 empty_cert_list_,
615 &verify_result);
616 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error);
617 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
618 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
621 TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
622 struct {
623 const char* const file;
624 bool is_valid_too_long;
625 } tests[] = {
626 {"twitter-chain.pem", false},
627 {"start_after_expiry.pem", true},
628 {"pre_br_validity_ok.pem", false},
629 {"pre_br_validity_bad_121.pem", true},
630 {"pre_br_validity_bad_2020.pem", true},
631 {"10_year_validity.pem", false},
632 {"11_year_validity.pem", true},
633 {"39_months_after_2015_04.pem", false},
634 {"40_months_after_2015_04.pem", true},
635 {"60_months_after_2012_07.pem", false},
636 {"61_months_after_2012_07.pem", true},
639 base::FilePath certs_dir = GetTestCertsDirectory();
641 for (size_t i = 0; i < arraysize(tests); ++i) {
642 scoped_refptr<X509Certificate> certificate =
643 ImportCertFromFile(certs_dir, tests[i].file);
644 SCOPED_TRACE(tests[i].file);
645 ASSERT_TRUE(certificate);
646 EXPECT_EQ(tests[i].is_valid_too_long,
647 CertVerifyProc::HasTooLongValidity(*certificate));
651 TEST_F(CertVerifyProcTest, TestKnownRoot) {
652 if (!SupportsDetectingKnownRoots()) {
653 LOG(INFO) << "Skipping this test on this platform.";
654 return;
657 base::FilePath certs_dir = GetTestCertsDirectory();
658 CertificateList certs = CreateCertificateListFromFile(
659 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
660 ASSERT_EQ(3U, certs.size());
662 X509Certificate::OSCertHandles intermediates;
663 intermediates.push_back(certs[1]->os_cert_handle());
665 scoped_refptr<X509Certificate> cert_chain =
666 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
667 intermediates);
669 int flags = 0;
670 CertVerifyResult verify_result;
671 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
672 // against agl. See also PublicKeyHashes.
673 int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
674 empty_cert_list_, &verify_result);
675 EXPECT_EQ(OK, error);
676 EXPECT_TRUE(verify_result.is_issued_by_known_root);
679 TEST_F(CertVerifyProcTest, PublicKeyHashes) {
680 if (!SupportsReturningVerifiedChain()) {
681 LOG(INFO) << "Skipping this test in this platform.";
682 return;
685 base::FilePath certs_dir = GetTestCertsDirectory();
686 CertificateList certs = CreateCertificateListFromFile(
687 certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
688 ASSERT_EQ(3U, certs.size());
690 X509Certificate::OSCertHandles intermediates;
691 intermediates.push_back(certs[1]->os_cert_handle());
693 scoped_refptr<X509Certificate> cert_chain =
694 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
695 intermediates);
696 int flags = 0;
697 CertVerifyResult verify_result;
699 // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
700 // against agl. See also TestKnownRoot.
701 int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
702 empty_cert_list_, &verify_result);
703 EXPECT_EQ(OK, error);
704 ASSERT_LE(3U, verify_result.public_key_hashes.size());
706 HashValueVector sha1_hashes;
707 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
708 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1)
709 continue;
710 sha1_hashes.push_back(verify_result.public_key_hashes[i]);
712 ASSERT_LE(3u, sha1_hashes.size());
714 for (size_t i = 0; i < 3; ++i) {
715 EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length),
716 HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
719 HashValueVector sha256_hashes;
720 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
721 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256)
722 continue;
723 sha256_hashes.push_back(verify_result.public_key_hashes[i]);
725 ASSERT_LE(3u, sha256_hashes.size());
727 for (size_t i = 0; i < 3; ++i) {
728 EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),
729 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
733 // A regression test for http://crbug.com/70293.
734 // The Key Usage extension in this RSA SSL server certificate does not have
735 // the keyEncipherment bit.
736 TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
737 base::FilePath certs_dir = GetTestCertsDirectory();
739 scoped_refptr<X509Certificate> server_cert =
740 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
741 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
743 int flags = 0;
744 CertVerifyResult verify_result;
745 int error = Verify(server_cert.get(),
746 "jira.aquameta.com",
747 flags,
748 NULL,
749 empty_cert_list_,
750 &verify_result);
751 #if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
752 // This certificate has two errors: "invalid key usage" and "untrusted CA".
753 // However, OpenSSL returns only one (the latter), and we can't detect
754 // the other errors.
755 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
756 #else
757 EXPECT_EQ(ERR_CERT_INVALID, error);
758 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
759 #endif
760 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
761 // from NSS.
762 #if !defined(USE_NSS_CERTS) && !defined(OS_IOS) && !defined(OS_ANDROID)
763 // The certificate is issued by an unknown CA.
764 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
765 #endif
768 // Basic test for returning the chain in CertVerifyResult. Note that the
769 // returned chain may just be a reflection of the originally supplied chain;
770 // that is, if any errors occur, the default chain returned is an exact copy
771 // of the certificate to be verified. The remaining VerifyReturn* tests are
772 // used to ensure that the actual, verified chain is being returned by
773 // Verify().
774 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
775 if (!SupportsReturningVerifiedChain()) {
776 LOG(INFO) << "Skipping this test in this platform.";
777 return;
780 base::FilePath certs_dir = GetTestCertsDirectory();
781 CertificateList certs = CreateCertificateListFromFile(
782 certs_dir, "x509_verify_results.chain.pem",
783 X509Certificate::FORMAT_AUTO);
784 ASSERT_EQ(3U, certs.size());
786 X509Certificate::OSCertHandles intermediates;
787 intermediates.push_back(certs[1]->os_cert_handle());
788 intermediates.push_back(certs[2]->os_cert_handle());
790 ScopedTestRoot scoped_root(certs[2].get());
792 scoped_refptr<X509Certificate> google_full_chain =
793 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
794 intermediates);
795 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get());
796 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
798 CertVerifyResult verify_result;
799 EXPECT_EQ(static_cast<X509Certificate*>(NULL),
800 verify_result.verified_cert.get());
801 int error = Verify(google_full_chain.get(),
802 "127.0.0.1",
804 NULL,
805 empty_cert_list_,
806 &verify_result);
807 EXPECT_EQ(OK, error);
808 ASSERT_NE(static_cast<X509Certificate*>(NULL),
809 verify_result.verified_cert.get());
811 EXPECT_NE(google_full_chain, verify_result.verified_cert);
812 EXPECT_TRUE(X509Certificate::IsSameOSCert(
813 google_full_chain->os_cert_handle(),
814 verify_result.verified_cert->os_cert_handle()));
815 const X509Certificate::OSCertHandles& return_intermediates =
816 verify_result.verified_cert->GetIntermediateCertificates();
817 ASSERT_EQ(2U, return_intermediates.size());
818 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
819 certs[1]->os_cert_handle()));
820 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
821 certs[2]->os_cert_handle()));
824 // Test that certificates issued for 'intranet' names (that is, containing no
825 // known public registry controlled domain information) issued by well-known
826 // CAs are flagged appropriately, while certificates that are issued by
827 // internal CAs are not flagged.
828 TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
829 if (!SupportsDetectingKnownRoots()) {
830 LOG(INFO) << "Skipping this test in this platform.";
831 return;
834 CertificateList cert_list = CreateCertificateListFromFile(
835 GetTestCertsDirectory(), "reject_intranet_hosts.pem",
836 X509Certificate::FORMAT_AUTO);
837 ASSERT_EQ(1U, cert_list.size());
838 scoped_refptr<X509Certificate> cert(cert_list[0]);
840 CertVerifyResult verify_result;
841 int error = 0;
843 // Intranet names for public CAs should be flagged:
844 verify_proc_ = new WellKnownCaCertVerifyProc(true);
845 error =
846 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
847 EXPECT_EQ(OK, error);
848 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
850 // However, if the CA is not well known, these should not be flagged:
851 verify_proc_ = new WellKnownCaCertVerifyProc(false);
852 error =
853 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
854 EXPECT_EQ(OK, error);
855 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
858 // Test that the certificate returned in CertVerifyResult is able to reorder
859 // certificates that are not ordered from end-entity to root. While this is
860 // a protocol violation if sent during a TLS handshake, if multiple sources
861 // of intermediate certificates are combined, it's possible that order may
862 // not be maintained.
863 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
864 if (!SupportsReturningVerifiedChain()) {
865 LOG(INFO) << "Skipping this test in this platform.";
866 return;
869 base::FilePath certs_dir = GetTestCertsDirectory();
870 CertificateList certs = CreateCertificateListFromFile(
871 certs_dir, "x509_verify_results.chain.pem",
872 X509Certificate::FORMAT_AUTO);
873 ASSERT_EQ(3U, certs.size());
875 // Construct the chain out of order.
876 X509Certificate::OSCertHandles intermediates;
877 intermediates.push_back(certs[2]->os_cert_handle());
878 intermediates.push_back(certs[1]->os_cert_handle());
880 ScopedTestRoot scoped_root(certs[2].get());
882 scoped_refptr<X509Certificate> google_full_chain =
883 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
884 intermediates);
885 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get());
886 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
888 CertVerifyResult verify_result;
889 EXPECT_EQ(static_cast<X509Certificate*>(NULL),
890 verify_result.verified_cert.get());
891 int error = Verify(google_full_chain.get(),
892 "127.0.0.1",
894 NULL,
895 empty_cert_list_,
896 &verify_result);
897 EXPECT_EQ(OK, error);
898 ASSERT_NE(static_cast<X509Certificate*>(NULL),
899 verify_result.verified_cert.get());
901 EXPECT_NE(google_full_chain, verify_result.verified_cert);
902 EXPECT_TRUE(X509Certificate::IsSameOSCert(
903 google_full_chain->os_cert_handle(),
904 verify_result.verified_cert->os_cert_handle()));
905 const X509Certificate::OSCertHandles& return_intermediates =
906 verify_result.verified_cert->GetIntermediateCertificates();
907 ASSERT_EQ(2U, return_intermediates.size());
908 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
909 certs[1]->os_cert_handle()));
910 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
911 certs[2]->os_cert_handle()));
914 // Test that Verify() filters out certificates which are not related to
915 // or part of the certificate chain being verified.
916 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
917 if (!SupportsReturningVerifiedChain()) {
918 LOG(INFO) << "Skipping this test in this platform.";
919 return;
922 base::FilePath certs_dir = GetTestCertsDirectory();
923 CertificateList certs = CreateCertificateListFromFile(
924 certs_dir, "x509_verify_results.chain.pem",
925 X509Certificate::FORMAT_AUTO);
926 ASSERT_EQ(3U, certs.size());
927 ScopedTestRoot scoped_root(certs[2].get());
929 scoped_refptr<X509Certificate> unrelated_certificate =
930 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
931 scoped_refptr<X509Certificate> unrelated_certificate2 =
932 ImportCertFromFile(certs_dir, "aia-cert.pem");
933 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate.get());
934 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2.get());
936 // Interject unrelated certificates into the list of intermediates.
937 X509Certificate::OSCertHandles intermediates;
938 intermediates.push_back(unrelated_certificate->os_cert_handle());
939 intermediates.push_back(certs[1]->os_cert_handle());
940 intermediates.push_back(unrelated_certificate2->os_cert_handle());
941 intermediates.push_back(certs[2]->os_cert_handle());
943 scoped_refptr<X509Certificate> google_full_chain =
944 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
945 intermediates);
946 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get());
947 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
949 CertVerifyResult verify_result;
950 EXPECT_EQ(static_cast<X509Certificate*>(NULL),
951 verify_result.verified_cert.get());
952 int error = Verify(google_full_chain.get(),
953 "127.0.0.1",
955 NULL,
956 empty_cert_list_,
957 &verify_result);
958 EXPECT_EQ(OK, error);
959 ASSERT_NE(static_cast<X509Certificate*>(NULL),
960 verify_result.verified_cert.get());
962 EXPECT_NE(google_full_chain, verify_result.verified_cert);
963 EXPECT_TRUE(X509Certificate::IsSameOSCert(
964 google_full_chain->os_cert_handle(),
965 verify_result.verified_cert->os_cert_handle()));
966 const X509Certificate::OSCertHandles& return_intermediates =
967 verify_result.verified_cert->GetIntermediateCertificates();
968 ASSERT_EQ(2U, return_intermediates.size());
969 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
970 certs[1]->os_cert_handle()));
971 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
972 certs[2]->os_cert_handle()));
975 TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
976 if (!SupportsAdditionalTrustAnchors()) {
977 LOG(INFO) << "Skipping this test in this platform.";
978 return;
981 // |ca_cert| is the issuer of |cert|.
982 CertificateList ca_cert_list = CreateCertificateListFromFile(
983 GetTestCertsDirectory(), "root_ca_cert.pem",
984 X509Certificate::FORMAT_AUTO);
985 ASSERT_EQ(1U, ca_cert_list.size());
986 scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
988 CertificateList cert_list = CreateCertificateListFromFile(
989 GetTestCertsDirectory(), "ok_cert.pem",
990 X509Certificate::FORMAT_AUTO);
991 ASSERT_EQ(1U, cert_list.size());
992 scoped_refptr<X509Certificate> cert(cert_list[0]);
994 // Verification of |cert| fails when |ca_cert| is not in the trust anchors
995 // list.
996 int flags = 0;
997 CertVerifyResult verify_result;
998 int error = Verify(
999 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1000 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
1001 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
1002 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
1004 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
1005 CertificateList trust_anchors;
1006 trust_anchors.push_back(ca_cert);
1007 error = Verify(
1008 cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
1009 EXPECT_EQ(OK, error);
1010 EXPECT_EQ(0U, verify_result.cert_status);
1011 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
1013 // Clearing the |trust_anchors| makes verification fail again (the cache
1014 // should be skipped).
1015 error = Verify(
1016 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1017 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
1018 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
1019 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
1022 // Tests that certificates issued by user-supplied roots are not flagged as
1023 // issued by a known root. This should pass whether or not the platform supports
1024 // detecting known roots.
1025 TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
1026 // Load root_ca_cert.pem into the test root store.
1027 ScopedTestRoot test_root(
1028 ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
1030 scoped_refptr<X509Certificate> cert(
1031 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
1033 // Verification should pass.
1034 int flags = 0;
1035 CertVerifyResult verify_result;
1036 int error = Verify(
1037 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1038 EXPECT_EQ(OK, error);
1039 EXPECT_EQ(0U, verify_result.cert_status);
1040 // But should not be marked as a known root.
1041 EXPECT_FALSE(verify_result.is_issued_by_known_root);
1044 #if defined(OS_MACOSX) && !defined(OS_IOS)
1045 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
1046 // Root can be successfully worked around once Apple completes removing the
1047 // older GTE CyberTrust Root from its trusted root store.
1049 // The issue is caused by servers supplying the cross-certified intermediate
1050 // (necessary for certain mobile platforms), which OS X does not recognize
1051 // as already existing within its trust store.
1052 TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
1053 CertificateList certs = CreateCertificateListFromFile(
1054 GetTestCertsDirectory(),
1055 "cybertrust_omniroot_chain.pem",
1056 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
1057 ASSERT_EQ(2U, certs.size());
1059 X509Certificate::OSCertHandles intermediates;
1060 intermediates.push_back(certs[1]->os_cert_handle());
1062 scoped_refptr<X509Certificate> cybertrust_basic =
1063 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
1064 intermediates);
1065 ASSERT_TRUE(cybertrust_basic.get());
1067 scoped_refptr<X509Certificate> baltimore_root =
1068 ImportCertFromFile(GetTestCertsDirectory(),
1069 "cybertrust_baltimore_root.pem");
1070 ASSERT_TRUE(baltimore_root.get());
1072 ScopedTestRoot scoped_root(baltimore_root.get());
1074 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This
1075 // simulates Keychain removing support for the GTE CyberTrust Root.
1076 TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
1077 base::ScopedClosureRunner reset_system_trust(
1078 base::Bind(&TestRootCerts::SetAllowSystemTrust,
1079 base::Unretained(TestRootCerts::GetInstance()),
1080 true));
1082 // First, make sure a simple certificate chain from
1083 // EE -> Public SureServer SV -> Baltimore CyberTrust
1084 // works. Only the first two certificates are included in the chain.
1085 int flags = 0;
1086 CertVerifyResult verify_result;
1087 int error = Verify(cybertrust_basic.get(),
1088 "cacert.omniroot.com",
1089 flags,
1090 NULL,
1091 empty_cert_list_,
1092 &verify_result);
1093 EXPECT_EQ(OK, error);
1094 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
1096 // Attempt to verify with the first known cross-certified intermediate
1097 // provided.
1098 scoped_refptr<X509Certificate> baltimore_intermediate_1 =
1099 ImportCertFromFile(GetTestCertsDirectory(),
1100 "cybertrust_baltimore_cross_certified_1.pem");
1101 ASSERT_TRUE(baltimore_intermediate_1.get());
1103 X509Certificate::OSCertHandles intermediate_chain_1 =
1104 cybertrust_basic->GetIntermediateCertificates();
1105 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
1107 scoped_refptr<X509Certificate> baltimore_chain_1 =
1108 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1109 intermediate_chain_1);
1110 error = Verify(baltimore_chain_1.get(),
1111 "cacert.omniroot.com",
1112 flags,
1113 NULL,
1114 empty_cert_list_,
1115 &verify_result);
1116 EXPECT_EQ(OK, error);
1117 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
1119 // Attempt to verify with the second known cross-certified intermediate
1120 // provided.
1121 scoped_refptr<X509Certificate> baltimore_intermediate_2 =
1122 ImportCertFromFile(GetTestCertsDirectory(),
1123 "cybertrust_baltimore_cross_certified_2.pem");
1124 ASSERT_TRUE(baltimore_intermediate_2.get());
1126 X509Certificate::OSCertHandles intermediate_chain_2 =
1127 cybertrust_basic->GetIntermediateCertificates();
1128 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
1130 scoped_refptr<X509Certificate> baltimore_chain_2 =
1131 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1132 intermediate_chain_2);
1133 error = Verify(baltimore_chain_2.get(),
1134 "cacert.omniroot.com",
1135 flags,
1136 NULL,
1137 empty_cert_list_,
1138 &verify_result);
1139 EXPECT_EQ(OK, error);
1140 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
1142 // Attempt to verify when both a cross-certified intermediate AND
1143 // the legacy GTE root are provided.
1144 scoped_refptr<X509Certificate> cybertrust_root =
1145 ImportCertFromFile(GetTestCertsDirectory(),
1146 "cybertrust_gte_root.pem");
1147 ASSERT_TRUE(cybertrust_root.get());
1149 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
1150 scoped_refptr<X509Certificate> baltimore_chain_with_root =
1151 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1152 intermediate_chain_2);
1153 error = Verify(baltimore_chain_with_root.get(),
1154 "cacert.omniroot.com",
1155 flags,
1156 NULL,
1157 empty_cert_list_,
1158 &verify_result);
1159 EXPECT_EQ(OK, error);
1160 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
1162 TestRootCerts::GetInstance()->Clear();
1163 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty());
1165 #endif
1167 #if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_WIN) || \
1168 defined(OS_MACOSX)
1169 // Test that CRLSets are effective in making a certificate appear to be
1170 // revoked.
1171 TEST_F(CertVerifyProcTest, CRLSet) {
1172 CertificateList ca_cert_list =
1173 CreateCertificateListFromFile(GetTestCertsDirectory(),
1174 "root_ca_cert.pem",
1175 X509Certificate::FORMAT_AUTO);
1176 ASSERT_EQ(1U, ca_cert_list.size());
1177 ScopedTestRoot test_root(ca_cert_list[0].get());
1179 CertificateList cert_list = CreateCertificateListFromFile(
1180 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
1181 ASSERT_EQ(1U, cert_list.size());
1182 scoped_refptr<X509Certificate> cert(cert_list[0]);
1184 int flags = 0;
1185 CertVerifyResult verify_result;
1186 int error = Verify(
1187 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1188 EXPECT_EQ(OK, error);
1189 EXPECT_EQ(0U, verify_result.cert_status);
1191 scoped_refptr<CRLSet> crl_set;
1192 std::string crl_set_bytes;
1194 // First test blocking by SPKI.
1195 EXPECT_TRUE(base::ReadFileToString(
1196 GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw"),
1197 &crl_set_bytes));
1198 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
1200 error = Verify(cert.get(),
1201 "127.0.0.1",
1202 flags,
1203 crl_set.get(),
1204 empty_cert_list_,
1205 &verify_result);
1206 EXPECT_EQ(ERR_CERT_REVOKED, error);
1208 // Second, test revocation by serial number of a cert directly under the
1209 // root.
1210 crl_set_bytes.clear();
1211 EXPECT_TRUE(base::ReadFileToString(
1212 GetTestCertsDirectory().AppendASCII("crlset_by_root_serial.raw"),
1213 &crl_set_bytes));
1214 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
1216 error = Verify(cert.get(),
1217 "127.0.0.1",
1218 flags,
1219 crl_set.get(),
1220 empty_cert_list_,
1221 &verify_result);
1222 EXPECT_EQ(ERR_CERT_REVOKED, error);
1225 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
1226 CertificateList ca_cert_list =
1227 CreateCertificateListFromFile(GetTestCertsDirectory(),
1228 "quic_root.crt",
1229 X509Certificate::FORMAT_AUTO);
1230 ASSERT_EQ(1U, ca_cert_list.size());
1231 ScopedTestRoot test_root(ca_cert_list[0].get());
1233 CertificateList intermediate_cert_list =
1234 CreateCertificateListFromFile(GetTestCertsDirectory(),
1235 "quic_intermediate.crt",
1236 X509Certificate::FORMAT_AUTO);
1237 ASSERT_EQ(1U, intermediate_cert_list.size());
1238 X509Certificate::OSCertHandles intermediates;
1239 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle());
1241 CertificateList cert_list = CreateCertificateListFromFile(
1242 GetTestCertsDirectory(), "quic_test.example.com.crt",
1243 X509Certificate::FORMAT_AUTO);
1244 ASSERT_EQ(1U, cert_list.size());
1246 scoped_refptr<X509Certificate> leaf =
1247 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
1248 intermediates);
1250 int flags = 0;
1251 CertVerifyResult verify_result;
1252 int error = Verify(leaf.get(),
1253 "test.example.com",
1254 flags,
1255 NULL,
1256 empty_cert_list_,
1257 &verify_result);
1258 EXPECT_EQ(OK, error);
1259 EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
1261 // Test revocation by serial number of a certificate not under the root.
1262 scoped_refptr<CRLSet> crl_set;
1263 std::string crl_set_bytes;
1264 ASSERT_TRUE(base::ReadFileToString(
1265 GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"),
1266 &crl_set_bytes));
1267 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
1269 error = Verify(leaf.get(),
1270 "test.example.com",
1271 flags,
1272 crl_set.get(),
1273 empty_cert_list_,
1274 &verify_result);
1275 EXPECT_EQ(ERR_CERT_REVOKED, error);
1277 #endif
1279 enum ExpectedAlgorithms {
1280 EXPECT_MD2 = 1 << 0,
1281 EXPECT_MD4 = 1 << 1,
1282 EXPECT_MD5 = 1 << 2,
1283 EXPECT_SHA1 = 1 << 3
1286 struct WeakDigestTestData {
1287 const char* root_cert_filename;
1288 const char* intermediate_cert_filename;
1289 const char* ee_cert_filename;
1290 int expected_algorithms;
1293 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1294 // to output the parameter that was passed. Without this, it will simply
1295 // attempt to print out the first twenty bytes of the object, which depending
1296 // on platform and alignment, may result in an invalid read.
1297 void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
1298 *os << "root: "
1299 << (data.root_cert_filename ? data.root_cert_filename : "none")
1300 << "; intermediate: " << data.intermediate_cert_filename
1301 << "; end-entity: " << data.ee_cert_filename;
1304 class CertVerifyProcWeakDigestTest
1305 : public CertVerifyProcTest,
1306 public testing::WithParamInterface<WeakDigestTestData> {
1307 public:
1308 CertVerifyProcWeakDigestTest() {}
1309 virtual ~CertVerifyProcWeakDigestTest() {}
1312 TEST_P(CertVerifyProcWeakDigestTest, Verify) {
1313 WeakDigestTestData data = GetParam();
1314 base::FilePath certs_dir = GetTestCertsDirectory();
1316 ScopedTestRoot test_root;
1317 if (data.root_cert_filename) {
1318 scoped_refptr<X509Certificate> root_cert =
1319 ImportCertFromFile(certs_dir, data.root_cert_filename);
1320 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
1321 test_root.Reset(root_cert.get());
1324 scoped_refptr<X509Certificate> intermediate_cert =
1325 ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
1326 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get());
1327 scoped_refptr<X509Certificate> ee_cert =
1328 ImportCertFromFile(certs_dir, data.ee_cert_filename);
1329 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert.get());
1331 X509Certificate::OSCertHandles intermediates;
1332 intermediates.push_back(intermediate_cert->os_cert_handle());
1334 scoped_refptr<X509Certificate> ee_chain =
1335 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
1336 intermediates);
1337 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain.get());
1339 int flags = 0;
1340 CertVerifyResult verify_result;
1341 int rv = Verify(ee_chain.get(),
1342 "127.0.0.1",
1343 flags,
1344 NULL,
1345 empty_cert_list_,
1346 &verify_result);
1347 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2);
1348 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4);
1349 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5);
1350 EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1);
1352 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
1354 // Ensure that MD4 and MD2 are tagged as invalid.
1355 if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) {
1356 EXPECT_EQ(CERT_STATUS_INVALID,
1357 verify_result.cert_status & CERT_STATUS_INVALID);
1360 // Ensure that MD5 is flagged as weak.
1361 if (data.expected_algorithms & EXPECT_MD5) {
1362 EXPECT_EQ(
1363 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
1364 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
1367 // If a root cert is present, then check that the chain was rejected if any
1368 // weak algorithms are present. This is only checked when a root cert is
1369 // present because the error reported for incomplete chains with weak
1370 // algorithms depends on which implementation was used to validate (NSS,
1371 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
1372 // present (MD2, MD4, MD5).
1373 if (data.root_cert_filename) {
1374 if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) {
1375 EXPECT_EQ(ERR_CERT_INVALID, rv);
1376 } else if (data.expected_algorithms & EXPECT_MD5) {
1377 EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
1378 } else {
1379 EXPECT_EQ(OK, rv);
1384 // Unlike TEST/TEST_F, which are macros that expand to further macros,
1385 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that
1386 // stringizes the arguments. As a result, macros passed as parameters (such as
1387 // prefix or test_case_name) will not be expanded by the preprocessor. To work
1388 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the
1389 // pre-processor will expand macros such as MAYBE_test_name before
1390 // instantiating the test.
1391 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
1392 INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator)
1394 // The signature algorithm of the root CA should not matter.
1395 const WeakDigestTestData kVerifyRootCATestData[] = {
1396 { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
1397 "weak_digest_sha1_ee.pem", EXPECT_SHA1 },
1398 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1399 // MD4 is not supported by OS X / NSS
1400 { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
1401 "weak_digest_sha1_ee.pem", EXPECT_SHA1 },
1402 #endif
1403 { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
1404 "weak_digest_sha1_ee.pem", EXPECT_SHA1 },
1406 INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
1407 testing::ValuesIn(kVerifyRootCATestData));
1409 // The signature algorithm of intermediates should be properly detected.
1410 const WeakDigestTestData kVerifyIntermediateCATestData[] = {
1411 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1412 "weak_digest_sha1_ee.pem", EXPECT_MD5 | EXPECT_SHA1 },
1413 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1414 // MD4 is not supported by OS X / NSS
1415 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1416 "weak_digest_sha1_ee.pem", EXPECT_MD4 | EXPECT_SHA1 },
1417 #endif
1418 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1419 "weak_digest_sha1_ee.pem", EXPECT_MD2 | EXPECT_SHA1 },
1421 // Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled.
1422 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
1423 #define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate
1424 #else
1425 #define MAYBE_VerifyIntermediate VerifyIntermediate
1426 #endif
1427 WRAPPED_INSTANTIATE_TEST_CASE_P(
1428 MAYBE_VerifyIntermediate,
1429 CertVerifyProcWeakDigestTest,
1430 testing::ValuesIn(kVerifyIntermediateCATestData));
1432 // The signature algorithm of end-entity should be properly detected.
1433 const WeakDigestTestData kVerifyEndEntityTestData[] = {
1434 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1435 "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1 },
1436 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1437 // MD4 is not supported by OS X / NSS
1438 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1439 "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1 },
1440 #endif
1441 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1442 "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1 },
1444 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot
1445 // be cleared until NSS is cleanly shutdown, which is not presently supported
1446 // in Chromium.
1447 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
1448 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity
1449 #else
1450 #define MAYBE_VerifyEndEntity VerifyEndEntity
1451 #endif
1452 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
1453 CertVerifyProcWeakDigestTest,
1454 testing::ValuesIn(kVerifyEndEntityTestData));
1456 // Incomplete chains should still report the status of the intermediate.
1457 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
1458 { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
1459 EXPECT_MD5 | EXPECT_SHA1 },
1460 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1461 // MD4 is not supported by OS X / NSS
1462 { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
1463 EXPECT_MD4 | EXPECT_SHA1 },
1464 #endif
1465 { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
1466 EXPECT_MD2 | EXPECT_SHA1 },
1468 // Disabled on NSS - libpkix does not return constructed chains on error,
1469 // preventing us from detecting/inspecting the verified chain.
1470 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
1471 #define MAYBE_VerifyIncompleteIntermediate \
1472 DISABLED_VerifyIncompleteIntermediate
1473 #else
1474 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate
1475 #endif
1476 WRAPPED_INSTANTIATE_TEST_CASE_P(
1477 MAYBE_VerifyIncompleteIntermediate,
1478 CertVerifyProcWeakDigestTest,
1479 testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
1481 // Incomplete chains should still report the status of the end-entity.
1482 const WeakDigestTestData kVerifyIncompleteEETestData[] = {
1483 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
1484 EXPECT_MD5 | EXPECT_SHA1 },
1485 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1486 // MD4 is not supported by OS X / NSS
1487 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
1488 EXPECT_MD4 | EXPECT_SHA1 },
1489 #endif
1490 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
1491 EXPECT_MD2 | EXPECT_SHA1 },
1493 // Disabled on NSS - libpkix does not return constructed chains on error,
1494 // preventing us from detecting/inspecting the verified chain.
1495 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
1496 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity
1497 #else
1498 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity
1499 #endif
1500 WRAPPED_INSTANTIATE_TEST_CASE_P(
1501 MAYBE_VerifyIncompleteEndEntity,
1502 CertVerifyProcWeakDigestTest,
1503 testing::ValuesIn(kVerifyIncompleteEETestData));
1505 // Differing algorithms between the intermediate and the EE should still be
1506 // reported.
1507 const WeakDigestTestData kVerifyMixedTestData[] = {
1508 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1509 "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
1510 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1511 "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
1512 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1513 // MD4 is not supported by OS X / NSS
1514 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1515 "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4 },
1516 #endif
1518 // NSS does not support MD4 and does not enable MD2 by default, making all
1519 // permutations invalid.
1520 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
1521 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
1522 #else
1523 #define MAYBE_VerifyMixed VerifyMixed
1524 #endif
1525 WRAPPED_INSTANTIATE_TEST_CASE_P(
1526 MAYBE_VerifyMixed,
1527 CertVerifyProcWeakDigestTest,
1528 testing::ValuesIn(kVerifyMixedTestData));
1530 // For the list of valid hostnames, see
1531 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
1532 static const struct CertVerifyProcNameData {
1533 const char* hostname;
1534 bool valid; // Whether or not |hostname| matches a subjectAltName.
1535 } kVerifyNameData[] = {
1536 { "127.0.0.1", false }, // Don't match the common name
1537 { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)
1538 { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)
1539 { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN
1540 { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)
1541 { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN
1542 { "test.example", true }, // Matches the dNSName SAN
1543 { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)
1544 { "www.test.example", false }, // Should not match the dNSName SAN
1545 { "test..example", false }, // Should not match the dNSName SAN
1546 { "test.example..", false }, // Should not match the dNSName SAN
1547 { ".test.example.", false }, // Should not match the dNSName SAN
1548 { ".test.example", false }, // Should not match the dNSName SAN
1551 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1552 // to output the parameter that was passed. Without this, it will simply
1553 // attempt to print out the first twenty bytes of the object, which depending
1554 // on platform and alignment, may result in an invalid read.
1555 void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
1556 *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
1559 class CertVerifyProcNameTest
1560 : public CertVerifyProcTest,
1561 public testing::WithParamInterface<CertVerifyProcNameData> {
1562 public:
1563 CertVerifyProcNameTest() {}
1564 virtual ~CertVerifyProcNameTest() {}
1567 TEST_P(CertVerifyProcNameTest, VerifyCertName) {
1568 CertVerifyProcNameData data = GetParam();
1570 CertificateList cert_list = CreateCertificateListFromFile(
1571 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
1572 X509Certificate::FORMAT_AUTO);
1573 ASSERT_EQ(1U, cert_list.size());
1574 scoped_refptr<X509Certificate> cert(cert_list[0]);
1576 ScopedTestRoot scoped_root(cert.get());
1578 CertVerifyResult verify_result;
1579 int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
1580 &verify_result);
1581 if (data.valid) {
1582 EXPECT_EQ(OK, error);
1583 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1584 } else {
1585 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
1586 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1590 WRAPPED_INSTANTIATE_TEST_CASE_P(
1591 VerifyName,
1592 CertVerifyProcNameTest,
1593 testing::ValuesIn(kVerifyNameData));
1595 #if defined(OS_MACOSX) && !defined(OS_IOS)
1596 // Test that CertVerifyProcMac reacts appropriately when Apple's certificate
1597 // verifier rejects a certificate with a fatal error. This is a regression
1598 // test for https://crbug.com/472291.
1599 TEST_F(CertVerifyProcTest, LargeKey) {
1600 // Load root_ca_cert.pem into the test root store.
1601 ScopedTestRoot test_root(
1602 ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
1604 scoped_refptr<X509Certificate> cert(
1605 ImportCertFromFile(GetTestCertsDirectory(), "large_key.pem"));
1607 // Apple's verifier rejects this certificate as invalid because the
1608 // RSA key is too large. If a future version of OS X changes this,
1609 // large_key.pem may need to be regenerated with a larger key.
1610 int flags = 0;
1611 CertVerifyResult verify_result;
1612 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
1613 &verify_result);
1614 EXPECT_EQ(ERR_CERT_INVALID, error);
1615 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status);
1617 #endif // defined(OS_MACOSX) && !defined(OS_IOS)
1619 } // namespace net