1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #import "ios/web/web_state/wk_web_view_security_util.h"
7 #import <Foundation/Foundation.h>
8 #include <Security/Security.h>
10 #include "base/mac/scoped_cftyperef.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "crypto/rsa_private_key.h"
13 #include "ios/web/public/test/web_test_util.h"
14 #include "net/cert/x509_cert_types.h"
15 #include "net/cert/x509_certificate.h"
16 #include "net/cert/x509_util.h"
17 #include "net/ssl/ssl_info.h"
18 #include "testing/gtest/include/gtest/gtest.h"
19 #include "testing/platform_test.h"
21 namespace web {
22 namespace {
23 // Subject for testing self-signed certificate.
24 const char kTestSubject[] = "self-signed";
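// Returns an autoreleased certificate chain for testing. The chain holds a
// single self-signed cert whose subject is "CN=" + |subject| and whose validity
// window runs for one day starting now. Returns nil when the key/cert pair
// cannot be generated or the DER bytes cannot be turned into an OS cert handle.
NSArray* MakeTestCertChain(const std::string& subject) {
  scoped_ptr<crypto::RSAPrivateKey> private_key;
  std::string der_cert;
  // Take the clock once so both ends of the validity window share one origin.
  const base::Time not_valid_before = base::Time::Now();
  if (!net::x509_util::CreateKeyAndSelfSignedCert(
          "CN=" + subject, 1, not_valid_before,
          not_valid_before + base::TimeDelta::FromDays(1), &private_key,
          &der_cert)) {
    return nil;
  }

  base::ScopedCFTypeRef<SecCertificateRef> cert(
      net::X509Certificate::CreateOSCertHandleFromBytes(der_cert.data(),
                                                        der_cert.size()));
  // An array literal raises NSInvalidArgumentException on a nil element, so
  // report the failure to the caller instead of building the chain.
  if (!cert.get())
    return nil;

  // NSArray retains its elements, so the chain stays valid after |cert| goes
  // out of scope.
  return @[ reinterpret_cast<id>(cert.get()) ];
}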
// Builds a SecTrustRef for testing from |cert_chain|, evaluated against the
// basic X.509 policy. The OSStatus returned by SecTrustCreateWithCertificates
// is not inspected; callers should expect a null scoper if creation fails
// (NOTE(review): presumably |raw_trust| stays null on failure — confirm).
base::ScopedCFTypeRef<SecTrustRef> CreateTestTrust(NSArray* cert_chain) {
  base::ScopedCFTypeRef<SecPolicyRef> x509_policy(SecPolicyCreateBasicX509());
  SecTrustRef raw_trust = nullptr;
  SecTrustCreateWithCertificates(cert_chain, x509_policy, &raw_trust);
  // Hand ownership of the created trust object to the scoper.
  base::ScopedCFTypeRef<SecTrustRef> scoped_trust(raw_trust);
  return scoped_trust;
}
51 }  // namespace
53 // Test class for wk_web_view_security_util functions.
54 typedef PlatformTest WKWebViewSecurityUtilTest;
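// Tests that CreateCertFromChain turns a one-element self-signed chain into an
// X509Certificate whose subject display name matches the test subject.
TEST_F(WKWebViewSecurityUtilTest, CreationCertFromChain) {
  scoped_refptr<net::X509Certificate> cert =
      CreateCertFromChain(MakeTestCertChain(kTestSubject));
  // Fail the test here rather than crash on the dereference below if no
  // certificate was produced.
  ASSERT_TRUE(cert.get());
  // EXPECT_EQ prints both values on mismatch, unlike EXPECT_TRUE(a == b).
  EXPECT_EQ(kTestSubject, cert->subject().GetDisplayName());
}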
// Tests that CreateCertFromChain yields no certificate when handed a nil chain.
TEST_F(WKWebViewSecurityUtilTest, CreationCertFromNilChain) {
  NSArray* nilChain = nil;
  EXPECT_FALSE(CreateCertFromChain(nilChain));
}
// Tests that CreateCertFromChain yields no certificate when the chain has no
// elements.
TEST_F(WKWebViewSecurityUtilTest, CreationCertFromEmptyChain) {
  NSArray* emptyChain = [NSArray array];
  EXPECT_FALSE(CreateCertFromChain(emptyChain));
}
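// Tests EnsureFutureTrustEvaluationSucceeds with a self-signed cert: the trust
// object must fail evaluation before the call and evaluate to
// kSecTrustResultProceed after it.
// NOTE(review): the function under test turns a failing trust evaluation into a
// passing one; production callers presumably gate it on an explicit decision to
// accept the certificate — confirm against the call sites.
TEST_F(WKWebViewSecurityUtilTest, MakingTrustValid) {
  // Create invalid trust object.
  base::ScopedCFTypeRef<SecTrustRef> trust =
      CreateTestTrust(MakeTestCertChain(kTestSubject));
  // Without a trust object the evaluations below would be meaningless.
  ASSERT_TRUE(trust.get());

  // A self-signed cert is not anchored, so evaluation is expected to report a
  // recoverable failure. Check the status too, so that |result| is only
  // compared when the evaluation actually ran.
  SecTrustResultType result = -1;
  ASSERT_EQ(errSecSuccess, SecTrustEvaluate(trust, &result));
  EXPECT_EQ(kSecTrustResultRecoverableTrustFailure, result);

  // Make sure that trust becomes valid after
  // |EnsureFutureTrustEvaluationSucceeds| call.
  EnsureFutureTrustEvaluationSucceeds(trust);
  // Reset so the value checked below can only come from the second evaluation.
  result = -1;
  ASSERT_EQ(errSecSuccess, SecTrustEvaluate(trust, &result));
  EXPECT_EQ(kSecTrustResultProceed, result);
}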
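// Tests that CreateCertFromTrust extracts a certificate from a trust object
// built over the self-signed test chain, and that its subject display name
// matches the test subject.
TEST_F(WKWebViewSecurityUtilTest, CreationCertFromTrust) {
  base::ScopedCFTypeRef<SecTrustRef> trust =
      CreateTestTrust(MakeTestCertChain(kTestSubject));
  scoped_refptr<net::X509Certificate> cert = CreateCertFromTrust(trust);
  // Fail the test here rather than crash on the dereference below if no
  // certificate was produced.
  ASSERT_TRUE(cert.get());
  // EXPECT_EQ prints both values on mismatch, unlike EXPECT_TRUE(a == b).
  EXPECT_EQ(kTestSubject, cert->subject().GetDisplayName());
}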
// Tests that CreateCertFromTrust yields no certificate when handed a nil trust
// object.
TEST_F(WKWebViewSecurityUtilTest, CreationCertFromNilTrust) {
  scoped_refptr<net::X509Certificate> cert = CreateCertFromTrust(nil);
  EXPECT_FALSE(cert);
}
// Tests that IsWKWebViewSSLError classifies an NSURLErrorDomain error carrying
// the NSURLErrorSecureConnectionFailed code as an SSL error.
TEST_F(WKWebViewSecurityUtilTest, CheckSecureConnectionFailedError) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* secureConnectionError =
      [NSError errorWithDomain:NSURLErrorDomain
                          code:NSURLErrorSecureConnectionFailed
                      userInfo:nil];
  EXPECT_TRUE(IsWKWebViewSSLError(secureConnectionError));
}
// Tests that IsWKWebViewSSLError classifies an NSURLErrorDomain error carrying
// the NSURLErrorClientCertificateRequired code as an SSL error.
// NOTE(review): the test name says CannotLoadFromNetwork, but the code
// exercised here is NSURLErrorClientCertificateRequired.
TEST_F(WKWebViewSecurityUtilTest, CheckCannotLoadFromNetworkError) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* clientCertRequiredError =
      [NSError errorWithDomain:NSURLErrorDomain
                          code:NSURLErrorClientCertificateRequired
                      userInfo:nil];
  EXPECT_TRUE(IsWKWebViewSSLError(clientCertRequiredError));
}
// Tests that IsWKWebViewSSLError rejects an error whose domain is the empty
// string, even though its code is NSURLErrorClientCertificateRequired: the
// code alone must not be enough to classify an error as an SSL error.
TEST_F(WKWebViewSecurityUtilTest, CheckCannotLoadFromNetworkErrorWithNoDomain) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* errorWithEmptyDomain =
      [NSError errorWithDomain:@""
                          code:NSURLErrorClientCertificateRequired
                      userInfo:nil];
  EXPECT_FALSE(IsWKWebViewSSLError(errorWithEmptyDomain));
}
// Tests that IsWKWebViewSSLError does not treat an NSURLErrorDomain error with
// the NSURLErrorDataLengthExceedsMaximum code as an SSL error.
TEST_F(WKWebViewSecurityUtilTest, CheckDataLengthExceedsMaximumError) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* dataLengthError =
      [NSError errorWithDomain:NSURLErrorDomain
                          code:NSURLErrorDataLengthExceedsMaximum
                      userInfo:nil];
  EXPECT_FALSE(IsWKWebViewSSLError(dataLengthError));
}
// Tests that IsWKWebViewSSLError does not treat an NSURLErrorDomain error with
// the NSURLErrorCannotLoadFromNetwork code as an SSL error.
// NOTE(review): the test name says CannotCreateFile, but the code exercised
// here is NSURLErrorCannotLoadFromNetwork.
TEST_F(WKWebViewSecurityUtilTest, CheckCannotCreateFileError) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* cannotLoadFromNetworkError =
      [NSError errorWithDomain:NSURLErrorDomain
                          code:NSURLErrorCannotLoadFromNetwork
                      userInfo:nil];
  EXPECT_FALSE(IsWKWebViewSSLError(cannotLoadFromNetworkError));
}
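// Tests GetSSLInfoFromWKWebViewSSLError with an NSError that has no user info:
// the resulting SSLInfo must be valid, carry CERT_STATUS_DATE_INVALID for the
// bad-date error code, and hold a cert whose subject display name is empty.
TEST_F(WKWebViewSecurityUtilTest, SSLInfoFromErrorWithoutUserInfo) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* badDateError =
      [NSError errorWithDomain:NSURLErrorDomain
                          code:NSURLErrorServerCertificateHasBadDate
                      userInfo:nil];
  net::SSLInfo info;
  GetSSLInfoFromWKWebViewSSLError(badDateError, &info);
  EXPECT_TRUE(info.is_valid());
  EXPECT_EQ(net::CERT_STATUS_DATE_INVALID, info.cert_status);
  // Fail the test here rather than crash on the dereference below if no cert
  // was attached to |info|.
  ASSERT_TRUE(info.cert.get());
  EXPECT_EQ("", info.cert->subject().GetDisplayName());
}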
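// Tests GetSSLInfoFromWKWebViewSSLError with an NSError that names the failing
// URL but carries no peer certificate chain: the resulting SSLInfo must be
// valid, carry CERT_STATUS_INVALID, and hold a cert whose subject display name
// equals the failing URL string.
TEST_F(WKWebViewSecurityUtilTest, SSLInfoFromErrorWithoutCert) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* untrustedCertError = [NSError
      errorWithDomain:NSURLErrorDomain
                 code:NSURLErrorServerCertificateUntrusted
             userInfo:@{
               NSURLErrorFailingURLStringErrorKey : @"https://www.google.com/",
             }];
  net::SSLInfo info;
  GetSSLInfoFromWKWebViewSSLError(untrustedCertError, &info);
  EXPECT_TRUE(info.is_valid());
  EXPECT_EQ(net::CERT_STATUS_INVALID, info.cert_status);
  // Fail the test here rather than crash on the dereference below if no cert
  // was attached to |info|.
  ASSERT_TRUE(info.cert.get());
  EXPECT_EQ("https://www.google.com/", info.cert->subject().GetDisplayName());
}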
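// Tests GetSSLInfoFromWKWebViewSSLError with an NSError whose user info carries
// the self-signed test chain under kNSErrorPeerCertificateChainKey: the
// resulting SSLInfo must be valid, carry CERT_STATUS_INVALID, and hold a cert
// whose subject display name matches the test subject.
TEST_F(WKWebViewSecurityUtilTest, SSLInfoFromErrorWithCert) {
  CR_TEST_REQUIRES_WK_WEB_VIEW();

  NSError* unknownCertError =
      [NSError errorWithDomain:NSURLErrorDomain
                          code:NSURLErrorServerCertificateHasUnknownRoot
                      userInfo:@{
                        kNSErrorPeerCertificateChainKey :
                            MakeTestCertChain(kTestSubject),
                      }];

  net::SSLInfo info;
  GetSSLInfoFromWKWebViewSSLError(unknownCertError, &info);
  EXPECT_TRUE(info.is_valid());
  EXPECT_EQ(net::CERT_STATUS_INVALID, info.cert_status);
  // Fail the test here rather than crash on the dereference below if no cert
  // was attached to |info|.
  ASSERT_TRUE(info.cert.get());
  // EXPECT_EQ prints both values on mismatch, unlike EXPECT_TRUE(a == b).
  EXPECT_EQ(kTestSubject, info.cert->subject().GetDisplayName());
}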
210 }  // namespace web