search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Adding instrumentation to locate the source of jankiness
[chromium-blink-merge.git] / chrome / common / net / x509_certificate_model_unittest.cc
blob89eebae79a682d49d7879ce20484f6fdf2996381
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/common/net/x509_certificate_model.h"
6
7 #include "base/files/file_path.h"
8 #include "base/path_service.h"
9 #include "net/base/test_data_directory.h"
10 #include "net/test/cert_test_util.h"
11 #include "testing/gtest/include/gtest/gtest.h"
12
13 #if defined(USE_NSS)
14 #include "crypto/scoped_test_nss_db.h"
15 #include "net/cert/nss_cert_database.h"
16 #endif
17
18 TEST(X509CertificateModelTest, GetCertNameOrNicknameAndGetTitle) {
19 scoped_refptr<net::X509Certificate> cert(
20 net::ImportCertFromFile(net::GetTestCertsDirectory(),
21 "root_ca_cert.pem"));
22 ASSERT_TRUE(cert.get());
23 EXPECT_EQ(
24 "Test Root CA",
25 x509_certificate_model::GetCertNameOrNickname(cert->os_cert_handle()));
26
27 scoped_refptr<net::X509Certificate> punycode_cert(
28 net::ImportCertFromFile(net::GetTestCertsDirectory(),
29 "punycodetest.pem"));
30 ASSERT_TRUE(punycode_cert.get());
31 EXPECT_EQ("xn--wgv71a119e.com (日本語.com)",
32 x509_certificate_model::GetCertNameOrNickname(
33 punycode_cert->os_cert_handle()));
34
35 scoped_refptr<net::X509Certificate> no_cn_cert(
36 net::ImportCertFromFile(net::GetTestCertsDirectory(),
37 "no_subject_common_name_cert.pem"));
38 ASSERT_TRUE(no_cn_cert.get());
39 #if defined(USE_OPENSSL)
40 EXPECT_EQ("emailAddress=wtc@google.com",
41 x509_certificate_model::GetCertNameOrNickname(
42 no_cn_cert->os_cert_handle()));
43 #else
44 // Temp cert has no nickname.
45 EXPECT_EQ("",
46 x509_certificate_model::GetCertNameOrNickname(
47 no_cn_cert->os_cert_handle()));
48 #endif
49
50 EXPECT_EQ("xn--wgv71a119e.com",
51 x509_certificate_model::GetTitle(
52 punycode_cert->os_cert_handle()));
53
54 #if defined(USE_OPENSSL)
55 EXPECT_EQ("emailAddress=wtc@google.com",
56 x509_certificate_model::GetTitle(
57 no_cn_cert->os_cert_handle()));
58 #else
59 EXPECT_EQ("E=wtc@google.com",
60 x509_certificate_model::GetTitle(
61 no_cn_cert->os_cert_handle()));
62 #endif
63
64 scoped_refptr<net::X509Certificate> no_cn_cert2(net::ImportCertFromFile(
65 net::GetTestCertsDirectory(), "ct-test-embedded-cert.pem"));
66 ASSERT_TRUE(no_cn_cert2.get());
67 EXPECT_EQ("L=Erw Wen,ST=Wales,O=Certificate Transparency,C=GB",
68 x509_certificate_model::GetTitle(no_cn_cert2->os_cert_handle()));
69 }
70
71 TEST(X509CertificateModelTest, GetExtensions) {
72 {
73 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
74 net::GetTestCertsDirectory(), "root_ca_cert.pem"));
75 ASSERT_TRUE(cert.get());
76
77 x509_certificate_model::Extensions extensions;
78 x509_certificate_model::GetExtensions(
79 "critical", "notcrit", cert->os_cert_handle(), &extensions);
80 ASSERT_EQ(3U, extensions.size());
81
82 EXPECT_EQ("Certificate Basic Constraints", extensions[0].name);
83 EXPECT_EQ(
84 "critical\nIs a Certification Authority\n"
85 "Maximum number of intermediate CAs: unlimited",
86 extensions[0].value);
87
88 EXPECT_EQ("Certificate Subject Key ID", extensions[1].name);
89 EXPECT_EQ(
90 "notcrit\nKey ID: BC F7 30 D1 3C C0 F2 79 FA EF 9F C9 6C 5C 93 F3\n8A "
91 "68 AB 83",
92 extensions[1].value);
93
94 EXPECT_EQ("Certificate Key Usage", extensions[2].name);
95 EXPECT_EQ("critical\nCertificate Signer\nCRL Signer", extensions[2].value);
96 }
97
98 {
99 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
100 net::GetTestCertsDirectory(), "subjectAltName_sanity_check.pem"));
101 x509_certificate_model::Extensions extensions;
102 x509_certificate_model::GetExtensions(
103 "critical", "notcrit", cert->os_cert_handle(), &extensions);
104 ASSERT_EQ(2U, extensions.size());
105 EXPECT_EQ("Certificate Subject Alternative Name", extensions[1].name);
106 EXPECT_EQ(
107 "notcrit\nIP Address: 127.0.0.2\nIP Address: fe80::1\nDNS Name: "
108 "test.example\nEmail Address: test@test.example\nOID.1.2.3.4: 0C 09 69 "
109 "67 6E 6F 72 65 20 6D 65\nX.500 Name: CN = 127.0.0.3\n\n",
110 extensions[1].value);
111 }
112
113 {
114 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
115 net::GetTestCertsDirectory(), "foaf.me.chromium-test-cert.der"));
116 x509_certificate_model::Extensions extensions;
117 x509_certificate_model::GetExtensions(
118 "critical", "notcrit", cert->os_cert_handle(), &extensions);
119 ASSERT_EQ(5U, extensions.size());
120 EXPECT_EQ("Netscape Certificate Comment", extensions[1].name);
121 EXPECT_EQ("notcrit\nOpenSSL Generated Certificate", extensions[1].value);
122 }
123
124 {
125 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
126 net::GetTestCertsDirectory(), "2029_globalsign_com_cert.pem"));
127 x509_certificate_model::Extensions extensions;
128 x509_certificate_model::GetExtensions(
129 "critical", "notcrit", cert->os_cert_handle(), &extensions);
130 ASSERT_EQ(9U, extensions.size());
131
132 EXPECT_EQ("Certificate Subject Key ID", extensions[0].name);
133 EXPECT_EQ(
134 "notcrit\nKey ID: 59 BC D9 69 F7 B0 65 BB C8 34 C5 D2 C2 EF 17 78\nA6 "
135 "47 1E 8B",
136 extensions[0].value);
137
138 EXPECT_EQ("Certification Authority Key ID", extensions[1].name);
139 EXPECT_EQ(
140 "notcrit\nKey ID: 8A FC 14 1B 3D A3 59 67 A5 3B E1 73 92 A6 62 91\n7F "
141 "E4 78 30\n",
142 extensions[1].value);
143
144 EXPECT_EQ("Authority Information Access", extensions[2].name);
145 EXPECT_EQ(
146 "notcrit\nCA Issuers: "
147 "URI: http://secure.globalsign.net/cacert/SHA256extendval1.crt\n",
148 extensions[2].value);
149
150 EXPECT_EQ("CRL Distribution Points", extensions[3].name);
151 EXPECT_EQ("notcrit\nURI: http://crl.globalsign.net/SHA256ExtendVal1.crl\n",
152 extensions[3].value);
153
154 EXPECT_EQ("Certificate Basic Constraints", extensions[4].name);
155 EXPECT_EQ("notcrit\nIs not a Certification Authority\n",
156 extensions[4].value);
157
158 EXPECT_EQ("Certificate Key Usage", extensions[5].name);
159 EXPECT_EQ(
160 "critical\nSigning\nNon-repudiation\nKey Encipherment\n"
161 "Data Encipherment",
162 extensions[5].value);
163
164 EXPECT_EQ("Extended Key Usage", extensions[6].name);
165 EXPECT_EQ(
166 "notcrit\nTLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1)\n"
167 "TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2)\n",
168 extensions[6].value);
169
170 EXPECT_EQ("Certificate Policies", extensions[7].name);
171 EXPECT_EQ(
172 "notcrit\nOID.1.3.6.1.4.1.4146.1.1:\n"
173 " Certification Practice Statement Pointer:"
174 " http://www.globalsign.net/repository/\n",
175 extensions[7].value);
176
177 EXPECT_EQ("Netscape Certificate Type", extensions[8].name);
178 EXPECT_EQ("notcrit\nSSL Client Certificate\nSSL Server Certificate",
179 extensions[8].value);
180 }
181
182 {
183 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
184 net::GetTestCertsDirectory(), "diginotar_public_ca_2025.pem"));
185 x509_certificate_model::Extensions extensions;
186 x509_certificate_model::GetExtensions(
187 "critical", "notcrit", cert->os_cert_handle(), &extensions);
188 ASSERT_EQ(7U, extensions.size());
189
190 EXPECT_EQ("Authority Information Access", extensions[0].name);
191 EXPECT_EQ(
192 "notcrit\nOCSP Responder: "
193 "URI: http://validation.diginotar.nl\n",
194 extensions[0].value);
195
196 EXPECT_EQ("Certificate Basic Constraints", extensions[2].name);
197 EXPECT_EQ(
198 "critical\nIs a Certification Authority\n"
199 "Maximum number of intermediate CAs: 0",
200 extensions[2].value);
201 EXPECT_EQ("Certificate Policies", extensions[3].name);
202 EXPECT_EQ(
203 "notcrit\nOID.2.16.528.1.1001.1.1.1.1.5.2.6.4:\n"
204 " Certification Practice Statement Pointer:"
205 " http://www.diginotar.nl/cps\n"
206 " User Notice:\n"
207 " Conditions, as mentioned on our website (www.diginotar.nl), are "
208 "applicable to all our products and services.\n",
209 extensions[3].value);
210 }
211 }
212
213 TEST(X509CertificateModelTest, GetTypeCA) {
214 scoped_refptr<net::X509Certificate> cert(
215 net::ImportCertFromFile(net::GetTestCertsDirectory(),
216 "root_ca_cert.pem"));
217 ASSERT_TRUE(cert.get());
218
219 #if defined(USE_OPENSSL)
220 // Remove this when OpenSSL build implements the necessary functions.
221 EXPECT_EQ(net::OTHER_CERT,
222 x509_certificate_model::GetType(cert->os_cert_handle()));
223 #else
224 EXPECT_EQ(net::CA_CERT,
225 x509_certificate_model::GetType(cert->os_cert_handle()));
226
227 crypto::ScopedTestNSSDB test_nssdb;
228 net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot(
229 test_nssdb.slot())) /* public slot */,
230 crypto::ScopedPK11Slot(PK11_ReferenceSlot(
231 test_nssdb.slot())) /* private slot */);
232
233 // Test that explicitly distrusted CA certs are still returned as CA_CERT
234 // type. See http://crbug.com/96654.
235 EXPECT_TRUE(db.SetCertTrust(
236 cert.get(), net::CA_CERT, net::NSSCertDatabase::DISTRUSTED_SSL));
237
238 EXPECT_EQ(net::CA_CERT,
239 x509_certificate_model::GetType(cert->os_cert_handle()));
240 #endif
241 }
242
243 TEST(X509CertificateModelTest, GetTypeServer) {
244 scoped_refptr<net::X509Certificate> cert(
245 net::ImportCertFromFile(net::GetTestCertsDirectory(),
246 "google.single.der"));
247 ASSERT_TRUE(cert.get());
248
249 #if defined(USE_OPENSSL)
250 // Remove this when OpenSSL build implements the necessary functions.
251 EXPECT_EQ(net::OTHER_CERT,
252 x509_certificate_model::GetType(cert->os_cert_handle()));
253 #else
254 // Test mozilla_security_manager::GetCertType with server certs and default
255 // trust. Currently this doesn't work.
256 // TODO(mattm): make mozilla_security_manager::GetCertType smarter so we can
257 // tell server certs even if they have no trust bits set.
258 EXPECT_EQ(net::OTHER_CERT,
259 x509_certificate_model::GetType(cert->os_cert_handle()));
260
261 crypto::ScopedTestNSSDB test_nssdb;
262 net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot(
263 test_nssdb.slot())) /* public slot */,
264 crypto::ScopedPK11Slot(PK11_ReferenceSlot(
265 test_nssdb.slot())) /* private slot */);
266
267 // Test GetCertType with server certs and explicit trust.
268 EXPECT_TRUE(db.SetCertTrust(
269 cert.get(), net::SERVER_CERT, net::NSSCertDatabase::TRUSTED_SSL));
270
271 EXPECT_EQ(net::SERVER_CERT,
272 x509_certificate_model::GetType(cert->os_cert_handle()));
273
274 // Test GetCertType with server certs and explicit distrust.
275 EXPECT_TRUE(db.SetCertTrust(
276 cert.get(), net::SERVER_CERT, net::NSSCertDatabase::DISTRUSTED_SSL));
277
278 EXPECT_EQ(net::SERVER_CERT,
279 x509_certificate_model::GetType(cert->os_cert_handle()));
280 #endif
281 }
282
283 // An X.509 v1 certificate with the version field omitted should get
284 // the default value v1.
285 TEST(X509CertificateModelTest, GetVersionOmitted) {
286 scoped_refptr<net::X509Certificate> cert(
287 net::ImportCertFromFile(net::GetTestCertsDirectory(),
288 "ndn.ca.crt"));
289 ASSERT_TRUE(cert.get());
290
291 EXPECT_EQ("1", x509_certificate_model::GetVersion(cert->os_cert_handle()));
292 }
293
294 TEST(X509CertificateModelTest, GetCMSString) {
295 net::CertificateList certs =
296 CreateCertificateListFromFile(net::GetTestCertsDirectory(),
297 "multi-root-chain1.pem",
298 net::X509Certificate::FORMAT_AUTO);
299
300 net::X509Certificate::OSCertHandles cert_handles;
301 for (net::CertificateList::iterator i = certs.begin(); i != certs.end(); ++i)
302 cert_handles.push_back((*i)->os_cert_handle());
303 ASSERT_EQ(4U, cert_handles.size());
304
305 {
306 // Write the full chain.
307 std::string pkcs7_string = x509_certificate_model::GetCMSString(
308 cert_handles, 0, cert_handles.size());
309
310 ASSERT_FALSE(pkcs7_string.empty());
311
312 net::CertificateList decoded_certs =
313 net::X509Certificate::CreateCertificateListFromBytes(
314 pkcs7_string.data(),
315 pkcs7_string.size(),
316 net::X509Certificate::FORMAT_PKCS7);
317
318 ASSERT_EQ(certs.size(), decoded_certs.size());
319 #if defined(USE_OPENSSL)
320 for (size_t i = 0; i < certs.size(); ++i)
321 EXPECT_TRUE(certs[i]->Equals(decoded_certs[i]));
322 #else
323 // NSS sorts the certs before writing the file.
324 EXPECT_TRUE(certs[0]->Equals(decoded_certs.back().get()));
325 for (size_t i = 1; i < certs.size(); ++i)
326 EXPECT_TRUE(certs[i]->Equals(decoded_certs[i - 1].get()));
327 #endif
328 }
329
330 {
331 // Write only the first cert.
332 std::string pkcs7_string =
333 x509_certificate_model::GetCMSString(cert_handles, 0, 1);
334
335 net::CertificateList decoded_certs =
336 net::X509Certificate::CreateCertificateListFromBytes(
337 pkcs7_string.data(),
338 pkcs7_string.size(),
339 net::X509Certificate::FORMAT_PKCS7);
340
341 ASSERT_EQ(1U, decoded_certs.size());
342 EXPECT_TRUE(certs[0]->Equals(decoded_certs[0].get()));
343 }
344 }
345
346 TEST(X509CertificateModelTest, ProcessSecAlgorithms) {
347 {
348 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
349 net::GetTestCertsDirectory(), "root_ca_cert.pem"));
350 ASSERT_TRUE(cert.get());
351 EXPECT_EQ("PKCS #1 SHA-1 With RSA Encryption",
352 x509_certificate_model::ProcessSecAlgorithmSignature(
353 cert->os_cert_handle()));
354 EXPECT_EQ("PKCS #1 SHA-1 With RSA Encryption",
355 x509_certificate_model::ProcessSecAlgorithmSignatureWrap(
356 cert->os_cert_handle()));
357 EXPECT_EQ("PKCS #1 RSA Encryption",
358 x509_certificate_model::ProcessSecAlgorithmSubjectPublicKey(
359 cert->os_cert_handle()));
360 }
361 {
362 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
363 net::GetTestCertsDirectory(), "weak_digest_md5_root.pem"));
364 ASSERT_TRUE(cert.get());
365 EXPECT_EQ("PKCS #1 MD5 With RSA Encryption",
366 x509_certificate_model::ProcessSecAlgorithmSignature(
367 cert->os_cert_handle()));
368 EXPECT_EQ("PKCS #1 MD5 With RSA Encryption",
369 x509_certificate_model::ProcessSecAlgorithmSignatureWrap(
370 cert->os_cert_handle()));
371 EXPECT_EQ("PKCS #1 RSA Encryption",
372 x509_certificate_model::ProcessSecAlgorithmSubjectPublicKey(
373 cert->os_cert_handle()));
374 }
375 }
376
377 TEST(X509CertificateModelTest, ProcessSubjectPublicKeyInfo) {
378 {
379 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
380 net::GetTestCertsDirectory(), "root_ca_cert.pem"));
381 ASSERT_TRUE(cert.get());
382 EXPECT_EQ(
383 "Modulus (2048 bits):\n"
384 " B6 49 41 E3 42 01 51 A8 7F 3C 7A 71 D3 FB CD 91\n"
385 "35 17 84 1A 8E F6 36 C7 D1 70 1D FA 86 F3 6E BB\n"
386 "76 6F E8 32 2E 37 FD 38 92 3D 68 E4 8A 7D 42 33\n"
387 "14 46 1B DC 04 F6 91 6E 54 40 C4 0A 09 FD EC 2D\n"
388 "62 E2 5E E1 BA 2C 9C C1 B1 60 4C DA C7 F8 22 5C\n"
389 "82 20 65 42 1E 56 77 75 4F EB 90 2C 4A EA 57 0E\n"
390 "22 8D 6C 95 AC 11 EA CC D7 EE F6 70 0D 09 DD A6\n"
391 "35 61 5D C9 76 6D B0 F2 1E BF 30 86 D8 77 52 36\n"
392 "95 97 0E D1 46 C5 ED 81 3D 1B B0 F2 61 95 3C C1\n"
393 "40 38 EF 5F 5D BA 61 9F EF 2B 9C 9F 85 89 74 70\n"
394 "63 D5 76 E8 35 7E CE 01 E1 F3 11 11 90 1C 0D F5\n"
395 "FD 8D CE 10 6C AD 7C 55 1A 21 6F D7 2D F4 78 15\n"
396 "EA 2F 38 BD 91 9E 3C 1D 07 46 F5 43 C1 82 8B AF\n"
397 "12 53 65 19 8A 69 69 66 06 B2 DA 0B FA 2A 00 A1\n"
398 "2A 15 84 49 F1 01 BF 9B 30 06 D0 15 A0 1F 9D 51\n"
399 "91 47 E1 53 5F EF 5E EC C2 61 79 C2 14 9F C4 E3\n"
400 "\n"
401 #if defined(USE_OPENSSL)
402 " Public Exponent (17 bits):\n"
403 #else
404 " Public Exponent (24 bits):\n"
405 #endif
406 " 01 00 01",
407 x509_certificate_model::ProcessSubjectPublicKeyInfo(
408 cert->os_cert_handle()));
409 }
410 {
411 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
412 net::GetTestCertsDirectory(), "prime256v1-ecdsa-intermediate.pem"));
413 ASSERT_TRUE(cert.get());
414 EXPECT_EQ(
415 "04 DB 98 07 BC 61 DD 2D E6 B3 CC F7 D5 EA F7 A1\n"
416 "0D 28 DE F2 7C 26 97 CA EB D1 DB A3 1E C1 8F E9\n"
417 "E0 1E FE 31 BB AA 4A 5C 85 37 A6 FF 9E 2E 96 23\n"
418 "22 B8 30 5F 8F 22 AE B9 8B 6D 4F BD 4E F3 52 12\n"
419 "D4",
420 x509_certificate_model::ProcessSubjectPublicKeyInfo(
421 cert->os_cert_handle()));
422 }
423 }
424
425 TEST(X509CertificateModelTest, ProcessRawBitsSignatureWrap) {
426 scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile(
427 net::GetTestCertsDirectory(), "root_ca_cert.pem"));
428 ASSERT_TRUE(cert.get());
429 EXPECT_EQ(
430 "57 07 29 FB 7F E8 FF B0 E6 D8 58 6A C3 90 A1 38\n"
431 "1C B4 F3 68 B1 EC E8 89 23 24 D7 A8 F2 21 C3 60\n"
432 "E4 A4 49 5C 00 BF DF C7 82 78 80 2B 18 F7 AD DD\n"
433 "D0 62 5E A7 B0 CC F0 AA B4 CE 70 12 59 65 67 76\n"
434 "05 00 18 9A FF C4 2A 17 E3 F1 55 D8 BE 5C 5E EB\n"
435 "CA CB 53 87 10 D5 09 32 36 A7 5E 41 F4 53 DA 7E\n"
436 "56 60 D2 7E 4E 9A A5 08 5F 5D 75 E9 E7 30 CB 22\n"
437 "E9 EF 19 49 83 A5 23 A1 F8 60 4C E5 36 D5 39 78\n"
438 "18 F1 5E BF CE AA 0B 53 81 2C 78 A9 0A 6B DB 13\n"
439 "10 21 14 7F 1B 70 3D 89 1A 40 8A 06 2C 5D 50 19\n"
440 "62 F9 C7 45 89 F2 3D 66 05 3D 7D 75 5B 55 1E 80\n"
441 "42 72 A1 9A 7C 6D 0A 74 F6 EE A6 21 6C 3A 98 FB\n"
442 "77 82 5F F2 6B 56 E6 DD 9B 8E 50 F0 C6 AE FD EA\n"
443 "A6 05 07 A9 26 06 56 B3 B2 D9 B2 37 A0 21 3E 79\n"
444 "06 1F B9 51 BE F4 B1 49 4D 90 B5 33 E5 0E C7 5E\n"
445 "5B 40 C5 6A 04 D1 43 7A 94 6A A4 4F 61 FC 82 E0",
446 x509_certificate_model::ProcessRawBitsSignatureWrap(
447 cert->os_cert_handle()));
448 }