net/cert/cert_verify_proc_whitelist_unittest.cc

   1 // Copyright (c) 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/cert_verify_proc_whitelist.h"
   6
   7 #include "base/memory/ref_counted.h"
   8 #include "net/base/test_data_directory.h"
   9 #include "net/cert/x509_certificate.h"
  10 #include "net/test/cert_test_util.h"
  11 #include "testing/gtest/include/gtest/gtest.h"
  12
  13 namespace net {
  14
  15 namespace {
  16
  17 HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {
  18   HashValue hash_value(tag);
  19   memset(hash_value.data(), label, hash_value.size());
  20   return hash_value;
  21 }
  22
  23 HashValueVector GetFakeHashValues() {
  24   HashValueVector public_key_hashes;
  25
  26   // Fake "root" hash
  27   public_key_hashes.push_back(GetTestHashValue(0x00, HASH_VALUE_SHA256));
  28   public_key_hashes.push_back(GetTestHashValue(0x01, HASH_VALUE_SHA1));
  29   // Fake "intermediate" hash
  30   public_key_hashes.push_back(GetTestHashValue(0x02, HASH_VALUE_SHA256));
  31   public_key_hashes.push_back(GetTestHashValue(0x03, HASH_VALUE_SHA1));
  32   // Fake "leaf" hash
  33   public_key_hashes.push_back(GetTestHashValue(0x04, HASH_VALUE_SHA256));
  34   public_key_hashes.push_back(GetTestHashValue(0x05, HASH_VALUE_SHA1));
  35
  36   return public_key_hashes;
  37 }
  38
  39 // The SHA-256 hash of the leaf cert "ok_cert.pem"; obtainable either
  40 // via X509Certificate::CalculateFingerprint256 or
  41 // openssl x509 -inform pem -in ok_cert.pem -outform der | openssl
  42 //   dgst -sha256 -c
  43 const uint8_t kWhitelistCerts[][crypto::kSHA256Length] = {
  44     /* clang-format off */
  45   { 0xf4, 0x42, 0xdd, 0x66, 0xfa, 0x10, 0x70, 0x65,
  46     0xd1, 0x7e, 0xd9, 0xbb, 0x7c, 0xa9, 0x3c, 0x79,
  47     0x63, 0xbe, 0x01, 0xa7, 0x54, 0x18, 0xab, 0x2f,
  48     0xc3, 0x9a, 0x14, 0x53, 0xc3, 0x83, 0xa0, 0x5a },
  49     /* clang-format on */
  50 };
  51
  52 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByRoot) {
  53   scoped_refptr<X509Certificate> cert =
  54       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
  55   ASSERT_TRUE(cert);
  56
  57   // clang-format off
  58   const PublicKeyWhitelist kWhitelist[] = {
  59       { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  60           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  61           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  62           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
  63         kWhitelistCerts, arraysize(kWhitelistCerts)
  64       },
  65   };
  66   // clang-format on
  67
  68   SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
  69
  70   HashValueVector public_key_hashes = GetFakeHashValues();
  71
  72   // Should return false, indicating this cert is acceptable because of
  73   // it being whitelisted.
  74   EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
  75
  76   SetCertificateWhitelistForTesting(nullptr, 0);
  77 }
  78
  79 TEST(CertVerifyProcWhitelistTest, AcceptsWhitelistedEEByIntermediate) {
  80   scoped_refptr<X509Certificate> cert =
  81       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
  82   ASSERT_TRUE(cert);
  83
  84   // clang-format off
  85   const PublicKeyWhitelist kWhitelist[] = {
  86       { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
  87           0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
  88           0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
  89           0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
  90         kWhitelistCerts, arraysize(kWhitelistCerts)
  91       },
  92   };
  93   // clang-format on
  94
  95   SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
  96
  97   HashValueVector public_key_hashes = GetFakeHashValues();
  98
  99   // Should return false, indicating this cert is acceptable because of
 100   // it being whitelisted.
 101   EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
 102
 103   SetCertificateWhitelistForTesting(nullptr, 0);
 104 }
 105
 106 TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEE) {
 107   scoped_refptr<X509Certificate> cert =
 108       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
 109   ASSERT_TRUE(cert);
 110
 111   // clang-format off
 112   const PublicKeyWhitelist kWhitelist[] = {
 113       { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 114           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 115           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 116           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
 117         kWhitelistCerts, arraysize(kWhitelistCerts)
 118       },
 119   };
 120   // clang-format on
 121
 122   SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
 123
 124   HashValueVector public_key_hashes = GetFakeHashValues();
 125
 126   // Should return true, indicating this certificate chains to a constrained
 127   // root and is not whitelisted.
 128   EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
 129
 130   SetCertificateWhitelistForTesting(nullptr, 0);
 131 }
 132
 133 TEST(CertVerifyProcWhitelistTest, RejectsNonWhitelistedEEByIntermediate) {
 134   scoped_refptr<X509Certificate> cert =
 135       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
 136   ASSERT_TRUE(cert);
 137
 138   // clang-format off
 139   const PublicKeyWhitelist kWhitelist[] = {
 140       { { 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
 141           0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
 142           0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
 143           0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 },
 144         kWhitelistCerts, arraysize(kWhitelistCerts)
 145       },
 146   };
 147   // clang-format on
 148
 149   SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
 150
 151   HashValueVector public_key_hashes = GetFakeHashValues();
 152
 153   // Should return true, indicating this certificate chains to a constrained
 154   // root and is not whitelisted.
 155   EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
 156
 157   SetCertificateWhitelistForTesting(nullptr, 0);
 158 }
 159
 160 TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {
 161   scoped_refptr<X509Certificate> cert =
 162       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
 163   ASSERT_TRUE(cert);
 164
 165   // clang-format off
 166   const PublicKeyWhitelist kWhitelist[] = {
 167       { { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
 168           0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
 169           0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10,
 170           0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 },
 171         kWhitelistCerts, arraysize(kWhitelistCerts)
 172       },
 173   };
 174   // clang-format on
 175
 176   SetCertificateWhitelistForTesting(kWhitelist, arraysize(kWhitelist));
 177
 178   HashValueVector public_key_hashes = GetFakeHashValues();
 179
 180   // Should return false, because the chain (as indicated by
 181   // public_key_hashes) is not constrained.
 182   EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
 183
 184   SetCertificateWhitelistForTesting(nullptr, 0);
 185 }
 186
 187 }  // namespace
 188
 189 }  // namespace net