search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Set correct DOM key code string for functional keys.
[chromium-blink-merge.git] / net / cert / cert_verify_proc_unittest.cc
blob5327d66949df862dd09ddb84266a9adfecfeefd6
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_verify_proc.h"
6
7 #include <vector>
8
9 #include "base/callback_helpers.h"
10 #include "base/file_util.h"
11 #include "base/files/file_path.h"
12 #include "base/logging.h"
13 #include "base/sha1.h"
14 #include "base/strings/string_number_conversions.h"
15 #include "crypto/sha2.h"
16 #include "net/base/net_errors.h"
17 #include "net/base/test_data_directory.h"
18 #include "net/cert/asn1_util.h"
19 #include "net/cert/cert_status_flags.h"
20 #include "net/cert/cert_verifier.h"
21 #include "net/cert/cert_verify_result.h"
22 #include "net/cert/crl_set.h"
23 #include "net/cert/crl_set_storage.h"
24 #include "net/cert/test_root_certs.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/test/cert_test_util.h"
27 #include "net/test/test_certificate_data.h"
28 #include "testing/gtest/include/gtest/gtest.h"
29
30 #if defined(OS_WIN)
31 #include "base/win/windows_version.h"
32 #elif defined(OS_MACOSX) && !defined(OS_IOS)
33 #include "base/mac/mac_util.h"
34 #elif defined(OS_ANDROID)
35 #include "base/android/build_info.h"
36 #endif
37
38 using base::HexEncode;
39
40 namespace net {
41
42 namespace {
43
44 // A certificate for www.paypal.com with a NULL byte in the common name.
45 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
46 unsigned char paypal_null_fingerprint[] = {
47 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba,
48 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7
49 };
50
51 // Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root|
52 // for all certificates that are Verified.
53 class WellKnownCaCertVerifyProc : public CertVerifyProc {
54 public:
55 // Initialize a CertVerifyProc that will set
56 // |verify_result->is_issued_by_known_root| to |is_well_known|.
57 explicit WellKnownCaCertVerifyProc(bool is_well_known)
58 : is_well_known_(is_well_known) {}
59
60 // CertVerifyProc implementation:
61 virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; }
62
63 protected:
64 virtual ~WellKnownCaCertVerifyProc() {}
65
66 private:
67 virtual int VerifyInternal(X509Certificate* cert,
68 const std::string& hostname,
69 int flags,
70 CRLSet* crl_set,
71 const CertificateList& additional_trust_anchors,
72 CertVerifyResult* verify_result) OVERRIDE;
73
74 const bool is_well_known_;
75
76 DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc);
77 };
78
79 int WellKnownCaCertVerifyProc::VerifyInternal(
80 X509Certificate* cert,
81 const std::string& hostname,
82 int flags,
83 CRLSet* crl_set,
84 const CertificateList& additional_trust_anchors,
85 CertVerifyResult* verify_result) {
86 verify_result->is_issued_by_known_root = is_well_known_;
87 return OK;
88 }
89
90 bool SupportsReturningVerifiedChain() {
91 #if defined(OS_ANDROID)
92 // Before API level 17, Android does not expose the APIs necessary to get at
93 // the verified certificate chain.
94 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
95 return false;
96 #endif
97 return true;
98 }
99
100 bool SupportsDetectingKnownRoots() {
101 #if defined(OS_ANDROID)
102 // Before API level 17, Android does not expose the APIs necessary to get at
103 // the verified certificate chain and detect known roots.
104 if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
105 return false;
106 #endif
107 return true;
108 }
109
110 } // namespace
111
112 class CertVerifyProcTest : public testing::Test {
113 public:
114 CertVerifyProcTest()
115 : verify_proc_(CertVerifyProc::CreateDefault()) {
116 }
117 virtual ~CertVerifyProcTest() {}
118
119 protected:
120 bool SupportsAdditionalTrustAnchors() {
121 return verify_proc_->SupportsAdditionalTrustAnchors();
122 }
123
124 int Verify(X509Certificate* cert,
125 const std::string& hostname,
126 int flags,
127 CRLSet* crl_set,
128 const CertificateList& additional_trust_anchors,
129 CertVerifyResult* verify_result) {
130 return verify_proc_->Verify(cert, hostname, flags, crl_set,
131 additional_trust_anchors, verify_result);
132 }
133
134 const CertificateList empty_cert_list_;
135 scoped_refptr<CertVerifyProc> verify_proc_;
136 };
137
138 TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) {
139 // Check that verification without revocation checking works.
140 CertificateList certs = CreateCertificateListFromFile(
141 GetTestCertsDirectory(),
142 "googlenew.chain.pem",
143 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
144
145 X509Certificate::OSCertHandles intermediates;
146 intermediates.push_back(certs[1]->os_cert_handle());
147
148 scoped_refptr<X509Certificate> google_full_chain =
149 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
150 intermediates);
151
152 CertVerifyResult verify_result;
153 EXPECT_EQ(OK,
154 Verify(google_full_chain.get(),
155 "www.google.com",
156 0 /* flags */,
157 NULL,
158 empty_cert_list_,
159 &verify_result));
160 }
161
162 #if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
163 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
164 #define MAYBE_EVVerification DISABLED_EVVerification
165 #else
166 #define MAYBE_EVVerification EVVerification
167 #endif
168 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
169 CertificateList certs = CreateCertificateListFromFile(
170 GetTestCertsDirectory(),
171 "comodo.chain.pem",
172 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
173 ASSERT_EQ(3U, certs.size());
174
175 X509Certificate::OSCertHandles intermediates;
176 intermediates.push_back(certs[1]->os_cert_handle());
177 intermediates.push_back(certs[2]->os_cert_handle());
178
179 scoped_refptr<X509Certificate> comodo_chain =
180 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
181 intermediates);
182
183 scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
184 CertVerifyResult verify_result;
185 int flags = CertVerifier::VERIFY_EV_CERT;
186 int error = Verify(comodo_chain.get(),
187 "comodo.com",
188 flags,
189 crl_set.get(),
190 empty_cert_list_,
191 &verify_result);
192 EXPECT_EQ(OK, error);
193 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
194 }
195
196 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) {
197 scoped_refptr<X509Certificate> paypal_null_cert(
198 X509Certificate::CreateFromBytes(
199 reinterpret_cast<const char*>(paypal_null_der),
200 sizeof(paypal_null_der)));
201
202 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
203
204 const SHA1HashValue& fingerprint =
205 paypal_null_cert->fingerprint();
206 for (size_t i = 0; i < 20; ++i)
207 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
208
209 int flags = 0;
210 CertVerifyResult verify_result;
211 int error = Verify(paypal_null_cert.get(),
212 "www.paypal.com",
213 flags,
214 NULL,
215 empty_cert_list_,
216 &verify_result);
217 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID)
218 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
219 #else
220 // TOOD(bulach): investigate why macosx and win aren't returning
221 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
222 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
223 #endif
224 // Either the system crypto library should correctly report a certificate
225 // name mismatch, or our certificate blacklist should cause us to report an
226 // invalid certificate.
227 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS)
228 EXPECT_TRUE(verify_result.cert_status &
229 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
230 #endif
231 }
232
233 // A regression test for http://crbug.com/31497.
234 #if defined(OS_ANDROID)
235 // Disabled on Android, as the Android verification libraries require an
236 // explicit policy to be specified, even when anyPolicy is permitted.
237 #define MAYBE_IntermediateCARequireExplicitPolicy \
238 DISABLED_IntermediateCARequireExplicitPolicy
239 #else
240 #define MAYBE_IntermediateCARequireExplicitPolicy \
241 IntermediateCARequireExplicitPolicy
242 #endif
243 TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
244 base::FilePath certs_dir = GetTestCertsDirectory();
245
246 CertificateList certs = CreateCertificateListFromFile(
247 certs_dir, "explicit-policy-chain.pem",
248 X509Certificate::FORMAT_AUTO);
249 ASSERT_EQ(3U, certs.size());
250
251 X509Certificate::OSCertHandles intermediates;
252 intermediates.push_back(certs[1]->os_cert_handle());
253
254 scoped_refptr<X509Certificate> cert =
255 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
256 intermediates);
257 ASSERT_TRUE(cert.get());
258
259 ScopedTestRoot scoped_root(certs[2].get());
260
261 int flags = 0;
262 CertVerifyResult verify_result;
263 int error = Verify(cert.get(),
264 "policy_test.example",
265 flags,
266 NULL,
267 empty_cert_list_,
268 &verify_result);
269 EXPECT_EQ(OK, error);
270 EXPECT_EQ(0u, verify_result.cert_status);
271 }
272
273 // Test for bug 58437.
274 // This certificate will expire on 2011-12-21. The test will still
275 // pass if error == ERR_CERT_DATE_INVALID.
276 // This test is DISABLED because it appears that we cannot do
277 // certificate revocation checking when running all of the net unit tests.
278 // This test passes when run individually, but when run with all of the net
279 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is
280 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation
281 // status, i.e. that the revocation check is failing for some reason.
282 TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) {
283 base::FilePath certs_dir = GetTestCertsDirectory();
284
285 scoped_refptr<X509Certificate> server_cert =
286 ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem");
287 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
288
289 scoped_refptr<X509Certificate> intermediate_cert =
290 ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem");
291 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
292
293 X509Certificate::OSCertHandles intermediates;
294 intermediates.push_back(intermediate_cert->os_cert_handle());
295 scoped_refptr<X509Certificate> cert_chain =
296 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
297 intermediates);
298
299 CertVerifyResult verify_result;
300 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED |
301 CertVerifier::VERIFY_EV_CERT;
302 int error = Verify(cert_chain.get(),
303 "2029.globalsign.com",
304 flags,
305 NULL,
306 empty_cert_list_,
307 &verify_result);
308 if (error == OK)
309 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
310 else
311 EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
312 }
313
314 // Test that verifying an ECDSA certificate doesn't crash on XP. (See
315 // crbug.com/144466).
316 TEST_F(CertVerifyProcTest, ECDSA_RSA) {
317 base::FilePath certs_dir = GetTestCertsDirectory();
318
319 scoped_refptr<X509Certificate> cert =
320 ImportCertFromFile(certs_dir,
321 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem");
322
323 CertVerifyResult verify_result;
324 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result);
325
326 // We don't check verify_result because the certificate is signed by an
327 // unknown CA and will be considered invalid on XP because of the ECDSA
328 // public key.
329 }
330
331 // Currently, only RSA and DSA keys are checked for weakness, and our example
332 // weak size is 768. These could change in the future.
333 //
334 // Note that this means there may be false negatives: keys for other
335 // algorithms and which are weak will pass this test.
336 static bool IsWeakKeyType(const std::string& key_type) {
337 size_t pos = key_type.find("-");
338 std::string size = key_type.substr(0, pos);
339 std::string type = key_type.substr(pos + 1);
340
341 if (type == "rsa" || type == "dsa")
342 return size == "768";
343
344 return false;
345 }
346
347 TEST_F(CertVerifyProcTest, RejectWeakKeys) {
348 base::FilePath certs_dir = GetTestCertsDirectory();
349 typedef std::vector<std::string> Strings;
350 Strings key_types;
351
352 // generate-weak-test-chains.sh currently has:
353 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
354 // We must use the same key types here. The filenames generated look like:
355 // 2048-rsa-ee-by-768-rsa-intermediate.pem
356 key_types.push_back("768-rsa");
357 key_types.push_back("1024-rsa");
358 key_types.push_back("2048-rsa");
359
360 bool use_ecdsa = true;
361 #if defined(OS_WIN)
362 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP;
363 #endif
364
365 if (use_ecdsa)
366 key_types.push_back("prime256v1-ecdsa");
367
368 // Add the root that signed the intermediates for this test.
369 scoped_refptr<X509Certificate> root_cert =
370 ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
371 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
372 ScopedTestRoot scoped_root(root_cert.get());
373
374 // Now test each chain.
375 for (Strings::const_iterator ee_type = key_types.begin();
376 ee_type != key_types.end(); ++ee_type) {
377 for (Strings::const_iterator signer_type = key_types.begin();
378 signer_type != key_types.end(); ++signer_type) {
379 std::string basename = *ee_type + "-ee-by-" + *signer_type +
380 "-intermediate.pem";
381 SCOPED_TRACE(basename);
382 scoped_refptr<X509Certificate> ee_cert =
383 ImportCertFromFile(certs_dir, basename);
384 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
385
386 basename = *signer_type + "-intermediate.pem";
387 scoped_refptr<X509Certificate> intermediate =
388 ImportCertFromFile(certs_dir, basename);
389 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate);
390
391 X509Certificate::OSCertHandles intermediates;
392 intermediates.push_back(intermediate->os_cert_handle());
393 scoped_refptr<X509Certificate> cert_chain =
394 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
395 intermediates);
396
397 CertVerifyResult verify_result;
398 int error = Verify(cert_chain.get(),
399 "127.0.0.1",
400 0,
401 NULL,
402 empty_cert_list_,
403 &verify_result);
404
405 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
406 EXPECT_NE(OK, error);
407 EXPECT_EQ(CERT_STATUS_WEAK_KEY,
408 verify_result.cert_status & CERT_STATUS_WEAK_KEY);
409 EXPECT_NE(CERT_STATUS_INVALID,
410 verify_result.cert_status & CERT_STATUS_INVALID);
411 } else {
412 EXPECT_EQ(OK, error);
413 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
414 }
415 }
416 }
417 }
418
419 // Regression test for http://crbug.com/108514.
420 #if defined(OS_MACOSX) && !defined(OS_IOS)
421 // Disabled on OS X - Security.framework doesn't ignore superflous certificates
422 // provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
423 // details.
424 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
425 #else
426 #define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
427 #endif
428 TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
429 if (!SupportsReturningVerifiedChain()) {
430 LOG(INFO) << "Skipping this test in this platform.";
431 return;
432 }
433
434 base::FilePath certs_dir = GetTestCertsDirectory();
435
436 scoped_refptr<X509Certificate> server_cert =
437 ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
438 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
439
440 scoped_refptr<X509Certificate> extra_cert =
441 ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
442 ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
443
444 scoped_refptr<X509Certificate> root_cert =
445 ImportCertFromFile(certs_dir, "cross-signed-root-sha1.pem");
446 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
447
448 ScopedTestRoot scoped_root(root_cert.get());
449
450 X509Certificate::OSCertHandles intermediates;
451 intermediates.push_back(extra_cert->os_cert_handle());
452 scoped_refptr<X509Certificate> cert_chain =
453 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
454 intermediates);
455
456 CertVerifyResult verify_result;
457 int flags = 0;
458 int error = Verify(cert_chain.get(),
459 "127.0.0.1",
460 flags,
461 NULL,
462 empty_cert_list_,
463 &verify_result);
464 EXPECT_EQ(OK, error);
465
466 // The extra MD5 root should be discarded
467 ASSERT_TRUE(verify_result.verified_cert.get());
468 ASSERT_EQ(1u,
469 verify_result.verified_cert->GetIntermediateCertificates().size());
470 EXPECT_TRUE(X509Certificate::IsSameOSCert(
471 verify_result.verified_cert->GetIntermediateCertificates().front(),
472 root_cert->os_cert_handle()));
473
474 EXPECT_FALSE(verify_result.has_md5);
475 }
476
477 // Test for bug 94673.
478 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
479 base::FilePath certs_dir = GetTestCertsDirectory();
480
481 scoped_refptr<X509Certificate> server_cert =
482 ImportCertFromFile(certs_dir, "google_diginotar.pem");
483 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
484
485 scoped_refptr<X509Certificate> intermediate_cert =
486 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
487 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
488
489 X509Certificate::OSCertHandles intermediates;
490 intermediates.push_back(intermediate_cert->os_cert_handle());
491 scoped_refptr<X509Certificate> cert_chain =
492 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
493 intermediates);
494
495 CertVerifyResult verify_result;
496 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
497 int error = Verify(cert_chain.get(),
498 "mail.google.com",
499 flags,
500 NULL,
501 empty_cert_list_,
502 &verify_result);
503 EXPECT_NE(OK, error);
504
505 // Now turn off revocation checking. Certificate verification should still
506 // fail.
507 flags = 0;
508 error = Verify(cert_chain.get(),
509 "mail.google.com",
510 flags,
511 NULL,
512 empty_cert_list_,
513 &verify_result);
514 EXPECT_NE(OK, error);
515 }
516
517 TEST_F(CertVerifyProcTest, DigiNotarCerts) {
518 static const char* const kDigiNotarFilenames[] = {
519 "diginotar_root_ca.pem",
520 "diginotar_cyber_ca.pem",
521 "diginotar_services_1024_ca.pem",
522 "diginotar_pkioverheid.pem",
523 "diginotar_pkioverheid_g2.pem",
524 NULL,
525 };
526
527 base::FilePath certs_dir = GetTestCertsDirectory();
528
529 for (size_t i = 0; kDigiNotarFilenames[i]; i++) {
530 scoped_refptr<X509Certificate> diginotar_cert =
531 ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
532 std::string der_bytes;
533 ASSERT_TRUE(X509Certificate::GetDEREncoded(
534 diginotar_cert->os_cert_handle(), &der_bytes));
535
536 base::StringPiece spki;
537 ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
538
539 std::string spki_sha1 = base::SHA1HashString(spki.as_string());
540
541 HashValueVector public_keys;
542 HashValue hash(HASH_VALUE_SHA1);
543 ASSERT_EQ(hash.size(), spki_sha1.size());
544 memcpy(hash.data(), spki_sha1.data(), spki_sha1.size());
545 public_keys.push_back(hash);
546
547 EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
548 "Public key not blocked for " << kDigiNotarFilenames[i];
549 }
550 }
551
552 TEST_F(CertVerifyProcTest, NameConstraintsOk) {
553 CertificateList ca_cert_list =
554 CreateCertificateListFromFile(GetTestCertsDirectory(),
555 "root_ca_cert.pem",
556 X509Certificate::FORMAT_AUTO);
557 ASSERT_EQ(1U, ca_cert_list.size());
558 ScopedTestRoot test_root(ca_cert_list[0]);
559
560 CertificateList cert_list = CreateCertificateListFromFile(
561 GetTestCertsDirectory(), "name_constraint_ok.crt",
562 X509Certificate::FORMAT_AUTO);
563 ASSERT_EQ(1U, cert_list.size());
564
565 X509Certificate::OSCertHandles intermediates;
566 scoped_refptr<X509Certificate> leaf =
567 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
568 intermediates);
569
570 int flags = 0;
571 CertVerifyResult verify_result;
572 int error = Verify(leaf.get(),
573 "test.example.com",
574 flags,
575 NULL,
576 empty_cert_list_,
577 &verify_result);
578 EXPECT_EQ(OK, error);
579 EXPECT_EQ(0U, verify_result.cert_status);
580 }
581
582 TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
583 if (!SupportsReturningVerifiedChain()) {
584 LOG(INFO) << "Skipping this test in this platform.";
585 return;
586 }
587
588 CertificateList ca_cert_list =
589 CreateCertificateListFromFile(GetTestCertsDirectory(),
590 "root_ca_cert.pem",
591 X509Certificate::FORMAT_AUTO);
592 ASSERT_EQ(1U, ca_cert_list.size());
593 ScopedTestRoot test_root(ca_cert_list[0]);
594
595 CertificateList cert_list = CreateCertificateListFromFile(
596 GetTestCertsDirectory(), "name_constraint_bad.crt",
597 X509Certificate::FORMAT_AUTO);
598 ASSERT_EQ(1U, cert_list.size());
599
600 X509Certificate::OSCertHandles intermediates;
601 scoped_refptr<X509Certificate> leaf =
602 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
603 intermediates);
604
605 int flags = 0;
606 CertVerifyResult verify_result;
607 int error = Verify(leaf.get(),
608 "test.example.com",
609 flags,
610 NULL,
611 empty_cert_list_,
612 &verify_result);
613 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error);
614 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
615 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
616 }
617
618 TEST_F(CertVerifyProcTest, TestKnownRoot) {
619 if (!SupportsDetectingKnownRoots()) {
620 LOG(INFO) << "Skipping this test in this platform.";
621 return;
622 }
623
624 base::FilePath certs_dir = GetTestCertsDirectory();
625 CertificateList certs = CreateCertificateListFromFile(
626 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
627 ASSERT_EQ(2U, certs.size());
628
629 X509Certificate::OSCertHandles intermediates;
630 intermediates.push_back(certs[1]->os_cert_handle());
631
632 scoped_refptr<X509Certificate> cert_chain =
633 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
634 intermediates);
635
636 int flags = 0;
637 CertVerifyResult verify_result;
638 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
639 // against agl. See also PublicKeyHashes.
640 int error = Verify(cert_chain.get(),
641 "satveda.com",
642 flags,
643 NULL,
644 empty_cert_list_,
645 &verify_result);
646 EXPECT_EQ(OK, error);
647 EXPECT_EQ(0U, verify_result.cert_status);
648 EXPECT_TRUE(verify_result.is_issued_by_known_root);
649 }
650
651 // The certse.pem certificate has been revoked. crbug.com/259723.
652 TEST_F(CertVerifyProcTest, PublicKeyHashes) {
653 if (!SupportsReturningVerifiedChain()) {
654 LOG(INFO) << "Skipping this test in this platform.";
655 return;
656 }
657
658 base::FilePath certs_dir = GetTestCertsDirectory();
659 CertificateList certs = CreateCertificateListFromFile(
660 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
661 ASSERT_EQ(2U, certs.size());
662
663 X509Certificate::OSCertHandles intermediates;
664 intermediates.push_back(certs[1]->os_cert_handle());
665
666 scoped_refptr<X509Certificate> cert_chain =
667 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
668 intermediates);
669 int flags = 0;
670 CertVerifyResult verify_result;
671
672 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
673 // against agl. See also TestKnownRoot.
674 int error = Verify(cert_chain.get(),
675 "satveda.com",
676 flags,
677 NULL,
678 empty_cert_list_,
679 &verify_result);
680 EXPECT_EQ(OK, error);
681 EXPECT_EQ(0U, verify_result.cert_status);
682 ASSERT_LE(2U, verify_result.public_key_hashes.size());
683
684 HashValueVector sha1_hashes;
685 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
686 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1)
687 continue;
688 sha1_hashes.push_back(verify_result.public_key_hashes[i]);
689 }
690 ASSERT_LE(2u, sha1_hashes.size());
691
692 for (size_t i = 0; i < 2; ++i) {
693 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
694 HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
695 }
696
697 HashValueVector sha256_hashes;
698 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
699 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256)
700 continue;
701 sha256_hashes.push_back(verify_result.public_key_hashes[i]);
702 }
703 ASSERT_LE(2u, sha256_hashes.size());
704
705 for (size_t i = 0; i < 2; ++i) {
706 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
707 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
708 }
709 }
710
711 // A regression test for http://crbug.com/70293.
712 // The Key Usage extension in this RSA SSL server certificate does not have
713 // the keyEncipherment bit.
714 TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
715 base::FilePath certs_dir = GetTestCertsDirectory();
716
717 scoped_refptr<X509Certificate> server_cert =
718 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
719 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
720
721 int flags = 0;
722 CertVerifyResult verify_result;
723 int error = Verify(server_cert.get(),
724 "jira.aquameta.com",
725 flags,
726 NULL,
727 empty_cert_list_,
728 &verify_result);
729 #if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
730 // This certificate has two errors: "invalid key usage" and "untrusted CA".
731 // However, OpenSSL returns only one (the latter), and we can't detect
732 // the other errors.
733 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
734 #else
735 EXPECT_EQ(ERR_CERT_INVALID, error);
736 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
737 #endif
738 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
739 // from NSS.
740 #if !defined(USE_NSS) && !defined(OS_IOS) && !defined(OS_ANDROID)
741 // The certificate is issued by an unknown CA.
742 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
743 #endif
744 }
745
746 // Basic test for returning the chain in CertVerifyResult. Note that the
747 // returned chain may just be a reflection of the originally supplied chain;
748 // that is, if any errors occur, the default chain returned is an exact copy
749 // of the certificate to be verified. The remaining VerifyReturn* tests are
750 // used to ensure that the actual, verified chain is being returned by
751 // Verify().
752 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
753 if (!SupportsReturningVerifiedChain()) {
754 LOG(INFO) << "Skipping this test in this platform.";
755 return;
756 }
757
758 base::FilePath certs_dir = GetTestCertsDirectory();
759 CertificateList certs = CreateCertificateListFromFile(
760 certs_dir, "x509_verify_results.chain.pem",
761 X509Certificate::FORMAT_AUTO);
762 ASSERT_EQ(3U, certs.size());
763
764 X509Certificate::OSCertHandles intermediates;
765 intermediates.push_back(certs[1]->os_cert_handle());
766 intermediates.push_back(certs[2]->os_cert_handle());
767
768 ScopedTestRoot scoped_root(certs[2].get());
769
770 scoped_refptr<X509Certificate> google_full_chain =
771 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
772 intermediates);
773 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
774 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
775
776 CertVerifyResult verify_result;
777 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
778 int error = Verify(google_full_chain.get(),
779 "127.0.0.1",
780 0,
781 NULL,
782 empty_cert_list_,
783 &verify_result);
784 EXPECT_EQ(OK, error);
785 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
786
787 EXPECT_NE(google_full_chain, verify_result.verified_cert);
788 EXPECT_TRUE(X509Certificate::IsSameOSCert(
789 google_full_chain->os_cert_handle(),
790 verify_result.verified_cert->os_cert_handle()));
791 const X509Certificate::OSCertHandles& return_intermediates =
792 verify_result.verified_cert->GetIntermediateCertificates();
793 ASSERT_EQ(2U, return_intermediates.size());
794 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
795 certs[1]->os_cert_handle()));
796 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
797 certs[2]->os_cert_handle()));
798 }
799
800 // Test that certificates issued for 'intranet' names (that is, containing no
801 // known public registry controlled domain information) issued by well-known
802 // CAs are flagged appropriately, while certificates that are issued by
803 // internal CAs are not flagged.
804 TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
805 if (!SupportsDetectingKnownRoots()) {
806 LOG(INFO) << "Skipping this test in this platform.";
807 return;
808 }
809
810 CertificateList cert_list = CreateCertificateListFromFile(
811 GetTestCertsDirectory(), "ok_cert.pem",
812 X509Certificate::FORMAT_AUTO);
813 ASSERT_EQ(1U, cert_list.size());
814 scoped_refptr<X509Certificate> cert(cert_list[0]);
815
816 CertVerifyResult verify_result;
817 int error = 0;
818
819 // Intranet names for public CAs should be flagged:
820 verify_proc_ = new WellKnownCaCertVerifyProc(true);
821 error =
822 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
823 EXPECT_EQ(OK, error);
824 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
825
826 // However, if the CA is not well known, these should not be flagged:
827 verify_proc_ = new WellKnownCaCertVerifyProc(false);
828 error =
829 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
830 EXPECT_EQ(OK, error);
831 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
832 }
833
834 // Test that the certificate returned in CertVerifyResult is able to reorder
835 // certificates that are not ordered from end-entity to root. While this is
836 // a protocol violation if sent during a TLS handshake, if multiple sources
837 // of intermediate certificates are combined, it's possible that order may
838 // not be maintained.
839 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
840 if (!SupportsReturningVerifiedChain()) {
841 LOG(INFO) << "Skipping this test in this platform.";
842 return;
843 }
844
845 base::FilePath certs_dir = GetTestCertsDirectory();
846 CertificateList certs = CreateCertificateListFromFile(
847 certs_dir, "x509_verify_results.chain.pem",
848 X509Certificate::FORMAT_AUTO);
849 ASSERT_EQ(3U, certs.size());
850
851 // Construct the chain out of order.
852 X509Certificate::OSCertHandles intermediates;
853 intermediates.push_back(certs[2]->os_cert_handle());
854 intermediates.push_back(certs[1]->os_cert_handle());
855
856 ScopedTestRoot scoped_root(certs[2].get());
857
858 scoped_refptr<X509Certificate> google_full_chain =
859 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
860 intermediates);
861 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
862 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
863
864 CertVerifyResult verify_result;
865 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
866 int error = Verify(google_full_chain.get(),
867 "127.0.0.1",
868 0,
869 NULL,
870 empty_cert_list_,
871 &verify_result);
872 EXPECT_EQ(OK, error);
873 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
874
875 EXPECT_NE(google_full_chain, verify_result.verified_cert);
876 EXPECT_TRUE(X509Certificate::IsSameOSCert(
877 google_full_chain->os_cert_handle(),
878 verify_result.verified_cert->os_cert_handle()));
879 const X509Certificate::OSCertHandles& return_intermediates =
880 verify_result.verified_cert->GetIntermediateCertificates();
881 ASSERT_EQ(2U, return_intermediates.size());
882 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
883 certs[1]->os_cert_handle()));
884 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
885 certs[2]->os_cert_handle()));
886 }
887
888 // Test that Verify() filters out certificates which are not related to
889 // or part of the certificate chain being verified.
890 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
891 if (!SupportsReturningVerifiedChain()) {
892 LOG(INFO) << "Skipping this test in this platform.";
893 return;
894 }
895
896 base::FilePath certs_dir = GetTestCertsDirectory();
897 CertificateList certs = CreateCertificateListFromFile(
898 certs_dir, "x509_verify_results.chain.pem",
899 X509Certificate::FORMAT_AUTO);
900 ASSERT_EQ(3U, certs.size());
901 ScopedTestRoot scoped_root(certs[2].get());
902
903 scoped_refptr<X509Certificate> unrelated_certificate =
904 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
905 scoped_refptr<X509Certificate> unrelated_certificate2 =
906 ImportCertFromFile(certs_dir, "aia-cert.pem");
907 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate);
908 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2);
909
910 // Interject unrelated certificates into the list of intermediates.
911 X509Certificate::OSCertHandles intermediates;
912 intermediates.push_back(unrelated_certificate->os_cert_handle());
913 intermediates.push_back(certs[1]->os_cert_handle());
914 intermediates.push_back(unrelated_certificate2->os_cert_handle());
915 intermediates.push_back(certs[2]->os_cert_handle());
916
917 scoped_refptr<X509Certificate> google_full_chain =
918 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
919 intermediates);
920 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
921 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
922
923 CertVerifyResult verify_result;
924 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
925 int error = Verify(google_full_chain.get(),
926 "127.0.0.1",
927 0,
928 NULL,
929 empty_cert_list_,
930 &verify_result);
931 EXPECT_EQ(OK, error);
932 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
933
934 EXPECT_NE(google_full_chain, verify_result.verified_cert);
935 EXPECT_TRUE(X509Certificate::IsSameOSCert(
936 google_full_chain->os_cert_handle(),
937 verify_result.verified_cert->os_cert_handle()));
938 const X509Certificate::OSCertHandles& return_intermediates =
939 verify_result.verified_cert->GetIntermediateCertificates();
940 ASSERT_EQ(2U, return_intermediates.size());
941 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
942 certs[1]->os_cert_handle()));
943 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
944 certs[2]->os_cert_handle()));
945 }
946
947 TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
948 if (!SupportsAdditionalTrustAnchors()) {
949 LOG(INFO) << "Skipping this test in this platform.";
950 return;
951 }
952
953 // |ca_cert| is the issuer of |cert|.
954 CertificateList ca_cert_list = CreateCertificateListFromFile(
955 GetTestCertsDirectory(), "root_ca_cert.pem",
956 X509Certificate::FORMAT_AUTO);
957 ASSERT_EQ(1U, ca_cert_list.size());
958 scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
959
960 CertificateList cert_list = CreateCertificateListFromFile(
961 GetTestCertsDirectory(), "ok_cert.pem",
962 X509Certificate::FORMAT_AUTO);
963 ASSERT_EQ(1U, cert_list.size());
964 scoped_refptr<X509Certificate> cert(cert_list[0]);
965
966 // Verification of |cert| fails when |ca_cert| is not in the trust anchors
967 // list.
968 int flags = 0;
969 CertVerifyResult verify_result;
970 int error = Verify(
971 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
972 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
973 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
974 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
975
976 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
977 CertificateList trust_anchors;
978 trust_anchors.push_back(ca_cert);
979 error = Verify(
980 cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
981 EXPECT_EQ(OK, error);
982 EXPECT_EQ(0U, verify_result.cert_status);
983 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
984
985 // Clearing the |trust_anchors| makes verification fail again (the cache
986 // should be skipped).
987 error = Verify(
988 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
989 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
990 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
991 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
992 }
993
994 // Tests that certificates issued by user-supplied roots are not flagged as
995 // issued by a known root. This should pass whether or not the platform supports
996 // detecting known roots.
997 TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
998 // Load root_ca_cert.pem into the test root store.
999 TestRootCerts* root_certs = TestRootCerts::GetInstance();
1000 root_certs->AddFromFile(
1001 GetTestCertsDirectory().AppendASCII("root_ca_cert.pem"));
1002
1003 CertificateList cert_list = CreateCertificateListFromFile(
1004 GetTestCertsDirectory(), "ok_cert.pem",
1005 X509Certificate::FORMAT_AUTO);
1006 ASSERT_EQ(1U, cert_list.size());
1007 scoped_refptr<X509Certificate> cert(cert_list[0]);
1008
1009 // Verification should pass.
1010 int flags = 0;
1011 CertVerifyResult verify_result;
1012 int error = Verify(
1013 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1014 EXPECT_EQ(OK, error);
1015 EXPECT_EQ(0U, verify_result.cert_status);
1016 // But should not be marked as a known root.
1017 EXPECT_FALSE(verify_result.is_issued_by_known_root);
1018
1019 root_certs->Clear();
1020 EXPECT_TRUE(root_certs->IsEmpty());
1021 }
1022
1023 #if defined(OS_MACOSX) && !defined(OS_IOS)
1024 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
1025 // Root can be successfully worked around once Apple completes removing the
1026 // older GTE CyberTrust Root from its trusted root store.
1027 //
1028 // The issue is caused by servers supplying the cross-certified intermediate
1029 // (necessary for certain mobile platforms), which OS X does not recognize
1030 // as already existing within its trust store.
1031 TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
1032 CertificateList certs = CreateCertificateListFromFile(
1033 GetTestCertsDirectory(),
1034 "cybertrust_omniroot_chain.pem",
1035 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
1036 ASSERT_EQ(2U, certs.size());
1037
1038 X509Certificate::OSCertHandles intermediates;
1039 intermediates.push_back(certs[1]->os_cert_handle());
1040
1041 scoped_refptr<X509Certificate> cybertrust_basic =
1042 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
1043 intermediates);
1044 ASSERT_TRUE(cybertrust_basic.get());
1045
1046 scoped_refptr<X509Certificate> baltimore_root =
1047 ImportCertFromFile(GetTestCertsDirectory(),
1048 "cybertrust_baltimore_root.pem");
1049 ASSERT_TRUE(baltimore_root.get());
1050
1051 ScopedTestRoot scoped_root(baltimore_root.get());
1052
1053 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This
1054 // simulates Keychain removing support for the GTE CyberTrust Root.
1055 TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
1056 base::ScopedClosureRunner reset_system_trust(
1057 base::Bind(&TestRootCerts::SetAllowSystemTrust,
1058 base::Unretained(TestRootCerts::GetInstance()),
1059 true));
1060
1061 // First, make sure a simple certificate chain from
1062 // EE -> Public SureServer SV -> Baltimore CyberTrust
1063 // works. Only the first two certificates are included in the chain.
1064 int flags = 0;
1065 CertVerifyResult verify_result;
1066 int error = Verify(cybertrust_basic.get(),
1067 "cacert.omniroot.com",
1068 flags,
1069 NULL,
1070 empty_cert_list_,
1071 &verify_result);
1072 EXPECT_EQ(OK, error);
1073 EXPECT_EQ(0U, verify_result.cert_status);
1074
1075 // Attempt to verify with the first known cross-certified intermediate
1076 // provided.
1077 scoped_refptr<X509Certificate> baltimore_intermediate_1 =
1078 ImportCertFromFile(GetTestCertsDirectory(),
1079 "cybertrust_baltimore_cross_certified_1.pem");
1080 ASSERT_TRUE(baltimore_intermediate_1.get());
1081
1082 X509Certificate::OSCertHandles intermediate_chain_1 =
1083 cybertrust_basic->GetIntermediateCertificates();
1084 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
1085
1086 scoped_refptr<X509Certificate> baltimore_chain_1 =
1087 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1088 intermediate_chain_1);
1089 error = Verify(baltimore_chain_1.get(),
1090 "cacert.omniroot.com",
1091 flags,
1092 NULL,
1093 empty_cert_list_,
1094 &verify_result);
1095 EXPECT_EQ(OK, error);
1096 EXPECT_EQ(0U, verify_result.cert_status);
1097
1098 // Attempt to verify with the second known cross-certified intermediate
1099 // provided.
1100 scoped_refptr<X509Certificate> baltimore_intermediate_2 =
1101 ImportCertFromFile(GetTestCertsDirectory(),
1102 "cybertrust_baltimore_cross_certified_2.pem");
1103 ASSERT_TRUE(baltimore_intermediate_2.get());
1104
1105 X509Certificate::OSCertHandles intermediate_chain_2 =
1106 cybertrust_basic->GetIntermediateCertificates();
1107 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
1108
1109 scoped_refptr<X509Certificate> baltimore_chain_2 =
1110 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1111 intermediate_chain_2);
1112 error = Verify(baltimore_chain_2.get(),
1113 "cacert.omniroot.com",
1114 flags,
1115 NULL,
1116 empty_cert_list_,
1117 &verify_result);
1118 EXPECT_EQ(OK, error);
1119 EXPECT_EQ(0U, verify_result.cert_status);
1120
1121 // Attempt to verify when both a cross-certified intermediate AND
1122 // the legacy GTE root are provided.
1123 scoped_refptr<X509Certificate> cybertrust_root =
1124 ImportCertFromFile(GetTestCertsDirectory(),
1125 "cybertrust_gte_root.pem");
1126 ASSERT_TRUE(cybertrust_root.get());
1127
1128 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
1129 scoped_refptr<X509Certificate> baltimore_chain_with_root =
1130 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1131 intermediate_chain_2);
1132 error = Verify(baltimore_chain_with_root.get(),
1133 "cacert.omniroot.com",
1134 flags,
1135 NULL,
1136 empty_cert_list_,
1137 &verify_result);
1138 EXPECT_EQ(OK, error);
1139 EXPECT_EQ(0U, verify_result.cert_status);
1140
1141 TestRootCerts::GetInstance()->Clear();
1142 EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty());
1143 }
1144 #endif
1145
1146 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
1147 static const uint8 kCRLSetLeafSPKIBlocked[] = {
1148 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1149 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1150 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1151 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1152 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1153 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1154 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1155 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x43, 0x38, 0x4d, 0x4a, 0x46, 0x55, 0x55,
1156 0x5a, 0x38, 0x43, 0x79, 0x54, 0x2b, 0x4e, 0x57, 0x64, 0x68, 0x69, 0x7a, 0x51,
1157 0x68, 0x54, 0x49, 0x65, 0x46, 0x49, 0x37, 0x76, 0x41, 0x77, 0x7a, 0x64, 0x54,
1158 0x79, 0x52, 0x59, 0x45, 0x6e, 0x78, 0x6c, 0x33, 0x62, 0x67, 0x3d, 0x22, 0x5d,
1159 0x7d,
1160 };
1161
1162 static const uint8 kCRLSetLeafSerialBlocked[] = {
1163 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1164 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1165 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1166 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1167 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1168 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1169 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1170 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0x0f, 0x87, 0xe4, 0xc7, 0x75, 0xea,
1171 0x46, 0x7e, 0xf3, 0xfd, 0x82, 0xb7, 0x46, 0x7b, 0x10, 0xda, 0xc5, 0xbf, 0xd8,
1172 0xd1, 0x29, 0xb2, 0xc6, 0xac, 0x7f, 0x51, 0x42, 0x15, 0x28, 0x51, 0x06, 0x7f,
1173 0x01, 0x00, 0x00, 0x00, // number of serials
1174 0x01, 0xed, // serial 0xed
1175 };
1176
1177 static const uint8 kCRLSetQUICSerialBlocked[] = {
1178 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1179 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1180 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1181 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1182 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1183 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1184 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1185 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d,
1186 // Issuer SPKI SHA-256 hash:
1187 0xe4, 0x3a, 0xa3, 0xdb, 0x98, 0x31, 0x61, 0x05, 0xdd, 0x57, 0x6d, 0xc6, 0x2f,
1188 0x71, 0x26, 0xba, 0xdd, 0xf4, 0x98, 0x3e, 0x62, 0x22, 0xf8, 0xf9, 0xe4, 0x18,
1189 0x62, 0x77, 0x79, 0xdb, 0x9b, 0x31,
1190 0x01, 0x00, 0x00, 0x00, // number of serials
1191 0x01, 0x03, // serial 3
1192 };
1193
1194 // Test that CRLSets are effective in making a certificate appear to be
1195 // revoked.
1196 TEST_F(CertVerifyProcTest, CRLSet) {
1197 CertificateList ca_cert_list =
1198 CreateCertificateListFromFile(GetTestCertsDirectory(),
1199 "root_ca_cert.pem",
1200 X509Certificate::FORMAT_AUTO);
1201 ASSERT_EQ(1U, ca_cert_list.size());
1202 ScopedTestRoot test_root(ca_cert_list[0]);
1203
1204 CertificateList cert_list = CreateCertificateListFromFile(
1205 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
1206 ASSERT_EQ(1U, cert_list.size());
1207 scoped_refptr<X509Certificate> cert(cert_list[0]);
1208
1209 int flags = 0;
1210 CertVerifyResult verify_result;
1211 int error = Verify(
1212 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1213 EXPECT_EQ(OK, error);
1214 EXPECT_EQ(0U, verify_result.cert_status);
1215
1216 // First test blocking by SPKI.
1217 base::StringPiece crl_set_bytes(
1218 reinterpret_cast<const char*>(kCRLSetLeafSPKIBlocked),
1219 sizeof(kCRLSetLeafSPKIBlocked));
1220 scoped_refptr<CRLSet> crl_set;
1221 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
1222
1223 error = Verify(cert.get(),
1224 "127.0.0.1",
1225 flags,
1226 crl_set.get(),
1227 empty_cert_list_,
1228 &verify_result);
1229 EXPECT_EQ(ERR_CERT_REVOKED, error);
1230
1231 // Second, test revocation by serial number of a cert directly under the
1232 // root.
1233 crl_set_bytes =
1234 base::StringPiece(reinterpret_cast<const char*>(kCRLSetLeafSerialBlocked),
1235 sizeof(kCRLSetLeafSerialBlocked));
1236 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
1237
1238 error = Verify(cert.get(),
1239 "127.0.0.1",
1240 flags,
1241 crl_set.get(),
1242 empty_cert_list_,
1243 &verify_result);
1244 EXPECT_EQ(ERR_CERT_REVOKED, error);
1245 }
1246
1247 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
1248 CertificateList ca_cert_list =
1249 CreateCertificateListFromFile(GetTestCertsDirectory(),
1250 "quic_root.crt",
1251 X509Certificate::FORMAT_AUTO);
1252 ASSERT_EQ(1U, ca_cert_list.size());
1253 ScopedTestRoot test_root(ca_cert_list[0]);
1254
1255 CertificateList intermediate_cert_list =
1256 CreateCertificateListFromFile(GetTestCertsDirectory(),
1257 "quic_intermediate.crt",
1258 X509Certificate::FORMAT_AUTO);
1259 ASSERT_EQ(1U, intermediate_cert_list.size());
1260 X509Certificate::OSCertHandles intermediates;
1261 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle());
1262
1263 CertificateList cert_list = CreateCertificateListFromFile(
1264 GetTestCertsDirectory(), "quic_test.example.com.crt",
1265 X509Certificate::FORMAT_AUTO);
1266 ASSERT_EQ(1U, cert_list.size());
1267
1268 scoped_refptr<X509Certificate> leaf =
1269 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
1270 intermediates);
1271
1272 int flags = 0;
1273 CertVerifyResult verify_result;
1274 int error = Verify(leaf.get(),
1275 "test.example.com",
1276 flags,
1277 NULL,
1278 empty_cert_list_,
1279 &verify_result);
1280 EXPECT_EQ(OK, error);
1281 EXPECT_EQ(0U, verify_result.cert_status);
1282
1283 // Test revocation by serial number of a certificate not under the root.
1284 scoped_refptr<CRLSet> crl_set;
1285 base::StringPiece crl_set_bytes =
1286 base::StringPiece(reinterpret_cast<const char*>(kCRLSetQUICSerialBlocked),
1287 sizeof(kCRLSetQUICSerialBlocked));
1288 ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
1289
1290 error = Verify(leaf.get(),
1291 "test.example.com",
1292 flags,
1293 crl_set.get(),
1294 empty_cert_list_,
1295 &verify_result);
1296 EXPECT_EQ(ERR_CERT_REVOKED, error);
1297 }
1298 #endif
1299
1300 struct WeakDigestTestData {
1301 const char* root_cert_filename;
1302 const char* intermediate_cert_filename;
1303 const char* ee_cert_filename;
1304 bool expected_has_md5;
1305 bool expected_has_md4;
1306 bool expected_has_md2;
1307 };
1308
1309 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1310 // to output the parameter that was passed. Without this, it will simply
1311 // attempt to print out the first twenty bytes of the object, which depending
1312 // on platform and alignment, may result in an invalid read.
1313 void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
1314 *os << "root: "
1315 << (data.root_cert_filename ? data.root_cert_filename : "none")
1316 << "; intermediate: " << data.intermediate_cert_filename
1317 << "; end-entity: " << data.ee_cert_filename;
1318 }
1319
1320 class CertVerifyProcWeakDigestTest
1321 : public CertVerifyProcTest,
1322 public testing::WithParamInterface<WeakDigestTestData> {
1323 public:
1324 CertVerifyProcWeakDigestTest() {}
1325 virtual ~CertVerifyProcWeakDigestTest() {}
1326 };
1327
1328 TEST_P(CertVerifyProcWeakDigestTest, Verify) {
1329 WeakDigestTestData data = GetParam();
1330 base::FilePath certs_dir = GetTestCertsDirectory();
1331
1332 ScopedTestRoot test_root;
1333 if (data.root_cert_filename) {
1334 scoped_refptr<X509Certificate> root_cert =
1335 ImportCertFromFile(certs_dir, data.root_cert_filename);
1336 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
1337 test_root.Reset(root_cert.get());
1338 }
1339
1340 scoped_refptr<X509Certificate> intermediate_cert =
1341 ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
1342 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
1343 scoped_refptr<X509Certificate> ee_cert =
1344 ImportCertFromFile(certs_dir, data.ee_cert_filename);
1345 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
1346
1347 X509Certificate::OSCertHandles intermediates;
1348 intermediates.push_back(intermediate_cert->os_cert_handle());
1349
1350 scoped_refptr<X509Certificate> ee_chain =
1351 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
1352 intermediates);
1353 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain);
1354
1355 int flags = 0;
1356 CertVerifyResult verify_result;
1357 int rv = Verify(ee_chain.get(),
1358 "127.0.0.1",
1359 flags,
1360 NULL,
1361 empty_cert_list_,
1362 &verify_result);
1363 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
1364 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
1365 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
1366 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
1367
1368 // Ensure that MD4 and MD2 are tagged as invalid.
1369 if (data.expected_has_md4 || data.expected_has_md2) {
1370 EXPECT_EQ(CERT_STATUS_INVALID,
1371 verify_result.cert_status & CERT_STATUS_INVALID);
1372 }
1373
1374 // Ensure that MD5 is flagged as weak.
1375 if (data.expected_has_md5) {
1376 EXPECT_EQ(
1377 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
1378 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
1379 }
1380
1381 // If a root cert is present, then check that the chain was rejected if any
1382 // weak algorithms are present. This is only checked when a root cert is
1383 // present because the error reported for incomplete chains with weak
1384 // algorithms depends on which implementation was used to validate (NSS,
1385 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
1386 // present (MD2, MD4, MD5).
1387 if (data.root_cert_filename) {
1388 if (data.expected_has_md4 || data.expected_has_md2) {
1389 EXPECT_EQ(ERR_CERT_INVALID, rv);
1390 } else if (data.expected_has_md5) {
1391 EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
1392 } else {
1393 EXPECT_EQ(OK, rv);
1394 }
1395 }
1396 }
1397
1398 // Unlike TEST/TEST_F, which are macros that expand to further macros,
1399 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that
1400 // stringizes the arguments. As a result, macros passed as parameters (such as
1401 // prefix or test_case_name) will not be expanded by the preprocessor. To work
1402 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the
1403 // pre-processor will expand macros such as MAYBE_test_name before
1404 // instantiating the test.
1405 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
1406 INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator)
1407
1408 // The signature algorithm of the root CA should not matter.
1409 const WeakDigestTestData kVerifyRootCATestData[] = {
1410 { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
1411 "weak_digest_sha1_ee.pem", false, false, false },
1412 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1413 // MD4 is not supported by OS X / NSS
1414 { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
1415 "weak_digest_sha1_ee.pem", false, false, false },
1416 #endif
1417 { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
1418 "weak_digest_sha1_ee.pem", false, false, false },
1419 };
1420 INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
1421 testing::ValuesIn(kVerifyRootCATestData));
1422
1423 // The signature algorithm of intermediates should be properly detected.
1424 const WeakDigestTestData kVerifyIntermediateCATestData[] = {
1425 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1426 "weak_digest_sha1_ee.pem", true, false, false },
1427 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1428 // MD4 is not supported by OS X / NSS
1429 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1430 "weak_digest_sha1_ee.pem", false, true, false },
1431 #endif
1432 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1433 "weak_digest_sha1_ee.pem", false, false, true },
1434 };
1435 // Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled.
1436 #if defined(USE_NSS) || defined(OS_IOS)
1437 #define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate
1438 #else
1439 #define MAYBE_VerifyIntermediate VerifyIntermediate
1440 #endif
1441 WRAPPED_INSTANTIATE_TEST_CASE_P(
1442 MAYBE_VerifyIntermediate,
1443 CertVerifyProcWeakDigestTest,
1444 testing::ValuesIn(kVerifyIntermediateCATestData));
1445
1446 // The signature algorithm of end-entity should be properly detected.
1447 const WeakDigestTestData kVerifyEndEntityTestData[] = {
1448 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1449 "weak_digest_md5_ee.pem", true, false, false },
1450 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1451 // MD4 is not supported by OS X / NSS
1452 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1453 "weak_digest_md4_ee.pem", false, true, false },
1454 #endif
1455 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1456 "weak_digest_md2_ee.pem", false, false, true },
1457 };
1458 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot
1459 // be cleared until NSS is cleanly shutdown, which is not presently supported
1460 // in Chromium.
1461 #if defined(USE_NSS) || defined(OS_IOS)
1462 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity
1463 #else
1464 #define MAYBE_VerifyEndEntity VerifyEndEntity
1465 #endif
1466 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
1467 CertVerifyProcWeakDigestTest,
1468 testing::ValuesIn(kVerifyEndEntityTestData));
1469
1470 // Incomplete chains should still report the status of the intermediate.
1471 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
1472 { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
1473 true, false, false },
1474 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1475 // MD4 is not supported by OS X / NSS
1476 { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
1477 false, true, false },
1478 #endif
1479 { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
1480 false, false, true },
1481 };
1482 // Disabled on NSS - libpkix does not return constructed chains on error,
1483 // preventing us from detecting/inspecting the verified chain.
1484 #if defined(USE_NSS) || defined(OS_IOS)
1485 #define MAYBE_VerifyIncompleteIntermediate \
1486 DISABLED_VerifyIncompleteIntermediate
1487 #else
1488 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate
1489 #endif
1490 WRAPPED_INSTANTIATE_TEST_CASE_P(
1491 MAYBE_VerifyIncompleteIntermediate,
1492 CertVerifyProcWeakDigestTest,
1493 testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
1494
1495 // Incomplete chains should still report the status of the end-entity.
1496 const WeakDigestTestData kVerifyIncompleteEETestData[] = {
1497 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
1498 true, false, false },
1499 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1500 // MD4 is not supported by OS X / NSS
1501 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
1502 false, true, false },
1503 #endif
1504 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
1505 false, false, true },
1506 };
1507 // Disabled on NSS - libpkix does not return constructed chains on error,
1508 // preventing us from detecting/inspecting the verified chain.
1509 #if defined(USE_NSS) || defined(OS_IOS)
1510 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity
1511 #else
1512 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity
1513 #endif
1514 WRAPPED_INSTANTIATE_TEST_CASE_P(
1515 MAYBE_VerifyIncompleteEndEntity,
1516 CertVerifyProcWeakDigestTest,
1517 testing::ValuesIn(kVerifyIncompleteEETestData));
1518
1519 // Differing algorithms between the intermediate and the EE should still be
1520 // reported.
1521 const WeakDigestTestData kVerifyMixedTestData[] = {
1522 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1523 "weak_digest_md2_ee.pem", true, false, true },
1524 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1525 "weak_digest_md5_ee.pem", true, false, true },
1526 #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
1527 // MD4 is not supported by OS X / NSS
1528 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1529 "weak_digest_md2_ee.pem", false, true, true },
1530 #endif
1531 };
1532 // NSS does not support MD4 and does not enable MD2 by default, making all
1533 // permutations invalid.
1534 #if defined(USE_NSS) || defined(OS_IOS)
1535 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
1536 #else
1537 #define MAYBE_VerifyMixed VerifyMixed
1538 #endif
1539 WRAPPED_INSTANTIATE_TEST_CASE_P(
1540 MAYBE_VerifyMixed,
1541 CertVerifyProcWeakDigestTest,
1542 testing::ValuesIn(kVerifyMixedTestData));
1543
1544 // For the list of valid hostnames, see
1545 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
1546 static const struct CertVerifyProcNameData {
1547 const char* hostname;
1548 bool valid; // Whether or not |hostname| matches a subjectAltName.
1549 } kVerifyNameData[] = {
1550 { "127.0.0.1", false }, // Don't match the common name
1551 { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)
1552 { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)
1553 { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN
1554 { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)
1555 { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN
1556 { "test.example", true }, // Matches the dNSName SAN
1557 { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)
1558 { "www.test.example", false }, // Should not match the dNSName SAN
1559 { "test..example", false }, // Should not match the dNSName SAN
1560 { "test.example..", false }, // Should not match the dNSName SAN
1561 { ".test.example.", false }, // Should not match the dNSName SAN
1562 { ".test.example", false }, // Should not match the dNSName SAN
1563 };
1564
1565 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1566 // to output the parameter that was passed. Without this, it will simply
1567 // attempt to print out the first twenty bytes of the object, which depending
1568 // on platform and alignment, may result in an invalid read.
1569 void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
1570 *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
1571 }
1572
1573 class CertVerifyProcNameTest
1574 : public CertVerifyProcTest,
1575 public testing::WithParamInterface<CertVerifyProcNameData> {
1576 public:
1577 CertVerifyProcNameTest() {}
1578 virtual ~CertVerifyProcNameTest() {}
1579 };
1580
1581 TEST_P(CertVerifyProcNameTest, VerifyCertName) {
1582 CertVerifyProcNameData data = GetParam();
1583
1584 CertificateList cert_list = CreateCertificateListFromFile(
1585 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
1586 X509Certificate::FORMAT_AUTO);
1587 ASSERT_EQ(1U, cert_list.size());
1588 scoped_refptr<X509Certificate> cert(cert_list[0]);
1589
1590 ScopedTestRoot scoped_root(cert.get());
1591
1592 CertVerifyResult verify_result;
1593 int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
1594 &verify_result);
1595 if (data.valid) {
1596 EXPECT_EQ(OK, error);
1597 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1598 } else {
1599 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
1600 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1601 }
1602 }
1603
1604 WRAPPED_INSTANTIATE_TEST_CASE_P(
1605 VerifyName,
1606 CertVerifyProcNameTest,
1607 testing::ValuesIn(kVerifyNameData));
1608
1609 } // namespace net