1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <string>
6 #include <vector>
7
8 #include "net/tools/transport_security_state_generator/cert_util.h"
9 #include "net/tools/transport_security_state_generator/spki_hash.h"
10 #include "testing/gmock/include/gmock/gmock.h"
11 #include "testing/gtest/include/gtest/gtest.h"
12 #include "third_party/boringssl/src/include/openssl/x509v3.h"
13
14 namespace net::transport_security_state {
15
16 namespace {
17
18 // Certficate with the subject CN set to "Chromium", the subject organisation
19 // set to "The Chromium Projects", and the subject organizational unit set to
20 // "Security."
21 static const char kSelfSignedWithCommonNamePEM[] =
22 "-----BEGIN CERTIFICATE-----\n"
23 "MIIDeTCCAmGgAwIBAgIJAKZbsC4gPYAUMA0GCSqGSIb3DQEBCwUAMFMxETAPBgNV\n"
24 "BAMMCENocm9taXVtMR4wHAYDVQQKDBVUaGUgQ2hyb21pdW0gUHJvamVjdHMxETAP\n"
25 "BgNVBAsMCFNlY3VyaXR5MQswCQYDVQQGEwJVUzAeFw0xNzAxMjkyMDU1NDFaFw0x\n"
26 "ODAxMjkyMDU1NDFaMFMxETAPBgNVBAMMCENocm9taXVtMR4wHAYDVQQKDBVUaGUg\n"
27 "Q2hyb21pdW0gUHJvamVjdHMxETAPBgNVBAsMCFNlY3VyaXR5MQswCQYDVQQGEwJV\n"
28 "UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMlir9M85QOvQ5ok+uvH\n"
29 "XF7kmW21B22Ffdw+B2mXTV6NLGvINCdwocIlebQlAdWS2QY/WM08uAYJ3m0IGD+t\n"
30 "6OG4zG3vOmWMdFQy4XkxMsDkbV11F9n4dsF5TXEvILlupOtOWu6Up8vfFkii/x+/\n"
31 "bz4aGBDdFu6U8TdQ8ELSmHxJYi4LM0lUKTdLLte3T5Grv3UUXQW33Qs6RXZlH/ul\n"
32 "jf7/v0HQefM3XdT9djG1XRv8Ga32c8tz+wtSw7PPIWjt0ZDJxZ2/fX7YLwAt2D6N\n"
33 "zQgrNJtL0/I/j9sO6A0YQeHzmnlyoAd14VhBfEllZc51pFaut31wpbPPxtH0K0Ro\n"
34 "2XUCAwEAAaNQME4wHQYDVR0OBBYEFD7eitJ8KlIaVS4J9w2Nz+5OE8H0MB8GA1Ud\n"
35 "IwQYMBaAFD7eitJ8KlIaVS4J9w2Nz+5OE8H0MAwGA1UdEwQFMAMBAf8wDQYJKoZI\n"
36 "hvcNAQELBQADggEBAFjuy0Jhj2E/ALOkOst53/nHIpT5suru4H6YEmmPye+KCQnC\n"
37 "ws1msPyLQ8V10/kyQzJTSLbeehNyOaK99KJk+hZBVEKBa9uH3WXPpiwz1xr3STJO\n"
38 "hhV2wXGTMqe5gryR7r+n88+2TpRiZ/mAVyJm4NQgev4HZbFsl3sT50AQrrEbHHiY\n"
39 "Sh38NCR8JCVuzLBjcEEIWxjhDPkdNPJtx3cBkIDP+Cz1AUSPretGk7CQAGivq7Kq\n"
40 "9y6A59guc1RFVPeEQAxUIUDZGDQlB3PtmrXrp1/LAaDYvQCstDBgiZoamy+xSROP\n"
41 "BU2KIzRj2EUOWqtIURU4Q2QC1fbVqxVjfPowX/A=\n"
42 "-----END CERTIFICATE-----\n";
43
44 // Certificate without a subject CN. The subject organisation is set to
45 // "The Chromium Projects" and the subject origanisational unit is set to
46 // "Security".
47 static const char kSelfSignedWithoutCommonNamePEM[] =
48 "-----BEGIN CERTIFICATE-----\n"
49 "MIIDUzCCAjugAwIBAgIJAI18Ifktf3YOMA0GCSqGSIb3DQEBCwUAMEAxHjAcBgNV\n"
50 "BAoMFVRoZSBDaHJvbWl1bSBQcm9qZWN0czERMA8GA1UECwwIU2VjdXJpdHkxCzAJ\n"
51 "BgNVBAYTAlVTMB4XDTE3MDEyOTIxMTMwMloXDTE4MDEyOTIxMTMwMlowQDEeMBwG\n"
52 "A1UECgwVVGhlIENocm9taXVtIFByb2plY3RzMREwDwYDVQQLDAhTZWN1cml0eTEL\n"
53 "MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxfBIg\n"
54 "4hVljlFbyZ88mhLEKCfy/8X127H16ywcy+q+jlj7YtlWqGKlfIjKQkXKeI/xUB1F\n"
55 "ZC1S0kmVycAoahb4m+NqkfBkuxbpc5gYsv9TdgiNIhEezx6Z9OTPjGnTZVDjJNsQ\n"
56 "MVKfG+DD3qAf22PhpU2zGXCF2ECL7J/Lh6Wu/W3InuIcJGm3D7F182UK86stvC/+\n"
57 "mS9K7AJyX320vHWYsVB/jA9w6cSdlZf454E+wtsS0b+UIMF6fewg2Xb/FYxRsOjp\n"
58 "ppVpF8/2v6JzDjBhdZkYufR5M43tCEUBBK6TwfXAPfK3v2IDcoW+iOuztW5/cdTs\n"
59 "rVaGK9YqRDIeFWKNAgMBAAGjUDBOMB0GA1UdDgQWBBRh2Ef5+mRtj2sJHpXWlWai\n"
60 "D3zNXTAfBgNVHSMEGDAWgBRh2Ef5+mRtj2sJHpXWlWaiD3zNXTAMBgNVHRMEBTAD\n"
61 "AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAmxdLSlb76yre3VmugMQqybSkJr4+OZm6c\n"
62 "ES6TQeBzNrbPQhYPAfTUa2i4Cx5r4tMTp1IfUKgtng4qnKyLRgC+BV4zAfSRxbuw\n"
63 "aqicO1Whtl/Vs2Cdou10EU68kKOxLqNdzfXVVSQ/HxGFJFFJdSLfjpRTcfbORfeh\n"
64 "BfFQkjdlK8DdX8pPLjHImFKXT/8IpPPq41k2KuIhG3cd2vBNV7n7U793LSE+dPQk\n"
65 "0jKehPOfiPBl1nWr7ZTF8bYtgxboVsv73E6IoQhPGPnnDF3ISQ5/ulDQNXJr2PI3\n"
66 "ZYZ4PtSKcBi97BucW7lkt3bWY44TZGVHY1s4EGQFqU4aDyP+aR7Z\n"
67 "-----END CERTIFICATE-----\n";
68
69 // Certificate without a subject CN, organisation or organizational unit.
70 static const char kSelfSignedWithoutSubject[] =
71 "-----BEGIN CERTIFICATE-----\n"
72 "MIIC7TCCAdWgAwIBAgIJAOPMcoAKhzZPMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV\n"
73 "BAYTAlVTMB4XDTE3MDEyOTIxNDA1MloXDTE4MDEyOTIxNDA1MlowDTELMAkGA1UE\n"
74 "BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLn0oths5iUbDN\n"
75 "h5IssWAf4jBRVh0c7AfVpnsriSdpgMEfApjE4Fcb3ma/8g+f2SB0x7bSLKMfpKZl\n"
76 "v7tQBuNXsbMcv1l4Ip595ZznSr74Fpuc6K0pqaVUSrgt2EVDp6lx12fFcXMI08Ar\n"
77 "76v06loe7HnO+cOCAXn3Yd89UznB7w8a+RiJlUzb4vksksSQyxCOYwahx6kuN9vh\n"
78 "MkjmzoVSbO6vtHktECsq5M2k98GZMmbXimW+lkyqsG3qJnmAYsIapDE1droPp5Cx\n"
79 "l/tQ95CKEZQDuF4Zv+fgg0eHnnCAhuCPnM8GblOTsAsSjNd8GM+4eJPPtAHdB1nn\n"
80 "HCYB/QadAgMBAAGjUDBOMB0GA1UdDgQWBBTxlQlna2f2VttJkEoeayPsCF7SxzAf\n"
81 "BgNVHSMEGDAWgBTxlQlna2f2VttJkEoeayPsCF7SxzAMBgNVHRMEBTADAQH/MA0G\n"
82 "CSqGSIb3DQEBCwUAA4IBAQBUOmDhs3K1v+tPeO+TWFw8NDfOkcWy6EX+c6K7mSwF\n"
83 "mJjqWsEUBp+WbTK6RoVjuLucH5mRF3FmRrW/hOnxIWxpHg5/9vodReLDPnUw0Anb\n"
84 "QoxKgJ41VfD8aGK8GDPOrETwbIR6+d9P6bDKukiuW41Yh5TjXLufaQ1g9C1AIEoG\n"
85 "88Akr6g9Q0vJJXGl9YcPFz6M1wm3l/lH08v2Ual52elFXYcDcoxhLCOdImmWGlnn\n"
86 "MYXxdl1ivj3hHgFXxkIbrlYKVSBhwPPgjVYKkimFcZF5Xw7wfmIl/WUtVaRpmkGp\n"
87 "3TgH7jdRQ1WXlROBct/4Z8jzs7i+Ttk8oxct2r+PdqeZ\n"
88 "-----END CERTIFICATE-----\n";
89
90 // Valid PEM certificate headers but invalid BASE64 content.
91 static const char kInvalidCertificatePEM[] =
92 "-----BEGIN CERTIFICATE-----\n"
93 "This is invalid base64.\n"
94 "It contains some (#$*) invalid characters.\n"
95 "-----END CERTIFICATE-----\n";
96
97 // Valid PEM public key headers but invalid BASE64 content.
98 static const char kInvalidPublicKeyPEM[] =
99 "-----BEGIN PUBLIC KEY-----\n"
100 "This is invalid base64.\n"
101 "It contains some (#$*) invalid characters.\n"
102 "-----END PUBLIC KEY-----\n";
103
104 // Valid 2048 bit RSA public key.
105 static const char kPublicKeyPEM[] =
106 "-----BEGIN PUBLIC KEY-----\n"
107 "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAujzwcb5bJuC/A/Y9izGl\n"
108 "LlA3fnKGbeyn53BdVznJN4fQwU82WKVYdqt8d/1ZDRdYyhGrTgXJeCURe9VSJyX1\n"
109 "X2a5EApSFsopP8Yjy0Rl6dNOLO84KCW9dPmfHC3uP0ac4hnHT5dUr05YvhJmHCkf\n"
110 "as6v/aEgpPLDhRF6UruSUh+gIpUg/F3+vlD99HLfbloukoDtQyxW+86s9sO7RQ00\n"
111 "pd79VOoa/v09FvoS7MFgnBBOtvBQLOXjEH7/qBsnrXFtHBeOtxSLar/FL3OhVXuh\n"
112 "dUTRyc1Mg0ECtz8zHZugW+LleIm5Bf5Yr0bN1O/HfDPCkDaCldcm6xohEHn9pBaW\n"
113 "+wIDAQAB\n"
114 "-----END PUBLIC KEY-----\n";
115
116 // Valid 2048 bit RSA public key with incorrect PEM headers.
117 static const char kUnknownPEMHeaders[] =
118 "-----BEGIN OF SOMETHING-----\n"
119 "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAujzwcb5bJuC/A/Y9izGl\n"
120 "LlA3fnKGbeyn53BdVznJN4fQwU82WKVYdqt8d/1ZDRdYyhGrTgXJeCURe9VSJyX1\n"
121 "X2a5EApSFsopP8Yjy0Rl6dNOLO84KCW9dPmfHC3uP0ac4hnHT5dUr05YvhJmHCkf\n"
122 "as6v/aEgpPLDhRF6UruSUh+gIpUg/F3+vlD99HLfbloukoDtQyxW+86s9sO7RQ00\n"
123 "pd79VOoa/v09FvoS7MFgnBBOtvBQLOXjEH7/qBsnrXFtHBeOtxSLar/FL3OhVXuh\n"
124 "dUTRyc1Mg0ECtz8zHZugW+LleIm5Bf5Yr0bN1O/HfDPCkDaCldcm6xohEHn9pBaW\n"
125 "+wIDAQAB\n"
126 "-----END OF SOMETHING-----\n";
127
TEST(CertUtilTest,GetX509CertificateFromPEM)128 TEST(CertUtilTest, GetX509CertificateFromPEM) {
129 EXPECT_NE(nullptr, GetX509CertificateFromPEM(kSelfSignedWithCommonNamePEM));
130 EXPECT_NE(nullptr, GetX509CertificateFromPEM(kSelfSignedWithoutSubject));
131 EXPECT_EQ(nullptr, GetX509CertificateFromPEM(kInvalidCertificatePEM));
132 EXPECT_EQ(nullptr, GetX509CertificateFromPEM(kInvalidPublicKeyPEM));
133 }
134
135 // Test that the SPKI digest is correctly calculated for valid certificates.
TEST(CertUtilTest,CalculateSPKIHashFromCertificate)136 TEST(CertUtilTest, CalculateSPKIHashFromCertificate) {
137 SPKIHash hash1;
138 bssl::UniquePtr<X509> cert1 =
139 GetX509CertificateFromPEM(kSelfSignedWithCommonNamePEM);
140 EXPECT_TRUE(CalculateSPKIHashFromCertificate(cert1.get(), &hash1));
141 std::vector<uint8_t> hash_vector(hash1.data(), hash1.data() + hash1.size());
142 EXPECT_THAT(
143 hash_vector,
144 testing::ElementsAreArray(
145 {0xAC, 0xFB, 0x2B, 0xF3, 0x6A, 0x90, 0x47, 0xF1, 0x74, 0xAE, 0xF1,
146 0xCE, 0x63, 0x3D, 0xA9, 0x45, 0xCB, 0xA, 0xA7, 0x3F, 0x16, 0x2A,
147 0xF3, 0x88, 0x9A, 0xE2, 0x72, 0xC, 0x07, 0x63, 0x45, 0xB0}));
148
149 SPKIHash hash2;
150 bssl::UniquePtr<X509> cert2 =
151 GetX509CertificateFromPEM(kSelfSignedWithoutCommonNamePEM);
152 EXPECT_TRUE(CalculateSPKIHashFromCertificate(cert2.get(), &hash2));
153 std::vector<uint8_t> hash_vector2(hash2.data(), hash2.data() + hash2.size());
154 EXPECT_THAT(
155 hash_vector2,
156 testing::ElementsAreArray(
157 {0x40, 0xBC, 0xD6, 0xE4, 0x10, 0x70, 0x37, 0x3C, 0xF7, 0x21, 0x51,
158 0xD7, 0x27, 0x64, 0xFD, 0xF1, 0xA, 0x89, 0x0, 0xAD, 0x75, 0xDF,
159 0xB3, 0xEA, 0x21, 0xFC, 0x6E, 0x67, 0xD5, 0xAE, 0xA4, 0x94}));
160 }
161
162 // Test that the SPKI digest for public key's are calculated correctly.
TEST(CertUtilTest,CalculateSPKIHashFromKey)163 TEST(CertUtilTest, CalculateSPKIHashFromKey) {
164 SPKIHash hash1;
165 EXPECT_TRUE(CalculateSPKIHashFromKey(kPublicKeyPEM, &hash1));
166 std::vector<uint8_t> hash_vector(hash1.data(), hash1.data() + hash1.size());
167 EXPECT_THAT(
168 hash_vector,
169 testing::ElementsAreArray(
170 {0x63, 0xB0, 0x21, 0x4, 0x3, 0x13, 0x9E, 0x36, 0xEE, 0xCB, 0x6F,
171 0xA5, 0x7A, 0x94, 0x56, 0x18, 0xBA, 0x41, 0x13, 0x8C, 0x4A, 0x48,
172 0x99, 0x80, 0x51, 0x66, 0xF8, 0x85, 0x2, 0xFC, 0x48, 0x9E}));
173 SPKIHash hash2;
174 EXPECT_FALSE(CalculateSPKIHashFromKey(kInvalidPublicKeyPEM, &hash2));
175
176 SPKIHash hash3;
177 EXPECT_FALSE(
178 CalculateSPKIHashFromKey(kSelfSignedWithoutCommonNamePEM, &hash3));
179
180 SPKIHash hash4;
181 EXPECT_FALSE(CalculateSPKIHashFromKey(kUnknownPEMHeaders, &hash4));
182 }
183
184 // Test that the subject name is extracted correctly. This should default to the
185 // subject common name and fall back to the organisation + organizational unit.
TEST(CertUtilTest,ExtractSubjectNameFromCertificate)186 TEST(CertUtilTest, ExtractSubjectNameFromCertificate) {
187 std::string name1;
188 bssl::UniquePtr<X509> cert1 =
189 GetX509CertificateFromPEM(kSelfSignedWithCommonNamePEM);
190 EXPECT_TRUE(ExtractSubjectNameFromCertificate(cert1.get(), &name1));
191
192 // For certficates with the subject common name field set, we should get the
193 // value of the subject common name.
194 EXPECT_EQ("Chromium", name1);
195
196 std::string name2;
197 bssl::UniquePtr<X509> cert2 =
198 GetX509CertificateFromPEM(kSelfSignedWithoutCommonNamePEM);
199 EXPECT_TRUE(ExtractSubjectNameFromCertificate(cert2.get(), &name2));
200
201 // For certificates without a subject common name field, we should get
202 // the subject organization + " " + organizational unit instead.
203 EXPECT_EQ("The Chromium Projects Security", name2);
204
205 std::string name3;
206 bssl::UniquePtr<X509> cert3 =
207 GetX509CertificateFromPEM(kSelfSignedWithoutSubject);
208 EXPECT_FALSE(ExtractSubjectNameFromCertificate(cert3.get(), &name3));
209 }
210
211 } // namespace
212
213 } // namespace net::transport_security_state
214